5/17 Site Attack
- Thread starter Dragoneer
- Start date
- Status
Mitsuketa
kanan matsuura
that's understandable but you need to realize that everyone makes mistakes. if the admins happen to be at fault for this and aren't telling the whole story, then they made a mistake and it's fine that they did - the mistake is awful but its normal for someone to fuck up - surely you aren't perfect. surely you've made a small error. and if you haven't ever made a mistake, then i'll be damned.
sure the admins have fucked us over before, but have some faith in them. it's going to take time, probably years for FA to be stable and have decent security. we don't have the income that other websites do.
Plenty of answers have been said already, you just have to look. Someone pointed out earlier as well that website handling has been a lot better than it was before, which is cool to hear.
SGRedAlert
Member
I'm sure they have tons of stuff in the works - just because it's not happening *right now* doesn't mean it won't ever happen. I always thought people should have more faith in the administrators, even if a lot of the time they've shown themselves to not only be incompetent but almost patronizing. Still. They're only human, and I mean that - I sincerely doubt the biggest of Dragoneer's haters have made any less mistakes than he has. It's just easier to point fingers when someone's mistakes involve being broadcasted to thousands of people, as well as businesses (although if you run a business off of a website known for it's instability, you should have the brains to back up your info.)
supersonicbros23
Appearance: unoriginal; Personality: out to lunch
I just realized... what ever happened to the "read-only" caches that got deployed during routine server maintenance?
deragorka
Dragon.rar
I'm with you on this one. Sure folks screw up from time to time, but this is major. Does no one check security exploits at any time during development?
AliothFox
That High-Flyin' Foxy
They do back up their info; they just don't have the resources to do it every single day.
SGRedAlert
Member
I dunno man, it only takes a couple of minutes to screenshot some notes and save it. I know there's even a screenshot keystroke on Macs and PC's that will save it to a designated folder, I just don't remember what it is (PrintScreen does just fine for me.) That option only takes seconds of your time. Hardly any necessary "resources" and if you're a business with any respect for their customers, you should probably make it a habit not to lose valuable information.
deragorka
Dragon.rar
I would agree with you except this is no "small mistake." This is a massive mistake that has opened many users to potential security risks on their accounts. Sure passwords etc. are safe now, but next time? Who knows? Security needs to be checked on a regular basis. Period.
KaiyaShadowBlaze
New Member
I know. But what gets me worried is that there are also USBs' still out there possibly as well, with the sites code on it. I mean why do that to the site, then pass out USB's to others at a convention too? Its like saying:"..here's a free site to use for your purpose "
Like a blunt hit to the head, but with a sharp point to leave a scratch. This attack, angers me and upsets very much more than most, because I've been a secret furry fan for awhile, then recently mad that secret open to a few trustworthy friends, and to a few family members. I mean that is like say ing the attack is towards us furries, and that or main site is like a trashy get together for us, and just an excuse to be here. Its very disconcerting to see this happen and not even know who exactly the culprit is for chasing this from the start.
CreideikiStormbringer
New Member
First time posting here. I just created an account to do it. Though I've lurked for a long while...
As an idea, to make the site's codebase better in general, why does FA not open source development of their code? It's a proven model for creating working — safe — code; just look at Theo de Raadt's OpenBSD project (which is where OpenSSH, among other software, comes from).
EDIT: Forgot some text after I made my point about Kerckhoff's Principle.
Having access to the source shouldn't be a problem. Auguste Kerckhoff in 1883 told us to expect that any attacker "knows the system" (to quote/paraphrase Claude Shannon's later restatement of Kerckhoff's desideratum). Thus, having access to the site sources should not be a problem. Look at the Linux kernel and utilities, and at the different BSDs. Especially look at OpenBSD, which is probably the most secure of the UNIX-like out there right now. All the source is freely available and readable to anyone, and OpenBSD in particular has had very, very few exploits.
