When LinkedIn posted LinkedIn Intro: Doing the Impossible on iOS I was intrigued. The post title was provocative (presumably as intended) and drew a lot of attention from various people in the security world. Several of these posts were deeply critical, which generated another post from LinkedIn titled The Facts about LinkedIn Intro. By this point I had sent emails to several of my friends who were experts in the email / SMTP / IMAP / security ecosystem and was already getting feedback that generally trended negative. And then I saw this post titled Phishing With Linkedin’s Intro - a clever phishing attack on Intro (since fixed by LinkedIn).
All of this highlights for me my general suspicion around the word “impossible” along with the complexity that is increasing as more and more services interconnect in non-standard ways.
One of the thoughtful notes I got was from Scott Petry – one of my good friends and co-founder of Authentic8 (we are investors). Scott co-founded Postini and a bunch of email stuff at Google after Google acquired Postini in 2007. Following are his thoughts on LinkedIn Intro.
I am all for seamless integration of services. And while “man in the middle” is commonly seen as a pejorative, the MITM approach can enable integrations that weren’t readily available previously.
Postini, which started life as a spam filtering service, became a huge email MITM enabling all sorts of email processing not available on the mail server itself. Seamless integration was a big part of our success – companies pointed their MX record to Postini, Postini filtered and passed the good stuff on to the company’s mail server. While controversial in 1999, DNS redirect-based services have become accepted across all ports and protocols. Companies such as Cloudflare, OpenDNS, Smartling, and more all offer in-line services that improve the web experience through a DNS-level MITM-type model. Simple to configure and high leverage. They just aren’t thought of as MITM services.
Extending functionality of services by authorizing plug-ins to gain access to your data can be really useful as well. I use Yesware in Gmail to help track messages and automate responses when I send company-related marketing/sales emails. It’s a great service, enabling functionality not previously available, and you could think of this as a man in the middle as well. It is important to point out that in the case of Yesware and DNS style integrations, I need to explicitly approve the integration. The details are made available up front.
New levels of integrated services are coming online daily. And vendors are getting more and more clever with APIs or skirting them altogether in order to get their app in front of us. It’s natural to be sucked in by the value of these services and it’s easy to overlook any downside. Especially given that for many of them, the people who are paid to think about security ramifications aren’t in the loop. They can be installed and configured by end users, not IT. And most users take the security for granted … or overlook it all together.
Last week, on the LinkedIn engineering blog, details on the new LinkedIn Intro app were shared. Intro integrates dynamic LinkedIn profile information directly into the iOS email app. It didn’t get much attention when it was launched, but once the engineering team blogged about how they did the impossible to integrate with the iOS email client, the story blew up.
Details on their approach here (http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios).
LinkedIn Intro does a beautiful job of auto-discovering your environment and auto-configuring itself. A click or two by the user, and they’re up and running with active LinkedIn data in their email app.
All this clever engineering hides the fact that LinkedIn is accessing your email on your behalf. Intro uses an IMAP proxy server to fetch your mail where they modify it, then deliver it to your iPhone. Classic Man in the Middle.
If you remember setting up your mail service on your iPhone, it is a bit clunky. You need to know the host names of your service, the ports, encryption values, etc. It isn’t easy. But you don’t do any of this with Intro. Instead of going through the usual configuration screens on iOS, Intro uses Apple’s “configuration profiles” capability to auto-discover your accounts and insert their servers in the middle. And since it uses OAuth to log in, it doesn’t even need to ask for your credentials.
They do such a good job of hiding what they’re doing that the significance of the data issues was lost on everyone (except the security researchers who raised the brouhaha).
This weekend, LinkedIn made another blog post. In their words, they wanted to “address inaccurate assertions that have been made” and “clear up these inaccuracies and misperceptions”. The post, here (http://blog.linkedin.com/2013/10/26/the-facts-about-linkedin-intro/) followed the PR playbook to the letter.
With one small exception concerning a profile change, the post does nothing to clear up inaccuracies and misperceptions. Instead, their post lists their reassurances about how secure the service is.
Even with these assurances, the facts remain. LinkedIn Intro pipes your email through their servers. All of it. LinkedIn Intro inserts their active web content into your email data. At their discretion.
With its clever engineering, Intro became a violation of trust. And worse, potentially a massive security hole. If the research community didn’t raise the alarm, the details of Intro’s integration wouldn’t have hit the radar.
I think the lesson here is two-fold:
1) We live in a world where our data is scattered across a variety of disparate systems. It is incumbent on us to understand the risks and weigh them against the reward of the shiny new app promising to make our lives better. If something appears to be too good to be true, it probably is.
2) Vendors need to be more transparent about what they’re doing with our data. Especially if the vendor has a spotty reputation in privacy and security realms. If they’re not, the Internet community will do it for you.
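As an added example (not from this post, and not LinkedIn's or Intro's code), here is the kind of check a mail administrator could run on an installed iOS configuration profile to surface mail payloads whose servers sit outside the mailbox's own domain, the pattern Scott describes above. The sample profile and the proxy host names are constructed, and the com.apple.mail.managed payload keys are assumed to follow Apple's Configuration Profile Reference.

```python
"""Inspect an iOS configuration profile (.mobileconfig) for mail accounts
whose IMAP/SMTP servers are not in the mailbox's own domain.
Assumption: payload keys follow Apple's Configuration Profile Reference."""
import plistlib

# Constructed sample profile: one mail account whose incoming and outgoing
# servers point at a hypothetical proxy instead of the mailbox's domain.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Mail Profile",
    "PayloadContent": [{
        "PayloadType": "com.apple.mail.managed",
        "PayloadDisplayName": "Work Mail",
        "EmailAddress": "alice@example.com",
        "IncomingMailServerHostName": "imap-proxy.example.net",
        "IncomingMailServerUseSSL": True,
        "OutgoingMailServerHostName": "smtp-proxy.example.net",
    }],
})


def mail_payloads(profile_bytes):
    """Return the mail payloads (PayloadType com.apple.mail.managed)."""
    plist = plistlib.loads(profile_bytes)
    return [p for p in plist.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.mail.managed"]


def same_org(host, mail_domain):
    """True when host is the mail domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == mail_domain or host.endswith("." + mail_domain)


def third_party_servers(profile_bytes):
    """Flag (account, role, host) triples whose server lies outside the
    mailbox's domain.  A mismatch is a prompt to ask who operates that host,
    not proof of a proxy: hosted mail is often legitimately served elsewhere."""
    findings = []
    for p in mail_payloads(profile_bytes):
        address = p.get("EmailAddress", "")
        domain = address.rpartition("@")[2].lower()
        for key, role in (("IncomingMailServerHostName", "incoming"),
                          ("OutgoingMailServerHostName", "outgoing")):
            host = p.get(key)
            if host and domain and not same_org(host, domain):
                findings.append((address, role, host))
    return findings
```

On a real device, export the profile from an MDM or from Settings and pass its bytes to `third_party_servers` instead of `SAMPLE_PROFILE`.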
My long-time friend Terry Kawaja (history question – which Colorado-based company was Terry once CFO of?) from Luma Partners sent me his latest parody video titled Use Bitcoin. I knew it was a parody of something, but I didn’t remember “Wear Sunscreen” (which I saw when it first came out in the late 1990s) until I read the liner notes on Terry’s YouTube post.
Both are awesome. But to really grok how awesome Use Bitcoin is, you have to watch Wear Sunscreen first. It follows.
Now – Use Bitcoin.
Count me inspired. And amused.
If you want something serious from Terry, his 20 minute State in the State of Digital Media 2013 is definitely worth watching.
I got an interesting email from a friend who has historically been a huge Apple fanboy. I asked him if I could repost it verbatim and he said yes. It follows – I’m curious what your response is to this.
While I’m still very involved with the art world here in Colorado and still working on conservation issues, we’ve actually just returned from almost a year away, the last 6 months in India. I realize that a lot of what I see is colored with the lens of India, but maybe that’s helping to make things more clear.
Anyway, in preparation for re-entry after India (we were in rural, southeast India, without much electricity, so I figured home might be a shock), I started to try and catch up on things. Your blog was one of my tools for this. I read the post on creating the best product, agreed, and moved on. One of the first things I planned on doing once home was to buy a shiny new MacBook to replace my 4 year old white MacBook. Maybe going to the mall, rather than just buying it online, was my first mistake, but the cult of Apple and the temple that is that store made me gag the second I walked in there. And while my MacBook may be old, my use of Apple products is right where they want it to be… had the iPhone 5 the 2nd day it was out, MacGyvered the Airtel SIM cards to work as nano-SIM cards in India, have a small film production crew all working on the latest MacBook Pros and iMacs, iPads and iPods at home… on and on. But in the store, what I noticed was a culture of elitism and insincerity. I had a 4 year old laptop with me, and was treated like a Luddite because I didn’t look up to speed. Insulted, I kept the $4,500 in my pocket, thinking I’d keep the laptop running, which I did. Small thing I know, but my thought was “if Apple doesn’t care about me, who do they care about?” Today an even smaller issue illuminated this even more. I went in again, this time to replace the defective “top case/keyboard” from these old white plastic Macs, and was told that the machine was now “vintage” (that’s the official Apple label), and that they couldn’t replace the “defective part” (also their official language) as they had done in the past, because it is more than 4 years old. I thought that maybe I should just get a new machine and quit bellyaching, but I pushed a little just to see what Apple thought about a customer like me… and called Apple to ask if there was anything more they could do. After a lot of insincere apologies, I asked if there was really nothing they could do.
The support supervisor insisted that there was no more senior person to address this issue but that I might try Craigslist. I was pretty surprised that Apple’s official support process ended with telling the customer to check out Craigslist for an old Mac to scrap for parts. I’m such a pushover that if he’d offered me $100 credit towards a new MacBook, I’d have smiled and bought another Apple product.
As I write this, it sounds too much like a rant. But I couldn’t help writing, first to say hello after a long while (I did hear about the 3D printed tooth in Croatia… amazing!) and second to just try and make sense of what Apple could possibly be thinking… the “cool factor” is clearly waning, their products are overpriced, and now they’re indifferent, even hostile, to customers who regularly spend tens of thousands of dollars on their products. Can they really be thinking that the best product is the one that you replace really quickly with something “cooler” and more expensive? I think this time, I might really go get the Chromebook. I can’t be alone, and that can’t be good for them.
Marc Andreessen recently wrote a long article in the WSJ in which he asserted that “Software Is Eating The World.” I enjoyed reading it, but I don’t think it goes far enough.
I believe the machines have already taken over and resistance is futile. Regardless of your view of the idea of the singularity, we are now in a new phase of what has been referred to in different ways, but most commonly as the “information revolution.” I’ve never liked that phrase, but I presume it’s widely used because of the parallels to the shift from an agriculture-based society to the industrial-based society commonly called the “industrial revolution.”
At the Defrag Conference I gave a keynote on this topic. For those of you who were there, please feel free to weigh in on whether the keynote was great, sucked, if you agreed, disagreed, were confused, mystified, offended, amused, or anything else that humans are capable of having as stimuli-response reactions.
I believe the phase we are currently in began in the early 1990s with the invention of the World Wide Web and the subsequent emergence of the commercial Internet. Those of us who were involved in creating and funding technology companies in the mid-to-late 1990s had incredibly high hopes for where computers, the Web, and the Internet would lead. By 2002, we were wallowing around in the rubble of the dotcom bust, salvaging what we could while putting energy into new ideas and businesses that emerged with a vengeance around 2005 and the idea of Web 2.0.
What we didn’t realize (or at least I didn’t realize) was that virtually all of the ideas from the late 1990s about what would happen to the traditional industries the Internet would disrupt would actually happen, just a decade later. If you read Marc’s article carefully, you see the seeds of the current destruction of many traditional businesses in the pre-dotcom bubble efforts. It just took a while, and one more cycle for the traditional companies to relax and say “hah – once again we survived ‘technology’”, for them to be decimated.
Now, look forward twenty years. I believe that the notion of a biologically-enhanced computer, or a computer-enhanced human, will be commonplace. Today, it’s still an uncomfortable idea that lives mostly in university and government research labs and science fiction books and movies. But just let your brain take the leap that your iPhone is essentially making you a computer-enhanced human. Or even just a web browser and a Google search on your iPad. Sure – it’s not directly connected into your gray matter, but that’s just an issue of some work on the science side.
Extrapolating from how it’s working today and overlaying it with the innovation curve that we are on is mindblowing, if you let it be.
I expect this will be my intellectual obsession in 2012. I’m giving my Resistance is Futile talk at Fidelity in January to a bunch of execs. At some point I’ll record it and put it up on the web (assuming SOPA / PIPA doesn’t pass) but I’m happy to consider giving it to any group that is interested if it’s convenient for me – just email me.