Well, by actually EXPLOITING the gaping security flaws, doesn't that kind of make him a danger to FA?
You can't be both the good cop and the bad cop at the same time.
Though I will readily admit that I probably don't have the "whole" story. I can only go off of what I've seen and heard so far. Still, even if he did point the flaw out to the FA administration, and even if they brushed it off, he shouldn't have just started causing a huge scene about it.
Maybe his methods will finally get the flaw fixed now, but it also earned him a ban. I'd ban someone too for exploiting security flaws.
You could try doing 'nothing' at that point. If you bring it to the admins' attention and they don't want to hear it, then let it bite them in the ass one day, but that doesn't mean that YOU have to be the one to do it.
I wouldn't use this logic for EVERY security related issue though. Obviously if it was something more along the lines of like, stealing passwords, then you could provide a proof of concept along with a few passwords you've managed to gather, and turn that over to the administration. In such a case, I'd much rather see an honest person demonstrate the exploit rather than a truly malicious person.
With an issue like just hiding comments though, Eevee simply should have let someone else take the fall. He did his part by informing the admins. Let actually exploiting it be someone else's fuck-up.
We all have security flaws in our lives, ways for burglars to break in. Do you think a defense for someone breaking in and taking something of yours should be, "Oh, he was just showing you that your house could be broken into"?
If the home break in was done without damage to the property and all I stole was a bag of chips, it's still criminal trespass.
If I told you I could punch you in the face and you say "I don't care," and then I punch you in the face, it's still punching you in the face. "I don't care" doesn't mean "Alright, go ahead and make me care."
Correct, and "white hats" (slang for good hackers) are hired by people to try and exploit systems to test security efficiency. I'm aware of this show, but the essential thing to understand is that the homeowner said, "We give you permission to break into my house."
Same with white hats: they are given permission to exploit systems. They need to be very cautious that they stay within the parameters of the contract and not exploit things outside the system requested. FA actually gave a sense of permission to Eevee to exploit the comment system so that it affected Dragoneer's posts. He did, and according to him they started to work on the issue. According to Dragoneer, 48 hours later he then started to exploit other users outside the admins' circle, which he was not given permission to do.
I'm with you on that one. Still, if Eevee was thinking, he'd know that as soon as he did that, there is the possibility they'd lie about it. I mean, sheesh, he's worked with these people; you would think he'd know how they behave.
You ever seen that movie with the guy in prison because he killed the guys attacking the apes and he said that people enslave themselves with structure of power and control? It seems the same to me from what I understand.
Though to me this seems like Eevee was doing the same thing, which is why he started to hack users, so that users would be aware of the issue more than if he had just hacked the admins.
I don't really like controlling people, I offer advice, but never control. It's why I'd decline being an admin if given the opportunity.
Ignore the fact that they're ignoring it and pray someone with a real agenda doesn't exploit it in the future.
You certainly don't announce that you found an exploit on Twitter for everyone to see before using the exploit yourself on people other than the administrator.
He's a hacker, he should know that Knowledge is power, and if you DON'T want people looking for ways to hack something you shouldn't be announcing it in public. He's trying to grey hat when he was not given permission to do so, which makes one by definition a black hat.
Then guess what? You stop caring too because it's not your job to care or make others care.
As I said if he told the government of an exploit and they said "We don't care" it doesn't mean hack into their system and make them care.
The ends don't justify the means. And he put his knowledge of the exploits on twitter long before he performed them himself, which is dangerous in and of itself. That's why he said:
it's also possible for me to hide almost every comment across all of punchaffinity
5:14 PM Oct 13th via Twirssi
In other words, he said he can do it before he did it in a public forum. If I was a hacker myself, Eevee would be a good person to follow, he'll apparently tell people what systems can be exploited and on what websites.
If I was concerned about people exploiting it, I certainly wouldn't tweet it. I would only tweet such a thing to show off to people on my followers list that I'm a smarter programmer than those at the location in question. He may have privately emailed the staff about it, but he concurrently made public statements about the exploit.
The best thing he could have done for himself would be to simply state on his LJ: "Today I've tried to address some exploits with the FA staff and they failed to listen. Should these exploits happen in the future, please know that I tried to get them to heed and they wouldn't."
What he does then, either hope someone does so he can say "I told you so." or actually hope FA doesn't get exploited, is not really his or anyone else's concern. People need to learn these things, sometimes the hard way. While I do feel they were lucky Eevee did it and not someone else, it was still done without consent.
Hackers 101: TRUST is your ultimate weapon, and social engineering can get you into places with minimal effort on your end. By exploiting the code on this site without consent he shows that he can't be trusted with the code, and therefore the trust is gone.
The ends don't justify the means. But the means will sometimes justify the ends. He should have let it be and had the staff eventually learn the hard way, or if they got lucky, just go on ignorant of the problem which may have never been exploited.
This is a service he uses. His choices are to stop using the service to remain safe, or be as vulnerable as everyone else, perhaps more so as he is a high-profile target, having once been a programmer for the website.
Or if someone uses an exploit against him, since he already knows how they're doing it, he can figure out who did it and report them so they're banned.
He casually mentioned something to Yak on another forum somewhere. Although Yak said "I don't really care at this point", he did not say he wasn't going to fix it, just that these new features always have teething problems and they will be dealt with in time. Eevee then waited 2 days before going around using the exploit and then broadcasting said exploit to the whole of the internet.
Eevee should have contacted more admins rather than mention something in passing conversation to Yak and then only allowing 2 days for them to fix the problem. He should have given them at least 30 or so days before going public about it and using it himself.
I'm sort of annoyed with both sides. It SHOULD be the admin's responsibility to maintain the safety of the site AT ALL TIMES and they should have fixed it immediately after hearing about it, at least within 24 hours... but at the same time it was wrong of Eevee to make his point by actually exploiting the flaw, and making the members suffer instead of the ignorant admins.
It may have inconvenienced the users to some degree, but I view it as a very mild offense considering that the effects of it are completely reversible. The administration can easily unhide all the comments that were affected by the exploit. Furthermore, demonstrating the exploit to the users helped raise awareness that a security flaw even exists, and thus the coders are now more pressured to fix it.
Not all programmers are good enough to figure these things out in 24 hours, veekun obviously probably could, but he doesn't work for them. Still, if he tried to do what he did with FA's exploit with an exploit in say a banking website, we wouldn't be talking about a ban of his on a website he hardly used in the first place, but him going to jail.
I am a web host and professional PHP web designer myself, and it is possible to fix a simple flaw like this within 24 hours, considering PHP (which I understand this site is based on) gives you plenty of debug tools to work with. If you can't figure out the problem given the resources available in PHP and on the internet, including reference sites like php.net, in 24 hours, you can call yourself a programmer or a host, but not an expert, and unfortunately admins are supposed to be experts, or at least hire people who are.
Considering the amount of time that elapsed AFTER Eevee warned them about the problem without any action being taken, that is shameful on the entire admin team's part. Surely among them there should've been someone who could sort out the problem quicker than they did.
I'm aware that admins are people too and have lives, but admins should be able to make time to maintain their websites properly or else there isn't much point in being an admin.
You can't just fix something like that in 24 hours. It was considered a minor problem because the comments were not fully deleted, just hidden; if it was something more serious, i.e. passwords being stolen, accounts getting hacked, etc., then they would have done something faster. Admittedly they could have just disabled that feature, but given the HUGE amount of furries that insisted on such a feature being implemented in the first place, I would think they didn't want to go for that option because they would have ended up with vast numbers of people bitching at them, like usual.
If my own website had a problem like that, it's highly likely I could find and apply a solution to such a problem in less than 5 hours solid if I worked at it the whole time. To be absolutely honest with you, ANY PHP professional will tell you that if you know your stuff and put in the time, such a minor but critical bug can be circumvented or eradicated completely in a matter of hours.
The reaction time to such a gaping flaw in the site's security, even AFTER being made aware of it, is shocking, and I'm going to be ABSOLUTELY honest here, but anyone who says otherwise really doesn't know what they're talking about.
Yeah, I like your attempt to make me out to be the idiot. Nice try.
I'm not buying it. I don't believe websites are that easy to do, not on this scale and especially when trying to implement new features. But why is it such a big deal to give these people some breathing space in order to fix many things at once? These people do have jobs and lives outside this site; they probably cannot spend all day every day dedicated to this thing. Does that really justify Eevee's actions though? Does it really justify him starting to broadcast about this exploit and starting to use it himself just because he got a slightly apathetic reply of "we'll fix stuff eventually"?
Sorry, but I can only see this as an attempt to look like the cool kid, rather than actually helping the site. If he wanted to help the site he would merely teach people how to use the exploit. If I found an exploit and I thought I was getting an apathetic response, I would merely harp on about it to as many admins as possible until they listened, not wait 2 days and start going on a massive rampage.
Defensive aren't we?
See it however you want, I'm just stating the facts as they stand.
I don't know about anyone else, but I myself find PHP/MySQL extremely easy to use and debug and so do many other dedicated web hosts. This is not big talk. This is not bragging. This is not boasting. This is FACT!
PHP does not take a lot of time to debug. It was built for this purpose, among others.
The amount of time it takes would be different for each person diagnosing and fixing different problems, but with the amount of staff on hand to deal with this matter for FA, combined with the amount of skill they often like to brag about, I find it extremely disgraceful that this problem went unsolved for as long as it did. Although I do not condone Eevee's ways of showing the admins first hand, a simple and obvious problem such as a flaw in parsing permissions could've been averted nice and easily if the admins so chose to do it.
I have fixed far worse problems on my own site in mere hours.
You can be a child and claim I have no idea what I'm talking about, but as it stands, you DON'T know me and hence do NOT know whether I know what I'm talking about or not and are just raving on because of the typical thought: "OMFG is he serious? He's not FA admin, he knows NOTHING!". I have 7 years experience in hosting websites and coding in PHP.
But I never came to this thread to argue with you or anyone else, I came to give my two cents on the matter and nothing more.
"You can be a child and claim I have no idea what I'm talking about, but as it stands, you DON'T know me"
Errrr, if you just want to go back and read what has been said between us, you tried to pull that shit on me first. I never doubted your RL skills/qualifications, merely your assessment of this situation and how you reacted to me. You seem to think I don't know anything on the basis that I contradicted you.
"I have fixed far worse problems on my own site in mere hours"
Oh so you run a site the size of FA then? I hope you do, otherwise that statement would be entirely irrelevant!
"I came to give my two cents on the matter and nothing more"
Well, then I guess we both have an opinion on this, don't we? Don't want people to argue with you? Don't say anything at all.
The reason I argue is because I've asked around a few people on this site and other sites, and asked people who also know a few things about dealing with exploits such as this one, and the general consensus seems to be that for one individual person who isn't doing this full time, it is unfair to expect them to fix this problem in less than 48 hours. Many of them seemed to agree that it would take several people working full time to achieve such a thing. FA does not have a team of people; they have Yak, and I'm pretty sure he doesn't work full time on this site. I also imagine this site's coding is incredibly complex and chances are fixing one thing will actually mess up another, so I'm pretty certain it's not the quick fix you reckon it is.
My site is definitely not as large as FA, but it's still pretty high traffic, clocking at least 2000 hits each day despite having fewer than 100 members (most content does not require an account). I'm aware of the costs and manpower involved with maintaining a server. My site is powered by a single IBM eServer 2U rackmount, but I am considering hiring a co-lo if my traffic gets any higher, as internet connections in Australia aren't really equipped to host extreme-traffic web servers.
However, it was a little misunderstanding on my part. I was told FA was managed by a whole team, not just one person. Thank you for clearing that up. But, if this is the case, they desperately need to expand their staff if they have any hope of maintaining stability and security for a site this large, which I understand can clock up to millions of hits a day.
Yes, as far as I know it's just Yak dealing with this stuff, and given that stuff with Arcturus in the past when he held FA's coding to ransom, I'm not at all surprised that 'Neer doesn't want to involve strangers he doesn't know and definitely doesn't want to fork out the extra money of officially hiring someone. I know I wouldn't, given that no matter what Dragoneer does, this site just isn't good enough for people, so I wouldn't expect him to spend more money than he needs to.
Recoding the site is an option, but surely that would take epic amounts of time for Yak to do, especially given that Yak is doing this part time. I think there are plans eventually to overhaul the site, but there's nothing set in stone. Even if they did do an overhaul there would still be teething problems and yet more baaawwwing furries.
Find the problem, report it, notice it isn't fixed as fast as you want to be, so exploit it just to prove a point, and get the same punishment as if you had just did it without reporting it in the first place.
It's how the real world works. Programmers are not gods. If you work for a home security company and see a vulnerable home, you don't break in to prove that their home isn't secure enough, even if you are an expert in that field. You'd still get arrested; you'd still go to jail.
Never said the break in would be messy, if the home was insecure enough maybe someone could have gone in without doing any damage at all and then just sat and watched TV till the owner got home. It's still criminal Trespass, even if I didn't do any damage, my presence is the illegal action.
And hacking a site without someone's permission to prove a point is not a slippery slope to saying it's alright to exploit a site as long as the code isn't fixed? Just because someone's door is open doesn't mean you have permission to enter their house. That logic is a slippery slope.
It's ironic how many people who claim straw men are setting up straw men with the claim of straw men. And how many people set up slippery slopes by merely claiming all dissenting opinion is a slippery slope.
No threat dude, You know anti furs and whatnot keep an eye on the website, and with so many holes and security vulnerabilities, you should do as I do and change the password every few days and make sure it's unlike any of your other passwords. This place is buggy, and the programmers don't care to fix it.
(Some of us do care if someone hacks us, posts poor things, gets us banned, and makes us unable to make new accounts due to such a thing being ban evasion.)
To the left, you'll find the admins, people who run this site. And to the right, you'll find users. But it matters not which way you go; they're both childish and immature.
But I don't want to go among the childish and immature.
Well, that can't be helped. We're all childish and immature here. 'neer, Eevee, Me, You.
How do you know I'm childish and immature?
Well, You are here, aren't you? If you weren't childish and immature, You wouldn't be here at all!
Man I hope that didn't pass you by :x Do kids even read books these days? i mean besides sparklevampire books?
Anyway, you keep saying "lying", but Eevee speaks as much truth as Dragoneer or Yak. That is, he speaks his truth, just as Dragoneer speaks his truth and Yak speaks his. Without being a member of the administration or programmer team yourself, how can you be certain anyone's words are lies?
You speak an opinion on whether his actions were OK or not, an opinion that I disagree with but is no less or more valid than mine.
But now you call Eevee a Liar, without log, photo, or even first hand experience. How can you be so sure of your accusation?
The answer is simple. That is your truth.
This one wonders if there is such a thing as "real truth" given that reality is a collection of all of our perceptions.
Then I will say I believe Eevee over the admins. Is my position more justified than yours? No, it is not, nor is yours more justified than mine, for both you and I lack anything resembling a record of events. We both only have hearsay, perspective and bias.
I'm pretty sure Eevee did not provide screencaps proving that he contacted more than one admin. You've also got to keep in mind that Dragoneer and other admins get hundreds of notes all the time, so it is perfectly possible that he noted them and they never got around to reading his notes, that's even if he actually noted them in the first place. I'm pretty sure he contacted only Yak, and through a different site.
I guess, but that means, on the assumption that everyone is innocent until proven guilty, and given that Eevee has admitted to exploiting FA, it's safe to assume that little contact was made between the two.
Here's everything I know about, ranked by how easy it is to exploit. ☆☆☆ means it's technically possible, but scarcely worth the effort unless someone is super angry. ★★★ means I could be doing it to you as you read this paragraph. (No, I'm not.) Severity is up to you.
This information alone is not enough to inflict damage.
And yes, this is including the fixes from this weekend:
★★☆ An attacker can trick a user into watching any other user.
★★☆ An attacker can trick a user into unwatching any other user.
★★☆ An attacker can trick a user into faving any submission.
★★★ An attacker can trick a user into unfaving any submission.
★★☆ An attacker can trick a user into posting any submission.
★★☆ An attacker can trick a user into posting any journal.
★★★ An attacker can trick a user into creating any number of dummy submissions.
★★☆ An attacker can trick a user into replacing the content of any of that user's submissions.
★★☆ An attacker can trick a user into changing the description of any of that user's submissions.
★★☆ An attacker can trick a user into changing any of that user's journals.
★★★ An attacker can trick a user into deleting any submission the user owns.
★★★ An attacker can trick a user into deleting any journal the user owns.
★☆☆ An attacker can trick a user into deleting any combination of shouts on that user's page.
★★☆ An attacker can trick a user into making any comment on any journal or submission.
★★★ An attacker can trick a user into making a dummy comment on any journal or submission.
★★☆ An attacker can trick a user into posting any shout on any other user's userpage.
★★☆ An attacker can trick a user into hiding any comment the user is allowed to hide.
★★★ An attacker can trick a user into logging out.
★★☆ An attacker can trick a user into changing that user's profile text and metadata.
★★☆ An attacker can trick a user into changing that user's avatar.
★☆☆ An attacker can trick a user into replacing that user's existing avatars.
★☆☆ An attacker can trick an admin into exercising any administrative powers.
There's also a meta-exploit which would allow creating a socially-replicating worm, fairly untraceable, not requiring persistent hosting outside FA, and capable of doing any of the above.
Others:
☆☆☆ An attacker can steal user passwords over open wifi (such as that at furry conventions).
★★☆ An attacker can steal user sessions over open wifi (such as that at furry conventions).
★★☆ An attacker can log out every logged-in user and prevent anyone else from logging in, including administrators.
★★★ Banned users can hide comments they would otherwise be able to hide.
★★★ Banned users can post comments on journals.
★★★ Blocked users can reply to comments on the blocker's submissions and journals.
Meta: read-only and admin mode are kind of worthless. They didn't stop the escalation exploit on Friday, and they didn't stop the PHP execution vulnerability I witnessed first-hand many years ago.
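The list above describes two classes of flaw without showing any code: every "an attacker can trick a user into X" entry is cross-site request forgery (a state-changing request that the site accepts on the strength of the session cookie alone), and the "banned/blocked users can still post" entries are missing server-side authorization. The example below is added here for illustration and is not FA's code (FA is a PHP site; this is a Python model). The site origin, session store, user names, actions and comment IDs are all constructed assumptions. It shows a forged request succeeding against a cookie-only handler, the same request failing against a handler that checks the Origin header and a per-session anti-CSRF token, and the hardened handler refusing a banned user's reply and a blocked user's reply to the blocker's comment. The open-wifi entries are a transport problem (no TLS) and are not modelled.

```python
"""Added example: CSRF and missing-authorization checks on a state-changing
endpoint. Not FurAffinity's code; every name and value below is assumed."""
import hmac
import secrets

SITE_ORIGIN = "https://example.invalid"   # assumed origin of the site itself

# Constructed sample state (assumptions, not real data).
SESSIONS = {"sess-alice": "alice", "sess-carol": "carol", "sess-mallory": "mallory"}
BANNED = {"mallory"}
BLOCKS = {"bob": {"carol"}}               # bob has blocked carol
COMMENT_OWNER = {"c1": "bob"}             # comment id -> who posted it
CSRF_TOKENS = {}                          # session cookie -> per-session token


def issue_csrf_token(cookie):
    """Mint a per-session anti-CSRF token. The site embeds it only in its own
    forms, so a page on another origin cannot read it to forge a request."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[cookie] = token
    return token


def apply_action(user, form):
    """Perform the state change. Both handlers end here; only the checks differ."""
    action = form.get("action")
    if action == "unfave":
        return 200, f"{user} unfaved submission {form['id']}"
    if action == "logout":
        return 200, f"{user} logged out"
    if action == "reply":
        return 200, f"{user} replied to comment {form['id']}"
    return 400, "unknown action"


def handle_vulnerable(cookie, form, origin=None):
    """Flaw class 1 (CSRF): a valid session cookie is the only check. A hidden,
    auto-submitting form on attacker.invalid is indistinguishable from the user
    clicking the site's own button, because the browser attaches the cookie."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, "login required"
    return apply_action(user, form)


def handle_hardened(cookie, form, origin=None):
    """Same endpoint with the standard defences added."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, "login required"
    # Defence 1: browsers send Origin on cross-site POSTs; reject foreign ones.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Defence 2: the form must carry the per-session token (covers clients that
    # send no Origin). Constant-time compare so the check itself leaks nothing.
    expected = CSRF_TOKENS.get(cookie)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "missing or bad csrf token"
    # Flaw class 2 (authorization): decide on the server, per request, not in
    # the UI. Banned users may not post; a blocked user may not reply on the
    # blocker's content.
    action = form.get("action")
    if action == "reply":
        if user in BANNED:
            return 403, "banned"
        owner = COMMENT_OWNER.get(form.get("id"))
        if owner is not None and user in BLOCKS.get(owner, set()):
            return 403, "blocked by the comment's owner"
    return apply_action(user, form)


def demo():
    """Run the scenarios and return their (status, message) results by name."""
    forged = {"action": "unfave", "id": "s42"}        # no token: cross-site page
    results = {}
    results["forged_vs_vulnerable"] = handle_vulnerable(
        "sess-alice", forged, origin="https://attacker.invalid")
    results["forged_vs_hardened"] = handle_hardened(
        "sess-alice", forged, origin="https://attacker.invalid")
    # Forged request from a client that sends no Origin header at all.
    results["forged_no_origin"] = handle_hardened("sess-alice", forged)
    results["guessed_token"] = handle_hardened(
        "sess-alice", {**forged, "csrf_token": "A" * 43})
    # Legitimate submission from the site's own form.
    token = issue_csrf_token("sess-alice")
    results["legit_vs_hardened"] = handle_hardened(
        "sess-alice", {**forged, "csrf_token": token}, origin=SITE_ORIGIN)
    # Authorization: banned user and blocked user both try to reply to c1.
    for cookie in ("sess-mallory", "sess-carol"):
        t = issue_csrf_token(cookie)
        results[cookie] = handle_hardened(
            cookie, {"action": "reply", "id": "c1", "csrf_token": t}, origin=SITE_ORIGIN)
    return results


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name:22s} {status} {msg}")
```

The Origin check alone is not enough (some clients omit the header, which is why the token check also runs), and the token alone is not enough if the site ever reflects it into a page an attacker can read, which is the route the "socially-replicating worm" entry above would take; the two together, plus making every state-changing action POST-only, are the usual baseline.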
Who said I felt they were doing this intentionally?
These are known issues. Yak, the only programmer, knows the issues.
He has known about these issues for many months.
He has stated he did not care about these issues.
If it is an issue of time, He will not share the site code with other coders, even coders Dragoneer trusts.
It is not intentionally bad code,
But it remains bad code intentionally through inaction.
FA is not innocent of exposing your personal information (IE Passwords) to malicious intent
Not innocent as in guilty? "To malicious intent"? Well, what is that last part supposed to mean then?
He once stated in casual conversation that I wasn't worried about it; that doesn't mean he's not doing anything about it. If the site's issues (such as apparent security issues) bother you so much, why do you bother to stay on such a site? By your evaluation it seems like a total shit hole.
I would like to switch gears: what opinion, view or fact are you persuading me to see?
Currently, I am seeing you try to convince me Yak's right; Eevee is wrong.
Is this a summary of your views that you're trying to convince me of? This will aid me in the direction I go with my arguments and supporting facts.
Eevee was right in pointing out an exploit, but he was wrong with how he went about it, from warning only one person, to only allowing 2 days to sort out the problem, to then advertising the exploit. Yak shouldn't have come across apathetic, but he didn't say he wasn't going to do it, just that there are a lot of bugs that need fixing and that it will take a lot of time. I don't believe 48 hours is enough time for a part-time coder to fix something like that on a site like this that has probably been patched and re-patched so many times.
Was going to respond to my own post if you had hidden it saying that furfags are incapable of accepting intelligent, witty responses that criticise them.
Plans foiled. Well. Oh yeah and quit browsing /v/, at the least don't browse it then splice /v/ memes on everyone in the outside world thinking the short term favour you win off will outweigh how unfunny you look to everyone ever.
I have a cooked fried chicken kebab skewer here, even with tomatoes, mushrooms, etc., and I was seriously thinking of doing Omnislash on you with it when I saw that "I don't want to go among weaboos" comic half-assedly regurgitated.
Eevee performed an action that would take 10 seconds to undo.
A breakin would require extensive cleanup.
(Also, I would download a car.)
Oh he can demand change.
That's a third possible option, correct?
Eevee should have contacted more admins rather then mention something in passing conversation to yak and then only allowing 2 days for them to fix the problem, he should have given then atleast 30 or so days before going public about it and using it himself
Considering the amount of time that elapsed AFTER Eevee warned them about the problem without any action being taken, that is shameful on the entire admin team's part. Surely among them, there should've been someone who could sort out the problem quicker then they did.
I'm aware that admins are people too and have lives, but admins should be able to make time to maintain their websites properly or else there isn't much point in being an admin.
The reaction time to such a gaping flaw in the site's security, even AFTER being made aware of it, is shocking. I'm going to be ABSOLUTELY honest here: anyone who says otherwise really doesn't know what they're talking about.
I'm not buying it. I don't believe websites are that easy to do, not on this scale and especially when trying to implement new features. Why is it such a big deal to give these people some breathing space in order to fix many things at once? These people do have jobs and lives outside this site; they probably cannot spend all day every day dedicated to this thing. Does that really justify Eevee's actions, though? Does it really justify him starting to broadcast about this exploit and using it himself just because he got a slightly apathetic reply of "we'll fix stuff eventually"?
Sorry, but I can only see this as an attempt to look like the cool kid rather than actually helping the site. If he wanted to help the site he would merely teach people how to use the exploit. If I found an exploit and I thought I was getting an apathetic response, I would merely harp on about it to as many admins as possible until they listened, not wait 2 days and go on a massive rampage.
See it however you want, I'm just stating the facts as they stand.
I don't know about anyone else, but I myself find PHP/MySQL extremely easy to use and debug and so do many other dedicated web hosts. This is not big talk. This is not bragging. This is not boasting. This is FACT!
PHP does not take a lot of time to debug. It was built for this purpose, among others.
The amount of time it takes would be different for each person diagnosing and fixing different problems, but with the amount of staff on hand to deal with this matter for FA, combined with the amount of skill they often like to brag about, I find it extremely disgraceful that this problem went unsolved for as long as it did. Although I do not condone Eevee's way of showing the admins first hand, a simple and obvious problem such as a flaw in parsing permissions could've been averted nice and easily if the admins so chose to do it.
I have fixed far worse problems on my own site in mere hours.
You can be a child and claim I have no idea what I'm talking about, but as it stands, you DON'T know me and hence do NOT know whether I know what I'm talking about or not and are just raving on because of the typical thought: "OMFG is he serious? He's not FA admin, he knows NOTHING!". I have 7 years experience in hosting websites and coding in PHP.
But I never came to this thread to argue with you or anyone else, I came to give my two cents on the matter and nothing more.
Errrr, if you just want to go back and read what has been said between us, you tried to pull that shit on me first. I never doubted your RL skills/qualifications, merely your assessment of this situation and how you reacted to me. You seem to think I don't know anything on the basis that I contradicted you.
"I have fixed far worse problems on my own site in mere hours"
Oh so you run a site the size of FA then? I hope you do, otherwise that statement would be entirely irrelevant!
"I came to give my two cents on the matter and nothing more"
Well then, I guess we both have an opinion on this, don't we? Don't want people to argue with you? Don't say anything at all.
The reason I argue is because I've asked around a few people on this site and other sites, and asked people who also know a few things about dealing with exploits such as this one, and the general consensus seems to be that for one individual person who isn't doing this full time, it is unfair to expect them to fix this problem in less than 48 hours. Many of them seemed to agree that it would take several people working full time to achieve such a thing. FA does not have a team of people; they have Yak, and I'm pretty sure he doesn't work full time on this site. I also imagine this site's coding is incredibly complex and chances are fixing one thing will actually mess up another, so I'm pretty certain it's not the quick fix you reckon it is.
However, it was a little misunderstanding on my part. I was told FA was managed by a whole team, not just one person. Thank you for clearing that up. But, if this is the case, they desperately need to expand their staff if they have any hope of maintaining stability and security for a site this large, which I understand can clock up to millions of hits a day.
It's how the real world works. Programmers are not gods. If you work for a home security system, and see a vulnerable home, you don't break in to prove that their home isn't secure enough, even if you are an expert in that field. You'd still get arrested, you'd still go to jail.
Eevee performed an action that would take 10 seconds to undo.
A breakin would require extensive cleanup.
(Also, I would download a car.)
It's ironic how much people who claim straw men are setting them up straw men with the claim of straw men. And how many people set up slippery slopes by merely claiming all dissenting opinion is a slippery slope.
(Some of us do care if someone hacks us, posts poor things, gets us banned, and makes us unable to make new accounts due to such a thing being ban evasion.)
For one who claimed to not be affected by hackers, you seem to be giving attention (and therefore power) to Eevee.
:awesome:
But I don't want to go among the childish and immature.
Well, that can't be helped. We're all childish and immature here. 'neer, Eevee, Me, You.
How do you know I'm childish and immature?
Well, You are here, aren't you? If you weren't childish and immature, You wouldn't be here at all!
Anyway, you keep saying "lying", but Eevee speaks as much truth as Dragoneer or Yak. That is, he speaks his truth, just as Dragoneer speaks his truth and Yak speaks his. Without being a member of the administration or programmer team yourself, how can you be certain anyone's words are lies?
You speak an opinion on whether his actions were OK or not, an opinion that I disagree with but which is no less or more valid than mine.
But now you call Eevee a liar, without log, photo, or even first-hand experience. How can you be so sure of your accusation?
The answer is simple. That is your truth.
This one wonders if there is such a thing as "real truth" given that reality is a collection of all of our perceptions.
No one is supporting the burden of proof; therefore, neither you nor I could say who holds the truth between the parties.
Eevee is not innocent of disrupting a service.
I've never assumed anyone was innocent.
In fact, there is no such thing as a safe assumption.
>My face when evvee
D: D:
D:
This information alone is not enough to inflict damage.
And yes, this is including the fixes from this weekend:
★★☆ An attacker can trick a user into watching any other user.
★★☆ An attacker can trick a user into unwatching any other user.
★★☆ An attacker can trick a user into faving any submission.
★★★ An attacker can trick a user into unfaving any submission.
★★☆ An attacker can trick a user into posting any submission.
★★☆ An attacker can trick a user into posting any journal.
★★★ An attacker can trick a user into creating any number of dummy submissions.
★★☆ An attacker can trick a user into replacing the content of any of that user's submissions.
★★☆ An attacker can trick a user into changing the description of any of that user's submissions.
★★☆ An attacker can trick a user into changing any of that user's journals.
★★★ An attacker can trick a user into deleting any submission the user owns.
★★★ An attacker can trick a user into deleting any journal the user owns.
★☆☆ An attacker can trick a user into deleting any combination of shouts on that user's page.
★★☆ An attacker can trick a user into making any comment on any journal or submission.
★★★ An attacker can trick a user into making a dummy comment on any journal or submission.
★★☆ An attacker can trick a user into posting any shout on any other user's userpage.
★★☆ An attacker can trick a user into hiding any comment the user is allowed to hide.
★★★ An attacker can trick a user into logging out.
★★☆ An attacker can trick a user into changing that user's profile text and metadata.
★★☆ An attacker can trick a user into changing that user's avatar.
★☆☆ An attacker can trick a user into replacing that user's existing avatars.
★☆☆ An attacker can trick an admin into exercising any administrative powers.
There's also a meta-exploit which would allow creating a socially-replicating worm, fairly untraceable, not requiring persistent hosting outside FA, and capable of doing any of the above.
Others:
☆☆☆ An attacker can steal user passwords over open wifi (such as that at furry conventions).
★★☆ An attacker can steal user sessions over open wifi (such as that at furry conventions).
★★☆ An attacker can log out every logged-in user and prevent anyone else from logging in, including administrators.
★★★ Banned users can hide comments they would otherwise be able to hide.
★★★ Banned users can post comments on journals.
★★★ Blocked users can reply to comments on the blocker's submissions and journals.
Meta: read-only and admin mode are kind of worthless. They didn't stop the escalation exploit on Friday, and they didn't stop the PHP execution vulnerability I witnessed first-hand many years ago.
These are known issues. Yak, the only programmer, Knows the issues.
He has known about these issues for many months.
He has stated he did not care about these issues.
If it is an issue of time, He will not share the site code with other coders, even coders Dragoneer trusts.
It is not intentionally bad code,
But it remains bad code intentionally through inaction.
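Added example (the editor's, not code from FA, Yak or Eevee): every item in the list above is phrased as something an attacker can "trick a user into", which is the shape of cross-site request forgery, where the victim's browser attaches the site's session cookie to a request that a page on another site submitted. Reading the list that way, and reading the "socially-replicating worm" as a forged "post a journal" request whose posted content carries the page that forges it, is an inference from the wording, not something the thread states. The handler names, the in-memory session store, the site origin `https://site.example`, the request shape and the sample requests are all constructed for the example. It puts a cookie-only handler beside one that requires a POST, a same-origin `Origin`/`Referer`, and a per-session, per-action synchroniser token.

```python
"""Cookie-only versus CSRF-hardened handler for a state-changing action.

Added example, not code from the site or from any poster in the thread.
Session store, request shape and site origin are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://site.example"   # assumed origin of the protected site


@dataclass
class Session:
    user: str
    # Per-session secret from which action tokens are derived
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    cookies: dict


# Constructed in-memory session store: session-cookie value -> Session
SESSIONS = {}


def make_csrf_token(session: Session, action: str) -> str:
    """Token the site embeds in its own forms; bound to one session and one action."""
    return hmac.new(session.csrf_secret.encode(), action.encode(), hashlib.sha256).hexdigest()


def request_origin(req: Request) -> Optional[str]:
    """scheme://host[:port] of the page that sent the request, or None if unknown.
    Compared for equality, never by prefix, so site.example.attacker.example fails."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def lookup_session(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def vulnerable_hide_comment(req: Request) -> Tuple[int, str]:
    """Authorises on the session cookie alone. The browser attaches that cookie to
    any request aimed at the site, so a form on another site can submit this."""
    s = lookup_session(req)
    if s is None:
        return 401, "login required"
    return 200, f"{s.user} hid comment {req.form.get('comment_id')}"


def hardened_hide_comment(req: Request) -> Tuple[int, str]:
    """Same action with three checks: POST only, same-origin source, valid token."""
    s = lookup_session(req)
    if s is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"
    if request_origin(req) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = make_csrf_token(s, "hide_comment")
    if not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return 403, "missing or invalid CSRF token"
    return 200, f"{s.user} hid comment {req.form.get('comment_id')}"


def demo() -> dict:
    """Victim is logged in; a page on attacker.example auto-submits the form."""
    SESSIONS.clear()
    victim = Session(user="victim")
    SESSIONS["c0ffee"] = victim
    cookies = {"sid": "c0ffee"}            # sent by the browser on every request

    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"comment_id": "42"}, cookies)
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"comment_id": "42", "csrf": make_csrf_token(victim, "hide_comment")},
                    cookies)
    # A token issued for a different action must not be accepted for this one
    wrong_action = Request("POST", {"Origin": SITE_ORIGIN},
                           {"comment_id": "42", "csrf": make_csrf_token(victim, "fav")},
                           cookies)
    # A look-alike Referer host must fail even if the token were somehow known
    lookalike = Request("POST", {"Referer": "https://site.example.attacker.example/x"},
                        {"comment_id": "42", "csrf": make_csrf_token(victim, "hide_comment")},
                        cookies)
    return {
        "vulnerable_forged": vulnerable_hide_comment(forged)[0],
        "hardened_forged": hardened_hide_comment(forged)[0],
        "hardened_legit": hardened_hide_comment(legit)[0],
        "hardened_wrong_action": hardened_hide_comment(wrong_action)[0],
        "hardened_lookalike": hardened_hide_comment(lookalike)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The token is derived per action so that one leaked or replayed token cannot be turned into the whole list of actions above, and the origin comparison is an equality test rather than a prefix match. None of this depends on the item descriptions being read-only or admin-mode gated, which the post above says did not help.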
Not innocent as in guilty? "To malicious intent"? Well, what is that last part supposed to mean, then?
He once stated in casual conversation that he wasn't worried about it; that doesn't mean he's not doing anything about it. If the site's issues (such as apparent security issues) bother you so much, why do you bother to stay on such a site? By your evaluation it seems like a total shit hole.
I would like to switch gears- What opinion view or fact are you persuading me to see?
Currently, I am seeing you try to convince me Yak's right; Eevee is wrong.
Is this a summary of the views you're trying to convince me of? This will aid me in the direction I go with my arguments and supporting facts.
you looking for that golden number in your journal comments?
Plans foiled. Well. Oh yeah and quit browsing /v/, at the least don't browse it then splice /v/ memes on everyone in the outside world thinking the short term favour you win off will outweigh how unfunny you look to everyone ever.
I have a cooked fried chicken kebab skewer here, even with tomatoes, mushrooms, etc., and I was seriously thinking of doing Omnislash on you with it when I saw that 'I don't want to go among weaboos' comic half-assedly regurgitated.
Also, I've not hidden any posts.
Well, I did one. Dragoon made an accidental double post, heh.
hello thar