Slashdot Mirror
Are Your Slack Conversations Really Private and Secure? (fastcompany.com)
An anonymous reader writes:
"Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property."
The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.
Though Slack has 4 million users, the article points out that there's other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?
The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.
Though Slack has 4 million users, the article points out that there's other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?
It's only accessible over the intranet, so no privacy worries here (at least from 3rd parties -- I know that management reviews chat logs periodically, as is their right).
Palaces, barricades, threats, meet promises
No.
I am from the era where 'net news' (nntp) was popular.
for a few years, I was at SGI and they were HUGE into nntp. in fact, one of the most memorable ones was 'sgi.ba' and ba stood for 'bad attitude' (seriously). first day there, getting the HR orientation, they told us all about the usenet hier at work and how its GOOD to be aware of, and reading, sgi.ba. you'd hear about complaints but also the reasons behind them. HR was ok with that! those were the cool days in silicon valley, when it was still fun to live and work here, and companies were still pretty fun to work for.
anyway, I never understood what's wrong with usenet for internal threaded and persistent chats? you WANT it to stay around so you can find out the reasons for why this or that design was done. its part of the company history. but slack, unless you pay, fades away. how stupid! and yet, when I asked for nntp at work instead of slack, no one seemed to even KNOW what nntp was and to this day, they have no plans to implement it.
'chat' programs seem the most useless things; fully redundant to the MANY other forms of e-communication that we ALREADY have.
when usenet mostly 'ended' and web forums took over, I was sad. seems we continue to throw out old, free, WORKING tools for newfangled OH SHINEY! bullshit.
I don't get it. I really don't.
--
"It is now safe to switch off your computer."
That's not what concerns me. What concerns me is that my private conversations are really slack.
On the Internet, nothing is certain except for surveillance, hacking, spam, and trolls.
(actually Bruce didn't say that, but it's customary to try to sell these epigrams by attributing it to a famous person).
are doomed to reinvent it, poorly. IRC has had end to end TLS and EECDH cryptography for quite some time. it even boasts key based authentication. This is the opinion of a Greybeard, so hold on for a rant. I dont think "chat-ops" brings anything to the table we havent had for 3 decades already. its a nice buzzword for startups to throw around when touting their agile workplaces.
Do one thing, and do it well. If im chatting with you, i dont need to see your face or hear your voice. Asterisk lets me place a call to you if its really that necessary but video conferencing is just compensating for managements insecurity. if you want to show me your code, send me a link to your gitlab or pastebin or gerrit (we have pull requests you know.) if you need to share your screen, tmux and novnc do it just fine but you should take a moment to determine why your screen has to be shared for me to understand a particular concept or issue. So in short, no. I dont see value in slack and mattermost. I dont want another goddamn client on my desktop and i dont need another website that loads 50mb of content just to make sure my manager can see my living room.
Good people go to bed earlier.
Slack has no end-to-end crypto - it isn't generating keypairs for messages on an individual basis - so what idiot thought that the conversations could be private? You can download and search prior messages - indicating that - duh - anyone could do so.
you WANT it to stay around
Except they don't.
They throw shitfits because their communications - on software paid for by their company, run on hardware paid for by their company, during hours they're being paid by their company - might be monitored!
Trying to get useful archives out of Slack is absurd.
It wasn't only working, it also 'was' (surprise: It still is) structured and hierarchical, so you didn't have to live in uncertainty whether your search engine had found all the forums that covered the topic you're interested in.
Another example of stupidity if you ask me.
"Trump!!", the new Godwin.
Are your conversations on the Internet? Then no, they aren't private or secure.
I could be wrong, but I doubt many smart people would bet on it.
Log in or piss off.
I just put up a Mattermost server this week to replace Slack for my family messaging. I chose it over Jabber or IRC because the features it sports are a little friendlier to the less-tech-savy or younger (6 year old) user. The traffic is encrypted with my own cert, and the box is my own (physical, not AWS or anything) and it's encrypted. I know that to use push notifications on mobile you have to allow the notification to route through their services, but you can limit the info to simply be "person has sent you a message". From what I could see in my research Mattermost seemed like it was private, easy, and had some nice features. I'd recommend it...unless of course I missed something on the privacy side...
