GSC has been hacked

[Johan]

A false flag operation is when you covertly attack your own side and frame the other side for the act. Coconut is more into "wild speculation based on the available information" and does not have the technical ability or access to stage a false flag operation against anyone.

And when the information available isn't interesting enough she can get really creative and just make things up. A false flag operation from that end wouldn't surprise me the least if she had the opportunity. Like for example if she got a hold of the petition.
It's interesting that the incriminating evidence she claims to have still hasn't shown up.

What sort of "signs"? Merely logins from strange IPs? That could even be Thomas himself checking whether the proxy is working. While Thomas remains the main suspect for the rogue operator who released the information, it could also be someone else. And not all of your DB administrators are fambly, either, apparently. Either way, no matter what happened, SOMEONE leaked the DB information, and the only person who could have done that is a DB administrator. That, or you are postulating the existence of someone who is simultaneously skilled enough to discover and use an exploit in nonstandard software (ruling out script-kiddy public exploits), steal your password database, and inept enough to attempt manual wiping of forum posts as a user, a combination of "extremely skilled" and "extremely stupid, short-sighted, and inefficient" that is completely devoid of internal consistency regardless of what political motivations you wish to ascribe to them.

There were items in his download basket that he didn't put there. Unfortunately our login log has been purged so i can't investigate it any further now.

That login information leaked from the TSR database via some kind of exploit or compromised account is one possibility but there could be other explanations to this.
I don't _know_ exactly what happened and it annoys me a great deal.

Thomas don't have the knowledge to perform such operations without leaving a trace and my fellow sysadmin is also out of the question, even if he would have the technical skills required.
To think that one of the owners of TSR (who are the only ones with access to the member database) leaked login information is just not realistic. I know how we think and operate.

[J. M. Pescado]

And when the information available isn't interesting enough she can get really creative and just make things up.

I have not seen anything "made up" except theories. Certainly there has been no fabrication of actual EVIDENCE. And everyone is entitled to crackpot theories, after all. Sometimes they're even right.

A false flag operation from that end wouldn't surprise me the least if she had the opportunity. Like for example if she got a hold of the petition.
It's interesting that the incriminating evidence she claims to have still hasn't shown up.

Which incriminating evidence? I haven't seen any "claims".

There were items in his download basket that he didn't put there. Unfortunately our login log has been purged so i can't investigate it any further now.

I fail to see how that is meaningful. Any number of reasons could cause items to be added to a computerized download basket. Technical glitches, misclicks, or he could simply have forgotten. This happens all the time.

That login information leaked from the TSR database via some kind of exploit or compromised account is one possibility but there could be other explanations to this.
I don't _know_ exactly what happened and it annoys me a great deal.

Well, TSR's code is nonstandard. It's not an off-the-shelf component, and as such, is largely immune to attack by common script-kiddies. That means you're going to need some degree of actual wizardry to find and use an exploit. Let us postulate that such a event occurred and resulted in this outside party acquiring your DB. Why, then, is this same party using the access they have gained from it in such an inept, hamfisted way that is utterly inconsistent with anything a wizard would do? Wizards do not concern themselves with anything as boring and drudgerous as manually deleting posts off a site thread by thread. That would be stupid. A wizard would just drop the entire database in a single command. Or steal it and leave silently, without anything to indicate that something was amiss. That is how a wizard would operate. Given that this behavior is completely inconsistent with a wizard, and NO wizard would EVER do such a thing, we must consider the only other alternate hypothesis: An administrative user did so.

Thomas don't have the knowledge to perform such operations without leaving a trace and my fellow sysadmin is also out of the question, even if he would have the technical skills required.

You may very well be right. Maybe they don't have the knowledge to perform such an operation without leaving a trace...and guess what? They didn't. From your own testimony, big, fat, sloppy traces were left everywhere. Not traces solid enough to prove that one of them specifically did it, for whoever did it DID try to cover their tracks, but clearly, enough to reveal that one of them DID do it.

To think that one of the owners of TSR (who are the only ones with access to the member database) leaked login information is just not realistic. I know how we think and operate.

And yet you are left with a conundrum: You agree that TSR owners are the only ones with access to the member database. Yet, information from that database was leaked. Obviously, one of these must be false: Either TSR owners are not the only ones with access to the database, or you don't know how they REALLY think and operate.

I, on the other hand, know security. I know that in order to accomplish sucha thing WITHOUT authorized access to the database, one would have to be a wizard. This individual would have to have a decent understanding of PHP and SQL injection. He would have to understand this subject matter enough that he could devise his own attacks, for TSR is not stock code and cannot be attacked by script-kiddy methods. Having thus the ABILITY to gain access to the DB, he would then need to know exactly what to look for in the DB, and then, having found that information, he would need a motive and opportunity to USE it. Now, I know wizards. Wizards are very tight with the information they illicitly gain. They do not squander it casually, especially when it is so hard-won, and certainly are not inclined to allow mere hoi polloi to play with it, especially not in such a clumsy and amateurish fashion. So I argue that it is clear a wizard did not do this. Do you dispute this argument?

[Inge]

Yet, information from that database was leaked.

Pescado this is no longer in question.  Johan and Thomas have both openly stated that TSR admins (I think the actual agent was Steve) shared information from the database with a group of TSR artists, supposedly to boost their morale that was low due to having their work "stolen".   I am not sure what it was *intended* they should do with the information.   In Thomas's case he still thinks it was correct to have done this.  In Johan's case he's not so sure.   We haven't heard from Steve to find out how he feels about it now.

