Author Topic: January 8, 2011: FA Technical Exposé  (Read 7153 times)

Eevee

Re: January 8, 2011: FA Technical Exposé
« Reply #20 on: January 12, 2011, 12:19:56 am »
the code probably still has as many holes as it did this time last month.
Confirming that FA is still completely vulnerable to the same attack that caused FAleaks.  It'd be slightly more complicated to pull off, but that's all.

u63r

Re: January 8, 2011: FA Technical Exposé
« Reply #21 on: January 12, 2011, 05:13:52 am »
Could you guys explain what you're talking about in a slightly less nerdy fashion?

Oh, who am I kidding, I know enough about webmastering to figure it out myself.

MazelTovCocktail

Re: January 8, 2011: FA Technical Exposé
« Reply #22 on: January 12, 2011, 07:49:57 pm »
Quote from: u63r
Could you guys explain what you're talking about in a slightly less nerdy fashion?

Oh, who am I kidding, I know enough about webmastering to figure it out myself.

I just narrow everything down from context to, "here's another area where the coders fucked up" and call it good.

From the sound of things, I can take solace in knowing that I'm only slightly less web coding literate than the people who actually do the coding for FA, though.
I don't like to hit little bitches with glasses, but when midgets step up, I stomp midget asses.

Pi

Re: January 8, 2011: FA Technical Exposé
« Reply #23 on: January 13, 2011, 11:20:04 am »
Quote from: dig +trace www.furaffinity.net
furaffinity.net.        172800  IN      NS      ns23.worldnic.com.
furaffinity.net.        172800  IN      NS      ns24.worldnic.com.
;; Received 119 bytes from 192.43.172.30#53(i.gtld-servers.net) in 298 ms

www.furaffinity.net.    7200    IN      A       70.33.186.196
;; Received 53 bytes from 206.188.198.12#53(ns24.worldnic.com) in 173 ms

So, they have their own router and switches, in addition to their colo facility's router and switches. They're even running a couple of BIND nameservers facing the internet (on their mailserver and their ASKCOW PROJECT MANAGEMENT server (both of which are virtual machines (so if their VM box keels over they lose dns (great job!)))).

But they aren't actually running their own DNS! Wow.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

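The delegation check Pi is doing by eye above, as an added example (editor's code, not from the post and not FA's tooling): parse the dig +trace output quoted in the post, pull out the NS set the .net servers hand out for the zone, and compare it with the nameservers the operator actually runs. The two self-hosted BIND hostnames passed in at the bottom are hypothetical placeholders, since the page never names the mail and project-management VMs; the dig text itself is the excerpt from the post. The point the script makes explicit is the one the post makes in prose: the public delegation is entirely third-party (worldnic), so the internet-facing BIND instances are exposed attack surface that nobody is ever referred to.

```python
import re
from dataclasses import dataclass, field

# The dig +trace excerpt quoted in the post above. Only the final two steps survive on
# the page (the root and .net hint steps are not shown), which is enough for the check.
DIG_TRACE = """\
furaffinity.net.        172800  IN      NS      ns23.worldnic.com.
furaffinity.net.        172800  IN      NS      ns24.worldnic.com.
;; Received 119 bytes from 192.43.172.30#53(i.gtld-servers.net) in 298 ms

www.furaffinity.net.    7200    IN      A       70.33.186.196
;; Received 53 bytes from 206.188.198.12#53(ns24.worldnic.com) in 173 ms
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")
RECV_RE = re.compile(r"^;; Received \d+ bytes from ([0-9a-fA-F.:]+)#\d+\(([^)]*)\)")


@dataclass
class TraceStep:
    """One referral or answer in a dig +trace run, closed by its ';; Received' line."""
    answered_by: str                              # name dig printed in parentheses
    answered_by_ip: str
    records: list = field(default_factory=list)   # (owner, ttl, rtype, rdata), lower-cased


def parse_dig_trace(text):
    steps, pending = [], []
    for line in text.splitlines():
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            pending.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
            continue
        m = RECV_RE.match(line)
        if m:
            ip, host = m.groups()
            steps.append(TraceStep(host, ip, pending))
            pending = []
    return steps


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def delegation_for(steps, zone):
    """NS set handed out for `zone` anywhere in the trace (parent referral or the zone itself)."""
    zone = _fqdn(zone)
    return {rd for st in steps for (owner, _t, rt, rd) in st.records
            if rt == "NS" and owner == zone}


def answers_for(steps, name, rtype):
    name = _fqdn(name)
    return [rd for st in steps for (owner, _t, rt, rd) in st.records
            if rt == rtype.upper() and owner == name]


def audit_delegation(steps, zone, self_hosted_ns):
    """Compare the public delegation with the nameservers you actually operate.

    third_party:        authoritative servers you do not run (their outage or compromise
                        is your outage or compromise)
    unused_self_hosted: servers you expose as DNS that no resolver is ever referred to,
                        i.e. attack surface with no function
    """
    delegated = delegation_for(steps, zone)
    mine = {_fqdn(h) for h in self_hosted_ns}
    return {
        "delegated": sorted(delegated),
        "third_party": sorted(delegated - mine),
        "unused_self_hosted": sorted(mine - delegated),
    }


if __name__ == "__main__":
    steps = parse_dig_trace(DIG_TRACE)
    # Hypothetical hostnames for the two BIND instances the post describes; the page
    # does not say what they are called.
    report = audit_delegation(steps, "furaffinity.net",
                              ["ns1.furaffinity.net", "ns2.furaffinity.net"])
    print("www ->", answers_for(steps, "www.furaffinity.net", "A"))
    for key, hosts in report.items():
        print(f"{key:>20}: {', '.join(hosts) or '-'}")
```

Run it against a fresh `dig +trace` rather than the pasted excerpt to check a live zone; the parser only cares about resource-record lines and the `;; Received` separators, so the root and TLD steps parse the same way.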
Pi

Re: January 8, 2011: FA Technical Exposé
« Reply #24 on: January 13, 2011, 10:30:41 pm »
I updated the article a bit to take the information provided by net-cat and otherwise dug up around here into account.

threadshitter

Re: January 8, 2011: FA Technical Exposé
« Reply #25 on: January 15, 2011, 10:54:22 am »
Quote from: Pi
Quote from: dig +trace www.furaffinity.net
furaffinity.net.        172800  IN      NS      ns23.worldnic.com.
furaffinity.net.        172800  IN      NS      ns24.worldnic.com.
;; Received 119 bytes from 192.43.172.30#53(i.gtld-servers.net) in 298 ms

www.furaffinity.net.    7200    IN      A       70.33.186.196
;; Received 53 bytes from 206.188.198.12#53(ns24.worldnic.com) in 173 ms

So, they have their own router and switches, in addition to their colo facility's router and switches. They're even running a couple of BIND nameservers facing the internet (on their mailserver and their ASKCOW PROJECT MANAGEMENT server (both of which are virtual machines (so if their VM box keels over they lose dns (great job!)))).

But they aren't actually running their own DNS! Wow.

Some of this I understand, some I don't, but from my point of view it seems really stupid to not be running a physical DNS, and given the resources they do have, less essential services should have been virtualized instead.

shitting on yo threads

Jim Demintia

Re: January 8, 2011: FA Technical Exposé
« Reply #26 on: January 15, 2011, 06:30:12 pm »
As I've said many times before, I'm not a network-type, but it seems to me that for what FA supposedly does (web site), virtualization isn't necessary, especially when you have exclusive control over the hardware, and you own it. Of course, as we've seen from the article, apparently several people get to use FA's resources for whatever personal endeavors they see fit, so FA's "purpose" isn't so singular, I guess.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Pi

Re: January 8, 2011: FA Technical Exposé
« Reply #27 on: January 20, 2011, 12:39:43 pm »
$ rpcinfo -p 70.33.186.200
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  52212  status
    100024    1   tcp  35550  status
    391002    2   tcp    643


Holy shit, SLIGHT IMPROVEMENT! They're still exposing the actual service that has had security problems, but now they're not binding as many things to it!

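What "the actual service that has had security problems" means in that listing, as an added example (editor's code, not from the post and not anything FA runs): parse the `rpcinfo -p` output quoted above, name the program numbers, and turn the result into findings and a port list. The identification of 391002 as sgi_fam (the SGI File Alteration Monitor, which rpcinfo prints unnamed when /etc/rpc does not know it) and the risk notes are the editor's, not the post's; the policy that no ONC RPC service belongs on a public interface is an editorial assumption. The input text is the listing from the post.

```python
from dataclasses import dataclass

# rpcinfo -p output as posted above for 70.33.186.200.
RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  52212  status
    100024    1   tcp  35550  status
    391002    2   tcp    643
"""

# Program numbers from the standard rpc(5) table plus 391002, the SGI File Alteration
# Monitor, which rpcinfo leaves unnamed when the local /etc/rpc does not list it.
KNOWN_PROGRAMS = {
    100000: "portmapper", 100003: "nfs", 100005: "mountd", 100011: "rquotad",
    100021: "nlockmgr", 100024: "status", 391002: "sgi_fam",
}

# Editorial policy, not from the page: ONC RPC has no business on a public interface.
# The notes say why a given service is worth losing sleep over first.
RISK_NOTES = {
    "portmapper": "lets anyone enumerate every registered RPC service (this very listing)",
    "status": "rpc.statd, the service with the exploit history the post refers to",
    "nfs": "file system exports reachable from the internet",
    "mountd": "export list and mount handles reachable from the internet",
    "sgi_fam": "desktop file-change monitor; no reason to run on a server, let alone face the net",
}


@dataclass(frozen=True)
class RpcEntry:
    program: int
    vers: int
    proto: str
    port: int
    name: str          # from rpcinfo, else KNOWN_PROGRAMS, else "unknown"


@dataclass(frozen=True)
class Finding:
    name: str
    proto: str
    port: int
    reason: str


def parse_rpcinfo(text):
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue                                  # header line or blank
        program, vers, proto, port = int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        name = fields[4] if len(fields) > 4 else KNOWN_PROGRAMS.get(program, "unknown")
        entries.append(RpcEntry(program, vers, proto, port, name))
    return entries


def ports_by_proto(entries):
    """Listening ports grouped by transport, ready for a firewall rule or an nmap -p list."""
    out = {}
    for e in entries:
        out.setdefault(e.proto, set()).add(e.port)
    return {proto: sorted(ports) for proto, ports in sorted(out.items())}


def findings(entries):
    """Every exposed program is a finding; the reason says how urgently to block it."""
    return [
        Finding(e.name, e.proto, e.port,
                RISK_NOTES.get(e.name, "unexpected RPC program; identify it and firewall it"))
        for e in entries
    ]


def nmap_followup(entries, target):
    """Version-probe exactly the ports rpcinfo revealed (nmap's T:/U: port-spec syntax)."""
    spec = ",".join(f"{proto[0].upper()}:" + ",".join(map(str, ports))
                    for proto, ports in ports_by_proto(entries).items())
    return f"nmap -sSU -sV -p {spec} {target}"


if __name__ == "__main__":
    entries = parse_rpcinfo(RPCINFO)
    for f in findings(entries):
        print(f"{f.proto}/{f.port:<5} {f.name:<11} {f.reason}")
    print(nmap_followup(entries, "70.33.186.200"))
```

The portmapper answering at all is what makes the rest of the listing free: the dynamic ports (52212, 35550, 643) would otherwise have to be found by scanning, so blocking 111/tcp and 111/udp at the border is the first rule, and removing the services is the second.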
nrr

Re: January 8, 2011: FA Technical Exposé
« Reply #28 on: January 21, 2011, 08:32:14 am »
Quote from: Jim Demintia
As I've said many times before, I'm not a network-type, but it seems to me that for what FA supposedly does (web site), virtualization isn't necessary...

I can understand if they're sticking certain infrastructure services (like mail, DNS, etc.) into their own logical containers, but the application and the database, not to mention other components that may (or, in this case, may not) comprise FA like memcache, MogileFS, et al., really don't make a whole lot of sense when run inside separate logical containers like that.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Jim Demintia

Re: January 8, 2011: FA Technical Exposé
« Reply #29 on: January 21, 2011, 02:37:47 pm »
Quote from: Jim Demintia
As I've said many times before, I'm not a network-type, but it seems to me that for what FA supposedly does (web site), virtualization isn't necessary...

Quote from: nrr
I can understand if they're sticking certain infrastructure services (like mail, DNS, etc.) into their own logical containers, but the application and the database, not to mention other components that may (or, in this case, may not) comprise FA like memcache, MogileFS, et al., really don't make a whole lot of sense when run inside separate logical containers like that.

Containers, yes. Solaris zones (I think), and Linux has some stuff along these lines. My understanding was this was VMware or some shit, which is a waste of resources, imho.

nrr

Re: January 8, 2011: FA Technical Exposé
« Reply #30 on: January 21, 2011, 06:34:04 pm »
Quote from: Jim Demintia
Containers, yes. Solaris zones (I think), and Linux has some stuff along these lines. My understanding was this was VMware or some shit, which is a waste of resources, imho.

Actually, if it were VMware, I'd be pretty happy about it.  I deal with a massive VMware ESXi infrastructure at work, and a lot of the measures that it takes to de-duplicate things in RAM are pretty sweet.  It makes (sanely) overbooking a node less of a risky proposition.

Also, when I use the word 'container' here, I typically mean 'virtual machine' or 'Solaris Zone' or 'OpenVZ container' or similar.  I tend to lump everything together in that respect.

ProvincialTwit

Re: January 8, 2011: FA Technical Exposé
« Reply #31 on: January 22, 2011, 12:24:43 am »
That would assume they bought the 'good' licensed VMWare, instead of trying to make do with the shittastic old free version.

nrr

Re: January 8, 2011: FA Technical Exposé
« Reply #32 on: January 22, 2011, 01:27:47 pm »
Quote from: ProvincialTwit
That would assume they bought the 'good' licensed VMWare, instead of trying to make do with the shittastic old free version.

If memory serves, in order to get the deduplication benefits, you need to purchase ESXi.  I don't think any version of Server has it.

Regardless, there were no assumptions: I was making some statements contrary to fact ("If it were...") and marking them off as such by using the subjunctive.  Make no mistake: I know that FA isn't competent enough to choose halfway worthwhile pieces of architecture and then, subsequently, maintain them properly.  Given their experiences with this kind of thing, even if they were to run ESXi, there's nothing preventing them from letting every single last one of their VMs balloon while also not giving a single fuck about it.  "Oh, that VM's running slow?  Wait, it's thrashing I/O!  Oh, the VM's ballooned...  :effort:"

Jim Demintia

Re: January 8, 2011: FA Technical Exposé
« Reply #33 on: January 22, 2011, 01:36:12 pm »
I've said it before, but that crowd are not "software" people. They are unlikely to spend money on it (whatever that may mean), and I kind of doubt they have the skills and experience necessary to appreciate quality software if they see it. And that's not even getting into their own remarkable inability to produce it. On the other end of things, it's easy to impress any random doofus by pointing to a blinky, shiny box and saying, "that cost five thousand dollars". So that's what they go for.

All that said, I do think some of VMware's lesser products have deduplication or something similar...I remember reading about something of that nature in Workstation. I am sure it is not as sophisticated.

Pi

Re: January 8, 2011: FA Technical Exposé
« Reply #34 on: January 24, 2011, 11:53:06 am »
I threw another nmap at them last night.

Remember what Yak said on the 19th:
<@Pi> how about you give me access to your fucking router
<@Pi> and i put in a firewall
<@Pi> and then i will shut the fuck up about your production credentials and your fucked template system and your buck-passing fucking shit for at least 24 hours
<yak[away]> we're working on redoing FA's entire networking. what is there now is legacy setup that evolved from a two server network

Basically nothing significant enough has changed for me to have cause to update either my diagram or the table in the article. Maybe I'll strike out some of the ports they did manage to close later, but this is getting dangerously close to giving them a SECOND [struck through: free security audit from a competent professional in the field] making sean piche look bad on the internet. Because that's the only possible reason I could have to be doing this, right?

Eaglebird

Re: January 8, 2011: FA Technical Exposé
« Reply #35 on: January 26, 2011, 05:36:35 pm »
I don't think you should be giving them any free anything. They haven't seen reason since the "6 years!" thread over on FAF since the dawn of time, and the situation continues on through those people they appoint for positions of power. I'm sure everyone can name a few! I hate to say it, but if they won't listen, it really seems like the attacks FA suffers aren't just nuisances, they're necessary. Watch FA:U roll around and see these problems continue to stack up. Someone will find the 2% of vulnerabilities and really give FA a whopping what-for, not simply downtime.
witty messages and annoying .gifs go here

nrr

Re: January 8, 2011: FA Technical Exposé
« Reply #36 on: January 26, 2011, 06:29:10 pm »
Quote from: Eaglebird
I don't think you should be giving them any free anything. They haven't seen reason since the "6 years!" thread over on FAF since the dawn of time, and the situation continues on through those people they appoint for positions of power. I'm sure everyone can name a few! I hate to say it, but if they won't listen, it really seems like the attacks FA suffers aren't just nuisances, they're necessary. Watch FA:U roll around and see these problems continue to stack up. Someone will find the 2% of vulnerabilities and really give FA a whopping what-for, not simply downtime.

This is largely why I just don't give a fuck anymore. I have a full-time job and a myriad of side-projects I'm trying to kick into gear, and the least of my worries really should be some furry art site that isn't all that relevant in the grand scheme of things.

MazelTovCocktail

Re: January 8, 2011: FA Technical Exposé
« Reply #37 on: January 27, 2011, 08:41:21 am »
Quote from: Eaglebird
I don't think you should be giving them any free anything. They haven't seen reason since the "6 years!" thread over on FAF since the dawn of time, and the situation continues on through those people they appoint for positions of power. I'm sure everyone can name a few! I hate to say it, but if they won't listen, it really seems like the attacks FA suffers aren't just nuisances, they're necessary. Watch FA:U roll around and see these problems continue to stack up. Someone will find the 2% of vulnerabilities and really give FA a whopping what-for, not simply downtime.

Quote from: nrr
This is largely why I just don't give a fuck anymore. I have a full-time job and a myriad of side-projects I'm trying to kick into gear, and the least of my worries really should be some furry art site that isn't all that relevant in the grand scheme of things.

That's pretty much where I'm at. 

I'm content to sit back and laugh.  Getting up-in-arms about anything that happens on FA is a waste of my energy.  If I get banned, no biggie.  If my account gets hacked and the hacker changes everything on my page to say I LIEK CAWKS, no biggie.  If FurAffinity implodes into a metaphorical black hole where a furry porn site used to be, no biggie. 

Pi

Re: January 8, 2011: FA Technical Exposé
« Reply #38 on: January 27, 2011, 09:44:35 am »
Quote from: MazelTovCocktail
I'm content to sit back and laugh.  Getting up-in-arms about anything that happens on FA is a waste of my energy.  If I get banned, no biggie.  If my account gets hacked and the hacker changes everything on my page to say I LIEK CAWKS, no biggie.  If FurAffinity implodes into a metaphorical black hole where a furry porn site used to be, no biggie.
Fair enough. I'm turning a lot of this geek rage into some shining examples for fellow geeks about how not to run things, so to that end I'm going to keep digging at FA for a bit longer. And if I get banned, they lose their free code review and security auditor. I think they know that, so I think they won't ban me very hard.

Plus, forcibly educating stupid people is something I do all day every day, so it's hard to get out of the habit.

Eaglebird

Re: January 8, 2011: FA Technical Exposé
« Reply #39 on: January 27, 2011, 11:34:46 am »
Quote from: Pi
And if I get banned, they lose their free code review and security auditor. I think they know that, so I think they won't ban me very hard.
I just hope something actually comes of it. I can be apathetic towards the whole situation but in the long run I'd actually like to see things get better. Maybe someone that can do something about FA will see, and really move to overhaul the site, or maybe someone that can do something TO FA will see, and as I mentioned already, give them a real what-for. If they're so high and mighty that downtime must be minute, then maybe serious downtime is the antidote. Still, I'd much prefer the lesser of two evils, so to speak, 'cause mass gallery deletion (with no backups!) is bad, even if it is funny.
It's unfortunate, though, that even if the site were to get fixed, the administration won't, and I think just about everyone is well aware of the need for some sort of power-check for the "~*~staff~*~". I am of the opinion that, as shoddy as FA's code could ever be, bigger problems reside in the politics that surround it all.

tl;dr if it brings positive change I'm all for it