Here is an example of why what Elias is proposing is important. The Twitter sign-in has 'groomed' people into poor privacy practices, and so the bad guys have moved in. I've been waiting for phishing to start for a while, and you can also expect malware on the end of the tinyurl, tr.im and bit.ly URLs because they hide the destination (we subconsciously scan URLs and assess the trust of a link by its name). So here is a good write-up on this week's emergent Twitter phishing. It uses all the standard bad-guy techniques; they just needed an incentive to start.
http://threatchaos.com/2009/01/twitter-phishing/

d.

On Jan 4, 2009 5:06 PM, "Elias Bizannes" <elias.bizan...@gmail.com> wrote:

Hi everyone,

I personally believe Twitter is being irresponsible by creating an ecosystem off their API without creating appropriate safeguards to protect users like us. I am looking for some Aussie bloggers to help me make some noise. The Silicon Beach community literally took the fight against the clean feed to a whole new level, so I'm looking for us to do it again by creating a better Internet through example.

Quick background: for you to give access to things like third-party apps (like Twhirl), you need to give up your login and password. As has been reported in the tech news this last week, there have been security breaches of people taking your Twitter password and selling it and the like. A simple change to their API can avoid this bad password anti-pattern. With delegated authentication, or through the use of an open standard called "OAuth", you can actually allow websites to access your data without you needing to give up your password (by simply giving them permission through the Twitter interface). What happens is that instead of you punching in your password, and giving some random your personal details which they can then take advantage of, you can instead have them request authorisation from Twitter, and you can simply click a button saying "approved".

I will be posting something on the DataPortability Project's blog about the issue and hope to give it some attention. The more people we have posting a synchronised blog post, the better chance we have of turning this into news and getting them to pull their finger out. I know for a fact the only reason they are not doing this is because they don't give it a high enough priority, but of course they don't, as it's not them hurting but us. With a bit of awareness, we can make people realise there is a simple way to fix a very serious issue, which is compromising your online identity.
I've already had to change my passwords a few times due to third-party apps, and I am sick of doing it, and it annoys me when I know I don't need to do it! Please contact me if you are willing to participate. For those looking to get a bit more exposure for their blogs, this is a good way to do it :)

Thanks!
Elias

--
You received this message because you are subscribed to the Google Groups "Silicon Beach Australia" group.
To post to this group, send email to silicon-beach-australia@googlegroups.com
To unsubscribe from this group, send email to silicon-beach-australia+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/silicon-beach-australia?hl=en
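The point in d.'s reply, that a shortened link hides where it really goes, suggests the obvious check: expand it before trusting it. The Python below is an added example, not code from either message or from any of the services named; the redirect table, the `.example` hosts and the `expand`/`lands_on` helper names are constructed for illustration. It follows redirects one hop at a time instead of letting a client auto-follow them, so a relative `Location`, a loop and a look-alike host all stay visible:

```python
"""Expand a shortened URL one hop at a time, never auto-following redirects, so the real
destination can be checked before anyone clicks. The redirect table below is constructed."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample data standing in for HEAD responses: url -> (status, Location header)
SAMPLE_HOPS = {
    "http://bit.ly/abc123": (301, "http://tr.im/xyz"),
    "http://tr.im/xyz": (302, "/login?next=%2Fhome"),                   # relative Location
    "http://tr.im/login?next=%2Fhome": (302, "http://twitter.com.signin-check.example/login"),
    "http://twitter.com.signin-check.example/login": (200, None),      # look-alike, not twitter.com
    "http://tinyurl.com/loop1": (301, "http://tinyurl.com/loop2"),
    "http://tinyurl.com/loop2": (301, "http://tinyurl.com/loop1"),
}

def sample_head(url):
    """Offline stand-in for http_head, driven by the constructed table."""
    return SAMPLE_HOPS.get(url, (404, None))

def http_head(url, timeout=10):
    """Real HEAD request; http.client never follows redirects, so each hop is returned as-is."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    conn.request("HEAD", (u.path or "/") + (f"?{u.query}" if u.query else ""))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def expand(url, head=sample_head, max_hops=10):
    """Follow redirects by hand. Returns (final_url, chain); raises on a loop or too many hops."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain[-1], chain
        nxt = urljoin(chain[-1], location)          # resolve a relative Location against the current hop
        if nxt in chain:
            raise ValueError(f"redirect loop: {' -> '.join(chain + [nxt])}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects: {' -> '.join(chain)}")

def lands_on(url, expected_host, head=sample_head):
    """True only if the final hop is on expected_host or a subdomain of it.
    'twitter.com.signin-check.example' contains the string 'twitter.com' but is a different site."""
    final, _ = expand(url, head)
    host = (urlsplit(final).hostname or "").lower()
    return host == expected_host or host.endswith("." + expected_host)
```

For a live check pass `head=http_head`; the sample table keeps the example offline. The host comparison is on the parsed hostname, not a substring match, which is exactly the distinction the look-alike domain in the table is designed to defeat.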
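The flow Elias describes, the app asking Twitter for authorisation and the user clicking an approve button instead of typing a password into the app, is OAuth 1.0a's three-legged exchange. The simulation below is an added example, not Twitter's or any client's code; the endpoint URLs, `twhirl-key`, the user name and the `Provider`/`Client` class names are placeholders. It runs both sides in one process so every message is visible: request token, user approval at the provider, access token, then a signed API call, plus the replay rejection a provider has to do.

```python
"""Simulated OAuth 1.0a three-legged flow; toy provider and toy client in one process. Constructed example."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

REQUEST_URL, ACCESS_URL = "https://provider.example/oauth/request_token", "https://provider.example/oauth/access_token"
API_URL = "https://provider.example/api/whoami"   # assumed endpoints, not a real service

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & enc(url) & enc(already-encoded 'k=v' pairs, sorted, joined by '&')."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Provider:
    """Holds the user's password and every secret; third parties only ever receive tokens."""
    def __init__(self, consumers):
        self.consumers = consumers                    # consumer_key -> consumer_secret
        self.request_tokens, self.access_tokens = {}, {}
        self.seen_nonces = set()                      # (consumer_key, timestamp, nonce) accepted so far

    def verify(self, method, url, params, token_secret=""):
        """Recompute the signature, compare in constant time, refuse stale or replayed nonces."""
        given = params.get("oauth_signature", "")
        params = {k: v for k, v in params.items() if k != "oauth_signature"}
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"), "")
        nonce_key = (params.get("oauth_consumer_key"), params.get("oauth_timestamp"), params.get("oauth_nonce"))
        fresh = abs(time.time() - int(params.get("oauth_timestamp", 0))) <= 300
        ok = (consumer_secret and fresh and nonce_key not in self.seen_nonces
              and hmac.compare_digest(given, hmac_sha1(method, url, params, consumer_secret, token_secret)))
        if ok: self.seen_nonces.add(nonce_key)
        return bool(ok)

    def request_token(self, method, url, params):
        """Step 1: the app obtains a temporary token, signed with its consumer secret only."""
        if not self.verify(method, url, params):
            raise PermissionError("bad request-token signature")
        token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.request_tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"], "verifier": None}
        return token, secret

    def authorize(self, request_token, user):
        """Step 2: the user, logged in at the provider (never at the app), clicks Approve."""
        rt = self.request_tokens[request_token]
        rt["user"], rt["verifier"] = user, secrets.token_urlsafe(8)
        return rt["verifier"]

    def access_token(self, method, url, params):
        """Step 3: request token + verifier are traded for a long-lived access token."""
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["verifier"] is None or params.get("oauth_verifier") != rt["verifier"]:
            raise PermissionError("request token not approved")
        if not self.verify(method, url, params, rt["secret"]):
            raise PermissionError("bad access-token signature")
        del self.request_tokens[params["oauth_token"]]   # single use
        token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.access_tokens[token] = {"secret": secret, "consumer": rt["consumer"], "user": rt["user"]}
        return token, secret

    def whoami(self, method, url, params):
        """Protected resource: the acting user for a validly signed call, else None."""
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or at["consumer"] != params.get("oauth_consumer_key"):
            return None
        return at["user"] if self.verify(method, url, params, at["secret"]) else None

class Client:
    """Third-party app: it ends up holding tokens, never the user's password."""
    def __init__(self, provider, consumer_key, consumer_secret):
        self.p, self.key, self.secret, self.token, self.token_secret = provider, consumer_key, consumer_secret, "", ""

    def signed(self, method, url, extra, token="", token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(16),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                  "oauth_version": "1.0", **extra, **({"oauth_token": token} if token else {})}
        params["oauth_signature"] = hmac_sha1(method, url, params, self.secret, token_secret)
        return params

    def connect(self, user_approves):
        # user_approves(request_token) -> verifier stands in for the browser trip to the Approve page
        rt, rts = self.p.request_token("POST", REQUEST_URL, self.signed("POST", REQUEST_URL, {"oauth_callback": "oob"}))
        self.token, self.token_secret = self.p.access_token(
            "POST", ACCESS_URL, self.signed("POST", ACCESS_URL, {"oauth_verifier": user_approves(rt)}, rt, rts))

def run_flow():
    """Run the exchange; return (user seen by the API, result of replaying the same signed call)."""
    key, secret = "twhirl-key", secrets.token_urlsafe(24)   # placeholder consumer credentials
    provider = Provider({key: secret})
    app = Client(provider, key, secret)
    app.connect(lambda rt: provider.authorize(rt, "elias"))   # the user approves at the provider
    params = app.signed("GET", API_URL, {}, app.token, app.token_secret)
    return provider.whoami("GET", API_URL, params), provider.whoami("GET", API_URL, params)
```

Two things to notice. The secrets never travel: each request carries a signature over the method, URL and parameters, keyed with the consumer secret and token secret, so a captured request (or a captured access token without its secret) cannot be reused, and the provider's nonce set turns an exact replay into a rejected call. And the user's password is typed only at the provider, which is the whole point of Elias's proposal; if the app is compromised, the provider can revoke that one access token instead of the user having to change their password. A real OAuth 1.0 client sends these parameters in an `Authorization: OAuth ...` header rather than as a dict, and the signature base string must be built from the encoded parameters exactly as `base_string` does or the two sides will never agree.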