Cory also postdates LinkedIn's security drama; he was brought in after the credential leak, which was a good call on LinkedIn's part and sort of a brave move on Cory's part.
(And, full disclosure: iSEC is one of Matasano's sister companies; take this for whatever its worth, but their reputation is excellent).
I would tend to believe anything he says about this or any other LinkedIn system he's worked on.
That said, I would still under no circumstances give LinkedIn access to my mail spool, or any other third party.
I'm also a little queasy about the idea of "norming" these kinds of systems. Look at how much work LinkedIn put into securing Intro, and ask whether any startup will have the means to do the same. I doubt it.
I think it may have been a bit short-sighted for LinkedIn to post a developer-focused, "hey look at what we did" kind of post around Intro, regardless of how properly they implemented it behind the scenes.
http://blog.learningbyshipping.com/2013/10/25/on-the-exploit...
Thanks, that was the thing I was most curious about: has LinkedIn really started taking security seriously and does it have any idea what it's doing? Because for those of us not following the ins and outs closely, going from "we don't salt our passwords" to "we want all of your email to pass through us" didn't just sound ill-advised; it sounded crazy.
Given the number of security disclosures -- oops, someone got our database full of passwords, but don't worry, they're MD5 hashed -- that have occurred over the last couple of years, I'd be extremely cautious of that practice.
All the claims are totally correct, but we tried super duper hard (though we sure as hell aren't going to put our money on the line if we're wrong) to make this secure. And if we don't keep this up, or if we do get hacked? Ain't our problem.
I also don't see him saying "ain't our problem" anywhere.
Let´s look at the double speak here, which intends to give a statement weight even though it has zero weight. On the left side original statement with zero weight, after the slash how the statement would have weight
1. We isolated Intro in a separate network segment and implemented a tight security perimeter across trust boundaries./ Doesn't say anything at all again
2. REDUCED exposure to third-party monitoring services and tracking/PREVENT exposure to third-party monitoring services and tracking
3. We also had iSEC Partners, a well-respected security consultancy, perform a line-by-line code review of the credential handling and mail parsing/insertion code./ That statement isn't saying anything at all
4. make sure identified vulnerabilities WERE ADDRESSED/ make sure there are NO vulnerabilities
5. we make sure we NEVER persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is DELETED from our systems./ These two words have weight.
6. MINIMIZE exposure/REMOVE exposure
7. We WORKED TO HELP ENSURE/ We ENSURE
Overall, Linked avoids using terminology that is actually a commitment except for 5. Fortunately, people picked up on double speak and Linkedin has managed to corrupt trust with its users further.
Somebody should fire the person that think sthis kind of "clarification" gets back their user's trust.
I don't like this part of the full statement. It doesn't specifically address what assertions are incorrect and which are correct. Systems are and never will be 100% secure. No matter how much technology you throw at something, there is always going to be a balance between accessibility and security.
I do believe LinkedIn has a done a massive amount of due diligence (much more so than many other organizations would care to do) which is great and I'm glad they took the time to respond. However, correct me if I'm wrong, but there is an underlying assumption from the general populace that if a security expert says something is secure than this means this never can get hacked. Which I would respond - not true.
>"We performed hardening of the externally and internally-facing services and reduced exposure to third-party monitoring services and tracking."
What do those points even mean? They're written like the marketing department wrote them and fluffed them to the max. "Performed hardening"....really? It just sounds like they don't know what they're talking about. "Oh yeah we totally isolated and secured the perimeter, the app is good now". If my dad heard that he'd think "Oh like in those war movies where they secure the perimeter? Awesome!". A lot of the other points they listed are like this too, I just picked out the first couple.
If there are "misperceptions" about Intro, let us include LinkedIn's own misperception of how some of us view account security.
I think that is the problem. The security team should have said: "Stop. This is an insanely stupid idea. No matter how we implement it, let's just not do this."
Instead they tried to make the best of it.
I feel sorry for those folks. I bet in their heart they all know it is an utterly stupidly designed product that should never have seen the light of day.
I'd argue the best way to deliver this would be by working with mail providers not by subverting them. LinkedIn could open itself up and allow people to query names and profile information (probably would have to be opt-in) given an email address. A client would just send information an email address, and LinkedIn would hand back name and (public) profile information. If the client chooses to send their own email address, LinkedIn could send back a richer set of information including connections. The email client would then display the information in a way that it knows best.
The whole idea is so simple and straightforward that I cannot help but think LinkedIn's ultimate goal is not to just know who is sending emails to whom but also what they are saying. Cory Scott may know that the implementation is solid but I doubt he knows the motivations of his corporate overlords.
Perhaps LinkedIn should put a badge on all profiles of members who have opted in to the Intro service so I can cut all ties with them.
Google is actually much more terrifying in that they have more information about me than any other entity (Search, Gmail, Google Analytics, Chrome, GChat, etc.) Yet, I tend not to give it much thought.
Some people are upset about LinkedIn spam - but that's never been a problem for me. I haven't figured out a good answer to this yet.
1) Google has a proven track record with email and email security (Gmail) over many years now
2) LinkedIn has a bad reputation for security
3) Most of the people I know who use LinkedIn probably wouldn't even have thought "how does this work". I don't like that any company can "get away with" something like this that could put so many peoples' jobs at risk. It feels shady and unfair.
To the average user, LinkedIn made no attempt what so ever to explain that by doing this, you were putting approximately the same level of trust in them as you do in Google/some other mail provider. This is particularly troubling if most people, as I do, don't have an existing trust relationship with LinkedIn simply because everything we have on their is public.
The core idea behind this "service" of injecting LI info into any mail is broken. No security theater around it will change that.
LI should have worked with Apple to come up with a way to embed this kind of info natively into the mail app. And if that is not possible, add an email inbox to their LI app, so that the email header would be post-processed within the app. Make people use LI as their mail client (who knows, maybe someone would have liked this).
But injecting crap into the normal iOS mail app? What a strange approach.
"We promise that the only thing we do with your data is what we said we do inside this huge legal document."
The issue is that LinkedIn wants to provide mail services without saying it's your mail provider.
If you want to be a mail host, be a mail host. Don't half ass it by pretending you're offering a value added service to someone else's MX.
Convince me there's a reason to use your mail service. Show me there's a reason to trust you. I evaluate it and decide if I want to switch. This process works. It's proven. We expect things out of MXs.
No one knows how to evaluate an MX proxy on a consumer basis. There's no reason to change this. I don't care if you're LinkedIn or anyone else.
This smacks of shortcut taking. Don't trust them.
Why was your account created 30 minutes ago just to post two comments on this story?
Even assuming that they are technically able to do this securely, it's the opacity about how they will use the data and how long they'll keep it that bothers me.
Surely it can't be hard for a company like LinkedIn, about as important as Facebook, to ask Apple or Google to provide some way of hooking into a third party application or well documented API?
It might take longer and be a bit more complicated but it must be a better way to go about this than MITM.
Talking about a more generalized hook-in API is a good idea, but not in strict preference to proxying-tricks. Rather, it makes sense as a parallel or subsequent followup, after the value has been prototyped and proven.
From the excellent Old New Thing blog: http://blogs.msdn.com/b/oldnewthing/archive/2005/06/07/42629...
"Error establishing a database connection"
Can't even keep a website up and running, what a very tech savvy company.
