Fender

Can't submit artwork.

i saw that

Tell Dragoneer to stop cockvoring the servers

( ͡° ͜ʖ ͡°)

If FA had a thumbs up feature for comments you'd be the most popular commenter.

FA doesn't even have HTTPS. You wanting a "thumbs up" feature is asking them to work! Dude, don't do that D:

pssst, https everywhere add-on for firefox and chrome is a thing :)

Yeah perhaps, but you shouldn't have to rely on an Add-on for something that every single website - especially one with the amount of traffic FA has - should have by default.

oh of course! Anything with high traffic should have https, but it doesn't hurt to have backup in case they don't :)

Anything with high traffic and been hacked more times then a hooker has had sex should have forced HTTPS.

high-traffic websites should also get their code audited from time to time, else use code that's already vetted

yet not all high-traffic websites have high-IQ admins

that's OK though. we're all just trying to do our best here :)

Wow, that took less than thirty seconds to add to Chrome. https://www.eff.org/https-everywhere

I was surprised that FA didn't have HTTPS. I thought that was just something that any site would have. Oh well, it's fixed for me, at least.

but its a kludge that forces the site to use https only if that site has https functionality and a valid certificate... 'https everywhere' is a misnomer ...

in the case of FA the admins are just too stupid to auto-redirect all connections to https ...

have you tried putting a "s" after "http" in the url? That's what I did

I don't think you got my point; it is not the user's obligation to manually type "https://". This is something that should be, by default, happening in an automatic fashion. Of every site I go, Furaffinity is the only one I have to do that.

I think they meant it was like that already. I didn't manually type it & it's still https. Hm. *shrug*

my Chrome shows the link as https tho?

Almost as stupid as asking them to be unbiased when it comes to user disputes.

https://furaffinity.net
There you go, Furaffinity with HTTPS, it exists.

I like how you and most of the people didn't really get my point, but I will, once again, repeat it, hopefully in a way that's easier to understand.

It. Is. Not. The. User's. Obligation. To. Type. "HTTPS://".

The site itself should have that as an automated function. Which means, and I will repeat again: it should be done BY THE SITE ITSELF; the HTML coding should be set in a way that the site should be httpS by default, which is not the case on FA.

If after this small and concise sentence people still don't understand it, I strongly suggest either learning how to read and try to understand simple English.

Technically speaking HTTPS is a protocal much like other variants of URIs, such as http://, skype://, ftp://, etc.

The method you use to connect to a server is solely the client's responsibility and choice. HTML does not dictate whether or not you connect using HTTPS as opposed to HTTP. In order to force HTTPS connection, that would require modification of the web server's configuration and possible additional server side scripting.

It's not that I don't understand what you're saying, it's that protocols are client's choice and should remain the client's choice as forcing a protocol on someone else may be an unwanted action. If you choose to use furaffinity using HTTPS, then you may specify the HTTPS protocol.

I'm sure it's not hard to type one letter.

what a beast

Needs more keks on this comment.

I just realized, can you imagine how much cheeto dust is encrusted on the server racks for this site?

Savage.

Tell Dragoneer to stop cockvoring

But cockvore is hot!

No it's not.

Yes I am kinkshaming.

For me, top kinks go:

Unbirth
Cockvore
Anal vore
Vanilla sex
Oral vore
Dildo TF

Cockvore and anal vore are the only ones of these I've ever been even a little ashamed of.

It's good you're not ashamed.

But right at the top of what will be the most viewed page on this site for days, you felt a need to share a list of what you get off to.

Like...

not that its much of a secret all you gotta do is go to there page and look at there submissions/favs :P lol

*their page
*their submissions/favs

no one likes a grammar nazi :P

This aint a Grammar thing, its about Orthography.

and even then...we're furries. It's just assumed that we are all into some weird shit :/

lol if you wanna look at it that way :P

-pokes- What are secrets about kinks on FA anyway? Like, do they exist for more than a handful of people? :P

One of these things is not like the other~

Yeah, I know, cockvore is the only one that requires the male in the dominant position.

I'm such a hipster
We share Vanilla, but other than that I just like circumcision of furries XD

My fursona lacks a sheath for a reason

Sex in the missionary position for the purpose of procreation.

It's a beautiful thing indeed! I prefer cowgirl and doggystyle personally though.

Ashamed of vore?

And rightly so; sex is for creation, not for elimination. I like my kinks as much as the next guy, but there are just things that are fundamentally bad.

No offense-ish, though.

I just know I'm going to get sh*t for this... -.-

'sex is for creation' you do know not heterosexual sex exists right?

You mean homosexual? Yes, but at least it isn't KILLING any sentient organisms; it'a not really contradicting sex as it is being neutral. In fact, I'm homosexual myself.

never can tell with wording like that, you know how people can be!
At least vore can only (legally) be fictional. As long as it stays solely in art it's not harming anyone

Sorry about this cynical analogy, but that's like saying it's okay to have pedophilia fanfiction. The more you indulge yourself to a fantasy the more you'll want it to happen in real life--brain conditioning 101. Though it's not definite, I'd rather air on side of caution when it comes to chances with death and vore. I say sexual fetishist are for the living. Again, sorry for the cynicism, but I'm justifiably pessimistic when it comes to this subject.

err on the side of caution*

fetishes*

Sorry, autocorrect.

I feel like relating someone who wants to be swallowed by a giant dragon to people who indulge in pedophilic porn may be a little minimizing of pedophilia though?

Like I could see that opinion relating to violent gore/'realistic' vore. But in regards to vore as a whole the majority is highly unrealistic 'being swallowed whole' stuff. (I'm not into any of it personally, this is just what I see)

Yeah, some of the depictions ARE unrealistic at first but often evolve into sick and twisted deviancies such as these bloody examples here (it traumatized me as raichu is my fursona):

http://www.furaffinity.net/gallery/sparkythechu/

The ones that don't evolve into this are... "lucky," I suppose.

