
It's Time for Real Account Security

How do you feel about adding the option to use a hardware security token to log in?

  • It sounds great - do it tomorrow!

  • It seems like a good idea, but I have reservations.

  • I'm not sure if that's such a good idea.

  • I think that's probably a bad idea.

  • This is a terrible idea.

  • I don't want to have to buy hardware for this.


Status
Not open for further replies.

Chrontius

New Member
I'd like to see FA adopt two-factor authentication.

If you're familiar with Battle.Net authenticator tokens, you know what I mean. If you use smartcard-and-PIN to log into computers at work, you do too.

If you don't, I use Yubikeys to secure my accounts elsewhere. Unlike smartcards, Yubikeys work with anything that has a USB port - iOS and Android phones, with an adapter, plus Android devices with NFC. Also, since it only cares about keyboard drivers, you don't need a special client app, and it works with Linux, Chrome OS, Mac, and not just Windows. I've set up a PGP smartcard, and it's not anything I'd wish on anyone who's not a six-figure IT guru. PIV is even worse.

FIDO authentication lets you use far cheaper tokens - some as little as $5 or $6 - but only works with Chrome, at the moment. Still, as an open standard, other browsers are likely to get support for it in the near future.

I'd like to see FA adopt some military-grade account protection so I don't have to worry about this stuff any more.
 

Wither

Is honestly confused by life.
It was time for real account security a loooong time ago, mate. It shouldn't have been put off until shit hit the fan. That said...
I'd like to see FA adopt some military-grade account protection so I don't have to worry about this stuff any more.
You're taking your fur porn a little too seriously, mate.

Just properly encrypt user data.
 

PatrickQuin

New Member
You're taking your fur porn a little too seriously, mate.
There is no way I'm paying for anything on FA unless I'm buying art!
These things tie together. Financial information may not be handled by FA, but arrangements are made often via FA, be it personal contact info or actual accounts.

Finances aside, even as someone who has no porn on his profile (yet) I'm personally rather miffed that the email I registered my FA handle under may be public now. In doing so it ties my personal sensitive matter handle (dealing with the brunt of gender and sex politics, and relating to less privileged people dealing with the brunt of such on a more personal level) with my more publicly facing handle. My mistake for not making a burner email account, possibly, but still.
 

Wither

Is honestly confused by life.
These things tie together. Financial information may not be handled by FA, but arrangements are made often via FA, be it personal contact info or actual accounts. Even as someone who has no porn on his profile (yet) I'm personally rather miffed that the email I registered my FA handle under may be public now. In doing so it ties my personal sensitive matter handle (dealing with the brunt of gender and sex politics, and relating to people dealing with such on a more personal level) with my more publicly facing handle. My mistake for not making a burner email account, possibly, but still.
One would not expect a popular website to be coded as badly as it is.
 

Gem-Wolf

da golden wuff
These things tie together. Financial information may not be handled by FA, but arrangements are made often via FA, be it personal contact info or actual accounts. Even as someone who has no porn on his profile (yet) I'm personally rather miffed that the email I registered my FA handle under may be public now. In doing so it ties my personal sensitive matter handle (dealing with the brunt of gender and sex politics, and relating to people dealing with such on a more personal level) with my more publicly facing handle. My mistake for not making a burner email account, possibly, but still.
Doesn't matter! It's not my responsibility to pay for things that the site can't afford themselves. If they can't afford it then they shouldn't offer such services. I have children to feed so I can't afford to pay to use the site, and I still have a right to use it like anyone else does.
 

Wither

Is honestly confused by life.
Doesn't matter! It's not my responsibility to pay for things that the site can't afford themselves. If they can't afford it then they shouldn't offer such services. I have children to feed so I can't afford to pay to use the site, and I still have a right to use it like anyone else does.
Actually, that's not how luxuries work. If they ask for money you can't give, you don't get it. You're not entitled to anything.

That said, it'd be a bad move on their part as they'd lose a lot of traffic and money.
 

Dragoneer

Site Developer
Site Director
Administrator
I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").
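The login alert Dragoneer describes ("logged into from a Firefox browser with IP ...") as a small detection routine. This is an added example, not Fur Affinity's code: it assumes each login is recorded as a line with the user, source IP and User-Agent product (the log lines here are constructed), keeps a per-account set of (browser, network) pairs, and returns an alert text whenever a login arrives from a pair the account has not used before. Addresses are collapsed to a /24 (IPv4) or /64 (IPv6) so a home connection whose address moves inside its ISP block does not look like a new device.

```python
"""Login-alert detection for new browser/network pairs.

Added example, not Fur Affinity code. LOGIN_LOG is constructed test data.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed login records: timestamp, user, source IP, User-Agent product/version.
LOGIN_LOG = [
    "2016-05-20T10:00:00Z user=alice ip=203.0.113.10 ua=Firefox/46.0",
    "2016-05-20T18:30:00Z user=alice ip=203.0.113.57 ua=Firefox/46.0",
    "2016-05-21T03:12:00Z user=bob ip=203.0.113.10 ua=Chrome/50.0",
    "2016-05-21T03:15:00Z user=alice ip=198.51.100.7 ua=Chrome/50.0",
    "2016-05-21T09:00:00Z user=alice ip=2001:db8:1::42 ua=Firefox/46.0",
]


def parse_login(line: str) -> Dict[str, str]:
    """Turn one 'ts key=value key=value' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def network_of(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) block."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ip_network(f"{ip}/{prefix}", strict=False))


class LoginMonitor:
    """Remembers which (browser, network) pairs each account has logged in from."""

    def __init__(self) -> None:
        self.known: Dict[str, Set[Tuple[str, str]]] = {}

    def observe(self, rec: Dict[str, str]) -> Optional[str]:
        """Return alert text if this pair is new for the user, else None.

        The very first login of an account seeds its profile silently; every
        later login from an unseen pair produces an alert and is then recorded.
        """
        user = rec["user"]
        browser = rec["ua"].split("/", 1)[0]
        fingerprint = (browser, network_of(rec["ip"]))
        seen = self.known.setdefault(user, set())
        if not seen:
            seen.add(fingerprint)
            return None
        if fingerprint in seen:
            return None
        seen.add(fingerprint)
        return (f"{rec['ts']} {user}: your account has been logged into from a "
                f"{browser} browser with IP {rec['ip']} ({fingerprint[1]}), a "
                "browser/network not previously used for this account.")


def run_monitor(lines: List[str]) -> List[str]:
    """Feed log lines through one monitor and collect the alerts it raises."""
    mon = LoginMonitor()
    alerts = []
    for line in lines:
        alert = mon.observe(parse_login(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_monitor(LOGIN_LOG):
        print(a)
```

On the constructed log above the monitor stays quiet for alice's second login from the same /24 and the same browser, and raises two alerts: one for the Chrome login from 198.51.100.7 and one for the IPv6 login. In a real deployment the new pair would be added to the trusted set only after the user confirms the alert rather than immediately, so that an intruder's first login does not become "known".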
 

Gem-Wolf

da golden wuff
I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").
That sounds great, Neer, but if we have to start paying for FA I'll have to leave, and I don't want that.
 

Dragoneer

Site Developer
Site Director
Administrator
This is what I love about you :) for all the shit people spill about you, you still have our best interests at heart!
The situation, frankly, is awful. But we live in a world where attacks like this are commonplace. Sometimes it's large companies like Target and LinkedIn getting hacked, sometimes it's small guys like us. You can do a lot of things to protect your borders and improve code and security, but unfortunately, if a vulnerability comes along and you can't find it before the bad guys do... it can hurt. And badly.

Unfortunately, people chose to be destructive and hurt the community. They hurt the artists, writers, crafters, suiters, fans, posters... and for what? If people don't like me, don't like the site, that's one thing. Go after us. Don't hurt the people trying to make some extra cash to pay rent, buy food or share their creations.
 

Resua

I void warranties and load new firmware.
I think people misunderstand 2FA. Something you are, something you have, something you know. Those are your 3 factors. For FA, 2-factor could be as simple as something you know (password) and something you have (send an email when you login, with a code in it to complete the login). Yes, they COULD use Google Authenticator, they could EVEN use Google or Facebook authentication. There ARE good reasons to do this (for example, not having to keep people's login information, just a token), but in the end, it is a tradeoff between ease of use and security.

@Dragoneer, I much appreciate all the hard work your team puts in. I'm a big fan of FA, and have hundreds of commissions, supporting the community and artists at large when I can. I do have a question (and I know there are many, you're a busy man today and this week, unfortunately). Were the passwords stored as a hash? If so, did they have a seed? (md5, SHA1, SHA256), I suspect it wasn't done with bcrypt. Were they stored using reversible encryption? Like all good security-minded individuals, I used a long, unique password, but I would like to know so we can put an end to the FUD and fearmongering.
 

Dragoneer

Site Developer
Site Director
Administrator
I think people misunderstand 2FA. Something you are, something you have, something you know. Those are your 3 factors. For FA, 2-factor could be as simple as something you know (password) and something you have (send an email when you login, with a code in it to complete the login). Yes, they COULD use Google Authenticator, they could EVEN use Google or Facebook authentication. There ARE good reasons to do this (for example, not having to keep people's login information, just a token), but in the end, it is a tradeoff between ease of use and security.

@Dragoneer, I much appreciate all the hard work your team puts in. I'm a big fan of FA, and have hundreds of commissions, supporting the community and artists at large when I can. I do have a question (and I know there are many, you're a busy man today and this week, unfortunately). Were the passwords stored as a hash? If so, did they have a seed? (md5, SHA1, SHA256), I suspect it wasn't done with bcrypt. Were they stored using reversible encryption? Like all good security-minded individuals, I used a long, unique password, but I would like to know so we can put an end to the FUD and fearmongering.
We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.
 

Wither

Is honestly confused by life.
We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.
I can appreciate this.
I realize that the vulnerability had less to do with FA and more to do with ImageMagick. However, when you own up to the parts the FA team could have done to mitigate the damage (and hopefully learn from the mistakes), I can actually respect you more. As long as you don't stay in your own bubble of praise and can see the problems that you need to fix, you could easily earn my respect back, as well as others.
 

Resua

I void warranties and load new firmware.
We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.

Being hashed and salted is all I was concerned about! (I meant salted, not seed, sorry, ESL.) Thank you for the answer. That should make any rainbow tables or pre-computed attacks impossible. So no cheaters doing hash lookups! Doesn't mean people with wicked cracking rigs (er... hi..) couldn't run oclHashcat if they were bored, but even a psycho rig would need an absurd amount of time to exhaust the keyspace for 9-digit+ passwords with the basic rules of uppercase, lowercase, and punctuation, with good entropy.

As long as people had a sound password, this leak isn't particularly bad. For weak passwords, well... mandatory resets site-wide with a double check to prevent people from reusing bad or weak passwords (force some rules: 8+, upper and lower case with a number or punctuation at least) would be a good idea.

I feel for you @Dragoneer, keep on soldiering on! Been there before, and it's certainly brutal. Good luck to the FA staff!

While ImageMagick/ImageTragick was the source of the leak, there appears to have been a weakness somewhere in the code that was exploited later. While security by obscurity is no good, what happened was basically every last detail of the site was laid bare to people who would abuse it. This is essentially showing everyone EXACTLY how your lock works, every single detail, and your only safety is how well the lock is designed and trusting your key. The site wasn't developed in the open, codebase widely deployed, and regularly audited by the community from start to finish, so that's a hell of a battle to fight. I do not envy FA's or the Team's position. Having been there, I REALLY feel for 'em! Good luck guys. (and gals.)
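The two points Resua makes above, that a per-user salt defeats precomputed lookups and that a minimum password rule should be enforced on reset, as one worked example. This is added code, not Fur Affinity's; since bcrypt is not in the Python standard library it uses PBKDF2-HMAC-SHA256 with a high iteration count as the slow, salted hash, and the `COMMON_PASSWORDS` list with its unsalted md5 table is constructed here to stand in for an attacker's precomputed dictionary. `check_login` ties the two together: a correct password that fails the policy is accepted once and flagged for a forced reset.

```python
"""Salted, iterated password hashing vs. precomputed lookup, plus a password policy.

Added example, not Fur Affinity code. PBKDF2-HMAC-SHA256 is used in place
of bcrypt; COMMON_PASSWORDS and the md5 table are constructed test data.
"""
import hashlib
import hmac
import os
import string
from typing import Optional

# Constructed stand-in for a precomputed table: unsalted md5 -> password.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
UNSALTED_MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Work factor; raise it as hardware gets faster. Per-guess cost is what makes
# an offline brute force slow even against weak passwords.
PBKDF2_ITERATIONS = 600_000


def lookup_unsalted(md5_hex: str) -> Optional[str]:
    """What a leaked unsalted md5 hash gives an attacker: an instant lookup."""
    return UNSALTED_MD5_TABLE.get(md5_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'algo$iterations$salt$digest'.

    A fresh 16-byte random salt per user means identical passwords hash
    differently, so one precomputed table cannot be reused across users.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_meets_policy(password: str) -> bool:
    """Resua's minimum: 8+ chars, upper and lower case, and a digit or punctuation."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() or c in string.punctuation for c in password)
    )


def check_login(password: str, stored: str) -> str:
    """'denied', 'ok', or 'reset-required' for a correct but policy-failing password."""
    if not verify_password(password, stored):
        return "denied"
    return "ok" if password_meets_policy(password) else "reset-required"


if __name__ == "__main__":
    leaked_unsalted = hashlib.md5(b"letmein").hexdigest()
    print("unsalted md5 lookup:", lookup_unsalted(leaked_unsalted))
    a, b = hash_password("letmein"), hash_password("letmein")
    print("same password, different stored hashes:", a != b)
    print("login with weak-but-correct password:", check_login("letmein", a))
```

Two users with the same weak password get different stored strings, so the leaked table is useless without redoing the full iterated computation for each salt; that per-user cost is the point of a slow hash. The policy check is deliberately the literal rule from the post; in practice a length-first rule with a block list of breached passwords does more than character-class requirements.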
 

Gem-Wolf

da golden wuff
The situation, frankly, is awful. But we live in a world where attacks like this are commonplace. Sometimes it's large companies like Target and LinkedIn getting hacked, sometimes it's small guys like us. You can do a lot of things to protect your borders and improve code and security, but unfortunately, if a vulnerability comes along and you can't find it before the bad guys do... it can hurt. And badly.

Unfortunately, people chose to be destructive and hurt the community. They hurt the artists, writers, crafters, suiters, fans, posters... and for what? If people don't like me, don't like the site, that's one thing. Go after us. Don't hurt the people trying to make some extra cash to pay rent, buy food or share their creations.
Amen to that.
 

LyrrenClock

Blarg~
I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").
Actually, I'm all for this. I would love to see FA have the same notification system you can find on SoFurry; it makes keeping track of comments and bids so much easier, and safer too! As for buying hardware, I would not want that, but will if I must, because it's where I get most of my business. However, why not adopt the idea Battle.net has and make a phone app for the authentication? You don't have to have a physical token for this method to work properly!
 

Resua

I void warranties and load new firmware.
Honestly, being in IT, and with FA now owned by IMVU, the police and FBI should have been notified. If this site keeps getting hacked it's just a matter of time until a user files a lawsuit against FA and IMVU.

That's not how the internet and the laws around it work.

We can set those aside, and let's take a look at the FBI. I have worked with the FBI many times, and they have what's called the 'investigation loss amount threshold.' Basically, a certain amount of money, value, or assets must be lost. While you can say 'My data is worth X' the FBI has its own standards. The threshold at many field offices is 100,000 dollars in REALIZED losses. Some offices are set at 500,000. I doubt you can prove, to the FBI's standards, that 100k in damage has occurred, let alone 500k.

As for the police, which department do you notify? If you have literally 0 leads to offer the police, then there isn't much you or they can do. If there ARE leads, then we, the public at large, should NOT be made privy to them. Not even their very existence, as that would compromise any investigation. There may already be law enforcement involved, and if done correctly, we would not be permitted to know.

The basic requirement of a lawsuit is having a 'standing' with which to file. Unless you are specifically harmed, for an actual amount or other verifiable damage, you could not even articulate a lawsuit, let alone file it. You have to ACTUALLY be harmed.

Now, stop stirring stuff up and scaremongering for attention.
 

Gem-Wolf

da golden wuff
That's not how the internet and the laws around it work.

We can set those aside, and let's take a look at the FBI. I have worked with the FBI many times, and they have what's called the 'investigation loss amount threshold.' Basically, a certain amount of money, value, or assets must be lost. While you can say 'My data is worth X' the FBI has its own standards. The threshold at many field offices is 100,000 dollars in REALIZED losses. Some offices are set at 500,000. I doubt you can prove, to the FBI's standards, that 100k in damage has occurred, let alone 500k.

As for the police, which department do you notify? If you have literally 0 leads to offer the police, then there isn't much you or they can do. If there ARE leads, then we, the public at large, should NOT be made privy to them. Not even their very existence, as that would compromise any investigation. There may already be law enforcement involved, and if done correctly, we would not be permitted to know.

The basic requirement of a lawsuit is having a 'standing' with which to file. Unless you are specifically harmed, for an actual amount or other verifiable damage, you could not even articulate a lawsuit, let alone file it. You have to ACTUALLY be harmed.

Now, stop stirring stuff up and scaremongering for attention.
 