The Facts about LinkedIn Intro

blog.linkedin.com

57 points by rahulvohra 12 years ago · 62 comments

tptacek 12 years ago

Cory Scott was a director at Matasano, ran our west coast office, and is as trustworthy an appsec person as I know.

Cory also postdates LinkedIn's security drama; he was brought in after the credential leak, which was a good call on LinkedIn's part and sort of a brave move on Cory's part.

(And, full disclosure: iSEC is one of Matasano's sister companies; take this for whatever it's worth, but their reputation is excellent).

I would tend to believe anything he says about this or any other LinkedIn system he's worked on.

That said, I would still under no circumstances give LinkedIn access to my mail spool, or any other third party.

I'm also a little queasy about the idea of "norming" these kinds of systems. Look at how much work LinkedIn put into securing Intro, and ask whether any startup will have the means to do the same. I doubt it.

  • gfodor 12 years ago

    Your last point nails it. I can't help but think there are a good number of people now angling to build similar hacks in a much less rigorous fashion and then build entire companies around this hack. The next year is already, from my vantage point, lining up to be a year full of "give us OAuth access to your GMail account" products. This adds another vector for this type of product. In any case, users are not going to care about security and just tap "OK", so it's kind of scary that this train is really moving now. Imagine if Facebook (or the Next Facebook) required e-mail access and this was normalized.

    I think it may have been a bit short-sighted for LinkedIn to post a developer-focused, "hey look at what we did" kind of post around Intro, regardless of how properly they implemented it behind the scenes.

  • icambron 12 years ago

    > Cory also postdates LinkedIn's security drama; he was brought in after the credential leak

    Thanks, that was the thing I was most curious about: has LinkedIn really started taking security seriously and does it have any idea what it's doing? Because for those of us not following the ins and outs closely, going from "we don't salt our passwords" to "we want all of your email to pass through us" didn't just sound ill-advised; it sounded crazy.

    • tptacek 12 years ago

      I have no professional relationship with LinkedIn and all signs I can see point to them taking security as seriously as any other Large West Coast Tech Company --- which, if you're wondering, is actually a pretty high bar compared to the Fortune 1000.

  • snowwrestler 12 years ago

    I'm not going to use Intro, but I have to ask, how is giving LinkedIn access to my email account any worse than giving access to Google, Yahoo, or Microsoft--by virtue of using their webmail?

    • bradleyland 12 years ago

      A secret is kept secret by sharing it only with someone you trust, and with the smallest number of people possible. Ultimately, you have to share your credentials with your email provider, because they have to authenticate you in order to gain access to the information stored on their systems. Each additional party you share your credentials with increases your attack surface.

      Given the number of security disclosures -- oops, someone got our database full of passwords, but don't worry, they're MD5 hashed -- that have occurred over the last couple of years, I'd be extremely cautious of that practice.

  • x0x0 12 years ago

    maybe so, but Cory's post says (minus the bullshit):

    All the claims are totally correct, but we tried super duper hard (though we sure as hell aren't going to put our money on the line if we're wrong) to make this secure. And if we don't keep this up, or if we do get hacked? Ain't our problem.

    • tptacek 12 years ago

      I don't see any bullshit in that post at all. What bullshit do you see? Maybe I can spot terms of art that you missed.

      I also don't see him saying "ain't our problem" anywhere.

      • x0x0 12 years ago

        It's a response that doesn't address most of the criticisms and attempts to deflect them into an argument about how supposedly secure their systems are instead of addressing the concerns about the system period.

        And not only the post but the linked privacy policy consists entirely of weasel language. E.g.:

           Do you store my email or my password?
           LinkedIn servers will temporarily cache information in order to provide you 
           with the fastest service possible. Here are the full details:
           
           During installation, the servers temporarily cache your password in order to 
           add a new Mail account to your device. Your password is only cached for the 
           length of time it takes to install Intro, and never for more than 2 hours. 
           Typically, your password is cached for no more than 1 minute.
           During usage, the servers may temporarily cache your emails in order to make 
           emails download faster. When your device starts to download a mail folder, 
           such as your inbox, the servers will pre-emptively download and cache recent 
           messages in that folder. A few seconds later, when your device downloads the 
           individual messages, the servers will provide the cached messages. Your 
           messages are only cached until your device downloads them, and never for 
           more than 1 hour. Typically, your messages are cached for no more than a few 
           minutes.
           All cached information is held securely to industry standards. Each piece of 
           data is encrypted with a key that is unique to you and your device, and the 
           servers themselves are secured and monitored 24/7 to prevent any 
           unauthorized access.
        
        
        where someone not an asshole would answer

        "yes"

      • 001sky 12 years ago

        >What bullshit do you see?