I work with PDP-11s (as a hobby), and both RSX-11/M+ BRU and RSTS/E's duo of BACKUP and RESTORE support incremental backups; this is a technology from the 70s. Why does FA not run a nightly incremental to go along with the full backup? I hate calling you out on that, but honestly it's not a terrifyingly complex idea to have incrementals. We do them at my workplace on our AutoDesk Vault (must protect the CAD files at all costs), and we run the incrementals twice daily alongside a full dump at week's end.
Computer security conventions — "hacker conventions" — are a perfectly normal thing, and don't involve actually hacking websites and systems; since that's illegal. They discuss exploits and how to fix them. At least that's the experience I've had with them. There are some which have "hackathons" as you mentioned, where the con goers can hack a system provided just for that purpose. CanSecWest up here in Canada famously has "Pwn2Own", where the first con goer to hack ("pwn") a system is given it.
Yeah most computer security cons (that aren't tiny, podunk affairs) have some people there from various agencies. The NSA famously attends Black Hat and Def Con; and even recruits from those conventions. Hell they've even presented before.
As an idea, to make the site's codebase better in general, why does FA not open source development of their code? It's a proven model for creating working — safe — code; just look at Theo de Raadt's OpenBSD project (which is where OpenSSH, among other software, comes from).
EDIT: Forgot some text after I made my point about Kerckhoff's Principle.
Last edited:
Bourbon.
Member
They still do that, but this isn't server maintenance that's being done. They are repairing broken code and testing the security at the moment.
AliothFox
That High-Flyin' Foxy
Your security can be as tight as a drum, but when someone obtains a big piece of the source code (and goodness only knows what else) through an exploit that they *thought* they closed back on the 5th, the best security can only go so far. Sony has been hacked. Microsoft has been hacked. Websites get hacked - it happens. I'm honestly surprised at how well FA actually *does* manage to weather all the attacks, considering how little they have to work with in terms of hardware and other resources. I think the code is in need of some updates, but rewriting an entire site code isn't something that can be done easily or quickly. This is major, but it's not the end of the world.
SGRedAlert
Member
I'm not going to pretend to know a god damn thing about servers or website security but this is on the very first page of this thread;
"The exploit in question was not with FA's code but with a plugin called ImageMagick. Once we were made aware of the vulnerability it was patched, but were not aware that the source code had been leaked at that time." (from Dragoneer.)
Bourbon.
Member
The site was developed a decade ago. During that time, hacking and site coding has changed exponentially. They would have to rewrite the entire site to fix a lot of the holes and issues in the code today.
AliothFox
That High-Flyin' Foxy
Yeah, but we're not talking about screenshotting a few notes. We're talking about accessing and copying terabytes upon terabytes' worth of data. That's not a quick thing, and with the hardware that they have available (which they lack the resources to adequately upgrade), they wouldn't be able to do that every day without making the site prohibitively slow.
ZX6R
Member
If the code is secure, it really shouldn't matter. Look at linux, the code is all available for anyone to look at and it's going a long just fine.
reptile logic
An imposter among aliens.
Are you volunteering your services, or just trying to educate the masses? Speaking for myself only, I have no idea what you're talking about. Then again I freely admit my ignorance and general lack of interest in all things computer. Perhaps you should PM an admin or two and get more directly involved in the process. All it will take is some of your time and effort. Do you have any to spare?
Y
Yukkie
Guest
Holy shit, this hasn't even been going on that long, and we already have 27 pages on this thread alone lol.
Zepher_Tensho
Lodestar
Yea but FA doesn't have the same coders that linux does lol
Bourbon.
Member
It's been down for over 12 hours at this point.
It's mostly people engaging in discussion and speculation on who would be behind this.
SGRedAlert
Member
Nah, I was talking about the businesses, dude. It should have been obvious. I am not braindead enough to think you can screenshot the entirety of a website as big as FA. Why would I even mention respect for customers? We don't pay FA anything for this. Which is another reason people should be a little more forgiving.
ZX6R
Member
If FA open sourced it, or allowed the community to help in someway(obviously with approval before code is pushed to prod), then it could be on par with Linux.
- Status