Re: [twitter-dev] 1000 total updates per day
On 02/04/2010 03:33 AM, benguela wrote:
> On this page http://help.twitter.com/forums/10711/entries/15364 it says
> 1,000 total updates per day, on any and all devices
>
> I'm using the twitter4j library on my app. Does this mean that I can only call
> http://twitter4j.org/ja/javadoc/twitter4j/Twitter.html#updateStatus(java.lang.String)
> which calls http://api.twitter.com/1/statuses/update 1000 times per day?

That limit is per-user. Your application can call it more than 1000 times per day, so long as it's not all for the same user. Basically, users can't have more than 1000 status updates per day, no matter what apps they use.

- Michael

--
mouse, n: A device for pointing at the xterm in which you want to type.
Confused by the strange files? I cryptographically sign my messages.
For more information see http://www.elehack.net/resources/gpg.

Re: [twitter-dev] Re: a security problem puzzled me about using oauth in Desktop Client
On 01/30/2010 02:43 PM, Isaiah Carew wrote:
> So, in simple language: Twitter's policy is that *every user* of *every open
> source client* register as a *new twitter application*?
>
> Or, have I misinterpreted something? And if so, could you explain further what
> you mean?

If that were the case, then it would be the requirement for all desktop apps. Open source just makes it easier to grab the key; if you stick your keys in your Air or .NET app, they can still be grabbed.

Basically, if you're doing a desktop app (of any kind) with OAuth, there is a risk that your consumer key will be misappropriated. The OAuth spec explicitly acknowledges this, stating that the consumer key/secret cannot necessarily be trusted to securely identify the consumer.

- Michael

Re: [twitter-dev] Re: A New API For Browserless Apps?
John Meyer wrote:
> okay, forgive me if I'm wrong, but wasn't the whole point of oAuth that the
> application didn't need to know the username/password? That the user would
> grant access to the application and then the application would store that
> rather than the actual username/password. Or am I missing the point of going
> to an oAuth system?

Yes, that's the point of OAuth. However, the dynamics of a web-based application vs. a desktop application complicate things.

If the user is trusting an application to run natively on their desktop, that application already has access to their username and password (it can read them from config files, do a keyboard grab when it spawns the browser, go snooping around in Firefox's memory space, any number of things). Thus, in the desktop application case, allowing the user to input their username and password does not decrease security except perhaps by not always enforcing "don't give away your password". The web case is different - a web site doesn't have the user's credentials unless they explicitly provide them.

I'm ignoring for the present sandboxed or sandboxable environments such as Java and AIR. The runtime may prevent the local application from having access to the username/password as used by other applications.

- Michael

Re: [twitter-dev] Re: A New API For Browserless Apps?
Duane Roelands wrote:
> There was a great opportunity here for Twitter to be a security leader in the
> social network space by saying "We don't want our users giving their Twitter
> credentials to anyone except Twitter." It's a shame they didn't stick to
> their gun; the result is going to be a less-secure ecosystem.

One potential middle ground, that would require enforcement manpower but potentially create a win-win scenario, is to say that web apps are not allowed to use the u/pw OAuth flow except as a migration strategy, and punish (by deactivation) apps that do not comply.

- Michael

Re: [twitter-dev] Please allow me to see people who RT me! !
Chuck Blakeman wrote:
> Unless I'm missing something here, this is the single worst (and only)
> degradation of service Twitter has ever put in place. A big step backwards
> for three reasons - 1) It completely ignores the concept of relationship
> building, 2) it promotes elitist arrogance on Twitter, and 3) it will increase
> meaningless RTs exponentially - What am I missing here on what's good about
> this?

Have you tried looking at the "Your tweets, retweeted" tab in the Retweets page on Twitter's web site?

- Michael

[twitter-dev] Re: Tracking Retweets
Andrew Badera wrote:
> Witty I think is using the recycling symbol ...

As is Gwibber.

> On Tue, Aug 4, 2009 at 6:17 PM, Peter Denton <petermden...@gmail.com> wrote:
>> Hello,
>> Does anyone have a list of RT conventions they are using to track?
>> Right now, I am seeing:
>>
>> * RT
>> * via
>> * HT (hat tip)
>> * c/o
>>
>> Does anyone track anything else?

Part of this will depend on what you want to count as a retweet. If I take a link you posted and tweet it, with my own text, and possibly my own shortening, and use HT or via to credit you as the source, do you want that to count as a retweet? Or is it only supposed to be a retweet if I use some of your text too? What if I got the link from your blog post rather than a tweet, but use HT or via to credit you?

The use case you have for tracking retweets will likely affect how you want to handle these.

- Michael

[twitter-dev] Re: Using twitter for internal enterprise communication
Andrew Badera wrote:
> On Wed, Aug 5, 2009 at 11:15 AM, michel777 <laszlo.miha...@gmx.net> wrote:
>> Dear group,
>>
>> some questions for using twitter in a closed group (enterprise):
>>
>> 1) is there already a solution using twitter for a closed group ?
>> 2) is it possible to integrate LDAP for authentication / authorization ?
>> 3) is also possible to communicate via https + client certificate ?
>>
>> Thanks in advance,
>> Michel
>
> It's called Yammer.

There is also laconi.ca, which can be self-hosted. status.net should be providing laconi.ca hosting sometime soon, but I am unsure on the timeline and on their support for closed networks.

- Michael

[twitter-dev] Re: Should consumer token be kept secret?
Duane Roelands <duane.roela...@gmail.com> writes:
> No, there's really not a good solution for open source developers. :(

If there really isn't a good solution for open source developers, there isn't a good solution for *any* developers unless you're running through a private proxy (and even that has problems).

I think that the PIN solution is about as workable as anything at the present, and haven't seen any solid ideas for improving upon it without breaking the core principles of OAuth.

As far as app reputation and source reporting goes, the OAuth solution is no less secure than basic auth source parameters (there's no verification that an application is authorized to use a given source parameter).

-Michael

[twitter-dev] Re: OAuth Desktop Application Changes - Incompatibility Alert
Matt Sanford <m...@twitter.com> writes:
> 2. If your application is registered as a desktop application there will be a
> PIN the user must enter in your application
>
> Details: In the current code desktop applications end in a dead-end page.
> This new flow will give the user a PIN that they enter in the application and
> that must be provided to swap a request token for an access token. This will
> help secure tokens for desktop applications since the security of the consumer
> key and secret cannot be relied upon.
>
> Feedback: We are planning to make this a required step but I am open to
> discussion if anyone feels there is a compelling case for desktop applications
> without a PIN. Email me directly with feedback.

Let me make sure I understand the proposed flow correctly:

1. Application uses consumer key/secret to get request token, sends user to Twitter authentication page.
2. User authenticates with Twitter and authorizes application.
3. Twitter gives user PIN number which they then enter in to the application.
4. Application uses PIN and request token to get access token and proceeds as normal with OAuth-authenticated requests.

With this setup, will users be able to authenticate multiple instances of the same application? If so, it might be useful to allow the user to optionally assign a name to the application instance, so long as that doesn't make the user experience too confusing.

- Michael

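The four-step PIN flow outlined in the message above, modelled as an added example that is not part of the original thread and is not Twitter's code. `ToyProvider`, its method names and the credentials are hypothetical, and the consumer secret is passed directly where real OAuth would sign the request.

```python
import hmac
import secrets

class ToyProvider:
    """In-memory stand-in for the service side of the PIN flow (hypothetical)."""
    def __init__(self, key, secret):
        self.consumers = {key: secret}
        self.pending = {}   # request token -> {"user": ..., "pin": ...}
        self.access = {}    # access token -> user
    def _consumer_ok(self, key, secret):
        known = self.consumers.get(key)
        return known is not None and hmac.compare_digest(known, secret)
    def request_token(self, key, secret):             # step 1
        if not self._consumer_ok(key, secret):
            raise PermissionError("unknown consumer")
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"user": None, "pin": None}
        return token
    def authorize(self, token, user):                 # steps 2 and 3
        pin = f"{secrets.randbelow(10**7):07d}"
        self.pending[token].update(user=user, pin=pin)
        return pin                                    # shown to the user only
    def access_token(self, key, secret, token, pin):  # step 4
        entry = self.pending.pop(token, None)         # sketch's choice: one try per token
        if entry is None or not self._consumer_ok(key, secret):
            raise PermissionError("bad consumer or request token")
        if entry["pin"] is None or not hmac.compare_digest(entry["pin"], pin):
            raise PermissionError("PIN missing or wrong")
        access = secrets.token_urlsafe(16)
        self.access[access] = entry["user"]
        return access

def demo():
    svc = ToyProvider("demo-key", "demo-secret")      # constructed credentials
    # Copied consumer key/secret plus the request token, but no PIN: the swap fails.
    rt = svc.request_token("demo-key", "demo-secret")
    svc.authorize(rt, "alice")
    try:
        svc.access_token("demo-key", "demo-secret", rt, "not-the-pin")
        copied_key_sufficient = True
    except PermissionError:
        copied_key_sufficient = False
    # Two instances of one application each run the flow and get their own token.
    tokens = []
    for _ in range(2):
        rt = svc.request_token("demo-key", "demo-secret")
        tokens.append(svc.access_token("demo-key", "demo-secret", rt, svc.authorize(rt, "alice")))
    return copied_key_sufficient, len(set(tokens)), [svc.access[t] for t in tokens]
```
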
[twitter-dev] Re: Adding @username replies to twitter feed?
J <jpic...@gmail.com> writes:
> Username celebfood. I'm looking to add a functionality where ANY reply
> @celebfood from a twitter user can be added to the feed. Not just the reply
> feed, the public feed.

If you can run a service authenticated as celebfood, you can pull down the public and replies/mentions timelines for celebfood and merge them into one timeline. As far as I know, that's about all you can do (and will be similar to what you're already doing with the search and Pipes), unless you want to retweet all replies.

- Michael