Monday 24 August 2015

What we know about Hamza Tzortzis and AshleyMadison.com


This blog post has moved here





It was the 20th of August when I downloaded the hacked Ashley Madison database. It wasn't long before I found an account that seemed to belong to Hamza Andreas Tzortzis. I contacted the email address registered against the account, sending my name + mobile number and asked the owner to call me, but received no reply.

The next day (Friday) I emailed Hamza on his iERA email address and informed him of what I had found. From the very start Hamza wouldn't believe me. He insisted I was playing a joke on him, and only started to take me seriously once I had revealed the last four digits of his credit card. From the outset Hamza has denied responsibility for signing up this account, and from the beginning I have told him I do not believe him but would continue to look at the data to see what I could find out. I suggested he should make a public statement explaining what I had found before someone else finds the same information and exposes him.

Over the next day or two Hamza sent me multiple requests to help him to understand the nature of the data associated with him in the database. Despite being on a long weekend holiday with my family I agreed to work on answering his questions.

Islam teaches us fairness. In no way can the Rationaliser be accused for anything concerning my ID fraud, he actually helped me a lot with access to the data and by interpreting it.Hamza Andreas Tzortzis - iERA

From there onwards a lot has been reported by the press, some of which I found a little misleading, and so I have decided to write this blog explaining what is and is not known about the whole affair. The approval of Mr Tzortzis was sought before publishing this blog.


Credit card information

The person who opened the account used a credit card registered to Andreas Tzortzis. To achieve this they would need to know his real name (readily available), home address (readily available at Companies House), his full credit card number, card expiry date, and the 3 digit security number on the back of the card. In addition to this it is possible the card issuer would have demanded confirmation this was not fraud by requesting the user enter Hamza's online banking password; this is a pretty standard security feature when using your card in an unexpected way or from an unusual location (the transaction was executed from Australia).

The first payment of £54 was issued to the site on the 22nd of October 2014. This would have been the initial membership fee. There were eight subsequent charges for £15 each taken on approximately the same date of each subsequent month, totalling £174 over 9 months.

From this payment information it is possible to assertain the following additional information.

  1. The membership number of the account (99904794).
  2. The email address used to sign up to the site (A_Tzortzis@yahoo.com).
  3. The IP address from which the payment was made (119.17.35.98), which is assigned to Sydney Australia.

Again, the email address is public information. It is possible that Hamza doesn't check this email address often (or at all), it is very likely an old email address as it does not include any indication of his chosen Muslim name "Hamza". However, Hamza certainly has used this email address since becoming a Muslim, for example, a quick Google search reveals content associated with this address from around 2008...but (it seems) nothing recently.

The interesting data here is the IP address. A quick IP -> Geo Location lookup shows it is in Australia. Hamza's public statement on FaceBook (now deleted) stated that £54 had been charged to his card while he was in Australia, and concluded that is where the account was opened from. The server time given for the account creation is 10:09 am, and the last time the account was modified was the same day at 11:43 am. As I don't know the time zone of the server I cannot check what time it would have been in Australia. This information could prove useful if anyone can answer.

The profile 

(Table name: am_am_member)
The profile for 99904794 lists the area in which the account owner can be found for sex as London N16 7TN. The map co-ordinates are 51.5543658, -0.073289 which, according to Google Maps, is Somerford Grove, London, N16 7TN. A check on the free electoral role website reveals Hamza's parents live on that street.

The profile lists Hamza's correct date of birth (21st of September 1980) but again this information is readily available. The profile caption read "Compassionate male seeks friendship" and the summary "I long for a sincere friendship with the ability to connect physically and mentally. I would consider myself compassionate, and someone who thinks a lot.". The profile lists Hamza as weighing 88452 grammes (13st 13lbs or 195lb) which I cannot verify. It lists his height as 178cm (5' 10"), which again I cannot verify but seems about right.

