Inkbunny

IB Gear Latest Popular Members Search
 
Welcome to Inkbunny...
Allowed ratings
To view member-only content, create an account. ( Hide )
Blackraven2

Today I blocked my second keyword on IB

by
Inkbunny has this awesome feature, you can block content by tags/keywords of stuff you don't want to see. Most likely this was meant to protect viewers from unwanted content in the images themselves, but this tool is more powerful if applied - not to image content - but to the motives behind the image.

This is apparent from my blocklist. I blocked:

YCH - Because tagged with this keywords are myriads of YCH auctions that have popped up in recent years (thankfully it's dying down slowly). Almost all YCH auctions are by definition sketchy and incomplete, as the main characters are just boilerplates. They are an eyesore to look at, and worse they are nothing but advertisement. Which brings me to the second keyword I decided to block today:

Patreon - Tagged such (thankfully) are images that are - although usually high in quality - all but teasers for content hidden behind a certain subscription Paywall. A centralized subscription Paywall that doesn't take the protection of their users data very serious. As helpful as this platform may be for Artist to seek some regular revenue, its role is bad news for their clients, as it's one centralized place where all the information about everyone's secret weaknesses (those they are even willing to pay money for) are combined with personal and financial information. And Patreon has a more than spotty record of keeping this sensible information safe, they were hacked at least once already.

Unfortunately it seems to get more and more popular with artists, and more and more content is placed there, demoting sites like Inkbunny and their galleries to the role of glorified add banners. I am sick of being teased with hints of content that I'll never be able to see - even if I could afford it - because I'm unwilling to get my credit card details anywhere near that particular site.

Luckily Inkbunny has the means to block this spam before I have to go to more drastic measures - like unwatching the artists who decide to go that route. I still can't see their paywalled works, but at least I'm no longer get it rubbed in my face every single fucking time.

Thanks, Inkbunny. Awesome feature!
Viewed: 117 times
Added: 7 years ago
 
27 Comments on this Journal
Leave a Comment...
ColeDragonKnight
ColeDragonKnight
7 years ago
link
FA needs to catch the fuck up on stuff like this, half my inbox is patron or YCH or vore
SpearMintWolf
SpearMintWolf
6 years, 1 month ago
link
I don't mind the vore. =333
SilentHunter
SilentHunter
7 years ago
link
Wow thanks for the warning friend! I never thought of Patreon being dangerous.
Xennos
Xennos
7 years ago
link
Well if you don't like it then just block it. It's totally your choice I can respect that and probably pretty much understanding it too.
But is it really that necessary to make a crusade against it's concept and people who doing it? People have own different needs and must even I for one doing it too. Much like your works that require audiences with the capability to understanding others perspective and a clear opened mind to appreciate it's beauty... I'm just surprised on why you failed to do that very same thing to others perspectives yourselves.  
Blackraven2
Blackraven2
7 years ago
link
Edited 7 years ago by Owner
Yes, the crusade is - unfortunately necessary.

The issue is, from an individual artist perspective, Patreon seems to be the (although not perfect, still among the best) solution to their problems. And for their clients it wouldn't seem to matter which platform they use, they do want to support their favorite artists. Except of course it's convenient the site is so popular one that they already have an account on and don't have to sign up on yet another page that's an added bonus.

For any individual on their own, the downsides seem to be negligible compared to the personal benefit, and such it grows and grows.

Except these downsides grow exponentially worse, the more people use it.
It's like this secluded beautiful beach that becomes more and more popular with the tourists, until its so crowded you can't see the sand and all the beachfront is paved with expensive hotels.

Patreon has reached a level where an artist has almost no choice anymore where to go if they want money. But if all the artists are on Patreon, then any transaction to any artist has to run through their hands. And because there's payments involved, Patreon knows everything about you. Your real name, your address, your credit card and bank account numbers. Among with what fetishes you like based on the artists and works you support. Now again if it was just you, you'd be safe. Noone is going to hack into a site database just to deliberately and personally pick you.

