07-19-2019 until 09-29-2025
devonin
FFR Simfile Author, FFR Veteran
Join Date: Apr 2004
Location: Ontario, Canada
Posts: 10,098
FFR Information Breach/Security

Hello everybody.

As some of you may have seen from the forums, there is reporting that there was a breach of FFR in July of 2019, resulting in the compromise of usernames, email addresses, dates of birth and IP information, as well as salted MD5 password hashes. We had a similar breach in 2016, and this latest breach appears to have compromised an additional ~85,000 accounts.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away.

What it means for FFR passwords is a little more complicated. Some leveling with you is going to happen now.

Due to various issues (mostly the non-profit nature of the site and the absence of Synthlight), it is unlikely that we'll ever be able to upgrade the security architecture in any especially meaningful way. As well, while salted MD5 hashes were fairly secure in 2008, that has become less so as time passes. Our version of vBulletin is as updated as we can make it, and our version of WordPress is one we're stuck with, because none of those things can be changed without Synthlight's involvement. So, in the near term and in today's information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 150,000 of them remained uncracked. Those were likely users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked today, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass or LastPass to generate very strong passwords for you, unique to each site. If you don't want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i, etc.).

We are definitely sympathetic to anybody who had passwords and information compromised that are used in any other places, especially if they are newer users who joined the site after the last breach, at which time we also had to be frank about the reasons why we're unable to properly secure user data. But as much as we would love to make the changes needed to secure FFR, our hands are, sadly, tied.

Devonin and the FFR Team


Update: It is believed that the particular vulnerability that led to this breach has been found and closed. It appears that whoever carried out the breach took advantage of a disabled WordPress plugin, which has since been deleted completely. As well, as a precaution, every such plugin has been completely removed. This seems the most likely source of the breach, as a number of other sites have also been breached in recent months via WordPress plugin issues. While this does appear to be a fix that will prevent further breaches exploiting this same vulnerability, the general weakness of site security remains, so all precautions above regarding passwords and data management still apply. Thank you everybody for your patience, and willingness to hear our explanations regarding our difficulties in safeguarding your data.
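The post above makes two claims worth seeing in practice: that a salted MD5 hash is cheap to attack offline, and that a long, unique password still survives such an attack while simple-substitution spellings ("3 for e") do not. The following is an added example, not FFR's code and not derived from the leaked data. It constructs its own toy "leak" of four users, assumes a salted-MD5 layout of md5(md5(password) + salt) for that toy forum (an assumption for illustration, not a statement about FFR's real database), runs a small rule-based dictionary attack against it, and compares the per-guess cost with an iterated KDF (PBKDF2, from the Python standard library) that a modern password store would use instead.

```python
"""
Added example: offline cracking of a salted-MD5 password store.

Everything here is constructed. The hash layout md5(md5(pw) + salt) is an
ASSUMPTION for this toy forum, not a description of any real database.
"""
import hashlib
import itertools
import time

# Simple-substitution rules the post warns against; an attacker enumerates them.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
# Constructed base wordlist: a few generic words plus site-themed ones.
BASE_WORDS = ["password", "letmein", "ffr", "flashflash", "revolution", "qwerty"]


def forum_hash(password: str, salt: str) -> str:
    """Toy salted-MD5 scheme (assumed): md5(md5(pw) + salt). One MD5 pair per guess."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(password: str, salt: str, rounds: int = 100_000) -> str:
    """What a modern store does instead: an iterated KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()


def leet_variants(word: str):
    """Yield every spelling of `word` reachable by the LEET substitutions."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def build_wordlist(base, years=range(2000, 2026)):
    """Base words, their leet spellings, capitalisation, and common suffixes."""
    words = set()
    for w in base:
        for v in leet_variants(w):
            words.add(v)
            words.add(v.capitalize())
            for y in years:
                words.add(f"{v}{y}")
            for suffix in ("1", "123", "!"):
                words.add(f"{v}{suffix}")
    return sorted(words)


def crack(records, wordlist, hasher=forum_hash):
    """Offline dictionary attack over (user, salt, digest) rows -> {user: password}."""
    found = {}
    for user, salt, digest in records:
        for candidate in wordlist:
            if hasher(candidate, salt) == digest:
                found[user] = candidate
                break
    return found


# Constructed victims. carol's password is long, random-looking and unique, so
# no wordlist contains it; the other three follow patterns the post warns about.
VICTIMS = {
    "alice": "password2008",
    "bob": "P4$$w0rd",
    "dave": "ffr123",
    "carol": "Vq7!tR2kLm9#xWz4Pb",
}
SALTS = {u: hashlib.md5(u.encode()).hexdigest()[:8] for u in VICTIMS}  # constructed salts
LEAK = [(u, SALTS[u], forum_hash(p, SALTS[u])) for u, p in VICTIMS.items()]


def demo():
    """Run the attack against the constructed leak; returns who was cracked."""
    return crack(LEAK, build_wordlist(BASE_WORDS))


def slowdown_factor(samples: int = 20) -> float:
    """Rough cost ratio of one PBKDF2 guess to one salted-MD5 guess."""
    t0 = time.perf_counter()
    for _ in range(samples):
        forum_hash("guess", "saltsalt")
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_hash("guess", "saltsalt")
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    print(demo())  # alice, bob and dave fall; carol does not
    print(f"one PBKDF2 guess costs roughly {slowdown_factor():.0f}x a salted-MD5 guess")
```

The salt does its job here: it stops one precomputed table from serving every user, so each row has to be attacked separately. What it cannot do is make an individual guess expensive, which is why a leet-speak spelling and a year suffix fall to a few thousand candidates per user, while the long random password is only protected by being absent from any list an attacker would try. The PBKDF2 ratio shows the lever the post says FFR cannot pull: raising the cost of every guess so that even weak passwords take far longer to recover.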
09-16-2016 until 10-17-2025
devonin
FFR Sitewide Rules (READ THIS)

Hello and Welcome to FFR!

This announcement spells out all of the rules for the entire site (which includes the forums, the game, multiplayer, profile chat [which is plugged directly into the Discord server] and any other present or future areas of the site that come to exist) and the system for enforcement. This is to make sure that you know what is acceptable as part of this community, and also to make transparent the rules for moderation and enforcement so you know what to expect. We care very much about fostering a safe, comfortable and relaxed community, and these rules are all in service of that goal.


If you have any questions or concerns about the rules or their enforcement, please contact a staff member with the 'User Support' tag from our team list here:

General Rules


Your FFR Account:
You are responsible for any actions or activity associated with your account. Do not share your password or access to your account with anybody else at any time. Offenses committed by your account will be actioned on your account whether you the account owner are the one who did them or not.

Site Access:
To remain compliant with the Children's Online Privacy Protection Act (COPPA) nobody under the age of 13 can create an account on this site without submitting parental permission in writing. You are free to play the game as a guest, but because we allow you to display personally identifying information on profiles, any account seen to belong to a user under the age of 13 will have to be banned until they are 13.

Forum Rules

Avatars:
Avatars must be no larger than 200x200 pixels. The content of avatars is subject to all of the same posting and content rules described below. Violating avatars will be removed without notice and accounts will receive appropriate infractions.



Signatures:
Signatures must be no larger than 800 pixels wide and 350 pixels tall. The content of signatures is subject to all of the same posting and content rules listed below. Violating signatures will be removed without notice and accounts will receive appropriate infractions. The images in your signature may not exceed 1MB combined.



FFR: The Game Rules

Accounts:
You are allowed to create multiple accounts for the purposes of stat tracking for certain playstyles. For example, spread players having another account for only playing one-hand or index etc. Please do not create large numbers of multiple accounts whether for gameplay or posting purposes.

Cheating:
No type of cheating is tolerated at all. The game is based heavily around statistics and leaderboards, and anything that jeopardizes the integrity of those statistics will be dealt with. Accounts caught cheating will have all of their scores wiped, and depending on the offense, may have their account permanently banned. If you create an alternate account for the purposes of cheating, your primary account may also be affected. Examples of cheating include, but are not limited to:
- Using bots to automate play
- Exploiting glitches in the game client
- Having another person record scores on your account
- Using Double Setup (manipulating keymapping to have more than one input per output)

The Infraction System and Offenses

FFR uses an infraction system on the forums to handle violations of the rules. Different offenses will cause you to gain an amount of Infractions. Infractions slowly decay over time, and if you reach certain numbers of infractions, your account will be banned for a time.

As always, the list of offenses below is a "including but not limited to" sort of thing. Something being absent from this list doesn't mean it is allowed, and common sense and 'don't be a jerk' should guide you any time you are deciding whether something is okay.

Avatar/Signature Size Rule Violation (1 point, expires in 7 days)
- Have a signature which is larger than the 800x375 allowed
- Have an avatar which is larger than the 200x200 allowed

Generic Low Level Infraction (1 point, expires in 15 days)
- Abuse of Report features
- Circumventing word filters
- Bumping old threads without adding legitimate additional content
- Posting excessively (double/triple posting, repeatedly posting 'yes' or 'ok' or other low-content things)
- Posting insultingly or aggressively towards other users

Overly Inappropriate Behavior Infraction (3 points, expires in 30 days)
- Flaming or insulting users of the site on the grounds of their race, religion, nationality, sex, gender, sexual orientation, age, or any other grounds which are discriminatory

Generic Medium Level Infraction (4 points, expires in 45 days)
- Violating a sub-forum ban
- Flaming or insulting staff
- Excessive commitment of lesser infractions all at once

Generic High Level Infraction (10 points, expires in 60 days)
- Requesting or Providing links to illegal content
- Aggressive or repeated harassment, flaming or trolling other users or staff
- Posting content which is racist, sexist, etc.

Distribution of User Information Without Consent (15 points, expires in 6 months)
- Doxxing, the posting of personally identifying information such as address, full name, phone numbers etc. that are not already posted publicly on this site (being posted publicly outside FFR is not sufficient)

Nudity/Depictions of Violence (20 points, expires in 12 months)
- Posting anywhere (forums, avatars, signatures, profiles etc.) images or video containing nudity or depictions of violence.

Pornography/Extreme Depictions of Violence (30 points, expires in 18 months)
- Posting anywhere (forums, avatars, signatures, profiles etc.) images or video containing pornography, or extreme depictions of violence.

Inexcusable (80 points, never expires, permaban)
- Compromise or Circumvent Site Security
- Render a DDOS attack
- Cheat
- Knowingly use game exploits, or share game exploits, where to find them, or how to use them
- Distribute protected property of FFR (Including but not limited to level charts, engine sources etc)
- Post Child Pornography, links to child pornography or anything that appears to be child pornography
NOTE: In the case of the above, your information will also be reported to the police.
- Evade a ban (The evading account will receive this infraction, and the original account may have their ban reset or increased)

Offenses Not Tied Directly to Infractions (The type and level of infraction for these offenses will be evaluated on a case-by-case basis as they are more types of thing than actual offenses themselves)
- Quoting inappropriate material after it has been deleted. (The infraction for this offense will be equal to the infraction for the original post. Quote flaming, infracted for flaming yourself. Quote porn, infracted for posting porn)
- Bait staff through the exploiting of loopholes in the rules. (If you think it is clever to do a bunch of things common sense tells you that you shouldn't, just because no rule says you can't, that is itself actionable. This is basically official notice that sticking your hand in our face and saying 'not touching you! not touching you!' is not going to end the way you want it to.)

Infractions Leading to Banning

If at any time you gain an infraction that puts your total points at or above one of these breakpoints, you will be banned for the requisite amount of time. If you have points expire, and then gain additional infractions, your current total is what determines your ban. For example, if you have a 1 point infraction, and then gain a 3 point infraction, you will receive the 4-point ban of 3 days. If your 1 point infraction expires, and you then commit another 1-point infraction, you go back to 4 points and will receive another 3-day ban.

3 points - 1 day ban
4 points - 3 day ban
7 points - 5 day ban
10 points - 2 week ban
15 points - 1 month ban
20 points - 3 month ban
30 points - 6 month ban
80 points - Permanent ban

Reporting Issues

If you have any issue with another user, there are a number of tools in place to help you get assistance. For offenses committed on the forums, the Report Post button is located on every post; this will create a thread in the staff forum notifying us of the post, along with your explanation of the issue. On profiles, a similar Report Profile button is located in the upper right corner of all profiles and looks like this: (!). For anything that is not still available to report, communicate via private message with any Global Moderator, Administrator, or Team Member with the 'User Support' tag and we'll be happy to render assistance.
Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright FlashFlashRevolution