Date: 25 Sep 2007 14:38:26
From: Ray Gordon, creator of the pivot
Subject: Did Hal Bogner and Brian Mottorshead hack USCF members' accounts?
Is it possible for these 2 crooks to hack into the USCF computers?
Does this mean that Hal Bogner will do the same with customers of
ChessMagnetSchool.com? Can they steal members' credit card information
and rob them?

Does anyone know the answer?





 
Date: 25 Sep 2007 20:59:03
From: Ray Gordon, creator of the pivot
Subject: Re: Did Hal Bogner and Brian Mottorshead hack USCF members' accounts?
On 25 Sep, 16:39, "Ray Gordon, creator of the pivot"
<[email protected] > wrote:
> Is it possible for these 2 crooks to hack into the USCF computers?
> Does this mean that Hal Bogner will do the same with customers of
> ChessMagnetSchool.com? Can they steal members' credit card information
> and rob them?
>
> Does anyone know the answer?

There is a pattern of confidentiality breaches within the USCF. The
pattern starts from the top, and it is filtered down to at least two
developers, who have both admitted to logging in as someone else and
accessing our personal accounts. Two confidentiality issues occurred
to me personally that affected the ability to perform as a volunteer,
and Bill Hall constantly ignored them. Unfortunately, there are
individuals within the USCF that do not like criticism, and once a
whistle blower has made an internal complaint, lawsuits are threatened
after the complaint. We should all be aware of how the USCF treats our
privacy and how they resolve an internal complaint.

I am a web developer, and a frequent visitor to the USCF Forums. I also
moderated this forum for several months during a contentious election
season, currently I am the USCF College Chess Associate Chair, and
developed and maintain the college chess league site
(http://www.collegechess.org). I have worked hard; and just received
notification that I was nominated as the USCF Volunteer of the Month.
However, in my extensive dealings with the USCF, I have witnessed
confidentiality breaches and I have grave concerns on how they handle
our confidentiality. Please read on and try to imagine the following.

In September, a new website was released. You look at it, and find a
ton of bugs. You sit for a few days, look again, and decide to write a
thread titled 'I am not impressed with the site'. In this thread, you
annotate many bugs, the Interim System Administrator does not like
your negative comments, nor does the head website developer, and they
start attacking your comments. You post anyway, and just posted that
there may be a problem with the Private Messaging functionality, and
start to write another long post. You hit the submit button, and
noticed that you are suddenly logged out of the site. You ask your
friends via email if they are still on, the answer is yes, and after
several hours of not being able to log on, you complain using the
site. Now, after reporting the incident, imagine reading the
following response:

"Gregory reported two problems in the forum regarding his account, and
was making a big fuss. Squeaky wheel getting the grease. I did not ask
Gregory for permission to log into his account... (but) sent him a PM
to let him know that I was temporarily substituting my password for
his on the account so that I could log in as him... This was a notice,
not a request for permission, sent as a courtesy in order to avoid any
more inconvenience to him than necessary... When working on the
latter, I went to (Gregory's) PM section of the User Control Panel,
but I did not open any of the PMs. I then logged out, and reset the
password back to his original password, or at least I believed I had
done so... Because the passwords are encrypted, one cannot simply look
up the password in the database and log in with it. You have to go
through the process of saving the user's encrypted password aside,
replacing it with a known password, encrypted, and then logging in
with the known password, later on restoring the original password. In
this particular case, because it was about 2AM and I was tired, I made
a mistake when restoring the password, so in the morning when Gregory
tried to login, he could not. The password was not correct.... Anybody
working on the forums, as I have, has access to the forums database,
which contains personal messages and the content of hidden private
forums... If I had wanted to read your PM's, I did not need to log
into your account, or tell you that I was doing so. I have access to
every PM in the entire database along with everything else. I could
have read every PM you have at any time in the last two and a half
months without telling you or anybody else. The same goes for every
other PM of every other user in the forums. However, if there is any
further public suggestion or implication that my conduct was in any
way improper, unethical, or unprofessional, or there is any other
aspersion cast on my professional reputation, then this will become a
matter involving lawyers, and, potentially, courts.

Sincerely,

Brian Mottershead"

These are real quotes from the Interim System Administrator, taken
from three letters. Are you a bit chilled regarding your privacy? Read
on, it gets worse.

