[twitter-dev] Re: How you are notified of whitelisting status

2009-08-22 Thread Goblin

You get notification in the form of a DM to the account you applied
for whitelisting with.

In my experience it takes anything from 2 days to over a week,
depending on how much DDoS Twitter is under at the time.

On Aug 21, 5:40 pm, Neicole  wrote:
> We applied for whitelisting this past weekend and haven't heard a
> peep, or a tweet. How long does it usually take and how are you
> notified?
>
> Thanks!


[twitter-dev] Re: Accessing Twitter API from UK

2009-08-18 Thread Goblin

There are location specific trend lists?

On Aug 18, 12:53 am, Carl  wrote:
> Hi there,
>
> I would like to lookup the top UK trends by accessing the twitter api
> from US, I don't see a locale parameter as part of the method, any
> pointers?
>
> Thanks


[twitter-dev] Re: oAuth Codeigniter

2009-08-17 Thread Goblin

I use Elliot's library on www.twitlonger.com and it is really easy to
work with. Integrates nicely, easy to maintain and, quite frankly,
when there's something out there to do the boring bit it's a much
better idea to use that than writing your own.

On Aug 14, 7:51 pm, Peter Denton  wrote:
> Hello
> Has anyone integrated oAuth with CodeIgniter?
>
> Can you recommend libs?
>
> I have seen Elliott Haughin's but had some questions.
>
> Any help would be much appreciated.
>
> Regards
> Peter


[twitter-dev] Re: Cease & Desist from Twitter

2009-08-14 Thread Goblin

Nice little footnote to the story, got this email from Jillian at
Twitter which has made me feel all warm and fuzzy:

Hey Stuart,

Thanks for bringing this to our attention and for reaching out.  Our
Platform team should be communicating our goals (in relation to C&Ds,
and why they're sent) to the Developer community soon, but I just
wanted to thank you for making those changes to your site and let you
know that our intentions were never to be pushy.  Things sometimes get
lost in translation, and while we wanted to make sure your site was
understood as a third party app and not a subset of Twitter, we do
understand that your application is great and thank you for your
support.

Kindest Regards
Jillian (I deal with our TM protection here)

On Aug 14, 6:14 pm, Duane Roelands  wrote:
> Lots of folks don't understand trademark law.
> Other folks are mad because they've been asked to stop selling
> spam-o-trons.
>
> I can't fault Twitter for their behavior in this matter.
>
> On Aug 14, 11:42 am, David Fisher  wrote:
>
> > How are some of you failing to see the difference between "Powered by
> > Twitter" being something they want you to do and
> > "http://TwitterApplication.com" is something they don't want you to do?
>
> > Why don't they want the latter? Because someone with the email of
> > "adultsexdatin...@googlemail.com" registered the domain. Not exactly
> > the type of company that Twitter wants to associate itself with. Yet,
> > for applications and sites that DO comply with the ToS, they want an
> > attribution and link back to their site. Aren't some of you self
> > proclaimed SEO/Marketing experts? Everyone wants links back to their
> > site, including Twitter.
>
> > Making a logo downloadable doesn't mean either that they want you to
> > use it, or their font on your website when doing your own branding.
>
> > Some people here are confused
>
> > dave


[twitter-dev] Re: Cease & Desist from Twitter

2009-08-14 Thread Goblin

I would assume the logo download is for use in press articles.

On Aug 14, 3:31 pm, Vision Jinx  wrote:
> Thanks for this post! I am wondering when Twitter trademarked "Twit",
> Blue and Birds?
>
> Maybe Twitter should be considered an offensive word when making apps
> and use Twi***r instead? Makes me really question making apps using
> this service. :(
>
> Additionally, I also don't get the dual stance on things, why it's OK
> for some and not others?
>
> Maybe people/companies who are using "Tweet" in their apps prior to
> Twi***rs claim to the name should challenge it and do the same back?
> (If they want to keep the name) If Twi***r trademarks it then then
> encourage ppl to use it anyways, then why bother trademarking it in
> the first place, unless they plan on being selective or whatever (or
> being able to change their mind later or charge licensing fees for its
> use). Just a thought.
>
> The other thing that comes to mind is from what I am able to gather
> (maybe I'm wrong here) Twi***r is a privately funded company
> (http://twitter.com/about#about) and does not have the ad revenue or a
> hefty/unlimited source of income ("we spend more money than we make.")
> like say Google does so if people challenge these lawsuits and go the
> distance how long is Twit***s funders going to want to donate their $$$
> to pay for these legal battles? If I was investing in the company I
> would want my dollars going somewhere productive not to launch legal
> battles with half the internet.
>
> Also (last thought here), why do they allow people to download and use
> their logo then? What am I missing here? >> "Download our logo"
> http://twitter.com/about#download_logo
>
> I'm just confused by most this :(
>
> Thank you for your time dev community! :)
>
> On Aug 13, 4:32 pm, Twitlonger  wrote:
>
> > I recently got a letter by email from a UK law firm representing
> > Twitter claiming that my website www.twitlonger.com was infringing on
> > their trade mark and was inherently likely to confuse users. The
> > version of the website they were objecting to didn't have a similar
> > font but did use the same birds as the old version of the site (fair
> > enough to be asked to remove them).
>
> > The timing coincided with a redesign of the site anyway which went
> > live this week. I emailed them back pointing this out and then ended
> > up on the phone with them with the claim being that the site as it
> > stands now could still be seen as "potentially confusing". I want to
> > know how different they expect a site to be (especially when it
> > doesn't even include the full word "twitter" in the name). Compare this
> > to Twitpic, Twitvid etc who are using the same contraction AND the
> > same typeface.
>
> > This feels so much like a legal department doing stuff that is
> > completely contrary to the Twitter team who have been so supportive of
> > the third party community. Of course, all these applications have been
> > granted access to be listed in the posted from field in the tweets,
> > been granted special access to the API via whitelisting which requires
> > the application to be named and described and, in many cases, been
> > registered with OAuth, again requiring the name and description of the
> > app.
>
> > Has anyone else received similar letters where they have no problem
> > with the service but can't seem to tell the difference between two
> > sites if blue is present in each?
>
> > :(
>
> > Letter copied below.
> > ---
> > TWITTER - Trade Mark and Website Presentation Issues
> > We act for Twitter, Inc. in relation to intellectual property issues
> > in the UK.
> > Twitter has asked us to contact you about your ww.twitlonger.com website
> > (the "Website"). Twitter
> > has no objection to the service which you are offering on the Website.
> > However, Twitter does need
> > you to make certain changes to the Website. We have set out the
> > reasons below.
> > Your Website
> > Twitter owns a number of registrations for its TWITTER trade mark,
> > including Community trade mark
> > registration number 6392997. Your use of a name for the Website which
> > is based on the TWITTER
> > trade mark is inherently likely to confuse users of the ww.twitter.com
> > website into thinking that the
> > Website is owned or operated by Twitter, when this is not the case.
> > You are using a font on your Website which is very similar to that
> > used by Twitter for its TWITTER
> > logo. You have no doubt chosen to use this font for this very reason.
> > You are also using a blue
> > background and representations of blue birds. These blue birds are
> > identical to those which Twitter
> > has previously used on the www.twitter.com website. The combination of
> > these factors and the name
> > of your Website inevitably increase the likelihood of confusion.
> > We therefore ask you to confirm that you will, within seven days of
> > giving the confirmation:
> > 1. incorporate a prominent non-affiliation disclaimer on

[twitter-dev] Re: Cease & Desist from Twitter

2009-08-14 Thread Goblin

Yep.

I'm at the stage now for personal projects (and clients if they are
cool with it) that I'm just not worrying anymore about IE6.

Twitlonger runs about 3% IE6 so it's just not worth degrading the
experience for the people with decent browsers to make exceptions for
those living in the past.

Out of curiosity, have you tried the Unit PNG fix to deal with IE6?
Interested to know if you did and it didn't work out for you.

On Aug 14, 12:18 pm, Andrew Badera  wrote:
> On Fri, Aug 14, 2009 at 7:16 AM, Goblin wrote:
>
> > LOL, problems are now all sorted, lawyers happy it isn't confusing
> > anymore.
>
> friggin IE6. Had to GIF some PNGs recently myself.
>
> ∞ Andy Badera
> ∞ This email is: [ ] bloggable [x] ask first [ ] private
> ∞ Google me: http://www.google.com/search?q=(andrew+badera)+OR+(andy+badera)


[twitter-dev] Re: Cease & Desist from Twitter

2009-08-14 Thread Goblin

LOL, problems are now all sorted, lawyers happy it isn't confusing
anymore.

Turns out that he thought there was a big grey box in it, similar to
the new Twitter front page, but only because he was using IE6 and I
don't bother applying any transparent png fixes :)

On Aug 14, 3:16 am, Zac Bowling  wrote:
> Wow. Twitters legal team thinks twitter owns blue backgrounds. Hehe.
>
> Sent from my iPhone
>
> On Aug 13, 2009, at 3:32 PM, Twitlonger wrote:
>
> > I recently got a letter by email from a UK law firm representing
> > Twitter claiming that my website www.twitlonger.com was infringing on
> > their trade mark and was inherently likely to confuse users. The
> > version of the website they were objecting to didn't have a similar
> > font but did use the same birds as the old version of the site (fair
> > enough to be asked to remove them).
>
> > The timing coincided with a redesign of the site anyway which went
> > live this week. I emailed them back pointing this out and then ended
> > up on the phone with them with the claim being that the site as it
> > stands now could still be seen as "potentially confusing". I want to
> > know how different they expect a site to be (especially when it
> > doesn't even include the full word "twitter" in the name). Compare this
> > to Twitpic, Twitvid etc who are using the same contraction AND the
> > same typeface.
>
> > This feels so much like a legal department doing stuff that is
> > completely contrary to the Twitter team who have been so supportive of
> > the third party community. Of course, all these applications have been
> > granted access to be listed in the posted from field in the tweets,
> > been granted special access to the API via whitelisting which requires
> > the application to be named and described and, in many cases, been
> > registered with OAuth, again requiring the name and description of the
> > app.
>
> > Has anyone else received similar letters where they have no problem
> > with the service but can't seem to tell the difference between two
> > sites if blue is present in each?
>
> > :(
>
> > Letter copied below.
> > ---
> > TWITTER - Trade Mark and Website Presentation Issues
> > We act for Twitter, Inc. in relation to intellectual property issues
> > in the UK.
> > Twitter has asked us to contact you about your ww.twitlonger.com website
> > (the "Website"). Twitter
> > has no objection to the service which you are offering on the Website.
> > However, Twitter does need
> > you to make certain changes to the Website. We have set out the
> > reasons below.
> > Your Website
> > Twitter owns a number of registrations for its TWITTER trade mark,
> > including Community trade mark
> > registration number 6392997. Your use of a name for the Website which
> > is based on the TWITTER
> > trade mark is inherently likely to confuse users of the ww.twitter.com
> > website into thinking that the
> > Website is owned or operated by Twitter, when this is not the case.
> > You are using a font on your Website which is very similar to that
> > used by Twitter for its TWITTER
> > logo. You have no doubt chosen to use this font for this very reason.
> > You are also using a blue
> > background and representations of blue birds. These blue birds are
> > identical to those which Twitter
> > has previously used on the www.twitter.com website. The combination of
> > these factors and the name
> > of your Website inevitably increase the likelihood of confusion.
> > We therefore ask you to confirm that you will, within seven days of
> > giving the confirmation:
> > 1. incorporate a prominent non-affiliation disclaimer on all pages of
> > the Website;
> > 2. permanently stop any use on the Website of a font which is
> > identical or similar to the font used by
> > Twitter for its TWITTER logo; and
> > 3. permanently stop any use on the Website of (i) representations of
> > blue birds which are identical or
> > similar to the blue bird design previously or currently used by
> > Twitter on the www.twitter.com
> > website; and (ii) a blue background.


[twitter-dev] Re: Cease & Desist from Twitter

2009-08-13 Thread Goblin

Yeah, I think it's a pretty easy going C&D, but I don't really want to
keep making tiny changes and have a lawyer hhmm and ahh to decide if
it's not "potentially confusing".

If Twitter came out and said they were going to have to ask everyone
to stop using twit in application names and move to tweet then at
least we'd know where we stand. It's the ambiguity over it all, not to
mention the dozens of websites in a similar position to mine that have
a look and feel way closer to Twitter (past or present). www.twitterholic.com
is my favourite: "Styles ripped directly, and we mean directly, from
Twitter.com."

At this rate, the only app not needing to change its name will be
Seesmic :)

On Aug 14, 1:14 am, Neil Ellis  wrote:
> To be fair Goblin, reading the letter they only ask you to make
> clear you're not affiliated. Not change the domain.
>
> However, point taken it's confusing.
>
> Take Twitterific's page: http://iconfactory.com/software/twitterrific
>
> That bird looks familiar and the blue and there is no disclaimer.
>
> I keep wanting apply everyday logic, but in the legal world it just
> seems to go out of the window :-)
>
> Now I really must do some coding :-)
>
> On 14 Aug 2009, at 01:08, Goblin wrote:
>
> > I think the blog post actually makes things more confusing:
>
> > "Regarding the use of the word Twitter in projects, we are a bit more
> > wary although there are some exceptions here as well."
>
> > So, what are these exceptions? Does it come down to the projects @ev
> > and @biz particularly like? What if it's twit*** which obviously isn't
> > using their trademark but uses the same base (heck, by that logic
> > @leolaporte should be on my case)?
>
> > It would seem odd that mine is the only site to have received a
> > letter. If the primary concern was the twitter bird then why is the
> > new version an issue? When I was on the phone I think he said he was
> > waiting to hear back from California, so there is more than a passing
> > chance that it was personal opinion of a guy in London instead of
> > Twitter's own people.
>
> > As has been said, some proper clarification and a bit more
> > transparency with the community would go a really long way here
> > (although are Twitter now at the stage they can't comment on legal
> > matters until the lawyers check things over?)
>
> > On Aug 14, 12:59 am, Dewald Pretorius  wrote:
> >> On Aug 13, 8:44 pm, Goblin  wrote:
>
> >>> It would be nice to hear from the horse's mouth if all the "twit*/
> >>> twitter*" apps were to use "tweet" instead, would that sort the issue
> >>> out.
>
> >> Doesn't this blog post [1] from the "big horse's mouth" already settle
> >> that question?
>
> >> [1] http://blog.twitter.com/2009/07/may-tweets-be-with-you.html
>
> >> It is also interesting that Biz wrote favorable blog posts about
> >> TwitterCounter [2] and Twitterific [3]. Wonder how that will impact
> >> anything, if at all.
>
> >> [2] http://blog.twitter.com/2008/07/follower-stats-by-twittercounter.html
> >> [3] http://blog.twitter.com/2008/06/congratulations-twitterrific.html
>
> >> Dewald


[twitter-dev] Re: Cease & Desist from Twitter

2009-08-13 Thread Goblin

I think the blog post actually makes things more confusing:

"Regarding the use of the word Twitter in projects, we are a bit more
wary although there are some exceptions here as well."

So, what are these exceptions? Does it come down to the projects @ev
and @biz particularly like? What if it's twit*** which obviously isn't
using their trademark but uses the same base (heck, by that logic
@leolaporte should be on my case)?

It would seem odd that mine is the only site to have received a
letter. If the primary concern was the twitter bird then why is the
new version an issue? When I was on the phone I think he said he was
waiting to hear back from California, so there is more than a passing
chance that it was personal opinion of a guy in London instead of
Twitter's own people.

As has been said, some proper clarification and a bit more
transparency with the community would go a really long way here
(although are Twitter now at the stage they can't comment on legal
matters until the lawyers check things over?)

On Aug 14, 12:59 am, Dewald Pretorius  wrote:
> On Aug 13, 8:44 pm, Goblin  wrote:
>
> > It would be nice to hear from the horse's mouth if all the "twit*/
> > twitter*" apps were to use "tweet" instead, would that sort the issue
> > out.
>
> Doesn't this blog post [1] from the "big horse's mouth" already settle
> that question?
>
> [1] http://blog.twitter.com/2009/07/may-tweets-be-with-you.html
>
> It is also interesting that Biz wrote favorable blog posts about
> TwitterCounter [2] and Twitterific [3]. Wonder how that will impact
> anything, if at all.
>
> [2] http://blog.twitter.com/2008/07/follower-stats-by-twittercounter.html
> [3] http://blog.twitter.com/2008/06/congratulations-twitterrific.html
>
> Dewald


[twitter-dev] Re: Cease & Desist from Twitter

2009-08-13 Thread Goblin

To be fair, the new version mostly seemed to please the guy I was on
the phone with, but I got the impression he was shooting from the hip
when he said that I would probably need to change the blue in the
logo.

It just seems weird that we spend two or three years building sites
with the twit/tweet theme running so it is clear they are add-ons to
Twitter and *then* the lawyers decide to get antsy. I know Twitter is
in the position that if they don't act to protect their trademarks
they can lose them, but it would be nice if we were told a few months
back "Look guys, we're going to need to start enforcing trademark
stuff. It might be a hassle for you so we're giving you a heads up".

It would be nice to hear from the horse's mouth if all the "twit*/
twitter*" apps were to use "tweet" instead, would that sort the issue
out. I have www.tweetlonger.com (and @tweetlonger) so it would be
reasonably trivial to migrate over to the new domain if that would
sort things out.

The before page wasn't really potentially confusing, especially since
I designed it, resulting in it looking like a 4 year old had been let
loose with MS Paint, but you'd have to be pretty confused to think the
new one and the Twitter homepage are the same people.

On Aug 14, 12:28 am, Neil Ellis  wrote:
> Man that's sad, your website is unmistakable and there is no doubt
> you are not Twitter. It sounds like it was potentially confusing before.
>
> Hmmm...  outsourcing trademark checking seems to have pitfalls
> (i.e. eating into company goodwill).
>
> It makes you really stop and think about building a business
> around someone's  API doesn't it - that's what we're doing right now,
> but it encourages me to diversify pretty darn fast. I suppose it was
> naive of me not to consider just how much you can be beholden to the
> API owner in the first place.
>
> It doesn't put me off working with Twitter, but it does make me want
> to get some more baskets for these eggs :-)
>
> Thanks for letting us know your situation and good luck.
>
> All the best
> Neil
>
> On 13 Aug 2009, at 23:32, Twitlonger wrote:
>
> > I recently got a letter by email from a UK law firm representing
> > Twitter claiming that my website www.twitlonger.com was infringing on
> > their trade mark and was inherently likely to confuse users. The
> > version of the website they were objecting to didn't have a similar
> > font but did use the same birds as the old version of the site (fair
> > enough to be asked to remove them).
>
> > The timing coincided with a redesign of the site anyway which went
> > live this week. I emailed them back pointing this out and then ended
> > up on the phone with them with the claim being that the site as it
> > stands now could still be seen as "potentially confusing". I want to
> > know how different they expect a site to be (especially when it
> > doesn't even include the full word "twitter" in the name). Compare this
> > to Twitpic, Twitvid etc who are using the same contraction AND the
> > same typeface.
>
> > This feels so much like a legal department doing stuff that is
> > completely contrary to the Twitter team who have been so supportive of
> > the third party community. Of course, all these applications have been
> > granted access to be listed in the posted from field in the tweets,
> > been granted special access to the API via whitelisting which requires
> > the application to be named and described and, in many cases, been
> > registered with OAuth, again requiring the name and description of the
> > app.
>
> > Has anyone else received similar letters where they have no problem
> > with the service but can't seem to tell the difference between two
> > sites if blue is present in each?
>
> > :(
>
> > Letter copied below.
> > ---
> > TWITTER - Trade Mark and Website Presentation Issues
> > We act for Twitter, Inc. in relation to intellectual property issues
> > in the UK.
> > Twitter has asked us to contact you about your ww.twitlonger.com website
> > (the "Website"). Twitter
> > has no objection to the service which you are offering on the Website.
> > However, Twitter does need
> > you to make certain changes to the Website. We have set out the
> > reasons below.
> > Your Website
> > Twitter owns a number of registrations for its TWITTER trade mark,
> > including Community trade mark
> > registration number 6392997. Your use of a name for the Website which
> > is based on the TWITTER
> > trade mark is inherently likely to confuse users of the ww.twitter.com
> > website into thinking that the
> > Website is owned or operated by Twitter, when this is not the case.
> > You are using a font on your Website which is very similar to that
> > used by Twitter for its TWITTER
> > logo. You have no doubt chosen to use this font for this very reason.
> > You are also using a blue
> > background and representations of blue birds. These blue birds are
> > identical to those which Twitter
> > has previously used on the www.twitter.com webs

[twitter-dev] Re: FW: Twitter is Suing me!!!

2009-08-12 Thread Goblin

Here's a thought, if Twitter has allowed a specific site to have their
application name added to the "posted from" list, is that tacit
permission to use the name? They've been happy to show messages as
posted from Twitteriffic, which uses their name and, it could be
argued, have explicitly allowed this use.

On Aug 12, 4:43 pm, Dossy Shiobara  wrote:
> On 8/12/09 10:14 AM, Dean Collins wrote:
>
> > So has anyone heard from or know any of the other developers? Did they
> > also get an email last night?
>
> IANAL, but, I think the horse has already left the barn for Twitter.
>
> Unless someone is building a short-message service called "Twitter" it's
> hard to claim dilution here.
>
> The few years that Twitter hasn't policed the infringing use of their
> mark should be reasonable basis for estoppel, too.
>
> However, all legal issues aside, they can still shut down third-party
> services from using their API or otherwise accessing their service,
> which is probably "stronger" than the actual legal recourse they may be
> entitled to.
>
> --
> Dossy Shiobara              | do...@panoptic.com |http://dossy.org/
> Panoptic Computer Network   |http://panoptic.com/
>    "He realized the fastest way to change is to laugh at your own
>      folly -- then you can let go and quickly move on." (p. 70)


[twitter-dev] Re: FW: Twitter is Suing me!!!

2009-08-12 Thread Goblin

The question is, are they going to be going after Twitteriffic,
Twitterholic, Twitpic, Twitvid, Twittelator, Twitterena, Twitterfon,
iTwitter etc?

I admit that I was fair game having the blue birds in the backdrop (as
I say, it was a stupid project that got traction and the new version
is live now anyway), but if Twitter is deciding to take down everyone
with Twit in their name then there are going to be some serious
issues. I know they have to show they are attempting to protect
trademark or risk losing it, but this seems a little heavy handed :(

On Aug 12, 10:54 am, Andrew Badera  wrote:
> On Wed, Aug 12, 2009 at 5:52 AM, Rich wrote:
>
> > I'm not aware of this but this link
> > http://blog.twitter.com/2009/07/may-tweets-be-with-you.html,
> > published only last month says
>
> > "We have applied to trademark Tweet because it is clearly attached to
> > Twitter from a brand perspective but we have no intention of "going
> > after" the wonderful applications and services that use the word in
> > their name when associated with Twitter. In fact, we encourage the use
> > of the word Tweet."
>
> Thanks, I'd missed that. I only saw the original, unupdated article
> that brought up the issue on TechCrunch. Great to know.
>
> --ab


[twitter-dev] Re: FW: Twitter is Suing me!!!

2009-08-11 Thread Goblin

I got a letter from a UK law firm too regarding www.twitlonger.com
(which clearly doesn't use the word Twitter).

They weren't too draconian in their claims. They want a disclaimer put
on the site (fair enough) and for me to stop using the little blue
birds (again, fair enough. This is what happens when a stupid weekend
project turns into half million uniques a month).

What isn't quite as fair is that I have to stop using a font
"identical or similar to that used in the Twitter logo". I'm using
Arial Rounded which is significantly different to the custom font
Twitter uses and as common a typeface as you can get, though the
colours are similar. This one's the kicker though, they want me to
"permanently stop use on the website of a blue background". WTF?
Twitter now owns blue? I'm about a day away from dropping a redesign
anyway, but being told what colours I can use is a bit much.

This was all on the same day that they approved my whitelisting :)

On Aug 12, 5:27 am, Jeremy Darling  wrote:
> I really really want to see them backup the tweet trademark.  All birds are
> now being sued by twitter, they can no longer say; tweet tweet LOL.
>
> Seems lil twitter grew up and found lawyers.  While I don't agree or like
> the product that Dean sells, I disagree more with the misuse of legal
> representation by a corporation even more.  I remember when MS started this
> everyone threw stones (and courts threw it out), now twitter starts it and
> it's OK!?
>
> I warn developers to watch their backs, your little cheezy app that uses
> twitter may bite you in the arse.
>
> Of course, I don't see twitter going after the advertising/marketing
> companies utilizing the API and hitting the service just as many times to
> mine for data or to use what they mine to target sales.  That seems to be a
> complete and total ethical use of the service, course a few $$ thrown the
> right direction always does sway a corporations view of grey.
>
>  - Jeremy
>
>
> On Tue, Aug 11, 2009 at 11:13 PM, jim.renkel  wrote:
>
> > I guess I should have pointed out that my tongue was firmly planted in
> > my cheek when I wrote my previous post. My bad! :-(
>
> > Dean: I don't mean to make light of your particular situation.
> > Sometimes I just can't not point out absurdities, which the logic I
> > presented clearly is.
>
> > What I was trying to do, perhaps not too well, is point out that the
> > API TOS may need to be revised to say that developers may use
> > twitter's trademarks, but only in "approved" ways.
>
> > BTW, twitter is trademarking "tweet" as well as "twitter". You have
> > been warned! :-)
>
> > Jim


[twitter-dev] Re: DDoS Status Update

2009-08-07 Thread Goblin

OAuth is working fine for my site. To be honest, for something that
does nothing but interact with Twitter I haven't seen much of a drop
in activity.

On Aug 7, 7:28 pm, Rich  wrote:
> Thanks for the update, however PLEASE get oAuth back up and running
> ASAP please!
>
> On Aug 7, 7:05 pm, Ryan Sarver  wrote:
>
> > I wanted to send everyone an update to let you know what has been happening,
> > the known issues, some suggestions on how to resolve them and some idea of
> > how to move forward.
>
> > *What's been happening*
> > As you know all too well Twitter, among other services, has been getting hit
> > pretty hard with a DDoS attack over the past 24+ hours. Yesterday we saw the
> > attack come in a number of waves and from a number of different vectors
> > increasing in intensity along the way. We were able to stabilize our own
> > service for a bit, hence Biz's post saying all was
> > well,
> > but that didn't mean the attacks had ceased. In fact, at around 3am PST
> > today the attacks intensified to almost 10x of what it was yesterday. In
> > order for us to defend from the attack we have had to put a number of
> > services in place and we know that some of you have gotten caught in the
> > crossfire. Please know we are as frustrated as you are and wish there was
> > more we could have communicated along the way.
>
> > *Known Issues*
> > * - HTTP 300 response codes* - One of the measures in thwarting the
> > onslaught requires that all traffic respect HTTP 30x response codes. This
> > will help us identify the good traffic from the bad.
> > * - General throttling* - Try to throttle your services back as much as
> > possible for you to continue operating. We are working on our end to better
> > understand the logic used in throttling traffic on the edge of the network
> > and will communicate what we can, but the best idea is to just throttle back
> > as much as you can in the mean time.
> > * - Streaming API* - as part of the edge throttling we know requests to the
> > Streaming API with lists of keywords or users are getting dropped because the
> > request is too large. We are working to get this filter removed and will
> > update the list when we know more.
> > - *Unexpected HTTP response codes* - we know people are seeing a lot of
> > other weirdness and we aren't exactly sure what to attribute the various
> > issues to, but know that you aren't alone.
>
> > As the attacks change our tactics for defense will likely need to change as
> > well, so stay active on the list and let us know what problems you are
> > seeing and we will do our best to help guide you along.
>
> > *Moving forward *
> > We will try to communicate as much as we can so you guys are up to speed as
> > things change and progress. I personally apologize for not communicating
> > more in the mean time but there hasn't been much guidance we have been able
> > to give other than hold tight with us. We fully appreciate all the long
> > hours you are putting in to keep your apps running and supporting your users
> > and know we are frustrated with you. Continue to watch this list,
> > status.twitter.com and @twitterapi for updates
>
> > Thanks for your patience, Ryan
>
> > PM, Platform Team
> > @rsarver 


[twitter-dev] Re: Updating the APIs authentication limiting policy

2009-08-06 Thread Goblin

Alex, is that *not* estimated or was it an iPhone being daft and
changing now to not?

On Aug 5, 7:11 pm, Alex Payne  wrote:
> The change did not go live yesterday due to some deploy issues. It's
> not estimated to go out tomorrow. Once again, sorry for the delay.
>
>
>
> On Wed, Aug 5, 2009 at 07:48, Dewald Pretorius wrote:
>
> > Alex,
>
> > Did the change go live on Tuesday?
>
> > I have very irate users due to this issue. There are spam bots out
> > there that got hold of users' credentials. The users have changed
> > their Twitter passwords to get rid of the spam tweets published in
> > their timelines, but now those bots are locking them out 24x7 from all
> > apps that use the API.
>
> > On Aug 3, 2:56 pm, Alex Payne  wrote:
> >> The rollback should be deployed tomorrow. Sorry for the delay.
>
> >> On Sat, Aug 1, 2009 at 23:36, Jesse Stay wrote:
> >> > A timeframe would be very helpful. This is turning out to be a headache 
> >> > as
> >> > I'm testing. If my own user is having to log in over and over to test my
> >> > app, I'm quickly hitting the verify_credentials limit (and I'm even using
> >> > OAuth).  I'm getting really frustrated.
> >> > Jesse
>
> >> > On Fri, Jul 31, 2009 at 8:01 PM, Bob Thomson 
> >> > wrote:
>
> >> >> Hi Doug,
>
> >> >> Is there a timescale for rolling back / making the change to the new
> >> >> scheme?
>
> >> >> We're just putting the finishing touches to moving to OAuth and we're
> >> >> experiencing the issue when using verify_credentials to get the users
> >> >> basic details once we've got the token back from the authentication
> >> >> process. We're experiencing the issue when:
>
> >> >> 1. Testing our login and authentication processes
> >> >> 2. When users login and logout of our application frequently
>
> >> >> A heads up on when these changes will be made would be useful. Thanks,
>
> >> >> Bob
>
> >> >> On Jul 29, 6:37 pm, Grant Emsley  wrote:
> >> >> > Locked out of authenticated resources for that account, or will that
> >> >> > IP not be able to login to any account?
>
> >> >> > On Jul 29, 1:14 pm, Doug Williams  wrote:
>
> >> >> > > Ray, for clarity, we will roll back the current restriction of 15 
> >> >> > > calls
> >> >> > > per
> >> >> > > user per hour to account/verify_credentials, and implement the
> >> >> > > proposed
> >> >> > > scheme:
>
> >> >> > > > ... we will limit the total number of unsuccessful
> >> >> > > > attempts to access authenticated resources to 15 an hour per user
> >> >> > > > per IP
> >> >> > > > address. If a single IP address makes 15 attempts to access a
> >> >> > > > protected resource unsuccessfully for a given user (as indicated 
> >> >> > > > by
> >> >> > > > an
> >> >> > > HTTP 401),
> >> >> > > > then the user will be locked out of authenticated resources from
> >> >> > > > that
> >> >> > > > IP address for 1 hour.
>
> >> >> > > Thanks,
> >> >> > > Doug
>
> >> >> > > On Wed, Jul 29, 2009 at 9:51 AM, Ray  wrote:
>
> >> >> > > > Doug,
>
> >> >> > > > I'm in a similar situation as that voiced by TinBlue.  This change
> >> >> > > > has
> >> >> > > > affected our iPhone App.  We also want to encourage you to 
> >> >> > > > rollback
> >> >> > > > this change ASAP.
>
> >> >> > > > When you say "This approach is what we are going to take.", do you
> >> >> > > > mean rolling back the fix so as not to affect multiple, 
> >> >> > > > successful,
> >> >> > > > authorized logins?  I'm hopeful that "this approach" means that 
> >> >> > > > our
> >> >> > > > apps will not be affected yet again by changing to a new auth
> >> >> > > > approach.
>
> >> >> > > > I appreciate you all keeping this thread informed.
>
> >> >> > > > Ray
>
> >> >> > > > On Jul 27, 11:23 am, Doug Williams  wrote:
> >> >> > > > > Thanks to everyone who has contributed feedback. This approach 
> >> >> > > > > is
> >> >> > > > > what we
> >> >> > > > > are going to take.
> >> >> > > > > Alex will be making this change shortly. I will update this 
> >> >> > > > > thread
> >> >> > > > > when
> >> >> > > > > there is timeframe to share.
>
> >> >> > > > > Thanks,
> >> >> > > > > Doug
>
> >> >> > > > > On Mon, Jul 27, 2009 at 7:52 AM, TinBlue 
> >> >> > > > > wrote:
>
> >> >> > > > > > What is happening?
>
> >> >> > > > > > This rollback is taking far too long for something that has
> >> >> > > > > > affected a
> >> >> > > > > > lot of people!
>
> >> >> > > > > > On Jul 25, 2:32 pm, Dewald Pretorius  wrote:
> >> >> > > > > > > Doug,
>
> >> >> > > > > > > I would prefer to adopt OAuth instead of writing code for
> >> >> > > > > > > Basic Auth.
>
> >> >> > > > > > > So, you guys need to move OAuth out of public beta into full
> >> >> > > > > > > production sooner rather than later. :-)
>
> >> >> > > > > > > I manage 100,000+ Twitter accounts, and I simply cannot take
> >> >> > > > > > > on the
> >> >> > > > > > > support workload of answering user tickets when there's a 
> >> >> > > > > > > snag
> >> >> > > > > > > with
> >> >> > > > > > > OAuth beta.
>
> >> >> > > > > > > I m

[twitter-dev] Re: Updating the APIs authentication limiting policy

2009-08-05 Thread Goblin

Did the rollback happen?

On Aug 3, 6:56 pm, Alex Payne  wrote:
> The rollback should be deployed tomorrow. Sorry for the delay.
>
>
>
> On Sat, Aug 1, 2009 at 23:36, Jesse Stay wrote:
> > A timeframe would be very helpful. This is turning out to be a headache as
> > I'm testing. If my own user is having to log in over and over to test my
> > app, I'm quickly hitting the verify_credentials limit (and I'm even using
> > OAuth).  I'm getting really frustrated.
> > Jesse
>
> > On Fri, Jul 31, 2009 at 8:01 PM, Bob Thomson 
> > wrote:
>
> >> Hi Doug,
>
> >> Is there a timescale for rolling back / making the change to the new
> >> scheme?
>
> >> We're just putting the finishing touches to moving to OAuth and we're
> >> experiencing the issue when using verify_credentials to get the users
> >> basic details once we've got the token back from the authentication
> >> process. We're experiencing the issue when:
>
> >> 1. Testing our login and authentication processes
> >> 2. When users login and logout of our application frequently
>
> >> A heads up on when these changes will be made would be useful. Thanks,
>
> >> Bob
>
> >> On Jul 29, 6:37 pm, Grant Emsley  wrote:
> >> > Locked out of authenticated resources for that account, or will that
> >> > IP not be able to login to any account?
>
> >> > On Jul 29, 1:14 pm, Doug Williams  wrote:
>
> >> > > Ray, for clarity, we will roll back the current restriction of 15 calls
> >> > > per
> >> > > user per hour to account/verify_credentials, and implement the
> >> > > proposed
> >> > > scheme:
>
> >> > > > ... we will limit the total number of unsuccessful
> >> > > > attempts to access authenticated resources to 15 an hour per user
> >> > > > per IP
> >> > > > address. If a single IP address makes 15 attempts to access a
> >> > > > protected resource unsuccessfully for a given user (as indicated by
> >> > > > an
> >> > > HTTP 401),
> >> > > > then the user will be locked out of authenticated resources from
> >> > > > that
> >> > > > IP address for 1 hour.
>
> >> > > Thanks,
> >> > > Doug
>
> >> > > On Wed, Jul 29, 2009 at 9:51 AM, Ray  wrote:
>
> >> > > > Doug,
>
> >> > > > I'm in a similar situation as that voiced by TinBlue.  This change
> >> > > > has
> >> > > > affected our iPhone App.  We also want to encourage you to rollback
> >> > > > this change ASAP.
>
> >> > > > When you say "This approach is what we are going to take.", do you
> >> > > > mean rolling back the fix so as not to affect multiple, successful,
> >> > > > authorized logins?  I'm hopeful that "this approach" means that our
> >> > > > apps will not be affected yet again by changing to a new auth
> >> > > > approach.
>
> >> > > > I appreciate you all keeping this thread informed.
>
> >> > > > Ray
>
> >> > > > On Jul 27, 11:23 am, Doug Williams  wrote:
> >> > > > > Thanks to everyone who has contributed feedback. This approach is
> >> > > > > what we
> >> > > > > are going to take.
> >> > > > > Alex will be making this change shortly. I will update this thread
> >> > > > > when
> >> > > > > there is timeframe to share.
>
> >> > > > > Thanks,
> >> > > > > Doug
>
> >> > > > > On Mon, Jul 27, 2009 at 7:52 AM, TinBlue 
> >> > > > > wrote:
>
> >> > > > > > What is happening?
>
> >> > > > > > This rollback is taking far too long for something that has
> >> > > > > > affected a
> >> > > > > > lot of people!
>
> >> > > > > > On Jul 25, 2:32 pm, Dewald Pretorius  wrote:
> >> > > > > > > Doug,
>
> >> > > > > > > I would prefer to adopt OAuth instead of writing code for
> >> > > > > > > Basic Auth.
>
> >> > > > > > > So, you guys need to move OAuth out of public beta into full
> >> > > > > > > production sooner rather than later. :-)
>
> >> > > > > > > I manage 100,000+ Twitter accounts, and I simply cannot take
> >> > > > > > > on the
> >> > > > > > > support workload of answering user tickets when there's a snag
> >> > > > > > > with
> >> > > > > > > OAuth beta.
>
> >> > > > > > > I monitor these forums and the API Issues and still see too
> >> > > > > > > many
> >> > > > OAuth
> >> > > > > > > issues being reported to give me a level of comfort that I can
> >> > > > > > > safely
> >> > > > > > > switch over to OAuth.
>
> >> > > > > > > On Jul 24, 5:46 pm, Doug Williams  wrote:
>
> >> > > > > > > > Well said Joshua.
>
> >> > > > > > > > Dewald, you have identified the risk of using basic
> >> > > > > > > > authentication.
> >> > > > If
> >> > > > > > > > your users are being locked out due to malicious behavior, you
> >> > > > > > > > should
> >> > > > > > > > either implement further user-level rate limiting on your
> >> > > > > > > > side or
> >> > > > > > > > adopt OAuth.
>
> >> > > > > > > > Are there any other glaring omissions in our thinking or
> >> > > > > > > > should we
> >> > > > > > > > proceed with this as our solution?
>
> >> > > > > > > > Thanks,
> >> > > > > > > > Doug
>
> >> > > > > > > > On Fri, Jul 24, 2009 at 11:08 AM, Joshua
> >> > > > > > > > Perry
> >> > > > wrote:
>
> >> > > > > > > > > Jim's co

[twitter-dev] Re: Updating the APIs authentication limiting policy

2009-07-25 Thread Goblin

Seems fine. Is there a timescale for rolling this out?

On Jul 24, 9:46 pm, Doug Williams  wrote:
> Well said Joshua.
>
> Dewald, you have identified the risk of using basic authentication. If
> your users are being locked out due to malicious behavior, you should
> either implement further user-level rate limiting on your side or
> adopt OAuth.
>
> Are there any other glaring omissions in our thinking or should we
> proceed with this as our solution?
>
> Thanks,
> Doug
>
>
>
> On Fri, Jul 24, 2009 at 11:08 AM, Joshua Perry wrote:
>
> > Jim's concern is valid, fortunately OAuth is immune to brute-force attacks
> > once the access key has been issued to an application. For this reason alone
> > I would urge people to switch to OAuth if at all possible.  I would hope
> > (and assume) that if login attempts for an account are locked out that a
> > user would still be able to successfully use an already authorized OAuth
> > driven application.
>
> > Unfortunately allowing a successful un/pw login while an account is locked
> > out even when the correct password is presented effectively bypasses the
> > whole reason for a lockout in the first place, preventing brute-force
> > password attempts.  If an attacker used a dictionary or brute-force attack
> > and the account was locked out after 15 attempts, then they could continue
> > trying even though the system replied "locked out"; if they eventually sent
> > the correct password it would just bypass the lockout and they would then
> > know the correct password.
>
> > Perhaps Twitter could implement a selective captcha, I know they are
> > annoying but if executed properly it could be effective protection against
> > brute-force and dictionary attacks. Say after 3 or 4 failed attempts without
> > a captcha the API would then include a captcha image URL in its response
> > that the application would then need to show to the person and include the
> > user's response with the next authentication attempt as a header or POST
> > variable. The site stackoverflow.com does this to great effect, if you
> > create posts quicker than a certain threshold which a person would not
> > exceed then they pop a captcha up, in the normal use of the site you will
> > never see one; I've only hit two captchas in the last 8 months
> > using the site.
>
> > Josh
>
> > Dewald Pretorius wrote:
>
> >> Jim raised a huge weakness with the authentication rate limiting that
> >> could essentially break third-party apps.
>
> >> Anybody can try to add anybody else's Twitter account to a third-party
> >> app using an invalid password. If they do that 15 times with a Twitter
> >> account, the real owner of that Twitter account, who may have added
> >> his account a long time ago with the correct password, is locked out
> >> from using that app for an hour.
>
> >> I believe you will absolutely have to reset / remove the lock as soon
> >> as the Twitter account uses the correct password.
>
> >> On Jul 22, 4:58 pm, "jim.renkel"  wrote:
>
> >>> My concern with this proposal is that it opens up denials of service,
> >>> not to twitter.com, but to "associated" sites such as twitpic, or my
> >>> site twxlate, among others
>
> >>> For example, Lance Armstrong is a heavy user of twitpic. It is very
> >>> easy for anyone to find Lance's twitter ID (@lancearmstrong), view his
> >>> status updates, and see that he is a frequent user of twitpic. Now,
> >>> someone that is "unhappy" with Lance, say one of George Hincapie's
> >>> ardent fans that really believes that Lance was a significant
> >>> contributor to George not winning the maillot jeune last Sunday,
> >>> could go to twitpic, fail to login as Lance the requisite number of
> >>> times, and deny Lance access to twitpic.
>
> >>> Not only celebrities would or could be subject to such denials of
> >>> service. I notice that @dougw occasionally uses twitpic! :-)
>
> >>> One solution to this problem is to add to each twitter account another
> >>> "private" ID. By default this private ID would be equal to the
> >>> existing (public) ID (If not equal to the account's public ID, it
> >>> would have to be unique among all twitter IDs, both public and
> >>> private.).
>
> >>> The public ID would be used just as the existing twitter ID is now:
> >>> others would use it to follow, mention, DM, etc., the user.
>
> >>> But the user MUST use their private ID for authenticated requests
> >>> through the API, and CAN also use it for non-authenticated requests.
> >>> In either case, twitter would treat a request from a private ID as if
> >>> it came from the corresponding public ID.
>
> >>> Blocking the public ID because of excessive authentication failures
> >>> would NOT block the associated private ID unless they were equal.
> >>> Changing your public ID would also change your private ID if the two
> >>> were the same before the change, i.e., they would remain the same
> >>> after the change.
>
> >>> It may seem onerous to require all users to also have 

[twitter-dev] Re: Updating the APIs authentication limiting policy

2009-07-22 Thread Goblin

I've been updating my site to use OAuth and have found this to be a
big problem. Without the ability to call verify_credentials I haven’t
found a reliable way to ensure that logged in users with a valid
session are still authorised with Twitter. It's unlikely they will
revoke access in the middle of using the site, but the potential is
there for an action to fail because of this. With verify_credentials I
am able to check their OAuth tokens are still valid and also make sure
their profile info is up to date. Spent several hours having a
headache over this, especially since the API says these calls are
unlimited. I was looking all over for unescaped loops and all sorts :)

Agree that either making OAuth calls unlimited (since there shouldn't
be a security vulnerability there) or making valid calls unlimited
(same reason) whilst limiting invalid calls makes the most sense. As
you say, you're still getting the security you want but without
penalising legitimate users. If this is going to be a quick fix/
rollback, I'll go back to using the method and deal with the low limit
when testing for this week.

Stuart

On Jul 22, 6:49 am, Jesse Stay  wrote:
> Josh, is there a way, without verify_credentials, to identify that users
> have changed their Twitter passwords (and therefore you are no longer able
> to authenticate for them)?  For client apps, I don't see this being as much
> of a problem, but for server-based apps that run regular scripts on behalf
> of users this could become a regular issue, which is why we were running it.
> In addition, what is the best way with OAuth to identify the screen name of
> an individual?  verify_credentials is the only way I'm aware of, unless
> there's something I'm missing (which is probably very likely).  I'd love to
> know if there's a better way.  A best practices doc on how to retrieve user
> information, and how to best verify users have not changed their passwords
> would certainly be useful I think.  I'd like to know how Twitter recommends
> we do this.
>
> Jesse
>
>
>
> On Tue, Jul 21, 2009 at 8:50 PM, Josh Perry  wrote:
>
> > To be honest ever since the x-rate-limit HTTP headers were added we
> > removed the call to verify_credentials from our Twitter API layer.
>
> > Every time that our Twitter API layer does an HTTP request it
> > squirrels away the header values and any requests to our API from the
> > application for rate-limit information is just fulfilled from those
> > saved variables. So we don't need verify_credentials for rate-limit
> > information
>
> > Every time that our API does an HTTP request it watches for
> > unauthorized HTTP responses, so we don't need verify_credentials to
> > verify that our app is still authorized on the account or that the
> > user's password is still the same.
>
> > Every single twitter API method could be used to brute-force by
> > sending HTTP auth headers and watching the HTTP response, but you are
> > rate-limited to 150 requests/hour/ip, if this rate-limit is good
> > enough for all the other attack vectors it should probably be good
> > enough for verify_credentials. In fact verify_credentials is basically
> > a nop function, which IMHO really isn't needed any longer.
>
> > Josh
>
> > On Jul 21, 7:00 pm, Doug Williams  wrote:
> > > Devs -- A change shipped last week that limited the number of times a user
> > > could access the account/verify_credentials method [1] in a given hour.
> > This
> > > change proved hasty and short-sighted as pointed out by the subsequent
> > > discussion [2]. We apologize to any developer that was adversely
> > > affected. Given the problems, we want to fix this in a
> > > public and transparent manner.
> > > Like most web services, we limit the number of attempts users can make to
> > > login to
> > > their accounts on Twitter.com to prevent brute force dictionary
> > > attacks. This same security is not extended to the platform
> > > and leaves accounts vulnerable to the same method of attack through the
> > API.
>
> > > The change we shipped to limit user accounts to 15 calls an hour to the
> > > account/verify_credentials method [1] was intended to mitigate this risk.
> > It
> > > was thought to limit the number of tests a potential attack could run in
> > the
> > > hour, even in a distributed fashion. However, we only protected a single
> > > resource which still leaves all other authenticated methods exposed as a
> > > vector of attack (limited only by the API rate limit).
>
> > > Our thinking is now that we will limit the total number of unsuccessful
> > > attempts to access authenticated resources to 15 an hour per user per IP
> > > address. If a single IP address makes 15 attempts to access a protected
> > > resource unsuccessfully for a given user (as indicated by an HTTP 401),
> > then
> > > the user will be locked out of authenticated resources from that IP
> > address
> > > for 1 hour.
>
> > > This scheme has all of the positive effects that we need, however we want
> > to
> > >
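
Josh's client-side approach above (remember the rate-limit headers from every response and treat a 401 on an authenticated call as the signal that the password changed or the app was revoked, rather than polling verify_credentials), combined with the guidance from the DDoS update earlier on the page (respect 30x responses, throttle back), as an added example. This is example code written for this page, not Twitter's, Elliott's library's, or any poster's code: the transport is a constructed stand-in so nothing touches the network, the hostnames and endpoints are made up, and the X-RateLimit-* header names, the retry codes, the backoff constants and the Retry-After handling are assumptions. The security-relevant detail it adds is that credentials must not be forwarded when a redirect leaves the original host, and that a 401 received after the credentials were dropped is not evidence of revocation.

```python
import random
import time
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
RETRY_CODES = {500, 502, 503, 504}  # assumed: edge throttling shows up as 5xx; back off, don't hammer


@dataclass
class Response:
    status: int
    headers: dict


class CredentialsRevoked(Exception):
    """401 on an authenticated call: password changed or app revoked, so stop acting for this user."""


class ApiClient:
    MAX_REDIRECTS = 5
    MAX_RETRIES = 3

    def __init__(self, transport, auth_header, sleep=time.sleep, rng=random.random):
        self._send = transport    # callable(method, url, headers) -> Response, injected so this runs offline
        self._auth = auth_header  # the Authorization header value (OAuth or Basic; form assumed)
        self._sleep, self._rng = sleep, rng
        self.rate_limit = {}      # last X-RateLimit-* values seen on any response
        self.credentials_valid = True

    def request(self, method, url):
        headers = {"Authorization": self._auth}
        for _ in range(self.MAX_REDIRECTS + 1):
            resp = self._send_with_backoff(method, url, headers)
            self._remember_rate_limit(resp)
            if resp.status == 401 and "Authorization" in headers:  # a 401 after we dropped auth proves nothing
                self.credentials_valid = False
                raise CredentialsRevoked(url)
            if resp.status not in REDIRECT_CODES or "Location" not in resp.headers:
                return resp
            target = urljoin(url, resp.headers["Location"])
            if urlsplit(target).netloc != urlsplit(url).netloc:
                headers.pop("Authorization", None)  # never forward credentials to a different host
            if resp.status == 303 or (resp.status in (301, 302) and method == "POST"):
                method = "GET"  # what browsers do for these codes
            url = target
        raise RuntimeError("more than %d redirects, last target %s" % (self.MAX_REDIRECTS, url))

    def _send_with_backoff(self, method, url, headers):
        attempt = 0
        while True:
            resp = self._send(method, url, dict(headers))
            if resp.status not in RETRY_CODES or attempt >= self.MAX_RETRIES:
                return resp
            retry_after = resp.headers.get("Retry-After")
            delay = float(retry_after) if retry_after else 2 ** attempt + self._rng()  # exponential + jitter
            self._sleep(delay)
            attempt += 1

    def _remember_rate_limit(self, resp):
        for name in ("X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset"):
            if name in resp.headers:
                self.rate_limit[name] = int(resp.headers[name])


class ScriptedTransport:
    """Constructed stand-in for the network: canned responses in order, plus a log of what was sent."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = []  # (method, url, headers) for each request actually sent

    def __call__(self, method, url, headers):
        self.calls.append((method, url, headers))
        return self._responses.pop(0)


def run_client_demo():
    transport = ScriptedTransport([
        Response(503, {"Retry-After": "2"}),                                   # throttled at the edge
        Response(302, {"Location": "https://cdn.example.net/challenge",
                       "X-RateLimit-Limit": "150", "X-RateLimit-Remaining": "149"}),
        Response(200, {}),                                                     # served by the other host
        Response(401, {"X-RateLimit-Remaining": "148"}),                       # token revoked meanwhile
    ])
    slept = []
    client = ApiClient(transport, "OAuth oauth_token=example", sleep=slept.append, rng=lambda: 0.0)
    timeline = client.request("GET", "https://api.example.com/1/statuses/home_timeline.json")
    try:
        client.request("POST", "https://api.example.com/1/statuses/update.json")
        revoked = False
    except CredentialsRevoked:
        revoked = True
    return {
        "final_status": timeline.status,
        "authorization_sent_per_hop": ["Authorization" in h for _, _, h in transport.calls[:3]],
        "slept": slept,
        "rate_limit": dict(client.rate_limit),
        "revoked": revoked,
    }
```

The first request in run_client_demo() sleeps for the Retry-After value, follows the cross-host 302 with the Authorization header removed, and ends with a 200; the second request's 401 flips credentials_valid and raises, which is the point at which a server-side app should stop running scheduled jobs for that user and ask them to re-authorise. The cached rate_limit dict is what Josh describes serving to the rest of the application in place of verify_credentials.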