Weeeell, Tick Tock Tommy didn't want to reply. Total silence. So we have to form our own conclusions.
(corrected as new info comes in)
8:04 PM: Lisa Loving solicits help on facebook to hack a blog
12:27 PM Lisa Loving outs Richard/Winston Smith for reporting her attempt to solicit hacking services from a kid
Jun 21 FRI
9:58 AM Lisa Loving goes on rampage, sending an email accusing Hadrian of being behind the "yellow blog"
June 22 SAT
8:46 AM: Lisa Loving continues rampage, sending an email accusing Ben Hoyne of being behind the "yellow blog".
12:21 AM: In part of an email received by blog contact, Tom Hood is mentioned as possibly sharing his audio of board meeting:
Tom Hood had a better set up and didn't rely on battery power. I am pressing for his recording to be posted to KBOO's fragile website soon. Based on the fact that a board member I trust already has possession of this audio, I assume that this will happen soon.
Aug 9 FRI
9:50 AM: Time Tom Hood claims his account was hacked
9:52 AM: An email with the subject: TRANSACTION CONFIRMATION is sent from Tom Hood's account to multiple people including Hadrian and at least a couple of others who have been attacked by the "Inner party". It contains a link to a phishing file hosted at http://drivesdocs.freehostingchamp.com/ with the words:
CLICK HERE to view the important document I uploaded for you.
Clicking on the link directs to a fake Google docs login page.
10:15 AM: A recipient receives the suspicious email and queries Tom about it
10:20 AMish: Tom Hood replies to query
1:01 PM: Hadrian sees and opens email; queries Tom about suspicious contents
7:31 PM: Tom sends reply to Hadrian claiming his account was hacked at 9:50 AM
Aug 10 SAT
11:09 AM Hadrian warns readers of phishing file going around that might be playing on expectation of receiving audio of last board meeting.
12:05 PM: Forward of file received by blog contact email. By this time the phish file returns an error instead of the reported login page
10:31 PM: http://drivesdocs.freehostingchamp.com/ reported by Hadrian to host
Aug 11 SUN
9:13 AM: Hadrian reports http://drivesdocs.freehostingchamp.com/ suspended by host
10:07 AM Theresa Mitchell's blog savekboo.org gets hit with extreme trolling for lulz
11:44AM: Indymedia article reporting the Phishing attempt appears called "Keep KBOO KBOO fraudulent, dangerous to KBOO"
1:26 PM: By this time Indymedia article is deleted
2:30ish : Reportedly Tom Hood is sent email to come clean. Soon after Conser is reportedly emailed through KBOO.fm contact page.
3:30 PM: Theresa Mitchell might be blocking visitors by IP address
4:00 PMish more reports from people who received phishing email
Aug 12 MON
10:20 AM: Phishing expedition reported to Department of Homeland Security's National Cybersecurity and Communications Integration Center and their United States Computer Emergency Readiness Team.
Aug 13 TUE
10:43 AM Hadrian emails Tom Hood the phishing incident has been reported to multiple agencies, requesting his help:
"As you see, I take illegal actions such as this seriously. Any information you can provide about this incident would be helpful in protecting the people who were targeted by this attack."
10:46 AM: confirmation of US-CERT report received: incident number
2:00 PM Phishing incident reported to Oregon Department of Justice
2:24 PM Incident reported to FCC
4:00AMish Trolling of Facebook pages and profiles begins, including "Committee to Keep KBOO KBOO": https://www.facebook.com/KeepKBOO
The headers tell their own tale. All IP addresses are private, probably Google Gmail routers. A couple are identical in both emails, implying they were sent from the same location. Even a hacker using Tom's email should show a different location.
This is not a spoof. A spoof is an email apparently sent from one account, but really from another. This was sent from Tom's account. The headers imply that Tom never lost control of his account.
Header of 1st email:
Delivered-To: xxxxxx@xxxxxx
Received: by 10.70.129.226 with SMTP id nz2csp91964pdb; Fri, 9 Aug 2013 09:53:01 -0700 (PDT)
Return-Path: <hood.quimbyxxxxxx>
Received-SPF: pass (google.com: domain of hood.quimby@xxxxxx designates 10.60.xxxxxx as permitted sender) client-ip=10.60.xxxxxx
Authentication-Results: mr.google.com; spf=pass (google.com: domain of hood.quimby@xxxxxx designates 10.60.xxxxxx as permitted sender) smtp.mail=hood.quimby@xxxxxx; dkim=pass firstname.lastname@example.org
X-Received: from mr.google.com ([10.60.xxxxxx]) by 10.60.140.168 with SMTP id rh8mr1280722oeb.76.1376067179971 (num_hops = 1); Fri, 09 Aug 2013 09:52:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=eu7X2gSfRZZddRQSHNF3K4i5MF7OtV+tOygFQIv6QmY=;
        b=Y1CqaiWpe2e1XpWkCm5qWD5/5mRBCHiXeLoJ3nYHmOWHL0Xn8VSOwFVhViJUzswlEn
         WEOTnMbeFGfOHq0mwn9To/PV/WjIRIJelv2a2jwBvEE6RKt1jOD/brHZj6ppJu4TzjXM
         YlLlRYnx0LbiSvwY4O2z5gzlKr/r46QQhItXtewg0nKDe4fh49mZmXit3Xf5VNFOLSBX
         BzFE43W6pShxzyeo8anrQoTxW5i7cTwRb+50F9ZojQJyQMiN0OX0iD4Nq1HHPS6sIqMW
         AyToieblsqLU14+EAEKOkRYMyXBrQWxXp1V2AohfeN3d9PUpCl5Vhj48Rnt7JrQRMiuq
         aTYg==
MIME-Version: 1.0
X-Received: by 10.60.xxxxxx with SMTP id rh8mr1280722oeb.76.1376067179964; Fri, 09 Aug 2013 09:52:59 -0700 (PDT)
Received: by 10.76.135.8 with HTTP; Fri, 9 Aug 2013 09:52:59 -0700 (PDT)
Date: Fri, 9 Aug 2013 09:52:59 -0700
Message-ID: <CANpciL+-y27vkfqnugUSmQY1rHb-7W4F5YY0p5mbAvS1UE5J_Q@mail.gmail.com>
Subject: TRANSACTION CONFIRMATION
From: Tom Hood <hood.quimby@xxxxxx>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=047d7b2e4c4672f63f04e3869b35
Bcc: xxxxxx@xxxxxx
Header of 2nd email (from "Real Tom")
Delivered-To: xxxxxx@xxxxxx
Received: by 10.182.88.234 with SMTP id bj10csp473obb; Fri, 9 Aug 2013 19:31:37 -0700 (PDT)
X-Received: by 10.60.61.115 with SMTP id o19mr2353818oer.85.1376101868035; Fri, 09 Aug 2013 19:31:08 -0700 (PDT)
Return-Path: <hood.quimby@xxxxxx>
Received: from mail-oa0-x244.google.com (mail-oa0-x244.google.com [2607:f8b0:4003:c02::244]) by mx.google.com with ESMTPS id nk8si10830982obb.37.2013.08.09.19.31.08 for <xxxxxx@xxxxxx> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 09 Aug 2013 19:31:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of hood.quimby@xxxxxx designates 2607:f8b0:4003:c02::244 as permitted sender) client-ip=2607:f8b0:4003:c02::244;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of hood.quimby@xxxxxx designates 2607:f8b0:4003:c02::244 as permitted sender) smtp.mail=hood.quimby@xxxxxx; dkim=pass email@example.com; dmarc=pass (p=NONE dis=NONE) d=gmail.com
Received: by mail-oa0-x244.google.com with SMTP id j6so2441312oag.11 for <xxxxxx@xxxxxx>; Fri, 09 Aug 2013 19:31:08 -0700 (PDT)
Return-Path: <hood.quimby@xxxxxx>
Received-SPF: pass (google.com: domain of hood.quimby@xxxxxx designates 10.60.xxxxxx as permitted sender) client-ip=10.60.xxxxxx
X-Received: from mr.google.com ([10.60.xxxxxx]) by 10.60.140.168 with SMTP id rh8mr2902280oeb.76.1376101866286 (num_hops = 1); Fri, 09 Aug 2013 19:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=AfyVNUEtoKL/78rN5icqP+ZgyN82xTJJVfDPHQLT+sc=;
        b=jFv3Gu1Z4KedeZ7d9LXkjFVE9vgZjKipV19o2/DjByojT7wbUoR3CRn+9dYZp7s3tZ
         67bykHvTC+i8cpzuAxVIUwTYFoUUTWBubyKbgI2GU8ogEOEaSLQtX0POB+m3V8xN5Guh
         79eBZIE3thUq4ZOBOY5VGisdpkwzcgnTZlOmrbWkLA6SgafTOrnMNv97bP3ZJZCKIs6s
         kPdGNG9QbST4u4A7BJta7czLxFuhYhxcfKyOoywystlpopZXF4nsl65UQjiJWSZpgUoX
         ctxjqlOLqI/2G+uIwhHjzO4iqklTnk6eZowORXn8hfZC+xYbTSqE20W6NrEjG6aDtVQN
         ACWA==
MIME-Version: 1.0
X-Received: by 10.60.xxxxxx with SMTP id rh8mr2902280oeb.76.1376101866281; Fri, 09 Aug 2013 19:31:06 -0700 (PDT)
Received: by 10.76.135.8 with HTTP; Fri, 9 Aug 2013 19:31:06 -0700 (PDT)
In-Reply-To: <CAChsR50tsrkC+XsAJ25NxhTjiRBXCFEA=5zEWxGtN14zN-VBkA@mail.gmail.com>
References: <CANpciL+-y27vkfqnugUSmQY1rHb-7W4F5YY0p5mbAvS1UE5J_Q@mail.gmail.com>
        <CAChsR50tsrkC+XsAJ25NxhTjiRBXCFEA=5zEWxGtN14zN-VBkA@mail.gmail.com>
Date: Fri, 9 Aug 2013 19:31:06 -0700
Message-ID: <CANpciLKnK=YE-MJ8JMtXJcRk6DyxeUms8+QJkBTRdwfvRc8YGg@mail.gmail.com>
Subject: Re: TRANSACTION CONFIRMATION
From: "hood.quimby" <hood.quimby@xxxxxx>
To: xxxxxx <xxxxxx@xxxxxx>
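One way to run the comparison described above, as an added Python example that is not part of the original post: it lists the relay addresses in each message's Received/X-Received headers, finds the ones both messages share, and reads the SPF/DKIM verdicts. The sample headers are constructed excerpts modelled on the two quoted above, with redacted fields replaced by the placeholder sender@example.com; the function names are illustrative.

```python
import email
import ipaddress
import re

# Constructed excerpts modelled on the two quoted headers; redacted fields
# are replaced with the placeholder address sender@example.com.
MSG1 = """\
Received: by 10.70.129.226 with SMTP id nz2csp91964pdb; Fri, 9 Aug 2013 09:53:01 -0700
Authentication-Results: mr.google.com; spf=pass smtp.mail=sender@example.com; dkim=pass
X-Received: by 10.60.140.168 with SMTP id rh8mr1280722oeb.76; Fri, 09 Aug 2013 09:52:59 -0700
Received: by 10.76.135.8 with HTTP; Fri, 9 Aug 2013 09:52:59 -0700

"""
MSG2 = """\
Received: by 10.182.88.234 with SMTP id bj10csp473obb; Fri, 9 Aug 2013 19:31:37 -0700
Received: from mail-oa0-x244.google.com ([2607:f8b0:4003:c02::244]) by mx.google.com with ESMTPS; Fri, 09 Aug 2013 19:31:08 -0700
Authentication-Results: mx.google.com; spf=pass smtp.mail=sender@example.com; dkim=pass; dmarc=pass
X-Received: by 10.60.140.168 with SMTP id rh8mr2902280oeb.76; Fri, 09 Aug 2013 19:31:06 -0700
Received: by 10.76.135.8 with HTTP; Fri, 9 Aug 2013 19:31:06 -0700

"""

def hops(raw):
    """Return (ip, protocol) for each Received/X-Received header, newest first."""
    out = []
    for name, value in email.message_from_string(raw).items():
        if name.lower() not in ("received", "x-received"):
            continue
        proto = re.search(r"\bwith (\w+)", value)
        for tok in re.findall(r"[0-9A-Fa-f:.]+", value.split(";")[0]):
            try:
                out.append((ipaddress.ip_address(tok.rstrip(".")),
                            proto.group(1) if proto else "?"))
            except ValueError:
                pass  # hostname fragment or number, not an address
    return out

def auth_results(raw):
    """Map spf/dkim/dmarc to the verdict in Authentication-Results."""
    value = email.message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))

def compare(raw_a, raw_b):
    """Summarise which relay addresses two messages have in common."""
    a, b = hops(raw_a), hops(raw_b)
    shared = {ip for ip, _ in a} & {ip for ip, _ in b}
    return {"shared": sorted(map(str, shared)),
            "shared_all_private": all(ip.is_private for ip in shared),
            "public": sorted({str(ip) for ip, _ in a + b if not ip.is_private}),
            "web_submitted": [any(p == "HTTP" for _, p in h) for h in (a, b)]}
```

Addresses in 10.0.0.0/8 are private (RFC 1918) relay hosts inside the provider's network, so a shared one shows a common path through the same mail system; it is not a client address and cannot be geolocated. The `with HTTP` hop marks submission over HTTP rather than SMTP.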
Best hypothesis so far: Someone Tommy knew set up the phish file at the freehostingchamp account. Tommy agreed to use his email to send out the link.
Speculated motive: find out if any enemies of the people were running the evil yellow blog.
Foreknowledge: in comments it was pointed out people were expecting an email from Tom Hood about the last board meeting audio.
In an email received this was referenced clearly:
Tom Hood had a better set up and didn't rely on battery power. I am pressing for his recording to be posted to KBOO's fragile website soon. Based on the fact that a board member I trust already has possession of this audio, I assume that this will happen soon.
This email was clearly prepping the blog contact to expect an audio file from Tom, in some way. Receiving an email from his address, with words saying, "CLICK HERE to view the important document I uploaded for you." would fit the pattern of a set up.
That the email was never received by the blog contact might be the most pathetic failure and cancer in this situation.
The KBOO/Portland Indymedia Connection
It hasn't escaped readers' attention that when anything embarrassing about the Inner Party is published on the PIMC newswire it tends to vanish. Not everything, but enough to make readers wonder. Rumors for weeks imply that Portland Indymedia is not only deleting articles for the clique controlling KBOO, but has been logging IP addresses and passing them on to Inner Party members.
More recently it was discovered the so-called problems with "lost" compost articles were bogus, the compost link being connected to a blank page, while the real current compost link was orphaned:
Link from Indy front page: http://portland.indymedia.org/en/compost/compost2012.shtml
Real link: http://portland.indymedia.org/en/compost/compost2013.shtml
It was pointed out in comments someone was very busy on July 30 apparently deleting or disabling compost archives back to 2000.
Portland IMC seems to be taken over by "radicals" of the same stripe as the "Inner Party", in other words, not very radical and at least as controlling as the most annoying Republican. But now we know, from a tip in comments, the most likely culprit "massaging" the newswire for Keep KBOO KBOO: "Joe Anybody".
The latest "massage" being suppressing the KBOO related phishing article by banishing it to the compost:
Keep KBOO KBOO fraudulent, dangerous to KBOO
Since May a small clique of KBOO insiders afraid of losing control have been branding themselves as "anti-corporate" and "saving" KBOO. The truth is they will keep a strangle hold on the funds troubled station even if it means committing a series of felonies and attacking KBOO membership
"Joe" (apparently his real name is Mike Tabor) networks on Facebook with all the usual suspects:
On his about page, he lists himself as an Indymedia volunteer:
Under work and education
Of course, who knows how many Indy volunteers there are and what Joe's status is. He could have admin privileges or be Drone 398.
The following link, showing Joe helps run a list for PIMC, proves he is trusted with more access than the average "drone":
imc-portland-requests list run by afterthought at riseup.net, salaud at resist.ca, joeanybody at riseup.net, quill at riseup.net
imc-portland-requests administrative interface (requires authorization)
Overview of all lists.indymedia.org mailing lists
EDIT: an important thing about this clown to remember: he's a KBOO member:
Personal information. First name: joe; Last name: anybody; Listen Online? History. Member for: 1 year 20 weeks.
And for anyone who wants to know what he looks like? Like a "constitutional protection" according to a fan:
Roger David Hardesty posted a photo to Joe Anbody's timeline.
Mkay. If you say so. We assume "constitutional protections" might include "free speech" at Indymedia. Guess we were wrong.
Maybe, since he seems to be some kind of "journalist", he can look into Comrade Hollywood Hood's phishing expedition.
But don't hold your breath. According to the Antifas, "Joe" hangs out with a pretty sleazy crowd:
Another Portland Indymedia player is Jesse London, who helps "Joe" at PIMC as "salaud at resist.ca".
Old whois puts Jesse in Portland in 2011; whether he's still physically in Portland is not clear:
Domain ID:D12298727-LRMS
Created On:05-Mar-2006 08:55:23 UTC
Last Updated On:06-Mar-2010 16:59:35 UTC
Expiration Date:05-Mar-2011 08:55:23 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant Name:Jesse London
Registrant Street1:PO Box 11681
Registrant Postal Code:97211
Registrant Phone Ext.:
Registrant FAX Ext.:
Jesse London was involved with Portland indymedia since 2002 in spite of hailing from North Carolina:
|poster of "CORPORATE ACTION"||26.Nov.2002 12:07|
|Jesse London||26.Nov.2002 12:46|
A blog by Jesse, with Indymedia links, implies he studied law in some capacity:
If Jesse is actively involved with Portland Indymedia, then he's aware of the phishing article they composted and readers shouldn't trust him any farther than they can throw him.
We can assume the Portland Indymedia collective is not representing any anarchist, progressive or revolutionary independent media force in Portland at this time.
More to come....