denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance2017-02-25 09:42 pm

Two quick things

Cloudflare


We've had people ask us about the Cloudflare leak reported a few days ago. We are Cloudflare customers, and it is possible that login cookies or passwords may have been exposed as part of the incident. We believe the risk to you is relatively low -- it was a small percentage of Cloudflare's requests that were involved over a relatively short period of time, and we haven't found any evidence that anything from us was among them. This is not an absolute guarantee that none of your accounts were affected, but we don't think the likelihood is very high.

Because we believe the risk to be low, we aren't automatically expiring everyone's session cookies and requiring you to log back in and change your password -- whenever we do that, it does lock some people who they can't remember their passwords and no longer have access to their confirmed email addresses out of their accounts, and we believe that will affect more people in this case.

Still, it's always a good idea to change your passwords regularly, and now would be a good time to do it, especially if you want peace of mind. We have a FAQ on how to change your password. If your browser logs you in automatically and you don't remember your password, you can reset it. If you've forgotten your password and no longer have access to your most recent confirmed email address, you can have the password reset email sent to any email address you've confirmed on your account by entering both your username and your old email address at the Lost Info page.

Unfortunately, if you've forgotten your password and no longer have access to any email address you've confirmed on your account, you probably won't be able to reset your password. In some cases, if you've previously paid for your account, we can validate your payment details to confirm your identity and reset your password. If you can't reset your password, but think you may have paid for your account in the past, you can open a support request in the Account Payments category and I'll check into it for you.


LiveJournal imports/crossposts/feeds


LiveJournal has temporarily blocked about 2/3rds of our webservers from contacting their site, presumably because they feel that we're requesting data from them too often. This affects the ability to import your journal, the ability to crosspost entries from your Dreamwidth account to your LiveJournal account, and whether syndicated feeds of accounts on LiveJournal will update on Dreamwidth. Those features will fail when they're unable to contact LJ because of the block.

It isn't every one of our webservers, so things will work intermittently -- if you crosspost two entries one right after the other, one might succeed while the other fails. Unfortunately, there isn't much we can do to resolve this other than contacting them and asking them to unblock us (which I'll be doing right after I hit 'post' on this entry).

EDIT 2249 EST 25 Feb: We appear to be down to zero unblocked webservers, so imports, crossposts, and feeds will all fail until LJ unblocks us.

EDIT 26 Feb noon EST: LJ unblocked and whitelisted us this morning, so all is working again!
dewline: (Default)

[personal profile] dewline 2017-02-26 03:07 am (UTC)(link)
I've been reducing my cross-posting anyway, and planning to shut down my account there, so...
bytebuster: (Default)

[personal profile] bytebuster 2017-02-26 04:08 am (UTC)(link)
Thank you for letting us know! Hopefully it gets resolved soon.

You may know that many of us who fled from LJ (especially on December'16) usually set up crossposting from DW to our old LJ-accounts to keep our old audience.
However, LJ is constantly increasing their censorship attempts.
So they *may* track the DW IPs that (cross-)post entries that Russian censorship considers bad, and they may block your addresses for this very reason.

Not sure if this helps, but just letting you know.
kyrielle: A photo of kyrielle, in profile, turned slightly toward the viewer (Default)

[personal profile] kyrielle 2017-02-26 04:17 am (UTC)(link)
Well, if LJ would like me to leave entirely, I guess I can.... *irked look at them*
archangelbeth: An anthropomorphic feline face, with feathered wing ears, and glasses, in shades of gray. (Default)

[personal profile] archangelbeth 2017-02-26 04:24 am (UTC)(link)
Thanks for the update on both!
irilyth: (Default)

[personal profile] irilyth 2017-02-26 04:27 am (UTC)(link)
I had a cross-post work just now, FWIW. (http://irilyth.livejournal.com/703912.html)
nepeanois: (cheers)

[personal profile] nepeanois 2017-02-26 04:34 am (UTC)(link)
my advice to the fellow ex-ljusers: bite the bullet, screw the lj. they screwed us already, why do we care what happens there now?
beatrice_otter: Me in red--face not shown (Default)

[personal profile] beatrice_otter 2017-02-26 05:44 am (UTC)(link)
LJ bows to Russian governmental pressure, moves servers to Russia where Putin's word goes and security and privacy don't mean jack.

