Category: social-networking

I’m exploring moving my journal to WordPress over the Holiday Break, as the critical mass of commenters over here on LJ seems to be shrinking, and LJ is having its various troubles. The version of WordPress I can install at cahighways.org is 3.1. Does anyone know if that version (a) can import entries from Livejournal (only public entries are fine); (b) can cross-post to both Livejournal and Dreamwidth; and (c) can support either comment moderation or OpenID commenting?

If you are using WordPress for your blog/journal, I’m curious what version you are using, and what you think of it.

Those of you who follow the news posts on LiveJournal saw a reference to “a service issue that sprung up a couple days ago and was quickly resolved”. If you followed the link and read the comments, you discovered it was more than a “minor service issue”: it was a major LJ kerfluffle™. What happened, in short, was that there was an error with their page serving cache, and for some period of time (LJ says it was under three minutes; others say it was longer), people were served random pages from other people that were in the cache. This included, naturally, pages that included friends-locked and private entries. LJ classifies it as minor because no one could change any page; others are much more concerned because their private information was exposed to some other party—and they are not going to be happy until LJ does something unspecified, including recognizing it was major.

My assessment: It’s not as minor as LJ classified it, but it also isn’t a major privacy problem or security risk (such as the flaw just discovered in Facebook that allows someone to attach an executable to a message). Yes, private information was exposed, but (a) was exposed in a random manner, meaning that the user that saw the private data was likely someone who didn’t know the individual whose data it was—and thus the exposure risk was likely lower than exposing it to someone who knows the individual. Secondly, there was no ability to navigate in that person’s account purposefully, and so specific locked entries could not be seen. This is not to downplay the risk—it was a breach—but the exposure risk and the exploitation risk was low.

I’m sure a lot of people who are upset about this are operating on the naive assumption that security mechanisms on websites work, and that their computers are secure. Of course, we know that to be false, but we like to believe the artifice so we can sleep at night. People should always work on the philosophy that you shouldn’t post something on a website that you don’t want the world to see. Breaches will occur; it is the nature of the beast. Protections fail; databases are sold. You can only have a level of confidence in someone that has a fiduciary interest (meaning a legal obligation) to protect your data… and this is distinctly not true for social networking sites, no matter what we might believe.

Will this prompt me to leave LJ? I thought about it. I could easily set up a WordPress blog on cahighways.org (they have version 3.1—does anyone know if that version can interact with LJ?). But I likely won’t do it, for the same reason I don’t leave FB: the people I want to interact with are on LJ (or FB). They are not commenting on random WordPress blogs; they are not present with sufficient mass on DreamWidth. The people I care about reaching are on LJ. Further, *I* do not have the privacy concern, because my LJ posts are (99.9%) public, and I don’t talk about things I don’t want to be public. At worst, people discover a party I was planning 3 years ago, or a fight I had with my wife 4 years ago. Big deal. But I do know that for others, even the slightest risk is a big concern. Everyone has their own risk tolerance level.

I’d like to know your thoughts on the exposure kerfluffle? Is it making you leave LJ? If so, where are you going: DW, your own blog, G+, FB, or somewhere else? When do you think that LJ will lose enough critical mass in the English-speaking world that it effectively becomes a true niche player?

The DDOS attacks on LiveJournal have now made it to Time magazine. Here’s an interesting article giving the why’s and wherefors: Why Have Hackers Hit Russia’s Most Popular Blogging Service? – Yahoo! News. There are times I’m actually proud to be a permanent member of LJ… and this is one of them.

A lunchtime musing: As folks know, I’ve been closely following the debate about Facebook Connect and Livejournal. If you read through the volumnious discussion on news, you’ll see that the common cry is for an “opt out”. In general—and this is a call that’s been going on since the days of brad, long before the purchase by SixApart—the call is that users should be able to opt out of any new features. Some want this because they don’t like change at all, and some fear the privacy or publicity risks. A lot of folks don’t understand why LJ doesn’t implement the “opt out”s—it seems so intuitively simple for them.

However, it isn’t, and that’s what I’d like to discuss here. When can you provide too many options? When can too many choices lead to bad security choices?

Let’s look at some examples. A number of folks are running over to Dreamwidth. Dreamwidth has tried to keep the good and eliminate the bad from LJ. An example of this are friends list, which in LJ conflate the notions of who you read with who can read your private posts. Dreamwidth separates these, and thus when you look at a profile, you see the following (and this is just for users):

Open Mutual Access
Open Also Access To
Open Also Access From
Open Mutual Subscriptions
Open Also Subscribed To
Open Also Subscribed From

For communities, you have:

Open Member Of
Open Subscriptions
Open Posting Access

I’ll argue this is confusing, and where there is confusion, there is more chance of having access errors occur. The “Friendlist” approach, while flawed, is much easier to understand. Facebook actually learned this a while back. Their privacy controls (which they do have) were actually too fined grained and too hard to understand, which forced them to simplify their privacy controls. This is a trend: Google is simplifying their privacy policies as well, going for understandability over complete control. Folks may remember that even LJ did this a while back, simplifying and reorganizing their settings pages to make things easier to modify and control.

This, then, could be the reason why LJ doesn’t add an opt-out with every new feature. Over time, the opt-out space would get far too confusing. There needs to be intelligent choice in what opt-outs are provided, and how they are grouped so that they can be understood and used. Designing this right takes time, and this could be why they just don’t add the opt-out immediately in this particular case. One might argue that the features shouldn’t be implemented until the control design is done, but when have you known any commercial company to delay implementing a feature because of security :-).

I hope that, with respect to this feature, that LJ figures out the right way to control the LJ/Facebook interaction. Personally, I don’t believe the answer is an “opt out”. Rather, I think the answer is a posting level between Public and Friends-Only that I’ll call “LJ only”. This posting level would prohibit redistribution off of LJ, via the ShareThis or Facebook Connect features for either the post or comments. It would also treat non-LJ users as anonymous users for the point of view of commenting restrictions (currently, FB and OpenID users—including Dreamwidth users—are viewed as registered users, not-anonymous). LJ-Only posts would otherwise be public—they would be visible to anonymous users as well as FB Connect/OpenID users.

What are your thoughts on this question?

I’ve been reading through the latest news post on Livejournal, and have been getting more and more frustrated by the comments. Even with the Fix-To-Come™, there’s this uproar about public comments still being cross-posted against the journal owner’s wishes, and how LJ is violating a journal owner’s privacy by doing this. One post I read called this something like the worst privacy violation in history.

At Livejournal. At Facebook. At MySpace. Throughout the Internet. The person who is responsible for protecting your privacy is YOU.

First and foremost, don’t talk about something publically that isn’t public information. Don’t believe you’re protected by hiding under a pseudonym; that’s like locking your door and leaving the key under the doormat. It is false protection.

If you don’t want your real world identity connected to an online identity, scrub, scrub, scrub. Ensure your privacy settings are correct. Go to your profile and hide every way someone can connect to you. Screen all comments, and don’t approve those that make any personal references. If a user cross-posts a comment, ban them immediately from your journal. Make that policy clear in your profile and at the bottom of every post.

LJ may provide options, but it is humans that exercise those options. If you are reading the journal of someone that is obviously trying to disconnect from the real world, respect that wish. Don’t rebroadcast the comments you make there.

In traffic safety, they talk about the four “E”s: Engineering, Education, Enforcement, and Emergency Trauma Services. They apply in Computer Security as well. Live them. Understand them. Even if LJ did everything correctly, there would still be privacy risks. Educate yourself about what you are exposing, and what choices you are making. Have policies regarding privacy, and ruthlessly enforce them. Lastly, have a plan in place for what you would do if your idenities got connected, for in this world of data mining and everything being accessible, that possibility always exists. Remember: If your secret—whatever it is—is too sensitive to ever be exposed, then don’t post it on the Internet.

Remember your role in protecting your privacy.

Today’s post by theferrett regarding Dreamwidth and crossposting has prompted me to state my position:

I’m staying on Livejournal.

Yes, I have an account on Dreamwidth; same user name as a matter-of-fact. But the community I interact with tends to be over here on Livejournal; I’ve established my Livejournal identity as the source of my online blog. I see no reason to confuse people. Furthermore, I’m not as bothered by the LJ kerfluffles as most: I figure they will be sorted out over time, and since my posts are 99.9% public anyway, I don’t have the same risk worries. Furthermore, my account it permanent here, and I’m loathe to pay for something and not use it.

You may ask: So why don’t you do like many people have done, and post on Dreamwidth and have it mirror on LJ? The simple reason I that I have LJ set up like I like it; my account on DW is a free one with a style that I don’t like. Going over there is work I don’t need to do.

You may say: But I’m on Dreamwidth because I’m scared of Livejournal, and I can’t read you anymore. To that I say: nonsense. You can always have my RSS or Atom feeds added as syndications on Dreamwidth, or read them in your local RSS reader. My posts are 99.9% public. If I learn that I have a significant group of friends who are ONLY reading Dreamwidth, then I’ll consider copying any friends-locked posts over there. I’ll note that you are free to comment on LJ using your Dreamwidth account as OpenID.

I’ll also note that I intend to propagate public posts I make to Facebook. Not comments. If you are wondering why, the answer is in the paragraph above: I do have a significant group of friends that are ONLY reading Facebook. This allows them to keep up with me and to comment.

So, that’s my position. I’m staying on Livejournal, and I’m hoping that you stay as well. Yes, the LJ staff doesn’t know how to communicate their way out of a paper bag. Still, it has been my blogging home for 6 years now, and I’ve just grown very attached to the people on my friends list here.

I always find it interesting to read comments. They really illustrate the how people think… or don’t. I’m seeing this well illustrated in the uproar over in news about the Facebook Connect feature. People seemed to have turned off their critical thinking abilities—a problem that Steve Allen called dumbth in his book of the same name published in the 1990s. They are all worried that their private identities over on Livejournal will somehow become public and the world will end in some way, shape or form.

Here are my thoughts on the matter:

• First and foremost, the FB Connect option isn’t enabled for checking in posts and comments if you don’t first enable it in your settings box. If you don’t check it there, and don’t provide it with your FB identity, it won’t be posting to Facebook. [Later note: Note, however, the commenters can cross post their comments to FB, if they have FB connect enabled.]
• Locked posts remain that way: locked. The news post indicated that locked posts wouldn’t be cross-posted to Facebook, unless you choose to override that setting: “only your public LiveJournal posts (those marked as “Everyone”) will default to cross-post, but you can override this on a per-post basis beneath the text box” [Later note: An upcoming change will restrict the ability of commenters to propagate comments on locked posts.]
• If something goes over to Facebook, it respects your privacy settings there. That means you can furthur restrict the visibility on that side.
• With respect to posting of comments (something I find odd and funky): if the post is public anyway, who cares?. If it is a f-locked post, the cross-posting needs to be enabled manually… and if a friend did that (because only friends could read that post), I’d pull them off my friends list.
• The whole notion of trying to hide your LJ existance is odd to me. You need to view an online existance as public these days, because someone will find you out. The false illusion of privacy is much more dangerous. [Later note: After having some discussion, I now understand why some folks do it. I still don’t believe it is ultimately effective, but at least I understand the “why”.]
• There seems to be a concern about accidentally checking the cross-posting box. My feeling is that if you do that accidentally, you deserve what you get. You should always review all aspects of your post or comment before you commit to posting it—it should never be automatic.

Now, I’ll admit I’ve never been a fandom type. I’ve never been into slash fiction. I’ve never been into online role-playing. I’ve never had a life I’ve tried to hide. I’m what my profile says I am: a meek-mannered computer scientist with an interest in highways. There could be some concerns I just don’t get. But I certainly don’t see this as the end of the world as some do.