<![CDATA[Valleywag: Fox News]]> http://valleywag.com/tag/fox news <![CDATA[ Fox News makes McCain a fair-use believer ]]> "Overreaching copyright claims have resulted in the removal of noninfringing campaign videos from YouTube." That's the gist of a complaint from the McCain-Palin campaign's general counsel to YouTube management. The letter says YouTube's 10-day review policy hurts America, because "10 days can be a lifetime in a political campaign." It's never been proven that anyone at McCain/Palin headquarters used the DMCA to take down Sarah's swimsuit video. But no doubt being DMCA'd by Fox News for using a news clip in a campaign video has given John McCain a more personal view of how copyright laws can backfire.

]]>
Tue, 14 Oct 2008 14:20:00 PDT Paul Boutin http://valleywag.com/index.php?op=postcommentfeed&postId=5063362&view=rss&microfeed=true
<![CDATA[ "Despicable, slimy, scummy websites" take revenge on Bill O'Reilly ]]> After a 4chan message board user broke into Sarah Palin's Yahoo Mail account and posted screenshots of her emails online, conservative Fox News pundit Bill O'Reilly went on the air and yelled about it. "I'm not going to mention the Web site that posted this, but it's one of those despicable, slimy, scummy websites," said O'Reilly on his show. "Everybody knows where this stuff is, OK, and they know the people who run the website, so why can't they go there tonight to the guy's house who runs it, put him in cuffs and take him down and book him?" 4chan management responded by changing the banner atop its random image posting board so that it read: "DESPICABLE, SLIMY, SCUMMY." One of the site's members took a more aggressive course of action, and hacked into O'Reilly's subscription-only site, BillOReilly.com, and posted the names, billing addresses, email addresses and passwords of 205 paying subscribers to Wikileaks and 4chan. In a statement, Wikileaks expressed no sympathy for O'Reilly — calling his site's security "nonexistent" — but had plenty for O'Reilly's attackers: "The hack was a response to the pundit's recent scurrilous attacks over the Sarah Palin's e-mail story — including on Wikileaks and other members of the press."

]]>
Wed, 24 Sep 2008 10:00:00 PDT Nicholas Carlson http://valleywag.com/index.php?op=postcommentfeed&postId=5054185&view=rss&microfeed=true
<![CDATA[ Fox News VP calls Facebook users "more sophisticated" than MySpace users ]]> In the tangled web woven by media conglomerates and Web companies, MySpace, which is owned by News Corp. under Fox Interactive Media, has a partnership with news broadcaster MSNBC — the cable partnership between Microsoft and NBC. Fox News, another News Corp. property and direct MSNBC competitor, has now signed a deal with Facebook, which counts Microsoft as the lead investor. Admitting that Facebook is now leading MySpace in the social networking space, Fox News VP of development Joel Cheatwood told reporter Brian Stelter, "They also have a user that’s a little older and a little more sophisticated." Enough with the diplomatic double-speak, Cheatwood — tell us what you really think.

]]>
Mon, 18 Aug 2008 08:40:00 PDT Jackson West http://valleywag.com/index.php?op=postcommentfeed&postId=5038207&view=rss&microfeed=true
<![CDATA[ New York Post's desperate bid for Google relevance keys on ... "Rachel Marsden"? ]]> Google has turned us all into monetizable micromarkets. An ad for everyone, and everyone in an ad. The New York Post is now advertising against the keyword "Rachel Marsden" on Google to attract readers. If you're asking "Marsden who?", then you've gotten the point already. Marsden, the Canadian political commentator (and Valleywag commenter), is best known for having been dumped by Wikipedia founder Jimmy Wales on Wikipedia. Current Post readers are no doubt more interested in her reportedly unceremonious exit from the Fox News show Red Eye. What this ad buy tells us: That the Post thinks it can profit from attracting the small number of people who have heard enough about Marsden to search on her name. And that if Marsden is worth advertising against in Google's frictionless marketplace, every last one of us is next.

Will Gawker start buying "Julia Allison" ads, to cement its ownership of that unhappy subject? Will Valley entrepreneurs buy their own names as keywords, to prevent rivals from doing so? Will we all eventually pay a tax to Google — advertise our side of the story, or let others tell us for it? All intriguing. While you muse over that, I'm going to start pricing out "Jason Calacanis" ads.

]]>
Thu, 29 May 2008 09:20:00 PDT Owen Thomas http://valleywag.com/index.php?op=postcommentfeed&postId=393961&view=rss&microfeed=true
<![CDATA[ Natali Del Conte schools Fox News ]]> Check out Natali Del Conte on Fox News. Del Conte not only makes her geeky solution to finding a hard-to-find Wii seem simple — "just Google Wii Tracker" — she also advises viewers to buy Wiis bundled with games and then just return the games. Sneaky sneak.

]]>
Mon, 31 Mar 2008 18:00:00 PDT Nicholas Carlson http://valleywag.com/index.php?op=postcommentfeed&postId=374324&view=rss&microfeed=true
<![CDATA[ Geraldo Rivera looking for iPhone crybabies ]]> Fox News television host Geraldo Rivera is looking for offended iPhone early adopters. If you're aggrieved by Apple's price cut and not satisfied with the $100 Apple Store credit, then a Fox producer wants to talk to you, like, now for tonight's 8 p.m. program, according to this Craigslist posting. We can't wait to see who Fox drums up to whine like a little baby, on air, over the time-honored custom of getting royally soaked when buying brand-new technology.

]]>
Fri, 07 Sep 2007 11:03:32 PDT Owen Thomas http://valleywag.com/index.php?op=postcommentfeed&postId=297600&view=rss&microfeed=true
<![CDATA[ Fark legal net tightens on Fox-linked hacker ]]> Richard Thompson, a blogger who tracks the Memphis, Tenn. news scene at Mediaverse Memphis, has done a follow-up interview with Drew Curtis, the founder of Fark.com. Last week, Curtis, left, fingered Darrell Phillips, to his right, a new media manager at News Corp.-owned TV station WHBQ Fox13, as an all-but-certain suspect behind attempts to hack into the site. He based his accusation on an all-but-conclusive trail of electronic evidence. Thompson, at first skeptical of the accusation, seems to be giving it more credence, as Curtis confirmed that Fark has plans underway to seek legal action. After the jump, the latest revelations.

Thompson: What's the possibility that Fark could be wrong? And if that happens, what can be done to redress Phillips' damaged reputation?

Curtis: Our chances of being wrong are close to nil. Even with the information we currently have we're standing at 99.9%. Our data indicates that only one individual was using the dphillips Fark account for the entire time it's been in existence. That individual worked at Fox, used a Verizon Wireless card, and a Comcast cable modem account in the Memphis area.

It's either Phillips or he's been completely owned by someone else, who coincidentally has access to all of his websites, email accounts, PayPal information, work and home computers. That's a huge stretch.

It's important to note that Fox is not currently a target of Curtis's legal action. "We don't believe at this time that Fox13 had anything to do with this," Curtis tells Thompson. Curtis's lawyers are preparing requests for subpoenas, expected to be filed next week, to get information from Internet service providers in hopes that that data will link, conclusively, the hacker's access attempts to accounts owned by Phillips.

Given that, it's odd that the Fox station has made no comment in this matter. Odd, especially, because according to Thompson, the station had promised a statement earlier this week, but none has materialized. At this point, some might say that Fox's silence is beginning to speak volumes.

]]>
Fri, 24 Aug 2007 09:43:18 PDT Owen Thomas http://valleywag.com/index.php?op=postcommentfeed&postId=293198&view=rss&microfeed=true
<![CDATA[ How a Fox-linked hacker failed to fool Fark ]]> Last week, Drew Curtis, left, the founder of Fark.com, the outrageous social-news website, accused Darrell Phillips, to his right, an employee at a News Corp.-owned Fox TV station in Memphis, Tenn., of attempting to hack into Fark.

Curtis told Valleywag that electronic evidence pointed nearly conclusively to Phillips and that he was pursuing legal action to obtain records and eliminate any doubt. Since then, Phillips and Fox have not commented publicly on the incident. Many observers have expressed disbelief, or suspected satire, given Fark users' reputation for sarcasm and tomfoolery. But Curtis, in sharing the incident, was deadly serious. Curtis today told me he plans to "file a civil claim in federal court to get subpoenas sent." Equally serious is the evidence he's assembled. After the jump, I'm sharing the timeline Curtis's team put together, as well as some other observations tipsters have shared.


In Mediaverse Memphis, a local news blog, a commenter left the following comment to a follow-up story on Valleywag's exclusive:

Has Darrell ever asked you to open a suspicious email attachment?

