Misc:  DW Sheep

lorax

Did I Make Me Up, Or Make the Face 'til It Stuck?

I Do The Best Imitation of Myself.


Misc:  DW Sheep
lorax

On LJ Security Fail

Okay, I've been poking around about the LJ thing, so I'm going to say what happened here, since I've had a few people PM to ask. I haven't seen a link round-up yet, so here's one for now until I find someone who is doing it better.

First, I'll describe what happened to me.

Yesterday, I logged in over at LJ, and went to edit an entry. Instead of redirecting to an edit entry, it dumped me into the log-in page, logged into an unfamiliar journal. (For logistic purposes, I was on a mac running Snow Leopard, using Firefox 7, and my LJ account type is a permanent account. I was not using LJ-Login at the time, but logging in manually, as I already knew LJ Login was borked.)

I was mostly kind of baffled at first, and clicked on the journal I was logged into, whereupon I saw their journal, including obviously locked entries. This was not a journal I had ever seen before, or should have had any permissions to read f-lock or private entries with, obviously.

I scanned the page enough to see what had happened, and the user was, I believe, Russian, but had entries in English as well. I then rapidly logged out, when I realized, and was unsettled. Not sure what had happened, I made my last entry, and then started reading around.

I logged back onto LJ, changed my password, just in case, and filed a support request. As far as I could tell at the time, that support request was PUBLIC. As of now, it is listed as PRIVATE, but has not been responded to. I can't see anything in the public support queue about this problem, so I'm guessing that all support requests about it are being set to private by the support team/admins. (This may just be standard procedure with login/security related problems, for all I know, but I find it ANNOYING that they're hiding the problem without offering any kind of official response yet.) [E.T.A. - in comments, [personal profile] azurelunatic pointed out that as far as they knew, it IS standard to private anything security related, or requiring higher-ups to address.]

[personal profile] boundbooks then replied to my entry, giving a link to their entry about the situation. My flist also pointed me to stunt_muppet, who says that people are reporting access to other people's entries and account information. (I did not stay logged in long enough to see if I was given access to edit the other user's entries, or to see if I could look at their account information, but given that I was logged in AS them, I think it's very likely I could have.) Their E.T.A.'s also include links and further information that seem to indicate this is not yet a solved problem.

They also directed me to unfunnybusiness over at journalfen, where there's a discussion going about it. Users in that thread are mentioning the UI changing to Russian language default. (And started up an obligatory DW code thread.)

[staff profile] denise at [site community profile] dw_maintenance posted that LJ's release had broken the crossposter.

[personal profile] eruthros has a round up of incidents as well, including a link to fallacy_angel's post at lj_releases, which includes a screencap.

I began to dig through the lj_releases entry, where the problem was being mentioned, and mentioned, and mentioned some more, but with no official response other than "tell support" that I've seen. Most of the official responses within the comments concern the ljlogin/ljjuggler issue, with no real acknowledgement of the very real security issue. (Note, there are many more comments about the privacy issue, but I didn't link all of them; feel free to link me to any relevant subthreads I should include.) There is also a public support request I spotted about journals set to private/flocked having the defaults continually reset to public, which means any new entries are public. It's now edited to say resolved, which may have been a fix on LJ's part, I don't know, as I DID see someone mentioning the same problem elsewhere, but haven't been able to track down where I saw it again yet.

I've had issues with LJ before, but this was a very jarring, personal issue. I was given access to someone else's PRIVATE journal entries/LOCKED journal entries, and likely their personal information as well. Which leads me to wonder who had access to MINE? This is a very real, highly disturbing security problem, even for me, who has no real personal identity to hide, but is just uncomfortable with the idea. For someone who may have very real reasons to hide their identity, or want to keep their entries private, this could be a nightmare. People could make previously private entries in journals not their own public. They could have access to phone numbers of those who have a cell phone set up in their profile for texting. For those who have auto-payment set up in their billing, they might have access to credit cards. (Again, I did not personally check to see if I could see the account info of the other journal, but as I was logged in as them, I think it's probable.)

So in short, I was disturbed, appalled, and now I am INVESTED in being extremely angry about this.

Feel free to link this around, and if you have any updates, drop a comment and I'll try to keep editing them in, as I find new information.

Sadly, I did not think to get screenshots of these things as they were happening. If you want to link to caps and links, then I suggest you blur out any journal names/entry texts of people whose journal you were accidentally logged in to, for the sake of not making this worse than it already is.

I'm filtering comments to DW, so I don't have to maintain them at two entries, and anon commenting is on for those who don't have DW accounts. (Also, if anyone is looking for invites, I do have a few, and there's always dw_codesharing.)

E.T.A. - And as of now, we have an official response from LJ Maintenance, which says there is no effect on security as you couldn't interact with the features of the journal you were shown as logged in to. If true, that does ease the mind on questions of viewing personal profile information or editing entries - but it does nothing for the fact that private entries/locked entries were viewable. From their entry:
The following occurred - while updating the configuration of our internal caching system, Varnish, for a few minutes the system began to issue cached pages from the users who most recently visited the same page, as the system considered this the most relevant source of data. Thus, for 3 minutes, some users may have seen pages which appeared as though they were logged in as another random account, but it was actually just a snapshot of the page of the last visitor. It had no effect on security, as it was not possible to perform any actions on behalf of this other account. When attempting to load another page during these few minutes, another cached page was served in most cases.
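The mechanism that statement describes (a shared cache handing the last visitor's rendered page to the next visitor of the same URL) is easy to reproduce in a toy model. The block below is an added illustration, not LiveJournal's or Varnish's code: the cookie name "session", the users alice and bob, and the page bodies are constructed for it. It shows a cache keyed on URL alone beside the two usual defences (bypassing the cache for requests that carry a session cookie, or folding the session into the cache key), and a check an operator can run over the cache contents to catch private pages that should never have been stored.

```python
"""Toy model of a shared HTTP cache in front of a login-aware site.

Constructed for this post as an illustration; not LiveJournal's or Varnish's
code. Cookie name, user names and page bodies are made up.
"""
from dataclasses import dataclass

SESSION_COOKIE = "session"  # assumed cookie name, not LJ's real one


@dataclass
class Request:
    url: str
    cookie: str = ""  # e.g. "session=alice"; empty means anonymous visitor


@dataclass
class Response:
    body: str
    cache_control: str


def origin(req):
    """Stand-in application server: renders the page for whoever the session
    cookie says is logged in, and marks such pages private."""
    if req.cookie.startswith(SESSION_COOKIE + "="):
        user = req.cookie.split("=", 1)[1]
        return Response(f"{req.url} rendered for {user}: locked entries visible",
                        "private, no-store")
    return Response(f"{req.url} rendered for anonymous visitor",
                    "public, max-age=60")


class SharedCache:
    """mode selects the key / bypass policy:
    'url_only'       key on URL alone and store everything (the failure the
                     maintenance post describes)
    'pass_sessions'  bypass the cache for any request carrying a session cookie
                     and never store a response the origin marked private
    'key_on_session' keep caching, but include the session cookie in the key,
                     so each user only ever hits pages rendered for them
    """

    def __init__(self, mode):
        self.mode = mode
        self.store = {}

    def _key(self, req):
        if self.mode == "key_on_session":
            return (req.url, req.cookie)
        return (req.url,)

    def _bypass(self, req):
        return self.mode == "pass_sessions" and (SESSION_COOKIE + "=") in req.cookie

    def _storable(self, resp):
        if self.mode == "pass_sessions":
            return "private" not in resp.cache_control
        return True

    def fetch(self, req):
        """Return (response, status) where status is PASS, HIT or MISS."""
        if self._bypass(req):
            return origin(req), "PASS"
        key = self._key(req)
        if key in self.store:
            return self.store[key], "HIT"
        resp = origin(req)
        if self._storable(resp):
            self.store[key] = resp
        return resp, "MISS"


def run_scenario(mode):
    """alice (logged in) loads an entry, then bob (logged in as himself) loads
    the same URL. Returns (cache, body bob receives, cache status for bob)."""
    cache = SharedCache(mode)
    cache.fetch(Request("/journal/entry/1", "session=alice"))
    resp, status = cache.fetch(Request("/journal/entry/1", "session=bob"))
    return cache, resp.body, status


def leaked(mode):
    """True if bob was served the page rendered for alice."""
    _, body, _ = run_scenario(mode)
    return "for alice" in body


def private_pages_in_cache(cache):
    """Operator-side check: a cache keyed without user identity must never hold
    a response the origin marked private. Returns the offending keys."""
    return [k for k, r in cache.store.items() if "private" in r.cache_control]


if __name__ == "__main__":
    for mode in ("url_only", "pass_sessions", "key_on_session"):
        cache, body, status = run_scenario(mode)
        print(f"{mode:15} {status:4} leaked={leaked(mode)} -> {body}")
```

In Varnish terms, the "pass_sessions" policy is what a `return (pass);` in `sub vcl_recv` for requests carrying the session cookie achieves (a general VCL idiom, not a statement about LJ's configuration); the check in `private_pages_in_cache` is the kind of audit that would have flagged the misconfiguration before anyone was shown a stranger's locked entries.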


E.T.A. 2 - Pointed out by [personal profile] eruthros in comments:
I did the math on the first reports, and they were all just after midnight UTC - about 12:20 am 10/26 UTC (or 5:20 PDT or 8:20 EDT on 10/25 for folks in the USA). So that's the first instance, but then you seem to have experienced it about 15 hours after that, which kind of ... doesn't sound like a three minute problem to me.

Given that, the three minute window story in the official LJ release... makes no sense, unless they are referring to there being a three minute window after each user's login, as in if someone else logs in within three minutes of you, they could be redirected to your journal. (Or at least that's the only feasible explanation I can think of.) So their explanation is either poorly worded... or not accurate.

E.T.A. 3 - And the official post has a comment saying this is a continuing problem. And another that says that actual action (as in posting as someone else) was taken while the log-in switch was happening. (The wording seems a little contradictory in comments, but might just be an issue with stating something oddly.)

E.T.A. 4 (Friday, the 28th, 6:53 am, eastern time) - As of this morning, LJ released an update to the much-more-widely-read news comm. The security incident was mentioned very briefly in the first paragraph, and was downplayed pretty strongly. The only mention read:
Happy Halloween and welcome to the official newsletter for all things LiveJournal! Bringing you information about system updates, community events, LJ social outreach, and other newsworthy nuggets from the world of LiveJournal. A quick note before we jump in: we've posted an update at lj_maintenance outlining a service issue that sprung up a couple days ago and was quickly resolved.

Comments immediately came up objecting to the downplaying, and they were directed to the maintenance post. I'm having trouble getting LJ to load at all, so parsing through comments to see if there has been an official response to the "not actually three minutes" issue, or the "actually, people were posting as the accidentally logged-in journals" issue, is slow going. As far as I see, there has been no reply to either of those facts, but I might have missed it.

[personal profile] marahmarie commented with a take on the caching problem, and thinks that the ability to use the cached cookies for actions such as posting was likely. (I have no technical knowledge, so I won't debate, but given the multiple reports of posting as someone else, I tend to believe their take on it.)

[personal profile] eruthros's E.T.A.s on their post also have some additional links to reports of people posting as the hijacked journals.

E.T.A. 5 (Friday, the 28th, 10:05 am, eastern time) - Spotted via [personal profile] rydra_wong, [personal profile] siljamus says in their post:
Be aware that the problem is still being reported by some users after this announcement. Someone who is very tech literate suggested this as a way of trying to keep your journal(s) safe for the time being:

Log out of LJ entirely, expire all sessions, and stay logged out until the problem is no longer being reported.

This should protect you from having your logged-in account cached for someone else to see.


E.T.A. 6 (Friday, the 28th, 1:55 pm, eastern time) - I had a reply from LJ support concerning the ticket I placed. (I got the email at 11:34, but forgot to update with the response until now.) It gives no real new information, just directing to the maintenance post. Quoting the response in full:
Dear user sullensiren,

Thank you for your inquiry. A post has been made in the lj_maintenance community that discusses the issues that occurred yesterday [http://lj-maintenance.livejournal.com/131843.html]. I apologize for the confusion this problem caused you and other users, and please know that the issue was resolved very quickly once it was identified.

Regards,
LiveJournal Community Care Team

I continue to think that it is not as resolved as they claim, or as harmless as they seem to believe.

E.T.A. 7 (Saturday, the 29th, 6:55 am, eastern time) - Reports of the problem seem to have tapered off, as I haven't seen any new accounts in the comments of the maintenance/news posts, though I did see reports of still being randomly logged out. busaikko commented on the maintenance post to give support's reply to their request for a copy of their cache to see who has accessed their journal. The reply they quoted was:
Dear user busaikko,

Thank you for your inquiry. It is not possible to provide you with the information that you requested, as there is no record kept of what pages are shown to every user of the site -- such a record simply is not systematically possible on a site the size of LiveJournal.

As the problem occurred for only a very short period of time, it is likely that most users had no pages of theirs shown to another person -- the problem was resolved within a matter of minutes. Cached pages are also static; even if another person saw a page of your journal, they did not actually have access to your account. They were not actually logged in as you, and did not actually have control of the account. They could not have made any changes to the page they were on, nor could they have chosen to view any other page or settings of your journal.

I am sorry for the frustration and worry that this situation caused you and other users, and I apologize that the announcement regarding the problem was so delayed -- I definitely agree that information about the problem should have been made available sooner. While I hope that you will continue to keep using LiveJournal to keep in touch with friends and family, I certainly understand that this incident may prevent you from being able to do so.

Regards,
LiveJournal Community Care Team


There were no direct links to the person affected, so I'm not linking, but there was discussion in comments of people who had friends who got dumped into others' inboxes, where they could read private PM exchanges that contained phone numbers, so while that might be an isolated incident, the LJ line about it not being a real security problem seems even more false.

E.T.A. 7 (Saturday, the 29th, 1:34 am, eastern time) - (F.Y.I., I put the times on for when I edited the ETA's in, not necessarily when the bugs were reported, just so it's obvious when this post was last updated.)

Via [personal profile] boundbooks in comments, [personal profile] majoline reported a new version of the bug that didn't dump them into a random journal, but instead took them to the edit page of the fic link/journal page they had clicked on to read. From their post:
they're still messing up - I right clicked on a story rec link to open it into a new tab, and instead it took me to that particular journal entry's edit page. >:(

Reported to lj, but still... thought everyone would appreciate the heads up.


As far as I've seen, that version of the bug is entirely new, and actually quite a bit worse, since it means any popular post that's getting a lot of hits (popular fics, meta, round ups, etc) would be more likely to be hit, and if they can actually be edited (which LJ did say wasn't possible, but people seemed able to comment, so I'm not really believing that, still), then people could find their entries altered. (Though that is supposition and not any actual facts from me, so grain of salt. I'm not tech-savvy.) So far that's the only report of that type that I've seen, but if anyone spots more, links would be welcome.

E.T.A. 8 (Saturday, the 29th, 5:17 am, eastern time) - [personal profile] majoline dropped by in comments to say that the edit buttons were grayed out when they ended up there. [personal profile] boundbooks also has a follow-up post with a few added links and information.

E.T.A. 9 (Saturday, the 30th, 7:43 am, eastern time) - [personal profile] briar_pipe dropped a comment pointing to a more recent comment from margi_lynn where they say the edit problem is still happening.

E.T.A. 10 (Saturday, the 30th, 5:40 pm, eastern time) - From a comment, there may be two separate bugs: one is an existing bug that doesn't expose locked entries, it just directs to an unusable edit page for public entries, and the other is the one we've been seeing for the past couple of days. (They explain it better in comments, and in their roundup post as well.)

And there does seem to be a more recent report of the original bug as well, which did have a screencap but the auto-spam bot caught it as suspicious, for the moment.

This entry was originally posted at dreamwidth, and has comment count unavailable comments.


C&H:  Calvin "Stupid World"
lorax

Uhhhhh

Okay, I have NO idea what's going on with LJ, and I don't see anything on my flists about this yet, but apparently something happened with the last LJ release, and there's a security issue about randomly logging people into other people's journals? Which I know, because I just clicked over there and was in someone else's journal, including seeing their LOCKED entries. (I did not read, I clicked right the hell out when I realized something was up.)

What the hell? Anyone else seeing anything other than a few buried things in the release entry comments?



Dexter:  Dexter "Friendly Serial Killer"
lorax

Kings!

I saw via svmadelyn that the DVD set of Kings is on sale for $8 on amazon! If I can scrounge it up, I'm going to grab a set so I have an official one. For those who haven't watched, this is an excellent, 13 episode series. It's a modern take on the story of biblical David, with Ian McShane as King Silas, Chris Egan as David, and Sebastian Stan as Prince Jack. There is Ian McShane being AWESOME, David being adorably, sincerely likable, Jack being the scorned, closeted heir, and a lot of great performances, awesome writing, and beautiful scenery and direction. It's a short show, but well worth a watch, and everyone should watch it before Yuletide this year so we can have LOTS OF FIC. Go forth! Watch!

I have Halloween candy! Which, since we don't get trick or treaters, is FOR ME, and I'm not even guilty. Because CANDY. *bounces*



Sandman:  "D is for Lots of Things"
lorax

This is Halloween, everybody scream!

I just realized that next year, we'll be in a place where we might actually get trick or treaters! We haven't had them the whole time we lived here. Maybe we'll actually do the whole carving a jack o' lantern and all too.

But for this year, I'm just going to do my yearly kicking everyone out and watching scary movies. Give me recs? Please! My rules are:
1. No Saw-style torture porn.
2. No really old classic horror flicks, because I'm uncultured and get bored by them. I'm uncultured, I know.
3. Preferably not any straight-up zombie flicks. (I liked 28 Days Later and don't mind zombie flicks like that, though.)
4. I'll watch most genres, but prefer psychological horror over monster movies or slasher types!

On my list so far is Paranormal Activity, Case 39, and the Descent. (Last year I did Quarantine, the Crazies, 28 Days Later, and I forget what else.) I tend to miss a lot of movies, so if there's something from a few years ago, feel free to rec away!



YR:  Buck & Ike
lorax

Captain!

I managed to actually DL and watch Captain America. So I have now finally seen all the Avengers lead ups! And can now go browse fic. Heh. But as for Cap, cut for spoilers.

Now I can read all the Marvelverse crossovers everyone has been doing! (I might already be shipping Steve/Bucky and Tony/Steve to go along with my existing ships.) I WILL READ ALL THE THINGS. Or some of the things. A sampling of the things. I need some Avengersy icons.

I am watching Merlin now. My heart still ships the hell out of this show.



SPN:  Dean "Winchester"
lorax

YAY!

My laptop is home! Duma, I missed you so much! He is home, and with $1400 worth of repairs that I DID NOT HAVE TO PAY FOR. Extended warranty, you have made yourself completely worthwhile. But he's got a new touchpad, a new battery, and new keyboard. And I think a new processor, possibly. But he's running perfectly and now I can catch up on things I haven't watched due to being ensconced in my room with no TV.

So far, I've caught up on Glee, Fringe, Vampire Diaries, Gossip Girl, Terra Nova, and watched Thor. Cut for some rambling about Thor.

And now ramblies for TV stuff I mentioned.

And there are my way-late-as-usual reactions. Have a meme!

Ganked from pretty much everyone on my CDj flist.
List fifteen (damn it was hard to narrow it down to 15) of your favourite TV shows/Movies/Books/etc and post them here for everyone to guess your favorite character from each. Strike the show out when someone guesses correctly, and put the answer and who guessed it.


1. Avatar: The Last Airbender
2. Battlestar Galactica - Guessed by [personal profile] banesidhe (Starbuck)
3. Buffy the Vampire Slayer - Guessed by [personal profile] banesidhe (Faith)
4. Community
5. Doctor Who - Guessed by [personal profile] banesidhe (Donna)
6. Dragon Age
7. Friday Night Lights
8. Game of Thrones (TV) - Half-Guessed by dreamt (Tyrion, though I had two in mind)
9. Harry Potter
10. The Hunger Games - Guessed by livelovehump (Finnick)
11. Leverage - Guessed by [personal profile] banesidhe (Hardison)
12. Sandman
13. Teen Wolf
14. The Vampire Diaries - Guessed by dreamt (Caroline)
15. West Wing - Guessed by [personal profile] banesidhe (CJ)



Buffy/Angel:  Giles "Profoundly Stupid"
lorax

Dorkage

My lappy continues to be somewhere where I am not, which is saddening. But it's marked as "parts ordered" now, so it is being fixed! I am hopeful that it will be returned to me next week, and then I will tell it how much I loved it and missed it. Which will be true, but also probably somewhat creepy to watch.

Because I am laptop-less and can't go without a computer for long, I've hardly watched anything on TV lately. I am behind on everything that is currently airing. I did go out tonight to watch the first half of the two hour premiere of Terra Nova with the family though. (We can only consume things in one hour blocks on weeknights since mom gets up ungodly early to commute, hence only seeing half.) The following conversations took place. Spoilers in a very vague sense for Terra Nova.

Unrelated to dinosaurs, but R.I.P., Steve Jobs. Whether or not you love Apple and Apple products, I don't think anyone can deny the man helped change the world, and will be missed.



XM:  Brotherhood "Punch & Pie"
lorax

XMFC Fic

I did a pinch hit for the XMM Ficathon, and that is now live, so here it is. Also on the AO3! Hello Marvelverse, I've missed you.

Title: Soon to Become
Author: Lorax/SullenSiren (voicessayhello(at)gmail(dot)com)
Fandom: X-Men: First Class (Vague mentions of Marvelverse comics canon and later movie canon.)
Characters: Charles Xavier, Erik Lensherr, Raven Darkholme, Alex Summers, Hank McCoy
Pairing: Charles/Erik, mentions of Erik/Magda and Mystique/Azazel
Summary: "No matter where you go, or what you see, you'll always be looking out at it through these windows." An AU version of events from the end of First Class, seen through Charles' perspective.
Spoilers: Through the end of X-Men: First Class, with a few mentions of characters and events appearing later in the X-Men series.
Word Count: 9700
Rating: PG
Warnings: None major.
Disclaimer: I own nothing. Marvelverse belongs to Marvel, and the movieverse belongs to Fox, I claim nothing as my own!
Feedback: Always welcome, and makes my day.
Author's Notes: Written for the XMM Ficathon, for billystarpip, who asked for a fix it from the beach scene. Hopefully this works for you! The timeline is decidedly iffy, but I handwaved some things to try to make it work. Title from the Wordsworth sonnet, Dissenssions. Thank you to [personal profile] kaydeefalls for a super speedy beta.

Fake Link or On the AO3


In decidedly not-fic news, we apparently have mice, somewhere. I know this because while I was working on said fic, Sam (the black and white one) was going nuts playing with what I THOUGHT was his felt mouse, and was actually an ACTUAL mouse, and he flung it in the air where it landed on my mouse pad. I was bemused at the appropriate placement.



SPN:  Sam "For Fuck's Sake"
lorax

(no subject)

So after much fucking around with things, I had pretty much settled on diigo, and then read this and even though the vast majority of my bookmarks are private anyway (I use it more as a PERSONAL bookmark archive, not as a social one), I decided to hell with that, and ponied up the cash for pinboard. So I'm at lorax, for the interested, and am working on getting stuff organized and figuring out how things work. I like having an add-on for delicious, so I'll miss that, but the site seems smooth and speedy, which is nice.

If Avos/Delicious have given any response to the criticism, I have yet to see it, which I think is probably a bad sign. (There was a pretty broad and definite DO NOT WANT response, and it happened on a weekday, not a weekend like some past fandom kerfuffles, which explained the time it took to be addressed at all, at least in part. So I think there should have been some very public response of SOME kind by now.) All I've seen so far is a laughably back-patty post about how they've had so much feedback! And people were making stacks! I BET they've had feedback, man.

There's some things I can't figure out how to do on pinboard yet. (Like delete an entire tag all at once, since delicious randomly added some has: tags to a bunch of stuff.) But so far I think I'm pretty happy with it. And the siteowner is fandom friendly - actively trying to entice fic writers over and looking at suggestions fandomers are making, specifically. (There's a post here with a googledoc linked with suggestions, for the interested. Also the migration googledoc, which I am too afraid of messing up to edit. And the most comprehensive link round up I've seen so far is here, from [personal profile] somnolentblue.) I don't really mind the one time fee, but I hesitated initially because it was a BLIND fee, as in no free trial first. But it seems well worth it to me, so far.

I'll keep reading around and watching for developments, but I think even if Delicious rights itself, I'll stick at pinboard and possibly just back up to Delicious.

Completely unrelated to the delicious shenanigans, but is anyone up for a Beta read on an X-Men: First Class fic? Charles/Erik, non-explicit.



Misc:  Puffy Kitten "Hate Everything"
lorax

I am FULL OF FEELINGS

Most of them are very, very angry.

WTF, Delicious! I knew with a new company there would probably be some changes I grumble about, but it's COMPLETELY unusable, with all the actual attractive features of the site gone. Not to mention any tag with an underscore (_) or slash (/) does not work at all.

I imported all my stuff to Diigo, but they imported in some arcanely bizarre order so nothing is findable. I'm poking at pinboard to see if it's any better but I'd just really like them to fucking fix what they broke. (Is Pinboard pay-only, or am I missing the link for the free sign up, somewhere?) Arrgh. I could just go back to using google bookmarks, but I really didn't like it that much.

Kink Meme maintainers/tag maintainers must be WEEPING right about now.

(Also it's a minimum two weeks before I get my laptop back, and I MISS IT.)


