
Well, let's take these one by one:

-------------

1. Attorney-client privilege.

I'm guessing most law firms use third-party email servers, anti-virus, anti-spam and archive/audit systems, which this would also apply to. It would also apply if you're using Rapportive, Xobni or the like (or integrated time-tracking, billing, CRM, etc.).

-------------

2. By default, LinkedIn changes the content of your emails.

Irrelevant. Unless you read your emails in plain text, every modern email client changes how email is displayed.

-------------

3. Intro breaks secure email.

Yes. Except iOS mail doesn't support crypto signatures anyway.

-------------

4. LinkedIn got owned.

Yes. LinkedIn adds an extra point of vulnerability.

-------------

5. LinkedIn is storing your email communications.

Well, metadata, but yes.

-------------

7. It’s probably a gross violation of your company’s security policy.

Yes. As is using LinkedIn itself. Or Dropbox. Or GitHub. Or Evernote. Or Chrome. Or any enterprise software that uses the bottom-up approach.

-------------

8. If I were the NSA…

The NSA has access to your emails if they want them anyway. Email isn't a secure protocol against a well-funded adversary.

-------------

9. It’s not what they say, but what they don’t say

This looks like a semantic dispute, but it doesn't look any more vague than, say, Google's privacy policy. Companies in certain circumstances are legally required to provide access to information.

-------------

10. Too many secrets

These all seem to be questions that can either be answered by testing or ones that LinkedIn would probably be happy to disclose, but unlikely to be major issues to mainstream users.

-------------

So fundamentally it comes down to two points: granting LinkedIn access to your email creates a new point of attack, and LinkedIn themselves might use your email in ways you find undesirable.

So it's essentially a trade-off between the benefits you get from the app and those risks. For a personal account which you use for private emails, personal banking, etc., the evaluation is obviously going to be very different from, say, a salesperson's work account which they use for managing communication with leads.

In the latter case they may already be trusting LinkedIn with similar confidential information and already use multiple services (analytics, CRM, etc.) that hook into their email, so the additional relative risk might be smaller.

As people with technical expertise we shouldn't use scare-mongering to push our personal viewpoints upon those with less expertise, but rather help people understand the security/benefit trade-offs that they're making so they can decide for themselves whether to take those risks.

It's important to treat the wider non-technical community with respect and as adults capable of making their own judgements and not as kids who need to be scared into safety.




> It's important to treat the wider non-technical community with respect and as adults capable of making their own judgements and not as kids who need to be scared into safety.

I think the technical community gets particularly worked up over email security for the same reason that many scientifically literate people get violently angry at the anti-vaccination crowd. Being lax about vaccination requirements can compromise herd immunity, just as allowing other people to hand over their email credentials can potentially compromise my email security if I ever have to communicate with them.

In this case, I think the technical crowd is largely justified in their outrage. Even though any adult should be able to exercise their own judgement, they're not making their decision in a vacuum. Their decision affects others, so those who care have a vested interest in encouraging them to choose wisely. There's a negative externality at play here.

-----


Emails should be (admittedly they're often not) treated like postcards; they're not secure. They'll go over the wire in plaintext, they'll be read in public, etc.

Most businesses which actually require secure messaging will tend to use self-hosted web-based email (like most banks do), encrypted messaging (Salesforce Chatter, Reuters Messenger) or secure virtual deal rooms.

-----


That's a straw-man. LinkedIn is attacking the human side of information security, not the technical side. They're going after email today because it happens to be everywhere.

Tomorrow's communication system could be leagues more secure than email, but if we don't put LinkedIn in their place now, we're signaling to them that they're welcome to try the same thing tomorrow (perhaps using PGP keys instead of login credentials). Even the most secure cryptosystems are worthless if you can convince a small subset of users to hand you their keys to the castle.

Obviously email today is pretty terrible and should be treated like a postcard, but it's the principle that I'm getting upset about. I don't want LinkedIn conditioning my mom and dad into thinking that it's reasonable to hand over your login credentials, because it most definitely isn't.

-----


I agree that OAuth is a better solution, but more broadly on this issue, account/password sharing is pretty common in the business world because many services don't support multi-user access to accounts.

-----


1. A law firm paying for third-party email hosting is not the same as every employee routing their mail through some random website.

2. Executing software on your own device to reformat content is not the same as every employee sending their content out to a random website to have the content reformatted.

5. Please identify yourself and tell us how you know that LinkedIn will not store the content of messages in the future.

I had to stop reading at #8. Now I think you are just being sarcastic.

-----


> 7. It’s probably a gross violation of your company’s security policy.

> Yes. As is using Linkedin itself. Or Dropbox. Or Github. Or Evernote. Or Chrome. Or any enterprise software that uses the bottom up approach.

I doubt I could even find a company that prohibited accessing LinkedIn from a work computer anymore. Many don't disallow installing software either.

If you truly believe what you wrote, you almost certainly believe accessing work email from a personal device is prohibited at typical companies. Maybe this is true at large companies, but not anywhere I've worked.

Your argument has no validity. You claim that it's absurd for IT to differentiate between "sending your email to your phone" and "sending your email through a third party with no connection to email deliverability and no business relationship".

-----


Obviously you've never worked in any industry that has regulatory obligations. I work for a bank, on the team that looks after blocking all of this. We don't allow LinkedIn. We don't allow installing arbitrary software. We don't allow accessing personal email from work devices or vice versa. Regulators can, and will, fine you for doing these things without consulting them.

-----


Apple prohibits developers from listing details of what they're working on on their LinkedIn profile for trade secret reasons.

Countless companies prohibit salespeople from connecting to potential leads on LinkedIn to prevent it leaking to competitors.

I'm guessing you've not worked in enterprise, because it's pretty normal to have a company policy on "bring your own device" (typically companies will only allow access from devices that meet security requirements on password, anti-virus, etc.; often they'll also require the ability to remotely wipe your device).

-----


Every (serious) company prohibits its employees from disclosing secret information, be it on LinkedIn, by phone, or even verbally with your friends. That doesn't mean it's forbidden to use LinkedIn, make phone calls, or talk to people.

-----


You doubt you could find a company that prohibited accessing LinkedIn from a work computer? In that scenario, how hard would you be trying? Many companies I know don't let their employees upgrade their IE from 6 or 7 (which is where that market share comes from); I sincerely doubt those companies are letting employees on LinkedIn.

-----


Regarding your #3 point: http://support.apple.com/kb/HT4979

iOS supports S/MIME.

-----


Just for completeness' sake, there's also GPG for iOS as well: https://itunes.apple.com/us/app/opengp-lite/id405279153?mt=8

-----


Fair enough. Assuming that Intro breaks the S/MIME support (which I'm guessing it does), then it adds the risk that users using S/MIME can't verify the integrity of mail in the app. So that's something else that S/MIME users should evaluate when judging the risks.

-----


Do you work at/for/rendered services to LinkedIn in any way?

-----


No. I have no relationship with LinkedIn other than as a user.

-----


> 1. Attorney-client privilege.

> I'm guessing most law firms use third party email servers, anti-virus, anti-spam and archive/audit systems which this would also apply to. It would also apply if you're using Raportive, Xobni or the like (or integrated time-tracking, billing, crm, etc.).

I can't speak for all law firms, but mine has been resistant to using any such third party services. I know some firms have relaxed their policies and there are plenty of lawyers who use Gmail, but the overall law here isn't settled and can vary from state to state.

-----


> every modern email client changes how email is displayed.

The point is, LinkedIn is a third-party app. It broke the sandbox mechanism in iOS.

-----


A third-party email server does not change this. The user's email server is not used. That's the point.

If a client sends an attorney an email from their iPhone, it will go to LinkedIn instead of the client's own email server.

If an attorney sends a client an email from their iPhone, it will go to LinkedIn instead of the attorney's own email server.

-----


Just for point 7, it might be completely legitimate for HR or a recruiter to use LinkedIn as part of his/her work.

-----


In number 7, what do you mean by "bottom-up approach"?

-----


To me the bigger news was that iframes in emails are rendered inside mail clients. Anyone know if other mail clients do this, or is it just the one in iOS?

-----


I would really like to know this as well. I use Gmail, which by default blocks images from loading unless explicitly allowed. I would be pretty upset if I knew that people could insert hidden iframes and achieve the same goal without it at least prompting me. Unfortunately I can't seem to figure out how to write HTML email from the Gmail web interface, and I don't feel like installing an email client just to test it out.

-----


Just tried it in Thunderbird with a Gmail account; it doesn't render the contents of the iframe unless you click the "Show remote content" button.

Interestingly, it will then display images if that is what is in the src attribute, but it still doesn't render https://google.com.
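As an added example (not code from anyone in this thread), the following Python script does the check the two comments above describe by hand: it parses the HTML part of a message and lists every remote resource (iframe, image, script, stylesheet) that a client would fetch if "remote content" were enabled. The message is constructed inline; the hostnames are placeholders.

```python
# Added example: enumerate the remote loads hidden in an HTML email body.
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose src/href cause a network fetch when the HTML is rendered.
REMOTE_ATTRS = {"iframe": "src", "img": "src", "script": "src", "link": "href"}


class RemoteRefCollector(HTMLParser):
    """Collect (tag, url) pairs for elements that pull content off the network."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # cid: and data: references are inline and never leave the device.
            if name == attr and value and urlparse(value).scheme in ("http", "https"):
                self.refs.append((tag, value))


def remote_refs(raw_message: bytes):
    """Return [(tag, url), ...] for the text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = RemoteRefCollector()
    collector.feed(html_part.get_content())
    return collector.refs


def build_sample() -> bytes:
    """Constructed sample: a hidden iframe, a tracking pixel and an inline (cid:) logo."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("plain text fallback")
    msg.add_alternative(
        '<html><body><p>Hello</p>'
        '<img src="https://tracker.example.invalid/pixel.gif" width="1" height="1">'
        '<iframe src="https://remote.example.invalid/frame" style="display:none"></iframe>'
        '<img src="cid:inline-logo"></body></html>',
        subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for tag, url in remote_refs(build_sample()):
        print(f"{tag}: {url}")
```

A client that honours a "block remote content" setting must gate exactly these references; the cid: image is local and is correctly left out of the list.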

-----


I'd put money on this being fixed/removed/blocked in 7.0.4/7.1.

-----


Shhhh! Don't bring rationality into this HN anti-LinkedIn Circle-jerk!

-----


> Shhhh! Don't bring rationality into this HN anti-LinkedIn Circle-jerk!

That's a reddit-level comment.

People with technical, ethical or privacy concerns are just as relevant to the discussion. LinkedIn already has a shady history in terms of unauthorized data slurping, privacy and handling of users. No one has to swallow what they're offering now as altruistic if they don't want to.

Plenty of concerns indeed...

6.5 Million LinkedIn Password Hashes Leaked

https://news.ycombinator.com/item?id=4073309

LinkedIn sued by users who say it hacked their e-mail accounts

https://news.ycombinator.com/item?id=6425444

Your iPhone calendar isn’t private—at least if you use the LinkedIn app

http://arstechnica.com/apple/2012/06/your-iphone-calendar-is...

LinkedIn: The Creepiest Social Network

https://news.ycombinator.com/item?id=5680680

LinkedIn opts 100 million users into sharing information with ads

https://news.ycombinator.com/item?id=2872030

LinkedIn is Evil

https://news.ycombinator.com/item?id=220138

LinkedIn was also pulling down your contacts/address book through that iOS flaw just like Path and several other apps were at the time.

-----



