Dr. Roy Spencer’s climate website has been hacked


I have confirmed that www.drroyspencer.com has been hacked and rendered inoperable.

Dr. Spencer confirms this in an email exchange with me this AM and writes:

“Apparently some Indonesian female hacker.”

Whether this is a direct attack on his views about climate, an indirect attack via a hired gun, or just some kid looking to hold up a trophy for others to see is unclear at this point.

It does point, though, to the risks of running an independent server. My best advice to anyone in the climate issue is to run on wordpress.com rather than an independent server, as they keep everything running smoothly and up to date against the latest security threats.

82 thoughts on “Dr. Roy Spencer’s climate website has been hacked”

  1. I feel for Roy. It’s very upsetting when something you’ve put a lot of time and effort into gets vandalised. Here’s hoping he can get a resolution sorted out quickly.

  2. Ah, Dr. Spencer will be the Modern C.S. Lewis as he writes the CRUTape Letters. The similarity between the Character Screwtape and the CRUTape bunch is merely deliberately delicious. (Apologies to the people on the “unread in the classics” end of the spectrum.)

    Max

  3. About WordPress’ competence, WP requires reduction of PC security beyond my comfort zone, and requires acceptance of locally stored objects that I will not allow – cookies, persistent identity elements and document objects. Why is evil behavior by a hacker acceptable when it is required for a benefit?

    Read Jonathan Zittrain’s The Future of the Internet – And How to Stop IT ~350 pages

    http://futureoftheinternet.org/static/ZittrainTheFutureoftheInternet.pdf

  4. It was not really a hack. It was just some grad student looking for Dr. Trenberth’s missing heat.

  5. To me, mischievous hacking, deliberate and sustained sabotage, or another Carrington event are a far greater threat to our way of life than the difficult to discern climate change.

    tonyb

  6. Gabby did it! I discovered yesterday, Feb 27, every time I tried to access Dr. Spencer’s website a short message by Gabby came up on my screen.

  7. Has anyone else noticed that incidences of hacking have risen in step with increases in CO2? We are seeing more and more examples of extreme hacking. Soon, we will reach the point of no return. The modern world is going to be destroyed by runaway hacking unless we smarten up and destroy it first by prohibiting the use of fossil fuels.

  8. The problem with using the corporate “cloud” services – WordPress, Blogger, Amazon EC3, etc – is that they are highly susceptible to political pressure.

    You only have to look at what one letter from an asshat senator did to Wikileaks relationship with Amazon and PayPal to see that.

    There’s no easy way to be a dissenter.

    “In the Empire of Lies, truth is treason” – and treason is a dangerous occupation.

  9. Gary is correct, I haven’t been proactive about site security. My Bad. I guess assuming I’ve been flying under most persons’ radar can cause a collision with a mountain.

  10. Looking at the page source, it would appear the Title metatag was hacked and loads a flash song from http://flash-mp3-player.net/. If he can still login to the backend and remove the title tag from the settings, he should be good to go. If they inserted the title tag into the WP template.php page, he may have bigger issues and need to FTP into his site to remove the tags. But based on viewing the page source, his info and database appear to be intact.

  11. “I think it was KISS!”

    Skillet, “an American Christian rock band formed in Memphis, Tennessee in 1996”, according to wikipedia.

  12. Stuck-Record says:
    February 28, 2013 at 8:58 am

    Can we have a 2-year long investigation by Norfolk police please?
    ———————————————————————————————–

    Not forgetting assistance from the Anti-terrorist Branch, S-R ;)

    Joking aside, I do believe there’s a valid argument for the police to take invasion of private space / servers more seriously than invasion of corporate ones (individuals have fewer resources to protect themselves so are more deserving of protection by Society) but I doubt it’ll catch on!

  13. Sigh….. If you are going to self host, you should *at least* use ZBblock out of the box. You don’t have to use all my extra signatures.

    The rate of *attempted* hackage at any self hosted WP blog is enormous.

    Looking at the page source, it seems that the WP installation must still be there because I can see the text of the page below some extra crap. Gabby just injected something that’s preventing it from displaying. Someone ought to be able to scan his files, database and so on and get it back up pretty quickly.
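Comments 10 and 13 both spot the defacement in the page source: injected markup that pulls a remote player, sitting above the real page content, which is still there underneath. The following is an added example, not code from the post or any commenter, of the check a site owner can run against a saved copy of their own page source: it lists every host the page fetches resources from, flags any host not on the site's allowlist, and reports plugin-content tags (embed/object) that a blog page normally never carries. The sample page, the injected host name and the allowlist are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch something from the named URL.
RESOURCE_ATTRS = {
    "script": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "iframe": ("src",),
    "link": ("href",),
    "img": ("src",),
    "param": ("value",),   # <param name="movie" value="..."> inside <object>
}

# Tags that load browser plugin content (Flash and friends); worth a look on any blog page.
PLUGIN_TAGS = {"embed", "object"}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every resource-loading attribute and notes plugin tags."""

    def __init__(self):
        super().__init__()
        self.resources = []     # (tag, url) pairs in document order
        self.plugin_tags = []   # embed/object tags seen anywhere in the page

    def handle_starttag(self, tag, attrs):
        if tag in PLUGIN_TAGS:
            self.plugin_tags.append(tag)
        for wanted in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self.resources.append((tag, value))


def scan_page(html_text, allowed_hosts):
    """Return a report of hosts referenced, (tag, host) pairs off the allowlist, and plugin tags."""
    parser = ResourceCollector()
    parser.feed(html_text)
    parser.close()
    allowed = {h.lower() for h in allowed_hosts}
    hosts = set()
    unexpected = []
    for tag, url in parser.resources:
        host = urlparse(url).netloc.lower()
        if not host:            # relative URL: same-origin, nothing to check
            continue
        hosts.add(host)
        if host not in allowed:
            unexpected.append((tag, host))
    return {
        "hosts": sorted(hosts),
        "unexpected": sorted(set(unexpected)),
        "plugin_tags": parser.plugin_tags,
    }


# Constructed sample: the site's own stylesheet and a permitted CDN, plus an injected
# <embed> pulling a player from an unrelated host (placeholder name, not a real site).
SAMPLE_PAGE = """<html><head>
<title>Roy Spencer, PhD</title><embed src="http://injected.example/player.swf" autostart="true">
<link rel="stylesheet" href="/wp-content/themes/theme/style.css">
<script src="//cdn.example-allowed.net/jquery.js"></script>
</head><body><p>Real post content still here.</p></body></html>"""

ALLOWED = ["www.drroyspencer.com", "cdn.example-allowed.net"]   # constructed allowlist

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE, ALLOWED)
    for tag, host in report["unexpected"]:
        print(f"<{tag}> loads from unexpected host: {host}")
    if report["plugin_tags"]:
        print("plugin content present:", ", ".join(report["plugin_tags"]))
```

Run it against a fresh `curl` of the page after every theme or plugin update and keep the allowlist in version control; a new host appearing in the report is the fastest signal that something was injected into the template or the settings table.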

  14. Stuck-Record says:
    February 28, 2013 at 8:58 am
    Can we have a 2-year long investigation by Norfolk police please?

    They would love that, I hear the UK is thinking of making some gov people redundant, aka laid off. Trying to recall the Detective that called me over the climategate thing, Scott Baker? Seemed a nice chap, good luck Sir.

  15. Probably because February’s 2013 anomaly is going to come in at about +0.25C down from 0.5C last month. They cannot stand the heat LOL. I’m sure Dr Spencer’s site will be up and running soon.

  16. Re: Max Hugoson @ 8:49 — “Ah, Dr. Spencer will be the Modern C.S. Lewis as he writes the CRUTape Letters. ” Belly laugh of the day – a devilishly fine comment!

  17. I noticed that it was hacked yesterday and this morning, but I just checked drroyspencer.com at 1:27 EST and it looks fine.

  18. I noticed that the site was hacked yesterday and this morning, but I checked at 1:27 p.m. EST today and it looks like it’s already back!

  19. Scuzza Man (@ScuzzaMan) says: February 28, 2013 at 9:48 am “There’s no easy way to be a dissenter. “In the Empire of Lies, truth is treason” – and treason is a dangerous occupation.”

    “You do not become a “dissident” just because you decide one day to take up this most unusual career. You are thrown into it by your personal sense of responsibility, combined with a complex set of external circumstances. You are cast out of the existing structures and placed in a position of conflict with them. It begins as an attempt to do your work well, and ends with being branded an enemy of society. (Vaclav Havel, The Power of the Powerless, Living in Truth,1986)”

  20. lucia liljegren (@lucialiljegren) says:
    February 28, 2013 at 10:03 am
    Gabby just injected something that’s preventing it from displaying.
    Isn’t the bigger issue how she did that on Roy’s local server?

  21. My best advice to anyone in the climate issue is to run on wordpress.com rather than an independent server

    With all due respect Anthony, I completely disagree with you. I have been in this business (IT industry) for more than 25 years. In that time I have owned and operated hosting companies large and small. My forte is systems architecture and applications programming, from back-end to front-end, various scale applications from tiny to huge, on a variety of systems and environments that run the gamut. One thing I have learned in all of these years, running on widely popular application platforms (especially when open to public networks, i.e. the Internet) significantly increases the likelihood of an attack or exploit. One only needs to look at Microsoft’s virus history to see this clearly. There are many reasons why this is so, and I won’t get into details as I have not the time to be giving a CompSci 101 lesson here. I can think of many applications much less vulnerable than WordPress.

  22. From Roy’s website:
    After my first experience getting hacked, I am back up. Thanks to my developer, Jamon at Clearsightstudio.com, who also installed a new security plugin. Shouldn’t happen again.

  23. I hope Dr Spencer’s site is up and running okay now. Nice work by Thomas and others to so quickly spot ways around the problem – I wouldn’t know where to start.

    BTW, Anthony, for my own blog, which is small and has nothing to do with climate politics (I’m a science fiction author), I chose WordPress.com precisely on your recommendation after Jo Nova’s site was repeatedly hacked. I’m sure others with more important sites have used that advice, too. Just wanted to say thanks.

    As for any site that goes down, in my opinion if the person behind it is still up and running, then the site is still what it is and will build back to its former glory. If WUWT was wiped away, for instance, you are still Anthony Watts, you still do what you do, you still have all your contacts and your entire world-wide audience. If you opened from scratch, the site would still be WUWT with exactly the same style and nature, even if it was “thinner”. I know it wouldn’t happen like this because I’m fairly sure you back up your site and files regularly, but you see what I’m saying.

    Such hackers – or those behind the hackers – are trying to crush the spirit of the person running the site. From what I’ve learned coming here and visiting like sites, you guys and gals are uncrushable. So the hackers are wasting their time, and anyone paying for such a hit-job is wasting their money.

    Keep up the good work – everyone – we are winning. :)

  24. It was possible to google for distinctive features of the replacement page and I have found that all kinds of pages were hacked the same way. So I don’t think it was some kind of anti-skeptic attack, it was much more likely completely random.

  25. Agree with the comment on WordPress security and common platforms. It’s literally a numbers game for the hackers, no point trying to hack one-off sites when there are millions of WordPress sites to crawl through. If you run any sort of website you will be common with scripts that hit your site looking for ‘weaknesses’. Also a lot of the plug-ins for WordPress are not written to the same high standard as the core code.

    That said, if you know what you are doing, it is possible to set up Apache and the environment in general to better ‘defend’ against attack. There are quite a few Apache modules which will detect ‘bad’ requests and stop them dead before they get anywhere near the website code.

  26. Scuzza Man (@ScuzzaMan) says:
    February 28, 2013 at 9:48 am
    “The problem with using the corporate “cloud” services – WordPress, Blogger, Amazon EC3, etc – is that they are highly susceptible to political pressure.”

    All US American companies are subject to the Patriot act and must allow American services to access all their data. The company is prohibited from telling the customers that it happened.

    So, as a European, I wouldn’t use an American hosting company. The Patriot Act affects even their data centres located outside the US.

    At least officially, the EU doesn’t have an equivalent to the Patriot Act – for the time being. That doesn’t mean Eurocrats are nice people; maybe they’re just slow.

  27. It is quite clear now that climate change leads to colder-warmer winters, wetter-drier winters, asteroids and website hackings caused by mental illness that stems from climate change.

  28. I did mean to comment about this when it was mentioned in earlier comments.

    First of all this is not a targeted attack. The script kiddy responsible won’t know the eminent Dr Spencer from the Eminem Dr Dre ( see what I did there? no, of course not, you are scientists )

    This is part of an ongoing attack from a basic script in the wild. It comes from an Indonesian girl named gabby who sometimes identifies with a cause to do with the area but mainly it’s a ‘see what and who we can screw up’.

    They look for a certain vulnerability in a blog / host and exploit it if they can. What agenda there may be is never pushed and you can rest assured that this has nothing to do with the site or the climate issue.

    If you look at webstats for other similar sites currently running the same script you will see that there is absolutely nothing to tie them together other than they are on the internet and were vulnerable to a stock script that’s been in the wild for over 12 months.

    It should be easily fixable with a backup and an addition of code to prevent further backdoor intrusion but Dr Spencer would have to take that up with the bedraggled IT types who no doubt periodically help him with this stuff ( that last part, a bit of poking fun. Forgive me I’m returning from a friend’s funeral )
    All in all it’s a grave inconvenience but in the big scheme of things it’s nothing. It’s the web equivalent of having your house TP’d.

  29. lsvalgaard says:

    February 28, 2013 at 10:57 am

    lucia liljegren (@lucialiljegren) says:
    February 28, 2013 at 10:03 am
    Gabby just injected something that’s preventing it from displaying.
    Isn’t the bigger issue how she did that on Roy’s local server?
    ============
    Gabby-gate ?
    (someone knows more than they used to).

  30. lsvalgaard says:

    Isn’t the bigger issue how she did that on Roy’s local server?

    If you want to recover the site, the biggest issue is what has been done to the contents of the server. If you want to protect in future, how the hack was accomplished is the more important issue. Knowing that can help you prevent it. And of course, if you were law enforcement, both would probably be important. You’d probably also want to know when it occurred and know the IP connections and such like.

    If Roy is going to self host– as I do– he should get ZBblock and install it. ZBblock gives a lot of protection against XSS attacks, and various sorts of hacks. It’s not perfect but it takes care of lots of WordPress’s insecure features of which there are plenty for self hosted installations.

    There are occasional incompatibilities between ZBblock and WordPress (I hit one when approving some moderated comments. I have to tell the developer). But ZBblock will give a great deal of protection. I have some other advice for Roy too. But… I’d give that only if he wants it.

  31. Let’s pause and give credit to WordPress, by the way, for their readiness to host and support sites with a vast multiplicity of views.

  32. DirkH,

    “At least officially, the EU doesn’t have an equivalent to the Patriot Act – for the time being. That doesn’t mean Eurocrats are nice people; maybe they’re just slow.”

    Or maybe they think that they already have the power the US Gov gained from the Patriot Act, so an EU equivalent isn’t necessary.

  33. Random or targeted? That would be my primary concern.

    Any anti-skeptic claims of responsibility for the attack on Spencer’s site being made in the small dark backwaters of the slacker / hacker blogs?

    Let’s peek and poke around a little . . . . eh eh eh.

    John

  34. ZootCadillac says:
    February 28, 2013 at 12:01 pm
    “…Forgive me I’m returning from a friend’s funeral )
    All in all it’s a grave inconvenience…”

    I saw what you did there!

  35. I postulate that the only viable career for persons under 24 is as activist; unless you think part-time service employee is a career.

  36. @John Whitman

    Random.

    I found 11 sites currently running the script last night when made aware of it. Many more over the course of about a year. The only thing that they have in common? Their vulnerability to this script.

    It’s kids saying ” hey, your security is crap” and showing you why. Nothing more.

    and at the end of the day if your security won’t deal with a script that has been going around for over a year then yes, it is crap*. Time for a wake up.

    *With the greatest of respect to Dr Spencer as I certainly don’t expect anyone but his army of minions to deal with this :)

  37. ZootCadillac says:

    February 28, 2013 at 2:02 pm

    @John Whitman

    Random.

    = = = = = = =

    ZootCadillac,

    Thanks for your quick research in some of the corners of slacker / hacker land.

    Random does seems a plausible explanation for the hack of Spencer’s site at this point without further info.

    John

  38. lucia liljegren (@lucialiljegren) says February 28, 2013 at 12:23 pm
    ..
    If Roy is going to self host– as I do–

    Hands up – WHO wants to host their own website and spend the time and effort to ‘battle’ the script kiddies, ensure updates are installed and generally ‘supervise’ the whole technical affair including daily readings of the ‘hack’ logs?

    Not I … not my core business nor would I want it to be …

    .

  39. The AP’s Seth Borenstein reports that increases in hacking are completely consistent with climate change.

    :)

  40. squid2112 says February 28, 2013 at 11:00 am

    One thing I have learned in all of these years, running on widely popular application platforms (especially when open to public networks,ie: Internet) significantly increases the likelihood of an attack or exploit. One only needs to look at Microsoft’s virus history to see this clearly.

    One might be inclined to think that exposing a ‘physical’ LAN port directly to the internet on an MS-OS-box is an insane thing to do; there are task-specific firewall ‘boxes’, of course, capable of operating at LAN line rates that trap and censor malformed traffic or any other outright hacking attempts, screening out low-level protocol hack ‘attempts’ before supplying arriving packets to the MS-OS-box … of course, any legitimate-appearing, properly-formatted packets that may be destined to ‘disrupt’ an otherwise operating ‘task’ on said MS-OS-box are another story …

    .

  41. ZootCadillac says:
    February 28, 2013 at 12:01 pm
    This is part of an ongoing attack from a basic script in the wild.
    IMHO one should fault anybody for not ‘running the latest and greatest security’ stuff. As far as I know [correct me if I’m wrong] the Gabby script works because Firefox did not prevent XBL bindings from remote locations in the same way it prevents other active content. This was a bug in Firefox and that is where the blame should be laid. Perhaps this goes back to a flaw in the design of CSS stylesheets, in which case blame moves there. Personally, I’m pissed that one has to ‘protect’ against flaws that should never have been allowed in the first place. Many such things might have been introduced to allow commercial interests to control [‘enhance’ as it is called] your ‘experience’ when visiting their websites.

  42. I’m one of the “bedraggled IT types who no doubt periodically help him with this stuff” … haha! Truth is that we let the WordPress updates get a little behind and they took advantage of one of the recent security vulnerabilities.

    Everything is back up and running and please let Dr. Spencer know if anything is still awry. I added a security plugin that is very good and should help prevent this in the future, but of course WordPress security is a moving target. We’ll try to keep up on it going forward. Oh, and I made some fresh backups. :)

    – Jamon (ClearSightStudio.com)

  43. ” or just some kid looking to hold up a trophy for others to see is unclear at this point.”

    This is most likely the case. They run scripts to go search for sites with vulnerabilities, then work their vandalism on the results. I used to get hacked frequently, until I switched to Drupal for most of my sites. Hasn’t happened in 6 years.

  44. IMNSHO, important web pages that must “always” be available are best served on dedicated servers running only a simple web server delivering only static web pages.

    Maintaining “content” is then non-trivial. Not easy for the point-and-clickers.

    WP, etc. provide convenient means of delivering content to a large readership that is fairly secure, albeit with substantial burdens of applicability of laws (as we can’t all be Richard Windsor) and the need to be rigorous about maintaining backups.

  45. I’ve setup some self hosted sites…
    Advice:
    1. Use an Infrastructure as a Service (IaaS) provider. I use Linode.
    2. Configure ssh to accept public key log in.
    3. Disable root password, so only public key login works.
    passwd -l root
    4. Purchase SSL cert.
    5. Install SSL cert and ensure only readable by root.
    6. Use postgresql rather than mysql for database.
    I know there are fans of both, but postgresql is more standards compliant and doesn’t allow for certain kinds of sloppy programming behavior.
    7. If email server — use these instructions:

    http://theclimber.fritalk.com/post/2009/01/27/Tutorial-%3A-Setup-your-mail-server-%28courier-imap-postfix-postgresql%29

    8. I don’t use WordPress… but postgresql can be used with WordPress:

    https://wordpress.org/extend/plugins/postgresql-for-wordpress/
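Steps 2, 3 and 5 of the list above are the ones that quietly regress over time (a distro upgrade re-enables password logins, a cert renewal script drops the key with mode 0644). The following is an added example, not the commenter's own code, of an audit that checks a server against those three steps from copies of its files: sshd accepts key logins and refuses password and keyboard-interactive prompts, root's shadow entry is locked the way `passwd -l root` leaves it, and the TLS private key is owned by root with no group/other bits. The sshd_config and shadow samples are constructed; the `demo_key_file_check` helper creates a throwaway file so the permission check can be exercised without a real key.

```python
import os
import stat
import tempfile


def parse_sshd_config(text):
    """Effective global settings: first occurrence wins, Match blocks are not audited."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break                           # everything after Match is conditional
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd(text):
    """Findings for step 2 (key login) and step 3 (no password login for anyone, root included)."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication should be no (sshd default is yes)")
    # Password prompts can also arrive through keyboard-interactive auth (PAM), so that
    # must be off as well; older sshd spells the keyword ChallengeResponseAuthentication.
    kbd = conf.get("kbdinteractiveauthentication",
                   conf.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication should be no")
    if conf.get("permitrootlogin", "").lower() not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin should be set explicitly to prohibit-password or no")
    return findings


def root_password_locked(shadow_text):
    """True if root's password field is locked ('!' prefix, as passwd -l writes) or disabled ('*')."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == "root":
            return fields[1].startswith(("!", "*"))
    return False


def key_file_findings(path, expect_uid=0):
    """Step 5: the private key must belong to expect_uid (root) and be unreadable by others."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expect_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expect_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} readable beyond owner, use 0600")
    return findings


def demo_key_file_check():
    """Self-test helper: returns findings for a 0600 file and then for the same file at 0644."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        good = key_file_findings(path, expect_uid=os.getuid())
        os.chmod(path, 0o644)
        bad = key_file_findings(path, expect_uid=os.getuid())
    finally:
        os.unlink(path)
    return good, bad


# Constructed samples: a default-ish config and one that follows the steps above.
WEAK_SSHD = """# constructed sample
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD = """# constructed sample
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""
LOCKED_SHADOW = "root:!$6$constructed$notarealhash:19000:0:99999:7:::\n"   # constructed

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, "sshd findings:", audit_sshd(text) or "none")
    print("root locked:", root_password_locked(LOCKED_SHADOW))
    print("key file demo:", demo_key_file_check())
```

On a live box the three inputs are `/etc/ssh/sshd_config`, `/etc/shadow` and the key path from the web server's TLS config; the parser deliberately stops at the first `Match` block, so anything granted inside one has to be reviewed by hand.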

  46. If anybody thinks that this will be investigated or the perpetrators prosecuted.

    Don’t get your hopes up. Remember who runs the executive branch. The minions of “The Shrill One.”

  47. “I can tell you the cloud is a far better place to be.”
    Please handover your business intelligence and critical knowledge assets to a third party. Better yet if the party is immune to your laws.

  48. Self hosting is very technical and not for everyone who would like to have a voice on the net. While I agree with your sentiment, I can not imagine the current level of creativity would exist without third party hosting… However, it is a dangerous thing to post socially “unacceptable” material when using third party hosting… The “denier” word is quite scary and is rather indicative of mass witch hunt riots — several points in history come to mind – with the fairly recent movie Agora foremost in my memory… events then set back scientific knowledge 1500 years or more… the hope with the “Climate Change” nonsense is that either most of society doesn’t care enough to seek a witch hunt or that there are enough actual scientists to overcome the political elite and the powerful special interest groups feeding at the public trough generated using the fear factor.

  49. Oh Dear.

    In order to gain publicity regarding the ‘Sequester’ President Obama has ordered a kill-order of all Federal Detention Center Inmates, those ON death row and all those NOT on death row.

    Additionally President Obama is … ‘Angered’ .. by ‘voices’ contrary to HIS vision of ‘Sequester’.

    Therefore, President Obama by Secret Executive Order has ordered the hacking of ‘Contrary Voices’ both within the US Government and exterior to it. Mr. Obama’s thinking is that HE owns all the human and non-human lives on planet Earth. As such, HE and Only HE has rights to kill anything. He gives words to his faithful that He Will be judicious and loving toward those who bestow absolute obedience to HIM and HIM alone by physical actions.

    The Parade of Favorites we have seen in the media for the last few days gives evidence of the obvious.

    :(

    Not a good day for ‘America’ tomorrow.

    A mad man is at the RED button and We are the Target.

  50. ecoGuy says:
    February 28, 2013 at 11:39 am
    Agree with the comment on WordPress security and common platforms. It’s literally a numbers game for the hackers, no point trying to hack one-off sites when there are millions of WordPress sites to crawl through.

    This can be a difficult problem. On the one hand, utilizing popular software like WordPress has the advantage of a lot of support and a lot of people developing (or attempting to develop) very sound, stable and secure software. On the other hand, because it is so widely known and used, more people know about the intimate details of the software and can sometimes determine vulnerabilities and exploit them. This is precisely why Microsoft has had to battle security problems for so many years, as opposed to say Mac OS/X, which up until the past decade was not nearly as popular (that has changed quite a bit now however).

    _Jim says:
    February 28, 2013 at 4:03 pm
    squid2112 says February 28, 2013 at 11:00 am
    One might be inclined to think that exposing a ‘physical’ LAN port directly to the internet on an MS-OS-box is an insane thing to do; there are task-specific firewall ‘boxes’, of course, capable of operating at LAN line rates that trap and censor malformed traffic or any other outright hacking attempts, screening out low-level protocol hack ‘attempts’ before supplying arriving packets to the MS-OS-box … of course, any legitimate-appearing, properly-formatted packets that may be destined to ‘disrupt’ an otherwise operating ‘task’ on said MS-OS-box are another story …

    _Jim,
    I was in no way suggesting anything of the sort. Anyone who opens a LAN connection to the public is opening their door to the entire world. That would be completely insane. We have been utilizing routers, firewalls, load-balancers and a plethora of supporting software for years. A properly architected infrastructure utilizes a combination of all of these technologies in a tiered architectural fashion. Typically, a more secure site will only allow a connection through port 80 (http) and/or 443 (https, SSL). From there, the software (sometimes additional hardware appliances, but ultimately software does the job) will monitor and/or filter traffic packets to ensure security against typical SQL injections, Cross-Site-Scripting (XSS) and other similar types of exploits. One of the most difficult exploits to guard against (and I have several experiences with this) are DDoS attacks. These can be very difficult to thwart. I once had a DDoS attack on my server cluster take down an entire Peak-10 service provider (one of their largest facilities too). Utilizing CDN’s (content delivery networks) like Akamai can help with this significantly, but I have also found that blocking IP address blocks from known aggressors (ie: China) usually takes care of most of it. If you can protect yourself enough to make it just a bit more difficult, you can usually protect yourself pretty well as the aggressors tend to move on to other sites that are easier. This largely depends upon the value of the information or systems that reside on the “other side of the wall”. The more valuable, the more willing the aggressor is to spend time and resource attempting the exploit. The fundamentals of site protection are not very complicated nor difficult to implement (common sense), mostly. There can be a distinct advantage to operating on proprietary software however, as the intimate details of the software are not known to the general public like they are with WordPress. 
    I have been designing and developing proprietary application frameworks for Internet applications for a very long time now (including for the DOD). I currently work on such an application that handles extremely large volume international logistics data, and is exposed to the general internet. We deal with these kinds of security issues daily.
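Comment 25 mentions Apache modules that detect bad requests before they reach the blog code, and comment 50 describes the same filtering layer for SQL injection and XSS, plus the observation that scanners move on once a site stops answering them. The following is an added example, not code from either commenter, of the log-side half of that layer: it parses Combined Log Format lines, URL-decodes each request before matching (encoded payloads are the norm), tags requests that carry textbook injection, script or path-traversal markers or that probe the WordPress login endpoints, and totals the hits per client so that one address generating all the noise stands out. The signature list and the log lines are constructed for the example; the addresses are the documentation ranges from RFC 5737.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx combined log format: ip ident user [time] "method uri proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Generic markers a request filter would refuse; tuned for low false positives on a blog.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|\bor\s+1\s*=\s*1|'\s*or\s*'|sleep\s*\(|information_schema)"),
    "xss": re.compile(r"(?i)(<script|javascript:|on(?:error|load)\s*=)"),
    "traversal": re.compile(r"\.\./"),
    "wp_probe": re.compile(r"(?i)/(?:xmlrpc|wp-login)\.php$"),   # benign alone, telling in volume
}


def classify(uri):
    """Return the signature names matching the decoded request URI (empty list if clean)."""
    decoded = unquote(uri)            # match on what the application would actually see
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(log_text):
    """Return (events, per_ip): flagged (ip, uri, status, tags) tuples and a per-client count."""
    events = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip unparseable lines rather than abort the run
        tags = classify(m["uri"])
        if tags:
            events.append((m["ip"], m["uri"], int(m["status"]), tags))
            per_ip[m["ip"]] += 1
    return events, per_ip


# Constructed sample log: one ordinary reader, one scanner working through its checklist.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2013:08:58:01 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2013:08:58:02 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Feb/2013:08:59:10 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "python-requests/1.0"
198.51.100.9 - - [28/Feb/2013:08:59:11 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "python-requests/1.0"
198.51.100.9 - - [28/Feb/2013:08:59:12 +0000] "GET /wp-content/plugins/../../wp-config.php HTTP/1.1" 404 210 "-" "python-requests/1.0"
198.51.100.9 - - [28/Feb/2013:08:59:13 +0000] "GET /wp-login.php HTTP/1.1" 200 1400 "-" "python-requests/1.0"
"""

if __name__ == "__main__":
    events, per_ip = scan(SAMPLE_LOG)
    for ip, uri, status, tags in events:
        print(f"{ip} {status} {','.join(tags):<10} {uri}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} flagged request(s)")
```

The status column matters as much as the tags: a flagged request that returned 200 needs a look at what the application did with it, while a run of 404s is the scanner bouncing off. Feed the per-client counts into whatever blocklist or rate limit sits in front of the web server and the "move on to easier sites" effect comment 50 describes does the rest.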

  51. Odd. Hackers usually do things to “tag” a site with their personal calling card. Skillet is a Christian metal band. I haven’t heard of many Christian hackers.
