- From: Dan Brickley <danbri@danbri.org>
- Date: Sun, 26 Apr 2009 22:23:37 +0200
- To: Hugh Glaser <hg@ecs.soton.ac.uk>
- CC: Peter Krantz <peter.krantz@gmail.com>, Bijan Parsia <bparsia@cs.manchester.ac.uk>, "paola.dimaio@gmail.com" <paola.dimaio@gmail.com>, foaf-dev Friend of a <foaf-dev@lists.foaf-project.org>, "foaf-protocols@lists.foaf-project.org" <foaf-protocols@lists.foaf-project.org>, Semantic Web <semantic-web@w3.org>, Thomas Roessler <tlr@w3.org>
On 26/4/09 20:45, Hugh Glaser wrote:

> Yes, when Dan has recovered from the more urgent tasks he has, it would be good to have his reflections on what happened.
>
> I think the primary question I would like to know the answer to is:
> "Was there anything special about it being a "Semweb" site that created a vulnerability."

As far as I can see, no. The FOAF site had a Google Rank of 7, as did my own danbri.org (before I was kicked from the Google Index for malware distribution :) so I expect that was the primary incentive.

Also fwiw, my homepage was altered. At no point as far as I can see was the OpenID markup or RDFa in the page changed. The former is the more obvious target and in fact would only need to be altered for a few seconds to be useful. If anyone is using a URL that they control as an OpenID, note that this could potentially attract attackers. The SemWeb / microformats angle here is that your public behaviour associated with that URL is increasingly easy to find (see Google Social Graph API and sites like Sindice, Qdos etc.), which makes having control over someone's openid page increasingly valuable. I would recommend choosing an openid that is not hosted alongside common webapps (wordpress, mediawiki, blogging and forum and calendar code, etc.). Many of us have used homepage and blog URLs for their openid, and in my case it over-exposed me. I am surely not alone.

> Was it an equivalent of an SQL injection for SPARQL, or maybe it was through a SPARQL endpoint, or something else RDF?

Bad sysadmin. I let updating some old PHP apps stay on the "someday" pile for too long. I believe (but hard to verify) this is how they got in.

> Or maybe it was "just" a standard hack, and we shouldn't get ourselves over-concerned about the RDFness.
We should concern ourselves about RDFness in a few regards:

* being reminded that any of our sites could fall into the control of malicious parties
* that those of us hosting schemas should be extra-careful
* that those of us consuming schemas should be extra-careful
* ditto re openids

Generally, if we hope to see RDF, RDFS, OWL etc widely used, we have to anticipate attacks. This wasn't (as far as I can see) a SemWeb-related attack, but it is food for thought for everyone working with the technology. For my part, it is a kick in the backside to get a more professional and collaborative hosting environment set up. We were getting there slowly but now things need a thorough makeover.

Various of us have also been tinkering with the digital signature of RDF data for many years. I'd like to see that story tidied up and become more integrated into mainstream tooling and practice. Not that digital signatures are going to magically save us from all risks, but there are tools out there we're not fully exploiting.

Thanks everyone for the concern and offers of help. It'll take a few days to figure out the best way to make the Web side of the project more helpable. In the meantime http://www.w3.org/TR/xmldsig-core/ is worth some attention!

cheers,

Dan

--
data:text/html;charset=utf-8,%3Chtml%20lang%3D%22en%22%3E%0D%0A%3Chead%3E%3Ctitle%3Edanbri%20tmp%20homepage%3C%2Fhead%3E%0D%0A%3Cbody%3E%3Ch1%3EBack%20soon...%3C%2Fh1%3E%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0D%0A
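The point above about OpenID delegation markup needing to be altered only briefly to be useful suggests a simple defender check: pin the expected `openid.server` / `openid.delegate` link elements of your identity page and alert on any deviation. The following is an added example written for this thread, not code from the original post or from any FOAF project; the HTML samples and the `example.org` / `rogue.example` URLs are constructed for illustration.

```python
"""Detect tampering of OpenID delegation markup on an identity page.

Pins the <link rel="openid.*"> hrefs a page is expected to carry and reports
missing, changed or unexpected ones. Run it from a cron job or monitor
against a fetched copy of your own OpenID page.
"""
from html.parser import HTMLParser

# rel values that control where an OpenID login for this page is routed
OPENID_RELS = {"openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id"}


class OpenIDLinkParser(HTMLParser):
    """Collect href per OpenID-related rel token found in <link> elements."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        # rel may hold several space-separated tokens; record each one
        for rel in (a.get("rel") or "").lower().split():
            if rel in OPENID_RELS and href:
                self.links[rel] = href


def extract_openid_links(html):
    parser = OpenIDLinkParser()
    parser.feed(html)
    return parser.links


def check_openid_page(html, expected):
    """Compare the page's OpenID links to a pinned baseline.

    Returns a list of human-readable findings; an empty list means the
    delegation markup matches exactly what was pinned.
    """
    found = extract_openid_links(html)
    findings = []
    for rel, href in expected.items():
        if rel not in found:
            findings.append(f"missing {rel}")
        elif found[rel] != href:
            findings.append(f"{rel} changed: {found[rel]!r}")
    for rel in found:
        if rel not in expected:
            findings.append(f"unexpected {rel}: {found[rel]!r}")
    return findings
```

A baseline should be recorded once from a page you have verified by hand, and any non-empty result treated as a compromise of the hosting account until shown otherwise.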
Received on Sunday, 26 April 2009 20:24:20 UTC