[Owasp-leaders] Social Media - thunderclap quite excessive in what access rights it demands

Michael Coates michael.coates at owasp.org
Wed Nov 13 20:46:42 UTC 2013


For comparison on the Twitter permissions:

For twitter they requested _all_ of these rights:
- Read Tweets from your timeline.
This is already possible for all twitter accounts (unless you've made your
twitter account private)

- See who you follow, and follow new people.
It is already possible to see who you follow (unless you've made your
twitter account private).
Following new people - I haven't heard that they do this at all. Suspicious
actions would of course reflect poorly on them.

- Update your profile.
Agreed. This seems unnecessary. Abuse would not reflect well on Thunderclap.

- Post Tweets for you.  (this is the only one I can understand and wanted
to grant.)
This is the purpose of ThunderClap.


Here's the FAQ for ThunderClap: https://www.thunderclap.it/faq

For what it's worth Mozilla used ThunderClap several times and they are
very privacy conscious.

And lastly you can always remove access via twitter at any point.


But, of course, make the right decision for you. This is a nice way to raise
awareness if it feels right for your situation. There are many other ways
everyone is supporting.


-Michael

--
Michael Coates | OWASP | @_mwc



On Wed, Nov 13, 2013 at 12:11 PM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Hi Tom,
>
> please forgive me for a small humble comment:
> I just looked at the thunderclap link you gave and really wanted to do
> this.
> But when I went through the approval process for giving access to one of
> my accounts, it was scary to what excessive degree they want permissions.
> In the end after careful consideration I could not bring myself to give
> that much access rights to thunderclap. :-(
> I am fully supporting the cause and will post, re-tweet messages to
> support our conferences but really felt that for me as a security person
> that giving away that excessive access rights is not acceptable.
>
> To give you some indication why I find this excessive:
> For twitter they requested _all_ of these rights:
> - Read Tweets from your timeline.
> - See who you follow, and follow new people.
> - Update your profile.
> - Post Tweets for you.  (this is the only one I can understand and wanted
> to grant.)
> For Facebook:
> - Thunderclap will receive the following info: your public profile and
> friend list.
> (From my understanding the only thing they need is the right to post a
> message to my timeline.)
>
> I can not see a reason why this company needs all that information and
> access rights.
>
> Anyway, all the best and rest assured I will tweet/re-tweet about the
> event independently.
>
> Best regards, Tobias
>
>
> On 13/11/13 19:49, Laicana Coulibaly wrote:
>
> I just did it.
>
>
> On Wed, Nov 13, 2013 at 7:04 PM, Michael Coates <michael.coates at owasp.org> wrote:
>
>> Great idea Tom!
>>
>> For anyone that's not familiar on how Thunderclap works we have to hit
>> the minimum number of supporters for our message to be sent at all. If we
>> don't hit that minimum then none of the publicity is gained from the people
>> that vouched support.
>>
>> In other words, please do sign up and help spread awareness for one of
>> our largest fundraisers of the year.
>>
>>  By the way, it's going to be an amazing event. There's still time to
>> register if you haven't already.
>>
>>  See you there.
>>  -Michael
>>
>>
>> --
>> Michael Coates | OWASP | @_mwc
>>
>>
>>
>> On Wed, Nov 13, 2013 at 10:32 AM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>
>>>  Thunder Thunder Thunder… ok maybe you were not a Thundercats fan… but
>>> we know you LOVE OWASP
>>>
>>>  We are doing an experiment with THUNDERCLAP to raise awareness and
>>> would like your help worldwide.
>>>
>>>  https://www.thunderclap.it/projects/6403-hackers-hit-time-square-nyc
>>>
>>>   Thank you in advance for helping spread the word about the mission
>>>
>>>
>>>  _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>