(Table name: aminno_member)
Searching by signup date, signup IP there is a single row matching the account information above. This reveals a profile number of 29425606. The alias for the website is set to AndrewT14, most likely a play on Andreas T, but I don't know for certain what the 14 represents.  The date of birth is the same in this table too, as expected. At the time of the hack this profile had no public photos and no private photos associated with it, so a subsequent release of hacked photos will probably not reveal anything (unless some were uploaded then removed, and the server does not physically delete the image files).

There are some dates indicating the last time certain events occurred that are empty, suggesting the account was not used to email anyone and the user didn't chat with anyone.

Mailing options & user activity

(Table name: amminno_member_email - I will use Y/N instead of 1/0 as per the data)

email=a_tzortzis@yahoo.com, isvalid=Y, optin=Y, notify_newmail=Y, notify_newmember=Y, notify_login=Y, notify_offer=Y

From the developer comments associated with each of these fields it would seem that an email would be sent if there was a special offer, if contacted by another user, or if someone in the account owner's favourites list logged into the website. I cannot say whether any special offers were emailed out to accounts already paid in full or not, or if anyone nearby matching the criteria had signed up resulting in an email being sent, but if the system was working correctly and the dates in aminno_member were being updated then the data suggests no contact was made with anyone as there are no valid date/times set against the fields bc_mail_last_time, bc_chat_last_time, or reply_mail_last_time.

Observations

For this account to have been set up by anyone other than Andreas (Hamza) the account creator would need access to some publicly available information (date of birth, address etc). They would need to put in extra work to find his parent's address. My intuition says a frauster would use the same address that had already been entered during the billing stage. To use an address 1 hour drive away from Andreas's home suggests the account creator was trying to disassociate the account from him rather than bring attention to it. A malicious person probably would be more likely to use account details easily associated with Andreas so that the profile would be discovered. The same goes for the profile name, similar enough to his real name for Andreas to remember, but dissimilar enough to not associate it with him directly. Obviously there was no way this person knew the AshleyMadison.com database would be made public, so it is reasonable to assume this is information hiding rather than exposure.

This person would also require full access to information on both sides of his credit card (16 digit number, expiry date, 3 digit security code on the back) and to have been in Australia at the same time as Andreas in order to sign him up and make it look like he had done it himself.

They would really have had to have done some research to get his weight and height correct, or approximately correct. This high level of detail seems to have the purpose of accurately portraying one's self to attract a partner rather than to mislead the public into identifying Andreas as the account holder.

I can easily accept that Andreas's Yahoo email account is not checked any more. I can confirm that my attempt to contact Andreas via that email address was not successful, whereas an email to his iera account the next day received an immediate response. I have old email accounts I can no longer even access. I can also accept he did not notice the payments coming out of his account via his card. Personally I never check my card statements, I don't even look at my bank statements to see how much is being paid to my card account.

Clarifications

The website does not require you to click a confirm link in an email in order to get into the website. I have tried it myself, my profile name is DirtyJanet if you'd like to look me up ;-)

The flag in the database "isvalid" marked against an email address is stored against the user's emailing preferences. In my experience, flags to indicate the user has confirmed their email address via an email link are typically stored against an account table with a name like "Verified", and not in an email campaign preferences table as found in this database. The presence of a 1 (yes) against this flag on this account does not suggest a link in an email was clicked to activate the account.

An email address can be considered "valid" if it meets the Internet standard on structure. ThisEmailDoesNot@ExistInRealLifeBecauseIJustMadeItUp.com is a valid email address, it just doesn't exist. It isn't uncommon for email campaign scripts to assume an email address is valid and exists and then mark it as defunct when "does not exist" email responses come back.

To me the idea this flag is an email-bounce flag is the most plausible. If the flag were set to zero by default and only marked 1 when the user followed a link in an email then the system would have to send emails to people with emails marked as isvalid=0 in order for them to become marked as valid. I hope you'll agree, sending emails to people with addresses marked as invalid makes the whole purpose of the flag redundant. The expert in this article might be an expert in data analysis but that doesn't make him an expert on the writing of software. I've been employed writing business software for about 19 years now, and I disagree.

