applecameron: Marvel Girl "Fear Me" LJ icon (cortese-supervillian)
Hello...what's this? A tool for figuring out livejournal usernames from ip addresses on comments?

How very intriguing. And, what does it have to do with Frienditto, which lets you archive other people's posts, friendslocked or otherwise?

What an interesting combination, they seem almost to...to strike at the anonymous heart of LJ.

Note, also, the meta keywords for both frienditto and narcopolo pages include:

Frienditto:
<meta name="description" content="Frienditto. The ultimate archiving site on the internet.">
<meta name="keywords" content="narcopolo, frienditto, ljdrama, livjournal, livejournal usernames, lj usernames, craigslist archives, archives, ip address, lj username database, livejournal database">
<meta name="Robots" content="index,follow">
<meta name="GooglePray" content="Google, please rate me high by keyword livejournal">


Narcopolo:
<meta name="description" content="Narcopolo. The ultimate database containing livejournal usernames and the ip addresses that they post from".>
<meta name="keywords" content="narcopolo, frienditto, ljdrama, livjournal, livejournal usernames, lj usernames, ip address, lj username database, livejournal database">
<meta name="Robots" content="index,follow">
<meta name="GooglePray" content="Google, please rate me high by keyword livejournal">


LJ Drama.

Hm.

I disagree with the description "the ultimate archiving site on the internet", as the ultimate archiving site on the internet would make it easy for me to archive my stuff and retrieve it, which Frienditto does not. It makes it easy to archive other people's stuff, but even then, after a few entries, you can't find it again unless you bookmark the URL. What's the use of that? (Well, it's useful for posting on ljdrama and the like, but not really for someone trying to archive their own site, is it?)

(Learn about Frienditto.)
applecameron: Marvel Girl "Fear Me" LJ icon (cortese-supervillian)
Thanks, Elke, I hadn't checked in a couple of days.

And look at their CYA legal policy regarding copyright!

The Service does not make any claim to copyright for any of the user entries submitted and will remove any content with a proper request from the copyright owner. All entries maintain the copyright of the respective owners. Users of the Service agree that at the time of submission they have proper permissions from the copyright owner. Frienditto does maintain copyright to all pages that it creates or generates, exclusive of the archived entry content.

My favorite is still Section 10, which says if you correspond with them at all, they'll publish everything you say.

Should you choose to present your e-mail address, physical home address, telephone number, full name or other personally identifying information to frienditto by any means whatsoever, we reserve the right to publish said personal information in whole or in part. Should you choose to contact any member of frienditto.com by any communication means, frienditto reserves the right to publish the conversation, in whole or in part, as seen fit to do so. Any and all e-mails may also be published in whole or in part. By communicating with frienditto.com staff, you consent to said publication and acknowledge you have no expectation of privacy whatsoever under federal or state law for materials discussed and/or submitted. Legally privileged materials and communication, and/or communication concerning an active ongoing law enforcement investigation will be kept confidential as required by law.

Now, what *I* think Frienditto should do, if they're serious about respecting other people's copyrights, which I don't think they are, but admittedly, that's just my opinion, is build a registry of no-archive/copyright-permission-denied LJ usernames. Anyone tries to archive a page from that user's account, the software refuses.

(Learn about Frienditto)
applecameron: Marvel Girl "Fear Me" LJ icon (marvelgirl-jean16-fear)
(Learn about Frienditto)

(ETA: look, a frienditto-monitoring community! [livejournal.com profile] ditto_cops.)

Whatever this is, they took down all access to it in a hurry.

http://www.frienditto.com/members.php - for Frienditto 'members', which has no mention anywhere now, and, as you see, is 404'd.

I'm looking at a saved HTML page of one of their submission forms, and it's got:

cut )

So, yesterday, there was such a thing as a Frienditto 'member'.
applecameron: Marvel Girl "Fear Me" LJ icon (marvelgirl-jean16-fear)
(Learn about Frienditto)

I tried using Frienditto's built-in search tool to find the friendslocked post(s) I added from my test LJ this evening. Any convenient way of looking for all of your posts that have been archived at Frienditto would be very helpful to those interested in having Frienditto remove material that was archived without their permission.

One: A search by username of the poster would be a very good idea, whether it checks for author's username or greps against the URL that the archiver feeds Frienditto when they submit your post to be archived. It does not seem to be available.

Right now, Frienditto's search checks only the Title and Description (entered by the archivist, not you) of an archived post, but not the URL itself.

Two: Use LiveJournal's built-in search on the Frienditto livejournal to search for your LJ username, to see if it's listed in any of the "this post has been archived on Frienditto" notices. That search, however, is actually an outside service provided by feedster.com, and it searches the RSS feed of your journal, if there is one, not your journal itself.

ETA: Interesting. Four hours ago or less, when I first was browsing the FAQ and submit page and whatnot, there was a link to create a Frienditto account (for $1 or something). That was for the private archive UI I mentioned in my initial post. I can't find it now.

ETA later: Edited in section Two to note that feedster searches RSS feeds.
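The registry of no-archive usernames proposed in the earlier entry and the search by poster's username asked for here both depend on pulling the journal name out of the submitted URL. The sketch below is an added example, not Frienditto's code: the `Archive` class, the URL shapes other than `/users/NAME/`, and the hyphen-to-underscore mapping for subdomains are assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shapes assumed for journal URLs; only /users/NAME/ appears on this page.
PATH_RE = re.compile(r"^/(?:(?:users|community)/|~)(?P<name>[A-Za-z0-9_]+)(?:/|$)")
SUFFIX = ".livejournal.com"

def lj_username(url):
    """Return the normalized journal name a URL points at, or None."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if host in ("livejournal.com", "www.livejournal.com"):
        m = PATH_RE.match(parts.path)
        return m.group("name").lower() if m else None
    if host.endswith(SUFFIX):
        label = host[: -len(SUFFIX)]
        # Assumed: hyphens in a subdomain stand for underscores in the name.
        if re.fullmatch(r"[a-z0-9-]+", label):
            return label.replace("-", "_")
    return None

class Archive:
    """Hypothetical archive front end with an opt-out registry."""

    def __init__(self, no_archive):
        self.no_archive = {n.lower() for n in no_archive}
        self.by_author = {}  # journal name -> archived URLs

    def submit(self, url):
        name = lj_username(url)
        if name is None:
            # Fail closed: an unparseable URL must not slip past the registry.
            return "rejected: not a recognizable journal URL"
        if name in self.no_archive:
            return "refused: owner opted out"
        self.by_author.setdefault(name, []).append(url)
        return "archived"

    def search_by_author(self, name):
        """Everything archived from one journal, keyed on the URL's owner."""
        return list(self.by_author.get(name.lower(), []))
```

Because the lookup key is derived from the URL rather than from the archivist's title or description, the same index answers both "may this be archived?" and "what of mine is in there?".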
applecameron: Marvel Girl "Fear Me" LJ icon (marvelgirl-jean16-fear)
(Learn about Frienditto)

According to Frienditto's Legal Policy, if you ask them to take something out of the archive, they will. (http://www.frienditto.com/legal.php)

6. Copyright infringement
The Service does not make any claim to copyright for any of the user entries submitted and will immediately remove any content with a proper request from the copyright owner. Users of the Service agree that at the time of submission they have proper permissions from the copyright owner. Frienditto does maintain copyright to all pages that it creates or generates, exclusive of the archived entry content.


Being the nitpicky kind of gal that I am, I wonder if they have a definition for "proper request from the copyright owner".
applecameron: Marvel Girl "Fear Me" LJ icon (marvelgirl-jean16-fear)
(Learn about Frienditto)


In the previous entry, I started to test the friendslocked post archiving:

Three, and this is the big one that is concerning to so many: the archiving by a friend (or someone with their username and password) of friendslocked posts *you* make. There appears to be functionality for a LiveJournal user to archive an entry posted by an LJ-friend, and whether that friendslocked post is archived publicly or privately is not clear, but I'm betting (based, again, mostly on the FAQ) both.

OK, I've successfully handed over a username and password to one test LJ in order to post a friendslocked entry from the *other* test LJ. Saw the new (friendslocked) post show up immediately on the frienditto livejournal and on frienditto.com itself.

Completely public access to that post. At no point in time did I log in to any kind of account on Frienditto to do this, that might limit the access of others to the post in question.

I'm going to come back in a minute and see how to create a Frienditto account without handing over any personally identifying info or $$ (if possible), with its private archiving, but that's of far less import than the purely-public-access side of this system.
applecameron: Marvel Girl "Fear Me" LJ icon (marvelgirl-jean16-fear)
(Learn about Frienditto)

And, yes, there seems to be a strong connection between this "ljdrama.org" thing and frienditto, whether the latter was created for the specific purpose of serving the former or not. Just go to ljdrama, half the links are to frienditto posts.

It looks like:

One, anyone can publicly archive a public entry appearing on a LiveJournal at any time without logging into frienditto or having an account with them or doing anything that touches on any kind of passwording at all, including LJ ones (which means, no friends-locked posts). Go to the front page of frienditto.com, and you'll see NOTHING asking for LJ usernames or passwords. (Whoever did the archiving of a given post remains anonymous as well.) I just tested this functionality myself with a "test" LJ.

This behavior does not seem much different from bookmarking a page on your web browser or putting something into a LiveJournal 'memories' category. Although there is the archiving without permission issue, which contrary to the FAQ *is* a copyright problem, but that is not the subject of this post.

Two, frienditto users can sign up for a frienditto account and view "their" archive, at which point the *archiving on frienditto* of a given post potentially ceases to be anonymous, but also potentially ceases to be public. The frienditto user logs on and can see the LiveJournal posts they chose to archive, but it looks like (from the FAQ) that they can choose to have their archive be public or private.

Naturally, there's room for abuse here as the frienditto user may not keep their username and password private, so their archive becomes known to more than one frienditto user. This is also true, for example, of anyone who shares an email account with their spouse and is on a mailing list: more than just one reader may have access to that list's mail because more than one person has access to the email account subscribing to that list. Similarly for anyone who shares their LiveJournal username and password with others.

Three, and this is the big one that is concerning to so many: the archiving by a friend (or someone with their username and password) of friendslocked posts *you* make. There appears to be functionality for a LiveJournal user to archive an entry posted by an LJ-friend, and whether that friendslocked post is archived publicly or privately is not clear, but I'm betting (based, again, mostly on the FAQ) both.

[...]

I was just about to test this functionality with my two "test" LJs, to see whether or not friendslocked posts only go into private archives or are available both publicly and privately, when I started getting 403 errors over at frienditto up the yin yang.

Frienditto is down for the next two hours. In the interim, if you are genuinely concerned about whether your LJ friends may betray your friendslocked posts into this archive, I suggest you go through your friendslist with some care and thought.

Four, http://www.livejournal.com/users/frienditto/ does appear to be all new posts archived to frienditto. I see my test post on it. It's not an RSS feed but a regular journal; probably FD is automatically logging on and posting to LJ as a user in much the same way it can log in and pull from LJ as a user.

Five, per the FAQ, they don't archive the LJ usernames and passwords provided. The thing is, it's really easy to have that info hanging around in an Apache error log or something, used for debugging or whatnot, and a) neglect to delete it out of inattentiveness; or, b) deliberately hang on to that info and do something with it. And, item #4 above demonstrates the existence of a script on frienditto.com capable of logging in and posting as a LiveJournal user. Do you see the implications if someone decides to abuse this capacity? Whoever typed in their LJ username and password has just been hacked. Worse, they did it to themselves. (Now, this is dependent on someone deciding to store this LJ username and password information when it's provided - as I said, just because it's not getting stored in the database doesn't mean it's not getting dumped in an httpd.log somewhere.)

From a security perspective, the mistake people make here is in giving their LJ username and password to another person or system. This is a big honking no-no.

Six, my gut says this is an instance of the livejournal code running with modifications, or some portion of the codebase in use.

******

LJ Public Service Announcement at http://www.livejournal.com/users/rahalia_cat/805121.html and http://www.livejournal.com/users/allyoops/332260.html, and variations on the theme at http://www.livejournal.com/users/lori/430544.html and http://www.livejournal.com/users/elke_tanzer/587891.html. Let me reiterate what Elke says: don't give out your username and password to one system to someone running another. That's pretty much the diametric opposite of computer security, and it can have nasty consequences.
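How a password ends up in a web server log without anyone choosing to store it, shown as an added example rather than anything taken from Frienditto: an audit pass over access-log lines that finds and redacts credential parameters. The log lines, the `/submit.php` path, the `archive.example` host and the parameter names are constructed assumptions, and it assumes the credentials travelled in a query string.

```python
import re
from urllib.parse import unquote_plus

# Parameter names treated as secrets (assumed; match them to your own forms).
SECRET_PARAMS = {"password", "passwd", "pass", "pwd"}
# Any query string in the line: the request target or the Referer field.
QUERY_RE = re.compile(r'(?<=\?)[^\s"#]+')

# Constructed sample lines in Apache combined format (not from any real log).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2005:21:14:02 +0000] "GET /submit.php?user=test_lj'
    '&password=hunter2&url=http%3A%2F%2Fwww.livejournal.com%2Fusers%2Ftest_lj%2F'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2005:21:15:40 +0000] "POST /submit.php HTTP/1.1"'
    ' 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2005:21:16:03 +0000] "GET /style.css HTTP/1.1" 200 90'
    ' "http://archive.example/submit.php?user=other_lj&Pass%77ord=s3cret"'
    ' "Mozilla/5.0"',
]

def scrub_query(query):
    """Return (query with secret values redacted, secret names found)."""
    kept, hits = [], []
    for pair in query.split("&"):
        name, sep, _value = pair.partition("=")
        decoded = unquote_plus(name).lower()  # catches Pass%77ord and PASSWORD
        if sep and decoded in SECRET_PARAMS:
            hits.append(decoded)
            kept.append(name + "=[REDACTED]")
        else:
            kept.append(pair)
    return "&".join(kept), hits

def scrub_line(line):
    """Redact every query string in one log line; report what was found."""
    found = []
    def repl(match):
        scrubbed, hits = scrub_query(match.group(0))
        found.extend(hits)
        return scrubbed
    return QUERY_RE.sub(repl, line), found

def audit(lines):
    """Return (line_number, secret_names, scrubbed_line) for leaking lines."""
    report = []
    for number, line in enumerate(lines, 1):
        scrubbed, hits = scrub_line(line)
        if hits:
            report.append((number, hits, scrubbed))
    return report
```

The third sample line shows the quieter path: the secret arrives in the Referer of a later request, so it is logged even though that request has nothing to do with the form.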

Page generated Sep. 26th, 2017 12:45 pm