The main problem with Usenet is the client side readers are old and clunky. Back in the day working in a terminal shell was more common.
if you use an American product, assume they have all your files and data, and if your project is critical to your mission and success in your market, simply change to Mattermost instead.
Hierarchies and structure are too much for the WWW hipsterNet. The DNS will continue to flatten, databases have no schema, and AI will be required to make sense of any of it.
-IOVAR Web Dev Platform
what is slack? or is this an ad? why abp didn't block dammit...
And why should I use it in place of email or the telephone?
Some of the archived threads in groups like comp.lang.c++ are still worth the read.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
do you use slack? Yes? You're a loser. Man up and use IRC.
The main problem with Usenet is the client side readers are old and clunky.
If by "old and clunky" you mean "work dramatically better than web browsers on modern web forums", then yes!
With client side readers, for starters you can pick which one you want, instead of the web forum software deciding what features you may or may not have for its forums. They handled threaded conversations well, which only some web forums do. They supported local kill files. You could easily sort and search locally by any criteria you wanted, with none of the bullshit restrictions web forums often have such as "no searching for less than 4 character strings". Everything was organized in a semi-well constructed hierarchy, rather than being spewed around 6030945 different little forums. You'd have the same reader interface to everything, rather than each web forum supplying its own "look and feel" with different sets of capabilities. You didn't have to sign up separately for every one you wanted to use.
Web forums were a big step back in capability and ease of use.
Slack is a centralized, closed service. Why would anyone think data shared with a 3rd party is private or secure, unless you personally encrypted it first? But hey, as long as you get to use emojis in chat, it's all good I guess.
That was my reaction too: it's not too difficult to notice that the search in Slack is searching chat messages that you have never seen locally, is it? What's more, this feature is not unusual among HipChat clones... Even Discord just launched search.
I'm not sure who the misunderstanding belongs to -- the people at Fast Company reporting the story as it is at the Gawker people the story was about.
Reporters need to get computer literate... and then hopefully go beyond that to become involved in choosing products that do what they need them to do.
Reporters need to realize that understanding the features of a software product can mostly be done by using it, and paying attention to what is happening and figuring out why.
There is a lot of discussion in the security blogosphere about the security of various messaging platforms that are trying to focus on actual security features, and while there is value in the details that they are hashing out, just knowing what software they are talking about is better than sticking your head in the sand.
Slack and GitHub Both are backed by Jared Kushner's VC firm and both should be considered tools of the Republican Trump Administration at this point.
Thrive Capital is a major backer of both:
https://www.crunchbase.com/org...
https://www.crunchbase.com/org...
https://www.crunchbase.com/org...
A Tox client uses Tox servers to direct traffic and then I think it's p2p from there. The connections are encrypted and Tox clients are open source. Plus, it supports text, audio, and video calling, as well as file sharing. And after you create a profile, which stays on your desktop so no data stays on any server, you can share that profile to your other computers and devices with Tox clients and "sign in" that way. It's a lot like sharing an OpenVPN settings profile, but for Tox. Most clients have QR code support to because of the really long public address (kind of like PGP key) associated with sharing contact info. -- TheOuterLinux.com
Is there literally ANYONE using Slack that is under any impression that their conversations are private or secure? It's a web-based service that epitomises the phrase "the cloud is someone else's computer".
If you want private and/or secure conversations, use Signal, or Wire. Or shit, even Whatsapp is probably more secure.
We're setting up mattermost behind a vpn. full stop.
IRC and NNTP has a slighty different purpose, IMHO.
IRC sort of requires online presence when stuff happens, and discussions usually are pretty sequential.
NNTP could fork of a discussion into different threads.
Slack is, as you know, basically an IRC overlay with better integration for mobiles and other platforms. We use it at work and it's pretty ok.
I would love NNTP at work, but not for replacing Slack. I would like it to replace Yammer. Yammer so incredibly inefficient at searching for information.
So doing the same for NNTP as Slack did for IRC could actually be a good idea. Slick interface for mobile and web and rebranded.
> you WANT it to stay around so you can find out the reasons for why this or that design was done.
*puts on his BigCo hat*
What you don't have, you can't provide in response to a subpoena.
> seems we continue to throw out old, free, WORKING tools for newfangled OH SHINEY! bullshit.
