Event horizon

Wizard of Oz: As for you, my galvanized friend, you want a heart. You don’t know how lucky you are not to have one. Hearts will never be practical until they can be made unbreakable.
Tin Woodsman: But I still want one.

I’ve mentioned observability issues far too many times already, so, I’m not going to re-rant all that stuff. All previous rants included herein by reference, yadayada. Anyway, it just bit me in the ass again.

By now, those of you on both the LJ and t.c.o. sides have probably noticed a change or two. Notably, commenting is now restricted to logged-in users (minus one), some entries are non-public, and commenter IP logging is enabled. Out of respect for a good friend (and general fuck-you-ness to a good enemy), it’s probably going to stay that way, at least for a little while.

As for the “minus one”, that also includes AIM, etc. It was fun for a little while though, letting him run…and run, and run. Like a broken timeserver that spews bullshit instead of time, and in limitless supply, as long as you keep sending an [ACK] every so often. Give a dog* enough rope to hang himself, and chances are he will.

Lj’s recent security fixes, intended to (among some other things) clear up some XSS vulns, in conjunction with the recent need to put an IP-block on a certain individual, got me thinking. When I looked at my server logs today I realized LJ makes it entirely too easy for someone to determine the IP of a specific user without their knowledge…whether or not they actively traverse off-site links. I hope I don’t scare anyone here :-) These are only a few “wild guesses” to demonstrate the concept. I won’t reveal any names or IP addresses.

S. – Comcast, near Cambridge (an Ubuntu user!)
L. – RCN, Somerville. Someone in the house has a cleverly-concealed web server. :-) (And they know my IP too now, drat.)
K. (not K*) – Dumped XO Communications for RCN, Waltham. I wonder who there knows me? (And do they really think pictures look different under OS X?) Into the plonkfile ye go. (…again.)
J. – RCN, Downtown or South Boston

Directions: I’ve made some guesses correlating a few friends (and one not-so-friend) on LJ to an IP address. I don’t want to post anyone’s IP, so I’m just going to say the service provider it’s on and the approximate location of the first hop. If your first initial is in the table above, see if I got your ISP correctly and let me know whether I was right. I guess that doesn’t really say much, considering Comcast and RCN are pretty much the only games in town (often only one or the other, depending where in town). But if they’re all correct, LJ users (or LJ itself) should probably be made aware of this issue at some point…

If there is sufficient interest I’ll explain how this is done; it’s ridiculously easy, but I’d be damned if I knew how one would go about fixing it.

* Dogs are interesting creatures. You often see two of them fighting over a toy, or other object of property, that one or both doesn’t even really want. Or growling over their food bowls…not even hungry, until they catch sight of another dog sniffing around.







