[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
It seems as though revealing the Consumer Key and Consumer Key Secret of my application would be a pretty serious security risk. Anyone could write an application that impersonates mine, but they still would need an authorized user's Token and Token Secret in order to commit mischief. What sort

[twitter-dev] Re: User id range

2009-07-01 Thread DWRoelands
If you're asking what data type should you use to store these value, I'm using the .NET Int64 type in my library. The Int64 value type represents integers with values ranging from negative 9,223,372,036,854,775,808 through positive 9,223,372,036,854,775,807. I was seeing occasional overflows

[twitter-dev] Re: Retrieving data from the Twitter API

2009-07-01 Thread Christian Fazzini
So is this wrong if I save the image and user details locally (on our server) ? Also, how would it be possible to get the users profile pic at http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-users%C2%A0show using profile_image_url ? At current it only returns _normal.jpg, which is set at

[twitter-dev] Re: Retrieving data from the Twitter API

2009-07-01 Thread Christian Fazzini
hmmm On Jun 30, 10:45 pm, Abraham Williams 4bra...@gmail.com wrote: Twitter has said in the past they are more then willing to take care of the bandwidth for smaller applications but if you go huge they ask you to look at local caching. On Tue, Jun 30, 2009 at 08:12, Philip

[twitter-dev] Use Twitter for login oauth/authenticate method

2009-07-01 Thread Arnaud
Hello, I’m using the oauth/authenticate method (one click login) and I was wondering if I had to check the Use Twitter for login option in my application options. The application is Browser based (using a callback URL) . I’m quite confused with this option as I don’t really understand what it

[twitter-dev] Re: How-To: Load the Twitter XML into a VB.Net XML Document...

2009-07-01 Thread Obrzut
Right - I am not scraping the PIN? I am using the web browser in .NET (which is similar to Internet Explorer) to authenticate via a pin and username / password credentials. The only part of the workflow I do not follow is opening the URL in IE - I open in it VB.NET Web Browser. But - my user

[twitter-dev] Re: User id range

2009-07-01 Thread Philip Plante
You should use an unsigned 64 bit int for status and user ids to be safe. IDs will never be negative, so a signed value is wasted space. On Jul 1, 6:28 am, DWRoelands duane.roela...@gmail.com wrote: If you're asking what data type should you use to store these value, I'm using the .NET Int64

[twitter-dev] Re: How-To: Load the Twitter XML into a VB.Net XML Document...

2009-07-01 Thread Obrzut
Did I state otherwise? You are not reading my words - you are being blinded by the noise from your own head. What I stated is this; I authenticate my VB.NET web browser via PIN etc THIS means my browser is authenticated. If I try to access a page via the program with a TCP Client - I have to

[twitter-dev] Re: How-To: Load the Twitter XML into a VB.Net XML Document...

2009-07-01 Thread Abraham Williams
On Wed, Jul 1, 2009 at 07:00, Obrzutsa...@peyoteuk.com wrote: The library is faulty. It does not process leading zero pins. The OAuth implementation is stupid - because it does not authenticate an program but a TCP method. Hence, you guys are s off the mark here it hurts me to talk to

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Philip Plante
I do not feel you've made a mountain out of a mole hill here. This topic has been on my mind since I first encountered oAuth. I haven't seen any open source apps use oAuth yet. We have an open source application called Application X. The potential risk is that Application X becomes widely

[twitter-dev] Re: How-To: Load the Twitter XML into a VB.Net XML Document...

2009-07-01 Thread Stuart
2009/7/1 Obrzut sa...@peyoteuk.com: Did I state otherwise? You are not reading my words - you are being blinded by the noise from your own head. What I stated is this; I authenticate my VB.NET web browser via PIN etc THIS means my browser is authenticated. If I try to access a page

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
If you check out the OAuth Core Abstract, Section 4 (http://oauth.net/ core/1.0#anchor4) states it pretty plainly: Service Providers SHOULD NOT rely on the Consumer Secret as a method to verify the Consumer identity, unless the Consumer Secret is known to be inaccessible to anyone other than the

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Andrew Badera
The secret should not reside in code. The secret should reside in a config file, or maybe even a machine datastore. Abstract it out, no one ever needs to see anything secret in your code. Thanks- - Andy Badera - and...@badera.us - Google me: http://www.google.com/search?q=andrew+badera - This

[twitter-dev] Re: How-To: Load the Twitter XML into a VB.Net XML Document...

2009-07-01 Thread DWRoelands
Obrzut: My application does exactly what you say is impossible. The user authenticates via the web browser, then my desktop application completes the process using the six-digit PIN. There's no need to fix any XML that comes from Twitter, and there's no need to process any HTML from a web page.

