About Tanoro

Christopher "Tanoro" Gray is a web programmer and science advocate especially concerned with resource management technologies, biology, and artificial intelligence. He is a student of epistemology and philosophy as well as an Atheist competent in Christian theology.
HOME > View Blog  >  Thunderf00t has Turned Hack
Thunderf00t has Turned Hack
Posted by: Tanoro - Aug 10, 2012 1:37PM

I am saddened by the recent turn of events. I've been a fan of Freethought Blogs (FtB) for ages and I became excited when the network was joined by Aron Ra, Cristina Rad, and Thunderf00t (TF) back in late June. I subscribe to all of them on Youtube. Most of us know by now that Thunderf00t didn't stay on the network long. He wrote a few scathing posts discussing his views on feminism, notably criticized some of the other FtB bloggers, and then was promptly booted from the network. I have been on the fence on this issue, hence the reason I have been silent about it. I am a follower of all parties involved, so it has been difficult for me to weed out the facts. Unfortunately, I feel the villain has been unambiguously revealed.

Why was TF booted from FtB? Well, that depends on who you ask. According to the other bloggers at FtB, TF and one other blogger were both removed for unprofesional behavior and shoddy writing. Their blogs remain in place, so it is difficult to claim censorship. However, TF and his followers claimed censorship anyway, declaring that he was booted for stating his opinions of feminism. Which reasons are factual is difficult to for me say, but I will say that FtB appears to encourage its bloggers to maintain a professional writing style that doesn't jive with Thunderf00t's more aggressive "online chit-chat" style of writing. In addition, I have seen the bloggers at FtB disagree on lots of topics in the past and nobody was banned for it. I also happen to believe that censorship involves the removal of expression or one's ability to express by any and all means. Thunderf00t's blogs didn't go anywhere and he remains free to express his views in any way he wants. Removal from one website has not hendered his freedom of expression. Thus, censorship has not taken place. I am forced to question Thunderf00t's accusation.

All this is an aside, however. As alleged by numerous recent posts by numerous bloggers at FtB, Thunderf00t has seen fit to hack into their private e-mail list through a known security hole and share the personal information of many of the FtB bloggers with third parties, some of which include some damaging personal details. Thunderf00t has apparently confessed that he has, indeed, done so.

Turns out freethoughtblogs has a secret mailing list which they use, among other things to conspire against people [...]. Now as with many top secret mailing lists of course FTB has some footer saying how everything on this mailing list is ultra-confidential ... but that doesn't stop FTB OPENLY disclosing/ leaking whatever they want on that list when it suits their purpose. For instance they were quite happy to openly talk about Greg Ladens 'threats of violence' on the mailing list and PZ was quite happy to discuss the happenings of this 'ultra confidential' list in his video (sorry too late to delete the evidence boys, I've got it all!).

So what TF is saying here is that members of this private e-mail list who are authorized to be there are allowed to discuss its content with third parties, but TF, who is not authorized to be there, is not. That is a facepalm moment if I have ever seen one. The FtB bloggers are allowed to "leak" anything they want from that list because they are all authorized to be there. The list is effectively their collective property. Any disagreement regarding its use is between them. If PZ released some confidential information from that list in his discussions, his fellow bloggers would call him on it. Breaking into the server and releasing their private discussions is not acceptable behavior. Thunderf00t, this action amounts to breaking the law in pursuit of evidence for a tenuous hypocrisy accusation. You just checked your king just to take down a pawn.

As many of you know, I am a web programmer. I write security features for the applications I develop and I am familiar with the legal implications of breaching them. If the administrators of FtB can, indeed, prove that Thunderf00t accessed their e-mail list without authorization, I fear for his career. We are in the age of Anonymous, where unauthorized access to stored communications can bring entire corporations and government agencies to their knees. Illegally accessing a private network is a federal crime and, apparently, Thunderf00t is unaware of this.

§2701. Unlawful access to stored communications

  1. Offense.—Except as provided in subsection (c) of this section whoever—
    1. intentionally accesses without authorization a facility through which an electronic communication service is provided; or
    2. intentionally exceeds an authorization to access that facility;
  2. Punishment.—The punishment for an offense under subsection (a) of this section is—
    1. if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State—
      1. a fine under this title or imprisonment for not more than 5 years, or both, in the case of a first offense under this subparagraph; and
      2. a fine under this title or imprisonment for not more than 10 years, or both, for any subsequent offense under this subparagraph; and
    2. in any other case—
      1. a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and
      2. a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under this subparagraph that occurs after a conviction of another offense under this section.


