FA hack, and community annoyances
9 years ago
I was going to be a bit more specific about the FA hacking incident and web site security in general, but... I'm in a bad mood. I just feel like rambling, so I'll continue my usual tradition of lumping a whole lot of random stupid stuff into one journal.
"OBLIGATORY 'YOU CAN FIND ME HERE' JOURNAL":
Just stop.
FA already has a profile area where you can specify other sites where you host your content. If you keep the info up to date and any of your fans are really fans, they will find you. If FA's built-in linker doesn't support your site of choice, then just put the link in your regular profile.
If you do commissions or have bought commissions, and didn't get an artist's/client's e-mail address or alternate contacts, well... shame on you.
FA SUX, LOL!
You know, I certainly don't believe in website loyalty, but I really do think it's dumb to say FA is a horrible place bordering on Hell itself and people should jump ship. The reality is that the site wouldn't have become this popular and important in the fandom if it really sucked. Truly sucky products die on their own, and generally quickly. They don't need to be forced to die.
You may have to accept that the reason why the site is still around after so many screw-ups and hacks is because the site isn't really that bad. It's completely illogical to say that something popular is horrible.
It's a hobby site that specializes in hosting galleries for fans of a particular fandom. It's not critical information and if you're putting exceedingly personal information in your gallery or notes, you're doing it wrong. Stop whining about how "dangerous" FA has become and how you "can't afford the risk." If you don't like the site, that's understandable, but you really can't expect anyone to believe that FA is the most horrible place on Earth and will destroy the fandom simply by continuing to exist.
Besides, can you seriously tell me the competition is better? This is the furry fandom we're talking about. We're self-destructive by nature.
But... WEASYLE... FURRY NETWORK...
Ugh... no.
I'll avoid specifics, but I have no interest in using Weasyl. I am not happy with the administrative decisions made there, despite the endless heralds of how great the staff is. I don't like the general vibe of the community, either. I have an account to watch other artists, but without significant changes I won't upload art.
Furry Network is among the most broken, sluggish, and disastrously designed sites I've used in a long time, and I have no confidence in the site's code quality, usability, or security practices. Why this site has become the Next Big Thing™ is beyond me. It's a case of coffee-fueled JavaScript addicts gone wild; I can see easily that it's even more broken than FA. I won't follow anyone who moves there.
My second home is InkBunny. I have quibbles about its reputation, yes, but it's a nice site and it works well, and I cross-post all my art between FA and IB.
Don't even get me started about DA. If DA gets even greedier and adds even more commercial BS to their TOS, I'll likely delete all my art there. Incompetence I can handle, but not malice.
ACCOUNT ACCESS
Yes, it was necessary to do a full password reset for every user. That tends to happen when a database is compromised.
No, it was not necessary to create a new account if you lost access to your old one. Instead of jumping the gun, you should have contacted an admin, as described here. It was posted in the Administrator Notice, after all. Didn't you read it?
Also, stop whining that you can't reset your password because you used a throwaway e-mail that has since expired. If you want to enjoy the obfuscation benefits of a temp e-mail, you must be responsible for the upkeep... namely, replacing a temp e-mail with another temp e-mail on a regular basis.
If you forgot which e-mail you used, then I feel for you. Most web sites will just send verification codes to the e-mail on file. Why FA needed you to verify your e-mail before sending a verification code is beyond me.
SECURITY
For the most part, the damage control seems to be as good as we can expect, but there are a couple things that annoy me:
First, I don't like the idea of forcing people to choose new passwords. If each password uses a unique salt, as it should, then resetting your account with the same password should result in a different hash every time. Even if the database were compromised, only exceedingly popular artists (large targets) would need new passwords, because it's likely those passwords would have been brute-forced. For 99% of the community, reusing an old password shouldn't be a problem. Of course, if FA had a fixed salt for all passwords (which it probably did), then my gripe does not apply, because that's dumb. Still, I think it's worth letting users face responsibility for their own choices. If they want to use an older password, let them.
Second, CAPTCHAs are for spam, not security. FA doesn't allow guest commenting, so bot spam is not a problem. Adding a CAPTCHA to the login page is plainly dumb. If you're worried about bots trying to brute-force logins, the only solution is to restrict the number of login attempts in a given amount of time, and possibly lock accounts after a certain number of failed logins, which I believe FA is already doing. If IMVU is the one responsible for suggesting a CAPTCHA, please make a good case to inform them of what a CAPTCHA is for, and it's not for improving security. It's just a pain in the neck.
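The two mechanisms the journal's SECURITY section talks about, per-password salts and limiting failed logins with a lockout, shown together as an added example; this is not FA's code and not the journal author's. The class name, the scrypt parameters and the policy values (5 failures in 5 minutes, 15-minute lock) are assumptions made for illustration.

```python
import hashlib, hmac, os, time

WINDOW_S, MAX_FAILS, LOCK_S = 300, 5, 900   # assumed policy values, not FA's

def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a deliberately slow KDF; these parameters are illustrative
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

class Accounts:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.creds = {}     # user -> (salt, hash)
        self.fails = {}     # user -> timestamps of recent failed logins
        self.locked = {}    # user -> time at which the lock expires

    def set_password(self, user, password, salt=None):
        salt = salt or os.urandom(16)       # fresh random salt on every (re)set
        self.creds[user] = (salt, hash_password(password, salt))

    def login(self, user, password):
        now = self.clock()
        if self.locked.get(user, 0) > now:
            return "locked"                 # refuse without checking the password
        salt, stored = self.creds.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.fails.pop(user, None)
            return "ok"
        # keep only failures inside the sliding window, then record this one
        recent = [t for t in self.fails.get(user, []) if now - t < WINDOW_S]
        recent.append(now)
        self.fails[user] = recent
        if len(recent) >= MAX_FAILS:
            self.locked[user] = now + LOCK_S
            self.fails[user] = []
            return "locked"
        return "denied"

if __name__ == "__main__":
    db = Accounts()
    db.set_password("alice", "correct horse"); a = db.creds["alice"][1]
    db.set_password("alice", "correct horse"); b = db.creds["alice"][1]
    print("same password, new salt, same hash?", a == b)
    print([db.login("alice", "guess") for _ in range(6)])
```

A fresh salt changes what is stored after the reset, but a salt-and-hash pair copied from the old database still verifies against that same password.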
Literally almost everything you said I can agree with and understand too. Except security which never crossed my mind really. It always seems like there's one thing you always say I can take into everyday life (sort of).
Cheers
Thanks for the kind words, BTW. I proofread a lot to keep my emotions from getting the better of me (most of the time).
But yeah, I agree with Wacoon. I've got a good set-up here, and while I may have secondary sites I also go to, FA is my current home.
I got sick of bot spam on my oekaki board, but I hate CAPTCHAs, so I figured I'd implement the cheeziest humanity test possible, and work my way up to something more complex until I found something that worked well enough to be manageable. I started with a simple addition problem with multiple-choice answers from a drop-down menu. That alone halted 99%+ of spam, and I never had the need to use something better. Sure, some spam got through, but my site went from several hundred spams a week, to maybe 3-4.
2. FA isn't perfect, but like democracy, it is the least worst option from my point of view. I've been here so long (nearly 10 years) I am reluctant to just pack up and leave.
3. I started a page on Furry Network because a friend suggested I do, but I don't think I'm likely to look there that much, nowhere near where I currently do with FA. It's just some furrycentric version of Tumblr, which I also don't use. It's hard enough managing both FA and DA together, don't need any more sites since everyone is already on FA or DA. Can't be bothered with Weasyl.
4. Maybe that is why I found seven new watchers in my inbox this afternoon... though I didn't recognise any of the names except one, and I can't remember if they even had an FA account before!
5. The CAPTCHAs are a stupid idea. Hackers in general are people and not computers so I don't see how these will work.
Hello there by the way :)
If people can't access their account because they used a throwaway/fake email, that's their own fault, not FA's.
When it comes to email, I keep at least 2 email accounts, One's family, One's personal.
I use my personal email for most stuff. My family email is usually used for my smartphone & other services. If I ever have a change in email, I ALWAYS update it on sites that use that email. (Well, sites that I still visit anyways.)
I KNEW I WASN'T THE ONLY ONE WHO THOUGHT FURRY NETWORK WAS A HORRIBLY DESIGNED SITE
I'M SO FUCKING TIRED OF SITES THAT TRY TO BE THE NEXT BIG FUCKING THING BY LOOKING LIKE AN IPAD APP AND TAKING A FUCKING HALF GIGABYTE OF RAM
Web developers need to remember that their job is to make information accessible. You don't do that by using every trendy hack possible, flooding your design with animated effects and autoloaders, and trying to turn everything into an "app." Web pages are documents, not programs.
FA isn't perfect, but none of the other furry art sites are either. IB is a close second, marred chiefly by the kinds of content it allows.
=^.,.^=
What has the WWW come to when a "web page" has system requirements?
Someday you'll have to list your detailed grievances with the other sites (DA, WSL, FN, etc). I think it'd be entertaining (and it'd provide some more content that makes one wish journals could be faved).
As for the "give up" journal, I'm enormously conflicted about it, especially at my age. On one hand, I'm pretty much fed up with computers and don't see things getting better any time soon, especially now that DRM is coming to hardware and it will be really hard to write your own software without a manufacturer's permission. On the other, I think I'd be really good at legacy toolkits, since there's always demand for that. If my compiled language skills were up to snuff, I'd love to be a UI designer for an alternative OS. The trouble, of course, is getting paid.
Web sites... ugh. I'm done with that crap. If everyone seriously believes the future of the Internet is WebAssembly and client-side templating, then the situation is hopeless. Dependency hell will ensure nothing will work. You can't make content accessible by turning a web browser into a glorified virtual machine.
The only issue I came across with this whole thing, was that my ages-old e-mail addy just wasn't being recognized so I couldn't reset. Sent an e-mail requesting some help with it, got an e-mail from Dragoneer that it was fixed, and here I am.
In regards to alternative furry content hosting services, for grins I've been trying out a new site whose name I won't mention, because so far, I'm not at all impressed with it.
Please elaborate.