Author Topic: FA admin account compromised (yet again)  (Read 17405 times)

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
Re: FA admin account compromised (yet again)
« Reply #100 on: December 20, 2010, 06:08:21 pm »
That's not brilliant. That's common sense.

We're talking about FA here.  Common sense is brilliance over there.


And now time for humor hour:

pee

UncreativeUsername

  • *
  • Posts: 50
  • E-points: +1/-4
  • Booze IS food
Re: FA admin account compromised (yet again)
« Reply #101 on: December 20, 2010, 07:10:06 pm »
Quote
There's been a few rumors that they've extended their downtime to do a complete security review of the code before coming back online.

You know, like competent people do.

Yeah, that's a good point. Say what you will about cub porn enthusiasts, but, Jery and his staff I trust 10x more. They seem to know what the fuck they should do.


Quote
Remember, this guy thinks people hate him just because he's an admin and does admin things. He has a severe persecution complex (see http://lists.claws-and-paws.com/pipermail/pa-furry/2003-November/005695.html).

That was 7 years ago. As much as I hate the asshole, 7 years ago I was very immature compared to how I am now. Plus, he might really have been very slighted and insulted, and I would not have reacted to that well. Though, I have also heard he is insufferable to be around IRL.

loki

  • **
  • Posts: 125
  • E-points: +2/-2
Re: FA admin account compromised (yet again)
« Reply #102 on: December 20, 2010, 10:21:29 pm »
Quote
That was 7 years ago. As much as I hate the asshole, 7 years ago I was very immature compared to how I am now. Plus, he might really have been very slighted and insulted, and I would not have reacted to that well. Though, I have also heard he is insufferable to be around IRL.

You'd be surprised how immature and spoiled some furries are; I know for sure I was an immature shit even like 5 years ago and some people I've known for that long of a time still behave the same they do now.

So anyone willing to take bets that FA gets hacked a third time?

UncreativeUsername

  • *
  • Posts: 50
  • E-points: +1/-4
  • Booze IS food
Re: FA admin account compromised (yet again)
« Reply #103 on: December 20, 2010, 10:24:33 pm »
Quote
That was 7 years ago. As much as I hate the asshole, 7 years ago I was very immature compared to how I am now. Plus, he might really have been very slighted and insulted, and I would not have reacted to that well. Though, I have also heard he is insufferable to be around IRL.

You'd be surprised how immature and spoiled some furries are; I know for sure I was an immature shit even like 5 years ago and some people I've known for that long of a time still behave the same they do now.

So anyone willing to take bets that FA gets hacked a third time?

Bets, I can't say. I mean, he should have been hacked 3 years ago. But, ability? Fuck, yes, he cannot fix this with his incompetent staff. Seeing as, according to Witchie, they just WATCHED the hacker for a while... Am I the only one hoping for a 3rd hacking and more info being leaked?

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • *
  • Posts: 79
  • E-points: +7/-3
  • OMG SO CUTE ^__^
    • lynxies :3
Re: FA admin account compromised (yet again)
« Reply #104 on: December 21, 2010, 06:34:56 am »
Seeing as I work for a prominent North American provider of enterprise-class hosting solutions these days, I get to witness (and, subsequently, mitigate) a lot of similar attacks through the course of my workday.  It provides me endless hours of amusement by way of scouring logs and hacking up Juniper and Brocade/Foundry configuration information as appropriate.

Do you know what our normal course of resolution tends to be for a site that is defaced or compromised?  Take it offline, notify the customer of the intrusion with a promise to bring the site back up ASAFP pending a security audit, offer further assistance if the customer requires it.

The only problem is that there's generally no way to monitor a lot of this directly and automatically unless the site is outright defaced, so we typically rely on customers telling us what's up...
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #105 on: December 21, 2010, 06:41:08 am »
It is interesting that Dragoneer is claiming in his tweets that IR did something about the DDoS yet either in this or the other thread Conan found they offered DDoS protection services for $500/month...
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • *
  • Posts: 79
  • E-points: +7/-3
  • OMG SO CUTE ^__^
    • lynxies :3
Re: FA admin account compromised (yet again)
« Reply #106 on: December 21, 2010, 06:48:05 am »
Quote
It is interesting that Dragoneer is claiming in his tweets that IR did something about the DDoS yet either in this or the other thread Conan found they offered DDoS protection services for $500/month...

IR probably did the least amount of work necessary to ensure their core network didn't cross a certain utilization threshold.  That's typically what our upstreams all do in the face of a DDoS attack.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
    • Clan Spum userpage
Re: FA admin account compromised (yet again)
« Reply #107 on: December 21, 2010, 09:33:57 am »
Quote from: Dragoneer (mursadramon) has replied to a post by rodox_video in furrydrama_2
> ... wwwwooooooooooooooooowwwwwwwwwwwwwwww Why is anyone buying a single word that is coming out of your mouth? Tell me one good reason why I should believe that you missed info that was out there (and in places you frequent, no less) from day one?  Nobody believed you when you claimed to have simply missed half of the damn Wan message. You think anyone's going to believe you here? On this? You think I'm going to believe you? You think Clayton's going to believe you?  Do you have any idea how unbelievably hard it is to get an animal abuse case prosecuted? To get a bestiality case prosecuted? I always suspected that you never gave a flying fucking shit, that the only thing that mattered to Sean Piche was Sean Piche. And now we all have proof.
Their reply was:
 Fine. I'm done sharing with FD2.

Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

bridgeportcat

  • Posts: 28
  • E-points: +4/-2
  • Fuck this shit a fuck gay
Re: FA admin account compromised (yet again)
« Reply #108 on: December 21, 2010, 09:50:25 am »
Quote
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"

It would be swell if at one point he could share this with some of us FA users who, you know, don't post or look at closed friendslocked splurty drama communities. Because, you know.
I don't time for shitfucks. Later, fuckshits.

ProvincialTwit

  • Abuse Dept.
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 774
  • E-points: +72/-33
Re: FA admin account compromised (yet again)
« Reply #109 on: December 21, 2010, 11:10:50 am »

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
    • Clan Spum userpage
Re: FA admin account compromised (yet again)
« Reply #110 on: December 21, 2010, 11:15:00 am »
Quote
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"

It would be swell if at one point he could share this with some of us FA users who, you know, don't post or look at closed friendslocked splurty drama communities. Because, you know.

You could let him know that you'd like to hear actual information, but I'm not sure how fruitful posting to any of these is going to be. He'll just ignore it.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
Re: FA admin account compromised (yet again)
« Reply #111 on: December 21, 2010, 11:29:36 am »
Quote
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"

It would be swell if at one point he could share this with some of us FA users who, you know, don't post or look at closed friendslocked splurty drama communities. Because, you know.

He keeps insisting there'll be a public post about it today. This should be interesting.

And I don't understand why they keep that community friends locked. I think it was to keep people from harassing posted folk over at FA but that is still done constantly by the fd2 members and they're never fucking kicked out.

Shit, at least open it up to new members. GOTTA KEEP OUR FURRY DRAMAS A SECRET
pee

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #112 on: December 21, 2010, 11:58:39 am »
Quote
Now he's going to have to find a new treehouse, to avoid having to provide useful information to the ~proles~. Because "i'm done sharing with fd2" does not mean "i'm going to share with the people who this actually matters to (the COMMUNITY)"

Good news, everyone! WYS Forums are coming back soon! Of course, after they went down he claimed he was "done" with WYS. Can't wait to see what happens. I'm sure Silver will keep the meanies away from him.

Ben

  • *
  • Posts: 47
  • E-points: +6/-9
  • smelly vaginahead extraordinare
Re: FA admin account compromised (yet again)
« Reply #113 on: December 21, 2010, 12:12:42 pm »
Silver has claimed that WYS 2.0 will have no drama component to it. However, considering his recent incident of using faggot in a derogatory way on furrydrama_2, and the huge shitstorm that was created, I think I can tell that he's going to end up being a pretty bad leader, intentional drama or not.

But anyway, I'm kind of skeptical there will be any official announcement from Dragoneer and Co. As it is, most of the FA community actually is not mad about this whole thing, and many have simply shrugged at this whole massively compromising incident, and gone about their lives. Neer has always said that "If you just wait a week or two, it'll all blow over", and unfortunately, this appears to be true. Furries do not care whether or not it is morally corrupt to support a website that has done nothing to get to the point where it is today-- they just want their furry porn, and they don't want to jump through any additional hoops to get it.

Right now, Dragoneer has no reason to post an official explanation. The only people demanding it were the fd2 crowd, and considering he's apparently "done" with them, I can guarantee there will be no explanation, as it does not actually benefit him to do so. Unless a huge movement is made out of all this, FA really will be on top for several more years, until it finally does close down.

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #114 on: December 21, 2010, 01:11:50 pm »
Yep, anyone hoping for any kind of meaningful change at this point is likely going to be disappointed. People are already saying they "don't care" about it anymore, which is furry-speak for "don't make me question my assumptions and allegiances".

Quote
Silver has claimed that WYS 2.0 will have no drama component to it. However, considering his recent incident of using faggot in a derogatory way on furrydrama_2, and the huge shitstorm that was created, I think I can tell that he's going to end up being a pretty bad leader, intentional drama or not

Right. See, thing is that just like Dragoneer is nothing without FA, Silver is nothing without WYS or some other sort of vigilante operation. It is his one trick the fandom cares about. If WYS doesn't come back soon he's gonna be forgotten. And WYS without "drama" (whatever that means) is not WYS. No one cares about yet another furry forum.

He probably knows this too.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
Re: FA admin account compromised (yet again)
« Reply #115 on: December 21, 2010, 02:27:59 pm »
Quote
Right now, Dragoneer has no reason to post an official explanation. The only people demanding it were the fd2 crowd, and considering he's apparently "done" with them, I can guarantee there will be no explanation, as it does not actually benefit him to do so. Unless a huge movement is made out of all this, FA really will be on top for several more years, until it finally does close down.

Yep. It's pretty much already blown over. FD2 doesn't even want to hear about it anymore, even when now there is evidence that they could have stopped this whole fucking thing. They simply don't care, nobody cares. The only people who do care have common sense and that is just very scary to the administration.

I'm not a programmer, I don't know any coding, and I've never hosted my own website but even I know that this is not how you handle the security of your website. You don't need experience to know this shit, you don't even have to be a fucking genius to know this shit. This is common sense.
pee

a pigeon

  • Cabalistic Fuckhead
  • ***
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #116 on: December 21, 2010, 03:57:01 pm »
Issues surrounding Zaush and his predatory behaviour will persist, I think. If he quits FA, there will be dispute and bad-feelings from those sad/mad to see him go and if he returns (i.e. re-establishes his presence, which has been severely diminished by the gallery deletion) there will be dispute, disgust and bad-feelings surrounding his presence on the site. Given that he has over 25,000 watchers, the bad feelings, dispute and disgust will have a large path into the community of people who use FA (and the wider furry community).

I think there will be a large appetite for the leaked notes & over the coming weeks and months a lot of people will seek them out (if they haven't done so already). Those notes are going to float around for years to come and I think they will remind many people that this happened. (When I say "many" people, I'm not necessarily saying it will be enough to make a difference).

I think the damage this whole thing does, will mostly be felt in terms of a long term erosion of trust in Dragoneer/FA, which may diminish his ability to simply tough things out and bluster through. I certainly think any "incidents" which come on the heels of this, even if minor, will be all the more damaging and amplified by it. But we'll have to see how it all pans out and if it's enough to get people using other sites more.

Incidentally, I would love to hear more about that furrymuck master logs leak that was mentioned earlier, if anyone knows about it. It would be interesting if the log was actually floating  around out there somewhere.
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

a pigeon

  • Cabalistic Fuckhead
  • ***
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #117 on: December 21, 2010, 04:21:06 pm »
Thought also occurs to me, that despite what some might say about people being so swift to criticize and so forth, I suspect many people who are dissatisfied or disquieted with 'neer and FA are going to be reticent to speak out about it for fear of being banned or involved in arguments and dispute. Some who do speak out will have their shouts, comments and journals censored/deleted and most will be ignored or brushed off. It's the people who blindly defend Dragoneer & Co that are going to be the most visible and vocal at this time. Furthermore, maybe some people who might change their minds later will circle the wagons now, when they're afraid FA might vanish (for all they know).

If people stop using the FA notes system, that's one less thing to tie them to the site and something that isn't immediately visible since notes and e-mails etc are private (till they're leaked!). So again, I think it's only in the longer term that we'll see how many people are aware of this and what lasting effect it has. In the short term, as people have said, I think Dragoneer is going to just brush this off.

Edit:

you know, I sometimes look at the actions page here (it shows what threads are currently being looked at), and threads from 2007, 08 and 09 seem to quite regularly be looked at. The threads on here about this incident will be read in the years to come I think, and that will have a slow drip drip corrosive effect, be it ever so small, like the notes floating around.
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

a pigeon

  • Cabalistic Fuckhead
  • ***
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #118 on: December 21, 2010, 05:27:30 pm »
An admin notice has appeared on FA now, directing people to FA's live-journal where Dragoneer has made a post:

Quote from: Dragoneer
December 2010 Hacking

By now, many of you know that Fur Affinity was attacked on Friday, December 17th 2010. Attackers were able to compromise the admin system using a previously unknown, unreported XSS exploit in the trouble ticketing system to gain control of an admin account. We pulled the website offline, and closed the hole that led to the initial attack, but not before the intruder was able to illegally compromise the private notes of 41 users (including admins and staff) and the vandalism of several galleries. Regrettably, the leeching of notes occurred before the hacker made his presence known on the site, and we were not able to stop it.

At no point were user passwords or the site database compromised.

After closing the initial hole that the intruder was using to compromise the site, they then attacked an admin's e-mail, managing to compromise their email account to perform a password reset. With the new password, they were able to get back into the site and into the forums. At the same time, another attack was launched on a second admin, compromising a long-abandoned account they had which was set up as an e-mail fallback for their main account. In both instances, the attackers were able to gain access back into the system, causing scattered vandalism.

We were able to flush the attacker out of the system through multiple wipes of cookies and active login sessions (which some of you may have noticed when your accounts were logged out).

After Yak revised and recoded the security side of the admin panel, the attackers then launched a distributed denial of service (DDOS) attack against FA as a final measure. Working with our host, we were able to block the attack and restore services to the site. While we had initially suspected potential issues due to the 1.2 million Gawker passwords that were leaked (which had affected some regular users on the site), we want to clarify that the Gawker leaks WERE NOT an issue with the FA intrusion.

Galleries which were wiped are in the process of being restored, and we are working to strengthen and improve security. We have also removed the ability for certain admins to view notes. We will be bringing in additional coding help to perform security audits and improve upon the site's platform, as we do take security seriously. We regret that this happened, and ultimately the blame for this lay with us for letting the hole slip through the cracks. That said, it does not excuse the intruders for their actions, and we are working with law enforcement to pursue the issue.

On behalf of the entire staff of FA we apologize for what happened. We make no excuses for what happened.

----------------------------

If you have questions, please feel free to ask, we will update the thread with a Q/A. Keep responses civil, and honest. There has been enough drama over this, and we want to work towards peaceful resolution.

http://community.livejournal.com/furaffinity/213163.html
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."
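
Added example, not part of the thread or of FA's code: a minimal Python sketch of the controls the quoted announcement touches on, namely escaping ticket content before staff view it, marking the session cookie HttpOnly, and keeping sessions server-side so they can be revoked per user on a password reset or site-wide in one step. The names `render_ticket`, `SessionStore` and the `sid` cookie are hypothetical, and the ticket body is constructed sample input.

```python
import html
import secrets


def render_ticket(subject: str, body: str) -> str:
    """Render user-submitted ticket fields for the staff view.

    Every user-controlled value is HTML-escaped at output time, so markup
    in a ticket is displayed as text instead of running in the browser of
    the admin who opens it.
    """
    return "<h2>{}</h2>\n<pre>{}</pre>".format(
        html.escape(subject), html.escape(body)
    )


class SessionStore:
    """Server-side sessions that can be revoked per user or site-wide."""

    def __init__(self) -> None:
        self._sessions = {}    # token -> (user, user_gen, global_gen)
        self._user_gen = {}    # user -> bumped on every password change
        self._global_gen = 0   # bumped to log everyone out at once

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (
            user, self._user_gen.get(user, 0), self._global_gen
        )
        return token

    @staticmethod
    def cookie_header(token: str) -> str:
        # HttpOnly keeps page scripts from reading the session cookie.
        return f"Set-Cookie: sid={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def validate(self, token: str):
        """Return the user for a live session, or None if it was revoked."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, user_gen, global_gen = entry
        if (user_gen != self._user_gen.get(user, 0)
                or global_gen != self._global_gen):
            del self._sessions[token]
            return None
        return user

    def password_changed(self, user: str) -> None:
        """Kill every session the user held before the change or reset."""
        self._user_gen[user] = self._user_gen.get(user, 0) + 1

    def wipe_all(self) -> None:
        """Invalidate every active session on the site."""
        self._global_gen += 1


def demo() -> dict:
    store = SessionStore()
    admin, user = store.login("admin_a"), store.login("user_b")
    before = (store.validate(admin), store.validate(user))
    store.password_changed("admin_a")
    after_reset = (store.validate(admin), store.validate(user))
    store.wipe_all()
    after_wipe = (store.validate(user), store.validate(store.login("user_b")))
    # Constructed ticket body, not taken from the incident.
    page = render_ticket("Help", "<script>alert(1)</script>")
    return {"before": before, "after_reset": after_reset,
            "after_wipe": after_wipe, "page": page}


if __name__ == "__main__":
    print(demo())
```
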

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #119 on: December 21, 2010, 05:31:31 pm »
Quote from: Dragoneer
December 2010 Hacking

By now, many of you know that Fur Affinity was attacked on Friday, December 17th 2010. Attackers were able to compromise the admin system using a previously unknown, unreported XSS exploit

The casual attitude with which he lies through his teeth is kind of disgusting, really.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name