ex_sunshiny116: (Default)
Katrin ([personal profile] ex_sunshiny116) wrote in [community profile] lj_refugees 2010-10-05 11:12 pm

(no subject)

So now that LJ has removed the option of cross-posting from protected entries (see here), are you guys staying at DW? I am. This resolution came too little too late for me and I just feel uncomfortable there, in spite of this improvement. What do you guys think?
azurelunatic: Vivid pink Alaskan wild rose. (Default)

[personal profile] azurelunatic 2010-10-06 02:24 pm (UTC)(link)
My unease at having the feature present was relieved when sharing locked stuff was disabled for non-Cyrillic Services users.

My unease at having someone think that having officially validated links to locked content was a good idea in the first place remains, as does my unease that a news post could get posted without someone double-checking to make sure that the statement about accounts to be deleted for inactivity did not have content in them was actually correct, and my unease that code enforcing male/female only could make it as far as being checked in and getting posted to changelog.

All of these are slips that would be perfectly normal if they were internal only.

So someone proposes that people be able to link offsite to everything they post, ever. Great. But someone should have asked, "But what about locked stuff?"; it seems to me that since the checkbox was unchecked on locked stuff, that the question was asked, and the answer was "Only if they decide it's a good idea on that specific thing", rather than "If it's not their own entry, no way", just as Share This was never on locked entries.

Someone should have asked, "But wait, does this mean that if someone goes to Costa Rica for 27 months, that their whole journal will be gone? Are you sure this is what's intended?" before that news post went up. (This is not an arbitrary example: there is a long-time, much-beloved volunteer who went to Costa Rica with the Peace Corps, and is the Support Volunteers' default example for the case of seemingly-abandoned accounts which are actually not abandoned.) Only after there was the barrage of questions was there the sudden research and the clarification that no, it was only to be content-free accounts.

The developer who created the force-gender-selection code should have been clear before developing that it was intended to enforce that the user pick one of the three options (male, female, other/not-disclosed) rather than enforcing that the user pick one of two, male or female.

The fact that all of these things happened says to me that there are, at minimum, bad communication problems somewhere, with results that I'm very much not comfortable with. And then there was the crown jewel, the Lord King Bad security bug that arose from the unintentional intersection of two amazingly bad ideas.

Bad idea #1: this is an old one, and a thorn in my side from the first day I met it. To make things less painful for people using email clients instead of webmail, HTML email notifications (the "rich" ones, with the icons and the little reply window) allow you to reply to that comment as the user who was sent the notification, whether or not you are logged in. This does mean that if you forward a LiveJournal HTML notification to someone else, that someone else can reply to that comment as you. So, really guys, don't do that. (This is not an issue on Dreamwidth. Which does make life harder for people using email clients.)

Bad idea #2: I have no idea precisely why they did it, and I certainly hope that there is a very well-supported development reason that they did it, but they removed the "Log me in?" checkbox from the option to comment as a different account. The result of this was that after you commented, you were always and inevitably logged in as the account you had just commented with.

When Bad Idea #2 dawned on me, I had a sudden horrible thought, and rushed to test it. I found that I was correct. At that time, this meant that if you commented via the HTML email form, you were logged in as the account who had gotten the notification. Even if you were logged in as a different account before that. Which meant that if you were in possession of an HTML comment notification from someone else's account, you could gain access to that account. You wouldn't have the password, but you could be able to see everything they could see from within the account, just like having unrestricted access to a computer they were logged in on. (Which is how I lost a friend, once upon a time, as he abused his access to my computer in a hugely dramatastic way.) Naturally I reported this to Support directly, both through email and in person to one of the admins who is my friend. She was suitably appalled and tested. I was soon notified that it had been confirmed and was passed along to developers.

The security hole has since been fixed. Possession of an HTML comment email no longer means that your account is open wide to someone. It still scares the fuck out of me that this happened at all, and that if I had not checked for it and reported it, that it might have gone unnoticed until it was too late. This, more than any other thing that has happened at LJ, terrifies me.


I don't expect that everyone will share my horror, but it struck too close to home for me, and shattered my resolve that I would stay with LiveJournal forever no matter what. I still have friends who have no intent to leave, and at least for now I will maintain an account and keep following them, and I certainly hope that LiveJournal the company stays around a good long time, as they have all that rich history of cross-linked lovely content. But that security bug broke my heart.
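
Added example, not part of the comment above and not LiveJournal's code: a minimal Python model of the flaw the comment describes, where a reply token carried in an HTML notification email also established a login session, next to a handler that keeps the token scoped to one reply. The token format, function names, account names and the single-use check are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value, demo only


def issue_reply_token(user: str, comment_id: int) -> str:
    """Token embedded in the notification's reply form (assumed format)."""
    msg = f"reply:{user}:{comment_id}"
    sig = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}:{sig}"


def verify_reply_token(token: str) -> tuple[str, int]:
    """Return (user, comment_id) or raise ValueError on a bad token."""
    try:
        scope, user, comment_id, sig = token.split(":")
    except ValueError:
        raise ValueError("malformed token")
    msg = f"{scope}:{user}:{comment_id}"
    good = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    if scope != "reply" or not hmac.compare_digest(sig, good):
        raise ValueError("invalid token")
    return user, int(comment_id)


def reply_vulnerable(token: str, body: str, session: dict, posted: list) -> None:
    """Behaviour described in the comment: commenting always logs you in."""
    user, comment_id = verify_reply_token(token)
    posted.append((user, comment_id, body))
    session["user"] = user  # the email token escalates to a full session


def reply_hardened(token: str, body: str, session: dict, posted: list,
                   used: set) -> None:
    """Token authorises one reply and nothing else; session is untouched."""
    user, comment_id = verify_reply_token(token)
    if token in used:
        raise PermissionError("reply token already used")
    used.add(token)
    posted.append((user, comment_id, body))


def demo() -> tuple[str, str]:
    """The holder of a forwarded notification is logged in as 'mallory_demo'."""
    token = issue_reply_token("alice_demo", 42)
    s1, s2 = {"user": "mallory_demo"}, {"user": "mallory_demo"}
    reply_vulnerable(token, "hi", s1, [])
    reply_hardened(token, "hi", s2, [], set())
    return s1["user"], s2["user"]
```

In the vulnerable handler the session ends up belonging to the notification's recipient; in the hardened one the reply is still attributed to that account, but the session of whoever submitted the form does not change.
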
musyc: Silver flute resting diagonally across sheet music (Default)

[personal profile] musyc 2010-10-06 05:10 pm (UTC)(link)
At that time, this meant that if you commented via the HTML email form, you were logged in as the account who had gotten the notification.

... I actually FELT my heart speed up for a second there. Holyyyyy green winged fishies, that could have been severely disastrous. Glad they fixed it, but WOW.
azurelunatic: Vivid pink Alaskan wild rose. (Default)

[personal profile] azurelunatic 2010-10-06 09:13 pm (UTC)(link)
My response at that point in time was not particularly printable. I am glad they fixed it. I respect the work of the developers. But why did no one spot it before it hit the live site? It's flattering to think that I might just be enough of a twisty-minded genius, but it still got out there live.
musyc: Silver flute resting diagonally across sheet music (Default)

[personal profile] musyc 2010-10-06 09:42 pm (UTC)(link)
I can imagine so, and if it were printable, I suspect there would be copious use of the punctuation marks in all their variety. It is really frightening to think that anyone could have accessed any account, including LJ official accounts. How the hell did no one think of that before it got out?! *shakes head*
azurelunatic: Vivid pink Alaskan wild rose. (Default)

[personal profile] azurelunatic 2010-10-06 09:44 pm (UTC)(link)
The thing that makes it less scary is that (I hope, oh god I hope) people are not usually in the habit of forwarding their comment notifications, they seem to be in the habit of just linking. And if they do forward their comment notifications, they're plain-text (I hope), which does not have the same associated risks.
musyc: Silver flute resting diagonally across sheet music (Default)

[personal profile] musyc 2010-10-06 09:47 pm (UTC)(link)
I think this terrifies me most because I am in the habit of occasionally forwarding my notifs, since I'm paid over there. Rather than c&p a long comment in email, I'll sometimes just forward my own comment. I do use plain-text, but not *always*. Definitely an uncomfortable thing.
azurelunatic: "Offices are why big people get GRUMPY and say BAD WORDS" (bad words)

[personal profile] azurelunatic 2010-10-06 09:58 pm (UTC)(link)
Actually, while I was saying bad words to my friends, I was very very calm when saying them.
musyc: Silver flute resting diagonally across sheet music (Default)

[personal profile] musyc 2010-10-06 10:02 pm (UTC)(link)
LOL I used to tell my coworkers that. "If I'm swearing, I'm not that angry. YET. Icy-cold furious involves no profanities whatsoever."
azurelunatic: "Offices are why big people get GRUMPY and say BAD WORDS" (bad words)

[personal profile] azurelunatic 2010-10-06 10:27 pm (UTC)(link)
I know there are some points that involve icy-cold profanity, for me.
glitch: Patrick Stump (Default)

[personal profile] glitch 2010-10-06 08:42 pm (UTC)(link)
Oh, wow. That's.. terrifying. I'm glad you caught it and were able to get it elevated to the right people. I wish it didn't feel like things are just going up haphazardly lately.
sharpiefan: Text: '... and they cursed with violence in Berber and Gaelic' (Curses)

[personal profile] sharpiefan 2010-10-07 01:30 pm (UTC)(link)
Holy. Crow.

I get the email HTML notifications from LJ. Thank God I never forwarded one to anyone else - though I trust my friends (the ones that I would forward such a thing to!) not to do anything stupid.

That is amazingly scary. Thank God you saw it, reported it and it's been fixed. The consequences if it hadn't been just don't bear thinking about!
reddragdiva: (Default)

[personal profile] reddragdiva 2010-10-08 10:41 pm (UTC)(link)
Indeed. LJ is incompetent and employs stalkers.

I wonder what their next major security fail is going to be.