I totally agree that things Could Have Been Done Better.  Thats really not my call though - thats how they want to run thier own business.  It *is* worrying they have plaintext passwords, but they are going to be changing that soon anyway, so maybe it wont be an issue for long.

I guess we shall see how things go from here.

Actually, read back on what Johan said.  He said that what *I* said never happened - and what I said was that the *entire* userbase was vulnerable.  What actually happened was that multiple Staff and FA accounts *where* compromised.  So in essence, it was I who misinterpreted the original statement.

I have pages upon pages of log files, database dumps and so on - all from TSR - all stuff that I have not seen before, but ALL stuff I have verified independantly with my own databases.  I have also corroborated this against independant reports other non-TSR people have told me regarding thier accounts there.  In my mind, the information that I have been sent *is* correct: The hacking *did* happen, TSR did suffer massive security issues, and was repeatedly infiltrated multiple times. 

neriana, lets just agree to disagree, ok?

Pescado, since you are awake let me ask you a question.  Why do you think it's a statistical coincedence that only 5 or 6 people share the exact same IP address *and* the same browser string (which in itself is a fairly unique one) out of a database of tens of millions of rows?  Sharing the same IP address is not uncommon.  Having the same browser string as the person next to you is also not uncommon, but consider this:  The browser strings never actually came up *until* I posted my first thread on S2C.  How could one person *randomly* choose the exact same browser string as the ones used in the MTS2 and TSR logs if this information was never public?  As far as I can tell none of the oher sites that got hacked have this information - they only have IP addresses.  So how would a hacker get it?  The simple answer (and the one that fits the evidence) is: They didn't.  The simple answer is that it's the same person, so therefore it is *not* statistically a coincedence, as you seem to think, that very very few people share the same IP and browser.

I'd like your thoughts on this please.

Yeah, you basically implied it when you said this:


Not inviting other people + keep inviting TSR = only inviting TSR.  Apologies if your implied statement was not your actual one.


You dont?  I would think that "The Maxoids are being PAID by TSR" to mean that you think they *are* unprofessional, as well as illegal and underhanded.

Either you think they are unprofessional or you don't - and if you *dont* then it pretty much means the entire "Maxoids are paid by TSR" theory is based on... well, nothing, really.  (and lets face it's there is zero evidence to suggest that this theory is based on anything resembling facts, but we have years of evidence to prove that TSR talk closely with the Maxoids.  I know which one I would pick... but then I'm probably one of the sanest here. )

Actually, "Maxis" does exist in the sense that there are still "Maxoids".  I was referring to a personal relationship between TSR and the Max*oids*, not neccesarily Maxis as a now-defunct entity. 

Multinational corporations aren't run on huggles, no, but we are not talking about multinational corporations as a whole - we are talking about *individual* people with *individual* biases for or against particular sites, ethics, and colours of the rainbow.  So, it's really *not* a huge leap to go from "TSR and the Maxoids have a long standing relationship" to "Maxoids will favour TSR on thier own site".  It's *certainly* a hell of a lot better an explanation that the "Maxoids are being paid by TSR" which makes about as much sense as a chocolate fireplace.

TSR *is* nice - to the Maxoids.  Doesn't matter what TSR do in terms of "violating" the EULA or with some few adult bits of contact - if the *primary* contact that the Maxoids have with TSR *is* nice, then of course that is going to foster a good relationship.  Come on, it doesn't take a leap of faith to see that people are, well, people, and have feelings and thoughts too, and, in reality, they act on those a hell of a lot more than logic.  Think about it: If you cultivate a nice relationship with somebody it's far easier to overlook thier faults than if you pick them apart, bash them left right and center and generally *be* an ass rather than trying to kiss it.  And since the Max*oids* have a huge say in who gets invited to events (something they have direct control over), as well as how things play out on thier own site (again, direct control), then of *course* it's going to be biased.  But this is nothing to do with the "EA multinational" - it's purely personal, and so long as it can be justified and doesn't backfire, who in the corporate world is really going to care?

When things really come down to it, as *people*, who do you think the Maxoids are going to side with?  The people that constantly bash them, and thier parent company, that deride every decision they ever make, call them names, and generally act like douchebags on thier site... or the people that you have been talking to and have built up a relationship with over *8* years?  Yes, it sucks, no it's not fair, but it *is* a wholly personal thing, and the only way to stop it from happening is to get somebody impartial dealing with the community instead.  To be honest, you pirates are labouring against that 8 years of communications and dialogue, and petty name calling and spamming and so on really will achieve nothing.

With regards to the fansite list: TSR is most likely on the list becuase they *care* about being on the list and becuase of this long standing relationship.  I, on the other hand, do *not* care if I am on the list of fansites.  If I did I'd probably be on them a lot more to put me back, but quite frankly, I don't want to put the time and effort into doing that just to attract a bunch of 12s to my site.

