Topic: FA admin account compromised (yet again) (Read 17401 times)

loki

Re: FA admin account compromised (yet again)
« Reply #160 on: December 25, 2010, 11:06:57 pm »
The best thing would be to hand them a book on anti-patterns and tell them "This is how dumb you are!" - it wouldn't get through but I'm willing to bet money that they have at least several anti-patterns in their code on top of the total lack of design or even basic OOP logic like reusing common classes....

Eevee

Re: FA admin account compromised (yet again)
« Reply #161 on: December 26, 2010, 12:55:24 am »
The code was all written by Alkora, who hasn't been involved in ages.  They already know the thing sucks.  They just don't have any programmers to fix it.

UncreativeUsername

Re: FA admin account compromised (yet again)
« Reply #162 on: December 26, 2010, 07:44:11 am »
Quote
The code was all written by Alkora, who hasn't been involved in ages.  They already know the thing sucks.  They just don't have any programmers to fix it.

Could they have hired a paid programmer to do this with the money they've taken in/squandered, or are they too stupid and paranoid to even do that?

Jim Demintia

Re: FA admin account compromised (yet again)
« Reply #163 on: December 26, 2010, 07:53:38 am »
Quote
The code was all written by Alkora, who hasn't been involved in ages.  They already know the thing sucks.  They just don't have any programmers to fix it.

Quote
Could they have hired a paid programmer to do this with the money they've taken in/squandered, or are they too stupid and paranoid to even do that?

I'd imagine so; and frankly no one in their right mind is going to do that kind of work for free. Especially when you'd basically be donating thousands of dollars worth of your time to Dragoneer, who'd use your code for his own personal enrichment. I'd be demanding a percentage cut of the profits, honestly. I know that's insanity but I'm also not about to do anything for FA at any price.

I also think that Dragoneer & co. are more "hardware oriented", to put it charitably. In other words, they see shiny plastic shit and wet their pants. They don't exactly appreciate the necessity of quality software to make any use of their overpriced crap.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

UncreativeUsername

Re: FA admin account compromised (yet again)
« Reply #164 on: December 26, 2010, 08:16:37 am »
I see. I wonder who wrote the code and stuff for InkBunny and where the original funding came from. They are a much smaller site (getting much larger from the last two fiascoes, though), yet I see staff at IB can make rapid, effectual repairs or modifications (they even took the site down for 4 days to make critical repairs lately), whereas the fuckwits at FA never bothered to even restore the commissions tab and only react (and badly at that) when something goes wrong. I think Dragoneer's embarrassed and has even publicly said he's not sure he's on good terms with IB.

SoFurry's current funding comes from Toumal (the owner) himself primarily and he can sustain it on his own, but I don't know a thing about the competency of their coders or who originally paid to start up Yiffstar, SoFurry's former name.

Jim Demintia

Re: FA admin account compromised (yet again)
« Reply #165 on: December 26, 2010, 08:44:21 am »
What I've seen of Toumal is that he's nowhere near as good as he thinks he is, but I guess in light of FA everyone looks pretty damn good. His Twitter was annoyingly fanboyish when I looked at it.

The thing that's so mind-numbingly stupid about FA's incompetence is that it really does not take all that much programming genius to write and maintain a web site. PHP coders and "web designers" are not exactly at the top of the pecking order.

GreenReaper

Re: FA admin account compromised (yet again)
« Reply #166 on: December 26, 2010, 10:13:56 am »
Quote
I wonder who wrote the code and stuff for InkBunny and where the original funding came from.

Starling wrote the code; site design was by Symm, backgrounds by Lando. Initial funding was provided through donations and personal loans.

Inkbunny became able to cover its hosting through fees a couple of months ago, though as of right now we're back to donations until we arrange another payment provider.

I paid this month's hosting bill to avoid the risk of downtime while said donations cleared. I expect to get it back; I've loaned money to Starling before and it was repaid on time, which is more than I can say for some furs.

UncreativeUsername

Re: FA admin account compromised (yet again)
« Reply #167 on: December 26, 2010, 11:47:50 am »
Quote
Starling wrote the code; site design was by Symm, backgrounds by Lando. Initial funding was provided through donations and personal loans.

Inkbunny became able to cover its hosting through fees a couple of months ago, though as of right now we're back to donations until we arrange another payment provider.

I paid this month's hosting bill to avoid the risk of downtime while said donations cleared. I expect to get it back; I've loaned money to Starling before and it was repaid on time, which is more than I can say for some furs.

Ahh. Well, Starling seems to know what he's doing, unlike a certain digimon... I don't know if he could get another furry to loan him that kind of money at this point. Then again, there are so many people with more money than sense. Like Dragoneer, for example.
« Last Edit: December 26, 2010, 01:01:27 pm by UncreativeUsername »

Eevee

Re: FA admin account compromised (yet again)
« Reply #168 on: December 26, 2010, 02:50:40 pm »
Quote
Could they have hired a paid programmer to do this with the money they've taken in/squandered, or are they too stupid and paranoid to even do that?

This question comes up a lot.  I still don't understand why anyone thinks this is remotely possible.

FA currently pays, for bandwidth/rackspace: $1700/month.
Bare minimum full-time entry-level programmer salary is: $3500/month.

Sure, you could only hire the guy part-time, and maybe halve that—but even then, FA would need to double its income to afford one guy.  One guy who is willing to work half-time for a paltry wage to rewrite a furry porn site, but yet is still competent.

This is not going to happen.

UncreativeUsername

Re: FA admin account compromised (yet again)
« Reply #169 on: December 26, 2010, 02:57:21 pm »
Quote
FA currently pays, for bandwidth/rackspace: $1700/month.
Bare minimum full-time entry-level programmer salary is: $3500/month.

Sure, you could only hire the guy part-time, and maybe halve that—but even then, FA would need to double its income to afford one guy.  One guy who is willing to work half-time for a paltry wage to rewrite a furry porn site, but yet is still competent.

This is not going to happen.

So, if he had a donation drive/he got a loan or another credit card and maybe did this for one to two months, this would not work? I'm thinking maybe if they got professionals in to fix this horrible code all at once, after that volunteer people could maintain it and make adjustments and stuff as needed. Professionals would not have as much of a trust issue I've heard Dragoneer going on about earlier. They're not furries who care about the drama. They would have a job to do and would do it, then leave after the job ended.

Jim Demintia

Re: FA admin account compromised (yet again)
« Reply #170 on: December 26, 2010, 04:53:32 pm »
People think this is possible because no one really knows what resources Dragoneer and FA actually have available to them.

What they pay for hosting is irrelevant.

Conan

Re: FA admin account compromised (yet again)
« Reply #171 on: December 26, 2010, 05:46:07 pm »
Remember, Dragoneer's notes revealed he offered to hire Yak full-time to fix the site.

Quote
I made Yak a job offer to work on FA full time. If yak spent his time working on FA, we wouldn't have these problems. He'd be able to code as a job, get paid, and resolve all the issues. And FA would have a full time coder.

I'm sure money was one of the reasons he declined.

ProvincialTwit

Re: FA admin account compromised (yet again)
« Reply #172 on: December 26, 2010, 09:58:41 pm »
Not exactly the kind of thing you can put on a resume

Fate

Re: FA admin account compromised (yet again)
« Reply #173 on: December 27, 2010, 02:34:20 am »
Quote
Not exactly the kind of thing you can put on a resume

2010-2011   Head Software Engineer, Emergency Emotional-Support Blowjob Technician - Furry Porn Site.

Jim Demintia

Re: FA admin account compromised (yet again)
« Reply #174 on: December 27, 2010, 08:48:40 am »
so, anyone else noticed that FA is just about to pass submission ID 5 million?

What I did notice was the drooling furry masses bringing this up a while back, and all I could think was, "gee, what a convenient distraction". It led me to wonder if one of the LJ communities, or Twitter accounts, connected with Dragoneer or FA had mentioned this in sort of a, "HEY, LOOK. OVER THERE."

Pi

Re: FA admin account compromised (yet again)
« Reply #175 on: December 27, 2010, 09:09:35 am »
Quote
I'm thinking maybe if they got professionals in to fix this horrible code all at once

The only way to fix this code is to throw it right out the fucking window. Anything else would just be patching on patches patched by someone who patched it a few years ago to patch around a patchy patch.

Quote
, after that volunteer people could maintain it and make adjustments and stuff as needed.

Given the quality of the volunteer people currently working on this, any adjustments/maintenance they do would open up new holes, assuming that they could wrap their heads around the newly rewritten code.

Quote
Professionals would not have as much of a trust issue I've heard Dragoneer going on about earlier. They're not furries who care about the drama.

I'm assuming, actually, that Dragoneer would probably still have a trust issue: he didn't personally vet these people, they aren't his friends, he might not like them.

Quote
They would have a job to do and would do it, then leave after the job ended.

Or they'd get fed up with the internal politics and say "fuck this". Either one.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

loki

Re: FA admin account compromised (yet again)
« Reply #176 on: December 28, 2010, 09:40:54 pm »
Offtopic, but I noticed that their entire comment system has nothing to check for multiple HTTP POST requests when making a comment... found this out when I accidentally double clicked the submit button and it made the comment double up. In theory, you could write a link that forces the victim to spam multiple comments onto a journal post or submission... since each entry is a row in the DB, this could cause a good amount of load on the system if someone maliciously started doing this. What I really want to know is if deleting a journal is a hard delete of the journal and all the comments or is it some stupid thing with the notes where they just delete the link in the inbox? I just want to see how bad it is out of a morbid curiosity....

But yea, as to what Pi said, there's no hope for their code. There's so many possible avenues to abuse their half-assed implementation (see above) that you would save time by starting over from scratch.
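
A defensive sketch of the missing check described in the post above, added here as an example and not code from the thread or from FA: the server issues a single-use, session-bound token with each comment form and spends it on the first POST, so a double click or a cross-site request creates no extra row. The names (`CommentForm`, `render_form`, `post_comment`) and the in-memory storage are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class CommentForm:
    """Hypothetical comment endpoint guarded by single-use, session-bound form tokens."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._unspent = {}    # session_id -> set of nonces issued but not yet used
        self.comments = []    # stands in for the comments table (one row per comment)

    def _mac(self, session_id: str, journal_id: int, nonce: str) -> str:
        msg = f"{session_id}|{journal_id}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def render_form(self, session_id: str, journal_id: int) -> str:
        """Issue the hidden-field token that goes out with each rendered form."""
        nonce = secrets.token_hex(16)
        self._unspent.setdefault(session_id, set()).add(nonce)
        return f"{nonce}.{self._mac(session_id, journal_id, nonce)}"

    def post_comment(self, session_id: str, journal_id: int, token: str, body: str) -> str:
        nonce, _, mac = (token or "").partition(".")
        # A request built on another site cannot supply a token valid for this session.
        if not hmac.compare_digest(mac.encode(), self._mac(session_id, journal_id, nonce).encode()):
            return "rejected: bad token"
        unspent = self._unspent.get(session_id, set())
        # Spend the nonce first; in a real database make this one atomic check-and-delete.
        if nonce not in unspent:
            return "rejected: token already used"
        unspent.remove(nonce)
        self.comments.append((journal_id, session_id, body))
        return "ok"


def demo():
    """Constructed requests: a normal post, a double click, and two forged posts."""
    svc = CommentForm(secrets.token_bytes(32))
    token = svc.render_form("sess-A", 42)
    results = [
        svc.post_comment("sess-A", 42, token, "nice journal"),  # first click
        svc.post_comment("sess-A", 42, token, "nice journal"),  # accidental second click
        svc.post_comment("sess-A", 42, "", "spam"),             # cross-site POST, no token
        svc.post_comment("sess-B", 42, token, "spam"),          # token replayed in another session
    ]
    return results, len(svc.comments)
```

Calling `demo()` shows one stored comment out of four attempts; a user who wants to comment again simply gets a fresh token with the next rendered form.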

AshleyAshes

Re: FA admin account compromised (yet again)
« Reply #177 on: December 29, 2010, 05:23:18 am »
Weird.  This morning FA stopped rendering the comments for journals.  It says there are X amount of comments under the journal but it doesn't render any of them.  Had some other people verify it as well.  Doesn't seem to affect submissions however.

a pigeon

Re: FA admin account compromised (yet again)
« Reply #178 on: December 29, 2010, 06:01:38 am »
Quote
Offtopic, but I noticed that their entire comment system has nothing to check for multiple HTTP POST requests when making a comment [...] In theory, you could write a link that forces the victim to spam multiple comments onto a journal post or submission..

"Comment posting on journals has been temporarily disabled while we are working on an issue." has been freshly added to the recent admin announcement about the attacks. Presumably what you've related here is "an issue".

(The site was also down for a while, and the outage page directed you to the site status forum, which of course led to the forums outage page)
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

Jim Demintia

Re: FA admin account compromised (yet again)
« Reply #179 on: December 29, 2010, 07:09:16 am »
This is pure speculation, but I wouldn't be too surprised if someone from FA is reading this thread or these forums and getting a free security audit.

I have no idea if that's actually the case but the timing of this comment thing vs. loki's post is exceedingly odd.