Alex, is that *not* estimated or was it an iPhone being daft and changing now to not?
On Aug 5, 7:11 pm, Alex Payne <a...@twitter.com> wrote: > The change did not go live yesterday due to some deploy issues. It's > not estimated to go out tomorrow. Once again, sorry for the delay. > > > > On Wed, Aug 5, 2009 at 07:48, Dewald Pretorius<dpr...@gmail.com> wrote: > > > Alex, > > > Did the change go live on Tuesday? > > > I have very irate users due to this issue. There are spam bots out > > there that got hold of users' credentials. The users have changed > > their Twitter passwords to get rid of the spam tweets published in > > their timelines, but now those bots are locking them out 24x7 from all > > apps that use the API. > > > On Aug 3, 2:56 pm, Alex Payne <a...@twitter.com> wrote: > >> The rollback should be deployed tomorrow. Sorry for the delay. > > >> On Sat, Aug 1, 2009 at 23:36, Jesse Stay<jesses...@gmail.com> wrote: > >> > A timeframe would be very helpful. This is turning out to be a headache > >> > as > >> > I'm testing. If my own user is having to log in over and over to test my > >> > app, I'm quickly hitting the verify_credentials limit (and I'm even using > >> > OAuth). I'm getting really frustrated. > >> > Jesse > > >> > On Fri, Jul 31, 2009 at 8:01 PM, Bob Thomson <stormid...@googlemail.com> > >> > wrote: > > >> >> Hi Doug, > > >> >> Is there a timescale for rolling back / making the change to the new > >> >> scheme? > > >> >> We're just putting the finishing touches to moving to OAuth and we're > >> >> experiencing the issue when using verify_credentials to get the users > >> >> basic details once we've got the token back from the authentication > >> >> process. We're experiencing the issue when: > > >> >> 1. Testing our login and authentication processes > >> >> 2. When users login and logout of our application frequently > > >> >> A heads up on when these changes will be made would be useful. Thanks, > > >> >> Bob > > >> >> On Jul 29, 6:37 pm, Grant Emsley <grant.ems...@gmail.com> wrote: > >> >> > Locked out of authenticated resources for that account, or will that > >> >> > IP not be able to login to any account? > > >> >> > On Jul 29, 1:14 pm, Doug Williams <d...@twitter.com> wrote: > > >> >> > > Ray,For clarity, we will roll back the current restriction of 15 > >> >> > > calls > >> >> > > per > >> >> > > user per hour to account/verify_credentials, and implement the > >> >> > > proposed > >> >> > > scheme: > > >> >> > > > ... we will limit the total number of unsuccessful > >> >> > > > attempts to access authenticated resources to 15 an hour per user > >> >> > > > per IP > >> >> > > > address. If a single IP address makes 15 attempts to access a > >> >> > > > protected resource unsuccessfully for a given user (as indicated > >> >> > > > by > >> >> > > > an > >> >> > > HTTP 401), > >> >> > > > then the user will be locked out of authenticated resources from > >> >> > > > that > >> >> > > > IP address for 1 hour. > > >> >> > > Thanks, > >> >> > > Doug > > >> >> > > On Wed, Jul 29, 2009 at 9:51 AM, Ray <rvizz...@testlabs.com> wrote: > > >> >> > > > Doug, > > >> >> > > > I'm in a similar situation as that voiced by TinBlue. This change > >> >> > > > has > >> >> > > > affected our iPhone App. We also want to encourage you to > >> >> > > > rollback > >> >> > > > this change ASAP. > > >> >> > > > When you say "This approach is what we are going to take.", do you > >> >> > > > mean rolling back the fix so as not to affect multiple, > >> >> > > > successful, > >> >> > > > authorized logins? I'm hopeful that "this approach" means that > >> >> > > > our > >> >> > > > apps will not be affected yet again by changing to a new auth > >> >> > > > approach. > > >> >> > > > I appreciate you all keeping this thread informed. > > >> >> > > > Ray > > >> >> > > > On Jul 27, 11:23 am, Doug Williams <d...