GPF News Archive

October 12, 2015

 

Hey there, folks. Again, I apologize for my lengthy drought between News posts. While I tend to post more frequently on social media (links to those feeds can be found on the Contact Us page), many of those posts tend to be either random, humorous comments and links, or auto-generated reminders about various site updates. I've had a number of things I've been wanting to write at length about, but I just haven't been able to scrape together enough time to download my thoughts. Today's post is one of those topics and, given that recent events have pushed me to a final decision on it, I felt it was high time I sat down to write about it.

Over the past year, I've received a number of queries from readers about Patreon, the patronage site that lets fans of creative works support their favorite artists. A number of you are patrons of other webcomic artists on Patreon and have expressed interest in supporting GPF in a similar way. First, I want you to know I've heard those requests and have taken them to heart. I've been researching Patreon for quite some time now (I first mentioned this back in January of this year), trying to find the best way to fit Patreon into GPF's portfolio of offerings. My biggest concern has been the possible perception of Patreon competing with GPF Premium, our in-house, pre-existing patronage system. At best, supporting both systems would mean I'd have to deal with juggling two separate sets of patron exclusives; at worst, it could cause massive reader confusion and frustration, especially if one patron system offered exclusives that the other couldn't and supporters would have to choose between them. I reached out to Patreon's support staff back in August, hoping they might have some suggestions on how I could integrate Premium into Patreon or vice versa, but their answer was sadly unhelpful. (While friendly and cheerfully worded, it amounted to something like, "You could post links to content in your exclusive silo from within our exclusive silo of content, but we wouldn't suggest that because it'll be too confusing." (Duh, that's what I've been saying all along.) "Maybe you should move all your stuff to our system instead?") I tried to come up with some way on my own of granting Patreon supporters access to GPF Premium content, but I couldn't come up with a secure, reliable way to validate Patreon supporters without compromising Premium's existing security.

And then... this happened. In short, Patreon was hacked, and a subset of their production user database was released onto the Web. (Propeller-heads might enjoy reading the technical details of the hack.)

First of all, let me say that Patreon did a lot of things right. I am not an Internet security expert, but I have been a professional software developer for nearly two decades, and in that time I've learned a lot about the right—and wrong—way to set up, configure, write, and maintain applications in the incredibly hostile environment of the World Wide Web. I spent months developing and testing GPF Premium and the rest of the GPF site prior to leaving Keenspot and, even though I was incredibly careful and thorough in how I planned and implemented everything, there were still plenty of bugs that had to be squashed. (Even after all these years, I'm still grateful for all the volunteers who helped debug things during the transition.) Patreon claims that user passwords were salted and hashed so they could not be reverse engineered (which is good) and that no credit card data was released (they use a third-party credit card processor, who wasn't hacked). However, tax information—including Social Security Numbers—was accessed (very, VERY bad), but was supposedly "safely encrypted with a 2048-bit RSA key" (could be good... for the next fifteen or so years). While technically not Personally Identifiable Information (PII), website activity, private messages, and payment histories have also been released, meaning anyone can now see just how much patrons have paid, how much artists have made, and any content that was intended to be exclusive and protected may now be out in the open for anyone to search.

Sadly, this data dump also includes me. I set up a Patreon account in order to do research into the company (the amount of information available without an account is woefully lacking), so despite the fact that my Patreon page has never been public, all of that information is now potentially out there. While I'm not worried about my e-mail address (which has been a spam magnet from years of public posting on this site) or my passwords (which are always unique per site and are pseudo-random gibberish generated by a password manager), and I never had a chance to post anything exclusive so I have nothing to lose there, I do have to worry about something much more sensitive (my SSN), which may or may not be "safely encrypted", exposing me to possible identity theft. In short, through careless development practices, Patreon betrayed my trust before I even had a chance to take advantage of their service, and I had a lot less to lose than the vast majority of their users.

So in light of these events (and to answer the long-standing question), GPF will NOT be using Patreon for the foreseeable future. As frustrating as all of this has been, I cannot in good conscience use their service, nor can I ask any of my readers to potentially expose themselves to similar risks. If you wish to support GPF directly, we ask that you use our existing GPF Premium service.

My sincerest sympathies go out to everyone already affected by this breach, both artists and patrons alike. Not everyone is fortunate enough to be able to develop an in-house solution like Premium. I don't say that to brag or sound elitist; designing and implementing GPF Premium was hard work, and I had to call upon years of professional experience in order to do that. Many, if not most, online artists don't have that kind of experience, nor do they have access to seasoned developer friends who do. I knew it was a difficult challenge when I decided to undertake it, and it was just as difficult as I imagined it would be. In many ways, Patreon has been a wonderful blessing for those who couldn't do something like this on their own: "let us do the hard part and we'll help you get support from your fans". For the past several months, I've seriously struggled with the pros and cons of Premium vs. Patreon, and more than once I've thought that if Patreon had existed back in 2008, GPF Premium would never have come into existence. That said, whenever we the Internet populace place our faith in a third-party service, a great deal of trust is required. I depend heavily on PayPal and Square to keep GPF running and I've had few problems with either service, but I've heard more than a few horror stories from individuals whose trust in these companies has been dashed. For me, Patreon has lost the little tentative trust I gave them, and it pains me to think of the many other artists who don't have the same alternatives I have to fall back on.

For those unfamiliar with our Premium service, you can get a brief overview at our GPF Premium hub. If you're a Patreon patron supporting other artists, Premium's primary disadvantage is the fact that you'll need to sign up for a separate account. However, the advantages of Premium over Patreon are numerous, since many of Premium's features are deeply integrated into the GPF site: ad-free surfing, end-to-end encryption, exclusive content embedded directly into each archive page, and more. None of this could be possible under Patreon's umbrella. Best of all, the closest thing to PII we collect is your e-mail address; heaven forbid we ever get breached, but if we did, it's not like anyone's going to get anything useful out of us.

I have a long treatise brewing about Internet advertising, ad blockers, and how these affect GPF and my livelihood but, alas, that's a lengthy post for another day. For now, I just want to finish with a hearty thank you to all of you who support GPF, and thanks for taking the time to read my silly little comic. Sometimes it feels like I'm the only one who cares about this stupid little website, but whenever I start thinking that way, thankfully someone tends to pipe up and remind me that I don't do it in a vacuum. Thank you for reading, and I hope you continue to enjoy it for as long as it lasts.
