(Click image to enlarge)
Pickled Tink and lchris were supposed to have access. Citroenlady and Xeno were given temporary access to help lchris try to get the confusing situation under control.
(Click image to enlarge)
Even though the join dates indicate that they joined in 2009, that can be double-checked in other areas of the database. We can tell when they were created by checking two things, the user number and the password date.
User numbers are given sequentially and can help determine when the accounts were registered on the forum. The later you joined, the higher your number. The first user number assigned in August 2009 was 2208. The last number assigned in September 2009 was 3962. If those accounts were created in August or September of 2009, their user numbers would be between 2208 and 3962.
What were the user numbers of the new admins? From the user log and admin log, I can establish the following member numbers. (I have included jayme in the list because that member was used and altered in similar ways to the others.)
User name | User id |
EvaMarie | 8036 |
kaydaniels | 8101 |
roseym | 8102 |
kaydaniels | 8106 |
Looie | 8108 |
Jayme | 8109 |
The user numbers indicate that, in spite of the join dates shown, those were new accounts. The user numbers are over 8000. User numbers of 8000 or greater were not given to new members until June 22nd, 2010. That means that those user accounts must have been established after that date. Those members joined in June and July of 2010.
Why did kaydaniels have two user numbers? Because the first kaydaniels (user id = 8101) was “killed” by EvaMarie (user id = 8036). To “kill” in vBulletin is to “run code to remove item in database”. When an account is killed, it is removed from the registered user group. However, some records still exist in the admin logs. The admin log shows that the first kaydaniels account was “killed” on July 18th at 8:30 pm. The IP address used by EvaMarie to perform this action was the same as that used by staff member Danileo.
adminlogid | userid | dateline | script | action | extrainfo | ipaddress |
48091 | 8036 | 1279503005 | user.php | find | 6x.xxx.xx.xx7 (Danileo) | |
48092 | 8036 | 1279503005 | user.php | edit | user id = 8101 | 6x.xxx.xx.xx7 (Danileo) |
48093 | 8036 | 1279503027 | user.php | remove | user id = 8101 | 6x.xxx.xx.xx7 (Danileo) |
48094 | 8036 (EvaMarie) | 1279503037 07 /18 /10 @ 8:30:37pm EST | user.php | kill | user id = 8101 (kaydaniels) | 6x.xxx.xx.xx7 (Danileo) |
The password date can also help confirm when a user account was created. The password date is the date on which the password was established. It also shows if a password was later changed. Both actions are recorded. (The password code is a series of 32 numbers and letters and is not decipherable. But in the interest of safety and privacy, I have not shown all the numbers here.)
Let’s take a look at the password history. EvaMarie was given a password on June 30th. It was changed on July 17th . The rest of the accounts were given passwords July 18th and 19th. Roseym changed her password once on the 18th. A few other members signed up on that day, also getting user numbers in the 8000s. Lovin’ Every Minute, larryF and ClixPix are among them.
userid | password code | passworddate |
8036 (EvaMarie) | 8(xx)0 | 2010-06-30 |
8036 (EvaMarie) | A(xx)d | 2010-07-17 |
8101 (kaydaniels) | 8(xx)5 | 2010-07-18 |
8102 (roseym) | 1(xx)2 | 2010-07-18 |
8102 (roseym) | b(xx)c | 2010-07-18 |
8103 (member) | d(xx)9 | 2010-07-18 |
8104 (Lovin’ Every Minute) | 7(xx)1 | 2010-07-18 |
8105 (larryf) | b(xx)c | 2010-07-18 |
8106 (kaydaniels) | 5(xx)6 | 2010-07-18 |
8107 (ClixPix) | 8(xx)d | 2010-07-18 |
8108 (Looie) | c(xx)d | 2010-07-18 |
8109 (jayme) | e(xx)d | 2010-07-19 |
It is clear from both the user numbers and the password dates that the new admin accounts were created in June and July of 2010. Yet the join dates shown for those new admin accounts were in 2009.
The record was altered to make it appear that the accounts were not newly created.
Join dates were not the only thing fake about the new admins. The IP addresses shown in the user log were also altered. They did not actually use those IP address for their subsequent actions. The join dates are all that would be visible to most members of the forum. Only the staff would be able to check the IP addresses in the user log. Were those IP addresses intended to fool other staff members who might check? (Assuming they didn’t recognize the significance of the user numbers.)
The new admin accounts were not the only time that a join date was altered to make it appear that a member was not brand new. As shown in the password chart above, the account for larryF was also created on July 18. But the join date shown in his posts was Aug 2009.
(Click image to enlarge)
Again, the purpose appears to be deception. The post log shows that the posts by larryF were made from the same IP address as that used by staff member LonniR. It is legitimate for a staff member to have a second account in order to view the forum as a member would see it. But there is no legitmate reason for a staff member to create a second account solely for the purpose of confirming her own opinion and spreading misinformation.
postid | threadid | username | userid | dateline | ipaddress |
299443 | 8132 | larryF | 8105 | 1279506565 07 /18 /10 @9:29:25pm EST | 7x.xxx.xxx.x1 (Lonni) |
299454 | 8132 | larryF | 8105 | 1279507032 07 /18 /10 @ 9:37:12pm EST | 7x.xxx.xxx.x1 (Lonni) |
Did the “investigator” used by the Board examine the records of these new admins? For those members familiar with the staff of the forum, the names Evamarie, kaydaniels, roseym and Looie appearing in the admin control panel were clearly a sign of a problem. But did the investigator recognize that those names were suspicious? Did he even look at the activities recorded in the admin log? Would he have known who should be shown in that log and who should not?
What did the Board report say about these new admin accounts?
Lchris also raised concerned that PT had not “authorised” the creation of 2 test admin accounts by Judyokla and Danileo in July however, they had notified PT by email of the creation of these accounts in accordance with lchris's own advice on redundancy. These accounts had no admin permissions attached to them and were fully visible in the admin panel and were never “secret.”
The six accounts above have become “2 test admin accounts” in the report. And they were supposedly created, on the advice of lchris, for “redundancy”. If that were true, there would be no need to alter the record to hide when they were created. The report also claims that the “test accounts” had no admin permissions. If that were true, would EvaMarie have been able to “kill” the account of kaydaniels (8101)?
