I've done some digging and from what i can tell it was Sinthe and a shared account (secret poster or something like that) that was compromised.
Some further digging got me to a post on PMBD where Delphy showed a screenshot from Sinthe with the logins, which i assume was for when simsecret got hacked (not sure about that though):
http://phorum.mustnotbenamed.com/index.php/topic,2399.msg141367.html#msg141367

The combination of IP's and useragent defenitley points to the same perpetrator as in the Buggybooz incident.

Yeah i think i'm leaning towards that option too. One strange detail though was that there had been some falied login attempts on some accounts using the wrong random passwords.


Yeah the technical reason being that he wouldn't be able to dump the member table even if he had a GUI db client and the all necessary information to connect to the database, Thomas is a pixel pusher and he doesn't know how that stuff works.
We don't have any functionality to get a list of passwords in admin so he would have had to pick the one by one to compile a list, which due to sheer size is next to impossible.
 

Theoretically possible but then again i have a lot of reason to believe he wouldn't do that. Membertable dump is definitely more likely than that but just as scary.

Has there been attacks where it has been confirmed that the password was not the same as a TSR account?

Do we know who had the account and if that person had an account on TSR with the same password?

Assuming all attacks were made on accounts that had the same password on TSR i can see what you mean. I don't think that is the case though?
Buggy is the only one i know for sure had the same password.



It was two separate attacks where multiple accounts (i think it was 5-10) were compromised.
That was probably not a case of random vandalism, somehow the attacker either found a vulnerability or got a hold of the passwords.

Would be possible if someone got a dump of the whole member table, which couldn't have been done by Thomas.
That he would have compiled a list of selected people he wanted hacked and all the attacks we've seen came from that list sounds unlikely to me.
A complete list of all the "TSR linked" attacks could help shed some light on this, the ones i know of are Buggy, Bluesoup (petition), Scotty and Witchboy.
Did i miss anyone?

Private individual chat of course, don't know if it was irc or skype, perhaps both.

It looks like a pretty good place to get help cracking a password if you have the hash and the salt. Most such requests seems to be answered very fast.
I'm not saying it's easy to get access to a database and obtain the necessary information i'm just saying that IF you do it would be far from impossible to crack the passwords.
Not as easy as plain text passwords of course but doable.

Regardless of the origin, TSR or elsewhere, you would need db access to get the plaintext or hashed password. With or without help of someone with such access.
Not sure i understand what you mean with "make them look like they came from TSR" but if a password is the same on both TSR and some other place there would be no need to massage it to make it look like it came from TSR?



I'm not sure i know what incident you're talking about but i don't think it's the same as i was thinking of.
Multiple FA accounts were affected and AFAIK none of them left us, at least not soon after. This happened at least 2 times.
We gave out the new random passwords in chat but as you say the new password could also have been obtained by the password recovery system we had when passwords were in plaintext. So if someone's email were compromised that would be one way to obtain it.
The relatively large number of accounts affected makes the probability if that scenario rather low though.


You're also saying the following hackings after buggy up until Scotty and Witchboy are linked and follows the same pattern which implies that one of the owners would still supply this agent with passwords.
Since we changed to hashed passwords they can no longer be supplied in plaintext.
In order to obtain the hashed ones you would need to know how to access the database and pull data from it. You would also need to obtain the salt which is store elsewhere.

Me and Per are the only ones that would be able to do that and we didn't.

A third option could be a combination of a 2 getting help from a 1.


http://www.waraxe.us/forum-57.html
This is an example of where you could get information on how to crack a hashed password, find someone to crack it for you and even get help hacking a forum.

The main reason i don't want to write this scenario off completely is that we have had other events where someone has managed to log in on multiple FA accounts on TSR being able to delete things.
We did not find out how that could have happened either and it also support the theory that passwords somehow leaked from the TSR database.
We changed passwords on those FA account to completely random ones to rule out the possibility that they could have been obtained elsewhere and even after that some accounts were compromised.




It's more specific than "The UK", at least one of the sherriesim IP's come from a Manchester ISP. Since this happened some time ago it might be hard to get more information about this now but if some other site owner is willing to have a look in the logs we could perhaps shed even more light on this.
Indeed it does not answer the question where the password came from but it says something about who did it.


Assuming the following hackings on various sites would also be Thomas that would amount to a level of stupidity i can't even begin to imagine given the debacle the Buggubooz incident resulted in.

Those are good points, to find vulnerabilities in a non stock system requires a lot more than google skills so yes, not likely.
It would be relatively more likely that our forum got hacked, which is a pretty much standard vBulletin install.
The way we integrate it with TSR is that when you sign up on TSR a forum user is added using the same method the forum itself would use had you signed up using the stock install.

I don't find it likely someone within the community would have the skills required for such an attack either but there are lots of places on the net where script kiddies with egos that needs feeding gladly helps.

Hashed passwords (in this case md5 + salt) are not immune to decoding. Google it if you're in doubt.
Buggys password was even of the sort you could have guessed and got lucky.

