ASQ’s Bill Levinson undercover as an anonymous Oxebridge hater.

The false claim that Oxebridge “hacked its own website” — twice — is making new rounds, after being utterly ignored by a US Federal court judge as part of the Oxebridge v Elsmar lawsuit. Now it’s being repeated by ASQ’s Bill Levinson, who is republishing the debunked Elsmar documents and trying to fuel yet another wild conspiracy theory. Levinson is posting these on his new defamation site Osteinfo.net and his fake twitter handle “@Oxebridge_watch.”

Said nutjob theory goes like this: Oxebridge not only hacked its own website and even created the websites Oxebridge.co and Osteinfo.com to defame itself. According to the Elsmar gang, I intentionally seeded Google search results with highly incendiary information about myself, and then defaced my own website, thereby permanently corrupting my online reputation, all to get back at some imaginary enemy. Since then, I have voluntarily increased my website costs by more than 20 times just to pay for additional hosting security services that I never needed, to maintain the appearance that I pulled off this grand scheme.

That makes sense to these idiots.

Meet the Geniuses Who Think “IT” is a Pronoun

Here are the facts. The Oxebridge site was hacked twice. The first time was in July 2015, and was via a simple HTML 1.0 page that replaced the home page with a message in support of Elsmar. We are pretty sure we know how it happened, and it’s blindingly stupid: some of the site’s passwords were still set at their default settings, similar to how wi-fi routers come out of the box with their user/password combination set to “admin/admin.”  Another possibility is that a former disgruntled Oxebridge employee was pissed and gave the passwords over to the hacker. Either way, it was a simple hack, and largely because of our own stupidity in not resetting the default passwords.We never thought Oxebridge.com would become interesting enough for someone to hack it, and therefore we had nearly ZERO controls in place. Consider that a lesson for your own sites, folks.

SparkyJoe (visual approximation)

Now enter the aging internet geniuses who don’t live in their mothers’ basements because even their own mothers threw them out for being d-bags. “SparkyJoe,” a user from Elsmar (who has since been revealed as UK ISO consultant Matt Judge), got cracking and said the hack graphic was actually created by me, in Adobe Photoshop Elements CS6. He pointed to the fact that the image had my name in the metadata, and that it appeared on the website in a variety of different dimensions, which matched the default image sizes offered by Photoshop. SparkyJoe surmised that no hacker would automatically upload various sizes of a graphic, and thus suggested this was evidence enough to “prove” I hacked my own website by making the graphic myself. Even in the email he sent to Elsmar, which is now being reposted by Levinson, SparkyJoe immediately walked back his accusation, saying “prove may be too strong a word.” Levinson missed that part because it didn’t fit his narrative, natch.

SparkyJoe may have thought he was an expert, but he’s actually a complete technical moron. The Oxebridge site relies on the blog platform WordPress for image management, and any image uploaded to a blog post — like those embedded in the Oxebridge hack announcement post — is automatically scaled to multiple dimensions to accommodate what is called “responsive design”: this allows the graphic to appear properly sized no matter the dimensions of the screen you’re viewing it on, showing larger versions for large-screen PC monitors, medium-sized versions for tablets, and tiny versions for cell phone screens. The entire process is automatic, and even adjusts for whether you’re viewing the page using your mobile device in landscape or portrait mode. From WPShout:

Every time you upload an image to your WordPress site, WordPress automatically generates a resized version of that image for every custom image size that your theme (and parent theme, if you’re on a child theme) has registered.

The fact that the default dimensions created by WordPress match those used by Adobe Photoshop is only because they are common default image dimensions.  I don’t even own a copy of Adobe Photoshop, if that matters.

Next, the fact that the graphic SparkyJoe found had my name in the metadata means nothing, since he was never examining the actual image uploaded by the hacker, but a copy made for the hack announcement post. The actual graphic uploaded in the hack was not done via WordPress, but via FTP, so the multiple dimensions were never created. The graphic SparkyJoe examined was, instead, one I made using the “print screen” feature in Windows to include in the hack announcement, so of course it would include my name in the data. The actual hack involved replacing the site’s home page with a simple HTML page comprised of a tiled background image which was much smaller, with the “Elsmar Strikes Back!” wording laid over as plain text. If you’ve ever set your computer desktop to tile (repeat) an image, then you know the drill. The original graphic was a tiny rectangular image, in bitmap (BMP) format that doesn’t even support EXIF metadata. SparkyJoe presented himself as an expert, when in fact he didn’t even understand HTML from the late 1980’s. The Elsmar website is comprised of equally outdated technology, using unpatched open source software that hasn’t been updated to protect from the latest security concerns, so it’s no wonder their in-house geniuses haven’t kept up their skills since they dialed in on AOL.

