Security, privacy & accessibility

The latest DDOS of LiveJournal has once again brought out cries of “Fix the security of the site!!!” I’ve made this analogy a few times, in a few different ways, and I think I finally have it nailed down.

Imagine LJ as a whole is an apartment building. Each person has an apartment (your journal) and the building has common areas like lobbies, meeting rooms and the gym (communities) and infrastructure like elevators, central heating, and plumbing (FAQs, the login system, various directories, etc.).

Now, this isn’t a perfect analogy because you do want your friends to be able to access your journal to see friends-only posts, and you want people, even anonymous people, to be able to read your public posts, but it’s good enough.

So a security breach would be like the superintendent leaving the front door to your apartment unlocked, or even worse, wide open. Anyone would be able to walk in, rifle through your stuff, take things, and even trash the place. In terms of LJ, this would be something like password failures, or someone breaking into the server directly instead of through the website.

A privacy breach would be like if the superintendent left your bedroom curtains open while he was fixing something. Anyone in the right place could look into your apartment, but they can’t steal or damage anything. In LJ terms this would be like the privacy failure of October 2011, where LJ briefly showed cached pages to people who shouldn’t have seen them.

A DDOS would be like if someone changed all the street signs in the city to direct every tourist to your building. They can’t get into the building because the doorman is keeping them out, but unfortunately you can’t get into the building either because the huge crowds are keeping you away from the door as well.

If This Then That

I discovered If This Then That a few days ago and I’m really impressed by the concept. The basic idea is that the ifttt service has channels that it can monitor and broadcast on. You select a trigger (the this) and an action (the that) and the system checks every fifteen minutes to see if it should take action. A good example of how this works is “If (temperature drops under 55 degrees) then (send me an e-mail)” or “If (I upload a photo to Flickr) then (send a tweet linking to the picture)”.

Unfortunately they don’t have an LJ channel yet (I asked, and they said they’re looking into it), so I’ve been trying to hack something together using RSS feeds and e-mail posting. The way the e-mail channel works on ifttt is that you register, they send a PIN to that e-mail and then you type in the PIN to verify that you control that address. So you’d expect that all I would have to do is verify the post-by-e-mail address and I’d be golden. But no.
I can get it to post to my journal, and I can get it to post to my test journal, but I can’t get it to post to the community I want it to post to. I’ve tried a few things, and I think that the posting address for that last community is too long for ifttt to handle (fiddlingfrog+PIN@post.livejournal.com vs. fiddlingfrog.hjhtesting+PIN@post.livejournal.com vs. fiddlingfrog.ruljautonews+PIN@post.livejournal.com). According to the e-mail gateway log, whenever I try to verify that last address nothing even shows up.

On another note, I’ve been thinking about what ifttt would need to do in order to create an LJ channel. To use LJ as an action channel (the that) all they would need is a username and PIN. Since post by e-mail is governed by authorized sender addresses, no password will be required.

To activate the LJ channel, a user of ifttt would give them his LJ username and PIN. Ifttt would then post an activation code to the user’s journal, and he would input it on the ifttt website to prove that he does control the journal. That’s it, the channel is activated and he’s done.
When creating an action the user could then specify the community to post to, tags, userpic, mood, music, and even disable comments if they wished.
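The activation flow proposed above, as an added Python example that is not ifttt’s or LiveJournal’s code. The post-by-e-mail address format is the one from the post; `send_email`, the `LJChannel` class and the 15-minute code expiry are assumptions.

```python
import hmac
import secrets

# Added example, not ifttt's or LJ's code. The user hands over an LJ username
# and post-by-e-mail PIN, the service posts a random activation code to the
# journal, and the user types it back to prove control of the journal.
# Because no password is involved, the PIN is the only credential here and
# must be stored and handled like one (never logged, never echoed back).

CODE_TTL_SECONDS = 15 * 60  # assumption: a code is only valid for 15 minutes

def post_address(username, pin, community=None):
    """Build the LJ post-by-e-mail address for a journal or a community."""
    target = username if community is None else f"{username}.{community}"
    return f"{target}+{pin}@post.livejournal.com"

def send_email(to_addr, subject, body):
    """Hypothetical mail hook; a real channel would hand this to an MTA."""
    return {"to": to_addr, "subject": subject, "body": body}

class LJChannel:
    def __init__(self):
        self._pending = {}  # username -> (activation code, issue time)

    def start_activation(self, username, pin, now):
        # 64 random bits: too large to guess within the TTL.
        code = secrets.token_hex(8)
        self._pending[username] = (code, now)
        return send_email(post_address(username, pin), "ifttt activation",
                          f"Your ifttt activation code is {code}")

    def finish_activation(self, username, submitted, now):
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self._pending[username]  # stale code: user must restart
            return False
        # Constant-time compare so timing leaks nothing about the code.
        if not hmac.compare_digest(code, submitted.strip()):
            return False
        del self._pending[username]  # one-time use
        return True
```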

I made a userhead (mostly)

Oh this is cool. I became aware a couple weeks ago of the new community and finally decided to enter (apparently it’s a contest, but I’m not sure because it seems mostly aimed at the Russian userbase) with the scuba diver head I made last year on a whim. (That image is hosted on new ScrapBook, so I fully expect it to break at some point in the near future.)
When I got home from Mercyhurst a bit ago I had two notifications waiting for me – 1) I won, and 2) I got my userhead as a gift. They altered the shirt back to standard LJ-head blue, but that’s alright. It’s a bit blurry too, but there’s already a patch to fix the width of the userheads.

Current Mood: pleased

Spam, spam, spam, spam

I’ve noticed a trend lately of spam accounts that have all started with xiaoqin, followed by a random assortment of letters. Running through all 1, 2, and 3 letter permutations led me to these valid accounts. There are too many 4 and 5 letter combinations to go searching, but I have seen them in the wild. I personally know that some of these suspended accounts were ones that I reported for spamming. Others haven’t posted anything or commented anywhere yet, but I presume they’ll be activated later.

Some observations:
* Most of the early ones had a listed location of Beijing, but further down the list they’re mostly listed as being in Flushing, NY.
* These accounts all list the same four auto-added communities. and are where I’ve seen the majority of comment spam by them. A few of them have added themselves as friends.
* When they’re spamming comments they’re typically advertising www.fullmalls.com
* They’ve all been created in the last four months or so.
* I’ve also collected a gallery of the userpics used by these accounts – I think the spammers found some pictures from some innocent person on the internet and have appropriated her pictures to make their spambots seem more human.
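The observations above turned into a scoring heuristic, as an added Python example that is not LJ’s code. It runs over constructed account records; the field names, the community placeholders, the weights and the threshold are assumptions, while the indicators (the xiaoqin prefix, the two locations, the advertised domain, the creation window) are the ones listed in the post.

```python
import re
from datetime import date

# Added example, not LJ's code: score accounts against the cluster traits
# observed above so that new members of the same spam ring can be reviewed.
NAME_PATTERN = re.compile(r"^xiaoqin[a-z]{1,5}$")
CLUSTER_LOCATIONS = {"beijing", "flushing, ny"}
SPAM_DOMAIN = "fullmalls.com"
# Placeholder names for the four auto-added communities (not on the page).
CLUSTER_COMMUNITIES = {"comm_a", "comm_b", "comm_c", "comm_d"}
TODAY = date(2011, 12, 1)  # constructed reference date for the sample data

def score_account(acct, today):
    """Return (score, reasons): one point per matching cluster trait."""
    reasons = []
    if NAME_PATTERN.match(acct["username"]):
        reasons.append("name is xiaoqin + random letters")
    if acct.get("location", "").lower() in CLUSTER_LOCATIONS:
        reasons.append("location shared with the cluster")
    if set(acct.get("communities", [])) >= CLUSTER_COMMUNITIES:
        reasons.append("same four auto-added communities")
    if any(SPAM_DOMAIN in c for c in acct.get("comments", [])):
        reasons.append("comments advertise " + SPAM_DOMAIN)
    if (today - acct["created"]).days <= 120:
        reasons.append("created within the last ~4 months")
    return len(reasons), reasons

def flag_spambots(accounts, today, threshold=3):
    """Usernames scoring at or above the threshold, in input order."""
    return [a["username"] for a in accounts
            if score_account(a, today)[0] >= threshold]

# Constructed sample records, not real accounts.
SAMPLE = [
    {"username": "xiaoqinab", "location": "Beijing", "created": date(2011, 10, 1),
     "communities": ["comm_a", "comm_b", "comm_c", "comm_d"],
     "comments": ["cheap bags at www.fullmalls.com"]},
    {"username": "xiaoqinzzz", "location": "Flushing, NY", "created": date(2011, 11, 20),
     "communities": ["comm_a", "comm_b", "comm_c", "comm_d"], "comments": []},
    {"username": "regular_user", "location": "Elsewhere", "created": date(2003, 5, 1),
     "communities": ["comm_a"], "comments": ["nice layout"]},
]
```

An account that has not posted yet (like the second sample) still scores on name, location, communities and age, which matches the observation that dormant accounts in the ring look the same before they are activated.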


Howto: Impede logged-out users from reading your journal

Work in progress

Warning: This technique is not a guarantee. While it will prevent your journal from being read directly by logged-out users, they can still read your public entries on the friends pages of your friends, or by adding ?format=light to the end of the entry URL they were sent to. This technique is only a roadblock, not an actual stop. Do not rely on it to protect sensitive information.

This technique will display what looks like an LJ error page to anyone who visits your journal and is not logged in at LJ (log out and visit this entry again via this link). It gives the impression that there is a technical fault and they should try again later, but nothing will change until they log in.

Briefly:
1) Identify current layout and theme.
2) Create new theme layer.
3) Copy the contents of your current theme into the new theme layer.
4) Copy the code from the Page::print function in your current layout.
5) Paste the Page::print code from your current layout into the new code below, and then paste the entire thing into your new theme layer.
6) Edit your current style to use the new theme layer you just created.

Full instructions under the cut

How to eliminate “Share” on your journal

Work in progress.

This technique only applies if you have a paid/permanent account.

With LJ’s recent re-introduction of the Share function many people are again concerned with the un-attributed spreading of their own content. You can remove the link, but it requires working with S2; you can’t remove it with CSS. Instructions for un-themed standard layouts (Smooth Sailing, Refried Paper, etc.; basically, any style where you accomplished everything through CSS instead of S2 coding) will be at the end of this entry, with specific code replacements in the comments. If you’re already using a custom layout or theme please read on.

You need to be comfortable editing either your layout or your theme layer. If you’re not yet comfortable with that, please check out the tutorials available at , particularly Creating and Using a Theme Layer and Renaming edit and memories links.

Back already? Okay, here we go.

FaceJournal

Heh. To practice CSS and learn more about S2 I set myself a challenge: make an LJ layout that looks like Facebook. I did this in just under a week’s time and 85% was written from scratch.

Name: FaceJournal
In use: At my journal
Code: Public
To use: You need a paid account. Go to Your Styles and scroll to the bottom. Under Create Style choose a name, any name, and click create. On the next page choose your language (whatever you pick won’t make a difference) and choose other under the Layout dropdown. In the LayerID box that pops up put 27035570. You’ve now created a style using this custom layout as its base layer, so go back to the Style page, find your new style in the list, and select Use.
Features:

  • Logged in top navigation bar has a search bar
  • Logged-out top navigation bar includes links to log in
  • Calendar view includes links to all years of the calendar
  • Includes security icon on entry linkbar
  • Comment on an entry by clicking “like”
  • Recognizes if an entry was posted today, in the past, or is future-dated
  • Perma-link by clicking on the date
  • Includes space for one vertical ad on the right. If no ads displayed entries will spread to nearly the full width.
  • Different background color for screened comments
  • Mimics the Facebook layout as much as possible while still including all of LJ’s features.
  • English only – there’s currently no internationalization and no options for choosing your own text.
  • All styling is done with CSS so it should be pretty simple to change colors if you want to.

Current Mood: accomplished