Have you ever wanted to know what it takes to be a hacker? Well you’re in luck. I’m here to tell you. I’m going to give you a step-by-step guide to how I got myself reported to the Feds by a major university.
If you don’t already know, I recently received a threatening letter from the University of Queensland which, amongst other things, threatened a lawsuit if I showed anyone the letter. The letter also claimed (IP stands for intellectual property):
I can’t disclose the domain name of the site I supposedly hacked right now because a clever person could possibly use that information to find the data I supposedly stole. I can, however, tell you it was a super-secret site for the Skeptical Science group.
You see, a couple years ago, the secret forum on the Skeptical Science website was hacked. You can read all about it in a lengthy series of posts they wrote about it, starting here. It’s amusing as it spends tons of time painting a picture of hackers by saying things like:
It was February 20, 8:52 PM CET, the local time in Germany, when The German, or so I’ll call him, first hacked his way into the Skeptical Science web site. If it had happened in America in the nineties, beside his keyboard would have been a can of Coca Cola and a few Twinkies. I guess today the drink would be a Red Bull. I’m not sure what a German might choose.
I’m not sure why they focused so much on things like hackers’ dietary choices. Then again, we later find out they call the hacker “The German” even though they have absolutely no indication he has any connection to Germany. I wouldn’t bother trying to understand their reasoning.
Anyway, the important thing is after their secret forum was hacked, they moved their forum to a new, secret location: http://www.sksforum.org. This secret-secret forum stayed secret for a while because nobody cared. Then one day Skeptical Science published a post with a few links which included the secret-secret forum’s URL. I saw the domain name and decided to check it out.
There wasn’t much to see. There was just a login page with an image on it. The image happened to be located in the directory http://www.sksforum.org/images/. Out of curiosity, I went to that directory. I found a number of images. I didn’t think much of them at first. Then I saw an image of John Cook, owner of the site, photoshopped into a Nazi uniform:
That creeped me out. I was even more creeped out when I found there were other images which depicted the Skeptical Science team with similar Nazi imagery. Naturally, I told people about these images. Most people were either disturbed or amused by the images, but Skeptical Science representatives were upset. They claimed I had hacked them, saying things like:
It was flattering to know people think I have mad haxor skillz. To stroke my ego, I bragged all about how I did it. Later, I pointed out my skillz were enough to match even Google’s skillz as Google had found the same directory the same way I did, saving a copy for everyone to see.
With their secret-secret forum discovered and penetrated by a hacker, what could Skeptical Science do? It’s obvious. They had to create a secret-secret-secret forum. This one was used for a variety of things, such as doing “The Consensus Project” which lead to their famous paper finding a 97% consensus on global warming.
And it was secret. I mean, secret-secret. No wait, secret-secret-secret.
It was so secret they even registered the domain via a third-party company, Domain Privacy Group, so none of their information would be tied to the site. In other words, you could not possibly know the site was theirs.
Except they linked to it in their secret-secret forum. Repeatedly. That was a problem because anyone could view those links. You see, months back I noticed referral links from the secret-secret forum in my logs. They were in the form of, sksforum.org/thread.php?t=14499&p=18772. When I’d click on them, I’d be redirected to one of my own pages.
I quickly realized the links I was seeing were redirection links for the links people were posting in the secret-secret forum. I figured if I could see the ones going to my own site, I could probably see the ones going to other sites. I was right. Changing the number after p= resulted in a different redirection link. Not only that, but each new redirection link was one number higher than the previous.
That meant I could look at every external link anyone posted on the forum by repeatedly adding +1 to that value. I goofed off a bit and found things like:
But I lost interest pretty quickly. After a few months passed, I regained interest and decided to make a list of all those redirection links. I thought it’d be amusing to keep track of what the Skeptical Science team was linking to in their secret-secret forum. After all, it’s pretty silly to have a secret-secret forum while making information about what you’re discussing in the forum public.
Once I had my list, I looked through it. Most of it was dull, but I kept seeing one domain pop up over and over and over. Additionally, I noticed a lot of the links to it ended with things like “thread.php?t=1954&r=8#47354.” That was reminiscent of the links from the secret-secret forum. I checked the domain out, thinking it’d be hilarious if there was a secret-secret-secret forum. There was.
I didn’t access it though. I didn’t have any login information. An amateur might try brute-force guessing, but I’m too clever a hacker to resort to such a crude approach. Instead, I grabbed a can of Red Bull, scarfed down a Twinkie and got ready to write some awesome haxor code.
By which I mean, I looked at the list I had, found this entry:
And put it into my browser’s navigation bar. Lo and behold, this page appeared:
Since the page was publicly accessible, I decided to follow its links. I saved what I saw. And now, the Feds are coming after me. They’re going to shove a black bag shoved over my head, transport to some deep, dark hole into which I’ll disappear for all eternity, and the Skeptical Science team will create a new, secret-secret-secret-secret forum. This time they might even learn not to make pages publicly accessible if they want to keep those pages hidden.
In the meantime, you can be a l33t haxor like me too. The University of Queensland claimed I hacked “the site where the IP was housed.” The site where the data was stored is the site I found URLs for. All I did to that site was try a few pages to see if it’d let me access any. I’m confident you could do that too.
In fact, I think you already have. I’m sure at some point in your life you rose to the level of a stupid script kiddie and copied the URL of a site. I bet you’ve gone beyond that though. I bet you managed, at some point in your life, to rise to the level of true haxor and pasted the URL of a site into your navigation bar.
But I have an inkling you’ve gone beyond that. The inkling is small, but it tells me at some point you became truly l33t and hit the Enter button.
Be careful. The Feds might come after you next.
If people had theme songs, I’d say this would be the one for the people accusing me of hacking: