eruthros: Aang from Avatar:TLA facepalming (Avatar - facepalming aang)
I know a lot of y'all don't use lj, but in case you do, there seems to be a bug that caused (is causing?) a security/privacy breach: multiple people have reported that when they try to edit their own entries/profile/inbox, they are taken to another random user's edit entries/profile/inbox page, and can see all of that user's flocked and private entries. Basically, the system seems to think that they're logged in as another user. Here are some of the early bug reports from last night:

cocanuts reports the logged-in-as-another-user bug
itsaserket reports the logged-in-as-another-user bug
rachelmanija reports the same bug (and also reports that it stopped happening to her) (ETA: she expanded on what the bug looked like in comments here)
nix_this reports the same bug (with other details in nix_this's lj)
kazzisato reports the same bug

... but there are a ton of comments on the lj releases post now; those are just the first reports of the problem that I saw. LJ staff have not yet commented to my knowledge, so all that there is so far is a series of bug reports - nobody seems to know the extent or scale of the problem, whether it was a temporary glitch that has already been fixed or whether it's ongoing, or basically any other details. I haven't seen any bug reports from users who noticed unauthorized access of their journals - just from people who noticed being logged in as someone else.

There's also an overview post about this lj bug at unfunnybusiness. There don't seem to be any suggestions for fixes yet, but the lj release entry for their recent code release has 800+ comments and is growing, and I haven't looked at everything. I haven't seen any reports on why it's happening, but some folks are suggesting that it might be related to an (unannounced) change in handling cookies that has also affected plugins like LJ Login and dreamwidth's comment importing.

Unfortunately, while you can tell pretty easily if you have access to the wrong journal (click edit entries, see what happens, if something goes wrong log out and log back in), so far there's no way to tell if anyone else has access to yours. Will ETA if I learn more.

ETA1: I haven't seen any bug reports from people who experienced the bug after mid-morning today UTC (but I could have just missed them) - if you know of any, please let me know and I'll ETA again. Now I've seen some more recent reports, so it hasn't stopped happening. I have also seen people reporting that it's no longer happening to them, though - [personal profile] rachelmanija, linked above, and [personal profile] wendelah1 in comments here.

ETA2: [livejournal.com profile] fallacy_angel took a screencap of the journal they were temporarily logged into; see also their comment at lj releases.

ETA3: Strike ETA1; I think [journalfen.net profile] dapperdinosaur is reporting the bug shortly after it happened to them, which makes a bug report from about 4:00 am UTC on the 27th.

ETA4: [personal profile] lorax experienced the bug at about 3:15 pm UTC on the 26th, and wrote up a detailed report of what the bug looked like plus some notes about lj's response.

ETA5: In the comments here, [personal profile] silveraspen describes the response to their pm to a site staffer (at 2:46 pm UTC on the 27th) which suggested that info was going to go up at [livejournal.com profile] lj_maintenance soonish.

ETA6: There's a new lj maintenance post that describes the problem: they're saying that it didn't allow people to edit other users' pages, just view them, so it wasn't a security risk. (This is one of the times when I facepalm about lj's communication - site security vs security of people's info would maybe have been a good thing to mention there.) They also describe it as a bug that lasted for only three minutes - while it's true that most of the bug reports I saw were clustered around the same time period, I've also seen a couple more recent reports, so that seems ... unlikely.

ETA7: Make that a really recent one - here's [livejournal.com profile] snailbones's report of the problem happening after that lj maintenance post was made.

ETA8: This is the first instance I've seen of someone saying that they actually did something with the account they were logged into (I think - it's somewhat confusingly worded, so definitely grain of salt here), plus some discussion of how long the problem was happening: [livejournal.com profile] misstiajournal's comment at the lj maintenance post.

ETA9: [livejournal.com profile] moropus also reports that they accidentally commented as another user when they experienced the bug (note that the comment also has anti-Russian sentiment)

ETA10: [personal profile] siljamus talks about things to do to minimize the risk of this happening to your journal, which mostly involve logging out of all of your livejournal login sessions, and then not logging back in at all (which includes not crossposting from dw).