But Patreon doen't just have you, it has everyone. And that when this collective data becomes so valuable that it's worth pulling all registers. Hacking the site. Or buy into them as a major investor so you can affect their management decisions and get your organisation access to the data. Or if you are a three letter organisation, just send them one of these "national security letters"

Assume law enforcement in *insert country here* is searching people in possession of illegal material (and lets face it, whats on Inkbunny is illegal in a number of countries). Now all it needs is one image from any particular artist to fall under that category, to make any of their clients on Patreon a suspect. And guess what, Patreon has that complete list and can give it to them, to see if there's anyone in that country that they can prosecute. Or put their names on the "arrest on crossing the border" list.

And then of course you have criminals who can just get themselves access to the data by any illegal means.

Is that all an empty  threat?

From the Wikipedia page on Patreon:
"
In October 2015, the site was the target of a massive hacking attack with almost fifteen gigabytes' worth of password data, donation records, and source code taken and published. The breach exposed more than 2.3 million unique e-mail addresses and millions of private messages. Following the attack, some patrons received extortion emails demanding Bitcoin payments in exchange for the protection of their personal information.


When Jack Conte created Patreon, it was an unique and awesome idea. And it would still be that if it hadn't grown so large. But the more people use it the more powerful and the more dangerous it becomes for everyone. It has become a monster that has to be feared, even though it all came from good intentions. Like a baby kitten that has grown to the size of a house and now hunts people instead of mice cause its so hungry. Can you really blame it?

No, but I do blame everyone who keeps feeding the kitty after it already ate people!
Xennos
Xennos
7 years ago
link
Edited 7 years ago by Owner
If you put it that way.... well I hate to break it to you but the fact is there is no such thing as a safer place here on the internet... especially the social hub like here as such. You got to defend you own no matter where you are. And if this really is the real reason behind your crusade then allow me to point you the right place.... Facebook. As when Hackers hacking all they want is your social hub User/pass + email account...if they got these two anything else is a cake walk.. XD
Blackraven2
Blackraven2
7 years ago
link
Facebook I have on my bkocklist, to prevent every second site I visit from tattletelling Mr Zuckerberg where I've been. I am not using it, and I don't have to. Thats my choice and I can make it, freely.

But even if I made an account, I could do so with a throwaway pseudonyme never be used again. Noone forces me to give them my real name or credit card details.

But to become a Patreon, you need both, since payment is involved. That makes that page inherently more danferous than Facebook.

Of course if someone discloses his realname and private life details to Facebook for everyone to see, he will have much bigger problems .   But at least its their own choice, I can't help them there :-(
Xennos
Xennos
7 years ago
link
Not really... Most data breaker don't care much about banking info. As a direct approach will always be expected and will present some certain amount of risk cracking into. But in the contrast with FB enforcing real user names as an account IDs... well all I can say is it's like a data walmart for hackers. You can do nothing but pray you aren't a target. XD
Blackraven2
Blackraven2
7 years ago
link
Well "enforcing" is a relative term. I think I made an account as a certain Martin Smith once, when the site didn't accept testuser123 as a valid name. Once payment is involved however, most credit card companies will not make the transaction if the card holder name doesn't match, so unless you manage to get a credit card under a pseudonyme ( haven't found how to yet) you have few options.
Xennos
Xennos
7 years ago
link
It just confirm what I said. Real user IDs are far more valuable than raw banking infos. That's why I firmly believe that everywhere is equally dangerous not just Patreon. The only thing that really matter is not making yourselves a target.
kamimatsu
kamimatsu
5 years, 10 months ago
link
hate to break it to you, but staying off the grid is impossible now. if someone wanted to know your name, even if you never registered for anything, they'd already know it by now
kitsunelegend
kitsunelegend
7 years ago
link
To be honest, I've unwatched several artists already who pretty only post highly censored artworks on their accounts (be it FA or IB) and everything else is "patreon exclusive" I really hate that term now to be honest...Like, I watched your account here to enjoy and support your works and possibly get a commission from you down the road, but now I cant even do that, so whats the point of continuing to give that artist exposure?

However its not ALL bad. I know of several artists, who i do actually support on patreon, who have that "timed exclusive" thing going, where its posted on patreon first, then later to other galleries, usually in a slightly lower res (which is PERFECLY fine with my btw)

I just truly wish more artists would understand they'd get way more exposure by posting their art in a timed exclusive fashion, and not lock most if not all of their stuff behind the patreon paywall.... you actually end up getting less patreons that way, because less people see your art, how its supposed to be seen, and therefore have no idea you even exist...its sad really...


