False Ban/DNT - Myturtles

Discussion in 'Dispute Forum Archive' started by Myturtles Ban, Jan 17, 2025.

Thread Status:
Not open for further replies.
  1. Unread #1 - Jan 17, 2025 at 9:48 AM
  2. Myturtles Ban

    Myturtles Ban Guest


    Link to/reason for TWC/DNT/Ban: Blackhat Activities

    Link to your vouches: Myturtles Vouch Page

    Detailed description of the events that took place and why you disagree with the decision:
    Chronological Order of Events:
    1) Discussed on Re-opening our service platform/rebrand. Partner told me to create something like MyPvM.
    2) Upon doing research, (if the plugin is official on Runelite, source code will be available on the repository, so you are able to use it and create your own and further publish it as official) it was found that their Plugin was indeed not an official plugin.
    3) Created a ticket in which their staff confirmed it was not an official plugin and they are side loading.
    4) Spoke about it in a private discord group (will be referenced further) where everyone was in shock of the matter and people did not know they were 3PC (which clearly shows that if they had other sellers duped, they definitely had their customers duped) and thus the ANONYMOUS report ensued.
    5) Upon posting the report, (I had not reached out to any workers) a member of this same group had forwarded me information from an unknown source (he did not want to be disclosed) and had forwarded me the messages which I had promptly posted, ANONYMOUSLY.
    6) Followed by this, the unknown user then forwarded a google docs link which I was then sent by the same user from which I scraped the files, made an imgur of, and promptly posted here as well. Before doing so, I had to verify the legitimacy of the claims made, thus I opened the files in a Java viewer which has simple deobfuscation methods built in. Using those, their front end portion of the plugin was fully deobfuscated to nearly 80-90% of source code which showed that they were injecting into the client.
    7) I had then decided to look into the second file (back end portion) to see if they were using any automation for login/log out/bank pin, etc; but this was more heavily secured as it contained more information and methods regarding Private Keys, Keys for certificate generation, decryption keys upon landing, etc. (This is important for later.)
    8) Upon looking into the files, I was able to learn their protection method and how to reverse it, but am unable to do so.
    9) The user @Keith invited the MyPvM team to the Private Group Chat (Reason Keith did this was to prove his innocence that he was "not involved" as he is a big wuss and didn't want to report them initially as he did not want any drama [even though he has a scam report weekly, funny enough] and mentioned that I may be the "perpetrator" which allowed MyPvM to be retaliatory) in which they saw the conversations and had snipped the conversations in the parts which truly twisted the entire scenario. Everyone in the group chat knew that I was not aiming for Database access, but more so looking at the security aspect.
    10) MyPvM had posted a blackhat violation report with snipped images of chat (When I read Sythe reports, don't full chat logs need to be posted? Funny there was an exception here allowing chat to be taken out of context? How much did MyPvM bribe y'all?) which are clearly out of context and they missed all the parts of people talking about their security and potential customer bans. Seems legit.
    11) I posted proof regarding this matter which clearly shows HOW to do it but I stopped before doing it. There are chats present which clearly show the lack of my ability, lack of tools for the deed, lack of BEING A WORKER FOR MyPVM, etc. (Will explain the bold/underlined point further below.)
    12) A 1 month ban and DNT were posted in my name which I was notified via discord from other users this morning.

    Now, why do I disagree. I said I will take a ban if it was fair, but the ban reason is incorrect. In this post from Pikachu:
    https://www.sythe.org/posts/86250209/
    The ban reason is: "Blackhat/Malicious Activities: Using software tools for deceptive, malicious, or harmful intent directly or indirectly affecting Sythe users. Will result in a temporary ban and a DNT." with the response from @Pikachu being: "I don't like banning a user who was reporting an issue, as it would most likely have been overlooked if it weren't for the attempt to perform malicious activities on a user by brute-forcing their database. However, the screenshot above clearly shows intent to engage in blackhat activities by attempting a brute-force attack on a database."

    Now let's refer to lack of ability/tools/worker from earlier. I did not need to nor did I use any Brute forcing techniques. I actually do not have knowledge in this type of brute forcing. In this scenario, they use a configuration of using a certificate with private keys to send information which is going to be decrypted upon use (Button press on client to login, etc). So to even start the process, you need to:
    1) Launch their software which I will not do.
    2) Be a worker to gain access to their system.
    3) Attain their connection end points. (I mentioned I LOCATED them in the code. It never showed or mentioned I was able to get the raw address as the chat logs were....oh yea! CROPPED.)
    4) Recreate their certificate.
    5) Create/use a tool to BRUTE FORCE their database at random. Still need to ascertain how specifically they assign a login to a user which would require an additional brute force attack to send the logins to the worker which can then be decrypted once you have the decryption key and method.
    6) Overall, to actually Brute force their database, a lot of work is needed and realistically, it stops at step 1/2. I am not a worker, nor have I applied. Without this, you can not even gain access to their system to do anything.

