June, 2006: I'm in the middle of designing new page layouts for this wiki, as well as my DesignBibliography? wiki. So far, I have http://sunir.org/monkey/mockups/page7.htm (compare to previous version: http://sunir.org/monkey/mockups/page6.htm). Some things I have yet to do:

  • Page bottom. I love sites that put fun things to do at the bottom of a page, as a way of rewarding readers for getting that far. I also want to leave room for that. Any ideas?

Feedback is appreciated. -- SunirShah


I think it looks very nice, but I'm only a reliable judge of attractiveness in so far as I tend to be at odds with the general population. I was suprised that you have switched the font away for the Times Roman family and gone sansSerif. I've generally been told that serifs are significantly easier to read (by recognition). -- HansWobbe

I'm pretty certain the current site expresses no font preference. Your browser must be the one picking Times Roman. -- ChrisPurcell

Serif fonts are easier to read when printed at high resolution. On low resolution displays, such as computer screens, the sharper sans-serif fonts are easier to read. But that's a theory. It may differ for each individual. When this gets done, we can always create different skins for different people. -- SunirShah

Wouldn't it be easier to just use the default browser font? -- ChrisPurcell

Well, it might be easier, but uglier. Testing it, it's not so bad to let the page text itself be serif. http://sunir.org/monkey/mockups/page5-serif.htm -- SunirShah

Picking a font with good hinting (for each platform separately, probably) is definitely important. -- RadomirDopieralski?

Ok. I've made the font the default, although 10% larger just for fun. -- SunirShah


I like the layout, but the colors seem... dirty. -- RadomirDopieralski?

Based on our conversation on IRC, I hope this looks better. -- SunirShah


Another point about the ease of reading -- have you considered limiting the width of text (e.g. to about 50em), I find long lines of text a little hard to read, and I'm sure I'm not alone. -- RadomirDopieralski?

SydneyMercurio? also expressed a desire for margins. I've made it look more like a book now. -- SunirShah


I'm just starting to work with CSS a bit more since its taken me a great deal longer to master the interactions of TiddlyWiki's markup with that of usemod. One of the reasons that I am getting ready to work with this is that I have found the capabilities of Eric Schulman's TiddlyWiki adaptations to be remarkably effective and efficient to apply. If you are interested, I can send you a small test file that you can take a look at.

I'm deeply committed to TransClusion and have found that using this (a lot) is definitley affecting the sytle of the pages that I create. Again, I can send you some screen shots that may illustrate this, but only if you care enough to not consider such a message to be spam (not thast my feelings will be hurt in the least, if you decline). -- HansWobbe

If you could provide an example, I can think about fitting the ideas in. -- SunirShah

Soft security is not weak security.

The idea is to protect the system and its users from harm, in gentle and unobtrusive ways. The opposite of HardSecurity. It follows NonViolence. Instead of using violence, it works architecturally in defense to convince people against attacking and to LimitDamage. It works socially in offense to convince people to be friendly and to get out of the way of people adding value. Soft security is difficult. It often requires you to grow as a person, sometimes painfully so. This by itself makes it valuable.

SoftSecurity is like water. It bends under attack, only to rush in from all directions to fill the gaps. It's strong over time yet adaptable to any shape. It seeks to influence and encourage, not control and enforce.

If nothing within you stays rigid, outward things will disclose themselves. Moving, be like water. Still, be like a mirror. Respond like an echo. -- Bruce Lee

I made what I think is a somewhat nuanced and complicated argument about the nature of security. As such it is difficult to summarize. Basically I think that security measures of a purely technological nature, such as guns and crypto, are of real value, but that the great bulk of our security, at least in modern industrialized nations, derives from intangible factors having to do with the social fabric, which are poorly understood by just about everyone. If that is true, then those who wish to use the Internet as a tool for enhancing security, freedom, and other good things might wish to turn their efforts away from purely technical fixes and try to develop some understanding of just what the social fabric is, how it works, and how the Internet could enhance it. However this may conflict with the (absolutely reasonable and understandable) desire for privacy. -- NealStephenson, ComputersFreedomAndPrivacy 2000 (Toronto)

See also an [excerpt] by Sir Arthur Conan Doyle that Neal selected to show these ideas aren't new.

