Weeeell, Tick Tock Tommy didn't want to reply. Total silence. So we have to form our own conclusions.
Phishy Timeline
(corrected as new info comes in)
June 19
8:04 PM: Lisa Loving solicits help on facebook to hack a blog
June 20
12:27 PM Lisa Loving outs Richard/Winston Smith for reporting her attempt to solicit hacking services from a kid
Jun 21 FRI
9:58 AM Lisa Loving goes on rampage, sending an email accusing Hadrian of being behind the "yellow blog"
June 22 SAT
8:46 AM: Lisa Loving continues rampage, sending an email accusing Ben Hoyne of being behind the "yellow blog".
Aug 8
12:21 AM: In part of an email received by blog contact, Tom Hood is mentioned as possibly sharing his audio of board meeting:
Tom Hood had a better set up and didn't rely on battery
power. I am
pressing for his recording to be posted to KBOO's fragile
website soon. Based on the fact that a board member I trust already has
possession of this audio, I assume that this will happen soon.
Aug 9 FRI
9:50 AM: Time Tom Hood claims his account was hacked
9:52 AM: And email with the subject: TRANSACTION CONFIRMATION is sent from Tom Hood's account to multiple people including Hadrian and at least a couple others who have been attacked by the "Inner party". It contains a link to a phishing file hosted at http://drivesdocs.freehostingchamp.com/ with the words:
CLICK HERE to view the important document I uploaded for you.
Clicking on the link directs to a fake Google docs login page.
10:15 am: A recipiant recieves and queries tom about suspiscious email
10:20AMish : Tom hood replies to query
1:01 PM: Hadrian see and opens email; queries Tom about suspicious contents
7:31 PM: Tom send reply to Hadrian claiming his account was hacked at 9:50AM
Aug 10 SAT
11:09 AM Hadrian warns readers of phishing file going around that might be playing on expectation of receiving audio of last board meeting.
12:05 PM: Forward of file recieved by blog contact email. By this time phish file returns error instead of reported login
10:31 PM: http://drivesdocs.freehostingchamp.com/ reported by Hadrian to host
Aug 11 SUN
9:13 AM: Hadrian reports http://drivesdocs.freehostingchamp.com/ suspended by host
10:07 AM Theresa Mitchell's blog savekboo.org gets hit with extreme trolling for lulz
11:44AM: Indymedia article reporting the Phishing attempt appears called "Keep KBOO KBOO fraudulent, dangerous to KBOO"
1:26 PM: By this time Indymedia article is deleted
2:30ish : Reportedly Tom Hood is sent email to come clean. Soon after Conser is reportedly emailed through KBOO.fm contact page.
3:30 PM: Theresa Mitchell might be blocking visitors by IP address
4:00 PMish more reports from people who received phishing email
Aug 12 MON
10:20 AM: Phishing expedition reported to Department of Homeland Security's
National Cybersecurity and Communications Integration Center and their
United States Computer Emergency Readiness Team.
10:43 AM Hadrian emails Tom Hood the phishing incident has been reported to multiple agencies, requesting his help:
"As you see, I take illegal actions such as this seriously. Any
information you can provide about this incident would be helpful in
protecting the people who were targeted by this attack.
Thanks."
10:46 AM: confirmation of US-CERT report received: incident number
PH0000002058026
2:00 PM Phishing incident reported to Oregon Department of Justice
2:24 PM Incident reported to FCC
Aug 13 TUE
4:00AMish Trolling of Facebook pages and profiles begins, including "Committee to Keep KBOO KBOO":
https://www.facebook.com/KeepKBOO
Email Headers(edited):
The headers tell their own tale. All IP addresses are private, probably Google gmail routers. A couple are identical to both emails, implying they were sent from the same location. Even a hacker using Toms email should show a different location.
This is not a spoof. A spoof is an email apparently sent from one account, but really from another. This was sent from Tom's account. The headers imply that Tom never lost control of his account.
