When LinkedIn posted LinkedIn Intro: Doing the Impossible on iOS I was intrigued. The post title was provocative (presumably as intended) and drew a lot of attention from various people in the security world. Several of these posts were deeply critical, which generated another post from LinkedIn titled The Facts about LinkedIn Intro. By this point I had sent emails to several of my friends who were experts in the email / SMTP / IMAP / security ecosystem and was already getting feedback that generally trended negative. And then I saw this post titled Phishing With Linkedin’s Intro - a clever phishing attack on Intro (since fixed by LinkedIn).
All of this highlights for me my general suspicion around the word “impossible” along with the complexity that is increasing as more and more services interconnect in non-standard ways.
One of the thoughtful notes I got was from Scott Petry – one of my good friends and co-founder of Authentic8 (we are investors). Scott co-founded Postini and a bunch of email stuff at Google after Google acquired Postini in 2007. Following are his thoughts on LinkedIn Intro.
I am all for seamless integration of services. And while “man in the middle” is commonly seen as a pejorative, the MITM approach can enable integrations that weren’t readily available previously.
Postini, which started life as a spam filtering service, became a huge email MITM enabling all sorts of email processing not available on the mail server itself. Seamless integration was a big part of our success – companies pointed their MX record to Postini, Postini filtered and passed the good stuff on to the company’s mail server. While controversial in 1999, DNS redirect-based services have become accepted across all ports and protocols. Companies such as Cloudflare, OpenDNS, Smartling, and more all offer in-line services that improve the web experience through a DNS-level MITM-type model. Simple to configure and high leverage. They just aren’t thought of as MITM services.
Extending functionality of services by authorizing plug-ins to gain access to your data can be really useful as well. I use Yesware in Gmail to help track messages and automate responses when I send company-related marketing/sales emails. It’s a great service, enabling functionality not previously available, and you could think of this as a man in the middle as well. It is important to point out that in the case of Yesware and DNS style integrations, I need to explicitly approve the integration. The details are made available up front.
New levels of integrated services are coming online daily. And vendors are getting more and more clever with APIs or skirting them altogether in order to get their app in front of us. It’s natural to be sucked in by the value of these services and it’s easy to overlook any downside. Especially given that for many of them, the people who are paid to think about security ramifications aren’t in the loop. They can be installed and configured by end users, not IT. And most users take the security for granted … or overlook it altogether.
Last week, on the LinkedIn engineering blog, details on the new LinkedIn Intro app were shared. Intro integrates dynamic LinkedIn profile information directly into the iOS email app. It didn’t get much attention when it was launched, but once the engineering team blogged about how they did the impossible to integrate with the iOS email client, the story blew up.
Details on their approach here (http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios).
LinkedIn Intro does a beautiful job of auto-discovering your environment and auto-configuring itself. A click or two by the user, and they’re up and running with active LinkedIn data in their email app.
All this clever engineering hides the fact that LinkedIn is accessing your email on your behalf. Intro uses an IMAP proxy server to fetch your mail where they modify it, then deliver it to your iPhone. Classic Man in the Middle.
If you remember setting up your mail service on your iPhone, it is a bit clunky. You need to know the host names of your service, the ports, encryption values, etc. It isn’t easy. But you don’t do any of this with Intro. Instead of going through the usual configuration screens on iOS, Intro uses Apple’s “configuration profiles” capability to auto-discover your accounts and insert their servers in the middle. And since it uses OAuth to log in, it doesn’t even need to ask for your credentials.
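The two paragraphs above describe the mechanism: a configuration profile that points the iOS mail client at a third-party IMAP proxy instead of the provider's own server. The script below is an added example (not code from the post, from Scott Petry, or from LinkedIn) showing the check a defender can run on a profile before installing it: parse the profile, find the managed mail payloads, and flag any account whose incoming or outgoing server is not under the mailbox provider's domain or has TLS switched off. It uses Apple's standard mail payload keys (`com.apple.mail.managed`, `IncomingMailServerHostName`, and so on); the sample profile, the hostnames, addresses, UUIDs and the `TRUSTED_HOSTS` map are constructed for the example.

```python
import plistlib

# Constructed map of mailbox domain -> hostname suffixes that are expected
# to serve that domain's mail. Anything else is treated as an inserted proxy.
TRUSTED_HOSTS = {
    "example.com": ("example.com",),
}

# Constructed sample profile with two managed mail payloads: one that keeps
# the provider's own servers and one that redirects IMAP to a third party.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.profile.mail",
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Mail setup (constructed sample)",
    "PayloadContent": [
        {   # account whose servers stay with the user's own provider
            "PayloadType": "com.apple.mail.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.profile.mail.direct",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "EmailAccountType": "EmailTypeIMAP",
            "EmailAddress": "alice@example.com",
            "IncomingMailServerHostName": "imap.example.com",
            "IncomingMailServerPortNumber": 993,
            "IncomingMailServerUseSSL": True,
            "OutgoingMailServerHostName": "smtp.example.com",
            "OutgoingMailServerPortNumber": 587,
            "OutgoingMailServerUseSSL": True,
        },
        {   # account whose IMAP traffic is routed through a third-party proxy
            "PayloadType": "com.apple.mail.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.profile.mail.proxied",
            "PayloadUUID": "00000000-0000-4000-8000-000000000003",
            "EmailAccountType": "EmailTypeIMAP",
            "EmailAddress": "alice@example.com",
            "IncomingMailServerHostName": "imap-proxy.third-party.invalid",
            "IncomingMailServerPortNumber": 143,
            "IncomingMailServerUseSSL": False,
            "OutgoingMailServerHostName": "smtp.example.com",
            "OutgoingMailServerPortNumber": 587,
            "OutgoingMailServerUseSSL": True,
        },
    ],
})


def host_is_expected(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_mail_profile(profile_bytes, trusted_hosts):
    """Return findings for every managed mail payload in the profile whose
    incoming/outgoing server lies outside the mailbox provider's domain or
    that disables TLS. Unknown mailbox domains get an empty allowlist, so
    every server for them is flagged (conservative by design)."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue
        email = payload.get("EmailAddress", "")
        domain = email.rpartition("@")[2].lower()
        expected = trusted_hosts.get(domain, ())
        for side in ("Incoming", "Outgoing"):
            host = payload.get(f"{side}MailServerHostName", "").lower()
            if not host:
                continue
            if not host_is_expected(host, expected):
                findings.append({"account": email, "server": side, "host": host,
                                 "issue": "server outside provider's domain"})
            if not payload.get(f"{side}MailServerUseSSL", False):
                findings.append({"account": email, "server": side, "host": host,
                                 "issue": "TLS disabled"})
    return findings


if __name__ == "__main__":
    for f in audit_mail_profile(SAMPLE_PROFILE, TRUSTED_HOSTS):
        print(f"{f['account']}: {f['server']} server {f['host']} - {f['issue']}")
```

Run against a real `.mobileconfig` by replacing `SAMPLE_PROFILE` with the file's bytes (`plistlib.loads` accepts both XML and binary plists) and filling `TRUSTED_HOSTS` with your own provider's hostnames. The point of the check is the one the text makes: the redirect is invisible in the mail app's UI, but it is plainly visible in the profile that installs it.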
They do such a good job of hiding what they’re doing that the significance of the data issues was lost on everyone (except the security researchers who raised the brouhaha).
This weekend, LinkedIn made another blog post. In their words, they wanted to “address inaccurate assertions that have been made” and “clear up these inaccuracies and misperceptions”. The post, here (http://blog.linkedin.com/2013/10/26/the-facts-about-linkedin-intro/), followed the PR playbook to the letter.
With one small exception concerning a profile change, the post does nothing to clear up inaccuracies and misperceptions. Instead, their post lists their reassurances about how secure the service is.
Even with these assurances, the facts remain. LinkedIn Intro pipes your email through their servers. All of it. LinkedIn Intro inserts their active web content into your email data. At their discretion.
With its clever engineering, Intro became a violation of trust. And worse, potentially a massive security hole. If the research community hadn’t raised the alarm, the details of Intro’s integration wouldn’t have hit the radar.
I think the lesson here is two-fold:
1) We live in a world where our data is scattered across a variety of disparate systems. It is incumbent on us to understand the risks and weigh them against the reward of the shiny new app promising to make our lives better. If something appears to be too good to be true, it probably is.
2) Vendors need to be more transparent about what they’re doing with our data. Especially if the vendor has a spotty reputation in privacy and security realms. If they’re not, the Internet community will do it for you.
Two of the themes we love to invest in are Protocol and Glue. We’ve especially been interested in companies that make software developers and DevOps lives better. Some examples include SendGrid, Urban Airship, VictorOps, Pantheon, MongoLab, and Cloudability.
To that end, Raj Bhargava and I created a company called JumpCloud late last year (our eighth venture together). After being involved in hundreds of technology companies, we know that young and fast growing technology companies have little time to devote to the details of managing their server infrastructure. Often, there is a perception that things are fine, until they aren’t. And then much pain ensues.
My partners and I often worry about companies we’ve invested in having enough bandwidth and resources to adequately cover issues of reliability, availability, and security. We know firsthand what that entails, especially as companies hit high-growth inflection points.
Enter JumpCloud. JumpCloud helps DevOps and IT attain high levels of reliability, prevent unplanned downtime, and manage their environments like the big guys, without slowing them down. Watch David Campbell, one of JumpCloud’s other co-founders, explain JumpCloud at TechCrunch Disrupt.
JumpCloud is an agent-based SaaS tool designed for both cloud and physical Linux servers which provides full user management across all your users, all your servers, and all your clouds. JumpCloud also monitors your servers, identifies missing security patches, watches for attacks in progress, and identifies anomalous resource usage. JumpCloud is completely complementary to your Chef / Puppet / Opsworks configuration / automation tools. Think of JumpCloud as taking over server maintenance, management, monitoring, and security once the provisioning tools have done their thing.
JumpCloud closes the gap between what you can do and what you know you should be doing with regard to user management and security of your cloud infrastructure. That means fewer late-night calls, an easier to manage environment, and more reliability for your customers.
Also, if you are a DevOps person or senior technical person in your organization, Raj, Paul Ford from SoftLayer, and I are hosting a private DevOps Conference in Boulder on October 24th. While the event is for Foundry Group, Techstars, and Bullet Time Ventures portfolio companies, we have a few open slots in case a few folks would like to join us. Just reach out to me via email and I’ll get you connected.
StillSecure has been nailing it in the service provider segment with deals with XO, ViaWest, CoreSite, and others recently. StillSecure fundamentally believes that service providers – telcos, datacenter, cloud providers – will be the channel to market for security solutions and I agree. They have built an amazing set of solutions for colocation and dedicated server environments and have solutions that can apply to some higher-end cloud users. Today they are announcing a new host-based firewall management solution in conjunction with SoftLayer – a leader in the cloud market. Aimed at all cloud users, StillSecure’s new solution is the start of a major initiative for the company and is also a new category of solutions.
As most cloud users know, securing their systems is incredibly hard. The solutions are either just “cloud-washed” products that aren’t a fit or they are so expensive that they cannot fit within the elastic cloud model. StillSecure has taken nearly 12 years of history and experience and has built a product from the ground up with the cloud users’ customer experience and profile in mind.
The solution, called Cloud SMS, is free today and will expand into premium offerings very quickly. StillSecure and Cloud SMS are in the SoftLayer Tech Partner Marketplace, being promoted to SoftLayer’s 23,000 customers. The two companies are also beginning to explore offering the complete spectrum of StillSecure’s managed security services into SoftLayer’s broader offerings.
I’m excited for the StillSecure and SoftLayer teams – building a secure cloud is an incredibly important goal and one that many companies can take advantage of. Do yourself a favor – if you have any cloud instances out there, go download StillSecure’s cloud security product and please secure them.
My long time friend Alan Shimel has been blogging up a storm on Network World (if you want to hear any amusing story, ask him about the first time he met me.) When Alan started writing his column for Network World he asked me for introductions to a bunch of our portfolio companies that were using open source. Alan is a tough critic and calls it like he sees it so while I knew there was no guarantee that he’d go easy on the companies, I knew that Alan would do an even handed job of highlighting their strengths and weaknesses. I also know that everyone I invest in values any kind of feedback – both good and bad – and they work especially hard to delight their customers so any kind of feedback will make them better.
Earlier today, Alan wrote an article on Standing Cloud titled Seeding the Cloud with Open Source, Standing Cloud Makes It Easy. On Monday, Standing Cloud released the first version of their product (called the Trial Edition), which is a free version that lets you install and work with around 30 open source products on five different cloud service providers. It’s the first step in a series of releases over the next two quarters that Standing Cloud has planned as they work to create an environment where it is trivial to deploy and manage open source applications in the cloud. Alan played around with Standing Cloud’s Trial Edition, totally understood what they are doing, and explained why the Trial Edition is interesting and where Standing Cloud is heading when they release their Community Edition at the end of April.
Alan’s also written several other articles about companies in our portfolio recently, including the open source work Gist has been doing with Twitter and a great review of the Pogoplug and how it uses open source.
I believe I’m one of the people that inspired Alan to start blogging a number of years ago. Through his personal blog Ashimmy, the blog he writes for Network World titled Open Source Face and Fiction, and the blogging he does on security.exe (his company CISO Group’s blog), Alan is one of my must read technology bloggers. And he’s often funny as hell, especially when he gets riled up. Keep it up Alan!
On Monday, StillSecure announced that it has acquired ProtectPoint. ProtectPoint is a managed security service provider (MSSP) and immediately adds a portfolio of managed security products to StillSecure’s award-winning product arsenal. Alan Shimel, the Chief Strategy Officer of StillSecure, does an excellent job of explaining the reasons for the acquisition in his post titled StillSecure acquires ProtectPoint, entering the MSSP market – Why?
This is the second time in less than a month that a company I’m on the board of has made an acquisition. At the end of January, in my post titled Rally Software is a Buyer I wrote:
“[With regard to an acquisition strategy] I’m seeing this pattern with a number of the established companies I’m an investor in. Having gone through this cycle several times and had success and failure with acquisition driven strategies, I’ve got a clear view on when and how it can work successfully. I’m not interested in garbage truck mergers (two crappy companies that get jammed together to hope something good comes out of it) – all of my energy is focused on having a market leader pick up a complementary technology or market “asset” that helps accelerate the product or market roadmap.”
As with Rally’s acquisition of 6th Sense Analytics, StillSecure has been working on building out a set of managed security offerings around their product set. The demand for managed security services (or security as a service, or whatever you want to call it) has been steadily increasing and StillSecure decided to explore a buy vs. build approach to accelerate their entry into the market. StillSecure went searching for a company to acquire and found a great fit (functionally and culturally) with ProtectPoint and now has a fully built out and well regarded MSSP offering as part of its product mix.
Having spent some time with Steve Harris, the CEO of ProtectPoint, I’m really excited about what he and his team bring to StillSecure. I also have another person to hang out with besides Alan when I head to Florida for a break from winter. Steve and team – welcome aboard!