More Awesome Than You!
Author Topic: GSC has been hacked  (Read 46495 times)
Zazazu
Fuzzy Pumpkin
Whiny Wussy
*****
Posts: 8583


Potiron flou


Re: GSC has been hacked
« Reply #75 on: 2010 January 17, 05:26:47 »

Nah, that's on my totally for real minister certificate from the Universal Church of Whatever or Such.
Logged

Capitalism, Ho!
"Continue to beat it in masturbatory ecstasy if you like, but only Pescado can make it go away." - Lemmiwinks
My Urinal
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



Re: GSC has been hacked
« Reply #76 on: 2010 January 17, 08:40:26 »

> But Pescado, what you're not seeing is that TSR don't *want* these hacking attacks that could look like TSR-related-originated-assisted to happen as it is bad publicity. So why would they do them?

e-Peen? It's a surprisingly common motivation for seemingly illogical and counterproductive acts.

> It's not like they're getting rid of pirate content, as everyone knows the hacked site owner simply restores the site immediately. The anti-TSR brigade have far more motive to be doing this - "false flag" you call it?

Except for the catch: Assuming that TSR is NOT responsible, there is no plausible way an anti-TSR faction could acquire the technical data needed to carry out the attacks AND frame TSR for providing the data, without the complicity of at least one agent inside TSR. So even if they wanted to, they couldn't. In order to catch a large number of usable passwords like this, someone would either need to run a highly sophisticated phishing operation AND a means of verifying that the passwords stolen are shared WITHOUT simply trying them on TSR and thus setting off alarms.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Inge
Round Mound of Gray Fatness
Senator
*
Posts: 4320


Senator Emeritus. Oh hold on, I am still a senator


Re: GSC has been hacked
« Reply #77 on: 2010 January 17, 08:58:28 »

Well, all this theorising on what errors of judgement may have taken place and what loose cannons they may have fired is still firmly in the realms of speculation.   The perp is as unlikely to be brought to justice as PMBD is, and for similar reasons.

What is the desired outcome, and how can this speculation help to bring it about?

Sysadmins - never use the same password on sites you have authority over, or investment in, as you do on ones where you are merely a visitor.   Always change your password and other system details after falling out with a fellow admin, and ensure the ex-admin is removed from *all* his membergroups - or delete his account and ask him to make a new one as a regular user.
Logged


"They're here, on the forum. A question riddled, spoiler giving, speculative cancer of sim evil" -- redearth, Snooty Sims, 2009
Johan
Asinine Airhead

Posts: 20


Re: GSC has been hacked
« Reply #78 on: 2010 January 17, 22:50:27 »

The simsecret hacking over at LiveJournal has also been linked to Atwa/TSR, mainly because of IP similarities and the fact that the only posts that were deleted were ones with anti-TSR secrets.
Do we know who had the account and if that person had an account on TSR with the same password?
Logged
DrNerd
Lipless Loser
***
Posts: 677



Re: GSC has been hacked
« Reply #79 on: 2010 January 17, 23:05:54 »

> The simsecret hacking over at LiveJournal has also been linked to Atwa/TSR, mainly because of IP similarities and the fact that the only posts that were deleted were ones with anti-TSR secrets.
> Do we know who had the account and if that person had an account on TSR with the same password?

I don't recall which of the former admins it was (sinthe, maybe), but she did admit at the time that she'd used the same username and password on TSR.
The IP info is here.

Simsecret posts regarding the hacking are here and here.
« Last Edit: 2010 January 17, 23:17:43 by DrNerd » Logged

Johan
Asinine Airhead

Posts: 20


Re: GSC has been hacked
« Reply #80 on: 2010 January 17, 23:34:14 »

> The latter seems more likely. If a true vulnerability existed, it would not have been easy to selectively target data using an SQL or PHP vulnerability, and your attacker would have simply deleted everything. Similarly, admin-level password compromise is thus unlikely, as if someone had an admin password, they would have been able to do far more damage.

Yeah I think I'm leaning towards that option too. One strange detail though was that there had been some failed login attempts on some accounts using the wrong random passwords.

> Is there a technical reason, other than possibly sheer size, that would have made this impossible?

Yeah the technical reason being that he wouldn't be able to dump the member table even if he had a GUI db client and all the necessary information to connect to the database, Thomas is a pixel pusher and he doesn't know how that stuff works.
We don't have any functionality to get a list of passwords in admin so he would have had to pick them one by one to compile a list, which due to sheer size is next to impossible.

> This does sound excessively laborious, but not impossible, if he selectively compiled anti-paysite activists. The more likely scenario is still whole or partial membertable dumping.

Theoretically possible but then again I have a lot of reason to believe he wouldn't do that. Membertable dump is definitely more likely than that but just as scary.

> Of the known attacks, the Buggybooz, Shanow, and Scotty attacks are the ones known to me to have confirmed the TSR-password link. There may be others I don't recall offhand, and in none of the unconfirmed cases has this been ruled out as a possibility.

Have there been attacks where it has been confirmed that the password was not the same as a TSR account?
Logged
Johan
Asinine Airhead

Posts: 20


Re: GSC has been hacked
« Reply #81 on: 2010 January 18, 00:06:09 »

> I don't recall which of the former admins it was (sinthe, maybe), but she did admit at the time that she'd used the same username and password on TSR.
> The IP info is here.
>
> Simsecret posts regarding the hacking are here and here.

I've done some digging and from what I can tell it was Sinthe and a shared account (secret poster or something like that) that was compromised.
Some further digging got me to a post on PMBD where Delphy showed a screenshot from Sinthe with the logins, which I assume was for when simsecret got hacked (not sure about that though):
http://phorum.mustnotbenamed.com/index.php/topic,2399.msg141367.html#msg141367

The combination of IPs and user agent definitely points to the same perpetrator as in the Buggybooz incident.
Logged
Witchboy
Blathering Buffoon
*
Posts: 53



Re: GSC has been hacked
« Reply #82 on: 2010 January 18, 04:52:41 »

The user agent for the IP that hacked into SV & GSC is as follows...

IP: 83.170.113.97 User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



Re: GSC has been hacked
« Reply #83 on: 2010 January 18, 05:15:24 »

> Yeah I think I'm leaning towards that option too. One strange detail though was that there had been some failed login attempts on some accounts using the wrong random passwords.

That doesn't mean anything. Random people randomly rattle doors on accounts all the time. This would only be a concern if there was a systemic pattern of door-rattling. Given that you run a paysite, it's entirely reasonable to expect that random people will attempt to rattle the doors on accounts simply to see if they can get any free swag, and people also lose their passwords and try to guess which of the set of usual passwords was the right one. Given the sheer size of your site, hundreds if not thousands of such attempts are probably made every week. The SUSPICIOUS thing would be when a strange IP logged into an account, then did nothing with it, and that account was subsequently attacked elsewhere, meaning that someone was trying to probe for a TSR commonality before attempting an attack.

> Yeah the technical reason being that he wouldn't be able to dump the member table even if he had a GUI db client and all the necessary information to connect to the database, Thomas is a pixel pusher and he doesn't know how that stuff works.

I dunno about that. I mean, Spilt Pee Soup, a thoroughly nontechnical user, managed to figure out how to use phpmyadmin just fine. Also, there is no guarantee it was Thomas who personally did it. Thomas is the most likely suspect purely based on motives and opportunity, but he isn't the only one who could have done it.

> We don't have any functionality to get a list of passwords in admin so he would have had to pick them one by one to compile a list, which due to sheer size is next to impossible.

Or, he could dump the entire thing and do a CTRL-F...

> Theoretically possible but then again I have a lot of reason to believe he wouldn't do that. Membertable dump is definitely more likely than that but just as scary.

The exact methodology by which the information was acquired from the database is really less important than the fact that it clearly had to have been.

> Have there been attacks where it has been confirmed that the password was not the same as a TSR account?

No. There have been no negative confirmations where a password-attack was conclusively NOT a TSR account password, only cases where confirmation could not be acquired due to either the user not remembering, or not being present. All other hacking attacks not related or suspected to be related to TSR account passwords have all been dismissed as common vandalism and bear no connection to any community politics.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
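
The distinction drawn in the post above (scattered failed logins are noise; a successful login from an unfamiliar IP that then does nothing is the signal) can be checked against a site's own login records. This is an added example, not part of the original thread: the event tuple format, the `known_ips` baseline and every address and account name below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (time, ip, account, action).
# action is "login_fail", "login_ok", or any post-login activity.
EVENTS = [
    (1, "198.51.100.7", "alice", "login_ok"),
    (2, "198.51.100.7", "alice", "download"),
    (3, "203.0.113.50", "bob", "login_fail"),   # ordinary door-rattling
    (4, "203.0.113.9", "alice", "login_ok"),    # unfamiliar IP, then nothing
    (5, "203.0.113.9", "carol", "login_ok"),    # same IP, second account, nothing
    (6, "198.51.100.8", "carol", "login_ok"),
    (7, "198.51.100.8", "carol", "post"),
    (8, "192.0.2.99", "dave", "login_ok"),      # unfamiliar IP, but session is used
    (9, "192.0.2.99", "dave", "download"),
    (10, "192.0.2.44", "erin", "login_ok"),     # one-off silent login
]
# Constructed baseline: IPs each account has used in the past.
KNOWN_IPS = {
    "alice": {"198.51.100.7"}, "carol": {"198.51.100.8"},
    "dave": {"192.0.2.33"}, "erin": {"198.51.100.20"},
}

def silent_logins(events, known_ips):
    """(ip, account) pairs where an IP new to the account logged in
    successfully and never did anything with the session afterwards."""
    logged_in, active = set(), set()
    for _, ip, account, action in sorted(events):
        if action == "login_ok":
            if ip not in known_ips.get(account, set()):
                logged_in.add((ip, account))
        elif action != "login_fail":
            active.add((ip, account))  # real use of the account clears it
    return sorted(logged_in - active)

def probe_sources(events, known_ips, min_accounts=2):
    """IPs whose silent logins span several accounts: the systemic
    pattern, as opposed to one user on a new network."""
    by_ip = defaultdict(set)
    for ip, account in silent_logins(events, known_ips):
        by_ip[ip].add(account)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print(silent_logins(EVENTS, KNOWN_IPS))
    print(probe_sources(EVENTS, KNOWN_IPS))
```

Failed attempts never enter the result, and a single silent login is reported but not escalated until the same source shows the pattern on more than one account.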
Inge
Round Mound of Gray Fatness
Senator
*
Posts: 4320


Senator Emeritus. Oh hold on, I am still a senator


Re: GSC has been hacked
« Reply #84 on: 2010 January 18, 07:34:44 »

> Spilt Pee Soup, a thoroughly nontechnical user, managed to figure out how to use phpmyadmin just fine.

If you're talking about Brynne, I don't think she did. Every time she wanted to look at something she asked someone to do it for her, handing out temporary admin access if necessary. Lol long after she thought she'd banned me I could have got in the back door. Fortunately for her I wasn't the shady character she thought I was.
Logged


"They're here, on the forum. A question riddled, spoiler giving, speculative cancer of sim evil" -- redearth, Snooty Sims, 2009