LinkedIn: Unsalted, Assaulted and Faulted
Jun 9, 2012 5:00 AM PT
An extremely determined and talented digital intruder can find a way to break through the security of just about any website. So when you hear about a site getting hacked, the fact that there was a break-in doesn't necessarily mean that anyone was incredibly lazy or inept or asleep at the switch. Sometimes a site just gets outplayed by a criminal genius.
Other times, though, the circumstances of an intrusion indicate that the site really was flat-out doing security wrong. Sometimes a site really does leave the door unlocked and wide open.
That seems to be what happened with LinkedIn recently. The site suffered a break-in, and the intruders swiped files containing many users' logins and passwords. That's not good, but it's a setback that could have been mitigated by following some longstanding best practices, like encrypting that data so that even if someone should steal it, they couldn't make any sense of it.
But apparently that practice had not been followed. After the breach, LinkedIn indicated that going forward, the new passwords that victims put on their accounts, as well as the passwords used by members whose data wasn't stolen, will be hashed and salted. That's a delicious way to say that the data will be scrambled in order to make it very difficult for thieves to use it. It also implies that at the time of the break-in, LinkedIn wasn't hashing and salting anything. The thieves stole raw potatoes.
Sure enough, millions of users' passwords appear to have been exposed.
If LinkedIn indeed hadn't been hashing and salting users' passwords, the incident has exposed an embarrassingly weak security practice. Some users took it in stride, saying that if anyone breaks into their LinkedIn profile, that'll be the first visit it's had in years. For others, it's no joke -- LinkedIn's a site for career networking, and some profiles could hold some very sensitive info.
Mucking around with people's actual LinkedIn pages probably isn't what the intruders really have in mind, though. Like with a lot of other sites, LinkedIn users log in using an email address/password combo, and lots of people are in the habit of using the exact same email-password combo for all the sites they visit, including banking and credit card sites. Try enough cracked combos at enough sites, and odds are you'll gain access to something much more interesting than who someone's coworkers are.
Listen to the podcast (13:12 minutes).
Off the Map
Apple's and Google's erstwhile friendship has been ice-cold for years, mostly due to their growing rivalry in the the smartphone market.
I wasn't always like this. Back in 2007, it came as no surprise at all to see the iPhone debut with a few Google technologies built in, such as the phone's Maps feature, which uses Google Maps on its back end. Now, though, it's a wonder your iPhone doesn't explode in fit of rage if you even think about using it to do a Google search. The companies are fighting an enormous proxy legal battle, and it seems Apple ought to feel pretty awkward about relying on Google for one of the iPhone's most useful built-in apps.
Come to think of it, is iOS Maps really as useful as it could be? Can you do turn-by-turn directions with it, like a dashboard navigation device? No, you have to buy a third-party app for that, and some of them are kind of pricey. Android users get that feature for free. iOS Maps does Street View, but it sure took a long time to get to the iPhone.
In fact, The Wall Street Journal reports that Google has delayed or refused to provide certain Maps features to Apple, and now Apple's going to do something about it. It's going to kick Google Maps off its platform entirely, relying instead on its own mapping system. It's been collecting map companies and technologies for years, and soon it'll be ready to plug a 100-percent homegrown app into iOS and dump the one rooted in Google.
The rollover could happen very soon. On June 11, Apple will hold its annual WWDC keynote, where it's expected to introduce a cornucopia of new hardware and software. New MacBook Pros are highly expected to arrive -- some rumors even suggest Apple will refresh its entire Mac line, all the way from Mini to Pro. And since it's a developer conference, Mountain Lion is probably on the guest list, as is iOS 6. Chances are good that Apple will provide a preview of its next mobile OS, but the actual release of a new iOS usually doesn't come until a new iPhone has landed, and that might not happen until sometime this fall.
Google's certainly not one to sit around and mope about its impending breakup, though. Just after the Journal's report -- which really just reinforced rumors that were already bubbling -- Google showed off some new features for its own map platform, including 3D "flyover" enhancements, offline access to Google Maps for Android users, and a big, ridiculous-looking backpack that can be used to create Street View images of offroad locations.
A Safer Bet?
A couple of years ago a young man in Russia turned a simple idea into a quick online phenomenon. Chatroulette let anyone anywhere in the world hook up with an anonymous stranger for a round of video chat. If you got bored you could just hit "next" and instantly go face-to-face with another anonymous stranger. What you were supposed to talk about was completely up to you. Also, there weren't really any moderators to speak of.
As you can probably guess, if you don't already know, the service almost immediately turned into complete online cesspool.
But the basic concept of Chatroulette seems to have provided inspiration for Airtime, a new online video chat service that aims to eliminate some of the ... let's say, liabilities of looking through a completely random, anonymous and unmoderated window to see whatever it is the person on the other side wants to show someone.
Airtime is the creation of the tech world's two most famous Seans: Sean Parker and Shawn Fanning, who worked together to cofound Napster a decade ago. It's browser-based video chat that users log into via their Facebook accounts. So there's no complete anonymity. You can choose to remain anonymous to the person on the other end for as long as you want, but Airtime itself knows who you are.
