{"id":24006,"date":"2014-03-13T13:57:55","date_gmt":"2014-03-13T19:57:55","guid":{"rendered":"http:\/\/rankexploits.com\/musings\/?p=24006"},"modified":"2014-03-13T13:59:54","modified_gmt":"2014-03-13T19:59:54","slug":"skeptical-science-visits-by-francois","status":"publish","type":"post","link":"https:\/\/rankexploits.com\/musings\/2014\/skeptical-science-visits-by-francois\/","title":{"rendered":"Skeptical Science: Visits by &#8220;Francois&#8221;."},"content":{"rendered":"<p>We&#8217;ve got enough comments on the SkS <a href=\"http:\/\/rankexploits.com\/musings\/2014\/sks-non-revelations-about-their-hack-part-i\/\">Part I-IV<\/a> saga, which has progressed to part V. I&#8217;m going to open a new thread for the five of us who have been reading the endless. I&#8217;ll also take the opportunity to compare SkS operation to mine. I know some people get annoyed at my blocking things.  But it seems to me my false  positive rate is way down, and I do block quite a large amount of sustained, potentially blog crashing scraping.  
That said: my blocks also give some protection, which I can show by explaining how the specific example requests by the alleged hacker who SkS has nicknamed &#8220;Francois&#8221; would have been rebuffed at my site.<\/p>\n<p>Let&#8217;s start with this comment connection allegedly made by &#8220;Francois&#8221;:<br \/>\n<code><font color='blue'>77.247.181.165<\/font> www.skepticalscience.com - [23\/Feb\/2012:04:52:05 +1100] \"GET <font color='blue'>\/comments.php<\/font> HTTP\/1.1\" 200 22031 \"http:\/\/www.skepticalscience.com\/\" \"Mozilla\/5.0 (Windows NT 6.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\" \"PHPSESSID=ab1a5faa88ac1878784dcfa719dca226; __utma=198451757.12232104.1329923284.1329923284.1329923284.1; __utmb=198451757.52.10.1329923284; __utmc=198451757; __utmz=198451757.1329923284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expanded_dir_list=%3A%3Ahome%3A7-web%3A74%3A95%3Askepticalscience.com%3Apublic%3Awww%3A%3Apics; fm_root_atual=%2Fhome%2F7-web%2F74%2F95%2Fskepticalscience.com%2Fpublic%2Fwww%2F%2F; loggedon=d41d8cd98f00b204e9800998ecf8427e; order_dir_list_by=6D; UserId=6318\" 882 22405 urchindyn www.skepticalscience.com<\/code><\/p>\n<p>This entry indicates a visit to the SkS comments page http:\/\/skepticalscience.com\/comments.php. Nothing nefarious here. The &#8220;GET&#8221; indicates the visitor loaded the page to read it. That said, 77.247.181.165 cannot visit my blog. It is blocked because the domain is on &#8220;torservers.net&#8221;.  If the IP happens to be a Tor exit node it would also be blocked for that reason.<\/p>\n<p>Had &#8220;Francois&#8221; visited my site using that IP, he would have learned that further penetration would have required using something <i>other than<\/i> Tor. Mind you: if motivated, he might have come back using something else. Depending on his skill level or interest, he might have returned to continue.  His level of anonymity might be lower (or not. I really can&#8217;t be sure). 
<\/p>\n<p>In SkS&#8217;s case, evidently, Francois returned&#8211; still using Tor because they don&#8217;t block Tor.<\/p>\n<p>The next example is something I really wouldn&#8217;t want any random stray person to do:<\/p>\n<p><code><font color='blue'>87.225.253.174<\/font> www.skepticalscience.com - [23\/Feb\/2012:04:52:23 +1100] \"<font color='blue'>POST<\/font> \/sks<font color='blue'>admin.php<\/font>?Action=Edit&UniqueIdentifier=1&TableName=topic&Search= HTTP\/1.1\" 200 34372 \"-\" \"FAST Enterprise Crawler\/6 (www.fastsearch.com)\" \"UserId=4955\" 316 34780 urchindyn www.skepticalscience.com<\/code><\/p>\n<p>This is a visit to a page that looks like an admin type page as indicated by the \/sksadmin.php in the URI. (I tried loading this address and it gives me a &#8216;page not available&#8217;.) Note the connection uses the POST method. The POST method gets used for submitting form data, for example, when one submits a comment, a Quatloo bet, clicks submit on a search or any number of other activities. <\/p>\n<p>As it happens, this connection would be blocked at my site because (a) the host associated with IP 87.225.253.174 is <font color='blue'>torproject<\/font>.org.all.de, which is banned from the entire site whether or not it&#8217;s currently an exit node, (b) unless whitelisted, I don&#8217;t permit user agents with the word &#8220;<font color='blue'>crawler<\/font>&#8221; to visit my site, (c) I don&#8217;t let anything &#8220;POST&#8221; while spoofing the referrer (this prohibition reduces the success rate of spambots) and, most importantly, (d) I only allow <i>whitelisted IPs<\/i> to visit my &#8216;admin&#8217; type files.  This final item gives my site more protection than the average WordPress site.<\/p>\n<p>Also: if an IP tries these things too many times, I ban the IP for several days.  But in SkS&#8217;s case, they not only don&#8217;t block Tor, they don&#8217;t block Tor from the admin panel (or at least didn&#8217;t in 2012.)  
