
5/17 Site Attack

Status
Not open for further replies.

Snowbbi

99% fluff
You guys really think that FA will have to start all over? So we lose all our watchers, submissions and all the hard work we did? You really truly believe FA can afford that kind of downfall??
I don't think it'll go down. We might lose a bit of work and progress, but it won't die.

But let's say, for the sake of what you're asking, it does have to start again. I still don't think it'll die completely. Even if it takes a year to come back to life, people will flock back. There's the idea of "brand recognition", where something is associated with a concept or object. Even though Oreos weren't the original sandwich cookie, when we think of them, it's Oreos. FA has been around for a really long time, despite its glaring issues and how many times this kind of thing has happened, people come back.

Honest question though, since I've only recently come back to FA, this is the longest I've seen it down. Is this amount of time normal or...?
 

jukajo

New Member
I couldn't find anything via the forum search, so I have a question: Will people who've paid for banners have that banner's uptime expanded? For the downtime and the 6 days that were lost? These 6 days probably meant around ~50 watchers that are now gone ):
 

Hackerman1998

New Member
They can backup the database but as for the platform itself, they may have no choice. I don't think you fully realize the damage that can be done now that someone has the source code. They can do everything an admin can do on a software level, including perv at your notes and any sensitive PayPal information you may have mentioned.

Nope, not true.

It depends at the level this exploit has been used. If the hacker stole the source code in its complete, unedited live state ( so what you see on www.furaffinity.net ), there is a great chance the user was also able to get the MySQL database passwords from the stolen code ( after all, most SQL libraries such as PDO or default PHP mysqli queries require you to enter your password in plain text ). But it really depends on how FurAffinity handles their database queries.

But no, the person ( or persons ) with the source code have no 'admin' powers on Fur Affinity, nor can they 'snoop' Mails.
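The post above makes the point that a leaked copy of the source is only as dangerous as what is embedded in it, and that plain-text database passwords passed to PDO or mysqli are the usual casualty. The scanner below is an added example for this thread, not Fur Affinity code and not a description of how their site is written. It flags PHP connection calls whose password argument is a string literal and define() constants named like passwords, and it contrasts a constructed weak snippet with a constructed hardened one that reads secrets from the environment. The PHP snippets, the call list and the name heuristics are all assumptions made for the example.

```python
"""Heuristic scanner for database credentials hard-coded in PHP source.

Added example, not Fur Affinity code. Flags the pattern the post describes:
a PDO / mysqli connection whose password argument is a string literal, or a
define() of a *_PASS / *_PASSWORD / *_SECRET constant with a literal value.
A source tree that passes this check still leaks logic if stolen, but not
the database password itself.
"""
import re
from dataclasses import dataclass

# Constructed sample (not real site code): the weak shape the post warns about.
WEAK_PHP = r'''<?php
$db = new PDO("mysql:host=localhost;dbname=site", "site_user", "Hunter2!");
$m  = mysqli_connect("localhost", "site_user", "Hunter2!", "site");
define('DB_PASSWORD', 'Hunter2!');
'''

# Constructed sample: secrets come from the environment or a config array
# loaded from a file kept outside the web root, never from the source itself.
HARDENED_PHP = r'''<?php
$db = new PDO(getenv("DB_DSN"), getenv("DB_USER"), getenv("DB_PASS"));
$m  = mysqli_connect($cfg["host"], $cfg["user"], $cfg["pass"], $cfg["name"]);
'''

# (label, regex for the call opening, zero-based index of the password argument)
CONNECT_CALLS = [
    ("new PDO", r"new\s+PDO\s*\(", 2),
    ("mysqli_connect", r"\bmysqli_connect\s*\(", 2),
    ("mysql_connect", r"\bmysql_connect\s*\(", 2),
]
CONST_NAME = re.compile(r"(PASS|PASSWORD|PWD|SECRET)", re.IGNORECASE)
STRING_LITERAL = re.compile(r"""^(['"]).*\1$""", re.DOTALL)
DEFINE_CALL = re.compile(r"""define\s*\(\s*(['"])([^'"]+)\1\s*,\s*(['"])[^'"]*\3""")


@dataclass
class Finding:
    line: int
    call: str
    detail: str


def _split_args(text: str, start: int) -> list[str]:
    """Split the arguments of the call whose '(' is at text[start].

    Tracks quotes and nested parentheses so commas inside strings or inside
    nested calls such as getenv("X") do not break an argument apart.
    """
    depth, quote, args, cur = 0, None, [], []
    i = start
    while i < len(text):
        ch = text[i]
        if quote:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(text):
                cur.append(text[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return args  # unterminated call: return what was collected


def scan_php(source: str) -> list[Finding]:
    """Return findings for literal passwords in connection calls and defines."""
    findings = []
    for label, opener, pw_index in CONNECT_CALLS:
        for m in re.finditer(opener, source):
            args = _split_args(source, m.end() - 1)
            if len(args) > pw_index and STRING_LITERAL.match(args[pw_index]):
                line = source.count("\n", 0, m.start()) + 1
                findings.append(Finding(line, label, "password argument is a string literal"))
    for m in DEFINE_CALL.finditer(source):
        if CONST_NAME.search(m.group(2)):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, "define", f"{m.group(2)} is defined as a literal"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for name, src in (("weak", WEAK_PHP), ("hardened", HARDENED_PHP)):
        print(name, [(f.line, f.call, f.detail) for f in scan_php(src)])
```

The check is a heuristic: it catches the obvious literal-in-the-call shape and named constants, not every way a secret can end up in a repository, so it belongs alongside (not instead of) keeping credentials out of the deployed tree and rotating them after any suspected source exposure.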
 
D

Deleted member 82554

Guest
nor can they 'snoop' Mails.

You may be right about everything else but I might have to call BS on that part. One of my mates is a web developer and was going on about hacking notes on FA, claimed it's not that hard. Never provided any evidence to the contrary, though.
 

RestrainedRaptor

Helpless for you
It can actually take a lot longer than months to replace the hardware. (Depending on how much/old it is.) I am sure they are doing their best and you should have more faith in what they are doing if you do not know the specifics of their operation.

@Lunarmagic Perhaps, but Dragoneer also received a lot of donations prior to that in the quest for new hardware. Now that Dragoneer works full time, I would have considered these things to be top priority. Oh well... History repeats itself.

Also, this forum doesn't appear to notify me when people reply with quotes, and I'm not sure if @mentions work either. I can't read through 50 pages, so just let me know if you reply.
 

Hackerman1998

New Member
You may be right about everything else but I might have to call BS on that part. One of my mates is a web developer and was going on about hacking notes on FA, claimed it's not that hard. Never provided any evidence to the contrary, though.

I work as a Chief Technology Officer ( which means I work as a web-developer which overlooks other web-developers and talk to executives about tech ) , if your friend has no evidence assume nothing of his claims.
 

Gem-Wolf

da golden wuff
??? Nobody said that. What we say is it needs to be REWRITTEN from scratch. That doesn't mean they could not migrate the existing database then.

Yes Mr. Fox did and several others further back as seen here:
They're going to have to start all over again, someone has the source code. That isn't just a simple patch and put FA back online job, the people that have the source will always have access to everything on a software level unless they make some serious back-end changes.
 
D

Deleted member 82554

Guest
I work as a Chief Technology Officer ( which means I work as a web-developer which overlooks other web-developers and talk to executives about tech ) , if your friend has no evidence assume nothing of his claims.
No I don't. But the notion that it's feasible without admin rights is a scary thought in and of itself.

It wouldn't surprise me if he's telling the truth. One of the people that used to work with the FA dev team said so himself, the code base is a clusterfuck. All those vulnerabilities.
 

Snowbbi

99% fluff
They are not going to start from scratch. Fur Affinity will probably be made open source officially.
Wouldn't that just open it up to more of this? I honestly don't know crap about coding or anything, I'm not trying to sound aggressive.
 

---Storm---

Artist for hire
Wouldn't that just open it up to more of this? I honestly don't know crap about coding or anything, I'm not trying to sound aggressive.
Well, making something open source can actually help security, because then any user who knows programming can go through it and look for issues and can report them. Generally, if the site is WRITTEN PROPERLY then seeing the source should not pose any risk. If security depends on hiding the source then the code is bad.

Some of the most trusted platforms, and even encryption algorithms are open source because of the above.
 

Snowbbi

99% fluff
Well, making something open source can actually help security, because then any user who knows programming can go through it and look for issues and can report them. Generally, if the site is WRITTEN PROPERLY then seeing the source should not pose any risk. If security depends on hiding the source then the code is bad.

Some of the most trusted platforms, and even encryption algorithms are open source because of the above.
Ah, thanks.
 

Hackerman1998

New Member
Wouldn't that just open it up to more of this? I honestly don't know crap about coding or anything, I'm not trying to sound aggressive.

If anything is leaked, generally speaking you can no longer control it. Fur Affinity does not know how many copies of the source code were leaked and providing an official open source project deters people from using the leaked source code. Thus bringing back control to Fur Affinity.

Remember, all it takes is for one of these supposed holders of the leaked source code to upload it to GitHub for everybody to see.
 

DShain

New Member
Several suggestions were given to broaden your horizons, you ignore them and look where it lands you.

You put all of your eggs in one basket. communications? references? the ability to conduct business? you've been locked out all of this AND MORE for 20+ hours, and some of you still have the gall to bitch and complain "well XYZ doesn't get enough traffic" then go there and make traffic. "their interface is shit" you could've spent today learning the interface for another site, it's not that hard.

All I and several others are saying: branch out, because you'll never know when furaffinity will cease to exist all together, data included, and then what are you going to do?
Need a way to contact someone? make an easy to access means to communicate, hell even a "business" email.
Need someone's ref? store that shit somewhere off site while you're doing business, dropbox or google drive works wonders, the free storage space is good enough, and if those services temporarily go down? you still have local access to them.

Quit making excuses of why you can't (or won't in this case) branch out to other fronts, spend a weekend or two to try it out, and who knows? you might end up getting more customers from multiple communities.
Even a personal website wouldn't be a bad idea either to put your art and a way to commission/contact you, I have one of these going on just for the hell of it, and I'm not even an artist.

I've only been lurking a bit, but I want to put emphasis on what Draconas has said here because I wholeheartedly agree. I think people are actually really chill in this forum discussion and aware that FA will return in time and things can resume as normal (as always), but this is still good advice to those who don't already know these things.

But I do know there are lots of people who strictly conduct business through FA and, when it's out, they can't work. Maybe those people aren't among the group actively chatting in the forum now, but maybe they're lurking. Do not conduct your business through notes... build an effective and easy-to-organize way to conduct your business. If you financially depend on commissions through FA and are really worried and freaking out that things are lost, then you've gotta learn from that lesson. Don't put yourself in such a risky situation. Also, I wouldn't rely on a URL to a reference image not being broken (or perhaps linked to a website that experiences outages), so you should take measures to always have access to them.
 

TheBlackKnight

New Member
A question for Dragoneer regarding the ImageTragick exploit used for the initial site breach:

At what point did FurAffinity become aware that there was a publicly disclosed RCE exploit in ImageMagick? And at what point prior to the second breach, if any, did FurAffinity take action to mitigate the risks associated with the ImageTragick exploit?

If, hypothetically, Fur Affinity patched the exploit within a reasonable time-frame of the critical CVE being posted regarding ImageTragick, and the initial attacker simply beat you to it, then I would be happy to accept that this was a case of “Bad Luck” more so than a case of ineptitude on the part of yourself and Fur Affinity’s technical staff.

However, if that was not the case, and it took a substantially longer period for Fur Affinity staff to become aware of and mitigate the exploit in question, then I’d say: “You need to revise your processes regarding how you monitor for new exploits and resolve them – Since clearly they're not good enough at present.”

And finally, if the answer is as I suspect, “We didn’t know about the exploit prior to the second breach” or “We never upgraded ImageMagick to a non-affected version” then I would say, “Get out of hosting, because such ineptitude is completely unacceptable from a for-profit organisation.”

So, for my own amusement and that of everyone else in this thread, which one is it?
 
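The question above turns on two things a site operator could have done once ImageTragick was public: upgrade ImageMagick to a non-affected version, or apply the stop-gap mitigation published with the disclosure, which denies the affected coders in ImageMagick's policy.xml. The script below is an added example for this thread, not Fur Affinity code, and it does not reproduce the exploit; it only audits a policy.xml for those coder restrictions so an operator can tell whether the stop-gap is in place. The coder list is the one published with the ImageTragick disclosure, the sample policy files are constructed, and the handling of `*` globs and `{A,B}` brace lists in `pattern` attributes is an assumption about ImageMagick's pattern syntax.

```python
"""Audit an ImageMagick policy.xml for the ImageTragick coder restrictions.

Added example, not Fur Affinity code. The mitigation published with the
ImageTragick disclosure adds <policy domain="coder" rights="none" .../>
entries for the coders below. This check reports which of them a given
policy file still leaves enabled. It is a configuration audit only; the
real fix the post asks about is upgrading ImageMagick itself.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the published ImageTragick mitigation.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample: a policy that only sets a resource limit (no coder rules).
UNHARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample: every ImageTragick coder denied, one entry per coder.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""

# Constructed sample: a brace-list entry that covers only part of the set.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL}"/>
</policymap>"""


def _expand(pattern: str) -> list[str]:
    """Expand a {A,B,C} brace list into separate globs (assumed syntax)."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",") if p.strip()]
    return [pattern]


def denied_coders(policy_xml: str) -> set[str]:
    """Return the ImageTragick coders that the policy denies all rights to."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").strip().lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        for glob in _expand(pol.get("pattern", "")):
            # Coder names are compared case-insensitively; '*' matches all.
            for coder in IMAGETRAGICK_CODERS:
                if fnmatch.fnmatchcase(coder, glob.upper()):
                    denied.add(coder)
    return denied


def missing_mitigations(policy_xml: str) -> list[str]:
    """Coders from the published list that the policy still leaves enabled."""
    denied = denied_coders(policy_xml)
    return [c for c in IMAGETRAGICK_CODERS if c not in denied]


if __name__ == "__main__":
    # Point this at the live file on a host, e.g. the policy.xml under
    # ImageMagick's configuration directory (path varies by distribution).
    for name, policy in (("unhardened", UNHARDENED_POLICY),
                         ("partial", PARTIAL_POLICY),
                         ("hardened", HARDENED_POLICY)):
        print(f"{name}: still enabled -> {missing_mitigations(policy) or 'none'}")
```

An empty result means the stop-gap is present, not that the library is fixed; the policy only stops ImageMagick from delegating to those coders, so the audit pairs with checking the installed ImageMagick version against the advisory.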

TheBlackKnight

New Member
I work as a Chief Technology Officer ( which means I work as a web-developer which overlooks other web-developers and talk to executives about tech ) , if your friend has no evidence assume nothing of his claims.

A 20 year old CTO. Amazing. That has to be the most gratuitous case of self-serving title inflation I've ever seen. Bravo and thank you for the laughs.
 