This isn't an important point in so far as Andreas not seeing emails to an old account, but I think it is beyond doubt that it has been demonstrated the person signing up did not also require access to the yahoo.com email account.

UPDATE (27 Aug 2015): I am currently looking at the schema and can confirm the default value for isvalid is in fact a 1, so my original conclusion was correct.

UPDATE (31 Mar 2016): After the libellous statements made against me by Dawah Man on Facebook regarding this issue I decided to re-read this article through. Regarding the information used from Andreas's credit card: obviously this would be very difficult for someone to obtain, unless of course it was a company credit card in his name, in which case a small number of people within iERA could have had access to that information. This would mean that it is possible someone who works for iERA, accompanied Hamza to Australia, and stayed in the same hotel chain could be responsible.

The third hypothesis

I find it a little annoying that the alternative to Andreas signing up is presented as someone else doing it and then hacking the website to expose him, and nothing else is considered. It would be possible that someone would sign up an account not identifiable as Andreas in the hope that at some point in the future the monthly £15 debit would be spotted by his wife and cause suspicions that could damage his marriage. Meaning that the hack was unexpected, and the only reason we got to find out about it. I don't subscribe to this hypothesis at all, I just wanted to put forward a more balanced article and point out the stupidity of some scenarios being proposed as the only alternative.

Conclusion

I strongly suspect that while in Australia Andreas decided to have a look around on the web and found this website. He signed up using an old email address he knew wouldn't be checked, entered his credit card details, and then spent the next 94 minutes looking around the website before giving up. He probably then forgot all about it and, because he doesn't check his old email or his card statements, had no idea this website was still taking £15 per month off him for a service he wasn't using.

The profile on the site is now marked as Unavailable. If there is a flag in the database indicating this state then it will be possible to determine whether it was hidden after the exposure or before. If before then it supports the above hypothesis that the account was only used for 93 minutes (assuming that hiding a profile will update the column in the DB recording when the profile was last updated). Frankly, I've had enough of looking through the DB so that can be an exercise for someone else.

I expect at some point he will give up the excuse he came up with while panicking and confess that he looked but did not touch, and then never went back. I seriously doubt this will hurt his career, only Allah can judge him after all, and it's not as if it is an offence that carries a death sentence.


Sunday 16 August 2015

Geocentricism - Can you help me to find some downloads?

Here is a list of works I'd like to read, in some cases there is just an author's name. I am after links to these works, and suggestions of other works concerning geocentricism. If you can help me with any of these I'd appreciate it very much (therationaliser at gmail.com).

