If you're on LinkedIn, and you use a smart phone...
I hate to do this, but it's something that anyone managing email servers (or just using a smart phone to update LI) needs to know about. I just saw this on another list I'm on, and I know that there are folks on NANOG that are on LinkedIn.
++++++++++ http://www.bishopfox.com/blog/2013/10/linkedin-intro/
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
++++++++++
Read the full article. If you're using LI via your smart phone, and you have already installed this app, you probably need to save off your contacts and data, and wipe the phone. I wouldn't trust uninstalling as enough, myself. In the long run, I'll be deleting my account.
No, I don't use a smart phone to update any social media. No, I especially do not trust LI (never have, never will). BTW, they're currently adding back any contacts you've deleted. Thanks for reminding me that Joe Barr, Len Sassaman, and Jay D Dyson are gone from this world.
-- Life may not be the party we hoped for, but while we are here, we might as well dance.
Well, this concerned me at first, but then I read the description of how it's done (http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios): We understand that operating an email proxy server carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. I find this completely reassuring. I'd expand on that, but I have to go buy a used car now. Jim Shankland
Also... I got some sand in the desert for sale... act now I even throw in some alligators This is a limited time offer too... Operators are standing by... Ruff, Ruff...! Network IPdog Ephesians 4:32 & Cheers!!! A password is like a... toothbrush ;^) Choose a good one, change it regularly and don't share it. -----Original Message----- From: Jim Shankland [mailto:nanog@shankland.org] Sent: Friday, October 25, 2013 9:46 AM To: nanog@nanog.org Subject: Re: If you're on LinkedIn, and you use a smart phone... Well, this concerned me at first, but then I read the description of how it's done (http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios) : We understand that operating an email proxy server carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. I find this completely reassuring. I'd expand on that, but I have to go buy a used car now. Jim Shankland
"Here is the view from your new homesite...." Aaron D. Osgood Streamline Solutions L.L.C P.O. Box 6115 Falmouth, ME 04105 TEL: 207-781-5561 MOBILE: 207-831-5829 ICQ: 206889374 GVoice: 207.518.8455 GTalk: aaron.osgood AOsgood@Streamline-Solutions.net http://www.streamline-solutions.net Introducing Efficiency to Business since 1986. -----Original Message----- From: Network IPdog [mailto:network.ipdog@gmail.com] Sent: Friday, October 25, 2013 1:00 PM To: 'Jim Shankland'; nanog@nanog.org Subject: RE: If you're on LinkedIn, and you use a smart phone... Also... I got some sand in the desert for sale... act now I even throw in some alligators This is a limited time offer too... Operators are standing by... Ruff, Ruff...! Network IPdog Ephesians 4:32 & Cheers!!! A password is like a... toothbrush ;^) Choose a good one, change it regularly and don't share it. -----Original Message----- From: Jim Shankland [mailto:nanog@shankland.org] Sent: Friday, October 25, 2013 9:46 AM To: nanog@nanog.org Subject: Re: If you're on LinkedIn, and you use a smart phone... Well, this concerned me at first, but then I read the description of how it's done (http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios) : We understand that operating an email proxy server carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. I find this completely reassuring. I'd expand on that, but I have to go buy a used car now. Jim Shankland
next thing you know, Google is going to be offering free email so they can do the same thing. On Fri, 25 Oct 2013 08:45:40 -0700 Shrdlu <shrdlu@deaddrop.org> wrote:
I hate to do this, but it's something that anyone managing email servers (or just using a smart phone to update LI) needs to know about. I just saw this on another list I'm on, and I know that there are folks on NANOG that are on LinkedIn.
++++++++++ http://www.bishopfox.com/blog/2013/10/linkedin-intro/
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
++++++++++
Read the full article. If you're using LI via your smart phone, and you have already installed this app, you probably need to save off your contacts and data, and wipe the phone. I wouldn't trust uninstalling as enough, myself. In the long run, I'll be deleting my account.
No, I don't use a smart phone to update any social media. No, I especially do not trust LI (never have, never will). BTW, they're currently adding back any contacts you've deleted. Thanks for reminding me that Joe Barr, Len Sassaman, and Jay D Dyson are gone from this world.
-- Life may not be the party we hoped for, but while we are here, we might as well dance.
--
I saw some anecdotal stuff on this yesterday but reading their engineering blog entry makes me feel all warm and fuzzy inside. Oh nevermind, that's just the alcohol. This is perhaps one of the worst ideas I've seen concocted by a social media company yet. -Phil On 10/25/13, 6:56 PM, "George Bakos" <gbakos@alpinista.org> wrote:
next thing you know, Google is going to be offering free email so they can do the same thing.
On Fri, 25 Oct 2013 08:45:40 -0700 Shrdlu <shrdlu@deaddrop.org> wrote:
I hate to do this, but it's something that anyone managing email servers (or just using a smart phone to update LI) needs to know about. I just saw this on another list I'm on, and I know that there are folks on NANOG that are on LinkedIn.
++++++++++ http://www.bishopfox.com/blog/2013/10/linkedin-intro/
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
++++++++++
Read the full article. If you're using LI via your smart phone, and you have already installed this app, you probably need to save off your contacts and data, and wipe the phone. I wouldn't trust uninstalling as enough, myself. In the long run, I'll be deleting my account.
No, I don't use a smart phone to update any social media. No, I especially do not trust LI (never have, never will). BTW, they're currently adding back any contacts you've deleted. Thanks for reminding me that Joe Barr, Len Sassaman, and Jay D Dyson are gone from this world.
-- Life may not be the party we hoped for, but while we are here, we might as well dance.
--
Anyone who has access to logs for their email infrastructure ought probably to check for authentications to user accounts from linkedin's servers. Likely, people in your organization are entering their credentials into linkedin to add to their contact list. Is it a problem if a social media company has your users' credentials? I guess it depends on your definition of "is." The same advice might apply to this perversion of trust as well, but I'm not sure how linkedin is achieving this "feat." On Fri, Oct 25, 2013 at 7:25 PM, Phil Bedard <bedard.phil@gmail.com> wrote:
I saw some anecdotal stuff on this yesterday but reading their engineering blog entry makes me feel all warm and fuzzy inside. Oh nevermind, that's just the alcohol. This is perhaps one of the worst ideas I've seen concocted by a social media company yet.
-Phil
On 10/25/13, 6:56 PM, "George Bakos" <gbakos@alpinista.org> wrote:
next thing you know, Google is going to be offering free email so they can do the same thing.
On Fri, 25 Oct 2013 08:45:40 -0700 Shrdlu <shrdlu@deaddrop.org> wrote:
I hate to do this, but it's something that anyone managing email servers (or just using a smart phone to update LI) needs to know about. I just saw this on another list I'm on, and I know that there are folks on NANOG that are on LinkedIn.
++++++++++ http://www.bishopfox.com/blog/2013/10/linkedin-intro/
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
++++++++++
Read the full article. If you're using LI via your smart phone, and you have already installed this app, you probably need to save off your contacts and data, and wipe the phone. I wouldn't trust uninstalling as enough, myself. In the long run, I'll be deleting my account.
No, I don't use a smart phone to update any social media. No, I especially do not trust LI (never have, never will). BTW, they're currently adding back any contacts you've deleted. Thanks for reminding me that Joe Barr, Len Sassaman, and Jay D Dyson are gone from this world.
-- Life may not be the party we hoped for, but while we are here, we might as well dance.
--
When a user signs up for a social media account they generally do so by providing an email address like victim@freewebmailsite.com and selecting a password. The social media site can obviously probe freewebmailsite.com and attempt to authenticate using the same password that you just provided to them (for the purpose of logging into their social media site). I guess offering an email proxy or asking if it's ok to worm through your email for contacts is merely a formality. How many social media users do you guess would use the same password on the social media site as they would for freewebmailsite.com (and likely their employer's organization's email)? It's kind of like when google asks their users with android phones to provide their mobile phone number for SMS password recovery. Laszlo On Oct 25, 2013, at 11:43 PM, Chris Hartley <hartleyc@gmail.com> wrote:
Anyone who has access to logs for their email infrastructure ought probably to check for authentications to user accounts from linkedin's servers. Likely, people in your organization are entering their credentials into linkedin to add to their contact list. Is it a problem if a social media company has your users' credentials? I guess it depends on your definition of "is." The same advice might apply to this perversion of trust as well, but I'm not sure how linkedin is achieving this "feat."
On Fri, Oct 25, 2013 at 7:25 PM, Phil Bedard <bedard.phil@gmail.com> wrote:
I saw some anecdotal stuff on this yesterday but reading their engineering blog entry makes me feel all warm and fuzzy inside. Oh nevermind, that's just the alcohol. This is perhaps one of the worst ideas I've seen concocted by a social media company yet.
-Phil
On 10/25/13, 6:56 PM, "George Bakos" <gbakos@alpinista.org> wrote:
next thing you know, Google is going to be offering free email so they can do the same thing.
On Fri, 25 Oct 2013 08:45:40 -0700 Shrdlu <shrdlu@deaddrop.org> wrote:
I hate to do this, but it's something that anyone managing email servers (or just using a smart phone to update LI) needs to know about. I just saw this on another list I'm on, and I know that there are folks on NANOG that are on LinkedIn.
++++++++++ http://www.bishopfox.com/blog/2013/10/linkedin-intro/
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
++++++++++
Read the full article. If you're using LI via your smart phone, and you have already installed this app, you probably need to save off your contacts and data, and wipe the phone. I wouldn't trust uninstalling as enough, myself. In the long run, I'll be deleting my account.
No, I don't use a smart phone to update any social media. No, I especially do not trust LI (never have, never will). BTW, they're currently adding back any contacts you've deleted. Thanks for reminding me that Joe Barr, Len Sassaman, and Jay D Dyson are gone from this world.
-- Life may not be the party we hoped for, but while we are here, we might as well dance.
--
On Fri, Oct 25, 2013 at 6:43 PM, Chris Hartley <hartleyc@gmail.com> wrote:
Anyone who has access to logs for their email infrastructure ought probably to check for authentications to user accounts from linkedin's servers. [snip]
Perhaps a prudent countermeasure would be to redirect all POP, IMAP, and Webmail access to your corporate mail server from all of LinkedIn's IP space to a "Honeypot" that will simply log usernames/credentials attempted. The list of valid credentials, can then be used to dispatch a warning to the offender, and force a password change. This could be a useful proactive countermeasure against the UIT (Unintentional Insider Threat); of employees inappropriately entering corporate e-mail credentials into a known third party service with outside of organizational control. Seeing as Linkedin almost certainly is not providing signed NDAs and privacy SLAs; it seems reasonable that most organizations who understand what is going on, would not approve of use of the service with their internal business email accounts. -- -JH
Well said -- Jason Hellenthal Voice: 95.30.17.6/616 JJH48-ARIN On Oct 26, 2013, at 2:06, Jimmy Hess <mysidia@gmail.com> wrote: On Fri, Oct 25, 2013 at 6:43 PM, Chris Hartley <hartleyc@gmail.com> wrote:
Anyone who has access to logs for their email infrastructure ought probably to check for authentications to user accounts from linkedin's servers. [snip]
Perhaps a prudent countermeasure would be to redirect all POP, IMAP, and Webmail access to your corporate mail server from all of LinkedIn's IP space to a "Honeypot" that will simply log usernames/credentials attempted. The list of valid credentials, can then be used to dispatch a warning to the offender, and force a password change. This could be a useful proactive countermeasure against the UIT (Unintentional Insider Threat); of employees inappropriately entering corporate e-mail credentials into a known third party service with outside of organizational control. Seeing as Linkedin almost certainly is not providing signed NDAs and privacy SLAs; it seems reasonable that most organizations who understand what is going on, would not approve of use of the service with their internal business email accounts. -- -JH
There's a reason I use an email alias if I sign up to places like that and why I do not place much information on these sites... There's a reason I maintain somewhere approaching 20 passwords in my head too and why the password I use for accessing my own systems will never be the password I use to access a system neither I nor my employer control. It's just common sense. Remember, the greatest threat to your privacy and security is YOU! How many of us go about detailing every aspect of our lives on facebook or twitter or something and, if someone is of a mind to comb through it, in the process self-disclose everything necessary for someone to basically become us? The hackers/corporate scrapers don't even really *HAVE* to try to thieve information anymore. We give it to them all without them even asking! -Wayne On Sat, Oct 26, 2013 at 02:16:05AM -0400, Jason Hellenthal wrote:
Well said
-- Jason Hellenthal Voice: 95.30.17.6/616 JJH48-ARIN
On Oct 26, 2013, at 2:06, Jimmy Hess <mysidia@gmail.com> wrote:
On Fri, Oct 25, 2013 at 6:43 PM, Chris Hartley <hartleyc@gmail.com> wrote:
Anyone who has access to logs for their email infrastructure ought probably to check for authentications to user accounts from linkedin's servers. [snip]
Perhaps a prudent countermeasure would be to redirect all POP, IMAP, and Webmail access to your corporate mail server from all of LinkedIn's IP space to a "Honeypot" that will simply log usernames/credentials attempted.
The list of valid credentials, can then be used to dispatch a warning to the offender, and force a password change.
This could be a useful proactive countermeasure against the UIT (Unintentional Insider Threat); of employees inappropriately entering corporate e-mail credentials into a known third party service with outside of organizational control.
Seeing as Linkedin almost certainly is not providing signed NDAs and privacy SLAs; it seems reasonable that most organizations who understand what is going on, would not approve of use of the service with their internal business email accounts.
-- -JH
--- Wayne Bouchard web@typo.org Network Dude http://www.typo.org/~web/
On 26. okt. 2013 08:06, Jimmy Hess wrote:
Perhaps a prudent countermeasure would be to redirect all POP, IMAP, and Webmail access to your corporate mail server from all of LinkedIn's IP space to a "Honeypot" that will simply log usernames/credentials attempted.
The list of valid credentials, can then be used to dispatch a warning to the offender, and force a password change.
This could be a useful proactive countermeasure against the UIT (Unintentional Insider Threat); of employees inappropriately entering corporate e-mail credentials into a known third party service with outside of organizational control.
Seeing as Linkedin almost certainly is not providing signed NDAs and privacy SLAs; it seems reasonable that most organizations who understand what is going on, would not approve of use of the service with their internal business email accounts.
Depends on linkedin being nice, but could this be an idea? In addition to the proposed network level controls of course. At least users could get an informative response rather than just some dumb error / "it doesn't work" if you block Intro. http://feedback.intro.linkedin.com/forums/227301-linkedin-intro-feedback/sug... Votes maybe? I considered proposing making it opt-in on the domain level, but that won't fly for them I'm sure.
I don't see that happening. I have heard of a couple companies sending out emails saying installing it violates company IT policies and I'm sure those using MDM will create policies to disable it. It's one of those things which should probably just fade into history quietly. Maybe LinkedIn should petition Apple to find a way to integrate the info. Windows Phone for instance already internally does exactly what Intro does without scraping emails. Phil
On Oct 26, 2013, at 6:20 PM, Andre Tomt <andre-nanog@tomt.net> wrote:
On 26. okt. 2013 08:06, Jimmy Hess wrote: Perhaps a prudent countermeasure would be to redirect all POP, IMAP, and Webmail access to your corporate mail server from all of LinkedIn's IP space to a "Honeypot" that will simply log usernames/credentials attempted.
The list of valid credentials, can then be used to dispatch a warning to the offender, and force a password change.
This could be a useful proactive countermeasure against the UIT (Unintentional Insider Threat); of employees inappropriately entering corporate e-mail credentials into a known third party service with outside of organizational control.
Seeing as Linkedin almost certainly is not providing signed NDAs and privacy SLAs; it seems reasonable that most organizations who understand what is going on, would not approve of use of the service with their internal business email accounts.
Depends on linkedin being nice, but could this be an idea? In addition to the proposed network level controls of course. At least users could get an informative response rather than just some dumb error / "it doesn't work" if you block Intro.
http://feedback.intro.linkedin.com/forums/227301-linkedin-intro-feedback/sug...
Votes maybe?
I considered proposing making it opt-in on the domain level, but that won't fly for them I'm sure.
----- Original Message -----
From: "Jimmy Hess" <mysidia@gmail.com>
This could be a useful proactive countermeasure against the UIT (Unintentional Insider Threat); of employees inappropriately entering corporate e-mail credentials into a known third party service with outside of organizational control.
Alas, it can't. Using it against LI would work, cause you have a hope of knowing what address space their proxies are in. You can't do that generically, unless you somehow whitelist the IPs your users will be validly coming from, or figure out a way to determine what client is connecting. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
On Sun, Oct 27, 2013 at 1:19 PM, Jay Ashworth <jra@baylink.com> wrote:
Alas, it can't. Using it against LI would work, cause you have a hope of knowing what address space their proxies are in.
LI's behavior is unique. LI is probably the only one you need to detect.
You can't do that generically, unless you somehow whitelist the IPs your users will be validly coming from, or figure out a way to determine what client is connecting.
This may be easier than you think, if remote account access is allowed only using Web-based mail, and company managed mobile devices. Whitelist the cell carrier's mobile network, using ActiveSync. An IMAP connection attempt from anywhere is immediately suspect.
-- jra
-- -JH
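The log check Chris Hartley suggests, together with the allowlist variant discussed in this exchange, as an added example that is not from any poster in the thread. It assumes Dovecot-style login log lines (constructed here), and the networks are placeholders from the RFC 5737 documentation ranges because the thread gives no real address space for the proxies.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder for the third party's proxy address space (not real ranges;
# the thread does not list them). Replace with ranges you have verified.
WATCHLIST = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed policy for the allowlist variant: IMAP/POP3 is only expected from
# these networks (office LAN and VPN pool, both hypothetical).
ALLOWED = [ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("198.51.100.0/24")]

# Matches successful and failed imap-login / pop3-login events.
LOGIN_RE = re.compile(
    r"dovecot: (?P<proto>imap|pop3)-login: (?P<event>[^:]+): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)


def _in_any(ip, networks):
    # A v6 address tested against a v4 network is simply "not in".
    return any(ip in net for net in networks)


def classify(line):
    """Return a dict describing one login event, or None for other lines."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["rip"])
    except ValueError:
        return None  # malformed address field, skip rather than guess
    if _in_any(ip, WATCHLIST):
        verdict = "watchlist"
    elif _in_any(ip, ALLOWED):
        verdict = "allowed"
    else:
        verdict = "outside-allowlist"
    return {
        "user": m["user"].lower() or "(no user)",
        "proto": m["proto"],
        "ip": str(ip),
        "success": m["event"] == "Login",
        "verdict": verdict,
    }


def review(lines):
    """Count, per account, the logins that need a second look."""
    per_user = defaultdict(
        lambda: {"watchlist_ok": 0, "watchlist_failed": 0, "outside_allowlist": 0}
    )
    for line in lines:
        ev = classify(line)
        if ev is None or ev["verdict"] == "allowed":
            continue
        if ev["verdict"] == "watchlist":
            key = "watchlist_ok" if ev["success"] else "watchlist_failed"
        else:
            key = "outside_allowlist"
        per_user[ev["user"]][key] += 1
    return dict(per_user)


def accounts_to_reset(lines):
    """Accounts whose working password was presented from the watchlist."""
    return sorted(u for u, c in review(lines).items() if c["watchlist_ok"])


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
Oct 26 02:11:07 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.45, lip=203.0.113.10, mpid=4101, TLS, session=<a1>
Oct 26 02:11:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=192.0.2.46, lip=203.0.113.10, TLS, session=<b2>
Oct 26 02:12:30 mail dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=10.1.2.3, lip=10.0.0.5, mpid=4102, TLS, session=<c3>
Oct 26 02:13:44 mail dovecot: pop3-login: Login: user=<dave@example.com>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.10, mpid=4103, TLS, session=<d4>
Oct 26 02:15:02 mail dovecot: imap-login: Login: user=<Alice@example.com>, method=PLAIN, rip=192.0.2.45, lip=203.0.113.10, mpid=4104, TLS, session=<e5>
Oct 26 02:15:10 mail postfix/smtpd[991]: connect from unknown[192.0.2.45]
Oct 26 02:16:20 mail dovecot: imap-login: Login: user=<erin@example.com>, method=PLAIN, rip=2001:db8::5, lip=2001:db8::1, mpid=4105, TLS, session=<f6>
""".splitlines()

if __name__ == "__main__":
    for user, counts in sorted(review(SAMPLE_LOG).items()):
        print(user, counts)
    print("force password change:", accounts_to_reset(SAMPLE_LOG))
```

A failed attempt from the watchlist still means the user typed some credential into the third-party service, so those accounts merit a warning even though no reset is forced.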
Jimmy Hess wrote: [...]
This may be easier than you think, if remote account access is allowed only using Web-based mail, and company managed mobile devices. Whitelist the cell carrier's mobile network, using ActiveSync.
An IMAP connection attempt from anywhere is immediately suspect.
This assumes good mobile data signal and no use of home WiFi, hotel WiFi, airport WiFi etc... I'm not convinced your proposal is much better than stopping the device from being useful in a significant proportion of the situations it would be used.
Chris Hartley wrote:
Anyone who has access to logs for their email infrastructure ought probably to check for authentications to user accounts from linkedin's servers. Likely, people in your organization are entering their credentials into linkedin to add to their contact list. Is it a problem if a social media company has your users' credentials? I guess it depends on your definition of "is." The same advice might apply to this perversion of trust as well, but I'm not sure how linkedin is achieving this "feat."
Heck, it ought to show in the received headers. Of course they may purposefully not be adding a received header in which their sleaze factor goes up even more. Mike
On Fri, 25 Oct 2013 22:56:48 -0000, George Bakos said:
next thing you know, Google is going to be offering free email so they can do the same thing.
The difference is that Google only does it to your @gmail.com address. It doesn't snarf up all your outbound gbakos@alpinista.org mail too.
The other difference is that Google tells you up front, LinkedIn installed this out of the blue without any real permissions. Of course if this were an opt in thing, nobody would be opting in! Well, I never did install their app and most certainly never will, and am telling all of my friends about this as well. Gary Baribault Courriel: gary@baribault.net GPG Key: 0x685430d1 Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 10/25/2013 08:24 PM, Valdis.Kletnieks@vt.edu wrote:
On Fri, 25 Oct 2013 22:56:48 -0000, George Bakos said:
next thing you know, Google is going to be offering free email so they can do the same thing. The difference is that Google only does it to your @gmail.com address. It doesn't snarf up all your outbound gbakos@alpinista.org mail too.
On Sat, Oct 26, 2013 at 7:46 PM, Gary Baribault <gary@baribault.net> wrote:
The other difference is that Google tells you up front, LinkedIn installed this out of the blue without any real permissions. Of course if this were an opt in thing, nobody would be opting in! Well, I never did install their app and most certainly never will, and am telling all of my friends about this as well.
Have you actually confirmed it's NOT opt-in? The screenshots on the Linked-in engineering blog referenced earlier certainly make it look like it is. http://engineering.linkedin.com/sites/default/files/intro_installer_0.png Of course, you could argue there's a difference between opting-in for "enhancing your email with Intro" and opting-in for "Please MITM all of my email and dynamic modify it", but that's really just semantics - it definitely appears to be opt-in. Scott
Scott Howard wrote:
Have you actually confirmed it's NOT opt-in? The screenshots on the Linked-in engineering blog referenced earlier certainly make it look like it is.
http://engineering.linkedin.com/sites/default/files/intro_installer_0.png
Of course, you could argue there's a difference between opting-in for "enhancing your email with Intro" and opting-in for "Please MITM all of my email and dynamic modify it", but that's really just semantics - it definitely appears to be opt-in.
There's consent and then there's informed consent. Unless they explicitly disclaim that "WE CAN AND DO READ EVERY PIECE OF MAIL YOU SEND AND RECEIVE AND USE IT FOR WHATEVER WE WANT" then it isn't informed consent. My guess is that the confirmation dialogs are more along the lines of "DO YOU LIKE CUTE KITTENS?" Mike
On Sat, Oct 26, 2013 at 7:46 PM, Gary Baribault <gary@baribault.net> wrote:
The other difference is that Google tells you up front, LinkedIn installed this out of the blue without any real permissions. Of course if this were an opt in thing, nobody would be opting in! Well, I never did install their app and most certainly never will, and am telling all of my friends about this as well.
Have you actually confirmed it's NOT opt-in? The screenshots on the Linked-in engineering blog referenced earlier certainly make it look
It's opt-in in that if you bother to read the 240,405 pager of the agreement when you install the 'upgrade' software, then you have in fact opted in .. so legally (IANAL) you have opted in. BS! Gary B Gary Baribault Courriel: gary@baribault.net GPG Key: 0x685430d1 Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 10/26/2013 04:23 PM, Scott Howard wrote: like it is.
http://engineering.linkedin.com/sites/default/files/intro_installer_0.png
Of course, you could argue there's a difference between opting-in for
"enhancing your email with Intro" and opting-in for "Please MITM all of my email and dynamic modify it", but that's really just semantics - it definitely appears to be opt-in.
Scott
Adding Zaid Ali Khan for feedback. On Fri, Oct 25, 2013 at 10:45 AM, Shrdlu <shrdlu@deaddrop.org> wrote:
I hate to do this, but it's something that anyone managing email servers (or just using a smart phone to update LI) needs to know about. I just saw this on another list I'm on, and I know that there are folks on NANOG that are on LinkedIn.
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
++++++++++
Read the full article. If you're using LI via your smart phone, and you have already installed this app, you probably need to save off your contacts and data, and wipe the phone. I wouldn't trust uninstalling as enough, myself. In the long run, I'll be deleting my account.
No, I don't use a smart phone to update any social media. No, I especially do not trust LI (never have, never will). BTW, they're currently adding back any contacts you've deleted. Thanks for reminding me that Joe Barr, Len Sassaman, and Jay D Dyson are gone from this world.
-- Life may not be the party we hoped for, but while we are here, we might as well dance.
And then of course there was this: http://www.informationweek.com/social-business/social_networking_consumer/li... Linkedin denies the allegations, but I'm convinced there's something to them. I was receiving a steady stream of linkedin invites on behalf of one acquaintance until I marked them as spam. Is Linkedin the kind of organization I would feel comfortable with exposing my email to? Hell to the no! On Fri, Oct 25, 2013 at 7:48 PM, Paul WALL <pauldotwall@gmail.com> wrote:
Adding Zaid Ali Khan for feedback.
On Fri, Oct 25, 2013 at 10:45 AM, Shrdlu <shrdlu@deaddrop.org> wrote:
I hate to do this, but it's something that anyone managing email servers (or just using a smart phone to update LI) needs to know about. I just saw this on another list I'm on, and I know that there are folks on NANOG that are on LinkedIn.
++++++++++ http://www.bishopfox.com/blog/2013/10/linkedin-intro/
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
++++++++++
Read the full article. If you're using LI via your smart phone, and you have already installed this app, you probably need to save off your contacts and data, and wipe the phone. I wouldn't trust uninstalling as enough, myself. In the long run, I'll be deleting my account.
No, I don't use a smart phone to update any social media. No, I especially do not trust LI (never have, never will). BTW, they're currently adding back any contacts you've deleted. Thanks for reminding me that Joe Barr, Len Sassaman, and Jay D Dyson are gone from this world.
-- Life may not be the party we hoped for, but while we are here, we might as well dance.
(My apologies to those of you who are also on the mailop list and have already seen these remarks.) This isn't particularly surprising: LinkedIn are spammers. Have been since forever. They hit real addresses, fake addresses, mailing lists, spamtraps, never-existed addresses, everything. And like other dedicated spammers before them -- Spamford comes to mind -- they're quite happy to shift their abuse modality. (You'll recall that Spamford tried junk faxing, adware, etc.) This is certainly a novel approach, but it's completely in keeping with their "business philosophy". The response is what will determine whether we'll get more of this (of course with the self-serving lie that one can always "opt-out"). I do hope that the aggregate reply to this vicious attack on the privacy, security and integrity of the Internet is met with widespread firewalling and null-routing -- because if it's not, if this is actually allowed to succeed, it WILL be copied. (I'll add "and with legal action", but I'm not an attorney and thus unqualified to speak to whether litigation is appropriate or even possible.) ---rsk
participants (21)
- Aaron D. Osgood
- Andre Tomt
- Chris Hartley
- Gary Baribault
- George Bakos
- Jason Hellenthal
- Jay Ashworth
- Jay Farrell
- Jim Shankland
- Jimmy Hess
- Laszlo Hanyecz
- Leo Vegoda
- Michael Thomas
- Network IPdog
- Paul WALL
- Phil Bedard
- Rich Kulawiec
- Scott Howard
- Shrdlu
- Valdis.Kletnieks@vt.edu
- Wayne E Bouchard