When LinkedIn posted LinkedIn Intro: Doing the Impossible on iOS I was intrigued. The post title was provocative (presumably as intended) and drew a lot of attention from various people in the security world. Several of these posts were deeply critical, which generated another post from LinkedIn titled The Facts about LinkedIn Intro. By this point I had sent emails to several of my friends who were experts in the email / SMTP / IMAP / security ecosystem and was already getting feedback that generally trended negative. And then I saw this post titled Phishing With Linkedin’s Intro - a clever phishing attack on Intro (since fixed by LinkedIn).
All of this highlights for me my general suspicion around the word “impossible” along with the complexity that is increasing as more and more services interconnect in non-standard ways.
One of the thoughtful notes I got was from Scott Petry – one of my good friends and co-founder of Authentic8 (we are investors). Scott co-founded Postini and then did a bunch of email stuff at Google after Google acquired Postini in 2007. Following are his thoughts on LinkedIn Intro.
I am all for seamless integration of services. And while “man in the middle” is commonly seen as a pejorative, the MITM approach can enable integrations that weren’t readily available previously.
Postini, which started life as a spam filtering service, became a huge email MITM enabling all sorts of email processing not available on the mail server itself. Seamless integration was a big part of our success – companies pointed their MX record to Postini, Postini filtered and passed the good stuff on to the company’s mail server. While controversial in 1999, DNS redirect-based services have become accepted across all ports and protocols. Companies such as Cloudflare, OpenDNS, Smartling, and more all offer in-line services that improve the web experience through a DNS-level MITM-type model. Simple to configure and high leverage. They just aren’t thought of as MITM services.
Extending functionality of services by authorizing plug-ins to gain access to your data can be really useful as well. I use Yesware in Gmail to help track messages and automate responses when I send company-related marketing/sales emails. It’s a great service, enabling functionality not previously available, and you could think of this as a man in the middle as well. It is important to point out that in the case of Yesware and DNS style integrations, I need to explicitly approve the integration. The details are made available up front.
New levels of integrated services are coming online daily. And vendors are getting more and more clever with APIs or skirting them altogether in order to get their app in front of us. It’s natural to be sucked in by the value of these services and it’s easy to overlook any downside. Especially given that for many of them, the people who are paid to think about security ramifications aren’t in the loop. They can be installed and configured by end users, not IT. And most users take the security for granted … or overlook it all together.
Last week, on the LinkedIn engineering blog, details on the new LinkedIn Intro app were shared. Intro integrates dynamic LinkedIn profile information directly into the iOS email app. It didn’t get much attention when it was launched, but once the engineering team blogged about how they did the impossible to integrate with the iOS email client, the story blew up.
Details on their approach here (http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios).
LinkedIn Intro does a beautiful job of auto-discovering your environment and auto-configuring itself. A click or two by the user, and they’re up and running with active LinkedIn data in their email app.
All this clever engineering hides the fact that LinkedIn is accessing your email on your behalf. Intro uses an IMAP proxy server to fetch your mail where they modify it, then deliver it to your iPhone. Classic Man in the Middle.
If you remember setting up your mail service on your iPhone, it is a bit clunky. You need to know the host names of your service, the ports, encryption values, etc. It isn’t easy. But you don’t do any of this with Intro. Instead of going through the usual configuration screens on iOS, Intro uses Apple’s “configuration profiles” capability to auto-discover your accounts and insert their servers in the middle. And since it uses OAuth to log in, it doesn’t even need to ask for your credentials.
They do such a good job of hiding what they’re doing that the significance of the data issues was lost on everyone (except the security researchers who raised the brouhaha).
This weekend, LinkedIn made another blog post. In their words, they wanted to “address inaccurate assertions that have been made” and “clear up these inaccuracies and misperceptions”. The post, here (http://blog.linkedin.com/2013/10/26/the-facts-about-linkedin-intro/), followed the PR playbook to the letter.
With one small exception concerning a profile change, the post does nothing to clear up inaccuracies and misperceptions. Instead, their post lists their reassurances about how secure the service is.
Even with these assurances, the facts remain. LinkedIn Intro pipes your email through their servers. All of it. LinkedIn Intro inserts their active web content into your email data. At their discretion.
With its clever engineering, Intro became a violation of trust. And worse, potentially a massive security hole. If the research community didn’t raise the alarm, the details of Intro’s integration wouldn’t have hit the radar.
I think the lesson here is two-fold:
1) We live in a world where our data is scattered across a variety of disparate systems. It is incumbent on us to understand the risks and weigh them against the reward of the shiny new app promising to make our lives better. If something appears to be too good to be true, it probably is.
2) Vendors need to be more transparent about what they’re doing with our data. Especially if the vendor has a spotty reputation in privacy and security realms. If they’re not, the Internet community will do it for you.
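The mechanism Scott describes above (a configuration profile that quietly points the phone's IMAP and SMTP settings at a third party's proxy) is something you can check for before tapping "Install". The script below is an added example, not code from the original post and not anything LinkedIn shipped: it parses a `.mobileconfig` (an XML plist) with Python's standard `plistlib`, walks the `com.apple.mail.managed` payloads, and flags any account whose incoming or outgoing server is neither under the mailbox's own domain nor on a list of hosts you already trust. The embedded profile and the `proxy-vendor.invalid` hostnames are constructed for the demonstration; the payload keys are the ones Apple's configuration profile format uses for managed mail accounts.

```python
"""Added example (not from the original post or from LinkedIn): audit an
iOS/macOS configuration profile (.mobileconfig, an XML plist) and flag mail
payloads whose IMAP/SMTP servers do not belong to the configured address's
domain. The sample profile and all hostnames below are constructed."""
import plistlib
from typing import Dict, List

# Constructed sample profile: an example.com mailbox whose IMAP and SMTP
# servers point at an unrelated host, the "server in the middle" pattern.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.profile.mail</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>Mail (constructed sample)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.profile.mail.account</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>alice@example.com</string>
      <key>IncomingMailServerHostName</key><string>imap.proxy-vendor.invalid</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>OutgoingMailServerHostName</key><string>smtp.proxy-vendor.invalid</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
      <key>OutgoingMailServerUseSSL</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

MAIL_PAYLOAD_TYPE = "com.apple.mail.managed"
SERVER_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName")
TLS_KEYS = ("IncomingMailServerUseSSL", "OutgoingMailServerUseSSL")


def _same_org(host: str, mail_domain: str) -> bool:
    """True if host equals mail_domain or is a subdomain of it."""
    host, mail_domain = host.lower().rstrip("."), mail_domain.lower()
    return host == mail_domain or host.endswith("." + mail_domain)


def audit_profile(profile_bytes: bytes, trusted_hosts: List[str] = ()) -> List[Dict]:
    """Return one finding per mail payload whose servers are neither under the
    address's own domain nor in trusted_hosts (your provider's known hosts),
    or which turn TLS off. An empty list means nothing was flagged."""
    plist = plistlib.loads(profile_bytes)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") != MAIL_PAYLOAD_TYPE:
            continue
        address = payload.get("EmailAddress", "")
        mail_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
        foreign = {}
        for key in SERVER_KEYS:
            host = payload.get(key, "")
            if host and host.lower() not in trusted and not (
                mail_domain and _same_org(host, mail_domain)
            ):
                foreign[key] = host
        # A proxy that also drops TLS on either leg is worth a finding on its own.
        no_tls = [k for k in TLS_KEYS if payload.get(k) is False]
        if foreign or no_tls:
            findings.append({"account": address, "foreign_servers": foreign,
                             "tls_disabled": no_tls})
    return findings


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE, trusted_hosts=["imap.example.com"]):
        print("mail for", f["account"], "routed via", f["foreign_servers"],
              "tls disabled:", f["tls_disabled"])
```

To use it on a real profile, read the `.mobileconfig` bytes and pass your provider's real IMAP/SMTP hostnames as `trusted_hosts`; a signed profile (CMS-wrapped) needs to be unwrapped first, which this example does not do. The point is the one Scott makes: the profile is where the redirect lives, and it is readable before you accept it.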
Amy and I just underwrote the renovation of Wellesley College’s new Human-Computer Interaction Lab. The picture above is a screen capture of the Wellesley College home page today (called their “Daily Shot” – they change the home page photo every day) with a photo from yesterday when Amy did the ribbon cutting on the HCI Lab.
Amy went to Wellesley (graduated in 1988) and she regularly describes it as a life changing experience. She’s on the Wellesley College Board of Trustees and is in Boston this week for a board meeting (which means I’m on dog walking duty every day.) I’m incredibly proud of her involvement with Wellesley and it’s easy to support the college, as I think it’s an amazing place.
The Wellesley HCI Lab also intersects with my deep commitment to getting more women engaged in computing. As many of you know, I’m chair of National Center for Women & Information Technology. When Amy asked if I was open to underwriting the renovation, the answer was an emphatic yes!
I’m at a DevOps conference today being put on by JumpCloud (I’m an investor) and SoftLayer. It’s unambiguous in my mind that the machines are rapidly taking over. As humans, we need to make it easy for anyone who is interested to get involved in human-computer interaction, as our future will be an integrated “human-computer” one. This is just another step in us supporting this, and I’m psyched to help out in the context of Wellesley.
Amy – and Wellesley – y’all are awesome.
I’ve been thinking a lot about human – computer love recently given my obsession with Battlestar Galactica. It evolved from “can Cylons have feelings?” to “can Cylons and humans love each other?” to “what changes when Cylons become mortal?”
So – when I saw the trailer for Her, I thought – yup – this is our future, and we’d better start getting our minds around it.
I look forward to Siri starting to sound like Samantha.
My partner Jason Mendelson sent me a five minute video from Wired that shows how a Tesla Model S is built. I watched from my condo in downtown Boulder as the sun was coming up and thought some of the images were as beautiful a dance as I’ve ever seen. The factory has 160 robots and 3000 humans and it’s just remarkable to watch the machines do their thing.
As I watched a few of the robots near the end, I thought about the level of software that is required for them to do what they do. And it blew my mind. And then I thought about the interplay between the humans and machines. The humans built and programmed the machines which work side by side with the humans building machines that transport humans.
Things are accelerating fast. The way we think about machines, humans, and the way they interact with each other is going to be radically different in 20 years.
I’ve been asserting for at least six years that the patent system is completely broken for the software industry. I’ve given numerous examples, dealt with the issue first hand as patent trolls have tried to extort many of the companies I’m an investor in, and I’ve had many public discussions about the topic.
On my run on Sunday, I listened to This American Life - When Patents Attack… Part Two! It is easily the best and most detailed expose I’ve ever heard on this issue. If you care to really understand how patent trolls work, spend an hour of your life and listen to it.
The issue has finally gone mainstream. Here’s a great quote on patent trolls from an article in Time Magazine (how much more mainstream can you get than that?)
“In 2011, Apple and Google spent more money on patent litigation and defensive patent acquisitions than on research and development. That’s not a good sign for the U.S. economy; in fact, it’s a stark indication that our intellectual-property system is broken. Rampant patent litigation is impeding innovation and ultimately increasing the costs of gadgets for consumers, according to legal experts and industry observers. Now President Obama says he wants to reform the system.”
There was an outcry of support last week when President Obama issued a set of executive orders and suggested legislative actions to fix the broken patent system. While the press release from the White House had a bland title, the substance was solid and the articles about it got to the point.
- Obama Plans to Take Action Against Patent-Holding Firms
- 3 Silly Abuses Obama’s Patent Troll Executive Order Could Stop
- Obama Orders Regulators to Root Out ‘Patent Trolls’
- President Obama to take aim at patent trolls with executive actions on Tuesday
As expected, plenty of people suggest all of this is misguided or overblown. I read John Sununu’s (former New Hampshire Senator) Boston Globe OpEd Who is a patent troll? Obama calls nation’s techies to arms, but enemy is difficult to define and grimaced as he mostly missed the point, while at the same time blaming it on the government and lawyers.
All of this is shining a bright light on a deeply rooted problem that has spiraled completely out of control and has become an enormous tax on innovation in the United States. While I don’t believe Obama’s executive orders go nearly far enough, they are a start in something that has been ignored by the White House and our government for far too long.