
[split] Announcement - Security Problem and Admin Resignation


Damaratus

Care to join me in my lab?
RE: Announcement - Security Problem and Admin Resignation

Well I suppose after all of that I will have to put my hand in on this one, since obviously it is turning into something greater than it even needs to. I'd like to thank Yak for at least attempting to give me a small level of privacy in this particular instance, since everything that has happened on this particular thread seems to be quite similar to another administrator who decided to resign and then post lots of private stuff that happened.

Do keep in mind that the notes that passed between me and Calorath were read by Blueroo, and that had he considered any of you commenting on this thread as someone who might pose some kind of threat to him or the site, he would have dug through your conversations just as readily. As far as the administrative rules are concerned, that is a big no-no, because we would like you all to maintain a level of privacy on this site; you all should feel comfortable in passing notes between each other without the worry that someone is reading through your private messages and painting you in a bad light in the process. Obviously my conversation with Calorath did occur; in fact, we talked a couple of times. So here is my reasoning in this process, and perhaps you all will give the benefit of the doubt:

When the first "security issue" popped up, the evidence surrounding it was actually not empirical, but it was a known situation which included the coders (who are the people who could truly fix things if there was really such a problem). There was no way to tell whether there was any particular security breach; rather it looked more like a leak, and the information was not critical. The matter was looked into, and I contacted Calorath, in part because I have been on this site long enough to comprehend motive behind action. We had our conversation over notes, and it became clear to me that this wasn't so much a matter of security, just more of a necessity to move on from this nonsense. He got rid of the picture, and I continued to inquire about security issues with Dragoneer. It's better to quell the surface issue and continue one's investigation unimpeded by the drama.

The second time that things were brought up, it was Blueroo who did so. At this point he had become entirely worried about multiple things, and was not only concerned about Calorath, who once again presented inconclusive evidence of being able to "see something" and in turn spurred Blueroo on to panic, but also about other people. At any point during this, had I seen any form of hard, empirical evidence to suggest that there was a serious and harmful breach in the security of the forums or the main site, I would have taken the measures to make sure that it was taken care of. There was never anything to suggest that, and I was constantly talking to Dragoneer and the other coders about the situation and what was going on.

It was then that I found out that Blueroo had been going through user notes, looking at private conversations, trying to get information. Not only was he looking at the stuff from Calorath, but also at other users who he considered to be troublesome. That's right, without asking, without inquiring with the rest of the staff, he went through private user notes, and came out with more conspiracies. He then pushed an ultimatum on me that he would resign and post this particular thread if I did not post the information myself. I am not the type to be bullied, especially when I have a grasp of the situation.

I once again contacted Calorath and talked with him again. I found out the way that he was doing things, and that's when I informed Blueroo that I was not going to post a forum/journal post telling people to panic because their information is in danger, because it wasn't. If Calorath had accessed sensitive information and had wanted to cause serious harm to the site or its users, he would have done so already. I have not seen evidence that he has done so, nor do I have any evidence that he will. I don't approve of the methods that he was doing things, and he is quite aware of this, but I did not see a reason to incite panic in the thousands of users on this site, for the sake of inconclusive, paranoid conspiracies that were generated from a poor overall concept of the situation.

It is much easier to approach someone about something on common ground, without major accusations, rather than utilizing fear-mongering and painting someone in the darkest light simply because you do not have the full story.

So to you Blueroo, I wish you well enough. For the help that you did give the site, thank you, you had some good ideas about projects for the site, some that may still be incorporated.

For the damage that you caused to members of the site, and the attempt to drag others through the mud in the process of you leaving the administration, that's as unprofessional as the ultimatum you gave me when you resigned. I do not think that what you did was a positive thing for you or your reputation, even if you feel that what you did was right.

Edit: To make it perfectly clear, there is no particular forum security exploit that Calorath was using to get what little information that he decided to mention.

Edit 2: Please do note that the IRC log that Blueroo posted was a mere snippet of the conversation, that it is out of context of the whole of the situation, and that it has been edited in portions to exclude some comments.
 

