LinkedIn ‘Intro’duces Insecurity (bishopfox.com)
565 points by shenoybr on Oct 24, 2013 | 155 comments

One of the other subtle things they do with metadata is their fascination with IP addresses.

Intro will enable LinkedIn to have the IP address of all of your staff using it, and thus (from corp Wifi, home locations of staff, popular places your staff go) they will know which IP addresses relate to your staff members (or you individually if you are the only person on a given IP).

This means that even without logging onto LinkedIn, if you view a page on their site they can then create that "so and so viewed your profile", which is what they're selling to other users as the upgrade package to LinkedIn.

Worse than that, as a company you can pay to have LinkedIn data available when you process your log files, and from that you know which companies viewed your site. And that isn't based on vague ideas of which IPs belong to a company according to public registrar info, this is quality data as the people who visited from an IP told LinkedIn who they were.

Think of that when you're doing competitor analysis, or involved in any legal case and researching the web site of the other party.

And VPNs won't help you here, as you'd still be strongly identified on your device and leaking your IP address all the time.

There are so many reasons why this LinkedIn feature needs to die a very visible and public death, and very few about why it should survive. It's a neat hack for sure, but then so were most pop-up and pop-under adverts and the neatness of overcoming the "impossible" is no reason this should survive.

Worse than that, as a company you can pay to have LinkedIn data available when you process your log files, and from that you know which companies viewed your site.

To give a real world example of how true this is, I have a friend that owns a service company. He subscribes to Visistat for which he embeds a small snippet of Javascript into every page in his site. He uses a product of theirs called LeadCaster which then identifies the company name and often the contact name of people that visit the site. How does it do this? Look at Visitstat's Learning Center for an explanation:

NOTE: Contact information is supplied by the contact databases of Data.com (formerly Jigsaw), NetProspex and LinkedIn. Not all information will be available for every company and listing, however, your reports will show all the data we are able to access for you.

So for a real world example that he told me about a few hours ago, a lady was on his website. She left without doing anything more than viewing a few pages. Through Visistat, he was able to get her company name and contact information from LinkedIn. He looked up the phone number for her company and called her. He then said, "I understand your interest in ..." She replied, "How did you know I am interested in ...?"

This is spooky as shit and almost made me delete my LinkedIn profile today.

On a side note, was your friend really that stupid? To call and say "I believe you're interested in our service" and not realize it would have this effect? That's amazing to me. A few years back we used a service called "Leadlander.com". It would tell us domain names that visited our site and what they did. We sold into large ISV/tech co's. So for example we might see someone from "Autodesk" showing up and looking at several pages over multiple days. I confess when we saw that we would email someone high level there and say "Hi, this is what we do and how we help companies. Not sure if this could be applicable to you or not, but..." Naturally more than once we got "You know, the funny thing is we are just starting to look at doing something like this."

Someone told me over the weekend that some companies use your cookies to track down prices and adjust their prices based on your surfing behavior.

These friends of mine discovered it while browsing an airline website, each with his own laptop, only to discover different prices being offered. Which they found very strange, given they were seated next to each other.

After cleaning the browser history and visiting the same web site with anonymous mode on, both got the same prices being offered.

I heard that Airlines do not like you shopping around for prices from someone who did this research. They log you when you first come on their site. If you come back 2-3 days later, they will jack up the price, presumably to scare you into buying tickets.

Yes, I heard the same story from these friends as they were telling me this.

One of them works for a travel agency.

What's the best work-around to avoid this price jack?

clearing cookies, or just using incognito mode in whichever browser you are using usually does it. They've been doing this for at least a decade now, IIRC.

I'm surprised it's legal. Didn't Amazon have to backtrack on something like this?

They did backtrack, but because of PR reasons, not legal ones. Unless there are antitrust issues, it's perfectly legal to offer different prices to different customers.

Semi-related fun fact: at least on American Airlines' Gogo service, in-flight wifi requires you to pay for each device separately and charges more for laptops than for mobile devices; but it just checks your MAC address and user agent, respectively. Have your laptop browser identify as a mobile to get the better price, or buy on your phone/tablet and then spoof its MAC address on your desktop to use both devices for the price of one.

This is total B.S.

When you do a search on a travel website (including most airlines' official sites) you are actually being served results from a GDS. These companies (Worldspan, Sabre, etc.) pull in airline/hotel/etc. availability and produce a search and fulfillment API. They are the reason you can get a flight that connects across multiple different carriers.

I've built a number of successful OTAs (Online Travel Agencies, aka websites) and never once been asked to provide visitor IP addresses or cookies.

In the early days of the internet doing repeated searches would increase prices because these systems were designed for travel agents to do a small number of searches, and a spike in searches was a demand signal. Almost all demand based pricing has been eliminated from air and hotel because of internet "casual shoppers" and price wars.

Well it's true. I've had it happen to me multiple times. Do a search and find a flight at price X. Clear your cookies and repeat search (maybe on another day?). The same flight will show up for a lower price.

Do a google search for "clear your cookies before booking flights" and you can read all about it.

If you're doing it on another day, the inventory (and thus price) probably changed. The price of a seat on a plane is dependent on how many other seats have been sold.

Sorry, my wording was confusing. I'm saying that on another day if you repeat your search you might get a higher price. Then, clear your cookies and search again- boom, back to the lower price. I've seen it happen 3 or 4 times now.

Will blocking third party cookies prevent this? Or is this a server-to-server transfer of regular (second-party?) cookies?

Perhaps partially. Doesn't stop evercookies or IP address tracking or ever more inventive means.

Check out Pardot if you want to get an idea of what's possible. They drop a cookie on you the moment you browse the site and it logs every interaction you have with the site. When you finally sign up or fill in a form somewhere it'll associate those sessions with your new account and let you better target drip campaigns and market to them.

There's a lot of other ways to identify someone. It's like in Serenity -- everything has a fingerprint.

Thanks for your valuable information. I'm glad I deleted my Linkedin profile one month ago.

The only people that are going to use this new feature are people who already use LinkedIn a lot. In which case, they already know your IP addresses, since you're likely using LinkedIn from work, home, and mobile anyway. So if they're mining IP addresses, I'm not sure that this is providing something new.

FYI, most of the major marketing automation platforms already let you do this. They're based upon a peer-to-peer exchange of lead information (i.e. you identify yourself to one site and they'll sell that information to other sites in exchange for identifying information about other users), hence it's already far more accurate than public registrar information.

Hey Imran (chatted to you in IRC a few times),

I do realise that lead information is sold, and I've had enough offers to sell my own users (which I've declined) to realise just how prevalent the practise is.

LinkedIn sell a fairly complete business dataset. My point is that a lot of people might imagine they could do this, but probably don't really believe that they are doing this.

Then when you add in Intro's almost constant tracking (vs occasionally accessing one of the sites that sells your data - or LinkedIn on the web) it is easy to see just how complete one would be making that dataset.

I'd say that most people don't really believe that this happens, or how good (if that's the word) that dataset already is.

Which LinkedIn dataset are you talking about? Rapleaf used to sell one but I don't think that's available anymore.

Citation needed. There's no reference anywhere on LinkedIn's site to selling data sets at all. The only thing they sell are subscriptions to their site and there's nothing anywhere that indicates any of those include any kind of this data.

If I read this right, Visistat itself says that they aggregate visit data provided by a list of websites that include LinkedIn:


Looking at their live demo it looks like you just sign-in with the linkedin auth and they use the regular LinkedIn API to enrich people information, so it's not anything the average user can't access via Linkedin anyway.

If this is true, this whole thread is full of misinformation.

What platforms do this?

I'm pretty curious how they advertise the fact that they do something like this as well.

marketo for example.

I think I'm confused as to what, exactly, they do that you're objecting to.

Some time ago on HN I remember reading about a company that embeds forms on websites. So if I filled out a contact form on Site A, the third party collects the information, stores a cookie on my computer. Then when I visit Site B, the cookie uniquely identifies me, and the third party company gives my email address to Site B, even though I didn't fill out a form.

Is this what you're suggesting marketo does?

Giving away email credentials to a third party service, regardless of reason, should be both covered in your internal training materials, as well as be maintained as a firing offense.

This is really just a case of well-branded spearphishing. You should already be protecting against that.

> This is really just a case of well-branded spearphishing.

Spearphishing is distinguished from phishing more generally by having very narrow, specific target selection.

If we are going to look for analogies to techniques of catching fish, this is more weir phishing than spearphishing.

This is really just a case of well-branded spearphishing. You should already be protecting against that.

Well really, it's somewhere between generic phishing and tightly targeted (spear) phishing.

But the thing you have to remember about "phishing", about "spear phishing", about "social engineering" and about the cons that con-artists have been pulling since before computers existed is you are never just protected from this since every social con is based on exploiting a reflexive, habitual response and the con-artist will always find those no matter how people are simply trained (indeed, the more robot-like you make people's reactions, the more reflexes the con-artist has to work with).

So basically, any serious organization has to keep on top of the new threats coming. Every organization has to warn its people not to do what they already ought to know better than to do.

Eternal vigilance... Reminds me of something else.

It's more subtle than that, since the "Intro" iOS profile simply sets up a proxy.

This would take about three clicks from an end-user, and at no point do they knowingly disclose their passwords...

Seems like Linkedin have posted an update on http://engineering.linkedin.com/mobile/linkedin-intro-doing-...:

Update, 10/24/13

We wanted to provide additional information about how LinkedIn Intro works, so that we can address some of the questions that have been raised. There are some points that we want to reinforce in order to make sure members understand how this product works:

- You have to opt-in and install Intro before you see LinkedIn profiles in any email.
- Usernames, passwords, OAuth tokens, and email contents are not permanently stored anywhere inside LinkedIn data centers. Instead, these are stored on your iPhone.
- Once you install Intro, a new Mail account is created on your iPhone. Only the email in this new Intro Mail account goes via LinkedIn; other Mail accounts are not affected in any way.
- All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted.
- Your emails are only accessed when the Mail app is retrieving emails from your email provider. LinkedIn servers automatically look up the "From" email address, so that Intro can then be inserted into the email.

Are Linkedin still working out of Mom's garage? Do they not have a single person on staff capable of looking at the current environment regarding internet privacy and say, "Uh, guys...maybe put this one on ice for a year..?"

Remember, LinkedIn has grown so much in part because so many people are willing to hand over their email passwords so LinkedIn can take a look at their contacts.

LinkedIn knows exactly how many people will hand over full control of their email if it means that they have a better chance of finding a better job.

Think I have to agree with you on that. Despite all the umbrage from HN, etc crowd, they prolly know it isn't really hurting them & the financial rewards are great.

Just doesn't seem like the greatest marketing strategy at the moment :-)

Yeah one would hope these guys had some kind of ethical compass but history of Big Data (Google, FB, ad networks and their ilk) shows otherwise. Everyone in "social" just wants their Fuck You Money and "fuck users" because they're the product. Apathy and subversion of the web from the big players or anyone with a Facebook Jr biz is why the surveillance state exists.

"Silicon" Valley is working on spy tools and innovative ways to get more people to click ads.

> Do they not have a single person on staff capable of looking at the current environment regarding internet privacy and say, "Uh, guys...maybe put this one on ice for a year..?"

They probably do. And that guy probably got overruled by another guy who said, "Forget that naysayer and instead think about how much more aggressively we can market ourselves and how much more money we can make..."

What's the difference between this and using an app such as Mailbox?

> What's the difference between this and using an app such as Mailbox?

IMHO, for what it's worth, this is why I would never use Mailbox.

On the HN thread for the blog post announcement yesterday, tptacek said "I don't care who the company is, or how trustworthy you think they are: avoid giving third parties credentials to your inbox."[0]

I would agree with that above statement - whether it's a company with a good reputation for security or a bad one (or even a nonexistent one), that's way too much power to give to any third party.

Remember that when we talk about security being about trust, it's not only about trusting their intentions, but also their power and ability. Mailbox has access to inboxes of thousands of people, some of whom have incredibly valuable emails in their inbox. Combine that with the number of services that use email as a means for authentication, and you have an incredibly attractive target for an attacker.

For what it's worth, I should mention that I've been working on a self-hosted product that provides the functionality of Mailbox/Boomerang, but without the privacy and security implications of using a third-party: https://github.com/ChimeraCoder/go-yo

[0] https://news.ycombinator.com/item?id=6600879

Asked the same question, but nobody answered. https://news.ycombinator.com/item?id=6601179

I mean, Mailbox literally does the same thing (editing your messages on their backend -- http://www.mailboxapp.com/blog/?p=1#javascript-now-filtered-...) and no one cares. LinkedIn does it and the Internet goes shit crazy.

I have never heard of Mailbox before, but I have heard of LinkedIn.

Mailbox is part of Dropbox

Worth noting is that they originally were not. http://techcrunch.com/2013/03/15/mailbox-cost-dropbox-around...

I've never heard of Mailbox before, but based on that description, I would never use it.

Welcome to Hacker News.

There is at least one difference: Mailbox only supports gmail, and as such only asks for oauth credentials with permissions to read from and write to your inbox, not username/password. Linkedin does the same thing with gmail (and google apps) but they also support mail services that don't have this support.

I guess Mailbox will support other email soon

More people know what LinkedIn is.

And, perhaps more importantly, people don't like LinkedIn.

Tons of people use LinkedIn...

Using it and liking it aren't the same thing. Shedloads of people here use Facebook, and a fair percentage of them would no doubt gleefully criticize it given half a chance.

And there are also tons of people who don't necessarily like using the service, but are somewhat forced to for a number of reasons. I, for one, don't find the service that useful; however, most employers find it particularly odd if you don't have one.

So, you're kind of put into an odd position by electing to go against the service in this day and age. Granted, no one is putting a gun to your head and telling you to use LinkedIn. Yet societal pressures (specifically in professional circles) have somewhat made it difficult to go against the grain.

No. It's pretty simple actually. You delete your account and you say you're not on LinkedIn.

Intro doesn't have a waiting list.

In terms of access to your mail data, there is no difference. The Oauth token you grant is operationally equivalent to an IMAP password.

Nothing, and that's why I won't use either.

This is ridiculous. LinkedIn is offering a feature, optionally, to users who chose to install it. They have been upfront about how it works. If you don't like how it works, don't use it. Problem solved, myopic holier-than-thou rant avoided.

Do you honestly believe that most users who will install this will fully understand the ramifications of that choice? if yes, why do you think that, in spite of all the evidence that most users are clueless about security? If no, then in what sense are they really giving consent, if that consent is not informed?

I don't get why this is any different to anything else. What's to stop Microsoft backdooring the next Outlook, MSWord or Windows itself? Why is there so much ZOMG-FUD over this from LinkedIn than there is over anything else?

"Most users" blindly type the same password into Facebook that they do for Twitter, LinkedIn, Gmail, OK Cupid, eBay and PayPal. Any of those services can (and do) get hacked and the password opens all the other services. Should we shut them down too?

By this rationale, almost nobody could ever install any software at all. In practice, LinkedIn's software may be a blunt instrument that I would not want to use, but the vast majority of software really is run on faith based on the provider's reputation. (And yes, it does sometimes bite people, even with things that are not LinkedIn Intro.)

Maybe we should also ban junk food. I mean, I'm sure many people don't "fully understand the ramifications of that choice".

Are you really saying people don't understand junk food is unhealthy to the same degree they don't understand IT?

The idea is to be consistent, not please the majority.

I can't say if people's understanding of how junk food is bad for them is greater than their understanding of internet security, but I wouldn't say that they're fundamentally different things.

My point is that "what people understand" is not universal, and is highly subjective. We can't assume that everybody understands why alcohol, smoking, junk food, lack of physical activity, medicine, etc. are potentially "bad" for them. Yet we don't ban most of these things "in case some people don't understand".

We teach people about health and nutrition, why shouldn't we do the same about IT (I mean, it's such a huge part of our lives now that we can't ignore it)?

Too many people jump on the "prohibition" train, when it's rarely the best solution. Rather than limit what companies can do (it's rarely objectively bad; they're offering users a feature in exchange for a subjective downside), I would focus on teaching people, not limiting what can be done.

But maybe that's just me.

> Problem solved, myopic holier-than-thou rant avoided.

There will be many many people who will use it and won't be aware of all these facts. It is important to discuss these things so that everyone knows and possibly, stays away. If you don't know what it does, you may install it. See - it goes full circle.

It's not just that. If I, as a non-Intro using person, email someone who uses Intro (whether I know this or not), LinkedIn has that email.

> 1. Attorney-client privilege.

Really? I guess you better have your own SMTP server set up then, or hope your email provider is willing to go to bat for your rights...

> 8. If I were the NSA…

Yeah, it sounds like they definitely have needed it so far...

Five of the other things are basically the same point, remade in five different ways. This is a really weak list. There are certainly concerns, but most of these problems are symptomatic of our email system as it is. And have we all forgotten how crazy everyone went when we found out Google was going to start advertising in Gmail?

Incidentally, many lawyers and law firms run their own mail servers for precisely this reason.

I think there's more to it than that. They want audit trails and backups, they don't want you reading email from unapproved devices, etc.

Yes, but it's a part. When I was a law student, confidentiality was named as the main reason why we weren't allowed to use Gmail for legal clinic work. If you just want audit trails and backups, there are other ways of accomplishing that don't involve outright banning use of a third party mail service.

"why we weren't allowed to use Gmail for legal clinic work."

Since that time (I assume this was a while ago; I can't imagine it was recent since most of these schools now use hosted email providers), almost every single state has issued opinions stating that storing email with a cloud provider does not break privilege.

AFAIK nobody has cared much since New York's ethics opinion in 2008.

Nope, this was still the rule for Berkeley as of 2012. Since then though, they've been replacing Berkeley's prior system with Google Apps. I'm not sure if that changed anything.

I should also note that there have been a couple of cases since 2008 where courts ruled that use of an employer's e-mail system broke privilege with respect to that employer. See, e.g., Holmes v. Petrovich, 191 Cal. App. 4th 1047 (Jan. 2011). It might be a stretch, but I could see someone trying to argue that Gmail use voided A/C privilege with respect to a lawsuit against Google.

There are also a lot of court cases the other way, and those cases were more about employment agreements, handbooks, and TOU, than they were about by general privilege breaking by using a cloud email provider.

LinkedIn just seems overwhelmingly sleazy to me. How do they keep getting away with this stuff?

Right? Are they purposely trying to come off like a Disney villain? Absolutely everything they do is ruthless and aggressive. If you sign up for an account now, they email everyone you know. It just happens; even if you try to avoid it. Then they ask for a second email address.. you know, in case the first.. goes inactive suddenly? People fall for that, thinking LinkedIn is legit enough to be trustworthy.

I deleted my account forever ago, but I get emails constantly saying so-and-so wants to connect with me. After the first 3-5, I looked into it. Nope-- no one's trying to contact me through LinkedIn at all. Just LinkedIn doing its thing.

you know, in case the first.. goes inactive suddenly?

Yes, exactly. In case you signed up using your work email, like practically everybody does, and then one day find yourself not working where you used to work.

In case you signed up using your work email, like practically everybody does

1) Why would anyone use a temporary email to sign up to a social service?

2) Why would anyone use their work email for a job networking social site knowing full well that work emails are not private?

There are a lot of people who use their work e-mails with LinkedIn because LinkedIn provides a useful adjunct to their actual work. A company that I used to work for, for example, had a link to each person's LinkedIn profile on their biography page. The testimonials they received on LinkedIn were worth rather more than the ones that might be put up on the business' own site.

Because your invitation came from a coworker who used, you guessed it, your work email.

People tell LinkedIn "Please, please, pretty please build something that lets me view LinkedIn contact info while reading email on my phone." LinkedIn builds it.

> People tell LinkedIn "Please, please, pretty please build something that lets me view LinkedIn contact info while reading email on my phone."

Did they? Did they really?

No. LinkedIn spent considerable effort building something that nobody wants and nobody will opt into.

I think you're joking, but we both know this isn't the first time they've done that.

> No. LinkedIn spent considerable effort building something that nobody wants

That's pretty much what I thought, i.e "LinkedIn spent considerable effort building something that very few of their users want".

Thanks for confirming that there's no evidence otherwise.

It's more common than you may think, especially for companies where the user is not a paying customer and the feature benefits the company. Sure somebody wants this feature. Somebody who works for linkedin and isn't a security geek.

And for companies with poor-decision-making skills or short-term thinking.

To be fair, he didn't say which people...

Getting away with what? Can you tell me what they should have done to offer the same end-user functionality in a way that would not seem "sleazy" to you?

HN is a huge LinkedIn fanboy site. Surprised to see this.

I wonder if they called it "intro" to make it impossible to google for so that no one can ever figure out what they're agreeing to when they install it.

What does the sig it appends look like? I will have to make sure to never send email to anyone who has the tell-tale "I opt into spyware" flag.

Nicely stated, what I didn't see mentioned was the iframe it introduces into the mail. It can use this iframe to collect all kinds of additional data about you.

In the first instance I thought this was an app that was running in the background on your phone, I would have called that doing the impossible. This is just a MITM, and not a very good one at that.

I'm not saying 1 bad turn deserves another, but this is no worse than what any company operating at scale does when they serve https through a gateway service (Scrubbers, CDN, whatever).

To celebrate this, I removed LinkedIn apps from my devices.

Why not just delete your account as well? I deleted mine a year ago and I have no reason to look back

Do you expect some kind of reward? Sheep of the year maybe?

There's no need to be mean to people doing something you agree with.

Whether I agree or not is not the point. It was a "me too" comment, and I made sure to point it out.

Could I have done a better job at it? Probably.

This idea is such a disaster I don't even know how it was allowed to see the light of day. The sad fact is that there are untold numbers of people who will install this monstrosity.

Serious questions though, if you are an IT shop - how do you defend against this trojan horse app?

Maybe you can scan email coming into your corporate accounts, looking for LinkedIn SMTP servers in the headers? It may then be straightforward to find out (after the fact) if your users are using this service.

Aside: as Raymond Chen often asks, "What if two companies did this?" Can you layer this service with a hypothetical similar one from Facebook? If not, it seems like a huge first-mover advantage.
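As an added example of the header scan proposed in the comment above (this is not code from the thread, from LinkedIn, or from any vendor), the script below walks the Received: chain of inbound messages and flags any hop that sits under a watched relay domain. The domain names in SUSPECT_RELAY_DOMAINS and the two sample messages are constructed placeholders; the thread does not identify the real hostnames of the Intro relay, so you would substitute whatever hosts show up in your own mail logs.

```python
"""Added example (not from the thread): flag inbound mail that passed
through a suspect relay by walking the Received: chain of each message.

SUSPECT_RELAY_DOMAINS holds assumed placeholders, not real Intro hosts;
replace them with the relay hostnames you actually observe in your logs.
"""
import re
from email import message_from_string
from email.message import Message

# Assumed watch-list of relay domains (placeholders for illustration only).
SUSPECT_RELAY_DOMAINS = ("intro-proxy.example.net", "mailproxy.example.org")

# Hostname that follows a "from" or "by" token inside a Received: header.
_HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hosts(msg: Message) -> list[str]:
    """Every host named in the Received: chain, newest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        unfolded = " ".join(str(hdr).split())  # undo RFC 5322 header folding
        hosts.extend(h.lower().rstrip(".") for h in _HOST_RE.findall(unfolded))
    return hosts


def suspect_hops(hosts, watch=SUSPECT_RELAY_DOMAINS) -> list[str]:
    """Hosts equal to, or under, a watched domain (deduplicated, in order)."""
    hits = [h for h in hosts
            if any(h == d or h.endswith("." + d) for d in watch)]
    return list(dict.fromkeys(hits))


def scan(raw: str, watch=SUSPECT_RELAY_DOMAINS) -> dict:
    """Parse one RFC 5322 message and report whether it touched a watched relay."""
    msg = message_from_string(raw)
    hosts = received_hosts(msg)
    hits = suspect_hops(hosts, watch)
    return {
        "from": msg.get("From"),
        "message_id": msg.get("Message-ID"),
        "hops": hosts,
        "suspect_hops": hits,
        "flagged": bool(hits),
    }


# Constructed sample 1: a direct partner-to-corp delivery, nothing suspicious.
CLEAN_SAMPLE = """Received: from mx1.corp.example (mx1.corp.example [10.0.0.5])
    by inbox.corp.example with ESMTPS id abc123;
    Thu, 24 Oct 2013 10:00:00 -0700
Received: from mail.partner.example (mail.partner.example [203.0.113.7])
    by mx1.corp.example with ESMTPS id def456;
    Thu, 24 Oct 2013 09:59:58 -0700
From: alice@partner.example
To: bob@corp.example
Message-ID: <1@partner.example>
Subject: Q4 contract

Hi Bob.
"""

# Constructed sample 2: the sender's phone submitted the mail to a proxy relay
# (assumed hostname), which then handed it to the corporate MX.
RELAYED_SAMPLE = """Received: from mx1.corp.example (mx1.corp.example [10.0.0.5])
    by inbox.corp.example with ESMTPS id ghi789;
    Thu, 24 Oct 2013 10:05:00 -0700
Received: from relay3.intro-proxy.example.net (relay3.intro-proxy.example.net [198.51.100.9])
    by mx1.corp.example with ESMTPS id jkl012;
    Thu, 24 Oct 2013 10:04:58 -0700
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by relay3.intro-proxy.example.net with ESMTPSA id mno345;
    Thu, 24 Oct 2013 10:04:55 -0700
From: carol@partner.example
To: bob@corp.example
Message-ID: <2@partner.example>
Subject: Re: Q4 contract

Hi Bob, see attached.
"""

if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, RELAYED_SAMPLE):
        result = scan(sample)
        print(result["message_id"], "FLAGGED" if result["flagged"] else "ok",
              result["suspect_hops"])
```

Two caveats before relying on this. Only the Received: lines stamped by your own MTA (the top-most hops) are trustworthy; everything below them is whatever the sender's side chose to write, so a relay that omits its own hop is invisible here, and this is an after-the-fact indicator rather than a control. Second, Intro as described in the thread sits on the retrieval (IMAP) path, which adds no header at all, so a scan like this only catches mail that was sent outbound through the relay, not mail that was merely read through it.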

Right, first mover. I'm afraid LinkedIn has selfishly crossed a line that we will all suffer for. Other companies will no doubt try to do similarly idiotic things in the name of "convenience", "features", etc.

Related: https://news.ycombinator.com/item?id=6430893

"LinkedIn Founder says 'all of these privacy concerns tend to be old people issues.'"

The bit about privacy starts at the 13 minute mark.

I desperately want to delete LinkedIn, but I am also looking for my first developer jobs in the tech field. In my former field, no one would ever ask for your LI profile. You send a resume, link to a resume, whatever. In the tech field, every single company I've interviewed with so far has looked at my linkedin profile before our interview and specifically requested it. Until the field changes, or I have a stronger status as a developer, I feel I have to be there or get overlooked for someone who is there.

Simply tell them you don't use it because of ethical reasons, and explain why if asked. If you would like a replacement then check out http://careers.stackoverflow.com/ (requires a certain amount of SO rep or an invite, which I would be willing to give but I see no way of doing that with you).

If an employer is worth any salt they should be placing a higher value on your StackOverflow account, Github account and/or personal site (with resume). I don't see any value in LinkedIn; to me it's still just a glorified resume site (and one without any verification; many people make stuff up).

Turn this to your advantage. I'd be more impressed by a reasoned explanation of why you aren't on LinkedIn than any puffery you might have on your page.

In other news, e-mail is an insecure protocol and most people transmit in the clear and don't have their own e-mail infrastructure anyway.

It's interesting this "blog post" came from a professional security company that makes its money from scaring individuals and companies about security threats.

Is it just me, or is this firm even worse than LinkedIn?

I wonder how this affects BYOD at work. Corporations would be furious to have their email content scanned by LinkedIn.

Well, let's take these one by one:


1. Attorney-client privilege.

I'm guessing most law firms use third party email servers, anti-virus, anti-spam and archive/audit systems which this would also apply to. It would also apply if you're using Rapportive, Xobni or the like (or integrated time-tracking, billing, CRM, etc.).


2. By default, LinkedIn changes the content of your emails.

Irrelevant. Unless you read your emails in plain text every modern email client changes how email is displayed.


3. Intro breaks secure email.

Yes. Except iOS mail doesn't support crypto signatures anyway.


4. LinkedIn got owned.

Yes. LinkedIn adds an extra point of vulnerability.


5. LinkedIn is storing your email communications.

Well metatdata but yes.


7. It’s probably a gross violation of your company’s security policy.

Yes. As is using Linkedin itself. Or Dropbox. Or Github. Or Evernote. Or Chrome. Or any enterprise software that uses the bottom up approach.


8. If I were the NSA…

The NSA has access to your emails if they want them anyway. Email isn't a secure protocol against a well funded adversary.


9. It’s not what they say, but what they don’t say

This looks like a semantic dispute, but it doesn't look any more vague than say Google's privacy policy. Companies in certain circumstances are legally required to provide access to information.


10. Too many secrets

These all seem to be questions that can either be answered by testing or ones that LinkedIn would probably be happy to disclose, but unlikely to be major issues to mainstream users.


So fundamentally it comes down to two points: granting LinkedIn access to your email creates a new point of attack, and LinkedIn themselves might use your email in ways you find undesirable.

So it's essentially a trade-off for the benefits you get from the app versus those risks. For a personal account which you use for private emails, personal banking, etc. the evaluation is obviously going to be very much different from say a salesperson's work account which they use for managing communication with leads.

In the latter case they may already be trusting LinkedIn with similar confidential information and already use multiple services (analytics, CRM, etc.) that hook into their email, so the additional relative risk might be smaller.

As people with technical expertise we shouldn't use scare-mongering to push our personal viewpoints upon those with less expertise, but rather help people understand the security/benefit trade-offs that they're making so they can decide for themselves whether to take those risks.

It's important to treat the wider non-technical community with respect and as adults capable of making their own judgements and not as kids who need to be scared into safety.

> It's important to treat the wider non-technical community with respect and as adults capable of making their own judgements and not as kids who need to be scared into safety.

I think the technical community gets particularly worked up over email security for the same reason that many scientifically literate people get violently angry at the anti-vaccination crowd. Being lax about vaccination requirements can compromise herd immunity, just as allowing other people to hand over their email credentials can potentially compromise my email security if I ever have to communicate with them.

In this case, I think the technical crowd is largely justified in their outrage. Even though any adult should be able to exercise their own judgement, they're not making their decision in a vacuum. Their decision affects others, so those who care have a vested interest in encouraging them to choose wisely. There's a negative externality at play here.

Emails should (admittedly they're often not) be treated like postcards; they're not secure. They'll go over the wire in plaintext, they'll be read in public, etc.

Most businesses which actually require secure messaging will tend to use self-hosted web based email (like most banks do), encrypted messaging (Salesforce Chatter, Reuters Messenger) or secure virtual deal rooms.

That's a straw-man. LinkedIn is attacking the human side of information security, not the technical side. They're going after email today because it happens to be everywhere.

Tomorrow's communication system could be leagues more secure than email, but if we don't put LinkedIn in their place now, we're signaling to them that they're welcome to try the same thing tomorrow (perhaps using PGP keys instead of login credentials). Even the most secure cryptosystems are worthless if you can convince a small subset of users to hand you their keys to the castle.

Obviously email today is pretty terrible and should be treated like a postcard, but it's the principle that I'm getting upset about. I don't want LinkedIn conditioning my mom and dad into thinking that it's reasonable to hand over your login credentials, because it most definitely isn't.

I agree that oauth is a better solution, but more broadly on this issue account/password sharing is pretty common in the business world because many services don't support multi-user access to accounts.

1. A law firm paying for 3rd party email hosting is not the same as every employee routing their mail through some random website.

2. Executing software on your own device to reformat content is not the same as every employee sending their content out to a random website to have the content reformatted.

5. Please identify yourself and tell us how you know that Linkedin will not store the content of messages in the future.

I had to stop reading at #8. Now I think you are just being sarcastic.

> 7. It’s probably a gross violation of your company’s security policy.
> Yes. As is using Linkedin itself. Or Dropbox. Or Github. Or Evernote. Or Chrome. Or any enterprise software that uses the bottom up approach.

I doubt I could even find a company that prohibited accessing LinkedIn from a work computer anymore. Many don't disallow installing software either.

If you truly believe what you wrote, you almost certainly believe accessing work email from a personal device is prohibited at typical companies. Maybe this is true at large companies, but not anywhere I've worked.

Your argument has no validity. You claim that it's absurd for IT to differentiate between "sending your email to your phone" and "sending your email through a third party with no connection to email deliverability and no business relationship".

Obviously you've never worked in any industry that has regulatory obligations. I work for a bank, on the team that looks after blocking all of this. We don't allow LinkedIn. We don't allow installing arbitrary software. We don't allow accessing personal email from work devices or vice versa. Regulators can, and will, fine you for doing these things without consulting them.

Apple prohibits developers from listing details of what they're working on on their linkedin profile for trade secret reasons.

Countless companies prohibit salespeople from connecting to potential leads on linkedin to prevent it leaking to competitors.

I'm guessing you've not worked in enterprise, because it's pretty normal to have a company policy on "bring-your-own-device" (typically companies will only allow access from devices that meet security requirements on password, anti-virus, etc.; often they'll also require the ability to remotely wipe your device).

Every (serious) company prohibits its employees from disclosing secret information, be it on LinkedIn or by phone, and even verbally with your friends. That doesn't mean it's forbidden to use LinkedIn, make phone calls, or talk to people.

You doubt you could find a company that prohibited accessing LinkedIn from a work computer? In that scenario, how hard would you be trying? Many companies I know don't let their employees upgrade their IE from 6 or 7 (which is where that market share comes from); I sincerely doubt those companies are letting employees on LinkedIn.

Regarding your #3 point: http://support.apple.com/kb/HT4979

iOS supports S/MIME.

Just for completeness' sake, there's also GPG for iOS as well: https://itunes.apple.com/us/app/opengp-lite/id405279153?mt=8

Fair enough, assuming that Intro breaks the S/MIME support (which I'm guessing that it does) then it adds the risk that users using S/MIME can't verify the integrity of mail in the app. So that's something else that S/MIME users should evaluate when judging the risks.

Do you work at/for/rendered services to LinkedIn in any way?

No. I have no relationship with LinkedIn other than as a user.

> 1. Attorney-client privilege.
> I'm guessing most law firms use third party email servers, anti-virus, anti-spam and archive/audit systems which this would also apply to. It would also apply if you're using Raportive, Xobni or the like (or integrated time-tracking, billing, crm, etc.).

I can't speak for all law firms, but mine has been resistant to using any such third party services. I know some firms have relaxed their policies and there are plenty of lawyers who use Gmail, but the overall law here isn't settled and can vary from state to state.

> every modern email client changes how email is displayed.

The point is, LinkedIn is a third-party app. It broke the sandbox mechanism in iOS.

A third party email server does not change this. The user's email server is not used. That's the point.

If a client sends an attorney an email from their iPhone, it will go to LinkedIn, instead of the client's own email server.

If an attorney sends a client an email from their iPhone, it will go to LinkedIn, instead of the attorney's own email server.

Just for point 7, it might be completely legitimate for HR or a recruiter to use LinkedIn as part of his/her work.

In number 7, what do you mean by bottom up approach?

To me the bigger news was that iframes in emails are run inside mail clients. Anyone know if other mail clients do this or is it just the one in iOS?

I would really like to know this as well. I use gmail, which by default blocks images from loading unless explicitly allowed. I would be pretty upset if I knew that people could insert hidden iframes and achieve the same goal without it at least prompting me. Unfortunately I can't seem to figure out how to write html email from the gmail web interface and I don't feel like installing an email client just to test it out.

Just tried it in Thunderbird with a gmail account, it doesn't render the contents of the iframe unless you click the "Show remote content" button.

Interestingly, it will then display images if that is in the src attribute, but still doesn't render https://google.com.
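The Thunderbird behaviour tested above (nothing remote is fetched until the user clicks "Show remote content") is a mail-client policy, and the simplest way to see what such a policy has to cover is to write one. The following is an added example, not code from Thunderbird, iOS Mail or any product discussed in the thread: a small HTML-mail sanitizer on Python's standard library that drops embedded frames, objects and scripts outright, strips remote image sources, removes inline event-handler attributes, and records every blocked resource so a client could offer a "load remote content" button. The sample message body and the `tracker.example.net` URLs in it are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that embed or execute external content; dropped with their children.
DROP_TAGS = {"iframe", "frame", "object", "embed", "script"}
# Void elements never get a closing tag, so they must not adjust nesting depth.
VOID_TAGS = {"embed", "img", "br", "hr", "input", "meta", "link"}
REMOTE_SCHEMES = {"http", "https"}


class MailHtmlSanitizer(HTMLParser):
    """Rewrite HTML mail so nothing is fetched or run without the user's
    say-so: frames/objects/scripts are removed, remote image sources are
    stripped, inline event-handler attributes are dropped. Everything
    blocked is recorded so a client can offer 'show remote content'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked = []       # (tag, url) pairs the sanitizer refused to load
        self._skip_depth = 0    # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            for name, value in attrs:
                if name in ("src", "data") and value:
                    self.blocked.append((tag, value))
            if tag not in VOID_TAGS:
                self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):           # onload=, onerror=, ...
                continue
            if tag == "img" and name == "src" and value \
                    and urlparse(value).scheme.lower() in REMOTE_SCHEMES:
                self.blocked.append((tag, value))  # remote image: do not fetch
                continue
            kept.append((name, value))
        attr_text = "".join(
            ' %s="%s"' % (n, escape(v, quote=True)) if v is not None else " " + n
            for n, v in kept)
        self.out.append("<%s%s>" % (tag, attr_text))

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            if tag not in VOID_TAGS and self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_mail_html(html: str):
    """Return (sanitized_html, blocked_resources) for one HTML mail body."""
    parser = MailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed HTML mail body: a hidden iframe beacon and a tracking pixel
# alongside legitimate content.
SAMPLE_MAIL_HTML = (
    '<p>Hi Alice, see the draft.</p>'
    '<iframe src="https://tracker.example.net/beacon?id=123" width="0" height="0"></iframe>'
    '<img src="https://tracker.example.net/pixel.gif" width="1" height="1">'
    '<p>Regards, <b>Bob</b></p>'
)

if __name__ == "__main__":
    clean, blocked = sanitize_mail_html(SAMPLE_MAIL_HTML)
    print(clean)
    for tag, url in blocked:
        print("blocked %s -> %s" % (tag, url))
```

Note that the iframe is removed entirely rather than offered for later loading: a frame can carry a whole page with its own scripts and requests, so "show remote content" for images is a much smaller concession than rendering a frame would be. Inline images addressed by `cid:` (attachments of the same message) are left alone, since displaying them contacts no server.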

I'd put money on this being fixed/removed/blocked in 7.0.4/7.1.

Shhhh! Don't bring rationality into this HN anti-LinkedIn Circle-jerk!

> Shhhh! Don't bring rationality into this HN anti-LinkedIn Circle-jerk!

That's a reddit-level comment.

People with technical, ethical or privacy concerns are just as relevant to the discussion. LinkedIn already has a shady history in terms of unauthorized data slurping, privacy and handling of users. No one has to swallow what they're offering now as altruistic if they don't want to.

Plenty of concerns indeed...

6.5 Million LinkedIn Password Hashes Leaked

LinkedIn sued by users who say it hacked their e-mail accounts

Your iPhone calendar isn’t private—at least if you use the LinkedIn app

LinkedIn: The Creepiest Social Network

LinkedIn opts 100 million users into sharing information with ads

LinkedIn is Evil


LinkedIn was also pulling down your contacts/address book through that iOS flaw just like Path and several other apps were at the time.

The thing that I find interesting is if LinkedIn goes ahead and does this, how many other companies will want to join the bandwagon and then we'll end up with our email being bounced around through a slew of different proxies so everyone can add their spam and ads to it.

And with each one trying to remove the content produced by the others in some "clever" way.

Seriously? This is what Intro is? How is it not a bigger deal? People get upset over the littlest Facebook changes, but something this big barely shows up?

Probably because you have to explicitly enable this. With Facebook changes you don't get the choice.

I'm still not able to believe I read that right. Does LinkedIn really re-route your emails to their servers in their entirety? I looked at their announcement and video at http://blog.linkedin.com/2013/10/23/announcing-linkedin-intr.... There is NOT even a hint of disclosure that they are doing this. I can imagine 10 ways to achieve a similar user experience without re-routing entire emails. So if this is true, LinkedIn really, really fundamentally screwed up with customer trust.

I just can't fathom how something so ridiculous could pass so many engineers at LinkedIn, without raising flags on how bad this is. The moment I saw the word "proxy" I cringed!

I wonder how Rapportive is doing these days. That is, whether this plug-in sits in people's GMail app and sends out data to LinkedIn or not.

After all, we are talking about the same team more or less, and surely the same company who owns Rapportive today.

If my concerns are real, one might find it ironic that Rapportive was backed by YC and Paul Buchheit, the creator of Gmail, and now this very company is violating GMail users' privacy.

Yikes. I've still been using Rapportive, but learning that it's being adapted into this monstrosity has instantly dissolved any trust I had for the product. Removing it now.

> Intro breaks secure mail.

If it's modifying the message, it likely breaks DKIM too, meaning your messages will be more likely to be flagged as spam.

More generally, this is the catalyst for me leaving LinkedIn. They've never generated any new business (not even a single lead), and if I'm honest the only reason I use it is more about my ego than anything useful.
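The DKIM point above is easy to check concretely. What follows is an added example (it is not from the thread, from LinkedIn, or from any DKIM library): the receiver-side body-hash check from RFC 6376, with "relaxed" body canonicalization, run once over a message as its sender signed it and once over the same message after an in-path proxy has appended a block of HTML. Only the `bh=` body hash is verified; the `b=` tag, which would carry the RSA signature over the headers, is left as a placeholder because verifying it needs the signer's public key from DNS. The message text, the `example.com` domain and the `sel1` selector are constructed for the example.

```python
import base64
import hashlib
import re

CRLF = "\r\n"


def relaxed_body_canonicalize(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: strip trailing whitespace
    on each line, collapse runs of spaces/tabs to one space, drop empty
    lines at the end of the body, and terminate the body with CRLF."""
    lines = []
    for line in body.split(CRLF):
        line = re.sub(r"[ \t]+$", "", line)
        line = re.sub(r"[ \t]+", " ", line)
        lines.append(line)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return (CRLF.join(lines) + CRLF).encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def build_dkim_signature(body: str, domain: str = "example.com",
                         selector: str = "sel1") -> str:
    """Constructed DKIM-Signature header value for the sample message.
    b= would normally carry the RSA signature over the listed headers
    (which include this bh=); it is a placeholder here because no
    signing key is involved in this example."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; "
            "h=from:to:subject:date; bh=%s; b=PLACEHOLDER"
            % (domain, selector, body_hash(body)))


def parse_tags(header_value: str) -> dict:
    """Split a tag=value list (RFC 6376 section 3.2) into a dict,
    discarding folding whitespace inside values."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")   # base64 padding keeps its '='
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Receiver-side body check: recompute bh= over the body as delivered
    and compare it with the value the signer committed to."""
    return parse_tags(dkim_signature).get("bh") == body_hash(body)


def inject_footer(body: str, footer: str) -> str:
    """Model a mail proxy that rewrites the body by appending content."""
    return body.rstrip(CRLF) + CRLF + footer + CRLF


# Constructed sample message body and the signature its sender would attach.
ORIGINAL_BODY = ("Hi Alice," + CRLF + CRLF
                 + "Contract draft attached." + CRLF
                 + "-- Bob" + CRLF)
SIGNATURE = build_dkim_signature(ORIGINAL_BODY)

# What arrives after an in-path proxy adds its own HTML card to the body.
REWRITTEN_BODY = inject_footer(
    ORIGINAL_BODY, '<div class="profile-card">[card inserted by proxy]</div>')

if __name__ == "__main__":
    print("original body passes bh check:",
          body_hash_matches(SIGNATURE, ORIGINAL_BODY))
    print("rewritten body passes bh check:",
          body_hash_matches(SIGNATURE, REWRITTEN_BODY))
```

Relaxed canonicalization is why a change of whitespace or line wrapping survives the check while any change of content does not: the hash is over the normalized body, so a proxy cannot claim its insertion is "only formatting". RFC 6376's optional `l=` tag, which limits the hash to a prefix of the body, would let appended content through; the RFC itself flags that as a security consideration, and signers are generally advised not to use it, so in practice a body-rewriting proxy leaves the receiver with a signature that no longer verifies.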

The idea itself is not that compelling that I would install it even if it fulfilled all the criteria of security.

Good thing I use gmail.

Good for you. Google Tells Court You Cannot Expect Privacy When Sending Messages to Gmail http://www.consumerwatchdog.org/newsrelease/google-tells-cou...

This is incorrect. Completely out of context and actually quite the opposite to what happened.

I was being ironic.

That shows that no engineer has any say in what LinkedIn does. I can't imagine any tech security aware individual would take such responsibility upon himself.

How did the C-people even find out such a thing is possible? Some intern who just found out how mail works probably was flapping his jaw too much.

Is this claim true? I thought the Feds were claiming that using any hosted email (Gmail, Hotmail, etc), is considered a 3rd party subject to subpoena.

> These communications are generally legally privileged and can’t be used as evidence in court – but only if you keep the messages confidential.

Opportunity time... are there any more scrupulous alternatives to LinkedIn?

So make a plugin for your email client which raises a little Intro flag when you receive an email from an Intro user.

Hmm if enough people complain Apple might close this feature. At least it's opt-in. As for me, I would say no.

Shocking how something like this came out of Linkedin and Apple has not booted them from the App store yet?
