jlh: Chibi of me in an apron with a cocktail glass and shaker. (Shut up and deal)
[personal profile] jlh


If LJ is going to be so full of traps that we can't even click on a link in a friend's entry, seriously, where are we? This is ridiculous.

I'm hoping that I caught the entry in time to keep anyone else from clicking on that previous entry; it's gone now.

Also, for those of you who were talking to me last night, do you know what flung my page out of alignment? That's right, the Russian meme. Apparently the names won't wrap on Safari. But hey, at least I can go back to futzing on my new component style.

Date: 2004-06-12 09:55 am (UTC)
From: [identity profile] fiatincantatum.livejournal.com
er... is LiveJournal to blame for these?

Date: 2004-06-12 09:57 am (UTC)
From: [identity profile] ladylisse.livejournal.com
Well, it is their big honking security hole being exploited.

Maybe we could blame everybody?

Date: 2004-06-12 09:59 am (UTC)
From: [identity profile] fiatincantatum.livejournal.com
it's not really a security hole. If everyone who clicked that meme had been logged out, the code couldn't have posted to their LJ, because there wouldn't have been any access.

Calling being able to post via the web a "security hole" is a bit silly, don't you think? You would complain like mad if you couldn't post without entering your password every single time.

Date: 2004-06-12 10:00 am (UTC)
From: [identity profile] jlh.livejournal.com
Does that mean that everyone should approach LJ logged out? Because that would make it equally unusable.

Anyway, I meant it colloquially in the sense of, this is happening on my LJ. I would also use the phrase if my flist had erupted in some sort of ridiculousness. Just because I say I'm unamused at my LJ doesn't mean I am unamused at the people at livejournal.com, but that I'm unamused at what happens when I go there.

Date: 2004-06-12 10:02 am (UTC)
From: [identity profile] fiatincantatum.livejournal.com
No. I'm saying there isn't a security breach because the person accessing your journal to post the sausage thing was YOU because YOU were logged in and clicked the link.

Date: 2004-06-12 10:04 am (UTC)
From: [identity profile] jlh.livejournal.com
Then I go back to my original statement:

Either, we can't be logged into LJ, because people can grab our passwords and we'd have to reset our password and clear our cookies every day,

or

no one can put links in their lj anymore, because no one else is going to trust them not to be something that will post without their knowledge, forcing them to change their password and clear their cookies once again.

Date: 2004-06-12 10:06 am (UTC)
From: [identity profile] fiatincantatum.livejournal.com
for the last bloody unprintable time.

NOBODY GRABBED YOUR PASSWORD!!!

YOU posted that sausage link. Nobody else did. It's the same as using something like Semagic to update your journal.

See? Nobody had access to your password except for you when that thing posted.

it's NOT a security hole. You have access to your journal. You posted. Nobody else posted. YOU POSTED.

I wish I could make this make sense... I'm tempted to just sit back and laugh at everyone.

Date: 2004-06-12 10:15 am (UTC)
From: [identity profile] jlh.livejournal.com
Actually, you didn't say that before, you just kept saying that "I posted" which yeah, I know that I posted. So you don't need to be snarky about it.

I'm sorry, Anna, that LJ is full of people who don't have a CS degree, and have to rely on other people to say, "Look out for this thing, we're not sure how it works but clear your cookies and change your password just to be safe." That was the advice I got yesterday and this morning, and that's what I did. If you're saying that this advice was overkill, then honestly, this is the first I'm hearing of that opinion. Seriously.

What might be helpful, rather than snapping at me here or sitting back and laughing at everyone, is to actually make a post and explain this to the unwashed masses, and then people can link to the knowledge and maybe stop running around like crazy people. Because I can only work with the knowledge that I have on hand, and while I do know a great deal about mid-20th century American History and Literature, and the media industry, I don't know a lot about LJ code. And when people post silly half-baked things about the media industry, I do actually try to make posts to set them straight, because of course they don't know what I know, as they are not in the industry. I think it's just a way of paying it forward.

So, thank you for your insight, and if you could tell others, I think that would be great as well, and I would totally link to it. Thanks.

Date: 2004-06-12 09:58 am (UTC)
From: [identity profile] jlh.livejournal.com
When I say "Unamused, LJ" I don't mean, like, livejournal.com but rather that all this shit is popping up on LJ. That said, they are certainly taking excellent advantage of an upsetting hole in LJ security. And the point is more that, email is becoming unusable due to spam and viruses and worms, and it will be really irritating to have a period of time where LJ isn't all that usable, either, or at least, no one can use the "a href" code.

Date: 2004-06-12 10:01 am (UTC)
From: [identity profile] fiatincantatum.livejournal.com
except that it isn't a hole. It never WAS a hole. The reason the meme had access to your journal is because YOU have access to your journal. If you hadn't been logged in, there would have been no way the code could have posted, because YOU couldn't have posted.

I think everyone's being hysterical about this. Yeah, it wasn't a good idea to click, but the fact that it could access your journal isn't a security issue because it was YOU accessing your journal, using the code you'd just clicked.

Date: 2004-06-12 10:04 am (UTC)
From: [identity profile] 1anonymous1.livejournal.com
I still have no clue what it really is. Half of the flist thinks it's fine and is trying to spread it and the other half thinks it's a bad thing.

But if it's fucking with your computer so much and all the tech people say it could be really bad then I guess that's what I'll go with.

Date: 2004-06-12 10:47 am (UTC)
From: [identity profile] legomymalfoy.livejournal.com
Well, I asked LJ dev types in #lj_support since I'm curious like that ;)

Mostly it's a javascript form that uses your cookies to redirect to update.bml and update your journal. More recent versions of the Russian meme explain that typing your name into the box will add you to the 'sausage link'. Annoying as fuck? Yes. But not exactly dangerous. It doesn't gather your PW, but you can change it if you feel a little safer :D

That and this :

Right. So the solution is... we tell people not to click random links?
yes!
Brilliant!
and especially not links that ask you for personally identifying information (such as username)
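
Added example (not part of the original thread, and not LiveJournal's code): a minimal model of the behaviour described in the comment above, where an update handler that trusts the login cookie alone accepts a form submitted from another page, next to a version that also requires a per-session form token. The handler names, the `csrf_token` field and the sample requests are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed server state: session id -> { user, csrfToken }.
const sessions = new Map();

function login(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  const csrfToken = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, { user, csrfToken });
  return sid;
}

// Before: the session cookie alone authorises the post. The browser attaches
// that cookie to every request to the site, whichever page holds the form.
function updateCookieOnly(req) {
  const s = sessions.get(req.cookies.session);
  if (!s) return { status: 403, reason: 'not logged in' };
  return { status: 200, postedAs: s.user };
}

// After: the form must also carry the per-session token that the site embeds
// in its own update page. A page on another origin cannot read that token.
function updateWithToken(req) {
  const s = sessions.get(req.cookies.session);
  if (!s) return { status: 403, reason: 'not logged in' };
  const sent = Buffer.from(String(req.body.csrf_token || ''));
  const want = Buffer.from(s.csrfToken);
  if (sent.length !== want.length || !crypto.timingSafeEqual(sent, want)) {
    return { status: 403, reason: 'missing or wrong form token' };
  }
  return { status: 200, postedAs: s.user };
}

// Constructed requests, as the server would see them.
function sampleRequests() {
  const sid = login('exampleuser');
  const token = sessions.get(sid).csrfToken;
  return {
    // Submitted from the site's own update page: cookie plus token.
    ownForm: { cookies: { session: sid }, body: { event: 'hi', csrf_token: token } },
    // Submitted by a form on some other page: cookie attached, no token.
    thirdParty: { cookies: { session: sid }, body: { event: 'meme text' } },
    // Same form, but the visitor is logged out: no cookie at all.
    loggedOut: { cookies: {}, body: { event: 'meme text' } },
  };
}
```

In this model the cookie-only handler cannot tell `ownForm` from `thirdParty`, which is the point argued in the thread: the post is made with the visitor's own login, and no password is read.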

Date: 2004-06-12 10:56 am (UTC)
From: [identity profile] jlh.livejournal.com
Well, now I feel like just taking this entry down, because clearly I was following the advice that was being given yesterday afternoon, and this morning, rather than the absolutely up to the second advice that you are giving me, and expressing annoyance at having to change my password.

And when people say these things--and I don't mean you, but the way what is above is worded--it always sounds like, "but of course you should have already known that."

When there have been memes around LJ for years that have you put in your username and you get your stalker or something like that, and how many people on your flist post things like "What the shit is THIS?" I feel fairly okay knowing that I clicked on something in Simon's journal as Simon, trustworthy. But it's like, "Oh, let the weirdo meme kick you, and make you feel like a moron, and then yes, let tech support make you feel like an even bigger moron for listening to them this morning when they told you something else."

Date: 2004-06-12 11:07 am (UTC)
From: [identity profile] legomymalfoy.livejournal.com
*nod*

There's been a lot of confusion too, especially for people like me who *need* the correct information to tell users. There is discussion of this going on in [livejournal.com profile] lj_dev but I don't know how much help it will really be. And I wasn't aware that you asked support already, and please understand that I wasn't trying to make you feel like a moron (the names in brackets didn't come through when I posted my comment, due to the way LJ thinks everything is html, but the snippet of conversation from above was between a volunteer and a developer).

I personally freaked out when I got tricked into that stupid Russian meme yesterday, which caused me to ask the appropriate people.

Date: 2004-06-12 11:13 am (UTC)
From: [identity profile] jlh.livejournal.com
It's annoying that the names didn't come through, because it doesn't sound like a conversation, it sounds like one person being obnoxious. Stupid memes!

But I probably wouldn't have been as peckish if Anna hadn't already snarked at me, above, and said that she wanted to sit back and laugh at everyone, which is so not with the helpful.

But I'm not wrong--yesterday in lj_dev they were saying to change your PW and clear your cookies, weren't they? I'm just glad that in Safari it's really easy to tell what cookies are from where, but changing my PW twice in 24 hours is really annoying. It would be good if as many people who said to do the former yesterday could tell us to do the latter today--is there something I could link to?

Date: 2004-06-12 01:48 pm (UTC)
From: [identity profile] eibbil-libbie.livejournal.com
I got caught, too. Grrr.