        The biggest issue is the title: "The Facts about...".

        It's apparent from the language that the only "facts" discussed are couched in non-falsifiable language, are in the past tense, and self-referential.

        ___________

        We made sure we built

        We isolated

        We performed

        and we worked...to make sure

        We made sure

        we make sure we never persist

        We worked to help ensure

        ____________

        Although it's not clear the author would have picked the language for the title himself (it was likely PR's).

wellboy 12 years ago

Why do the billion-dollar companies just not get that people can see through double speak now?

Let's look at the double speak here, which intends to give a statement weight even though it has zero weight. On the left side is the original statement with zero weight; after the slash, how the statement would have weight.

1. We isolated Intro in a separate network segment and implemented a tight security perimeter across trust boundaries./ Doesn't say anything at all again

2. REDUCED exposure to third-party monitoring services and tracking/PREVENT exposure to third-party monitoring services and tracking

3. We also had iSEC Partners, a well-respected security consultancy, perform a line-by-line code review of the credential handling and mail parsing/insertion code./ That statement isn't saying anything at all

4. make sure identified vulnerabilities WERE ADDRESSED/ make sure there are NO vulnerabilities

5. we make sure we NEVER persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is DELETED from our systems./ These two words have weight.

6. MINIMIZE exposure/REMOVE exposure

7. We WORKED TO HELP ENSURE/ We ENSURE

Overall, LinkedIn avoids using terminology that is actually a commitment except for 5. Fortunately, people picked up on the double speak and LinkedIn has managed to corrupt trust with its users further.

Somebody should fire the person who thinks this kind of "clarification" gets back their users' trust.

  • mansam 12 years ago

    Your proposed change to 4. is a statement that no one could ever honestly make.

    • wellboy 12 years ago

      Correct, which makes "Intro" and all other third party apps, which reroute entire communication channels, untenable ones.

  • anologwintermut 12 years ago

    5 is worthless if you are worried about them looking at it.

mbesto 12 years ago

> This blog post is intended to provide more information and address inaccurate assertions

I don't like this part of the full statement. It doesn't specifically address what assertions are incorrect and which are correct. Systems are not and never will be 100% secure. No matter how much technology you throw at something, there is always going to be a balance between accessibility and security.

I do believe LinkedIn has done a massive amount of due diligence (much more so than many other organizations would care to do) which is great and I'm glad they took the time to respond. However, correct me if I'm wrong, but there is an underlying assumption from the general populace that if a security expert says something is secure then this means this never can get hacked. To which I would respond - not true.

onedev 12 years ago

>"We isolated Intro in a separate network segment and implemented a tight security perimeter across trust boundaries."

>"We performed hardening of the externally and internally-facing services and reduced exposure to third-party monitoring services and tracking."

What do those points even mean? They're written like the marketing department wrote them and fluffed them to the max. "Performed hardening"....really? It just sounds like they don't know what they're talking about. "Oh yeah we totally isolated and secured the perimeter, the app is good now". If my dad heard that he'd think "Oh like in those war movies where they secure the perimeter? Awesome!". A lot of the other points they listed are like this too, I just picked out the first couple.

offbyone 12 years ago

That article misses the key point; a MITM proxy for mail is the actual problem, no matter how well implemented it is.

  • Barnabas 12 years ago

    Agreed. The third party to defend against is not only an intruder to LinkedIn, but LinkedIn itself.

    If there are "misperceptions" about Intro, let us include LinkedIn's own misperception of how some of us view account security.

  • mrmch 12 years ago

    Isn't this the exact same approach taken by Mailboxapp, proxying your IMAP server?

    • PeterisP 12 years ago

      Does this reduce the problem in any way?

      • mrmch 12 years ago

        The idea that this is a "problem" is subjective; if the value prop is compelling and there is sufficient trust established, someone should be free to use Mailboxapp OR Intro.

        • PeterisP 12 years ago

          The problem doesn't ever go away - if you're using Mailboxapp, you're forever going to be vulnerable; you're free to use them and accept that risk, of course, but it's still a security problem with that service.

          There is no such thing as 'sufficient trust established' - trusting Mailboxapp right now doesn't in any way imply that it will be trustworthy enough for your needs (however large or small) after, say, a year. If you're using software X, for example, then you can think about renewing trust only when going to software X+1; but with such a service they can go from 'doing only good things' to 'intentionally selling you out' at any arbitrary time.

          For example, look at what's happening at Buffer. By using Intro or Mailboxapp, you've just added another company whose decisions may screw you up, and that is a problem.

  • namecast 12 years ago

    Well put. All due respect to Cory, but this article could have been titled "why we think you shouldn't freak out over our MiTM attack".

st3fan 12 years ago

"When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible."

I think that is the problem. The security team should have said: "Stop. This is an insanely stupid idea. No matter how we implement it, let's just not do this."

Instead they tried to make the best of it.

I feel sorry for those folks. I bet in their heart they all know it is an utterly stupidly designed product that should never have seen the light of day.

  • skybrian 12 years ago

    Maybe they did, but they aren't going to tell us how the internal debate played out. That's not how it works. Security teams can make recommendations and can escalate to upper management if need be, but they don't make the final call on new products. Ultimately it's the CEO who decides whether a risk is worth taking.

  • wglb 12 years ago

    This is the essence of application, or any security: the tension between features and security.

jamescun 12 years ago

The issue wasn't with their implementation, it was with sending all our emails through a single company, and a company whose policies border on spam at that.

3825 12 years ago

Let's take a step back at what value LinkedIn Intro is supposed to give to me. What would be a better way to deliver this value?

I'd argue the best way to deliver this would be by working with mail providers, not by subverting them. LinkedIn could open itself up and allow people to query names and profile information (probably would have to be opt-in) given an email address. A client would just send an email address, and LinkedIn would hand back name and (public) profile information. If the client chooses to send their own email address, LinkedIn could send back a richer set of information including connections. The email client would then display the information in a way that it knows best.

The whole idea is so simple and straightforward that I cannot help but think LinkedIn's ultimate goal is not to just know who is sending emails to whom but also what they are saying. Cory Scott may know that the implementation is solid but I doubt he knows the motivations of his corporate overlords.

Perhaps LinkedIn should put a badge on all profiles of members who have opted in to the Intro service so I can cut all ties with them.

richbradshaw 12 years ago

I don't think much of this was the issue – the issue was "do you trust LinkedIn with something so vital to your identity". I think it was assumed that the feature would be implemented technically competently.

nostromo 12 years ago

After the previous discussion, I kept wondering why I didn't trust LinkedIn with my email, but did trust Google.

Google is actually much more terrifying in that they have more information about me than any other entity (Search, Gmail, Google Analytics, Chrome, GChat, etc.) Yet, I tend not to give it much thought.

Some people are upset about LinkedIn spam - but that's never been a problem for me. I haven't figured out a good answer to this yet.

  • davedx 12 years ago

    For me there are a few reasons:

    1) Google has a proven track record with email and email security (Gmail) over many years now

    2) LinkedIn has a bad reputation for security

    3) Most of the people I know who use LinkedIn probably wouldn't even have thought "how does this work". I don't like that any company can "get away with" something like this that could put so many people's jobs at risk. It feels shady and unfair.

    • devcpp 12 years ago

      Exactly. I have never heard of Google sending emails on my behalf through gmail without me knowing about it.

  • anologwintermut 12 years ago

    The outrage here I think is that LinkedIn didn't explicitly state that risk. We know google has our email and can do things with it.

    To the average user, LinkedIn made no attempt whatsoever to explain that by doing this, you were putting approximately the same level of trust in them as you do in Google/some other mail provider. This is particularly troubling if most people, as I do, don't have an existing trust relationship with LinkedIn simply because everything we have on there is public.

pinaceae 12 years ago

By now this is a complete clusterfuck.

The core idea behind this "service" of injecting LI info into any mail is broken. No security theater around it will change that.

LI should have worked with Apple to come up with a way to embed this kind of info natively into the mail app. And if that is not possible, add an email inbox to their LI app, so that the email header would be post-processed within the app. Make people use LI as their mail client (who knows, maybe someone would have liked this).

But injecting crap into the normal iOS mail app? What a strange approach.

colinbartlett 12 years ago

Is linking to their privacy policy supposed to be comforting in some way?

"We promise that the only thing we do with your data is what we said we do inside this huge legal document."

alex_young 12 years ago

What worries me here is not trusting a third party with mail - we all already do that, this is the nature of SMTP.

The issue is that LinkedIn wants to provide mail services without saying it's your mail provider.

If you want to be a mail host, be a mail host. Don't half ass it by pretending you're offering a value added service to someone else's MX.

