TSR sinks to an all-time low…

30 March 2009 at 23:37 (Random Randomness, Sims 2) (, , , , )

The depths Thoma$ will sink to… Buggybooz @ MTS2, who PS is one of my fave CC artists, recently had her stuff ripped off by Shakeshaft, one of T$R’s Featured Arti$ts. Obviously, Buggy was very upset and threw up a fuss.

Then Buggy’s MTS2 account got hacked, and her stuff all pulled. Her policy was changed to ‘do whatever you like with my content’. Coincidence? I think not. An IP check reveals a match with Thoma$$…

From MTS2’s Delphy:

I think it’s clear here one of the following things happened:

– Either Thomas himself removed Buggy’s stuff, or
– Thomas gave the password to his account to somebody else at TSR and they removed it

In addition to the above, they must have gotten buggy’s password from somewhere, which indicates one of two things:

– Either the TSR admins have a way of unencrypting passwords of members, or
– The passwords are not stored encrypted.

Either way, the blatant violation of buggy’s personal details is clear – and either a TSR admin used them (a clear violation of privacy) or gave them to somebody else (which is an even bigger issue).

“But wait!” I hear TSR say. “We didn’t do this, you can’t prove it.” Sorry, but the account clearly belongs to a TSR representative, and clearly has not been used until such time as buggy reported the bad TSR content. The timing and the individuals involved, combined with the proof of IPs and browser info, are too blatant to ignore. I expect the “We didn’t do it, please remove the false accusation” PMs and mails to arrive any day now.

I really don’t know what TSR expected to achieve here. Nothing was lost, everything is back the way it was, and really the only things that got hurt is their own reputation becuase even if they gave the password to somebody else, did they expect nobody to find out? Did they expect buggy – or the community – to take this at face value?

It’s clear to me that TSR either sanctions underhanded tactics, or uses such tactics internally. The best thing to do when getting reports of stolen items is to actually investigate such reports and deal with them, not to go to another site, use blatently private information such as passwords to login, and then delete stuff – which as you can see, didn’t work anyway.

The lesson to be learned here is:
1. Don’t use the same password on TSR as you use ANYWHERE else.
2. TSR can and will share any of your personal details, INCLUDING password, and use it however they want.
3. If you ever report anything to them about one of their FAs, they will take “action” against you.

All this just goes to show how EAs new best friend really treats the community and what it thinks of private user details.

Regards,
Delphy

Get the full story @ S2C
Working link: http://www.modthesims.info/showthread.php?t=331314

Unfortunately, Team Johan came to the rescue and fed Delphy all kinds of disinformation, making him retract the accusation against T$R.

Quote from Nouk:

Sorry Delphy, but you are being lied to.
– The Proxy Service is definitely and specifically linked to TSR Thomas
– He has apparently used the same ip’s on unrelated sites, being Thomas
– The same method of getting the info needed to break in has been used, all on an administrator level
Are you telling me that poor Thomas’s computer has been hacked, and the hacker is the one that conversed with Atwa and gave her the ip’s she needed to return to TSR and do all kinds of other crap? Because you realize that that story of Thomas buying her ip’s has been confirmed by others besides Coconut? Because, Atwat couldn’t keep her mouth or her behaviour in check?

This is TSR trying to pin this on an ‘inside hacker’, namely Coconut, and you’re just being used to slowly get there.

——

TSR admins are really the only ones who have all tools available to them.

– full access to user accounts – check
– real time knowledge of BuggyBooz’s complaints – check
– have been using the same proxy service in the past – check
– knowledge about the community in general, knowing the implications of all this – check

Random script kid? – Nope, does not posses the knowledge of the community, and of the ****storm this would cause, it’s too specific. More importantly, the same random script kid would have needed access to MTS2’s featured creator forum to know if BuggyBooz was going to complain about something. They would have had access to TSR blocked for them 3 months ago. Extremely unlikely.
Coconut the hacker? – Not possible, the simsecret hacker used a proxy service ip used by Atwa on Naturalsims
Atwa the hacker? – Possible, but Atwa hasn’t had access to user accounts for many months. This means she had help from an admin at TSR. OR hacked simsecret and TSR which I very seriously doubt, as the hacking wasn’t real hacking, but simply trying out if TSR password was being used elsewhere.
TSR admin the hacker? – Possible, have full access, have all tools available, and even suckers to do it for him.

However, we still have the old jerk Pescado fighting our corner. The following quotes are from Pes @ PMBD, not all from the same post. The thread is here.

Sinthe posted that when her Life Journal account was hacked in November last year, her password for TSR and LiveJournal where the same.

This means that, months and months before TSR claims to have had the breach, they have already used the same method to get Sinthe’s password, and used the same proxy service to attack Simsecret.
So yeah, Thomas is full of ****. Surprise surprise?