·         Abū Yahyā Zakariyyā ibnMuhammad ibn Mahmūd al-Qazwīnī (c. 1203 – 1283 CE)
o   Kitāb ‛Ajāib alMakhlūqat wa Gharāib wa al-Mawjūdāt [“Marvels of Creatures and Rarities of the World”]
·         Al Farabi (872-951 AD)
o   The gathering of the ideas of the two philosophers
·         Shihāb al-Dīn Ahmad ibn Mājid ibn Muhammad al-Sa‛dī (15th/16th century)
o   Kitāb al-Fawā’id fī Ma‛rifad ‛ilm al-Bahr wa’l -Qawā’id [“Uses and Knowledge of Sea Science and Rules”]
·         Al Ghazzali (1058-1111 AD)
o   Incoherence of the Philosophers
o   Ihya' Ulum al-Din or Ihya'u Ulumiddin (The Revival of Religious Sciences)
·         Ulug Beg (1393-1449)
o   Zij-i Sultani (Presumably heliocentric)
·         Abu al-Walid Muhammad ibn Ahmad ibn Rushd AKA Averroes (1126-1198 AD)
o   {Author H Davidson}
o   Tahafut al-Tahafut
o   Decisive Treatise
·         Muhyiddin Ibn Arabi (1165-1240 AD)
o   Al-Futûhât al-makkiyya ("The Meccan Openings")
·         Walī al-Dīn ʿAbd al-Raḥmān ibn Muḥammad ibn Muḥammad ibn Abī Bakr Muḥammad ibn al-Ḥasan Ibn Khaldūn (1332-1406 AD)
o   Muqaddimah
·         Mani’s book of giants? (Cosmogony)
·         al-Farghani 9th CE (Abu'l-Abbas Ahmad ibn Muhammad ibn Kathir al-Farghani)
o   Kitāb fī Jawāmiʿ ʿIlm al-Nujūm (كتاب في جوامع علم النجوم A Compendium of the Science of the Stars) or Elements of astronomy on the celestial motions, written about 833
o   Jawami ilm al-nujum wa usul al karakat al-samawiyya
·         Rhazes 9th CE (Muhammad ibn Zakariya al-Razi)
o   The Small Book on Theism
o   Response to Abu'al'Qasem Braw
o   The Greater Book on Theism
o   Modern Philosophy
o   Spiritual Medicine
o   The Philosophical Approach (Al Syrat al Falsafiah)
o   The Metaphysics
·         Vienna/Avicenna 10th CE (Ibn Sina / Abū ʿAlī al-Ḥusayn ibn ʿAbd Allāh ibn Al-Hasan ibn Ali ibn Sīnā)
o   Kitāb al-shifā
o   Resāla fī ebṭāl aḥkām al-nojūm
o   Dānish nāma-i ʿalāʾī (Book of Knowledge)
·         al-Khujandi 10th CE, built observatory near Tehran in Iran (Abu-Mahmud Khojandi / Abu Mahmud Hamid ibn Khidr Khojandi)
o   {Axial tilt, potentially heliocentrist)
o   On the obliquity of the ecliptic and the latitudes of the cities
·         al Battam (d. 929)
o   Science of the stars
·         Abū ʿAbd Allāh Muḥammad ibn Jābir ibn Sinān al-Raqqī al-Ḥarrānī al-Ṣābiʾ al-Battānī
o   Kitāb az-Zīj ("Book of Astronomical Tables")
·         Abū Ishāq Ibrāhīm al-Zarqālī (d. 1087)
o   Al Amal bi Assahifa Az-Zijia
o   Attadbir
o   Al Madkhal fi Ilm Annoujoum
o   Rissalat fi Tarikat Istikhdam as-Safiha al-Moushtarakah li Jamiâ al-ouroud
o   Almanac Arzarchel
·         Mu'ayyad al-Din al-'Urdi (d. 1266)
o   Kitāb al-Hayʾa, a work on theoretical astronomy
·         Qutb al-Din al-Shirazi (d. 1311)
o   Eḵtiārāt-e moẓaffari It is a treatise on astronomy
o   Nehāyat al-edrāk. The work was dedicated to Mozaffar-al-Din Bulaq Arsalan.
o   Fi ḥarakāt al-dahraja wa’l-nesba bayn al-mostawi wa’l-monḥani a written as an appendix to Nehāyat al-edrāk
o   Nehāyat al-edrāk - The Limit of Accomplishment concerning Knowledge of the Heavens (Nehāyat al-edrāk fi dirayat al-aflak) completed in 1281
o   Ketāb faʿalta wa lā talom fi’l-hayʾa, an Arabic work on astronomy, written for Aṣil-al-Din, son of Nasir al-Din Tusi
