
5/17 Site Attack


Horsefur

Mountain Mew
Look at the bright side...at least the forum will get more than 10 page views per day because of this.
 

Mitsuketa

kanan matsuura
Ya know i used to give the benefit of the doubt to the admins, but I simply can't anymore.
that's understandable but you need to realize that everyone makes mistakes. if the admins happen to be at fault for this and aren't telling the whole story, then they made a mistake and it's fine that they did - the mistake is awful but it's normal for someone to fuck up - surely you aren't perfect. surely you've made a small error. and if you haven't ever made a mistake, then i'll be damned.
sure the admins have fucked us over before, but have some faith in them. it's going to take time, probably years for FA to be stable and have decent security. we don't have the income that other websites do.
 

Rythas

Squeaky Angel Durgon
I know nobody will, but go read all of the pages before this ;) Plenty of answers have been said already, you just have to look. Someone pointed out earlier as well that website handling has been a lot better than it was before, which is cool to hear.
 

SGRedAlert

Member
things honestly have gotten better. the site got a new look that actually works and a lot of subtle differences, and not having to raise funds all the time... changes take time sadly, just cause we don't see it doesn't mean it's not happening
I'm sure they have tons of stuff in the works - just because it's not happening *right now* doesn't mean it won't ever happen. I always thought people should have more faith in the administrators, even if a lot of the time they've shown themselves to not only be incompetent but almost patronizing. Still. They're only human, and I mean that - I sincerely doubt the biggest of Dragoneer's haters have made any fewer mistakes than he has. It's just easier to point fingers when someone's mistakes involve being broadcast to thousands of people, as well as businesses (although if you run a business off of a website known for its instability, you should have the brains to back up your info.)
 

supersonicbros23

Appearance: unoriginal; Personality: out to lunch
I just realized... what ever happened to the "read-only" caches that got deployed during routine server maintenance?
 

deragorka

Dragon.rar
Ya know i used to give the benefit of the doubt to the admins, but I simply can't anymore.
I'm with you on this one. Sure folks screw up from time to time, but this is major. Does no one check security exploits at any time during development?
 

AliothFox

That High-Flyin' Foxy
I'm sure they have tons of stuff in the works - just because it's not happening *right now* doesn't mean it won't ever happen. I always thought people should have more faith in the administrators, even if a lot of the time they've shown themselves to not only be incompetent but almost patronizing. Still. They're only human, and I mean that - I sincerely doubt the biggest of Dragoneer's haters have made any fewer mistakes than he has. It's just easier to point fingers when someone's mistakes involve being broadcast to thousands of people, as well as businesses (although if you run a business off of a website known for its instability, you should have the brains to back up your info.)

They do back up their info; they just don't have the resources to do it every single day.
 

SGRedAlert

Member
They do back up their info; they just don't have the resources to do it every single day.
I dunno man, it only takes a couple of minutes to screenshot some notes and save it. I know there's even a screenshot keystroke on Macs and PCs that will save it to a designated folder, I just don't remember what it is (PrintScreen does just fine for me.) That option only takes seconds of your time. Hardly any necessary "resources", and if you're a business with any respect for its customers, you should probably make it a habit not to lose valuable information.
 

deragorka

Dragon.rar
that's understandable but you need to realize that everyone makes mistakes. if the admins happen to be at fault for this and aren't telling the whole story, then they made a mistake and it's fine that they did - the mistake is awful but it's normal for someone to fuck up - surely you aren't perfect. surely you've made a small error. and if you haven't ever made a mistake, then i'll be damned.
sure the admins have fucked us over before, but have some faith in them. it's going to take time, probably years for FA to be stable and have decent security. we don't have the income that other websites do.
I would agree with you except this is no "small mistake." This is a massive mistake that has opened many users to potential security risks on their accounts. Sure passwords etc. are safe now, but next time? Who knows? Security needs to be checked on a regular basis. Period.
 

KaiyaShadowBlaze

New Member
They use an exploit to presumably run a command on the server, which would copy the site code back to the attacker, who is free to do whatever they want with it.
I know. But what gets me worried is that there are also USBs still out there, possibly, with the site's code on them. I mean why do that to the site, then pass out USBs to others at a convention too? It's like saying: "...here's a free site to use for your purpose."

Like a blunt hit to the head, but with a sharp point to leave a scratch. This attack angers and upsets me very much more than most, because I've been a secret furry fan for a while, then recently made that secret open to a few trustworthy friends, and to a few family members. I mean that is like saying the attack is towards us furries, and that our main site is like a trashy get together for us, and just an excuse to be here. It's very disconcerting to see this happen and not even know who exactly the culprit is for chasing this from the start.
 
First time posting here. I just created an account to do it. Though I've lurked for a long while...

It was brought to our attention last night (May 16) that someone had obtained a copy of Fur Affinity's source code via the recent “ImageTragick” exploit in the ImageMagick library (a common server-side image processing software). This exploit was patched earlier in this month, but not before a malicious user was able to download a copy of our source code, and later actively distributed it via USB drives at a convention.
Having access to the source shouldn't be a problem. Auguste Kerckhoffs in 1883 told us to expect that any attacker "knows the system" (to quote/paraphrase Claude Shannon's later restatement of Kerckhoffs's desideratum). Thus, having access to the site sources should not be a problem. Look at the Linux kernel and utilities, and at the different BSDs. Especially look at OpenBSD, which is probably the most secure of the UNIX-like systems out there right now. All the source is freely available and readable to anyone, and OpenBSD in particular has had very, very few exploits.


We are also working to restore the deleted data. Our most recent full backup is from May 11, so approximately 6 days worth of new user registrations, account watches, and new submissions have been lost due to the attack. We are still trying to evaluate the scope of the attack.
I work with PDP-11s (as a hobby), and both RSX-11M+ BRU and RSTS/E's duo of BACKUP and RESTORE support incremental backups; this is a technology from the 70s. Why does FA not run a nightly incremental to go along with the full backup? I hate calling you out on that, but honestly it's not a terrifyingly complex idea to have incrementals. We do them at my workplace on our Autodesk Vault (must protect the CAD files at all costs), and we run the incrementals twice daily alongside a full dump at week's end.


Right now I'm in Las Vegas and at the Mandalay Bay casino (we went there for the shark reef) there is a hacker convention going on right now. It's called "hack-a-thon" I think. I thought it would be a white hat convention but now I'm not so sure. Do you think it could be THIS convention where the hack started, or was distributed?
If so, should I go there and investigate?
Computer security conventions — "hacker conventions" — are a perfectly normal thing, and don't involve actually hacking websites and systems, since that's illegal. They discuss exploits and how to fix them. At least that's the experience I've had with them. There are some which have "hackathons" as you mentioned, where the con goers can hack a system provided just for that purpose. CanSecWest up here in Canada famously has "Pwn2Own", where the first con goer to hack ("pwn") a system is given it.


...a hacker convention? Why wouldn't the police be monitoring that? I mean hackers can only be good right? Pfff.
Just for safe measure, it wouldn't hurt to stroll through there. Dunno much about conventions, they let almost anyone in right? For all we know there's probably a few fur-hackers out there who got word of it.
Yeah, most computer security cons (that aren't tiny, podunk affairs) have some people there from various agencies. The NSA famously attends Black Hat and Def Con, and even recruits from those conventions. Hell, they've even presented before.




As an idea, to make the site's codebase better in general, why does FA not open source development of their code? It's a proven model for creating working — safe — code; just look at Theo de Raadt's OpenBSD project (which is where OpenSSH, among other software, comes from).

EDIT: Forgot some text after I made my point about Kerckhoffs's Principle.
 
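The full-plus-incremental backup scheme the post above argues for, worked through as an added Python example (an illustration written for this thread, not FA's code and not the poster's): one full backup captures every file, each nightly incremental stores only the files whose content hash changed since the previous backup plus a list of deletions, and restoring to a point in time replays the full backup and then every incremental up to that point. Everything runs on in-memory dicts so it works offline; the file names, contents and date labels in simulate_week are constructed to mirror a May 11 full backup and the days of uploads that follow it, and the names _digest, Backup, full_backup, incremental_backup, restore and simulate_week are all chosen here.

```python
import hashlib
from dataclasses import dataclass, field


def _digest(data: bytes) -> str:
    """Content hash used to decide whether a file changed since the last backup."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Backup:
    kind: str          # "full" or "incremental"
    label: str         # constructed date label such as "05-11"
    files: dict        # path -> bytes captured in this backup only
    deleted: set = field(default_factory=set)      # paths removed since the previous backup
    manifest: dict = field(default_factory=dict)   # path -> digest of the whole tree after this backup


def full_backup(tree: dict, label: str) -> Backup:
    """Capture every file; the manifest records the digest of the whole tree."""
    manifest = {path: _digest(data) for path, data in tree.items()}
    return Backup("full", label, dict(tree), set(), manifest)


def incremental_backup(tree: dict, previous: Backup, label: str) -> Backup:
    """Capture only files whose digest differs from the previous backup's manifest,
    and record paths that disappeared, so the chain reproduces deletions too."""
    changed = {path: data for path, data in tree.items()
               if previous.manifest.get(path) != _digest(data)}
    deleted = set(previous.manifest) - set(tree)
    manifest = {path: _digest(data) for path, data in tree.items()}
    return Backup("incremental", label, changed, deleted, manifest)


def restore(chain: list) -> dict:
    """Replay a full backup followed by its incrementals, then verify the result
    against the manifest of the last backup in the chain. A missing or damaged
    incremental in the middle of the chain shows up here as a manifest mismatch."""
    if not chain or chain[0].kind != "full":
        raise ValueError("restore chain must start with a full backup")
    state = {}
    for backup in chain:
        for path in backup.deleted:
            state.pop(path, None)
        state.update(backup.files)
    actual = {path: _digest(data) for path, data in state.items()}
    if actual != chain[-1].manifest:
        raise ValueError("restored tree does not match manifest of " + chain[-1].label)
    return state


def simulate_week() -> tuple:
    """Constructed scenario: full backup on 05-11, one new submission per day,
    a nightly incremental each evening, data loss discovered on 05-16.
    Returns (files recoverable with incrementals, files recoverable from the full alone)."""
    tree = {"submissions/0011.png": b"constructed PNG bytes 11"}
    chain = [full_backup(tree, "05-11")]
    for day in range(12, 17):
        tree[f"submissions/00{day}.png"] = f"constructed PNG bytes {day}".encode()
        chain.append(incremental_backup(tree, chain[-1], f"05-{day}"))
    with_incrementals = restore(chain)
    full_only = restore(chain[:1])
    return len(with_incrementals), len(full_only)


if __name__ == "__main__":
    recovered, without = simulate_week()
    print(f"with nightly incrementals: {recovered} files; full backup only: {without} files")
```

Each incremental holds only that day's changes, so the nightly cost is proportional to what changed rather than to the whole site, which is the point the post makes about the PDP-11 era tools. The manifest check in restore is what turns a gap in the chain into a loud error instead of a silently older tree, and it only helps if the backups are kept somewhere the account that deleted the live data could not also reach.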

AliothFox

That High-Flyin' Foxy
I'm with you on this one. Sure folks screw up from time to time, but this is major. Does no one check security exploits at any time during development?

Your security can be as tight as a drum, but when someone obtains a big piece of the source code (and goodness only knows what else) through an exploit that they *thought* they closed back on the 5th, the best security can only go so far. Sony has been hacked. Microsoft has been hacked. Websites get hacked - it happens. I'm honestly surprised at how well FA actually *does* manage to weather all the attacks, considering how little they have to work with in terms of hardware and other resources. I think the code is in need of some updates, but rewriting an entire site code isn't something that can be done easily or quickly. This is major, but it's not the end of the world.
 

SGRedAlert

Member
I'm with you on this one. Sure folks screw up from time to time, but this is major. Does no one check security exploits at any time during development?
I'm not going to pretend to know a god damn thing about servers or website security but this is on the very first page of this thread;
"The exploit in question was not with FA's code but with a plugin called ImageMagick. Once we were made aware of the vulnerability it was patched, but were not aware that the source code had been leaked at that time." (from Dragoneer.)
 

Bourbon.

Member
I'm with you on this one. Sure folks screw up from time to time, but this is major. Does no one check security exploits at any time during development?
The site was developed a decade ago. During that time, hacking and site coding has changed exponentially. They would have to rewrite the entire site to fix a lot of the holes and issues in the code today.
 

AliothFox

That High-Flyin' Foxy
I dunno man, it only takes a couple of minutes to screenshot some notes and save it. I know there's even a screenshot keystroke on Macs and PCs that will save it to a designated folder, I just don't remember what it is (PrintScreen does just fine for me.) That option only takes seconds of your time. Hardly any necessary "resources", and if you're a business with any respect for its customers, you should probably make it a habit not to lose valuable information.

Yeah, but we're not talking about screenshotting a few notes. We're talking about accessing and copying terabytes upon terabytes' worth of data. That's not a quick thing, and with the hardware that they have available (which they lack the resources to adequately upgrade), they wouldn't be able to do that every day without making the site prohibitively slow.
 

ZX6R

Member
I know. But what gets me worried is that there are also USBs still out there, possibly, with the site's code on them. I mean why do that to the site, then pass out USBs to others at a convention too? It's like saying: "...here's a free site to use for your purpose."

Like a blunt hit to the head, but with a sharp point to leave a scratch. This attack angers and upsets me very much more than most, because I've been a secret furry fan for a while, then recently made that secret open to a few trustworthy friends, and to a few family members. I mean that is like saying the attack is towards us furries, and that our main site is like a trashy get together for us, and just an excuse to be here. It's very disconcerting to see this happen and not even know who exactly the culprit is for chasing this from the start.
If the code is secure, it really shouldn't matter. Look at Linux, the code is all available for anyone to look at and it's going along just fine.
 

Huskehn

New Member
(image attachment: 2QWt4Al.jpg)
 

reptile logic

An imposter among aliens.
First time posting here. I just created an account to do it. Though I've lurked for a long while...


Having access to the source shouldn't be a problem. Auguste Kerckhoffs in 1883 told us to expect that any attacker "knows the system" (to quote/paraphrase Claude Shannon's later restatement of Kerckhoffs's desideratum).



I work with PDP-11s (as a hobby), and both RSX-11M+ BRU and RSTS/E's duo of BACKUP and RESTORE support incremental backups; this is a technology from the 70s. Why does FA not run a nightly incremental to go along with the full backup? I hate calling you out on that, but honestly it's not a terrifyingly complex idea to have incrementals. We do them at my workplace on our Autodesk Vault (must protect the CAD files at all costs), and we run the incrementals twice daily alongside a full dump at week's end.



Computer security conventions — "hacker conventions" — are a perfectly normal thing, and don't involve actually hacking websites and systems, since that's illegal. They discuss exploits and how to fix them. At least that's the experience I've had with them. There are some which have "hackathons" as you mentioned, where the con goers can hack a system provided just for that purpose. CanSecWest up here in Canada famously has "Pwn2Own", where the first con goer to hack ("pwn") a system is given it.



Yeah, most computer security cons (that aren't tiny, podunk affairs) have some people there from various agencies. The NSA famously attends Black Hat and Def Con, and even recruits from those conventions. Hell, they've even presented before.




As an idea, to make the site's codebase better in general, why does FA not open source development of their code? It's a proven model for creating working — safe — code; just look at Theo de Raadt's OpenBSD project (which is where OpenSSH, among other software, comes from).

Are you volunteering your services, or just trying to educate the masses? Speaking for myself only, I have no idea what you're talking about. Then again I freely admit my ignorance and general lack of interest in all things computer. Perhaps you should PM an admin or two and get more directly involved in the process. All it will take is some of your time and effort. Do you have any to spare?
 

Yukkie

Guest
Holy shit, this hasn't even been going on that long, and we already have 27 pages on this thread alone lol.
 

Bourbon.

Member
Holy shit, this hasn't even been going on that long, and we already have 27 pages on this thread alone lol.
It's been down for over 12 hours at this point.

It's mostly people engaging in discussion and speculation on who would be behind this.
 

SGRedAlert

Member
Yeah, but we're not talking about screenshotting a few notes. We're talking about accessing and copying terabytes upon terabytes' worth of data. That's not a quick thing, and with the hardware that they have available (which they lack the resources to adequately upgrade), they wouldn't be able to do that every day without making the site prohibitively slow.
Nah, I was talking about the businesses, dude. It should have been obvious. I am not braindead enough to think you can screenshot the entirety of a website as big as FA. Why would I even mention respect for customers? We don't pay FA anything for this. Which is another reason people should be a little more forgiving.
 