Oh and come on - you know better than I do that TSR are *not* the sole invitee to the events that the Maxoids throw! So the part of your argument that "EA only ever invite TSR" is basically useless and backed up by evidence thats actually provable - ie *all* of the events that have gone down in the past 4 years.

I think it's actually more likely there is *no* such business or legal arrangement, but instead it's a more personal one.  After all, TSR have had years to talk to the Maxoids, get to know them, and so on - just as we had that opportunity on MTS2 when MaxoidTom was around.  So it's probably much *more* likely that the Anti-anti-TSR stance comes more from a personal trust element (as in trust between the Maxoid and the TSR staff) rather than anything business like.  I think *this* explanation is way simpler than any one involving money, since we *know* that Maxis/EA has contact with fansites and we *know* they talk to them from time to time, so therefore it only makes sense that they would favour some over others, but this does *not* mean it's anything legal, concrete, or set in any kind of financial terms - it'd be more of a bias rather than anything else.

Let's think about this for a second.  You have these sites - one of which you have been talking to for years and who you have built up a relationship with.  Not a business one, just a personal one.  So you have this community - on the one hand is the "pirate" side - with sharing of EA owned materials (Castaway etc) and other such dubious dealings but, more importantly, with zero contact with the Maxoids.  Then you have the other hand - that of TSR and the paysites - who are way more likely to basically kiss ass, to say nice things about the game, to basically do whatever they can to be invited to events, and to, essentially, create a higher profile for thier own site.  Again, nothing business like, nothing legal, no money under the table. 

I think that some people forget this long standing relationship in thier haste to be all "TSR is evil".  Just becuase *you* think TSR is evil does not mean that the Maxoids (who have had *years* of talking to them, inviting them to events, etc) think they are, and does not mean that the Maxoids are taking cuts under the table.  In fact, I think the entire theory of the Maxoids being paid by TSR is, actually, ludicrous, and it's way more likely that any such goings on by the Maxoids on the BBS are more becuase of this long standing personal relationship than anything else.

It's pure and simple a personal relationship between TSR and the Maxis people, thats been going on for years, and that is *extremely* unlikely to be broken by any such antics as done by the pirate faction up till now.

Oh and I'd like to add that this is just my thoughts and feelings based on my years in the community and as owner of a Sims 2 fansite who *has* been contacted by EA and has dealings with Maxoids.  It's not becuase I am pro-TSR, I'm just simply pointing out that the theory that the Maxoids are being paid by them is mired in implausibility and, in my opinion, *extremely* unlikely.

For you tl;dr people.  To sum up:

- TSR and Maxis have a personal relationship going back years
- TSR always is nice to Maxis
- Maxis is therefore going to be more nice to TSR

- Pirates and Maxis have a personal relationship spanning in nanoseconds
- Pirates always bash TSR and Maxis
- Maxis is therefore going to be less nice to Pirates

That simple enough for you Neriana?

I don't really think thats the *simplest* solution, though.  As scrappysim points out, a lot of the SimMasters left, so obviously there was a power vacuum, and it was clear to EA or the community manager of Maxis that something had to be done. 

Even if we *do* consider the idea that the Maxoids where in the pay of TSR, isn't EA a public company? Do they not have accounts?  Why would an *employee* of one of the largest software companies in the world want to get a cut from what is, essentially, a fly in the ointment?  There is no logical rhyme nor reason why "the maxoids are in the pay of TSR" - not from a financial standpoint.  Even if you consider the possibility that TSR is somehow paying the Maxoids under the table, as a public company they would be obliged to investigate any such allegations and accusations, so why has nothing come out?

Whats actually *more* likely is the other way round - TSR are linked to EA via some kind of license deal or a advertising deal or something like that. 

If we consider the "evidence", it's more akin to them simply wanting to control the forums (aka the BBS) more in the run up to the Sims 3, and shutting down any dissedent talk, rather than them being specifically in the pay of TSR.  If they *where* in the pay of TSR, then test it - put up a post saying how great say, Parsiminous is, or another huge free site - and see what happens.  No bashing, no name calling, no "Parsim are better than TSR" or whatever - just a fan thread about the site.  If your theory is correct, then this would be seen as competition and would be shut down.  Indeed, the thread BlueSoup is still up... and that has a lot of anti-TSR statements in it, but the *actual subject itself* is more general for the game. If the maxoids *where* in the pay of TSR, wouldn't BlueSoups thread be shut down too?  It seems to not make any sense with your scenario.

No, I think it's more likely that people equate any *anti*-TSR deletions to "the maxoids are being paid by TSR", but I think the same thing would apply to bad mouthing *any* site there.  In this case it's probably more the "evidence" that is flawed - or, rather, the assumptions made *from* the evidence, rather than the evidence itself.  After all, as I said, why would the largest gaming company in the world need to be paid by a *fansite*? 

