Don’t Look at The Material We Post!

As most of you know, I came across hidden data for the infamous Skeptical Science paper claiming to find a 97% consensus on global warming. The Skeptical Science team claims I did this by hacking them, publicly accusing me of having committed crimes. Today we have a fun demonstration of how stupid that claim is.

If you haven’t seen it already, I’ve previously explained exactly how I came across the material I found. Collin Maessen of Skeptical Science accused me of lying about it, but he refused to say what it was I said that was untrue (or incomplete). Instead, criticisms of me have rested on the idea that the way I got the data was a:

hack… that exploited a security hole to gain access to proprietary data used for the Cook et al. paper

The issue is the Skeptical Science team had a super secret domain named http://www.welloiledcatherd.org. If you tried to access it, you were presented a login screen. I obviously didn’t have an account or password there, so I couldn’t log in.

However, that login screen was only presented for certain parts of the website. Other parts of the site were openly accessible. For instance, if you went to the link:

http://welloiledcatherd.org/docs/coming-out-of-ice-age-volcanoes.pdf

You would be given a .pdf file without logging in. You wouldn’t be able to find a link to this file on the site since you couldn’t log in, but people could give you the link so you could look at the file. This sort of behavior is common. Many sites require logging in for most things but allow some material to be shared like this. Today, we have compelling evidence that’s exactly what they intended:

[Screenshot: 8-19-login]

This screenshot was taken earlier today by a user trying to access a new post on the Skeptical Science website. He had been directed to the post by a link on Twitter promoting the post. It was clearly intended for public access. Despite that, he was given a login prompt, not for http://www.skepticalscience, but for http://www.welloiledcatherd.org. Why? Because the post’s code included this:

[Screenshot: 8-19-woch]

That’s the code used to display Figure 4 of the post. Its link is to an image hosted at http://www.welloiledcatherd.org. Because it is hosted there, anyone loading the page would have to access http://www.welloiledcatherd.org to see it. We can’t see it now, of course. After my “hack” they added a new security process which requires logging in to access any material there (the browser’s request for the image now gets that login challenge, hence the popup box).

However, if not for my “hack,” that new security wouldn’t have been added. Everyone reading this post would have been able to see the figure despite it being hosted on a password protected website. Everyone visiting this page would have “exploited a security hole” to view an image.

That is, by visiting a post prominently displayed on the Skeptical Science website, publicly advertised by Skeptical Science team members, you could have “hacked” them just like I did.
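To make the two mechanisms concrete, here is an added example in Python, not code from this post or from Skeptical Science. It models a toy file host two ways: with login required only under certain URL prefixes (so a direct link to a /docs/ file is served to anyone, as described above), and with login required for everything by default (the behaviour after the change). It then scans a constructed stand-in for the public post’s markup, finds the image embedded from the protected host, and reports the status an anonymous visitor’s browser would receive for it: 200 under the old policy, a 401 challenge under the new one, which is exactly what produces the login popup. Everything other than the welloiledcatherd.org host name, including the paths, credentials, file contents and the sample HTML, is made up for the example.

```python
"""Added example (not the post's or Skeptical Science's code): prefix-based
versus deny-by-default authorization on a toy static host, plus a check of
which resources embedded in a public page would trigger a login challenge.
All paths, credentials, file contents and sample HTML are constructed."""
import base64
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED_HOST = "www.welloiledcatherd.org"
VALID_CREDENTIALS = ("editor", "hunter2")   # assumed HTTP Basic credentials

# Constructed contents of the toy host, keyed by URL path.
FILES = {
    "/docs/coming-out-of-ice-age-volcanoes.pdf": b"%PDF-1.4 placeholder",
    "/images/figure4.png": b"\x89PNG placeholder",
    "/members/index.html": b"<html>members only</html>",
}
LOGIN_REQUIRED_PREFIXES = ("/members/",)   # policy A: login only under these
PUBLIC_ALLOWLIST = frozenset()             # policy B: nothing public unless listed


def needs_login(path, deny_by_default):
    """Policy A checks a prefix list; policy B requires login unless allowlisted."""
    if deny_by_default:
        return path not in PUBLIC_ALLOWLIST
    return path.startswith(LOGIN_REQUIRED_PREFIXES)


def basic_header(user, password):
    """Build the value of an 'Authorization: Basic ...' request header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_ok(authorization):
    """Validate an 'Authorization: Basic <base64(user:pass)>' header value."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return (user, password) == VALID_CREDENTIALS


def handle(path, authorization=None, deny_by_default=False):
    """Return (status, headers, body) for a GET on the toy host.

    Authorization is decided before existence is checked, so under policy B
    an anonymous client cannot even learn which paths exist."""
    if needs_login(path, deny_by_default) and not credentials_ok(authorization):
        # A 401 plus WWW-Authenticate is what makes a browser show a native
        # login popup for the host the resource came from.
        return 401, {"WWW-Authenticate": 'Basic realm="welloiledcatherd"'}, b""
    body = FILES.get(path)
    if body is None:
        return 404, {}, b""
    return 200, {"Content-Length": str(len(body))}, body


class _SrcCollector(HTMLParser):
    """Collect src= URLs from tags a browser fetches automatically on page load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def embedded_challenges(page_html, deny_by_default=False):
    """Simulate an anonymous visitor loading the page: for every embedded
    resource on the protected host, return the status the browser would get."""
    parser = _SrcCollector()
    parser.feed(page_html)
    results = {}
    for url in parser.urls:
        parts = urlparse(url)
        if parts.hostname == PROTECTED_HOST:
            status, _, _ = handle(parts.path, None, deny_by_default)
            results[url] = status
    return results


# Constructed stand-in for the public post's markup (not the real page).
PUBLIC_POST_HTML = """
<p>Figure 4:</p>
<img src="http://www.welloiledcatherd.org/images/figure4.png" alt="Figure 4">
<img src="http://public.example.org/pics/figure3.png" alt="Figure 3">
"""

if __name__ == "__main__":
    for path in FILES:
        print(path, handle(path)[0], handle(path, deny_by_default=True)[0])
    print(embedded_challenges(PUBLIC_POST_HTML))
    print(embedded_challenges(PUBLIC_POST_HTML, deny_by_default=True))
```

The practical checks are the two ends of this: on the host side, authorization that is attached to a list of prefixes leaves everything not on the list open to anyone holding a link, so protected hosts should deny by default and allowlist the few public paths; on the publishing side, a page meant for the public should be scanned for embedded resources on login-protected origins before it goes out, because every visitor’s browser will request them.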


Of course, the user who alerted me to this isn’t the only one who noticed it. It didn’t take long for a commenter at Skeptical Science to point out the problem, after which it got fixed. However, you can see the original version in the Wayback Machine.


6 comments

  1. The SkS crush crew may have a problem trying to make out that your access was criminal. During their investigation of the Silk Road market the FBI found that one of the page elements on the login screen was ‘phoning home’ directly, rather than going through Tor, revealing the real IP address of the server. The FBI has explicitly characterized this as “using perfectly lawful means”.

    http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server/

  2. Throgmorton, a number of people are talking about that now. It’s really not that relevant. Basically, all the FBI did was look at where the things being sent to them came from. As it happened, one component of the website was not configured to direct traffic through the Tor network. A person using the website in a normal fashion could have seen the same information the FBI saw.

    The story is mostly interesting for what it shows about anonymity. One small component of the guy’s server didn’t use the Tor network, and that’s all it took. He’ll probably wind up in jail because of such a small configuration issue.

  3. It is significant in how it impacts on the definition of ‘unauthorized access’. The default presumption before this was that any access which was not anticipated by the host and explicitly part of the public API of a site could be considered to be against the terms of use and even a prosecutable offense. This is the basis of the SkS legal threats. They didn’t anticipate that anyone could reach their secret lair, despite their proven track record of relying on ‘security through incompetence’. The FBI has just blown their case out of the water.

  4. Throgmorton, that’s not true at all. The FBI didn’t have to do anything to gain access to the IP address information in question other than go through the normal process of creating an account and logging in. Any user of the site would be given the exact information the FBI used to find the server. The FBI just happened to use it while most didn’t pay any attention to it.

    Using the site in the specifically intended way gave the FBI the information it obtained. That’s not comparable.

  5. I see your point. Though the FBI admit that they did have to jig around a bit to trigger the element into making that call. They were giving the tree a good shaking to see what would fall out. A common hacker strategy. I was under the impression that this was an exception which would not have occurred under normal use. Otherwise it would have been quickly caught in the server logs.

    Incidentally, Cook, Mashey, Honeycutt and other slightly more anonymous members of the Crush Crew have appeared on reddit: “I am a scientist”. Ha!

    http://www.reddit.com/r/IAmA/comments/2ftwt1/iama_scientist_who_wrote_the_study_finding_97/

  6. They didn’t have to “jig [anything] around a bit to trigger the element into making that call.” The call was made automatically as part of the normal registration/login process. An FBI tech specifically said so in his affidavit, pointing out any regular user would have been presented the same information.

    This was not an exception. It was something which would necessarily have happened under any normal use of the site.
