[Owasp-leaders] Social Media - thunderclap quite excessive in what access rights it demands

Jonathan Marcil jonathan.marcil at owasp.org
Wed Nov 13 21:01:10 UTC 2013


If I understand correctly, Thunderclap is the crowd sourcing of social
media buzz. So when the goal is reached, a message is posted to your
timeline/feed by Thunderclap.

At that point you must trust Thunderclap with your "tweets" the same
way people trust Kickstarter with their money.

If you remove the rights then I suppose it removes the backing since
that's the whole point of Thunderclap. If on their side they want to
trust you, they must analyze some data and that would justify all the
required rights.

BTW I used the @owaspmontreal Twitter account to do so; that way it doesn't
mix with my own Twitter account, and automated messages are acceptable to
me with that account with no privacy concern. I would suggest doing the
same if you have privacy concerns, but don't register a stub account with
no followers since it won't help anyway.

See you all at AppSecUSA!

- Jonathan



On 2013-11-13 15:46, Michael Coates wrote:
> For comparison on the Twitter permissions:
> 
> For twitter they requested _all_ of these rights:
> - Read Tweets from your timeline.
> This is already possible for all twitter accounts (unless you've made
> your twitter account private)
> 
> - See who you follow, and follow new people.
> It is already possible to see who you follow (unless you've made your
> twitter account private).
> Following new people - I haven't heard that they do this at all.
> Suspicious actions would of course reflect poorly on them.
> 
> - Update your profile.
> Agreed. This seems unnecessary. Abuse would not reflect well on Thunderclap.
> 
> - Post Tweets for you.  (this is the only one I can understand and
> wanted to grant.)
> This is the purpose of ThunderClap.
> 
> 
> Here's the FAQ for ThunderClap: https://www.thunderclap.it/faq
> 
> For what it's worth Mozilla used ThunderClap several times and they are
> very privacy conscious.
> 
> And lastly you can always remove access via twitter at any point.
> 
> 
> But, of course make the right decision for you. This is a nice way to
> raise awareness if it feels right for your situation. There are many
> other ways everyone is supporting.
> 
> 
> -Michael
> 
> --
> Michael Coates | OWASP | @_mwc
> 
> 
> 
> On Wed, Nov 13, 2013 at 12:11 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> 
>     Hi Tom,
> 
>     please forgive me for a small humble comment:
>     I just looked at the thunderclap link you gave and really wanted to
>     do this.
>     But when I went through the approval process for giving access to
>     one of my accounts, it was scary to what excessive degree they want
>     permissions. In the end after careful consideration I could not
>     bring myself to give that many access rights to thunderclap. :-(
>     I am fully supporting the cause and will post, re-tweet messages to
>     support our conferences but really felt that for me as a security
>     person that giving away such excessive access rights is not acceptable.
> 
>     To give you some indication why I find this excessive:
>     For twitter they requested _all_ of these rights:
>     - Read Tweets from your timeline.
>     - See who you follow, and follow new people.
>     - Update your profile.
>     - Post Tweets for you.  (this is the only one I can understand and
>     wanted to grant.)
>     For Facebook:
>     - Thunderclap will receive the following info: your public profile
>     and friend list.
>     (From my understanding the only thing they need is the right to post
>     a message to my timeline.)
> 
>     I can not see a reason why this company needs all that information
>     and access rights.
> 
>     Anyway, all the best and rest assured I will tweet/re-tweet about
>     the event independently. 
> 
>     Best regards, Tobias
> 
> 
>     On 13/11/13 19:49, Laicana Coulibaly wrote:
>>     I just did it.
>>
>>
>>     On Wed, Nov 13, 2013 at 7:04 PM, Michael Coates
>>     <michael.coates at owasp.org> wrote:
>>
>>         Great idea Tom!
>>
>>         For anyone that's not familiar on how Thunderclap works we
>>         have to hit the minimum number of supporters for our message
>>         to be sent at all. If we don't hit that minimum then none of
>>         the publicity is gained from the people that vouched support.
>>
>>         In other words, please do sign up and help spread awareness
>>         for one of our largest fundraisers of the year.
>>
>>         By the way, it's going to be an amazing event. There's still
>>         time to register if you haven't already.
>>
>>         See you there.
>>         -Michael
>>
>>
>>         --
>>         Michael Coates | OWASP | @_mwc
>>
>>
>>
>>         On Wed, Nov 13, 2013 at 10:32 AM, Tom Brennan - OWASP
>>         <tomb at owasp.org> wrote:
>>
>>             Thunder Thunder Thunder… ok maybe you were not a
>>             Thundercats fan… but we know you LOVE OWASP
>>
>>             We are doing an experiment with THUNDERCLAP to raise
>>             awareness and would like your help worldwide.
>>
>>             https://www.thunderclap.it/projects/6403-hackers-hit-time-square-nyc
>>
>>             Thank you in advance for helping spread the word about the
>>             mission 
>>
>>
>>             _______________________________________________
>>             OWASP-Leaders mailing list
>>             OWASP-Leaders at lists.owasp.org
>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
> 
> 
> 
> 