    Let's dumb it down some. At one point we used some type of cracked/nulled software like Microsoft Windows/Office/Photoshop, etc. For the person who cracks it, they first need to attain a working, paid for, operational software and only then can you be able to reverse and run it. It is the same in this scenario, you need to be a worker to be even able to start viewing connections (incoming and outgoing). Once you are a worker, you need to be assigned a job and need to capture the incoming payload via wireshark/burp and locate the end points that way (much easier than breaking the code encryption). You also need to decrypt the keys and forge a certificate (I honestly have no clue how ngl, so no knowledge on this matter for the certificate.) and then use a tool for spamming the API. If what Pikachu claims is present, MyPvM would have logs for their API for spammed attempts. If this was not provided, I assume @Pikachu, no offense intended, has no idea what he is speaking of.

    Now we explained that point, let's go to "the attempt to perform malicious activities on a user".
    I in no way harmed MyPvM regarding their back end. No attempts were made to replicate/steal/share raw code or a rebuilt functional plugin. I DO NOT have any tools for doing the actions I described. I do not have Wireshark nor Burp Suite installed. I can even provide Windows event logs to show I never installed/uninstalled them. I can provide the exact methodology for deobfuscating and what was used. It is all available on github and is open source and are official tools for java development. The user was not directly nor indirectly affected/harmed in any way. No attempt was made to harm the user. As I previously said, the post was not competition driven (otherwise, I would have posted on my main account? I'm not scared lol. Idc about posting as advertisement, but more for exposing bad practices of a user for the community/customers.)

    Also, let's mention that the burden of proof is on the person posting the report. I would like to revisit this matter now. I offered Sythe Staff to contact me and I would provide them any information needed, but I have not been reached out to. No questions asked. No accusations were cleared of confusion. All that exists are cropped chatlogs. On what @Pikachu said, "Brute forced their database", can you confirm if MyPvM had provided you with their API Request logs? If not, it is clear as night and day that no such activity occurred nor was attempted. There was no intent or even attempt made. I wanted to see if a worker is able to do what I had described above and that was the reason I looked into the back end. It was more security related rather than a 3PC proving point. As I said previously in the original post, it is possible for the worker to learn, spend a few months and figure this out. It would take them time but nothing is impossible. MyPvM can flaunt all they want but no security is ever truly secure. It is just the ineptitude of the user, which in my case, I am not afraid to admit that I am not skilled enough for such a task.

    Furthermore, after going through the code for 15 minutes or so, I said "cba" which stands for "can't be asked". I did not delve into the code after a certain point because it was a waste of time for me and I don't have all the time in the world to sit here and do this. I do this for fun, not really for money so I am not driven to get their database access, steal their customers gp/accounts. As I said multiple times, the whole reasoning for this was to Expose MyPvM's bad practices. Although security is an issue no matter what, it is protected to a point where higher skill level people need to be a worker which would not be seen as someone with that level of skill would be paid much more than as a worker at MyPvM and would not even bother.

    Link to previous disputes: N/A

    Anything else you wish to say:
    1) What is the point of an anonymous report if it isn't anonymous?
    2) I don't know how I need to be a customer to report someone for their wrongdoings. Do I need to go report a scammer for scamming after I scam even though it is a clear scam? No, right? So based off your post @Pikachu, a TWC/DNT is more and proper definitive action against MyPvM as they duped thousands of customers with their false statements. Sythe staff has made multiple exceptions for the rules and the ruling on this matter clearly shows that it's not aligned with the right people. You were for the provider and not on the side of the customers/users. As I said, this will show which side Sythe stands on and it is clear, it's not the right side.
    3) This is 100% a clear retaliatory report based off of their 3PC report. The sole reason is to bad mouth/shame the person reporting them and bully them into submission. Surprising that it is allowed on Sythe in such a public manner. Not only is it false, but a false punishment was given as well for a statement which is irrelevant and incorrect?
    4) Many people said this feels like "Targeted Protection", "Doesn't seem fair", doing the right thing with no ill intent, no harm done leads to a retaliatory ban while the original user at fault is off with an infraction? Things do not make sense here. But at the end of the day, IDC. I just want my false Ban/DNT to be gone and I'll keep chugging on. This clearly shows why there is so much disdain against Sythe and their policies.
    5) You noted I am a competitor? I will be possibly in the future, but still as of right now, my services server is not completed and is still in the works. My current server isn't even hand done services. It's mainly account sales and botted activities which are clarified as well. I clearly posted that this was not a post regarding competition at all and thus was made anonymously.