This whole fake hacking thing was, like alot of people said back then, a way to expose and/or discredit Coconut and blame her for being a hacker. And this is what they are steering towards, to keep EA and now Delphy on their good side.
———-
It looks like the IP belongs to a professional proxy service. nmapping the server reveals that it is a Linux, probably CentOS 5, which is NOT consistent with the browser string given. This means the browser string is either faked entirely, or passed transparently. Nmap also reveals that only ports 80, 90, and 7007 are open, and all are running ssh. These are NOT standard ports for ssh. In fact, 80 is HTTP. The only clear reason someone would be running a SSH on port 80 is to intentionally bypass firewall blocks like those set by workplaces or schools, as most firewalls leave port 80 open so people can view websites. Again, supports “professional proxy service”.

Of course, this means there is no actual way into the server that isn’t secure. Therefore, there is no way a “hacker” could be randomly using this service. No true hacker would ever pay for a “secure” proxy service knowing it would leave a paper trail back to him, and so many free “open” proxies exist on the Internet. This sort of service is only paradoxically used by those who don’t understand privacy at all AND have money to throw around. Who do we know that fits that profile?

Last but not least, unconfirmed, but isn’t this the same IP address implicated in the SimSecret hackings? Someone doublecheck 70.85.179.186.

———-

Well, lookie there. We got the same browser string, and one of these IPs is, surprise surprise, Thomas himself dating back to olden times. We can clearly see our h4x0r wannabe trying, and failing, at using proxycondoms, probably because noob how-tos don’t cover how to configure Furryfox, and as a result, BUSTED.

———-

(Quote from: Quinctia on 12 April 2009, 12:43:26
Unfortunately, I’m betting Delphy offered way more information than he should have.)

That is what the information I’ve seen indicates, yes. Delphy basically said too much, and TSR was able to take what he had given them and spit out some more things to play into that. Not to mention TSR already knew what he had to begin with. Because Delphy provided that much information to the public, it became clear as to how TSR could spin this and who they could pin the blame on.

And Team Johan tries and fails:

Quote from: johan on 10 December 2009, 12:12:19
I agree that it’s most likely some individual(s) from within the community that is behind it but i wouldn’t so easily jump to the conclusion that it necessarily has to be TSR though.
It could for example be someone from your side of the fence that likes to stir up **** and see what happens or just for giving TSR an even worse reputation.
If this is the case it has been working pretty well so far.

That could be a plausible theory, IF the hacking had been attained with independent information. However, the flaw in this argument is that to acquire the information necessary to carry out the hack, one would have to be a TSR DB admin. That means this individual is one of yours, not one of ours. Believe me, if I had a TSR DB admin, I wouldn’t be squandering it on anything as utterly puerile as false-flag defacement.

Quote from: johan on 10 December 2009, 12:12:19
We can’t completely rule out that information somehow was leaked from our database, either intentionally by someone on staff or by some security leak in our system.

A computer security leak on your system would require that someone have the technical skills needed to independently find and exploit it. To independently find and exploit such a vulnerability would involve skills on par with some of the best in the community. For this individual to be sufficiently motivated to want to smear TSR, so unknown as to not be one of us already, and so stupid and short-sighted as to squander such an advantage on false-flag defacement would be extremely implausible. If it is a figure OUTSIDE the community, then they would simply not CARE about attempting a false flag defacement using your database’s information, and would simply have vandalized your site, and run home to brag about it to his friends. Given this understanding of how hackers operate, it is clear and obvious that whoever is doing this is one of your staff, one of your staff with database access. If it is not you and you do not know who it is, then TSR has some real problems internally.

Quote from: johan on 10 December 2009, 12:12:19
Since i personally know everyone with access to the database (and we are very few) that option is not a compelling explanation to me, i truly do not believe it is the case.

I have every reason to believe that it is likely the case that the person with the database access did not personally carry out the hackings. However, it is manifestly clear that this person clearly released this information to people who he knew WOULD. This seperation between knowledge and use also fits the pattern of destruction, as the information used was not employed skillfully, and effectively squandered any advantage that your side could have gained through its use. Basically, one of you felt that TSR could avoid responsibility for it by releasing the information to a rogue operator. From a legalist standpoint, this is almost certainly true, as enough plausible deniability can be created by such a scenario to rule out any real possibility of legal conviction, but that is not sufficient to convince ME. I know how the game works, and I see what you did there.

Quote from: johan on 10 December 2009, 12:12:19
I also don’t see the motive for doing so.
What could we possibly have to gain from having some other site in the community hacked?
Before some pirate throws in a standard reply about how evil and immoral TSR is please think just a little bit further.
All continued hackings after the first one we got the blame for would only add to our “guilt” and for what? Just for the fun of messing with someone?

Motive? Well, from a logical, calculating perspective, this was an utterly stupid, bone-headed move. If you were going to misuse private information to hack sites, such an act effectively squandered any possible advantage you could have gained through its long-term use. So you are right, the motive for this does not make any logical sense and TSR has absolutely nothing whatsoever to gain from such an act. This is why you disbelieve it.

