FurRag forums
Author Topic: ALERT: Possible Security Breach on FurRag.com  (Read 19872 times)
Osfer
Administrator
Full Member
« on: September 13, 2013, 09:23:38 PM »

Hi all,

Alex Vance here, the 'absentee landlord' of FurRag.com.

I've been made aware of a list of usernames, e-mail addresses and MD5 hashes that has been leaked and determined that it was stolen from FurRag on 2 September.

For the security of our users I'm putting the site in Maintenance Mode until further notice, while I seek help in investigating the source of the security breach, the nature and extent of it, and what solutions there can be.

In the meantime, I advise you all to change the password on any accounts you have that use the same e-mail and password combination as you use for FurRag.

Note that this is precautionary advice: there's currently no evidence that anyone has access to your password.

Further information will be posted here, as it becomes available.

Please be patient. I will do what I can and seek the help I need to get this resolved.

Kind regards,



- Alex F. Vance
« Last Edit: September 13, 2013, 11:38:44 PM by Osfer »

Osfer
Administrator
Full Member
« Reply #1 on: September 13, 2013, 10:44:42 PM »

Preliminary research indicates that the list of usernames came from FurRag.com itself and that the forum has not been compromised.

The list seems to consist of users from multiple sites that use the same codebase as FurRag, some 10% of which are actually from FurRag users.

Analysis of the list plus spot checks suggest that the list was taken on 15 December 2012.

Osfer
Administrator
Full Member
« Reply #2 on: September 13, 2013, 10:48:33 PM »

I believe the leaked list contains usernames from multiple sites that use the same codebase as FurRag, a CMS called eFiction which has not been maintained since 2010.

This suggests that the leak is due to an inherent and previously unknown security flaw in eFiction itself. Investigation is ongoing.

IronJack
Newbie
« Reply #3 on: September 25, 2013, 02:24:09 PM »

Out of curiosity, is there any timetable for when the Furrag site will become active again?

Lonely Wolf
Newbie
« Reply #4 on: September 25, 2013, 06:53:36 PM »

Wow, all of this happened on my birthday?!

"I cannot tell my story without going a long way back"
-Hermann Hesse

Osfer
Administrator
Full Member
« Reply #5 on: September 29, 2013, 07:14:37 AM »

Hi all,

First of all, my apologies for the length of time it's taken to follow up. Secondly, I'm afraid I don't have good news.

I've had only limited success in securing information about why the list of usernames, e-mail addresses, and password hashes was able to be retrieved, though the most common suspicion is an inherent flaw in the codebase. Again, FurRag is based on the eFiction codebase, which hasn't been actively maintained since 2010.

I've reached out to a few nerd acquaintances, none of whom are available to review and overhaul the codebase. This is understandable; it's a massive amount of work and it's a serious responsibility. Those friends whom I believe to have the necessary skills and experience to audit and repair FurRag are also ones who have more than full time occupations.

Some others have shown insight into the security breach and proposed possible fixes, some have shown enthusiasm for the task of finding the security leak(s) and repairing it/them. However, while I have no reason to doubt their intentions and sincerity, these are people I don't personally know, and for whose character I can't vouch. To let un-vetted persons poke around at the code would be the antithesis of the security we're trying to achieve.

All this means that, as it currently looks, FurRag is destined for the knacker's yard.

We can't in good conscience keep the site up, knowing that our users' information is at risk due to unknown and unfixed security flaws in the codebase. We don't have the resources to fix it ourselves.

FurRag will be shut down, but I'm currently investigating how to best do that. On the one hand, it would be good to leave the site on in a read-only fashion so that folks can get at their stories and comments and archive them somehow; on the other hand, doing so would prevent folks from being able to delete stories, or their own profiles, should they not wish them to be available anymore. Further, it does not currently appear that the eFiction codebase even has a facility for a read-only mode.

My current plan is to find some way to create a read-only version of FurRag that will remain active for a few months, and then take the site offline for good.

We've had a good run, guys. All of you have made this little corner of the web a lively little literary litter-box. I'm happy that I could slap the site up for you to enjoy, I'm proud of the authors that made the site worth visiting and I'm immensely thankful for the admins, Altivo in particular, who cultivated this little community during my negligence. You guys are awesome, and I want to do right by you.

So please, chime in with your thoughts!

Kind regards,

- Alex

Communicator
Newbie
« Reply #6 on: September 29, 2013, 07:31:28 PM »

It really is a shame that this is the way it has to be, but it's been a great experience, for more reasons than I'd care to name. My preference would be that the site goes back up for a few months, whether in read only or in its entirety, as a chance for us writers to retrieve our stories and say our goodbyes.

I completely agree, but I also had a thought. What does everyone think of something like this?

http://www.reddit.com/r/FurRag/

I know it wouldn't be the same, but it might not be a bad reincarnation so to speak.

chipotle
Newbie
« Reply #7 on: October 05, 2013, 03:09:00 AM »

As much as I like Reddit in some respects (you'll see me post there occasionally as "chipotlecoyote"), I don't think it's really the right format for something like this. It's a good way to collect links to stories posted elsewhere, of course -- link aggregation is what Reddit was made for -- but it's not very good for posting stories there.

Communicator
Newbie
« Reply #8 on: October 05, 2013, 06:05:06 AM »

That crossed my mind as I was formatting everything for the thread, but I hadn't considered links as the primary method. Not a bad option. But of course, the ideal thing would be for FurRag to return as it was.

