livejournal

19 comments on "TANSTAAFL"

LiveJournal (who host this blog) will no longer let new users sign up for their advertising-free “Basic” account. Instead, new users can get the “Plus” account, which has adverts (if you’re using some quaint non-Firefox browser which still shows you such things), or they can get the “Paid” account, which doesn’t.

The announcement of this changed followed LJ’s standard practices of bungling and evasion when communicating with their customers, which new-ish owners SUP correctly describe as “the values and legacy of LiveJournal”. This has annoyed a few people, but I’m not sure why, because they should be used to it by now.

Anyhoo, livredor and hairyears are hosting some interesting discussions about it, here and here. hairyears makes the point that buying LJ is not just about buying people’s writings, you’re also getting stewardship of a community (or lots of communities) with their own values. My impression is that this applies more to LJ than to “proper” blogging sites, because of LJ’s mix of blogging and what we’d now call social networking. Social networking sites have the feel of places we go with our friends, so it’s not very surprising that we can be vociferous in defending them (LJ isn’t the only one with epic failures of customer relations: Facebook had the Feed and Beacon debacles).

Servers and bandwidth are not free, as GreatestJournal has been finding out (the hard way). But how do you make money out of such a prickly bunch? danahboyd‘s commenters have some good suggestions.

Geeks who still use Usenet (you remember, Usenet) have suggested a peer-to-peer system as a way around all this nonsense (see the comments on both livredor and hairyears‘s postings). This sort of thing is a reflex response from geeks to any outside manipulation of their stuff, until their enthusiasm is curbed by older and wiser geeks. Having been curbed, I realise that you’d need good answers to questions about how you make such a thing work, how you make it usable by non-geeks, and, related to that, how you interest people who don’t think the peer-to-peer part is intrinsically cool. Freenet has been around a long time and hasn’t become popular. BitTorrent has, because it gets people something they want (warez, pr0n, TV programmes, Linux DVDs) in a way which scales better than the centralised alternative.

I think robhu is right to say that the web browser has to remain as the interface (though that in itself makes security interesting), but it’s not clear that HTTP has to be the transport for such a thing. His idea of a federation of LJ-like servers is interesting, but once you centralise, you’re back to the question of how the people running the big servers make any money. There might be a place for the Usenet model, where each ISP runs a server for their users, or perhaps for the MSP model (which Usenet is moving to as its popularity declines), where I pay the people running a good Usenet server a yearly fee to access it.

The networking effects are a killer: you need something special to get off the ground and up to the stage where people are joining because other people are there. That, or you bodge your thing on the side of an existing infrastructure: can we do this using XMPP or Usenet or email, I wonder?

4 comments on "I, for one, welcome our new Russian overlords"

I’d like to remind them that as a trusted radio personality, I can be helpful in rounding up fanficcers to toil in their underground salt mines.

Yes, the Russians bought LiveJournal. Either it’s a plot, which has been planned for over a year by the oligarchs, to destroy the free speech of the large number of Russian LJ users; or perhaps it’s just that Six Apart got fed up of all the complaints.

Theories abound: some people blame the sale plans for recent attempts to clean-up LJ, like the Strikethrough debacle and the recent introduction of the “denounce” button on everyone’s journal. (hairyears has a good posting on the latter, by the way, arguing that it’s an entirely sensible move on LJ’s part to prevent them from being sued by right-wing nutjobs).

Other good sources: Metafilter has some discussion, Encyclopedia Dramatica has some links to the stupidest responses so far, and vladmuthafucka records the thoughts of Putin himself.

I’ll stick around and see what happens, at least. ljdump runs every night here, just in case, but it’s far more likely that I’d use it to recover from some technical failure at LJ than to recover from a censored journal.

0 comments on "Attention stalkers!"

pw201_links is a LiveJournal feed of my bookmarks on del.ico.us. If you want to see stuff I’m looking at but haven’t yet bothered to write a proper post about, you can befriend it (it’s not equivalent to adding pw201 as a friend, it’s a separate thing which I set up but I don’t control directly, see below). It’ll be composed of equal parts religion stuff, technical stuff (security is a special interest at the moment, but that’ll vary with time), and random internet bollocks. There’ll probably a few posts a day at peak times, but usually one per day or less.

Exposition: pw201_links is what LiveJournal calls a syndicated account. There are lots of these on LJ, as paying users can create them from the feeds exported by other websites and then read those feeds on their friends page. I tend to read these feeds in Bloglines and keep my LJ friends list for people and communities who are actually on LJ; if you do that but want to spy on me anyway, add the RSS feed to your feed reader.

You can make comments on the postings on a syndicated account, but I won’t get notifications about them so probably won’t read them, and they’ll be deleted as postings fall off the bottom of the feed.

While we’re on the subject of syndicated accounts: sumanah, I tried to respond to your email the other say and got a bounce with the error code “553 5.3.0 sPoOf”. I’m not sure what that’s about, but it looks like I’m hitting a spam filter of some sort.

15 comments on "Rocks fall. Everyone dies."

In their latest spasm of incompetence in the on-going Strikethrough 2007 drama, LiveJournal’s admins have clarified that they were just kidding about that all that free speech and community stuff for long enough to get the last batch of permanent accounts sold.

Countdown to Harry Potter spoilers being posted in that thread: in 10… 9… 8…

ETA: Rocks Fall, Everyone Dies. Youtube and Google win again. I think I slightly prefer Harry Potter and the Brokeback Goblet, myself. Both spoiler free.

2 comments on "LiveJournal Paedogeddon"

Shock news tonight, as Livejournal administrators delivered a stairwell noncebashing, leaving many fanfic journals braindead and quadraspazzed on a life-glug (script here). LJ’s abuse team don’t seem to have realised that such excesses are unacceptable in the modern police service. There are persistent reports that journals for survivors of rape and incest were also deleted, but I’ve seen no real confirmation of this.

A group of hicks from the USA appear to have provoked this, dealing out street justice in between engaging in car chases with a fat sheriff; driving a car with the doors welded shut, a Confederate flag on the blogrollroof, and a horn that plays Dixieland. Some day the mountain might get ’em, but, alas, it seems the law never will.

This is, perhaps, a timely reminder that sites like LJ are businesses (LJ may have started as a hobbyist site, but has not been one since the 6Apart takeover, at the very latest). They are not your friends. They will defend your free speech exactly as far as it profits them to do so, and they’re certainly not prepared to undertake legal battles on your behalf. bubble_blunder has a realistic assessment of the likely outcomes of this latest LJ drama.

There are tools which will back-up your journals and comments, and you can configure LJ to email you your own comments on other people’s journals. It seems wise to make use of these facilities if you value your journal’s contents at all.

LJ are doing their usual headless-chicken imitation when faced with a crisis. They’ve made no public statement on this business, perhaps hoping that word of it won’t spread outside the Snape/Hermione fan-fiction writers. While I’ve no interest in slash, and I appreciate LJ’s right to avoid legal liability, their handling of their users once again sucks.

Edited to add: The CEO of 6Apart apologised. Best comment thread in the responses.

10 comments on "Mysterious comments explained, and ruminations on spam"

For a while now, I’ve been getting comments on my LiveJournal which apparently aren’t spam, but rather are questions which are totally out of context. For instance, I got one the other day which said “Hi. I find forum about work and travel. Where can I to see it?”

I recently got some more comment spam advertising something called XRumer, a clever and nasty program for spamming bulletin boards and other forums (like LJ), which is brought to us by some evil Russians (“No Meester Bond, I expect you to die”). One of the things the authors claim it can do is a crude form of astroturfing. They say you can configure it to post a comment asking about something, and response apparently from another user mentioning the site you actually want to advertise. It looks like this feature doesn’t quite work, and that the questions I’ve been seeing are examples of it misfiring. Mystery solved.