But if you *really* want to test things - go ahead and do it, instead of assuming that it's true. 

With regards to the whole Sim Masters thing, it could just be that EA/Maxis want more control over the forums and the information on them.  I mean, since the whole Sims Store stuff we know that they are moving much more into the social/online areas, so it's logical to think that they would want to have extra control, and I think that perhaps the whole thing that has happened lately was just the straw that broke the camels back, in terms of who does what and who has power - especially when you think that a lot of sim masters left not that long ago.

I'm not really going to draw any conclusions into it - I just see it as more of a control thing rather than anything tinfoil hattery related like TSR paying them, etc etc.  Occams razor, people, remember?

I'm confused - why would it be a "security breach" for people who have left MTS2 to still have accounts?  It's a free site, anybody can make an account, but only buggybooz had the password to her MTS2 account.  I really don't think that investigating ex-MTS2 people is really relevant, and Shakeshaft was actively logged into MTS2 multiple times (pretty much once a day) stretching back months, so I don't think it's really that relevant about any logins on the 26th.

On another note, the whole thing re: browser strings and what "coconut" said doesn't sit well with me - yes they arent' that hard to change but the fact remains that the browser string is *identical* in all the various cases, complete with a not-so-common ImageShack toolbar.  So it's my feeling that it's not just a coincedence but, when combined with the *other* evidence, is, in fact, quite important to note.

Steve said that it was possible that Thomas' details had been gotten by a 3rd party (ie they'd been hacked) but that it was months ago, and later said that it was *only* FA and Staff access that was gotten.  It was something that was mentioned more in passing rather than a detailed explanation, so I do not know the full details, but it was definately mentioned and something I questioned him on to try and explain how this could have happened.


This is one of my key problems with the "coconut did it" theory - even HAD somebody gotten Thomas' password months ago, they would have no way of getting Buggy's (since the account was unknown) during the same hack.  Since nobody outside of TSR knew what buggys account on TSR *was* (not even I did, and Steve certainly didn't give me the impression he knew either for sure when we first talked) then this doesn't cover any theft of buggys account details there. This is one of the points I am awaiting to get details back from Steve on (among other things).

I haven't forgotten about it - I'm just waiting for some answers to some questions back from Steve at TSR. 

I've edited my post on S2C to point to the discussion here, and rewrote parts of it, since we are now dealing with multiple attacks on multiple sites spanning months, and it's not clear to me yet who is behind this.  I'm also still in contact with Steve, and I have asked for more clarification regarding IP addresses and so on.

This is actually a unique opportunity here - to figure out, once and for all, who "hacked" all these various sites.  I know a lot of you are thinking "TSR did it!" but I am more cautious and have posted as such - if it *does* turn out to be some previously unknown quantity inside TSR, or elsewhere, then we can take it further from there.  It's certainly *linked* to TSR since the latest event started around the stolen content allegations, but I am not convinced that (as I have said) this was anything TSR sanctioned, as many of you believe.

So I'm going to go ahead with investigating as much as I can, checking out any IP addresses, times, dates, and try and build up as much investigate documentation as possible - and we shall see where this takes us.

(You may now commence allegations of bullying, believing lies, calling me a cockbagel, or whatever... but I'm just after the truth, no matter who it leads to.)

I'll investigate the IP addresses Nouk is forwarding, but I have to say this:  A simple list is not enough!  If we just had IPs we would never have posted anything up in the first place.  IP addresses themselves aren't conclusive proof.  If we just take IPs, and list them, then we could say "Yes, Thomas used that proxy IP" - but thats totally disregarding the fact that the proxy IP was used *months* later and was never used on his account prior to that.  This is primarly the reason why I am *not* in the "Thomas did it!!" camp, but am instead questioning the hows, whys and wherefores of *everything* going on.

What I personally think is interesting is more along the lines of the SherrySim/leftywillnot angle - people have said this is Atwa, but do we have confirmed times and dates and browser match strings to prove this?

What we need are times and dates and browser strings where possible.  This is to build up a picture of who logged in using what PC at what time.  Then we can say "Okay so-and-so logged in from a *confirmed* IP that is verified by a third part, then logged out, then logged in via the cloaked proxy 1 min later then did x y z".  In other words, a chain of events linking everything.  Isolated IP addresses with no dates or other corroborating evidence are, for me, simply not enough.  I know I'll probably raise the ire of some people here by saying that, but until *all* parts of the stories check out or can be explained I am not going to conclusively say "So-and-So Did this!".

As I said, though, I'll investigate anything sent on to me.

