Skeptical Science author Bob Lacatena wrote a 2,500 word post discussing the hacking of their web site two years ago. About the only kind of hacking he described is his own as his comments prove he is a hack. He has no idea what he is talking about. Why should you believe me, you ask? That’s simple: I hacked Skeptical Science.
Bob Lacatena writes 600 words before saying anything actually relevant to the supposed hacking. 600 words before finally writing:
To mask his identity, [the hacker] fired up a Tor browser.
Don’t bother asking what a “Tor browser” is. Bob Lacatena never says. Instead, he writes 300 words which sound like a bad high school research project on Tor. That is “Tor,” not a “Tor browser.”
Tor is software and a network which allows users to anonymize internet traffic. It can be used with almost any internet communication. That includes command line tools, messaging programs and yes, internet browsers. A “Tor browser,” on the other hand,” is just an internet browser bundled or packaged with Tor for convenience. There is no way to know a person actually used “Tor browser” rather than simply using Tor.
A minor issue? Perhaps. However, that ten word sentence is the only meaningful information Lacatena offers about this hack. After his hundreds of words discussing what Tor is, he says:
Safe in his room, buried under layers of onions, focused on his screen, probably with a caffeinated drink and a snack beside his keyboard on his desk, the hacker comfortably and earnestly began his work.
More than a month passed, certainly not uneventfully, but without any knowledge on our part that we’d been hacked.
What happened to the hacking? One minute the hacker “fired up a Tor browser” and “began his work.” The next minute they’d “been hacked.” We never find out what happened in between. We just get more than a thousand more words telling us nothing of value and a, “To be continued…”
Fortunately, Bob Lacatena responded to several comments left on his post. The relevant one for this post came when a user asked if Skeptical Science could block Tor. He responded:
Yes to blocking Tor IP addresses, and many web sites do, but building the map is a huge task. Generally you have to pay to get a good Tor IP list, or you can get a less reliable and complete list for free. Just google it.
This answer is wrong in almost every way. To demonstrate, let’s take his advice and “google it.” The first hit I get is a web site where a user asks if it is possible to block Tor. He’s promptly told how to get “a good Tor IP list.” As the answer shows, if one wants to get a list of IPs to ban for Skeptical Science, they could just use this URL. It’s free, updated regularly and is complete. It’s also easy to find via the Tor website’s Abuse FAQ page. All anyone needs to do is plug in the IP address of whatever they’re interested in protecting.
And what about it being easy? My fourth hit is to a post by the blogger lucia discussing how she bans Tor. As she says, it’s “trivially easy.” The reality is you can block Tor and keep your block up to date with only a dozen lines of code. I can write the code from scratch in fifteen minutes.
Bob Lacatena’s screwup of claiming to know the hacker used a “Tor browser” isn’t incidental. He clearly doesn’t know much about Tor. He thinks you have to pay to get a list of IP addresses to block for his site when you can get it just by looking on the Tor website. He thinks blocking Tor “is a huge task” when it can be done in 15 minutes. Most troubling, he thinks telling people to “google it” will support his view when in reality 30 seconds with Google proves his excuses wrong.
There’s a lot more wrong with his post, and I’ll discuss that over the next few days. For the moment, I just want to point out Bob Lacatena’s post is uninformative and written by a hack unsuited for such a topic. Thus far his explanation is nothing more than:
Which fits the attitude described in this completely out of context quote from him:
my attitude has always been that the less people know about things, the better
And if you need a reason to trust my knowledge of hacking, just remember, I hacked Skeptical Science. They said so.