But then these are the same guys who insisted I shut down the entire Elsmar website, something that never happened, either.

SparkyJoe then provided details on how he accessed the directory where the site’s graphics were kept, but again, he fucked that up, too. He said he discovered the graphic in the WordPress directory wp-content/uploads, but that’s only the location used when graphics are intentionally uploaded as part of a blog post, such as the “print screen” graphic I uploaded. The hack graphic was uploaded to the site’s root directory via FTP (or some other direct means), and never populated any WordPress subdirectory at all. Fail.

Hack 2.0

The second hack, from May 2017, is still a mystery, but we know it had something to do with the Sucuri firewall. Sometime around May 23, the site went down. Over at one of the Elsmar-hosted defamation sites (osteinfo.com), someone was already bragging about it and mocking Oxebridge the failure. It’s not clear if someone gained access to the Sucuri password through Sucuri, or through some weakness in the Oxebridge site itself. At the time I had no idea we were even using Sucuri — it’s just another WordPress plugin — so I wasn’t sure how it worked, or even how to customize it.

I couldn’t do anything on the 24th, as I was flying that day, so on the 25th, I opened a trouble ticket with both Sucuri and our hosting company; the latter notified us that the site “ran out of memory” and was possibly under a Dedicated Denial of Service attack. This was after the hack event on the 23rd, or part of it; it’s not clear:

Meanwhile, Sucuri wrote me separately and reported someone using an anonymous “quality.management56@gmail.com” account was taunting them about it, something that raised red flags immediately:

At the same same time, in our Sucuri trouble ticket, a Sucuri rep confirmed they were concerned about the “quality.management56” email and felt I should take extra precautions to ensure he hadn’t accessed the account:

Throughout this time the site was intermittently up and down, as we updated it a new host plan with tighter security, updated the Sucuri account to a paid account, and wound up spending more than 20 times the money per month on site costs than we did previously. Here’s a shot of a typical billing invoice prior to the hacks:

And here’s one for our current plan (which does not include the additional money we pay for enhanced Sucuri firewall and IT support.)

Levinson, relying on bogus information he got from Elsmar, is claiming that the site was never actually down because someone pretending to be ASQ Tampa member Daniel Leon (yes, this gets weirder and weirder) posted on Twitter that he could still access the site. The real ASQ member Leon confirmed he know nothing about the Twitter handle, so Levinson wants us to believe a guy pretending to be someone else and offering no proof. Next, the site was visible to anyone who hadn’t manually cleared their browser cache, meaning the fake “Daniel Lion” probably did see the site, but was still viewing the content from before the hack, stuck in his browser cache.

From Elsmar filings / Osteinfo.net site

“Daniel Lion” (visual approximation)

Levinson recently admitted, on his Osteinfo.net defamation site, that it was he that wrote from the “quality.management56” account. Because, yes, he apparently puts his birth year in his screen name, like some idiot from OK Cupid. Because I then tweeted that he “involved himself in the hack,” he is now going apeshit-bananarama and screaming until his testicles reach his throat that it “no one hacked Oxebridge” at all. Now he’s harassing the hell out of Sucuri to try and disprove it, and failing miserable. Mind you, I never said Levinson did the hack — I specifically said he probably didn’t — but by harassing Sucuri to the point that two of their tech reps warned me that his emails made them suspect him, to say he’s “involved” in it is factually true.

The Gang (Of One) That Couldn’t Shoot Straight

Let’s look at how Levinson intentionally embroiled himself into the Elsmar hack story, thus negating his subsequent complaints. First, he set off alarm bells at Sucuri by writing that “quality.management56” email to harass Sucuri. Next, he reprinted the Elsmar materials on his various websites, and is actively supporting them to the point that he’s ready to waste his lawyer’s time trying to defend them in a case that doesn’t even have them as litigants. Next, he opened defamation sites using the same registrar and hosting companies used by Elsmar. Then he followed Elsmar’s example of illegal “cybersquatting” of our domain name (Elsmar used “oxebridge.co” and Levinson used “oxebridge.biz”).