ETA11: I haven't seen a live report of the bug since [personal profile] snailbones's, linked above, at 9:38 pm UTC on the 27th. Anyone else seen anything? Yup, other people have seen something - see ETA14.

ETA12: LJ mentioned the problem in passing in their most recent lj news update; many of the comments are angry about the in-passing remark, wording, challenge the details, etc.

ETA13: [personal profile] rachelmanija describes what the bug looked like (what she could see, how long it lasted).

ETA14: strike ETA11; [personal profile] majoline reports seeing the bug (or a different bug?) at about 3:30 pm UTC on 10/29. This bug report is different, though - they were taken to the edit entries page of a journal entry they clicked on, not to a random journal. No word on whether they could do anything on that page. [personal profile] majoline commented to say that the buttons were grayed out and couldn't be clicked on.

ETA15: It turns out that anyone can see anyone else's edit-entry page for a public post by putting in their username and the number of the entry; it only works for public posts, and it grays out the boxes and nothing can be clicked on. So a misdirected link could send someone there, and so could I if I manually entered it, and etc. [personal profile] darkspirited1 and [personal profile] xenotaku have been figuring out the parameters of how this works in a comment thread. The existence of this weird UI is irritating, because it means that the cache error(?) bug and this thing might be described in the same way by a user. The important differences seem to be that in the cache error, someone appeared to be logged in as someone else, so the edit entry page would appear normally but with someone else's data (buttons appeared pushable, someone else's username and icon, etc), whereas this edit entry page looks weird and unusable (buttons and text greyed out, at the top it looks like you're trying to edit a post in a community: [yourusername] in community [otherjournalname]).

ETA16: I just saw another new bug report on lj maintenance of something weird that looks a bit like the original bug circa 4:53 pm UTC 10/29. Their comment with screencaps got marked suspicious, but since the comment was emailed to me I saw the screencap, and they said I could link it here: screencap of the post entries page as [livejournal.com profile] snowsoftsong. It looks like the post entries page as if someone else was viewing it - there was no "in community..." or anything and the entry page wasn't greyed out - except that the username was [livejournal.com profile] snowsoftsong, and the original poster of that post was alwaystheheart in a different comm. So: WEIRD.

(Almost) everything I've linked to in this post is a single user's bug report or description of their issues - I have no way of checking the veracity of anyone's comments.
eruthros: Toph, Aang, and Momo from Avatar: TLA hugging Sokka (Avatar - group hug!)
1. More Festivids recs!

Attention Please, Paprika. PRETTY. I don't know what's going on at all, but I think that's part of the point. And the editing is really great, and uses the music really beautifully, and the whole vid has this cool hallucinatory quality.

Illumination, Joseon X-Files. Wow, this is completely gorgeous and atmospheric and ...oddly creepy, maybe? I love the way the vidder used movement of light and shadow, and the music is a great choice. I have never seen this show but clearly I must!

Space Oddity, Community. This is a really sweet Abed/Troy vid about their shared geekery, awwww. Their love of spaceships brings them closer together!

They Want More, Jurassic Park. I can't believe I forgot to rec this the other day, because it made me laugh and laugh. Dinosaur pov ftw.

Truth Is in the Dirt, V (2009). Oh, Erika Evans, ILU! This vid draws some interesting parallels between Erika and Anna, and uses the song and the atmospheric footage to great effect.


2. In knitting-related news, if you're going to drop a stitch, should you do it a) while doing some nice 2x2 ribbing, b) while setting up your short rows, or c) immediately after knitting your two stacked short row stitches? Yeah, I picked option c, who the hell even knows where these loops go. *rips back like twenty rows*


3. I was really sick of accidentally clicking on links that people had written to include hxxp (which some people do to anonymize links) so I installed a greasemonkey script to change hxxp to http. Then I realized that I was not respecting people's desire for anonymity and not incidentally was breaking the rules of some communities and forums, so I edited the script to change the hxxps to working anonym.to links instead. If you'd like to do the same thing, instructions for making an anonym.to redirect )

And now I am clicking on those links with ease. *is so lazy*


4. I am excited to see the permanent style=mine and style=site options (described in the latest news post), but reading people's comments about both options always reminds me that neither option is perfect for me. I often turn custom comment pages on not because I like the style or worked hard on it or anything, but because I want the sidebar or header (tags and links and etc) to be available on entry pages; I usually prefer to read in the site style. And especially in communities, if the entry page is in the site style, there's no obvious place to click for the rules or tags, which often leads to a lot of questions that are a pain in the ass ("where can I find ..." "but do you ..." "if I want to sign up ..."), or posts that don't follow the posting templates or rules or whatever. So I am still torn about site style versus custom comment pages.