[Johan]

Yet, information from that database was leaked.

Pescado this is no longer in question.  Johan and Thomas have both openly stated that TSR admins (I think the actual agent was Steve) shared information from the database with a group of TSR artists, supposedly to boost their morale that was low due to having their work "stolen".   I am not sure what it was *intended* they should do with the information.   In Thomas's case he still thinks it was correct to have done this.  In Johan's case he's not so sure.   We haven't heard from Steve to find out how he feels about it now.

Not quite, the actual agents were Thomas and me. We posted names of pirates we caught by the watermark in a private forum.
The intention was somewhere in the line of a morale boost for our artist showing them we were able to do something about the pirate problem.
In all fairness Steve had nothing to do with it.

The watermarking was quite successful until Pescado ruined it all by cleaning the files before putting them in the booty.
Yes publishing names was short sighted, morally wrong and unthoughtful.
It happened but if i can help it it will not happen again.

Anyway, this is completely unrelated to the events we debate now.
Pescado firmly believes that the only way someone could have "hacked" Buggybooz account on MTS would be that the hacker got the password from the TSR database, this is the leak in question.

[Inge]

Johan, the screenshots of the chat I saw where artists were being given details of some users it was Steve with them, I am sure.  This was a chat not a forum.

[Johan]

I have not seen anything "made up" except theories. Certainly there has been no fabrication of actual EVIDENCE. And everyone is entitled to crackpot theories, after all. Sometimes they're even right.

You don't have to look further than her latest post on PMBD:

TSR stores password history, and despite what Team Johan tells you, it is NOT encrypted.

Two made up statements right there:
TSR doesn't store password history at all. Unless Coconut is one of the owners this is information she can't possibly know.
Team Johan was some drivel she posted earlier in that thread about my postings on PMBD and here would be some kind of team effort from TSR. Again presented as a fact, not a theory.

Which incriminating evidence? I haven't seen any "claims".

I was under the impression Coconut had evidence of the petition showing up at TSR, possibly with some involvement of Atwa. That's what i heard when asking if we should just take Coconuts word for what happened, IIRC.

I fail to see how that is meaningful. Any number of reasons could cause items to be added to a computerized download basket. Technical glitches, misclicks, or he could simply have forgotten. This happens all the time.

Sure, all of that is theoretically possible. It is also possible that someone used his account to download stuff and thus knew the password. That could also explain how other passwords could have been obtained if the perpetrator logged in to our admin area as Thomas.

Well, TSR's code is nonstandard. It's not an off-the-shelf component, and as such, is largely immune to attack by common script-kiddies. That means you're going to need some degree of actual wizardry to find and use an exploit. Let us postulate that such a event occurred and resulted in this outside party acquiring your DB. Why, then, is this same party using the access they have gained from it in such an inept, hamfisted way that is utterly inconsistent with anything a wizard would do? Wizards do not concern themselves with anything as boring and drudgerous as manually deleting posts off a site thread by thread. That would be stupid. A wizard would just drop the entire database in a single command. Or steal it and leave silently, without anything to indicate that something was amiss. That is how a wizard would operate. Given that this behavior is completely inconsistent with a wizard, and NO wizard would EVER do such a thing, we must consider the only other alternate hypothesis: An administrative user did so.

Having an in-house system is a double edged sword. It's pretty much immune to public exploits on the application level but the security of it is only as good as the knowledge in security possessed by its developers, which would be me and Per.
I'd like to think i have a pretty good understanding of it by i am by no means a wizard and neither is Per. Part of the codebase is more then 10 years old and during the time period of the hackings we were maintianing both the old system while working on stabilizing the new one. Stupid mistakes could very well have lead to weak security in some parts of it all.

Again, we actually don't _know_ that the password came from the TSR database to begin with, you just find it likely based on how you interpret the circumstances.

You may very well be right. Maybe they don't have the knowledge to perform such an operation without leaving a trace...and guess what? They didn't. From your own testimony, big, fat, sloppy traces were left everywhere. Not traces solid enough to prove that one of them specifically did it, for whoever did it DID try to cover their tracks, but clearly, enough to reveal that one of them DID do it.

A trace back to Thomas that i would recognize is what i meant. He certainly wouldn't be able to leave a trace going to sherrisim which is what we see here.
I believe that trace is genuine and not a cover up.

And yet you are left with a conundrum: You agree that TSR owners are the only ones with access to the member database. Yet, information from that database was leaked. Obviously, one of these must be false: Either TSR owners are not the only ones with access to the database, or you don't know how they REALLY think and operate.

I lean towards either someone had access to the database (via our admin system), a security breach or that the password didn't come from TSR.

I, on the other hand, know security. I know that in order to accomplish sucha thing WITHOUT authorized access to the database, one would have to be a wizard. This individual would have to have a decent understanding of PHP and SQL injection. He would have to understand this subject matter enough that he could devise his own attacks, for TSR is not stock code and cannot be attacked by script-kiddy methods. Having thus the ABILITY to gain access to the DB, he would then need to know exactly what to look for in the DB, and then, having found that information, he would need a motive and opportunity to USE it. Now, I know wizards. Wizards are very tight with the information they illicitly gain. They do not squander it casually, especially when it is so hard-won, and certainly are not inclined to allow mere hoi polloi to play with it, especially not in such a clumsy and amateurish fashion. So I argue that it is clear a wizard did not do this. Do you dispute this argument?