<\/p>\n<p>I would suggest that SkS security guys consider blocking Tor from <i>the admin panel<\/i> at least.  If they have fewer than 10 people permitted into &#8216;admin&#8217;, they should use whitelisting to better protect it. <\/p>\n<p>The next example visit by &#8220;Francois&#8221; is not so nefarious. It appears to be an attempt to read a forum page&#8211; which is fine if one was logged in.<\/p>\n<p><code><font color='blue'>77.247.181.163<\/font> www.skepticalscience.com - [23\/Feb\/2012:04:59:46 +1100] \"GET \/thread.php HTTP\/1.1\" 200 7994 \"-\" \"Mozilla\/5.0 (Windows NT 6.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\" \"__utma=198451757.12232104.1329923284.1329923284.1329923284.1; __utmb=198451757.54.10.1329923284; __utmc=198451757; __utmz=198451757.1329923284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ba02044b4d80154303866f6fc0da1017\" 574 8367 urchindyn skepticalscience.com<\/code><\/p>\n<p>I think http:\/\/skepticalscience.com\/thread.php used to be an address for their forum and accessible to many.  By itself, this is an innocent looking connection.   However, IP 77.247.181.163 is on &#8216;lumumba.<font color='blue'>torservers.net<\/font>&#8217;, which would be blocked at my site.  It&#8217;s not clear to me that SkS should be permitting access to any &#8220;super-secret by invitation only&#8221; site using Tor. I wouldn&#8217;t: had this been <i>my<\/i> super-secret forum, &#8220;Francois&#8221; would not have been able to read it using Tor.<\/p>\n<p>For now, the examples of alleged connections by &#8220;Francois&#8221; would have been blocked here at rankexploits.com.  I can&#8217;t say that means I can&#8217;t be hacked. Francois would have to devise some other way to hack.<\/p>\n<p>As for the main question: Can we be sure this wasn&#8217;t a leak? I&#8217;d say it&#8217;s looking like a hack. 
The site security did suck and there are connections that &#8212; at best&#8211; can be called &#8220;someone knows they shouldn&#8217;t be doing that&#8221; type connections.  But I&#8217;m still not sure that all that fiddling has been <i>proven<\/i> to be associated with the actual release. I&#8217;m not going to say much more because Part VI is promised. Maybe we&#8217;ll learn&#8230; something.<\/p>\n<p>Note also: Even if hacked, I think it&#8217;s fine to discuss the released files. Similarly, even though Gleick stole and faked Heartland documents, I&#8217;ve always thought it was fine to discuss those.  I&#8217;ve always maintained this position as have <i>many people<\/i> who discuss both at this site. <\/p>\n<p>Those who wish to further discuss the &#8220;hack\/leak&#8221; or what the &#8220;new&#8221; revelations might tell us, please continue on this thread. I&#8217;ll close the other one.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ve got enough comments on the SkS Part I-IV saga, which has progressed to part V. I&#8217;m going to open a new thread for the five of us who have been reading the endless. I&#8217;ll also take the opportunity to compare SkS operation to mine. I know some people get annoyed at my blocking things. 
&hellip; <a href=\"https:\/\/rankexploits.com\/musings\/2014\/skeptical-science-visits-by-francois\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Skeptical Science: Visits by &#8220;Francois&#8221;.<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[134],"tags":[],"class_list":["post-24006","post","type-post","status-publish","format-standard","hentry","category-politics"],"_links":{"self":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts\/24006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/comments?post=24006"}],"version-history":[{"count":0,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts\/24006\/revisions"}],"wp:attachment":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/media?parent=24006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/categories?post=24006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/tags?post=24006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}