What Thunderf00t did, and how.

By now, I’m certain you’ve read Phil Mason’s, AKA Thunderf00t’s, confession about how he’s done exactly what people have accused him of: accessing the back channel after being kicked off the blog.

He spins himself as a whistleblower about vast conspiracies within Freethought Blogs, how we’re looking to destroy people’s careers every time we commiserate with one another about someone who’s aggrieved us. How this back channel operates like a “clique” where achievements are lauded, messages amplified, and disagreements mocked mercilessly. In other words, it’s a social club for people who choose to participate, to help spread collegiality amongst our bloggers and support one another when under attack. As such, considering that many of these private thoughts are not fights we wish to pick publicly and how Thunderf00t now controls what fights we have with whom because of misplaced trust in what happened to be a compromised listserv, Thunderf00t now gets to control much of the dialog of this blog network.

How very conspiratorial.

You’ve probably also heard that he “doesn’t Doc Drop” in the same post where he violates several folks’ privacy in ways that amount to logistical hair-splitting — and worse yet, we have only his word to go on that he’ll take pains to protect the identity of those pseudonymous bloggers among us who have everything to lose. His word that he’s a good guy, all while he’s engaging in other gross violations of trust.

There are lots of reasons why people had every expectation that the FtB back channel was private, which Greta itemizes. Ashley weighs in on the issue out of pure outrage for the very real personal danger that Natalie Reed is in as a result of an accidental or intentional leak of her personal information, to the point where she’s put off of the atheist movement altogether. Stephanie deconstructs his chosen frame, given that Wikileaks this ain’t. And Zinnia is agog at the sheer disrespect for the very concept of privacy.

I helped Matt, our webmaster, investigate the breach. I will have to, by necessity, describe exactly what went wrong and why.

Server-side, we (up until recently) used a program called Mailman to handle the mailing list functionality for our server. It is a very mature codebase, with no if any known technical exploits for the version we were using. Configuration and security, however, is another story.

Mailman apparently never expires an invitation ticket — once you’re invited to a mailing list, the original email you receive asking for your confirmation allows you to log back in and thus rejoin if you’re ever kicked off. This produces no confirmation email to the administration under the default settings. This is probably by design, or a design oversight — Mailman was likely always intended to run mail lists that were free to join and leave, and only secondarily running private invite-only lists.

Thunderf00t was added with the batch of Youtube vloggers we brought on board:

Jun 07 11:07:01 2012 (23765) [list addy]: new [Thunderf00t’s Hotmail address], admin mass sub

When Thunderf00t was booted from the network, Ed got email confirmation that he was removed. Thunderf00t would have gotten a message saying he’d been unsubscribed. The logs also show it:

Jul 01 09:46:54 2012 (7837) [list addy]: deleted [Thunderf00t’s Hotmail address]; member mgt page

But they show more.

Jul 01 09:53:03 2012 (8689) [list addy]: pending [Thunderf00t’s Hotmail address] 78.80.[xxx.xxx — IP resolving to Czech Republic, either he was there or using a Tor proxy]
Jul 01 09:53:31 2012 (8716) [list addy]: new [Thunderf00t’s Hotmail address], via web confirmation

Less than ten minutes after he was booted from the mailing list he rejoined using the original auth ticket, and none of us were the wiser.

A month later, we were tipped off that he’d been leaking emails from our list to people in our community, stirring up shit that we simply hadn’t been publicly stirring up ourselves. We immediately started pursuing legal advice on the matter, and Matt booted him and changed the settings so all list changes had to be directly approved by an administrator even with a valid invite ticket.

Aug 02 18:10:38 2012 (12417) [list addy]: deleted [Thunderf00t’s Hotmail address]; member mgt page

The logs show that he immediately attempted to get back on again:

Aug 02 18:19:46 2012 (13060) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:20:51 2012 (13133) Reminder attempt of non-member w/ private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:21:52 2012 (13212) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:22:42 2012 (13266) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:30:10 2012 (13841) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:33:02 2012 (13976) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:35:31 2012 (14100) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:36:09 2012 (14150) Reminder attempt of non-member w/ private rosters: [Thunderf00t’s Hotmail address]

The reminder attempt log lines are instances of him attempting to use the password reminder form to get back in, assuming we’d locked him a different way than just deleting his account again. Ed would have been prompted to let him in if he’d actually requested directly, via the option to “join the list” on the Mailman page, and to my knowledge he didn’t try that — he only tried the easier options that were less likely to trigger repercussions. I cannot ascribe motivations on this, but it seems fairly self-evident why he wouldn’t directly ask to be let back on.

The log files show the date and time of the very last email our mail server sent to Thunderf00t:

2012-08-02 18:10:39 1Sx6PX-0003EI-MH < = [FtB’s postmaster address] H=localhost (dev.freethoughtblogs.com) [::1]:51819 P=esmtp S=985 id=mailman.0.1343956238.12417.[old FtB list address] T=”You have been unsubscribed from the Freethoughtbloggers mailing list” for [Thunderf00t’s Hotmail address]

So he’s off the list again. This time for good. We’re not even using that software any more, so I feel relatively safe in explaining all this.

Update: See also Ed’s statement on the matter, and PZ’s.

Update 2: Charly posted the following below:

As further evidence that this is real I can attest, that Thundef00t was indeed in Czech Republic. I have first hand information from admin of czech atheist organization website, that he and some other czech atheist activists met Thuindef00t in Prague.

Additionally, I’m putting a strict moratorium on speculation about legal actions. While there are possible routes of action FtB can take, we have not yet squared away all of this with the lawyer we apparently have on retainer for this issue. I’ve told you everything I can, and will not post unexpurgated logs publicly both out of respect for Thunderf00t’s privacy and for the potentiality of messing with any future legal remedies we may or may not attempt.

{advertisement}
What Thunderf00t did, and how.
{advertisement}

135 thoughts on “What Thunderf00t did, and how.

  1. 101

    Setar, what whistle blowing statutes have anything to with theft? What possible cause of action could the writer of a letter have against a party who encountered that letter on the floor and used the information contained theirin? And in what juisdiction could an insinuation of a true fact ( that the speaker knew what someone else had said) support a claim of defamation?

  2. 102

    “He spins himself as a whistleblower about vast conspiracies within Freethought Blogs, how we’re looking to destroy people’s careers every time we commiserate with one another about someone who’s aggrieved us. How this back channel operates like a “clique” where achievements are lauded, messages amplified, and disagreements mocked mercilessly. In other words, it’s a social club for people who choose to participate, to help spread collegiality amongst our bloggers and support one another when under attack”

    All true. Who gives a shit that you morons are too dumb to have an invitation expire? You deserved to be exposed. You are an embarrassment. Keep rolling around in your blog fanboy pigshit though, cries of privacy violation won’t shield you from the spotlight. Only rats are afraid of the light

  3. 103

    @FREE BORF #102:
    ~You deserve whatever happens to you; laws and ethics don’t apply.~
    Does not follow from
    ~I don’t like you.~
     

    Only rats are afraid of the light

    ‘Light’ woul also include misrepresentative quote mining or outing someone who was closeted to avoid being targeted by bigots.
    Anyone who doesn’t want that deserves to be dehumanized, right?

  4. 104

    Yep. Thunderf00t is a detestable, underhanded cad for “hacking” into an email server he didn’t have permission to access, but PZ is a hero for “hacking” into a phone conference with a code he didn’t have permission to use. Makes perfect sense.

