Author Topic: FA implements comment hiding, exploits found, thrashing and flailing results  (Read 9363 times)

a pigeon

On the 13th of October FA implemented a new comment hiding feature; however, it was exploitable. Upon finding some of these exploits, Lexyeevee communicated with members of the FA staff about them. Little enough was done, it seems, so he used one of the exploits to hide some comments on the site to make the FA staff sit up and do something. FA was then put into read-only mode by the staff, pointlessly, because the exploit still worked even in read-only mode(!), and it seems there was much flailing and thrashing, and then Lexyeevee was banned.

Here is his LJ entry about it:

Quote from: lexyeevee
[...]
Here's what actually happened, because Dragoneer always writes for damage control, and nobody seems to quite get what's going on. [...]

On Wednesday, FA rolled out soft comment deletion. You can now hide any comment you wrote, or that's posted on a journal/submission you own. Unless you're an admin, in which case you can hide anything, naturally. Some may recall that, until very recently, deviantArt's similar system had a glaring flaw: hidden comments were still in the page source, just hidden with CSS. You could view-source, or use Web inspector tools, or get a Greasemonkey script to see hidden comments. This is a pretty simple feature, and even dA and their buckets of money screwed it up.

With that in mind, I was curious to see how FA managed. The first thing I noticed was that hidden comments were still, technically, visible. Normally, when you click the "reply" link, you jump to the form at the bottom of the page. But there's also a non-javascript version of replying (which is good!), which just shows a barebones page containing the original comment. The URL looks something like http://www.furaffinity.net/replyto/journal/1234/. A quick test confirmed that you can still see this page even if the comment is hidden—the only catch is that you need the comment id. You'd have to fumble in the dark to find it and there's no way to be sure it's the right one... but at the very least, if you see a comment someone made, you can keep that reply page open and prove they said it in case of deletion.

So, not a huge problem, but still an obvious oversight. Let's call this exploit A. This is when I made this tweet

The next most obvious thing was that comments were hidden by clicking on a link. This is bad. This is very, very bad. This is like basic security mistake #2. Because this is susceptible to cross-site request forgery; CSRF.

The basic idea here is: because it's a link, it's very easy for me to trick you into visiting it. I can take the link http://example.com/delete_everything, put it in an <img> tag, and put it on webspace I control somewhere. As soon as you come along and see my page, your browser will hit that URL, trying to find an image. The server doesn't know or care that it's in an image tag; it just knows you're hitting the "delete everything" page, and you're logged in, so it dutifully does what you ask and deletes everything.

So we have exploit B. I mentioned this in an IRC channel where FA's only semi-developer lurks, considering how to do a quick demonstration against the journal where Dragoneer announced the comment-hiding feature. He piped up to say he knew they were issues and didn't really care.

I think that's sort of a terrible attitude, so I did it anyway. I put together "hide me" URLs for every comment on that journal, put them all in img tags, and posted them to LJ, knowing that Dragoneer has me friended. As soon as he—or any other admin, actually—saw my entry anywhere, they'd hit FA a bunch of times "asking" to have all those comments hidden.

And it worked, and it looked very silly, and a laugh was had by all, and I more or less forgot about it after that.


Now, while waiting for someone to see my post that exploited B, a thought occurred to me.

The links for deleting comments look like this: http://www.furaffinity.net/journal/1234/?action=remove_comment&comment_id=5678

There's something slightly fishy about this. Consider carefully.

Why does FA need to know both the comment id and the journal id? Comments are already attached to journals; given a comment, it should be very easy to find out what journal it belongs to. The journal id is completely useless.

But it's there, which means it might be used for something it shouldn't be. A potential exploit C.

So I tried another mini test. I used a journal id for a journal I'd written, which I had permission to hide comments on. But I used a comment id from a different journal—Dragoneer's, again.

Unfortunately, someone stumbled across the LJ post about the time I tried this, which hid every comment including the one I tested against. I never noticed the results or thought to try again. But yak did say, later, that oddly one comment was marked as having been admin-deleted by me; I'd already forgotten my C test and wrote it off as an odd curiosity.

Tonight, what he said occurred to me again. So I took another look.

It turned out that he'd tried to defeat B, by adding an invoker_id to the comment hiding URL containing your user id. I guess the idea was that I couldn't just take my own URL and get Dragoneer to visit it, because it'd have the wrong user id in the URL. But that's pretty easy to work around; just put Dragoneer's user id in the link. Whoops.

Anyway, I tried C again. And it worked. FA checked that I owned the journal, and it checked that the invoker_id was me, but it didn't check that the comment matched the journal. This is a nigh-unbelievable oversight.

I would like to take another paragraph to emphasize how incredible this is. If you aren't a nerd, find one, and explain this issue to him. He will laugh until he cries. Really. This is like installing a lock on your door but letting any key fit in the keyhole because you forgot the actual locking mechanism. Since I don't have to wait for someone to stumble across an image or link I lay in wait for them, this is much much easier to abuse. So I abused it much much more.

I set off three little shell loops, all just piping things through wget, the command-line downloader.
- One to hide every comment in all of Dragoneer's journals, starting in the present and going backwards.
- One to hide the most recent comment made, then every 133rd comment, going backwards.
- One to shotgun hide comments completely at random.

I figured this would demonstrate the problem a little better. Even better, because I wasn't the comment or journal owner, the site defaulted to claiming that all these comments were hidden by "an Administrator". Several thousand comments later, cue a little panic amongst the ranks. I found half a dozen journals asking what was going on, and for good measure, hid one or two comments from each of them—picking the ones that sounded the most conspiracy-theory-ish.

Anyway, the site was put into read-only mode, which didn't actually stop the exploit. I killed my wget loops and pointed this out. The site was then put into admin mode, which also didn't actually stop the exploit. Useful lever to have, there. I was banned, the problem was ostensibly fixed (though I can't tell because I'm banned), and the comments are for some reason being restored manually, case-by-case. Which has got to suck when I deleted a ton of them totally at random.

So if I may comment on all of this.

I. I was running off of the following information:
1. It would take about ten seconds to fix this problem. One line of code.
2. It would take about ten seconds to undo what I did. One database query.
3. None of this could cause permanent damage.

It seems I neglected to account for yak's crazy Russian sleeping schedule, which after two years I still can't get right. And apparently some people conduct business via comments, which is... not a phenomenon I was aware of.

II. I didn't do this to show off, or to get attention, or because I'm a sociopath, or whatever. I did it because it was really, really funny.

Well, okay. I'm also exasperated seeing even brand new features be riddled with holes. This is a grade-school error and could have been caught any number of ways (such as, you know, asking me to beat on it before releasing it). Not to say I was trying to "teach a lesson"; it was more like going "LOOK GUYS THERE'S A PROBLEM RIGHT HERE" and then kicking one of the sixty hornets' nests in your living room. Except the hornets were pacifists and the nest was empty. I don't know; there's no good analogy here.

III. I didn't want to step on anyone's toes or cause any permanent damage. I certainly didn't expect the entire site to be locked down when the whole thing could have been undone in seconds. I do sincerely apologize to anyone who was seriously bitten by this. You were the target audience, not the target.

IV. I hope this legitimately garnered FA's attention, because it's far from the worst problem. There are potential exploits for deleting any journal or submission, permanently destroying it, and they aren't hard to figure out.

I have no problem explaining these issues to FA dudes. But FA has been indifferent towards development for about as long as I've known of it, save for when it generates some PR, and I have no reason to believe they'll suddenly care today. It's not that I'm spiteful; it's that this just didn't even occur to me as a legitimate way to get anything done. Even yak said he didn't care about the CSRF exploit B, which was functionally equivalent to the exploit C from today.

[...]

TL;DR: The exploits from Wednesday and today were different. The fix on Wednesday didn't actually fix anything. The exploit today was really, really, really stupid. I'm a jerk. FA is swiss cheese.

http://eevee.livejournal.com/329409.html

On Furrydrama_2 Lexyeevee and Dragoneer discussed things. It's quoted here since it might give you more of an insight (if you care) into FA's disastrous history, how the leadership works (or doesn't), "the community" etc:

Quote from: Dragoneer
Eevee used to be Lead Ferrox Dev on FA.

If anybody is wondering, "What happened to Ferrox?" you're looking at the results of what we had to deal with. Just instead of bullshit on OUR side, he decided to fuck over the site rather than go "Hey, dipshits! LOOK AT THIS!".

http://community.livejournal.com/furrydrama_2/213784.html?thread=17979416#t17979416

Quote from: lexyeevee
This doesn't quite match my memory.

What happened to Ferrox is that neither the admins nor the userbase had any real interest in it. It was used as a scapegoat for distant-future features, and nothing more. Proposing anything other than "FA + fresh paint" got shrugs from you guys and flamewars from users. You personally never wanted to step in and take a definitive stand, whether it was to agree with me or not.

And then you accused me of not keeping anyone up to date on what was going on. I fought to get a live development deployment; I fought to get the code freely available; I put up a damned Twitter account that mentioned every single change made. Anyone could look and comment at any time. We conjectured features on the forums and talked in the IRC. We sort of half-tried to have a bug tracker, though I think we all sucked at that. Nobody took any real interest.

yak was aware of problems when this was launched, and even noted this exploit before I realized it was one. You don't listen, and he doesn't care. Please don't play the victim card here. I deliberately didn't do anything that would take more than five seconds to fix, either code-wise or data-wise.

http://community.livejournal.com/furrydrama_2/213784.html?thread=17983256#t17983256

Quote from: dragoneer
We had a hell of a lot of interest in it, but I left you to your own devices rather than police you and look over your shoulder every five minutes.

I didn't accuse you of not keeping anybody up-to-date. I checked in to see what was going on from time to time, and I followed the Twitter as well, but I still wanted to check in with you.

But then you started going off the handle, flaming ANYBODY who disagreed with you, and making the entire administration look like jackasses. At least Crypto had the courtesy to at least not do ANYTHING. Crypto just never coded anything, at all... at least THAT I could be like "Fuck, whatever! Time lost".

You just flamed anybody who didn't meet your vision of what YOU wanted FA to be, and you didn't want "FA". You wanted your own site.

And Ferrox was meant to START as a new platform. We wanted FA with a "fresh coat of paint" so that it had an entire working infrastructure, a base, with well coded features, designs, filters and more. It was meant to be a stepping stone. Get Ferrox out the door, then build UP. Fix the site, then improve it.

And yak had applied a patch, and was trying to get it fixed. We thought he had.

But oh no, you had to go fucking all out and start wiping ANYBODY's comments in order to prove your point. God forbid you give a shit about anybody you burn.

http://community.livejournal.com/furrydrama_2/213784.html?thread=17984536#t17984536

Quote from: lexyeevee
You're right, I got angry at the Internet a lot. For that, I do apologize.

But please try to understand what I saw. I mean, this is probably the most you have ever said to me. Ever! Hiding some comments for a few hours got your attention much better than months of useful work from scratch.

I wanted to build something good and useful. I wanted to re-examine every bit of FA, because I knew it was built largely in the shadow of DA and other generic sites, and we deserved better. I wanted to get everyone, or at least you, excited to see what fabulous things we could have for ourselves.

And nobody was. Nobody on staff seemed so much as interested, and certainly nobody had my back. So, yes, I was sort of irritated that the only interest I garnered was argument that my ideas were terrible because they bucked the status quo.

You're right, I didn't want "FA". "FA" barely means anything! You have posting, commenting, watching, favoriting. It's all the most barebones features, and even half of those are missing and are done manually by administrators. There's no heart or soul to the software itself—you even said on multiple occasions that it's "about the community". So what does it matter what I wanted to build?

I was building a new platform. But you can't very well build a platform without knowing what direction you're going in, or you'll end up with FA again! I wanted to have some idea of what the ultimate ideal goal was, so I could at least build a foundation that would support it. You didn't want to commit to anything one way or the other, and that is why I gave up.

I don't fling comments at you to be a snarky dick. I mean it. FA has no programmers; yak is a sysadmin, and I'm not sure net-cat and tsawolf really do anything. And you are a great guy and all, and you are great at PR, but you don't lead and that is very harmful. FA is quietly stagnating, held up by inertia and lack of sufficiently impressive competition. I complain because I want to see it be amazing, and I gripe because nobody else shares this interest.

yak's patch was bad and didn't even fix the original exploit. He knows how to fix this for real. Several of us have told him how to fix this for real. I would cheerfully explain it in grotesque detail. No interest.

And I'm not the super blackhat you make me out to be here. I knew people would notice quickly, I knew the hider's username was recorded, and I knew it was easily reversible. I have no interest in doing anything legitimately destructive.

http://community.livejournal.com/furrydrama_2/213784.html?thread=17984536#t17984536

Quote from: dragoneer
And I wanted FA to work. At no one point did you *EVER* say to me "It just doesn't make sense to do it the way you wanted."

I wanted FA to have a solid core, and finally get away from the fucking bug-riddled shit we've had to deal with. That was my concern, that we give it a proper base to ensure everybody can use the site, then build it up and make into something great.

And I've taken a much stronger stance on leadership since the time you were there. It's been almost two years, and I've taken more initiative. I'm not going to say I'm great at it, and I never fessed up to being great at it.

When I started on FA, I started as a user... a user who gave a shit about the community. When it died, I helped rebuild, I helped bring it back up. I got put into the position I was in, not entirely by my choice, and I ran with it. And I did everything I could to protect the community.

I never claimed to be a coder, a leader, the guy. I don't run around telling people how great I am like Kage, or putting on some special show and trying to lead and influence the fandom. I've just been me, and fighting to keep the community running and alive for god damn years.

And I'm taking measures to ensure things are done *RIGHT* from this point on. I have been, and we've been working towards that.

It's not perfect, but neither is FA.

http://community.livejournal.com/furrydrama_2/213784.html?thread=18015256#t18015256

Quote from: lexyeevee
When did you ever say to me "let's absolutely do this"? It always felt like I was just some guy who was stuck interacting with the PR persona like everyone else.

I'll happily admit I probably sucked at communicating. But it was definitely not a one-sided problem.

You still don't keep people in the loop, man. News sort of leaks out of several Twitter accounts and journals and buried forum posts, largely in the form of "we have something in the works". You don't tell people what's going on, what the status of it is, or whether they can help. And I felt the same working on Ferrox, except I had to build a thing that was "in the works" and not very well defined beyond that. Even right now, FA just says it's down due to "an issue", and details on what the issue is have to find their way through user gossip.

If you suck at this sort of thing, then find a dude who doesn't and make him the Customer Relations Manager or whatever.

FA is held together by duct tape and hope, and if the software were rewritten to be completely perfect, the staff would still be held together by duct tape and hope. Keeping something going like that is respectable, but as an engineer it drives me bonkers.

From what I recall from when I was an admin, when Lexyeevee was doing Ferrox, what he says there about the Ferrox development issues/FA leadership/communication/etc is true, not sure if I'd buy Dragoneer being "great at PR" though.
« Last Edit: October 16, 2010, 08:21:25 am by a snow pigeon »
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."
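The permission-binding bug the LJ entry above calls exploit C, and the reply-page leak it calls exploit A, as an added example that is neither FA's code nor Eevee's: an in-memory model of journals and comments with the vulnerable hide handler beside the fixed one, plus the "hidden by an Administrator" label the entry mentions. The ids, user names, data model, and the rule for who may still see a hidden comment on the reply page are assumptions made for this example.

```python
"""Added example, not FurAffinity's or Eevee's code: the permission-binding bug
the LJ entry calls exploit C and the reply-page leak it calls exploit A, on an
in-memory model.  Ids, user names, the data model and the rule for who may see
a hidden comment on the reply page are assumptions made for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ADMINS = frozenset({"admin"})
# Constructed sample data: journal id -> owner.
JOURNAL_OWNER = {1234: "dragoneer", 4321: "eevee"}


@dataclass
class Comment:
    id: int
    journal_id: int
    author: str
    text: str
    hidden_by: Optional[str] = None


def fresh_comments() -> Dict[int, Comment]:
    """Constructed sample data: one comment on each journal."""
    return {5678: Comment(5678, 1234, "someone", "posted on dragoneer's journal"),
            8765: Comment(8765, 4321, "other", "posted on eevee's journal")}


class PermissionDenied(Exception):
    pass


def may_hide(invoker: str, journal_id: int, comment: Comment) -> bool:
    """The rule the entry describes: comment author, journal owner, or an admin."""
    return (invoker in ADMINS or invoker == JOURNAL_OWNER[journal_id]
            or invoker == comment.author)


def hide_comment_vulnerable(invoker: str, journal_id: int, comment_id: int,
                            comments: Dict[int, Comment]) -> None:
    """/journal/<journal_id>/?action=remove_comment&comment_id=<comment_id>:
    both ids come from the URL and are checked independently of each other."""
    comment = comments[comment_id]
    if not may_hide(invoker, journal_id, comment):
        raise PermissionDenied(invoker)
    # BUG: nothing checks comment.journal_id == journal_id, so owning any one
    # journal is enough to hide a comment on every journal.
    comment.hidden_by = invoker


def hide_comment_fixed(invoker: str, comment_id: int,
                       comments: Dict[int, Comment]) -> None:
    """The fix: the journal is derived from the comment, never from the URL."""
    comment = comments[comment_id]
    if not may_hide(invoker, comment.journal_id, comment):
        raise PermissionDenied(invoker)
    comment.hidden_by = invoker


def hidden_label(comment: Comment) -> Optional[str]:
    """The label the entry says the site showed: the hider by name if they are
    the author or journal owner, otherwise "an Administrator", which is why the
    exploit-C hides looked like admin action."""
    if comment.hidden_by is None:
        return None
    if comment.hidden_by in (comment.author, JOURNAL_OWNER[comment.journal_id]):
        return comment.hidden_by
    return "an Administrator"


def replyto(viewer: str, comment_id: int, comments: Dict[int, Comment],
            check_hidden: bool = True) -> Optional[str]:
    """The non-JS /replyto/journal/<comment_id>/ page.  check_hidden=False is
    exploit A: the comment is rendered whatever its hidden flag.  With the
    check, a hidden comment is shown only to those who could have hidden it
    (an assumed rule; the entry does not say who should see them)."""
    comment = comments[comment_id]
    if (check_hidden and comment.hidden_by is not None
            and not may_hide(viewer, comment.journal_id, comment)):
        return None
    return comment.text


def attempt(handler: Callable[..., None], *args) -> bool:
    """True if the hide went through, False if the handler refused it."""
    try:
        handler(*args)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    c = fresh_comments()
    # eevee owns journal 4321 but passes a comment id from dragoneer's journal 1234
    print("vulnerable:", attempt(hide_comment_vulnerable, "eevee", 4321, 5678, c),
          hidden_label(c[5678]), replyto("anyone", 5678, c, check_hidden=False))
    c = fresh_comments()
    print("fixed:", attempt(hide_comment_fixed, "eevee", 5678, c), c[5678].hidden_by)
```

The fixed handler drops the journal id from the URL altogether, so there is nothing left to desynchronise; if a route has to keep both ids for routing reasons, a mismatch between them is a 404, not an input to the permission check. The same rule that decides who may hide a comment is reused to decide who may read it on the reply page, which is what closes exploit A.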

a pigeon

In another comment on FD_2, a chatlog with FA's sysadmin, Yak was posted:

Quote from: Lexyeevee
14:14 < yak[away]> Before anyone tells me, yes, I know you can still read hidden comments if you're creative enough, and you can still hide other comments in the same way as forcing people to watch someone works. I don't care. Probably going to do a "click here to see" on comments tomorrow, and for the latter there isn't an easy fix
14:15 < Eevee> of course there's an easy fix
14:15 < yak[away]> Yeah. change all links to POST forms across all the templates.
14:15 < Eevee> that wouldn't fix it entirely either.
14:16 < yak[away]> I didn't even bother to prevent you from replying to hidden comments if you know the comment ID

I don't know, what do you want me to do? Break into the datacenter and fix it myself?
« Last Edit: October 16, 2010, 07:02:05 am by a snow pigeon »
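The GET-link CSRF the LJ entry calls exploit B, yak's invoker_id patch, and the "change all links to POST forms" proposal in the chat log above, as an added example that is neither FA's code nor Eevee's or yak's: four versions of the hide-comment endpoint are run against the requests a logged-in victim's browser would send while rendering an attacker's page, and against the site's own form. Session handling, ids, user names, the attacker origin and the Origin/Referer headers are assumptions made for this example; the fav toggle Eevee mentions later in the thread has the same shape.

```python
"""Added example, not FurAffinity's, Eevee's or yak's code: the GET-link CSRF
the LJ entry calls exploit B, the two patches the thread discusses (an
invoker_id in the URL, then "change all links to POST forms"), and the
per-session token that stops it.  Requests, sessions, ids and names are
modelled in memory and are assumptions made for this example."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    cookies: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


ATTACKER_ORIGIN = "https://eevee.livejournal.com"  # any page the victim views
SESSIONS: Dict[str, Dict[str, str]] = {}           # cookie -> user id and token
HIDE_PARAMS = {"action": "remove_comment", "comment_id": "5678"}


def login(user_id: str) -> str:
    """Start a session.  The CSRF token is held server-side and embedded only
    in the site's own forms, so a cross-origin page cannot read it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user_id, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_of(req: Request) -> Optional[Dict[str, str]]:
    return SESSIONS.get(req.cookies.get("sid", ""))


# Four versions of the hide-comment endpoint.  Each returns True when it would
# hide the comment on behalf of whoever the session cookie belongs to.

def hide_via_link(req: Request) -> bool:
    """As shipped: a plain GET link, so <img src="..."> on any page fires it."""
    return session_of(req) is not None


def hide_with_invoker_id(req: Request) -> bool:
    """yak's first patch: the URL must carry the caller's own user id.  User ids
    are public, so the attacker writes the victim's id into the link."""
    s = session_of(req)
    return s is not None and req.params.get("invoker_id") == s["user"]


def hide_post_only(req: Request) -> bool:
    """The chat-log proposal: require POST.  A hidden, auto-submitted
    <form method="post"> on the attacker's page still carries the cookie."""
    return req.method == "POST" and session_of(req) is not None


def hide_with_token(req: Request) -> bool:
    """The fix Eevee alludes to: POST plus a per-session secret compared in
    constant time.  The forged requests cannot include it."""
    s = session_of(req)
    if req.method != "POST" or s is None:
        return False
    return hmac.compare_digest(req.params.get("csrf", "").encode(),
                               s["csrf"].encode())


def forged_requests(victim_cookie: str, guessed_user_id: str) -> List[Request]:
    """What a logged-in victim's browser sends while rendering the attacker's
    page: the cookie is attached automatically, the token is not.  The headers
    are shown for completeness; none of the handlers above consults them."""
    params = dict(HIDE_PARAMS, invoker_id=guessed_user_id)
    img_get = Request("GET", params, {"sid": victim_cookie},
                      {"Referer": ATTACKER_ORIGIN})
    form_post = Request("POST", params, {"sid": victim_cookie},
                        {"Origin": ATTACKER_ORIGIN})
    return [img_get, form_post]


def own_request(cookie: str) -> Request:
    """The site's own hide button: a POST form that embeds the session token."""
    s = SESSIONS[cookie]
    return Request("POST", dict(HIDE_PARAMS, invoker_id=s["user"], csrf=s["csrf"]),
                   {"sid": cookie})


def evaluate(handler: Callable[[Request], bool], cookie: str,
             guessed_user_id: str) -> Tuple[bool, bool]:
    """(a forged request succeeds, the site's own request succeeds)."""
    forged = any(handler(r) for r in forged_requests(cookie, guessed_user_id))
    return forged, handler(own_request(cookie))


if __name__ == "__main__":
    sid = login("2")  # assumed: the victim is an admin whose user id is known
    for h in (hide_via_link, hide_with_invoker_id, hide_post_only, hide_with_token):
        forged, legit = evaluate(h, sid, "2")
        print(f"{h.__name__:21} forged={forged!s:5} legitimate={legit}")
```

Only the token version separates the forged requests from the site's own, and it does so without caring which of the four URLs in the thread is hit: the secret is bound to the session, not to the link. Rejecting requests whose Origin or Referer is not the site's would also turn both forged requests away here, but the img GET carries no Origin, not every browser of the time sent one, and Referer can be suppressed, so that is defence in depth rather than the fix.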

AshleyAshes

The main issue I see here is that Eevee managed to vilify himself with this move so it'll allow the FA staff to fix the immediate issue and return to leaving much of FA to be poorly maintained. I mean for fuck's sake, six MONTHS to fix new user registration? But yeah, Eevee himself is 'the big news' so 'FA is full of busted stuff' will get largely ignored.

Jim Demintia

What gets me every time is not that the FA staff have a bad attitude towards stuff, and say things like "I don't care" inre: exploits that obviously can and will be posted in chatlogs later, it's that furries never, ever hold Dragoneer's feet to the fire and they pretty much let him get away with bullshitting, scapegoating, and generally vilifying people who, in any sort of sane world, would be listened to before things got out of control. AND then he has an army of fanboys who will attack anyone who goes against the mob mentality.

Every goddamn time.

Oh and lol @ eevee calling himself an "engineer". IIRC from the "FA retrospectacle" thread, he was barely a kid at the time of all the stuff discussed in that thread.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Jim Demintia

Quote from: AshleyAshes
The main issue I see here is that Eevee managed to vilify himself with this move so it'll allow the FA staff to fix the immediate issue and return to leaving much of FA to be poorly maintained. I mean for fuck's sake, six MONTHS to fix new user registration? But yeah, Eevee himself is 'the big news' so 'FA is full of busted stuff' will get largely ignored.

Yeah, but I can understand where he's coming from. If he hadn't done anything he would have been roundly ignored.

It's like Microsoft circa 2001.

a pigeon

Just an FYI, I realized that if you visit lexyeevee's live journal, his FA account will be added to your watchlist (if you're logged in on FA) due to another exploit that hasn't been fixed.

Pi

Quote from: Jim Demintia
What gets me every time is not that the FA staff have a bad attitude towards stuff, and say things like "I don't care" inre: exploits that obviously can and will be posted in chatlogs later, it's that furries never, ever hold Dragoneer's feet to the fire and they pretty much let him get away with bullshitting, scapegoating, and generally vilifying people who, in any sort of sane world, would be listened to before things got out of control. AND then he has an army of fanboys who will attack anyone who goes against the mob mentality.

You mean, dragoneer uses FA as an ego enhancer to assuage his hurt feelings about not being invited to olive garden? say it ain't so!

The comments to his journal are just so full of boot-licking that it makes me sad. :(

Quote from: Jim Demintia
Oh and lol @ eevee calling himself an "engineer". IIRC from the "FA retrospectacle" thread, he was barely a kid at the time of all the stuff discussed in that thread.

Having met Eevee and talked shop with him for a while, I don't think said thread was accurate.

Quote from: mursadramon on fd_2
No, we knew you could use the invoker_id from the get-go. We didn't feel that was as big an issue. It was going to be fixed, but it was not a huge "up there". We knew that was a problem from the start.
So wait. They DELIBERATELY deployed a BROKEN NON-fix? Anywhere competent, that's a hanging offense.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

Does anyone know why they decided to implement this now? I'm sure everyone remembers how the PM system got revamped; popular artist complains about inbox overflow, some other popular artists pipe up, and oh, look, suddenly the problem is "fixed".

Quote from: a snow pigeon
Just an FYI, I realized that if you visit lexyeevee's live journal, his FA account will be added to your watchlist (if you're logged in on FA) due to another exploit that hasn't been fixed.

You used to be able to make people +/- fav artwork, too, probably in the same way.

Eevee

CSRF with ±fav still works. The trick is that the same URL does both +fav and -fav, so the best you can do is toggle.

GreenReaper

Yeah, you still can. The same issue affects watches, submission deletion (!), trouble tickets and probably journals.

I spent a couple of hours back in April detailing the CSRF issues and submitting potential solutions to the administrators (any one of which would probably have blocked an attack like this), and ultimately made a public news post about it. It was never fixed.

For comparison, I told Starling about similar problems during the Inkbunny beta, and they were fixed sitewide in an update ten days later, along with a bunch of other things. In fairness, I think that was his full-time job at the time, but they've had months to do some very simple fixes.

It still doesn't excuse screwing up everyone's comments. Financial transactions aside, actions like this just make it harder for responsible developers to work with the site. Eevee, as a developer you have a lot of power, but with great power comes great responsibility. Please don't do this sort of thing ever again.

Jim Demintia

Quote from: GreenReaper
It still doesn't excuse screwing up everyone's comments. Financial transactions aside, actions like this just make it harder for responsible developers to work with the site. Eevee, as a developer you have a lot of power, but with great power comes great responsibility. Please don't do this sort of thing ever again.

Yes it does. Because if he hadn't done that, the issue would have been roundly ignored until someone malicious came along. And I have to ask, do you really think any "responsible developer" is ever going to touch FurAffinity while Princess Piche is at the helm? If they've got two brain cells, they won't. Especially since he doesn't pay, AFAIK. FurAffinity does not exist to be a functional web site. It exists for one reason, to facilitate Dragoneer's popularity and attention-whoring. Whatever state the code itself is in is irrelevant as long as it's functional enough that furries will flock to the site for their porn. And I think we've seen over the last half-decade that "functional enough [for] furries" is "barely hanging on by a thread". No competent developer is ever going to knowingly walk into a situation like that.

FWIW, volunteer coding only works when people get credit and get their name out there, and get some recognition for what they did. Being Dragoneer's free code slave gets you the quality of work...well, just look at FA.

GreenReaper

Dragoneer claims they were aware of continuing problems and planned to implement a better solution over the weekend. The discussion with yak brings this into question, although I suspect part of that was miscommunication.

Either way, Eevee was way out of line taking it out on regular users, regardless whether the administrators had the technical means to fix it. There were other, less disruptive means to get the message out.

On FA's side, they should probably have started by taking the feature offline until it had been properly reviewed. I also don't understand why they released a new feature with the same vulnerability as that shared by older code, though perhaps it has to do with the fact that the feature was initially only available to administrators.

Everyone has their own reasons for being a volunteer coder. I'm sure there's some coders out there who'd be happy just to know that they'd made FA a safer place. Granted, probably not many at this point. Perhaps some of that donation money should go towards fixing the code rather than buying shiny new hardware.

rodox_video

FA's brain drain is getting to be so bad that at this point they probably couldn't even pay someone to work on the goddamn site (providing the money was there, and it is not).
Zeriara is part of a series on Whores.

Jim Demintia

Quote from: GreenReaper
Dragoneer claims they were aware of continuing problems and planned to implement a better solution over the weekend.

Why is it that you're willing to give him the benefit of the doubt even though he says something to this effect every time and it's never accurate?

Quote from: GreenReaper
There were other, less disruptive means to get the message out.

Sometimes your naivete about the fandom is cute.

Pi

Quote from: Jim Demintia
Quote from: GreenReaper
Dragoneer claims they were aware of continuing problems and planned to implement a better solution over the weekend.

Why is it that you're willing to give him the benefit of the doubt even though he says something to this effect every time and it's never accurate?
Basically this. In a similar vein:
Quote from: Witchiebunny
Which is why we're coding a new UI.

Who do you have coding this? What is it written in? Does it have a sane backend database? Can anyone see the code? What assurance does anyone have that the new codebase is going to be ANY different than the old one in terms of security?

At least when Eevee was working on Ferrox, I could answer these questions for myself.
She replied with something along the lines of "yak and netcat obviously, i'll see about getting more transparency".

Long story short, they're doomed. Neither yak nor net-cat knows or cares about protecting against "babbies first webapp vulnerability", as evidenced.

Jim Demintia

Wait, I thought the "new UI" was already deployed, wasn't that the "sigma" thing where they tested a new stylesheet for most of this year? And I find the notion that there's ANY separation between the backend logic and the UI in that code base to be rather amusing.

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
I also don't understand why they released a new feature with the same vulnerability as that shared by older code, though perhaps it has to do with the fact that the feature was initially only available to administrators.

Well, it's certainly possible, but that is also not acceptable design practice. Really, the "right way" to do such a thing is a security system grained by privileges, and then the notion of "administrator" or "user" becomes a standard collection of "has permission to do X", Y, and so on. Then, as has been proven in the past, when they find out they cannot trust an administrator or administrators, giving that person permission, say, only to moderate submissions becomes easy.

Of course, this is FA, and there are screen shots out there of the admin console that allowed SQL to be entered and evaluated from the Web. Dragoneer claims that feature is gone now, but it gives you some idea of the grade-level you're dealing with here.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name
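The privilege-grained design described in the post above, sketched as an added example (this is not FA's code nor anything from this thread; role names, permission names, the users and the comment id are all constructed). Roles are just named bundles of permissions, so a "submission moderator" who is no longer trusted with comments simply lacks the comment permissions. It also shows the check the non-JS reply page from the opening post was missing: the same visibility test the main page applies, so a hidden comment is not reachable just by knowing its id.

```python
"""Permission-grained authorization for comment hiding (constructed example)."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import FrozenSet, Optional


class Permission(Enum):
    HIDE_OWN_COMMENT = auto()          # hide a comment you wrote
    HIDE_COMMENT_ON_OWN_PAGE = auto()  # hide a comment on a journal/submission you own
    HIDE_ANY_COMMENT = auto()          # hide anything, anywhere
    VIEW_HIDDEN_COMMENT = auto()       # see comments after they have been hidden
    MODERATE_SUBMISSIONS = auto()      # an unrelated duty, deliberately kept separate


# A "role" is nothing more than a named set of permissions. These names are
# assumptions made for the example; FA's real roles are not known here.
ROLES = {
    "user": frozenset({Permission.HIDE_OWN_COMMENT,
                       Permission.HIDE_COMMENT_ON_OWN_PAGE}),
    "comment_moderator": frozenset({Permission.HIDE_ANY_COMMENT,
                                    Permission.VIEW_HIDDEN_COMMENT}),
    "submission_moderator": frozenset({Permission.MODERATE_SUBMISSIONS}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]

    def has(self, perm: Permission) -> bool:
        """A user holds a permission if any of their roles grants it."""
        return any(perm in ROLES[r] for r in self.roles)


@dataclass
class Comment:
    id: int           # constructed id, not a real comment id
    author: str
    page_owner: str   # owner of the journal/submission the comment sits on
    body: str
    hidden: bool = False


def can_hide(actor: User, c: Comment) -> bool:
    """Ownership plus a permission, never a hard-coded 'is admin' flag."""
    if actor.has(Permission.HIDE_ANY_COMMENT):
        return True
    if actor.name == c.author and actor.has(Permission.HIDE_OWN_COMMENT):
        return True
    if actor.name == c.page_owner and actor.has(Permission.HIDE_COMMENT_ON_OWN_PAGE):
        return True
    return False


def can_view(viewer: User, c: Comment) -> bool:
    """Hidden comments are visible only to holders of VIEW_HIDDEN_COMMENT.
    (Letting the author see their own hidden comment is a design choice
    this example does not make.)"""
    return (not c.hidden) or viewer.has(Permission.VIEW_HIDDEN_COMMENT)


def hide_comment(actor: User, c: Comment) -> bool:
    if not can_hide(actor, c):
        return False
    c.hidden = True
    return True


def render_reply_page(viewer: User, c: Comment) -> Optional[str]:
    """The non-JS /replyto page must apply the SAME visibility check as the
    main page; otherwise a hidden comment leaks to anyone who knows its id."""
    if not can_view(viewer, c):
        return None  # the caller answers with 404 or 403
    return f"Replying to #{c.id} by {c.author}: {c.body}"


def demo() -> dict:
    """Walk through the cases a reviewer would want covered."""
    alice = User("alice", frozenset({"user"}))                          # page owner
    bob = User("bob", frozenset({"user"}))                              # comment author
    carol = User("carol", frozenset({"user", "comment_moderator"}))
    dave = User("dave", frozenset({"user", "submission_moderator"}))    # trusted elsewhere only
    c = Comment(id=1234, author="bob", page_owner="alice", body="hello")  # constructed
    results = {}
    results["unrelated_mod_cannot_hide"] = hide_comment(dave, c)
    results["unrelated_mod_lacks_hide_any"] = dave.has(Permission.HIDE_ANY_COMMENT)
    results["page_owner_can_hide"] = hide_comment(alice, c)
    results["reply_page_for_plain_user"] = render_reply_page(bob, c)
    results["reply_page_for_comment_mod"] = render_reply_page(carol, c)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of `dave` is the one the post makes: revoking trust is a matter of not granting a permission, not of inventing a new kind of account.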

a pigeon

  • Cabalistic Fuckhead
  • ***
  • Posts: 426
  • E-points: +36/-4
Witchiebunny is an FA admin

Quote from: witchiebunny
You shouldn't have done anything AT FUCKING ALL DIPSHIT.

You're a selfish sad pathetic fuckwit who feels that since he's mad at a site that he feels wronged him (and yet he still keeps using it for some fucked up reason) that he can just abuse the hell out of the code and attack the admins, and users and community.

You're a fucking asshole. NOTHING gives you the right to exploit a site and community like this. Not your anger, not your knowledge of the code, not your sense of entitlement, and certainly NOT your pathetic little justifications that the site is ill managed and such. If you don't like the fucking site then FUCKING LEAVE. Don't fucking attack it for others and purposefully exploit it like a fucking child who can't play ball with the rest of the kids and so finds a way to make sure no one can play ball at all.

Fucking ass.

http://community.livejournal.com/furrydrama_2/213784.html?thread=17984792#t17984792

Quote from: joanmichele
While I agree that what the guy did was a pretty big dick move, unloading like that on him probably won't help matters one bit.

Quote from: witchiebunny
Well it's not often I can vent my frustrations about something like this AT the person responsible. I feel much better now. ^.^;

Immature/unprofessional of me as an admin? Perhaps.

As a user, I feel I'm justified.
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

Eevee

  • VAPOREONWARE
  • Cabalistic Fuckhead
  • *
  • Posts: 48
  • E-points: +8/-0
Wait, I thought the "new UI" was already deployed, wasn't that that "sigma" thing where they tested a new stylesheet for most of this year? And I find the notion that there's ANY separation between the backend logic and the UI in that code base to be rather amusing.
No, that was an intermediate patch or something.  Dragoneer asked Adam Wan to mock up a new design from scratch and "leaked" screenshots of it in February or so, saying it would be coming soon.

I'm curious to see how this will turn out.  I don't think Wan contributed any more than images (both Dragoneer and yak are extremely protective of the codebase), and as far as I can tell, yak is... not quite a CSS guru.
Witchiebunny is an FA admin...
I've had a good few people tell me I don't have the right to do what I did.  I haven't argued.

I was hoping to see more people wonder why FA has the right to expose its users to ever more vulnerabilities, but that seems to have been lost as the story got muddled.

loki

  • **
  • Posts: 125
  • E-points: +2/-2
I think people are freaking over nothing. A bunch of comments disappeared temporarily on a furry porn website. Oh no!!!

People need to grow up. :I