The spammers seem to favour certain entries of mine, so I’m screening anonymous comments on those entries (and on this one too, since I imagine it might attract undesirables). I don’t want to do that for my entire journal, as I get comments from people who aren’t on LJ but who say worthwhile things. In an ideal world, the way round this would be OpenID, but that’s not in widespread use yet, possibly because people who have an OpenID often don’t know they do. [Attention LJ users: you have an OpenID. Congrats. You’ve got a Jabber instant messaging account, too. See how good bradfitz is to you?]

A system which allows easy communication between two people who have no previous connection to each other is susceptible to spam. The trick is to keep this desirable feature while not being buried in junk (you could go the other way and remove this feature, of course, as many some IM users have, or make a virtue of it with social networking sites, but that’s not really an option for public blogs). Anything an ordinary user might to do create an identity, a spammer can do too, so cryptographic certificates aren’t a magical solution. Legislation doesn’t help, because the police don’t care and anyhow, spammers are in Wild West states like China or Russia, or at least run front operations there.

Most spam is still sent via email. Email spammers have been subject to an evolutionary arms race. The remaining effective spammers are bright and totally amoral. They’ll hijack millions of other people’s computers to send their spam or even to host the website they’re advertising, making it hard for blacklists to keep up (and they’ll use these computers to flood centralised blacklist sites with traffic in an attempt to knock them off the net). They’ll vary the text they use, to defeat schemes which detect the same posting lots of times. They’ll use images rather than text, or simply links to those images, to defeat textual analysis. You can bet that blog spammers will learn from this (some of them are probably email spammers too).

What’s working for email spam, and will similar ideas work for blog spam?

  • Banning mail sent directly from consumer ISP connections is the single most effective thing I do (you can do this with the Spamhaus PBL and with a few checks for generic rDNS to catch what the PBL misses). You can’t do that with blog comments, as spam or not, they almost all come from consumer ISP connections.

  • Banning mail sent from IPs which are known sources of spam is also effective. You can do that with blog comments, but you either need to be big enough to generate your own list (as LJ might be) or have the resources to run a centralised list like Spamhaus (which will be attacked by spammers). There are currently no IP blacklists devoted to blog spamming, as far as I know, although some spam comments I’ve seen came from IPs which were in the Spamhaus XBL.

  • Filtering on ways in which spamming programs differ from legitimate SMTP clients (greylisting, greet pause) is currently effective, but only as long as these methods don’t become so widespread that it’s worth the spammers’ while to look more like a legitimate sender. Still, this doesn’t seem that likely. Incompetent admins aren’t in short supply, and I don’t have to outrun the bear, only outrun them. This sounds promising against blog spammers. Apparently simple minded schemes are pretty effective.


What else can we do with a website that we can’t do on email?

  • CAPTCHAs are popular, but a bit of a bugger if you’re blind. The evil Russians claim to have defeated most of the deployed ones which use obscured letters, though that still leaves the “click on the picture of a cat” variant.

  • Proof-of-work or hashcash schemes are currently very effective, suggesting that blog spammers don’t yet have the huge amounts of stolen computing resources available to email spammers, or that they don’t have the knowledge to implement the hashcash algorithm in their spamming software. By using proof-of-work, we can at least drive the weak blog spammers to the wall.

    You can think of proof-of-work as a variant on the tactic of differentiating spam programs from real humans. Spammers can defeat simple-minded checks on how long a user has been reading a page before commenting without slowing their spamming rate up by much (how to do this is left as an exercise to the prospective spammer), but if a web browser has to do a computation which takes a fixed time and send the result along with the comment, the spammers have to slow down or do the work in parallel on many computers. If you can work out a way of doing the calculation in the background as the user looks at your page and writes their comment, so much the better. If you can dynamically generate the code you send to the browser to make it prove it’s done some work, you stop the spammers writing something equivalent in a real programming language and force them to run it in Java or Javascript. That’d really show them who’s boss.

