LOL! ‘Mad Haxor Skillz’ Godwinize ‘Skeptical Science’

File:TN 133t-haxor.jpgGuest essay by Brandon Schollenberger

I’ve got mad haxor skillz.  I’m a l33t hacker paid by evil organizations and shadowy conglomerates.  That’s how I found Skeptical Science’s secret stash of Nazi fantasies.  Or so some would have you believe.  One commenter at Judith Curry’s blog said:

It may be that Anthony/WUWT did not know that WUWT’s “anonymous” contributor was probing the SkS website for vulnerabilities using professional-grade hacking techniques and/or software tools.

Given the shocking nature of my discovery, I figure people might be curious how I came about it.  Was it via some l33t haxor skillz?  Was it because of some professional grade hacking?  Was I perhaps paid by someone to break into a secure site and extract incriminating photos?

No.  It was much simpler than that. 

It all began when I read a post on Skeptical Science’s website.  I read the post, and I was curious.  Naturally, I decided to click on a few links.  That’s when I came across this link:
http://www.sksforum.org/redirect.php?t=11065&u=http%3A%2F%2Fwww.ncdc.noaa.gov%2Fcag%2F
As you can guess by the word “redirect,” the link went to the NCDC website.  It just went there via www.sksforum.org.  That’s when I first learned of www.sksforum.org.  I didn’t expect anything from the site, but I decided to visit it anyway.  When I did I did, I saw a banner at the top that was obvious an image file.  I checked the URL for the image, finding it was hosted in the directory: http://www.sksforum.org/images/.  I found the Nazi imagery when I went to that URL and clicked on a subdirectory (user_uploaded).

That’s it.  I got intrigued by a link I saw on an SkS post, and I followed a couple links I found from it.  My l33t haxor skillz amounted to nothing more than being able to follow a few links.  But that’s not where the story ends.  When I went to write about how I came across the Nazi roleplaying, I found I couldn’t find the links I had originally used.  Why is that?  Skeptical Science deleted the post.

That’s right.  SkS deleted a post they had written simply because it inadvertently included links that exposed their private forum’s location.  Google has a cached verison of the post, but without that, there’d be no record of its existence.  Rather than just fix the links for the post, SkS deleted it in its entirely to cover up the existence of their forum.  That’s how desperate they are when it comes to PR – They’d rather delete an entire post than address a minor mistake.

Author’s Note: To be clear, I was not an “anonymous” contributor.  I made no attempt to hide my identity.  Anthony Watts decided not to post my name simply because, at the time, I had not told him I was okay with being identified.  It was simply a courtesy.
Moreover, I am trained in network security.  I know a fair amount about hacking.  I don’t believe in engaging in it, and I would happily help any blogger with security issues.  Upon first discovering this directory, I intended to contact John Cook to inform him of the problem.

I only “went public” with my discovery after seeing SkS’s Photoshopped images of their critics.  I appreciate privacy, but I feel no obligation to hide my knowledge of inappropriate behavior

That said, if you feel I’ve engaged in professional-grade hacking, feel free to contact me about potential jobs.  I’d happily take your money to browse some URLs.

=============================================================

Yes, Brandon’s description is true, it was all out in the open as I’m sure many WUWT readers also discovered. I simply didn’t use his name in the original essay because he hadn’t used the typical “submit story” route for WUWT, which automatically applies permission to include your name as part of the publication agreement, and given the lunacy over there at SkS, I didn’t know if he was concerned about retaliation. He brought the issue to my attention later in the day, and I amended the post to include his name.

And, in case you have not seen it, this is worth a look – Anthony

About these ads

104 thoughts on “LOL! ‘Mad Haxor Skillz’ Godwinize ‘Skeptical Science’

  1. This is clearly a coverup by WuWT. Brandom is clearly a CIA/KGB/OSI triple agent with 60 years of computer cracking training not to mention another 50 years of experience. He is also clearly fund by fossil fuel companies. This is duh facts.

  2. Brandon,

    Has Putin offered you asylum in Russia yet? You are posting this from someplace in China, right?
    You can run from the SkS but you can’t hide!
    /sarc

    Dumb jokes aside, interesting article. I’d have thought Cook to be a more competent webmaster what with the twitterbots and all.

  3. Oh dear. I possess all those hacker skills and all for the same reason. I suppose my arrest and incarceration is imminent. Ah well — it’s been a good life — a few years in a cell is not the end of the world. As long as Drillbit Dana is nowhere near my cell…

  4. Well as I said — I possess all the same hacking skills — likely I too will end up in a jail cell.

    Hopefully Drillbit Dana will be in another block!

  5. I host websites and provide other online services for a living (augmenting my retirement). It is a wholly owned business that I alone built (ignoring Obama’s spontifications that suggest otherwise). It is successful because I make sure my customers are not exposed to this kind of casual browsing. (I have been in the dot com industry since before it was an industry, before the web, before DNS, even, and have been in the employ of a number of very large and prominent dot coms.) It is nothing but casual browsing that reveals the bulk of this kind of webspace error. Anyone can stumble onto this kind of site management error without having any bad intentions. It is a fact that has existed from the day the first web site was created and is why there are so many tools to prevent it.

