The Furaffinity break-in and the revelations that followed are perhaps the biggest scandal to rock the subculture in many years. The sum total of the ugliness that came out that day has had far-reaching implications, none of them good.
(TRIGGER WARNING - This article contains an account of what is believed to be a real-life rape case. Please be advised.(1))
Wednesday, February 15. 2012
"Makes me sick motherfucker, how far we done fell" - The Bunk
FurAffinity was hacked into several times over the course of two days, from December 16 to 17 of 2010. The break-in resulted in the (known) release of the private messages of 22 users, most of them administrators. Some of the leaked messages contain some highly unpleasant bombshells that reflect very badly on not just the people they involved but the subculture as a whole.
The attack leveraged several known exploits in FurAffinity's code. (There is speculation that information from the Gawker leak(2) may have played a role as well.) At first, accounts were wiped, fake messages were posted, that sort of thing. After that dry run the attackers struck again the next day. They went straight for a special administration panel(3) that allowed access to the private message inbox of any user on the site. It is from that interface that the private messages were lifted. The leaked material was posted to the usual suite of bitlocker sites, with their presence announced on the infamous furry imageboard lulz.net.
Not every user who had their account breached had their private messages released, and we still do not know the name of every user account that was broken into. According to posts from someone claiming to be among those responsible for the attack, at least one of the targeted inboxes was empty. FurAffinity's admins put the number of breached accounts at 41.
These are the known targets:
Not a lot has been said about who may have pulled off the attack. It is unlikely that we will know the identity of those who were responsible. Whoever they were, they were pretty up-front that they did it for laughs. They also seemed to have more than a passing knowledge of what the furry subculture is actually like. I say "they" because there is a strong impression that multiple people were involved, both in selecting the targets and in pulling off the attack. There is also a strong impression that there are many people who know (or have been in contact with) those responsible - but are keeping quiet.
What has mostly been discussed is how such an embarrassing and trivial break-in was allowed to happen. As everyone knows, FurAffinity is barely functional. It's usable, but it's held together with a series of bodges that would look hilarious and terrifying to any seasoned web developer. Security is not taken seriously at all despite the large number of users on the site. It says a lot that the primitive XSS vulnerability that was used to get at the private messages was made public months earlier and no attempt was made to fix it.
FA's leadership is and always has been in over it's head. They are terrified of what might happen if they were to let someone else take the controls. Through some combination of pride, laziness and paranoia, they do not take outside advice seriously, even if it comes from a knowledgeable source. The result is that technical problems with the website are not fixed unless they threaten to take the site completely offline. Minor fixes can take months. Even the most trivial new features can get stalled indefinitely. Very few people understand the spaghetti mess of PHP that is FurAffinity's codebase, and they are in no hurry to fix or replace it.
Much of the blame for these and other problems lies directly with Sean "Dragoneer" Piche, the site's owner and webmaster. He really has no idea how to run the site, or how to bring in talent that would be able to get things done. He will fight getting rid of dead weight at every turn, especially dead weight that is loyal to him. He just expects everything to work out fine with an absolute bare minimum of time and effort invested.
During many on-site disputes, the entire FA administration would almost always side with those who were either popular with the administration, or with the artists who brought the most visitors to the site. The site's rules felt arbitrary at times. Granted, just about every community site owner on the planet does this (furry or not), but FA's completely dysfunctional internal culture meant that a bad administrator could run amok for some time before being reigned in. Dragoneer also had a habit of occasionally caving to mob pressure and punishing individuals on-site for off-site activities(4).
Dragoneer has worked harder to make himself a target than any furry showrunner before or since. He would participate directly in gossip, use his power openly against individuals he disliked, and rewarded loyalty above all else. He did it without the slightest bit of discretion, without the minimal amount of moderation or secrecy that his peers and predecessors employed when they did (and do) the exact same thing(5). That made him vulnerable. Not just to legitimate criticism, not just to people pissed off enough to want to hurt others just to get to him, but also to the kind of assholes the hacker(s) were: people willing to stir shit just for the sake of stirring shit. His security strategy says a lot about this - he must have genuinely believed that there was nobody out there willing to put forth the effort to publically humiliate him and his userbase. In Dragoneer's various exploits in the year or so leading up to the break-in, we might find a motive for why someone might want to go to all the trouble of trying to dig up his dirty laundry.
A small site known as Watch Your Step figures heavily in these exploits. In the list of known hacked accounts there are a number of people who were involved with the site in some way, suggesting that it might have been a subject of interest to the hackers. Dragoneer played an active role in some of Watch Your Step's activities, and that may very well have helped make him (and those around him) an enticing target.