I hope you thought twice about it.

I think a lot of people who Darrell has screwed in the past are going to enjoy this.

As with any Internet comment, it's impossible to know the validity of the observation, but it's interesting to note that someone bothered to take the time to allege that Phillips has a history of sending "suspicious email attachments" — a common way of delivering "trojans," or software that contains malicious code. And a former employee at WHBQ, the station where Phillips works, believes Phillips was behind the hack, writing:
The investigative news team at WHBQ was usually very well intentioned and thorough. I am sure the actions are those of Phillips and whatever idiots he thought could help him pull off a hacking scheme. This is in the Memphis market. Not exactly reaching out to the best and brightest with the most upstanding journalistic integrity. Phillips was hoping to make a name and move to a larger market.
That, of course, is just speculation. Here are the hard facts, in the form of a detailed log below, prepared by Fark employees, of the attempted break-ins.

One caveat: It's possible, of course, that Phillips's machine was compromised by an outside hacker. But is Fox's corporate network that insecure? And would a hacker, having access to a machine inside the Fox network, and control of Phillips's PayPal account, merely use them to implicate Phillips, rather than conducting larger mischief? I'll let you be the judge, after you review the evidence. (Note: I've redacted staff email addresses and logins, as well as full IP addresses, to avoid giving amateur hackers obvious targets.)

Subject: early August 2007 hack/trojan summary

----- Short version of what's happened:

On August 8, several Fark staff received suspicious email encouraging us to visit a particular website. Through August 12, more similar emails continued to arrive for other Fark volunteer staff, most pretending to be *from* other staff. Three websites were given in these emails, and the sites all contained links to two different trojan horse programs (effectively viruses that don't replicate themselves). If the trojan .EXE files were downloaded and run, the computer would be infected.

The emails all came from a computer in Australia (or in three cases, from Gmail.com). An infected computer would try to communicate with a computer in Tennessee. Antivirus programs did not always find the infection, but researching the behavior suggested they were modified versions of existing trojans, whose purpose was to steal passwords and send them to the Tennessee computer.

Searching Fark's logs for both computers' IP addresses returned no matches on the Australia computer, but revealed many matches for the Tennessee computer. The latter showed multiple attempts to break into Fark accounts belonging to both staff and end-users, and in the latter case was successful once.

They also used other existing accounts, at least two of which might belong to the actual owner of the Tennessee computer. Following logs to find activity on those accounts from other IP addresses, we found identical break-in attempts from elsewhere. Based on their attack patterns, we strongly suspect a Fark staff's Gmail.com account was also broken into.

Based on the other non-malicious behavior of those accounts, including the legit purchase of a Totalfark subscription, we believe our guy is in Memphis, Tennessee, and is probably a Fox13 television journalist named Darrell Phillips; however it's all circumstantial evidence without subpoenaing records from the ISP's owning all the IP addresses, and trojan-hosting websites, in question.


----- Longer version of what happened:

Between August 8 and 12, Fark staff received some suspicious emails trying to get us to visit these three websites:

http://clipsmoke.com/diggtracker.html
http://h1.ripway.com/jumpstart/videomailer-3225.html
http://tinyurl.com/37prcs

so really there are two webhosting companies involved.

Each site contained a link to download an .EXE file, though it pretended to be something else. Three different .EXE files, all of which turned out to be trojan horse programs (though only two distinct programs; #3 was the same as #2). If run, the computer would be infected.

The emails were sent from a computer hosted in or near Melbourne, Australia (or in three cases, from gmail.com), but most of the emails were forged so they'd appear to be from other Fark staff or friends or relatives of Fark staff.

Infected computers would attempt to send data to computers named "fromage.no-ip.info" and "salad5.no-ip.info". In the August 8 to 12 timeframe, those names were aliases for "c-XX-XX-XX-105.hsd1.tn.comcast.net" which is likely a Comcast cable modem customer in Tennessee.

Numerous attempts to hack Fark accounts were found in the same time frame from that same Comcast address. No malicious activity was found from the Australia address, other than the forged emails. This is why the Comcast subpoena is at the top of the list.

I'm not sure any of our staff actually got their computers infected. At the present time, neither no-ip.info host works any more — meaning the trojan doesn't really work any more either.

