Re: FOAF sites offline during cleanup

Reposting my reply without the contentious analogy, as suggested

Additional information about research on the psychological and emotional
abuse in relation to server and email hacks is available on request

Apologies to whoever was offended by me sharing my personal response to this
kind of experience

PDM


On Sun, Apr 26, 2009 at 2:07 PM, <paola.dimaio@gmail.com> wrote:

> Hi Dan
>
> thanks for the update, you mentioned something of the kind last week.
>
> I once researched and published an article for IT Week, ZDNet; it must have been
> over ten years ago, about hacker culture. I don't remember the name of the guy
> who spoke to me, but he had started a small security firm somewhere around
> London. He explained all about red hats and black hats etc.
> It was an extremely informative experience.
>
> He told me that when someone hacks our site, they are often 'doing us a favour'.
> I thought the guy was being sarcastic but he was serious; I understood
> later
>
> He explained that too often people disregard security matters etc etc
> (because they are busy concentrating on the front end or other matters
> perhaps?) and bringing down their sites was the only way to make them face
> the fact that their servers and systems had simply not been secure enough, and
> obviously nobody was paying attention
>
> Many of us have been busy elsewhere, but I think this experience should be
> a learning one, if anything
>
> I was wondering why the emphasis was on FOAF+SSL lately, and today I went
> to do some reading, there is some recent literature that maybe we should
> catch up with
>
> I think if FOAF was *my* baby I would try to find out who hacked it or at
> least how, and reverse engineer the security strategy from a vulnerability
> assessment. Get hackers to do vulnerability assessment, was the bottom
> line of that article
>
> I don't know enough about how the servers were set up to give input, but let me
> find them guys again
>
> search for ' FOAF exploit'
>
> http://www.vupen.com/english/advisories/2006/4009
>
> http://www.milw0rm.com/exploits/2506
>
> On Sun, Apr 26, 2009 at 1:31 PM, Dan Brickley <danbri@danbri.org> wrote:
>
>>
>> The server hosting several FOAF related sites has been compromised.
>>
>> I am taking everything offline until I can be 100% sure we are clean of
>> malicious PHP and suchlike (and moved to Amazon EC2 hosting). Apologies for
>> any inconvenience. My own site at danbri.org is also affected.
>>
>> The Subversion files behind the FOAF spec and other materials are on a
>> different machine, and remain online. See:
>>
>> http://svn.foaf-project.org/foaf/trunk/xmlns.com/htdocs/foaf/
>>
>> I will send a status update to foaf-dev, foaf-protocols and semantic-web at
>> the end of the week.
>>
>> In the meantime, I would like everyone on these lists to think about
>> strategies for reducing our exposure to hacked RDF schemas. I believe the
>> best approach today is to use a subset of XML Signature, and have talked
>> with Thomas Roessler (cc:'d) a bit during WWW2009 about what such a spec and
>> toolset might look like. I expect to continue and track that conversation
>> through the new W3C SocialWeb incubator group.
>>
>> I'll keep you all posted. Apologies for any inconvenience.
>>
>> Dan
>>
>>
>

-- 
Paola Di Maio,
****************************************
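Dan's request above is for strategies that keep consumers from trusting a schema that was altered on a compromised host. The following is an added example, not code from anyone on this thread or from the FOAF project: it shows the consumer-side check such a strategy needs, using a published manifest of content digests as a stand-in for the XML Signature subset Dan mentions (a real deployment would sign the manifest with the publisher's key; plain digest pinning is used here only so the example runs with the Python standard library). The schema URI, the RDF/XML fragment and the tampered copy are all constructed for the example.

```python
"""Consumer-side integrity check for a fetched RDF schema (constructed example).

Publisher side: record a SHA-256 digest of each schema at release time.
Consumer side: refuse to parse or load a schema whose digest does not
match the pinned value, so a copy modified on a compromised web host
is rejected before any of its triples are used.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, List

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS_NS = "http://www.w3.org/2000/01/rdf-schema#"

# Hypothetical schema URI used as the manifest key.
SCHEMA_URI = "http://example.org/vocab#"

# Constructed sample: a minimal RDF/XML vocabulary in the style of a FOAF schema.
GOOD_SCHEMA = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <rdfs:Class rdf:about="http://example.org/vocab#Person">
    <rdfs:label>Person</rdfs:label>
  </rdfs:Class>
</rdf:RDF>
"""

# Constructed tampered copy: the same file with an injected rdfs:seeAlso
# that would steer consumers to a host the publisher never referenced.
TAMPERED_SCHEMA = GOOD_SCHEMA.replace(
    b"</rdfs:Class>",
    b'</rdfs:Class>\n  <rdfs:seeAlso rdf:resource="http://injected.example/"/>',
)


def digest(schema_bytes: bytes) -> str:
    """Hex SHA-256 of the exact bytes served; no canonicalisation is attempted."""
    return hashlib.sha256(schema_bytes).hexdigest()


def publish_manifest(schemas: Dict[str, bytes]) -> Dict[str, str]:
    """Publisher side: map each schema URI to the digest of its released bytes."""
    return {uri: digest(data) for uri, data in schemas.items()}


def verify_schema(schema_bytes: bytes, uri: str, manifest: Dict[str, str]) -> bool:
    """Consumer side: True only if the fetched bytes match the pinned digest.

    An unknown URI is treated as a failure rather than silently trusted.
    """
    expected = manifest.get(uri)
    if expected is None:
        return False
    return hmac.compare_digest(expected, digest(schema_bytes))


def load_schema(schema_bytes: bytes, uri: str, manifest: Dict[str, str]) -> List[str]:
    """Parse the schema and return its class URIs, but only after verification.

    The XML parser is never invoked on unverified bytes, so a tampered
    schema cannot influence the consumer even through parser behaviour.
    """
    if not verify_schema(schema_bytes, uri, manifest):
        raise ValueError(f"schema {uri} failed integrity check; refusing to load")
    root = ET.fromstring(schema_bytes)
    return [el.get(f"{{{RDF_NS}}}about") for el in root.iter(f"{{{RDFS_NS}}}Class")]


# Manifest the publisher would ship alongside (or sign and ship with) the schema.
MANIFEST = publish_manifest({SCHEMA_URI: GOOD_SCHEMA})


if __name__ == "__main__":
    print("good copy verifies:", verify_schema(GOOD_SCHEMA, SCHEMA_URI, MANIFEST))
    print("tampered copy verifies:", verify_schema(TAMPERED_SCHEMA, SCHEMA_URI, MANIFEST))
    print("classes in good copy:", load_schema(GOOD_SCHEMA, SCHEMA_URI, MANIFEST))
```

The check deliberately hashes the bytes as served rather than a canonical form: a schema published at a fixed URI can be pinned byte-for-byte, and any canonicalisation step would only widen what an attacker could change without detection. Digest pinning alone does not tell the consumer where the manifest came from; that is the gap an XML Signature over the manifest (or the schema itself) would close.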

Received on Sunday, 26 April 2009 17:21:47 UTC