No i don't think it was a wizard either, the other scenarios i mentioned earlier would be much more likely.
So there, we agree on something at least.

Since you're moving stuff to Sweden perhaps i can offer some server space in our racks?

[Johan]

Johan, the screenshots of the chat I saw where artists were being given details of some users it was Steve with them, I am sure.  This was a chat not a forum.

Not sure what chat that might have beenthen, i was referring to the forum thread that Coconut got screenshots of.
Steve was not actively harvesting pirates there IIRC though he might have posted in the thread.

[J. M. Pescado]

Having an in-house system is a double edged sword. It's pretty much immune to public exploits on the application level but the security of it is only as good as the knowledge in security possessed by its developers, which would be me and Per.

Yes, but to even penetrate BAD security requires a level of understanding comparable to the people who wrote it, or better. Working from the assumption that you are not grossly incompetent, it therefore requires that someone be at LEAST as good as you to penetrate security effectively: As TSR's systems are all nonstandard, someone doing this would be entirely guessing about your database and directory structure, meaning we're dealing with blind PHP/SQL injection. Not exactly a topic that people in the community are terribly familiar with. The entry barrier to such an act combined with the limited pool of technical talent makes this scenario highly unlikely. Someone external to the community on the other hand, could possess the skills necessary to do this, but then would be devoid of community knowledge, so could not effectively exploit this information to attack along political lines as we have seen, nor would they have the motive to do such a thing. An attacker like this would just deface your website and move on. We haven't seen this, so this scenario, also, is highly unlikely.

Again, we actually don't _know_ that the password came from the TSR database to begin with, you just find it likely based on how you interpret the circumstances.

Well, if it did not come from TSR, where did it come from? You already admitted that TSR stored passwords in the clear, readable to anyone with even the bare minimum of database knowledge, providing they could gain access to it. Many of the attacked victims have admitted that they used their TSR password. A few cases are unconfirmed, but we have not had anyone categorically deny it. If the passwords did not come from TSR, where did they come from? The only other site with that kind of broad reach would be MTS2. But MTS2 is running vBulletin, a system that hashes passwords by default. It is possible that it was altered not to do so, but to pursue this line of reasoning would be to directly accuse Delphy of doing this instead. That does not seem like a particularly reasonable scenario given that Delphy has absolutely no motive for such a thing and has intentionally attempted to remain as neutral as possible on the issue. Therefore, I cannot conceive of any other scenario in which passwords which all coincidentally happen to be shared with TSR accounts could come to be compromised without the source being at TSR. Can you? Even if a third-party source were to acquire these passwords by an independent, non-TSR-related means, how would they know the passwords were shared with TSR so that they could selectively attack only those accounts?

A trace back to Thomas that i would recognize is what i meant. He certainly wouldn't be able to leave a trace going to sherrisim which is what we see here.
I believe that trace is genuine and not a cover up.

We don't really know if there is a trace going to Sherriesim. All we know is that Sherriesim was one of the accounts accessed through that proxy with that particular useragent. Numerous highly plausible scenarios present themselves:
1. Sherriesim's account was among those compromised. As the original owner is apparently deceased, this cannot be verified either way.
2. The useragent, seemingly unique, is actually falsified as a part of the using the proxy service. This is trivial and common. As a known public proxy service, as opposed to private or misconfigured proxies, such a practice would be quite common and independent usage by Sherriesim would not be surprising.
So yes, I believe the information you traced is probably genuine. However, it is also meaningless. The same proxy IP used over an extended duration by seemingly unrelated people is merely evidence that it is a public proxy service, which we knew.

I lean towards either someone had access to the database (via our admin system), a security breach or that the password didn't come from TSR.

Well, of these three scenarios, two appear highly unlikely for the reasons described above. While anything is certainly POSSIBLE, the latter two are unlikely for technical reasons, whereas the first has no particular technical barrier rendering it unlikely: The only reason it is unlikely is because of a computer technician's reading of people. Computer technicians are not exactly known for their great people-reading skills.

No i don't think it was a wizard either, the other scenarios i mentioned earlier would be much more likely.
So there, we agree on something at least.

You mentioned two alternate scenarios: That an unauthorized user hacked TSR and stole the information from TSR, or that the information did not come from TSR, but was manipulated to LOOK like it did. Both of them involve wizardry: Either someone managed to break security by their own efforts, using technical knowledge to do so, or someone created an elaborate phishing trap to steal information about TSR users without compromising the database, a work which would require a fair level of technical knowledge, as they would need to conduct a man-in-the-middle attack or hijack your DNS, AND create a convincing mock-up of TSR. After this display of technical wizardry, the attacker would then proceed to hack unrelated forums and manually delete posts thread by thread. This makes about as much sense as a terrorist acquiring a nuclear device, removing the detonation charge, and then using the conventional explosive as a suicide bomb.

But you just said you don't believe a wizard did it, either!

