Twitter cut off two of its biggest client apps on Friday, only reconnecting them on Sunday after they had implemented unspecified changes to their code. UberTwitter and Twidroyd, both published by UberMedia, got cut off on Friday for violating Twitter policies with regard to respecting the privacy of users' messages, using the …
"using the Twitter name in vain"
Haha, nice one Centurion.
As a Twidroyd user I wasn't overly impressed with how Twitter handled it, the first update from Twidroyd only returned a message about the client being suspended for unspecified TOS violations and a link to a blog post that didn't say much more. Then on each attempted update they returned adverts for their own Android client.
I don't know the details of the situation but, to me as an end user, it came over that Twitter were the ones being asshats.
...abysmal on the part of Twitter.
They told us that clients are expected to follow "simple rules", but then their head of "communications" said that the infringements "included, but were not limited to" the problems already discussed. UberMedia indicated that they had not changed any links in tweets, and that the privacy issue with the 3rd party was not of their making.
Not a good weekend, if Twitter think that they can control their platform completely then they're going to have to learn that it probably won't fly.
" if Twitter think that they can control their platform completely then they're going to have to learn that it probably won't fly"
yeah, how dare they think they can control their own products and services!!!! i mean, who in their right mind would start a business with the idea of being in control themselves.
2 sides people, for all we know Twitter might have been asking for compliance for weeks/months and were being ignored... this might have been their last resort.
but hey, ignore that, let's find guilty and shoot first
Because WE know best right! after all, we are Reg Readers!
Whose side am I on?
" ...for all we know Twitter might have been asking for compliance for weeks/months and were being ignored... this might have been their last resort."
It might be, but that's not how it was presented to me as a user of one of these banned clients. Twitter may well have been in the right but - as I said - the way Twitter handled it made them look like the asshats. The way UberMedia responded made them look good.
....is public and allows other people to use their service. Despite the claims from Twitter about being in discussion with UberMedia since April last year, the features in Twidroyd that appeared to be problematic (although UberMedia dispute this) were only released on Wednesday with v5.0.
So, Twitter says "violations include, but are not limited to" about what was wrong, then provide three examples where one problem was due to the name of the client including the word Twitter. So, what were the other things that were wrong? If their rules are simple then either they should have provided accurate and precise reasons as to what was incorrect or they should have not suggested that there were extra things wrong that they had not listed. Can't have it both ways.
Oh and UberMedia had fixes implemented in 3 hours but Twitter took the best part of 3 days before they allowed access again. Doesn't sound very reasonable to me.
If Twitter want total control, then why allow 3rd party apps? It's lucky they do because their Android client is very poor in comparison with Twidroyd, Seesmic, Tweetdeck etc.
I'd hate to see that run afoul of the rules as it's a nice client. But if Twitter's smackdown sends a message to apps and protects users from a double dose of spamverts or spying then that's fine by me.
the problem is clear
The privacy problem is obvious. When a message is too long for twitter it is further truncated and a URL is inserted to the full version stored elsewhere. Something like http://tweet.dk/x17dg for example. The problem is the URL is too easily guessed and thus accessed by people who can't see the tweet itself. It might even be listed under the user's name.
They have chosen to fix this by simply not allowing long messages in private messages or if you have a locked profile.
A better fix would be to use the MD5 or SHA1 of the long message as its URL. e.g. http://tweet.dk/8ed3f9c68c4313a70b3dce05391e805c.
That's 48 characters but could be shortened to 38 if it used base64 instead of hex. Worse than the 20 or so now, but not too horrid and far harder to guess.
Security by obscurity...
Your degree is waiting for you at the university of FAIL.
They said 'better' not 'good' :-)
Too easily guessed?
5 characters is enough to enable 62^5 combinations using alpha numeric chars. Nearly a billion combinations. I assume most url shortening services would have measures in place to stop brute force attacks in the space of a tries. e.g. put requesters in a timeout box if they ask for too many urls in too short a space of time or throw some kind of captcha at them.
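The two ideas argued over above (the keyspace of a 5-character token, the MD5-keyed URL in hex or base64, and a timeout box for requesters who look up too many URLs) worked through as an added example; this is illustrative code, not anything from Twitter or UberMedia, and the tweet.dk base URL and the 3-per-minute limit are constructed values.

```python
import base64
import hashlib
import math
import secrets
import string
import time
from collections import defaultdict, deque

BASE = "http://tweet.dk/"                  # base URL taken from the thread's example
ALPHANUM = string.ascii_letters + string.digits  # 62 symbols, as in the 62^5 figure

def keyspace_bits(length, alphabet_size=62):
    """Bits of guessing work for a token of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)

def digest_url(message, encoding="hex"):
    """URL keyed by the MD5 of the message, in hex (48 chars total) or unpadded base64url (38)."""
    digest = hashlib.md5(message.encode("utf-8")).digest()
    if encoding == "hex":
        token = digest.hex()
    else:
        token = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return BASE + token

def random_url(nbytes=16):
    """Alternative: a CSPRNG token of the same length that is not derived from the message,
    so knowing the text does not let anyone recompute the URL."""
    return BASE + secrets.token_urlsafe(nbytes)

class RateLimiter:
    """Timeout box: a requester exceeding `limit` lookups within `window` seconds is refused."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # requester -> timestamps of recent lookups

    def allow(self, requester, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[requester]
        while q and now - q[0] > self.window:   # drop lookups older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```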
Yes you're right... pretend 'Security' is better than no security...
No! what would be better would be if there was not a link that could be FORWARDED or used by someone else, or RANDOMLY found...
It's not private if it does not require a login or authentication of some kind, there is no way around this!!!
It's stupid 'oh it'll be alright' decisions and impulses like this that lead to major fuckups.. go ask HBGary why they used the same passwords for all their media services... 'but the one password is secure' and they are supposed to be security conscious...
Cryptographically secure hashing
and "security by obscurity" have absolutely nothing to do with each other. Sarcastic know-it-all PFY type comment FAIL.
@AC, RE: Be Fair
Sorry, did you actually think that someone might have thought that an actual solution?
If you want to get serious about my jokey comment, go for it mate!
There is nothing to stop someone who gets a short tweet from passing that message on. Why should they be stopped from passing the URL of the full version on?
Say someone like Bradley Manning per chance? Even the US govt can't stop that!!! but you are advocating no security instead?
@Scott A. Brown re: @AC, RE: Be Fair
I believe I was first with 'jokey' comment. (a degree from the university of Fail is not a real Degree..) but yes it is a serious situation, some people who work in IT read this site and might have thought that was real security! I am however relieved that you agree that it is not an Actual Solution. And I promise to pay more attention to the joke on joke stack up in future.
@Cryptographically secure hashing
You're right! they don't have anything to do with each other.
Hence we should all point and laugh when someone thinks hiding a publicly accessible URL behind a random/hashed URL makes it in some way private or secure. Hiding a URL is called obscurity. believing it is secure is foolish.
So yes you are right, it's nothing to do with Cryptographically Secure anything.
Why would TweetDeck need to change its name?
Why would TweetDeck need to change its name? Last I've heard is that the word "Tweet" can't be copyrighted. Twitter tried, but failed a couple of years ago.
Tweet can be *trademarked* either by just using it or registering it, but because it is an actual word it can only be protected in a specific context. Plus the software uses the services provided by Twitter so it can be cut off for arbitrary reasons. IANAL and all the usual commentard disclaimers apply of course.
"Why would TweetDeck need to change its name?"
who's to blame
So why didn't UberTwitter tweet to say it was about to be removed until it had sorted things out.
Their app worked reasonably well on the Blackberry but it put itself on every menu available and came across more as spam in that respect. Like trying to get a browser installed on windows and it also installing half a dozen other things you don't need.... At least the official app doesn't splatter itself all over the device.
Anyway UberTwitter now removed and I doubt I'll have any reason to go back. I wonder how many people they lost this weekend.
my unofficial twitter client doesn't work! I'll have to tweet using the website!
Surprising lack of failwhale involved here.