Author Topic: FA admin account compromised (yet again)  (Read 17401 times)

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #140 on: December 22, 2010, 06:53:13 pm »
This was posted on lulz, it seems to be a copy paste of the e-mail or note which has been sent to people whose notes were leaked:

http://i56.tinypic.com/10oeh49.jpg

They get a free registration to the fur-affinity convention.

TORA reacts:

Quote from: almightytora
Just got an e-mail from @Dragoneer offering me a free sponsor membership to @FAUnited due to the leaks. I don't know if I should take it...

http://twitter.com/almightytora/status/17758606275379202

Quote from: almightytora
I will be IMing @Dragoneer when he's online. A $75 Sponsorship to his convention (not even Super Sponsor!?) is not really worth the damage.

http://twitter.com/almightytora/status/17762279961403392



Quote from: FAU website
Survivor (Sponsor) $75.00 USD
All the basics of the regular Lone Wanderer package, but with an added New Jersey Wasteland Survival guide, tokens to the FAU Sponsor cocktail party. Not only that, but you snag an FAU4 exclusive "Wasteland" lanyard and FAU4 badge*.

* "Survivor" badges are available with customization (engraved names) only with pre-reg.
Wastelander (Super Sponsor) $150.00 USD
For the survivor on the go who demands it all, you snag all the basics of the Lone Wanderer (con reg, water!) and the Survivor (cocktail tokens, NJ Wasteland Survival Guide, Lanyard and Badge!) but you also snag a full course dinner with the Guests of Honor, our special Wastelander Super Sponsor gift, and the happy, warm fuzzy feeling that comes with knowing $10 of your registration goes to support the adorable mutant puppies of the NJSPCA.

So in other words, Dragoneer doesn't want to give them free food.

Free food after their personal information was leaked all over the interwebs.

Plus how many people will actually take him up on the offer? God forbid he have to pay for six people's dinner and their trinket.

hahahaohwow.jpg

EDIT: And in another instance of "Sean not thinking ahead", he's now invited a known pedophile to his con! Ahahahahahaha.
EDIT EDIT: AND he would have had to invite Allan and Arcturus. BRB lolling forever.
« Last Edit: December 22, 2010, 08:56:10 pm by Conan »

UncreativeUsername

  • *
  • Posts: 50
  • E-points: +1/-4
  • Booze IS food
Re: FA admin account compromised (yet again)
« Reply #141 on: December 22, 2010, 09:39:38 pm »
EDIT: And in another instance of "Sean not thinking ahead", he's now invited a known pedophile to his con! Ahahahahahaha.
EDIT EDIT: AND he would have had to invite Allan and Arcturus. BRB lolling forever.

Well, this is interesting. First of all, does anyone know if anything new was found in Tora's and Allan's notes? Second, did Dragoneer bother to ban Allan from FA:U? Third, why in blazes do they insist on using the same names and personae? I mean, seriously, they're so attached to their names and likenesses that they let themselves be tracked and ridiculed constantly? If I was outed as someone who committed fraud or had sex with a 14-year-old, I'd go underground, change names, and only let a select few friends know my actions. Is the fandom actually just accepting them back and only a few of us bother with remembering what they did? I thought they were pariahs even within the fandom.

AshleyAshes

  • *
  • Posts: 86
  • E-points: +4/-14
Re: FA admin account compromised (yet again)
« Reply #142 on: December 22, 2010, 10:07:04 pm »
Well, this is interesting. First of all, does anyone know if anything new was found in Tora's and Allan's notes?

It doesn't matter.  Dragoneer revealed that TORA was using FA notes to sexually groom underage boys some time ago.  There was this huge thing because Dragoneer accidentally leaked a log of the AIM convo on some pastedump site.  There's a whole Wikifur article on TORA which quotes Dragoneer's banning TORA for using FA to talk to underaged boys about sucking their own cocks.

This was all known before the FA note leaks. :X

UncreativeUsername

  • *
  • Posts: 50
  • E-points: +1/-4
  • Booze IS food
Re: FA admin account compromised (yet again)
« Reply #143 on: December 22, 2010, 10:12:38 pm »
Well, this is interesting. First of all, does anyone know if anything new was found in Tora's and Allan's notes?

It doesn't matter.  Dragoneer revealed that TORA was using FA notes to sexually groom underage boys some time ago.  There was this huge thing because Dragoneer accidentally leaked a log of the AIM convo on some pastedump site.  There's a whole Wikifur article on TORA which quotes Dragoneer's banning TORA for using FA to talk to underaged boys about sucking their own cocks.

This was all known before the FA note leaks. :X

Yeah, I was wondering how that AIM log got leaked. That was pretty revealing. Dragoneer was even debating going to the police and hated to ban him. I was just wondering if maybe he had more contact with other minors or if there was a cover-up we didn't know about earlier. Dragoneer is insane if he allows him at FA:U at all, especially after what happened at AC.

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Re: FA admin account compromised (yet again)
« Reply #144 on: December 24, 2010, 12:11:25 pm »
Quote from: teh ircz
<yak[work]> error_page 404 /default_avatar.gif;   # sweet
 * yak[work] deletes a bajillion default user avatars and story/poetry/music thumbnails
<yak[work]> nginx directive to return a default image instead of a 404 page. for a content deliver note, means that if the user's avatar for example is the default one (as is for new users who haven't uploaded them yet), i can skip copying the default one to their data folder.
<yak[work]> works even better for default thumbnails for stories/music/etc, if the user hasn't uploaded a custom one. instead of a million copies i store only one
<yak[work]> getting rid of ~5M useless small files can't be a bad thing

For those of you not well-versed in beardy sysadmin shit: they used to make a new copy of the default avatar/submission icon for every single upload. Now they don't do that, instead faking it with a default 404 image.

WHY they made copies of the default icon in the first place is goddamn beyond me. Jesus.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt
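The error_page trick from the IRC quote above (re-quoted further down in the thread), written out as an added example rather than FA's actual configuration: the fallback is scoped to the user-data paths and the status is rewritten to 200, so a missing avatar becomes a real image response without turning every other broken link on the site into one. Hostname, root and directory layout are assumptions.

```nginx
# Added example (not FA's actual configuration): the error_page fallback
# from the IRC quote, scoped so it only masks missing user images.
# The hostname, root and /data/<user>/ layout are assumptions.
server {
    listen 80;
    server_name example.invalid;
    root /srv/www;

    # Per-user uploads live under /data/<user>/ (assumed layout).
    # Only here does a missing file mean "user never uploaded one".
    location /data/ {
        # Serve the single shared default instead of a 404 page.
        # "=200" rewrites the status; with the bare form from the quote
        # the body is the image but the status stays 404, so browsers,
        # caches and monitoring still treat the response as an error.
        error_page 404 =200 /default_avatar.gif;

        # Expected misses should not flood the error log.
        log_not_found off;
    }

    # Story/music thumbnails get their own default, same technique.
    location /data/thumbs/ {
        error_page 404 =200 /default_thumb.png;
        log_not_found off;
    }

    # The defaults themselves: one file each, cacheable.
    location = /default_avatar.gif { expires 7d; }
    location = /default_thumb.png  { expires 7d; }

    # Everything else keeps a real 404. A server-wide
    # "error_page 404 /default_avatar.gif;" would turn every broken
    # page link and every probe for a non-existent path into a 200
    # image, hiding genuine breakage from both users and logs.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check it with `curl -sI http://example.invalid/data/newuser/avatar.gif`: the fallback should come back as 200 with an image content type, while a missing page under / still returns 404.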

Eevee

  • VAPOREONWARE
  • Cabalistic Fuckhead
  • *
  • Posts: 48
  • E-points: +8/-0
Re: FA admin account compromised (yet again)
« Reply #145 on: December 24, 2010, 02:16:50 pm »
It doesn't matter.  Dragoneer revealed that TORA was using FA notes to sexually groom underage boys some time ago.  There was this huge thing because Dragoneer accidentally leaked a log of the AIM convo on some pastedump site.  There's a whole Wikifur article on TORA which quotes Dragoneer's banning TORA for using FA to talk to underaged boys about sucking their own cocks.
I knew TORA years before all this crap, and he couldn't sexually groom his way out of a hair salon.  He's hilariously harmless; just completely tactless and oblivious to others' boundaries to the point of creepiness.

loki

  • **
  • Posts: 125
  • E-points: +2/-2
Re: FA admin account compromised (yet again)
« Reply #146 on: December 24, 2010, 02:20:53 pm »
For those of you not well-versed in beardy sysadmin shit: they used to make a new copy of the default avatar/submission icon for every single upload. Now they don't do that, instead faking it with a default 404 image.

WHY they made copies of the default icon in the first place is goddamn beyond me. Jesus.

FYI, I brought this up to them like... a year and a half ago because I noticed each user had its own copy of the default user icon - how the hell they never thought to use *gasp* a link to a single common location is beyond me; it's like yak is the dumbest motherfucker on this planet. That or he's so dense he can't even do basic shit like use common sense. :I

AshleyAshes

  • *
  • Posts: 86
  • E-points: +4/-14
Re: FA admin account compromised (yet again)
« Reply #147 on: December 24, 2010, 03:56:28 pm »
I knew TORA years before all this crap, and he couldn't sexually groom his way out of a hair salon.  He's hilariously harmless

Harmless?  He was in prison after an event involving him, his boyfriend, a 14yo boy and a hotel room!

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #148 on: December 24, 2010, 05:41:54 pm »
You know, going along with furries' complete inability to create anything that doesn't reference anime, video games, or some other banal low-level geek bullshit, I'm pretty sure there are multiple people in the fandom named "Tora" or some variation thereof. I'm not sure what the reference is, but I am sure I don't care.

It took me a while to realize this guy was separate from another "Tora" that I had heard of before I heard of him.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

a pigeon

  • Cabalistic Fuckhead
  • ***
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #149 on: December 24, 2010, 06:16:24 pm »
Looks like they're still having problems:



Someone's been making a string of accounts and doing that this evening. Seemed to have hijacked a few accounts as well to do it.
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
Re: FA admin account compromised (yet again)
« Reply #150 on: December 24, 2010, 07:06:37 pm »
Quote from: teh ircz
<yak[work]> error_page 404 /default_avatar.gif;   # sweet
 * yak[work] deletes a bajillion default user avatars and story/poetry/music thumbnails
<yak[work]> nginx directive to return a default image instead of a 404 page. for a content deliver note, means that if the user's avatar for example is the default one (as is for new users who haven't uploaded them yet), i can skip copying the default one to their data folder.
<yak[work]> works even better for default thumbnails for stories/music/etc, if the user hasn't uploaded a custom one. instead of a million copies i store only one
<yak[work]> getting rid of ~5M useless small files can't be a bad thing

For those of you not well-versed in beardy sysadmin shit: they used to make a new copy of the default avatar/submission icon for every single upload. Now they don't do that, instead faking it with a default 404 image.

WHY they made copies of the default icon in the first place is goddamn beyond me. Jesus.

WHAT. This is so unbelievably stupid.

Looks like they're still having problems:

Someone's been making a string of accounts and doing that this evening. Seemed to have hijacked a few accounts as well to do it.

I don't know if this was an exploit with the thumbnail dimensions limit or just a generally 'duh' thing involving the website, however none of those uploads had file extensions. I'll assume it's relative to the giant thumbnails there, though feel free to correct me if I'm wrong with that.
pee

UncreativeUsername

  • *
  • Posts: 50
  • E-points: +1/-4
  • Booze IS food
Re: FA admin account compromised (yet again)
« Reply #151 on: December 24, 2010, 07:08:50 pm »
Hijacked accounts? And, people are swamping Dragoneer's shoutbox with complaints about this, too. I wonder if this is the start of a new attack.

ProvincialTwit

  • Abuse Dept.
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 774
  • E-points: +72/-33
Re: FA admin account compromised (yet again)
« Reply #152 on: December 24, 2010, 09:29:58 pm »
We can only hope.

Godspeed you! Black hat.

loki

  • **
  • Posts: 125
  • E-points: +2/-2
Re: FA admin account compromised (yet again)
« Reply #153 on: December 24, 2010, 10:34:42 pm »
I'm sure if it is a real attack it will be posted to FD_2 before anything else again - just need to make sure we leave out 99% of the userbase of what's going on. Also, people think the messed-up images are part of some XSS exploit but I'm not so sure..

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #154 on: December 24, 2010, 11:13:00 pm »
Looks like they're still having problems:



Someone's been making a string of accounts and doing that this evening. Seemed to have hijacked a few accounts as well to do it.

Who wants to bet Yak's shoddy coding created another easily-abused hole?

Or even his inability to use a test site to do code changes.

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Re: FA admin account compromised (yet again)
« Reply #155 on: December 25, 2010, 06:38:31 am »
Or even his inability to use a test site to do code changes.

remember, they need a secure environment before they can work on making a secure environment
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #156 on: December 25, 2010, 09:33:18 am »
Who wants to bet Yak's shoddy coding created another easily-abused hole?

You know, I respect the people who offered Dragoneer help, even if I question their judgment a bit in offering Dragoneer help, but hey, not everyone knows all the gory details of the innards of FA. But I'm willing to guess that even if some of these people, who have usually either gone off to found their own successful art site(s) or are otherwise respectably employed, really knew the full extent of the disaster that is the code base, or knew what they were in for inre: the personalities of the admins and the management style (or lack thereof) of Dragoneer, they'd pull out right quick. That sort of environment is an environment you'd only stay in if they were paying you damn well, and even then you'd have people who would still leave just to get away from the poisonous people and the utterly unfulfilling work of fixing someone else's retardery. Programmers are most content when they are productive. That work almost by definition will never ever be "productive". Nothing new will come of it, the FA site will just come up to a baseline it should have been at years and years ago.

At this point I see stuff happen and I think of a solution in the space of five minutes. Of course, that's without seeing the code base, but shit, I think, I'm not even going to post anything about it because they don't deserve any help whatsoever, however indirect.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #157 on: December 25, 2010, 01:55:24 pm »
It seems that in Yak's "Fix things that should be fixed, but they really don't need to be fixed now because there's more important stuff to do" spree, the usericon on the front page news items has been made significantly larger. This, of course, has added more empty space to the page, joining the rest of the empty spaces in the header.



The site may still have vulnerabilities, but now everyone can see the massive Fender icon of the week easier!

ProvincialTwit

  • Abuse Dept.
  • Postcount ate Whippany, NJ
  • ****
  • Posts: 774
  • E-points: +72/-33
Re: FA admin account compromised (yet again)
« Reply #158 on: December 25, 2010, 02:12:51 pm »
BIG BROTHER IS WATCHING

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #159 on: December 25, 2010, 05:26:17 pm »
It seems that in Yak's "Fix things that should be fixed, but they really don't need to be fixed now because there's more important stuff to do" spree, the usericon on the front page news items has been made significantly larger. This, of course, has added more empty space to the page, joining the rest of the empty spaces in the header.

The code is a mess, and fixing the "important stuff" is massively unrewarding work, however necessary it may be. The work involved is probably highly tedious. You'd probably have to replace code that takes user input with something less fucktarded, but here's the catch- in a well designed code base there'd be a couple of classes that dealt with actually issuing SQL, reading and parsing user input, etc. I.e. that sort of dangerous stuff would be limited to a small area, and more importantly it would exist in only one area. You would then make good use of inheritance to build layers on top of that. So when your DB code needs fixed, it can be fixed in one place, end of story.

But it's likely that there are mysql_query() calls and echo() calls littered throughout the code, and I'm sure the pattern (hah) in which they are used is inconsistent, so you can't just do some semi-robotic find and replace type operation. You'd have to decipher each part of the code, figure out what it does (and what unintended behaviors other parts of the code may be relying on) and then rewrite it in a secure way. All of this is extremely fragile, because without any sort of modularization or information hiding, you have no idea how your changes will affect other parts of the site.

Frankly, if these were any kind of reasonable adults we were dealing with, any hypothetical "consultant" would likely tell them to throw the code base out and start over anew. Which is a whole 'nother can of worms as we all know.

Yak probably lacks the motivation and skills to do anything like this. It's also more immediately rewarding to do stuff like play with CSS templates, especially if you're lazy and unwilling to wait for hard(er) work to pay off.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name