GSC has been hacked

[Johan]

No, Scotty & i both don't use the same password or even the same accounts anywhere let alone TSR. The IP used to hack into both GSC & SV was thru a proxy server.

I might have worded that a little wrong, i meant did you have the same password as an account on TSR? (nothing to do with Scotty)

[Scotty]

I do have an account with TSR, but I havent logged into that place in several years. I do know that I dont have the same password there. And I have changed my Admin password at the GSC. I am also the only one that has access to my database. (Which has a different password than what I use anywhere else)

[Witchboy]

I might have worded that a little wrong, i meant did you have the same password as an account on TSR? (nothing to do with Scotty)

I really don't remember what my password was on SV. I hadn't logged into SV in quite awhile. All i know is i can't get in to change it now. As for a TSR password, the one i have now was most probably not the same as my SV password but a variation of.

[J. M. Pescado]

If you by initial leak refer to the Buggybooz incident i have also told you before that i think that was someone on your side given the actual evidence we had.

Seems unlikely, given that everyone on this side of the community is using stock board software that hashes passwords, and nobody else would have the technical ability to change that. The attacker's MO is very consistent, however, and demonstrates a slight iterative refinement with each subsequent attack, which makes it very much appear to be the same attacker, rather than a copycat.

[Inge]

Hang about, what on earth has Coconut got to do with GSC?  I mean, how come *she* was able to produce these details, rather than the person whose site it is (ie you)?  What is that a screenshot of, exactly?

[Scotty]

That ip was provided to Witchy from one of the Mods at Sim Vention. He gave that ip to Coconut, and she did a search on it. That screenshot is what she found. I got that same ip when I did a search on my site.

[Inge]

What sort of search on your site?  Why did you pick that particular IP as being the one that had caused the problem?

[Scotty]

Well, Witchboy's account was hacked at Sim Vention. That ip was associated with Witchy's account at the time of the hacking. And that same ip came up at my site. Both incidents happened at the same time.

[Inge]

That ip was associated with Witchy's account at the time of the hacking.

What you are saying is that someone from that IP was using Witchy's account?   And was someone from that IP using your account at the time you were hacked?   Was that IP associated with any other account on either of your sites, ever?

It's lucky you were both taking a backup at the very moment your sites were being hacked, or you would never have known which IP was logged into your account at the time, seeing as they deleted the whole lot.   One thing I am still confused about though is where did they make the name change, seeing as all the data (presumably including the text that holds the name of your site) was deleted?

[Zazazu]

Johan, if there's anyone at TSR I'd believe not to have destructive motives, it's you. That's not saying much. I think you've chosen to pull the wool over your eyes. You need to have an in-depth talk with your brother. If you really want to find out who in your organization might be orchestrating these attacks, you need to start with the person who provided Thomas with the hacked lists of names and emails from the epetition.

References:
http://tsr.mustbedestroyed.org/?p=858
http://www.petitiononline.com/mod_perl/signed.cgi?EANOTOK1

[Johan]

I have searched for that IP in our login log at TSR and came up empty.
It's interesting that both accounts were hacked by what seems to be the same person, this could make it a little easier to figure out if you could find the lowest common denominator.
It's probably not smart to list all sites where you might have used those passwords in public before you have changed them on those sites (if any) but that could give a lead.
To carefully examine the webserver logs for around the time of the attacks could also give something.

If you're using webmail you might want to consider changing the password and see if you can list the logins to it.

[Johan]

Johan, if there's anyone at TSR I'd believe not to have destructive motives, it's you. That's not saying much. I think you've chosen to pull the wool over your eyes. You need to have an in-depth talk with your brother. If you really want to find out who in your organization might be orchestrating these attacks, you need to start with the person who provided Thomas with the hacked lists of names and emails from the epetition.

References:
http://tsr.mustbedestroyed.org/?p=858
http://www.petitiononline.com/mod_perl/signed.cgi?EANOTOK1

I have talked to my brother. I know him far better than anyone else here (or anywhere else for that matter) and just because i choose to believe him based on what i know doesn't mean i'm pulling wool over my eyes.
Thomas has not received any hacked petition list, that was probably just another stunt by Coconut. I actually think she said Thomas gave it to Atwa, have she changed the story now?

