Is Skeptical Science Stupid, or Does it Think We Are?

There is no question Skeptical Science uses fabricated quotes. There is no question the Skeptical Science team is willing to keep using fabricated quotes after discovering them, discussing the issue in their private forum but doing nothing in public. In short, there is no question the Skeptical Science team is dishonest. The question is, are they stupid, or do they just think we are?

For two years Skeptical Science has claimed it was hacked. For two years it has based this claim largely upon a single argument:

Anyone who has viewed the file containing the hacked forum can confirm that it contains the entire user database and that the forum was amended to display the email and IP address of every person posting on the forum.

This argument has been repeated time and time again. It is the only argument Skeptical Science has offered for two years, and it is either a bald-faced lie, or it indicates a level of stupidity so great I struggle to imagine how John Cook remembers to breathe.

The argument is idiotic. It is completely and utterly impossible. Any investigation of the released material would show this. All you have to do is think for one moment, “What is my IP address”?

Odds are you have no idea. However, I’m sure you know your IP address is different on your computer than it is on your phone. I’m sure you know it is different when you’re at home than when you are on vacation. I’m sure you know you may have used hundreds of different IP addresses in your life. So the question is, what “IP address” did this supposed hacker add?

If a hacker accessed user information, why would he be given IP addresses for users? Their IP address could be different every time they logged in. The average person’s IP address changes on a daily basis. Are we supposed to believe Skeptical Science stored a single IP address for each user when it would inevitably be out of date by the next day? If so, why? What could John Cook possibly do with a single, outdated IP address for each user? And how would he pick which IP address to store for each person?

It is mind-bogglingly stupid to think John Cook stored an IP address for each user. And even if he did do it, what possible reason would a hacker have to include it? The “hacked” forums had years of posts. Why would a hacker bother adding the same IP address to every post by a given user in 2010 as in 2012?

What kind of imbecilic story is this? How could anyone who knows anything about computers believe it? It’s ludicrous. And even worse, it’s obviously untrue. We can see that just by looking at the “hacked” forums. Pick a topic, any topic at all, and odds are good it’ll prove this story is a total fabrication. Here’s a screenshot from one I picked at random:

[Screenshot: sks_example]

Notice anything about those comments? BaerbelW posted twice. Her IP address was given as 93.231.145.193 one time, 93.231.166.207 the other. John Cook commented twice, once with the IP address 124.185.20.155 and once with the IP address 123.211.206.13. Earlier in the same thread, Cook commented with 124.185.151.34 and 121.222.93.62.

How could a hacker have added dozens of different IP addresses to comments by the same user? What, did he find a list of every IP address every user had ever visited the forums with and start matching them up with comments? How would he have done it? Why would he have done it? Hell, why would that data have even been stored? Is anyone actually stupid enough to look at the forums and believe the hacker found each person’s “IP address” and added it to each comment by them? Is John Cook? Is Bob Lacatena?

Are you? I don’t think so. I think you’re a functioning member of society capable of stringing together a chain of thought more straightforward than an Escher drawing. I think your mental landscape is more coherent than a Picasso painting. I think you, like any rational member of the internet community, would expect to see something like this in a blog administrator’s comments panel:

[Screenshot: sks_Rational]

That’s a partial screenshot of a comment shown in my blog’s dashboard. You’ll note it has my name, my website, my e-mail address and the IP address I used when I submitted the comment. That is exactly what we see in the “hacked” Skeptical Science forum, save that forum uses a row for full names instead of web site URLs (and it doesn’t use avatars).

What an amazing coincidence, right? I mean, according to Bob Lacatena of Skeptical Science, that’s all it could be. After all, he said:

There was no way that someone just got into the forum, went into every thread, and saved the web pages. You couldn’t generate the data released in the hack that way. Someone would have had to put a lot of work into editing the pages, to merge them all and to change the presentation. It would take a lot of work, too, to cross reference every user with their full name, e-mail and IP address, to insert those.

Skeptical Science has repeatedly claimed an IP address (singular) was added for each user. Skeptical Science claims a hacker “put a lot of work into” adding that singular IP address to each comment. In reality, we have clear and indisputable evidence many different IP addresses were shown for each user. The only sane interpretation is every comment had an IP address associated with it when it was made.
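The distinction drawn above, as an added example (not code from this post or from Skeptical Science's software): a hypothetical two-table schema with constructed users and documentation-range IP addresses, exported once by looking up a single IP from the user record and once from an IP column stored on each post. Only the per-post model can ever show several IP addresses for one user.

```python
import sqlite3

# Constructed sample data: hypothetical users, documentation-range IPs.
USERS = [(1, "alice", "192.0.2.10"), (2, "bob", "198.51.100.7")]
POSTS = [  # (post_id, user_id, posted_at, IP recorded when the post was submitted)
    (1, 1, "2010-08-01", "192.0.2.10"),
    (2, 2, "2010-08-01", "198.51.100.7"),
    (3, 1, "2011-03-14", "192.0.2.99"),
    (4, 2, "2012-01-05", "203.0.113.45"),
    (5, 1, "2012-02-20", "203.0.113.8"),
]

def build_db():
    """Hypothetical schema: one IP on the user row, one IP on every post row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, last_ip TEXT)")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, "
               "posted_at TEXT, poster_ip TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    db.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", POSTS)
    return db

def export_cross_referenced(db):
    """Model A: the IP is looked up per user and attached to each of their posts."""
    return db.execute("SELECT u.name, u.last_ip FROM posts p "
                      "JOIN users u ON u.id = p.user_id ORDER BY p.id").fetchall()

def export_per_post(db):
    """Model B: the IP comes from the post row itself."""
    return db.execute("SELECT u.name, p.poster_ip FROM posts p "
                      "JOIN users u ON u.id = p.user_id ORDER BY p.id").fetchall()

def users_with_multiple_ips(rows):
    """Return {user: sorted distinct IPs} for users shown with more than one IP."""
    seen = {}
    for name, ip in rows:
        seen.setdefault(name, set()).add(ip)
    return {n: sorted(ips) for n, ips in seen.items() if len(ips) > 1}

def consistent_with_cross_reference(rows):
    """A single per-user lookup can only ever yield one IP per user."""
    return not users_with_multiple_ips(rows)

if __name__ == "__main__":
    db = build_db()
    print(consistent_with_cross_reference(export_cross_referenced(db)))
    print(users_with_multiple_ips(export_per_post(db)))
```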

So we now know the hacker didn’t have to “cross reference every user with their” IP address. Why then should we believe he had to do it “with their full name” or their e-mail address? Why shouldn’t we assume those were stored with each comment like the IP addresses were?

And if we know Skeptical Science has been telling a false story about those IP addresses for two years now, why should we believe any of their story? Why should we believe the forum we’ve been given wasn’t just some naturally occurring output? On what basis can we conclude it wasn’t what you’d get if you made a backup or looked at the forums with the right administrative settings?


TL;DR: Skeptical Science has been telling a story which is obviously insane if you even glance at the evidence. Given that, why should we trust any of their claims about this “hack”? Either they’re incredibly stupid, or they think we are.

7 comments

  1. The only sane interpretation is every comment had an IP address associated with it when it was made.
    This is how phpBB and SMF both store comments– each with the user name, email and IP along with the comment itself and time stamp. It helps to colocate for spam or ‘troll’ control later on because you can find all comments by same (or similar) IP and/or all comments by same email and so on easily when all are stored with each comment.

  2. I’m also puzzled by the SkS “proof”. In what universe does someone not interpret what the comment at Tom Nelson said as claiming:
    1) The database information is in the .zip at http://skepticalscience .c om/logs/blahblah.zip and
    2) That information was formatted for convenient display and the reformatted stuff is at http://whatever . ru/bobo.zip?

    The argument seems to be that because the stuff in the formatted version was not formatted the way SkS formatted it, that means the database was “hacked”.

    Why in the world are we reading nothing about what was in …/logs/blahblah.zip ?

    I mean… this isn’t hard. The first post should have been:
    1) post /logs/blahblah.zip and the entire /logs file was accessible to the public.
    2) It contained these files: show directory list. Possibly show contents.
    3) Or at least state: none of the files in the /logs directory included contents of the database. (Possibly show what was in these files.)

    Those points would constitute the main evidence the way the ‘leaker’ said things happened didn’t happen. Because the ‘theory’ of how it happened was that somehow for some reason someone at SkS put the database contents in the /logs/ directory. No amount of saying “to create that display they needed the database” or “we think they edited to only reveal the bits they wanted to reveal” is going to disprove a theory that is based on the assumption that they had the database. If they had the database, they could do all those things. And pretty much everyone thinks the database itself was leaked.

    Once we have 1-3,

    4) In addition, we have evidence someone got into the admin side around that time. We think they downloaded the database.

    But we are getting Bob droning on and on and on and on about (4) with no real proof anyone actually downloaded the database. This is so annoying. Worse: they are not going to convince anyone of anything until they cut to the chase and address 1-3. And that’s pretty much ALL they need to address.

    Oh well…maybe part III?

  3. Brandon,
    To answer your question, Yes.

    And to pose one of my own, did you reduce the font size on this post to annoy older eyes, or was it accidental? [No big deal actually, CTRL+ works fine.]

    On topic: has SkS ever put forward logs (or extracts therefrom) to support Bob’s narrative? I see lots of assertions but no evidence.

  4. HaroldW:
    1) I have seen nothing from server logs.
    2) I have seen no lines from their special SQL injection logs.
    3) I have seen nothing that shows a record over every MySQL command recorded nor anything to show that Francois backdated his “join” date or anything similar.

    But for now, we don’t need that because based on the narrative, SkS hasn’t shown the data in the .ru file had to come from a hack even if we assume that inspecting various logs would show precisely what Bob says happens.

    We have to wait for exciting Part III. Let’s hope that the plan isn’t to make this a 15 part series!

  5. lucia, that is one of the many issues I didn’t bring up. There is so much wrong with these two posts, I couldn’t hope to cover it all. I especially can’t when I’m already struggling to rein in the adjectives and ranting.

    HaroldW, I’ve been debating on what font size I want to use. I actually prefer this smaller size. I especially like that it makes blockquotes and whitespace stand out more. I had actually intended to switch to this size earlier (one of my previous posts was in this font), but for a while I forgot how to do it. WordPress.com wants font sizes to be a feature only available for premium users so you have to know how to get around their attempts to stop you.

    The funny thing is technically changing this font size like this counts as hacking. Despite what many people in the public think, the word hacking doesn’t inherently imply anything about breaking into a system. Basically, you hack whenever you find an unintended way to use something.

  6. The idea to compartmentalize the private forum from the public blog seems like a good one. OTOH the implementation wasn’t as thoughtfully executed. It’s hidden from view just because there aren’t any links? Also, your post shows that the user names in the forum were the same as those used publicly. Call me crazy but that seems like a bad idea.

    Giving the hacker the user names to the forum provided a significant head start for whatever method he/she used to gain access. At that point all that was necessary was to steal the password. OK, that’s obvious but it also matches Bob’s narrative. The hacker stole an admin password.

    Obviously for a brute force attack having the user name is helpful. But Bob claims this was an SQLI. I’ve never attempted that sort of hack or any other (besides changing font sizes). Am I wrong to think that is an advantage? Wouldn’t the ability to inject a known user name, as in “where UserName = ‘John Cook'”, provide an angle to exploit? Perhaps in a hardened system, i.e. wordpress, that’s less important but the SKS blog and forum are homegrown.

    Also, does the zipped file give any indication if same user name gave John Cook and/or the other admins access to higher level administrative functions at the secret forum?

    Thanks.

  7. Lucia –
    Thanks. I hadn’t noticed any log entries. I usually find a structure of assertion accompanied by evidence to be more convincing. When I see assertion followed by further assertions and no evidence, I assume I’m being snowed. I applaud your and Brandon’s patience with the pace of the narrative.

    Brandon –
    As it turns out, even the small font size is fine when I’m looking at the post on a regular monitor (vs. a laptop screen). And you’re certainly right that the blockquote stands out better. No problem with keeping the size which you prefer; when I’m on a laptop I’ll just magnify and curse my declining vision.

    As to your definition of hack — are you saying that a hack is “slang for a clever (and legitimate) technique”? 😉
