Date: 25 Sep 2007 14:38:26
From: Ray Gordon, creator of the pivot
Subject: Did Hal Bogner and Brian Mottorshead hack USCF members' accounts?
Is it possible for these 2 crooks to hack into the USCF computers? Does this mean that Hal Bogner will do the same with customers of ChessMagnetSchool.com? Can they steal members' credit card information and rob them? Does anyone know the answer?
Date: 25 Sep 2007 20:59:03
From: Ray Gordon, creator of the pivot
Subject: Re: Did Hal Bogner and Brian Mottorshead hack USCF members' accounts?
On 25 Sep, 16:39, "Ray Gordon, creator of the pivot" <[email protected]> wrote:
> Is it possible for these 2 crooks to hack into the USCF computers?
> Does this mean that Hal Bogner will do the same with customers of
> ChessMagnetSchool.com? Can they steal members' credit card information
> and rob them?
>
> Does anyone know the answer?

There is a pattern of confidentiality breaches within the USCF. The pattern starts from the top, and it is filtered down to at least two developers, who have both admitted to logging in as someone else and accessing our personal accounts. Two confidentiality issues occurred to me personally that affected the ability to perform as a volunteer, and Bill Hall constantly ignored them. Unfortunately, there are individuals within the USCF that do not like criticism, and once a whistle blower has made an internal complaint, lawsuits are threatened after the complaint. We should all be aware of how the USCF treats our privacy and how they resolve an internal complaint.

I am a web developer, and a frequent visitor to the USCF Forums. I also moderated this forum for several months during a contentious election season; currently I am the USCF College Chess Associate Chair, and developed and maintain the college chess league site (http://www.collegechess.org). I have worked hard, and just received notification that I was nominated as the USCF Volunteer of the Month. However, in my extensive dealings with the USCF, I have witnessed confidentiality breaches and I have grave concerns on how they handle our confidentiality.

Please read on and try to imagine the following. In September, a new website was released. You look at it, and find a ton of bugs. You sit for a few days, look again, and decide to write a thread titled 'I am not impressed with the site'. In this thread, you annotate many bugs; the Interim System Administrator does not like your negative comments, nor does the head website developer, and they start attacking your comments. You post anyway, and just posted that there may be a problem with the Private Messaging functionality, and start to write another long post. You hit the submit button, and notice that you are suddenly logged out of the site. You ask your friends via email if they are still on; the answer is yes, and after several hours of not being able to log on, you complain using the site.

Now, after reporting the incident, imagine reading the following response:

"Gregory reported two problems in the forum regarding his account, and was making a big fuss. Squeaky wheel getting the grease. I did not ask Gregory for permission to log into his account... (but) sent him a PM to let him know that I was temporarily substituting my password for his on the account so that I could log in as him... This was a notice, not a request for permission, sent as a courtesy in order to avoid any more inconvenience to him than necessary... When working on the latter, I went to (Gregory's) PM section of the User Control Panel, but I did not open any of the PMs. I then logged out, and reset the password back to his original password, or at least I believed I had done so... Because the passwords are encrypted, one cannot simply look up the password in the database and log in with it. You have to go through the process of saving the user's encrypted password aside, replacing it with a known password, encrypted, and then logging in with the known password, later on restoring the original password. In this particular case, because it was about 2AM and I was tired, I made a mistake when restoring the password, so in the morning when Gregory tried to login, he could not. The password was not correct.... Anybody working on the forums, as I have, has access to the forums database, which contains personal messages and the content of hidden private forums... If I had wanted to read your PM's, I did not need to log into your account, or tell you that I was doing so. I have access to every PM in the entire database along with everything else. I could have read every PM you have at any time in the last two and a half months without telling you or anybody else. The same goes for every other PM of every other user in the forums. However, if there is any further public suggestion or implication that my conduct was in any way improper, unethical, or unprofessional, or there is any other aspersion cast on my professional reputation, then this will become a matter involving lawyers, and, potentially, courts. Sincerely, Brian Mottershead"

These are real quotes from the Interim System Administrator, taken from three letters. Are you a bit chilled regarding your privacy? Read on, it gets worse.

Some may say that I must not care about confidentiality as I am revealing the contents of emails; however, Brian is acting on behalf of the USCF as the Interim Systems Administrator. The email goes into detail about how my account was accessed; nothing in the emails is personal. Hypothetically speaking: if I write an email to Acme credit card services, and ask them why they charged me for not using the credit card for a year, and they respond, I have a right to take it public, right? This is the same hypothetical situation that happened at the USCF. However, the email that you read from Brian is not hypothetical at all. It is real.

Before continuing, I would like to comment upon the Interim System Administrator's points. First, in over 20 years in this business, I have never looked at anyone's email or private messages. The forum software that we are using, phpBB3, makes sure that the password is encrypted to prevent the developer from gaining access to a user's account. This design choice is intentional, to discourage developers from getting the user's log-in credentials. I did not even think that Brian's tactic to access my account was possible; in fact, I never thought of any way to access someone's account at all. Even if I possess the keys to the database, I am not going to try to figure it out. IMO, it is not the right thing to do from an ethical standpoint.

Even when I ask someone to volunteer to help on my own college chess site, I am very careful to give them a quick lecture on privacy. I clearly state that under no circumstance should you look at anyone's messages unless given consent, and we must ensure that our customers have the right to privacy. I am uncomfortable lecturing someone that I trust, especially when I just asked them for help; however, I state it very clearly before I give anyone access. Good development processes require that the senior developer take the time to review basic privacy policies, and will often use development techniques to limit database access. All developers that have full access should have been very well trained on what they can do and what they can't. Unless required to by law, no one has the right to read other persons' private discussions without the person's explicit consent.

Brian has stated in the past that he 'just logged in to try to fix a problem'. However, there is no reason for him to access my private messages to find the problem. The private messages are created by a single common phpBB3 template. From a technical standpoint, the template processes the same exact logic regardless of whose account it is. The fact of the matter is that Brian and I were in heated exchanges in the forums when this took place, and then I was booted out and he looked into my private message folder. Yes, Brian discovered a clever way to circumvent the phpBB3 encryption system, but even so, he had no reason to log in as me even if he was trying to 'just fix my account'.

This is really not about Brian per se; it is about bad USCF policy, and having management and some senior programmers that have a long track record of violating confidentiality. Also, the official USCF response (and lack of it) to this incident concerns me. I took this in-house and tried to settle it internally. Instead of being formally apologized to, I was harassed for reporting it.

Finally, it was not I that broke confidentiality. That distinction belongs to the head developer of the USCF, Hal Bogner. Here is a letter dated 9/16/2007 from the Head Developer, Hal Bogner:

"Important Note: This is a confidential email, and is not to be shared outside of the recipients or other board members, with equal attention to confidentiality..."

Followed up with:

"Gregory: I demand that you immediately cease and desist from posting or sending by email or otherwise expressing any and all derogatory remarks concerning myself, my clients, my partners, my colleagues, my associates, and/or my fellow volunteers, except of course those that are true and that are clearly supported by publicly available facts. I likewise demand that you remove and/or retract all such postings and that you retract all such email statements. Any further references to allegations you wish to make towards me will be answered by attorneys, and any harm to the reputations of myself, partners, colleagues, associates, and/or fellow volunteers may become the subject of a lawsuit... Sincerely, Hal Bogner"

Even though Hal clearly stated that this matter was confidential, a few days later Hal posted this in the USCF Issues forum:

"On Saturday night, Gregory had a problem... the development team (and now, the USCF executive board) saw the rather paranoid message he sent us in the middle of the night... He wrote to the development team, with cc's to three people: the USCF president, the USCF executive director, and his boss at chessdiscussion.com. I've been wondering about why he chose that particular USCF executive board member to include, without also cc'ing the remaining five members, too. I, for one, would really appreciate an apology from Gregory, both for his erroneous assertions in this matter, and for past misrepresentations regarding me, and also regarding my separate web site operation, Chess Magnet School, too. Hal Bogner [email protected] http://www.ChessMagnetSchool.com"

It seems like Hal chose to forget that he expressed confidentiality. There are serious concerns regarding Hal's past regarding confidentiality. Ask anyone on the FOC or moderation teams how Hal compromised their confidentiality. Privately, I am sure that most will agree that on many occasions Hal violated our privacy (I was a moderator at the time). Bill Hall originally set up the moderators to be private. However, it is a well known fact that Hal accessed the private moderation lounges, and then revealed the moderators' names publicly. According to a letter sent to the ED from David Quinn, Hal originally accessed the private lounge by using the log-in credentials of his friend in the FOC. When publicly questioned, Hal originally stated that he was authorized to access the lounge with Bill Hall's approval, but later denied this, and reversed his tune again after the election.

Even worse, Hal Bogner accessed a private complaint from one of our members that we serve, and he then propagated it around to his friends. This nearly became a serious legal issue. You can't ask a fellow member to complain to the USCF representatives when you know that your complaint might go public and be spread all over the net. Hal's continued access, and the lack of accountability by the ED, caused a huge issue with the effectiveness of the FOC and moderation teams as we did not know who to trust. Ramifications to the effectiveness of the FOC and moderators are continuing to this day.

I wish that we could limit this issue to Hal Bogner, but the Executive Director is involved in this too. When discussing this issue with Bill Hall, I asked Bill bluntly about Hal Bogner's prior access as it is a related confidentiality issue. I let him know that four of my friends and colleagues stated to me privately that they all called Bill and asked him if he gave Bogner access. Bill denied this. However, for approximately four months, a few of us asked Bill to state this publicly. Bill said nothing. When I talked to Bill last week, I pointed this out, and really put Bill on the spot: did you, or didn't you, authorize Hal? Bill fumbled around a bit, and then stated that 'Hal informed me that he had access to the FOC lounge by using another FOC member's log-in, and asked if he should report anything that might be wrong, and I said yes... Hal framed the question in such a way to have plausible deniability.'

It is not my intent to cause long term harm to the USCF. I could have sued for an invasion of privacy, or taken this matter public immediately, but instead chose to try to solve the issue in-house. Unfortunately, other than two EB board members, this issue has been ignored. Therefore, it is my intent to release this information so the members can be forewarned regarding the right to the choice of privacy of their own discussions, and to highlight what the Executive Director thinks about our right to privacy. The USCF is primarily a democratic institution; however slowly, we the members have the ability to make change. We can petition the Executive Board members or the Delegates, and make sure that the organization cares about our privacy and that their representatives do not threaten legal action against a member that is raising the issue internally.

To conclude, it is my desire that the processes that allowed the confidentiality breaches to occur in the first place be changed, and that training and awareness, along with accountability, are assured to respect our right to confidentiality. Thank you for your time, Gregory Alexander
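As an added example (not code from this thread, from the USCF, or from phpBB), here is the detection side of the hash-swap pattern the quoted administrator describes: an audit log of changes to the stored password hash, checked for rewrites that did not come from the application itself and for "restores" that did not put the original hash back. It assumes a database trigger on phpBB3's phpbb_users.user_password column writes one record per change and that a single database account (the assumed name phpbb_app) is the only one expected to rewrite hashes; the log records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class HashChange:
    # one audit record per UPDATE of phpbb_users.user_password (assumed trigger)
    user_id: int
    old_hash: str
    new_hash: str
    changed_by: str  # database account that issued the UPDATE
    ts: int          # unix timestamp of the change


APP_ACCOUNT = "phpbb_app"  # assumed: the only account that should rewrite hashes

# Constructed sample log (not real data): user 7 changes their own password
# through the application; user 42 has a known hash swapped in by a human
# account and then "restored" to a hash that differs from the original (the
# lockout symptom reported above); user 9 is swapped and restored exactly.
SAMPLE_LOG = [
    HashChange(7, "$H$orig7", "$H$new7", APP_ACCOUNT, 1000),
    HashChange(42, "$H$orig42", "$H$known", "dba_login", 2000),
    HashChange(42, "$H$known", "$H$orig42_typo", "dba_login", 2300),
    HashChange(9, "$H$orig9", "$H$known", "dba_login", 3000),
    HashChange(9, "$H$known", "$H$orig9", "dba_login", 3100),
]


def find_hash_swaps(log):
    """Flag every password-hash change not issued by the application account.

    One finding per affected user: which accounts made the changes, how many
    there were, and whether the final hash equals the hash seen before the
    first tampering. Even an exact restore is an account takeover; a
    non-restore additionally leaves the user locked out.
    """
    by_user = defaultdict(list)
    for rec in sorted(log, key=lambda r: r.ts):
        if rec.changed_by != APP_ACCOUNT:
            by_user[rec.user_id].append(rec)
    findings = []
    for uid, recs in sorted(by_user.items()):
        findings.append({
            "user_id": uid,
            "changed_by": sorted({r.changed_by for r in recs}),
            "changes": len(recs),
            "restored_exactly": len(recs) > 1 and recs[-1].new_hash == recs[0].old_hash,
        })
    return findings
```

Running `find_hash_swaps(SAMPLE_LOG)` reports users 9 and 42 and leaves user 7 alone; the same check works on any hash-change log with those five fields.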
Date: 25 Sep 2007 19:22:22
From: Ray Gordon, creator of the "pivot"
Subject: I am being impersonated again.
"Ray Gordon, creator of the pivot" did not write either of the two previous posts. The REAL Ray Gordon posts through pghconnect.com and a Comcast IP address.

--
Ray Gordon, The ORIGINAL Lifestyle Seduction Guru
http://www.cybersheet.com/seduction.html
Limit of TEN students. Act now!
For older free material that is now mainstream: http://www.cybersheet.com/library.html
Includes 29 Reasons Not To Be A Nice Guy
Don't rely on overexposed, mass-marketed commercial seduction methods which have been rendered worthless through mainstream media exposure. It really is game over for community material.
http://moderncaveman.typepad.com The Official Ray Gordon Blog
Date: 26 Sep 2007 10:10:49
From:
Subject: Re: I am being impersonated again.
Ray Gordon, creator of the "pivot" wrote:
> "Ray Gordon, creator of the pivot"
> did not write either of the two previous posts.
> The REAL Ray Gordon posts through pghconnect.com and a Comcast IP address.

You choose to be a victim by not PGP/GPG signing your posts.
Date: 25 Sep 2007 14:39:29
From: Ray Gordon, creator of the pivot
Subject: Did Hal Bogner and Brian Mottorshead hack USCF members' accounts?
Is it possible for these 2 crooks to hack into the USCF computers? Does this mean that Hal Bogner will do the same with customers of ChessMagnetSchool.com? Can they steal members' credit card information and rob them? Does anyone know the answer?