
5/17 Site Attack

Status
Not open for further replies.

Bourbon.

Member
Nah, I was talking about the businesses, dude. It should have been obvious. I am not braindead enough to think you can screenshot the entirety of a website as big as FA. Why would I even mention respect for customers? We don't pay FA anything for this. Which is another reason people should be a little more forgiving.
The biggest problem with that cunning plan is that it doesn't provide clickable links. FA uses a link shorthand for links that have more than a certain number of characters, which makes it impossible to look at it and re-type it elsewhere. For people who deal in a LOT of business, bookmarking all these references would also not be feasible. There's also the possibility of mixing up references and links when going over the notes and not having the ability to click them.
 

Flam1ngDem0n

New Member
Do we have any current information on the status of the USB drives? Are they still being handed out (for anyone who's been at any current or recent Cons)? Is the data on the USB drives still a source of future attacks? I know a lot of people are concerned about the loss of content but as much as it sucks to say it, there's probably nothing that can be done to get it all back properly.

Personally I am more concerned with the future. Will another attack be possible with the USB drive data? Are they still being given out? Have we found anyone who knows about their origin point (who originally created them)? Or has someone found a "source" that has been able to tell us more?

My other big question is: What sort of legal action can be taken when (and if) they find the person(s) responsible for this? Whether it's the actual hacker themselves or the person who created the USB drives and was handing them out. Can any legal action be taken? I am pretty sure (at least in the US, though I don't know where the actual server machine(s) are for the site) that hacking a domain and tampering with content (editing or deleting) is a huge crime.

I don't think suing the heck out of someone will solve it (as they can just rebuild and do it all again). Plus suing someone is an overused "solution" to everyone's problems these days (just look at Hollywood), so it doesn't actually solve the problem. It just delays another attack. So if the perpetrator is found, is possible jail time a thing? Like I said, I don't know the FA server location (in the world) but depending on where they are, the severity of legal action can range from a fine to a long time behind bars.
 

Zepher_Tensho

Lodestar
If FA open sourced it, or allowed the community to help in some way (obviously with approval before code is pushed to prod), then it could be on par with Linux.
I bet but... too many trolls would be dicking around with it. Also it's owned by a private company now, who probably wouldn't do that.
 

Bourbon.

Member
Do we have any current information on the status of the USB drives? Are they still being handed out (for anyone who's been at any current or recent Cons)? Is the data on the USB drives still a source of future attacks? I know a lot of people are concerned about the loss of content but as much as it sucks to say it, there's probably nothing that can be done to get it all back properly.

Personally I am more concerned with the future. Will another attack be possible with the USB drive data? Are they still being given out? Have we found anyone who knows about their origin point (who originally created them)? Or has someone found a "source" that has been able to tell us more?

My other big question is: What sort of legal action can be taken when (and if) they find the person(s) responsible for this? Whether it's the actual hacker themselves or the person who created the USB drives and was handing them out. Can any legal action be taken? I am pretty sure (at least in the US, though I don't know where the actual server machine(s) are for the site) that hacking a domain and tampering with content (editing or deleting) is a huge crime.

I don't think suing the heck out of someone will solve it (as they can just rebuild and do it all again). Plus suing someone is an overused "solution" to everyone's problems these days (just look at Hollywood), so it doesn't actually solve the problem. It just delays another attack. So if the perpetrator is found, is possible jail time a thing? Like I said, I don't know the FA server location (in the world) but depending on where they are, the severity of legal action can range from a fine to a long time behind bars.
Unfortunately, I think it's difficult to assess how many copies were made or if they will continue to be distributed. BLFC barely happened last weekend, so there's not much to go off of to speculate about the future.

Also, FA is hosted in the US.
 

hera

Member
Is it time to open-source FA and have volunteers suggest security fixes? I mean it's just a matter of time before it becomes public. Why not fight fire with fire?
 

