Climate Science Glossary

Term Lookup

Enter a term in the search box to find its definition.

Settings

Use the controls in the far right panel to increase or decrease the number of terms automatically displayed (or to completely turn that feature off).

Term Lookup

Settings


All IPCC definitions taken from Climate Change 2007: The Physical Science Basis. Working Group I Contribution to the Fourth Assessment Report of the Intergovernmental Panel on Climate Change, Annex I, Glossary, pp. 941-954. Cambridge University Press.

Home Arguments Software Resources Comments The Consensus Project Translations About Donate

Twitter Facebook YouTube Pinterest

RSS Posts RSS Comments Email Subscribe


Climate's changed before
It's the sun
It's not bad
There is no consensus
It's cooling
Models are unreliable
Temp record is unreliable
Animals and plants can adapt
It hasn't warmed since 1998
Antarctica is gaining ice
View All Arguments...



Username
Password
Keep me logged in
New? Register here
Forgot your password?

Latest Posts

Archives

Skeptical Science hacked, private user details publicly posted online

Posted on 25 March 2012 by John Cook

Sometime over the last few days, the Skeptical Science website has been hacked. The hacker has taken much or all of the Skeptical Science database, zipped various excerpts into a single file, uploaded the file onto a Russian website then linked to the zip file from various blogs. While we are still attempting to verify the authenticity of the file, initial scans seem to indicate the hacker has included the entire database of Skeptical Science users. Access to the full database (which includes private details) is restricted only to myself and I am the only one with access to all of the raw data - this fact alone indicates that this breach of privacy came in the form of an external hack rather than from within Skeptical Science itself.

Of great concern is the fact that the hacker has published personal details such as emails and IP addresses of each user. Many users for various reasons have posted under pseudonyms and the Skeptical Science Comments Policy forbids cyberstalking. Consequently, that the private details of every Skeptical Science user has been stolen and publicly posted is a deeply regretable and unfortunate occurence.

Although user passwords are encrypted in the database, it is unknown whether the hacker has been successful in decrypting passwords. As a safeguard, it is highly recommended that everyone update their user passwords. You can do this via the Update Profile form.

Rest assured, we are working hard to upgrade Skeptical Science's security in order to more robustly protect users' private details. We are also in the process of soliciting legal advice on these matters and contacting the appropriate authorities. We would like to thank those who have come to us with information about this hack and those who have decided against spreading the aforementioned files (e.g. Anthony Watts). We all believe that protecting the privacy of individuals is of the utmost importance and we would hope that all illegally obtained documents and files are removed from uploaded servers and disposed of. 

UPDATE: Anthony Watts has since reneged on his pledge to not use illegally stolen private correspondance and has posted excerpts on his website.

0 0

Bookmark and Share Printable Version  |  Link to this page | Repost this Article Repost This

Comments

1  2  3  Next

Comments 1 to 50 out of 133:

  1. John, this is sad news, but as a webhosting provider for 15 years it is my field of expertise and would be happy to help for free.
    0 0
  2. I tried to change my name by clicking on Update Profile form.
    I got an error message "That username has already been taken".

    I don't understand why anybody would do somtething like this. Afterall, everything we posted is public. Reposting anything I wrote on a russian website doesn#t make any sense.
    0 0
  3. Changing password via 'Update Profile Form' just worked for me.

    I think it's just another form of harassment.
    0 0
  4. It's just another skirmish in the climate wars just giving more credibility to the AGW case because of frightened fossil fuel interests.
    Either that, or just the usual Russians hacking for email lists. In either case, I have no fear, but others might.
    0 0
  5. Anyone else wondering if there is a connection to the CRU hack here?

