[foaf-dev] FOAF sites offline during cleanup

Dan Brickley danbri at danbri.org
Sun Apr 26 22:03:04 CEST 2009 

On 26/4/09 19:38, Peter Krantz wrote:
> Hijacking this thread back to the original topic:

Thank you. I have just got back online after a trip, and am rather 
dismayed at the state of this discussion. Paula, I thank you for your 
attempt at sympathy, but really the analogy with rape and murder was 
very poorly chosen. Burglary would have been the more obvious analogy, 
and while I can understand this would upset many people I'm more 
concerned about where we go from here...

> How can we help? Two important areas to start working with:
>
> 1. How to get your servers back online in a clean uninfected state and,

Stephane Corlosquet is helping me with that, particularly the Drupal 
site. When we are moved over, I would love to find someone who knows 
MediaWiki to help keep it up to date, patched etc. I fear that was how 
they originally got in, though that isn't confirmed.

> 2. how do we provide security recommendations for people who publish
> semweb data online?

Some points here: recent Java includes APIs for XML Signature. Back in 
the early FOAF days we signed FOAF files with PGP, and used a 
wot:assurance link from the doc to the output. See 
http://usefulinc.com/foaf/signingFoafFiles ... in fact the FOAF spec 
used to be signed in this way. I would like to see the most common 100 
namespaces at least signed using some profile of XML Signature; this 
would allow schemas to be cached and checked, and could help reduce 
risks associated with networked retrieval of RDFS/OWL.

Other things I'd like to see:

Everyone else who is hosting RDFS/OWL on machines that also have stuff 
like common PHP apps, please take a look at your site management design, 
and try to partition things, check software is up to date, check the 
site isn't already compromised.

BTW one odd phenomena I noticed this week: the bad links (to viagra 
sites) added to my pages were sometimes removed. I wonder if this was 
done along some estimate of daylight hours? My site was on US hosting, 
and I noticed in the (US) morning the pages were poisoned, in the 
evening they seemed OK. So check webserver logs for odd behaviour. 
Having the authoritative copy of the RDFS/OWL held elsewhere would be 
prudent.

On the application / tool side, anyone who is loading RDFS/OWL from the 
network by derferencing URIs, should work through an example scenario or 
two in which the remote data is under malicious control. For example, if 
you de-reference FOAF or other schemas, mix it with instance data and 
make real-world decisions (eg. access control) based on queries or 
inference against that, you should think again (and please get in touch 
with me).

I think that's plenty to be going along with.

Who wants to take a look at the XML Sig part?

cheers,

Dan

> Anyone who is willing to help out?
>
> Regards,
>
> Peter Krantz
>

More information about the foaf-dev mailing list