SGRedAlert

Member
The biggest problem with that cunning plan is that it doesn't provide clickable links. FA uses a link shorthand for links that have more than a certain number of characters, which makes it impossible to look at it and re-type it elsewhere. For people who deal in a LOT of business, bookmarking all these references would also not be feasible. There's also the possibility of mixing up references and links when going over the notes and not having the ability to click them.
Well in which case, maybe people shouldn't base their businesses off of an unstable website in the first place. /shrug/ I'm just expressing how not sorry I feel for businesses who lost information in this - I'm not sure why you would rely on a website known for its instability for something as important as that.
I suppose this is why many fursuit businesses have off-site websites with commission forms. For this very reason.
 

zilchfox

New Member
Is it time to open-source FA and have volunteers suggest security fixes? I mean it's just a matter of time before it becomes public. Why not fight fire with fire?
I was literally just talking to someone about how FA might be better off as open source.
 

ZX6R

Member
I bet but... too many trolls would be dicking around with it. Also it's owned by a private company now, who probably wouldn't do that.
(obviously with approval before code is pushed to prod)

GitHub is a private company. Part of what powers GitHub is on GitHub itself. Linux is on GitHub. A large part of the reddit code is available on GitHub. If you follow these 3 examples, then there's no problem. Sure, you could spam pull requests, but it's not going to go into production until you approve it to do so, and the server fetches the newest revision. It doesn't have to be GitHub, any version control software should work in theory.
 

LyrrenClock

Blarg~
Is it time to open-source FA and have volunteers suggest security fixes? I mean it's just a matter of time before it becomes public. Why not fight fire with fire?
That sounds like a good idea in theory. Sadly, though, with the kind of people among our community, it might end up hurting us more than helping, let alone with the sheer amount of negative onlookers too. It is basically putting a giant bullseye on the site, in my honest opinion, but I see where you are coming from and how it would be a good idea, taking all these negative outcomes out of the situation.
 

BigbirdTKF

New Member
When I opened the translator, I totally can't understand what you're talking about.
It would be better if I close it.
Now I won't trust any translator...:confused:
 

Zepher_Tensho

Lodestar
GitHub is a private company. Part of what powers GitHub is on GitHub itself. Linux is on GitHub. A large part of the reddit code is available on GitHub. If you follow these 3 examples, then there's no problem. Sure, you could spam pull requests, but it's not going to go into production until you approve it to do so, and the server fetches the newest revision.

Hmmm, well I wasn't aware since I haven't gotten involved in anything open source, although I'm pro-open source.
 

Bourbon.

Member
Well in which case, maybe people shouldn't base their businesses off of an unstable website in the first place. /shrug/ I'm just expressing how not sorry I feel for businesses who lost information in this - I'm not sure why you would rely on a website known for its instability for something as important as that.
I suppose this is why many fursuit businesses have off-site websites with commission forms. For this very reason.
Well FA happens to be the only viable business model for a lot of people. Blaming the victims because they happen to use FA helps no one.

(Also, that probably has more to do with how much more revenue fursuit business brings in than other art types.)
 

Gem-Wolf

da golden wuff
So many people complaining! What was it that most artists say to people who are getting free art? hmmm *taps chin and ponders*
Oh yeah that's right - "if it's free, you have no rights to complain. Be grateful that you are getting it in the first place"
Time to practice what you preach people!
 

Bourbon.

Member
So many people complaining! What was it that most artists say to people who are getting free art? hmmm *taps chin and ponders*
Oh yeah that's right - "if it's free, you have no rights to complain. Be grateful that you are getting it in the first place"
Time to practice what you preach people!
Me thinks you doth protest too much.

I've only seen a handful of people complaining. This thread has primarily been speculation and discussions on site security.
 
Are you volunteering your services, or just trying to educate the masses? Speaking for myself only, I have no idea what you're talking about. Then again I freely admit my ignorance and general lack of interest in all things computer. Perhaps you should PM an admin or two and get more directly involved in the process. All it will take is some of your time and effort. Do you have any to spare?

I updated the text of my post a bit, because I realized I left out an important point after I mentioned Kerckhoffs's Principle.