[Johan]

Yes, but to even penetrate BAD security requires a level of understanding comparable to the people who wrote it, or better. Working from the assumption that you are not grossly incompetent, it therefore requires that someone be at LEAST as good as you to penetrate security effectively: As TSR's systems are all nonstandard, someone doing this would be entirely guessing about your database and directory structure, meaning we're dealing with blind PHP/SQL injection. Not exactly a topic that people in the community are terribly familiar with. The entry barrier to such an act combined with the limited pool of technical talent makes this scenario highly unlikely. Someone external to the community on the other hand, could possess the skills necessary to do this, but then would be devoid of community knowledge, so could not effectively exploit this information to attack along political lines as we have seen, nor would they have the motive to do such a thing. An attacker like this would just deface your website and move on. We haven't seen this, so this scenario, also, is highly unlikely.

Those are good points, to find vulnerabilities in a non stock system requires a lot more than google skills so yes, not likely.
It would be relatively more likely that our forum got hacked, which is a pretty much standard vBulletin install.
The way we integrate it with TSR is that when you sign up on TSR a forum user is added using the same method the forum itself would use had you signed up using the stock install.

I don't find it likely someone within the community would have the skills required for such an attack either but there are lots of places on the net where script kiddies with egos that needs feeding gladly helps.

Well, if it did not come from TSR, where did it come from? You already admitted that TSR stored passwords in the clear, readable to anyone with even the bare minimum of database knowledge, providing they could gain access to it. Many of the attacked victims have admitted that they used their TSR password. A few cases are unconfirmed, but we have not had anyone categorically deny it. If the passwords did not come from TSR, where did they come from? The only other site with that kind of broad reach would be MTS2. But MTS2 is running vBulletin, a system that hashes passwords by default. It is possible that it was altered not to do so, but to pursue this line of reasoning would be to directly accuse Delphy of doing this instead. That does not seem like a particularly reasonable scenario given that Delphy has absolutely no motive for such a thing and has intentionally attempted to remain as neutral as possible on the issue. Therefore, I cannot conceive of any other scenario in which passwords which all coincidentally happen to be shared with TSR accounts could come to be compromised without the source being at TSR. Can you? Even if a third-party source were to acquire these passwords by an independent, non-TSR-related means, how would they know the passwords were shared with TSR so that they could selectively attack only those accounts?

Hashed passwords (in this case md5 + salt) are not immune to decoding. Google it if you're in doubt.
Buggys password was even of the sort you could have guessed and got lucky.

We don't really know if there is a trace going to Sherriesim. All we know is that Sherriesim was one of the accounts accessed through that proxy with that particular useragent. Numerous highly plausible scenarios present themselves:
1. Sherriesim's account was among those compromised. As the original owner is apparently deceased, this cannot be verified either way.
2. The useragent, seemingly unique, is actually falsified as a part of the using the proxy service. This is trivial and common. As a known public proxy service, as opposed to private or misconfigured proxies, such a practice would be quite common and independent usage by Sherriesim would not be surprising.
So yes, I believe the information you traced is probably genuine. However, it is also meaningless. The same proxy IP used over an extended duration by seemingly unrelated people is merely evidence that it is a public proxy service, which we knew.

In response to those scenarios:
#1 We also know that the Sherriesim account was accessed through a non proxy IP with that particluar useragent.
This is a significant detail. The origin of that IP fits with Sherriesim's location AFAIK.

Thomas or someone acting on his behalf would not be able to fake that.
Without this detail i would have agreed with your conclusion.

#2 The information about this particular user agent was not revealed until after the events took place.
The useragent string matched very few logins on TSR and MTS so it's not at all common within the community.
If any other community site would be interested to gig further into this i can post what useragent and IP (non proxied) to look for.

Well, of these three scenarios, two appear highly unlikely for the reasons described above. While anything is certainly POSSIBLE, the latter two are unlikely for technical reasons, whereas the first has no particular technical barrier rendering it unlikely: The only reason it is unlikely is because of a computer technician's reading of people. Computer technicians are not exactly known for their great people-reading skills.

I don't think i have any special skills reading people but i can usually tell if Thomas is lying to me, it's probably not very unusual within family.

I simply don't believe the password were willingly handed out by Thomas for many reasons but mostly because i know him very well.
There would be absolutely no gain for him and/or TSR to have someone hack buggys's account on MTS.

You might think he's stupid, evil, greedy and whatever else his reputation says he is and therefore you find it plausible or even likely he did it.
I know what he really is like and although i don't always agree with his ways it's really not _that_ bad.

[J. M. Pescado]

It would be relatively more likely that our forum got hacked, which is a pretty much standard vBulletin install.
The way we integrate it with TSR is that when you sign up on TSR a forum user is added using the same method the forum itself would use had you signed up using the stock install.

The forum coud be hackable, but again, let's look at the motives and opportunities of people who would do such a thing.
1. Random Net Kiddies: Someone like this simply would not have the patience to try to puzzle out your arcane DB structure and extract passwords. An attacking script kiddy will deface your forum and move onto the next target.
2. Someone from the community: Assuming you postulate an anti-TSR activitist doing this, one who is impulsive and disregards publicly-issued orders, would they honestly pass up an opportunity to simply vandalize your forum directly, or pass up the intelligence coup that being able to read your Secret Squirrel sections would be? Alternatively, if it is the work of an internal TSR faction, they would still be interested in your Secret Squirrelism.

I don't find it likely someone within the community would have the skills required for such an attack either but there are lots of places on the net where script kiddies with egos that needs feeding gladly helps.