    Given that this is a public discussion board the only 'benefit' the perpetrator(s) could hope to gain from this would be harassment of the site participants. Maybe 'behind the scenes' discussions about the administration of the site. Are the deluded and the deluders really that hard up for new material? They seemed to be doing 'just fine' churning out a constant stream of mindless arguments against reality.
    0 0
  6. SkS has proven to be too good at debunking. I was assuming you were always a target. I wonder if it'll end up in the hands of the delightful Delingpole and Watts as per climatenongate. I'm sure some brave denier will step forward and confess. :-))
    0 0
    Moderator Response: [Riccardo] Anthony Watts is explicitly mentioned in the post as not willing to spread the stolen files. Let's be fair.
  7. From what I understand it's being referred to in the blogosphere as a 'breach of a security hole' at SKS. And blogs are talking about SKS's internal "The Consensus Project" in an unflattering way.
    Make sure you're using the latest version of your blogging software (ie; Wordpress, etc).
    0 0
    Response: [JC] The "breach of security hole" is a falsehood provided by the hacker, trying to deflect from the illegal activity of hacking a website and publishing private details online. The entire user database was dumped. That is only possible via hacking or if one has the database password. Only I have that.
  8. Some nasty people out there, I too would suspect the same hands as with the CRUhack. This does not come as a surprise. Keep up the good work which is obviously perceived as a threat.
    0 0
  9. Having just read that Anthony Watts is not posting the link I retract and apologise for my slight to him (post 6).
    0 0
  10. 'Hacking' and 'breaching a security hole' are synonymous. Someone found a way to get around the SkS website security. The 'unflattering' things being said seem pathetic even by usual denier standards. They committed a crime for this? Really?

    Though reading the hacker's bizarrely delusional words (i.e. "This is an anonymous leak per the standard, but I will consider stepping bravely forward if I get caught.") I suppose I shouldn't be surprised about their bizarrely delusional actions.
    0 0
  11. John, thanks for all the work to keep the credible, peer-reviewed science on climate change in the forefront. Have changed my password as suggested.
    0 0
  12. #2 Martin, as the post says, some people chose to remain anonymous. With private information publically posted on the internet, they might not be any more.

    We've already seen that those hostile to climate science are willing to use crime, harrassment and intimidation.


    And thanks to Anthony Watts for doing the right thing.
    0 0
  13. I find it odd that they constantly try to get access to private information and then try to use that to smear people involved or attempt to undermine the science. As hacking software is taking a real risk and crossing a significant line.

    So with this I'll be waiting for some of the usual suspect to try to data mine the information and use it for just that. Although I'm pleasantly surprised by Watts not linking to the information.
    0 0
  14. The only part I'm concerned about is the spam mail that will inevitably hit my inbox as a result of this. I've already had some lovely threatening emails of late.

    Most of the blog talk is even less informed than usual. Clearly they haven't been moderators on forums before.
    0 0
  15. I don't think SKS is the only site on its server (or servers), so the entry point could have come through many other vectors. An sql injection attack may have allowed admin access to the website, and allowed uploading code that could browse the server with the webserver's permissions and reveal db passwords of all the sites and dump them and site contents to a remote machine.
    (Servers rarely have firewalls on outgoing traffic)

    Alternatively if any users account on the system was compromised via an ssh/ftp brute force attack, or via a keylogger trojan on their home machines, and the site isn't using suPHP to compartmentalize apache access, and could access any other world readable file belonging to other users' sites in the server's docroot, then that could reveal a db password if the server is not using suPHP to separate users' sites.
    If the hacker managed to get a shell account and if the kernel was old and yielded to a root exploit then they could have obtained ownership of the machine, and therefore ownership of all the sites and their databases.
    If root access was ever obtained, then nothing in the operating system can be trusted anymore, and needs wiping and reinstalling as it could just present the illusion of being your server (ala The Matrix)

    If SKS was the only site on the server then it could appear to be targeted, but if the server is shared then it seems more likely that it's just another random victim in the same way that hundreds of thousands of sites are broken into every year to provide email addresses, identity theft, proxy services and run as botnet controllers.