Header of 1st email:
Delivered-To: xxxxxx@xxxxxx
Received: by 10.70.129.226 with SMTP id nz2csp91964pdb;
Fri, 9 Aug 2013 09:53:01 -0700 (PDT)
Return-Path: <hood.quimbyxxxxxx>
Received-SPF: pass (google.com: domain of hood.quimby@xxxxxx designates 10.60.xxxxxx as permitted sender) client-ip=10.60.xxxxxx
Authentication-Results: mr.google.com;
spf=pass (google.com: domain of hood.quimby@xxxxxxdesignates 10.60.xxxxxx as permitted sender) smtp.mail=hood.quimby@xxxxxx;
dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.60.xxxxxx])
by 10.60.140.168 with SMTP id rh8mr1280722oeb.76.1376067179971 (num_hops = 1);
Fri, 09 Aug 2013 09:52:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=eu7X2gSfRZZddRQSHNF3K4i5MF7OtV+tOygFQIv6QmY=;
b=Y1CqaiWpe2e1XpWkCm5qWD5/5mRBCHiXeLoJ3nYHmOWHL0Xn8VSOwFVhViJUzswlEn
WEOTnMbeFGfOHq0mwn9To/PV/WjIRIJelv2a2jwBvEE6RKt1jOD/brHZj6ppJu4TzjXM
YlLlRYnx0LbiSvwY4O2z5gzlKr/r46QQhItXtewg0nKDe4fh49mZmXit3Xf5VNFOLSBX
BzFE43W6pShxzyeo8anrQoTxW5i7cTwRb+50F9ZojQJyQMiN0OX0iD4Nq1HHPS6sIqMW
AyToieblsqLU14+EAEKOkRYMyXBrQWxXp1V2AohfeN3d9PUpCl5Vhj48Rnt7JrQRMiuq
aTYg==
MIME-Version: 1.0
X-Received: by 10.60.xxxxxx with SMTP id rh8mr1280722oeb.76.1376067179964;
Fri, 09 Aug 2013 09:52:59 -0700 (PDT)
Received: by 10.76.135.8 with HTTP; Fri, 9 Aug 2013 09:52:59 -0700 (PDT)
Date: Fri, 9 Aug 2013 09:52:59 -0700
Message-ID: <CANpciL+-y27vkfqnugUSmQY1rHb-7W4F5YY0p5mbAvS1UE5J_Q@mail.gmail.com>
Subject: TRANSACTION CONFIRMATION
From: Tom Hood <hood.quimby@xxxxxx>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=047d7b2e4c4672f63f04e3869b35
Bcc: xxxxxx@xxxxxx
Header of 2nd email (from "Real Tom")
Delivered-To: xxxxxx@xxxxxx
Received: by 10.182.88.234 with SMTP id bj10csp473obb;
Fri, 9 Aug 2013 19:31:37 -0700 (PDT)
X-Received: by 10.60.61.115 with SMTP id o19mr2353818oer.85.1376101868035;
Fri, 09 Aug 2013 19:31:08 -0700 (PDT)
Return-Path: <hood.quimby@xxxxxx>
Received: from mail-oa0-x244.google.com (mail-oa0-x244.google.com [2607:f8b0:4003:c02::244])
by mx.google.com with ESMTPS id nk8si10830982obb.37.2013.08.09.19.31.08
for <xxxxxx@xxxxxx>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Fri, 09 Aug 2013 19:31:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of hood.quimby@xxxxxx designates 2607:f8b0:4003:c02::244 as permitted sender) client-ip=2607:f8b0:4003:c02::244;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of hood.quimby@xxxxxx designates 2607:f8b0:4003:c02::244 as permitted sender) smtp.mail=hood.quimby@xxxxxx;
dkim=pass header.i=@gmail.com;
dmarc=pass (p=NONE dis=NONE) d=gmail.com
Received: by mail-oa0-x244.google.com with SMTP id j6so2441312oag.11
for <xxxxxx@xxxxxx>; Fri, 09 Aug 2013 19:31:08 -0700 (PDT)
Return-Path: <hood.quimby@xxxxxx>
Received-SPF: pass (google.com: domain of hood.quimby@xxxxxx designates 10.60.xxxxxx as permitted sender) client-ip=10.60.xxxxxx
X-Received: from mr.google.com ([10.60.xxxxxx])
by 10.60.140.168 with SMTP id rh8mr2902280oeb.76.1376101866286 (num_hops = 1);
Fri, 09 Aug 2013 19:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
bh=AfyVNUEtoKL/78rN5icqP+ZgyN82xTJJVfDPHQLT+sc=;
b=jFv3Gu1Z4KedeZ7d9LXkjFVE9vgZjKipV19o2/DjByojT7wbUoR3CRn+9dYZp7s3tZ
67bykHvTC+i8cpzuAxVIUwTYFoUUTWBubyKbgI2GU8ogEOEaSLQtX0POB+m3V8xN5Guh
79eBZIE3thUq4ZOBOY5VGisdpkwzcgnTZlOmrbWkLA6SgafTOrnMNv97bP3ZJZCKIs6s
kPdGNG9QbST4u4A7BJta7czLxFuhYhxcfKyOoywystlpopZXF4nsl65UQjiJWSZpgUoX
ctxjqlOLqI/2G+uIwhHjzO4iqklTnk6eZowORXn8hfZC+xYbTSqE20W6NrEjG6aDtVQN
ACWA==
MIME-Version: 1.0
X-Received: by 10.60.xxxxxx with SMTP id rh8mr2902280oeb.76.1376101866281;
Fri, 09 Aug 2013 19:31:06 -0700 (PDT)
Received: by 10.76.135.8 with HTTP; Fri, 9 Aug 2013 19:31:06 -0700 (PDT)
