Wikipedia talk:Don't stuff beans up your nose/Archive 2

RfC about when to talk about stuffing beans up your nose
Should this page contain an exception for discussions about changes in policy or changes in the Wikimedia software? --Guy Macon (talk) 01:03, 29 November 2018 (UTC)

I recently added the following language to this page...


 * When to talk about stuffing beans up your nose


 * While it is true that you should not tell anyone to not stuff beans up their nose, occasionally there are discussions about changes in policy or changes in the Wikimedia software that will make certain kinds of beans more difficult to stuff up your nose. In such discussions, somebody invariably posts a link to WP:BEANS, usually implying that it is a policy as opposed to being a humorous essay. Please don't do that. It violates Kerckhoffs's principle and encourages Security through obscurity. Being allowed to freely discuss things that people might do in the context of preventing them from doing them is important and should not be discouraged.

...which was reverted.

Because the question of what should be in an essay is a judgement call, I would like to gauge the consensus of the community regarding the above addition to this page. Also welcome would be suggestions for better wording that convey the same basic message. --Guy Macon (talk) 01:03, 29 November 2018 (UTC)

Survey

 * Keep. There is a real problem with editors [A] citing this page in policy and software discussions as if it was a policy or guideline, and [B] doing so in support of a common misconception (that security through obscurity is a good thing) that virtually every security expert rejects. Language to discourage this behavior in policy and software discussions is badly needed. Not having such language encourages behavior that, while well-intentioned, hurts the encyclopedia. --Guy Macon (talk) 03:54, 29 November 2018 (UTC)
 * Delete the text being specifically discussed, as the reverting editor. Per my comment in reverting, I considered the text too specific in context as opposed to being broadly useful. I also felt the text was a little unclear or, at least, might benefit from copy editing. Cinderella157 (talk) 01:57, 29 November 2018 (UTC)
 * Delete it's not clear to the perusing editor (me) what this paragraph is intended to advise. It already says on top that it is an essay so it is therefore WP:NOTPOLICY. Are you suggesting that in the cases of changing policy / Wikimedia software that we should consider WP:BEANS like it is not an advisory essay or remind people that it is an essay in all situations? AngusWOOF ( bark • sniff ) 03:26, 29 November 2018 (UTC)
 * I am "suggesting" what the text at the top of this RfC says: In the specific case of discussions about policy or software, posting a link to WP:BEANS violates well-known best security practices, and thus should be discouraged in that specific situation. I am not "suggesting" anything other than what I have plainly stated. --Guy Macon (talk) 03:54, 29 November 2018 (UTC)
 * I thought calling BEANS was more for scenarios like someone posting in a talk page a bunch of clickbait like "I discovered you can crash Wikipedia by clicking on this link." Or "here are the secret commands or links to give yourself administrative powers on Wikipedia". Or "Here are my references inappropriate link." Adding that technical stuff on top of the "this is an essay" would confuse most editors who are not interested in computer / network security. AngusWOOF ( bark • sniff ) 23:12, 29 November 2018 (UTC)
 * Delete Guy Macon has misunderstood the point of both Kerckhoffs's principle and "security through obscurity". This proposed text appears to have come from a question on Jimbo's page about whether he uses 2FA and a response from someone that discussing his security choices was a bad idea. The quoted "principles" refer to the design of an optimal secure system. An optimal design does not rely on aspects (except a key) being obscure or unknown. The problem is that we have yet to design an optimal security system (with humans being by far, but not the only, weakest link) and all information is useful to those who wish to break a sub-optimal system.
 * Consider that knowing that the word "weather forecast" was present in German enigma broadcasts at a certain time and in the same location in the message helped crack the code. Capturing an enigma machine also provided vital information, such as that a letter was never encoded as itself. These all helped break an extremely complex but not perfect security system. This is totally in keeping with Kerckhoffs's principle -- it had a failure because information about the system or the words in messages helped crack it. The Germans were right to try to prevent such machines being captured.
 * Similarly our password security, even with 2FA, has weaknesses. They may rely on SMS or emails or pieces of paper or having someone's mobile phone or key fob. Knowing about the details would alert someone about what weaknesses they might exploit (try to steal his mobile phone?). Hackers frequently target unpatched software and OS versions with vulnerabilities, and knowing what software and OS someone or some system is using aids that hacking. Merely having the vulnerability breaks Kerckhoffs's principle, and there's nothing you, I or Jimbo can do about it.
 * Human weakness, such as a phishing attempt, can also be exploited by information. If Jimbo told us who he banked with, then a phishing attempt could incorporate that to make it far more believable. Who of us would not be concerned by a call to say there was a problem transferring our salary from our employer to our bank, a story that is given credence by correctly including the names of both?
 * Famous example: "Clarkson stung after bank prank" Jeremy Clarkson "rubbished the furore over the loss of 25 million people's personal details on two computer discs" claiming that bank account numbers could only be used to credit an account, not maliciously take money without authorisation. He published his bank account numbers in the Sun newspaper and subsequently discovered that a £500 direct debit to Diabetes UK was set up by a hacker. Lesson: our bank security is hopelessly vulnerable; don't make life easier for hackers.
 * Let's leave worrying about these principles to those who design security systems, and the rest of us should assume the security system we use is far from perfect, and give as little away about it as possible. -- Colin°Talk 19:08, 29 November 2018 (UTC)


