# Why weren't the hackers stopped irl



## DKitty (May 20, 2016)

Okay WHY did anyone tried to stop any kind of suspicious activity concerning passing out so many USB drives or telling the furcon security about such? WHY? If this was prevented, FA would had never been attacked. Now our personal info is breeched all thanks to those who hate and despise this community. Honestly, I believe this was more than a mere hacking. This was out of malicious hate to destroy.


----------



## crashdoom (May 20, 2016)

DKitty said:


> This was out of malicious hate to destroy.



That's kind of why hackers do what they do.


----------



## Jeffron (May 20, 2016)

They should make a way to where if someone is hacking a system it makes their computer explode like a grenade! death or serious injury for harming others.

Seems sad people have no idea how to just live and let live. They just have to cause harm to everything...


----------



## DKitty (May 20, 2016)

Jeffron said:


> They should make a way to where if someone is hacking a system it makes their computer explode like a grenade! death or serious injury for harming others.
> 
> Seems sad people have no idea how to just live and let live. They just have to cause harm to everything...



In my entire 10 or so years on FA, we've never been hacked or info breeched. This is the first time.


----------



## crashdoom (May 20, 2016)

DKitty said:


> In my entire 10 or so years on FA, we've never been hacked or info breeched. This is the first time.



There's been a few hacks previously: http://stuff.veekun.com/fa-timeline.html


----------



## Jeffron (May 20, 2016)

crashdoom said:


> There's been a few hacks previously: stuff.veekun.com: FA Timeline


Frm what a freind tld me there was a breech back in 2008


----------



## DKitty (May 20, 2016)

crashdoom said:


> There's been a few hacks previously: stuff.veekun.com: FA Timeline


Not like this one though


----------



## Ryuu Girl (May 20, 2016)

You fail to realize nobody was aware about the USB drives, nobody knows how many there were, whoever knew kept it under secrecy. It's not some giant club where everyone knew otherwise this would have never happened.


----------



## Jeffron (May 20, 2016)

Ryuu Girl said:


> You fail to realize nobody was aware about the USB drives, nobody knows how many there were, whoever knew kept it under secrecy. It's not some giant club where everyone knew otherwise this would have never happened.



True. What I wonder is if it was sme person among the staff? or no?


----------



## Dragonley (May 20, 2016)

Ryuu Girl said:


> You fail to realize nobody was aware about the USB drives, nobody knows how many there were, whoever knew kept it under secrecy. It's not some giant club where everyone knew otherwise this would have never happened.



Rhyyyyuuuuuu


----------



## Dallas (May 20, 2016)

It was someone who knew about a security exploit and was able to extract FA's source code. Unfortunately that could be literally anybody. I'm just shocked that FA, having been around for quite some time now, has enough vulnerabilities in the actual code to cripple the site like this. Right after the con too, it didn't take months to find a vulnerability to exploit like it does with most software, it took days or maybe even hours.

You're telling me one or maybe more people who got their paws on these drives were able to sit down and within a couple days find enough vulnerabilities to steal personal information and passively delete data off of the servers.

If this is what someone can do in a few days with such unstable code, imagine what a real hacker could do in a month, or three months. I'm just shocked that it's so insecure. This is not the end, this is the beginning of the beginning. The code is out there now, who knows how many people have it and are analyzing it even as you read this. Sure you can fix whatever they exploited now, but I guarantee you they've got at least five other exploits on reserve and counting that'll allow them to do the exact same things all over again.


----------



## Jeffron (May 20, 2016)

Dallas said:


> It was someone who knew about a security exploit and was able to extract FA's source code. Unfortunately that could be literally anybody. I'm just shocked that FA, having been around for quite some time now, has enough vulnerabilities in the actual code to cripple the site like this. Right after the con too, it didn't take months to find a vulnerability to exploit like it does with most software, it took days or maybe even hours.
> 
> You're telling me one or maybe more people who got their paws on these drives were able to sit down and within a couple days find enough vulnerabilities to steal personal information and passively delete data off of the servers.
> 
> If this is what someone can do in a few days with such unstable code, imagine what a real hacker could do in a month, or three months. I'm just shocked that it's so insecure. This is not the end, this is the beginning of the beginning. The code is out there now, who knows how many people have it and are analyzing it even as you read this. Sure you can fix whatever they exploited now, but I guarantee you they've got at least five other exploits on reserve and counting that'll allow them to do the exact same things all over again.



Well shit. instead of doing that, maybe what you could of done is send this scary message to the devs so they can start doing some more patches.

*Sigh* It disgusts me that people never have a "live and let live" kind of situation.


