[twitter-dev] SMS Notifications

2009-10-10 Thread Bob Thomson 

Can anyone confirm if there are ongoing issues with users registering
new devices or if anyone has had reports of users being sent SMS
messages even when they have SMS notifications turned off?

We're seeing several reports of the first and isolated reports of the
second from our users.

Thanks,

Bob

--

Founder, Twibbon.com

[twitter-dev] Re: New blocks still happening

2009-08-07 Thread Bob Thomson 

We are having the same issue. Everything came back online OK after the
DDoS but about an hour ago one of our whitelisted servers got banned.

I've taken this server out of the loop but we've only got a limited
number of whitelisted IPs so I don't know how long this will last.

Can't find any information on any of the relevant websites, blogs or
twitter accounts which is quite frustrating, although I appreciate
that the team at Twitter has had a long hard day.

Any additional info welcome,

Bob

Twibbon.com

On Aug 7, 2:16 am, Jesse Stay  wrote:
> This is also another nick against OAuth.  My users can't even log in right
> now because we're relying on OAuth for login.
> Jesse
>
>
>
> On Thu, Aug 6, 2009 at 8:45 PM, Dewald Pretorius  wrote:
>
> > I have seen the same thing.
>
> > So, if you have white listed IPs that are still showing a rate limit
> > of 20,000, DO NOT use them right now.
>
> > After a few minutes of use their rate limits are cut down to 150 per
> > hour.
>
> > Dewald
>
> > On Aug 6, 8:58 pm, Tinychat  wrote:
> > > So, like everyone else I was receiving 408's from all our production
> > > servers. Wasnt sure what was causing it, but it turned out to be that
> > > twitter is blocking the IPs. Ok, must be related to the ddos stuff
> > > from earlier on- Must have gotten caught in the crossfire.
>
> > > So I go ahead and use some development servers to start sending
> > > requests- All is fine, for about a hour. They are blocked now. So to
> > > anyone out there, there is no point using a new IP- It will get
> > > blocked within a hour or so. I guess we have to wait for twitters host
> > > to fix it, or use actionscript/ajax to have the end user request the
> > > data himself (Which is what I am going to do) so its always a unique IP

[twitter-dev] Re: Updating the APIs authentication limiting policy

2009-07-31 Thread Bob Thomson 

Hi Doug,

Is there a timescale for rolling back / making the change to the new
scheme?

We're just putting the finishing touches to moving to OAuth and we're
experiencing the issue when using verify_credentials to get the users
basic details once we've got the token back from the authentication
process. We're experiencing the issue when:

1. Testing our login and authentication processes
2. When users login and logout of our application frequently

A heads up on when these changes will be made would be useful. Thanks,

Bob

On Jul 29, 6:37 pm, Grant Emsley  wrote:
> Locked out of authenticated resources for that account, or will that
> IP not be able to login to any account?
>
> On Jul 29, 1:14 pm, Doug Williams  wrote:
>
> > Ray,For clarity, we will roll back the current restriction of 15 calls per
> > user per hour to account/verify_credentials, and implement the proposed
> > scheme:
>
> > > ... we will limit the total number of unsuccessful
> > > attempts to access authenticated resources to 15 an hour per user per IP
> > > address. If a single IP address makes 15 attempts to access a
> > > protected resource unsuccessfully for a given user (as indicated by an
> > HTTP 401),
> > > then the user will be locked out of authenticated resources from that
> > > IP address for 1 hour.
>
> > Thanks,
> > Doug
>
> > On Wed, Jul 29, 2009 at 9:51 AM, Ray  wrote:
>
> > > Doug,
>
> > > I'm in a similar situation as that voiced by TinBlue.  This change has
> > > affected our iPhone App.  We also want to encourage you to rollback
> > > this change ASAP.
>
> > > When you say "This approach is what we are going to take.", do you
> > > mean rolling back the fix so as not to affect multiple, successful,
> > > authorized logins?  I'm hopeful that "this approach" means that our
> > > apps will not be affected yet again by changing to a new auth
> > > approach.
>
> > > I appreciate you all keeping this thread informed.
>
> > > Ray
>
> > > On Jul 27, 11:23 am, Doug Williams  wrote:
> > > > Thanks to everyone who has contributed feedback. This approach is what 
> > > > we
> > > > are going to take.
> > > > Alex will be making this change shortly. I will update this thread when
> > > > there is timeframe to share.
>
> > > > Thanks,
> > > > Doug
>
> > > > On Mon, Jul 27, 2009 at 7:52 AM, TinBlue  wrote:
>
> > > > > What is happening?
>
> > > > > This rollback is taking far too long for something that has affected a
> > > > > lot of people!
>
> > > > > On Jul 25, 2:32 pm, Dewald Pretorius  wrote:
> > > > > > Doug,
>
> > > > > > I would prefer to adopt OAuth instead of writing code for Basic 
> > > > > > Auth.
>
> > > > > > So, you guys need to move OAuth out of public beta into full
> > > > > > production sooner rather than later. :-)
>
> > > > > > I manage 100,000+ Twitter accounts, and I simply cannot take on the
> > > > > > support workload of answering user tickets when there's a snag with
> > > > > > OAuth beta.
>
> > > > > > I monitor these forums and the API Issues and still see too many
> > > OAuth
> > > > > > issues being reported to give me a level of comfort that I can 
> > > > > > safely
> > > > > > switch over to OAuth.
>
> > > > > > On Jul 24, 5:46 pm, Doug Williams  wrote:
>
> > > > > > > Well said Joshua.
>
> > > > > > > Dewald, you have identified the risk of using basic 
> > > > > > > authentication.
> > > If
> > > > > > > your users being locked out due to malicious behavior, you should
> > > > > > > either implement further user-level rate limiting on your side or
> > > > > > > adopt OAuth.
>
> > > > > > > Are there any other glaring omissions in our thinking or should we
> > > > > > > proceed with this as our solution?
>
> > > > > > > Thanks,
> > > > > > > Doug
>
> > > > > > > On Fri, Jul 24, 2009 at 11:08 AM, Joshua Perry
> > > wrote:
>
> > > > > > > > Jim's concern is valid, fortunately OAuth is immune to
> > > brute-force
> > > > > attacks
> > > > > > > > once the access key has been issued to an application. For this
> > > > > reason alone
> > > > > > > > I would urge people to switch to OAuth if at all possible.  I
> > > would
> > > > > hope
> > > > > > > > (and assume) that if login attempts for an account are locked 
> > > > > > > > out
> > > > > that a
> > > > > > > > user would still be able to successfully use an already
> > > authorized
> > > > > OAuth
> > > > > > > > driven application.
>
> > > > > > > > Unfortunately allowing a successful un/pw login while an account
> > > is
> > > > > locked
> > > > > > > > out even when the correct password is presented effectively
> > > bypasses
> > > > > the
> > > > > > > > whole reason for a lockout in the first place, preventing
> > > brute-force
> > > > > > > > password attempts.  If an attacker used a dictionary or
> > > brute-force
> > > > > attack
> > > > > > > > and the account was locked out after 15 attempts, then they 
> > > > > > > > could
> > > > > continue
> > > > > > > > trying even though the system replied "locked out"; if they
> > > > > event