Sorry if this seems a little uh..ranty I guess...its nearly 3:30 am for me and I really should be in bed xD
AlexReynard
AlexReynard
7 years ago
link
Still not sure I agree about Patron, but ou bring up a point I'd never considered. Now that traitorous American legislators have given ISPs the go-ahead to harvest our data, we should probably all think about what that data is showing.

Also you said 'sensible' and meant 'sensitive'. Pet peeve of mine. I can't say how many times I've seen porn mention someone's 'sensible nipples'.
GreenReaper
GreenReaper
7 years ago
link
For the web, ii it's HTTPS, just the server, and various amounts of encrypted data - though that in itself might be suspicious. If HTTP, then it's far more of an open book. Then there's all the other protocols. But whether they'd care about you specifically is debatable; I suspect aggregated traffic data is one of the more saleable things (think making Alexa.com more accurate).
AlexReynard
AlexReynard
7 years ago
link
Yeah, that's one thing that gives me comfort: I'm only one among billions, and there's probably nothing I'm doing that's likely to catch anyone's attention.
Blackraven2
Blackraven2
7 years ago
link
Says possibly the most most prestigious authors of cub & snuffy.

I'm afraid, if *they*(tm) ever come after this sort of community at Inkbunny, you are the type of people they'd go for first, if just to set an example and intimidate everyone else.

OK, maybe after me, too, but I might still be a bit harder to get at ;)
AlexReynard
AlexReynard
7 years ago
link
Still not worried. Because I'm primarily an author, and censorious prudes almost never go after words if there's pictures nearby. I never saw ANY written cub smut taken down on FA during their great cub porn purge. It would require that these reactionary pricks actually READ and UNDERSTAND the content they're reflexively hating.
Blackraven2
Blackraven2
7 years ago
link
Yeah, well, I guess even as far as pictures are concerned, the admins usually go after stuff that someone complained about. The difference between a picture that got banned even though only a moron would see it as cub and another that is pretty clear cub porn that was left standing is that someone filed a complaint about the first but not about the latter - and the admins didn't even bother having a second glance. If someone complains about it, that's often enough reason to censor and ban. That way no one accuses them of not doing their job.

It's only if someone appeals, that they become creative in explaining what and why they did it, and why it's right. The admin is always right - especially on FA.

It's a system based on denunciation. So the reason why your stuff wasn't taken off wasn't that the admins who ban don't read, because those wouldn't even bother checking your gallery either way.
It's because the people who complain and bitch about it didn't bother reading, while visual works "spring to the eye" (then again so do keywords, but, well, yes, those too require reading...)

But that's not really the point here. I just think, "noone will come after me, cause I'm too insignificant" is a quote that is always ever valid until the very moment someone comes specifically after you. Who knows, maybe you pissed someone off personally, maybe just a disgruntled fan who holds a grudge because you didn't treat him as special as he thinks he deserves. Again its a system of denunciation. If someone went to the right (wing) politician in the right state in the US and complained "there's a cesspool of online childporn on these sites and you politicians do nothing about it" and sends a link to one of your art and stories -- it wouldn't matter that this is completely untrue and a falsification of facts, you - as well as Inkbunny - would potentially risk getting a lot of unwanted attention. Things like this can even lead to changes in laws - just because what its perceived as "wrong" is completely legal, so obviously that must be an omission and neglect in the legal system that needs to be fixed ASAP. All to protect the children of course!

It really sometimes only takes one single asshole knocking at the right doors to make all hell break loose.

We are off topic though, this used to be about Patreon beeing too centralized. The previous time Patreon had been hacked, the attackers used the data for identity theft and for extortion from users. If that happened now again, the damage would be much much greater.
Blackraven2
Blackraven2
7 years ago
link
Edited 7 years ago by Owner
One of the bigger issues lately - that kinda completely compromises HTTPS - is geocaching and content cloud-hosting.
To intercept HTTPS traffic, you'd need to either
- compromise the stream/cryptography (man in the middle attack, stream logging without perfect forward security, bad certificates, bad CA's in browsers, ...)
- compromise the client (backdoors in operating systems, ...)
- compromise the server

- the first might be viable against individual high profile targets, but it's fought against by the entire community with browsers kicking out CAs that do that
- the second can be avoided by avoiding mainstream operating systems and securing your own systems
- the third again is again only viable for individual high profile targets, no-one can hack the majority of servers on the net...
right?