Some may say that I must not care about confidentiality as I am
revealing the contents of emails; however, Brian is acting on behalf
of the USCF as the Interim Systems Administrator. The email goes into
detail how my account was accessed-- nothing in the emails is
personal. Hypothetically speaking, if I write an email to Acme credit
card services, and asked them why they charged me for not using the
credit card for a year, and they respond, I have a right to take it
public, right? This is the same hypothetical situation that happened
at the USCF. However the email that you read from Brian is not
hypothetical at all. It is real.

Before continuing; I would like to comment upon the Interim System
Administrator's points. First, in over 20 years in this business, I
have never looked at anyone's email, or private messages. The forums
that we are using, phpBB3, makes sure that the password is encrypted to
prevent the developer from gaining access to a user's account. This
design choice is intentional to discourage developers from getting the
users' log-in credentials. I did not even think that Brian's tactic to
access my account was possible, in fact, I never thought of any way to
access someone's account at all. Even if I possess the keys to the
database, I am not going to try to figure it out. IMO, it is not the
right thing to do from an ethical standpoint.

Even when I ask someone to volunteer to help on my own college chess
site, I am very careful to give them a quick lecture on privacy. I
clearly state that under no circumstance should you look at anyone's
messages unless given consent, and we must ensure that our customers
have the right to privacy. I am uncomfortable lecturing someone that I
trust, especially when I just asked them for help, however I state it
very clearly before I give anyone access. Good development processes
require that the senior developer take the time to review basic
privacy policies, and will often use development techniques to limit
database access. All developers that have full access should have been
very well trained on what they can do, and what they can't. Unless
required to by law, no one has the right to read another person's private
discussions without the person's explicit consent.

Brian has stated in the past that he 'just logged in to try to fix a
problem'. However, there is no reason for him to access my private
messages to find the problem. The private messages are created by a
single common phpbb3 template. From a technical standpoint, the
template processes the same exact logic regardless of whose account it
is. The fact of the matter is that Brian and I were in heated
exchanges in the forums when this took place, and then I was booted
out and he looked into my private message folder. Yes, Brian
discovered a clever way to circumvent the phpbb3 encryption system,
but even so, he had no reason to log in as me even if he was trying to
'just fix my account'.

This is really not about Brian per se; it is about bad USCF policy,
and having management and some senior programmers that have a
long track record of violating confidentiality. Also, the official
USCF response (and lack of it) of this incident concerns me. I took
this in-house and tried to settle it internally. Instead of being
formally apologized to, I was harassed for reporting it. Finally, it
was not I that broke confidentiality. That distinction belongs to the
head developer of the USCF, Hal Bogner.

Here is letter dated 9/16/2007 from the Head Developer, Hal Bogner:
"Important Note: This is a confidential email, and is not to be shared
outside of the recipients or other board members, with equal attention
to confidentiality..."

Followed up with:

Gregory:

I demand that you immediately cease and desist from posting or sending
by email or otherwise expressing any and all derogatory remarks
concerning myself, my clients, my partners, my colleagues, my
associates, and/or my fellow volunteers, except of course those that
are true and that are clearly supported by publicly available facts. I
likewise demand that you remove and/or retract all such postings and
that you retract all such email statements.

Any further references to allegations you wish to make towards me will
be answered by attorneys, and any harm to the reputations of myself,
partners, colleagues, associates, and/or fellow volunteers may become
the subject of a lawsuit...

Sincerely,

Hal Bogner"

Even though Hal clearly stated that this matter was confidential, a
few days later Hal posted this in the USCF Issues forum:

"On Saturday night, Gregory had a problem... the development team (and
now, the USCF executive board) saw the rather paranoid message he sent
us in the middle of the night... He wrote to the development team,
with cc's to three people: the USCF president, the USCF executive
director, and his boss at chessdiscussion.com. I've been wondering
about why he chose that particular USCF executive board member to
include, without also cc'ing the remaining five members, too.

I, for one, would really appreciate an apology from Gregory, both for
his erroneous assertions in this matter, and for past
misrepresentations regarding me, and also regarding my separate web
site operation, Chess Magnet School, too.

Hal Bogner
[email protected]
http://www.ChessMagnetSchool.com"

It seems like Hal chose to forget that he expressed confidentiality.