Anyway... The first site (clipsmoke) had a link to a "diggtracker.exe" tool, which was the trojan. There was also a signup form to create an account that would allegedly give you stats on digg.com and notify of new stories or something, according to the emails we got about it. One staffer filled this form out, and a few hours later got a "thanks for signing up" email — from the same Australian IP address. I think the purpose of the form was really to steal emails and passwords rather than provide any real service.

The ripway site emails said that the site had a funny video on it. If you went there, there was a fake Flash movie (meaning the movie file was too small to contain actual video), and a link below it saying "click to download movie plugin". This link went to http://h1.ripway.com/jumpstart/jumpplayer.exe which was the first trojan.

The tinyurl site just redirects immediately to http://h1.ripway.com/jumpstart/boypics(compressed).exe — a direct link to the second trojan back on the ripway site.

All of these sites no longer work. I saved a copy of the ripway site before it was removed. Meg got a partial copy of the clipsmoke site.

While all this was going on, the computer at the Tennessee Comcast address was trying to hack into Fark accounts. Other accounts were in use by that same address, possibly the real account of the computer's owner, and we followed the logs of other computers used by that account to find other computers, and the logs from those computer IP's showed strikingly similar break-in attempt patterns. They also used the probably-legit account to submit a lot of links to news websites in Memphis.

I am still collecting three or four sets of different logs together into one cohesive set. Until then, here is a summary and event timeline of all of them:

Notes:
"clipsmoke/diggtracker" means an email trying to get us to click
http://clipsmoke.com/diggtracker.html
"ripway" means an email trying to get us to click
http://h1.ripway.com/jumpstart/videomailer-3225.html
"tinyurl" means an email with http://tinyurl.com/37prcs
This site simply redirects to
http://h1.ripway.com/jumpstart/boypics(compressed).exe

Source IP notes:

XX.XX.XX.247 is the Australian source of the phishing emails
XX.XX.XX.105 is Comcast Tennessee, destination of the trojan output and source
of most of the Fark password hack attempts.
XX.XX.XX.225 is an IP that seems to encompass multiple Fox TV sites
nationally — probably a corporate-wide proxy server.
Many many users coming from there submitting links to sites like
myfoxdc, myfoxatlanta, etc.
XX.XX.XX.172 is Verizon Wireless
XX.XX.XX.2xx is an anonymizing service at upsideout.com

I suspect the Comcast address is his home, Fox TV is his work, and upsideout was him trying to hide his real source IP.

DATE/TIME     SOURCE IP       EVENT
---------     ---------       -----
Aug 8 22:32 XX.XX.XX.247 Email from "Cindy Dolan" gmail account to [REDACTED]@fark.com advertising the ripway site. [REDACTED]@fark.com also got one of these, and probably [REDACTED]@fark.com too. Source IP is in Australia. Cindy Dolan likely doesn't exist.

Aug 9 14:26 (gmail.com) Email from "Laurie Dobbins" gmail account to [REDACTED]@fark.com advertising the clipsmoke.com/diggtracker.html site. This one comes direct from gmail.com, not Australia. Laurie Dobbins is probably also a fake name. They claim to be a journalist, which is interesting given what comes next...

Aug 9 19:04 66.193.225.40 The computer logged into Fark account "jsp2000" logs into "dphillips" account. This IP belongs to foxtv.com; it appears to be a corporate proxy used by Fox TV stations across the country, so many accounts are seen coming from this IP address, mostly submitting links to whoever their local Fox TV affiliate site is.

Aug 10 11:25 XX.XX.XX.225 Fark account "dphillips" submits a link to a Memphis media site.

Aug 10 12:11 (gmail.com) Another email from "Laurie Dobbins" gmail account, this one to [REDACTED]@fark.com, again advertising the clipsmoke.com/diggtracker.html site.

Aug 10 13:?? (approx) One of us fills out the signup form on the diggtracker site.

Aug 10 14:31 (approx) Meg asks on our Fark moderator email mailing list if anyone knows anything about diggtracker

Aug 10 ??:?? The one that filled the signup form out thinks their gmail account was broken into between 13:00 and 18:24; we're still investigating this possibility

Aug 10 17:31 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "You signed up for diggtracker". Note source IP is the same Australia one.

Aug 10 18:24 XX.XX.XX.247 Forged email from [REDACTED]@hotmail.com to [REDACTED]@[REDACTED] advertising the ripway site. Source is Australia again. The two addresses are Drew's sister and wife; they might have obtained them from the compromised gmail account (we're still investigating that possibility). Fark's spam filter blocks this message.