Enter google cloud, amazon S3, cloudflare, (and at least in theory also NearlyFreeSpeech.NET and LeaseWeb Netherlands ;) which serves content for InkBunny )

A growing number of websites uses a very limited number of commercial providers to serve their content to customers, for reasons such as
-DDOS mitigation
-higher performance and less latency
-lower prices
-...
-profit

but this changes the attack vector if you want to intercept the content of a large number of clients you don't need to hack all these clients or infiltrate millions of servers, all you need to do is send a national security letter to just 3 (4?) American companies that forces them to feed you a mirror-copy of all accesses - after the stream has been decyphered.

Or if you aren't the NSA, but have the resources, infiltrate those 3 by more cumbersome but also proven ways...

Edit: I think NearlyFreeSpeech is just a hoster, but LeaseWeb definitely offers geocaching. It's however not as vulnerable to national security letters >:>>>
GreenReaper
GreenReaper
7 years ago
link
Edited 7 years ago by Owner
LeaseWeb does serve much of our content, but we created own CDN from dedicated servers and VPSes rather than use their CDN network; their software is not terminating connections. This does not make it impossible to intercept, but significantly harder. I think Inkbunny was basically the only large furry art website not impacted by the recent CloudFlare debacle.

Attacks of various kinds are always a possibility, especially against a VPS, and they're one reason we only serve non-private content from them, don't direct cookies, user login details or web-page content via them, and do not regularly keep nginx access logs.
Blackraven2
Blackraven2
7 years ago
link
Yeah, don't get me wrong, Inkbunny is IMHO a shining example of how these things *should* be done.

You are a big portal, so you need some horsepower under the hood to deal with traffic (including malicious one) and as far as the solutions you took, I truly can see no better ones from both a security and privacy protection point of view.

At the same time Inkbunny's useability and features are also above and beyond most other similar sites. I wish some of the others would follow your example, but they either don't care or have different priorities ;/
GreenReaper
GreenReaper
7 years ago
link
Edited 7 years ago by Owner
To be honest, another big reason is performance. It'd be cheaper to pay for the bandwidth all in one place, and in fact our main and secondary server are sufficient for this. A lot less hassle, too. But obvious latency issues aside, we've seen significant bandwidth limitations between servers in Europe and clients elsewhere; and as files have grown, this has become more of an issue.

It's also inadvertently turned out to be a lot of fun making Russia's Internet censorship board work overtime, trying to track down every possible Inkbunny cache when they get a hard-on for one of Xennos's bunny boys…

As for server cracking, one of my next projects is full-disk encryption for Inkbunny's next main server. Will take a bit of processing power, but we have plenty spare (and the new CPUs are significantly faster). Of course there are other attacks; Inkbunny has a cut-down kernel, which might help to reduce the attack surface.
Blackraven2
Blackraven2
7 years ago
link
That's a fun endeavor. I put full disk encryption on Linux laptops a few times. You can read the key from keyboard or alternatively  from USB stick (with the passphrase for key-decypherment from keyboard) and there's lots of docu how to set that up using luks/cryptsetup.

But how do you practically do that with a server which is headless? Launch a mini-ssh-server from initrd, to which one must connect and initiate the decryption on every boot? Or leave the system unencrypted and only encrypt data? But either way at runtime the data is accessible. On my laptop I can close the lid/press a button if someone bangs on my door, but if someone tries to heist the server in a computing center, one has to get creative.

A deadman's switch that shuts down/flushs RAM if the server looses internet connectivity might be an option (one of the first steps of someone doing computer forensics is to isolate the system) but you'd also need some heuristics to detect suspicious activity while the system is running, or someone hacking one service on it can potentially access all the data.