SoftSecurity is a collective solution, whereas HardSecurity is often an individual solution. It's important to remember that although the Patterns below are written as prescriptions for you to follow, they are meant as notices for everyone to follow. When SoftSecurity becomes unilaterally enforced, it fails. This is a chicken and egg statement. When SoftSecurity fails--when TheCollective fails to act--only a few heroes try to keep it working. When only one person defends TheCollective, the defense loses its effectiveness and believability. One, the target of the defense will not know the hero speaks for the RoyalWe, and thus attempt to undermine the hero's authority in acting. Two, it may be the case that the CommunityDoesNotAgree, and the hero is acting out VigilanteJustice; acting alone should be good pause to reconsider what you are doing. Finally, while you think you ModelDesiredBehaviour, you are not providing space for others to act themselves, and so the real message you are sending is that they should not act.

SoftSecurity follows from the principles of

  • PeerReview. Your peers can ensure that you don't damage the system.

  • ForgiveAndForget. Even well-intentioned people make mistakes. They don't need to be permanent.

  • LimitDamage. When unpreventable mistakes are made, keep the damage within tolerable limits.

  • FairProcess. Kim and Mauborgne's theory that being transparent and giving everyone a voice are essential management skills.

See also

You may also be interested in SunirShah's Powerpoint [presentation] on SoftSecurity from OReillyPeerToPeer East 2001.

The TouchGraphWikiBrowser had visualized the PatternLanguage: [wide shot] [zoomed in]

CategoryWikiTechnology CategoryWikiConventions CategorySoftSecurity

Some ideas.



  • AuditTrail. An audit trail tells you who did what, when. It doesn't necessarily allow you to undo what they did. It does let you know who was responsible.

  • FrontLawn. Provide places for individuals to express private ideas without sullying the public space.

  • MessageBox. Provide a means for personally directed feedback.

  • RubberRoom?. Newcomers experimentation causes harm, but it is unintentional and forgiveable. Setting aside a place where mistakes are more forgiven permits more experimentation and faster learning, while at the same time containing the extent of the damage to an area nobody cares about. e.g. the SandBox.

  • GuidePosts. Placing a line of rocks on either side of a path is better than roping off the path. People will understand where to step without feeling claustrophobic.

  • PricklyHedge. An unpleasant architectural barrier to entry that will help LimitTemptation to only those with a real IntrinsicInterest? in behind there.

  • UnlockedDoors. When GuidePosts aren't enough and you need to put up opaque walls to give yourself privacy, leave the doors unlocked so people can still enter if they choose.

  • SpeedBump?. A disruption in the path of energy flow meant to make it unpleasant to throw excessive energy into the system. For instance, adding an intermediate junk "thank you" page after editing disrupts the rate of editing.

  • SurgeProtector. Prevent excessive load from disabling the system, spamming the system.

Systemic solutions

  • ReversibleChange. If anything that can be done, can be undone, no damage need be permanent. Version control is one way of making changes reversible. You can reverse a change without knowing who made it originally.

  • DelayAction. When you can't reverse a change, delay that action until PeerReview has a chance to prevent disaster.

  • DevolvePower. Hand over as much control of the community to the community.


  • AvoidIllusion. A weak security system can be worse than no security at all, because it may lull users into unwarranted trust. UserNames without passwords may be safer than with, because everyone will know they are forgeable.

  • SecurityByObscurity. Let certain valuable resources be placed in some out of the way place where the casual visitor won't stumble onto it. If some dill puts up a sign pointing out where to find the secret garden take that sign down.