Nights Angel
Newbie
« Reply #9 on: October 05, 2013, 02:22:51 PM »

The truth is we have two choices here. One, we do nothing and let the site fall and run like rats off a sinking ship. Or two, we as a whole pull together and find a way to save our site. Sadly, I don't know anything of code or the web world at large, so I might have just put my paw in my muzzle. But the point is flight or fight. Thank you, God bless.

Think what you want. I might have a better idea

Altivo
Administrator
Hero Member
« Reply #10 on: October 05, 2013, 08:00:48 PM »

There is some truth in what Ray says, but it's a complex issue. Hard to say what the actual intentions of the hackers may have been. They posted a list of e-mail addresses, user names, and encrypted passwords to a website. No threats, no ransom notes, just that. If you used the same password and name or e-mail elsewhere, then someone capable of decoding your password can steal your identity on some other site. There are a lot of "if" statements in that, and the likelihood is small but not zero.

At the very least, someone who could decode a password could take advantage of that to impersonate someone else on Furrag. Why? No good reason I can think of, but there are a few well-known people on there like Kyell Gold and K.M. Hirosaki. Neither has been active for a long time, but...

For the present, Osfer is being very cautious. I think perhaps he also underestimates the number of active users there were on the Furrag main site. This forum has generally been very quiet, but watching read statistics rise on the main site told me that we did have a lot of silent visitors.

-
“Don't be seduced into thinking that that which does not make a profit is without value.” ― Arthur Miller

Quinn Yellowfox
Global Moderator
Hero Member
« Reply #11 on: October 05, 2013, 10:29:43 PM »

I sincerely believe that FurRag is a small but precious gem within our community. Its spirit should be maintained even if it falls away as Yerf did.

Osfer needs to be cautious for very good reasons. Keeping a site open and active after discovery of a security breach is irresponsible, unethical and may result in unwanted attention from lawyers. Until a patch can be developed or a way to open the site is found that doesn't compromise member security, the most appropriate action for now is a lock down.

Idle talk can lead to speculation and disappointment. There are a few folks out there, myself included, who continue to pursue ideas. If the E-fiction software used for FurRag is irreparable, then something better needs to replace it. Defining "better" then becomes the key issue.

Rather than mourn the past, let's look to what we can learn from FurRag and build on the positive aspects of its legacy. I've posted a poll on the subject to better see what others like. If our little internet home can be preserved, and I truly hope it will, then we will also be better prepared for the next build.

Let's celebrate the past as we prepare for the future. Sometimes old friends need leave in order to make room in our lives for new ones. Sometimes they return and are better appreciated after their absence. Either way, the future approaches....

"A little nonsense now and then is relished by the wisest men." Roald Dahl

Nights Angel
Newbie
« Reply #12 on: October 06, 2013, 12:49:23 AM »

I agree, though the trailing off at the end does seem ominous. If it is willed by powers greater than ourselves, then that is the path we shall follow and lead others as well. Do not look into the darkness as the end but as the night preceding a new dawn.
I was just pointing out more or less the choice of just walking away or banding together in hopes of better things to come. I never meant what I said to mean run or fight for what we had. But I will cut myself off there before I start running my maw off. Thank you, God bless.

Think what you want. I might have a better idea

Altivo
Administrator
Hero Member
« Reply #13 on: October 09, 2013, 10:07:15 PM »

I don't think archive.org takes site-specific requests. I'm not sure what their algorithm is for when to capture or how deep to follow the tree. I do know that what they have of Furrag is sparse and very out of date. Unfortunately, they can't capture the site as it stands now because it's completely closed off anyway.

-
“Don't be seduced into thinking that that which does not make a profit is without value.” ― Arthur Miller

A Quiet Fan
Newbie
« Reply #14 on: October 14, 2013, 09:14:19 PM »

Hello, all who are reading this; I am a faithful reader of the stories on FurRag.

I don't have an account, not because I'm lazy, I just never got around to it, and when I heard it was closing down for good, it pretty much tore my heart out and crushed it. I have no idea where to find stories from all you authors out there, other than on FurRag, so let me just say that I had to get my two cents in before it all fell apart (I registered on this site just so that I could). There are lots of incredible people and stories on the site that will all but vanish if and when it shuts down, and to me, that's like holding a digital book-burning. I am a huge fan of you all (I'm looking at you, Alex Vance), and since I can't get on FurRag anymore, I needed to let my voice be heard somehow on the topic. There are not only writers and admins and registered folks, there are countless unnamed readers, too. I'm not ordering the site to be saved, I'm simply asking you to try; if not for the writers, then for the readers who sit on the sidelines, not wanting to make a fuss. If there was anything at all I could do to help out, then I would. And while ranting isn't going to solve the problem, taking a stand is a damn good place to start.

If it can be saved, then that's wonderful! If not, then I hold no ill will towards any of you. Not all stories can have happy endings, after all.

If you are like me and have something to say, say it. For whatever difference it makes.
LET YOUR VOICE BE HEARD.

I am a guest on FurRag, and I WILL NOT be ignored.


Yours Truly,

A Not-So-Quiet Fan.
« Last Edit: October 16, 2013, 08:21:11 PM by A Quiet Fan »

There is a certain amount of madness in every brilliant idea.