Shira

Member
RE: Announcement - Security Problem and Admin Resignation

Damaratus said:
I have not seen evidence that he has done so, nor do I have any evidence that he will. I don't approve of the methods that he was doing things, and he is quite aware of this, but I did not see a reason to incite panic in the thousands of users on this site, for the sake of inconclusive, paranoid conspiracies that were generated from a poor overall concept of the situation.

A user that is not an admin of any sort has full access to the site. Even if Calorath had no malicious intent, that's a critical security flaw that needs to be addressed as quickly as possible, because a malicious user could easily exploit the same security hole in the future if it is not fixed. An announcement to the site that such a hole exists and a rough idea of when it will be fixed (if it's possible to provide an estimate) would instill at least a bit more faith in the site as being capable of resolving its problems.
 

STrRedWolf

Lazy-ass Drygerskunk
RE: Announcement - Security Problem and Admin Resignation

It never does, even if it's to a hosting service that's similar to what FurAffinity is (although with very drastic differences -- the basics only being we both serve images).

However, in the posts exposed by Blueroo, I got the express feeling there's a technical hook that can be abused. I don't like that, especially when it makes my artwork at risk to be stolen (and I don't mean through just regular download-to-HD).

I do acknowledge a ton of caveats, including:
  • I do not know if the forums and the art host are on the same server. A DNS check may only go so far with how equipment can be configured in hardware and software (including virtualization).
  • I do not know if the admins are able to SSH into the art server from the forum server -- I've done that before on my setup.
  • I do not know the underlying processes and policies of FurAffinity's admins, and thus they are being treated like any ISP -- very suspiciously.
  • I do know that I'm sounding like a hyper-paranoid, completely idiotic dork. :)

To be clear: I'm for re-securing the servers involved, investigating, and taking action based on the investigation. Blueroo may have some good points, and they'll need to be looked at. But we need to have a safe environment to do so, and given FA's known history of downtime... I'd love to have some reassurance from all FA staff that things are locked down.
 

Damaratus

Care to join me in my lab?
RE: Announcement - Security Problem and Admin Resignation

Shira said:
A user that is not an admin of any sort has full access to the site. Even if Calorath had no malicious intent, that's a critical security flaw that needs to be addressed as quickly as possible, because a malicious user could easily exploit the same security hole in the future if it is not fixed. An announcement to the site that such a hole exists and a rough idea of when it will be fixed (if it's possible to provide an estimate) would instill at least a bit more faith in the site as being capable of resolving its problems.

That's the thing, when I spoke to Calorath it became entirely clear to me that there wasn't such a security hole that gave him full access. The "evidence" that he presented made it quite clear that he did not have administrative access and could not get to the user data on the site, and it was not a security exploit that he was using. So there was no flaw to fix.
 

Janglur

Active Member
RE: Announcement - Security Problem and Admin Resignation

Just for the record, if the Admin chooses to do a coverup, and you can ask Yahoo and AOL to verify this..


FA AND ITS ADMIN BECOME COMPLETELY RESPONSIBLE FOR ANY MONETARY OR CRIMINAL DAMAGE WHICH OCCURS AS A RESULT OF THOSE INFILTRATING THE SYSTEM.
BECAUSE THE ADMIN ARE AWARE OF THE INFILTRATION AND ITS POTENTIAL DAMAGE AND CHOOSE NOT TO TAKE ADEQUATE MEASURES AND WARN THE USERBASE, THEY ARE CONSIDERED ACCOMPLICES IN THE CRIME.

I think that not just civil, but POTENTIAL CRIMINAL IMPLICATIONS would be the best darn reason to ever pop up in this site to take action.
Coverups are NOT good, and do NOT benefit ANYONE.
 

net-cat

Infernal Kitty
RE: Announcement - Security Problem and Admin Resignation

Damaratus said:
That's the thing, when I spoke to Calorath it became entirely clear to me that there wasn't such a security hole that gave him full access. The "evidence" that he presented made it quite clear that he did not have administrative access and could not get to the user data on the site, and it was not a security exploit that he was using. So there was no flaw to fix.