----------



## Dallas (May 20, 2016)

Jeffron said:


> Well shit. instead of doing that, maybe what you could of done is send this scary message to the devs so they can start doing some more patches.
> 
> *Sigh* It disgusts me that people never have a "live and let live" kind of situation.



If the FA devs couldn't figure that out themselves by now then honestly there's not much hope for the site, as much as it pains me to say that. I'll give them the benefit of the doubt however.


----------



## Wither (May 20, 2016)

Hindsight is 20/20~
Nothing could be done IRL.
Something could have and should have been done on FA's part a long fucking time ago, though. Ignorance is a powerful thing, though.


----------



## Jeffron (May 20, 2016)

Dallas said:


> If the FA devs couldn't figure that out themselves by now then honestly there's not much hope for the site, as much as it pains me to say that. I'll give them the benefit of the doubt however.



Indeed....What I wanna know is, why didn't they try making improvements on EVERYTHING since they were supposedly getting more money from being bought out by IMVU with all those freakin' ads?


----------



## Dallas (May 20, 2016)

Jeffron said:


> Indeed....What I wanna know is, why didn't they try making improvements on EVERYTHING since they were supposedly getting more money from being bought out by IMVU with all those freakin' ads?


Ask them, I'd rather not speculate.


----------



## vaati9999 (May 20, 2016)

Code is a lot more complicated when it comes to a new team of programmers...


----------



## Dallas (May 20, 2016)

vaati9999 said:


> Code is a lot more complicated when it comes to a new team of programmers...


This isn't a high level programming language we're talking about here, any scripting, query, or markup language is probably going to look the same no matter who codes it.


----------



## Tobia-SIN (May 20, 2016)

It's kinda hard to find hackers. Well first off...they're hackers. They can easily cover up their tracks when they do things like this.
My father used to work in the police force, and even trained cops with high computer skills have trouble too. It's so complex to find hackers that cops have to take "Hacking classes" to fully understand hackers and to at least boost chances of catching them.


----------



## vaati9999 (May 20, 2016)

Dallas said:


> This isn't a high level programming language we're talking about here, any scripting, query, or markup language is probably going to look the same no matter who codes it.


spaghetti code (or anything else really) could be causing these issues.


----------



## Dallas (May 20, 2016)

vaati9999 said:


> spaghetti code (or anything else really) could be causing these issues.


So could negligence.


----------



## Tobia-SIN (May 20, 2016)

Dallas said:


> So could negligence.


Having a large website like fA is a lot of work, so I agree.


----------



## Dallas (May 20, 2016)

Tobia-SIN said:


> Having a large website like fA is a lot of work, so I agree.


And this is where putting off all of that work for tomorrow 700 times in a row gets you.

I doubt that's what happened but you never know.


----------



## vaati9999 (May 20, 2016)

Dallas said:


> So could negligence.


Although there is a fair ammount of chances this bug was not caused by the site itself, rather by the software they used. If this bug exists, it is probably due to negligance by either the conceiver of this software or the scripters that omitted to check what are the bugs to be noted (and patched) about this software. This issue is actually a lot older than a few weeks (or so I guess) since this bug was probably documented long ago.


----------



## Dallas (May 20, 2016)

vaati9999 said:


> Although there is a fair ammount of chances this bug was not caused by the site itself, rather by the software they used. If this bug exists, it is probably due to negligance by either the conceiver of this software or the scripters that omitted to check what are the bugs to be noted (and patched) about this software. This issue is actually a lot older than a few weeks (or so I guess) since this bug was probably documented long ago.


I'm not even sure what you're talking about, the attacks that were carried out using the source code have nothing to do with the vendors of the software used on the site.


----------



## Tobia-SIN (May 20, 2016)

Dallas said:


> And this is where putting off all of that work for tomorrow 700 times in a row gets you.
> 
> I doubt that's what happened but you never know.



It could be a number of possibilities There is a lot of different tasks related to having a large website, from maintenance to design. You need to keep them balanced. If one slips...then you got a problem.
Maybe the mods were so focused that they neglected certain parts and made it vulnerable. Like I said, there's a lot of possibilities.


----------



## vaati9999 (May 20, 2016)

Dallas said:


> I'm not even sure what you're talking about, the attacks that were carried out using the source code have nothing to do with the vendors of the software used on the site.


They used ImageMagik. There is a documented exploit that was used by the hackers. In fact, you could google exploit and the name of this exploit to find exactly how this works. The makers of ImageMagik probably forgot a little detail that causes this bug, hence the attack. Although, the site's dev team should have patched the exploit before it was put to use.


----------



## Dallas (May 20, 2016)

Tobia-SIN said:


> It could be a number of possibilities There is a lot of different tasks related to having a large website, from maintenance to design. You need to keep them balanced. If one slips...then you got a problem.
> Maybe the mods were so focused that they neglected certain parts and made it vulnerable. Like I said, there's a lot of possibilities.


