@soatok
Last active May 22, 2016 09:35
Open Letter to Tomorrow's Furry Website Owners

If you don't make security a top priority, you will get breached. If you take nothing else away from this letter, let it be those words.


Let's talk, furries.

As we all know, FurAffinity got hacked not too long ago. Rather than rehash the events as they're still unfolding, let's just call it a grease-fire that the staff are desperately trying to put out by spraying it with water.

This has led a lot of people to consider leaving for alternatives. Some people have decided to start their own new FA alternatives.

I'd like to offer a few bits of unsolicited advice so you might avoid a similar fate.

Pass the flame-retardant, please.

What do all the big furry art sites have in common? They're closed source. You and I can't read the source code to see how they're implemented. You and I can't fork, improve, and contribute back enhancements that improve user experience or security.

We're forced to:

  • Rely on a small cabal of technologists of unknown competence to keep our personal information from ending up in criminals' hands.
  • Place our trust in a system whose security relies entirely on obscurity.

As soon as someone got the FA source code, they were able to exploit other vulnerabilities to steal user information and delete everything.

A well-engineered piece of software is secure even against adversaries that can see how it works.

Accept no compromises here. If it isn't open source, don't join it until they make their source code public (under a license that allows or even encourages participation).
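As an added illustration of the point above (this is not code from the letter, and both token schemes are constructed for the example), here is what "secure even against adversaries that can see how it works" means in practice. The first session-token scheme is only safe while nobody has read the source; the second keeps its security in a server-side key, so publishing the code costs nothing:

```python
"""Added example (not part of the original letter): why security must not
depend on the source code staying secret.

Both token schemes are constructed for this illustration. Scheme 1 is
"secure" only until someone reads the function; Scheme 2's algorithm is
public and only the deployment key must stay private.
"""
import hashlib
import hmac
import secrets

# --- Scheme 1: security through obscurity ---------------------------------
# The only "secret" is the algorithm itself. Anyone holding the source can
# mint a valid token for any user id, with no key to guess.
def obscure_token(user_id: int) -> str:
    return hashlib.sha256(f"session-{user_id}-v2".encode()).hexdigest()[:32]

def obscure_verify(user_id: int, token: str) -> bool:
    return token == obscure_token(user_id)

# --- Scheme 2: security in the key -----------------------------------------
# The algorithm (HMAC-SHA256 over the user id) is public. Only the key,
# generated at deploy time and kept out of the repository, must stay secret.
def keyed_token(key: bytes, user_id: int) -> str:
    return hmac.new(key, f"session-{user_id}".encode(), hashlib.sha256).hexdigest()

def keyed_verify(key: bytes, user_id: int, token: str) -> bool:
    # Constant-time comparison so response timing does not leak the expected value.
    return hmac.compare_digest(keyed_token(key, user_id), token)

def attacker_with_source(user_id: int) -> dict:
    """Model an adversary who has the complete source code but not the
    deployment's key. Returns whether each scheme accepts the token that
    can be computed from the source alone."""
    server_key = secrets.token_bytes(32)   # the real deployed key; unknown to the attacker
    # Scheme 1 can be reproduced exactly from the source: nothing is missing.
    forged_obscure = obscure_token(user_id)
    # For Scheme 2 the attacker still lacks the key and can only guess one.
    forged_keyed = keyed_token(b"attacker-guess", user_id)
    return {
        "obscure_accepted": obscure_verify(user_id, forged_obscure),
        "keyed_accepted": keyed_verify(server_key, user_id, forged_keyed),
    }

if __name__ == "__main__":
    print(attacker_with_source(42))
    # {'obscure_accepted': True, 'keyed_accepted': False}
```

The design choice is the one Kerckhoffs's principle asks for: assume the adversary already has the code, and make sure the only thing standing between them and a valid token is a key that never lives in the repository. That is the property that lets a project open its source without the "nightmare scenario" the letter warns about.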

Weasyl and FurryNetwork have indicated that they are planning on open sourcing their entire platform. This is a great start.

However, going from "we're developing in secret" to "we're developing in the open" can be a painful adjustment period, especially if you have really-obvious security vulnerabilities buried in obscure corners of your code.

If anyone runs a furry website and wants to transition from purely secretive to open source, but you're worried about a nightmare scenario unfolding the second you flip the "public" switch, get in touch and I'll see if I can help.

Important Flipside to Open Source

Being open source doesn't make you automatically more secure. Earlier tonight, another furry website that recently launched was brought to my attention, and a friend of mine started making noise because it didn't have HTTPS.

It turns out, that was the least of their worries. They decided to build on a proprietary platform called phpFox. To put it bluntly: phpFox is a poorly-written backdoor that also behaves like a Facebook clone. I've reported several remote code execution vulnerabilities already, and there are undoubtedly hundreds of XSS vulnerabilities left to patch.

Their source code was open, but their code was still insecure due to early development decisions made by the team. (Silver lining: Because it's open source, we're able to bring these security issues to their attention.)

Open sourcing your code isn't enough, but it's the right first step to make.

Internal Security Audits

...are worthless for proprietary code.

TL;DR

Open source your code, don't build on crappy frameworks, and don't promise to analyze the proprietary code you wrote for security holes you don't know exist like FurAffinity did.

Who is Soatok, anyway?

Soatok (Twitter) is a dhole whose day job involves acting like a well-adjusted security researcher. He spends unreasonable amounts of time working on cryptography protocols, finding vulnerabilities in open source projects, and reading free research papers from venues like IACR.

soatok commented May 22, 2016

Also, Reddit thread.