Watch Your Step was a complex situation all it's own, marked by a number of petty disputes over asinine things that rocketed out of control. It was utterly childish, and not all that memorable. Watch Your Step's administration and userbase consisted largely of Dragoneer's supporters. The site featured a moderately-sized forum with a "secret" section. Despite various countermeasures, information would leak out of the "secret" forum every so often. Most of it was worthless bickering and harassment. WYS gained the most attention when it became involved with a dispute between FurAffinity and e621 that culminated in attacks on both e621's sources of funding and hosting providers. It was mainly over e621's reluctance to remove reposted artwork, but other reasons (such as the eternal dispute over "cub porn") were brought into play in a bid to get the site dropped by it's ISP.
This dispute was basically a continuation of an old rivalry between Dragoneer and Arcturus (then the current owner of e621, and long ago one of FA's co-founders). The brouhaha led to accusations that Dragoneer was using his supporters over at Watch Your Step to try to mask attacks against people and sites he didn't like. Evidence would later surface to further back up these accusations. Using Watch Your Step as a sort of personal army may not have been his original intent at first, but Dragoneer continued his involvement with the site long after he should have backed away.
Watch Your Step was itself hacked around October of 2010, although nobody on the outside would know this until July 2011. It was quickly and quietly pulled once it's owners figured out what was going on, so the database rip that was eventually released the following year is not complete. However, analysis of that database rip reveals that Dragoneer was making a variety of inflammatory posts under a number of aliases, with some of them directed at people he had held grudges against for years.
The majority of the bile was directed at Anthrocon head Samuel "Uncle Kage" Conway. In a bizarre turn, some of these posts were made under the alias of Dragoneer's departed former roommate, Patrick "Furp/Firepyro" Reed. There is a long-standing rivalry between Kage and Dragoneer that would take too long to discuss at length, but basically it looks like the entire thing started as relationship drama among their mutual friends many years ago and has since taken on a life of it's own. As for Furp, he lived with Dragoneer when they were doing contract work in Kyrgyzstan. Whatever happened between those two, it apparently resulted in him having a hatred for the man that continues long after his death.
The only reason I've taken this major detour into the Watch Your Step affair is because I have a hunch that the people who broke into the WYS forum are the same people who broke into FA. I don't have much to support it other than the fact that people involved with WYS appear to have been a priority target for the hacker(s) and the fact that both sites were broken into within a few months of each other.
In any matter, the Watch Your Step machinations cannot completely account for why so many other users were targeted in the FA break-in. Whoever broke into FA already had a low opinion of the furry subculture; their primary objective was to cause chaos. Going after other people at the top of the subculture was probably the next logical step. Besides several administrator accounts, the rest of the breached accounts were those of people who had lengthy ED articles, people who posted in drama communities, people who were the subject of multiple posts in drama communities, and people who were popular. Still, even given that criteria there were some odd omissions. There is no shortage of other popular artists, or individuals with scandalous (even criminal) backgrounds that they could have targeted. I suppose that if they could, they would have found a way to grab every single note from everyone on the site and "let God sort 'em out", but they did not have the technical expertise (or the time, or the patience) to do so.
So what was in those private messages? The vast majority of them turned out to be worthless and uninteresting. Most of the really important discoveries were made in Dragoneer's notes. Since he runs the site, and since he is a major subculture figure because of it, people in trouble would sometimes come to him for advice. A great deal of user issues went through him as well, what with him being the site administrator and all. This meant that he dealt with (or became peripherally involved in) a lot of problems, scandals, and even a few criminal cases. He was not particularly well-equipped to deal with some of the more serious and unexpected issues that came his way.
With a few exceptions, most of the really bad shit that happens in furry doesn’t get talked about over FurAffinity’s private message system(6). But as we're about to see, those exceptions were pretty nasty indeed.
By far, the worst thing found in the notes were accusations of date rape against Adam “Zaush” Wan, one of the most popular furry artists of all time. Wan was in an open relationship with another artist (alias "Keovi") for some time, and was trying to get a third person (with the alias "Ferality") involved. Ferality was visiting Adam over the course of a weekend in January 2010, and it was then that he coerced her into having unprotected sex. She came to Dragoneer for advice and to see if he had any information on Wan that could be useful to her:
Dragoneer basically told her that going public about it would be a bad idea, and that he couldn't help her if she did. He comes off as somewhat insensitive for saying this, but Ferality had little or no intent of going public about what happened to her anyway. She was mostly interested in warning other female artists about Wan's violent and manipulative tendencies.
