Looks like the Twitter phishing attacks over the weekend led to some hilarious results.
Looks like the Twitter phishing attacks over the weekend led to some hilarious results.
There’s a phishing scheme being run against Twitter users right now. It looks like the objective is the collection of more Twitter passwords, but I’d expect that there is some other fraudulent angle as well that is perhaps yet to be revealed. In any case, avoid clicking on links in direct messages and if you’ve given your password to a third party service, you may want to change it.
This morning a friend of mine sent an email asking whether Will Muschamp had opted out of being “head coach in waiting” at the University of Texas and taken the job as head football coach at Auburn. He said he’d heard something on the radio.
My first stop was Google News, but there were no stories today that mentioned Muschamp. I was despairing being out of the loop a little bit when it occurred to me that the next best stop was search.twitter.com and found that Twitter was abuzz with the latest Muschamp-related scuttlebutt.
I don’t think I realized until that moment that Twitter is perhaps the ultimate resource for tapping into the zeitgeist of the moment. Blogs are a great resource for tapping into what’s happening today, Twitter is where you find out what’s happening this second.
Stephen O’Grady talks about the risks of using Twitter to publish personal information:
But for the majority of us, I always thought the costs of keeping everything under lock and key far outweighed the benefits. Now, however, I am being forced to reconsider that view. Because, as John Simonds reports (not to rag on John here, he’s just the messenger), one or more of the professional communities I interact and work with may use the tool to form an impression of me.
It’s not obvious to me that this impression would be anything less than professional. I’m generally not Twittering after a night on the town, every other word is not something that would be considered unprintable, and I’m not posting the intimate details of my day to day existence. But I need to consider it, still, because as I’ve discussed in the past, Twitter is a personal tool for me first, professional tool second. A distant second.
I think this is why we’re seeing more people with two Twitter accounts, a public persona and a private one that they share with friends. I haven’t gone that route, however, I will say that my Twitter feed is currently protected.
(This reminds me that I need to write that post I’ve been meaning to about the value I see in Twitter in general.)
Today I stumbled across the Twitter feed for the Los Angeles Fire Department. I thought it was sort of a silly novelty until I clicked on the Twitter feed for the only person LAFD is following, Brian Humphrey, a public spokesperson for the department. Humphrey’s use of social sites to create a lightweight process for disseminating news from the department is clever and effective.
LAFD also publishes alerts to a Google Group, LAFD_ALERT, which contains the same information as the Twitter feed, and a blog that publishes longer articles. The home page for the Google Group explains what the alerts are for and how they’re used.
What I like about Humphrey’s approach is that it works with the web rather than just being on the web. Had LAPD put a form on their Web site that said, “subscribe to LAPD alerts,” it would be unlikely that they’d be seeing the public engagement that they get by taking advantage of existing services for which people have already registered. This approach surely works for him because implementing it was free of cost (other than his own time) and probably red tape (he didn’t need to get any help from IT to set it up). But the side effects are worthwhile in and of themselves. It’s a great example of how it can be more effective to reach users on the services they already use than to build a new service and expect them to come to you.
The LA Voice and Governing magazine have both published articles on Humphrey’s work if you’re interested in reading more.
Alex King posts about lowering the noise on Twitter. He suggests that Twitter change “What are you doing?” to “Say something interesting,” which works for me.
The truth of Twitter is that it is many things to many people and the beauty of it is that you can mold the Twitter experience to your own tastes. If I want to follow people who treat Twitter like a shorter-form blog, I can, or if I want to follow coworkers who keep everyone abreast of what they’re working on up to the minute, I can do that as well. Ultimately we all get to decide who’s interesting to us, and limit our Twitter experience to only those people. As Russell Beattie points out, that’s a powerful thing.
The thing I like about Twitter is that it’s much more conversational. I don’t know who reads my blog unless they leave comments, and most people whose blogs I read probably don’t know that I do so. On Twitter there’s a reasonable expectation that people who are following you read your tweets, and that there’s a decent chance that someone you address directly will read your tweet as well. It seems like that relationship makes it much easier to build a community quickly, as you find among LiveJournal users or Vox users if you use those sites.
We had that type of community when there were many fewer blogs. Many moons ago, it seemed like basically everybody read everybody else’s blog. I could pretty much guess who would link to my posts as I made them. If I could come up with one innovation, it would be a way to ease building communities among bloggers running their own sites the way you can with Twitter and other sites where everyone is swimming in someone else’s pool.
© 2024 rc3.org
Theme by Anders Noren — Up ↑
How Twitter was exploited
Now it can be told (apparently). The Twitter abuse that I posted about yesterday resulted from a Twitter employee giving their password to a third party service. Someone then used that password to access Twitter with administrative rights and amuse themselves.
Part of the problem here is that the credentials required to access your account through the API are the same as those required to access the site through the Web interface. But the other lesson here for developers is that you should really split up the administrative features of your application and the end user features into separate accounts. They probably shouldn’t even use the same interface. That may be more painful for users but it eliminates a lot of risks. And of course employees should know better than to hand out their passwords to random Web sites.
Update: Turns out the password in question was guessed, not phished. Either way, it’s an argument for separating the administrative functions from the standard user interface.