Users can seek out chat partners based on common interests -- in fact, Parker and Fanning originally met each other over online chat 15 years ago. Users who don't feel like talking up a total stranger can also start chat sessions directly with their known Facebook friends. Users can also share live experiences, like watching YouTube clips together. Airtime's creators say more content-sharing options are on the way.
Critics have already pointed out at least one supposed technical weakness of Airtime, though. It relies on Adobe Flash. Lots of other sites use Flash too, but the technology seems to be gradually losing support, and other video ventures that have tried to pair Flash with Facebook have often done poorly. Flash bashers say a brand-new site that relies so heavily on video should be built with tech like WebRTC.
In terms of concept, though, it seems Airtime offers a more controlled and sanitized version of Chatroulette. Chatroulette did catch a decent following for a while, but it's unclear whether that was despite or because of its out-of-control and decidedly unsanitary nature.
One of the many, many reason investors have been squeamish about Facebook -- besides the untested business model, suspicion that its advertising doesn't work, its weakness in mobile, and accusations of underhanded goings-on just prior to the IPO -- has been the network's potential for future growth. Almost everyone who's interested in being on Facebook is on Facebook.
So how does it get any bigger? If it can't create a huge influx of new users, it's going to have to squeeze a lot more revenue from the users it does have, and judging by FB's market performance, investors have very little faith it's going to be able to do that -- at least not to a degree that justifies its present valuation.
But there is one group that Facebook has been intentionally turning away ever since the site was created: children. Facebook won't allow kids under 13 to join the network. Presumably this is due to some very understandable safety concerns. Also, any info posted on the Web has the potential to stay in existence forever, and it's clear that even adults often have trouble judging whether posting something highly personal is a good or bad idea.
Besides that, there's the fact that most kids don't have any money. That's no problem for ad makers, though. Just watch 15 minutes of cartoons on a Saturday morning. It's like an iron fist of advertising reaching straight through the screen and punching you in the throat.
Facebook is reportedly considering letting younger kids into the network, though the company hasn't confirmed it. If it does decide to lower its age requirement, it would likely need to set up a special kids' corner -- a place with extra protections against objectionable content and contact with strangers. There are already several kid-friendly social networks out there, so it can be done.
However, the issue of privacy follows Facebook everywhere, and when the privacy of children is in question, the issue becomes a million times more sensitive. In order to profit from the inclusion of kids, Facebook will need to give advertisers some kind of info about the kids using it. It would have to tread with extreme caution, and even then, stepping on some kind of PR landmine will probably be inevitable.
Even if Facebook Junior becomes a reality, it's unclear just how many new users the network would actually gain from it. Again, almost anyone who's interested in using Facebook is using Facebook, and that includes under-13 kids who simply lie about their age -- sometimes with Mom and Dad's permission.
Pay Now or Pay Later
Buying a smartphone can be expensive, but under most carriers' postpaid smartphone plans, the service agreement is what really bleeds your wallet dry -- slowly, month by month. The handset is discounted down to $200 or $300, but you'll be paying somewhere around $100 or more per month for service.
Prepaid phones are a different matter. You pay full price for the phone, and since you never owe the carrier anything in regard to the cost of the unit, the monthly bill is usually lower and you can back out whenever you want.
The actual phones you find on offer for prepaid are usually feature phones or maybe a few plain-vanilla smartphones. But that's beginning to change. Prepaid is beginning to go high class. Over the last few days, not one but two U.S. prepaid carriers have begun offering iPhones. And they're not a bunch of ancient iPhone 3Gs from a crate someone dug out of a warehouse. Buyers can get an iPhone 4 or even an iPhone 4S and pay on a month-by-month basis.
Of course that rule about paying full price for the phone still applies, and since it's an iPhone, that price is rather huge. You'll be shelling out up to $650 to get one. But after that, your monthly bills will be a lot cheaper.
For instance, Virgin Mobile offers plans for as little as $30 per month for 300 minutes of talk time, unlimited texts and unlimited data. Well, the data gets throttled after you've used 2.5 GB in a month, but you won't see overage charges. Whether that represents savings will vary based on your personal use habits, but some customers could theoretically save a couple hundred bucks over the course of a few years by going prepaid.
Virgin's plans are more flexible, but its phones are also more expensive. Cricket Wireless will give you the same iPhone for less up front, but it only offers an unlimited-everything plan for $55 a month. Same throttling rule applies.
By striking deals with these small prepaid carriers, Apple could open up availability to a wider range of customers. The iPhone's through being exclusive and aloof; now it just wants customers, anyway, anyhow, any method of payment.
That may not make traditional post-paid carriers especially happy. AT&T's no longer putting as much marketing muscle behind the iPhone now that it's no longer an exclusive, for instance, and Sprint may currently be having doubts about having paid through the nose for iPhone rights last year.
Virgin Mobile USA happens to be a Sprint subsidiary, though, so at least Sprint's getting something out of the prepaid iPhone deal.