On Sat, 04 Sep 2010 20:55:19 +0200
Tom van der Woerdt wrote:
> On 9/4/10 8:51 PM, Bernd Stramm wrote:
> > On Sat, 04 Sep 2010 20:34:50 +0200
> > Tom van der Woerdt wrote:
> >
> >> On 9/4/10 8:13 PM, Bernd Stramm wrote:
> >>> On Sat, 04 Sep 2010 19:0
On Sat, 04 Sep 2010 20:34:50 +0200
Tom van der Woerdt wrote:
> On 9/4/10 8:13 PM, Bernd Stramm wrote:
> > On Sat, 04 Sep 2010 19:02:11 +0200
> > Tom van der Woerdt wrote:
> >
> >> On 9/4/10 6:08 PM, rrd wrote:
> >>> I have a website which gets friends
ze the clock.
>
> If that's not an option, then you should simply generate an "offset"
> by asking the Twitter server the time and comparing this to the Unix
> Time of the server (don't do that too often, daily is fine). Later
> you can use this offset and
> > Looks like OAuth really works out for Twitter.
> > > Thx a lot guys, but it's time to look for something else than
> > > Twitter. Having enough people using the service and just doing
> > > that what you guys have done is absolutely not amusing.
> >
>
ng/thread is entered).
>
> Looks like OAuth really works out for Twitter.
> Thx a lot guys, but it's time to look for something else than Twitter.
> Having enough people using the service and just doing that what you
> guys have done is absolutely not amusing.
>
--
's
> statuses and sort them by time. But it's overkill for a user with
> more following. Any other options?
- Create a fake user that follows the same accounts,
Or,
- Pay Twitter for the data, I'm sure they will be happy to accommodate
you ;)
>
--
Bernd Stramm
ser name.
That's not what is normally called security.
OAuth as currently done with twitter only works when the "app" runs on
a small number of secure servers.
--
Bernd Stramm
bernd.str...@gmail.com
--
Twitter developer documentation and resources: http://dev.twitter.com/doc
AP
different, but that was some weeks ago.
>
> Tom
>
>
> On 9/3/10 6:47 PM, Bernd Stramm wrote:
> > On Fri, 3 Sep 2010 01:27:34 -0700 (PDT)
> > Ken wrote:
> >
> >> I thought I had found a solution, albeit a horrendously ugly one:
> >> redir
erhaps people should do that sort of
thing.
Bernd
--
Bernd Stramm
bernd.str...@gmail.com
--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issue
ternity, or until twitter decides that it should be
possible to invalidate tokens.
Bernd
--
Bernd Stramm
bernd.str...@gmail.com
a popular
smart phone, and you get a nice little login page.
--
Bernd Stramm
why is that the Ruby default? Did the Ruby author forget the year and
then decide to tack it on the end?
--
Bernd Stramm
ed in Google Maps, has been in the
same location for more than 5 years. The satellite image, with a
copyright of 2010, still doesn't show the building.
--
Bernd Stramm
hat says "http://this.that.com".
--
Bernd Stramm
as an
agent for the user. They are no different than browsers in this respect.
--
Bernd Stramm
ing silly - why bother with analysis, when the
attacker can just run the program.
The oauth system comes from client/server concepts and client/server
thinking. In that scenario, the authentication is between one client
and two servers. That is not the case with most desktop/mobile apps.
--
Bernd Stramm
Ds. And of course every application developer has a website that
handles all the downloads, none of them use google code, sourceforge,
github, ... oh wait.
Oh well, why bother.
--
Bernd Stramm
e borrowed and stolen.
Sure you can make it harder to just grab the key/secret pair of open
source application A and implement application B, pretending to be A.
But what does that buy you? What does that protect against?
--
Bernd Stramm
get the list of users who have authorized my
> application.
Along the same lines: for my case, I don't particularly care about the
identity of users, but it could be interesting to just know the number
of users.