I remain a subscriber to Thunderf00t on Youtube, but I am putting serious thought into unsubscribing in protest of his behavior. If the administrators of FtB pursue action, Thunderf00t just might encounter Kent Hovind face-to-face as he is said to be leaving prison this year.



A comment earlier pointed out something that needs clarification. I went to read the technical details of how TF got back into the e-mail list. Depending on your definition of the terms, his breach would be considered more of an "exploit" than a "hack." Hacking typically means that you have probed at some code or loosely built interfaces looking for holes into a service not intended by the developers of the software. Exploits typically involve simple misuse of standard features to gain access.

When TF was originally invited to FtB, he received an invitation e-mail which provided an access link to the e-mail list. The administrators of FtB concluded that TF saved his invitation e-mail and used it to re-insert himself into the e-mail list. The invitation e-mail contained a token link that didn't expire after TF originally used it. It is unclear if this was an intentional choice by the programmer. As a programmer myself, I consider this behavior clumsy. TF didn't technically hack any code or interfaces, so my apologies for providing that impression. What TF did was, in fact, exploit the invitation features of the list knowing that his presence was no longer welcome there.

These are all technicalities worth mentioning, but the legal implications remain the same. There is a digital paper trail on both sides of this issue detailing that TF knew he was not permitted access to this service, but let himself in anyway. Whether or not he actually poked some code makes little difference.

Matt Dillahunty has posted his opinions on Youtube.


Update: Aug 11, 2012 4:50pm

I was noticing a lot of traffic coming to my blog from Thunderf00t's, so I got curious about the discussion over there. One comment in particular stood out to me.

It's patently simple, the auth ticket is like key, you give someone a key, you give them permission to access. Ask for the key back, you’re baring them access. You forget to ask for the key, it’s your own damned fault. The admin didn’t remove the key, simples.

It's not a hack, nor an exploit. There was no root kit, there was no keylogging software, there was no brute force, there was no unauthorized access. The software didn't have a flaw TF was aware of, nor was any flaw used to get back on the list. There was no user intervention causing a divide by zero error circumventing the add to list function, no circumvention of any kind. He was given access to the listserv by an authorized user by means of a ticket, and that same ticket was used to get back on the listserv after he was unsubscribed. He was, by definition, an authorized user.

You're an idiot! Authorization keys are just numbers in a database, not physical objects that you must request back. You cannot request them back nor can you technically change your locks! Using an existing feature to grant yourself access to a service that you knowingly do not have permission to access is an exploit. Get over it.

I keep seeing this argument floating around that Thunderf00t was technically allowed to be on the e-mail list since he was once invited and wasn't technically banned from it. Oh, my Flying Spaghetti Monster -- the idiocy burns. The criteria for being technically banned from an online service is highly unlikely what a courtroom judge would examine because these are arbitrary distinctions written into the software by the developers and may differ depending on the software, its features, and its quality. For example, I could write a feature into my CMS that describes a "banned" user as any user whose user name appears in blue. Do you think the judge would want to analyze and consider that? Whoops! Thunderf00t's name wasn't in blue. He must not have been technically banned!

I could also say a user can't technically be banned. They can only be "deleted," "unsubscribed,", "scrubbed," "purged," "queued up," or whatever terminology the developer wants to use in describing what counts as a "removal of access." Or I can say that a user is only "removed" when a certain set of permissions are applied to the account. If one of the rules didn't get written in for whatever reason (i.e. glitch, bug, database corruption, server hiccup, etc.), does it count? These are all highly arbitrary distinctions put in place by the programmer to make the software function in whatever way and it becomes even more fuzzy when the software has a small and obscure bug in it, which happens. If the banning feature was bugged and didn't remove the user properly, does that count?

This is technical and complicated. A judge is not going to sift through the technical behaviors of the software and determine what counts as a removal of access. If Thunderf00t knew his invitation was revoked, that is all that matters. I suggest that a judge will only ask three questions.

  1. Was Thunderf00t notified that his invitation to be on the server was revoked?
    Yes! Both PZ and Thunderf00t have published e-mails on their blogs (and on TF's Youtube channel) showing e-mails were sent and Thunderf00t read them. Therefore, this is unarguable.
  2. Did the administrators attempt to hinder him from further accessing the server?
    Yes! They deleted his subscription. This is an attempt to hinder him from accessing the server.
  3. Did Thunderf00t have permission to allow himself back into the server?
    No! He can present no written or evidence of verbal permission to be back on that server after his notice of termination.

Everything else is hair-splitting. Thunderf00t knew he was permitted to be on that service and he let himself back into it anyway.

This blog is an editorial and contains only the opinions of the author. The author claims no expertise on most topics of discussion and this blog is not to be cited as an alternative for properly vetted journalism or scientific sources.

comments powered by Disqus