Modern Software Experience

2009-03-20

Twitter

TweepMe

TweepMe is an application for Twitter that runs on the tweepme.com website. It is a commercial application. There was an introductory giveaway for the first few thousand signups. The resultant buzz soon backfired, with people calling TweepMe a scam, a trojan and a virus.

why

The TweepMe website makes it very clear why the site exists and why you should start using it right now: TweepMe is the fastest way to accumulate followers on Twitter.

TweepMe is clearly aimed at the new user frustrated with a low follower count. Want to be a big-shot power twitterer with thousands of followers? Twitter status can be yours for a nominal fee. That's what makes TweepMe Awesome!

how

So how does this work? The TweepMe site explains it thus: TweepMe is an opt-in group where we all follow each other on Twitter. For each new member that joins TweepMe, they automatically follow every member, and every member follows them.

Surely you are imagining how this works already; if twenty thousand others join TweepMe, you’ll get 20.000 followers! And oh, If at ANY point a member no longer wishes to participate, they can end their subscription and KEEP their followers! What a sweet deal.

fastest way

First of all, is any of this true? Well, most of it, except that the fastest way to accumulate followers on Twitter is to be listed on Twitter’s own controversial Suggested User Page. That is good for thousands of new followers per day, and it seems unlikely that TweepMe is going to beat that.

follow

It is reasonable to assume that the rest is true enough - just not very complete. The website is quick to point out that you are going to get lots of followers by joining the TweepMe club, but does not follow through by highlighting the other side of this equation; you will be following all the other participants. Perhaps you’ll get 10.000 followers, but only because you will all follow each other. You have to follow those 10.000 other participants.

You cannot realistically expect to read all that, nor to reply to even a fraction of it. It will be an overwhelming, continual stream of tweets, so the only reasonable solution will be to unfollow them all? Gasp! That would be breaking the TweepMe pact, and you just cannot do that. That would be unethical. If you do that, the system breaks down.

That sounds like quite a dilemma, but there is a solution; follow them all, but use some Twitter client that allows you to ignore all their tweets anyway. That way you can have your cake and eat it (of course not, but if you don’t think it through, it may seem that way).

instant gratification?

appeal

The TweepMe website appeals to a desire for instant gratification; just sign up here, and you’ll get the thousands of followers you want. No need to tweet anything, absolutely no need to engage with those followers, just sign up and pay our nominal fee.

That offer sure appeals to the desire for instant gratification, but the TweepMe site does not offer that. The home page states very clearly that the process of new members following you is gradual and happens over the course of weeks or months, depending on the number of TweepMe members.

a few per day

If you sign up now, you may indeed get 10.000 follows from other participants, but you will most definitely not have those 10.000 followers by tomorrow. The site does not promise that; it even warns you that it is not going to happen. You are going to get just a few per day, and it is going to take many days, weeks, months, perhaps even years for all of those followers to appear. And even when they do appear, there is still a very high likelihood that they will at some point quit TweepMe, decide to unfollow everyone, and start over.

follow rate

Here’s a thought for you. It is not yet known at what rate TweepMe is going to hook participants up with each other, nor at what rate participants will undo the follows that TweepMe makes for them. There are various reasons why the net rate will not be very high; unfollows are just one of them. Let’s assume, for the sake of argument, that the net effect is a few additional followers each day.

Anyone who is moderately interesting is likely to do better with just a few tweets every day. If those who signed up with TweepMe get one thousand followers in a year, their own tweets would have got them those in half a year.
TweepMe is for those who are too lazy to put in those few tweets a day to earn their following. TweepMe is for the impatient and greedy who want it now.

overpromise & underdeliver?

Do note that if you sign up and do get a few followers each day, you will not be able to claim that TweepMe overpromised and underdelivered. The website does not promise any particular pace of follower accretion. You may have imagined overnight status when you read about every member following you and stopped reading right there, or did not stop to think about just how gradual TweepMe might turn out to be; your mind was too busy basking in your overnight status change, which TweepMe does not promise.
Even if you were to get just one additional follower per day, and they all unfollowed you the day after, you’d still have no grounds to demand your money back.

buzz & backlash

AlohaArleen

In the many tweets about TweepMe, @AlohaArleen, a twitterer with more than 55.000 followers, features prominently. She was quick to tweet about TweepMe. She encouraged others to sign up and try the new site while it was still in beta, and was the one who got the free signup extended from the first thousand to the first five thousand.

2009-03-16 20:55 AlohaArleen @lezam I don't believe www.tweepme.com has reached 1000 members yet as I just joined for free.

2009-03-16 21:05 AlohaArleen @Kerrysherin Really? www.tweepme.com already got 1000? No more free? Let me try to contact them & C what I can do!

2009-03-17 08:48 AlohaArleen Made arrangements earlier 2day (your yesterday) 4 http://www.tweepme.com 2 extend FREE sign up from 1st 1K to 1st 5000! They’ll be gone soon

Her level of involvement with TweepMe has become a complex subject of intense debate, with many attacking her for what they perceive as advertorial tweets promoting a service that’s a disservice to Twitter.

signup

Say you were one of the first tweeps to hear about TweepMe and decided to check it out. You’d visit the site, enter your Twitter username and password, and click the login button. Now that the promotion is over, your next step would be to register some details and pay your first monthly fee, but if you were one of the first 5000 to do so, you’d get to see the Register for Free button.

TweepMe registration

The dialog above is part of a screen capture of Twitter newbie @nidwid signing up with 1605 free accounts left. Have a good look at that signup dialog. You were probably lured to TweepMe by the promise of a lifetime free subscription, but it is not entirely free. You have to do at least one thing in return: you have to tweet a message that invites others. There are two ready-made messages to choose from. You cannot write your own message. There is an option to not tweet any message, but the text above all three options makes it clear that you need to tweet one of the two ready-made messages to get your free lifetime subscription.

2009-03-17 18:35 nidwid http://www.tweepme.com - the first 5,000 members receive free lifetime subscriptions #TweepMe

The predictable result of this tactic was a steady stream of these messages in the tweet stream, which prompted others to sign up and contribute yet another message to the stream. Soon, Twitter was buzzing about TweepMe.

Nidwid Demo

viral spam

TweepMe surely takes the prize for the worst viral Twitter spam yet.
Since marketroids discovered viral marketing, there seems to be no escaping it, but many of the Twitter services that suggest you spam a viral message to promote their service make you click a button to send the message; they do not demand the message as a condition for your free account.

Then, when you do click that button, you usually find yourself at your own Twitter home page with their message in your edit box; they prompt you to tweet, but leave you in control. It is still up to you whether you want to send it. You don’t have to.

With TweepMe, the service sends the message as soon as you sign up. There is no chance to edit it, no chance to change your mind. As soon as you signed up with TweepMe, you spammed their message to all your followers.
So, if you did sign up with TweepMe, all your followers now know that. You can delete the message, but not their memory, and it will still show up in Twitter search. Google has been diligently indexing those tweets, and various third parties monitor the live Twitter stream.

suspended

Twitter suspended the @TweepMe account and later the @bobbr account too. Many interpreted this as Twitter disliking TweepMe. Both accounts resurfaced using different names, and Bobbr’s story is that the original accounts were suspended for something else he did while developing TweepMe.
That may be true, but it still does not sound great: sorry for the inconvenience, TweepMe is perfectly okay, I merely did something else that wasn’t okay.

scam?

During the rush on the first five thousand accounts there was no need to pay, and TweepMe did not ask for any credit card details or anything like that, but what did raise suspicion about the nature of the site is that TweepMe did not show any method of payment either.

And oh, there was no Privacy Policy, there were no Terms of Service, and no one who had subscribed was noticing a torrential influx of followers yet. In fact, no one noticed a drizzle. Nothing seemed to be happening.
There was just this new site that asked for your Twitter name and password.

In short, to anyone with more than two functioning brain cells, it looked like a poorly executed scam to get Twitter passwords. Soon, various sensible persons, including yours truly, were warning people to stay away from TweepMe and change their Twitter password.

2009-03-17 17:33 TamuraJones #tip TweepMe scam storing passwords? Just what I warned against in "Two Passwords Twitter Tip"! http://tinyurl.com/twotwitip

2009-03-17 17:33 TamuraJones #tip Did you join TweepMe? Change your password. Do it Now. NOW!

Two Passwords

Change your password. That was, is and remains solid advice for anyone who gave it away. You should not give your password to anyone. The Two Passwords Twitter Tip article explains a practical way of dealing with the many Twitter services that want a password: use two Twitter passwords, one for yourself and one for third parties, and switch between them before and after using such a service. It is not perfectly safe, and it is a bit of a hassle, but it is a lot safer than letting all these services in on your one password, and more practical than not using these services at all.

If Twitter were to use two passwords for each account, one power password that lets you do anything and a read-only password that you can hand over to services, you would never have to give out your power password.
I don’t think Twitter is going to do this, however simple it is, because it is already working on supporting the OAuth standard. But just imagine for a moment that Twitter did.
You would never need to hesitate to give out the extra password to third parties, because your account would remain safe from changes (it would still expose everything the account can read, direct messages included, so it is not a free pass either), yet you would still hesitate to give your password to TweepMe. See, TweepMe wouldn’t be satisfied with that read-only password; TweepMe wants your power password to make changes on your behalf.
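What the read-only versus power-password distinction buys you, and what OAuth-style delegation buys on top of it, is easiest to see in code. The block below is an added example of mine, not code from the article, from TweepMe or from Twitter, and it is a sketch of scoped, revocable delegation tokens rather than the OAuth protocol itself. The `SERVER_KEY`, the scope names, the `revoked` set and all users are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, Optional, Set

# Constructed server-side signing key; in a real deployment it never leaves
# the site issuing the tokens (Twitter, in the article's scenario).
SERVER_KEY = secrets.token_bytes(32)

# Which scope each API action needs. A "read" token can look but not touch.
SCOPE_FOR_ACTION = {
    "read_timeline": "read",
    "read_dms": "read",       # read-only still exposes private data
    "follow": "write",        # what a TweepMe-like service needs
    "tweet": "write",
}

revoked: Set[str] = set()     # constructed revocation store, keyed by token id


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, scopes: Iterable[str], key: bytes = SERVER_KEY) -> str:
    """Issue a token bound to one user and one scope set. The password is not in it."""
    claims = {"sub": user, "scopes": sorted(set(scopes)), "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_token(token: str, key: bytes = SERVER_KEY) -> Optional[Dict]:
    """Return the claims only if the signature verifies and the token is not revoked."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims.get("jti") in revoked:
        return None
    return claims


def authorize(token: str, action: str) -> bool:
    """Allow an action only if the token carries the scope that action needs."""
    claims = parse_token(token)
    return claims is not None and SCOPE_FOR_ACTION.get(action) in claims["scopes"]


def revoke(token: str) -> None:
    """Cut off one third party without touching the user's password or other tokens."""
    claims = parse_token(token)
    if claims is not None:
        revoked.add(claims["jti"])


def escalate_attempt(token: str) -> str:
    """A holder of a read token edits the scopes; the signature no longer matches."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["scopes"] = ["read", "write"]
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(forged) + "." + sig_b64


def demo() -> Dict[str, bool]:
    read_token = mint_token("alice", {"read"})          # hand this to a reader app
    write_token = mint_token("alice", {"read", "write"})  # what a follow-exchange needs
    results = {
        "read_token_reads": authorize(read_token, "read_timeline"),
        "read_token_follows": authorize(read_token, "follow"),
        "write_token_follows": authorize(write_token, "follow"),
        "forged_scope_accepted": authorize(escalate_attempt(read_token), "follow"),
    }
    revoke(write_token)                                 # user pulls the plug on that service
    results["revoked_token_follows"] = authorize(write_token, "follow")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the `revoke` step is the one the article's two-password scheme cannot offer: with a shared password, cutting off one misbehaving service means changing the password for every service at once; with per-service scoped tokens, you cut off exactly one.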

account changes

We trust many Twitter related sites with our password, because we don’t think they are going to make changes to our account. With TweepMe, the whole idea is to let it make changes to your account. You may be in it for the followers, but none of the participants is going to get any followers if TweepMe cannot add them to each other’s follow list.

storing passwords

Most of us choose to believe that the third-party Twitter services we use do not store passwords. We don’t choose to believe that because we have any real basis for that belief; we are just not so eager to believe the opposite. We’d rather delude ourselves, and somehow try to rationalise our decision to hand over our password, than face the fact that it is plain stupid to do so. We prefer to believe services that claim they just need the password for verification and throw it away immediately afterwards.

Most third-party Twitter services can count on us to continue to delude ourselves this way, but TweepMe cannot. To make the changes you signed up for, TweepMe needs your password. Once you understand that TweepMe cannot work without your password, you understand that TweepMe does store your password. Once you grok that, there is no way you can still delude yourself into trusting the site, and you have to face the cold hard facts: you gave TweepMe your password, TweepMe stores it, and it can use it to do whatever it likes.

exodus

As tweets from saner people woke the herd of early adopters out of their euphoria, many of these twitterers regained their sanity, and decided to cancel their membership, while tweeting that they could not believe how easily they had just been duped.

plain-text

I’d hazard a guess that TweepMe does not just store your password, but stores it in plain text too. Security violations do not come much more basic or serious than that.
You gave TweepMe your password so it can make changes on your behalf. TweepMe keeps that password around. It has to, because every time TweepMe starts a session to make changes for you, Twitter demands that it provide your password. TweepMe cannot do the usual thing and store only a salted password hash; it needs to store the password itself. Encrypting the stored passwords would not change much: whatever TweepMe keeps, it must be able to turn back into your password, so whoever gets the database and the key gets the passwords.
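The difference between a site that only verifies its own users and a site that has to act as you elsewhere, from the storing-passwords and plain-text sections above, is shown below in an added example of mine; it is not code from the article, from TweepMe or from Twitter. The `FakeTwitterAPI` class is a constructed stand-in for the 2009-era Twitter API, which authenticated every request with HTTP Basic auth, and all account names and passwords are made up.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # illustrative work factor


# --- a site that only needs to VERIFY its own users ----------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- a stand-in for an API that wants the password on EVERY request ------
def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class FakeTwitterAPI:
    """Constructed stand-in: HTTP Basic auth, as the 2009 Twitter API used."""

    def __init__(self, accounts: Dict[str, str]):
        self._accounts = accounts  # username -> password, on Twitter's side

    def follow(self, authorization: str, target: str) -> bool:
        scheme, _, creds = authorization.partition(" ")
        if scheme != "Basic":
            return False
        try:
            user, _, pw = base64.b64decode(creds).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        expected = self._accounts.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
            return False
        return target in self._accounts and target != user


class FollowExchangeService:
    """A TweepMe-like service that must call follow() on a member's behalf."""

    def __init__(self, api: FakeTwitterAPI):
        self.api = api
        self.hashed: Dict[str, Tuple[bytes, bytes]] = {}  # what a verify-only site keeps
        self.recoverable: Dict[str, str] = {}            # what this service actually needs

    def signup(self, user: str, password: str) -> None:
        self.hashed[user] = hash_password(password)
        # Plain text here; encrypting it at rest would still leave it
        # recoverable, because it must be sent verbatim to the API later.
        self.recoverable[user] = password

    def follow_using_hash(self, user: str, target: str) -> bool:
        """What you could do if only the hash were kept: nothing useful."""
        _, digest = self.hashed[user]
        return self.api.follow(basic_auth_header(user, digest.hex()), target)

    def follow_using_stored_password(self, user: str, target: str) -> bool:
        return self.api.follow(basic_auth_header(user, self.recoverable[user]), target)


def demo() -> Dict[str, bool]:
    # Constructed accounts, not real credentials.
    api = FakeTwitterAPI({"alice": "correct horse", "bob": "battery staple"})
    svc = FollowExchangeService(api)
    svc.signup("alice", "correct horse")
    salt, digest = svc.hashed["alice"]
    return {
        "hash_verifies_login": verify_password("correct horse", salt, digest),
        "hash_rejects_wrong": verify_password("wrong", salt, digest),
        "follow_with_hash_only": svc.follow_using_hash("alice", "bob"),
        "follow_with_stored_password": svc.follow_using_stored_password("alice", "bob"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hash is perfectly good for checking that a member is who they say they are, and useless for logging in to Twitter as them; the only way `follow_using_stored_password` can succeed is if the service kept the password in a form it can hand back out, which is exactly the exposure the article describes.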

I do not care much that TweepMe uses Secure Sockets Layer (SSL) for communication if the database contains plain-text passwords. Maybe Bob Ullery himself is not planning to use it for anything but TweepMe, but a plain-text password database is a very tempting target, and just how much does Bob know about web site security? Do you trust him to keep your password secure?

I just experienced an application error trying to view his own web site, bobbr.com.

Bobbr Home Page

What the bobbr.com home page (http://www.bobbr.com/default.aspx) looks like…

The Google cache for his site tells us that he only started the company in 2005, so his knowledge and experience seem a bit limited (but read the update).
TweepMe is an ASP.NET application running on Microsoft IIS 7.0. He is probably using SQL Server to store the passwords and hosting it all with Mosso on Rackspace, as he does for his clients. That could all be fine, but here is the big question: do you think his code can withstand a SQL injection attack, and if so, what is your basis for that belief?
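To make clear what that question is asking, here is an added example of mine of a member lookup written the injectable way and the safe way. It is not TweepMe's code, says nothing about how TweepMe is actually written, and uses an in-memory SQLite table instead of SQL Server because it runs offline; the `members` schema and the three rows are constructed for the illustration, and the plain-text `password` column is there only because that is the database the article hypothesises.

```python
import sqlite3
from typing import Dict, List


def build_member_db() -> sqlite3.Connection:
    """Constructed in-memory table; the rows are made up, not TweepMe data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (twitter_name TEXT PRIMARY KEY, password TEXT, paid INTEGER)"
    )
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [("alice", "hunter2", 1), ("bob", "swordfish", 0), ("carol", "letmein", 1)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """String-built query: whatever the user typed becomes part of the SQL."""
    sql = (
        "SELECT twitter_name FROM members WHERE twitter_name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Bound parameters: the input is passed as data and can never change the query."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT twitter_name FROM members WHERE twitter_name = ? AND password = ?",
            (name, password),
        )
    ]


def demo() -> Dict[str, List[str]]:
    conn = build_member_db()
    honest = ("alice", "hunter2")
    # Classic tautology: AND binds tighter than OR, so the clause becomes
    # (name = 'alice' AND password = '') OR '1'='1', which matches every row.
    tautology = ("alice", "' OR '1'='1")
    # Comment out the rest of the WHERE clause; no password needed at all.
    comment_out = ("alice'--", "anything")
    return {
        "honest_vuln": login_vulnerable(conn, *honest),
        "honest_safe": login_parameterized(conn, *honest),
        "tautology_vuln": login_vulnerable(conn, *tautology),
        "tautology_safe": login_parameterized(conn, *tautology),
        "comment_vuln": login_vulnerable(conn, *comment_out),
        "comment_safe": login_parameterized(conn, *comment_out),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

Both versions behave identically for an honest login; they only diverge on crafted input, which is why "it works when I test it" is no basis for the belief the question asks about. The same distinction holds for ADO.NET on SQL Server: `SqlParameter` values go down the parameterized path, string concatenation into the command text goes down the other one.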

PayPal

There is another security issue. Not only does TweepMe keep a database of Twitter usernames and passwords, it also tracks which subscribers paid through PayPal. Now your Twitter and PayPal passwords are different, of course, but do you have any idea how many people use one username and password for everything? Shudder.

This issue is not specific to TweepMe, just something you should keep in mind whenever you decide on a password for financial sites like PayPal: if it is too much to ask to have separate passwords for all sites, at least keep separate passwords for financial sites.

members

TweepMe is not trying to be secretive. It uses its members to spam its existence throughout the Twitterverse, and it uses its website to show who its members are. The TweepMe member directory is a public list of twits that signed up for TweepMe. Isn’t that Awesome! A public display of twits you should not hesitate to unfollow.

cost

Suppose you wanted to sign up for TweepMe anyway; what would that cost you? TweepMe is currently charging 8,95 American dollars per month, which works out to 107,40 dollars per year. That is rather steep for a simple web service that took very little effort to create and takes practically no bandwidth.
So in a sense everyone trying to game themselves to a higher Twitter status, every twitterer eager for a bit of follower fame, is being gamed already. What a crime.

punishment

Some people have suggested that everyone who participated in this scam should have their account suspended. Well, that is one way of dealing with it, but I don’t think it is necessary.
I suspect that all who joined in are going to experience the TweepMe Effect, and so much so, that they will voluntarily cancel their current account to start over.

updates

2009-03-20 TweepMe mail

Bob Ullery emailed me and says the @bobbr and @tweepme accounts will be reinstated on 2009 Mar 26, and that his bobbr.com web site was only down because it was swamped with more than 100.000 visitors in a day. He started programming a dozen years ago, and assures me that TweepMe has full protection against SQL injection attacks.

2009-03-21 TweepMe Effect

Published the TweepMe Effect article, an Open Letter to the TweepMe Tribe.

2009-03-21 TweepMe compilation

Peter Jebsen (@pjebsen) has compiled a collection of tweets and annotated overview of articles about TweepMe.

links