branchandroot: oak against sky (Default)
[personal profile] branchandroot
OMG, LJ YOU UTTER FUCKERS!

Not ONLY do they fuck up the latest release so it allows random people access to random other people's journals and HAVEN'T ROLLED THE RELEASE BACK, but NOW LJ-SEC CAN'T LOG IN. Because those remote log-in pathways that just changed?

AFFECT THE ONLY APPLICATION THAT CAN DO BULK DELETION OF LJ ENTRIES.

RAGE.

*breathing heavily* I can only hope that the lj-sec developer is a kind soul and releases an update soon. Because this is absolutely it, I'm not leaving my content on that service for another second than I have to. Nothing but public links to other sites!

ETA: It has been suggested by a party who wishes to remain unnamed, but who has some cause to know, that the reason a release like this will not be rolled back despite security failure is most usually that this release fixes some /other/ security bug that was being actively exploited. Additional recommendation: try logging out of LJ and not logging back in until it's fixed. This would kill one possible cause of the mad account access swapping. If it's another cause, apparently we're fucked until LJ's worker bees can scramble a fix. *sighs*

Date: 2011-10-27 07:08 pm (UTC)
ldybastet: (Ringu-phone)
From: [personal profile] ldybastet
...

-_-

I take two days off the Interwebs to paint the walls at my new workplace... and LJ breaks them? My poor Interwebs! Goddammit. Grrr. God what a horrible bunch of fuckups. *sigh*

Date: 2011-10-27 07:16 pm (UTC)
ldybastet: (Ringu-phone)
From: [personal profile] ldybastet
*headdesk* I'm reading a bit of the posts and comments about it now, and ... oh god. How can they not roll this back when the security breach is so terrible? O.o

And the damn, completely frustrating and incomprehensible silence about the issue? Makes me see red. Also, makes me sad that so few will actually open an account over here, despite this. :(

Date: 2011-10-27 07:34 pm (UTC)
seagull2eagle: (Bastard!)
From: [personal profile] seagull2eagle
And I love the fact that we hear the information from *Dreamwidth* and not LJ. That just sucks. LJ, what a piece of... ~..~

Date: 2011-10-27 08:09 pm (UTC)
annotated_em: cross-section of a lemon (Default)
From: [personal profile] annotated_em
Wait, there was an application that let you do bulk deletes? Damn.

I'm slowly working my way through the archive of my journal, but it's so dispiriting.

(Ye gods, I was a twerp.)

Date: 2011-10-27 08:33 pm (UTC)
annotated_em: cross-section of a lemon (Default)
From: [personal profile] annotated_em
*grimace* It goes kinda fast once you get a rhythm going, but it's a pain in the butt.

It did lead me to the epiphany that, had there been Twitter when I was an undergrad, I would have been an early adopter liek whoa. I was microblogging before microblogging was cool!

Date: 2011-10-27 08:43 pm (UTC)
mitsuhachi: (Default)
From: [personal profile] mitsuhachi
Yeeeeaaaahhhh....I've gotta admit, there's a lot of shiny people over on LJ. But damn am I glad I cut and run way back when. O.O That sounds like a MONUMENTAL fuckup. I kind of wish there were somewhere over there to offer DW/AO3 invite codes.

Date: 2011-10-28 09:14 am (UTC)
dancing_serpent: (Dreamwidth - Fandom: to boldly go)
From: [personal profile] dancing_serpent
There's [livejournal.com profile] dreamwidth, as far as I know, where people usually offer codes.

Date: 2011-10-28 03:06 pm (UTC)
mitsuhachi: (Default)
From: [personal profile] mitsuhachi
Oh, thank you!

Date: 2011-10-27 08:44 pm (UTC)
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
From: [personal profile] synecdochic
Additional recommendation: try logging out of LJ (ideally restarting your browser) and logging back in. This would fix one possible cause of the mad account access swapping. If it's another cause, apparently we're fucked until LJ's worker bees can scramble a fix.

Actually, in *most* cases the problem could be (and please note that I have no idea what the problem is or whether it's something other than the Varnish misconfigs they mention in http://lj-maintenance.livejournal.com/131843.html and claim to have fixed), logging out of LJ entirely, expiring all sessions, and staying logged out until the problem is no longer being reported, would most likely do it. If it's cache/Varnish problems the way they say, that would prevent you from loading a page logged in and thus having your logged-in account cached for someone else to see; if it's something more serious like a fucked up master cookie->login session table or something, it would prevent your master cookie or login session from existing (and thus from being confused with someone else's).
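
The cache failure described in the comment above, as an added example (not part of the original thread, and not LiveJournal's or Varnish's code): a simplified Python model of a shared cache keyed on URL only, next to one that passes credentialed requests through and refuses to store private responses. The class, function, path and cookie names are hypothetical.

```python
# Simplified model of a shared reverse-proxy cache (constructed example;
# not LiveJournal's or Varnish's actual code or configuration).

def origin(path, headers):
    """Toy origin: personalises the page when a session cookie is present."""
    cookie = headers.get("Cookie", "")
    if cookie.startswith("session="):
        user = cookie.split("=", 1)[1]
        return {"headers": {"Cache-Control": "private"},
                "body": f"{path}: logged in as {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": f"{path}: logged out"}


class SharedCache:
    def __init__(self, safe):
        self.safe = safe      # False reproduces the misconfiguration
        self.store = {}       # cache key is the URL path only

    def _bypass(self, headers):
        # Requests carrying credentials must never be answered from,
        # or stored into, a cache shared between users.
        return "Cookie" in headers or "Authorization" in headers

    def _storable(self, resp):
        cc = resp["headers"].get("Cache-Control", "").lower()
        return ("private" not in cc and "no-store" not in cc
                and "Set-Cookie" not in resp["headers"])

    def fetch(self, path, headers):
        if self.safe and self._bypass(headers):
            return origin(path, headers)["body"]
        if path in self.store:
            return self.store[path]
        resp = origin(path, headers)
        if not self.safe or self._storable(resp):
            self.store[path] = resp["body"]
        return resp["body"]


def demo(safe):
    """alice loads a page logged in, then an anonymous visitor loads it."""
    cache = SharedCache(safe)
    cache.fetch("/inbox", {"Cookie": "session=alice"})
    return cache.fetch("/inbox", {})
```

With `safe=False`, the anonymous visitor is served the copy of the page that was generated for alice; staying logged out, as the comment recommends, means no personalised copy of your page is ever generated to be cached.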

Date: 2011-10-27 08:55 pm (UTC)
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
From: [personal profile] synecdochic
Yeah. I feel so horrible for my old team; they're probably on the phone shouting at the tops of their lungs right now :(

Date: 2011-10-27 09:05 pm (UTC)
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
From: [personal profile] synecdochic
Even if it really was the Varnish caching problem they mentioned (which I'm not convinced of, given that the reports kept going for ~24h or so after the supposed fix), that post was nobody's idea of a good explanation :(

Date: 2011-10-30 02:51 am (UTC)
From: [personal profile] dragonwolf
So...um....why is Varnish even set up to cache the pages that should be encrypted and pretty much by security definition not cached, even if everything else is cached and not encrypted? Hell, if only the "sensitive" pages (ie - payment, login, etc) are the only ones that are encrypted (the issues with things like Firesheep notwithstanding), it should make it easier to filter out such stuff, because it will be on a different port. In fact, I'm fairly certain Varnish ignores port 443 by default, at least on the standard installs.

Yeah...their explanation seems fishy to me.

/end rant of fellow developer/sysadmin

Date: 2011-10-30 03:23 am (UTC)
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
From: [personal profile] synecdochic
I am pretty sure the answer involves a firm bit of Dunning-Kruger.

Date: 2011-10-28 03:14 am (UTC)
foxinthestars: cute drawing of a fox (Default)
From: [personal profile] foxinthestars
Not being knowledgeable about programming at all, my initial reaction was "that can even happen!?" After reading the comments here I put up a quick post offering my DW invites to my LJ friends, logged out and restarted my browser...

Date: 2011-10-30 02:57 am (UTC)
From: [personal profile] dragonwolf
If by "that" you mean the Varnish snafu...it's one of those things that can, but really shouldn't. You have to actually tell Varnish to cache anything that goes over HTTPS, which is what the really sensitive pages, at least (login, account info, etc), if not everything when logged in, should go over. If it truly is/was a Varnish issue, that says to me that someone who's dealing with Varnish...well...shouldn't be.

Page generated Aug. 14th, 2025 11:11 am
Powered by Dreamwidth Studios