Archive for the 'Internet' Category

It’s ironic that the real-time nature of information that made Twitter famous is now giving them a hard time. It started with a couple of “worms” that irritated users. Now the trouble has shifted from end-users to developers who adopted the public beta OAuth protocol into their services and are now affected by another security issue with the protocol.

OAuth is a means for 3rd-party services to perform tasks on behalf of users (e.g. update status) without needing to keep users’ passwords; a user must first authorize these participating services via Twitter’s authorization page. From a security standpoint, the worm blunders by Twitter indicate something deeper in their development practices that has room for improvement.

However, this OAuth issue is not entirely Twitter’s fault. As the developer behind TweetSG, it was obviously annoying initially to learn that my sign-up was suddenly stalled completely by Twitter’s brake on their authorization page.

That being said, even after being in the trade, knowing the theory, and designing and implementing systems, I still find a loophole in my own TweetSG system which is yet to be fixed, and I can’t fix it now since their page is halted. It is truly not easy or straightforward to have an airtight system, and I am not saying this to exclude anyone, myself included, from the responsibility of keeping systems secure.

Looking at the bigger picture, I believe what Twitter did is right: stopping the affected portion of the system for a while to fix it.

As far as their service is concerned, Twitter did not totally turn off OAuth per se, since my TweetSG users are still able to update via OAuth. It was the authorization flow that had issues, and the design of the protocol was not Twitter’s doing. Twitter happened to be one of the early adopters, alongside Google, Yahoo and a few others.

Yet because of the real-time nature of information powered by Twitter, it really gave a bigger punch in the face when it came to negative PR. This incident is another lesson that bitching folks and ignorant internet-repeaters spouting nonsense like “OAuth was being exploited”, when people were trying to prevent exactly that from happening in the first place, are really the force to reckon with, and not the technology.

I started the service with the intention of tweeting (aka micro-blogging nowadays, since there’s no time to write long posts) to a Singapore number instead of the UK official number. It started with a handful of people, 20 or so, until I experimented with appending a viral URL to members’ updates.

Lo’ & behold, let there be buzz! And by some weird chance, StraitsTimes covered an article titled “Blogging is dated…” covering Twitter, and there was a small mention of twitter.sg. Visits boomed, but I believe it is transient. Nonetheless, I conclude newspapers are powerful media. I also didn’t want to take the chance of getting a lawyer’s letter from Twitter for infringement (thanks to @brainopera for the reminder), so I moved the service to a new domain: Tweet.sg

The short traffic boost brought some interesting people to my attention. In particular, someone wanted to buy my system but felt a SGD$250 modem was too expensive. Another asked if it is possible to have 2 mobile numbers updating a single Twitter account (yes, doable), insisting in his correspondence “We should solve this together”, which actually means “do it for me” (it didn’t work because of his own typo). A nicer chap asked the reverse: is it possible to have one phone updating two different Twitter accounts (sorry, no).

Most of the folks are really supportive (special thanks to @sivasothi) except for one who tweeted “Are you stealing my password or spying on my messages”.

I told him to fuck off if he thinks so highly of his account or if his password could lead to his ATM account.

I don’t feel bad telling people off because it’s my system and the system descriptions are clearly written. If you have dyslexia (in which case Twitter may be better for you than a standard blog) or read and do not believe, it is your problem. This post can be thought of as a form of self-serving justification, but frankly I don’t give a shit.

In retrospect, to “spy” on someone on Twitter is really easy; just open up a browser and type:

http://search.twitter.com/search?q=@twitterIDyouWannaSpyOn

You will see all tweets replied to that person, and if you click on the ID, you see his/her timeline entries.

Oh, did I mention that all updates (except for direct messages) are viewable in the public timeline too? Duh!

My deepest apology for this post that definitely exceeds 140 characters and cannot be Tweeted. So who said that blogging is dated?! It has just gotten faster and shorter with Twitter.

P.S. I am not trying to sell Twitter so that I can get a developer job. Twitter is not even sure how to monetize; join them and you’ll surely be retrenched.

BETTER THAN FREE, an excellent essay by Kevin Kelly, Senior Maverick at Wired magazine.