I think that vore covers a broad definition as far as kinks go. I've seen many people who are into 'soft' vore and are completely grossed out/uncomfortable with blood and such.

Basically what it comes down to is you don't condone and aren't comfortable with violent acts depicted in a sexual way, from what I can tell?
And I can certainly understand that.

ExACTly. I'm like security at airports; it's crucial that even the slightest suspicion is closely monitored. The chance of that pressure cooker being a bomb is slim, but very real.

And believe me, I've ran into a LOT of gore artists on furry sites.

There is no minimization bring performed as they both pertain to the survival of our species. Religion has imprinted the wrong messages into our brain about morals.

Sorry if I offended you with this indirect reply; I've just been in a lot of religion-based arguments lately. I'll try to keep it off that topic.

The human brain doesn't work like that. In fact, we have evidence for the exact opposite being the case.

There's plenty of evidence proving otherwise. It has been scientifically proven reacting to your anger conditions you to be much more aggressive. Somnophilia has been known to be the roots of necrophilia. True, I'm a somnophiliac, but I get immediately turned off by necrophilia, thank goodness. If I turned into a necrophiliac, I would promptly seek help.

Religion (sorry) is the biggest example of brain conditioning; just look at the extremists--otherwise normal people turned into suicidal maniacs. Brain conditioning exists and in great prominence in human society. If we applied it in the correct manner, we could work as one unit and advance at a much greater pace, but alas, our social intimacy is not great enough. We have too much mistrust for each other.


...The human form also has a lot to be desired. I don'the know what evolution was thinking.

Don't* Lollipop autocorrect is legitimately retarded.

Holy shit we get it you want people to think you're /r/veryclever

No one cares.

What, you think I talk like this just to show off? I talk like this all the time because I don't conform to the ill-conceived American standards of grammar, though I do it also to be taken more seriously than if I were 2 tlk leik dis. If you don't like what I'm saying but don't have a relevant response, then ignore it and move on. You aren't a part of this conversation.

justifiably? as in, you have experience on the subject?

As in the normal animal instinct to avoid harm.

Eating meat requires killing a "sentient" organism. I don't see you complaining about that.

Bad on a fundamental level is anything that can significantly reduce a population without any justification. This includes necrophilia, pedophilia (causes suicide), vorarephilia, trophy hunting (just an overlooked form of necrophilia), etc. This does not only apply to the respective species, but whatever population said species might affect.

Most lower animals aren't nearly sentient enough to be comparable to eating a human or even a DOLPHIN as they are operated more by instinct rather than voluntary actions; it's simply survival to eat another animal as food, not a fetish.

I'm aware of you consciously attempting to give "sentient" much too broad of a definition by inserting quotes.

Justification? Since when does a death in population have some sort of justification quota? I'm sure you're putting in bias to confirm what you think is right/wrong in something that doesn't even have some moral ground rules. It's pretty much inserting your own ethics and beliefs.
Sure, things like necrophilia, pedophila, and other very dirty attractions are condemned everywhere and for a good reason. Except I don't see how something as virtually impossible and fictional as vore is "bad." Compared to bondage and paw attractions, it's pretty tame and some friends that I know of can seperate fantasy from reality. There is something called fish swallowing, but rarely practiced. It's dangerous anyways.


It's still killing and eating for meat. Not much different. It can go on hand with bondage, a feeling of control/vise versa.

Oh like? Examples please.

Death is justified ONLY when an individual or population poses an unavoidable and immediate threat or when nourishment is needed, I'm sure you'll agree. Because of this, I don't believe in capital punishment because there can be other, albeit controversial, manners of avoiding further harm to anyone such as the severing/disablement of the nerves of limbs of the assailant--non fatal and eliminates any reasonable threat. Some people might consider it inhumane, but the fact is the extinguishing of life is the most inhumane thing you could do; quadriplegics can lead a rich and fulfilling life.

If you've ever been to the deep web, or at least heard of it, you'll know vore isn't just a fantasy, it's a very real and equally disturbing deviance that mustn't be ignored, but often is because of the anonymity of the deep web. Even now, hardcore vore fetishists are chatting on The Cannibal Cafe clones and such.

If you go on with the continued interest of vore, though unlikely, can spark a flame of sexual attraction of death and dismemberment. You know what time does to chances, though? It increases them. The more you wait, the bigger window you're giving that seemingly harmless spark to ignite that gasoline. Chances are increased still if you are teased with the fact you can never achieve satisfaction with this fetish unless you break humanity's greatest law. Psychopaths rarely realize they are so until it's too late.

Scientific research shows habits and interests are passed down by the parent to the child. I don't want a time bomb to be passed down to our children. Vore has no room in this, or any, species.

Lower animals are like robots. They have no significant consciousness or meaning to life. They are practically meant (and on some levels, literally) to be eaten. Destroying a computer isn't going to affect your consciousness, right? Like it or not, certain animals shouldn't live through their life expectancy. Depressing at first, but then you realize your emotions aren't noticed or understood by cattle.

The thing with bondage is that it doesn't necessarily signify harm. It can also promote submission when appropriate, which is actually a good trait for any social species. I actually find the act moderately arousing, especially on the receiving end. I also have a paw fetish.

I don't have any illogical biases.

Homosexuality alone might reduce a population, but can be easily countered by having heterosexual intercourse when necessary, hence bisexuality.

I'm not into digestion vore, I'm into intimacy vore as another outlet for fantasy couples of differing or inconsistent sizes to enjoy each others' bodies. Note how Unbirth is my #1.

Sucks that it's not physically possible. It's a futile fetish, another reason why I don't like it.

