# Announcement - Security Problem and Admin Resignation



## blueroo (Jul 23, 2007)

I have resigned my adminship with FurAffinity today. There are plenty of reasons not to do so, but one reason overall pushed me to take this drastic action.

It appears that the FurAffinity forums have been compromised by a user, Calorath, and the adminship can not or will not act to inform the usership. Because of this, I am forced to tell you. We do not know when the compromise happened, however we do know that for at least a week now Calorath has been able to access private areas of the forum, including the Admin forums where decisions are discussed and made, the Technical forum where design, coding, site security, and site vulnerability discussions are had, and probably private messages. Yes, your private messages. There is a possibility that an admin or former admin is leaking information to him, however all the information at this point suggests that there may be more happening than that.

It is highly likely that Calorath also has access to the entire forum database. Passwords within the database are encrypted with a one-way hash, however weak passwords can still be found with various techniques. If you have a simple password, I would advise changing it now. If your forum password is the same as your site password, I would advise changing your site password as well. If you conduct business by PM on the forum or the site, I would suggest stopping.

Damaratus, FA's lead administrator, wants this entire issue to be buried, worked out behind the scenes in secret. He believes assurances by Calorath that he would never do anything malicious. Believing the lies of a criminal is plain foolish. Damaratus' refusal to make a public announcement is what has prompted me to resign and make this announcement. Some members of the staff believe I am being childish, selfish, and that I am over-reacting. In the real world, I am a professional Systems Administrator and dealing with security is one aspect of my job. As administrators, we have a responsibility to our users. I believe that I am being a responsible administrator. Serious Business, perhaps. But my job none-the-less.

It was a pleasure to work on FurAffinity. I enjoyed working with the entire userbase, even those of you who are silly and like to troll, and it was really fantastic to see a lot of the changes and improvements that I made are what keep the site speedy and stable today. I'm only disappointed that I won't be able to finish some of the features I was working on and some of the features I wanted to work on, such as mailing lists and fetching site messages with mail clients, as well as advanced search. Yes, search is coming soon. I finished getting the search backend together and boy is it fast. It just needs site integration work now.

In short, keep up the good lulz, behave yourselves, and create more awesome (and not so awesome) art.

-Blueroo


----------



## Calorath (Jul 23, 2007)

Here is the only reply I will dignify this post with....

This administration exudes childish behavior, and your post is the perfect picture.

I do not, nor have I ever had access to anything that I shouldn't. I simply can not avoid hearing some of the things that leak out..... I hear lots of things actually. 

You would do well to perhaps remember that sometimes the things you do not understand merely would require a civilized conversation. Rather than idiotic drastic measures such as your little 'hissy' here.

Good day


----------



## ArrowTibbs (Jul 23, 2007)

What proof do you have that he has been accessing your forums?

You behave as though Calorath is an inherantly malicious person, but I think quite the opposite. You act as though he would purposely seek out passwords and other personal information out of malicious interest. 

I find that accusing him to be a 'criminal' is far out of line, especially without presenting proof.


----------



## verix (Jul 23, 2007)

Whoa, hold on a second. Calorath is part of the Hollywood Ten? Holy crap, I had no idea.


----------



## Dragoneer (Jul 23, 2007)

blueroo said:
			
		

> It is highly likely that Calorath also has access to the entire forum database. Passwords within the database are encrypted with a one-way hash, however weak passwords can still be found with various techniques.


I'm sorry, but if the passwords were at risk, I have doubt Calorath would merely sit on that information and/or exploit it to any degree. He and his friends have too much to lose due to that, and it would benefit nobody. Especially given that Calorath has greatly helped FA in the past, such a sudden change is both unlikely and, in my opinion, not likely. That's nto to say it couldn't happen, but in this instance... I don't believe it did.

If said exploit existed to such degree that it did, it would have been used against us with great voracity by those who truly want to see Fur Affinity fail.


			
				blueroo said:
			
		

> It is highly likely that Calorath also has access to the entire forum database. Passwords within the database are encrypted with a one-way hash, however weak passwords can still be found with various techniques.


I can not help but feel you are crying wolf on such an issue without any form of sufficient evidence to back up your claims on this matter. Where's the proof? There was an assumption that Calorath got access to the admin forum at about the time we upgraded the software, but I never saw any evidence or anthing to raise my suspision over it. I have combed over the security settings for the forums, and I don't believe there was an issue to begin with.

