What Thunderf00t did, and how.
Lousy Canuck, https://the-orbit.net/lousycanuck/2012/08/10/what-thunderf00t-did-and-how/ (Fri, 10 Aug 2012 15:33:17 +0000), filed under computer forensics.


By now, I’m certain you’ve read Phil Mason’s, AKA Thunderf00t’s, confession about how he’s done exactly what people have accused him of: accessing the back channel after being kicked off the blog.

He spins himself as a whistleblower about vast conspiracies within Freethought Blogs, as though we’re looking to destroy people’s careers every time we commiserate with one another about someone who’s aggrieved us. He says this back channel operates like a “clique” where achievements are lauded, messages amplified, and disagreements mocked mercilessly. In other words, it’s a social club for people who choose to participate, to help spread collegiality amongst our bloggers and support one another when under attack. Because many of those private thoughts concern fights we did not wish to pick publicly, and because we trusted what turned out to be a compromised listserv, Thunderf00t now gets to decide which fights we have with whom, and thus much of the dialog of this blog network.

How very conspiratorial.

You’ve probably also heard that he “doesn’t Doc Drop” in the same post where he violates several folks’ privacy in ways that amount to logistical hair-splitting — and worse yet, we have only his word to go on that he’ll take pains to protect the identity of those pseudonymous bloggers among us who have everything to lose. His word that he’s a good guy, all while he’s engaging in other gross violations of trust.

There are lots of reasons why people had every expectation that the FtB back channel was private, which Greta itemizes. Ashley weighs in on the issue out of pure outrage for the very real personal danger that Natalie Reed is in as a result of an accidental or intentional leak of her personal information, to the point where she’s put off of the atheist movement altogether. Stephanie deconstructs his chosen frame, given that Wikileaks this ain’t. And Zinnia is agog at the sheer disrespect for the very concept of privacy.

I helped Matt, our webmaster, investigate the breach. By necessity, I will have to describe exactly what went wrong and why.

Server-side, we (up until recently) used a program called Mailman to handle the mailing list functionality for our server. It is a very mature codebase, with few if any known technical exploits for the version we were using. Configuration and security, however, are another story.

Mailman apparently never expires an invitation ticket — once you’re invited to a mailing list, the original email you receive asking for your confirmation allows you to log back in and thus rejoin if you’re ever kicked off. Under the default settings, this produces no notification email to the administrators. This is probably by design, or a design oversight — Mailman was likely always intended to run mail lists that were free to join and leave, and only secondarily to run private invite-only lists.

Thunderf00t was added with the batch of Youtube vloggers we brought on board:

Jun 07 11:07:01 2012 (23765) [list addy]: new [Thunderf00t’s Hotmail address], admin mass sub

When Thunderf00t was booted from the network, Ed got email confirmation that he was removed. Thunderf00t would have gotten a message saying he’d been unsubscribed. The logs also show it:

Jul 01 09:46:54 2012 (7837) [list addy]: deleted [Thunderf00t’s Hotmail address]; member mgt page

But they show more.

Jul 01 09:53:03 2012 (8689) [list addy]: pending [Thunderf00t’s Hotmail address] 78.80.[xxx.xxx — IP resolving to Czech Republic, either he was there or using a Tor proxy]
Jul 01 09:53:31 2012 (8716) [list addy]: new [Thunderf00t’s Hotmail address], via web confirmation

Less than ten minutes after he was booted from the mailing list he rejoined using the original auth ticket, and none of us were the wiser.

A month later, we were tipped off that he’d been leaking emails from our list to people in our community, stirring up shit that we simply hadn’t been publicly stirring up ourselves. We immediately started pursuing legal advice on the matter, and Matt booted him and changed the settings so all list changes had to be directly approved by an administrator even with a valid invite ticket.

Aug 02 18:10:38 2012 (12417) [list addy]: deleted [Thunderf00t’s Hotmail address]; member mgt page

The logs show that he immediately attempted to get back on again:

Aug 02 18:19:46 2012 (13060) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:20:51 2012 (13133) Reminder attempt of non-member w/ private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:21:52 2012 (13212) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:22:42 2012 (13266) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:30:10 2012 (13841) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:33:02 2012 (13976) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:35:31 2012 (14100) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:36:09 2012 (14150) Reminder attempt of non-member w/ private rosters: [Thunderf00t’s Hotmail address]

The reminder attempt log lines are instances of him attempting to use the password reminder form to get back in, assuming we’d locked him out some way other than just deleting his account again. Ed would have been prompted to let him in if he’d actually requested it directly, via the option to “join the list” on the Mailman page, and to my knowledge he didn’t try that — he only tried the easier options that were less likely to trigger repercussions. I cannot ascribe motivations on this, but it seems fairly self-evident why he wouldn’t directly ask to be let back on.
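As an added illustration (not the post’s or FtB’s own code), here is a small Python parser over constructed Mailman 2 subscribe-log lines in the shapes quoted above. It flags the two signals the post walks through: a web-confirmation rejoin shortly after an admin deletion of the same address, and the burst of private-roster login and reminder failures. The list name, address and IP are placeholders.

```python
import re
from datetime import datetime, timedelta

# Line shapes from Mailman 2's "subscribe" log, as quoted in the post.
TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) "
DELETED = re.compile(TS + r"(?P<list>\S+): deleted (?P<addr>\S+); member mgt page")
REJOIN = re.compile(TS + r"(?P<list>\S+): new (?P<addr>\S+), via web confirmation")
FAILURE = re.compile(TS + r"(?:Login failure|Reminder attempt of non-member) "
                     r"w(?:ith|/) private rosters: (?P<addr>\S+)")

# Constructed sample log; list name, address and IP are placeholders, not the post's.
SAMPLE_LOG = """\
Jul 01 09:46:54 2012 (7837) example-list: deleted member@example.invalid; member mgt page
Jul 01 09:53:03 2012 (8689) example-list: pending member@example.invalid 203.0.113.7
Jul 01 09:53:31 2012 (8716) example-list: new member@example.invalid, via web confirmation
Aug 02 18:10:38 2012 (12417) example-list: deleted member@example.invalid; member mgt page
Aug 02 18:19:46 2012 (13060) Login failure with private rosters: member@example.invalid
Aug 02 18:20:51 2012 (13133) Reminder attempt of non-member w/ private rosters: member@example.invalid
Aug 02 18:21:52 2012 (13212) Login failure with private rosters: member@example.invalid
""".splitlines()

def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S %Y")

def find_rejoins(lines, window=timedelta(days=1)):
    """Return (addr, list, gap) for each web-confirmation rejoin within `window` of an admin deletion."""
    removed = {}  # (list, addr) -> time of the most recent admin removal
    hits = []
    for line in lines:
        m = DELETED.match(line)
        if m:
            removed[(m["list"], m["addr"])] = parse_ts(m["ts"])
            continue
        m = REJOIN.match(line)
        if m and (m["list"], m["addr"]) in removed:
            gap = parse_ts(m["ts"]) - removed[(m["list"], m["addr"])]
            if gap <= window:
                hits.append((m["addr"], m["list"], gap))
    return hits

def count_failures(lines):
    """Count private-roster login and reminder failures per address (the post's second signal)."""
    counts = {}
    for line in lines:
        m = FAILURE.match(line)
        if m:
            counts[m["addr"]] = counts.get(m["addr"], 0) + 1
    return counts
```

On the sample log, find_rejoins reports one rejoin 6 minutes 37 seconds after removal, and count_failures reports three failed attempts for the same address.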

The log files show the date and time of the very last email our mail server sent to Thunderf00t:

2012-08-02 18:10:39 1Sx6PX-0003EI-MH <= [FtB’s postmaster address] H=localhost (dev.freethoughtblogs.com) [::1]:51819 P=esmtp S=985 id=mailman.0.1343956238.12417.[old FtB list address] T=”You have been unsubscribed from the Freethoughtbloggers mailing list” for [Thunderf00t’s Hotmail address]

So he’s off the list again. This time for good. We’re not even using that software any more, so I feel relatively safe in explaining all this.

Update: See also Ed’s statement on the matter, and PZ’s.

Update 2: Charly posted the following below:

As further evidence that this is real, I can attest that Thunderf00t was indeed in the Czech Republic. I have first-hand information from the admin of a Czech atheist organization website that he and some other Czech atheist activists met Thunderf00t in Prague.

Additionally, I’m putting a strict moratorium on speculation about legal actions. While there are possible routes of action FtB can take, we have not yet squared away all of this with the lawyer we apparently have on retainer for this issue. I’ve told you everything I can, and will not post unexpurgated logs publicly both out of respect for Thunderf00t’s privacy and for the potentiality of messing with any future legal remedies we may or may not attempt.