 * Leaning delete. The principle is technically correct, especially about security through obscurity [which should not start with a capital s, by the way], but this isn't a frequent enough matter that we need to cover it here. More importantly, it's not actually a . If someone incorrectly "cites" BEANS, just point out why they're misunderstanding it and why it's not applicable to the thread in question. Do that enough, and people will stop. But even if they don't, who cares?  It's not disruptive to claim that some essay is pertinent when it really isn't, just potentially self-embarrassing. Technical discussions, especially if they're addressing a real security matter, are not actually going to be derailed by mention of BEANS, though they probably don't belong on WP in the first place, and are better done at Phabricator where fewer trolls and vandals are apt to see them before the problems they report are fixed.  In other words, the principle being correct doesn't mean we have to mention it here in this essay.  And do we really need an RfC about this (especially after nearly zero resolution attempts between the two editors in the dispute)? The page isn't binding. It's an essay, after all, not a WP:P&G page, and it isn't one of the few essays we have (like WP:BRD and WP:AADD and WP:ROPE and WP:CIR) which the community treats like a guideline (i.e., takes predictable and programmatic actions based on the essay). It really is just an opinion page.  PS: I spend more than average of my WP time engaged in policy discussions and reformation (I'm kind of known for it). I don't find this to be a problem or pseudo-"problem" of any kind in policy discussions, though I can see that throwing the WP:BEANS shortcut around in tech threads might get irritating after a while and is probably not all that rare. PPS: I'm not totally opposed to any mention of BEANS not always being applicable to all discussions, but I don't think this is the wording to use.  
— SMcCandlish ☏ ¢ 😼  04:27, 30 November 2018 (UTC)


 * Beans has been used for ways to circumvent our vandalism and article screening processes on WP, not just for attempts to hack into the system. Nobody can claim that any aspect of this system is anywhere near ideal, and some parts of it are very flaky indeed. Much of what we do in this way regard matching known patterns of behavior, and there is a balance between the information patrollers need to take advantage of the experience gained from already-known weak points, and that which vandals might gain from seeing them discussed. Every really good vandal knows the relevant ones quite well already, but new ones do not, and we should be careful about aiding their education. So there is a point in discussing them in places the naive troublemaker will not immediately see; and even, in some cases, of making them available only to trusted users, as with the details of some of the edit filters. To complicate the balance, in addition to informing our patrollers, there is also benefit in the general public knowing about the ways we use to remove misinformation and improper use. (And, to mention the area where I now primarily work, telling the public in some detail what we regard as promotionalism may help them detect such material in other places also -- and the same goes for the way we identify unreliable sources.) DGG ( talk ) 19:23, 2 December 2018 (UTC)

Threaded Discussion
Comment My Revert of section "A serious side" was initiated after an edit that (IMO) appeared to advocate citing BEANS as a means of obscurity rather than what I would consider to be an appropriate degree of transparency that would be contrary to P&G. At Revert of section "A serious side", I indicated an example (among others) of a cyber-attack, where it may not be appropriate to fully disclose the details. That discussion has since digressed as a justification for not citing BEANS to the point that it appears to have been hijacked (IMO) as part of this discussion. I think it important that a closer be made aware of the fuller history of Revert of section "A serious side".