Convince me there's a reason to use your mail service. Show me there's a reason to trust you. I evaluate it and decide if I want to switch. This process works. It's proven. We expect things out of MXs.

No one knows how to evaluate an MX proxy on a consumer basis. There's no reason to change this. I don't care if you're LinkedIn or anyone else.

This smacks of shortcut taking. Don't trust them.

10char 12 years ago

An advantageous move for LinkedIn might be to just launch its own email service and compete with Gmail. So many add-ons and hacks exist to add LinkedIn capabilities to existing email, it might be worth it on their part to do it the Right Way.

ceocoder 12 years ago

After reading the original announcement, this follow-up post, and the comments here, I find myself looking at it in a binary scenario - do they think they did a better job securing Intro after the account breach? Possibly. Is the risk of letting one MORE entity (in addition to Gmail, with recent developments in mind) read thru your mails for marginal - at least for me - gain worth it? A solid NO.

fooshero85 12 years ago

Bishop Fox is a glorified gossip queen of a security company. What type of engineers, or so-called hackers, just make stupidly false claims without actually knowing what is going on behind the scenes? This is the software industry, not the Kim Kardashian, Honey Boo Boo entertainment industry, folks... Get the facts straight, or get a new job.

  • intslack 12 years ago

    Their blog post said as much; that LinkedIn gave very little background about what's going on behind the scenes. This post doesn't actually address much.

    Why was your account created 30 minutes ago just to post two comments on this story?

philjackson 12 years ago

I think this is the most interesting documentation considering the debates I've seen here on HN: https://intro.linkedin.com/micro/privacy

aheilbut 12 years ago

I'd feel better if LinkedIn would be more transparent about the data they have collected on my network and how they make predictions, and would allow me to delete such information if I wish, because I find some of their "People you may know" recommendations to be decidedly creepy.

Even assuming that they are technically able to do this securely, it's the opacity about how they will use the data and how long they'll keep it that bothers me.

pbreit 12 years ago

I hate the way LinkedIn handles criticism. Most of the discussion I've seen has centered on the concept, not the implementation. Instead of trying to allay concerns about the concept, LinkedIn spends the whole, defensive post chiding commentators for "inaccuracies and misperceptions" and proceeds to humblebrag about how thorough its security precautions were.

quink 12 years ago

Why not talk to Apple or Google and make this a reality in some other way?

Surely it can't be hard for a company like LinkedIn, about as important as Facebook, to ask Apple or Google to provide some way of hooking into a third party application or well documented API?

It might take longer and be a bit more complicated but it must be a better way to go about this than MITM.

  • gojomo 12 years ago

    Why should Apple/Google be gatekeepers (and potential sources of arbitrarily long delay, complication or strategic-veto)? What about the N other IMAP providers?

    Talking about a more generalized hook-in API is a good idea, but not in strict preference to proxying-tricks. Rather, it makes sense as a parallel or subsequent followup, after the value has been prototyped and proven.

    • blibble 12 years ago

      Call me cynical, but I bet it was discussed, and overruled on the point that this system allows them to get access to all your juicy email under the pretence that "we can't do it any other way".

msh 12 years ago

Well, considering their password incompetence I would not trust them with any sensitive information for a long, long time.

alkonaut 12 years ago

THEY host the Intro proxy? Wouldn't it be better if each individual or organization had their own Intro proxy that provided this? I.e. mail client -> my proxy -> (LinkedIn + mail server)?

wai1234 12 years ago

Perhaps next we will hear from a bank robber that he will take very good care of our money.

dmak 12 years ago

Unsalted passwords.

eball 12 years ago

Read a comment the other day wondering about what if two (or more) programs did this. Would you end up with a chain of proxies between you and the mail server?

From the excellent Old New Thing blog: http://blogs.msdn.com/b/oldnewthing/archive/2005/06/07/42629...

  • gfodor 12 years ago

    Reminiscent of the insane 100-layered iframe issue with ad networks all jousting each other for the coveted impression when the page loads.

    • dylz 12 years ago

      Sounds interesting, any more info about this?

      • gfodor 12 years ago

        I'm exaggerating of course but if you go onto most popular websites and really dig into their ads you'll see that you basically hop through a large number of layers of various ad exchanges before you get to the actual server that serves the ad. Usually via a series of nested iframes.

fooshero85 12 years ago

http://www.bishopfox.com/

"Error establishing a database connection"

Can't even keep a website up and running, what a very tech savvy company.