And so we come to the fact that community is just not that technically apt. And script kiddies don't operate this way, they go for quantity: Vandalize, move on.

Hashed passwords (in this case md5 + salt) are not immune to decoding. Google it if you're in doubt.
Buggys password was even of the sort you could have guessed and got lucky.

It is possible to crack a salted md5 password, given a sufficiently weak password and sufficient time. However, this is nontrivial in both computational expense and skill required, because you'd need to rig up a small cluster to be able to break unrelated passwords in reasonable time. And there are simply far better ways of doing so if you can acquire a hashed password off someone else's database (also, md5 is losing popularity as a cryptographic hash and software that uses it is becoming uncommon, as most now prefer SHA or others). Additionally, it does not address the fact that even IF they acquired the password elsewhere, they would not know that users were ALSO using them on TSR, and thus would not be able to selectively attack only TSR users, unless they were testing every compromised user on TSR first, which you would notice. While it is possible that the Buggybooz password was individually guessed, a password guessing attack would A: Leave evidence of previous login failures unless they managed to completely luck out and guess the first time, and B: Not repeatedly occur and correlate with people-who-happened-to-reuse-TSR-passwords. With that in mind, I am quite certain the passwords originate from the TSR database. As for HOW they originated from the TSR database, we've ruled out pretty much all the Johan-supported scenarios, on technical grounds, so unless you've got a new scenario to propose, we're running out of non-ugly ways to see this.

In response to those scenarios:
#1 We also know that the Sherriesim account was accessed through a non proxy IP with that particluar useragent.
This is a significant detail. The origin of that IP fits with Sherriesim's location AFAIK.

"The UK" is not really a meaningful location to fit things to, as many people come from that area, including, but not limited to, say, Atwa, IIRC.

Thomas or someone acting on his behalf would not be able to fake that.
Without this detail i would have agreed with your conclusion.

Unless said person were, say, from the UK. In truth, the Sherriesim detail doesn't really answer the question of where the passwords came from. It only tells us that the attacker who directly carried out the action was possibly not Thomas himself.

I don't think i have any special skills reading people but i can usually tell if Thomas is lying to me, it's probably not very unusual within family.

You might think he's stupid, evil, greedy and whatever else his reputation says he is and therefore you find it plausible or even likely he did it.
I know what he really is like and although i don't always agree with his ways it's really not _that_ bad.

Fair enough, but that leaves unaddressed the question of who did it. Either Thomas is not showing any signs of lying because he genuinely believes what he told you is true, perhaps because you asked the wrong questions or he misunderstood the question or the acts, or someone else did it. Both could be entirely plausible.

I simply don't believe the password were willingly handed out by Thomas for many reasons but mostly because i know him very well.
There would be absolutely no gain for him and/or TSR to have someone hack buggys's account on MTS.

YOU simply wouldn't believe it. And you're right: There's absolutely no logical gain to be had from such an act. Doesn't mean people, particularly artiste-types, don't frequently and consistently behave stupidly and illogically. As a computer tech, this idea is probably not something you really grok, but people are frequently very stupid, irrational, and short-sighted. This is why they buy insurance, lottery tickets, and crap some spammer shilled.

[Inge]

As a T with some F, I say that a  twin *would* know if their twin was lying.  Whether techie or artistic.   And the liar would be finding it increasingly hard to look nonchalent as the pressure is maintained and the income of several people they are close to reduces as a result.

I have made the point that because Thomas has chosen to put on a bold face to the public and maintain he did nothing wrong in originally doxing members, it has *invited* suspicion of further, more heinous, acts that he probably did not commit.   Had he put his hands up in the first place and said the doxing was a mistake, like Johan has, then although there would still be disdain for TSR as a paysite, we probably would not be thinking of Thomas as the devil incarnate right now.

The reason most sims sites get hacked is a combination of poor security and a person who has a grudge against the site owner.  Everyone can take care of point 1, then 1000 devil Thomases with 1000 minion ATWAs working under their direct instruction can't touch you.   A hacker to your sims site does you a favour.  It teaches you about security before you make the same mistake with your company's website and lose a load of money.   Part of that security is about vetting the people you entrust with privileges and info on the site - and this comes full circle back to TSR trusting unvetted FAs with admin-level information.

[Johan]

The forum coud be hackable, but again, let's look at the motives and opportunities of people who would do such a thing.
1. Random Net Kiddies: Someone like this simply would not have the patience to try to puzzle out your arcane DB structure and extract passwords. An attacking script kiddy will deface your forum and move onto the next target.
2. Someone from the community: Assuming you postulate an anti-TSR activitist doing this, one who is impulsive and disregards publicly-issued orders, would they honestly pass up an opportunity to simply vandalize your forum directly, or pass up the intelligence coup that being able to read your Secret Squirrel sections would be? Alternatively, if it is the work of an internal TSR faction, they would still be interested in your Secret Squirrelism.

And so we come to the fact that community is just not that technically apt. And script kiddies don't operate this way, they go for quantity: Vandalize, move on.

A third option could be a combination of a 2 getting help from a 1.

