Thursday 13 January 2011

Your Twitter security is an egg, not an onion

Hard to come up with a fuzzier title, really. Let me cut through the usual Twitter back-and-forth and pick out just one tweet:
.@CoCreatr @VenessaMiemis @dsearls Twitter DMs can be seen by 3rd parties < what part of "access" did u not understand?
That was a rather short version of the original tweet, including my comment. It led to a few other tweets, and to my general awareness that people really don't think straight in this case. I think gullible is the right word.

Behold the picture above: it is an example of a third-party application asking for access to your Twitter account. The beautiful OAuth architecture lets it do so without your handing over your user name and/or password to that same third-party application, but that is where the protection ends.

If you allow someone access to your house, what do you think that means? There's only one front door, right?
If you allow someone, e.g. from the help desk, access to your PC, what do you think that means? There's only one PC there, right? And you're both talking about the same one? Check.

Maybe your house has doors that are permanently locked, with the key out of sight rather than conveniently under the door mat.
Maybe your PC has encrypted files or directories you can't access without entering, every single time, your 64-bit, 72-character-long, illegible and secret password.

Highly likely, none of that applies to you. Your house is an egg, not an onion, and so is your PC. In security models, the egg, with its very hard shell, represents a single barrier between the inside and the outside: tough to crack, but once you're in, you're in. The other model is the onion, with its many layers: multiple barriers between the inside and the outside, each soft and relatively easy to penetrate, but they come in large numbers, and once you've made it through the first one you only have access to a small part of the entire inside.

Twitter is an egg, not an onion. And you knew that already, but simply assumed it wasn't.
How much room for interpretation is left by the screen shot above? It is asking to be allowed access. Regardless of your thoughts, feelings and assumptions, what does it really say? It is asking for access.
What kind of access, really? Well, just access.
How many types of access to your Twitter account do you know of, really? Come on now, you can do it. Yes? Yes.

That's right, only one type of access to your Twitter account that you know of. You enter your user name and password, access your account, and you have full control.
So. What makes you think this type of access is any different?
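To make the egg-versus-onion distinction concrete, here is a small added example (my own toy model, not Twitter's API or any real OAuth implementation; the resource names, token layout and function names are all constructed for illustration). In the "egg" model the user sees only "Allow access" and the resulting token opens every resource, direct messages included; in the "onion" model each resource is its own layer, the consent screen names each one, and the token only opens the layers that were actually requested and approved:

```python
# Added example: a toy model of all-or-nothing ("egg") versus scoped ("onion")
# third-party access. Constructed for illustration; not Twitter's API.
from dataclasses import dataclass

# Constructed resource names standing in for the parts of an account an app could touch.
RESOURCES = ("timeline", "tweet", "direct_messages", "followers")


@dataclass(frozen=True)
class Token:
    """An access token handed to a third-party app after the user clicks 'Allow'."""
    app: str
    scopes: frozenset  # the set of resources this token may reach


def egg_grant(app: str) -> Token:
    """The egg: one front door. 'Access' means every resource, DMs included."""
    return Token(app=app, scopes=frozenset(RESOURCES))


def onion_grant(app: str, requested) -> Token:
    """The onion: the app asks for specific layers and gets only those.

    Unknown scope names are rejected rather than silently widened.
    """
    unknown = set(requested) - set(RESOURCES)
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    return Token(app=app, scopes=frozenset(requested))


def consent_text(token: Token) -> str:
    """What an honest consent screen should say: the layers, spelled out."""
    return f"{token.app} will be able to access: " + ", ".join(sorted(token.scopes))


def authorize(token: Token, resource: str) -> bool:
    """Does this token open this particular layer of the account?"""
    return resource in token.scopes


def reachable(token: Token) -> list:
    """Everything the holder of this token can get at, sorted for readability."""
    return sorted(token.scopes)


if __name__ == "__main__":
    egg = egg_grant("SomeTweetScheduler")
    onion = onion_grant("SomeTweetScheduler", ["timeline", "tweet"])
    for token in (egg, onion):
        print(consent_text(token))
        print("  can read DMs:", authorize(token, "direct_messages"))
```

The point of the example is the consent text: an egg-style prompt that just says "access" is telling the truth, and the truth is that `direct_messages` is behind the same single door as everything else.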

I'll allow for one excuse: seriously lousy application development over the last decade has made us all message-fatigued. Even business users read none of the messages they get from an application; they just click their way through. Still, it is they who click.

Pay attention to the messages you're getting: trust me, it pays off in the end.