Aug 11 00:00 XX.XX.XX.105 Someone started poking around Fark's webmail setup. They tried to log into some email accounts, but failed because our webmail doesn't actually work at all due to a configuration mistake on my part. Source IP is Comcast in Tennessee, using IE6 on Windows XP.

Aug 11 00:35 XX.XX.XX.105 Five failed attempts to log into Fark as users '[REDACTED]' and '[REDACTED]'. (The latter doesn't exist)

Aug 11 00:37 XX.XX.XX.105 View the Fark user profiles for '[REDACTED]' (not there) and [REDACTED] profile. They have suddenly switched to using Firefox, but still Windows XP.

Aug 11 00:54 XX.XX.XX.105 Logs into Fark as "[REDACTED]", getting the password right immediately. This name/password may have come from the maybe-compromised gmail also. Tries to log into TotalFark right after that as [REDACTED], but fails because [REDACTED] isn't a TotalFark subscriber.

Aug 11 00:54 XX.XX.XX.105 Viewed [REDACTED]'s user profile.

Aug 11 01:59 XX.XX.XX.105 Tried to use the Fark Moderator version of the user profile viewer to look at user "[REDACTED]" (Fark's contract web designer); attempts to use [REDACTED]'s moderator account to get in, but can't get the password right.

Aug 11 06:19 ? Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com advertising ripway site. Source unknown, but probably Australia. These are both Fark moderators. Interestingly, they misspell "[REDACTED]", which tips off the recipient that something's not right.

Aug 11 08:49 XX.XX.XX.105 Tries again to use the Fark Moderator version of the profile viewer to look at [REDACTED]'s profile, which again asks for a moderator account first: he again tries "[REDACTED]" 5 times, "[REDACTED]@fark.com" 4 times, "[REDACTED]" 2 times (note [REDACTED] is not actually a moderator), "[REDACTED]" 5 times, "[REDACTED]" again 3 times. This all lasts til 09:31. All unsuccessful. First 5 tries were IE6, then switches to Firefox.

Aug 11 09:20 XX.XX.XX.247 Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com re ripway site; note continued misspelling of "[REDACTED]". [REDACTED] is an older address of another Fark moderator.

Aug 11 11:42 XX.XX.XX.247 Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com advertising the site http://tinyurl.com/37prcs — which is really just a redirect to ripway. Yet another misspelling; it should have been [REDACTED].

Aug 11 16:49 XX.XX.XX.105 Attempt to view Fark user profile "[REDACTED]". It doesn't exist, but [REDACTED]'s dad has a similarly named account that he doesn't find...

Aug 11 22:41 XX.XX.XX.105 Attempt to view Fark user profile "DanAndJenn". That account is a spammer that we banned, possibly from Dallas. Friend? Accomplice? We don't know so I won't speculate further. Curiously, while the IP address is the same, he's now using IE7 from a Windows Vista computer. I suspect the Vista machine is his home desktop computer, and the XP machine is a laptop; you'll see why shortly...

Aug 11 22:43 XX.XX.XX.105 Tried once to log into the Fark profile viewer as Meg with a blank password

Aug 12 0?:?? The owner of the possibly-compromised gmail account changes the password after getting suspicious about all this.

Aug 12 12:16 XX.XX.XX.105 Logs out of the [REDACTED] account and into the dphillips account, and submits a link to a Memphis news site

Aug 12 16:48 XX.XX.XX.105 Logs out and then logs into account "lafollette.will". This one has the same password as "dphillips".

Aug 12 17:18 XX.XX.XX.105 Tried logging into Totalfark as [REDACTED] and [REDACTED] again, and fails. Logs out of lafollette.will, then logs into Fark as [REDACTED] successfully.

Aug 12 17:24 XX.XX.XX.247 Forged email from [REDACTED]@bitO.com to [REDACTED]@fark.com with tinyurl URL. Yet another misspelling: [REDACTED]@[REDACTED]0.com (that's [REDACTED]-zero) is me, but they used [REDACTED]O (that's [REDACTED]-capital-letter-O). They did get around their inability to spell [REDACTED]@gmail.com by using [REDACTED]@fark.com this time — they're the same person, a Fark moderator.

Aug 13 14:35 XX.XX.XX.172 Next day. Jumps to Verizon Wireless and views the "dphillips" Fark profile. This is IE6 on Windows XP again; use of Verizon Wireless strongly suggests (but doesn't prove) that they're using a laptop.