[J. M. Pescado]

I am not willing to condemn someone merely for "Receiving Dox", which I do not believe qualifies as an atrocity in and of itself, and there is no evidence that this list was ever distributed anywhere, based on its relative worthlessness on a strategic level. On the other hand, while you may be entirely willing to vouch for your own brother, I highly doubt you are willing to vouch for the character of Atwa, who is, even by TSR standards, slimy, underhanded, and untrustworthy.

Conversely, while I'm sure you don't care for Coconut at all, I know that Coconut simply does not have the technical ability, the opportunity, or the access, needed to acquire this particular list ex-nihilo. Someone from TSR enabled this list to be acquired, even if nothing was done about it, and TSR was very quick to deny responsibility for anything involving said list even before the fingers had been pointed. And the fact remains, you DO have a rogue operator and he IS still at large.

[Johan]

I am not willing to condemn someone merely for "Receiving Dox", which I do not believe qualifies as an atrocity in and of itself, and there is no evidence that this list was ever distributed anywhere, based on its relative worthlessness on a strategic level. On the other hand, while you may be entirely willing to vouch for your own brother, I highly doubt you are willing to vouch for the character of Atwa, who is, even by TSR standards, slimy, underhanded, and untrustworthy.

Conversely, while I'm sure you don't care for Coconut at all, I know that Coconut simply does not have the technical ability, the opportunity, or the access, needed to acquire this particular list ex-nihilo. Someone from TSR enabled this list to be acquired, even if nothing was done about it, and TSR was very quick to deny responsibility for anything involving said list even before the fingers had been pointed. And the fact remains, you DO have a rogue operator and he IS still at large.

You're correct in that i'm not willing to vouch for Atwa, i barely know her. What she does or doesn't do is completely on her own.
I haven't seen anything at all that supports the theory that someone from TSR enabled the list to be acquired.
You sound very certain, do you know something about it that it don't?

Given the purpose of the petition i would imagine someone from TSR would be the last person to get access to it.
I believe it was established that the password was not from TSR in this case to?

You're wrong about when we denied responsibility, that was done after Coconut had accused us of it, a couple of days after if i remember correctly.
You're probably right about Coconut not having the technical assets to get access to the petition by some kind of hack though.
Would it be very unlikely that someone just gave it to her? She could at least put it to some use.

You seem to be quite sure about the rouge TSR operator and while i won't completely disregard that possibility there is reason to look elsewhere to. Especially considering what was found when me and Delphy investigated the Buggybooz incident, there was a very distinct trail leading elsewhere.

Either way i would certainly want to know based on things that can be verified ant not just theories.
It should be possible to find out if an email also used on TSR that has the same/similar password could have been used to recover a password for example.
In that case it might be possible to get a list of previous logins to see from what IP they came (at least if it's webmail).

[Witchboy]

That ip was associated with Witchy's account at the time of the hacking.

What you are saying is that someone from that IP was using Witchy's account?   And was someone from that IP using your account at the time you were hacked?   Was that IP associated with any other account on either of your sites, ever?

It's lucky you were both taking a backup at the very moment your sites were being hacked, or you would never have known which IP was logged into your account at the time, seeing as they deleted the whole lot.   One thing I am still confused about though is where did they make the name change, seeing as all the data (presumably including the text that holds the name of your site) was deleted?

I had no idea about SV being hacked into until yesterday when i tried to log in over there. I contacted Nei via MSN. She checked SV for me & found the info i posted earlier. I immediately told Scotty. SV is not mine or Scottys site. Destin owns SV, btw which will be gone after this month. Destin is no where to be found & Nei has limited access. The hacking into SV was done via my account as Nei stated in my earlier post. No one on SV or GSC was taking backups of anything during the hackings.

I am a creator and moderator on both SV & GSC. Scotty is Admin on GSC & just a regular member on SV. The ip used to attack GSC is the same ip that went in on SV & changed all my info & soft deleted my creations.

As for the motive of both sites being hit. I am pro pirate/file share friendly. Scotty and GSC pro pirate/file share friendly. SV pro pirate/file share friendly. Plus the TWAT has had it in for me ever since she busted me on Sims File Vault for file sharing.

