Original post written by Ahmar Wolf
Tag: News
-

Moving Beyond the NPM elliptic Package
Original post written by Soatok
If you’re in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules.
Art: CMYKat
Why replace the elliptic package?
Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a JavaScript package on NPM) by using Wycheproof. This blog post was accompanied by a new chapter in their Testing Handbook about using Wycheproof as well as two CVEs.
It’s pretty cool work, especially to applied cryptography nerds (and C2SP contributors like myself).
But one can’t help but notice all the dates in the disclosure timeline are from 2024, which was last year.

Art: CMYKat
If you were to take a look at the elliptic project’s issue tracker, you would be greeted by this:

Yeah, that’s not great.
Some of these issues are unrelated, and some are duplicates (referencing the vulnerabilities disclosed in the aforementioned blog post), and one’s a false positive.
Nonetheless, there’s a general lack of responsiveness from the elliptic maintainer on these security issues.
But it’s not like it’s widely used or anything, right?


Oh, motherfucker!
On Burnout and Open Source Software
I don’t blame anyone for getting burned out by maintaining open source software. Especially if you’re not being paid for it. If your open source software is popular enough, it doesn’t necessarily guarantee you an income. Rather, it just means more people with more problems demanding more of your time and emotional bandwidth. The outcome is as common as it is unfortunate.
To be clear: That the elliptic maintainer is largely unresponsive doesn’t necessarily mean that they’re experiencing burnout (they could just be really busy with things that don’t involve computers–who knows?), but I think we as a community should be mindful of this possibility.
Deciding A Path Forward
So, to recap:
- The elliptic package has several public vulnerabilities that remain unfixed, including some that were made public last year.
- The package maintainer has largely been unresponsive.
- There are over 3000 dependent packages on NPM.
Thus, the most important question in my mind is: How do we mitigate the security risk to the NPM ecosystem without adding pressure to, or punishing, a possibly burned-out unpaid software developer?
After pondering it for a few hours, I decided to find a suitable replacement library and create a shim that replaces elliptic with a better implementation.
Without falling back to native dependencies, the best bet for the Node.js ecosystem is noble-curves.

