Skeptical Science, Hacked or Just a Hack?

Skeptical Science author Bob Lacatena wrote a 2,500 word post discussing the hacking of their web site two years ago. About the only kind of hacking he described is his own as his comments prove he is a hack. He has no idea what he is talking about. Why should you believe me, you ask? That’s simple: I hacked Skeptical Science.

Bob Lacatena writes 600 words before saying anything actually relevant to the supposed hacking. 600 words before finally writing:

To mask his identity, [the hacker] fired up a Tor browser.

Don’t bother asking what a “Tor browser” is. Bob Lacatena never says. Instead, he writes 300 words which sound like a bad high school research project on Tor. That is “Tor,” not a “Tor browser.”

Tor is software and a network which allows users to anonymize internet traffic. It can be used with almost any internet communication. That includes command line tools, messaging programs and yes, internet browsers. A “Tor browser,” on the other hand, is just an internet browser bundled or packaged with Tor for convenience. There is no way to know a person actually used a “Tor browser” rather than simply using Tor.

A minor issue? Perhaps. However, that ten word sentence is the only meaningful information Lacatena offers about this hack. After his hundreds of words discussing what Tor is, he says:

Safe in his room, buried under layers of onions, focused on his screen, probably with a caffeinated drink and a snack beside his keyboard on his desk, the hacker comfortably and earnestly began his work.

More than a month passed, certainly not uneventfully, but without any knowledge on our part that we’d been hacked.

What happened to the hacking? One minute the hacker “fired up a Tor browser” and “began his work.” The next minute they’d “been hacked.” We never find out what happened in between. We just get more than a thousand more words telling us nothing of value and a, “To be continued…”

Fortunately, Bob Lacatena responded to several comments left on his post. The relevant one for this post came when a user asked if Skeptical Science could block Tor. He responded:

Yes to blocking Tor IP addresses, and many web sites do, but building the map is a huge task. Generally you have to pay to get a good Tor IP list, or you can get a less reliable and complete list for free. Just google it.

This answer is wrong in almost every way. To demonstrate, let’s take his advice and “google it.” The first hit I get is a web site where a user asks if it is possible to block Tor. He’s promptly told how to get “a good Tor IP list.” As the answer shows, if one wants to get a list of IPs to ban for Skeptical Science, they could just use this URL. It’s free, updated regularly and is complete. It’s also easy to find via the Tor website’s Abuse FAQ page. All anyone needs to do is plug in the IP address of whatever they’re interested in protecting.

And what about it being easy? My fourth hit is to a post by the blogger lucia discussing how she bans Tor. As she says, it’s “trivially easy.” The reality is you can block Tor and keep your block up to date with only a dozen lines of code. I can write the code from scratch in fifteen minutes.
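The block-and-refresh logic described above, as an added example (not code from this post or from lucia's post): it assumes the exit list is plain text with one IP address per line, and the sample addresses, function names and six-hour refresh interval are constructed for illustration. It matches only addresses on the loaded exit list, so other proxies are outside its scope.

```python
import ipaddress
import time

# Constructed sample in a one-address-per-line shape (assumed list format).
# Addresses come from documentation ranges (RFC 5737), not real exits.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real Tor exits
192.0.2.10
198.51.100.7

203.0.113.55
not-an-ip
"""

MAX_AGE_SECONDS = 6 * 3600  # assumption: refetch the list every six hours


def parse_exit_list(text):
    """Return a set of address objects, skipping blanks, comments and junk."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one malformed entry must not break the whole refresh
    return exits


def normalize(client_ip):
    """Parse a client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_tor_exit(client_ip, exits):
    """True if the client address is on the loaded exit list."""
    try:
        return normalize(client_ip) in exits
    except ValueError:
        return False  # unparseable address: leave it to other checks


def needs_refresh(fetched_at, now=None):
    """True once the cached list is older than MAX_AGE_SECONDS."""
    now = time.time() if now is None else now
    return now - fetched_at > MAX_AGE_SECONDS


EXITS = parse_exit_list(SAMPLE_EXIT_LIST)
```

In a real deployment `parse_exit_list` would be fed the body downloaded from the list URL whenever `needs_refresh` returns true, and `is_tor_exit` would run on each request's source address.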

Bob Lacatena’s screwup of claiming to know the hacker used a “Tor browser” isn’t incidental. He clearly doesn’t know much about Tor. He thinks you have to pay to get a list of IP addresses to block for his site when you can get it just by looking on the Tor website. He thinks blocking Tor “is a huge task” when it can be done in 15 minutes. Most troubling, he thinks telling people to “google it” will support his view when in reality 30 seconds with Google proves his excuses wrong.

There’s a lot more wrong with his post, and I’ll discuss that over the next few days. For the moment, I just want to point out Bob Lacatena’s post is uninformative and written by a hack unsuited for such a topic. Thus far his explanation is nothing more than:


Which fits the attitude described in this completely out of context quote from him:

my attitude has always been that the less people know about things, the better

And if you need a reason to trust my knowledge of hacking, just remember, I hacked Skeptical Science. They said so.



  1. Tasty! But surely those are better served with wine than a “caffeinated drink.” Given the putative nationality, likely a Riesling, I should think. 🙂

  2. I wouldn’t call them “techno illiterate.” They seem competent at any number of things involving technology.

    The problem I see is one common amongst even adept programmers – they don’t understand security. It’s not about code, procedures or techniques. It’s a fundamental lack of understanding. And because they don’t understand it, they have to create narratives to explain the things that don’t fit their views.

    It’s similar to how many people treat groups with wildly different views. People often don’t understand how someone could not agree with them so they come up with stories and fantasies to explain it away.

    At least, that’s how it appears to me right now.

  3. What is “trivially easy” is getting around IP bans of any kind and I can still access her site using Tor or any of the thousands of proxies none of you know about. Black listing never works and never will.

    Skeptical Science are computer illiterates above and beyond, they also thought the liberal arts major Mosher was behind Climategate.

  4. Your knowledge of networking security appears to be lacking since you waste people’s time on black listing nonsense that can be circumvented in seconds. Using CloudFlare though is good advice, it just helps if you are a site that matters.

    Explain to me how I can access Lucia’s site at will from proxies or Tor?

  5. You sound silly when you insult a person based upon nothing but delusions. I haven’t black listed anything.

    And quite frankly, I don’t believe a word you say about lucia’s site. You’ve made things up about her far too many times.

  6. Poptech, you said I “waste people’s time on black listing nonsense.” There is nothing in that sentence which implies you’re talking about advice I give rather than an action I take. That’s especially true since it’s just as delusional to claim I’ve advised anyone to blacklist things as to say I’ve blacklisted them myself. I’ve done neither. I don’t think anyone is going to fault me for not realizing your unclear sentence was a reference to one delusion you hold rather than another.

    In any event, I have no idea what to make of your ridiculous argument you’ve proved you can comment at lucia’s web site via Tor or another proxy when all you’ve done is link to a comment you made at her site. Even if you did what you claim, your link does nothing to prove it. All it proves is you can make a comment at her site.
