
5/17 Site Attack

Status
Not open for further replies.

noveltybest

Member
well, YEAH! the whole website fell down and that means nobody, NOBODY can see their favorite furry artist's work, so they come here to voice their feelings.
that is if there's any big or favorite artist on this board looking at us now complain about it. (I'm looking at you big artist I might have watched)
 

supersonicbros23

Appearance: unoriginal; Personality: out to lunch
I honestly hope whatever code fixing they do doesn't drastically alter the site's appearance once it does go back up. I loved the layout, nothing too fancy yet everything looked good and organized.
 

Redfurryfire

New Member
Unfortunately we don't know how much longer it'll take, but I can give you a comparison graph on how fast we're going compared to land mammals top speeds, if that helps.

[Image: 62922c5493.png]


tl;dr guys i love you so much thank you for continuing to be patient, we will tell you literally the moment we know thank you so much for waiting for us

You guys just had to make it 9001, didn't you?
 

Blackraven2

New Member
If you have a large but well maintained code base, the average to be expected rate of security flaws is one flaw every one thousand code lines.
If you put extraordinary effort into securing the code and make regular code audits, that goes down to one in ten thousand lines.

But there's always a few more. Security flaws have even been found in unix library code that had been 20 years old, open source and looked at by the community for the whole time.

With FA's code out in the hands of malicious attackers, the site cannot go on-line without getting rid of any flaws the attackers might easily find.
If a flaw allows an attacker sufficient privilege escalation, not even read-only-mode would stop him. They could burrow their way all the way to the database, or even its online backup regardless.

It's also not enough to close the holes they already found and used. It's not enough to close even all holes of the same type. You'd need a thorough code audit, by experienced people - and also fix everything they might find - before you could risk bringing the site up in any form at all.

If FA staff brought the site back up too soon, it would likely just get hacked again. Except, the next attacker might not be after the database, he might be after the users and identity theft or similar and go unnoticed for much longer.


However, a thorough code audit by professionals would take weeks on even medium sized code bases. And you'd still have no guarantee that it'd have found everything.

The only way to make sure none of the potentially found flaws in the leaked code are exploitable is to throw it away and rewrite it from scratch. But that, too, might take too long. Maybe less, maybe more. The older a code base is, the more sense a rewrite makes in cases like this.


But, all of that in mind, I don't expect FA to come back in the next few days. And if it does, it wouldn't stay up for long.


What could possibly be done, considering the code is already in the hands of attackers, if rewriting the codebase is not an option, one could crowdsource the audit.
Make your liability (leaked code) into an asset. Call to any experienced developers in the user base for help, put the code open source for everyone to see, and ask for as much help to find and close the holes as one can get.
 

skyliner_369

New Member
If you have a large but well maintained code base, the average to be expected rate of security flaws is one flaw every one thousand code lines.
If you put extraordinary effort into securing the code and make regular code audits, that goes down to one in ten thousand lines.

But there's always a few more. Security flaws have even been found in unix library code that had been 20 years old, open source and looked at by the community for the whole time.

With FA's code out in the hands of malicious attackers, the site cannot go on-line without getting rid of any flaws the attackers might easily find.
If a flaw allows an attacker sufficient privilege escalation, not even read-only-mode would stop him. They could burrow their way all the way to the database, or even its online backup regardless.

It's also not enough to close the holes they already found and used. It's not enough to close even all holes of the same type. You'd need a thorough code audit, by experienced people - and also fix everything they might find - before you could risk bringing the site up in any form at all.

If FA staff brought the site back up too soon, it would likely just get hacked again. Except, the next attacker might not be after the database, he might be after the users and identity theft or similar and go unnoticed for much longer.


However, a thorough code audit by professionals would take weeks on even medium sized code bases. And you'd still have no guarantee that it'd have found everything.

The only way to make sure none of the potentially found flaws in the leaked code are exploitable is to throw it away and rewrite it from scratch. But that, too, might take too long. Maybe less, maybe more. The older a code base is, the more sense a rewrite makes in cases like this.