The trickiest thing is likely someone making a snapshot on a virtual server/ VPS. They can always go back to the snapshot whenever the system outsmarted them, until they outsmarted the system and got the keys, while the "real" server keeps running none the wiser that it's clone is being attacked. The hypervisor can always read all your RAM, theres not much protection against a malicious hypervisor. I'm not sure if that can be secured at all.

Apropos censorship, gurochan (which also had had issues with the Russian authorities) apparently has both a TOR hidden node running to provide the site to those who can't access it the normal way, and also has its real system hidden in a VPN, exposed by a few frontend proxies - the main one I think is now in Switzerland and France if I'm not mistaken - after they got issues with Roskomnadzor.   Maybe a TOR frontend to IB might be an idea, too for those too paranoid or too censored to access it any normal way.  (Or do you already have one and I just missed it? ;) )


Another thing you could do is a distributed database, where each users gallery and critical data are stored on a separate - possibly even physically distinct node.  That way if someone gets access to the backend he'd only get one user's stuff, but not more. Login to the site for restricted content could be tied to the database access credentials - so even a proxy/webserver that could access all data can only do so if someone with admin rights logs in (which would only temporarily kept in RAM as long as the admin is logged in) - if you combine that with "admins don't use the public proxies but access inkbunny through "admin.inkbunny.net" which points to a special system not too exposed to the internet, then no publicly accessible system ever has the access credentials loaded to access all Inkbunny data.

Of course for most submissions, any account will have access, but not for PMs and private stuff.

Just some random thoughts ;)
Blackraven2
Blackraven2
7 years ago
link
phiysically distinct nodes for everyone are obviously are a non-idea, considering you'd need as many servers as IB has users. But one could likely use some jailing within VMs on a hypervisor, where each node runs on an encrypted disk containter with its own microkernel and a sleek DB server of some kind. Dunno how much overhead that would create, maybe still not doable at this time, but somewhen in the future.  An issue might be aggregate functions over all users' data which would have to gather from many many nodes, I don't think that could run realtime, they'd need cashes, which of course could become out-of-sync... and thats just where the headaches begin ;) Might be worth the effort to develop it though, there'd be other applications than just Inkbunny :)
GreenReaper
GreenReaper
7 years ago
link
Edited 7 years ago by Owner
Yes, there are methods to provide a SSH server via e.g. Dropbear. Or a key might be obtained remotely by it drawing from a server which is only enabled at the time that a reboot is commanded. Or you enter it through the KVM of the out-of-band management system - of course, at that point you're relying on that system to be valid, but that is true for any remote operations (and, frankly, you rely on the BIOS etc. as well).

The security of ephemeral keys is always tricky to arrange; we have some already for certain data, including PM bodies. Stopping it from being swapped out may help.

There are also tools to turn a system off if you plug in a USB device (or, of course, you can simply disable USB input devices in the kernel). It would not stop an attacker who started probing the circuitboards and freezing the RAM.

We have considered interaction with Tor, such as hosting a hidden service, but it's low on the priority list. As it is, it's hard enough to resist the temptation to block it due to abuse.

VM performance has improved on Broadwell; but I have no real experience there. I suspect the kind of people who feel the security of a per-user microserver is a beneficial addition would probably not be comfortable entrusting their data to people they don't know personally. :-)
Blackraven2
Blackraven2
7 years ago
link
This is actually a point where "trusted computing" modules can become useful. If you put your own certificates into the BIOS cert storage and sign your own bootloader, kernel and initrd, you could create a handshake sequence where a remote system provides a valid key only after both identity and integrity of the server system in question have been validated and proven. Unlike most desktops and laptops where EFI and secure boot are only a nuisance, server boards commonly let you put your own master keys in the BIOS, so you can have your own secure chain. It's still possible to compromise the system via hardware/bus probes, RAM freezing and all these nice techniques that are commonly employed by the jailbreaker scene, but the hurdle is so high that it would become exceedingly difficult to do so on the fly. Someone would have to take the system offline and inspect it and by then you'd know something is up and revoke the decryption keys.

But again that only works for physical systems, not for VMs where you don't control the hypervisor.

