FurBuy down for 'months' after spat with security researcher

Edited as of 18:48
FurBuy pack-rat mascot by FurryVenus

Furry auction site FurBuy remains offline, a month after it was abruptly taken down, leading to severe corruption of the 19-year-old site's database.

Site owners say May 23's emergency shutdown was intended to recover from a freeze triggered by a self-styled security researcher's access, and announced a months-long renovation.

The researcher revealed their involvement, claiming to have been blocked by FurBuy after contacting them on Twitter. They said they did not access the database, but that someone using the vulnerability they found would be able to do so - which is disputed by the site owners.

Modern database systems and server hardware are meant to cope with unanticipated downtime by writing to disk in such a way that the data can always be recovered to a consistent state; however, this requires appropriate configuration, and tends to decrease overall performance. It is also possible for hardware to fail under stress.

The last successful backup of the site was made in October 2017, but the lapse went unnoticed after the death of long-time system administrator Mordrul last August, from thyroid cancer.
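The failure described above (a backup job that silently stopped succeeding, discovered only when the database was already lost) is the kind of thing a small monitoring script catches. The following is an added example written for this article, not FurBuy's own code; it assumes a constructed layout in which the backup job writes files named `furbuy-db-YYYY-MM-DD.sql.gz` with a `.sha256` sidecar, and it also checks the case of a dump truncated part-way through, which is what a hard power-off during a backup would leave behind.

```python
"""Backup freshness and integrity check (added example, not FurBuy's code).

Assumed layout (constructed for this example): one directory of dumps named
'furbuy-db-YYYY-MM-DD.sql.gz', each with a sidecar '<name>.sha256' written
by the backup job after the dump completed.  In production this would run
from cron and alert on any non-empty result; the point is that a backup
that stops succeeding must page a human, not wait to be noticed years later.
"""
import datetime as dt
import hashlib
import os
import re
import tempfile

NAME_RE = re.compile(r"^furbuy-db-(\d{4})-(\d{2})-(\d{2})\.sql\.gz$")


def sha256_of(path):
    """Stream the file through SHA-256 so large dumps are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backups(directory, today=None, max_age_days=2):
    """Return a list of problem strings; an empty list means the newest
    backup is recent, non-empty and matches its recorded checksum."""
    today = dt.date.fromisoformat(today) if today else dt.date.today()
    problems = []
    dated = []
    for name in os.listdir(directory):
        m = NAME_RE.match(name)
        if m:
            dated.append((dt.date(*map(int, m.groups())), name))
    if not dated:
        return ["no backups found in " + directory]

    date, name = max(dated)  # newest by date in the file name
    age = (today - date).days
    if age > max_age_days:
        problems.append(f"newest backup {name} is {age} days old (limit {max_age_days})")

    path = os.path.join(directory, name)
    if os.path.getsize(path) == 0:
        problems.append(f"{name} is empty (backup likely aborted)")

    sidecar = path + ".sha256"
    if not os.path.exists(sidecar):
        problems.append(f"{name} has no checksum sidecar; integrity unknown")
    else:
        with open(sidecar) as f:
            expected = f.read().split()[0]
        if expected != sha256_of(path):
            problems.append(f"{name} checksum mismatch; file corrupted or truncated")
    return problems


def make_demo_dir(corrupt=False):
    """Constructed sample data: a single dump dated October 2017 with a valid
    checksum.  With corrupt=True the file is truncated after the sidecar was
    written, simulating a dump interrupted by a hard power-off."""
    d = tempfile.mkdtemp()
    name = "furbuy-db-2017-10-15.sql.gz"
    path = os.path.join(d, name)
    with open(path, "wb") as f:
        f.write(b"-- constructed dump contents, not a real database\n" * 10)
    with open(path + ".sha256", "w") as f:
        f.write(sha256_of(path) + "  " + name + "\n")
    if corrupt:
        with open(path, "r+b") as f:
            f.truncate(20)
    return d


if __name__ == "__main__":
    for p in check_backups(make_demo_dir(), today="2019-05-23"):
        print("ALERT:", p)
```

Running it with the shutdown date as "today" reports the October 2017 dump as 585 days old; the same check run daily in 2017 would have started alerting the first time the job failed.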

[The] attack locked-up our database server while we were in the middle of performing an emergency database backup, and we required our on-site host to perform a hard reboot of the server. The combination of an old server, a very strong attack, and having to hard power-off the server during a backup caused the disk volume (hard drive) to become corrupted. We repaired the disk to the best of our ability, but the database was damaged irrevocably and all of our attempts to restore the database have failed. We were able to repair a few tables completely, most partially, and several others were completely lost.

[...] For now, we are retiring the old (very old) software we wrote (mostly in 1999) which means there will be no FurBuy for the time being. It's honestly amazing that the site was able to run for as long as it has on as old a system as it's on. The same physical hardware has been running the site since 2007 when we upgraded it from the original hardware it was built on. The database server was on its last leg.

FurBuy claim users' own "personal data, emails, passwords" were not accessed, other than any personal data within images uploaded (not emailed) to the site.

While FurBuy did not dispute that source code containing credentials was accessed, they say the credentials could not be used to reach the 3.5 GB site database without being in a certain location with VPN access. Regardless, passwords were stored using a possibly-unsalted SHA-2 hashing function, which is not recommended for this role.

FurBuy is not offering refunds of past subscriptions; rather, they are offering new subscriptions to the replacement site they promise to build, for which they are soliciting testers and say they have purchased 10U of hardware. Those wishing to obtain a refund regardless will have to consult PayPal's own terms for their jurisdiction, to see if they are entitled.

For now, it seems erstwhile competitor The Dealers Den and non-fan auction and social media sites are receiving the lion's share of FurBuy's traffic.


Got a few typos here: "an months-long renovation.", "sever hardware", think that's all. Also, what is it with furry sites and outdated tech, bad code, security holes, etc? It seems chronic or even endemic.

Furry sites, even quite large ones that fans rely on, are typically run on a technical basis by one or maybe two people on a shoestring budget, often as a spare-time project. In fan commerce, the website is typically not the product itself, and may have been a one-off contract. Both of these situations are conducive to flawed coding and use of outdated technology.

There are exceptions, obviously; Bad Dragon is responsible for so many sites that they have a professional admin team - but even there, the programming of a fan site is done by site staff, who may not be qualified to write secure applications.

I know enough to doubt my own abilities when writing secure code, so I tend to punt to widely-developed application frameworks such as Drupal and MediaWiki, while trying to maintain standards on the administration side. Beware any site festooned with "tested for security" badges.

I meant to write this sooner but better late than never (some of us have demanding day jobs)
I have spent the last decade working in infosec. Writing secure applications involves a skillset that is not being taught anywhere these days. Also it's my belief that web applications are inherently insecure because of the fact that so many of them run code client side. That is one of the biggest reasons why I do not like the way many websites work and why I hate all this fancy HTML5 and CSS3 BS.

But yes, another site that is seriously lacking in OpSec is Thanks to Dragoneer's stupidity or utter carelessness, some of my art, and other information about me is in the dark web. It appears unauthorized access was obtained to a backup of their server at some point during 2018: the backup in question being quite old, dating to when I still had an account on FA.

Of course you cannot discuss this with furries. The usual strong reactions come out to play, and I really don't care for that.

Let's put it to you like this- Ever met a furry that has money to spend, or actually has any to spend?
I have met one or two, and they were rich, spoilt mollycoddled brats that had it very easy in life. As predicted they turned out later to be A+++ grade assholes. One or two of them hang around here and speak from such faux authority it actually sickens me, but it's all good- this last vestige of free speech means I can give them a good old slap and put them back in their place. Whilst respect for elders has gone the way of the dodo, there's still respect for people who know what they are doing, or people who are actually very knowledgeable in their field.

Anyway I digress...
Furry shoestring...
It's endemic for sure, it can be seen when it comes to paying for good art, and charging for same. My experience in life has taught me one thing- Furries want everything for free, and this is why people who run services have to do them as cheap as possible, because every fur wants it, but will not pay a dime for it.

Rich people, in general, are assholes, but furries being cheap comes from the majority of furries being broke as fuck imo.

Not just assholes, but stingy too! Only buying someone half a tattoo. Don't stay rich by splurging too much after all :3

Oh look at me, Mister Moneybags able to afford an entire tattoo

You legit didn't get that I was implying you're rich, since you said rich folks are assholes, did you? I think I'm starting to understand you better now... BTW that too is a reference to something else you said earlier. I've just come to accept I'm gonna have to play with kid gloves here.

Does this mean you're done pretending that you're never talking to me again? :D

Nope, you go ahead and have the last word now. I'm done with you.

That's not how that works.

Yes, I totally have a moral obligation to keep talking to people who annoy me, much like I'm obliged to keep my mouth shut about how annoying they are. I did for a while, but simply being ignored wasn't sending the message apparently. So I've said my piece and that's the end of that discussion as far as I'm concerned and, yes, that is how it works.

It's called saving up or budgeting for it you moron!
Yes I am calling you that, because I've come to realise what the others are on about regarding you.
Your presence on this board is exactly the perfect definition of trolling.

Oh wait... furries... and their attitude to paying for art... Oh wait, it's us non-furries, those of us with stable employment, who are more accurately described as anthropomorphism fans, that get all the nice things 'cause we can pay for it.

You should try budgeting for yourself, perhaps then you can have enough "bankroll" to experience the joy of being inked. Although I think that it won't really suit you.

And yes I am passionate about the art form, as I am about a certain blue hedgehog!

Sonikku and blackdog:

Can you think of a more iconic pair?

I'll wait.

So I think that's twice you've insinuated me and Sonikku are a couple. Based on what? Because I don't join in on the juvenile dog-piling (and hell, I probably have on a few occasions) any time he posts? I've told the guy plenty of times when I think he's misguided or flat-out wrong, but I don't play these stupid little games like you and the small handful (and I do mean you could count them literally on one hand) of users who monopolize the comments section (and probably drive others away). I guess that's not good enough for some assholes. The kind who call themselves Christians while not even trying to live it, unless homophobic humor counts.

But yeah I could think of a more fitting pair than me and Sonikku.

You and Genesius. A couple of faux Christianfurs who can't make a YouTube video worth a shit. Yes, I've seen your one "effort".

At least you can write worth half a toss, even if you have to use the same words and expressions over and over again to do it.

Uh oh, somebody doesn't like me on the Internet, guess I better spend upwards of an hour trawling the web for anything I don't like about them, that way whenever I need to protect my ego I feel like I have ammo against them

Walk it off, Princess!

This is coming from somebody who had to be given an ultimatum by GR to stop contributing to ED, which before KF was the place for "trawling". And what, is one supposed to simply refrain from Googling people (or searching Wikifur...) when one wants to know what their major malfunction is? Like virtually everyone else on the internet, including you at some point? You're not even capable of recognizing your own hypocrisy, are you? Don't appeal to some illusory sense of honor you don't even possess.

Uh oh, better do it again, even if I have to keep repeating the same ammo I think I have since it didn't work the first time!

Also, four days? Queen of stating his plans and sticking to them. I stan.

Well when you can't exactly refute anything I say or answer the pretty obvious questions it raises about your character/credibility as someone who has any place to tell me how to think or behave, yet keep flappin' your gums as if this is some luck-based speech check you're guaranteed to win if your snark stat is high enough, it doesn't exactly discourage me. Yeah, I "recycled my material" or whatever, but your whole repertoire is just variations of like the same 3 disses and comebacks. It's fucking boring.

Seems you are referring to me. Erm I am confused a bit?
I don't have a lot of time to post here and I certainly don't recall you telling me I am misguided plenty of times... hmm.

Also don't recall you or anyone else having any issue with me... Equivamp, on the other hand... right out of nowhere, like Rambo coming out the trees, machine gun blazing.

As a side comment on religion. That is probably what is wrong with some people who comment here. Any religion has negative effects on people. I've seen it happen enough times to comment justifiably on it. That, framed with the question of what is wrong with furries- well as hinted in another article's comments I think, it's not in the water, or the air, it's probably chemicals in the bottles and plastics, mixed with a good dose of entitlement (special snowflakeism)

I've openly disagreed with you probably at least half a dozen times on here, mainly about what's really wrong with the fandom. Generally, I try not to be an asshole about it, though I try not to exactly mince words either. So you probably never took it as an attack, so it doesn't stand out as much. So I don't really have a problem with you, I just don't agree with you all the time. The kinds of people I have a problem with, they just get off on being assholes for its own sake. If they had any higher purpose it'd have been made evident by now through their own words and conduct. I'm trying to improve that for my part because, frankly, I feel pretty fucking low whenever I stoop to their level, which is probably the entire point on their end. I think if one were to apply Occam's Razor here, they're basically attention whores. They were having fun before, but now they're getting salty because I'm not playing ball with them the way they want.


So that's why... I never saw your side as a disagreement. I saw it as an alternative point of view. Hence why I had to try and rack my brain about what you were on about.

As for what is wrong with the fandom- it's just my opinion. I do however, look forward to the day when we know for sure.

As for your closing comments. Understood ;)

Third option, here, but, uh, what if there's, you know, nothing wrong?

Now, if you want to influence it in a certain direction that you'd prefer to its current state, super, but, uh, maybe just don't jump in what is basically the tail end of a decades long conversation and be all like "you guys are doing this all wrong; luckily for you I'm here to tell you what you need to fix!" You see why that might rub people the wrong way.

Granted, furry isn't perfect, and I certainly understand it's not living up to whatever "ideal furry" you guys have in mind, but you know what, it's not living up to mine either. But here's the thing, guys; I've been working on changing it for the last decade, and I'm just now getting to the point where I can look at certain things and go "huh, that got better just the way I wanted it to!"* So if you want to change something, you gotta realize that you're not the only one trying to change it; the furry fandom is the way it is because a lot of people have worked to make it that way.

Once again, if you want to work on "improving" the furry fandom, super. Knock yourself out. But expect pushback. Duh.

Also, everything else aside, maybe making spectacles of yourself in a small, out of the way website's comments every other week ... maybe not the best strategy. Just a thought.

*Of course, the real kick in the nuts is that I have no idea if this change is due to my actions or it was just going to happen anyway.

I have no desire or intention to do anything with the furry fandom. What I said earlier was an opinion, not me trying to "fix" or change anything. I can honestly say I don't want to be a part of it ever, but unfortunately my fandom has folks in it who are furries so I have to be tolerant. Hence my strategy is now one of tolerance. I don't have to like it or get involved, I can just smile and nod and be tolerant and continue to be me.

I am also not here to make spectacles of myself. I wasn't even aware that was the case, so don't worry.

I will say you're kind of in the wrong spot to be uninvolved with furries.

Because we're kind of all furries here. You're kind of involved with us. I'm not going to do that snotty thing furries sometimes do where they talk about our critics as "closeted" furries, but the fact remains that you're here. And it follows you're here for a reason.

Whatever that reason is, that's your little red wagon. You do with it as you please. But, fair warning, your rather active style of "tolerance" is kind of causing us to have to practice "tolerance" of you. What I'm saying is if somebody snaps at you, I mean, do take it personally, actually, but don't get too upset about it.

Because it's just going to happen.

You had the unfortunate ... unfortune to pop out of the woodwork with actual accounts at almost the exact same time, so the joke fit. So, no beef, now let me finish reading the final paragraph, got a little ahead of myself ...

oh boy

I had not noticed... it totally passed me by

Uh What?

You're wrong. Rich people aren't assholes in general.
I suspect you are the same sort they refer to in the Sleepthinker parody video.

The 2019 crop of posters is such a joy.


This got a lot of discussion by the Defcon Furs group and I got a lot of tips but held off from saying much due to no special knowledge about tech. Glad it got some notice. As far as I could tell there were good intentions from people who said they were just concerned about the security issues.


In my experience, it is perfectly possible to take down a site by accident, be it through over-eager indexing or a flawed BBcode parser that just happens to be tickled by a story.

Having previously reported a security issue to FurBuy myself, I can also sympathize with the third party, as it took some time for them to even appreciate that there was a problem.

Of course, "first, do no harm" is a maxim that should be adhered to by white hats as it is by doctors in white. If it seems that your actions are causing a site to struggle, it's incumbent upon you to stop them.

There's a bit of a history of sites ignoring reported problems and then banning/blocking people who eventually make it public knowledge.

"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~

FurBuy has also made its own problems. (After they got suspended for doing the same thing earlier - did it on IB as well.)


You're a fine one to talk
You only updated your own graveyard of a site, on your own African time, after sufficient noise was made about it. You are just as guilty!

I would like to begin by saying I think this story covers very important issues that we should all be concerned about but also the front page needs more stories illustrated by sexy rat pinups is still my main takeaway.


The real question: what happened to the artist, FurryVenus? This was the last work they posted to FA. Did they take another name, start using another site, or just disappear into the ether?


Yeah that was my first thought when I checked out that account. "No one ever leaves the fandom" is a myth, either a well-wishing myth or a cynical myth depending on who's saying it. People leave never to return all the time. Like it dawned on me some time after I made my first reply on this article - "oh right, the techies that actually know their shit leave, for jobs where they're paid/appreciated".

There are a lot of website issues going around lately. I know there were some other problems at some sites which I might write a short little bit about. I need to see what new information comes out first.


Never used that site, never will. But I am with those saying having a 20 yo server is a terrible idea. You're supposed to migrate those.

Well, I'll be...

Right, and who's paying for that migration and the new servers? You?