    This was nothing but operator error and that error grew as the day went on. The pathetic attempt to defeat casual browsing by creating the “allgon3″ folder was doomed for the same reason the original images directory was exposed. The server was allowed to auto-index the parent directory and all subdirectories and it cheerfully did so, revealing the allgon3 directory and its contents. This auto-index capability is frequently the default for some web servers, and it was once considered a useful feature – those trusting days are long gone, but the capability lingers on.

    If you are going to offer content on the internet via a web server you need expertise for basic security as a minimum, even if you have to pay for it.

    As a sidebar, I am aware of at least one person who was successfully sued for opening a public link and then manually shortening the URL path in his browser so see what was upstream. I was stunned to learn this was deemed a crime. I’ll see if I can relocate that story as there are consequences for this seeming innocent activity.

  6. That comment would have been by Afomod. A strange fellow, and not all there. But thanks for the explanation. Most “hacks” are not really hacks, but sloppy security.

  7. The UK computer misuse act:
    1 Unauthorised access to computer material.E+W+S+N.I
    (1)A person is guilty of an offence if—
    (a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured]F1 ;
    (b)the access he intends to secure [F2, or to enable to be secured,]F2 is unauthorised; and
    (c)he knows at the time when he causes the computer to perform the function that that is the case
    (2)The intent a person has to have to commit an offence under this section need not be directed at—
    (a)any particular program or data;
    (b)a program or data of any particular kind; or
    (c)a program or data held in any particular computer
    [F3(3)A person guilty of an offence under this section shall be liable—
    (a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
    (b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
    (c)on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.]

    ————————-
    So no passwords need be hacked no security breached. Simply to access unauthorised data is an offence!!!!
    No get out clauses about its OK if its funny etc.

  8. It was wide open when I viewed the images the other day.

    I was hoping Josh would have superimposed “Super Mandia” into the pic in front of Lord M so it would look complete. BTW, Mandia has better boots than the rest of you guys Anthony, LOL!

  9. Those folks over at SkS are a bunch of ID-Ten-T’s!

    (Let’s see if any of ‘em can figure THAT out.)

  10. Why would JC say that hacking tools, indeed ‘professional-grade’ tools, had been used?
    I suspect it was more likely she was ‘told’ this by the Skidz, who once they found out the ‘hackers’ identity thought they could make some PR of their own?
    Has JC been duped?

  11. Afomod – who originated the “mad skills” thesis on climate etc – is a funny fellow. He’s got a kind of adjective Tourette’s.

  12. dp says:
    August 8, 2013 at 11:05 am

    “…I am aware of at least one person who was successfully sued for opening a public link and then manually shortening the URL path in his browser so see what was upstream. I was stunned to learn this was deemed a crime.”

    Wow. That is disturbing. Would like to know the legal reasoning behind that one, if you can find it.

  13. Guys, do me a favor and don’t minimize my accomplishments here. I need to seem all awesome and amazing if I’m going to get funding from big oil!

  14. @Brandon
    I guess ‘the mouse is mightier than the sword’ ? Will put a word in to my mates in Big Oil for you!

  15. I’ve had a kind of Dr. Evil idea and that is to refer to web artifacts that demonstrate zombie characteristics be called “allgon3″ so that this stupidity lives on. A zombie in its own right. For example – polar sea ice that should be gone. Here is a polor ice allgon3 image:

    The models have claimed it, the hysterical scientists have assured us, the press has flogged the story of disappearing polar ice. So we obviously have zombie ice as seen in the allgon3 ice image. I give this image an allgon3 index of 10 on a scale of ten of things that won’t die.

    Kivalina gets an allgon3 index of 0 as it definitely has no chance of becoming a zombie island and for no other reason than it is a barrier island and washing away is what they do. The Kivalina story, though, gets another allgon3 index rating of 10 for being a story that won’t die.

  16. Connecting four dots must seem like magic to those who cannot see obvious factual discrepancies in their chosen faith.

  17. Otteryd says:
    August 8, 2013 at 11:15 am
    “Mornington Crescent!”

    Very deep. I’m not sure that SkS would understand the rules of the game ;-)

  18. TinyCO2 says August 8, 2013 at 11:56 am

    Otteryd says:
    August 8, 2013 at 11:15 am
    “Mornington Crescent!”
    Very deep. I’m not sure that SkS would understand the rules of the game ;-)

    You malign them. The 3%-excluded variant rules are played everyday, by proxy, at the Guardian website.

  19. sergeiMK- it’s not your fault, but that law doesn’t apply in this case.
    Posting a webpage with a link on it(active or not) would be prima facie evidence that the access is authorized. That authorization would include any links on any connecting pages.

  20. dp says:
    August 8, 2013 at 11:44 am

    Brilliant idea, a history of undead Alarmist web artifacts. The polar bear is number one, right?

  21. @Gail Combs

    “Precise language counts and the debasement of language is the refuge of scoundrels.”

    I am placing that here because comments on Steve’s “ocean acidi what” page are not open now. I was going to say I remain a fan. I second your QOTW here too.

    Thanks
    Crispin

  22. Let’s not let SkS shift the focus of this story. This has nothing to do with hacking SkS as Brandon clearly spells out. The real focus should remain on topic — what on earth were they up to? I don’t buy the idea that the creating these images for their own amusement. I don’t think they are neo Nazis. The most logic explanations are that they were either (1) creating the images to use with posting on SkS or (2) they were up to no good. Perhaps Lew is working on a new paper and they were manufacturing evidence to support the paper. I don’t know. But we need to get to the bottom of what they were creating these images.

