It seems like just the other day when I had to change a whole bunch of my passwords thanks to LinkedIn having its password database stolen by crackers, and now I’m having to do it again. This time it was Twitter that dropped the ball, but I am at least grateful that they’ve publicised the incident so widely.

Username/Password systems suck; I’ve written about this before. We should, as an industry, aim to move past them as quickly as possible, and it’s nice to see some attempts at this (although a lot of those attempts are attempts to centralise identity in one form or another).

Like most people, I did recycle passwords on a number of services, and yes I know this was bad, but I only have a limited space in my head and I don’t enjoy having to remember long strings of alphanumeric characters. The main issue I’m having with this latest breach, other than the hassle of having to go around and change a bunch of passwords again (which is largely my fault I admit), is that Twitter, like Facebook and Google, can be used as a way to log into other services via OAuth.

This is very handy, and means that you can quickly sign on to a 3rd party service without having to create yet another password to remember. However, the downside is that this central identity MUST be secure. Facebook and Google both add extra security to their accounts by having 2-factor authentication systems in place, so when you access your account via a new device, you have to go through an extra security challenge – typically, entering a code sent to your phone or from a key generator app.

Twitter, on the other hand, doesn’t have this extra level of security. This means that the crackers could have access to not only your Twitter account, but also any 3rd party service you’ve used Twitter to log in with.

This is a big deal.

Personally, I think that any service that provides OAuth logins to other services, but doesn’t provide 2-factor authentication, is being somewhat irresponsible, and I really hope that Twitter fixes this with the utmost urgency. I for one will be using my Google account more…

I had a need, in one of the projects I have been hacking on recently, for a way for an automated process to send messages to a Twitter feed based on certain system events – log file changes, inotify updates, etc.

The various existing projects seemed to do much more than I needed and were not easily apt-getable, so I hacked a quick one together in PHP.

A simple toy, no mistake, but combined with a number of other simple tools it turns out to be quite handy for automation, given how Twitter (currently) glues many disparate services together and acts as an informal protocol between them.

So, being a good FOSS citizen, here you go. Perhaps it’ll save someone a couple of minutes!

» Visit the project on Github…

Over the past few weeks it seems that Twitter has been moving to drastically redefine what the service is about, moving to limit API connections and placing restrictions on how third parties interface with it.

This has limited the usefulness of third party tools that others love and risks damaging the ecosystem that has built up around the service – although, as I have remarked in the past, building a business around a single third party service is asking for trouble.

Now, there must be a sound business reason why the folks at the big blue bird decided to do this, but I can’t help feeling that they’re missing an opportunity to reach out to these developers.

Twitter is more than a messaging service; it’s a protocol. It’s a way of loosely connecting services together without having to write a specific connection mechanism; for example, this is how I get IFTTT updating my todo list.

It would be a real shame to see the utility of this sacrificed in order to turn Twitter into just another eyeball engine for adverts. Thankfully, other systems exist, and my hope is that we will see a more distributed ecosystem evolve.

Update 20/9/12: Got an email from IFTTT today, and it seems that they are being forced to remove all Twitter triggers from their service, which means no more archiving or traffic updates, among other things. I’m sure this must all make sense from a business point of view, but it seems a crying shame to systematically make the service less useful to people.

Image “Fail Whale” by Yiling Lu