Creative Commons license icon

security

FurBuy down for 'months' after spat with security researcher

Your rating: None Average: 3.8 (13 votes)

FurBuy pack-rat mascot by FurryVenus Furry auction site FurBuy remains offline, a month after it was abruptly taken down, leading to severe corruption of the 19-year-old site's database.

Site owners say May 23's emergency shutdown was intended to recover from a freeze triggered by a self-styled security researcher's access, and announced a months-long renovation.

The researcher revealed their involvement, claiming to have been blocked by FurBuy after contacting them on Twitter. They said they did not access the database, but that someone using the vulnerability they found would be able to do so - which is disputed by the site owners.

Modern database systems and server hardware are meant to cope with unanticipated downtime by writing to disk in such a way that the data can always be recovered to a consistent state; however, this requires appropriate configuration, and tends to decrease overall performance. It is also possible for hardware to fail under stress.

The last successful backup of the site was made in October 2017, but this remained unnoticed after the death of long-time system administrator Mordrul last August, from thyroid cancer.

High Tail Hall data breach revealed; owners say new site "MUCH more advanced"

Your rating: None Average: 4.4 (24 votes)

HTH Studios The BBC reports the theft of user data relating to decade-old furry adult game High Tail Hall and its successors.

HaveIBeenPwned lists the disclosure of 411,755 HTH Studios accounts from August 24, including data such as:

Browser user agent details, dates of birth, email addresses, IP addresses, names, phone numbers, physical addresses, purchases, usernames

Passwords were stored as "salted" SHA-1 and MD5 hashes, which may decrease the impact of their being compromised - however, such protections are no longer considered sufficient to protect original passwords, due to the speed at which these types of hashes may be computed.

High Tail Hall, originally released on Newgrounds in July 2004, is described by its creators as:

a puzzle game where you can have erotic encounters with the surrounding characters, and work out your frustrations if you come across a particularly complex puzzle.

Fur Affinity restoring from six-day-old backups after server compromised; site source code distributed at BLFC

Your rating: None Average: 3.6 (25 votes)

Fur Affinity has been "pulled offline temporarily" after users' accounts and submissions went missing.

Update (21 May): FA returned for a day, but is now in read-only mode. Passwords were said to be hashed and salted, but if you've used the same one elsewhere, now is the time to change it to be unique per-site.

Update 2 (23 May): Fur Affinity has returned; however, all passwords have been reset, which is causing problems for those with an old/invalid email address.

It has been confirmed that an exploit was used to copy Fur Affinity's source code, later distributed at Biggest Little Fur Con. A subsequent attack deleted user profiles, submissions, and watches.

FA users took to Twitter and the Fur Affinity Forums looking for answers – which appeared to have been preemptively provided by a post asking "What would you do if you found an exploit on FA?", posted last Sunday on the Phoenixed Forums. However, more recent posts by the original poster disclaim responsibility.

The recent "ImageTragick" vulnerability in widely-used processing library ImageMagick was soon turned into an exploit and has been identified by FA as the original attack vector.

Fur Affinity community manager Dragoneer reports that backups exist, but are six days old:

The majority [of the site's data is secure], yes. The backup we have is 6 days old. We're still going through and trying to determine the extent of the issue, and once we have more information, we'll post it publicly and give a full, transparent run down of what happened.

Hacked repeater brings furry podcast FurCast to FM radio

Your rating: None Average: 5 (5 votes)
The Lift FM

Are furry podcasts unsuitable for breakfast? FM listeners in Colorado sure thought so!

On the morning of April 5, Denver-area FM station KIFT 106.3 "The Lift" suffered a broadcast signal intrusion on a relay station serving a remote valley. Instead of Bruno Mars, listeners in Breckenridge, Colorado were treated to Paradox Wolf, Fayroe and friends.

Denver station KCNC-TV "CBS 4" contacted The Lift for an explanation, and were told they send programing from their studio to four transmitters via the Internet. Somehow, the Breckenridge repeater K258AS (99.5 FM) was compromised, and someone had spliced in Furcast Episode 224 in place of The Lift.

Thankfully, the primary FM and webcasts of both The Lift and Furcast.FM / XBN were unaffected, but a large amount of NSFW programming, including swearing, was broadcast without censorship for several hours, with The Lift's engineers unable to kill the studio/transmitter link remotely.

On FurCast's end, their server saw a gradual rise in connections to its podcast archive (used on its website and iOS and Android apps for listeners) from 06:00 AM EDT onwards, until they were able to temporarily disable access at 02:30 PM EDT. The archives have since come back online at a new address, with a long list of blocked IP addresses to prevent a recurrence.