There are serious concerns regarding Hal's past regarding
confidentiality. Ask anyone on the FOC or moderation teams how Hal
compromised their confidentiality. Privately; I am sure that most will
agree that on many occasions Hal violated our privacy (I was a
moderator at the time). Bill Hall originally set up the moderators to
be private. However, it is a well known fact that Hal accessed the
private moderation lounges, and then revealed the moderators' names
publicly. According to a letter sent to the ED from David Quinn, Hal
originally accessed the private lounge by using the log-in credentials
of his friend in the FOC. When publicly questioned, Hal originally
stated that he was authorized to access the lounge with Bill Hall's
approval, but later denied this, and reversed his tune again after the
election.

Even worse, Hal Bogner accessed a private complaint from one of our
members that we serve, and he then propagated it around to his
friends. This nearly became a serious legal issue. You can't ask a
fellow member to complain to the USCF representatives when you know
that your complaint might go public and be
spread all over the net. Hal's continued access, and the lack of
accountability by the ED caused a huge issue with the effectiveness of
the FOC and moderation teams as we did not know who to trust.
Ramifications to the effectiveness of the FOC and moderators are
continuing to this day. I wish that we could limit this issue to Hal
Bogner, but the Executive Director is involved in this too.

When discussing this issue with Bill Hall, I asked Bill bluntly about
Hal Bogner's prior access as it is a related confidentiality issue. I
let him know that four of my friends and colleagues stated to me
privately that they all called Bill and asked him if he gave Bogner
access. Bill denied this. However, for approximately four months, a
few of us asked Bill to state this publicly. Bill said nothing. When I
talked to Bill last week, I pointed this out, and really put Bill on
the spot: did you, or didn't you, authorize Hal? Bill fumbled around a
bit, and then stated that 'Hal informed me that he had access to the
FOC lounge by using another FOC member's log-in, and asked if he should
report anything that might be wrong, and I said yes... Hal framed the
question in such a way to have plausible deniability.'

It is not my intent to cause long term harm to the USCF. I could have sued
for an invasion of privacy, or taken this matter public immediately,
but instead chose to try to solve the issue in-house. Unfortunately,
other than two EB board members, this issue has been ignored.
Therefore, it is my intent to release this information so the members
can be forewarned regarding the right to the choice of privacy of
their own discussions, and to highlight what the Executive Director
thinks about our right to privacy. The USCF is primarily a democratic
institution; however slowly, we the members have the ability to make
change. We can petition the Executive Board members or the Delegates,
and make sure that the organization cares about our privacy and their
representatives to not threaten legal action against a member that is
raising the issue internally. To conclude, it is my desire that the
processes that allowed the confidentiality breaches to occur in the
first place be changed, and training and awareness, along with
accountability is assured to respect our right to confidentiality.

Thank-you for your time,

Gregory Alexander



 
Date: 25 Sep 2007 19:22:22
From: Ray Gordon, creator of the "pivot"
Subject: I am being impersonated again.

"Ray Gordon, creator of the pivot"

did not write either of the two previous posts.

The REAL Ray Gordon posts through pghconnect.com and a Comcast IP address.


--
Ray Gordon, The ORIGINAL Lifestyle Seduction Guru
http://www.cybersheet.com/seduction.html
Limit of TEN students. Act now!

For older free material that is now mainstream:
http://www.cybersheet.com/library.html
Includes 29 Reasons Not To Be A Nice Guy

Don't rely on overexposed, mass-marketed commercial seduction methods which
have been rendered worthless through mainstream media exposure. It really
is game over for community material.

http://moderncaveman.typepad.com
The Official Ray Gordon Blog




  
Date: 26 Sep 2007 10:10:49
From:
Subject: Re: I am being impersonated again.



Ray Gordon, creator of the "pivot" wrote:
>
>"Ray Gordon, creator of the pivot"
>
>did not write either of the two previous posts.
>
>The REAL Ray Gordon posts through pghconnect.com and a Comcast IP address.

You choose to be a victim by not PGP/GPG signing your posts.




 
Date: 25 Sep 2007 14:39:29
From: Ray Gordon, creator of the pivot
Subject: Did Hal Bogner and Brian Mottorshead hack USCF members' accounts?
Is it possible for these 2 crooks to hack into the USCF computers?
Does this mean that Hal Bogner will do the same with customers of
ChessMagnetSchool.com? Can they steal members' credit card information
and rob them?

Does anyone know the answer?