RE: [twitter-dev] @ Message read rate for non-followers
Zero percent, and report for spam. Date: Sun, 17 Jan 2010 22:13:33 -0800 Subject: [twitter-dev] @ Message read rate for non-followers From: abstar...@gmail.com To: twitter-development-talk@googlegroups.com Hey Guys, Do you know what % of people read @ messages if you are not a follower + targeting them based on keywords or search api's? Thanks, Abir
Re: [twitter-dev] @ Message read rate for non-followers
On Mon, Jan 18, 2010 at 3:00 AM, Ken Dobruskin k...@cimas.ch wrote: Zero percent, and report for spam. Date: Sun, 17 Jan 2010 22:13:33 -0800 Subject: [twitter-dev] @ Message read rate for non-followers From: abstar...@gmail.com To: twitter-development-talk@googlegroups.com Hey Guys, Do you know what % of people read @ messages if you are not a follower + targeting them based on keywords or search api's? Thanks, Abir ++ to reporting as spam. ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera
[twitter-dev] Re: Basic Auth Deprecation in June
Ryan Sarver said it last last year http://twitter.com/Scobleizer/status/6493268213 On Jan 17, 4:46 am, Hwee-Boon Yar hweeb...@gmail.com wrote: On Jan 14, 8:30 am, twittme_mobi nlupa...@googlemail.com wrote: Hello , Regarding Basic Auth Deprecation is June Any where this is announced? -- Hwee-Boon
Re: [twitter-dev] Re: OAuth best practice
You are correct. The PIN handshaking is only for Desktop Apps. Ryan On Mon, Jan 18, 2010 at 9:12 AM, eco_bach bac...@gmail.com wrote: Jeff, I might be wrong, as there seems to be some confusion on this, but I believe the extra PIN handshaking is ONLY required for what Twitter defines as 'Desktop Apps'. See the response to my questions here http://bit.ly/5xbydH As a newcomer to OAuth and the Twitter API I'm currently muddling thru the whole proxy requirements(I'm using actionscript)
Re: [twitter-dev] Re: Social Graph API: Legacy data format will be eliminated 1/11/2010
On Sun, Jan 17, 2010 at 12:54 PM, Abraham Williams 4bra...@gmail.com wrote: From the numbers I've seen in this thread more than 95% of accounts are followed less than 25k times. It would not seem to make sense for Twitter to support returning more than 25k ids per call. Especially since there are only ~775 accounts with more than 100k followers: http://twitterholic.com/top800/followers/ Abraham Yet, those 775 accounts have the potential ability to reach up to 775,000+ (+, considering the number of retweets they each get) of Twitter's user base. When they're dissatisfied, people hear. IMO those are the ones Twitter should be going out of their way to satisfy. Add to that the fact that many of those are the ones willing to pay the biggest bucks when/if Twitter implements a business account, they could also be a contributing factor to Twitter's revenue model in the future. It makes total sense for Twitter to support those ~775 accounts. If they're ignored, they'll take their followers with them. Jesse
[twitter-dev] Re: Basic Auth Deprecation in June
Thanks. Hope it's not official. I don't remember reading anything like that on the 2 lists. -- Hwee-Boon On Jan 18, 7:01 pm, Rich rhyl...@gmail.com wrote: Ryan Sarver said it last last year http://twitter.com/Scobleizer/status/6493268213 On Jan 17, 4:46 am, Hwee-Boon Yar hweeb...@gmail.com wrote: On Jan 14, 8:30 am, twittme_mobi nlupa...@googlemail.com wrote: Hello , Regarding Basic Auth Deprecation is June Any where this is announced? -- Hwee-Boon
Re: [twitter-dev] Re: Basic Auth Deprecation in June
yes, it's official. The depreciation of Basic Auth will start in June. Ryan On Mon, Jan 18, 2010 at 10:57 AM, Hwee-Boon Yar hweeb...@gmail.com wrote: Thanks. Hope it's not official. I don't remember reading anything like that on the 2 lists. -- Hwee-Boon On Jan 18, 7:01 pm, Rich rhyl...@gmail.com wrote: Ryan Sarver said it last last year http://twitter.com/Scobleizer/status/6493268213 On Jan 17, 4:46 am, Hwee-Boon Yar hweeb...@gmail.com wrote: On Jan 14, 8:30 am, twittme_mobi nlupa...@googlemail.com wrote: Hello , Regarding Basic Auth Deprecation is June Any where this is announced? -- Hwee-Boon
[twitter-dev] Follow Limit Frustrations
Hi there, As part of my application I've written a script which monitors the followers of my twitter account and updates my database accordingly. The idea being that the number of records in my database table (users) is identical to the number of followers of my Twitter account. I've hit a problem a couple of times while debugging it that I've accidentally ended up unfollowing all my users. Stupid I know but accidents happen :-). The end result of this is my account has 14 following and I've 0 followers. I'm now hitting this "You are unable to follow more people at this time. Learn more here." message constantly to the point that everything comes to a standstill and I can't do any more application work because I don't have any users :-(. If I left it for a while things seem to reset themselves but reading the documentation on this help page I'm a bit confused as to what rule I've hit for this to be caused. http://help.twitter.com/forums/10713/entries/66885 My application is whitelisted, I have less than 2000 users and I'm not likely to get any more followers just now as the application is in testing. Any help in this would be much appreciated. Cheers, James
[twitter-dev] Re: When will delete list members and delete list be fixed?
Dear Team Twitter, I don't mean to be rude about this, but how can we expect that Twitter will roll out an all new developer support center that's going to be more responsive when inquiries about a major defect in the API are left hanging for months on end? There is an open issue that is making list functionality completely unusable for a lot of people and has received zero comment from Twitter staff: http://code.google.com/p/twitter-api/issues/detail?id=1239 On Jan 11, 12:22 pm, Orian Marx (@orian) or...@orianmarx.com wrote: There has been an accepted defect in the issue tracker which really should be a high priority and there has been no word of any status on a fix. The defect is that any developers who cannot use a DELETE request were supposed to be able to make a POST request with a _method=DELETE param, but that has never actually worked. This leaves list management functionality *completely broken* for any client that cannot issue a DELETE request. This was first noted in November, and the defect was accepted one month ago: http://code.google.com/p/twitter-api/issues/detail?id=1239
Re: [twitter-dev] Re: Basic Auth Deprecation in June
Thanks. Hope it's not official. I don't remember reading anything like that on the 2 lists. No, it wasn't posted here at the time. I insert a fairly loud *ahem* to ensure such things are posted here also in the future. -- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- Two can live as cheaply as one, for half as long. --
[twitter-dev] search api results down by a factor of ten since Jan 15, 2010
Hello, you may have heard of twimpact.com. We are using the search api to get a filtered list of retweets only. We have just noticed that since January 15, 2010, about midnight UTC, the volume of results returned by the search API (JSON format) has gone down by about a factor of ten. I would like to ask whether this decrease is somehow connected to the suggested migration to the streaming API, or whether it's just us. Our system's user agent begins with twimpact/1.0, just in case. Best, Mikio Braun
[twitter-dev] Server Resources to handle (well at peak times) 5000 users
Hi --- Is there any benchmark that would allow us to plan well into the future for server resources? example: : we would be using the real time streaming API --- : 5000 users use our service: all would need to see and interact with their Home statuses time line-- : 1 to 2% are power users that have more than 1K +++ followers such as R.Scoble --- and friends : would a - 4 core XEON 8GB - machine be enough for a plan of 5000 users - and their respective followers time time status? Thanks Regards Joao
[twitter-dev] OAuth Authorization login page
I think I've seen this mentioned before, but I'll add one vote to getting it fixed... When logging in via a web app, the default action is Deny. So on my iPhone when I put in my username and password and hit Go it denies access. Quite counterintuitive. Cheers, Mike Sent from my iPhone
Re: [twitter-dev] Re: OAuth best practice
Is a mobile app more like a desktop app or a web app? The PIN in the 'desktop' flow handles this in the 'non-desktop' flow: Once Jane approves the request, Faji marks the Request Token as User-authorized by Jane. Jane’s browser is redirected back to Beppa, to the URL previously provided http://beppa.com/order together with the Request Token. This allows Beppa to know it can now continue to fetch Jane’s photos. With desktop (and possibly unanticipated) mobile apps, there isn't that redirect back. I'm all for whatever makes the best UX for oath+mobile. On Mon, Jan 18, 2010 at 6:20 AM, ryan alford ryanalford...@gmail.comwrote: You are correct. The PIN handshaking is only for Desktop Apps. Ryan On Mon, Jan 18, 2010 at 9:12 AM, eco_bach bac...@gmail.com wrote: Jeff, I might be wrong, as there seems to be some confusion on this, but I believe the extra PIN handshaking is ONLY required for what Twitter defines as 'Desktop Apps'. See the response to my questions here http://bit.ly/5xbydH As a newcomer to OAuth and the Twitter API I'm currently muddling thru the whole proxy requirements(I'm using actionscript)
[twitter-dev] Re: Update profile image API using OAuth
Ok people. Finally managed to crack it. Thanks to Raffi for sharing the raw text of the request. While working on this API I figured out there are very few resources available on the Internet with regard to the usage of multipart with OAuth, and there is a lot of confusion and misleading data. I will share whatever method worked for me with you people in the hope that others will not have to go searching for the info again.

1. Method: POST

2. The parameters which should be considered for the OAuth signature base:
- Request method (i.e. POST in this case)
- Encoded API URL (i.e. http://twitter.com/account/update_profile_background_image.format in this case)
- OAuth consumer key
- OAuth nonce
- OAuth signature method
- OAuth timestamp
- OAuth token
- OAuth version
That is basically all the default OAuth parameters. Please note that the image parameter should not be included.

3. Where to place the OAuth parameters and the OAuth signature? They should be placed in the Authorisation header of the request. Please look at the Authorisation header in the stream data attached by Raffi in the previous post for reference. Note you may have stuck the OAuth parameters in the request body for other API requests. But it is absolutely necessary that you stick them into the Auth headers for this API. (Have to check the reason for this, will update this space once I find something.)

4. Other headers which need to be set:
- ContentType = "multipart/form-data; boundary=" + boundary (this is a pre-generated random alphanumeric value, please google the way this needs to be generated). Example boundary = 645033dcf9bb
- ContentLength = [Total length of the string in your request body (this includes the byte array of the image data)]

5. What should the request body look like? Let the final request body be requestBody. I shall divide this into 3 parts:

Part 1: --{0}\r\nContent-Disposition: form-data; name=\"{1}\"; filename=\"{2}\"\r\nContent-Type: {3}\r\n\r\n
- {0} = boundary (same as the one you attached in the ContentType header)
- {1} = image (this is essentially the form parameter whose data you are sending as multipart, which in this case is image)
- {2} = [The name of the image which you are sending (including the extension)]
- {3} = image/[extension of the image you are uploading], for example image/jpeg.
Now your requestBody = Part 1.

Part 2: Get the binary byte stream of the image you are uploading, call this Part 2. Now your requestBody = Part 1 + Part 2.

Part 3: "\r\n" + "--" + boundary (same as the one generated earlier) + "--"
Your final requestBody = Part 1 + Part 2 + Part 3.

This is all I feel you need to know to get this API working. If you are still facing issues, then some things which could help you debug the issue are as follows:
- Please compare the raw text of your request stream with the request stream which Raffi has shared in the above post.
- The best free tool for sniffing the HTTP requests happening for your machine is Fiddler. You can download it from here http://www.fiddlertool.com/dl/Fiddler1Setup.exe
- Please check the headers and OAuth signature.

How to set the tile parameter is a question for which even I need to find an answer. Will update this space once something turns up. Hope this helps all those people who are trying to build a twitter API library using OAuth.
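The recipe in the post above, put together as an added Python example (not the poster's code, and not from Twitter): only the oauth_* parameters enter the signature base, the signature travels in the Authorization header, and the body is Part 1 + image bytes + Part 3. The `.json` suffix, the key, token and secret values and the image bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# URL from the post, with ".json" assumed for ".format".
API_URL = "http://twitter.com/account/update_profile_background_image.json"


def pct(value):
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="~")


def signature_base(method, url, oauth_params):
    """Method, encoded URL and the sorted oauth_* parameters; no multipart fields."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(oauth_params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(oauth_params, signature):
    fields = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))


def multipart_body(boundary, field, filename, content_type, data):
    # A CR, LF or quote in these values would let a crafted file name add part headers.
    for text in (field, filename, content_type):
        if any(c in text for c in '\r\n"'):
            raise ValueError("CR, LF or quote in a part header value")
    if ("--" + boundary).encode("ascii") in data:
        raise ValueError("boundary occurs in the file data; generate another")
    part1 = (f"--{boundary}\r\n"
             f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
             f"Content-Type: {content_type}\r\n\r\n").encode("utf-8")
    part3 = f"\r\n--{boundary}--".encode("ascii")
    return part1 + data + part3


def build_upload(oauth_params, consumer_secret, token_secret,
                 boundary, filename, content_type, image):
    base = signature_base("POST", API_URL, oauth_params)
    signature = hmac_sha1_signature(base, consumer_secret, token_secret)
    body = multipart_body(boundary, "image", filename, content_type, image)
    headers = {
        "Authorization": authorization_header(oauth_params, signature),
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        # Length in bytes of the whole body, image data included.
        "Content-Length": str(len(body)),
    }
    return headers, body


# Constructed sample values, not real credentials or a real image.
SAMPLE_OAUTH = {
    "oauth_consumer_key": "ck-constructed",
    "oauth_nonce": "n0nce123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1263830400",
    "oauth_token": "tok-constructed",
    "oauth_version": "1.0",
}
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(16)

if __name__ == "__main__":
    hdrs, payload = build_upload(SAMPLE_OAUTH, "cs-constructed", "ts-constructed",
                                 "645033dcf9bb", "bg.png", "image/png", SAMPLE_IMAGE)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print(payload[:110])
```

Comparing the printed headers and the first bytes of the body against a captured working request is the same check the post recommends doing with a proxy such as Fiddler.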
Re: [twitter-dev] Re: OAuth best practice
Native mobile apps(native Android, native IPhone, etc., meaning they run on the device itself and NOT in the browser) are considered Desktop apps. Yes, the mobile UX is one of the biggest issues with Twitter's OAuth implementation. Ryan On Mon, Jan 18, 2010 at 11:35 AM, Jeff Enderwick jeff.enderw...@gmail.comwrote: Is a mobile app more like a desktop app or a web app? The PIN in the 'desktop' flow handles this in the 'non-desktop' flow: Once Jane approves the request, Faji marks the Request Token as User-authorized by Jane. Jane’s browser is redirected back to Beppa, to the URL previously provided http://beppa.com/order together with the Request Token. This allows Beppa to know it can now continue to fetch Jane’s photos. With desktop (and possibly unanticipated) mobile apps, there isn't that redirect back. I'm all for whatever makes the best UX for oath+mobile. On Mon, Jan 18, 2010 at 6:20 AM, ryan alford ryanalford...@gmail.comwrote: You are correct. The PIN handshaking is only for Desktop Apps. Ryan On Mon, Jan 18, 2010 at 9:12 AM, eco_bach bac...@gmail.com wrote: Jeff, I might be wrong, as there seems to be some confusion on this, but I believe the extra PIN handshaking is ONLY required for what Twitter defines as 'Desktop Apps'. See the response to my questions here http://bit.ly/5xbydH As a newcomer to OAuth and the Twitter API I'm currently muddling thru the whole proxy requirements(I'm using actionscript)
Re: [twitter-dev] Using OAuth keys in an open source application
On 1/18/2010 1:19 AM, Ryan McCue wrote: Hey guys, I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now. Thanks, Ryan. Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key.
Re: [twitter-dev] Using OAuth keys in an open source application
that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in. On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 1:19 AM, Ryan McCue wrote: Hey guys, I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now. Thanks, Ryan. Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] Re: Basic Auth Deprecation in June
we have a command line tool that acts exactly like curl but does all the oauth signatures transparently to the end user (the user simply needs to register the keys with the tool). this way people who rely on the ability to use curl to interact with the API (such as scripts, etc.) can still do so. we'll be releasing that tool soon. On Mon, Jan 18, 2010 at 9:35 AM, TJ Luoma luo...@luomat.net wrote: On Mon, Jan 18, 2010 at 11:05 AM, ryan alford ryanalford...@gmail.com wrote: yes, it's official. The depreciation of Basic Auth will start in June. So — I will ask again — what are those of us using curl programs (commandline, not web) supposed to do then? TwitReport works on this: curl --location --referer ;auto -D - -s --netrc if I can't do that from the commandline, I might as well start telling people now and stop working on the next version. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] search api results down by a factor of ten since Jan 15, 2010
Perhaps someone from Search can comment? In the mean time, please see: http://groups.google.com/group/twitter-api-announce/browse_thread/thread/c8c713bb63fac24c On Mon, Jan 18, 2010 at 2:37 AM, mikiobraun mikiobr...@googlemail.comwrote: Hello, you may have heard of twimpact.com. We are using the search api to get a filtered list of retweets only. We have just noticed that since January 15, 2010, about midnight UTC, the volume of results returned by the search API (JSON format) has gone down by about a factor of ten. I would like to ask whether this decrease is somehow connected to the suggested migration to the streaming API, or whether it's just us. Our system's user agent begins with twimpact/1.0, just in case. Best, Mikio Braun
Re: [twitter-dev] Re: Basic Auth Deprecation in June
On Mon, Jan 18, 2010 at 12:48 PM, Raffi Krikorian ra...@twitter.com wrote: we have a command line tool that acts exactly like curl but does all the oauth signatures transparently to the end user (the user simply needs to register the keys with the tool). this way people who rely on the ability to use curl to interact with the API (such as scripts, etc.) can still do so. we'll be releasing that tool soon. Well just about everything that I do with the API is through curl, so let me know if you need any beta testers :-) Otherwise I'm just going to put everything on hold for now before I waste any more time on stuff I'm just going to have to redo later. TjL
Re: [twitter-dev] Using OAuth keys in an open source application
You are reading it correct. You do not want to give out your Consumer Key or Consumer Secret. If somebody downloads the source of your application, they are most likely going to be using it in their own application. Therefore, they need their own Consumer Key and Consumer Secret. Ryan On Mon, Jan 18, 2010 at 12:56 PM, Isaiah supp...@yourhead.com wrote: So you're saying that each individual end-user of the open source app would register with Twitter for separate Twitter Application credentials, add those credentials to the app, and then recompile the application? Or did I read that incorrectly? Isaiah YourHead Software supp...@yourhead.com http://www.yourhead.com On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote: that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in. On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.comwrote: On 1/18/2010 1:19 AM, Ryan McCue wrote: Hey guys, I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now. Thanks, Ryan. Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] Using OAuth keys in an open source application
Something like that. Ideally, what I would do is configure the app so that if the consumerkeys (both secret and non) are not present, the user is directed to a screen to input those for themselves (with maybe a helpful link to get them in the first place). On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote: that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in. On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.com mailto:john.l.me...@gmail.com wrote: On 1/18/2010 1:19 AM, Ryan McCue wrote: Hey guys, I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now. Thanks, Ryan. Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
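The approach suggested in the replies above (ship an example configuration file, keep the real keys out of the distribution, and send the user to a setup step when they are missing), as an added Python sketch rather than code from the thread or from the PHP application being discussed. The file name, section name, placeholder text and exception name are assumptions.

```python
import configparser
import os
import stat

# Contents of the file that IS distributed, e.g. as twitter_oauth.ini.example (name assumed).
EXAMPLE_CONFIG = """\
# Copy to twitter_oauth.ini and fill in the keys of your own registered application.
[twitter]
consumer_key = REPLACE_WITH_YOUR_CONSUMER_KEY
consumer_secret = REPLACE_WITH_YOUR_CONSUMER_SECRET
"""


class CredentialsNotConfigured(Exception):
    """Raised so the caller can show a setup screen instead of failing later."""


def load_consumer_credentials(path):
    """Return (consumer_key, consumer_secret) from a private, user-supplied file."""
    try:
        info = os.stat(path)
    except FileNotFoundError:
        raise CredentialsNotConfigured(
            f"{path} not found; copy the example file and add your own keys") from None
    # On POSIX systems, refuse a secret file that group or other users can access.
    if os.name == "posix" and info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to other users; chmod 600 it")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path, encoding="utf-8")
    values = {}
    for name in ("consumer_key", "consumer_secret"):
        value = parser.get("twitter", name, fallback="").strip()
        # An untouched copy of the example file counts as "not configured".
        if not value or value.startswith("REPLACE_WITH_"):
            raise CredentialsNotConfigured(f"{name} is not set in {path}")
        values[name] = value
    return values["consumer_key"], values["consumer_secret"]


def save_consumer_credentials(path, consumer_key, consumer_secret):
    """Write keys entered on a setup screen to a file only the owner can read."""
    parser = configparser.ConfigParser(interpolation=None)
    parser["twitter"] = {"consumer_key": consumer_key,
                         "consumer_secret": consumer_secret}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        parser.write(handle)
    os.chmod(path, 0o600)  # also tightens a file that already existed


if __name__ == "__main__":
    try:
        print(load_consumer_credentials("twitter_oauth.ini"))
    except CredentialsNotConfigured as exc:
        print("Setup needed:", exc)
```

Listing the real file in the project's version-control ignore file keeps a filled-in copy from being committed by accident.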
Re: [twitter-dev] Re: Social Graph API: Legacy data format will be eliminated 1/11/2010
Yet, those 775 accounts have the potential ability to reach up to 775,000+ (+, considering the number of retweets they each get) of Twitter's user base. When they're dissatisfied, people hear. IMO those are the ones Twitter should be going out of their way to satisfy. Add to that the fact that many of those are the ones willing to pay the biggest bucks when/if Twitter implements a business account, they could also be a contributing factor to Twitter's revenue model in the future. It makes total sense for Twitter to support those ~775 accounts. If they're ignored, they'll take their followers with them. Jesse Getting way off topic, but I think you're wrong here. They won't be taking their followers anywhere. Commonly the majority of the large number of followers aren't engaged followers. http://dashes.com/anil/2010/01/nobody-has-a-million-twitter-followers.html Anil's blog post matches my own experiences with traffic fluctuations after receiving tweets. Tim.
[twitter-dev] Re: Using OAuth keys in an open source application
OK ... let me make *sure* I understand this. Is this the best practice?:

1. I write a desktop application. Whether it's closed or open source is irrelevant. I advertise this application for sale, saying, "It runs on Windows, Macintosh and Linux desktops (KDE, Gnome, XFCE, let's say), it does all these wonderful things, *and* it's oAuth-secure!"
2. I *sell* Bob a copy of my application. It contains code but *no* oAuth tokens of any kind.
3. Bob installs the application. Bob starts up the application.
4. The application starts up the browser and points it to http://twitter.com/apps/new, and directs Bob to do the following:
   4.a. Log in to Twitter.
   4.b. Fill in the form. I tried this with a dummy application, and the Application Name must be *unique*. So what does Bob put in this field? "Bob's copy of Ed's wonderful application"?
   4.c. Now Bob has a consumer key and consumer secret, unique to *his* copy of the application, *not* generic to the application.
5. The application instructs him to enter the freshly-minted consumer key and secret via copy and paste into a dialog box, checks them for validity against the Twitter oAuth servers, and then stores them someplace that an attacker can't find them. This is, of course, platform dependent - the application needs special code for Windows, Mac, and at least two Linux desktops. See http://apiwiki.twitter.com/Security-Best-Practices for the application's responsibilities in this area.
6. OK, now Bob has registered the application with Twitter. He actually wants to use it now. The application starts up, picks up the stored consumer key and secret, starts up the browser again, and goes to the PIN-generation site. If Bob hasn't logged in to Twitter yet, that site will ask him to do so. Bob gets his PIN and copies it into a dialog box. The application does its thing, and Bob tweets about how wonderful it is that he can do all this stuff with Ed's wonderful application. I sell 3,000 copies of it, hire a support engineer, and make the front page of Mashable! ;-) But there's two ways I can go with this:
   6.a. Grant Bob indefinite permission by getting the PIN once and storing the resulting tokens on his machine, again someplace that an attacker can't find them.
   6.b. Require Bob to get a new PIN each time he uses the application.

What's the best practice here? Personally, I'm leaning towards a new PIN each time as long as it isn't an impact to Twitter servers, because it exposes one less place for an attack.

-- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan Sent from my DROID On Jan 18, 2010 2:18 PM, M. Edward (Ed) Borasky zzn...@gmail.com wrote: OK ... let me make *sure* I understand this. Is this the best practice?: 1. I write a desktop application. Whether it's closed or open source is irrelevant. I advertise this application for sale, saying, It runs on Windows, Macintosh and Linux desktops (KDE, Gnome, XFCE, let's say), it does all these wonderful things, *and* it's oAuth-secure! 2. I *sell* Bob a copy of my application. It contains code but *no* oAuth tokens of any kind. 3. Bob installs the application. Bob starts up the application. 4. The application starts up the browser and points it to http://twitter.com/apps/new, and directs Bob to do the following: 4.a. Log in to Twitter. 4.b. Fill in the form. I tried this with a dummy application, and the Application Name must be *unique*. So what does Bob put in this field? Bob's copy of Ed's wonderful application? 4.c. Now Bob has a consumer key and consumer secret, unique to *his* copy of the application, *not* generic to the application. 5. The application instructs him to enter the freshly-minted consumer key and secret via copy and paste into a dialog box, checks them for validity against the Twitter oAuth servers, and then stores them someplace that an attacker can't find them. This is, of course, platform dependent - the application needs special code for Windows, Mac, and at least two Linux desktops. See http://apiwiki.twitter.com/Security-Best-Practices for the application's responsibilities in this area. 6. OK, now Bob has registered the application with Twitter. 
He actually wants to use it now. The application starts up, picks up the stored consumer key and secret, starts up the browser again, and goes to the PIN-generation site. If Bob hasn't logged in to Twitter yet, that site will ask him to do so. Bob gets his PIN and copies it into a dialog box. The application does its thing, and Bob tweets about how wonderful it is that he can do all this stuff with Ed's wonderful application. I sell 3,000 copies of it, hire a support engineer, and make the front page of Mashable! ;-) But there's two ways I can go with this: 6.a. Grant Bob indefinite permission by getting the PIN once and storing the resulting tokens on his machine, again someplace that an attacker can't find them. 6.b. Require Bob to get a new PIN each time he uses the application. What's the best practice here? Personally, I'm leaning towards a new PIN each time as long as it isn't an impact to Twitter servers, because it exposes one less place for an attack. -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
[twitter-dev] Re: Basic Auth Deprecation in June
Another beta tester here! ;-) On Jan 18, 9:54 am, TJ Luoma luo...@luomat.net wrote: On Mon, Jan 18, 2010 at 12:48 PM, Raffi Krikorian ra...@twitter.com wrote: we have a command line tool that acts exactly like curl but does all the oauth signatures transparently to the end user (the user simply needs to register the keys with the tool). this way people who rely on the ability to use curl to interact with the API (such as scripts, etc.) can still do so. we'll be releasing that tool soon. Well just about everything that I do with the API is through curl, so let me know if you need any beta testers :-) Otherwise I'm just going to put everything on hold for now before I waste any more time on stuff I'm just going to have to redo later. TjL
[twitter-dev] Q: Retrieving and purpose of authenticity_token
Hi, I am building an AS3 based twitter client. Once the user has authorized access at the Twitter OAuth sign in page:

1. Twitter returns an oauth_token and an authenticity_token
2. Twitter redirects the user back to the application URL, appending the oauth_token to the application url.

My question is, since by default I am in a new browser window at the authorization stage, how do I retrieve this authenticity_token? Basically after sign In-authorization and returning to my application, ALL I have is the oauth_token stripped from the URL. What is the purpose of the authenticity_token? Is it just application and NOT user specific? Don't I need an access token IN ADDITION TO this oauth_token returned? Thanks in advance!
[twitter-dev] Re: Server Resources to handle (well at peak times) 5000 users
On Jan 18, 3:50 am, techtimes techf...@gmail.com wrote: Hi --- Is there any benchmark that would allow us to plan well into the future for server resources? example: : we would be using the real time streaming API --- : 5000 users use our service: all would need to see and interact with their Home statuses time line-- : 1 to 2% are power users that have more than 1K +++ followers such as R.Scoble --- and friends : would a - 4 core XEON 8GB - machine be enough for a plan of 5000 users - and their respective followers time time status? Thanks Regards Joao I'd recommend hiring a capacity planner. This kind of detailed planning is exactly what we do for a living. Email me off-list and I'll give you some pointers for finding one in your area. -- M. Edward (Ed) Borasky http://borasky-research.net/ A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Agreed. The reason you don't want to give out YOUR consumer key and consumer secret in your open-source code is because somebody could download your code, make malicious changes to make it do something bad, and now their app looks exactly like yours to Twitter since the consumer keys are the same. So when that app starts causing problems for users, it's YOU that they start contacting. Ryan On Mon, Jan 18, 2010 at 2:32 PM, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 12:22 PM, ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan An addendum. If you were seriously concerned about others grabbing those codes you could specify that the app fetches those keys from an ftp server or some sort of web service that you ran. But I would guess that this would be a bit more paranoid than what you are trying to prevent.
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Seriously, are we still beating this dead old horse? Closed or open source doesn't matter. The fact that a consumer key and secret (!) are redistributed = design FAILURE. It's trivial to recover the consumer key and secret from a closed source application, which can in turn be used in a malicious application ... The consumer key and secret CANNOT be used as a form of application authentication. It's not trustworthy enough. This is an inherent design deficiency in OAuth. On 1/18/10 2:46 PM, ryan alford wrote: Agreed. The reason you don't want to give out YOUR consumer key and consumer secret in your open-source code is because somebody could download your code, make malicious changes to make it do something bad, and now their app looks exactly like yours to Twitter since the consumer keys are the same. So when that app starts causing problems for users, it's YOU that they start contacting. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Just the consumer key, or both the consumer key and consumer secret? both are needed when doing OAuth. Ryan On Mon, Jan 18, 2010 at 2:52 PM, M. Edward (Ed) Borasky zzn...@gmail.comwrote: On Jan 18, 11:32 am, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 12:22 PM, ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. Just the consumer key, or both the consumer key and consumer secret? If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan An addendum. If you were seriously concerned about others grabbing those codes you could specify that the app fetches those keys from an ftp server or some sort of web service that you ran. But I would guess that this would be a bit more paranoid than what you are trying to prevent. The paranoia is directly from Twitter's Security Best Practices http://apiwiki.twitter.com/Security-Best-Practices: Don't store passwords. Just store OAuth tokens. Please. As aforementioned, for optimal security you should be using OAuth. But once you have a token with which to make requests on behalf of a user, where do you put it? Ideally, in an encrypted store managed by your operating system. On Mac OS X, this would be the Keychain. In the GNOME desktop environment, there's the Keyring. In the KDE desktop environment, there's KWallet. As an aside, 90% of the desktops/laptops out there run Windows. I'd hope that the Security Best Practices document would include a little more on dealing with Windows desktops than a link to the MSDN Security Developer Center. 
;-) I think the FTP server idea is a good one - it gives me a log file of everyone who's obtained the consumer key and secret for Ed's Wonderful Desktop App, so when someone fires up a debugger, runs my app, grabs all the authentication codes and uses them to do a DOS attack on Twitter and gets my app blacklisted, I'll have a list of people for my attorney to call and depose. ;-) -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
[twitter-dev] TwitVid upload function
I'm part of the TwitterVB library project. Part of my effort is to write an object that encapsulates a connection to TwitVid.com. I'm currently testing the upload function but am having problems:

Upload = String.Empty
If DateTime.Now > m_dtTL Then
    Me.Authenticate()
End If
Try
    Dim bMovieFile() As Byte = System.IO.File.ReadAllBytes(p_strFileName)
    Dim strBoundary As String = Guid.NewGuid.ToString()
    Dim strHeader As String = String.Format("--{0}", strBoundary)
    Dim strFooter As String = String.Format("--{0}--", strBoundary)
    Dim rqUpload As HttpWebRequest = DirectCast(WebRequest.Create(TWITVID_UPLOAD_URL), HttpWebRequest)
    With rqUpload
        .PreAuthenticate = True
        .AllowWriteStreamBuffering = True
        .ContentType = String.Format("multipart/form-data; boundary={0}", strBoundary)
        .Method = "POST"
    End With
    Dim strFileType As String = "application/octet-stream"
    Dim strFileHeader As String = [String].Format("Content-Disposition: file; name={0}; filename={1}", "media", p_strFileName)
    Dim strFileData As String = Encoding.GetEncoding("iso-8859-1").GetString(bMovieFile)
    Dim strContents As New StringBuilder()
    With strContents
        .AppendLine(strHeader)
        .AppendLine(strFileHeader)
        .AppendLine([String].Format("Content-Type: {0}", strFileType))
        .AppendLine()
        .AppendLine(strFileData)
        .AppendLine(strHeader)
        .AppendLine([String].Format("Content-Disposition: form-data; name={0}", "token"))
        .AppendLine()
        .AppendLine(m_strOauth)
        .AppendLine(strHeader)
        .AppendLine([String].Format("Content-Disposition: form-data; name={0}", "message"))
        .AppendLine()
        .AppendLine(p_strMessage)
        .AppendLine(strFooter)
    End With
    Dim bContents() As Byte = Encoding.GetEncoding("iso-8859-1").GetBytes(strContents.ToString())
    rqUpload.ContentLength = bContents.Length
    Dim rqStreamFile As Stream = rqUpload.GetRequestStream()
    rqStreamFile.Write(bContents, 0, bContents.Length)
    Dim rspFileUpload As HttpWebResponse = DirectCast(rqUpload.GetResponse, HttpWebResponse)
    Dim rdrResponse As New StreamReader(rspFileUpload.GetResponseStream())
    Dim strResponse As String = rdrResponse.ReadToEnd()
    Dim xResponse As New XmlDocument
    xResponse.LoadXml(strResponse)
    Dim xnRSP As XmlNode = xResponse.SelectSingleNode("//rsp")
    If xnRSP.Attributes("stat").Value = "ok" Then
        Upload = xnRSP.SelectSingleNode("//mediaurl").InnerText
    Else
        Upload = strResponse
    End If
Catch ex As Exception
    MsgBox(ex.Message)
End Try
Return Upload
End Function

Calling this function gives me this error:

<?xml version="1.0" encoding="UTF-8"?>
<rsp stat="fail">
<err code="1002" msg="No file specified to upload" />
</rsp>

If anybody has any ideas I'd appreciate it (note I've put the file on the front and in the back. Both return the same error).
[twitter-dev] Streaming API - Partial word match
Search API team is recommending developers to migrate over to Streaming API. To get started with this, I was looking at the Streaming API docs and they state that if using Track for query parameter, Terms are exact-matched, and also exact-matched ignoring punctuation. From what I can figure out from that statement and running a couple of tests, Streaming API is not returning partial word matches, which Search API does. For example - keyword bit.ly returns all results on Search API with *bit.ly*, while Streaming API returns only results with exact bit.ly. Are there any plans to support partial word matches in the Streaming API?
[twitter-dev] Re: Using OAuth keys in an open source application
On Jan 18, 11:48 am, Dossy Shiobara do...@panoptic.com wrote: Seriously, are we still beating this dead old horse? Closed or open source doesn't matter. The fact that a consumer key and secret (!) are redistributed = design FAILURE. It's trivial to recover the consumer key and secret from a closed source application, which can in turn be used in a malicious application ... The consumer key and secret CANNOT be used as a form of application authentication. It's not trustworthy enough. This is an inherent design deficiency in OAuth. If that's the case, then *desktop* Twitter applications are not a viable business model. You *must* have a server, with the extra overhead that involves, and the extra cost that must be passed on to your customers, in order to protect yourself and Twitter from malicious users. Given the other limitations of the desktop application model, e.g., no production access to the Streaming API and no easy mobile deployment options, it's seriously looking like I am wasting my time developing desktop applications. Sigh ... off to do some more research ... -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Why would you be required to have a server? To keep your consumer key and consumer secret out of your app? It's not required. Mine are stored in a database that is coupled with my application. The database is password protected, so nobody is getting in. Ryan On Mon, Jan 18, 2010 at 4:27 PM, M. Edward (Ed) Borasky zzn...@gmail.comwrote: On Jan 18, 11:48 am, Dossy Shiobara do...@panoptic.com wrote: Seriously, are we still beating this dead old horse? Closed or open source doesn't matter. The fact that a consumer key and secret (!) are redistributed = design FAILURE. It's trivial to recover the consumer key and secret from a closed source application, which can in turn be used in a malicious application ... The consumer key and secret CANNOT be used as a form of application authentication. It's not trustworthy enough. This is an inherent design deficiency in OAuth. If that's the case, then *desktop* Twitter applications are not a viable business model. You *must* have a server, with the extra overhead that involves, and the extra cost that must be passed on to your customers, in order to protect yourself and Twitter from malicious users. Given the other limitations of the desktop application model, e.g., no production access to the Streaming API and no easy mobile deployment options, it's seriously looking like I am wasting my time developing desktop applications. Sigh ... off to do some more research ... -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Hint: If the data is in RAM at any point in time, your entry-level hacker kiddie can recover the keys in cleartext. Storing your key on a remote server and fetching it doesn't protect it either. As long as that key is brought to a machine that an attacker has full control over, it might as well be stored with the app in plaintext. On 1/18/10 4:50 PM, ryan alford wrote: Why would you be required to have a server? To keep your consumer key and consumer secret out of your app? It's not required. Mine are stored in a database that is coupled with my application. The database is password protected, so nobody is getting in. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Maybe OT: rsp status vs stat
I don't know if this is the right place to ask about this, but why am I on several sources (Twitvid, filesocial, etc) receiving a rsp status when an upload succeeds but an rsp stat when it fails? Or is the documentation a little bit off?
Re: [twitter-dev] Streaming API - Partial word match
I've been able to track act.ly urls by using act. So try bit and just throw out anything that isn't a bit.ly url. On Mon, Jan 18, 2010 at 1:05 PM, vivekpuri v...@vivekpuri.com wrote: Search API team is recommending developers to migrate over to Streaming API. To get started with this, I was looking at the Streaming API docs and they state that if using Track for query parameter, Terms are exact-matched, and also exact-matched ignoring punctuation. From what I can figure out from that statement and running a couple of tests, Streaming API is not returning partial word matches, which Search API does. For example - keyword bit.ly returns all results on Search API with *bit.ly*, while Streaming API returns only results with exact bit.ly. Are there any plans to support partial word matches in the Streaming API?
Re: [twitter-dev] Re: Using OAuth keys in an open source application
It would be less work for me to run Charles proxy and catch the consumer key/secret in transit than to decompile it and figure out where in the code it is actually stored when distributed with the app. Previously with basicauth you could use anybody's source param and spoof their application. At least with OAuth you have to acquire their consumer key/secret first. You guys are all freaking out about this when this is how the internet works. Just look at email. With a single line of PHP I can send any of you an email from any email address.* Abraham *There are technologies to stop this but very few mail servers use them. Currently Gmail refuses email from paypal.com unless it is signed by their key. On Mon, Jan 18, 2010 at 15:35, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18, 2:27 pm, Dossy Shiobara do...@panoptic.com wrote: Hint: If the data is in RAM at any point in time, your entry-level hacker kiddie can recover the keys in cleartext. Ayup :-( Storing your key on a remote server and fetching it doesn't protect it either. As long as that key is brought to a machine that an attacker has full control over, it might as well be stored with the app in plaintext. -- Abraham Williams | Moved to Seattle | May cause email delays Project | Intersect | http://intersect.labs.poseurtech.com Hacker | http://abrah.am | http://twitter.com/abraham This email is: [ ] shareable [x] ask first [ ] private.
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Also, the consumer secret is harder to get since it's not sent as a parameter. Ryan Sent from my DROID On Jan 18, 2010 7:18 PM, Abraham Williams 4bra...@gmail.com wrote: It would be less work for me to run Charles proxy and catch the consumer key/secret in transit than to decompile it and figure out where in the code it is actually stored when distributed with the app. Previously with basicauth you could use anybody's source param and spoof their application. At least with OAuth you have to acquire their consumer key/secret first. You guys are all freaking out about this when this is how the internet works. Just look at email. With a single line of PHP I can send any of you an email from any email address.* Abraham *There are technologies to stop this but very few mail servers use them. Currently Gmail refuses email from paypal.com unless it is signed by their key. On Mon, Jan 18, 2010 at 15:35, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18,... -- Abraham Williams | Moved to Seattle | May cause email delays Project | Intersect | http://intersect.labs.poseurtech.com Hacker | http://abrah.am | http://twitter.com/abraham This email is: [ ] shareable [x] ask first [ ] private.
[twitter-dev] Re: Is this API limit work around ok?
This doesn't seem to be working for me. When I check my rate limit, it appears it's still applied to the IP address and not the account. I am trying to authenticate with the following script. Anyone have any tips? Does this look correct?

$ch = curl_init();
// Request users/show for the given screen name over HTTPS.
curl_setopt($ch, CURLOPT_URL, "https://twitter.com/users/show/" . $twitterUsername . ".xml");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_HTTPGET, 1);
// Basic authentication with the account credentials.
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, 'myusername:mypassword');
// Keep certificate verification on: this request carries the account password.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
$result = curl_exec($ch);
curl_close($ch);
$twitterXML = simplexml_load_string($result);

On Jan 15, 10:02 pm, Abraham Williams 4bra...@gmail.com wrote: Yes you can make the calls using basic authentication to target the rate hit to the account. On Fri, Jan 15, 2010 at 12:50, Robb robert.stro...@gmail.com wrote: Hello all, I am developing a Twitter web app currently on shared hosting. The only Twitter API call that I make is an unauthenticated call to users/show which is counted against my IP address API rate limit. I do not have a static IP address so I can't whitelist my IP until I get my own server. I can only whitelist my username. Can I add my account authentication to the following call: http://twitter.com/users/show/username.xml in order to count the rate limit against my username instead of my IP for every user that visits my site? I am still a novice at PHP, especially security. Would it be ok for me to make this call with basic authentication inside a PHP script, only returning the bits of info that I need to the user? Note that this feature of my site will not be behind a login for Twitter users, so I can not have users login and then have the API rate limit applied to their username.
Thanks for the help, Robb -- Abraham Williams | Moved to Seattle | May cause email delays Project | Intersect |http://intersect.labs.poseurtech.com Hacker |http://abrah.am|http://twitter.com/abraham This email is: [ ] shareable [x] ask first [ ] private. Sent from Seattle, WA, United States
[twitter-dev] Re: Server Resources to handle (well at peak times) 5000 users
I think that the resources will be determined in great deal by how your application handles its data and processes. Remember that much of the interaction towards twitter Api will use network (bandwidth) resources and very little machine (CPU, RAM) resources. In our personal experience much of our resource optimization has been geared towards minimizing API calls (Process waiting for api responses) and Not Hardware resources. Hope this helps. BTW We are looking into optimizing our algorithm for API calls. Anyone want to discuss what we're doing? On Jan 18, 5:50 am, techtimes techf...@gmail.com wrote: Hi --- Is there any benchmark that would allow us to plan well into the future for server resources? example: : we would be using the real time streaming API --- : 5000 users use our service: all would need to see and interact with their Home statuses time line-- : 1 to 2% are power users that have more than 1K +++ followers such as R.Scoble --- and friends : would a - 4 core XEON 8GB - machine be enough for a plan of 5000 users - and their respective followers time time status? Thanks Regards Joao
[twitter-dev] Search more than 1500 tweets
I was working on an app, which needs to get all the RT for a given query. However, I found out that it caps out at 1500 (100 tweets * 15 pages). Also, all these queries could be within a short span of time (hours to a few days). So, in some cases if I get RT more than 1500, my current implementation will ignore the tweets sent before the latest 1500. Is there a workaround to get more than 1500 tweets? Thanks.
[twitter-dev] Profile Widget rate limit
Hi, I've been asked to help implement and test the Profile Widget found here http://twitter.com/goodies/widget_profile onto a company website. I've implemented it easily, but I have concerns about the rate limits. I found that: A) 1,000 total updates per day, on any and all devices (web, mobile web, phone, API, etc. ) B) 250 total direct messages per day, on any and all devices C) 150 API requests per hour 1) Do all of these limits apply when using the Profile Widget? 2) The widget is to be used along side a video stream where notes references will be tweeted as the conference proceeds. So apart from whitelisting and caching how can I prepare for this? Is there a better solution for this situation? 3) Is there a business plan/package? If I have problems with the above concerns the company is willing to pay for a corporate package for extra support. Thanks so much!! Thip
Re: [twitter-dev] Using OAuth keys in an open source application
John Meyer wrote: Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. Right, so everyone would have to get their own API key? Sounds a bit counter intuitive to me. ryan alford wrote: You do not want to give out your Consumer Key or Consumer Secret. If somebody downloads the source of your application, they are most likely going to be using it in their own application. Therefore, they need their own Consumer Key and Consumer Secret. ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. The problem with that is that the application is written in PHP, so they need the source to run it, hence, any normal users would need to have an API key. -- Ryan McCue http://ryanmccue.info/
[twitter-dev] tweeting selective followers
I was directed to this user group by Twitter Support with regard to my query. I am interested in tweeting selective followers of a user who have declared interest in receiving specific tweets based on some categorization. Creating a separate account for each such category or sending DM to each user are not practical options with huge number of categories or when one user is interested in tweets from multiple categories. In addition Support indicated, I may run into rate limit issues and / or break twitter rules. Has anyone achieved this or has a suggestion? Thanks!
[twitter-dev] Re: After changing the callback URL, it is still going to the old one
I'm having this issue too. How long is the turnaround supposed to be? On Jan 15, 2:19 am, Gavin Bong rubyco...@gmail.com wrote: Hi, I changed my application's callback URL but twitter is still calling the old callback URL. It was changed 8 hours ago. What gives ? What should I do ? Regards, Gavin
[twitter-dev] turnaround time for callback URL changes?
( posted a reply to an old topic, but it appears to have disappeared into the ether ) My changes to the callback URL don't seem to be taking effect. I've tried changing it a few times over the last week, and it never seems to have gone through. Is anyone else having problems with this? Thanks!
Re: [twitter-dev] Using OAuth keys in an open source application
PHP as in web-based? Why wouldn't the user just login to the website? Ryan Sent from my DROID On Jan 18, 2010 10:03 PM, Ryan McCue li...@rotorised.com wrote: John Meyer wrote: Technically, you don't. All opensource requires is that you distribute the so... Right, so everyone would have to get their own API key? Sounds a bit counter intuitive to me. ryan alford wrote: You do not want to give out your Consumer Key or Consumer Secret. If someb... ryan alford wrote:There is a difference between giving your application to others to install ... The problem with that is that the application is written in PHP, so they need the source to run it, hence, any normal users would need to have an API key. -- Ryan McCue http://ryanmccue.info/
[twitter-dev] Re: Using OAuth keys in an open source application
I'm trying to define a minimum viable product that I can *sell*. Nothing I've seen in this thread so far has convinced me that a desktop application accessing Twitter is viable, with or without oAuth. Without oAuth isn't viable because it's deprecated by Twitter, and with oAuth isn't viable because it's *easy* to compromise. Sure, a server *can* be compromised, but it's a lot harder. On a server, I can control the choice of the entire stack - hardware, OS, application framework, DBMS, etc. I may not be able to prevent a DOS attack, but I can keep that away from Twitter - I can't control how users interact with Twitter using a compromised desktop app. There must be some other developers on this list - does *anybody* who develops Twitter apps for a living want to chime in and tell me I'm full of hot air here - that there *is* a way to develop and deploy a viable secure desktop Twitter app? You guys are all freaking out about this when this is how the internet works. Just look at email. With a single line of PHP I can send any of you an email from any email address.* Abraham *There technologies to stop this but very few mail servers use them. Currently Gmail refuses email from paypal.com unless it is signed by their key. This is how the Internet works *now* - with 90 percent of the desktops running Windows, many of those not up to date on Windows Updates or virus scanner code and virus definitions, botnets controlling millions of PCs, the government of China exploiting holes in IE 6, bloggers calling openly for iPhone users to mount a DDOS against ATT, GMail peeking at the content of my emails to suggest commercial products that I might happen to consider competitors, and Facebook selling your private data to scammers and spammers. There may be a thousand and one ways to get hurt on the Internet, but I'm not interested in deploying the 1002nd. That could all change with ChromeOS netbooks. I can dream. ;-) -- M. 
Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
[twitter-dev] Re: OAuth best practice
On Jan 18, 11:48 am, Jeff Enderwick jeff.enderw...@gmail.com wrote: mobile browser cpu/mem requirement mobile twitter client cpu/mem requirement. Yeah ... I don't develop mobile apps, but I suspect you're right. It's too bad pure HTML has such a lame user experience, because if you could live without Flash, Java, JavaScript and all that other rich stuff, browsers would be just fine. Lynx FTW. ;-) -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Using OAuth keys in an open source application
On 1/18/2010 6:43 PM, Ryan McCue wrote: John Meyer wrote: Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. Right, so everyone would have to get their own API key? Sounds a bit counter intuitive to me. No, the point I was trying to make was that you don't HAVE to distribute the key. Nothing in the open source license requires you to give that information to another person. You can distribute it if you want to, but you are perfectly free to give them the source code and tell them that if they want it to work they need to go get their own consumer keypair. In short, once you are done unit testing the product you can delete out those variables and tell them where to fill in their own information. Nothing in the open source license requires you to give that information anymore than it requires you to publicize what the root password on your mysql database server is.
Re: [twitter-dev] Re: Using OAuth keys in an open source application
On 1/18/2010 8:16 PM, M. Edward (Ed) Borasky wrote: I'm trying to define a minimum viable product that I can *sell*. Nothing I've seen in this thread so far has convinced me that a desktop application accessing Twitter is viable, with or without oAuth. Without oAuth isn't viable because it's deprecated by Twitter, and with oAuth isn't viable because it's *easy* to compromise. Sure, a server *can* be compromised, but it's a lot harder. On a server, I can control the choice of the entire stack - hardware, OS, application framework, DBMS, etc. I may not be able to prevent a DOS attack, but I can keep that away from Twitter - I can't control how users interact with Twitter using a compromised desktop app. But you still control your own keys. If you find that somebody has compromised your program, you can revoke those consumer keys through twitter and regenerate them. And I would assume that, given the dearth of Twitter applications out there, your application will do a bit more than just Twitter (if it doesn't, you're probably better off giving it away as freeware/resumeware). Twitter is a viable platform but it's only a means to an end, it is not an end. The value that you will generate in addition to twitter (molding Twitter to a GIS app, for instance) is where you will realize a profit, not in just locking onto twitter and being concerned about the security of an oAuth vs Basic system. Is oAuth the best solution? Hardly. If I had my druthers it would be more of a captcha response that would let developers have a bit more control over how to display that data. But no security system short of ripping the cables out of the Twitter server will ever be perfect. There must be some other developers on this list - does *anybody* who develops Twitter apps for a living want to chime in and tell me I'm full of hot air here - that there *is* a way to develop and deploy a viable secure desktop Twitter app?
You guys are all freaking out about this when this is how the internet works. Just look at email. With a single line of PHP I can send any of you an email from any email address.* Abraham *There technologies to stop this but very few mail servers use them. Currently Gmail refuses email from paypal.com unless it is signed by their key. This is how the Internet works *now* - with 90 percent of the desktops running Windows, many of those not up to date on Windows Updates or virus scanner code and virus definitions, botnets controlling millions of PCs, the government of China exploiting holes in IE 6, bloggers calling openly for iPhone users to mount a DDOS against ATT, GMail peeking at the content of my emails to suggest commercial products that I might happen to consider competitors, and Facebook selling your private data to scammers and spammers. There may be a thousand and one ways to get hurt on the Internet, but I'm not interested in deploying the 1002nd. That could all change with ChromeOS netbooks. I can dream. ;-) -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
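The points argued in this thread, worked through as an added example (Python, not code from any poster or from Twitter): an OAuth 1.0a HMAC-SHA1 signer and a provider-side check showing that the consumer secret never travels as a parameter, that any client holding the same key pair is accepted as the same application, and that regenerating the secret invalidates requests signed with the old one. All keys, tokens, the URL and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials, not real values.
CONSUMER_KEY = "constructed-consumer-key"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKENS = {"constructed-token-1": "constructed-token-secret-1",
          "constructed-token-2": "constructed-token-secret-2"}


def pct(value):
    """Percent-encode as OAuth 1.0a requires: only unreserved characters stay."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """The two secrets form the HMAC key; they are never request parameters."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()


def build_request(consumer_key, consumer_secret, token, token_secret,
                  method, url, body, nonce, timestamp):
    """Return every parameter a client would put on the wire."""
    params = dict(body)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_nonce": nonce,
        "oauth_timestamp": str(timestamp),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


def provider_verify(method, url, received, consumer_secrets, token_secrets):
    """Provider side: look up both secrets, recompute, compare in constant time."""
    consumer_secret = consumer_secrets.get(received.get("oauth_consumer_key"))
    token_secret = token_secrets.get(received.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    unsigned = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received.get("oauth_signature", ""))


def run_demo():
    url = "https://api.example.invalid/statuses/update.xml"  # constructed URL
    body = {"status": "hello & goodbye"}
    registered = {CONSUMER_KEY: CONSUMER_SECRET}

    # The application as shipped by its developer.
    first = build_request(CONSUMER_KEY, CONSUMER_SECRET, "constructed-token-1",
                          TOKENS["constructed-token-1"], "POST", url, body,
                          "nonce-a", 1263859200)
    # A different build that carries the same consumer key pair.
    second = build_request(CONSUMER_KEY, CONSUMER_SECRET, "constructed-token-2",
                           TOKENS["constructed-token-2"], "POST", url, body,
                           "nonce-b", 1263859260)
    tampered = dict(first, status="something else")
    rotated = {CONSUMER_KEY: "constructed-secret-after-regeneration"}

    return {
        "secret_on_wire": any(CONSUMER_SECRET in v for v in first.values()),
        "first_client_accepted": provider_verify("POST", url, first, registered, TOKENS),
        "second_client_accepted": provider_verify("POST", url, second, registered, TOKENS),
        "tampered_accepted": provider_verify("POST", url, tampered, registered, TOKENS),
        "accepted_after_rotation": provider_verify("POST", url, first, rotated, TOKENS),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The signature proves possession of the key pair and protects the request from modification; it carries no information about which binary produced it.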
[twitter-dev] Re: Sent URLs received incompletely if not urlencoded - how to fix?
I suspect that you're sending something like 'text ' + urlencode (url). Note that sending involves urlencoding. On the other end, twitter url urldecodes the status as a whole, but try to figure out what's url encoded in the status. Don't do that. Instead, send 'text ' + url. Your send routine should urlencode the whole thing. On the other end, twitter will urldecode that whole thing and you'll get what you want. Note that you do have to do something about '' and ''. On Jan 18, 2:15 am, Tinobee tino...@googlemail.com wrote: hi ed, as i already stated 2 times i used urlencoding. i wanted to prevent my tweets looking like this http%3A%2F%2Fwww%2Fmydomain%2F.xyz %2Findex.php%3Fkey1%3Dvalue1%26key2%3Dvalue2%26%3Dvalue3 . this looks pretty ugly. i am basically wondering why there isn't a solution to wrap these ugly urls like hrefs in html using a title for the link name and <a></a> tags to wrap!? regards, tino On 17 Jan., 04:19, Ed Costello epcoste...@gmail.com wrote: Are you absolutely certain that the entire URL is being posted to twitter? Is it possible that some filter is interpreting the “&” character and stripping off the remaining URL before you post it to twitter? Do you have a log of what is being transmitted to twitter? Are you transmitting through any proxies which could potentially be stripping the data off? Is twitter the only site with which this problem is occurring? I can’t reproduce the problem, including posting the URL you listed, but I am URL encoding “&” to “%26”. By definition (see http://apiwiki.twitter.com/Things-Every-Developer-Should-Know#5Parame...) tweets are supposed to be URL encoded before transmitting to twitter, so I don’t understand what you mean by URL encoding. If you want the “&” to have meaning within your tweet (regardless of whether it’s in a URL or just text), you MUST convert it to %26 otherwise it will appear to twitter as a variable on par with source, geo, status and in_reply_to_status_id. If you are not URL encoding the tweet then start doing so.
-- -ed costello-
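The three ways of sending a status that this exchange describes, as an added example (Python, not code from any poster): the raw body, the pre-encoded URL that then gets encoded again, and the whole status encoded once. The link and the helper names are constructed, and `parse_qs` stands in for a form-decoding endpoint; that the real API decodes exactly this way is an assumption.

```python
from urllib.parse import parse_qs, quote, urlencode

# Constructed link with two query parameters, as in the problem described above.
LINK = "http://www.example.invalid/index.php?key1=value1&key2=value2"


def body_unencoded(text, link):
    """Status pasted into the POST body with no encoding at all."""
    return "status=" + text + " " + link


def body_double_encoded(text, link):
    """URL encoded by the caller first, then the send routine encodes it again."""
    return urlencode({"status": text + " " + quote(link, safe="")})


def body_encoded_once(text, link):
    """Build the plain status, then encode the whole thing exactly once."""
    return urlencode({"status": text + " " + link})


def as_seen_by_endpoint(body):
    """Decode a form body once; return the status and any other fields created."""
    fields = parse_qs(body, keep_blank_values=True)
    status = fields.get("status", [""])[0]
    extra = sorted(name for name in fields if name != "status")
    return status, extra


def compare(text="Look at", link=LINK):
    return {
        "unencoded": as_seen_by_endpoint(body_unencoded(text, link)),
        "double": as_seen_by_endpoint(body_double_encoded(text, link)),
        "once": as_seen_by_endpoint(body_encoded_once(text, link)),
    }


if __name__ == "__main__":
    for name, (status, extra) in compare().items():
        print(f"{name:10} status={status!r} extra_fields={extra}")
```

In the unencoded case everything after the first `&` leaves the status and becomes a separate request field, which is how text inside a tweet can end up being read as an API parameter.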
Re: [twitter-dev] Re: Anyone using phirehose?
Our client would make even less sense to you then. It's written in Scala! On Sun, Jan 17, 2010 at 9:56 PM, M. Edward (Ed) Borasky zzn...@gmail.comwrote: As an aside, could Twitter release the streaming client they use under some open source license, so we can use it as a prototype? I took a look at the one Tom May of Gist wrote using Apache HttpClient and it didn't make much sense to me - it was importing a bunch of Java libraries and I'm not a Java programmer. On Jan 16, 10:18 pm, John Kalucki j...@twitter.com wrote: Given a reasonable stack, it shouldn't be all that hard to build something robust. Our internal streaming client, which transits every tweet that you see on the streaming api, seems to work just fine through various forms of abuse, and it's, roughly, a few hundred lines wrapped around Apache httpclient. On the other hand, I suspect that dependability is all but impossible on some stacks, or will require some heroism on the part of a library developer. As a community, we need clients that trivially allow robustness in a variety of stacks. We'll get there soon enough. On Sat, Jan 16, 2010 at 10:05 PM, M. Edward (Ed) Borasky zzn...@gmail.comwrote: On Jan 16, 7:28 pm, John Kalucki j...@twitter.com wrote: I'd strongly suggest consuming the Streaming API only from persistent processes that write into some form of durable asynchronous queue (of any type) for your application to consume. Running curl periodically is unlikely to be a robust solution. Select one of the existing Streaming API clients out there and wrap it in a durable process. Write to rotated log files, a message queue, or whatever other mechanism that you choose, to buffer the arrival of new statuses before consumption by your application. This will allow you to restart your application at will without data loss. I don't know that there are any open source libraries out there yet that are robust enough to do that. 
At the moment, I'm working exclusively in Perl, and AnyEvent::Twitter::Stream seems to be the only Perl Streaming API consumer with any kind of mileage on it. As you point out, real-time programming for robustness is a non-trivial exercise. It would be nice if someone would build a C library and SWIG .i files. ;-) -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Using OAuth keys in an open source application
* Isaiah Carew isa...@me.com [100118 19:02]: If every person that uses an app accesses the API with their own personal app credentials that would mean the app would appear to Twitter as hundreds, or potentially thousands, of individual applications. One goal of application registration is to control application privileges en masse. So that when malware is found its privileges can be revoked quickly. Or even in the more banal case: an app doing something taxing to the API. The privileges could be revoked/modified until the problem was fixed and then reenabled -- all while the users are blissfully unaware. If each person who uses an app registers it themselves then Twitter no longer has the ability to monitor the app as a whole, essentially crippling one of OAuth's most compelling reasons for being. Hopefully twitter suspends user accounts, not application access, when malicious activity is detected. Otherwise, all desktop apps, whether closed or open source, are vulnerable. It isn't difficult to extract the consumer key and secret from any desktop application that ships with them and use them in malicious code. Registering a consumer key/secret for every instance of a desktop application seems like an unreasonable requirement to place on users. So, I agree that isn't the solution. I certainly want to see the user count on my OAuth apps page for the desktop apps I release. Per user consumer keys not only prevent Twitter from application tracking, they also prevent the application developer from tracking it as well. Consider the consumer key and secret public for desktop apps. They are. -Marc
Re: [twitter-dev] Re: Streaming API
You can request access by emailing api at twitter dot com. 2010/1/17 hide pinarello.mar...@gmail.com Hi, I also want Gardenhose access level. Please let me know email address to get EULA. On Dec 28, 2009, 12:00 pm, John Kalucki j...@twitter.com wrote: All Twitter accounts have access to the Spritzer access level on /1/statuses/sample.format. The Gardenhose rate increases the flow on that same resource by about three times. You have to agree to a EULA. Email a...@twitter.com to get started. -John Kalucki http://twitter.com/jkalucki Services, Twitter Inc. On Sun, Dec 27, 2009 at 11:14 AM, Arunachalam arunachala...@gmail.com wrote: Hi, The webpage http://apiwiki.twitter.com/Streaming-API-Documentation specifies The *Gardenhose* access level provides a proportion more suitable for *data mining and research applications* that desire a larger proportion to be statistically significant sample. Please let me know how to get the access for the Gardenhose API and also usage of Gardenhose feeds which is not mentioned in that webpage. Is it possible to access the Gardenhose API after getting the access rights using http://stream.twitter.com/1/statuses/gradenhose.json? Cheers, Arunachalam
Re: [twitter-dev] Using OAuth keys in an open source application
The consumer secret is not public. The consumer key can be seen in the query parameters, but the consumer secret is not a query parameter. It would have to be reverse engineered using the signature. If twitter determines that a specific application is malware, I would only hope that they would blacklist the app. Ryan Sent from my DROID On Jan 18, 2010 10:45 PM, Marc Mims marc.m...@gmail.com wrote: * Isaiah Carew isa...@me.com [100118 19:02]: If every person that uses an app accesses the API with their own personal app credentials that wou... Hopefully twitter suspends user accounts, not application access, when malicious activity is detected. Otherwise, all desktop apps, whether closed or open source, are vulnerable. It isn't difficult to extract the consumer key and secret from any desktop application that ships with them and use them in malicious code. Registering a consumer key/secret for every instance of a desktop application seems like an unreasonable requirement to place on users. So, I agree that isn't the solution. I certainly want to see the user count on my OAuth apps page for the desktop apps I release. Per user consumer keys not only prevent Twitter from application tracking, they also prevent the application developer from tracking it as well. Consider the consumer key and secret public for desktop apps. They are. -Marc
Re: [twitter-dev] Streaming API Basics ...
1) The sample resource returns a sampled stream, best for statistical analysis and the like. The filtered resource returns a stream filtered by the supplied predicates. You will mostly be using the filtered resource. 2) Retweets can be found with the follow parameter. See http://apiwiki.twitter.com/Streaming-API-Documentation#follow. Mentions are best found by using track on the account name. So, track jkalucki and you'll see all tweets with jkalucki or @jkalucki in the text. Assume that you need to do post processing on the stream. 3) You should have two accounts (and thus streams) at elevated access levels, one for follow and one for track, that perform the bulk of your work. You should also use two accounts at default access level for follow and track to find recent deltas without disrupting your main streams too often. Once the default streams are full, you'll have to cycle the main streams. 4) I don't understand your question. In some cases you'll need to fall back to the REST API to populate history before transitioning to the Streaming API. In other cases you can just use the maximum supported count parameter for your access level (note that track never supports count) and deduplicate the results. 5) You can use the geo tag feature, but the volume is so low. We don't have a feature in the Streaming API that allows selecting statuses by the self-reported profile information yet. -John Kalucki http://twitter.com/jkalucki Infrastructure, Twitter Inc. On Sat, Jan 16, 2010 at 12:11 AM, Twitter-Developer alamshe...@gmail.com wrote: Dear Experts, Well I have been developing Twitter application for quite a long now and has been using Twitter Search API for my goals. Here is my business overview: I have subscribers over 20K. Have their profiles containing their interests keywords, location and other geographic information. I use oAuth for authentication and then get following information for each subscriber. 1. Mentions (Cache each mention locally) 2. 
Retweets (Cache each retweet locally) 3. Search tweets for subscriber interests using their keywords etc and location. All these activities are being performed periodically, where I use sinceId to fetch mentions, retweets, so that I may have historical data and do not lose any mention or retweet of the user. Now I have read the API documentation and can see Streaming API is the most recommended API by twitter. I want to convert my application to use Streaming API. So as I see, with the default access level, I can subscribe to statuses/sample or statuses/filter method using any of my account (using basic authentication) and can fetch whatever I want, as the nature of API is event based, this is definitely going to be fast. Here are few questions though: 1. What is the difference between sample and filter method? When to use which? 2. What is best approach to get the retweets and mentions? Is it tracking my subscribers' screen names or just specify their user ids in follow predicate? 3: If I have 20,000 subscribers, that means, I have at least 20,000 screen names to track or follow and suppose I have 3 keywords for each subscriber on average, that makes it 60,000 keywords to track as well, how to manage this? 4: If any of the subscriber changes location or keywords, I have to reconnect to update the predicates. right? I have read the documentation and can follow the best practices. However I am unable to understand the count variable logic. I want to see if any of the mentions or retweets is missing in my storage, what's the best approach to get it back? 5: How to track or follow based on users' location? So basically I am confused :) Any recommendations to move from here or quick answers to above will help. I'll be grateful for any help. Regards, Alam Sher
Re: [twitter-dev] Best practice - Stream API into a FILE or MySQL or neither?
Writing directly into the database ensures data loss during any sort of database maintenance, performance degradation, or outage. Writing first to a log file (or other asynchronous queueing mechanism) allows for considerable operational flexibility. The wiki sketches the recommended architecture. -John Kalucki http://twitter.com/jkalucki Infrastructure, Twitter Inc. On Sat, Jan 16, 2010 at 10:13 AM, GeorgeMedia georgeme...@gmail.com wrote: Just looking for thoughts on this. I am consuming the gardenhose via a php app on my web server. So far so good. The script simply creates a new file every X amount of time and starts feeding the stream into it so I get a continuous stream of fresh data and I can delete old data via cron. I plan to access the stream (files) with separate processes for further json parsing and data mining. But then that got me to thinking about simply feeding the data into a MySQL database for easier data manipulation and indexing. Would that cause a more stressful server load with the constant INSERT queries vs a process just dumping the data into a file [ via PHP fputs() ] that is perpetually open? What about simply running the php process and accessing the stream directly? Only grabbing a snapshot of the data when a process needs it? I'm not really concerned with historical data as my web based app is more focused on trends at a given moment. Just wondering out loud if simply letting the process run in the background grabbing data would eventually fill up any caches or system memory.
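The log-file-first arrangement recommended in the reply above, as an added example that is not code from the thread or from Twitter: the stream process only appends to rotated spool files, and a separate loader feeds closed files to the database. The class, function and file names are assumptions, and the statuses are constructed.

```python
import json
import os
import tempfile
import time


class Spool:
    """Stream side: append raw statuses to time-rotated files; never touches the DB."""
    def __init__(self, directory, rotate_seconds=60, clock=time.time):
        self.directory, self.rotate_seconds, self.clock = directory, rotate_seconds, clock
        self.fh, self.path, self.opened_at, self.seq = None, None, 0.0, 0

    def write(self, raw_line):
        if self.fh is None or self.clock() - self.opened_at >= self.rotate_seconds:
            self.close()
            self.seq += 1
            self.opened_at = self.clock()
            name = "spool-%013d-%06d.open" % (int(self.opened_at * 1000), self.seq)
            self.path = os.path.join(self.directory, name)
            self.fh = open(self.path, "a", encoding="utf-8")
        self.fh.write(raw_line.rstrip("\r\n") + "\n")
        self.fh.flush()

    def close(self):
        """Close the current file and hand it to the loader by renaming it."""
        if self.fh is not None:
            self.fh.close()
            os.rename(self.path, self.path[:-5] + ".ready")
            self.fh = None


def drain(directory, handle):
    """Loader side: a file is deleted only after handle() accepted every status in it."""
    done = skipped = 0
    for name in sorted(n for n in os.listdir(directory) if n.endswith(".ready")):
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                if not line.strip():
                    continue  # keep-alive newline
                try:
                    status = json.loads(line)
                except ValueError:
                    skipped += 1  # truncated or malformed line
                    continue
                handle(status)  # may raise; the file is then replayed, so keep it idempotent
                done += 1
        os.remove(path)
    return done, skipped


def demo():
    """Constructed run: three statuses arrive while the database is down."""
    directory, now = tempfile.mkdtemp(), [1000.0]
    spool = Spool(directory, rotate_seconds=60, clock=lambda: now[0])
    for line in ('{"id": 1}', '{"id": 2}', ""):  # "" stands for a keep-alive
        spool.write(line)
    now[0] += 61  # the next write rotates to a second file
    spool.write('{"id": 3}')
    spool.close()
    def db_down(status):
        raise ConnectionError("database maintenance")
    try:
        drain(directory, db_down)
    except ConnectionError:
        pass
    stored = {}
    counts = drain(directory, lambda s: stored.update({s["id"]: s}))
    return sorted(stored), counts, os.listdir(directory)
```

Because a failed file is replayed from its first line, the loader's insert should be keyed on the status id so that a replay does not create duplicates.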
Re: [twitter-dev] Re: Using OAuth keys in an open source application
On Mon, Jan 18, 2010 at 19:57, Marc Mims marc.m...@gmail.com wrote: That isn't reasonable. If my desktop app has 10,000 users, and one user extracts and uses the consumer key pair, regenerating a new pair and distributing them is a huge burden on the developer and the 9,999 other users. And that single malicious user will have the new pair extracted and in use before you can finish pushing out the update. If rolling out a new update is a burden on you and your user you are doing it wrong. http://code.google.com/p/omaha/ -- Abraham Williams | Moved to Seattle | May cause email delays Project | Intersect | http://intersect.labs.poseurtech.com Hacker | http://abrah.am | http://twitter.com/abraham This email is: [ ] shareable [x] ask first [ ] private. Sent from Seattle, WA, United States
Re: [twitter-dev] Re: Using OAuth keys in an open source application
On 1/18/2010 8:57 PM, Marc Mims wrote: * John Meyer john.l.me...@gmail.com [100118 19:38]: But you still control your own keys. If you find that somebody has compromised your program, you can revoke those consumer keys through twitter and regenerate them. That isn't reasonable. If my desktop app has 10,000 users, and one user extracts and uses the consumer key pair, regenerating a new pair and distributing them is a huge burden on the developer and the 9,999 other users. And that single malicious user will have the new pair extracted and in use before you can finish pushing out the update. Like I said earlier, Twitter needs to revoke access for malicious activity per user, not per app. Which would probably have its own feasibility problems. If I'm a malware producer, for instance, I'm not just going to compromise one user account with one consumer keypair. I'm going to compromise ten thousand users.
Re: [twitter-dev] Using OAuth keys in an open source application
* ryan alford ryanalford...@gmail.com [100118 20:01]: The consumer secret is not public. The consumer key can be seen in the query parameters, but the consumer secret is not a query parameter. It would have to be reverse engineered using the signature. If twitter determines that a specific application is malware, I would only hope that they would blacklist the app. Point is, reverse engineering it is easy. It isn't in the query parameters, but it is required to sign the request. So, stepping into the signature code in a debugger will expose it. The consumer key pair might as well be considered public for desktop apps. Calling it secret doesn't make it secret. If the only solution to the problem is requiring each user to register their own consumer key pair, then Twitter can't shut down a malware application. Each user will appear to have a different app. That defeats the whole purpose. -Marc
Re: [twitter-dev] Re: Using OAuth keys in an open source application
* Abraham Williams 4bra...@gmail.com [100118 20:10]: If rolling out a new update is a burden on you and your user you are doing it wrong. http://code.google.com/p/omaha/ Rolling out a new version because someone compromised the consumer key pair is a burden. Are you prepared to roll out a new version every few minutes? -Marc
Re: [twitter-dev] Re: Using OAuth keys in an open source application
* John Meyer john.l.me...@gmail.com [100118 20:12]: Which would probably have its own feasibility problems. If I'm a malware producer, for instance, I'm not just going to compromise one user account with one consumer keypair. I'm going to compromise ten thousand users. That's the beauty of OAuth. Even if you know the consumer key pair, it's worthless without user access tokens. So, the bad guy can't exploit the entire app's user base. Which is why I think Twitter should not disable apps when they see malicious activity. They should disable user accounts. -Marc
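The two points made in the messages above (the consumer secret is needed to sign a request but is not a request parameter, and the consumer pair alone does not yield a valid request for any user) shown with OAuth 1.0a HMAC-SHA1 signing, as an added example that is not code from the thread or from Twitter. The host, credentials and function names are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed values, not real credentials; the host is a placeholder.
URL = "https://api.example.test/1/statuses/update.json"
CONSUMER = ("app-key-constructed", "app-secret-constructed")
ALICE = ("alice-token-constructed", "alice-token-secret-constructed")
CONSUMER_SECRETS = {CONSUMER[0]: CONSUMER[1]}  # the provider's own records
TOKEN_SECRETS = {ALICE[0]: ALICE[1]}


def pct(value):
    """Percent-encode as OAuth 1.0a requires (only RFC 3986 unreserved kept)."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    # Both secrets form the HMAC key; neither is ever sent as a parameter.
    key = pct(consumer_secret) + "&" + pct(token_secret)
    text = base_string(method, url, params)
    mac = hmac.new(key.encode(), text.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(method, url, api_params, consumer, token, nonce, timestamp):
    """Client side; consumer and token are (public identifier, secret) pairs."""
    params = dict(api_params)
    params.update(oauth_consumer_key=consumer[0], oauth_token=token[0],
                  oauth_nonce=nonce, oauth_timestamp=timestamp,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0")
    params["oauth_signature"] = sign(method, url, params, consumer[1], token[1])
    return params


def verify(method, url, received, consumer_secrets, token_secrets):
    """Provider side: look both secrets up by the identifiers sent in the clear.
    Nonce and timestamp replay checks are left out of this example."""
    params = dict(received)
    claimed = params.pop("oauth_signature")
    expected = sign(method, url, params,
                    consumer_secrets[params["oauth_consumer_key"]],
                    token_secrets[params["oauth_token"]])
    return hmac.compare_digest(claimed, expected)


def demo():
    body = {"status": "constructed status text"}
    good = build_request("POST", URL, body, CONSUMER, ALICE, "n1", "1263873600")
    # Same consumer pair, but no access token secret for Alice: only a guess.
    guess = build_request("POST", URL, body, CONSUMER, (ALICE[0], "guess"),
                          "n2", "1263873601")
    return {
        "valid": verify("POST", URL, good, CONSUMER_SECRETS, TOKEN_SECRETS),
        "secret_in_request": bool({CONSUMER[1], ALICE[1]} & set(good.values())),
        "accepted_without_token_secret":
            verify("POST", URL, guess, CONSUMER_SECRETS, TOKEN_SECRETS),
    }
```

The client must hold the consumer secret in memory to compute the key in `sign`, which is why a secret shipped inside a desktop binary identifies the application rather than authenticating it.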
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Who said that was even an option? I haven't seen one person who said that requiring every user to create their own consumer keys to use with an application was an option. The only reason that is even in this discussion is because somebody misinterpreted an answer and that's what they thought was meant. I have never seen one person from twitter even come close to suggesting this as an option. Raffi's answer in the third post was under the impression that the OP was referring to releasing his consumer keys as part of his open source code for others to download his CODE and use for their own applications. This is what Raffi was referring to when he said to use a configuration file to store the consumer keys and have a README file for the end user. The end user being the developer that downloaded the code. Ryan Sent from my DROID On Jan 18, 2010 11:53 PM, Marc Mims marc.m...@gmail.com wrote: * Abraham Williams 4bra...@gmail.com [100118 20:10]: If rolling out a new update is a burden on you and your user you are doing it wrong. http://code... Rolling out a new version because someone compromised the consumer key pair is a burden. Are you prepared to roll out a new version every few minutes? -Marc
Re: [twitter-dev] Re: Using OAuth keys in an open source application
* ryan alford ryanalford...@gmail.com [100118 21:03]: Who said that was even an option? I haven't seen one person who said that requiring every user to create their own consumer keys to use with an application was an option. The only reason that is even in this discussion is because somebody misinterpreted an answer and that's what they thought was meant. I have never seen one person from twitter even come close to suggesting this as an option. Perhaps I misunderstood this: * John Meyer john.l.me...@gmail.com [100118 10:24]: Something like that. Ideally, what I would do is configure the app so that if the consumerkeys (both secret and non) are not present, the user is directed to a screen to input those for themselves (with maybe a helpful link to get them in the first place). And the original poster said he's developing an application, not a library. I may have misunderstood him, as well. My comments in this thread have simply been pointing out that for a desktop application, distributed to end users, the consumer key pair cannot be kept secret. Therefore, disabling an application because of inappropriate use is---well---inappropriate. The user account should be disabled, leaving the vast majority of (hopefully) well behaved users unaffected. -Marc
Re: [twitter-dev] Using OAuth keys in an open source application
ryan alford wrote: PHP as in web-based? Why wouldn't the user just login to the website? Ryan Yes, it's open source software that users run on their own servers. It is *not* a hosted service (if it was, it'd be fine). -- Ryan McCue http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
John Meyer wrote: No, the point I was trying to make was that you don't HAVE to distribute the key. Nothing in the open source license requires you to give that information to another person. You can distribute it if you want to, but you are perfectly free to give them the source code and tell them that if they want it to work they need to go get their own consumer keypair. In short, once you are done unit testing the product you can delete out those variables and tell them where to fill in their own information. Nothing in the open source license requires you to give that information anymore than it requires you to publicize what the root password on your mysql database server is. I'm aware of this, but the point is that it should actually work. This is made for end-users, not for developers to modify, and I'd rather not have everyone register separate API keys just to use it. -- Ryan McCue http://ryanmccue.info/
RE: [twitter-dev] @ Message read rate for non-followers
Further to this, I think Abir has raised a subject that gets little attention on this list, user behaviour. It is relevant as we must take it into account as we design our apps. My initial response to the OP was of course facetious. If a message arrives in my timeline I will read it, which is why spam must be dealt with mercilessly by Twitter. As another poster pointed out recently, keyword based fake @replies are a violation of Twitter TOS. As with email spam, this should apply equally to automated and manually composed messages. But it would be interesting to know more about the behaviour of different types of Twitter users and for this one would first need to establish a typology of users. I suggest two broad categories, readers and writers, and maybe a third category that would include those engaged in massive mutual following. Users who follow thousands of accounts can't possibly be reading much of their streams, and may not be writing much either. As a writer I tend to regard members of this group (those that are human) as disoriented, and focus my attention on followers who are following reasonable numbers of accounts. As for the effectiveness of 'targeting' users by keywords, I've seen a clever implementation lately whereby I was followed by a fully automated (or possibly, 'curated') account that was just amassing followers based on keyword. Checking out their website one finds thousands of similar keyword-based accounts, a big system. Evidently the intention is that you should follow them and click on a link or whatever. It was almost credible, I'll hand them that, but could not withstand any real scrutiny. Still, plenty of high quality accounts had followed them back. What can you all say about user behaviour that you have observed? 
From: and...@badera.us Date: Mon, 18 Jan 2010 04:59:56 -0500 Subject: Re: [twitter-dev] @ Message read rate for non-followers To: twitter-development-talk@googlegroups.com On Mon, Jan 18, 2010 at 3:00 AM, Ken Dobruskin k...@cimas.ch wrote: Zero percent, and report for spam. Date: Sun, 17 Jan 2010 22:13:33 -0800 Subject: [twitter-dev] @ Message read rate for non-followers From: abstar...@gmail.com To: twitter-development-talk@googlegroups.com Hey Guys, Do you know what % of people read @ messages if you are not a follower + targeting them based on keywords or search api's? Thanks, Abir ++ to reporting as spam. ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera