- From: Dan Brickley <danbri@danbri.org>
- Date: Sun, 26 Apr 2009 22:03:04 +0200
- To: Peter Krantz <peter.krantz@gmail.com>
- CC: Bijan Parsia <bparsia@cs.manchester.ac.uk>, paola.dimaio@gmail.com, foaf-dev Friend of a <foaf-dev@lists.foaf-project.org>, foaf-protocols@lists.foaf-project.org, Semantic Web <semantic-web@w3.org>, Thomas Roessler <tlr@w3.org>
On 26/4/09 19:38, Peter Krantz wrote:
> Hijacking this thread back to the original topic:

Thank you. I have just got back online after a trip, and am rather dismayed at the state of this discussion. Paula, I thank you for your attempt at sympathy, but really the analogy with rape and murder was very poorly chosen. Burglary would have been the more obvious analogy, and while I can understand this would upset many people, I'm more concerned about where we go from here...

> How can we help? Two important areas to start working with:
>
> 1. How to get your servers back online in a clean uninfected state and,

Stephane Corlosquet is helping me with that, particularly the Drupal site. When we are moved over, I would love to find someone who knows MediaWiki to help keep it up to date, patched etc. I fear that was how they originally got in, though that isn't confirmed.

> 2. how do we provide security recommendations for people who publish
> semweb data online?

Some points here: recent Java includes APIs for XML Signature. Back in the early FOAF days we signed FOAF files with PGP, and used a wot:assurance link from the doc to the output. See http://usefulinc.com/foaf/signingFoafFiles ... in fact the FOAF spec used to be signed in this way. I would like to see the most common 100 namespaces at least signed using some profile of XML Signature; this would allow schemas to be cached and checked, and could help reduce risks associated with networked retrieval of RDFS/OWL.

Other things I'd like to see: everyone else who is hosting RDFS/OWL on machines that also have stuff like common PHP apps, please take a look at your site management design, and try to partition things, check software is up to date, check the site isn't already compromised.

BTW, one odd phenomenon I noticed this week: the bad links (to viagra sites) added to my pages were sometimes removed. I wonder if this was done along some estimate of daylight hours? My site was on US hosting, and I noticed in the (US) morning the pages were poisoned, in the evening they seemed OK. So check webserver logs for odd behaviour. Having the authoritative copy of the RDFS/OWL held elsewhere would be prudent.

On the application / tool side, anyone who is loading RDFS/OWL from the network by dereferencing URIs should work through an example scenario or two in which the remote data is under malicious control. For example, if you de-reference FOAF or other schemas, mix it with instance data and make real-world decisions (eg. access control) based on queries or inference against that, you should think again (and please get in touch with me).

I think that's plenty to be going along with. Who wants to take a look at the XML Sig part?

cheers,

Dan

> Anyone who is willing to help out?
>
> Regards,
>
> Peter Krantz
Received on Sunday, 26 April 2009 20:03:47 UTC
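The scenario Dan asks tool authors to work through (a schema fetched by dereferencing a URI, mixed with instance data, feeding an access-control decision), and the mitigation he proposes (check the schema against a signature before caching and using it), as an added worked example. This code is not from the mail, the FOAF project or any library; the `ex:` namespace, the triples, the toy one-triple-per-line format and the use of a pinned SHA-256 digest in place of a PGP or XML Signature verification are all assumptions made for illustration.

```python
"""Added example: a network-fetched RDFS schema under attacker control can
silently change an access-control decision made by RDFS inference, and an
integrity check on the schema (pinned digest here, standing in for a
PGP / XML Signature verification) stops it. Everything below is constructed
for illustration; nothing is from the original mail or the FOAF project."""
import hashlib

RDFS_SUBPROP = "rdfs:subPropertyOf"

# Constructed schema in a deliberately minimal "s p o" line format
# (one triple per line, whitespace-separated); this is not real N-Triples.
TRUSTED_SCHEMA = """\
ex:adminOf rdfs:subPropertyOf ex:memberOf
"""

# The same schema as an attacker who controls the schema host would serve it:
# one extra triple makes every member an admin after inference.
TAMPERED_SCHEMA = TRUSTED_SCHEMA + "ex:memberOf rdfs:subPropertyOf ex:adminOf\n"

# Constructed instance data the application already trusts.
INSTANCE_DATA = """\
ex:alice ex:memberOf ex:project
ex:bob ex:adminOf ex:project
"""

# Digest of the schema as reviewed and pinned out of band. Assumption: this
# plays the role a PGP or XML Signature check would play; the argument is
# the same for any offline-verifiable integrity mechanism.
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_SCHEMA.encode()).hexdigest()


def parse(text):
    """Parse the toy triple format into a set of (s, p, o) tuples."""
    triples = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s, p, o = line.split()
        triples.add((s, p, o))
    return triples


def load_schema(text, expected_sha256):
    """Refuse to use a schema whose digest does not match the pinned value."""
    actual = hashlib.sha256(text.encode()).hexdigest()
    if actual != expected_sha256:
        raise ValueError("schema integrity check failed: %s" % actual)
    return parse(text)


def rdfs_closure(graph):
    """Apply rdfs5 (subPropertyOf is transitive) and rdfs7 (a triple with a
    sub-property also holds for the super-property) until nothing new appears."""
    graph = set(graph)
    while True:
        new = set()
        subs = [(p, q) for (p, pred, q) in graph if pred == RDFS_SUBPROP]
        for (p, q) in subs:
            for (q2, pred, r) in graph:
                if pred == RDFS_SUBPROP and q2 == q:
                    new.add((p, RDFS_SUBPROP, r))
            for (s, pred, o) in graph:
                if pred == p:
                    new.add((s, q, o))
        new -= graph
        if not new:
            return graph
        graph |= new


def can_admin(schema, user, resource):
    """The real-world decision: is (user, ex:adminOf, resource) entailed?"""
    graph = rdfs_closure(schema | parse(INSTANCE_DATA))
    return (user, "ex:adminOf", resource) in graph


def decisions_with(schema_text, verify=True):
    """Run both users through the admin check using the given schema text.
    Returns (alice_is_admin, bob_is_admin), or 'rejected' if the integrity
    check fails."""
    try:
        schema = load_schema(schema_text, TRUSTED_DIGEST) if verify else parse(schema_text)
    except ValueError:
        return "rejected"
    return (can_admin(schema, "ex:alice", "ex:project"),
            can_admin(schema, "ex:bob", "ex:project"))


if __name__ == "__main__":
    print("trusted schema:             ", decisions_with(TRUSTED_SCHEMA))
    print("tampered, no verification:  ", decisions_with(TAMPERED_SCHEMA, verify=False))
    print("tampered, with verification:", decisions_with(TAMPERED_SCHEMA))
```

With the trusted schema only bob is an admin; with the tampered schema loaded unverified, alice becomes one too, because the injected `subPropertyOf` triple is indistinguishable from legitimate vocabulary once it is in the graph. The verified load rejects the tampered copy before inference runs, which is the point of signing the commonly used namespaces and checking them at fetch time rather than trusting whatever the URI currently resolves to.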