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
That's not correct. Updates posted to Twitter via Basic Auth always appear with a source of From Web (unless the application in question was grandfathered in). Otherwise, it's not possible to impersonate another application via Basic Auth. On Jul 1, 9:34 am, Abraham Williams 4bra...@gmail.com

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
True, but none of that addresses the central points that I'm trying to make: 1. The OAuth Core documentation says that providers should not rely on the Consumer Secret to identify consumers. 2. Twitter's implementation of OAuth appears to do exactly what the OAuth Core documentation says not to

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread funkatron
Might sorta work on webapps, or maybe desktop compiled code (assuming the config is compiled in at build time), but that doesn't help for desktop apps written in interpreted langs, where all source code and configs would be easily viewable (although I could imagine some initial setup stuff where

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
Andrew, The Consumer Secret is the key that has to be associated with my application so that it can authenticate to Twitter. Regardless of how I distribute it, I still have to distribute it with the source code in order for the source code to work. No amount of abstraction will prevent someone

[twitter-dev] Re: Use Twitter for login oauth/authenticate method

2009-07-01 Thread Matt Sanford
Hi Arnaud, That option during application creation is really more trouble that it is worth. Right now applications that have that option checked include an extra sentence to tell users the application will be using twitter for login, that's all. In the future we may restrict the /

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Cameron Kaiser
Yes, but don't distribute it. Obviously config files are human readable, but you blank out secrets before publishing them. People using open source libraries will have to get their own keys. So, either you really are contributing in the spirit of open source, and you don't care about

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
Andrew, I'm not talking about a -library-. I'm talking about a -client-. If I want to produce a Twitter client, it needs its own Consumer Key and Consumer Key Secret. If want to share the source code for that client, I will also have to share it's Consumer Key and Consumer Key Secret. You

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Cameron Kaiser
The worst that happens if you publish the consumer tokens in an opensouce app is someone malicious uses it to abuse Twitter and the consumer token gets banned. At which point you regenerate a new one and push a new version of the app. The cycle may or may not start again depending on the

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Andrew Badera
Not what I said in the least, but it's interesting that you should interpret it that way. Re-read what I said. If someone is open sourcing something, in the true spirit of open source, they shouldn't care about getting credit in the source parameter. Thanks you and good night, I'm here all

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Cameron Kaiser
Not what I said in the least, but it's interesting that you should interpret it that way. Re-read what I said. If someone is open sourcing something, in the true spirit of open source, they shouldn't care about getting credit in the source parameter. Tell that to Richard Stallman. --

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
Andrew, This isn't about credit in the source parameter. It's about application security. Twitter has stated that Basic Auth will eventually be deprecated. OAuth will eventually be the only method of authentication available. When that happens, developers of open source clients will be forced

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Matt Sanford
Wow, so that's what our development list (and Stallman's name) have come to. Please don't make me close this thread. Let's keep is friendly and focused. — Matt On Jul 1, 2009, at 8:01 AM, Cameron Kaiser wrote: Not what I said in the least, but it's interesting that you should

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Andrew Badera
Amen and thank you Matt. On Wed, Jul 1, 2009 at 11:09 AM, Matt Sanfordm...@twitter.com wrote: On Jul 1, 2009, at 5:10 AM, Philip Plante wrote: I do not feel you've made a mountain out of a mole hill here.  This topic has been on my mind since I first encountered oAuth.  I haven't seen

[twitter-dev] Re: How-To: Load the Twitter XML into a VB.Net XML Document...

2009-07-01 Thread Nancy Miracle
If you force datatyping to alpha, six chars, this will be a nonproblem Sent from my iPhone On Jul 1, 2009, at 8:00 AM, Obrzut sa...@peyoteuk.com wrote: Did I state otherwise? You are not reading my words - you are being blinded by the noise from your own head. What I stated is this; I

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Abraham Williams
A technical solution I see working is a modified PIN flow where instead of a 6 digit PIN the user gets a 20 character token that acts as consumer token. No harder then using PIN flow but each desktop install would have a unique consumer sub token that could still be tied into the global consumer

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Nancy Miracle
Sounds like the assumption is that part of the keypair is in the source. That is clearly a bad idea ... The software should obly provide for processes and not ever content Sent from my iPhone On Jul 1, 2009, at 11:10 AM, Andrew Badera and...@badera.us wrote: No one's snarking, but

