Unpopular Fannish Opinion: LJLogin

[azurelunatic]

LJ just had a release, and somewhere in the stuff that went on, some changes were made to LJ's login cookie such that LJLogin, the amazingly popular tool for, well, logging you in to LJ, broke.

(For those who are saying "Hey wait, why not log in using username and password like the rest of us?", you are probably not the target audience for LJLogin. The target audience is from what I gather mainly roleplayers, who can easily have dozens of accounts, any five or ten of which may be interacting with each other in comments, choosing a different icon for each comment, in near-real-time-IM speed. It's amazing what people can use LJ to do. The people who use LJ for this often have not just one but multiple paid accounts, because number of icons is very relevant to roleplayers.)

Deep in the comments of the most recent lj_releases entry, markf explained: "This is actually unrelated to the release, but we did make a minor change today in the way we handle cookies which has affected this plugin, and it will require the developer of the plugin to make some changes to it before it will work again. The changes made will make life significantly more difficult for automated spammers, and is something we intend to leave in place."

That, there, full stop, is why I am not going to start yelling about this. LJ has a spam problem. LJ has a major spam problem and I am pathetically grateful every time I see a report that there are changes that look to be effective in the fight. One of the major reasons I now prefer comments on Dreamwidth, and lock many entries on LiveJournal that are public elsewhere, is because of the spammers hiding in the cushions at LJ. Even knowing that this may cost LJ paying members, if this will address some of the spamming, I cannot fault them for rolling it out as fast as they could. (I do not know any of the other considerations, but faster is better when it comes to dealing with spammers.)

There is a completely hypothetical requirements-gathering session for an LJ-side login switcher. (I already checked and the previous (2010 and 2007) suggestions discussions on the topic were not helpful enough to be worth the trouble of linking there in my opinion.)

The LJLogin (Firefox) dev, slarti sounds plenty mad on the grounds that it sounds like LJ knew this would break LJLogin before it was rolled out but did not give notice, did not include the change in a numbered release so there was no mention in the release notes, made the change at the same time as a numbered release which made it less obvious to the external observer what was going on, and has not made the actual nature of the changes easy to track down. The dev of LJ Juggler (Chrome) also joins the thread.

I am sure it could have been handled more gracefully, but I'm still willing to extend LJ the benefit of the doubt and hope that the next time something comes up that will affect legitimate users using mostly a single third-party tool, that they take the time to notify the maintainer of that tool as a courtesy. (It is much easier for me to feel this placid generosity of spirit now that, in the words of james_nicoll "I do not personally have a squid in this fight".)

I hope things improve for everyone, except for the spammers. Those can go crawl off a cliff or something. I don't like spam.

Comments

[siliconshaman]

it also kinda broke LastPass... I say kinda, because if you hit refresh page after autologin it works...darned if I know why.

[azurelunatic]

oh man, I wonder how the scrapbook login issue is going to work with this.

[fiddlingfrog.livejournal.com]

I don't think that's going to be a problem for much longer.

[cleverthylacine]

The reason I am white-hot furious is that every time anyone with a problem who is using LJLogin reports it, if the bug goes away without LJLogin, they tell you "Stop using LJLogin," rather than displaying any sign of caring about the bug, at least in my experience and that of other roleplayers I know. So far as I can tell most of LJ staff consider LJLogin to be an extreme annoyance and wish it would go the fuck away despite the fact that roleplayers are an important source of revenue.

I got flamed for saying this in Fandom Wank a few years ago, but now I see lots of other people saying this: I at one time had over a hundred LJ accounts that were managed through my game, and no less than 30-50 of my own accounts at any given time. I gave LJ upwards of $300 a year for a while--I had no less than 12 paid RP accounts plus my own paid account and my own paid fic account, so that was $350 a year. On top of that, I would often give people in the RP I ran a month or two of paid time because I would log into the RP and discover that the graphics were broken because someone had lazily loaded their graphics in their RP account's Scrapbook rather than their own and then forgot to keep it paid--SOP in those cases was to give a month or 2 of paid time and send a stern email to the journal owner that if they did not intend or could not afford to keep the journal paid at all times no matter what, they needed to move their journal graphics--or, in several cases, graphics that were part of posts and which the post made no sense without--to the RP group photobucket or their own LJ Scrapbook or basically any place they knew they could keep paid or wouldn't have to keep paid.

(I know you know all this--this is for the benefit of people reading our exchange.)

I now have NO paid accounts on LJ and the fact that they (particularly one individual, LOL) seemed to regard RPers and their needs as an annoyance was a large part of why, although Strikethrough and the demise of Basic Accounts were the things that made us move to IJ; if we had to have fucking ads, we were gonna get more than 15 icons out of it.

The more and more of the old crowd goes away, the more and more hostile they seem to be. I have a hard time believing that they didn't DELIBERATELY decide not to tell Slarti and the Juggler dev, based on the reactions I've personally encountered and that have been reported to me by other RP people I generally regard as not likely to be lying liars.

Ironically I feel all the more free to be furious because I'm not RPing there any more--I have no fear that anything I say will bring the wrath of SUP down on my stuff. I'm only being THIS polite because a) we still have friends there and b) when I get my job hunt going again, not sure I want potential employers to see me excoriating LJ at the level I really deeply down want to do.

[foxfirefey]

Huh. Apparently people in that post are now complaining about weird privacy glitches popping up where they end up logged in on other people's accounts on certain pages.

[azurelunatic]

Oh ugh. :(

[azurelunatic]

... wait, other accounts that they own, or accounts belonging to complete strangers?

[bookofjude]

I had this happen to me years and years and years ago. But that was during the time when you actually had to create a new account for a journal in order to convert it to a community, and you could log into them once you were done. I never actually managed to work out if I could use that mechanism to read locked posts of community members... The support team seemed to indicate this would not happen, but I'm not entirely sure why!

[musyc]

I figured as soon as mine stopped working that it had something to do with LJ's code push. In the vernacular of the kids today, I ain't even mad 'bout that. Slarti's always been good about making fixes as soon as he can, so I knew he'd be on it.

What irritates and continually frustrates me is their lack of communication - and in this case, a deliberate lack. This isn't a situation where they made a change they didn't know would break something. They knew it would break, and the only comment they bother to make is tucked away on a late page and hidden in a thread. I understand, maybe, not making an announcement so as not to alert the spammers ahead of time, and I can possibly understand not saying "here's the exact changes we made" for the same reason.

It's not LJ's responsibility to alert every third party developer when they update code that might break something, but an email or some sort of contact to the developers of a major and heavily-used utility shouldn't have been that hard when it was a planned and deliberate break. It really does feel as though they just hoped no one would notice, which is a consistent problem with them and has been for years. Let's hope no one notices we're redirecting URLs, let's hope no one notices this security breach. I'm just surprised they didn't do this on a Friday so that they could run away for the weekend. (I also have issues with markf's stunning inability to perform any sort of customer service, so it appalls me that they continue to allow him to speak in a green-user official capacity, but that's a separate component of my frustration.)

ETA: Plus, whatever they did has prevented me from staying logged-in even with a hardlogin for more than ten minutes at a time SINCE.

[wibbble]

Major and heavily used by what percentage of their actual paying userbase?

It's really easy to over-estimate how widely-known or important something is when everyone in your social circle knows about it or uses it. Only the people behind the curtain can really look at LJ's entire paying userbase and decide if it's worth the engineering time to care about one thing or another.

Of course, not everyone actually weighs up business decisions like that, but since working with start-up companies I've gained a lot more respect for the need to be that pragmatic and numbers-driven than when I first started using LJ (over 11 years ago!).

As an aside, I've never heard of LJLogin before, so it's certainly not ubiquitous.

