Guest essay by Brandon Schollenberger
I’ve got mad haxor skillz. I’m a l33t hacker paid by evil organizations and shadowy conglomerates. That’s how I found Skeptical Science’s secret stash of Nazi fantasies. Or so some would have you believe. One commenter at Judith Curry’s blog said:
It may be that Anthony/WUWT did not know that WUWT’s “anonymous” contributor was probing the SkS website for vulnerabilities using professional-grade hacking techniques and/or software tools.
Given the shocking nature of my discovery, I figure people might be curious how I came about it. Was it via some l33t haxor skillz? Was it because of some professional grade hacking? Was I perhaps paid by someone to break into a secure site and extract incriminating photos?
No. It was much simpler than that.
It all began when I read a post on Skeptical Science’s website. I read the post, and I was curious. Naturally, I decided to click on a few links. That’s when I came across this link:
http://www.sksforum.org/redirect.php?t=11065&u=http%3A%2F%2Fwww.ncdc.noaa.gov%2Fcag%2F
As you can guess by the word “redirect,” the link went to the NCDC website. It just went there via www.sksforum.org. That’s when I first learned of www.sksforum.org. I didn’t expect anything from the site, but I decided to visit it anyway. When I did, I saw a banner at the top that was obviously an image file. I checked the URL for the image, finding it was hosted in the directory: http://www.sksforum.org/images/. I found the Nazi imagery when I went to that URL and clicked on a subdirectory (user_uploaded).
That’s it. I got intrigued by a link I saw on an SkS post, and I followed a couple links I found from it. My l33t haxor skillz amounted to nothing more than being able to follow a few links. But that’s not where the story ends. When I went to write about how I came across the Nazi roleplaying, I found I couldn’t find the links I had originally used. Why is that? Skeptical Science deleted the post.
That’s right. SkS deleted a post they had written simply because it inadvertently included links that exposed their private forum’s location. Google has a cached version of the post, but without that, there’d be no record of its existence. Rather than just fix the links for the post, SkS deleted it in its entirety to cover up the existence of their forum. That’s how desperate they are when it comes to PR – they’d rather delete an entire post than address a minor mistake.
Author’s Note: To be clear, I was not an “anonymous” contributor. I made no attempt to hide my identity. Anthony Watts decided not to post my name simply because, at the time, I had not told him I was okay with being identified. It was simply a courtesy.
Moreover, I am trained in network security. I know a fair amount about hacking. I don’t believe in engaging in it, and I would happily help any blogger with security issues. Upon first discovering this directory, I intended to contact John Cook to inform him of the problem.
I only “went public” with my discovery after seeing SkS’s Photoshopped images of their critics. I appreciate privacy, but I feel no obligation to hide my knowledge of inappropriate behavior.
That said, if you feel I’ve engaged in professional-grade hacking, feel free to contact me about potential jobs. I’d happily take your money to browse some URLs.
=============================================================
Yes, Brandon’s description is true, it was all out in the open as I’m sure many WUWT readers also discovered. I simply didn’t use his name in the original essay because he hadn’t used the typical “submit story” route for WUWT, which automatically applies permission to include your name as part of the publication agreement, and given the lunacy over there at SkS, I didn’t know if he was concerned about retaliation. He brought the issue to my attention later in the day, and I amended the post to include his name.
And, in case you have not seen it, this is worth a look – Anthony
I guess ‘the mouse is mightier than the sword’
That has to be a quote of the week.
TinyCO2 says:
August 8, 2013 at 11:56 am
You malign them. The 3%-excluded variant rules are played everyday, by proxy, at the Guardian website.
sergeiMK- it’s not your fault, but that law doesn’t apply in this case.
Posting a webpage with a link on it(active or not) would be prima facie evidence that the access is authorized. That authorization would include any links on any connecting pages.
Good work, Mr. Schollenberger.
dp says:
August 8, 2013 at 11:44 am
Brilliant idea, a history of undead Alarmist web artifacts. The polar bear is number one, right?
John Cook: Gaia will protect my site, no need for best practices or security…
@Gail Combs
“Precise language counts and the debasement of language is the refuge of scoundrels.”
I am placing that here because comments on Steve’s “ocean acidi what” page are not open now. I was going to say I remain a fan. I second your QOTW here too.
Thanks
Crispin
The desperation; you can smell it.
Let’s not let SkS shift the focus of this story. This has nothing to do with hacking SkS, as Brandon clearly spells out. The real focus should remain on topic — what on earth were they up to? I don’t buy the idea that they were creating these images for their own amusement. I don’t think they are neo-Nazis. The most logical explanations are that they were either (1) creating the images to use with posting on SkS or (2) they were up to no good. Perhaps Lew is working on a new paper and they were manufacturing evidence to support the paper. I don’t know. But we need to get to the bottom of why they were creating these images.
RockyRoad says:
August 8, 2013 at 11:24 am
Hmm – tricky:
Identity – X – T(shirts)
Personality was clothes
Uniform thinkers in the past…
A ha!
Back to the photo shopped images of 1930s Germany.
Of course!
I must be an idiot not to have seen it sooner.
Can’t fool me, you’re a double-knot spy.
M Courtney: “You malign them. The 3%-excluded variant rules are played everyday, by proxy, at the Guardian website.”
True, but because it’s by proxy they are only playing the junior version of the game (for under 5s) where stations on the Jubilee Line are wild. ANYBODY can play when it’s that simplified. I’m sorry but I can’t see the denizens of SkS being able to handle the more advanced versions like the Olympic version or even an old favourite like the Dickens Five a Side. Being from the BBC I doubt they’d have made a sceptics variation, but it would be wickedly clever.
For the probably many who are confused by Otteryd, TinyCO2 et al, try here
https://en.wikipedia.org/wiki/Mornington_Crescent_%28game%29
“I’m sorry I haven’t a clue” is an extremely long-running BBC radio program which is a sort of verbal Monty Python.
Next they’ll say Brandon is the FOI mole … ROTFLMAO … I am the FOI mole (Sparticus) !
Otteryd says:
August 8, 2013 at 11:15 am
Mornington Crescent!
I am slightly confused, are you saying that a modified Johnson’s gambit has been played without a declaration of the rule modification? In that case, Sloane Square.
TinyCO2 says:
I’m sorry but I can’t see the denizens of SkS being able to handle the more advanced versions like the Olympic version or even an old favourite like the Dickens Five a Side.
WUWT could strategically impose against SkS Lyttelton’s famous (pal-reviewed) double-pincer move to Clapham and Turnham Green. It would certainly benefit Anthony personally.
mpaul says:
August 8, 2013 at 12:24 pm
[…] what on earth were they up to? I don’t buy the idea that they were creating these images for their own amusement. I don’t think they are neo-Nazis. The most logical explanations are that they were either (1) creating the images to use with posting on SkS or (2) they were up to no good. Perhaps Lew is working on a new paper and they were manufacturing evidence to support the paper. I don’t know. But we need to get to the bottom of why they were creating these images.
—————————————————————————————————————
“Own amusement” works for me.
They have a site called Skeptical Science which is, generally, abbreviated to SkS – at least in public. Presumably the more obvious abbreviation of “SS” is still considered (rightly) a little close to the bone but I’d make a small bet it’s used in that PW protected forum.
Bright (yes they are, whatever you think of their views), immature, self-obsessed people like Cook et al, who certainly appear to have no respect for anything except their own inflated sense of self-importance, are quite likely to find it “amusing” that they’re “in the SS”. After all, it was an elite group just like them and, when you’re the Elite, torture and genocide are such subjective concepts that they become irrelevant.
Of course, if that summary is anywhere near the reason for those pics, it does beg the question of who is more deserving of being linked to Holocaust deniers……
If anyone is interested I have almost all of the episodes of “I’m Sorry I Haven’t a Clue.” Thus a complete list of all the variations of Mornington Crescent. I must agree with others that there is no way that the SkS kids could play anything other than the juvenile version.
sergeiMK at 11:16 above is correct about what it takes to be a “criminal hacker” under UK law and the US law is very similar.
The ‘get out clause’ is in paragraph (1)(c) which requires that the hacker know that the access he is attempting is unauthorized. There is no presumption of privacy merely because a place is unadvertised.
That’s what a published URL is, after all. It’s an advertisement of a place on a computer where I want you to look at stuff. But the fact that I haven’t published a particular URL is not an explicit statement that the place the URL points to is private. Once you connect data to the internet, you have to put out some equivalent of a no-trespassing sign if you want to assert privacy on that location.
Requiring a password would be the least ambiguous way to show your no-trespassing sign but you can use any number of other technical and non-technical means. Even a “this is private” cover page will do. From the account above, however, there is no evidence that any such actions were taken. The documents were left in the open, no different than if someone had tucked them between two books on a shelf at the public library. (By the way, a few hours later, they moved the folder. That was the equivalent of getting angry that someone found your first location and tucking the documents between two different books, still in the public library – they didn’t even pick a different shelf.)
I am a staunch privacy advocate but even I don’t expect people to read my mind. A person finding an apparently public document is not required to guess or infer the intent of a publisher to assert privacy. The publisher must take some action to make that privacy assertion clear.
I listen to ISIHAC every day (All Humph so far) on ROK radio via tunein.
Deciphering the rules of Mornington Crescent is a class 5 Wicked Problem (Climate is generally accepted as being a 0.97, at best).
With 97% of scientists on their side, you’d think they could find one who understood how to maintain basic website security and advise them accordingly. This, after all, is not the first time that ineptitude has led to big holes in their security being exposed.
As for Brandon – well done, that man. It just goes to show that you should never underestimate the enemy’s capacity for repeating its mistakes!
RockyRoad, are your id-ten-t’s the same ones who wonder what the 710 cap is for on their car’s engine?
As a web designer I’m often amazed at the basic security errors people make, often those who should know better.
Primarily, you put things like banners, logos, arrows, icons in a separate directory, usually called ‘images’ or ‘res’ or something. Nothing there is secret, none requires any guessing to find. Your basic web page should never link to any other domain for content that might lead an attacker to search that other location; also, if the other server is slow, the whole page will be delayed waiting for it. If you DO have something to conceal, it goes somewhere else, and is never directly linked to.
Second, turn off the ability for anyone to read the directory of a folder. That requirement died over a decade ago.
Third, I’m all for having random folders all over with stuff to be shared on a site’s insiders, really I am. I’m even all for it being secured somehow. But if someone comes in and finds it and downloads it, tough noogies, it’s my fault for not securing it.
Wow – can’t believe I wrote “web designer”. I’m not a designer. When I design something real designers gag. I’m a developer…
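The two fixes in the developer comment above (public assets live in their own directory; a folder is never auto-listed) are what would have kept Brandon’s click on the `/images/` URL from exposing the `user_uploaded` subdirectory. The following is an added example, not code from the original post or from either site. It is a small static-file policy in Python: a directory is served only through its index file, an unindexed directory returns 403 instead of a listing, and a request that escapes the webroot is refused. The function names, the `build_demo_site` layout and its sample files are constructed for the example.

```python
"""Serve static files without ever returning a directory listing.

Added example (hypothetical names). Models the advice in the comment:
keep assets in a dedicated directory, and never let the server
enumerate a folder that happens to have no index page.
"""
import tempfile
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from typing import Tuple

INDEX_FILE = "index.html"


def resolve_static(webroot: str, request_path: str) -> Tuple[int, str]:
    """Map an HTTP request path to (status, filesystem path or reason).

    200: a regular file exists and may be served
    403: a directory without an index file, or a path outside the webroot
    404: nothing exists at that path
    """
    root = Path(webroot).resolve()
    # Drop the query string and leading slashes, then normalise against root.
    clean = request_path.split("?", 1)[0].lstrip("/")
    target = (root / clean).resolve()
    # Refuse anything that escapes the webroot (for example via "..").
    if target != root and root not in target.parents:
        return HTTPStatus.FORBIDDEN, "outside webroot"
    if target.is_dir():
        index = target / INDEX_FILE
        if index.is_file():
            return HTTPStatus.OK, str(index)
        # The "open folder" case from the post: a directory with no index.
        # A listing-enabled server would enumerate every file in it.
        return HTTPStatus.FORBIDDEN, "directory listing disabled"
    if target.is_file():
        return HTTPStatus.OK, str(target)
    return HTTPStatus.NOT_FOUND, "not found"


class NoListingHandler(SimpleHTTPRequestHandler):
    """Stdlib file server with auto-generated directory indexes turned off."""

    def list_directory(self, path):
        # The base class builds an HTML listing here; refuse instead.
        self.send_error(HTTPStatus.FORBIDDEN, "Directory listing disabled")
        return None


def build_demo_site() -> str:
    """Create a throwaway webroot with a constructed layout (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="demo_site_"))
    (root / INDEX_FILE).write_text("<h1>home</h1>\n")
    images = root / "images"
    images.mkdir()
    (images / "banner.png").write_bytes(b"constructed-png-bytes")
    uploads = images / "user_uploaded"
    uploads.mkdir()
    (uploads / "photo.jpg").write_bytes(b"constructed-jpg-bytes")
    return str(root)


if __name__ == "__main__":
    site = build_demo_site()
    for req in ("/", "/images/banner.png", "/images/", "/images/user_uploaded",
                "/images/../../../etc/passwd", "/missing.png"):
        status, detail = resolve_static(site, req)
        print(f"{req:32} -> {int(status)} {detail}")
    # Serve the demo tree locally with listings disabled.
    with ThreadingHTTPServer(("127.0.0.1", 8000), NoListingHandler) as httpd:
        print("serving", site, "on http://127.0.0.1:8000/ (Ctrl-C to stop)")
        httpd.serve_forever()
```

On a production server the same policy is one directive rather than code: `Options -Indexes` in Apache’s configuration or `.htaccess`, and `autoindex off;` in nginx (the nginx default). Checking that `/images/` on your own site returns 403 or 404 rather than an “Index of” page is the quick self-test.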
Wow! You have more patience and tolerance than I. I visited that site, and Real Climate twice, and then I realized I was in the propaganda world. Never went back to either. You, sir, are deserving of a badge of honor.
You’d think by now Cook et al would focus on security issues a bit more. Or, as is the case in media/PR etc, there is no such thing as bad publicity. Clever, stupid or sloppy? Who knows!