# The "Accountability" Thread



## Dragoneer (Oct 20, 2010)

Okay, so... uh, I just eff'd up. I double-posted a response, and went to delete my second post, selected the wrong option in vBulletin. Not very re-assuring, I know, but I'd rather be up front on it. Mistakes happen, and it wasn't meant in malice. I fess up.

Yeah. :| Post -vs- thread. Don't do admin-related things right when you wake up.

http://preyfar.furaffinity.net/accountability_thread1.jpg
 http://preyfar.furaffinity.net/accountability_thread2.jpg

Continue the conversation, derp-free. I wasn't trying to censor/cover that up. I just made an unfortunate booboo.


----------



## TakeWalker (Oct 20, 2010)

What are you talking about Dragoneer I mean you will burn in a thousand fiery suns for your transgressions yes that is what I meant to say :|


----------



## Kirune (Oct 20, 2010)

is it not possible to just un-delete the thread


----------



## Dragoneer (Oct 20, 2010)

Kirune said:


> is it not possible to just un-delete the thread


 It is, but I didn't soft delete it. Was trying to remove the double post, and I eff'd up.


----------



## Carenath (Oct 20, 2010)

Kirune said:


> is it not possible to just un-delete the thread


If you soft-delete, yes. If you accidentally hard-delete, no. The thread and its associated posts get dropped from the database.


----------



## CannonFodder (Oct 20, 2010)

Carenath said:


> If you soft-delete, yes. If you accidentally hard-delete, no. The thread and its associated posts get dropped from the database.


 I was wondering why my post count went down.


----------



## Accountability (Oct 20, 2010)

Dragoneer said:


> Okay, so... uh, I just eff'd up. I double-posted a response, and went to delete my second post, selected the wrong option in vBulletin. Not very re-assuring, I know, but I'd rather be up front on it. Mistakes happen, and it wasn't meant in malice. I fess up.
> 
> Yeah. :| Post -vs- thread. Don't do admin-related things right when you wake up.
> 
> ...


 
I think this is just a thinly veiled attempt to reset my post count to 0! Censorships!1!one! 

Back to the topic at hand: Are you willing to add others to the coding staff?


----------



## Witchiebunny (Oct 20, 2010)

No Post Count for You!

/soupnazi


----------



## Taralack (Oct 20, 2010)

Drama always happens when I am asleep


----------



## Dragoneer (Oct 20, 2010)

Accountability said:


> I think this is just a thinly veiled attempt to reset my post count to 0! Censorships!1!one!
> 
> Back to the topic at hand: Are you willing to add others to the coding staff?


 Yes, and we also have in the past. Yak has a list of people to call upon to increase the site coding staff, and once we're ready, we're /going/ to call on them. Yak and I were discussing this before the entire issue came up recently, and were going over some finer details of what we need to do to push the site into the direction it needs to go.

Edit: I take these issues seriously, I really do, to the point that I've been pushing things in some directions, though I can't talk about everything as plans are not solidified. "But that's no answer!". No, it's not. I'd love to give details now, but if I did, and things change, it'd be held over me.


----------



## Kirune (Oct 20, 2010)

Dragoneer said:


> Yes, and we also have in the past. Yak has a list of people to call upon to increase the site coding staff, and once we're ready, we're /going/ to call on them. Yak and I were discussing this before the entire issue came up recently, and were going over some finer details of what we need to do to push the site into the direction it needs to go.



You've been saying this forEVER. You guys only ever manage to: A) bring on shitty coders that don't do anything or B) bring on shitty coders that write unsatisfactory code, so nothing gets done anyway.
Either way, you're only bringing on more shitty coders.



> Edit: I take these issues seriously, I really do, to the point that I've been pushing things in some directions, though I can't talk about everything as plans are not solidified. "But that's no answer!". No, it's not. I'd love to give details now, but if I did, and things change, it'd be held over me.


 
You NEVER talk about ANYTHING. It's always "plans are not solidified" or "we are working on it."
It's just more of the same bull we've been getting for years.


----------



## Dragoneer (Oct 20, 2010)

Kirune said:


> Either way, you're only bringing on more shitty coders.


Then you can thank certain previous other individuals who formerly worked for FA for telling all the good coders _"We don't want you, GTFO!"_ and burning bridges without communicating to us. And some of those coders went on to make sites like Furocity and others, and we were never kept in the loop about that due to certain individuals who decided they wanted to do it all, and only themselves... and in the end, we discovered everything they EVER told on a coding standpoint is a lie.

I'm not proud of that, not one bit. But it is what it is. It is NOT something I ever approved of, nor would have.



Kirune said:


> You NEVER talk about ANYTHING. It's always "plans are not solidified" or "we are working on it."
> It's just more of the same bull we've been getting for years.


 Because until I talk to the person and clear it with them, I don't want to speak out. I'll discuss it with them before I speak out.


----------



## ElizabethAlexandraMary (Oct 20, 2010)

Kirune said:


> You NEVER talk about ANYTHING. It's always "plans are not solidified" or "we are working on it."
> It's just more of the same bull we've been getting for years.


Whoa, I think you need to chill. It's probably not the best idea to invoke the lack of presence of the staff in a thread Dragoneer just made an hour ago.
Yes, FA/FAF doesn't get a lot of PR. Users treat the admins/mods like shit and I kind of understand honestly they're tired of it, although it gets annoying sometimes.
But the fact alone Neer took time to address this issue, if not to fix it, but at least to remind us that there's still people out there who keep themselves in the know and actually "care" about the place is pretty cool.

It's not getting fixed because I don't think there's a need to investigate all of that time and resources we don't have, for the moment. Our projects are never finished, or work like shit, because there aren't any fucking coders; it's not because someone has fun "picking" bad ones or whatever.


The staff needs to talk more. The staff is sometimes wrong about some shit. But they do talk, and that's a huge step forward from nothing.


----------



## Dragoneer (Oct 20, 2010)

FrancisBlack said:


> It's not getting fixed because I don't think there's a need to investigate all of that time and resources we don't have, for the moment. Our projects are never finished, or work like shit, because there aren't any fucking coders; it's not because someone has fun "picking" bad ones or whatever.


 And this right here is the one thing I'm trying to fix, in more ways than one. I just can't openly discuss it until the other parties agree that it can be discussed. And I was TRYING to fix this before this entire thing ever came up.

People make the assumption I'm in some way happy with the way the current system is set up. I'm not.


----------



## CannonFodder (Oct 20, 2010)

Dragoneer said:


> Then you can thank certain previous other individuals who formerly worked for FA for telling all the good coders _"We don't want you, GTFO!"_ and burning bridges without communicating to us. And some of those coders went on to make sites like Furocity and others, and we were never kept in the loop about that due to certain individuals who decided they wanted to do it all, and only themselves... and in the end, we discovered everything they EVER told on a coding standpoint is a lie.
> 
> I'm not proud of that, not one bit. But it is what it is. It is NOT something I ever approved of, nor would have.
> 
> ...


 Wow that sucks, and now you know and knowing is half the battle.
So pretty much the reason for all these vulnerabilities is the previous coders who caused all this bs and treated the other good programmers terribly?
In case you are wondering 'neer why I'm being a lot nicer today to you than in the past it's cause the person I just met knows you.


----------



## Accountability (Oct 20, 2010)

Kirune said:


> You NEVER talk about ANYTHING. It's always "plans are not solidified" or "we are working on it."
> It's just more of the same bull we've been getting for years.


 
To be fair I could see why he'd do this on some subjects (The site redesign, for example). For the security issues, though, I think a bit more detail would be good.


----------



## Verin Asper (Oct 20, 2010)

still doesn't change that it took Eevee to do the damage that was considered no problem to make it a true problem

it always seems to be the answer to wave something shiny in our face (ferrox), sadly some of us are going now "if this is a problem in this version, wouldn't these same issues exist in Ferrox?"


----------



## Lobar (Oct 20, 2010)

dragoneer accidentally a thread.  yes the whole thing.


----------



## Carenath (Oct 21, 2010)

Kirune said:


> You've been saying this forEVER. You guys only ever manage to: A) bring on shitty coders that don't do anything or B) bring on shitty coders that write unsatisfactory code, so nothing gets done anyway.
> Either way, you're only bringing on more shitty coders.


And working out which coders are competent and know what they're doing, from which coders only know some things, but like to upsell to sound good.. which coders will be reliable and which ones will burn us, takes someone who knows what they're doing to vet them and find out. We've also been burned in the past by one individual who (as Dragoneer said) told all the other coders to GTFO, burning bridges, and in the end didn't do a damn thing. There are other examples I could give, but, I prefer to leave past events where they belong.
If you try and see things from our perspective, we really are caught between a rock and a hard place, something that is being worked on so we can bring on people to help.



CannonFodder said:


> Wow that sucks, and now you know and knowing is half the battle.
> So pretty much the reason for all these vulnerabilities is the previous coders who caused all this bs and treated the other good programmers terribly?


 To an extent, yes. Since we're now more careful about who we provide access to, lest it bite us in the ass again. At least, this is my understanding of it. I wasn't personally around when all this drama went down but I have heard about it, and, I have heard the other side of it from fellow staff members.



Accountability said:


> To be fair I could see why he'd do this on some subjects (The site redesign, for example). For the security issues, though, I think a bit more detail would be good.


This isn't how it's done in the software business, Microsoft doesn't publish a detailed list of all the security holes people find in its software, until they have had time to confirm it, put a fix in place, test it and publish it. Then it's up to users to fix it and in the time between, users are vulnerable, and users and systems do get attacked.
Generally, when you find a security issue, you report it, and you wait a month for them to fix it and test their fixes. If Microsoft found gaping holes in its operating system why would they make those details public right away before they've had time to fix it?

Oh, and fun fact, 'sniffing passwords' and 'sniffing sessions' affects hundreds of websites, and quite a large number of websites, forums, and community sites across the fandom. The reason being, is that very few, if any at all, use SSL for the logins, fewer still use SSL for the entire site. The fact that I know this, the fact that I don't trust public WiFi is why I either use my cellphone's data connection to get online at conventions, or, I use a secure connection when browsing sites.


----------



## Smelge (Oct 21, 2010)

Yeah, so finding who is reliable and who isn't.

I suggested in the last thread having a number of coders. Put an ad up on the main site, easy enough. You'll probably get plenty of offers. Write up a list of what is needed for the site, split it up into tasks, assign each coder one of those tasks. They submit it, whoever is coding now looks it over, makes relevant changes then adds it to the whole.

It has to be quicker to proofread code and implement it than it is to write it all from scratch. If a coder submits shit code, drop them from the team. If nobody is playing with enough code to do damage, then deliberate exploits are more likely to be spotted, and if the proofreader is doing their job, it shouldn't get through anyway.

Honestly, you have over half a million users on the main site. There has to be people there who know what they are doing and are trustworthy. Crying that you've been burnt before is no excuse. You know what can happen, so make sure it doesn't by learning from your mistakes.


----------



## Rossyfox (Oct 21, 2010)

Hey, should we fix our outstanding security holes?
Nah, let's code a comment hide feature instead.

Security is not an attribute indicative of quality, it is a requirement for basic functioning.


----------



## SnowFox (Oct 21, 2010)

Would you ever consider making the current code publicly available?


----------



## Verin Asper (Oct 21, 2010)

SnowFox said:


> Would you ever consider making the current code publicly available?


 once they developed something called "trust" again they probably will
"God damn it FA, when will you learn the trust move"


----------



## Rossyfox (Oct 21, 2010)

SnowFox said:


> Would you ever consider making the current code publicly available?


 
yak believes in security through obscurity


----------



## Carenath (Oct 21, 2010)

Rossyfox said:


> yak believes in security through obscurity


Try asking deviantArt to make their current code publicly available, do see how far you get.


----------



## Verin Asper (Oct 21, 2010)

Carenath said:


> Try asking deviantArt to make their current code publicly available, do see how far you get.


 but first tell me, are they relying on a single coder like we do
and LOL Eevee be watching this thread


----------



## Rossyfox (Oct 21, 2010)

Carenath said:


> Try asking deviantArt to make their current code publicly available, do see how far you get.


 
Thanks for the strawman, it is soft and cuddly :3


----------



## Eevee (Oct 21, 2010)

Suppose I ought to chime in here.



Carenath said:


> Try asking deviantArt to make their current code publicly available, do see how far you get.


If everything deviantArt does is a good idea, why does FA exist?



Kirune said:


> You NEVER talk about ANYTHING. It's always "plans are not solidified" or "we are working on it."


Absolutely this.  If plans aren't solidified, that's fine; say so when you announce the plans.  If you're working on it, that's fine; say what you're working on.

Information is only released in the tiniest trickle and in the most obscure places; the occasional tweet, or something dragged out in a forum post.  FA's own frontpage news rarely contains anything of substance, deferring instead to announcements of new banners.  Registration was down for some nine months with no mention of what was actually going on until it was back up and people could just see for themselves.  The UI update was mentioned over a year ago, only shown as an easter egg of something else in Dragoneer's Twitter stream, and has barely been mentioned in the months since.  The commission information page has been down possibly longer than it was ever up.  The site was locked on Friday to deal with "an issue", without even mentioning what the issue _was_ for the benefit of people who'd been affected by it.

And now in the face of a list of real security problems, it's just nebulously in progress.  What's in progress?  How hard are these to fix?  How many have been fixed so far?  What has been done to fix them?  What's being done to prevent this from happening in the future?  And, perhaps most of interest, why has not a single representative of FA asked me what the exploits *actually are*?

Microsoft absolutely does disclose known security holes and _how to protect against them_ until they're patched, like pretty much every other vendor.  Leaving your users open to a known security issue is massively irresponsible.  People like to know what's going on, especially if it can affect them.

Dragoneer, you consistently emphasize the community aspect of FA, yet the process behind FA itself is left as a mystery.  How hard is it to write a paragraph or two at the end of the week saying what's going on?  If a project crashes and burns, oh well; coming out and saying that is far better than clamming up and hoping everyone forgets about it.  Maybe you'll even get people offering to pick it up and work on it for you.  It's like you're terrified to let the community find out that something non-positive happened, unless they already know about it.



Dragoneer said:


> Yes, and we also have in the past. Yak has a list of people to call upon to increase the site coding staff, and once we're ready, we're /going/ to call on them.


Who are they?  What are their qualifications?  What do you need to do to be ready?  What are they going to work on?  Why has this never been mentioned before now?

What about Pi, nrr, verix?  I even told Witchiebunny I'd happily plug holes.  All the people clever enough to have exploited the site in the past are shunned from patching anything because...  what, they might exploit the site?  Clearly there's no strong impediment to that _now_.



The response to this all has been truly bizarre.  On both occasions yak chided me for my shenanigans, but he neither told me what the fix was nor asked what I'd actually done.  The fix for the first comment-hiding exploit didn't actually fix anything, and the fixes for force-watch and force-fav left both features still full of holes.  Dragoneer blamed the rampage on my being impatient, even though the two exploits were completely unrelated.  The fandom has rapidly played telephone with the story, adding such questionable details as "he used knowledge from when he was a coder".  Few people question why the same two dozen exploits have been around for some five years now.  And meanwhile nobody has asked about several exploits I discovered which were, to my knowledge, previously unknown.

What.

I posted the list to try making my point to the userbase a final time, but I was also curious whether anyone on staff would actually approach me.  And nobody has.  Not a blip of official response, publicly or privately, until someone started this thread.

You could have asked us to do a security review of FA years ago.  You could have asked us to review the comment-hiding system before it went live.  You could have asked us to review the comment-hiding system _after_ it went live and I'd hidden a bunch of your comments.  You could have asked me for details on those exploits when I posted them.  You could still ask for these things now.

I said at the time, and I told you on Saturday, that I left because there's no communication and little indication that anyone cares.  I stand by that today.


----------



## Verin Asper (Oct 21, 2010)

All I know now, that FA has a nasty bad habit of not trusting. Sure you get burned, but it doesn't mean shun everyone


----------



## Rossyfox (Oct 21, 2010)

Dragoneer is the one who always goes on about not caring what people think of him, yet he guards the things he could possibly be criticised on like a state secret.


----------



## Verin Asper (Oct 21, 2010)

Rossyfox said:


> Dragoneer is the one who always goes on about not caring what people think of him, yet he guards the things he could possibly be criticised on like a state secret.


Remember, neer doesn't care, until you continuously bad mouth his ass, draw his character in hate art etc...


----------



## Rossyfox (Oct 21, 2010)

Crysix Fousen said:


> Remember, neer doesn't care, until you continuously bad mouth his ass, draw his character in hate art etc...


 
Well, doing such things continuously is just being an asshole. Even I would care about that.


----------



## Verin Asper (Oct 21, 2010)

Rossyfox said:


> Well, doing such things continuously is just being an asshole. Even I would care about that.


to the eye of the beholder, a person doesn't label themselves, it's someone else that does that.
but yea he doesn't care till you do that really


----------



## Eevee (Oct 21, 2010)

Hey could we not veer this thread into showing off how cool and anti-establishment we are?  Thanks.


----------



## Accountability (Oct 21, 2010)

Carenath said:


> This isn't how it's done in the software business, Microsoft doesn't publish a detailed list of all the security holes people find in its software, until they have had time to confirm it, put a fix in place, test it and publish it. Then it's up to users to fix it and in the time between, users are vulnerable, and users and systems do get attacked.
> Generally, when you find a security issue, you report it, and you wait a month for them to fix it and test their fixes. If Microsoft found gaping holes in its operating system why would they make those details public right away before they've had time to fix it?


 
http://www.microsoft.com/technet/security/bulletin/ms10-oct.mspx
http://www.microsoft.com/technet/security/current.aspx
http://www.microsoft.com/technet/security/advisory/default.mspx

You know what else Microsoft does when they find holes and exploits? They fix them. They don't say "Well our long-term goal is to fix them" or "We'll fix it when it's actually a problem".


----------



## ArielMT (Oct 21, 2010)

Accountability said:


> You know what else Microsoft does when they find holes and exploits? They fix them. They don't say "Well our long-term goal is to fix them" or "We'll fix it when it's actually a problem".


 
Oh, really?  MS08-068 was a vulnerability fully disclosed at DEFCON in 2000, and the Internet Storm Center rated it critical for client systems.

It's admittedly an extreme example (eight years), but an example all the same, of Microsoft not fixing full-disclosure vulnerabilities in a timely fashion.


----------



## Rossyfox (Oct 21, 2010)

ArielMT said:


> Oh, really?  MS08-068 was a vulnerability fully disclosed at DEFCON in 2000, and the Internet Storm Center rated it critical for client systems.
> 
> It's admittedly an extreme example (eight years), but an example all the same, of Microsoft not fixing full-disclosure vulnerabilities in a timely fashion.


 
lrn2logic

An exception does not change the point that the general rule should be to not rely on security through obscurity.


----------



## ArielMT (Oct 21, 2010)

Rossyfox said:


> lrn2logic
> 
> An exception does not change the point that the general rule should be to not rely on security through obscurity.


 
I didn't mean to imply otherwise.  However, security through obscurity also tends to rule out the ability to reliably separate the exceptions from the rule.

Edit: "Security through obscurity" isn't even the right term.  Regarding this argument, the proper terms are full disclosure, responsible disclosure, and no disclosure.


----------



## Rossyfox (Oct 22, 2010)

ArielMT said:


> Edit: "Security through obscurity" isn't even the right term.  Regarding this argument, the proper terms are full disclosure, responsible disclosure, and no disclosure.


 
http://en.wikipedia.org/wiki/Security_through_obscurity

We were discussing keeping source code secret for security reasons so yes, it is the right term.


----------



## Verin Asper (Oct 22, 2010)

Rossyfox said:


> http://en.wikipedia.org/wiki/Security_through_obscurity
> 
> We were discussing keeping source code secret for security reasons so yes, it is the right term.


 too bad Eevee pointed all some of the exploits on their LJ, just the many more there probably is the one thing we are wondering now.


----------



## Summercat (Oct 22, 2010)

Eevee said:


> What about Pi, nrr, verix?  I even told Witchiebunny I'd happily plug holes.  All the people clever enough to have exploited the site in the past are shunned from patching anything because...  what, they might exploit the site?  Clearly there's no strong impediment to that _now_.



I hate to speak up, and I'm not going to cast any doubt on the coding ability of the people listed here, but...

Having shown themselves to not being friendly to FA to the point where they are now either banned or held in ill favor, and having shown themselves willing to put forth the effort to attack the site, why by the sounds of the seven bells would you think that these people would be trusted enough to accept their help?

I don't know what went down between you and staff, Eevee, but what you're doing isn't exactly helping your case at all. 

/fox guarding the hen house...


----------



## Verin Asper (Oct 22, 2010)

Summercat said:


> I hate to speak up, and I'm not going to cast any doubt on the coding ability of the people listed here, but...
> 
> Having shown themselves to not being friendly to FA to the point where they are now either banned or held in ill favor, and having shown themselves willing to put forth the effort to attack the site, why by the sounds of the seven bells would you think that these people would be trusted enough to accept their help?
> 
> ...



cause it's the same reason why we are down to one Coder, and FA admins and the coder(s) being all not trusting of others who wanted to help after.


----------



## Summercat (Oct 22, 2010)

Crysix Fousen said:


> cause it's the same reason why we are down to one Coder, and FA admins and the coder(s) being all not trusting of others who wanted to help after.


 
After... what? After what event? What changed? And who was the focus of the change, if there was one?

Your statement is an incomplete sentence since it is very damn unclear what event 'after' is referring to. I /think/ it's 'after Eevee's departure', but I'm not certain and any assumption would just make an ass out of you, me, and shun.


----------



## Verin Asper (Oct 22, 2010)

Summercat said:


> After... what? After what event? What changed? And who was the focus of the change, if there was one?
> 
> Your statement is an incomplete sentence since it is very damn unclear what event 'after' is referring to. I /think/ it's 'after Eevee's departure', but I'm not certain and any assumption would just make an ass out of you, me, and shun.


 good you are understanding my stupid, but yes I do mean that event of eevee including the one Neer or Yak mentioned about furs who joined to only leave and make their own sites and such.


----------



## Pi (Oct 22, 2010)

Summercat said:


> Having shown themselves to not being friendly to FA to the point where they are now either banned or held in ill favor, and having shown themselves willing to put forth the effort to attack the site, why by the sounds of the seven bells would you think that these people would be trusted enough to accept their help?



It's pretty annoying to see these technical issues get lost in the baffling stew of furry trust politics.

_Nothing is being done about these long-standing fuckups_. Pinning the blame on Eevee is shooting the messenger.

What's far more untrustworthy is an administration which provides no transparency, uses emotional arguments to whip up supporters into irrational frenzies, and vilifies other people for egotistical gratification.


----------



## Accountability (Oct 22, 2010)

Summercat said:


> Having shown themselves to not being friendly to FA to the point where they are now either banned or held in ill favor, and having shown themselves willing to put forth the effort to attack the site, why by the sounds of the seven bells would you think that these people would be trusted enough to accept their help?


 
This all depends on their motives. Obviously Eevee was not attempting to "attack" the site but instead show the administration that an exploit he had discovered and the administration had deemed unimportant was, in fact, somewhat important. He tried to offer legitimate help and was promptly ignored. He's still offering legitimate help and is being ignored.


----------



## Eevee (Oct 22, 2010)

Summercat said:


> Having shown themselves to not being friendly to FA to the point where they are now either banned or held in ill favor, and having shown themselves willing to put forth the effort to attack the site, why by the sounds of the seven bells would you think that these people would be trusted enough to accept their help?


What is there to trust them with?  They've seen the old copy of the code.  They're clever enough to attack FA right now, security holes or not.  How is FA making itself any more vulnerable by accepting their help?  Besides, you don't really have to trust someone just to ask for advice or ask to slam against running code before it's released.

State of FA now: Full of holes.
Worst-case scenario if _ne'erdowells_ contribute: Full of holes.
I don't think I'm seeing the apocalypse you do.  Maybe we should drop the us-vs-them games and fix the damn site?  Dragoneer made plenty of comments about how unacceptable it was that I targeted the users, but none about how unacceptable it is that the users continue to be exposed like this or what's being done about it.  Can we not at least admit there's a problem without first having someone else to blame it on?

And frankly this part is just not my concern.  Remember, I'm not asking for a favor here; I'm wondering why FA isn't asking _me_ for one.  The next time some blackhat decides to run wild, I don't think my banned account is in a whole lot of danger.


----------



## Xenofur (Oct 22, 2010)

Summercat said:


> Having shown themselves to not being friendly to FA to the point where they are now either banned or held in ill favor, and having shown themselves willing to put forth the effort to attack the site, why by the sounds of the seven bells would you think that these people would be trusted enough to accept their help?


You have a few fallacies in there:

First off, they have not shown themselves to be unfriendly, and being banned is not in any way an indicator of their friendliness. It merely shows that the responsible administrator did not like what they did. Nothing else. At all.

Further, they have not shown willingness to attack the site. If they had been willing to attack the site, they would've kept anonymous and wrecked FA completely. Keep in mind that it is possible to even execute exploits on the site successfully while it is in "read-only" mode. This means an attacker could literally destroy every single piece of user-generated data on the site, given enough motivation.

Instead they stood behind things with their names, identified weak points, publicized them and demonstrated them. This is not what someone does who cares about attacking the site. This is something someone does who cares about the site fixing its shit.

Lastly, they do not need to be trusted with anything. All the FA administration would have to do is to ask them "What is wrong?", then verify that that thing is indeed wrong; then ask them "How would I best fix this?", then verify that their ideas are correct and implement them. They are freely offering advice and expect nothing in return, EVEN NOW.

Talking to someone and verifying what they say does not require trust. It only requires talking.

The problem is that the administration does not care to communicate at all.


----------



## Verin Asper (Oct 22, 2010)

The attack still did something though, it shook people up. Now making them question what other faults FA has, what other things they gotta worry about. Jingling keys isn't gonna work this time, that seems to be what Neer often uses (giving us something else than what should have been done or concentrated on). Really hide comments is what we been asking for... I thought it was bringing back the Commissions area is what most folks wanted back.


----------



## Kirune (Oct 22, 2010)

Summercat said:


> I hate to speak up, and I'm not going to cast any doubt on the coding ability of the people listed here, but...
> 
> Having shown themselves to not being friendly to FA to the point where they are now either banned or held in ill favor, and having shown themselves willing to put forth the effort to attack the site, why by the sounds of the seven bells would you think that these people would be trusted enough to accept their help?
> 
> ...


 
i hate resorting to insult
but goddamnit, summercat
you are one of the worst ever

jesus christ


----------



## Rossyfox (Oct 22, 2010)

You don't have to trust people with the code for them to be able to find the holes.

This is why security by obscurity does not exist. Enough poking and you will find a hole, access to the source code or not.


----------



## Smelge (Oct 22, 2010)

I honestly think what Eevee did was a valid point.

If there is a major fault that has been denied or ignored for long enough, the best way to get it finally fixed is to make it so glaringly obvious, that it has to be fixed. Bring it down, maybe then someone will listen.

And let's face it, it is fair enough that there is only one person doing coding in their spare time, and the hide comment feature may be slightly useful, but it's not what was promised. Every time there's a shutdown or a delay, something else is promised as a bonus, but never happens. What happened to the folders that were promised to make up for the extended lack of registration? What happened to the Commissions pages that haven't worked in the two years I've been here?

No offence meant, but do you actually know how to fix these security holes? Has the commissions page been left dead because you can't figure out how to fix it, and it's on a to-do list until you can find a way? There's no shame in admitting you physically can't do it. And you really can't blame people who code for you then leave to do their own sites. If they're not stealing your code, then where is the problem? They identified a gap in the market and aimed for it. People do it all the time.

I accept that this site is free to use, and the owners and admin have no obligations to the users, but clarity really does help. Bundling it all up and missing self-imposed deadlines just looks unprofessional. If you're having setbacks or issues, tell people. We're not going to point and laugh, and it may even cut down on threads like this.


----------



## Rossyfox (Oct 22, 2010)

#1 furry computer security tip:
Don't use the same or a similar password that you use on Fur Affinity as your password anywhere else.


----------



## Summercat (Oct 22, 2010)

Because multiquote apparently hates me, here's just a few responses:



Eevee said:


> What is there to trust them with?  They've seen the old copy of the code.  They're clever enough to attack FA right now, security holes or not.  How is FA making itself any more vulnerable by accepting their help?  Besides, you don't really have to trust someone just to ask for advice or ask to slam against running code before it's released.
> 
> State of FA now: Full of holes.
> Worst-case scenario if _ne'erdowells_ contribute: Full of holes.
> ...



Again, you don't really address the idea of hiring the foxes to guard the henhouse. These people have, for whatever reason, made themselves - not their skills - not exactly welcome. I don't particularly care why at this point - but then again, I don't make policy here on FA, else everyone would be required to draw otters. 

I do not recall anyone currently on staff saying that the code is peachy keen and everything is rainbows and lollipops. I recall seeing the opposite being said: That the code is a mess. I don't really see how FA coding staff isn't admitting there is a problem.

As for an 'apocalypse', I don't see one. I do see a bunch of people who are upset over not being allowed to help - while also doing their idle best to hinder. 



Xenofur said:


> You have a few fallacies in there:
> 
> First off, they have not shown themselves to be unfriendly, and being banned is not in any way an indicator of their friendliness. It merely shows that the responsible administrator did not like what they did. Nothing else. At all.
> 
> ...



A few things that I can really reply to your post about...

First, I don't see any fallacies. These people, by their behaviors and actions, have made themselves unwelcome. This does not mean that they are not trying to be friendly or helpful (although I personally doubt it).

Second, using an exploit to draw attention to an exploit in a manner such as recently happened is working towards cross purposes. Speaking from what professional background I have, I do not illustrate the need for a client to have additional security personnel by breaching their security, being mischievous and causing a reaction/panic. 

Thirdly, what is preventing these coders from offering their advice freely now, especially those who have worked on the site before?

And lastly, communication is a two-way street, and apparently with some former members it was a two-way problem.



Kirune said:


> i hate resorting to insult
> but goddamnit, summercat
> you are one of the worst ever
> 
> jesus christ



Because due to our past history, that makes you such an unbiased judge, Kirune. Such a waste.



			
Smelge said:


> I honestly think what Eevee did was a valid point.



In all honesty, the 'showing exploitable hole to people in charge via using it visibly' is an okay tactic.

...as long as you don't want praise for finding the exploit and then being graciously asked to help fix it. When you perform the action and use it as the focal point of "Hire me and my friends to help fix", not as much.


----------



## Rossyfox (Oct 22, 2010)

Summercat said:


> Again, you don't really address the idea of hiring the foxes to guard the henhouse.


 
You don't get it. The henhouse is not guardable. It will never be guardable. The only defence is to make the henhouse unbreakable. Currently the only people known to be willing and able to do this are the foxes, but that doesn't matter, because the henhouse is not guardable.


----------



## Eevee (Oct 22, 2010)

Summercat said:


> Again, you don't really address the idea of hiring the foxes to guard the henhouse.


Yes, I did.  To strain the analogy: you don't have to let the foxes _in_ the henhouse.  There is no practical reason to fear asking these people for advice.  If a matter of pride or spite or retribution is worth leaving the site vulnerable, again, that's not my problem and I can hardly do anything to fix it.



Summercat said:


> Thirdly, what is preventing these coders from offering their advice freely now, especially those who have worked on the site before?
> ...
> ...as long as you don't want praise for finding the exploit and then being graciously asked to help fix it. When you perform the action and use it as the focal point of "Hire me and my friends to help fix", not as much.


I don't want praise or admiration or a parade in my honor.  I just want someone to give a damn.  If seeing the staff show some proactive interest is enough of a cost that you're accusing me of holding them hostage for it, then something is _very_ fucked up here.

Do recall that I already spent quite a lot of free time for the better part of a year trying to inflict good suggestions on FA.


----------



## Pi (Oct 22, 2010)

Fine. We'll do it my way.

I'll pick a vulnerability off of Eevee's list (one of the three-star ones, because I'm lazy), and start exploiting it. Then, when you all get pissed about it, I'll make a wacky self-deprecating comment, blame Summercat for making me do it, wait a week and do it over again.

What do you mean, that's unacceptable? Modulo some details, it is how FA is currently run.

In other words, START DISPLAYING SOME FUCKING ACCOUNTABILITY. Your ostensibly-untrustworthy "attacker" is more accountable to his actions than the allegedly aggrieved "victims", for fucksake.


----------



## Xenofur (Oct 22, 2010)

Summercat said:


> professional


Professional behavior is only warranted if the other side exhibits it as well.

Professional behavior in infosec is that you acknowledge being notified of the security breach and then inform the reporter of your plans on dealing with this as well as when they can release them without it being a danger.

FA did pretty much the exact opposite and as such does not deserve any professionalism whatsoever in any way.


Also, the post i replied to said basically: THEY PROVED THEY'RE EVIL. Don't try to weasel around that. Also don't try to deny that that is patent bullshit.


----------



## Xenofur (Oct 22, 2010)

Pi said:


> In other words, START DISPLAYING SOME FUCKING ACCOUNTABILITY. Your ostensibly-untrustworthy "attacker" is more accountable to his actions than the allegedly aggrieved "victims", for fucksake.


 
Also this. Also look up accountability on wikipedia if you do not understand 100% what the word means.


----------



## Eevee (Oct 22, 2010)

Xenofur said:


> Professional behavior is only warranted if the other side exhibits it as well.


Even better: this isn't relevant at all.  If I'd caused legitimate destruction, laughed about it, and continued to do so to this day, FA would still be responsible for fixing these problems.  Third-party antics do not make security issues less severe.


----------



## Carenath (Oct 22, 2010)

Rossyfox said:


> http://en.wikipedia.org/wiki/Security_through_obscurity
> We were discussing keeping source code secret for security reasons so yes, it is the right term.


SoFurry, Inkbunny, DeviantArt, SheezyArt, Y!Gallery.. to my knowledge, none of these websites made their code publicly available. They don't have any reason to, irrespective of any potential security holes that may exist. So by that same token, FA is not required to release its code to the public either, it's not necessary to do so, in order to ask for advice/assistance from the aforementioned skilled people in this thread.


----------



## Eevee (Oct 22, 2010)

If the source code were available, I could have submitted patches—as many people have insisted I should've done—a week ago.  Or even further back, possibly before the feature were even deployed.

Nobody said FA is _required_ to make its source available.  But doing so would have made all this a non-issue.  It would even make great strides towards reducing the massive communication gap.


----------



## Verin Asper (Oct 22, 2010)

Carenath said:


> SoFurry, Inkbunny, DeviantArt, SheezyArt, Y!Gallery.. to my knowledge, none of these websites made their code publicly available. They don't have any reason to, irrespective of any potential security holes that may exist. So by that same token, FA is not required to release its code to the public either, it's not necessary to do so, in order to ask for advice/assistance from the aforementioned skilled people in this thread.


but I do know SoFurry enjoys keeping their users in the know of the various things they are working on publicly on site, like how users were suddenly surprised over the whole icon thing. Most were surprised, not realizing the whole thing was taking place on the forums.


----------



## Pi (Oct 22, 2010)

Carenath said:


> SoFurry, Inkbunny, DeviantArt, SheezyArt, Y!Gallery.. to my knowledge, none of these websites made their code publicly available. They don't have any reason to, irrespective of any potential security holes that may exist. And I By that same token, FA is not required to release its code to the public either. Even if the people here (Pi, Eevee, Xenofur), who are all competent and knowledgeable programmers were asked for advice/brought on, to contribute fixes to the codebase and fix all these holes, it is still highly unlikely that the current code would be made public.



Fine. Whatever. Now quit jerking off over how much of a super-secret secret the code has to be, and start letting people _fix the goddamn thing_. What's the problem here? Why are you so insistent upon code secrecy but not _fucking security_?

Remember. _I can do bad things without the code._ I cannot _fix_ these things without the code.


----------



## Eevee (Oct 22, 2010)

Pi said:


> Remember. _I can do bad things without the code._ I cannot _fix_ these things without the code.


This point seems to be lost on almost everyone, even though it's what I wanted to get at in the first place:

*The site is vulnerable.  This is a fault of the code, not of outsiders.  That it is still vulnerable is a fault of FA's administration, not of outsiders.*

You can point fingers and assign blame and ostracize and keep everything secret all you'd like, but at the end of the day, the. site. is. still. *vulnerable*.  This is not a social problem and you cannot turn it into one.


----------



## Verin Asper (Oct 22, 2010)

We got the foxes, that want to bolster the henhouse to prevent far worse Foxes from getting in.
It was better that Eevee did that demonstration, over someone who would probably STILL be doing the attacks, but instead of hiding comments... how about deleting submissions, journals, etc.

Again: "We have Foxes that have no gawd damn interests in your chickens in that henhouse, who want to help bolster the henhouse against the Foxes who do"


----------



## Koronikov (Oct 22, 2010)

tl;dr Wait, all of this could be solved if someone gave us some source code so that we could fix the problem, but Fur Affinity has trust issues so we can't?


----------



## Pi (Oct 22, 2010)

Eevee said:


> You can point fingers and assign blame and ostracize and keep everything secret all you'd like, but at the end of the day, the. site. is. still. *vulnerable*.  This is not a social problem and you cannot turn it into one.


 
They sure seem to think they can. We keep hearing how Crypto "chased off all the coders" (false) and that you "wanted to let kids view porn" and you didn't do exactly what Dragoneer wanted and used "secret hacker knowledge from when you worked on the code" (again, piles upon piles of bullshit) and how nrr wanted to steal the site to make artplz. I'm apparently enough of an asshole that Dragoneer felt the need to bitch about it within earshot of other people at AC. There is this whole rumor mill, _perpetuated in part by the administration_, that is distracting from the core issue: this site is swiss cheese and the responsible party does not give a shit.

This kind of stupid politicking is not what needs to be done. Why are the people who operate this site more concerned with their reputation and popularity (and pissing on other people for perceived personal slights) than functionality and security? Swallow your fucking pride and let the people who know what they're _doing_ get the job done. Failing that, provide us with something besides "we're working on it" and "we don't trust you because you make trouble".


----------



## Carenath (Oct 22, 2010)

Crysix Fousen said:


> but I do know SoFurry enjoys keeping their users in the know of the various things they are working on publicly on site, like how users were suddenly surprised over the whole icon thing. Most were surprised, not realizing the whole thing was taking place on the forums.


I wouldn't know, I'm an infrequent-at-best user and don't talk that often to Toumal about what way SF does things. I'll have to take your word for it.



Pi said:


> Fine. Whatever. Now quit jerking off over how much of a super-secret secret the code has to be, and start letting people _fix the goddamn thing_. What's the problem here? Why are you so insistent upon code secrecy but not _fucking security_?
> 
> Remember. _I can do bad things without the code._ I cannot _fix_ these things without the code.


 I'm not the one you should be addressing, that would be Yak, don't waste your time talking to me about something I can't help you with.


----------



## Xenofur (Oct 22, 2010)

Summercat said:


> Thirdly, what is preventing these coders from offering their advice freely now, especially those who have worked on the site before?


 Ok, now that i'm back home, let me address the most salient post in your post.

NOTHING is preventing them from offering their advice freely. In fact, Eevee has done so and is doing so right now.

*READ THIS ENTIRE FUCKING THING:* http://eevee.livejournal.com/329817.html

When you're done, reread this quote from Eevee:



			
Eevee said:


> *huge list of security issues*
> I will happily explain, to any FA admin who asks, how any of these work and how to prevent them.





Summercat said:


> And lastly, communication is a two-way street


Yes, and he has done more than enough to communicate in their direction in an amiable manner. You cannot possibly find fault in him here for them not responding.



Summercat said:


> "Hire me and my friends to help fix", not as much.


Nobody wants to get hired. We literally just want to see shit fixed because it makes us cranky to see broken shit.


----------



## Eevee (Oct 22, 2010)

Xenofur said:


> We literally just want to see shit fixed because it makes us cranky to see broken shit.


Yeah pretty much this.  If you were ever confused about my intentions, there you go.  I want to be less cranky.


----------



## Pi (Oct 22, 2010)

Carenath said:


> I'm not the one you should be addressing, that would be Yak, don't waste your time talking to me about something I can't help you with.


 
Honestly? If this is the case, you should stop wasting OUR time with your ass-backwards security rhetoric, and put us in touch with someone who CAN help.


----------



## Carenath (Oct 22, 2010)

Pi said:


> Honestly? If this is the case, you should stop wasting OUR time with your ass-backwards security rhetoric, and put us in touch with someone who CAN help.


I told you who to address, you know how to contact yak, go do it.


----------



## Smelge (Oct 22, 2010)

Pi said:


> Honestly? If this is the case, you should stop wasting OUR time with your ass-backwards security rhetoric, and put us in touch with someone who CAN help.


 
GHOSTBUSTERS!


----------



## SnowFox (Oct 22, 2010)

Pi, are the files you're hosting on clanspum a previous version of FA or an out of date version of the current code?

I tried getting it to run a while back, but it seems like some of the source files have randomly truncated lines.


----------



## yak (Oct 22, 2010)

Pi said:


> There is this whole rumor mill, _perpetuated in part by ~~the administration~~ interested party with an agenda_, that is distracting from the core issue: this site is swiss cheese and the responsible party ~~does not give a shit~~ does not see fit to waste time responding to an obviously orchestrated situation on a myriad of threads where the discussion about it takes place.


Rumor, speculation and bewildering assumptions. Arguments and "facts" rigged to look so convincing and obvious that they need no proof. Distorted grotesque versions of events that look distinctively different from what they really were. I'd say the rumor mill is working on the other side of the camp as well.



I want to tell everyone to stop assuming you know a lick about how FA is being run, both from the technical and the administrative standpoint. Because you don't. We're not exactly broadcasting that many details, partly because individually some of us are too lazy to do so, partly because these details are not your business, partly because we don't want others to decide for us what we need to do and how we should have done things, and partly for other reasons you don't know and need to know about.
Neither you nor the people who are presenting you with "proof". Keep that in mind.

Sure. A lot of things that require fixing look way too easy or trivial to do so - but that's not how it works on FA. 
I have it worse than you think when it comes to a lot of things. Fixing glaring, textbook style omissions, flaws and errors in the code, being held accountable for its extensions with small features that I am periodically throwing out there to stave off the "stagnant development" look at least somewhat; when having to stand up to the never ending criticism and mocking of the site and its security record. Worse because I am held accountable for the code and all aspects of it, yet I merely adopted it; and have been cleaning it up ever since.

The issues you know on FA? Those are the issues in the legacy code that was hastily put together to fill a niche by a dabbling coder in very opportunistic times. I know about 80% of them. And I am gradually fixing them one by one. More often they look so obvious and so wrong that they shouldn't have even existed - or if they do - that they're easy to fix. They're not. Should have been, but they just aren't; FA ceaselessly amazes me with new ways to make something so wrong it's a chore to see it set straight.

And until those issues I am aware of are fixed I am not even remotely considering opening up the code to the public review; solely on the fact that some of them are easily exploited even by non IT-savvy people. Unfortunate is that a lot of them are also, even if trivial, some of the most time consuming fixes to be done to the code; and time is the scarcest of all resources.

One of such vulnerabilities was recently - and quite enthusiastically, if I say so myself - advertised by Eevee. A person I know is aware of the situation and the issues from a first hand experience. Someone who has a copy of the code.
Someone who chose, in my view, to essentially extort immediate fixes out of FA for the issue he thought, in my place, was the most important of things to fix on FA. Dude, it's been there for years; another month or two until I eventually got to fixing that on a regular schedule wouldn't have changed anything. I actually had a big thing planned in that regard.
But now that the entire internet knows how to abuse a previously hidden FA vulnerability I have no choice left but to drop everything and prioritize the fix for it above all my other plans and schedules...... Which implies rewriting 60% of the codebase and more than half of FA's url rewriting rules away from a garbled mess of 2k era php+html+half of HTML taken out in a set of templates model+view+controller+in-a-single-file to something remotely resembling MVC, and URLs that have some sort of consistency.

Though from the outside it looks like a trivial case of writing a few token generating functions, going to all the templates and changing links to POST forms. It's far from being that easy because on FA:
1. Only part of the HTML is in external templates. A lot of fluff like individual links and blocks are generated in the code and passed as HTML blobs to the templates.
2. There is no controller or something resembling it. Page action processing is scattered around the entire body of the script responsible for processing an individual entity.
3. Action processing is done over both GET and POST.
4. Things like "+fav" are implemented as triggers, not as two individual action paths.
5. So many other things done wrong in the adjacent code that I want to stab my eyes out. It's hard to ignore the compelling urge to rewrite everything, but that's digressing from fixing the actual issue.

So everyone, do me a favor - don't pretend to claim the knowledge of how easy it is to fix yet another terrible, terrible bug on FA. You don't, okay? You just don't. You have no idea. 
The moment I feel that opening FA's source will not spell a living hell for the admins doing damage control of the resulting wave upon wave of attacks from script kiddies and "furry haters" using means described - or even scripts written - by people with good intentions demonstrating FA's vulnerabilities they've uncovered to everyone.... I will do it. Until then I'll keep hacking at the code and looking for trustworthy people to help me with that cause; and will keep in mind to dedicate some more time to the latter, the sooner the better. 
Call it security through obscurity or any other buzzword you wish; there are too many people wishing harm to "the fandom" through the site, a lot of the times they have too much dedication and free time on their hands, and there are too many ways to do it on current FA too easily. I prefer to see most of them fixed or obsoleted with new code before FA's codebase is made freely accessible.
You may call me out on this judgment and we may have a debate, as long as it's kept civil.

Oh, and stop this pointless drama. Contrary to some people's beliefs it's not helping anything. I mean, if you want to continue then don't let me stop you, it's just... stupid.


----------



## Pi (Oct 22, 2010)

Carenath said:


> I told you who to address, you know how to contact yak, go do it.


 
[14:34:50] <@Pi> yak apparently i'm supposed to tell you that carenath said i should talk to you about fixing your fucked shit
[14:34:54] <@Pi> only, we've done this
[14:35:07] <@Pi> and last i checked the answer was "you can't help because politics"

I've offered to help several times over the past few years.

Again I ask: Can you people get over your stupid popularity-contest high-school politics, so the people who know what they're doing can get their jobs done? You don't want Eevee's help because ... why, exactly? You don't want my help because... why, exactly?

You have failed to offer anything resembling a _reason_, instead merely insisting that we aren't ~trustworthy~. What in fuck inspires trustworthy feelings about the way things are currently run?

Over on Viv, in a thread from 2009, someone observes:
"FA tends to run on "out of context" whispers-and-gossip, though, and hasn't been able to raise itself from that level."

Why has this not been rectified? You're sitting here churning out PR and bluster, instead of doing what is supposedly your _job_ as an admin. You'd rather pass the buck. This is indefensible; why are you trying to defend it?


----------



## Eevee (Oct 22, 2010)

yak said:


> I want to tell everyone to stop assuming you know a lick about how FA is being run, both from the technical and the administrative standpoint. Because you don't. We're not exactly broadcasting that many details, partly because individually some of us are too lazy to do so, partly because these details are not your business, partly because we don't want others to decide for us what we need to do and how we should have done things, and partly for other reasons you don't know and need to know about.


You may notice that we've been complaining about this throughout the thread.  FA doesn't say anything, and that is undesirable.

But how the backend works doesn't even matter.  Basic security problems are not being fixed and nobody is reflecting any interest in doing so until they become practical issues.  Whatever's _actually_ going on behind the scenes, whatever people _plan_ to do or _talk_ about doing, is completely irrelevant to the rest of us.  All that matters is what FA, as an entity, says and does.




yak said:


> Worse because I am held accountable for the code and all aspects of it, yet I merely adopted it; and have been cleaning it up ever since.


Staffing issues are Dragoneer's problem, or Dama's problem, or certainly someone's problem, but not your problem.  If you don't have enough time even to fix long-standing outlandish security problems, then there should be more development staff.  If there have been problems in the past, that sucks, but it's not an excuse to ignore the problem altogether.




yak said:


> One of such vulnerabilities was recently - and quite enthusiastically, if I say so myself - advertised by Eevee. A person I know is aware of the situation and the issues from a first hand experience. Someone who has a copy of the code.
> Someone who chose, in my view, to essentially extort immediate fixes out of FA for the issue he thought, in my place, was the most important of things to fix on FA.


Because this issue is serious, and I remain unconvinced that anyone else finds it sufficiently serious.  FA is currently protected by fingers in ears.

You say below that the fandom has a lot of enemies.  Why then is it unreasonable to treat security issues as a top priority, especially from the point of view of a _user_?




yak said:


> Dude, it's been there for years; another month or two until I eventually got to fixing that on a regular schedule wouldn't have changed anything. I actually had a big thing planned in that regard.


You can't be indignant that I didn't trust FA to fix the problems Real Soon Now, when nobody has indicated any intention to and they haven't been fixed in the many years they've been there.




yak said:


> Though from the outside it looks like a trivial case of writing a few token generating functions, going to all the templates and changing links to POST forms. It's far from being that easy because on FA:


You *just said* I have a copy of the code, and I did in fact consult it for whipping up my list of known exploits.  I've also _worked on_ the code briefly, before even the Ferrox days.  I know _exactly_ how hard it would be to fix these things, and I maintain that everything I named could be eliminated in the course of a weekend, even if you had to resort to tasteless amounts of copy/pasting.




yak said:


> So everyone, do me a favor - don't pretend to claim the knowledge of how easy it is to fix yet another terrible, terrible bug on FA. You don't, okay? You just don't. You have no idea.


You don't ask us for advice on how to fix these problems, you don't ask us to look for them in the first place, you insist that people who have _already seen the code_ aren't allowed to patch it, and you lament that we don't know what's going on even though we are quite eager to find out.  And all, apparently, for furry political reasons.  What the hell is going on?  And why does nobody with political sway on staff have any input on why this is happening?  Why are politics allowed to keep the site unsafe?




yak said:


> I prefer to see most of them fixed or obsoleted with new code before FA's codebase is made freely accessible.


Everyone keeps forgetting that comment hiding _was new code_, and it had a trivial privilege escalation bug.  I'm not only bringing up old holes; I keep asking why nothing's being done to prevent new ones from forming.


----------
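
The fix yak outlines earlier in the thread (token-generating functions, action links turned into POST forms, explicit actions instead of toggle triggers), combined with the per-object permission check that prevents a privilege escalation like the comment-hiding one, as an added PHP example. It is not FA's code: the route, field names, session layout and the `owner` field are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Every name, route and record here is hypothetical.

/** Per-session, per-action CSRF token: HMAC of the action under a session secret. */
function csrf_token(array &$session, string $action): string
{
    if (!isset($session['csrf_secret'])) {
        $session['csrf_secret'] = random_bytes(32); // generated once per session
    }
    return hash_hmac('sha256', $action, $session['csrf_secret']);
}

/** Constant-time comparison; rejects missing or non-string tokens. */
function csrf_valid(array &$session, string $action, $submitted): bool
{
    return is_string($submitted)
        && hash_equals(csrf_token($session, $action), $submitted);
}

/** What replaces a bare "hide" link in a template: a POST form carrying the token. */
function hide_comment_form(array &$session, int $commentId): string
{
    $token = csrf_token($session, 'comment:hide'); // hex digits, safe to embed as-is
    return '<form method="post" action="/comment/action">'
         . '<input type="hidden" name="action" value="hide">'
         . '<input type="hidden" name="comment_id" value="' . $commentId . '">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit">Hide</button></form>';
}

/**
 * Single entry point for state-changing comment actions. Returns an HTTP status.
 * $comments maps id => ['owner' => user allowed to hide it, 'hidden' => bool].
 */
function handle_comment_action(array $request, array &$session, array &$comments): int
{
    // State changes happen over POST only; a GET link or <img src> never acts.
    if (($request['method'] ?? '') !== 'POST') {
        return 405;
    }
    if (!isset($session['user_id'])) {
        return 401;
    }
    $post   = $request['post'] ?? [];
    $action = $post['action'] ?? null;
    // "hide" and "unhide" are two explicit actions, not one toggle trigger.
    if (!in_array($action, ['hide', 'unhide'], true)) {
        return 400;
    }
    // The token is bound to this session and this action.
    if (!csrf_valid($session, 'comment:' . $action, $post['token'] ?? null)) {
        return 403;
    }
    // Nothing from the browser is trusted: the id must be an integer that exists...
    $id = filter_var($post['comment_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($comments[$id])) {
        return 404;
    }
    // ...and the logged-in user must be allowed to act on that specific comment.
    if ($comments[$id]['owner'] !== $session['user_id']) {
        return 403;
    }
    $comments[$id]['hidden'] = ($action === 'hide');
    return 200;
}

// --- Constructed demo data (not real accounts or comments) ---
$comments = [
    7 => ['owner' => 'alice', 'hidden' => false],
    8 => ['owner' => 'bob',   'hidden' => false],
];
$session = ['user_id' => 'alice'];
$token   = csrf_token($session, 'comment:hide');
$post    = fn(array $fields): array => ['method' => 'POST', 'post' => $fields];

$cases = [
    'GET request (link or <img src>)' =>
        ['method' => 'GET', 'post' => []],
    'POST without a token' =>
        $post(['action' => 'hide', 'comment_id' => '7']),
    'hide token replayed for unhide' =>
        $post(['action' => 'unhide', 'comment_id' => '7', 'token' => $token]),
    "valid token, another user's comment" =>
        $post(['action' => 'hide', 'comment_id' => '8', 'token' => $token]),
    'valid token, own comment' =>
        $post(['action' => 'hide', 'comment_id' => '7', 'token' => $token]),
];
foreach ($cases as $label => $request) {
    printf("%-40s %d\n", $label, handle_comment_action($request, $session, $comments));
}
```

Only the last case changes state; the CSRF token and the ownership check are independent controls, so a valid token does not help against someone else's comment.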



## Kirune (Oct 22, 2010)

The staff of this site really astounds me.

Reading over this thread, valid points are being brought up left and right. But it seems like the entire staff is intentionally ignoring those facts to push their own ideas.
lalalalala CAN'T HEAR YOU


----------



## timoran (Oct 22, 2010)

Stumbled on this thread, and it really desperately needs feedback from a (professionally employed - by the government, no less) coder without an axe to grind.

*Re: Exploits were inherited old code*
I don't buy it. The comment hiding was new code, and the way it was implemented was incredibly stupid. From my understanding the architecture was only slightly more sophisticated than having a link to delete_comment.php?comment_id=1234 where editing in some other user's comment_id would let you delete their comment. The stuff on eevee's LJ might be inherited but I'm not buying it as far as the comment hiding exploit. That one was all yak.

Rule number one of web programming: Never, ever trust *anything* that comes from the user's browser. Apple has made the same mistake and it was exposed by a group called "Goatse Security" which I find both hilarious and extremely appropriate (note: Apple says AT&T did it).

*Re: Priorities*
Should closing all of those security issues be a priority? It depends.

Does anyone remember how slow FA used to be? Or when you would have to refresh a good 5-10 times to get a submission instead of an error page? Those problems affect everyone. Keeping the site usable is definitely more important than closing security holes, for the following reason.

A security hole doesn't affect anyone until it's exploited. For every security hole that has been exploited there could be hundreds that have yet to be exploited.

Exploits have happened on FA quite a few times and I think we are all familiar with the procedure when it happens. FA goes down for an evening, a weekend, a whole week if it's really bad, but eventually the site does get restored from a secure incremental backup (FA _does_ have that type of thing set up, right?) and it's back to normal, perhaps with a responsible feature or page (like commission information) gone, possibly never to return.

FA may have enemies but I believe that the number of enemies tomorrow will be about the same as today and the site isn't being exploited right this moment. If the hacking was out of control I'm sure it would be dealt with much more quickly. Trying to rush in a fix to the security holes that exist today, I believe, could result in being left with broken functionality. Wouldn't it be nice to have all of the security holes fixed... only to find that if you delete your own comment and your reply is more than five levels deep, every comment you ever posted disappears? That kind of thing would bother me a lot more than having an open security hole which is not being exploited and from which recovery is a simple process.

*Re: Coders*
Every coder should be treated as if he is your worst enemy even if the coder is your best friend. Yak shouldn't be coding, he should be reviewing code that others submit to him, and he should be reviewing it with the utmost skepticism. If that was how FA worked, you'd find that broken or insecure things make it into the live code much less often. And with that policy, you can enforce standards and quality so there's no need to worry about how qualified a coder is, just make sure everything gets a code review.

More coders are clearly needed, though. FA is not a "weekend project" and deserves better.

*Re: Communication*
Yes, I agree, FA's communication sucks. Dragoneer and Yak agree more coders are needed, but has anyone seen *any* type of request for coding assistance since Ferrox? (And I did offer back then, and the person I was working with got kicked off along with that whole team of coders, and that was the end of that.)


----------



## Accountability (Oct 22, 2010)

timoran said:


> Does anyone remember how slow FA used to be? Or when you would have to refresh a good 5-10 times to get a submission instead of an error page? Those problems affect everyone. Keeping the site usable is definitely more important than closing security holes, for the following reason.



Some (if not most) of these issues were hardware related. It's funny, hardware related issues seem to be fixed quite quickly. Probably because it's a lot more fun to dick around in a datacenter for a few hours than it is to get other people to fix the site code.



> A security hole doesn't affect anyone until it's exploited. For every security hole that has been exploited there could be hundreds that have yet to be exploited.
> 
> Exploits have happened on FA quite a few times and I think we are all familiar with the procedure when it happens. FA goes down for an evening, a weekend, a whole week if it's really bad, but eventually the site does get restored from a secure incremental backup (FA _does_ have that type of thing set up, right?) and it's back to normal, perhaps with a responsible feature or page (like commission information) gone, possibly never to return.


 
This is exactly what so many people around here are upset about. It shouldn't be an issue only when it's exploited. I'm not sure why the staff around here think that. Apparently "Sorry the site is offline for the next week and some data was lost because someone exploited security holes we were aware about but never got around to fixing" sounds *better* than "We're looking for some coders to help fix up the site code and help improve the user experience".

Sure, open security holes aren't being exploited _right now._ But they might be exploited tomorrow, or the next day. People are aware of them, it's only a matter of time before some script kiddie 4channer finds them and has some fun. _That's_ why they need to be fixed and fixed ASAP.


----------



## Rossyfox (Oct 22, 2010)

yak said:


> The moment I feel that opening FA's source will not spell a living hell for the admins doing damage control of the resulting wave upon wave of attacks from script kiddies and "furry haters" using means described - or even scripts written - by people with good intentions demonstrating FA's vulnerabilities they've uncovered to everyone.... I will do it. Until then I'll keep hacking at the code and looking for trustworthy people to help me with that cause; and will keep in mind to dedicate some more time to the latter, the sooner the better.


 
Then open it up to these people on a limited basis. Eevee has already seen a version of the code, as has Pi. Trust issues are really not relevant. They have the knowledge to attack the site right now, if they wanted to, or they could pass on this knowledge to others, if they wanted to.

But it's more than who has or has not seen the code. Sure, security by obscurity will keep the "script kiddies" out for a while, but as Eevee demonstrated (as he did NOT have access to the comment hide code) someone who is highly technically competent does not need to see the source code to discover these holes. CSRF is a pretty basic thing, someone can go looking for CSRF exploits without needing to see the code by guessing how they would work. An attacker doesn't have to know something is there to start looking for it, this is a pretty basic security principle.

As for pointless drama... drama is absolutely at the heart of all this. We know that Eevee was burned over the direction of the Ferrox project, we know that those team dynamics didn't work out. Who is at fault here does not matter; your staff are the ones who should drop the personal drama over OH WORKING WITH EEVEE WAS SO TERRIBLE. (Frankly, those who know him aren't buying it, because he is lovely really.) Eevee is not offering to come back in any sort of design, editorial, strategic capacity. He's offering to fix your bugs. He doesn't want his Ferrox project lead position back, he's basically offering himself up as your bug-fixing bitch, because he still kind of likes the site and knows you don't have time to do it on your own. You're the one who's letting past drama get in the way.


----------
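
As an added example (not code from FA or from anyone in this thread), the two flaws discussed above, the editable `comment_id` timoran describes and the CSRF holes Rossyfox mentions, are modeled here as framework-free Python handlers beside a hardened version. The handler names, the session and token scheme, and the sample comments are assumptions made for illustration, as is the rule that only a comment's author may hide it.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to a browser


def fresh_comments():
    """Constructed sample data: comment id -> author and hidden flag."""
    return {1234: {"owner": "alice", "hidden": False},
            1235: {"owner": "bob", "hidden": False}}


def new_session(user):
    """Server-side session record; the browser only carries the session id cookie."""
    return {"user": user, "sid": secrets.token_hex(16)}


def csrf_token(session):
    """Token tied to one session, embedded only in forms the site itself renders."""
    return hmac.new(SERVER_KEY, session["sid"].encode(), hashlib.sha256).hexdigest()


def parse_id(raw):
    """Accept only a plain decimal id; anything else is rejected, not coerced."""
    ok = isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 18
    return int(raw) if ok else None


def hide_comment_naive(comments, session, params):
    """The pattern described in the thread: act on whatever id the browser sent."""
    cid = parse_id(params.get("comment_id"))
    if cid is None or cid not in comments:
        return 404
    comments[cid]["hidden"] = True  # nobody checks who is asking
    return 200


def hide_comment_owner_only(comments, session, params):
    """Adds the authorization check, but accepts any request that carries the cookie."""
    if session is None:
        return 401
    cid = parse_id(params.get("comment_id"))
    if cid is None or cid not in comments:
        return 404
    if comments[cid]["owner"] != session["user"]:
        return 403
    comments[cid]["hidden"] = True
    return 200


def hide_comment_hardened(comments, session, method, params):
    """Authenticated, POST only, session-bound token, then the ownership check."""
    if session is None:
        return 401
    if method != "POST":
        return 405
    sent = str(params.get("csrf_token", "")).encode()
    if not hmac.compare_digest(sent, csrf_token(session).encode()):
        return 403
    return hide_comment_owner_only(comments, session, params)


def run_demo():
    alice, bob = new_session("alice"), new_session("bob")
    results = {}

    # 1. Bob changes the id in his own request to point at Alice's comment.
    target = {"comment_id": "1234"}
    c = fresh_comments()
    results["naive_other_user"] = (hide_comment_naive(c, bob, target), c[1234]["hidden"])
    c = fresh_comments()
    results["owner_check_other_user"] = (hide_comment_owner_only(c, bob, target), c[1234]["hidden"])

    # 2. A request forged by a third-party page arrives with Alice's cookie
    #    (so her session) but without a token, which that page cannot read.
    c = fresh_comments()
    results["owner_check_forged"] = (hide_comment_owner_only(c, alice, target), c[1234]["hidden"])
    c = fresh_comments()
    results["hardened_forged"] = (hide_comment_hardened(c, alice, "POST", target), c[1234]["hidden"])

    # 3. Alice's own form submission carries the token the site rendered for her.
    own = {"comment_id": "1234", "csrf_token": csrf_token(alice)}
    c = fresh_comments()
    results["hardened_legit"] = (hide_comment_hardened(c, alice, "POST", own), c[1234]["hidden"])

    # 4. A token minted for Bob's session is useless inside Alice's.
    other = {"comment_id": "1234", "csrf_token": csrf_token(bob)}
    c = fresh_comments()
    results["hardened_wrong_token"] = (hide_comment_hardened(c, alice, "POST", other), c[1234]["hidden"])
    return results


if __name__ == "__main__":
    for name, (status, hidden) in run_demo().items():
        print(f"{name:24} status={status} hidden={hidden}")
```

The ownership check alone stops the edited-id case but not the forged request, because a forged request really does come from the owner's session; that is why the two checks are separate fixes.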



## nrr (Oct 23, 2010)

I'm not going to say much here; I have better things to do than meddle in more bullshit drama of this nature.

That said, someone smarter than I am has some good things to say about vulnerability disclosure, and I would recommend reading the materials linked therein as well.  Listen to Schneier.  I can guarantee he knows things you don't, let alone that he's forgotten more things than you'll ever know.

I don't particularly approve of the behavior of either side of the fence in this entire spat.  You're all fucking morons.


----------



## Azure (Oct 23, 2010)

nrr said:


> You're all fucking morons.


 THIS a thousand fucking times. Both sides of this equation have essentially devolved into a nerdy, bitchy, messageboard slapfight. You ALL look like a bunch of immature kids. Congratulations, you've won at the internet. The only reason I even bother to post is I'm tired of seeing threads like this one pop up ALL THE TIME. Get over yourselves.


----------



## Eevee (Oct 23, 2010)

Come on, guys.  Strolling past an issue announcing both sides are idiots and continuing on your merry way is a great excuse to pat yourself on the back, but will hardly ever resolve anything.  If I've actually been unreasonable somewhere, please let me know.

I don't have anything left to say, anyway, so I'll bugger off.  I'm not hard to contact, should you need to.


----------



## STK (Oct 23, 2010)

Yeah, I know this is a little off topic... but what the bloody hell happened to "Ferrox"? Instead of wasting so much time "fixing" issues in the current code, why not just rewrite the whole thing (since it apparently needs it!)?


----------



## ab2525 (Oct 23, 2010)

STK said:


> Yeah, I know this is a little off topic... but what the bloody hell happened to "Ferrox"? Instead of wasting so much time "fixing" issues in the current code, why not just rewrite the whole thing (since it apparently needs it!)?


 Ferrox is dead. Long live floof. http://bugs.veekun.com/projects/floof


----------



## STK (Oct 23, 2010)

I know I read somewhere that they were planning on switching it from Python/Pylons to PHP sometime after Eevee left. Hence, why I asked.

Scratch that, I just read through the entire Ferrox thread.

edit// There is also no reason to revive the project.


That there.
http://forums.furaffinity.net/threads/49368-Code-freeze-on-current-Ferrox-codebase.?highlight=Ferrox


----------



## Xenofur (Oct 23, 2010)

STK said:


> Yeah, I know this is a little off topic... but what the bloody hell happened to "Ferrox"? Instead of wasting so much time "fixing" issues in the current code, why not just rewrite the whole thing (since it apparently needs it!)?


 
Short version: All involved programmers ran away.


----------



## Grr[Piggies] (Oct 23, 2010)

nrr said:


> I don't particularly approve of the behavior of either side of the fence in this entire spat.  You're all fucking morons.



I would have said it a little nicer than this, but yes. agreed.


----------



## nrr (Oct 23, 2010)

Grr[Piggies] said:

> I would have said it a little nicer than this, but yes. agreed.


 
Nice doesn't work here.  It never has.

I wouldn't be so sour if two things held true here.  Namely, Eevee should've done his due diligence in reporting the vulnerability _and then waiting an appropriate amount of time before attacking and disclosing_ (this emphasized part is what should've happened but didn't actually happen), and FA (yak, Dragoneer, Witchiebunnie, et al) should've taken the report a little more seriously.

So, okay, FA taking the report a little more seriously should have, at least in the case of comment hiding, entailed _rolling back_ the changes as to disable the functionality outright so that further review would be possible.  Leaving something blatantly broken in place like this with the attitude that yak had initially (combined with his "I trust you guys not to abuse this"-ish disclaimer in #hackerfurs) is also an inappropriate reaction of sorts, and I'm willing to hazard to guess that this is partially what sparked Eevee into ultimately doing what he did.

As far as the other vulnerabilities are concerned, well, I'm kinda with Timoran on this one.  Fix those as they become more severe, but don't waste too much time with them.  However, now that everyone's aware of them, they're pretty severe, so... yeah.

Eevee should've seriously waited four weeks before doing this.  I'd be a lot less irate with him had he done that.


----------



## Xenofur (Oct 23, 2010)

I like how everyone ignores the important part of his post.





nrr said:


> *someone smarter than I am has some good things to say about vulnerability disclosure*


And instead only attaches to the low-hanging bait.

Good job guys. (`-`)-b


----------



## Verin Asper (Oct 23, 2010)

nrr said:


> Nice doesn't work here.  It never has.
> 
> I wouldn't be so sour if two things held true here.  Namely, Eevee should've done his due diligence in reporting the vulnerability _and then waiting an appropriate amount of time before attacking and disclosing_ (this emphasized part is what should've happened but didn't actually happen), and FA (yak, Dragoneer, Witchiebunnie, et al) should've taken the report a little more seriously.
> 
> ...


 
big thing bugging me is, "would all the events that happen...still happen again?" in your said scenario


----------



## nrr (Oct 23, 2010)

Crysix Fousen said:


> big thing bugging me is, "would all the events that happen...still happen again?" in your said scenario


----------



## Verin Asper (Oct 23, 2010)

nrr said:


>


 Actually I answered my own question, "Most likely Eevee would get banned still and everything continues how we are now."


----------



## Firehazard (Oct 23, 2010)

Summercat said:


> In all honesty, the 'showing exploitable hole to people in charge via using it visibly' is an okay tactic.
> 
> ...as long as you don't want praise for finding the exploit and then being graciously asked to help fix it. When you perform the action and use it as the focal point of "Hire me and my friends to help fix", not as much.


 
I'm actually rather surprised that you're OK with him hacking the site. You deserve a point for understanding. But where did he say he or his friends want to be rehired? He doesn't _want_ to be rehired. He _quit_ because he was sick of the attitude here. He's using himself, and the other ex-coders, as examples of the apathy the staff has towards its coders as well as those who report vulnerabilities, and calling BS on the idea that bringing in more coders will really help anything. If Dragoneer really has "other people lined up", as he says, who's to say they're not just going to get the same "Oh that's nice, now stop bugging me" treatment that everyone else has?



Eevee said:


> If the source code were available, I could have submitted patches—as many people have insisted I should've done—a week ago.  Or even further back, possibly before the feature were even deployed.



And then those patches would have sat there ignored by the staff, just like, yanow, the entire Ferrox codebase did. Stop trying to drag us into your little open-source crusade, please. We've got a more serious issue to deal with, and you're being the guy at the union negotiation asking for a chocolate fountain.



nrr said:


> Eevee should've done his due diligence in reporting the vulnerability _and then waiting an appropriate amount of time before attacking and disclosing_ (this emphasized part is what should've happened but didn't actually happen)


 
According to his LJ post, they responded rather promptly with "We're not planning to fix it." I'm not sure how waiting longer would have changed that.


----------



## Carenath (Oct 23, 2010)

Xenofur said:


> I like how everyone ignores the important part of his post. And instead only attaches to the low-hanging bait.
> 
> Good job guys. (`-`)-b


 Actually, seeing as I just saw nrr's post, I'm going to read that for my own reference, irrespective of what happens on this site. I don't actually have anything further to comment or state on this thread with respect to either side.


----------



## nrr (Oct 23, 2010)

Firehazard said:


> According to his LJ post, they responded rather promptly with "We're not planning to fix it." I'm not sure how waiting longer would have changed that.



It seems I need to be a little clearer here.  It's a matter of ethics, and purely ethics, to wait four weeks between initially reporting a vulnerability privately and disclosing the details publicly.  Someone in the infosec space who does this is considered responsible.

Past that, whatever happens is on the vulnerable party's head, not the researcher's.


----------



## Accountability (Oct 23, 2010)

yak said:


> (long post where Yak talks about himself a lot)


 
If _you_ have it so bad and _you_ have to use your time then why don't _you_ call upon some of those coders you claim to have lined up ready to help so _you_ aren't so overloaded.



> I want to tell everyone to stop assuming you know a lick about how FA is being run, both from the technical and the administrative standpoint. Because you don't. We're not exactly broadcasting that many details, partly because individually some of us are too lazy to do so, partly because these details are not your business, partly because we don't want others to decide for us what we need to do and how we should have done things, and partly for other reasons you don't know and need to know about.



As long as there are people donating money to this site to keep it operational, transparency in operations should be a priority. Once the site is able to run on ad revenue alone you can start using this "Nobody needs to know how we run" bullshit.



> One of such vulnerabilities was recently - and quite enthusiastically, if I say so myself - advertised by Eevee. A person I know is aware of the situation and the issues from a first hand experience. Someone who has a copy of the code.
> Someone who chose, in my view, to essentially extort immediate fixes out of FA for the issue he thought, in my place, was the most important of things to fix on FA. Dude, it's been there for years; another month or two until I eventually got to fixing that on a regular schedule wouldn't have changed anything. I actually had a big thing planned in that regard.


Woah, hold on a minute there. The comment feature is new code, how has it been there for years? If you can't code a *new feature* to be secure, how can we assume you're able to fix the existing security problems?

Am I the only one that sees a problem here?


----------



## AshleyAshes (Oct 23, 2010)

Accountability said:


> Woah, hold on a minute there. The comment feature is new code, how has it been there for years? If you can't code a *new feature* to be secure, how can we assume you're able to fix the existing security problems?
> 
> Am I the only one that sees a problem here?



Actually no, the hole existed for some time and it allowed multiple things.  Basically you could force someone to watch something, force someone to favorite something and stuff like that.  Adding in the new feature for soft-comment deletes just added something else that that hole could access and force against the users' wishes.


----------



## Rossyfox (Oct 24, 2010)

AshleyAshes said:


> Actually no, the hole existed for some time and it allowed multiple things.  Basically you could force someone to watch something, force someone to favorite something and stuff like that.  Adding in the new feature for soft-comment deletes just added something else that that hole could access and force against the users' wishes.


 
No, IIRC, these are all different CSRF holes. It is the same vulnerability, but recoded multiple times.


----------



## Accountability (Oct 27, 2010)

Since the forum moderators around here seem to think that closing a thread without waiting for an administrator to answer it is acceptable behavior, I guess I'll just ask again here.

Why was a 12-year-old allowed to have a FA account for 9 months before he turned 13?
Why do I get the feeling that, since said user is the host of a forum that has been described on other sites as "Dragoneer's Personal Army" that the administration here turned a blind eye to an offense that the TOS says shall be dealt with by having the account "closed without warning, and the user will be responsible to provide verification that they are of sufficient legal age to continue use of the site"?
Why does it seem like the administration around here is allowing the ToS to be enforced only when they feel like it? The hate art that Allan found that started the whole DMCA drama is against the AUP's Harassment section but it was allowed to stay out of what can only be assumed as spite. This is completely unacceptable behavior.


----------



## Gavrill (Oct 27, 2010)

Was the staff aware of his age before he turned 13?


----------



## ElizabethAlexandraMary (Oct 27, 2010)

Accountability said:


> Since the forum moderators around here seem to think that closing a thread without waiting for an administrator to answer it is acceptable behavior, I guess I'll just ask again here.
> 
> Why was a 12-year-old allowed to have a FA account for 9 months before he turned 13?
> Why do I get the feeling that, since said user is the host of a forum that has been described on other sites as "Dragoneer's Personal Army" that the administration here turned a blind eye to an offense that the TOS says shall be dealt with by having the account "closed without warning, and the user will be responsible to provide verification that they are of sufficient legal age to continue use of the site"?
> Why does it seem like the administration around here is allowing the ToS to be enforced only when they feel like it? The hate art that Allan found that started the whole DMCA drama is against the AUP's Harassment section but it was allowed to stay out of what can only be assumed as spite. This is completely unacceptable behavior.


*looks at thread*
"I'm also Watch Your Step's Tech Admin."
Oh.

But yeah, mods locking administrative issues related threads with "lol f u" replies are a major pain, half of the time you can't tell what's wrong with the whole ordeal, and feel like they've gotten their shit wrong because they're too lazy to bother typing out actual responses and end up making a cloudy, unclear mess of it. And then, more ranting threads and drama. Derp.



Molly said:


> Was the staff aware of his age before he turned 13?


 In all honesty, I think the staff would even prefer masturbating to pictures of gay furry porn than looking through every single user's profile/journal for hints that someone is underage.
So yeah, my theory is it was probably an overlook.


----------



## Aden (Oct 27, 2010)

Accountability said:


> Why was a 12-year-old allowed to have a FA account for 9 months before he turned 13?


 
Becauuuse he probably lied about or didn't disclose his age? :V


----------



## Gavrill (Oct 28, 2010)

FrancisBlack said:


> So yeah, my theory is it was probably an overlook.





Aden said:


> Becauuuse he probably lied about or didn't disclose his age? :V


 
A little from column A, a little from column B, I'm guessing.


----------



## Pi (Oct 28, 2010)

Neither Dragoneer nor SilverAutomatic were aware that Henri was in 8th grade, even though his Twitter account has had it in the bio for God knows how long.

Dragoneer _thought_ he was 14. Turns out he just turned 13.



			
				mursadramon said:
			
		

> I had no idea that he was, in fact, 12 years old. I only found out. We had thought the dude was 14. I looked into that.
> 
> And no, I will not take action against HenriW. Normally, in a situation like this, I would ban the individual until they were 13. However, given HenriW has been helping and assisting FA in a matter of ways, I think a warning to abide by the site rules and policies will suffice.



Yep.


----------



## Gavrill (Oct 28, 2010)

Can you still register an account if you tell the truth about your age and you happen to be 12? Just wondering. I mean the old registration, not the new one.


----------



## Accountability (Oct 28, 2010)

> And no, I will not take action against HenriW. Normally, in a situation like this, I would ban the individual until they were 13. However, given HenriW has been helping and assisting FA in a matter of ways, I think a warning to abide by the site rules and policies will suffice.



You have got to be kidding me.

What makes this kid so special? What has he done? Installed MyBB? I've done that too, _multiple times._ And I didn't even use some confusing domain name like "wys.mirror.henriwatson.com/forums".
What makes him better than the other people mentioned in this thread?
What makes him more "trustworthy" over the other people mentioned in this thread? I mean really, I never heard of this kid before this all came up. At least I remember Eevee from when he was in charge of Ferrox.


----------



## Aden (Oct 28, 2010)

Accountability said:


> You have got to be kidding me.
> 
> What makes this kid so special? What has he done? Installed MyBB? I've done that too, _multiple times._ And I didn't even use some confusing domain name like "wys.mirror.henriwatson.com/forums".
> What makes him better than the other people mentioned in this thread?
> What makes him more "trustworthy" over the other people mentioned in this thread? I mean really, I never heard of this kid before this all came up. At least I remember Eevee from when he was in charge of Ferrox.


 
oy
so what do you want them to do, ban the kid now that he's 13?


----------



## ElizabethAlexandraMary (Oct 28, 2010)

Aden said:


> oy
> so what do you want them to do, ban the kid now that he's 13?


 
hey man we're sorry but you need to be 13 more often
see you in a dozen more years


----------



## Pi (Oct 28, 2010)

Aden said:


> oy
> so what do you want them to do, ban the kid now that he's 13?


 
I just want to know why he's apparently willing to play ball with a 12-year-old telling him about his security vulnerabilities, when I was busy doing that back when Henri was still being taught his times tables. Not that Henri's apparently private disclosure had any overall effect, because the only time things get fixed around here is when people are loudly and publicly shamed.

Also, it's kind of shocking that in Dragoneer's oh-so-thorough checking out of HenriW that he never once asked "hey kid i've got some legal things that i have to be sure of just to cover my ass; are you over 13". So, either Dragoneer knew that he was dealing with a kid and didn't say anything (in which case he is malicious) or he is incompetent and shouldn't be trusted. And since it's an open secret that AUP enforcement is inversely proportional to how willing you are to stroke Dragoneer's, uh, ego...


----------



## Verin Asper (Oct 28, 2010)

Pi said:


> I just want to know why he's apparently willing to play ball with a 12-year-old telling him about his security vulnerabilities, when I was busy doing that back when Henri was still being taught his times tables. Not that Henri's apparently private disclosure had any overall effect, because the only time things get fixed around here is when people are loudly and publicly shamed.
> 
> Also, it's kind of shocking that in Dragoneer's oh-so-thorough checking out of HenriW that he never once asked "hey kid i've got some legal things that i have to be sure of just to cover my ass; are you over 13". So, either Dragoneer knew that he was dealing with a kid and didn't say anything (in which case he is malicious) or he is incompetent and shouldn't be trusted. And since it's an open secret that AUP enforcement is inversely proportional to how willing you are to stroke Dragoneer's, uh, ego...


 Remember kids: "Anything involving FA also involves Stroking neer's...um...ego"


----------



## Rossyfox (Oct 28, 2010)

Time for Dragoneer to sell the site


----------



## Smelge (Oct 28, 2010)

Rossyfox said:


> Time for Dragoneer to sell the site


 
Start saving then. www.dnScoop.com values FA at $210,800.


----------



## Rossyfox (Oct 28, 2010)

Smelge said:


> Start saving then. www.dnScoop.com values FA at $210,800.


 
I don't want him to sell it to me.

Anyway I don't know which is worse, the leaking info to WYS or covering for WYS.


----------



## Accountability (Oct 28, 2010)

Aden said:


> oy
> so what do you want them to do, ban the kid now that he's 13?


 
You're telling me they can't ban Henri for a few days like they do to everyone else who breaks the ToS around here? I've heard of people getting banned 7 _*months*_ after something happens and the admins finally stumble upon it.

When he signed up for the site, he broke the rules. Therefore he should be punished as such, and should need to prove that he is now 13 (because really, we have no proof other than his word right now. For all we know, he's lying about being 13).

So yeah. I do. That's how you fairly enforce site rules.


----------



## Aden (Oct 28, 2010)

Accountability said:


> You're telling me they can't ban Henri for a few days like they do to everyone else who breaks the ToS around here? I've heard of people getting banned 7 _*months*_ after something happens and the admins finally stumble upon it.
> 
> When he signed up for the site, he broke the rules. Therefore he should be punished as such, and should need to prove that he is now 13 (because really, we have no proof other than his word right now. For all we know, he's lying about being 13).
> 
> So yeah. I do. That's how you fairly enforce site rules.


 
Okay, so what should be the duration of the ban? Just a few days to kick him around a bit?


----------



## Kihari (Oct 28, 2010)

Clearly the TOS needs statutes of limitations. =V


----------



## Gavrill (Oct 29, 2010)

I'm pretty sure _every_ violation of the ToS is reviewed on the case-to-case basis. Certain forms of harassment are permitted, others are not. It depends on the situation. (As an example.)

Not to mention the PG-13 site thing, well. At the age of 12, those of us with the internet at that time lied our asses off about our age. And it appears as if he didn't even lie, it seems like nobody asked. (Correct me if I'm wrong on this.)

I'm not attempting to whiteknight (sorry if it seems that way). I'm just saying, most of the other "rules" are incredibly flexible, so why shouldn't this one be?


----------



## Pi (Oct 29, 2010)

Liar said:


> I'm pretty sure _every_ violation of the ToS is reviewed on the case-to-case basis. Certain forms of harassment are permitted, others are not. It depends on the situation. (As an example.)


I dunno, it's pretty clear on this. The site is not intended for use by 12-year-olds. There doesn't appear to be much room for "it's okay if you're reporting bugs to Dragoneer". There also isn't room for saying "Yeah, Dragoneer can override COPPA because it's a private site".



Liar said:


> Not to mention the PG-13 site thing, well. At the age of 12, those of us with the internet at that time lied our asses off about our age. And it appears as if he didn't even lie, it seems like nobody asked. (Correct me if I'm wrong on this.)



I'll admit that it's my speculation as to how Dragoneer arrived at the conclusion of HenriW being 14. But the words from the horse's mouth are "I thought", not "He told me", so yeah, it looks like nobody asked.

Which is weird, when the kid says "i'm an 8th grader from the dominican republic" on his twitter account. That would immediately raise the question of "just how fucking old is this kid", in my mind.



Liar said:


> I'm just saying, most of the other "rules" are incredibly flexible, so why shouldn't this one be?


That's exactly what we're bitching about here. The rules aren't applied in any reliable, consistent fashion. Instead, by all outward appearances, you can violate the rules with impunity if you suck up to Dragoneer. The most you'll get is a slap on the wrist, and _maybe_ only if someone points it out.

The _entire point_ of this thread is that we have no reason to trust anything anyone involved with FA says, ever. Dragoneer has shown that he's either malicious or incompetent. Slacktivist calls this "Reagan's Bind". Either way, he's untrustworthy and should be replaced with someone who isn't malicious or incompetent.


----------



## Verin Asper (Oct 29, 2010)

Pi said:


> The _entire point_ of this thread is that we have no reason to trust anything anyone involved with FA says, ever. Dragoneer has shown that he's either malicious or incompetent. Slacktivist calls this "Reagan's Bind". Either way, he's untrustworthy and should be replaced with someone who isn't malicious or incompetent.


 Like Varka...wait they have e621, why would they want FA


----------



## ElizabethAlexandraMary (Oct 29, 2010)

Yes, Dragoneer should be replaced. He should find a replacement, then fire himself.


----------



## Verin Asper (Oct 29, 2010)

ElizabethAlexandraMary said:


> Yes, Dragoneer should be replaced. He should find a replacement, then fire himself.


 or maybe pull a Bill Gates
Say you won't be the Owner of FA but remain as an admin while someone else be the owner to take all the blame instead


----------



## STK (Oct 29, 2010)

Holy shit, you guys are acting like Dragoneer and all the other admins are some kind of omnipotent Gods. It's fucking ridiculous. You honestly think that Dragoneer has the time to go around doing background checks on everyone who notes him about this or that? No. Could *you* do it? Hell no. Please shut the fuck up already. I seriously doubt anyone could do that. Everyone fucks up or misses something every once in a while. Nobody is fucking perfect, so stop acting like anybody who replaces Dragoneer would be any _"better"_.


----------



## Verin Asper (Oct 29, 2010)

STK said:


> Holy shit, you guys are acting like Dragoneer and all the other admins are some kind of omnipotent Gods. It's fucking ridiculous. You honestly think that Dragoneer has the time to go around doing background checks on everyone who notes him about this or that? No. Could *you* do it? Hell no. Please shut the fuck up already. I seriously doubt anyone could do that. Everyone fucks up or misses something every once in a while. Nobody is fucking perfect, so stop acting like anybody who replaces Dragoneer would be any _"better"_.


 but you do have background checks on those who be helping ya :V


----------



## STK (Oct 29, 2010)

Crysix Fousen said:


> but you do have background checks on those who be helping ya :V


 Actually, Dragoneer doesn't have to do anything of the sort. Henri wasn't given any sort of status for what he did. He was "just another user" who decided he wanted to help with pointing out some flaws within the system without taking advantage of them. It would have been different if he had been appointed to the FA team, then Dragoneer would have been forced to do it.


----------



## Pi (Oct 29, 2010)

STK said:


> Holy shit, you guys are acting like Dragoneer and all the other admins are some kind of omnipotent


No. In fact, I'm acting like Dragoneer et al do not enforce the rules in a consistent and accountable manner.

Eevee? Still banned. A kid who just turned 13? No action taken. Something is a little wrong here.

The core issue here: The parties responsible for the site are silent on major issues, and enforce their own rules inconsistently and in a fashion that has all of the outward appearances of favoritism.

You're probably OK with that, though.



			
STK said:
			
		

> Actually, Dragoneer doesn't have to do anything of the sort.


I'm glad you speak for Dragoneer, since he apparently cannot speak for himself on this issue!


			
STK said:
			
		

> Henri wasn't given any sort of status for what he did.


And? What does this have to do with anything?


			
STK said:
			
		

> He was "just another user" who decided he wanted to help with pointing out some flaws within the system without taking advantage of them.


Did you somehow miss the part where people who are "just other users" have been pointing out "some flaws" (major ones) within the system for a few _years_? Yak's response to this most recent pointing-out-of-flaws was "yeah, i know it's broken and i don't care".


			
STK said:
			
		

> It would have been different if he had been appointed to the FA team, then Dragoneer would have been forced to do it.


Again, it's amusing that you believe that you are so well-informed about what Dragoneer is and is not forced to do.

I'd rather see him forced to be held accountable to his actions in at least the most fucking cursory way, but I'm not going around stating absolutely that he must.


----------



## Verin Asper (Oct 29, 2010)

STK said:


> Actually, Dragoneer doesn't have to do anything of the sort. Henri wasn't given any sort of status for what he did. He was "just another user" who decided he wanted to help with pointing out some flaws within the system without taking advantage of them. It would have been different if he had been appointed to the FA team, then Dragoneer would have been forced to do it.


 oh no but it is an example of how the admins of this site work.
"Do something nice, you get a pass". Now tell me if that user didn't help would he have gotten the suspension? (I would believe they would just get suspended instead of banned)


----------



## Accountability (Oct 29, 2010)

Crysix Fousen said:


> oh no but it is an example of how the admins of this site work.
> "Do something nice, you get a pass". Now tell me if that user didn't help would he have gotten the suspension? (I would believe they would just get suspended instead of banned)


 
This. This is just one of the many, many issues this site has. The Administration quite clearly bends over backwards for "popular" artists, willing to bend the rules to keep them around. Remember when Zaush/Adam Wan replaced everything he uploaded with a black square? If anyone else did that, their gallery would have been deleted and they likely would have been banned or suspended. Wouldn't want to piss off the guy responsible for the new site UI. 

That's not right. That's not acceptable. Yet it was allowed to happen despite it being against the ToS. To use legal terms, this should have set precedent that would make it OK for _anyone_ to do this. And we all know what would happen if any plebeian around here tried to pull something like that.

Any competent site administrator would be active in this thread, attempting to communicate with "the community" as to how they can do their job better, answering the many allegations brought forward in this thread, and, for fuck's sake, at least *pretending* to care. This hasn't happened. Dragoneer is far too busy with things like writing lengthy posts on Watch Your Step or Twitter or vidya games. Guess that shows you where his true priorities lie.


----------



## ElizabethAlexandraMary (Oct 29, 2010)

STK said:


> Holy shit, you guys are acting like Dragoneer and all the other admins are some kind of omnipotent Gods. It's fucking ridiculous. You honestly think that Dragoneer has the time to go around doing background checks on everyone who notes him about this or that? No. Could *you* do it? Hell no. Please shut the fuck up already. I seriously doubt anyone could do that. Everyone fucks up or misses something every once in a while. Nobody is fucking perfect, so stop acting like anybody who replaces Dragoneer would be any _"better"_.


 This is at the same time technically right and so wrong.


----------



## Gavrill (Oct 30, 2010)

Pi said:


> I dunno, it's pretty clear on this. The site is not intended for use by 12-year-olds. There doesn't appear to be much room for "it's okay if you're reporting bugs to Dragoneer". There also isn't room for saying "Yeah, Dragoneer can override COPPA because it's a private site".


I wasn't aware of COPPA until you pointed it out. So yes, it appears this kid did indeed break a serious rule. The only problem is that he's 13 now, so there's really no reason to punish him. 
That's how I feel about most situations in cases of people lying about their age, though. Once they turn that age, they should be allowed on that site. However, at the same time, the ones who do actually _lie_ about their ages deserve some sort of punishment, something like a temp ban. However, it appears as if Henri didn't go out of his way to lie about his age (although clarification on that would be ideal).



> I'll admit that it's my speculation as to how Dragoneer arrived at the conclusion of HenriW being 14. But the words from the horse's mouth are "I thought", not "He told me", so yeah, it looks like nobody asked.
> 
> Which is weird, when the kid says "i'm an 8th grader from the dominican republic" on his twitter account. That would immediately raise the question of "just how fucking old is this kid", in my mind.


Dragoneer is following over 2k people on Twitter, so he probably doesn't look through profiles regularly. Any idea what Henri's FA profile listed at the time?




> That's exactly what we're bitching about here. The rules aren't applied in any reliable, consistent fashion. Instead, by all outward appearances, you can violate the rules with impunity if you suck up to Dragoneer. The most you'll get is a slap on the wrist, and _maybe_ only if someone points it out.
> 
> The _entire point_ of this thread is that we have no reason to trust anything anyone involved with FA says, ever. Dragoneer has shown that he's either malicious or incompetent. Slacktivist calls this "Reagan's Bind". Either way, he's untrustworthy and should be replaced with someone who isn't malicious or incompetent.


 
I admit, I would love for the mods/admins to be more consistent with the rules. There seems to be a huge issue with that. Plus I'm pretty sure that if I were an admin (especially a site owner) I would probably let off people who help the site out too, especially if they don't _act_ 12. On another note, Henri may have been unaware of the ToS before joining as well. I don't know any 12 year old that's aware of COPPA, especially so since he lives in a different country.


----------



## Rossyfox (Oct 30, 2010)

STK said:


> Holy shit, you guys are acting like Dragoneer and all the other admins are some kind of omnipotent Gods. It's fucking ridiculous. You honestly think that Dragoneer has the time to go around doing background checks on everyone who notes him about this or that? No. Could *you* do it? Hell no. Please shut the fuck up already. I seriously doubt anyone could do that. Everyone fucks up or misses something every once in a while. Nobody is fucking perfect, so stop acting like anybody who replaces Dragoneer would be any _"better"_.


 
I used to stand up for Dragoneer when he wouldn't do it properly himself, then I got tired of it.

Personally I think he needs to go ASAP, I don't care which issue it is that forces him out.


----------



## Firehazard (Oct 31, 2010)

Pi said:


> I'm glad you speak for Dragoneer, since he apparently cannot speak for himself on this issue!


 
Translation: "The only people who are allowed to say anything in this thread are people who agree with me about Dragoneer, and Dragoneer himself."



Pi said:


> I'd rather see him forced to be held accountable to his actions in at least the most fucking cursory way, but I'm not going around stating absolutely that he must.



The only people he can be "forced to be held accountable" to in a case like this are the popo. Is that what you want? You want him to be carted off to the slammer and forced to shut down FA or hand it over to someone else? Granted, that _is_ what it will take to get him to not be running it anymore. Let's not kid ourselves here. Leaders don't just suddenly decide "Hey, I'm running this site/company/country into the ground; I'd better quit before I do any more damage" and resign. Not the good ones, and especially not the bad ones.


----------



## Accountability (Nov 1, 2010)

Firehazard said:


> The only people he can be "forced to be held accountable" to in a case like this are the popo.


That's the problem here.



> Is that what you want? You want him to be carted off to the slammer and forced to shut down FA or hand it over to someone else? Granted, that _is_ what it will take to get him to not be running it anymore.


As long as someone was paying the bills, he could still legally own and run FA even in jail. Just sayin'.



> Let's not kid ourselves here. Leaders don't just suddenly decide "Hey, I'm running this site/company/country into the ground; I'd better quit before I do any more damage" and resign. Not the good ones, and especially not the bad ones.


But leaders that run companies into the ground often get shoved out by the board or investors. Just recently the Tribune Company showed its CEO the door because he was doing just that. Leaders of countries don't get re-elected, or they could get impeached, or they could get overthrown when the citizens under them revolt. Both instances here have leaders that have to be held accountable or they get forced out. That's the problem here, no one is holding FA accountable, and the administration doesn't think they should be. That's a recipe for disaster.


----------



## GingerM (Nov 1, 2010)

Accountability said:


> But leaders that run companies into the ground often get shoved out by the board or investors. Just recently the Tribune Company showed its CEO the door because he was doing just that. Leaders of countries don't get re-elected, or they could get impeached, or they could get overthrown when the citizens under them revolt. Both instances here have leaders that have to be held accountable or they get forced out. That's the problem here, no one is holding FA accountable, and the administration doesn't think they should be. That's a recipe for disaster.


 
But none of us have a vested right in FA. We're not shareholders and FA is not a company, nor is FA a nation and us its citizens. FA is *Dragoneer*'s privately-owned website, and he lets the rest of us hang out here for exactly as long as he wants to. The only obligation I can think of is between *Dragoneer* and whomever supplies his hosting/server - or does he own that outright as well? I don't happen to know. However, even those of us who donate have not purchased any kind of interest or rights in FA. So while we might like him to explain himself, he is not accountable to anyone here, not even the admins and mods. In the end, if enough people feel strongly about it, they can send him a message by voting with their feet.


----------



## Accountability (Nov 1, 2010)

GingerM said:


> But none of us have a vested right in FA. We're not shareholders and FA is not a company, nor is FA a nation and us its citizens. FA is *Dragoneer*'s privately-owned website, and he lets the rest of us hang out here for exactly as long as he wants to. The only obligation I can think of is between *Dragoneer* and whomever supplies his hosting/server - or does he own that outright as well? I don't happen to know. However, even those of us who donate have not purchased any kind of interest or rights in FA. So while we might like him to explain himself, he is not accountable to anyone here, not even the admins and mods. In the end, if enough people feel strongly about it, they can send him a message by voting with their feet.



Yes. I realize that. My main point was at the end of my post. His lack of accountability will ultimately be the downfall of the site, since FurAffinity doesn't even seem to hold itself accountable to the people who _donate or buy ads to keep the site afloat_ (aka the "community" Dragoneer loves to talk about how much he cares for).

I'm not here to be another one of the people shouting that Dragoneer needs to go. That's been done before, and it's a stupid thing to do. I am here, though, to try to get answers out of him. He often claims that he cares a lot about the "community" that uses FA, but right now I'm not seeing it because he has yet to reply to anything brought up in this thread since he accidentally deleted it.

And it's been nearly two weeks.


----------



## Gavrill (Nov 1, 2010)

Now that you mention it, despite that I'm on around the same time 'Neer is on the forums, he hasn't been on in a _long_ time. Or if he has been on, it's never on a major thread.


----------



## GingerM (Nov 1, 2010)

Dragoneer will account for himself if and when he feels like it, and no amount of shouting by the populace will move him to speak sooner. Again, those who donate do not have any kind of claim on him. I had forgotten about the ads, and I don't know the terms of the agreement for running ads. However, I suspect it will be something like "for xx dollars per month, I guarantee that your ad will be displayed yy number of times for zz seconds/minutes/hours" Or however it's worded. If he fails to provide that, then the advertisers might have some kind of recourse. But as to how he chooses to set the rules here? Pfui. If advertisers don't like the site rules, they can take their advertising elsewhere. They certainly don't get to demand that Dragoneer account to them for what rules he chooses to put in place.


----------



## Heimdal (Nov 1, 2010)

GingerM said:


> Dragoneer will account for himself if and when he feels like it, and no amount of shouting by the populace will move him to speak sooner. ... They certainly don't get to demand that Dragoneer account to them for what rules he chooses to put in place.


 It annoys me to see the numerous posts about how Dragoneer has no obligation to accountability. It's annoying because it's a moronically self-fulfilling prophecy. This site is dead without community... you are part of the community. It's simple. Now I know it seems hard to try and enforce accountability in this scenario, but that's just laziness and cowardice.

I know that he isn't omniscient, and he has a life that limits his time, but these justify nothing at all. A failure is a failure _because_ one lacks the capacity to do what is required.


----------



## Accountability (Nov 1, 2010)

GingerM said:


> Dragoneer will account for himself if and when he feels like it, and no amount of shouting by the populace will move him to speak sooner. Again, those who donate do not have any kind of claim on him. I had forgotten about the ads, and I don't know the terms of the agreement for running ads. However, I suspect it will be something like "for xx dollars per month, I guarantee that your ad will be displayed yy number of times for zz seconds/minutes/hours" Or however it's worded. If he fails to provide that, then the advertisers might have some kind of recourse. But as to how he chooses to set the rules here? Pfui. If advertisers don't like the site rules, they can take their advertising elsewhere. They certainly don't get to demand that Dragoneer account to them for what rules he chooses to put in place.


 
No! That's the problem! Dragoneer obviously WON'T account for himself without provoking. Your post is exactly why, too! People don't think they have a right to demand this! Guess what, *you do*! *Users* make the site. *Users* donate money and equipment. Maybe I'm sitting on a couple great, barely used servers here. Would I donate them to FA right now? No. Why? Because the administration refuses to be held accountable to their users. They don't answer to concerns. They don't acknowledge problems. They just put on their rose colored glasses and think that if they ignore everything bad, it will go away. And people around here think that's A-OK.

That's the wrong way to run a website. No matter if the site is making money from ads or donations, or it's owned by a 13-year-old kid or a Fortune 500 company. It's wrong. For god's sake, 4chan and Encyclopedia Dramatica run with more transparency and with administrators who are held accountable. Encyclopedia Dramatica actually *dismisses staff* that are controversial or abuse their powers!


----------



## GingerM (Nov 1, 2010)

Heimdal said:


> It annoys me to see the numerous posts about how Dragoneer has no obligation to accountability. It's annoying because it's a moronically self-fulfilling prophecy. This site is dead without community... you are part of the community. It's simple. Now I know it seems hard to try and enforce accountability in this scenario, but that's just laziness and cowardice.
> 
> I know that he isn't omniscient, and he has a life that limits his time, but these justify nothing at all. A failure is a failure _because_ one lacks the capacity to do what is required.





Accountability said:


> No! That's the problem! Dragoneer obviously WON'T account for himself without provoking. Your post is exactly why, too! People don't think they have a right to demand this! Guess what, *you do*! *Users* make the site. *Users* donate money and equipment. Maybe I'm sitting on a couple great, barely used servers here. Would I donate them to FA right now? No. Why? Because the administration refuses to be held accountable to their users. They don't answer to concerns. They don't acknowledge problems. They just put on their rose colored glasses and think that if they ignore everything bad, it will go away. And people around here think that's A-OK.
> 
> That's the wrong way to run a website. No matter if the site is making money from ads or donations, or it's owned by a 13-year-old kid or a Fortune 500 company. It's wrong. For god's sake, 4chan and Encyclopedia Dramatica run with more transparency and with administrators who are held accountable. Encyclopedia Dramatica actually *dismisses staff* that are controversial or abuse their powers!


 
Explain to me exactly *how* I have a *right* to *demand* that Dragoneer account to me or any other member of FA and FAF? What part of "private website" is unclear? Yes, users make the site; we post art, we donate money. I'm not one of the admins, or a mod, and I have some issues with some things here - some of the AUP, for instance. I've asked for clarification. I haven't got it yet, and I do plan to poke people in the side. But - and this is the key thing - *I cannot insist that Dragoneer or the staff address my concerns*. I have no contract of any kind with Dragoneer or anyone else here. The TOS does not oblige Dragoneer to do anything (other than, presumably, to provide the website, and that simply because TOS without a website is rather pointless).

You say (as an example; I'm not saying you really do) you have a couple of servers you might have donated? Fine! They would be your servers and whether you chose to donate them or not would be your business. Dragoneer certainly could not demand that you donate them, and if you should do so, then you could certainly require Dragoneer to account to you as part of the deal - and if he should not want to do that, he could refuse the donation. Only if he accepted with that condition and then reneged would you have any kind of standing to *demand* an accounting from him. So far as I know - and I admit I haven't read the TOS closely on this point - cash donations to FA are accepted without any stated or implied obligation by FA in return. You might prefer that there should be such an implication, but you can't insist that what you want you have a right to. Show me where Dragoneer has stated anything that even remotely looks like some kind of obligation to the users on FA; I'm willing to bet a wooden nickel he hasn't.

Encyclopaedia Dramatica dismisses staff that are controversial or abuse their powers? Fine! That's the decision of the person or people who own the site. Not mine, not yours (unless you happen to be one of the ED owners? I don't know). Maybe ED will outlast FA; maybe FA will outlast ED. How FA is run may be wrong by your lights, but that doesn't mean you or I or anyone else here has a right to insist Dragoneer run it differently. He owns it. If enough FA/FAF users get pissed off with Dragoneer, then FA may fail. I don't know Dragoneer; I don't know his resources. It's entirely possible that, even if all ad revenue and donations dried up, he is capable of paying for FA entirely out of his own pocket. In which case, all we have a *right* to do is take down our art and go elsewhere if we find the situation intolerable.

People are annoyed to see posts about how Dragoneer has no obligation to the community? I'm getting bloody annoyed to see all the posts going on about what various individuals want, and thinking that because they want it, they have a right to it. No. Want != have a right to, and it's time people realized that. The Internet entitlement culture is getting out of hand.


----------



## Kayla-La (Nov 1, 2010)

I don't think anyone's trying to say Dragoneer is literally obligated to do anything. It IS his website, and he can do whatever he wants.

It's more of a 'He would probably get less shit if he stopped/started doing this and this and this', and the fact that those suggestions are always brushed off with 'HE CAN DO WHAT HE WANTS SHUT UP' thing. As the owner, people will be judging him by what he does, and there's no getting away from that, and it's naive to try to pretend nobody will or should. Nothing is going to improve if he/the staff just ignores what users have to say half the time on the basis of 'I don't HAVE to listen to you!!'. Now if they want to say 'We don't care about improving', then that's their business, I guess. But then you end up with unhappy users. So I guess it comes down to how much they care about unhappy users.

Point being, I don't think anyone's trying to argue he's somehow obligated by law or something to listen. Just that it might be a good idea to hear people out and actually consider it sometimes.


----------



## Witchiebunny (Nov 1, 2010)

This is also something of a double edged sword, though, as I found out this weekend. 

With the Drages issue I had, when I saw that there were legit concerns in the journal left behind, I went in and wrote a very lengthy post before bed and addressed the points I could, and explained *why* what happened happened. 

Follow up questions were asked, and I answered. And instead of being seen as transparent, I was told I was spending too much time trying to "validate my actions" and "caring what others thought" instead of going out there and doing the work of an administrator and removing violations (which, ironically enough, I was doing during those conversations-Trouble Tickets are wonderful things.) 

So there are those, as well, who may in fact see what is a genuine attempt at transparency and accountability and twist it into "just creating drama/too concerned with drama" or "looking to validate ones actions". And when you're trying to be genuine and people are throwing it back in your face in such a manner, it begins to become less worth it to explain what you're doing to those with concerns and instead just continue doing what you're doing.


----------



## Heimdal (Nov 1, 2010)

GingerM said:


> People are annoyed to see posts about how Dragoneer has no obligation to the community? I'm getting bloody annoyed to see all the posts going on about what various individuals want, and thinking that because they want it, they have a right to it. No. Want != have a right to, and it's time people realized that. The Internet entitlement culture is getting out of hand.


 
It's a community site. What we want _is_ what we have a right to. He may not be legally obligated to fulfill that right, but a community website has to answer to its community or it will die.

Let's look at this from another angle. Are people not allowed to criticize things they don't like? Can we not insist answers to concerns simply because the ToS doesn't say they need to? Do we hold ourselves accountable simply because the person who made the decisions decides he doesn't want to take responsibility? Should it matter that he has no official obligation in this regard.. are we obligated to accept that?

Stop giving them excuses.


----------



## medjai (Nov 1, 2010)

Witchiebunny said:


> <justifications>.


 
See, thing is, people hate being wrong, and I'm sure you do as much as anyone else. Problem is, even when you're right, which in that case you were, it isn't seen that way. If people can point fingers and avoid responsibility for their mistakes, all the while playing the victim card, then you can rest assured they'll take that avenue. Which is unfortunate for the staff, who put a lot of time into these things and shouldn't have to deal with these childish responses, but there it is.


----------



## Witchiebunny (Nov 1, 2010)

I agree, and I realize that that's what's going on. But being noted about how I "killed someone as an artist" because I removed their violations, or being told that I'm a terrible person, or being called a lesbian (lol wat??) and verbally spat on because I'm trying to hold myself accountable to the mob is more unfulfilling than my job normally is, especially since I'm actually going above and beyond my job description to BE transparent.


----------



## medjai (Nov 1, 2010)

Witchiebunny said:


> I agree, and I realize that that's what's going on. But being noted about how I "killed someone as an artist" because I removed their violations, or being told that I'm a terrible person, or being called a lesbian (lol wat??) and verbally spat on because I'm trying to hold myself accountable to the mob is more unfulfilling than my job normally is, especially since I'm actually going above and beyond my job description to BE transparent.


 
And getting bashed for it. I've been there before, and there's a reason I no longer staff online. It's fun for a while, but all the complaining just takes away the satisfaction after a while, and makes you really bitter and distant. For the record, don't do that. It's not fun.

And lesbian? How'd they try to spin that one?


----------



## Witchiebunny (Nov 1, 2010)

Told one of the staff who was backing me up that he "won" and "got the girl", implying that was the only reason he was backing me up. Said staff member responded with "I'm gay."

Drages switched to "Oh, well then she MUST be a lesbian then."

...Really? Huh. I'm sure my ex-husband would be interested in learning that.


----------



## medjai (Nov 1, 2010)

Witchiebunny said:


> Told one of the staff who was backing me up that he "won" and "got the girl", implying that was the only reason he was backing me up. Said staff member responded with "I'm gay."
> 
> Drages switched to "Oh, well then she MUST be a lesbian then."
> 
> ...Really? Huh. I'm sure my ex-husband would be interested in learning that.


 
Wait, what? Oh the things you can hear sometimes. At least their creativity can, on occasion, be amusing.


----------



## GingerM (Nov 1, 2010)

Heimdal said:


> It's a community site. What we want _is_ what we have a right to. He may not be legally obligated to fulfill that right, but a community website has to answer to its community or it will die.



No, you don't have a right. If he's not "legally obligated", it's not a right, it's what you want. And FA is hardly the sole furry fandom website; there's any number of them out there, and none of them have to answer to "the community", because the community is much larger than any one website. And yes, it may die. Or not. 



Heimdal said:


> Let's look at this from another angle. Are people not allowed to criticize things they don't like? Can we not insist answers to concerns simply because the ToS doesn't say they need to? Do we hold ourselves accountable simply because the person who made the decisions decides he doesn't want to take responsibility? Should it matter that he has no official obligation in this regard.. are we obligated to accept that?



We have avenues to report issues and to discuss them, provided by Dragoneer. If we felt strongly enough about a topic, we could exchange IM ID or email addresses and discuss it there, and Dragoneer couldn't stop us. But in the end, he and the other staff don't have to act on it. And as Witchiebunny said above, when they do provide transparency, they get bitched out for causing/continuing drama. Let's not forget that the admins and mods are volunteers and are using their time to do this. Personally, after some of the crap I've seen directed at the admins and mods on the forums, if I were one - and the odds are very much against that ever happening - I'd have PM'd Dragoneer and said something along the lines of "I'm outta here; find someone else." I don't have the patience, nor the rhinoceros-like hide, to deal with that.

Personally I haven't had much occasion to complain to the staff. There's a point or two in the AUP that I wish they would explain more clearly, and I've been involved in discussions on that point, both in threads and in PMs. Do I think it's going to be clarified any time soon? Probably not. Am I happy about that? Not so much. Can I do anything else about it, other than walk away? No. I'm certainly not going to make a prat of myself by shouting from the rooftops that Dragoneer *has* to account to me, because he doesn't, and whether I like that or not is irrelevant to him.



Heimdal said:


> Stop giving them excuses.



There's a difference between making excuses and recognizing the reality of a situation. Stop crying for the moon; you're not going to get it.


----------



## Aden (Nov 1, 2010)

Witchiebunny said:


> ...Really? Huh. I'm sure my ex-husband would be interested in learning that.


 
maybe he is your ex because you discovered you were a lesbian
_we can't know_


----------



## Verin Asper (Nov 1, 2010)

Only thing I want is for them to sometimes explain their reasons for some things.
This site is itself somewhat incomplete in my eyes, and inconsistent in some things.

I mean really with a site of 400,000 users (I would say 400,000 accounts, as many users have duplicates with me having 5 with two that were closed/abandoned) we can all guess a good chunk of them hardly knows what's going on unless they have the watch the FA twitter, have Neer on their watch list, visit the front page to see the fender journals, or visit the forums.

The last part is something bad in a way as I stated in a journal "The Forums tend to control the main website on some issues"

Want to know why boob icons got to stay around, cause of folks who visited the forums decided to debate for it to stay and come up with new rulings on those kind of icons.


----------



## Witchiebunny (Nov 1, 2010)

Aden said:


> maybe he is your ex because you discovered you were a lesbian
> _we can't know_


 

Or I discovered he was gay. >.>

Crysix, if you want to discuss issues with me, feel free to note me.


----------



## Heimdal (Nov 2, 2010)

GingerM said:


> There's a difference between making excuses and recognizing the reality of a situation. Stop crying for the moon; you're not going to get it.



And the lesson of the day is: Never try.

No seriously, that's not actually how reality works. Sure you don't always get what you're after, but you will receive nothing if you want nothing. Action motivates change, it's pretty hard to argue against that. Eevee made Dragoneer accountable, and he got the change he was after; regardless of your opinion on his actions, it couldn't get truer than that.

I don't particularly have an issue with admins. I hate the "but they're doing it for free" excuse, because why not increase the number of admins to help them then? If it's so much trouble to handle, then someone should adjust things so they can get the job done. My concern seems to be more focused on Dragoneer. If I was him, I would form a board or committee and spread the power between them equally so there is no one person heading the website, and subsequently leads any blame and criticism to fall onto no one person (who can never seem to handle it w/o tons of excuses as it is now.) There would be an accountability system that ultimately makes them answer to the community in some way, and when one cannot get the job done they can be replaced by someone who can. Give _more_ people _less_ work. I would also do a shit-ton of business-model research into how this could work most efficiently. But I'm not him, so bummer.

I'm sorry that the admins find themselves unfulfilled with their volunteer work on FA. Why does the fault lay with the community rather than with the people/person with appropriate power to do something about it?


----------



## Summercat (Nov 2, 2010)

Heimdal said:


> I'm sorry that the admins find themselves unfulfilled with their volunteer work on FA. Why does the fault lay with the community rather than with the people/person with appropriate power to do something about it?


 
Look at the 'powers of GOD' thread for why the opinions and feelings of mods might sour over time.


----------



## Accountability (Nov 2, 2010)

Summercat said:


> Look at the 'powers of GOD' thread for why the opinions and feelings of mods might sour over time.


 
Honestly that type of attitude (and please note I'm not directing this to you, but to the staff in general) goes back to what I was saying in the old thread. If you don't feel like being here, you're doing more harm than good by sticking around just because you can.

The idea for a board or committee is a good idea. It works (mostly) for conventions, and I can only see it not working for FA if it was full of drama-causing people. With the right people (preferably not already staff members), it would work.


----------



## Verin Asper (Nov 2, 2010)

Witchiebunny said:


> Or I discovered he was gay. >.>
> 
> Crysix, if you want to discuss issues with me, feel free to note me.


 
You did already enough for getting me switched from being banned to Suspension
Right now I'm writing down a list of things for the suggestion area


----------



## Kayla-La (Nov 2, 2010)

Witchiebunny said:


> This is also something of a double edged sword, though, as I found out this weekend.
> 
> With the Drages issue I had, when I saw that there were legit concerns in the journal left behind, I went in and wrote a very lengthy post before bed and addressed the points I could, and explained *why* what happened happened.
> 
> ...



Certainly, but the appropriate reaction isn't to turn around and tell the community to F off (more or less). That kind of thing is why it takes a certain kind of person to be able to be an admin. If you have to consider between being at least somewhat transparent and doing work, well.. though I do want to say not EVERYTHING needs to be the user's business. But it shouldn't be the other extreme, either. It just makes you look untrustworthy when nobody ever shares anything.

You've gotta be able to let that kind of stuff roll off your back. I speak as someone who's received plenty of abuse over the years. I've been doing online customer service/volunteer type positions pretty much since I got here, like thirteen years ago. Eventually you start recognizing when people are complaining because they have a valid complaint, or when they're complaining because they got in trouble or just hate you for no reason other than you have a power they don't. You can't pay that any mind, or you're going to HATE your job.

TL;DR, some people are jerks, you can't let that direct how you treat the community as a whole.


----------



## Accountability (Nov 3, 2010)

So it's been nearly two weeks since this was re-posted, and in that time no real answers have been posted here. And it's not like Dragoneer is so busy he can't find the time, he favorited at least a dozen submissions on FA in the past 24 hours. IMO, dealing with site concerns > favoriting art.

He even posted a journal 50 minutes ago trying to encourage people to donate so they can get some image on their userpage. Why not encourage people to donate by proving you're deserving of their money to begin with?


----------



## redfoxnudetoons (Nov 3, 2010)

Accountability said:


> Why not encourage people to donate by proving you're deserving of their money to begin with?


 
I myself have stated this several times.


----------



## medjai (Nov 3, 2010)

Accountability said:


> So it's been nearly two weeks since this was re-posted, and in that time no real answers have been posted here. And it's not like Dragoneer is so busy he can't find the time, he favorited at least a dozen submissions on FA in the past 24 hours. IMO, dealing with site concerns > favoriting art.
> 
> And people are fine with that?


 
You need to understand something. How we feel about his lack of transparency and how he spends his time is not relevant. Sure you can rant and rave, but it solves nothing. This is a *private* site, and as such, nothing is required of Dragoneer relative to his policies and time management. Yeah, it may suck at times, but that is, quite simply, how it works. And the reality is, if he pisses off enough people, they'll leave, and this site will likely die. _But that is his call_, and no amount of complaining from you or your cohorts can change that. I'm sorry, but there is really nothing that can be changed until Dragoneer feels the need to account for himself by his own volition. End of story.

Though, I can't see that actually happening. In reality, there are not many people that care enough about the issues you're voicing to jump ship. You aren't going to change anything, you aren't going to change a significant number of minds, and you most certainly will not drag Dragoneer out of wherever he spends his time to talk to you. To be honest, well I don't entirely disagree with a lot of his actions or policies, I do find his lack of presence disconcerting. But nothing anyone here can do can ever change that.

Stop ruffling feathers and get used to it. Or leave. That is your choice, and the freedom of the Internet.


----------



## Asswings (Nov 3, 2010)

So which anti-hero are you trying to emulate, 'Accountability'? Batman?

Watching you post like you think you are god and the dark voice that fa needs is rather hilarious. Get off your high horse and go stroke your ego elsewhere, jesus christ. Maybe he hasn't responded because the kid is 13 and it no longer applies?


----------



## Willow (Nov 3, 2010)

This really seems like one of those arguments I'd rather not get into. Anyway though.  

I read the journal you're talking about, and after reading it, here's what I think. 

The money donated goes towards keeping the site running. They're not donating to get a little badge for their page, they're donating to support the site. Go google incentives. 
As for what 'Neer chooses to do with his time on FA, that's his own decision. Though, I don't see how he can't deal with site concerns and favorite art at the same time. It's not like favoriting art bars you from doing anything else productive.


----------



## medjai (Nov 3, 2010)

Willow said:


> This really seems like one of those arguments I'd rather not get into. Anyway though.
> 
> I read the journal you're talking about, and after reading it, here's what I think.
> 
> ...


 
Well, here's the thing. It's a donation to the site. There is no purchase of anything agreed upon. No membership, no implied say in the site, nothing. You are giving them money because you think they are doing a good thing and want to support it. That is it. So trying to claim the site 'owes' you for something you gave them is ludicrous. Nothing is owed at all, and saying something should be does not make it so. If you don't like the way the site is being run, or don't like the way it's being spent, or don't like the lack of transparency, or whatever else you may disagree with, simply don't donate. That's all there is to it.


----------



## Willow (Nov 3, 2010)

medjai said:


> Well, here's the thing. It's a donation to the site. There is no purchase of anything agreed upon. No membership, no implied say in the site, nothing. You are giving them money because you think they are doing a good thing and want to support it. That is it. So trying to claim the site 'owes' you for something you gave them is ludicrous. Nothing is owed at all, and saying something should be does not make it so. If you don't like the way the site is being run, or don't like the way it's being spent, or don't like the lack of transparency, or whatever else you may disagree with, simply don't donate. That's all there is to it.


 ..that's pretty much what I just said. :|

Seriously, go google incentives. It's just a little bribe to get more people to donate. Think of the badge as like a prize in cereal. The company doesn't owe you anything for buying the cereal, but the prize is just a little something to get you to buy the cereal. Get it now?


----------



## medjai (Nov 3, 2010)

Willow said:


> ..that's pretty much what I just said. :|
> 
> Seriously, go google incentives. It's just a little bribe to get more people to donate. Think of the badge as like a prize in cereal. The company doesn't owe you anything for buying the cereal, but the prize is just a little something to get you to buy the cereal. Get it now?


 
After rereading, it is. I may have misread what you said.


----------



## redfoxnudetoons (Nov 3, 2010)

medjai said:


> You need to understand something. How we feel about his lack of transparency and how he spends his time is not relevant. Sure you can rant and rave, but it solves nothing. This is a *private* site, and as such, nothing is required of Dragoneer relative to his policies and time management. Yeah, it may suck at times, but that is, quite simply, how it works. And the reality is, if he pisses off enough people, they'll leave, and this site will likely die. _But that is his call_, and no amount of complaining from you or your cohorts can change that. I'm sorry, but there is really nothing that can be changed until Dragoneer feels the need to account for himself by his own volition. End of story.


 
Normally, I would have to say that you are correct, but there's a small problem that you forgot about.

Asking for donations "to keep the site running" makes the website dependent on others. Accepting ad revenue requires people to want to advertise on this website. And not addressing complaints about staff and how they are running things (like 'Neer's failed attempts at sock-puppetry in the past,) tend to decrease the willingness to donate and/or buy ad space.

I have, for example had $200 that I was going to donate when there was need for new equipment to replace the broken stuff. But because of the attitudes and actions of key staff members, I withheld that donation.

So, though you do have a point, the moment you claim that "the site depends on donations" you better make yourself more accountable, or risk not getting those necessary donations. 

This is not to say that I agree with the actions of certain _users_, either. What Eevee did was inappropriate and could have been handled *much* more maturely. But the fact of the matter remains, that without accountability, you do risk losing donations/ad revenues.

I've been a part of FA as an active member since the beginning of 06, and I've been keeping tabs on the site when it first launched. I've seen a great deal of change on the site, mostly for the good. But I've noticed some things that, frankly, I find to be the cancer that will eventually kill FA. Having FA staff become more accountable for their actions can prevent donations drying up to nothing, ending up with the website closing due to ISF problems. I really don't like the thought of that, but if the problems keep up, more and more people will, as you suggest people unhappy with the problems to do, simply leave.



medjai said:


> simply don't donate. That's all there is to it.


 
That is not the solution to the longevity to the website. The "Don't like it? leave!" attitude can and *will* have a negative effect on funds for site operations.

Fur affinity may be a _private_ website, but it is *dependent* on its *users* for support.

And seeing as I've gone over this several times before, that is all I have to say on this topic.


----------



## medjai (Nov 3, 2010)

redfoxnudetoons said:


> Stuff


 
And you are absolutely correct. But the reality is there aren't enough of those that feel strongly enough to leave or withhold donations to take this site down. But even if there were, seeing as so much of the issues seem to be centred around the lead staff and their lack of communication with the member base, that is the decision they are making. They are keeping quiet at the risk that their silence may be returned with a ghost town. In the end, with this being a private site, they can make that call. They can take that risk. And the only power we have over them is our absence.

So we both have a choice. They can stay quiet and risk losing the community this site relies on to function, and we can choose to stay or leave based on our view of the management's actions. That's what it comes down to. There is no other real obligation required of either party in this instance.

They seem to have made their choice. What will yours be? What will the general community's be? Time will tell, but I wouldn't get your hopes up for serious change.


----------



## Carenath (Nov 3, 2010)

Watching this thread, right now, is like watching people beating a dead horse.

Closed.


----------

