Comments on: Twitter Security Fiesta Post-Mortem http://startupsecurity.info/blog/2009/01/06/twitter-security-fiesta-post-mortem/ Security, for Startups Mon, 21 Sep 2009 16:57:21 +0000 http://wordpress.org/?v=2.9 hourly 1 By: yourguy http://startupsecurity.info/blog/2009/01/06/twitter-security-fiesta-post-mortem/comment-page-1/#comment-24 yourguy Wed, 04 Feb 2009 01:02:57 +0000 http://startupsecurity.info/?p=138#comment-24 This is exactly what I needed to see. This is exactly what I needed to see.

]]> By: Steven Livingstone http://startupsecurity.info/blog/2009/01/06/twitter-security-fiesta-post-mortem/comment-page-1/#comment-23 Steven Livingstone Tue, 06 Jan 2009 23:40:57 +0000 http://startupsecurity.info/?p=138#comment-23 I agree in the main, but there are some things worth pointing out... baring mind the majority and most concerning of these phishing issues came from people giving their credentials out and the 3rd parties assuming their identities and the associated trust with that. 1. oAuth could have allowed me to provide access for 3rd party systems in a case by case basis - not providing the credentials that could be stored and re-used. 2. oAuth would allow me to disable access immediately for a 3rd party site. 3. oAuth, as used in GMail, could be used to restrict the levels of access you permit of 3rd party applications. Therefore i may allow a site to read my contacts (which most do) but not sent replies or DM's on my behalf (in fact this is what GMail can allow). I agree in the main, but there are some things worth pointing out… baring mind the majority and most concerning of these phishing issues came from people giving their credentials out and the 3rd parties assuming their identities and the associated trust with that.

1. oAuth could have allowed me to provide access for 3rd party systems in a case by case basis – not providing the credentials that could be stored and re-used.

2. oAuth would allow me to disable access immediately for a 3rd party site.

3. oAuth, as used in GMail, could be used to restrict the levels of access you permit of 3rd party applications. Therefore i may allow a site to read my contacts (which most do) but not sent replies or DM’s on my behalf (in fact this is what GMail can allow).

]]> By: Damon Cortesi http://startupsecurity.info/blog/2009/01/06/twitter-security-fiesta-post-mortem/comment-page-1/#comment-22 Damon Cortesi Tue, 06 Jan 2009 21:59:47 +0000 http://startupsecurity.info/?p=138#comment-22 You are correct, thanks Blaine. Updated appropriately. (You think my brain would have that...) You are correct, thanks Blaine. Updated appropriately. (You think my brain would have that…)

]]> By: Blaine Cook http://startupsecurity.info/blog/2009/01/06/twitter-security-fiesta-post-mortem/comment-page-1/#comment-21 Blaine Cook Tue, 06 Jan 2009 21:49:02 +0000 http://startupsecurity.info/?p=138#comment-21 Thanks for the fantastic post. I completely agree, particularly about the relative importance of bank vs. Twitter security. :-) (one little nit-pick, I think you've read the internet population incorrectly -- the world's total population is 6.6 billion, and the online population is approximately 1.5 billion) Thanks for the fantastic post. I completely agree, particularly about the relative importance of bank vs. Twitter security. :-)

(one little nit-pick, I think you’ve read the internet population incorrectly — the world’s total population is 6.6 billion, and the online population is approximately 1.5 billion)

]]>