If you recall, ezboard, Inc. claimed to have been the victim of a hacker when they lost 70,000 or so messages from our ezboard alone when the alleged hacker deleted current posts and the “backups” that we were paying them to keep for us - see my earlier post on this.

Following this data loss and the ensuing debacle with ezboard, Inc. clearly being caught with their pants down, followed by one of their Customer Services [sic] people making false accusations against me when I began asking awkward questions of them, I began watching and taking part on a board hosted by ezboard. As more and more details emerged in that forum, ezboard’s employees started editing and deleting posts and banning users taking part in an effort to silence us. Fortunately, copies of posts were kept and shortly before ezboard deleted the message board in its entirety, a full backup copy of the board was taken. Ironic isn’t it that some users could achieve what ezboard themselves had failed to do.

In the meantime, a number of us users were invited to start posting on a similar message board hosted by InvisionFree which was basically private for viewing purposes. That board included the only link at that time to the ezboard backup hosted on a secured server elsewhere. The server logs started showing access attempts from a number of unidentified IP addresses, so that raised some questions as to who they were and how they knew about the backup.

Around that same time, I discovered a security flaw in Yuku: in common with most message board systems, the board Administrators and Sysops can see the IP address of the person making posts on the board. Unfortunately, the implementation of Yuku at that time was such that although the IP addresses of those posting on forums such as the Yuku Help [sic] Forums were not visible when viewing the forums in a browser, they were as soon as the source code was viewed, so that any Tom, Dick or Harry could see the IP addresses of anyone who’d posted on the Yuku Help [sic] Forums.

Cross-checking the IP addresses from those running authentication hack attempts and the IP addresses for ezboard’s staff and CEO revealed a number of matches. Attempts had been made to access the ezboard backup using usernames and passwords that would only have been known to the ezboard users or those with enhanced privileges at ezboard, Inc.

Another message board has since been set up on InvisionFree to discuss ezboard and Yuku following the infiltration of the first one and there is a full discussion about the successful authentication hack attempt in this thread, which I’ll reproduce below:

How ezboard employees hacked into my server…, … and our former Invisionfree board!

Yes, you read that right. The company who claims to be hacked in May 2005 accessed without permission my private webserver starting the 16th of February 2006, and after access was restricted with a password continued trying to access it after using a so-called authentication hacking attack, in this case using ezboard usernames and passwords trying to get in. This attack, logged in detail on my server, initially failed. The authentication was eventually cracked by an ezboard employee using information gleaned from a cloaked forum at Invisionfree called EzDisasterOf2005, a community for ezboard critics only. This forum only could have been accessed by using usernames and passwords equal to those at ezboard that some people used on that forum. A little further checking has given us evidence that at least one account had been breached that way and was used up until the 15th of April to access that private forum before all the passwords were changed. Of course by then we already basically stopped posting in that place and started a public one again; the one you’re reading right now.

Also I’ve learned ezboard filed complaints at Invisionfree about violation of certain copyright (against a private and cloaked forum they had no authorized access to!). Even though these few bits were removed in the end the complaint had no legal base at all, since criticism, comment and parody are fair-use, and so this was basically just plain harassment by ezboard, added to their unauthorized access.

Let me try to put it into context a bit and add some specifics as well. I have left some detail like IP addresses and hostnames out for security reasons. But you can be sure I’ve them all ready if challenged to provide them!

On February the 18th without any warning ezboard closed down a board called The Great Ezboard Disaster of 2005. It was locked down claiming accordance with the Terms of Use. Why exactly a board that existed already ten months, discussing quite candidly The Great Hack as well as the future of ezboard and the coming Yuku was closed will remain a question. It doesn’t matter for this story though, even while I’ve some ideas since some material was posted there in February by a ‘newcomer’ that was censored out immediately by ezboard staff without warning. Maybe material for a future follow-up…

Back to that locked down board. In the summer of 2005 some of the members there already felt the need to have a cloaked board away from ezboard and started a private community at Invisionfree to speculate more freely about things all the while thinking ezboard might close down the older public board at some point. When posts at the original board, The Great Ezboard Disaster of 2005, started being edited by ezboard staff in February 2006 some of us wondered if the last days of that community finally had been entered. This brought me to the action of spidering the board to create an off-site archive. After spidering it was converted into a PHPBB for ease of search by a great phpbb-mod called ezboard-conv.

After having posted the URL to the archive at the private and cloaked Invisionfree board for reference, right away a lot of IP addresses started accessing the archive. Some of those were very familiar but some were not: they belonged to ezboard staff. The way I knew this is because back then IP-addresses showed up in Yuku when posts or announcements were made by staff or the CEO. This ‘feature’ was disabled later on but helped to track down this hack. There are a couple of other sites where over time the link between IP and certain ezboard staff could be verified. It’s a 100% match without any doubt in terms of dynamic IP addresses or things like that. What do we have exactly then?

Unauthorized access of the private archive by so-called ezmods, to be more precise “alison aka ezAtlas aka Pink”, “mishmaroo aka ezMish”, “GoalieAunt” and “jennifer aka Ezjennifer”, as well as access from what appears to be a San Francisco office where ezboard often operates out from, using Covad as DSL supplier (just to let you know we have the details here). The most serious authentication hacking attack occurred from this last address only and we can only assume the ezmods followed or assisted in…. whatever they were looking for in an archived ezboard community they had nuked the day before themselves! The evidence of the authentication hacking consists of a logfile showing several ezboard accounts and passwords being used that were in use at the original ezboard community, see also the attachment to this post. All from the same IP address in San Francisco, one I know is used by ezboard staff, one I know is used to post CEO announcements and by the main developer at times.

I don’t know who accessed our private forum at Invisionfree using ezboard usernames and passwords from their user administration but we know from logfiles ‘mishmaroo Ezmish’ was still reading there in April 2006. We tracked down the account she had hijacked for this purpose and changed passwords there too.

So here we have the whole wonderful ezboard family, the ones we’re supposed to love and trust and feel bad for how they were ‘hacked’ in May 2005. But if hijacking accounts of other messageboard systems and guessing passwords to enter private servers is the habit for these people, I really start to wonder if these people can be trusted to tell the truth about anything at all, especially when they claim to be ‘hacked’ by some very mysterious shadowy hacker who had access to almost everything.

The case is too complex for a legal battle over hacking since my private server was not in the USA. While a case has been filed at various abuse departments the abuse is just too small for ISPs to take much action. But perhaps the truth can get out with this post nevertheless.

This boils down to ethics: why ezboard, as a ‘respected’ company, should attempt to access our password protected backups (as if they can be trusted with it), why they should hack, infiltrate or attempt to harass consumer groups. Feel free to respond or just draw your own conclusions.

(Attached: cleaned up logfile with authentication hacking in progress)”

This is what the attachment says:

h-68-167-xxx-xx.snfccasy.covad.net - - - [23/Feb/2006:09:55:47 +0800] "GET /ezboard/archive/tged2005/index.php HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - Dinkster123 xxxxxxx [23/Feb/2006:09:56:40 +0800] "GET /ezboard/archive HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - Dinkster123 xxxxxxx [23/Feb/2006:08:57:08 +0800] "GET /ezboard/archive/ HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - I love MJNet xxxxxxx [23/Feb/2006:10:12:13 +0800] "GET /ezboard/archive/ HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - RichardHMorris xxxxxxx [23/Feb/2006:10:12:40 +0800] "GET /ezboard/archive/ HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - zanack xxxxxxx [23/Feb/2006:10:13:21 +0800] "GET /ezboard/archive/ HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - AutobotXYZ xxxxxxx [23/Feb/2006:10:13:53 +0800] "GET /ezboard/archive/ HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - soggybendoggy xxxxxxx [23/Feb/2006:10:14:19 +0800] "GET /ezboard/archive/ HTTP/1.1" 401 409
h-68-167-xxx-xx.snfccasy.covad.net - finally got it! xxxxxxx [23/Feb/2006:11:48:16 +0800] "GET /ezboard/archive/tged2005/index.php HTTP/1.1" 200 21669
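A defender-side check over logs in the format of the attachment above, as an added example that is not part of the original post or of this blog: it flags any host that received 401 responses for several distinct usernames and reports the first username that then got a 200. The sample lines, hostnames, usernames and the `min_users` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout: host ident user password [time] "request" status bytes
# The user field may contain spaces; the masked password is one token.
# Straight and typographic quotes are both accepted around the request.
LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>.*) (?P<pw>\S+) '
    r'\[(?P<ts>[^\]]+)\] ["“](?P<req>[^"”″]*)["”″] '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# Constructed sample lines (not the attachment itself); hosts use example.net.
SAMPLE = '''\
dsl-1.example.net - - - [23/Feb/2006:09:55:47 +0800] "GET /archive/ HTTP/1.1" 401 409
dsl-1.example.net - alice xxxxxxx [23/Feb/2006:09:56:40 +0800] "GET /archive/ HTTP/1.1" 401 409
dsl-1.example.net - bob smith xxxxxxx [23/Feb/2006:10:12:13 +0800] "GET /archive/ HTTP/1.1" 401 409
dsl-1.example.net - carol xxxxxxx [23/Feb/2006:10:12:40 +0800] "GET /archive/ HTTP/1.1" 401 409
dsl-1.example.net - dave xxxxxxx [23/Feb/2006:11:48:16 +0800] "GET /archive/index.php HTTP/1.1" 200 21669
home-7.example.net - erin xxxxxxx [23/Feb/2006:10:00:01 +0800] "GET /archive/ HTTP/1.1" 401 409
home-7.example.net - erin xxxxxxx [23/Feb/2006:10:00:09 +0800] "GET /archive/ HTTP/1.1" 200 21669
'''

def find_credential_guessing(log_text, min_users=3):
    """Flag hosts that got 401 for at least min_users distinct usernames.

    Returns {host: {"failed_users": [...], "breached_as": user or None}};
    breached_as is the first username given a 200 once the threshold was hit.
    """
    failed = defaultdict(list)   # host -> distinct usernames that got 401
    breached = {}                # host -> username of the first later 200
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue             # skip lines that do not fit the layout
        host, user, status = m["host"], m["user"], m["status"]
        if user == "-":
            continue             # request sent without credentials
        if status == "401" and user not in failed[host]:
            failed[host].append(user)
        elif (status == "200" and len(failed[host]) >= min_users
              and host not in breached):
            breached[host] = user
    return {h: {"failed_users": u, "breached_as": breached.get(h)}
            for h, u in failed.items() if len(u) >= min_users}
```

A single user mistyping a password and then logging in (the `home-7` lines) stays below the threshold and is not reported.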

Like the original post says, draw your own conclusions.

Of course, given that ezboard, Inc.’s CEO apparently reads this Blog (or at least someone claiming to be him and using the same IP address range as our records indicate), Rob Labatt might choose to ‘set the record straight’ by commenting here…