5. Aren't these pantone-chip cookies pretty much the coolest thing ever? I love that she just mixed up colored icing and then matched it to a pantone color after it cooled.


6. And speaking of food, [personal profile] glass_icarus recently posted Potluck #1, a blog carnival dedicated to multicultural/intersectional posts about food.


7. And only loosely related to food, Happy New Year to everyone who celebrates! At the moment I am all eeee [community profile] white_lotus Lunar New Year Exchange eeee. The fanworks are SO GREAT GUYS, I am so glad to be posting them now where other people can see them. I have been so caught up in the excitement that I have even tried to make some treats, but I keep being interrupted by spreadsheets.
eruthros: Toph from Avatar: TLA preparing for battle (Avatar - toph getting ready)
1. misdirected email:
Good Afternoon [name], Thank you for registering for Friday’s Anonymous Sexual Addictions workshop.
Hey, facilitator dude, how about checking the email addresses before you send them? OR here's a thought: don't put anyone's name in your email! Then if it gets misdirected, nobody will know who was supposed to get it! And nobody will have been inadvertently outed! Just a thought.

Anyway, I can't decide if that was the worst (in the sense of most embarrassing or potentially harmful) misdirected email I've ever received, so I have made a poll:

Open to: Registered Users, detailed results viewable to: All, participants: 30


Worst misdirected email story:

The thirty emails in a day from Wells Fargo about someone's account overdrafting
5 (16.7%)

The email from a pastor with a ton of details of a couple's marriage counseling
23 (76.7%)

The email from google informing me that my email address had just been set as the account-recovery address for someone's professional hotel reservations account
5 (16.7%)

The, like, 200 messages from eHarmony users about someone's online dating profile
3 (10.0%)

The abovementioned email about the anonymous sexual addiction workshop
16 (53.3%)

Listen, my story is much worse than that! Let me tell you all about it in the comments.
2 (6.7%)



2. joy: someone linked to this photo on tumblr, and it made me go all happy and awww. Because it is adorable!

Criminal Minds' Shemar Moore and Matthew Gray Gubler grinning with their arms around each other. Also, Shemar Moore is wearing a really kick-ass hat.

That's Criminal Minds' Matthew Gray Gubler (Spencer Reid) on the left, and Shemar Moore (Derek Morgan) on the right. I have no idea where or when it was taken -- because, you know, tumblr -- so I sadly can't go and look for other pictures that might also include Kirsten Vangsness grinning. Criminal Minds turned into a different (worse) show in its last few seasons, but listen, Morgan still has my HEART. Okay, he and Garcia are sharing it. Anyway: just look at those grins, awwwwww.

3. photo-spread misogyny: Apparently Vogue did a fashion editorial spread on a Spider-Man theme. It is like, here are the films (and a lot of the comics) in a nutshell: Mary Jane is menaced by various villains with phallic bits to their costumes while wearing designer dresses and looking beautiful and unconscious/threatened/withdrawn. It's all right, guys, Peter Parker will save her!

4. tv: Lately I have been watching The Sarah Jane Adventures? I started at the beginning after I watched the one with casting spoilers! ), which was awesome and made me go \o/. And mostly it is a great mood-improver and full of happiness. They save the world with hugs and talking about their feelings and hand-holding! Rani and Maria and Luke and Clyde are adorable! Sarah Jane is awesome and has issues and backstory! They are a FAMILY. That saves the world and talks about aliens and emotions and love. If only most of the villains weren't evil lady-types, and if only the good guys didn't do that awful Smallville-esque targeted amnesia shit, I would have basically my ideal show.

