So, I went to this frienditto thing
Mar. 4th, 2005 06:41 pm (Learn about Frienditto)
And, yes, there seems to be a strong connection between this "ljdrama.org" thing and frienditto, whether the latter was created for the specific purpose of serving the former or not. Just go to ljdrama, half the links are to frienditto posts.
It looks like:
One, anyone can publicly archive a public entry appearing on a LiveJournal at any time without logging into frienditto or having an account with them or doing anything that touches on any kind of passwording at all, including LJ ones (which means, no friends-locked posts). Go to the front page of frienditto.com, and you'll see NOTHING asking for LJ usernames or passwords. (Whoever did the archiving of a given post remains anonymous as well.) I just tested this functionality myself with a "test" LJ.
This behavior does not seem much different from bookmarking a page on your web browser or putting something into a LiveJournal 'memories' category. There is also the archiving-without-permission issue, which, contrary to the FAQ, *is* a copyright problem, but that is not the subject of this post.
Two, frienditto users can sign up for a frienditto account and view "their" archive, at which point the *archiving on frienditto* of a given post potentially ceases to be anonymous, but also potentially ceases to be public. The frienditto user logs on and can see the LiveJournal posts they chose to archive, but it looks like (from the FAQ) that they can choose to have their archive be public or private.
Naturally, there's room for abuse here as the frienditto user may not keep their username and password private, so their archive becomes known to more than one frienditto user. This is also true, for example, of anyone who shares an email account with their spouse and is on a mailing list: more than just one reader may have access to that list's mail because more than one person has access to the email account subscribing to that list. Similarly for anyone who shares their LiveJournal username and password with others.
Three, and this is the big one that is concerning to so many: the archiving by a friend (or someone with their username and password) of friendslocked posts *you* make. There appears to be functionality for a LiveJournal user to archive an entry posted by an LJ-friend, and whether that friendslocked post is archived publicly or privately is not clear, but I'm betting (based, again, mostly on the FAQ) both.
[...]
I was just about to test this functionality with my two "test" LJs, to see whether or not friendslocked posts only go into private archives or are available both publicly and privately, when I started getting 403 errors over at frienditto up the yin yang.
Frienditto is down for the next two hours. In the interim, if you are genuinely concerned about whether your LJ friends may betray your friendslocked posts into this archive, I suggest you go through your friendslist with some care and thought.
Four, http://www.livejournal.com/users/frienditto/ does appear to be all new posts archived to frienditto. I see my test post on it. It's not an RSS feed but a regular journal, probably FD is automatically logging on and posting to LJ as a user in much the same way it can log in and pull from LJ as a user.
Five, per the FAQ, they don't archive the LJ usernames and passwords provided. The thing is, it's really easy to have that info hanging around in an Apache error log or something, used for debugging or whatnot, and a) neglect to delete it out of inattentiveness; or, b) deliberately hang on to that info and do something with it. And, item #4 above demonstrates the existence of a script on frienditto.com capable of logging in and posting as a LiveJournal user. Do you see the implications if someone decides to abuse this capacity? Whoever typed in their LJ username and password has just been hacked. Worse, they did it to themselves. (Now, this is dependent on someone deciding to store this LJ username and password information when it's provided - as I said, even though it's not getting stored in the database doesn't mean it's not getting dumped in an httpd.log somewhere.)
From a security perspective, the mistake people make here is in giving their LJ username and password to another person or system. This is a big honking no-no.
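To make the "it's in the httpd log even if it's not in the database" point concrete, here is a small added example (mine, not anything from frienditto or the LJ codebase). The log lines are constructed in Apache combined format to model what happens when a form that carries an LJ username and password is submitted via GET: the whole query string lands in the access log. The parameter names (ljuser, ljpass) and the script path are made up for the illustration. One function scans a log for leaked credential parameters, one redacts them in place, and one scrubs a request-parameter dict before it gets dumped to a debug log in the first place, which is the step that prevents the leak.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not real log data).
# Line 1 models a credential-bearing form submitted via GET: the access log
# records the full query string, password included, whether or not the
# application ever writes it to a database. Line 3 is a POST: the body is not
# in the access log, but a debug dump of the form parameters would leak the
# same values into an error log.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2005:18:41:02 -0500] "GET /archive.cgi?ljuser=testuser&ljpass=s3cret&entry=123 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Mar/2005:18:41:09 -0500] "GET /users/testuser/?entry=123 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Mar/2005:18:42:15 -0500] "POST /archive.cgi HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

# Parameter names that must never reach a log file in the clear. "ljpass" is
# an assumed name for this example; extend the set to match your own forms.
SECRET_PARAMS = {"password", "passwd", "pass", "ljpass", "pwd", "secret", "token"}

# Matches the quoted request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def find_leaked_credentials(log_text):
    """Return (line_number, parameter_name) pairs for every secret parameter
    that appears in a request line's query string."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name in parse_qs(query, keep_blank_values=True):
            if name.lower() in SECRET_PARAMS:
                hits.append((lineno, name))
    return hits


def redact_line(line):
    """Replace the value of any secret query parameter with [REDACTED],
    leaving the rest of the log line and the other parameters intact."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    if not parts.query:
        return line
    new_pairs = []
    for pair in parts.query.split("&"):
        name = pair.partition("=")[0]
        new_pairs.append(f"{name}=[REDACTED]" if name.lower() in SECRET_PARAMS else pair)
    new_target = parts._replace(query="&".join(new_pairs)).geturl()
    return line[:m.start("target")] + new_target + line[m.end("target"):]


def scrub_for_logging(params):
    """Return a copy of a request-parameter dict that is safe to write to a
    debug or error log: secret values are replaced, everything else is kept."""
    return {
        name: ("[REDACTED]" if name.lower() in SECRET_PARAMS else value)
        for name, value in params.items()
    }


if __name__ == "__main__":
    for lineno, name in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {lineno}: credential parameter '{name}' logged in the clear")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
    print(scrub_for_logging({"ljuser": "testuser", "ljpass": "s3cret"}))
```

The scan is the after-the-fact check an operator would run over existing logs; the scrub is the fix that belongs in the application, applied to every parameter dict before it is handed to a logger, so that a password submitted to a site never has to be "deleted from the log" because it never got there.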
Six, my gut says this is an instance of the livejournal code running with modifications, or some portion of the codebase in use.
******
LJ Public Service Announcement at http://www.livejournal.com/users/rahalia_cat/805121.html and http://www.livejournal.com/users/allyoops/332260.html, and variations on the theme at http://www.livejournal.com/users/lori/430544.html and http://www.livejournal.com/users/elke_tanzer/587891.html. Let me reiterate what Elke says: don't give out your username and password to one system to someone running another. That's pretty much the diametric opposite of computer security, and it can have nasty consequences.