On Sun, Jan 4, 2009 at 7:32 PM, Jesse Stay <[email protected]> wrote:

> On Sun, Jan 4, 2009 at 5:20 PM, Lachlan Hardy <[email protected]> wrote:
>>
>>> Those who expect OAuth to be a panacea for identity theft on Twitter
>>> simply don't understand the issues involved. Operating a modern
>>> computer involves a lot of trust - trusting applications you run on
>>> your machine, trusting web sites you set up accounts on, and the like.
>>> And when you trust, there's always the potential for getting burned.
>>> OAuth doesn't change that fundamentally.
>>
>> I agree completely with your post, Ed. I put forward my thoughts on OAuth
>> and phishing in April last year:
>> http://log.lachstock.com.au/past/2008/4/1/phishing-fools/
>>
>> Basically, I think OAuth is awesome, but the idea that it's going to
>> somehow stop phishing is extreme.
>
> I don't get how it won't help fight phishing. Right now the worm is being
> spread via an App.

Help us out here with what "worm" you mean -- there are lots of them 8)

> (if it's not, then Twitter really needs a Captcha on the
> Twitter login page) At the moment all Twitter can do is chase down IPs to
> kill the App.

Sure.

> With OAuth it would be as simple as killing the API key
> itself and the worm would be dead.

If the malicious application uses OAuth via Twitter, yes.

> Could they go in and create another one?
> Probably, but it makes it a whole lot harder for someone to create such a
> worm. This is the reason most of the Facebook worms right now are spreading
> through simple screen scraping and not the App platform. It's too much work
> to do it on the App platform there because Facebook would just shut you down
> each time their alarms went off.

I'd note that it used to be too much work to spam Google Groups because of
CAPTCHAs too, but almost all CAPTCHAs can be defeated now programmatically
and via mechanical turk-style attacks. I and a few others have to review
posts from all new users for this reason.

Also, why do you assume that phishing attacks would have to come via Twitter
messages, though? Most come via email or web content on other sites. Twitter
currently uses email notifications for several events -- faking those would be
quite easy to do, for example.

OAuth may have mitigated (not blocked) *one* particular worm that was sending
messages directing people to a phishing site. And yes, removing everyone's
shoes does stop the shoe bombing attack. Whether or not this actually makes
you *safer* is something we should very carefully consider. Personally, I'd
say it helps, but only a little -- far less than most of our Thought Leaders
claim.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron
