CyberDust | Mark Cuban's Privacy Keystroke Of Genius

The tension between technology and privacy is not new.  Imagine the excitement of the first man to hold a pair of binoculars, before the world knew that such a thing could even exist.  He could see what others thought was safely hidden.  (Boobs, one only assumes.)  Granted, the power to invade privacy with complete freedom can have its downside; just ask Gollum.

Before binoculars, a person had the right to believe that, if there was nobody visible outside her window, her privacy was secure.  After binoculars….if you didn’t close your blinds, you were looking to put on a show.

This basic human truth has evolved into a concept of law called “the reasonable expectation of privacy”.  It was birthed by our Supreme Court in Katz v. United States, where the Court decided that a person had the right to believe that his conversation in a phone booth would be private; even though he was in public.  That was a bad day for cops who wanted the only pair of binoculars in town.  Technology made an advance (the wiretap), and then privacy reclaimed some of that ground.  The system maintained some level of balance.

But in the nearly 50 years since Katz, privacy has been on a nasty losing streak.  Technology has done a progressively better job of capturing moments that had previously been private.  And now, with cameras and smart phones everywhere, the zone where you have a right to a “reasonable expectation of privacy” has narrowed to basically your bathroom with the lights off.  Most of the general public is not even sure what their privacy rights are, let alone what to demand as a fundamental privacy right.  As we are all conditioned to expect less and less privacy, expressions like “Don’t write anything in an email you wouldn’t want to see on the front page of the New York Times” start finding their way into our day to day life.

We are so used to the notion that everything we write and say is immune to privacy that it would serve us well to take a deep breath and realize just how f-ed up and out of proportion our world has become.  Really?  Just because you text “meet me at the restaurant” instead of saying it into someone’s ear, it HAS to exist for all time?  And if you’re meeting someone at the restaurant to pick up a dime bag of weed (in 48 states, at least), a cop can read the text and throw you in jail?  There has always been a tension between technology and privacy…but lately, technology has been the inmate with all the muscles and tattoos, and privacy has been the accountant convicted of tax evasion.

 

Well, good news for privacy fans:  Mark Cuban had a keystroke of genius (his record of success is far too long for it to be luck) with his new app called CyberDust. Cyberdust is the future of text messaging and replaces most email communications as well. Mark has publicly demonstrated that by conducting business via the cutting edge mobile app.  Earlier this year, BusinessInsider.com reported that after Mark Cuban’s email correspondence was leaked as a result of the Sony hack, he negotiated a new contract exclusively over Cyber Dust.  When the most demanding shark in the entire tank uses Cyber Dust every day, you can be sure the bugs have been worked out.

The concept is simple. Cyber Dust messages disappear 24 seconds after you open them. They do not get stored, saved, cataloged or archived. Once the message disappears, that’s it. At first it seems like a dream and a nightmare rolled into one.  What if you forget what you just read 30 seconds ago?  Our modern age has conditioned us NOT to remember things, because we know that information typically lasts forever.  But on the plus side….this does mean that you at least have a fighting chance of keeping your private conversations exactly what you indended them to be. Private.

Obviously, just because the technology exists doesn’t mean that it’s for everyone.  Some people like the transparency and permanence of the current state of technology.  Some think it’s an Orwellian nightmare from which we’ve been waiting for decades to emerge.  Reasonable minds can disagree.  I am sure that if you are in the “If you are doing nothing wrong, then you have nothing to hide” camp then you wouldn’t mind the government putting audio and video surveillance inside your home or asking you questions about your emails. You go ahead and volunteer and tell the rest of us how things are going.

The implications of Cyber Dust are more profound than the mere fact that some people will use it.  Its very existence opens the door to the fact that Americans could once again have a reasonable expectation of privacy in what happens on their phones.  Perhaps, just like in Katz, our Supreme Court could strike a blow against the kids (the cops) living the good life in the candy store (nearly ubiquitous access to our everyday lives).  Sure, a ruling like that would require not just the right facts, but for 2-3 conservative justices to die before President Obama leaves office; preferably at an “Eyes Wide Shut” type orgy gone horribly right; I mean, wrong.  (Hey, a libertarian can dream.)

From a privacy and security perspective, this app sets a new standard that many developers will find hard to live up to. It has a lot of the novelty that silicon valley craves, as well as keeping  end users protected, and even cultivating an environment where people on Hollywood’s A-List can feel safe & free to talk without having to worry about their unfiltered remarks ending up on the front page of TMZ.

You might not be shocked to learn that Mark uses the app he owns. Would you be surprised to learn that you can download the app  (available on Android & Apple Store)  and send Mark  a message that he will reply to?  His Cyber Dust ID is blogmaverick in case you wanted to give it a shot.  The other sharks from Shark Tank are on Cyber Dust, as well as numerous Mavericks players, celebrities and technology icons. Cyber Dust has a “popular” list of users here.

If you have any computer or cyber security questions, feel free to message me on CyberDust, my ID is +bryanthemapsguy.

About The Author
Bryan Seely is a former US Marine, ethical hacker, author and cyber security consultant.
Watch Bryan in his recent TEDx talk “Wiretapping The Secret Service Can Be Easy & Fun!” Link
Add Bryan on Linkedin.com 

 

 

Hacking LinkedIn and my surprising discovery

Hacking LinkedIn and my surprising discovery

I really need to find a better hobby. Apparently, normal people don’t think about website behaviors nor do they try to exploit them like some damn child prodigy looking at a crypto puzzle in a Bruce Willis Movie (Mercury Rising). I’m not saying I am a child prodigy by any means. I am 31.

This story starts on a sunny day in Seattle, and yes, we have plenty of those days here. 5 to be exact. The rest of the year is terrible so don’t move here, its awful, and you won’t like it. The traffic problem is bad enough as it is. So stay in Arizona, California, or whatever state you are still in because the grass is not greener here.

There I was at work, minding my own business and kicking ass as usual when I started to get the pangs of longing for engaging, collaboration and connecting that only LinkedIn could provide. LinkedIn has officially become more important to me than Facebook. I take my career very seriously as anyone can see from my LinkedIn profile.

Something had been bugging me though. It had to do with the way LinkedIn structured their website security / permissions around invitations and profile views. This persistent nagging turned into fierce annoyance after thinking about it for too long and finally I had enough. It was time to solve this mystery once and for all.

Here is what I was able to discover
Let’s say that you have a basic membership. There are a variety of restrictions in place that prevent you from being able to network with people outside of your work / social circles. Say you were to invite someone you don’t know. Either you will be asked to provide the users email address, or click a radio button to tell the person how you know them. This could be a colleague, friend, former co-worker or just some random girl you happen to be stalking because she is cute and you want to help her “develop her resume”.

Now I noticed that when users viewed my profile, there was a button to invite them at the bottom of their picture. Example below.

To the left you notice that this person viewed your profile while conducting his search for “henchmen.” He views your profile, but that’s it. Perhaps you are you not evil enough to his requirements, or maybe he is just too busy to send an invite.

If you click on the button to add him, it would send him an invitation. However, if you went to his profile first, and clicked connect, it would ask you to “clarify” your relationship with this person like a 14 year old clingy teenager passing notes in 3rd period. Some users don’t appreciate unsolicited invitations so theyrequire that someone knows their email address to be able to send an invitation. This security requirement was “waived” if they had viewed your profile. This was fine and dandy until I figured out that I could trick LinkedIn into thinking that anyone I wanted had viewed my profile.

Bring on the Geek Speak
This is where things get a little bit geeky. The URL that the above button linked to vs the regular connect button was different. The button’s behavior was centered around the fact that the user had viewed you and therefore knew of your existence. So if you could get someone to view your profile who had their security setting enabled to require an email address, it would make no difference in the world. Here is half of that URL string:

The part following “ed=” is some sort of variable that the link would populate to identify the individual user. This “token” was an identifier of the person that had viewed you, and the URL was the fast track to inviting them. I should note that this token is about 24 characters long and is NOT available on the users profile page. So how do you get that token? You have to look on other users pages for it. Here is how that was accomplished.

Search for Bryan Seely on LinkedIn you will find this little section to the right. There are 10 users. Now right click on the page and click “view page source”. CTRL-F to find a specific word, and look for “ed=” without quotes. Go to the bottom of the search results and you are going to find 10 results that all have this 24 character string after the ed=. Those tokens will be for the 10 people to the right in the “People Also Viewed” section.

Now if you haven’t put it together yet, don’t feel bad. Those strings can be inserted in place of the security token of the person who had previously viewed your profile.
Paste the original link from the Dr. Evil add button into notepad and then replace his token with one that you grabbed from my buddy Zuckerberg (although I have a feeling he might not return my calls due to my previous mention of Facebook not being as important anymore.)

Paste that link into a new tab, and an oddly shaped invitation page would come up with the person’s name, and the custom field to send them a message of your choosing. Click the send button and off it went.

So I now had the ability to invite whomever I wanted, but I hadn’t confirmed that the invitation was actually going to be sent out. So I proceeded to gather as many security tokens as I possibly could. As you might have guessed, I sent invitations to Bill Gates, Mark Zuckerberg, Michael Dell, Mark Cuban and even the CEO of LinkedIn. Whoops?

I am Bryan’s Complete Lack of Surprise
I was not surprised when none of them accepted my invitation to connect, until Steve Wozniak did. Then Daymond John the CEO of FUBU accepted too. The invitations were showing up in my sent items and famous people were either ignoring me or they will get to adding me when they are back from Africa fighting malaria / tuberculosis or whatever other selfish pursuits they are throwing tens of Billions of dollars at. I feel good giving $100 to charity, imagine how good you would feel giving $50 Billion, see? Selfish.

I must clarify that some of the users that I sent invitations to did not have email address validation requirements. But some of them did. This URL trick didn’t seem to care about that at all. This was a definite problem. Not only did it allow me to send invitations to anyone, it also allowed me to send messages to whomever I wanted, without having to pay for Inmail or any upgrade to my account.

After sufficient testing and the creation of a dummy account to test the receipt of the invitations, I sent an email to security@linkedin.com. Now my relationship with large website security teams thus-far has not been ideal. I spent months telling Google of a huge problem, and had to record conversations to the Secret Service and FBI to get them to do anything about it. They refused help, they refused advice, and refused to fix the problem. They shared nothing, admitted no problems, and essentially denied that the problem even existed. They shut off new business registrations for over a month, and didn’t fix a thing. It’s actually worse now than it was when I reported it. I could easily do it all over again and Google won’t stop it.

Color Me Impressed
Within a few hours of sending LinkedIn an email, an actual human responded. I was going to call the person Steven Tyler (because he is a frickin rock-star) but that is not giving proper credit where it is due. David Cintz is a Technical Program Manager with LinkedIn Security. He isn’t a low level Tier 1 analyst, or a customer service rep. This is a guy who can actually fix the problem. I don’t know what the internal escalation steps are, but LinkedIn treats problems seriously and doesn’t waste time having someone unqualified pull up an email and then try to figure out if it is serious or not. David Cintz handled everything perfectly, from start to finish. He responded to every email, with either acknowledgement or thanks, promptly, and I was treated with respect. This is the way to handle this. David and his team set the bar for what my expectations are for every company that I will ever deal with in the future.

Now keep in mind that this was Thursday and he replied numerous times on Friday, Saturday and Sunday. This guy isn’t some shift worker that works odd days of the week. This is a technical program manager in the security department who is responding in the evenings and over the weekend to make sure that they are able to solve this problem to protect their members.

#notsorry
Forgetting for a moment that by discovering this exploit, I probably screwed up a few people’s weekend plans, the LinkedIn Security Team had the problem entirely fixed well before start of business on Monday. They even politely asked me not to release the exploit details until they had a fix in place. I am certain that other companies would lawyer up, make threats or otherwise escalate the situation. LinkedIn handled the entire situation with grace, tact, and professionalism. They recognized that I was not the enemy and didn’t waste a single second to protect their members, and in doing so, they were able to engage and communicate with me to fix the issue much faster than if they had ignored or otherwise mishandled the situation.

The Merch of Silicon Valley
After it was all said and done, the problem was fixed quickly. I politely asked for a potential reward to include but not limited to: T-shirt or polo shirts, stickers, a LinkedIn branded Ferrari, cute female interns, or perhaps a water bottle or pen. They sent me a majority of the things on my list as a thank you. The Barbie doll riding a Hot-Wheels car inside of the water bottle was a nice touch.

Kissing A** and Dropping Names
I am a huge fan of LinkedIn. It has allowed me to now network with several heroes of mine, Kevin Mitnick and Steve Wozniak being two of the biggest. I met people who then got me the job that I have now. I was connected to a charity which allowed me to mentor young Marines and other veterans coming back to the civilian world. I have made friends, colleagues, and been able to engage others to form relationships that are transforming my life daily. After this extremely positive interaction with LinkedIn Security and seeing how well lead and managed they are at every step of the way, I can safely say that I am in good hands with AllState LinkedIn.com.

Bold Type and Bold Claims
Hell, the CEO might love LinkedIn, but I wager to say I love it more. On a percentage basis, it has changed my life far more than I ever thought possible and LinkedIn has gained an evangelist for life.

What’s next for me? I wish I knew. Stay tuned though, I am just getting warmed up. Now I really have to go prep for Miss America 2015, as hacking is not an easy thing to showcase during the talent portion. I have to do well on the talent portion as the swimsuit portion seems to give me problems.

Your friendly neighborhood ethical hacker, US Marine and comedian,
Bryan Seely
Twitter: @bryanthemapsguy
Email: bmseely@gmail.com

If you like this, please share, like or feel free to just send me large suitcases full of money.

For spelling or grammar complaints: 1-800-THIS-IS-TOO-MANY-NUMBERS
or
email: m_as_in_mancy@aaaaa_thats6as.com

Also, for those people who want to say this is not technically hacking, you are correct. If you can think of a verb that better describes what this was in 2 syllables or less, please feel free to let me know. Otherwise write your complaint out, and then go search Google for your purpose in life because you need to do something more constructive with your time.