In-Reply-To: <CAChsR50tsrkC+XsAJ25NxhTjiRBXCFEA=5zEWxGtN14zN-VBkA@mail.gmail.com>
References: <CANpciL+-y27vkfqnugUSmQY1rHb-7W4F5YY0p5mbAvS1UE5J_Q@mail.gmail.com>
<CAChsR50tsrkC+XsAJ25NxhTjiRBXCFEA=5zEWxGtN14zN-VBkA@mail.gmail.com>
Date: Fri, 9 Aug 2013 19:31:06 -0700
Message-ID: <CANpciLKnK=YE-MJ8JMtXJcRk6DyxeUms8+QJkBTRdwfvRc8YGg@mail.gmail.com>
Subject: Re: TRANSACTION CONFIRMATION
From: "hood.quimby" <hood.quimby@xxxxxx>
To: xxxxxx <xxxxxx@xxxxxx>
Best hypothesis so far: Someone Tommy knew set up the phish file at champs account. Tommy agreed to use his email to send out link.
Speculated motive: find out if any enemies of the people were running the evil yellow blog.
Foreknowledge: in comments it was pointed out people were expecting an email from Tom Hood about the last board meeting audio.
In an email received this was referenced clearly:
Tom Hood had a better set up and didn't rely on battery
power. I am
pressing for his recording to be posted to KBOO's fragile
website soon. Based on the fact that a board member I trust already has
possession of this audio, I assume that this will happen soon.
This email was clearly prepping the blog contact to expect an audio file from Tom, in some way. Receiving an email from his address, with words saying, "
CLICK HERE to view the important document I uploaded for you. " would fit the pattern of a set up.
That the email was never received by the blog contact might be the most pathetic failure and cancer in this situation.
The KBOO/Portland Indymedia Connection
It hasn't escaped readers attention that when anything embarrassing about the Inner Party is published on the PIMC newswire it tends to vanish. Not everything, but enough to make readers wonder. Rumors for weeks imply that Portland Indymedia is not only deleting articles for the clique controlling KBOO, but have been logging IP addresses and passing them on to Inner Party members.
More recently it was discovered the so called problems with "lost" compost articles were bogus, the compost link being connected to a blank page, while the real current compost link was orphaned:
Link from Indy front page: http://portland.indymedia.org/en/compost/compost2012.shtml
Real link: http://portland.indymedia.org/en/compost/compost2013.shtml
It was pointed out in comments someone was very busy on July 30 apparently deleting or disabling compost archives back to 2000.
http://www.portland.indymedia.org/portland/en/compost/
Portland IMC seems to be taken over by "radicals" of the same stripe as the "Inner Party", in other words, not very radical and at least as controlling as the most annoying Republican. B
ut now we know, from a tip in comments, the most likely culprit "massaging" the newswire for Keep KBOO KBOO: "Joe Anybody".
The latest "massage" being suppressing the KBOO related phishing article by banishing it to the compost:
http://portland.indymedia.org/en/2013/08/424517.shtml
Keep KBOO KBOO fraudulent, dangerous to KBOO
author: theduhfiles
Since
May a small clique of KBOO insiders afraid of losing control have been
branding themselves as "anti-corporate" and "saving" KBOO. The truth is
they will keep a strangle hold on the funds troubled station even if it
means committing a series of felonies and attacking KBOO membership
"Joe"(apparently his
real name is Mike Tabor) networks on Facebook with all the usual suspects:
Ani:
Theresa:
Lisa Loving:
On his about page, he lists himself as an Indymedia volunteer:
https://www.facebook.com/Average.JoeAnybody/about
Under work and education
Of course, who knows how many Indy volunteers there are and what Joe's status is. He could have admin privileges or be Drone 398.