  23. RockyRoad says at August 8, 2013 at 11:24 am

    Those folks over at SkS are a bunch of ID-Ten-T’s!
    (Let’s see if any of ‘em can figure THAT out.)

    Hmm – tricky:

    Identity – X – T(shirts)
    Personality was clothes
    Uniform thinkers in the past…

    A ha!

    Back to the photo shopped images of 1930s Germany.

    Of course!
    I must be an idiot not to have seen it sooner.

  24. M Courtney “You malign them. The 3%-excluded variant rules are played everyday, by proxy, at the Guardian website.

    True but because it’s by proxy they are only playing the junior version of the game (for under 5s) where stations on the Jubilee Line are wild. ANYBODY can play when it’s that simplified. I’m sorry but I can’t see the denizens of SkS being able to handle the more advanced versions like the Olympic version or even an old favourite like the Dickens Five a Side. Being from the BBC I doubt they’d made a sceptics variation but it would be wickedly clever.

  25. Next they’ll say Brandon is the FOI mole … ROTFLMAO … I am the FOI mole (Sparticus) !

  26. Otteryd says:
    August 8, 2013 at 11:15 am
    Mornington Crescent!

    I am slightly confused, are you saying that a modified Johnsons gambit has been played without a declaration of the rule modification? In that case, Sloan square.

  27. TinyCO2 says:
    I’m sorry but I can’t see the denizens of SkS being able to handle the more advanced versions like the Olympic version or even an old favourite like the Dickens Five a Side.

    WUWT could strategically impose against SkS, Lyttleton’s famous ( pal-reviewed) double-pincer move to Clapham and Turnham Green. It would certainly benefit Anthony personally.

  28. mpaul says:
    August 8, 2013 at 12:24 pm
    [...] what on earth were they up to? I don’t buy the idea that the creating these images for their own amusement. I don’t think they are neo Nazis. The most logic explanations are that they were either (1) creating the images to use with posting on SkS or (2) they were up to no good. Perhaps Lew is working on a new paper and they were manufacturing evidence to support the paper. I don’t know. But we need to get to the bottom of what they were creating these images.
    —————————————————————————————————————
    “Own amusement” works for me.

    They have a site called Skeptical Science which is, generally, abbreviated to SkS – at least in public. Presumably the more obvious abbreviation of “SS” is still considered (rightly) a little close to the bone but I’d make a small bet it’s used in that PW protected forum.

    Bright (yes they are, whatever you think of their views), immature, self-obsessed people like Cook et al, who certainly appear to have no respect for anything except their own inflated sense of self-importance, are quite likely to find it “amusing” that they’re “in the SS”. After all, it was an elite group just like them and, when you’re the Elite, torture and genocide are such subjective concepts that they become irrelevant.

    Of course, if that summary is anywhere near the reason for those pics, it does beg the question of who is more deserving of being linked to Holocaust deniers……

  29. If anyone is interested I have almost all of the episodes of “I’m Sorry I Haven’t a Clue.” Thus a complete list of all the variations of Mornington Crescent. I must agree with others that there is no way that the SkS kids could play anything other than the juvenile version.

  30. sergeiMK at 11:16 above is correct about what it takes to be a “criminal hacker” under UK law and the US law is very similar.

    The ‘get out clause’ is in paragraph (1)(c) which requires that the hacker know that the access he is attempting is unauthorized. There is no presumption of privacy merely because a place is unadvertised.

    That’s what a published URL is, after all. It’s an advertisement of a place on a computer where I want you to look at stuff. But the fact that I haven’t published a particular URL is not an explicit statement that the place the URL points to is private. Once you connect data to the internet, you have to put out some equivalent of a no-trespassing sign if you want to assert privacy on that location.

    Requiring a password would be the least ambiguous way to show your no-trespassing sign but you can use any number of other technical and non-technical means. Even a “this is private” cover page will do. From the account above, however, there is no evidence that any such actions were taken. The documents were left in the open, no different than if someone had tucked them between two books on a shelf at the public library. (By the way, a few hours later, they moved the folder. That was the equivalent of getting angry that someone found your first location and tucking the documents between two different books, still in the public library – they didn’t even pick a different shelf.)

    I am a staunch privacy advocate but even I don’t expect people to read my mind. A person finding an apparently public document is not required to guess or infer the intent of a publisher to assert privacy. The publisher must take some action to make that privacy assertion clear.

  31. I listen to ISIHAC every day (All Humph so far) on ROK radio via tunein.
    Deciphering the rules of Mornington Crescent is a class 5 Wicked Problem (Climate is generally accepted as being a 0.97, at best.

  32. With 97% of scientists on their side, you’d think they could find one who understood how to maintain basic website security and advise them accordingly. This, after all, is not the first time that ineptitude has led to big holes in their security being exposed.

    As for Brandon – well done, that man. It just goes to show that you should never underestimate the enemy’s capacity for repeating its mistakes!

  33. RockyRoad, are your id-ten-t’s the same ones who wonder what the 710 cap is for on their car’s engine?

    As a web designer I’m often amazed at the basic security errors people make, often those who should know better.

