
5/17 Site Attack

Status
Not open for further replies.

MamaGennie

New Member
*beep* ... Also FA has a complete daily backup on the deep web ...*beep*

From the very first page, Dragoneer posted:

"Our most recent full backup is from May 11, so approximately 6 days worth of new user registrations, account watches, and new submissions have been lost due to the attack. We are still trying to evaluate the scope of the attack."

So, no, daily backups are not done, at least according to the information that has been presented so far that I have read.
 

maybeImAmazed

New Member
From the very first page, Dragoneer posted:

"Our most recent full backup is from May 11, so approximately 6 days worth of new user registrations, account watches, and new submissions have been lost due to the attack. We are still trying to evaluate the scope of the attack."

So, no, daily backups are not done, at least according to the information that has been presented so far that I have read.

I'm talking about deep web it's a .onion page.
 

---Storm---

Artist for hire
A reminder to please tone down the bickering
First of all, thanks for the update! But in all honesty you shouldn't be surprised that people are pissed.

The ImageTragick exploit was patched within hours of tech becoming aware of it. Bad luck meant that before this patch was employed, someone decided to use the exploit to download our source code.
Which happened FIVE DAYS after the patch was released. The whole Internet was talking about ImageTragick, even regular media did talk about it and you somehow still managed to completely miss it for five damn days. I believe you can admit that you are at fault there. But let the past be past, I'm not trying to mock you about anything, just pointing out that people are not pissed without a reason.

As we wouldn't want to restore the site just to have it attacked again (possibly with more serious consequences), a thorough audit is being done to identify and eliminate vulnerabilities
And that is the right thing to do! Only that you should've audited your code long before. You knew it's old and messy. You knew that when a code is not kept up to date, let alone being based on ancient code patched around again and again, it is only a matter of time until something like this happens.

Again, what's done is done, it's past now, however I hope you are learning from this and taking measures to make sure this won't happen again.

You and I, and anyone with related knowledge all know, that FA needs to be rewritten from scratch, because no matter how well you fix it up, it is still castle built of recycled cardboard and plastic bags, reinforced with duct tape. So please, once the current emergency is taken care of, do the right thing and start rewriting FA as a whole, before an even worse attack happens. Yes, I know that's tremendous work, but you are funded by IMVU, aren't you? Downtime is bad for them too, so it is their interest as well. Unless of course, they stopped caring when they realized that Furry is not what they believed it to be.
 

Gem-Wolf

da golden wuff
First of all, thanks for the update! But in all honesty you shouldn't be surprised that people are pissed.


Which happened FIVE DAYS after the patch was released. The whole Internet was talking about ImageTragick, even regular media did talk about it and you somehow still managed to completely miss it for five damn days. I believe you can admit that you are at fault there. But let the past be past, I'm not trying to mock you about anything, just pointing out that people are not pissed without a reason.


And that is the right thing to do! Only that you should've audited your code long before. You knew it's old and messy. You knew that when a code is not kept up to date, let alone being based on ancient code patched around again and again, it is only a matter of time until something like this happens.

Again, what's done is done, it's past now, however I hope you are learning from this and taking measures to make sure this won't happen again.

You and I, and anyone with related knowledge all know, that FA needs to be rewritten from scratch, because no matter how well you fix it up, it is still castle built of recycled cardboard and plastic bags, reinforced with duct tape. So please, once the current emergency is taken care of, do the right thing and start rewriting FA as a whole, before an even worse attack happens. Yes, I know that's tremendous work, but you are funded by IMVU, aren't you? Downtime is bad for them too, so it is their interest as well. Unless of course, they stopped caring when they realized that Furry is not what they believed it to be.

46 pages of comments, and this is the best damn response hands down!
 

ElCid

Member
From the very first page, Dragoneer posted:

"Our most recent full backup is from May 11, so approximately 6 days worth of new user registrations, account watches, and new submissions have been lost due to the attack. We are still trying to evaluate the scope of the attack."

So, no, daily backups are not done, at least according to the information that has been presented so far that I have read.

What worries me is that we have no knowledge of what time the backup was made that day...
 

Snowbbi

99% fluff
Da hell is a .onion page? Seriously I have no idea
I'm incredibly tired, but the best way I can describe it is that a .onion page is a deep web page. A site that isn't the typical .com, .net, that sort of thing. There are a lot of really nightmarish sites in the deep web, so I really wouldn't recommend looking for them.
 

SammyChasity

New Member
Da hell is a .onion page? Seriously I have no idea
You're supposed to download a program called "tor" and use it in order to go onto the deep web. It's basically the layer of the internet below the "seen" internet, like ".net" and ".com" with a lot of red-rooms and things like that, where you use bitcoins to pay for things. You can get things like drugs and stuff like that on it. It's where all of the really unnerving parts of the internet are.
 

Gem-Wolf

da golden wuff
I'm incredibly tired, but the best way I can describe it is that a .onion page is a deep web page. A site that isn't the typical .com, .net, that sort of thing. There are a lot of really nightmarish sites in the deep web, so I really wouldn't recommend looking for them.


You're supposed to download a program called "tor" and use it in order to go onto the deep web. It's basically the layer of the internet below the "seen" internet, like ".net" and ".com" with a lot of red-rooms and things like that, where you use bitcoins to pay for things. You can get things like drugs and stuff like that on it. It's where all of the really unnerving parts of the internet are.
I think I get it now, but I kinda don't at the same time if that makes sense. anyway thanks guys
 

protocollie

Un Tiss Un Tiss Un Tiss
Would it be impossible to reverse this process? From what experience I have with programming, it would not be very hard to reverse engineer this process from the source code.

The entire point of hashes is that they're not reversible; that's why they're used to store passwords. You'd have to be doing some otherworldly level brilliant work to figure out how to reverse engineer a hash, and you'd compromise the security of the entire internet if you did it. Even with the code to generate the hash, your only option for reversing the hash is to come up with a list of every single string of characters that could be hashed and what the hashed output was and then do a comparison. That's something called a rainbow table.

Not to mention, with a custom browser (or maybe just using the console) it would also be possible to input the hash directly, skipping the hashing process. (Trust me, it's possible)

Short of another exploit, no, it's not. This is enforced on the server side, not the client side. When you hit the authentication endpoint on FA, the server decides whether or not to hash it - not the web browser. Short of another remote exploit there's nothing you could do to authenticate with a hash, the hash would just be hashed again and fail the comparison.

It's silly enough that people toss out technical advice all over the place, but it's more silly when they just make it up. If you don't know what you're talking about, don't say anything. C'mon now.
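As an added illustration of the server-side point made in the post above (this is example code written for this page, not code from the thread or from FA's own codebase): the authentication routine hashes whatever string the client submits before comparing, so sending the stored hash itself is just hashed again and fails, and per-user random salts mean two users with the same password get different stored values, which is what defeats precomputed (rainbow) tables. The user table, the storage format and the function names are constructed for this example.

```python
"""Server-side password verification: the server hashes whatever the client sends."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Storage format chosen for this example: algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it for storage."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: precomputed tables do not apply
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hashed once so that unknown users cost the same time as a wrong password.
DUMMY_HASH = hash_password("dummy-value-never-accepted")


def login(user_db: Dict[str, str], username: str, submitted: str) -> bool:
    """Hypothetical authentication endpoint.

    The client only ever supplies `submitted`; the server treats it as a plaintext
    candidate and hashes it itself.  A client that sends the stored hash string just
    gets that string hashed again, which does not match the stored digest.
    """
    stored = user_db.get(username)
    if stored is None:
        verify_password(DUMMY_HASH, submitted)  # equalise timing, then reject
        return False
    return verify_password(stored, submitted)


# Constructed sample user table (not real account data).
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),  # same password, different salt
}

if __name__ == "__main__":
    print(login(USERS, "alice", "correct horse battery staple"))  # True
    print(login(USERS, "alice", USERS["alice"]))                    # False: hash sent directly
    print(USERS["alice"] != USERS["bob"])                           # True: salts differ
```

The browser or a custom client can only change what it sends; the decision to hash lives in `login`, which is why skipping the client-side step cannot bypass the check.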
 

Mid-Nightshade

New Member
"Fighting", and yet this simple observational post is just my first reply to all the responses in this thread to my first post -- including an admin response at, like, 5 AM or some shit.

I'm not the first person to be dismissed as causing drama for furries without issuing any personal attacks or even punching back against any of the passive aggressive responses to my post. I'm not even fighting -- the drama is an illusion in your heads.

Sigh. Wasted words.

I am a gentleman who does not persist long where he is not wanted. As asked for by the administrative staff member, I will take my leave where there is no mutual respect lost.

This wasn't directed at you, but a general observation of a lot of people on the forums so far deciding to take out their frustration with words against one another and bickering.
 

Daniel Arken

New Member
I don't have time to read through 50 pages of comments, but I've been reading as I have time.

A lot of people seem unfamiliar with how software coding works within a company. FA is a web page, but effectively, it follows the same rules as software in terms of how the code itself is written and how you have to process changes. We get exposed to it where I work, but we see it through a web UI, as users who request bug fixes and additional functionality. It takes a lot of time to make even simple changes, and a lot of work goes into it. FA code is probably needing to be reworked and rewritten in parts due to the audit.

Basically, when we need to make changes to the software, a lot of things have to happen:

1] The changes are proposed to the development team. The team has to understand the scope of the changes and potential ramifications. In this case, this would be done internally, so additional information would be requested and provided by the same people.

2] A plan of action is laid out. How the software will be adjusted and rewritten is laid out to understand how (possibly) several components need to be adjusted simultaneously. This is done on a high level such that everyone is aware of what each other is going to do, and how they will do it.

3] Code is adjusted in a test environment. The immediate results are documented, and code is rewritten over and over again until the immediate results work as expected. This can take weeks, since multiple cogs in the machine usually need to be adjusted independently, even though they affect each other.

4] The entire site/software package requires an audit, usually a set of tests or test cases to ensure functionality has not been lost or altered in any other areas of the software or web page.

5] Steps one through four are repeated to eliminate bugs and errors. This can get done dozens of times, depending on how drastic the initial change was.

6] Once the audits come through clean and the change(s) have been fully validated, the changes are implemented into a live environment. At this point, you hope that the live environment is the same as the test environment. But...usually it is not.

7] When all of this has been completed, repeat steps one through six when the things you could not foresee/could not test for start popping up.

A lot of business situations are bound by the triad model: quality, cost, time. Circle two. That's what you can feasibly accomplish, but you'll sacrifice the third.

Personally, I don't care about the time it takes. I'm all for quality, and I know the FA team is somewhat limited in resources by funding. Sure, you could rewrite the whole site in three days, and have it run flawlessly. Have fun hiring a thousand coders and web development people.

In short...be patient, and don't be quick to judge and lay blame on the development team. Managing a site of this size and functionality is incredibly difficult. Things like this happen to big, high-profile sites. Hindsight is 20/20, and there's always something someone could have done. Stating those things is irrelevant and doesn't help the situation, it only creates anger. If you could make something completely unhackable, the IRS and companies like Anthem BCBS would never get hacked. Companies like Sony would never get hacked. But, you saw all of that happen in the last year.

FA will return.
 

quoting_mungo

Well-Known Member
First of all, thanks for the update! But in all honesty you shouldn't be surprised that people are pissed.
Oh, believe me, I get that people are upset. I'm not berating them for being distressed, at all. But there's been some unnecessarily pointed things said between posters, that I don't want to see in here. Attacking one another won't fix anything, and only serves to make this place unpleasant.
Which happened FIVE DAYS after the patch was released. The whole Internet was talking about ImageTragick, even regular media did talk about it and you somehow still managed to completely miss it for five damn days. I believe you can admit that you are at fault there. But let the past be past, I'm not trying to mock you about anything, just pointing out that people are not pissed without a reason.
I have no idea what path information would have taken. I personally had not heard of the exploit until it was mentioned in staff chat yesterday. I spend 80%+ of my waking time on the Internet. Ideally we'd have known sooner, yes, but to the best of my knowledge, that was when it came to tech's attention and it was promptly patched at that time. I'm mainly clarifying this to make sure everyone is on the same page - there have been people assuming that ImageTragick was being exploited yesterday, or that tech sat on the knowledge of the exploit for days or even weeks, and neither is the case.
And that is the right thing to do! Only that you should've audited your code long before. You knew it's old and messy. You knew that when a code is not kept up to date, let alone being based on ancient code patched around again and again, it is only a matter of time until something like this happens.
Code was being updated - it's not like tech has been sitting on their hands. It's a precarious balance between fixing functionality bugs (may or may not be visible to users), updating ugly or vulnerable code tech is already aware of (not visible to users unless something is seriously wrong, and nothing has been that wrong thank goodness), implementing new functionality (the only updates guaranteed to be visible to users), and auditing the code as a whole to check for vulnerabilities that may or may not be there. In an ideal world, there would be resources, time, and patience to do all of the above starting at the invisible (since the invisible is generally where the stuff that can have HUGE CONSEQUENCES lies), but unfortunately what we're stuck with is a balancing act. And experience tells us when only invisible updates happen, that breeds discontent, because from the outside it looks like nothing is being done at all (and not everyone is willing to believe us if we say "actually backend updates are happening"). So we've tried to do the best we can while keeping everyone as happy as possible.

It sucks that someone decided to take advantage of the old codebase to screw over the entire userbase. No one wishes this had never happened more than we do. And yes, vulnerabilities in our code enabled it to happen. Unfortunately, having funding and having unlimited resources are two very different things, so doing things instantly (or anywhere close) is not an option.

Ultimately though, it all comes down to, as you said, what's happened, happened. We can try to repair it but we can't undo the last 24-36 hours. We can only go from here.

Now I have to scram, because I'm late to an important date, but I'll try to keep you guys updated as best I can.
 

IT-Werewolf

New Member
Well it's only really a slight inconvenience. Nobody will die from lack of FA, although I feel for those that have lost vital commission info.

As for why people do this, I can venture three guesses:
1 Fun
2 Protest
3 Money

Don't discount protest or fun just because these people are part of FA, after all, some sociopaths will always try to cause chaos for fun. And as for protest, well, this is the furry community, enough said...
As for money, who knows? Maybe they were paid, for one reason or another, to bring FA down?

Of course, it's no use shouting at the admins to backup or fix it because there will always be vulnerabilities which can be exploited in any website or its plugins.
 

torchlight

New Member
It's silly enough that people toss out technical advice all over the place, but it's more silly when they just make it up. If you don't know what you're talking about, don't say anything. C'mon now.

That's the problem, most of the time they actually do think they know what they're talking about and believe what they're saying is true.
 

scorcher836

New Member
well in the mean time if anyone wants to chat, both my steam and skype are scorcher836. go ahead and add me if you'd like. i dont mind meeting new furs. :p
 

Tenaki

New Member
Anyone who is interested in a chat group to talk and discuss their feelings or want to meet new friends, add me on skype @ tenaki1995 :3
 

PatrickQuin

New Member
Yes, I'm another one of those who created an account for the first time just to participate in this thread. But I have a particular motive:

To be expected, granted, and I won't deny there is such a thing as being a bunch of fussy babies. I don't think this is one of those cases. This may be the one time that a serious issue with FA is not associated with deep problems within the culture of this community's leaders (oft dismissed as "drama" in addition to "whining"), problems that are easy to look up, are touchy matters (especially to mods, a subset of said leadership), some of which may be categorized (I'd say unfairly) as gossip, so I won't enumerate them here.

Nevertheless, this may be a relevant video:

Edit: I'm not advocating harassment. I'm arguing against dismissing serious complaints over say, the risk of exposure of any of our PII (which IMVU will be legally responsible for), as whining.
 

---Storm---

Artist for hire
Oh, believe me, I get that people are upset. I'm not berating them for being distressed, at all. But there's been some unnecessarily pointed things said between posters, that I don't want to see in here. Attacking one another won't fix anything, and only serves to make this place unpleasant.
Right, I agree with that. And thanks for responding to my criticism in a professional manner!

I have no idea what path information would have taken. I personally had not heard of the exploit until it was mentioned in staff chat yesterday.
OK, I have to correct myself here. I've got the dates wrong. Full public disclosure happened 3rd May. It got widely publicized by articles on 4th May. So you fixed within 1-2 days.

In this light I retract my previous statement. You reacted with 1-2 days, that is reasonable.

I'm mainly clarifying this to make sure everyone is on the same page - there have been people assuming that ImageTragick was being exploited yesterday
I believe that's partly due to unclear communication from Dragoneer. When people asked about how the site was hacked he repeatedly said it was ImageMagick without clarifying he is talking about the theft of the code and that the theft happened weeks ago, and not yesterday's attack.

Code was being updated - it's not like tech has been sitting on their hands.
This is however, where I believe you are taking the incorrect approach. You spend time and energy developing features and changing things in the current Frankenstein style code instead of focusing on a complete rewrite from scratch.

What I believe you should do is feature-freeze FA, and only fix vulnerabilities and critical bugs, while dedicating all the remaining manpower to the rewrite. New skin, gallery features and stuff for a code that needs to be trashed is wasted resources.

And experience tells us when only invisible updates happen, that breeds discontent, because from the outside it looks like nothing is being done at all
That is easy to fix. While doing the rewrite, you can constantly post updates and journals reporting your progress. Let's say, a weekly report so we can see that you've been busy. And as soon as you reach an alpha stage, put up a demo and let people mess with it. Later, you can allow registrations into the demo system, which also gives you valuable live testing data. Let people mess around, let them do stupid things, let them try to break it and so on. You may still add minor features to the old site, that don't take much resources, and have a high impact/resource value.

Of course, there will be negativity and there will be whiners and trolls, but there always are. However, doing constant surgery on the current code simply isn't worth it compared to spending those resources on the rewrite.

Ultimately though, it all comes down to, as you said, what's happened, happened. We can try to repair it but we can't undo the last 24-36 hours. We can only go from here.
And this is the perfect time to explain to everyone that what is happening right now is exactly why you need to feature freeze and do a complete rewrite for the sake of the future of FA.

I would be very happy to hear the team's opinion on my above proposal. Do you agree a rewrite would be better? If no, why not? If yes, what is needed to make it happen?


And thank you again for your professional reply!
 

ZeePower

New Member
As a former IT professional and webmaster, I can sympathize with the FA tech staff. This attack looks like the modern incarnation of industrial espionage. You guys have my sympathy and respect for how you are dealing with it.

Reading some of the criticisms in this thread, I am reminded of an old joke:

"When you're dead, you don't know that you're dead - it only hurts the people around you. It's the same when you're stupid."
 