social networking

bus tracker!

Recently, the Chicago Transit Authority released its CTA Bus Tracker API. For those of you who don't live in Chicago, CTA Bus Tracker is just about the greatest thing ever. It allows you to look up online, in real time, when the next bus is coming to a stop. It was rolled out over the last few years, and within the last year or so, has been available for every bus. My only major complaint about it was that it was only available via the Bus Tracker website, so if you did not have a smartphone with a web browser, you were out of luck. But, there was very little I could do, since there wasn't an open API for accessing their Bus Tracker data.

Yesterday, I saw a few tweets about various Canadian public transit systems that had opened their APIs to varying degrees. Curious, I looked up whether CTA had done anything in the last few months to open up the Bus Tracker API. They had! Back in September, they posted it online. They require you to make an account on Bus Tracker and apply for a developer key, so I decided to go for it and see if they'd allow me to start using it.

...and, I got my developer key this afternoon!

This led to me spending the vast majority of the afternoon and early evening playing around. The Bus Tracker API itself is pretty straightforward, but I hadn't yet learned the Python commands for creating DOM objects and parsing XML. (In fact, I didn't even know what a DOM object was until this afternoon--I just assumed that there had to be an easier way to parse XML than parsing it with regular expressions or pattern matching within the strings.) At this point, I have gotten the hang of pulling the Bus Tracker XML data and parsing it, which means that I can start to do something useful.

My thought is to do a Twitter interface. I enjoy working with the Twitter API, and back when I didn't have a smartphone (but could use Twitter by SMS), I wished there was a way I could text for bus times. A good Twitter interface for Bus Tracker would solve that problem.

Of course, the challenge is going to be crafting a "good" interface. The code is not going to be the difficult part. Finding a way to make a Twitter interface that is intuitive to use is going to be the difficult part, since there is so much information that Bus Tracker needs to give the user the times: bus route, direction, and stop. The difficulty will come because people will format their queries in different ways (for example, referring to the same stop as either Belmont and Sacramento or Sacramento and Belmont or Belmont/Sacramento or Belmont & Sacramento, et cetera), and it would be extremely obnoxious for the user to have to be all that picky about their formatting or street name order if they are rushing to find out when their bus is going to come.
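Here is a sketch of how the two halves of that problem fit together: parsing the XML with a real parser instead of regexes, and normalizing the user's free-form query so that "Belmont and Sacramento", "Sacramento/Belmont" and "Belmont & Sacramento" all land on the same stop. This is an added example, not code from the bot or from the CTA; the XML below is constructed, and its element names (prd, rt, rtdir, stpnm, prdtm) are assumptions for the example rather than the documented Bus Tracker schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample response for this example. The element names (<prd>, <rt>,
# <rtdir>, <stpnm>, <prdtm>) are assumptions, not the documented Bus Tracker schema.
SAMPLE_XML = """<?xml version="1.0"?>
<bustime-response>
  <prd><rt>77</rt><rtdir>Westbound</rtdir><stpnm>Belmont &amp; Sacramento</stpnm><prdtm>20091016 18:42</prdtm></prd>
  <prd><rt>77</rt><rtdir>Westbound</rtdir><stpnm>Belmont &amp; Sacramento</stpnm><prdtm>20091016 18:55</prdtm></prd>
  <prd><rt>52</rt><rtdir>Northbound</rtdir><stpnm>Sacramento &amp; Belmont</stpnm><prdtm>20091016 18:47</prdtm></prd>
</bustime-response>
"""

# The ways people write an intersection: "Belmont and Sacramento", "Belmont/Sacramento",
# "Belmont & Sacramento", "Belmont at Sacramento". Word boundaries keep "Grand" intact.
SEPARATORS = re.compile(r"\s*(?:\band\b|\bat\b|&|/|@)\s*", re.IGNORECASE)
DIRECTION = re.compile(r"^(n|s|e|w)(?:orth|outh|ast|est)?(?:bound)?$", re.IGNORECASE)
ROUTE = re.compile(r"^\d{1,3}[a-z]?$", re.IGNORECASE)


def stop_key(name):
    """Canonical form of an intersection: lowercase street names, sorted, joined by '/'.
    'Belmont and Sacramento' and 'Sacramento/Belmont' both become 'belmont/sacramento'."""
    parts = [p.strip().lower() for p in SEPARATORS.split(name)]
    return "/".join(sorted(p for p in parts if p))


def parse_query(text):
    """Turn a free-form request into (route, direction, stop_key).

    The route is the first token that looks like a route number, the direction the
    first token that looks like a compass direction ('w', 'west', 'westbound'), and
    everything else is treated as the stop. Leading @mentions (the bot's own handle)
    are ignored. Route and direction are None when the user did not give them."""
    route = direction = None
    rest = []
    for tok in text.split():
        if tok.startswith("@"):
            continue
        if route is None and ROUTE.match(tok):
            route = tok.upper()
            continue
        m = DIRECTION.match(tok)
        if direction is None and m:
            direction = m.group(1).lower()
            continue
        rest.append(tok)
    return route, direction, stop_key(" ".join(rest))


def parse_predictions(xml_text):
    """Pull each prediction out of the XML with a real parser instead of regexes.
    (For XML fetched from the network, defusedxml's fromstring is the safer drop-in.)"""
    root = ET.fromstring(xml_text)
    preds = []
    for prd in root.findall("prd"):
        m = DIRECTION.match(prd.findtext("rtdir", "").strip())
        preds.append({
            "route": prd.findtext("rt", "").strip().upper(),
            "direction": m.group(1).lower() if m else None,
            "stop": stop_key(prd.findtext("stpnm", "")),
            # "20091016 18:42" -> "18:42"; keep just the clock time for a reply
            "time": prd.findtext("prdtm", "").strip().split(" ")[-1],
        })
    return preds


def lookup(query, xml_text):
    """Arrival times matching the user's route, stop and (if given) direction."""
    route, direction, stop = parse_query(query)
    return [p["time"] for p in parse_predictions(xml_text)
            if p["route"] == route and p["stop"] == stop
            and (direction is None or p["direction"] == direction)]


if __name__ == "__main__":
    for q in ("77 westbound Belmont & Sacramento", "@busbot 52 Sacramento and Belmont"):
        print(q, "->", lookup(q, SAMPLE_XML))
```

The canonical stop key is what makes the ordering problem go away: whichever way the user writes the cross streets, sorting them gives the same key as the one computed from the stop name in the feed. Direction is optional on purpose, since someone in a hurry will often leave it out, and a missing direction just returns both directions' times.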

twitter data leak

This afternoon, I was reading my Twitter feed, and @n3tg33k retweeted a twitter.com address: twitter.com/server-status. Since I'm mentioning it on here, I'm sure you know it doesn't refer to a Twitter username @server-status, but rather is a link to a page that displays server status information for some of Twitter's servers. A few minutes after seeing that link on my feed, there was another retweet from @agent0x0, referencing twitter.com/balancer-manager--another page with server information that probably should not be publicly available.

Out of curiosity, I decided to poke around to see if I could find any more data leaks on there. My original tactic was rather haphazard: I found a list of standard Apache modules, and brute-forced some URLs based on them. However, I got a much better idea--since these were public-facing pages, maybe I should try a little Google hacking before I spent the rest of my day trying to read the minds of the webmasters at Twitter. Since both of the data leaked pages I had heard about so far were web server status pages, I Googled "Apache/2.2.11" site:twitter.com and looked through the results.

A link to server-status showed up on the first page in the initial list. The link to balancer-manager didn't show up in the initial result set, although when I asked Google to show similar results, balancer-manager showed up as well as server-status. However, these were the only two Twitter data leak pages that showed up under that search; the rest of the approximately fifty hits were from Twitter users who tweeted about installing that version of Apache, or tweeted lines from Apache status pages for whatever reason. I double-checked by searching Google for the entire Server Version line (Apache/2.2.11 (Unix) PHP/5.1.6 mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5); this only returned the same two data leak hits as before. Of course, this is not to say these are the only two data leaks on Twitter.com. There may be more lurking, connected to things other than Apache/2.2.11, or not yet cached by Google. But, there are at least two that have been cached, as well as passed around the social media security geek corners of Twitter--and that's two too many.

What does this mean? It means that Twitter should change its settings so that these two pages are accessible by their server administrators, but not the public at large. It also means that if you are responsible for maintaining a website, you should make sure that all of the pages created by your web server that are meant for internal monitoring and maintenance are kept just that: internal. A server-status page hands out the exact server and module versions, uptime, and (with extended status turned on) the requests currently in flight and the clients making them; a balancer-manager page goes further, since it is not read-only but lets whoever can reach it change how requests are routed to the backend servers. If someone malicious knew what they were looking for, they could find that information, check it against known vulnerabilities in those exact versions, and exploit them. Having to defend against exploits is inevitable when running any computer system, of course, but there is no use in making it easier by leaving internal server monitoring and maintenance data exposed.
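Since both of these pages come from stock Apache handlers, the fix is a few lines of configuration. The fragment below is an added example, not Twitter's configuration; it uses Apache 2.2 access-control syntax to match the version in the banner above, and the 127.0.0.1, ::1 and 10.0.0.0/8 addresses are placeholders for whatever loopback and admin network you actually use.

```apache
# Before: the status page is reachable by anyone who knows (or Googles) the URL.
<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>

# After: same handler, but only loopback and the admin network may reach it.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1 10.0.0.0/8
</Location>

# The balancer manager deserves the same treatment, since it can change routing, not just show it.
<Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1 10.0.0.0/8
</Location>

# Trim the version string from the Server header and error pages. This does not replace
# locking the pages down; it just makes the site harder to find with a version search.
ServerTokens Prod
ServerSignature Off
```

If you do not actually use mod_status or mod_proxy_balancer, the better answer is not to load them at all. Either way, check the result from outside your network: a request for /server-status from a non-admin address should come back 403, and the page should drop out of the search results once Google recrawls.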

Epilogue: It appears that Twitter has blocked access to these two pages. For a few minutes, I was getting a page that told me that they liked my enthusiasm, but I was rate-limited to prevent abuse and should try again in 60 minutes. This happened when I tried to access either of the aforementioned URLs. This happened not only from my computer from which I was doing all of the poking around and reloading, but also from my smartphone, which I had not yet used to access either of the data leak URLs.

Within ten minutes after first seeing the rate limit pages, I was getting 403 Forbidden errors instead.

Tangential to the data leak weirdness, it's interesting to see a rate limit web page on Twitter. I've had plenty of experience and frustration dealing with rate limits on API calls, since I've written some rather API-call-intensive Twitter bots in the past. However, I've never seen any documentation about rate limits on Twitter's web interface--either a limit on the number of times a certain user or IP address can reload a Twitter web page, or on the number of times that users in general can access a page per hour.

Has anyone else who is reading this seen a web page that said they were rate-limited, or do you have any knowledge about any restrictions Twitter has on how many times a web page of theirs can be accessed? I would be interested to know.

phishing in the Waves

It seems like the hottest thing on the internet right now is a Google Wave invite. The day that Google began to offer Wave invites, I felt like I was the only person on my Twitter feed who was not tweeting either about the fact that she had one, or the fact that she wanted one. Since then, I still see some tweets about it, but it has mainly calmed down on my feed.

However, Twitter is still abuzz with people passing links to supposedly free Wave invites around. It seems simple enough to the uninitiated: give some website your Twitter name and your email address, retweet the link to their website, and get your hands on one of thousands of invites. Sounds simple, right?

But...anyone can put up a site claiming that they have Wave invites, or anything else. It has all the marks of a scam: someone you don't know has harvested your email address, and can send whatever spam they want to you. They've also matched your email address to your Twitter account, which makes it easier to break into your accounts, especially if you reuse the same password for both.

I was having a conversation about this with Hellekin on Twitter earlier today, and he suggested putting up a site that culled the tweets that passed around the spam links, and call the people out on the fact that it's probably a scam. I am not all that adept at putting up websites--however, I really do enjoy making Twitter bots, and started becoming very good friends with the Twitter Search API last week, while writing an IRC bot that (among other things) searches for tweets that reference my hackerspace. Thus, I took a little code from that IRC bot, took a little other code from the Kanye Bot, tweaked it a little bit, and made a bot that digs up tweets that are likely to be from people who have fallen for the scams. It lightheartedly tells them that their email address has now been taken by a scammer, and advises them that it may be good to change their password.

The bot is posting at @WavePwned. Right now, the way it's coded, it hits a few false positives, since the search terms are "google wave invite http:". So, in addition to hitting people who are tweeting links to spam sites about Google Wave invites, it also hits people who are linking to articles about Google Wave invites. However, it is almost impossible to craft something more specific and still hit such a large number of the people propagating these phishing links, since so many new links are made with the same kind of spam, and the phrasing of the spam tweets changes so often.
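One way to cut down the false positives without hardcoding the scam sites' ever-changing links is to use the scam's own spreading mechanism against it: a retweet-to-get-an-invite site shows up as one link host being pushed by many different users, while an article about Wave is usually one host linked by one person. The code below is an added example of that triage over a few constructed tweets, not the @WavePwned bot's code; the PHRASE regex approximates the search terms above, and the KNOWN_PUBLISHERS allowlist is an assumption for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample tweets as (user, text). Neither the users nor the links are real.
SAMPLE_TWEETS = [
    ("alice", "Free Google Wave invite! RT and sign up at http://wave-invites.example/ #googlewave"),
    ("bob", "google wave invite giveaway, just retweet http://wave-invites.example/"),
    ("carol", "RT @bob: google wave invite giveaway, just retweet http://wave-invites.example/"),
    ("dave", "Good writeup on how the Google Wave invite system works: http://news.example/wave"),
    ("erin", "how do i get a google wave invite? http://wave-invites.example/"),
    ("frank", "Lunch was great, thanks everyone!"),
]

# Roughly the bot's search terms: the phrase plus a link.
PHRASE = re.compile(r"google\s+wave\s+invite", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"'<>]+")

# Sites known to write about Wave rather than hand out invites. Assumed allowlist.
KNOWN_PUBLISHERS = {"news.example"}


def matches_search(text):
    """The coarse filter the bot runs on search results: the phrase plus a link."""
    return bool(PHRASE.search(text) and URL.search(text))


def link_host(text):
    """Host of the first link in the tweet, or None if there is no link."""
    m = URL.search(text)
    if not m:
        return None
    host = urlparse(m.group(0)).hostname
    return host.lower() if host else None


def triage(tweets):
    """Group matching tweets by link host, dropping known publishers.

    Returns {host: sorted list of distinct users pushing that host}. A scam site
    stands out as one host spread by many users; an article is one host, one user."""
    by_host = defaultdict(set)
    for user, text in tweets:
        if not matches_search(text):
            continue
        host = link_host(text)
        if host and host not in KNOWN_PUBLISHERS:
            by_host[host].add(user)
    return {host: sorted(users) for host, users in by_host.items()}


def likely_victims(tweets, min_spreaders=2):
    """Users worth warning: anyone linking a non-publisher host that at least
    min_spreaders distinct users are pushing."""
    return sorted(user
                  for users in triage(tweets).values() if len(users) >= min_spreaders
                  for user in users)


if __name__ == "__main__":
    print(triage(SAMPLE_TWEETS))
    print(likely_victims(SAMPLE_TWEETS))
```

In the sample, dave's tweet matches the raw search (it has the phrase and a link) but is dropped because his link goes to a publisher, while the four people spreading the same invite site are flagged. The min_spreaders threshold is the knob: raise it to warn fewer people with more confidence, lower it to catch a scam link the moment a second person retweets it.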

Hopefully, this little bot will alert at least a few people to what a hoax all of these Google Wave invite sites are, and make them think a little more before giving some random website their information. The morals of the story: if it sounds too good to be true it probably is, and think before you give out your social networking or email address information.

(thanks, @hellekin, for the idea!)

Friday, October 2: hang out with Pumping Station: One!

This Friday night, from 5:00pm until late, Pumping Station: One is hosting a get-together at Howl at the Moon!

If you live in Chicago (or will just so happen to be passing through this weekend) and want to get to know the hackerspace community in town, this is a great opportunity! This party is open to everyone, and the first 100 people who show up between 5:00pm and 7:00pm get two $1 drinks. There will be other drink specials all night for everyone, so even if you can't come before 7:00, the party will be going on well into the night.

Howl at the Moon is at 30 W. Hubbard St., in downtown Chicago. If you have any questions about it, send me an email, and I'll let you know any more details that you need.

I hope you can come out!

tweet my WHAT?

Just because Twitter is ubiquitous doesn't mean that it should be applied to everything.

Case in point? Vantage Credit Union has introduced a new feature called tweetMyMoney. It is exactly what it sounds like: people can now send bank account management commands--and receive bank account information--through Twitter. People can check balances, transfer funds between accounts, check recent transactions, and check recent holds.

The first question on the tweetMyMoney FAQ supposedly touches on why the feature is secure. It reads:

Q. How is mobile banking using Twitter secure?
A. As always, your account security is our utmost priority. When you use tweetMyMoney to access your account information, keep in mind that the information provided DOES NOT include account numbers, passwords, PINs or any other secure information. Also, tweetMyMoney uses the application’s direct message feature so no one else sees the account information you request.

Really?

Sensitive information should simply not be transmitted via Twitter. There's always the risk of a DM fail, where a message meant as a private direct message goes out as a public tweet: if you accidentally tweet @myvcu without using a direct message, you are in effect announcing to the entire internet that you are using tweetMyMoney, and that control of your Twitter account gives whoever holds it at least some control over your bank account. Furthermore, your Twitter direct messages are not encrypted--so, if someone is watching the network, they can have your username, your login credentials, and the fact that you use this service, even if you sent a direct message. They can also see what the credit union is sending back to you--including your account balances, as well as the code that supposedly authenticates that the message is from Vantage and not from someone else. If they're sending the code to you unencrypted, you get no assurance that the code hasn't been stolen.

I'm sure I'm just scratching the surface here, and that there are even more security flaws in this that I have yet to think of. I hope other banks don't follow suit on this, and I hope Vantage jettisons this feature soon. Otherwise, there could be some serious issues on the horizon.

(hat tip to @nickhacks for telling me about tweetMyMoney.)

fun with python-twitter

Sometimes, coding is serious business.

And, sometimes, coding is not serious business at all.

I've done a little bit of playing around with Twitter in the past. Last year, I wrote a simple Twitter client bash script, so I could update my status from the command line. I've gotten some work done on a Twitter bot that actually tries to fool people into thinking it is human. I haven't put it online yet, since I need to finish writing the content that implies that this bot is up to interesting things during different parts of different days.

However, this morning, Rob T Firefly gave me the idea to take that silly Kanye West internet meme and turn it into a Twitter bot. Right now it polls the public timeline every thirty seconds, and searches for tweets that say "thanks" or "thank you." If it finds any such tweets, it responds to the writer of the tweet and tells them that it is happy for them and will let them finish, but that whoever tweeted just before them in the public timeline had one of the best tweets of all time. I am also adding functionality that spits back a random Kanye West quote from a list if anyone @ replies to the bot.

The code is still a work in progress, but the latest version of it is up on my projects page. I'm quite pleased that it has been running on Twitter for about ten hours so far, and the account has not yet been deleted for being a spam bot.

five things you might not know about nicolle (rogueclown) neulist...

This morning, Andrew Hay borrowed a page from the Facebook playbook, posted five facts about himself in his security blog, and tagged a handful of people to play along. One of them, Erin Jacobs, tagged me. Although I am going to adhere to my longstanding policy of not tagging anyone else to do a meme that I have chosen to do, I do think it's a fun way for you to get to know me a little better, especially since my site is so new and since I am so new to the community. As Erin so wisely did, I am going to try and keep the facts at least slightly professional, so it can remain responsive and interesting to this site's intended audience.

Without further ado, here are five things you may not know about me:

  1. I can't shake the idea that I would be even geekier than I already am if my family had owned a computer with a command line interface when I was a girl. Instead, my family's first computer was a Macintosh 512 that it got when I was three years old, and its second was a Macintosh Classic it got when I was ten or eleven.
  2. When I first got into computer programming, in middle school, the only computers my family had were those Macs. We didn't have any kind of BASIC interpreter for them. So, my programming process involved writing my BASIC code on notebook paper, typing it into the school computers if I had the chance to do so, and translating all of my code to the Texas Instruments graphing calculator language so I could run my code on my calculators away from school.
  3. It always made me sad that I did not have a Commodore computer when I was younger. I finally fulfilled that dream earlier this year when a fellow member of Pumping Station: One gave me a Commodore 128. I am especially proud of the musical suite I composed on it for PS:One's Geek Prom in June of this year, and I plan to post the code from that project on this site as soon as I once again have a functioning cassette drive which I can use to access the code.
  4. I have an almost obsessive desire to know how things work at the deepest possible level. I started teaching myself Python last year. It's great for rapid prototyping, but many of the calls felt way too much like black boxes to me. As such, I decided that the only logical response would be to teach myself C. I find C more satisfying still, but I can't shake the idea that there are things under the hood that I could understand better. I know that the next step in this trajectory will involve learning assembly language, although I know myself too well to call this the "end" of this trajectory.
  5. Doing this meme is reminding me of a comment that Tom Eston made in one of his talks (the one at Notacon, if I remember correctly): that the 25 Things meme on Facebook was a clever way for malicious people to suss out the answers to your password questions on social networking sites. As such, I have been extra-vigilant in writing these in order to make sure that these answers do not touch upon my internet security questions.

Hopefully some of this gives you all a better idea of how I tick.