This RfC was initiated after I reverted an edit from the opposite end of the spectrum - advocating full disclosure in the specific instance of a cyber-attack. I do not oppose general advice on whether not/to cite BEANS.
 * The subject edit initiating this RfC has a very specific context - WP cyber security.
 * Others have indicated discussions elsewhere on the subject that may have prompted the subject edit. As such, it has the appearance of being POINTY. I have not been involved in these discussions. The point being made has a specific context which may well be valid. I am expressing no judgement in this respect.
 * There are better ways/forums/avenues to address the concerns of the OP (IMO) than making a very specific and potentially pointy edit to this essay.
 * A narrow context for such commentary suggests that BEANS has only a narrow context of applicability, which I submit is incorrect.

Since initiation of this RfC, another similar edit has been made. To some extent, I believe it at least equally inappropriate and submit that it should also fall under this RfC. Regards, Cinderella157 (talk) 09:58, 7 December 2018 (UTC)


 * Cinderella157, I have reverted the recent edits too. This essay is best kept short & sweet, and not burdened by links to YouTube videos that rather miss the point. There is no consensus here that "security through obscurity" is in any way relevant to BEANS. The main proponent of that idea is totally alone in that view. WP Essays are aimed at users of the WMF systems, not at the WMF developers, who I'm sure are well aware of the current best practices. The "security through obscurity" concept is not aimed at "users" but at "system designers". Since BEANS is a widely quoted essay, we don't need it getting complicated by random additions by people who are missing the point or confused. -- Colin°Talk 10:11, 7 December 2018 (UTC)

Is the RfC well formed?
It is unclear whether the RfC is for: the underlying premise, the reverted text, or both? If it is for both, are these to be considered separately or together (ie inseparably). Considering this, the RfC is unlikely (IMO) to reach any usable conclusion as it may well be too disjointed to be closed.

I also note that there has not been any discussion following the revert and the OP has taken this straight to an RfC. This does not appear consistent with WP:CON. There has been no discussion about what might be suitable text, let alone the underlying premise. Discussion, and particularly one involving more parties should be engaged in before attempting to pose a question by RfC. Taking this to RfC is premature. I would ask the OP to withdraw this as an RfC and to engage in discussion. At this initial point, a free-form discussion is likely to be more constructive at a number of levels. An RfC is not the only way of eliciting outside opinions. Neutrally phrased requests can be made at appropriate places. Regards, Cinderella157 (talk) 01:57, 29 November 2018 (UTC)


 * Your objection was already answered at the top of this RfC: "Because the question of what should be in an essay is a judgement call, I would like to gauge the consensus of the community regarding the above addition to this page." I think we need more editors looking at this and forming a clear consensus. I don't think that discussion will resolve what is essentially two people saying "I don't like it" and "I do like it", but feel free to either withdraw your objections to my addition to the article or to attempt to convince me that it should not be added. I promise to carefully evaluate any arguments that you present. --Guy Macon (talk) 04:02, 29 November 2018 (UTC)


 * Per WP:RFC:
 * Before using the RfC process to get opinions from outside editors, it's often faster and more effective to thoroughly discuss the matter with any other parties on the related talk page. Editors are normally expected to make a reasonable attempt at working out their disputes before seeking help from others. If you are able to come to a consensus or have your questions answered through discussion with other editors, then there is no need to start an RfC.
 * I do not disagree that the discussion would benefit from more input. However, you have not followed an appropriate course to get to the point of an RfC. Regards, Cinderella157 (talk) 05:22, 29 November 2018 (UTC)

Somewhat different addition suggestion
I wrote a different version (which was reverted by Colin). Guy Macon's addition wasn't funny and rather disconnected from the rest of the essay.
 * "While telling little vandals what not to do is rarely a good idea, the parents should discuss what to do if (read: when) the little boy starts shoving beans up his nose anyway. Or consuming spoonfuls of cinnamon. Or choking down laundry detergent pods. Or shoots himself in the foot. You get the idea. Security through obscurity is a bad idea."

