Brian Oberkirch Stirs Up The Internet
DIWD speaker Brian Oberkirch caused me embarrassment and ultimately made me change my Twitter password.
Now don't get me wrong. Brian is a great guy. But with Twitterank gaining popularity and thousands of Twitter users (myself included) accepting the disclaimer "I'm not out to steal ur twitterz" as confidence enough to enter their Twitter passwords into a 3rd party site, he never should have joked that "Twitterrank is a vast conspiracy I created to steal all of your passwords and shame Twitter into OAuthing. And to make you look vain." And Tantek Çelik should have never retweeted Brian's post, prompting Oliver Marks to write an article on ZDNet entitled "Gullible Twitter users hand over their usernames and passwords - did you get your Twitterank yet?!"
Incidentally, this is the point where I changed my Twitter password. And this is the point where Ryo Chijiiwa, creator of Twitterank, decided to tell ZDNet his side of the story. See, he's just a guy who had an idea to create a quick Twitter analysis tool. But without a complete and open API, the only way he could think of to get the information he needed was to ask for people's passwords.
Ryo thought asking for passwords was ridiculous. Tantek thought asking for passwords was ridiculous. Brian thought asking for passwords was ridiculous.
Yet, this sort of behavior has become very common on the internet in the past few years. LinkedIn asks for your GMail username and password so it can collect your contact list to compare against its membership list. Facebook's "Friend Finder" has a similar feature. Of course, these are giant monolithic websites. They're not going to steal my passwords. But they make this behavior allowable. And smaller and smaller sites get into the game until it's just "some guy" with a $9-per-year hosting account asking for your passwords. He's going to do something really cool with your information. Are you going to give it to him?

See, Brian is an astute observer of all things Internet. This isn't really Ryo's fault. In fact, Ryo says, "frankly, I wish I didn't have to ask for your account info, but Twitter doesn't offer APIs using any other authentication mechanism". Brian knows this is a problem that needs to be solved in a larger way. Solutions like OAuth and OpenID allow users to interact across sites WITHOUT sharing their passwords and personal data in insecure ways. And I think we've proven that without a secure alternative, users and website creators will resort to doing whatever-it-takes to achieve their goals, whether those goals are quickly setting up your business networking, finding old friends, or vainly wanting to find out how popular you are on Twitter.
Brian joins us next month in New Orleans to talk about these and other issues that anyone building a dynamic website should be aware of. He has blogged his view of this story and the general ire it stirred up.
Reading DMs is fun!
Jeff: I did so enjoy perusing your direct messages. Saucy!
Facebook's not stealing my password
I'm not so quick to trust Facebook, LinkedIn or any other giant monolithic websites. The thing about companies is they're made of people. The company doesn't decide to do stuff, people do. Like the people at Facebook who skim private profiles for fun.
So even though I expect any web developer making a tool that asks for a third-party password will do what they can to throw that info away, I don't know how successful they'll be at it. They might not want my password but what about the person that replaces them in that job? Or their coworkers who are bored at work and wouldn't mind skimming Robert Scoble or Adam Curry's gmail?
It's just one of those things that if you do it and someone finally is out to steal ur twitterz, you'll get 0 sympathy after the fact.
raising awareness is a good thing
Have to disagree with you Jeff, these "enter your other site username and password" interfaces are teaching users to be phished, period, and the more we educate users and developers that that's wrong, the better.
Brian's joke, my retweet, Oliver's article all served to raise awareness, get people to stop, think, question, and talk about it, all good things that we need more of in order to reduce, and hopefully halt and reverse this particular (somewhat rampant) pollution of user interface design.
Raising awareness is great.
Raising awareness is great. But it seemed like no one was actually focusing on the problems that BOTH Brian and Ryo were bringing up. This is insecure. Think twice before entering your password.
And yes, I totally agree, no one should ever need to enter their password for one site on another. It's just dumbass. And I totally did it.
Pls clue me in
Tweetdeck, Twitpic, and a host of other (what appears to be legit) services ask for your Twitter username and pwd.
"Nearly everyone" - the linkedins, facebooks, gmail, try to coyly nab your address book
Though not suggesting nefarious plots are being crafted everywhere, seems there are compelling privacy issues at work here.