    Forensics should determine what happened, if they couldn't erase the logfiles.
    0 0
  16. Desperate people seeking desperate measures. We got nothing to fear. They can threat/spam all the want. I got enough spam already. Thanks google for throwing it away!
    0 0
  17. They won't get much joy from spamming my email address... it's been harvested to death for the last 15 years, and still going strong... I reported 300,000 spam messages to spamcop just since December!
    0 0
  18. People tend to use the same password for several different services. Having it hacked might be a problem.
    0 0
  19. An unfortunate event certainly, and quite possibly the work of the same individual or group that initiated the Climategate hack. If that is the case, their desperation is sad indeed. It is to his credit that Anthony Watts is refusing to link to the site, and we'll have to see how others in the skeptical side of things respond. What is most absurd of course is any notion that anything could be gained by such a hack, as though there were any secret "warmist" communications to be revealed. Nature is revealing quite plainly the anthropogenic effect of human activity on the planet, and try as they might, deniers have less and less wiggle room to spin their fantasy. This absurdly warm March over much of North America, stretching from Mexico all the way to the edge of the Arctic iperhaps has turned the heat up on certain groups to launch personal attacks as the facts and science continue to not support their denialist position.
    0 0
  20. 19 R Gates - America is just America, less than 2% of the globe. The heatwave looks spectacular, but could it be just the weather?

    Seems a bit early to say, until some does the proper analysis.

    But perhaps what is relevant is that it affects public understanding and what the media say. A March heatwave is reasonably annoying for climate science opponents, if we were getting the same anomalies at the height of summer though it would probably be a public relations disaster for them.
    0 0
  21. Technical Question, were the passwords stored in plaintext, or did the hackers just get the hashes that they will then have to crack offline?
    0 0
  22. I wonder if this hasn't been happening for a while. I use unique e-mail addresses within my domain for accounts such as this. I started getting spam on the address I was using for this site so changed it at the end of January. Trawling though my spam buckets seems to show that the earliest message was for 2012-01-22 but actual messages might have started earlier - that might have been when I cleared things out (I do so every few months). Filters now changed to watch a bit more carefully for spam on all the addresses I've ever used for this site.

    Of course, it's possible I've leaked the address myself somehow but it seems unlikely as it's "receive only".
    0 0
  23. @Paul from VA: the post says “Although user passwords are encrypted in the database, it is unknown whether the hacker has been successful in decrypting passwords.”
    0 0
  24. If they are just unsalted MD5 passwords, 8 character alphanumeric passwords can be cracked in minutes using a GPU. They can, wait for it, run 100 billion attempts per second. As all accounts are tested practically simultaneously against the test hash, thousands of weak accounts are cracked in mere seconds.
    Salted hashes take much much longer, but any hash collision would produce a valid password.

    Bigger hashes such as SHA256 or SHA512 using a salt are currently practically impossible to crack.

    Medieval technology usually works much better on the soft and squidgy human owner!
    0 0
  25. Mark R.,

    I agree that it is the N. American March heat wave could be seen as "just weather" but such extreme record shattering warm events are consistent with the general trends expected over the coming years, decades, and centuries. Such events are Anthropocene weather. The human fingerprint is everywhere on the planet, and while of course there is always natural variabilty, it is impossible to any longer separate out those "just weather" events that do not contain some anthropogenic influence. This is true on both the micro and macro climate scales. The day in and day out weather of the planet exists under the Anthropocene background. It is all Anthopocene weather.
    0 0
  26. Whenever it suits his purposes, Anthony Watts/WUWT has not scrupled to leak unilaterally leak personal information regarding WUWT posters.

    That is why pronouncements regarding ethics from Anthony should be discounted entirely.
    0 0
    Moderator Response: [Dikran Marsupial] This is a poor way to respond to Anthony Watt's responsible and ethical stance on this issue. Please, no more of this sort of thing.
  27. Anthony Watts immediately notified us when the hacker tried to post the stolen information on WUWT, and has not allowed it to be posted, so he deserves credit for doing the right thing. Unfortunately a couple of other blogs have allowed their dislike of SkS to trump their ethical standards.
    0 0
  28. A little while ago the only other account I have that shared both my name and my old SkS password wouldn't log me in. I was quite puzzled about the strangeness of it, but I was able to reset using the 'forgotten password' function - the email address hadn't changed.

    It seems that I now I have a reason to explain that oddity...