It's not physically possible but neither are TF, taurs, macro/micro, hyper (beyond a certain size there simply isn't enough blood in the body to support an oversized structure), herms, etc.

Heck furries aren't physically possible in general.

I knew you were going to respond with that, so I'll respond with this:

Genetic manipulation makes almost all that you listed physically possible. Hell, there are actually some primitive herm animals. Micro isn't possible because you can't shrink atoms; macro isn't possible because our anatomy can't support tremendous weight.

*Sorry, responded in the wrong thread.

"Fundamentally bad"
Mmmm, I'm smelling bias. The basis if something is bad as in "unethical" is debatable.

MMmmmhhhhhmmmmm. We will have to chat <3

You wouldn't happen to be a vore fetishist, would you? .3.

...You were talking to me, right?

I was actually talking to  ronintendo But if you are a vore fan too we can chat :3

I'm the opposite of a vore fan.

I love discussing such subjects; Notes or appropriate specific submission comments being the best places, generally.

Hi guys, I am under 18 and FA has my legitimate age. Could you please describe to me why you feel like posting your fetishes here? And could you also describe what they since this journal can't block mature content, as it's meant for everyone, and I don't know what most of those things are... Thank you! :D

Agreed, lol.

Though in all seriousness, to each their own. Still, some things out there scare me.

While I DO believe in the right to one's own opinion, there has to be a limit.

Oh that's just nasty.

For all we know, it might be Erin Anthony again. XD

But all the cool kids do it

i swear i saw a server of fa getting engulfed by his cock as i readed this, someone needs to draw that

We need that drawing

I've been thinking of drawing it, but I don't have anything that smutty in my gallery as of now so I'd probably be using trick angles to imply what's going on.

If you draw it ginme a shout in my page

We need a drawing of that please!

working hard or hardly working?

I hope, after all the runaround I faced just to log in, that you have installed some god-damned security for the passwords. 7X=E

When will mass removal be back on?

Alright, I will try to be constructive, though I can't resist to mention that you should've done all this many years ago. ByCrypt cam out in 1999!!!

"Changed password hashing backend to BCRYPT (with a high enough computational cost. maximum supported password length now is 72 characters)."
- Thank you! That is a good move (qwhich should have been done years ago...)! Although "high enough" is relative. Care to share the actual cost? Just curious. That info doesn't impair security as far as I know.

"Removed all ImageMagick use from the app server, and deleted the packages."
- Just to clarify, you mean you removed it from servers that don't need it, but it still does image processing on the appropriate machines, right?

"adding Captcha"
- There is no reason for the Captcha to be displayed by default. This is both annoying and breaking autologin. It should be enough to display it after the first failed login attempt. If you tie it to username and store the flag internally then it cannot be worked around by changing proxy etc. What do you think?

The rest sounds good to me, though there are many more things you could do to improve security. And I honestly hope that you truly managed to close all holes in the code in this short time period. It would suck if FA went down again in a few days.

Hasn't it generally been found that CAPTCHA is basically useless anymore anyway?

Well, with modern pattern recognition algorithms and the practice of hiring 200 poor boys in India to enter Captchas day and night make them not a real deal for anyone serious enough. They may still hinder script kiddies. But either way, Captcha by default serves only one thing: To stop Furry network's importer. :P

Knowing FA, they've probably completely removed ImageMagick even though it's already been patched. I mean, it's not like PHP's GD has ever had any sort of bugs. >.>

Funny, though, as this time this might have been the right call: there is a second, also serious, vuln found in both ImageMagick and GraphicsMagick

There's serious vulnerabilities found in pretty much every piece of code out there. At least ImageMagick practices responsible disclosure and rapidly patches their code.
Guess we'd better ditch PHP. since it has 475 CVEs: https://www.cvedetails.com/product/.....l?vendor_id=74
And Apache HTTPD since it has 190: https://www.cvedetails.com/product/.....l?vendor_id=45
And MySQL since it has 243: https://www.cvedetails.com/product/.....?vendor_id=185
I mean, ImageMagick only has 48; that's far too low! https://www.cvedetails.com/product/.....vendor_id=1749
And that's only bugs that have been assigned CVE numbers. Lord knows all of those products have been patched numerous other bugs.

And, if you want a surprise, the product with the most CVEs is... OS X followed by the Linux kernel. x3 https://www.cvedetails.com/top-50-products.php

now tell *that* to all those people who soley blame FA for everything that's bad in the world.

Ya I keep getting not allowed file or some such. Its a simple jpg ........

Are you working on all the email addresses that wound up getting changed? The email account I was using for my actual account  Dragonvcat seems to have been changed. which is odd, because I never once changed it. I was forced to make this 2nd account in an effort to get some actual attention because nobody is responding to my email. Some of my friends are having the same problem, that their email address has been changed from the one they've been using, and they can't reset their password or access their account because of this.

If you emailed accounts[at]furaffinity.net you will get a response. However, please be patient as it may take some time for our staff to go through all the account recovery requests received (in the thousands).

so it seems that something happened to the server or database you keep the email addresses in then, considering this has happened to so many other people.

Ditto what   Dragonvcat2 said.

Trying to do the email reset for my account   cobh and it says both my emails are not linked to the user name.

Email sent to accounts[at]furaffinity.net now just twiddling my thumbs over here.

At this point I'm just glad I'm not alone
I sent mine the moment I realized FA wasn't going to let me in and I'm starting day 2 of the wait period

It's kind of amazing that they could screw up to this extent. I mean, how the bloody hell do you manage to lose or reset people's email addresses while you're just resetting passwords?