[Inge]

There was also apparently an anti-gay element to the GSC hack (the name change), so it would be interesting to look back at anything ATWA has posted and see if that fits her persona.  Normally women are more tolerant of male homosexuality than men, especially very young ones.

[rufio]

Yes, but this is Atwa we're talking about.

[Scotty]

I must live under a rock, because I've never heard of ATWA before this all happened.

[J. M. Pescado]

Given the purpose of the petition i would imagine someone from TSR would be the last person to get access to it.
I believe it was established that the password was not from TSR in this case to?

I don't believe anything was really firmly established about the passwords in this case, because the person in question has been dead for a very long time and this event was roughly contemporaneous with the original Buggybooz incident, IIRC.

You're wrong about when we denied responsibility, that was done after Coconut had accused us of it, a couple of days after if i remember correctly.
You're probably right about Coconut not having the technical assets to get access to the petition by some kind of hack though.
Would it be very unlikely that someone just gave it to her? She could at least put it to some use.

Unlikely, given that I have explicitly ordered no such actions be taken. It would serve absolutely no purpose, given that the from a strategic standpoint, such an act has no value.

You seem to be quite sure about the rouge TSR operator and while i won't completely disregard that possibility there is reason to look elsewhere to. Especially considering what was found when me and Delphy investigated the Buggybooz incident, there was a very distinct trail leading elsewhere.

There wasn't so much a "distinct trail leading elsewhere" as a "lack of smoking gun". Delphy is unwilling to do anything without a level of proof suitable for a legal prosecution. As we are not interested in legal prosecution, we simply don't need that. It is enough that I recognize the signs. The information used could not really have come from anywhere else, and you have already admitted that the information was stored in a form that was easily accessible. Such attacks in the community had been completely unheard of until that point, and the fact that attacks of the same pattern continue to appear sporadically following that incident suggests that the list continues to be in use, even if it is not being updated anymore.

Either way i would certainly want to know based on things that can be verified ant not just theories.
It should be possible to find out if an email also used on TSR that has the same/similar password could have been used to recover a password for example.
In that case it might be possible to get a list of previous logins to see from what IP they came (at least if it's webmail).

Sure, it would be "possible" to find out. All you have to do is hit the "lost password" button on any website, and most standard software will contact the email with a reset link. You know this, I know this, everyone knows this. Of course, unless you want to hack someone's account merely to prove an obvious, known fact, this line of inquiry serves no useful purpose.

[Grimma]

May I just note that the fact that Johan came Whiteknighting as soon as whispers of "Hey, this reminds me of that incident in 200whatever, remember that, we still think that was TSR based on what we know, this looks very much like that did" started has completely re-assured me that there is, in fact, no TSR involvement. At all. Because they said so. Definately. Just like last time. And the time before that. And the time before that.

[Johan]

I don't believe anything was really firmly established about the passwords in this case, because the person in question has been dead for a very long time and this event was roughly contemporaneous with the original Buggybooz incident, IIRC.

So the link to TSR would be that Bluesoup had an account at TSR with the same password as for the petition and that password was leaked somehow in the same way as for Buggybooz?

First of all i find it hard to believe Bluesoup used the same password as on a TSR for a petition against EA's collaboration with TSR.
Even if she did you would have to know the secret part of the URL in order to log in and manage the petition. This URL is only sent to the petition author.

This means the rouge operator also had access to Bluesoups email or that she willingly shared that URL with someone and that someone passed it on to the operator.
I find it unlikely she used the same password for her email as on TSR. (if she indeed have or have had an account on TSR, i can't find an account named Bluesoup or one that uses the email used in the petition)

From what i can gather by googling this Bluesoup claimed the petition was "hacked" March 18 or earlier, the Buggubooz incident happened March 30.

Unlikely, given that I have explicitly ordered no such actions be taken. It would serve absolutely no purpose, given that the from a strategic standpoint, such an act has no value.

Does this mean you knew the petition had leaked and you ordered coconut or anyone else not to do anything with it, or what?

I'd say it suits your purpose perfectly from a strategic standpoint. Isn't the general consensus that TSR was behind the petition leak and is now spreading it around/uses it for evil purposes?
That surely has a lot of value in the anti TSR camp.