But, all of that in mind, I don't expect FA to come back in the next few days. And if it does, it wouldn't stay up for long.


What could possibly be done, considering the code is already in the hands of attackers, if rewriting the codebase is not an option, one could crowdsource the audit.
Make your liability (leaked code) into an asset. Call to any experienced developers in the user base for help, put the code open source for everyone to see, and ask for as much help to find and close the holes as one can get.
This, I agree with completely. Perfection is impossible, and thus, all one can do is get as many hands working to get it as close to perfect as possible.
 

SGRedAlert

Member
No one is truly sane. We're all just varying levels of insane. It's like the thought of "normal" is a fallacy, if that makes sense.
"What is normal for the spider is chaos for the fly." I forgot who wrote that, but it's something that's stuck with me whenever someone's like "Ugh, you're not normal!" Well, neither are you. Everyone defines 'normal' differently, therefore 'normal' is an arbitrary concept, unless you're talking about irrefutable facts - like, I dunno, humans have two eyes. That's generally the norm, and a one-eyed individual is not normal.
 

DreadnoughtDT

The Storage Dragon
"What is normal for the spider is chaos for the fly." I forgot who wrote that, but it's something that's stuck with me whenever someone's like "Ugh, you're not normal!" Well, neither are you. Everyone defines 'normal' differently, therefore 'normal' is an arbitrary concept, unless you're talking about irrefutable facts - like, I dunno, humans have two eyes. That's generally the norm, and a one-eyed individual is not normal.

Yeah, that's essentially what I mean. That's an awesome saying BTW, I think I'll use that from now on.
 

skyliner_369

New Member
"What is normal for the spider is chaos for the fly." I forgot who wrote that, but it's something that's stuck with me whenever someone's like "Ugh, you're not normal!" Well, neither are you. Everyone defines 'normal' differently, therefore 'normal' is an arbitrary concept, unless you're talking about irrefutable facts - like, I dunno, humans have two eyes. That's generally the norm, and a one-eyed individual is not normal.
Truth!
 

noveltybest

Member
if the site gets fixed we are gonna go insane either way so I guess we are all crazy for stuff when disasters happen not saying this is a big tragedy just saying when something bad happens all the time and when it's fixed it's a relief for a short time.

(maybe it's in most of our bodily functions the scientists might say.....)
 

skyliner_369

New Member
if the site gets fixed we are gonna go insane either way so I guess we are all crazy for stuff when disasters happen not saying this is a big tragedy just saying when something bad happens all the time and when it's fixed it's a relief for a short time.

(maybe it's in most of our bodily functions the scientists might say.....)
Yeah, there's a good chance of that.
 

ArielMT

'Net Help Desk
Still, ImageMagick could be warned. Right?
The ImageMagick team released patches as soon as the ImageTragick vulnerability was announced. There was some miscommunication with the disclosure, but they knew from the start and worked with the hackers who discovered it to get the word out and encourage patching.
 

nyannom1

Member
"What is normal for the spider is chaos for the fly." I forgot who wrote that, but it's something that's stuck with me whenever someone's like "Ugh, you're not normal!" Well, neither are you. Everyone defines 'normal' differently, therefore 'normal' is an arbitrary concept, unless you're talking about irrefutable facts - like, I dunno, humans have two eyes. That's generally the norm, and a one-eyed individual is not normal.
I don't really believe in the concept of normal, and I can't put a direct example for normal, because it will vary so much.
 

SGRedAlert

Member
Yeah, that's essentially what I mean. That's an awesome saying BTW, I think I'll use that from now on.
Oh. Apparently it was spoken by Charles Addams, the writer of the Addams Family. Huh. The more you know!
It really is a wonderful saying, and people shut up the second they hear it, because you can't argue that!
 

supersonicbros23

Appearance: unoriginal; Personality: out to lunch
So I did some peeping around and found 1 or 2 recent threads on the attack elsewhere, but so far I can't find anything about someone "spilling the beans" so to speak, pretty much just "Hey guys did you hear about...?" stuff.
Anyone else do some snooping around?
(Honestly FA was the only thing that kept me busy really, without it I have much free time.)
 