In response to those scenarios:
#1 We also know that the Sherriesim account was accessed through a non proxy IP with that particluar useragent.
This is a significant detail. The origin of that IP fits with Sherriesim's location AFAIK.

Thomas or someone acting on his behalf would not be able to fake that.
Without this detail i would have agreed with your conclusion.

#2 The information about this particular user agent was not revealed until after the events took place.
The useragent string matched very few logins on TSR and MTS so it's not at all common within the community.
If any other community site would be interested to gig further into this i can post what useragent and IP (non proxied) to look for.

I don't think i have any special skills reading people but i can usually tell if Thomas is lying to me, it's probably not very unusual within family.

I simply don't believe the password were willingly handed out by Thomas for many reasons but mostly because i know him very well.
There would be absolutely no gain for him and/or TSR to have someone hack buggys's account on MTS.

You might think he's stupid, evil, greedy and whatever else his reputation says he is and therefore you find it plausible or even likely he did it.
I know what he really is like and although i don't always agree with his ways it's really not _that_ bad.

Not sure what chat that might have beenthen, i was referring to the forum thread that Coconut got screenshots of.
Steve was not actively harvesting pirates there IIRC though he might have posted in the thread.

You don't have to look further than her latest post on PMBD:

Two made up statements right there:
TSR doesn't store password history at all. Unless Coconut is one of the owners this is information she can't possibly know.
Team Johan was some drivel she posted earlier in that thread about my postings on PMBD and here would be some kind of team effort from TSR. Again presented as a fact, not a theory.

I was under the impression Coconut had evidence of the petition showing up at TSR, possibly with some involvement of Atwa. That's what i heard when asking if we should just take Coconuts word for what happened, IIRC.

Sure, all of that is theoretically possible. It is also possible that someone used his account to download stuff and thus knew the password. That could also explain how other passwords could have been obtained if the perpetrator logged in to our admin area as Thomas.

Having an in-house system is a double edged sword. It's pretty much immune to public exploits on the application level but the security of it is only as good as the knowledge in security possessed by its developers, which would be me and Per.
I'd like to think i have a pretty good understanding of it by i am by no means a wizard and neither is Per. Part of the codebase is more then 10 years old and during the time period of the hackings we were maintianing both the old system while working on stabilizing the new one. Stupid mistakes could very well have lead to weak security in some parts of it all.

Again, we actually don't _know_ that the password came from the TSR database to begin with, you just find it likely based on how you interpret the circumstances.

A trace back to Thomas that i would recognize is what i meant. He certainly wouldn't be able to leave a trace going to sherrisim which is what we see here.
I believe that trace is genuine and not a cover up.

I lean towards either someone had access to the database (via our admin system), a security breach or that the password didn't come from TSR.

No i don't think it was a wizard either, the other scenarios i mentioned earlier would be much more likely.
So there, we agree on something at least.

Since you're moving stuff to Sweden perhaps i can offer some server space in our racks?

Not quite, the actual agents were Thomas and me. We posted names of pirates we caught by the watermark in a private forum.
The intention was somewhere in the line of a morale boost for our artist showing them we were able to do something about the pirate problem.
In all fairness Steve had nothing to do with it.

The watermarking was quite successful until Pescado ruined it all by cleaning the files before putting them in the booty.
Yes publishing names was short sighted, morally wrong and unthoughtful.
It happened but if i can help it it will not happen again.

Anyway, this is completely unrelated to the events we debate now.
Pescado firmly believes that the only way someone could have "hacked" Buggybooz account on MTS would be that the hacker got the password from the TSR database, this is the leak in question.

And when the information available isn't interesting enough she can get really creative and just make things up. A false flag operation from that end wouldn't surprise me the least if she had the opportunity. Like for example if she got a hold of the petition.
It's interesting that the incriminating evidence she claims to have still hasn't shown up.

There were items in his download basket that he didn't put there. Unfortunately our login log has been purged so i can't investigate it any further now.

That login information leaked from the TSR database via some kind of exploit or compromised account is one possibility but there could be other explanations to this.
I don't _know_ exactly what happened and it annoys me a great deal.

Thomas don't have the knowledge to perform such operations without leaving a trace and my fellow sysadmin is also out of the question, even if he would have the technical skills required.
To think that one of the owners of TSR (who are the only ones with access to the member database) leaked login information is just not realistic. I know how we think and operate.

It looks like this:
http://www.petitiononline.com/PMBDMBD/RUngyNUKAePJ.cgi
RUngyNUKAePJ being the secret part.
Feel free to sign my test petition by the way.
I don't know Bluesoup but i very much doubt she would give login details to the petition to someone on our side.

It is interesting that the events happened around the same time yes.

I don't know what constitutes a false flag operation but if it includes deliberately spreading false propaganda you should have a talk with Coconut again because it obviously didn't stick.

The use of a specific proxy service alone don't say much but combined with the rather unique user agent and the time line of events makes the trail pretty distinct.
There were also non-proxy IP's that had the same signature (same user agent and the account had been accessed by the same proxy service).