None of this had any business being public, and everything just went straight to hell when the leak hit and the news broke. The outrage that resulted when everyone realized just what had happened was unlike anything seen in the subculture before or since. Fortunately for her, Ferality's story is widely considered to be far more plausible than it ordinarily would have been because it was not meant for public consumption.
A lot of people backed her up, but some did not, and many failed to recognize what happened as rape. (Apparently sex education in this country is a joke. Who knew?) A few even chose to blame the victim for what had happened. Wan took full advantage of this; instead of keeping quiet, he chose to "retaliate" with a series of internet posts so utterly self-incriminating and grotesque that it will take a whole other article just to deal with them.
It was truly disgraceful. It was disgusting to watch. It is highly unlikely that this information would have gotten out had there been no attack on FA, and it certainly would have been better if it didn't. In the vast majority of rape cases, the victim knows her attacker. It can take a long time for the victim to come to terms with what has happened and come forward (if she comes forward at all), and by then she usually has the odds stacked against her. Ferality certainly realized this, and she seems to have been in the earlier stages of building support for her case, trying to connect with anyone else who might have been abused or harassed by her attacker and looking for figures who would be able to give her support.
Making this information public can only have set her efforts back. It would have been nice if this whole situation played out where it belonged - in a courtroom. Instead, we got a bunch of cretins arguing about it on a bunch of imageboards. The chances of legal action being taken against Wan in the future are now severely diminished - and given the circumstances, they may have already been pretty slim to begin with.
I honestly wonder sometimes if it's a good idea to even be talking about this situation, but it's far too late to just pretend it never happened. It's public, and public in the worst possible way, and there's no going back. Everyone knows what happened. Now that the information is out there, it is up to us to make the best of it.
We do know that this kind of thing has happened before; just going on statistics alone there have to have been dozens of incidents on par with (or worse than) what Adam Wan did that have involved members of the subculture. But we know almost nothing about them. Now that we have a specific incident to draw from, maybe the next time this kind of thing happens it won't be so much of a shock. Maybe we could even get to a point where measures are taken to actually try to prevent people like Wan from getting as far as he did. Maybe people will know how to handle this type of situation the next time it happens - because the sad truth of the matter is is that there will be a next time.
The rest of the revelations in these notes are comparatively minor, but still nasty in their own right. Take the Javachickn scandal - it is well-represented here:
In the immediate aftermath of the discovery of her zoophilic activities, it appears that she sought Dragoneer’s assistance in wiping the slate clean. I have to wonder if she made a similar impassioned plea to the Beastforum administration - only to learn that the site is a brutal profit machine that exploits human and animal alike. (For those not in the know, Beastforum has a fairly unique policy of not deleting posts for any reason. This is because the site makes it's money off of selling access to user-posted content.)
Dragoneer's response was a confused effort at damage control. It might not have been the wisest thing to do, but the Javachickn Incident was a hard lesson for just about everyone involved. Nobody in a position to know what was happening took action against Reed until everything was out in the open - and by then it was too late. Still, Dragoneer is just about the only person we know of that Reed has made a direct, unambiguous confession to. It would have been nice if he had forwarded that message on to the Humboldt County Sheriff's department. Not his job, I know, but still - it would have been the right thing to do.
The animal abuse continues when Dragoneer gives a heads-up to Ian “Mobianfox” Dettmering, telling him to stop visibly drooling over pictures of people’s pets because some people might take him to task for it:
The only reason anyone noticed or reported Mobianfox in the first place was because he was once involved with Petlust, one of the last known professional bestiality porn producers. He appeared in a number of their videos, and every now and then his filmography catches up with him. Sadly, typically, law enforcement is unlikely to do the same.
Dettmering could have figured out that he was being targeted on his own, but Dragoneer's decision to intervene on his behalf before checking the source of the allegations did not help matters. It's kind of odd that a man who has been known to watch the drama communities like a hawk suddenly plays dumb when confronted with a scandal that has been plastered all over them, but whatever.
Between this and the Java disaster (among several other smaller incidents), this is evidence that (for a while at least) Dragoneer was not taking the issue of animal sexual abuse within the furry community seriously. Given the relative popularity of both users at the time, there is also the possibility that Dragoneer was playing favorites yet again. It's a moot point, though - there wasn't much point in punishing either user for crimes that had nothing to do with the site anyway. Charges were never filed against either individual, and that is the real scandal.
The worst of the notes aren’t quite over. I’d be remiss in not giving Richard “Betawolf/Sinistrtaz” Helms at least a casual mention. There was no substantial real-life criminal activity here, but nonetheless his notes resulted in the unearthing of a number of unpleasant skeletons. Sinistrtaz had previously made a name for himself with his increasingly hostile and abusive attitude towards the artists he commissioned. On top of this, he was commissioning these artists for porno that was violent or pedophilic (or both) in nature. Granted, this is cartoon porn - does anyone really care what the subject matter is as long as everyone involved is capable of keeping their demons on paper?
