but how DO you turn it off?

I go to Yelp to do a search only to see, up at the top:

Okay, whatever. I don’t want my experience personalized, though I get why people might. I don’t hate it, I just don’t want it. I go to turn it off on Facebook, as per the information on the “options” dropdown on Yelp. There, I see …

Wait, it’s not available for me yet? But it’s on! It’s on, and it’s for me! Maybe it’s because my language is set to English(UK). Maybe there’s some sort of “not available in England” bug hitting me.

I change the language. English(US). Log out, log back in.

Well, now there’s a “z” instead of an “s” in “personalization,” but it also clearly shows that I don’t have it turned on. Back to Yelp! Is it off?

Haha, no. 

To recap: at first, it wasn’t an option for me to even *have* instant personalization, though it was on and functioning on partner sites; now it’s an option, but it’s off — and still functioning on partner sites. 

Baffling. 

Rogue OAuth Apps: Like Vampires, You Must Invite Them Into Your Account*

As most of you reading this blog know, I lead Twitter’s Trust and Safety department. Two of my teams are API Policy and Spam. While these teams have a number of responsibilities, they also both work to find and suspend bad apps that appear on Twitter. Sometimes, though, bad apps surface and trick users into authorizing them before we can suspend them. Given the variety of bad apps that have popped up lately, I think perhaps it’s time for a refresher course on OAuth apps and some examples of bad ones.

First: what’s an OAuth app? In a somewhat cyclical answer (and for the purposes of this blog post), it’s an app that uses OAuth to connect to your account. OAuth is an authentication method that lets you use apps without them storing your password. You can read more about Twitter apps and OAuth here.
 
You’ll know that an OAuth app would like to connect to your account if you click on a link somewhere and it takes you to an api.twitter.com page that looks something like this (though this isn’t an example of a bad app, just an OAuth connection request!): 

In this case, Favstar.FM (an app that I use and like) is asking me (@delbius) for account access. If a message like that pops up unexpectedly after clicking on a link somewhere (from Twitter or elsewhere), and you aren’t sure why it popped up or what the app does, do not click “Allow.” Even if you think you *do* know what the app does, you shouldn’t grant it access to your account if it claims to do anything in the following list that could well be titled (and is) “Things an OAuth app cannot do”.

Things an OAuth app cannot do:

allow you to spy on other people’s profiles
authorize your account
certify your account
force a celebrity to follow you
force anyone to follow you
get you followers fast
get you hundreds of followers fast
get you thousands of followers fast
give you access to shocking videos
give you access to salacious pictures
give you free food
give you free gadgets
give you free phones
grant you unlimited Twitter access
prevent your account from being deleted
show you a video no one can watch without laughing
show you a video no one can watch without dying
show you a video no one can watch without getting scared
show you a video no one can watch without looking down
show you who’s spying on your profile
show you who’s viewed your profile the most
show you who’s viewing your profile
show you who’s viewing your profile while not logged in
tell you everyone who’s ever unfollowed you prior to authorizing the app
tell you how many hours someone else has spent on Twitter
tell you how many hours you’ve spent on Twitter
tell you how you’ll die
tell you when you’ll die
tell you who’s stalking you on Twitter
verify your account

If you authorize an app like the ones listed above, it will spam your timeline, and thus your followers, with links and dramatic statements in an attempt to get more people to authorize it as well. If you’ve authorized a third-party application that you don’t recognize or that is spamming your account, you should revoke access. You can check which apps you’ve authorized by going to the Connections tab in Account Settings.

Note that these rogue apps are not malware, trojans, viruses, or worms. The difference is that these apps only gain access to your account once you grant them permission. Fortunately, you can revoke access just as easily as you can grant it. Once you’ve revoked access for that bad app, it no longer has access to your account and, thanks to OAuth, your password won’t be compromised.
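As an added illustration (not Twitter’s tooling and not the author’s code), here is a small triage function that flags an app description making any of the promises from the “Things an OAuth app cannot do” list above. The category names, the regexes and the sample descriptions are all constructed for this example.

```python
import re

# One regex per family of bogus promise from the list above.
# Constructed for this example; not Twitter's actual spam rules.
BOGUS_CLAIMS = {
    "follower_gain":     r"\b(get|gain)\b.*\bfollowers?\b|\bfollows? you\b",
    "profile_spying":    r"\b(who'?s|who is)\b.*\b(view|stalk|spy)",
    "fake_verification": r"\b(verif|certif|authoriz)\w*\b.*\baccount\b",
    "clickbait_video":   r"\bvideo\b.*\bwithout\b",
    "free_stuff":        r"\bfree\b.*\b(food|gadgets?|phones?)\b",
    "unfollow_history":  r"\bunfollow",
    "account_threat":    r"\b(deleted|unlimited)\b",
    "death_prediction":  r"\b(how|when)\b.*\byou'?ll die\b",
}

def bogus_claims(description):
    """Sorted list of claim families found in an app's name or description."""
    text = description.lower().replace("\u2019", "'")   # normalise curly apostrophes
    return sorted(name for name, rx in BOGUS_CLAIMS.items() if re.search(rx, text))

def should_warn(description):
    """True when a user is about to authorise an app promising the impossible."""
    return bool(bogus_claims(description))

# Constructed sample descriptions a reviewer might see on a consent screen.
SAMPLES = [
    "See who\u2019s viewing your profile while not logged in!",
    "Get thousands of followers fast",
    "Favstar.FM - find and share your best tweets",
]
```

Run `[bogus_claims(s) for s in SAMPLES]` to see that only the first two descriptions are flagged.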

Want some help pages? I thought you might. Here you go:

How to connect and revoke third party applications
How to keep your Twitter account secure
What to do if your account is compromised

*Though I’m aware the mythos surrounding the need for vampires to be invited into a home varies, I refer here, of course, to the text by Father Leone Allaci, originally published in 1645 (though cited most recently in Montague Summers’ The Vampire in Europe):

"For very often, inhabiting this body, he [the devil] comes forth from the grave, and going abroad through villages and other places where men dwell, more especially at night, he makes his way to what so ever house he will, and knocking upon the door he calls aloud by name in a hoarse voice one who dwells within. If such a one answers he is lost; for assuredly he will die the next day. But if he does not answer he is safe. Wherefore in this island of Chios all the inhabitants, if during the night they are called by anyone, never make reply the first time. For, if a man be called the second time it is not the vrykolakis who is summoning him but somebody else."

Further, Agnes Murgoci notes in her 1926 article “The Vampire in Roumania”

"At anytime of the year it is well, especially at night-time, never to answer until someone calls you three times, for vampires can ask a question twice but not three times. If you reply when they speak to you, they may turn your mouth askew, make you dumb, cut off your foot, or kill you."

So, y’know, keep that in mind too.

Passwords: Srs Business

You guys, seriously. Seriously, you guys. Password security is super-important.

I know you’ve heard this a lot, but given the preponderance of accounts that are “hacked” due to weak passwords or other poor practices around password security, it appears that at least some of you are not listening. While this list isn’t exhaustive, it’s got a few highlights.

DON’T share your password with people. No matter how strong your password is, if someone else knows it, it’s no longer a “secure” password. We see folks writing in who had a “co-owner” on their Twitter account (against our recommendations) and after a disagreement, the co-owner locked them out of the account. 

DON’T use a word that can be found in the dictionary as your password (and don’t use 123456, either!). If you want or need help managing passwords, check out @1Password or @lastpass; both are robust password management systems that will generate and store passwords for you. There are a number of other options as well, but I’ve used both of those successfully.

DON’T use your significant other’s name, your child’s name (if you have one) or your pet’s name. 

DON’T type your username and password into sites that you’ve arrived at via suspicious links! Might be worthwhile checking non-suspicious links too, honestly. Double-check that address bar to make sure that you’re really at the website you mean to be at, and if in doubt, type the address into the address bar directly.

DON’T use the same password on multiple sites or for multiple accounts on the same site. One compromise can lead to many others.

REMEMBER: security questions can be a point of vulnerability! If someone’s specifically targeting you, answers to questions like what city you were born in and what high school you went to can often be found online. For extra security, try lying about your answers to security questions (but, of course, make a note of what your lie was in, say, @1Password or @lastpass). Your favorite color? Totally houndstooth. If you have the option to create your security questions, don’t create questions where the answer can easily be found through a bit of Googling.

BE AWARE: “skeleton key” passwords, where part of your password stays consistent across multiple sites and part changes based on the specific site, can be broken if someone determines what the key and pattern is. Then, suddenly, all of your passwords are broken and you’re left sobbing and wondering why you didn’t use different passwords at each site.

SIGH, you’re still using the same password on multiple accounts, aren’t you? If you refuse to use different passwords for each site, at least try tiering — use the same password for sites that you really don’t care about and that don’t have any information on you, a more secure password for sites that you sort of care about, and multiple passwords for your most important sites — email, banking, etcetera. 

HELPFUL HINT: Need help thinking up a secure non-dictionary word password but don’t want to use a password manager for whatever reason? Use song lyrics and take the first initial of each word in a line — thus, “Lucy in the sky with diamonds!” can become “Litsw/d!” Capitalization and punctuation can go a long way to increase security and if you’re not using a password manager, song lyrics are more memorable. 

QUESTIONS? Seriously, this page is really great. Read the tips for your sake and for mine.
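The DON’Ts above, turned into checks a password audit could actually run. This is an added example, not code from the post or from any password manager; the word list, the common-password list and the sample vault are constructed stand-ins, and the function names are my own.

```python
import re

# Constructed stand-ins for a real dictionary and a breached-password list (assumptions).
DICTIONARY = {"password", "monkey", "dragon", "sunshine", "letmein", "welcome", "houndstooth"}
COMMON = {"123456", "12345678", "qwerty", "abc123", "111111"}

def check_password(pw, known_names):
    """Reasons one password breaks the DON'Ts above; an empty list means it passes.
    known_names: names readable off a public profile (partner, child, pet)."""
    low = pw.lower()
    problems = []
    if low in COMMON:
        problems.append("common sequence such as 123456")
    if low in DICTIONARY:
        problems.append("dictionary word")
    for name in (n.lower() for n in known_names if n):
        if len(name) >= 3 and name in low:
            problems.append(f"contains the name '{name}'")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    return problems

def reused_passwords(vault):
    """Groups of sites sharing one password (vault: {site: password})."""
    by_pw = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_pw.values() if len(sites) > 1)

def skeleton_key(vault, min_len=4):
    """Longest substring common to every password in the vault, if at least min_len long.
    A long shared stem is the 'skeleton key' pattern: one password gives away the rest."""
    passwords = list(vault.values())
    shortest = min(passwords, key=len)
    for size in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - size + 1):
            stem = shortest[start:start + size]
            if all(stem in p for p in passwords):
                return stem
    return None

def lyric_initials(line):
    """Lyric trick from the post: first character of each word, keeping the punctuation
    that ends the line. (The post's own 'Litsw/d!' adds a '/' by hand for good measure.)"""
    words = [w for w in line.split() if w[0].isalnum()]
    initials = "".join(w[0] for w in words)
    trailing = re.search(r"[^\w\s]+$", line)
    return initials + (trailing.group(0) if trailing else "")
```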

<pun about phishing>

Ever wondered how, exactly, phishing works and what happens once an account is phished? While there are any number of reasons why someone might try to gain access to someone’s email or Facebook account or Twitter account, the most common reason for bulk phishing attempts is simply to make money via spam.

Perhaps you’ve noticed that after a phishing attack there are increases in waves of spam; these waves are often interspersed with additional waves of phishing. This is generally because the phishing is meant to gain access to accounts with which to spam. A sample attack might involve a mass phishing attempt — say, a faux log-in screen for a service — that then takes the account credentials gained by such an attack and divides them into three batches. 

The first batch — we’ll call it Round 1 — is used to, say, send out spam via public message. Maybe a status update, maybe an @ reply, maybe an email to a list of non-contact email addresses. This is pretty easily detected and generally these accounts have their passwords reset. Perhaps messages are tested to determine what will result in higher clickthroughs; perhaps it’s used to test analytics on the messages posted; generally, though, this round does less damage than Round 2.

The second batch — Round 2 — is perhaps used to send out spam via private message or DM or email to known contacts. Since folks receiving these messages are receiving them from friends (or acquaintances), it’s more likely that they’ll view the message with the expectation of legitimacy, increasing the chance of clickthroughs or views. 

The third batch — Round 3 — is reserved for another round of phishing, resulting in another round of compromised accounts, resulting in additional rounds of spam, resulting in additional rounds of phishing, and so on — spammers gonna spam.

Services regularly reset passwords on accounts that post or send messages that indicate they’ve been compromised; the reason, though, that these attacks are hard to stop quickly is because not all accounts that are compromised will display behavior that indicates they’ve been compromised.

Things to keep in mind: don’t follow sketchy links, don’t enter in your credentials (login/email address/password) into sites that you aren’t sure are legit, and don’t use the same password on multiple sites, as doing so will simply prolong the attack and give the attacker access to your account on multiple services. For more information on account safety (with a Twitter focus), check out this help page from our Help Center: http://support.twitter.com/articles/76036-safety-keeping-your-account-secure.

Content Agnosticism

My role at Twitter is to enforce our policies (which are by nature agnostic to specific beliefs and viewpoints) and protect (as well as fight for) our users.

I use my Twitter account (@delbius) to interact not only with users but also with friends. I answer what questions I can; I direct people to what help resources I know of; I provide links to policies and protocols when asked; I tell bad jokes; I share news and information that I find interesting, relevant, or important. I do not use my Twitter account to argue with people over whether or not I am doing (or not doing) something because I believe (or don’t believe) something else. Regardless of past accusations levied, I am not a godless commie, a treehugging bleeding-heart liberal, or a Nazi right-winger, or any other combination of those words. I am content-agnostic.

I am content-agnostic because Twitter does not mediate content, including potentially inflammatory content; Twitter is a communications platform, not a content mediator. I am also content-agnostic because the removal of content does not in and of itself resolve the issue that led to the content being posted in the first place. Finally, I am content-agnostic because the removal of content often leads to more of the same content being posted, and I am firmly of the belief that the correct answer to “bad” or “wrong” speech is more “good” speech. Related: the Streisand Effect.

All of this is to say, then: I will answer your questions and I will provide you with assistance as best I can, but casting aspersions on how and why I do my job the way that I do will result in me not answering you further.

#wikileaks

We’ve sent reporters and the like this information already, but I’ve seen a lot of @ replies from folks asking about this, so, from our comms team, here it goes in an easily-linkable-for-me-format:

Twitter is not censoring #wikileaks, #cablegate or other related terms from the Trends list of trending topics.

Our Trends list is designed to help people discover the ‘most breaking’ breaking news from across the world, in real-time. The list is generated by an algorithm that identifies topics that are being talked about more right now than they were previously.

There are a number of factors that may come into play when seemingly popular terms don’t make the Trends list. Sometimes topics that are popular don’t break into the Trends list because the current velocity of conversation (volume of Tweets at a given moment) isn’t greater than in previous hours and days. Sometimes topics that are genuinely popular simply aren’t widespread enough to make the list of top Trends. And, on occasion, topics just aren’t as popular as people believe.
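To make the three reasons above concrete, here is an added toy model of a velocity-based trend gate (my own example, not Twitter’s algorithm): a topic must clear an absolute volume floor, be spread across enough distinct posters, and be accelerating relative to its own recent baseline. The hourly counts, poster counts and thresholds are constructed for illustration.

```python
# Thresholds are assumptions for this example, not Twitter's real parameters.
MIN_VOLUME, MIN_POSTERS, MIN_VELOCITY = 50, 100, 1.5

# Constructed per-hour tweet counts (oldest first) plus distinct posters in the latest hour.
SAMPLE_TOPICS = {
    "#wikileaks": {"hourly": [900, 950, 1000, 980, 1010, 990], "posters": 800},  # huge but steady
    "#snowday":   {"hourly": [5, 10, 30, 120, 400, 900],      "posters": 650},  # accelerating
    "#myband":    {"hourly": [5, 8, 10, 12, 60, 300],         "posters": 7},    # one fan club
    "#kitten":    {"hourly": [2, 3, 2, 4, 3, 5],              "posters": 5},    # negligible
}

def velocity(hourly, baseline_hours=5):
    """Current hour's volume divided by the mean of the preceding baseline_hours."""
    window = hourly[-(baseline_hours + 1):]
    previous, current = window[:-1], window[-1]
    mean_prev = sum(previous) / len(previous)
    return current / mean_prev if mean_prev else float("inf")

def explain(topic):
    """Why a topic does or does not make the list, mirroring the three reasons in the post."""
    hourly, posters = topic["hourly"], topic["posters"]
    if hourly[-1] < MIN_VOLUME:
        return "not popular enough"
    if posters < MIN_POSTERS:
        return "not widespread enough"
    if velocity(hourly) < MIN_VELOCITY:
        return "steady, no acceleration"
    return "trending"

def trends(topics):
    """Topics that pass all three gates, ordered by velocity (highest first)."""
    passing = [(name, round(velocity(t["hourly"]), 2))
               for name, t in topics.items() if explain(t) == "trending"]
    return sorted(passing, key=lambda pair: -pair[1])
```

Note how the highest-volume topic in the sample is the one that does not trend: its conversation is large but no faster than it was in the previous hours.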

Dir. of Trust and Safety, or: How I Learned to Stop Worrying and Let my Team Do Their Job

When I started working at Twitter in October of 2008, my assigned territory resembled nothing so much as the proverbial Wild West of the olden days — lawless, sprawling, and full of tumbleweeds. As the only person at Twitter solely focused on the problem of spam, I had free rein to develop policies as I saw fit. Over the next two years, my areas of responsibility expanded to include policy creation and enforcement, legal support, and API policy creation and enforcement. Along with these expanding responsibilities came an expansion in staff — what was once just me became me plus 17 others plus a four-person engineering team dedicated to Trust and Safety’s needs. While this expansion was hugely necessary and greatly anticipated, the hiring of these smart, talented, immensely capable team members was also a little terrifying for a control freak like me, particularly in light of the many months I spent doing all the work and dealing with all the problems by myself.

Even though I was filled with a mild sort of panic over these other people doing my job, I had every intention of being the very best manager possible. My spam team was increasingly capable of handling all of the tickets filed and determining the sorts of algorithmic adjustments needed to make our reports function at maximum efficiency; as a result, I started forcing myself to be more hands-off and instead making myself available to talk about side projects, proposed over-arching system changes, and needed changes in staffing and resource levels. Still, I more than once fell prey to the easiest trap of all: you see a problem that the team is wrestling with, you know the solution that worked last time, you tell them the solution, the problem is “fixed,” and you walk away with a sense of pride and achievement, having helped your team through a tough problem that could have taken them much longer to figure out and fix on their own.

There are a few things wrong with the above scenario. First, stepping in to solve a problem without waiting for your input to be solicited indicates to your team that a) you have a lack of faith in your team’s ability to solve the issue without your assistance and b) you don’t trust your team to come to you with questions they might have. Second, it reeks of micromanagement. Third, in a worst-case scenario, it can promote an attitude within the team that the real ownership for problems belongs to you, not to them, and that they do not really need to think up solutions themselves since you’ll swoop in and save the proverbial day. Not only does this approach not scale, it also hamstrings your team’s ability to grow and gain confidence in their own judgment. If, instead, you make yourself available to your team to give advice and/or insight when it is solicited, your team is more likely to feel confident in their choices and, as a bonus, consult you more for a final sign-off on a proposed solution rather than the quagmire-filled first steps through an old problem.

I took these truths I learned from dealing with the growth of my spam team and applied them to my other divisions and, in the process, had a few more (to me) revelations. The first of these is simply this: the people who do the work should write the policies about how the work they do should be done. By getting involved in the development of these policies, I was once more unwittingly hindering my team more than I was helping them. Due to the nature of my role as the director of the department, any suggestions I made about how something might/could/should be done carried unfair weight and had the possibility of putting a premature end to a team-centered discussion that in the long run might have come up with a better solution. Changing my role here to once more be the person who gives feedback when it’s solicited and signs off on the final draft led again to a team more comfortable in their roles and their judgment calls, as well as underscoring my faith in them. 

The second revelation was that the more power you give people over determining how their days at work are spent, the happier they are. This can’t be half-hearted, though — you have to genuinely believe that your employees are not only capable but also dedicated and that they are doing this job because this is the job that they want to do. Platitudes here will result in this whole system failing. If, though, you can say to your team, “We agree that these are the things that must be done. How they are done will be up to you. If you do them and find yourself with free time, find other things to do that will make your work easier for you or more enjoyable for you and then do them” — if you can say this and mean it and have faith that they will follow through — then your staff is going to feel more valued and trusted. Employees empowered to make judgment calls about how their time is spent and what extra projects they take on are more likely to be happier and care more about the work they’re doing. You want your employees to be as invested in the work that they are doing as you are in the work that you are doing; and if either of these investments is lacking, that’s a sign of a much larger problem.

My final revelation was one that seems naive but has thus far stood me in good stead — work should be as fun as possible; teams should be as cohesive as they want to be; and worrying about the “little things” — what time someone arrives at or leaves work, if people are chatting online with friends or browsing a website — is one of the fastest ways to destroy a perfectly good team. I’m lucky enough to have a remarkable team, mind you, and I’m sure not every manager is in as enviable a position. However, it always seems strange to me when I see people working closely together but lacking any sense of camaraderie. Whatever “this” is, from organization to organization and from team to team, you’re in “this” together, so why not share stories, successes, failures, irritants, and amusements? Likewise, when you have a team clearly invested in doing a good job, leave them alone. Don’t nag about things not being done the way you would do them unless you have (non-anecdotal) evidence as to why a given way is bad or won’t work. Be there when you’re needed, be available when you’re sought out, and otherwise put your trust in your team and — at least in my experience — they’ll put their trust in you.