That's where priorities come into play. The integrity of the source code takes priority over the banner being the wrong shade of orange for example. Or rather it should.


----------



## Tobia-SIN (May 20, 2016)

Dallas said:


> That's where priorities come into play. The integrity of the source code takes priority over the banner being the wrong shade of orange for example. Or rather it should.


That is right, since most people wouldn't care about the banner that much. They're probably mostly concerned where their info is going, and the security of the site that holds their info. I was worried about my info when registering for fA, so I created an all new email so in case stuff like this happens. (And thankfully I did, because you know hackers are. I've lost personal info from them, and it's not fun.)


----------



## vaati9999 (May 20, 2016)

Technically, not all hackers have to be stopped since some of them have good intent (white hats). Grey hats are most often harmless but should nonetheless be checked. Black hats are the interesting ones.


----------



## Dallas (May 20, 2016)

vaati9999 said:


> They used ImageMagik. There is a documented exploit that was used by the hackers. In fact, you could google exploit and the name of this exploit to find exactly how this works. The makers of ImageMagik probably forgot a little detail that causes this bug, hence the attack. Although, the site's dev team should have patched the exploit before it was put to use.


That's not how it works, I'm sure the vendors went to work at patching the exploit as soon as it was discovered. If not, then they're only partially to blame for two reasons.

One, if they did push out an update quickly and FA failed to implement it, it's not their fault.

Two, if they took their time and took weeks to publish the update, then they're only partially to blame for the following reason.

I don't know what that particular software application's function is, as I've never even heard of it, however I do know for sure that there is something else out there that is more than capable of replacing it temporarily while providing the site with close to, if not exactly, the same functionality as the original application granted you may have to tweak the settings on the new but one so what.

If a piece of software was being used and it was publicly known that a vulnerability in that software would lead to the source code of the entire website being siphoned off, that piece of software should have immediately been suspended as soon as the devs found out. Choosing to continue using it knowing they were at risk was their first mistake, and now that the source code is out what's done is done.


----------



## Dallas (May 20, 2016)

vaati9999 said:


> Technically, not all hackers have to be stopped since some of them have good intent (white hats). Grey hats are most often harmless but should nonetheless be checked. Black hats are the interesting ones.


This is irrelevant to the conversation. To me it feels like you're just throwing around terminology to try and fit in and look better. You're better off if you just don't. That sort of behavior will get you the exact opposite of what you're trying to do.


----------



## vaati9999 (May 20, 2016)

Dallas said:


> That's not how it works, I'm sure the vendors went to work at patching the exploit as soon as it was discovered. If not, then they're only partially to blame for two reasons.
> 
> One, if they did push out an update quickly and FA failed to implement it, it's not their fault.
> 
> ...



I'd suggest you go take a look at this link... but I don't think anyonwould trust this kind of links... here it is anyways : https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html 
A lot (I really mean a LOT) of other applications/sites/etc. are running on software with faulty code. It would be extremely costly if they had to patch everything. It is, in fact, how it works (ImageMagik being one example out of many). Here is another from none other than Word (microsoft office) : https://www.cvedetails.com/cve/CVE-2016-0198/


----------



## vaati9999 (May 20, 2016)

Dallas said:


> This is irrelevant to the conversation. To me it feels like you're just throwing around terminology to try and fit in and look better. You're better off if you just don't. That sort of behavior will get you the exact opposite of what you want.


Isn't the title : Why weren't the hackers stopped irl


----------



## Dallas (May 20, 2016)

vaati9999 said:


> I'd suggest you go take a look at this link... but I don't think anyonwould trust this kind of links... here it is anyways : https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html
> A lot (I really mean a LOT) of other applications/sites/etc. are running on software with faulty code. It would be extremely costly if they had to patch everything. It is, in fact, how it works (ImageMagik being one example out of many). Here is another from none other than Word (microsoft office) : https://www.cvedetails.com/cve/CVE-2016-0198/


I honestly feel like you don't have a clue about how software works. You don't typically pay a vendor in order to receive critical updates to their software's security, or even updates in general. Also when was the last time you heard a company had a bunch of personal information stolen because someone hacked into Microsoft Word? Probably never because it's a word processing application that has absolutely nothing to do with running a server, and Microsoft patches security vulnerabilities for free via Windows Update. Whether or not consumers download and install those updates is their problem.