--
Bernd Stramm
easure the
really strong signals. That narrows what you can find, and you risk
that eventually you find only obvious things.
--
Bernd Stramm
t that is marked as a link, for example
"http://nasa.gov", and it does not go to nasa.gov.
If a user clicks on the link saying nasa.gov, it goes to t.co,
which does business with a third party, not telling the user anything
about it.
How is that *not* deceptive?
> >
> > On Ju
> that
> is, IIRC, the "Spirit of Twitter". ;-)
Really now, what is wrong with a person expressing themselves by making
human readable links?
If an application wants to preserve the original intent of the user, it
is forced (by ToS) to present a link that doesn't go to where it says
it does. That is problematic; the application acts as spyware.
--
Bernd Stramm
, 12:18 pm, John Kalucki wrote:
> > Apps that don't update will continue to work, they will just display
> > something different than they do now.
--
Bernd Stramm
op/mobile apps? You have to
install the code on the user device, and that device at some point has
to generate the consumer secret in clear text, so it can be signed. An
intruder can examine the code and intercept the secret.
--
Bernd Stramm
Cloning an
application is thus very easy. If an intruder can then also capture an
authorization token, they can post fake tweets and get the user in
trouble. Or get the application blacklisted, or both.
Being able to actively expire an authorization token would help protect
against this.
Be safe,
Bernd
--
Bernd Stramm
e backlog of
> xAuth requests right now and only very few resources available to
> process the queue. They'll be handled as quickly as we can.
>
> Can any of you see your pending tickets on this page?
> http://support.twitter.com/tickets
>
yes I can see mine. It contains the email I sent.
--
Bernd Stramm
s I said before, a lot of this stuff is inherently insecure for
reasons completely unrelated to oauth or xauth.
In any case Jann, you have convinced me of something I strongly
suspected - I really should get xauth for my application as well.
Be safe,
Bernd
--
Bernd Stramm
On Sun, 30 May 2010 11:14:54 -0700
Abraham Williams <4bra...@gmail.com> wrote:
> On Sun, May 30, 2010 at 11:01, Bernd Stramm
> wrote:
>
> > The user does trust the app, otherwise they would not be using it.
> > The problem with the scheme of using the app *and* a b
this scheme were not thinking
about desktop/mobile apps, only about web based solutions. The rest is
an afterthought.
Be Safe,
Bernd
--
Bernd Stramm
s and tweets all day.
So I would advise users to not use any of the twitter environment and
surroundings for banking transactions. And if embarrassing pics
surface, at least users have plausible deniability.
Be safe,
Bernd
--
Bernd Stramm
)
Tell your browser to send a User Agent string that says it's a mobile.
>
> Maybe there is an undocumented parameter we can use? Something like:
> http://twitter.com/oauth/authorize?mobile=1&oauth_token=123abc
--
Bernd Stramm
back from twitter with
"Expires" : "Tue, 31 Mar 1981 05:00:00 GMT"
on replies with good status. Nothing going wrong, auth works fine.
Just a funny looking date in there. Is that somebody's epoch? It looks
vaguely familiar.
--
Bernd Stramm
pairs being re-used by others.
Is there any consideration for this? Basically all that would be needed
is an API entry point where the consumer says "thanks but no more",
signed and verified as normal.
--
Bernd Stramm
s the missing twitter post is because of this:
Twitter Message from raffi a.k.a raffi
sent on Tue May 25 01:09:27 2010
Curious how to do uploadAndPost in OAuth Echo? http://post.ly/hEdl
Where raffi explains how uploadAndPost *will* work.
Any comments ? Advice ?
--
Bernd Stramm
>
> Questions:
>
> 1) how to get the time like "hh:mm:ss" from the result->created_at?
>
> 2) how to get the time in a specified time-zone, like UTC-03 (Brazil)?
Have you considered the PHP manual, for example here
http://www.php.net/manual/en/function.date.php
>
> Thank you.
--
Bernd Stramm