GSC has been hacked
Johan:
Quote from: J. M. Pescado on 2010 January 12, 01:38:19
I don't believe anything was really firmly established about the passwords in this case, because the person in question has been dead for a very long time and this event was roughly contemporaneous with the original Buggybooz incident, IIRC.
So the link to TSR would be that Bluesoup had an account at TSR with the same password as for the petition and that password was leaked somehow in the same way as for Buggybooz?
First of all, I find it hard to believe Bluesoup used the same password as on TSR for a petition against EA's collaboration with TSR.
Even if she did, you would have to know the secret part of the URL in order to log in and manage the petition. This URL is only sent to the petition author.
This means the rogue operator also had access to Bluesoup's email, or that she willingly shared that URL with someone and that someone passed it on to the operator.
I find it unlikely she used the same password for her email as on TSR. (If she indeed has or has had an account on TSR; I can't find an account named Bluesoup or one that uses the email used in the petition.)
From what I can gather by googling this, Bluesoup claimed the petition was "hacked" on March 18 or earlier; the Buggybooz incident happened on March 30.
Quote from: J. M. Pescado on 2010 January 12, 01:38:19
Unlikely, given that I have explicitly ordered no such actions be taken. It would serve absolutely no purpose, given that, from a strategic standpoint, such an act has no value.
Does this mean you knew the petition had leaked and you ordered coconut or anyone else not to do anything with it, or what?
I'd say it suits your purpose perfectly from a strategic standpoint. Isn't the general consensus that TSR was behind the petition leak and is now spreading it around/using it for evil purposes?
That surely has a lot of value in the anti-TSR camp.
Quote from: J. M. Pescado on 2010 January 12, 01:38:19
There wasn't so much a "distinct trail leading elsewhere" as a "lack of smoking gun". Delphy is unwilling to do anything without a level of proof suitable for a legal prosecution. As we are not interested in legal prosecution, we simply don't need that. It is enough that I recognize the signs. The information used could not really have come from anywhere else, and you have already admitted that the information was stored in a form that was easily accessible. Such attacks in the community had been completely unheard of until that point, and the fact that attacks of the same pattern continue to appear sporadically following that incident suggests that the list continues to be in use, even if it is not being updated anymore.
There was a pretty distinct trail; in case you forgot, here's what we found when investigating it (using data from both TSR and MTS):
Quote from: Johan on PMBD
Whoever was behind this must have known what username buggybooz had on TSR, and that was not well known in the community. Her account on TSR was logged in to by someone with exactly the same user agent string (which was not a very common one; I compared it to other logins in our login history and it was fairly unique) and an IP that was the same as, or in the same range as, the one used on s2c (Hide my IP), slightly after the hacking took place on MTS.
That same signature also:
* logged in as "hamilton" on MTS (that's Thomas's account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IPs
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files
In the list of IPs Atwa got from the service provider when she found out someone had been reading her email, we were able to match them to the unproxied IPs of sherriesim. Unfortunately we didn't get the user agent from that list, but I have a very strong suspicion that it would have matched the hacker's signature.
We clearly have a very different POV.
From where I stand, this is a smoking gun, and it doesn't fit your idea of a rogue TSR operator.
The person behind the Buggybooz incident didn't get caught so he/she could possibly have been behind other hackings.
Quote from: J. M. Pescado on 2010 January 12, 01:38:19
Sure, it would be "possible" to find out. All you have to do is hit the "lost password" button on any website, and most standard software will contact the email with a reset link. You know this, I know this, everyone knows this. Of course, unless you want to hack someone's account merely to prove an obvious, known fact, this line of inquiry serves no useful purpose.
That isn't what I meant. It should be possible to find out exactly how it works in the case of Scotty and Witchboy without any kind of hacking.
I.e., would it be possible, just by knowing their email address, to gain access and "hack" their accounts?
If the answer is no then there is no link whatsoever to TSR.
J. M. Pescado:
Quote from: Johan on 2010 January 12, 22:53:26
So the link to TSR would be that Bluesoup had an account at TSR with the same password as for the petition and that password was leaked somehow in the same way as for Buggybooz?
First of all, I find it hard to believe Bluesoup used the same password as on TSR for a petition against EA's collaboration with TSR.
Are you kidding? This is BLUESOUP. BlueSoup is a fatheaded idiot. I mean, what do you expect from someone who starts e-Petitions? Everyone with half a brain knows those are utterly worthless. Hell, it's already been firmly debunked on Snopes.
Quote from: Johan on 2010 January 12, 22:53:26
Even if she did, you would have to know the secret part of the URL in order to log in and manage the petition. This URL is only sent to the petition author.
I don't know how "secret" such a URL is, but the Fathead would be dumb enough to lose her email that way, yes.
Quote from: Johan on 2010 January 12, 22:53:26
From what I can gather by googling this, Bluesoup claimed the petition was "hacked" on March 18 or earlier; the Buggybooz incident happened on March 30.
Like I said, roughly contemporaneous. I distantly recall them as events that occurred within the same year only, and wasn't even sure which came first, but you have nicely put a date on them that has them separated by less than 2 weeks, which rather tightens the association between these two events nicely!
Quote from: Johan on 2010 January 12, 22:53:26
Does this mean you knew the petition had leaked and you ordered coconut or anyone else not to do anything with it, or what?
No, it means that I have explicitly ordered people NOT to perform any such false-flag operations or actual hackings.
Quote from: Johan on 2010 January 12, 22:53:26
I'd say it suits your purpose perfectly from a strategic standpoint. Isn't the general consensus that TSR was behind the petition leak and is now spreading it around/using it for evil purposes?
That surely has a lot of value in the anti-TSR camp.
Actually, at the time, the petition being hacked was mostly blamed on BlueSoup's incompetence and not specifically linked to TSR. In fact, the origin of the name list wasn't even resolved until later. The petition thing had been really entirely blown off and forgotten about within days, as no real proof was ever found, and besides, those things are stupid as hell. What brought it back to light was the fact that the list was intercepted circulating the halls of TSR. At first, it was speculated that it was a selected list from TSR's database again, something that TSR issued a suspiciously quick denial of, but this idea never really gained traction and pretty much died out instantly after the BlueSoup Petition Theory was proposed.
Quote from: Johan on 2010 January 12, 22:53:26
There was a pretty distinct trail; in case you forgot, here's what we found when investigating it (using data from both TSR and MTS):
If by "trail", you mean "the IP of a public proxy service", which coincidentally happened to match someone who was also probably a user of that network...totally meaningless, really. The ONE trend of this is that the attacker ALWAYS uses proxy SERVICES, never simply open proxies scanned from the open Internet. It's always some kind of known service provider of proxies, as opposed to the many unknown random proxies dotting the Internet. Other than that, not much of a trail, except that it tells us the attacker does not have the technical ability or interest to scan for his own proxies, and may even be paying money for access to these proxies.
Inge:
Quote
* logged in as "hamilton" on MTS (that's Thomas's account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IPs
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files
Looks like it could have been Thomas himself then?
Johan:
Quote from: J. M. Pescado on 2010 January 13, 10:00:55
I don't know how "secret" such a URL is, but the Fathead would be dumb enough to lose her email that way, yes.
It looks like this:
http://www.petitiononline.com/PMBDMBD/RUngyNUKAePJ.cgi
RUngyNUKAePJ being the secret part.
Feel free to sign my test petition by the way.
I don't know Bluesoup, but I very much doubt she would give login details to the petition to someone on our side.
Quote from: J. M. Pescado on 2010 January 13, 10:00:55
Like I said, roughly contemporaneous. I distantly recall them as events that occurred within the same year only, and wasn't even sure which came first, but you have nicely put a date on them that has them separated by less than 2 weeks, which rather tightens the association between these two events nicely!
It is interesting that the events happened around the same time, yes.
Quote from: J. M. Pescado on 2010 January 13, 10:00:55
No, it means that I have explicitly ordered people NOT to perform any such false-flag operations or actual hackings.
I don't know what constitutes a false flag operation, but if it includes deliberately spreading false propaganda, you should have a talk with Coconut again because it obviously didn't stick.
Quote from: J. M. Pescado on 2010 January 13, 10:00:55
If by "trail", you mean "the IP of a public proxy service", which coincidentally happened to match someone who was also probably a user of that network...totally meaningless, really. The ONE trend of this is that the attacker ALWAYS uses proxy SERVICES, never simply open proxies scanned from the open Internet. It's always some kind of known service provider of proxies, as opposed to the many unknown random proxies dotting the Internet. Other than that, not much of a trail, except that it tells us the attacker does not have the technical ability or interest to scan for his own proxies, and may even be paying money for access to these proxies.
The use of a specific proxy service alone doesn't say much, but combined with the rather unique user agent and the timeline of events it makes the trail pretty distinct.
There were also non-proxy IPs that had the same signature (same user agent, and the account had been accessed by the same proxy service).
Quote from: Inge on 2010 January 13, 15:02:54
Quote
* logged in as "hamilton" on MTS (that's Thomas's account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IPs
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files
Looks like it could have been Thomas himself then?
Yeah, I think that was the idea with the login to MTS. There was only this one login to MTS with this signature (user agent and IP); the other logins to his account on MTS were normal (not using a proxy and with a different user agent).
Thomas used the same password on multiple sites including MTS and TSR and there were signs of his TSR account being compromised.
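An added example, not written by anyone in this thread: a small Python correlation over constructed login records that shows how the investigation above links logins into one signature, a rare user agent used through a known proxy address block, across sites and accounts, and how unproxied IPs carrying the same signature become the pivot for provider-side records. The site names, account names, IP addresses, user agents and proxy range are all constructed or assumed, not taken from any real log.

```python
# Added example (not from this thread): correlate login records from several
# sites by user-agent rarity plus a known proxy address block, the way the
# investigation above links logins into one attacker signature.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data: IPs are RFC 5737 test ranges and the user agents
# are made up; none of it comes from the thread's real logs.
COMMON_UA = "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
RARE_UA = "Mozilla/4.0 (compatible; RareUA 1.1)"
LOGINS = [  # (site, account, ip, user_agent)
    ("TSR", "buggybooz", "203.0.113.17", RARE_UA),
    ("MTS", "hamilton", "203.0.113.22", RARE_UA),     # one odd login ...
    ("MTS", "hamilton", "198.51.100.9", COMMON_UA),   # ... among normal ones
    ("MTS", "sherriesim", "203.0.113.40", RARE_UA),
    ("MTS", "sherriesim", "192.0.2.77", RARE_UA),     # same UA, no proxy
    ("TSR", "leftywillnot", "203.0.113.5", RARE_UA),
] + [("TSR" if i % 2 else "MTS", f"user{i}", f"198.51.100.{20 + i}", COMMON_UA)
     for i in range(8)]
# Constructed address block standing in for the anonymising proxy service.
PROXY_RANGES = [ip_network("203.0.113.0/24")]

def is_proxy(ip):
    """True if the address falls inside a known proxy-service block."""
    return any(ip_address(ip) in net for net in PROXY_RANGES)

def rare_user_agents(logins, max_share=0.4):
    """User agents seen in at most max_share of all logins; rarity is the signal."""
    counts = Counter(ua for _, _, _, ua in logins)
    return {ua for ua, n in counts.items() if n / len(logins) <= max_share}

def correlate(logins, proxy_check=is_proxy):
    """For each rare user agent that was used through the proxy block, list the
    (site, account) pairs it touched and any unproxied IPs seen with it; those
    IPs are the pivot for provider-side records."""
    rare = rare_user_agents(logins)
    sig = defaultdict(lambda: {"accounts": set(), "unproxied_ips": set(), "proxied": False})
    for site, account, ip, ua in logins:
        if ua not in rare:
            continue
        entry = sig[ua]
        entry["accounts"].add((site, account))
        if proxy_check(ip):
            entry["proxied"] = True
        else:
            entry["unproxied_ips"].add(ip)
    # Only signatures that reach more than one account and used the proxy matter.
    return {ua: e for ua, e in sig.items() if e["proxied"] and len(e["accounts"]) > 1}
```

Calling `correlate(LOGINS)` on the constructed data returns the single rare signature with the four accounts it touched and the one unproxied IP seen with it.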
J. M. Pescado:
Quote from: Johan on 2010 January 13, 15:56:01
I don't know Bluesoup but i very much doubt she would give login details to the petition to someone on our side.
Willingly? Probably not. But she's incredibly stupid and does some very insecure things. And has a fat head.
Quote from: Johan on 2010 January 13, 15:56:01
I don't know what constitutes a false flag operation but if it includes deliberately spreading false propaganda you should have a talk with Coconut again because it obviously didn't stick.
A false flag operation is when you covertly attack your own side and frame the other side for the act. Coconut is more into "wild speculation based on the available information" and does not have the technical ability or access to stage a false flag operation against anyone.
Quote from: Johan on 2010 January 13, 15:56:01
Thomas used the same password on multiple sites including MTS and TSR and there were signs of his TSR account being compromised.
What sort of "signs"? Merely logins from strange IPs? That could even be Thomas himself checking whether the proxy is working. While Thomas remains the main suspect for the rogue operator who released the information, it could also be someone else. And not all of your DB administrators are fambly, either, apparently. Either way, no matter what happened, SOMEONE leaked the DB information, and the only person who could have done that is a DB administrator. That, or you are postulating the existence of someone who is simultaneously skilled enough to discover and use an exploit in nonstandard software (ruling out script-kiddy public exploits), steal your password database, and inept enough to attempt manual wiping of forum posts as a user, a combination of "extremely skilled" and "extremely stupid, short-sighted, and inefficient" that is completely devoid of internal consistency regardless of what political motivations you wish to ascribe to them.