Alas, a playground has been shut down. As many bloggers who read their server logs (and Google) knew, sksforum.org used to leave referrers of this form in our server logs:
site:http://www.sksforum.org/thread.php?t=i&p=j
Here, “i” and “j” would be integer values.
So: for example, someone like Anthony Watts looking at his referrers to http://wattsupwiththat.com/2013/11/10/towards-a-theory-of-climate/ might see www.sksforum.org/thread.php?t=12517&p=14289. Back in the day, if Anthony clicked on the link to “www.sksforum.org/thread.php?t=12517&p=14289”, he would find himself redirected to “http://wattsupwiththat.com/2013/11/10/towards-a-theory-of-climate/”.
Hmmm…. What’s up with that?
Well, it was obvious what was up: someone had programmed a referrer anonymizer of some sort. The details of exactly how the anonymizer worked were not obvious, but its effects were. Lots of people saw these sorts of referrers and so knew that the system existed. They knew what it did. This information was not a secret. (If SkSers intended it to be a secret, they really don’t know how the intertubes work.)
As it happened, it was so non-secret that Google crawled these links:

Notice above that each link has a different ‘i’ and ‘j’ value in the t=i&p=j part of the uri. Notice also that the contents listed by Google match the contents of blog posts at places like Wattsupwiththat, not contents at SkS.
Now, when I first learned of this redirect thingie SkSforum.org was using, my first thought was, “Snort”.
My second thought came one second later: “What if I change the value of ‘i’ or ‘j’ to ‘i+1’ or ‘j+1’?” Naturally I tried both.
My third thought was, “This means that the SkS forum has likely created a handy, publicly accessible tool that any curious person can use to easily, legally and ethically discover every single link posted on the SkS forum: the handy SkSforum link-finding tool!” All one needs to do is increment the values of i and/or j (which is perfectly legal and easily accomplished using the tool SkS provided to everyone in the world, including Google). And if one did this, well, Bob’s your uncle: you, just like Google (who likely found these links in published referrer logs or something) or any SEO company, could discover pages that had been linked to by members of the SkSforum. If you were thorough, you could find every link they had ever posted.
I looked at a few links. Got bored. After all: just clicking through to a bunch of fairly boring publicly accessible web pages. (None of the links I clicked through to were password protected. Had they been, I would have simply been blocked from reading them. Not really a problem as I would be perfectly content not to read them.)
Ok– so far, this is the state Brandon describes himself being in partway through his recent post. As it happens, I stayed bored with the idea of looking at SkS links.
Then….several months after I got bored looking at dumb links, Brandon found the data from the 97% paper…
I immediately suspected the method might have revealed interesting stuff if I’d been sufficiently curious to look at more web pages. Brandon had been incrementing the values in links like “http://www.sksforum.org/thread.php?t=i&p=j”. Unlike me, he found something not so boring.
Ultimately, this is resulting in accusations of “hacking”.
Of course you are all thinking, “What fun! I can use this handy tool John Cook created to help people find every link posted at the sksforum.org forum!” And it’s totally legal, as one is merely loading links that send one to web pages which are either (a) totally public or (b) password protected. In the latter case, if password protected, nothing illegal has happened by entering the url. Of course, attempting to crack the password might be illegal– but if you don’t do that: well, no problem.
Alas, someone has now programmed an ‘.htaccess’ password access restriction. So no joy. But fear not: you haven’t done anything illegal by entering these URLs.
Cracking that user/password combination to enter that page would almost certainly be illegal. But merely seeing it is not.
But sadly, you do see the password protection. The previously publicly accessible playground is now closed.
I should point out I have a list of the URLs from the redirections. It covers everything up to a couple days before the playground was shut up. It has ~18,000 entries. It’s pretty dull for the most part, but people might be interested.
There’s a problem with releasing the file as it is as it could possibly lead people to getting a hold of the “confidential” data. I can see about stripping out the problematic parts and uploading the file later today, if people would like.
OK, so it is pretty clear Lucia and Brandon have unleashed their mad hacker skilz, maybe through a conspiracy of some kind, to pilfer all Cook’s secrets….. as has Google’s crawler. You guys should be ashamed of yourselves.
The total and utter incompetence of these guys continues to amaze. And amuse. 🙂
/a German with a Coke and a keyboard. muhuhahahaha.
TerryMN,
The reason my first reaction was “snort” is that generally, the ‘purpose’ of a referrer anonymizer is to prevent people from figuring out where those who clicked the links came from. It at least looks like this anonymizer prevented us from knowing the exact forum post the visitor came from, but we still figured they came from sksforum.org. (Though… maybe not.) But anyway, those posts are password protected… so, who cares if we know where they came from? It’s not at all clear why SkS guys should care if I or Anthony or someone else discovered the precise post the visitors came from, but possibly they had some reason to not want us to know.
But to prevent us from knowing where people came from, we could now learn every link posted at sksforum.org.
Or at least that’s how it appears.
Unfortunately, in addition to that, the guys at the secret-secret sksforum.org (and I guess a 2nd secret-secret-secret forum) evidently discussed and posted links to stuff that we now discover UQueensland seems to think they own, and thinks it ought to have been access restricted. But then….. no one restricted access to the data itself.
And there really was no particular way (short of developing psychic powers) for someone visiting the links the guys at sksforum.org (or the secret-secret-secret 3rd forum) discussed to know that UQueensland thought that stuff on that publicly accessible page was somehow access restricted…. or something. (Who knows what UQueensland thought.)
In any case, I’m eagerly awaiting another 6 or 8 part series telling the SS faithful just how they discovered and untangled the “sophisticated hack” !
are you defaming the university or Cook?
oh no, it’s a fact, they are stupid.
So Mr. Cook, the internet expert, really is as stupid as many have suspected.
Not surprising, actually.
Steven Mosher, you know better than that. The University of Queensland is not stupid. It just has a lot of stupid people working for it.
True Brandon I stand corrected. I was speaking metaphorically ..
If the SkS folks worked for NSA, I’d feel a whole lot safer right now.
Hilarious. They’ve created more news cycles of data withholding denials, data release, legal threats, etc. all just for not releasing the damn data. Oh, no, the SS kids couldn’t be happy with the original 97% meme so they had to muck it up. This series of little 97% events now tarnishes the original claim too, just as the unretracted Marcott 2013 bladeless input data “super hockey stick” now throws *all* of physical climate “science” into clear doubt, including Mosher’s sliced and diced input data hockey stick.
“I was speaking metaphorically”
Metaphorically stupid? Metaphysically maybe.
I still think the pirate song was a better idea than angry Hitler. A lot more fun anyway.
Mosh sez: ” I was speaking metaphorically.”
I believe the particular technical term for that sort of figure of speech is “schenectady”. The finest practitioners thereof being resident in the state of New York, and city of “Synecdoche”.
I learned all that from the University of Tiljander.
Synecdoche”.
yes
do you know what the opposite is called?
and give an example of chiasmus
This was my teacher. He was great. I owe him a lot
http://www.amazon.com/Handlist-Rhetorical-Terms-Richard-Lanham-ebook/dp/B0032UYCOU
I suggest everyone get this book
Heh. What kind of loser would spend their time doing that?
😐
Boris,
If I hadn’t gotten bored, I would have written a script. Or written a page with lots of links on it to get Google to crawl and index the links. Then I would have just looked at Google search results! Google has indexed 3 pages’ worth– so I’m sure the latter could have worked.
10 links/minute would probably fall well below the threshold someone could call DoS attempts.
Brando says there are 18,000 links. So that means it would take
18,000 links/(24 hours/day * 60 minute/hour * 10 links/minute)= 1.25 days to have a nice list of links.
After that all that would be required is to sort to see if anything stands out.
I didn’t write a script because I didn’t think the result would be *that* interesting!
You would be unwise to assume legislation regarding computer access is sensible. Quite a few jurisdictions, including Australia, have such broad laws that they may cover access by simple construction of URLs.
This was essentially the basis of the AT&T/iPad email address leak – which resulted in a 3-year jail sentence, overturned on appeal after a year served.
Several years ago a journalist was arrested in Australia after publishing an article about use of a similar approach to bypass privacy settings in Facebook. He wasn’t charged, but commentators suggested that if he had tested the vulnerability, federal laws were sufficiently broad that he may have been convicted.
andrewt,
There’s a big distinction: the AT&T/iPad leak involved providing a unique serial number (ICCID) associated with a subscriber identity module (SIM). These were intended to be associated with specific people. As such, in some sense, these could be ‘user credentials’.
One can argue whether even the AT&T issue is illegal (and it’s not clear it was– as language in the appeal suggests), but even if it is, the fact that t=i&p=j has nothing to do with “subscriber identity” means that the latter sort of guesses over “i” and “j” do not by any stretch of the imagination involve ‘identity theft’ or presenting any sort of ‘user credential’.
Given what weev was charged with and the text of the law, there are even bigger differences between this and the AT&T issue. When one enters “http://www.sksforum.org/thread.php?t=i&p=j” one obtains zero (or near zero) information “from” http://www.sksforum.org. What one obtains is the identity of the uri that sksforum.org redirects one to when loading the sksforum.org address. But how does one obtain that uri? One actually obtains that from the domain at the landing site. So for example, if the sksforum.org link redirects you to wuwt, you learn the uri of the ‘landing’ site is wuwt from wuwt (who could have redirected you further had they wished to do so.)
But WUWT would not appear to be a “protected computer”.
lucia, I didn’t visit the target of the redirects while collecting my list. I barely even visited any of them while manually doing it. My crawler ignored the redirect, and I had scripting turned off in my browser so the redirect couldn’t happen.
So I did obtain my information from http://www.sksforum.org.
Brandon–
Ahh.. My mistake. So you read them from the http headers but didn’t follow them? I guess then sksforum.org did give you the info.
I was thinking that when I manually fiddled a little, I only knew the info when I arrived (because I don’t read headers when running my browser.) That said, I’m aware my browser reads the redirects — that’s how it gets redirected. (After all, sksforum can’t deliver the page).
Now I also see your other point: You didn’t get the info UQueensland complains about from sksforum.org. If someone considers visiting sksforum.org “the hack”, then that’s not where you got the data for the 97% paper. All you got from sksforum.org was a list of links.
Visiting any link on the list (which would mostly be to resources not on sksforum.org) is an entirely separate step.
lucia, close. The redirection was actually part of the body, not the header. The redirects were done with PHP code. Since I had scripting turned off, that code wouldn’t run. I could still see the code though, and the destination of the redirect was included in it.
To Brandon (AKA “Brandoon” AKA “Brando”) Shollenberger and all readers of this blog who may be inclined to conspire with him:
As a representative of an entity with an employee who may have a proprietary interest in a list of URLs shared with an unspecified number of persons on an unsecured partisan web forum we hereby threaten you in some unspecified way for being one of the people who now may have that same URL list.
That URL list is the basis of very scientific published stuff which might be challenged if the data used to construct the paper were ever in the hands of persons not disposed to agree with the very scientific published conclusions as everyone should as a matter of consensus and good form.
Note that this concern on the part of the entity I represent obviously involves no possible liability on our part should the very scientific published stuff be found deficient nor will we make a clear assertion of a proprietary interest in said list other than to insinuate that if we did have such an interest then we would very cross were it infringed by you. This lack of clear legal interest or a specific litigation threat should not be taken to mean that this letter is entirely pointless. Neither should our involvement in this manner be taken as an acknowledgement or fear on our part that the very scientific published stuff may suck so badly that the scope of the embarrassment could actually adversely affect the reputation of the entity I represent.
In conclusion, this letter is so stupid and deeply embarrassing that disclosure and publication could be construed as malice therefore we claim copyright which legal claim is no more tenuous or vacuous than the rest of this content.
So there.
Sincerely
Embarrassed in Australia
I need to make a correction. My last comment said PHP when I meant Javascript. The resource at http://www.sksforum.org being visited was a PHP file, but it returned an HTML file with Javascript code. That code is what I had disabled.
Speaking of which, more people should run NoScript.
Brandon,
Thanks. I am less confused now. I thought you were saying you read the php script and I thought that generally can’t be done.
lucia, no worries. Short of a bug or security hole, there’s no way to read the PHP code without administrative access.
I’m never going to understand John Cook. It’s not like he hasn’t been burned before with the homegrown web craft. Why not get somebody who knows what they’re doing to deal with the Internet?
Whatever.
Mark Bofill,
Based on symptoms of how SkS operates, the main issue with Cook is that he seems to want to dream up a feature, code it so that feature works and really thinks no further. His “finding all the links posted” tool seems to have done exactly what he intended it to do: that is, it hid referrers when someone ‘outclicked’ from sksforum.org, substituting one John Cook decided he preferred site admins to see. Why he wanted people to see these “sksforum.org/thread.php?t=i&p=j” type referrers instead of the uri of the pages where the link actually appeared I do not know. But he coded it to specifically do that and he did so correctly.
That his ‘redirect tool’ had other features he might not have thought about — well… ok. Most software has “features” that either (a) the author didn’t think about and which you consider ok or (b) the author thinks about and would prefer did not exist.
John Cook does not seem to spend much time thinking about the ‘other’ features. In this case unlike his decision to send passwords in clear text by email, the other feature isn’t a security issue– after all, you can’t use that info to log in, steal an identity, steal stuff from sks and etc. But it gives people information that Cook may not have intended to hand out which appears to be:
web pages sksforum.org has been coded to redirect visitors to.
(We might infer– and I do infer– those sites are ones the group on an sks forum linked, but that’s actually a guess. Maybe John Cook just created a bunch of weird forwarding links, fed them to bots and created ‘mystery incoming hits’ for admins to ponder. Quien Sabe?)
But basically, it appears he created a tool that could be used to do something he never really thought about. And the tool was available on the internet with no caveats or restrictions given about its use. Moreover, there weren’t really even any implied restrictions.
Have a look at the number of previously publicly accessible uri’s at sksforum.org
https://www.google.com/search?q=site%3Ahttp%3A%2F%2Fwww.sksforum.org%2Fthread.php%3Ft%3D&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb#channel=sb&q=site:sksforum.org&rls=org.mozilla:en-US:official
(I’ll post a screenshot).
Here’s an image of other totally public uri’s at sksforum.org:
Was sksforum.org/denial a ‘private’ page? Did John Cook think visiting that was ‘not authorized’? Were some pages ‘private’ and others ‘public’? And how were people to “just know” which uris at sksforum.org were ‘private’ and which links John Cook had “authorized” as public vs. restricted? Most especially: how was someone “supposed” to know that the links John Cook had specifically created to be left in admin referrer logs were the ones admins and ‘the world’ were not supposed to know about?
So far, John Cook hasn’t suggested any hacking.
But on a thread at Brandoon’s a Frank Dwyer seems to think it’s somehow “obvious” that visiting the links Cook created for the specific purpose of leaving in referrer logs, where people would learn about them, was an unauthorized visit, or that someone who clicked it would ‘know’ it was unauthorized… or something. But those links were precisely the links Cook wanted people to see — and he wanted people to learn of those instead of learning about a different set of links (and in fact, we don’t know the identity of the links that Cook intended to conceal. He succeeded in concealing those– just as he intended. His tool did not reveal those.)
It’s all rather mysterious.
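As an added illustration of the design lucia and Brandon describe above (this is not code from sksforum.org, John Cook, or anyone in this thread), the Python below puts a constructed stand-in for a sequential-ID, JavaScript-in-body redirector beside a hardened version that requires a login, uses unguessable per-link tokens, and hides the referrer with a response header rather than a body script. The t/p parameter names come from the thread; the link table, token scheme, server key and URLs are assumptions.

```python
"""Why a sequential-ID redirector that hides referrers also leaks its link list.

Added illustration for this thread; not code from sksforum.org, John Cook
or anyone posting here. The t/p query parameters and the JavaScript redirect
written into the HTML body follow the thread's description; the link table,
the token scheme and every URL below are constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed link table: (thread id, post id) -> outbound URL.
LINKS = {
    (1, 1): "https://example.org/post-a",
    (1, 2): "https://example.org/post-b",
    (2, 1): "https://example.net/data.csv",
}


def weak_redirect(t: int, p: int) -> tuple[int, str]:
    """Redirector in the style the thread describes: no login, sequential
    integer IDs, destination embedded in a JavaScript redirect in the body.
    A client with scripting disabled never follows the redirect but can still
    read the destination from the page source, and the ID space is small
    enough that every link is reachable just by counting."""
    url = LINKS.get((t, p))
    if url is None:
        return 404, "<html>not found</html>"
    return 200, f'<html><script>window.location="{url}";</script></html>'


_JS_DEST = re.compile(r'window\.location="([^"]+)"')


def destination_from_body(body: str) -> str | None:
    """What a non-executing client (NoScript, a crawler) sees in the body."""
    m = _JS_DEST.search(body)
    return m.group(1) if m else None


# Hardened design. A real deployment keeps this key in config; constructed here.
SERVER_KEY = secrets.token_bytes(32)


def link_token(t: int, p: int) -> str:
    """Unguessable per-link token: HMAC of the IDs, so neighbouring posts
    share no structure an outsider could step through."""
    return hmac.new(SERVER_KEY, f"{t}:{p}".encode(), hashlib.sha256).hexdigest()


def hardened_redirect(token: str, logged_in: bool) -> tuple[int, dict[str, str]]:
    """Requires an authenticated forum session, looks the link up by token,
    and carries the destination only in a Location header. Referrer-Policy
    is what actually keeps the forum URL from leaking to the destination
    site; set on the forum pages themselves it needs no redirector at all."""
    if not logged_in:
        return 401, {}
    for (t, p), url in LINKS.items():
        if hmac.compare_digest(link_token(t, p), token):
            return 302, {"Location": url, "Referrer-Policy": "no-referrer"}
    return 404, {}


if __name__ == "__main__":
    status, body = weak_redirect(1, 1)
    print(status, destination_from_body(body))
    print(hardened_redirect(link_token(1, 1), False))
    print(hardened_redirect(link_token(1, 1), True))
```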
Yes. I’m not specifically a web developer or a security guy, but I’d think a professional would give thought to how features can be used in unexpected ways and how that might impact ‘security’ (security in quotes meaning .. what passes for security I guess).
priceless.
Mark Bofill,
Sometimes the person creating something might not care that there are alternate uses as long as the one they intended works out. Other creative uses might be a ‘feature’, not a bug.
Duct tape is used for lots of things the creator didn’t think about in advance. Whoever first created duct tape probably wouldn’t mind, and manufacturers now make it in nifty colors and the stuff ends up sold in craft shops.
One can’t assume the fact that the creator didn’t intend a particular use means they would disapprove or that the use is “unauthorized”. Their reaction might be thrilled, amused… or annoyed and pissed off. Either can occur.
There is a wonderful line in Zodiac by Neal Stephenson.
They have gone into a hardware store and are asked by the guy at the desk if they can be helped.
“No thank you. We’re looking for something to use for a purpose for which it was not intended, Why else would we be in a hardware store?” (Quote could be screwed up)
And yes, I am supposed to be doing something else this morning.
:> Point taken. But I’d think security guys wouldn’t look at life that way. I’d think a feature would be a hole until proved otherwise in that world, more or less. But what do I know, like I said, I’m no security guy.
It would only surprise me slightly to discover I’m not allowed to bring duct tape into my place of work without a waiver.
The part that’s really sad is when I think it through, I’m not sure a reasonable person could figure out what John wanted people to know or not know / access or not access as a result of this. Even making a good faith effort it’s not clear to me it could be done. It seems to me that unless one thought ‘oh, I don’t know what that is, but it must be that John doesn’t want me to think about it or examine it’ for no particular reason, there’d have been no way to know to avoid it.
Maybe they should attach a banner header to all of their HTTP posts by default – ‘SkepSciKidz Only TrespasserzKeepOut, This Means You Brandoon!’
🙂
In all the good super-villain films the super-villain confronts the hero and lays out his plan in detail, including how it would be possible for someone to stop his plan from working by simply doing ………..
Cook is like that.
It is no good sitting around bored in your underground, hollowed-out, volcano at your super secret base at the bottom of the Pacific. What all good super-villains like is a challenge and a chance to show off to the girls. Cook’s security measures are his babe-magnet; Cook hopes Shollenberger’s other-half is going to study his url’s and decide what she really looks for in a man is intellectual shallowness and emotional instability.
Re: lucia (May 19 09:35),
If you’re really serious, you get helicopter tape instead of duct tape. Unfortunately, you can’t buy helicopter tape at your local hardware or big box store.
The corollary of duct tape coming in a variety of colors is that when you paint your race car that has fiberglass bodywork, you use colors that match the available duct tape colors.
DeWitt,
is it still called ‘racing tape’?
DeWitt, is that the tape they developed and used to repair the fiberglass rotors of the Hueys in Vietnam?
Re: j ferguson (May 19 11:17),
They call it racing tape at the track so they can charge more, which they would do anyway since it’s a captive audience and the track wants its cut too.
Re: DocMartyn (May 19 14:13),
I believe that’s correct. They use it in Formula One too. The product info says it can be used to reduce damage (erosion protection) in an abrasive environment.
It seems a little strange to me that the U of Q should be investigating ‘hacking’ of a website that isn’t part of their domain. Is this normal behavior for this sort of institution?
The Zodiac quote is in Chapter 8:
“Young hardware clerks have a lot of hubris. They think they can help you find anything and they ask a lot of stupid questions in the process. Old hardware clerks have learned the hard way that nothing in a hardware store ever gets bought for its nominal purpose. You buy something that was designed to do one thing, and you use it for another.”
@HR
Ken White at Popehat.com has a signature line: vagueness in legal threats is the hallmark of meritless thuggery. [ref]
Lack of specificity in the implied threat is a feature, not a bug.