    And this isn't the first time that I've had accounts do this after a site hack. Fortunately, after the first time I changed most of my log-in type accounts so that each had a unique combination of ID and password.

    I note that at least one hard-core Denialist is leaving the links (and updates) on his blog. It seems that the Denialati have very quickly forgotten their righteous words of umbrage after Peter Glieck's scoring of material from the Heartland group - and this hack is much more clearly illegal, and in many more ways.

    Ah, the stinking hypocrisy.
    0 0
  29. EVERYONE is very strongly advised to immediately change their password to something unique to this site, and to change passwords on any other site where you used the same password as this one (and don't ever, ever do that again, because once one site is hacked they can go everywhere if you used the same password).
    0 0
  30. I would like to add my own voice to others in thanking Anthony Watts for not posting the hacked information.
    The hacker has caused some inconvenience, but has not found anything of value in the scientific debate. Facts, properly evaluated, cannot be outweighed by private conversations.
    As to the heatwave in America: it isn't local weather. Here in the UK we are also experiencing unseasonaly hot weather, as reported by the Guardian.
    0 0
  31. Thanks for notification of this... this is terrible news and I hope the cuplrits are discovered soon.

    As per your advice I've changed my details.
    0 0
  32. I would also like to thank Anthony Watts and the other bloggers who have refused to share the links; it is greatly appreciated. I hope the hacker draws the conclusion from their response that his or her actions were not in any way justifiable, especially revealing contributors private details, that was absolutely reprehensible.
    0 0
  33. Luckily, I'd used a different password here--now changed per the update form.

    Other than that, I don't much care; anyone who spends a little time can find my real name and location.

    Which, of course, doesn't make the violation any less unethical--especially since others here may have reason to feel quite differently on this issue than I do.
    0 0
  34. No spam or unexpected emails in my inbox from this, but profiles changed just in case.

    Apart from risks of harassment, due to private email addresses being exposed, there is also the possibility that the perpetrators just wish to scare people away from participating in SkS. Those that have chosen to participate anonymously (or pseudonomously) may not feel comfortable with the idea that their personal or work lives are at risk.

    Clearly, someone in the denialsphere is looking at SkS as "the enemy". This is the result of someone that considers SkS to be a serious opponent, so I hope that all contributors continue to participate.
    0 0
  35. "The only thing we have to fear, is fear itself!"
    0 0
  36. Whatever the hacker's motive, the net result will be to make the all-volunteer SkS athor team even more commited to its mission.
    0 0
  37. Password changed just fine. Thanks. I'm not worried about spam as that's my throwaway email address.

    Good on Anthony for his refusal to host the stolen material. That's two complimentary things I've heard about him today from sites that have challenged some of his posts in the past.
    0 0
  38. Oh, good. I miss all the hate mail I used to get when Tim ball unsuccessfully sued me and my University for a million denier dollars. dan.johnson@Leth.ca
    0 0
  39. I'm sure there are people pouring over the comments looking for the information that links SkS to Maurice Strong, the Rothchild's, Al Gore and other sources of massive funding. They're going to be sorely disappointed.
    0 0
  40. 'Breaching a security hole' is a delightful euphemism. Let's insist it be called what it is: This is theft, a crime in most places. Anyone receiving these stolen goods is just as criminal.
    0 0
  41. Well, wasn’t that ethical of them.

    John and the rest of you here – after you are done feeling outraged, disgusted, violated and inconvenienced - you should take it as a complement IMO.
    0 0
  42. Might be a good idea to send out an email to all members with a heading other than "skeptical science posts", as I tend to regard these emails as non-urgent, to be checked at leisure. It'd be good to send a message with a heading like "Skeptical science user details hacked" so that you catch everyone's attention quickly!

    I certainly won't be backing off, and very much doubt that anyone else will be either. I'm impressed by the display of integrity by Anthony Watts ... I only hope that perhaps he'll start to see just how low his "side" have sunk, and that perhaps he considers his position on other matters with similar care.
    0 0
  43. arch stanton @41 - I personally view it as a compliment that the hacker felt SkS was important and influential enough to be worth hacking!
    0 0
  44. I also feel bad that this event has overshadowed Peter Hadfield's excellent Monckton debate video. Please everyone, don't forget about that post!
    0 0
  45. Password changed successfully.

