So I haven't ever done this journal thing on FA; it never really interested me enough to post, but there have been some things about FA that have been irritating me too much for me to leave them alone anymore. So if you really don't care about how FA is doing, and it serves up your porn and stuff just fine for you, then don't read this, because all it's gonna be is hard questions about how the "largest furry site" is run.
To break down these questions I've attempted to separate them into 4 categories: the technical, the legal, the administrative, and ones that consist of a mash of these. I've also tried to provide explanations and strike a balance between being too brief and too verbose.
- How many of the vulnerabilities addressed by Eevee's journal (http://eevee.livejournal.com/329817.html) have been resolved, and have these resolutions been verified? Eevee disclosed the details of these vulnerabilities to the FA administration and technical staff several months ago, and as far as I know they have not been provided to the public. These issues pose real problems to the site; some of them can be used to cause large amounts of data loss or to gain access to personal communications. Why have these issues not been comprehensively addressed?
- How do you plan on dealing with the whitescreen problem, and what has been done to date to resolve this issue? This issue has been discussed a lot in #furaffinity-dev, and to date all we have seen is that Yak vaguely recollects looking at the issue, vaguely recollects the errors involved, but did not have access from home to investigate further and did not appear to care about fixing it.
- Have you had an independent party review the PHP code to find vulnerabilities? Many parties, including myself, have offered to review the code, even under the most encompassing NDAs, and identify issues and undetected security vulnerabilities. To date only one person has participated, and he is no longer welcome to contribute to this endeavor.
- Have you injection tested and/or fuzz tested the site to find vulnerabilities? I have seen no indication of this being conducted. There are packages and services out there that conduct both targeted tests and random input tests to find issues in nearly any type of software, but especially web applications.
- Has a bug tracker been set up to coordinate the efforts of all parties involved in fixing these problems? No indication of a bug tracker has been seen in the administration's communications to the public. Most large projects with multiple developers need bug trackers to coordinate the massive effort; that FA does not have one may be hindering its internal development efforts.
- How is session hijacking being dealt with? It was theorized long ago that FurAffinity.net was vulnerable to session hijacking. That the site does not use PHP sessions meant that Firesheep did not immediately have a plugin to do this, but from what has been indicated it is trivial to implement, and such a plugin now exists in the wild.
- What is the status of the new UI? Last I was told, the principal developer on this project had all but quit, and no mention of it has been made since January. This has been promised for FA:U, which is in two weeks, but there does not appear to have been any development effort on this since January.
- What is your roadmap for new features? Most sites have a vaguely internal and sometimes blatantly public roadmap for adding features, sometimes incorporated into their bug tracker (see above), but I have not seen FA have such a roadmap or seem to have any long-term guide to what needs to be done, as features seem to be added based on how shiny they are and who requests them rather than general need or usefulness.
- Why does FA need a load balancer to have full site SSL? Most sites that have implemented full site SSL have noted that the overall impact has been nearly nil; in terms of actual numbers, Google reported less than a 10% increase in CPU time and less than 1MB total increase in RAM on their web worker servers. Inkbunny has reported nearly the same. I personally only have experience with the RainFurrest site, which, while hosted on a dual P3, has only seen a marginal increase in CPU load related to enforcing full site SSL, which in this case took approximately 10 minutes to implement.
- From what has been indicated, FA is still storing passwords in a manner that would be vulnerable to rainbow tables, even if they were generated specifically for FA. What is being done to address the rainbow table password attack vector? You could sit here and state that it would take a large amount of time to generate tables of sufficient size, but furry lends itself towards being a technical community: when someone as lowly as me can have a small supercomputer in his garage, what says another furry interested in breaking into your site won't have even more capability or access to such?
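To illustrate the rainbow table point, here is an added example (my code, not the journal's or FA's, and making no claim about how FA actually stores passwords): a constructed three-entry precomputed table recovers an unsalted hash and a hash with one site-wide salt equally well, while a random per-user salt with a slow KDF (PBKDF2, an assumed choice of mitigation) makes any precomputed table useless. The salt string, candidate passwords and sample password are all constructed.

```python
import hashlib
import os

# Constructed sample: a tiny precomputed table of candidate passwords.
# A real table holds millions of entries; three suffice to show the idea.
CANDIDATES = ["hunter2", "password1", "fursona!"]

# Assumed site-wide salt: one fixed string shared by every account.
SITE_SALT = "furaffinity"

def unsalted(pw: str) -> str:
    """Bare MD5 of the password: one generic table covers every site."""
    return hashlib.md5(pw.encode()).hexdigest()

def site_salted(pw: str) -> str:
    """MD5 with a single site-wide salt: a table built once for this site still works."""
    return hashlib.md5((SITE_SALT + pw).encode()).hexdigest()

def per_user(pw: str, salt: bytes) -> bytes:
    """Random per-user salt plus PBKDF2 stretching (the assumed mitigation)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def build_table(hash_fn) -> dict:
    """Precompute hash -> password for every candidate, once."""
    return {hash_fn(pw): pw for pw in CANDIDATES}

def lookup(table: dict, stored):
    """Recover a password from a stored hash by table lookup; None if absent."""
    return table.get(stored)

def demo(pw: str = "hunter2"):
    # Unsalted: the generic table recovers the password directly.
    cracked_unsalted = lookup(build_table(unsalted), unsalted(pw))
    # Site-wide salt: a table generated specifically for this site works just as well.
    cracked_site = lookup(build_table(site_salted), site_salted(pw))
    # Per-user salt: a table built against user A's salt says nothing about user B,
    # and two users with the same password no longer share a stored hash.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    table_a = build_table(lambda p: per_user(p, salt_a))
    cracked_b = lookup(table_a, per_user(pw, salt_b))
    same_hash = per_user(pw, salt_a) == per_user(pw, salt_b)
    return cracked_unsalted, cracked_site, cracked_b, same_hash

if __name__ == "__main__":
    print(demo())  # ('hunter2', 'hunter2', None, False)
```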
- How is the backlog of trouble tickets being addressed? I've seen many complaints on the forums that people have pet trouble tickets, or their only trouble ticket, that have not been addressed for months or even years. Some of the admins have candidly stated that the backlog has been growing larger and not much has been done to address it. Some have said that when all of your staff are volunteers you shouldn't expect them to be dedicated to getting things done, but in reality I've seen nothing to indicate that you can't tell people that if you're an admin you should be doing work, and if you can't do the work, you should quit. This seems to work just fine when running furry conventions, so why not furry sites?
- How is the issue of administrative despotism being addressed? It has definitely been noticed by the furry community that administrators on FurAffinity tend both to fail to avoid issues where their friends are involved and to come to the aid of their friends. Sometimes people who are friends of the administration can do things that normal users cannot and not get banned. Sometimes these people gain extra protection because they are friends of the administration, and sometimes people get harassed or banned because they are not friends of the administration.
- Why has the administration avoided dialogue about many of these problems? If I were running a site like this, I would be going out of my way to become aware of and address issues with the site, including going where the people are complaining, trying to talk to them and trying to fix the problem. In most of these cases, fixing the problem really does involve fixing the problem and making sure everyone knows you've fixed the problem, not promising a fix and then slacking on actually doing it.
- What is being done about the hemorrhaging of administrators from the FurAffinity staff? Some have noticed that recently several of the administrators have quit or otherwise left; this appears to be resulting in a dwindling number of administrators, not very many hands to make light work of the site's maintenance at all. What do you plan on doing to fix this?
- Why is advertising on FurAffinity so hard? I've seen many complaints in the forums that it takes months for anyone to get back to potential advertisers, and I know from what I have heard in the RainFurrest meetings that, at the very least, RainFurrest's experience seemed to mesh with these experiences. If one of your core revenue streams is advertising, shouldn't you be providing excellent customer service to the advertisers at least?
- Does FurAffinity (Ferrox Art in this case) plan on seeking 501(c)(7) or 501(c)(3) status? The track record of FurAffinity suggests that it would be better off trying to conduct itself as a non-profit or not-for-profit social club; this way the use of the term "donations" is less shady in the "it's legal but not exactly ethical" sense.
- Otherwise, do you have a solid plan to deal with the revenue stream problems (i.e. require a signup fee, have premium memberships, etc.)? What is stopping the site from going belly up tomorrow? Since so many users have invested so much time in this site, and it exists based on the contributions of these people, how is FurAffinity making sure these contributions do not evaporate overnight?
- The issue has been raised about the intermingling of assets. Since Ferrox Art is an LLC, you must maintain a separate ledger and bank accounts for the LLC, and the property of the LLC must remain separate from its stakeholders; how Ferrox Art conducts business has suggested that this separation does not exist. Are you conducting the business of the LLC properly to avoid it being dissolved into a sole proprietorship upon challenge?
- If not, why does Ferrox Art exist as an LLC and not as a sole proprietorship? I don't really have much comment on this one, since I would be speculating more than I like, but does Ferrox Art exist so that Dragoneer can claim that FA and himself are not one and the same?
- If Ferrox Art, LLC is doing business in Virginia and New Jersey, why does it not have business licenses for those states? Generally you must obtain business licenses for each and every state that you do business in; just ask the people in your dealers den. This includes the state where you have business assets being used to conduct business, Virginia, and the state where you are holding a profit generating event, New Jersey, more so NJ than VA.
- How did you let the SSL certificate expire? Generally speaking, SSL certificate providers send large numbers of emails if you have not purchased a renewal; that it did expire brings up deep questions about how well FurAffinity is doing at paying the bills. On the flip side, that it took several hours for this to be detected and corrected speaks to the speed at which FurAffinity can detect and correct technical issues.
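As an added example of the kind of check that would flag an expiring certificate days ahead instead of hours after (my code, not FA's or anyone else's; the 14-day threshold and the dates are assumptions): parse the certificate's notAfter date in the format Python's ssl module returns it and classify how much time is left.

```python
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 14  # assumed renewal lead time; tune to the provider's reminder cadence

def to_epoch(cert_time: str) -> float:
    """Convert an OpenSSL-style date ('Jun  5 12:00:00 2011 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)

def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left on a certificate's notAfter field; negative once it has expired."""
    now = time.time() if now is None else now
    return (to_epoch(not_after) - now) / 86400

def check(not_after: str, now: Optional[float] = None, warn_days: int = WARN_DAYS) -> str:
    """Classify as 'ok', 'warn' (renew now) or 'expired'."""
    left = days_until_expiry(not_after, now)
    if left < 0:
        return "expired"
    if left < warn_days:
        return "warn"
    return "ok"

def fetch_not_after(host: str, port: int = 443) -> str:
    """Read the live certificate's notAfter from a TLS handshake (needs network).
    A verification failure here (for instance an already expired certificate)
    raises ssl.SSLError, which a monitor should treat as an alert in its own right."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    # Constructed input: pretend today is 2011-06-01 and the cert ends 2011-06-05.
    fake_now = to_epoch("Jun  1 00:00:00 2011 GMT")
    print(check("Jun  5 12:00:00 2011 GMT", now=fake_now))  # warn
```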
- Does the site not consider its users stakeholders in a small way? Since the existence of the entire site hinges on the contributions of its users, do you not consider them stakeholders when making decisions about how to conduct the business of the site? As far as I have been able to determine, nothing in my interactions with the admins of this site has indicated any way to be considered someone whose opinion is worthwhile; even if I were to donate as I have in the past it's not worth anything, and from what I've gathered only the most popular artists get their opinions considered.
- What is being done to address the issue raised above of no fresh eyes on the PHP code that runs the site? From what has been indicated, not much has been done even to make the preparations for allowing outsiders to see the code, which apparently includes backing up the entire site on a nightly basis or some quite involved backup project.
- Why have many parties that have offered to help been told they would be able to soon, and then never contacted again? I know of at least two, myself and Trapa. I shouldn't need to say that people sometimes offer to help when they have free time and might not be available later on, and otherwise many people become discouraged and disinterested when you never get back to them.
- Why was Ferrox abandoned? From what I've been able to see there was a substantial amount of code written for this project, and a lot of this code may be useful in establishing a foundation for a new FA, and thus getting it going faster than, say, going at it from scratch. From what I've seen, the latest attempt at Ferrox was going at it from scratch (having been said to be written in PHP, which is not exactly similar to Python at all).
- What has been done to deal with the slippage of most of the features promised to the site's users? It has been demonstrated that many promised features and upgrades have slipped into oblivion. Some include folders, the new UI, full site SSL, security improvements, Ferrox, the URL shortener, the hosting service, etc. But no explanation is ever provided for why these improvements never show up, let alone on time.
- Why did it take 3 years to deal with the cleartext password problem? This was one of my pet issues; we even considered setting up a wall of sheep at one California convention to make people aware of this issue in particular. Dragoneer himself told me that he was in the process of buying the SSL cert to fix this in 2006, so why did it take till 2009 to actually set this up?
- If FurAffinity is asking for money, providing accounting of donations and mentioning expenditures, why is FurAffinity not providing more comprehensive accounting and an explanation of the expenditures? This topic has come up in the forums and so far no official word has surfaced.