A couple of the banks I've been to have ceiling-to-floor glass walls around all the offices -- even the door is mostly glass. It's more soundproof than cubicles, and people sitting in the waiting room can see why they have to wait -- all the people with authority to give loans / draw up CDs / whatever, are all busy just now. I also think it's less intimidating than walking into an opaque office / cubicle. I'm not sure why. Is it because I've been observing it from the waiting room, so I'm now more familiar with the room -- no longer a complete unknown, someone else's turf ? Is it because I've seen other people doing just what I'm about to do, and other people in the waiting room are witnessing what I'm doing, so that I can be sure I'm about to have a civilized conversation, they're not going to ask me to do something weird like flap my arms like a chicken ? Or some other reason it's not so intimidating ?

One bank I've been to had the security vault in the same room as, and directly opposite, the desk with several tellers. They usually left the door standing wide open during normal business hours. There's 2 different soft-security things going on here: (a) While you were waiting for a free teller, you could look at the incredible thickness of the door, and look at the "portholes" on the inside of the door that let you see thick, massive, strong-looking metal gears, and be impressed by how difficult it must be to break in when the door is locked at night. (b) Although it was standing wide open, I never saw anyone actually walk in -- perhaps because they knew that all the tellers faced the security vault -- even when every teller was busy talking to someone, it would be impossible to walk in without the tellers seeing it happen over the shoulder of their customers. Even if someone did walk in, everyone can see that all the security boxes were locked into place.


Controlling relationships to community

  • LimitTemptation. If you don't have restrictions, nobody will be tempted to break them. People react badly to being forced; they want to rebel against authority and beat the machine.

  • MisdirectTemptation?. Set up attractive targets which if damaged are inconsequential. Same idea as honeypots for crackers.

  • IntrinsicInterest?. If you provide no interest to anyone who doesn't instrinsically need/want to be there, the fewer punks you will attract. Be boring or even annoying. (cf. ContentOverForm; classical music example below)
  • Play Classical Music. Playing this music in train stations and shopping centres has the effect of driving away vandals.
    • MeatballWiki looks ugly. This is good.
      • Playing the kind of inane classical-lite music they choose for such applications drives away me -- and I have a right to be there! Not good. (indeed the vandals have a right to be there too, they just don't have the right to vandalise).
        • You would be the exception then - most commuters I've seen either don't care either way for the ambience of the experience, being more interested in the utility of the service (ie. getting to point B from point A), or they coccoon themselves into their own little world of sound via a portable/personal device. Vandals however don't care for the utility of the service, their priorities are based on the experience and aesthetics of the place itself.
        • Somewhere in that comment there is an important idea or principle that I feel deserves more attention.
          • Yes, that people who use a place for its function have better intentions and a more valid reason for being there than people who don't care about the function. People who are just 'hanging around' are generally detrimental. (This doesn't stop all vandalism as sadly some vandals are also genuine commuters).

People who find a place beneficial will lose that benefit if the place is closed down. It's easier to persuade those people to do certain things and not to do other things if you can convince them "If everyone did that, we'd have to shut down". For example, weight limits on airplane luggage -- There may be plenty of room for one person to bring a ton (2000 lbs, 1000 kg) of stuff on the airplane, but "if everyone did that, the airplane couldn't take off".

  • ScareCrow?. A GuidePost that induces fear or unpleasant feelings in people who you don't feel have a real IntrinsicInterest? in behind there. A psychological PricklyHedge, like a wall of legalese.

  • EssentialUse?. If others can find a secondary undesirable use for your service, they may abuse your free service for their ends. Maintain a singular use by reducing non-essential freedoms.
  • Installing Blue Tinted Lighting. Blue light in toilets, alleys and gas stations makes it difficult for junkies to shoot up as it is hard to find a vein in that light.
    • filtering out of html from wiki pages. Keeps the design junkies away ;-)

  • DissuadeReputation. Emotionally separate from those you can't work with, but don't hurt them.

  • RewardReputation. Emotionally bond with your contributors. It's better to keep friends than enemies.

