Guest essay by Brandon Schollenberger
I’ve got mad haxor skillz. I’m a l33t hacker paid by evil organizations and shadowy conglomerates. That’s how I found Skeptical Science’s secret stash of Nazi fantasies. Or so some would have you believe. One commenter at Judith Curry’s blog said:
It may be that Anthony/WUWT did not know that WUWT’s “anonymous” contributor was probing the SkS website for vulnerabilities using professional-grade hacking techniques and/or software tools.
Given the shocking nature of my discovery, I figure people might be curious how I came about it. Was it via some l33t haxor skillz? Was it because of some professional grade hacking? Was I perhaps paid by someone to break into a secure site and extract incriminating photos?
No. It was much simpler than that.
It all began when I read a post on Skeptical Science’s website. I read the post, and I was curious. Naturally, I decided to click on a few links. That’s when I came across this link:
http://www.sksforum.org/redirect.php?t=11065&u=http%3A%2F%2Fwww.ncdc.noaa.gov%2Fcag%2F
As you can guess by the word “redirect,” the link went to the NCDC website. It just went there via www.sksforum.org. That’s when I first learned of www.sksforum.org. I didn’t expect anything from the site, but I decided to visit it anyway. When I did, I saw a banner at the top that was obviously an image file. I checked the URL for the image, finding it was hosted in the directory: http://www.sksforum.org/images/. I found the Nazi imagery when I went to that URL and clicked on a subdirectory (user_uploaded).
That’s it. I got intrigued by a link I saw on an SkS post, and I followed a couple links I found from it. My l33t haxor skillz amounted to nothing more than being able to follow a few links. But that’s not where the story ends. When I went to write about how I came across the Nazi roleplaying, I found I couldn’t find the links I had originally used. Why is that? Skeptical Science deleted the post.
That’s right. SkS deleted a post they had written simply because it inadvertently included links that exposed their private forum’s location. Google has a cached version of the post, but without that, there’d be no record of its existence. Rather than just fix the links for the post, SkS deleted it in its entirety to cover up the existence of their forum. That’s how desperate they are when it comes to PR – They’d rather delete an entire post than address a minor mistake.
Author’s Note: To be clear, I was not an “anonymous” contributor. I made no attempt to hide my identity. Anthony Watts decided not to post my name simply because, at the time, I had not told him I was okay with being identified. It was simply a courtesy.
Moreover, I am trained in network security. I know a fair amount about hacking. I don’t believe in engaging in it, and I would happily help any blogger with security issues. Upon first discovering this directory, I intended to contact John Cook to inform him of the problem.
I only “went public” with my discovery after seeing SkS’s Photoshopped images of their critics. I appreciate privacy, but I feel no obligation to hide my knowledge of inappropriate behavior.
That said, if you feel I’ve engaged in professional-grade hacking, feel free to contact me about potential jobs. I’d happily take your money to browse some URLs.
=============================================================
Yes, Brandon’s description is true, it was all out in the open as I’m sure many WUWT readers also discovered. I simply didn’t use his name in the original essay because he hadn’t used the typical “submit story” route for WUWT, which automatically applies permission to include your name as part of the publication agreement, and given the lunacy over there at SkS, I didn’t know if he was concerned about retaliation. He brought the issue to my attention later in the day, and I amended the post to include his name.
And, in case you have not seen it, this is worth a look – Anthony
Looks to be ‘forbidden’ now. Silly rotters closed the back door.
Re: Sergei MK (at 11:16AM 8/8/13) [JUST F. Y. I.]
A Sample U.S.A. Computer Crime Statute (selected parts only):
South Carolina Statutes
Chapter 16. COMPUTER CRIME ACT
Current through 2013 Act No. 100
§ 16-16-20. Computer crime offenses; penalties
(1) It is unlawful for a person to willfully, knowingly, maliciously, and without authorization or for an unauthorized purpose to:
(a) directly or indirectly access or cause to be accessed a computer, computer system, or computer network [Note: NOT “program” or “data” unlike UK statute at Sec. 1 (1) (a)] for the purpose of:
(i) devising or executing a scheme or artifice to defraud;
(ii) obtaining money, property, or services by means of false or fraudulent pretenses, representations, promises; or
(iii) committing any other crime.
(b) ***
(2) A person is guilty of computer crime in the first degree if the amount of gain directly or indirectly derived from the offense made unlawful by subsection (1) or the loss directly or indirectly suffered by the victim exceeds ten thousand dollars. Computer crime in the first degree is a felony and, upon conviction, a person must be fined not more than fifty thousand dollars or imprisoned not more than five years, or both.
(3) (a) *** second degree if *** greater than one thousand dollars but not more than ten thousand dollars.
(b) ***
(c) *** second degree is a misdemeanor *** fined not more than ten thousand dollars or imprisoned not more than one year, or both. ***
Cite as S.C. Code § 16-16-20
**********************************
While I copied the above from a website today, I do not guarantee that the above-quoted law is current as of now. Also, bear in mind that case law (which I did not even look at) may have modified or expanded the statutory language quoted above.
***************************************************************************
Re: “access” (of a program or data):
Question for Code Tech (or D. P. or any computer expert): When I read the law posted by Sergei (at 11:16 AM), it struck me that his citing of that law was not applicable (in addition to failing to satisfy the “no authorization” element) to Brandon’s curiosity trek nor to dp’s friend’s “crime” because neither of those two intrepid internet explorers accessed a “program” or “data.”
My question is, would you consider merely visiting a website and viewing its pages to be accessing a program (as UK statute states)? That is….
IF you do
NOT alter the code by: 1) other code (a macro(?) such as “Uninstall”)
OR
2) directly by actually tinkering with the code,
THEN you have not “accessed” a program.
Is this correct?
Re: “data,” merely VIEWING it is not, apparently, prohibited by the cited UK statute — perhaps, a trespass or illegal search or privacy law (or, likely, another section of the cited law) would cover that.
If my question is worded so poorly as to be nonsensical, please help me out by re-wording and answering a better question. THANKS!
Professional grade hacking skills: the ability to use a keyboard and mouse.
The Mad Haxor said:
Oh man, you were supposed to say you appended “/images” because a lot of sites do that. Like mine. And has for so long I don’t remember if it’s a part of the default Apache installation.
Next you’re going to tell us your “professional-grade hacking techniques and/or software tools” weren’t paid for by Big Oil, huh?
They should have called it skssecretforum.org. Seriously that site exists because the former forum had the similar open-door break in.
Janice:
I think it’s important to know the most essential aspects of a web server in order to answer that properly.
When you type a website name, like wattsupwiththat.com , you are actually entering the domain name. A DNS, or Domain Name Server (probably at your ISP) converts that to the IP address and sends your request to the web server at that IP. Anything after the domain name is part of an address.
If your request includes a specific file, like “front.html”, the web server sends that file. If you enter a directory name (blank means the top level directory), the web server looks for the default filename (usually index.html). If there is no such file, by default Apache sends you the list of all files in that directory. This is the first thing you need to disable when configuring a server since you NEVER want the general public to know what specific files you have on your server.
Any directory that stores uploads or images or sensitive documents should also have an “index.html” file that directs you back to a safe part of the site. This is basic, elementary hack-prevention that ALL server operators should know.
ANY file that is on a publicly accessible web server, and is not protected, and that you can see via a directory listing, is PUBLIC. Since anyone can download it, read it, steal it, whatever. It’s public. It cannot in any way be considered private. Some people use “obfuscation” techniques, like using random strings of characters for filenames, to make files difficult to find, which (assuming they can’t see a directory listing) is a first level of defense. Bypassing even simple obfuscation techniques means you are “hacking”, and those types of files can be considered “stolen”.
By failing to use even the lowest level of security on a server, the operator is essentially saying “here, take all my stuff, it’s not like the thousands of Chinese, Korean, Russian, Vietnamese, etc. bots constantly browsing most servers in the world don’t already have a copy”.
Any script file, like a php file (index.php for example) is considered a program. You should not be able to see the script itself, only the result, since when the server sees your request it doesn’t send you the file, it runs the script. This is considered “accessing a program” since something is actually running to generate output. I personally make all web files into scripts, partly for that reason. With multi-GHz machines the norm it doesn’t take any significant amount of time for the server to realize there’s no actual script in that file and send it along.
Modifying content on a server is “hacking” or “defacing”, and is always wrong (and unlawful). You can whine about someone “stealing” open files but won’t get much sympathy… but if someone alters your files or directory structure they can be charged with a criminal offense… EVEN if you screwed up and left access open.
The SkS incident here does not fall into any sort of criminal domain. The files were linked to in a public page. Following the link yielded a poorly protected directory that was open to access. The assumption that ANY normal person would make is that it was sitting there with a “Free! Take One!” sign on it. When they changed the directory name it was still linked, thus still freely available. If they had merely changed the server to not give a directory listing they would have been safe, but apparently nobody knew how to do that.
I have several scripts running on my servers that monitor access, and search for specific types of access requests. Every day there are dozens or hundreds of attempts to access commonly misconfigured software that might be installed in a server. Some bots will try hundreds of these, looking for a vulnerability. Bots are not always being operated maliciously, some requests come from exploited machines owned by innocent victims, some search engines ignore requests to stay away from sensitive areas of your server and try to index everything, some are well behaved, etc. It is a basic requirement of operating a server to know the difference and keep the easy doors closed.
If someone has really sensitive data or documents that must be kept secure and only available to specific people there are lots of ways to do it. SkS’s server, and UEA’s server, and many others over the years, were badly configured or someone failed to follow the storage rules, or both. Obfuscation by vague naming and other simple techniques that might have been perfect 20 years ago are no longer enough. There are even ISO security guidelines that any server operator can put into effect to make it all work right.
But the bottom line is, if data or documents are not protected in any way and I get a copy, there’s nothing they can realistically do about it. Even though from the server operator’s perspective it appears it was “stolen”, they just aren’t knowledgeable enough to see that they not only left the doors open, but they posted signs showing people where the valuables are kept.
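Code Tech’s advice above comes down to two checks an operator can automate: find every directory under the document root that has no index file (with Apache’s stock `Options Indexes` those are exactly the directories mod_autoindex will list), and drop a harmless placeholder index into each. The script below is an added example, not code from the original post or from any of the sites discussed; the directory tree it builds is constructed to mimic an `/images/user_uploaded/` layout, and the index file names it looks for are the usual `DirectoryIndex` defaults, which is an assumption about the target server’s configuration.

```python
"""Audit a web document root for directories Apache's mod_autoindex would
list, and optionally drop a placeholder index file into each one.

Added example, not code from the original post or from any site it names.
The directory tree built in build_demo_docroot() is constructed for the demo;
DEFAULT_INDEX_NAMES assumes the server's DirectoryIndex is at its defaults.
"""
import os
import tempfile

# Typical DirectoryIndex candidates; adjust to match the server's config.
DEFAULT_INDEX_NAMES = ("index.html", "index.htm", "index.php")

# Harmless page that bounces a browsing visitor back to the site root.
PLACEHOLDER = (
    '<!doctype html><meta http-equiv="refresh" content="0; url=/">'
    "<title>Nothing to see here</title>"
)


def find_listable_dirs(docroot, index_names=DEFAULT_INDEX_NAMES):
    """Return docroot-relative paths of directories with no index file.

    With `Options Indexes` in effect these are the directories a visitor can
    browse simply by requesting the URL that maps to them.
    """
    listable = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        if not any(name in filenames for name in index_names):
            rel = os.path.relpath(dirpath, docroot)
            listable.append("" if rel == "." else rel.replace(os.sep, "/"))
    return listable


def add_placeholder_index(docroot, rel_dir, index_name="index.html"):
    """Write a placeholder index so a listing is never generated.

    Returns the path written, or None if an index already existed.
    """
    target = os.path.join(docroot, rel_dir, index_name)
    if os.path.exists(target):
        return None
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(PLACEHOLDER)
    return target


def build_demo_docroot():
    """Constructed tree: a root with index.php, an /images/ directory holding
    a banner, and /images/user_uploaded/ holding one upload. Neither image
    directory has an index file, so both would be listed."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "images", "user_uploaded"))
    for rel in ("index.php", "images/banner.png", "images/user_uploaded/photo1.jpg"):
        open(os.path.join(root, *rel.split("/")), "w").close()
    return root


if __name__ == "__main__":
    root = build_demo_docroot()
    exposed = find_listable_dirs(root)
    print("directories that would be listed:", exposed)
    for rel in exposed:
        add_placeholder_index(root, rel)
    print("after adding placeholders:", find_listable_dirs(root))
```

The placeholder index is defense in depth only. The real fix is to turn listings off in the server configuration (`Options -Indexes` in the relevant `<Directory>` block, or in an `.htaccess` file where `AllowOverride Options` permits it), which covers directories created later by an upload feature that never gets an index file. Neither measure makes a file private: as the comment above notes, anything under the document root with a guessable or already linked name is still fetchable, and only authentication or moving the files outside the web root changes that.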
Thank you, Code Tech, for your kindly taking the time to write such a detailed tutorial on website security. Just so that I know that you know (it was not obvious from your response — and, in my above post I obviously did not make this clear): I REALIZE THAT BRANDON AND DP’S FRIEND WERE NOT GUILTY OF A CRIME under either U.S. (so far as I’ve researched it) or UK (so far as we know from the law cited by Sergei) law.
You’ve provided us all with some VALUABLE PROFESSIONAL advice above.
Thanks! #[:)]
M Courtney on August 8, 2013 at 12:02 pm
TinyCO2 says August 8, 2013 at 11:56 am
Otteryd says:
August 8, 2013 at 11:15 am
“Mornington Crescent!”
Very deep. I’m not sure that SkS would understand the rules of the game 😉
You malign them. The 3%-excluded variant rules are played everyday, by proxy, at the Guardian website.
That would explain the flood of comments there from a Mrs Trellis of N Wales…
johanna says: August 8, 2013 at 4:19 pm
With 97% of scientists on their side, you’d think they could find one who understood how to maintain basic website security and advise them accordingly.
They were using the scientists who write climate models.
@ur momisugly Mike McMillan (10:43) — Bullseye! — Remember this thread? http://wattsupwiththat.com/2013/07/27/another-uncertainty-for-climate-models-different-results-on-different-computers-using-the-same-code/
heh, heh, heh.
That’s bonkers. Under which jurisdiction was this case heard? It’s not very different to being sued by the author of a book for skipping some pages to get to the interesting bits.
This whole thing reminds me a bit of when a UK football club were considering a stadium move. A “fans group”, run mainly by people who thought they should be in charge without having to buy the club, put up an online survey asking various questions on the merits of the move. Of course, it came out heavily against the move, as per the group’s standpoint. I took the survey myself and, in doing so, saw in plain view a link to the email addresses of every other person who’d taken the survey.
Dangerous stuff, and a breach of data protection laws to make this info publicly available.Well, it would’ve been…
but nearly every single email address was made-up. Things like “admin@xxxxxxxx.com”, “sales@xxxxxxxx.com” or genuinely made-up addresses.
Yes, Messrs cook, Nuccitelli and Lewandowsky, the fabricated online survey has been around for a long time.
Late comer, didn’t read all the comments. Did someone mention where I can purchase “professional-grade hacking techniques and/or software tools?”
Man that is impressive hacking. It reminds me of what we were doing in grad school back in the early days where we’d play around with URLs to see if we couldn’t get into directories of images on some relatively new websites that had to do with expensive upper floor accommodations. Ahem. That was in 1998 or so. I’d have thought all but rank amateurs would have understood that you can’t allow easy backdoor access to directories lest someone can get in. If you’re lucky they just look around, if you’re unlucky they start deleting stuff. Or worse. In 1998 it was all new so the error was understandable and sadly, corrected. 2013? Really?
Maybe they need to employ a 14 year old as their website security consultant? As to suing anyone for shortening URL’s it would of course depend on the country that you reside in and the laws of that land which I might add are unenforceable in any second country no matter how much hot air might be expended in trying to sue say an Australian like me by using a law based in the USA. I wouldn’t suggest anything as crass as signing up for a free VPN to hide your physical location either. A quick Google for Website Copier will turn up a Linux based program which runs on windows and apple based systems that I use to back up clients websites which has the added bonus of being able to be run on any computer not connected to the Internet so you can run that website offline. Very handy for presentations when on the road or copying the embarrassing mistakes that webmasters make.
“I intended to contact John Cook to inform him of the problem.”
Why exactly would you do that? Do you really think you are going to gain respect from them? Delusional behavior never ceases to amaze me.
“Moreover, I am trained in network security. I know a fair amount about hacking. I don’t believe in engaging in it, and I would happily help any blogger with security issues.”
Then how come you haven’t trained Lucia to stop going into paranoid rants about being “hacked” by things like Baidu’s web crawler? Of all the skeptic sites she posts the more ridiculous nonsense about security issues. I think everyone should pass on your offer and look to someone properly trained in network security.
Re: Popt Ech says (at 7:28PM)
Brandon Schollenberger hasn’t trained Lucia.
Therefore, you assume Mr. Schollenberger isn’t properly trained.
If you use that kind of logic in writing code, you’ll end up with endless loops.
LOL, I think everyone should pass on reading your comments and look to those written by someone with a brain that thinks logically.
Janice, try reading what I wrote. Anyone properly trained in network security would have corrected her on the nonsense she posts sometimes.
Normally I’d ignore Poptech, but since he asked a valid question nobody else brought up:
Putting aside his derogatory comment, the answer to his question is simple. I think people deserve a certain amount of privacy. If I come across pictures I know the owner wouldn’t want disseminated, I’m inclined not to disseminate them. I’ll only do so if I feel I have a compelling reason.
In this case, I felt the fact the SkS group used Photoshop to insult people removed any need for me to hide their Nazi fantasies. If not for that, I’d have felt SkS’s Photoshopping was disturbing, but I wouldn’t have felt comfortable making it public.
And since I answered the one legitimate thing Poptech said, let me clarify something. Poptech is a fraud. He doesn’t know a fraction of what he claims to know, and he gives people misleading, if not outright false, information about network security. When he says:
He shows his foolishness. Of all the bloggers in the climate change blogosphere, lucia is the only one who has done much with security. What Poptech calls “ridiculous nonsense” is actually good information. As for what he calls “paranoid rants,” nothing lucia has ever posted could come even close to indicating paranoia. And she has never claimed to have been “hacked” by anyone.
The last person anyone should listen to about network security is Poptech. He is completely fabricating things in order to insult her knowledge of security despite it being far greater than his. He does the same with me. Nobody should ever listen to what he says about network security as what he says has no connection to reality. In fact, the only way to describe his postings is:
Janice Moore, I have a comment responding to Poptech awaiting moderation. To sum it up, Poptech makes things up on a regular basis, and he doesn’t know the things he talks about. He’s completely misrepresented lucia in order to attack her and me.
lucia has a better understanding of network security than he does. I suspect so does the average rock.
Poptech–
What are you talking about? I don’t consider the baidu spider to be hacking. It’s a heavy scraper that does me no good and I ban it. Scraping isn’t hacking– and I’ve never said it was. I have no idea what you consider to be ‘nonsense’, but many people ban the baidu spider, and I’m one of them. This is also not a ‘security’ issue; it is a resource and load issue.
If you could give an example of something about security I actually have claimed which you believe to be nonsense, let me know. If I’ve ever claimed such a thing and it’s wrong, I’d be happy to stand corrected.
By the way, I googled for baidu at my blog. The results confirm my recollection that I never suggested anything remotely close to having been ‘hacked’ by Baidu’s web crawler. The closest thing that might cause a confused individual like Poptech to think I suggested Baidu hacked is that I once posted output from the “killed_log.txt” of my site. An entry intercepted something operating on 87.106.143.55 which presented the user agent ‘Mozilla /5.0 .compatible;Baiduspider /2.0;+http: / /www.baidu.com /search /spider.html)’. That connection was intercepted because
(a) it tried to upload a file.
(b) It tried to do so by accessing a known vulnerable plugin (upload.php).
(c) the known vulnerable plugin is not, and has never been available at my site. (Script kiddies do try to hack by guessing that a plugin exists, and then submitting. Not personal– just what they do.)
(d) 87.106.143.55 has been detected as an open proxy. These often are used by hackers. (See http://www.liveipmap.com/87.106.143.55)
(e) the domain resolves to a hosting company: (onlinehomeserver.info ) This by itself tends to suggest ‘bot’ rather than ‘human’.
(f) that domain is listed as hosting hostile web pages see: http://www.malwaredomainlist.com/mdl.php?search=s15238535.onlinehome-server.info&inactive=on
(g) for what it’s worth, that was probably not a visit from the real baidu spider, which generally operates on Chinese and sometimes Japanese IPs.
All in all: if I had discussed this visit, I would have suggested it was likely an idiot script kiddie spoofing baidu in the hopes that naive admins will let that crawl. I happen to block both real and fake baidu. This would have been blocked for numerous reasons (it hit 4 ‘bad rules’).
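The rule-scoring approach lucia describes (a request that claims to be a search crawler but trips several independent checks gets blocked) can be reproduced over ordinary Apache combined-format log lines. The script below is an added example and is not lucia’s own scripts, whose rules are not on the page. The log lines are constructed for the demo (the IP and user-agent string in the first line are the ones quoted above; the request itself is invented); the list of absent plugin paths, the Baidu address ranges and the block threshold are all assumptions chosen for illustration, and genuine Baiduspider verification is a reverse-DNS lookup ending in `.baidu.com` or `.baidu.jp` confirmed by a forward lookup, which an offline example cannot perform.

```python
"""Score requests from an Apache combined log against a handful of
'bad rules' and decide whether to block, in the spirit of the comment above.

Added example, not the commenter's own scripts. SAMPLE_LOG is constructed;
ABSENT_PLUGIN_PATHS, BAIDU_ALLOWED and BLOCK_THRESHOLD are assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical: plugin paths that are NOT installed on this site, so any
# request for them is a probe rather than legitimate traffic.
ABSENT_PLUGIN_PATHS = (
    "/wp-content/plugins/uploadify/upload.php",
    "/wp-content/plugins/revslider/",
)

# Assumption for the demo: only these ranges count as plausible Baiduspider
# origins. Production code should do the reverse/forward DNS check instead.
BAIDU_ALLOWED = (ip_network("180.76.0.0/16"), ip_network("123.125.64.0/18"))

BLOCK_THRESHOLD = 2  # assumption: two independent rule hits is enough


def parse_line(line):
    """Split one combined-format line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line: %r" % line)
    return m.groupdict()


def rule_hits(req):
    """Return the names of every rule this request trips."""
    hits = []
    path = req["path"].split("?", 1)[0]
    ua = req["ua"].lower()

    if req["method"] == "POST" and path.endswith("upload.php"):
        hits.append("upload-attempt")
    if any(path.startswith(p) for p in ABSENT_PLUGIN_PATHS):
        hits.append("absent-plugin-probe")
    if "baiduspider" in ua and not any(ip_address(req["ip"]) in n for n in BAIDU_ALLOWED):
        hits.append("spoofed-baidu-ua")
    if ua in ("", "-"):
        hits.append("empty-user-agent")
    return hits


def should_block(line, threshold=BLOCK_THRESHOLD):
    """Return (block?, hits) for one log line."""
    hits = rule_hits(parse_line(line))
    return len(hits) >= threshold, hits


# Constructed sample lines. The first reuses the IP and user-agent quoted in
# the comment; the POST to an upload script is invented for the demo.
SAMPLE_LOG = [
    '87.106.143.55 - - [08/Aug/2013:10:12:01 +0000] '
    '"POST /wp-content/plugins/uploadify/upload.php HTTP/1.1" 404 0 "-" '
    '"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '180.76.5.10 - - [08/Aug/2013:10:13:44 +0000] '
    '"GET /2013/08/some-post/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '203.0.113.7 - - [08/Aug/2013:10:14:02 +0000] '
    '"GET /index.php HTTP/1.1" 200 8192 "http://example.net/" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        block, hits = should_block(line)
        print("BLOCK" if block else "allow", parse_line(line)["ip"], hits)
```

Each rule on its own is weak (a misconfigured but honest crawler can hit one of them), which is why the decision is made on the count of independent hits rather than on any single match; the first sample line trips three rules and is blocked, the genuine-looking crawler in the second line trips none, and the ordinary browser request in the third is allowed.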
[snip – a bit too over the top, I invite you to reword it and resubmit – Anthony]
My last comment went into the filter.
This is a joke if you are going to censor my comments for no reason.
REPLY: There was a reason, you wrote some very angry words that were outside of our normal policy. I simply suggest toning it down and resubmitting. It will reflect better on you if you do so. – Anthony