o   Šarḥ Taḏkera naṣiriya on astronomy.
o   Al-Tuḥfa al-šāhiya fi’l-hayʾa, an Arabic book on astronomy, having four chapters, written for Moḥammad b. Ṣadr-al-Saʿid, known as Tāj-al-Eslām Amiršāh
o   Ḥall moškelāt al-Majesṭi a book on astronomy, titled Ḥall moškelāt al-Majesṭi
·         Nasir al-Din al-Tusi (d. 1274) Khawaja Muhammad ibn Muhammad ibn Hasan Tūsī
o   Al-Tadhkirah fi'ilm al-hay'ah – A memoir on the science of astronomy
o   Sharh al-Tadhkirah (A Commentary on al-Tadhkirah)
o   sharh al-isharat (Commentary on Avicenna's Isharat)
·         Ibn al-Haytham (11th CE)
o   Al-Shukuk ala Batlamyus (meaning "Doubts on Ptolemy") [Still geocentric]
·         al-Kindi (9th CE) Abu Yūsuf Yaʻqūb ibn ʼIsḥāq aṣ-Ṣabbāḥ al-Kindī
o   The Book of the Judgement of the Stars
o   On the Stellar Rays
o   Treatise on the Judgement of Eclipses
o   On the Revolutions of the Years
o   Treatise on the Spirituality of the Planets
·         Ibn al-Shatir (D. 1375) Ala Al-Din Abu'l-Hasan Ali Ibn Ibrahim Ibn al-Shatir
o   Kitāb Nihāyat al-Suʾāl fī Taṣḥīḥ al-ʾUṣūl (كتاب نهاية السؤال في تصحيح الأصول The Final Quest Concerning the Rectification of Principles)
·         Ali Qushji (d. 1474) Ala al-Dīn Ali ibn Muhammed [Progressive, moving Earth]
o   A Latin translation of two of Qushji's works, the Tract on Arithmetic and Tract on Astronomy, was published by John Greaves in 1650.
·         al-Biruni
o   Al-Qānūn al-Masʿūdi (“The Masʿūdic Canon”)
o   Maqālīd ʿilm al-hayʾah (“Keys to Astronomy”)
o   Istīʿāb al-wujūh al-mumkinah fī ṣanʿat al-asṭurlāb (“Exhaustive Book on Astrolabes”)
o   Al-Tafhīm li-awāʾil ṣināʿat al-tanjīm (“Instruction in the Elements of the art of Astrology”)
o   Kitāb al-Āth ār al-Bāqiyya [“Chronology of Ancient Nations”]
·          al-Khwarizmi
o   Zij al-Sindhind (translated:al-Fazari, Yaqub ibn Tariq)
·         Al-'Abbas ibn Sa'id (9th CE) al-'Abbas ibn Sa'id al-Jawhari
o   Wrote a treatise – commentary on Euclid’s elements
·         Abu Sa'id al-Darir (9th CE) Abu Sa'id al-Darir al-Jurajani
·         Ahmed Al-Nahawandi (9th CE) Ahmad ibn Muhammad al-Nahawandi [Jundishapur]
·         Habash al-Hasib (9th CE) Ahmad ibn 'Abdallah al-Marwazi
·         Sanad ibn 'Ali
·         Yahya ibn abi Mansur
·         Fī an laysa li‐ʾl‐arḍ ḥarakat intiqāl
·         Ibrāhīm al-Fazārī (d. 777)
·         Yaʿqūb ibn Ṭāriq (d. 796) يعقوب بن طارق;
o   Tarkīb al‐aflāk (تركیب الأفلاك, "Arrangement of the orbs")
·         Muḥammad ibn Ibrāhīm al-Fazārī (d. 796 or 806)
·         Mashallah ibn Athari (d. 815)
·         Abu Ma'shar al-Balkhi (d. 886)
o   "Introductorium in Astronomiam", a translation of the Arabic Kitab al-mudkhal al-kabir ila 'ilm ahkam an-nujjum, written in Baghdad in the year 848 A.D. It was translated into Latin first by John of Seville in 1133, and again, less literally and abridged, by Herman of Carinthia in 1140 A.D.
·         Al-Birjandi (d.1528) Abd Ali ibn Muhammad ibn Husayn Birjandi (Persian: عبدعلی مممدبن حسین بیرجندی)
·         Nur ad-Din al-Bitruji / Abu Ishâk ibn al-Bitrogi (d. 1204)
o   Kitāb al-Hayʾah (The book of theoretical astronomy/cosmology, Arabic, كتاب الهيئة)
§  translated into Latin by Michael Scot in 1217 as De motibus celorum

·         al batanni 9th – 10th