@twitter.com> wrote: > >> >> > > > > Thanks to everyone who has contributed feedback. This approach > >> >> > > > > is > >> >> > > > > what we > >> >> > > > > are going to take. > >> >> > > > > Alex will be making this change shortly. I will update this > >> >> > > > > thread > >> >> > > > > when > >> >> > > > > there is timeframe to share. > > >> >> > > > > Thanks, > >> >> > > > > Doug > > >> >> > > > > On Mon, Jul 27, 2009 at 7:52 AM, TinBlue <tinb...@gmail.com> > >> >> > > > > wrote: > > >> >> > > > > > What is happening? > > >> >> > > > > > This rollback is taking far too long for something that has > >> >> > > > > > affected a > >> >> > > > > > lot of people! > > >> >> > > > > > On Jul 25, 2:32 pm, Dewald Pretorius <dpr...@gmail.com> wrote: > >> >> > > > > > > Doug, > > >> >> > > > > > > I would prefer to adopt OAuth instead of writing code for > >> >> > > > > > > Basic Auth. > > >> >> > > > > > > So, you guys need to move OAuth out of public beta into full > >> >> > > > > > > production sooner rather than later. :-) > > >> >> > > > > > > I manage 100,000+ Twitter accounts, and I simply cannot take > >> >> > > > > > > on the > >> >> > > > > > > support workload of answering user tickets when there's a > >> >> > > > > > > snag > >> >> > > > > > > with > >> >> > > > > > > OAuth beta. > > >> >> > > > > > > I monitor these forums and the API Issues and still see too > >> >> > > > > > > many > >> >> > > > OAuth > >> >> > > > > > > issues being reported to give me a level of comfort that I > >> >> > > > > > > can > >> >> > > > > > > safely > >> >> > > > > > > switch over to OAuth. > > >> >> > > > > > > On Jul 24, 5:46 pm, Doug Williams <d...@twitter.com> wrote: > > >> >> > > > > > > > Well said Joshua. > > >> >> > > > > > > > Dewald, you have identified the risk of using basic > >> >> > > > > > > > authentication. > >> >> > > > If > >> >> > > > > > > > your users being locked out due to malicious behavior, you > >> >> > > > > > > > should > >> >> > > > > > > > either implement further user-level rate limiting on your > >> >> > > > > > > > side or > >> >> > > > > > > > adopt OAuth. > > >> >> > > > > > > > Are there any other glaring omissions in our thinking or > >> >> > > > > > > > should we > >> >> > > > > > > > proceed with this as our solution? > > >> >> > > > > > > > Thanks, > >> >> > > > > > > > Doug > > >> >> > > > > > > > On Fri, Jul 24, 2009 at 11:08 AM, Joshua > >> >> > > > > > > > Perry<j...@6bit.com> > >> >> > > > wrote: > > >> >> > > > > > > > > Jim's concern is valid, fortunately OAuth is immune to > >> >> > > > brute-force > >> >> > > > > > attacks > >> >> > > > > > > > > once the access key has been issued to an application. > >> >> > > > > > > > > For > >> >> > > > > > > > > this > >> >> > > > > > reason alone > >> >> > > > > > > > > I would urge people to switch to OAuth if at all > >> >> > > > > > > > > possible. > >> >> > > > > > > > > I > >> >> > > > would > >> >> > > > > > hope > >> >> > > > > > > > > (and assume) that if login attempts for an account are > >> >> > > > > > > > > locked out > >> >> > > > > > that a > >> >> > > > > > > > > user would still be able to successfully use an already > >> >> > > > authorized > >> >> > > > > > OAuth > >> >> > > > > > > > > driven application. > > >> >> > > > > > > > > Unfortunately allowing a successful un/pw login while an > >> >> > > > > > > > > account > >> >> > > > is > >> >> > > > > > locked > >> >> > > > > > > > > out even when the correct password is presented > >> >> > > > > > > > > effectively > >> >> > > > bypasses > >> >> > > > > > the > >> >> > > > > > > > > whole reason for a lockout in the first place, > >> >> > > > > > > > > preventing > >> >> > > > brute-force > >> >> > > > > > > > > password attempts. If an attacker used a dictionary or > >> >> > > > brute-force > >> >> > > > > > attack > >> >> > > > > > > > > and the account was locked out after 15 attempts, then > >> >> > > > > > > > > they could > >> >> > > > > > continue > >> >> > > > > > > > > trying even though the system replied "locked out"; if > >> >> > > > > > > > > they > >> >> > > > > > eventually sent > >> >> > > > > > > > > the correct password it would just bypass the lockout > >> >> > > > > > > > > and > >> >> > > > > > > > > they > >> >> > > > would > >> >> > > > > > then > >> >> > > > > > > > > know the correct password. > > >> >> > > > > > > > > Perhaps Twitter could implement a selective captcha, I > >> >> > > > > > > > > know they > >> >> > > > are > >> >> > > > > > > > > annoying but if executed properly it could be effective > >> >> > > > protection > >> >> > > > > > against > >> >> > > > > > > > > brute-force and dictionary attacks. Say after 3 or 4 > >> >> > > > > > > > > failed > >> >> > > > attempts > >> >> > > > > > without > >> >> > > > > > > > > a captch the API would then include a captcha image URL > >> >> > > > > > > > > in > >> >> > > > > > > > > it's > >> >> > > > > > response > >> >> > > > > > > > > that the application would then need to show to the > >> >> > > > > > > > > person > >> >> > > > > > > > > and > >> >> > > > > > include the > >> >> > > > > > > > > user's response with the next authentication attempt as > >> >> > > > > > > > > a > >> >> > > > > > > > > header > >> >> > > > or > >> >> > > > > > POST > >> >> > > > > > > > > variable. The site stackoverflow.com does this to great > >> >> > > > > > > > > effect, > >> >> > > > if > >> >> > > > > > you > >> >> > > > > > > > > create posts quicker than a certain threshold which a > >> >> > > > > > > > > person > >> >> > > > would > >> >> > > > > > not > >> >> > > > > > > > > exceed then they pop a captcha up, in the normal use of > >> >> > > > > > > > > the site > >> >> > > > you > >> >> > > > > > will > >> >> > > > > > > > > never see one; I've only hit two captchas in the last in > >> >> > > > > > > > > the last > >> >> > > > 8 > >> >> > > > > > months > >> >> > > > > > > > > using the site. > > >> >> > > > > > > > > Josh > > >> >> > > > > > > > > Dewald Pretorius wrote: > > >> >> > > > > > > > >> Jim raised a huge weakness with the authentication rate > >> >> > > > > > > > >> limiting > >> >> > > > > > that > >> >> > > > > > > > >> could essentially break third-party apps. > > >> >> > > > > > > > >> Anybody can try to add anybody else's Twitter account > >> >> > > > > > > > >> to > >> >> > > > > > > > >> a > >> >> > > > > > third-party > >> >> > > > > > > > >> app using an invalid password. If they do that 15 times > >> >> > > > > > > > >> with a > >> >> > > > > > Twitter > >> >> > > > > > > > >> account, the real owner of that Twitter account, who > >> >> > > > > > > > >> may > >> >> > > > > > > > >> have > >> >> > > > added > >> >> > > > > > > > >> his account a long time ago with the correct password, > >> >> > > > > > > > >> is > >> >> > > > > > > > >> locked > >> >> > > > out > >> >> > > > > > > > >> from using that app for an hour. > > >> >> > > > > > > > >> I believe you will absolutely have to reset / remove > >> >> > > > > > > > >> the > >> >> > > > > > > > >> lock as > >> >> > > > > > soon > > ... > > read more »