Controlling behaviour within community

  • PeerPressure. Rather than punish wrong-doers somehow, merely expose them and embarrass them in public. Most people want to get along with their fellows.

Controlling control

  • DevolvePower. Hand over as much control of the community to the community.

  • SafetyNet. Give the community a SafetyNet to keep it operational in the face of disaster, such the event that its proprietors get by a bus.


A little [anecdote] on a NetworkSoftSecurity case:

I set up a wireless hotspot over a year ago in Highland Coffee, a shop in Louisville, KY, where I'm a regular. We initally used a SOCKS proxy with some content filtering, logging and a login authentication. Accounts were free but you had to sign an agreement that you wouldn't abuse the system, look at porn or do anything illegal. Way too much. Helping people get their laptops configured, resetting passwords, problems with logfiles filling up. Big headaches. Recently we did away with the proxy and have an open system. Initial requests are redirected to a page that introduces the system and informs the user of the general useage policy. Once they click through they are free to go wherever they want. Aside from a few punkass kids, nobody has ever been seen doing anything inappropriate. Trust in SoftSecurity. -- Jeff Gercken

A problem I see with this idea is that those 'few punkass kids' may be all that is needed to completely destroy the value of what is being protected by soft security. I concede that in many cases -- such as a coffee shop's WiFi? hotspot -- the potential loss is miniscule compared to the costs of more rigorous security. In many, many other situations, however, 99% is NOT good enough. -- Sean Kleinjung

Any others? I feel there may be a PatternLanguage lurking here, if it could be filled out.

How about:

  • Jumping Through Hoops. Put powerful functionality in less convenient places. Example: Don't put the "Edit Text of this page" link at the top of the page.

There are functional reasons for not doing this: placing form submit actions (eg: edit text of page) at the top of a page may well result in data loss or corruption if as a result a partially loaded page is submitted. Putting the link at the bottom of the page (or properly: at the end of the HTML) forces the entire page to be loaded before it can be submitted.

Another example: Putting the fire extinguisher behind a glass panel, then chaining a small hammer on the wall next to this.

Related real world soft security: What would the online analogy for these be?

  • Add Title Here. Some nurses at a hospital kept their milk in a communal fridge, but it was frequently "borrowed". So they stored it in urine-sample flasks instead of milk-bottles. That discouraged the borrowers - it acted as a GuidePost.

  • Add Title Here. A children's hospital kept teddy bears and dolls to amuse the children while they recovered. However, when the children eventually returned home, they would often "liberate" their favourite toy. Theft, but how can you punish sick children for it? So the nurses gave the toys bandages, splints, eye-patches etc. Then the children realised that they needed to stay in the hospital because they were not yet "better".

  • Add Title Here. For centuries, people sent messages to each other sealed with a blob of wax. It would be trivial for anyone to break open the wax and read the message, and even add a few lines of text to the letter, but it would be obvious to the recipient that the wax seal had been broken.

  • Add Title Here. I vaguely remember a movie where someone put a single hair on a desk drawer, and put paper behind a door, so that person could tell whether or not someone else had snuck in through that door and rummaged through that drawer.

(The envelopes, the wax seal, and the flimsy padlocks, none of them really stop anyone from doing whatever they want, but they make it obvious to everyone when security has failed. The hair-on-the-drawer and the paper-on-the-door seem similar, but they don't tell the honest people to stay out ahead of time (not a GuidePost), and after a security breach they don't tell the honest passerby when security has failed.)

"Padlocks only keep honest people out".

Not sure if this is SoftSecurity or HardSecurity, or something in between ... pathetically weak hard security, like two bit padlocks on the petty cash tin (or bikkie tin, more often raided). The point is that it keeps honest people out for very little cost, but would fail (pathetically) with a dishonest person.

It's hard security that can be ignored when necessary by honest people. Perhaps its a sub-variation of GuidePosts and WarningSigns?, where FormFollowsFunction?. (What better way to say "don't open this" than to use a padlock? Beats the language barrier.)


