From the “Collin Maessen is now a fair game legal target” department and the “SkS double secret publicly browsable Tree-hut archives”, comes this unsupportable claim of ‘criminal hacking’ by Brandon Shollenberger.
My Hidden Information
by Brandon Shollenberger.
Some Skeptical Science members have been publicly accusing me of criminal hacking. None of them say just what it is I did that would be considered hacking. This is strange as I’ve explained just what I did. It should be easy for them to point to the illegal aspect. Instead, one of them (Collin Maessen) recently said:
I know exactly what you did and what you didn’t share about what you did. The details that you didn’t share would make it rather obvious that it was hacking. Even though it was at the script kiddie level.
If we’re to believe Maessen, I’m not just a criminal, I’m a liar too. Of course, Maessen refused to say what I “didn’t share.” If I held back information like he claims, it would be easy to prove. Why won’t he? Why won’t anyone from Skeptical Science? They claim it is obvious I lied and hacked. They just won’t give anyone the information which shows such. They’re doing so even when it requires violating their own moderation policies:
When making any claim provide references (links if possible). Failure to do so can result in the comment not going through moderation….
When asked to clarify an argument or point please respond; this isn’t optional.
Claims that are factually incorrect will not be allowed.
I don’t get that. Maessen accused me of a criminal offense, and he refuses to provide the slightest shred of evidence or information for his accusation. He apparently expects people to just take his word for it, even while he’s being completely hypocritical. Très bizarre.
Oh well. Since the Skeptical Science crowd doesn’t care to provide any information or evidence, I will. I’ve uploaded a list of every link I collected from the Skeptical Science forum. I collected these links by using URLs in the form of: http://sksforum.org/thread.php?p=X where X was a number.
You can see the numbers I used in the list (1-18633) along with the page I was redirected to. This is a list of links posted on the secret-secret Skeptical Science forum. You could have gotten any of these links by plugging their number into the URL I gave above.
You’ll note, many of the entries are given for a domain “secretdomain.org.” This isn’t the actual domain. I’ve replaced the domain of their secret-secret-secret forum with that because of certain concerns. It doesn’t matter because you wouldn’t be able to access anything on the site anyway. If you could though, this would be the link to look for:
2929 http://secretdomain.org/tcp_results.php
If you plugged that in, you’d have direct access to a page that looked like:
I don’t know what information I’m supposedly hiding, but I’ll provide some more. Here are a couple links showing what sorts of things I tried to access:
3031 http://secretdomain.org/thread.php?t=6738&r=15#61211
3513 http://secretdomain.org/members.php
7280 http://secretdomain.org/docs/coming-out-of-ice-age-volcanoes.pdf
8572 http://secretdomain.org/docs/rebuttal_status/18.details.htm
The first two of those required logging in to access. The third and fourth did not. That’s hardly surprising as many sites make documents and images directories publicly accessible so the material in them can be shared. Given some things were blocked and others were not, it is reasonable for a person to try various links to see what they’re allowed to see. Apparently, the Skeptical Science crowd thinks that’s hacking.
Interestingly, two other links in the list are:
10099 http://www.skepticalscience.com/pics/tcp_raters2.gif
10100 http://www.skepticalscience.com/pics/tcp_raters3.gif
While those links no longer work, they are the images I discussed in this post. They provide the identities of 12 of the raters for the Cook et al consensus paper. In that post I said:
This one also identifies nearly a dozen individual participants. It’s true we only found out about these images because of a hack, but that hack happened nearly two years ago. Surely the authors of the paper shouldn’t leave confidential information in a publicly accessible location for two years, even if people have already seen it.
But it’s worse than that. Not only were the images publicly accessible for nearly two years after being discovered, John Cook continued to make it possible for anyone to find links to them. Plus, the links I collected only begin after the original forum was hacked. Who knows if we could have found the same links via the original forum?
Incidentally, you may have noticed one of the links I mentioned being able to access had a number in it. As you may have guessed, there were a series of pages in the form of http://secretdomain.org/docs/rebuttal_status/X.details.htm. I scraped a number of them (392?), but they didn’t contain anything interesting. It was just some proofreading information about various posts at Skeptical Science.
That’s it. There’s no more information to disclose. I don’t know what the Skeptical Science crowd thinks I’m hiding, and I suspect it doesn’t exist.
And hey, now you can see ~18,000 pages the Skeptical Science group discussed!
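A defender's view of the access pattern the post describes (numeric IDs walked on thread.php?p=X), as an added example that is not part of the original post: it scans web-server access-log lines and flags clients that requested long consecutive runs of IDs on the redirect endpoint. The log lines, client addresses, function names and the run threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-style line: client IP, identity, user, [time], "GET target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3})')

def redirect_ids_by_client(lines, path="/thread.php", param="p"):
    """Map client IP -> list of numeric IDs it requested on the redirect endpoint."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not GET requests in the expected format
        ip, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue
        for value in parse_qs(url.query).get(param, []):
            if value.isdigit():
                seen[ip].append(int(value))
    return seen

def longest_run(ids):
    """Length of the longest run of consecutive integers among the distinct IDs."""
    best = run = 0
    prev = None
    for n in sorted(set(ids)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def flag_enumeration(lines, min_run=5):
    """Return {ip: longest_run} for clients that walked >= min_run consecutive IDs."""
    flagged = {}
    for ip, ids in redirect_ids_by_client(lines).items():
        run = longest_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged

def make_line(ip, target, status=302):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return f'{ip} - - [09/Jun/2014:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 0'

# Constructed sample: one client walks eight consecutive IDs, another follows a few links.
SAMPLE = (
    [make_line("203.0.113.7", f"/thread.php?p={n}") for n in range(2925, 2933)]
    + [make_line("198.51.100.4", f"/thread.php?p={n}") for n in (17, 2929, 10099)]
    + [make_line("198.51.100.4", "/docs/rebuttal_status/18.details.htm", 200)]
)

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE))
```

Detection of this kind only reports the walk; whether each ID resolves for an unauthenticated client is decided by the server's access checks.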

“And hey, now you can see ~18,000 pages the Skeptical Science group discussed!”
NO THANKS !!!!!!
Steven Mosher says:
June 9, 2014 at 3:17 pm
Jesus Christ
That’s not hacking.
======================================================
Is the gratuitous blasphemy needed?
Brandon, well played. Very well played.
Don’t publicly give up your lawsuit potential. FUD can be a useful political tool. Warmunists* use it all the time.
*My new term for CAGW believers, modeled on an analogy to Communists believing in Karl Marx’ economic pseudo ‘science’ in Das Kapital that ignored incentives. Even the warmunist tactics are similar. Posted that analogy in more explicit detail at CE, and have written an essay on it for a maybe forthcoming book on climate and energy policy.
Regards
WARNING! Brandon’s last link, http://secretdomain.org/docs/rebuttal_status/X.details.htm is being flagged by Malwarebytes as ‘Potentially malicious website blocked, protecting you from hackers and cyber criminals.’
How ironic.
Rud Istvan, thanks. I have no problem giving up potential for a lawsuit in this though. A lawsuit over backhanded accusations like these in blog posts that only a small number of people read would be stupid and petty.
It’s not like this was one of Dana Nuccitelli’s pieces in The Guardian. If the Skeptical Science group decided to start repeating the claim in things like that, legal action might have some merit.
BruceC, it was a cleverly hidden trap so I could engage in more hacking!
He,He….you clever little bugger.
😉 /sarc
Rud,
I’ve heard warministas. I guess we need a male gender word. I like warmunist.
Criminal Hacking? It’s described here :
http://definitions.uslegal.com/c/computer-hacking/
Basically, for a hack to be criminal, it has to access protected government or financial information, or be for financial gain exceeding $5,000, or be with intent to cause damage.
If I understand everything correctly, the only clause which could possibly apply to Brandon Shollenberger is:
“intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;”
but in this case it would appear that the only damage is to their cause, and it’s passive (ie, exposure of the cause itself and its lack of foundation) not active. At this point I suppose that the legal definition of “damage” needs to be checked. I doubt that any illegality can be found.
Brandon, I’d have a talk to a lawyer in your position. I’m not a legal expert, but I am a software developer, so I have some familiarity with the legal side of hacking.
The issue is some devastating hacks can be achieved by slightly modifying the http:// address of a web page.
For example, if a website suffers a SQL injection vulnerability http://en.wikipedia.org/wiki/SQL_injection , a very common security hole, simply adding a single quote character to the http:// address of the website can cause the code to malfunction, and to display data which was not meant to be revealed.
Therefore the definition of hacking is to my understanding very broad, and includes intentionally modifying the http:// address of a web page to gain access to non public data.
I don’t think what you did qualifies on other counts, such as the test for financial advantage or whatever “harm” you are supposed to have done, but IMO it’s not impossible SkS could cause some grief for you, so it would be well to have a prepared response in case anything comes of this.
PS. and of course, the computer in this case appeared not to be protected, though that too needs legal definition to be used.
At least they admit their web-site is poor enough to be hacked by “kiddies”.
Anyone with a knowledge of computer science can hack a computer without that person knowing. That’s what a computer expert told me once. The governments do it regularly. Copying of course can be construed as stealing or comes under intellectual property. (Intellectual might be a strong word for this mob). Someone made death threats once on a blog, and the cops just laughed.
Intimidation though is also a crime. Good luck maybe Bob Morrison has something to believe when you uncovered his involvement and posting on this blog as Rusty.
This is only the third time that open internet access links made information available that John Cook thought was protected/secret but was just ordinary http links.
I mean really. All one has to do to defend themselves in this case, is to use the photoshopped images of Cook and Nuccitelli in “uniform”.
Eric Worrall, one can attempt to hack by modifying a URL, but that doesn’t mean modifying a URL to access material is inherently hacking. Put simply, it’s hacking if you modify the URL to be something you know wouldn’t be a legitimate request. Otherwise, it’s okay. If you want more detail, check out this post (and the comments on it).
Mike Jonas, if material is on a public server and no steps are taken to prevent access to it, the public is considered authorized to access it.
bushbunny, that is an exaggeration of what can be done via hacking. It basically requires the victim have lax security.
Considering the Cook 97% paper, where they proved that even simple math was beyond their capability, I doubt they could secure a garbage can during a garbage strike. Hacking? I only wish that was the extent of the real ones.
Brandon, I agree but I do have good security and pay for it. But as you say, governments can get through, and didn’t some school kids hack either the FBI or CIA years ago?
Brandon Shollenberger
… bushbunny, that is an exaggeration of what can be done via hacking. It basically requires the victim have lax security.
Not so. One well known hack is a “drive by” hack, in which a user’s computer is hacked simply by the act of them looking at a malicious website. There is a delay between hackers discovering an exploit, and software vendors delivering a patch. So even someone who makes a conscious effort to stay up to date is still potentially vulnerable.
For example, look at the arms race between people who want to root (gain unrestricted access) to their mobile phones, and vendors patching the security flaws which allow such access. Apple have lifted their game lately, but at one point they took so much time to patch a security flaw in the iPhone Safari browser, that hackers started offering “drive by” websites to deliver root access – simply looking at the website using your iPhone rooted the phone.
http://www.theregister.co.uk/2010/08/11/critical_iphone_vuln_patched/
A while ago I needed to prepare some rooted Android phones for a client, who needed capabilities which Android couldn’t deliver “out of the box”. It took me less than an hour to find a tool which could break the phone’s security (in this case I used a Gingerbread hack which exploited a security flaw in the phone’s PC sync toolkit).
I’m not a skilled hacker, I know the theory, I’ve just never bothered honing the practical skills. But I know enough about it to understand what is possible.
Governments have repeatedly been accused of researching and hoarding critical security flaws – so what bushbunny said, about governments regularly dipping into consumer devices, is quite likely correct – at least in the case of devices owned by people who attract their interest.
http://www.theregister.co.uk/2013/09/17/nsa_vupen/
@Curious George:
We already did. It’s called bull (expletive deleted).
@Eric Worrall says:
There was extensive discussion about the issue by lawyers see the prior discussion on this at least under US laws. It is definitely a data breach as defined by Wikipedia (http://en.wikipedia.org/wiki/Data_breach) but criminality is very different under different countries’ laws and here we have possibly two very different laws at play Australian v USA. I would like to see the legal argument around a negligence case here around the website and/or its administrators as well if we are going to claim there is some sort of damages. Certainly under USA law if they went after Brandon I would suspect he would have a counterclaim back at SkS but no doubt the lawyers could fill in the details.
You want to call it a hack then fine go ahead but don’t assume that implies any sort of criminality and the bigger question you haven’t addressed is what was the damage and how is it being valued? The damage situation in a credit card number theft or the like is easy the damage in this sort of arena is going to be interesting to try and justify.
I suspect this whole thing has blown up in the face of SkS and University of Queensland and so far all they have got from it is a pile of bad press.
I guess that is a question for you Brandon has your legal advice broken down the letter from University of Queensland. To me it reads like a commercial damages claim and the author does appear to be a commercial lawyer the whole privacy side which would come criminal code doesn’t get a run. I guess the whole privacy thing would probably get tossed under the standard “matters or activities which may reasonably be of public interest” and one would have a hard time arguing that knowing who reviewers of a paper was an invasion of someone’s “right to be left alone”.
This University of Queensland are acting like a load of students. Academics seem to think if you disagree with them or challenge a concept you are not only breaching confidentiality, but are a rogue student or academic. The only discipline that can be applied is within the university. Usually dismissal or an academic’s tenure not renewed. But if a student complains to the university, well of course that is pushed under the carpet.
Seems as if one, or some of the kiddies keeps on leaving the back door open to the SkS cubby-house.
John Cook, 23 February 2012;
Got an email from Brian P this morning saying that the whole forum was publicly available to him, even when he wasn’t logged in. I checked and this was true. A little panicky, I investigated and worked out that all the permission levels of each forum had been set down to zero. Normally, they’re set so only authors can access most of them, except the translator forum is also accessible to translators. Strangely though, there is an admin forum that only admins can access and that wasn’t set to zero – it was still set so only admins can access it.
I have no idea how this happened. Several possibilities come to mind. First, I did it by accident when I was screwing around with the database sometime. Someone with admin access (there are about half a dozen SkSers with this access) made the change. Or we were hacked in some way and the hacker changed the levels. None of the options seem likely to me but the most likely is human error on my part although the fact that the admin forum was still set at admin level belies some kind of blanket wiping of all levels.
So I’m a little freaked out – it’s not knowing how this happened that has me most worried. Has anyone been looking at the forum and how long has this been available? But I’ve been procrastinating some of those security measures that have been suggested to me and as soon as I get to work this morning, am going to implement some of those measures.
Memo to John Cook: one of the first levels of security is to shut and lock the back door to the cubby-house. Isn’t that what you were going to do two and a half years ago and yet you/they still keep it open. Sounds like a good spanking is in order.
EJ:
“Warmunist” is not a new word. It has been used for years including on WUWT.
Richard
Eric Worrall says:
“Therefore the definition of hacking is to my understanding very broad, and includes intentionally modifying the http:// address of a web page to gain access to non public data.”
If that is true I think there are very few people on the net who are not hackers. For example: you find something interesting via Google, and then “back-strip” the address one step to see if there is anything else interesting. Pretty often you get an unprotected directory listing. Is that a “hack”? And how do you know whether something freely available like that is “non public”? At least in Sweden where I live you have to provide a text that explicitly warns that something is not public, otherwise accessing it isn’t illegal.
Brandon “Mike Jonas, if material is on a public server and no steps are taken to prevent access to it, the public is considered authorized to access it.“. I don’t doubt that, but thought I’d try to check what the law specifically said.