Art: AJ
Introducing elliptic-to-noble
With all this background in mind, I’ve published the initial release of a package called elliptic-to-noble that provides a shim layer for noble-curves that imitates the elliptic package’s API.
Additionally, if you install it according to the instructions in the README, then NPM will replace elliptic with my shim layer in all dependencies as well.
Why this approach and not a different one?
This shim layer approach allows production code to quickly migrate towards a more secure implementation of elliptic curve cryptography in a pinch without introducing a lot of breaking changes to their source code.
It also doesn’t involve NPM security wresting control of the elliptic package away from its maintainer (as is possible if they aren’t responding to security issues) or putting yet-even-more pressure on them (as is always the case when security issues are reported). Additionally, if fewer packages end up depending on elliptic in the long run, it might even be a relief to its author.
I think this strikes a balance between being humane to someone that isn’t communicating while still allowing the ecosystem to remain secure, and not requiring thousands of package maintainers to drop everything and replace a dependency.
Why should we trust you?
You don’t have to trust me. I have no official standing in the NPM ecosystem.
The elliptic-to-noble shim library is a quick way to get off elliptic’s vulnerable implementations while you plan a longer migration to noble-curves.
If you would rather do that work now than trust an Internet furry’s code to lurk in your node_modules directory? Great. I’m glad you’re proactive.
But the fact remains that elliptic is vulnerable today. My shim library is one way to mitigate the risk while you replace your dependency.
Happy hacking!
Header art by AJ.
-
SCAM Tracking on Telegram
Original post written by Ahmar Wolf
Friends. I’ve watched the scammer problem evolve on this platform over the years.
Scammers started this fight with an upper hand. We as a community weren’t prepared for this. We didn’t have a community ready to look out for these scams. We didn’t know what this would look like.
Today, we see a different battlefield. Users actively call out scammers that enter their groups. A lot of furries know what the red flags are and can explain why this is a problem to their group admins.
It’s gotten a lot harder for scammers to pull the casual scams.
So, now they are intensifying the severity. If they can’t scam a lot of people for a few bucks they are going to try to scam a few people for everything.
These sorts of scams lead to people losing their life savings and have directly led to more than 27 suicide attempts in my country.
Nearly a thousand groups have adopted the countersign bot. Many use rainrat bot. Some import our list to use with rose bot. A couple have made their own robot with our API.
Most groups seem to be taking some sort of proactive measures now.
But for various reasons we see some groups resisting removing scammers, even after being shown proof. Some worry about the fallout if they accidentally ban someone and they turn out not to be a scammer.
It’s a valid concern, particularly given the history of ‘call out’ style lists in our community and their questionable accuracy.
A lot of the lists that I think have caused concerns ran anonymously and used basic tooling to take snapshots of ‘problem’ groups. Once they were created they were static. No way to get off them, no way to see who is running it, no way for the community to chime in on if something is right or wrong.
We are aiming to do things differently.
Reports here are initially submitted by y’all. A team member does an initial research phase and marks each report as true, false, or needs more research.
Once reports have enough info to be considered valid they are marked true, where they then get reviewed by me personally.
I’ve spent the last 15 years in cybersecurity. Some roles directly involving brand security and banking fraud. That skill set lets me see more below the surface than your average user can and helps drive both the tooling and decisions.
I review the report, the research, confirm everything and the account id numbers, then add them to the list.
We usually don’t dump all of the info we received in a report into the new listing. We summarize it. By keeping some of the details to ourselves we’ve been able to show victims what specifically scammers are lying about mid-scam. It lets us keep scammers in the dark on how to avoid us and limits how they can craft their lies.
So, accountability.
I’m Yumi Kitsune. I’ve been in the fandom since 2007. Always as Yumi Kitsune.
I take accountability for this list and this project. I am the only one who can add or remove people. If a mistake is made my community should judge me accordingly.
Now, I ask group admins to be accountable.
When a user gets scammed from someone they met in your group that user is going to start asking if you knew about the scammers, about the community efforts to combat them.
Knowing and doing nothing isn’t a good look.
Take accountability before something happens, so you don’t have to take accountability once there are community posts about xyz ending up in the hospital or dead from this sort of scam.
Users. Screenshot when you tell admins about scammers. Start holding people accountable for harboring them and letting them find new victims. When something goes wrong, have the receipts.
I see these victims regularly. See the threats sent to them. The harassment these scammers perform after.
I’m fed up, I think the community is getting fed up. It’s time for accountability as a community.
-

CFF Shoutout to ArcticFux!
Original post written by Ahmar Wolf

CFF Shoutout to ArcticFux! She made the banner artwork for the Panel Room B and Registration. She also made the artwork for our Volunteer ad!
-

Special Cat Special
Original post written by rodney
Channel 4 in the U.K. have announced an upcoming TV special currently in production: “Following the success of BAFTA-nominated, hand-drawn animated adaptation of Judith Kerr’s classic picture book Mog’s Christmas, Channel 4 has commissioned a seasonal special based on Kerr’s picture book Mog’s Bad Thing... Mog is the Thomas family tabby cat who always finds herself in big trouble. The family are hosting a cat show in their garden which should be Mog’s chance to shine, but in all the excitement she does a “bad thing” which means she hides in the attic feeling sorry for herself and misses the start of the show. Can Mog find a way to leave her hiding place, make her family proud and save the day?” Many of the folks working on this production also worked on The Tiger Who Came To Tea, which we’ve talked about before. Mog’s Bad Thing is scheduled for the holiday season in 2026, and then we’ll have to find out if we get to see it here in North America!
Image c. 2025 Lupus Films
-

FA Data Breach
Original post written by Ahmar Wolf

Exploit/Potential Breach Disclosure from FurAffinity Nov 17th, 2025
“On Saturday, November 15th, we became aware of a short-lived exploit that impacted roughly 7,000 accounts. The site was taken offline briefly to address the issue.”
“We are sending emails and notes to impacted users.”
Sources:
https://www.furaffinity.net/journal/11254459/
https://discord.com/channels/991855522913460224/991864987750518855/1440123279875772428
-

Black Friday Deals at PDFC and Den Fur
Original post written by Ahmar Wolf


Both Painted Desert Fur Con and Den Fur have a black Friday code out for you! Use BlackFriday2025 for 15% off reg! And why not book your hotel while you’re at it?