    Primarily, you put things like banners, logos, arrows, icons in a separate directory, usually called ‘images’ or ‘res’ or something. Nothing there is secret, none requires any guessing to find. Your basic web page should never link to any other domain for content that might lead an attacker to search that other location, also if the other server is slow the whole page will be delayed waiting for it. If you DO have something to conceal, it goes somewhere else, and is never directly linked to.

    Second, turn off the ability for anyone to read the directory of a folder. That requirement died over a decade ago.

    Third, I’m all for having random folders all over with stuff to be shared on a site’s insiders, really I am. I’m even all for it being secured somehow. But if someone comes in and finds it and downloads it, tough noogies, it’s my fault for not securing it.

  34. Wow – can’t believe I wrote “web designer”. I’m not a designer. When I design something real designers gag. I’m a developer…

  35. Wow! You have more patience and tolerance than I. I visited that site, and Real Climate twice, and then I realized I was in the propaganda world. Never went back to either. You, sir, are deserving a badge of honor.

  36. You’d think by now Cook et al would focus on security issues a bit more. Or, as is the case in media/PR etc, there is no such thing as bad publicity. Clever, stupid or sloppy? Who knows!

  37. Re: Sergei MK (at 11:16AM 8/8/13) [JUST F. Y. I.]

    A Sample U.S.A. Computer Crime Statute (selected parts only):

    South Carolina Statutes

    Chapter 16. COMPUTER CRIME ACT
    Current through 2013 Act No. 100
    § 16-16-20. Computer crime offenses; penalties
    (1)It is unlawful for a person to willfully, knowingly, maliciously, and without authorization or for an unauthorized purpose to:

    (a) directly or indirectly access or cause to be accessed a computer, computer system, or computer network [Note: NOT “program” or “data" unlike UK statute at Sec. 1 (1) (a)] for the purpose of:

    (i) devising or executing a scheme or artifice to defraud;

    (ii) obtaining money, property, or services by means of false or fraudulent pretenses, representations, promises; or

    (iii) committing any other crime.

    (b) ***

    (2) A person is guilty of computer crime in the first degree if the amount of gain directly or indirectly derived from the offense made unlawful by subsection (1) or the loss directly or indirectly suffered by the victim exceeds ten thousand dollars. Computer crime in the first degree is a felony and, upon conviction, a person must be fined not more than fifty thousand dollars or imprisoned not more than five years, or both.

    (3) (a) *** second degree if *** greater than one thousand dollars but not more than ten thousand dollars.
    (b) ***
    (c) *** second degree is a misdemeanor *** fined not more than ten thousand dollars or imprisoned not more than one year, or both. ***
    Cite as S.C. Code § 16-16-20

    **********************************
    While I copied the above from a website today, I do not guarantee that the above-quoted law is current as of now. Also, bear in mind that case law (which I did not even look at) may have modified or expanded the statutory language quoted above.

    ***************************************************************************
    Re: “access” (of a program or data):

    Question for Code Tech (or D. P. or any computer expert): When I read the law posted by Sergei (at 11:16 AM), it struck me that his citing of that law was not applicable (in addition to failing to satisfy the “no authorization” element) to Brandon’s curiosity trek nor to dp’s friend’s “crime” because neither of those two intrepid internet explorers accessed a “program” or “data.”

    My question is, would you consider merely visiting a website and viewing its pages to be accessing a program (as UK statute states)? That is….

    IF you do
    NOT alter the code by: 1) other code (a macro(?) such as “Uninstall”)
    OR
    2) directly by actually tinkering with the code,
    THEN you have not “accessed” a program.
    Is this correct?

    Re: “data,” merely VIEWING it is not, apparently, prohibited by the cited UK statute — perhaps, a trespass or illegal search or privacy law (or, likely, another section of the cited law) would cover that.

    If my question is worded so poorly as to be nonsensical, please help me out by re-wording and answering a better question. THANKS!

  38. The Mad Haxor said:

    That’s when I first learned of http://www.sksforum.org. I didn’t expect anything from the site, but I decided to visit it anyway. When I did I did, I saw a banner at the top that was obvious an image file. I checked the URL for the image, finding it was hosted in the directory: http://www.sksforum.org/images/.

    Oh man, you were supposed to say you appended “/images” because a lot of sites do that. Like mine. And has for so long I don’t remember if it’s a part of the default Apache installation.

    Next you’re going to tell us your “professional-grade hacking techniques and/or software tools” weren’t paid for by Big Oil, huh?

  39. They should have called it skssecretforum.org. Seriously that site exists because the former forum had the similar open-door break in.

  40. Janice:

    I think it’s important to know the most essential aspects of a web server in order to answer that properly.

    When you type a website name, like wattsupwiththat.com , you are actually entering the domain name. A DNS, or Domain Name Server (probably at your ISP) converts that to the IP address and sends your request to the web server at that IP. Anything after the domain name is part of an address.

    If your request includes a specific file, like “front.html”, the web server sends that file. If you enter a directory name (blank means the top level directory), the web server looks for the default filename (usually index.html). If there is no such file, by default Apache sends you the list of all files in that directory. This is the first thing you need to disable when configuring a server since you NEVER want the general public to know what specific files you have on your server.

    Any directory that stores uploads or images or sensitive documents should also have an “index.html” file that directs you back to a safe part of the site. This is basic, elementary hack-prevention that ALL server operators should know.

