Topic: TSR: In Ur Accounts, Deletin Ur Stuffs! (Read 962863 times)
No No No
Landlubber
Posts: 32
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2460 on:
2009 December 10, 10:55:51 »
I'll just post the rest of this conversation, so we can skip that.
- Team Johan: We were right.
- Quorneter: You were wrong.
- A Pirate: You were wrong.
- Team Johan: We did what we thought was best!
- Quorneter: It wasn't best.
- A pirate: You knew it was wrong.
- Team Johan: It was an emotional decision stemming from poor morale after being robbed by pirates!
- Quorneter: It's against the law.
- A Pirate: Ah your poor feelings. They're totally worth doing illegal things for.
- Team Johan: Well we're sorry for doing illegal things. It felt justified. We will never do it again. (Hopes pirates post this everywhere and that many people read.)
- Quorneter: *pat pat pat*
- Bunch of Pirates: FAKE
Note:
In the business world, this is a classic method of gaining sympathy after a company has been caught doing something wrong. To gain back the clients' trust, work on their emotions. Tell them the 'mistake' did not come from deliberate actions or bad skills, but from something very few people can control: emotions. Then, to not look like a total incompetent, remove the one that made the emotional decision, to make the client believe this will not happen again in the future. They may be just a scapegoat for the ones in charge.
The only thing they'll 'forget' is to fire those 'responsible'. This is a family project after all.
«
Last Edit: 2009 December 10, 11:08:22 by No No No
»
Logged
Pescado
Pirate King
Posts: 2095
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2461 on:
2009 December 10, 11:20:32 »
Quote from: johan on 2009 December 09, 22:32:34
Have you seen any kind of evidence for our "history of hacking" that i assume is what makes it likely that we hacked the petition? More than just Pescado's stories that is.
If not, what makes it likely he would be telling the truth? Isn't it in his interest to make us look guilty considering what PMBD stands for?
I don't really need to HELP you look guilty, you do a fine job of that on your own. Notice how I don't have any VILE PEGGY ATROCITIES to point out. The fact of the matter is that TSR is so good at looking guilty that fingers will be pointed your way even if you had nothing to do with it, and I've specifically ruled out TSR involvement in several instances of hacking in the past. I say this because I know hacking, and what it looks like. YOU may find it inconceivable that the organization you belong to is linked to all these shady doings, but remember: The average Enron employee didn't do anything wrong, either. No one is accusing YOU personally of doing anything. If you think you haven't done anything wrong, maybe you haven't, but you are not the entirety of TSR.
Logged
Give a man a fire, and you warm him for a day. Set a man on fire, and he will be warm for the rest of his life.
johan
ARR!
Posts: 58
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2462 on:
2009 December 10, 12:57:39 »
Quote from: Pescado on 2009 December 10, 11:20:32
I don't really need to HELP you look guilty, you do a fine job of that on your own. Notice how I don't have any VILE PEGGY ATROCITIES to point out. The fact of the matter is that TSR is so good at looking guilty that fingers will be pointed your way even if you had nothing to do with it, and I've specifically ruled out TSR involvement in several instances of hacking in the past. I say this because I know hacking, and what it looks like. YOU may find it inconceivable that the organization you belong to is linked to all these shady doings, but remember: The average Enron employee didn't do anything wrong, either. No one is accusing YOU personally of doing anything. If you think you haven't done anything wrong, maybe you haven't, but you are not the entirety of TSR.
You're right, i'm not the entirety of TSR and realistically i can not give any guarantees for anyone's actions other than my own.
What i can guarantee is that we (as in the group of founders and paid staff) do not encourage nor endorse any kind of hacking activity.
If you or anyone else here have evidence that someone from TSR is behind such things we would appreciate it if you would let us know because that person is not someone we want to be associated with.
I would be delighted to hear more about the hackings you haven't already ruled out and why you think it's possible or even likely it was someone from TSR.
Logged
I am the main Dish of the Day. May I interest you in parts of my body?
kenmtl
ARR!
Posts: 1308
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2463 on:
2009 December 10, 13:21:31 »
Logged
I'm in ur forums propagating ur discussions
Like free shit? Me too. Get it here!
Pescado
Pirate King
Posts: 2095
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2464 on:
2009 December 10, 13:59:36 »
Quote from: johan on 2009 December 10, 12:57:39
I would be delighted to hear more about the hackings you haven't already ruled out and why you think it's possible or even likely it was someone from TSR.
Well, let's just look at this very thread: There has never been a satisfactory explanation for how that information was "mysteriously" leaked from the DB and used to hack specific accounts and websites. Various wild explanations have been bandied about in an attempt to explain this, with completely inconsistent claims of whether or not there was a security "leak". However, even a security leak does not explain the attack profile used. If we ASSUME there was a security leak that was OUTSIDE of your control, it leads to the conclusion that this was a targeted leak: Someone working INSIDE the community did it, as a "wild" hacker would not have the motivation to attack single specific targets, and never conduct attacks in such a manner, due to the fact that it does not maximize the number of sites they can deface. Given that our "mystery hacker" is now a figure from inside the Sims community, who has a specific motive to use the information "leaked" from your DB to attack specific sites and accounts, we have two explanations that are coherent:
1. That this was an inside job, performed with the complicity of an administrator with database access.
2. That a wizard did it.
You'll understand why I don't consider "a wizard did it" a compelling explanation, as wizards are artifacts of the early days of computer systems and do not really exist as of the 21st century. The days when people could call themselves wizards and attack specific systems on demand, at will, are gone. While it is plausible that you, yourself, would never condone such an action and are not lying when you would not believe that someone in TSR's command staff WOULD, the fact remains that there are no other explanations plausible to an individual who understands hacking and networked systems security. For someone to attack, on demand, YOUR specific system, requires that you either be using public code that has known vulnerabilities which are open to public exploit, which I know isn't the case, because I tried that already, or that this person be a wizard of ancient myth and legend. This means that the system was never attacked, and that someone GAVE the database information to someone. Can something like this be proved to a legalistic standard? Probably not. The legal system, however, traditionally has absolutely no understanding of technology and it is nearly impossible to attain physical proof of anything, given the fact that hard evidence quickly ceases to exist when the systems it could exist on are under the control of the guilty party, or disinterested parties. I have no such shortcomings. To me, the guilt of someone within TSR is as clear as a fiberoptic endoscope in the bowels. The explanation for this necessarily requires that one of your database administrators is guilty, or that a wizard exists in the Sims community, someone with far greater skill than figures like Delphy or myself, or indeed, anyone known outside the community. Is that plausible? I don't think so, and unless you think mind-control rays are beamed down from cellular phone masts, and that you need a tinfoil hat to protect yourself from that, you don't either.
When all other explanations are ruled out, whatever is left, however unpalatable, must be the truth.
So how many database administrators do you have? Which one of them do you believe did it? All other possibilities are ruled out. If you REALLY would never do such a thing and would not allow someone in your staff to do so, either someone is doing so without your approval, but possibly the approval of someone higher in the chain of command, perhaps their own, or you are lying. If we discard the explanation that you are lying, because you seem like a decent enough sort, then you still have snakes on your plane. So, is enough, enough? Have you had it with these motherfucking snakes on your motherfucking plane? Then go open some windows...if you even have the authority to sack who you think is guilty.
Logged
Give a man a fire, and you warm him for a day. Set a man on fire, and he will be warm for the rest of his life.
dietofworms
ARR!
Posts: 625
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2465 on:
2009 December 10, 14:19:38 »
Pescado: I've had my differences with you, but that was masterful.
I wonder if we'll see Johan again.
«
Last Edit: 2009 December 10, 14:38:59 by dietofworms
»
Logged
"The guilt of someone within TSR is as clear as a fiberoptic endoscope in the bowels. "
--Pescado
Moune
ARR!
Posts: 380
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2466 on:
2009 December 10, 15:37:45 »
Quote from: dietofworms on 2009 December 10, 14:19:38
Pescado: I've had my differences with you, but that was masterful.
I concur. Wholeheartedly. That reply makes it pretty impossible - not to mention ridiculous - for anyone to deny that there has been shady dealings inside TSR.
Logged
* Formerly known as Peachfish *
Got a hungry sim that needs a nice place to have dinner?
HERE
is a new dining room for you.
SnarkyShark
ARR!
Posts: 1584
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2467 on:
2009 December 10, 16:16:01 »
As their committee researches an answer, I'd just like to mention that I can't wait to bring up what I just learned about wizards and data base vulnerabilities at the next party. Maybe now I'll finally be able to impress the tech crowd who are always hanging out in the basement listening to Interpol.
Logged
karu
ARR!
Posts: 474
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2468 on:
2009 December 10, 16:22:31 »
Logged
johan
ARR!
Posts: 58
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2469 on:
2009 December 10, 18:12:19 »
Quote from: Pescado on 2009 December 10, 13:59:36
Well, let's just look at this very thread: There has never been a satisfactory explanation for how that information was "mysteriously" leaked from the DB and used to hack specific accounts and websites. Various wild explanations have been bandied about in an attempt to explain this, with completely inconsistent claims of whether or not there was a security "leak". However, even a security leak does not explain the attack profile used. If we ASSUME there was a security leak that was OUTSIDE of your control, it leads to the conclusion that this was a targeted leak: Someone working INSIDE the community did it, as a "wild" hacker would not have the motivation to attack single specific targets, and never conduct attacks in such a manner, due to the fact that it does not maximize the number of sites they can deface. Given that our "mystery hacker" is now a figure from inside the Sims community, who has a specific motive to use the information "leaked" from your DB to attack specific sites and accounts, we have two explanations that are coherent:
1. That this was an inside job, performed with the complicity of an administrator with database access.
2. That a wizard did it.
You'll understand why I don't consider "a wizard did it" a compelling explanation, as wizards are artifacts of the early days of computer systems and do not really exist as of the 21st century. The days when people could call themselves wizards and attack specific systems on demand, at will, are gone. While it is plausible that you, yourself, would never condone such an action and are not lying when you would not believe that someone in TSR's command staff WOULD, the fact remains that there are no other explanations plausible to an individual who understands hacking and networked systems security. For someone to attack, on demand, YOUR specific system, requires that you either be using public code that has known vulnerabilities which are open to public exploit, which I know isn't the case, because I tried that already, or that this person be a wizard of ancient myth and legend. This means that the system was never attacked, and that someone GAVE the database information to someone. Can something like this be proved to a legalistic standard? Probably not. The legal system, however, traditionally has absolutely no understanding of technology and it is nearly impossible to attain physical proof of anything, given the fact that hard evidence quickly ceases to exist when the systems it could exist on are under the control of the guilty party, or disinterested parties. I have no such shortcomings. To me, the guilt of someone within TSR is as clear as a fiberoptic endoscope in the bowels. The explanation for this necessarily requires that one of your database administrators is guilty, or that a wizard exists in the Sims community, someone with far greater skill than figures like Delphy or myself, or indeed, anyone known outside the community. Is that plausible? I don't think so, and unless you think mind-control rays are beamed down from cellular phone masts, and that you need a tinfoil hat to protect yourself from that, you don't either.
When all other explanations are ruled out, whatever is left, however unpalatable, must be the truth.
So how many database administrators do you have? Which one of them do you believe did it? All other possibilities are ruled out. If you REALLY would never do such a thing and would not allow someone in your staff to do so, either someone is doing so without your approval, but possibly the approval of someone higher in the chain of command, perhaps their own, or you are lying. If we discard the explanation that you are lying, because you seem like a decent enough sort, then you still have snakes on your plane. So, is enough, enough? Have you had it with these motherfucking snakes on your motherfucking plane? Then go open some windows...if you even have the authority to sack who you think is guilty.
Thank you for taking the time to explain your reasoning, i can understand your point of view.
I agree that it's most likely some individual(s) from within the community that is behind it but i wouldn't so easily jump to the conclusion that it necessarily has to be TSR though.
It could for example be someone from your side of the fence that likes to stir up shit and see what happens or just for giving TSR an even worse reputation.
If this is the case it has been working pretty well so far.
We can't completely rule out that information somehow was leaked from our database, either intentionally by someone on staff or by some security leak in our system.
Since i personally know everyone with access to the database (and we are very few) that option is not a compelling explanation to me, i truly do not believe it is the case.
I also don't see the motive for doing so.
What could we possibly have to gain from having some other site in the community hacked?
Before some pirate throws in a standard reply about how evil and immoral TSR is please think just a little bit further.
All continued hackings after the first one we got the blame for would only add to our "guilt" and for what? Just for the fun of messing with someone?
The other option, that we had a security leak, is to me no more attractive than the first option however it would be more likely.
Although i agree that an old school Wizard wouldn't do stupid shit like this the situation nowadays is a bit different.
You have probably just like me seen what happens to a server once you connect it to the Internet, it doesn't take very long before signs of port scans and other probes start showing up in your logs.
For the most part probably not real hackers in the proper meaning of the word but rather 12's hanging on various l33t sites are running scanners (that they didn't write themselves) to find known exploits in various systems.
Not only vulnerabilities at the web application level (SQL injections for example, which can work on all kinds of web applications if you're not careful with checking POST/GET variables used in queries) but also on the operating system and services levels. Once you find one, inject a suitable pre-made rootkit and there you go. Or if you find a way to inject SQL get a list of logins or add yourself as an admin. You're in without necessarily having to know very much, you just need some time, persistence and access to the right tools.
I've seen it happen
There were some weird things going on around the time of the buggybooz incident that we didn't manage to find adequate explanations for and because of that we took measures to improve security on our servers and applications.
We also changed the database to use encrypted passwords some time after that.
Perhaps it's even more likely that something like this is what happened to the other community sites, with the right tools you don't have to be a wizard in order to get access to a system.
I would imagine cheap shared servers are not always up to date and properly protected from such attacks. Even if they are at the operating system the forum software might be open for attacks, for example.
So although i can see the logic behind your arguments i think you oversimplify things just a little too much, intentional or not.
Logged
I am the main Dish of the Day. May I interest you in parts of my body?
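An added example, not part of the thread and not any poster's or site's code: the two measures the post above mentions, checking request variables before they reach a query and no longer storing passwords in the clear, sketched with Python's sqlite3 and hashlib. The schema, function names, work factor and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def make_db():
    """In-memory database with a constructed users table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def add_user(db, name, password):
    salt, digest = hash_password(password)
    # Placeholders keep the values out of the SQL text entirely.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))


def lookup_unsafe(db, name):
    """'Before' form: a request variable pasted straight into the query string."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, name):
    """Same lookup with a bound parameter; the input is only ever treated as data."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def verify_login(db, name, password):
    """Recompute the salted hash and compare in constant time."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # same work for unknown names
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def dump_exposes(db, password):
    """True if a copied users table would contain the password itself."""
    needle = password.encode("utf-8")
    for name, salt, pw_hash in db.execute("SELECT name, salt, pw_hash FROM users"):
        if needle in name.encode("utf-8") or needle in salt or needle in pw_hash:
            return True
    return False


if __name__ == "__main__":
    db = make_db()
    add_user(db, "alice", "constructed-pass-1")  # constructed sample accounts
    add_user(db, "bob", "constructed-pass-2")
    crafted = "nobody' OR '1'='1"  # constructed request value
    print("unsafe lookup:", lookup_unsafe(db, crafted))
    print("safe lookup:  ", lookup_safe(db, crafted))
    print("login ok:     ", verify_login(db, "alice", "constructed-pass-1"))
    print("dump exposes: ", dump_exposes(db, "constructed-pass-1"))
```

With salted hashes, a copied table no longer hands out passwords that can be replayed directly against a member's accounts on other sites, though weak passwords can still be guessed offline.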
Pottymouth
Paden
ARR!
Posts: 4822
Great Cat of no mercy.
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2470 on:
2009 December 10, 18:45:34 »
Quote from: johan on 2009 December 10, 18:12:19
What could we possibly have to gain from having some other site in the community hacked?
Before some pirate throws in a standard reply about how evil and immoral TSR is please think just a little bit further.
What would TSR have to gain by hacking other sites? Hmmm, removal of competition comes to mind. Internet dick-waving/bragging rights, for another. Making an example of the site hacked to other free sites to tremble in fear of that happening to them comes to mind, as well. Silencing opposition could be a factor, too. You didn't think much before you asked that question, did you?
Logged
The tea is not fit to drink; it's been stewed and is old.
Witchboy
ARR!
Posts: 583
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2471 on:
2009 December 10, 19:32:36 »
Karu, that pic is FTW!
Logged
*Empress Paden's Fanboy*
*ShanOw, now 100% more stoppable then me!*
*O Coconut, Coconut, wherefore art thou Coconut?*
dstar
ARR!
Posts: 909
The Best Things in Life Are Free
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2472 on:
2009 December 10, 19:34:38 »
This does not make any sense Johan- you claim you know every one of your employees from your Executive Board down to your FA's and SA's and you are sure that the people who have access to our information (yes I used to subscribe and since you never remove inactive members from your database I am still registered at TSR) are trustworthy.
However you also claim you don't do background checks on your employees. I work in Restaurant Management and as a Restaurant Manager I sure as hell do CORI (Criminal Offense Records Investigations) on ALL employees that will have access to the personal and financial information of my other employees, and my customers, as well as on any employees that will be dealing with the actual money be it cash or credit card receipts. AND I DON'T EVER GIVE THAT INFORMATION TO EMPLOYEES THAT HAVE NO BUSINESS WITH THAT INFORMATION- THE DISHWASHER DOES NOT GET OTHER EMPLOYEES PAYROLL INFO OR A CUSTOMERS CREDIT CARD INFO-EVER!
If you haven't done background checks on your employees ( I am assuming since you don't investigate FA's - your business doesn't investigate anyone else pre-hire either- that is usually the way it works in companies with unethical or inefficient business practices-and sorry not removing registered but inactive members from the database- having an unencrypted database, and sharing customers' private info with people who have no reason to have it indicates you qualify as both inefficient and unethical) how can you really know your " Employees" specifically your fellow executives and Sys Admins are trustworthy? Family is not an excuse- most people have plenty of untrustworthy family members.
Let's be blunt- you cannot claim your employees are as trustworthy as you would like to believe- after all Atwa somehow (hmm I wonder how?) managed to somehow sneak in a back door (or had it opened for her deliberately) and nearly gained her FA position again. How can you claim your employees are trustworthy when a) your brother re-hired (with or without prior knowledge) a woman who has proven her hatred of TSR (after all she was ranting throughout the community that she was essentially going to see TSR employees' heads roll if she did not get reinstated, and has been known to commit unethical acts in regards to the community that have cast your business in a very negative light), and the community in general.
Your employees are all trustworthy yet instead of terminating Shakeshaft, the thief and removing Buggybooz's stolen content, she is still employed by you and she continues to act as an FA for both Sims 2 and Sims 3. Any other company she would have long since joined the dole line and been rejected along with other former employees of other companies that have been fired for theft.
You accuse us of being pirates (being essentially the entire free community since that list that you had access to somehow- had the names of creators and community members who have never been associated with the Anti-Paysite Movement in any way - e.g. Milano) yet it is really funny- I don't have any pay content whatsoever in my game unless it is per the creators TOU that meshes can be included with recolors, and lots. the site is dead and gone, or has gone free like 37Sims. Any TSR content in my game (which consists of maybe 3 sets since FREE creators have made comparable or better content to replace anything I downloaded as a paid sub) was paid for - by me.
All my games were paid for by myself, or given to me as gifts- and all of my content creation programs are free programs - created by members of the free community (SimPE, CEP) or by shareware/freeware programmers like those that designed GIMP and Wings. So tell me- who is the pirate - the site that keeps in their employ thieves (Shakeshaft, Monica), Hackers and Stalkers (Atwa)., lies to the community, steals (sharing personal info with people who ought not have it is stealing) peoples identities, and refuses to remove the work of creators who have gone free (Aikea Guinea, Darqstar) who have repeatedly asked that it be removed, or to close and remove the accounts of people who no longer support your site in order to boost your membership numbers.
Most of the people in the Free Community that I know of including most members of PMBD and Sims Cave don't have pay content in their games, except under the conditions that I have mentioned above e.g. dead site, FSF, or gone free, and have paid for all of their games, and CC creation tools or gotten free programs from free sources. This in comparison to some of your FA's and SA's who have admitted to having pirated games and software.
So tell me- who is the pirate- the site that condones theft- hacking etc- by maintaining the employment of people who are known by a majority of the community as thieves and hackers, or the 3/4 of the community (no matter what your membership numbers say) that want nothing to do with such things. Most of us fight paysites by promoting free content from free sites over pay content from TSR or any other paysite not by stealing your content- most of us don't want it
The Booty is there, the files on Sims Cave are there, but honestly- about 80% of the sites on the fileshare lists for both are dead- and it is currently the only way anyone can access the content at all- and just because it is there does not mean everyone in the free community is taking advantage of it. After all who the heck wants Cashcraft when you can have Adele? Who wants Murano when we can have Buggybooz and Tig027, who the heck wants Lianna when we have Escand, who wants Marko when we have Nouk, Agustin, and Anto?
I am sorry, but, as someone who has run a business, and as a former sub at TSR- I don't buy your excuses. Empty words are just that, and you have come over here spouting them far too many times for anyone to believe you. While one must read what Coconut posts as being interpreted via her own moral and ethical principles and views on your site. I believe her evidence over your excuses. Since well- she has evidence- you have excuses- making excuses that you didn't do something when someone has evidence you did- only makes you look guilty. Good luck getting anyone in the Free Community to believe the excuses this time Johan- too many respected community members in the Sims Community as a whole had their personal shit revealed for this to go ignored even by sites, communities and creators that aren't normally anti-pay or anti TSR
«
Last Edit: 2009 December 10, 19:42:01 by dstar
»
Logged
100% Free Finds All the Time from 100% Free Sites
http://www.freesimsfinds.com
http://www.sailfinsims.com
Pescado
Pirate King
Posts: 2095
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2473 on:
2009 December 10, 19:41:36 »
Quote from: johan on 2009 December 10, 18:12:19
I agree that it's most likely some individual(s) from within the community that is behind it but i wouldn't so easily jump to the conclusion that it necessarily has to be TSR though.
It could for example be someone from your side of the fence that likes to stir up shit and see what happens or just for giving TSR an even worse reputation.
If this is the case it has been working pretty well so far.
That could be a plausible theory, IF the hacking had been attained with independent information. However, the flaw in this argument is that to acquire the information necessary to carry out the hack, one would have to be a TSR DB admin. That means this individual is one of yours, not one of ours. Believe me, if I had a TSR DB admin, I wouldn't be squandering it on anything as utterly puerile as false-flag defacement.
Quote from: johan on 2009 December 10, 18:12:19
We can't completely rule out that information somehow was leaked from our database, either intentionally by someone on staff or by some security leak in our system.
A computer security leak on your system would require that someone have the technical skills needed to independently find and exploit it. To independently find and exploit such a vulnerability would involve skills on par with some of the best in the community. For this individual to be sufficiently motivated to want to smear TSR, so unknown as to not be one of us already, and so stupid and short-sighted as to squander such an advantage on false-flag defacement would be extremely implausible. If it is a figure OUTSIDE the community, then they would simply not CARE about attempting a false flag defacement using your database's information, and would simply have vandalized your site, and run home to brag about it to his friends. Given this understanding of how hackers operate, it is clear and obvious that whoever is doing this is one of your staff, one of your staff with database access. If it is not you and you do not know who it is, then TSR has some real problems internally.
Quote from: johan on 2009 December 10, 18:12:19
Since i personally know everyone with access to the database (and we are very few) that option is not a compelling explanation to me, i truly do not believe it is the case.
I have every reason to believe that it is likely the case that the person with the database access did not personally carry out the hackings. However, it is manifestly clear that this person clearly released this information to people who he knew WOULD. This separation between knowledge and use also fits the pattern of destruction, as the information used was not employed skillfully, and effectively squandered any advantage that your side could have gained through its use. Basically, one of you felt that TSR could avoid responsibility for it by releasing the information to a rogue operator. From a legalist standpoint, this is almost certainly true, as enough plausible deniability can be created by such a scenario to rule out any real possibility of legal conviction, but that is not sufficient to convince ME. I know how the game works, and I see what you did there.
Quote from: johan on 2009 December 10, 18:12:19
I also don't see the motive for doing so.
What could we possibly have to gain from having some other site in the community hacked?
Before some pirate throws in a standard reply about how evil and immoral TSR is please think just a little bit further.
All continued hackings after the first one we got the blame for would only add to our "guilt" and for what? Just for the fun of messing with someone?
Motive? Well, from a logical, calculating perspective, this was an utterly stupid, bone-headed move. If you were going to misuse private information to hack sites, such an act effectively squandered any possible advantage you could have gained through its long-term use. So you are right, the motive for this does not make any logical sense and TSR has absolutely nothing whatsoever to gain from such an act. This is why you disbelieve it.
However, you disregard the element of simple stupidity. The fact of the matter is, most people are NOT calculating and savvy hackers and veteran netwarriors, and this likely holds true for most of your staff. Someone on your staff acted out of a desire for simple, petty vengeance against something that pissed them off. They ignored what would have been logical in favor of acting irrationally. Is this hard to believe? TSR staffers are not chosen because they are robot-like beings stripped of most emotional impulses. Such people do not make good artists and do not relate well to the type of community you keep.
Quote from: johan on 2009 December 10, 18:12:19
The other option, that we had a security leak, is to me no more attractive than the first option however it would be more likely.
Well, a security leak, or someone is violating your stated policy. There is every reason to believe your security fault lies in the wetware rather than the software.
Quote from: johan on 2009 December 10, 18:12:19
Although i agree that an old school Wizard wouldn't do stupid shit like this the situation nowadays is a bit different.
You have probably just like me seen what happens to a server once you connect it to the Internet, it doesn't take very long before signs of port scans and other probes start showing up in your logs.
For the most part probably not real hackers in the proper meaning of the word but rather 12's hanging on various l33t sites are running scanners (that they didn't write themselves) to find known exploits in various systems.
Not only vulnerabilities at the web application level (SQL injections for example, which can work on all kinds of web applications if you're not careful with checking POST/GET variables used in queries) but also on the operating system and services levels. Once you find one, inject a suitable pre-made rootkit and there you go. Or if you find a way to inject SQL get a list of logins or add yourself as an admin. You're in without necessarily having to know very much, you just need some time, persistence and access to the right tools.
I've seen it happen
I'm familiar with this: But there's one key thing that differentiates such attackers, which are very common and have hit sites, but the ATTACK PROFILE is different. 12 year old l33t h4xx0r d00dz don't steal account information from databases and then strike back at people who have expressed anti-TSR sentiments. 12s will just vandalize your site, wipe your database, and run off to brag to their friends about it. Happens all the time, even in this community. Sometimes people blame TSR for that, but I always have rejected such claims, as the attack profile does not match that of a targeted move.
Quote from: johan on 2009 December 10, 18:12:19
There were some weird things going on around the time of the buggybooz incident that we didn't manage to find adequate explanations for and because of that we took measures to improve security on our servers and applications.
We also changed the database to use encrypted passwords some time after that.
That seems to be the "official explanation", but I don't really buy that. While the database may NOW be using hashed passwords, this is a bit like closing the barn door after the horses have left.
Quote from: johan on 2009 December 10, 18:12:19
Perhaps it's even more likely that something like this is what happened to the other community sites, with the right tools you don't have to be a wizard in order to get access to a system.
I would imagine cheap shared servers are not always up to date and properly protected from such attacks. Even if they are at the operating system the forum software might be open for attacks, for example.
Again, I know all this. However, remember, the attack profile. People who scan and nuke do so with automated scripts aiming for quantity, not quality. This is common netwar material and I basically disregard this as having any association with any community-relevant motive. Happens all the time, like you said. Every admin knows that. But this? This is different. This is a leveraged attack. Someone harvested SPECIFIC information, and then spent a lot of time looking for a SPECIFIC place to employ it to commit an act that shows every sign of being politically motivated. While not quite in the realm of wizardry, a targeted, politically motivated attack, using information gleaned from an undisclosed security flaw, is still highly skilled. For someone to do such an act, he would have to be on the skill level of someone like myself or Delphy. Such figures are not exactly COMMON in this community. So to claim that THIS is what happened is effectively to accuse either a known member of the community, or to postulate the existence of some unknown, yet powerful, dark horse coder with strong political motivations for one side (either to hack in the name of TSR, or to defame TSR by conducting a false flag attack). And that? That is on the verge of tinfoil hat territory.
Quote from: johan on 2009 December 10, 18:12:19
So although I can see the logic behind your arguments I think you oversimplify things just a little too much, intentional or not.
I don't simplify things too much at all. I consider all the angles, and I discard that which simply doesn't fit. The result seems like a simple Reader's Digest, but honestly, to explain it to people in this community, it sort of has to be. In short, the only explanation that FITS is that an agent is operating with the assistance of a database administrator. It is, in all likelihood, NOT the database administrator himself, because such a smoking gun would render you open to criminal charges and would certainly destroy TSR's reputation utterly, as there would be no doubters if you could meet the level of proof needed to convince Delphy, who is a good programmer with a solid understanding of web programming, but not a netwarrior.
So, obviously, we're dealing with agent-by-proxy here. Someone released the information to an agent, perhaps on request, or simply knowing what they would do with it. You're certain NO ONE would EVER do that? That is a very strong assertion to make. Not even one I would make of my own staff, which is why I do not hand out database access. If you, personally, would never consider such an act, as, frankly, even if you were of malicious intent, from a technical standpoint, it is a really STUPID thing to do, and you seem like you have a decent understanding of technical things, are all of your database administrators techs? I doubt that.
Logged
Give a man a fire, and you warm him for a day. Set a man on fire, and he will be warm for the rest of his life.
Witchboy
ARR!
Posts: 583
Re: TSR: In Ur Accounts, Deletin Ur Stuffs!
«
Reply #2474 on:
2009 December 10, 22:40:30 »
«
Last Edit: 2009 December 11, 04:48:27 by Witchboy
»
Logged
*Empress Paden's Fanboy*
*ShanOw, now 100% more stoppable then me!*
*O Coconut, Coconut, wherefore art thou Coconut?*