Fur Affinity attack results in privacy violations
Fur Affinity users are demanding answers after intruders stole and posted private message histories of over 40 users, including site owner Dragoneer and several staff.
All regular administrative access has been removed, and Dragoneer says it will not be restored until all problems are found:
"Until we're 100% sure that the entire admin backend is revised, checked, double-checked and triple-checked we're playing it safe."
The leaked notes appear both authentic and comprehensive, dating back to 2005, and their contents are already the subject of widespread debate.
Many well-known members were marked as "deceased", had journals posted under their names, and had their galleries deleted during the attack. Screenshots from Fur Affinity's administrative forums, subsequently suspended, were also posted.
Initial comments suggested that a cross-site scripting vulnerability in the trouble ticket system was used to compromise an administrative account. However, it has also been suggested that passwords from last week's Gawker database leak may have been used to gain access.
Update (21 Dec): Dragoneer has posted more information, confirming the trouble ticket issue but denying Gawker's involvement.
Update 2 (23 Dec): Those directly impacted by the leaks have been offered a sponsor-level membership to FA: United 4.
Fur Affinity suffers from many long-running security issues. Just two months ago, a new feature was exploited to hide comments throughout the site.
About the author
GreenReaper (Laurence Parry), a developer, editor and Kai Norn from London, United Kingdom, interested in wikis and computers
Small fuzzy creature who likes cheese & carrots. Founder of WikiFur, lead admin of Inkbunny, and Editor-in-Chief of Flayrah.
Comments
First! Luckily I'm so boring I have nothing to hide.
Well obviously we have a hacker in Furaffinity, he's climbing in yo servers. He's snatching yo usernames up, trying to break 'em. So ya'll need to hide yo yiff, hide yo murr, hide yo scritches. Cause they hacking everybody up here.
At this point the Administrators have control, but unfortunately there is still information the hackers took in which they're going to be leaking at a later period of time.
Wow you really missed the joke there buddy.
(Didn't mean to edit mean to reply to my old reply)
EDIT: Yeah, I saw the Bed invader song like yesterday, I usually ignore the YouTube videos cause generally the masses love crap I don't want to watch. So the roo up there is an idiot.
Sounds like they're doing more than hacking everybody up here -- but I suspect with female victims, and how females are regarded in the fandom, no one will give a shit (and people are already doing the "it's not rape rape" excuse, anyways). I suspect that story will just disappear. A male artist, a female victim? Guess who wins that fight in the furry fandom? We always lose. I'll never go to a con again. Neither will others, and all we've ever gotten was anger for it. No wonder there are so many zoophiles in the fandom -- dogs can't talk. "Bitches" can.
If you were a victim I would advise you come forth and try and press charges, and hope that it remains not posted on the internet for the whole world to bear witness to, unless that's what you really want.
I mean, I am fine this thing got out in the open, if the victim is fine with it, but sometimes the victim doesn't want that, and announcing it to the world as Lulz did is almost making them a victim again. Luckily the victim came forward and said she didn't know what to do and in hindsight it was a mistake to ask Dragoneer about this.
It was, but it wasn't her fault, it's really our society which doesn't teach even our young adults who are going into sexual maturity what to do if this awful event occurs. They don't tell you about rape kits, getting the police involved, how to best approach it so the bastard pays.
It's something that most definitely needs to change.
10 bucks says this is because of FA's recent ban fetish.
No. The lulz.net userbase just really hates some people on FA.
I'd hate to say it but so long as Dragoneer is still a site owner lulz.net is going to keep trying to ddos Fa.
He really really needs to think about what is best for Fa, either be owner of a site that at this rate won't last another month, or step down and keep the fandom together?
1) FurAffinity is not the furry fandom.
2) Reacting because of a DDoS attack sets a bad precedent, because the next time they want to violate Net Neutrality principles by trying to politically persuade by affecting speed of content, then they'll know it worked the last time.
FA is not the Furry Fandom? I'm sorry, it must be the Pokemon fandom or something, amirite?
Also this comment wins;
"By good job do you mean by him sticking his fingers in his ears and going "LAW LAWL LAWL" every time someone mentioned a serious security flaw?
