Two quick things

[denise]

Cloudflare

We've had people ask us about the Cloudflare leak reported a few days ago. We are Cloudflare customers, and it is possible that login cookies or passwords may have been exposed as part of the incident. We believe the risk to you is relatively low -- it was a small percentage of Cloudflare's requests that were involved over a relatively short period of time, and we haven't found any evidence that anything from us was among them. This is not an absolute guarantee that none of your accounts were affected, but we don't think the likelihood is very high.

Because we believe the risk to be low, we aren't automatically expiring everyone's session cookies and requiring you to log back in and change your password -- whenever we do that, it does lock some people who they can't remember their passwords and no longer have access to their confirmed email addresses out of their accounts, and we believe that will affect more people in this case.

Still, it's always a good idea to change your passwords regularly, and now would be a good time to do it, especially if you want peace of mind. We have a FAQ on how to change your password. If your browser logs you in automatically and you don't remember your password, you can reset it. If you've forgotten your password and no longer have access to your most recent confirmed email address, you can have the password reset email sent to any email address you've confirmed on your account by entering both your username and your old email address at the Lost Info page.

Unfortunately, if you've forgotten your password and no longer have access to any email address you've confirmed on your account, you probably won't be able to reset your password. In some cases, if you've previously paid for your account, we can validate your payment details to confirm your identity and reset your password. If you can't reset your password, but think you may have paid for your account in the past, you can open a support request in the Account Payments category and I'll check into it for you.

LiveJournal imports/crossposts/feeds

LiveJournal has temporarily blocked about 2/3rds of our webservers from contacting their site, presumably because they feel that we're requesting data from them too often. This affects the ability to import your journal, the ability to crosspost entries from your Dreamwidth account to your LiveJournal account, and whether syndicated feeds of accounts on LiveJournal will update on Dreamwidth. Those features will fail when they're unable to contact LJ because of the block.

It isn't every one of our webservers, so things will work intermittently -- if you crosspost two entries one right after the other, one might succeed while the other fails. Unfortunately, there isn't much we can do to resolve this other than contacting them and asking them to unblock us (which I'll be doing right after I hit 'post' on this entry).

EDIT 2249 EST 25 Feb: We appear to be down to zero unblocked webservers, so imports, crossposts, and feeds will all fail until LJ unblocks us.

EDIT 26 Feb noon EST: LJ unblocked and whitelisted us this morning, so all is working again!

Comments

[dewline]

I've been reducing my cross-posting anyway, and planning to shut down my account there, so...

[bytebuster]

Thank you for letting us know! Hopefully it gets resolved soon.

You may know that many of us who fled from LJ (especially on December'16) usually set up crossposting from DW to our old LJ-accounts to keep our old audience.
However, LJ is constantly increasing their censorship attempts.
So they *may* track the DW IPs that (cross-)post entries that Russian censorship considers bad, and they may block your addresses for this very reason.

Not sure if this helps, but just letting you know.

[denise]

Oh, no, this sort of thing happens occasionally. It's because we have multiple servers that all hit LJ relatively frequently (for importing and crossposting and stuff) -- we try to keep things under their access limits, but sometimes we trip their "aaaaack there's a site out there that's hammering our servers, block them!" automatic detection and blocking. Previously we'd been whitelisted, but we forgot to let them know what our new IP addresses were after we switched hardware in December.

[kyrielle]

Well, if LJ would like me to leave entirely, I guess I can.... *irked look at them*

[archangelbeth]

Thanks for the update on both!

[irilyth]

I had a cross-post work just now, FWIW. (http://irilyth.livejournal.com/703912.html)

[nepeanois]

my advice to the fellow ex-ljusers: bite the bullet, screw the lj. they screwed us already, why do we care what happens there now?

[conuly]

Some of us have good friends who won't make the jump.

[nepeanois]

they won't make it for you - they don't really care. that's my opinion

[redbird]

Or they think I don't care: there's a symmetrical "communicate in X way if you want to talk to me" going on here.

At some point I may leave LJ entirely, but I won't do so thinking "Jo doesn't care what I have to say," it would be "for some reason, Jo dislikes DW, I will have to get my main life news to her some other way."

[conuly]

And when I want your opinion of my best friend, I'm sure I'll ask for it.

[veritas_poet]

Yep. Absolutely right.

[beatrice_otter]

LJ bows to Russian governmental pressure, moves servers to Russia where Putin's word goes and security and privacy don't mean jack.

Lots of LJ users flee to DW.

LJ blocks DW from accessing their site, so that you can't crosspost or import stuff. (At least not directly, could you download your entire LJ using Semagic and then re-upload it to DW?)

Pretty petty, there, LJ.

[digitalsidhe]

Ugh, so sorry to hear about the problems with LJ. My sympathies to all the users affected. I am so glad I bailed out and quit even bothering to crosspost last month, after they moved their servers to Russia. It looks like I got out just in time.

[sovay]

EDIT 2249 EST 25 Feb: We appear to be down to zero unblocked webservers, so imports, crossposts, and feeds will all fail until LJ unblocks us.

Thanks for explaining what happened. Regardless of what crossposting users choose, I hope they unblock you soon, because that is just stupid.

[pronker]

I crossposted yesterday with no problem; I hope the issues resolves soonest. :(

[beldmit]

Thank you very much for the information!

[heliopausa]

I've just posted, and crossposting worked fine.

[madfilkentist]

Thanks for the update, and too bad (though not very surprising) to hear about what LiveJournal is doing.

However, I can't agree that changing passwords regularly, without a specific reason, is a good idea. It doesn't improve the password's security, and it makes it more likely people will pick easy-to-remember passwords or have to write them down.

[denise]

Well, absolute best practice is to use a password manager that auto-generates unique passwords for each site, and protect it with a passphrase or pass-sentence rather than a password, sure. But getting people to do that is hard, and given that data indicates that up to 70% of people reuse passwords across multiple sites, the 'change your password regularly' advice still has its place, because chances are pretty good a large number of our users a) use the same password on DW as they do elsewhere on the internet; b) have had the password of one of their 'elsewhere on the internet' breached in something in the time since they've last changed their password. Sometimes you give security advice for the audience you have, not the audience you want...

And really, I'd be perfectly happy if people used unique passwords for DW but wrote them down and stuck them in their wallet or whatever! People are used to protecting the contents of their wallet. Even "written down and stuck in the top drawer of the desk" is better than "reused over multiple sites since 2009" or whatever, especially since DW is the kind of service that people use at home (and how many people are going to be poking around in your desk at home) and not at work.

[wolverine]

I keep all of mine on a notepad, each site is listed separately with each login (be it a username or email I have to use to log in) and the password for it after it, if it's something I'm going to want to access from my phone I make it something easy to remember but hard for anyone else to guess. But having a notepad file (and having it backed up on an external drive) has really helped me out. Each time I need to log in I open it up and scroll to the login I need. I don't really even trust autosaving passwords for really important stuff like bank and paypal, who knows if some day someone can figure out how to access your computer and hack that.

[hhimring]

I have just cross-posted successfully.

[cmcmck]

Fwiw I got one to x post just now (Sunday mid morning).

[angrboda]

I also had a succesful crosspost just now. Perhaps it's working again already?

[moth2fic]

I crossposted this morning with no problem but it was 'only' a birthday greeting.

I have lived here happily for a few years now, but as not all my favourite comms have moved, I have conversations/relationships with people 'over there' and it seems churlish not to crosspost when I can go and read their posts so easily. I do hope things get sorted out.

My biggest concern is that as I originally bought a permanent membership on LJ (back in the olden days), I use their Scrapbook feature to host my pics and am not at all sure what to do - all my pics are backed up on my computer but not organised into albums. If anyone can suggest a sensible alternative I would be happy to move everything - and yes, I know DW are now hosting pics but as I said, I have organised albums etc.

[wendelah1]

I just cross-posted a test post. No problems at all.

Perplexed

[stranger]

The post implies that there can be more than one email address associated with a DW account. However, I don't see a way to add emails (except "for display" which isn't what I want) so there will be more than one, in case my current email goes down for any length of time. Is there supposed to be a back-up email in place somewhere?

Re: Perplexed

[denise]

You can add another email address to your account by changing your address to the other address, confirming it by clicking the link you get in email, then switching it back to the first. For instance, if my email history looks like:

• denise@example.org then changed to
• denise.2@example.org then changed back to
• denise@example.org,

I could have a password reset sent to denise.2@example.org even though my currently confirmed address is denise@example.org.

Re: Perplexed

[stranger]

Thanks for explaining! Email maneuver performed.

Re: Perplexed

[denise]

\o/

(And, for the record, you can also remove email addresses as long as they're not your first confirmed address and as long as you reconfirm an earlier email address first -- like, in my example above, if I wanted to I could remove denise.2@example.org because I'd reconfirmed denise@example.org after it. But that's a more advanced maneuver, to guard against someone breaking into your account and adding their email address.)

[my_tucker]

Thanks for your transparency about being a potentially affected site with this Cloudbleed thing. I hadn't heard about it. It's good to know that you consider the risk to your users is very low. I've changed the passwords on my accounts just in case. Re expiring session cookies - is that something we can do ourselves via the manage login sessions part of our account settings?

Also, the article you've linked to said most of the cloudbleed activity happened between 13th -18th Feb. Within that period I bought a paid account and a large number of icon slots (on another DW account) - would my credit card details, address or anything like that potentially have been exposed IF by some small chance this issue affected my Dreamwidth session? Or journal entries? Or would it just be passwords and or/login cookies. I do realise you think it very unlikely Dreamwidth was affected - I'm just curious about what might have been exposed if you were.

And excelllent news that LJ has whitelisted DW again. :) DW is my journalling home now, but I do still x-post to LJ.

[denise]

Logging out of the site and logging back in, or changing your password, expires your session cookies! So if you've changed your password, you're good.

Yeah, theoretically, if you made a credit card payment during the time the leak was happening, there's a small chance that your details may have been exposed. Personally, if I'd made a credit card payment during those days, I wouldn't be worried about it at all, but if you're concerned, just keep an eye on your CC statement for a while for any unfamiliar charges!

[my_tucker]

Thanks. I thought that was the case re login cookies but just wanted to check (at the risk of it being a dumb question)!
OK, re CC. I won't lose sleep but I will keep an eye on that account. It looks as it should atm.

CF maybe blocking Russian users from DW

[pishu]

Here is what I discovered.

If you are behind Russian IP, you cannot reach DW. If you are routing via VPN in Iceland, DW looks OK.




Also CF cache seem to work slow if at all on low traffic sites, so if you post a pic on DW from your self-hosted site, DW is unable to fetch it for weird reason.

Re: CF maybe blocking Russian users from DW

[denise]

Hm. We don't have Cloudflare set to reject connections from Russia or anything, so it may be the Russian government having realized we moved hardware back in December -- they've blocked us in the past because of various content that's blockable under Russian law but not under US law.

Re: CF maybe blocking Russian users from DW

[pishu]

Thank you for insights