Posted on 10 Comments

Twitter API Severely Flawed

Twitter’s API (basically a way to let software developers work with Twitter’s data) has been a huge factor in Twitter’s success. When Twitter did not provide adequate search, a developer used the API to create http://summize.com/ which was so good that Twitter purchased it and incorporated the code as http://search.twitter.com/. Twitter does not provide stats, but numerous developers have created applications such as Twitter Charts and Twitter Stats to provide statistics. (See also: Now You Can Graph Your Twitter Usage) The API has allowed people to get away from the phone and web interfaces by developing desktop applications such as Twhirl and TweetDeck (which includes features not built into Twitter such as grouping of friends). Twitter by default emails you when someone starts following you but never tells you when someone quits following you, so software developers used the API to write Qwitter and Twitterless.

Where’s the flaw? The flaw is in the authentication. Many of these services or applications developed by a third party require you to enter your username and password. There is nothing to say that this third party should be trusted, and we give them the keys to the kingdom. With that username and password the developer could maliciously use your account for spam, sign you up for other services, or flat out lock you out of your own Twitter account. If one of these services started sending too many Tweets and causing your followers to quit following you (see #7), the solution is to change your password. But changing your password also breaks all the other Twitter services you have signed up to use.

What’s the solution? The solution is simple. For each service or application that requires a username and password to access my Twitter data, I should be able to generate a key instead of giving them my password, similar to the way Amazon Web Services works. This would give me the power to list all the services I use from my Twitter profile and to individually, and at my own discretion, disable each service. From a developer’s standpoint, the process is easy because a key is simply a GUID. The only challenging part for Twitter’s developers is changing the authentication process and developing the profile screen to manage the keys.
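As an added example (mine, not code from this post or from Twitter), here is a sketch in Python of the key scheme described above: one secret per third-party application, a profile listing of the keys a user has handed out, per-key revocation that leaves the other apps untouched, and a site password that can be changed without breaking any of them. The class and function names, the sample user "alice" and the app names are made up for the illustration; the secret is a random token from the `secrets` module rather than the GUID the post mentions, and only a hash of it is stored server-side.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class IssuedKey:
    key_id: str        # public identifier shown on the profile page
    app_name: str      # which third-party service this key was issued to
    token_hash: str    # SHA-256 of the secret; the secret itself is never stored
    created: str
    revoked: bool = False


class ApiKeyStore:
    """Per-application access keys: one secret per (user, third-party app).
    Revoking one key does not disturb the others, and changing the
    account password touches none of them."""

    def __init__(self):
        self._keys = {}    # username -> {key_id: IssuedKey}
        self._lookup = {}  # token_hash -> (username, key_id), for authenticate()

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, app_name):
        # 256 bits from the OS CSPRNG, used here in place of the GUID the post
        # mentions. The secret is returned exactly once; only its hash is kept.
        token = secrets.token_urlsafe(32)
        key_id = secrets.token_hex(8)
        rec = IssuedKey(key_id, app_name, self._hash(token),
                        datetime.now(timezone.utc).isoformat())
        self._keys.setdefault(username, {})[key_id] = rec
        self._lookup[rec.token_hash] = (username, key_id)
        return key_id, token

    def list_keys(self, username):
        """What the profile screen would show: (key_id, app, revoked)."""
        return [(k.key_id, k.app_name, k.revoked)
                for k in self._keys.get(username, {}).values()]

    def revoke(self, username, key_id):
        rec = self._keys.get(username, {}).get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        self._lookup.pop(rec.token_hash, None)
        return True

    def authenticate(self, token):
        """Map a presented secret to (username, app_name), or None."""
        # Hashing first makes a plain dictionary lookup on the digest safe:
        # the secret has full entropy, so hash-table timing leaks nothing usable.
        hit = self._lookup.get(self._hash(token))
        if hit is None:
            return None
        username, key_id = hit
        rec = self._keys[username][key_id]
        return None if rec.revoked else (username, rec.app_name)


class Account:
    """Password login for the site itself, kept separate from API keys."""

    def __init__(self, username, password):
        self.username = username
        self.change_password(password)

    def change_password(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(cand, self._pw_hash)


def demo():
    """The scenario from the post: two apps, one misbehaves and is revoked,
    then the password is changed; the well-behaved app keeps working."""
    store = ApiKeyStore()
    alice = Account("alice", "correct horse")          # constructed sample user
    kid_twhirl, tok_twhirl = store.issue("alice", "Twhirl")
    kid_stats, tok_stats = store.issue("alice", "Twitter Stats")
    store.revoke("alice", kid_stats)                   # cut off only the noisy one
    alice.change_password("battery staple")            # breaks none of the keys
    return {
        "twhirl_after_revoke": store.authenticate(tok_twhirl),
        "stats_after_revoke": store.authenticate(tok_stats),
        "password_login_after_change": alice.check_password("battery staple"),
        "twhirl_after_password_change": store.authenticate(tok_twhirl),
        "profile_listing": store.list_keys("alice"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The profile listing is what lets the user see which services hold a key; because each app gets its own secret, "this one is spamming" turns into revoking one row instead of changing the password and re-entering it everywhere else.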

Until Twitter implements a key scheme, I am no longer giving my password out to third party Twitter applications and services (unless they are really cool and look really trustable!). I made an exception today for TwitterFone so I could compare it to Jott.

See also:
Twitter Guide: How To Do Things With Twitter

Update Dec 15, 2008: See also Is Twitterank Ranking Your Popularity Or Stealing Your Password? Others see the same flaw I do.

Update: OAuth looks like a very viable solution.

Update Dec 29, 2008: Alex Payne, The Twitter API Lead developer, confirms that Twitter is testing OAuth! Yes! OAuth is coming.

Update Jan 2, 2009: See also Allen Stern’s Sheep Line Up in Perfect Twitter Formation and Louis Gray’s Twitterank Can Have My Password, No Questions Asked.

Update Jan 3, 2009: I’ve now officially been phished through Twitter. I didn’t bite. I’m betting someone used a 3rd-party website that looked legitimate while collecting usernames and passwords (maybe it promised to send @ replies through email or give Twitter stats or something) and then, using the Twitter API, ran amok sending direct messages from "trusted" people hoping to get people to click through to the bad website. The one I received:

softclothing Hey, i found a website with your pic on it… LOL check it out here http://twitterblog.access-logins.com/login


Pownce RIP – application lives 1 year

Pownce RIP Jun 27 2007-Dec 15 2008 (open to public Jan 22 2008). Never used it much but liked its format and function. See: Goodbye Pownce, Hello Six Apart

With only one year of useful life in the application, it was purchased by SixApart for "an undisclosed amount" which to me sounds like it made money for Rose and others.


Computer with early onset Alzheimer’s

Nothing makes Black Friday blacker than rebooting your development server, watching the ever-familiar memory test run and, instead of seeing it complete, having the message "Memory Error!" appear on the boot screen. My first game console was an Atari 2600 circa 1978. My first computer was an Atari 400 around 1980, and my father, with me helping (looking over his shoulder), upgraded the memory from 8 KB to 32 KB by soldering a chip to the motherboard. Can you imagine the tech support calls if that was the procedure today? "Yes sir. My name really is Steve. Now, did the soldering iron go all the way through the motherboard or just your CPU?" I had never seen a memory error until today. I made it through a reboot, so hopefully it was a fluke.


The next hour’s challenge

My current project has been experimented on, tweaked, and change-requested into a CSS mess. I’m going to dump all the CSS and start fresh. This has to happen, and many projects skip this step as cumbersome.

Update: Really cleaned up the development environment and production server by removing test files, unnecessarily included (old and unused) code, and so forth. Much improved!


Vista Fails to Connect to Samba

I was (still am) a huge fan of the e-smith gateway server (now SME Server; see also http://contribs.org), which was a very simple way to take almost any computer and have it up and running as an email, web, database server and more in under 2 hours. It has reliably been my development server of choice for years, although my next *nix server is likely to be Ubuntu.

I am having a problem getting Vista to authenticate across the network to allow me to browse directories and work on my development files. As it turns out, the default Vista security is set to send only NTLMv2 authentication responses. Samba can’t handle this. One solution is:

To solve the problem, run secpol.msc to get into the Local Security Policy screen. Go to "Security Options", then find "Network Security: LAN Manager authentication level." Change it from "NTLMv2 responses only" to "LM and NTLM – use NTLMv2 session security if negotiated".

Now, to exacerbate the problem, Vista Home Premium does not have secpol.msc. Instead you must manually edit the registry. Use caution when editing the registry! Run regedit. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Look for the value LmCompatibilityLevel, right-click it, choose Modify, and change the number to the appropriate value from 0 to 5:

0 – Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1 – Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2 – Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication.

3 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2.

5 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

[Source, Microsoft TechNet, LmCompatibilityLevel]

In this case, to support Samba, I want the value to change from the default of 3 to 1.

After doing this, reboot for the change to take effect. Next, read Security Watch: The Most Misunderstood Windows Security Setting of All Time.



Da da dum daaa

A moment of silence please. The motherboard on my ever-important workhorse of a desktop, the one I use for everything Internet, personal and business, has died. Yesterday the computer spontaneously turned off 8 times. This morning it would not turn on at all. Assuming it was just dust inside, I went to clean the machine this morning and discovered at least 5 capacitors that were leaking and partially exploded. I need this machine working, so I may try replacing the bad capacitors, but more than likely it is my turn for an upgraded computer. Fortunately, the college student’s "gaming" computer appears available. He won’t be pleased, but it will make do for me in this pinch.


Is hate worth the trouble?

I’ve just been on the phone with Sprint because one of their customers has left a pseudo-threatening/hateful comment on my wife’s blog. They advised immediately filing a police report so that their corporate security department could escalate the issue faster than if I handle it myself. I really don’t like giving hateful people this much attention. It’s best if they just go away. People, the Internet is far from anonymous! In cases like this, you don’t leave a bread crumb trail; you leave a paved boulevard.


Firefox Crash Recovery Fails

My workstation is having trouble. I suspect a piece of hardware is dying or a huge dust bunny is wreaking havoc inside the case. It spontaneously reboots a few times a day, which is not really a problem because I wouldn’t take breaks otherwise, and Firefox always comes back in the same state as before the crash…well, almost always. I don’t help myself because of the way I use the computer. I have many apps open at once and typically will have multiple Firefox windows open with 10 to 20 tabs open in each one. This is how I do research, and it is typically work related or blog related. In today’s instance I had 4 windows open. 3 were work related and 1 was filled with information I might one day blog about. These are usually just bookmarked at Delicious for that day I finally get around to it. Considering my machine was having trouble and I had far too many tabs open, I was just starting to bookmark everything and reduce my windows down to the very few I needed when the computer crashed hard. Upon coming back up, Firefox opened to just a single blank window…no tabs. I needed that work-related research! I can reproduce it, but this is just frustrating!

So, is there a way to tell Firefox, "restore the previous, previous state?" I think I’m faced with scrolling through the morning’s history and pulling up pages one at a time.


Today’s Coding Challenge

In one of my applications, I use jQuery’s UI Datepicker as part of the interface for easy date selection in adding and editing some data. I have two screens that show the current date. One screen is a report that says "Today’s date is…" and shows the current date. The other is the form for adding this data. The datepicker calendar is supposed to default to today’s date.

Problem 1: On the development server, the report and the form both default to today’s date. On the staging server, the report and the form both default to today’s date. On the production server, the report defaults to today’s date; the form defaults to December 31, 1998. Solved. In a special case, a null string was being passed when a date type was expected.

Problem 2: When editing, if the date is in the months of March and November, the highlights for the datepicker don’t work. The day still gets selected appropriately, but the date itself is never highlighted, making the user think they didn’t click the date. Click to see a working example of the problem. Update: This is partially fixed. In UI version 1.5.2, the highlight does not work in November or March. This is demonstrated at http://sidesigns.com/pub/datepicker/index152.php. I tested with the 1.6rc2 release candidate and November now works, but March is still not highlighting correctly (the first week highlights but no others). This is demonstrated at http://sidesigns.com/pub/datepicker/index16rc2.php. I’ll be submitting a bug report to the jQuery UI team.


Today’s Programming Challenge

I am working on a PHP application that is mysteriously losing the value of a particular session variable. There is only one place in all the code where the variable is set. All comparisons have been confirmed as comparison operators == instead of assignment =. In debugging, a var_dump shows the variable as:
["foo"]=> &string(2) "35"
and a second later it becomes
["foo"]=> ∫(35).

Does the ∫ symbol mean undefined? And if so, why does it still show the value? echo "***".$_SESSION['foo']."***" shows ****** in the later instance and ***35*** in the previous.

Ah ha! It’s the integral symbol. I just didn’t expect to see that in debugging. Why is my string suddenly an integral?

Update: From the notes on var_dump: "Now ∫ translates into an integral sign, and since the browser may be inclined to overlook the missing semicolon, you may be seeing integrals where you were expecting &int"

Update: Solved. A locally scoped variable of the same name was being set to null. I’m still unclear on why the session variable would assume the value of the locally scoped variable.