It's a mess of their own fucking creation that many many many people warned against."
FA brought this on themselves. It's a good thing someone decided to give them a swift kick in their complacency.
I think it would have been a better thing if they didn't need it in the first place.
Well, it's certainly not the Sonic fandom anymore . . .
I think his point was that the fandom is more than FA, just as it is more than Anthrocon. While it can be nice to be all together, there are benefits to distribution, and one is that fans are not beholden to a single site's flaws.
"Well, it's certainly not the Sonic fandom anymore . . ."
And nothing of value was lost. ;3c
But I agree with greeny and Sonious (which fills me full of a great shame. J/k). Furaffinity, while better than the other furry art sites out there imho, is Not the furry fandom.
Don't get me wrong though, I think some serious changes need to happen around FA.
On a side note, Reaper, when are you going to open an art site. You can add it to your furry portfolio :p
Ummm... he's like one of the runners of Inkbunny :P
I did consider looking to take over an art site before I was invited to help moderate over at Inkbunny.
It's probably for the best that I didn't. I have a limited amount of time and web development skill.
Seems like FA is really getting reamed recently, you have to wonder how much longer it takes before they just decide to take the whole site offline till further notice. Security holes, losing their AP account, hacking. I mean, I know that furry sites are targets but FA is getting it about 10x worse. Either that or they're just the biggest so it's reported more. :/
I read this piece of news and I have this imagination of Dragoneer and other admin's private message cables being posted up on Wikileaks.
Except the DDoS attacks were against Wikileaks, not the organization that was leaked.
Dragoneer just posted more information about the attack on the FA LJ.
Those directly impacted by the leaks have been offered a sponsor-level membership to FA: United 4.
That's a no go.
From Dragoneer's Twitter:
"@almightytora I would love to offer Super Sponsor, but FAU is on a different budget from FA, and super isn't something we can do.
6:07 PM Dec 22nd via web in reply to almightytora"
That's super-sponsor, not sponsor. They're different things. You need to go to more conventions. :-)
The word 'more' implies that I currently had a number that could be added to. Replace the 'more' to 'a' and you'll be all set.
Zero is a number!
Probably time to close my FA account (but I can't.) I would only use it for communications. As others said I feel FA is part of the fandom but smut peddling embarrassment and I cannot come up with one reason why I should defend FA and as far as my opinions go I would not call FA part of the fandom. If it goes away no love lost.
One problem is they have no means to deactivate and lock accounts.
You could always do as anyone else and make your page say you aren't there anymore, why would you need to lock your account from yourself? Unless you mean the whole shouts and comments thing, which there should be a way to lock that anyway.
If you can upload Youtube videos and deactivate comments, why not uploaded art?
I did not care about hard core porn especially the child porn, oh excuse me, cub art of interaction by a minor and minor or minor and adult. I pulled all my art out. I not like certain crusades, I left and felt making a big stink about fur affinity would be futile at best.
The problem is abandoned accounts are a back door for hackers especially if the address info was never updated; there
Um, Furaffinity banned cub porn... like a month ago. As far as porn goes, if you disagree with it then why did you join FA in the first place, it was kind of there to begin with?
First, glad to see someone has a news site up. You guys should contact me through my Furtopia page and see if we can't find some people to get together and wrap this and other furry sites up into a one-stop resource site.
Anyway...
Furaffinity got attacked, right as they suspended my account. I posted a trouble ticket because someone created an account solely to post hate speech about furries. Pinkuh answered the trouble ticket, saying the page didn't violate the TOS. I had previously (like 3 months before) posted a trouble ticket on Smash/Infocides posting comments, and avoiding a ban (he has several names he uses now, Smash, Infocides, Shooshooangel, bpetersxx, and many, many more). At some point in this mess, I called Pinkuh ignorant for not shutting down Smash's hack accounts (he uses IP blocking software to avoid IP bans). He then responded to my trouble ticket about the fur-bashing FA account and said it didn't violate the TOS. I reiterated my assessment of his ignorance and posted a copy of the TOS which clearly stated hate speech was not permitted. He then proceeded to suspend my page for "harassing speech." Now, I'm sorry, but how can a PROFILE contain harassing speech? Unless you consider my opinions about Dragoneer and facts about Smash as harassing, my profile was not in violation of the TOS.