Aug 13 14:36 XX.XX.XX.172 Switches to Firefox, and goes to profile viewer; the session cookie indicates that [REDACTED] had previously been logged into that computer. This and the viewing of "dphillips" implies that this Verizon Wireless IP is the same computer that was at Comcast IP XX.XX.XX.105 yesterday.

Aug 13 14:38 (Paypal) Less than 2 mins later, logs in as dphillips and buys a $5 Totalfark subscription for himself. In the transaction, Paypal gives us his name as Darrell Phillips and an email of [REDACTED]@dnphillips.com. (He also had darrell.phillips@[REDACTED] on his Fark account.)

Aug 13 14:44 XX.XX.XX.172 Still using Firefox, goes to Fark's headline search tool.

Aug 13 15:12 XX.XX.XX.225 30 minutes after that, they're on a foxtv.com address, logged in as dphillips.

Aug 13 15:39 XX.XX.XX.225 Does headline search again (for "animation")

Aug 13 16:10 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "your Diggtracker account is inactive, please log in to reactivate it" email from Australia.

Aug 13 16:50 XX.XX.XX.225 dphillips submits a link to Fark

Aug 13 17:08 XX.XX.XX.225 dphillips submits a link to Fark

Aug 13 17:40 XX.XX.XX.22x While logged in as dphillips, tries to log into Fark 'motherh' using his own password, then two totally different passwords, and fails. In between attempts, he tries logging out of his own account, presumably thinking it would help (but it doesn't). New source IP's for this session, all starting with XX.XX.XX. and ending in .223 .232 .236 .219 — these IP's all belong to the "upsideout.com" anonymizing service. (Hosted in Houston by ev1.net who hosts a lot of popular anonymizing services.) Presumably trying to cover his tracks now, but not doing a very good job of it...

Aug 13 17:47 XX.XX.XX.225 A "forgot my password" request comes into Farkback from user "motherh".

Aug 13 17:48 XX.XX.XX.225 Views motherh profile — we're back on foxtv.com's network now, using IE6 / XP.

Aug 13 17:48 XX.XX.XX.225 View TotalFark page using "dphillips" Totalfark account.

Aug 13 17:53 XX.XX.XX.235 Tries to submit a link as "motherh" but can't get password right — back on the anonymizing service 6 minutes after the previous hit.

Aug 13 18:13 XX.XX.XX.213 Another "forgot my password" request from 'motherh' except they were logged into Fark as "lafollette.will" when they sent it. Oops.

Aug 13 18:16 XX.XX.XX.218 Logs in as lafollette.will to submit link

Aug 13 19:04 XX.XX.XX.225 Back to foxtv network, a computer that was logged in as "jsp2000" logs in as "dphillips"

Aug 13 21:37 XX.XX.XX.105 Back to Comcast IP 2.5 hours later: Logs out of [REDACTED] and into lafollette.will

Aug 13 21:38 XX.XX.XX.105 Looks at [REDACTED] profile. They're using IE7 on Windows Vista now.

Aug 13 21:39 XX.XX.XX.105 Hits logout button.

Aug 13 22:03 (gmail.com) Forged email from [REDACTED]@fark.com to multiple recipients — the To: line says [REDACTED]@gmail.com but [REDACTED]@gmail.com and maybe others get copies; all giving the tinyurl site URL again. Unlike the last tinyurl email, this comes straight from gmail and not Australia.

Aug 13 22:51 XX.XX.XX.105 Logs out of lafollette.will and into dphillips

Aug 13 23:08 XX.XX.XX.105 Submits link to Fark as dphillips

Aug 14 00:43 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "there's a lot of login failures on your digg/farktracker account, you should sign in to check it". I think this is the first time it mentions "farktracker"; all previous ones had been diggtracker.

Aug 14 01:25 XX.XX.XX.210 Logs in as dphillips (using anonymizer)

Aug 14 03:00 ([Fark employee]) I lock the Fark accounts dphillips, dhphillips, lafollette.will, and change [REDACTED]'s password; I block inbound emails to Fark from Australian IP XX.XX.XX.247

Aug 14 04:00 ([Fark employee]) I discovered clipsmoke/diggtracker site had been shut down by its owner.

Aug 14 04:00 ([Fark employee]) I saved a copy of the ripway site in case it disappears later (which it does).