    If you have any further questions or need any type of clarification, please reach out. You have my discord, my Sythe inbox. That is enough places to reach me.
     
  3. Unread #2 - Jan 25, 2025 at 9:31 PM
  4. Myturtles Ban

    Myturtles Ban Guest


    Told by Pikachu to add it in here. Sorry for the long post.
    TLDR: Whoever sent the chats, snipped only the pieces that made me look bad. I will send the rest which shows the full "intent" was not even there and I could not be bothered IRL as I am studying for the NAPLEX (North American Pharmacy Licensure Examination) right now as I am a Doctorate in Pharmacy training to become a Licensed Clinical Pharmacist in practice.

    imgur.com

    Lotta chats, but entire chat log where I break down their security and no mention for going after them for anything other than 3pc. I had 0 intent to do anything else. At the time, I was literally just replying on sythe spam posts on the violations report fishing them for anything so they can guilt themselves (which they eventually did by modifying their TOS slightly) and I don't blame @Pikachu for the (in my opinion) wrongful punishment. If I was given a BH ban on the point that I "cracked" their software, I would understand, but as it is not a paid product and is a tool for workers, and there is no authorization key, there is nothing to crack. As I mentioned,
    2 Files, front end and back end. Front end is the runelite side login portion, backend is the hook for the database. The back end file, I could not get into the raw code at all as I am not skilled enough to reverse that without the use of specialized software which I do not have nor have the access to. I would need to reach out to colleagues to be able to even begin. The process occurs on specialized versions of Linux as well which I do not even have a VM setup for. Their front end file showed clearly that it modifies runelite as they mentioned in their report how they use the login parameters/bank pin plugins to enter in the information for them. 1password and such are allowed and approved by runelite, thus official changes that are approved. But, even if they imitate them, it is considered 3pc as they are not on the official github repo. If they were to be official, their entire source code would be listed and posted which is not safe as then, you can attain their backend server in raw code as well no matter how much they try to hide it.

    For who am I? I am not a competitor to MyPvM as of right now. We plan to open services for our customers who buy accounts and want certain things done on them, but we are primarily a bulk volume account seller/builder of higher end accounts as well as running Botted Infernals/Quivers all on scripts made by yours truly. I am a private bot scripter on Runelite so making the plugin they have, is something in my ability. Making something and reversing something you made after securing it are 2 whole different ball games.
    I.E, you made a pizza, how hard would it be to scientifically reduce the pizza back to its raw ingredients, very difficult yes? It's same with coding basically.

    I hope this TLDR brings some light in on the matter.

    Reason for the report: I was looking into using something similar for my service to automate it for the workers, and upon due diligence; I found they side load/3pc it in. I notified the private chat and no one seemed to know. Tried getting Keith to report them (since we mates and I am busy irl) but he didn't want to because of "connections with them", thus I trolled with his ratnem name.

    P.S Blackblasses <3 no hate on you g, just gotta do what I gotta do to sit these ratnem. They got bad ego issues as a RS Service provider LOL.
     
  5. Unread #3 - Feb 9, 2025 at 9:11 AM
  6. Zora

    Zora
    Global Moderator Nick Legendary CDT Leader


    Hello @myturtles,

    Thank you for your patience as we reviewed your dispute. After careful consideration and a thorough review of all communications and actions associated with your account, we must uphold the decision to deny your dispute based on evidence of activities that breach our community guidelines on security and integrity.

    Specifically, statements you made such as "I dled it and tryna get the endpoints for their database LOL" and "aka possible to brute their db and get logins" suggest attempts to engage in unauthorized access to databases, which falls under our definition of blackhat activities. These rules are in place to protect all members of our community and ensure a safe environment.

    Regarding the anonymity of your report, please be assured that Sythe staff did not disclose your identity. It appears that the reported party deduced your involvement independently.

    We encourage you to reflect on this experience and consider how you might engage constructively in the future. If you have any questions about how to contribute positively or need clarification on our community guidelines, please do not hesitate to reach out.

    Best regards,
    Zora
     