MAGIC!~
Hopefully all this will get sorted in a day or two and everyone can move on >>

Did you send an Email to the staff yet?

yes, but i dont know if i will ever get access to my account again, kinda woud be sad if i cant

same here, I had nearly hit 200 watchers T.T

ya, i don't have too many watchers, but i have content that is on there that im afraid of moving to another account due to copyright rules

That's not much of a problem on FA since if you're not actively steal someones art no one cares and the only people that can really get you for copyright is the person who created it or owns it (like a record company)

Starting day three and its seems less and less likely. I hope that it is just that my email is that far down the que of people emailing and not me being locked out forever. Not that I'm wishing this screw up on others cuz it blows.

In the same boat myself. My main account, La-Glacefurball is not linked to any email I use at all, so I suspect that its email has been changed.



Sent two emails regarding this, now just gotta sit and twiddle my thumbs.

Got my account back, and happy to have it back! :D

Congratz! I'm still just twiddling my thumbs going on day three. Ugh..

Was a color code installed (green boxes that surround the confirmation announcements when successful)when modifying some of the account settings?

I believe so? I know code was introduced to make it more clear what was modified when account settings are changed, but I've not had a chance to look at it myself.

I have send an email 4 days ago and still no response....

We received thousands of emails, and can only respond so fast. You will get an answer once staff can get to you.

Give or take. How long are we expecting to wait between sending the emails and receiving responses? I've been waiting on a response for over a week now for my other profile.

I really can't give you an estimate at this point - the staff is responding to emails as fast as they possibly can without compromising account security.

My account has this problem too, Zork submitted email on Tuesday

any ETA on responses for those of us who's emails have gotten changed? I've been waiting for one since last night and I'm certain there are some who have been waiting for longer.

Hi I'm terrix.

I had a bit of a problem.....I've accidentally signed up a website named furry network as a mistake for google , and there is no way to deactivate my furry network account.

Can you me how figure a way to permanently delete my furry network account ?

So, the SFW button is gone and I am stuck on General only for viewing art is this everybody or just me.

Yup. Error give is as follows:

Fatal system error!
Submission type is not allowed! Please do not insert code that doesn't belong there.
[Click here to go back]

I'd give it a half-hour or so minimum before that changes, there's probably a flood of people all changing their passwords at the same time.

...Unless the code somehow got screwed up during the audit, then we might be waiting for a bit longer before we can submit anything...

I really hope it's the first one.

you can now

man i'm super happy FA is back online but the whole dang website gone upside-down for me now

Hilarious!

come to my page for more hot political commentary

jeegus christo this is fantastic

"FN - Import Data"

lmfao

They done did April Fools late!

From cockvoring to talking about kinks and sex.

Just a regular day on FA.

Good to know security is being looked at~ No dildos here!

one job.

damn it

one job!!!

Still no email warning users??
If you used the same password for FA on another site with the same user or email YOU NEED TO CHANGE THAT TOO. The hackers have peoples passwords, and your other accounts are at risk too.

Why FA isn't warning people of this, I have NO idea.

cheers m8

Didn't I see you on twitter talking about this? <3

Myself and thankfully a lot of other people. I'm really hoping enough people find out to spread the info, because apparently FA won't, even though they're required to do so.

I had a couple of website that used my (now old fa) password. While Fa was in read only mode I naturally changed those passwords associated with my old fa password. Is this what you (and many others) and encouraging for us to do? o3o

PS. I am just making sure I understand ^u^

Yes it definitely is, good on you :)

They've been mentioning it in their journals updating throughout this fiasco. I do agree that there should also be an email sent.

Huh, this is actually super interesting. I'm glad you dug this out and shared!

They did put up a big announcement that data had been stolen, however it was encrypted data, not unencrypted. It was up the entire time the site was down for read only mode. Not sure why you didn't see it, but that fully qualifies as notifying folks :P

Ah, I did read through some of it but it has been amended so many times that it becomes difficult to follow. I made it through the 2nd set of amendments before clicking out :P Without being in that specific format, however, all of that information has been posted over the last 3 days. I don't know if FurAffinity has a headquarters in California, specifically, though IMVU certainly is. Not sure if they are required to post notice as the parent company or if it relies on FA's 'headquarter' location.

Again, though, they stated it was ENCRYPTED data that was stolen, not unencrypted data.

You seem to confuse encryption and hashing. While you're right that it depends on the actual algorithms used, this is a moving target (SHA1 used to be secure, just isn't anymore), and "Industry best practice" is still salted hashes, with some repetition added. This included the current recommendation, bcrypt, which while using an encryption algo (blowfish) it still uses it as a hashing function.

I'm used to American people mentioning "their business" (even if it's not "their money") and throwing lawsuits left and right for the fun of it, though rarer that it specifically comes from the Silicon Valley non-corporate residents (we know the IT competence of typical law-making politicans around the world, don't we?), but we have a similar law in Germany in theory - and in practice I've never received one such information mail. Do other companies actually really comply with this?

(if it's not also mentioned in IT tickers, my usual method of detection is that every company gets a dedicated email address from me - the moment it is used for SPAM I know they either sold my data or have been breached. By the way, this happened to my bad-dragon-address already, and they didn't react to me neither)

You're mostly right on the theory, not so on the wording.

encryption is a reversible process, no information is lost. the cipher text can be transferred back to the plain text, knowing the used function and the (shared secret or assymetrical) key. This also implies that the cipher text usually is of same length as the plain text (disregarding padding), which is information leaking you don't want in password scenarios.

hashing is a function to generate a very short piece of bits (1 bit parity in the extreme to about 23 bytes for bcrypt) from arbitratily input length data - that is, it is by definition lossy. There is no definite way to get back the one plain text used to create the hash, and in general it is desired that even finding any kind of input resulting in the same hash should be "hard".

Passwords are generally always stored hashed. The idea is that when breaches like this happen, it is hard to get back to the original password, for which hashing functions are way more suited than encryption (this didn't stop Adobe from encrypting, instead of hashing, their passwords).