In any case, I'm not a web dev. My coding skills lie in embedded applications/systems development and process control systems. So, long story short I'm not volunteering my services in helping fix up FA's code.


What I am trying to do is educate the masses, somewhat, in a topic which has been known in the cryptography circles since 1883. Namely, never to have the security of your system be reliant upon the function of the system remaining secret; rely on the strength of the algorithms the system implements for your security. We have a wide corpus of work showing how relying on security through obscurity simply does not work (see: the German Enigma cipher of WWII fame; which was broken so hard the Germans couldn't even believe it after they were told about it at the end of the war). The variety of Linux and BSD systems show this, their codebase is free and open, and you most often only see exploits on those systems occurring in closed source "binary blobs" from third party developers. OpenBSD, like I mentioned, is known to be extremely security focused, and there are many commercial entities who use software and code written in the OpenBSD project in their products. (Example: The Core Force firewall for Windows is essentially a straight port of OpenBSD's pf firewall. Microsoft's own Windows Services for UNIX (and its derivative Services for UNIX Applications) are built on OpenBSD code as well.)

So to TL;DR my point, I'll just quote the preeminent Claude Shannon: "one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them".
 

TwistedTeeth

Artist for Hire
So many people complaining! What was it that most artists say to people who are getting free art? hmmm *taps chin and ponders*
Oh yeah that's right - "if it's free, you have no rights to complain. Be grateful that you are getting it in the first place"
Time to practice what you preach people!

Doesn't really pertain to the situation, as fA is a website. It's also a major source of income for some people as well as a social platform, it doesn't really matter if it's free or not. The site has had multiple instances of loopholes in the code security and it's high time something is done to FILL those loopholes. People aren't complaining so much that it's down, it's more a matter of the fact that it's down due to attacks like this so often.
 

deragorka

Dragon.rar
So many people complaining! What was it that most artists say to people who are getting free art? hmmm *taps chin and ponders*
Oh yeah that's right - "if it's free, you have no rights to complain. Be grateful that you are getting it in the first place"
Time to practice what you preach people!
Honestly, that's a crappy excuse for being a shit service. "Free" does not mean certain quality standards should not be met. Websites go down. That's life. But something of this magnitude is catastrophic. And those complaining probably have their livelihoods built around their art commissions here. Try living a week without pay only to see your paycheck either $0 or half of what it should be.
 

hera

Member
So many people complaining! What was it that most artists say to people who are getting free art? hmmm *taps chin and ponders*
Oh yeah that's right - "if it's free, you have no rights to complain. Be grateful that you are getting it in the first place"
Time to practice what you preach people!

This isn't simply a factor of a site being down. With the source code leaked, there could be further ramifications. I have justifiable concerns about site security.
 

ZX6R

Member
I updated the text of my post a bit, because I realized I left out an important point after I mentioned Kerckhoffs's Principle.

In any case, I'm not a web dev. My coding skills lie in embedded applications/systems development and process control systems. So, long story short I'm not volunteering my services in helping fix up FA's code.


What I am trying to do is educate the masses, somewhat, in a topic which has been known in the cryptography circles since 1883. Namely, never to have the security of your system be reliant upon the function of the system remaining secret; rely on the strength of the algorithms the system implements for your security. We have a wide corpus of work showing how relying on security through obscurity simply does not work (see: the German Enigma cipher of WWII fame; which was broken so hard the Germans couldn't even believe it after they were told about it at the end of the war). The variety of Linux and BSD systems show this, their codebase is free and open, and you most often only see exploits on those systems occurring in closed source "binary blobs" from third party developers. OpenBSD, like I mentioned, is known to be extremely security focused, and there are many commercial entities who use software and code written in the OpenBSD project in their products. (Example: The Core Force firewall for Windows is essentially a straight port of OpenBSD's pf firewall. Microsoft's own Windows Services for UNIX (and its derivative Services for UNIX Applications) are built on OpenBSD code as well.)

