BeTwittered is a simple and comfortable gadget that you can add to your site, such as your iGoogle homepage.

Since BeTwittered is just a bridge between you and Twitter, it has to first log you into your account. Here is where things go horribly, horribly wrong.

1. BeTwittered does not use SSL to secure requests to its servers

All authentication information is transmitted to BeTwittered servers in plain text and is easily sniffable by an attacker, both on your own network and outside of it. You can read more about SSL encryption here.

Since BeTwittered passes your Twitter username and password unencrypted as GET parameters, it may as well be serving them to potential attackers on a silver platter (note that passing this data in a POST request would change nothing, security-wise).

Here is an example request:

http://betwittered.com/api/?_=1265242511260&req=verify_credentials&username=foo&password=bar

Ugh…

2. BeTwittered stores your username and password in unencrypted cookies

Because BeTwittered tries to keep you logged into Twitter, it caches the username and password, unencrypted, inside browser cookies.

This means that an attacker needs to simply look at your cookies to steal this information. This can be done using these methods, among others:

• using an XSS vulnerability
• sniffing the network traffic
• walking up to your computer

3. Because BeTwittered passes your authentication information to its servers, it's already insecure

If someone gets access to BeTwittered servers, it's safe to assume at that time that all accounts are potentially compromised.

Smaller sites generally cannot dedicate appropriate resources to securing their servers, which can make breaching them easier for hackers. Even Twitter itself was hacked numerous times.

The Alternative Solution

oAuth

If the endpoint application supports oAuth (Twitter has for months), do us all a favor and use it. Please.

oAuth allows delegating authentication to Twitter itself and only giving the application easily revokable limited access.

If BeTwittered were using oAuth, the user would be redirected to Twitter, where he or she would login. Then, the user would be sent back to BeTwittered, but now bearing special tokens. Any requests to Twitter would then be accompanied by these tokens, which would be validated by Twitter every time they're used – all of this without ever passing your password around.

You can find a nice overview of the oAuth architecture here.

Otherwise

If the endpoint application doesn't support oAuth, then

• use SSL encryption (https)
• store the authentication information on the server side instead of the client side in a cookie. Instead, use the cookie to store some sort of an internal ID pointing to this server-side data. Alternatively, encrypt the username and password via a secure salted two-way hash and only then store the encrypted version in a cookie
• make sure to stay on top of securing your servers (and give your sysadmin a raise). It's a time-consuming commitment, please take it seriously

Conclusion

What other secure authentication technique or tips do you know about? Feel free to share in the comments.

Oh, and this goes without saying – stop using BeTwittered, at least until they implement a more secure login option. I've alerted the creators about the issue and also started these threads on HN and Reddit.

• sysbench – Linux Test Bench
• Do NOT Use This Perl Module: Passwd::Unix
• How To Fight Clickjacking (Using The Recent Twitter Hijacking As An Example)
• Debugging Weird sshd Connection Problems + What Happens When You Stop sshd
• How To Fix Palm Pre's "Error Sending Mail" Problem

Password Protected Garage Door Remotes

As a paranoid person and a recent homeowner, I started to wonder how safe I actually am in my house. Consider this likely scenario that nobody seems to be concerned with:

I park my car outside for one night and don’t take out my portable garage door remote, the one with a single open/close button. Or, even worse, the remote code is programmed into one of those garage opener buttons built into the car. A car burglar comes along, breaks the window, and trashes my car. Wow, an added bonus – a free entrance into the house!

Needless to say, this is bad already. How many of you lock the door between the house and the garage? What if you forget to do that as well? Is there a spare house key laying around in the garage? You may say “but I’ll hear the garage door open” but does it actually make you feel better? You will be present with an intruder in your house, which will scare the living shit out of you non-governator types.

So here’s my question to you, Internet, is there a garage door remote I can buy that has a programmable keypad, so that a password is needed for the button to work? In fact, it would be almost the same as the one that mounts next to the garage door. And can it not cost $100?

