Skeptical Science: Visits by “Francois”.

We’ve got enough comments on the SkS Part I-IV saga, which has progressed to part V. I’m going to open a new thread for the five of us who have been reading the endless. I’ll also take the opportunity to compare SkS operation to mine. I know some people get annoyed at my blocking things. But it seems to me my false positive rate is way down, and I do block quite a large amount of sustained, potentially blog crashing scraping. That said: my blocks also give some protection, which I can show by explaining how the specific example requests by the alleged hacker who SkS has nicknamed “Francois” would have been rebuffed at my site.

Let’s start with this connection to the comments page, allegedly made by “Francois”:
77.247.181.165 www.skepticalscience.com - [23/Feb/2012:04:52:05 +1100] "GET /comments.php HTTP/1.1" 200 22031 "http://www.skepticalscience.com/" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" "PHPSESSID=ab1a5faa88ac1878784dcfa719dca226; __utma=198451757.12232104.1329923284.1329923284.1329923284.1; __utmb=198451757.52.10.1329923284; __utmc=198451757; __utmz=198451757.1329923284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expanded_dir_list=%3A%3Ahome%3A7-web%3A74%3A95%3Askepticalscience.com%3Apublic%3Awww%3A%3Apics; fm_root_atual=%2Fhome%2F7-web%2F74%2F95%2Fskepticalscience.com%2Fpublic%2Fwww%2F%2F; loggedon=d41d8cd98f00b204e9800998ecf8427e; order_dir_list_by=6D; UserId=6318" 882 22405 urchindyn www.skepticalscience.com

This entry indicates a visit to the SkS comments page http://skepticalscience.com/comments.php . Nothing nefarious here. The “GET” indicates the visitor loaded the page to read it. That said, 77.247.181.165 cannot visit my blog. It is blocked because the domain is on “torservers.net”. If the IP happens to be a Tor exit node it would also be blocked for that reason.

Had “Francois” visited my site using that IP, he would have learned that further penetration would have required using something other than Tor. Mind you: if motivated, he might have come back using something else. Depending on his skill level or interest, he might have returned to continue. His level of anonymity might be lower (or not. I really can’t be sure).

In SkS’s case, evidently, Francois returned– still using Tor because they don’t block Tor.

The next example is something I really wouldn’t want any random stray person to do:

87.225.253.174 www.skepticalscience.com - [23/Feb/2012:04:52:23 +1100] "POST /sksadmin.php?Action=Edit&UniqueIdentifier=1&TableName=topic&Search= HTTP/1.1" 200 34372 "-" "FAST Enterprise Crawler/6 (www.fastsearch.com)" "UserId=4955" 316 34780 urchindyn www.skepticalscience.com

This is a visit to a page that looks like an admin-type page, as indicated by the /sksadmin.php in the URI. (I tried loading this address and it gives me a ‘page not available’.) Note the connection uses the POST method. The POST method is used for submitting form data, for example when one submits a comment, a Quatloo bet, clicks submit on a search, or any number of other activities.

As it happens, this connection would be blocked at my site because (a) the host associated with IP 87.225.253.174 is torproject.org.all.de, which is banned from the entire site whether or not it’s currently an exit node, (b) unless whitelisted, I don’t permit user agents with the word “crawler” to visit my site, (c) I don’t let anything “POST” while spoofing the referrer (this prohibition reduces the success rate of spambots), and most importantly (d) I only allow whitelisted IPs to visit my ‘admin’-type files. This final item gives my site more protection than the average WordPress site.

Also: if an IP tries these things too many times, I ban the IP for several days. But in SkS’s case, they not only don’t block Tor, they don’t block Tor from the admin panel (or at least didn’t in 2012.)

I would suggest that SkS security guys consider blocking Tor from the admin panel at least. If they have fewer than 10 people permitted into ‘admin’, they should use whitelisting to better protect it.

The next example visit by “Francois” is not so nefarious. It appears to be an attempt to read a forum page, which is fine if one is logged in.

77.247.181.163 www.skepticalscience.com - [23/Feb/2012:04:59:46 +1100] "GET /thread.php HTTP/1.1" 200 7994 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" "__utma=198451757.12232104.1329923284.1329923284.1329923284.1; __utmb=198451757.54.10.1329923284; __utmc=198451757; __utmz=198451757.1329923284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ba02044b4d80154303866f6fc0da1017" 574 8367 urchindyn skepticalscience.com

I think http://skepticalscience.com/thread.php used to be an address for their forum and accessible to many. By itself, this is an innocent-looking connection. However, IP 77.247.181.163 is on ‘lumumba.torservers.net’, which would be blocked at my site. It’s not clear to me that SkS should be permitting access to any “super-secret by invitation only” site using Tor. I wouldn’t: had this been my super-secret forum, “Francois” would not have been able to read it using Tor.

For now, the examples of alleged connections by “Francois” would have been blocked here at rankexploits.com. I can’t say that means I can’t be hacked. Francois would have to devise some other way to hack.
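To make the four rules above (Tor hosts, crawler user agents, POSTs without a genuine site referrer, admin paths restricted to a whitelist) plus the repeat-offender ban concrete, here is an added example filter run over the three log lines quoted in this post. It is not the blog’s own code: reverse DNS is simulated with a table of the hostnames the post reports, the whitelisted admin IP and the ban threshold are hypothetical, and “spoofed referrer” is interpreted as any referrer not on the site itself.

```python
import re
from urllib.parse import urlsplit

# Added example of the access rules described in the post; not the blog's own code.
# Reverse DNS is simulated with a constructed table of the hostnames the post reports.
REVERSE_DNS = {"77.247.181.165": "torservers.net",
               "87.225.253.174": "torproject.org.all.de",
               "77.247.181.163": "lumumba.torservers.net"}
TOR_MARKERS = ("torservers.net", "torproject.org")
SITE_HOSTS = {"www.skepticalscience.com", "skepticalscience.com"}
ADMIN_WHITELIST = {"192.0.2.10"}  # hypothetical trusted admin IP (RFC 5737 range)
BAN_THRESHOLD = 3                 # hypothetical: rule hits before an IP is refused outright
# Combined log format prefix; the site-specific trailing fields are ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# The three requests quoted in the post, with the cookie fields trimmed.
SAMPLE_LOG = [
    '77.247.181.165 www.skepticalscience.com - [23/Feb/2012:04:52:05 +1100] "GET /comments.php HTTP/1.1" 200 22031 "http://www.skepticalscience.com/" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"',
    '87.225.253.174 www.skepticalscience.com - [23/Feb/2012:04:52:23 +1100] "POST /sksadmin.php?Action=Edit&UniqueIdentifier=1&TableName=topic&Search= HTTP/1.1" 200 34372 "-" "FAST Enterprise Crawler/6 (www.fastsearch.com)"',
    '77.247.181.163 www.skepticalscience.com - [23/Feb/2012:04:59:46 +1100] "GET /thread.php HTTP/1.1" 200 7994 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"',
]

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparsable log line: " + line[:40])
    return m.groupdict()

def block_reasons(req):
    # Returns the rules a request trips; an empty list means allow.
    reasons = []
    if any(mark in REVERSE_DNS.get(req["ip"], "") for mark in TOR_MARKERS):
        reasons.append("tor host")
    if "crawler" in req["ua"].lower():
        reasons.append("crawler user-agent")
    # A POST must carry a referrer on this site; "-" or a foreign host counts as spoofed.
    if req["method"] == "POST" and urlsplit(req["referer"]).hostname not in SITE_HOSTS:
        reasons.append("POST without site referrer")
    if "admin" in req["path"].split("?", 1)[0] and req["ip"] not in ADMIN_WHITELIST:
        reasons.append("admin path from non-whitelisted IP")
    return reasons

def filter_log(lines):
    """Judge each line; an IP that trips rules BAN_THRESHOLD times is refused outright."""
    strikes, verdicts = {}, []
    for req in map(parse, lines):
        ip = req["ip"]
        reasons = ["banned after repeated blocks"] if strikes.get(ip, 0) >= BAN_THRESHOLD else block_reasons(req)
        strikes[ip] = strikes.get(ip, 0) + bool(reasons)
        verdicts.append((ip, req["path"], reasons))
    return verdicts
```

Running `filter_log(SAMPLE_LOG)` shows the first and third requests refused on the Tor rule alone, while the admin POST trips all four rules at once.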

As for the main question: Can we be sure this wasn’t a leak? I’d say it’s looking like a hack. The site security did suck and there are connections that, at best, can be called “someone knows they shouldn’t be doing that” type connections. But I’m still not sure that all that fiddling has been proven to be associated with the actual release. I’m not going to say much more because Part VI is promised. Maybe we’ll learn… something.

Note also: Even if hacked, I think it’s fine to discuss the released files. Similarly, even though Gleick stole and faked Heartland documents, I’ve always thought it was fine to discuss those. I’ve always maintained this position as have many people who discuss both at this site.

Those who wish to further discuss the “hack/leak” or what the “new” revelations might tell us, please continue on this thread. I’ll close the other one.

9 thoughts on “Skeptical Science: Visits by “Francois”.”

  1. Grep isn’t a machine gun! Unless by machine gun Bob means useful tool. But I don’t have a machine gun in my shed.
    I literally grep files all day long. I didn’t think grep was especially obscure, arcane, or had any particular evil hacker associations.

  2. Death by cookie userID 1, huh. Well, that qualifies as hacking. Sort of like breaking and entering by walking through a curtain instead of kicking in a door, maybe. The slackness of it all. ~sigh~

  3. It’s mildly amusing to me that they had ‘Removing SkS From the Wayback Machine’ under technical stuff. 🙂

  4. Lucia,

    But … gosh. It pushes the boundary of the definition for me because that’s such a hokey weakness. It’s sort of like saying, ‘in our security system, we ask you who you are and you tell us. If you lie, you’ve hacked us.’ Not quite, but almost.

    Still, it wasn’t an accident I’m sure. Just the exploitation of a very very naive mechanism. 🙂