So to TL;DR my point, I'll just quote the preeminent Claude Shannon: "one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them".
I think people think access to the code is like having the keys to the castle. In poorly coded environments, possibly. In well implemented ones, it's not worth much.
 

AsheSkyler

Feathered Jester
Well FA happens to be the only viable business model for a lot of people. Blaming the victims because they happen to use FA helps no one.

(Also, that probably has more to do with how much more revenue fursuit business brings in than other art types.)
Aye. Etsy only goes so far for crafters before a niche creator has to go find a niche platform to sell on and leave the other platforms to be the supplement to your income supplement.
 

SGRedAlert

Member
Well FA happens to be the only viable business model for a lot of people. Blaming the victims because they happen to use FA helps no one.

(Also, that probably has more to do with how much more revenue fursuit business brings in than other art types.)
As someone who once sold quite a bit of art on FA - that's bull. They're not victims. They, as presumably responsible business-people, need to make damn sure their information is not going to be lost. That's why we back up our computers whether they're new or old - why skimp on that sort of responsibility here, especially when it involves other people and their money, no matter how much? All I'm saying is, you should make sure if you don't want something lost - back it up somewhere. :/ Why call someone a victim for simply being irresponsible? I would feel equally not as bad for someone who lost information on a much more stable site.
 

ohtar

Overworked & Underpaid
This is golden. I have to keep coming back every few hours to see how much worse it's gotten!

So far it's gone from
- random jerk who wants to stir up drama
- random jerk who hates furries
- Bored hacker who just wants to watch the world burn
then suddenly it jumps to religious extremists and an entire convention of hackers who aren't even at the same convention!

I wonder when someone is gonna spin the government conspiracy theories as something more than just for the lulz XD

between this and
"Are all my files gone??"
"no your files are fine."
"OMG I HAVE TO REUPLOAD ALL MY FILES I JUST KNOW IT"
"I just said your files are fine...."
"Did someone say files? All our notes are deleted! OMG life is over!"
"Guys! can you not..."
"Did you all hear? the whole site was deleted and now Islam is trying to kill us all!"
"..... for the love of....."
 

Bourbon.

Member
As someone who once sold quite a bit of art on FA - that's bull. They're not victims. They, as presumably responsible business-people, need to make damn sure their information is not going to be lost. That's why we back up our computers whether they're new or old - why skimp on that sort of responsibility here, especially when it involves other people and their money, no matter how much? All I'm saying is, you should make sure if you don't want something lost - back it up somewhere. :/ Why call someone a victim for simply being irresponsible? I would feel equally not as bad for someone who lost information on a much more stable site.
I honestly doubt you'd say the same about other larger sites built around users selling things (such as etsy or ebay). People aren't upset because they can't access notes, they are upset because they can't continue to conduct business so long as FA remains offline.
 

AliothFox

That High-Flyin' Foxy
So many people complaining! What was it that most artists say to people who are getting free art? hmmm *taps chin and ponders*
Oh yeah that's right - "if it's free, you have no rights to complain. Be grateful that you are getting it in the first place"
Time to practice what you preach people!

Wow, a tad bit salty over something completely irrelevant? The "it's free, so you don't have a right to complain" argument is really old. For one thing, there are a whole lot of artists (including myself) who make a considerable portion of their living from FurAffinity. Sure, I'm glad it's a free service! But me using their site and promoting my profile on their site also boosts their ad revenues, their Alexa ranking, and a whole lot of other things. And if a big enough portion of the site's userbase were to actually take our business elsewhere, FurAffinity wouldn't be able to survive, because it would quickly turn into a money pit for its owners. It's a symbiotic relationship.

Secondly, most of the people here (with some exceptions, I'm sure), genuinely don't want to see FA fail. We're not "complaining" - we're discussing our thoughts on why the site might be having these problems, who might be responsible, and how they might be avoided in the future. This is simple "water cooler" talk. We're shooting the breeze while we're waiting for the site to come back up. No need to be so hostile.
 