  5. 107

    I find this whole thing pretty tiresome, & consider it to be something of a cross between a Witchunt & schism within the community. I assumed that because i myself was Atheist & got involved (in whatever small way) in the whole thing because of said Atheism that everyone felt the same. So if people who never really were that interested that much by Atheism want to now leave the movement or have nothing more to do with it, why does anyone even care? The self importance of people is amazing to me. I’m not a fan of TF, i don’t think he can debate, i think he comes across as socially inept & appears to be somewhat of a pseudo intellectual, but he was treated shabbily by FTB. He hasn’t done the right thing re; the private eMails but (again) i can understand why he did it, especially when some people want to throw him off the gravy train that the so-called “Top Atheists” have made for themselves with free travel around the world, where they get to speak at some conference or whatever. Ms Watson & her Ilk have achieved a lot, you should all be so proud at the outcome. I’m only a normal Atheist so what i have to say probably doesn’t count for much, me not being clevver & all, but i’m going to say it anyway. I’m going back to r/atheism, you get a better class of person there & i expect we can all agree on one thing now, “Good riddance”!

  6. 108

    I find this whole thing pretty tiresome, & consider it to be something of a cross between a Witchunt(sic) & schism within the community.

    Please explain the what you mean; in your analogy, who is the “witch” that’s being “hunted?”

    So if people who never really were that interested that much by Atheism want to now leave the movement or have nothing more to do with it, why does anyone even care?

    You are betraying your ignorance of what has actually happened here. No one is threatening to “leave the movement or have nothing more to do with it” because they “never really were that interested that much by Atheism,” again, who are you talking about here?

    The self importance of people is amazing to me.

    Which people? Be specific. Who are you trying to insult here?

    …but [TF] was treated shabbily by FTB.

    How so? Again, be specific and show your work.

    …i can understand why he did it, especially when some people want to throw him off the gravy train that the so-called “Top Atheists” have made for themselves with free travel around the world, where they get to speak at some conference or whatever.

    Is that the same “some people” whose self-importance is so amazing to you? Further, where are you getting this? Why do you think participation on a blog entitles anyone to “free travel around the world, where they get to speak at some conference or whatever?”

    Was it your intent to come here, lob a few transparently ignorant verbal grenades and then beat a hasty (and cowardly) retreat to r/atheism or do you at least have enough integrity to explain yourself inasmuch as who it is you’re trying to malign here and why?

  7. 111

    Thunderf00t is my hero. Very few people in this world are willing to put their asses on the line to stand up for others lie, break the law and lie some more all to cover his own ass, because he’s a whiny crybaby that the smart kids don’t want to play with.

    FTFY, diddums!

  8. 112

    Thunderf00t is my hero. Very few people in this world are willing to put their asses on the line to stand up for others.

    Kinda funny and ironic considering that it was his failure to “stand up for” some of the women that are part of the community to which he tried to ingratiate himself that ultimately led to his ass being on the line…

  9. 113

    Thunderf00t is my hero. Very few people in this world are willing to put their asses on the line to stand up for others.

    I don’t see the relationship between these two sentences.

  10. 114

    Zendo:

    Thunderf00t is my hero. Very few people in this world are willing to put their asses on the line to stand up for others.

    Your hero is a sexist, racist, douchebag. Are you sure want to idolize that?
    Oh, and his release of private information to third parties is incredibly unethical and could potentially hurt various anonymous bloggers. That’s something you’re idolizing?
    If that’s your idea of a hero, I don’t think this is the place for you.

  11. 115

    Borf:

    Keep rolling around in your blog fanboy pigshit though, cries of privacy violation won’t shield you from the spotlight. Only rats are afraid of the light

    I guess it would be no big deal if one of the anonymous bloggers used their real name in the back channel, only to have that released to a third party by Thunderf00t, huh? Have you thought through the very real consequences that could follow from Thunderf00t’s unethical actions? Or are you too busy basking in the glow of his magnificence to think rationally?

  12. 116

    Setar:

    Since it is not a crime for others to say horrible things about you, this action would not be protected under whistleblowing laws and thus, yes, you could be prosecuted for theft. That being said, it is far more likely that you would simply end up facing a lawsuit.

    I find it sad that TF’s defenders seem to think the only thing discussed in these emails/back channel is Thunderf00t. It’s as if they can’t conceive of the FtB bloggers chatting about something completely unrelated that they wish to remain private.