Aug 14 04:00 ([Fark employee]) Emailed abuse@ripway.com and abuse@no-ip.info asking sites and domains be shut off.

Aug 14 08:36 XX.XX.XX.105 Attempts logins to dphillips, lafollette.will, [REDACTED], dphillips in that order, multiple times until 09:13, all from Comcast IP

Aug 14 08:36 XX.XX.XX.105 Views dphillips profile (using Firefox / XP)

Aug 14 08:37 XX.XX.XX.105 Tries to get into his user profile

Aug 14 09:53 XX.XX.XX.225 Attempts login to dphillips, dnphillips several times

Aug 14 10:01 XX.XX.XX.225 dphillips sends Farkback saying "I forgot my password"

Aug 14 11:00 ([REDACTED]) Discovered ripway-hosted site had been shut down due to TOS violation.

Aug 14 11:33 XX.XX.XX.225 Views dphillips profile from FoxTV network (IE6/XP)

Aug 14 11:33 XX.XX.XX.225 Attempts login to dphillips

Aug 14 12:05 XX.XX.XX.225 dphillips sends Farkback saying "I think I was banned..."

Aug 14 12:23 XX.XX.XX.225 Attempts login to dphillips

Aug 14 17:39 75.203.255.69 Attempts login to motherh

Aug 14 18:23 XX.XX.XX.225 Attempts login to dphillips

Aug 14 21:35 ([REDACTED]) Discovered both no-ip.info names now resolve to 0.0.0.0, rendering the trojan ineffective

Aug 15 15:03 ([REDACTED]) Discovered ports 2000 and 2002 don't respond on XX.XX.XX.105 anymore; these were the ports the trojan attempted to connect to.

At least one other moderator got one of the suspicious emails but deleted it before they could forward it to me.

Around the same time [the dphillips account] started trying to get the 'motherh' account, he started using the anonymizer. Maybe he suspected we were on to him by then and wanted to try to cover his tracks.

----- Analysis of the trojans:

Two distinct trojan .EXE files were placed on the ripway and clipsmoke sites.

I deliberately infected a sacrificial system of mine that was disconnected from the Internet and had no useful data on it, and monitored what it was attempting to do with the network using a packet sniffer.

First, they both create a set of keys in the Windows Registry, presumably so they know not to run multiple copies of themselves.

They attempt to look up the IP address of a hostname: one uses "fromage.no-ip.info" and the other "salad5.no-ip.info". Between August 8 and 12, both names resolved to the Comcast IP XX.XX.XX.105. Since my scratch machine didn't have Internet access, I had Windows lie to the trojan and tell it the names resolved to something fake so that it could continue to the next step...

From there, they tried to connect to port 2000 (on fromage) and 2002 (on salad5). If I set up a fake server on the same machine, it transmitted what looked like garbage (probably encrypted) to the (fake) server.

Researching the registry keys created indicates that these are variants of a trojan known in antivirus circles as "Bifrose", which is known to log keystrokes in order to steal passwords. I tried two antivirus programs and neither one recognized either trojan, though. I submitted both to the ClamAV antivirus people, and their next night's software update now detects one of them. It might detect both by the time you read this.

]]>
Tue, 21 Aug 2007 15:22:18 PDT Owen Thomas http://valleywag.com/index.php?op=postcommentfeed&postId=290862&view=rss&microfeed=true
<![CDATA[ Fark founder accuses Fox newsman of hacking ]]> Local TV reporters are infamous for practicing "ambush" journalism — but as they try to take their gotcha practices to the Web, increasingly they're the ones ambushed. The first rule of hacking, after all, is "Don't get caught." And Fox newsman Darrell Phillips may have broken that rule, Drew Curtis has told Valleywag. Curtis, left, is the founder of Fark.com, a thoroughly juvenile, and entertaining, social news site where users pick the headlines. Phillips, to his right, is the new media manager at WHBQ Fox13, a News Corp.-owned TV station in Memphis, Tenn. And Curtis claims to have assembled all-but-conclusive electronic evidence that Phillips has tried to hack into Fark's servers, potentially breaking several laws.

