[foaf-dev] FOAF sites offline during cleanup
danbri at danbri.org
Sun Apr 26 22:03:04 CEST 2009
On 26/4/09 19:38, Peter Krantz wrote:
> Hijacking this thread back to the original topic:
Thank you. I have just got back online after a trip, and am rather
dismayed at the state of this discussion. Paula, I thank you for your
attempt at sympathy, but really the analogy with rape and murder was
very poorly chosen. Burglary would have been the more obvious analogy,
and while I can understand this would upset many people I'm more
concerned about where we go from here...
> How can we help? Two important areas to start working with:
> 1. How to get your servers back online in a clean uninfected state and,
Stephane Corlosquet is helping me with that, particularly the Drupal
site. When we are moved over, I would love to find someone who knows
MediaWiki to help keep it up to date, patched etc. I fear that was how
they originally got in, though that isn't confirmed.
> 2. how do we provide security recommendations for people who publish
> semweb data online?
Some points here: recent Java includes APIs for XML Signature. Back in
the early FOAF days we signed FOAF files with PGP, and used a
wot:assurance link from the doc to the output. See
http://usefulinc.com/foaf/signingFoafFiles ... in fact the FOAF spec
used to be signed in this way. I would like to see the most common 100
namespaces at least signed using some profile of XML Signature; this
would allow schemas to be cached and checked, and could help reduce
risks associated with networked retrieval of RDFS/OWL.
Other things I'd like to see:
Everyone else who is hosting RDFS/OWL on machines that also have stuff
like common PHP apps, please take a look at your site management design,
and try to partition things, check software is up to date, check the
site isn't already compromised.
BTW one odd phenomena I noticed this week: the bad links (to viagra
sites) added to my pages were sometimes removed. I wonder if this was
done along some estimate of daylight hours? My site was on US hosting,
and I noticed in the (US) morning the pages were poisoned, in the
evening they seemed OK. So check webserver logs for odd behaviour.
Having the authoritative copy of the RDFS/OWL held elsewhere would be
On the application / tool side, anyone who is loading RDFS/OWL from the
network by derferencing URIs, should work through an example scenario or
two in which the remote data is under malicious control. For example, if
you de-reference FOAF or other schemas, mix it with instance data and
make real-world decisions (eg. access control) based on queries or
inference against that, you should think again (and please get in touch
I think that's plenty to be going along with.
Who wants to take a look at the XML Sig part?
> Anyone who is willing to help out?
> Peter Krantz
More information about the foaf-dev