[foaf-dev] FOAF sites offline during cleanup
danbri at danbri.org
Sun Apr 26 22:23:37 CEST 2009
On 26/4/09 20:45, Hugh Glaser wrote:
> Yes, when Dan has recovered from the more urgent tasks he has, it would be good to have his reflections on what happened.
> I think the primary question I would like to know the answer to is:
> "Was there anything special about it being a "Semweb" site that created a vulnerability."
As far as I can see, no. The FOAF site had a Google Rank of 7, as did my
own danbri.org (before I was kicked from the Google Index for malware
distribution :) so I expect that was the primary incentive.
Also fwiw, my homepage was altered. At no point as far as I can see was
the OpenID markup or RDFa in the page changed. The former is the more
obvious target and in fact would only need to be altered for a few
seconds to be useful.
If anyone is using a URL that they control as an OpenID, note that this
could potentially attract attackers. The SemWeb / microformats angle here
is that your public behaviour associated with that URL is increasingly
easy to find (see Google Social Graph API and sites like Sindice, Qdos
etc.), which makes having control over someone's openid page
I would recommend choosing an openid that is not hosted alongside common
webapps (wordpress, mediawiki, blogging and forum and calendar code,
etc.). Many of us have used homepage and blog URLs for our openid, and
in my case it over-exposed me. I am surely not alone.
> Was it an equivalent of an SQL injection for SPARQL, or maybe it was through a SPARQL endpoint, or something else RDF?
Bad sysadmin. I let updating some old PHP apps stay on the "someday"
pile for too long, I believe (but hard to verify) this is how they got in.
> Or maybe it was "just" a standard hack, and we shouldn't get ourselves over-concerned about the RDFness.
We should concern ourselves about RDFness in a few regards:
* being reminded that any of our sites could fall into the control of
* that those of us hosting schemas should be extra-careful
* that those of us consuming schemas should be extra-careful
* ditto re openids
Generally, if we hope to see RDF, RDFS, OWL etc widely used, we have to
anticipate attacks. This wasn't (as far as I can see) a SemWeb-related
attack, but it is food for thought for everyone working with the technology.
For my part, it is a kick in the backside to get a more professional and
collaborative hosting environment set up. We were getting there slowly
but now things need a thorough makeover. Various of us have also been
tinkering with the digital signature of RDF data for many years. I'd
like to see that story tidied up and become more integrated into
mainstream tooling and practice. Not that digital signatures are going
to magically save us from all risks, but there are tools out there we're
not fully exploiting.
Thanks everyone for the concern and offers of help. It'll take a few
days to figure out the best way to make the Web side of the project more
helpable. In the meantime http://www.w3.org/TR/xmldsig-core/ is worth
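One way to watch for the kind of brief OpenID-markup swap described above, as an added example that is not part of the original mail: it pins the expected OpenID `<link>` elements of a page you control and reports any deviation. The URLs and the tampered page below are constructed placeholders.

```python
# Added example, not from the original mail: pin the OpenID <link> markup of
# a page you control and report any change, so even a brief swap shows up.
from html.parser import HTMLParser

# OpenID 1.1 and 2.0 discovery relations that relying parties read.
OPENID_RELS = frozenset(
    {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"})

class OpenIDLinkParser(HTMLParser):
    """Collect rel -> href for OpenID-related <link> tags."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
            if rel in OPENID_RELS:
                self.links[rel] = (a.get("href") or "").strip()

def check_openid_markup(html, expected):
    """Return findings as strings; an empty list means the markup matches."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    found = parser.links
    findings = []
    for rel in sorted(OPENID_RELS):
        exp, got = expected.get(rel), found.get(rel)
        if exp == got:
            continue
        if exp is None:
            findings.append(f"unexpected {rel} -> {got}")
        elif got is None:
            findings.append(f"missing {rel} (expected {exp})")
        else:
            findings.append(f"changed {rel}: {exp} -> {got}")
    return findings

# Constructed sample: a pinned baseline (placeholder URLs) and a page whose
# delegate link has been pointed elsewhere.
EXPECTED = {"openid.server": "https://openid.example.org/server",
            "openid.delegate": "https://openid.example.org/alice"}
TAMPERED_PAGE = """<html><head><title>home</title>
<link rel="openid.server" href="https://openid.example.org/server">
<link rel="openid.delegate" href="https://attacker-controlled.example/alice">
</head><body>hi</body></html>"""

if __name__ == "__main__":
    print("\n".join(check_openid_markup(TAMPERED_PAGE, EXPECTED)) or "OK")
```

Run it from cron against a fetched copy of your homepage and alert on any non-empty result; a delegate change that lasts only seconds still has to survive at least one fetch to be useful, so poll often.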