Author Topic: FA admin account compromised (yet again)  (Read 17398 times)

a pigeon

  • Cabalistic Fuckhead
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #20 on: December 17, 2010, 06:19:06 am »
Some people are having their accounts fucked around with:



then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

AshleyAshes

  • Posts: 86
  • E-points: +4/-14
Re: FA admin account compromised (yet again)
« Reply #21 on: December 17, 2010, 07:42:56 am »
The interesting part is that FA seems to be under persistent attack at the moment and the admins, while aware, are not visibly doing anything on site. I think the admins are locked out of their own site, at a software level, at the moment.

a pigeon

  • Cabalistic Fuckhead
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #22 on: December 17, 2010, 08:03:53 am »
A few minutes ago, someone managed to get into the admin control panel on the FA forums and made all the admin forums visible:

http://i56.tinypic.com/34rdkz8.jpg

They took the forums down right quick after that.

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Re: FA admin account compromised (yet again)
« Reply #23 on: December 17, 2010, 08:09:39 am »
Oh my fucking god.

I have no words besides "I told you so".
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Re: FA admin account compromised (yet again)
« Reply #24 on: December 17, 2010, 09:47:22 am »
Quote from: somewhere on lulz
Dragoneer cannot fix the site being at work right at the moment
Today he had problems with his superior for being stuck on the internet (he needs a working proxy because he's FIREWALLED... soon to be FIRED)
He will be able to take back the control of FA when back home
That's all I know from a friend in FA's staff - a cool guy so no name, both sides could attack him
(emphasis mine)

I think it's cute how someone thinks there's two "sides" here. This attack is pretty obviously carried out by another furry (or someone who might as well be, given their familiarity with the non-notable names at the top), not some external influence.

a pigeon

  • Cabalistic Fuckhead
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #25 on: December 17, 2010, 10:14:41 am »
It's all lulz.net's fault:

Quote from: dragoneer
As frustrating as it may be, there's nothing in those logs I don't stand by.

But at least we do know it was Lulz know, given everything was directly pumped right up there. So I'm sure they'll be enjoying Christmas, reading through boring notes, dull comments and more.

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Re: FA admin account compromised (yet again)
« Reply #26 on: December 17, 2010, 11:14:30 am »
They appear to have absolutely no idea what's going on:
Quote from: Dragoneer on fd_2
As it stands, we're not sure what they did. We know who they did it /to/, but not the how. The forums also got hit, but the compromised account was not one of the ones in the first compromise. Which makes it a bit weirder.

Quote from: #furaffinity-dev
<&net-cat> Do any of you know what actually happened? And I mean that in a technical sense. Not in a "lol management" sense.
<Pi> no
<Pi> we have no idea
<Eevee_> dragoneer says it was XSS in trouble tickets
<Eevee_> that's all I've heard technically
<Pi> because your chain of communication is fucked
<@Carenath> Eevee_: And that's all I know either.
<Eevee_> (I don't know why dragoneer is making technical announcements in furrydrama_2)
<Pi> and that's fucking pathetic
/*/ mode/#furaffinity-dev [+m] by net-cat
<&net-cat> Then I thank you for you input.
<&net-cat> I am at work right now and I don't need an editorial on how much I suck.
<&net-cat> I need solutions to the immediate issue.
<&net-cat> If anyone has any to offer, please /query me or yak[work]

I PM'd him, saying the solution to the immediate issue is getting someone who gives a shit about security in to mop up. He said something along the lines of "but i heard you hacked us once and stole all the codes". It was promptly followed up with "<net-cat> I wasn't there for that.".

Yep.

a pigeon

  • Cabalistic Fuckhead
  • Posts: 352
  • E-points: +35/-1
Re: FA admin account compromised (yet again)
« Reply #27 on: December 17, 2010, 11:38:57 am »
Quote
<Eevee_> (I don't know why dragoneer is making technical announcements in furrydrama_2)

Dragoneer seems to greatly prefer posting updates and information on furrydrama_2, as opposed to telling other members of FA staff or making it public so that the people who use FA can be informed:

Quote from: dragoneer on furrydrama_2
For the record, it's not so much as two break-ins in a row... as it's just a continued extension of the first time.

Quote from: dragoneer on furrydrama_2
And it doesn't help that one of the admin's personal e-mail accounts was broken into and used to do p/w resets against, which lead up to what we're experiencing right now.

Whoever did it got the passwords from somewhere, and it wasn't FA... which stands to reason as my earlier suspicion. Bijoux's personal account was broken into, which is what we're dealing with right now.

So it was Bijoux's account that was compromised originally. Well, from what I remember of her, she could have been replaced with an IRC bot that said: "I agree with Pinkuh".

Jim Demintia

  • Postcount ate Whippany, NJ
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #28 on: December 17, 2010, 11:41:56 am »
Quote from: somewhere on lulz
Today he had problems with his superior for being stuck on the internet (he needs a working proxy because he's FIREWALLED... soon to be FIRED)

That'd be the icing on the cake at this point, honestly. Apparently space Santa from Jupiter has decided to give those of us who believe in karma an early merry fucking Christmas.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #29 on: December 17, 2010, 11:55:14 am »
Quote
<Eevee_> dragoneer says it was XSS in trouble tickets

lololololol wasn't this on Eevee's security hole list?

Quote from: somewhere on lulz
Today he had problems with his superior for being stuck on the internet (he needs a working proxy because he's FIREWALLED... soon to be FIRED)

The sad thing is, it's probably true. "I can't fix that laptop, sir, my porn website is getting fucked over because I never bothered to fix the security! bawww!"

All I can say is, it's about time. Maybe Dragoneer will finally realize that running a website like FA isn't supposed to be all fun and games all the time.

Eevee

  • VAPOREONWARE
  • Cabalistic Fuckhead
  • Posts: 48
  • E-points: +8/-0
Re: FA admin account compromised (yet again)
« Reply #30 on: December 17, 2010, 12:01:10 pm »
Quote from: Conan
<Eevee_> dragoneer says it was XSS in trouble tickets
lololololol wasn't this on Eevee's security hole list?

I guessed that there might be something and that it would be the worst of the lot, but couldn't be sure without actually seeing/poking the admin pages.  Looks like someone did the poking for me.

Dragoneer tells me he's not entirely sure it's XSS, and it wouldn't explain the forum break-in anyway.  So, nobody even seems sure what happened.

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Re: FA admin account compromised (yet again)
« Reply #31 on: December 17, 2010, 12:57:40 pm »
And here's what Yak has to say, or rather, how Yak is passing the buck:
Quote from: Yak
<yak[away]> Eevee, the thing is, I can. i have full control on where fa goes, technical side, and how it does this. i just need a good fucking rest and a week of time to organize something
<yak[away]> and i haven't had a moment's rest since. my $job is retardedly demanding. more like two jobs seing as how things are
<@Pi> clearly you don't actually know what you're doing when it comes to security
<@Pi> you need someone with the experience and the credentials, not some 13 year old kid
<@Pi> how many times am i going to have to repeat this before you find SOMEONE
<@Pi> ANYONE
<yak[away]> okay, caps lock time
<@Pi> here comes the big fat excuse
<yak[away]> I CANT JUST GIVE FULL ACCESS TO A RANDOM HOMO WITHOUT AT LEAST MAKING A SECURE ENVIRONMENT FIRST, AND I NEED TIME FOR THAT
<@Pi> yak[away]: you're not going to have a secure environment in time for the next attack. you'll just go back to "welp i think we got these holes closed, gotta get back to making sure the site doesn't collapse under its own load"
<yak[away]> I don't have the time to keep up with this conversation. Your points were made long ago and I am aware of them. Belive it or not I am taking care of the issue that is myself. It will take some time but it will get done; in a month or two.
<yak[away]> so far the official reason for yesterday's hack is a hijacked session, and today's is a continuation of yesterday's, via a password reset on an admin account whihc email was changed.

Let's try and follow the logic here. "We can't let someone (anyone) who knows about security work on the site, because we don't have a secure environment. The production site is swiss-fucked-cheese, but we can't accept help fixing that, without setting up a secure testing environment." Kinda putting the cart before the horse, innit?

Don't they have 4 servers sitting in the rack serving up video games or doing something similarly useless?

(I'm sure this is bound to get plenty of retards crowing about how this means I'm butthurt because they aren't recognizing my obvious superiority, or some other EDtastic crap. Whatever.)

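The chain Yak describes above (a hijacked session, then a password reset against an admin account whose e-mail address had been changed) and the earlier quote about an admin's personal mailbox being used for resets both turn on the same weak link: the recovery flow trusts whatever address is on file at the moment. The following is an added example, not FA's code and not from anyone in this thread, sketching in Python how an account service can refuse an address change from a session cookie alone, revoke other sessions and pending reset tokens when the address does change, and bind each reset token to the address it was mailed to. Everything in it (the AccountService class, the demo hashing, the in-memory outbox, the user names) is constructed for the example. It does not address an attacker who already reads the legitimate mailbox; that case needs a second factor or out-of-band confirmation, which is outside this sketch.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    email: str
    pw_hash: str
    sessions: Set[str] = field(default_factory=set)
    # hash(reset token) -> (address the token was issued for, expiry time)
    reset_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)


def _hash_pw(password: str) -> str:
    # Demo-only hash so the example stays self-contained; a real site uses
    # a slow, salted KDF (bcrypt, scrypt, argon2).
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class AccountService:
    """Constructed in-memory stand-in for a site's account/recovery code."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.session_owner: Dict[str, str] = {}   # session id -> username
        self.outbox: list = []                     # (to_email, token) "mail" sent

    def register(self, username: str, email: str, password: str) -> None:
        self.accounts[username] = Account(username, email, _hash_pw(password))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash_pw(password)):
            return None
        sid = secrets.token_urlsafe(32)
        acct.sessions.add(sid)
        self.session_owner[sid] = username
        return sid

    def change_email(self, sid: str, current_password: str, new_email: str) -> bool:
        """A session cookie alone is not enough: the caller must re-enter the
        password. On success every other session and every outstanding reset
        token is revoked, so a hijacked session cannot be parlayed into a
        reset against an attacker-controlled address."""
        username = self.session_owner.get(sid)
        if username is None:
            return False
        acct = self.accounts[username]
        if not hmac.compare_digest(acct.pw_hash, _hash_pw(current_password)):
            return False
        acct.email = new_email
        for other in list(acct.sessions):
            if other != sid:
                acct.sessions.discard(other)
                self.session_owner.pop(other, None)
        acct.reset_tokens.clear()
        return True

    def request_reset(self, username: str) -> None:
        """Mail a single-use token to the address on file, and only there."""
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        acct.reset_tokens[_hash_token(token)] = (acct.email, time.time() + 900)
        self.outbox.append((acct.email, token))

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        acct = self.accounts[username]
        entry = acct.reset_tokens.pop(_hash_token(token), None)
        if entry is None:
            return False
        issued_for, expires = entry
        # The token is bound to the address it was mailed to: if the address
        # changed after issue, or the token is stale, it is worthless.
        if time.time() > expires or issued_for != acct.email:
            return False
        acct.pw_hash = _hash_pw(new_password)
        for s in acct.sessions:                  # a reset ends every session
            self.session_owner.pop(s, None)
        acct.sessions.clear()
        return True
```

The two properties worth copying are that an address change is a re-authenticated action rather than a form a session cookie can submit, and that the reset token carries the address it was issued for, so a change in between invalidates it even if some other code path forgets to clear the table.
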
Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #32 on: December 17, 2010, 01:16:03 pm »
Quote from: Pi
Don't they have 4 servers sitting in the rack serving up video games or doing something similarly useless?

One of those servers (the one Dragoneer made a big deal out of bringing online) is running what he calls "Advanced data logging" software (see: pretty chart creator) to crack down on people that use too much bandwidth. Because that's what makes the site slow.

The other three are doing absolutely nothing but hemorrhaging money, from what I can tell.

Jim Demintia

  • Postcount ate Whippany, NJ
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #33 on: December 17, 2010, 01:28:41 pm »
They've got an entire server running graphing software? Fucking lol.

MazelTovCocktail

  • Posts: 168
  • E-points: +5/-2
  • You smell somethin', Rabbit?
Re: FA admin account compromised (yet again)
« Reply #34 on: December 17, 2010, 04:26:42 pm »
Quote from: Jim Demintia
They've got an entire server running graphing software? Fucking lol.

Good to see everybody's donation money going to good use. 
I don't like to hit little bitches with glasses, but when midgets step up, I stomp midget asses.

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #35 on: December 17, 2010, 04:29:32 pm »
Guess whose notes have been leaked!

http://filesmelt.com/dl/Dragoneers_Notes.7z

Most of them involve him removing game screenshots and memes.

Fun quotes:
Quote
We code to standards compliant.
Quote
Quote
What does it take to be an Admin?
Generally, be established in the community, be helpful, keep your nose out of drama...
Quote
If people are coming to his page to harass him... we can investigate that. But we'll also have to investigate the accusations as well. If they're legit...
Quote from: right after the comment hiding thing
Quote from: Someone else
There are several ways you could act on this:
1. Do nothing. Everything continues as before. Concerns are raised, they fall on deaf ears, and when something bad inevitably happens, a shitstorm occurs.

2. Hire a professional code auditor. It's their damn job to find holes, errors, and exploits in the site's code. Sure, this costs money, but that's what donations are for - maintaining the site.

3. Make the code open source. Allow the community to volunteer and test the code themselves. This is free, simple, and lets glaring errors and exploits come to light that much faster. This may or may not be feasible, but at least it draws on the community's skills, rather than a few individuals.

4. Be proactive. Seriously. Everything I hear about the administration during events like these is that people tried to warn them, but nobody listened. Stop that. LISTEN. ACT ON IT.

5. Shuffle the admin team around. Hopefully you won't have to actually do this, but it might be possible that some of the admin team may in fact not be suitable for their position. You know,


Again, the intent of this note is not to cause drama or troll you, or anything of that sort. Rather, it is to have a short, objective look at what's been happening on the site with regards to security, brought to light by last night's events, and my take on what could (should) be done to address these concerns so that they do not happen again.

Thank you.
We're going to be doing a version of #2 soon enough, and we've been pondering #3 for a while.

Quote
Quote
I say this in all sincerity and seriousness. It is time to add another coder. Right now it sounds like Yak is the only one and he's really not patching the holes he should be. Maybe it's too much work, I don't know. Let's just say after a long time of listening to Wolfblade rant I've gotten the definite impression that Yak codes as he likes, when he likes, and he leaves projects undone. And heck, I see examples of that myself. I don't have a full understanding of coding, true, but what I do know is that's not something that should be left to one person that just doesn't seem that motivated to get stuff fixed. It's time to let that sandbag go. By that I mean, bring in another coder. Still have Yak around, sure, but someone should be helping. Fresh perspective, more hands to get the work done. And more importantly, you shouldn't be as hostage to one coder.

Incidentally, Wolfblade and I no longer talk, now. We had a big falling out, not sure if you noticed, over him badmouthing FA and not saying a damned thing about Inkbunny and Starling over here on his rant journal.
The issue is not yak, but the holes in the coding.

Yak is not the problem. Having a coder who codes for a site when they have a full time job and a life...

We've *had* a lot of coders come in. We've had a metric fuckton of coders come our way, and most talk a good game, but when it comes to coding, they're empty and shallow. Now, if you want to know the best coder FA ever had, but lost? Gavin. When Crypto was lead coder of Ferrox, Gavin was trying to join the team. Crypto, because he wanted all the credit for himself, told Gavin we didn't want, need him.

Gavin later left and went off to form Furocity.

We're looking for coders, and are trying to tap into reliable sources... but GOOD coders, and coders who can work as part of a team -vs- "it's my way, or not at all" (see: Jurann, Eevee, Crypto, etc.) is difficult.

I made Yak a job offer to work on FA full time. If yak spent his time working on FA, we wouldn't have these problems. He'd be able to code as a job, get paid, and resolve all the issues. And FA would have a full time coder.

Whether he accepts is another story. Yak is solid though, and he's proven and tested. Wolfblade doesn't know what the hell he's talking about because he's always too busy trying to white knight for anybody he feels is being picked on.

Quote from: month or so later
Unfortunately, FA is an all-volunteer site, and we do not pay since we run almost primarily off of donations. Not even I get paid.

Quote from: Bombird. This was about those donation badges. THEY COST $200
Hi there!

I worked some more on those badges for you!
You told me you'd send me the payment 3 weeks ago.
I don't want to be annoying, but I'd just appreciate some kind of money, even if it's just part of it, before I move on to animating and stuff.

Just so we can say we both do our part of the deal :D

I'll talk to you later!
Quote from: sent to "Deonwolf"
Haha. I was wonderin' if you'd be up for a picture of Dragoneer, *massive* udder... kinda dribblin', leakin' on the floor... Sciggles perched on top of it with sort of a curious look at it as sort of looks down at the thing. =D

Quote from: irony alert
Just no freebies. I don't accept 'em!

Quote
Quote from: underage ban
How much would I need to.. Donate.. To have my account un-agelocked? Just the mature art, not adult.
The system was coded very brokenly by the original coder, and there's no great way to split it up. Yet.
Notice how he doesn't condemn the bribe...

Quote
Sorry if I seemed frustrated. He called me at work during a meeting, and I got in trouble with my boss. Only calls I get on my cell are generally important high level stuff.

Oh shit! WYS stuff!

Quote
Hey,

Aurora gave me a call tonight and told me what was going on with Syn and Derek. Both got a 5 Day Bans from the forums for Violations of the Offsite Harassment Policy.

She said your staff are starting to give you shit for it as well. In all fairness, 'Neer - if me, Aurora or anyone for that matter step over the line? Feel free to hand us our asses for it. We're just guests in your house, so if we don't follow your rules, give us the timeout for it, you know?

But yeah, Syn and Derek both got 5 Day timeouts on our end, and were told next one is a perma from our site. I apologize for the trouble they caused, and while I can't say the same for Syn, I don't think Derek will be an issue again.

If either do it again, let us know and we'll take care of our end of things.

Later 'Neer!
-Silver

Quote
Quote from: henriw
http://labs.henriwatson.com/facsrf/

There are tests for all of them on there. I only recommend running "hell" on a test account because it changes a lot of stuff. I haven't told anyone about the details of the exploits and won't until these are fixed. There are also two other exploits that I haven't implemented here and three that I haven't tested (login, change account settings and trouble tickets).

- Journal deletion
Simple, call http://www.furaffinity.net/controls.....rnal/JournalID
Replace JournalID by the journal's ID and if the users has permission to delete it, it will be deleted

- Submission deletion
Pretty much the same as above, except the base URL is http://www.furaffinity.net//control.....e/SubmissionID

I apologize in advance if I shouldn't have tested on www., your journal on the exploits was deleted when I started coding so I didn't know the specifics.
Okay... now I just lost my custom profile that I worked hard on tonight... FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Better warnings as to what the exploits do is good. But these will definitely be good. I would suggest you coordinate with yak, as he's the main "Fix it" guy.
Quote from: henriw
I specifically told you not to run it on your main account and to run it on a test account instead!

There's so much more, and I don't feel like posting much more. Except this delicious Adam Wan drama!
« Last Edit: December 17, 2010, 05:44:00 pm by Conan »
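The report quoted above describes a state-changing action (journal or submission deletion) fired by simply loading a URL while logged in, which is the textbook shape of cross-site request forgery: the browser attaches the session cookie to that request no matter which page triggered it. As an added example that is not FA's code and uses no FA path or identifier, here is the vulnerable handler next to a hardened one in Python. The hardened version accepts only POST, only from the site's own origin, and only with a per-session synchronizer token that a foreign page cannot read. The JournalSite and Request classes are constructed stand-ins for a real web framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal model of what the server sees; constructed for the example."""
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class JournalSite:
    """Stand-in for a site with cookie sessions and per-user journals."""

    def __init__(self, host: str = "example.invalid") -> None:
        self.host = host
        self.sessions: Dict[str, str] = {}      # session id -> username
        self.csrf_tokens: Dict[str, str] = {}   # session id -> synchronizer token
        self.journals: Dict[str, str] = {}      # journal id -> owner

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        self.csrf_tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token(self, sid: str) -> str:
        """The site embeds this in its own forms; other origins cannot read it."""
        return self.csrf_tokens[sid]

    def _owner_ok(self, req: Request, journal_id: str) -> bool:
        user = self.sessions.get(req.cookies.get("session", ""))
        return user is not None and self.journals.get(journal_id) == user

    def _same_origin(self, req: Request) -> bool:
        # Origin is sent on cross-site POSTs; fall back to Referer for older
        # browsers. Compare scheme and host exactly, never with startswith.
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if not src:
            return False
        parts = urlsplit(src)
        return parts.scheme == "https" and parts.netloc == self.host

    # Vulnerable pattern from the quoted report: a GET to one URL deletes the
    # journal. The cookie rides along on any request the browser makes, so an
    # image tag or link on another site is enough, and the handler only asks
    # "does this user own the journal?".
    def delete_journal_vulnerable(self, req: Request, journal_id: str) -> int:
        if not self._owner_ok(req, journal_id):
            return 403
        del self.journals[journal_id]
        return 200

    # Hardened: state changes only on POST, only from the site's own origin,
    # and only with the per-session token that a foreign page cannot obtain.
    def delete_journal_hardened(self, req: Request, journal_id: str) -> int:
        if not self._owner_ok(req, journal_id):
            return 403
        if req.method != "POST":
            return 405
        if not self._same_origin(req):
            return 403
        expected = self.csrf_tokens[req.cookies["session"]]
        if not hmac.compare_digest(req.form.get("csrf", ""), expected):
            return 403
        del self.journals[journal_id]
        return 200
```

The ownership check is the same in both handlers; what the vulnerable one lacks is any evidence that the user, rather than a page the user happened to be viewing, asked for the deletion. The token check is what supplies that evidence; the method and origin checks are cheap extra layers.
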

loki

  • Posts: 125
  • E-points: +2/-2
Re: FA admin account compromised (yet again)
« Reply #36 on: December 17, 2010, 04:42:11 pm »
This is awesome.

Also, not surprised at all that there are more XSS exploits - it's all over the site because they never thought "Oh, hey someone could put malicious JavaScript code in their posts!" - shit, even Twitter has been hit by XSS but at least it's rare and fixed immediately. It was funny enough that the preview tags had it, the commission page had it; now even their own Trouble Ticket system has it.

Delicious incompetence. :)
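The "malicious JavaScript in a post" problem loki describes above comes down to emitting user text into HTML without encoding it for the context it lands in, and a trouble-ticket queue is the worst place for it because the reader is staff. The following is an added illustration, not FA's code, in Python: a naive ticket renderer beside one that HTML-encodes element text and refuses non-http(s) URLs in an href. The Ticket record and the sample ticket are constructed for the example.

```python
import html
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Ticket:
    """Constructed trouble-ticket record; every string is user-supplied."""
    ticket_id: int
    subject: str
    body: str
    reported_url: str       # ends up inside an href attribute


def render_ticket_naive(t: Ticket) -> str:
    """Template with no output encoding: whatever the reporter typed is
    emitted as markup and runs in the staff member's browser."""
    return (f"<h2>#{t.ticket_id}: {t.subject}</h2>"
            f"<p>{t.body}</p>"
            f'<a href="{t.reported_url}">reported page</a>')


def safe_href(url: str) -> str:
    """Attribute context: allow only absolute http(s) URLs, then encode."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "#"          # javascript:, data:, relative junk are refused
    return html.escape(url, quote=True)


def render_ticket_safe(t: Ticket) -> str:
    """Encode for the context each value lands in: element text for subject
    and body (escape first, then add line breaks), attribute for the URL."""
    body = html.escape(t.body, quote=True).replace("\n", "<br>")
    return (f"<h2>#{t.ticket_id}: {html.escape(t.subject, quote=True)}</h2>"
            f"<p>{body}</p>"
            f'<a href="{safe_href(t.reported_url)}">reported page</a>')


# Constructed sample: a reporter who put markup in the body and a script
# URL in the "page" field, the shape of content a ticket queue must expect.
SAMPLE_TICKET = Ticket(
    ticket_id=42,
    subject="Harassment on my page <b>please help</b>",
    body="see <script>alert(1)</script>\nin the comments",
    reported_url="javascript:alert(1)",
)
```

The order in render_ticket_safe matters: the line-break substitution happens after escaping, so the only angle brackets in the output are the ones the renderer itself wrote. Attribute values get the same treatment plus a scheme allowlist, because encoding alone does nothing against a javascript: URL that is already well-formed.
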

Jim Demintia

  • Postcount ate Whippany, NJ
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: FA admin account compromised (yet again)
« Reply #37 on: December 17, 2010, 05:03:35 pm »
Quote from: loki
This is awesome.

IT'S A CHRISTMAS MIRACLE.

I wonder how far whoever's doing this is willing to take it. Because frankly, at this point, they could probably get him fired from his job. Or rather, they could create enough trouble on FA that he'd get himself fired from his job for fucking around even more than usual on the clock.

AshleyAshes

  • Posts: 86
  • E-points: +4/-14
Re: FA admin account compromised (yet again)
« Reply #38 on: December 17, 2010, 05:20:18 pm »
Is anyone else puzzled as to why FA has not been temporarily taken down to stop this in the short term?

Or maybe at least go to the server and tell it to deny access from all but a few IPs so that the admins can work on it in isolation?

They managed to shut down FAF within maybe 30mins of it being compromised after all. Considering the time they've had to play on FA today, people are lucky that FA doesn't have an easy way to delete/purge accounts.

Conan

  • Sean Piche Wannabe Club
  • Postcount ate Whippany, NJ
  • Posts: 603
  • E-points: +33/-9
  • ¯\(°_o)/¯
Re: FA admin account compromised (yet again)
« Reply #39 on: December 17, 2010, 06:36:40 pm »
Quote from: AshleyAshes
They managed to shut down FAF within maybe 30mins of it being compromised after all.

I hope a leak of the admin forums is the next thing to come out. They should have been able to grab a backup of the database if they got in vBulletin's AdminCP.