nharkins' Journal

Below are the 2 most recent journal entries recorded in nharkins' LiveJournal:

    Friday, September 9th, 2005
    1:00 pm
    wouldn't it be funny if... (I like irony)
    ...all the animal testing done by humans
    ultimately makes animals more resistant
    to all kinds of bad stuff that eventually
    kills us, so they survive some horrible
    bio/chemical cataclysm that we don't.

    Sunday, August 21st, 2005
    5:22 pm
    foaf:mbox_sha1sum seems kind of silly, in context.
    Looked at the FOAF spec today.

    While overall intrigued, one small detail set my mind wandering
    (as I just started at SixApart, and am currently fighting comment and
    trackback spam on TypePad, I often have to think like the enemy).

    Once I reeled my brain in to assess the thought tree,
    this is the conclusion that popped out (along with
    some other cool realizations below):

    foaf:mbox_sha1sum seems kind of silly, in context.

    The point of FOAF is to obtain related public data for a person,
    like first name, last name, nicknames(!), webpage locations
    (domains registered?). It would be trivial for a spammer
    to crawl the foaf-space, and generate SHA1s of the first
    thousand or so permutations of first/last/nick @gmail.com
    (or the domain of your webpage, which might not
    have spam filters comparable to gmail ;) to compare
    to the mbox_sha1sum in your foaf.rdf.
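    To make the point concrete, here is a small self-check in Python, added here and not part of the original entry or the FOAF spec: it computes mbox_sha1sum the way FOAF defines it (SHA-1 of the full mailto: URI), builds the name-derived address guesses a crawler would try from the public names in a FOAF file, and reports whether a published hash is recoverable from them. The names, nicknames and domains below are constructed sample values; the `private_alias` helper is my own suggestion for the forwarding-address idea discussed further down.

```python
import hashlib
import itertools
import secrets


def mbox_sha1sum(address: str) -> str:
    """FOAF mbox_sha1sum: lowercase hex SHA-1 of the full mailto: URI."""
    return hashlib.sha1(f"mailto:{address}".encode("ascii")).hexdigest()


def candidate_addresses(first: str, last: str, nicks, domains):
    """Addresses derivable from the public names in a FOAF file.

    These are the obvious first/last/nick permutations a crawler would
    hash and compare against a published mbox_sha1sum.
    """
    f, l = first.lower(), last.lower()
    local_parts = {f, l, f + l, l + f, f + "." + l, f + "_" + l, f[0] + l}
    local_parts.update(n.lower() for n in nicks)
    for local, domain in itertools.product(sorted(local_parts), domains):
        yield f"{local}@{domain}"


def exposure_check(published_hash: str, first: str, last: str, nicks, domains):
    """Return the guessable address matching the published hash, or None.

    Run this on your own foaf.rdf before publishing: a non-None result
    means the hash offers no real protection for that mailbox.
    """
    for addr in candidate_addresses(first, last, nicks, domains):
        if mbox_sha1sum(addr) == published_hash:
            return addr
    return None


def private_alias(domain: str) -> str:
    """A forwarding alias unrelated to any public name (hypothetical helper).

    Hashing an address like this is the only way mbox_sha1sum stays
    unguessable from the rest of the FOAF file.
    """
    return f"{secrets.token_hex(8)}@{domain}"


if __name__ == "__main__":
    # Constructed sample person and domains; no real mailbox involved.
    names = ("Alice", "Example", ["alice_ex"], ["gmail.com", "example.org"])
    print(exposure_check(mbox_sha1sum("alice.example@gmail.com"), *names))
    print(exposure_check(mbox_sha1sum(private_alias("example.org")), *names))
```

    The first line prints the recovered address; the second prints None, since a random alias is not in any name-derived candidate set.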

    I hate suggesting tactics for spammers, but I believe
    we shouldn't waste time being misled by a false sense
    of security. I've had an email account on well.com
    since I worked there. Someone can easily sign up and
    grab /etc/passwd (it's shadowed), so I don't kid myself
    that spammers can't get my email address. Complicated
    legitimate communication means the spammers are winning.

    I suppose if you're really concerned, use an anonymous
    remailer (do *any* still exist after anon.penet.fi's cred
    was blown away during the scientology fiasco?) address
    that forwards to your own, and hash that. But how
    likely is anyone to know/use that when first joining
    the FOAF web?

    Imagine the bloat of tons of sha1s in each person's main
    FOAF entry. i.e. effectively give every person that might
    mail you their own unique email address to yourself
    that only they should use. A twist on username+folder@domain.
    This is basically the whitelisted email model in FOAF. Blech,
    although if we actually start describing relationships
    (referrals like friendster, linkedin) then we'll effectively
    have that.

    Ideally, once "connected", people will use multiple references
    to each other (email and blog url, and... ?), so "FOAF google"
    will appear to "self-update" because it's always (been)
    triangulating to you. Timestamps on entries would help a lot here.
    I'm surprised I didn't see anything in the spec for that yet,
    although the file timestamp obtained in the http headers
    could suffice.

    The one really cool (or really scary, if you love the matrix movies)
    realization from all of this: updating your foaf is a form of blogging,
    but for The Computers, instead of for humans-that-care<tm> to read.

    Current Mood: analytical