Site Outage Information & Updates
8 years ago
We would like to thank the users of the site for being understanding and patient with us. We’ve been reading your posts on Facebook, Twitter, Reddit, and the FA forums. We appreciate your words while we worked to fix the issues. We understand your frustration, and will be continuing to work to improve the site.
As many of you know, Fur Affinity has recently been subjected to an attack. We have managed to recover from the attack and restore the deleted submissions, user profiles, and watches from our most recent backup. Unfortunately the backup was from May 11th. This means the users that have registered, submissions that have been uploaded, and new watches that have been made on user accounts since then are now lost. Other information, such as journals and notes, remains untouched.
We would like to stress that while we have no hard evidence to believe that user account data has been compromised, the nature of the attack made it technically possible. We encourage users of the site to change their passwords as a precautionary measure.
The attack stemmed from an exploit in ImageMagick, one of the most widely used image processing libraries available. The exploit was used to initially download our source code and plant the means by which the second attack (the one that forced us to take the site offline) was carried out. This occurred before we discovered and patched the exploit earlier this month.
Timeline of Events
May 4th: The first incident took place when attackers used a recent vulnerability in the ImageMagick library to gain access to the Fur Affinity application server and download the site’s source code. We were not aware of the breach at this time.
May 5th: We were made aware of the existence of the exploit and immediately applied the recommended patch to ImageMagick to fix the issue.
May 17th: At 0100 EST (1AM) we were notified that individuals were passing out USB drives containing copies of the Fur Affinity source code at a convention. Shortly thereafter we secured a zip file containing a copy of the USB drive’s contents and began to analyze them. We had to determine whether or not the code was real or a hoax, and whether it was code from the live servers, old code, or code which had existed from other projects.
At roughly 11:44AM the site was attacked a second time which caused the complete deletion of the submissions, watch, and user data. The moment we realized what had occurred we took the site offline and began to perform steps to mitigate further damage.
It took some time, but we found out how the attackers had been accessing our server and shut them down. Since then we have been performing security audits of the code and server environment to track down potential further issues. We have also been making backups.
In the process we have identified and closed several holes in the code. Server contents have been scanned to identify and remove any leftovers of the original attack. IMVU lent a hand in providing technical assistance with the process.
May 18th: The site has been brought back online. We’re continuing to monitor and look for issues and will be working to continue securing the site.
At this time we do not know who executed the attacks on this site. An analysis of the attack vector used suggests these individual(s) were experienced attackers and not casual bystanders.
Where Do We Go From Here?
We have been working on a complete re-code of the site for some time. At this point the project is roughly 80% complete. We are working to bring in additional help to complete the project and get FA upgraded to a new code base.
In the meantime we will be continuing to analyze site security and take proactive steps to track down any existing issues which could pose a threat.
If anyone has information as to who perpetrated the attack or distributed the USB flash drives please contact Dragoneer privately at dragoneer[at]furaffinity.net or via Trouble Ticket.
Known Issues
* Users’ message centers may not show the correct number of notifications. This will re-calculate once you remove any new or existing notifications of that type (note: remove them manually instead of using the nuke option).
* Multiple counters such as the number of comments made and received, number of favorites, and so on may have gone out of sync for many users. A script at a later date will be written to re-sync these counters globally.
* Comments left by users that no longer exist have been hidden as opposed to having been removed. This was done to prevent comment trees from breaking. These comments will be shown as having been “Hidden by the Administration” to avoid confusion.
* Message center notifications for content uploaded by the no longer existing users will be shown as if that content has been removed by the users in question.
* Any changes you have made to your account since May 11th (changing your email address, updating your password, new watches, blocking users, faved content, etc) have been reverted as part of the restoration.
Special Thanks
We would like to thank the staff of BLFC. Their security team was essential in helping us get copies of the flash drive and alerting us to the existence of the problem.
FAQ
Q: What info was affected?
A: In addition to the site’s code being leaked, all user accounts, submissions, and watches were deleted from the database. We have restored this information from our most recent backup (as of May 11th).
Q: Exactly when did we patch the exploit?
A: The exploit which led to the initial attack was patched on May 5th. At the time we were not aware there had been an intrusion.
Q: What sort of changes will we be making to decrease the chances of this happening again?
A: As previously stated, the new code is roughly 80% complete. We’ve added additional staff to the coding project. In addition we are working on bringing the site up to modern standards with an emphasis on security and ease of use.
Q: How does FA encrypt passwords?
A: All passwords are hashed and salted. We are still encouraging users to change their passwords as a precautionary measure.
Q: Why doesn’t FA have daily or incremental backups?
A: Our current backup and storage solution is nearing capacity. We have been working to procure a new server with ample storage as well as look into long term storage solutions. We aim to have the server implemented within the next few weeks.
thank u for being rad
i like this website despite everyone shitting all over it :3
excellent work recovering it~
Guess it's not haha
CHANGE YOUR PASSWORDS, PEOPLE
There is word that passwords have been seen and used. (source) FA should have assumed that all data was compromised since it was theoretically possible. This is a huge assumption to make and is a complete mistake.
LOOK AT THE UPDATED, READ ONLY JOURNAL
GOOD LORD IT KEEPS GETTING WORSE
JK
Listen here..
Your only cool if you make the memes Dank. B3
oh hai Hatch, almost didn't recognize you. still running LU?
It is just that when I saw your icon and name, I'm reminded of the first time I submitted anything to the internet at Liger's Union.
Just a bit of nostalgia I guess.
kill me pls
backups should happen more often so that people aren't losing things :/
but i lost watchers that i dont know the names of
But I'm glad the site was fixed quickly and that it was taken down before worse damage could be done.
It does kind annoy me too, but I know what is lost can usually be regained, so don't worry, you'll get them back and reach your target soon ^-^
Only thing that is frustrating for me is, now I have to upload this week's batch of 9 images with the 8-10 I already posted since they got deleted...
i always say "Computers work for who understands them best." and if a hacker has better skills than you, well then you are screwed.
Computers don't really make errors, it's the people that program the computers that make errors.
To be fair, it was only a matter of time before something like this happened, not in a negative-way drama hype like due to poor code or whatever they say, but in terms of availability and popularity, it's a big site for furries. You hear about other major sites, blogs and stuff getting hacked into or taken down by someone. I am actually surprised it took someone this long to screw up FA.
Seems most logical. :3
Buuuut I really keep hearing from people most of the times, that they find new people to watch through other users' favourites actually and maybe on other sites like FB. Myself I never browse any other person's favourites, so I can't relate much. But like I said, I heard it suuuuper often of people, even a lot of those who watch me seem to have found me like that, lol. xD So I can imagine, if someone gets 500 favs on a picture, that can mean 500 chances of someone randomly stumbling upon it and taking a closer look.
So I guess someone already having a huge followerbase can have it easier to be found through new people, than someone barely known. After all, stuff is on the frontpage only for as long as it is, a matter of fact no matter to what time you post it. :3 In fact, myself I remember getting 20 new watchers out of the blue, and later I figured out that some of my stuff got shared at e621 by someone who's a watcher of mine. So the support of followers really should not get underrated.
And hey, 1300 watchers = 1300 comments a piece? That would be so damn awesome, a dream for every artist I guess. xD Haha, but sure, 'watchers' are often rather pretty looking numbers, doesn't mean much in the end, other than 'chances' for support of any kind. So people never should fret over numbers. Anyone who really liked what an artist does and takes notice of the 'erased' watches, will go back and re-watch the people they truly want to follow. :3
And sorry if I am writing too much, I feel kind of communicative right now, lol. xD
Since I'm watching lots of artists I also won't watch people who mostly upload content I don't like or not interested in because it already takes ungodly amount of time to go through my submission feed, so I want as little noise in it as possible. And I'm sure I'm not the only one.
Then also, the more exposure, the more people checking your gallery the more will eventually watch.
But it in my opinion that is also called artistic journey and variety. Watchers and fanbase will get important when I'm done exploring. And I don't want to be inactive for months or years until I have found a consistent style. Of course I can't be surprised about less watchers then and when the time comes to earn money with art I'll probably have to keep my gallery clean of anything experimental or small.
And just one thing. I don't get your second paragraph. Isn't it normal to not watch people whose stuff I don't like? So of course people who don't like what I do won't watch me. It is not like I'm expecting the opposite xD
But anyway, experimenting is cool nothing wrong with it! Just it was my 2 cents on why you don't get more watchers. When you feel like you mostly found the style you want, you can start getting more consistent and then a follower base starts to build up from people who like that style.
A friend of mine who lost 30 watchers now (but sometimes gets 10-20 or more a day after uploading something big) experienced a significant decrease in watches and favs when he changed his style to something he liked more, even though it wasn't a big change, and it took a while until the numbers went up again but now he gets even more than before and his new style is getting more love, just his existing watchers watched him from his old style and not all of them liked the new.
Anyway, thanks for the critique!
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
Was even thinking of doing some kind of kiriban thing.
Oh well, just have to get them back lol.
- I think the community would love to know more about this. Much more. We would like to know details, and we would like to see regular updates on this so we can see you are working on it actively.
Involve us!
What I was saying was that there is no reason to rush into making statements about the rewrite. That project is not urgent in the same sense as dealing with the results of these attacks.
All administrative action, whether it's done by anonymous moderator accounts or Administrator accounts, is logged, and the exact same IP/activity logging takes place for privileged accounts as for any other accounts. If you think a message from an account with staff privileges is hinky, you can always file a dispute ticket and have the action reviewed, regardless of which account it is. The anonymity is only anonymity towards users - we still know who is/should be associated with any given account. The accounts being anonymous makes them no more or less safe than any other account with privileges.
Because regardless of whether your ticket is replied to by Moderator-Species or quoting_mungo, you do not, realistically, have any way of knowing that it's the individual that should be behind the account, that is responding to you.
What I'm trying to say is that if administrative action doesn't seem right, there's always the option to appeal the action, and if an appeal is filed, realistically the account would be found to be compromised and stripped of privileges quite promptly.
The point is, that FA was a live landmine waiting for someone to step on it, and it still is. But shit is out of the closet now. Without naming anyone specifically, we know that the code has issues, and management has issues too, and the general approach of staff so far was diplomatic silence and avoidance of certain questions. But with recent events this won't work anymore. The cat is out of the box and you can't hide it anymore.
Right now if you want to make sure FA has a brighter future, staff and management has to come out of the closet and start talking to us about the issues and about what can we, the whole community together do about it.
Though I'm afraid that as long as certain people are in power based on friendships and or one-man decisions rather than having a management entirely composed of capable and well suited people FA remains a card castle.
What you seem to be getting at is more a false sense of security than anything - the feeling that "because I know who this is, I can trust that they will always be that person". There's only one moderator behind each moderator account. If you get a ticket response from Moderator-Jabberwock (not a real mod at this time!) today, it will be written by the same individual who responded with the Moderator-Jabberwock account yesterday, or last week, or last month. If a ticket response (since that's the only contact moderator accounts have with individual users) sounds suspect, it can easily be appealed, investigated, and the possibility of the account being compromised either confirmed or dismissed.
I get that you're among the people who don't like the anonymous accounts. I can even agree that there are very valid arguments against them. There are, however, also excellent arguments in favor of them, not least protecting our staff members from being targeted for unpopular decisions or from potential pressure from friends and acquaintances (whose cases policy prohibits them from handling, but I have seen examples on other services of people expecting friends with administrative privileges to side with them). I do not agree that they pose any significant security risk that any privileged account doesn't, however.
There is currently a nebulous public understanding of what code FA is exactly comprised of (mostly custom, no?) which was fine when it was in the dark but now if even pieces of its backend are out there, regardless of what the breach resulted from, it's dangerous to stay the usual course. The wrong things for users to focus on right now are "FA going down again and therefore sucks" and whatever upload/fav data was lost over the past days. The right thing to focus on is everyone informing each other that this source code exposure has standing consequences beyond drama that will not be resolved without a core site shift. The main choices FA has right now are: try to stay afloat with in-house staff as usual in hopes the current team and current code can contend with an army of cerebral exploiters currently picking apart your exposed code (in my opinion this puts users at the most risk,) seeking IMVU funding for a professional site re-code, or embracing an open source platform with a real developer community that can help you plug the various holes that hackers will certainly find and exploit. Attackers find exploits with far less information than what appears to have been exposed here so this should in no way stand as a simple "whew, FA's back up" thing in anyone's mind. It should be a perpetual "ohhh SHIIII" thing until that core new avenue is taken up and explained to the public. I'm glad a recode is at 80%, but everyone needs to know when it's 100% because we're on thin ice. Anything else operates on this site's old backbone which has now been crippled by this leak. This isn't about your coders lacking skill or being at fault anything of the sort. [Users before you crucify the FA staff, this exploit was via ImageMagick, a 3rd party system FA employed. But this problem has gone beyond that.] A core shift (reworking the site) is what professionals have to do when an exposure on this scale happens. 
Private code of this kind gone unintentionally public in simple terms cannot have undergone the proper scrutiny to deal with the malicious world prying at its naked form. Attacks happen to sites everywhere of course but with this one... if FA attempts the "it's back up and we got this" solution and not following through with a recode we'll be suffering worse attacks than ever (and far too late patches for those attacks.) It may also not be long after that begins that IMVU decides this place is a giant security liability and shut it down completely. If they are smart they are currently trying to find the path that leads to stable revenue with the fewest legal and security troubles and that is NOT the usual "it's back up, we got this" conclusion. It might have worked in the past but security through obscurity is no longer valid. Users here need to know that without either a rewrite of this site, open source platform, or other security paradigm shifts, the security of their sensitive data is at greater risk than any time since FA's inception. They need to know where you stand on addressing that issue long term. The FA administration has an opportunity to relate their trajectory from this event right now and users need that information to decide if their data remains safe here.
Please respond to this event wisely, yo. And thanks!
Seriously, though, I didn't know FA was that big, or at this much risk. >.<
People are giving whoever did this waaaay more credit to the skills of the people responsible for this than what should be credited. When it comes to exploits as widely known as the imagemagic one, someone with just really basic knowledge can pull something like this off.
I'd be more comfortable with a month or two downtime than I am with the site being back up as quickly as it has, especially if it comes with the risk that personal info may be compromised.
Furryleaks was bad enough; I'd rather wait for my porn on a more secure platform, than see it happen again.
In all honesty, I agree with Yawg.
I will say that it was 2010. But you might have to dig up the info on your own >_>
- User database
- User database control (they deleted some accounts according to first post)
- Registration and personal information (email, passwords...)
- Site operation, execution codes, javascript...
- Ad banners information (Users that bought one, or many, data, emails...)
- Location for databases, plugins and external tracking and style/javascript/enhancements
- IP addresses that access this website, which means, country, state, city...
- Full administrative privileges, due to having the source code, thus exploiting possible undiscovered security holes that could grant full control over the site, and all its features.
- Not to mention that, Furaffinity is the only Furry website all over the net that still relies on a non secure connection, instead of forcing https:// (DeviantArt, Weasyl, FurryNetwork, Blogger, Tumblr and even Hentai Foundry already implemented this). In this point, it doesn't matter if you have Cloudflare, you change all the code 100% and pray to a lizard, if you still use non secure connections to sustain this site, MORE and more attacks will be at sight, and they will succeed, because NOTHING except (probably, not guaranteed due to outdated non-SSL technology) passwords are encrypted... And even in this regard I would be worried, because traffic is not encrypted over a non-secure network connection, so it doesn't matter if you encrypt the password in a SQL database, if I intercept traffic while sending a password during a login request, I can steal thousands of users' accounts. Scary? Yes it is.
So... if dragoneer is reading this, or the rest of the staff -or everyone altogether-, I agree on a total site shutdown... but, this will take more than a month (BE warned) to get fixed and running properly, just because this needs a total code overhaul, secure connection sockets (https), resetting everyone's passwords, and setting up Cloudflare to work along with https.
You have no time guys... start working over these security holes, fix everything you need and then, GET the site back online. Doing this is just patching shit, without removing the real problem from its roots...
No excuses... DO IT
Seriously, if they don't fix all the issues listed above, we all are at great danger, and that means, if you care about your sensitive data, you will close your account and leave FA for the good.
Sad panorama if you ask me... it's better if they move their asses, shut the site down for a few months, fix all the crap and then, they get back online for business.
#Makefuraffinitygreatagain!
- Has a larger community and support, you get help faster and with more information.
- Security patches come out almost instantly (see linux distros, open office software...)
- Usually, they use less resources
I agree also that, it doesn't matter how much time it takes, as long as it ensures FurAffinity is back, more secure, less bloated and less prone to hacker attacks. Just playing the band-aid game just raises the risk and solves nothing, and this will end in people mass-leaving FA because their sensitive information is not safe anymore.
So, dragoneer, please take action NOW! This is a serious issue that can wait no more...
#Makefuraffinitygreatagain!
(Actually, I like this hashtag, If I were Canadian and American, I would vote you and Trump for presidents XD)
I would definitely vote you :3
You explained the problem just perfectly. I have quite my doubts the recode is at anywhere near 80%, but even then it shouldn't be up at the risk of people's info being leaked or the site having a way bigger damage done to it.
Not that I'm surprised really, because the points you make are very valid and very strong. I was shocked that FA went online again as quickly as it did in the light of basically everything you've said.
But oh well, at best, artists will use this opportunity to import their stuff to somewhere else.
Second, they say it was an advanced attack. Yet all they did was delete this or that. Does not sound advanced. I am concerned about the users being exploited to compromise their computers, phones, and tablets. If the attacker really had a plan they likely deleted what they did to force a restore for some other purpose. Like cause a user flood to open more exploits and start injecting their own code. I agree this is likely the beginning.
I am honestly trying to avoid becoming too active on FA again until we know more about what their plans are. Imo a site recode is absolutely essential at this point. I'm shocked it was up after two days.
And security through obscurity never was a good approach in my opinion, and what happened is a perfect example of why. It can add extra layers of obstacles for attackers, but if your code is not secure enough that you could make it open source without a worry, then your code is not secure at all.
I have ghost comments and notes now though.. >m>
FA didn't hack itself. ^^;
if you uploaded something AFTER the 11th, it's gone
"This attack targeted the site’s database by deleting user information, submissions, and watches. It was stopped before any further damage could be done. Other information such as journals, notes, passwords, and personal information was not affected."
It tells you that journals, notes, passwords and personal information were not affected by the mass deletion. Not that they couldn't have been accessed. As for notifying the users, I agree an email should go out and a forced password reset should take place.
FA doesn't collect, let alone keep, data of that sort.
The California statutes also only apply to unencrypted data, and only to data pertaining to residents of California, so FA would only legally need to inform Californian users, but since the information that was compromised or potentially compromised isn't considered personal information under the definitions used in California's data breach notification laws, that issue is moot anyway.
It's still wise to change your password, but legally, none of the information that could have been taken from this site applies to those laws.
Either way, in a breach like this it's simply good practice to go above and beyond the reporting requirements even if they don't apply. Other services that have been compromised do similar things. Take Patreon for example, no sensitive personal information was compromised when their services were attacked, but they still required a password reset, sent out a data breach notification, and were very proactive in dealing with it. Why? Because after something like this you need to take active steps to regain and reassure the trust of your users.
There is a major difference between FA having a legal requirement to take the steps you mentioned and you assuming that FA might be using an algorithm that might make it a requirement to inform a tiny minority of the users.
The issue isn't what FA should do, the issue is what you claim FA is required to do, which it is not.
Fur Affinity is also a subsidiary of IMVU, a company with its principal place of business in California. That means it's definitely under the jurisdiction of California laws. I explained above why it's quite possible that the California data breach law does apply to this particular scenario.
Furthermore 46 other states have data breach notification laws that are somewhat similar to California's. Here's a handy chart that explains many of them: http://www.bakerlaw.com/files/Uploa.....ach_Charts.pdf
Again, even if the data breach laws don't apply here, it's still good practice to send out a notification following the format of the laws. It's a CYA move, it protects your business interests, and helps assure customers that you're taking proactive steps to ensure the security and safety of their accounts and data.
The rules about passwords generally apply only to passwords that are A: unencrypted and B: can be used to access secure personal information such as medical records or financial information. Basically, these are laws to protect people against identity theft and regular theft, not against inconvenience. As your chart shows, the situation and how the laws apply differs from state to state. And that's not even counting the differences between the laws in various states and the laws in other countries.
For example, here in Canada we have a number of provincial laws and a federal law, the latter of which requires companies to notify users if there is a "risk of significant personal harm" coming from the breach. In Canada, that significant harm can even take the form of humiliation or significant stress, which unlike most of the American state laws, actually could conceivably apply here. However, neither FA nor IMVU physically operate in Canada, so while Canadian users of FA have been impacted, they are not protected by the Canadian data-breach laws or for that matter by most of the American laws.
Welcome to the wonders of the internet era. You have a website that operates and provides the same service in dozens of countries, but each of those countries and some of their component states or provinces all have different legislation, much of which does not actually protect a large proportion of the site's users.
Trust me, I work in the privacy and compliance field. In a situation like this you basically want to comply with whatever the strictest relevant notification law is (probably California) and then you can send it to all your users. There's literally nothing to lose from sending this notification, if anything it builds up trust with the community and helps to secure accounts.
Again it doesn't matter that these state or provincial specific laws don't protect the large proportion of the site's users. You're still expected to comply with them within those jurisdictions. Yes, it's a bit harder because IMVU doesn't have offices in the EU or Canada, for example, but it doesn't necessarily mean those countries won't try to apply their laws as well. Nor does it mean the individual states won't try to apply their laws.
Also just to clarify, residents of states can file complaints with their attorneys general for violations of their data breach law regardless of whether the "majority" of FA users hail from that state or not, so long as the threshold triggering that state's data breach notification law applies. In California's case, it's any California resident. I don't know why you keep harping on whether or not the "majority" of FA users are impacted by these laws because it doesn't matter. One is enough in California. 500 is enough to trigger the requirement that it be reported to the state attorney general's office.
Your assumption that FA's password encryption is below industry standards is just that: an assumption. We also don't know which authorities IMVU/FA have reported the breach to, so assuming the relevant authorities aren't already involved is also an assumption.
My comments have never been saying that FA shouldn't be taking the steps you recommend, only that given the information we have, it's highly doubtful that they could face any legal penalties whatsoever for failing to do so, let alone for not doing so within the first three days after the breach occurred. Obviously, FA/IMVU should be taking every precaution that they can and should be doing everything that is within their power to assure their users that their data is safe. That would be the ethical thing to do and the logical thing to do from a business and legal perspective. As you say, FA has literally nothing to lose by taking those steps.
But if some furries do file complaints, at this point I wouldn't expect much to come of it.
Further again you seem to be intentionally misreading the statute which explicitly states that the username/password combination need only be usable to access ANY online account, not specifically one related to financials / education / health etc.
But you're right and we do agree that it is the sensible thing to do even if the data breach laws don't apply. But my point is just that the law is a bit more broad than people tend to realize.
Kudos for acting as fast as you did.
What I'm saying here is, if you take a look at all the other sites out there that are any bit as notorious as FA, does FA perform badly in comparison?
I doubt it. I've seen governmental sites which don't just go over art, but over people's identity and livelihood, perform worse.
Everyone on the entire planet is a bloody screwup who makes mistakes on a regular basis.
And it's got to be said, being a programmer myself: The only way to find out definitively if something CAN go wrong, is to MAKE it go wrong.
If no one was able to in time test for this for whatever reason, then they literally did not know, and issues like these become unavoidable.
Earthquakes fuck stuff up too, humans might've been able to avoid it if we weren't all a screwup, does that mean it's reasonable to blame humanity for earthquakes?
Not in my opinion.
For a site that is as popular and frequently visited as FA is, it should have loads more security, better networking infrastructure, a team that actually doesn't fuck around and servers that are industry standard. What FA currently has is a big chunk of outdated hardware compared to current tech. In no way can you justify what has happened; 6 days of data was lost, 6 DAYS. In a modern industry this is not acceptable in any sense of the word. If you want to defend FA that's fine, but at the end of the day their team is incredibly crap. They have a dev lead who is unwilling to accept new ideas and constantly stonewalls others. This isn't just a "screw up", it's a complete and utter failure. Your entire comment is white knighting them.
In all fairness: You could've backed up all your work too, you could've switched to a different place if you're unsatisfied with their services. And never did they claim to be flawless.
If they had claimed to never let the site crash, I'd be flustered, but they never did, you knew what you got yourself into the moment you joined.
This site's issues, and the backup problems, in particular, can, I believe, be attributed to mostly laziness and people simply not caring. On top of that, there is no planning. As a result, every time these people turn around, something new is sneaking up behind them to bite them (and by extension us) in the butts.
Nearly all of the problems that this site has experienced over the years, have been completely avoidable.
I've listened to Dragoneer whine and cry over and over again that running this site is just often-times too much.
Well, Dragoneer, and Fur Affinity staff, you are running it. Come to terms with that fact, quit your whining and get off your duffs and run it. You want the recognition for running the most popular website in the fandom, then be willing to take on the responsibility that comes with that kind of recognition!
'Nough said.
Your laziness, your lack of foresight and your lack of taking real ownership of responsibility is what is causing all of this site's problems. Not a bug, dude and dudettes. It is you leaving this site wide open to all of these problems.
I've never seen FA staff fuck up this badly before. Usually the site goes down for maintenance from time to time but how in the fucking hell do you allow your source code to be freely distributed at a convention? You people are incapable of this level of incompetence. And WE are now paying for it.
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
We were not aware that the source code had been downloaded (using an exploit in a third-party software library which we patched shortly afterwards) by the third party who later distributed it at the convention. Even if we had been aware, it is not realistic to expect we would have been able to prevent the distribution of the USB drives any more than, say, the vendor who sold the drives the code was distributed on.
Fact of the matter is, it's not simply storage that limits FA's backup options. In order to upgrade to the backup solution we would like, there are other upgrades we need as well. This was being worked towards but not yet complete.
We are running this site, many of us without pay. Our coders have missed sleep in order to get the site back to users sooner. You have every right to be upset that things went wrong, but please do not accuse staff of not caring, or of being lazy. It's not true, and it is, quite frankly, rude.
If your ego will allow you all to take some professional advice, you all need to admit your limits; some heads need to be removed from rectums and you need to seriously re-evaluate your positions in the matter and start actually either brushing up on your skills, or find some people with those skills who are still willing to forgive all the past shit-flinging and corruption that's happened over the years and help bring FA up to modern standards.
The fact that this isn't the first time someone has done this, and with apparent relative ease is shameful, and if I was an FA admin right now i'd be F*ing embarrassed.
My daddy always had a saying any time I ever tried to take on a new project, and especially after I managed to let that project fail, or I just walked away from it because it became too much:
"I don't want to hear the whining," he'd say. "You knew going in that it was going to be a big project. It was you who didn't see it through. The project was just the project. Don't blame it for your failure."
Fact of the matter is, it's not simply storage that limits FA's backup options. In order to upgrade to the backup solution we would like, there are other upgrades we need as well. This was being worked towards but not yet complete.
Really? How long have you all been operating the site again? Ten years? Twelve? Fifteen? And you still don't have a backup solution?
We are running this site, many of us without pay. Our coders have missed sleep in order to get the site back to users sooner.
Really? Well, your staff wanted the responsibility. Or did they just want the praise that comes with being staff of a site this large? Ooh err... well, whichever it is, the responsibility is what it is. You have a site with members that number in the thousands - you host a database which those thousands of members were given the expectation that they could reliably upload pictures to. You made those promises, promised that availability. Staying up late some nights, losing sleep, is all just part of it. And the no-pay part comes with volunteering. It is why it's called 'volunteering'.
And then there's this:
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
You're the ones who created this juggernaut. Now stop your whining and especially this kind of authoritarian nose-biting because that juggernaut became too big for you and is now stepping all over you.
It was your mismanagement and lack of foresight and/or lack of giving a damn that has brought you to this point. If you want to prove to us how right you are and how wrong we are, get up off of your duffs and show us. Make this site so that it stands up to the faith that your many thousands of users have placed in it. If you had been all along, it is my guess that you'd have never gotten to this point at all.
Is it reasonable to expect better performance when the site has a 6 day lag on a critical backup? Absolutely. To be frank a site the size of FA needs a daily backup solution. The fact the site's owner worked in an Amazon datacenter means he should have known this rather than come up with excuses as to why the site does not have this solution implemented, especially with a corporation owning the site. Ignorance cannot be claimed in this scenario. If anything that level of experience should have seen to it that this site runs about as smoothly as Amazon does. Granted Amazon's downtime is usually measured in minutes, not days. But in the case of this site downtime should be limited to mere hours, not days and certainly not with nearly a week of lost data.
What we have going on here is a failure to heed the basics of systems security, for which, at large scale sites such as this, daily backups should be the bare minimum, period. Not counting the fact previous coders had noted how vulnerable the code actually is, so realistically this isn't a mere matter of "oops! we just discovered an exploit we didn't know about." The fact remains they got caught with their pants down despite being called out on it in the past and are just now getting around to patching up security holes.
Government systems may periodically go down (often due to shitty budgeting... you are aware that the IRS for example still uses computers from the 80's and 90's ya?) but their data backups are very much spot on so when shit does hit the fan you don't typically have lost identities. As a programmer even you should know how critical daily backups are let alone on a large scale website. Storage nowadays is dirt cheap as well. The operators of the site do not have the luxury of being able to claim "we're just a small site, our resources are simply too limited." This is part of the game when you want to run a massive website with high traffic.
Of course in your later response you more or less place blame on the end user which in my opinion is merely a cop-out. That's as asinine as the "buyer beware" copout when people get robbed of their money via artists that take the money for commissions and conveniently vanish or put off the work for years because of personal problems.
While 100% uptime is not realistic for any site, a daily backup solution is. There's just no excuse to not have one in place especially when it's a bona fide business need as noted by the statement that IMVU is helping out and will be assisting with a proper backup solution after the fact. But any webmaster worth their salt knows daily backups are essential, especially on high traffic sites.
Errr, no it can't. It is waste-water injection wells, which have been in use for more than 60 years, that sometimes cause them.
Geothermal power causes far more regular quakes, yet you don't see that reported all that often.
Improvements have continuously been made to the site's backend. The ImageMagick exploit that enabled this attack to happen is also not a vulnerability that was long known, or noted by previous coders. Without that exploit, this most recent attack would most likely never have taken place.
-Smiley
The issue with Inkbunny is that it has such a limited user base and is designed purely for NSFW work. Not everyone wants to join an NSFW-only website. It's just boring/doesn't meet everyone's interest. Furry Network is basically FA 2.0; it has both NSFW and SFW categories while also suiting stuff like fetish and what not.
Fixes and updates are employed continually. Just because you do not see them (backend updates are rarely visible on the user end) does not mean they aren't there.
Here's the problem: those backup solutions should have been worked on a long time ago. Waiting for an event to suddenly "rush things along" is not acceptable at any level of industry standard. Literally, going through college or university or whatever, teachers tell you to make backups constantly/nightly/daily/etc. You can not have a site like Fur Affinity live off weekly backups for so long; the fact that it's taken until now is simple, no one gave a fuck. Suddenly you guys have this issue come up and then it hits you, "hang on, we need more constant backups right now!" This happens every time something major goes down with Fur Affinity. When the HDD went down causing a site outage for a week, there was no backup server for the site to run off, so it was down for almost 2-3 weeks. That's not acceptable in any sense of the word; you guys seem to suck at planning for events/getting up to date with modern tech. There are so many people who have called you guys out on it, but yet the team just sits on their hands and does nothing. We know Yak hinders the development of the site too, so I don't know why the hell anyone on the team isn't standing up to him too; hell, he's as much to blame for this as is the person responsible, honestly. These are such basic things the department should be fully aware of that can happen.
In no sense of the word can you justify anything like this taking so long to implement.
tl;dr: you guys need to get on top of your game and actually work on shit. The site's suffering from it and the user base has constantly pointed this out, yet no one listens. Yak hinders development.
The backup solutions were already being worked towards. I already said this. We do not have the budget to just completely replace all our hardware in one go, so replacing/upgrading old systems is something that is done gradually. Teachers tell you to back up your work constantly for the same reason they tell you to save your work frequently - so that you won't lose your own work. Fur Affinity is many things, but it is not a backup of your personal files. Comparing the two is comparing apples and oranges. Sure, they're both fruit, but beyond that...?
Our team does not "sit on their hands" - there have been both feature and back-end updates happening all along, and that 80% done ground-up code rewrite didn't materialize out of thin air. Yak has worked incredibly hard these past two days and heaping blame on him for some perceived shortcoming is undeserved, especially now.
I'm really not sure how you believe it's faulty when there was a long 20 minute video detailing how the team works. Which, mind you, got taken down in the end by the FA legal team. You completely missed my point about backups; if you think I am implying that I use it as a "personal file" site, you are incredibly misreading that section. It was more so a metaphor for the site being backed up on a regular basis, not weekly, REGULAR.
The team does sit on its hands unless something major comes up. There is all the criticism you guys get and feedback, but yet 0 of it is used. The code rewrite shouldn't have even happened, and however that code got out is on you guys for letting it even happen. Hell, that has never even happened before in the history of most sites I use to this date.
Honestly there is so much evidence against your team and other people in support of seeing change, yet it's constantly being shut down by people who have their heads too far up their asses. This is simply my opinion, but the team needs to get its shit together and sort out whatever ego problems there are; it's hindering development 10x over.
1) Keep posts civil, constructive and polite
2) Keep discussion on topic to the post at hand.
3) Treat your fellow posters with respect.
See what I did there? Just making sure you noticed.
Anyway, here's my two cents:
Instead of bashing the FA team for what you -think- they should have done but didn't, calling the site "garbage" and the FA staff "lazy", why don't you get off your ass, learn how to code and develop websites, and offer to help? Or is it easier for you to bitch and point the finger than it is to actually try and do something productive?
Furthermore, if you don't like the site so much, why the hell are you here using it?
FA has a long and storied history of only acting upon site security issues after attacks have happened, rather than being intelligent and using the vast resources at their disposal to prevent them in the first place. Believing that the core FA team are capable of doing anything other than running around going 'oh shit' when things fall apart instead of taking preventative measures is simply laughable, and my point is proven quite nicely through this whole debacle. We have had several similar attacks in the past, where malicious persons have exploited known, obvious issues with the site in order to do damage - again, most of these issues and loopholes were known about well in advance of those attacks taking place. The fact that you think the staff are somehow capable of acting proactively is utterly fucking hilarious, and I have history on my side to prove the point further.
At this point, no amount of criticism will amount to good, since, again, the core team are complacent in their positions of power and will only move to act when provoked rather than being pro-active. As for why I use this site at all? Simple - I come here to obtain decent references to help me with my artwork projects. FA, unfortunately, has the furry monopoly, and most users here are either too die-hard, too stupid, or too lazy to seek more viable alternatives. I'm forced here because this is where the fanbase is - otherwise, I would quite happily be elsewhere.
And on another note- Did you read the part in the journal where it says the issue was not with FA or the site, but ImageMagick? It had nothing to do with FA, the website, or its coding and staff. The people who run ImageMagick made FA's staff aware of the exploit only when -they- became aware of it. However, by that time FA had already been compromised. It is not the fault of FA's staff or developers that they did not notice an exploit in the coding of a third-party image server right away. This could have happened to any website making use of ImageMagick's servers.
So I hope you learn to read and understand things better in the future. Placing all the blame on FA staff for not fixing an exploit in third-party software that they weren't aware of until the ImageMagick team made them aware of it is kind of shitty. Breaches like this can and will happen to any website ever made, anywhere, anytime. No website is 100% completely secure- hackers can and will find a way to exploit and take advantage of whatever loopholes they discover.
ImageMagick is also open source, which also means that they can do whatever they want with the code, but it seems they chose to do nothing.
As for how you defend them, please tell me again how does it contribute to the improvement of FA? Do you know how they run things?
As for the ImageMagick thing, yeah, I'll admit I didn't know exactly what it is and how it works, an oversight on my part. But on the same note, neither does the original poster to whom I was replying. It's not exactly anyone on FA staff's responsibility to pore through third-party software code to identify/fix possible exploits and loopholes; that's what ImageMagick's development team is for, and that's who found the exploit and informed those who used their software of said exploit.
Just because FA's staff didn't catch some software coding exploit that someone else -did- doesn't mean they're "lazy". And, since you're going to point the finger at me and ask -me- if I know how FA runs things, I'll go ahead and ask you the same question. And unless you're actually -part- of FA's website and development team, you can sit there and speculate all you want and try to tell me you -think- you know how they run things, but you're not going to convince me. And I don't care if you have coding experience or if you work on development for some other site.
Besides, it isn't really like it impacted you in particular. So I don't really see what the wall of text is about?
Pointing out that a nightly backup, which most sites with FA's level of traffic do, is an important thing they should really be doing, isn't exactly bashing. That's just common sense for a site that has thousands of users posting, noting, faving, etc., every day.
There is no reason to assume there isn't a plan for the hardware upgrades. They are being done incrementally because replacing/upgrading everything at once would be prohibitively expensive.
So no, I'm not "chang[ing] [my] story".
Yeah, some people just like to whine and point fingers. It's sad. I'm just glad the site's up and running, and I for one am thankful for the hard work the staff put in to get this fixed!
It's almost like they're forgetting something. ....I wonder what that might be?
...Oh yeah. It's the whole idea that this website, and all of its services (save for those artists who pay to have their ads up) are completely, 100% free of charge. There is no subscription service tying them to use of this site. Dragoneer, Fender, and anyone else on staff are not holding guns to their heads demanding they stay here.
All in all, I think the FA team handled the breach and the outage in the best way they could have. All this bullshit from people complaining that they weren't omniscient and omnipresent and missed a critical exploit in third-party software that they very likely have no coding access to is just equivalent to a bunch of 8 year olds whining that some bully broke their favorite toy and it's mommy's and daddy's fault that they didn't stop it from happening.
But yeah. Exactly.
That was a long outage
Glad that you were able to bring it back online nonetheless.
What will be the solution to compensating those who bought advertisements for their lost time and revenue?
Which honestly isn't a big deal at all except on the advertisements page it states you'll be up much sooner. Like at least write the truth, lol. "Your ad will appear in a few weeks' time"
Those trolls are actually hurting other people's lives.
Possibly this is nothing more than another attempt to bully us.
There might also be more sinister reasons, but that treads on conspiracy theory stuff, which I presume unlikely and will spare you from.
It's not 2006 anymore; 90% of people online in the year 2016 could give a flying tit if you're a furry- it's just one more "oh okay" subculture, like anime fans or competitive gamers, or whatever.
People need to stop pretending that the fandom doesn't have an incredibly large number of drama queens and people who like to cause trouble.
If there is "hate" against the furry fandom, it is mostly self-inflicted. The inability of a number of furries at RainFurrest to be civilized in public is just one example.
Lol... Thanks for all your hard work getting the site up!
I managed to fix the current counts on my submission numbers and journal numbers by doing this, but it's still saying that I have 1 comment notification, and when I click on it, there is nothing there.
So I have kind of a phantom notification, if you will. Might be worth looking into if you guys haven't been made aware of this problem yet.
Also, great job getting the site back up. You guys are awesome! ^w^
Alright.
I created a page on the 12th, and so everything from my account had been wiped. However, when I recreated my account, I used all the same information to create my login and found that when I went to my profile, it had retained the same icon that I had used when I created the original account.
I dunno how that works, but I think it's super cool how it kept something from the original account.
The weirder possibility is some ghost information remained after implementing a restore point that brought back only profiles from a week or so ago and later, but still kept the data from profiles created in that lost time window. If that's the case it's not cool because creating your account and finding info already there should throw a flag or in the least scrub anything it finds for a clean profile setup. I doubt it's this second thing though. :v
As it was only database information that needed to be restored, the (temporarily unused) avatar was still on our server, and was pulled when the file name once again corresponded to an existing account.
Nothing to worry about.
sometimes they hack for good, sometimes for bad. :V
Furries are still hated, and this might just have been nothing more than an attempt at bullying.
I'm glad this was handled quickly and efficiently. Thankz dudes
I can't decide if its best to wait for the wave of reuploaded submissions to pass by or not.. who knows.. aahh jeezz this stinks.
I'm gunna wait, I'm sure people who maintain their inboxes are just going to auto delete anyway, might as well not be part of the flood ammirite?
Same with all the others. How should we go about fixing this?
The submissions in question do not actually exist anymore - they could not be restored when we restored deleted data from backup.
We've heard this for years, now, when's the truth?
Inb4 that shit.
I'm in a mindset right now where I don't even want to try and re-upload my pictures.
I hate to say this, but after 6 years on this site I'm starting to lose grip on using it.
one time it was down for over a few weeks.
But thats years ago.
i understand its been down for months before zz
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
I think as long as it isn't obvious trolling bait then it should be ok. But how dare we call out incompetent staff for being incompetent.
Mungo's on everyone's back, he kinda needs to chill a lil.
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
Someone I knew was so enraged they lost 600 watchers in this attack so yeah...
Definitely need an extra week for us who got our ad banner spots.
I myself lost 25
600 is just... ouch! D:
Glad you guys caught it fast.
It hurts to lose all those faves I made and all the people I watched and can't remember now.
It was my understanding that part of the REASON FA was sold to IMVU was to improve site security, and funding for necessary hardware to increase space for things like...daily backups.
Also, never tell someone they don't need something; it really makes you look like an idiot when they do. There's nothing wrong with some redundancy in a system.
I just love how the administration still plays the "we're only volunteers" thing. They signed up to do it with no pay, and while I think it's shitty not to be compensated for their time to help the site, they came in full well knowing that. FA is owned by a company now, with Neer to be a full-time worker. This isn't a hobby, person-owned site anymore. This site's the largest furry site and has been for YEARS. It's had dozens of very successful donation drives and was even bought out to be funded. But somehow they always find a way to NEVER have any money to fix HUGE issues.
Like, are you kidding me? Serious flaws in coding and exploits were never fixed prior because they didn't have enough time? There were problems in the code now and it took an attack for them to fix it (not talking about the third party bypass, but the errors in the code itself)? It was fixed IN A DAY, which means these issues are SUPER SIMPLE to patch up and it's nothing but people dragging feet and refusing to take any responsibility. They've been bought by IMVU for a year now; how was getting reasonably timed backups NOT a priority? If anything, I'm astounded by FA because the one thing always going wrong is always something they were "going to fix"/"almost done"/"about to be implemented" or other such garbage excuses. How were reliable backups and code patches NOT a priority? And the excuse of "we didn't need to fix it because we're getting a new site in a year" is so laughable. That's like saying you're not going to get new tires on a flat-tire car you still drive because you're getting a new one in a year. UGH.
Thank you to toxicaudri and barefootstallion. You and a few other people in this thread with more knowledge of coding and backups and in-depth technical knowledge are really a light at the end of the abysmal tunnel that is FA's constant mediocrity. And if you see this Mungo, I feel bad for you. It's clear you're very passionate and driven to see the site succeed and do well, but you seem to be the only admin who really cares (the rest are quiet and letting you fight their battles for them). It's sad to see you sitting next to people who've lied and made excuses to do nothing for years. And that's not speculation; mountains of proof and empty promises with a million more asinine excuses are heaped onto those. I admire you for your passion and dedication, and it makes me feel sorry that the people paid to run the site don't seem to care half as much as you do since they're in the position to actually fix it.
But yes, I share the same feelings as you. I like this site and want to see it succeed. That's why it's SO maddening to see things be terrible all the time. It's constant excuses, flaws, and incompetence. All the time, administration tells us that they care about the site and are doing their best - then leaks come out and show they're playing favorites, then former moderators and helpers with the code share their experiences about not being able to help, then the furry merger revealed dozens of people who came to help that wanted to make a difference but were shut down. I am sure all the staff here do care about the site, but that care is not enough to fix it or work passionately towards changing it. There are tons of issues, problems, and promises that are (while not easy, I'm sure) realistic to fix, but no one ever gets around to doing it because they don't feel like it or they make up tons of excuses. If it was a couple of times, that's fair, but it's CONSTANT failed promises and lies, and I and many others (like yourself I'm sure) are just fed up and angry about it.
I've said multiple times throughout the year that if they had a subscription base like DA where you pay $5 a month for extra features, I'd do it. I DO want to see this site succeed and originally had no issues with administration. But it should come as no surprise to Mungo, Neer, Yak, or anyone else that many people are getting fed up with the constant subpar performance for YEARS. And criticism, offers to help, and people's resources have been underutilized at best and ignored at worst.
And I know this all serves no purpose, talking about it. Our words won't rouse staff to care any more than hundreds of people before us. Because that's just it - we're only hundreds of people on a site with hundreds of thousands. There's maybe a thousand vocal people (including some bigger artists, sure), so who cares what we think? They're only human and we're drawn to praise and ignore criticisms in favor of a sounding room full of yes men. No one wants to admit they messed up or accept blame or fix their problems. Every grievance on our end is unreasonable, a personal attack, or not constructive. This is just a vent of frustrations, because it IS upsetting and it's even more maddening that as much as we want it to change, it will not. And no offers to help have ever made a large difference so it's just become depressing. I love the community of this site, I love the way it looks and works. I'm just exasperated and tired of people making excuses to not make the site better and fake promises to tide us over.
If we're reaching capacity for storage, it's not at all unreasonable that our backup storage may also be close to capacity. By "long term storage solution", you have assumed that full backups will be kept for an extended amount of time. Keep in mind that in the long term, we would also like to increase size limits for uploads. This means that we need a long term solution for keeping available storage at or greater than the demand for storage. (Backup solutions also include more hardware than just drives to store the backed-up data, and as I recall we'd be needing a network upgrade to implement the backup solution we'd like to have in place.)
Fewer submissions are deleted than are uploaded. The storage demands for FA are only going to continue to increase. This is the "long term storage solution" being talked about.
Also please remember that having funding does not mean having unlimited resources. This is why a plan needs to be in place for how upgrades will be handled over time.
I don't understand why they would do backups weekly, if it's even that. Granted a lot more could have been lost, but nearly a week's worth of stuff is a significant chunk to a lot of people. I'm glad that they got the site up and running again, but they need to do a few more backups a bit more frequently in case another attack happens. :<
Rather than constantly spending money on crappy stuff that seems to break down every few months, why not save up and get something that will actually do its job properly?
Sometimes it's better to buy the brand than the generic. So to speak.
Since our budget is still not unlimited, upgrades have been happening gradually. We still have some hardware that's 8 years old in service. And since we do want our replacements/upgrades to do a good job, saving up and getting something that will do the job properly is exactly why we don't have the hardware resources to do daily incremental backups right now.
From the second line of this journal. It sucks, but you'll have to re-upload them, as they're now lost.
Watch
I've never had that error/warning before is that a result of the damage done or is that a safety thing in place until the fire cools?
UNTHINKABLE!
Give you an example:
Original link is http://www.furaffinity.net/view/19977789/
But you can still go here http://d.facdn.net/art/cathricorn/1....._request_3.jpg
it's driving me insane haha (i have 221 ghost submissions, 1 note and a few other things ahhHHH)
Would you like an award?
Notes haven't been affected.
Thank the gods!!
I'm using them to help me figure out who commissioned what and whose username goes where :3c
Things will be back to normal soon.
Artists I watch are uploading and they're not showing up in my inbox; mixed with the ghost submissions, that's the only problem I'm having right now outside of lost data.
For example, let's say four users have the password 123456789; all four of them will have a different salt. That would be like making one password 123456789aaa, a second password 123456789bbb, and so on. The cracker knows the aaa and bbb, but now instead of calculating the hash of 123456789 once and figuring out the password of four users at once, it now takes him 4x as long because he has to calculate the hash for 123456789aaa, 123456789bbb, and so on. Of course a salt will be more complicated than aaa and bbb.
4x as long is a huge understatement though. If there are 1,000,000 users, without salts the password cracker only has to calculate 123456789 once and he has all users with that password. With salts, he now has to calculate 123456789 1,000,000 times before he can move onto 1234567891 which he then also has to calculate 1,000,000 times.
Hopefully this helps. It took me a while to understand why salting helps even though the cracker knows what the salt is.
With password lists of the most common passwords like "password" and "123456789", and a modern GPU, some passwords can be cracked. The problem is it has to try "123456789" for every account separately and as long as the person coding a site had even a small amount of common sense, he won't use MD5. Thus it would take hours just to find everyone on fa with "123456789". Now if it only tries the top 100 passwords, that's already days, maybe weeks, of waiting only to get the weakest passwords, and almost no hope of getting anything crappy, but better than "password" like "CatzRule123".
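The two comments above (per-user salts force one hash per account per guess, and a slow hash makes each of those guesses expensive) as an added, self-contained example that is not from the thread or from FA's code. The user list, the candidate password list and the account names are constructed; SHA-256 stands in for a fast hash like MD5 so the operation counts can be compared, and PBKDF2 shows what a site should store instead.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the thread): four accounts share the
# weak password from the comment above, one has something a bit better.
USERS = {
    "user_a": "123456789",
    "user_b": "123456789",
    "user_c": "123456789",
    "user_d": "123456789",
    "user_e": "CatzRule123",
}

# A tiny "most common passwords" list, the kind a cracker would try first.
CANDIDATES = ["password", "123456789", "qwerty", "1234567891"]


def fast_hash(data: bytes) -> str:
    # A fast hash stands in for MD5 here; the point of the counting below is
    # how many hash operations the attacker needs, not which hash it is.
    return hashlib.sha256(data).hexdigest()


def store_unsalted(users):
    """Naive storage: hash(password) only, so equal passwords give equal hashes."""
    return {name: fast_hash(pw.encode()) for name, pw in users.items()}


def store_salted(users, salt_len=16):
    """Per-user random salt, stored in the clear next to hash(salt || password)."""
    db = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(salt_len)
        db[name] = (salt, fast_hash(salt + pw.encode()))
    return db


def crack_unsalted(db, candidates):
    """Returns (recovered {user: password}, number of hash operations).
    One hash per candidate answers the question for every account at once."""
    users_by_hash = {}
    for name, digest in db.items():
        users_by_hash.setdefault(digest, []).append(name)
    recovered, ops = {}, 0
    for pw in candidates:
        ops += 1
        for name in users_by_hash.get(fast_hash(pw.encode()), []):
            recovered[name] = pw
    return recovered, ops


def crack_salted(db, candidates):
    """The attacker knows every salt, but each (candidate, account) pair still
    costs its own hash; accounts already recovered are skipped."""
    recovered, ops = {}, 0
    for pw in candidates:
        for name, (salt, digest) in db.items():
            if name in recovered:
                continue
            ops += 1
            if fast_hash(salt + pw.encode()) == digest:
                recovered[name] = pw
    return recovered, ops


# Defender side: salt plus a deliberately slow KDF (PBKDF2 here), which makes
# every one of the operations counted above expensive for the attacker.
PBKDF2_ROUNDS = 200_000


def make_record(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify(password: str, record: tuple) -> bool:
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, key)  # constant-time comparison


if __name__ == "__main__":
    found, ops = crack_unsalted(store_unsalted(USERS), CANDIDATES)
    print(f"unsalted: {ops} hash operations, recovered {sorted(found)}")
    found, ops = crack_salted(store_salted(USERS), CANDIDATES)
    print(f"salted:   {ops} hash operations, recovered {sorted(found)}")
```

With five accounts and four guesses the unsalted table falls to 4 hash operations while the salted one costs 12 (5 per guess until the shared password is found, then 1 per guess for the remaining account); scale the user count up and the salted cost grows with it, which is the comment's point.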
I'm thankful for the FA staff for acting quickly on this to prevent further loss, and I'm looking forward to living in a day and age where FA finally has new coding!
Also lost several submissions.
YAY
it might just be the site trying to catch up too since they're going to be implementing a script to re-sync numbers.
Oh and if you want to see something cool yet somewhat scary go to map.ipviking.com, it shows cyber-attacks in close to real time
GOOD NO DAY 23 UP !!!!!
Seems like a 'thing' that Humanity does... Wait for the worst, yet avoidable, accidents before doing what could have prevented them in the first place.
They've been re-posted :9
I'm just missing like, fifteen watchers and about 50 favorites. :c
Are there plans to make the backups daily? Losing 15 submissions and hilarious tags, a lot of watchers, favs is really rough, man.
Especially since I couldn't post anything on my birthday. :c
Meaning the code on those USBs will be invalid once the new code has been set to the website.
I think.
Correct me if I'm wrong, I'm not super techy.
You're asking the wrong person :)
FA's not a company with a benefit purpose. These guys aim for you to enjoy a free website without any compensation from you in return.
You better be thankful for them to work all this out this fast.
Dude (y) doesn't like change and I've heard some shady things about him.
word of mouth though....
Just because the site isn't falling apart (faster) doesn't mean that we wouldn't want change...
I'm just bummed that I lost a bunch of watchers, art, faves, etc.
I also have to re-start my raffle due to the lost watchers ;c
Someone needs to call/email the people at IMVU and get them involved, forcing Dragoneer to do his job right for once.
If Dragoneer isn't pressing the budget onto security stability, then that also falls on him too, not just the Tech Team.
But we're talking about problems that stem back a decade because of hardheadedness and rumors of Yak having a deathgrip on the site and not letting other coders help.
Yak is but a child, not letting anyone else play with his toys. Dragoneer should be firing him, and getting actual people who genuinely care about FA. Then again if we did that Dragoneer would be fired too, since he seems to not care as much about FA like we all do at heart. *cough* screwing over hired technician out of paychecks for free services *cough*
"Yak is but a child, not letting anyone else play with his toys. Dragoneer should be firing him"
I agree. There's been a lot of rumors of Yak misappropriating site resources, and the way he's treated other coders and no one knows anything about him, it's all just really bad looking.
Yak's just a ticking time bomb at this point. If this attack isn't enough to show Dragoneer that Yak's work is completely lackluster, then Dragoneer himself is stupid enough to believe anything Yak says from his toxic mouth.
The day that Yak agrees to make the site's coding Open Sourced, will be the day Dragoneer sits down at his desk and stops procrastinating. Two things we clearly will never see.
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
Or is it some of the furries themselves?
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
I can't believe this oh wait I do BELIEVE.
AAAAAANNND IT'S GONE!!
Okay, so what you're saying is, you have no logs that prove one way or the other whether some, any, or all of the information stored in plaintext in the database was copied off somewhere before the hackers made their presence known by mass deletions of tables. Before that, they could have been happily copying user data away (just as they did with the source code!) with impunity, to play with later, sell, whatever.
1. Everyone reading this should know that if a hacker is able to delete database tables, they are able to read them. This means you should assume any information you had on this site as of May 16 is compromised. Period. End of story.
2. Encouraging people to change their passwords, unless FA’s password encryption is garbage, is the least likely thing to actually make a difference, since it's probably the single thing on this site that is encrypted. What hackers almost certainly do have: the email you registered with, the entire contents of private notes, any comments you've made, your birthdate, in plain text. Everything. Changing your password is closing the barn door after the horse has long since left. The damage is already done.
You all got completely pwned, and are trying to pretend that a cursory audit of your code done in 36 hours will prevent it from happening again. Did you even reinstall your servers, assuming they themselves were rooted too? This is disgusting.
I've been here for 6 years though and this is the first time FA has lost THIS much data from an attack... despite the fast recovery I'd say this was the worst attack on FA since 2010
I have one favorite in my messages that I can't see nor delete, but at least it sounds like notifications will be fixed shortly
-Cake
Glad the site is back up, hopefully the site will have a better system soon :^>
But it's better to have to reupload a few things than my entire gallery. :D
If so, will you guys be pressing charges against them?
Those six days are six days of watchers generated from my ad that I lost, it's like not even having an ad up during that time period. I understand if it's not feasible, it just kind of sucks if I basically lost six days of advertisement because of these shenanigans.
I have the same question. 6 days is a huge loss for those who have bought an ad. :<
I know you can just re-watch said person and re-upload but yeah
Y'all moved really fast on getting the site back up, considering the severity of this problem.
It could have been better as well, I know, but I'm sure doing daily backups is hell on drives
A gallery site such as this could - and should have a viable once-a-day archive window, preferably at times of low load when site performance is least likely to be affected.
I pity them.
there's been many a case where whitehats will point out security flaws to companies, whether through bug bounties or otherwise. when those companies don't listen, especially when those flaws put at risk user information, such as in this case, an attack that uses that weakness but mitigates damage can prompt them to fix that problem.
which, to me, sounds fairly familiar, given the circumstances.
but in the end, it's not always to stir shit up, and it did give us a bandaid that may not have come for some time and lead to an even worse attack. if that's pathetic and low, then...
I'm only too happy to burn out the guilty party's family while they sleep.
Not that I'm bitter, mind you . . .
Dis going ta be gud.
thank me later :^)
*hugs you all* ^^
you should
read the journal
then ask
because there's a lot of questions that are answered in even the second line of the journal
;)
I'm sorry, but where can I find the answer to where my submissions have gone? And why my notifications won't go away? And why I'm down watchers? Seriously though, it's right there guys.
I have to repost like 1 submission but I'm not complaining! ^_^ I'm just glad FA is back and fast at that. THANK YOU
Welcome back, FA
Welcome back,
Your dreams were your ticket out. ....
Welcome back,
To that same old place that you laughed about.
Well the names have all changed since you hung around,
But those dreams have remained and they're turned around...
I'm glad some things weren't affected like notes and apparently journals from what I heard. (thank god for the notes for commission info)
Though some of my submissions and watchers are gone now because of the week's time in between the hack. Which isn't so nice..
but seriously, don't take my comment seriously =P just trying to lighten the mood. I for one am glad this place is back.
Tickets have not been lost, and do not take months or years to receive replies. Please stop spreading misinformation regarding ticket response times.
Form replies are used for many common issues in order to help ensure fair and equal enforcement and protect our anonymous Moderators' identities. The exact wording of the response received in no way means that the reported issue was not thoroughly investigated.
Made Sept, 26th 2014
Admin replied on May 28, 2015 and this isn't even the first time either
Also, I'm having a problem making a new password... every time I enter it, it says password invalid.
If you guys are teamed with IMVU they should be helping you guys out with your sentry, because this will be the second time this happened.
1: Why didn't you shut down the site the SECOND you figured out someone was passing out these USB drives? Why did you wait until AFTER things were being deleted? You could've saved yourself 6 days of lost progress and this whole issue would be a lot less serious. Seriously, you were basically told "you are going to be hacked" and you didn't immediately do anything. As a smart, logical precaution, you should've closed down the site, told everyone IMMEDIATELY what was going on (instead of 6 hours later) and begun work on fixing the source code without loss of people's uploads and more.
2: Why in the world isn't FA's backup every day or at least every 2 days!? FA is an ART website! A website where hundreds of images, writings and audio files are put up constantly. In case of an emergency, you want to have all of that backed up as frequently as possible. WHY IN THE WORLD IS THE BACKUP WEEKLY? This is unacceptable and should've never been implemented; you should have the intelligence to figure out that as an art website you need to have backups VERY frequently.
I have other questions like, "how do I get rid of the 2 non-existent comments my notification bar says I have," but that isn't as important as the glaring issues I asked above.
Look, I love FA, I love the layout, and it's where I get a lot of business, which is why I get so angry when this shit happens. This site is and will always be the biggest furry website, and for that reason, you need to start taking this shit seriously and be on top of things. This site goes down all the time, and it's unacceptable. You need to step up your game and actually give a shit about the website that you're in charge of, for everyone's sake.
Hopefully, the source code leaking will be the worst thing to happen to FA in a long time, and I really hope that this event is the kick in the head that gets the staff focused on getting serious about making sure this kind of thing doesn't happen.
There's an old Russian saying, "One won't cross himself until a roasted chicken pecks his butt"
Or if you prefer, "locking the barn doors after horses got stolen"
there was a glitch that did this a while ago, iirc you can fix it like this: the next time you get a notification in your inbox, select all and delete the selected instead of nuking everything and that should set it straight.
2: Because we do not currently have the resources to do daily or bidaily backups. In another couple of months we might have. (I do not have direct insight into the hardware/maintenance side of things, so I don't know how far along exactly preparations for more frequent backups were.)
I get that you're frustrated and irritated that the site went down and some data was lost. We don't like it any more than you do. But please do not accuse staff about not caring about the website or its users - if we didn't, we'd just walk away from posts like yours accusing us of not "giv[ing] a shit".
That 80% complete rewrite wasn't thrown together in two days. We have people being very serious about ensuring the site continues to function the best way it can, and this has been the case for a long time.
2: I would think that this kind of upgrade would be the first thing on the "to do" list. It just seems very odd to me that this wouldn't be the first priority a long time ago.
Actually I'm not frustrated at all that the site went down and some data was lost. It's irritating sure and has hit some people hard, but that isn't why I'm frustrated. I'm frustrated because it was avoidable and should have never happened in the first place. It feels like staff "doesn't give a shit" because the issue wasn't treated with severity until it was too late, and it took 6 hours before anyone told us what was going on. This event was pretty much avoidable at many points in time, but no action was taken until after things broke. See, it feels like staff doesn't care because FA always breaks before anyone decides to fix it, instead of making efforts to have it not break at all. It takes a serious event like this before any updates or changes happen, instead of staff making changes before in order to help prevent issues. To be fair you guys probably already do plenty of updates that do help the site that we don't hear about, but still, that lack of urgency and frequency of downtime makes me feel like nobody cares.
I say all this because I want the largest furry website to be better. I get frustrated because I care. And this has nothing to do with you personally. It's about the staff as a whole. In the end, nothing I've said here really matters, what happened happened. What I hope is that the right lessons are learned from this. I also hope I'm not banned because I got passionate about something I like. Because believe it or not I like FA quite a bit. If I didn't care I wouldn't be bitching so much.
Unfortunately not everyone is as understanding as you are. Let's say, to pull an arbitrary number out of the air, that verifying the code would have taken 12 hours - my understanding is that this verification was not entirely complete by the time the attack was launched. Twelve hours of downtime over a "maybe" is a huge gamble. In hindsight, yeah, it would have been a great idea, but hindsight tends to pretty universally have a better prescription than at-the-time overview of situations. It's a bit of a lose/lose situation.
We've got hardware that's 8 years old, and that's after already having done upgrades/replacements of some of the oldest gear. I don't have great insight into the server setup side of things, since I'm not tech, but my understanding is that replacements have been triaged based on need as well as component age.
There are multiple reasons why a statement was not made earlier - we wanted to have a good idea of the damage done before saying anything; if we'd immediately issued a statement to the effect of "the site was taken offline due to a hacker attack" it would most likely just have resulted in panic, which would have helped no one. We also wanted to give IMVU a chance to review our statement before posting it. With that in mind, it was made as soon as we were able to do so.
See, it feels like staff doesn't care because FA always breaks before anyone decides to fix it, instead of making efforts to have it not break at all. It takes a serious event like this before any updates or changes happen, instead of staff making changes before in order to help prevent issues. To be fair you guys probably already do plenty of updates that do help the site that we don't hear about, but still, that lack of urgency and frequency of downtime makes me feel like nobody cares.
That's the problem with backend updates, unfortunately. Efforts are made to prevent things from breaking in the first place. Sometimes they work, and then nothing much happens, and life goes on as usual. Sometimes they fail, which means we're in a "FA breaks" situation to some degree. Since only the "FA breaks" situations are visible to the end user, no matter how hard tech works, the perception is liable to be "nothing gets fixed until FA breaks" due to confirmation bias if nothing else.
I wouldn't call FA's downtime in the last year or two particularly frequent, personally, but I admit I've not marked it on my calendar. It is the kind of perception that is quite prone to confirmation bias, so just be wary of that.
Just understand that we care about the site, and its users, quite a lot. A good chunk of us spend significant portions of our lives, or of our free time, working for the site without pay. We wouldn't be doing that if we didn't care.
I have 2 Notes in my notifications yet when I go to the note section I have no new notes.
Though attacks are going to happen again.
I'm pretty sure the list of things people hate most would go
1. hitler
2. isis
3. the Taliban
4. child molesters
5. rapists
6. the DMV
7. furries
and
8. getting shot in the face!
but then...
there's still unanswered questions...
Who did this? (BLFC is a bigger, crowded con, somebody has to know.)
Why does this keep happening? - https://www.cloudflare.com/ <== wasn't this supposed to be preventing the attacks?
What ever happened to the FurAffinity donations? - are they still property of fA or belong to IMVU since fA was bought out by them? The security of a website is a very important concern for users and possibly investing in tighter security implications could be worthwhile. As users continue to invest in the site in hopes of improvement, pushing that forward seems to be taking awhile (just my gentle criticism, not meaning to be rude here.)
All of that aside, myself and others appreciate the staff working quickly to bring the site back up.
Cloudflare only prevents DDoS, it's more like a shield to buffer incoming traffic. This attack was done through an exploit found in a plugin called ImageMagick. FA did fix it pretty quick (within two days) but by then the damage had been done and the code had been stolen.
From what I can tell, donations are used to fund the site's hosting and hardware for the most part. There only seems to be two people working on coding, and one of them is the guy who wrote the clusterfuck of code in the first place.
Fur Affinity is no longer taking donations, and has not done so for quite some time. The donations accepted in the last donation drive that took place months before the sale of the site were largely or entirely used at the time to pay for improved Cloudflare protection, new hardware, and other site improvements, as well as to pay for donor incentives (which is a normal part of any donation drive featuring physical-product incentives).
It's good to see everything back up and running but the moral of the story is never help FA.
I
1) Keep posts civil, constructive and polite
2) Keep posts on topic to the post at hand
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
Guess I'll have to rebuild!
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
I don't blame them for the attack, but this much information shouldn't be lost. I'm lucky - I only lost one submission and a couple watches. Some people completely lost dozens of pieces, including commission things and YCH pieces. And yeah, about using other sites and keeping records, but people count on this site and there's no reason this much information should have been lost from this attack.
And I mean, it's nice that you know what tools "being purchased by a company" gives them, but just entertain the fact that maybe FA already does what it can with the resources it has. Unless, of course, you think that Dragoneer is out there taking money baths in all of your hard-earned $20 bills instead of putting them toward the equipment and software licenses and manpower work hours and general betterment of the site?
The reason for the weekly backups is plainly explained above -- it's what their current hardware can support, and they are looking at upgrading it -- so I guess you can take it or leave it. I'll pose this to you though: FA has objectively been more stable since it was purchased by a company. Downtimes have been fewer in number and shorter in duration. Dragoneer and others have been able to devote their time more completely to improving the site because it's a job now instead of something they do in their free time. The site has seen improvements, both in UI and in the backend. Code is being rewritten, a brand new version of the site is being put together, and hardware is being updated pretty regularly. It's not like these guys have been sitting on their hands all this time. Just because it's not plainly visible to you doesn't mean it's not happening.
So while I think daily backups would be great, I also think we need to step back a bit and be real about this: FA is a constant work in progress, and it does what it can. Right now, what it can do is weekly backups. When they are able to get their equipment upgraded, it may be daily backups instead. But I guaran-damn-tee you that the second they begin daily backups, the same people bitching in these comments will be bitching that daily backups aren't enough. Moving goalposts is a bastard like that -- nothing's ever good enough, and everyone's always pissed -- and there unfortunately is a contingent of this fandom that specializes in it.
And again, yes it's what the current team has, but my point is they SHOULD have better. Dragoneer has known there were holes in the code for a long time - it's the reason eevee was angry enough to use them back when he was working on the code. FA has a huge history of knowing problems exist but refusing to fix them. That's not even speculation, that's how it's actually happened several times in the past. So they have known a long time that all these problems existed. The exploit wasn't their fault, I agree with you. But FA is a big site, as Neer keeps pointing out, with a ton of traffic and userbase. That means it's a target, and it's historically been a target dozens of times over the years. The fact they never fix the code is a HUGE issue. And these fixes only took a day to do. So let me ask you, FA has been owned for a year by IMVU now; why was there never a day to fix something as important as problems in the code prior to a huge attack like this?
Yes, it's been better, yes there's (supposedly) a new rework that's almost done. But how could they have missed something as big as the coding of the entire website being fixed in that time? I mean, that seems unreasonable, don't you agree? There's no reason that known flaws in a big website should be left for more than a couple days, let alone a year when they're funded. FA also had a huge donation drive right before being bought so it's not like they didn't have the funds to spend a day fixing it. IMVU also (according to this journal) had people help after the attack. I find it hard to believe (read; impossible) that the company wouldn't have loaned them sooner had Dragoneer told them of the errors and holes in the coding and wanting to preemptively fix them. This site has a history of ignoring issues until they are a problem.
And you're right, some people will never be satisfied. But that doesn't excuse why there wasn't better hardware bought. I fully believe it was within their ability to get and that they just didn't. FA is a profitable site; that's why IMVU bought them, that's why Dragoneer owed something like $10k to the IRS. I acknowledge that for a long time this was a part time job for Neer, and mods/admins still don't get paid for their help. But the site has been profitable enough to turn a profit and be able to afford better equipment, especially now that it's owned. I have to disagree that my thoughts are just musings from someone who knows nothing. I may not run a site or deal with coding work, but I've worked for several places and have enough thought to say "hey, this is something that should be a huge goal," especially with previous attack history and all the holes in the coding. I don't think anything you've pointed out has excused those mistakes.
I mean, we are backed by a "mega corporation IMVU" now. Don't you think a big company like that could do their homework that even a smaller website like Weasyl could take note of before shit hits the fan and their userbase gets struck down?
You don't have to be a demigod to be knowledgeable about the software you're using and make use of the constant patches/announcements that your platform freely hands out, now do you? Or was Elder Scrolls Online that much more important than doing basic daily checkups? Then again, methinks that his time spent in a magical digital fairy world is more important than keeping a site for furry artists stable.
You sound like you're bound and determined to be pissy about this and everything though (seriously, what does ESO have to do with anything? Haven't you noticed that FA has been more stable than ever since that dang fascist IMVU takeover?), so I won't stand in your way. Godspeed. /salute
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
O Dragoneer, hero of thy craft, of thy way of life, glory be thy name! Shed that but an inkling of your grace upon thy life, for thou art pure and whole in thy ways and blah blah blah~
In no way did I suggest you needed to give blind praise, however we do expect you to be civil, and calling someone a sellout is hardly what I, or most people, would consider civil behavior.
Or are you just upset that I mentioned the IMVU sell out? Because that isn't an exaggeration, it's a fact.
And no, it is not fact. It is your opinion, and while you're welcome to have an opinion, you should try to be more respectful in how you share it. This was neither the time, the place, nor the way to do so.
Please do not continue to argue over this.
You're welcome!
Fucking morons
The only way people would move to a working one is if this one dies for good.
That site has gone to shit my friend
I was banned from there because I was accused of sexual roleplay there, I don't do that stuff. The DA staff are heartless monsters
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
Yak has missed out on a lot of sleep over these past couple of days, and deserves all respect for the work he's put in.
While it's been mentioned that daily backups are not a good idea, I recommend you take incremental backups of the site data, as well, going forward. It won't stop the site from crashing if/when there's another attack (pro tip: you're on the public net, you're open for skript kiddiez), but it'll minimize the data loss down to a maximum of a day. Also, if you can manage a mirror server for failover purposes, do it.
Keep up the good work.
I have to say though, a breach of this magnitude, where the very code that makes up the site has been compromised, has me concerned for security. I trust that you've closed the vulnerabilities you're aware of, including the one that allowed for this deletion of data, but I'm worried about what other exploits and vulnerabilities there may still be. I admittedly don't know much about coding and how access to that code works, but to me it doesn't feel like 36 hours is enough time to thoroughly audit the entire site's code and make sure that using FA is necessarily safe.
I guess time will tell how things turn out, both in the short term and the long term. For now, I'm glad things are mostly back up and running. Thanks for your work. :)
Makes me want to stick with SoFurry...
I don't get people sometimes. >_>
Thanks for getting it back up guys.
Talk about your overdramatics. Now, I'm not saying that what you claim Dragoneer did or didn't do wasn't wrong, but I -am- saying you're seriously exaggerating the severity of it by comparing him to corrupt government officials.
I understand that there is much, much more going on under the hood to take care of and rework, but if we are being honest here, FA hasn't changed much since its inception in 2005.
I would motion for the site to be rebuilt from the ground up, but I am not certain that the lead programmer or programmers would be too keen to have to build this from the ground up again.
But it seems clear now that it needed to be done some time ago.
Though, for my own curiosity, are there any hardware changes being planned?
Saying you'll change is one thing. Doing it is another. After many, many "I'll change"s, many broken promises, and empty "I'll be more responsible!"s, I really do hope people now take a long, hard look at what this site has to offer, and those who are in charge.
And if you're feeling saucy, take a peek at their journals, go back a few years, and look at how many times the words above in the journal were said.
There was nothing they could have done.
My hubby works in security and testing for his company. He said even his company would have fallen and wouldn't have been ready to go for about a week.
Someone had code. That's not a hole or flaw in anything they did in the computer world but in the real world that they couldn't have guessed would happen.
Let up a bit will you?
I see you're always on FA staff's butts every time there is a problem but this one really couldn't have been prevented
FA's code has always been super vulnerable and with more holes than Swiss cheese. Being upset here comes mostly from how this could be mitigated waaaaay easier if only they had actually done what they should have done years ago as a responsible team, instead of waiting till someone abuses an exploit before they patch it (which, if you have knowledge of this site's history, happened with pretty much all known exploits in it)
(things get obnoxiously quiet here around 11 PM)
I stick around because this is where everyone is at, but it's in everyone's best interest to look into backup sites as well.
Regardless, I love the community here, so I'll stay.
For now~
Edit: That's not to say having multiple galleries is a bad thing, but rather not to assume that it'll be a good idea to move there just because it picked up for a few days.
maybe one day people will get the idea and move over.
If EVERYONE left once FA was back online, then nothing would change.
So, I'll be using other sites in tandem with FA
Someone found an exploit in Imagick and somehow used that to obtain FA's source code.
FA realized this had happened and closed the exploit.
Someone used the knowledge of the source code to take the site apart... through the Imagick exploit, to get in to do so?
???
Or were they using other exploits they found by examining FA's source code? Not really clear on that. Has that subsequent exploit been closed? Big lack of info here.
Many times, vulnerable code is found in popular products, and site owners apply patches as soon as they find out. Keep in mind that the average IT person still has to sleep, and that they may not read about a vulnerability until hours after it's announced, or sometimes days, if the announcement is over a weekend or a holiday. Financial sites like eBay and Amazon have teams of IT people dedicated to real-time security 24/7. Your average site the size of FA likely has only one or two people catching these things, so hackers can often get those valuable extra minutes or hours needed to get into a site. Once in, they can do a whole lot in a very short time, usually without being noticed.
So, even after FA was patched, no one knew that a hacker had already gone in and copied the source code. The hacker also likely left one or more pieces of software on the system to enable them to get back in after the ImageMagick vulnerability was patched. The hackers probably did all of this in a matter of just a few minutes to avoid detection.
Twelve days go by and FA is made aware that someone might be passing their source code around at a con. They manage to get a copy so they can see if it really is FA's code, or just a stupid hoax. By the time they are discovering it is real, the attack is launched. People's accounts, submissions and watches are disappearing. FA decides to shut down to stop the damage. It is likely that the hacker would have done a lot more; the hacker was probably interrupted in progress when FA took the whole site down. Once the submissions and watches were gone, I'm sure the hacker would have moved on to notes and journals. They would almost surely have gone on to copy user emails to bulk sell to spammers for money. They probably couldn't use any of our password data, as they are supposed to be hashed and salted. I don't think there's a feasible way to extract the plaintext passwords from what they could steal. If good enough, and no one was available to shut the system down, they probably could have even deleted any on-site backups that were accessible from the main system. Shutting FA down when they did almost certainly saved us from a lot of misery.
They didn't use the ImageMagick exploit to get in the second time, since that hole was patched. They may or may not have used a vulnerability in FA's code that they discovered from the leaked USB copies. FA may or may not know that for sure. More likely is that they used backdoor software that they planted on the system while they were stealing the code, that software being for the purpose of letting them back in.
It doesn't matter how good FA's source code is if a hacker manages to plant some of their own software on the system via the ImageMagick vulnerability. Such software is usually designed to purposely allow a hacker back into an otherwise secure system. That's not saying there aren't issues with FA's code, but there doesn't need to be for this to have happened. The ImageMagick vulnerability was enough. Now that the FA code is out in the wild, if there are any vulnerabilities in it, they can be found and exploited, unless FA successfully finds and patches all of them.
Some people gripe all the time that the code is bad and full of security holes, but that usually comes from people who can't possibly know for sure. The code may be old, but that doesn't mean it is insecure. Actually, if it was as easy to hack as some people suggest, then hackers would not have needed to wait for the ImageMagick exploit in order to get in and do their damage. They would just exploit the code itself at any really bad time, like when most of the staff are at a con or something. I think the code here is a bit more secure than the average person thinks. It's never going to be perfect though. No large amount of code ever is. The hard part is continuously discovering and fixing vulnerabilities before hackers can discover and exploit them.
I think FA did pretty well with this under the circumstances. I just hope they can stay a few more steps ahead of the hackers in the future, because I don't think people who do these things will ever give up.
; v ;
Thanks for all the hard work!
Just had a thought.
:3
Code nerding right now. X3
Thank the fluffy-noodles in the sky that BLFC and IMVU helped with the situation as well! This could have been a lot worse!
Thank you for taking such good care of the site, and thank you for saving our tails! You certainly do your jobs well ^.^
I always worry a hallmark will just be something stupid again
You know, actually, I'll refrain from making any political statements. I don't need the resulting headache.
It happened because of an exploit in a plugin called ImageMagick which was patched, but it allowed someone to upload something that could duplicate the site's code which allowed them to access the site through exploits and security holes in FA's coding.
Another thing I read is that the drives weren't passed out by hand, but left in inconspicuous locations like on tables and in bins. FA's had its coding exploited before by people who don't work on the site but just hate it for any number of reasons. So assuming the people involved are ex-staff seems unlikely (I can only think of the most recent guy who was given access to FA's code, as he was threatening legal action against the site and IMVU and seemed really upset).
This is all speculation though. There's no evidence of any one person's involvement.
Glad to have a pleasant conversation with you! Have a good one!
And no problem! c: Have a good night.
The code was obtained via an exploit recently found in the server library ImageMagick. The contents of the USB drives distributed have been reviewed and the code distributed matches that timeline. We have no information as to why the individual who downloaded the source code decided to distribute it at the convention, and it doesn't really matter right now.
The ImageMagick patch should have really come into place as soon as the threat was announced. Most other websites affected immediately took action within hours of hearing the news.
Unfortunately, news happened to not reach us until May 5. (The patch was, as I understand it, released or widely publicized on May 4.)
All in all, I just shake my head at the people who do these kind of things to the site and all of the drama and blame game stuff surrounding it. Some people have no lives and no conscience about who they may hurt with their actions.
It's a beautiful day outside.
Birds are singing, flowers are blooming...
On days like these, eye-popping-banner-making advertisers...
SHOULD BE BURNING IN HELL.
IMHO, of course.
It's a shame regardless but at least the timing couldn't have been better lol.
I hope you find out who was responsible for this. Whoever it was, you'd think they would have something better to do with their lives than to attack a website like this one, but no. That's all I will say on the matter; I don't want to get involved in this blame game that's been going around.
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an entirely appropriate comment for a site newspost; specifically the last two clauses.
But I suppose if we're all a joke to you, at least then we can take comfort in the knowledge that we bring you some amusement.
And I'm sure there are better ways of trying to put egg on all our faces than an illegal act that does far more direct harm to the site's artists than to the staff.
I'm still baffled you guys don't have daily incrementals running (space intensive, yes, but regular backups and proper encryption are extra important considering the site's known issues with being outdated/old/unstable/etc.). Still, good on you for doing an audit and getting it patched and back up so quickly.
Do like 3 of them a day, like any other reputable business.
At least this site's back up.
Just gotta wait for a commissioned art of mine to be reuploaded.
Really this is further evidence of 1. Don't use FA as a means to contact anyone. 2. Always back up your shit on the regular.
Not only am I expecting a flood of "where to find me" journals which become useless when the site goes down again but, also another "I'm quitting FA and going to (insert artsite here)"
Which is hard to almost impossible for some furries who are lucky enough to have a huge following and get a decent income. Trying to establish yourself elsewhere is just difficult because not everyone who follows you will know or be willing to follow you on other sites.
Someone I just started watching and talking to a few days ago is now completely gone from the system, like she never existed.
Unless someone else beat them to it after the site was brought back up, of course.
OH SHIT, that reminds me, I gotta sign in on my old Xbox LIVE account before they make my gamertag available for use! DX
What will be the solution to compensating those who bought advertisements for their lost time and revenue?
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
But I suppose if we're all a joke to you, at least then we can take comfort in the knowledge that we bring you some amusement.
Seriously though, some drama llamas are taking it way out of proportion
I lost one image and one Watcher (who Watched me back again), but it's okay. I have the info I typed up on DA so I can copy it.
I'd hate to see FA just suddenly flat-line and never recover. But I understand that all good things must come to an end. But I'd hate to see it end by an attack from some lowlife hacker.
You know that the source code has leaked now and was in some way used to break into the site.
So you locked down the site and rolled back.
And then you brought back the site using the exact same source code that was used before/when the break-in occurred.
Please tell me I'm wrong on this one, otherwise it's another break-in waiting to happen.
(or maybe they changed something but won't tell us?)
Anyways, I DO hope the metaphorical roasted chicken pecked their butt and the code rework will be done.
No, seriously, though, we are not using the exact same source code that was employed during the attack. A security audit of the code was performed while the site was down, vulnerabilities were found and closed up, and any remnants of the attack (which might have been used to facilitate further interference with the site's operation) have been cleaned up.
glad to see they're hard at work /s
Thank you FurAffinity Team for everything you do. We take this free website for granted and your team deserves praise. Thank you for your constant hard work to keep this site going.
-Dox Fennik
What a shitshow
That's a huge loss.
Besides, really important things like notes were not affected. Submissions can be reposted (every sensible artist keeps copies of theirs and uploads them elsewhere too). Watches find their way back.
For a free to use site you can't assume them to have so much resources to backup all content constantly. The Internet isn't a magical cloud where everything's safe.
Entire bulks of information accrued over a week, gone.
And we've been told before that we'd have a backup system working daily "soon".
It's not about what can be salvaged, it's about what can't be and how often this has happened.
We already know FA is unstable and from their history we know that things are handled badly, so why do people expect them to suddenly do well.
This kind of severe hack is just plain disastrous. If the notes were affected many artists would be in deep trouble right now in regard to client communications, but we have luckily dodged that bullet because the attackers made the oversight of focusing on deleting the replaceable submissions.
I'll be honest though. This kind of shows that FA is pretty vulnerable and that it REALLY needs to get improved asap. A week of data lost is pretty bad by current standards and the way attackers could go and delete all submissions is kind of embarrassing. I'm with the many that cry out that this site can't just keep coasting along in its current state. Hopefully this disaster will put some extra fire into the development efforts!!!
It is important to understand, however, that all sites will have vulnerabilities. The question is merely whether third parties discover them and have the inclination to use them maliciously, before those vulnerabilities are caught by internal staff and patched up.
Now it's time for me to go get lost in all that furry artwork I've missed out on
^.^
Well, my deleted art doesn't bother me because I can reupload it; I'm glad the site is back.
Furry is much stronger than dumb anti-furry haters think!
I love you guys for this hell of working on precious FA code! You are gods!
Glory to Furry
*hugs*
http://csrc.nist.gov/publications/n.....4/SP800-94.pdf
https://www.google.com/search?q=ope.....vention system
Maybe look into an open source system such as Snort. Maybe IMVU can provide some funding to get this into place paid for by the mountain of ads this site is buried under.
Lost all the watches I gained from BLFC, but that's better than losing my entire gallery.
Welcome back and thank you for both transparency and quick action! :)
They have better content anyway.
I thought it was a decent site until I saw all the cub porn. So now I just use it as a dumping ground for old work
But tbh, every furry art site when you look at the layouts, code or even the people running it can be PPPPPRRROBLEMATIC to some sensitive babbys, but you gotta pick and choose which site is more catered to your tastes/style/userbase you're aiming for. Like I mostly draw Sonic crap so Inkbunny is great for me, Weasyl not so much as 99% of its users are tumblr incarnate and I hate that shit, but I'm gonna be trying out Varka's Furry Network and see how that goes since that's new.
1) Keep posts civil, constructive and polite
This is a gentle reminder to please consider your fellow users when you comment on newsposts. It's really rather disrespectful to dismiss babyfurs, diaperfurs, and related groups as "pedofurs", particularly considering the social stigma associated with pedophilia.
1) Keep posts civil, constructive and polite
This is a gentle reminder to please consider your fellow users when you comment on newsposts. It's really rather disrespectful to dismiss babyfurs, diaperfurs, and related groups as "pedos", particularly considering the social stigma associated with pedophilia.
On a side note, I appreciate your work in how you're on top of explaining stuff and helping users with their questions about all this.
what is it
I hate not being able to contact people but thank you for quickly and efficiently getting the site running as well as you can until the new code is finished c:
Thank you FA staff for getting us back up and running. I know creating backups as often as others might like can be hella expensive and am just glad the outage was relatively short and losses minor, thank you for being transparent.
1) We've never promised the site will never be brought down or compromised ever again. That would be a ridiculous promise to make, and even, say, Google wouldn't do that.
2) The issue that brought the site down about a year ago was a major DDoS attack, if memory serves. DDoS attacks and targeted hacks like these are like comparing an army to an assassin. What stops one does not necessarily stop the other. Our DDoS protection was significantly improved, and our code has continually been updated, but an assassin slipped through a hole that hadn't been found and patched up yet and caused some damage.
3) If by "this problem" you mean "occasional downtime" then no, it will never be completely fixed. Because, as noted above, 100% uptime is not feasible even for the online giants. Similarly, 100% free of code vulnerabilities/bugs is not something that can realistically be expected of any code. ImageMagick is 25 years old and open source (meaning a lot more coders have worked on the code than on FA's, for a longer time) and it still had a vulnerability that allowed the initial download of our source code before a patch could be installed by our techs. So saying "this problem will [never] be fixed" may, depending on your definition of "this problem", be technically correct, but if you make that wide an interpretation it's no longer a useful statement. It's sort of like saying "some people die after drinking water". It's true but it says nothing about how dangerous it might be to ingest water.
Apologies if I misunderstand, but the known issues info seems to suggest that I'd have to delete all my watch notifications and... what, all my notes to clear it?
How can I clear notes when I need to keep a lot of those (at least for the time being). And I have no watch notifications there at all to clear?
I guess I'm just a little unclear what I need to do in this case to make it display the correct numbers?
And as for the watches, I currently have no new ones, so I guess I'll just have to wait till I get a new watcher to be able to do so?
If this comment goes against the AUP, good. Might be the most that FA Administration has ever done, deleting a comment.
Fixes and updates of site code have been happening on an ongoing basis. The fact that someone was able to execute an attack does not disprove this (and couldn't, as it's true). It sucks that the attack happened. You have every right to be upset, and I'm not trying to deny that. But please do not suggest that staff are lazy or otherwise disinclined to pull their weight.
The break in was a result of something that was not to be known or even anticipated, and though prepared for, it still broke in. FA is in the same place many companies are or were in, and eventually they'll have a structure more resilient to attack, but that cannot happen in a day.
Site security and monitoring systems have been continuously upgraded, that I know for a fact, since certain more easily usable yet still very strong infiltration methods are completely useless, compared to prior testing. The coders are pouring all their free time into trying to fix the bugs, and unfortunately, user comfort does not come before site security, which is understandable, since there needs to be a secure place for users to feel comfortable, otherwise they're essentially sat in the open.
I hate the fact the attack happened, yes, so too do many others, and yourself included I expect, but that gives nobody, not even myself, the right to make rude, loathsome and insulting comments. You, as the administrator in charge of CoC enforcement, are likely under extremely unwarranted amounts of stress from the amount of comments and posts flying through FA and this journal on its own, and I am sorry for my rudeness in claiming that you and the other admins are lazy.
To everyone else, just wait a damn few days, they're doing it, not even I could do what they're doing, I'd fall asleep halfway through the first algorithm. So keep your tails on, and go have a coffee or something. Be thankful they got it up this quick, often this can take weeks on systems half the size of FA.
And as for my knowledge of the power and authority of the administrative team, yes, I know, I'm just prone to extremely dumb cheekiness, which I regret often.
##smallFAartisthype
also jfc people READ before you post "Why isn't my X working??", "What happened???" or "why is X showing me the wrong numbers after I nuked it??" like it's right there. IT'S RIGHT THERE IN THE SECOND PARAGRAPH AAGHHH
1) Keep posts civil, constructive and polite
Just a gentle reminder that yours... may not be an appropriate comment for a site newspost.
You know what you do when people leave a moderately mean comment on a site update article? You ignore it and move on. People need to vent, but issuing warnings for something that kindasorta maybe breaks the rules (but really doesn't otherwise you'd actually hide the comment) is absolutely ridiculous and you know it.
Hostile comments breed a hostile environment. I understand that you may not agree with me, and that's fine. You are not obligated to.
I understand your wish is to create some sort of "safe place" that's devoid of harsh criticism but silencing people is not exactly a good PR move especially when PR for the site is already at an extreme low sans the white knights. The only posts we censored at Amazon were any that were blatantly racist, violent and flat out harassment. Harsh critique involving facts is not harassment no matter how you slice it. Rather than complain about someone saying "You failed"... do what other businesses do and own up to the responsibility. Your team did fail. Security was breached and 6 days of data was lost. That's not being rude or harsh... that's just flat out truth.
In any event it's pretty much common knowledge how outdated site security actually is and I'd argue this is a result of pure negligence on the part of the development team. I have no doubt an independent 3rd party investigation would prove this. Also considering the fact a site the size of FA being corporate backed for quite some time now had not already had a daily backup protocol implemented is also a part of that failure especially with the added advertisement users of the site now have pushed on them. You've got your dailies, your weeklies, monthlies, quarterlies and annuals. I mean quite frankly this is Network Administration 101 and something someone either on your team or IMVU dropped the ball on.
Administration wants to treat the site like a business with all of the NDAs and keeping information secure, etc etc... then, from our perspective, it needs to start behaving like one from getting more up to date security, a proper backup protocol in place and none of this censorship nonsense because your team doesn't like what's being said. In business the customer has every right to bring even their harsh criticisms to representatives of the business, such as yourself or these news postings. We don't do nonsense like censorship because we find the comments hurtful no matter how much we'd like to give the customer the middle finger.
FA, or rather IMVU, is rather fortunate people are not preparing for a lawsuit right now especially given today's climate of how seriously people take even something as mundane as an email address being safeguarded and the courts do tend to side with those who have had their information compromised. So, take from this whatever you will. I've rebuked your argument to my satisfaction. I understand you may not agree with me. You are not obligated to. You're a face for FA. It's your reputation at stake, not mine.
Also the copy/paste of the site rules to people is kind of insulting as well as comes off as passive aggressive. To me, it seems like he's the one being uncivil and provoking.
"FA did not do a good job on keeping its users safe from a hacker attack by letting a hacker stay in the system for a long enough time that they are still unsure on what they stole and if there's a full on data breach."
In the case of your comment, it was primarily not constructive, though since you're stressing the point I'll concede that, yeah, it was kind of uncivil, too.
The site was brought offline as soon as we were aware there was a breach. The reason we cannot be 100% certain (though I will stress we have no evidence to suggest that other information was accessed) is that the previous attack could potentially have made it possible for an attacker to doctor log files to hide what they accessed.
Basically, if there's any remote possibility that e.g. encrypted passwords were compromised, we're going to recommend users change their passwords to be safe. It's better to change your passwords one time too many than one time too few, wouldn't you agree?
Also you are telling me info I already know - however Dragoneer did say on reddit the hacker was in there for hours so you know there is that. So once again FA failed to keep its users' data safe by not closing FA asap instead of waiting to see if it was a joke or not. Knowing FA's history that's a silly move and closing sooner would have saved people a lot of problems.
Edit: now that I think about it you might want to change that rule to 'appropriate' it would make a lot more sense you can't quote a rule to me to keep it civil then NOT mean that.
I have no clue what you are talking about regarding Dragoneer making such a statement on Reddit, as it does not at all match the knowledge I have. What I know offhand he has said was that the security patch to ImageMagick was employed within hours of it coming to tech's attention, and that hours passed between tech receiving a copy of the data from one of the distributed USB drives and starting to review it to see if it actually posed a realistic risk, and the attack actually being executed. During that time, no one had any reason to believe someone had entered the system, and closing down the site just in case the data on the USB drives was the real deal before it had been analyzed just because it was alleged to be FA's source code would not have been particularly responsible.
"If someone found a hole in the fence...you also spend time having someone double check on the INSIDE of the compound instead of just patching the hole in the fence"
in other words if someone found an exploit you should also double check if something else had happen which we had 12 days.
You don't have to shut down the site but maybe...that security audit should of happened in that 12 days period after the initial event.
But since the attack have happened...there is a chance that source code is now online
The argument is this: Why wasnt this resolved earlier?
This isnt the first time FA's been hacked and situations like this occured. So the question is, why are hackers STILL getting in?
That's how software development works. You write code, you find bugs in your code, you fix the bugs. Repeat ad infinitum.
There is also the matter of "just in case", as again there was a "12 day gap" to check if something else had happened, and currently no information provided states you guys were checking on other things rather than just patching the exploit used.
If the team had taken the site down and started the reworking then, as they should have, considering the circumstances, then by the time people wanted to try to use the info of the source code it would be pretty much null. But nope, since the team didn't see any signs, you say there was no reason to think there was any intrusion, instead of assuming there might have been just to be sure.
You're skirting the issue. There's no question of it. Hackers got into the servers and deleted information. Information was accessed which means that all sensitive data needs to be treated as compromised.
Please do the right thing and urge people to change their passwords and email addresses. In the long run pretending that an issue doesn't exist in order to save face is going to hurt FA's already damaged reputation more than any attack on FA ever will. The important thing to focus on now is repairing the damage and alerting the community to the danger. Not just trying to make FA look good by saying everything is okay.
Q: How does FA encrypt passwords?
A: All passwords are hashed and salted. We are still encouraging users to change their passwords as a precautionary measure.
We are encouraging users to change their passwords. I'm not sure why you're insisting that we're trying to pretend everything is okay or that an issue does not exist. There is a difference between "we have logs showing that the password database was pulled" and what we have, which is "there is no evidence showing that anything was accessed outside of the data deletion, but we acknowledge that the nature of the attack makes it technically possible that our logs were doctored".
To me, reading them implied that the possibility of data being compromised was still under investigation and that the recommendation to change usernames and passwords hadn't been made yet.
It would appear I misunderstood your post and I apologise for that. I guess I got so caught up in my concern for the userbase here and in reading the comments that I neglected to read the OP closely enough. Sorry for my misunderstanding there.
I guess then I'm reiterating the same thing you guys are, that safety and security is paramount.
Do you people even have any security personnel? Or maybe bots to lock the site when there's an attack in progress like that? Something?
As for "lock bots," I've seen sites that prevent some things like mass editing and deleting.
The avatars are always named as your username.gif, and appear to be linked to people's accounts only by their username. If you recreate an account with the same username, the avatar is already there for you. Anything else that is linked by username, that was not deleted, would likely be there when you recreated the account. The hacker apparently was interrupted when the system was shut down, before they got to our avatars, journals and notes.
If you could clarify what you mean by "zero pics displaying" that would help figure out what the problem might be.
What I meant was no icon/thumbnail... in fact, not ANY image is displayed. All show up as a "broken" symbol.
Anyway, I'll be monitoring this event with and without proxies & update you if there's any change.
The username doesn't exist anymore.
How? Please tell me I'm not the only one whose account just got WIPED
I have the issue that I have one unread comment on a submission that was probably rolled back and deleted, but the notification is still there. The comment is not in my dashboard, however; not as removed by user or anything. So I have no way to get rid of the notification.
Any suggestions how I can solve this?
Where do we go from here
The battle's done
And we kinda won
So we sound our victory cheer
Where do we go from here
When we know hope is near
Understand we'll go hand in hand
But we'll walk alone in fear, tell me
Where do we go from here
Good grief, you people are far too invested.
lmao
I took a networking and security class in college; if you have good countermeasures and people who know how to get things running quickly, then attacks like this won't occur and potentially compromise people's personal information.
A: All passwords are hashed and salted. We are still encouraging users to change their passwords as a precautionary measure.
The answer is answering nothing tbh. Would be nice to know what hashing algorithm/s and salting is used.
So no I don't think hiding this kind of stuff anyhow hurts the security, on the contrary. Especially if codes themselves are leaked.
it's almost 10 years after that exploit got patched and man. badfurday was right, dA is horrible. :7
but tl;dr is every site has its bugs, exploits and holes, but it all depends on how they take it, how transparent they are to the users that this was an issue, what got damaged/lost/leaked and how it happened. Even major social media sites can get crippled by an opportunist if a bug is major, so much so that a lot of big sites will actually pay people who find bugs in layouts and code so disastrous exploits like this never happen.
but I gotta say well done to the staff in dealing with it so quickly.
Unfortunately now everyone is trying to re-upload; I did one then figured I better wait a while till everything cools down.
Good work on containing the breach and getting things back in order, and if you are actually in the process of revising how the code is structured for this place, good on you and best wishes, but this should never have been an issue to begin with. We've been trying to tell you guys for years about the necessity for heightened security, and we keep seeing incidents happen. You guys need to get your stuff in order, and fast.
The donations people made to the fund this past year haven't been enough to keep this page running without getting troubles like this. People around here look very optimistic about what happened here, but I see this page go offline once or twice a month; today it's at full speed, but as time passes it gets slower. I don't know how servers work, but compared to other art sites I see Fur Affinity has very big flaws in how it runs.
Hope I don't get banned by quoting_mungo or admins just for saying an opinion. I really doubt and distrust whoever handles this page, but I have nothing to do but keep sticking around here because this page is the one most claimed to be the "Biggest furry community", and I wanted people to see my drawings too.
You will not get banned for asking questions or expressing your opinion. The best thing to do if you don't understand something is virtually always to ask, after all!
And sorry for being very upset with you, but the removal of my drawings was something I can't believe happened, though I know the only way to recover my drawings in my gallery is just to upload them again.
Quick reaction to the ImageMagick issue :)
As a web developer myself, it's interesting how someone can hack the site only(?) with the source code.
So keep your db-pws and secret-keys private ;)
I hope you get the capacity (or money?) to store almost daily backups; this site has so much traffic/uploads every second, it's amazing.
'Cause my watchlist is completely empty and I subscribed to the channels last year...
I am thoroughly impressed with everyone involved in not only getting this site back up and working, but also with a re-write of the site code. Just so users can have this site to share with each other their works.
You people are Awesome!
Yes I had just submitted a story about a day before the site was attacked. And it was lost. Good thing I have a back up on my end.
Stay frosty.
But as the journal says, we've got a complete recode about 80% done, and we would not have had access to coders to address this latest issue as soon as we did without IMVU's support. (I also don't have an uptime graph in front of me, but I'm pretty sure we've improved on that score over the last few years, not gotten worse.)
*is still here hating and complaining on it*
Convincing. Cause the first thing I do when I grow to hate a place a bunch is return to it regularly.
Seriously, you're like someone walking into a Wal-Mart with K-Mart attire, holding up K-Mart signs, and telling everyone to shop at K-Mart instead, it's just bad for business. See me as a "blind fan" or "asshole" if you want, I'm just tired of seeing so many bitter people on FA who have accounts for the SOLE purpose of hating on and trying to destroy the very site they have accounts on. I mean, let's be honest, where else is the community going to go to? IB, the cub porn-infested, disgusting site? Weasyl, the attempt at dethroning FA that fell flat? dA the troll hive full of viruses and the worst staff on an art site known to man? SF is honestly the best alternative.
But whatever, the fire died out for me, and I doubt anything I'd say would change your mind, just as nothing you could say would change mine. To me, I KNOW the staff isn't perfect here, but who the hell is? Nobody is perfect, and the site is run by regular ol' furries like the rest of us. Seriously, ask yourself who would do a better job. Who would maintain composure while constantly bombarded by people like you and half these comments? Who else could hold this site together despite the constant drama and backlash at EVERY change on this site? I tell you right now, I couldn't, and if you think you could, I say make an art site and give it a shot yourself then, and I say that to all the other rabid, obsessed haters who do nothing but trash this site as well.
No, I don't know Neer personally or all that well at all, and I don't kiss anyone's ass, I'm just sick of the hypocrisy ("I hate this site, and the staff suck!" *proceeds to stay on the site and either try to destroy it while USING ITS SERVICES, or pretend they were never dicks about it*), drama, hatred, and bullshit about it all. I told Neer this long ago, I'll tell you and anyone else who cares to read it now: If this was MY website, I would've permanently closed it down long ago, as I feel most of these people who come on here and bash everything about the site, staff, and community don't deserve the privilege to use it.
Man that was long... This is all I got left to say on the matter, as it pisses me off just thinking about it. Wanna laugh, hate on me, belittle me, or call me whatever you wanna call me, go for it. I stated my position and pleaded my case, now it's out there for anyone else to put their two cents in.
I'll give them credit for choosing to not give me a complete ban, like they have others who have spoken out against the site.
I mean, let's be honest, where else is the community going to go to?
If the community as a whole can push to get off FA, then the community will gravitate to the best site. I have followed a ton of people on FN this week and more and more people are moving there.
To me, I KNOW the staff isn't perfect here, but who the hell is? Nobody is perfect, and the site is run by regular ol' furries like the rest of us.
This is part of my point. They are "just regular furs". They aren't furs who are experts in running sites. They aren't furs who have PR experience.
Seriously, ask yourself who would do a better job. Who would maintain composure while constantly bombarded by people like you and half these comments? Who else could hold this site together despite the constant drama and backlash at EVERY change on this site?
I don't know the answer to that question. But guess what, FA is owned by a corporation who have the resources to find people. FA "deals" with these issues by sweeping them under the rug. They only maintain composure because all they do is hide comments that speak out against them and then pretend like nothing happened.
I say make an art site and give it a shot yourself then, and I say that to all the other rabid, obsessed haters who do nothing but trash this site as well.
You're suggesting that all furry sites have a flood of "haters". Let me ask you this, where are the haters for FN? Weasyl? SoFurry? (I won't list Inkbunny here since I know they have a CP problem, but that's a different story)
*proceeds to stay on the site and either try to destroy it while USING ITS SERVICES, or pretend they were never dicks about it*
I only use the site's services where necessary. Where possible, I commission artists outside of FA (especially since the notes system can't be trusted). I plan on soon unfollowing artists whom I have followed on FN.
If this was MY website, I would've permanently closed it down long ago, as I feel most of these people who come on here and bash everything about the site, staff, and community don't deserve the privilege to use it.
If this was my site, the administrative team would have been fired years ago. They don't deserve the privilege of the respect and support of the furry community.
Luckily there was the backup (and it's not that bad you had one just until the 11th of May, I'm pretty impressed!) and a very recent one! Well done.
other than that, i lost 7 watchers.... worked hard to get 'em... ;_;
"At this time we do not know who executed the attacks on this site."
Uhhhhh.....
I'm with your comment after mine, the story just ain't right. But fa's back up, woohoo!
An image processing library is supposed to process images... ideally it does so locally (on the server) once it receives what it needs from a client. It doesn't just have a flaw that lets you trick into randomly networking private data from the server! But even if it somehow did, why on Earth would it also allow you to delete things from that server?! That's like saying "someone ate their soup with a motorcycle"... the image library would have to be capable of doing things it's not meant to do, and allowed to do so without any security checks too! Something is really odd here.
Windows is plagued with security exploits that were patched over time, and some of them come from image processing libraries. It's a no-brainer: some libraries need some privileges or accesses in order to do their job; the problem comes when the coder of said library uses elevated privileges in an unintended way to do a task. (Most of the time it's unintentional, that's why it gets patched afterwards.)
Now you can draw your own conclusions.
- Enumerating the number of images to process (this means being able to access the database)
- Dynamically changing thumbnails according to user changes, page layout and position (again, access to the database)
- Optimizing and probably adding multimedia controls for certain types of images (gif can be an example)
- Probably, some people need the library to execute certain tag tasks according to submission tags (here is an example): JPEGs need tagging, for photos, for example; in case they are already tagged within the JPEG header, either the plugin or the site needs to access that information, and the library can decode that to use the data later.
Many of these uses can look normal, but thinking about it carefully, all need access to the database, which can be granted, but not with elevated privileges that can allow remote code execution.
The biggest fail for me is that an image library was able to pass non-image data through, without anything in the application realizing that something was wrong, and at least raising an error about corrupted content. That's probably the software equivalent of someone carrying hundreds of buckets of water every single day, then suddenly being given a bucket of lava, but not realizing anything is out of the ordinary and carrying on as if it's perfectly alright.
So yes, the image processing library did "just have a flaw" that allowed the server to be compromised. These things unfortunately do happen.
This means I was right about elevated permissions from a third party plugin.
Well... shit happens, even more so if we talk about relying on third parties. I don't know about other websites and what they use for image processing, but it could probably be wise to look for an alternative that presents fewer vulnerabilities to the site (unless this plugin is the most secure, which means coders (in general) are not the same they used to be years back...)
BTW, I guess you are considering forcing FA to switch to https all the time, that could raise security a bit more. Also, since you are part of the staff... any news about the new coding? Please tell me it's new from scratch and doesn't recycle anything from the current one. It would be a big mistake...
Either way, I commend you, for the timely and professional manner you handled the situation in. You went out of your way to ensure safety and happiness, instead of simply solving the issue, which I like!
You guys have every reason to be upset, but when it comes to zero-day exploits (so named because the site author has exactly zero days to fix it before it's actually exploited), there's basically nothing you can do. I'm pretty sure that whatever hole FA had in the code is irrelevant, because the source code was accessed using a third-party exploit. Think of it like jailbreaking.
So... yeah, they could have managed this a looooot better.
Personally, I liked the old "Furaffinity will return shortly" image that gave us a good view of Fender's butt to look at while the site is down.
There is nothing to gain from vandalizing someone's property out of revenge, gits and shiggles, etc. Whoever did it should be forced to explain the real reason why they did it.
My site settings were set on General by mistake and when I went to change them, I cannot change them. I mean the selection box says that it's set to all ratings and it will change properly, but everything is still locked like it's on General when I go to view actual images.
Like, anything? It takes a ton of time, things go wrong and break the whole thing you're coding frequently, and it's VERY difficult. Tried it myself with game designing, and watched a friend try it with Linux. It's a pain. So expecting, with all due respect, rent-a-coders to make a flawless website overnight is ludicrous.
And yes, I have. I dabbled in it just a bit, and had a brother who did coding as well, more than I did. Yes, there are flaws that take A LOT of time to fix. But if it was something such as a program, that program was stopped before damage could be done and fixed before using it again. Which, again, should have been done in the first place along with an explanation why. Maybe I've just got some common sense, but having the site down for a week while they fix this issue and keep all my data is better than losing a week's worth of data because there weren't extra steps taken to stop the data from being lost.
And for any "But commissions through FA" comments towards the "I rather wait a week" comment, always take them to email or provide other means of contact with your clients. Really, relying on one website for contact is silly, especially when stuff like this happens.
My comment at the bottom replies to a lot of what you said. I can't think of many steps they could've taken like you said in your last reply. But yeah, the other 3 comments are pretty well covered in my big one below, feel free to add your two cents there.
But that doesn't mean we're not going to get a little nitpicky when this has been a frequent thing and has been stated that the coders are aware of the problems in the coding that can be exploited and have been extremely slow to fix.
What did happen, however, was that the site was down for an additional two days, and all user data was compromised due to an outdated infrastructure. Not only is being exploited and being down due to that bad, but having user data so easily compromised is entirely unacceptable.
"Is that so called new code stored anywhere near the actual FA code"
"Does it use any part of old code?"
And
"have you taken precautions against another attack, or to see if something else was taken"
Obviously it was not entirely the fault of FA, but.. the fact backups do not occur every day (which.. even in the small studio I work for.. we have server backups every. single. day.. and we are nowhere NEAR the risk FA is at, with people outright set on destroying it) means not only should it be backed up daily in case of attacks, but also fires and break-ins etc. It's not worth that kind of risk. Learn from these mistakes, or it'll just keep getting worse. :( I don't really want this website to die, in spite of the frustration we've felt.
Not that watches and followers aren't important, but this is really a concern, and the staff has to take radical action before we have something to be sorry about...
Just my 2 cents.
The site needs to be taken completely offline for a few weeks and just have a cache'd version up for now and just re-code the entire site from the ground up. Remember that new layout that was promised in 2013? Never got it, would have meant changing too much code.
There are serious ego issues going on with the admins and some nefarious reasons why they won't re-code the entire system like any normal website. "Oh I made this code in 2004, I am so proud of it, I did such a good job and I don't ever want it to go away!" Meanwhile in the last decade it's been insincere promises and lies, and meanwhile Neer tweets every week about some new computer parts he bought for himself that won't ever go to fixing FA, and the parts that do go into FA's inventory do not last very long because they are the most expensive components that are all about appearance and not reliability and break within months.
2007: On 11 August 2007, Dragoneer's administrator account was compromised at FA: United when he used the hotel's unencrypted Wi-Fi connection to access it.
2010: On December 17, 2010, a hacker was able to use a cross-site scripting (XSS) exploit that existed in the trouble ticket system to take control of an administrator account. The site was taken offline while this was fixed, and resumed normal operations a few hours later. Critics said that FurAffinity was well aware that the site code was vulnerable to attacks like the initial XSS exploits for years, but had been slow to fix it.
2014: On Tuesday, October 14th, Fur Affinity suffered a major Distributed Denial of Service attack.
2016: On May 17th, 2016 at approximately 11:44 AM Eastern Time, Fur Affinity went offline, displaying the temporarily offline message. Using an exploit in FA's image processing software (ImageMagick), an unknown attacker gained a copy of Fur Affinity's source code.
How does that saying go? Those that don't learn from the past are doomed to repeat it. Keep rollin' along guys! Just another annual 3-year-hacking, nothing to worry about!
Those are all the questions your comment raised; answer however many you wish, if any. Don't, and honestly, you prove a couple points of mine I put in there.
Thanks again, F.a. You guys work hard at maintaining this site throughout all kinds of problems and I just wanted to voice a firm thank you for it all.
So many people hold accounts here strictly for being assholes when things go wrong and the staff is expected to be perfect and never make mistakes. I feel really bad for the staff here, ESPECIALLY the owners. Any security has holes, and this hole was in the art program to boot. Plus, it's an art site, people act like it's...I dunno, a lifeline? I guess some people use it as primary income, but I never got that, since the business is pure commission and very lucrative and risky. (nobody wants to buy your art? You're broke. This happens for an extended period of time? Homeless. High risk, low reward, but that's just how I view it, all the power to anyone else who can pull it off) Also, losing a week of data sucks, but considering from what I read that the hacker about destroyed the whole site, and the backup is what kept it alive, I say we got off easy. As for the frequency of attacks, it's a site for furries. You know, one of the most hated online communities? BIG target on our heads by the trolling hackers for the sake of ruining our lives, being an annoyance, or laughing at our pain...or all three. It's unfortunate, but that's life, and considering this site ain't Microsoft, Apple, or some other high-tech multi-billion dollar corporation website, these kinda things can and probably will happen.
PS HAPPY PAW DAY! ^_^
A friend of mine uses the same email address and password here and on her steam account and her steam account has sent her an email saying someone else has attempted to access her account since the hack here.
So if you use the same email address and/or password that you use here for other places then change those details now since they have been compromised!
Furries can be assholes too
But more importantly FA has a nasty track record, and a shifty past with the whole "so uh, wheres thata transparency yall promised?" and so forth.
Furries can be hackers, assholes, and downright malicious so all you'd have to do is figure out how many people in the community that furaffinity has pissed off, and your suspect list would be pretty big lol
The most problems occur within the fandom.
It's more likely to be another furry rather than someone outside the fandom. Or at least, someone who involves themselves with the fandom on a regular basis.
(Well, not every website. But a good chunk because I have memory problems and can't remember long strings of numbers/letters except for the ones I've been using for a while.)
(Please don't literally set your password to "correct horse battery staple"; come up with your own random words.)
Looks like the hackers have nicked personal details :/
They've recommended to change your passwords so if the accounts haven't, it's not necessarily the staff's fault this time. They got their asses covered there. If these accounts have already done so, something tells me it's more than just how the passwords in the site are stored and then yes that would be something to question the coders about.
But something tells me they'll find an excuse as to why they couldn't do that anyway.
Salting and hashing is the form of protection which was apparently used by FA to protect said passwords. Hashing encrypted the passwords, while salting added random elements to them. Both of these override the plaintext version of the password within the servers.
Now, with salting added in with hashing, it's not a truly foolproof method. If one simply hashed their password database, it would require only one 'key' to get all the passwords. But with salting, you need a different 'key' for each one, and that takes additional time. Yet, with the AMOUNT of accounts suddenly getting hijacked (read: MORE THAN POSSIBLE IN A DAY IF SALTED), it's plausible that salting didn't even take place, only hashing.
I am not challenging them covering their butts. I am challenging the lie they set in place about the security they have in place. Read. Between. The. Lines.
The fact that they've stated in the journal that it's a good idea to change your passwords, though, should give a hint they weren't sure if they implemented this security right, if at all.
Edit: It also probably doesn't help that they didn't force a password change as git has said.
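The "one key versus a key per account" argument in the comment above, shown as an added example that is not Fur Affinity's code: a plain SHA-256 table beside a per-user salted PBKDF2-HMAC-SHA256 table (PBKDF2 is assumed here as a stand-in for whatever KDF the site uses), built from constructed sample accounts, two of which share a password.

```python
"""Salted vs. unsalted password storage, illustrating the thread's argument.

Added example, not Fur Affinity code. PBKDF2-HMAC-SHA256 from the standard
library stands in for whatever KDF a site actually uses.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample accounts: alice and bob chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}

# Work factor for PBKDF2-HMAC-SHA256 (in the range current OWASP guidance gives).
PBKDF2_ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password: the weak scheme the commenter worries about.

    Identical passwords give identical digests, so one precomputed table
    (the commenter's single 'key') serves against every account at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF, stored as salt$iterations$hash.

    A different salt per account means precomputation must be redone per
    account, which is the extra cost the commenter describes.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, iterations, expected_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(expected_hex))


def build_tables(users: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (unsalted, salted) credential tables for the given accounts."""
    unsalted = {name: unsalted_digest(pw) for name, pw in users.items()}
    salted = {name: salted_record(pw) for name, pw in users.items()}
    return unsalted, salted


def duplicate_digest_count(table: Dict[str, str]) -> int:
    """Number of accounts whose stored hash is shared with another account.

    For salted records the hash is the last '$'-separated field; for the
    unsalted table the whole value is the hash.
    """
    hashes = [value.split("$")[-1] for value in table.values()]
    return sum(1 for h in hashes if hashes.count(h) > 1)


if __name__ == "__main__":
    unsalted, salted = build_tables(SAMPLE_USERS)
    for name in SAMPLE_USERS:
        print(f"{name:6} unsalted={unsalted[name][:16]}...  salted={salted[name][:16]}...")
    print("accounts sharing an unsalted digest:", duplicate_digest_count(unsalted))
    print("accounts sharing a salted hash:     ", duplicate_digest_count(salted))
    print("verify bob/hunter2:", verify_salted("hunter2", salted["bob"]))
    print("verify bob/wrong:  ", verify_salted("wrong", salted["bob"]))
```

Running it shows alice and bob with byte-identical unsalted digests but unrelated salted records, which is exactly why a leaked unsalted table exposes every account with a common password in one pass.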
Regardless of whether this security is there or not, the hackers have still had the information needed for two weeks now to get what they need. Not defending the crappy coding of the site or anything, but that "within a day" statement may be a bit inaccurate.
So my previous statement still stands.
FA should have FORCED us to change our passwords the moment they knew there was a breach. Like fucks sake most places do that come on FA.
So not only do you want the code out there, as it already is, you want people making modifications and uploading to test servers and then to real world. Test servers that are just going to appear out of thin air apparently. God forbid that someone misses a backdoor, or a logger in there during a test phase as well. Given that almost every open source platform has had that happen, where they have teams checking the code and it still gets missed.
Unfortunately this is a matter of FA being popular, and a target, plus not well funded. I have no opinion on the leadership; I don't know what they did or didn't do in years past with hardware that could have prevented this. At present the solutions people want are not obtainable without large sums of money and time. I don't have large sums of money, and while I enjoy FA, I am not willing to devote time to coding it, or applying to be a coder for it. So I can't really offer to be critical of them as I am just a non-paying customer using their service for free.
Not even Dragoneer or Yak are poking their noses in to defend this shit - that's how bad things are getting around here. Not even the owners have the balls to defend this shit. It's fucking hilarious.
The bit that concerns me most is the backup situation: I don't think it was ever publicly announced before that backups weren't being done every day. For a user-submitted image site of this size, I think the reasonable, taken-as-read expectation was that incremental backups were happening daily, so they could be bolted on to the last full backup to keep data loss to less than 24 hours. In fact, if FA was on a modern code base (which was known publicly it wasn't, but it was being worked on), near real-time database replication backups would be impressive, but not unreasonable.
With that in mind, the three most important questions I have, and in this order are:
1) Currently, how often are backups of FA made? If something else was to happen - which is more possible with leaked source code - what's the maximum amount of days' work that could be lost?
2) How many backup sets are kept? Is there one backup that keeps getting overwritten, are (x) old copies kept before being deleted, or are they permanently archived?
3) We know a security audit was/is being done in light of this attack: For clarity, is this being conducted internally (Fur Affinity/IMVU staff), or is an external security company conducting it? I think it would help to regain users' confidence if an impartial specialist company combed through the code to spot any more big issues, especially if the USB keys being passed around contain similar code.
I'd feel much happier if those concerns can be addressed. On that subject, I'm happy quoting_mungo is addressing questions and concerns, and moderating this thread, but I'm a little disappointed no other admins are stepping in to comment - I don't think it's fair to put one person front and centre on a subject so charged.
if you don't like this website just forget about your livelihood and fanbase here and LEAVE
sure we may have lost count of how many times we've gotten our shit severely fucked up here but i'm sure fa staff work very hard to keep that number at least below 6,000
Also, this is a legitimate concern of mine: Could this be because Anonymous found our Zootopia fan arts?
I mean, I'm not accusing Anonymous of anything (I sincerely apologize if it sounds like I am) but I'm saying maybe it's a possibility and maybe that's actually what Anonymous wants us to know.