Padlocks are also an audit mechanism (albeit a weak one).

There is [nominally] a small assurance against theft. As someone who's gone through more than one padlock, I can assure you that it's quite small.

More significantly, a padlock may serve as an audit mechanism of sorts. Most attacks against padlocked content results in a broken (or missing) lock. As the first step to recovery is admitting you've got a problem, coming back to a broken or missing lock is an indication of a burglary. The real problem is when you have theft which leaves no signs.

Another argument is that a lock, even a small, trivially bypassed one, may help an honest man stay honest. I suppose the flipside is that it might also encourage a dishonest person to be dishonest.

-- KarstenSelf

Even the weakest padlock forces the thief to be conciously commiting a crime. You can look in an unlocked box out of curiosity and find yourself taking some without ever making the conscious choice to steal. Also, any unauthorised person caught looking in the box can be punished without them having stolen anything, because they have had to break the lock to get into the box which is in itself a crime.

However, the safest place to keep money is in the middle of a table with lots of honest people around. They all know the money is in danger and so will all keep an eye on it to prevent it being stolen. If it's in a box somewhere, they will all think it is safe and won't concern themselves over it.

Similar to the "steering lock principle" of car security, if I have a steering lock on my car then it will be that much harder to steal so the thief will probaly move on to the next easier target- a deterant- although I've always wondered what happens when every car in the street has one...

Even flimsier than the padlock is the locks on most of the bathrooms in my city. There's a small hole in the handle on the outside, so anyone with a straightened paper clip can unlock the door and get in. Macintosh computers have the same sort of thing protecting the reset button.

Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it. -- Linus Torvalds, about his failing hard drive on linux.cs.helsinki.fi

Linus wants his files "secure", in the sense that he doesn't want them corrupted or irretrievably lost. Too many people confuse this with "not allowing other people to read the files". (Is this different from "not allowing other people to edit the files" ?)

There's an interesting idea at Distributed Proofreaders http://www.pgdp.net/

Second round projects are unavailable until you have proofed more than 50 first round pages. After 50 pages of first round proofing the second round projects will be unlocked for you.
This seems like a cool SoftSecurity idea; how could we extend to wiki ? Perhaps something like "Anyone can read any wiki page and create a UserName. People who have created a UserName are allowed to edit the SandBox and their own HomePage. People who have edited at least 2 pages are allowed to add comments to the bottom of any page. People who have commented at least 8 pages and have edited their UserName on at least 2 different days are allowed to edit any page."

Um... I'm getting caught up in the details here, making it too complex. How can I generalize this idea ?

The "2 different days" is a kind of SurgeProtector. But the rest doesn't seem to match any of the above SoftSecurity categories; perhaps there's a general pattern we can extract here ? What is a good name for this ?

That's HardSecurity. It controls access. See WikiAccessLevels. It is not a good idea as you can game the system; it is completely intolerant to failure. If I sufficiently hated you, I could proofread fifty documents flawlessly, and then turn into the proofreader from hell for the rest. Or even better, deliberatively introduce subtle yet hard to detect errors after that, like mood shifts and racist innuendo. You can probably delete this section when you've read it.

Unprocessed readings

Orlikowski, W.J. (1996) Evolving with Notes: Organizational change around groupware technology. In C.U. Ciborrra (ed.), Groupware and teamwork: Invisible aid or technical hindrance? Wiley: Chichester. Available from http://ccs.mit.edu/papers/CCSWP186.html

Should be compared against (Orlikowski, 1992).

Rasmusson, L. and Jansson, S.. (1996a) Simulated social control for secure Internet commerce (position paper). In Proceedings, New Security Paradigms '96 Workshop.

Rasmusson, L. and Jansson, S.. (1996b) Personal security assistance for secure Internet commerce (position paper). In Proceedings, New Security Paradigms '96 Workshop.

