Other places to find me
9 years ago
Although I'm technically not leaving FA, you can't help but get the feeling this place is falling apart.
In any case,
Yes, I'm still on deviantArt: http://rickgriffin.deviantart.com/
Weasyl has been real stable: https://www.weasyl.com/~rickgriffin
I don't have my Furry Network account fully set up, and I still have no idea how anything is organized, but you can check it out anyway: https://beta.furrynetwork.com/rickgriffin/
I have a Patreon if you want to see the important stuff I'm doing: https://www.patreon.com/rickgriffin
I post art and ramble on my Twitter: https://twitter.com/RicksWriting
My art Tumblr: http://ricksketchbook.tumblr.com/
My whatever Tumblr: http://alabastermenagerie.tumblr.com/
And don't forget I actually have a website now, on which is posted the continuations of A&H Club: http://rickgriffinstudios.com/

Name a website that isn't at risk of a security breach. Even large organizations like Microsoft and Apple get hacked; they just have a ridiculous amount of staff, high-grade equipment and money to deal with the issue, 3 things FA has never had or even claimed to have. Any level of security you or anyone else expects from this site or any other is entirely down to your own assumptions. FA has to follow certain standards because of legality, and even then it's at risk of getting hacked. As is dA, Weasyl, Furry Network, Patreon, Twitter and Tumblr. But when stuff like this happens to them they get a lot more patience and understanding. Heck, I live in the UK and our government has let private info about citizens leak because they left a briefcase on a bus, or in a taxi. They still work in politics, and yet FA has one issue and people act like it's not allowed to make mistakes.
It's worth bearing in mind that this is like the 2000th or something journal that's blaming FA for something that they just didn't know about at the time. The staff are only human and they make mistakes. It gets tiring living in a world where people in some way have to bash on others for making mistakes, especially when those making those comments couldn't do any better. So your journal just happened to be the one I commented on. There'll be others that comment like me on a variety of journals, but it's just general exasperation.
Though it's worth saying what people should be doing is asking why IMVU isn't stepping in and helping more, because at no point have the staff mentioned them aiding in the site's recovery. I'd say that's the most concerning part.
-If even Google/Microsoft/etc can be hacked, how do you expect FA to do better?
I've heard of a couple techniques to try and keep good security:
-Keep closed source code so that any mistakes made by the programmers are hidden and therefore unlikely to be exploited
-Keep open source code and hope that someone spots the mistakes and fixes them before anyone malicious finds those same mistakes and uses them
"When an entire website forces its members to reset their passwords after said website's source code was released, that's not entirely assuring. "
Umm... the hashes of the passwords (or whatever you call them) were stolen. Would you be more assured if FurAffinity pretended nothing was wrong? Of course not! Can you name a more secure thing they could have done?
I agree with Haru_Totetsu's sentiment regarding FA.
The fact is no website is perfectly secure; at any point your data could be hacked. Heck, these days it's statistically safer to write your passwords down on a piece of paper than it is to store them online, anywhere. The fact you expect FA, a website staffed by 12 people (maybe more if the Site Staff page needs updating), to be able to somehow be on par with Google, who employs 34,311 (this was shown in 2012, and is the best I can do...or am willing to do anyway, when it comes to checking, since asking them could take a while and I'd assume both of us would lose interest in the topic by then), shows a lack of any rational thought on this matter. Especially when you consider that some of the staff on FA aren't getting paid; they're volunteers. They don't spend their working days tending to FA; they're too busy working their own job to keep themselves afloat. FA is at best a hobby for them; no matter how dedicated they are as staff, no matter how capable, their own financial security comes first. So we don't even have staff as dedicated as the staff at Google because FA doesn't make enough money in itself to survive...which I'm willing to admit I don't know how much that is, and I don't actually trust Dragoneer to tell the full truth, so...either find me a reliable source and let's do the math together to see if they can actually hire a decent amount of staff, or I think we're done here. Since either I've changed your mind or you won't, since clearly I'm not budging.
The reason the site got hacked so easily is because FagoneerDragoneer was too busy hiring buttbuddies as staff instead of competent coders who know what they're doing. This incident is the result of YEARS of neglect from a security standpoint; if the staff had kept the site up-to-date and patched exploits ASAP, acquiring the source code would have been a lot more difficult. Oh, and our personal information and passwords wouldn't be out there in the wild either.
-FA has been doing a code rewrite. Why would you fix your old code if it isn't a real problem and you're going to throw it out?
-It turns out that the code was a huge problem in at least a few spots. Does this prove that the staff are incompetent? No, it proves they make mistakes (like everyone else in the world). The thing about "patching exploits" is that you need to know that the exploit is there first. Until the source code had been analyzed, you'll notice that no one had hacked the site. FA found out that their code had been leaked only hours before an unknown exploit had been used against them -- the only better action they could have taken was to take the site down immediately (which would only have saved the last week's worth of content), but then people would rage at them if they were wrong and it turned out that there was no threat after all, so I can understand why they might have been hesitant. Imagine a close status on the header, "There is a small chance that something's wrong, so we're closing the site until we can be sure." (Or, imagine you being the one to have to close the site with that message -- FA already has a lot of people hating it, would this just add fuel to the fire? Remember - you don't know for sure that anything will go wrong. Surely you have time to take another look at the source code and try to figure out if any of it is insecure?)
-You say, "The reason the site got hacked so easily" and " acquiring the source code would have been a lot more difficult.", but it wasn't even FA's fault their source code was released! Was it not reported that it was a 3rd party exploit that was used to steal the source code?
Didn't tons of sites use software that had the Heartbleed bug in it? Didn't that cause a whole bunch of sites' users to have to change their passwords? Now that a similar problem has occurred for FA, it's suddenly all FA's fault? (Heartbleed: https://en.wikipedia.org/wiki/Heartbleed )
" passwords wouldn't be out there in the wild either."
FYI: Your original password is still unknown (i.e., the original text); just the hash (or whatever it's called) is known. A proper website never stores your password, just the hashed version (and hashes are one-way). I don't know if many sites use the same algorithm to deal with passwords or not; if they do, only the exact original password has been revealed, otherwise it's only been revealed on this site.
I'm not saying there aren't reasons to dislike/distrust FA (I actually don't know; I hear rumours, but tend to find them unfounded or unfair), but what you've explained isn't it.
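The comment above, and a later one in this thread about hashed/salted storage and password reuse, describe password hashing in general terms. The following is an added illustration, not FA's code and not a description of how FA actually stores passwords (the thread does not say); the wordlist and the "weak" and "strong" schemes are constructed for the example. It shows why a leaked hash is not the password itself, why an unsalted fast hash is still trivially recoverable for common passwords, and why a salted, iterated hash only slows an attacker down rather than protecting a weak or reused password, which is the case a forced reset addresses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist for the example; real cracking wordlists are far larger.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "dragon"]


def hash_password_weak(password: str) -> str:
    """Unsalted single SHA-1: one-way, but fast and deterministic.

    Every site using it produces the same hash for the same password,
    so a leaked hash can be looked up in a precomputed table."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'iterations$salt$hash'.

    The random salt makes identical passwords hash differently, so a
    table built for one site (or one user) is useless for another."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_weak(leaked_hash: str, wordlist=COMMON_PASSWORDS) -> Optional[str]:
    """Dictionary attack on an unsalted SHA-1: one cheap hash per guess."""
    for guess in wordlist:
        if hash_password_weak(guess) == leaked_hash:
            return guess
    return None


def crack_strong(stored: str, wordlist=COMMON_PASSWORDS) -> Optional[str]:
    """Same dictionary attack on the PBKDF2 record.

    Still succeeds for a password that is in the wordlist; the salt and
    iteration count only make each guess cost 100,000 hashes instead of one."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    leaked = hash_password_weak("dragon")
    print("weak hash of 'dragon' cracked to:", crack_weak(leaked))
    strong = hash_password("dragon")
    print("PBKDF2 record of 'dragon' cracked to:", crack_strong(strong))
    strong_good = hash_password("correct horse battery")
    print("PBKDF2 record of a non-dictionary password cracked to:",
          crack_strong(strong_good))
```

The practical reading: a leaked hash table tells the attacker nothing directly, but every account whose password is in a wordlist is recoverable in time proportional to the hash cost, and any of those users who reused the password elsewhere is exposed on those other services too. That is the justification for resetting everyone rather than waiting to see which hashes fall.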
"FA has been doing a code rewrite. Why would you fix your old code if it isn't a real problem and you're going to throw it out?" - First of all, can you give me actual proof that they are rewriting things? Have you seen the actual code? Dragoneer has been promising many features and rewrites for years and very few of them were actually realized. To put it bluntly, he and the rest of the staff has a long history of promising things and almost never delivering them. For example, FA is still using HTTP instead of the more secure HTTPS.
And yes, the fact that there was a huge problem in 'a few spots' (I'd wager we're talking more than just a few...) is indeed the staff's fault because they've been neglecting an actual security audit for years. Sites like Weasyl, IB and FN (since it seems to be so hop) have gained more features in a year or two than FA did in its entire lifetime. How long did it take for FA to get simple things such as folders? Or a revised note system? The new UI Dragoneer has been wetting his pants about for the past few months (which has been restarted a couple of times since around 2009...)?
Let's not forget that Dragoneer and co. have access to the source code 24/7, so they had plenty of time to analyze it and bring it into a better shape. If they had taken it at least 1/10th as seriously as they are nowadays, the site probably would have been much more difficult to hack regardless of the ImageMagick exploit.
"FYI: Your original password is still unknown" - That may well be, but a proper website doesn't use your account name as the unique ID in their database either. Up until a day or so after the leak, we did not even know how passwords are being stored. Also, even if we don't count the passwords, the fact that account and personal information is out there - and those two were leaked using an exploit right in FA's source code, not the 'ImageTragick' exploit.
So yes, there are plenty of reasons to distrust the people running the show.
Ah, sorry about that.
"First of all, can you give me actual proof that they are rewriting things?"
Nope... but there's this "beta" feature (I don't use it). Isn't that part of the rewrite? (I don't actually know the story for it.)
"For example, FA is still using HTTP instead of the more secure HTTPS."
HTTPS is available, it just isn't automatic. I use Chrome and an add-on which I've customized to redirect all of my requests to a furaffinity page to the https equivalent. I presume it's secure since Chrome seems to warn me when I try and access an 'https' page that isn't actually secure.
"actual security audit for years." Hmm.. have the other art sites done this? (I tried searching for this information, but found nothing and am unsure if it would even be posted anyway.)
"has access to the source code 24/7" I've not done a ton of programming in my life, but my impression is that programmers don't generally spend time rereading the source code unless they know something's wrong with it (or need to extend/change it, or I suppose if they're doing those security audits). Of course, your point about the security audit still stands... though if I trust the person who authored this forum post:
http://forums.furaffinity.net/threa.....dated.1531930/
then I would argue that it might be unrealistic to expect it of them.
"but a proper website doesn't use your account name as the unique ID in their database either."
Why not? (Also, I'm curious - where did you get that piece of information?) I've essentially only programmed for a start-up for 4 months in the business world (and done a bunch of other programming, but none with databases), and they used a number as the unique ID, but the tables would nonetheless contain all other information (like user names, emails, etc). Even if you put them in other tables, you'd still have to connect them to an ID (or else your own website wouldn't know), and a simple database query could gather up all the information anyway. So I guess I'm asking, what's the advantage in using a number over a string? (One advantage would be that you could allow multiple users with the same username, but this usually is disallowed for other reasons.)
"the fact that account and personal information is out there - and those two were leaked using an exploit right in FA's source code"
You've been saying "personal information", but what personal information is actually out there? Isn't it just the email? (I don't think our names, financial details, etc are even input into furaffinity - oh, I suppose there is date of birth, though I'm not sure what a malicious person can do with that information - especially since it can't be validated)
Also, of course the ImageTragick exploit was technically only responsible for furaffinity's code being released - if furaffinity's code was miraculously perfect, nothing would have been lost. But, again, I find this expectation unreasonable (though obviously inconvenient).
"Up until a day or so after the leak, we did not even know how passwords are being stored."
I haven't heard of how passwords are being stored on any site (I mean, I've read about methods, but I haven't seen a site come out and say "We store your passwords with ______ algorithms!" or anything like that).
"the site probably would have been much more difficult to hack regardless of the ImageMagick exploit."
Have you done any website programming where you were being conscious of security vulnerabilities? I'm just wondering if you're speaking from experience, or whether you're just assuming that it should be relatively easy to do ("if only the programmer cared"). If the latter is the case, let me assure you that there's no avoiding bugs. Further, if it's just one person programming, you can look at the code, say "Oh, I remember how this works" and then your brain might just skip the step of actually reading it and checking for exploits.
"...'a few spots' (I'd wager we're talking more than just a few...)"
Probably xD
Actually, it's just a new user interface that's currently in beta. It has nothing to do with the underlying engine itself being rewritten.
"HTTPS is available, it just isn't automatic. I use Chrome and an add-on which I've customized to redirect all of my requests to a furaffinity page to the https equivalent."
It should be automatic; people shouldn't require an add-on just to access this site in HTTPS, especially since it's been the norm for many years now.
"Hmm.. have the other art sites done this? (I tried searching for this information, but found nothing and am unsure if it would even be posted anyway.)"
Not necessarily, no, but the alternatives such as Weasyl and InkBunny were actually built from the ground up with more focus on security. If either of those sites were hacked, I argue the attackers would have a much harder time acquiring personal information there than they did here.
"I've not done a ton of programming in my life, but my impression is that programmers don't generally spend time rereading the source code unless they know something's wrong with it (or need to extend/change it, or I suppose if they're doing those security audits)."
They don't necessarily do so, but there's been a lot of feedback from previous coders highlighting security vulnerabilities and users have been reporting site bugs and various errors for years, so it is impossible that Dragoneer and co. did not know anything about the vulnerabilities.
"but a proper website doesn't use your account name as the unique ID in their database either."
Why not?
Because this is what prevents them from implementing simple features such as changing usernames or completely deleting accounts. It's inconvenient and doing so with the username being the ID itself would cause a major fuckup in at least the Favorites area and who knows what else. Assigning a unique ID to them instead of using the usernames themselves as the ID would be the proper way to go. Also, a simple check for currently existing usernames at registration could prevent someone from attempting to register a username that's already in use.
"You've been saying "personal information", but what personal information is actually out there? Isn't it just the email?"
Really, any kind of personal information being out there is bad news regardless of what exactly it might be. E-mail addresses, payment information, notes (most of which may contain very sensitive information if it was exchanged between an artist and a customer). Hell, some people actually used fake accounts to hide their identity and the leaked stuff may contain information that can be used to actually identify someone.
"I haven't heard of how passwords are being stored on any site (I mean, I've read about methods, but I haven't seen a site come out and say "We store your passwords with ______ algorithms!" or anything like that)."
Not many websites announce the way they store passwords, but up until now, we had no idea whether they were being stored as plain text or actually hashed/salted/etc. There were several incidents where hackers gained access to a company's servers and leaked data exposed the fact that they were storing passwords in plain text files. This incident at least made it known that this is not the case here. However, the fact that the staff forced EVERYONE to reset their password does mean that there may be a slight chance that the attackers could have decrypted the leaked passwords. And let's not forget that there are still a LOT of people out there who use the same password for many services. A leaked e-mail address and a possibly decrypted password could enable the attackers to gain access to a person's Facebook account, for example.
"Have you done any website programming where you were being conscious of security vulnerabilities? I'm just wondering if you're speaking from experience, or whether you're just assuming that it should be relatively easy to do ("if only the programmer cared"). If the latter is the case, let me assure you that there's no avoiding bugs."
I have done some web programming, although not a lot. I never said it's easy, but as I have said above, Dragoneer and the staff were made aware of several vulnerabilities in the past couple of years and the fact that our information was leaked thanks to vulnerabilities in the source code itself (this has nothing to do with the ImageTragick exploit) leads me to believe that there's been a significant negligence when it comes to patching said vulnerabilities. There is no avoiding bugs, but you CAN make it much more difficult for potential attackers to gain access and with FA being THE go-to site of the fandom, it should come with the most security because with the amount of traffic that comes and goes here on a daily basis, it's obvious that potential attackers would prioritize this site instead of Weasyl, InkBunny, etc. with only a fraction of FA's total userbase. That's why you see hundreds of thousands of viruses being written for Windows while there are very, very few viruses for Linux systems.
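Two comments above ask why a "proper website" uses a separate unique ID rather than the account name as the key, and what a registration-time check for an existing username looks like. The following is an added example, not FA's schema or code (the thread does not show it); the table and column names are hypothetical and the sample users are constructed. It builds both layouts in SQLite, then renames a user and registers a duplicate in each, so the difference the commenter describes (favorites breaking on a rename) is visible in the results.

```python
import sqlite3


def build_username_keyed() -> sqlite3.Connection:
    """Hypothetical schema where the username itself is what favorites point at."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE users (
            username TEXT PRIMARY KEY,
            email    TEXT NOT NULL
        );
        CREATE TABLE favorites (
            fan        TEXT    NOT NULL REFERENCES users(username),
            submission INTEGER NOT NULL,
            PRIMARY KEY (fan, submission)
        );
    """)
    return con


def build_id_keyed() -> sqlite3.Connection:
    """Hypothetical schema with a surrogate integer id; the username is just a unique attribute."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT    NOT NULL UNIQUE COLLATE NOCASE,
            email    TEXT    NOT NULL
        );
        CREATE TABLE favorites (
            fan_id     INTEGER NOT NULL REFERENCES users(id),
            submission INTEGER NOT NULL,
            PRIMARY KEY (fan_id, submission)
        );
    """)
    return con


def _id_keyed(con: sqlite3.Connection) -> bool:
    return "id" in [row[1] for row in con.execute("PRAGMA table_info(users)")]


def register(con: sqlite3.Connection, username: str, email: str) -> bool:
    """The uniqueness check is the database constraint, not a SELECT-then-INSERT.

    A SELECT followed by an INSERT can race with a concurrent registration;
    letting the PRIMARY KEY / UNIQUE constraint reject the duplicate cannot."""
    try:
        con.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
        return True
    except sqlite3.IntegrityError:
        return False


def add_favorite(con: sqlite3.Connection, username: str, submission: int) -> None:
    if _id_keyed(con):
        con.execute("INSERT INTO favorites (fan_id, submission) "
                    "SELECT id, ? FROM users WHERE username = ?", (submission, username))
    else:
        con.execute("INSERT INTO favorites (fan, submission) VALUES (?, ?)", (username, submission))


def favorites_of(con: sqlite3.Connection, username: str) -> list:
    """Submissions the named user has favorited, resolved through whichever key the schema uses."""
    if _id_keyed(con):
        rows = con.execute("SELECT f.submission FROM favorites f JOIN users u ON u.id = f.fan_id "
                           "WHERE u.username = ? ORDER BY f.submission", (username,))
    else:
        rows = con.execute("SELECT submission FROM favorites WHERE fan = ? ORDER BY submission",
                           (username,))
    return [r[0] for r in rows]


def rename_user(con: sqlite3.Connection, old: str, new: str) -> bool:
    """Rename by updating the username column only.

    With the username as the referenced key, SQLite refuses the UPDATE because
    favorites rows still point at the old value (or, with enforcement off, they
    would silently become orphans). With a surrogate id nothing else references
    the username, so the rename is one row change."""
    try:
        cur = con.execute("UPDATE users SET username = ? WHERE username = ?", (new, old))
        return cur.rowcount == 1
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    for label, con in (("username-keyed", build_username_keyed()), ("id-keyed", build_id_keyed())):
        register(con, "rick", "rick@example.com")
        add_favorite(con, "rick", 101)
        print(label, "rename ok:", rename_user(con, "rick", "rickgriffin"),
              "favorites after:", favorites_of(con, "rickgriffin"))
```

The same reasoning applies to account deletion: with the username as the key, every referencing row has to be rewritten or dropped by hand, whereas a surrogate id lets the rows be cascaded or anonymised in one place. The `COLLATE NOCASE` on the unique index is what stops "Rick" and "rick" from registering as two accounts; a plain `PRIMARY KEY` on the text column does not.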
You want to expect FA to be as safe and secure as Google can be. You need a reality check.
Just because some people can't be bothered to do so and take proper responsibility for their lack of effort does not mean I need a reality check.
FA in fact is like how Microsoft was when it started, just a group of friends trying to make something...but it never had their level of success financially speaking. Until it has a good financial backing we can't expect anything from them. And something tells me IMVU isn't forking out the amount of cash you think it is.
Also you're assuming that they were aware of the hole in their security and that they chose to ignore it. That is never the case. Holes are apparent in security all the time; heck, most things are generally given a back door in case of an emergency. What happened took them by surprise. They didn't think it was that severe and then realized how severe it was and instantly went into correcting their mistakes. That's just how it works. A hacker exploits the mistakes and then you patch them. The only other option is to spend a lot of money getting a team of professionals to try and hack your site and then tell you about the hole in it, how they did it and what not. The staff don't just sit there staring at the code day in, day out and spot holes in it. They have other things to do, and that's just how it is. They have lives outside of FA too, as much as that may surprise you. And they don't have alternate staff members to tend to things while they're off doing something else like MS and Google do.
But I'm going out on a limb here and going to assume that your personal dislike and lack of trust in Dragoneer and every other member of staff outweighs your ability to rationalize the fact that humans can be unwittingly ignorant of errors in their own work (I've read fully published books that have gone through several reviews by professionals and STILL have spelling mistakes when they hit the shelves). So since you aren't going to use your clearly vast amount of experience, knowledge and wealth to get ownership of the site and "fix" everything, and you and I certainly aren't going to see eye to eye, there's not much point in continuing a pointless conversation that in fact has no end.
Though I do have one question. Where on earth did you find the contract that Dragoneer signed with IMVU concerning the purchase, that makes clear your expectations of IMVU and how they should be working on/with FA to improve it? Because I'd very much love to read it myself and be shown how valid your expectations are.
And they're not even guaranteed to find it, are they? (Even if they are highly likely). And of course, the moment you change or add any code, you could theoretically be adding a security vulnerability, right?
"(I've read fully published books that have gone through several reviews by professionals and STILL have spelling mistakes when they hit the shelves)"
I like this analogy =)
Go and be an FA apologist elsewhere.
On the one hand, you can say "Why are you being so hard on them? They're only five!"
On the other hand . . .
...we have a foot...
Gonna miss having all the artists I watch in one place.
I know Rick isn't leaving FA yet, but several artists I follow are or have, so I'm already going to have to juggle Weasyl, FN, Sofurry, Inkbunny, and FA accounts if I want to keep doing what I have been from now on. As many problems as this place has, it was nice to have the community in one place.