    I do hope the denial crowd spend hours and hours trawling through every comment on SkS. You never know they might learn something!
    0 0
  46. I am annoyed, but sadly not very surprised, that Skeptical Science has been hacked. The better you are, the higher profile target you become for those who disrespect climate change science, it seems.

    It continues to appall me that somebody with such excellent information technology skills should use them for such a worthless and destructive activity. It appears that sabotage is the last resort of those who are losing the academic argument, or who have the most to lose from the policy decided on the basis of climate change science, because of their stocks and share holdings in mining and energy.
    0 0
  47. My Profile won't let change my password. It says:
    ----------------------------
    Profile Update Error

    Your update wasn't completed because one or more errors occurred. Please resubmit after making the following changes:

    That username has already been taken

    ----------------------------

    any suggestions?
    0 0
  48. @chris #47

    This worked for me. Maybe it can work for you too ?

    I used the "Forgot Password" option, and then got an email with the password in, and was able to login and then change my password via the Update Profile form :-

    http://www.skepticalscience.com/profile.php?a=updateprofileform

    You might want to refresh your browser cache before trying any of this.
    0 0
  49. Without naming names, the two guilty parties thus far who have (without pause) posted links to people's personal and private information that was obtained illegally by hacking, appear to be representative of a larger group of "skeptic" blogs and groups who have an agenda against climate scientists and science in general.

    It is unfortunate that some "skeptics", seemingly unable to make substantiated and scientifically based counter argument to the theory of AGW, are forced to engage and endorse criminal behaviour. To me these desperate and extreme efforts underscore the vacuity of their arguments and that this is absolutely no longer about the science (or scientific integrity) for most "skeptics" and those who deny the theory of AGW, but rather them pursuing an ideologically-driven agenda. Some might go so far as to say that the hacking of CRU and now SkS is tacit admission by the "skeptics" and those in denial about AGW are losing.

    Continually refuting the constant barrage of misinformation and deception from "skeptics" is tiresome (bit necessary) and it takes much more time and effort to refute a myth than "skeptics" spend fabricating them. The sheer volume of misinformation that is being disseminated by "skeptics" and contrarians is one of the reasons that SkS needs a team of volunteers.

    I have no doubt that this latest hack will only strengthen the resolve of John Cook and his team to continue standing up for the science and the pursuit of truth.

    Thanks everyone here for their kind words and support, and thanks to Anthony Watts for taking the high road.
    0 0
  50. I am glad John announced this, and a little curious just what "persona details" the hackers think they can get. As others have already speculated, emails have some value (they can be resold to spammers). But I am little more concerned if those "personal details" include passwords. Hackers could then use that to try to see if any users have used the same password somewhere else, for their login to a site with more interesting, e.g. financial data.

    Or it could be just an attack on the site for its position on AGW, which has made a lot of powerful enemies out of certain unscrupulous organizations and people.

    As for its being on a Russian site, there are two things we must not forget about today's post-Soviet Russia: 1) entire generations have been brought up to admire not civic leaders, not politicians, do-gooders or capitalists, but the Mafia and the Mafia-like structure of the KGB 2) there really are huge criminal networks of hackers taking advantage of loose law enforcement in Russia to run their hacking from there. This hacking is not the casual hacking of bored teenagers, it is very focused on criminal intents.

    Like Sphaerica says, we should change passwords and retire the one used on this site.
    0 0

1  2  3  Next

You need to be logged in to post a comment. Login via the left margin or if you're new, register here.



The Consensus Project Website

TEXTBOOK

THE ESCALATOR

(free to republish)

THE DEBUNKING HANDBOOK

BOOK NOW AVAILABLE

The Scientific Guide to
Global Warming Skepticism

Smartphone Apps

iPhone
Android
Nokia

© Copyright 2014 John Cook
Home | Links | Translations | About Us | Contact Us