Vivisector
Daggers and Spears and Songs => FA Obsession Collection => Topic started by: a pigeon on December 16, 2010, 05:59:18 am
-
Some people are reporting that they've had submissions deleted from their gallery before the site was taken offline:
(http://i55.tinypic.com/258z3oy.jpg)
This was posted on the front page just before FA was taken offline:
(http://i52.tinypic.com/2empis1.jpg)
I wonder what it was this time. Certainly looks like the "Fender" account was compromised. The link to a raffle redirected people to this: http://www.youtube.com/watch?v=MebsbmufgVQ (Apparently NSFW)
-
Well, you can still log in at the https login page, as that's the one I have bookmarked. You enter your username and password and it then brings up the "FA will return shortly" page.
Oh, and I don't know how many folks here are aware, but Gawker Media was hacked recently and more than 185,000 passwords (http://www.slate.com/id/2277768/) have been leaked onto the public Internet. This has been more damaging than you'd think because a lot of people use the same god damn password for everything. This has resulted in a lot of collateral damage, ex. Gmail accounts hacked and the like.
It would not surprise me in the least if at least one FA admin was one of those people who uses one password for everything. In fact, it would surprise me if there wasn't at least one FA admin who did this.
-
That's pretty cute, although I probably would have pointed that link here (http://www.youtube.com/watch?v=l8AUPSfgk18) instead.
-
Gawker Media was hacked recently and more than 185,000 passwords (http://www.slate.com/id/2277768/) have been leaked onto the public Internet. This has been more damaging than you'd think because a lot of people use the same god damn password for everything. This has resulted in a lot of collateral damage, ex. Gmail accounts hacked and the like.
http://www.bbc.co.uk/news/technology-11998648
Most common hacked Gawker passwords:
123456 (3074)
password (1954)
12345678 (1119)
lifehack (661)
qwerty (418)
Oh dear
-
So much for "god", "sex", "love", and "money". Hurp lurp 90s reference.
Anyway it seems like it's someone who knows at least something about FA and/or furries in general, if they named specific artists (are those people popular? I have no idea). So once again Furry Will Eat Itself.
If it was anyone from Viv, they will be given a fucking medal of honor better off not admitting it or I guess we'll have to ban them or something, maybe.
-
Zaush is Adam Wan. I am told his ED article is pretty much true, so go there and see Patient Zero in the Popular Asshole That Could Not Succeed Outside of Furry disease.
Oh, and to be fair about the Gawker passwords, it's not like a blog commenting account is a banking account, so who really cares if you use a dumb password. The problem is when the password on your blog commenting account(s) and your bank account are the same. I had to lol at the OMG SRS BZNSS tone of all the blog posts about it though. C'mon people. Gawker writes semi-substantiated gossip for self-important hipsters. Who gives a shit, really?
-
<yak[away]> cue rage about recycled passwords
<@Pi> cue rage about your admins being morons
<yak[away]> not all
<@Pi> oh, just the vast majority of them, my mistake
<@Pi> fwiw your userbase sees it as a triumph that you've "only" been compromised due to insecure passwords three times
<yak[away]> the userbase [isn't] at all tech savvy. if whoever got admin account knew what they were doing the damage could have been ugh, slightly less than catastrophic.
-
So what was the damage, in all? And who the hell's account was it? And you know, I know this is way beyond Yak's pay grade, but it occurs to me that if admin account X (or any account really) is accessed from Reston, VA (to name a place completely and totally at random) at 3:01AM and then again from San Francisco, CA at 3:34AM...SEEMS LIKE SOMETHING MIGHT BE UP. Maybe? I dunno.
-
<yak[away]> cue rage about recycled passwords
<@Pi> cue rage about your admins being morons
<yak[away]> not all
<@Pi> oh, just the vast majority of them, my mistake
<@Pi> fwiw your userbase sees it as a triumph that you've "only" been compromised due to insecure passwords three times
<yak[away]> the userbase [isn't] at all tech savvy. if whoever got admin account knew what they were doing the damage could have been ugh, slightly less than catastrophic.
That's the reason they don't patch security holes either. "Nobody's smart enough to use them!" Yeah okay...
So what was the damage, in all? And who the hell's account was it? And you know, I know this is way beyond Yak's pay scale, but it occurs to me that if admin account X (or any account really) is accessed from Reston, VA (to name a place completely and totally at random) at 3:01AM and then again from San Francisco, CA at 3:34AM...SEEMS LIKE SOMETHING MIGHT BE UP. Maybe? I dunno.
I'm sure in the coming hours Dragoneer will send his white knight brigade (Twitter) after them. FOR THE GOOD OF THE COMMUNITY!
-
So what was the damage, in all? And who the hell's account was it?
You know that we won't ever get an answer, just a series of internet memes.
My money is on Pinkuh. She seems just that dumb.
-
So what was the damage, in all? And who the hell's account was it?
You know that we won't ever get an answer, just a series of internet memes.
My money is on Pinkuh. She seems just that dumb.
(http://img440.imageshack.us/img440/2484/pinkuhfail.png)
Yep...
EDIT: I love how most users on FAF are pointing fingers, blaming the "trolls", and giving FA asspats instead of questioning FA's security practices. Password expiration? What's that?
-
EDIT: I love how most users on FAF are pointing fingers, blaming the "trolls", and giving FA asspats instead of questioning FA's security practices. Password expiration? What's that?
You really don't even need that. I see a lot of people suggesting that and other stuff in the wake of the Gawker attack, but you know what? My dad used to work for a major multinational. They had stringent security policies and a strict password policy. They enforced it. Well, as much as they could. He pretty much openly admitted to me that he had the same password for years and years but just incremented a number on the end. People will go to great lengths to subvert your password policy. At some point you approach inconvenience, and that brings another set of security problems with it.
My suggestion is to have a basic strength requirement in place and then do server side monitoring. Like I said, it's not hard to establish a pattern of normal access, credit card companies have done this for years, if not decades. They pioneered the technique. People are going to access their accounts from the same places, most of the time. If some access seemingly violates the laws of time and space, then something should happen. An alert maybe. Maybe a secret question should be asked. Who knows. I'm not going to invent this system for them, but the technology exists.
There's a million ways to mitigate this stuff, it's just a question of available skill, really.
For what it's worth, I never got a Gawker commenting account because something about having to impress some dumbshit blogger to get my comments published seemed like a gigantic waste of time.
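The "basic strength requirement plus server-side monitoring" idea in this post, as an added example that is not part of the original thread or of FA's code: a blocklist check built from the cracked Gawker passwords listed above (with the "increment a number on the end" habit caught too), and an impossible-travel check over login events. The login events, coordinates and account names are constructed for the example; the 1000 km/h threshold is an assumption (roughly airliner speed).

```python
import math
from datetime import datetime

# Constructed sample login events: (account, timestamp, city, latitude, longitude).
# Cities and times echo the hypothetical in the post; coordinates are rough city centres.
SAMPLE_LOGINS = [
    ("admin_x", "2010-12-16 03:01:00", "Reston, VA", 38.96, -77.36),
    ("admin_x", "2010-12-16 03:34:00", "San Francisco, CA", 37.77, -122.42),
    ("admin_y", "2010-12-16 09:00:00", "Reston, VA", 38.96, -77.36),
    ("admin_y", "2010-12-16 17:30:00", "San Francisco, CA", 37.77, -122.42),
]

# Assumed threshold: anything faster than an airliner between two logins is impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points given in degrees."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def find_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Group logins per account, sort by time, and flag every consecutive pair whose
    implied ground speed exceeds max_speed_kmh.
    Returns a list of (account, from_city, to_city, speed_kmh) alerts."""
    by_account = {}
    for account, ts, city, lat, lon in logins:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_account.setdefault(account, []).append((when, city, lat, lon))
    alerts = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e[0])
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            distance = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two logins at the same instant from different places are impossible as well.
            speed = distance / hours if hours > 0 else (math.inf if distance > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((account, c1, c2, round(speed)))
    return alerts


# The five most common cracked Gawker passwords quoted earlier in the thread.
COMMON_PASSWORDS = {"123456", "password", "12345678", "lifehack", "qwerty"}


def password_acceptable(password, min_length=10, blocklist=COMMON_PASSWORDS):
    """Minimal strength gate: minimum length, not a known-cracked password, and not a
    blocklisted word with digits tacked on the end (the 'increment the number' habit)."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    return lowered not in blocklist and lowered.rstrip("0123456789") not in blocklist


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print("ALERT impossible travel:", alert)
    for candidate in ("password1", "lifehack2010", "Tr0ub4dor&3xyz"):
        print(candidate, "->", "ok" if password_acceptable(candidate) else "rejected")
```

On the sample data only admin_x is flagged: Reston to San Francisco is roughly 3900 km, and covering that in 33 minutes implies about 7000 km/h, while admin_y's eight and a half hours between the same two cities is an ordinary flight. What happens on an alert (a notification, a step-up question, a forced re-login) is left to the site, as the post says.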
-
Now they're claiming it's not Pinkuh.
Time to run the rest of the admins through that thing and see what happens.
-
Dragoneer will tell someone in a private chat and the log will be leaked in 3...2...
-
If it would've been Pinkuh, I think it would've been a twist of delicious irony if the person who got into the account kept things on the down-low, had some sort of huge shitfit (preferably in a manner as close to being in Pinkuh's character as possible), and got the account banned.
If it was Pinkuh's, I'm very disappointed in whoever got in there for not making that happen. I'd have paid, like, a million pesos to watch the banbitch get banned.
-
I downloaded the Gawker database and ran every FA admin's username, and if they listed it, email address through it. I got two results other than Pinkuh.
A possible match for Irreverent. They list no email address on their FA page, and the email doesn't seem to support a match.
Then there's Rhainor (http://www.furaffinity.net/user/rhainor), or Gawker user zachcoggin. Email addresses match. The irony here is his FA page says "Greetings. My name, as you can see, is Rhainor. No, it's not my Real name; I'm not about to give my Real name across an unsecured web site.", yet it seems he used his real name for his Gawker username.
-
It seems like people are just wishing it was Pinkuh. It seems a more likely scenario is one of those semi-dormant administrators they have got hacked. I don't know if they de-op inactive admins, but I remember from the FA retrospectacle thread they seemed to have a lot of admins who did very little with the site.
Another thing to remember is there are like 1.2 million accounts in that database, but only 185,000 or so were accompanied by decrypted passwords.
-
So here's a really interesting question.... does the admin shoutbox still have the same XSS holes they had in the mouse-over previews? I remember being able to send off user cookies to a server and then using those session IDs to log in as the user..... Could you imagine if they had harvested some user accounts by posting that News item?
Also, on the note of passwords, at work I have to change mine every 3 (2 maybe?) months and I can't use any password I've used in the last NINETEEN times I've changed it.
-
Also, on the note of passwords, at work I have to change mine every 3 (2 maybe?) months and I can't use any password I've used in the last NINETEEN times I've changed it.
My High School made us change our passwords monthly. It was set up to let people keep the same one (even though the teachers and staff always said you couldn't), though... I just don't think they were aware that was broken (Their tech people may have been more incompetent than FA.)
-
It seems that now, every single member of staff (Except Yak) has had their account changed to "member" level or set as "deceased". Dragoneer also had his gallery wiped & a journal was posted on his account:
(http://i53.tinypic.com/29ykzyw.jpg)
Edit:
(http://i55.tinypic.com/2me24g9.jpg)
(http://img205.imageshack.us/img205/3759/ttsg.jpg)
(http://img525.imageshack.us/img525/1839/notesy.jpg)
(http://i51.tinypic.com/288vbti.png)
In Dragoneer's own words, this is apparently what happened:
It turns out there's an XSS vulnerability in the trouble ticket system. Somebody was attacking every single point of the site, and apparently one of the reason updates to the TT's broke something, and they managed to exploit it that way. We saw a lot of other attempted XSS attacks, then this.
Ratte's account got hijacked simply because she was trying to help people, and then Ratte's account was used to attack FA (and then mine). So that's what we're seeing right now. We've closed off almost everything admin-wise.
-
Some people are having their accounts fucked around with:
(http://i53.tinypic.com/2f05e2o.jpg)
(http://i53.tinypic.com/140dj5l.jpg)
-
The interesting part is that FA seems to be under persistent attack at the moment and the admins, while aware, are not visibly doing anything on site. I think the admins are locked out of their own site, at a software level, at the moment.
-
A few minutes ago, someone managed to get into the admin control panel on the FA forums and made all the admin forums visible:
http://i56.tinypic.com/34rdkz8.jpg
They took the forums down right quick after that.
-
Oh my fucking god.
I have no words besides "I told you so".
-
Dragoneer cannot fix the site being at work right at the moment
Today he had problems with his superior for being stuck on the internet (he needs a working proxy because he's FIREWALLED... soon to be FIRED)
He will be able to take back the control of FA when back home
That's all I know from a friend in FA's staff - a cool guy so no name, both sides could attack him
(emphasis mine)
I think it's cute how someone thinks there's two "sides" here. This attack is pretty obviously carried out by another furry (or someone who might as well be, given their familiarity with the non-notable names at the top), not some external influence.
-
It's all lulz.net's fault:
As frustrating as it may be, there's nothing in those logs I don't stand by.
But at least we do know it was Lulz now, given everything was directly pumped right up there. So I'm sure they'll be enjoying Christmas, reading through boring notes, dull comments and more.
-
They appear to have absolutely no idea what's going on:
As it stands, we're not sure what they did. We know who they did it /to/, but not the how. The forums also got hit, but the compromised account was not one of the ones in the first compromise. Which makes it a bit weirder.
<&net-cat> Do any of you know what actually happened? And I mean that in a technical sense. Not in a "lol management" sense.
<Pi> no
<Pi> we have no idea
<Eevee_> dragoneer says it was XSS in trouble tickets
<Eevee_> that's all I've heard technically
<Pi> because your chain of communication is fucked
<@Carenath> Eevee_: And that's all I know either.
<Eevee_> (I don't know why dragoneer is making technical announcements in furrydrama_2)
<Pi> and that's fucking pathetic
/*/ mode/#furaffinity-dev [+m] by net-cat
<&net-cat> Then I thank you for your input.
<&net-cat> I am at work right now and I don't need an editorial on how much I suck.
<&net-cat> I need solutions to the immediate issue.
<&net-cat> If anyone has any to offer, please /query me or yak[work]
I PM'd him, saying the solution to the immediate issue is getting someone who gives a shit about security in to mop up. He said something along the lines of "but i heard you hacked us once and stole all the codes". It was promptly followed up with "<net-cat> I wasn't there for that.".
Yep.
-
<Eevee_> (I don't know why dragoneer is making technical announcements in furrydrama_2)
Dragoneer seems to greatly prefer posting updates and information on furrydrama_2, as opposed to telling other members of FA staff or making it public so that the people who use FA can be informed:
For the record, it's not so much as two break-ins in a row... as it's just a continued extension of the first time.
And it doesn't help that one of the admin's personal e-mail accounts was broken into and used to do p/w resets against, which lead up to what we're experiencing right now.
Whoever did it got the passwords from somewhere, and it wasn't FA... which stands to reason as my earlier suspicion. Bijoux's personal account was broken into, which is what we're dealing with right now.
So it was Bijoux's account that was compromised originally. Well, from what I remember of her, she could have been replaced with an IRC bot that said: "I agree with Pinkuh".
-
Today he had problems with his superior for being stuck on the internet (he needs a working proxy because he's FIREWALLED... soon to be FIRED)
That'd be the icing on the cake at this point, honestly. Apparently space Santa from Jupiter has decided to give those of us who believe in karma an early merry fucking Christmas.
-
<Eevee_> dragoneer says it was XSS in trouble tickets
lololololol wasn't this on Eevee's security hole list?
Today he had problems with his superior for being stuck on the internet (he needs a working proxy because he's FIREWALLED... soon to be FIRED)
The sad thing is, it's probably true. "I can't fix that laptop, sir, my porn website is getting fucked over because I never bothered to fix the security! bawww!"
All I can say is, it's about time. Maybe Dragoneer will finally realize that running a website like FA isn't supposed to be all fun and games all the time.
-
<Eevee_> dragoneer says it was XSS in trouble tickets
lololololol wasn't this on Eevee's security hole list?
I guessed that there might be something and that it would be the worst of the lot, but couldn't be sure without actually seeing/poking the admin pages. Looks like someone did the poking for me.
Dragoneer tells me he's not entirely sure it's XSS, and it wouldn't explain the forum break-in anyway. So, nobody even seems sure what happened.
-
And here's what Yak has to say, or rather, how Yak is passing the buck:
<yak[away]> Eevee, the thing is, I can. i have full control on where fa goes, technical side, and how it does this. i just need a good fucking rest and a week of time to organize something
<yak[away]> and i haven't had a moment's rest since. my $job is retardedly demanding. more like two jobs seeing as how things are
<@Pi> clearly you don't actually know what you're doing when it comes to security
<@Pi> you need someone with the experience and the credentials, not some 13 year old kid
<@Pi> how many times am i going to have to repeat this before you find SOMEONE
<@Pi> ANYONE
<yak[away]> okay, caps lock time
<@Pi> here comes the big fat excuse
<yak[away]> I CANT JUST GIVE FULL ACCESS TO A RANDOM HOMO WITHOUT AT LEAST MAKING A SECURE ENVIRONMENT FIRST, AND I NEED TIME FOR THAT
<@Pi> yak[away]: you're not going to have a secure environment in time for the next attack. you'll just go back to "welp i think we got these holes closed, gotta get back to making sure the site doesn't collapse under its own load"
<yak[away]> I don't have the time to keep up with this conversation. Your points were made long ago and I am aware of them. Believe it or not I am taking care of the issue that is myself. It will take some time but it will get done; in a month or two.
<yak[away]> so far the official reason for yesterday's hack is a hijacked session, and today's is a continuation of yesterday's, via a password reset on an admin account which email was changed.
Let's try and follow the logic here. "We can't let someone (anyone) who knows about security work on the site, because we don't have a secure environment. The production site is swiss-fucked-cheese, but we can't accept help fixing that, without setting up a secure testing environment." Kinda putting the cart before the horse, innit?
Don't they have 4 servers sitting in the rack serving up video games or doing something similarly useless?
(I'm sure this is bound to get plenty of retards crowing about how this means I'm butthurt because they aren't recognizing my obvious superiority, or some other EDtastic crap. Whatever.)
-
Don't they have 4 servers sitting in the rack serving up video games or doing something similarly useless?
One (http://70.33.186.194/) of those servers (the one Dragoneer made a big deal out of bringing online) is running what he calls "Advanced data logging" software (see: pretty chart creator) to crack down on people that use too much bandwidth. Because that's what makes the site slow.
The other three are doing absolutely nothing but hemorrhaging money, from what I can tell.
-
They've got an entire server running graphing software? Fucking lol.
-
They've got an entire server running graphing software? Fucking lol.
Good to see everybody's donation money going to good use.
-
Guess who's notes have been leaked!
http://filesmelt.com/dl/Dragoneers_Notes.7z
Most of them involve him removing game screenshots and memes.
Fun quotes:
We code to standards compliant.
What does it take to be an Admin?
Generally, be established in the community, be helpful, keep your nose out of drama...
If people are coming to his page to harass him... we can investigate that. But we'll also have to investigate the accusations as well. If they're legit...
There are several ways you could act on this:
1. Do nothing. Everything continues as before. Concerns are raised, they fall on deaf ears, and when something bad inevitably happens, a shitstorm occurs.
2. Hire a professional code auditor. It's their damn job to find holes, errors, and exploits in the site's code. Sure, this costs money, but that's what donations are for - maintaining the site.
3. Make the code open source. Allow the community to volunteer and test the code themselves. This is free, simple, and lets glaring errors and exploits come to light that much faster. This may or may not be feasible, but at least it draws on the community's skills, rather than a few individuals.
4. Be proactive. Seriously. Everything I hear about the administration during events like these is that people tried to warn them, but nobody listened. Stop that. LISTEN. ACT ON IT.
5. Shuffle the admin team around. Hopefully you won't have to actually do this, but it might be possible that some of the admin team may in fact not be suitable for their position. You know,
Again, the intent of this note is not to cause drama or troll you, or anything of that sort. Rather, it is to have a short, objective look at what's been happening on the site with regards to security, brought to light by last night's events, and my take on what could (should) be done to address these concerns so that they do not happen again.
Thank you.
We're going to be doing a version of #2 soon enough, and we've been pondering #3 for a while.
I say this in all sincerity and seriousness. It is time to add another coder. Right now it sounds like Yak is the only one and he's really not patching the holes he should be. Maybe it's too much work, I don't know. Let's just say after a long time of listening to Wolfblade rant I've gotten the definite impression that Yak codes as he likes, when he likes, and he leaves projects undone. And heck, I see examples of that myself. I don't have a full understanding of coding, true, but what I do know is that's not something that should be left to one person that just doesn't seem that motivated to get stuff fixed. It's time to let that sandbag go. By that I mean, bring in another coder. Still have Yak around, sure, but someone should be helping. Fresh perspective, more hands to get the work done. And more importantly, you shouldn't be as hostage to one coder.
Incidentally, Wolfblade and I no longer talk, now. We had a big falling out, not sure if you noticed, over him badmouthing FA and not saying a damned thing about Inkbunny and Starling over here on his rant journal.
The issue is not yak, but the holes in the coding.
Yak is not the problem. Having a coder who codes for a site when they have a full time job and a life...
We've *had* a lot of coders come in. We've had a metric fuckton of coders come our way, and most talk a good game, but when it comes to coding, they're empty and shallow. Now, if you want to know the best coder FA ever had, but lost? Gavin. When Crypto was lead coder of Ferrox, Gavin was trying to join the team. Crypto, because he wanted all the credit for himself, told Gavin we didn't want, need him.
Gavin later left and went off to form Furocity.
We're looking for coders, and are trying to tap into reliable sources... but GOOD coders, and coders who can work as part of a team -vs- "it's my way, or not at all (see: Jurann, Eevee, Crypto, etc.) is difficult.
I made Yak a job offer to work on FA full time. If yak spent his time working on FA, we wouldn't have these problems. He'd be able to code as a job, get paid, and resolve all the issues. And FA would have a full time coder.
If he accepts is another story. Yak is solid though, and he's proven and tested. Wolfblade doesn't know what the hell he's talking about because he's always too busy trying to white knight for anybody he feels is being picked on.
Unfortunately, FA is an all-volunteer site, and we do not pay since we run almost primarily off of donations. Not even I get paid.
Hi there!
I worked some more on those badges for you!
You told me you'd send me the payment 3 weeks ago.
I don't want to be annoying, but I'd just appreciate some kind of money, even if it's just part of it, before I move on to animating and stuff.
Just so we can say we both do our part of the deal :D
I'll talk to you later!
Haha. I was wonderin' if you'd be up for a picture of Dragoneer, *massive* udder... kinda dribblin', leakin' on the floor... Sciggles perched on top of it with sort of a curious look at it as sort of looks down at the thing. =D
Just no freebies. I don't accept 'em!
How much would I need to.. Donate.. To have my account un-agelocked? Just the mature art, not adult.
The system was coded very brokenly by the original coder, and there's no great way to split it up. Yet.
Notice how he doesn't condemn the bribe...
Sorry if I seemed frustrated. He called me at work during a meeting, and I got in trouble with my boss. Only calls I get on my cell are generally important high level stuff.
Oh shit! WYS stuff!
Hey,
Aurora gave me a call tonight and told me what was going on with Syn and Derek. Both got a 5 Day Bans from the forums for Violations of the Offsite Harassment Policy.
She said your staff are starting to give you shit for it as well. In all fairness, 'Neer - if me, Aurora or anyone for that matter step over the line? Feel free to hand us our asses for it. We're just guests in your house, so if we don't follow your rules, give us the timeout for it, you know?
But yeah, Syn and Derek both got 5 Day timeouts on our end, and were told next one is a perma from our site. I apologize for the trouble they caused, and while I can't say the same for Syn, I don't think Derek will be an issue again.
If either do it again, let us know and we'll take care of our end of things.
Later 'Neer!
-Silver
http://labs.henriwatson.com/facsrf/
There are tests for all of them on there. I only recommend running "hell" on a test account because it changes a lot of stuff. I haven't told anyone about the details of the exploits and won't until these are fixed. There are also two other exploits that I haven't implemented here and three that I haven't tested (login, change account settings and trouble tickets).
- Journal deletion
Simple, call http://www.furaffinity.net/controls.....rnal/JournalID
Replace JournalID by the journal's ID and if the user has permission to delete it, it will be deleted
- Submission deletion
Pretty much the same as above, except the base URL is http://www.furaffinity.net//control.....e/SubmissionID
I apologize in advance if I shouldn't have tested on www., your journal on the exploits was deleted when I started coding so I didn't know the specifics.
Okay... now I just lost my custom profile that I worked hard on tonight... FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Better warnings as to what the exploits do is good. But these will definitely be good. I would suggest you coordinate with yak, as he's the main "Fix it" guy.
I specifically told you not to run it on your main account and to run it on a test account instead!
There's so much more, and I don't feel like posting much more. Except this delicious Adam Wan drama!
(http://img820.imageshack.us/img820/6277/zaushsohornyrepost.jpg) (http://img820.imageshack.us/i/zaushsohornyrepost.jpg/)
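The leaked notes above describe journal and submission deletion firing off a plain link, which is the classic cross-site request forgery shape: the browser attaches the victim's session cookie to whatever URL it is sent to. As an added example, not code from the thread or from FA, here is what a hardened deletion handler looks like: it refuses GET for a state-changing action, requires a per-session synchronizer token, and checks ownership before deleting. The session store, journal table, route and form field names are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment keeps one persistent secret per server.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store: session id -> logged-in user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def csrf_token_for(session_id):
    """Synchronizer token derived from the session id, so a token harvested from one
    session is useless in another and nothing extra has to be stored server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class Request:
    """Minimal stand-in for an HTTP request: method, path, session cookie, form fields."""

    def __init__(self, method, path, session_id=None, form=None):
        self.method = method
        self.path = path
        self.session_id = session_id
        self.form = form or {}


def handle_delete_journal(req, journals):
    """Hypothetical hardened handler for journal deletion. Returns (status, message).
    journals maps journal id -> owning user and is mutated on success."""
    if req.method != "POST":
        return 405, "state-changing actions must be POSTed"
    user = SESSIONS.get(req.session_id)
    if user is None:
        return 401, "not logged in"
    expected = csrf_token_for(req.session_id)
    provided = req.form.get("csrf_token", "")
    # Constant-time comparison so the token check itself leaks nothing via timing.
    if not hmac.compare_digest(expected, provided):
        return 403, "missing or invalid csrf token"
    journal_id = req.form.get("journal_id")
    owner = journals.get(journal_id)
    if owner is None:
        return 404, "no such journal"
    if owner != user:
        return 403, "not your journal"
    del journals[journal_id]
    return 200, "journal %s deleted" % journal_id


def run_scenarios():
    """Replays four requests against a fresh journal table and returns the status codes
    plus what is left: a bare link (GET), a cross-site auto-submitted form with no token,
    a valid token aimed at someone else's journal, and finally the legitimate request."""
    journals = {"1001": "alice", "1002": "bob"}
    good_token = csrf_token_for("sess-alice")
    scenarios = [
        Request("GET", "/controls/journal/delete/1001", "sess-alice"),
        Request("POST", "/controls/journal/delete", "sess-alice", {"journal_id": "1001"}),
        Request("POST", "/controls/journal/delete", "sess-alice",
                {"journal_id": "1002", "csrf_token": good_token}),
        Request("POST", "/controls/journal/delete", "sess-alice",
                {"journal_id": "1001", "csrf_token": good_token}),
    ]
    statuses = [handle_delete_journal(r, journals)[0] for r in scenarios]
    return statuses, journals


if __name__ == "__main__":
    statuses, remaining = run_scenarios()
    print("statuses:", statuses)        # [405, 403, 403, 200]
    print("journals left:", remaining)  # {'1002': 'bob'}
```

The first three requests are exactly the shapes a "visit this link" or hidden auto-submitting form would produce, and none of them touch the table; only the request that carries the token the site itself rendered into the owner's form gets through.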
-
This is awesome.
Also, not surprised at all that there are more XSS exploits - it's all over the site because they never thought "Oh, hey someone could put malicious JavaScript code in their posts!" - shit, even Twitter has been hit by XSS but at least it's rare and fixed immediately. It was funny enough that the preview tags had it, the commission page had it; now even their own Trouble Ticket system has it.
Delicious incompetence. :)
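The fix for "someone could put malicious JavaScript code in their posts" is output encoding that matches the context the text lands in. As an added example, not code from the thread or from FA, the block below renders a comment (HTML text context) and a mouse-over style preview link (attribute and URL contexts) with escaping appropriate to each, and builds the session cookie header with the flags that limit what a script could do with it even if one did run. The sample inputs and the markup shape are constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed sample inputs: an abusive comment body and a username aimed at an attribute.
SAMPLE_COMMENT = ("visitor", "nice art <script>alert(1)</script>")
SAMPLE_USERNAME = 'someone" onmouseover="alert(1)'


def render_comment(author, body):
    """HTML *text* context: escape <, >, & and quotes so the input is displayed, not parsed."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (html.escape(author), html.escape(body))


def render_preview_link(username):
    """HTML *attribute* and *URL* contexts, as in a mouse-over preview: the href gets a
    percent-encoded path segment and the title gets attribute escaping (quote=True),
    so a quote in the name cannot close the attribute and start a new one."""
    href = "/user/" + quote(username, safe="")
    title = html.escape(username, quote=True)
    return '<a href="%s" title="%s">%s</a>' % (href, title, html.escape(username))


def session_cookie_header(session_id):
    """Defence in depth for the cookie-theft scenario discussed earlier: HttpOnly keeps the
    session cookie away from script, Secure keeps it off plain HTTP, SameSite=Lax stops
    most cross-site requests from carrying it."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % quote(session_id, safe="")


def looks_inert(rendered):
    """Sanity check for the demo: no raw <script tag and no unescaped event-handler attribute."""
    lowered = rendered.lower()
    return "<script" not in lowered and '" onmouseover=' not in lowered


if __name__ == "__main__":
    print(render_comment(*SAMPLE_COMMENT))
    print(render_preview_link(SAMPLE_USERNAME))
    print(session_cookie_header("abc123"))
```

The point of the two render functions is that there is no single "sanitize" call: the same username needs percent-encoding inside the href, entity-encoding with quotes inside the title, and plain entity-encoding as link text. Escaping once, for the wrong context, is how preview tags and ticket bodies end up executing script.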
-
This is awesome.
IT'S A CHRISTMAS MIRACLE.
I wonder how far whoever's doing this is willing to take it. Because frankly, at this point, they could probably get him fired from his job. Or rather, they could create enough trouble on FA that he'd get himself fired from his job for fucking around even more than usual on the clock.
-
Is anyone else puzzled as to why FA has not been temporarily taken down to stop this in the short term?
Or maybe at least go to the server and tell it to deny access from all but a few IPs so that the admins can work on it in isolation?
They managed to shut down FAF within maybe 30mins of it being compromised after all. Considering the time they've had to play on FA today, people are lucky that FA doesn't have an easy way to delete/purge accounts.
-
They managed to shut down FAF within maybe 30mins of it being compromised after all.
I hope a leak of the admin forums is the next thing to come out. They should have been able to grab a backup of the database if they got in vBulletin's AdminCP.
-
God damn Adam Wan is far more nasty than I ever imagined. Jesus christ he really is this close to being a sex offender.
-
(http://clanspum.net/~pi/rapeadvicefromdragoneer.png)
"if you talk about this, you risk your reputation".
It's like Dragoneer only cares about appearances!
-
My God.
The amount of hypocrisy on Dragoneer's part is absolutely mind-blowing.
-
Yet another piece of general "wat":
As an fyi on the Private Notes thing, all admins can see any private note they are directly linked to...we can't go crawling through people's inboxes or anything like that.
yes, hello
if you know anything about how computers work
you can turn this into "any person who has access to an administrator account can see any private note (ps this person is not necessarily an admin)"
-
I'm getting curious as to why they haven't rolled back the database. I mean, they have an entire server dedicated to backups, but have yet to use it. I thought for sure we'd see a rollback today because a lot of galleries were wiped, including Adam Wan's, who FA bent the rules for just so he could keep his precious comments and +favs when he blanked his gallery.
-
Well, they can't go read only (because it doesn't work). They can't go admin only (doesn't work). They don't know how to fix it yet because it took them a while to narrow down which problem it actually was.
They're dead in the water until they think they've got their duct tape in the right place. And this is assuming they can restore.
-
yes, hello
if you know anything about how computers work
you can turn this into "any person who has access to an administrator account can see any private note (ps this person is not necessarily an admin)"
Maybe what she said is technically true. Maybe the admin system doesn't allow for admins to crack open anyone's list of notes and read them, the site is poorly put together so that feature could be absent and I think this is likely. That said, Witchiebunny doesn't account for 'Any admin could change the password on your account, take it over and just read your notes by logging in as you'.
-
you can turn this into "any person who has access to an administrator account can see any private note (ps this person is not necessarily an admin)"
Maybe what she said is technically true. Maybe the admin system doesn't allow for admins to crack open anyone's list of notes and read them
Instead of coming up with a long-winded rebuttal, including a few lines about how stupid you are, I'm just going to post a link to a note: http://www.furaffinity.net/viewmessage/972564/
-
Instead of coming up with a long-winded rebuttal, including a few lines about how stupid you are, I'm just going to post a link to a note: http://www.furaffinity.net/viewmessage/972564/
Was that link supposed to work?
-
14:59 < yak[away]> I wanted the status update to be 'yes we were hacked. yes we have everything under control. we are currently figuring out the extent of the damage. so far we know that 41 people including admins had their notes leaked and some people had their galleries deleted; the latter we can restore. I will post more updates as we have them'
-
I downloaded the Gawker database and ran every FA admin's username, and if they listed it, email address through it. I got two results other than Pinkuh.
A possible match for Irreverent. They list no email address on their FA page, and the email doesn't seem to support a match.
Then there's Rhainor (http://www.furaffinity.net/user/rhainor), or Gawker user zachcoggin. Email addresses match. The irony here is his FA page says "Greetings. My name, as you can see, is Rhainor. No, it's not my Real name; I'm not about to give my Real name across an unsecured web site.", yet it seems he used his real name for his Gawker username.
Did you account for every FA admin's alternate username(s)? Running "Preyfar" through the aforementioned Slate widget (http://www.slate.com/id/2277768/) gives you: Your password was released, and it's been decrypted. You should change it ASAP. Hmm...
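The post above does by hand what is worth scripting: taking a leaked credential dump and checking a roster of privileged accounts against it by username, by alternate username, and by e-mail address, since a username-only search misses exactly the alternate handles the poster asks about. The following is an added example, not code from this thread, from the Gawker dump, or from Fur Affinity; the dump rows, roster entries, names and addresses are all constructed for illustration.

```python
"""
Added example (not code from the thread or from any real dump): checking a
staff roster against a leaked credential dump by username, alternate
username and e-mail. Dump lines, roster and names below are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed stand-in for a leaked dump exported as CSV.
LEAKED_DUMP = """\
username,email,password_hash
paintedpaws,paws@example.org,aa1b2c
Sparrow_Admin,SPARROW@Example.net,bb3d4e
randomreader,reader@example.com,cc5f6a
nightowl22,owl@example.org,dd7b8c
"""


def normalize(value):
    """Case-fold and trim so 'Sparrow_Admin' and 'sparrow_admin' compare equal."""
    return value.strip().casefold()


def index_dump(dump_text):
    """Build lookup tables keyed by normalized username and normalized e-mail."""
    by_user, by_email = defaultdict(list), defaultdict(list)
    for row in csv.DictReader(io.StringIO(dump_text)):
        if row.get("username"):
            by_user[normalize(row["username"])].append(row)
        if row.get("email"):
            by_email[normalize(row["email"])].append(row)
    return by_user, by_email


def find_exposed_staff(roster, dump_text):
    """
    roster: list of {"account": str, "aliases": [str, ...], "email": str or None}
    Returns one record per hit: which staff account, which identifier matched,
    and whether the match was on username or on e-mail.
    """
    by_user, by_email = index_dump(dump_text)
    hits = []
    for member in roster:
        # The primary account name plus every alternate handle the member uses.
        for name in [member["account"]] + list(member.get("aliases", [])):
            for row in by_user.get(normalize(name), []):
                hits.append({"account": member["account"], "matched": name,
                             "field": "username", "dump_email": row["email"]})
        email = member.get("email")
        if email:
            for row in by_email.get(normalize(email), []):
                hits.append({"account": member["account"], "matched": email,
                             "field": "email", "dump_username": row["username"]})
    return hits


# Constructed roster: account, alternate handles, and e-mail if the member lists one.
STAFF_ROSTER = [
    {"account": "sparrow", "aliases": ["Sparrow_Admin"], "email": "sparrow@example.net"},
    {"account": "nightowl", "aliases": [], "email": None},
    {"account": "quietfox", "aliases": ["nightowl22"], "email": "fox@example.org"},
]

if __name__ == "__main__":
    for hit in find_exposed_staff(STAFF_ROSTER, LEAKED_DUMP):
        print(hit)
```

Two things the example makes visible: "nightowl" gets no hit even though "nightowl22" is in the dump (a substring search would have produced a false positive), and "quietfox" is only caught through its alias. An e-mail match is the stronger signal, because usernames collide across sites while addresses rarely do. A hit proves the credential was exposed, not that the same password is in use elsewhere; the operational response is still a forced reset for every matched account.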
-
Did you account for every FA admin's alternate username(s)? Running "Preyfar" through the aforementioned Slate widget (http://www.slate.com/id/2277768/) gives you: Your password was released, and it's been decrypted. You should change it ASAP. Hmm...
(http://img259.imageshack.us/img259/692/preyfardatabase2.png)
gg Sean. What a secure password.
-
But it isn't Princess Piche's fault. He's only human after all.
-
But it isn't Princess Piche's fault. He's only human after all.
He's still way out of his league (http://www.youtube.com/watch?v=w_er72QbMpk).
-
IT'S HAPPENING AGAIN.
-
They sure do have some important (http://clanspum.net/~pi/86379-What-The-Hell-Happened-to-Ben.htm) things (http://clanspum.net/~pi/88909-Lando-s-Alvin-amp-Chipmunks-mature-material.htm) to talk about in the admin treehouse forums.
-
(http://img405.imageshack.us/img405/7168/ddosm.png)
-
Yes it really stopped the attack. That's why the site is working fine right now.
Oh, wait. ::) No it's not.
-
Yes it really stopped the attack. That's why the site is working fine right now.
Oh, wait. ::) No it's not.
Supposedly part of the problem is someone on Lulz reminded everyone of http://www.furaffinity.net/browse/999.
Gee, their inefficient coding is now being used for a DDoS attack, who would have thought.
-
So they've been under a supposed DDoS attack for a few hours... Loading it directly doesn't work, but going to its IP (http://70.33.186.210) half works (ever since the facdn.net split that site never loads images). Their data server (the Dell with 64GB of RAM) seems to be the one being raped, as it takes forever to load images whose addresses I have saved.
Yes, that's right, they're being DDoSed and the servers are still up. The dataserver even has a RAC! They can shut it off remotely! SHUT IT DOWN ALREADY.
-
If the site goes down entirely people notice and ask what happened.
If it doesn't then a ton of users have no idea anything's been going on.
-
The issue has been escalated (whatever that means), soldiers in the furry army are at the push of pike and the FBI are readying the cuffs:
(http://i54.tinypic.com/2cxb04m.jpg)
No admin notice on the site of course.
-
Rodox_video nailed it in the other thread: the FBI does not care that the alpha dorks of a cartoon porno site were actually proven to be massively incompetent and douchey. You know, as opposed to it just being sort of a rumor.
I'm sure he filled out that same form that 4chan fills out on fbi.gov whenever there's a raid. GOOD LUCK WITH THAT.
OH and what's this, he still has that same cellphone? Aren't you due to buy a new gadget yet, Sean Piche? You don't want to lose your "materialistic whore" status, do you?
-
"Hello, this is 911, state your emergency."
"Help! Police! Someone has leaked the personal info of rapists, pedophiles and dogfuckers from my cartoon porn website!"
"HA HA VERY FUNNY! WHAT ARE YOU GONNA SAY NEXT, MY REFRIGERATOR IS RUNNING!?" click
":'("
-
Hello, everyone. Just wanted to say hello and that I really love the info I have gotten from Vivisector. Quite a nice site.
Anyway, I noticed Dragoneer pulled the journals about what happened with the site and Zaush. You know, the revised ones he made about 48 hours ago? What a fucking moron. Speaking of Zaush, I found something on Wolfyboy16's (Conner Hemming, some notorious FA ban evader) Twitter. He links to some .rar link about some Zaush-related stuff of Dragoneer's. I don't know what's on it. I'm not tech-savvy and don't know how to download it without getting viruses. Figured maybe one of you folks can find some use for it. http://www.mediafire.com/?3998a7zhqdrhcxy
-
Hello, everyone. Just wanted to say hello and that I really love the info I have gotten from Vivisector. Quite a nice site.
Anyway, I noticed Dragoneer pulled the journals about what happened with the site and Zaush. You know, the revised ones he made about 48 hours ago? What a fucking moron. Speaking of Zaush, I found something on Wolfyboy16's (Conner Hemming, some notorious FA ban evader) Twitter. He links to some .rar link about some Zaush-related stuff of Dragoneer's. I don't know what's on it. I'm not tech-savvy and don't know how to download it without getting viruses. Figured maybe one of you folks can find some use for it. http://www.mediafire.com/?3998a7zhqdrhcxy
Considering the filename, it's most likely just Dragoneer's deleted journal about "The Event".
-
Perhaps. Maybe Dragoneer said something in his journal or someone else revealed some info that prompted him to delete, and none of us saw it between the remark and time of deletion.
-
Perhaps. Maybe Dragoneer said something in his journal or someone else revealed some info that prompted him to delete, and none of us saw it between the remark and time of deletion.
Verix anokorok posted XSS using the URL code into that journal. They then disabled BBcode and deleted the journal. That's probably why.
Edit: I can't fucking read.
-
Perhaps. Maybe Dragoneer said something in his journal or someone else revealed some info that prompted him to delete, and none of us saw it between the remark and time of deletion.
Verix posted XSS using the URL code into that journal. They then disabled BBcode and deleted the journal. That's probably why.
I'm sorry, I don't know what all that means. I'm good with drama, not technical stuff. Sounds like Verix was being a jerk (not like I blame him) Why was he not banned?
Also, I see my username wasn't deemed creative enough. I rather liked it. Ehh, well.
-
I'm sorry, I don't know what all that means. I'm good with drama, not technical stuff. Sounds like Verix was being a jerk (not like I blame him) Why was he not banned?
Also, I see my username wasn't deemed creative enough. I rather liked it. Ehh, well.
Cross-site scripting.
And actually I was wrong, it wasn't Verix. It was someone else and they were banned. My bad.
-
And actually I was wrong, it wasn't Verix. It was someone else and they were banned. My bad.
Ahh, I see. No worries, we all make mistakes (especially me). At least Eevee has some company now. I wonder what the chances are a hacker will break in once again within the next few days and cause another shitstorm. By all I have read here and elsewhere, FA's coders are few in number and horrible in quality, and Eevee could do some extreme damage if he wanted to. I'm honestly surprised this hasn't happened before now.
-
Funny thing is, Eevee didn't do anything that was all that bad. Inconvenient, sure. Malicious? Very slightly.
They banned him anyway, because exploiting security issues is something that only the evil trolls do.
-
Funny thing is, Eevee didn't do anything that was all that bad. Inconvenient, sure. Malicious? Very slightly.
They banned him anyway, because exploiting security issues is something that only the evil trolls do.
Yeah, he had comments randomly 'hidden by the administration' and forced the fuckwits to do something about it. They should have thanked him for not, you know, doing what happened lately and just sticking to randomly hiding remarks, rather than ban him. Well, it's to be expected from Princess Piche, though.
-
I did something designed to be fixable and reversible within a matter of minutes. :T Alas the one moderately competent person on staff was asleep at the time.
The XSS thing was just "javascript:alert('Hi!')", as far as I know. It didn't do any damage whatsoever; it was just a proof of concept. Not sure why that's deserving of a ban. Maybe I missed something.
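The payload named above, a `javascript:` URL dropped into a BBCode [url] tag, only works because the renderer copies the tag's argument straight into an href. Here is an added example, not Fur Affinity's own renderer (which this page does not show) and not anything posted by the people in the thread, of a minimal [url] renderer in its vulnerable and hardened forms. The tag regex, the allowed-scheme list and the sample inputs are assumptions made for the example; it also shows, beyond the exact payload above, the tab-in-scheme and attribute-breakout variants of the same bug.

```python
"""
Added example, not Fur Affinity's code: a minimal BBCode [url] renderer in
its vulnerable and hardened forms. Tag syntax and inputs are assumptions.
"""
import html
import re
from urllib.parse import urlsplit

URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL | re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}
# Browsers drop ASCII control characters and whitespace when reading a URL's
# scheme, so "java\tscript:" still executes; strip them before deciding.
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def render_url_tags_unsafe(text):
    """Vulnerable: whatever sits in [url=...] becomes the href, untouched."""
    return URL_TAG.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', text)


def sanitize_href(raw):
    """Return a cleaned absolute http(s) URL, or None if the link must be dropped."""
    cleaned = CONTROL_CHARS.sub("", raw)
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # javascript:, data:, vbscript:, protocol-relative and relative URLs
    return cleaned


def render_url_tags_safe(text):
    """Hardened: scheme allow-list on the href, HTML-escaping of everything else."""
    out, pos = [], 0
    for m in URL_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        href = sanitize_href(m.group(1))
        label = html.escape(m.group(2))
        if href is None:
            out.append(label)  # keep the visible text, drop the link
        else:
            # quote=True turns '"' into &quot; so the href cannot grow new attributes.
            out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow">{label}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


SAMPLES = [  # constructed inputs
    "[url=javascript:alert('Hi!')]click[/url]",
    "[url=JaVa\tScRiPt:alert(1)]click[/url]",
    "[url=https://example.com/a?b=1&c=2]docs[/url]",
    "[url=//evil.example/]protocol-relative[/url]",
    '[url=https://example.com/" onmouseover="alert(1)]x[/url]',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("unsafe:", render_url_tags_unsafe(sample))
        print("safe:  ", render_url_tags_safe(sample))
```

The allow-list is the important half: a deny-list of `javascript:` misses `data:` and the control-character variants, while "scheme must be http or https and a host must be present" rejects all of them at once. Escaping with `quote=True` is the other half; without it the last sample breaks out of the href attribute even though its scheme is fine. Stripping whitespace from the href does alter a URL with a literal space in it, which should have been percent-encoded anyway.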
-
Yeah, he had comments randomly 'hidden by the administration' and forced the fuckwits to do something about it. They should have thanked him for not, you know, doing what happened lately and just sticking to randomly hiding remarks, rather than ban him. Well, it's to be expected from Princess Piche, though.
They didn't really listen to him, they got rid of him and swept it all under the rug. Now they have this much more serious problem... and they are probably just looking into a new, bigger rug to sweep it all under again. What a bunch of idiots. Laziness is one thing, but they didn't even seem to think this would happen. Pure incompetence.
This has been very entertaining! I wonder what will happen next?
-
This has been very entertaining! I wonder what will happen next?
Nothing. They'll patch the holes (heh), if they even know what the holes are, considering the story keeps switching from the Gawker PW leak, to XSS vulnerabilities in the trouble ticket system, to e-mail issues. Then they won't listen and this will happen all over again. Considering it's now officially been proven that something like this can happen to the site, someone else is going to keep prodding at the site until they break it again. I mean, Eevee posted a large list of issues he knows about the site, with things as serious as "An attacker can trick an admin into exercising any administrative powers." and "CSRF session hijacking" and they've still not even asked him about the majority of the list. Why? Probably because he "can't be trusted" and "killed Ferrox".
Okay, fine, whatever, then why are you refusing help from other people? People sending fucking resumes, people willing to sit down and explain this shit in detail to you. What is the obsession with needing to go "LOOK MOM I DID IT BY ALL MYSELF!"? Holy smell.
I could bitch about this all day. Point is nothing will initially happen, things will get quiet, and it'll inevitably happen again, most likely at a bigger magnitude.
It's no longer a question of if, it's now a question of when.
-
It's no longer a question of if, it's now a question of when.
It was always a question of when, they just ignored the obvious.
You're probably right. They are going to place a bunch of buckets under the leaks and pretend the roof is all fixed, then it will happen again. Right now though, I'm referring to what will happen next in regards to social responses. To some, their credibility is blown to shit, but probably the vast majority will stick by them out of stupidity or just have no idea anything happened at all. Still.. I anticipate something interesting popping up that our assumptions won't have covered.
-
This has been very entertaining! I wonder what will happen next?
Very entertaining to me, too! Maybe in his notes we'll find Dragoneer is a zoophile or a pedophile. I do know from one of the notes he rejected a bribe by a minor who was age locked not with moral outrage or a ban, but by the assertion the code was so broken he didn't know how (which is very believable, but, still). God only knows what gems are still hidden in the admins' notes.
-
Right now though, I'm referring to what will happen next in regards to social responses. To some, their credibility is blown to shit, but probably the vast majority will stick by them out of stupidity or just have no idea anything happened at all. Still.. I anticipate something interesting popping up that our assumptions won't have covered.
It's pretty much exactly what you said. Some no longer have any trust, some don't fucking care, some have no idea of what happened and when they do know what happened, they probably won't care as well.
-
This has been very entertaining! I wonder what will happen next?
Very entertaining to me, too! Maybe in his notes we'll find Dragoneer is a zoophile or a pedophile. I do know from one of the notes he rejected a bribe by a minor who was age locked not with moral outrage or a ban, but by the assertion the code was so broken he didn't know how (which is very believable, but, still). God only knows what gems are still hidden in the admins' notes.
I found this:
(http://img204.imageshack.us/img204/2420/20101219205626.png)
I don't know, for someone who could lose his job over being in Furry, he sure does put himself out there quite a bit.
The "studying to be a Journalist" bit also explains how he can spin any story and make him/FA look like the winner
-
I found this:
(http://img204.imageshack.us/img204/2420/20101219205626.png)
I don't know, for someone who could lose his job over being in Furry, he sure does put himself out there quite a bit.
The "studying to be a Journalist" bit also explains how he can spin any story and make him/FA look like the winner
I bet he won't want to be dealing with the media if they ever covered these debacles.
It's pretty much exactly what you said. Some no longer have any trust, some don't fucking care, some have no idea of what happened and when they do know what happened, they probably won't care as well.
Yeah, it's what you said. This will only benefit the rival porn sites, though. Some furries actually care about reputation and security.
-
The "studying to be a Journalist" bit also explains how he can spin any story and make him/FA look like the winner
Something tells me his educational past rivals that of Sarah Palin in terms of dropping out/transfers/changing majors/etc. If he even has a degree, he probably took 8 years and six colleges to get a BA in communications. I exaggerate, but you get the idea.
Wth is "the Globo TV media"? Apparently there's few links in journo departments to the English department anymore.
-
This will only benefit the rival porn sites, though.
It does concern me that it will come out that some rival porn slinger was somehow behind this. Verix made reference to developing his own site...while it would absolutely be par for the course in furrydom, it would sort of be depressing. I'd prefer this person remain nameless and faceless, it's better that way since the furries have no one to scapegoat that way. That makes it hard for them to rationalize the whole thing. They start rationalizing--no more chance for introspection. Not that there ever was; the headless-chicken effect is amusing for now, though.
-
FURRY WILL EAT ITSELF
Seriously I'm more than happy to sit back here and watch the whole thing collapse in on itself. But it'll keep going; A.F.F. has been predicting the end of furry for 20 years now.
-
It does concern me that it will come out that some rival porn slinger was somehow behind this. Verix made reference to developing his own site...while it would absolutely be par for the course in furrydom, it would sort of be depressing. I'd prefer this person remain nameless and faceless, it's better that way since the furries have no one to scapegoat that way. That makes it hard for them to rationalize the whole thing. They start rationalizing--no more chance for introspection. Not that there ever was; the headless-chicken effect is amusing for now, though.
You think someone like Jery or Toumal or Varka was behind this, or are you referring to some small fry few furs have heard about?
-
You think someone like Jery or Toumal or Varka was behind this, or are you referring to some small fry few furs have heard about?
I have absolutely no reason to think that. It worries me though that whoever did it did it for personal gain, i.e. killing the competition, either for a current or future site. I don't know of any names; I don't really care about any of the names.
Whores, all of them.
-
Something tells me his educational past rivals that of Sarah Palin in terms of dropping out/transfers/changing majors/etc. If he even has a degree, he probably took 8 years and six colleges to get a BA in communications. I exaggerate, but you get the idea.
Wth is "the Globo TV media"? Apparently there's few links in journo departments to the English department anymore.
First he was in school to be a Journalist.
Then he became an Animator.
Then he graduated, got a job as an animator, and ragequit when he didn't advance fast enough.
Then he got into IT.
Perhaps they were talking about Globo (http://en.wikipedia.org/wiki/Rede_Globo), the Brazilian TV network? Or maybe they misspelled Global, from Canada.
Either way, at least he has enough brains to realize locking the media out of your convention is a surefire way to get a guaranteed "The freaks are in town" story.
-
I found this:
(http://img204.imageshack.us/img204/2420/20101219205626.png)
I don't know, for someone who could lose his job over being in Furry, he sure does put himself out there quite a bit.
The "studying to be a Journalist" bit also explains how he can spin any story and make him/FA look like the winner
Oh, hey, CraftyAndy. He's been leaving some really awful comments defending dogfucking in my LJ post about this debacle, something about dogs enjoying orgasms or something? Also a delicious smattering of misogyny. This would make sense, if he was GOOD BUDZ with dragoneer and all.
-
Whatever their ISP did on the router level was hit-or-miss at best; it seems like maybe 60-70% of the time you could not establish a connection to the site. Hit Enter again on your URL bar and it would likely work.
However, it's slowly getting worse. I have 100% no idea about how DDoS is mitigated, so I have no clues why that might be.
-
Whatever their ISP did on the router level was hit-or-miss at best; it seems like maybe 60-70% of the time you could not establish a connection to the site. Hit Enter again on your URL bar and it would likely work.
However, it's slowly getting worse. I have 100% no idea about how DDoS is mitigated, so I have no clues why that might be.
From what I saw it didn't work at all. The DDoS continued after that for a few hours before the people doing it quit. I doubt InfoRelay did anything since they offer DDoS protection for $500 a month (http://inforelay.com/protection.php). Way out of FA's price range.
-
Well, DDoS is pretty shitty. "woo boy i can sling packets!!"
Of course, during a DDoS would be kind of a great time to take the site down and let someone who knows what they're doing give the code a good once-over.
Instead, we get twitter updates saying "We did fix it. The hole was closed day one. The other issues were more complex, but were likewise closed."
-
Someone on FD2 asked what I would do, were I the owner. In the interest of preserving this somewhere not locked behind moderated membership:
Shut the thing down, all hands on deck, audit the fuck out of it. Restore forums as soon as possible so users have somewhere to go.
Reset all admin passwords. Remove privileges of anyone on staff who uses a stupid or shared password again, permanently. Add a second authentication layer for admin actions, like client certs. Disallow using admin powers against other admins. Restrict super-admin abilities (like viewing full note history) to my IP address. Implement soft deletion for artwork. Implement flashing red warning lights for highly unusual activity, like staff logins or sessions from new IPs.
Then, and only then, bring it back up. Apologize profusely, explain the problem, explain the fix, explain the steps taken to prevent anything similar from happening in the future. Drink heavily.
-
Someone on FD2 asked what I would do, were I the owner. In the interest of preserving this somewhere not locked behind moderated membership:
Shut the thing down, all hands on deck, audit the fuck out of it. Restore forums as soon as possible so users have somewhere to go.
Reset all admin passwords. Remove privileges of anyone on staff who uses a stupid or shared password again, permanently. Add a second authentication layer for admin actions, like client certs. Disallow using admin powers against other admins. Restrict super-admin abilities (like viewing full note history) to my IP address. Implement soft deletion for artwork. Implement flashing red warning lights for highly unusual activity, like staff logins or sessions from new IPs.
Then, and only then, bring it back up. Apologize profusely, explain the problem, explain the fix, explain the steps taken to prevent anything similar from happening in the future. Drink heavily.
I would force them to associate staff emails with their accounts. No more Gmail, no more Yahoo/MSN/etc. Admins/mods use @furaffinity.net and that's it. That way I can control how strong their email password is, force password resets, and disable the ability to allow anyone to reset the password.
I'd also probably remove the ability for admin accounts to have passwords automatically reset as well. Oh, and the usual "you get 5 login attempts before 15 minute lockout/captcha" for everyone else.
The best thing about the "shutdown" thing right now: It wouldn't drive away users. Inkbunny is down and SoFurry just doesn't seem that popular. It's practically guaranteed that everyone would come back, but it would mean sacrificing those uptime numbers that show how good of a website admin you are, apparently.
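Two of the controls proposed in the posts above are mechanical enough to show in code: the "5 login attempts before a 15 minute lockout" rule, and the "flashing red warning lights" for a staff login from an IP address not seen before. The following is an added example, not code from the thread or from Fur Affinity; the account names, IP addresses, the PBKDF2 password storage and the in-memory state are assumptions made for the example (a real deployment would keep the counters and known-IP sets in shared storage so every web node sees them).

```python
"""
Added example (not code from the thread or from Fur Affinity): a login guard
with per-account lockout after repeated failures and an alert whenever a
staff account logs in from an IP address that has not been seen before.
Accounts, IPs and timings are constructed for the example.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5            # failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60   # lockout length


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGuard:
    def __init__(self, credentials, staff, known_staff_ips=None, clock=time.monotonic):
        # credentials: {username: (salt, digest)}; staff: usernames with admin powers
        self.credentials = credentials
        self.staff = set(staff)
        self.known_ips = defaultdict(set, {u: set(v) for u, v in (known_staff_ips or {}).items()})
        self.clock = clock                   # injectable so lockout expiry can be tested
        self.failures = defaultdict(int)     # consecutive failures per account
        self.locked_until = {}               # username -> clock value when lockout ends
        self.alerts = []                     # (username, ip) for staff logins from unseen IPs

    def _verify(self, username, password):
        record = self.credentials.get(username)
        if record is None:
            # Hash anyway so an unknown username costs as much as a wrong password.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        return hmac.compare_digest(hash_password(password, salt)[1], expected)

    def attempt(self, username, password, ip):
        """Returns 'ok', 'denied' or 'locked'. Lockout is keyed by account."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        if not self._verify(username, password):
            self.failures[username] += 1
            if self.failures[username] >= MAX_FAILURES:
                self.locked_until[username] = now + LOCKOUT_SECONDS
                self.failures[username] = 0
                return "locked"
            return "denied"
        self.failures[username] = 0
        if username in self.staff and ip not in self.known_ips[username]:
            # The "red warning light": a privileged session from somewhere new.
            self.alerts.append((username, ip))
            self.known_ips[username].add(ip)
        return "ok"


if __name__ == "__main__":
    creds = {"admin": hash_password("correct horse"), "user": hash_password("pw")}
    guard = LoginGuard(creds, staff={"admin"}, known_staff_ips={"admin": {"203.0.113.5"}})
    print(guard.attempt("admin", "correct horse", "198.51.100.9"), guard.alerts)
    for _ in range(MAX_FAILURES):
        print(guard.attempt("user", "wrong", "192.0.2.1"))
```

One caveat that the thread's "lockout/captcha" wording hints at: a lockout keyed by account name lets anyone lock a staff member out by sending five bad passwords, which during an incident is itself an attack. Counting failures per source IP as well, or answering repeated failures with a CAPTCHA before a hard lock, keeps the throttle without handing out that denial of service.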
-
Not even saying that it's a DDOS or giving any further information:
(http://i53.tinypic.com/2vj5uli.jpg)
"core issues" in this case is PR speak if ever I heard it.
-
THIS gets an admin notice, but not "we were just hacked twice"?
What the fuck is WRONG with these people?
-
The best thing about the "shutdown" thing right now: It wouldn't drive away users. Inkbunny is down and SoFurry just doesn't seem that popular. It's practically guaranteed that everyone would come back, but it would mean sacrificing those uptime numbers that show how good of a website admin you are, apparently.
Yeah, I noticed IB has had a very lengthy downtime. It seems like it was because of a pre-existing issue having nothing to do with FA's debacle, but the timing is pretty bad.
-
A freshly minted 'neer comment:
Seriously. What happened to us could easily have happened to /any/ other site. Maybe the damage may not have been as severe, but... one slip in coding, a simple problem...
It's unfortunate.
(made about 15 minutes ago @ time of posting)
http://www.furaffinity.net/journal/1954308/#cid:16250550
-
I suppose I should document my brilliant reply for when he later deletes it:
You have been having these "slips in coding" and "simple problems" for how long? How many people have tried to tell you about them? How long have you ignored/banned/shunned these people?
It's unfortunate.
-
Seriously. What happened to us could easily have happened to /any/ other site. Maybe the damage may not have been as severe, but... one slip in coding, a simple problem...
It's unfortunate.
So he's admitting the damage was worse on his site because it happened on his site? Wow. I wonder if he's drunk. I wouldn't blame him if he was at this point, frankly.
I suppose I should document my brilliant reply for when he later deletes it:
You have been having these "slips in coding" and "simple problems" for how long? How many people have tried to tell you about them? How long have you ignored/banned/shunned these people?
It's unfortunate.
That's not brilliant. That's common sense.
-
The best thing about the "shutdown" thing right now: It wouldn't drive away users. Inkbunny is down and SoFurry just doesn't seem that popular. It's practically guaranteed that everyone would come back, but it would mean sacrificing those uptime numbers that show how good of a website admin you are, apparently.
Yeah, I noticed IB has had a very lengthy downtime. It seems like it was because of a pre-existing issue having nothing to do with FA's debacle, but the timing is pretty bad.
There's been a few rumors that they've extended their downtime to do a complete security review of the code before coming back online.
You know, like competent people do.
So he's admitting the damage was worse on his site because it happened on his site? Wow. I wonder if he's drunk. I wouldn't blame him if he was at this point, frankly.
Remember, this guy thinks people hate him just because he's an admin and does admin things. He has a severe persecution complex (see http://lists.claws-and-paws.com/pipermail/pa-furry/2003-November/005695.html).
-
That's not brilliant. That's common sense.
We're talking about FA here. Common sense is brilliance over there.
And now time for humor hour:
(http://img269.imageshack.us/img269/4755/everyoneonfa.png) (http://www.furaffinity.net/journal/1954737/#cid:16249256)
-
There's been a few rumors that they've extended their downtime to do a complete security review of the code before coming back online.
You know, like competent people do.
Yeah, that's a good point. Say what you will about cub porn enthusiasts, but, Jery and his staff I trust 10x more. They seem to know what the fuck they should do.
Remember, this guy thinks people hate him just because he's an admin and does admin things. He has a severe persecution complex (see http://lists.claws-and-paws.com/pipermail/pa-furry/2003-November/005695.html).
That was 7 years ago. As much as I hate the asshole, 7 years ago I was very immature compared to how I am now. Plus, he might really have been very slighted and insulted, and I would not have reacted to that well. Though, I have also heard he is insufferable to be around IRL.
-
That was 7 years ago. As much as I hate the asshole, 7 years ago I was very immature compared to how I am now. Plus, he might really have been very slighted and insulted, and I would not have reacted to that well. Though, I have also heard he is insufferable to be around IRL.
You'd be surprised how immature and spoiled some furries are; I know for sure I was an immature shit even like 5 years ago, and some people I've known for that long still behave the same as they do now.
So anyone willing to take bets that FA gets hacked a third time?
-
That was 7 years ago. As much as I hate the asshole, 7 years ago I was very immature compared to how I am now. Plus, he might really have been very slighted and insulted, and I would not have reacted to that well. Though, I have also heard he is insufferable to be around IRL.
You'd be surprised how immature and spoiled some furries are; I know for sure I was an immature shit even like 5 years ago, and some people I've known for that long still behave the same as they do now.
So anyone willing to take bets that FA gets hacked a third time?
Bets, I can't say. I mean, he should have been hacked 3 years ago. But, ability? Fuck, yes, he cannot fix this with his incompetent staff. Seeing as, according to Witchie, they just WATCHED the hacker for a while... Am I the only one hoping for a 3rd hacking and more info being leaked?
-
Seeing as I work for a prominent North American provider of enterprise-class hosting solutions these days, I get to witness (and, subsequently, mitigate) a lot of similar attacks through the course of my workday. It provides me endless hours of amusement by way of scouring logs and hacking up Juniper and Brocade/Foundry configuration information as appropriate.
Do you know what our normal course of resolution tends to be for a site that is defaced or compromised? Take it offline, notify the customer of the intrusion with a promise to bring the site back up ASAFP pending a security audit, offer further assistance if the customer requires it.
The only problem is that there's generally no way to monitor a lot of this directly and automatically unless the site is outright defaced, so we typically rely on customers telling us what's up...
-
It is interesting that Dragoneer is claiming in his tweets that IR did something about the DDoS yet either in this or the other thread Conan found they offered DDoS protection services for $500/month...
-
It is interesting that Dragoneer is claiming in his tweets that IR did something about the DDoS yet either in this or the other thread Conan found they offered DDoS protection services for $500/month...
IR probably did the least amount of work necessary to ensure their core network didn't cross a certain utilization threshold. That's typically what our upstreams all do in the face of a DDoS attack.
-
> ... wwwwooooooooooooooooowwwwwwwwwwwwwwww Why is anyone buying a single word that is coming out of your mouth? Tell me one good reason why I should believe that you missed info that was out there (and in places you frequent, no less) from day one? Nobody believed you when you claimed to have simply missed half of the damn Wan message. You think anyone's going to believe you here? On this? You think I'm going to believe you? You think Clayton's going to believe you? Do you have any idea how unbelievably hard it is to get an animal abuse case prosecuted? To get a bestiality case prosecuted? I always suspected that you never gave a flying fucking shit, that the only thing that mattered to Sean Piche was Sean Piche. And now we all have proof.
Their reply was:
Fine. I'm done sharing with FD2.
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"
-
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"
It would be swell if at one point he could share this with some of us FA users who, you know, don't post or look at closed friendslocked splurty drama communities. Because, you know.
-
(http://www.foxidlabs.net/~fixod/images/fadowntime.png)
-
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"
It would be swell if at one point he could share this with some of us FA users who, you know, don't post or look at closed friendslocked splurty drama communities. Because, you know.
You could let (http://murasadramon.livejournal.com) him (http://twitter.com/dragoneer) know (http://www.furaffinity.net/user/dragoneer/) that you'd like to hear actual information, but I'm not sure how fruitful posting to any of these is going to be. He'll just ignore it.
-
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"
It would be swell if at one point he could share this with some of us FA users who, you know, don't post or look at closed friendslocked splurty drama communities. Because, you know.
He keeps insisting there'll be a public post about it today. This should be interesting.
And I don't understand why they keep that community friends locked. I think it was to keep people from harassing posted folk over at FA but that is still done constantly by the fd2 members and they're never fucking kicked out.
Shit, at least open it up to new members. GOTTA KEEP OUR FURRY DRAMAS A SECRET
-
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"
Good news, everyone! WYS Forums are coming back soon! Of course, after they went down he claimed he was "done" with WYS. Can't wait to see what happens. I'm sure Silver will keep the meanies away from him.
-
Silver has claimed that WYS 2.0 will have no drama component to it. However, considering his recent incident of using faggot in a derogatory way on furrydrama_2, and the huge shitstorm that was created, I think I can tell that he's going to end up being a pretty bad leader, intentional drama or not.
But anyway, I'm kind of skeptical there will be any official announcement from Dragoneer and Co. As it is, most of the FA community actually is not mad about this whole thing, and many have simply shrugged at this whole massively compromising incident, and gone about their lives. Neer has always said that "If you just wait a week or two, it'll all blow over", and unfortunately, this appears to be true. Furries do not care whether or not it is morally corrupt to support a website that has done nothing to get to the point where it is today-- they just want their furry porn, and they don't want to jump through any additional hoops to get it.
Right now, Dragoneer has no reason to post an official explanation. The only people demanding it were the fd2 crowd, and considering he's apparently "done" with them, I can guarantee there will be no explanation, as it does not actually benefit him to do so. Unless a huge movement is made out of all this, FA really will be on top for several more years, until it finally does close down.
-
Yep, anyone hoping for any kind of meaningful change at this point is likely going to be disappointed. People are already saying they "don't care" about it anymore, which is furry-speak for "don't make me question my assumptions and allegiances".
Silver has claimed that WYS 2.0 will have no drama component to it. However, considering his recent incident of using faggot in a derogatory way on furrydrama_2, and the huge shitstorm that was created, I think I can tell that he's going to end up being a pretty bad leader, intentional drama or not
Right. See, thing is that just like Dragoneer is nothing without FA, Silver is nothing without WYS or some other sort of vigilante operation. It is his one trick the fandom cares about. If WYS doesn't come back soon he's gonna be forgotten. And WYS without "drama" (whatever that means) is not WYS. No one cares about yet another furry forum.
He probably knows this too.
-
Right now, Dragoneer has no reason to post an official explanation. The only people demanding it were the fd2 crowd, and considering he's apparently "done" with them, I can guarantee there will be no explanation, as it does not actually benefit him to do so. Unless a huge movement is made out of all this, FA really will be on top for several more years, until it finally does close down.
Yep. It's pretty much already blown over. FD2 doesn't even want to hear about it anymore, even when now there is evidence that they could have stopped this whole fucking thing. They simply don't care, nobody cares. The only people who do care have common sense and that is just very scary to the administration.
I'm not a programmer, I don't know any coding, and I've never hosted my own website but even I know that this is not how you handle the security of your website. You don't need experience to know this shit, you don't even have to be a fucking genius to know this shit. This is common sense.
-
Issues surrounding Zaush and his predatory behaviour will persist, I think. If he quits FA, there will be dispute and bad-feelings from those sad/mad to see him go and if he returns (i.e re-establishes his presence, which has been severely diminished by the gallery deletion) there will be dispute, disgust and bad-feelings surrounding his presence on the site. Given that he has over 25,000 watchers, the bad feelings, dispute and disgust will have a large path into the community of people who use FA (and the wider furry community).
I think there will be a large appetite for the leaked notes & over the coming weeks and months a lot of people will seek them out (if they haven't done so already). Those notes are going to float around for years to come and I think they will remind many people that this happened. (When I say "many" people, I'm not necessarily saying it will be enough to make a difference).
I think the damage this whole thing does, will mostly be felt in terms of a long term erosion of trust in Dragoneer/FA, which may diminish his ability to simply tough things out and bluster through. I certainly think any "incidents" which come on the heels of this, even if minor, will be all the more damaging and amplified by it. But we'll have to see how it all pans out and if it's enough to get people using other sites more.
Incidentally, I would love to hear more about that furrymuck master logs leak that was mentioned earlier, if anyone knows about it. It would be interesting if the log was actually floating around out there somewhere.
-
Thought also occurs to me, that despite what some might say about people being so swift to criticize and so forth, I suspect many people who are dissatisfied or disquieted with 'neer and FA are going to be reticent to speak out about for fear of being banned or involved in arguments and dispute. Some who do speak out will have their shouts, comments and journals censored/deleted and most will be ignored or brushed off. It's the people who blindly defend Dragoneer & Co that are going to be the most visible and vocal at this time. Furthermore, maybe some people who might change their minds later will circle the wagons now, when they're afraid FA might vanish (for all they know).
If people stop using the FA notes system, that's one less thing to tie them to the site and something that isn't immediately visible since notes and e-mails etc are private (till they're leaked!). So again, I think it's only in the longer term that we'll see how many people are aware of this and what lasting effect it has. In the short term, as people have said, I think Dragoneer is going to just brush this off.
Edit:
you know, I sometimes look at the actions page here (it shows what threads are currently being looked at), and threads from 2007, 08 and 09 seem to quite regularly be looked at. The threads on here about this incident will be read in the years to come I think, and that will have a slow drip drip corrosive effect, be it ever so small, like the notes floating around.
-
An admin notice has appeared on FA now, directing people to FA's LiveJournal where Dragoneer has made a post:
December 2010 Hacking
By now, many of you know that Fur Affinity was attacked on Friday, December 17th 2010. Attackers were able to compromise the admin system using a previously unknown, unreported XSS exploit in the trouble ticketing system to gain control of an admin account. We pulled the website offline, and closed the hole that led to the initial attack, but not before the intruder was able to illegally compromise the private notes of 41 users (including admins and staff) and the vandalism of several galleries. Regrettably, the leeching of notes occurred before the hacker made his presence known on the site, and we were not able to stop it.
At no point were user passwords or the site database compromised.
After closing the initial hole that the intruder was using to compromise the site, they then attacked an admin's e-mail, managing to compromise their email account to perform a password reset. With the new password, they were able to get back into the site and into the forums. At the same time, another attack was launched on a second admin, compromising a long-abandoned account they had which was set up as an e-mail fallback for their main account. In both instances, the attackers were able to gain access back into the system, causing scattered vandalism.
We were able to flush the attacker out of the system through multiple wipes of cookies and active login sessions (which some of you may have noticed when your accounts were logged out).
After Yak revised and recoded the security side of the admin panel, the attackers then launched a distributed denial of service (DDOS) attack against FA as a final measure. Working with our host, we were able to block the attack and restore services to the site. While we had initially suspected potential issues due to the 1.2 million Gawker passwords that were leaked (which had affected some regular users on the site), we want to clarify that the Gawker leaks WERE NOT an issue with the FA intrusion.
Galleries which were wiped are in the process of being restored, and we are working to strengthen and improve security. We have also removed the ability for certain admins to view notes. We will be bringing in additional coding help to perform security audits and improve upon the site's platform, as we do take security seriously. We regret that this happened, and ultimately the blame for this lay with us for letting the hole slip through the cracks. That said, it does not excuse the intruders for their actions, and we are working with law enforcement to pursue the issue.
On behalf of the entire staff of FA we apologize for what happened. We make no excuses for what happened.
----------------------------
If you have questions, please feel free to ask, we will update the thread with a Q/A. Keep responses civil, and honest. There has been enough drama over this, and we want to work towards peaceful resolution.
http://community.livejournal.com/furaffinity/213163.html
-
December 2010 Hacking
By now, many of you know that Fur Affinity was attacked on Friday, December 17th 2010. Attackers were able to compromise the admin system using a previously unknown, unreported XSS exploit
The casual attitude with which he lies through his teeth is kind of disgusting, really.
-
December 2010 Hacking
By now, many of you know that Fur Affinity was attacked on Friday, December 17th 2010. Attackers were able to compromise the admin system using a previously unknown, unreported XSS exploit
The casual attitude with which he lies through his teeth is kind of disgusting, really.
Well, no, that could be technically correct. The specific XSS exploit used as part of this attack might not have been one we've found before. Of course, this is like a Catholic girl saying "I'm still technically a virgin" even though she's had 10 dicks in her ass.
-
We were able to flush the attacker out of the system through multiple wipes of cookies and active login sessions (which some of you may have noticed when your accounts were logged out).
I envision them flailing their arms and ignoring the giant red "SHUTDOWN" button in the middle of the room.
We make no excuses for what happened.
Yet you will make excuses in three months when it happens again and people ask why it wasn't fixed before.
Also, he forgot the part where they sat and watched all this unfold for a while before taking action.
Also also, great job posting this offsite, in a place where it's less likely the average user will find it, in a place where anyone wishing to question them would need to have a Livejournal account.
-
So, if I'm reading this correctly, they were compromised three times, and the Gawker issue wasn't even related? That's worse than I thought. Does anyone happen to know about how many notes the hacker(s) ultimately got, and if it's possible people who just download them from a site could be breaking the law? Like, Theft by Receiving or something like that?
-
and if it's possible people who just download them from a site could be breaking the law? Like, Theft by Receiving or something like that?
If there was a law like this (or they enforced laws like this) they most certainly would have used it against WikiLeaks by now.
-
If there was a law like this (or they enforced laws like this) they most certainly would have used it against WikiLeaks by now.
The Supreme Court ruled in 1971 that at least as it applied to question relevant to the New York Times receiving and publishing the Pentagon Papers, that receiving leaked information was not a crime. Of course, that was more relevant to actual classified government information, but nonetheless it's more or less unheard of for those who download information, regardless of if it was legally obtained or not, to be (successfully) prosecuted.
-
Dragoneer is saying he's open to advice about the security issues. (http://community.livejournal.com/furaffinity/213163.html?thread=3338923#t3338923)
6. Are you willing to accept advice and criticisms about further site security? I'm sure there's plenty of people who know this kind of thing that would love to help at this point.
6) Yes.
Have at it, guys. ::)
-
My god, this thread (http://community.livejournal.com/furaffinity/213163.html?thread=3325099#t3325099).
http://i.imgur.com/NHyHD.png (http://i.imgur.com/NHyHD.png) in case of deletion.
-
My god, this thread (http://community.livejournal.com/furaffinity/213163.html?thread=3325099#t3325099).
(http://i832.photobucket.com/albums/zz249/zibzib200/HA_HA_HA_OH_WOW.jpg)
-
Dragoneer is saying he's open to advice about the security issues. (http://community.livejournal.com/furaffinity/213163.html?thread=3338923#t3338923)
He doesn't deserve it.
-
Fur Affinity was attacked on Friday, December 17th 2010.
I thought it started on Thursday...
We pulled the website offline, and closed the hole that led to the initial attack
But they didn't shut the site down on Friday, they shut it down on Thursday. That same Thursday where Dragoneer assured us that FA was not hacked and that it was the fault of Gawker. How could they close the hole if he thought it was Gawker?
After closing the initial hole that the intruder was using to compromise the site
And that would be Friday. He just flat out lied about the Gawker thing on Thursday.
-
Furry News at 11: FurAffinity is now protected from any criticism because it is a "free service". More with that in a moment. (http://community.livejournal.com/furaffinity/213163.html?thread=3380907#t3380907)
First up on the hour is PrivatePoinkler insisting that if these security issues were made public, something would have been done about it! (http://community.livejournal.com/furaffinity/213163.html?thread=3407275#t3407275)
Wow it's the same song and dance every time. Sycophants are the cutest people.
-
Furry News at 11: FurAffinity is now protected from any criticism because it is a "free service". More with that in a moment. (http://community.livejournal.com/furaffinity/213163.html?thread=3380907#t3380907)
lol I guess that means every email provider and Facebook and Myspace and Twitter and everything else online can get away with something like this!
-
I saw something of interest on Dragoneer's ED page, in Chapter 5:
A "popufur" furry named Zaush right in king fur's (dragoneer) convention raped a girl at a furcon. But rather than turn in Zaush to the cops, cause the guy constantly had money being flung at him for commissions, he told the girl who got raped to try and like it. Well the victim's brother didn't give a shit about "protecting the image of furry", rather than let 'neer get away with helping a rapist, he bashed right through FA's security, with not even so much of a challenge. The brother then proceeded to wreak havoc on furaffinity. Hacking all the mods and admins, trying to get as much information to put Zaush and Dragoneer behind bars. He took screenshots of extremely damning stuff that the Admins had said and spread it all about. {please post the screenshots by the hacker to get Dragoneer behind bars}
You were saying you were working on his ED page in another thread, Conan, so, I'll ask you. Was this in reference to the latest hacking? If so, is this the incident with Ferality? I've never heard anywhere here or elsewhere that her brother was responsible for this.
Also, either his FA age is wrong or his ED birth year is. He couldn't have been born in 1983 and be 30.
-
I'm pretty sure the 1983 comes from his IMDb page.
And no clue about the veracity of the allegations there. It'd be nice if MediaWiki had a function similar to "svn blame", but it doesn't. Best you can do is trawl through the history page and try to find the diff containing that paragraph.
Edit: It's this (http://encyclopediadramatica.com/Special:Contributions/C.F.) person who wrote that section.
-
In the state that Ms. Reed lives in, bestiality is not illegal according to the information I had at the time, and the current laws right now.
Also, I was under the assumption Java had lived in North Carolina?
Maybe I saw "North California" as "North Carolina" when it was brought up ages ago. I've always been under the assumption she was from NC, which didn't have laws when I looked into it.
NC doesn't have laws, but California sure does. When someone brings you this kind of very, VERY obvious case of animal abuse it REALLY pays to look into it and not "misread" the laws.
She has two other accounts. She is living in Northern California. What will your actions be now that you have the evidence right in front of you?
Given all the evidence given to the police... did anything ever happen to her from that? I guess my question would be if the police have taken action, then I would have an issue.
Given it happened so long ago, I would say that's something I'd be interested in knowing. Have any further issues ever happened on FA?
HANDS THROWN IN AIR, GIVING UP ON THIS SHIT (http://community.livejournal.com/furaffinity/213163.html?page=2&view=3440043#comments)
-
Have any further issues ever happened on FA?
lol
-
I saw something of interest on Dragoneer's ED page, in Chapter 5:
A "popufur" furry named Zaush right in king fur's (dragoneer) convention raped a girl at a furcon. But rather than turn in Zaush to the cops, cause the guy constantly had money being flung at him for commissions, he told the girl who got raped to try and like it. Well the victim's brother didn't give a shit about "protecting the image of furry", rather than let 'neer get away with helping a rapist, he bashed right through FA's security, with not even so much of a challenge. The brother then proceeded to wreak havoc on furaffinity. Hacking all the mods and admins, trying to get as much information to put Zaush and Dragoneer behind bars. He took screenshots of extremely damning stuff that the Admins had said and spread it all about. {please post the screenshots by the hacker to get Dragoneer behind bars}
You were saying you were working on his ED page in another thread, Conan, so, I'll ask you. Was this in reference to the latest hacking? If so, is this the incident with Ferality? I've never heard anywhere here or elsewhere that her brother was responsible for this.
Also, either his FA age is wrong or his ED birth year is. He couldn't have been born in 1983 and be 30.
No, this is the kind of shit that I was cleaning off the page.
-
First up on the hour is PrivatePoinkler insisting that if these security issues were made public, something would have been done about it! (http://community.livejournal.com/furaffinity/213163.html?thread=3407275#t3407275)
Reading PrivatePony's attempts at humor actually makes me embarrassed for him.
I bet he could kill 'em as an opener for 2, though.
-
Wasn't he like a regular (comment whore) in fd_2? I don't remember, because really, who gives a shit.
-
This was posted on lulz, it seems to be a copy paste of the e-mail or note which has been sent to people whose notes were leaked:
http://i56.tinypic.com/10oeh49.jpg
They get a free registration to the fur-affinity convention.
TORA (http://forums.vivisector.org/index.php/topic,239.msg1934.html#msg1934) reacts:
Just got an e-mail from @Dragoneer offering me a free sponsor membership to @FAUnited due to the leaks. I don't know if I should take it...
http://twitter.com/almightytora/status/17758606275379202
I will be IMing @Dragoneer when he's online. A $75 Sponsorship to his convention (not even Super Sponsor!?) is not really worth the damage.
http://twitter.com/almightytora/status/17762279961403392
-
This was posted on lulz, it seems to be a copy paste of the e-mail or note which has been sent to people whose notes were leaked:
http://i56.tinypic.com/10oeh49.jpg
They get a free registration to the fur-affinity convention.
TORA (http://forums.vivisector.org/index.php/topic,239.msg1934.html#msg1934) reacts:
Just got an e-mail from @Dragoneer offering me a free sponsor membership to @FAUnited due to the leaks. I don't know if I should take it...
http://twitter.com/almightytora/status/17758606275379202
I will be IMing @Dragoneer when he's online. A $75 Sponsorship to his convention (not even Super Sponsor!?) is not really worth the damage.
http://twitter.com/almightytora/status/17762279961403392
(http://img24.imageshack.us/img24/4563/juden.png)
Survivor (Sponsor) $75.00 USD
All the basics of the regular Lone Wanderer package, but with an added New Jersey Wasteland Survival guide, tokens to the FAU Sponsor cocktail party. Not only that, but you snag an FAU4 exclusive "Wasteland" lanyard and FAU4 badge*.
* "Survivor" badges are available with customization (engraved names) only with pre-reg.
Wastelander (Super Sponsor) $150.00 USD
For the survivor on the go who demands it all, you snag all the basics of the Lone Wanderer (con reg, water!) and the Survivor (cocktail tokens, NJ Wasteland Survival Guide, Lanyard and Badge!) but you also snag a full course dinner with the Guests of Honor, our special Wastelander Super Sponsor gift, and the happy, warm fuzzy feeling that comes with knowing $10 of your registration goes to support the adorable mutant puppies of the NJSPCA.
So in other words, Dragoneer doesn't want to give them free food.
Free food after their personal information was leaked all over the interwebs.
Plus how many people will actually take him up on the offer? God forbid he have to pay for six people's dinner and their trinket.
hahahaohwow.jpg
EDIT: And in another instance of "Sean not thinking ahead", he's now invited a known pedophile to his con! Ahahahahahaha.
EDIT EDIT: AND he would have had to invite Allan and Arcturus. BRB lolling forever.
-
EDIT: And in another instance of "Sean not thinking ahead", he's now invited a known pedophile to his con! Ahahahahahaha.
EDIT EDIT: AND he would have had to invite Allan and Arcturus. BRB lolling forever.
Well, this is interesting. First of all, does anyone know if anything new was found in Tora's and Allan's notes? Second, did Dragoneer bother to ban Allan from FA:U? Third, why in blazes do they insist on using the same names and personae? I mean, seriously, they're so attached to their names and likenesses that they let themselves be tracked and ridiculed constantly? If I was outed as someone who committed fraud or had sex with a 14-year-old, I'd go underground, change names, and only let a select few friends know my actions. Is the fandom actually just accepting them back and only a few of us bother with remembering what they did? I thought they were pariahs even within the fandom.
-
Well, this is interesting. First of all, does anyone know if anything new was found in Tora's and Allan's notes?
It doesn't matter. Dragoneer revealed that TORA was using FA notes to sexually groom underage boys some time ago. There was this huge thing because Dragoneer accidentally leaked a log of the AIM convo on some pastedump site. There's a whole Wikifur article on TORA which quotes Dragoneer's banning TORA for using FA to talk to underaged boys about sucking their own cocks.
This was all known before the FA note leaks. :X
-
Well, this is interesting. First of all, does anyone know if anything new was found in Tora's and Allan's notes?
It doesn't matter. Dragoneer revealed that TORA was using FA notes to sexually groom underage boys some time ago. There was this huge thing because Dragoneer accidentally leaked a log of the AIM convo on some pastedump site. There's a whole Wikifur article on TORA which quotes Dragoneer's banning TORA for using FA to talk to underaged boys about sucking their own cocks.
This was all known before the FA note leaks. :X
Yeah, I was wondering how that AIM log got leaked. That was pretty revealing. Dragoneer was even debating going to the police and hated to ban him. I was just wondering if maybe he had more contact with other minors or if there was a cover-up we didn't know about earlier. Dragoneer is insane if he allows him at FA:U at all, especially after what happened at AC.
-
<yak[work]> error_page 404 /default_avatar.gif; # sweet
* yak[work] deletes a bajillion default user avatars and story/poetry/music thumbnails
<yak[work]> nginx directive to return a default image instead of a 404 page. for a content deliver note, means that if the user's avatar for example is the default one (as is for new users who haven't uploaded them yet), i can skip copying the default one to their data folder.
<yak[work]> works even better for default thumbnails for stories/music/etc, if the user hasn't uploaded a custom one. instead of a million copies i store only one
<yak[work]> getting rid of ~5M useless small files can't be a bad thing
For those of you not well-versed in beardy sysadmin shit: they used to make a new copy of the default avatar/submission icon for every single upload. Now they don't do that, instead faking it with a default 404 image.
WHY they made copies of the default icon in the first place is goddamn beyond me. Jesus.
-
It doesn't matter. Dragoneer revealed that TORA was using FA notes to sexually groom underage boys some time ago. There was this huge thing because Dragoneer accidentally leaked a log of the AIM convo on some pastedump site. There's a whole Wikifur article on TORA which quotes Dragoneer's banning TORA for using FA to talk to underaged boys about sucking their own cocks.
I knew TORA years before all this crap, and he couldn't sexually groom his way out of a hair salon. He's hilariously harmless; just completely tactless and oblivious to others' boundaries to the point of creepiness.
-
For those of you not well-versed in beardy sysadmin shit: they used to make a new copy of the default avatar/submission icon for every single upload. Now they don't do that, instead faking it with a default 404 image.
WHY they made copies of the default icon in the first place is goddamn beyond me. Jesus.
FYI, I brought this up to them like... a year and a half ago because I noticed each user had its own copy of the default user icon - how the hell they never thought to use *gasp* a link to a single common location is beyond me; it's like yak is the dumbest motherfucker on this planet. That or he's so dense he can't even do basic shit like use common sense. :I
-
I knew TORA years before all this crap, and he couldn't sexually groom his way out of a hair salon. He's hilariously harmless
Harmless? He was in prison after an event involving him, his boyfriend, a 14yo boy and a hotel room!
-
You know, going along with furries' complete inability to create anything that doesn't reference anime, video games, or some other banal low-level geek bullshit, I'm pretty sure there are multiple people in the fandom named "Tora" or some variation thereof. I'm not sure what the reference is, but I am sure I don't care.
It took me a while to realize this guy was separate from another "Tora" that I had heard of before I heard of him.
-
Looks like they're still having problems:
(http://i52.tinypic.com/120l2f8.jpg)
Someone's been making a string of accounts and doing that this evening. Seemed to have hijacked a few accounts as well to do it.
-
<yak[work]> error_page 404 /default_avatar.gif; # sweet
* yak[work] deletes a bajillion default user avatars and story/poetry/music thumbnails
<yak[work]> nginx directive to return a default image instead of a 404 page. for a content deliver note, means that if the user's avatar for example is the default one (as is for new users who haven't uploaded them yet), i can skip copying the default one to their data folder.
<yak[work]> works even better for default thumbnails for stories/music/etc, if the user hasn't uploaded a custom one. instead of a million copies i store only one
<yak[work]> getting rid of ~5M useless small files can't be a bad thing
For those of you not well-versed in beardy sysadmin shit: they used to make a new copy of the default avatar/submission icon for every single upload. Now they don't do that, instead faking it with a default 404 image.
WHY they made copies of the default icon in the first place is goddamn beyond me. Jesus.
WHAT. This is so unbelievably stupid.
Looks like they're still having problems:
Someone's been making a string of accounts and doing that this evening. Seemed to have hijacked a few accounts as well to do it.
I don't know if this was an exploit with the thumbnail dimensions limit or just a generally 'duh' thing involving the website, however none of those uploads had file extensions. I'll assume it's relative to the giant thumbnails there, though feel free to correct me if I'm wrong with that.
-
Hijacked accounts? And, people are swamping Dragoneer's shoutbox with complaints about this, too. I wonder if this is the start of a new attack.
-
We can only hope.
Godspeed you! Black hat.
-
I'm sure if it is a real attack it will be posted to FD_2 before anything else again - just need to make sure we leave out 99% of the userbase of what's going on. Also, people think the messed up images is part of some XSS exploit but I'm not so sure..
-
Looks like they're still having problems:
(http://i52.tinypic.com/120l2f8.jpg)
Someone's been making a string of accounts and doing that this evening. Seemed to have hijacked a few accounts as well to do it.
Who wants to bet Yak's shoddy coding created another easily-abused hole?
Or even his inability to use a test site to do code changes.
-
Or even his inability to use a test site to do code changes.
remember, they need a secure environment before they can work on making a secure environment
-
Who wants to bet Yak's shoddy coding created another easily-abused hole?
You know, I respect the people who offered Dragoneer help, even if I question their judgment a bit in offering Dragoneer help, but hey, not everyone knows all the gory details of the innards of FA. But I'm willing to guess that even if some of these people, who have usually either gone off to found their own successful art site(s) or are otherwise respectably employed, really knew the full extent of the disaster that is the code base, or knew what they were in for inre: the personalities of the admins and the management style (or lack thereof) of Dragoneer, they'd pull out right quick. That sort of environment is an environment you'd only stay in if they were paying you damn well, and even then you'd have people who would still leave just to get away from the poisonous people and the utterly unfulfilling work of fixing someone else's retardery. Programmers are most content when they are productive. That work almost by definition will never ever be "productive". Nothing new will come of it, the FA site will just come up to a baseline it should have been at years and years ago.
At this point I see stuff happen and I think of a solution in the space of five minutes. Of course, that's without seeing the code base, but shit, I think, I'm not even going to post anything about it because they don't deserve any help whatsoever, however indirect.
-
It seems that in Yak's "Fix things that should be fixed, but they really don't need to be fixed now because there's more important stuff to do" spree, the usericon on the front page news items has been made significantly larger. This, of course, has added more empty space to the page, joining the rest of the empty spaces in the header.
(http://img684.imageshack.us/img684/263/fender.png)
The site may still have vulnerabilities, but now everyone can see the massive Fender icon of the week easier!
-
BIG BROTHER IS WATCHING
-
It seems that in Yak's "Fix things that should be fixed, but they really don't need to be fixed now because there's more important stuff to do" spree, the usericon on the front page news items has been made significantly larger. This, of course, has added more empty space to the page, joining the rest of the empty spaces in the header.
The code is a mess, and fixing the "important stuff" is massively unrewarding work, however necessary it may be. The work involved is probably highly tedious. You'd probably have to replace code that takes user input with something less fucktarded, but here's the catch: in a well designed code base there'd be a couple of classes that dealt with actually issuing SQL, reading and parsing user input, etc. I.e. that sort of dangerous stuff would be limited to a small area, and more importantly it would exist in only one area. You would then make good use of inheritance to build layers on top of that. So when your DB code needs fixing, it can be fixed in one place, end of story.
But it's likely that there are mysql_query() calls and echo() calls littered throughout the code, and I'm sure the pattern (hah) in which they are used is inconsistent, so you can't just do some semi-robotic find and replace type operation. You'd have to decipher each part of the code, figure out what it does (and what unintended behaviors other parts of the code may be relying on) and then rewrite it in a secure way. All of this is extremely fragile, because without any sort of modularization or information hiding, you have no idea how your changes will affect other parts of the site.
Frankly, if these were any kind of reasonable adults we were dealing with, any hypothetical "consultant" would likely tell them to throw the code base out and start over anew. Which is a whole 'nother can of worms as we all know.
Yak probably lacks the motivation and skills to do anything like this. It's also more immediately rewarding to do stuff like play with CSS templates, especially if you're lazy and unwilling to wait for hard(er) work to pay off.
-
The best thing would be to hand them a book on anti-patterns and tell them "This is how dumb you are!" - it wouldn't get through but I'm willing to bet money that they have at least several anti-patterns in their code on top of the total lack of design or even basic OOP logic like reusing common classes....
-
The code was all written by Alkora, who hasn't been involved in ages. They already know the thing sucks. They just don't have any programmers to fix it.
-
The code was all written by Alkora, who hasn't been involved in ages. They already know the thing sucks. They just don't have any programmers to fix it.
Could they have hired a paid programmer to do this with the money they've taken in/squandered, or are they too stupid and paranoid to even do that?
-
The code was all written by Alkora, who hasn't been involved in ages. They already know the thing sucks. They just don't have any programmers to fix it.
Could they have hired a paid programmer to do this with the money they've taken in/squandered, or are they too stupid and paranoid to even do that?
I'd imagine so; and frankly no one in their right mind is going to do that kind of work for free. Especially when you'd basically be donating thousands of dollars worth of your time to Dragoneer, who'd use your code for his own personal enrichment. I'd be demanding a percentage cut of the profits, honestly. I know that's insanity but I'm also not about to do anything for FA at any price.
I also think that Dragoneer & co. are more "hardware oriented", to put it charitably. In other words, they see shiny plastic shit and wet their pants. They don't exactly appreciate the necessity of quality software to make any use of their overpriced crap.
-
I see. I wonder who wrote the code and stuff for InkBunny and where the original funding came from. They are a much smaller site (getting much larger from the last two fiascoes, though), yet I see staff at IB can make rapid, effectual repairs or modifications (they even took the site down for 4 days to make critical repairs lately), whereas the fuckwits at FA never bothered to even restore the commissions tab and only react (and badly at that) when something goes wrong. I think Dragoneer's embarrassed and has even publicly said he's not sure he's on good terms with IB.
SoFurry's current funding comes from Toumal (the owner) himself primarily and he can sustain it on his own, but I don't know a thing about the competency of their coders or who originally paid to start up Yiffstar, SoFurry's former name.
-
What I've seen of Toumal is that he's nowhere near as good as he thinks he is, but I guess in light of FA everyone looks pretty damn good. His Twitter was annoyingly fanboyish when I looked at it.
The thing that's so mind-numbingly stupid about FA's incompetence is that it really does not take all that much programming genius to write and maintain a web site. PHP coders and "web designers" are not exactly at the top of the pecking order.
-
I wonder who wrote the code and stuff for InkBunny and where the original funding came from.
Starling wrote the code; site design was by Symm, backgrounds by Lando. Initial funding was provided through donations and personal loans.
Inkbunny became able to cover its hosting through fees (http://inkbunny.net/journalview.php?id=1719) a couple of months ago, though as of right now we're back to donations until we arrange another payment provider.
I paid this month's hosting bill to avoid the risk of downtime while said donations cleared. I expect to get it back; I've loaned money to Starling before and it was repaid on time, which is more than I can say for some furs.
-
Starling wrote the code; site design was by Symm, backgrounds by Lando. Initial funding was provided through donations and personal loans.
Inkbunny became able to cover its hosting through fees a couple of months ago, though as of right now we're back to donations until we arrange another payment provider.
I paid this month's hosting bill to avoid the risk of downtime while said donations cleared. I expect to get it back; I've loaned money to Starling before and it was repaid on time, which is more than I can say for some furs.
Ahh. Well, Starling seems to know what he's doing, unlike a certain digimon... I don't know if he could get another furry to loan him that kind of money at this point. Then again, there are so many people with more money than sense. Like Dragoneer, for example.
-
Could they have hired a paid programmer to do this with the money they've taken in/squandered, or are they too stupid and paranoid to even do that?
This question comes up a lot. I still don't understand why anyone thinks this is remotely possible.
FA currently pays, for bandwidth/rackspace: $1700/month.
Bare minimum full-time entry-level programmer salary is: $3500/month.
Sure, you could only hire the guy part-time, and maybe halve that—but even then, FA would need to double its income to afford one guy. One guy who is willing to work half-time for a paltry wage to rewrite a furry porn site, but yet is still competent.
This is not going to happen.
-
FA currently pays, for bandwidth/rackspace: $1700/month.
Bare minimum full-time entry-level programmer salary is: $3500/month.
Sure, you could only hire the guy part-time, and maybe halve that—but even then, FA would need to double its income to afford one guy. One guy who is willing to work half-time for a paltry wage to rewrite a furry porn site, but yet is still competent.
This is not going to happen.
So, if he had a donation drive/he got a loan or another credit card and maybe did this for one to two months, this would not work? I'm thinking maybe if they got professionals in to fix this horrible code all at once, after that volunteer people could maintain it and make adjustments and stuff as needed. Professionals would not have as much of a trust issue I've heard Dragoneer going on about earlier. They're not furries who care about the drama. They would have a job to do and would do it, then leave after the job ended.
-
People think this is possible because no one really knows what resources Dragoneer and FA actually have available to them.
What they pay for hosting is irrelevant.
-
Remember, Dragoneer's notes revealed he offered to hire Yak full-time to fix the site.
I made Yak a job offer to work on FA full time. If yak spent his time working on FA, we wouldn't have these problems. He'd be able to code as a job, get paid, and resolve all the issues. And FA would have a full time coder.
I'm sure money was one of the reasons he declined.
-
Not exactly the kind of thing you can put on a resume
-
Not exactly the kind of thing you can put on a resume
2010-2011 Head Software Engineer, Emergency Emotional-Support Blowjob Technician - Furry Porn Site.
-
so, anyone else noticed that FA is just about to pass submission ID 5 million?
What I did notice was the drooling furry masses bringing this up a while back, and all I could think was, "gee, what a convenient distraction". It led me to wonder if one of the LJ communities, or Twitter accounts, connected with Dragoneer or FA had mentioned this in sort of a, "HEY, LOOK. OVER THERE."
-
I'm thinking maybe if they got professionals in to fix this horrible code all at once
The only way to fix this code is to throw it right out the fucking window. Anything else would just be patching on patches patched by someone who patched it a few years ago to patch around a patchy patch.
, after that volunteer people could maintain it and make adjustments and stuff as needed.
Given the quality of the volunteer people currently working on this, any adjustments/maintenance they do would open up new holes, assuming that they could wrap their heads around the newly rewritten code.
Professionals would not have as much of a trust issue I've heard Dragoneer going on about earlier. They're not furries who care about the drama.
I'm assuming, actually, that Dragoneer would probably still have a trust issue: he didn't personally vet these people, they aren't his friends, he might not like them.
They would have a job to do and would do it, then leave after the job ended.
Or they'd get fed up with the internal politics and say "fuck this". Either one.
-
Offtopic, but I noticed that their entire comment system has nothing to check for multiple HTTP POST requests when making a comment... found this out when I accidentally double clicked the submit button and it made the comment double up. In theory, you could write a link that forces the victim to spam multiple comments onto a journal post or submission... since each entry is a row in the DB, this could cause a good amount of load on the system if someone maliciously started doing this. What I really want to know is if deleting a journal is a hard delete of the journal and all the comments or is it some stupid thing with the notes where they just delete the link in the inbox? I just want to see how bad it is out of a morbid curiosity....
But yea, as to what Pi said, there's no hope for their code. There's so many possible avenues to abuse their half-assed implementation (see above) that you would save time by starting over from scratch.
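An added example for the duplicate-POST and hostile-link problem described in the post above (this is illustrative code written for this thread, not FurAffinity's code; the endpoint, method and session names are made up). A per-form one-time token tied to the session covers both cases: a resubmit of the same form carries a token that has already been consumed, and a page on another origin that links to the comment URL never sees the token in the first place, so it cannot build a request that passes.

```python
"""Added example: a one-time form token that stops both the double-click
duplicate and the "link that makes the victim post" case from the post above.

Illustrative code written for this thread, not FurAffinity's. The endpoint,
session ids and method names are made up; a real deployment would expire unused
tokens and keep them in the session store rather than in process memory.
"""
import secrets


class CommentEndpoint:
    def __init__(self):
        self.comments = []   # stands in for the comments table
        self.issued = {}     # session_id -> set of tokens handed out and not yet used

    # The pattern the post describes: every POST that arrives becomes a row.
    def post_comment_unchecked(self, session_id, text):
        self.comments.append((session_id, text))
        return "ok"

    def render_form(self, session_id):
        """Called when the comment form is served to a logged-in user. The token is
        written into a hidden field of that page; a page on another origin that
        links here never sees it, so it cannot build a submission that passes."""
        token = secrets.token_urlsafe(24)
        self.issued.setdefault(session_id, set()).add(token)
        return token

    def post_comment(self, session_id, token, text):
        """Accept the comment only if this session was issued the token and it has
        not been consumed. Consuming it turns a resubmit (double click, reload of
        the POST result) into a rejected request instead of a second row."""
        tokens = self.issued.get(session_id, set())
        if token is None or token not in tokens:
            return "rejected"
        tokens.discard(token)
        self.comments.append((session_id, text))
        return "ok"


def demo():
    """Constructed sequence: one user double-clicks, then follows a hostile link."""
    ep = CommentEndpoint()
    token = ep.render_form("sess-alice")
    first = ep.post_comment("sess-alice", token, "nice drawing")
    second = ep.post_comment("sess-alice", token, "nice drawing")    # double click
    forged = ep.post_comment("sess-alice", None, "SPAM SPAM SPAM")   # request built by another site
    return first, second, forged, len(ep.comments)
```

The same token also has to be checked on every other state-changing POST (faves, watches, journal deletion), not just comments; a hidden field per form plus a server-side "was this issued to this session" check is the whole mechanism.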
-
Weird. This morning FA stopped rendering the comments for journals. It says there are X amount of comments under the journal but it doesn't render any of them. Had some other people verify it as well. Doesn't seem to affect submissions however.
-
Offtopic, but I noticed that their entire comment system has nothing to check for multiple HTTP POST requests when making a comment [...] In theory, you could write a link that forces the victim to spam multiple comments onto a journal post or submission...
"Comment posting on journals has been temporarily disabled while we are working on an issue." has been freshly added to the recent admin announcement about the attacks. Presumably what you've related here is "an issue".
(The site was also down for a while, and the outage page directed you to the site status forum, which of course led to the forums outage page)
-
This is pure speculation, but I wouldn't be too surprised if someone from FA is reading this thread or these forums and getting a free security audit.
I have no idea if that's actually the case but the timing of this comment thing vs. loki's post is exceedingly odd.
-
Offtopic, but I noticed that their entire comment system has nothing to check for multiple HTTP POST requests
POST?? Hahahaha.
This is pure speculation, but I wouldn't be too surprised if someone from FA is reading this thread or these forums and getting a free security audit.
No, a db restore went awry and journal comments got fucked up.
-
This is pure speculation, but I wouldn't be too surprised if someone from FA is reading this thread or these forums and getting a free security audit.
I have no idea if that's actually the case but the timing of this comment thing vs. loki's post is exceedingly odd.
Impossible, this would be the smart thing for them to do.
Seriously, there should at least be ~one~ person amongst the fa staff designated to research communities of this nature to at least keep an ear to the ground and yes, get the equivalent of a free security audit, but that might be my own paranoid nature. Also, Dragoneer seems to like doing that for himself, even if he is not thorough about it.
-
I dunno, the thought of it makes me want to say less about their site's security. Dragoneer has the equivalent of about six lifetimes worth of money, toys, and reputation that he doesn't deserve, something about contributing to that even a little bit bothers me.
-
This is pure speculation, but I wouldn't be too surprised if someone from FA is reading this thread or these forums and getting a free security audit.
No, a db restore went awry and journal comments got fucked up.
More precisely:
[03:09:11] <&yak[work]> I was trying to import a database dump into a separate DB but apparently mysql decided to use FA's main db for that. Sooooo journal comments table got nuked before I was able to stop it. And I can restore them only till 2010-12-19, everything after that is gone
[03:11:38] <&yak[work]> I am actually doing daily backups, it's just that everything went fucked up due to all the DDoS going on, and I haven't restored everything back in operation yet
[03:12:55] <&yak[work]> Yeah. I pretty much expect a lot of people to tear me a new asshole over this.
And of course, the asspats:
[03:14:40] <@Carenath> yak[work]: You told me before.. mistakes happen.. after I went into 'oh fuck' mode two weeks back.
-
Seriously, there should at least be ~one~ person amongst the fa staff designated to research communities of this nature to at least keep an ear to the ground and yes, get the equivalent of a free security audit, but that might be my own paranoid nature. Also, Dragoneer seems to like doing that for himself, even if he is not thorough about it.
This is under the expectation that ANYONE on the FA staff would do something rational in the wake of all this. Which they haven't.
-
[03:09:11] <&yak[work]> I was trying to import a database dump into a separate DB but apparently mysql decided to use FA's main db for that. Sooooo journal comments table got nuked before I was able to stop it. And I can restore them only till 2010-12-19, everything after that is gone
THE COMPUTER DID IT!!1!!1one!!! I hope no one gets an eye poked out with all this finger pointing going on at FA.
And in other news, Inkbunny is now encrypting all data and content all the time (https://inkbunny.net/journalview.php?id=4072).
-
Yeah, when the main guy who's responsible for keeping your porn site/welfare donation vehicle/excuse for being relevant operational is assigning sentient actions to the computer and random software packages, you...you've got a problem. Responsibility, pshaw.
And how much do you want to bet Yak's one of those people who doesn't really get the gist of the commands he mashes into the keyboard, and really only manages to achieve something close to the desired result because he remembers the right series of incantations to utter? Because those are the people who generally react this way (= have no clue what happened) when the magic spell doesn't work like they think it should.
And in other news, Inkbunny is now encrypting all data and content all the time (https://inkbunny.net/journalview.php?id=4072).
Don't worry, there's ways to attack that too. A lot of it relies on social engineering (stupidity), so look for furries to be the first ones to fall for it. Vivisector does the same thing and every time I load it on my Android device the browser complains about the certificate not being valid. If IB has the same or a similar problem then some kinds of attacks become possible. Granted, that's not the site's fault but SSL is not the panacea it seems to be touted as of late.
-
Granted, that's not the site's fault but SSL is not the panacea it seems to be being touted as of late.
Sure it is! It makes MITM attacks Someone Else's Problem.
I'm not sure if I'm being snarky or not.
-
Boy, wouldn't it have been a good idea before doing ANYTHING directly on the DB to take a snapshot or 7z up the actual DB files? Especially when the site is live? Imagine the shitstorm if he nuked a table that tracks submissions to their authors or something like that...
-
Boy, wouldn't it have been a good idea before doing ANYTHING directly on the DB to take a snapshot or 7z up the actual DB files? Especially when the site is live? Imagine the shitstorm if he nuked a table that tracks submissions to their authors or something like that...
I do this literally 30-40 times per day.
svc -d /service/hurf_durf_some_j2ee_thing
svc -k /service/hurf_durf_some_j2ee_thing
su - postgres
pg_dump -O $DATABASE_NAME | gzip > ~/backups/misc/${DATE}__${DATABASE_NAME}__${EVENT}.dmp.gz
# do database shit here, maybe even drop the database!
exit
svc -u /service/hurf_durf_some_j2ee_thing && tail -f /service/hurf_durf_some_j2ee_thing/log/main/current
The incantation required for MySQL is eerily similar.
-
Boy, wouldn't it have been a good idea before doing ANYTHING directly on the DB to take a snapshot or 7z up the actual DB files? Especially when the site is live? Imagine the shitstorm if he nuked a table that tracks submissions to their authors or something like that...
He wasn't trying to do anything to the db. I think he was trying to load a dump into a different (testing?) database, but the dump contained CREATE DATABASE production; / USE production;.
-
He wasn't trying to do anything to the db. I think he was trying to load a dump into a different (testing?) database, but the dump contained CREATE DATABASE production; / USE production;.
Sorry, bro, but that constitutes doing something to the database! If you're connecting and doing anything but SELECT queries, you are potentially fucking something up.
-
Somehow I would have imagined that he would grep the database dump for "USE" and all that, like I often do before restoring a dump from one database into another database on the same server. But what do I know.
-
He wasn't trying to do anything to the db. I think he was trying to load a dump into a different (testing?) database, but the dump contained CREATE DATABASE production; / USE production;.
You might as well start doing DROP FA_SUPER_USER CASCADE (bye bye FA) at that point. Anyone who doesn't know that DDL commands force commits (they do in Oracle at least in most circumstances) probably shouldn't be allowed to play around with any sort of 'testing' database. Either way, you figure they would just make daily backups considering how much unused hardware they have. Even if they didn't have it, they could just keep backups for a few days back along with weekly or monthly iterations and you would be golden if something seriously bad happened.
Somehow I would have imagined that he would grep the database dump for "USE" and all that, like I often do before restoring a dump from one database into another database on the same server. But what do I know.
You figure you would always know what you're running when doing anything like this; I'm not a DBA but it's like, holy shit, use some common sense and make sure you know what you're doing before you pull the switch. "Haha, we just lost 10 days of journals" is not acceptable and I'm [not] surprised yak is still there. :I
-
Haha seriously who even includes the database structure itself in their mysql dumps. It's bad enough they are using DATABASE FOR BABBIES but still.
I mean hell don't you have to add some kind of wonky flags to the mysqldump command to make it throw in CREATE DATABASE/USE commands?
Oh wait sorry I forgot, Pi runs the show here and I don't know anything about how computers work HOW DID THESE WORDS GET HERE OH GOD
(ps fixed the ssl cert sorry about any errors or whatever)
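An added pre-restore guard for what the two posts above describe (grepping the dump for USE before loading it, and the fact that the CREATE DATABASE/USE lines come from invoking mysqldump with --databases or --all-databases). This is illustrative code written for this thread, not anything FA runs; the function names and the SAMPLE_DUMP fragment are constructed for the example. The point it makes: `mysql scratch_db < dump.sql` does not pin the restore to scratch_db, the dump's own USE statement wins, so the dump has to be inspected before it is piped anywhere.

```python
"""Added example: refuse to restore a dump that switches databases on its own.

Illustrative code written for this thread, not anything FA runs. mysqldump
emits CREATE DATABASE / USE statements when invoked with --databases or
--all-databases; a plain `mysql scratch_db < dump.sql` then lands in whatever
database the dump names, not in scratch_db. This guard finds those statements
first. SAMPLE_DUMP is a constructed fragment in mysqldump's output format.
"""
import re

# mysqldump wraps some SQL in version-conditional comments: /*!40100 ... */
VERSION_COMMENT = re.compile(r"/\*!\d+\s*(.*?)\s*\*/")
USE_RE = re.compile(r"^\s*USE\s+`?([A-Za-z0-9_$]+)`?\s*;", re.IGNORECASE)
CREATE_RE = re.compile(
    r"^\s*CREATE\s+DATABASE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?([A-Za-z0-9_$]+)`?",
    re.IGNORECASE,
)


def schema_switches(dump_text):
    """Every (line_no, statement, database) in the dump that would change which
    database the statements after it apply to."""
    hits = []
    for n, raw in enumerate(dump_text.splitlines(), 1):
        line = VERSION_COMMENT.sub(r"\1", raw)   # /*!32312 IF NOT EXISTS*/ -> IF NOT EXISTS
        m = USE_RE.match(line)
        if m:
            hits.append((n, "USE", m.group(1)))
            continue
        m = CREATE_RE.match(line)
        if m:
            hits.append((n, "CREATE DATABASE", m.group(1)))
    return hits


def safe_to_restore_into(dump_text, target_db):
    """True only if the dump names no database at all or names only target_db.
    Anything else and the file must not be piped into mysql as-is."""
    return all(db == target_db for _, _, db in schema_switches(dump_text))


def check(dump_text, target_db):
    """Verdict plus the offending lines, for a wrapper script to print."""
    switches = schema_switches(dump_text)
    return safe_to_restore_into(dump_text, target_db), ["line %d: %s %s" % s for s in switches]


# Constructed sample in mysqldump --databases format; not a real FA dump.
SAMPLE_DUMP = """-- MySQL dump 10.13  (constructed sample, not a real FA dump)
/*!40101 SET NAMES utf8 */;

--
-- Current Database: `production`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `production` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `production`;

DROP TABLE IF EXISTS `journal_comments`;
CREATE TABLE `journal_comments` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `journal` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=4812 DEFAULT CHARSET=latin1;
"""
```

Usage: run `check(open(path).read(), "fa_scratch")` in the restore script and abort on False. The mysql client's own `--one-database` option is the built-in belt to go with these braces; and none of it matters if the account doing the test restore has write access to the production schema in the first place, which is the least-privilege fix.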
-
Either way, you figure they would just make daily backups considering how much unused hardware they have. Even if they didn't have it, they could just keep backups for a few days back along with weekly or monthly iterations and you would be golden if something seriously bad happened.
They do have a backup server ("Neo Bahamut"), which according to WikiFur does "nightly backups of both data and DB".
Now whether it works or it's just there for show is another story. It apparently is quite a complicated process to restore old backups, since people who had their galleries wiped in the great hacking of 2010 still haven't had them restored. Presumably that's what Yak was working on when the comment thing happened.
-
according to WikiFur
Yes, well, we all know how that scene works: if you're popular and/or liked by the furry royalty, you can write (or remove) whatever you want there and it will be accepted as WikiTruth. But otherwise, expect to have your page kept around (despite your wishes to the contrary) and filled with sections like "Criticism" and "Controversy".
(cue GreenReaper in 3...2...)
-
You might as well start doing DROP FA_SUPER_USER CASCADE (bye bye FA)
Ha! That would imply foreign keys. Why do you think the "thing has been deleted" inbox message exists?
Anyone who doesn't know that DDL commands force commits (they do in Oracle at least in most circumstances)
DDL is all transactional in postgres, I think save for DROP TABLE. (And probably creating/dropping entire databases; I suspect transactions are per-database anyway.)
You figure you would always know what you're running when doing anything like this; I'm not a DBA but it's like, holy shit, use some common sense and make sure you know what you're doing before you pull the switch. "Haha, we just lost 10 days of journals" is not acceptable and I'm [not] surprised yak is still there. :I
I guess I sympathize with outright fatfingering, especially given what a horrendous nightmare mysqldumps are to work with. This was a pretty human mistake, oh well. github lost some activity recently, too.
What I would love to know is why he needed to load a second copy of the db on the production server in the first place, when they have a dozen machines sitting around doing fuck-all.
-
I guess I sympathize with outright fatfingering, especially given what a horrendous nightmare mysqldumps are to work with. This was a pretty human mistake, oh well. github lost some activity recently, too.
Sure it was, but at some point you have to say that losing user data is simply not acceptable. I don't know what happened with github (not particularly a fan of that site, but whatever), but I guess if you're going to get the benefits of being perceived as professional (high traffic, being able to charge people money, etc.) you should get the responsibilities too.
"Mistakes happen" is sort of a worthless statement, imo. Especially when you're just shrugging off an incident. Sure, mistakes happen, but the professional thing to do is make sure that you aren't allowing them to (easily) happen, and if they do you figure out what happened so that whatever happened can never happen again. And really, something that can't be fixed (losing user data, as opposed to, say, downtime), is a far bigger deal than other kinds of mistakes.
I'm not saying that FA will do this, or that anyone realistically expects them to, but I guess I can't understand why you're defending the amateur hour clown show over there.
-
Along with the issue with multiple POST requests mentioned earlier, is there maybe an issue (judging by how many times you see "I meant to reply to the above poster") with posting replies being processed first-in, first-out, instead of properly linking to the parent post?
Please note: I don't know anything about site coding.
-
Along with the issue with multiple POST requests mentioned earlier, is there maybe an issue (judging by how many times you see "I meant to reply to the above poster") with posting replies being processed first-in, first-out, instead of properly linking to the parent post?
I cannot even imagine how poorly the whole thing would have to be written for that to happen. Seriously, it's such a no-brainer to write something like that, that I am unable to conjure up a way to do it -that- wrong.
-
Along with the issue with multiple POST requests mentioned earlier, is there maybe an issue (judging by how many times you see "I meant to reply to the above poster") with posting replies being processed first-in, first-out, instead of properly linking to the parent post?
I cannot even imagine how poorly the whole thing would have to be written for that to happen. Seriously, it's such a no-brainer to write something like that, that I am unable to conjure up a way to do it -that- wrong.
Pretty sure that's an issue on the client-side, because FA's style and presentation HTML still uses tables, the cutting edge technology of 1995. So instead of collapsing deeply-nested threads à la LiveJournal, or whatever, the HTML sent to the browser just offsets a child reply table cell a little more to the right than its parent. At some point this scheme quits working (you run out of screen space) and even though (as far as I know) the replies are properly structured in the DB, you simply can't tell from the client-side HTML that is sent, either visually or (IIRC) in the HTML source.
This, incidentally, makes Greasemonkey-style DOM manipulation of FurAffinity more or less impossible in most cases, which is how I know the above.
-
according to WikiFur
Yes, well, we all know how that scene works: if you're popular and/or liked by the furry royalty, you can write (or remove) whatever you want there and it will be accepted as WikiTruth. But otherwise, expect to have your page kept around (despite your wishes to the contrary) and filled with sections like "Criticism" and "Controversy".
(cue GreenReaper in 3...2...)
True, but I always find it reliable for their hardware specs, mostly because Dragoneer edits those in himself, and we all know how he likes to throw around hardware specs. I have noticed inconsistency in the server's descriptions, though. Like how "Novastorm" went from being the web front-end server to being the database server (and "Figment" became the front-end server), and the old database server ("Tiamat") went to having no use listed. I guess we can just chalk that one up as another unused server then, bringing their total of unused servers to 5 (4 if you're counting the graphing server as being "used").
-
Pretty sure that's an issue on the client-side, because FA's style and presentation HTML still uses tables, the cutting edge technology of 1995. So instead of collapsing deeply-nested threads à la LiveJournal, or whatever, the HTML sent to the browser just offsets a child reply table cell a little more to the right than its parent. At some point this scheme quits working (you run out of screen space) and even though (as far as I know) the replies are properly structured in the DB, you simply can't tell from the client-side HTML that is sent, either visually or (IIRC) in the HTML source.
Actually, the problem is... well, see for yourself.
function _nest($newnestid, $nestswitch, $rowid, $table = "df_comments") {
    global $sql;
    //echo "GO_TO_NEST => ('$newnestid','$nestswitch','$rowid','$table')<br/>";
    // Journal and submission comments share the scheme; only the owning-row column differs.
    if ($table != "df_comments") $column = "journal"; else $column = "submissionid";
    // $nestswitch is the reply depth. Each depth owns a three-digit slice of the
    // nestid sort key (depth 0 the 10^24 digits, depth 8 the units), and the slice
    // is filled with (number of existing siblings under this parent) + 1.
    // The sibling count is taken by SELECTing every row in the range, and $rowid is
    // interpolated straight into the query string. Literals above PHP_INT_MAX are
    // silently floats in PHP, so these sums are done in floating point.
    switch ($nestswitch) {
        case 0:
            $nimax = $newnestid + 999000000000000000000000000;
            $nimin = $newnestid + 1000000000000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000000000000000000000000 * $multiplier);
            break;
        case 1:
            $nimax = $newnestid + 999000000000000000000000;
            $nimin = $newnestid + 1000000000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000000000000000000000 * $multiplier);
            break;
        case 2:
            $nimax = $newnestid + 999000000000000000000;
            $nimin = $newnestid + 1000000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000000000000000000 * $multiplier);
            break;
        case 3:
            $nimax = $newnestid + 999000000000000000;
            $nimin = $newnestid + 1000000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000000000000000 * $multiplier);
            break;
        case 4:
            $nimax = $newnestid + 999000000000000;
            $nimin = $newnestid + 1000000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000000000000 * $multiplier);
            break;
        case 5:
            $nimax = $newnestid + 999000000000;
            $nimin = $newnestid + 1000000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000000000 * $multiplier);
            break;
        case 6:
            $nimax = $newnestid + 999000000;
            $nimin = $newnestid + 1000000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000000 * $multiplier);
            break;
        case 7:
            $nimax = $newnestid + 999000;
            $nimin = $newnestid + 1000;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1000 * $multiplier);
            break;
        case 8:
            $nimax = $newnestid + 999;
            $nimin = $newnestid + 1;
            $multiplier = mysql_num_rows($sql->query("SELECT * FROM $table WHERE $column='$rowid' AND nestid >= '$nimin' AND nestid <= '$nimax' ")) + 1;
            $newnestid = $newnestid + (1 * $multiplier);
            break;
    }
    // No case for depth 9 or deeper: the parent's nestid is handed back unchanged.
    return $newnestid;
}
Commenting fucks up after a certain depth merely because this horrifying algorithm runs out of digits.
The db does store parent comment ids, but they seem to be decorative at best. I managed to use them to retroactively fix all comment nesting for Ferrox, but alas that code has never been used either.
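An added example that works through the edges of the _nest() scheme quoted above and puts the parent-column ordering Eevee mentions next to it. This is illustrative code written for this thread, not FurAffinity's code and not Eevee's Ferrox fix; LEVELS and DIGITS mirror the nine cases of three decimal digits in _nest(), and the row tuples stand in for a comments table with a real parent column. It shows three things: a reply chain stops getting distinct keys at depth 9, the 1000th reply under a comment gets the key of the next top-level comment, and because PHP turns those literals into floats, the slots for depth 6 and deeper are below the spacing of an IEEE double at 1e24 and add nothing at all.

```python
"""Added example: what the _nest() scheme does at the edges, beside ordering by
a real parent column. Illustrative code written for this thread, not
FurAffinity's. LEVELS/DIGITS mirror the nine cases of three decimal digits in
_nest(); the row tuples are constructed sample data."""

LEVELS = 9   # the switch has cases 0..8
DIGITS = 3   # each depth owns three decimal digits, i.e. sibling numbers 1..999


def nest_key(parent_key, depth, existing_siblings):
    """Same arithmetic as _nest(): add (existing siblings + 1) into this depth's
    digit slot. For depth >= LEVELS no case matches in the original switch and the
    parent's key comes back unchanged."""
    if depth >= LEVELS:
        return parent_key
    slot = 10 ** (DIGITS * (LEVELS - 1 - depth))
    return parent_key + slot * (existing_siblings + 1)


def reply_chain_keys(length):
    """Keys for a chain where every comment is the first reply to the previous one.
    From depth 9 on, every key equals the depth-8 key."""
    keys, key = [], 0
    for depth in range(length):
        key = nest_key(key, depth, 0)
        keys.append(key)
    return keys


def thousandth_reply_collides():
    """The 1000th reply to the first top-level comment is given the key the second
    top-level comment already has: the sibling count spills into the parent's slot."""
    first_top = nest_key(0, 0, 0)
    second_top = nest_key(0, 0, 1)
    return nest_key(first_top, 1, 999) == second_top


def depths_lost_as_double():
    """In PHP, literals above PHP_INT_MAX become floats, so the sums run in IEEE
    doubles. Starting from a depth-0 key (1e24), the slots smaller than the
    double's spacing at that magnitude (about 1.3e8) add nothing."""
    base = float(nest_key(0, 0, 0))
    return [d for d in range(1, LEVELS)
            if base + float(10 ** (DIGITS * (LEVELS - 1 - d))) == base]


def threaded_order(rows):
    """rows: (id, parent_id or None, created). Returns [(depth, id)] in display
    order using only the parent column: no digit budget, any depth, no counting
    query per insert. Iterative so a long chain cannot hit the recursion limit."""
    children = {}
    for cid, parent, _created in sorted(rows, key=lambda r: (r[2], r[0])):
        children.setdefault(parent, []).append(cid)
    out, stack = [], [(cid, 0) for cid in reversed(children.get(None, []))]
    while stack:
        cid, depth = stack.pop()
        out.append((depth, cid))
        stack.extend((c, depth + 1) for c in reversed(children.get(cid, [])))
    return out


def sample_rows(chain_length):
    """Constructed data: one reply chain `chain_length` deep, plus a second
    top-level comment posted a minute after the first."""
    rows = [(1, None, "2010-12-20 10:00")]
    for i in range(2, chain_length + 1):
        rows.append((i, i - 1, "2010-12-20 10:%02d" % i))
    rows.append((chain_length + 1, None, "2010-12-20 10:01"))
    return rows
```

The parent-column version is what the "reply to X" link already implies; the only reason to keep a precomputed sort key at all is to let the database return a page of comments in display order, and a materialized path stored as text (no arithmetic, no digit budget) does that without any of the three failure modes above.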
-
Wow, that code is awesome(ly hilarious). That is the code of someone who failed a PHP course at their local community college and doesn't have the good sense to never write another line of code ever again.
-
Back to the original topic (though that particular piece of code always makes me laugh, seriously):
Sean Piche, have we learned the lesson that when your site is clearly being actively compromised, you PULL THE FUCKING PLUG? This way, you avoid having to pull shit like this: fatfingering a DB restore, dealing with the unknown effects of an attacker running amok, having to post another "oops we fucked up" notice, and the corresponding need to save face
No? You haven't learned that lesson? Welp
-
Haha I showed that coding to my boyfriend (professional programmer), he just sat there and said "This makes me physically ill." and "If I wrote code like this, I'd be fired."
It's sad that Eevee's fix for that was never implemented.
And the fact that they fucked up the comment tables while trying to do a db restore is just fucking retarded.
Sean Piche, have we learned the lesson that when your site is clearly being actively compromised, you PULL THE FUCKING PLUG?
Naw. He'll live by his decision and say it was the proper thing to do! With furries, there are no mistakes, because you'll always get someone telling you that it wasn't your fault.
-
So someone on Lulz (http://lulz.net/furi/res/1403801.html) is now reporting they're getting notifications for replies to comments they never made and don't exist.
I'm guessing Yak didn't go ahead and delete any data that was related to the data he erased?
-
Maybe IDs are somehow getting reused? Eevee? What would happen in this situation that would explain this?
-
If the comment ID is a foreign key in the messages table, and the old comments were deleted but the messages referring to them weren't, then yes - they should show up as people start making comments again.
It might be fixed by figuring out the datetimes affected and then wiping those comment entries, assuming that information is recorded in the messages table.
If it's not . . . hmm. You could be kinda screwed because people have also been making valid comments that should show up with those IDs. Maybe check whether they have any involvement whatsoever?
-
If the comment ID is a foreign key
AFAIK they don't have those. The code was originally targeting mysql 3, which didn't have relational support. If they added them to the schema, I would be surprised.
-
If the comment ID is a foreign key
AFAIK they don't have those. The code was originally targeting mysql 3, which didn't have relational support. If they added them to the schema, I would be surprised.
hahaohwow.gif
-
So someone on Lulz (http://lulz.net/furi/res/1403801.html) is now reporting they're getting notifications for replies to comments they never made and don't exist.
I'm guessing Yak didn't go ahead and delete any data that was related to the data he erased?
Most likely they're doing joins on the two tables together somehow and a sequence number has been reset somewhere (related to journals) while the actual comments probably still exist in some sort of relational table. That's just pure speculation but I'm sure it's something retarded like that.
Eevee: I really, really, really liked that piece of PHP code. Also, you (possibly?) exposed one of the DB tables they have - so now some wacko can probably find somewhere to run SQL injection and delete the shit out of df_comments - assuming that's the real table name... :D
-
Maybe IDs are somehow getting reused? Eevee? What would happen in this situation that would explain this?
Comments table had its auto_increment rolled back by the restore (remember, this is MySQL, where autoinc is a table property and not just "max of this column" or a first-class sequence), comment notification table still has its old data, new comments start being made with the ids that already had notifications sent. "This comment has been deleted" suddenly turns into "oh this comment DOES exist".
AFAIK they don't have those. The code was originally targeting mysql 3, which didn't have relational support. If they added them to the schema, I would be surprised.
I'm almost positive the various "this thing is deleted" errors, and the occasional comment made by nobody, are all due to rows pointing to other rows that don't exist. (See above etc.) Adding foreign keys would break the site's "functionality".
Eevee: I really, really, really liked that piece of PHP code. Also, you (possibly?) exposed one of the DB tables they have - so now some wacko can probably find somewhere to run SQL injection and delete the shit out of df_comments - assuming that's the real table name... :D
The tables have all been renamed at least once since this code was leaked. And it doesn't matter anyway; I have a Ferrox importer script that quite clearly documents almost all of the schema, and Pi has it available publicly.
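The failure mode Eevee describes above (comments table restored, its counter rolled back, notification rows left pointing at ids that get handed out again) is easy to reproduce and, more usefully, to detect and clean up. The following is an added example, not FA's code: it uses sqlite3 with a table whose ids recycle like a rolled-back auto_increment, hypothetical table and column names, and constructed timestamps. It shows the two checks a DBA would run after such a restore (notifications with no comment, and notifications older than the comment they point at) and the datetime-window purge suggested earlier in the thread, which only works because the notification row records when it was created.

```python
import sqlite3

# Constructed sample data; the table names are hypothetical, not FA's schema.
BACKUP_AT = "2010-12-20T10:00:00"    # moment the restored backup was taken
RESTORED_AT = "2010-12-20T12:00:00"  # moment the restore was performed


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        -- INTEGER PRIMARY KEY without AUTOINCREMENT: sqlite assigns max(id)+1,
        -- which mimics a MySQL auto_increment counter rolled back by a restore.
        CREATE TABLE comments (
            id        INTEGER PRIMARY KEY,
            author    TEXT NOT NULL,
            body      TEXT NOT NULL,
            posted_at TEXT NOT NULL
        );
        -- No foreign key here, matching the situation described in the thread.
        CREATE TABLE comment_notifications (
            recipient  TEXT NOT NULL,
            comment_id INTEGER NOT NULL,
            created_at TEXT NOT NULL
        );
    """)
    return con


def post_comment(con, author, body, posted_at, notify):
    """Insert a comment and fan out one notification row per recipient."""
    cur = con.execute(
        "INSERT INTO comments (author, body, posted_at) VALUES (?, ?, ?)",
        (author, body, posted_at))
    comment_id = cur.lastrowid
    for recipient in notify:
        con.execute(
            "INSERT INTO comment_notifications VALUES (?, ?, ?)",
            (recipient, comment_id, posted_at))
    return comment_id


def restore_comments_only(con):
    """Simulate restoring just the comments table from the backup: rows written
    after BACKUP_AT disappear, the notifications table is left untouched."""
    con.execute("DELETE FROM comments WHERE posted_at > ?", (BACKUP_AT,))


def orphaned_notifications(con):
    """Notifications whose comment no longer exists (the 'comment deleted' case)."""
    return con.execute("""
        SELECT recipient, comment_id FROM comment_notifications n
        WHERE NOT EXISTS (SELECT 1 FROM comments c WHERE c.id = n.comment_id)
    """).fetchall()


def reused_id_notifications(con):
    """Notifications older than the comment they point at: the id was recycled
    after the restore, so the recipient now sees a comment they never received."""
    return con.execute("""
        SELECT n.recipient, n.comment_id FROM comment_notifications n
        JOIN comments c ON c.id = n.comment_id
        WHERE n.created_at < c.posted_at
    """).fetchall()


def purge_lost_window(con):
    """Delete notifications created in the window the restore threw away."""
    cur = con.execute(
        "DELETE FROM comment_notifications WHERE created_at > ? AND created_at <= ?",
        (BACKUP_AT, RESTORED_AT))
    return cur.rowcount


def demo():
    con = build_db()
    post_comment(con, "alice", "before the backup", "2010-12-20T09:00:00", ["bob"])    # id 1
    post_comment(con, "carol", "lost by the restore", "2010-12-20T11:00:00", ["dave"])  # id 2
    restore_comments_only(con)
    orphans = orphaned_notifications(con)           # dave -> id 2, which no longer exists
    new_id = post_comment(con, "erin", "posted after restore", "2010-12-21T08:00:00", [])
    ghosts = reused_id_notifications(con)           # dave -> id 2, which is now erin's comment
    purged = purge_lost_window(con)
    return {
        "orphans": orphans, "reused_id": new_id, "ghosts": ghosts,
        "purged": purged, "after_purge": reused_id_notifications(con),
    }


if __name__ == "__main__":
    print(demo())
```

The orphan query answers "which notifications point at nothing" right after the restore; the second query is the one that still catches the problem once new comments have recycled the ids, which is the point at which the orphan query goes quiet and users start seeing replies to comments they never made.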
-
re: that wonderful piece of code, that was (IIRC) Arcturus' "fix" of Jheryn's code. I have no clue what was wrong with Jheryn's original code that this was considered an improvement.
From April 1st 2005, over a few days, presented without comment:
Arcturus has ChannelCat offering 'help'. Hmm. A ploy to destroy FA, maybe?
<Arcturus> He offered to fix the comments, if I sent him the comment script.
<Xax> On the one hand, Sheezy's comment script sucks too. On the other hand, FA's is really broken.
<Laios> shivers at hearing about anonymous help.
Lunch_Wolf changes nick to Schizo_Wolf
<CBee> Seems to be a fair request.
<Arcturus> Maybe, but he's not getting his hands on FA's comment code. Nope.
<CBee> Why for?
<Arcturus> Probably for the same reason that SheezyArt isn't giving out copies of its code?
<CBee> Fair enough.
<Xax> Because everyone hates the open-source movement?
<Xax> I mean, server integrity etc, but I fail to see how something as small as the comment code could cause havoc if leaked.
<CBee> Aren't the comments handled using DevoyBB?
<Nitro> Arcturus, do you have any idea when correct comment-ordering will be implemented?
<Arcturus> Soon, alright. Jeez.
<Nitro> XD
<Arcturus> just found out her little brother is really sick, nearly had to go to hospital, so right now, fixing comments isn't a priority.
<Arcturus> bounces.
<Lt_Havoc> What now?
<Arcturus> I just fixed comment sorting ^_^
<Arcturus> is happy.
<Arcturus> ponders working through the actual buglist now.
<Arcturus> grumbles and finds that the sorting isn't going as well as she hoped and has a glitch, says fuck it and goes to eat dinner and play a game, before working on anything more.
Arcturus changes nick to Arcturus[AFK]
(Sadly, I can't find the time Arcturus posted part of the comment code in the channel and people reacted to it.)
-
For some reason fathomable only to Eris, I have been talking to Dragoneer. Sort of.
<Pi> "hey, $dude, my site is being actively compromised! we an't seem to shut the attackers out with our ineffective 'read-only-mode' and 'admin-only-mode' actions!"
<Pi> "well it sounds like you ought to pull the plug"
<Dragoneer> We did pull the plug the first time.
<Dragoneer> I would have done it the second time, but was advised against it by the people who "know what the fuck they're doing".
<Pi> then you need to get better people :I
<Pi> i can't imagine any situation in which a production site currently being compromised with a massive data leak in progress should remain online
Now, there's the possibility that my imagination isn't what it used to be, right?
-
<Dragoneer> I would have done it the second time, but was advised against it by the people who "know what the fuck they're doing"
GROW SOME BALLS, SEAN.
It should be obvious by now no one on your "ops team" knows what the fuck they're doing.
-
Assuming someone actually told him that, I'd love to know what their rationale was. Assuming they had any.
-
Assuming someone actually told him that, I'd love to know what their rationale was. Assuming they had any.
"They" had.
The notes leak took place before any visible modifications that made FA aware of the hack did. The site was initially shut down and re-opened only after an XSS hole in troubletickets was found, identified and fixed.
I didn't account for weak security in admins' personal emails, which allowed for the second hack to take place.
-
I didn't account for weak security in admins' personal emails, which allowed for the second hack to take place.
Well there's your problem.
-
Yeah I know. It's being worked on. Every admin will probably have an @fa.net email address in the end and additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication. For now basic auth will do, it'll be improved later.
-
Yeah I know. It's being worked on. Every admin will probably have an @fa.net email address in the end and additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication. For now basic auth will do, it'll be improved later.
Since you're here, what about this:
the code probably still has as many holes as it did this time last month.
Confirming that FA is still completely vulnerable to the same attack that caused FAleaks. It'd be slightly more complicated to pull off, but that's all.
-
Yeah I know. It's being worked on. Every admin will probably have an @fa.net email address in the end..
[12:29:42] <net-cat> Also, all the staff have @furaffinity.net email addresses. Some of us opt to not use it. It is not, as you say, a "paid privilege."
Will they be forced to use them or will they be allowed to "opt out" like net-cat says they can? Sounds to me like if they already all have them anyways, the easiest thing to do right now is to force them to use their FA email on their FA accounts. No exceptions. If someone has trouble checking a second email address every day then maybe their position on FA staff is too difficult for them as well.
-
They'll just pop them with whatever popular webmail service they prefer, leaving the whole thing just as open and insecure as ever.
-
Yeah I know. It's being worked on.
::)
-
additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication.
That's nice. How about protecting your users from XSS?
For now basic auth will do, it'll be improved later.
Will it, now. Do you realize that you just offered to put yet another band-aid fix on top of a band-aid fix that doesn't fully solve the problem?
-
Honestly Yak, I don't even get why you bother with FA anymore. The whole operation seems to be bugged on so many levels, that it just seems like a criminal waste of time to even bother with the site. This isn't to say you're completely free of liability here, but unlike Dragoneer, you can jump ship. What on earth is keeping you on the staff?
-
and additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication. For now basic auth will do, it'll be improved later.
Will be implemented? This attack was a month ago now; why isn't it long since implemented? You still have plenty of other holes. Stop taking this lightly.
By the way, I believe your basic auth can be trivially circumvented at least two ways—one obscure but simple, the other well-known but tricky.
-
Honestly Yak, I don't even get why you bother with FA anymore. The whole operation seems to be bugged on so many levels, that it just seems like a criminal waste of time to even bother with the site. This isn't to say you're completely free of liability here, but unlike Dragoneer, you can jump ship. What on earth is keeping you on the staff?
He wants all the laudations and the elevated community status while doing the least amount of work.
-
He wants all the laudations and the elevated community status while doing the least amount of work.
Naw, that's not Yak. He doesn't say enough of anything to warrant that. That is more of Dragoneer's thing.
Most of the tech staff on FA really keep quiet. For good reason, really. If they talked more, people would remember "Hey! The site has coders!".
-
http://www.furaffinity.net/system/sql.sys
http://pastebin.com/6XWucRUF
Someone posted that link on lulz. Apparently one ought to block random requests to things like that and its credentials are bad.
-
$sql->server = '192.168.1.1';
$sql->user = 'furaffinity';
$sql->password = 'kayWrolv~quoles6';
...
are these...
are these the fucking PRODUCTION CREDENTIALS? Holy jesus fuck, this shouldn't ever be anywhere near the web root. What in the fklasd;glkjsadlg
-
See, between this and the whole "We're redesigning the site, honest to God!" crap, I have no faith in Dragoneer to actually fix the site.
-
Apparently /functions.sys is also sitting out there. These files just shouldn't be sitting around accessible to the whole world. What in the fuck are they smoking over there?
-
Could an explanation of the seriousness be explained for people who probably don't quite get it? It would probably be most helpful.
-
That's the username and password information that the website uses to read (and presumably write) data to the database.
-
Could an explanation of the seriousness be explained for people who probably don't quite get it? It would probably be most helpful.
FA's database password is now a matter of public record. They left it in a publicly visible location. This is such an amateurish and shortsighted mistake that I am reduced to staring at my screen and frowning.
-
FA's database password is now a matter of public record.
In before even more hacking.
-
Apparently /functions.sys is also sitting out there. These files just shouldn't be sitting around accessible to the whole world. What in the fuck are they smoking over there?
I like the SHA1 and MD5 hashes:
function _encrypt($string)
{
    $first = crypt($string, '$2a$07$'.sha1('d67c5cbf5b01c9f91932e3b8def5e5f8').'$');
    $final = sha1($first);
    return $final;
}

//
// Part of the newer authentication system
//
//
function _password_hash($password, $salt)
{
    $static_salt = md5('g>m$`w6;8+BL/(p7`dvn+$n2mtjU7}3`');
    return hash('whirlpool', $salt.md5($password).$static_salt);
}
I don't know much about how those PHP functions work but doesn't knowing the salt allow you to more easily brute force/dictionary attack those passwords?
Edit:
Looks like they exposed SQL tables in functions.sys as well. Hooray!
$query = 'INSERT INTO messagecenter_comments_submission VALUES ('.$target_id.', '.$comment_id.')';
$sql->query($query, 'send subm. comment notification', __FILE__);
Edit2:
More exposed files:
http://www.furaffinity.net/system/header.sys
http://www.furaffinity.net/system/end.sys
That hard-coded nesting function is still there too, unchanged:
function _nest($newnestid, $nestswitch, $rowid, $table='comments_submission')
...
-
Between this, the money issues, and, well, everything else I'd say their days are numbered but that goddamn site is unkillable. Dragoneer will somehow stumble through this, I'm sure.
That and if they really were about to go offline due to lack of funds some dumb white trash furfag would offer up their tax refund or something. They'll never face a financial apocalypse.
-
//// Used to verify that the value is what it is supposed to be...
// IE: if i need the numeric ID of a board, it needs to verify that the value is an integer, not a string.
// This way, we can make sure that SQL isn't injected.
//
function check($value, $constant)
{
    if($constant == 1)
        if(is_numeric($value) == TRUE)
            return $value;
        else
            return FALSE;
    if($constant == 3)
        if(is_float($value) == TRUE)
            return $value;
        else
            return FALSE;
    if($constant == 4)
        if(is_array($value) == TRUE)
            return $value;
        else
            return FALSE;
    // These, strip out anything that MUST be stripped
    //
    if($constant == 2)
        return addslashes(stripslashes(stripslashes($value)));
    if($constant == 5)
        return makeproper($keyword);
}
In which Yak can count! 1, 3, 4, 2, 5! What in the FUCK?
return addslashes(stripslashes(stripslashes($value)));
I, uhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
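What that check() function is reaching for, and what the addslashes() line gets wrong, is the separation of validating a value's type from keeping it out of the SQL text. The following is an added example, not FA's code: it validates an id as a plain integer (stricter than PHP's is_numeric(), which also accepts forms like "1e3" and leading whitespace) and then performs the "send subm. comment notification" insert quoted above with bound parameters instead of string concatenation. The table name is the one exposed in functions.sys; its column names are assumed.

```python
import re
import sqlite3

# A plain non-negative integer: no sign, whitespace, exponent or hex prefix.
PLAIN_INT = re.compile(r"^(?:0|[1-9][0-9]{0,17})$")


def check_id(value):
    """Return value as an int if it is a plain integer (int or digit string), else None.
    Unlike escaping, this rejects bad input outright instead of trying to neutralise it."""
    if isinstance(value, bool):          # bool is an int subclass in Python; never an id
        return None
    if isinstance(value, int):
        return value if value >= 0 else None
    if isinstance(value, str) and PLAIN_INT.match(value):
        return int(value)
    return None


def build_db():
    con = sqlite3.connect(":memory:")
    # Column names are assumed; only the table name comes from the leaked file.
    con.execute("""CREATE TABLE messagecenter_comments_submission (
                       target_id  INTEGER NOT NULL,
                       comment_id INTEGER NOT NULL)""")
    return con


def send_comment_notification(con, target_id, comment_id):
    """Validate both ids, then insert with bound parameters. The driver sends the
    values separately from the statement text, so no quoting of the values is needed."""
    tid, cid = check_id(target_id), check_id(comment_id)
    if tid is None or cid is None:
        raise ValueError("ids must be plain integers")
    con.execute(
        "INSERT INTO messagecenter_comments_submission (target_id, comment_id) VALUES (?, ?)",
        (tid, cid))
    return (tid, cid)


def notification_accepted(con, target_id, comment_id):
    """True if the insert went through, False if validation rejected the ids."""
    try:
        send_comment_notification(con, target_id, comment_id)
        return True
    except ValueError:
        return False


def row_count(con):
    return con.execute("SELECT COUNT(*) FROM messagecenter_comments_submission").fetchone()[0]


if __name__ == "__main__":
    con = build_db()
    for sample in ["42", "1e3", " 42", "42abc", "0x2A", "-1"]:
        print(repr(sample), "->", check_id(sample))
    print(notification_accepted(con, "7", 12), notification_accepted(con, "1e3", 12), row_count(con))
```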
-
furaffinity.net/system now returns a 404.
They just hid it better now.
-
furaffinity.net/system now returns a 404.
They just hid it better now.
So, FA wasn't aware their code was publicly viewable, and someone told them within the last 24 hours? Could someone still use the password and name thing Pi mentioned and wreak havoc with FA no matter what, or could they have already changed it and averted another disaster?
-
So, FA wasn't aware their code was publicly viewable, and someone told them within the last 24 hours? Could someone still use the password and name thing Pi mentioned and wreak havoc with FA no matter what, or could they have already changed it and averted another disaster?
Putting that kind of thing in the webserver's view is staggeringly wrong in so many ways that I'm not really sure how to explain it. Amazingly, though, there's no obvious way to dump the database — that's on the one server whose MySQL port wasn't exposed to the public. I'm sure some digging around would have found some kind of PHPMyAdmin installation, from where the DB could be dumped.
If they were smart, they will have changed it.
If they were smart, they would have put up more extensive firewalling (they haven't. i can still. reach. the. sunrpc. portmapper. on. their. big. box. it has been at least a week.)
If they're smart, they would have done so many things differently.
Long story short: They have no idea what the fuck they're doing, but they keep trying to spin it like the problem is on our end for complaining about it.
-
So (again, not really having a whole lot of knowledge here), what is the correct way to do this, then? Not defending their stupidity, but I notice a lot of the PHP apps I have used have a subdirectory in their distribution usually called conf/ from which a file is included that includes stuff like the db password. Thing is though, those files are usually prefaced with a call to exit() or if a variable isn't defined, die("access denied") or something. That said, the file is still technically in the web server's view, and I see no way to fix that without modifying the app itself.
Really then, it seems to me their idiocy is not having some kind of guard like that on critical configuration files, just allowing them to be dumped like that.
And re: phpMyAdmin, I get bots on my DSL-line webserver looking for that (it isn't there, I don't use it). I would think that if there was a phpMyAdmin install on a hosted domain like FA, hackers would have found it by now, and not necessarily furries either.
-
So (again, not really having a whole lot of knowledge here), what is the correct way to do this, then?
Run your application as an application, not as a hodgepodge of files that paste themselves into each other and need hacks to pretend they're not supposed to be directly callable.
Not defending their stupidity, but I notice a lot of the PHP apps I have used have a subdirectory in their distribution usually called conf/ from which a file is included that includes stuff like the db password. Thing is though, those files are usually prefaced with a call to exit() or if a variable isn't defined, die("access denied") or something. That said, the file is still technically in the web server's view, and I see no way to fix that without modifying the app itself.
Yes see this is all pretty retarded.
But it's extra-retarded in FA's case because these files had a different extension that made them non-executable, so nginx cheerfully served them raw.
-
So (again, not really having a whole lot of knowledge here), what is the correct way to do this, then? Not defending their stupidity, but I notice a lot of the PHP apps I have used have a subdirectory in their distribution usually called conf/ from which a file is included that includes stuff like the db password. Thing is though, those files are usually prefaced with a call to exit() or if a variable isn't defined, die("access denied") or something. That said, the file is still technically in the web server's view, and I see no way to fix that without modifying the app itself.
A well-written app will have a configuration file outside of the web root. The reason PHP apps do that is because PHP developers are generally stupid. PHP apps are frequently deployed on shared hosting where your only directory may be the web root. In this case, their configuration files have a .php extension so the server will parse them, instead of returning them as text, or a .htaccess denying access to everything under that directory. FA apparently cargo-culted this kind of structure without considering the implications or checking to ensure that their kludge properly locked down their includes. Typical FA, really. And of course Dragoneer has to flat-out lie about things:
Sean, your site just leaked the production database credentials. You need to stop the PR spin and focus on the very real issues you are having, right now. I mean seriously look at them, not sit there and say "good points, I'll think about 'em" like you usually do.
And it helps absolutely nobody that the first thing you do is download it, re-upload it, then wave it around and go "LOOK WHAT I'VE GOT! Everybody download it and attack the site."
Really then, it seems to me their idiocy is not having some kind of guard like that on critical configuration files, just allowing them to be dumped like that.
They have enough control over their application that this just shouldn't be a problem, since they're not on shared hosting and can require() files that don't live in the web root. They also have enough control over their network that I shouldn't be able to reach somewhat-sensitive UNIX services. C'est la vie, I guess.
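The two points made in the last few posts, that includes with a non-executable extension get served raw and that a config file should not be under the document root at all, can both be checked mechanically on a deployment. The following is an added example, not FA's code or any project's: it walks a document root, flags files the server would not hand to PHP (anything not ending in .php, which is an assumption about the server's handler map) that nevertheless contain PHP or credential-looking assignments, and separately reports whether a given config path sits under the root. The directory layout and file contents are constructed for the demo; the credential values are placeholders.

```python
import os
import re
import tempfile

# Extensions the web server hands to the interpreter (assumed); anything else
# under the document root is served byte-for-byte.
EXECUTED = {".php"}
# PHP open tag or credential-style assignments, as seen in a leaked config include.
SUSPICIOUS = re.compile(r"<\?php|->(?:password|user|server)\s*=|\$(?:db|sql)_?pass", re.I)


def served_raw_secrets(docroot):
    """Relative paths of files that would be served as plain text yet look like
    PHP or contain credential assignments."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTED:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(64 * 1024)   # enough to cover a config include
            except OSError:
                continue
            if SUSPICIOUS.search(text):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


def config_inside_docroot(docroot, config_path):
    """True if the config file lives under the document root at all, which is the
    structural mistake no extension trick or .htaccess fully fixes."""
    root = os.path.realpath(docroot)
    cfg = os.path.realpath(config_path)
    return os.path.commonpath([root, cfg]) == root


def demo():
    # Constructed layout: an htdocs tree with two .sys includes, plus a config
    # kept one level above the root. Credentials are placeholders, not real values.
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(docroot, "system"))
        os.makedirs(os.path.join(tmp, "etc"))
        files = {
            "index.php": "<?php require __DIR__ . '/../etc/sql.php'; echo 'hi';",
            "system/sql.sys": "<?php\n$sql->server = 'db.internal';\n$sql->password = 'PLACEHOLDER';\n",
            "system/functions.sys": "<?php\nfunction _nest() {}\n",
            "style.css": "body { color: #000; }",
        }
        for rel, body in files.items():
            with open(os.path.join(docroot, rel), "w") as fh:
                fh.write(body)
        outside = os.path.join(tmp, "etc", "sql.php")
        with open(outside, "w") as fh:
            fh.write("<?php $sql->password = 'PLACEHOLDER';")
        return {
            "served_raw": served_raw_secrets(docroot),
            "sys_inside": config_inside_docroot(docroot, os.path.join(docroot, "system", "sql.sys")),
            "etc_inside": config_inside_docroot(docroot, outside),
        }


if __name__ == "__main__":
    print(demo())
```

Run against a real tree, the first function is the "would nginx serve this raw?" check that should have been part of the deployment, and the second is the stricter test: even a .php-suffixed config under the root is one misconfiguration away from being text.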
-
Jouva pointed this out to me:
$first = crypt($string, '$2a$07$'.sha1('d67c5cbf5b01c9f91932e3b8def5e5f8').'$');
Note this MD5 sum above: d67c5cbf5b01c9f91932e3b8def5e5f8
From http://www.adamsinfo.com/creating-an-md5-on-linux-with-md5sum/
echo -n "teststring"|md5sum
Results in:
d67c5cbf5b01c9f91932e3b8def5e5f8
He literally copy-pasted an example into the code and never bothered to change it.
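To the question raised earlier about whether a known salt makes the hashes easier to attack, and to the copy-pasted constant above: the following is an added example, not FA's code, that models the two leaked schemes and puts a proper one beside them. The older _encrypt() used one fixed salt for every user, so identical passwords give identical hashes and a single precomputed table serves for the whole user base; the newer _password_hash() does use a per-user salt, so the leaked static salt mostly stops being a secret, but a single fast digest still makes guessing cheap. The models use sha1 and sha256 in place of the crypt()+sha1 chain and whirlpool (hashlib may not ship whirlpool), which keeps the properties under discussion while not reproducing the leaked constants. The remedy shown is a random per-user salt with PBKDF2-HMAC-SHA256 and a constant-time compare; the wordlist and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# The leaked static salt was the md5 of the tutorial's example input.
TUTORIAL_MD5 = "d67c5cbf5b01c9f91932e3b8def5e5f8"


def salt_is_tutorial_example():
    """Confirms the constant in the leaked code is just md5('teststring')."""
    return hashlib.md5(b"teststring").hexdigest() == TUTORIAL_MD5


def legacy_encrypt(password):
    """Model of the older _encrypt(): one fixed salt for everyone, then a fast digest.
    sha1 stands in for crypt()+sha1; the property that matters, same password ->
    same output for every user, is preserved."""
    fixed_salt = hashlib.sha1(b"teststring").hexdigest()
    return hashlib.sha1((fixed_salt + password).encode()).hexdigest()


def legacy_password_hash(password, user_salt, static_salt=TUTORIAL_MD5):
    """Model of _password_hash(): user_salt . md5(password) . static_salt into one
    digest (sha256 standing in for whirlpool). With the static salt public, only the
    per-user salt still separates users; the digest is still a single fast round."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha256((user_salt + inner + static_salt).encode()).hexdigest()


# Constructed wordlist: with a fixed salt, one table built once is reusable
# against every user's hash, which is exactly what per-user salting prevents.
WORDLIST = ["letmein", "hunter2", "password"]
PRECOMPUTED = {legacy_encrypt(w): w for w in WORDLIST}


def lookup_in_precomputed_table(leaked_hash):
    return PRECOMPUTED.get(leaked_hash)


ITERATIONS = 100_000   # constructed; tune to your hardware's tolerance


def modern_hash(password, salt=None):
    """Random 16-byte per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def modern_verify(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def compare_schemes(password="hunter2"):
    """Two users with the same password: which schemes let you tell them apart?"""
    modern_a, modern_b = modern_hash(password), modern_hash(password)
    return {
        "legacy_encrypt_identical": legacy_encrypt(password) == legacy_encrypt(password),
        "legacy_with_user_salt_identical":
            legacy_password_hash(password, "salt-a") == legacy_password_hash(password, "salt-b"),
        "modern_identical": modern_a == modern_b,
        "modern_verifies": modern_verify(password, modern_a) and not modern_verify("hunter3", modern_a),
    }


if __name__ == "__main__":
    print(salt_is_tutorial_example(), compare_schemes())
    print(lookup_in_precomputed_table(legacy_encrypt("hunter2")))
```

The lookup table is the answer to the "does knowing the salt help" question: against the fixed-salt scheme it is built once and applies to every account, whereas against a per-user salt it would have to be rebuilt per account, and a slow KDF makes each such rebuild expensive.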