There wasn't so much a "distinct trail leading elsewhere" as a "lack of smoking gun". Delphy is unwilling to do anything without a level of proof suitable for a legal prosecution. As we are not interested in legal prosecution, we simply don't need that. It is enough that I recognize the signs. The information used could not really have come from anywhere else, and you have already admitted that the information was stored in a form that was easily accessible. Such attacks in the community had been completely unheard of until that point, and the fact that attacks of the same pattern continue to appear sporadically following that incident suggests that the list continues to be in use, even if it is not being updated anymore.

There was a pretty distinct trail, in case you forgot here's what we found when investigating it (using data from both TSR and MTS):

Whoever was behind this must have known what username buggybooz had on TSR and that was not well known in the community. Her account on TSR was logged in to by someone with exactly the same user agent string (which were not a very common one, i compared it to other logins in our login history and it was fairly unique) and an IP that was the same or was in the same range as was used on s2c (Hide my IP), slightly after the hacking took place on MTS.
That same signature also:
* logged in as "hamilton" on MTS (that's Thomas account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IP's
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files

In the list of IP's Atwa got from the service provider when she found out someone had been reading her email we were able to match them to the unproxied IP's of sherriesim. Unfortunately we didn't get the user agent from that list but i have a very strong suspicion that it would have matched the hackers signature.

We clearly have a very different POV.
From where i stand this is a smoking gun and it's not fitting with your idea of a rouge TSR operator.
The person behind the Buggybooz incident didn't get caught so he/she could possibly have been behind other hackings.

Sure, it would be "possible" to find out. All you have to do is hit the "lost password" button on any website, and most standard software will contact the email with a reset link. You know this, I know this, everyone knows this. Of course, unless you want to hack someone's account merely to prove an obvious, known fact, this line of inquiry serves no useful purpose.

That isn't what i meant. It should be possible to find out exactly how it works in the case of Scotty and Witchboy without any kind of hacking.
IE, would it be possible just by knowing their email address to gain access and "hack" their accounts?
If the answer is no then there is no link whatsoever to TSR.

[J. M. Pescado]

So the link to TSR would be that Bluesoup had an account at TSR with the same password as for the petition and that password was leaked somehow in the same way as for Buggybooz?

First of all i find it hard to believe Bluesoup used the same password as on a TSR for a petition against EA's collaboration with TSR.

Are you kidding? This is BLUESOUP. BlueSoup is a fatheaded idiot. I mean, what do you expect from someone who starts e-Petitions? Everyone with half a brain knows those are utterly worthless. Hell, it's already been firmly debunked on Snopes.

Even if she did you would have to know the secret part of the URL in order to log in and manage the petition. This URL is only sent to the petition author.

I don't know how "secret" such a URL is, but the Fathead would be dumb enough to lose her email that way, yes.

From what i can gather by googling this Bluesoup claimed the petition was "hacked" March 18 or earlier, the Buggubooz incident happened March 30.

Like I said, roughly contemporaneous. I distantly recall them as events that occurred within the same year only, and wasn't even sure which came first, but you have nicely put a date on them that has them seperated by less than 2 weeks, which rather tightens the association between these two events nicely!

Does this mean you knew the petition had leaked and you ordered coconut or anyone else not to do anything with it, or what?

No, it means that I have explicitly ordered people NOT to perform any such false-flag operatons or actual hackings.

I'd say it suits your purpose perfectly from a strategic standpoint. Isn't the general consensus that TSR was behind the petition leak and is now spreading it around/uses it for evil purposes?
That surely has a lot of value in the anti TSR camp.

Actually, at the time, the petition being hacked was mostly blamed on BlueSoup's incompetence and not specifically linked to TSR. In fact, the origin of the name list wasn't even resolved until later. The petition thing had been really entirely blown off and forgotten about within days, as no real proof was ever found, and besides, those things are stupid as hell. What brought it back to light was the fact that the list was intercepted circulating the halls of TSR. At first, it was speculated that it was a selected list from TSR's database again, something that TSR issued a suspiciously quick denial of, but this idea never really gained traction and pretty much died out instantly after the BlueSoup Petition Theory was proposed.

