by tptacek 4614 days ago
Cory Scott was a director at Matasano, ran our west coast office, and is as trustworthy an appsec person as I know.

Cory also postdates LinkedIn's security drama; he was brought in after the credential leak, which was a good call on LinkedIn's part and sort of a brave move on Cory's part.

(And, full disclosure: iSEC is one of Matasano's sister companies; take this for whatever it's worth, but their reputation is excellent.)

I would tend to believe anything he says about this or any other LinkedIn system he's worked on.

That said, I would still under no circumstances give LinkedIn access to my mail spool, or any other third party.

I'm also a little queasy about the idea of "norming" these kinds of systems. Look at how much work LinkedIn put into securing Intro, and ask whether any startup will have the means to do the same. I doubt it.


Your last point nails it. I can't help but think there are a good number of people now angling to build similar hacks in a much less rigorous fashion and then build entire companies around this hack. The next year is already, from my vantage point, lining up to be a year full of "give us OAuth access to your GMail account" products. This adds another vector for this type of product. In any case, users are not going to care about security and just tap "OK", so it's kind of scary that this train is really moving now. Imagine if Facebook (or the Next Facebook) required e-mail access and this was normalized.

I think it may have been a bit short-sighted for LinkedIn to post a developer-focused, "hey look at what we did" kind of post around Intro, regardless of how properly they implemented it behind the scenes.

If Steve Sinofsky is to be believed, this is the natural order of things:

http://blog.learningbyshipping.com/2013/10/25/on-the-exploit...

> Cory also postdates LinkedIn's security drama; he was brought in after the credential leak

Thanks, that was the thing I was most curious about: has LinkedIn really started taking security seriously and does it have any idea what it's doing? Because for those of us not following the ins and outs closely, going from "we don't salt our passwords" to "we want all of your email to pass through us" didn't just sound ill-advised; it sounded crazy.

I have no professional relationship with LinkedIn and all signs I can see point to them taking security as seriously as any other Large West Coast Tech Company --- which, if you're wondering, is actually a pretty high bar compared to the Fortune 1000.
I'm not going to use Intro, but I have to ask, how is giving LinkedIn access to my email account any worse than giving access to Google, Yahoo, or Microsoft--by virtue of using their webmail?
A secret is kept secret by sharing it only with someone you trust, and with the smallest number of people possible. Ultimately, you have to share your credentials with your email provider, because they have to authenticate you in order to gain access to the information stored on their systems. Each additional party you share your credentials with increases your attack surface.

Given the number of security disclosures -- oops, someone got our database full of passwords, but don't worry, they're MD5 hashed -- that have occurred over the last couple of years, I'd be extremely cautious of that practice.

Maybe so, but Cory's post says (minus the bullshit):

All the claims are totally correct, but we tried super duper hard (though we sure as hell aren't going to put our money on the line if we're wrong) to make this secure. And if we don't keep this up, or if we do get hacked? Ain't our problem.

I don't see any bullshit in that post at all. What bullshit do you see? Maybe I can spot terms of art that you missed.

I also don't see him saying "ain't our problem" anywhere.

It's a response that doesn't address most of the criticisms and attempts to deflect them into an argument about how supposedly secure their systems are instead of addressing the concerns about the system, period.

And not only the post but the linked privacy policy consists entirely of weasel language, e.g.:

   Do you store my email or my password?
   LinkedIn servers will temporarily cache information in order to provide you 
   with the fastest service possible. Here are the full details:
   
   During installation, the servers temporarily cache your password in order to 
   add a new Mail account to your device. Your password is only cached for the 
   length of time it takes to install Intro, and never for more than 2 hours. 
   Typically, your password is cached for no more than 1 minute.
   During usage, the servers may temporarily cache your emails in order to make 
   emails download faster. When your device starts to download a mail folder, 
   such as your inbox, the servers will pre-emptively download and cache recent 
   messages in that folder. A few seconds later, when your device downloads the 
   individual messages, the servers will provide the cached messages. Your 
   messages are only cached until your device downloads them, and never for 
   more than 1 hour. Typically, your messages are cached for no more than a few 
   minutes.
   All cached information is held securely to industry standards. Each piece of 
   data is encrypted with a key that is unique to you and your device, and the 
   servers themselves are secured and monitored 24/7 to prevent any 
   unauthorized access.

where someone not an asshole would answer

"yes"

> What bullshit do you see?

The biggest issue is the title: "The Facts about...".

It's apparent from the language that the only "facts" discussed are couched in non-falsifiable language, are in the past tense, and are self-referential.

___________

We made sure we built

We isolated

We performed

and we worked...to make sure

We made sure

we make sure we never persist

We worked to help ensure

____________

Although it's not clear the author would have picked the language for the title himself (it was likely PR's).