    This hurts people who’ve turned off Javascript or Java, but it’s time for those dinosaurs to join the web 2.0 world, right?
4 comments on "April Fools Roundup"

I guess most people on LiveJournal saw their proposal to turn LJ into MySpace (lj_dirtycache is particularly good fun for anyone who’s ever looked at bands’ sites on MySpace). What’s funny about LJ’s effort is that LJ clearly understand what is going to provoke their users to apoplectic rage until they realise they’ve been had. By comparison, Facebook was a bit lame, merely offering to send someone round to physically poke the people you “poked” on Facebook. They should have announced some variant on the Facebook feed to get all the “OMG UR HELPING STALKERS” people up in arms again.

Google announced TISP, their IP-round-the-U-bend service, as well as Gmail Paper, for those who prefer their email on paper. Slashdot had a collection of unconvincing stories. Poor show.

Disappointingly, the IETF don’t seem to have done anything very exciting lately, at least nothing to match the seminal Standard for the transmission of IP datagrams on Avian Carriers.

Finally, robhu announced he’d reconverted to Christianity. It initially seemed he’d converted to a fluffy sort of Christianity in which God is a metaphor for the good which, in a very real sense, is in us all. However, in the discussion thread which followed, it soon became clear he’d reverted to his old evangelical habits, informing me that I was blinded by the devil and was “just as much of a fundamentalist as Richard Hawkings“. His later post contains the de-brief, in which it is revealed that I was in on it from shortly after he’d posted the entry. robhu used some excellent observational humour to convincingly impersonate evangelical responses to my ultra-atheist straight man.

In summary, burr86 and robhu jointly win the Internet. Tonight, we dine in Hell.

0 comments on "LJ New Comments updated again"

I’ve just updated LJ New Comments, fixing a bug pointed out by legolas and adding some code to make it try harder to draw a box around the currently selected comment (turns out I’d had the latter sitting around in my CVS repository without letting the public benefit).

While we’re on the subject of Greasemonkey, InYOFaceBook is an amusing hack to show full size profile images when you mouse over a small one, even for people who’ve been boring enough to hide their full profile. Hurrah for Stalkerbook!

2 comments on "Somebody’s watching me"

LiveJournal have improved the site’s email notification stuff, so that you can register an interest in any thread or posting and get email (or just a message to your message centre) when someone posts a comment on it. You can also register an interest in a particular user’s postings, and in various other stuff. Currently this is only available to paid and permanent account holders, but I think LJ are rolling out something a bit less good to everyone else soon (looks like free users will be restricted in how many things they can subscribe to).

This system has been carefully designed to only tell you about stuff that you can see anyway. They’ve also thought about the situation where you forget to select the right option and make a public post something which you meant to be locked: the notification email doesn’t contain the text of the entry, so you’ve got some grace about locking it. The new system is a very nice feature, something that makes LJ a much more useful place to have a discussion, since you can now easily monitor interesting posts once they’ve disappeared off your friends page. I’d thought about building something like this into LJ New Comments, but now I don’t have to. So that’s good.

Despite this, there are countless whinging lamers posting to the announcement saying that this feature is going to aid internet stalking (because an internet stalker isn’t obsessive enough to keep hitting refresh on a thread, or to use a free service or browser extension which will tell you when a web page changes). People who believe in security through obscurity are silly. You always assume that the bad guys are as clever as you are (or cleverer, in the case of the complainers).

LJ are also talking about extending the notification system so that soon you’ll have the option getting notifications using LJ Talk, LiveJournal’s instant messaging service. If you didn’t know LJ had an IM service, now you do. It’ll talk to any program which uses the standard Jabber protocol. I’m using Adium, Windows users might like Gaim (both of these support other protocols like MSN Messenger and AIM, so you don’t need to keep multiple IM programs running). By default, your buddies on the chat service are your LJ friends. Say hello if you see me on there.