5. Avatar: The Last Airbender: You might've seen this already, but just in case, did you guys see [personal profile] such_heights's post in [community profile] white_lotus about an Avatar: The Last Airbender gift exchange? [personal profile] inkstone suggested the exchange + the lunar new year posting dates, and a bunch of people said they were interested, so it looks like it will happen! Fanfic, fanart, fanvids, etc all accepted. So if you have preferences for style/rules/etc, plz comment at that post; we're going to try to get rules up in a couple of days so that we can do signups before the end of November. \o/ ATLA exchange!

some links

Oct. 30th, 2010 12:13 pm
eruthros: Delenn building the crystal machine in season 1 of B5, captioned "foreshadowing" (B5 - Delenn incredible foreshadowing)
1. You guys, [livejournal.com profile] icepixie wrote The Heart's Compass, the Babylon 5 Delenn/Ivanova AU of my dreams, seriously, could I have had this show instead? It's a little awkward in places but, I mean, so was the show. And listen, it is a story where Delenn falls for Ivanova instead of Sheridan, early in the series, and it makes my heart happy.

[livejournal.com profile] icepixie also wrote a post-Sleeping in Light Ivanova/Delenn story that I haven't read yet (Later Stars of Dawn), which added to the Ivanova/Delenn story that [personal profile] thingswithwings wrote for my birthday one year (Concerto for Violin, Cello, and Piano in C Major, Garibaldi/Franklin, Lennier/Vir, Ivanova/Delenn, postseries) makes three Ivanova/Delenn stories in the last few years. It is a small-fandom rare-pairing embarrassment of riches!

(Especially since there are also a few drabbles and short vignettes over at the AO3, though most of them are about unrequited love.)

2. Don't know what to be this Halloween? Check out wtf should I be for Halloween, which contains as many costume ideas as there are articles on wikipedia. And puts "sexy" in front of all of them.

Since it's completely randomized, there are some really great options. This year I plan on going as a Sexy Fort Reliance Water Aerodrome, for example. (There's also the potential for fail, because of course there are many pages on wikipedia that really shouldn't be indexed with "sexy" in front of them; I didn't encounter anything faily when I clicked through, but that doesn't mean it can't happen.)

3. I frequently encounter images on tumblr that are unattributed or dewatermarked, and sometimes that makes me really sad -- I don't know if that photographer has a ton more pretty images, or what the original context was, or anything. But if I see something really great and I really really want to know if there's more by the same photographer, I look for the picture over at TinEye, a reverse image search engine. Sometimes it even works! Anyway this is a link to TinEye, which I think I was first linked to three years ago when their image index was even smaller; now I do sometimes have some success with them.

4. The US Department of Justice recently filed a brief that said that genes shouldn't be patentable, which is ... kind of amazing.

5. Apparently TVTropes is going to have to take down, move, rename, or mark as NSFW a lot of their sex and sexuality-related content because google ads noticed that ads are running on pages with mature content. And they might have to make registration mandatory to view sex/kink/fetish tropes, and they are planning to make registration mandatory for editing pages. I don't hang out there or anything, but it still makes me sad -- many of those pages are very useful for vidding/iconing/etc. Or for [community profile] kink_bingo, where I have often used the TV Tropes pages for tentacles to find pictures or examples or video of canonical tentacles.
eruthros: A panel from a 1950s educational comic book showing a communist deflating -- I mean, blowing up, the Washington Monument (Communists!)
1. Are you, too, frustrated by the new lj facebook and twitter connect buttons under your comments? Fear not, for not one but two people have made magical solutions! Do not mess with tab order or people shall make greasemonkey scripts, lj. These solutions only fix your view of the page and your tab-order; other people in your journal will still see the facebook/twitter options, and will be able to crosspost their comments.

Option one: daluci wrote a greasemonkey script that takes away all the facebook/twitter connect buttons. Yay! It only works on the quick-comment page, though, not on the full reply page. ETA: Now it works for all comment pages! People are awesome.

Option two: [personal profile] chagrined describes a partial solution using stylish here. This is useful for: people who use stylish (me!), people who have javascript turned off on lj (also me!) because the above greasemonkey script only works on the java-enabled quick comment boxes. Sadly, however, it still leaves "settings" the first tab select after the comment box. Me: tab-enter ... oh damn. NARGH.