Not finished yet, he went and named his latest defamation site after the Elsmar site thought to be operated by the Danish hacker (Elsmar’s was “osteinfo.com,” Levinson’s is “osteinfo.net.”) The Levinson repeated the false claim made by Elsmar that Oxebridge “hacked its own website,” and continues to do so, long after even Elsmar gave up that phony argument.

But wait, there’s more. On the Elsmar Osteinfo.com website, details were published indicating that Levinson had entered into settlement negotiations to end his lawsuit before the first hearing was even held, making it appear that Levinson had been revealing his legal strategy to the owner behind the Osteinfo.com website. Around the same time, the Osteinfo.com website began running sympathetic articles about Levinson using the “fake news!” meme trotted out by Levinson in his various anti-Oxebridge pieces. Those articles appeared to have been written, literally, by Levinson. (Subpoenas will flush the truth out about that point.)

Next, where the Osteinfo.com site run by Elsmar was signed with the nickname “Katzenjammer Kids,” Levinson has been posting Katzenjammer Kids references on his @Oxebrige_Watch twitter feed, as if to literally take credit for the Elsmar site.

Finally, he has been harassing Sucuri more recently by sending them emails from at least three different email accounts, which gave them pause a second time since — let’s face it — changing your email address every time is a suspicious thing to do. Now even Sucuri is on alert to watch for his emails.

For a guy insisting he had nothing to do with it, Levinson has expended tremendous energy to paint himself as a suspect, and to needlessly inject himself into a problem that he has no business in. He has literally made himself part of the hack story. One wonder if he walks into crime scenes that don’t involve him, drooling his DNA and slathering his fingerprints on stuff, just for fun.

And, remember, gang: Levinson has professional risk management experience, and wrote a book on ISO 9001’s “risk-based thinking!” So clearly he assessed all the risks associated with his bizarre behaviors.

Nerd Logic

We only know that he couldn’t have done it because, remember, his technical savvy consists of using aliases with his profession and birth year in them. (At least he didn’t use “nerdgobbler6969”.) He’s probably lucky he doesn’t strangle himself when he ties his shoes, or set his apartment on fire when he waters the plants.

But to Levinson et al, it makes more sense that I jumped from spending $5 a month to $105 — totally behind the scenes — just to piss off some moron at Elsmar who would never see my invoices anyway. I also fabricated entire email chains with my hosting company and Sucuri, entered phony trouble tickets, and somehow convinced multiple companies to send me emails asking if my site was hacked. Because I’m that powerful.

What this does, however, is help us immensely in the defamation suits we have now, as well as those coming in 2018 to fight these internet trolls. They tend to rely on whatever selective information they can drum up to support their claims, not realizing that the courts rely on actual facts, not “alternative facts.” Which makes Levinson’s claims that he (through Elsmar) proved conclusively that I hacked my own site a lie, and thus defamation. The only defense of defamation is the truth, and Levinson does not have that on his side since he’s just making shit up. And keep this in mind: Levinson is a 60-year old man; he can’t explain away this juvenile behavior as youthful indiscretions.

Levinson’s been demanding apologies and retractions anytime I mention his name on the site. The one time I tweeted something about him incorrectly, he received a retraction and apology within minutes.  Let’s see if he has the testicular fortitude to do the same, now that his bogus conspiracy theory has been decisively disproved by actual facts.

I’m not holding my breath.

UPDATE Jan 12, 2018: Levinson has refused to issue a retraction, and has hunkered down, to the likely frustration of his attorney. Not only is he claiming I hacked my own website, he’s saying that it compares to the Nazis (again) who attacked their own base as part of the Gleiwitz incident of 1939.

So here’s our challenge to Levinson: stop being a coward. You admitted you ran the Osteinfo.net site, as well as the others. Put your name on them. Let the world see just who is the real peddler of “fake news” here. Put your name on the Ripoff Report postings. Take ownership of your actions. Act like a man, not a spineless wimp.

    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.