Horrendous LinkedIn Security Vulnerability

I’m back in the humid, smelly Northeast and I figured I’d flex the ol’ guest-blogging muscles before they dwindle into insignificance… anyway, I was at SES San Jose 2007 last week. I must have made friends out there, since I noticed a LinkedIn invite in my inbox the morning after the Google Dance (I drink a lot so my autopilot is somewhat developed by this point).

I rolled into the office this morning, and I noticed another LinkedIn invite in Thunderbird. I clicked through from the link in the email and this is what I saw:

Facts:

  • my name isn’t Jon,
  • I know for a fact that I’m a major LinkedIn n00blar, and
  • this account has like seven bazillion contacts associated with it

There’s no way this is my account. What’s more, the page clearly states: “you are not the intended recipient of this email”. It’s nice that they let me know, but why did I receive it in the first place? Beyond a doubt, I was logged into some guy’s LinkedIn account. I could have sent horse porn to all of his contacts (assuming I happened to have some lying around, which I didn’t, *ahem*). I could have ruined his life if I was so inclined. The implications are truly frightening. An entire network of professional contacts stood teetering, like a house of cards. Fortunately, I’m not that much of a douchebag, so I snapped a quick screenshot and closed Firefox.

So what happened? Discounting any server-side problems that might have caused this, maybe the URL I clicked was not a complete URL. Long URLs often get wrapped or truncated by email clients, so maybe whatever truncated version I clicked on ended up being a link to someone else’s account. If this is what happened, it is disturbing to contemplate. Someone smarter than me could play around with the URL parameters and probably gain access to all kinds of stuff in this fashion.

I’m likely to dismiss this as a possibility. LinkedIn probably obfuscates those URLs in some manner. I mean, everyone uses LinkedIn. They wouldn’t use it if it was fraught with security issues, right?
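Added illustration of the two designs the previous paragraphs contrast (not LinkedIn’s code; the key, invite ids and addresses are constructed): a bare sequential invite id fails open when a mail client chops the link, while an invite token bound to the recipient and signed with a server-side HMAC fails closed on any truncation, edit or expiry.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real service would load this from a secrets store (assumption).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # length of the SHA-256 HMAC tag appended to the payload

# Weak design: a bare, sequential invite id in the link. Ids are prefixes of each
# other, so a link chopped off by a mail client still resolves to *some* invite.
WEAK_INVITES = {"1234567": "jon@example.com", "123456": "someone-else@example.com"}

def weak_lookup(invite_id: str):
    """Resolve a bare invite id; a truncated id silently maps to a different person."""
    return WEAK_INVITES.get(invite_id)

def make_token(invite_id: str, invitee_email: str, issued_at: int) -> str:
    """Bind invite id, recipient and issue time together and sign the bundle."""
    payload = f"{invite_id}|{invitee_email}|{issued_at}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def verify_token(token: str, now: int, max_age: int = 7 * 86400):
    """Return (invite_id, invitee_email) for an intact, fresh token, else None.

    Any truncation, edit or forgery changes the bytes under the tag, so the
    link fails closed instead of landing on a neighbouring account."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        invite_id, email, issued = payload.decode().split("|")
        issued_at = int(issued)
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if issued_at > now or now - issued_at > max_age:
        return None
    return invite_id, email

def new_invite_id() -> str:
    """Opaque, unguessable id so neighbouring invites cannot be enumerated."""
    return secrets.token_urlsafe(16)
```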

Then again, when one applies that kind of logic to things like Microsoft-built operating systems, that whole argument disintegrates like diarrhea in a chemical toilet.

I don’t feel like it’s LinkedIn’s fault. Yeah, something went wrong, but it is the kind of thing that can happen to anyone. If anything is to blame it is the nature of the internet itself.

There is an inherent fault in the way people view web-based applications these days. Caught up in the exuberance of “Web 2.0”, people sometimes talk about moving “beyond the desktop”. As if someday everything that we do with computers will happen independently of our own client machines. All of our data will be stored remotely on servers, and catalogued according to various folksonomies.

This vision of the future fails to take into account the intrinsically vulnerable state of any node in the www. Any site can be hacked. It is largely a question of how much time and expertise is available to the hacker. Often those who assert the contrary, that a particular site is “hacker safe”, are somewhat disingenuous, to put it mildly.

Google would do well to consider the inherent vulnerability of all data on the Web, as several Google products, including Gmail, have been hacked in the past. When a web-based application is compromised, accountability becomes vague, especially in the case of Google, whose employees are divided into a number of teams which often don’t have sufficient clearance to pass information between one another. Sure, they might have a flawless internal process for dealing with this kind of thing, but to an outsider visiting the ‘Plex, Google’s methods can appear bureaucratic and protocol-heavy at best, obfuscatory at worst (on the positive side, they do make a terrific tofu scramble with extra green onion).

In general, any attempts to divorce a user experience from the concept of the “desktop” are misguided. If anything we should be fortifying, streamlining and improving the desktop environment. Thankfully, this is already happening (download Xubuntu 7.04 for a scintillating example).

I don’t mean to propose we all become e-hermits either. I still plan on using LinkedIn, and I would recommend it to other people too. Simply put: don’t believe the hype, and don’t put sensitive information somewhere where you cannot personally oversee its physical security.

Play safe, kids.

3 Comments »

  1. qwak said,

    August 28, 2007 @ 5:37 pm

    Is it possible that Jon was using LinkedIn on that computer before you and forgot to log out?

  2. the_strza said,

    August 28, 2007 @ 5:56 pm

    Hmmm, didn’t think of that one, but it’s not possible. My work computer is only used by me. It’s locked down pretty tight: our sysadmin doesn’t even know the p/w. If someone rooted this box they probably wouldn’t hang around to check their LinkedIn though… unless I was hacked by Robert Scoble, but I guess he’s got bigger fish to fry.

    The best way to hack my work computer would probably be to use a Linux live cd, because I was too lazy to change the boot order back to boot from the hard drive. Actually I better fix that right now…

  3. the_strza said,

    August 28, 2007 @ 6:17 pm

    Um… to clarify: when I say “not possible” I really mean “seems sort of unlikely” with the implicit disclaimer that I don’t know anything about security specifically or the internet in general. :D