2. While I am linking to greasemonkey scripts for livejournal, I also really love daluci's bannering script. It turns the lj header back into a beautiful quiet blue bar. Against which I can read the text. Sometimes it gets a little wonky over on the right, depending on what lj has done with the custom header, but I just adblock the second lj logo and call it done.

3. Yesterday [personal profile] sineala linked to some macros that [personal profile] astolat made in like 2007 that I haven't seen mentioned elsewhere, so I thought I would signal boost them. It's a set of fanfiction conversion macros for Microsoft Word; they turn a story or post written in Word into pretty html or plain text, surrounding italicized text by html tags and stuff like that. (I can't tell from the post itself whether they also fix inappropriate characters like smart quotes and em dashes, but they might.) ETA: [personal profile] sineala confirms in comments that the macros fix em dashes and smart quotes and other special characters.

Misc

Aug. 18th, 2010 05:56 pm
eruthros: Aang from Avatar:TLA facepalming (Avatar - facepalming aang)
1. I have just rewatched "Interludes and Examinations," from B5 season 3. And I have only one thing to say about it: spoilery for which characters are alive in season three )

2. I followed a link to an Avatar story that I haven't started to read, because right at the top of the page I found this:
    TEXT KEY
    Narrative
    Thoughts/Intro/Song Lyrics
    "Spoken"
    Words on a screen/Handwritten on a page
    Stressed/Emphasized Word(s)
    "RAISED VOICE/YELLING"
    ONOMOTOPOEIA
And I was just like, I can't even deal. *stares at list again*

3. The thing about Dr. Laura's recent assholery -- short version: she said really racist things and is now threatening to leave radio to preserve her first amendment rights (both links are to critiques) -- is that I already have a song about Dr. Laura going off the air. Only that song dates to about 2001. And was about her departure from television.

... WHAT?

Aug. 12th, 2010 11:25 pm
eruthros: Delenn from Babylon 5 with a startled expression and the text "omg!" (B5 - Delenn OMG)
Listen, my mom told me that this sort of thing couldn't happen. And I was a lot happier when I believed that. Eeep.
eruthros: llamas! (llamas)
... *flops* I just caught up with the last [community profile] kink_bingo signups, and [personal profile] thingswithwings landed and found the internet and therefore I too have a kink bingo card )

But I haven't thought about it because I've been answering comments instead.

I have, however, thought about this robot plushie, and decided that it is pretty adorable but needs a mouth.
eruthros: Mythbusters screenshot of Jamie blushing red and laughing (Mythbusters - Jamie having an emotion)
1. Oh my god, they got Jewel Staite too?

For those keeping track, they also snagged Torri Higginson. And David Hewlett. Again.

2. Does anybody know why Icerocket doesn't index dreamwidth? And whether there's any way to get them to? I like to use icerocket as a casual search tool, but I want it to find DW posts too!

3. [personal profile] thingswithwings and I started to watch Fringe. We quite liked the pilot, with a few reservations, but then the second episode was all guess-what-the-camera-finds-women-being-killed-erotic. And I just can't take that anymore, no matter how interesting the characters or plots or whatever. So, friends who watch Fringe, does the show change? Was that a moment of complete screw-up that they backed off from? Or is it a show that I can't watch?

4. I find this Gloria Brame post about bondage as performance art really intriguing! It's just a little snippet, though.

5. Don't you hate it when you see an image on someone's blog without citation, and then you've got no idea when or where it's from? Well, I found one of those images, and I'd love to see the context of it.

So! Long shot and all, but can anybody tell me where this is from, or maybe a better way to google for it, or a reference book that might help me out? NSFW image under the cut )

6. Today I am using my Mythbusters icon because Mythbusters is back! Hurrah hurrah hurrah! [personal profile] thingswithwings and I ran out of Mythbusters a month ago, and since then we've only been able to rewatch things. But now! New Mythbusters! It is like an early birthday present for ME.

Page generated Apr. 29th, 2017 01:29 pm