    ANY file that is on a publicly accessible web server, and is not protected, and that you can see via a directory listing, is PUBLIC. Since anyone can download it, read it, steal it, whatever. It’s public. It cannot in any way be considered private. Some people use “obfuscation” techniques, like using random strings of characters for filenames, to make files difficult to find, which (assuming they can’t see a directory listing) is a first level of defense. Bypassing even simple obfuscation techniques means you are “hacking”, and those types of files can be considered “stolen”.

    By failing to use even the lowest level of security on a server, the operator is essentially saying “here, take all my stuff, it’s not like the thousands of Chinese, Korean, Russian, Vietnamese, etc. bots constantly browsing most servers in the world don’t already have a copy”.

    Any script file, like a php file (index.php for example) is considered a program. You should not be able to see the script itself, only the result, since when the server sees your request it doesn’t send you the file, it runs the script. This is considered “accessing a program” since something is actually running to generate output. I personally make all web files into scripts, partly for that reason. With multi-GHz machines the norm it doesn’t take any significant amount of time for the server to realize there’s no actual script in that file and send it along.

    Modifying content on a server is “hacking” or “defacing”, and is always wrong (and unlawful). You can whine about someone “stealing” open files but won’t get much sympathy… but if someone alters your files or directory structure they can be charged with a criminal offense… EVEN if you screwed up and left access open.

    The SkS incident here does not fall into any sort of criminal domain. The files were linked to in a public page. Following the link yielded a poorly protected directory that was open to access. The assumption that ANY normal person would make is that it was sitting there with a “Free! Take One!” sign on it. When they changed the directory name it was still linked, thus still freely available. If they had merely changed the server to not give a directory listing they would have been safe, but apparently nobody knew how to do that.

    I have several scripts running on my servers that monitor access, and search for specific types of access requests. Every day there are dozens or hundreds of attempts to access commonly misconfigured software that might be installed in a server. Some bots will try hundreds of these, looking for a vulnerability. Bots are not always being operated maliciously, some requests come from exploited machines owned by innocent victims, some search engines ignore requests to stay away from sensitive areas of your server and try to index everything, some are well behaved, etc. It is a basic requirement of operating a server to know the difference and keep the easy doors closed.

    If someone has really sensitive data or documents that must be kept secure and only available to specific people there are lots of ways to do it. SkS’s server, and UEA’s server, and many others over the years, were badly configured or someone failed to follow the storage rules, or both. Obfuscation by vague naming and other simple techniques that might have been perfect 20 years ago no longer is enough. There are even ISO security guidelines that any server operator can put into effect to make it all work right.

    But the bottom line is, if data or documents are not protected in any way and I get a copy, there’s nothing they can realistically do about it. Even though from the server operator’s perspective it appears it was “stolen”, they just aren’t knowledgeable enough to see that they not only left the doors open, but they posted signs showing people where the valuables are kept.

  41. Thank you, Code Tech, for your kindly taking the time to write such a detailed tutorial on website security. Just so that I know that you know (it was not obvious from your response — and, in my above post I obviously did not make this clear): I REALIZE THAT BRANDON AND DP’S FRIEND WERE NOT GUILTY OF A CRIME under either U.S. (so far as I’ve researched it) or UK (so far as we know from the law cited by Sergei) law.

    You’ve provided us all with some VALUABLE PROFESSIONAL advice above.

    Thanks! #[:)]

  42. M Courtney on August 8, 2013 at 12:02 pm
    TinyCO2 says August 8, 2013 at 11:56 am
    Otteryd says:
    August 8, 2013 at 11:15 am
    “Mornington Crescent!”
    Very deep. I’m not sure that SkS would understand the rules of the game ;-)
    You malign them. The 3%-excluded variant rules are played everyday, by proxy, at the Guardian website.

    That would explain the flood of comments there from a Mrs Trellis of N Wales…

  43. johanna says: August 8, 2013 at 4:19 pm
    With 97% of scientists on their side, you’d think they could find one who understood how to maintain basic website security and advise them accordingly.

    They were using the scientists who write climate models.

  44. As a sidebar, I am aware of at least one person who was successfully sued for opening a public link and then manually shortening the URL path in his browser so see what was upstream. I was stunned to learn this was deemed a crime. I’ll see if I can relocate that story as there are consequences for this seeming innocent activity.

    That’s bonkers. Under which jurisdiction was this case heard? It’s not very different to being sued by the author of a book for skipping some pages to get to the interesting bits.

    This whole thing reminds me a bit of when a UK football club were considering a stadium move. A “fans group”, run mainly by people who thought they should be in charge without having to buy the club, put up an online survey asking various questions on the merits of the move. Of course, it came out heavily against the move, as per the group’s standpoint. I took the survey myself and, in doing so, saw in plain view a link to the email addresses of every other person who’d taken the survey.

    Dangerous stuff, and a breach of data protection laws to make this info publicly available.Well, it would’ve been…

    but nearly every single email address was made-up. Things like “admin@xxxxxxxx.com”, “sales@xxxxxxxx.com” or genuinely made-up addresses.

    Yes, Messrs cook, Nuccitelli and Lewandowsky, the fabricated online survey has been around for a long time.

