If you're on LinkedIn, and you use a smart phone...

I hate to do this, but it's something that anyone managing email
servers (or just using a smart phone to update LI) needs to know
about. I just saw this on another list I'm on, and I know that there
are folks on NANOG that are on LinkedIn.

Well, this concerned me at first, but then I read the description of how it's done (http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios):

     We understand that operating an email proxy server carries great responsibility.
     We respect the fact that your email may contain very personal or sensitive
     information, and we will do everything we can to make sure that it is safe.

I find this completely reassuring. I'd expand on that, but I have to go buy a used car now.

Jim Shankland

Also...

I got some sand in the desert for sale... act now I even throw in some
alligators

This is a limited time offer too...

Operators are standing by...

Ruff, Ruff...!

Network IPdog

Ephesians 4:32 & Cheers!!!

A password is like a... toothbrush ;^)
Choose a good one, change it regularly and don't share it.

"Here is the view from your new homesite...."

Aaron D. Osgood

Streamline Solutions L.L.C

P.O. Box 6115
Falmouth, ME 04105

TEL: 207-781-5561
MOBILE: 207-831-5829
ICQ: 206889374
GVoice: 207.518.8455
GTalk: aaron.osgood
AOsgood@Streamline-Solutions.net
http://www.streamline-solutions.net

Introducing Efficiency to Business since 1986.

next thing you know, Google is going to be offering free email so they
can do the same thing.

I saw some anecdotal stuff on this yesterday but reading their
engineering blog entry makes me feel all warm and fuzzy inside. Oh,
never mind, that's just the alcohol. This is perhaps one of the worst
ideas I've seen concocted by a social media company yet.

-Phil

Anyone who has access to logs for their email infrastructure ought
probably to check for authentications to user accounts from linkedin's
servers. Likely, people in your organization are entering their
credentials into linkedin to add to their contact list. Is it a
problem if a social media company has your users' credentials? I
guess it depends on your definition of "is." The same advice might
apply to this perversion of trust as well, but I'm not sure how
linkedin is achieving this "feat."

Adding Zaid Ali Khan for feedback.

The difference is that Google only does it to your @gmail.com address. It
doesn't snarf up all your outbound gbakos@alpinista.org mail too.

And then of course there was this:

http://www.informationweek.com/social-business/social_networking_consumer/linkedin-responds-to-email-grabbing-suit/240161630

Linkedin denies the allegations, but I'm convinced there's something to
them. I was receiving a steady stream of linkedin invites on behalf of one
acquaintance until I marked them as spam.

Is Linkedin the kind of organization I would feel comfortable with exposing
my email to? Hell to the no!

When a user signs up for a social media account they generally do so by providing an email address like victim@freewebmailsite.com and selecting a password. The social media site can obviously probe freewebmailsite.com and attempt to authenticate using the same password that you just provided to them (for the purpose of logging into their social media site). I guess offering an email proxy or asking if it's ok to worm through your email for contacts is merely a formality. How many social media users do you guess would use the same password on the social media site as they would for freewebmailsite.com (and likely their employer's organization's email)? It's kind of like when google asks their users with android phones to provide their mobile phone number for SMS password recovery.

Laszlo

Perhaps a prudent countermeasure would be to redirect all POP, IMAP, and
Webmail access to your corporate mail server from all of LinkedIn's IP
space to a "Honeypot" that will simply log usernames/credentials
attempted.

The list of valid credentials can then be used to dispatch a warning to
the offender, and force a password change.

This could be a useful proactive countermeasure against the UIT
(Unintentional Insider Threat) of employees inappropriately entering
corporate e-mail credentials into a known third party service
outside of organizational control.

Seeing as Linkedin almost certainly is not providing signed NDAs and
privacy SLAs, it seems reasonable that most organizations who
understand what is going on would not approve of use of the service with
their internal business email accounts.
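Both the earlier suggestion to check mail-server logs for authentications from LinkedIn's servers and the honeypot idea above come down to the same defensive step: find which of your users' credentials have been presented from a third party's address space so you can warn them and force a password change. The script below is an added example, not from any poster on this thread or from LinkedIn; it assumes Dovecot-style imap-login/pop3-login lines (constructed sample data), and the 192.0.2.0/24 range is a documentation placeholder standing in for whatever ranges the proxy actually connects from.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder for the third-party proxy's published address ranges.
# 192.0.2.0/24 is a documentation range (RFC 5737), not a real proxy range.
PROXY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in a Dovecot-like login format (assumed; adjust
# LOGIN_RE to whatever your IMAP/POP server actually logs).
SAMPLE_LOG = """\
Oct 24 09:12:01 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.17, lip=10.0.0.5, TLS
Oct 24 09:12:05 mx1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.1.2.3, lip=10.0.0.5, TLS
Oct 24 09:13:40 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.40, lip=10.0.0.5, TLS
Oct 24 09:14:02 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.5, TLS
Oct 24 09:15:11 mx1 dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.200, lip=10.0.0.5, TLS
"""

# Only successful logins ("Login:") are matched: a failed attempt from the
# proxy does not prove a valid credential has been handed over.
LOGIN_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def find_proxy_logins(log_text, networks=PROXY_NETWORKS):
    """Return {user: sorted [(service, remote_ip), ...]} for successful logins
    whose remote IP falls inside any of the given networks."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group("rip"))
        if any(addr in net for net in networks):
            hits[m.group("user")].add((m.group("svc"), m.group("rip")))
    return {user: sorted(sources) for user, sources in hits.items()}


if __name__ == "__main__":
    # Each listed user should be warned and have a password change forced.
    for user, sources in find_proxy_logins(SAMPLE_LOG).items():
        print(f"{user}: mailbox credential used from third-party proxy via {sources}")
```

Feed it your real login logs and the proxy's actual ranges; a user appearing in the output has entered a corporate mailbox password into the third-party service.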

Well said

Chris Hartley wrote:

Anyone who has access to logs for their email infrastructure ought
probably to check for authentications to user accounts from linkedin's
servers. Likely, people in your organization are entering their
credentials into linkedin to add to their contact list. Is it a
problem if a social media company has your users' credentials? I
guess it depends on your definition of "is." The same advice might
apply to this perversion of trust as well, but I'm not sure how
linkedin is achieving this "feat."

Heck, it ought to show in the Received headers. Of course they may purposefully
not be adding a Received header, in which case their sleaze factor goes up even more.

Mike

There's a reason I use an email alias if I sign up to places like
that and why I do not place much information on these sites...

There's a reason I maintain somewhere approaching 20 passwords in my
head too and why the password I use for accessing my own systems will
never be the password I use to access a system neither I nor my
employer control.

It's just common sense.

Remember, the greatest threat to your privacy and security is YOU! How
many of us go about detailing every aspect of our lives on facebook or
twitter or something and, if someone is of a mind to comb through it,
in the process self-disclose everything necessary for someone to
basically become us? The hackers/corporate scrapers don't even really
*HAVE* to try to thieve information anymore. We give it to them all
without them even asking!

-Wayne

(My apologies to those of you who are also on the mailop list and
have already seen these remarks.)

This isn't particularly surprising: LinkedIn are spammers. Have been
since forever. They hit real addresses, fake addresses, mailing lists,
spamtraps, never-existed addresses, everything.

And like other dedicated spammers before them -- Spamford comes to mind --
they're quite happy to shift their abuse modality. (You'll recall that
Spamford tried junk faxing, adware, etc.) This is certainly a novel
approach, but it's completely in keeping with their "business philosophy".

The response is what will determine whether we'll get more of this
(of course with the self-serving lie that one can always "opt-out").
I do hope that the aggregate reply to this vicious attack on the privacy,
security and integrity of the Internet is met with widespread firewalling
and null-routing -- because if it's not, if this is actually allowed to
succeed, it WILL be copied.

(I'll add "and with legal action", but I'm not an attorney and thus
unqualified to speak to whether litigation is appropriate or even
possible.)

---rsk

The other difference is that Google tells you up front; LinkedIn
installed this out of the blue without any real permissions. Of course
if this were an opt-in thing, nobody would be opting in! Well, I never
did install their app and most certainly never will, and am telling all
of my friends about this as well.

Gary Baribault
Courriel: gary@baribault.net
GPG Key: 0x685430d1
Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

Have you actually confirmed it's NOT opt-in? The screenshots on the
Linked-in engineering blog referenced earlier certainly make it look like
it is.

http://engineering.linkedin.com/sites/default/files/intro_installer_0.png

Of course, you could argue there's a difference between opting in for
"enhancing your email with Intro" and opting in for "Please MITM all of my
email and dynamically modify it", but that's really just semantics - it
definitely appears to be opt-in.

Scott

Scott Howard wrote:

Have you actually confirmed it's NOT opt-in? The screenshots on the
Linked-in engineering blog referenced earlier certainly make it look like
it is.

http://engineering.linkedin.com/sites/default/files/intro_installer_0.png

Of course, you could argue there's a difference between opting in for
"enhancing your email with Intro" and opting in for "Please MITM all of my
email and dynamically modify it", but that's really just semantics - it
definitely appears to be opt-in.

There's consent and then there's informed consent. Unless they explicitly
disclaim that "WE CAN AND DO READ EVERY PIECE OF MAIL YOU SEND AND RECEIVE
AND USE IT FOR WHATEVER WE WANT" then it isn't informed consent. My guess is
that the confirmation dialogs are more along the lines of "DO YOU LIKE CUTE
KITTENS?"

Mike

Depends on linkedin being nice, but could this be an idea? In addition to the proposed network level controls, of course. At least users could get an informative response rather than just some dumb error / "it doesn't work" if you block Intro.

http://feedback.intro.linkedin.com/forums/227301-linkedin-intro-feedback/suggestions/4801236-some-way-to-block-intro-per-domain

Votes maybe?

I considered proposing making it opt-in on the domain level, but that won't fly for them, I'm sure.