While I heard your concerns in the admin forums, and we pushed with an update to the forum software, this problem was not as dramatic as this post makes it sound. I never saw evidence of any leaks. I'm not going to say there aren't vulnerabilities, because that would be foolish of me, but I didn't see anything here to warrant a major announcement when we couldn't proove anything, let along to directly point accusationary fingers with no tangible evidence to support such claims.


			
				blueroo said:
			
		

> Damaratus, FA's lead administrator, wants this entire issue to be buried, worked out behind the scenes in secret. He believes assurances by Calorath that he would never do anything malicious. Believing the lies of a criminal is plain foolish.


And I agree with Damaratus' methods. Investigate before pointing fingers. Damaratus was trying to find information on the issue and trying to find out what happened in a tactful manner. Furthermore, can you please illustrate to me Calorath's criminal record? I'll admit, Calorath can be stubborn, but he's got an iron-like personality, yet has good intentions. To be openly honest, he can be a bit trollish at times, but not maliciously so.

There was no need to make any sort of "public announcement" because nothing was ever proven. There was no evidence against Calorath or any other user, nor any proof that anything had happened but some potential information leaks which, unfortunately, do happen. But it's not like any great secret was let out, and no real damage was done save for a small bit of paranoia and curiousity behind the scenes. 

I'm not sure what to make of this post, but I'm going to openly admit that I feel... quite a bit saddened.


----------



## Vitae (Jul 23, 2007)

Oh man, there has GOT to be something deeper then just this issue, Blueroo. 
It can't be just this ONE issue that is making you so upset that you want to leave.
Is it a combination of issues? Do you not want to discuss them?
If you'd like to talk about it, I'll be here online (catch me on aim batboydotjpg) if you need to talk to someone who can offer help.
I may be a big fan of the lulz, this is true.. but when I need to be serious I am serious.


PS: preyfar check your pms


----------



## Arshes Nei (Jul 23, 2007)

Calorath's criminal record was that IRC was for talking and he moderated and devoiced people on #furaffinity!


----------



## Litre (Jul 23, 2007)

IRC IS FOR TALKING


----------



## nobuyuki (Jul 23, 2007)

some quiet time will do this place doog


----------



## wut (Jul 23, 2007)

Accusations without proof and outright blaming a user/calling them a criminal? I wish I could say it was shocking but we've been here way too many times in the past.


----------



## Arshes Nei (Jul 23, 2007)

Having been around quite a while on FA, I have to say Calorath is not a hacker, nor compromised your site. It's likely a mess-up on the administrative end as to why you think he has the access you think he does. I don't get along or agree with a lot of people on the site, but if you just sit and observe you realize who is actually capable of what. You also realize who would do something more unethical than another person.

With this announcement, I do have to say, the more things change the more they stay the same. The same kind of accusations and easy irritability hangs about. 

I have disagreed with Calorath, not about what the administrative needs, but a lot of people are unhappy with current staff - (those who are more involved vs, the lower end user). My problem is that it's great to tell people "Well you need better staff" but it takes more thought to start suggesting who. I know there were people that wanted to help, that felt FA burned them and now won't help, there are those who feel they won't make a difference because of the bureaucracy involved in the site. I get a lot of boiler plate, and talking points "Well yes we know there are problems with the administrative" but it takes a better person to give solutions to fix things.

I can acknowledge I'm lazy and broke, but it means nothing if I'm not going to get a job so I can STOP being lazy and broke- Coming up with solutions aren't easy but it has been frustrating to see things have just taken a backseat because people are afraid to drive change, in the proper manner. It's very much easier said than done. Leadership is not easy to find either.

You have gotten the site further than most other sites, FAP and other sites are boring as hell, and I admit part of the reason I hang around is because of the hilarity that ensues from mismanagement, instead of saying "fuck it" and leaving. You have a site that is trying to be more encompassing than other sites and not so narrow focused or defined as "sex" (despite the fact people admit to using this as a porn dump) I can put my clean and mature works in one spot. I can put music here (if I so desire) so it isn't a extremely narrowed site with "networking" unlike other sites that seem to lack something.

I think though better administration, finding the right kind of people and working with better defined leadership roles will help the site. Yes, these are generalities, but since I keep getting "well you don't know what is going on behind the scenes" what else can you expect?


----------



## blueroo (Jul 23, 2007)

I can only say that Calorath was in possession of information that could only have come from the admin forums. In fact, he quoted an admin from the private forum word for word.

I am highly disappointed that the admin staff has decided to attempt to smear my name and call me a liar rather than address this issue.