So "encryption" is not the term, or even the practice, we're after here.
And "hashing" is what is, and ought to be, done.

In the days when rainbow tables were a thing - the time span between hard disks got cheap enough to store the sparsly pre-computed hashes and before GPUs became cheap enough that you just do brute force again (using e.g. hashcat) - salts were essential to ward those of, and even today it's necessary, to force an attacker to brute force each password individually instead of all at once. Some treat salts as secret (and it doesn't hurt to do that), but their strength lies not in secrecy, but in being different for each user.
So, "salting" is also what is, and ought to be, done.

"Reversing" a hash function should be easy in theory. Since it's lossy, there are so many more potential passwords which would fit the same hash. That's where the "cryptographic hash" is used - a function designed to make it really improbable to find matching plain texts (one would be enough, or two in cases like hash collission attacks for e.g. document signing spoofing), and "hard" to brute-force it. That is true today as it always was, but computers got so much more powerfull that the mathematics couldn't keep up in terms of complexity. So what is done today is repeating the step - password salt, hashing, take the result, hash it again, take the result, hash it again, a variable number of times easily in the thousands. This is also known as "key stretching".

And that's what bcrypt, currently industry best practice, does: repeatedly hashing salted intermediate results, beginning with the original password.
So I refute your claim that "Salting and Hashing" is "replaced in the industry" and that it would be "not secure".


The impression from the old continent is that Americans either do it for fun, or if they think they can somehow profit from it regardless of ethical values, and sometimes even just out of spite because they don't like someone or a differing opinion. The latter looking like running to mummy if the classmates say mean things.
Also companies, and the type of persons rising to the top of them, are not generally known for adhering to the law "because it IS THE LAW" (that's for the small henchmen, anyway), but because they can't get away with it otherwise. The newstickers are full of examples where they tried.


I'd be happy if you could point out the "we sell your mail address" in the Bad Dragons ToS for me, as I haven't noticed that back when I signed up some years ago.

Actually there isn't currently a requirement to notify people about data breaches under German law, from what I can find very quickly. That being said, the new General Data Privacy Regulations (GDPRs) that go into effect in 2018 (replacing the current Data Protection Directive 95/46/EC) do add a data breach notification requirement that will apply throughout the EU.

https://leginfo.legislature.ca.gov/.....201520160AB964

I'm afraid you've missed my point.

You see that's still the original text of the bill, not the text after it was amended and passed.

You are mistaken, I apologize but it's true.

You sway a lot of people to your point of view with that attitude? :P

You're a sweetheart.

>> Salting and Hashing isn't considered an industry standard since its been replaced and some algorithms you can use are easily cracked.

Really? Are you sure about that?

Salting and hashing passwords are an industry standard. They remain so. Your comment which you linked to appears to further reinforce this.

Also, hashing is not a form of encryption. Encryption is a method of concealing data. Hashing is a method of reducing or destroying data in a way where later another set of data can be hashed and compared to verify the data is the same. The important point is with the key encryption is reversible, whereas there is no way to reverse a hash.

In this case FurAffinity chose a password hash, bcrypt, which is specifically designed to be computationally slow. This is in opposition to normal cryptographic hashes like the SHA family, which are designed to be fast. This allows cost to be inserted into the password hashing scheme to slow down brute force attacks.

so theoreticly somebody could sue imvu over this? As long as they are a california resident?

Not really. The California data breach law does create a private right of action to sue for damages, but in this case it's more likely that the Attorney General would pursue action against IMVU for failure to comply with the law, if they determine that IMVU is violating the law. It'd be too hard to prove damages for ordinary users. But the attorney general action is a very real possibility.

I seem to recall seeing a warning from them on this site suggesting changing other account's passwords that were using the same password when the site first came back online. Just gotta read.

I don't think the equivalent of a "oh hey, PS" is adequate with a security breach of this scale.

Because then they have to admit how much they fucked up and how poorly encrypted their password system was.

man I feel bad for people who has outlook and they recently changed their backup info. They don't allow you to change anything for 30 days

And there it is.

if you're optimistic enough, anything can be a dildo~

Submission page is giving a fatal system error?

I'm too excited to post artwork again :U No idea why.

welp, hopefully the clusterfuck is over

So, we're good now?

Inb4moreproblems

when the avatar and the text matches up just right.

http://i.imgur.com/g4S3Ly7.png
looks like you were a little late

I see the problem there
you're using a mac

More problems are sure to come sooner or later, way more likely sooner with how things've been going

i hope this is restored i was on edge for that last few days since i could not change my password

Sweet. Good hussle with getting back in business there. :3

Yeah, uploading is broken

Otherwise, good to see a bit tighter security with logins now.

Well, honestly your email would have to be hacked to change it? So if your email is hacked, you probably have bigger problems.

Thank you guys for all you do.

It is GREATLY appreciated!

Does adding the captcha prevent me from having my gallery imported over to Furry Network?

I mean, if I'm stuck manually doing it that would suck, I'm just curious. :)

Yeah their Import system doesnt appear to be in working order right now and I am betting its cause of the captcha. Why is that part even necessary if you made every user reset their passwords.

"Additional Security"

It seems like good practice to implement a captcha.

Sucks that its inconvenient for robot programs, but those things are unethical as hell in the first place. The computational cost of spiders on a host website is boggling.

Not if the site is rate-limited through Cloudflare as hard as FA is. You'd have to own a botnet to use enough bandwidth to cause a disruption.

The point of Captchas is to prevent an attacker running a script that tries to login repeatedly. There is absolutely ZERO point of requiring a Captcha the first time, it should only be required after the first failed attempt.

What if you don't have an email address thats valid? What then?

What, did you register years ago and your email address expired in the meantime? You should've updated your account to match your newer email sometime.

...

Except how would you even be asking this question if you didn't?

It wasn't for me, it was for another. But we got it figured out.