Twitter Security

This part is not about computer security, as you may have thought at first, although I did recently discuss it in the Clickjacking article. I also know that I’m not the first one to bring this issue up but I think it’s worth discussing some more. Consider this scenario:

You’re a cheerful, outgoing snowboarding enthusiast with 3000 twitter (plurk, facebook, or another social network but twitter is the most relevant example) followers. Or maybe you have 3 followers. There’s a 99.9% chance that your profile and updates are public (if you have 3000 followers with a private profile, you must be some sort of a chump. And yes, I did just make the stats up, want fight about it?).

So, on Friday night, you send the following tweet: “Gone snowboarding for the whole weekend. But not before getting piss trashed Friday night at the casino. Wooooo”.

Since anybody can watch your tweets absolutely anonymously and it’s extremely easy to dig up an address knowing very little about a person, what you just said was “If you are a burglar looking for the next opportunity, just drop everything and come on by Friday night. I will be far-far away but my house (located at 123 Main St) will be available for your robbing pleasures. You only have 2 days before anyone is home, so feel free to crash on the couch and eat my food. Don’t forget to feed the cat. Kthx.”

Is this a likely scenario? Not really, unless twitter raises the tweet length to more than 140 characters, but otherwise you see where I’m going with this. Don’t be stupid – avoid advertising exact details of your whereabouts, vacation plans, etc. There are plenty of uses for Twitter without giving up most of your privacy. Ask yourself: would you post a note with your whereabouts on your door every time you leave the house for a while?

How Do Trains And Buses Know Where They Are?

If you live in a relatively large city, you have seen relatively accurate bus and train arrival predictions and, in some cases, almost exact locations of each vehicle. For example, here in San Francisco we have MUNI stations with live maps of trains’ whereabouts and bus stops with bus predictions on small electronic displays.

What is the technology behind it? It cannot be just GPS, because trains go underground where there is no reception. If it’s a combination of externally mounted sensors, are they also placed outside, once the train gets out into the street? Or is it some sort of a 2-way GPS (a conventional GPS device is just a receiver) underground that switches to sensors above ground? I don’t know but I want to.

Train/Bus Drivers And Bathrooms

While I’m on the public transportation subject, here’s what I want to know: if you are a train/bus/trolleybus driver, what do you do if you NEED to go somewhere when you are half way down your route? All of us had such moments at least once, and sometimes you just HAVE TO drop the bomb, sink some submarines, drop the kids off at the pool, release the chocolate hostage, plant some potatoes, give birth to a VB programmer, down the proctoscope, bake some brownies, you know what I mean (if you don’t, you’re a senile muppet, what are you doing on the Internet?).

They can’t just leave the train in the middle of the street, can they? Have you ever seen one run out in the middle of the street? I’m really curious here.

All Of Dilbert

Is there a Dilbert collection somewhere that has every Dilbert comic in an easily browseable manner, ideally with ratings I can sort by? 100 Dilberts per page would be ideal. Ah, looks like the new Dilbert.com finally made it a reality: all Dilbert comics sorted by votes, 49 per page.

Where Can I Buy A Circus Tent?

Who sells them? The ones where elephants and clowns could fit. It could also double as a portable office.

Who Gets To Eat The Most Delicious Burger In Burger Commercials?

And where do I sign up? I’m serious.

● ● ●

Yeah, so that’s pretty much what’s on my mind right now. What’s on yours?

• Enable A Twitter Retweet (RT) Button That Lets You Add Comments Before Retweeting
• [Twitter] The Most Useless Tweet To Date Discovered
• Twitter.com Autocomplete, Auto URL Expansion, Auto URL Shortener, RT Button, Nested Replies, Inline Media Embed, Search Tabs, And More
• The Real Reasons To Use Twitter (Get Over Your Prejudice Already)
• Amazon Posts The Deal Of The Century: Ultimate Ears TripleFi 10 & 10vi Earphones – $99, Down From $399 – Amazing Value, Perfect For Mobile Phones