Author Topic: FA implements comment hiding, exploits found, thrashing and flailing results  (Read 6548 times)

Jim Demintia

  • Postcount ate Whippany, NJ
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
I've had a good few people tell me I don't have the right to do what I did.  I haven't argued.

It's actually a well-known dilemma. Not that any furry would ever understand it, but when you have a belligerent vendor with a vulnerable user base, sometimes that's the only way to get their attention and get them to act. Almost *everyone* takes security seriously in this day and age; like I said earlier, the attitude you got is straight out of the late '90s.

All furries see is someone "hacking" FA. If you genuinely expected any support whatsoever, you need to get a lot more cynical a lot faster if you're going to be in the furry fandom and/or the tech industry.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

MazelTovCocktail

  • Posts: 168
  • E-points: +5/-2
  • You smell somethin', Rabbit?
Witchiebunny is an FA admin...
Quote from: Jim Demintia
I've had a good few people tell me I don't have the right to do what I did.  I haven't argued.

I was hoping to see more people wonder why FA has the right to expose its users to ever more vulnerabilities, but that seems to have been lost as the story got muddled.

As far as I'm concerned, it's a lot better that someone who doesn't have entirely malicious intentions gets to it before someone who does.
I don't like to hit little bitches with glasses, but when midgets step up, I stomp midget asses.

loki

  • Posts: 125
  • E-points: +2/-2
The funniest thing is how they don't blame Dragoneer or FA at all, despite having a huge security flaw that was exploited days after being released. No, they blame the white/grey hat hacker instead, because, you know, it's totally his fault that FA is coded by GED-educated morons. :I

Arche Kruz

  • CREEPY FURRY AVATAR
  • Posts: 64
  • E-points: +6/-2
  • Walküre
To be quite honest, I am glad that Eevee did what he did. The exploit he found about comment hiding is something almost anyone could have figured out, and if something had to happen to force the issue to the attention of the coders, I would much rather have it happen with someone who wanted to get the message out even if it was tinged with some mischievous intent, than to have it happen by someone with a genuinely malicious intent like say... Allan.

Heimdal

  • Posts: 36
  • E-points: +1/-2
When you think about it, Eevee's only mistake was confessing. He could have done all of that and gotten away with it if he wanted to. So if he kept hidden, where would the fault have gone? To the shitty implementation, of course. That's where fault should go regardless. Eevee's confession should never have been demonized quite like it has. But furries need scapegoats, and an enemy is anyone who doesn't kiss their ass.

Anyone else notice the lack of information on FA's end? Eevee's journal went into a decently extensive detail, while Dragoneer's summary was vague shit. I mean, it's not good when other people can supply better security status information to the users than the site itself can.
"I eat all my Megabran!"

AshleyAshes

  • Posts: 86
  • E-points: +4/-14
Quote from: Heimdal
When you think about it, Eevee's only mistake was confessing. He could have done all of that and gotten away with it if he wanted to. So if he kept hidden, where would the fault have gone? To the shitty implementation, of course. That's where fault should go regardless. Eevee's confession should never have been demonized quite like it has. But furries need scapegoats, and an enemy is anyone who doesn't kiss their ass.

Hmm, that's a great point.  Had Eevee been stealthy about it, all the FA users would have just feared the 'Invisible Enemy' and then demanded to know why FA wasn't protecting them from the 'Invisible Enemy'.  Instead Eevee just made himself the scapegoat so they wouldn't have to answer for the flaws.

MazelTovCocktail

  • Posts: 168
  • E-points: +5/-2
  • You smell somethin', Rabbit?
Quote from: Heimdal
But furries need scapegoats, and an enemy is anyone who doesn't kiss their ass.

Truer words about the furry fandom are rarely spoken.
I don't like to hit little bitches with glasses, but when midgets step up, I stomp midget asses.

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
In a somewhat related note, Insane Kangaroo states that the 12-year-old kid hosting WYS approached Dragoneer with news of security holes before Eevee published his list. He seems to think that this is a reason to prefer FA over one of its competitors, Inkbunny.

I was especially amused by this:
Quote from: insane_kangaroo
Oh I don't know, how about the owner of the site harbors people who cause drama in the community while doing nothing about drama baiting on his own site, including those which bash FurAffinity since those individuals were banned for good reason.

I think I'm having an irony overdose.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

  • Postcount ate Whippany, NJ
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
I just clicked through to that journal, and may I just say I find this $50 bounty per exploit thing fucking hilarious. Anyone who thinks that: a) it's going to get anything fixed, and/or b) anyone will actually see a penny from Dragoneer, is delusional.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Quote from: Jim Demintia
I just clicked through to that journal, and may I just say I find this $50 bounty per exploit thing fucking hilarious. Anyone who thinks that: a) it's going to get anything fixed, and/or b) anyone will actually see a penny from Dragoneer, is delusional.
He turned down the reward money out of the goodness of his heart, apparently.