I think a clever solution that would appease both parties would be to make a check-box to make captcha optional in account settings once you are logged in.

That way 3rd party software is still functional and security is at the users discretion.

That's insane.

Why is that insane? It would be pretty useful.

That would take a lot more coding that these guys clearly can't handle too well.

What makes you think FA wants to help people taking their business elsewhere? :D

What website allows someone to reduce password security on their account? Name one (not talking about disabling 2-factor).

Any site which has crappy password restrictions, any site that allows IP whitelisting, any site that allows trusted browsers, etc.

But that actually isn't the problem - you're right that the idea is insane, but the idea is insane because if you are hitting the captcha that means you are not logged in. The site therefore doesn't know whether you want a captcha or not, because it doesn't know who you are. So it'd be more or less impossible to implement, except maybe by checking on the backend *after* an invalid captcha is submitted to see if the username in question has captcha disabled. Which is silly.

How about blizzard? Blizzard's authenticator is free and super easy to use, but some people don't like using it.

I just removed the password request question from my secondary google account.

Literally just now.

wait, how would this work? the captcha is on login. before you log in, the site has no idea who you are and thus can't read your preferences.

Well, it could ask you to put your log in info, and then checks if the account has that option checked, and if you have it or not, take you to a captcha page.

You'd have to make sure it also shows a captcha if the password was incorrect, else it'd reveal that the password was valid.

Good point.

yup. can, meet worms.

perhaps cookies?

The point of Captchas is to prevent an attacker running a script that tries to login repeatedly. There is absolutely ZERO point of requiring a Captcha the first time, it should only be required after the first failed attempt.

There is no reason for the Captcha to be displayed by default. This is both annoying and breaking autologin. It should be enough to display it after the first failed login attempt. If you tie it to username and store the flag internally then it cannot be worked around by changing proxy etc. What do you think?

I like this better than my original idea. Captcha for 15 minutes after the first attempt. Some sites even lockout your IP's ability to login entirely for an hour if you fail more then 5 times (Brute Forcing)

I think thats good idea, would slowdown hackers but not legit users

I'm still confused why you have a captcha on EVERY login...

* After a failed login forcing that IP to captcha logins for an period? That's fine.
* Having a captha on every single password-reset-code-request? That's also fine.

But this is either:

1) Rushed out ("Quick, we need a Captcha! Just throw it on every login request...") which means the security audit as a whole was rushed so we're likely to go through this AGAIN.
2) Being done this way specifically to punish/block the FN and other automated migrate-off-FA tools while claiming security.

Since right now? It's not adding appreciable security.

Freakin' GMail and FaceBook doesn't require a captcha on initial login and they're attacked FAR harder and more constantly than FA ever has been.

Furry network has an importer that stopped working due to the Captcha. Draw your conclusions. ;)

Yeah, Furry Network is what I meant by FN, habit to use acronyms is too strong for me I guess. :)

Probably to prevent importers, though Furiffic's importer works perfectly fine :D

For some reason everything is in bold now?

Hopefully this won't happen again. It is worrying that personal data could of been accessed from this attack.

Weew. :D back. >:3

Nice.

Awesome updates, thorough thank you for your hard work!!

Longer PASSWORDS?! Hell yeah. *cracks knuckles*

So... no more hackers?

Maybe not today. :V

possibly tomorrow tho, this site gets hacked a lot

I'll give it any time within the week. Otherwise it will be overdue.

is it over? can we leave the Winchester and our nice cold pints now?

Best stay there and have another, just to be sure!

Also, will an email be sent out to explain to everyone what just happened? Communication is cool, and no, Reddit and Twitter don't replace sending a direct email.

This would be nice

Whilst this is a good idea, it can also be problematic for FA.
Nowadays, there are "reputation" companies that will look out for mass emails that have the same content, and mark it as spam without FA's knowledge.

And most e-mail providers will notice this, and filter the e-mail to be either:

- Deleted on arrival
- Sent to the Spam folder.

Which, in turn, would have an impact on new users waiting for their reset codes or registration codes.

That and according to my twitter feed, many dont use the email they registered to FA with (hotmail before outlook) and cant login to begin with

That and most furries dont like email in general in my experience so idk what itll do

Hence why they have provided an address to contact them if they have trouble.
They only have to be patient and wait their turn.

Oh yeah definitely, I was just saying thats why a mass email announcement wouldn't work, a lotta emails are dead

I can confirm. I could reset this group, but cannot reset my main account... because Hotmail refuses to receive the email even after you whitelist every FA domain there is!

If you need help recovering your account because the password recovery tool isn't working for you for whatever reason, please email accounts[at]furaffinity.net and let them help you out. Please note that we've received a lot of account recovery requests, however, so replies may take a while. You will get a response, however, just wait for it.

Sorry about the inconvenience!

The only problem is that, since Hotmail refuses to receive emails from Furaffinity, I'm worried whether Yahoo! Mail or Gmail might be having similar issues! There's no way to know if I'm not seeing a response because they haven't gotten to me yet, or if they sent me one but the provider is discarding it for unknown reasons. If it's the later case, I'm hoping there's a way to contact staff via their personal email or the Furaffinity Forum or a chat... for now I'm waiting and watching to be sure.

I've not personally had trouble with Gmail, but I obviously can't guarantee anything; I've seen users say they've been able to recover passwords to Hotmail addresses without issue, as well.

Just to let everyone know, I'm back on my main account. The staff set it to my gmail, which had no trouble receiving the reset email. Thanks

oh wow what a big surprise. have to change password again. thanks hackers and fa....thanks

And good on you for doing so. I like the new character limit >->/ a lot.