It turns out that a lot of people care quite a bit, but no matter where you stand in the "cub porn" debate there is no denying that Betawolf's antics were a problem. He was using the threat of blackmail to goad many artists into drawing material that was far outside of their respective comfort zones. He would throw around all manner of bizarre, baseless legal threats in casual conversation. He would come up with weird draconian contracts for artists to sign in an attempt to give him full legal rights over whatever pornographic scribblings he’d paid them to draw. He is the epitome of the e-tough guy.
So Helms is, to put it simply, a massive asshole. He is also completely nuts. He also holds some astonishingly Wrong opinions; this made him a household name on the drama sites. Once, he posted an FA journal saying that most real-life child pornography should be legalized because, in his mind, “the damage has already been done”. In private, he went a step further, admitting that he had an interest in acquiring child porn:
Of course, he was too chicken to actually do something as fucking stupid as trying to get his hands on the Real Deal, or at least not dumb enough to actually admit to it. A small but essential part of what made Helms's antics possible is the fact that he somehow has a shitton of money (by furry standards, anyway) to throw around and nothing better to spend it on. This means that he can literally pay people to shut up, which is depressing - and just a little bit scary. There is a silver lining to all of this; Betawolf is not a terribly bright individual. He is also incredibly abrasive, to the point where nobody really wants to deal with him (much less help him out) if they can help it.
There's more nastiness lurking in the notes of course, but we've hopefully covered what is widely regarded to be the worst of it. Every now and then someone finds something in the notes that helps make sense of some recent event or another, but all the major bombshells were found in the first few days of the massive shitstorm that surrounded the FA breach.
At first it seems shocking how little this incident has changed things, but it's really not that shocking once you look at the big picture. And what is the big picture? This is the kind of shit that eventually happens if you let enough sex, money and anonymity boil over long enough, and it's been happening for a very long time. In some way, EVERY community of young people is like this. EVERY youth subculture is this bad. The furries have historically fancied themselves as some kind of exception to this rule when in fact there are no exceptions.
Give or take a month or two, it's now been a year since the FurAffinity break-in took a giant sloppy shit all over half the entire subculture's holiday vacation. It's depressing how little has changed; in the immediate aftermath people were vowing left and right that they'd never have anything to do with FurAffinity again. Or, they were hoping that all the big-name artists would migrate somewhere else and the site would wither and die like so many of it's predecessors. None of this happened. None of it will happen anytime soon. We're all right back where we started. In fact, I'd venture to say that things have taken a turn for the worse. Furry is an uglier, nastier place thanks to the events of 12/16.
1. You can argue about trigger warnings until you're blue in the goddamn face, but reading about this sort of situation never fails to ruin my day, and nothing bad has ever happened to me. I can scarcely imagine what it must be like for a PTSD sufferer. Maybe there is something to be said for this newfangled practice!
2. The passwords of several FurAffinity administrators were found in the Gawker hack that had occurred just days before. It is speculated that at least one of them reused their password for the site elsewhere. In all likelihood, the attack on FA was a bit more sophisticated than a simple reuse of a compromised password. However, the close proximity of both events led many to speculate that there was a connection.
3. It goes without saying, but the attacker(s) wouldn't have gotten anywhere if it wasn't for the shocking incompetence of the FA staff. They could have shut the site down at any point during the break-in, but instead sat on their asses for hours. They watched them as they deleted shit, altered accounts, and accessed the admin panel that allowed private messages to be dumped, user by user.
4. I'm referring to the Chewfox Incident here, but I'd like to also say that my earlier position that every known zoophile or similar offender should be banned from FA and elsewhere was misguided. Banning them won't do a thing; the only action that is appropriate is heavy monitoring. If they're running their mouths, that is a good thing, especially if there is a chance of law enforcement getting involved. Inkbunny has the right idea.
5. To be completely fair: Dragoneer's predecessors - that is to say the people who ran the webhosts, MUCKs and conventions that furry relied on in the 90s and early 00s - really weren't much different. They threw their weight around too, and it looks for all the world like he was just following their example. The only difference is that he was sloppy. The existence of Encyclopedia Dramatica and the imageboard crowd, something FA's predecessors managed to avoid having to deal with, certainly didn't help either.
6. Looking back, it's kind of a wonder that anyone discussed anything confidential through a website that has security holes big enough to drive the Mobile Launcher Platform through, but here we are.
Click here to discuss this article in our forum