Lots of LJ users flee to DW.

LJ blocks DW from accessing their site, so that you can't crosspost or import stuff. (At least not directly, could you download your entire LJ using Semagic and then re-upload it to DW?)

Pretty petty, there, LJ.
digitalsidhe: (Default)

[personal profile] digitalsidhe 2017-02-26 06:05 am (UTC)(link)
Ugh, so sorry to hear about the problems with LJ. My sympathies to all the users affected. I am so glad I bailed out and quit even bothering to crosspost last month, after they moved their servers to Russia. It looks like I got out just in time.
sovay: (Rotwang)

[personal profile] sovay 2017-02-26 06:27 am (UTC)(link)
EDIT 2249 EST 25 Feb: We appear to be down to zero unblocked webservers, so imports, crossposts, and feeds will all fail until LJ unblocks us.

Thanks for explaining what happened. Regardless of what crossposting users choose, I hope they unblock you soon, because that is just stupid.
pronker: (Default)

[personal profile] pronker 2017-02-26 06:34 am (UTC)(link)
I crossposted yesterday with no problem; I hope the issues resolves soonest. :(
beldmit: (Default)

[personal profile] beldmit 2017-02-26 07:58 am (UTC)(link)
Thank you very much for the information!
conuly: (Default)

[personal profile] conuly 2017-02-26 08:09 am (UTC)(link)
Some of us have good friends who won't make the jump.
heliopausa: (Default)

[personal profile] heliopausa 2017-02-26 09:41 am (UTC)(link)
I've just posted, and crossposting worked fine.
nepeanois: (jack)

[personal profile] nepeanois 2017-02-26 11:52 am (UTC)(link)
they won't make it for you - they don't really care. that's my opinion
madfilkentist: Photo of Carl (Default)

[personal profile] madfilkentist 2017-02-26 11:53 am (UTC)(link)
Thanks for the update, and too bad (though not very surprising) to hear about what LiveJournal is doing.

However, I can't agree that changing passwords regularly, without a specific reason, is a good idea. It doesn't improve the password's security, and it makes it more likely people will pick easy-to-remember passwords or have to write them down.
hhimring: (Default)

[personal profile] hhimring 2017-02-26 12:30 pm (UTC)(link)
I have just cross-posted successfully.
cmcmck: (Default)

[personal profile] cmcmck 2017-02-26 01:08 pm (UTC)(link)
Fwiw I got one to x post just now (Sunday mid morning).
redbird: closeup of me drinking tea (Default)

[personal profile] redbird 2017-02-26 01:56 pm (UTC)(link)
Or they think I don't care: there's a symmetrical "communicate in X way if you want to talk to me" going on here.

At some point I may leave LJ entirely, but I won't do so thinking "Jo doesn't care what I have to say," it would be "for some reason, Jo dislikes DW, I will have to get my main life news to her some other way."
conuly: (Default)

[personal profile] conuly 2017-02-26 02:05 pm (UTC)(link)
And when I want your opinion of my best friend, I'm sure I'll ask for it.
moreteadk: Close-up of hedgehog bristles, with my username written above (Default)

[personal profile] moreteadk 2017-02-26 02:12 pm (UTC)(link)
I also had a succesful crosspost just now. Perhaps it's working again already?
moth2fic: close-up of snakeshead fritillary bloom (Default)

[personal profile] moth2fic 2017-02-26 06:00 pm (UTC)(link)
I crossposted this morning with no problem but it was 'only' a birthday greeting.

I have lived here happily for a few years now, but as not all my favourite comms have moved, I have conversations/relationships with people 'over there' and it seems churlish not to crosspost when I can go and read their posts so easily. I do hope things get sorted out.

My biggest concern is that as I originally bought a permanent membership on LJ (back in the olden days), I use their Scrapbook feature to host my pics and am not at all sure what to do - all my pics are backed up on my computer but not organised into albums. If anyone can suggest a sensible alternative I would be happy to move everything - and yes, I know DW are now hosting pics but as I said, I have organised albums etc.
wendelah1: Mulder and Scully gazing what else (Default)

[personal profile] wendelah1 2017-02-26 06:02 pm (UTC)(link)
I just cross-posted a test post. No problems at all.
stranger: three stars from Orion's belt (3 stars)

Perplexed

[personal profile] stranger 2017-02-26 08:45 pm (UTC)(link)
The post implies that there can be more than one email address associated with a DW account. However, I don't see a way to add emails (except "for display" which isn't what I want) so there will be more than one, in case my current email goes down for any length of time. Is there supposed to be a back-up email in place somewhere?

stranger: three stars from Orion's belt (3 stars)

Re: Perplexed

[personal profile] stranger 2017-02-26 10:44 pm (UTC)(link)
Thanks for explaining! Email maneuver performed.
veritas_poet: (Speak the truth)

[personal profile] veritas_poet 2017-02-27 02:49 am (UTC)(link)
Yep. Absolutely right.
my_tucker: (Default)

[personal profile] my_tucker 2017-02-27 09:27 am (UTC)(link)
Thanks for your transparency about being a potentially affected site with this Cloudbleed thing. I hadn't heard about it. It's good to know that you consider the risk to your users is very low. I've changed the passwords on my accounts just in case. Re expiring session cookies - is that something we can do ourselves via the manage login sessions part of our account settings?

Also, the article you've linked to said most of the cloudbleed activity happened between 13th -18th Feb. Within that period I bought a paid account and a large number of icon slots (on another DW account) - would my credit card details, address or anything like that potentially have been exposed IF by some small chance this issue affected my Dreamwidth session? Or journal entries? Or would it just be passwords and or/login cookies. I do realise you think it very unlikely Dreamwidth was affected - I'm just curious about what might have been exposed if you were.

And excelllent news that LJ has whitelisted DW again. :) DW is my journalling home now, but I do still x-post to LJ.
Edited 2017-02-27 09:27 (UTC)
my_tucker: (Default)

[personal profile] my_tucker 2017-02-27 08:31 pm (UTC)(link)
Thanks. I thought that was the case re login cookies but just wanted to check (at the risk of it being a dumb question)!
OK, re CC. I won't lose sleep but I will keep an eye on that account. It looks as it should atm.
wolverine: (Default)

[personal profile] wolverine 2017-03-01 11:46 pm (UTC)(link)
I keep all of mine on a notepad, each site is listed separately with each login (be it a username or email I have to use to log in) and the password for it after it, if it's something I'm going to want to access from my phone I make it something easy to remember but hard for anyone else to guess. But having a notepad file (and having it backed up on an external drive) has really helped me out. Each time I need to log in I open it up and scroll to the login I need. I don't really even trust autosaving passwords for really important stuff like bank and paypal, who knows if some day someone can figure out how to access your computer and hack that.
pishu: (Default)

CF maybe blocking Russian users from DW

[personal profile] pishu 2017-03-15 08:06 am (UTC)(link)
Here is what I discovered.

If you are behind Russian IP, you cannot reach DW. If you are routing via VPN in Iceland, DW looks OK.




Also CF cache seem to work slow if at all on low traffic sites, so if you post a pic on DW from your self-hosted site, DW is unable to fetch it for weird reason.
pishu: (Default)

Re: CF maybe blocking Russian users from DW

[personal profile] pishu 2017-03-15 10:38 am (UTC)(link)
Thank you for insights