> Ya know, I used to give the benefit of the doubt to the admins, but I simply can't anymore.

that's understandable, but you need to realize that everyone makes mistakes. if the admins happen to be at fault for this and aren't telling the whole story, then they made a mistake and it's fine that they did - the mistake is awful, but it's normal for someone to fuck up - surely you aren't perfect. surely you've made a small error. and if you haven't ever made a mistake, then I'll be damned.
> things honestly have gotten better: the site got a new look that actually works, a lot of subtle differences, and not having to raise funds all the time... changes take time sadly; just cause we don't see it doesn't mean it's not happening

I'm sure they have tons of stuff in the works - just because it's not happening *right now* doesn't mean it won't ever happen. I always thought people should have more faith in the administrators, even if a lot of the time they've shown themselves to be not only incompetent but almost patronizing. Still. They're only human, and I mean that - I sincerely doubt the biggest of Dragoneer's haters have made any fewer mistakes than he has. It's just easier to point fingers when someone's mistakes involve being broadcast to thousands of people, as well as businesses (although if you run a business off of a website known for its instability, you should have the brains to back up your info.)
> Ya know, I used to give the benefit of the doubt to the admins, but I simply can't anymore.

I'm with you on this one. Sure, folks screw up from time to time, but this is major. Does no one check for security exploits at any time during development?
> They do back up their info; they just don't have the resources to do it every single day.

I dunno man, it only takes a couple of minutes to screenshot some notes and save it. I know there's even a screenshot keystroke on Macs and PCs that will save it to a designated folder, I just don't remember what it is (PrintScreen does just fine for me.) That option only takes seconds of your time. Hardly any necessary "resources", and if you're a business with any respect for your customers, you should probably make it a habit not to lose valuable information.
> that's understandable, but you need to realize that everyone makes mistakes. if the admins happen to be at fault for this and aren't telling the whole story, then they made a mistake and it's fine that they did - the mistake is awful, but it's normal for someone to fuck up - surely you aren't perfect. surely you've made a small error. and if you haven't ever made a mistake, then I'll be damned.

I would agree with you except this is no "small mistake." This is a massive mistake that has opened many users to potential security risks on their accounts. Sure, passwords etc. are safe now, but next time? Who knows? Security needs to be checked on a regular basis. Period.
sure the admins have fucked us over before, but have some faith in them. it's going to take time, probably years for FA to be stable and have decent security. we don't have the income that other websites do.
> They use an exploit to presumably run a command on the server, which would copy the site code back to the attacker, who is free to do whatever they want with it.

I know. But what gets me worried is that there are also possibly USBs still out there as well, with the site's code on them. I mean, why do that to the site, then pass out USBs to others at a convention too? It's like saying: "...here's a free site to use for your purpose."
> It was brought to our attention last night (May 16) that someone had obtained a copy of Fur Affinity's source code via the recent “ImageTragick” exploit in the ImageMagick library (a common server-side image processing software). This exploit was patched earlier in this month, but not before a malicious user was able to download a copy of our source code, and later actively distributed it via USB drives at a convention.

Having access to the source shouldn't be a problem. Auguste Kerckhoffs in 1883 told us to expect that any attacker "knows the system" (to quote/paraphrase Claude Shannon's later restatement of Kerckhoffs' desideratum). Thus, having access to the site sources should not be a problem. Look at the Linux kernel and utilities, and at the different BSDs. Especially look at OpenBSD, which is probably the most secure of the UNIX-likes out there right now. All the source is freely available and readable by anyone, and OpenBSD in particular has had very, very few exploits.
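The mitigation the ImageTragick advisory recommended for sites like the one above was to check the leading bytes of every upload before handing it to ImageMagick, since the exploit depended on a text-based ImageMagick format (MVG/MSL) arriving under an innocent image extension. The following is an added example of that check, not code from the thread or from Fur Affinity; the sample inputs are constructed.

```python
# Added example (not from the thread or Fur Affinity's code): decide by content,
# not by file name, whether an upload may be passed to an image processor.
import os
from typing import Optional, Tuple

# Leading bytes ("magic") for the raster formats an upload endpoint usually accepts.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Which declared extensions map to which real format.
EXT_TO_KIND = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes match, or None for unknown data."""
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def is_acceptable_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only the bytes decide; the extension is
    checked merely for consistency with them, so MVG/MSL text named *.png
    never reaches ImageMagick's coder selection."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXT_TO_KIND:
        return False, f"extension {ext!r} is not an accepted image type"
    actual = sniff(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if actual != EXT_TO_KIND[ext]:
        return False, f"content is {actual} but was uploaded as {ext}"
    return True, "ok"


# Constructed sample inputs: a PNG header, and harmless MVG text (the format the
# exploit abused) uploaded under a .png name, which the check must reject.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_PNG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in (("avatar.png", GOOD_PNG), ("avatar.png", FAKE_PNG)):
        print(name, is_acceptable_upload(name, blob))
```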
> We are also working to restore the deleted data. Our most recent full backup is from May 11, so approximately 6 days' worth of new user registrations, account watches, and new submissions have been lost due to the attack. We are still trying to evaluate the scope of the attack.

I work with PDP-11s (as a hobby), and both RSX-11M+'s BRU and RSTS/E's duo of BACKUP and RESTORE support incremental backups; this is a technology from the 70s. Why does FA not run a nightly incremental to go along with the full backup? I hate calling you out on that, but honestly it's not a terrifyingly complex idea to have incrementals. We do them at my workplace on our Autodesk Vault (must protect the CAD files at all costs), and we run the incrementals twice daily alongside a full dump at week's end.
> Right now I'm in Las Vegas, and at the Mandalay Bay casino (we went there for the shark reef) there is a hacker convention going on right now. It's called "hack-a-thon" I think. I thought it would be a white hat convention, but now I'm not so sure. Do you think it could be THIS convention where the hack started, or was distributed?
>
> If so, should I go there and investigate?

Computer security conventions — "hacker conventions" — are a perfectly normal thing, and don't involve actually hacking websites and systems, since that's illegal. They discuss exploits and how to fix them. At least that's the experience I've had with them. There are some which have "hackathons" as you mentioned, where the con goers can hack a system provided just for that purpose. CanSecWest up here in Canada famously has "Pwn2Own", where the first con goer to hack ("pwn") a system is given it.
> ...a hacker convention? Why wouldn't the police be monitoring that? I mean, hackers can only be good, right? Pfff.

Yeah, most computer security cons (that aren't tiny, podunk affairs) have some people there from various agencies. The NSA famously attends Black Hat and Def Con, and even recruits from those conventions. Hell, they've even presented before.
Just for safe measure, it wouldn't hurt to stroll through there. Dunno much about conventions; they let almost anyone in, right? For all we know there's probably a few fur-hackers out there who got word of it.
> I just realized... whatever happened to the "read-only" caches that got deployed during routine server maintenance?

They still do that, but this isn't server maintenance that's being done. They are repairing broken code and testing the security at the moment.
I'm not going to pretend to know a god damn thing about servers or website security, but this is on the very first page of this thread:

> I'm with you on this one. Sure, folks screw up from time to time, but this is major. Does no one check for security exploits at any time during development?
> I'm with you on this one. Sure, folks screw up from time to time, but this is major. Does no one check for security exploits at any time during development?

The site was developed a decade ago. During that time, hacking and site coding have changed exponentially. They would have to rewrite the entire site to fix a lot of the holes and issues in the code today.
Aw, it's too bad we can't turn this thread into a fun party meeting thing.
> I know. But what gets me worried is that there are also possibly USBs still out there as well, with the site's code on them. I mean, why do that to the site, then pass out USBs to others at a convention too? It's like saying: "...here's a free site to use for your purpose."

If the code is secure, it really shouldn't matter. Look at Linux: the code is all available for anyone to look at, and it's going along just fine.
Like a blunt hit to the head, but with a sharp point to leave a scratch. This attack angers me and upsets me very much more than most, because I've been a secret furry fan for a while, then recently made that secret open to a few trustworthy friends, and to a few family members. I mean, that is like saying the attack is towards us furries, and that our main site is like a trashy get-together for us, and just an excuse to be here. It's very disconcerting to see this happen and not even know who exactly the culprit is for causing this from the start.
First time posting here. I just created an account to do it. Though I've lurked for a long while...
As an idea, to make the site's codebase better in general, why does FA not open source development of their code? It's a proven model for creating working — safe — code; just look at Theo de Raadt's OpenBSD project (which is where OpenSSH, among other software, comes from).
> Holy shit, this hasn't even been going on that long, and we already have 27 pages on this thread alone lol.

It's been down for over 12 hours at this point.
> Yeah, but we're not talking about screenshotting a few notes. We're talking about accessing and copying terabytes upon terabytes' worth of data. That's not a quick thing, and with the hardware that they have available (which they lack the resources to adequately upgrade), they wouldn't be able to do that every day without making the site prohibitively slow.

Nah, I was talking about the businesses, dude. It should have been obvious. I am not braindead enough to think you can screenshot the entirety of a website as big as FA. Why would I even mention respect for customers? We don't pay FA anything for this. Which is another reason people should be a little more forgiving.
> Yea, but FA doesn't have the same coders that Linux does lol

If FA open sourced it, or allowed the community to help in some way (obviously with approval before code is pushed to prod), then it could be on par with Linux.