LavenderFrost ([info]lavenderfrost) wrote in [info]fandom_lounge,
@ 2007-08-07 07:32:00


Uh-oh. 
Ponderosa121 points out security flaws in the LJ system related to account banning/suspensions.




[info]eilan
2007-08-07 02:03 pm UTC (link)
Well, I can read f-locked entries with my deleted journal as well. They probably don't make a difference between suspended and deleted accounts on that level. I don't quite get where it is a security flaw, as the suspended or deleted journals can be taken off a user's friends-list.

(Reply to this)(Thread)


[info]sheep
2007-08-07 02:30 pm UTC (link)
I think it is, in that the majority of users probably aren't aware of it.

(Reply to this)(Parent)(Thread)


[info]eilan
2007-08-07 02:33 pm UTC (link)
I think we have different ideas of what constitutes a security flaw then :)

(Reply to this)(Parent)(Thread)


[info]sheep
2007-08-07 02:40 pm UTC (link)
It is a security flaw. People who are not members of LJ should not be able to read your locked LJ posts. It will always be a flaw until fixed, but the least LJ can do is inform people so that its users can protect their LJ content if they wish.

(Reply to this)(Parent)(Thread)


[info]eilan
2007-08-07 02:44 pm UTC (link)
See, you think it's obvious this should not happen, I think it isn't and therefore isn't a flaw. Because these users once gave the other user permission to see their locked entries.

It's shit that they don't say that in their FAQs, and they should really include it so that people remember to de-friend deleted and suspended journals if they do not want these users to read their locked entries, but I don't see it as a security flaw.

(Reply to this)(Parent)(Thread)


[info]sheep
2007-08-07 02:45 pm UTC (link)
Obvious to you doesn't mean it's not a flaw. I'm leaving it there. This isn't something I find interesting enough to wank over ;)

(Reply to this)(Parent)(Thread)


[info]eilan
2007-08-07 02:47 pm UTC (link)
Same here.

(Reply to this)(Parent)


[info]aristaea
2007-08-07 03:04 pm UTC (link)
I wondered what the flaw was at first, because I think it's probably a good thing if you want your suspended friends to still be able to read your journal. But after thinking about it, I think I can see one.

I suspect many people who use filters have people on their flists they don't keep track of, and many people just keep completely flocked journals and friend anyone who wants to read. If I friended up someone who ended up harassing me, but they were then suspended, I personally would probably not think to remove that person from my flist just to stop them from reading my journal, because before now, I wouldn't have realised that they could still use their account. But that person might still have access to my flocked posts, which means they could continue to harass me in other ways.

So even if it's a minor, fixable flaw, people should still be aware that it exists, so that they can do something about it.

(Reply to this)(Parent)(Thread)


[info]mireille
2007-08-07 03:34 pm UTC (link)
If I friended up someone who ended up harassing me, but they were then suspended,

Okay, I'm not arguing that this is an issue (I wouldn't call it a "security flaw," but it's definitely a bug), but if I friended someone who ended up harassing me, and I did not de-friend them, then I'm having a hard time coming up with a scenario where I would not be a moron. Because even the people I know who don't defriend anyone, including deleted LJs, defriend people who harass them.

(Reply to this)(Parent)(Thread)


[info]aristaea
2007-08-07 03:58 pm UTC (link)
What if I friended someone, and they turned out to be a troll? And perhaps they were trolling several journals, and other people had reported them for abuse, and so shortly after they began harassing me, they were suspended? I might not have gotten to the point of de-friending or banning them from my journal, and if they were suspended before I got to it, I would not have thought to do so, because I would have seen the suspension as resolving the problem.

Maybe it isn't a "security flaw", but I do believe it is a problem that should be fixed, or at least publicised.

(Reply to this)(Parent)


[info]ladybirdsleeps
2007-08-08 05:45 pm UTC (link)
I would remove anyone from my friends list who harassed me. However... a "friends" list isn't, really, and I don't pay close attention to everyone that's on it. There are even people who I've friended so they can see my entries but who I don't watch.

It's pretty easy to imagine one of them turning out to be a spectacular ass without me noticing before they got suspended for it.

I actually like this behavior because I think it's great that people who have been tossed for violations like Ponderosa can still read their friends' entries. But I'd like to be notified that this is actually what happens. Ideally, there would be a notification that someone I'm monitoring had been suspended and that they could still read my protected posts ("do you want to remove this person from your friends list?"), but since LJ seems pretty squirrely these days about publicizing suspensions, that would never happen.

(Reply to this)(Parent)(Thread)


[info]mireille
2007-08-08 06:25 pm UTC (link)
LJ has always been pretty squirrelly about announcing suspensions, and I'm actually okay with the idea that they're keeping a lot of what LJ Abuse does confidential.

But I'd like to see it in the FAQ, at least.

(Reply to this)(Parent)


[info]white_serpent
2007-08-07 03:32 pm UTC (link)
While, overall, I agree with you... conceptually, it seems to me that someone permanently banned from the site ought to actually be banned from the site. For journals removed voluntarily that the user can restore at will, the continued access to friendslocked material makes more sense.

(Reply to this)(Parent)(Thread)


[info]eilan
2007-08-07 04:36 pm UTC (link)
Well, suspended users aren't banned - they get their posting privileges removed. That they don't also get their viewing privileges removed might seem inconsistent, but it's something any user can fix manually.

The fact that deleted journals now don't show up on the normal user profile anymore makes this a problem, though. They should definitely fix that part and make it clear that deletion/suspension != can't view anymore.

(Reply to this)(Parent)(Thread)
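The two comments above draw the line between a suspension (posting removed, viewing not) and a voluntary deletion, with the friend list alone deciding who can read locked entries. As an added illustration, not code from LiveJournal or from anyone in this thread, here is that check in Python beside a hardened version that also consults account status, plus the audit a "remove this person from your friends list?" prompt would need; the account names and statuses are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    DELETED = "deleted"        # owner removed the journal; can be restored at will
    SUSPENDED = "suspended"    # removed by the site; posting privileges gone


@dataclass
class Account:
    name: str
    status: Status = Status.ACTIVE
    friends: set = field(default_factory=set)  # who may read this account's locked entries


@dataclass
class Entry:
    author: str
    locked: bool


def can_view_as_described(viewer, entry, accounts):
    """Check as the thread describes LJ behaving: friend-list membership alone decides,
    so a suspended or deleted viewer who is still friended gets through."""
    if not entry.locked:
        return True
    author = accounts[entry.author]
    return viewer.name == author.name or viewer.name in author.friends


def can_view_hardened(viewer, entry, accounts, block_deleted=False):
    """Same check, but a suspended viewer never reads locked entries; deletions block only on opt-in."""
    if not entry.locked:
        return True
    if viewer.status is Status.SUSPENDED:
        return False
    if block_deleted and viewer.status is Status.DELETED:
        return False
    return can_view_as_described(viewer, entry, accounts)


def stale_grants(owner, accounts):
    """Audit helper: friends still granted access whose accounts are no longer active."""
    return sorted(f for f in owner.friends if accounts[f].status is not Status.ACTIVE)


def build_sample():
    """Constructed sample data (not real accounts) for the checks above."""
    accounts = {a.name: a for a in (
        Account("owner", friends={"pal", "troll", "gone"}),
        Account("pal"),
        Account("troll", Status.SUSPENDED),
        Account("gone", Status.DELETED),
        Account("stranger"),
    )}
    return accounts, Entry(author="owner", locked=True)
```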


[info]ladybug218
2007-08-07 05:19 pm UTC (link)
They should definitely fix that part and make it clear that deletion/suspension != can't view anymore.

I would have assumed that suspended/banned did equal unable to view anymore, so, yeah, I think you're right that it needs to be made clear.

Personally, I don't like the aesthetics of having a struck-out name on my userinfo page, but I'm sure that doesn't bother a lot of people, particularly owners of large communities.

(Reply to this)(Parent)


[info]elke_tanzer
2007-08-07 02:57 pm UTC (link)
When it was easy to see the strikethrough, I'd have thought this was a small flaw, a coding glitch. Now with the boldthrough thing, where if you're viewing the short form of a user profile or a profile not your own and the deleted/suspended journal doesn't even appear? It's a bigger problem, from my perspective.

It's probably an issue with every version of the LJ code, btw, not just LJ itself, but as far as I know, LJ is the only site that's gone the boldthrough-and-not-on-short-profiles route rather than the strikethrough route.

(Reply to this)(Thread)


[info]black_spot
2007-08-07 06:23 pm UTC (link)
Yesterday, Stupid_free was bolded as a community on one of my friend’s user information. (Made me run post haste to check.) I did think it might have been because it was the only community we had in common, but there was another community that wasn’t - I’d turned off notification on that account though. Curious.

(Reply to this)(Parent)(Thread)


[info]deliciouschaos
2007-08-07 06:31 pm UTC (link)
If you both have a community in common that you both have friended, it'll be bolded.

I stare and stare at that sentence and I still can't figure out how to make it less convoluted.

(Reply to this)(Parent)


[info]qem_chibati
2007-08-07 08:43 pm UTC (link)
If it's linked and bolded you share it. If it's not linked and bolded it's deleted.

(Reply to this)(Parent)(Thread)


[info]bolboreta
2007-08-07 11:50 pm UTC (link)
Also, you can only see the deleted journals on your own userinfo, where the only other bolded things are your mutual friends and the comms you're a member of and keep on your friends list.

(Reply to this)(Parent)


[info]frequentmouse
2007-08-07 03:46 pm UTC (link)
"This is not a security glitch."

Wow, Bill Gates really has won, hasn't he?

(Reply to this)(Thread)


[info]kadath
2007-08-07 04:31 pm UTC (link)
Yeah, I'm not sure in what universe "users whose permissions have been removed retain access" isn't a security glitch.

(Reply to this)(Parent)(Thread)


[info]missm
2007-08-07 04:55 pm UTC (link)
Yep, I was just imagining the reaction if that were true on the sites we maintain at work.

(Reply to this)(Parent)(Thread)


[info]frequentmouse
2007-08-07 05:10 pm UTC (link)
"It's not a bug, it's a feature!"

(Reply to this)(Parent)


[info]kadath
2007-08-07 06:32 pm UTC (link)
"I know we fired Steve and took his email address out of the company directory, but actually deleting it would have been too much work. You should have taken him off your distribution list before sending out proprietary information!"

(Reply to this)(Parent)(Thread)


[info]missm
2007-08-07 06:58 pm UTC (link)
Good analogy! We actually had a situation where someone's LAN access was removed, but he still had access to a server with sensitive information that required a different password. Because, you know, how could he get into the system without a LAN password? It's not like he could have known someone else's, right? No one ever leaves their LAN password on a sticky on their PC (well, not in my office any more!) or tells someone else to log them in because they're running late and the boss takes attendance by checking sign-in times. (That last one will stop for good when we find a way to alter human nature.)

Fortunately, nothing bad happened, but that may have been because it didn't occur to anyone those passwords wouldn't automatically be deleted with the ones on the LAN. (They are now, and we have to change our passwords often.)

(Reply to this)(Parent)(Thread)


[info]sashenka
2007-08-07 07:50 pm UTC (link)
You know, I was all "whatever, LJ is a business" about the whole situation, but now I think it's "LJ is an incompetent business run by idiots", because, as your example shows, in a business situation things like this can be a huge hazard to the business. LJ should at least warn about this if they don't want to muck with their coding, which I would understand. Though in the case of LJ, I usually don't post anything that personal or important under anything less than a filter with less than a dozen people, all of whom I know outside the internet, if I post it at all.

(Reply to this)(Parent)(Thread)


[info]missm
2007-08-07 08:15 pm UTC (link)
Their lack of common business sense is astounding to me. I wish I could be surprised that it extends to things like security holes.

(Reply to this)(Parent)(Thread)


[info]sashenka
2007-08-07 08:20 pm UTC (link)
I don't really think it's 6A's fault, though, because this would probably be from very early coding. JF probably has the same problem, I would think.

(Reply to this)(Parent)(Thread)


[info]missm
2007-08-07 08:33 pm UTC (link)
I'm pretty sure it does, because I remember a fuss when someone who was a deleted user was able to post in a community.

(Reply to this)(Parent)


[info]ladybug218
2007-08-07 07:41 pm UTC (link)
Our IT Director recently left and we had mandatory password changes for every user, including our "guest" account (which our non-office workers use when they come in).

It made sense to me, seeing how he had access to everyone's logins for everything -- not that I think he would have hacked us, he left amicably, but still.

(Reply to this)(Parent)(Thread)


[info]missm
2007-08-07 08:56 pm UTC (link)
It also protects him from suspicion in case something happens after he's gone. I once insisted someone change the combination to a safe before I'd sign my exit interview papers.

(Reply to this)(Parent)


[info]prettypinkkitty
2007-08-07 07:45 pm UTC (link)
DAMMIT, What happens in the dystopian future when we have to go underground for thoughtcrimes and the only way to check our friendslists for cat macros get crucial information for the resistance is by looking @ our friendslists, though we've been banned?

(Reply to this)(Thread)


[info]aristaea
2007-08-08 12:14 am UTC (link)
Well, obvs, in the future, we will all have thirty different aliases and fake papers, and we'll only have internet access via satellite from the back of vans speeding down the highway as we run from the police. And we'll all have to trade codes in order to read the sekrit resistance blogs like icanhascheezburger. So probably at least one alias will still have a working LJ.

(Reply to this)(Parent)(Thread)


[info]kaesa
2007-08-09 08:20 pm UTC (link)
I read "from the back of vans" as "from the backs of our hands." And I thought "WHOA, I WANT THAT KIND OF COMPUTER. Even if it's the product of a corporate dystopian hell!"

(Reply to this)(Parent)


 
   