Tumblr-gedden as Tumblr removes Disqus and custom code from some sites

Tumblr users who have been reveling in its ability to share content—and block trolls via the plug-in Disqus—got a rude shock today when, due to code problems, they found their custom themes disabled and their comment boards wiped out. Among the missing—DC Women Kicking Ass’s lively comments section. DCWKA’s Sue took to Twitter to mourn the loss, and just as I write this it looks like she may have found the missing posts, but others were still searching.



Tumblr is great for sharing but, amazingly, lacks a built-in commenting section. Disqus enabled not only comments but also a sophisticated blocking system, which allowed many diverse communities to flourish without the chilling effect of the trolling endemic to most of the internet.

However, Tumblr has also never been that friendly to plug-ins. While Tumblr hadn’t responded to an inquiry as I write this, it’s most likely the changes had to do with Heartbleed, the terrifying vulnerability that affects 2 out of 3 websites via the ubiquitous OpenSSL library. This weakness, discovered just yesterday, allows hackers to access passwords, sources, cookies, emails, you name it. (Is Heartbleed another name for I Killed The Watcher?)

My ISP already closed down OpenSSL and fixed one of my servers…but the vulnerability was there for two years—meaning it’s time to change those passwords YET AGAIN. The internet is NOT a safe place.

Tumblr has long been seen as a fairyland free-for-all of content and anonymity…even though last May it was purchased by Yahoo, which is notorious for bungling acquisitions under its previous ownership. While the current problems showcase specific HTTPS vulnerabilities, they’re also a reminder that unless you are able to back up your content, it can be removed in a heartbeat.

Comments

  1. Never trust a third party. If you want comments on your site, host comments on your site. Hell, if you even want a web site, run your own web site … don’t count on Facebook, Tumblr, etc for your online presence.

  2. Dave Hartley says:

    Can’t find much about Tumblr-gedden other than pages referencing this article. I’m guessing Tumblr’s action has only affected a (relatively) small number of Tumblr sites but if there are any clues as to what triggered them to strike it would be interesting to know.

    On the much bigger OpenSSL thing it’s not necessarily going to help to change passwords until you’re sure that the server you’re doing it on has been made secure. That doesn’t just mean upgrading insecure versions of OpenSSL but also revoking and renewing existing SSL certificates – something that takes longer and may cost money. While as far as anyone knows the risks are not currently enormous, miscreants are undoubtedly scrambling to monetize this issue, and if you do update your password on an unsecure and compromised server you could simply be handing them the new password. You’d have been safer not logging in. At best the new password will be no more secure than the old one.

    Lists of potentially affected sites are starting to appear along with information about whether they have been made secure, as are online tools to check that sites are not still using the insecure versions of OpenSSL AND have renewed their security certificates.

    Without wishing to add to the ‘end is nigh’ hype that’s already begun it’s important to be clear this isn’t just a potential security problem for web servers. It affects anywhere that these insecure versions of OpenSSL were used – which includes some Linux distributions on personal computers, some devices with embedded operating systems including home routers and Network Attached Storage boxes, and as Google has confirmed today mobiles and tablets running Android version 4.1.1. While the majority of the affected versions of Linux have updates available (but you do have to actually apply them) some of these devices won’t be fixable quickly. Sadly this issue is going to be with us for a while.

  3. But, Disqus is the one actually hosting the comments, all those conversations should still exist, right? And you’ve always been able to add Disqus comments to a theme that didn’t necessarily “support” them, you just need to go into the advanced CSS editing pane.

  4. Oh never mind, I misread the part about custom codes being locked out, that’s stupid.