Same. I immediately came up with a new 75 character password. Microsoft doesn't even allow passwords that long! FINALLY I CAN UNLEASH MY PASSWORD FURY

IMPOSSIBLE TO CRACK
password111111111111111111111111111111-hits limit

Basically. xD

I just love long passwords in general so this just thrills me.

I always do something relatively simple, that becomes very difficult to crack. Just writing out a string of words, like a full sentence, then replacing a few things with numbers and symbols. Bam. A password that is nearly impossible to crack by any kind of algorithmic, random generator thingy.

Amazing how many people still don't know that length is much more important than numbers and spec characters if we are talking brute forcing. A 16 chars pass of letters only (that is not made of meaningful words) is much harder to crack than a 8 char pass with random numbers, letters and spec characters.
https://xkcd.com/936/

cat /dev/random|tr -cd '[:print:]'|fold -w 72|head -n 1

actually impossible to crack

and impossible to remember

I think personal information being accessed and potentially leaked elsewhere is a bigger "inconvenience" to be honest :v

I'm not judging for the hack, sites get hacked all the time. But I am a little peeved that you did not send us direct e-mails when you knew it happened. I only found out through the grapevine after a number of days had passed. It's even more important that you notify people when this happens, in this case, because the attackers could be people that know me, or will run into me at some point, and then it gets personal with what they can do. The fact that they took advantage of a published vulnerability means they could be stupid enough to use the data they gained for drama/trolling purposes (which real hackers know better not to do).

If it were just some guy in russia looking for credit card numbers that would be another thing.

Thank you for warning, I would have a heart attack seeing that I was 'kicked out' and couldn't know how to reset my password. No problem to me.
But I still have that little bug, the 1 comment which actually doesn't exist. I read in the previous update it would disappear, I hope it will soon by the way.

How hard is it to change a password?

Coming up with a new different password and memorizing it? It's a hassle.

offline password managers. the wonders of not needing to rely on fail-able human memory.

Those can also be a hassle to use, especially if you log in from multiple locations.

http://www.passwordcard.org/en

Generate a card from a code you can remember. Then any time go back to the site and regenerate the card if needed.

Brilliant. That way if someone breaches your computer security, they get ALL your stuff rather than just what's on the HD.

ever hear of Roboform-to-go? it's an offline password manager you can install on a usb stick.

*mind blown gif that i'm too lazy to look up and link*

especially when some of the other websites make you jump through hoops to find the password reset and actually change it in the first place.

hate to be blunt man, but this being one of my areas of knowledge, get used to it. the internet is not a nice place and there's a lot worse things that could happen than taking a few minutes to do something important and change a password. imagine if the exact same kind of hack (ie ImageMagick) had happened on somewhere with your credit card. a good thing it was FA and not something worse.

honestly this is probably the worst place other than maybe my email. when i get paid i turn it to cash the same day so my money is safe. it was like 90% scarsam

They have the hashed passwords, which were probably hashed with md5, maybe sha1, either way, even salted it doesn't take long with a VGA card based supercomputer to crack, and if you used the same pass everywhere, like 99% of people do, then you can already say good bye to your PayPal and possibly other things too.

doesn't matter if the password is different. i'm sorry, but while i get that the overwhelming truth is that 99% of people aren't security minded and don't use different passwords for everything, speaking as a person who has a lot of IT and security knowledge and, also, computer related paranoia because of all that.......in this day and age with hacks and exploits taking place almost every month, sometimes week, it's bluntly stupid to try and use "well it's too much trouble" even as a sarcastic excuse. call it over-reactionary, but hey, that's my opinion.

Ummm... are you sure you replied to the correct person? Because I don't really understand why are you writing this to me. Or am I missing something?

........i'll admit, you asking that makes me unsure........the way the comments are stacked it looks like a reply to something i said.....but if that's not the case i do sincerely apologize ^^;;;

Honestly, I don't know either anymore. :D I replied to lot of people. I recall I wrote that to emphasis how dangerous this breach was, but to whom, I don't remember.

the function used was this:

$hash = sha1(crypt($password, '$2a$07$'.sha1(md5('teststring')).'$'));

which is crypt using blowfish

LET'S GO

HEAVEN OR HELL LET'S ROCK OW OWWWWWWWWWWWWWWWWWWWWWWW

WHAT'S NEXT BABY

DESTROYED

SLASH

nice to see you here as well

good to be back, now to wait for the floodgates of art to open. . .

No dildo comments? 8U

Good. >=I

Oh wait... =\

Anyway, its good to see some improvements going on now. Hopefully this wont happen again and you guys find out who did this and pursue legal action against them, especially since user's personal data was involved.

"Anyway, its good to see some improvements going on now. Hopefully this wont happen again and you guys find out who did this and pursue legal action against them, especially since user's personal data was involved."

I... I wouldn't count on that. If you read this comment http://www.furaffinity.net/journal/...../#cid:49922548

You'll see that if they try that, due to their rather not apt way of acting with this and previous scandals, they are very well putting themselves on the line of fire to get themselves liable to some penalties. Even if those laws don't apply as is, it wasn't them getting hacked that would get em, but their irresponsible way to react to it since the moment they got the news of the first ImageMagick exploit. What any website has to do on such a situation is lock down, modify the code, alert users, and come back once they fixed their code, even if no data was lost, just to be safe. They kept on and on pushing back on doing any of this, acting as if it was okay even after it was shown that people had their passwords stolen from here, and only telling people 12 hours after the first row of password being stolen reports surfaced.

Not to mention no one knows who made these attacks (yeah I feel it was multiple ones, most likely some after the site was brought back up the first time but can't confirm, just speculate), so you can't call to trial anyone if you don't know who or what organization did that.

But they got rid of ImageMagick even though it's already patched and they responsibly disclosed the bug. Don't you love FA logic?

If we all threw sites to the trash each time a site has a big exploit, FA would have been at the very base of the dumpster years ago.

Well, apparently they throw modules to the trash after they've been patched. Guess we have to get rid of PHP and MySQL since they've all had exploits that were later patched as well!

I really thank you for putting additional security features. Looks like upload function is working now as soon as I type this.

The email address is spelled wrong in step 2 of the password recovery form

Password length can be 72 characters, but you missed something.

http://puu.sh/p1Dq9/3daa668f8f.png

Yeah, tried setting a 72char password (yay for keepass), and it seems that it only saved 50 characters of it. I had to cut it down by 22 characters to be able to log in.

That is the exact same tool I use. Set mine to a 64 character password and was getting frustrated with not being able to log in. Did a little digging into the HTML suspecting frontend truncation and there it is.

Nice catch! You get a cookie! :D

Fender, you are cute af. Do you know that?

with a high enough computational cost. maximum supported password length now is 72 characters...
Ehm I set it to 100... I hope that doesn't break shit in the long run?^^

the extra characters were probably truncated

That would be my guess too but I figured better ask

Wow, to think a single hacker could do so much damage.

The worst part is there are STILL USBs out there with the site's source code on them. While the admins have done their best, a total re-code of the site can't come soon enough.

So this will happen again? Geez, this is so evil of what hackers are doing.

Cross your paws and hope it doesn't. The admins said they've done their best to close holes in the code, but this may still be far from over.

I just hope they can at least track the hackers in case they come.

So...? Assuming they properly verified that user input is safely escaped before dealing with anything, it doesn't matter. Security through obscurity isn't security, it just results in a delay before someone finds that security issue.

I'm quite excited that Weasyl is planning to release the source code for their site.

What about those who no longer have access to the email they use for FA? It's not a problem with me but I know it will be for others.

trolllololololol

I have this problem haha

Thanks! :D

Given how many people don't recall the emails they registered with (and the fact many services like gmail allow alternate spellings), you're gonna get swamped with manual resets.
You know, would have made some sense to get this initial reset sent just to email on file without having to guess it.

Where is it? One my friends is having this exact issue. I don't see the email address in the post above.

Oh, NVM. I saw it. <v<

Where can I have acces to reset my accounts recently that my account email address I have no longer acces to it I just want my old account back

If you need help recovering your account because the password recovery tool isn't working for you for whatever reason, please email accounts[at]furaffinity.net and let them help you out. Please note that we've received a lot of account recovery requests, however, so replies may take a while. You will get a response, however, just wait for it.

Sorry about the inconvenience!

Yes I have requested a post I will wait for it :)

Hopefully they will learn a lesson: Keep your damn emails updated, exactly for this reason.

Yeah, like I'll use my real email with my real personal information for a fetish porn site that just leaked it's source code. More painless in the long run to make a new account.

Easy to say, harder in practice. Having made my FA account almost 10 years ago, it

Easy to say, harder in practice. Having made my FA account almost 10 years ago, what email I registered with has never even crossed my mind. I generally assume I used one of the two email addresses I've used for as long as I can remember. And considering the hundreds of accounts I have across the internet, checking every one for email is just out of the question :o)

Are all those hundred accounts important to you? Otherwise you can take care of the important ones.

Nice cherry picking.

LOL? I could say "nice straw man" but never mind. I was just trying to be constructive but please forget it.

Thank you, took long enough, almost was on my nerves

Furaffinity; the largest furry community website and using the same code since 2005...Until giant fuck ups like this happen.

I don't understand why you would wait to update your website's coding and security until after a giant attack like this one occurs instead of before as a preventive measure.

Like goddamn...

My thoughts exactly. Even new people to the whole website thing are aware that they need to update coding as soon as it is needed. Not after thosands of accounts were compromised.

I think it was a Bad timing, there do a recode, but then the attack happend and there must react quick.
So it's like early access.

Sry I'm almost new here and have no big clue how old the code/side is, I only have clues from the current event.

To Bad the code is not opensource, some pull requests would be nice.

The code running this site is most of a decade old and wasn't designed well from the start. If half what I've been told is true, its age really shows.

They don't want to open-source it because of all the vulnerabilities it has, even though doing so would allow those vulnerabilities to be spotted and fixed by people who actually care about making the code secure.

Truthfully, if it's as bad as I've heard, the better thing that would happen is what happened when Netscape open-sourced the barely-usable Navigator/Communicator browser in March 1998: Everyone working on it threw the 1998 code away and started from scratch, resulting in the Mozilla Browser (now Seamonkey) and Firefox.

Wait WHAT?!

Firefox is NETSCAPE?! Haha. I remember liking Netscape more than IE back when I was a kid, and was always pissed that the school computers used IE. That's really cool info!

Edit: "threw away the code and started from scratch, resulting in Seamonkey and Firefox." I can read, I'm just a bit tired. Haha.

This comment makes me wish I could fave comments.

But they don't have money for that. They didn't have any fundraisers, or acquisition by a big company, or getting paid and supported by that company, how would they have money for something so insignificant as fixing gaping security holes the size of the solar system...

*sarcasm*

The moment they received the news of the ImageMagick problem is when they had to take down the site temporarily, tell users to change their passwords, and only bring the site back up once they finished fixing the code, specially after they got the news of the exploit a day after the exploit was exposed, that being a huge window of time anyone can have to take advantage of it, specially one as widespread and easy to do as it. Not only they didn't do that, they brought the site back up after 1 day, didn't tell anyone to take precautions, and only told em to do so 12 hours after the first row of reports of stolen passwords appeared, just to be followed by a ton more.

So... no, they had plenty of time. If they had done what they should have when they got the news of the exploit, non of this would have happened.

Early access... as in...

Wait that's actually a pretty spot on comparison now that I think about it.

I'm skeptical about the notion that they really fixed all of their security problems in the past week. But who knows.

You'd be expecting too much from them.