Dragoneer is a man who is so full of himself, it's not funny. He has a secret security clearance, yet commits fraud by seeking donations and claiming FA is non-profit (it is clearly not, as it is owned by Furrox LLC, a FOR PROFIT corporation.) What bothers me is that Dragoneer is obsessed with both cub art, and zoophilia. He will ban anyone from the site for even a hint of zoophilia, despite it not being illegal in most states in the US; yet cub porn, which is illegal in the United States under 18 USC 1466a, was only recently banned, and only because of financial reasons. Combined with his comments on Tora's page, leads me to believe some pretty disturbing things about him, which are very well backed up by his promotion of criminal activity on Furaffinity. I'm not saying he is this or that, all I AM saying is that for anyone who wishes to make that assumption, or leap, or conclusion, the evidence is all right there. He is popular solely because of Furaffinity, period. But he runs the site so badly, it's not funny. He makes himself quite the target.
I despise Furaffinity a great deal. I am not capable of launching any kind of hack against the site, nor would I because of my ethics. But dayamn; if I can hate on FA so much for all the right reasons; why wouldn't hackers, many of whom consider themselves to be revolutionaries, protecting us from bad people - or something like that.
FA deserved the attack. And FA users deserve everything they get from the site, its lack of security, its crappy admins, the constant harassment, libel, and more; and they deserve it because they tolerate it and promote it.
I myself am trying desperately to create a site to replace FA and other art hosting sites. I believe users should have full control over content on their own pages, and not have to take extra steps to prevent harassing comments, etc. I also despise how poorly run FA is and have an idea for better infrastructure. But I don't want credit for this, I just have an idea of how to give furries something better, and how to keep the furry fandom from degrading even further than it has.
Bleah. This shouldn't be so stupidly dramatic.
For the record, I will not be monitoring this post or site, so don't expect me to converse or otherwise further participate.
I was going to reply to Sonious above, but the site's code is FUBAR. Here is my reply...however...
...I noticed that the site is run by GreenReaper. Forget what I said about working together. GreenReaper has proven himself to be no better than Dragoneer. He runs WikiFur for his own benefit, and makes up the rules as he goes. He promotes harassment and libel. He is just as much a criminal as Dragoneer.
I wonder when this site will be hacked.
No offense, but if you ever had a site I probably wouldn't visit it, and if I did I probably be on it for long. It seems to me your idea of "harassment" and "libel" are so paper thin you'd probably only end up having a website of yes-men eventually. You seem to have an all or nothing idealist mentality, that if there is a little sin in the group then everyone deserves what they get. By that logic why stop at FurAffinity? Why stop at furry? Why not go for all of humanity?
Because someone in this world is a brutal dictator, all human beings deserve to fall on their knees to them, to be slayed because they are all equivalent to the dictator for sharing a planet with them? Because someone is using a service means they agree with everything the people running that service have to say? Because I'm a resident of the US mean I agree with everything politicians do with my name?
No.
The answer to those questions is no. I wouldn't have frowned upon this action as much if it only affected Dragoneer and those making the decisions that lead to this outcome, but others, who also don't get along with Dragoneer that well were affected.
To me I've seen the use of libel and harassment has been used so much, it's almost become an act of terrorism used to try and frighten people from speaking their mind. Used to slander others whose only crime is speaking their mind, even if their opinions are sometimes factually askew.
In fact, you stated "What bothers me is that Dragoneer is obsessed with both cub art, and zoophilia."
Since Dragoneer has not been shown to have gotten off to animals, or had sex with them, nor has he been charged with related crimes, I think it kind of makes you hypocritical to your own set of ideals. If you don't want to see people make baseless accusation, maybe you shouldn't either.
I'm guessing this is about FurFest Northwest? My only edit to that article was add the guests of honour.
You came in, didn't like what you saw, made a legal threat on the talk page. Funny how history repeats itself.
A wiki is far more than its founder, just as a convention is far more than its chair.
An expert "Slander lawyer" accusing everyone of slander slanderously?
Isn't that ironic...