Opinion: Hotel management doesn't care what your fursona is

Your rating: None Average: 3.4 (15 votes)

In 2002, I wrote an article here about the problematic side of furry fandom, and what we needed to do about it. In 2007 I gave the fandom positive grades for progress made. In 2011 I praised the fandom for it's growth and outreach while also cautioning that growth can also come with its own difficulties. But now I fear that I need to talk to the fandom again.

The fandom has grown. With that comes a growth in the number of idiots and trouble makers, so risk isn't a hypothetical anymore. Damaging chairs, wrecking public areas, inappropriate conduct and a return to the "squick the mundanes" attitude that I'd hoped we'd moved beyond. This has already resulted in the failure of one major convention, Rainfurrest, and we need to all act to prevent it from happening to another.

FurrTrax is a new furry social network

Your rating: None Average: 3.9 (26 votes)

FurrTrax is a mobile app, social networking site and collaboration system to help members of the furry fandom organize, plan events, make friends and find other furries in their local areas or with simular interests.

Key features include public and private chatrooms, including video chatrooms, a public shoutbox, webmail hosting, heavily customizable user profiles, with user manageable comments walls and user image gallery and file sharing, GPS distances of members (but not actual pinpoints), event posting and planning, singles and dating, private messaging, image galleries, a section for authors and their stories, including fiction and non-fiction, user forums, a classified section, a user to user store, groups pages with group walls and status updates and notification. Instant messaging is not yet available but is coming soon.

FurrTrax is not a paysite, or a subscription site, and does not require any purchase of any kind to use all of the sites sections. There is however a Donator Rank which offers some basic bonuses including choice of name color, colored chat text, the ability to add background images to profiles, attach extra profile pictures over the default of 10, embed YouTube videos on profile and access the rich profile editor tool. The minimum donation is one dollar. All features not listed here are given to basic members by default.

The FurrTrax mobile site is also in transition to a new Jquery mobile theme, so some pages may not match the look of others. This is temporary.

FNN ceases operation in wake of hack attack, after 4-year run

Your rating: None Average: 3.9 (18 votes)

FNN 2014 Logo Furry news aggregator Furry News Network has closed its doors – for now – after an attack which left the site replaced with a password entry form.

While the attack was "the final straw", health issues had limited the efforts of FNN founder Markos for some time, as he explained April 1:

Due to health issues, and a recent hacking attack, I have decided to end this version of Furry News Network. The site and its content has been archived. I've been considering this for several months, and the hack attempt that took the site off line March 30, 2015 was the final straw. I've really enjoyed working with members of the Furry community to bring the content to you. For those of you who don't know my history, I've had health issues for the past 14 years. I lost a kidney in 2001, had heart issues start in 2007 and was hospitalized with an auto-immune disorder in 2009. In 2014, I fell and broke my hip and have never fully recovered. I am now fighting stage 3 kidney disease and anemia. I need to deal with my health. I will sorely miss many of you and look forward to the day I can bring Furry News Network back. Thank you!

Comparison of furry website HTTPS configurations

Your rating: None Average: 3.6 (7 votes)

Security is necessary for one's own protection, both offline (to protect one's physical safety and possessions) and online (protecting identity, money and, as the our digital and real lives become more integrated, even physical possessions). Our own behaviours and security systems need to work together to be effective. It's no good having the latest burglar alarm, strong locks on your doors and a security gate if one leaves the door wide open. Similarly, it's great to lock the door each time one goes out - but if that door is secured solely by a latch, it won't be effective. As I've given some basic guidelines on how to stay safe online, I'm now comparing how furry sites are helping their users stay safe.

Update (Jan 28): All Weasyl servers now receive an A grade, however the server configuration is still not consistent.

Doing the FA tango; one step forward, two steps back

Your rating: None Average: 4.1 (18 votes)

One must wonder whether it's time Dragoneer stepped down as head of Fur Affinity, as he continues to make poor leadership decisions. Earlier this year, he stirred controversy by announcing Zaush, who'd been accused of rape, as development lead for Project Phoenix. This time he has made sure there are no lingering doubts over the suitability of his appointments by choosing a fur with a history of maladministration.

StarryKitten was recently announced as the new head of the FA tech team, tasked in part with “bringing more transparency” to FA. Some noticed that StarryKitten had only joined FA about a week before the announcement was made. As it transpires, StarryKitten was an alternate account created by the infamous Zidonuke, the real head of the FA tech team.

StarryKitten: I am Zidonuke (Fur Affinity)

With the concept of irony easily going right over Dragoneer's head, it was further revealed that the tech lead with a puppet account has been a secret member of staff since 2013:

I've actually been a hidden admin on the FA staff for over a year now.

Online security in furry fandom

Your rating: None Average: 4 (2 votes)

Hopefully, all Internet users have, by now, heard about the United State's widespread spying programme which has recorded huge volumes of data passing through America. Just as concerning is the looming, default porn block in the UK which will not only block porn by default but also violence, alcohol, smoking and Internet forums, among other things. These programmes should be of major concern to all Internet users. They are also a perfect opportunity to talk about online security.

Dragoneer's Dorsai complaints spark FurFright spat

Your rating: None Average: 4 (11 votes)

October saw up to 1500 furs converge on Cromwell, Connecticut for annual Halloween-themed furry convention FurFright. However, the event was marred by controversial reports about the actions of the Dorsai Irregulars security staff.
Dorsai Irregulars logo
On 28 October, Dragoneer declared he would not return to FurFright until the Dorsai's removal, citing complaints about their behaviour ranging from minor, unprofessional annoyances to threats of having him arrested.

I'm done. I'm done with this. Furfright is (was?) my go-to convention. I love this con, and I love the staff, but the security have overstepped their bound year after year, and I'm done with it. I've brought up these issues every year for the past five years to the convention and nothing has ever happened. Hell, I've even been told the Dorsai are not to SPEAK to me unless they went through certain Furfright staff first due to the shit that happened in previous years.

Dragoneer's sentiments were echoed by his fiancée, Sciggles, and Silver/ThatDamnWolf – a member of FurFright staff who subsequently resigned, saying he is unlikely to return even if the Dorsai are removed. A petition to this end had gained 266 signatures as of 5 November.

Weasyl goes up, then down again over "obvious issues"

Your rating: None Average: 3 (6 votes)

Weasyl on an easelNew art site Weasyl has been taken down after just a day online, while developers "work on some obvious issues".

The site's support forum has been flooded with threads reporting a variety of issues and feature requests.

More seriously, some are already probing for vulnerabilities, though at least one has been reported responsibly.

Weasyl appears to be hand-coded, raising the spectre of security holes, although past experience may have been enough to encourage the use of basic precautions.

Update (8 Oct): Weasyl is back, with a laundry list of fixes.

FA user suspended over alleged 'password harvesting'

Your rating: None Average: 3.6 (8 votes)

Fur Affinity user Xaevo was suspended from the main site and banned from #furaffinity after being accused of password harvesting and insulting Summercat, a support administrator.

Xaevo posted a link in the chatroom to a site that he claimed would allow people to see their FA stats regardless of who they were logged in as. Summercat criticised the site asking for users' FA passwords and requested that the site be taken down as it was phishing.

[14:18:14] <Summercat> Xaevo, please take it down.
[14:18:23] <Xaevo> no, i see no reason to take it down

Xaevo continued to protest the accusations of phishing, saying that phishing only applied when you were masquerading as a trustworthy entity. He maintained that his source code was public and did not save any passwords. When Summercat called it password harvesting, Xaevo called him a 'noob', and was banned from the chat room and suspended from the main site.

Update: 45 minutes later, Xaevo's suspension was lifted.

Rogue coder's attack takes F-List down

Your rating: None Average: 4 (3 votes)

Furry roleplaying description site F-List is down after an attack from a disgruntled developer.

While the developer's SSH access had been removed, he regained access through a backdoor. The coder gave all users administrative rights, including access to email addresses and IP logs.

In a maintenance notice, F-List founder Hexxy urged calm:

F-List will be fine. The only interest we have is in bringing the site back up, and ensuring everything is secure. A former coder uses his access to F-List's servers to mess things up. No permanent damage has been done, but things are a little emotional right now. Don't do anything stupid, that doesn't help anyone, it just creates more damage.

Repairs to the site are expected to take at least two days, but a temporary copy is available.

Third-party tracking cookie removed from Flayrah

Your rating: None Average: 5 (3 votes)

AddToAny – the blue + on Flayrah that allows you to share articles – adds an undocumented third-party tracking cookie (map.media6degrees.com) to aid behavioural advertising.

I have disabled the cookie and filed a feature request to disclose this option in documentation. Users concerned with privacy may consider opting out of behavioural tracking.