Topic: Ratte goes postal and leaks a bunch of TOP SECRET CLASSIFIED INFORMATION

Conan

FA admin Ratte finally lost it tonight and posted several dozen screenshots of threads from the admin forums.

Quote
http://imgur.com/a/ACkFu - General FA staff threads, including the mod voting results, AUP discussion, How the "Ask a Mod" threads came to be, Various staff going on leaves of absence (this happens an awful lot), Love! having been an alt of Rigor Sardonicus, how Rhainor's hacking was handled, and many more!
http://imgur.com/a/R8tQb - Juicy stuff pertaining to Skittle, featuring Gaz!
http://imgur.com/a/bwlwI - Stuff pertaining to Deo.
http://imgur.com/a/xI3RS - Stuff pertaining to Cyanide_Tiger.
http://imgur.com/Vo9to&n2Cr6&6sgza - Stuff pertaining to Ben.
http://imgur.com/a/lX6DP - Stuff pertaining to Shay Feral.
http://imgur.com/a/pVsd6 - Clayton stuff.
http://imgur.com/a/sqRs2 - JCFynx stuff.
http://imgur.com/a/2R7GA - Pi, Eevee, and Accountability stuff.
http://imgur.com/aK9fU&nBFRC - Mr Meatballs Stuff.
http://imgur.com/G6zG7&X4dTC - Lyxen stuff.

http://i.imgur.com/J263e.jpg - Sauvignon brags about driving drunk.
http://i.imgur.com/s0lB0.jpg - Mongrel-Mutt suspended for bestiality and pedophilia.
http://i.imgur.com/47eTy.jpg - Smelge and Ainoko have a slapfight.
http://i.imgur.com/yiKg7.png - Coyotez being dumb.
http://i.imgur.com/BOeVV.png - ElizabethAlexandraMary causes the mods to question the ethics of all caps.
http://i.imgur.com/k0pq2.png - LostAngel being a creeper to Wolf-Bone.
http://i.imgur.com/beV7k.png - Sek-X being incredibly tasteless.
http://i.imgur.com/gzs2R.png - Draconas being a whiner.
http://i.imgur.com/i1c3I.png - Cerbrus displaying his lacking sense of humour.
http://i.imgur.com/ZmrYq.png - Rukh_Whitefang acts like a jackass.
http://i.imgur.com/9dGRZ.png - Redregon believes that suicide and "murdur" are the same thing.
http://i.imgur.com/vt0SQ.png - Nekomimi has a twin sister who is also a furry, believe her guys!
http://i.imgur.com/mkb8n.png - Kimor being a crybaby and complaining about Jashwa. This is also the same dude who advocates fursuit sex.
http://i.imgur.com/Ezpth.jpg - User makes pregnancy fetish thread, does not think this is inappropriate for 13 year olds.
http://i.imgur.com/EkWvV.png - Satellite One/CynicalCirno spreading anti-Palestine propaganda.
http://i.imgur.com/yMg7N.png - RayO_Gatubelo, managing to be incredibly creepy even when trying to do the opposite.
http://i.imgur.com/CGpUU.png - Wolfy2449 being an incredible moron.
http://i.imgur.com/Uf0Ba.png - GatodeCafe making a good topic.
http://i.imgur.com/SgKXg.png - 15 year old admits to fucking dogs.
http://i.imgur.com/bvYIs.png - Adroable thread from Jardad.
http://i.imgur.com/zgsgv.png - Why was Corto ever a mod again?
http://i.imgur.com/OcHwk.png - Ladyfaegassr crying about Smelge.

Out of all these threads, the one from when Rhainor's account was hacked contains some of the best information. They still, at the time, did not have *@furaffinity.net email addresses. Instead, they were being asked to sign up for Gmail with specific instructions on how to make a "secure" account.





Yak claimed in January that all staff members were going to get furaffinity email addresses. Obviously that did not happen. Also, why not just use Google Apps if they think Gmail is so much more secure?


a pigeon

In one of the screenshots, there is a link to a chatlog of Ratte talking with someone called fritter (who mentions skittle and says that skittle is friendly with Sean, presumably it's this fritter and skittles: https://forums.vivisector.org/index.php/topic,494.0.html) discussing FA:

http://pastebin.com/ZR7ZkvQZ
(in case of deletion: http://pastebin.com/1anxcLZd)

Quote
[11:53:14] Ratte: well i just wish that neer would quit being a retard when picking staff

Quote
[12:59:18] Skittle: You going to talk to 'Neer?
[12:59:31] Ratte: he never responds to me

Edit:

Ratte posted a journal about this, saying that her account was broken into (Dragoneer in the comments said she was being let go due to such having happened 3 times):

http://www.furaffinity.net/journal/2275323/

Quote from: ratte
I'm Sorry

For anything that I have done that may have caused people to dislike, for anything I have done that may have led to my accounts getting hacked into, and anything I have done that may have upset anyone.

The thread that leaked things on FAF was not my doing. I just want to say that here and now.

Everything that happened last night/this morning happened when I was asleep. I didn't find out until 8am CST, and by then it was too late.

Yes, I am upset. I really was trying to make FA a better place. I was trying my best.

Despite all of this, I have been removed from staff on the mainsite and the forums. I will never be allowed back.

I'm sorry for whatever I have done that caused the attacks on my account. I'm sorry for anything that may have been compromised because of the hacks. I'm sorry, everyone.

Whether or not FA/F was worth aiding was not my concern. I still tried, but I failed. Maybe someone else can do it, I don't know.

Sorry for everything. None of it was my doing.

Surely they will be hurting now, having been told that the sly slow hours shall not determinate the dateless limit of their exile from staff, but in the end I think it's the best thing, since being a member of staff on FA is marred by infighting, drama, tensions and other things which cause stress and can impact on one's growth as a person.
« Last Edit: April 21, 2011, 02:38:00 pm by a pigeon »
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

Jim Demintia

Yak claimed in January that all staff members were going to get furaffinity email addresses. Obviously that did not happen. Also, why not just use Google Apps if they think Gmail is so much more secure?

Google Apps is a decent suggestion, and a good balance between the competence and motivation of FA staff and "security". There are far more serious organizations using Google Apps that probably should not be, but it really does seem tailor made to a place like FA.

To be fair, honestly, mail servers are a royal pain in the ass to run. I'm not sure I'd even want to see them have to do it, sadistic as it may be.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Pi

Most of this is horrifyingly banal crap. This is what they talk about all day?
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

ColeTrain

Ratte decided to speak up about the matter in a thread that popped up on Lulz.net, and at one point Xaerun shows up as well:

http://lulz.net/furi/res/1553283.html#1553551

a pigeon

In case of deletion of the images linked to in the OP, here is a .zip containing the screencaps of the leaked staff forums threads:

http://www.megaupload.com/?d=P3BZA8XI
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

loki

That's some pretty banal stuff... and these people do it for free. I do like how they complain about Pi being mean and not giving "constructive criticism" though.

Conan

Ratte has also posted a journal, saying that this was a hacking.
Quote
For anything that I have done that may have caused people to dislike, for anything I have done that may have led to my accounts getting hacked into, and anything I have done that may have upset anyone.

The thread that leaked things on FAF was not my doing. I just want to say that here and now.

Everything that happened last night/this morning happened when I was asleep. I didn't find out until 8am CST, and by then it was too late.

Yes, I am upset. I really was trying to make FA a better place. I was trying my best.

Despite all of this, I have been removed from staff on the mainsite and the forums. I will never be allowed back.

I'm sorry for whatever I have done that caused the attacks on my account. I'm sorry for anything that may have been compromised because of the hacks. I'm sorry, everyone.

Whether or not FA/F was worth aiding was not my concern. I still tried, but I failed. Maybe someone else can do it, I don't know.

Sorry for everything. None of it was my doing.

This of course led several to question FA's security practices again. And of course, Dragoneer responded to those the best he knows how: say "We're working on it" and make vague claims that the site is in fact secure.

We're not taking the victim's fault here. We're not. But, we also can't ignore that this has happened three times, and that in the three times sensitive information has been leaked out.

If it were just once? We could work with that. But when it hits the third time...

I have nothing personally against Ratte. We have to take security seriously, far more now than ever. It's not a "blame the victim" issue but a "three times is far, far too many".

Someone else then questions the vulnerabilities of the login form
Regretfully, this decision is correct, you should pull ratte away, at least for a while.. however, you are letting others tear at your site now.. and I will be totally honest.. your site is very insecure.

I just talked to one of your admins about your login function. He claims it locks you out, yet many attempts in and I'm still staring at a login page. You are very susceptible to a brute force attack if this is the case. So please tell me I'm wrong and it's a very insecurely high number of attempts...

also, you might want to talk to pi about these attacks. then again, I'm sure you already know that.
To which he replies
It doesn't lock you out, but it has securities of its own.

And then people start asking why he ignores people offering to help the security
If FurAffinity took security seriously, why didn't anyone ever get back to Eevee, Pi, Nrr, Verix, Trapa, RainRat, _fox or myself? (I might be able to list others if I wasn't doing it just from memory)

A lot of us have offered to fix shit, and no one ever gets back to us, or it's "we can't let you have access because blah" where blah is anything from "I need to do backups" to "I can't trust you."

If this lack of motivation to fix problems was happening amongst the staff of a furry convention, people would be fired (just as I'm close to firing someone right now who has that attitude). I almost want to go to their convention just because I wonder if it's run just like the site. But alas, I'm somewhere else that weekend, good for me I guess.

It's just so frustrating that FA can't fix these problems in years and years when there's tons of people in the furry community that can do that in mere hours. It's also frustrating when you get misrepresented, ignored, mocked and belittled by the people you're trying to help for free. I had thought when I found out about the break-in in December, that the site's management might actually change course and actually fix shit, it kinda looked a little like it was going to go in that direction, but as with all changes, it floundered.

As for the changes they're promising for FAU? I'm told the new site design developer quit and all of that hasn't been touched. No one has investigated the white screens yet, and well, everything is so Top Secret... get over yourselves, I know what Top Secret is, it ain't a furry porn site.

Also, #furaffinity-dev on FurNet is where the site improvement non-discussions take place.
Henri Watson, the 13-year-old, even has a completely legitimate way to secure the admin accounts.
Look, no offense here to any of the FA staff, but there's no reason as to why FA is not using dual-factor authentication. All the staff members have a mobile, text them when they login with a code that has to be entered on the site. This kind of stuff is standard and shouldn't take long to implement assuming everyone's carrier has an email->mms gateway.
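The login exchange quoted in this post (many wrong guesses, no lockout) is the case that attempt throttling addresses. The following is an added example, not part of the thread and not FA's code: a delay-based throttle that slows guessing per account and per source address without locking the real owner out for good. The class name, parameters, thresholds and sample addresses are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Slow down password guessing without permanently locking accounts."""

    def __init__(self, free_attempts=5, base_delay=2.0, max_delay=900.0,
                 source_limit=20, window=600.0, clock=time.monotonic):
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_delay = base_delay        # first delay (s); doubles per extra failure
        self.max_delay = max_delay          # cap, so the owner is never locked out for good
        self.source_limit = source_limit    # failures allowed per source per window
        self.window = window                # sliding window length (s)
        self.clock = clock
        self._account = {}                  # username -> (consecutive failures, last failure time)
        self._source = defaultdict(list)    # source address -> failure timestamps

    def retry_after(self, username, source):
        """Seconds to wait before the next password check (0.0 means go ahead)."""
        now = self.clock()
        failures, last = self._account.get(username, (0, 0.0))
        over = failures - self.free_attempts
        account_wait = 0.0
        if over >= 0:
            delay = min(self.base_delay * 2 ** over, self.max_delay)
            account_wait = max(0.0, last + delay - now)
        # The per-source window catches one client trying many usernames.
        recent = [t for t in self._source[source] if now - t < self.window]
        self._source[source] = recent
        source_wait = 0.0
        if len(recent) >= self.source_limit:
            source_wait = recent[-self.source_limit] + self.window - now
        return max(account_wait, source_wait)

    def attempt(self, username, source, check):
        """check() verifies the password; it is not called while throttled."""
        wait = self.retry_after(username, source)
        if wait > 0:
            return "throttled", wait
        if check():
            self._account.pop(username, None)   # success resets the account counter
            return "ok", 0.0
        failures, _ = self._account.get(username, (0, 0.0))
        now = self.clock()
        self._account[username] = (failures + 1, now)
        self._source[source].append(now)
        return "denied", 0.0


class FakeClock:
    """Deterministic clock so the scenario below does not need to sleep."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def guesses_checked(throttle, clock, usernames, source, seconds):
    """Constructed scenario: one wrong guess per second, cycling through
    usernames. Returns how many guesses reached the password check."""
    checked = 0
    for t in range(seconds):
        clock.now = float(t)
        name = usernames[t % len(usernames)]
        outcome, _ = throttle.attempt(name, source, lambda: False)
        checked += outcome != "throttled"
    return checked


if __name__ == "__main__":
    clock = FakeClock()
    n = guesses_checked(LoginThrottle(clock=clock), clock, ["admin"], "203.0.113.7", 3600)
    print("guesses checked in one hour:", n)
```

Without the throttle the same client would get 3600 guesses in that hour; the state here lives in process memory, so a multi-server deployment would need a shared store.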



Freehaven

Ratte has also posted a journal, saying that this was a hacking.

To which everyone immediately started thinking, "bullshit".

I have nothing personally against Ratte. We have to take security seriously, far more now than ever. It's not a "blame the victim" issue but a "three times is far, far too many".

ONE TIME IS ONE TIME TOO MANY. You should have been working on securing your shit after the first hack job, Piche.

If FurAffinity took security seriously, why didn't anyone ever get back to Eevee, Pi, Nrr, Verix, Trapa, RainRat, _fox or myself? (I might be able to list others if I wasn't doing it just from memory)

They have minds of their own, that's why.

Look, no offense here to any of the FA staff, but there's no reason as to why FA is not using dual-factor authentication.

Yes there is: Piche and his team of cocksucking sycophants are lazy.

Jim Demintia

Look, no offense here to any of the FA staff, but there's no reason as to why FA is not using dual-factor authentication.

Yes there is: Piche and his team of cocksucking sycophants are lazy.

That quote is even more lol when you click through and find out who it's from. Does he even know what he means when he uses those words "dual-factor authentication"?
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

nrr

That quote is even more lol when you click through and find out who it's from. Does he even know what he means when he uses those words "dual-factor authentication"?

I don't know, but after reading the literature on how short messaging services work on the major mobile implementations, I'm actually really leery to suggest using SMS as another authentication factor.  In fact, I'd be more up to using something like X.509 certificates on smart cards or similar.  Assuming that this infrastructure only needs to be rolled out to 20-30 people, the USB readers for smart cards aren't terribly expensive (nor are the cards themselves), and everything for the most part works as described on the tin on every OS I've ever touched.

Furthermore, most smart card manufacturers ship their cards blank so that you can use a retransfer printer to print yiffy furry artwork on them.  Win?
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Jim Demintia

Pretty much anything you do that isn't a complete joke is going to require some money spent on the part of the site. And not a one-time license fee either. You can't send SMS messages to just anyone without hooking into the telco network for that. And I'm pretty sure they charge for that. Some providers have email gateways, but they are specific to a particular carrier. Others don't have any mechanical way to send SMS (other than the above mentioned network) and others still control for spam or let users turn them off entirely. Getting a 5-digit "short code" is, I know, $500 a month. Which makes the spam that's recently been coming that way a bit of a mystery, but whatever.

And then it would require changes to the site code, which is never going to happen. Ultimately, all of this is really to protect the admins and Princess Piche himself, as the average furry has very little of value within their FA account. Journals, watchlists...stuff that's already all public. The only people who end up losing anything in these leaks are popular artists and site admins. And if you think sending a one-time SMS code to FA users to log in (something that would actually incur significant cost for some people who do not have unlimited SMS) is going to stop leaks, you're looking at the problem wrong.

But the point of my post was that HenriW understands none of this and is just saying that because he read the phrase somewhere. He's a dumb kid; that's what kids do. Even if he were serious, there's no way in hell there's ever going to be any overhaul of the auth system on that level. Anyone who's seen the last few years of FA should know that.

You do look at Dragoneer's comments in that journal though and you really get the idea that all these months later, he hasn't done anything meaningful about security and more disturbingly, he doesn't know what to do and doesn't know how to find out. Of course, there is always banning/firing people who he sees as being involved in a specific incident. It's actually kind of amazing, if you consider the severity of what's happened to FA in the last six months. I guess there's always the possibility that the site could finally be destroyed—I'd have said "no way", but then look at what happened to ED. The site's continued existence is basically contingent on Sean Piche's continued employment and financial well being, both of which it has been demonstrated he plays fast and loose with. If he finally got fired for being a lazy ass at work, or if he got kicked out of his apartment, got sick...the possibilities are endless, FA would be gone within months.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

nrr

Even if he were serious, there's no way in hell there's ever going to be any overhaul of the auth system on that level. Anyone who's seen the last few years of FA should know that.

Indeed.  Details aside, this is the crux of the whole issue.

That said, I was illustrating more that HenriW has this slight obsession with phones without quite understanding how modern mobile telephony works, let alone not quite understanding how trust works in the context of information security.  He has half a clue, but he hasn't quite gotten to the point, e.g., to verify that his assumptions hold.

You do look at Dragoneer's comments in that journal though and you really get the idea that all these months later, he hasn't done anything meaningful about security and more disturbingly, he doesn't know what to do and doesn't know how to find out.

Worse, he's sheltered himself from the few people in the community who know a thing or two about how this whole information security thing works.

The site's continued existence is basically contingent on Sean Piche's continued employment and financial well being, both of which it has been demonstrated he plays fast and loose with. If he finally got fired for being a lazy ass at work, or if he got kicked out of his apartment, got sick...the possibilities are endless, FA would be gone within months.

Quoted for truth.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Pi

HenriW has this slight obsession with phones without quite understanding how modern mobile telephony works, let alone not quite understanding how trust works in the context of information security.  He has half a clue, but he hasn't quite gotten to the point, e.g., to verify that his assumptions hold.

this is a thing that happens when you're 13 fucking years old and have no experience with the real world.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

That said, I was illustrating more that HenriW has this slight obsession with phones

Mass market smartphones are about the worst freaking thing to happen since video games, in terms of the reasons people get into computers. Seems like as I go through school I hear it all the freaking time, "hurr, I wanna design video games!" but they can't even figure out how to sort a list in C++ for their intro programming course. Start talking about linked lists and memory organization and suddenly the classes are a lot thinner.

Next, it's gonna be "I'm gonna sell apps when I grow up, durr!"

Worse, he's sheltered himself from the few people in the community who know a thing or two about how this whole information security thing works.

Heh, not to make myself persona non grata here, but to be fair, I know people who do infosec irl, and they tend to be crazy a different breed. Yeah, let's put it that way.

I think most of the industry understands that that's just the nature of the beast, and that security is not an optional thing, but Piche is petty enough to let personalities dominate instead of putting the good of FA ahead of his own paranoia.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

ProvincialTwit

I think most of the industry understands that that's just the nature of the beast, and that security is not an optional thing, but Piche is petty enough to let personalities dominate instead of putting the good of FA ahead of his own paranoia.

And there's your absolute proof that it's not about "The community", and it never was.  It's about Sean Piche and his ego/internet cred.  If it were REALLY about 'the community', he'd swallow his pride, bite his tongue, and ask for help.

Granted at this point he's not likely to get any real help, at least not from the fags who hang out here.

loki

What's a 13 year old doing on a furry porn site anyways? Where the hell are his parents?

Anyways, they could just use RSA authentication - hell the tokens cost a fair amount of money and they love spending money so that would work out brilliantly....

Jim Demintia

Anyways, they could just use RSA authentication - hell the tokens cost a fair amount of money and they love spending money so that would work out brilliantly....

What, haha, SecurID? Oh, man, my dad had one of those way back in the '90s,  dialing up through some dumb AT&T VPN software to access MS Exchange. The patent on those has to be long expired...and they're still costly? That's like, what $10 in parts in one of those things? If that?

Shit...they have open source systems that have soft tokens for smartphones. Since we all know furries love getting shiny, expensive cell phones, that shouldn't be a problem, right?
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

ColeTrain

Someone on Lulz.net brought up one comment on Ratte's journal, basically pointing out that the whole hack could be an inside work - that one of the admins (Lulzians believe it's Witchiebunny) sabotaged Ratte and messed with her account, then posted the screenshots, putting the blame on her. Knowing the reputation of FA's mods I wouldn't wonder if one of them really did that - especially Witchie.

ProvincialTwit

I'm just gonna sit here and cackle for a while.