Re: EPUBZone - hacked / disposition? (URGENT) from Jeff Jaffe on 2018-05-25 (public-publishing-sc@w3.org from May 2018)

From: Jeff Jaffe <jeff@w3.org>
Date: Fri, 25 May 2018 14:06:59 -0400
To: Bill McCoy <bmccoy@w3.org>, 'W3C Publishing Steering Committee' <public-publishing-sc@w3.org>
Cc: 'Karen Myers' <karen@w3.org>, 'Alan Bird' <alan.bird@w3.org>, 'Ralph Swick' <swick@w3.org>, 'W3C Team Digital Publishing' <team-dig-publishing@w3.org>, Coralie Mercier <coralie@w3.org>, W3C Comm Team <w3t-comm@w3.org>, Vivien Lacourba <vivien@w3.org>, Systems Team <w3t-sys@w3.org>
Message-ID: <894ad63b-56d3-91e8-70a3-df538bcdff96@w3.org>

Adding Comm and SysTeam folks - who might want to weigh in.

Jeff


On 5/25/2018 1:42 PM, Bill McCoy wrote:
>
> Hi Pub SC folks,
>
> Sarah Hilderley who was coordinator for EPUBZone pre IDPF-W3C 
> combination recently noticed and reported that the site seems to have 
> been hacked, showing non-related content and ads. Looks moderately 
> benign but not good and there may be nastier malware lurking under the 
> surface (so if you visit http://www.epubzone.org/ don’t click on 
> anything!!).
>
>
> This website and domain was an explicit part of asset transfer from 
> IDPF to W3C. Early last year (immediately after combination) W3C Comm 
> team didn’t feel it made sense for us to maintain it as a separate 
> identity given the resource cost of so doing, so it’s just been 
> getting stale while it was unclear what to do with it.
>
> Given the hack, we now urgently need to decide and execute on a 
> transition. We could shut it down altogether, for example redirecting 
> the URL to w3.org/publishing, we could statically archive it 
> (presumably an earlier backup as untangling the malware from the 
> Drupal CMS could be challenging) as is planned with IDPF.org (at the 
> moment IDPF.org is hosted on the same infrastructure as epubzone.org 
> so we are just lucky it hasn’t been hacked too… yet – that’s a ticking 
> fuse as it the ongoing hosting cost), or we could identify a third 
> party who wanted to take it on as an independent site (so far in my 
> understanding no one has offered to do that, but we haven’t 
> proactively asked anyone either). I believe W3C management isn’t 
> fussed about the direction as long as within the parameters that it 
> won’t have ongoing cost to W3C since we’d rather direct our limited 
> resources elsewhere.
>
> This was an agenda topic at a SC call a while back but I believe it 
> was a call I had to miss and the minutes didn’t note anything 
> specific. So I don’t know if it was discussed or if not if anyone has 
> any strong opinions about it.
>
> We could temporarily take the site down to avoid spreading malware and 
> if there’s no consensus relatively immediately I think that’s the path 
> we should take to avoid spreading malware and giving EPUB a black eye.
>
>
> Thanks,
>
> --BillM
>

Received on Friday, 25 May 2018 18:07:04 UTC