It is possible to crack a salted md5 password, given a sufficiently weak password and sufficient time. However, this is nontrivial in both computational expense and skill required, because you'd need to rig up a small cluster to be able to break unrelated passwords in reasonable time. And there are simply far better ways of doing so if you can acquire a hashed password off someone else's database (also, md5 is losing popularity as a cryptographic hash and software that uses it is becoming uncommon, as most now prefer SHA or others). Additionally, it does not address the fact that even IF they acquired the password elsewhere, they would not know that users were ALSO using them on TSR, and thus would not be able to selectively attack only TSR users, unless they were testing every compromised user on TSR first, which you would notice. While it is possible that the Buggybooz password was individually guessed, a password guessing attack would A: Leave evidence of previous login failures unless they managed to completely luck out and guess the first time, and B: Not repeatedly occur and correlate with people-who-happened-to-reuse-TSR-passwords. With that in mind, I am quite certain the passwords originate from the TSR database. As for HOW they originated from the TSR database, we've ruled out pretty much all the Johan-supported scenarios, on technical grounds, so unless you've got a new scenario to propose, we're running out of non-ugly ways to see this.

http://www.waraxe.us/forum-57.html
This is an example of where you could get information on how to crack a hashed password, find someone to crack it for you and even get help hacking a forum.

The main reason i don't want to write this scenario off completely is that we have had other events where someone has managed to log in on multiple FA accounts on TSR being able to delete things.
We did not find out how that could have happened either and it also support the theory that passwords somehow leaked from the TSR database.
We changed passwords on those FA account to completely random ones to rule out the possibility that they could have been obtained elsewhere and even after that some accounts were compromised.

"The UK" is not really a meaningful location to fit things to, as many people come from that area, including, but not limited to, say, Atwa, IIRC.

Unless said person were, say, from the UK. In truth, the Sherriesim detail doesn't really answer the question of where the passwords came from. It only tells us that the attacker who directly carried out the action was possibly not Thomas himself.

It's more specific than "The UK", at least one of the sherriesim IP's come from a Manchester ISP. Since this happened some time ago it might be hard to get more information about this now but if some other site owner is willing to have a look in the logs we could perhaps shed even more light on this.
Indeed it does not answer the question where the password came from but it says something about who did it.

YOU simply wouldn't believe it. And you're right: There's absolutely no logical gain to be had from such an act. Doesn't mean people, particularly artiste-types, don't frequently and consistently behave stupidly and illogically. As a computer tech, this idea is probably not something you really grok, but people are frequently very stupid, irrational, and short-sighted. This is why they buy insurance, lottery tickets, and crap some spammer shilled.

Assuming the following hackings on various sites would also be Thomas that would amount to a level of stupidity i can't even begin to imagine given the debacle the Buggubooz incident resulted in.

[J. M. Pescado]

http://www.waraxe.us/forum-57.html
This is an example of where you could get information on how to crack a hashed password, find someone to crack it for you and even get help hacking a forum.

Scriptkiddy site. Common, but of no real use. This misses one severe underlying difficulty: To get a HASHED password, you need to have access to the database the hashed password CAME from. You already admitted TSR didn't hash them, so getting access to the TSR database would have bypassed this problem to begin with. Conversely, if someone got a password from ELSEWHERE, they would not be able to know which ones are the same as TSR's, and therefore, would not be able to attack pretending the information came from TSR when it did not. Therefore, there are no plausible scenarios for this OTHER than the TSR-origin scenario. Can you think of a plausible origin in which someone could somehow acquire compromised passwords from a non-TSR source, and then make them look like they came from TSR without access to TSR itself? I can't. Even if the information could be gained from elsewhere, which is not likely, since you would need DB access there, too, there is no way to massage this information to then make it look like it came from TSR.

The main reason i don't want to write this scenario off completely is that we have had other events where someone has managed to log in on multiple FA accounts on TSR being able to delete things.

I'm not sure which incidents you're referring to, but if you're talking about what I think you're talking about, I seem to recall incidents in which an actual FA decided to soup from TSR, and did this on their own. This act was then immediately written off as the work of "hackers" officially.

We did not find out how that could have happened either and it also support the theory that passwords somehow leaked from the TSR database.
We changed passwords on those FA account to completely random ones to rule out the possibility that they could have been obtained elsewhere and even after that some accounts were compromised.

Alternatively, if we're talking about the same incident, or even a similar case, they COULD have simply bypassed the password change using the lost password recovery system, if they had access to the email, either because they actually *WERE* the user in question, only behaving in a manner that your staff didn't approve of by trying to leave, or because they had already hacked that particular user completely.

Assuming the following hackings on various sites would also be Thomas that would amount to a level of stupidity i can't even begin to imagine given the debacle the Buggubooz incident resulted in.

We have never specified that Thomas himself committed the hackings. In fact, this scenario seems unlikely. The more plausible scenario is that someone, possibly Thomas, possibly someone else, provided the agent who then proceeded to do this with the information needed to carry it out, and then turned them loose, disavowing any responsibility for their actions. While the Buggybooz incident turned out to be somewhat of a disaster, this may not even have been an intended outcome: It is possible that the original information was released for some other purpose, and, well, you can't put the genie back in the bottle.

[Inge]

But Pescado, what you're not seeing is that TSR don't *want* these hacking attacks that could look like TSR-related-originated-assisted to happen as it is bad publicity.  So why would they do them?  It's not like they're getting rid of pirate content, as everyone knows the hacked site owner simply restores the site immediately.  The anti-TSR brigade have far more motive to be doing this - "false flag" you call it?