Johan, talk to your boss (Steve) then.   Becuase he said this: "...for Tom's login, it *is* possible it was obtained from his end... thats a loophole we fixed just after Christmas".

Chatting with Steve I don't think I "got the wrong idea" since we where talking *specifically* about security of accounts and logins, etc.

I would suggest that, before you go around trying to discredit me, you first check your own source.  "No our users login details where not compromised" does not tally with "thats a loophole we fixed after Christmas".

Either actual TSR accounts *where* compromised or they weren't.  The explanation that Steve told me was that they *where*, and this is how people managed to get into Thomas' MTS2 account *and* buggys.  If, however, you are saying that they where NOT compromised... then the ONLY people that would have access to the account information to log into those two accounts... are TSR themselves.

Okay this is gonna be long and slightly repeating myself here.  So here goes.

First, the screenshot from Sinthe:



As I have said, none of the IPs marked there are logged against Thomas' account on MTS2.  Let's examine this:

mysql> select * from iplogtable left join user on (user.userid=iplogtable.userid) where iplogtable.ipaddress in ('75.168.197.143', '75.168.189.143', '78.129.197.69', '83.142.228.139', '75.168.199.213');

+--------------+----------------+----------------------------------------------------------------------------------------------------------+
| username     | ipaddress      | info                                                                                                     |
+--------------+----------------+----------------------------------------------------------------------------------------------------------+
| Sinthe       | 75.168.199.213 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 Creative ZENcast v2.01.01 |
| Sinthe       | 75.168.197.143 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4               |
| sherriesim   | 83.142.228.139 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7)    |
| Sinthe       | 75.168.189.143 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4               |
| Adele Somers | 83.142.228.139 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) |
| leftywillnot | 83.142.228.139 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7)                |
+--------------+----------------+----------------------------------------------------------------------------------------------------------+

Now let's examine the other IP addresses used for NaturalSims:

+------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| username         | ipaddress     | info                                                                                                                                                                                                    |
+------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| xxxx         | 70.85.179.186 | Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9) Gecko/2008052906 Firefox/3.0 (de) (TL-FF)                                                                                                          |
| yyyy | 70.85.197.178 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0                                                                                                                    |
| yyyy | 70.85.179.186 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0                                                                                                                    |
| zzzz            | 70.85.197.178 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Sky Broadband; Sky Broadband)                                                                                 |
| aaaa        | 70.85.197.178 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3                                                                                                              |
| bbbb         | 70.85.179.186 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5                                                                                                              |
| bbbb         | 70.85.179.186 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5                                                                                                              |
| ccccc        | 70.85.197.178 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Foxy/1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Foxy/1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MAXTHON 2.0) |
| dddd   | 70.85.197.178 | Mozilla/5.0 (Windows; U; Windows NT 5.1; cs; rv:1.9.0.6) Gecko/2009011913 Firefox/2.0.0.3                                                                                                               |
| buggybooz        | 70.85.179.186 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7)                                                                                                   |
| Hamilton         | 70.85.179.186 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7)                                           
| leftywillnot | 70.85.197.178 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
                                                      |
+------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(I've blanked out the names of the other people using these same IPs. None of them are particularly stand outworthy).  The interesting ones are the ones that share the same IP and the same browser info.

Let's look at that browser string, too, since it's fairly uncommon:

+------------+----------------+-------------------------------------------------------------------------------------------------------+
| username   | ipaddress      | info                                                                                                  |
+------------+----------------+-------------------------------------------------------------------------------------------------------+
| sherriesim | 87.194.217.73  | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
| sherriesim | 83.142.228.139 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
| sherriesim | 90.212.232.224 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
| buggybooz  | 70.85.179.186  | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
| Hamilton   | 70.85.179.186  | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
| leftywillnot | 70.85.197.178  | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
| leftywillnot | 83.142.228.139 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
| leftywillnot | 70.85.197.178  | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; FDM; ImageShack Toolbar 4.5.7) |
+------------+----------------+-------------------------------------------------------------------------------------------------------+

The date on the IP address usage on Thomas' MTS2 account was a few hours *after* the intrusion on buggy's account.  So whoever it was logged into buggy's account *first* and then logged into Thomas' after (not the other way around).  This could be for one of two reasons: Either they wanted to check everything out from a "normal" users perspective to make sure everything of buggys was gone, or they wanted to deliberately create a link between the two.

With regards to the security thing, and the timings, I do think that it's *very* suspicious that somebody would keep ahold of user account logins for *months* and not use them and then only use them now and *also*, at the end of it all, change buggys profile to a pro paysite friendly one.  This last act is the one that suggests it's more personal, rather than general.

Also as an update, according to Steve they investigated the item, confirmed it was the same, and have since removed it in the past couple hours.  Since I don't have a TSR account I obviously can't check.

Edited to add info from S2C.