  45. Late comer, didn’t read all the comments. Did someone mention where I can purchase “professional-grade hacking techniques and/or software tools?”

  46. Man that is impressive hacking. It reminds me of what we were doing in grad school back in the early days where we’d play around with URLs to see if we couldn’t get into directories of images on some relatively new websites that had to do with expensive upper floor accomodations. Ahem. That was in 1998 or so. I’d have thought all but rank amateurs would have understood that you can’t allow easy backdoor access to directories lest someone can get in. If you’re lucky they just look around, if you’re unlucky they start deleting stuff. Or worse. In 1998 it was all new so the error was understandable and sadly, corrected. 2013? Really?

  47. Maybe they need to employ a 14 year old as their website security consultant? As to suing anyone for shortening URL’s it would of course depend on the country that you reside in and the laws of that land which I might add are unenforceable in any second country no matter how much hot air might be expended in trying to sue say an Australian like me by using a law based in the USA. I wouldn’t suggest anything as crass as signing up for a free VPN to hide your physical location either. A quick Google for Website Copier will turn up a Linux based program which runs on windows and apple based systems that I use to back up clients websites which has the added bonus of being able to be run on any computer not connected to the Internet so you can run that website offline. Very handy for presentations when on the road or copying the embarrassing mistakes that webmasters make.

  48. “I intended to contact John Cook to inform him of the problem.”

    Why exactly would you do that? Do you really think you are going to gain respect from them? Delusional behavior never ceases to amaze me.

  49. “Moreover, I am trained in network security. I know a fair amount about hacking. I don’t believe in engaging in it, and I would happily help any blogger with security issues.”

    Then how come you haven’t trained Lucia to stop going into paranoid rants about being “hacked” by things like Baidu’s web crawler? Of all the skeptic sites she posts the more ridiculous nonsense about security issues. I think everyone should pass on your offer and look to someone properly trained in network security.

  50. Re: Popt Ech says (at 7:28PM)

    Brandon Schollenberger hasn’t trained Lucia.

    Therefore, you assume Mr. Schollenberger isn’t properly trained.

    If you use that kind of logic in writing code, you’ll end up with endless loops.

    LOL, I think everyone should pass on reading your comments and look to those written by someone with a brain that thinks logically.

  51. Janice, try reading what I wrote. Anyone properly trained in network security would have corrected her on the nonsense she posts sometimes.

  52. Normally I’d ignore Poptech, but since he asked a valid question nobody else brought up:

    “I intended to contact John Cook to inform him of the problem.”

    Why exactly would you do that? Do you really think you are going to gain respect from them? Delusional behavior never ceases to amaze me.

    Putting aside his derogatory comment, the answer to his question is simple. I think people deserve a certain amount of privacy. If I come across pictures I know the owner wouldn’t want disseminated, I’m inclined not to disseminate them. I’ll only do so if I feel I have a compelling reason.

    In this case, I felt the fact the SkS group used Photoshop to insult people removed any need for me to hide their Nazi fantasies. If not for that, I’d have felt SkS’s Photoshopping was disturbing, but I wouldn’t have felt comfortable making it public.

    And since I answered the one legitimate thing Poptech said, let me clarify something. Poptech is a fraud. He doesn’t know a fraction of what he claims to know, and he gives people misleading, if not outright false, information about network security. When he says:

    Then how come you haven’t trained Lucia to stop going into paranoid rants about being “hacked” by things like Baidu’s web crawler? Of all the skeptic sites she posts the more ridiculous nonsense about security issues. I think everyone should pass on your offer and look to someone properly trained in network security.

    He shows his foolishness. Of all the bloggers in the climate change blogosphere, lucia is the only one who has done much with security. What Poptech calls “ridiculous nonsense” is actually good information. As for what he calls “paranoid rants,” nothing lucia has ever posted could come even close to indicating paranoia. And she has never claimed to have been “hacked” by anyone.

    The last person anyone should listen to about network security is Poptech. He is completely fabricating things in order to insult her knowledge of security despite it being far greater than his. He does the same with me. Nobody should ever listen to what he says about network security as what he says has no connection to reality. In fact, the only way to describe his postings is:

    Delusional behavior never ceases to amaze me

  53. Janice Moore, I have a comment responding to Poptech awaiting moderation. To sum it up, Poptech makes things up on a regular basis, and he doesn’t know the things he talks about. He’s completely misrepresented lucia in order to attack her and me.

    lucia has a better understanding of network security than he does. I suspect so does the average rock.

  54. Poptech–

    Then how come you haven’t trained Lucia to stop going into paranoid rants about being “hacked” by things like Baidu’s web crawler?

    What are you talking about? I don’t consider the baidu spider to be hacking. It’s a heavy scraper that does me no good and I ban it. Scraping isn’t hacking– and I’ve never said it was. I have no idea what you consider to be ‘nonsense’, but many people ban the baidu spider, and I’m one of them. This is also not a ‘security’ issue; it is a resource and load issue.

    If you could give an example of something about security I actually have claimed which you believe to be nonsense, let me know. If I’ve ever claimed such a thing and it’s wrong, I’d be happy to stand corrected.