There was a pretty distinct trail, in case you forgot here's what we found when investigating it (using data from both TSR and MTS):

If by "trail", you mean "the IP of a public proxy service", which coincidentally happened to match someone who was also probably a user of that network...totally meaningless, really. The ONE trend of this is that the attacker ALWAYS uses proxy SERVICES, never simply open proxies scanned from the open Internet. It's always some kind of known service provider of proxies, as opposed to the many unknown random proxies dotting the Internet. Other than that, not much of a trail, except that it tells us the attacker does not have the technical ability or interest to scan for his own proxies, and may even be paying money for access to these proxies.

[Inge]

* logged in as "hamilton" on MTS (that's Thomas account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IP's
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files

Looks like it could have been Thomas himself then?

[Johan]

I don't know how "secret" such a URL is, but the Fathead would be dumb enough to lose her email that way, yes.

It looks like this:
http://www.petitiononline.com/PMBDMBD/RUngyNUKAePJ.cgi
RUngyNUKAePJ being the secret part.
Feel free to sign my test petition by the way.
I don't know Bluesoup but i very much doubt she would give login details to the petition to someone on our side.

Like I said, roughly contemporaneous. I distantly recall them as events that occurred within the same year only, and wasn't even sure which came first, but you have nicely put a date on them that has them seperated by less than 2 weeks, which rather tightens the association between these two events nicely!

It is interesting that the events happened around the same time yes.

No, it means that I have explicitly ordered people NOT to perform any such false-flag operatons or actual hackings.

I don't know what constitutes a false flag operation but if it includes deliberately spreading false propaganda you should have a talk with Coconut again because it obviously didn't stick.

If by "trail", you mean "the IP of a public proxy service", which coincidentally happened to match someone who was also probably a user of that network...totally meaningless, really. The ONE trend of this is that the attacker ALWAYS uses proxy SERVICES, never simply open proxies scanned from the open Internet. It's always some kind of known service provider of proxies, as opposed to the many unknown random proxies dotting the Internet. Other than that, not much of a trail, except that it tells us the attacker does not have the technical ability or interest to scan for his own proxies, and may even be paying money for access to these proxies.

The use of a specific proxy service alone don't say much but combined with the rather unique user agent and the time line of events makes the trail pretty distinct.
There were also non-proxy IP's that had the same signature (same user agent and the account had been accessed by the same proxy service).

* logged in as "hamilton" on MTS (that's Thomas account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IP's
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files

Looks like it could have been Thomas himself then?

Yeah i think that was the idea with the login to MTS. There was only this one login to MTS with this signature (user agent and IP), the other logins to his account on MTS were normal (not using a proxy and with a different user agent). 
Thomas used the same password on multiple sites including MTS and TSR and there were signs of his TSR account being compromised.

[J. M. Pescado]

I don't know Bluesoup but i very much doubt she would give login details to the petition to someone on our side.

Willingly? Probably not. But she's incredibly stupid and does some very insecure things. And has a fat head.

I don't know what constitutes a false flag operation but if it includes deliberately spreading false propaganda you should have a talk with Coconut again because it obviously didn't stick.

A false flag operation is when you covertly attack your own side and frame the other side for the act. Coconut is more into "wild speculation based on the available information" and does not have the technical ability or access to stage a false flag operation against anyone.

Thomas used the same password on multiple sites including MTS and TSR and there were signs of his TSR account being compromised.

What sort of "signs"? Merely logins from strange IPs? That could even be Thomas himself checking whether the proxy is working. While Thomas remains the main suspect for the rogue operator who released the information, it could also be someone else. And not all of your DB administrators are fambly, either, apparently. Either way, no matter what happened, SOMEONE leaked the DB information, and the only person who could have done that is a DB administrator. That, or you are postulating the existence of someone who is simultaneously skilled enough to discover and use an exploit in nonstandard software (ruling out script-kiddy public exploits), steal your password database, and inept enough to attempt manual wiping of forum posts as a user, a combination of "extremely skilled" and "extremely stupid, short-sighted, and inefficient" that is completely devoid of internal consistency regardless of what political motivations you wish to ascribe to them.