Curtis believes that Phillips, or someone working with Phillips, sent him and several other Fark employees deceptive emails in an attempt to get them to download a trojan, a form of computer virus. The trojan was designed to capture their passwords and give the author access to Fark's servers. In one case, it succeeded, giving a hacker passwords to a file server and one Fark employee's email account; he tried, but failed, to break into Fark's Web servers and email. Unfortunately for the hacker, Fark was able to trace his attempts to break into their system back to a machine in Memphis connected to a Comcast high-speed Internet connection.

At the same time, Phillips, already a Fark member, logged into several other user accounts on Fark — either ones he'd created or ones to which he'd somehow gotten access. Phillips also purchased, using PayPal, a paid subscription to TotalFark, a premium Fark service. The accounts all used the same IP addresses as the hacker. Busted. Curtis says he's "99 percent sure" it's Phillips — and is now attempting to pursue legal action, seeking detailed data from Comcast, to remove his doubts.

What does this mean? Curtis is unsure of Phillips's potential motives — assuming Phillips is, indeed, the hacker. Phillips may have had accomplices, after all — or his own accounts may have been compromised, which would be embarrassing enough for the reporter, who's apparently somewhat Internet-savvy.

But consider this: Phillips's station has launched a news aggregator, OnMemphis.com. The hacker appears to have been hunting for source code and trying to log into Fark's Web-based moderation tools. A look at either would be helpful to someone designing a social-news website.

Phillips might claim he was researching a story on the security of social news sites. If so, the fact that Fark employees so readily detected the intrusion and shut it down doesn't leave him with much of a tale to tell. But certainly, for a newsman, this would at least be a plausible cover story.

And one last motivation that should be mentioned, in the service of conspiracy theorists everywhere: Could Phillips have been working on behalf of higher-ups at News Corp.? It's a well-established fact that Fox News producers are fans of the thoroughly puerile headlines featured on Fark — so much so that a newspaper reporter caught one red-handed using the site as a source for story ideas. That episode, in turn, got some News Corp. executives interested in Fark, for whom the site might be a logical acquisition. If so, the assault on Fark's servers could, just possibly, be a spectacularly ham-handed form of due diligence. It's unlikely, verging on unbelievable, but when we're talking about someone who works for Rupert Murdoch, it would be foolish to rule it out altogether.

]]>
Fri, 17 Aug 2007 10:17:55 PDT Owen Thomas http://valleywag.com/index.php?op=postcommentfeed&postId=290286&view=rss&microfeed=true
<![CDATA[ MSNBC's Keith Olbermann weighs in on Wikipedia ]]>
Keith Olbermann, host of MSNBC's "Countdown," looks at the Wikipedia Scanner episode, in which a website made it vastly easier to trace edits made to the online encyclopedia back to the organizations that made them. He notes that two News Corp.-owned media properties — the Times of London and Fox News — reported on the scandal without noting their own, er, contributions to Wikipedia. Fair enough. But, then again, did Olbermann note any edits made by his colleagues at NBC?

]]>
Fri, 17 Aug 2007 08:20:54 PDT Owen Thomas http://valleywag.com/index.php?op=postcommentfeed&postId=290647&view=rss&microfeed=true
<![CDATA[ Fox News gets hot for Gentleman's Fight Club ]]> The Silicon Valley Fight Club enjoys its third round of publicity (see round one and round two) on Fox News, where anchor John Gibson grills club founder Gints Klimanis about its safety.

KLIMANIS: There are no formal rules other than use better judgment than your own and don't walk into this with the intention of maliciously hurting someone either physically or spiritually. [...]

GIBSON: By the way, Gints, we've been looking at this video but when you came on, I was wondering if my eyes deceived me. Do you have what amounts to an injury across the bridge of your nose and is that from this?

KLIMANIS: Well, this is from this activity two days ago. We do fight with a facial mask, which enables us to swing weapons at one another. The mask doesn't offer a lot of protection because it's light, but without it you'd lose an eye having a stick or having a blunt training object being stuck into your face. Safety is always important.

Silicon Valley Fight Club: Dorky, unmanly, but still ridiculously dangerous.

Bonus notes: When Gints says "this activity," he's using "distancing language," a speech pattern used in awkward situations to deny responsibility. Come on, Gints! Be proud to be a battling nerd!

Earlier: "Gentlemen's Fight Club": programmers armed with Hello Kitty toilet seats [Valleywag]

]]>
Thu, 15 Jun 2006 18:39:08 PDT Nick Douglas http://valleywag.com/index.php?op=postcommentfeed&postId=181172&view=rss&microfeed=true