Regarding Group Security and 'Hackers'

Hello Everypony,

This post is largely directed towards anyone who moderates or runs a MLP-related group on DeviantArt, but the information contained can be relevant to everyone.

Over the past few hours, there's been a note circulating around to various MLP groups, claiming that there is a small group of "hackers" (which is not the correct word) attacking MLP groups, taking them over, and vandalizing them. To counter this, the note is suggesting that groups should block all join requests, disable auto-accept, and then forward the note to every other group you know of.

Really, that's horrible advice, don't do that.

It is true that during the past few days, a couple of pony groups have been attacked by malicious users. However, there is no elaborate hack or security flaw that's allowing this to happen. Instead, the groups that were attacked simply had an incorrectly configured, yet easily fixable, setting in their group's permissions which allowed such attacks.

Most groups already are not affected by this issue. However, there are a few where the settings are less than secure. To check to see if your group is at risk, go into your "Admin Area", click on "Manage Members", and click on your "Co-Founder" role. Next, look for the "Join Requests" option, and make sure that it is set to "Not Allowed". If that option is not set to "Not Allowed", change it so that it is - this will prevent people from joining your group as a Co-Founder. Repeat this for the "Moderator" and "Contributor" roles, and this will prevent anyone from joining your group as anything but a regular member.

There is no need to disable join requests, or require moderator approval for new members to join your group - that just prevents your group from growing. I should also point out that the group who started circulating this note, suggesting that other groups disable join requests, has not done so themselves. Regular members cannot cause any damage to your group beyond spamming it (which can be dealt with easily enough), so there's no sense in preventing people from being able to become members.

A few more words of advice:

1) Always use a strong password, including a mixture of upper and lower case letters, numbers, and symbols. The longer and more random a password is, the more secure it is.

2) Do not use the same password on multiple sites. Instead, try coming up with a new password for each website you use. If you have difficulty remembering these passwords, look into using an encrypted password manager such as KeePass.

3) Do not ever download files from people you do not know, especially if they end in .zip, .rar, .7z, .gz, .exe, or .msi. Really, you shouldn't download _ANYTHING_ from someone you don't know, no matter what, but that holds doubly true for files ending in those extensions.

4) If you run a group on DA, do not let just anyone who asks become a moderator/co-founder/contributor of the group. Look into them a bit - how long have they been on DA? Do they mod any other groups? Do they interact with the community alot? Do any of your other mods/co-founders know them? If anything seems fishy or suspicious about them, or if you can't confirm that they'd be a good moderator, don't let them be one.

5) Finally, we ask that you please do not send mass-notes or mass-comments to every group you're a member of linking back to this journal, or copy/pasting its text. While it is a noble intention to want to warn the other groups, sending out mass notes/comments could be considered spamming, and may do more harm than good.

We hope that this journal entry was informative, helps you secure both your account and your group, and helps clear up any misconceptions and false information that have been floating around. While this situation is indeed a cause for concern, it has been blown a bit of proportion. Simply make sure that your groups are secure and you're using a strong password, and you'll have little to worry about.

~Fifth Element, Founder