
I don't care who the company is, or how trustworthy you think they are: avoid giving third parties credentials to your inbox.



Not that we should trust anybody, but let's not forget that LinkedIn already has a history of losing user credentials: http://www.pcworld.com/article/257045/6_5m_linkedin_password...


No, they don't, and you keep posting that they do despite being proven wrong several times in the past. They lost hashed passwords which are not user credentials.


> No, they don't, and you keep posting that they do despite being proven wrong several times in the past.

You must have me confused with someone else.

> They lost hashed passwords which are not user credentials.

While you may be technically correct about credentials vs. hashed passwords, that distinction isn't relevant here. Losing hashed but unsalted passwords is still just as harmful.

Otherwise, articles like this one would not exist: http://mashable.com/2012/06/08/linkedin-stolen-passwords-lis...


> "hashed passwords"

Take a wild guess at what they are storing this time around.


> They lost hashed passwords which are not user credentials.

These passwords were unsalted SHA1; that's about as good as rot13. LinkedIn has clearly proved itself completely unable to do things correctly; if that applies to passwords, it applies to everything else.


You do realize that cracking unsalted SHA1 passwords isn't that hard, right? Perhaps you should educate yourself on the wonderful world of GPU password cracking and the enormous speeds at which a handful of consumer-grade video cards working in concert can utterly smash through a database like this.

edit: Here's a blog post about being able to brute force 33.1 billion MD5 hashes a second using GPUs: http://blog.zorinaq.com/?e=43
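The two comments above hinge on one property of an unsalted password table: identical passwords produce identical stored values, so one precomputed digest can be matched against every account at once, and GPU throughput is what makes that precomputation cheap. The following is an added example (not code from this thread or from LinkedIn) that contrasts an unsalted SHA1 store with a per-user-salted PBKDF2 store and includes the audit check a defender would run on a dump of their own table: grouping accounts by identical stored value. The user names and passwords are constructed sample data, and the 600,000 iteration count is an assumed parameter chosen to follow current guidance for PBKDF2-HMAC-SHA256.

```python
"""Unsalted SHA1 versus salted PBKDF2 password storage, with an audit check.

Constructed example: three accounts, two of which chose the same password.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample accounts; not real data.
USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",  # same password as bob
}


def store_unsalted_sha1(password: str) -> str:
    """The scheme under discussion: a single SHA1 over the password, no salt.

    Deterministic across users, so equal passwords yield equal digests and a
    digest computed once can be compared against the whole table.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow KDF.

    Record format (assumed for this example): 'pbkdf2_sha256$iter$salt$hash'.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_digest_groups(table: Dict[str, str]) -> List[Set[str]]:
    """Audit check: group accounts whose stored value is byte-for-byte identical.

    On an unsalted table, each group exposes a shared password without any
    cracking at all. On a properly salted table this returns no groups.
    """
    by_value: Dict[str, Set[str]] = {}
    for user, stored in table.items():
        by_value.setdefault(stored, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_unsalted_table() -> Dict[str, str]:
    return {user: store_unsalted_sha1(pw) for user, pw in USERS.items()}


def build_salted_table() -> Dict[str, str]:
    return {user: store_salted_pbkdf2(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    print("unsalted SHA1 duplicate groups:", duplicate_digest_groups(build_unsalted_table()))
    salted = build_salted_table()
    print("salted PBKDF2 duplicate groups:", duplicate_digest_groups(salted))
    print("bob logs in with correct password:", verify_pbkdf2("hunter2", salted["bob"]))
    print("bob logs in with wrong password:", verify_pbkdf2("hunter3", salted["bob"]))
```

Running the audit on the unsalted table reports bob and carol as one group; on the salted table it reports nothing, because each record carries its own random salt. The slow KDF addresses the second half of the argument: each guess costs hundreds of thousands of HMAC invocations instead of one SHA1, which is what the GPU throughput figures quoted above are measured against.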


Couldn't agree more, not just because of the possible security implications, but also because it can seriously backfire against you, in terms of potentially damaging your reputation.

A closely related example would be of a web app I stumbled upon recently via an unexpected email I received in my LinkedIn inbox about a new educational platform that supposedly one of my contacts was recommending me to try. Curious and suspicious, I opened the link and clicked on 'connect with LinkedIn'. In small script, the app was requiring me to authorize it to send emails on my behalf, which is exactly the case of the original unsolicited message I had received: another unsuspecting user just glossed over the terms and connected their LinkedIn account to this app... resulting in all of their contacts being spammed with the message. The 'victim' was displeased, to say the least, when I warned them what their account was doing without their knowledge.

Had I not been careful about that and proceeded to authorize the app, I would've most likely been booted off at least a few people's contact lists for spamming them with such stuff irrelevant to their interests.


If you think about the reach LinkedIn has, combine that with each contact the LinkedIn user has, and you have a very fast database of emails that can be misused.


If you look at one of LinkedIn's alternate applications, LinkedIn Contacts, http://contacts.linkedin.com/ , it actually is a light-weight CRM application. CRM meaning it automatically connects your email and calendar to your LinkedIn account to know when and how you are interfacing with people. I get a daily email with the meetings that I had the day before about who I met, as well as information on their LI profile about the last email conversation I had with them. This is super nice if you meet a bunch of people and need a way to take notes on who they are and what they are doing, independent of their business card.

The contacts application also sends things like reminders for your contacts' work anniversaries or when they change positions (something that you can't access in the LI API).

I sometimes think that I shouldn't be giving LI all of this information, but this is a typical case where the benefit received is greater than my privacy concerns.


Isn't that the whole point of Rapportive? They're the only company I can think of off the top of my head that has successfully solved the "social profile matching" problem.


Ark does, and with significantly more data.


Except the third party that actually is your inbox?


That would be the second party.


The first party is on my lawn.



And the third party that wrote the mail client you are using?

Not to say that this isn't a bad idea though. It would have been an easier sell if you could do the IMAP proxying on the local device somehow.


> It would have been an easier sell if you could do the IMAP proxying on the local device somehow.

It should be easy to run a background proxy under Android. Not sure if this is possible under iOS 7 though.


And the third party that wrote your operating system's networking stack? And your ISP?



...which is why we host our own mailservers :)!