  13. 121

    […] Here’s another good example of bullying. For the record, this one resulted in one FtB blogger fearing for her own safety (oh, BTW… she is someone who is unsure of A+… and most of us over at A+ respect that, because her criticisms are legitimate and not couched in… well… bullying). I actually wrote my own blog post on this issue, too. […]

  14. 123

    I don’t think Thunderf00t was actively trying to get back in.
    All those logs seem to show is a mail application that is trying to do what it normally does : check for mail. It will keep doing that until it’s told not to but Thunderf00t isn’t monitoring the software all the time (that would be silly!) so of course there were attempts to connect.

    I’m willing to bet that much of these unsavory escallations were due to misunderstandings upon misunderstandings upon misunderstanding.

    Has there been a drop in ethics and unprofessionalism at some point? I bet there was, and you can’t turn back the clock and undo them but it is still important for people to recognise at some point that it takes more than one party to get into a ‘vicious circle’ like this. I don’t buy it for one second that Thunderf00t is the only meany in this story. Ego’s have clashed and innocent people got hurt. That’s life , kids. Now grow up. The lot of you.

  15. 124

    ps: trying to ‘reconnect with the list’ would only be a bad thing if ThunderF00t was aware that he was kicked off intentionally.

    If I found that I suddenly could not connect anymore to a Mailing list then I would do the same thing he did (with no harm intended) : look up the original mail and try to reconnect. It’s not persé an attempt to ‘hack’ his way back in. He possibly thought that something accidentally went bad with the IT behind the MailServer and simply did what he had done the first time to connect with it.
    … or not… but I hope you’ve considered that possibility.

  16. 125

    We have considered it, and considered that possibility very wanting. This is because he was informed that he was being kicked out of the blog, he received an unsubscribe notification from the back channel, and immediately rejoined (within fifteen minutes). He knew. He KNEW he was kicked out. Attempts to suggest otherwise are ridiculous.

  17. 126

    Are you guys for real? You invite him on your so-called “FreeThoughtBlog”, then kick him out a week later, supposedly because of his writing skills and argument style, as if you wouldn’t know that already with all the stuff he’s done… And then, when he gets some info on how freaking hypocritical you guys are, how you all pat yourself in the back for being so great and denigrating other people who don’t think like you, you set off to descredit him completely… ya, makes complete sense. If what your talking about in private on that mailing list is so bad as to have repercussion in your everyday life.. i can only imagine what kind of stuff you guys are talking about… we got a glimpse of it anyway, so ya i guess i’d be worried too in your situation.

    All the other stuff you’re throwing out there is just a smoke show to avoid the real issue (he didn’t agree with you and you didn’t like it) guess you’ve learn some good “avoiding the point” tatics from debating all those creationists. Kinda weird seeing you use their methods, but I guess anybody would do the same when lacking an actual good reason for his actions. It shows in the comments also… (ya i know, i’m not welcome here for thinking that yadiyadiyada. so much for free thoughts. Don’t worry, I won’t be back.)

  18. 129

    Thunderf00t simply clicked a bloody href in an email form.

    He did this 6 times.

    He broke no laws.

    Accusing him as such to the level it’s been taken here is, IMHO, deformation.

  19. 132

    You people are an insult to the atheist community as a whole. Cry all you want, but we still have the right to free speech and I can offend anyone I like. Poor Babies can’t take fair criticism, you slimy sexist whiners.

    If this comment is removed it only proves me point.

    Cry Babies.

  20. 133

    Ah, the “if you don’t publish this it proves my point” gambit. Special. Unique. Only used by true vanguards of Free Speech, which apparently means “freedom to say anything to anyone ever without any consequences”. How dare WE criticize YOU for saying douchetastic nonsense? How dare WE criticize YOU for being intentionally offensive and demonstrably antisocial? OUR speech is not free, but YOURS IS.

    I just want to scruff your wee head and tell you to run along and eat your pudding cup.

Comments are closed.