Twitter blog campaign to pull their finger out


Elias Bizannes

Jan 4, 2009, 1:06:29 AM
to Silicon Beach Australia
Hi everyone,

I personally believe Twitter is being irresponsible by creating an
ecosystem off their API without creating appropriate safeguards to
protect users like us. I am looking for some Aussie bloggers to help
me make some noise. The silicon beach community literally took the
fight against the clean feed to a whole new level, so I'm looking for
us to do it again by creating a better Internet through example.

Quick background:
For you to give access to things like third party apps (like Twhirl),
you need to give up your login and password. As has been reported in
the tech news this last week, there have been security breaches of
people taking your Twitter password and selling it and the like. A
simple change to their API can avoid this bad password anti-pattern.

With delegated authentication or through the use of an open standard
called "oAuth" you can actually allow websites to access your data
without you needing to give up your password (by simply giving them
permission through the Twitter interface). What happens is that
instead of you punching in your password, and giving some random your
personal details which they can then take advantage of, you can
instead have them request Twitter for authorisation, and you can
simply click a button saying "approved".

I will be posting something on the DataPortability Project's blog
about the issue and hope to give it some attention. The more people we
have posting a synchronised blog post, the better chances we can turn
this into news and get them to pull their finger out. I know for a
fact the only reason they are not doing this is because they don't
give it a high enough priority - but of course they don't, as it's not
them hurting but us. With a bit of awareness, we can make people
realise there is a simple way to fix a very serious issue, which is
compromising your online identity.

I've already had to change my passwords a few times due to third party
apps, and I am sick of doing it, and it annoys me when I know I don't
need to do it!

Please contact me if you are willing to participate. For those looking
to get a bit more exposure of their blogs, this is a good way to do
it :)

Thanks!
Elias
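The delegated-authorisation model Elias describes (the user approves an app inside the service, the app receives a token and never sees the password) as an added example; this is illustrative code written for this thread, not Twitter's or OAuth's actual implementation. The user store, app names and scope names are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the service's own user database (username -> password hash).
# Illustration only: a real store would use a slow, salted password hash.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


@dataclass
class Grant:
    user: str
    app: str
    scopes: frozenset
    revoked: bool = False


class AuthServer:
    """Issues a per-app, scoped, revocable token once the user clicks 'approve'.
    Only this server ever checks the password; third-party apps hold tokens."""

    def __init__(self):
        self._grants = {}  # token -> Grant

    def approve(self, user, password, app, scopes):
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(user, ""), digest):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the password
        self._grants[token] = Grant(user, app, frozenset(scopes))
        return token

    def authorize(self, token, app, scope):
        """Return the user a token acts for, or None if it is unknown, revoked,
        presented by a different app, or lacks the requested scope."""
        g = self._grants.get(token)
        if g is None or g.revoked or g.app != app or scope not in g.scopes:
            return None
        return g.user

    def revoke(self, user, app):
        """The user withdraws one app's access without changing their password."""
        revoked = [g for g in self._grants.values()
                   if g.user == user and g.app == app and not g.revoked]
        for g in revoked:
            g.revoked = True
        return len(revoked)
```

Revoking a single app's grant leaves every other app and the user's password untouched, which is exactly what a shared password cannot offer.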

David Jones

Jan 4, 2009, 2:34:16 PM
to silicon-bea...@googlegroups.com

Here is an example of why what Elias is proposing is important. The twitter signin has 'groomed' ppl into poor privacy practices and so the bad guys have moved in.
I've been waiting for phishing to start for a while and also you can expect malware on the end of the tinyurl, tr.im, bit.ly urls because it hides the destination (we subconsciously scan urls and assess trust of that link by its name).
So here is a good writeup on this week's emergent twitter phishing - it uses all the standard bad guy techniques - they just needed an incentive to start.

http://threatchaos.com/2009/01/twitter-phishing/
d.

silky

Jan 4, 2009, 4:53:06 PM
to silicon-bea...@googlegroups.com
Yeah, this is why I don't use those services.

oAuth is an option, but even twitter doing something trivial
themselves would be nice, like I proposed here a while back:

http://lets.coozi.com.au/content/token-based_authentication_for_api_access.html
--
noon silky
http://www.boxofgoodfeelings.com/

Elias Bizannes

Jan 4, 2009, 9:06:00 PM
to silicon-bea...@googlegroups.com
Thanks David and Michael - I've incorporated those posts into the blog post that will be published tomorrow morning.

John Masson

Jan 8, 2009, 5:02:53 AM
to Silicon Beach Australia
An excellent point that some of us at work were discussing a few weeks
ago; there are SO many dodgy looking sites asking for twitter
credentials to do who knows what with - it's scary!! It's like phishing
attacks without even pretending to look like something else :)

Will definitely aim to talk about this in our next Instantiate
Podcast.

JM

Rex Chung

Jan 8, 2009, 5:13:17 AM
to silicon-bea...@googlegroups.com
Mashable had several posts about this.
http://mashable.com/2009/01/03/warning-twitter-phishing-attack-underway/

"You can follow updates on the attack by subscribing to the Twitter
topic #phishingalert"
http://search.twitter.com/search?q=%23phishingalert

Rex
-- 
Sydney: +61 421 591 943
HK:       +852 6901 2682

Ankoder - Video Encoding On Demand
http://www.ankoder.com

Sherif

Jan 8, 2009, 6:46:18 AM
to Silicon Beach Australia
@silky - totally agree, Twitter need to adopt a password anti-
pattern: http://adactio.com/journal/1357/

FriendFeed does it really well - they have a 'remote key' which
third-party applications use - and not your actual username and passwords.
It's been well thought out...

I'm really amazed at how badly twitter is written (the many outages we
had months ago (due to it being written more like a blog-architecture
than a message-queue type of solution), and even more recently the
phishing attacks)

Just goes to prove that to get a successful startup it's a lot to do with
timing and getting a big user-base .. they have done that very well.
Hats off to them, you can deliver an average service - that's so
popular - it takes something big to move all users off twitter... will
this be it? I don't think it will...

On Jan 8, 9:13 pm, Rex Chung <rex.ch...@gmail.com> wrote:
> Mashable had several posts about this.
> http://mashable.com/2009/01/03/warning-twitter-phishing-attack-underway/
>
> "You can follow updates on the attack by subscribing to the Twitter
> topic #phishingalert"
> http://search.twitter.com/search?q=%23phishingalert
> Rex
> --
> Sydney: +61 421 591 943
> HK:       +852 6901 2682
>
> Ankoder - Video Encoding On Demand
> http://www.ankoder.com

Sherif

Jan 8, 2009, 10:19:43 PM
to Silicon Beach Australia
Forget about oAuth - none of this problem gets fixed until we get some
decently coded applications!
More to my point: http://news.zdnet.co.uk/security/0,1000000189,39588628,00.htm

Twitter hackers - a brute force attack. Twitter has no limit on login
attempts, no challenge-response and no Captcha.

They are now working on changing all that..
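Sherif's point (no limit on login attempts) is the one piece of this that is cheap to fix server-side. Below is an added example of a sliding-window login throttle, counted per account and per source address, so a dictionary attack is cut off after a handful of failures; it is illustrative code for this thread, not Twitter's fix. The credential check, limits and addresses are constructed.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Remembers recent failed logins per account and per source IP and
    refuses further attempts once either count reaches its limit."""

    def __init__(self, max_per_account=5, max_per_ip=50, window=900,
                 clock=time.monotonic):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window = window  # seconds the failures are remembered
        self.clock = clock    # injectable so tests can move time forward
        self._fails = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > self.window:  # drop failures older than window
            q.popleft()
        return len(q)

    def allowed(self, user, ip):
        now = self.clock()
        return (self._recent(("user", user), now) < self.max_per_account
                and self._recent(("ip", ip), now) < self.max_per_ip)

    def record(self, user, ip, success):
        now = self.clock()
        if success:
            self._fails.pop(("user", user), None)  # clean slate for the account
        else:
            self._fails[("user", user)].append(now)
            self._fails[("ip", ip)].append(now)


def attempt_login(throttle, check_password, user, password, ip):
    """Returns "throttled", "denied" or "ok"; throttled requests are refused
    before the password is even checked, so guesses stop yielding information."""
    if not throttle.allowed(user, ip):
        return "throttled"
    ok = check_password(user, password)
    throttle.record(user, ip, ok)
    return "ok" if ok else "denied"


def check_password(user, password):
    # Constructed credential store for the example only.
    return (user, password) == ("alice", "s3cret")
```

The per-IP counter catches the case where one host sprays a weak password across many accounts, which the per-account counter alone would miss.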

Elias Bizannes

Jan 8, 2009, 10:25:18 PM
to silicon-bea...@googlegroups.com
OAuth isn't the solution for everything, but it at least eliminates the stupid practice that's creating a culture of risk (due to acceptance), that requires consumers to hand over their password between unrelated entities.

APIs are at the core of not just the mashup culture on the web, but of future innovation and business models. To only be able to use a third party application that needs to query an API, by forcing users to give up their service password, is bloody ridiculous.

The most recent news was a brute-force, but there have already been several instances where third-party Twitter apps abused the trust of their users. Again, OAuth can still be abused, but it's one small step to something better than the status quo.
--
Elias Bizannes
http://liako.biz

Shaon Diwakar

Jan 8, 2009, 10:46:00 PM
to silicon-bea...@googlegroups.com
Implementing OAuth can get tricky when retrofitting, especially since
a lot of sites such as Twitter may have unique/custom user
authentication models, but it's definitely a step forward.

For everyone working on a web app, please consider the following Top
Ten common threats [1] along with the excellent materials at OWASP [2].

It's good to think about security early in the requirements gathering
phase (especially when outsourcing development) and Twitter's woes
go to show that it's important to invest in safeguards.

I can understand that it's expensive to implement security when you're
boot-strapping, but when you get to a scale like Twitter - there's
really no excuse!!!


[1]: http://www.owasp.org/index.php/Top_10_2007
[2]: http://www.owasp.org/

Sriram Panyam

Jan 8, 2009, 11:38:07 PM
to silicon-bea...@googlegroups.com
you know all said and done how the hell do you technically safeguard against "Happiness" as a password?

but yes a dictionary attack is something they could have prevented with rate-limiting!
--
Blog: http://panyam.wordpress.com
URL: http://www.geocities.com/spany_1

silky

Jan 8, 2009, 11:42:30 PM
to silicon-bea...@googlegroups.com
On Fri, Jan 9, 2009 at 3:38 PM, Sriram Panyam <sri.p...@gmail.com> wrote:
> you know all said and done how the hell do you technically safeguard
> against "Happiness" as a password?

The problem is not so much that (it's bad, arguably, and even you
could force some complexity or length (personally I recommend
long-sentences)) but really the fact that it was trivial to do the
password reset on the accounts.

What should've been done is that a secondary token is required to do
the reset. For example, the crystal account requests a reset, is sent
a 'confirm reset thing' to an offline area (her email, an internal
twitter site, etc) and then it's processed there (possibly with yet
another token).


> but yes a dictionary attack is something they could have prevented with
> rate-limiting!

--
noon silky
http://www.boxofgoodfeelings.com/
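The reset flow silky sketches (a request produces a secondary token that is delivered out of band, and only that token completes the reset) as an added example; this is illustrative code for this thread, not Twitter's code. The server keeps only a hash of the token, the token is single-use and expires, and the "outbox" list is a constructed stand-in for the e-mail channel.

```python
import hashlib
import hmac
import secrets
import time


class PasswordReset:
    """A reset needs a secret the requester only receives out of band, so
    knowing a username (or guessing a password) is not enough to take over."""

    def __init__(self, ttl=900, clock=time.time):
        self.ttl = ttl        # seconds a reset token stays valid
        self.clock = clock    # injectable so tests can move time forward
        self._pending = {}    # user -> (sha256(token), expiry)
        self.outbox = []      # constructed stand-in for the out-of-band channel

    def request(self, user):
        token = secrets.token_urlsafe(32)
        # Store only the hash: a leaked table cannot be replayed as tokens.
        self._pending[user] = (hashlib.sha256(token.encode()).digest(),
                               self.clock() + self.ttl)
        self.outbox.append((user, token))  # sent to the user's e-mail, never in the web reply
        return "if the account exists, a reset link has been sent"  # same text either way

    def confirm(self, user, token, new_password, set_password):
        """Completes the reset only with a live, matching token; returns True on success."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        token_hash, expiry = entry
        if self.clock() > expiry:
            del self._pending[user]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(token_hash, presented):
            return False  # wrong token; the pending entry simply ages out
        del self._pending[user]  # single use: a replayed link does nothing
        set_password(user, new_password)
        return True
```

The request endpoint answers identically whether or not the account exists, so it cannot be used to enumerate usernames either.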
