Let’s start with a brief history of my investment-led fight against the perils of spam and my never-ending love of SMTP.
We were investors in Postini and my partner Ryan sat on the board. It transformed my life – with one minor change of an MX record some time in 2002 all the spam in my inbox disappeared. Well – it disappeared before it got to my inbox. Or even my server. The awesomeness of Postini was that it was the first cloud-based email anti-spam solution. And it was a beautiful thing that Google acquired in 2007 for $625m.
One of the benefits of our investment in Postini is a life-long friendship with Scott Petry. Scott is the co-founder of Authentic8, which we are also investors in. Scott also sits on the board of Return Path, which is run by another life-long friend Matt Blumberg.
Scott worked at Google for three years after the transaction for Dave Girouard (who used to run all of enterprise for Google and now is CEO of Upstart and on the board of Yesware with me) integrating Postini into all of Gmail’s infrastructure. We continued to use Postini as our spam filter (in front of Gmail) until Google transitioned all of Postini into the Google apps service.
You get the picture. There’s a nice thread through all of this SMTP, email deliverability, and anti-spam stuff in my world, both in investment and relationships. So I generally don’t think much about spam since in the past it just disappeared, or well, never appeared in the first place.
When I came home from my one month sabbatical in Bora Bora, I archived all the 3200+ emails in my inbox. If you missed my vacation reminder during that time, it said:
I’m on sabbatical and completely off the grid until 12/8/14.
I will not be reading this email. When I return, I’m archiving everything and starting with an empty inbox.
If this is urgent and needs to be dealt with by someone before 12/8, please send it to my assistant Mary (firstname.lastname@example.org). She’ll make sure it gets to the right person.
If you want me to see it, please send it again after 12/8.
On Thursday, 12/4, Amy decided to scan through her email so I went to the business center at the St. Regis in Bora Bora with her and did the same. I simply started at the top and “read / archived” each of the around 3,300 emails (using the “[” shortcut). I’m a fast reader so I skimmed the emails I cared about. Mostly I just played a video game with the [ key.I might have had a tropical drink while I was doing this.
I didn’t respond to anything and just ran this drill again early Monday morning to finish up. I then turned off my vacation reminder, had Inbox Zero, and got started again.
Yesterday, I had a weird feeling that I’d missed something that I heard about in another email thread. I was procrastinating from working on the final edits to my new book Startup Opportunities (yes – I’m doing that some more right now, but I’ve got a nice empty day in front of me) so I randomly checked my Spam folder in Gmail. I never, never, never do this so I was suprised when on the first page I saw a legitimate email. I opened it, clicked on Not Spam, and scrolled to the next page, where I saw another one. And another one.
I had 5,500 messages in my spam folder since I got back on 12/8. I went through all off them – it only took about 10 minutes. I found 39 legitimate emails. Not notifications, not email newsletters – but real emails sent to me by people I often get emails from. Here’s a screenshot of the legit ones.
I did my dutiful work and hit “Not Spam” on all of them. I was perplexed and talked to my friends at Return Path who gave me some feedback.
This morning, I had 433 messages in my Spam folder. This time, they all looked like they should.
I’m hoping that this was only a temporary glitch in the matrix. However, I’ll be checking my Gmail spam folder on a daily basis for a while. Boo.
When LinkedIn posted LinkedIn Intro: Doing the Impossible on iOS I was intrigued. The post title was provocative (presumably as intended) and drew a lot of attention from various people in the security world. Several of these posts were deeply critical which generated another post from LinkedIn titled The Facts about LinkedIn Intro. By this point I had sent emails to several of my friends who were experts in the email / SMTP / IMAP / security ecosystem and was already getting feedback that generally trended negative. And then I saw this post titled Phishing With Linkedin’s Intro – a clever phishing attack on Intro (since fixed by LinkedIn).
All of this highlights for me my general suspicion around the word “impossible” along with the complexity that is increasing as more and more services interconnect in non-standard ways.
