LivingSims Forum

Originally Posted by Delphy
Hi All,

I don't usually post threads here - and especially not about dramaz, but I thought I'd like to share something about the problems buggybooz has had in the past day or so.
Within the past few days, Buggy noticed that one of the FAs, Shakeshaft, had stolen some of her work (mesh, UV mapping, and textures) and was using the stolen content in items up on TSR for pay. Buggy reported the theft to TSR. It's important to note that this was very recent (discovered and reported in the past couple of days), to give a timeframe to these events.

This morning, buggy discovered that every single one of her downloads on her MTS account had been soft-deleted, her password changed, and subsequent investigation revealed the email had changed too. In addition, her Creator Policy had also been changed to make it "paysite friendly". See the image,

Account-Buggybooz.jpg, for a screenshot of her profile.

We investigated, referring to our logs, looking at what had happened around the time of the changes on the profile and the deletion of the downloads. There was only one IP address that was registered on buggy's account today and it was wildly different from every single other one she'd used going back months. So, obviously, someone else had used Buggy's account. See the image IPs-BuggyboozAccount.jpg, which shows the latest IPs used on her account. Notice the last entry. Some of you might say "Buggy could have done that herself!". Well, the IP address used is clearly not anywhere close to the range she usually uses, and the new account she registered to report the issue matches her *old* account details. See the image, IPs-BbuggyboozAccount.jpg.

Tracking the IP address most recently used on Buggy's account led to something interesting... a match of only 4 other users on MTS besides buggy herself. One of those users had an identical IP address and browser details as registered on buggy's account today.

So by looking at the logs, we have basically proved that this specific person logged into buggy's, deleted her downloads and changed her details, including the profile policies.

How could this have happened? It wasn't a "hack", and as far as I can tell no actual exploits were used. All that happened was that buggy, unfortunately for her, used the same password on both sites. I'll get to why this is bad in a bit.

On a normal vBulletin setup (as MTS uses, and TSR too - for the forums), when you login to an account, if you don't post anything, your IP address is not recorded anywhere except the server logs which are hard to read through. Obviously whoever did this probably assumed that it would be too hard to trace, and that no proof could be gathered on the perpetrator. On MTS, however, we track IPs with each login, regardless of whether or not you post.

My guess is that the person doing this thought, "Okay let's go in, make out like Buggy deletes ALL her stuff and changes her profile to a paysite friendly one. Nobody will ever know it was us and not her, she won't be able to prove the dates on the stuff she says is stolen, and she'll look like a loony, right?". Usually on vBulletin, when you soft-delete a post, all the files get zapped too - but again, this is not how MTS works. In fact, absolutely zero files were lost at all. Zip. Zilch. Nada. All the thumbnails, all the attachments, all the threads - the entire thing has now been restored.

So, in essence, what was gained from this? Absolutely nothing, other than revealing who the perpetrators are and the lengths that they will go to to stop their pay content on TSR from being seen as "stolen".

So who did this? None other Thomas from TSR.

Thomas's use of the account name "Hamilton" has been known to us for quite a long time. He has used it previously to try to recruit free creators to go pay on TSR. See the image, PMs-Hamilton.jpg for proof that the Hamilton account is indeed his. (Yes, admins and admins only can read PMs - no, we don't do it all the time, and we have to go into a specific user's account and then click to see PMs, and then click to unhide individual PM texts - we don't go reading PMs on a regular basis unless there's something suspected that would require it.)

See the image, IPLog-IPSearch.jpg, which shows usage of the IP address last used on Buggy's account. Those not involved have had their usernames and other IPs blurred (and Buggy has given permission for her info to be posted) - the pasted data indicates when the other accounts last used the IP. The last time anybody OTHER than the Hamilton account (and the one usage on Buggy's account) used that same IP was back in July 2008, yet it was used the same day on the Hamilton account as it was on Buggy's account.

The Hamilton account on MTS has the exact same IP and browser details (and I mean *exact*) as the last record on buggybooz's account. See the image, IPs-HamiltonAccount.jpg. Compare this to the previously-referenced image, IPs-BuggyboozAccount.jpg. So this basically proves that whoever did this used Hamilton's MTS account - and how many people would actually do that other than the Hamilton account owner - Thomas himself?

I think it's clear here one of the following things happened:

- Either Thomas himself removed Buggy's stuff, or

- Thomas gave the password to his account to somebody else at TSR and they removed it

In addition to the above, they must have gotten buggy's password from somewhere, which indicates one of two things:

- Either the TSR admins have a way of unencrypting passwords of members, or
- The passwords are not stored encrypted.

Either way, the blatent violation of buggy's personal details is clear - and either a TSR admin used them (a clear violation of privacy) or gave them to somebody else (which is an even bigger issue).

"But wait!" I hear TSR say. We didn't do this, you can't prove it. Sorry, but the account clearly belongs to a TSR representative, and clearly has not been used until such time as buggy reported the bad TSR content. The timing and the individuals involved, combined with the proof of IPs and browser info, are too blatant to ignore. I expect the "We didn't do it, please remove the false accusation" PMs and mails to arrive any day now.

It's clear to me that TSR either sanctions underhanded tactics, or uses such tactics internally. The best thing to do would be to actually investigate such reports and deal with them, not to go to another site, use blatently private information such as passwords to login, and then delete stuff - which as you can see, didn't work anyway.

I really don't know what TSR expected to achieve here. Nothing was lost, everything is back the way it was, and really the only things that got hurt is their own reputation becuase even if they gave the password to somebody else, did they expect nobody to find out? Did they expect buggy - or the community - to take this at face value?

The lesson to be learned here is:

1. Don't use the same password on TSR as you use ANYWHERE else.

2. TSR can and will share any of your personal details, INCLUDING password, and use it however they want.

3. If you ever report anything to them about one of their FAs, they will take "action" against you.

All this just goes to show how EAs new best friend really treats the community and what it thinks of private user details.

Regards,

Delphy

Images referenced:

http://www.modyourpanties.com/hostin...-Buggybooz.jpg

http://www.modyourpanties.com/hostin...s-Hamilton.jpg

http://www.modyourpanties.com/hostin...tonAccount.jpg

http://www.modyourpanties.com/hostin...oozAccount.jpg

http://www.modyourpanties.com/hostin...g-IPSearch.jpg

http://www.modyourpanties.com/hostin...oozAccount.jpg