# Topic Drift from TT - Exploits and Coding



## Armaetus (Feb 28, 2011)

I think the main problem why FA's code has been stagnant and decaying  (compared to Sofurry, Inkbunny and Furocity) is due to a lack of trust of outside help. Sometimes you have to do this after careful consideration with said person, you really should not remain xenophobic and allow bit and software rot on the current codebase (This is doing towards Dragoneer and Yak especially) but at least have some work done on it before actually moving on and getting an ACTUAL NEW CODEBASE up.

You had your chance(s?) with Eevee (and even Verix?) but you simply did not go forward because no one knew Python along with a bunch of other factors, yet you now sit on an obsolete codebase yet this so-called new UI you paid someone to make is not going to cover up the faults behind the shiny new look. It might look new but in actuality it hasn't changed much at all, the same as giving a rusty looking and deteriorating Ford Model T a shiny fiberglass exterior. It looks nice but the underlying problems are not changing.

You know if the current FA code was open source, outside help CAN be a big help on fixing all these (around 35) problems Eevee has posted on his journal, atop any minor flaws and glitches he does not know of. This could save you (Dragoneer) and Yak quite a bit of time if the community can take a look at the underlying code and even help with normal programmers, white and gray hats that exist in the fandom. Think about it, seriously (But I know you're not gonna care that much, that's my guess tho I harped you on Twitter over such issues).

Get with the times and stop pussyfooting around.


----------



## Accountability (Feb 28, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Summercat said:


> and getting three people I know on board to help out with coding crap and learning PHP myself so I can help reform the ticket system.


 
I don't know why everyone here is hellbent on doing certain things certain ways (The ONLY solution to needing a "knowledge base" is to buy a knowledge base script, the only way to fix trouble tickets is to do it ourselves) around here. There are plenty of ticketing system scripts available for free, and I have linked everyone a couple times to one of the most popular free (and open source) solutions. I set it up one night in about two hours, and that included installing the OS and setting up a VM (keep in mind that isn't even something I'm very good at, I have _months_ of Linux experience!). It can be easily integrated into FA, and with a little work it could easily support being able to click a "report" button and automatically including a link to the reported submission or even displaying the submission _right on the ticket_. All of the hard work is done, all you have to do is set up permissions and ticket formats and set it to use the FA user table for authentication. You could fix the tickets system in a _week_ instead of however long the self-coded solution takes...


----------



## Pi (Feb 28, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

No response, Summer?

Who are these 3 people you're going to have work on the site? Do _they_ have any clue? You're just starting out with programming, so you aren't qualified to judge.


----------



## Summercat (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Pi said:


> No response, Summer?
> 
> Who are these 3 people you're going to have work on the site? Do _they_ have any clue? You're just starting out with programming, so you aren't qualified to judge.


 

Two of them work for a living with PHP and site stuff, and the third is a middle-to-advanced coder who has already done some widgets for me, to assist with handling trouble tickets. All three are people I go to with coding issues and have been helping me learn PHP and Python.


----------



## MandertehPander (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

I, and 'Neer know ONE guy who could fix all your (FA's) problems. Very, Very easily.

:3c


----------



## Eevee (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Summercat said:


> Oh, and Eevee, if you are reading this, I'm still waiting for that list I asked for, of the security vulnerabilities you found and know of on FA.


As I told you, I have to _compile_ said list first.  I think I'm about done, save for hunting down any more low-picking fruit I've missed.


----------



## Armaetus (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



MandertehPander said:


> I, and 'Neer know ONE guy who could fix all your (FA's) problems. Very, Very easily.
> 
> :3c


 
Is that who I think it is?

@Summer: Check his Livejournal, they are all on there.


----------



## Eevee (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

No, he asked me to flesh it out into an explanation of the actual attacks and how to fix them.  (The first FA staff member to do so since October.)

Also I found a couple more in the meantime that I didn't bother adding to that list.


----------



## Redregon (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

... far be it from me to really say this, but i'm starting to really think that all this drama that's being stirred up is getting rather transparent. 

now, if said list of vulnerabilities is given, that would help your credibility but in all fairness, if i were in Dragoneer's shoes, you'd have to work damn hard to prove yourself trustworthy given what you have done in the past. (and i'll bet he has something similar boiling through his head too... he may not be the best site admin i've ever known of but he certainly isn't an idiot.)


----------



## Eevee (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Redregon said:


> ... far be it from me to really say this, but i'm starting to really think that all this drama that's being stirred up is getting rather transparent.


What "drama" who's stirring up?



Redregon said:


> now, if said list of vulnerabilities is given


I said in October that I'd provide details if someone asked.  I said last week that I'd provide details if someone asked.  Someone asked.  I'm providing details.



Redregon said:


> that would help your credibility but in all fairness, if i were in Dragoneer's shoes, you'd have to work damn hard to prove yourself trustworthy given what you have done in the past.


My _technical_ credibility is in no need of your help, and I'm not terribly interested in whether FA's staff trusts me—but I don't believe it matters.  These things are distractions, misdirection.  I've neither asked for nor proposed anything that requires faith in the purity of my intentions.


----------



## Redregon (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Eevee said:


> What "drama" who's stirring up?


maybe not you directly (though you do seem to be rather aggressive to some of the mods here) but certainly your friends from vivisector.

...


----------



## Arshes Nei (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

Red,

The main reason for this is because I believe they feel like someone is listening rather than being put off. There is a part that feels these guys have nothing better to do than watch the site die and watch it destroyed; however, there are some people like myself who do feel that while watching a sinking ship there is some small hope for things turning out to be better. I cannot speak for them per se, it's just my observations. I know other members of the staff had and still have a rather bad history with them, not all of us did.


----------



## LizardKing (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Redregon said:


> [conspiracy theories and suchlike]



Did you miss the part where he's _handing over a list of exploits that he knows how to use_ and is telling them _how to fix them?_

You don't _need_ keys to the site when you have an assortment of crowbars and sledgehammers.

And read that last line again.



> I've neither asked for nor proposed anything that requires faith in the purity of my intentions.



Everything you have said is utterly irrelevant. It does not matter.


----------



## Redregon (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



LizardKing said:


> Did you miss the part where he's _handing over a list of exploits that he knows how to use_ and is telling them _how to fix them?_


really? can you refresh my memory as to where those exploits are exactly? a handy-dandy link would be especially appreciated, relevant and convenient for all involved.

...


----------



## Eevee (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

I apologize for derailing the thread, but "calling out" is now a punishable offense, and it seems that responding to redragon in a new thread could be construed as such.  I hope the following is thorough enough to conclude this:



Redregon said:


> if you re-read, i wasn't asking for how the current admins handled your insistence, i'm talking about actual vulnerabilities. you say you have them, well, post a couple. show us that you're not just trying to blow smoke up our asses.


I did, quite some time ago.  What Summercat requested is a list of explicit details: how to attack, and fix, each exploit.



Redregon said:


> here is someone that used to be admin on a site... they were removed... then they hacked it and turned it into their personal playground


I was never an FA admin; I was a developer.  I was not removed; I resigned.  I attacked the site once, with the assumption that the damage (which I knew to be trivially reversible) would be...  trivially reversed.  This proved to be ill-advised.



Redregon said:


> you were burned by the site and decided to make your own (which is still under development apparently... for quite some time too)


I've thought about building an art site for quite some time.  I joined the Ferrox project _because_ I wanted to build an art site.  Resigning didn't change that.



Redregon said:


> take out FA somehow (which having access to the source code of the site would allow) and what does that leave for its users to use as an art site? oh, yeah... yours.


I can't imagine why you think access to the source code is the one hurdle preventing anyone from "taking out" FA.  It's full of known vulnerabilities _now_, and aside from causing some mayhem, even the worst of hacks couldn't permanently destroy the site.  They'd just restore from some backups, throw up the last known good copy of the software, and keep buggering on.  Even if the data were all lost permanently, a significant chunk of the users would doubtless return and start from scratch.

It's odd that I have more faith in FA's resilience than you, my accuser.

Anyway, what point is there in destroying my "competition" long before my own offering is ready for public use?



Redregon said:


> and for someone that's been all about sticking it to dragoneer in the past


My motivation has never been to "stick it" to anyone.  I'm curious where the "all about" comes from, as well, since I've done precisely one actively antagonistic thing to FA.



Redregon said:


> also, let's not forget how some of your allies have in the past admitted that they somehow had some inside information that would lead to FA's collapse (talk to your friend Verix about his lovely post here on FA to that extent) and it makes it seem mighty suspicious.


I haven't a clue what verix had in mind, but fear not: he seems to have abandoned that approach.



Redregon said:


> but maybe you are merely interested in this for the good of the fandom... i can accept that... but your past actions make that a hard sell. basically, you've acted in a way that would lead people to have a lack of faith in you and you're asking them to just hand over the keys to the site... am i the only one that thinks this is all some song and dance? am i the only one that thinks you've got some motive you're not telling us?


1. I don't know if I've said my motivation is the "good of the fandom", but I wouldn't really put it like that.  I'm a giant nerd, and I have something of a passion for _good technology_.  My motive—with many things, really—is to _increase the amount of good technology_.  My social circle currently revolves around bad technology, and I would like to see that fixed.

2. I've long since lost interest in writing free code for FA again.  But the most I ever proposed was a security audit.  Not specifically one from me; just one from _anybody_ remotely qualified, and that I'd be willing.  Nothing has really been done to harden security except reactively after an attack, and that alarms me greatly.  (Note, again, that revealing the source code is not so much of a security concern when _you already have known security holes_.  Nor is releasing code inherently risky.)


----------



## Redregon (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Eevee said:


> I apologize for derailing the thread, but "calling out" is now a punishable offense, and it seems that responding to redragon in a new thread could be construed as such.  I hope the following is thorough enough to conclude this:
> 
> 
> I did, quite some time ago.  What Summercat requested is a list of explicit details: how to attack, and fix, each exploit.



all that that link shows is that there are vulnerabilities... but, no actual details of where they are, how they're vulnerabilities and how to fix/exploit them... basically, i agree with summercat... you say you've got the knowledge, well, prove it. don't just speak in generalities like in that post, just post them.



Eevee said:


> I was never an FA admin; I was a developer.  I was not removed; I resigned.  I attacked the site once, with the assumption that the damage (which I knew to be trivially reversible) would be...  trivially reversed.  This proved to be ill-advised.



you were still staff... nittering over semantics will only get you so far.

and hacking a site and such is trivial? hmm... well, newsflash, even though those vulnerabilities were "being exposed so the site can fix them" it is still something that Dragoneer could very well press charges for. hacking, no matter how justified it may be, is still an offence. and really, hacking the site because people wouldn't listen to you? you do know that that makes you sound like some spoiled little child throwing a tantrum, right? explain to me how someone that has shown themselves to be childish and petty like that should be trusted at all?



Eevee said:


> I've thought about building an art site for quite some time.  I joined the Ferrox project _because_ I wanted to build an art site.  Resigning didn't change that.



thought about and are doing... or so your signature links say. (http://floof.us/)



Eevee said:


> I can't imagine why you think access to the source code is the one hurdle preventing anyone from "taking out" FA.  It's full of known vulnerabilities _now_, and aside from causing some mayhem, even the worst of hacks couldn't permanently destroy the site.  They'd just restore from some backups, throw up the last known good copy of the software, and keep buggering on.  Even if the data were all lost permanently, a significant chunk of the users would doubtless return and start from scratch.



granted, but for a lot of users, it would be seen as an issue of reliability and there ARE a handful that would be quite willing to jump ship if the site is down for more than a day or two (or at least that is what they whine about in various communities... given how they're such wonderful artists that one day down will cause a financial meltdown...)



Eevee said:


> It's odd that I have more faith in FA's resilience than you, my accuser.



9_9 mmmhmm... there's a difference between being faithful in a site's resilience and being an idiot by putting all my eggs in one basket.



Eevee said:


> Anyway, what point is there in destroying my "competition" long before my own offering is ready for public use?



*shrugs* i dunno... but like i said, the political side of this isn't something that can easily be ignored.



Eevee said:


> My motivation has never been to "stick it" to anyone.  I'm curious where the "all about" comes from, as well, since I've done precisely one actively antagonistic thing to FA.



gee, that sounds like someone i know of at AC a couple years ago whining how "why don't people like me?" guess who it was? yep... jehryn... whining that what he did wasn't that big of a deal and being "baffled" why people are taking it so seriously. 



Eevee said:


> I haven't a clue what verix had in mind, but fear not: he seems to have abandoned that approach.



you can learn more about a person when they've lost their cool than you can when they're calm and collected. their true face is easier seen that way.



Eevee said:


> 1. I don't know if I've said my motivation is the "good of the fandom", but I wouldn't really put it like that.  I'm a giant nerd, and I have something of a passion for _good technology_.  My motive—with many things, really—is to _increase the amount of good technology_.  My social circle currently revolves around bad technology, and I would like to see that fixed.
> 
> 2. I've long since lost interest in writing free code for FA again.  But the most I ever proposed was a security audit.  Not specifically one from me; just one from _anybody_ remotely qualified, and that I'd be willing.  Nothing has really been done to harden security except reactively after an attack, and that alarms me greatly.  (Note, again, that revealing the source code is not so much of a security concern when _you already have known security holes_.  Nor is releasing code inherently risky.)


 
well, of course releasing code for a site nobody uses isn't risky... nor is releasing said code when it's got very little content or meat to it. apple? meet orange. say hello, orange... don't be shy, apple won't bite... hard.

i will agree, however, that it's better to be proactive... but let's be clear here... the people coding the site are novices, maybe intermediate level... and how large is the code? also, it's not like bugs and such have a nice little hash-tag saying "hey, i'm a bug... fix me or i'll do THIS!" trust me, from one who can code to another... looking for bugs isn't the easiest of tasks... especially when the code is something that was handed to you from someone else.

you want to help? offer your help. if they turn you down? just give it up. prattling on continually about it only proves your childishness... want to know how that translates? 

eevee: "awww, they don't want my help... so i'm going to whine about it and hack the site... then they'll want my help." that kind of behavior won't get you a job in any professional setting so why do you think that the maintenance of a site run by fans of its content is any different?


----------



## Arshes Nei (Mar 1, 2011)

*Re: Trouble Ticket Policy for Site Admins?*



Eevee said:


> I apologize for derailing the thread, but "calling out" is now a punishable offense, and it seems that responding to redragon in a new thread could be construed as such.  I hope the following is thorough enough to conclude this:


 
I created a new thread for the drift, fair enough?


----------



## Pi (Mar 1, 2011)

Redregon, nothing you say makes any sort of coherent sense, and your little flameout wherein you banned me from your journal doesn't make any sense either.

Feel free to conspiracy-theory all you want, but it won't really change the fact that your screed is not grounded in reality.

You don't get to talk about professionalism and behavior when you pull motivation and accusations out of your ass.



> it is still something that Dragoneer could very well press charges for. hacking, no matter how justified it may be, is still an offence



This is basically wrong and you do not know what you are talking about. Stop saying words.


----------



## Eevee (Mar 2, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

A lot of what you said doesn't seem to fit what you replied to, or is otherwise meandering.  Most of the stuff about _me_ is, really, a big fat red herring.  Re the rest...



Redregon said:


> all that that link shows is that there are vulnerabilities... but, no actual details of where they are, how they're vulnerabilities and how to fix/exploit them... basically, i agree with summercat... you say you've got the knowledge, well, prove it. don't just speak in generalities like in that post, just post them.


Let me get this straight: you _want_ me to post idiot-friendly precise instructions on how to attack FA?

Again: I said that I would reveal details _to any FA staff member, as soon as one asked_.  This did not happen until a few days ago.

I'm not at all confident that the list is complete, anyway.  And it doesn't solve the core problem: that FA, despite its sad track record, has little visible interest in security.



Redregon said:


> and hacking a site and such is trivial?


Please read more carefully.  I said what I did was trivially _reversible_.  That is, I knew from the beginning that it would take mere seconds to undo everything I did, and I would not have done it otherwise.



Redregon said:


> and really, hacking the site because people wouldn't listen to you? you do know that that makes you sound like some spoiled little child throwing a tantrum, right? explain to me how someone that has shown themselves to be childish and petty like that should be trusted at all?


You, others, and most of the FA staff continue to fixate on this from a purely social perspective, and I don't understand why.  You're concerned with how I _appear_, and what the staff _think_ of me, and assume all of my motives were about _spite_ and _personal vengeance_.  Everything is interpreted as a personal slapfight.  From my point of view, I'm personally not relevant to the issue at all.

FA had, and still has, a serious problem.  FA's staff does not appear to believe that this problem exists, or is worth concern.  I demonstrated otherwise.

I guess I said I'd got the knowledge, and I proved it.



Redregon said:


> want to know how that translates?
> 
> eevee: "awww, they don't want my help... so i'm going to whine about it and hack the site... then they'll want my help."


A compelling and thought-provoking argument to be sure, but as I said, this has never been about _me_ or _my_ help.

FA is, objectively, factually, insecure.  Even brand-new tested code is, objectively, factually, insecure.  Its management is either uninterested in fixing or unable to fix these serious, recurring issues.  This is bad.  Calling me names and scrutinizing my motives does not make these problems less real or less severe.

You and the staff are far more concerned with mocking detractors than actually fixing the problems that are pointed out.  Half a dozen people who are very good in their fields are all turned down because, as translated by multiple other staff members, Dragoneer just plain doesn't like them.  I can't understand this attitude.  The implication is that it's okay to leave serious security holes open, to prioritize them below personal conflict, but not okay to criticize.

Is it that "security holes" are a thing that happen _to_ FA, making them a victim?  Can we not hold people accountable for actions not taken?  Why are you, a user, more bothered by the rantings of a single banned guy than the complacency of an entire organization?  Are we as a subculture really so averse to pointing out objective failings?

It's okay to fuck stuff up; that doesn't make you a bad person.  Just, you know...  fix it.


----------



## Arshes Nei (Mar 2, 2011)

I just wanted to say, staff is not a hive mind. While I understand the need to check first before saying things that represent the site as a whole (so that at least we look like we're on the same page). It doesn't mean we are wholly united by opinion or statement. It just means a certain level of support. However, this fracturing - and I am well aware that when I brought up the issue this would show further (in the original thread) means that not all of us just cast help aside.

It is also hard to ask for help because if you're not in the position to make things happen, you also become apathetic yourself. For example, I also could have asked but I didn't think that what I'd receive would go anywhere or further. Just some *nods* and everything goes to dark until the next drama bomb 


Despite the fact that, yes a security audit can be done, there is that voice in your head where you may see or fear how people will drag out and have a lulzfest with the holes and essentially causing more issues. It's not just about how difficult it can be to accept help from those you've been at odds with for a long time, but I am no dummy and understand why the cynicism. Accepting that help can be more than you bargained for. It's something someone can also blackmail you for later. 

This isn't just some piece of art where people tear it apart with critiques, but it has an impact on the user base as well. 

I think though overall, what bothers me is that all these years and we couldn't get another programmer for the site? It was either 1 guy who was in charge of new projects like Ferrox. Or like now we have one main admin working on patches for the current site. I'm not looking for a big team of programmers, but really? Just 2 people with their own lives and also ideas and goals? One who is in a different time zone which can affect certain matters too with the site? If this was a rather small site, no this really wouldn't be a big deal. However, the site is growing and there is no steady goal I can see. That's troubling.


----------



## LizardKing (Mar 2, 2011)

*Re: Trouble Ticket Policy for Site Admins?*

Well I guess I'll reply now it's in a new thread and isn't derailing...



Redregon said:


> mmmhmm... yeah, the den is elsewhere, try shitposting there (wait, you already do that... nevermind) (do you get tired of getting your jollies out of trying so hard to be so offensive to furries? your life really must be quite sad if that's your main source of entertainment.


 
...if there was anything coherent to reply to. I'm not sure how much clearer any of these responses could be phrased, so I'll just leave you to it.


----------



## Redregon (Mar 2, 2011)

Pi said:


> Redregon, nothing you say makes any sort of coherent sense, and your little flameout wherein you banned me from your journal doesn't make any sense either..



translation: "baawww, i tried to be a bitch in someone's journal and was blocked... waah." cry moar fa**ot.



Pi said:


> Feel free to conspiracy-theory all you want, but it won't really change the fact that your screed is not grounded in reality.
> 
> You don't get to talk about professionalism and behavior when you pull motivation and accusations out of your ass..



who said anything about me having to be professional or whatever? you talk out of your ass, i'll call you on it. don't like it? go back to your butbuddies on lulz or vivisector or wherever the fuck it is you go to pretend you're valid, worthwhile and smrt... i'm sure they'll stroke your e-dick and tell you you're right when you really aren't.



Pi said:


> This is basically wrong and you do not know what you are talking about. Stop saying words.


 
wow, you're being an idiot here... so, hacking is not illegal? since when?

http://www.justice.gov/criminal/cybercrime/1030_new.html

whoops, looks like a little research has proven you completely wrong in this respect. ohnoes! what are you going to say in the face of actual facts? do we have yet another case of someone saying what they're doing is awwright just because they want it to be? looks like it... shit, you're just as bad as the pedophiles and dog-fuckers that frequent the mainsite.


----------



## Eevee (Mar 2, 2011)

Arshes Nei said:


> I just wanted to say, staff is not a hive mind. While I understand the need to check first before saying things that represent the site as a whole (so that at least we look like we're on the same page). It doesn't mean we are wholly united by opinion or statement. It just means a certain level of support.


No matter how big a ship's crew is, it still only follows one course at a time.

I try to be careful about holding "FA" as an organization accountable instead of individual people, because this really isn't and shouldn't be personal, but of course there are only a couple people actually holding the reins.  Or the wheel, or whatever metaphor we're using.



Arshes Nei said:


> It is also hard to ask for help because if you're not in the position to make things happen, you also become apathetic yourself. For example, I also could have asked but I didn't think that what I'd receive would go anywhere or further. Just some *nods* and everything goes to dark until the next drama bomb


It's more interesting that the technical "contact" we supposedly had, who spent months in #hackerfurs, never asked me about the list.  I can only imagine that it was spun as an attack on FA's integrity, and thus acknowledging it would mean that I "win"?



Arshes Nei said:


> Despite the fact that, yes a security audit can be done, there is that voice in your head where you may see or fear how people will drag out and have a lulzfest with the holes and essentially causing more issues. It's not just about how difficult it can be to accept help from those you've been at odds with for a long time, but I am no dummy and understand why the cynicism.


It doesn't have to be a security audit from me, or Pi, or nrr, or whoever else has a fraction of a clue.  It doesn't even have to be a hired guy.  There are organizations that compile detailed lists of basic categories of attacks, and you can find exploits just by knowing these and poking around on a bored afternoon.

Though, still, not the problem.  Many of the easy exploits on my list have the same root cause.  yak knows about them, knows the cause, knows how to fix it, and has known all of these things since at least November or so.  But the crappy codebase makes it hard and the new UI is coming Real Soon Now, so they're never fixed.



Arshes Nei said:


> I think though overall, what bothers me is that all these years and we couldn't get another programmer for the site? ... However, the site is growing and there is no steady goal I can see. That's troubling.


There seems to be a dangerous culture of mistrust surrounding FA and its technology, shared by everyone who touches or controls it.


----------



## Eevee (Mar 2, 2011)

Redregon said:


> http://www.justice.gov/criminal/cybercrime/1030_new.html
> 
> whoops, looks like a little research has proven you completely wrong in this respect. ohnoes! what are you going to say in the face of actual facts?


Not to be nitpicky or anything, but I haven't done anything listed in this document.  Please try to read things you quote more carefully; this is several times in a single page of posts now.



Redregon said:


> cry moar fa**ot.





Redregon said:


> wherever the fuck it is you go to pretend you're valid, worthwhile and smrt... i'm sure they'll stroke your e-dick





Redregon said:


> shit, you're just as bad as the pedophiles and dog-fuckers that frequent the mainsite.


Weren't you just trying to slam me for being "whiny" and "childish"?  Good grief.


----------



## Pi (Mar 2, 2011)

Redregon said:


> translation: "baawww, i tried to be a bitch in someone's journal and was blocked... waah." cry moar fa**ot.
> 
> who said anything about me having to be professional or whatever?


hahahahahaha okay



> you talk out of your ass, i'll call you on it. don't like it? go back to your butbuddies on lulz or vivisector or wherever the fuck it is you go to pretend you're valid, worthwhile and smrt... i'm sure they'll stroke your e-dick and tell you you're right when you really aren't.


... really?



> wow, you're being an idiot here... so, hacking is not illegal? since when?
> 
> http://www.justice.gov/criminal/cybercrime/1030_new.html


Kid, this law talks about breaking into computers and causing more than $5000 in damages with intent to defraud. That didn't happen here. You _really_ don't know what you're talking about.


----------



## Redregon (Mar 2, 2011)

Eevee said:


> Not to be nitpicky or anything, but I haven't done anything listed in this document.  Please try to read things you quote more carefully; this is several times in a single page of posts now.



fair enough, but, see, i'm not trying to pretend that i'm doing this for the good of the site. i'm just doing it because i'm bored and easily amused. 

p.s. section 2c applies as the information that is being denied is crossing state boundaries and even national boundaries... same with section 5ai, ii and iii... and section 7 could apply if you're somehow edging for a position on staff, but you've said you're not so that could be considered moot. please re-read what you're discounting.


----------



## Eevee (Mar 2, 2011)

Redregon said:


> fair enough, but, see, i'm not trying to pretend that i'm doing this for the good of the site.


*Again*, I'm not doing this for "the good of" anyone at all.  This is not about _people_ to me; people are just necessarily related.  This is about technology.



Redregon said:


> p.s. section 2c applies as the information that is being denied is crossing state boundaries and even national boundaries... same with section 5ai, ii and iii... and section 7 could apply if you're somehow edging for a position on staff, but you've said you're not so that could be considered moot.


2C does not apply, because I didn't obtain any information.
5A does not apply, because it requires that 5B also apply, and those are all about causing financial or physical harm.
7 would not apply, because a position on staff is not a _thing_ of value.


----------



## Redregon (Mar 2, 2011)

Eevee said:


> *Again*, I'm not doing this for "the good of" anyone at all.  This is not about _people_ to me; people are just necessarily related.  This is about technology.


 
you offered your assistance, you were turned down. what about this doesn't jive with you? this is a site for furry porn, not like it going down would be the end of the world.

and really, if a site having bad code bugs you to the level that you say it does, you need therapy... because obsessing over something like you have been doing can't be healthy or productive. 

basically, i'm suggesting you shut the hell up. because, well, you offered help, they refused... then you hacked the site... and you now expect the site owner to even listen to you? shit, son... you've got one hell of a case of unwarranted self importance.


----------



## Xenke (Mar 2, 2011)

Redregon, let me give you my thought about why you should be shutting up.

Although like you I don't fully understand why Eevee want to help the site so much, I do like him hanging around and trying to help because he's at least polite (at least publicly) about it. He's not like you, or other people, who seem to be only interested in bitching every time something goes wrong.

Honestly, I don't see why you have such a big problem that he's trying to work with the staff. You jealous or something?


----------



## Eevee (Mar 2, 2011)

My objections are about things FA is doing, and things FA is vulnerable to.  My actions and motives remain entirely irrelevant.  Redragon, you're the only one here trying to make me important.


----------



## Redregon (Mar 2, 2011)

Xenke said:


> Redregon, let me give you my thought about why you should be shutting up.
> 
> Although like you I don't fully understand why Eevee want to help the site so much, I do like him hanging around and trying to help because he's at least polite (at least publicly) about it. He's not like you, or other people, who seem to be only interested in bitching every time something goes wrong.
> 
> Honestly, I don't see why you have such a big problem that he's trying to work with the staff. You jealous or something?


 
Hahahah, no. i just like poking things with sticks.

don't like it? tough shit.


----------



## Pi (Mar 2, 2011)

Redregon said:


> this is a site for furry porn, not like it going down would be the end of the world.


No, it isn't. It's the central gathering point for a large portion of the furry community. Trivializing it as "just a porn site" is asinine.



> and really, if a site having bad code bugs you to the level that you say it does, you need therapy... because obsessing over something like you have been doing can't be healthy or productive.


Excuse me? First you act like someone gave you a Juris Doctor and admittance to the Bar, and now you're acting like you've got a Ph.D. in psychology?



> basically, i'm suggesting you shut the hell up. because, well, you offered help, they refused... then you hacked the site... and you now expect the site owner to even listen to you? shit, son... you've got one hell of a case of unwarranted self importance.


"just shut up and go away xd nobody should listen to you because you hacked!!" -- you

Do I even need to go into what's wrong with this?


----------



## Xenke (Mar 2, 2011)

Redregon said:


> Hahahah, no. i just like poking things with sticks.
> 
> don't like it? tough shit.


 
You mean like how I poked weed threads with sticks? :roll:


----------



## Redregon (Mar 2, 2011)

Pi said:


> No, it isn't. It's the central gathering point for a large portion of the furry community. Trivializing it as "just a porn site" is asinine.
> 
> 
> Excuse me? First you act like someone gave you a Juris Doctor and admittance to the Bar, and now you're acting like you've got a Ph.D. in psychology?
> ...


 
go for it... not like i'll give a shit what some neckbeard with an axe to grind has to say. you're just words on a screen and you have no value to me. so say whatever the hell you want. it's not like you have any impact in my life... you are basically a non-entity in my books and what you do to try and "pwn" me is rather useless because i really just don't care.

hell, you could whine about how your life sucks like some little emo fag and show pictures of how you're trying to an hero and i'd care just about as much as i do for the life of a fruitfly. am i insane or somehow lesser because of that? well, if you want to think so... but that doesn't change the fact that you are just words on a screen to me.


----------



## Redregon (Mar 2, 2011)

Xenke said:


> You mean like how I poked weed threads with sticks? :roll:


 
fair enough... but apples aren't oranges. a furry website and its life on the web isn't nearly close to comparing to one's freedom to choose what they do with their body.


----------



## dinosaurdammit (Mar 2, 2011)

Redregon said:


> fair enough... but apples aren't oranges. a furry website and it's life on the web isn't nearly close to comparing to one's freedom to choose what they do with their body.


 
Apples and oranges are both fruits, that grow on trees.


----------



## Redregon (Mar 2, 2011)

dinosaurdammit said:


> Apples and oranges are both fruits, that grow on trees.


 
Wait... oh, I C wut you did there... ¬_¬


----------



## Aden (Mar 2, 2011)

*Redregon*, this thread now consists almost entirely of you trying to attack the character of specific people instead of its intended topic. This is your warning - cut it out.

Also, you self-censored the word "faggot". What the hell?


----------



## Redregon (Mar 2, 2011)

Aden said:


> *Redregon*, this thread now consists almost entirely of you trying to attack the character of specific people instead of its intended topic. This is your warning - cut it out.



okiee dokie.



Aden said:


> Also, you self-censored the word "faggot". What the hell?


 
problem? Admin?


----------



## Freehaven (Mar 2, 2011)

It still amazes me just how complacent and half-assed the top administration and the coder(s) are when it comes to FA. How is this site still up?


----------



## Jashwa (Mar 2, 2011)

Freehaven said:


> It still amazes me just how complacent and half-assed the top administration and the coder(s) are when it comes to FA. How is this site still up?


 The willpower of furries wanting to upload their horribly drawn porn.

It's FA's secret.


----------



## Arshes Nei (Mar 2, 2011)

Freehaven said:


> It still amazes me just how complacent and half-assed the top administration and the coder(s) are when it comes to FA. How is this site still up?


 
This is why you should, or rather the site has more shared responsibilities. The more one is in power without some checks, the more it leads to negligence or corruption. No matter how well meaning this started.


----------



## Plague Wolfen (Mar 2, 2011)

Arshes Nei said:


> I just wanted to say, staff is not a hive mind.



How dare staff not act in a Borg-like, collective manner!

Sorry. Reading comment after comment of back and forth accusations between staff and members as if it's going to do anything other than cause more netz-raging, warranted a silly moment.


----------



## Accountability (Mar 2, 2011)

So apparently the old trick of <Doing X> to cause anyone who visits the site to get their profile wiped still works. Arcturus claims to have wiped quite a few in the last few hours by putting this on the Yiffyleaks site.

This is one of those things that is not hard to fix, but is ignored for whatever reason (probably just people being lazy) and in the end it's the community that suffers.


----------



## Arshes Nei (Mar 3, 2011)

Hi Accountability, (keep in mind I haven't seen Eevee's list so it may be in there).

Was this reported to which staff members before someone went vindictive and used the exploit? Also, when were you aware this was reported to those members?


----------



## Accountability (Mar 3, 2011)

Arshes Nei said:


> Hi Accountability, (keep in mind I haven't seen Eevee's list so it may be in there).
> 
> Was this reported to what staff members before someone went vindictive and used the exploit. Also when were you aware this was reported to those members?


 
This is included on Eevee's original Livejournal list from October as "★★☆ An attacker can trick a user into changing that user's profile text and metadata."


----------



## Arshes Nei (Mar 3, 2011)

Thanks, and I see from the course of the thread that he didn't give specifics, or more accurately, our coders didn't ask for specifics on how to create and fix?

Seems most of these attacks are through the use of "mangled bbcode" tags where one can embed? Is this correct?


----------



## Eevee (Mar 3, 2011)

Arshes Nei said:


> Thanks, and I see the course of the thread that he didn't give specifics or more accurately our coders, didn't ask for specifics on how to create and fix?


Correct.  Summercat was the first to ask for specifics last week, and he now has them.



Arshes Nei said:


> Seems most of these attacks are though the use of "mangled bbcode" tags where one can embed? Is this correct?


No, it has nothing to do with bbcode, and there's nothing mangled about it.  It's perfectly legitimate HTML and HTTP requests.  CSRF is a confused deputy problem.
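The confused-deputy point above, and the "visit a page, get your profile wiped" report earlier in the thread, can be shown with a small model. This is an added example, not FA's code and not anything Eevee posted: the endpoint path, cookie name, session store and the site origin are assumptions made for illustration, and the "attacker page" is constructed here to show that nothing about it is malformed. The vulnerable handler trusts the session cookie alone; the hardened one additionally demands a per-session synchronizer token that only a page served by the site could know, and rejects requests whose Origin is not the site.

```python
"""Added example (not the site's code): a minimal model of the cross-site
request forgery (CSRF) discussed in this thread, beside the synchronizer-token
fix. Endpoint, cookie name, session store and origin are all assumed."""
import hmac
import secrets

SITE_ORIGIN = "https://example-gallery.test"   # assumed site origin

# Constructed session store: session-cookie value -> server-side session state.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": None}}
PROFILES = {"alice": "Hello, I draw dragons."}


def browser_post(cookies, origin, path, form):
    """Simulate a browser submitting a form. The deputy behaviour is that the
    browser attaches the target site's cookies no matter which page built the
    request; Origin records the page that did build it."""
    return {"method": "POST", "path": path, "cookies": cookies,
            "headers": {"Origin": origin}, "form": form}


def vulnerable_update_profile(req):
    """Vulnerable handler: a valid session cookie is the only check, so any
    page the victim visits can spend her ambient authority."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 403
    PROFILES[sess["user"]] = req["form"].get("profile_text", "")
    return 200


def issue_csrf_token(sid):
    """Called when the site renders its own edit form: bind a fresh random
    token to the session and embed it in the form as a hidden field."""
    tok = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = tok
    return tok


def hardened_update_profile(req):
    """Hardened handler: require the per-session token (proof the form came
    from this site) and refuse cross-origin submissions outright."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 403
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return 403
    expected = sess.get("csrf_token")
    supplied = req["form"].get("csrf_token", "")
    # compare_digest is constant-time; an unset token never matches.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    PROFILES[sess["user"]] = req["form"].get("profile_text", "")
    return 200


# Constructed attacker page: plain HTML and a plain POST, nothing mangled.
# The script only saves the victim a click; without it a decoy button works.
ATTACKER_PAGE = """
<form id="f" method="POST" action="%s/controls/profile/">
  <input type="hidden" name="profile_text" value="">
</form>
<script>document.getElementById('f').submit();</script>
""" % SITE_ORIGIN


def run_attack(handler):
    """Alice, logged in (cookie sid=sess-alice), visits the attacker page,
    whose form auto-submits to the site. Returns (status, alice's profile)."""
    PROFILES["alice"] = "Hello, I draw dragons."
    req = browser_post(cookies={"sid": "sess-alice"},
                       origin="https://attacker.test",
                       path="/controls/profile/",
                       form={"profile_text": ""})   # no token: attacker has none
    return handler(req), PROFILES["alice"]


def run_legit(handler):
    """Alice edits her profile through the site's own form, which carries
    the token issued for her session."""
    PROFILES["alice"] = "Hello, I draw dragons."
    tok = issue_csrf_token("sess-alice")
    req = browser_post(cookies={"sid": "sess-alice"}, origin=SITE_ORIGIN,
                       path="/controls/profile/",
                       form={"profile_text": "New text", "csrf_token": tok})
    return handler(req), PROFILES["alice"]


if __name__ == "__main__":
    print(run_attack(vulnerable_update_profile))   # profile wiped
    print(run_attack(hardened_update_profile))     # rejected, profile intact
    print(run_legit(hardened_update_profile))      # legitimate edit still works
```

Two caveats a practitioner would want. First, client-side blocking of the kind mentioned later in the thread (NoScript) only stops the auto-submit script; a form the victim is tricked into clicking, or an image tag hitting an endpoint that accepts GET, still goes through with cookies attached, so the fix has to be server-side. Second, the Origin check alone is not enough on its own because older clients may omit the header; the token is the check that carries the weight, and the Origin test is defence in depth.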


----------



## LizardKing (Mar 3, 2011)

Accountability said:


> So apparently the old trick of <Doing X> to cause anyone who visits the site to get their profile wiped still works. Arcturus claims to have wiped quite a few in the last few hours by putting this on the Yiffyleaks site.
> 
> This is one of those things that is not hard to fix, but is ignored for whatever reason (probably just people being lazy) and in the end it's the community that suffers.


 
I think I've just seen what you're referring to. I'm shocked that it works.

Edit: Just tried it with something I wrote in notepad in about 20 seconds and it worked fine. Oh jesus.

Edit edit: Think I got NoScript to block it.


----------



## Arshes Nei (Mar 3, 2011)

Thanks for the explanation Eevee, I appreciate it.

Of course I wonder how long this takes for the staff in charge of coding to get this issue fixed.


----------



## Pi (Mar 3, 2011)

Arshes Nei said:


> Thanks for the explanation Eevee, I appreciate it.
> 
> Of course I wonder how long this takes for the staff in charge of coding to get this issue fixed.


 
I'm telling you, a weekend with a bottle of gin and the code, and I could fix at least the lowest-hanging fruit. These are not difficult problems to solve.

Or y'all could just let yak do it, but every time he codes something new, it comes with some pretty stellar holes (that could have been avoided if he let anyone else look at the code...).


----------



## Armaetus (Mar 3, 2011)

Pi said:


> Or y'all could just let yak do it, but every time he codes something new, it comes with some pretty stellar holes (that could have been avoided if he let anyone else look at the code...).


 
If this keeps on happening, why is he still on the coding team? What he really needs is at least two coders by his side to review and fix any potential holes brought up with his code. And I am not buying the "malicious intent/xenophobe" excuses from him or Dragoneer. It is not excusable for them to leave holes wide open for years and waiting for someone to exploit them before actually fixing them.


----------



## Ricky (Mar 3, 2011)

For what it's worth, I had offered to help a few times before but got no response.

I suck at art so I feel it's the one way I could contribute to the community so if my help is wanted I'd be glad to discuss, though I won't have a lot of time coming up soon for a while because of a recent promotion, among other projects I've taken up.


----------



## Armaetus (Mar 3, 2011)

Open source would likely be the best choice because anyone can find faults and show it to 'Neer and co, as posted in my first post on top.


----------



## Ricky (Mar 3, 2011)

Glaice said:


> Open source would likely be the best choice because anyone can find faults and show it to 'Neer and co, as posted in my first post on top.


 
I agree...  I mean, it's not like someone is just going to host the app elsewhere and everyone leave FA (I wouldn't think).

At least any more gaping security holes would get pointed out quickly.


----------



## Freehaven (Mar 3, 2011)

Glaice said:


> If this keeps on happening, why is he still on the coding team?



Because Dragoneer is too paranoid to let anyone who doesn't outright kiss his ass 24/7 have access to the FA codebase. Only close friends of the Dear Leader get to peek behind the curtain.


----------



## LizardKing (Mar 3, 2011)

Freehaven said:


> Because Dragoneer is too paranoid to let anyone who doesn't outright kiss his ass 24/7 have access to the FA codebase. Only close friends of the Dear Leader get to peek behind the curtain.


 
You should've called it the iron curtain for a combo bonus.


----------



## Ricky (Mar 3, 2011)

Freehaven said:


> Because Dragoneer is too paranoid to let anyone who doesn't outright kiss his ass 24/7 have access to the FA codebase. Only close friends of the Dear Leader get to peek behind the curtain.


 
You see, that's just dumb.  There are ways to let people check in code and review the diffs.

We use contractors here all the time.


----------



## Arshes Nei (Mar 3, 2011)

Ricky said:


> For what it's worth, I had offered to help a few times before but got no response.
> 
> I suck at art so I feel it's the one way I could contribute to the community so if my help is wanted I'd be glad to discuss, though I won't have a lot of time coming up soon for a while because of a recent promotion, among other projects I've taken up.


 
I have to say that it is very troubling that I keep hearing the same from multiple people. That no one gets back to them.

It is starting to remind me of co-workers who feel job security is through obscurity.


----------



## Bobskunk (Mar 3, 2011)

Ricky said:


> I agree...  I mean, it's not like someone is just going to host the app elsewhere and everyone leave FA (I wouldn't think).
> 
> At least any more gaping security holes would get pointed out quickly.


 
Yeah, pretty much.  It leaves two options:


Dude throws up FA clone as is from public, makes no fixes or changes.
Dude throws up FA clone as is from public repo, makes extensive changes and improvements to FA code.

The first case, the only thing it MIGHT have going for it is different staff, but ANY site would necessarily have different staff.  The technical problems that plague FA would still be intact and it would necessarily lack the biggest draw FA has- existing userbase.  Nobody would move from their established spot on FA for a cheap clone, there's too much effort involved.  The threat to FA hegemony diminishes even more if two, three, four other people just make direct clones of FA's code.  It's just more segmentation without added value.

The second case, if FA's code was licensed right, all changes/improvements that third party make would also have to be made public as derivative works, which would allow FA itself to vet and implement them.  Net result: FA benefits from whoever runs and alters their FA-software based gallery through added features and security fixes.  The site itself becomes a community project like Linux, or more specifically Ubuntu (about two years ago.)  While an altered/fixed FA-based FA alternative would then be better poised to compete with FA on its own merits, FA would get those same improvements, and then it becomes a matter of getting a large enough userbase (unlikely) and avoiding staffing issues.  I still don't see an FA-derivative overtaking FA should the codebase be made open source, but I can see a lot of benefit.

Put in different terms, if some giant assfuck proprietary forum like GaiaOnline released their code for this purpose and anyone could then run their own version of GaiaOnline...  Then you'd have a bunch of people running the software for their five friends.  The original site would not face much of a threat from upstarts/clones.  But any nerds writing patches and fixes with access to the original code would benefit the main site.  I'd have said vBulletin and SA but vBulletin isn't SA's proprietary code.

In FA's case, they have so many security issues that just opening up their software would make plain and obvious dozens of attacks.  Eevee's list was based on poking a black box- the actual code going public would be like throwing the doors wide open.  That's why they'd need to audit and fix the broken shit first, but that's apparently going nowhere.  Open or closed source, it's simply something they have to do, or else they'll just keep getting attacked.  I can sympathize with someone getting their car stolen because they left it unlocked.  I can't sympathize with someone getting their car stolen multiple times because it is always left unlocked, and saying "dude lock your fucking car" makes them/their friends throw a tantrum about how nobody has the right to tell them what to do.  And then their car gets stolen again.

Besides, I'm pretty sure Ekigyuu's Art Piles is/was supposed to be publicly released code, yet there's nothing floating around using that code but the site itself, which never even gets a mention when discussing FA alternatives.  Which is all the better, considering how FAP went down.


----------

