On 1/18/2010 8:16 PM, M. Edward (Ed) Borasky wrote:
I'm trying to define a minimum viable product that I can *sell*.
Nothing I've seen in this thread so far has convinced me that a
desktop application accessing Twitter is viable, with or without
oAuth. "Without oAuth" isn't viable because it's deprecated by
Twitter, and "with oAuth" isn't viable because it's *easy* to
compromise. Sure, a server *can* be compromised, but it's a lot
harder. On a server, I can control the choice of the entire stack -
hardware, OS, application framework, DBMS, etc. I may not be able to
prevent a DOS attack, but I can keep that away from Twitter - I can't
control how users interact with Twitter using a compromised desktop
app.

But you still control your own keys. If you find that somebody has compromised your program, you can revoke those consumer keys through Twitter and regenerate them. And I would assume that, given the dearth of Twitter applications out there, your application will do a bit more than just Twitter (if it doesn't, you're probably better off giving it away as freeware/resumeware). Twitter is a viable platform but it's only a means to an end, it is not an end. The value that you will generate in addition to Twitter (molding Twitter to a GIS app, for instance) is where you will realize a profit, not in just locking onto Twitter and being concerned about the security of an oAuth vs Basic system. Is oAuth the best solution? Hardly. If I had my druthers it would be more of a captcha response that would let developers have a bit more control over how to display that data. But no security system short of ripping the cables out of the Twitter server will ever be perfect.



There must be some other developers on this list - does *anybody* who
develops Twitter apps for a living want to chime in and tell me I'm
full of hot air here - that there *is* a way to develop and deploy a
viable secure desktop Twitter app?

You guys are all freaking out about this when this is how the internet
works. Just look at email. With a single line of PHP I can send any of you
an email from any email address.*

Abraham

*There are technologies to stop this but very few mail servers use them.
Currently Gmail refuses email from paypal.com unless it is signed by their
key.

This is how the Internet works *now* - with 90 percent of the desktops
running Windows, many of those not up to date on Windows Updates or
virus scanner code and virus definitions, botnets controlling millions
of PCs, the government of China exploiting holes in IE 6, bloggers
calling openly for iPhone users to mount a DDOS against AT&T, GMail
peeking at the content of my emails to suggest commercial products
that I might happen to consider competitors, and Facebook selling your
private data to scammers and spammers. There may be a thousand and one
ways to get hurt on the Internet, but I'm not interested in deploying
the 1002nd.

That could all change with ChromeOS netbooks. I can dream. ;-)

--
M. Edward (Ed) Borasky
http://borasky-research.net/smart-at-znmeb

"A mathematician is a device for turning coffee into theorems." ~ Paul
Erdős
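Added example, not taken from any of the messages above: the OAuth 1.0a HMAC-SHA1 request signing that Twitter required at the time, written in Python to make the thread's security point concrete. The consumer secret is the signing key, so whoever reads it out of a shipped desktop binary can sign arbitrary requests under the application's identity, and the recourse is the one mentioned in the reply above: revoke and regenerate the consumer key pair, which invalidates every copy of the old binary, the attacker's and the paying customers' alike. The consumer key, secrets, token, nonce, timestamp and endpoint URL are all constructed values for the demonstration, not real credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse


def pct(value):
    # RFC 5849 section 3.6 encoding: only unreserved characters stay unescaped.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string for one request.

    params holds every oauth_* protocol parameter plus any body parameters;
    query-string parameters are pulled out of the URL here. Duplicate names
    are not supported, which is enough for a typical Twitter API call."""
    parsed = urlparse(url)
    scheme, host = parsed.scheme.lower(), parsed.netloc.lower()
    if (scheme, host.rpartition(":")[2]) in (("http", "80"), ("https", "443")):
        host = host.rpartition(":")[0]          # default ports are dropped
    base_url = f"{scheme}://{host}{parsed.path}"
    merged = dict(parse_qsl(parsed.query, keep_blank_values=True))
    merged.update(params)
    merged.pop("oauth_signature", None)        # never part of its own input
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    """What the server side does: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    presented = params.get("oauth_signature", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


URL = "https://api.twitter.com/1/statuses/update.json"   # constructed 2010-style endpoint


def request_params(consumer_key, token, status, nonce="c0ffee", timestamp="1263867360"):
    # Protocol parameters every signed Twitter call carried, plus the tweet body.
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        "status": status,
    }


def scenario():
    """Returns (legit_ok, extracted_secret_ok, guessed_secret_ok, after_rotation_ok).

    All credentials are constructed. The desktop app ships the consumer secret
    inside its binary, and the user's access token lives on the same machine,
    so an attacker on that machine has both; the 'extracted' case below signs
    a tweet of the attacker's choosing with exactly those bytes."""
    consumer_key, consumer_secret = "desktopApp-key", "desktopApp-secret"
    token, token_secret = "user-token", "user-token-secret"

    def attempt(status, signing_secret, server_secret):
        p = request_params(consumer_key, token, status)
        p["oauth_signature"] = sign("POST", URL, p, signing_secret, token_secret)
        return verify("POST", URL, p, server_secret, token_secret)

    legit_ok = attempt("hello world", consumer_secret, consumer_secret)
    extracted_secret_ok = attempt("buy my pills", consumer_secret, consumer_secret)
    guessed_secret_ok = attempt("buy my pills", "not-the-real-secret", consumer_secret)
    # Revoke and regenerate the consumer secret at Twitter: every copy of the old
    # binary now fails verification until it is updated with the new secret.
    rotated_secret = "desktopApp-secret-v2"
    after_rotation_ok = attempt("hello world", consumer_secret, rotated_secret)
    return legit_ok, extracted_secret_ok, guessed_secret_ok, after_rotation_ok


if __name__ == "__main__":
    print(scenario())
```

The signing key is the only thing distinguishing the real application from a copy of it, which is why a server-held consumer secret changes the picture: the secret never leaves a machine the developer controls, and rotating it does not require pushing a new build to every desktop.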