The following link,
showing Joe helps run a list for PIMC, proves he is trusted with more access than the average "drone":
http://lists.indymedia.org/mailman/listinfo/imc-portland-requests
imc-portland-requests list run by afterthought at riseup.net, salaud at resist.ca, joeanybody at riseup.net, quill at riseup.net
imc-portland-requests administrative interface (requires authorization)
Overview of all lists.indymedia.org mailing lists
EDIT: an important thing about this clown to remember: he's a KBOO member:
https://kboo.fm/user/8394
Personal information. First name: joe; Last name: anybody; Listen Online? History. Member for: 1 year 20 weeks.
And for anyone who wants to know what he looks like? Like a "constitutional protection" according to a fan:
https://www.facebook.com/Average.JoeAnybody/posts/650465214963653
This is what our Constitutional protections looks like.
Mkay. If you say so. We assume "constitutional protections" might include "free speech" at Indymedia. Guess we were wrong.
Maybe, since he seems to be some kind of "journalist", he can look into Comrade Hollywood Hood's phishing expedition.
But don't hold your breathe. According the the Antifas, "Joe" hangs out with a pretty sleazy crowd:
http://rosecityantifa.weebly.com/1/post/2012/09/portland-911-truth-alliance-hosts-right-wing-bomber-courtesy-of-city-bikes-president-tim-calvert.html
Another Portland Indymedia player is Jesse London, who helps "Joe" at PIMC as "salaud at resist.ca".
Old whois puts Jesse in Portland in 2011; whether he's still in physically in Portland is not clear:
Domain ID:D12298727-LRMS
Domain Name:J512.INFO
Created On:05-Mar-2006 08:55:23 UTC
Last Updated On:06-Mar-2010 16:59:35 UTC
Expiration Date:05-Mar-2011 08:55:23 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR21954693
Registrant Name:Jesse London
Registrant Organization:
Registrant Street1:PO Box 11681
Registrant Street2:
Registrant Street3:
Registrant City:Portland
Registrant State/Province:Oregon
Registrant Postal Code:97211
Registrant Country:US
Registrant Phone:+1.5035732343
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:salaud@resist.ca
Jesse London was involved with Portland indymedia since 2002 in spite of hailing from North Carolina:
http://portland.indymedia.org/en/2002/11/35652.shtml
http://lists.indymedia.org/mailman/public/imc-portland-editorial/2002-November/003688.html
A blog by Jesse, with Indymedia links, imply he studied law in some capacity:
http://cornellnlg.blogspot.com/2009_12_01_archive.html
http://cornellnlg.blogspot.com/2009/12/free-is-really-free.html
Friday, December 18, 2009
From Civil Liberties Defense Center:
PORTLAND
- Dec 16th, 2009 - Jeff "Free" Luers, political prisoner and
environmental activist, was released from the Columbia River
Correctional Institution this morning after serving nine and half years.
Luers was originally sentenced in 2001 to twenty two years and eight
months for the politically motivated arson of three SUV's at a car
dealership in Eugene, OR. This sentence was deemed grossly
disproportionate to the damage sustained by the car dealership and was
condemned by legal professionals, human rights groups and activists
worldwide. At an appeal hearing in 2007 it was ruled that Luers'
original sentence was illegal, and was consequently reduced to ten
years.
Luers' release today comes after what Oregon Department of
Corrections described as a 'mistake' when they released him early on
October 20th this year. After a few short hours of freedom, Luers was
taken back into custody in Eugene after the State agency reversed its
decision and determined that he did not qualify under the new House Bill
3508 for an additional 10% reduction in sentence. DOC's gross
incompetence in this situation, and the emotional toll borne by his
family and loved ones, is just one of many examples of the distressing
levels of bureaucratic impropriety that Luers has endured during his
years behind bars.
Upon his release this morning, Mr. Luers stated:
"The
last 9½ years have been difficult at best. I have witnessed things in
prison that I will carry with me for the rest of my life. I have endured
hardship and loss. Without a doubt, this experience has changed me.
What hasn't changed is my commitment to environmental and social
justice."
Posted by
Jesse London
at
1:48 AM
If Jesse is actively involved with Portland Indymedia, then he's aware of the phishing article they composted and readers shouldn't trust him any farther than they can throw him.
We can assume the Portland Indymedia collective is not representing any anarchist, progressive or revolutionary independent media force in Portland at this time.
More to come....
The phishing email received at around 9am. Tom's reply to my inquiry about it received at around 9pm. Tom says he was hacked and spent all day dealing with that - which did not include notifying any of us in that 12 hours or so that he had been hacked...