[Soggy Fox]

It could just be that intent aside, being not as good as covering your tracks.  If being forced to watch Smoking Gun presents: World's Dumbest..... most people might think they are being clever, but really aren't.

[Zazazu]

The intent could just be for the "hacker" to look like they have a big dick. Even if they know they aren't causing permanent damage, they are causing those they believe to be pirates some frustration, which gives them the giggles.

As a T with some F, I say that a  twin *would* know if their twin was lying.  Whether techie or artistic.   And the liar would be finding it increasingly hard to look nonchalent as the pressure is maintained and the income of several people they are close to reduces as a result.

I am a horrible liar, so much so that I haven't even attempted one since I was a new 18. However, I can lie easily and do to my parents. The 'rents think I have a degree. They have seen a copy of this degree. They know the supposed classes I took while I finished said degree. I'd argue that sometimes the easiest people to lie to are family.

That said, I don't think it is Thomas doing the dastardly deeds. I have a few ideas, not limited to Atwa. I have absolutely no proof...just going off of general attitudes I've observed from being on both sides of the fence.

[Johan]

Scriptkiddy site. Common, but of no real use. This misses one severe underlying difficulty: To get a HASHED password, you need to have access to the database the hashed password CAME from. You already admitted TSR didn't hash them, so getting access to the TSR database would have bypassed this problem to begin with. Conversely, if someone got a password from ELSEWHERE, they would not be able to know which ones are the same as TSR's, and therefore, would not be able to attack pretending the information came from TSR when it did not. Therefore, there are no plausible scenarios for this OTHER than the TSR-origin scenario. Can you think of a plausible origin in which someone could somehow acquire compromised passwords from a non-TSR source, and then make them look like they came from TSR without access to TSR itself? I can't. Even if the information could be gained from elsewhere, which is not likely, since you would need DB access there, too, there is no way to massage this information to then make it look like it came from TSR.

It looks like a pretty good place to get help cracking a password if you have the hash and the salt. Most such requests seems to be answered very fast.
I'm not saying it's easy to get access to a database and obtain the necessary information i'm just saying that IF you do it would be far from impossible to crack the passwords.
Not as easy as plain text passwords of course but doable.

Regardless of the origin, TSR or elsewhere, you would need db access to get the plaintext or hashed password. With or without help of someone with such access.
Not sure i understand what you mean with "make them look like they came from TSR" but if a password is the same on both TSR and some other place there would be no need to massage it to make it look like it came from TSR?

I'm not sure which incidents you're referring to, but if you're talking about what I think you're talking about, I seem to recall incidents in which an actual FA decided to soup from TSR, and did this on their own. This act was then immediately written off as the work of "hackers" officially.

Alternatively, if we're talking about the same incident, or even a similar case, they COULD have simply bypassed the password change using the lost password recovery system, if they had access to the email, either because they actually *WERE* the user in question, only behaving in a manner that your staff didn't approve of by trying to leave, or because they had already hacked that particular user completely.

I'm not sure i know what incident you're talking about but i don't think it's the same as i was thinking of.
Multiple FA accounts were affected and AFAIK none of them left us, at least not soon after. This happened at least 2 times.
We gave out the new random passwords in chat but as you say the new password could also have been obtained by the password recovery system we had when passwords were in plaintext. So if someone's email were compromised that would be one way to obtain it.
The relatively large number of accounts affected makes the probability if that scenario rather low though.

We have never specified that Thomas himself committed the hackings. In fact, this scenario seems unlikely. The more plausible scenario is that someone, possibly Thomas, possibly someone else, provided the agent who then proceeded to do this with the information needed to carry it out, and then turned them loose, disavowing any responsibility for their actions. While the Buggybooz incident turned out to be somewhat of a disaster, this may not even have been an intended outcome: It is possible that the original information was released for some other purpose, and, well, you can't put the genie back in the bottle.

You're also saying the following hackings after buggy up until Scotty and Witchboy are linked and follows the same pattern which implies that one of the owners would still supply this agent with passwords.
Since we changed to hashed passwords they can no longer be supplied in plaintext.
In order to obtain the hashed ones you would need to know how to access the database and pull data from it. You would also need to obtain the salt which is store elsewhere.

Me and Per are the only ones that would be able to do that and we didn't.

[Inge]

We gave out the new random passwords in chat

!!  How secure is that?

[Johan]

We gave out the new random passwords in chat

!!  How secure is that?

Private individual chat of course, don't know if it was irc or skype, perhaps both.

[J. M. Pescado]

Regardless of the origin, TSR or elsewhere, you would need db access to get the plaintext or hashed password. With or without help of someone with such access.
Not sure i understand what you mean with "make them look like they came from TSR" but if a password is the same on both TSR and some other place there would be no need to massage it to make it look like it came from TSR?

Meaning, in order for someone to use passwords as if they came from TSR, they would have to make sure to ONLY use those that matched TSR passwords. They would thus have to intentionally pass up attack on people whose passwords they had, but could not access from TSR. Additionally, how would they KNOW the passwords matched TSR unless they tried them, and thus made it apparent that this was occurring? Without the knowledge that the passwords actually DID match TSR's passwords, the attack pattern could not be matched to TSR.