However, you disregard the element of simple stupidity. The fact of the matter is, most people are NOT calculating and saavy hackers and veteran netwarriors, and this likely holds true for most of your staff. Someone on your staff acted out of a desire for simple, petty vengeance against something that p****d them off. They ignored what would have been logical in favor of acting irrationally. Is this hard to believe? TSR staffers are not chosen because they are robot-like beings stripped of most emotional impulses. Such people do not make good artists and do not relate well to the type of community you keep.

Quote from: johan on 10 December 2009, 12:12:19
The other option, that we had a security leak, is to me no more attractive than the first option however it would be more likely.

Well, a security leak, or someone is violating your stated policy. There is every reason to believe your security fault lies in the wetware rather than the software.

Quote from: johan on 10 December 2009, 12:12:19
Although i agree that an old school Wizard wouldn’t do stupid **** like this the situation nowadays are a bit different.
You have probably just like me seen what happens to a server once you connect it to the Internet, it doesn’t take very long before signs of port scans and other probes start showing up in your logs.
For the most part probably not real hackers in the proper meaning of the word but rather 12’s hanging on various l33t sites are running scanners (that they didn’t write themselves) to find known exploits in various systems.
Not only vulnerabilities at the web application level (SQL injections for example, which can work on all kind of web applications if you’re not careful with checking POST/GET variables used in queries) but also on the operating system and services levels. Once you find one, inject a suitable pre-made rootkit and there you go. Or if you find a way to inject SQL get a list of logins or add yourself as an admin. You’re in without necessarily having to know very much, you just need some time, persistence and access the right tools.
I’ve seen it happen 😦

I’m familiar this: But there’s one key thing that differentiates such attackers, which are very common and have hit sites, but the ATTACK PROFILE is different. 12 year old l33t h4xx0r d00dz don’t steal account information from databases and then strike back at people who have expressed anti-TSR sentiments. 12s will just vandalize your site, wipe your database, and run off to brag to their friends about it. Happens all the time, even in this community. Sometimes people blame TSR for that, but I always have rejected such claims, as the attack profile does not match that of a targeted move.

Quote from: johan on 10 December 2009, 12:12:19
There were some weird things going on around the time of the buggybooz incident that we didn’t manage to find adequate explanations for and because of that we took measures to improve security on our servers and applications.
We also changed the database to use encrypted passwords some time after that.

That seems to be the “official explanation”, but I don’t really buy that. While the database may NOW be using hashed passwords, this is a bit like closing the barn door after the horses have left.
[Silver’s note: According to Coconut, passwords are still not encrypted.]

Quote from: johan on 10 December 2009, 12:12:19
Perhaps it’s even more likely that something like this is what happened to the other community sites, with the right tools you don’t have to be a wizard in order to get access to a system.
I would imagine cheap shared servers are not always up to date and properly protected from such attacks. Even if they are at the operating system the forum software might be open for attacks, for example.

Again, I know all this. However, remember, the attack profile. People who scan and nuke do so with automated scripts aiming for quantity, not quality. This is common netwar material and I basically disregard this as having any association with any community-relevant motive. Happens all the time, like you said. Every admin knows that. But this? This is different. This is a leveraged attack. Someone harvested SPECIFIC information, and then spent a lot of time looking for a SPECIFIC place to employ it to commit an act that shows every sign of being politically motivated. While not quite in the realm of wizardry, a targeted, politically motivated attack, using information gleaned from an undisclosed security flaw, is still highly skilled. For someone to do such an act, he would have to be on the skill level of someone like myself or Delphy. Such figures are not exactly COMMON in this community. So to claim that THIS is what happened is effectively to accuse either a known member of the community, or to postulate the existence of some unknown, yet powerful, dark horse coder with strong political motivations for one side (either to hack in the name of TSR, or to defame TSR by conducting a false flag attack). And that? That is on the verge of tinfoil hat territory.

Quote from: johan on 10 December 2009, 12:12:19
So although i can see the logic behind your arguments i think you over simplify things just a little too much, intentional or not.

I don’t simplify things too much at all. I consider all the angles, and I discard that which simply doesn’t fit. The result seems like a simple Reader’s Digest, but honestly, to explain it to people in this community, it sort of has to be. In short, the only explanation that FITS is that an agent is operating with the assistance of a database administrator. It is, in all likelyhood, NOT the database administrator himself, because such a smoking gun would render you open to criminal charges and would certainly destroy TSR’s reputation utterly, as there would be no doubters if you could meet the level of proof needed to convince Delphy, who is a good programmer with a solid understanding of web programming, but not a netwarrior.

So, obviously, we’re dealing with agent-by-proxy here. Someone released the information to an agent, perhaps on request, or simply knowing what they would do with it. You’re certain NO ONE would EVER do that? That is a very strong assertion to make. Not even one I would make of my own staff, which is why I do not hand out database access. If you, personally, would never consider such an act, as, frankly, even if you were of malicious intent, from a technical standpoint, it is a really STUPID thing to do, and you seem like you have a decent understanding of technical things, are all of your database administrators techs? I doubt that.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: