I've been on the fence about it for a year now. I get more recruiter spam than value.
I'm also a bit too old for the schadenfreude that accompanies news of my overpaid friends getting canned. I'm running my own race these days and I've never been happier since I stopped comparing my lot in life to the few lucky SOBs I know that survived the cull of sub-prime.
I think a better strategy is (1) your own domain and/or (2) a site on github with actual code to validate* your talents.
*I hate those "Joe Schmo supported your skill in [insert banal technical skill here]" messages. I once put down C++ because I had been working with it for a couple years. Then, I thought better (I would not take a C++ programming job. Period. Hate that language.) and took it off. Next thing I know, I've got coworkers supporting my C++ acumen and LinkedIn trying to push it back on my profile. Ugh. I call that invasive feature creep.
On top of that, they seem to leave the backdoor open a bit too much for a company with $20b market cap.
LinkedIn's value is not centered around your personal profile - it's about the other people that are linked to you and will always have an up-to-date CV/contact details for you.
It is a self-updating rolodex, Outlook Contacts list, phone book, whateveryouwanttocallit.
I really don't want to bookmark 300+ individual pages that all have different creative layouts, get moved, etc. My LinkedIn profile stays up-to-date, you update yours, that's the implicit deal. And we all profit from it. "All" being defined as a western work-related group, English spoken. This is not Facebook. Link your github repo from there, absolutely, good idea, but having LinkedIn as your standardized contact info is very valuable.
Is LinkedIn managed in a bad way? Sure. But for some reason the modern business world has chosen to focus on it. Xing and other local players never grew enough; the benefits of starting out in the US. All the surrounding crap they're building is fluff; their core feature is being a global rolodex. Would love to slap sense into their product management team.
I don't even have that; just my name and the other required stuff. I still accept connections in the hope that I will join one day, but that seems more and more unlikely.
This feature was interesting, but on the other hand it affected my own ability to look at other people's profiles - because, no, I don't want people to know that I looked at their profile.
Which is why I completely disabled it. Having the ability to see who viewed your profile seemed cool at first, but then again, it's useless and the downsides are great.
>I think a better strategy is (1) your own domain and/or (2) a site on github with actual code to validate* your talents.
That's because their target audience is not restricted to the tech savvy. Not everyone knows how to host and maintain their own domain. Not everyone uses github or knows what git is.
This was basically why LinkedIn came to fruition in the first place.
> I think a better strategy is (1) your own domain and/or (2) a site on github with actual code to validate* your talents.
Possibly, but that's for programmers. There are more professions out there.
I just closed my account too. The help page said that my account would no longer be visible on LinkedIn, but after closing and logging out, I still get the "sign up to see the full profile" bait on visiting my old URL (search result from Google).
I feel a little unloved because recruiters almost never contact me on LinkedIn. I guess my skills aren't cool enough, or else it's because I do more hiring than job seeking..?
I would have thought with Java, C#, objective C, php, node, etc that I'd be a good catch but apparently not!
The DNS was not exactly hijacked; there were issues inside LinkedIn's top-level DNS provider, who were delegating www.linkedin.com authorization to unauthorized nameservers, namely NS[SOMETHING].ztomy.com. The ztomy DNS replaces its delegated domains to point to a domain parking page if there is no record existing. These changes were then propagated to other nameservers and thus to the end user. End result: DNS doesn't point where you think it does.
Au contraire; having the delegation going somewhere unwanted is practically the definition of a DNS hijack. The question is - how did that happen? A malicious third party? a blundering sysadmin? or a bug in some provisioning code?
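Whichever word you prefer for it, the condition both comments describe is checkable: the NS names the parent zone hands out for your domain are not yours, and the addresses your hostnames resolve to are not in netblocks you hold. Below is an added example, not anything from LinkedIn or from the thread, of the two checks a monitoring job would run against a snapshot of those records. The snapshot data is constructed: the linkedin.com nameserver names and the 203.0.113.214 address are placeholders, the ztomy.com names are the ones mentioned above, and 216.52.242.0/24 is the LinkedIn netblock that appears in the ARIN whois output further down this thread. In practice the `ns` list comes from querying the parent zone's authoritative servers (e.g. `dig +norecurse @<parent-ns> linkedin.com NS`), not your own recursive resolver, because the delegation is exactly what the recursive resolver would have been lied to about.

```python
import ipaddress

# Constructed sample data, not captured dig/whois output.  The linkedin.com
# nameserver names and the 203.0.113.214 address are placeholders (TEST-NET-3);
# 216.52.242.0/24 is the LinkedIn netblock shown in the ARIN whois output in
# this thread, and the ztomy.com servers are the ones the thread names.
EXPECTED_NS_SUFFIXES = ("linkedin.com.",)
EXPECTED_NETBLOCKS = [ipaddress.ip_network("216.52.242.0/24")]


def _fqdn(name):
    """Normalise a nameserver name: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def rogue_nameservers(observed_ns, expected_suffixes=EXPECTED_NS_SUFFIXES):
    """NS names from the parent zone's delegation that are not under an
    expected suffix.  This is the check that would have flagged the ztomy.com
    delegation: the hostnames handed out by the parent simply were not ours."""
    suffixes = tuple(_fqdn(s) for s in expected_suffixes)
    return [ns for ns in map(_fqdn, observed_ns)
            if not any(ns == s or ns.endswith("." + s) for s in suffixes)]


def foreign_addresses(observed_a, netblocks=EXPECTED_NETBLOCKS):
    """A records that fall outside the netblocks the operator actually holds."""
    return [a for a in observed_a
            if not any(ipaddress.ip_address(a) in net for net in netblocks)]


def audit(snapshot):
    """snapshot = {"ns": [delegation NS names], "a": {host: [addresses]}}.
    Returns a list of human-readable findings; empty means nothing looked wrong."""
    findings = []
    bad_ns = rogue_nameservers(snapshot["ns"])
    if bad_ns:
        findings.append("delegation points at unexpected nameservers: " + ", ".join(bad_ns))
    for host, addrs in sorted(snapshot["a"].items()):
        bad = foreign_addresses(addrs)
        if bad:
            findings.append(f"{host} resolves outside expected netblocks: " + ", ".join(bad))
    return findings


HEALTHY = {
    "ns": ["ns1.linkedin.com.", "ns2.linkedin.com."],
    "a": {"www.linkedin.com.": ["216.52.242.80"]},
}

HIJACKED = {
    "ns": ["ns1.ztomy.com.", "ns2.ztomy.com."],
    "a": {"www.linkedin.com.": ["203.0.113.214"],
          "api.linkedin.com.": ["203.0.113.214"]},
}

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(label, audit(snap) or ["ok"])
```

The suffix check is deliberately strict about the dot boundary, so a delegation to something like `linkedin.com.evil.example.` is reported rather than silently accepted as "under linkedin.com".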
It does sound like LinkedIn's NOC are playing the blame game already. Well, I guess they've gotta get all those spamming recruiters & sales reps back online.
ahaha, the job posting is a good find. We'll know if you are right if tomorrow a different ad is asking for "Total badass, Expert guru knowledge of Bind 9".
That makes sense since we just saw the same problem with USPS realtime shipping rates via production.shippingapis.com, which seems like an odd attack target.
edit: and I mean the exact same issue, it was resolving to a confluence owned IP that was serving a squatter page for the domain.
Because they allow HTTP, which for any sensitive site is a very bad idea. Their setup enables MITM attacks even against users that are careful to always use HTTPS for visiting LinkedIn.
I was an engineering intern there for a summer. The interviews were as difficult as any other tech company in the valley, as was the workload. It is most certainly a tech company.
dsl, no offense, but you seem to have a problem with any company that doesn't hire/provide employment to your average local community college CS grad and instead hires globally based purely on merit.
Linkedin interviews are on par with facebook/google et al.
I don't know anything about dsl's commenting history, but this comment sounds elitist. Not sure if you meant it that way, but your point would have been made without the implication that top schools are a requirement to be globally meritorious.
I hire people purely on technical merit, I don't even bother reviewing educational credentials. I am opposed to abusing the H1-B system rather than opening offices overseas to bring in skilled labor and raise local standards of living.
Opening new offices overseas is obviously not feasible in all cases and scalable.
And I don't think companies like Linkedin, Facebook, Google etc abuse the H1-B system. People there are genuinely smart.
However, there are certain consulting companies like Accenture, Infosys, TCS, Cognizant, various body shops etc that abuse the shit out of it. The govt. should definitely be more proactive in banning these companies and not play to the likes of NASSCOM. In fact, I'd argue that the govt. should come up with a whitelist of companies to grant H1-Bs to.
One of the DNS issues I tried to fix with NIS+ was the 'maintaining a list of trusted servers' problem by distributing the management of the authoritative servers. Trust was built bottom up, and authority came top down.
The way it worked was that clients used a 'coldstart' file which was the (small number) of servers you trusted to provide your namespace lookups. You got their public key and you put it into your coldstart file. Similarly, a server put the key(s) of the servers it trusted above it in the name space in its coldstart file. And at company 'root' level was a set of servers run by a trusted authority.
Locating the authoritative name server for x.y.z from p.q.z (same as DNS, root is rightmost): a client in x.y.z asks its server for a trusted y.z server, gets it, and asks that server for a trusted z. server, then asks that server for a q.z. server and finally for a p.q.z. server. Once this has happened once, you know trusted servers and can jump to the nearest one to start resolving a new path in the namespace.
It was slower on initial lookup and then just as fast as DNS on later ones.
It had the downside that compromised (or borked) high level servers could send you on a different path to different root if the server above them was incorrect.
It is one of the more fun problems in the whole name/directory service space.
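As an added toy model of the scheme sketched in the comment above (this is not NIS+ code, and the keys are random tokens standing in for real public keys), the resolver below pins each ancestor's key in a per-server coldstart table, walks up from the client's server until it reaches a suffix of the target, and then walks down by following each server's directory. The two scenario functions at the end make the asymmetry concrete: a substituted server on the way up is caught by the coldstart key check, while a compromised high-level server handing out a rogue child on the way down is accepted without complaint, which is the downside the comment describes. Domain names x.y.z, p.q.z and z are taken from the comment; everything else is assumed.

```python
import secrets


def parent(domain):
    """'x.y.z' -> 'y.z'; 'z' -> None.  The root is the rightmost label, as in DNS."""
    return domain.split(".", 1)[1] if "." in domain else None


def is_suffix(domain, target):
    return target == domain or target.endswith("." + domain)


class Server:
    def __init__(self, domain):
        self.domain = domain
        self.key = secrets.token_hex(8)  # stands in for the server's public key
        self.coldstart = {}              # domain -> key of the servers trusted above us
        self.directory = {}              # child domain -> Server we delegate to


class Namespace:
    """Toy model: trust is pinned bottom-up in coldstart files, authority flows
    top-down through each server's directory.  Not an implementation of NIS+."""

    def __init__(self, root):
        self.servers = {root: Server(root)}

    def add(self, domain):
        srv = Server(domain)
        self.servers[domain] = srv
        self.servers[parent(domain)].directory[domain] = srv
        up = parent(domain)
        while up is not None:            # pin every ancestor's key at install time
            srv.coldstart[up] = self.servers[up].key
            up = parent(up)
        return srv

    def referral_up(self, frm, domain):
        """`frm` asks for a trusted server for `domain` above it.  The answer is
        accepted only if the server's key matches the one pinned in frm's coldstart."""
        candidate = self.servers[domain]
        if candidate.key != frm.coldstart.get(domain):
            raise ValueError(f"untrusted server offered for {domain}")
        return candidate

    def locate(self, client_domain, target):
        """Find the authoritative server for `target` from the client's own server:
        walk up to the nearest common ancestor, then down.  Returns (server, path)."""
        cur = self.servers[client_domain]
        path = [cur.domain]
        while not is_suffix(cur.domain, target):                 # walk up, key-checked
            cur = self.referral_up(cur, parent(cur.domain))
            path.append(cur.domain)
        while cur.domain != target:                              # walk down, on authority alone
            below = target[: -len(cur.domain) - 1].split(".")
            cur = cur.directory[below[-1] + "." + cur.domain]
            path.append(cur.domain)
        return cur, path


def build_example():
    """The namespace from the comment: x.y.z and p.q.z under a common root z."""
    ns = Namespace("z")
    for d in ("y.z", "x.y.z", "q.z", "p.q.z"):
        ns.add(d)
    return ns


def impostor_rejected():
    """Swap in a y.z server whose key is not the pinned one: the walk up fails."""
    ns = build_example()
    ns.servers["y.z"].key = "impostor"
    try:
        ns.locate("x.y.z", "p.q.z")
    except ValueError:
        return True
    return False


def rogue_delegation_undetected():
    """A compromised z server hands out a rogue q.z; the walk down accepts it."""
    ns = build_example()
    rogue = Server("q.z")
    rogue.directory["p.q.z"] = Server("p.q.z")
    ns.servers["z"].directory["q.z"] = rogue
    found, _ = ns.locate("x.y.z", "p.q.z")
    return found is not ns.servers["p.q.z"]
```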
DNSSEC doesn't seem any closer to solving this problem, unfortunately.
Do you know of any designs that require a quorum at each level prior to trust? BitCoin seems to be having success with this model, but I'm wondering if anyone's built something like that with the primary intent of creating a directory service.
I don't think they have; much of the work on directory services died when people gave up. DNS was "too hard" to change and Microsoft wasn't going to let anything make it into a standard that killed off the need for Active Directory. The LDAP guys, being formerly X.500 guys, went off solving a different problem and ended up somewhat stuck between AD and DNS. Sad really.
That said, your idea about poaching the Bitcoin quorum ideas is a good one. Essentially a data structure, equivalent to the block chain, where it only gets authenticated if enough people ack that it's the most valid version of reality. Probably a publishable paper in exploring that question.
I love the fact that AD, and this newer posixy clone FreeIPA essentially operate as independent but interdependent directory services: LDAP, Kerberos, and DNS, and they still need X.500 in the form of SSL CA trusts to finish gluing it all together.
You may see an email from me in the next few weeks asking for feedback on such a paper.
Looks like app.net isn't perfect either. Their HSTS isn't implemented correctly. Only 'alpha.app.net' and 'join.app.net' are protected while 'app.net' is not. They fell into one of the common pitfalls with their http->https redirects: http://coderrr.wordpress.com/2010/12/27/canonical-redirect-p...
You can verify this at: chrome://net-internals/#hsts
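The redirect pitfall above, and the earlier complaint that merely allowing HTTP exposes even careful HTTPS-only users, come down to one question: does the first hop for each hostname ever answer over HTTPS, so that the browser gets to see and honour a Strict-Transport-Security header for that host? Below is an added example, not app.net's configuration or code, that walks a constructed redirect chain the way a browser would (HSTS headers are only honoured over HTTPS per RFC 6797, and a host with a policy is upgraded before the request leaves) and reports which hosts end up protected and which URLs are still fetched in the clear on a second visit. The two response tables are constructed models of the pitfall and of the fix; `includeSubDomains` and `max-age` expiry are not modelled.

```python
from urllib.parse import urlsplit, urlunsplit

HSTS = "Strict-Transport-Security"
REDIRECTS = (301, 302, 303, 307, 308)


def hsts_coverage(start, responses, protected=None, max_hops=10):
    """Walk a redirect chain like a browser and report HSTS coverage.

    `responses` maps a URL to (status, headers).  Returns
    (final_url, protected_hosts, plaintext_urls): hosts that ended up with an
    HSTS policy, and URLs that were actually fetched over plain HTTP.  A policy
    is recorded only when the header arrives over HTTPS (RFC 6797 s8.1); a host
    that already has one is upgraded before the request leaves.  includeSubDomains
    and max-age expiry are deliberately not modelled."""
    protected = set(protected or ())
    plaintext = []
    url = start
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in protected:
            url = urlunsplit(("https",) + tuple(parts[1:]))
            parts = urlsplit(url)
        if parts.scheme == "http":
            plaintext.append(url)
        status, headers = responses[url]
        if parts.scheme == "https" and HSTS in headers:
            protected.add(parts.hostname)
        if status in REDIRECTS:
            url = headers["Location"]
            continue
        return url, protected, plaintext
    raise RuntimeError("too many redirects from " + start)


# Constructed models of two sites; neither is captured app.net traffic.
# Pitfall: the apex bounces straight to https on *another* host, so app.net
# itself never answers over https and its policy is never set.
PITFALL = {
    "http://app.net/":        (301, {"Location": "https://alpha.app.net/"}),
    "https://alpha.app.net/": (200, {HSTS: "max-age=31536000"}),
}

# Fix: first hop to https on the *same* host (where the HSTS header is honoured),
# then canonicalise to the final hostname.
FIXED = {
    "http://app.net/":        (301, {"Location": "https://app.net/"}),
    "https://app.net/":       (301, {HSTS: "max-age=31536000",
                                     "Location": "https://alpha.app.net/"}),
    "https://alpha.app.net/": (200, {HSTS: "max-age=31536000"}),
}


def second_visit_plaintext(responses, start="http://app.net/"):
    """URLs still fetched over plain HTTP on a *second* visit, after the first
    visit has had every chance to install HSTS policies."""
    _, protected, _ = hsts_coverage(start, responses)
    _, _, plaintext = hsts_coverage(start, responses, protected=protected)
    return plaintext
```

With the pitfall table, every visit that starts from a typed `app.net` still makes one plaintext request, which is the window a DNS hijack or on-path attacker needs; with the fixed table the second visit never leaves the browser over HTTP.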
My understanding is app.net is trying to be a paid version of twitter. There was/is much debate whether it could ever take off. This is the first time I've ever seen someone link to it. Although now I realize that the link is to the app.net cofounder so that doesn't really say much.
Confluence Networks is a Colocation & Network service provider having tie-ups with data centers across various geographical regions. We don't host any services ourselves. Starting a few hours ago, we received reports about some sites (including linkedin.com) pointing to IPs allotted to our ranges. We are in touch with the affected parties & our customer to identify the root cause of this event.
Note that it has already been verified that this issue was caused due to a human error and there was NO security related issue caused by the same. More details will be provided shortly.
I just ran it again, this time using Google name servers, and still a lot of subdomains are pointing to the 214 server. Confirmed it running against their NS, which means it hasn't been changed yet.
[prhodes@captainchaos ~]$ whois 216.52.242.80@whois.arin.net
[Querying whois.arin.net]
[whois.arin.net]
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 216.52.242.80"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=216.52.242.80?showDetails=true&showARIN=false&ext=netref2
#
LinkedIn Corporation INAP-LAX-LINKEDIN-38682 (NET-216-52-242-0-1) 216.52.242.0 - 216.52.242.255
Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1) 216.52.0.0 - 216.52.255.255
Was api.linkedin.com compromised/hijacked? If so, that means they'll need to reset a lot of OAuth token/secrets which will be very painful indeed (worse than just a site-wide session reset).
Isn't that the point of OAuth? (versus HTTP basic auth)
Your secret key shouldn't be compromised, because you're supposed to keep that secret. Also if you use HTTPS for requests you'd still get a cert error even if DNS was routing incorrectly. You're probably fine.
Indeed, I misspoke and meant to say tokens/refresh tokens. A similar thing happened for Evernote a while back and knocked down all tokens and required re-authentication across the board.
I think confluence-networks.com may be a part of Network Solutions (which is who LinkedIn is registered with).
I had a domain (nitren.com) that I let expire after 3 years, and confluence-networks.com backordered it. I remember looking it up a while back, but if I remember right, all the IPs and domains were registered or associated with netsol.
I'm going to blatantly advertise my own project "RubyDNS" - it can be a lot of fun, and it is especially relevant because it allows you to perform these kinds of attacks in a controlled environment. http://www.codeotaku.com/projects/rubydns/index.en
My traceroute is going thru prolexic.com so there might be something else at play here. "Prolexic is the world’s largest and most trusted distributed denial of service (DDoS) mitigation service provider"
While I love your HTTPS Everywhere extension and thought (cough) I had it installed, I was dismayed that I was allowed to connect to http://www.linkedin.com/.
Then I found out it wasn't synched over last time I changed laptops.
HTTPS everywhere; that's all I have to say. Something like this is very malicious and very hard to detect -- unless you ALWAYS use SSL. I noticed right away that the DNS was incorrect.
I just realised: if you opened a website with a LinkedIn share button, your cookie might be compromised as well; you didn't even have to go to the site while under the DNS hijack...
Can someone examine the cookies that they set and tell if there is any sensitive information (passwords?) that are hashed in there? Should we consider this a password breach?
No. Cookies only get sent to the originating domain. What happened here is *.linkedin.com points to the rogue server so your cookies get passed to them instead of the real Linkedin.
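The two comments above (the share-button concern and the "cookies only go to the originating domain" reply) are both right, and the cookie rules decide exactly what a rogue server receives when every name under linkedin.com resolves to it. Below is an added example, not LinkedIn's code and not its real cookies, that applies the RFC 6265 domain-match and Secure rules to a constructed cookie jar. Over HTTPS the rogue host cannot present a valid certificate for the name, so the browser aborts before sending anything; the leak is the plain-HTTP path, which is why the one constructed cookie carrying `Secure` is the only one that stays home. The hostname `share.linkedin.com` is a stand-in for whatever subdomain a share button loads from.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str              # "linkedin.com" for a Domain= cookie, or the exact host
    secure: bool = False     # Secure attribute: only ever sent over https
    host_only: bool = False  # no Domain attribute: sent to that one host only


def domain_matches(cookie, host):
    """RFC 6265 s5.1.3: a host-only cookie needs the exact host; a domain cookie
    matches the domain itself and every subdomain beneath it."""
    host = host.lower()
    d = cookie.domain.lower().lstrip(".")
    if cookie.host_only:
        return host == d
    return host == d or host.endswith("." + d)


def cookies_sent(jar, scheme, host):
    """Names of the cookies a browser would attach to a request for scheme://host/."""
    return sorted(c.name for c in jar
                  if domain_matches(c, host) and (scheme == "https" or not c.secure))


def leaked_by_hijack(jar, hijacked_hosts):
    """Given hostnames that now resolve to a rogue server, what it receives.
    Over https the rogue server has no valid certificate for the name, so the
    handshake fails before any cookie is sent; the plain-http path is the leak,
    and Secure is the attribute that keeps a cookie off it."""
    return {host: cookies_sent(jar, "http", host) for host in hijacked_hosts}


# Constructed jar; names and hosts are illustrative, not LinkedIn's real cookies.
JAR = [
    Cookie("session", "linkedin.com"),                      # domain cookie, no Secure
    Cookie("csrf", "linkedin.com"),
    Cookie("session_secure", "linkedin.com", secure=True),  # what a session cookie should look like
    Cookie("pref", "www.linkedin.com", host_only=True),
]

# "share.linkedin.com" stands in for whatever subdomain a share button loads from.
HIJACKED = ["www.linkedin.com", "share.linkedin.com"]

if __name__ == "__main__":
    for host, names in leaked_by_hijack(JAR, HIJACKED).items():
        print(host, "receives:", names)
```

Note that the share-button case needs no visit to linkedin.com at all: a third-party page that embeds a plain-HTTP resource from any hijacked subdomain triggers a request carrying every non-Secure domain cookie.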
When did they ever leak plaintext passwords before? If you're referring to the event a year ago, that was unsalted MD5 hashes (obviously not great, but let's not hyperbolize.)