Thursday, October 24, 2013

It's Not a Bug, It's a Feature - LinkedIn Intro Edition

Dear LinkedIn - please stop with Intro.

Sincerely, every security professional.

Let me sum up with what has just happened over at LinkedIn, in a very simple manner: features won over [common sense] security. Again.

In a world where companies feel ever-more pressured to "do the impossible" (seriously, marketing people, stop) features often win over common sense security. This is no exception. As this TechCrunch article clearly points out - what's going on is your mailbox is being MITM'd (Man-in-the-Middle). This means that sensitive content (see the Bishop Fox post) that you're exchanging between you and your email partner is being intercepted, changed, and re-packaged then re-sent to your device. Who does this sound like a good idea to? Honestly... think about it?

Seriously though, the very smart folks over at Bishop Fox already have a great piece on why Intro is a train wreck waiting to happen, so I won't re-hash what has already been said - but rather I have a few things to add:

  1. LinkedIn setting a dangerous precedent - As I said on Twitter, if this thing grows legs and attains any sort of momentum it's going to set a precedent that it's OK to launch more products like this, which clearly create security issues for your users and spit in the face of common sense. Yet another reason to discount those kooky security people, because LinkedIn understands security trust them, and because you absolutely need this new completely useless gadgetry for your inbox(es). There are already lots of examples of bad security practices being explained away as "it's a feature, not a bug", but this is perhaps the most blatant in recent memory.
  2. End users don't know better - The people who use your services see a shiny new gadget and blindly trust (although I can't explain why any more than I can explain why people text when they drive) that you're keeping their information and private communications safe. Your blog posts do not outline the many security problems which the Bishop Fox post points out plain as day, and instead focuses on the gimmicks. You're doing a disservice to your users... and I think you know it. When this is inevitably used to hack millions of mailboxes can we than call this willful negligence, because you know the risks full well, but your products folks chose to ignore them? (something to think about)
Where were the risk people?
Where was the privacy and legal team?
I think we know the answers to those two questions right? They probably weren't invited to the meetings, or per the usual their lamentations were simply ignored. I refuse to believe risk, privacy and legal professionals would approve of something like this at a company like LinkedIn.

Once again ... I was pretty sure there were some very smart security people over at LinkedIn. Is this just a prime example of 'agile product development' (aka product and marketing people running feral), or is this a legitimate product that the company stands behind? To me, this product announcement proves (once again) why security people feel so disillusioned... a sad state of affairs indeed, but endemic to our trade.

Feature gimmicks win over even the most common sense security, nearly every time. Take it as fact.
So now what?

No comments: