[personal profile] rabidsamfan
Please let me know. I found some very uncomfortable html behind one of their images this morning (it broke the flock for one of the people in my flist) and I would like to avoid them as much as possible.

ETA... hmm. there is a chance I am panicking slightly prematurely about the html part of this... But I still can't explain the image that's so big it gets filtered and then hasn't anything there.

ETA 2: I think I'm definitely panicking about the flock thing. *whew* LJtoys, however, does seem to be putting up a "webbug", a tiny invisible icon linked to a javascript in posts where the user hasn't selected a mood icon (they can count hits from the mood icon directly.) Blocking javascript would disable that or setting your journal to always use your own mood icons even on other people's posts...

ETA 3: I am an idiot! Hooray! The flock thing was me misinterpreting what I was seeing. *whew* As Rosannadanna would say, "Never mind!"

And thank you, fictualities, for straightening me out.

(no subject)

Date: 2007-12-14 06:57 pm (UTC)
From: [identity profile] fictualities.livejournal.com
What IS lj-toys? Whatever it is, it tries to run some kind of javascript whenever someone using it is on one of my friends filters. (I've taken those four people off my regular reading filters until I can figure out what this thing is trying to do.) How does it break friends-lock?

(no subject)

Date: 2007-12-14 07:06 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
It hosts mood icons, as near as I can tell, and will do stats for people.

In my settings I've got images over a certain size blocked -- I get a "here's an image" icon instead of the image when I look at my flist. I have to click on the image or go into the actual entry to see it.

Well, lately I've been seeing images that "aren't there" when I go to look at them. I fussed at one of the folks it's happening with, and she added a mood icon to that post. But when I looked at the post again, even though now the "here's an image" icon didn't show up on my flist, there was something that looked like a link when I moved my mouse over the same place where it had been. Right clicked on *that* and got a shitload of html, which included every post that had been on the most recent twenty five posts on my flist. Two of those posts were flocked. Now, those two posters were friends of the person who owned the problem post too, so it may have been her password LJ toys was using, but in my not so humble opinion, ljtoys had no business dumping all that stuff onto their servers.

Yes, it's some kind of widget, no I don't know how it works, and yes, I'm peeved.

(no subject)

Date: 2007-12-14 07:26 pm (UTC)
From: [identity profile] fictualities.livejournal.com
Jesus Christ. They're hacking people's friends-locked posts? That's disgusting.

Thanks for the warning! Gah, how scary. As I said, four people on my flist use lj-toys -- I wonder if they know what it does? I use a Firefox extension called NoScript that prevents unwanted javascript from running in my browser, so lj-toys' scripts don't actually run on my flist, thank God. But NoScript catches the little buggers trying to get in from the four journals in question, and it pisses me off. What if someday lj-toys comes up with a hack before NoScript comes up with a fix? Much better to keep lj-toys users quarantined on a separate filter, where the only people whose privacy will be violated are other lj-toys users.

(no subject)

Date: 2007-12-14 07:45 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I use firefox at home. How do I find "NoScript" and can I tell it which javascript I do want?

This is very frustrating, because I don't think the people using ljtoys have any idea that that's what's happening.

(no subject)

Date: 2007-12-14 08:13 pm (UTC)
From: [identity profile] fictualities.livejournal.com
You can get NoScript from the Firefox addons site here --

https://addons.mozilla.org/en-US/firefox/addon/722

I HIGHLY recommend it. NoScript works on a whitelist basis; that is, it blocks javascript by default (and can be set to block Java, Flash, and an incredibly insecure and annoying Microsoft invention called Silverlight). If you want to run javascript on a site -- say, your bank, or iTunes -- you can click on the little NoScript icon at the bottom of your browser, and it will add the site to your whitelist. So for example: I have LiveJournal itself on my whitelist, so I can use LiveJournal's javascripts. But other scripts that try to run from LJ pages (from lj-toys.com, from snap.com) are blocked. So you get the js you want and not the js you don't want.

I can't even tell you how important a security tool this is. Even pages on big mainstream websites now can try to run scripts from as many as ten or fifteen different servers, and in many cases the site you trust has some kind of an advertising deal with the sites you don't trust, and they don't review the scripts from the sites you don't trust. Those scripts just run with no one from the trusted site knowing what they do. Huge security problem and a big vector for spyware/trojans on windows-based machines.

NoScript also blocks web bugs from untrusted sites (tiny, often invisible graphics that report back to a third-party server when you access a page).

Unfortunately hackers are endlessly inventive and no system can keep you 100 per cent safe on the web. But blocking untrusted scripts is still a great idea. I think it's just as important as running a firewall and antivirus (on a Mac it's probably even more important than antivirus).

(no subject)

Date: 2007-12-14 07:46 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
RSF, I wonder could you please look again at the html and see if it might have also included posts that were f-locked and whom we WEREN'T both friends of?

This whole thing makes me sad and frustrated. :(

(no subject)

Date: 2007-12-14 07:52 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I'll do that -- but it may have to wait until I'm home from work. I have to at least pretend to get something done today!

I'm frustrated too, because I know you aren't the kind of person to do this sort of thing deliberately, and because the image that was the problem wasn't your mood icon -- it was up in the body of the text.

(no subject)

Date: 2007-12-14 07:59 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
Please send me an e-mail so I can show you more easily. At gmail, same name.

(no subject)

Date: 2007-12-14 08:07 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
I just sent you an e-mail to your username at gmail.com. :)

(no subject)

Date: 2007-12-14 07:51 pm (UTC)
From: [identity profile] claudia603.livejournal.com
How do you know if someone is using it??? It is very important for me to keep my personal posts flocked!

(no subject)

Date: 2007-12-14 07:58 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
The frustrating thing is that I can't tell how much of this stuff they retain on their servers...

(no subject)

Date: 2007-12-14 08:02 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
Try setting your internet to only allow javascript if you give it permission. That should block the problem stuff.

(no subject)

Date: 2007-12-14 08:03 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
*raises hand*

I use it, but I SWEAR it's not to break open f-locked posts. I'm not even sure that's exactly what it did, actually - as the post RSF is referring to is someone (I have no idea since I haven't yet seen the HTML) who we are BOTH friends with - so it may have used MY login info - not RSF's (which seems more likely since I'm the LJToys user). To my knowledge, all it's supposed to do is a) host mood icon images (custom) and b) keep a log of hits to the USER's journal (who's visited my journal, by ip addy, etc.). I nearly never use the second feature since I'm not e-famous and I can pretty much tell by who's left comments. Please don't panic - at least not yet. I've sent an e-mail to the admin of LJTOYS (who have been operating for at least a couple of years now, so if they were doing anything they shouldn't be, surely it would have come out before now??). I so hope this turns out to be a premature panic. *miserable*

(no subject)

Date: 2007-12-14 08:06 pm (UTC)
From: [identity profile] claudia603.livejournal.com
Mmm...that makes sense that because you were both friends with the person that that would be a valid explanation as to why RSF could see the flocked post...I'm not going to panic then -- I will then just attempt to take RSF's advice about the javascript! :-)) (No misery allowed!!! It's Froday! *looks very stern*)

(no subject)

Date: 2007-12-14 08:22 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I also may be panicking prematurely. I have to look at this again later when I can figure out the html (at which I am the most amateurish of amateurs.)

But I still don't understand the invisible pictures part...

(no subject)

Date: 2007-12-14 09:22 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I was definitely panicking prematurely, and you don't have to worry -- not about the flock anyway. I made a silly mistake and conflated it with a real puzzle. But fictualities has figured out the mess. *whew*

(no subject)

Date: 2007-12-14 09:23 pm (UTC)
From: [identity profile] claudia603.livejournal.com
yay, what a relief! *wipes brow*

(no subject)

Date: 2007-12-14 08:06 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
*hugs* I know it's not you darlin', that's why I didn't name you in the post. And there is something at the top of the html that says "noarchive" but I can't figure out why it exists at all. (Or why it showed my flist and not yours.)

(no subject)

Date: 2007-12-14 08:18 pm (UTC)
From: [identity profile] fictualities.livejournal.com
Hmmm. "Noarchive" is part of a standard meta tag that tells search engines not to archive a page. That is what you are telling LJ to insert into your pages when you tell it not to let search engines access your site. It's a standard way of communicating with Google, Yahoo, etc. and asking them to bugger off. Without seeing the code I can't be sure, but "noarchive" might be a perfectly innocent part of your own security.

(no subject)

Date: 2007-12-14 08:24 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I also may be looking at the wrong thing with the html, I just realized. *headdesk* I am a complete amateur at computers...

But I still don't know why a gif would be blocked for being too large in my flist and then not have anything in it!

GAAAAHHH!!!

(no subject)

Date: 2007-12-14 08:43 pm (UTC)
From: [identity profile] fictualities.livejournal.com
Hmmm. Could be one of those little web bugs I was telling you about. If you insert a hotlink to a single-pixel transparent GIF into someone's journal entry, and the gif is located on a third party server, then the third party server can keep track of hits to the journal entry by counting the number of hits to the gif on its own server. All this without the end user seeing a graphic, because the graphic is invisible.

This may be the way lj-toys does most of its stats collection. Each hit to the embedded invisible gif would tell the lj-toys server a) the referrer, that is, from whose friends' list the journal entry was being read; b) the IP number of the person reading the page, c) the geographical location of the person reading the page (this is deducible from the IP number), and sometimes d) the name and address of the person reading the page (if they have a fixed IP registered to themselves).

No, web bugs are no one's friend. And web counters like LJ toys have the capacity not only to report this information back to their users but to log it, and potentially sell it to marketers and any other interested parties. Don't know if they log their data or not -- it would cost money, for one thing. But any info that's collected can be logged and resold. Best to do everything you can to keep your data from being logged in the first place. (Of course LJ itself collects all this stuff, as does any other web site. You can't go anywhere on line without leaving traces. But it seems like a good idea to limit the logging to companies you've evaluated yourself and decided to do business with, not random third parties that are along for the ride.)
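
[Added example, not part of the thread or any poster's code: a small audit of one page's HTML that applies the two ideas discussed in these comments, a default-deny allowlist for script hosts (the NoScript-style behaviour described earlier) and a check for third-party images of 1x1 pixels or smaller (the web bug described just above). The host names, the sample page and the size heuristic are constructed assumptions.]

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a journal entry on a first-party host that loads
# one first-party script, one third-party script and two third-party images.
SAMPLE_HTML = """
<html><head>
<meta name="robots" content="noindex, nofollow, noarchive">
<script src="https://journal.example/js/core.js"></script>
<script src="https://stats.tracker.example/count.js"></script>
</head><body>
<p>Entry text</p>
<img src="https://journal.example/userpic/1.png" width="100" height="100">
<img src="https://stats.tracker.example/hit.gif?u=alice" width="1" height="1">
<img src="https://images.example/photo.jpg" width="640" height="480">
</body></html>
"""


class ResourceAudit(HTMLParser):
    """Collect external <script> and <img> loads and classify them."""

    def __init__(self, page_host, allowed_script_hosts):
        super().__init__()
        self.page_host = page_host
        self.allowed = set(allowed_script_hosts)
        self.blocked_scripts = []  # script hosts that are not on the allowlist
        self.web_bugs = []         # third-party images of 1x1 px or smaller

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlparse(a.get("src") or "").hostname
        if host is None:
            return  # inline or relative: loaded from the page's own host
        if tag == "script" and host not in self.allowed:
            self.blocked_scripts.append(host)  # default deny
        elif tag == "img" and host != self.page_host and self._tiny(a):
            self.web_bugs.append(a["src"])

    @staticmethod
    def _tiny(a):
        # Missing or non-numeric dimensions are not counted as a web bug here.
        try:
            return int(a.get("width") or "") <= 1 and int(a.get("height") or "") <= 1
        except ValueError:
            return False


def audit(html, page_host, allowed_script_hosts):
    """Return (blocked script hosts, suspected web bug URLs) for one page."""
    parser = ResourceAudit(page_host, allowed_script_hosts)
    parser.feed(html)
    return parser.blocked_scripts, parser.web_bugs
```

A normal-sized third-party image, such as a hosted mood icon, is logged by its server in the same way but is not flagged by the size check; only the host comparison would catch it.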

(no subject)

Date: 2007-12-14 08:30 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I also may be looking at the source for my own flist page *headdesk headdesk headdesk*

But why is the image that isn't an image popping up? Why? Could it be one of those web-bugs of which you speak?

(no subject)

Date: 2007-12-14 08:37 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
I *think* (if I understand correctly - and that's a pretty big IF), that ljtoys is, by definition a "webbugs" site...it "bugs" your lj (through your mood icons) so that you can track your hits. Maybe.

(no subject)

Date: 2007-12-14 08:49 pm (UTC)
From: [identity profile] fictualities.livejournal.com
Oops! We crossed messages in the ether; I answered this above. In short: yes, probably an invisible gif being used as a web bug. You can block those with NoScript too.

LJ will let you block mood icons that are being used as web bugs -- set LJ to show your own mood icon set on other people's pages. That way you won't be able to see other people's cute mood icons, but, erm, you'll be a little more secure.

(no subject)

Date: 2007-12-14 08:33 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
"noarchive" might be a perfectly innocent part of your own security.

*prays*

Please, Lord, let it be that...and not that I have unwittingly been compromising LJ security for a very long time. D'oh!

(no subject)

Date: 2007-12-14 08:43 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I'm hoping that I'll end up pulling a Rosannadanna and saying "Never Mind..."

(no subject)

Date: 2007-12-14 09:02 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
LOL - That made me laugh! I'm hoping you do, too.

(no subject)

Date: 2007-12-14 09:02 pm (UTC)
From: [identity profile] fictualities.livejournal.com
If what showed up in RSF's html was this:

<meta name="robots" content="noindex, nofollow, noarchive">

then it is absolutely nothing to worry about and completely standard operating procedure. It's just LJ telling Google et al not to archive people's friends pages. LJ puts this in themselves; lj-toys has nothing to do with it.

lj-toys does try to run js of some kind, but that could be all about counting hits to people's journals, which can definitely be done without hacking into people's friends-locked posts. RSF, is that what you saw? If so, this is probably a false alarm; I'm not a huge fan of web bugs, but they don't show anyone friends-locked posts.

(no subject)

Date: 2007-12-14 09:12 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
*goes to look at the html -- finds the right stuff!*

Hooray hooray hooray! I am an idiot! Hoooooorrrraaayyy!!!


Err... thank you.

(no subject)

Date: 2007-12-14 09:14 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
LOL! I'm so glad you're an idiot!! (j/k!!)

*dances*

(no subject)

Date: 2007-12-14 09:13 pm (UTC)
From: [identity profile] cpsings4him.livejournal.com
I know we've never met but...

*squishes you with a hug*

Thank you for knowing this! I've been miserable most of the day thinking I'd unwittingly unlocked f-locked posts!

*hugs you again*

(no subject)

Date: 2007-12-14 09:25 pm (UTC)
From: [identity profile] fictualities.livejournal.com
*hugs back*

Glad to help! And I'm relieved, too -- I know four people on my own flist use LJ-toys, and they're all really nice people. Unknown javascript always makes me anxious, but it looks like they're just letting you know who's reading your LJ -- information that all web sites automatically record anyway, and all you wanted to know. :)

(no subject)

Date: 2007-12-14 09:19 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
Thank you for being patient and curious enough to help me figure this out. It really had me bothered, because the images that weren't actually there were getting on my nerves. And I will definitely be doing something about javascripts on my home computer, as soon as I get home!

(no subject)

Date: 2007-12-14 07:54 pm (UTC)
From: [identity profile] sayhello.livejournal.com
OK, that qualifies as downright scary, as well as frustrating!!!

Hewene

(no subject)

Date: 2007-12-14 08:01 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
Very...

I'm working on figuring out the limits, but as fictualities points out, blocking javascript seems to block the widget.

(no subject)

Date: 2007-12-14 08:24 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
I may have panicked somewhat prematurely, but I am soooo very mixed up right now. And at work. Which I need to do some of soon.

(no subject)

Date: 2007-12-14 08:56 pm (UTC)
From: [identity profile] sayhello.livejournal.com
Do work at work? What a novel concept...

Hewene

(no subject)

Date: 2007-12-14 09:20 pm (UTC)
From: [identity profile] rabidsamfan.livejournal.com
Not very much. But at least the flock thing has turned out to be not a concern. The webbug is still there, but... *whew* I'm an idiot, but sometimes that's a gooood thing.

(no subject)

Date: 2007-12-14 09:25 pm (UTC)
From: [identity profile] claudia603.livejournal.com
*snort* I had to do that today. I think out of my time at work today, I did about 10 minutes of actual work... How 'bout you, byotch?

(no subject)

Date: 2007-12-15 03:02 am (UTC)
From: [identity profile] sayhello.livejournal.com
Well, your bitch did manage to get a certain amount of work done, because she had 3 meetings today... ick! And then decided to do a couple of quick tasks that aren't due for a while, but which are now out of the way. And subsequently found that my co-worker (who's out on paternity leave) made a boo-boo in a piece of work he did for me. Whoops. We'll deal with that on Monday... Rest of the day was spent surfing LJ...

*smooch*
Hewene

(no subject)

Date: 2007-12-14 10:20 pm (UTC)
From: [identity profile] semyaza.livejournal.com
Late to the party, as usual. I wish people wouldn't use LJtoys. That's my contribution to the discussion. :D