Yep. XMPP solved the Instant Messaging walled garden problem of the late 1990's and provided easy, standardized mechanisms to extend the standard so third-party client devs stood a fighting chance of interoperating with your whizz-bang new IM feature. Sadly, there's more short-term monetary and (internal) political profit to be made in creating captive audiences, so XMPP was thrown away and the walled gardens came back.
Demon Internet had a reader baded on Trumpet Winsock. It was DOS command line USENET browser. It worked in three modes. First one was to download the latest USENET hierarchy. There used to be elections to remove and add new forums. Next was to pick and choose which threads you wanted to download. Third mode was to read those threads and write replies. On a 56K modem, downloading USENET could take an hour.
There was also regular email which operated in the same way as now.
Check out matrix.org. It's a federated, open-standard, rich communication protocol. It can't do everything of Slack and Whatsapp yet, but it's moving along fast and you can help. There are already several clients to choose from, as well as integrations with other networks, APIs, and bot-like tools etc..
We used it at linux.conf.au 2017 to (inofficially) bridge between Slack and IRC, and had an update of ca. 33% of the conference within 3 days or so, while the number of Slack users went down to a low one-digit figure.
#matrix on Freenode is bridged to the main discussion room, so pop on over if you want.
Here's Matthew (one of the project leads) at FOSDEM (with video):
https://fosdem.org/2017/schedu...
https://fosdem.org/2017/schedu...
and my little lightning talk at LCA:
https://www.youtube.com/watch?...
-- @martinkrafft
echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
That's kind of like saying nntp is a replacement for irc. It's really not. Slack is really an alternative to irc which for real time text chat. The advantage that Slack (or Mattermost, etc) have over IRC (imo) is it's easily accessible from mobile devices. Sure you can use an IRC client from your phone, but with Slack the mobile client is actually GOOD and you can control notifications well (only alert me on my lock screen if you @me or DM me) and you have persistence. If I open Slack on my phone I can see the current state of the conversation along with all histories. It's also easily searchable. Sure, I do the same thing with tmux and irssi, but doesn't exactly work from my phone and doesn't provide a good system for notifications.
I really didn't get it until I started using Slack, now I actually really like it. We use it at work and 95% of our communication is via Slack now and everyone loves it. We used to use Jabber (Cisco) and literally every single person is over the moon happy we don't have to use that garbage anymore.
I used nntp for years, and it was great at the time and if you wanted to make an argument for nntp over forums, I wouldn't put up any fight. But having use Slack for a while as someone who has been a constant IRC user since the mid-90s (on multiple networks), I "get it".
Slack also handles multimedia. Even things like formatted code snippets are way up there, in comparison to IRC. Then there's all the integrations with things like JIRA, and you have a client that makes it a lot easier to work with other devs. Who the fuck cares if it's loosely based on IRC? It isn't IRC.
Yeah that's a great point. One of the first things we did was to integrate alerting from our network monitoring systems into Slack. Our inboxes are truly grateful. Also Screenhero is awesome for sharing your desktop, and the built in voice/video chat makes creating a conference call a one click operation.
Also to your point about multimedia, the ability to paste screenshots directly into slack is great. Being able to just drop things like a PDF into a channel has been really handy.
Anyone who thinks Slack is just a web based IRC client is totally missing the point.
But what about rocket.chat ?
We use Spark, built to provide a similar team based persistent chat experience akin to Slack except this tool does have full end to end encryption, including 3rd party integrations and video callin capabilities.
Here's a white paper
http://www.cisco.com/c/dam/en/us/solutions/collateral/collaboration/cloud-collaboration/cisco-spark-security-white-paper.pdf
Nobody disputes this. the article is about how your information is not encrypted end-to-end, meaning Slack themselves have access to your content (meaning it's available to anyone who Slack chooses to share it with).
We use Cisco Slack. It has all the team-based persistent chat capabilities of Slack, but benefits from end to end encryption (meaning even Cisco cannot access the content), as well as 3rd party integrations and video calling capabilities.
Worth a read:
http://www.cisco.com/c/dam/en/us/solutions/collateral/collaboration/cloud-collaboration/cisco-spark-security-white-paper.pdf
It works well for a loosely secured or unsecured chat environment where people of like interests can have sporadic conversations. I would not recommend taking it too seriously, and I certainly would not recommend building business requirements on top of it.