[jamoche]

This.

The problem isn't that LJLogin is broken, the problem is that the LJ release process is broken. $Big_OS_Developer just sent my company a heads up that an upcoming OS update has a change that was going to break us, so we get to fix things before either of us ship. This is how the pros do it.

[azurelunatic]

Even if they hadn't personally reached out to the devs, and if notice beforehand weren't an option (I don't know quite what the specific spam problem it was put in place to solve was), then an after-the-fact heads-up in lj_dev would have probably been the way to go, because that's where the devs for stuff working with LJ are supposed to hang out.

[senmut]

The only thing I despise in the roll-out was the lack of warning to the devs of those tools, or its users. BUT, arguing the other side, if warning was given, would somehow the spammers have been able to make use of the warning to prep some new way of cracking log-in?

[jamoche]

They'll probably have worked that out before the tools developers have finished their update.

[cleverthylacine]

Not hardly. LJ knows who these people are--unless the spammers are reading LJ private messages or emails, how would they know?

[bookofjude]

I am so happy that DreamWidth is here! Because I have literally stopped caring one iota about LiveJournal.

[azurelunatic]

I love Dreamwidth too! This is why I can be so calm about it all.

[lacey]

I wish I could be surprised or work up much outrage, but I can't. LJ has been in a long, slow decline for years now and it'll be awhile longer bride we're done. Thanking my lucky freaking stars (and D and Mark and Fu and all the Support peeps) that we have this resource.

[rebelsheart]

Well put

[isquiesque.livejournal.com]

I'm not making a statement on what happened one way or the other, but I am curious: is there really that big a spam issue? I have tons of public entries, and I do occasionally get spam, but it's really very very very occasional. One every few months, it feels like.

[amalnahurriyeh.livejournal.com]

FWIW, I probably get ten or so spam comments a week. I'm also disproportionately annoyed by them, because it feels like a violation of my space--probably because of how I overidentify with my journal.

What are your settings for anon comments? Mine is allowed-but-screened, and almost always the spam comes in as anon.

[azurelunatic]

Yes. It's not just spam comments, but spam entries to communities, spam serial adding, and spam middle-content hosting, and then links to the LJ entries containing that content are emailed out. I don't know how really bad it is anymore, but back in ... I want to say February or thereabouts ... one of the major organizations that tries to fight spam listed LJ as unreliable because of how ineffective it was at dealing with reported spammers. They made some quick improvements since then, but it's still bad.

http://www.livejournal.com/stats/latest.bml still has a ton of spam on it even when one discounts entries that one can't read. (I can't read Russian well enough to finely distinguish legitimate entries with a lot of pictures and links from spam entries.)

[scolaro]

Ah, now I know why I had to re-login tonight, even though there was no change (on my side). Personally I don't get much spam either, but I've heard there are tons and tons of spammers around, annoying people.
So yeah, if it helps...

[lady-angelina.livejournal.com]

As someone who depended on LJLogin to toggle between accounts without having to memorize my passwords... while I'm not thrilled about the add-on breaking as a result from the cookie-handling code change, I'll definitely survive. It's inconvenient not to have it, to be sure, but I've lived just fine without it on my mobile phone (especially during the month when that was ALL I had for Internet access). ;)

While I can't really speak for other users, I can say that what I really find unacceptable is the fact that there's an alleged security breach that the powers that be have failed to address in any shape or form, during the more than 36 hours since it was apparently first reported. To me, this is way more serious than spam-fighting efforts (and you know how much I hate spam, if a good number of my own past entries are any indication XD ). If the cookie-handling code that was meant to deter spammers was responsible for the privacy breach (if such is occurring, that is, since it may just be unfounded rumors at this point), then I'm all for rolling back the code and dealing with spam until the security issues have been taken care of.

[azurelunatic]

I am straight freaked over even the stuff I have heard so far about the security problems, and trying not to think about it too hard with this headache.