In late May, I mentioned my blog had been the victim of a script injection attack which I cleared up. Tetris had noticed that WUWT and CA had been attacked during the year and thought the attacks might be politically motivated. I doubted that theory. The reason tetris notices sites he visits are attacked is not because they are attacked any more often than sites he doesn’t visit. It’s because he only notices hackage at sites he visits.
Today, I have evidence! Every now and then, I like to click the linked names at sites to see what commenters link to. Today, I clicked the pink link below:

Barton Paul Levenson (a warmer) normally links his geocities page which links to pages he’s written. (Visit here.) However, when I clicked the link today, I was directed to a slightly different address: http://www.geoci-ties.com/bpl1960. Notice the ‘-‘ inserted in geocities? So, currently, visitors at RealClimate who click Barton’s link visit a page that consists of links BPL probably would not intentionally place on his web page:

My theory? Well, the three things I can think up:
- Barton Paul Levenson really has decided to drop links to a spammy site with links to “adult” content. (I doubt this.)
- Real Climate has been hacked. Someone is running a script that modifies all links to ‘www.geocities.com’ to read ‘www.geoci-ties.com’.
- BPL’s computer somehow got hacked and automatically fills the author-url with the bad url.
If it’s the second, we have evidence that hackers hack for profit rather than any motivation for partisan advantage. The hackers’ intention for inserting or modifying links would be either a) to increase the incoming links to the spam site, thereby increasing its page rank with google or b) hoping RC readers will click BPL’s link, and say “Now that I think of it, I really do need Pet Meds and/or adult reading materials!” They would then click something that might be a pay-per-click link and the hackers would make money for the spam site.
Either way, I suspect the guys at RC may want to run a check on comments and remove all links to “geoci-ties.com”. Or they could get that agency who hosts and takes care of RC for them to do the search and replace on their database. While the web host is at it, they might want to take a look at general blog security.
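The check on comment links suggested above, as an added example (not code from this blog or from RealClimate): it flags author URLs whose host differs from a known domain only by hyphens or by a single character, and counts how many distinct commenters carry each one, which separates one commenter's entry from a rewrite across many. The allowlist, the `(author, url)` row shape and the sample rows are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains commenters legitimately link to.
KNOWN_HOSTS = ("geocities.com", "blogspot.com", "wordpress.com")

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if unparsable."""
    try:
        host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    except ValueError:
        return ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, known=KNOWN_HOSTS):
    """Return (known_host, kind) for a lookalike host, else None."""
    host = host_of(url)
    if not host or host in known:
        return None
    for good in known:
        if host.replace("-", "") == good.replace("-", ""):
            return good, "hyphen-variant"
        if edit_distance(host, good) == 1:
            return good, "near-miss"
    return None

def scan(comments):
    """Group flagged hosts with hit count and the distinct authors using them."""
    report = {}
    for author, url in comments:
        hit = classify(url)
        if hit:
            entry = report.setdefault(host_of(url), {"looks_like": hit[0],
                                      "kind": hit[1], "authors": set(), "count": 0})
            entry["authors"].add(author)
            entry["count"] += 1
    return report

# Constructed sample rows; only the geoci-ties.com URL appears in the post.
SAMPLE = [("commenter_a", "http://www.geoci-ties.com/bpl1960"),
          ("commenter_a", "http://www.geoci-ties.com/bpl1960"),
          ("commenter_b", "http://www.geocities.com/some_page"),
          ("commenter_c", "www.geocitles.com/x"),
          ("commenter_d", "http://example.org/")]
```

A flagged host used by a single author points at that author's own entry; the same lookalike across many unrelated authors is the pattern a site-wide rewrite would leave.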
“Or they could get that agency who hosts and takes care of RC for them to do the search and replace on their database.”
Did somebody call for help from Fenton Communications?
http://en.wikipedia.org/wiki/Fenton_Communications
http://www.whois.net/whois_new.cgi?d=realclimate&tld=org
Andrew_FL–
With respect to dealing with this hacking, the whole political aspect of who hosts RC isn’t relevant. However, since the guys at RC don’t self-host, I figure they may not be able to deal directly with the mysql database of the files on the server. That means they would need the actual host to deal with the script injection attack.
Option 3). Geocities is a huge generator of spam comments and is thus on our spam blacklist. BPL puts in a hyphen to get past the filters, inadvertently adding links to a spam site that presumably was set up to benefit from exactly such an occurrence. I’ll fix it.
Gavin,
It hadn’t occurred to me BPL would intentionally drop what would be a broken link were it not for geoci-ties existing. Ask BPL if he did it. Because if not, you got hacked.
Either way, you’ll want to fix that. I’ve been looking for a plugin to quickly search comments so you can scan links. (I want to do it myself. Hackers are sneaky.)
Gavin’s explanation is much more plausible. In fact, my first reaction before I read Gavin’s comment was that BPL had simply made a typo. I just didn’t realize it was deliberate.
Lucia I think you mean “cracking” ,(1) not “hacking”.(2) Yes, I know the great wide Internets have conflated those two terms. I do not care. I will continue tilting at that windmill.
Also, Geocities is going to close soon,(3) FWIW.
(1) http://www.catb.org/jargon/html/C/cracker.html
(2) http://www.catb.org/jargon/html/H/hacker.html
(3) http://help.yahoo.com/l/us/yahoo/geocities/geocities-05.html
Deep–
Yep. Could just be a typo.
I discounted the typo notion because… I figured:
a) how do you accidentally insert a ‘-‘ between the i and t on a keyboard? The dash is pretty far over
b) my browser automatically fills in author urls, so I figure most browsers do. That makes it hard to commit a typo. (Maybe most don’t.)
c) when I saw the first bad link, I searched back. The link with the ‘-‘ is in both links. Could he really do that twice and
d) what’s the likelihood the typo results in a live address? Some geocities typos go to spammy sites, but ge-ocities.com doesn’t.
I think the only way to find out if it was deliberate is to ask BPL. Having been hacked by 15 year old Turkish kids who were just playing games, I tend to be suspicious of hacking when things like this happen.
Deep–
I googled Barton’s name, checked the cache, and found the “typo” back to March. See comment 67 here. http://74.125.95.132/search?q=cache:KglOe98aWVMJ:www.realclimate.org/index.php/archives/2009/03/advice-for-a-young-climate-blogger/+Barton+Paul+Levenson+comments&cd=3&hl=en&ct=clnk&gl=us&client=firefox-a
I think I’ve clicked the link on his name at RC before, and it went to the correct destination. Of course, I may have clicked on some other link that sent me to his page.
(His links at Deltoid look fine.)
Lucia:
your “I tend to be suspicious of hacking when things like this happen.”
You’re paranoid. The question you need to ask yourself is:
“I’m paranoid. But am I paranoid ENOUGH?“
Les–
Well… long ago my knitting blog was hacked by teen-age Turkish kids playing some sort of game. They hacked a bunch of blogs, put up a post showing they hacked in and gave you a little lecture on blog security!
I visited their site and each kid had a score card listing the blogs they’d broken into and when. All break-ins had to be verified by another kid.
I implemented a range of security measures to make it difficult for kids to just run a script guessing log in names and passwords running a script. But… obviously, I’m still not 100% secure. That script injection attack proved that!
Lucia,
The attack some 18 months or so ago on CA was hardly some simple form of hacking or “cracking”. Rather, it was a deliberate “denial of service” type attack intended to take CA out of the game for as long as possible and it succeeded in doing precisely that. SteveM was [and still is] systematically getting too close to the bone and has a significant, generally educated and connected readership. To those with a stake in keeping the “global warming” story alive, that is dangerous. Whatever happened to RC -deliberate or not- is certainly not of the same variety.
Intelligence and police services use various forms of what is generally referred to as MOMM to get a handle on a given case. The acronym MOMM stands for Motive, Opportunity, Means and Methods. The key driver in any such analysis is the first “M”, i.e. Motive. Based on all available evidence over the past years, I think that there can be very little doubt that it is the AGW/ACC dogmatists/opportunists, most of whom have clearly identifiable and significant academic or business interests at stake and multi-million dollar funding to back them in the ongoing “propaganda war”, who are by far more motivated and able than the “skeptics” to perpetrate attacks against those sites that question the dogma.
Then again, as the saying goes: “just because I’m paranoid doesn’t mean they’re not out to get me..” 🙂
tetris–
Sure. DOS attacks are different.
What happened to me and may or may not have happened to RC is small potatoes. I think it’s unrelated to the CA issue. (I still favor the “hacked” theory over the “BPL inserted a hyphen” theory. I’m going to write something to scan all urls in comments so I can detect any sort of fiddling.)
65 occurrences of “geo-cities” at RC. Some are labeled as intentional spam filter workarounds. 65 is not high enough to suggest RC was cracked.
Zero at RE. This article probably hasn’t been visited yet by the Googlebots.
I inserted the hyphen to get my signature past RC’s spam filter, which counts Geocities as a spam site. I wasn’t trying to hack anybody, nor to facilitate hacking by someone else, and I rather resent the implication that I was.
I moved my site to Geocities because AOL closed down web hosting. Geocities, as noted above, is also closing, so I’ve bought a domain name and transferred my entire site there. Anyone who wants to see it can find it at http://BartonPaulLevenson.com. Go to the Cs to find my main climatology page.
Barton–
I wasn’t suggesting you were hacking or helping anyone hack! Sorry if I gave that impression.
What hackers/crackers do is upload scripts to a host (like RC) and modify files stored on the server. What they did at my site (and many sites actually) was inject a snippet of code at the end of every comment. The code triggered someone’s virus protection detector, and they told me. So, I found and removed it from every page on my blog (and my knitting blog.) It was a pain in the neck.
These sorts of scripts get uploaded at various sites and do various different things. Generally, they try to do things that are as inconspicuous as possible.
So, my theory was someone else uploaded a script that found every instance of “geocities” at RC then changed it to “geoci-ties”.
That’s what I meant by
If the script had been uploaded by a hacker, you would have no control and would know nothing about it. You’d just enter your author url, it would get changed. That’s why it would be necessary for the blog owner — not you– to do something.
Anyway, it sounds like you added the hyphen yourself, not knowing the result. So, the hacking/cracking didn’t happen.
Dear Lucia,
Thank you for your gracious reply.
Your logic is shockingly bad. The existence of hacking for profit does not really exclude the possibility that CA was targeted for ideological reasons nor does it discredit the idea that a series of events at a set of similar sites could be related.
A statement more becoming ‘The Blackboard’ would be some discussion of conditional probability. See also: http://en.wikipedia.org/wiki/Prosecutor%27s_fallacy
Laura–
I wasn’t suggesting that CA couldn’t have been targeted for ideological reasons. Tetris suggested that I was. I said that I doubted I was. My reasons were based on the specifics associated with the script injection attack here, not what happened at CA.
I agree that it’s not impossible that the script injection attack here was somehow ideologically motivated. But loads of unrelated sites suffered the exact same attack that happened here. So… I doubt it.
Re: Not Sure (Comment#15313) June 26th, 2009 at 10:30 am
“Lucia I think you mean “cracking” ,(1) not “hacking”.(2)”
Thank you. Don’t know why Lucia doesn’t get this. Perhaps we should start using some statistical terms incorrectly and see if she gets the point.
John G. Bell–
I understand the distinction you wish to make between cracking and hacking. However, I am in the descriptivist camp of language usage. All a’ y’all who want to insist that “hackers” are people who are skillful at writing codes while those who break into computers and systems are “crackers”, lost control of the definition some time ago.
You can find the various definitions here:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla:en-US:official&hs=ndH&defl=en&q=define:Hacking+&ei=eJBHSoHGHpW4NcjDyMwN&sa=X&oi=glossary_definition&ct=title
Sometimes, with language, you just can’t put the toothpaste back in the tube. If you need a word to specifically describe people who are skillful at banging out code, you are going to have to come up with another word. Or, deal with the fact that English is weird, and sometimes permits a word to have more than one meaning.
Well said. My sister is a linguist so I have heard the argument before. Squeeze away until naught is expressed.