I'm not sure i know what incident you're talking about but i don't think it's the same as i was thinking of.
Multiple FA accounts were affected and AFAIK none of them left us, at least not soon after. This happened at least 2 times.

2 known incidents are not really relatable. Not every incident of vandalism is through the same vector or related. In fact, if someone really HAD externally compromised your DB, you would be seeing a lot more damage than two isolated wipes of FA accounts.

We gave out the new random passwords in chat but as you say the new password could also have been obtained by the password recovery system we had when passwords were in plaintext. So if someone's email were compromised that would be one way to obtain it.
The relatively large number of accounts affected makes the probability if that scenario rather low though.

You say "at least 2". That is not quite a large number, especially in the absence of any other connection. There are plenty of reasons why a password could be compromised in a vacuum without the need to resort to hacking theories, particularly when the vandalism is apparently unrelated, and much of this doesn't even qualify as hacking. Cats and angry siblings can cause plenty of random deletions without any hacking at all.

You're also saying the following hackings after buggy up until Scotty and Witchboy are linked and follows the same pattern which implies that one of the owners would still supply this agent with passwords.

Or that the old password sheet is still alive and still held by the hacker.

[retrotrut]

Oh man, that's the second Sim site that got hacked. The other day, I think it was around April last year, I went on Exnem Sims and someone had hacked it completely and deleted ALL the Community Downloads. And when I went into the forums it said "F*** You, This F***ing server is being hacked". Thats all that I remember and the sad part was that Exnem couldn't backup his site. Poor them. However I did manage to have some of the community downloads at the time, so I sent them all what I had to LyricLee.
At last your site has been saved. Exnem's site is completely ruined.

[Johan]

Meaning, in order for someone to use passwords as if they came from TSR, they would have to make sure to ONLY use those that matched TSR passwords. They would thus have to intentionally pass up attack on people whose passwords they had, but could not access from TSR. Additionally, how would they KNOW the passwords matched TSR unless they tried them, and thus made it apparent that this was occurring? Without the knowledge that the passwords actually DID match TSR's passwords, the attack pattern could not be matched to TSR.

Assuming all attacks were made on accounts that had the same password on TSR i can see what you mean. I don't think that is the case though?
Buggy is the only one i know for sure had the same password.

2 known incidents are not really relatable. Not every incident of vandalism is through the same vector or related. In fact, if someone really HAD externally compromised your DB, you would be seeing a lot more damage than two isolated wipes of FA accounts.

You say "at least 2". That is not quite a large number, especially in the absence of any other connection. There are plenty of reasons why a password could be compromised in a vacuum without the need to resort to hacking theories, particularly when the vandalism is apparently unrelated, and much of this doesn't even qualify as hacking. Cats and angry siblings can cause plenty of random deletions without any hacking at all.

It was two separate attacks where multiple accounts (i think it was 5-10) were compromised.
That was probably not a case of random vandalism, somehow the attacker either found a vulnerability or got a hold of the passwords.

Or that the old password sheet is still alive and still held by the hacker.

Would be possible if someone got a dump of the whole member table, which couldn't have been done by Thomas.
That he would have compiled a list of selected people he wanted hacked and all the attacks we've seen came from that list sounds unlikely to me.
A complete list of all the "TSR linked" attacks could help shed some light on this, the ones i know of are Buggy, Bluesoup (petition), Scotty and Witchboy.
Did i miss anyone?

[DrNerd]

A complete list of all the "TSR linked" attacks could help shed some light on this, the ones i know of are Buggy, Bluesoup (petition), Scotty and Witchboy.
Did i miss anyone?

The simsecret hacking over at LiveJournal has also been linked to Atwa/TSR, mainly because of IP similarities and the fact that the only posts that were deleted were ones with anti-TSR secrets.

[J. M. Pescado]

It was two separate attacks where multiple accounts (i think it was 5-10) were compromised.
That was probably not a case of random vandalism, somehow the attacker either found a vulnerability or got a hold of the passwords.

The latter seems more likely. If a true vulnerability existed, it would not have been easy to selectively target data using an SQL or PHP vulnerability, and your attacker would have simply deleted everything. Similarly, admin-level password compromise is thus unlikely, as if someone had an admin password, they would have been able to do far more damage.

Would be possible if someone got a dump of the whole member table, which couldn't have been done by Thomas.

Is there a technical reason, other than possibly sheer size, that would have made this impossible?

That he would have compiled a list of selected people he wanted hacked and all the attacks we've seen came from that list sounds unlikely to me.

This does sound excessively laborious, but not impossible, if he selectively compiled anti-paysite activists. The more likely scenario is still whole or partial membertable dumping.

A complete list of all the "TSR linked" attacks could help shed some light on this, the ones i know of are Buggy, Bluesoup (petition), Scotty and Witchboy.
Did i miss anyone?

Of the known attacks, the Buggybooz, Shanow, and Scotty attacks are the ones known to me to have confirmed the TSR-password link. There may be others I don't recall offhand, and in none of the unconfirmed cases has this been ruled out as an possibility.

[Assmitten]

I am a horrible liar, so much so that I haven't even attempted one since I was a new 18. However, I can lie easily and do to my parents. The 'rents think I have a degree. They have seen a copy of this degree. They know the supposed classes I took while I finished said degree. I'd argue that sometimes the easiest people to lie to are family.

So you printed out a fake degree?? Please tell me you used comic sans.