So.. maybe vote on this. (or make your own version) - Alexis Jazz 08:03, 11 December 2018 (UTC)
 * Too much analogy, not enough substance. Some balance between the two poles would work.  — SMcCandlish ☏ ¢ 😼  09:59, 11 December 2018 (UTC)
 * It is focusing on one issue (ie security) where (IMO) any advice (if at all) on when (or not) to cite this essay should be generalist. Regards, Cinderella157 (talk) 12:07, 11 December 2018 (UTC)
 * Alexis Jazz it is rather rude to deliberately avoid pinging the one person who reverted your addition while suggesting a poll to reinstate it. This essay has been largely untouched since 2005. Indeed the additional sections could do with a trim too. The original page was created along with a talk page note that said "It's short, but says all that is needed. Omit needless words". I suspect its popularity is encouraging some to add their own little thoughts, like too many baubles on a Christmas tree. All the above text does is distract from the point. There's just one point. The recent nonsense about BEANS conflicting with Security through Obscurity is just like a fart in an elevator. Unwelcome at the time, but it has gone the next time you visit. Move along.... -- Colin°Talk 18:12, 11 December 2018 (UTC)


 * I think those analogies are more for adding to the mainspace articles like reverse psychology or Streisand effect as illustrative examples rather than for editors. AngusWOOF  ( bark  •  sniff ) 18:19, 11 December 2018 (UTC)
 * No thanks. The current (short) essay is good. Johnuniq (talk) 22:31, 11 December 2018 (UTC)

Summary
(Here by request.) See strong tendency from editors to prefer to continue with the status quo and to leave the beans alone. Editors may want to save the suggested words of wisdom somewhere, though, for possible future usage on a one-on-one basis when needed with those editors who don't believe in using prophylactics. woops! I guess that would include me.  Paine Ellsworth , ed. put'r there 18:10, 1 January 2019 (UTC)

This is a hilarious policy.
One of my favorites, in fact! Woshiyiweizhongguoren (🇨🇳) 12:48, 29 March 2019 (UTC)

Some clarification for when to use this policy
The main idea of this policy is not to warn people about things they shouldn't do if they haven't done it already, because then that'll give them bad ideas, right?

Well what if I warn people of the consequences in addition to the things they shouldn't do? For example: "Don't stuff beans up your nose, for if you do, they might get stuck up there!" Woshiyiweizhongguoren (🇨🇳) 15:06, 30 March 2019 (UTC)


 * And the purpose of such a warning when there is zero evidence that they had ever even considered stuffing beans up their nose is? Also, your particular example is flawed. Nobody has ever suffocated and died from stuffing beans up their nose. Humans can breathe through their mouths. --Guy Macon (talk) 17:35, 30 March 2019 (UTC)


 * I get what you're saying. Fixed the example. It makes sense, but what if they stuff the beans anyway without knowing the potential dangers of doing so? Wouldn't that be more likely to occur if one doesn't warn them about the dangers than if they give the type of warning described in the policy? I haven't had much first-hand experience of those kinds of scenarios.


 * For an example more relevant to Wikipedia, let's say somebody keeps vandalizing articles, and then some admin threatens to block them if they do it again. Then what if they warn the vandal against abusing their talk page, else they lose its edit access? That's not okay either, isn't it? (Based on what I've read on Blocking policy. If I made an error please inform me.) Woshiyiweizhongguoren (🇨🇳) 18:36, 30 March 2019 (UTC)


 * The way BEANS is usually applied doesn't involve things like talk page abuse by blocked editors. That really doesn't give anyone ideas. It is often used for things like "...and don't create sockpuppets using the WiFi at a local McDonald's. Those are harder to find than sockpuppets created with your home PC." --Guy Macon (talk) 19:03, 30 March 2019 (UTC)


 * Thanks. That's a good idea, might try it. (Just kidding) Woshiyiweizhongguoren (🇨🇳) 12:50, 31 March 2019 (UTC)

Love it
Just wanted to say that this page is awesome! Thanks for the laugh --Signimu (talk) 19:43, 22 October 2019 (UTC)

The Links...
You Can Actually Just Look At The Wiki-Code and See Where The Links Actually Go, Which Somewhat Defeats The Purpose. TypographyFixer (talk) 00:54, 4 August 2019 (UTC)
 * But it's not fun if you're spoiling yourselves --Signimu (talk) 02:00, 23 October 2019 (UTC)