I've been keeping up on the FA Forum Accountability thread. It's making my head hurt.
<@Pi> the rules are not applied consistently
<@Pi> and they're jumping up and down and are like THAT'S A FEATURE
<@Pi> the site is insecure and a 12-year-old is running around making PoCs
<@Pi> and they're jumping up and down and are like THAT'S A FEATURE
<@Pi> the administration only speaks in internet memes and obsessive self-deprecation
<@Pi> and they're jumping up and down and are like THAT'S A FEATURE

And it's the kind of self-deprecation meant to placate critics, but which is totally hollow and completely avoids any responsibility for improvement. How can people defend this shit? It's entirely beyond me.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

  • Postcount ate Whippany, NJ
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
At least as it applies to Dragoneer, the meme-speak thing and the frail attempts at self-deprecating humor appear to me as his attempts to mask his inability to communicate and his lack of anything worthwhile to contribute to, well, pretty much anything. He always has struck me as that person who, in lieu of anything to add to a discussion, just starts babbling and babbling and babbling and thinks that will cover up the fact that they're fucking retarded.

It's pretty transparent. To most normal folks, anyway.

As far as the topic of this thread, though, what I don't understand is the late focus on security. The site has been the way it's been for years; that's part of the fucking problem in the first place. A new feature was added and the same preschool mistakes were made that were made years ago. Nothing has changed. The "news" here is that the FA coders are still as idiotic as they've always been, but no observer of those sorts of things needed any confirmation of that, anyway.

I mean, it's like the great unwashed masses have suddenly realized the emperor has no clothes, and instead of demanding accountability, they're in a panic, running around like chickens with no heads.
« Last Edit: October 29, 2010, 05:47:48 pm by Jim Demintia »
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Arche Kruz

  • CREEPY FURRY AVATAR
  • Posts: 64
  • E-points: +6/-2
  • Walküre
Well, what do you expect? When you employ coders to work for your site for free, shitty coding is almost always what you'll get, because no self-respecting site developer would be willing to sift through the thousands of lines of rubbish code that make up FA without being paid/compensated generously for it.

u63r

  • Posts: 33
  • E-points: +1/-7
I have to admit, I tend to side with 'Neer in these sorts of things, just because he's usually less passive-aggressive. Case in point:
Quote
You're right, I got angry at the Internet a lot. For that, I do apologize.

But please try to understand what I saw. I mean, this is probably the most you have ever said to me. Ever! Hiding some comments for a few hours got your attention much better than months of useful work from scratch.

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Quote from: u63r
I have to admit, I tend to side with 'Neer in these sorts of things, just because he's usually less passive-aggressive. Case in point:
Quote
You're right, I got angry at the Internet a lot. For that, I do apologize.

But please try to understand what I saw. I mean, this is probably the most you have ever said to me. Ever! Hiding some comments for a few hours got your attention much better than months of useful work from scratch.
I'd be with you there, but for the fact that immediately after some vague promise of trying to be more transparent (from witchiebunny, not even dragoneer), all that happened was dragoneer accidentally deleted the forum thread, restored it with some screenshots, and swept the whole issue under the rug. So, no, dragoneer's side isn't any less passive-aggressive.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

  • Postcount ate Whippany, NJ
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Quote from: u63r
I tend to side with 'Neer in these sort of things, just because he's usually less passive-aggressive.

Haha what?
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Eevee got wind of Dragoneer badmouthing him on, where else, WYS:
@dragoneer http://img820.imageshack.us/img820/4436/eeveen.jpg I've had enough. Stop lying about me. Stop scapegoating. YOU killed Ferrox.

No Twitter response from Dragoneer yet, though all he's been tweeting about lately is stupid links.

Eevee

  • VAPOREONWARE
  • Cabalistic Fuckhead
  • Posts: 48
  • E-points: +8/-0
Quote from: u63r
I have to admit, I tend to side with 'Neer in these sorts of things, just because he's usually less passive-aggressive. Case in point: ...
Wait, what?  Did I sound passive-aggressive there?

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Quote from: Conan
Eevee got wind of Dragoneer badmouthing him on, where else, WYS:
@dragoneer http://img820.imageshack.us/img820/4436/eeveen.jpg I've had enough. Stop lying about me. Stop scapegoating. YOU killed Ferrox.

No Twitter response from Dragoneer yet, though all he's been tweeting about lately is stupid links.
Jesus. The whole "eevee killed ferrox" thing is so transparently, patently false. I've debunked it before, and everything. Not to mention the whole "wrote a converter, had it summarily ignored" thing. Yeah, that totally killed the project, and not, y'know, Dragoneer's uncommunicative mismanagement.

Dragoneer also says crypto ran off all the other coders. He sure knows how to point fingers.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

MazelTovCocktail

  • Posts: 168
  • E-points: +5/-2
  • You smell somethin', Rabbit?
Well let's see here, Dragoneer.  Of all the coders who are or have ever been responsible for the coding on FA, the ONLY one who actually noticed your security hole and exploited it harmlessly to show you that it was there and something needed to be done (as opposed to leaving it for somebody to take actual advantage of it) is the one who killed Ferrox?

I dunno eevee, sounds to me like you should've warned Princess Piche to get lubed up and ready before you played with his precious website.  He sounds like his ass is hurting so bad over the ordeal that he can't even walk straight.
I don't like to hit little bitches with glasses, but when midgets step up, I stomp midget asses.

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Speaking of FA, does anyone know if the search feature is completely coded by FA? I found some open source search software earlier and it looks horribly efficient (and wouldn't kill a server like FA search did).