Huh. Interesting. The problem is that I just don’t trust LinkedIn.
They’ve pulled shady stuff in the past, & I have no doubt that
they’d try to do it again.
And this is a big problem, regardless:
"Intro works by pushing a security profile to your device," said the
firm's blog. "But, these security profiles can do much, much more than
just redirect your emails to different servers. A profile can be used to
wipe your phone, install applications, delete applications, restrict
functionality, and a whole heap of other things."
[http://www.bishopfox.com/blog/2013/10/linkedin-intro/]
The question is, do you trust LinkedIn? And are the (minimal) benefits
worth the risks?
Scott
--
R. Scott Granneman
sc...@granneman.com ~ www.granneman.com ~ granneman.tel
Full list of publications @ http://www.granneman.com/publications
My latest book: Mac OS X for Power Users @
http://www.granneman.com/books
“Where a computer like the ENIAC is equipped with 18,000 vacuum tubes
and weighs 30 tons, computers in the future may have only 1,000 vacuum
tubes and weigh only 1 1/2 tons.”
---Popular Mechanics, March 1949
On 3 Nov 2013, at 14:46, Don Ellis wrote:
They indicate that only email sent via the custom email address
created for
Intro goes through LinkedIn.
From their response page:
Update, 10/24/13
*We wanted to provide additional information about how LinkedIn Intro
works, so that we can address some of the questions that have been
raised.
There are some points that we want to reinforce in order to make sure
members understand how this product works:*
1. *You have to opt-in and install Intro before you see LinkedIn
profiles in any email.*
2. *Usernames, passwords, OAuth tokens, and email contents are not
permanently stored anywhere inside LinkedIn data centers. Instead,
these
are stored on your iPhone.*
3. *Once you install Intro, a new Mail account is created on your
iPhone. Only the email in this new Intro Mail account goes via
LinkedIn;
other Mail accounts are not affected in any way.*
4. *All communication from the Mail app to the LinkedIn Intro servers
is
fully encrypted. Likewise, all communication from the LinkedIn Intro
servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully
encrypted.*
5. *Your emails are only accessed when the Mail app is retrieving
emails
from your email provider. LinkedIn servers automatically look up the
"From"
email address, so that Intro can then be inserted into the email.*
6.
On Sun, Nov 3, 2013 at 2:33 PM, Scott Granneman <sc...@granneman.com>
wrote:
Nope. From The Verge:
"Essentially, when signing up for the service you authorize LinkedIn
to
scan your emails. When its server detects a person with a LinkedIn
profile,
it adds in data to your email and sends it to you. It's a neat trick,
but
it also means that a third party is scanning all your emails."
http://www.theverge.com/2013/10/25/5027334/linkedin-intro-
security-concerns-bishop-fox-mandiant
Scott
--
R. Scott Granneman
sc...@granneman.com ~ www.granneman.com ~ granneman.tel
Full list of publications @ http://www.granneman.com/publications
My latest book: Mac OS X for Power Users @
http://www.granneman.com/books
“Collect too many things together, and you re-produce the
conditions of
chaos you tried so hard to avoid. When the act of collecting comes to
take
precedence over the microcosm of the collection, when the
differentiation
of things begins to break down: collectors cease being collectors and
become hoarders. The hoard exemplifies chaos: the very thing the
collector
builds their catalogues in opposition to.”
---Daniel Rourke, ‘Kipple and Things: How to Hoard and Why Not
To
Mean’
On 3 Nov 2013, at 14:15, Don Ellis wrote:
As I read it, Intro gives you a custom email address, and only email
to/from that address goes through their proxy, and everything is
encrypted.
And, they've removed all SSLv2. They're trying to respond to BF, as
if
they're using BF to help beta test their product.
Yes, further examination of their structure is warranted. As I don't
have
an iPhone [yet], and I don't see any need for LinkedIn profiling on
my
email, I won't be pen testing it any time soon.
--Don
On Sun, Nov 3, 2013 at 10:30 AM, Scott Granneman
<sc...@granneman.com
wrote:
No, it’s still as bad.
Do you really want ALL of your email flowing through LinkedIn’s
servers?
No f'in way.
Scott
--
R. Scott Granneman
sc...@granneman.com ~ www.granneman.com ~ granneman.tel
Full list of publications @ http://www.granneman.com/publications
My latest book: Mac OS X for Power Users @
http://www.granneman.com/books
“Expectations are these things we invent to keep ourselves
perpetually
upset.”
---Anonymous
Don Ellis wrote:
LinkedIn published further information
http://engineering.linkedin.com/mobile/linkedin-intro-
doing-impossible-ios
that points to a followup from BF:
http://www.bishopfox.com/blog/2013/11/introspection-intro-security/
Maybe not as bad as first rumored...
--Don
On Tue, Oct 29, 2013 at 1:19 PM, Mike B. <mikeb2g...@gmail.com
<mailto:mikeb2g...@gmail.com>> wrote:
http://www.bishopfox.com/blog/2013/10/linkedin-intro/
--
--
Central West End Linux Users Group (via Google Groups)
Main page: http://www.cwelug.org
To post: cwelug@googlegroups.com
To subscribe: cwelug-subscr...@googlegroups.com
To unsubscribe: cwelug-unsubscr...@googlegroups.com
More options: http://groups.google.com/group/cwelug
---
You received this message because you are subscribed to the Google
Groups
"Central West End Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an
email to cwelug+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
--
Central West End Linux Users Group (via Google Groups)
Main page: http://www.cwelug.org
To post: cwelug@googlegroups.com
To subscribe: cwelug-subscr...@googlegroups.com
To unsubscribe: cwelug-unsubscr...@googlegroups.com
More options: http://groups.google.com/group/cwelug
--- You received this message because you are subscribed to the
Google
Groups "Central West End Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an
email to cwelug+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
--
Central West End Linux Users Group (via Google Groups)
Main page: http://www.cwelug.org
To post: cwelug@googlegroups.com
To subscribe: cwelug-subscr...@googlegroups.com
To unsubscribe: cwelug-unsubscr...@googlegroups.com
More options: http://groups.google.com/group/cwelug
---
You received this message because you are subscribed to the Google
Groups "Central West End Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cwelug+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
--
Central West End Linux Users Group (via Google Groups)
Main page: http://www.cwelug.org
To post: cwelug@googlegroups.com
To subscribe: cwelug-subscr...@googlegroups.com
To unsubscribe: cwelug-unsubscr...@googlegroups.com
More options: http://groups.google.com/group/cwelug
---
You received this message because you are subscribed to the Google Groups "Central West End Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cwelug+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.