Mark Trapp

Testing, Testing, 1-2-3

This weekend, Twitter was the target of an extensive phishing campaign and a shady 3rd-party app that sold all its user data. Thousands of people were affected, and even the celebrities and news organizations were not spared. On FriendFeed, a 3rd-party application was introduced last night that produced unintended results: this week should serve as an indicator that we, as early adopters, need to take off our blinders and realize we need to add some thought before we try things out.

Phishing: yes, it’ll happen to you

On Saturday, a new Twitter-based app came out: it promised to send you all of your replies to your email. How genius is that? All it asked was for your Twitter user-name and password, and whether or not you want to support the project. Of course I want to support such an awesome project! Well, it wasn’t stated that ”supporting” the project meant sending out a tweet advertisement as if it came from you. It also didn’t state that it’d sell your data within 24 hours for the “lofty” sum of $1,200.

I’m really serious about the Phishing thing

On Sunday, a different Twitter direct message-based phishing scam broke loose, targeting thousands of Twitter and Facebook users. Within hours, not only were thousands of Regular Joe users taken advantage of, but also celebrities and news organizations like Barack Obama, Britney Spears, Fox News, and CNN’s Rick Sanchez. The deception was simple, and it followed the standard phishing scheme we should all fear from banking: the scammer created a page virtually identical to the Twitter and Facebook login pages and threw it up on a domain that, at first glance, was really similar to the actual legitimate service’s domain. Once the user logged in, the scammer used that user’s credentials to post obsence messages or to perpetuate the phishing scheme.

The reaction, almost across the board, was that this was Twitter’s fault: that they should have better security.1 But in reality, the weakest part of a security policy is an unsuspecting user. A phishing scheme is a con: and every con needs a mark.

Early adopting does not need to be early idiocy

The final incident I’m going to talk about is a new tool, FriendFeed/Disqus Comment Sync. From the 50,000 foot view, it seems like a no-brainer: combine the Disqus comments on your blog with the comments on FriendFeed! Who wouldn’t use this? However, when you get down to sea level, there were major flaws in the product. It breaks user moderation, it syncs long dead blog posts, it strips commenters of their ownership rights, its syncing period breaks the real-time web, and that’s not getting into the general problem in pushing together two different conversations. But people leaped on it like it was the best thing since sliced bread.

On FriendFeed, I called out the people who did, and Steven Hodson of WinExtra gave his justification: ”gee .. welcome to the world of trying new shit .. it doesn’t always go as planned but isn’t that the mantra of Web 2.0 .. build it - test it live and let the chips fall where they may?” and ”hey bud such is the life of being on the edge - we get to bleed first[.]” But being on the bleeding edge does not mean you need to sacrifice reflection and separating a good idea from pretty awful execution. What service are we doing to others, and more importantly to ourselves, by not coming up with a smell test for broken things?

Is this new toy good for the company?

In the always-apt movie Office Space, a soul-crushing Bill Lumbergh unveils Initech’s new motto, ”Is this good for the company?” Mark ”Rizzn” Hopkins used this line not six months ago, but I think it’s time for a reminder: early adopters, you need to ask the same about that new toy you just read about on Mashable or VentureBeat. What, exactly does the toy do? Are you sure about that? What problem does it solve? What information is it asking for? Is that request reasonable? Taking a few minutes to reflect on a new product or service could help social media withstand the peddlers, scammers, con-men, and awful ideas that leech off of innovation and productivity.


  1. Twitter eventually did implement and require OAuth. 


Comments and feedback are welcome and appreciated. Need help on your next project? Let's talk.