Bob Lacatena just wrote a post discussing SkS being “hacked” way back in February 2012. You know…. the hack that we are all supposed to know is a hack because SkS says it’s a hack, but they won’t tell us how they know it’s a hack? Well, it seems Bob has just posted Part I of some sort of “tell all”. I wasn’t going to pre-empt Brandon, who alerted me to the story (and has since posted at his own blog, with Parts II and III). But really, this new SkS post is beyond coy.
Here’s Bob telling us how much he’s going to tell us:
So how did the hack happen? Again, I am reluctant to share too many details,…
Indeed, Bob shares very few details.
What we are told is that, according to Bob’s theory, the “hack” happened on February 21, 2012 and was perpetrated by someone Bob calls “The German” who used a Tor browser. Other than that, at least in Part I, readers are not provided any information to permit one to figure out whether this theory is remotely plausible.
We are also told that no one at SkS suspected or detected ‘the hack’ for a month (in Bob’s estimate). But somehow or another, when Bob logged into SkS, he saw that someone else at SkS had learned of the “hack”, which, Bob tells us, impelled him to “quickly followed the link supplied by grypo to a comment on a backwater pseudo-skeptic blog announcing the hack”. Though Bob does not identify the “backwater pseudo-skeptic blog announcing the hack”, I think the link pointing to the SkS files corresponding to their forum database appeared in comments in this post at Tom Nelson’s blog.
The comment begins:
Dear Friends:
In the interest of transparency, I think you should see these files from Skeptical Science.
An anonymous whistleblower has brought to my attention some database logs and other files (e.g., http://www.skepticalscience.com/logs/2012-03-21.zip (the current day is txt, past days zip)). These files detail everything that happens on the site, from forum conversations to user accounts. I have collated some of the data in a more readable form.
http://files.molongo.ru/en/my/sks.zip
Why has SkS chosen to publish all this on the public internet? Is it the first step towards transparency, or a catastrophic error? This is what I first intended to ask Mr. Cook.
What this suggests is that someone at Skeptical Science was backing up the database by duplicating it, zipping the database file and storing these files in a directory called http://www.skepticalscience.com/logs/. (For those wondering: my database at Dreamhost lets me create a todays_date.zip backup of my database at the touch of a button. Heck, I can instruct Dreamhost to create these and store them somewhere on the server, or email them to myself, or do any number of things. If I am not insane I make sure that I do not store these at any accessible address, like, for example, http://rankexploits.com/logs/. Note: I do not store my backups in a web-accessible directory.)
So, somehow this ‘logs’ directory and its contents were found. How might they have been found? Who knows? Maybe a curious person thought, “Why don’t I type http://www.skepticalscience.com/logs and see what happens?” Or maybe someone started typing a URI, hit return before finishing and found the /logs directory. Or someone typed a broken link.
However they might have arrived at http://www.skepticalscience.com/logs, if it contained zip files and no index file, and John Cook had not excluded browsing to that directory with .htaccess and had not prevented display of the directory tree, the directory tree would have displayed. (This is the default behavior of many servers.)
The person who found the directory might then have been curious about what they saw and clicked. OMG!
I would not call this “a hack”. I would not consider accomplishing this “real skill”. In fact, it might be called “an accidental discovery”.
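The scenario above is a web root with backup archives sitting in a directory that has no index file and no .htaccess restricting it. The following is an added example (not SkS code, not from the post) of an admin-side audit that walks a document root and flags exactly that combination; the sample tree, the backup suffix list and the Apache-style .htaccess heuristics are assumptions.

```python
"""
Audit a web document root for directories that would expose backup or dump
files the way the post describes: a backup-like file, no index file to mask
an autoindex listing, and no .htaccess (in the directory or a parent inside
the root) that disables listings or denies access.
"""
import os
import re
import tempfile

# Suffixes treated as "backup-like" (assumption; extend for your site).
BACKUP_SUFFIXES = (".zip", ".sql", ".gz", ".tgz", ".bak", ".dump")
INDEX_FILES = ("index.html", "index.htm", "index.php")
# Apache directives that stop a bare directory URL from listing or serving.
PROTECTIVE_DIRECTIVE = re.compile(
    r"^\s*(Options\s+.*-Indexes|Deny\s+from\s+all|Require\s+all\s+denied)\b",
    re.IGNORECASE | re.MULTILINE,
)


def htaccess_protects(directory):
    """True if an .htaccess in this directory disables listings or denies access."""
    path = os.path.join(directory, ".htaccess")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return PROTECTIVE_DIRECTIVE.search(fh.read()) is not None
    except OSError:
        return False


def find_exposed_backups(docroot):
    """Return {relative_dir: [files]} for directories exposing backup-like files.

    Apache merges .htaccess files downward, so a protective directive in any
    parent directory up to the document root counts as protection.
    """
    docroot = os.path.realpath(docroot)
    findings = {}
    for current, _dirs, files in os.walk(docroot):
        dumps = sorted(f for f in files if f.lower().endswith(BACKUP_SUFFIXES))
        if not dumps:
            continue
        if any(f.lower() in INDEX_FILES for f in files):
            continue  # an index page masks the listing (direct links still work)
        probe, protected = current, False
        while True:
            if htaccess_protects(probe):
                protected = True
                break
            if probe == docroot:
                break
            probe = os.path.dirname(probe)
        if protected:
            continue
        rel = os.path.relpath(current, docroot)
        findings["" if rel == "." else rel] = dumps
    return findings


def build_sample_docroot(base=None):
    """Construct a small document tree mirroring the post's scenario."""
    base = base or tempfile.mkdtemp(prefix="docroot-")
    for sub in ("logs", "private", "downloads"):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
    with open(os.path.join(base, "index.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>\n")
    # /logs/: a database backup, no index, no .htaccess -> exposed
    with open(os.path.join(base, "logs", "2012-03-21.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed placeholder\n")
    # /private/: a dump, but .htaccess denies access -> not exposed
    with open(os.path.join(base, "private", "db.sql"), "w") as fh:
        fh.write("-- constructed dump\n")
    with open(os.path.join(base, "private", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\nRequire all denied\n")
    # /downloads/: an intentionally published archive behind an index page
    with open(os.path.join(base, "downloads", "release.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04\n")
    with open(os.path.join(base, "downloads", "index.html"), "w") as fh:
        fh.write("<html>links</html>\n")
    return base


if __name__ == "__main__":
    root = build_sample_docroot()
    for directory, files in find_exposed_backups(root).items():
        print(f"exposed: /{directory}/ -> {files}")
```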
Could the “well that’s not really a hack unless an accidental discovery can be called a ‘hack'” have possibly happened the way I suggest?
Well, remember how the SkS Nazi Image Files were found? They were found pretty much the way I described above. Directory trees can display, they often do. They did at “http://sksforum.org/image”. This isn’t rocket science. It’s the way “the web” works.
So: in other words, the simplest theory is that someone found the logs the same way someone found all the images. Somehow someone found the /logs/ directory, all the files displayed and then they clicked to download. That person downloaded the files, then created a database to hold the files and hosted it on a Russian server. (This is all easy.) They later described finding stuff in the /logs/ directory in a comment at Tom Nelson’s and pointed people to the address that displayed the database. Not. Real. Difficult.
No one at SkS has ever said anything to suggest this is not what happened.
Meanwhile, we have Bob’s theory. Does Bob give us enough information to tell whether this person he calls “The German” ‘hacked in’ in February 2012? Nope. Do we know what URIs or requests were made that permitted “The German” to ‘hack in’? Nope. Bob intimates that an SQL injection attack occurred on the day they “think” “The German” hacked in using his “Tor” browser. Can we inspect what he did to see if that particular SQL could possibly have resulted in SkS’s server disgorging the entire contents of the database? Nope. Does Bob tell us the IP so we can check his theory that this Tor connection hacked in? Nope. (I’ve averaged 8 Tor connections a day over the past 3 weeks. I’m Tor hostile and ban them, but they still try to visit the blog. Some do weird things. The mere appearance of Tor does not mean that a hack was attempted. It certainly doesn’t mean one succeeded. One needs to know more.)
Now maybe all of this will be revealed in Part II, III or even XXVI. It will turn out SkS caught “The German” dead to rights, Tor Browser and all. Bob does have some very specific dates and times in Part I, so maybe he’ll reveal something to make me believe they actually know this was “a hack”. If so: Good going!
That said: until I read anything to suggest that “revelation of the SkS forum database” didn’t happen exactly in the manner described in the comment at Tom Nelson’s, I’m going to assume that’s how it happened. You know why? Because the “not a hack” method of revelation is totally believable and it wouldn’t require anyone with any skills to accomplish. It would merely require us to believe that John Cook organized “SkepticalScience.com” more or less the way he later organized “sksforum.org”.
Now, moving away from “the hack”, there are a number of other funny things in Bob’s post. Turns out SkS has particularly bad password security:
Sceptical Wombat at 10:54 AM on 22 February, 2014
One thing I think you should stop doing is holding passwords in plain text. A better way is to use a one way encryption algorithm and to only store the encrypted password. That way you never know my password and so no one else can get it from you. If I forget my password you issue a new one and require me to change it.
Moderator Response:
[BL] Passwords are not and have never been stored in the database as clear text. They are and always have been encrypted, and they are never decrypted. Rather, the password sent by the user is encrypted, and that encrypted password is compared to the encrypted password stored for the user. If they match, then the password supplied by the user is valid.
[BL] Correction, I just looked at the code, and passwords are decrypted in the “Forgot your password” function — but that doesn’t represent much of a security hole, because it can’t be used to breach the system, and it can only be used to steal passwords if you already have the password and so can change a user’s e-mail, or otherwise have access to that person’s e-mail.
Either way, that particular flaw doesn’t represent a pressing issue, at least compared to the effort it would take to correct.
Italics mine. That Bob. Bless his heart.
Mind you, those skepticalscience.com passwords are only used to prevent spam at Skeptical Science. But anyone who knows anything about phishing also knows that people often use the same password on many sites. Some long-time email users and even some ‘security experts’ know that people who “otherwise have access to that person’s e-mail” are sometimes called “their employer’s IT department”. At some companies, emails are stored. That means that Skeptical Science is putting their own users at risk of revealing “pet” passwords, which they might be using elsewhere, to their IT department. So if you have a password at SkepticalScience, maybe you should consider changing it. Oy.
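Sceptical Wombat’s point is that a one-way scheme leaves nothing to decrypt, so a “forgot your password” feature has to issue a reset rather than mail the old password back. Here is an added example (not SkS code, standard library only) showing that design: a salted PBKDF2 record, constant-time verification, and a short-lived reset token; the in-memory user table and names are assumptions.

```python
"""
One-way password storage plus a reset flow that never needs the old password.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

ITERATIONS = 200_000          # PBKDF2 work factor; raise as hardware improves
TOKEN_TTL_SECONDS = 15 * 60   # reset links expire quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The digest is one-way: there is no decrypt step, so the site can never
    send the original password back to anyone, IT department included.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal in-memory user table (constructed for the example)."""

    def __init__(self):
        self.users = {}         # email -> password record
        self.reset_tokens = {}  # token -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        record = self.users.get(email)
        return record is not None and verify_password(password, record)

    def request_reset(self, email, now=None):
        """The 'forgot your password' path: mint a random, short-lived token.

        Nothing about the old password is recoverable, so the only thing the
        site can e-mail is a link that lets the holder set a new one.
        """
        if email not in self.users:
            return None  # respond identically to the user either way
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, (now or time.time()) + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use) and store a fresh one-way record."""
        entry = self.reset_tokens.pop(token, None)
        if entry is None:
            return False
        email, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True
```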
In the meantime, we can all wonder whether Part II will give us any information to suggest that SkS has information to show the “the hack” was accomplished with an SQL injection attack perpetrated by “The German” using a Tor browser. Maybe they will. Maybe they won’t. To Be Continued.
Update: edited to add link to Brandon’s post.
Update Feb 25: Barry Woods found a directory listing at the Wayback machine. I took a screenshot, uploaded and inserted at the appropriate location in the narrative.
Bob Lacatena’s post is unbelievably bad. I cannot fathom how someone writes 2,500 words with that little information. He has to realize he’s not actually telling anyone anything about what happened.
By the way, since lucia preempted me (jerk!), I made my post more blunt and straightforward. In it, I may have figured out why Bob Lacatena wrote such a ridiculous post. You see, I stripped a quote of all its context to distort its meaning and found he says:
Clearly, that’s his strategy!
this was a month after, John was told that the whole non-public forum was publically visible (at time Cook thought due to admin error)
there was discussion about making it more secure, then the solution was to move the non-public forum to a separate website…
I’m guessing that they simply were backing up the whole forum because of the earlier mess up, and getting it ready to transfer across to the new sksforum.org website..
and somebody found it in exactly the same way as the images were later found on the new website (which they did not realize was how, the forum zip was found)
read: 2012-02-23 09:07:25 Ok, something very weird has just happened with the forum
Barry Woods, according to Skeptical Science, the reason the forum was publicly viewable at that time is that is when the hacker first gained access. According to them, he made changes which caused that.
We have no evidence to support that claim, but it’s certainly possible.
If somebody visits a publicly accessible website, including seeing a directory tree in their browser, and doesn’t use any special techniques, or password trickery, etc, it isn’t hacking.
If people want to keep stuff secret, it is their responsibility not to put it on show in a public place. If you stand naked on your front lawn, don’t complain if passers by see your pee-pee.
well – as they made the same mistake at SKSforum.org !
more plausible, that no hacker did it.. just bad webadmin
Barry Woods,
Obviously, unless they reveal enough information to show why we shouldn’t believe the files were obtained in a way that is consistent with the comment left at Tom Nelson’s, I don’t see any reason to think the info was obtained the way I suggest.
Also: Might the person have used Tor? Maybe. That could suggest hacking intent, but it wouldn’t prove it. Lots of people use Tor for lots of reasons. Hackers also use it. So do fingerprinters etc. So, I mostly ban it. It’s easy to do. But the fact that I ban it doesn’t mean that Tor is “always” or “usually” a hack. It only means that, in my judgement, anyone who uses Tor could just as well read my blog without using Tor. And blocking Tor reduces the potential for mischief making and saves me, a hobby blogger, time, effort and worry. That’s about it.
For those wondering, I interrogate the free publicly available lists about once every half hour and store the IPs I detected during the past two days and show it here:
https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$address and
http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
These give me exit lists. I organized a script to have two files, one of which starts filling on “day 0” and keeps accumulating to the end of “day 1”, and the other on “day 1”. On ‘day 1’, I read IPs from the “day 0” file and ban those. This catches everything that hits a php resource nearly as soon as it becomes a live Tor exit node and will also catch a few that might ‘blink on and off’. It has a few false positives… but really.. not much. I’m not too concerned about the few false positives. If others wish to use it:
http://bannasties.com/BanNastiesScripts/DisplayBannedIPs.php
I read those and block them from all php scripts they might hit. If they hit a php script, I automatically submit that IP to cloudflare and ban it for about 7 days. That’s pretty much good enough for me.
Note: my method might not have protected Skeptical Science, especially if the intrusion was a total accident caused by a typo when someone created a link. This is because, at least according to what the person who reported finding the links told us way back in 2012, SkS seems to have stored their databases in zip files stored in a publicly accessible directory. (Super dumb.)
Those are not php resources so you can’t put a “hook” into ZBblock, and SkS didn’t seem to have any .htaccess blocks protecting those either. My method would not block that “discovery” unless the IP first hit a php resource, and it’s actually pretty hard not to hit a php resource if you are trying to ‘sniff’ my site. (It’s not impossible. I’m sure a dedicated person could do it. But it’s fairly difficult.)
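The two-file rolling window lucia describes (a “day 0” bucket that keeps accumulating through the end of “day 1”, a fresh bucket opened on day 1, and the older bucket used as the ban list) can be written down compactly. This added example is not her ZBblock/BanNasties script; the network fetch of the exit lists is replaced by constructed sample text, and the line format handled by the parser (one address per line, optional CSV fields, `#` comments) is an assumption.

```python
"""
Rolling two-day ban list built from periodically fetched Tor exit-node lists.
"""
import ipaddress
from collections import defaultdict


def parse_exit_list(text):
    """Extract valid IP addresses from a plain or CSV exit-node list.

    Assumed format: one address per line, possibly followed by comma-separated
    fields; '#' lines are comments. Non-address rows are skipped, not fatal.
    """
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        candidate = line.split(",")[0].strip()
        try:
            addrs.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue
    return addrs


class RollingExitBan:
    """Per-day buckets of observed exit IPs; the ban set is yesterday + today.

    This mirrors the two-file scheme: the bucket opened on day N-1 keeps
    accumulating through day N, and on day N everything in it is banned, so
    an exit that 'blinks off' for a day is still caught.
    """

    def __init__(self):
        self.buckets = defaultdict(set)  # day number -> IPs first seen that day

    def record(self, day, addrs):
        """Merge a freshly parsed exit list into today's bucket."""
        self.buckets[day] |= set(addrs)
        for old in [d for d in self.buckets if d < day - 1]:
            del self.buckets[old]  # the day-before-yesterday file is discarded

    def banned(self, day):
        return self.buckets.get(day - 1, set()) | self.buckets.get(day, set())

    def should_block(self, day, client_ip):
        """Decision a PHP-side hook would make for an incoming request."""
        return str(ipaddress.ip_address(client_ip)) in self.banned(day)


# Constructed sample fetches, one per day (not real exit-node data).
SAMPLE_LISTS = {
    0: "198.51.100.7\n203.0.113.9\n",
    1: "# comment line\n203.0.113.9\n192.0.2.44,ExitNode\nnot an ip\n",
    2: "192.0.2.44\n",
}


def run_sample():
    """Feed the sample lists through the tracker and return the ban set per day."""
    tracker = RollingExitBan()
    bans = {}
    for day in sorted(SAMPLE_LISTS):
        tracker.record(day, parse_exit_list(SAMPLE_LISTS[day]))
        bans[day] = tracker.banned(day)
    return bans
```

Each day’s fetch is merged into that day’s bucket, so the ban set on day 2 no longer contains 198.51.100.7, which was last seen on day 0.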
Re: “an accidental discovery”.
I thought “accidental discoveries” were a major factor in how science progresses?!
From an earlier post at SKS by John Cook,
“The hacker hijacked an SkS user account, uploaded files onto the server enabling them to gain access to the entire database, deleted log files to cover their tracks and stole a dump of the entire database. This was achieved using more than two dozen different IP addresses from all over the world over a 5 hour period.”
http://www.skepticalscience.com/SkS-testimony-potential-social-media-passion-volunteers.html#theories
DGH,
That’s a lot of verbiage for a theory. And maybe they have reason to believe something happened. But my question is:
That is to say: Have they ever directly contradicted what the comment at Tom Nelson’s blog actually claims about how they obtained the files. For example did SkS ever say that there were no zip or other files stored in a http://skepticalscience.com/logs/ directory?
As for other questions:
Does SkS have the attack pattern or anything from the uploaded files? Do we know the contents of the uploaded file?
What are the IPs? We can easily check if they are Tor because there is a tool that permits us to do that.
Why be so coy? Telling people the IPs doesn’t materially help any other hacker. And if they were Tor IPs, maybe the guys over on TorTalk ought to be told. (They all seem convinced that those who complain of hacking using Tor are someone paranoid or something.)
Showing the code that was uploaded doesn’t help future hackers either because these codes are readily available. Showing the hack sequence wouldn’t help hackers if SkS has fixed their vulnerability. And moreover, showing the hack would help other bloggers learn to protect themselves.. Sharing this information is how people like Zap who write ZBblock figure out what to write to block hack attempts and close vulnerabilities!!
Why would anybody bother?
Well, it’s an entertaining read, even if it is more or less fiction.
You know… I’m reading comments at http://www.skepticalscience.com/Skeptical-Science-hacked-private-user-details-publicly-posted-online.html
They are hilarious. This is JC correcting hank_ who suggested a “breach of security hole”.
Uhmm… successful SQL, RFI injection & etc attacks are ‘breaches of security holes’. The ‘security hole’ exists due to a vulnerability in software used by whoever designed the system. That the breach is achieved by hacking doesn’t make it not a breach. It’s like someone saying invaders entering through a “breach” in a “wall” is inaccurate because the invaders happened to be armed.
Gotta read more!
Back then they wrote:
Let’s hope part II cuts to the chase and tells us Interpol caught “The German” and actually tells us something. Because the coyness is just…. tooo…. much!
Yet again:
Uhhmmm…. it reads like an RFI that resulted from an SQL vulnerability. That would be a programming error. The only question is whose programming error. I, for example, don’t write “wordpress” software. So if it has a vulnerability that gets exploited, that’s not my coding error. But it is someone’s programming error!!
I remember the Interpol comment as if it was posted yesterday. Yet another coffee meet monitor moment courtesy the SkS team.
As for Mark Bofill’s, “Why would they bother?” Exactly.
Direct from Moon Landing central we’ve got a constant stream of paranoia and conspiracy theories. It’s a war against their website featuring international hackers in dark rooms armed with Red Bull. But not to worry, Interpol is hot on the tails of the plotters.
I’ll see their conspiracist ideation and raise them a delusions of grandeur.
Interpol will never catch The German. He’s like a ghost. In more ways than one.
Anyone else remember the German from the film the Three Amigos? Somehow that association came to mind and won’t go away now.
Actually, the question “why would they bother?” has a two-pronged answer:
“They” here potentially encompasses a HUGE number of people with a large variety of motives. Why someone might bother to hack a site, or even just visit a site, could have any number of possible answers.
We know somethings about the release of data:
1) Someone was sufficiently motivated to post the spilled forum in public and publicize that once they had it. We know this because it happened.
What we don’t know (because SkS so far has avoided giving any relevant useful information to know their “theory” or what happened nor see the “data” to check if it’s consistent with their theory) is whether
(a) someone merely stumbled across files stored at http://skepticalscience.com/logs/a_shit_wad_of_files, saw what they were, and downloaded them (perhaps concealing their IP behind proxies in the process), or
(b) someone found a flaw created by a programming error in the software used by SkS, managed a successful RFI, possibly using SQL injection, then used the included file to download the database and do other things.
We know the person commenting at Tom Nelson said (a) and SkS seems to be saying something like (b). But SkS isn’t providing any data to suggest they are correct in their diagnosis nor have they denied files were ever stored at the address where the commenter at Tom Nelson claimed they were stored!
Lucia,
Yes. I have a bad habit of trying to generalize about what ‘anyone’ might do, whether ‘anyone’ could make certain mistakes innocently or not, etc. even though I know perfectly well that this is a silly idea because ‘anyone’ usually encompasses a heck of a lot of people. The way I put it was rather sloppy. Perhaps my sentiment would have been better expressed this way: It wouldn’t be worth the bother in my book.
I was searching to see where, besides Tom Nelson’s blog, that link to the internal location for the zip file was posted.
When the entire URL is entered into google the engine naturally sends you directly to SS. But the site appears as text with no graphics. Odd behavior but apparently consistent with other glitches over there.
Re “why bother?” Yes, clearly somebody was motivated to access the site and distribute what they found. It remains to be seen if it was much of a bother or if they just happened to stumble into an unprotected directory.
Mark Bofill,
You are not the only person who has that habit. Lots of people do.
DGH
That’s not so bad. No matter what might have been stored in the /logs/ directory back in 2012, the link is now dead. Many dynamic blogs/forums/sites in general show you more or less blank pages when you enter a dead link.
So visiting that http://skepticalscience/logs/ link now won’t tell you what was there in 2012. Presumably, Cook should know. At this point, since they’ve been so coy, they are going to find that having waited 2 years to specifically rebut the claim that files were hosted there in 2012, lots of people are not going to believe any rebuttal that might be made now. But…. it’s irrelevant for now because they haven’t ever said that they never even had such a directory. JC did say the “hacker” “lied”, but that doesn’t begin to tell us what statement was supposedly “a lie”.
Lucia,
Maybe they aren’t being coy. Maybe it’s a default mind set or philosophical approach or something. In the immortal words of Phil Jones,
I make no bones about the fact that I am determined to stamp out the travesty of physics which sites like SkS and DrRoySpencer continue to promulgate.
Roy Spencer still cannot prove with any valid physics his crazy postulate that there would be isothermal conditions in Earth’s troposphere in the absence of water vapour and radiating gases. The greenhouse conjecture depends totally upon this garbage “fissics” that would violate the entropy conditions of the Second Law of Thermodynamics. All the models depend totally on this weird idea which is never observed anywhere on any planet or moon, not even on Uranus where the base of the nominal troposphere is hotter than Earth.
Roy only needs to look at the data for the Uranus troposphere to realise that thermal gradients (aka “lapse rates”) evolve spontaneously at the molecular level. Radiating gases reduce the gradient (and thus cool the surface) due to inter-molecular radiation. They help energy escape faster up the troposphere and eventually to space. Radiation that strikes any warmer surface is just pseudo scattered.
There is no need for advection (upward rising gases) or any direct solar radiation or a surface: the lapse rate just forms autonomously as gravity acts on molecules in free flight between collisions.
That is why the (badly named) “lapse rate” on Earth, Venus, Uranus, the outer crust of Earth, the core of the Moon – everywhere – evolves spontaneously in solids, liquids and gases. That is why radiative forcing is not what is the primary determinant of any planet’s atmospheric or surface temperature – gravity is – gravity traps energy.
Water vapour reduces the insulation effect – just consider the problem with moist air in double glazed windows. Moist regions are cooler than dry regions – I have proved that with real world temperature records.
You’ll find the study in my book “Why it’s not carbon dioxide after all” available late April from Amazon etc. and from which I quote …
“The world will one day look back upon a small slice of history that began in the 1980’s and sadly have to conclude that never in the name of science have so many people been so seriously misled by so few for so long. Never have so many careers, so much time and so much money been spent in the pursuit of such a misguided and ineffective goal to reduce human emissions of carbon dioxide, a harmless gas which comprises about one molecule in every two and a half thousand other molecules in the atmosphere of our planet, Earth.”
“The German” can be found any day now on The Blacklist, where he will meet the same fate as The Innkeeper, The Chemist, The Alchemist, The Freelancer, The Stewmaker, The Courier, and their friends.
curious – what does this wayback entry mean….?
http://web.archive.org/web/*/http://www.skepticalscience.com/logs/2012-03-21.zip
It appears that the directory at least existed, and a file with the name was there?
http://web.archive.org/web/*/http://www.skepticalscience.com/logs/*
Barry,
Nice find. So did Cook et al put it there or did the “hacker”? The plot thickens.
Also, who requested that the page be archived? I know the wayback machine stores many pages automatically. But this is pretty obscure.
If the hacker requested it then Interpol has a major lead. Although it probably just leads to another Tor. OTOH Tom Nelson is pretty savvy and I wouldn’t be surprised if that was his doing.
DGH,
Likely no one made any direct request. The Wayback just crawls. A site owner can request The Wayback stay away and it complies. But otherwise, it crawls and periodically takes screenshots.
DGH– By the way, the data show that the /logs/ directory existed as far back as 2010. That’s two years before the release of SkS database files to the public.
Also note that it didn’t get shutdown for three weeks after they discovered the breach.
Read the post from anonymous over at Tom Nelson’s Blog. He says that someone told him about the breach. Then he provides a link to the logs directory.
Perhaps that’s all true. Perhaps they were using that log directory for temporary storage of the backup file and then moving it once it was created. That would explain why there were no other records at the Wayback machine.
And if the hacker knew about this practice, he/she could await the file and download it when it arrived.
Or maybe not. It will be interesting to read part two.
DGH
No explanation is required. It is absolutely normal for the Wayback listings to be extremely spotty. In fact, what’s surprising is that anything got listed at all. Generally, the Wayback won’t find anything unless someone links it on a web page the Wayback visited. The March 21, 2012 zip file probably got linked by shitwads of people after Tom Nelson’s file was posted. That would trigger a Wayback visit. But that file is a zip, so the Wayback crawler would stop there and not look “up the tree” to find everything else in the directory because that would not fulfill its purpose. Presumably, someone somewhere linked the .txt file and the wayback crawled there.
If someone looked for a url on the Wayback machine and a record was not available then it would retrieve it from the “Live Web”. It would also give a message that the retrieval would then become part of the archive. It is therefore possible that the Webarchive entry resulted from someone making an enquiry at the time when the file was available.
clivere–
Ahh! I didn’t know that asking the Wayback for a record of a page triggered a visit if no record existed. I did know their algorithms are organized to try to include records that interest people ‘now’ and avoid including ones no one cares about. So they don’t just go trying to find any and everything.
Too bad no one asked for just http://skepticalscience.com/logs. Then we might have gotten a directory listing!!
One thing worth noting: That record seems to have been made on the 25th of March. Tom’s post is March 22, 2012. In the time between those two events, lots of people were discussing the zip. At the time, did anyone say they downloaded the .zip in the /logs/ file at SkS and discovered it did not contain the forum archive? Anyone at SkS say anything?
I know that if I were SkS, and someone said they got it from that forum, I would want to look at the zip and see what was in the zip. If it was not the forum, I wouldn’t just say “the hacker lied”. I’d say: the stuff at that link is not the forum stuff. I’d be especially motivated to say that if I was trying to convince people that I had reason to believe a “skilled hack” occurred and that the method of “discovery” described at Tom Nelson’s was not possible.
I know their not saying anything would be “dog that did not bark” type evidence. But sometimes, “dog that did not bark” evidence is persuasive.
I’m trying to find things said at the time. At BH
http://www.bishop-hill.net/blog/2012/3/24/behind-the-scenes-at-skeptical-science.html
Terry S keeps pointing out the files ‘discovered’ were located in a publicly accessible directory hosted at SkS. I’m scanning for rebuttals with people saying the contents don’t match what one might think, or confirmations from people who say they downloaded those and confirmed the contents.
As we know, that SKS security on the SKSforum allowed the images to be found, in exact same manner as on the sks website, as the ‘hacker/whistleblower’ described for /logs
I’m happy with the simple explanation..
as they were in the process of transferring the private forum from the main website, to SKSForum.org for security ! 😉
though who the person was, is of interest, someone poking around who found it..
Or maybe it was an insider.. cue, SKS contributors looking suspiciously at each other.!!
reading some of their forum, easy to imagine one of them going, OMG and deciding actually they were sceptical after all. (specially after Way saying McIntyre basically correct)
Here’s a note indicating access to the ‘zip’ file hosted at SkepticalScience was closed on March 25 (the day the Wayback seems to have visited.)
This suggests “Terry S” had downloaded ‘the’ zip file and opened it. I’m assuming by “the” zip file, she means the one she has been harping on previously– the one hosted at skepticalscience.com, not some other one.
This is hilarious
1. “should have been password protected was left open by the server,” Servers do not just put things into directories. Servers do not “leave things open”. Things get put in directories by humans either directly (they upload them) or indirectly by setting in motion script or other software to place certain information in a directory.
The default for access on a web-accessible server (like the one that hosts skepticalscience.com) is “permit”; this is why things will generally become web accessible when you place a file on the web-accessible server. This behavior is pretty well known to people who do things like run blogs (e.g. ‘rankexploits.com’ or ‘skepticalscience.com’). It is the responsibility of the human to know that if they put things on the web-accessible server which they use to host their blog and/or forum, and they do not create their own .htaccess files to limit access, then the material will become web accessible to everyone. This is not the “server” just going out and deciding to make things public.
Sorry, but what does this even mean? The downloadable zip file was in the skepticalscience.com/logs directory. That is publicly available. The information in the zip file appears to have been the backup of the database which, presumably, was hosted in a location that is not publicly available. (That’s the default at most hosting companies.)
The theory is that John Cook or one of his associates did something to cause the ‘zip file’ to be created. (This action could be clicking ‘create backup’ in the admin panel for mysql admin or something.) Then they did something to put that file in their /logs/ directory. (This action could have been an option on the database permitting people to select a location to store the backup. Dreamhost lets me do both possible actions with the touch of a button. I can even schedule Dreamhost to do this daily. I would never tell Dreamhost to put the stuff in a web-accessible directory, and no one should. But that doesn’t mean it would be impossible for John Cook to do so.)
This only means that John Cook thinks he is the only one who could have done this. It may be true. But if so, that merely removes “associates” as people who might have had access to back up the database.
This only means John Cook thinks he did not release it. It does not mean he did not release it inadvertently. (And the fact that 1 and 2 are so idiotic suggest that collectively the SkS crowd doesn’t understand how things might be released.)
I never downloaded the files, so I never saw this and can’t check the claim. The message at Tom Nelson did say “These files detail everything that happens on the site, from forum conversations to user accounts. I have collated some of the data in a more readable form.” This would suggest that “the site” database was in the zip file and if so, I assume Nelson means the personal detail of “major deniers” of the “site” had their personal details deleted.
However, one doesn’t insert much in the way of “personal details” when subscribing to Skeptical Science. You post (a) a user name — which can be a sockpuppet, (b) a password and (c) an email. Then it sends you a confirmation email. Does he mean passwords and emails were? Deleted? If so, this would suggest some modification by someone– and so the question would be who? It would be nice to see what Tom meant and also see some evidence this occurred.
It might have been nice if Tom Curtis had been more clear on this– and said whose details were deleted. But I would like more information on this to try to find out (a) what the claim actually is and (b) learn if it’s true.
The only files I’ve ever seen are ones purported to come from the forum. “Major deniers” did not subscribe to that forum. They were not permitted to subscribe to the forum.
It might have been nice if Tom Curtis had been more clear here.
Note: I hope Part II might clarify whatever it is Tom Curtis meant in 5. Because so far, part “5” above is the only relevant information that the zip file hosted at SkS would not simply have been the consequence of more or less routine administration by John Cook.
Note, in Lacatana’s Part I, he only talks about the forum being available
Simple explanation. Cook or another, zipped up the forum, database, etc, put it into an accessible location.
to be transferred to the new SKSforum.org, to be unzipped there, and recreate the private forum there..
The forum WAS recreated at SKSforum.org, because of the earlier security issues.. how do you transfer everything, you zip it all up, and copy it over!!
then it gets ‘found’
maybe somebody at SkS is not quite admitting to the truth.. ie has Cook actually said he did NOT create the zip file.. (vs, he did not ‘release’ it – he just merely left it lying around, somebody else ‘release’ it – word games by Cook, been there before.
is Cook hyping the ‘user information’
ie there was a single csv file.. stick into excel and get column headings
UserId, Username, First Name, LastName, Email, User_LevelId, Date_Added, URL, Scientist, Moderator
a csv file to be used when recreating the forum at sksforum.org
ie this was everybody that had ever registered..
in the actual forum html pages, you get moderator name, email address, IP, whenever they made a comment (which could be exactly as the moderators saw the private forum)
No one will go wrong trying to underestimate the probity, intelligence, and common sense of John Cook and his SkS groupies.
Keystone crock?
Barry Woods,
I don’t know if things are “wordgames” or what. But given the existence of scripts and choices, I know it’s possible for someone to do something and be somewhat unaware precisely what they have done. There are all sorts of decisions people make which seem like “good ideas at the time”, but turn out to be not so hot. Sometimes, one automates these and forgets they were being done.
As for backing up a database, look at this plugin which will automatically back up a wordpress database to a location you specify.
http://readyshoppingcart.com/product/wordpress-backup-and-restoration-plugin/
I’m not sure how much flexibility it gives you, but a quick scan suggests you can put the back up wherever you choose. The plugin does nothing to ensure that location is not web accessible.
Tons of similar convenient “solutions” to backup problems exist. Lots of people use them. Some of these people are going to slip up– or forget what they did etc. And right now, the evidence I’ve seen– even accepting his denials as being total truth as he is aware of it is consistent with John Cook using a back up tool of some sort, which created the zip file and put that in the /logs/ directory. In this regard, everything could happen just as it appeared, John Cook would think he’s telling the total truth, and yet, it would be true that the files “appeared” in the “/logs/” directory just as they were made, he would have no recollection of something he’d done back in the mist of time, and blah…blah… blah….
And– because the idea that Cook screwed up is currently the simplest theory consistent with facts that have been made public by SkS, and it is also the theory that matches the description the “leaker/hacker” gave, I tend to think “Cook screwed up, made the file and made it public” is the most likely.
Unless Lacatanae posts details that show the simple theory cannot be true…well…. I’ll continue to believe the simple theory. And that will be true even if Lacatanae etc. keep insisting that for some reason they “can’t” post the exonerating evidence for fear of helping hackers (hah!) or for some other reason that sounds totally ridiculous.
Barry
is this file for the forum? If that’s what Curtis is discussing, then it would be natural for these to not include people SkS thinks are “deniers” because they weren’t permitted to join the forum.
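As an added defensive check (not code from this blog or from Skeptical Science), here is a Python script that walks a document root and flags archive or dump files that no Apache-style .htaccess in the directory chain denies; the sample tree it builds, including a /logs/2012-03-21.zip, is constructed to mirror the scenario discussed above.

```python
"""Scan a web root for backup/dump files that the web server would serve.

Added defensive check, not code from this blog or from Skeptical Science.
It assumes an Apache-style deployment: anything under the document root is
served unless an .htaccess in that directory (or an ancestor) denies access.
Only the deny-all directives listed in DENY_DIRECTIVES are recognised.
"""
import os
import re
import tempfile

# Extensions that typically mark an archive, dump or export (user.csv included).
BACKUP_EXTENSIONS = (".zip", ".sql", ".sql.gz", ".tar", ".tar.gz", ".tgz", ".bak", ".csv")

# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") deny-all forms.
DENY_DIRECTIVES = (
    re.compile(r"^\s*Require\s+all\s+denied\b", re.I | re.M),
    re.compile(r"^\s*Deny\s+from\s+all\b", re.I | re.M),
)


def htaccess_denies(directory):
    """Return True if DIRECTORY's .htaccess refuses every request."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return any(rx.search(text) for rx in DENY_DIRECTIVES)


def is_protected(webroot, directory):
    """True if DIRECTORY or any ancestor up to WEBROOT carries a deny-all."""
    webroot = os.path.abspath(webroot)
    current = os.path.abspath(directory)
    while True:
        if htaccess_denies(current):
            return True
        if current == webroot:
            return False
        parent = os.path.dirname(current)
        if parent == current:  # hit the filesystem root without reaching webroot
            return False
        current = parent


def find_exposed_backups(webroot):
    """Return web paths ('/'-separated, relative to webroot) of unprotected backup files."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(BACKUP_EXTENSIONS):
                continue
            if is_protected(webroot, dirpath):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            exposed.append("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_webroot():
    """Construct a throwaway document root mirroring the scenario in the thread.

    /logs/2012-03-21.zip sits in a directory with no .htaccess, while
    /private/ carries a deny-all .htaccess. Every file here is constructed.
    """
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "logs"))
    os.makedirs(os.path.join(root, "private", "dumps"))
    with open(os.path.join(root, "logs", "2012-03-21.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04constructed-zip-placeholder")
    with open(os.path.join(root, "logs", "2012-03-22.txt"), "w") as fh:
        fh.write("constructed log line\n")
    with open(os.path.join(root, "private", ".htaccess"), "w") as fh:
        fh.write("Require all denied\n")
    with open(os.path.join(root, "private", "dumps", "forum.sql"), "w") as fh:
        fh.write("-- constructed dump\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for web_path in find_exposed_backups(sample):
        print("EXPOSED:", web_path)
```

Run against a real document root, an empty result is what you want; any path printed is a file the server will hand to anyone who guesses or finds its name.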
lucia, the user.csv file was for Skeptical Science as a whole, not just its forum. That’s why you can see my name in it. That also makes it less likely the files were part of any sort of backup being transferred to another site. There’s little reason they’d transfer a user list for their site to a server just hosting a forum. Similarly, there’s little reason they’d transfer a file containing comments that had been deleted from Skeptical Science. It could have been a general backup though.
Incidentally, it’s difficult to know who Tom Curtis is saying was removed from the file. There were ~6,000 users in the list. I have no practical way of telling if any of those are “major deniers.” I mean, I was in there, and Skeptical Science lumped me in with deniers in their forum, but maybe I wasn’t major enough to be removed?
Incidentally, the file doesn’t include passwords.
no..
this was the file with all the user logons to sks (ever I think).
It included Cook, and the moderators, maybe user level, gave privileges to see private forum stuff
the forums, just showed the name, email address, ip address of every private forum member making comments, every time they made a comment (no ‘deniers’ there !)
I think it’s worth noting Terry S’s response to Tom Curtis 5 points at BH was
I don’t know if in (2) Terry means the stuff in the .zip file at SkS or the stuff in the .zip file at the .ru site. Both were referred to in Tom Curtis’s (2). Though difficult to untangle now, my tentative interpretation is Tom was claiming the latter can’t be made from the former, but Terry S is saying it can. Not sure about that though.
http://www.bishop-hill.net/blog/2012/3/24/behind-the-scenes-at-skeptical-science.html?currentPage=3#comments
CO2 cannot cause any warming, full stop. It’s blatantly obvious at the base of the nominal troposphere of Uranus where there’s no CO2, no direct solar radiation and no surface, yet it’s hotter than Earth but nearly 30 times further from the Sun.
I just wanted to prove a point to Brandon.
It is interesting to me that John N-G has referred to SKS in a positive light. If I was a serious academic trying to take a reasonable stance on this great quagmire, I would not be associated with a bunch of guys publishing phony reports with Lewandowsky, dressing themselves (via photoshop) as Nazis, confusing “hack” with finding stuff on line, and most of all, doctoring posts and supplying corrupted quotes for lawsuits.
That Cook and gang are coming up with new excuses about a year after the fact, yet not one actual fact is changed, is also very interesting.
Curiouser and curiouser.
What is clear is that the insiders over there are not acting in the way that equates to good faith and high standards.
And the excuse that they have to act the way they do because of the wickedness of the skeptics is pitiful.
PopTech
What point? That you are not banned? You aren’t. I’ve told you that.
lucia, it’s from this exchange:
http://hiizuru.wordpress.com/2014/02/24/skeptical-science-hacked-or-just-a-hack/#comment-548
Poptech thinks making that comment and providing a link to it proves he can comment here via Tor/some other proxy. I have no idea why. There’s no way I could tell the difference between him using a proxy and not just by seeing a comment was posted.
🙂 Next installment in the series is up at SKS.
What’s a pseudo-skeptic? I’ve lost my secret decoder ring, is that the replacement term for denier?
Brandon,
The IP does not appear to have been Tor. I checked at https://exonerator.torproject.org/ .
It is true that some people can comment using some proxies. They can even be blocked based on some proxies used by common proxy services (e.g. “hide my ass” and such like). I’ve never claimed I’ve blocked all proxy IPs, only that one might have trouble connecting with a proxy IP because they do often get blocked. Based on reports at “stopforumspam”, he did appear to be using a somewhat spammy IP; it was server based. It may well have been a proxy.
My impression with previous “Poptech gripes” is he was annoyed that I sometimes did block proxies and so might have false positives– that is blocking “people” who might not be spammers. Is he now concerned that an actual person (him) was able to post a comment? Or what?
I’ve invited him to discuss his “concerns”, and also sometimes tried to explain my goal to him. But he doesn’t seem to want to actually discuss them. He seems to think he can “prove” stuff either by saying he was blocked or saying he was not blocked and that somehow that information alone is sufficient to mean…. something.
Anyway, I can’t begin to guess what he thinks ‘being able to comment using a proxy’ is supposed to “mean” other than: Yes. I have not blocked 100% of servers or proxies. I’ve never claimed otherwise; I suspect you would be unlikely to do so because … how would you know? And I think we all know you well enough to know that you would be unlikely to state with absolute certainty how a system you did not program and whose code you have not inspected– and which might have evolved over time– works!
Thanks Mark
Lots of stuff is still vague but this one at least has some meat in it– unlike the ridiculous part I. Assuming statements are true (e.g. this “francois” user was injected into the database, identifying an actual database) and so on, that does sound hack like. In contrast, previous claims just said… nothing…
On details: Still don’t know if it’s Tor or some other proxy. (Whether it was Tor makes no material difference in determining whether it is or is not a hack. Proxies can be cycled rapidly. But the Tor guys would care about that.)
Note btw: it has always been my position that it is ok to disseminate info from a “hack” or “phishing”. That was my position with climategate, Heartland and it is with SkS. But I have been interested in reading evidence that it is a hack.
It will be interesting to see if “The German” has an identity. Also: if he flubbed up, the Tor guys will be interested in how. Not getting caught in a hack is not an easy trick.
An interesting thing about 221.143.48.210 is that there is zero forum spam associated with it at http://www.stopforumspam.com/search. That’s unusual for a readily available proxy or anything used by Tor for any period of time. (Don’t know what that means…)
Other note: That IP 221.143.48.210 has visited my site at least once. At the time, the domain resolved to: 22114348215.tongkni.co.kr
And the “reason” for blocking it was
‘Your computer is infected with Trojan Downloader tencenttraveler . Go to http: / /www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back (UA-0005)’
So it tripped my filters— but based on IP and not based on my blocking that domain. I’ll interrogate my database of things I blocked to find dates after I take my sick, diabetic ailing cat to the vet!
Yeah. It’s an interesting read any way you slice it. The timestamps I think help with the suspension of disbelief.
Like all good stories though, there is that suspension of disbelief to get past. The thing that nags me (and I know this has already been mentioned) is the deal with the pseudo skeptics:
Okay, so I have to swallow several things here:
1 – There are pseudo skeptics in the private internal forum? Well, maybe not, maybe I’m misunderstanding that. Maybe the PS’s are just general users.
2 – But Bob knows who all the PS’s are? Well, I guess that’s possible, even though he mentions that he isn’t privy to all the information about all the other users in the first place, but maybe he’s astute enough to be able to pick the true believers from the infidels by looking through their comments.
3 – But the German knows who all the PS’s are, and protects their identities? This is getting to be a bit much. What did he do, use his Koch Brothers Matrix log in and type in ‘iddqd’ to get degreelessness mode and look up who the PS’s were? Clearly the German can’t be one person, he must be an intelligence organization? If he is one person, his vast and accurate ability to research obscure identities and their positions on climate change can only be exceeded by the gargantuan size of his hacker genitalia.
Still, I’ll say that it’s a good story.
Mark Bofill (#125432) –
Pardon me if this is a stupid question, but what’s a “pseudo-skeptic”?
Correction above: IPs in that range have tried to hit me. Turns out some tried to do weird things. More later.
HaroldW-
That’s what I was wondering. I guess it’s the current vogue term for denier?
OOooooh. I see now.
The missing piece to the story (maybe) is that Cook already has a table identifying the pseudo skeptics. Thus it was trivial for the German to cull them.
:> and I wasn’t even wearing my tin foil hat when I figured that out!
Am I having too much fun with this?
Isn’t it a far more important to understand why a group of narcissist disordered persons enjoy dressing up as SS nazi officers?
It was easy to understand when they dressed up as superheros, given their noble cause science defect… but war criminals?? GK
G. Karst,
Whatever may or may not be important, the issue of “Is this a hack or a leak” has been out there for a while. It appears the SkS is finally providing details that are germane to telling the difference. Previously, none were provided.
Alas, though the SkS fans may have enjoyed Part I, it was the sort of intro that, if done in a made-for-television movie, would likely have had the audience changing the channel for more interesting fare. But Part II seems to have some substance to it. Admittedly no actual “court room proof”. For example: they don’t say how they know the two files were uploaded and deleted– but these are things that– I think– at least can be detected under certain circumstances. So, I’m willing to believe they did detect them. More importantly: these are at least details that, if true, mean hack not leak, and they aren’t so vague as to be “that doesn’t mean anything”.
Or at least so it seems to me. It may turn out that someone like Brandon knows more. But it seems to me the injection of a “francois” in the database would be a bit more “hacklike”.
I’m waiting to see if they identified “The German”. People using proxies sometimes are over confident.
🙁
Well, I liked it.
Next you’re going to try to tell me the show ‘Comic Book Men’ stinks.
:p
This is a bit confusing so I’m just trying to keep the dates and times in order.
Relying on Bob’s AEDT timestamps…
February 21, 2012 — 6:52 AM AEDT — The German
“It was February 20, 8:52 PM CET, the local time in Germany, when The German, or so I’ll call him, first hacked his way into the Skeptical Science web site.”
February 23rd, 2012 — 2:08 AM
“— Opening the Forum. ”
Bob, “It was February 22nd, 4:08 PM in Germany when the hacker returned, two days after his initial hack. Tor rotated his IP address 22 times during the three hour incursion.”
February 23rd, 2012 — 4:36 AM
Bob, “At 4:36 he used a previously hacked ID, one that he’d given administrative capabilities, to give his new “francois” user the same capabilities.”
I guess this is the visit on the 21st.
23 Feb 2012, 9:07 AM
John, “Okay, Something very weird has just happened with forum”
He learns from Brian P that the forum is open to the public. Presumably he resets passwords at that time. Bob tells us that the site was open for about 4 hours. This fits the timeline.
23 Feb 2012, 12:33 PM AEDT
John writes, “Just got 334 400 emails now – each an attempt to hack SkS using SQL injection over a 4 minute period.”
The hacker enters the forum for three hours earlier in the day and then launches an SQL injection attack? Is the hacker trying to regain access because John had reset the passwords and secured the site?
24 Feb 2012, 5:36 AM
Bob, “If you haven’t already, immediately change all passwords (meaning the MySQL database passwords, root password, site access passwords, etc.)”
This is an important entry…
a) If John had already reset the user passwords then Bob would have known since he was able to log in and leave this comment.
b) Which suggests that the hacker still has access at the Admin level through the ID that he previously hacked and through the new ID (Francois) that he had created. Had John detected this unknown Francois with Admin access then he would have or should have realized that they had been hacked.
c) This also suggests that the SQL attack was unnecessary or unrelated.
24 Mar 2012, 1:06 AM
“SkS was hacked”
The SKS team realizes that their file has been leaked.
25 Mar 2012 14:43:59 (Time zone unknown)
Wayback machine takes a snapshot http://www.skepticalscience.com/logs/2012-03-21.zip
In the best case that the time is AEDT then this is 37:37:59 after they became aware of the hack.
As far as I can tell, Bob has not told us how the German gained access on the 21st of (edited) February or how the original ID (not Francois) was hacked.
So if I understand Bob’s story then it remains possible that the hacker found the zip file in the open log directory, found an unprotected password in that file and then gained access through that ID.
DGH,
Ok… yes, you have a point. I agree that we still need someone to state what was or was not in the zip file at http://skepticalscience.com/logs/ and to state that that file was NOT made by anyone at skeptical science.
This is discussing intrusions that look like hacking. But strictly speaking that doesn’t show WHAT they got… yet…
Testing to see if my IP is banned.
I’m looking at connections ZBBlock blocked at the blogs whose “killed_log.txt” file I monitor. (I snoop about 7 others in addition to mine.)
In 2012, “spambotsecurity” was hit by IPs in that range. Queries like this were coming through:
….blah/blah/viewtopic.php?f=9&t=542//arcade.php?phpbb_root_path=test??
(Note: these tend to get cleaned up by Zbblock before being listed as reasons. But this one is a malformed query as these shouldn’t have ?? at the end of them.)
Zap also blocked stuff that triggered these ‘reasons’
POST unescaped ( POST-010. POST unescaped ) POST-011. POST unescaped ' POST-013. POST unescaped ; POST-014. POST EX POST-015. POST BBCEX POST-032. Bot Detection, INSTA-BAN (IB-002). Injector. INSTA-BAN (IB-026). POST CLOAK POST-071. INSTA-BAN (IB-034). Heavy hit. INSTA-BAN.
(I’d have to look at the code to see what those are blocking, but it was stuff coming in through the $_POST variable.)
Of course, these are almost certainly unrelated to SkS– the only connection is that they use IPs on ‘tongkni.co.kr’ domains.
OK.. yeah. We need part III. After all: the forum leak contains files as late as March 22, right? I have those dates in whatever was sent to me by whoever sent it to me way back when. (I don’t even remember– but I didn’t download this myself.)
And in Part II we have on February 23rd, 2012
He seems to mostly have made the forum easy for people to poke around in without logging in, created a “francois” login and poked around visiting forum pages, and was particularly interested in those about the Gleick issue. Also he
But “directory listings” are rather undramatic things– it just tells you the name of the “folders” and “files”, not contents. And he evidently got “full logs directory”, which might be dramatic, but this sounds suspiciously like he got “http://skepticalscience.com/logs” which seems to have been public anyway. Either stuff is “in” there or stuff is not “in” there. And if stuff is “in” there and it’s public anyway… we still have the possibility that there was a hack and a leak!!
Right now it seems like “francois” was principally interested in reading whether there were any smoking gun admissions about Gleick on the SkS threads. Leaking the forum– maybe not so much.
Also: sounds like so far it’s beyond his pay grade to just download the database? We’ll see.
Looking more… Ok. Initially, I thought: OK. Created this “francois”– which at least would seem to be a hack. But is it the hack? So far nothing suggests “francois” got the database or database tables… right? (Well…. unless they are in http://skepticalscience.com/logs, and the ‘logs’ he downloaded are those logs. But that seems to be public w/o ‘hack’.)
So right now ‘francois’ doesn’t seem to have enough info to create the display that is in the ‘unauthorized disclosure’ of the private forum.
Hey, it’s not banned today. I get a dynamic IP address in a range, and part of that range is banned. It’s always a crap shoot whether I’ll be able to comment here directly or if I’ll have to route my post through something else.
Anyway, the recent post is… I don’t have the words. I wrote a post discussing some things I saw as I read through it, but I had to quit. As stupid as what I highlight in my post is, things are far, far worse.
In effect, we have conclusive proof Lacatena’s analysis is BS. I actually should have caught this when reading his first post. My only excuse is I was overwhelmed by the sheer amount of meaningless verbiage in that post.
I’ll be writing a post about this later today, but in the meantime, you can rest assured either someone from Skeptical Science (presumably John Cook) is being dishonest or is so incompetent it’s impossible to tell the difference.
Another thing occurs to me.
The hacker left the forum visible to the public on the way out of the site on the 23rd. That seems like it was his/her attempt
–
a) to expose the site to the public and
b) to let SKS know that he/she had gained entry.
–
I mean it was quite a hint and if he/she wanted to continue lurking wouldn’t the hacker have simply logged out?
The hacker had to assume that SKS would do some forensics and take some actions like those that Bob suggested, i.e. change all of the passwords, create log files and perhaps more. The hacker had to realize that visit could be the last one.
I’ll point out that this same sort of server technical ineptitude led to the “mole” postings pre-climategate, where CRU left files out in the open that had been requested by FOIA.
They were so inept that they believed the postings at CA and WUWT citing “the mole” were a real security breach from within.
See: http://wattsupwiththat.com/2009/07/26/deep-cool-the-mole-within-hadley-cru/
http://www.climateaudit.org/?p=6634
http://wattsupwiththat.com/2009/07/28/hadley-cru-discovers-the-mole/
the whole episode was a hoot, much like watching the SkS kidz scramble to explain their own incompetence with conspiracy theories like this most recent posting.
Lucia, “coy” isn’t really an apt description of the ineptitude on display. A better word or phrase is needed.
John cook in the forums, said he had tagged users as sceptics, or believers, lewandowsky was interested in user profiles. So easy to remove anybody with that tag..
Barry,
Oh, see! Here I was clowning as usual, trying to find something preposterous, paranoid sounding, and mildly amusing to spout, … and you confirm it.
~sigh~. I’m going to have to work on that. John Cook in reality is stranger than what I can come up with when I’m deliberately reaching for the bizarre.
Now we know for certain that Bob can make a short story very long. What else have we have learned?
1.
–
2. On 2/21/12 a person gained unauthorized access to their site using an admin account that was apparently authorized.
–
3. On 2/23/12 the person returned to the site, checked out the forums, downloaded some logs, and created another admin account named francois. During the visit he left a calling card – the forum was open to the public
–
4.
–
5. On 3/24/12 someone distributed the SKS forum database in a slightly rearranged format.
–
That’s it. Two long posts and that’s all we have learned. (Unless you count that the SKS server is subject to SQL injection attacks as new information.)
Now If Bob would simply fill in the blanks, 1 and 5, then we would know how a person gained entry the first time and how a person, presumably the same person, acquired the files between 3/22 and 3/24.
DGH
Other discussions suggest the only person who had an authorized admin account was John Cook.
They don’t tell us how the person gained access on 2/21/12. Did they just enter name/password at the login page?
No. Though it appears that in point “3” the person rapidly cycled through a lot of IPs. It’s not at all clear to me why a skilled hacker would bother. They are in. They have a secure IP (i.e. supposedly Tor). Why cycle? I’m not sure what the default for the Tor browser bundle is, but it seems to me more reasonable for it to change when you visit a new site rather than for individual visits at the same site.
Also, at the end of point “3” the person seems to have removed an ‘f2’ and ‘un’ file. If these were useful for downloading a database, why not leave them in place?
This person appears likely to be a hacker– which is nefarious. But it’s not at all clear he is the hacker who leaked or disclosed the files at Tom Nelson!
Anthony Watts, the first post was definitely “coy,” but this follow-up gives specific details. Those details, as they’re represented, would indicate Skeptical science was hacked.
That said, one key detail that has been repeated in both posts is unquestionably wrong. It is an outright fabrication. It is so obviously false anyone who had any idea what they were talking about would know it was false long before writing a post, much less a 2,500 word post.
I just opened a bottle of wine. I’m hoping it’ll help me relax so my next post isn’t just a string of sentences investigating how many different ways I can say, “You’re an idiot.” I may need to switch to something stronger.
Side note, I’ll hate you forever if you preempt me again lucia 😛
Brandon… Sorry. I just couldn’t help it. I couldn’t sleep. Part I was just sooooooo stooopid.
Brandon and Lucia – you’re both more knowledgeable than I regarding server security. I don’t understand why this second post gives any more weight to the hacking claim.
The intruder gained unauthorized access, perhaps that’s hacking. (And yes Rob Honeycutt I agree that’s bad.) But has SKS provided anything to suggest the “hacker” didn’t stumble over a file in the log directory and locate a password therein?
But… if it’s the same person, don’t we have info to suggest that people had changed passwords. So how did s/he get in again? That said: we don’t know how they got in in the first place. . .
DGH,
Relative to the other one, this one does say someone got in in some way that gave him the ability to assign user admin capabilities and also create a user and he did so:
It’s true that maybe SkS somehow has things so screwed up that someone could register and gain admin powers accidentally, but I doubt that. So, this does seem to amount to “hacking”. It’s not necessarily “skilled hacking”. It’s possible that some sort of “phishing” happened. It’s also possible that someone in IT at Cook’s employer saw the email, sent Cook a new password, used it and got in. We could debate whether that is “hacking”. But it’s certainly knowingly using credentials one knows are not their own, so … not just a “leak” of the sort that SkS would be trying to rebut.
If you are asking whether they showed *proof* that someone logged into the admin side: No. But at least this allegation if true sounds like some sort of “hack”– not just “came across a live link and clicked”.
We’re on the same page. Was this a skilled hack or was it a phish or was access gained through info left in the log directory? Bob hasn’t given us that detail.
Probably top secret.
Lucia says: “They don’t tell us how the person gained access on 2/21/12. Did they just enter name/password at the login page?”
Does anyone know what forum software they used? This whole thing may boil down to something as stupid as not changing the default administrator password used to set up the forum software.
For example, my neighbor’s WiFi router is still set to “admin” and “admin”, the default username and password.
My spidey sense gives me issue with the loitering reading articles about Gleick and running directory tree scans on a system where all the information is in the SQL database. Yes, if this magical “f2” program could scoop up the database credentials from the site’s main configuration file, that would be great for the hacker. That would be another poor configuration for that disaster of a site. (It would be funny if it is an Apache process numbered 242, in decimal, that he is chasing…anyhow)
But, ALL forums I have seen have a backup built into the maintenance portion of the admin’s portal. Not only that, import and export features are very common today. If you can get access to the Backup or Export feature, do it and read about Gleick later.
How the hacker could put a process or program called “f2” on an Apache webserver; that was not already there, without site FTP access is beyond me. Based on Bob’s description, not likely at all.
As Brandon_S points out (and it was the first thing that jumped out at me), there is incredible SQL ignorance on Bob’s part in thinking that it is difficult to query and match up the “real names” and the posts. But if Brandon is right and these were dumped as CSV, they were simply pasted in a spreadsheet.
Without any hard evidence of produced logs, this is all a colossal waste of time speculating and Bob’s story is even worse.
Hey guys. My latest post is up. It’s a surprisingly tame response to Skeptical Science’s two-year narrative about the hack. I think the large amount of alcohol helped:
http://rankexploits.com/musings/2014/sks-non-revelations-about-their-hack-part-i/#comment-125501
(Of course, I may feel otherwise once I’m sober.)
isn’t the sks forum software ‘custom’ – self created..
Barry Woods,
I think it’s custom– though they may have started with something open source. Doing so would make some sense.
That it is or may be custom is why I didn’t immediately say that the need to use multiple databases to put user IP, email and name info in with a comment was bogus. It would be bogus with the two off-the-shelf forum packages I’ve used, it would be bogus with WordPress and I suspect it would be bogus with most software. Because most store all this stuff together in 1 database and they do so because that’s both the easiest way to write it (just use 1 simple query to write to the database) and the easiest way to pull it out if you want to do various inspections for “spam”, “trolls”, “suspicious insertions” etc.
But here we have another issue that is key.
Brandon has pointed out that the IPs with the comments are all different. There isn’t just one IP for each user. It’s unlikely their “system” would have different IPs for different users if they didn’t record the IP with each comment in the database. (That is a totally normal, standard, common thing to do in most forum software. The IP is normally not displayed to visitors — but it’s stored. FWIW: I’ve been to forums where they display the IP. It’s a choice for the theme designer creating the “front end”.)
This strongly suggests their database is organized the way almost all forum databases are organized: With IP, email, name etc stored together with each comment.
Unless SkS came up with the most weird-ass, strangely organized, hard-to-use database in the world, whose organization was both mystifying– and frankly– bad, the claim that a hacker had to make “multiple databases” calls to put the email/IP combination with each comment is utterly bogus.
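To illustrate the point made in this comment, an added example (not SkS’s own schema, which is custom and not public): a conventional forum layout in SQLite, where the comments table carries the IP recorded at posting time, so a single JOIN yields the per-comment name/email/IP view and shows one user appearing with several IPs. The schema and every row are constructed sample data.

```python
"""One-query reconstruction of name/email/IP per comment from a conventional forum schema.

Added illustration; this is not Skeptical Science's schema. It assumes the
layout most forum software uses: a users table plus a comments table whose
rows store the poster's user_id and the IP seen when that comment was posted.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    user_id    INTEGER PRIMARY KEY,
    username   TEXT NOT NULL,
    email      TEXT NOT NULL
);
CREATE TABLE comments (
    comment_id INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES users(user_id),
    thread     TEXT NOT NULL,
    posted_at  TEXT NOT NULL,   -- ISO-8601, UTC
    ip_address TEXT NOT NULL,   -- recorded per comment, not per user
    body       TEXT NOT NULL
);
"""

# Constructed sample rows: placeholder names, reserved example addresses, documentation IPs.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
]
SAMPLE_COMMENTS = [
    (1, 1, "thread-a", "2012-02-20T10:00:00Z", "192.0.2.10", "first post"),
    (2, 1, "thread-a", "2012-02-21T09:30:00Z", "198.51.100.7", "same user, different network"),
    (3, 2, "thread-b", "2012-02-21T11:15:00Z", "203.0.113.5", "hello"),
]

# The single query that attaches identity and IP to every comment.
PER_COMMENT_VIEW = """
SELECT c.comment_id, u.username, u.email, c.ip_address, c.posted_at, c.thread
FROM comments AS c
JOIN users AS u ON u.user_id = c.user_id
ORDER BY c.comment_id
"""


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_COMMENTS)
    conn.commit()
    return conn


def per_comment_identity(conn):
    """Return (comment_id, username, email, ip, posted_at, thread) for every comment."""
    return conn.execute(PER_COMMENT_VIEW).fetchall()


def ips_per_user(conn):
    """Map username -> sorted distinct IPs; one user can legitimately have several."""
    rows = conn.execute(
        "SELECT u.username, c.ip_address FROM comments c JOIN users u ON u.user_id = c.user_id"
    ).fetchall()
    seen = {}
    for username, ip in rows:
        seen.setdefault(username, set()).add(ip)
    return {name: sorted(ips) for name, ips in seen.items()}


if __name__ == "__main__":
    db = build_sample_db()
    for row in per_comment_identity(db):
        print(row)
    print(ips_per_user(db))
```

The practical consequence for anyone running a forum is that a dump of this one database already contains the full identity/IP pairing for every comment, which is why backups of it must never sit in a served directory.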
intrepid_waters:
Have you ever visited a site like “flickr” that has an “upload image” feature? It lets you browse your machine and upload an image. When you use that, you upload. I’m not sure if one would call that “using ftp” but I think generally it’s not considered “using ftp”. (Perhaps Brandon can correct me as I could be mistaken.)
Uploading images to my server can be accomplished on the “admin” side of wordpress without forcing the user to enter any ftp user name or password. In any case, I think the claim is “francois” did something like use an upload feature that is available to either (a) logged in users or (b) administrators only.
FWIW: Letting users upload is a rather well known security danger that must be thought about carefully. Many hackers try to upload programs by exploiting wordpress plugins. The same happens at forums. Google timthumb.
(opinion) Regarding FTP, when it’s all caps like that it’s a very specific thing, File Transfer Protocol (RFC 959). In this day and age there are many other file transfer mechanisms in use, I don’t know but maybe people sloppily refer to some of those others as ftp in some cases?
Brandon –
I don’t know how you had the patience and stamina to read and understand those 6 paragraphs of Bob’s first chapter. When the forensics of the hack turned to the color of the tables my eyes glazed over. Thanks for taking the time to decipher and explain all of this IP business.
Of course it is standard fare to store the user’s IP with each comment that is posted. Bob should know that many of the people who are reading and critiquing his posts are also bloggers and will have admin experience. As you’ve noted, either he doesn’t know what he’s talking about or he thinks that his readers don’t.
Mark Bofill,
Yes. On twitter, with its 140 characters, some of which were used to copy several user names, intrepid_waters seemed to be concluding that Bob Lacatana said “francois” used “FTP”. I said no, Bob did not say that. Then…. intrepid_waters tried to get more info, which suggested he thought if FTP was “a” way to upload/download, then the fact of uploading/downloading was “the” way Bob was suggesting. I told him it is not the only way and to come here where we can use more than 140 characters.
The fact is: FTP is not the only way to upload/download files. And in particular, once he’s on the ‘admin’ side of many forum or blogging platforms, a person can generally upload using methods other than FTP. Some systems even give uploading-by-methods-other-than-FTP functionality to people who merely visit a site. And all Bob Lacatana said is Francois (a) got into the admin side and (b) uploaded ‘f2’. Bob has not given any more details, and we can’t really infer that ‘francois’ used FTP.
Lucia,
Agreed.
Earlier you asked:
I know nothing about Tor, so I presume this isn’t normal behavior. If it is indeed ~not~ default / normal behavior, it’s a dumb thing for a hacker to do in that it would needlessly draw attention to his/her activities.
But regarding this,
I imagine if the hacker believes his/her activities have not been detected, leaving programs lying around could alert an administrator that somebody’s in there.
On a different note, how common are SQL injection attacks, anyway?
Mark Bofill,
Fairly common, though less so over time. The reason they were once quite common is that many software platforms didn’t properly sanitize input. Same with plugins. These software platforms are popular with ‘hobbyists’ whose motivation is merely to write their thoughts in public and have discussions with others; often they don’t watch out for news of releases, don’t update, and in the past, updating was sometimes onerous.
And quality control was not so great, especially for plugins written by plugin writers who learn some php and are even good at it, but are simply unaware of the dangers of SQL injection. So… lots of holes existed. Those who wanted to exploit them shared knowledge of potential exploits and wrote bots to go around trying to do whatever they can do. To the extent that exploits based on SQL injection existed, bots were programmed to try that.
Many of those involved in open source software have become more aware of the need to sanitize data, and even the need to check plugins and extensions to ensure those sanitize data. So I expect there are fewer vulnerabilities and consequently, fewer attacks.
But beyond that: I think even the attackers (or their off the shelf programs) are getting ‘smarter’. I see lots of “fingerprinting”. It’s much smarter to “fingerprint” first, find a plugin or module and then write an SQL attack that succeeds rather than just fling out SQL attacks hoping one will “work”. (Fingerprinting is a PITA for shared hosting when one runs dynamic content. Not so much because of the security issue as the server load that can occur if the ‘guess’ triggers WordPress to launch the entire beast that is the WordPress script. It’s tantamount to a DoS attack even if that is not the intention of the script writer– in fact, crashing the server can thwart their actual mission which is to hack in!)
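The two points made above, that forum software stores name, email and IP together with each comment and that unsanitized input is what made SQL injection common, are shown here in one added example. It is not code from the thread or from any forum platform it mentions; the schema, sample rows and function names are constructed for illustration.

```python
"""Added example (not from the thread or from any forum software it mentions):
a single forum `comments` table that stores name, email and IP alongside each
comment, queried once with string concatenation (injectable) and once with a
parameterised query. Schema and sample rows are constructed for illustration."""
import sqlite3

# Constructed sample data: three comments from two users, each row carrying
# the poster's name, e-mail and IP, the layout the thread says is typical.
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid", "203.0.113.5", "first post"),
    ("alice", "alice@example.invalid", "198.51.100.7", "posting from home"),
    ("bob", "bob@example.invalid", "192.0.2.44", "hello"),
]


def build_db():
    """Create an in-memory forum database with one comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " email TEXT NOT NULL,"
        " ip TEXT NOT NULL,"
        " body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO comments (username, email, ip, body) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def comments_with_ip(conn, username):
    """One query returns each comment with its own e-mail and IP; no second
    database is needed, and the same user can appear with different IPs."""
    cur = conn.execute(
        "SELECT body, email, ip FROM comments WHERE username = ? ORDER BY id",
        (username,),
    )
    return cur.fetchall()


def search_vulnerable(conn, username):
    """The kind of code the thread blames: the value is pasted into the SQL
    string, so a crafted username changes the query instead of being data."""
    sql = "SELECT username, body FROM comments WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def search_safe(conn, username):
    """Same lookup with a bound parameter: the driver passes the value out of
    band, so quotes and keywords inside it are never parsed as SQL."""
    return conn.execute(
        "SELECT username, body FROM comments WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(comments_with_ip(db, "alice"))
    # A tautology in the WHERE clause makes the vulnerable version dump
    # every user's rows; the safe version matches nothing for that input.
    probe = "nobody' OR '1'='1"
    print(len(search_vulnerable(db, probe)), len(search_safe(db, probe)))
```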
Thanks Lucia. I’m not convinced the SQL attack and the alleged hack were related, although it’s certainly possible.
Mark Bofill,
They may have been related, but I’m not convinced they were related based on info in Part I and Part II. Maybe part II?
If the behavior of “francois” was observed it appears they did get hacked by someone a month before the release of files. That’s a bad thing– all hacking is a bad thing. And it’s just as bad if it happens to SkS as when it happened to JoNova, Keith Kloor and any number of other blogs that have been hacked. (My knitting blog was hacked long ago. So, this happens. It’s bad. )
But we know the released files contain data added to the database at least a month after this ‘francois’ got in.
Also: the more I read the post, the less convinced I am that “francois” was focused on anything in particular and not just some sort of ‘bot’ following referrers someone might post on the web. For example, initially, I thought: “Oh. It’s looking at Gleick posts. That suggests ‘interest’ which is what we might expect of a human.” But later on I came to think: What if the forum just shows some sort of data or recent posts thingie, as is normal at a forum. Might that not just show that a bot was programmed to follow links that show? If someone said the loading was too slow to be a bot.. well… no. Bots can be programmed to mimic that, and worse, if it was Tor it would be slow. That’s why many black hat sites tell people not to use Tor but to use other things instead. (I have no idea if using something else is safe enough. But Tor is slow.)
So really, I’m at a loss here. I think Bob’s attempt to make the prose “exciting” makes it a bit difficult to put together the factual bits, but right now, it looks like we still don’t know if these files came from a hack or if SkS might not have experienced a hack and a leak in unrelated events. Oh. Well….
mmm.
I missed that.
The key point is that unless you are just attacking the site with media, you can not upload anything of consequence to the web server.
http://i.imgur.com/jfCzeKz.png
Now, you could install a media manager plugin, but the top level folder stays in Media, and you can only move things around.
http://i.imgur.com/ImLdgzc.png
You could upload a document with a malicious macro, but that is why you do not have such applications on the server.
I must still insist that without FTP, running amok on a web server is quite difficult. Export, yes. Import and trash that site, yes. Run “f2” from a forum with admin credentials, not easy.
intrepid_waters,
First: you are showing links to what you can upload today using the installation of wordpress available to you. There are at least 3 issues here:
1) The fact that you can’t do something with wordpress doesn’t mean it cannot be done using a different CMS.
2) The fact that it cannot be done using a current installation of wordpress doesn’t mean it can’t be done using a different installation. The upload functionality in wordpress has evolved over time. In early days, you could upload nearly anything: zip, .txt, .php and so on. ‘.php’ tends to be the most problematic. Permitting a huge number of extensions was found to be a security hole, and WordPress ended up coding to limit the number of possible things that can be easily uploaded using the ‘admin’ panel.
3) The SkS forum is probably not hosted using wordpress which is a blogging platform. So limitations from wordpress are unlikely to tell you limitations in another platform.
It’s possible to include php in an image file. You can read about a successful attack here:
http://www.pcworld.com/article/185352/article.html
This means if someone can upload a script, they can upload an executable. What that executable does will depend on what is coded inside the image. I have no idea how this stuff is hidden in the image, but evidently it can be done.
FTP need not be involved.
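One way a CMS can defend the upload path described above, written as an added example that is not code from the thread, WordPress or any forum software: an extension allow-list, a magic-byte check so the content matches the claimed type, and a scan for PHP open tags hidden inside image bytes. Function names and the sample payloads are constructed for illustration.

```python
"""Added example (not code from the thread, WordPress or any forum software):
a defensive check for an image-upload handler. It allow-lists extensions,
verifies the file's magic bytes match the claimed type, and rejects image
files that also carry PHP tags. Names and sample payloads are constructed."""
import os
import re

# Extension allow-list with the leading bytes each format must start with.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",  # covers both GIF87a and GIF89a
}

# Inner extensions that signal a double-extension name such as shell.php.png.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar"}

# PHP open tags. Sites with short_open_tag enabled should also treat a bare
# "<?" as suspicious; it is left out here to limit false positives on binary.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_upload(filename, data):
    """Return (accepted, reason). Accept only when every check passes."""
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in IMAGE_SIGNATURES:
        return False, "extension %r not in allow-list" % ext
    inner = os.path.splitext(base)[1].lower()
    if inner in SCRIPT_EXTENSIONS:
        return False, "double extension %r%s" % (inner, ext)
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match %s signature" % ext
    if PHP_TAG.search(data):
        return False, "PHP tag embedded in image data"
    return True, "ok"


# Constructed payloads for the self-test; none is a real image or exploit.
CLEAN_PNG = IMAGE_SIGNATURES[".png"] + b"\x00" * 16
TROJAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"<?php /* code omitted */ ?>"

if __name__ == "__main__":
    for name, blob in [("photo.png", CLEAN_PNG), ("avatar.gif", TROJAN_GIF),
                       ("shell.php.png", CLEAN_PNG), ("fake.png", b"<?php ?>")]:
        print(name, check_upload(name, blob))
```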
Very true. The point of the exercise is that a properly coded CMS is quite restrictive in what is uploaded, even to the CMS ‘admin’. But, alas nothing is invulnerable.
It all comes back to what we agree on and that would be the Bob tale has some irregularities. Mine really revolves around why ‘the hacker’ trolled for a directory structure when most of the info is in the database. Who knows, maybe ‘the hacker’ had “root”.
intrepid_waters,
It’s hard to guess “francois’s” motives for getting the directory structure when we don’t even know who ‘francois’ is. Unless that’s revealed in Part III or … Part 1,038,572,043…. we won’t know why he went for a directory listing.
Rob Honeycutt at 08:53 AM on 28 February, 2014
“…As well, no one that I know of has ever condoned Gleick’s actions….”
Rob Honeycutt at 09:41 AM on 28 February, 2014
“…There are certainly people out there who condone Peter’s actions…”
From skepticalscience.com/news.php?n=2422 -l
Both Rob Honeycutt and Andy Skuce provide a link to a Guardian article which quotes Scott Mandia,
“Heartland has been subverting well-understood science for years,” wrote Scott Mandia, co-founder of the climate science rapid response team. “They also subvert the education of our schoolchildren by trying to ‘teach the controversy’ where none exists.”
Mandia went on: “Peter Gleick, a scientist who is also a journalist, just used the same tricks that any investigative reporter uses to uncover the truth. He is the hero and Heartland remains the villain. He will have many people lining up to support him.”
Re: DGH (Feb 28 06:28),
So creating fake documents is uncovering the truth. That’s an interesting definition of truth.
DGH,
I think the funnier Tom Honeycutt comment happens when he becomes irate at Russ for bringing up Heartland.
http://www.skepticalscience.com/news.php?n=2422
Uhhmmm… maybe Honeycutt would have a point, but the main post by Lacatana discusses Heartland.
If Lacatana is going to bring up Heartland in the main post, it’s rather odd to decree that Heartland can’t be discussed in the comments. If Lacatana is going to suggest that “pseudo-skeptics” are somehow hypocritical, then it’s fair for others to point out that SkS itself has been happy enough to post Heartland material both when it is alleged stolen and after it is proven stolen, but posits all sorts of reasons why it’s immoral for others to post CRU or SkS material which is alleged stolen.
As for hypocrisy: I think I and many others SkS might deem “pseudo-skeptics” can easily defend ourselves against that attack. I think it’s ok to post any and all of these materials. My rule is the same for SkS, Heartland, CRU and etc. Same with other leaks outside climate change. My rule is no different from major American newspapers and is not hypocritical.
Note: Tom Curtis writes
I agree with Curtis that one should “Personally, I believe that neither attitude is correct. Indeed, given that SkS has frequently moderated posts to delete links to either the UEA emails (I believe), or to draft versions of IPCC AR5 on the grounds that the information was obtained unethically, I think SkS as a matter of consistency should not link the Heartland Institute documents and would say: “I think [anyone] as a matter of consistency should not link the Heartland Institute documents [ or implement ] moderation policy to allow links to hacked or unethically leaked material that we consider unethically obtained, and/or published. ”
However, I would note that I think the latter policy is vastly better morally and ethically than the former. I think transparency is best. That way people are empowered to form their own judgements rather than trying to have some paternalistic system where information is suppressed. My method seems to be widely followed by American newspapers and news outlets. Some may not like it, but I think the alternative of everyone pretending we don’t know things is silly and counter productive. I also see no moral or ethical advantage to it.
Skuce is funny too
First: We don’t know if the person who got the SkS files was a hacker. SkS still has not provided information to connect the two. Maybe Part III.
Second: The alleged hacker (who may be a leaker) did “say” what happened. They left a note at Tom Nelsons. It might turn out to be the truth or it might be a lie. We don’t know yet. And we don’t know even if everyone inside SkS’s internal circle knows because SkS has not revealed the smoking gun. Maybe they have it– but they have not revealed it.
But beyond that: Assuming they are a hacker, of course they aren’t coming forward. If they hacked in to gain authorized access they committed a crime. And they have not yet been caught. The reason that Gleick is known is that he was identified by others (especially Steve Mosher). He was caught dead to rights. Initially, he tried to brazen it out, but eventually he admitted what he did, and after he was caught he said he knew what he did was wrong. This all happened relatively quickly– but it’s still the order in which things occurred.
Perhaps, if the SkS files were “hacked” rather than “leaked”, we will eventually discover who did it. And perhaps, if we discover who they are, they will admit they know hacking in was wrong. (Or maybe they will say they think it was right. Or maybe they will talk out of two sides of their mouths and say they knew the hacking was wrong, but we’ve learned important useful stuff as a result of it. Who the heck knows.)
But right now they have not been caught. So of course they are not stepping forward and saying they knew what they did was wrong. Because doing so would result in being caught and– quite likely– punished for computer crimes. The penalties for that are severe.
Quite likely Gleick would not have “stepped forward” (if one wants to use terms that spin his actions as noble) to say what he did was wrong had he not been caught.
Lucia,
Yes, I thought that too. It sort of diminishes the virtue, somehow. :>
I wasn’t going to go there (discussing the comments) but since it’s come up, it’s funny that they complain that nobody comes to discuss over there and then, no sooner does somebody show up to talk, Rob tries to banish him to another thread. It’s a real enigma why the breezes don’t blow there, seeing what a conducive environment for discussion they’ve got going.
Maybe I’m wrong. Maybe nobody wants to comment there because they’re afraid of the German getting their personal information.
I was curious about something so I fired up the Tor Browser bundle and verified that one can surf SkS using Tor.
It’s funny. I’ve been sitting here writing a similar comment but I didn’t want to preach. Your style is much better.
Regarding the policy, I would only point out that it’s easy to remain consistent – post everything or nothing – as long as you have only seen the goose getting sauce. When the gander’s turn comes around it gets easier to rationalize that the sauce ought to be quite different. The feeling of victimization probably affects the decision making. Even after 4 years of commenting on Climategate, I know I would squawk if somebody distributed my emails around the world.
It’s good of Tom Curtis to be pointing out their policy contradiction. I hope they’ll (finally) act on his advice.
DGH
Sure. But the snide-whiney bits in Lacatana and Honeycutt’s stuff suggest they don’t even see how unpersuasive their attempts at “ethical” arguments are if it really does come down to,
“By definition, we are the good guys and they are the bad side. So when ‘our’ guy steals info, it’s for the greater good. When their side does, it’s nasty, sniveling thievery.”
And then, the rest of the argument seems to be about how it’s bad for the “other” side to make the exact same argument but merely switching the role of the “good” guys.
Tom Curtis is at least consistent: He thinks if you think disseminating is unethical, you hold both yourselves and others to that. If you think it’s ok, you get to disseminate, but you can’t complain that others do too. I happen to think dissemination is fine. Would I be grumpy if ‘my’ stuff got hacked? Of. Course. Maybe I’d even say we don’t discuss that at “my” place because it makes me grumpy. But that wouldn’t be a rule based on any ethical principle other than “my house, my rules (no matter how arbitrary)”. But “don’t do things that make lucia grumpy” is not an ethical principle that can be applied to behavior all around the world.
Part III is up, but it does not appear to be the final installment.
Seriously, how does Bob know all these details after the fact when they were oblivious at the time? Do blogs keep something like wireshark running on a machine in the corner and just store the packets for future reference?
I think he is saying…
a) they put the log file with passwords into an open directory
b) Francois found the file
c) then logged in as an admin using one of those passwords
d) then downloaded the database
e) then used subsequent log files and database connections to keep his copy current
Had he gotten every log file he wouldn’t even need to log back in. Just run the commands and his copy would be up to date. I have to think about these programs he’s uploading.
Whether they were oblivious all the time depends on what you mean by all the time. Humans were not aware that this guy was getting unauthorized passwords, logging in as admin, installing/deleting files and eventually downloading the database.
But if the files in /logs/ were every database query submitted and if all the server logs were saved, they would be able to discover stuff after the fact. It may be that SkS have known much of this for nearly two years (all after the leak) but they are only telling us now.
Why now? I don’t know. Maybe they caught “The German”? After all, there must be a reason Bob is writing now.
Anyway: The article has a bunch of silly claims surrounding the few important ones. Like– it would be hard to guess names of files. Uhhmmm… no. One could guess dates — like the record from 2010 in the wayback. If one saw the Wayback, it would be easy to guess that filenames correspond to dates. One might definitely guess ‘.zip’ if one had already seen .txt. My apache logs get zipped after a few days, then deleted (at least from my view. Maybe Dreamhost keeps them. I don’t know.) So this is a common convention– and so pretty easy to guess. Sort of like dictionary attacks guessing passwords like “123456” or “password”.
Lucia,
hmm. So it was all right there in the logs, just nobody was checking. I also have to believe that for whatever reason the German didn’t cover his tracks in the logs, even though he was clearly pretty intimate with at least the SQL log.
Well, stuff happens, maybe.
Anyway, although the post is disorganized in spitting out this info, this is relevant.
1) According to Bob, http://www.skepticalscience.com/logs/2012-03-21.zip was a log file of SQL queries.
2) and “Then he downloaded the zipped database,”
With regard to (1) this is the first direct statement relating to the actual contents of the specifically relevant file (http://www.skepticalscience.com/logs/2012-03-21.zip) I have read. That is: it makes a claim for what was in them. As such, at least hypothetically one might be able to test the claim.
With regard to (2) it’s the first direct statement that this particular intruder downloaded the database from inside the ‘admin’ area which he’d penetrated by using stolen credentials from the log of SQL queries.
If both (1) and (2) are true, this would mean it’s a hack and not a leak.
Other window dressing is funny. After all: The Wayback machine recorded a file stored in /logs/ in 2010, so we know John was making some sort of dated logs 2 years ago– not just ‘months’ ago. And we know that the Wayback machine could visit that directory back in 2010– and in 2012. And we know that the naming convention for logs files was easy to figure out– it was recorded by the Wayback.
And it’s funny that John Cook was silly enough to store raw database queries in the file. You can’t recreate the whole database from that, but if it’s all the queries (and it seems to be whoppin’ big) you can recreate an awful lot. And if someone found it (which might not have been at all difficult) it could present quite a temptation.
That “anonymous” mocked “Gleick” “stepping forward” after he was “caught” is a touch either a hacker or leaker would make. But it does suggest that if it was a hacker, he did craft his message at Tom Nelson’s to parody “Gleick’s” various announcements and behavior after getting caught. That doesn’t forgive the leaking…. but maybe anonymous thought it would be fun to include these “Gleick-isms”. Who knows.
Still: looks like a hack. Maybe part IV will reveal who the guy is. If found, he’ll be culpable– just like Gleick. Maybe we’ll learn more.
Perhaps his U1 program was designed to cleanse the log file?
On this
I wonder why he didn’t release more? Why not recreate the full non-secret database too? With deleted comments etc?
I guess if he’s caught, (and then, “gleick-like” steps forward after being caught) we’ll learn.
DGH
I think it’s to download the zipped database
It might also zip it in the first place. But the way it read, he may have found where on the machine the zip backup exists and downloaded it.
The narrative suggests he might have learned where the back up was on his first intrusion when he created a directory listing. Having created that, he wrote a script to download the directory listing. For some reason, it didn’t work the first time around, so he modified and finally got it to work.
That would indicate some programming skillzzzzzz. Not necessarily major because he had the help of the “logs” directory, but not “no programming skillzzzz”.
DGH,
Well, according to Bob,
U1 grabs the DB, U2 erases U1 and U2.
Maybe U2 was supposed to hide his tracks in the log but failed somehow.
Oh snap…. I’m now puzzled
The log files contained portions of the database?!!!!
I’d thought they were the queries? That is
I wonder what the hell was in there? SQL queries are not “portions of the database”. They are queries. Of course, if they are ‘insert’ or ‘update’ they might carry information that was submitted to the database….
I’m also wondering if they logged the SQL queries, or rather if they logged all $_POST and $_QUERY variables passed in requests? $_POST could easily contain unencrypted passwords.
Guys: I’m figuring Part IV finally tells us who “The German” is or who he is alleged to be.
Yeah, I’m hazy on that too now.
So…
1. everything he got, (forums, etc.) was in the database.
2. the injection log has everything you need to update the prior version of the DB (just before the log was started I guess) up to the current DB.
This seems consistent with this
(emphasis added)
I think this post should be updated to show that Parts II and III are out, and I think they do indeed give a lot more detail. I’m enjoying the ethics discussion in the comments.
I doubt they’ll be able to identify “the German”; according to the stories he is seems to be an accomplished hacker and not a climate scientist.
I’m unwilling to put any quatloos down on the question about how the story with the German ends at this time. But I’m stingy with my quatloos…
Mark
I think downloading the full database is all he needs to have the current database. To construct the “enhanced” forum, all he needs is the database. To have a full list of usernames and passwords, all he needs is the database.
I think the visits to the injection log file are to obtain new passwords/usernames to log in as admin and required if the admin changes his password.
Depending on what they put in what they call an SQLI ‘log’ table, they are likely to have new passwords/usernames entered by visitors. This would generally include the admin.
That’s all I can untangle from that.
MikeR,
It’s difficult to hack and not get caught if someone is motivated to find you. Many hackers don’t get caught because it’s not worth trying to find them.
I’m suspecting he’s called “The German” for a reason. They either have caught a German, or think they’ve caught a German, or the person has some sort of association with being German.
Yes. I remember having a discussion with a peer ~way back~ in my school days about this. His thinking was that you wanted to avoid hacking government sites, because the government could arbitrarily burn huge resources tracking you down, whereas businesses had to worry about a bottom line.
… Not that I was ever a hacker or anything like that.
I’m not even German!
Lucia,
You wrote,
“The log files contained portions of the database?!!!!”
and
“I think the visits to the injection log file are to obtain new passwords/usernames to log in as admin and required if the admin changes his password.”
Bob wrote, “Because the file contained every SQL statement from a given day”
Each daily log file contains all of the changes for that day – new messages, new threads, new users, deleted users, etc. But only that day’s portion. With a copy of the database and all of the daily files thereafter you get a complete forum.
The risk is that there’s a configuration change made in the master copy that isn’t managed via SQL transactions. If you missed one then your updates might run into problems. So you’d want to check back in from time to time.
Can we go back to the issue of unlinked public pages being hidden?
Bob wrote, “There were still no links to forum, so if you didn’t log in with an contributor level ID, you wouldn’t know the forum existed.”
Uhhh, Bob. Well, I have a bit of news, Bob.
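The risk DGH describes, a daily file holding every SQL statement and therefore every password, email and IP those statements carried, is what a query logger should avoid. Here is an added example (not code from the thread or from Skeptical Science) of a logger that strips literal values before writing, so the log keeps the shape of each query but not its data; the sample statements and names are constructed.

```python
"""Added example (not code from the thread or from Skeptical Science): a
query-logging helper that strips literal values before writing, so a daily
log of every SQL statement records the shape of each query but not the
passwords, e-mails or IPs it carried. Names and samples are constructed."""
import re

# A single-quoted SQL string literal, allowing the '' escape inside it.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
# A bare number that is not part of an identifier such as table2 or v1.0.
NUMBER_LITERAL = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])")


def redact_sql(statement):
    """Replace every literal with ? so the logged line carries no data.
    Strings go first so digits inside them never survive as numbers."""
    statement = STRING_LITERAL.sub("?", statement)
    return NUMBER_LITERAL.sub("?", statement)


class QueryLog:
    """Collects redacted statements. A real deployment would append them to
    a file outside the web root; a URL-addressable /logs/ directory is what
    the thread says exposed the original log."""

    def __init__(self):
        self.lines = []

    def record(self, statement):
        line = redact_sql(statement.strip())
        self.lines.append(line)
        return line


# Constructed statements of the kind a forum issues; none is real data.
SAMPLE_STATEMENTS = [
    "UPDATE users SET password = 'hunter2' WHERE id = 7",
    "INSERT INTO comments (username, email, ip, body) "
    "VALUES ('alice', 'alice@example.invalid', '203.0.113.5', 'it''s fine')",
]

if __name__ == "__main__":
    log = QueryLog()
    for stmt in SAMPLE_STATEMENTS:
        print(log.record(stmt))
```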
Mark Bofill,
I’m not sure the government would always track you down. But they do have huge resources, and penalties might be higher when they track you. I think generally, hacking bloggers is low hanging fruit. Most are hobbyists, have no resources and… well.. it’s a bit like trespassing in someone’s rarely used fishing hut. The person who owns it rarely visits, they won’t notice, they won’t have cameras and so on. If you don’t take much of anything, they won’t devote their lives to nailing you to the wall.
But here, hacking SkS was very embarrassing to them. So, I’m sure they want to get this “The German”. Can’t say I blame them.
Does the news involve the sophisticated technique of “seeing referrers in one’s logs”?
Yeah something like that…
https://web.archive.org/web/20100906223559/http://www.skepticalscience.com/forum.php
They had a regular visitor that was taking notice.
I was thinking more that when they inserted links in comments, people clicked them. Then their browser’s referrer told the destination site where they came from. This is very common.
lucia, it’s not really true that it’s difficult to avoid getting caught, regardless of how motivated people may be to catch you. Unless law enforcement gets involved, or the victim has some way to force cooperation from ISPs, it’s easy to avoid being caught. It’s certainly easier than performing the actual hack.
Brandon,
Well, we’ll see if they get this guy personally. The thing is here, SkS were suspecting something before the leak, and they had some stuff in place to try to detect traces.
We’ll see what he did.
I do wish they’d list IP addresses. I’m perfectly willing to believe someone used Tor. But the only IP they listed was not Tor.
Of course you’re correct. It’s been some time since I had to review those logs.
How would that appear in your log if the link was embedded in a .php page? Would you see the NAME.php?
Also, if the forum page had a name other than forum.php (which I assume was the case) then you still wouldn’t know about the login page. But you would have a pretty big hint, especially since they use very descriptive names.
DGH–
Yes. The referrers are set by the browsers and ordinarily, the referrer you would leave just looks the way the uri looks in your address bar in the site you visited before you came here.
Other things that can happen: If they embed an image in their forum, the image leaves a referrer when someone views that comment. Same for .pdfs or anything they embed. This can be overridden somewhat. But if someone is not very, very careful, it’s difficult to keep a forum secret because something will trigger a referrer.
doug_bostrom at Skeptical Science has a hilarious comment about the Peter Gleik comparison. The best part is:
Does that mean Skeptical Science was hacked by “a common thief”?
Brandon,
I saw that. It’s true that comparing people who steal information through various confidence tricks to “common thieves” may require some discussion of how one defines “thief” and what sorts of things one believes can be “stolen”.
I would suggest that if “The German” is identified and all the specific things are discussed, we will get to the point where both “The German” and “Gleick” are more or less ethically on par. Distinctions like “computer vs phone” and “over the network vs. mail”, “paper vs. electronic” and etc. don’t really change the ethics of intentionally taking steps to obtain information one knew was intended to be kept private and disseminating it. That Gleick acted over the course of something like days while “The German” may have acted over months isn’t a material difference.
That Gleick got caught quickly doesn’t make his actions less unethical than if it had taken a long time to catch him or if he’d never been caught. That he admitted what he did after he was caught dead to rights… also doesn’t help much on any argument about ethics.
doug mentions this,
Wow. There’s actually a primer on when to compromise ethics and morality, huh.
I’ve got to read that. It might answer a lot of questions about how people justify themselves for me!
Mark Bofill, the idea of lying sometimes being justified is neither new nor surprising. I suspect most people won’t even find it surprising or questionable. The example people always tell me is one I actually disagree with – the white lie. I don’t think those are justified, and I don’t use them.
However, there are many cases where lying is harder to argue against. For example, few people would take issue with lying to an abusive husband about where his wife is to protect her from him. Similarly, if you knew someone thought to be dead was actually in the federal witness protection program, few would take issue with you saying they’re dead.
That said, I think Sissela Bok’s work is overrated and lacking in anything resembling a rigorous analysis.
Brandon,
Sure. But I’d argue that there’s no moral or ethical compromise about this. I don’t think one can correctly say ‘lying is wrong’ anymore than one can correctly say ‘firing a gun is wrong’. It’s not just that context matters, it’s that without a context these actions have no moral characteristic to begin with.
Part III has been updated
I agree on the main issue “hack or leak”: the existence of the log in 2010 likely doesn’t make much difference. (One could imagine hypotheticals, but they seem rather unlikely.) But presumably Lacatana realizes that, given the fact that the naming convention could be found by people fiddling around at the Wayback (and the known fact that people do fiddle at the Wayback, especially looking for SkS’s modifications to comments), it’s ridiculous to claim something like this:
It’s quite plausible that “The German” or someone learned of the existence of the “logs” directory and the naming convention at the Wayback (or even some other way). Once the convention is known it’s pretty easy to guess.
Oohh… love this wording “Post updated to more accurately reflect the age of the SQL injection logging feature.”. The more accurate way to word that would be “Post updated to correct our error in stating the age of the SQL injection logging feature.”
Wait, wait, wait.
Wait.
Seriously, wait.
Given that admission, there is no evidence this leak was because of a hack. At least, there is no evidence that doesn’t have a plausible alternate explanation.
I’ll have a post up about this shortly.
lucia, it’s related to what he says in that comment, but it’s not tied to that comment in particular. You can see the post here.
Um. That embedded image screwed up the page for me. My avatar and first name appear to the left of it with my last name (and comment ID) appearing on a new line.
A Security Hole is Born – Prequel
Somewhere in one of the chapters of this tale Bob Lacatana reminds us that Skeptical Science had been hacked before – in March 2010. On the 14th the Wayback Machine takes the first snapshot of the public log directory. On the 19th John Cook announces that they’ve been hacked…
http://www.skepticalscience.com/Skeptical-Science-housekeeping-Contradictions-URLs-and-getting-hacked.html
The comments and replies are interesting – especially #35 and #37.
DGH,
From the March 2010 post you linked:
If regulars rushed to update their passwords soon after John Cook began logging, the person reading the SQL logs would have gotten a pretty good start at compiling a user.csv file.
Comment 37
Lucia, are you currently able to ‘see’ the SKS private forum? Because that screen shot looks like you can…
sue,
No. That’s a screenshot from Lacatana’s post revealing discussion at the private forum after they learned of the ‘leak/hack’.
In the first installment Bob tells a commenter that SKS has never stored passwords as plain text. Oops.
Did you happen to see the quote from Tom Curtis that I posted over at Izuru?
So Cook is a faux researcher, a pseudo-climatologist and a failure at running a website.
Quite a list of incompetencies.
How does one get in touch with Josh? The Skeptical Science Treehouse Bunker cartoon could use an update. Something about secret passwords…
http://bishophill.squarespace.com/display/ShowImage?imageUrl=/storage/opengate_scr.jpg
Lucia, thanks for the reply. I haven’t really been following this whole hack/leak reveal.
DGH,
Yep!!
I’m waiting for Lacatana’s “explanation” in part IV. Each new version does seem to try to incorporate “responses” to things said in comments at twitter and so on. But I think the 2010 issue is important because it means Curtis was mistaken about it being literally impossible to obtain things back to 2010 from the /logs. It was entirely possible. Whether it happened I don’t know.
Also: It’s not clear to me the extent of logs saved by SkS. The word is often used without adjective, but all these have been or can be referred to as logs:
1) those SQLI logs.
2) server error logs.
3) server access logs.
1&2 have been referred to at length. I think he refers a bit to stuff one might see in access logs– but I’m not entirely sure.
DGH,
I googled to find the exact Curtis quote
http://www.bishop-hill.net/blog/2012/3/24/behind-the-scenes-at-skeptical-science.html?currentPage=4
The italicised portion of Tom’s claim appears to be untrue. Mind you: I think Tom believed it to be true. I suspect Lacatana believed it to be true. Possibly Cook’s recollection is such that even he believes it to be true. But all these combined would suggest that one can’t simply assume that what Tom, Bob and John Cook believe they know about their system is true!!
Actually, I shouldn’t have said appears to be untrue above. I should have said Lacatana’s update confirms that the italicized bit is untrue.
The fact that the /logs table existed since 2010 means the above claim is untrue. The entire database table might have– for some reasons– been restored with all events logged in the database. Or, alternatively, we know that SkS actually complained that the user database was not complete. The omission of some “skeptics” data was noted.
An incomplete database would be consistent with something obtained over time as people logged in or updated their credentials. The latter activity was encouraged by John Cook in March 2010 in a blog post announcing ‘a hack’. It’s plausible most regular SkS readers updated their credentials, while others might not have read the alert and not have done so.
Tom Curtis continues:
I’m pretty sure I also had an exchange with Tom where he jumped to the conclusion that the only alternative to believing his claims was to think he was lying. I’m pretty sure that I pointed out that I could believe him to be truthful but mistaken. I suspect the latter occurred.
Note: Other visitors immediately tell Tom they think he (and others) could be mistaken.
Funniest comment
Way quoting an ‘expert’:
Lucia,
Firstly, I am happy to take Tom, Bob and John at their word regarding all of this. They certainly believe the claims they’ve made and the tale that Bob is spinning. It just happens that they are mistaken.
Not only is Brandon’s version more plausible for its simplicity, it’s the only version that fits the evidence we have seen. If the hacker had admin access he would have been able to get the whole forum database. He only had 2010 forward. Tom Curtis was exactly wrong.
Given that I take them at their word I would suggest that they had one person taking files from the log directory and a hacker – the mysterious Francois – logging on as an admin.
I have a comment at Brandon’s awaiting moderation. Their secret forums started in 2010, and this hacker did get the initial content. I’m convinced of this by files “2010-08-08-Welcome to the Authors Forum.html” and “2010-08-14-Getting to know Skeptical Science authors.html”.
BTW, can anyone here join the dots between the unencrypted forum passwords and the hacker’s ability to upload and execute programs on the server? I guess we don’t really know how they’ve gone about designing their PHP based forum but would it be normal for one to provide the other? Perhaps it’s some kind of integrated security, or an admin just used the same password twice. To me that’s a big missing link which Bob hasn’t touched upon.
A user made an interesting comment at my site. It turns out I was mistaken about this not being the entire forum. There were introductory topics, but they were in the Authors subforum. I hadn’t realized that was the first of the subforums to be created. Skeptical Science gives different levels of access to different people (not all can see that subforum), but the tiered system apparently didn’t get implemented until later on.
What that means is apparently the Skeptical Science subforum didn’t get created until August of 2010, well after the logs of all SQL queries for the site began and were placed in a publicly accessible location. There is no coincidence in how much was released.
I guess we don’t have affirmative evidence the leak wasn’t due to a hack. We’re back to being stuck with no real evidence in either direction.
The “it couldn’t have leaked from the /logs directory” part of the argument definitely went off the rails. Possibly they could prove that– but at this point, they would need to be *very* clear about what’s in the server logs, how long they backed them up, how they searched them and so on. And it can’t be error logs, it has to be access logs back to 2010.
Given the blunder of their not knowing how long mySQL logs had been created and premising a lot of logic on that and so on, the “we believe X but we can’t show any real evidence to say why we believe it” really isn’t going to cut it very well. That’s the tack Tom Curtis used when he insisted he knew one couldn’t recreate based on what was in /logs and it’s clear he was entirely mistaken on this point. That mistake only became evident when Lacatana started actually explaining their reasoning and evidence for claims— and within a very short time, Barry found the listing on the Wayback machine, which we had before Lacatana posted an explicit claim those files did not exist more than a few months before March 2012 and that no one other than John Cook and the one other guy knew they existed.
Maybe Part IV will give us details about what was going on on the ‘admin’ side that show it was a hack and will give details that can be checked out by other people. Some details may be trivial– but it would be nice if we had them. For example:
1) They claim TOR was used. What were the IPs? (The one IP they gave in one of their posts was not Tor.)
2) How long have they stored their access, error etc. logs?
3) How far back did they search access logs to see that no one visited /logs?
4) Why do they think a Tor browser was used early on (rather than Tor used some other way)?
I get that Lacatana might want to make all this “exciting” by explaining what Tor is and/or speculating “The German” drank red bull, but relevant verifiable details about what went on would be much more enlightening. The issue isn’t so much one about honesty as whether proof actually exists, which includes the question about whether the SkS group might not make mistakes similar to their mistake about when the mySQL logs began being created and whether other people would know they existed. With respect to their argument about “proof” this was a hack, this was a huge mistake: one that turned out to be easily detectable by “outsiders”. And SkS have been making this mistake in interpreting their “data” for two years.
Do we know if anybody outside of the forum saw the pages when they were briefly exposed on February 23, 2012?
DGH–
Plus doesn’t matter anyway. No one ever suggested the forum info was obtained by scraping the revealed pages.
It matters a tiny bit.
The Wayback Machine took a snapshot of the open forum. I located it this morning. As we discussed up thread the Wayback machine crawls the web returning to websites from time to time automatically. There’s always a chance that happened at SKS during those few short hours that the forum was exposed. But that’s pretty unlikely.
It’s more likely that someone wanted to archive a snapshot of that page. The first two discussion threads in the forum including one about Gleick.
https://web.archive.org/web/20120222174758/http://www.skepticalscience.com/topic.php?t=7&p=23565
So while they claim that nobody saw anything private the Wayback machine says otherwise.
Again, I don’t doubt their word. It’s their forensics and analysis that I wonder about.
lucia, the Tor browser issue bugs me more than it probably should. You ask:
But what bugs me more is what Lacatena said about it in his latest post:
Why in the world does Lacatena think upgrading one’s version of Tor browser would improve “performance during long downloads”? And why does he think upgrading it would cause the Tor browser to report a Chrome UA instead of a Mozilla one?
And if the “German” could have used Tor “in a more sophisticated way” the second time around, how do they know he wasn’t the first time around?
Incidentally, I could have sworn this paragraph was different before, but I don’t have a copy of the page prior to its update. Does anybody?
DGH
Oh. That is kinda important. Because if SkS had access logs, the visit from the Wayback Machine should have been evident to anyone who has access to the access logs from Feb 23, 2012. The Wayback is not remotely sneaky. It gives an identifiable user agent. So, either:
1) Lacatana did not know the Wayback visited. We can speculate why he might not have known.
2) Lacatana was being rather coy in phrasing what visited as “Only two unknown IP addresses (not protected by Tor) visited the forum in that short span, one from Houston, Texas, but almost an hour after the forum had been re-secured, and one from Phoenix, Arizona, once while the forum was open, but without visiting any actual threads and so without seeing anything private, and the other several hours after the forum had been re-secured.”
The Wayback clearly visited because it took a snapshot. It would not have been using Tor. I’m pretty sure that the Wayback was already using the Amazon AWS cloud by 2012. Is this the IP from “Phoenix”?
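An added example (my own, not code from the thread or from Skeptical Science) of the access-log check the comment above describes, run over a few constructed Apache combined-format lines: it flags the archive.org crawler by its User-Agent, any request into the /logs/ directory, and query strings carrying the UNION SELECT payload quoted later in this thread. All IPs, timestamps and paths in the sample are constructed, and the crawler User-Agent token is my assumption about what the Wayback crawler sends.

```python
"""Added example: scanning Apache combined-format access log lines for the
things the thread asks about. Sample lines are constructed; the archive.org
crawler User-Agent token is an assumption about what the Wayback crawler sends."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the Internet Archive crawler announces itself with one of these.
ARCHIVE_UA_MARKERS = ("archive.org_bot", "ia_archiver")

# Union-based injection marker; a legitimate parameter value on a site like this
# never contains it. Values arrive already URL-decoded from parse_qsl.
SQLI_RE = re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses), one line per case.
SAMPLE_LOG = """\
203.0.113.50 - - [22/Feb/2012:17:47:58 +0000] "GET /thread.php?t=4528&r=27 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; archive.org_bot +http://www.archive.org/details/archive.org_bot)"
198.51.100.7 - - [24/Apr/2009:22:33:10 +0000] "GET /article.php?a=-2295+union+select+0,username,2,3,4,password,6,7,8,9+from+user HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"
198.51.100.23 - - [21/Mar/2012:03:12:44 +0000] "GET /logs/2012-03-20.zip HTTP/1.1" 200 91244 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
192.0.2.88 - - [21/Mar/2012:03:14:01 +0000] "GET /news.php?n=2055 HTTP/1.1" 200 5120 "http://www.skepticalscience.com/" "Mozilla/5.0 (Macintosh) Safari/534"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_archive_crawler(entry):
    ua = entry["ua"].lower()
    return any(marker in ua for marker in ARCHIVE_UA_MARKERS)


def sqli_params(entry):
    """Names of query parameters whose decoded value contains a UNION SELECT."""
    query = urlsplit(entry["path"]).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if SQLI_RE.search(value)]


def scan(lines, logs_prefix="/logs/"):
    """Summarise crawler visits, injection attempts and fetches under /logs/."""
    report = {"archive_visits": [], "sqli_attempts": [],
              "logs_dir_requests": [], "unparsed": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1      # count rather than silently drop
            continue
        if is_archive_crawler(entry):
            report["archive_visits"].append((entry["ip"], entry["time"], entry["path"]))
        hit = sqli_params(entry)
        if hit:
            report["sqli_attempts"].append((entry["ip"], entry["time"], hit))
        if urlsplit(entry["path"]).path.startswith(logs_prefix):
            report["logs_dir_requests"].append((entry["ip"], entry["time"], entry["status"]))
    return report


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

A real check for "did anyone fetch /logs" needs the access logs kept back to when the directory first existed, which is exactly the retention question raised above.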
@Brandon Shollenberger (Comment #125833)
That paragraph is the same in the save I had.
Besides a spelling and grammar correction the only substantial difference I see is this:
Old
New
He might get round to ‘eargerly’ in the next edit 🙂
The wayback also caught the first 2 forum conversations on that page:
https://web.archive.org/web/20120222174841/http://www.skepticalscience.com/thread.php?t=4528&r=27
https://web.archive.org/web/20120222175042/http://www.skepticalscience.com/thread.php?t=4607&r=0
sue-
Thanks, I’m taking snapshots of various things. The wayback visited lots of pages!
But I like this
Conspiracy ideation, much?
Also
Conspiracy ideation, much?
Was there ever a “non-secret” SkS forum?
tlitb1, thanks. I probably just misread it the first time around. It wouldn’t surprise me. It can be difficult to try to follow what a person says when it makes little, if any, sense.
lucia, speaking of conspiratorial ideation, did you see this comment on Lacatena’s first post? It cracks me up.
Brandon,
The only browser I know of that could be called a “Tor Browser” is this one:
https://www.torproject.org/projects/torbrowser.html.en
I’ve downloaded it to my mac and it’s firefox. I think out of the box it uses a very bland, non-distinctive commonly shared User Agent. I guess if you saw Tor was being used and saw it was using the default user agent for the Tor Browser Bundle, you might infer they were using the Tor browser. But a sophisticated Tor user might very well pick that agent anyway.
As for upgrades of the Tor browser bundle: as far as I am aware, they are still firefox. Not chrome. I would be astonished if Tor worked faster over chrome– since it’s not the browser that causes the slow speed, it’s traveling through all those onions that smother you!
As for user agent: Why not “perhaps he was spoofing user agent”.
(Though why he would do that is a mystery beyond comprehension. The Tor guys would probably advise against it. Because they think it’s better for everyone going in and out of Tor to look as much like everyone else as possible. I think this might be helpful if someone can sniff both entry and exit nodes? Dunno. Anyway, I’m pretty sure they would tell anyone using Tor not to spoof user agents to something other than their Firefox agent. So using the bland one would be more “sophisticated” than changing to a more unique browser.)
Brandon
As a blog that has been hit so hard by bots (or something) that it was perpetually crashing, I am dubious that anyone tried to DOS SkS. Or, at a minimum, I haven’t seen any evidence that anyone tried to DOS SkS– other than accidentally the way bots-gone-wild can effectively DOS a system.
lucia, the people behind the Tor Browser specifically test to see what User Agent is the most common (amongst Tor users). They set the Tor Browser User Agent to that. It’s not that “a sophisticated Tor user might very well pick that agent anyway.” It’s, “Odds are, a Tor user would be using the agent anyway.”
On the topic of spoofing UAs, it is specifically recommended you don’t do that while using Tor. The more difference there is in the traffic of Tor users, the less effective Tor is. That said, the Tor browser you link to gives you the option to spoof whatever UA you want. It takes all of 30 seconds. As such, the German could have been using a Tor browser all along, or he could have never been using it. There’s no way to know.*
And yeah, astonished is the right word for the idea switching browsers could somehow speed things up.
.
*Technically, this isn’t true. The Tor browser does have some built in functionality used to anonymize activity. It is sometimes possible to distinguish this from other uses of Tor if you have the right logging/fingerprinting set up. I sincerely doubt Skeptical Science has any idea how to do this though.
Lucia, Yes. There was a non secret forum. Some of the pages are archived, too.
Sue, actually that’s what I meant with that sentence that began “the the firs two discussion threads…”. I was running out the door and didn’t check that comment.
Lacatena wrote, “A month before the hacker released the data, just days after the initial hack, the hacker made a mistake, one that we missed.”
Try this scenario…
The hacker didn’t make a mistake. He/she wanted to embarrass SKS so he/she left the site open. The hacker was sympathetic with Heartland and wanted to expose SKS’s conversations on that issue.
Lacatena mentions a couple of other clues in that regard. He claims that the note left at Tom Nelson’s blog was similar to the one that Peter Gleick wrote in the Heartland affair. I haven’t compared them but I’ll assume that’s true. Lacatena also mentioned that the hacker browsed the Gleick discussions in the forum. It so happens that he browsed the thread at the same time as the Wayback Machine.
It would be one heck of a coincidence for the Wayback machine to stop by in those few hours the site was open. More likely the hacker requested that an archive of the pages be made. The pages were saved around 17:50 GMT (believe Wayback uses GMT) which is 3:50 am in Australia. This fits the timeline that Lacatena provides in chapter 2.
(The odd thing is the second thread that was archived. It was a pretty uninteresting topic.)
Ok this is weird, but on the topic page that DGH linked to above in Wayback at the bottom is a link to register and it leads to Cook’s old Sev registration page.
https://web.archive.org/web/20120213150536/http://contests.sev.com.au/ratsy/register.php
John Cook left his old discussion board site up and running until at least Feb 19, 2012 as you can see here:
https://web.archive.org/web/20120205100538/http://forum.sev.com.au/topic.php?TopicId=1
And have a look at this discussion and the cartoon provided by a fan 🙂
https://web.archive.org/web/20120303170623/http://forum.sev.com.au/thread.php?ThreadId=1073
Oh no, here we go again…
[JH] The SkS automated email system is experiencing a technical glitch. Please bear with us while we fix it.
Do you think any of his old fans could have just signed in to the SKS forum?
DGH where did you get that message from?
Last comment of chapter 2 or 3 of Bob’s story is a complaint from a registered member about an email.
Thanks DGH.
If you visit the wayback, there are things at
https://web.archive.org/web/*/http://www.skepticalscience.com/forum.php*
https://web.archive.org/web/*/http://www.skepticalscience.com/topic.php*
and:
https://web.archive.org/web/*/http://www.skepticalscience.com/thread.php*
All say “Skeptical Science Forum” and show the same logo. How can we tell if these are all the “secret” forum or the “not secret forum”?
Hmmm. Here it looks like one needed to sign in:
https://web.archive.org/web/20100906223559/http://www.skepticalscience.com/forum.php
Then the page became unavailable by March 2013.
Lucia,
I spent some time on that early today. In fact it was the page URL structure that led me to finding the hidden forum archive.
John opened that forum for people to help develop the Guide to Skepticism. There were announcements on the public boards about this endeavor. As Sue notes this discussion was only public for a short time.
I am working on a pad this evening or I would track down some links.
Sue,
That link to the Sev pages is very funny. It highlights the interconnection between John Cook cartoonist, John Cook IT Professional and John Cook climate scientist. Jack of all trades…
Obviously he copied the Sev forum programming to build the SKS forum. But he forgot to update the link that you found.
I’ve got the links:
Regular SKS page as currently seen:
http://www.skepticalscience.com/guide-to-skepticism.shtml
Same page on the Wayback with link that goes to the ‘public’ forum?
https://web.archive.org/web/20110830113243/http://www.skepticalscience.com/guide-to-skepticism.shtml
‘Public’ forum
https://web.archive.org/web/20111018041548/http://www.skepticalscience.com/topic.php?t=14
https://web.archive.org/web/20120323024108/http://www.skepticalscience.com/thread.php?t=472&r=1
That link is also on the ‘public’ forum page for the GW Skepticism.
https://web.archive.org/web/20111018041548/http://www.skepticalscience.com/topic.php?t=14
See the bottom of this page for the announcement…
https://www.skepticalscience.com/The-Scientific-Guide-to-Global-Warming-Skepticism.html
@lucia (Comment #125855)
Here’s a forum logo that’s still live:
http://skepticalscience.com/images/forum_head.gif
Someone please tell me this is not the same Bender from CA:
https://web.archive.org/web/20120321033359/http://forum.sev.com.au/thread.php?ThreadId=910
Actually I want to change my previous post to: Is Bender at Sev the same Bender at CA? I don’t care what the outcome is except that it is the truth. Does anyone have any proof one way or the other?
sue, bender at CA is from US. The Bender at Sev in your link seemed to be from Australia.
Sue, the writing style is also very different from the CA bender. CA bender was smart and could be acerbic but would never resort to some of the sophomoric language used at your link.
I haven’t seen bender lurking around CA in a long time. CA is a lesser place without his commentary.
Bender, bender, bender.
Part I: 21 February 2014
Part II: 26 February
Part III: 28 February 2014
I’m hoping for Part IV soon!
For your entertainment until the next installment here is a lesson on how to block an IP address…
https://web.archive.org/web/20110218014850/http://forum.sev.com.au/thread.php?ThreadId=1065
Funny. I wonder if he used the same forum software at his old Sev cartoon forum and his SkS forum? Based on the module names it looks like he did.
lucia, it looks like the next post in the series may not go up for a while. It’s not listed as being scheduled for this coming week.
The bad link that Sue identified was the first clue in that regard. The registration button at the bottom of the SKS forum pages takes you to the Sev registration. Clearly he was sharing components.
From there you’ll note that the forum is familiar in functionality, layout and (dare I say it?) color. All of the sites that he worked on have that same feel. Of course who wouldn’t share software between sites?
Which begs, was Sev ever hacked?
“Which begs, was Sev ever hacked?”
Yup!
https://web.archive.org/web/20110218041828/http://forum.sev.com.au/thread.php?ThreadId=491
Sue:
More hackage at Sev
http://www.hackforums.net/printthread.php?tid=77619
Some guy with the handle “dark evil” says he hacked John’s cartoon site in 2009
blue thunder adds
Sue and Lucia –
Nice finds.
Seems like John’s been running training camps for SQLI hackers.
umm why would hackers put things like that in a forum?? It’s like a different world to me. And how did you, Lucia, know where to look for something like that 😉
Do you think JC kept using his ID and password from his old site on the new SKS site? 🙂
His username certainly hasn’t changed.
But more importantly if Sev.com.au had a SQLI vulnerability then so did SkepticalScience.com. The link you identified makes that very clear.
Members at the Sev site openly discussed that John had moved on to SKS. One would expect that the hackers followed. A pied piper of sorts!
http://www.urbandictionary.com/define.php?term=cobber
Here’s a cached page where someone is fingerprinting Cook’s old cartoon site
look for cartoons.sev.com.au/.
(I see fingerprinting like that. It’s one of the most obnoxious things that hits my site.)
Cute, 404 on the Sev site goes back to home page. Kinda lose a little tracking capability, but hey. At least we have one Sev hacker of interest, “CodyBooter”.
I really like the Trojan/Win32.Harnig.gen urgency in the ’06 incident, responding by updating Wikipedia. Awesome, John, Just Awesome.
I wonder if Emily “EoS” carried over to SkS? She seems to be a sharp one.
Actually I thought Cook used JC as his username at Sev but that doesn’t click with the hacker forum Lucia linked to.
https://web.archive.org/web/20110217000308/http://sevilians.sev.com.au/profile.php?profilejudgeid=1
(Comment #125966) Sorry, Emily -> Emma
It still clicks. I doubt he signs in as “JC”, but being a christian, I am sure he enjoys the initials/handle.
“skepticator.com/ – Cached – Similar9 Jul 2013 . http://www.skepticalscience.com/news.php?n=2055 . It was my ticket to fame,”
http://svatebnistranky.cz/engine.php?q='productdetail.php?id%3D‘)+UNION+ALL+SELECT+NULL,NULL,NULL+union+all+select+null,null,null,null,null–
Truly a training camp…
http://webcache.googleusercontent.com/search?q=cache:3F8CvaXLhRAJ:www.hackforums.net/archive/index.php/thread-280329-2.html+&cd=4&hl=en&ct=clnk&gl=us
http://webcache.googleusercontent.com/search?q=cache:qnLqQzFfbu4J:www.hackforums.net/archive/index.php/thread-83805.html+&cd=5&hl=en&ct=clnk&gl=us
http://webcache.googleusercontent.com/search?q=cache:bxCixW2QVBUJ:www.hackforums.net/archive/index.php/thread-324015.html+&cd=6&hl=en&ct=clnk&gl=us
And many more.
At one of those I see a person advising
“in version 4 your have to guess the column and table names”.
In newer versions of software, they often have table names include a user selected prefix to make it more difficult for these kiddies playing hacker games to hack by guessing.
DGH
Noticed you saying this. For clarity, as far as I can see his site seemed to be used by the self-taught as a training playground. John wasn’t running anything. (In fact, likely after 2009, part of the issue was probably that no one was paying much attention to the administration side of John’s old cartoon site. That’s one of the reasons so much hackage goes on. Old software vulnerabilities exist, they linger… hackers play.)
Tell you what. Can we say that John was actively operating a playground for hackers at SKS by 2009?
http://cyber-warrior.net/Forum/-sql-bug-bank-3_327935,15.cwx
DGH–
If you are going to say that, you are going to have to tell me what bit at that link tells us that John was actively operating any playground. Because I sure don’t see it.
All I’m seeing is an entity that went by the name “Onur_By_System” posted a link to
http://www.skepticalscience.com/article.php?a=-2295+union+select+0,username,2,3,4,password,6,7,8,9+from+user
On (I guess) Gönderilme Tarihi: 24 Nisan 2009 saat 10:33PM – Kayıtlı IP
This does not mean John was actively operating a playground for hackers (at least not how I understand that accusation.)
Lucia –
I am not sure I understand exactly where you’re finding fault with the comment. To be clear I intend this with a bit of (well deserved) snark – I don’t believe that John was intentionally running his websites for the pleasure of hackers. But it seems with every search we find more hackers that have tested and frequently breached his sites. And let’s just say his attempts at securing his servers do not inspire confidence.
The discussion I linked is titled, “SQL Bug Bank 3.” It’s in a forum called “Exploits and Vulnerabilities.”
The google translation from comment of interest is, “such outcomes password: ^ Ao?. ž; ½ ® Cy? ¿DO does in the introduction. I wonder if I did not understand encrypted in a different way? I am having anything like the first time ….”
And the full text of the link that the person provided is,
http://www.skepticalscience.com/article.php? a=-2295+union+select+0,username, 2,3,4,password,6,7,8,9+from+user
Call me crazy but that sure looks like an effort to hack into SKS.
DGH
When I read what you wrote it seems to convey the notion that John was intentionally operating a site for hackers to play in as opposed to “hackers found his wide-open insecure site and were having a ball developing their skillz while trespassing there”
That’s how “Seems like John’s been running training camps for SQLI hackers.” reads to me. I realize it might be meant in some other way– but that’s why some clarification was required.
It does appear that hackers were going to town on John’s cartoon site and SkS. As far as is revealed, their motives were mostly to practice hacking skillz– not to deface, not to interfere with cartooning or SkS’s green mission and so on. Collectively it appears that people found many of the vulnerabilities by using “Google Dorks” (http://www.exploit-db.com/google-dorks/), by reading error messages on the site itself, by running scans to fingerprint and so on. Once the sites were found to be insecure, the fact of the insecurity was shared. Then others seem to have gone to town.
Sadly, some people who do not understand security also do not understand that once your site is found to be vulnerable, more and more and more hackers will point themselves at your site. It’s not personal. Either they think it’s “fun” or it’s “for profit” (which can be as little as selling emails to spammers.)
I agree with Lucia that a clarification needed to be made. And with that said, I’m stepping out of this conversation because as I said earlier, this is a whole new world to me and I am not comfortable with it. But you two seem to have come up with more info in a day than Bob has in two years though!
While I question many things about JC there is no doubt on my part that he’s an earnest, true believer in climate change alarmism and science fiction cartoons. Apologies if that’s redundant.
A few questions –
1. How many times has John Cook written to his users at SEV and SKS that their passwords may have been stolen?
2. Based on what has been posted on this blog how many more times should he have notified his users about security breaches?
3. Is the successful hack incidence rate at SEV and SKS higher than a typical blog experiences?
4. Has the security at SEV and SKS been sufficiently enhanced in response to each of the security breaches that have occurred?
5. What level of confidence do you have that your personal information in the SKS database is secure?
It would be silly to assert that John Cook established his websites with the intent of hosting playgrounds for hackers. But to those folks whose personal information has been compromised multiple times, perhaps without their knowledge, does the distinction between negligence and intent really matter?
There are risky practices that persist at SKS. For example, sending passwords in plain text to users is not recommended. There are also issues with their implementation of the SQL database that are of concern.
I wait with bated breath for Chapter 4.
DGH,
Are those rhetorical? Anyway, if they were not rhetorical my answer is: I don’t know and I’m obviously not the person to ask. The person to ask would be John Cook and he’s not here in comments.
I thought we were here to discuss “SKS non-revelations.”
Apologies for wasting your time.
DGH,
You’re not wasting my time. I just don’t know the answers to those. (And one of my few rules is “no rhetorical questions”!)
Sue: “you two seem to have come up with more info in a day than Bob has in two years”
Funny you should say that…I was idly wondering if there was a purpose of trying to attract some diagnostic effort. It wouldn’t surprise me if Cook knew as little about security as (say) I do. That isn’t meant as a knock; Lucia has come by her education about website security with a lot of effort. Anyone can pick up a manual and make something “work”, but the discussions here — well over my head — make it clear that there’s a big gap between “working” and “secure.”
Lucia,
I’ll plead that I think that each of those questions has an answer that is worth consideration and discussion. But in the end I suppose it was a rhetorical device to make a point. I’ll avoid that infraction in the future.
You noted that hackers will “point themselves” at a vulnerable site. Apparently that has been happening at John’s sites and there are reasons to believe that might still be the case at SkS.
The reasons for the “rule” are (at least) two fold:
1) When used to make a point, it’s sometimes difficult for the reader to be certain what the point is. Maybe the point of your (“1. How many times has John Cook written to his users at SEV and SKS that their passwords may have been stolen?”) was “John ought to know his sites are at risk, that it’s partly due to his carelessness with security, and when he is hacked, he may not be detecting it– and so his users or he may be detecting it but sometimes choosing not to inform users”. Possibly… but we don’t know. It’s speculation, and if you are making that point it would be better to just say it. If you mean some other point, then it would be better to state that point.
2) Sometimes the questions are assigned as some sort of “homework”. (I don’t think yours fell in that category.)
But anyway, overall, these sorts of questions result in lots of confusion and can derail comments. It’s not such a big deal if few people are involved, but otherwise, it can be really bad. Oddly, on twitter…. rhetorical Q’s are sometimes forced by the 144 char limit.
Yes. And it appears that in the past at least, they did a very poor job of sanitizing user entered data. They may be doing other silly things– dunno.
“Yes. And it appears that in the past at least, they did a very poor job of sanitizing user entered data. They may be doing other silly things– dunno.”
Sanitizing user inputs is a very important protection but not the only protection against SQLI attacks. Google search results suggest that SKS continued employing bad practices as recently as 2/18.
I think you know that Bob acknowledged that they are emailing plain text passwords to users who have lost their passwords. I haven’t seen any rational defense of that practice.
Yes. They seem to email passwords in clear text. This is dumb. They seem to think it’s kinda-sorta- ok. But it’s insecure and dumb.
Part 4 is out. Revelations include: SKS is a roll-your-own written by Cook. It’s apparently served by Apache. Bob overwrote the sks.zip file on the Russian server with a garbage zip to see how the German would react. The SQL injection attack wasn’t the initial point of entry, although once again we’re left breathlessly waiting for the next episode.
Mark-
I don’t believe the fact that John programmed the site is a revelation. He has credited his wife for the design and I believe he has publicly discussed the effort required on his part to develop new features.
DGH – Didn’t know it. OK.
Marc Bofill,
My site is on an apache server. It’s pretty common.
I don’t know if I’d call them revelations but:
Part 4 is hysterically funny…
http://www.skepticalscience.com/hack-2012-4.html
“John, alone, programmed 97% of that,”
LOL (obsessed with that number?)… not 98%, nor 94 or 95% – did he measure? 😉
The specificity of the number is funny.
I’m sort of mystified why he wrote so much of software instead of collecting together pieces of software mostly written and maintained by others. His choice.
It’s John Cook’s version of 7 Minute Abs…
http://www.youtube.com/watch?v=byEkJ3zRTcY
DGH,
I noticed this:
This actually suggests the questions are rhetorical. Often when rhetorical questions are used, the “goal” is to try to lead the discussion of those questions without first volunteering one’s own answers. That’s ok in a classroom setting where “you” are the professor and “we” are your ‘little grasshoppers’. But it’s totally inefficient on a blog where people are conversing more or less as equals. Worse: it seems to ‘heap’ the burden of typing the answers on to those who are asked the question while permitting the person who “asks” the questions to avoid going out on a limb and giving their own answers.
Further explanation of the rule may be required. If you think each of the questions has an answer, and you think you know the answers and your ‘point’ is to try to get others to “see” the obvious answers, then you must provide your own answers when you ask the question.
That is: rhetorical questions are permitted as a style feature but the person who posts them is required to volunteer their answers in the comment where they post the question.
John Cook is a database and WWW professional.
http://www.yaleclimatemediaforum.org/2010/12/skeptical-science-founder-john-cook/
“It was 2007, and Cook was working from his home in web programming and database programming, something he still does to earn a living, generally working with small local Australian businesses — local doctors, beauty salons, cartoonists, and promotional product companies.”
DGH,
The only saving grace is many of those people are likely not on the web….?
Lucia
I also wrote, “But in the end I suppose it was a rhetorical device to make a point. I’ll avoid that infraction in the future.”
You’re in charge here. I think my questions were in bounds. You don’t. You win. I don’t want to argue the point.
And let me reiterate, I will avoid the infraction in the future.
Lucia,
In the lower left hand corner of the Sev page you can see other sites that were built by John and his wife. Here is the current portfolio of websites.
http://www.paperweb.com.au/portfolio_webdesign.php
You’ll note that both SKS and Sev are shown. You’ll also note that the other sites have very similar looks and functionality. We can’t know if the engines behind the other sites were built by John.
I know you are going to comply. My goal wasn’t to harp— I just thought I needed to further explain the rule so that you can feel free to ask things like that in the future — provided you provide your own answers, especially if your entire point of asking the question is that you think the answers are worth discussing. The reasoning is: to the extent that the answers are worth discussing, you might just as well start discussing the answers when you post the questions. The alternative tends to just waste time.
I suspect Cook implemented a method to make search safer from hacking but screwed up exact pattern matching in the process. So search is a bit subpar at those sites.
Exact pattern matching isn’t currently working at SkS and doesn’t seem to work at http://www.bluewaterstudy.com/search.php?s=fluid+mechanics&x=0&y=0 (Try ‘domestic student only’ )
But you know what Bob would say
Well…. yeah. Which means if you are going to create a search function, you want to write a module to look for paired ” or “” and create the appropriate search, LIKE ‘%whatever%’ or LIKE ‘whatever’ as required. To do this one must first think about the functional design requirements and then code them. Oh the humanity!!
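The search module sketched in the comment above (paired quotes mean exact match, otherwise a substring LIKE), written so that it also answers the earlier point that sanitizing input is not the only SQLi defence: an added example, not SkS code, using parameterized queries and LIKE-wildcard escaping against a constructed in-memory table of post titles.

```python
import re
import sqlite3

# Constructed sample titles (not real SkS data) so the example runs offline.
SAMPLE_TITLES = [
    "Domestic students only",
    "Domestic student only",
    "Fluid mechanics for beginners",
    "Notes on fluid mechanics",
]

# A term is either a double-quoted phrase or a run of non-space characters.
# An unpaired quote simply falls through to the second branch as plain text.
PHRASE_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_search(query):
    """Return a list of (term, exact) pairs; quoted phrases are exact."""
    terms = []
    for quoted, bare in PHRASE_RE.findall(query):
        if quoted:
            terms.append((quoted.strip(), True))
        elif bare:
            terms.append((bare, False))
    return [(t, e) for t, e in terms if t]


def escape_like(term):
    """Escape LIKE metacharacters so user text is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_query(query):
    """Build a parameterized WHERE clause; user text never touches the SQL string."""
    clauses, params = [], []
    for term, exact in parse_search(query):
        clauses.append("title LIKE ? ESCAPE '\\'")
        # Exact phrase: the whole title must equal the phrase (LIKE without wildcards,
        # i.e. case-insensitive in SQLite). Bare word: substring anywhere in the title.
        params.append(escape_like(term) if exact else "%" + escape_like(term) + "%")
    where = " AND ".join(clauses) if clauses else "1=1"
    return "SELECT title FROM posts WHERE " + where + " ORDER BY title", params


def search(query, titles=SAMPLE_TITLES):
    """Run the search against a throwaway SQLite table and return matching titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?)", [(t,) for t in titles])
    sql, params = build_query(query)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

A classic injection string such as `' OR 1=1 --` is just four literal substring terms here and matches nothing, and a bare `%` is escaped rather than treated as a wildcard.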
Lucia –
Before you click on the following link I’ll give you 3 guesses at the letters in the SkS captcha security image…
http://www.skepticalscience.com/securityimage/securityimage.php?code=GNBCZQ
BTW the SecurityImage directory was archived by the wayback machine. Now that you’ve clicked on the link above you only get one guess for this one…
https://web.archive.org/web/20080719095056/http://skepticalscience.com/securityimage/securityimage.php?code=WCOASP
As you noted in the thread about your custom captcha this isn’t about high security, it’s about slowing down bots. So I’m sure that the SKS system is accomplishing that purpose. On the other hand, I am certain that Brandon would have to spend much less time coding a way to crack this system.
Finally, you won’t be surprised to learn that other sites designed by Cook use the same system.
h/t Brandon S.
http://www.skepticalscience.com/securityimage/securityimage.php?code=LUCIA
DGH–
I saw Brandon post that. It’s hilarious. For others, the SkS captcha is 100% guessable based on the clear text URI of the captcha.
http://www.skepticalscience.com/securityimage/securityimage.php?code=LUCIA
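The failure mode above is that the answer rides in the image URL (`?code=...`), so nothing needs to read the picture. An added example, not SkS code, of the usual fix: the server keeps the answer, the image URL carries only an opaque single-use token, and the `_challenges` dict stands in for whatever session store a real site would use.

```python
import hmac
import secrets
import time

# Letters only, dropping I and O so the rendered image is not confused with 1/0.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"

# token -> (answer, expiry). Stand-in for server-side session storage (assumption).
_challenges = {}


def issue_challenge(ttl_seconds=300, now=None):
    """Create a challenge server-side and return only the opaque token."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    token = secrets.token_urlsafe(16)
    _challenges[token] = (answer, now + ttl_seconds)
    return token


def image_url(token):
    """The URL embedded in the form: it names the token, never the answer."""
    return "/securityimage/securityimage.php?token=" + token


def render_text(token, now=None):
    """Text the image renderer draws; None if the token is unknown or expired.
    This is the only place the answer is read, and it leaves the server only as pixels."""
    now = time.time() if now is None else now
    entry = _challenges.get(token)
    if entry is None or now > entry[1]:
        return None
    return entry[0]


def verify(token, submitted, now=None):
    """Check a submission; the token is consumed on any attempt (single use)."""
    now = time.time() if now is None else now
    entry = _challenges.pop(token, None)
    if entry is None:
        return False
    answer, expiry = entry
    if now > expiry:
        return False
    # Constant-time compare; normalise case since the image is letters only.
    return hmac.compare_digest(answer, submitted.strip().upper())
```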
In Part IV comments
Argghhh!!! That would be the only truly interesting thing!
What is this page?
http://sha1.znaet.org/sha1/94eb24cf25a4ceaa49d6fbb1d3768898cb91e23a
No idea. Looks like maybe someone was cracking SkS passwords in December 2013?
https://web.archive.org/web/20100419074929/http://www.skepticalscience.com/zip.php
John is busy erasing the past…
The links I posted in
http://rankexploits.com/musings/2014/sks-non-revelations-about-their-hack-part-i/#comment-125838
are now “excluded”
Sue: That’s why one takes screenshots….
Part 5 up…
Comments continued at http://rankexploits.com/musings/2014/skeptical-science-visits-by-francois/