----------



## vaati9999 (May 20, 2016)

Dallas said:


> I honestly feel like you don't have a clue about how software works. You don't typically pay a vendor in order to receive critical updates to their software's security, or even updates in general. Also when was the last time you heard a company had a bunch of personal information stolen because someone hacked into Microsoft Word? Probably never because it's a word processing application that has absolutely nothing to do with running a server, and Microsoft patches security vulnerabilities for free via Windows Update. Whether or not consumers download and install those updates is their problem.


Word was another example... Updates patches holes. Updates are made from code, and code often brings bugs. Therefore, patches can bring bugs, but that is way off topic. Why don't we talk about the topic? Unless you insist, you could always start a new thread.


----------



## Dallas (May 20, 2016)

vaati9999 said:


> Word was another example... Updates patches holes. Updates are made from code, and code often brings bugs. Therefore, patches can bring bugs, but that is way off topic. Why don't we talk about the topic? Unless you insist, you could always start a new thread.


Bugs are flaws in the code that physically prevent the program from functioning the way it's intended to, not security vulnerabilities.


----------



## vaati9999 (May 20, 2016)

Dallas said:


> Bugs are flaws in the code that physically prevent the program from functioning the way it's intended to, not security vulnerabilities.


I'm quite certain it was not intended to be able to delete database records by manipulating an image...


----------



## Gem-Wolf (May 20, 2016)

@vaati9999 and @Dallas break it up


----------



## Dragoneer (May 20, 2016)

Dallas said:


> It was someone who knew about a security exploit and was able to extract FA's source code. Unfortunately that could be literally anybody. I'm just shocked that FA, having been around for quite some time now, has enough vulnerabilities in the actual code to cripple the site like this. Right after the con too, it didn't take months to find a vulnerability to exploit like it does with most software, it took days or maybe even hours.


It wasn't even just a simple coding issue. ImageMagick is an incredibly popular, widely used open source image processing library. The vulnerability was within ImageMagick, not FA. I'm not saying our coding was great, but this came down to open source software which someone found a hole and exploited said hole. I'm not happy about it. The moment we were made aware there was an exploit we patched and fixed it, but unfortunately, not before someone used it against us.


----------



## Gem-Wolf (May 20, 2016)

Dragoneer said:


> It wasn't even just a simple coding issue. ImageMagick is an incredibly popular, widely used open source image processing library. The vulnerability was within ImageMagick, not FA. I'm not saying our coding was great, but this came down to open source software which someone found a hole and exploited said hole. I'm not happy about it. The moment we were made aware there was an exploit we patched and fixed it, but unfortunately, not before someone used it against us.


If we changed our passwords when the site cane back do we have to change them again? Also, any idea when FA is open again?


----------



## Dragoneer (May 21, 2016)

Gem-Wolf said:


> If we changed our passwords when the site cane back do we have to change them again? Also, any idea when FA is open again?


We wiped all passwords to be thorough, so yes, you'll need to change it again. We didn't want to take chances. And we're still testing the new encryption and setting up some additional failsafes to help prevent abuse.


----------



## Gem-Wolf (May 21, 2016)

@Shaun Dreclin as Neer stated above - Yes we do have to change passwords just like I said earlier


----------



## Willow (May 21, 2016)

Why is it that whenever the site goes down for things like this, people assume it's because of evil mean people who hate furries? Even if it was, people have been telling staff they need to actually fix the code instead of applying band-aid fixes to it for years. This is just the unfortunate but inevitable result



DKitty said:


> If this was prevented, FA would had never been attacked. Now our personal info is breeched all thanks to those who hate and despise this community.


if the code was being passed around at a furry convention, wouldn't that make the likelihood it was someone _in_ the community quite high?


----------



## DKitty (May 21, 2016)

Gem-Wolf said:


> @DKitty i have seen a lot of your comments/threads over the past few days and well...look we all love FA but I honestly think you are borderline obsessive



I just came back here today...I haven't been on this forum in a year or so


----------



## Gem-Wolf (May 21, 2016)

DKitty said:


> I just came back here today...I haven't been on this forum in a year or so


Ahhhhhh shit you are totally right!! I just went to check and the person I thought was you - wasn't you!
I humbly apologise and will remove my comment


----------



## DKitty (May 21, 2016)

Gem-Wolf said:


> Ahhhhhh shit you are totally right!! I just went to check and the person I thought was you - wasn't you!
> I humbly apologise and will remove my comment



No worries.


----------



## SSJ3Mewtwo (May 21, 2016)

Because Neer has answered in this thread, I am going to close it up to keep it from devolving into just speculation and finger-pointing.

The question of 'why didn't anyone stop the USBs from being handed out' is answered with a direct 'No one knew of their significance at the time, and it only came about after investigation (hindsight, in other words).'  I can't agree more that it's very frustrating things played out this way, but the site was rectified as quickly as able, and we are doing our best to ensure this cannot be repeated.


----------

