int2e's comments


Good list. Three years ago I made a working demo of #22 but then got distracted by personal problems. Thanks for reminding me.


Every non-trivial app has vulnerabilities. One indication of a vuln is not "blatant incompetence".

I've responsibly reported my fair share of Twitter vulns over the years. In general Twitter fixed them quickly. (Except some CSRF/XSRF issue which was non-trivial and was when they had fewer resources.)

Dave Naylor was just irresponsibly publicizing something, which makes him somewhat of a jerk. Being a jerk is not necessarily a Bad Thing and of course we/I don't know the entire story here, but that's what it sounds like.


There are still lots of features I want to add, but any feedback is appreciated! :)

There are a few internationalization issues to fix, but the basics work.


Some of the rectangle sizes look wrong. Compare "Walmart Profits" to "OPEC Climate Change Fund". Compare Google to Facebook.


webpagetest actually renders the document and all referenced items. It's more similar to what firebug/yslow will tell you, and very useful for designing a site to load quickly.


Be careful not to confuse uniques with impressions.

Assuming 10 impressions per unique, that's still a very respectable CPM of $15.


That's the point, though, $15 CPM is enormous compared to the article's claim that the social network average is 40 cents.


I can confirm that claim.

This is over a sample of about 3 million uniques / month.


Yeah, XSSI has been well known for a while.

This article's argument against using custom headers is a bit bunk. If you're not properly disabling proxy caching for sensitive data, you're asking for trouble anyways. Disabling caching properly is a bit tricky, but there are some useful details here: http://code.google.com/p/browsersec/wiki/Part2#Document_cach...
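As an added example (not code from the comment above or from the linked browsersec wiki), this is the minimal server-side shape of the two defences the comment is weighing: a custom request header that a plain script include cannot supply, plus cache headers that stop a proxy or the browser from retaining the JSON for a later unauthenticated fetch. The header name `X-Requested-With`, the `)]}',\n` anti-XSSI prefix and the sample data are assumptions chosen for the demo; they are not taken from the page.

```python
import json
from typing import Any, Dict, Tuple

# Assumed custom header: a cross-site <script src=...> include cannot set
# arbitrary request headers, so its presence shows the call came from XHR.
REQUIRED_HEADER = "X-Requested-With"
REQUIRED_VALUE = "XMLHttpRequest"

# Assumed prefix: turns the body into a syntax error if it is ever evaluated
# as a script, so even a leaked response is not executable JSON.
XSSI_PREFIX = ")]}',\n"

# no-store keeps shared proxies and the browser cache from retaining the
# body; Vary ties any cache entry that does get made to the guard header.
NO_CACHE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
    "Vary": REQUIRED_HEADER,
}

CONTENT_TYPE = "application/json; charset=utf-8"


def build_json_response(
    data: Any, request_headers: Dict[str, str]
) -> Tuple[int, Dict[str, str], str]:
    """Return (status, response_headers, body) for a JSON endpoint that
    carries user-specific data."""
    # Header names are case-insensitive; normalise before comparing.
    incoming = {k.lower(): v for k, v in request_headers.items()}
    response_headers = {"Content-Type": CONTENT_TYPE, **NO_CACHE_HEADERS}

    if incoming.get(REQUIRED_HEADER.lower()) != REQUIRED_VALUE:
        # Refuse rather than serve sensitive data to a script include.
        body = XSSI_PREFIX + json.dumps({"error": "missing required header"})
        return 403, response_headers, body

    body = XSSI_PREFIX + json.dumps(data, separators=(",", ":"))
    return 200, response_headers, body


def parse_guarded_json(body: str) -> Any:
    """Client-side counterpart: strip the prefix before decoding."""
    if not body.startswith(XSSI_PREFIX):
        raise ValueError("response is missing the XSSI prefix")
    return json.loads(body[len(XSSI_PREFIX):])


def is_cacheable(response_headers: Dict[str, str]) -> bool:
    """Rough check a reviewer can run over an endpoint's headers: a response
    with no-store (and private) should never be retained by a shared cache."""
    directives = {
        d.strip().lower()
        for d in response_headers.get("Cache-Control", "").split(",")
    }
    return "no-store" not in directives and "private" not in directives


if __name__ == "__main__":
    # Constructed sample: a per-user payload and two kinds of request.
    payload = {"user": "example-user", "dm_count": 3}
    print(build_json_response(payload, {}))  # 403: no guard header
    status, hdrs, body = build_json_response(
        payload, {"x-requested-with": "XMLHttpRequest"}
    )
    print(status, hdrs["Cache-Control"], parse_guarded_json(body))
```

The corner case the comment hints at is exactly why both pieces are present: the header check alone protects against the cross-site include, while the cache directives stop a cached copy of an earlier authenticated response from being handed back to a request that never sent the header.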


Perhaps there are some interesting corner-cases where the browser will locally cache the JSON. Time to go play with it...


I think they have value for branding.

Because the cost to register an account is just one captcha solution, squatting twitter names seems to be becoming more common.


Any thoughts on how I should expand the tool? I can see it going two paths...

1) Add more social network sites and more features such as auto-registering your desired name once it's free.

2) Generalize it to notify you when the data on any web page changes. Perhaps leverage dapper.

Or of course option 3: ditch the couple hours of work on tweettaker and concentrate on my next project.


Every* web developer should be familiar with cross-site scripting (XSS) and how to prevent it. http://www.google.com/search?q=xss

* If you don't have a login system or any sensitive data, it might not matter much.