One of the thoughtful notes I got was from Scott Petry – one of my good friends and co-founder of Authentic8 (we are investors). Scott co-founded Postini and a bunch of email stuff at Google after Google acquired Postini in 2007. Following are his thoughts on LinkedIn Intro.
I am all for seamless integration of services. And while “man in the middle” is commonly seen as a pejorative, the MITM approach can enable integrations that weren’t readily available previously.
Postini, which started life as a spam filtering service became a huge email MITM enabling all sorts of email processing not available on the mail server itself. Seamless integration was a big part of our success – companies pointed their mx record to Postini, Postini filtered and passed the good stuff on to the company’s mail server. While controversial in 1999, DNS redirect-based services have become accepted across all ports and protocols. Companies such as Cloudflare, OpenDNS, Smartling, and more all offer in-line services that improve the web experience through DNS-level MITM-type model. Simple to configure and high leverage. They just aren’t thought of as MITM services.
Extending functionality of services by authorizing plug-ins to gain access to your data can be really useful as well. I use Yesware in Gmail to help track messages and automate responses when I send company-related marketing/sales emails. It’s a great service, enabling functionality not previously available, and you could think of this as a man in the middle as well. It is important to point out that in the case of Yesware and DNS style integrations, I need to explicitly approve the integration. The details are made available up front.
New levels of integrated services are coming online daily. And vendors are getting more and more clever with APIs or skirting them altogether in order to get their app in front of us. It’s natural to be sucked in by the value of these services and it’s easy to overlook any downside. Especially given that for many of them, the people who are paid to think about security ramifications aren’t in the loop. They can be installed and configured by end users, not IT. And most users take the security for granted … or overlook it all together.
Last week, on the LinkedIn engineering blog, details on the new LinkedIn Intro app were shared. Intro integrates dynamic LinkedIn profile information directly into the iOS email app. It didn’t get much attention when it was launched, but once the engineering team blogged about how did the impossible to integrate with the iOS email client, the story blew up.
Details on their approach here (https://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios).
LinkedIn Intro does a beautiful job of auto-discovering your environment and auto-configuring itself. A click or two by the user, and they’re up and running with active LinkedIn data in their email app.
All this clever engineering hides the fact that LinkedIn is accessing your email on your behalf. Intro uses an IMAP proxy server to fetch your mail where they modify it, then deliver it to your iPhone. Classic Man in the Middle.
If you remember setting up your mail service on your iPhone, it is a bit clunky. You need to know the host names of your service, the ports, encryption values, etc. It isn’t easy. But you don’t do any of this with Intro. Instead of going through the usual configuration screens on iOS, Intro uses Apple’s “configuration profiles” capability auto discover your accounts and insert their servers in the middle. And since it uses OAuth to log in, it doesn’t even need to ask for your credentials.
They do such a good job of hiding what they’re doing that the significance of the data issues were lost on everyone (except the security researchers who raised the brouhaha).
This weekend, LinkedIn made another blog post. In their words, they wanted to “address inaccurate assertions that have been made” and “clear up these inaccuracies and misperceptions”. The post, here (https://blog.linkedin.com/2013/10/26/the-facts-about-linkedin-intro/) followed the PR playbook to the letter.
With one small exception concerning a profile change, the post does nothing to clear up inaccuracies and misperceptions. Instead, their post lists their reassurances about how secure the service is.
Even with these assurances, the facts remain. LinkedIn Intro pipes your email through their servers. All of it. LinkedIn Intro inserts their active web content into your email data. At their discretion.
With its clever engineering, Intro became a violation of trust. And worse, potentially a massive security hole. If the research community didn’t raise the alarm, the details of Intro’s integration wouldn’t have hit the radar.
I think the lesson here is two-fold:
1) We live in a world where our data is scattered across a variety of disparate systems. It is incumbent on us to understand the risks and weigh them against the reward of the shiny new app promising to make our lives better. If something appears to be too good to be true, it probably is.
2) Vendors need to be more transparent about what they’re doing with our data. Especially if the vendor has a spotty reputation in privacy and security realms. If they’re not, the Internet community will do it for you.