[twitter-dev] Re: How you are notified of whitelisting status
You get notification in the form of a DM to the account you applied for whitelisting with. In my experience it takes anything from 2 days to over a week, depending on how much DDoS Twitter is under at the time.

On Aug 21, 5:40 pm, Neicole neic...@trustneicole.com wrote:
We applied for whitelisting this past weekend and haven't heard a peep, or a tweet. How long does it usually take and how are you notified? Thanks!
[twitter-dev] Re: Accessing Twitter API from UK
There are location-specific trend lists?

On Aug 18, 12:53 am, Carl morningc...@gmail.com wrote:
Hi there, I would like to lookup the top UK trends by accessing the twitter api from US, I don't see a locale parameter as part of the method, any pointers? Thanks
[twitter-dev] Re: oAuth Codeigniter
I use Elliot's library on www.twitlonger.com and it is really easy to work with. Integrates nicely, easy to maintain and, quite frankly, when there's something out there to do the boring bit it's a much better idea to use that than writing your own.

On Aug 14, 7:51 pm, Peter Denton petermden...@gmail.com wrote:
Hello, has anyone integrated oAuth with CodeIgniter? Can you recommend libs? I have seen Elliott Haughin's but had some questions. Any help would be much appreciated. Regards, Peter
[twitter-dev] Re: Cease Desist from Twitter
LOL, problems are now all sorted, lawyers happy it isn't confusing anymore. Turns out that he thought there was a big grey box in it, similar to the new Twitter front page, but only because he was using IE6 and I don't bother applying any transparent png fixes :)

On Aug 14, 3:16 am, Zac Bowling zbowl...@gmail.com wrote:
Wow. Twitter's legal team thinks twitter owns blue backgrounds. Hehe. Sent from my iPhone

On Aug 13, 2009, at 3:32 PM, Twitlonger stu...@abovetheinternet.org wrote:
I recently got a letter by email from a UK law firm representing Twitter claiming that my website www.twitlonger.com was infringing on their trade mark and was inherently likely to confuse users. The version of the website they were objecting to didn't have a similar font but did use the same birds as the old version of the site (fair enough to be asked to remove them). The timing coincided with a redesign of the site anyway which went live this week. I emailed them back pointing this out and then ended up on the phone with them with the claim being that the site as it stands now could still be seen as potentially confusing. I want to know how different they expect a site to be (especially when it doesn't even include the full word twitter in the name). Compare this to Twitpic, Twitvid etc who are using the same contraction AND the same typeface. This feels so much like a legal department doing stuff that is completely contrary to the Twitter team who have been so supportive of the third party community. Of course, all these applications have been granted access to be listed in the posted from field in the tweets, been granted special access to the API via whitelisting which requires the application to be named and described and, in many cases, been registered with OAuth, again requiring the name and description of the app. Has anyone else received similar letters where they have no problem with the service but can't seem to tell the difference between two sites if blue is present in each? :(

Letter copied below.
---
TWITTER - Trade Mark and Website Presentation Issues

We act for Twitter, Inc. in relation to intellectual property issues in the UK. Twitter has asked us to contact you about your www.twitlonger.com website (the "Website"). Twitter has no objection to the service which you are offering on the Website. However, Twitter does need you to make certain changes to the Website. We have set out the reasons below.

Your Website

Twitter owns a number of registrations for its TWITTER trade mark, including Community trade mark registration number 6392997. Your use of a name for the Website which is based on the TWITTER trade mark is inherently likely to confuse users of the www.twitter.com website into thinking that the Website is owned or operated by Twitter, when this is not the case. You are using a font on your Website which is very similar to that used by Twitter for its TWITTER logo. You have no doubt chosen to use this font for this very reason. You are also using a blue background and representations of blue birds. These blue birds are identical to those which Twitter has previously used on the www.twitter.com website. The combination of these factors and the name of your Website inevitably increase the likelihood of confusion.

We therefore ask you to confirm that you will, within seven days of giving the confirmation:
1. incorporate a prominent non-affiliation disclaimer on all pages of the Website;
2. permanently stop any use on the Website of a font which is identical or similar to the font used by Twitter for its TWITTER logo; and
3. permanently stop any use on the Website of (i) representations of blue birds which are identical or similar to the blue bird design previously or currently used by Twitter on the www.twitter.com website; and (ii) a blue background.
[twitter-dev] Re: Cease Desist from Twitter
Yep. I'm at the stage now for personal projects (and clients if they are cool with it) that I'm just not worrying anymore about IE6. Twitlonger runs about 3% IE6 so it's just not worth degrading the experience for the people with decent browsers to make exceptions for those living in the past. Out of curiosity, have you tried the Unit PNG fix to deal with IE6? Interested to know if you did and it didn't work out for you.

On Aug 14, 12:18 pm, Andrew Badera and...@badera.us wrote:
On Fri, Aug 14, 2009 at 7:16 AM, Goblin stu...@abovetheinternet.org wrote:
LOL, problems are now all sorted, lawyers happy it isn't confusing anymore.

friggin IE6. Had to GIF some PNGs recently myself.

∞ Andy Badera
∞ This email is: [ ] bloggable [x] ask first [ ] private
∞ Google me: http://www.google.com/search?q=(andrew+badera)+OR+(andy+badera)
[twitter-dev] Re: Cease Desist from Twitter
Nice little footnote to the story, got this email from Jillian at Twitter which has made me feel all warm and fuzzy:

Hey Stuart, Thanks for bringing this to our attention and for reaching out. Our Platform team should be communicating our goals (in relation to CDs, and why they're sent) to the Developer community soon, but I just wanted to thank you for making those changes to your site and let you know that our intentions were never to be pushy. Things sometimes get lost in translation, and while we wanted to make sure your site was understood as a third party app and not a subset of Twitter, we do understand that your application is great and thank you for your support. Kindest Regards, Jillian (I deal with our TM protection here)

On Aug 14, 6:14 pm, Duane Roelands duane.roela...@gmail.com wrote:
Lots of folks don't understand trademark law. Other folks are mad because they've been asked to stop selling spam-o-trons. I can't fault Twitter for their behavior in this matter.

On Aug 14, 11:42 am, David Fisher tib...@gmail.com wrote:
How are some of you failing to see the difference between "Powered by Twitter" being something they want you to do and http://TwitterApplication.com is something they don't want you to do? Why don't they want the latter? Because someone with the email of adultsexdatin...@googlemail.com registered the domain. Not exactly the type of company that Twitter wants to associate itself with. Yet, for applications and sites that DO comply with the ToS, they want an attribution and link back to their site. Aren't some of you self proclaimed SEO/Marketing experts? Everyone wants links back to their site, including Twitter. Making a logo downloadable doesn't mean either that they want you to use it, or their font on your website when doing your own branding. Some people here are confused. dave
[twitter-dev] Re: Cease Desist from Twitter
To be fair, the new version mostly seemed to please the guy I was on the phone with, but I got the impression he was shooting from the hip when he said that I would probably need to change the blue in the logo. It just seems weird that we spend two or three years building sites with the twit/tweet theme running so it is clear they are add-ons to Twitter and *then* the lawyers decide to get antsy. I know Twitter is in the position that if they don't act to protect their trademarks they can lose them, but it would be nice if we were told a few months back "Look guys, we're going to need to start enforcing trademark stuff. It might be a hassle for you so we're giving you a heads up." It would be nice to hear from the horse's mouth if all the twit*/twitter* apps were to use tweet instead, would that sort the issue out. I have www.tweetlonger.com (and @tweetlonger) so it would be reasonably trivial to migrate over to the new domain if that would sort things out. The before page wasn't really potentially confusing, especially since I designed it, resulting in it looking like a 4 year old had been let loose with MS Paint, but you'd have to be pretty confused to think the new one and the Twitter homepage are the same people.

On Aug 14, 12:28 am, Neil Ellis neilellis1...@googlemail.com wrote:
Man that's sad, your website is unmistakable and there is no doubt you are not Twitter. It sounds like it was potentially confusing before. Hmmm... outsourcing trademark checking seems to have pitfalls (i.e. eating into company goodwill). It makes you really stop and think about building a business around someone's API doesn't it - that's what we're doing right now, but it encourages me to diversify pretty darn fast. I suppose it was naive of me not to consider just how much you can be beholden to the API owner in the first place. It doesn't put me off working with Twitter, but it does make me want to get some more baskets for these eggs :-) Thanks for letting us know your situation and good luck. All the best, Neil

On 13 Aug 2009, at 23:32, Twitlonger wrote:
I recently got a letter by email from a UK law firm representing Twitter claiming that my website www.twitlonger.com was infringing on their trade mark and was inherently likely to confuse users. The version of the website they were objecting to didn't have a similar font but did use the same birds as the old version of the site (fair enough to be asked to remove them). The timing coincided with a redesign of the site anyway which went live this week. I emailed them back pointing this out and then ended up on the phone with them with the claim being that the site as it stands now could still be seen as potentially confusing. I want to know how different they expect a site to be (especially when it doesn't even include the full word twitter in the name). Compare this to Twitpic, Twitvid etc who are using the same contraction AND the same typeface. This feels so much like a legal department doing stuff that is completely contrary to the Twitter team who have been so supportive of the third party community. Of course, all these applications have been granted access to be listed in the posted from field in the tweets, been granted special access to the API via whitelisting which requires the application to be named and described and, in many cases, been registered with OAuth, again requiring the name and description of the app. Has anyone else received similar letters where they have no problem with the service but can't seem to tell the difference between two sites if blue is present in each? :(

Letter copied below.
---
TWITTER - Trade Mark and Website Presentation Issues

We act for Twitter, Inc. in relation to intellectual property issues in the UK. Twitter has asked us to contact you about your www.twitlonger.com website (the "Website"). Twitter has no objection to the service which you are offering on the Website. However, Twitter does need you to make certain changes to the Website. We have set out the reasons below.

Your Website

Twitter owns a number of registrations for its TWITTER trade mark, including Community trade mark registration number 6392997. Your use of a name for the Website which is based on the TWITTER trade mark is inherently likely to confuse users of the www.twitter.com website into thinking that the Website is owned or operated by Twitter, when this is not the case. You are using a font on your Website which is very similar to that used by Twitter for its TWITTER logo. You have no doubt chosen to use this font for this very reason. You are also using a blue background and representations of blue birds. These blue birds are identical to those which Twitter has previously used on the www.twitter.com website. The combination of these factors and the name of your Website inevitably increase the likelihood of
[twitter-dev] Re: Cease Desist from Twitter
I think the blog post actually makes things more confusing: "Regarding the use of the word Twitter in projects, we are a bit more wary although there are some exceptions here as well." So, what are these exceptions? Does it come down to the projects @ev and @biz particularly like? What if it's twit*** which obviously isn't using their trademark but uses the same base (heck, by that logic @leolaporte should be on my case)? It would seem odd that mine is the only site to have received a letter. If the primary concern was the twitter bird then why is the new version an issue? When I was on the phone I think he said he was waiting to hear back from California, so there is more than a passing chance that it was personal opinion of a guy in London instead of Twitter's own people. As has been said, some proper clarification and a bit more transparency with the community would go a really long way here (although are Twitter now at the stage they can't comment on legal matters until the lawyers check things over?)

On Aug 14, 12:59 am, Dewald Pretorius dpr...@gmail.com wrote:
On Aug 13, 8:44 pm, Goblin stu...@abovetheinternet.org wrote:
It would be nice to hear from the horse's mouth if all the twit*/twitter* apps were to use tweet instead, would that sort the issue out.

Doesn't this blog post [1] from the big horse's mouth already settle that question?
[1] http://blog.twitter.com/2009/07/may-tweets-be-with-you.html

It is also interesting that Biz wrote favorable blog posts about TwitterCounter [2] and Twitterific [3]. Wonder how that will impact anything, if at all.
[2] http://blog.twitter.com/2008/07/follower-stats-by-twittercounter.html
[3] http://blog.twitter.com/2008/06/congratulations-twitterrific.html
Dewald
[twitter-dev] Re: Cease Desist from Twitter
Yeah, I think it's a pretty easy going CD, but I don't really want to keep making tiny changes and have a lawyer hhmm and ahh to decide if it's not potentially confusing. If Twitter came out and said they were going to have to ask everyone to stop using twit in application names and move to tweet then at least we'd know where we stand. It's the ambiguity over it all, not to mention the dozens of websites in a similar position to mine that have a look and feel way closer to Twitter (past or present). www.twitterholic.com is my favourite: "Styles ripped directly, and we mean directly, from Twitter.com." At this rate, the only app not needing to change its name will be Seesmic :)

On Aug 14, 1:14 am, Neil Ellis neilellis1...@googlemail.com wrote:
To be fair Goblin, reading the letter they only ask you to make clear you're not affiliated. Not change the domain. However, point taken it's confusing. Take Twitterific's page: http://iconfactory.com/software/twitterrific That bird looks familiar and the blue and there is no disclaimer. I keep wanting to apply everyday logic, but in the legal world it just seems to go out of the window :-) Now I really must do some coding :-)

On 14 Aug 2009, at 01:08, Goblin wrote:
I think the blog post actually makes things more confusing: "Regarding the use of the word Twitter in projects, we are a bit more wary although there are some exceptions here as well." So, what are these exceptions? Does it come down to the projects @ev and @biz particularly like? What if it's twit*** which obviously isn't using their trademark but uses the same base (heck, by that logic @leolaporte should be on my case)? It would seem odd that mine is the only site to have received a letter. If the primary concern was the twitter bird then why is the new version an issue? When I was on the phone I think he said he was waiting to hear back from California, so there is more than a passing chance that it was personal opinion of a guy in London instead of Twitter's own people. As has been said, some proper clarification and a bit more transparency with the community would go a really long way here (although are Twitter now at the stage they can't comment on legal matters until the lawyers check things over?)

On Aug 14, 12:59 am, Dewald Pretorius dpr...@gmail.com wrote:
On Aug 13, 8:44 pm, Goblin stu...@abovetheinternet.org wrote:
It would be nice to hear from the horse's mouth if all the twit*/twitter* apps were to use tweet instead, would that sort the issue out.

Doesn't this blog post [1] from the big horse's mouth already settle that question?
[1] http://blog.twitter.com/2009/07/may-tweets-be-with-you.html

It is also interesting that Biz wrote favorable blog posts about TwitterCounter [2] and Twitterific [3]. Wonder how that will impact anything, if at all.
[2] http://blog.twitter.com/2008/07/follower-stats-by-twittercounter.html
[3] http://blog.twitter.com/2008/06/congratulations-twitterrific.html
Dewald
[twitter-dev] Re: FW: Twitter is Suing me!!!
I got a letter from a UK law firm too regarding www.twitlonger.com (which clearly doesn't use the word Twitter). They weren't too draconian in their claims. They want a disclaimer put on the site (fair enough) and for me to stop using the little blue birds (again, fair enough. This is what happens when a stupid weekend project turns into half million uniques a month). What isn't quite as fair is that I have to stop using a font identical or similar to that used in the Twitter logo. I'm using Arial Rounded which is significantly different to the custom font Twitter uses and as common a typeface as you can get, though the colours are similar. This one's the kicker though, they want me to permanently stop use on the website of a blue background. WTF? Twitter now owns blue? I'm about a day away from dropping a redesign anyway, but being told what colours I can use is a bit much. This was all on the same day that they approved my whitelisting :)

On Aug 12, 5:27 am, Jeremy Darling jeremy.darl...@gmail.com wrote:
I really really want to see them backup the tweet trademark. All birds are now being sued by twitter, they can no longer say; tweet tweet LOL. Seems lil twitter grew up and found lawyers. While I don't agree or like the product that Dean sells, I disagree more with the misuse of legal representation by a corporation even more. I remember when MS started this everyone threw stones (and courts threw it out), now twitter starts it and it's OK!? I warn developers to watch their backs, your little cheezy app that uses twitter may bite you in the arse. Of course, I don't see twitter going after the advertising/marketing companies utilizing the API and hitting the service just as many times to mine for data or to use what they mine to target sales. That seems to be a complete and total ethical use of the service, course a few $$ thrown the right direction always does sway a corporation's view of grey.
- Jeremy

On Tue, Aug 11, 2009 at 11:13 PM, jim.renkel james.ren...@gmail.com wrote:
I guess I should have pointed out that my tongue was firmly planted in my cheek when I wrote my previous post. My bad! :-( Dean: I don't mean to make light of your particular situation. Sometimes I just can't not point out absurdities, which the logic I presented clearly is. What I was trying to do, perhaps not too well, is point out that the API TOS may need to be revised to say that developers may use twitter's trademarks, but only in approved ways. BTW, twitter is trademarking tweet as well as twitter. You have been warned! :-) Jim
[twitter-dev] Re: FW: Twitter is Suing me!!!
The question is, are they going to be going after Twitteriffic, Twitterholic, Twitpic, Twitvid, Twittelator, Twitterena, Twitterfon, iTwitter etc? I admit that I was fair game having the blue birds in the backdrop (as I say, it was a stupid project that got traction and the new version is live now anyway), but if Twitter is deciding to take down everyone with Twit in their name then there are going to be some serious issues. I know they have to show they are attempting to protect trademark or risk losing it, but this seems a little heavy handed :(

On Aug 12, 10:54 am, Andrew Badera and...@badera.us wrote:
On Wed, Aug 12, 2009 at 5:52 AM, Rich rhyl...@gmail.com wrote:
I'm not aware of this but this link http://blog.twitter.com/2009/07/may-tweets-be-with-you.html, published only last month says "We have applied to trademark Tweet because it is clearly attached to Twitter from a brand perspective but we have no intention of going after the wonderful applications and services that use the word in their name when associated with Twitter. In fact, we encourage the use of the word Tweet."

Thanks, I'd missed that. I only saw the original, unupdated article that brought up the issue on TechCrunch. Great to know. --ab
[twitter-dev] Re: FW: Twitter is Suing me!!!
Here's a thought, if Twitter has allowed a specific site to have their application name added to the posted from list, is that tacit permission to use the name? They've been happy to show messages as posted from Twitteriffic, which uses their name and, it could be argued, have explicitly allowed this use.

On Aug 12, 4:43 pm, Dossy Shiobara do...@panoptic.com wrote:
On 8/12/09 10:14 AM, Dean Collins wrote:
So has anyone heard from or know any of the other developers? Did they also get an email last night?

IANAL, but, I think the horse has already left the barn for Twitter. Unless someone is building a short-message service called Twitter it's hard to claim dilution here. The few years that Twitter hasn't policed the infringing use of their mark should be reasonable basis for estoppel, too. However, all legal issues aside, they can still shut down third-party services from using their API or otherwise accessing their service, which is probably stronger than the actual legal recourse they may be entitled to.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
[twitter-dev] Re: DDoS Status Update
OAuth is working fine for my site. To be honest, for something that does nothing but interact with Twitter I haven't seen much of a drop in activity.

On Aug 7, 7:28 pm, Rich rhyl...@gmail.com wrote:
Thanks for the update, however PLEASE get oAuth back up and running ASAP please!

On Aug 7, 7:05 pm, Ryan Sarver rsar...@twitter.com wrote:
I wanted to send everyone an update to let you know what has been happening, the known issues, some suggestions on how to resolve them and some idea of how to move forward.

*What's been happening*
As you know all too well Twitter, among other services, has been getting hit pretty hard with a DDoS attack over the past 24+ hours. Yesterday we saw the attack come in a number of waves and from a number of different vectors increasing in intensity along the way. We were able to stabilize our own service for a bit, hence Biz's post saying all was well http://blog.twitter.com/2009/08/update-on-todays-dos-attacks.html, but that didn't mean the attacks had ceased. In fact, at around 3am PST today the attacks intensified to almost 10x of what it was yesterday. In order for us to defend from the attack we have had to put a number of services in place and we know that some of you have gotten caught in the crossfire. Please know we are as frustrated as you are and wish there was more we could have communicated along the way.

*Known Issues*
- *HTTP 300 response codes* - One of the measures in thwarting the onslaught requires that all traffic respect HTTP 30x response codes. This will help us identify the good traffic from the bad.
- *General throttling* - Try to throttle your services back as much as possible for you to continue operating. We are working on our end to better understand the logic used in throttling traffic on the edge of the network and will communicate what we can, but the best idea is to just throttle back as much as you can in the meantime.
- *Streaming API* - as part of the edge throttling we know requests to the Streaming API with lists of keywords or users are getting dropped because the request is too large. We are working to get this filter removed and will update the list when we know more.
- *Unexpected HTTP response codes* - we know people are seeing a lot of other weirdness and we aren't exactly sure what to attribute the various issues to, but know that you aren't alone. As the attacks change our tactics for defense will likely need to change as well, so stay active on the list and let us know what problems you are seeing and we will do our best to help guide you along.

*Moving forward*
We will try to communicate as much as we can so you guys are up to speed as things change and progress. I personally apologize for not communicating more in the meantime but there hasn't been much guidance we have been able to give other than hold tight with us. We fully appreciate all the long hours you are putting in to keep your apps running and supporting your users and know we are frustrated with you. Continue to watch this list, status.twitter.com and @twitterapi for updates.

Thanks for your patience,
Ryan
PM, Platform Team
@rsarver http://twitter.com/rsarver
[twitter-dev] Re: Updating the APIs authentication limiting policy
Alex, is that *not* estimated or was it an iPhone being daft and changing now to not?

On Aug 5, 7:11 pm, Alex Payne a...@twitter.com wrote:
The change did not go live yesterday due to some deploy issues. It's not estimated to go out tomorrow. Once again, sorry for the delay.

On Wed, Aug 5, 2009 at 07:48, Dewald Pretorius dpr...@gmail.com wrote:
Alex, Did the change go live on Tuesday? I have very irate users due to this issue. There are spam bots out there that got hold of users' credentials. The users have changed their Twitter passwords to get rid of the spam tweets published in their timelines, but now those bots are locking them out 24x7 from all apps that use the API.

On Aug 3, 2:56 pm, Alex Payne a...@twitter.com wrote:
The rollback should be deployed tomorrow. Sorry for the delay.

On Sat, Aug 1, 2009 at 23:36, Jesse Stay jesses...@gmail.com wrote:
A timeframe would be very helpful. This is turning out to be a headache as I'm testing. If my own user is having to log in over and over to test my app, I'm quickly hitting the verify_credentials limit (and I'm even using OAuth). I'm getting really frustrated. Jesse

On Fri, Jul 31, 2009 at 8:01 PM, Bob Thomson stormid...@googlemail.com wrote:
Hi Doug, Is there a timescale for rolling back / making the change to the new scheme? We're just putting the finishing touches to moving to OAuth and we're experiencing the issue when using verify_credentials to get the user's basic details once we've got the token back from the authentication process. We're experiencing the issue when:
1. Testing our login and authentication processes
2. When users log in and log out of our application frequently
A heads up on when these changes will be made would be useful. Thanks, Bob

On Jul 29, 6:37 pm, Grant Emsley grant.ems...@gmail.com wrote:
Locked out of authenticated resources for that account, or will that IP not be able to login to any account?

On Jul 29, 1:14 pm, Doug Williams d...@twitter.com wrote:
Ray, For clarity, we will roll back the current restriction of 15 calls per user per hour to account/verify_credentials, and implement the proposed scheme: ... we will limit the total number of unsuccessful attempts to access authenticated resources to 15 an hour per user per IP address. If a single IP address makes 15 attempts to access a protected resource unsuccessfully for a given user (as indicated by an HTTP 401), then the user will be locked out of authenticated resources from that IP address for 1 hour. Thanks, Doug

On Wed, Jul 29, 2009 at 9:51 AM, Ray rvizz...@testlabs.com wrote:
Doug, I'm in a similar situation as that voiced by TinBlue. This change has affected our iPhone App. We also want to encourage you to rollback this change ASAP. When you say "This approach is what we are going to take.", do you mean rolling back the fix so as not to affect multiple, successful, authorized logins? I'm hopeful that this approach means that our apps will not be affected yet again by changing to a new auth approach. I appreciate you all keeping this thread informed. Ray

On Jul 27, 11:23 am, Doug Williams d...@twitter.com wrote:
Thanks to everyone who has contributed feedback. This approach is what we are going to take. Alex will be making this change shortly. I will update this thread when there is timeframe to share. Thanks, Doug

On Mon, Jul 27, 2009 at 7:52 AM, TinBlue tinb...@gmail.com wrote:
What is happening? This rollback is taking far too long for something that has affected a lot of people!

On Jul 25, 2:32 pm, Dewald Pretorius dpr...@gmail.com wrote:
Doug, I would prefer to adopt OAuth instead of writing code for Basic Auth. So, you guys need to move OAuth out of public beta into full production sooner rather than later. :-) I manage 100,000+ Twitter accounts, and I simply cannot take on the support workload of answering user tickets when there's a snag with OAuth beta. I monitor these forums and the API Issues and still see too many OAuth issues being reported to give me a level of comfort that I can safely switch over to OAuth.

On Jul 24, 5:46 pm, Doug Williams d...@twitter.com wrote:
Well said Joshua. Dewald, you have identified the risk of using basic authentication. If your users are being locked out due to malicious behavior, you should either implement further user-level
[twitter-dev] Re: Updating the APIs authentication limiting policy
Did the rollback happen?

On Aug 3, 6:56 pm, Alex Payne a...@twitter.com wrote: The rollback should be deployed tomorrow. Sorry for the delay.

On Sat, Aug 1, 2009 at 23:36, Jesse Stay jesses...@gmail.com wrote: A timeframe would be very helpful. This is turning out to be a headache as I'm testing. If my own user is having to log in over and over to test my app, I'm quickly hitting the verify_credentials limit (and I'm even using OAuth). I'm getting really frustrated. Jesse

On Fri, Jul 31, 2009 at 8:01 PM, Bob Thomson stormid...@googlemail.com wrote: Hi Doug, Is there a timescale for rolling back / making the change to the new scheme? We're just putting the finishing touches to moving to OAuth and we're experiencing the issue when using verify_credentials to get the user's basic details once we've got the token back from the authentication process. We're experiencing the issue when: 1. Testing our login and authentication processes 2. When users log in and log out of our application frequently. A heads up on when these changes will be made would be useful. Thanks, Bob

On Jul 29, 6:37 pm, Grant Emsley grant.ems...@gmail.com wrote: Locked out of authenticated resources for that account, or will that IP not be able to log in to any account?

On Jul 29, 1:14 pm, Doug Williams d...@twitter.com wrote: Ray, For clarity, we will roll back the current restriction of 15 calls per user per hour to account/verify_credentials, and implement the proposed scheme: ... we will limit the total number of unsuccessful attempts to access authenticated resources to 15 an hour per user per IP address. If a single IP address makes 15 attempts to access a protected resource unsuccessfully for a given user (as indicated by an HTTP 401), then the user will be locked out of authenticated resources from that IP address for 1 hour. Thanks, Doug

On Wed, Jul 29, 2009 at 9:51 AM, Ray rvizz...@testlabs.com wrote: Doug, I'm in a similar situation as that voiced by TinBlue. This change has affected our iPhone App. We also want to encourage you to roll back this change ASAP. When you say "This approach is what we are going to take.", do you mean rolling back the fix so as not to affect multiple, successful, authorized logins? I'm hopeful that this approach means that our apps will not be affected yet again by changing to a new auth approach. I appreciate you all keeping this thread informed. Ray

On Jul 27, 11:23 am, Doug Williams d...@twitter.com wrote: Thanks to everyone who has contributed feedback. This approach is what we are going to take. Alex will be making this change shortly. I will update this thread when there is a timeframe to share. Thanks, Doug

On Mon, Jul 27, 2009 at 7:52 AM, TinBlue tinb...@gmail.com wrote: What is happening? This rollback is taking far too long for something that has affected a lot of people!

On Jul 25, 2:32 pm, Dewald Pretorius dpr...@gmail.com wrote: Doug, I would prefer to adopt OAuth instead of writing code for Basic Auth. So, you guys need to move OAuth out of public beta into full production sooner rather than later. :-) I manage 100,000+ Twitter accounts, and I simply cannot take on the support workload of answering user tickets when there's a snag with OAuth beta. I monitor these forums and the API Issues and still see too many OAuth issues being reported to give me a level of comfort that I can safely switch over to OAuth.

On Jul 24, 5:46 pm, Doug Williams d...@twitter.com wrote: Well said Joshua. Dewald, you have identified the risk of using basic authentication. If your users are being locked out due to malicious behavior, you should either implement further user-level rate limiting on your side or adopt OAuth. Are there any other glaring omissions in our thinking or should we proceed with this as our solution? Thanks, Doug

On Fri, Jul 24, 2009 at 11:08 AM, Joshua Perry j...@6bit.com wrote: Jim's concern is valid; fortunately, OAuth is immune to brute-force attacks once the access key has been issued to an application. For this reason alone I would urge people to switch to OAuth if at all possible. I would hope (and assume) that if login attempts for an account are locked out that a user would still be able to successfully use an already authorized OAuth driven application.
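The scheme Doug sets out in the quoted thread (15 unsuccessful attempts per user per IP address in an hour, then a one-hour lockout from that address), modelled in Python as an added example. This is not Twitter's code; the 403 response for a locked pair, the FakeClock, and the sample account, token and IP addresses are constructed for the demo. It also shows the two behaviours discussed on this page: a correct password presented from the locked address is still refused (the bypass Joshua warns about), while an access token already issued to an OAuth app never goes through the password path at all.

```python
"""Per-user, per-IP lockout after repeated HTTP 401s (added example, not Twitter's code)."""
import time
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 15   # unsuccessful attempts per user per IP address ...
WINDOW_SECONDS = 3600    # ... counted over one hour ...
LOCKOUT_SECONDS = 3600   # ... after which the pair is locked out for one hour


class AuthLimiter:
    """Tracks 401s keyed by (user, ip) and locks that pair once the threshold is reached."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # (user, ip) -> timestamps of recent 401s
        self._locked_until = {}              # (user, ip) -> time at which the lock lifts

    def is_locked(self, user, ip):
        now = self._clock()
        until = self._locked_until.get((user, ip))
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it together with the failure history that caused it.
        del self._locked_until[(user, ip)]
        self._failures.pop((user, ip), None)
        return False

    def record_failure(self, user, ip):
        """Count one 401 for (user, ip); return True if this failure triggered the lock."""
        now = self._clock()
        window = self._failures[(user, ip)]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop failures older than the one-hour counting window
        window.append(now)
        if len(window) >= LOCKOUT_THRESHOLD:
            self._locked_until[(user, ip)] = now + LOCKOUT_SECONDS
            return True
        return False


# Constructed sample data for the demo; not real accounts or tokens.
PASSWORDS = {"alice": "correct-horse-battery-staple"}
OAUTH_TOKENS = {"token-issued-to-app": "alice"}  # access token an app already holds


def basic_auth_request(limiter, user, password, ip):
    """Password-authenticated request; returns an HTTP-style status code.
    403 for a locked pair is an assumption of this example, not a documented Twitter response."""
    if limiter.is_locked(user, ip):
        return 403  # locked: the correct password is refused from this address too
    if PASSWORDS.get(user) == password:
        return 200
    limiter.record_failure(user, ip)
    return 401


def oauth_request(token):
    """Token-authenticated request; no password is checked, so the lock never applies."""
    return 200 if token in OAUTH_TOKENS else 401


class FakeClock:
    """Controllable clock so the demo can 'wait' an hour instantly."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    limiter = AuthLimiter(clock)
    attacker_ip, owner_ip = "203.0.113.7", "198.51.100.9"  # documentation-range addresses
    results = {}
    # Fifteen wrong passwords from one address trip the lock for (alice, attacker_ip).
    for _ in range(LOCKOUT_THRESHOLD):
        results["wrong_guess"] = basic_auth_request(limiter, "alice", "guess", attacker_ip)
    results["locked_now"] = limiter.is_locked("alice", attacker_ip)
    # The real password from the locked address is still refused.
    results["correct_from_locked_ip"] = basic_auth_request(limiter, "alice", PASSWORDS["alice"], attacker_ip)
    # The lock is per IP: the owner elsewhere is unaffected, and an issued OAuth token is never password-checked.
    results["correct_from_other_ip"] = basic_auth_request(limiter, "alice", PASSWORDS["alice"], owner_ip)
    results["oauth_token"] = oauth_request("token-issued-to-app")
    # After the lockout hour the pair may authenticate again.
    clock.advance(LOCKOUT_SECONDS)
    results["after_lockout"] = basic_auth_request(limiter, "alice", PASSWORDS["alice"], attacker_ip)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the counter is keyed by the client address, every request a third-party site sends on behalf of its users arrives from that site's own server IP, so fifteen bad passwords for one account from that site lock the real owner out of that site for an hour, which is the denial of service Jim describes; that is why Doug recommends the app apply its own user-level limiting before forwarding credentials, or move to OAuth so no password is sent at all.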
[twitter-dev] Re: Updating the APIs authentication limiting policy
Seems fine. Is there a timescale for rolling this out?

On Jul 24, 9:46 pm, Doug Williams d...@twitter.com wrote: Well said Joshua. Dewald, you have identified the risk of using basic authentication. If your users are being locked out due to malicious behavior, you should either implement further user-level rate limiting on your side or adopt OAuth. Are there any other glaring omissions in our thinking or should we proceed with this as our solution? Thanks, Doug

On Fri, Jul 24, 2009 at 11:08 AM, Joshua Perry j...@6bit.com wrote: Jim's concern is valid; fortunately, OAuth is immune to brute-force attacks once the access key has been issued to an application. For this reason alone I would urge people to switch to OAuth if at all possible. I would hope (and assume) that if login attempts for an account are locked out that a user would still be able to successfully use an already authorized OAuth driven application. Unfortunately, allowing a successful un/pw login while an account is locked out, even when the correct password is presented, effectively bypasses the whole reason for a lockout in the first place: preventing brute-force password attempts. If an attacker used a dictionary or brute-force attack and the account was locked out after 15 attempts, then they could continue trying even though the system replied locked out; if they eventually sent the correct password it would just bypass the lockout and they would then know the correct password. Perhaps Twitter could implement a selective captcha; I know they are annoying, but if executed properly it could be effective protection against brute-force and dictionary attacks. Say after 3 or 4 failed attempts without a captcha the API would then include a captcha image URL in its response that the application would then need to show to the person and include the user's response with the next authentication attempt as a header or POST variable. The site stackoverflow.com does this to great effect: if you create posts quicker than a certain threshold which a person would not exceed, then they pop a captcha up; in the normal use of the site you will never see one. I've only hit two captchas in the last 8 months using the site. Josh

Dewald Pretorius wrote: Jim raised a huge weakness with the authentication rate limiting that could essentially break third-party apps. Anybody can try to add anybody else's Twitter account to a third-party app using an invalid password. If they do that 15 times with a Twitter account, the real owner of that Twitter account, who may have added his account a long time ago with the correct password, is locked out from using that app for an hour. I believe you will absolutely have to reset / remove the lock as soon as the Twitter account uses the correct password.

On Jul 22, 4:58 pm, jim.renkel james.ren...@gmail.com wrote: My concern with this proposal is that it opens up denials of service, not to twitter.com, but to associated sites such as twitpic, or my site twxlate, among others. For example, Lance Armstrong is a heavy user of twitpic. It is very easy for anyone to find Lance's twitter ID (@lancearmstrong), view his status updates, and see that he is a frequent user of twitpic. Now, someone that is unhappy with Lance, say one of George Hincapie's ardent fans that really believes that Lance was a significant contributor to George not winning the maillot jaune last Sunday, could go to twitpic, fail to log in as Lance the requisite number of times, and deny Lance access to twitpic. Not only celebrities would or could be subject to such denials of service. I notice that @dougw occasionally uses twitpic! :-) One solution to this problem is to add to each twitter account another private ID. By default this private ID would be equal to the existing (public) ID (if not equal to the account's public ID, it would have to be unique among all twitter IDs, both public and private). The public ID would be used just as the existing twitter ID is now: others would use it to follow, mention, DM, etc., the user. But the user MUST use their private ID for authenticated requests through the API, and CAN also use it for non-authenticated requests. In either case, twitter would treat a request from a private ID as if it came from the corresponding public ID. Blocking the public ID because of excessive authentication failures would NOT block the associated private ID unless they were equal. Changing your public ID would also change your private ID if the two were the same before the change, i.e., they would remain the same after the change. It may seem onerous to require all users to also have a private ID, but since it defaults to be the same as their public ID, only those concerned about their service being denied would change it and subsequently use it instead of their public