  55. By the way, I googled for baidu at my blog. The results confirm my recollection that I never suggested anything remotely close to having been ‘hacked’ by Baidu’s web crawler. The closest thing that might cause a confused individual like Poptech to think I suggested Baidu hacked is that I once posted output from the “killed_log.txt” of my site. An entry intercepted something operating on 87.106.143.55 which presented the user agent ‘Mozilla /5.0 .compatible;Baiduspider /2.0;+http: / /www.baidu.com /search /spider.html)’. That connection was interecepted because
    (a) it tried to upload a file.
    (b) It tried to do so by accessing a known vulnerable plugin (upload.php).
    (c) the known vulnerable plugin is not, and has never been available at my site. (Script kiddies do try to hack by guessing that a plugin exists, and then submitting. Not personal– just what they do.)
    (d) 87.106.143.55 is has been detected as an open proxy. These often are used by hackers. (See http://www.liveipmap.com/87.106.143.55)
    (e) the domain resolves to a hosting company: (onlinehomeserver.info ) This by itself tend to suggest ‘bot’ rather than ‘human’.
    (f) that domain is listed as hosting hostile web pages see: http://www.malwaredomainlist.com/mdl.php?search=s15238535.onlinehome-server.info&inactive=on
    (g) for what it’s worth, that was probably not a visit from the real baidu spider, which generally operates on Chinese and sometimes Japanese IPs.

    All in all: if I had discussed this visit, I would have suggested it was likely an idiot script kiddie spoofing baidu in the hopes that naive admins will let that crawl. I happen to block both real and fake baidu. This would have been blocked for numerous reasons (it hit 4 ‘bad rules’).

  56. This is a joke if you are going to censor my comments for no reason.

    REPLY: There was a reason, you wrote some very angry words that were outside of our normal policy. I simply suggest toning it down and resubmitting. It will reflect better on you if you do so. – Anthony

  57. Brandon, what do I do for a living and how long have I been doing it? What University did I attend? You can’t answer any of these questions because you don’t know.

    To show how much of a fraud you are, please quote the alleged “misleading and false information” I have given people about network security. When you fail to do this, your dishonest behavior will be exposed for the world to see.

  58. Poptech–
    Your reading comprehension skills appear to be subpar today. Not only d0es that post not say spammer bots are “hackers”, it specifically distinguishes between hacking and spamming.

    This list is limited to 15 days worth of attempts that were diagnosed as “hack” or “penetration testing” attempts. This is actually a small fraction of the bans– some bans are just “snoop”, “scrape”, or “spam” attempts.

    So: I ban things for hacking. I also ban for things that are not hacking. These other things include scraping, snooping and spamming. See?

    As for your claim that there are no real hack attempts at my site: The list in that post includes

    “95.141.35.196 (1 times) server1.touchweb.it ” which attempted to access a known vulnerable plugin “timthumb) The curious can read about timthumb here. Most people consider attempts to upload scripts that permit an unauthorized user to take over control of a server to be hacking.

    93.91.49.18 (1 times) snat18cb.inet4.cz attempted a url injection attack and anchor hack. A url injection is an attempt to manipulate my database. See What is Url Injections?

    While it’s possible the bans were mis-diagnosed, none of these have anything to do with spamming. And, as I noted: The post specifically distinguishes hacking from spamming. The former is things like trying to take over my database, trying to take over my server, trying to break into the admin side of wordpress and so on.

    No actual REAL hackers care about her site and why would they? Seriously.

    Why? Most hacking is ultimately about money. They want to inject links to gain SEO (so they can outsell their competiros), or get into the data bases to steal emails which they sell, or insert scripts that let them steal information from my site visitors and so on. Or they want to take over the server so they can use it to spam– which they hope will gain them money. It’s usually not personal.

    Anyway, Real Climate, Collideascape, Jo Nova got hacked. Heck, my knitting blog got hacked way back in something like 2008. My server logs show URL injections, anchor hacks, vulnerability scans, XSS attempts and so on. Chances are hackers try to break into WUWT too– but Anthony isn’t going to see these because he doesn’t run his own server.

    This has nothing to do with spam and as far as I am aware I have never suggested that spamming is hacking. Certainly, in that post I specifically say spamming is not hacking.

  59. Interesting discussion.
    I fear that Poptech has said intemperate things and needs to back down. But that does not mean he is clueless with respect to internet security. There may well be unfortunate things said that amount to folly but a folly does not mean that the sayer is always a fool.
    We all write things we regret on the internet sometimes.

    Perhaps everyone needs to calm themselves and step back a bit.

    And we should note the important news in this discussion.

    Lucia has a knitting blog?

  60. M Courtney says:
    August 10, 2013 at 1:38 pm

    > Lucia has a knitting blog?

    Given the interdiscipline nature of climate science I would have expected her to have a quilting blog.

    Baidu certainly seems to be a pest in the realm of web spiders. They seem to scan my site every day or so.

  61. Poptech says:
    August 10, 2013 at 12:29 pm
    “That is all I need to show that she does not know what she is doing let alone anything relevant to network security. No actual REAL hackers care about her site and why would they? Seriously.”

    Hacking is a highly serialized automated process.

  62. Those all say “suspect” for a reason because the software you are using does not really know. The fact that you think you can blacklist (ban) your way to network security shows how naive you really are. It is absolutely impossible to do this.

    Jo Nova got legitimately hacked because she has the most popular skeptic website in Australia, you don’t. All of the legitimate instances are likely comment spam bots trying to post links, a bulk is likely false positives. You are just not that important.

