This is far less secure than OAuth and is actually not much better
than requiring a username and password.
One of the core benefits of OAuth is the ability to be very specific
regarding what each authorised application is allowed to do, on a per
application basis. It also allows you to selectively revoke the
permissions of any specific application without needing to ask or even
tell the application about it. To do this with the API key system you
effectively need to re-authorise every app you use when you want to
block just one of them. No real difference between this and having to
change your password.
I would much prefer that the guys (and gals) at Twitter concentrate on
getting OAuth properly implemented (which is harder than it sounds)
than their attention gets diverted by developers too impatient to wait
for the right solution to the problem.
-Stut
--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
Truly OAuth is needed, and is a priority to the Twitter team (they've said
so). However, there is nothing in the link that Scoble has up saying directly
that the buyer is planning to use the information Twply has harvested (namely
usernames and passwords) for nefarious purposes other than to continue
running the site. They certainly could, but Scoble needs to chill out a
little.
More to the point, there is nothing about OAuth that prevents a similar
bad actor from behaving badly. This older post puts it in perspective very
succinctly:
http://groups.google.com/group/twitter-development-talk/msg/16bf699d39c7f804
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- 10% of computer users [use] Mac ... the top 10 percent. -- Douglas Adams ---
I agree that OAuth can't arrive too soon, but this episode sucks
mainly because there is no need for something like twply to need your
password. This annoyed me so much that I spent this afternoon coding
up a site to prove that point.
Feedback greatly appreciated: http://replies.twitapps.com/
-Stuart
That's pretty clever. Nice work.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Shady business do not make for sunny life. -- Charlie Chan -----------------
Thanks.
> Quick question: How are you ensuring that you see *all* posts in the
> public timeline? I didn't think that was quite possible yet with the
> Twitter API.
It's actually using the search API not the public timeline.
-Stuart
I'd find more reputable sources for that argument.
--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron
Whilst there's an element of truth in your statement (just about all
of the prominent tech bloggers remain prominent by stirring up drama),
lots of people have been saying similar things for a long time. Ad
hominem attacks don't change the fact that the message is right. You
could start here : http://adactio.com/journal/1357 .
I think we all understand, however, that the twitter engineering team
first needed to make twitter stable before they could add features
like this one. Now that they've largely done that, it appears they're
responding to demand for features like this one, which is great news.
Mark
So let's say Scoble is right. How, in fact, does OAuth prevent a bad
actor from using credentials to act badly?
OAuth solves many problems; it doesn't solve this one.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- BOND THEME NOW PLAYING: "The Man With the Golden Gun" ----------------------
> Whilst there's an element of truth in your statement (just about all
> of the prominent tech bloggers remain prominent by stirring up drama),
> lots of people have been saying similar things for a long time. Ad
> hominem attacks don't change the fact that the message is right. You
> could start here : http://adactio.com/journal/1357 .
Agreed, and that's a much better source.
>
> I think we all understand, however, that the twitter engineering team
> first needed to make twitter stable before they could add features
> like this one. Now that they've largely done that, it appears they're
> responding to demand for features like this one, which is great news.
Yep. So not really a lot of point in continuing the "oh boy, this is a
big problem! thing, I think, when they're on it and have given many
updates here recently." That's not a criticism of you in particular,
but of folks who apparently don't search the archives before posting
something along the lines of "Scoble said this is a big deal, so you'd
better do it!" It doesn't help in any way.
And this.
I think it's getting more urgent day by day:
http://scobleizer.com/2009/01/01/twitter-warning-your-data-is-being-sold/
Richie
http://twitter.com/RMetzler
Maybe for apps, but not for users. A user that thinks he's secure and is
not is far worse off than a user who's insecure and knows he isn't. If this
makes people think about who they give credentials to -- OAuth or no -- then
the experience will be a painful but useful lesson.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- BOND THEME NOW PLAYING: "The World is Not Enough" --------------------------
There are several problems to be solved, though.
The first is a malicious actor with access to a single system (in this
case, twitter) spamming. OAuth doesn't solve the problem of someone
using an account to spam using messages from that user (unless that
app doesn't need to message, and twitters OAuth implementation has
granular permissions).
The second is a malicious actor with access to a single system gaining
control of other systems that user has access to because they've used
the same username and/or password. Whilst this is bad practice on the
part of the user, we'd be silly to pretend that this isn't a large
problem. OAuth *does* solve that problem, which is one of the
problems in this scenario.
The third is a malicious actor with access to a single system locking
the user out of their own account (by changing their password) and
claiming the account for themselves (which has been known to happen
with gmail accounts, for example). Twitter, so far as I'm aware,
doesn't allow changes of passwords via the API, and I would assume
that an OAuth implementation would only allow access to the API, and
not the web interface. Even were these things not the case, it
wouldn't make sense to allow an OAuth client to change the user
password. So OAuth does solve this problem, also.
Mark
Clearly. But the point I'm making is that *this* particular situation isn't
solved by OAuth. You're absolutely right about the rest of the similar
issues it *does* improve -- no one is contesting OAuth's utility -- but it
wouldn't help this particular hypothetical situation.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Friends don't let friends use Windows. -------------------------------------
Actually, it does.
On Jan 2, 11:06 am, "Jesse Stay" <jesses...@gmail.com> wrote:
>
> It's true, OAuth doesn't really solve this problem, but the general public
> thinks it does.
With OAuth you can turn off a particular token, blocking a *specific*
application (i.e. Twply).
It doesn't prevent bad actors from behaving badly, but it does given
provide a pathway to give users more control over third-party access
to their account.
If you don't like what your application does, or find it hard to do
what you want, I might also suggest that you developed your
application at the wrong time. Making financial commitments that rely
on a service which you have no agreement to level or service seems
like a bad idea.
--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron
Whether its writing books or developing applications, it's typically
bad form to assume your own experience mirrors others' experience when
doing a similar type of activity. Generally leads to incorrect
assumptions.
If you don't like what your application does, or find it hard to do
what you want, I might also suggest that you developed your
application at the wrong time. Making financial commitments that rely
on a service which you have no agreement to level or service seems
like a bad idea.
Of course, once we offer OAuth, it would be nice to see the same
community pressure that's been applied to us put towards companies
like Amazon. The Amazon.com iPhone app collects my username and
password, and that account is actually tied to my credit card
information. Where are the blog posts about their anti-patterns?