W3C home > Mailing lists > Public > semantic-web@w3.org > April 2009

Re: FOAF sites offline during cleanup

From: Dan Brickley <danbri@danbri.org>
Date: Sun, 26 Apr 2009 22:23:37 +0200
Message-ID: <49F4C2C9.8020509@danbri.org>
To: Hugh Glaser <hg@ecs.soton.ac.uk>
CC: Peter Krantz <peter.krantz@gmail.com>, Bijan Parsia <bparsia@cs.manchester.ac.uk>, "paola.dimaio@gmail.com" <paola.dimaio@gmail.com>, foaf-dev Friend of a <foaf-dev@lists.foaf-project.org>, "foaf-protocols@lists.foaf-project.org" <foaf-protocols@lists.foaf-project.org>, Semantic Web <semantic-web@w3.org>, Thomas Roessler <tlr@w3.org>
On 26/4/09 20:45, Hugh Glaser wrote:
> Yes, when Dan has recovered from the more urgent tasks he has, it would be good to have his reflections on what happened.
> I think the primary question I would like to know the answer to is:
> "Was there anything special about it being a "Semweb" site that created a vulnerability."

As far as I can see, no. The FOAF site had a Google Rank of 7, as did my 
own danbri.org (before I was kicked from the Google Index for malware 
distribution :) so I expect that was the primary incentive.

Also fwiw, my homepage was altered. At no point as far as I can see was 
the OpenID markup or RDFa in the page changed. The former is the more 
obvious target and in fact would only need to be altered for a few 
seconds to be useful.

If anyone is using a URL that they control as an OpenID, note that this 
could potentially attract attacker. The SemWeb / microformats angle here 
is that your public behaviour associated with that URL is increasingly 
easy to find (see Google Social Graph API and sites like Sindice, Qdos 
etc.), which makes having control over someone's openid page 
increasingly valuable.

I would recommend chosing an openid that is not hosted alongside common 
webapps (wordpress, mediawiki, blogging and forum and calendar code, 
etc.). Many of us have used homepage and blog URLs for their openid, and 
in my case it over-exposed me. I am surely not alone.

> Was it an equivalent of an SQL injection for SPARQL, or maybe it was through a SPARQL endpoint, or something else RDF?

Bad sysadmin. I let updating some old PHP apps stay on the "someday" 
pile for too long, I believe (but hard to verify) this is how they got in.

> Or maybe it was "just" a standard hack, and we shouldn't get ourselves over-concerned about the RDFness.

We should concern ourselves about RDFness in a few regards:

  * being reminded that any of our sites could fall into the control of 
malicious parties
  * that those of us hosting schemas should be extra-careful
  * that those of us consuming schemas should be extra-careful
  * ditto re openids

Generally, if we hope to see RDF, RDFS, OWL etc widely used, we have to 
anticipate attacks. This wasn't (as far as I can see) a SemWeb-related 
attack, but it is food for thought for everyone working with the technology.

For my part, it is a kick in the backside to get a more professional and 
collaborative hosting environment set up. We were getting there slowly 
but now things need a thorough makeover. Various of us have also been 
tinkering with the digital signature of RDF data for many years. I'd 
like to see that story tidied up and become more integrated into 
mainstream tooling and practice. Not that digital signatures are going 
to magically save us from all risks, but there are tools out there we're 
not fully exploiting.

Thanks everyone for the concern and offers of help. It'll take a few 
days to figure out the best way to make the Web side of the project more 
helpable. In the meantime http://www.w3.org/TR/xmldsig-core/ is worth 
some attention!



Received on Sunday, 26 April 2009 20:24:20 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 08:45:11 UTC