----------



## Arshes Nei (Jul 23, 2007)

Ok, how are the admin forums accessed? Since I suggested the forum software, I know how they are actually and there is more than one way. So you have to think pretty hard if you're not accustomed  to Vbulletin and MyBB.


----------



## wicked sairah (Jul 23, 2007)

There is a lot more going on than just this stuff that Blueroo posted about. And the info in this post, I will not speak about right now. Now, when I say there is more stuff, I do NOT mean issues with FA or the FA staff, but issues with some users.

Because of this, I would be very interested in speaking with Preyfar about it in private, if he wouldn't mind e-mailing me at: Wicked_creatures@yahoo.com

I am very sad to see Blueroo go. I am not the only one that felt he was doing a fine job as an Admin.  After much thought, I do think this could have been handled differently all around.  But sometimes major stress (and harassment) can cause this to happen, and I actually hope that Blueroo would be welcome back as an Admin at a later date, and if so, I hope he would accept the job.


----------



## net-cat (Jul 23, 2007)

What the hell actually happened here?



			
				Arshes Nei said:
			
		

> Ok, how are the admin forums accessed? Since I suggested the forum software, I know how they are actually and there is more than one way. So you have to think pretty hard if you're not accustomed  to Vbulletin and MyBB.



It's not hard...

All of the forums I _couldn't_ get into.  (I/E: I got permission denied instead of an "Invalid forum" or and actual forum listing.)

http://www.furaffinityforums.net/forumdisplay.php?fid=5
http://www.furaffinityforums.net/forumdisplay.php?fid=11
http://www.furaffinityforums.net/forumdisplay.php?fid=17
http://www.furaffinityforums.net/forumdisplay.php?fid=24
http://www.furaffinityforums.net/forumdisplay.php?fid=34
http://www.furaffinityforums.net/forumdisplay.php?fid=51
http://www.furaffinityforums.net/forumdisplay.php?fid=52
http://www.furaffinityforums.net/forumdisplay.php?fid=58
http://www.furaffinityforums.net/forumdisplay.php?fid=59
http://www.furaffinityforums.net/forumdisplay.php?fid=61
http://www.furaffinityforums.net/forumdisplay.php?fid=62
http://www.furaffinityforums.net/forumdisplay.php?fid=68
http://www.furaffinityforums.net/forumdisplay.php?fid=70
http://www.furaffinityforums.net/forumdisplay.php?fid=72
http://www.furaffinityforums.net/forumdisplay.php?fid=73

Yes, I was really, really bored and went through all the numbers up to that point...


----------



## Arshes Nei (Jul 23, 2007)

Lol, you guys really don't understand the forum software...but keep going with that conspiracy theory, you're just really hurting yourselves with it.


----------



## nikuramon (Jul 23, 2007)

They say laughter is the best medicine...

well, I guess that makes FA my drug. XD


----------



## net-cat (Jul 23, 2007)

Arshes Nei said:
			
		

> Lol, you guys really don't understand the forum software...but keep going with that conspiracy theory, you're just really hurting yourselves with it.



... what?


----------



## Arshes Nei (Jul 23, 2007)

You're trying this "well let's put in category numbers to see if he's accessing it that way"

They're obviously looking at people's usergroups and permissions to see if he has access to any of them, I mean the first thing I do is look at the user directly in the control panel. However, it's fairly obvious that none of you understand why I'm laughing at this situation.


----------



## net-cat (Jul 23, 2007)

Ah. Yes. User Permissions and Group Permissions. I've run vBulletin forums before, so I know how they work there. (I've never dealt with MyBB, though.) If some idiot decided to grant a non-admin access to admin areas of the site and this is the ensuing drama, well, then lulz. If someone found a SQL or PHP injection (or any other of a myriad of potential security holes in web software) and took advantage of it, then we have a problem.

From what I understand, they're saying that he didn't have access in the control panel. And presumably they've looked through the request logs and haven't found anything there either. I suppose he could have somehow gotten access to one of the admin's computers and grabbed a copy of his sessions cookies. But all of this brings me back to my original question: What the hell actually happened here?

As for me trying forums number by number, well, what can I say? I was bored and don't have actually have access to the control panel. For all I know, they have a forum called "Reasons to ban that idiot net-cat."


----------



## Arshes Nei (Jul 24, 2007)

This thread is now a murry magical vagina void!


----------



## Damaratus (Jul 24, 2007)

See continuation of thread here. 

http://www.furaffinityforums.net/showthread.php?tid=10927


----------

