LinkedIn's New Mobile App Called 'a Dream For Attackers'

timothy posted about 6 months ago | from the throw-off-your-chains dept.

Security 122

An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."

122 comments

Who cares. (5, Funny)

kurt555gs (309278) | about 6 months ago | (#45241499)

I have had a Linkedin account forever. I never even go there any more. I've never met any women on Linkedin, so I find it totally useless.

Re:Who cares. (2, Insightful)

Anonymous Coward | about 6 months ago | (#45241553)

Not even occasional sex with your manager?

Re:Who cares. (1)

Anonymous Coward | about 6 months ago | (#45241599)

I don't use it. I keep it just in case I need to find another job. That is pretty much all.

Re:Who cares. (0)

Anonymous Coward | about 6 months ago | (#45241837)

Exactly. Nobody I know ever uses it for anything *but* that.

Especially in certain parts of the IT industry. Keeping track of the ridiculous number of people you work with is impossible. Having a nice list - even if it spams your inbox with recruitment crap while you're not actively seeking employment opportunities - is a damned handy thing to have if you find yourself in a position to actually need to look for a job.

Re:Who cares. (5, Interesting)

Wycliffe (116160) | about 6 months ago | (#45242101)

Exactly. Nobody I know ever uses it for anything *but* that.

Especially in certain parts of the IT industry. Keeping track of the ridiculous number of people you work with is impossible. Having a nice list - even if it spams your inbox with recruitment crap while you're not actively seeking employment opportunities - is a damned handy thing to have if you find yourself in a position to actually need to look for a job.

I'm not for sure why any employer or anyone else trusts or cares about linkedin especially in the IT field. Most of the people on my linkedin profile who have vouched for my computer knowledge know nothing about computers. They've said I'm an expert at java, php, and any other language that linkedin suggests even if I know absolutely nothing about said language. To them it's all the same and it makes my linkedin profile utterly useless as I'm ranked higher in languages I don't know than I am in languages I actually do.

Re:Who cares. (0)

Anonymous Coward | about 6 months ago | (#45242335)

I use it to verify the resume I get looks close to what they publicly post on Linked In. If the two are not close to each other, I either question them about directly or indirectly at the interview or do not even bother calling them in for one.

I've seen some people put in a resume they were at their current position since 2010 and Linked in shows since 2013. Or totally different time frames that do not match.

Re:Who cares. (1)

dav1dc (2662425) | about 6 months ago | (#45242599)

You're right - they have "commodified" the reference, turning it into a "like" and a "+1" with seriously debased value.

Too bad the emphasis in social networks has been placed on creating quantity of content, and not content with quality and substance...

Re:Who cares. (0)

dbIII (701233) | about 6 months ago | (#45243401)

I'm not for sure why any employer or anyone else trusts or cares about linkedin especially in the IT field. Most of the people on my linkedin profile who have vouched for my computer knowledge

About the only time I've looked at that site it was to look at the profile of the utter loser that lost the White House emails. That person (Bank VP on graduation and similar sinecures all the way) now works at a data recovery company! I suppose that sends the message that if you've been told the data needs to be recovered but you really want it lost then we've got just the person for you, nudge nudge, wink wink, say no more.

Re:Who cares. (1)

lgw (121541) | about 6 months ago | (#45243481)

The references and social media aspects are pretty useless. It's just a place to put your resume online, like that other site, starts with a "D", hmm, something.

Legitimate recruiters (plus the other kind) search it for candidates worth contacting. That's what it's for: to help make that first contact. Just like a resume, once you're talking to a human it's done its job and you're past it.

Re:Who cares. (1)

MysteriousPreacher (702266) | about 6 months ago | (#45244069)

Yeah, the "click to endorse" endorsements are LinkedIn's equivalent to a Facebook "like"; largely pointless. I get plenty of endorsements from people who know me from previous jobs, or work with me now but really don't know much about my proficiency in the skills for which they endorsed me. I'm a little more conservative in my endorsements. i.e. if I knew you as a trainer then I'm not going to endorse your project management skills if I have no first hand experience of your project management abilities.

Written endorsements are more valuable, and it's interesting to note the networks they have. i.e. I'm going to take a profile as an IBM sales engineer more seriously if I can see they have connections that'd suggest they are well connected in this field. A network consisting of every Tom, Dick and Harry is going to confuse matters.

I've not done recruiting in some time now, so I'd be very interested in knowing if recruiters consider the points I made?

Re:Who cares. (0)

Anonymous Coward | about 6 months ago | (#45241739)

I have had a Linkedin account forever. I never even go there any more. I've never met any women on Linkedin, so I find it totally useless.

As an Apple customer this isn't a bug, it is a feature!

Re:Who cares. (0)

Anonymous Coward | about 6 months ago | (#45241771)

Some companies mandate employees have a Linkedin account and make connections with everyone...

Re:Who cares. (1)

Anonymous Coward | about 6 months ago | (#45242069)

Are you shitting us? I know people have a compulsion to link-in with everyone, but a corporate mandate?

Re:Who cares. (5, Informative)

SternisheFan (2529412) | about 6 months ago | (#45242209)

Are you shitting us? I know people have a compulsion to link-in with everyone, but a corporate mandate?

A few years ago I 'tried' to apply for a job for a local company. Sent my resume to them in a plain text email, which wasn't good enough, they replied, I need send it through LinkedIn. "WTF is LinkedIn?", I thought. Got part of the way through the signup process before realizing that this site wants an awful lot of personal information from me, and I canceled out before sending any info. Called the company saying that I live nearby and could just drop off my printed resume to them, still wasn't acceptable, they needed any applications to be done only via LinkedIn, that ended that job search. Knowing more and moew about LinkedIn today makes me grateful I don't have an account with them.

A decade or more ago the internet was so full of promise for "Better living through technology", nowadays it seems so damn invasive in so many ways I'm wondering whether using todays tech is worth the price. I'm starting to see why more and more people are "pulling the technology plug" out and living a simpler, no tech life. I'm seriously considering doing just that myself one day. It's gotten less and less attractive to me.

Re:Who cares. (1)

SternisheFan (2529412) | about 6 months ago | (#45242227)

Pardon the typos. Inputting through an android phone with a 2 1/2" screen. :-(

Re:Who cares. (0)

Anonymous Coward | about 6 months ago | (#45244585)

A decade or more ago the internet was so full of promise for "Better living through technology", nowadays it seems so damn invasive in so many ways I'm wondering whether using todays tech is worth the price.

Pardon the typos. Inputting through an android phone with a 2 1/2" screen. :-(

Evidently not

Re:Who cares. (2)

Zontar The Mindless (9002) | about 6 months ago | (#45243239)

Well, we *did* get free international video calling and a rather nice operating system out of the deal.

But, yeah, it feels like the dream is pretty much over.

Re:Who cares. (0)

Anonymous Coward | about 6 months ago | (#45242125)

[citation needed]

Why is anyone surprised? (5, Insightful)

Anonymous Coward | about 6 months ago | (#45241527)

It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

They are going to keep getting more invasive as they figure out new ways to screw you over for a profit.

Re:Why is anyone surprised? (5, Informative)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#45241595)

I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services); but I am fucking shocked at just what a clusterfuck this particular app is.

So, you install the 'app'. It applies an iOS configuration profile to your phone. Those can do rather a lot [apple.com] ... In this case (so far) what it does is set up an MiTM that routes all your email through their servers, and dynamically rewrites it to add content of their choice to messages.

It's totally normal for 'social networks' to own you like livestock in everything you do on that network; but reaching out and grabbing all 3rd party email (Oh, man, are some corporate IT/Security people going to be spitting napalm about this one...) that passes through your handset, and including that? Ballsy. Really, really, ballsy. Makes the old "Hey, let's grab their entire contact list!" sleaze-scheme look like amateur hour.

Re:Why is anyone surprised? (5, Informative)

immaterial (1520413) | about 6 months ago | (#45241665)

Informative summary; in case anyone cares LinkedIn's official explanation is here: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios [linkedin.com]

Re:Why is anyone surprised? (4, Insightful)

icebike (68054) | about 6 months ago | (#45241781)

Pretty smug and self congratulatory.
Everyone make sure you put Martin Kleppmann on your DO NOT HIRE list.

I hope Apple steps up and kicks them out of the App Store.

Re:Why is anyone surprised? (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#45241877)

It is admittedly a cute hack (presented in a smarmy tone); but the sheer tone-deafness and unwillingness or inability to recognize that you are proposing to subject potentially-hundreds-of-thousands of people's private information to your cute hack is sickening.

That's what really gets me: If this were random geek giving a little chat about 'stupid IMAP regex tricks; the closest thing to greasemonkey for iOS mail!' and showing off an architecturally similar system for on-the-fly-rewrites of mail to add useful hooks to present features absent in the client, it'd be clever and endearing. But that isn't the game we are playing here. This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.

Either he knows that, and just doesn't give a fuck (in which case he is somewhere beneath contempt and heading further down), or he's dangerously myopic to an almost unbelievable degree.

Re:Why is anyone surprised? (1)

cbybear (256161) | about 6 months ago | (#45244523)

Bingo! You nailed it exactly. No sense of morals or social obligation. Just does whatever comes to his little mind and thinks he is the most clever thing since the last shitstain to come along and think he knows more about tech than everyone else. What he fails to understand is that the people that created all this stuff we use knew how to do all this evil stuff, they just had better guiding values. Heck, they had guiding values period!

Re:Why is anyone surprised? (5, Informative)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#45241951)

"All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted."

And all (transient) storage of the data being communicated while they are on the LinkedIn servers?

Hmm... Didn't think so.

Also worth noting: In their 'Pledge of Privacy' [linkedin.com] (which may change from time to time, to 'clarify' things) they have an adorable little elision...

"Do you read my email?

In order to provide the Intro service, the servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message."

Well, ok, the system obviously wouldn't work if it didn't parse the email, right?

"Do you store my email or my password?

During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes."

Well, ok, fast downloads are good, and temporary cache is temporary, so you totally aren't building a giant dossier of all my email, whew.

Now... " the servers use software to extract information from each message". Hmm... it doesn't say a thing about the storage, use, retention, or anything else of that 'extracted information'. Nor (aside from giving the one example that is architecturally necessary, and thus trivial), does it provide any detail about what information is extracted. So, in fact, the only thing I know is that they say that a literal copy of my email is not being stored (Maybe they only store my metadata, like the NSA?) Maybe they store any substrings that match a set of keywords? Who knows? Not you or me.

Re:Why is anyone surprised? (0)

Anonymous Coward | about 6 months ago | (#45243213)

Now... " the servers use software to extract information from each message". Hmm... it doesn't say a thing about the storage, use, retention, or anything else of that 'extracted information'. Nor (aside from giving the one example that is architecturally necessary, and thus trivial), does it provide any detail about what information is extracted. So, in fact, the only thing I know is that they say that a literal copy of my email is not being stored (Maybe they only store my metadata, like the NSA?) Maybe they store any substrings that match a set of keywords? Who knows? Not you or me.

You don't even know that. Think like a lawyer:

Q: What information does your software extract?
A: A sequence of bytes. The first byte of the email, the second byte of the email, up to the nth byte of an n-byte-long email.

Q: But isn't that the entire email?
A: According to NSA, it's not collecting data if a human doesn't look at it.

Re:Why is anyone surprised? (5, Insightful)

dcollins (135727) | about 6 months ago | (#45242427)

Nice link. Fascinating how they cream themselves for 2,000 words on the technical challenges they overcame to break into a system not meant for that, but only 3 short sentences that privacy is fine, they're serious, see this link. (At least until uproar made them add the italicized part at the end.) Very telling.

Re:Why is anyone surprised? (1)

Frobnicator (565869) | about 6 months ago | (#45243263)

Wow. That is an eye-opening list, the things it can modify is rather nasty. Just these alone scream that it should be blacklisted from any corporate environment:
  * VPN settings
  * LDAP directory service settings
  * Credentials and keys

The absolute last thing I want on a phone with corporate network access is to have those permissions.

Re:Why is anyone surprised? (1)

Nerdfest (867930) | about 6 months ago | (#45241693)

Even their old Android app had ridiculous permissions. LinkedIn is handy if you're looking for work, but web-only.

Re:Why is anyone surprised? (2)

aztracker1 (702135) | about 6 months ago | (#45242543)

I haven't ever, and don't believe anyone I know has gotten a job via linked in. I deny anyone I don't know personally. I don't install apps that ask for excessive permissions.. amazing how many flashlight apps you have to look through to find one without spyware.

Re:Why is anyone surprised? (1)

moteyalpha (1228680) | about 6 months ago | (#45241765)

I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services);

Linkedin has many dubious methods that aren't visible to a typical person. I know some of the methods they employ to extend their grasp. The problem is that there is no way to explain this to people without a CS degree. It just irritates the victim to be a tool so they ignore it.
To go from ironic to sardonic as well as a self deprecating, we are providing social comments on a site owned by a company that handles employment (DICE). So it is posters on a 'social network' that complain of the use of themselves as product on a 'social network'.
But, that aside, I agree that this is right out of the ball park for sleaze and greed.

Re:Why is anyone surprised? (1)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#45241963)

As much as your point about DICE is well taken, I'd honestly love to know how you would go about 'monetizing' a user who (voluntarily, and for no material reward, no less) impersonates a fungus with internet access in order to whine about surveillance and make bad geek jokes. I have the chilling suspicion that it can be done; but damned if I can imagine how...

Re:Why is anyone surprised? (0)

dbIII (701233) | about 6 months ago | (#45243417)

If a lone $2 app guy did that, disclaimers, informing the customer or not, they'd be facing many years of jail time. It's depressing that the law does not seem to apply to these intrusive mongrels that can cause more damage than a cracker.

platform limitations (1)

stenvar (2789879) | about 6 months ago | (#45243423)

LinkedIn's service seems to be based on Rapportive, which has been around for a while. On desktops, they can just hook into web mail services and mail readers through extensions; no rerouting required. Of course, the information still ends up on their servers, but that's kind of the point: how could they give you information related to your mail messages if they couldn't look at it?

On mobile, the hooks for this are missing. Furthermore, iOS is rather insistent on the precious specialness of Apple's own applications, so replacing the mail app is hard too. If they want to provide this service, inserting themselves in the middle is basically all they can do.

I was using Rapportive briefly on the desktop but didn't find it all that useful. I can imagine that for some people it is useful (e.g., if you're in HR and get a lot of emails from people you don't know), however. Since it's voluntary, I don't think it's a big deal.

As for corporate email providers, they have a simple way of stopping this.

Re:Why is anyone surprised? (1)

petsounds (593538) | about 6 months ago | (#45243639)

What's strange to me is that Apple even allows configuration profiles to be distributed and installed by non-enterprise, third-party apps. This seems like a giant security hole. If I was Apple I'd be pulling this app from the store posthaste and closing that attack vector.

Re:Why is anyone surprised? (0)

Anonymous Coward | about 6 months ago | (#45243821)

It applies an iOS configuration profile to your phone. those can do rather a lot [apple.com]

And iFags get all hysterical about Android because apps can send text messages....

Re:Why is anyone surprised? (0)

Anonymous Coward | about 6 months ago | (#45244293)

Profiles won't allow an app to send SMS messages or make phone calls through the cell account. They can request these, but it will always require consent and must go through the in-built mechanisms. Apps can send SMS through third party services, or make calls using VoIP services. This limitation prevents rogue apps from running up alarming bills. The only real cost an app can run up would be through data, and iOS 7 allows cell data to be enabled or disabled on an app specific basis.

That's the difference. If you look up apps that are able to make calls and send SMS you'll see they either run through third party services or require a jailbreak.

Re:Why is anyone surprised? (2)

rudy_wayne (414635) | about 6 months ago | (#45241707)

It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

It amazes me even more that people think they need a LinkedIn app on their phone. Seriously. WTF.

If you think you need this app on your phone you get what you deserve.

Re:Why is anyone surprised? (1)

Blue Stone (582566) | about 6 months ago | (#45244421)

It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

People don't realise this because it isn't true. What you describe is a relationship in which only the social network provider gains, but this isn't what people experience: people do get utility out of the functions the networking sites provide.

You can certainly argue that the relationship is skewed, or that the price users are paying for the networking is greater than they realise (I think it is) - but, this is not a one-sided relationship. The users get networking services AND the providers of that service turns their users into products.

It's a symbiotic relationship. It may also be an unhealthy symbiotic relationship, but it's not parasitic.

Umm... (-1)

Anonymous Coward | about 6 months ago | (#45241571)

How can an App "redirect e-mail traffic to and from users' iPhones and iPads"? So if I log into my Yahoo on Chrome for iPad, this LinkedIn App will redirect my email traffic? Sounds ludicrous to me.

Re:Umm... (2)

AuMatar (183847) | about 6 months ago | (#45241587)

If it's running on your phone and you have an email app that downloads messages to your phone, it could be reading those files and sending them back to Linkedin. It wouldn't really be redirecting it, but it would be copying it and sending it back there.

Which is why I'm very careful with what apps I download. If the website provides the same services, why would I download an app?

Re:Umm... (0)

immaterial (1520413) | about 6 months ago | (#45241659)

An iOS app has no access to any other app's files. The scheme you describe would fortunately be impossible.

Re:Umm... (4, Informative)

icebike (68054) | about 6 months ago | (#45241827)

It is possible. Read what they say on their own web page [linkedin.com] :

Once we got the IMAP proxy working, we were faced with another problem: how do we configure a device to use the proxy? We cannot expect users to manually enter IMAP and SMTP hostnames, choose the correct TLS settings, etc — it’s too tedious and error-prone.
Fortunately, Apple provides a friendly way of setting up email accounts by using configuration profiles — a facility that is often used in enterprise deployments of iOS devices. Using this technique, we can simply ask the user for their email address and password, autodiscover the email provider settings, and send a configuration profile to the device. The user just needs to tap “ok” a few times, and then they have a new mail account.

The users have no idea why they are clicking OK, but once it's done it works so they ask no questions.
After all, they are Linkedin users, so they automatically aren't too bright.

Re:Umm... (1)

immaterial (1520413) | about 6 months ago | (#45242041)

The method they use has absolutely nothing to do with accessing the emails/files with the Mail app as described by AuMatar - it's an injection via a proxy before the data ever hits the Mail app. I was specifically addressing AuMatar's fear that "you have an email app that downloads messages to your phone, it could be reading those files and sending them back to Linkedin."

Also, there is some interesting hilarity in you getting modded up for pointing me to a link that *I* introduced to this thread.

Re:Umm... (1)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#45242499)

An iOS app has no access to any other app's files. The scheme you describe would fortunately be impossible.

A given app doesn't have access to another app's files; but since their scheme also employs a configuration profile [apple.com] , I suspect you could have some fun with quietly twiddling per-app VPNs, the global HTTP proxy, silent installation of trusted certificates, and other useful little toys.
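
An added example, not part of the thread and not LinkedIn's or Apple's code: a defender-side audit of a configuration profile before it is installed, flagging a mail payload whose servers are not the mail provider's own, plus the payload types the comments above single out (VPN, LDAP, global proxy, certificates). The allowlist of expected mail hosts, the `example.net` host names and the sample profile are constructed assumptions.

```python
import plistlib
from xml.parsers.expat import ExpatError

MAIL_PAYLOAD = "com.apple.mail.managed"
# Payload types that change where traffic goes or what the device trusts.
SENSITIVE_PAYLOADS = {
    "com.apple.vpn.managed": "VPN settings",
    "com.apple.vpn.managed.applayer": "per-app VPN settings",
    "com.apple.ldap.account": "LDAP directory account",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.security.root": "trusted root certificate",
    "com.apple.security.pkcs1": "certificate",
    "com.apple.security.pkcs12": "certificate with private key",
}


def load_profile(raw):
    """Parse a .mobileconfig. Signed profiles wrap the XML plist in a CMS
    envelope, so fall back to slicing the plist out of the raw bytes."""
    try:
        return plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError):
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("no property list found in profile")
        return plistlib.loads(raw[start:end + len(b"</plist>")])


def audit_profile(raw, expected_hosts):
    """Return (kind, detail) findings. expected_hosts maps an e-mail domain
    to the set of mail servers the auditor expects for it (an assumption)."""
    profile = load_profile(raw)
    findings = []
    if "EncryptedPayloadContent" in profile:
        findings.append(("encrypted", "payloads cannot be inspected"))
    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):
        payloads = []
    for payload in payloads:
        ptype = payload.get("PayloadType", "")
        if ptype == MAIL_PAYLOAD:
            domain = payload.get("EmailAddress", "").rpartition("@")[2].lower()
            allowed = expected_hosts.get(domain, set())
            for key in ("IncomingMailServerHostName",
                        "OutgoingMailServerHostName"):
                host = payload.get(key, "").lower()
                if host and host not in allowed:
                    findings.append((
                        "mail-rerouted",
                        f"{key}={host} is not a known server for {domain}",
                    ))
        elif ptype in SENSITIVE_PAYLOADS:
            findings.append(("sensitive-payload", SENSITIVE_PAYLOADS[ptype]))
    return findings


def build_sample(incoming, outgoing, with_root_cert):
    """Build a constructed profile for the demo; not a captured real one."""
    content = [{
        "PayloadType": MAIL_PAYLOAD,
        "PayloadIdentifier": "com.example.sample.mail",
        "EmailAccountType": "EmailTypeIMAP",
        "EmailAddress": "alice@gmail.com",
        "IncomingMailServerHostName": incoming,
        "IncomingMailServerPortNumber": 993,
        "IncomingMailServerUseSSL": True,
        "OutgoingMailServerHostName": outgoing,
        "OutgoingMailServerPortNumber": 587,
        "OutgoingMailServerUseSSL": True,
    }]
    if with_root_cert:
        content.append({
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "com.example.sample.root",
            "PayloadContent": b"constructed-not-a-real-certificate",
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Constructed sample",
        "PayloadIdentifier": "com.example.sample",
        "PayloadVersion": 1,
        "PayloadContent": content,
    })


if __name__ == "__main__":
    hosts = {"gmail.com": {"imap.gmail.com", "smtp.gmail.com"}}
    sample = build_sample("imap.proxy.example.net",
                          "smtp.proxy.example.net", with_root_cert=True)
    for kind, detail in audit_profile(sample, hosts):
        print(f"{kind}: {detail}")
```
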

Re:Umm... (0)

Anonymous Coward | about 6 months ago | (#45242973)

Hello iOS update 7.0.4!!

Re:Umm... (2)

icebike (68054) | about 6 months ago | (#45241807)

They just proxy all mail.

Normally your device connects directly to the servers of your email provider (Gmail, Yahoo, AOL, etc.), but we can configure the device to connect to the Intro proxy server instead.
The Intro proxy server speaks the IMAP protocol just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar.

http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios [linkedin.com]

I wonder if he will be so smug when they perp walk him out of his office.

Re:Umm... (5, Informative)

immaterial (1520413) | about 6 months ago | (#45241627)

You have to allow their app to install a configuration profile that sets up iOS's Mail app to get your email through LinkedIn's proxy server; then LinkedIn can read your email and inject relevant code directly into the message before it hits the mail client: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios [linkedin.com] *barf*

Re:Umm... (-1)

Anonymous Coward | about 6 months ago | (#45241669)

Now that's evil. Imma delete my (mostly unused) LinkedIn account in protest.

Re:Umm... (0)

Anonymous Coward | about 6 months ago | (#45241757)

I'm waiting on how they blame this on a programming error, they obviously neeeeever wanted to MITM all mails...

Re:Umm... (-1)

Anonymous Coward | about 6 months ago | (#45241939)

You have to allow their app to install a configuration profile that sets up iOS's Mail app to get your email through LinkedIn's proxy server

Why do you have to do that? Why can't you just not install their app?

Certainly LinkedIn is acting pretty damn evilly, but their evil requires active cooperation from the victim. You don't have to have a LinkedIn account. You don't have to install their app.

Re:Umm... (0)

Anonymous Coward | about 6 months ago | (#45241941)

Fucking invasive apps that's why.

The linked in apps are the most fucking invasive apps ever. Most app writers actually give a slight fuck about your privacy. But linked in hooks into absolutely every system on your mobile device and utilizes those services for whatever they want. So if you ever install it, consider all your emails, contacts, phone calls, instant messages, text messages, and GPS location theirs.

And that was the previous app.

Much too easy for this to happen (1)

Anonymous Coward | about 6 months ago | (#45241577)

Now I feel a little less cowardly for having virtually no voluntary apps loaded on my android gadgets because of all the permissions required and no convenient way to limit access to my data.

Re:Much too easy for this to happen (2, Interesting)

Anonymous Coward | about 6 months ago | (#45241625)

Let me give you some friendly advice.

1) Root it
2) Install AFwall
3) Configure AFwall to block most traffic

Re:Much too easy for this to happen (1)

icebike (68054) | about 6 months ago | (#45241839)

The trick they used only works on iOS.

(Not that I'm denying there could be an equivalent trick on Android).

Re:Much too easy for this to happen (0)

Anonymous Coward | about 6 months ago | (#45241857)

Android would be easier, since there appears to be no permissions keeping VPN redirects from being installed whatsoever, so any app can easily route all the device's traffic through their servers.

Re:Much too easy for this to happen (1)

icebike (68054) | about 6 months ago | (#45241909)

It's not really a vpn re-direct, they simply proxy all mail through their own servers. Admittedly, you get some clues and warnings, when they ask you for your passwords for your mail, but I'm not convinced it's that easy to tell the mail client on android to start suddenly using a proxy instead of what is configured into the phone.

We will probably have to wait and see if this trick shows up on Android.

Re:Much too easy for this to happen (1)

HJED (1304957) | about 6 months ago | (#45242165)

I don't use it because I like some of the google apps, but I believe cyanogenmod allows you to control app permissions.

Re: Much too easy for this to happen (1)

Nerdfest (867930) | about 6 months ago | (#45242389)

You can use the Google apps in cyanogenmod.

Re: Much too easy for this to happen (1)

HJED (1304957) | about 6 months ago | (#45242491)

Some features are disabled on rooted phones (including cyanogenmod). I think it's mainly the DRM on their music store means they won't let you buy on rooted phones. It is entirely possible they will disable other features in future and I don't really see the need for me to change.

Re: Much too easy for this to happen (1)

ArbitraryName (3391191) | about 6 months ago | (#45242999)

I have no problem buying music (or anything) on a rooted Android. Not only that, people specifically root their phones to access other countries' Play stores. I'm not sure where you got that idea from.

They dump your address book, so I'm not surprised (5, Interesting)

Anonymous Coward | about 6 months ago | (#45241805)

The only thing I'm not surprised about is that this company hasn't been sued or hacked into the oblivion.

I have a private email address. Only friends and family know about it. I don't use it to sign up for anything on the internet, I have other addresses for that. This particular address is the one I give out to people who might need to pull down a direct line of communication to me, wherever I am on the planet, assuming I have cellular and data connectivity. I also know precisely who has this address, and they are well aware that they're not to give it out to other people without my consent.

One day I started getting spam from these LinkedIn assholes. The kind of spam that never stops, and just keeps badgering you to reply to it or click some stupid fucking button. If you want to "unsubscribe" from their awesome service, you have to go to a fucking website and enter in your email address. What the hell?

Anyways, the person whose account started badgering me to confirm I know them... Never actually gave my email address to LinkedIn. He knew how much I despise modern day social networking and I trust him when he says he would never sign me up for something without my prior permission (why he would ever have a reason to sign me up for anything was beyond the both of us). Yet, there I was, getting spam from LinkedIn irregardless, with no way to stop it except to go to their idiot website and enter in my friggin' email address.

The only conclusion that we could come to was that they leeched it from his phone or laptop *somehow*, because those were the only two places where my super private email address was being held. We later found out that a lot of other people on those address books started getting LinkedIn spam as well, so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it.

As far as I'm concerned, LinkedIn can fuck off and go rot in hell. I told myself the next time they spammed me I'd start mailing C&D letters, because I'm sick and tired of having to unsubscribe from their bullshit pestering service every 3 months that I clearly did not sign up for (and if their EULA somehow makes it OK for them to spam me because my friend clicked OK, well, I'd be more than happy to take these fuckers to court over that).

Re:They dump your address book, so I'm not surpris (2)

Ducho_CWB (900642) | about 6 months ago | (#45241851)

Maybe it is that wonderful feature that asks for your email and password to check if your contacts already have a LinkedIn account so they will connect them for you.
My email and password? Are you kidding?

Re: They dump your address book, so I'm not surpri (1)

Yaur (1069446) | about 6 months ago | (#45242399)

Your friend is too dumb to not enter his email address/password into random websites... don't be surprised if this isn't the last of the spam.

Social engineering (0)

Anonymous Coward | about 6 months ago | (#45241811)

This is nothing more than social engineering done by a big public company... If it were an individual, he could have been incriminated, couldn't he?

I'm a Software Engineer and never used Linkedin (1)

Anonymous Coward | about 6 months ago | (#45241871)

I find it ridiculous when I read blog posts on the net that claim that you have to have a LinkedIn account to get a job in the "tech world". Really? Since when? Maybe some asshole recruiter will require it but I've never had issues not having one. But then again, maybe they looked me up and found this famous guy, which there are... Hell, no complaints though. The only time I got a LinkedIn account was to view someone's profile, and then I cancelled my account, which I created using a temporary e-mail account. Suck mah balls linked-in, we don't need you!

Lucky their app is dumb (2)

tompaulco (629533) | about 6 months ago | (#45241969)

Lucky for us their app is dumb. I will share what has happened several times to me. I get an e-mail saying "so and so has endorsed you". So and so probably doesn't really know what I do or know that I am an expert in whatever they are endorsing me for, but let's skip that. Okay, it says "add to profile". Click! "Would you like to install the LinkedIn App?" Why, no, since I already installed it like a year ago. Okay, so what is my other choice, "open mobile site". Click! "Please Login" and then it has a Google and a Yahoo login. Um, no, I want to login to LinkedIn, not Google or Yahoo. If I login to Google or Yahoo, then LinkedIn will browse all my contacts and spam them. So obviously I am not doing that. Ok, well I guess I will leave that e-mail sitting around and maybe look at it from a real computer someday. At least it works from a real computer.

Re:Lucky their app is dumb (1)

icebike (68054) | about 6 months ago | (#45242093)

When someone sends me a LinkedIn invite, I always consider the possibility that they don't understand that the LinkedIn app can mine all of their contacts by virtue of you handing over the passwords to your account. I send them an email and point to a couple of online sites that show them what is going on. Most of them are clueless that these invites are going out under their name.

This was the subject of another Slashdot Story [slashdot.org] back in September.

 

Re:Lucky their app is dumb (2)

93 Escort Wagon (326346) | about 6 months ago | (#45242531)

LinkedIn is going rapidly down the toilet because they a) want to be Facebook, and b) don't understand their audience.

Also, c) their iOS app is horrible. Seriously, it is several steps down even compared to their awful mobile website. It doesn't say much for a job networking and promotion company when they apparently were unable to hire a competent app designer (nor competent web designers, for that matter).

On a side note - has anyone here ever been endorsed for skills you actually have by people who actually are familiar with your work? I keep getting endorsements for bogus skills by connections who are not in a position to know what my true skills are at any level of detail.

LinkedIn does something intrusive? vote with feet! (1)

Anonymous Coward | about 6 months ago | (#45241979)

Simple solution: Remove LinkedIn from your handset. Their app doesn't integrate that well anyway.

How is this different from Gmail? (3, Insightful)

markjhood2003 (779923) | about 6 months ago | (#45242021)

I'm not trying to troll here, but not being a Gmail user, I'm not sure how LinkedIn's scraping of email is any different than Google scraping it for advertising services. I understand that technically LinkedIn is acting as a proxy, and Google as an ISP, but how is the result any different?

Re:How is this different from Gmail? (3, Informative)

icebike (68054) | about 6 months ago | (#45242221)

Google advertises to ME. They don't grab my contacts and send email to them.

Further, if you use a non-web client to read your gmail, you never even see the ads that they target toward you.

I chose Gmail as my mail handler, knowing full well the rules of the game.
People who use Linkedin had no understanding that they were appointing them as their mail handler.

Re:How is this different from Gmail? (1)

Anonymous Coward | about 6 months ago | (#45243383)

What's more, if I don't use LinkedIn, but I email someone who is using this service and that person replies to my email (including my email within his email), then my original email text is exposed to LinkedIn's system.

So, I'd automatically not want to email anyone who'd open my communication up to that degree.

Re:How is this different from Gmail? (0)

Anonymous Coward | about 6 months ago | (#45243437)

You have to assume that if you send anybody email, it gets stored, shipped, and analyzed on dozens of servers these days.

If you want to communicate privately, don't use email.

Re:How is this different from Gmail? (0)

Anonymous Coward | about 6 months ago | (#45243675)

Don't use the telephone either. Thanks to the NSA that isn't private anymore either. Want to visit someone in person? Better put that phone into a Faraday cage on the way over. Your location data from your cell phone is no longer considered private. We are so far down the slippery slope that ANY form of telecommunications technology is not considered private.

Re:How is this different from Gmail? (1)

sumdumass (711423) | about 6 months ago | (#45242395)

I would suggest a good portion of the difference is who has the email legitimately.

I mean, is it worse for your roommate, who you have loaned your car to before, to take your car and drive across town without asking, or for me, who you don't know or just met, to do the same?

Re:How is this different from Gmail? (1)

Bite The Pillow (3087109) | about 6 months ago | (#45243177)

Does LinkedIn currently have access to a copy of every email you read from Gmail? Probably not, but they would with this extension.

Google parses your gmail; this would be Google processing your Outlook inbox on a Google server. Or me preprocessing all your mails and swearing that I'm not doing anything bad, even though it's my revenue stream.

TOS anyone? (-1)

Anonymous Coward | about 6 months ago | (#45242077)

Not the TOS of F*dIn, but the TOS of my email provider.

HEY F*dIn, you piece of shit assholes, you can rot in hell the day you think I am going to give you my email account's password. You say you're only getting emails, but the password works both ways and I am responsible for emails that are sent from my account. Do you think I am going to trust you?

Complete fucking greedy ass, douchebags...

FUCK OFF LINKED IN!!! Consider my account CANCELLED, as of now.

I am going to sue your fucking ass off because you violated my email provider's TOS. You had better get lawyered-up, dickheads.

Re:TOS anyone? (1)

filthpickle (1199927) | about 6 months ago | (#45242733)

"you did WHAT?!?!"

Me, to some kid I work with upon him telling me he did that...with his company email login....(which is his network login). And. Nobody. Cared.

Dream for Attackers? That's a bit rich (1)

davidannis (939047) | about 6 months ago | (#45242229)

E-mail is fundamentally insecure. SMTP is easily spoofed because it has no authentication mechanism [cert.org]. By default every message travels unencrypted and nobody bothers to correct that. I can not remember the last time I got an e-mail that was encrypted. Sure, gmail may provide me with an SSL connection to read my mail, but any message in my inbox could have bounced all over the net in the clear. Every large e-mail provider has been repeatedly hacked. If you are using a set of insecure protocols with no encryption, adding another possibly insecure service doesn't change things much.

Re:Dream for Attackers? That's a bit rich (0)

Anonymous Coward | about 6 months ago | (#45243693)

Ever hear of SPF records? Not ironclad authentication, but properly implemented it greatly reduces spoofing.

Time for Apple to Step Up (4, Insightful)

Hangtime (19526) | about 6 months ago | (#45242231)

I'm calling on Apple to kick 3rd party applications out of the ability to make a configuration like this. This appears to be a significant security threat to the iOS platform and should be treated as such. Applications should not be able to do this on their own and as we have seen with LinkedIn, it can lead to no good.

For those sysadmins who would like to block this from occurring within their network or on their devices this was taken from Reddit. See the IMAP and SMTP configuration below and block it at the firewall.

IMAP: imap.intro.linkedin.com
SMTP: smtp.intro.linkedin.com

From the Apple configuration profile:

IncomingMailServerHostName imap.intro.linkedin.com
IncomingMailServerPortNumber 143
....
OutgoingMailServerHostName smtp.intro.linkedin.com
OutgoingMailServerPortNumber 587
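Besides blocking those hosts at the firewall, an admin can audit configuration profiles for mail payloads that point at them. The following is an added example, not part of the comment above and not Apple's or LinkedIn's code: it uses the two hostnames and the `...MailServerHostName` keys quoted in the comment, and assumes the mail settings sit in a `com.apple.mail.managed` payload inside `PayloadContent`. The sample profile is constructed for the demonstration.

```python
import plistlib

# Hostnames quoted in the comment above; suffix match also covers sibling hosts.
BLOCKED_SUFFIXES = ("intro.linkedin.com",)
MAIL_PAYLOAD_TYPES = {"com.apple.mail.managed"}  # assumed e-mail account payload type
HOST_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName")


def extract_plist(raw: bytes) -> dict:
    """Return the profile dict from a plain or CMS-signed .mobileconfig.

    A signed profile carries the XML plist inside a DER envelope, so slicing
    from '<?xml' to '</plist>' recovers it (the signature is NOT verified).
    """
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def host_matches(host: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """True if host equals a blocked name or is a subdomain of one."""
    host = host.strip().rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_mail_redirects(raw: bytes, suffixes=BLOCKED_SUFFIXES) -> list:
    """List (key, host, port) for mail payloads pointing at a blocked host."""
    findings = []
    for payload in extract_plist(raw).get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") not in MAIL_PAYLOAD_TYPES:
            continue
        for key in HOST_KEYS:
            host = payload.get(key, "")
            if isinstance(host, str) and host_matches(host, suffixes):
                port = payload.get(key.replace("HostName", "PortNumber"))
                findings.append((key, host, port))
    return findings


# Constructed sample profile mirroring the values quoted in the comment.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.mail.managed",
        "IncomingMailServerHostName": "imap.intro.linkedin.com",
        "IncomingMailServerPortNumber": 143,
        "OutgoingMailServerHostName": "smtp.intro.linkedin.com",
        "OutgoingMailServerPortNumber": 587,
    }],
})

if __name__ == "__main__":
    for finding in find_mail_redirects(SAMPLE_PROFILE):
        print("mail redirected via blocked host:", finding)
```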

Re:Time for Apple to Step Up (2)

Bogtha (906264) | about 6 months ago | (#45244095)

Applications should not be able to do this on their own

They can't. All they can do is provide a configuration profile. This then prompts the user, who has the choice whether to install it or not.

This feature is aimed at the enterprise market, where you don't want to walk your ten thousand employees through how to set up their email because even if 1% of them are idiots, you end up with a hundred people wasting your time.

Makes it easier to screen IT candidates (2, Interesting)

Anonymous Coward | about 6 months ago | (#45242253)

Anyone with the LinkedIn app.. REJECTED. You're too fucking stupid to be in IT.

Re:Makes it easier to screen IT candidates (2)

HycoWhit (833923) | about 6 months ago | (#45242373)

Not sure why folks haven't figured this out. LinkedIn is simply an aol.com email address for the younger generation. If you still have a LinkedIn--you're not very bright.

LinkedIn is not a social network (1)

Jonah Hex (651948) | about 6 months ago | (#45242295)

Not sure how it keeps getting called a social network. It's an evil that has taken over a large segment of the job hunting market, especially in IT. I've got an account but actually read what I click so I haven't spammed my email contacts, and definitely won't be installing their crapware app. - HEX

wow (0)

Anonymous Coward | about 6 months ago | (#45242409)

and it's going to un-install so gracefully. probably just delete itself from the middle and leave email unusable.... can't wait for those help calls to start.

The whole social network internet meme (0)

Anonymous Coward | about 6 months ago | (#45242463)

needs to die.

Linked in is the ultimate sleaze company (1)

WaffleMonster (969671) | about 6 months ago | (#45242657)

Everything about this company is seedy and disgusting. Their "engineer" openly bragging on a blog about "doing the impossible" with a little IMAP MITM is breathtaking. Just about what we've come to expect from these assholes.

At this point I have to ponder who in their right mind would associate with or hire anyone still idiotic enough to keep using this "service"?

Re:Linked in is the ultimate sleaze company (1)

lgw (121541) | about 6 months ago | (#45243519)

Amazing how many posts there are in this story saying "if you use Dice's competitor, you're an idiot". Makes one wonder.

jumped the shark (0)

Anonymous Coward | about 6 months ago | (#45243541)

This is shocking.

It's grossly and obviously wrong and there was no-one at LinkedIn who stopped it from happening; indeed, there must have been some people who thought it should, and a bunch of people who thought it was a bad idea and were ignored or did nothing.

I quit LinkedIn about six months ago, when I properly appreciated that I was delivering up a ton of personal data to everyone - Government agencies included - rather than just to the people I intended it for (employers).

Prior to that, I had stopped using their mobile app, because the T&C was so incredibly long that it was unreadable. Never sign anything you do not understand, and if you can't *read* the T&C, all bets are off.

I've had some engagement recently with LinkedIn customer support, as they still keep sending me email where people are requesting connections (after I deleted my account).

To call them useless would be to over-estimate their utility. Engagement with them has been, and has only been, a loss, and when I made a second support issue about the response to the first being useless, I was asked to provide a SCREENSHOT of the conversation... (despite providing the previous support case number).

As such, the solution to this problem in fact needs to come from my side, where I will reasonably soon change my email address.

All in all, LinkedIn pretty much look like they suck.

It seems to be a classic failure mode for large social networks.

I'll wave to your data as I pass by (1)

sizzzzlerz (714878) | about 6 months ago | (#45244435)

I work in Sunnyvale where LinkedIn is putting up 3 very large, multi-story buildings for their new galactic headquarters. As I pass by them, I've wondered how they would possibly fill those buildings. Now I know. They're actually putting up their version of a data storage center, similar to the one NSA has built in Utah. They need room for the disk farms that store all these emails they've captured from their users.