  63. Poptech:

    “Popularity” is not needed for hacker attacks to occur to AGW sceptics.

    I don’t have a blog and never have had one so – in this context – my “popularity” is zero.
    But I have suffered two very damaging hack attacks.

    Richard

  64. M Courtney

    Lucia has a knitting blog?

    It’s is very neglected.

    As for Poptech, I haven’t made any comments on his level of knowledge about security. I have no idea what he knows about it. I’m only responding to what he claims I’ve said. Specifically:
    1) He said I think the baidu spider and similar things are hackers. He also criticized Brandon for not teaching me that I am wrong is said belief. I do not think any such thing about baidu, have never thought so and have never said so. I knew baidu was a scraper before I even began blogging about climate.

    2) He said I claimed spambots are hackers. To support his claim he linked a blog post where I specifically distinguish between hacker and other things that are not hackers. These spammers was one of the items in the list of “things that are not hackers”.

    Since I am not a security expert, I am sure that I will have at some point said something incorrect about security. Certainly, some of my site visitors helped me find tools that improved my site security (like ZBBlock and Cloudflare). They have also helped me reduce the server load from scraping. I know for a fact that Brandon has corrected some of my mis-statements or just muddled statements about how certain things work on the intertubes. But Poptech’s crtiticism seem to be based on entirely fictional shortcomings.

  65. richardscourtney is not an IT expert. Nor am I.

    But, as his son, I can confirm that the attacks on his PC/Laptop.. internet, whatever, have been targeted; he is not just a target of random attacks like the rest of us.

    His internet provider put him up to special support levels for a while as they saw something weird too.

    Very rarely do I echo, or even entirely agree, with my father but this time I will.
    “Popularity” is not needed for hacker attacks to occur to AGW sceptics.

  66. PopTech

    The fact that you think you can blacklist (ban) your way to network security shows how naive you really are. It is absolutely impossible to do this.

    I do not think I can ban my way to network security. I do however prefer to ban connections with obvious hack signatures because I notice they tend to continue to connect over and over for hours at a time. This sucks resources to the extent that they crash my blog. So: I ban to reduce the level of resources used by bots, some of which happen to attempt hacks.

    Real question: Why do you think that I think I can blacklist my way to network security? Possibly you think this for the same reason you thought I think Baidu ‘hacks’ or spammers are hackbots? If you tell us, we’ll all know why you think what you claim.

  67. M Courtney says:
    I emailed some of Keith Kloors web helpers after he got hacked and before he moved to new digs. They said they were amazed at the level of hack attempts at Collide-a-scape. I suspect climate blogs in general may be subject to a more than normal level of bots, hackers, script kiddies. Some of it might be politically motivated. However, I don’t really know.

  68. Poptech

    All of the legitimate instances are likely comment spam bots trying to post links, a bulk is likely false positives.

    You don’t know what you are talking about. The timthumb attempts, the uploadify attempts and many of these attempts are definitely not comment spam bots. Neither are XSS attempts or all sorts of other things. If you think they are, you are simply mis-informed. (And yes I can say this without knowing what degree in CS you earned nor where you earned it.)

    Jo Nova got legitimately hacked because she has the most popular skeptic website in Australia, you don’t.

    If you think only popular web sites get hacked, you are very, very naive. If you think only Australian blogs get hacked, you are even more naive. If you think only skeptic sites get hacked, you are My knitting blog was hacked way back when. It was not Australian, not that popular and not a skeptic climate blog. It was done by script kiddies playing around.

    As for “legitimately hacked”: I don’t have any idea how you distinguish between “legitimate” or “illegitimate”. I would consider someone injecting stuff into my database, breaking into the admin area or uploading files that take over my site “hacked”. If you were to decree those “not legitimate”, I would suggest that a hack is a hack.

  69. Poptech says:
    August 10, 2013 at 2:06 pm
    “Jo Nova got legitimately hacked because she has the most popular skeptic website in Australia, you don’t. All of the legitimate instances are likely comment spam bots trying to post links, a bulk is likely false positives. You are just not that important.”

    Scripts iterate over blocks of IP addresses looking for a list of vulnerabilities, they trawl for victims. They don’t care what server they hijack, they take what they can.

  70. Lucia banned one of my IP addresses which isn’t mine <— Hilarious. You cannot stop me from posting at your site, I can post under any name at will. Now you pissed me off.

  71. Poptech:

    Please explain why you are hijacking this thread by harassing Lucia.

    Is it that you don’t want discussion of the thread’s subject or do you have some kind of ‘thing’ for her so you are trying to get her to notice you?

    Richard

  72. PopTech
    Anthony has requested we stop this discussion. He didn’t specifically ask me to stop but I assume he’d prefer this bickering end. But I suggest that if you want to answer to your questions (which I find odd btw), you post at blog. I have never banned you and have made no attempt to ban you. So, you should have no trouble posting at my site.

  73. Nice One, Fact: the only skeptic site that I have an IP banned from is Lucia’s. Fact: the only site I have heard commentators complain they can no longer post after “security” changes is Lucia’s. Fact: Brandon is Lucia’s security “consultant”. Conclusion, get someone that knows what they are talking about with network security and don’t ask Brandon for “advice”.

Comments are closed.