Yeah i think that was the idea with the login to MTS. There was only this one login to MTS with this signature (user agent and IP), the other logins to his account on MTS were normal (not using a proxy and with a different user agent). 
Thomas used the same password on multiple sites including MTS and TSR and there were signs of his TSR account being compromised.

So the link to TSR would be that Bluesoup had an account at TSR with the same password as for the petition and that password was leaked somehow in the same way as for Buggybooz?

First of all i find it hard to believe Bluesoup used the same password as on a TSR for a petition against EA's collaboration with TSR.
Even if she did you would have to know the secret part of the URL in order to log in and manage the petition. This URL is only sent to the petition author.

This means the rouge operator also had access to Bluesoups email or that she willingly shared that URL with someone and that someone passed it on to the operator.
I find it unlikely she used the same password for her email as on TSR. (if she indeed have or have had an account on TSR, i can't find an account named Bluesoup or one that uses the email used in the petition)

From what i can gather by googling this Bluesoup claimed the petition was "hacked" March 18 or earlier, the Buggubooz incident happened March 30.

Does this mean you knew the petition had leaked and you ordered coconut or anyone else not to do anything with it, or what?

I'd say it suits your purpose perfectly from a strategic standpoint. Isn't the general consensus that TSR was behind the petition leak and is now spreading it around/uses it for evil purposes?
That surely has a lot of value in the anti TSR camp.


There was a pretty distinct trail, in case you forgot here's what we found when investigating it (using data from both TSR and MTS):


In the list of IP's Atwa got from the service provider when she found out someone had been reading her email we were able to match them to the unproxied IP's of sherriesim. Unfortunately we didn't get the user agent from that list but i have a very strong suspicion that it would have matched the hackers signature.

We clearly have a very different POV.
From where i stand this is a smoking gun and it's not fitting with your idea of a rouge TSR operator.
The person behind the Buggybooz incident didn't get caught so he/she could possibly have been behind other hackings.

That isn't what i meant. It should be possible to find out exactly how it works in the case of Scotty and Witchboy without any kind of hacking.
IE, would it be possible just by knowing their email address to gain access and "hack" their accounts?
If the answer is no then there is no link whatsoever to TSR.

You're correct in that i'm not willing to vouch for Atwa, i barely know her. What she does or doesn't do is completely on her own.
I haven't seen anything at all that supports the theory that someone from TSR enabled the list to be acquired.
You sound very certain, do you know something about it that it don't?

Given the purpose of the petition i would imagine someone from TSR would be the last person to get access to it.
I believe it was established that the password was not from TSR in this case to?

You're wrong about when we denied responsibility, that was done after Coconut had accused us of it, a couple of days after if i remember correctly.
You're probably right about Coconut not having the technical assets to get access to the petition by some kind of hack though.
Would it be very unlikely that someone just gave it to her? She could at least put it to some use.

You seem to be quite sure about the rouge TSR operator and while i won't completely disregard that possibility there is reason to look elsewhere to. Especially considering what was found when me and Delphy investigated the Buggybooz incident, there was a very distinct trail leading elsewhere.

Either way i would certainly want to know based on things that can be verified ant not just theories.
It should be possible to find out if an email also used on TSR that has the same/similar password could have been used to recover a password for example.
In that case it might be possible to get a list of previous logins to see from what IP they came (at least if it's webmail).

I have talked to my brother. I know him far better than anyone else here (or anywhere else for that matter) and just because i choose to believe him based on what i know doesn't mean i'm pulling wool over my eyes.
Thomas has not received any hacked petition list, that was probably just another stunt by Coconut. I actually think she said Thomas gave it to Atwa, have she changed the story now?

I have searched for that IP in our login log at TSR and came up empty.
It's interesting that both accounts were hacked by what seems to be the same person, this could make it a little easier to figure out if you could find the lowest common denominator.
It's probably not smart to list all sites where you might have used those passwords in public before you have changed them on those sites (if any) but that could give a lead.
To carefully examine the webserver logs for around the time of the attacks could also give something.

If you're using webmail you might want to consider changing the password and see if you can list the logins to it.

I might have worded that a little wrong, i meant did you have the same password as an account on TSR? (nothing to do with Scotty)

IF there is a rogue operator somewhere within TSR then i would certainly want him/her caught. If Witchboy or Scotty have any more detail about this i would like to know.
A good start would be to find out if they have used a password that has also been used on TSR.
We changed to hashed passwords about a year ago so even if someone with database access (that is one of the 5 owners me included) would be a rouge operator all he could supply is a password that needs to be brute forced.

If you by initial leak refer to the Buggybooz incident i have also told you before that i think that was someone on your side given the actual evidence we had.
 
Since we repeatedly get the blame for stuff like this i would like to help investigate this.
 

How are they linked to TSR?

Have Witchboy and/or Scotty used the same password as an account on TSR and that password hasn't changed in a year or so?
Maybe Scotty could try and dig out the IP address from the server log to see if it matches the one used to "hack" Witchboys account?
The user agent string could also be interesting to compare (though i think our "hacker" have learned to hide it by now).

This really should go without saying but just for the record, TSR don't "hack" or in other ways mess up other websites.
We don't feel we need to destroy things, there's plenty of space out there