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
Nancy, You're right - it is a bad idea. However, it appears to be the only option that Twitter has left to open-source developers who wish to implement OAuth. There doesn't seem to be any way around distributing my application's Consumer Key Secret. Regards, Duane On Jul 1, 11:17 am, Nancy

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread JDG
The problem is that by everyone getting their own consumer keys, the source parameter will be different for every person. Now, I'm not interested in getting my name in lights in the Twitter world -- I could honestly care less. That said, if I'm going to spend a significant portion of my time

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
Actually, since Twitter has said that Basic Auth will eventually go away, OAuth is going to be the only choice for authentication. Twitter has forced the choice by implementing OAuth in the way that they did. Why should a user who chooses to support open source by using an open- source Twitter

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Bruce Brown
How difficult is it to, as part of the build, check for a key file, if it doesn't exist, go to Twitter and do the stuff to get the tokens, parse the tokens and save in the key file, and then continue on with the build. Seems easy enuff. -- Bruce Sent from my iPhone On Jul 1, 2009, at 8:23

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Matt Sanford
Hello again, I do not recommend having individual end users register for consumer keys/secrets [1] under any circumstances. So, with that out of the way, let us focus the discussion a bit more. What can we change about OAuth that would make this better? A complete technical [2][3]

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
I'm not sure that Twitter exposes any API or web service that allows you to programatically register a new application (which you need to do to receive the Consumer Key and Consumer Key Secret). Even if you could, that still requires the end user to compile the source with a modified build

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Abraham Williams
I think this got lost under all the mess: On Wed, Jul 1, 2009 at 10:15, Abraham Williams4bra...@gmail.com wrote: A technical solution I see working is a modified PIN flow where instead of a 6 digit PIN the user gets a 20 character token that acts as consumer token. No harder then using PIN

[twitter-dev] Re: How-To: Load the Twitter XML into a VB.Net XML Document...

2009-07-01 Thread Bojan Rajkovic
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 DWRoelands wrote: Obrzut: My application does exactly what you say is impossible. The user authenticates via the web browser, then my desktop application completes the process using the six-digit PIN. There's no need to fix any XML that comes

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread DWRoelands
Mark, Thanks for weighing in. Much appreciated. Here are my thoughts. I see two separate issues here: User Authentication vs. Application Authentication. User Authentication: Ensuring that the Twitter user is who they say they are. Application Authentication: Ensuring that the Application is

[twitter-dev] Re: Use Twitter for login oauth/authenticate method

2009-07-01 Thread Isaiah Carew
I'm still not sure I understand the option. Is there any reason why someone would choose NOT to check this box currently? Also, if you are in the process of redesigning the auth page, could I make a request: Could there be a super-lightweight version for mobile? No images, no scripts,

[twitter-dev] Re: Use Twitter for login oauth/authenticate method

2009-07-01 Thread Matt Sanford
Hi there, A mobile version does not exist but it's on the roadmap. — Matt On Jul 1, 2009, at 10:21 AM, Isaiah Carew wrote: I'm still not sure I understand the option. Is there any reason why someone would choose NOT to check this box currently? Also, if you are in the process of

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Support
Matt, Thanks for weighing in and hopefully taming this snarl. As the person who might have posed the question originally, I figured I at least owed a bit of constructive critique. What can we change about OAuth that would make this better? 1) User experience - it's been echoed a

[twitter-dev] Re: Use Twitter for login oauth/authenticate method

2009-07-01 Thread Support
Super! Thanks, Isaiah YourHead Software supp...@yourhead.com http://www.yourhead.com On Jul 1, 2009, at 10:23 AM, Matt Sanford wrote: Hi there, A mobile version does not exist but it's on the roadmap. — Matt On Jul 1, 2009, at 10:21 AM, Isaiah Carew wrote: I'm still not sure I

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Neil Ellis
On a completely separate note, your website is stunning, did you design it yourself? If not may I ask who were your designers. All the best Neil http://www.peepwl.com On 1 Jul 2009, at 20:22, Support wrote: Matt, Thanks for weighing in and hopefully taming this snarl. As the person

[twitter-dev] Re: Security Best Practices

2009-07-01 Thread Matt Sanford
On Jul 1, 2009, at 10:17 AM, DWRoelands wrote: Mark, Thanks for weighing in. Much appreciated. Here are my thoughts. I see two separate issues here: User Authentication vs. Application Authentication. User Authentication: Ensuring that the Twitter user is who they say they are.

