Tuesday, February 11th, 2014

LibraryThing adds SSL


LibraryThing has added SSL encryption to all pages that ask for private data.

That means the data you submit for signing in—signing up, changing your password, changing your email, etc.—is securely encrypted between you and LibraryThing. Depending on your browser, this will show up as a “lock” symbol, or just a change in the LibraryThing URL from http:// to https://.

Is LibraryThing going all-SSL?

We have decided on this as a first step, with the intention of going to all-SSL, or all-SSL for signed-in members only, as soon as practicable.

Going all-SSL is going to require considerable work: sifting through every URL that still points at http:// to avoid “mixed content” warnings, which browsers raise when an https page pulls in scripts, stylesheets or images over plain http. Although these warnings vary in their obtrusiveness browser-by-browser, going all-SSL without extensive testing is likely to cause more confusion than it prevents.
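The sifting described above can be done mechanically. The following is an added example, not LibraryThing's own code: it scans one HTML document for subresources whose URL still carries an explicit http:// scheme and classifies each as “active” (scripts, stylesheets, frames, objects, which browsers block or warn about loudly) or “passive” (images and media, which typically only downgrade the lock icon). The sample page, the example.com hostnames and the function names are constructed for the demonstration.

```python
"""Scan a page for subresources still loaded over plain http://.

Added example, not LibraryThing's code. Reports every script, stylesheet,
frame, object, image or media element whose URL has an explicit http://
scheme, classified as "active" or "passive" mixed content. The sample page
below is constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> (attribute that carries the URL, severity of a plaintext load)
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "link": ("href", "active"),   # stylesheets only; rel is checked below
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, url) for every explicit http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, severity = SUBRESOURCES[tag]
        attrs = dict(attrs)
        url = (attrs.get(attr) or "").strip()
        if not url:
            return
        # <link> fetches a subresource only for stylesheets; rel="canonical",
        # rel="alternate" and friends are hints, not loads.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Relative ("/x.png") and protocol-relative ("//cdn/x.png") URLs inherit
        # the page's scheme, so only an explicit http:// scheme is mixed content.
        if urlsplit(url).scheme.lower() == "http":
            self.findings.append((severity, tag, url))


def find_mixed_content(html):
    """Return the list of (severity, tag, url) findings for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings by severity, e.g. {"active": 3, "passive": 1}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample: a page that has been moved to https but still references
# some assets by absolute http:// URL.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/work/123">
<script src="https://www.example.com/js/app.js"></script>
<script src="http://www.example.com/js/legacy.js"></script>
</head><body>
<img src="http://covers.example.com/cover.jpg">
<img src="//covers.example.com/other.jpg">
<img src="/images/local.png">
<iframe src="http://widget.example.com/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_PAGE)
    for severity, tag, url in found:
        print(f"{severity:7} <{tag}> {url}")
    print(summarize(found))
```

Run over the sample page it reports the stylesheet, the legacy script and the iframe as active mixed content and the cover image as passive, and ignores the canonical link, the protocol-relative image and the site-relative image, which all inherit https from the page. Inline CSS `url(http://…)` references and URLs built in JavaScript are not covered, so a scan of the rendered page in each browser is still needed.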

As a result of this change, if you previously chose to browse LibraryThing over SSL, ignoring the warnings, you will no longer be able to do so. Instead, if you’re on one of the selected user-data pages, the site now forces you onto https; if you’re not on one of these pages, it forces you onto http.

At present, the solution covers LibraryThing.com and all its subdomains, like dk.LibraryThing.com (Danish), br.LibraryThing.com (Brazilian Portuguese). It is not installed on separate domains, like LibraryThing.de (Germany) and LibraryThing.nl (Holland). We will be weighing our options there, as SSL certificates are expensive.

Come discuss this on Talk, if you like.

Labels: new features, security, servers

Tuesday, February 4th, 2014

Security Notice and LibraryThing Password Reset

As a security precaution, we are requiring ALL members to change their passwords, here: http://www.librarything.com/changepassword.php

A security review and search of our records has determined that LibraryThing suffered a data breach in November of 2011. The breach was narrow. We have found no evidence that any catalog or other book data was accessed, changed or lost. The breach did not include member names, so it is unlikely the hacker(s) were after LibraryThing accounts.

Unfortunately, the hacker(s) did assemble and retrieve two key pieces of data: the email addresses and password hashes of members who had listed an email and joined before that date. LibraryThing does not store passwords themselves, only a one-way cryptographic transformation of each one (in technical terms, a salted hash). Such hashes are difficult, but not impossible, to crack, especially for simple passwords.

Although a minority of accounts were affected, we are requiring all members to change their password to take advantage of increased account security features.

The breach. The hacker(s) gained partial access to our system through a flaw in our WordPress blogging software. Read more in “The Full Details” below.

All evidence points to this being an attack aimed at harvesting email addresses. We have every reason to believe no other LibraryThing data was taken, not even user names. The intent was probably to grab the emails for spam and, if possible, to crack the password hashes. Cracked passwords could then be used against members who used the same password for their email, or for email-based services, as they used on LibraryThing. Using the same password across many services is bad practice, but not uncommon. No financial data could have been taken: we do not receive or store credit card numbers or any other financial information.

Our response. Security has been tightened significantly since late 2011, and has been further improved across the board since we discovered the event during a security review on January 21st, 2014. We have now moved our WordPress blog off our servers entirely, so a successful attack on the blog no longer reaches LibraryThing itself. Our password and account-recovery systems have been upgraded to meet the highest industry standards, and we have implemented a slate of additional security measures.

Email notices are being sent out to all members with email addresses. You can change your password any time; you don’t need to wait for the email.

Our apology. The hack may come as a shock; it certainly was to us. Although events of this sort–and far worse–have become numbingly frequent, they are failures indeed. I regret and apologize that any such event could happen on my watch, and the rest of the team feels the same way. We are all committed to ensuring that LibraryThing is as secure as possible going forward.

We hope this failure will not sour you on our service or community. LibraryThing members are a dedicated and passionate bunch, and a pleasure and honor to serve. After years of getting by, the company has significant profits to sink back into development of the main site; we will meet this event with renewed dedication and resources. (Please see, and spread, our recent job ad.)

Because the hack undermines a customer relationship, we have chosen to upgrade to “lifetime” accounts all members who joined before November 20th, 2011. We included those who did not have email addresses listed.

Come ask questions and discuss on Talk. You are also welcome to email tim@librarything.com.

Sincerely,

Tim Spalding
Founder and President


The Full Details

What happened:

  • The hacker broke into the system through a flaw in WordPress, the blogging software that we use. This gave them only partial access to the system, but was sufficient to query the user database and save the results.
  • The breach occurred on November 19th, 2011.
  • We have no evidence of further data breaches. They are not impossible. We are confident no similar attacks could have taken place since at least January 2013, when we added some specific security features.
  • We discovered the breach on January 21st, 2014. As it happened so long ago, we believe whatever damage could be done, has already been done.
  • We waited two weeks in order to understand the attack and to implement a new password system and a series of other security steps before going public, and potentially drawing hacker interest.

What was taken:

  • The hacker(s) exported three fields: email address, password hash and the IP address at sign-up. (The IP would not be of much use to them.)
  • Only members with accounts opened before November 20th, 2011, with email addresses, were affected. In total, 685,259 emails were exported.
  • We have no indication that other LibraryThing data was accessed or taken. It is significant that the hacker didn’t even export LibraryThing user ids or user names. They were surely after emails and passwords, not book data.
  • LibraryThing does not receive or store credit card information or any other financial details. If you registered for a paid account via PayPal, PayPal has your credit card information, but they do not send the numbers to us.
  • We have reasonable suspicion that someone has used the data as a list of live email addresses, and sent spam to them. We have no evidence that any password hashes have been broken, or LibraryThing accounts compromised.

How passwords work:

  • Systems like LibraryThing do not store passwords per se. Rather, we store the output of a one-way cryptographic function, called a hash, computed over the password together with a random per-member value called a salt. The salt means that two members with the same password get different hashes, and that precomputed tables of hashes are useless against the stolen data.
  • In theory, you cannot get from the hash back to the password. In practice, attackers guess: they hash candidate passwords at high speed, using the stolen salt, until one matches. A hash is therefore only as strong as the password behind it. A simple one (e.g., “book”) falls almost immediately, whereas a long, unpredictable one (“mypencilbreaks71” or “xyA1!oG3g”) does not.
  • Cracked passwords are dangerous when someone uses the same password across multiple online services, since a failure at any one service opens up the rest.
  • Members should change their password at LibraryThing and at any other service on which they used the same password. Here and elsewhere, members should also choose longer, hard-to-guess passwords. We encourage you to read safe-password advice from Google or Twitter.
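To make the “difficult, but not impossible” concrete, here is an added example, not LibraryThing’s code, of both sides: a store that keeps salted PBKDF2-HMAC-SHA256 hashes and verifies them in constant time, and the guessing attack an attacker runs over a stolen table, hashing each wordlist candidate with the stolen salt until one matches. The accounts, addresses, wordlist and function names are constructed for the demonstration; the iteration count is kept low so the demo runs in about a second and is not a production recommendation.

```python
"""Salted password hashing, and the guessing attack that still cracks weak passwords.

Added example, not LibraryThing's code. Passwords are stored as salted
PBKDF2-HMAC-SHA256 hashes and verified in constant time; crack() does what an
attacker holding the stolen table does. The accounts and wordlist are
constructed for the demonstration.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # demo value; production settings should be tuned to hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".

    A fresh 16-byte random salt per password means two members who chose the
    same password end up with different stored hashes, and that a precomputed
    table of hashes is useless against the stolen data.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def _parse(stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt, digest = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack(stored, wordlist):
    """Offline dictionary attack against one stolen hash.

    The salt sits next to the hash, so it does not stop guessing; it only
    forces the attacker to redo the work for every account. Returns
    (password, guesses_tried) on success, (None, guesses_tried) otherwise.
    """
    iterations, salt, digest = _parse(stored)
    for tried, guess in enumerate(wordlist, start=1):
        attempt = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), salt, iterations)
        if hmac.compare_digest(attempt, digest):
            return guess, tried
    return None, len(wordlist)


def unsalted_sha1(password):
    """What an unsalted store looks like: identical passwords, identical hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample data: a tiny attacker wordlist and a "leaked" table of
# email -> stored hash. Two members chose the same weak password.
WORDLIST = ["password", "123456", "library", "book", "reading", "letmein", "qwerty", "books"]
LEAKED = {
    "alice@example.com": hash_password("book"),
    "bob@example.com": hash_password("mypencilbreaks71"),
    "carol@example.com": hash_password("book"),
}


def attack_leak(leaked=LEAKED, wordlist=WORDLIST):
    """Run crack() over every leaked hash; returns email -> recovered password or None."""
    return {email: crack(stored, wordlist)[0] for email, stored in leaked.items()}


if __name__ == "__main__":
    for email, recovered in attack_leak().items():
        print(email, "->", recovered if recovered else "not in wordlist")
    # Salting at work: same password, different stored hashes...
    print(LEAKED["alice@example.com"] != LEAKED["carol@example.com"])
    # ...whereas an unsalted hash would expose both with a single lookup.
    print(unsalted_sha1("book") == unsalted_sha1("book"))
```

The two “book” accounts are recovered after four guesses each, while “mypencilbreaks71” survives the whole wordlist; a real attacker’s list runs to hundreds of millions of entries, which is why the password itself, not the hash, is the deciding factor. Note that alice and carol end up with different stored strings despite sharing a password, which is what the salt buys.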

Security improvements:

We can’t go into detail about security improvements. (If we did, we’d be compromising security.) But we can say what you can see:

  • We have moved our WordPress blogs off LibraryThing servers entirely, and onto a separate subdomain, blog.librarything.com. This insulates us from potential WordPress problems.
  • We have upgraded our password system to the highest industry standards. Users who joined in the last week or so, or changed their passwords, are already on the new system. But for simplicity’s sake, we’re requiring everyone to change their password.
  • We have a new system for password resets and changes, including password-strength indicators.
  • Our password recovery system has been changed from one involving sending out a temporary password to one employing quick-expiring tokens.
  • We are now sending out emails whenever a password has been changed. When a member changes their email address, change notices go out to both the new and old email addresses.
  • To discourage spamming of public emails—something that happened recently to some members—we have added an option to show your public email to friends, to signed-in members or everyone. By default, everyone who formerly chose to display their email publicly will now be set to friends-only.
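The change from emailed temporary passwords to quick-expiring tokens is worth spelling out. The following is an added example, not LibraryThing’s code: the server generates a random token, stores only its hash together with the owning account, an expiry and a state, emails the raw token once, and on redemption checks existence, expiry and prior use before any password change happens. Issuing a new token revokes earlier live ones for the same account. The in-memory store, the 15-minute lifetime, the fake clock and the names (`ResetTokenStore`, `demo`) are stand-ins for the demonstration.

```python
"""Password-reset tokens that expire quickly and work once.

Added example, not LibraryThing's code. Only a hash of each token is stored,
so a copy of the table cannot be replayed; redeeming checks existence, state
and expiry, and consumes the token. The store and clock are in-memory stand-ins.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for the demo


class ResetTokenStore:
    """Issues and redeems single-use, time-limited password-reset tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}   # sha256(token) -> {"user": ..., "expires": ..., "state": ...}

    @staticmethod
    def _key(token):
        # Persist a hash of the token, never the token itself, so a leaked
        # table gives an attacker nothing to paste into the reset URL.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, ttl=TOKEN_TTL_SECONDS):
        """Create a token for user_id and return it; this is what the email link carries."""
        # Any earlier live token for this account is revoked: only the newest
        # request can be redeemed.
        for rec in self._records.values():
            if rec["user"] == user_id and rec["state"] == "live":
                rec["state"] = "revoked"
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[self._key(token)] = {
            "user": user_id,
            "expires": self._clock() + ttl,
            "state": "live",
        }
        return token

    def redeem(self, token):
        """Return (user_id, "ok") if the token is valid, else (None, reason).

        A successful redemption consumes the token, so the same link cannot be
        used to change the password a second time.
        """
        rec = self._records.get(self._key(token))
        if rec is None:
            return None, "unknown token"
        if rec["state"] == "used":
            return None, "token already used"
        if rec["state"] == "revoked":
            return None, "token superseded by a newer request"
        if self._clock() > rec["expires"]:
            rec["state"] = "expired"
            return None, "token expired"
        rec["state"] = "used"
        return rec["user"], "ok"


class FakeClock:
    """Controllable clock so the expiry path can be exercised without waiting."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the reset flow; returns each outcome keyed by scenario."""
    clock = FakeClock()
    store = ResetTokenStore(clock)
    outcomes = {}

    first = store.issue(user_id=42)
    outcomes["guessed"] = store.redeem("not-a-real-token")
    outcomes["fresh"] = store.redeem(first)       # the legitimate click
    outcomes["replay"] = store.redeem(first)      # same link clicked again

    stale = store.issue(user_id=42)
    clock.advance(TOKEN_TTL_SECONDS + 1)
    outcomes["expired"] = store.redeem(stale)

    older = store.issue(user_id=7)
    newer = store.issue(user_id=7)                # revokes `older`
    outcomes["superseded"] = store.redeem(older)
    outcomes["newest"] = store.redeem(newer)
    return outcomes


if __name__ == "__main__":
    for scenario, (user, reason) in demo().items():
        print(f"{scenario:10} -> user={user} ({reason})")
```

Compared with mailing a temporary password, nothing in the email is reusable after the first click or after the lifetime passes, and a stolen copy of the store holds only hashes. A production version would also bind the redemption to a password-strength check and to the change-notification email described above, and would record failed redemptions for rate limiting.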

Free accounts:

  • All members with accounts opened before November 20th, 2011 have been upgraded to lifetime accounts.

Labels: security, sysadmin, systems administration

Tuesday, February 4th, 2014

February Early Reviewers batch is live!

The February 2014 batch of Early Reviewer books is up! We’ve got 106 books this month, and a grand total of 3,480 copies to give out.

First, make sure to sign up for Early Reviewers. If you’ve already signed up, please check your mailing/email address and make sure they’re correct.

» Then request away!

The list of available books is here:
http://www.librarything.com/er/list

The deadline to request a copy is Monday, February 24th at 6PM EST.

Eligibility: Publishers do things country-by-country. This month we have publishers who can send books to the US, Canada, the UK, Israel, Australia, France, Germany, and many more! Make sure to check the flags by each book to see if it can be sent to your country.

Thanks to all the publishers participating this month!

Bethany House, Henry Holt and Company, Kregel Publications, Tundra Books, Riverhead Books, Bluffer’s Guides, Taylor Trade Publishing, Akashic Books, JournalStone, Galaxy Audio, Candlewick Press, Chronicle Books, Cleis Press, Random House, Ballantine Books, Human Kinetics, Plume, CarTech Books, Live Out Loud Publishing, Quirk Books, Divine Design, St. Martin’s Press, Eerdmans Books for Young Readers, Prufrock Press, Crown Publishing, In Fact Books, John Ott, Apex Publications, Medallion Press, Crux Publishing, Five Rivers Publishing, Recorded Books, Georgetown University Press, Avery, Gotham Books, BookViewCafe, Crossed Genres Publications, Palgrave Macmillan, Demos Health, The Permanent Press, Minotaur Books, Altaire Productions & Publications, Free Store Books, Open Books, Algonquin Books, Bantam Dell, Phaeton Publishing, ENVISION School Publishing

Labels: early reviewers, LTER

Tuesday, January 28th, 2014

Find LibraryThing a Programmer, win $1,000 in books.

LibraryThing is growing. We’ve long devoted a sizable hunk of our resources to our products for traditional libraries (LibraryThing for Libraries). That business is growing fast, as more and more libraries are discovering the value of our tools.

So it’s time to reap the benefits, and fund LibraryThing.com development.

And we need your help to get the word out.

We need to find a kick-ass PHP programmer, so we’re offering $1,000 worth of books to the person who finds them. Think of it. $1,000 in books. What would you buy? Everything.

Rules! You get a $1,000 gift certificate to the local, chain or online bookseller of your choice.

To qualify, you need to connect us to someone. Either you introduce them to us—and they follow up by applying themselves—or they mention your name in their email (“So-and-so told me about this”). You can recommend yourself, but if you found out about it from someone else, we hope you’ll do the right thing and make them the beneficiary.

Small print: Our decision is final, incontestable, irreversible and completely dictatorial. It only applies when an employee is hired full-time, not part-time, contract or for a trial period. If we don’t hire someone for the job, we don’t pay. The contact must happen in the next month. If we’ve already been in touch with the candidate, it doesn’t count. Void where prohibited. You pay taxes, and the insidious hidden tax of shelving. Employees and their families are eligible to win, provided they aren’t work contacts. Tim is not.

Here’s the job post:


What we want: LibraryThing is looking for a kick-ass programmer (coder, hacker, engineer, etc.) to join the team, working mostly on LibraryThing.com.

Basics:

  • You can be anywhere. LibraryThing is headquartered in Portland, Maine, but most technology employees are remote.
  • If you’re not local, we’d expect you to visit the office for team meetings from time to time.

Tangibles:

  • Necessary. LibraryThing is written in non-OO PHP. You should be a sure-footed, experienced, secure and rapid PHP coder.
  • Core. JavaScript (with jQuery, Prototype), CSS, MySQL.
  • Bonus. Mobile development (native or not), Python, Solr, book- and library technologies, systems skills, design or UX chops.

Take the Quiz:

Want to work for us? We have a simple quiz, developed back in 2011. If you can do it in under five minutes, you should apply for the job!

» The LibraryThing Programming Test

Do it in your best language the first time. If you also want to do it in PHP, we won’t object.

Intangibles:

  • Creativity, diligence, optimism, and outspokenness are favored.
  • We like to hire people who care about books, and believe in an open and humane vision of the future of reading.
  • We like LibraryThing members, and people who should be LibraryThing members. Be sure to check out What Makes LibraryThing LibraryThing?
  • Working on LibraryThing.com means understanding and working with its members. Staff and members develop and refine ideas together. LibraryThing is for those members, and most of what makes LibraryThing great is created by members, so—in a way—you are their servant. That can be great, and it can (occasionally) suck. You need to want that dynamic.
  • Working on LibraryThing.com means working with Tim. A lot. Don’t worry, he’s really very nice.
  • LibraryThing is an informal, high-pressure and high-energy environment. This puts a premium on speed and reliability, communication and responsibility.
  • Working remotely gives you freedom, but also requires discipline and internal motivation.

Compensation:

Salary plus gold-plated health and dental insurance. We find the best programmers keep regular hours, but we are both understanding and flexible.

Other:

  • We are not looking for part-timers.
  • We are not looking for companies.
  • We do not discriminate on any irrational basis, such as age, race, sex or religion, but you should probably use a Mac.

How to Apply:

Send an email and resume to jobs@librarything.com.

Skip the cover letter, and go through the blog post in your email, responding to the tangibles and intangibles bullet-by-bullet.

Also include your solution to the quiz, and how long it took you. Anything under five minutes is fine. If it takes you longer than five minutes, we won’t know. But if you make it to interviews, they’ll involve some live coding of this sort, and will be painful for you.

Labels: jobs

Friday, January 10th, 2014

The February and March Group Read Winners Are…

Last week the staff here at LibraryThing came up with a list of candidates for our next two One LibraryThing, One Book selections, and put them up for a vote. The results are in!

February

The Picture of Dorian Gray

Dracula and Frankenstein were pretty neck-and-neck (ha!), but Oscar Wilde’s only published novel won with an impressive lead. Dublin City Public Libraries tackled this one as a One City, One Book read a few years ago, too.

Official discussion will begin on February 10th at 12pm Eastern. Thinking about joining us for this read? Introduce yourself, or look for the threads labeled “Dorian Gray,” over on the One LibraryThing, One Book group.

For now, staff will be creating new threads, but feel free to start your own come February 10! You might also want to make use of our new Spoiler feature, if you’d rather not ruin the plot for others.

March

American Gods

In another landslide victory, Neil Gaiman’s meandering journey through deities from pantheons the world over beat out The Poisonwood Bible and, the 18th most-added book on LibraryThing for December, Where’d You Go, Bernadette.

Official discussion for American Gods will begin on March 10th at 12pm Eastern, but feel free to get started early! If you’d like to join us for this read, Introduce yourself to the group, and look for threads labeled “American Gods” on the One LibraryThing, One Book group page.

As above, staff will be handling creating new threads for American Gods until official discussion begins on March 10. Prior to that date, please use Spoiler tags liberally! After that point, all group members are free to start new threads.

More?

I hope you’ll join us for one—if not both—of these reads! If you have any general One LibraryThing, One Book questions or feedback, those are always welcome in this thread.

Labels: One LibraryThing One Book

Friday, January 10th, 2014

New Feature: Spoiler Alert!

To accompany the next few rounds of One LibraryThing, One Book, we’ve rolled out another nifty feature that’s been requested for quite some time now: a spoiler tag. Use it throughout OLOB discussion, and anywhere you deem necessary on LibraryThing.

How does it work?

All you have to do is enclose the spoiler-y text in a “spoiler” tag, like so:

“And the real murderer was actually <spoiler>you</spoiler> all along!”

Your result will look like this:

“And the real murderer was actually you all along!” (with “you” hidden behind a spoiler marker until the reader clicks it)

If you’re desperate to share what happened at the end of a good book, but don’t want to give too much away, just wrap the sensitive lines in a spoiler tag. You’ll avoid unintentionally ruining someone’s read-through (and if they do actually click on it, well, they’ve had fair warning).

Questions? Comments?

Let us know over on Talk.

Labels: features, new features

Tuesday, January 7th, 2014

January Early Reviewers Batch is Live!

Our very first batch of Early Reviewer books for 2014 is up! We’ve got 87 titles this month, and a grand total of 2,890 copies to give out.

First, make sure to sign up for Early Reviewers. If you’ve already signed up, please check your mailing and/or email address and make sure it’s correct.

» Then request away!

The deadline to request a copy is Monday, January 27th at 6PM Eastern.

Eligibility: Publishers do things country-by-country. This month we have publishers who can send books to the US, Canada, the UK, Israel, Australia, France, and many more! Make sure to check the flags by each book to see if it can be sent to your country.

Thanks to all the publishers participating this month!

Tundra Books, Henry Holt and Company, Ashland Creek Press, Indie Streets, Pets Unchained, JournalStone, Bethany House, Putnam Books, Riverhead Books, 21 Pages, Prospect Park Books, Bards and Sages Publishing, John Ott, Quirk Books, Bluffer’s Guides, William Morrow, Demos Health, Orca Book Publishers, Blacksmith Books, Taylor Trade Publishing, Muskrat Press, LLC, Crown Publishing, Gotham Books, Akashic Books, Apex Publications, Penguin Young Readers Group, Fantastic Books, Ballantine Books, Recorded Books, Palgrave Macmillan, Bantam Dell, CarTech Books, HotCore Yoga Press, Eerdmans Books for Young Readers, BookViewCafe, PublicAffairs, Rocky Pines Press, Zonderkidz, The Permanent Press, Blue Mongoose Publishing, Random House

Labels: early reviewers, LTER

Friday, January 3rd, 2014

Vote for One LibraryThing, One Book

One LibraryThing, One Book is kicking off the new year with a referendum! Following considerable discussion, and a concerted staff huddle, we’ve collected a few options for both February’s and March’s One LibraryThing, One Book.

Come rank the titles you’d like to read and discuss with the community!

Voting closes and the winners will be set on January 10th, at 10am Eastern.

February 10: Classic Horror

Click to vote | Discussion topic

March 10: Contemporary Fiction

Click to vote | Discussion topic

More Information

Reading will begin as soon as voting closes, and we announce the winners in a blog post.

Discussion for February starts on the 10th at 12 noon Eastern time.

You can read through each (or either) title at your own pace. We will also create continuations of “Introduce Yourself” and “First Impressions” threads. As before, please keep these threads spoiler-free before the discussion officially begins.

Discussion for March starts March 10th at 12 noon Eastern time.

If you’re new to One LibraryThing, One Book, be sure to read through our original blog post.

We had a quite successful first OLOB; almost 100 members joined our discussions about The Circle, and we posted over 1,000 comments collectively. The dystopian novel sparked many topics concerning current online privacy issues and future predictions both good and bad (but mostly bad). We may encounter similar discussion topics, depending on which book is chosen, so keep this in mind when voting. No matter what, I think we’ll end up with some excellent selections!

How the Titles Were Picked

The titles were picked by the LibraryThing team, attempting to take praise and criticism of the last pick into consideration. All the books are widely available in libraries, as paperbacks and in the used market. All are highly regarded and have good ratings—Frankenstein and Dracula somewhat lower, probably because they’re often assigned in schools.

To discuss the selection further, come see the Talk topic here.

Questions? Comments?

As always, general questions/comments about One LibraryThing, One Book, are welcome on this thread.

Happy voting!

Labels: One LibraryThing One Book

Thursday, January 2nd, 2014

Throwback Thursday: Our Favorite Books from Childhood

Amidst all the year-in-review, and New Year’s resolution posts, I got to waxing nostalgic with the rest of the LT crew about my favorite books as a kid. Surprise surprise, we were all very big readers from young ages, and there were a number of repeats on our individual lists, so I’ve compiled them here.

» Add your childhood favorites to the list!

These six books/series were the most popular among the staff.

And here are a few honorable mentions. While none of his titles were repeated, Roald Dahl popped up three times!

Labels: lists, nostalgia

Tuesday, December 17th, 2013

Top Five Books of 2013

For the last two years running (2012 and 2011), LT staff members have each compiled a list of their top five reads for the year.

For 2013, we wanted everyone to get in on the fun, so we compiled a list that all of LibraryThing can add to. We’d like to see not just the most read books of 2013, but the best of the best. What were your five favorite reads of 2013?

» List: Top Five Books of 2013 — Add your own.


Continuing this grand tradition, here’s the wordier breakdown of the staff’s favorites, including some honorable (and dishonorable) mentions:

Tim

Parable of the Sower by Octavia E. Butler: Mike’s suggestion. Wonderful atmosphere.

Eifelheim by Michael Flynn: Unexpected story of aliens landing in 14c. Germany, and of misunderstanding and understanding.

Benjamin Bear in Fuzzy Thinking by Philippe Coudray: First book my son read cover-to-cover.

The Horse and His Boy by C.S. Lewis: I don’t believe I had read it before. Told it was a dud, but I loved it.

The Circle by Dave Eggers: Not the greatest novel qua novel, but it’ll stick with me. And it was enormously validating to have some of my fears put out there.

Tim’s dishonorable mentions for 2013:
Wool by Hugh Howey: I love good science fiction, but most of it is crap. Hot or not, it’s crap…
The Black Cloud by Fred Hoyle: Bad “classic” science fiction. Didn’t finish.
Children of God by Mary Doria Russell: I adored The Sparrow. The sequel is a big disappointment. It’s a “negative sequel.” Like the Matrix sequels, it makes the original worse.
The Midwich Cuckoos by John Wyndham: Bad “classic” science fiction.


Abby

Life After Life by Kate Atkinson

Lavinia by Ursula K. Le Guin

Code Name Verity by Elizabeth Wein

Wonderstruck by Brian Selznick

Where’d You Go, Bernadette* by Maria Semple

*Abby would like it noted that she blames The Circle by Dave Eggers for making her put other books on hold, which might have actually been the best this year.


Kate

The Goldfinch by Donna Tartt

Special Topics in Calamity Physics by Marisha Pessl

Eleanor & Park by Rainbow Rowell

The Cuckoo’s Calling by Robert Galbraith

Everything Is Perfect When You’re a Liar by Kelly Oxford

Kate’s dishonorable mentions for 2013:
There Was an Old Woman by Hallie Ephron
The Never List by Koethi Zan
Three Graves Full by Jamie Mason
You Are One of Them by Elliott Holt: A 1980s Cold War bildungsroman, complete with spies and mistaken identities?! I was supposed to love this book. I did not love this book.


Chris H.

Rough Passage to London: A Sea Captain’s Tale by Robin Lloyd

The Unincorporated Man by Dani Kollin

The Road to Ubar: Finding the Atlantis of the Sands by Nicholas Clapp

Priceless: How I Went Undercover to Rescue the World’s Stolen Treasures by Robert K. Wittman

The Inventor and the Tycoon: A Gilded Age Murder and the Birth of Moving Pictures by Edward Ball


Mike

The Golem and the Jinni by Helene Wecker

The Republic of Thieves by Scott Lynch

The Crown Tower by Michael J. Sullivan

The Daylight War by Peter V. Brett

Low Town by Daniel Polansky


Seth

Ender’s Game by Orson Scott Card

The Name of the Wind by Patrick Rothfuss

Little Brother by Cory Doctorow

Hyperbole and a Half by Allie Brosh

The Masters of Doom: How Two Guys Created an Empire and Transformed Pop Culture by David Kushner


Chris C.

Building Machine Learning Systems with Python by Willi Richert

A Wizard, a True Star: Todd Rundgren in the Studio by Paul Myers

Machine Learning for Hackers by Drew Conway

Frank: The Voice by James Kaplan

Make: Electronics: Learning Through Discovery by Charles Platt


KJ

The Rathbones by Janice Clark

Will in the World: How Shakespeare Became Shakespeare by Stephen Greenblatt

Cypherpunks by Julian Assange

The Penelopiad: The Myth of Penelope and Odysseus by Margaret Atwood

Let the Great World Spin by Colum McCann

KJ’s honorable mentions for 2013:
The Cuckoo’s Calling by Robert Galbraith
Fangirl by Rainbow Rowell
Open City by Teju Cole


Loranne

The Lathe of Heaven by Ursula K. Le Guin
This one’s a re-read for me (for sci-fi book club), but it’s also one of my all-time favorites, so it’s going on the list.

Hyperbole and a Half by Allie Brosh
Definitely my most anticipated book of the year, and it did not disappoint. Allie Brosh is a hilarious, insightful genius.

Angelmaker by Nick Harkaway
This one didn’t change my reading life the way his first novel, The Gone-Away World did, but it’s also excellent.

Oryx & Crake by Margaret Atwood
I binged on the whole trilogy in about a month, but this was my favorite by far.

The Prisoner of Heaven by Carlos Ruiz Zafón
I absolutely loved The Shadow of the Wind and The Angel’s Game, but didn’t think this one quite measured up. Still very good, though.

Loranne’s dishonorable mentions for 2013:
The Circle by Dave Eggers: I really enjoyed doing One LibraryThing, One Book, but when I finally finished this one, I wanted to throw it against a wall. I just did not like it. At all.
Dhalgren by Samuel R. Delany: Another selection for sci-fi book club. I just couldn’t get into this one. I didn’t even make it to the halfway point. Kept waiting for things to get interesting/start making sense, and they never did.


Matt

Tutte le poesie by Eugenio Montale

Goodbye to All That by Robert Graves

The Collected Tales of Nikolai Gogol by Nikolai Gogol

The Flamethrowers by Rachel Kushner

The Origin and Goal of History by Karl Jaspers

Matt’s honorable mentions for 2013:
Locomotrix: Selected Poetry and Prose of Amelia Rosselli by Amelia Rosselli
The Professional Chef’s Book of Charcuterie by Tina G. Mueller
Brideshead Revisited by Evelyn Waugh

More?

Tell us about your favorites for 2013 on Talk, or add your own Top Five to our list!

Labels: holiday, lists, reading, recommendations