I've been looking for an academic reference for Soft Security, and I can't find one. (I looked up the proceedings above and, annoyingly, don't seem to have access through Athens - incidentally, I also found: Alfarez Abdul-Rahman & Stephen Hailes (1998) A distributed trust model. In Proceedings of the 1997 workshop on New Security Paradigms - looks good). Can someone point me in the right direction? I can't believe there's nothing from a conference on "Soft Security" that i can access (and yes, I know that Sunir is sick of talking about it, but still!) Just to clarify, what I'm looking for is an article/paper, available online, and preferably with a recognisable author, that just explains what soft security is - this page is fantastic, but I don't think it's clear enough for an academic professor, checking references. Thanks. --CormacLawler

We don't LimitTemptation, so we will die.

I'm reading the case (*) of a feminist forum that prided itself on inclusiveness that got trolled to nearly the ground by a anti-feminist troll; they did not want to ban the person on philosophical grounds due to their ideal of RadicalInclusiveness. This left them open to two months of vitriole until the forum hosts banned him. Similarly, MrBungle was finally banned when a wizard stepped in and unilaterally banned him, this after a long argument over free speech. Similarly, our adamant principle of SoftSecurity here leaves us open to trolling with the implicit goal of getting us to ban someone's IP. The more famous our philosophy becomes, the more we open ourselves to "career" trolls who will spend a ridiculous amount of time here getting us to ban their IP to prove we are wrong. I think that since the cyberstalking laws have changed, and since invariably these guys are in America, Canada, Australia, or the UK, we should investigate what criminal charges we can lay as that seems to be the only truly effective means at exiling someone. It would be worthwhile to know, if only to make the threat of a LegalThreat enough of a deterrent. Meanwhile, it seems we are hitting the limits of our current architectural defenses, so we should dream up more.

  • Oh dear! The terrorists have already won (again). Go back to the top of the page and read it all again. On the way, try to think of more soft ways to have a forum where trolling doesn't win (or spend time pruning out HardSecurity that doesn't belong here). -- anon

Additionally, we could ban a few IPs now and then just for the hell of it. A perfect record is always going to be trolled. Best to be WabiSabi?, perhaps. -- SunirShah

The problem with so sophisticated methods is the sheer amount of information about the rules, and many beginners involuntarily can easily broke some of them. This is in sharp contrast with HardSecurity where the newcomer immidiately gets feedback on his actions. I believe much more effort should be excerted in the direction of developing user friendly teaching techniques for the SoftSecurity rules then developing new ones. An immidiate example can be giving somwhere at the top of the wiki pages explicite links to rules that are meant to govern this given page (something like 'This is a ThreadMode page'). -- ZbigniewLukasiak

(*) Herring, S., Job-Sluder, K., Scheckler, R., and Barab, S. (2002). Searching for safety online: Managing ‘trolling’ in a feminist forum. The Information Society, 18, 371–384.

While SoftSecurity is a powerful concept per se, it is important to apply it in a way providing long-term security. Experiences from offline communities applying SoftSecurity show that it often works on a small scale while providing a breeding pit for organized crime through a wide network of loopholes. To avoid this, it is important to distinguish between rules that are only rules but don't allow to be verified if they are followed and the verifiable ones. The latter ones effectively LimitTemptation because everyone will see the offense.

Maybe it's not a problem with different SoftSecurity tactics, but the discovery that it's the proper balance between SoftSecurity and HardSecurity that makes up for an effective system. As always, diversity is the really important thing, and in this case stable innovation is granted by the coexistence of both pattern. HardSecurity is important to make it impossible for everything to collapse, while SoftSecurity creates the actual innovation.

Offline communities often have problems creating an effective rule system because of privacy considerations, whereas online communities have the possibility to create something new, not held back by this dead freight offline communities have to cope with. -- Anon



This is the digested summary. Recently, we've been discussing the design for pages.

Compare to revision

18m SunirShah
2h ChrisPurcell
1d 2h HelmutLeitner
21 more revisions