[twitter-dev] Re: off topic

2009-07-01 Thread Isaiah Carew
yep, just me, thanks, isaiah p.s. subject changed to protect the on-topic folks. @isaiah for more. ;-) On Jul 1, 2009, at 12:27 PM, Neil Ellis wrote: On a completely separate note, your website is stunning, did you design it yourself? If not may I ask who were your designers. All

[twitter-dev] searching for stocktwits (searching for $$)

2009-07-01 Thread Ryan
I'm using the API and am trying to search for stocktwits (those tweets which contain the string $$ or $ followed by a ticker symbol). I can easily search for $aapl for example, and it works fine. But if I search for $$ the API never returns any results, so I must be searching for it incorrectly.

[twitter-dev] Re: searching for stocktwits (searching for $$)

2009-07-01 Thread Matt Sanford
Hi Ryan, The search.twitter.com system does not support $$ or a wild-card for all stock symbols. Thanks; – Matt Sanford / @mzsanford Twitter Dev On Jul 1, 2009, at 1:49 PM, Ryan wrote: I'm using the API and am trying to search for stocktwits (those tweets which contain the

[twitter-dev] Re: off topic

2009-07-01 Thread Neil Ellis
Yep my mistake, will contact you off line. On 1 Jul 2009, at 20:38, Isaiah Carew wrote: yep, just me, thanks, isaiah p.s. subject changed to protect the on-topic folks. @isaiah for more. ;-) On Jul 1, 2009, at 12:27 PM, Neil Ellis wrote: On a completely separate note, your website is

[twitter-dev] Re: Tweet threading

2009-07-01 Thread Scott Haneda
Hope this is not out of line, but this list has been pretty busy lately in traffic, and I am looking for a little hand holding on tweet threading... so bump :) On Jun 30, 2009, at 3:53 PM, Scott Haneda wrote: I am finding near all apps I use with twitter in some way or another fail at

[twitter-dev] Re: User Clone Profiles

2009-07-01 Thread Slicey
Thanks On Jun 29, 3:10 am, Abraham Williams 4bra...@gmail.com wrote: Pretty much. Usehttp://apiwiki.twitter.com/Twitter-REST-API-Method%3A-users%C2%A0show to get all their profile info. On Sat, Jun 27, 2009 at 09:11, Sliceysli...@live.co.uk wrote: I'm building a site which allows a

[twitter-dev] Re: Profile image urls - how to update

2009-07-01 Thread Francis Shanahan
Has there been any update or advance on how to keep Profile Images up to date? They're driving my nuts, especially with the Iran green- overlay nonsense. -fs On May 22, 12:36 pm, Ollie Parsley olliedud...@googlemail.com wrote: Haven't figured out caching yet. Thats on the agenda after a

[twitter-dev] Twitter search XML Dataset

2009-07-01 Thread Raza
Hello everyone in my application i am trying to pull xml dataset using following link http://search.twitter.com/search.atom?lang=enrpp=150q=+google Problem is i cant get more than 100 results in the tables even though i have given 150 rpp. can someone please explain why is that? thanks --

[twitter-dev] Re: Search twitter for within certain timestamp

2009-07-01 Thread Mehroz Raza
Thanks for your replay guys i menage to it using Published feild in XML results. i have another problem if you guys can help me there. in my application i am trying to pull xml dataset using following link http://search.twitter.com/search.atom?lang=enrpp=150q=+google Problem is i cant get

[twitter-dev] Re: Twitter search XML Dataset

2009-07-01 Thread Abraham Williams
If you look at: http://apiwiki.twitter.com/Twitter-Search-API-Method%3A-search You will find that rpp only supports up to 100. Abraham On Wed, Jul 1, 2009 at 20:17, Razamahrozer...@gmail.com wrote: Hello everyone in my application i am trying to pull xml dataset using following link

[twitter-dev] daily follow/unfollow/update limit

2009-07-01 Thread Developer In London
I saw on the API documentation the daily limit is 1000 per day. But it seems its lower then that. Is it a %age based limit? Thanks Nayeem

[twitter-dev] Re: Use Twitter for login oauth/authenticate method

2009-07-01 Thread Arnaud
Ok, great. I'll let it check, so. By the way, OAuth is working like a charm here. Great job you did there! I'm happy to have finally switched to it. All the best, Arnaud. On Jul 1, 4:50 pm, Matt Sanford m...@twitter.com wrote: Hi Arnaud,      That option during application creation is

[twitter-dev] Re: Tweet threading

2009-07-01 Thread Arnaud
Take a look on the app I'm workig on, Twitoaster: http://twitoaster.com The threading part is not that hard. Recursive function jumping from parents to parents. You should use the getMentions method, instead of hiting the search API. You'll get the full object that way, so you won't have to use