But at that point you are long at a situation where the risk of someone intruding over active network services on the system is much higher than a malicious attacker with actual physical access. You can only ever harden so much, if someone finds a zero day exploit in your HTTP daemon (or TLS library) you can still get owned pretty much regardless of the countermeasures you have in place. SElinux and software behaviour policying can mitigate that to some point, as can a nice intrusion monitoring and detection system, but with the amount of "dumbfire attacks" that botnets run on each and every server these days round the clock, it's hard to distinguish serious attacks from all the chaff.

The funniest complaint I once got was from a client of the same computing center complaining that my server had attacked them. I checked the log and found out that the opposite had been the case. They had gotten infected with a botnet client that spreads through ssh bruteforce, and their system had tried to spread to my system. That was before fail2ban was really commmon, so I had my own mitigation script running that responded to brute force attacks by blocking the IP - with a nasty "mirror" rule, so any packet was sent back to sender with source and destination IP swapped.

As an effect, the bot successfully attacked and infiltrated its own system, (as it was vulnerable in the first place) probably a few hundred times in very short succession until it server crashed. When the customer checked their logs, they of course saw my IP in the logs, but of course I had the matching log entry to prove that "they shot first" ;) I'm sure the techies at the hosting provider had a laugh out of it :)
Blackraven2
Blackraven2
7 years ago
link
I just stumbled upon an ugly stain on Inkbunny's white privacy vest.

While the site as a whole doesn't load ads from any third parties nor includes any trackers, it does embed 3rd party scripts for the player of uploaded audio files (mp3) (and possibly other media)

The embedded player does load javascript from its maker, jwpcdn.com which belongs to New York based Long Tail Add Solutions Inc. The scripts loaded from there in turn try to exchange data with another domain jwpltx.com registered with the same company.

From the first domain, javascript code is loaded, under the URL https://ssl.p.jwpcdn.com/6/2/jwpsrv.js
This includes heavily obfuscated javascript code which identifies the browser and its capabilities in order for audio playback
It also sends another HTTP request to fetch the following image file

https://jwpltx.com/v1/jwplayer6/ping.gif which itself is just a 1 pixel transparent gif. However the request includes parameters in the URL, in my case the following:

"
    [tv] => 1.1.0
    [n] => 5500405556257547
    [aid] => 3bbFfoa8EeKKoiIACp8kUw
    [e] => e
     => 0
    [ifd] => 0
    [pv] => 6.2.3115
    [m] => 1
    [d] => 1
     =>
    [ed] => 1
    [ph] => 0
    [ps] => 5
    [fv] => 24.0r0
    [pl] => 30
    [wd] => 480
    [sdk] => 0
    [emi] => r4sw9q28y3p0
    [pli] => 3vbno6xo4h90
    [mu] => https://nl.ib.metapix.net/files/full/1866/1866920_Black...
    [eb] => 0
    [pu] => https://inkbunny.net/submissionview.php?id=1329315
    [id] =>
    [pt] => Down Down Down Down (4 ch Track, 2 samples) by Blackraven2 < Submission | Inkbunny, the Furry Art Community


In other words, your typical web bug, augmented with all the information the Javascript code could previously gather, including.
URL of the page, Filename of the media file, Title of the submission, Various version information data, browser capabilities, viewport, and calculated ids at least potentially suited to further track the user across sites.

The javascript code loading it (from the previously loaded file) reads

document.readyState,h={
trackerVersion:"1.1.0",serverURL:"jwpltx.com",serverPath:"v1/"+c+"/ping.gif?",playerVersion:jwplayer.version,config:a,SDKPlatform:a.sdkplatform||"0",isiOSSDK:f,iFrame:e,pageURL:e,pageTitle:e,pageLoaded:g,queue:[],debug:b,positionUtils:d
}

If you weren't aware of this, I thought you might wanna know :)
New Comment:
Move reply box to top
Log in or create an account to comment.
 

Help

Information

Policy & Legal

Twitter Facebook LinkedIn

All artwork and other content is copyright its respective owners.

Powered by Harmony 'Gravitation' Release 80.

Content Server: Virginia Cache - provided by Inkbunny Donors. Background: Blank Gray.

The Inkbunny web application, artwork, name and logo are copyright and trademark of their respective owners.