OAuth isn't the solution for everything, but it at least eliminates the
stupid practice that's creating a culture of risk (due to acceptance), that
requires consumers to hand over their password between unrelated entities.

APIs are at the core of not just the mashup culture on the web, but of
future innovation and business models. To only be able to use a third party
application that needs to query an API, by forcing users to give up their
service password, is bloody ridiculous.

The most recent news was a brute-force, but there have already been several
instances where third-party Twitter apps abused the trust of their users.
Again, OAuth can still be abused, but it's one small step to something
better than the status quo.

On Fri, Jan 9, 2009 at 2:19 PM, Sherif <sherifgmans...@gmail.com> wrote:

>
> Forget about oAuth - none of this problem gets fixed until we get some
> decently coded applications!
> More to my point:
> http://news.zdnet.co.uk/security/0,1000000189,39588628,00.htm
>
> Twitter hackers - a brute force attack. Twitter has no limit on login
> attempts, no challenge-response and no Captcha.
>
> They are now working on changing all that..
>
> On Jan 8, 10:46 pm, Sherif <sherifgmans...@gmail.com> wrote:
> > @silky - totally agree, Twitter need to adopt a password anti-pattern:
> > http://adactio.com/journal/1357/
> >
> > FriendFeed does it really well - they have a 'remote key' which third-party
> > applications use - and not your actual username and passwords.
> > It's been well thought out...
> >
> > I'm really amazed at how badly Twitter is written (the many outages we
> > had months ago (due to it being written more like a blog architecture
> > than a message-queue type of solution), and even more recently the
> > phishing attacks)
> >
> > Just goes to prove to get a successful startup it's a lot to do with
> > timing and getting a big user-base .. they have done that very well.
> > Hats off to them, you can deliver an average service - that's so
> > popular - it takes something big to move all users off Twitter... will
> > this be it? I don't think it will...
> >
> > On Jan 8, 9:13 pm, Rex Chung <rex.ch...@gmail.com> wrote:
> >
> > > Mashable had several posts about this.
> > > http://mashable.com/2009/01/03/warning-twitter-phishing-attack-underway/
> >
> > > "You can follow updates on the attack by subscribing to the Twitter
> > > topic #phishingalert"
> > > http://search.twitter.com/search?q=%23phishingalert
> > > Rex
> > > --
> > > Sydney: +61 421 591 943
> > > HK:       +852 6901 2682
> >
> > > Ankoder - Video Encoding On Demand http://www.ankoder.com
> >
> > > On Thu, Jan 8, 2009 at 6:02 PM, John Masson <jmas...@gmail.com> wrote:
> >
> > > > An excellent point that some of us at work were discussing a few weeks
> > > > ago, there are SO many dodgy looking sites asking for Twitter
> > > > credentials to do who knows what with, it's scary!! It's like phishing
> > > > attacks without even pretending to look like something else :)
> >
> > > > Will definitely aim to talk about this in our next Instantiate
> > > > Podcast.
> >
> > > > JM
> >
> > > > On Jan 4, 5:06 pm, Elias Bizannes <elias.bizan...@gmail.com> wrote:
> > > > > Hi everyone,
> >
> > > > > I personally believe Twitter is being irresponsible by creating an
> > > > > ecosystem off their API without creating appropriate safeguards to
> > > > > protect users like us. I am looking for some Aussie bloggers to help
> > > > > me make some noise. The silicon beach community literally turned the
> > > > > fight against the clean feed to a whole new level, so I'm looking for
> > > > > us to do it again by creating a better Internet through example.
> >
> > > > > Quick background:
> > > > > For you to give access to things like third party apps (like Twhirl),
> > > > > you need to give up your login and password. As has been reported in
> > > > > the tech news this last week, there have been security breaches of
> > > > > people taking your Twitter password and selling it and the like. A
> > > > > simple change to their API can avoid this bad password anti-pattern.
> >
> > > > > With delegated authentication or through the use of an open standard
> > > > > called "oAuth" you can actually allow websites to access your data
> > > > > without you needing to give up your password (by simply giving them
> > > > > permission through the Twitter interface). What happens is that
> > > > > instead of you punching in your password, and giving some random your
> > > > > personal details which they can then take advantage of, you can
> > > > > instead have them request Twitter for authorisation, and you can
> > > > > simply click a button saying "approved".
> >
> > > > > I will be posting something on the DataPortability Project's blog
> > > > > about the issue and hope to give it some attention. The more people we
> > > > > have posting a synchronised blog post, the better chances we can turn
> > > > > this into news and get them to pull their finger out. I know for a
> > > > > fact the only reason they are not doing this is because they don't
> > > > > give it a high enough priority - but of course they don't, as it's not
> > > > > them hurting but us. With a bit of awareness, we can make people
> > > > > realise there is a simple way to fix a very serious issue, which is
> > > > > compromising your online identity.
> >
> > > > > I've already had to change my passwords a few times due to third party
> > > > > apps, and I am sick of doing it, and it annoys me when I know I don't
> > > > > need to do it!
> >
> > > > > Please contact me if you are willing to participate. For those looking
> > > > > to get a bit more exposure of their blogs, this is a good way to do
> > > > > it :)
> >
> > > > > Thanks!
> > > > > Elias
> >
>


-- 
Elias Bizannes
http://liako.biz
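The delegated flow Elias describes (the app requests authorisation, the user clicks "approved", the app gets access without ever holding the password), as an added example that is not part of this thread: a toy Python service constructed here, not Twitter's or any OAuth library's code. `Service`, `sign`, `digest`, the "elias" account and the request/access token shapes are all assumptions; the point it demonstrates is that each approved application gets its own signed, revocable token, so pulling one app's access does not force a password change.

```python
import hashlib
import hmac
import secrets
def sign(secret, body):  # toy HMAC over the body, not OAuth's exact signature base
    return hmac.new(secret, body, hashlib.sha256).hexdigest()
def digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Service:
    """Toy identity service (constructed, not Twitter's code): one revocable token per approved app."""
    def __init__(self):
        self.users = {}    # username -> (salt, PBKDF2 digest)
        self.pending = {}  # request token -> app name awaiting user approval
        self.tokens = {}   # access token -> (username, app, signing secret)
    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, digest(password, salt))
    def check_password(self, username, password):
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, digest(password, salt))
    def request_authorization(self, app):  # Step 1: the app asks; no user credentials involved
        rt = secrets.token_urlsafe(16)
        self.pending[rt] = app
        return rt
    def approve(self, request_token, username, password):  # Step 2: user logs in here, clicks "approved"
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        app = self.pending.pop(request_token)  # KeyError if unknown or already used
        token, secret = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.tokens[token] = (username, app, secret)
        return token, secret
    def api_call(self, token, body, signature):  # Step 3: app signs with its token secret, no password on the wire
        entry = self.tokens.get(token)
        if entry is None or not hmac.compare_digest(sign(entry[2], body), signature):
            return None
        return f"{entry[0]} via {entry[1]}: {body.decode()}"
    def revoke(self, username, app):  # pulls one app's access; password and other apps untouched
        for t, (u, a, _) in list(self.tokens.items()):
            if (u, a) == (username, app):
                del self.tokens[t]

def demo():
    svc = Service()
    svc.register_user("elias", "correct horse")  # constructed sample account
    tok, sec = svc.approve(svc.request_authorization("Twhirl"), "elias", "correct horse")
    before = svc.api_call(tok, b"hello", sign(sec, b"hello"))
    svc.revoke("elias", "Twhirl")
    after = svc.api_call(tok, b"hello", sign(sec, b"hello"))
    return before, after, svc.check_password("elias", "correct horse")
```

`demo()` returns the successful call made with the app's token, the `None` the same token gets after revocation, and `True` for the untouched password; a third-party app in this model never learns the password, so a misbehaving app is cut off by deleting one token rather than by the user changing credentials everywhere.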