Er. That doesn't make sense. Unless I'm missing something, he had access to stuff he shouldn't have had access to. I mean, whether someone made a mistake in configuration or there's an actual, bona fide exploit involved, it's still a security problem that should be fixed, whether that means tweaking permissions or patching code...
 

Damaratus

Care to join me in my lab?
RE: Announcement - Security Problem and Admin Resignation

Janglur said:
Coverups are NOT good, and do NOT benefit ANYONE.

Once again, there was nothing to cover up here; the users were not in danger, and the issue was not one that needed to cause panic. Unless you like to have someone bring up every possible conspiracy and inconclusive theory that can be come up with.
 

STrRedWolf

Lazy-ass Drygerskunk
RE: Announcement - Security Problem and Admin Resignation

Shira said:
A user that is not an admin of any sort has full access to the site. Even if Calorath had no malicious intent, that's a critical security flaw that needs to be addressed as quickly as possible, because a malicious user could easily exploit the same security hole in the future if it is not fixed. An announcement to the site that such a hole exists and a rough idea of when it will be fixed (if it's possible to provide an estimate) would instill at least a bit more faith in the site as being capable of resolving its problems.

Shira has hit it on the head. When I changed something on CG, but did not say anything about it, I had 10,000+ people crying foul about why they were not informed about things. Doing such never goes well and you will get burned. Keeping the community informed is always a good thing.

It's one of the reasons why the server migration over at CG went so smoothly: I and my co-admin posted notices (and I actually addressed 50 of them in person) that we were getting a new server and were moving whole-hog to it. This was met with much fanfare plus the understanding of a lot of the community that some problems would be related to the (now completed) move.
 

Calorath

Narcissistic Curmudgeon
RE: Announcement - Security Problem and Admin Resignation

No exploits, no security compromises, or any hax0ring.

Guys, some of you gossip, fear-monger and speculate worse than old ladies.

I am quite amused.
 

Damaratus

Care to join me in my lab?
RE: Announcement - Security Problem and Admin Resignation

net-cat said:
Er. That doesn't make sense. Unless I'm missing something, he had access to stuff he shouldn't have had access to. I mean, whether someone made a mistake in configuration or there's an actual, bona fide exploit involved, it's still a security problem that should be fixed, whether that means tweaking permissions or patching code...

It wasn't an exploit; he never had any greater access to things on the forums, and his permissions were the same as every other user's. This was a human element, the one involving people with access talking about things to people without. A leak is quite different from an exploit, and that is something that is being fixed.
 

Arshes Nei

Masticates in Public
RE: Announcement - Security Problem and Admin Resignation

Like I said, I know what essentially happened because of a combination of forum experience as well as Calorath's statement to me. I know he told Damaratus, because, well, he asked nicely what happened. So you can all take your pitchforks and go home now; Calorath is no scapegoat for security. It's not even a real security issue; it's something that can get easily overlooked depending on your knowledge of the capabilities MyBB has to offer.
 

Janglur

Active Member
RE: Announcement - Security Problem and Admin Resignation

Security aside, I'm still extremely upset.

This much drama from staff?

Drama is, inherently, a security flaw. As we've seen today by Calorath and Damaratus' raped privacy.

Hopefully this problem has now resigned. But I'm skeptical, and the recent event-after-event occurrences have degraded my feelings about FA to where I no longer feel safe, or welcome, on FA.
 

net-cat

Infernal Kitty
RE: Announcement - Security Problem and Admin Resignation

Damaratus said:
It wasn't an exploit; he never had any greater access to things on the forums, and his permissions were the same as every other user's. This was a human element, the one involving people with access talking about things to people without. A leak is quite different from an exploit, and that is something that is being fixed.
Well, there you go. I'm satisfied with that explanation. (Technically, that's still a security problem.)

