squirrelitude: (Default)
We've ended up modifying the 5BX (Five Basic Exercises) program to pull in some from the XBX (Ten, the women's program), which has more stretches.

We're currently on chart 1, and here's what we're doing each morning:

- [5BX] toe touches
- [XBX #2] standing knee lifts
- [XBX #3] standing lateral bend
- [5BX] situps
- [5BX] prone chest and leg raises
- [XBX #7] lying side leg lifts
- [5BX] pushups
- [XBX #9] lying forward leg lifts
- [5BX] running in place

At our current level, this is nominally supposed to take less than 17 minutes, and we're doing it in about 12 (plus some time for stretches afterwards.)

It feels really good and hasn't been a burden, so I'm pretty pleased with it!
squirrelitude: (Default)

Livejournal was hacked in 2014. Someone managed to download a list of all users, and has posted it on the web. (I'm not telling exactly where, for reasons that will become clear.) It contains over 30 million records with email addresses, usernames, and raw passwords.

You know what to do when your password is leaked: You change it to something new, something you haven't used anywhere else, something complicated. Maybe you store it in a password manager so you don't have to remember it. And check to see if you used it anywhere else, especially on Dreamwidth.

But this is worse: Your email address is now linked to the usernames of any accounts you created with that email. Here are some scenarios:

  • You created two LJ accounts with public entries, one for everyday stuff and one for your sexploits. Someone who knows the "public" username can see what email it was registered with, search for that email, and find your sex blog.
  • You have a well-known but pseudonymous journal. Someone who wants to identify you can now find your email address, from which they can likely find your identity.
  • You have a journal that is again pseudonymous, but not necessarily well known, and was registered with your regular email address. Someone who knows your email and is curious can check to see if you had any LJ accounts.
  • You used a different email to register your two journals, but the same password. Now someone can determine that those accounts were likely registered by the same person, as long as that password is uncommon enough.

And of course all of that remains true for Dreamwidth, even though DW wasn't breached, as long as you used the same username when you moved from LJ to DW.

(Livejournal has not yet acknowledged the breach, but multiple people, myself included, have identified their own LJ-specific passwords, usernames, and email addresses in this dump.)

So, this sucks. I guess people can go and lock down their old journals if needed, if they still have access. But in some cases the damage is not preventable. People entrusted their privacy and identities to Livejournal, and inevitably that trust was broken; once that information is out there, it's out there. I wish I had something to offer people that were better at preserving privacy, but I don't think the right thing exists yet. (I'm working on something, but it's still pretty early. It's a hard problem!)

Technical notes

It looks like Have I Been Pwned doesn't yet have the emails and passwords, but in the meantime if you're technically inclined I have a few extracts of the data that are safe to share. I'm making a list of SHA-1 hashes of unique email addresses available over IPFS under the address QmYaKzshXTD6g2aMwbhWyYcTTkgi5Qugnjx3mT4xw5r5sk. It's about 1 gigabyte. Additionally, I've created a list of SHA-1 hashes of passwords under IPFS address QmX4BLvyrQLJapZXw44gQ8DyDKPZmNQpGKEfSrNkZCegim, again about a gigabyte, and this time with occurrence counts. Here's an example usage showing that the password "qwerty" was used over 27 thousand times:

$ read -p "Enter text to hash: " pw; echo -n "$pw" | sha1sum
Enter text to hash: qwerty
b1b3773a05c0ed0176787a4f1574ff0075f7521e  -

$ grep b1b3773a05c0ed0176787a4f1574ff0075f7521e ~/Downloads/lj-password-sha1-uniq-count.txt 
  27625 b1b3773a05c0ed0176787a4f1574ff0075f7521e
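
The same lookup as a script, added here as an example (it is not part of the original post): it matches the digest field exactly, checks several passwords in one pass over the list, and reads the occurrence count in terms of the account-linking scenario described earlier. The function names, the `LINK_THRESHOLD` value and every sample line except the qwerty count are assumptions made for this example.

```python
import hashlib

# Threshold below which a shared password is treated as rare enough to tie
# accounts together. The value 5 is an assumption made for this example.
LINK_THRESHOLD = 5

def sha1_hex(text: str) -> str:
    """Hex SHA-1 of the UTF-8 bytes, same result as `echo -n "$pw" | sha1sum`."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def parse_count_line(line: str):
    """Parse a `uniq -c` style line ("  27625 <40 hex chars>") into (count, digest)."""
    parts = line.split()
    if len(parts) != 2 or len(parts[1]) != 40:
        return None
    try:
        int(parts[1], 16)                # digest must be hexadecimal
        return int(parts[0]), parts[1].lower()
    except ValueError:
        return None

def lookup_counts(lines, passwords):
    """One pass over the list for any number of passwords; 0 means not present."""
    wanted = {sha1_hex(p): p for p in passwords}
    counts = {p: 0 for p in passwords}
    for line in lines:
        parsed = parse_count_line(line)
        if parsed and parsed[1] in wanted:
            counts[wanted[parsed[1]]] = parsed[0]
    return counts

def exposure(count: int) -> str:
    """Interpret an occurrence count from the account owner's point of view."""
    if count == 0:
        return "absent"      # not in this dump
    if count == 1:
        return "unique"      # leaked, used by a single account in the dump
    if count <= LINK_THRESHOLD:
        return "linkable"    # few accounts share it: the shared value ties them together
    return "common"          # too widespread to link accounts, but trivially guessable

def sample_lines():
    """Constructed stand-in for the count file; only the qwerty count is from the post."""
    return [
        "  27625 " + sha1_hex("qwerty"),
        "      2 " + sha1_hex("constructed-shared-passphrase"),
        "      1 " + sha1_hex("constructed-unique-passphrase"),
        "this line is malformed and is skipped",
    ]

if __name__ == "__main__":
    # For a real check, read the password with getpass.getpass() and pass an open
    # file object (it iterates line by line) instead of sample_lines().
    mine = ["qwerty", "constructed-shared-passphrase", "not-in-the-list"]
    for pw, n in lookup_counts(sample_lines(), mine).items():
        print(f"{sha1_hex(pw)}  count={n:<6} {exposure(n)}")
```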

If someone would like to host those as a torrent or create a website for querying the data, that would be cool, but I'm sure HIBP will have it very soon so maybe don't worry about it. :-)

Updates

2020-05-26 22:30: Passwords and emails have now been incorporated into Have I Been Pwned: https://haveibeenpwned.com/PwnedWebsites#LiveJournal. I suppose breach notifications will be rolling out soon.

23:58: Emails are rolling out, but passwords aren't loaded in yet.

2020-05-28 12:30: Firefox is now warning people who visit Livejournal about the breach. There is an update from DW. There is also a very skimpy and vague denial from Livejournal. And (see comments) I think I can narrow the dump date down to May 2012, so the LJ DB would have been compromised before that date.

squirrelitude: (Default)
I set up the suet feeder a few weeks back with a brick of hot pepper suet, and the squirrel-resistant seed feeder a few days ago with a seed mix laced with cayenne. This is the approach I took last winter that seemed to keep the squirrels at bay. And yes, I've seen only woodpeckers, house sparrows (oh well), and cardinals partaking so far.

This morning I went over to the back door and looked out, and there on the railing sat one of the fattest, fluffiest squirrels I've ever seen. It was sitting up, looking straight at me. It looked up at the suet feeder. It looked back at me. It distinctly said "Churt." Looked back at the feeder. Back at me. And then slowly walked down the railing and off the porch.

I think it was trying to tell me that there was something wrong with the food, and possibly that it was going to leave a 1-star review on Yelp. No kidding, squirrel. Tell all your buddies.

(I do want to set up the corn-on-a-rope squirrel feeder I had last year, but unfortunately there's now a car parked there.)

SNØ!

Dec. 1st, 2019 07:16 pm
squirrelitude: (Default)
Hooray for snow! This is the first snowfall of the year that could really bear the name (not just a couple of quickly glimpsed flakes) and not only is it sticking, it's actually shovelable! None of these fakeouts about "one to three inches" followed by a light dusting. (Same deal as last year, actually.)

I ran outside barefoot to leave some tracks and feel the fluffy snow (it's a really pleasant texture, even if I can't stand it for long).

The landlord hires a snow-removal company, which I feel weird about. I've always shoveled out my own sidewalk and driveway, and never really minded it. (Even as a teenager, with a 150 foot long gravel driveway.) If it were up to me I'd tell him to not worry about it but I'd have to talk to the upstairs neighbors about it, and I suspect they're happy enough to have the service. In the meantime, I guess I can shovel out curb cuts and hydrants and crosswalks instead.
squirrelitude: (Default)
...and after a bit of canning we now have 3 gallons of diced tomatoes put up for the winter, across 12 quart jars. It's definitely not going to keep us until spring, but I really want to reduce the amount of tomatoes we eat from resin-lined cans (which have BPA or BPA-substitutes in the lining).

These tomatoes are all from the CSA, and I'm curious to try them out. Many of the jars were made with "seconds" tomatoes that needed a couple spots trimmed off but were at peak ripeness. Others had somewhat less ripe fruits. One is made entirely from plum tomatoes!

I also really hope the seals hold. I have very little experience with canning, and made various mistakes, but hopefully not serious ones. (Biggest problem is that I put the citric acid in near the top of the jars, rather than the bottom, so some may have gotten pushed out. On the other hand, all of these tomatoes are destined to be heavily re-boiled to make spaghetti sauce or similar, which should destroy any botulinum toxin that manages to occur...)

I think I feel confident I could put away another few gallons. I'd want to change some things, though. In this batch, I did two rounds of raw-pack, which meant with the second round I was in the awkward situation of having a pot of recently-boiling water and a collection of room-temperature glass jars; I had to do some annoying work to get the jars heated to boiling in stages by juggling hot and cold water. I think next time I'll do a hot pack to avoid that problem, which will also have the bonus of reducing the water content of the tomatoes. (Again, they're destined for spaghetti sauce and similar.) And I'll remember to put the citric acid in the bottom, too. :-P

Incidentally, if you know of anyone around here making canned local tomatoes in *glass* who can provide them for $4/lb (is that reasonable?) I'd very much like to know. I'm willing to do the work, but it's also a problem I'm happy to throw money at.
squirrelitude: (Default)
I took a walk in a strong rain with the kid today under an umbrella so that we could follow a stream of water down the road. (Me: "Where do you think that water is going?" Her: "I don't know, maybe it goes on forever" Me: "Let's follow it and find out!") We found the storm drain and stuck our feet in the cold water, and I talked about storm sewers and how they take the water out to the river or the ocean so it doesn't build up and flood the roads.

Then we went back to the porch and I asked her why the water isn't building up in the garden and making streams, and why the garden doesn't need a storm drain. She didn't quite get it, so I talked about what happens when we water plants, and how the water soaks into the soil, and that water *doesn't* soak in to the roads and sidewalks (that they're "impervious surfaces") and asked her to find other big things that the water didn't soak into. I had to give her a hint about the porch we were sitting on, and we talked a bit about how water runs off of houses too. Some day, when she has developed a little more capacity for hypotheticals, we can talk about what happens as you add impervious surfaces to a city.

Out on the porch we were getting a bit of mist from the rain, and she eventually wanted to go in to get warm. Right now I'm feeling appreciative of how water doesn't soak into my house, and that it's a very dry and warm place I can retreat to. I take that as a given far too often.

Now the sky has turned a beautiful yellow and the rain is tapering off.
squirrelitude: (Default)
We took the train down to my parents' place in Virginia for the week. It's great to see them, it's good to be around a dog, and it's *fantastic* to again be in a place where there are delightful insects and plants and birds everywhere. The ecosystem is so rich here compared to the sparse, disconnected plantings in Somerville (as green as it is).

The highlights so far have been an enormous funnel spider, extremely persistent butterflies that want to lick my face and don't mind being picked up and put down again (some kind of fritillary?), and some wheel bugs in the act of mating.
squirrelitude: (Default)
My "Tina James' Magic" evening primroses started blooming a couple weeks ago, and are now at the peak of their season: Every night, over the course of 20 minutes, 30 flowers open on each plant, often in under a minute each. [1] They're big, yellow flowers, so it's quite a spectacle.

I grew up with them, so the amazement of watching them open has faded a bit. Now I get more joy from watching people watch the flowers. After the season started, I invited everyone on the neighborhood mailing list to come watch them, and managed to gather a small crowd for a few consecutive nights. It was great to see people's reactions, with some people even gasping or stepping back in surprise. Just tonight, I waved some folks down from the sidewalk to watch the last few of tonight's "show", and it sounds like they're interested in growing some of their own. I encouraged them to take some seeds when the pods ripen. (And I was pleased to get to share them with [personal profile] minerva42 tonight as well.)

I feel compelled to share them. Not just the experience of watching these plants, but the seeds and seedlings, too. I've scattered seeds in a few weedy yards in Somerville, offered plants, gifted seeds. I might see if I can get a patch started on the Somerville Community Path in one of the full-sun areas. It feels a little odd, like the plants have co-opted me as a propagation vector. It reminds me even of parasites that control their hosts. But in this case, the symbiosis is a mutualism: The plants get spread, and I get a free show every summer evening.

[1] The best ones open all at once in 15-30 seconds. Many of them take a break in the middle, though—they flare out into a pinwheel shape in about 15 seconds, then wait a few minutes, and finally burst out into full bloom in about 15 more seconds. I think those count as well.
squirrelitude: (Default)
We're planning on renting a car for Baitcon, but I wonder if we could carpool with one other person—either in their car, or in one we rent. We pack relatively light (two frame packs, plus a little more for the kid) and I think we could manage another light-packer's stuff.

We would be doing the Friday to Monday schedule. Anyone else in the greater Somerville area with compatible travel plans?

(x-posted https://baitcon.dreamwidth.org/180832.html)

Aminals

Jun. 8th, 2019 07:34 pm
squirrelitude: (Default)
Today was the first day of the CSA, so I took the kid in the bike trailer out to the farm in Waltham. The crops are only just starting to come in, but we saw some interesting animals: Teenage chickens getting used to people, an Extremely Smol mouse that we cornered near the bathrooms, a hawk getting mobbed, a very industrious honeybee.

On the way back, we stopped at Alewife Reservation to walk around briefly, and within the first *minute* we saw:

- ducks
- a muskrat (?) swimming just under the surface, carrying a lily pad
- a male red-winged blackbird that landed not 5 meters from us on the boardwalk railing, and sang gloriously—then flew to practically within arm's reach to hang out for a bit (did it want food?)

Of course, my camera's battery was dead. So in the next 15 minutes, we also saw a turtle, some fish, a rabbit, and 2 adult swans and their 3 cygnets. (Oh, and a groundhog also ran across the bike path just before we arrived.)

I really need to wander over to Alewife Reservation more often.
squirrelitude: (Default)
1) DW is 10 years old today! https://dw-news.dreamwidth.org/39419.html announces a collection of incremental improvements, but also some quota increases for paid users.

2) I rediscovered a super cool feature: The network reading page. This shows all posts made by friends and friends-of-friends. Except that's my network reading page; you can find yours in the top nav menu under Read -> Network Page. (You can look at mine too, though, if that floats your boat!) I don't know exactly how it works—DW separates "friend" into "grants access" and "subscribes to", and I'm not sure which of those is used here. Probably it is people who grant access to people who grant access to you. Anyway, it's a nice way to find people you might already know but didn't know the username of. (Or just people with similar interests.)

I'd love it if they could add a "friends of friends" post privacy level, which would make that network page even more useful.

3) I finally looked up the full docs for how to filter your Reading Page. I already knew how to make a custom Reading Page so that I can just include the people I don't already have in my feed reader, but apparently there's also a way to exclude entries by tag. For instance, I could say "yeah, I do want davis_square entries, but not the ones tagged 'airplane-noise'". Tag filtering is a paid feature, so heads-up on that.
squirrelitude: (Default)
I'm late getting seeds into the ground, but I've got some things started. The kid's potatoes and flowers are coming up, and I have seeds in the ground: Tomato, pepper, ground cherry, oregano, thyme, savory, prickly pear, lovage, cleome, sunflower, basil, lemon balm.

More soon. Not exactly the selection I was hoping for; I forgot to stratify things in time, yet again. Now I have a yearly calendar event set for January 15th to remind me about that. I wonder if that's too early or late, assuming a 6–8 week stratification and a week or two in seed flats.

Planting the tiny seeds of plants in the Lamiaceae (oregano, thyme, savory, basil...) I am again amazed at how my thick meat-fingers can sense and manipulate such tiny objects.

Some of these things are easier to grow from cuttings or root division. But I feel compelled to grow them from seed. Something in me values the genetic diversity (and possibility of new varieties) more than the ease and reliability of clonal propagation.

I'm also starting to harden off the perennials so they can live in the front yard again. It'll be nice to get the citrus out again under the bright sunlight they deserve.
squirrelitude: (Default)
Today I cooked with fresh shiitake mushrooms for the first time (and I've only used dried ones once before, I think.) I roasted them with sweet potatoes, olive oil, red wine, salt, black pepper, and thyme, then blended it all fairly smooth. Pretty nice! The mushroom is mostly a background flavor, where it belongs. :-P

----

This weekend I also took the fatty bits from some goat loin chop that [personal profile] elusiveat cooked, chopped them up fine, and boiled them with water. Once it was cool, I took off the fat layer, reheated it, and strained out the chunks. Then I prepped a wick (taken from a candle dismantled for other purposes) and the metal wick tether from a used up tealight, poured in the tallow, and let it set. I made a candle!

(The stored energy of the tallow is offset by the energy that went into rendering the fat, but this was an experiment, and if we had been making stock with the leftovers, that energy would have been "free". We have some beef tallow from a while back that we acquired that way.)

The candle sputters a bit, so I guess I didn't separate out the water as well as I could have. I might set it on the stove next time I bake something to remelt it. Maybe I can get some of the water to separate out at the bottom.
squirrelitude: (Default)
...among other violations, in the latest reveal on Facebook's Potemkin privacy settings, from the New York Times: <https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html> Bing, Yahoo, Amazon and other companies were also given access to private or sensitive information after Facebook claimed it had stopped doing so.

One odd thing in the NYT report, which I admit I have only skimmed:

"Facebook has never sold its user data[.] Instead, internal documents show, it did the next best thing: granting other companies access to parts of the social network in ways that advanced its own interests."


They engaged in contracts with other companies that gave them access to the data. Did those contracts not involve some kind of payment back to Facebook? Or perhaps non-monetary compensation? It seems like they were trying to keep it to "giving away user data in exchange for favors", which... I'm not sure that's actually any better than outright selling the data.

(And of course, since Facebook harvests people's email and phone address books, this affects people who haven't even signed up or connected with each other, such as when they recommended that several patients of the same psychiatrist friend each other. "Shadow profiles" presumably are sold or given away as well.)

----

In unrelated news, various companies (including Google) had user data breaches and didn't report them.

What's fascinating and horrible is that this still is largely not illegal, in the US! We really need something like the GDPR here, and I suspect we're going to get *some* kind of privacy laws; I hope it turns out as well as the GDPR has. There's a lot of room for worse, and frankly not much room for better.
squirrelitude: (Default)
Here's an excellent and heartening followup on Arisia's turnaround: https://drwex.dreamwidth.org/1008603.html

drwex explains why it took so long to get to a public apology, and it makes quite a bit of sense: There were a lot of things that had to happen before that public apology could be made in a *meaningful* way.

I am not, in general, an Arisia attendee, but a large part of my social circles does attend. I think it's in good hands, even though yes it will take time for some people to be sufficiently assured that things have changed at a deep enough level that they'll feel safe attending. I wouldn't think poorly of anyone for making the choice to go *or* not to go this Spring.

(Also, I still can't believe they managed to pull off the venue change! That's a friggin' miracle.)
squirrelitude: (Default)
Dreamwidth is a little unusual in giving everyone their own subdomain. Off the top of my head, I can only think of three other sites that do this: Its predecessor (Livejournal), Tumblr, and DeviantArt. There are almost certainly others, but it's uncommon.

Even though all communications to the site are done over a secure connection, so the *contents* of the pages are hidden from your ISP, any government interlopers, nosy parents who have installed spyware on the home router, and people snooping on your use of insecure café WiFi... the domain name you're visiting (here, squirrelitude.dreamwidth.org) is still being broadcast in two ways:


  • When your computer asks the Domain Name System for the IP address of the site, it sends the domain name out in the clear[1], and the DNS server of course knows what domain you're asking for
  • When your computer then connects to that IP address, it mentions the domain name in the initial message to the server[2]


That means that within a few minutes of poking around on Dreamwidth, anyone who can watch your internet traffic likely knows 1) who your friends are, and 2) by that token, who *you* are. (If you stick to just your Reading Page, you are not leaking your circle's usernames to any watchers, but you are leaking your own.)

I feel like this is maybe something that could and should be changed, since DW is already a centralized service and doesn't *need* separate domain names. (My social media prototype will *need* it, to some extent, which is a sobering thought.) I don't know if I believe this strongly enough to advocate for it,

Another option is to access DW via Tor! I just fired up TAILS and confirmed that I can log in to Dreamwidth just fine. [3] (No captchas or other nonsense.) Unlinking your home IP from the domain you're visiting (and those domains from each other) in the eyes of someone snooping on network traffic is *precisely* what Tor is for. So regardless of whether DW takes action on this, if this is a privacy issue for you, there is a way you can protect yourself. (Also applies to Tumblr, DeviantArt, etc.)


[1] This first part does not apply for people using experimental DNS-over-HTTPS—only the DNS server can read the request

[2] The Server Name Indication TLS header, which is unencrypted in current versions of TLS. TLS 1.3 allows encrypting it, but that's still being rolled out.

[3] Tor is quite safe to use as long as you're visiting HTTPS websites, which is most sites these days. But advice to heed browser warnings about invalid certificates applies doubly so over Tor. If you ignore those, Tor becomes *less* safe than using the internet directly. So don't. :-)
squirrelitude: (Default)
A few months ago (in October) Facebook put out new policies on sexual solicitation [archive 2018-12-06]. These policies are incredibly overbroad, to the point that they cover any of these:


  • A post that includes explicit discussion of sex
  • Using sexual slang (while mentioning a sex act)
  • Discussing fetishes (while mentioning a sex act)
  • "Hey, anyone else want to go to the Boston Baby Dolls show tonight?" (local burlesque show)
  • Mentioning sexual orientation (while mentioning a sex act)


This only hit the press recently, and Facebook of course has denied that their moderators (their oh so consistent and wise, overworked, underpaid, and undertrained moderators) would remove posts based on e.g. sexual orientation. But this is Facebook, so I'm taking their statement with a whole pile of salt, spread out into a shape that spells "YEAH RIGHT".

And of course, no reassurances from them on whether they would remove frank discussion of sex, such as might occur in (off the top of my head) rape victim support groups, or private posts where people are asking advice.

This is likely all further fallout from SESTA/FOSTA, which passed earlier this year. The stated aim was to make sex trafficking more difficult, but actual anti-sex-trafficking groups derided it (even the Justice Department hated it) because it actually makes life worse for people who are victims of sex trafficking, and for sex workers who aren't being exploited. And now it's hitting people who aren't even in the sex business in any way, shape, or form and just want to talk about sex, as adults sometimes do.
squirrelitude: (Default)
A fairly upsetting post by a former member of the Arisia board on repeated mishandling and ignoring of reported conduct issues:

"Why I’m Not At Arisia Anymore: My Rapist is President. Again."

I don't go to Arisia anyway, but I know a bunch of you do, so I wanted to give it a bit of a signal boost.

(h/t rushthatspeaks)
squirrelitude: (Default)
Scammers have gained access to a list of Livejournal usernames and passwords. I'm not sure how long ago the breach was, but your best bet is to change your password now. Also, if you used that password anywhere else, change your password there as well and if possible check those accounts for signs of compromise. (Change them all to *different* passwords. Use a password manager such as 1Password or Firefox's built-in password manager, or just memorize them and write the less important ones down in a physical notebook.)

Source: People (including myself) are receiving scam emails with some bullshit claim about having installed malware, giving an email address and password as proof. They're using emails and passwords from compromised sites, such as Last.fm, LinkedIn, and now Livejournal. LJ was not known to be compromised, but it's not at all a surprise to me. Other sources:

- https://bifurious.co.uk/livejournal-compromised-in-more-ways-than-one/
- https://siderea.dreamwidth.org/1453052.html
- https://dw-news.dreamwidth.org/38612.html (doesn't name LJ, but you know it)
- https://www.livejournal.com/support/request/?id=2085067 (has since been locked down, although I archived it first and have since been in touch with that user)

You can sign up for https://haveibeenpwned.com/ to keep abreast of further password database breaches (and other leaks of your personal information) although Troy hasn't yet posted about this one, probably since the leaked DB hasn't yet made its way into his hands.

(There is not yet evidence that anyone has used the passwords to log into LJ and scrape your post and comment history and the posts and comments of your friends, but it could happen. If you have abandoned LJ but have *not* wiped out all your posts and unfriended everyone, please go ahead and change your password anyway to protect your friends.)

Update 2018-10-09: I can confirm that the breach happened on or before 2017-04-27. In that first link, a commenter narrows it down to the 2011–2014 window.

Update 2020-05-08: Spammers started using the dump to take over DW accounts and advertise their sites: https://dw-maintenance.dreamwidth.org/81865.html

Page generated Jul. 7th, 2025 06:46 am