Although the explanation being that mundane raises some very interesting questions.
 

Damaratus

Care to join me in my lab?
RE: Announcement - Security Problem and Admin Resignation

net-cat said:
Although the explanation being that mundane raises some very interesting questions.

Indeed it does, and I have some of the same.
 

Almafeta

Member
RE: Announcement - Security Problem and Admin Resignation

So why hasn't this compromise been announced on the main site?
 

Arshes Nei

Masticates in Public
Announcement - Security Problem and Admin Resignation

Almafeta said:
So why hasn't this compromise been announced on the main site?

1. It's not a real compromise, unless you want to talk about Blueroo going through people's notes - because Calorath didn't do the compromise.

2. It's much ado about nothing quite honestly. It was such a small situation that blew up.

By the way, it's not a security problem; leaks happen, we're all human. FA is not making rocket and nanite tech, they're running a website. It's one thing to leak an entire block of code that can be easily exploitable; it's another for a conversation to get out between members. The latter is just considered unprofessional, not so much a security issue.

However, I'll state again that it would be good to fully understand your software. Apparently people are making assumptions that there aren't other ways to access the information, if an admin doesn't understand all of the ways that can be a security risk. Removing someone from the admin group doesn't always guarantee that a former admin didn't set up permissions to see the forums other ways on another account. I had created invisible admins this way, though I'm not sure if MyBB's newer version sets things up a bit differently. That is the tip end of the ways they can view admin stuff, by the way. Viewing, however, is a bit different than replying and adminning.


I thought people weren't supposed to read other people's private messages btw? Ouch. Not good.
 

uncia

Member
RE: Announcement - Security Problem and Admin Resignation

Arshes Nei said:
I thought people weren't supposed to read other people's private messages btw? Ouch. Not good.

http://www.furaffinity.net/lm/tos/
"Fur Affinity Administration and Staff reserve the rights of the following:
....
To monitor User’s private data, submissions, comments and/or notes to investigate issues which could constitute illegal activity by state, Federal or International Law or to further protect the interests of the site, the Terms of Service, Submission Agreement and Acceptable Upload Policy or to monitor transmissions which could be considered threatening, "spam" or "flaming"."

Of course, it's also easy enough to twist "looking for evidence of a conspiracy against oneself" into "trying to protect the interests of the site" if you wish to justify that in your mind and justify doing so on that basis.

In general, however, any browsing through other community members' private notes/PMs was meant to be done in an open manner (from an admin p.o.v.) relating to a specific issue per that ToS clause above, declared visibly on the admin fora, and not be carried out on a personal vendetta basis. I can't recall if that was formalised into a specific admin rule, but those were the broadbrush guidelines, I believe. (*waves over for clarification, if required*)
 

Arshes Nei

Masticates in Public
RE: Announcement - Security Problem and Admin Resignation

uncia said:
Arshes Nei said:
I thought people weren't supposed to read other people's private messages btw? Ouch. Not good.

http://www.furaffinity.net/lm/tos/
"Fur Affinity Administration and Staff reserve the rights of the following:
....
To monitor User’s private data, submissions, comments and/or notes to investigate issues which could constitute illegal activity by state, Federal or International Law or to further protect the interests of the site, the Terms of Service, Submission Agreement and Acceptable Upload Policy or to monitor transmissions which could be considered threatening, "spam" or "flaming"."

Of course, it's also easy enough to twist "looking for evidence of a conspiracy against oneself" into "trying to protect the interests of the site" if you wish to justify that in your mind and justify doing so on that basis.

In general, however, any browsing through other community members' private notes/PMs was meant to be done in an open manner (from an admin p.o.v.) relating to a specific issue per that ToS clause above, declared visibly on the admin fora, and not be carried out on a personal vendetta basis. I can't recall if that was formalised into a specific admin rule, but those were the broadbrush guidelines, I believe. (*waves over for clarification, if required*)

Oh no, please understand my statement. First off, ANYONE with access to the Database can read user notes. I don't care about any assurances that it won't happen otherwise. I just remember this becoming a big issue because Oz Kangaroo was reading user notes during the last time this ordeal came up and Dragoneer didn't want this happening anymore.

I particularly don't care if the admins can read my notes; as stated, if there is a legitimate case of harassment or something criminal, you do want to access those notes just in case. We're using their website; you have to understand that they can access it, and you can't just assume privacy otherwise. You just have to have faith that the admins aren't abusive or snooping just for shits and giggles.

However, when there wasn't a real cause to read the notes, this became something personal as you said.
 

uncia

Member
RE: Announcement - Security Problem and Admin Resignation

Arshes Nei said:
Oh no, please understand my statement. First off, ANYONE with access to the Database can read user notes. I don't care about any assurances that it won't happen otherwise. I just remember this becoming a big issue because Oz Kangaroo was reading user notes during the last time this ordeal came up and Dragoneer didn't want this happening anymore.
Yep, that's probably when those guidelines (even if not a firm admin rule) came into play. I can't answer that definitively for obvious reasons: no problems being corrected on that, if not. :)

Arshes Nei said:
You just have to have faith that the admins aren't abusive or snooping just for shits and giggles.
*nods*

Arshes Nei said:
However, when there wasn't a real cause to read the notes, this became something personal as you said.
There were at least two concurrent threads here, the second being off the back of Swampwulf's thread (which definitely /was/ being taken as a personal conspiracy matter), and I can see easily how that could have been twisted into the first on the basis of "trying to protect the interests of the site" per the ToS.
Even if that were so, I presume that the scope of any general investigations would have been displayed clearly on the admin fora and at least tacit permission obtained to carry that out in a neutral manner.

JM02c from my understanding, anyhow,
d.
 

yak

Site Developer
Administrator
RE: Announcement - Security Problem and Admin Resignation

Arshes Nei said:
However, when there wasn't a real cause to read the notes, this became something personal as you said.
I have realized my mistake by making the note reading an available admin tool.
As of now I have left this privilege only to myself. All requests for user notes will pass through me or my successor, if and when the time comes.
 

ArrowTibbs

Probably still lives in a giant bucket
RE: Announcement - Security Problem and Admin Resignation

I just find that he was reading notes to be creepy, to be honest. ._. After all his warnings about Calorath reading PMs and warning against people doing business via them...Eesh.
 

Arshes Nei

Masticates in Public
RE: Announcement - Security Problem and Admin Resignation

yak said:
Arshes Nei said:
However, when there wasn't a real cause to read the notes, this became something personal as you said.
I have realized my mistake by making the note reading an available admin tool.
As of now I have left this privilege only to myself. All requests for user notes will pass through me or my successor, if and when the time comes.

Honestly, yak, you really shouldn't even have to do that. You just need to have staff that understand the ethics of doing such things. Like I said, I don't particularly care that admins can read my notes; if they're upset by what I say, that's their problem. I do expect them, however, to realize that there are more important matters than "ZOMG what is so and so saying about me" and taking the time to read them to begin with.

The fact that you guys have to make "a sole successor" is utterly ridiculous. Other sites have this ability; they just have staff that are responsible.

The more you play lockdown because you guys chose horrid staff, the more you hurt yourselves in the long run.
 

Screaming Organism

That Guy Who Banged Demona
RE: Announcement - Security Problem and Admin Resignation

Regardless of what is said here I'd rather be safe than sorry. It's a simple two-minute process that could ensure the integrity of your account.

I don't know who to believe, nor do I care at this moment in time, but I'm not about to find out the hard way just what Cal's intentions are.

I've heard mixed messages about him so far. He might actually be a good individual. But I'm not going to take my chances. Passwords are changed.
 

verix

some dragon
RE: Announcement - Security Problem and Admin Resignation

Yeah, those pesky Reds are everywhere.
 

wut

Member
RE: Announcement - Security Problem and Admin Resignation

Let's judge everything off completely second/third/fourth/etc. hand information.

That worked oh so well in the past.
 