Are Your Slack Conversations Really Private and Secure? (fastcompany.com)

An anonymous reader writes: "Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property."

The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.

Though Slack has 4 million users, the article points out that there are other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?

17 of 68 comments

  1. we have slack at work, and I don't understand why by TheGratefulNet · · Score: 4, Interesting

    I am from the era where 'net news' (nntp) was popular.

    for a few years, I was at SGI and they were HUGE into nntp. in fact, one of the most memorable ones was 'sgi.ba' and ba stood for 'bad attitude' (seriously). first day there, getting the HR orientation, they told us all about the usenet hier at work and how it's GOOD to be aware of, and reading, sgi.ba. you'd hear about complaints but also the reasons behind them. HR was ok with that! those were the cool days in silicon valley, when it was still fun to live and work here, and companies were still pretty fun to work for.

    anyway, I never understood what's wrong with usenet for internal threaded and persistent chats? you WANT it to stay around so you can find out the reasons for why this or that design was done. it's part of the company history. but slack, unless you pay, fades away. how stupid! and yet, when I asked for nntp at work instead of slack, no one seemed to even KNOW what nntp was and to this day, they have no plans to implement it.

    'chat' programs seem the most useless things; fully redundant to the MANY other forms of e-communication that we ALREADY have.

    when usenet mostly 'ended' and web forums took over, I was sad. seems we continue to throw out old, free, WORKING tools for newfangled OH SHINEY! bullshit.

    I don't get it. I really don't.

    --
    "It is now safe to switch off your computer."
  2. those who ignore IRC by nimbius · · Score: 4, Insightful

    are doomed to reinvent it, poorly. IRC has had end to end TLS and EECDH cryptography for quite some time. it even boasts key based authentication. This is the opinion of a Greybeard, so hold on for a rant. I don't think "chat-ops" brings anything to the table we haven't had for 3 decades already. it's a nice buzzword for startups to throw around when touting their agile workplaces.

    Do one thing, and do it well. If I'm chatting with you, I don't need to see your face or hear your voice. Asterisk lets me place a call to you if it's really that necessary but video conferencing is just compensating for management's insecurity. if you want to show me your code, send me a link to your gitlab or pastebin or gerrit (we have pull requests you know.) if you need to share your screen, tmux and novnc do it just fine but you should take a moment to determine why your screen has to be shared for me to understand a particular concept or issue. So in short, no. I don't see value in slack and mattermost. I don't want another goddamn client on my desktop and I don't need another website that loads 50mb of content just to make sure my manager can see my living room.

    --
    Good people go to bed earlier.
    1. Re:those who ignore IRC by davidwr · · Score: 2

      Do one thing, and do it well.

      If that one thing is "communicate," well, then that "one thing" may encompass sharing screens, sharing code, sharing text, sharing audio, sharing video, etc. etc. etc. or at the very least, calling some under-the-hood program to do those things for you while the user perceives it as "one seamless thing."

      If that "one thing" is "texting" then that "one thing" may include getting typed input from the user, determining who the recipient is, determining how to send it to the recipient, sending it, receiving data from someone else, displaying it on the screen, or at the very least, calling some under-the-hood program to do those things for you while the user perceives it as "one seamless thing."

      Now, you and those you communicate with may communicate more efficiently using a "text only" medium most of the time, but not every team does. Some teams actually communicate better using a seamlessly-integrated multi-media communications tool that has audio, video, screen-sharing, file-sharing, etc. If that tool happens to use IRC protocols, VNC protocols, gitlib, pastebin, etc., under the hood or if it is using some other technology, the people who are participating in the conversation don't care nor should they have to.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    2. Re:those who ignore IRC by murdocj · · Score: 2

      I'll agree with one thing, I don't want webcam video. We had our daily standups via hipchat and I just left my webcam off. People know what I look like, they don't need to see me grimacing as they lay out absurd schedules.

  3. Wait, people thought they were secure? by hsmith · · Score: 2

    Slack has no end-to-end crypto - it isn't generating keypairs for messages on an individual basis - so what idiot thought that the conversations could be private? You can download and search prior messages - indicating that - duh - anyone could do so.

    1. Re:Wait, people thought they were secure? by davidwr · · Score: 2

      Slack may not have end-to-end crypto, but there is nothing technical stopping me and the person I am taking to from using a Secret Decoder Ring or for that matter, a one-time pad, to encrypt our messages.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. Re:Running an internal Jabber server here by OzPeter · · Score: 2

    If management gets to review my chat logs, I should damn right be able to review theirs.

    Remind me again who employs who?

    --
    I am Slashdot. Are you Slashdot as well?
  5. Re:Running an internal Jabber server here by OzPeter · · Score: 3, Insightful

    Management isn't employing anyone. The company is. Managers are employees as well.

    Ah I see. Willful ignorance in order to try and make a point.

    Now remind me again who employs who and (the bit you are deliberately ignoring) creates this thing called a hierarchy (you've heard of them, haven't you?) and grants people at different levels of said hierarchy different responsibilities and powers.

    --
    I am Slashdot. Are you Slashdot as well?
  6. Re:Running an internal Jabber server here by rmdingler · · Score: 2

    Indeed. One of my favorite ways to rapidly escalate a roadside interview is to agree to a search of my vehicle if the officer allows me to search his, as well.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  7. Mattermost by revjtanton · · Score: 2

    I just put up a Mattermost server this week to replace Slack for my family messaging. I chose it over Jabber or IRC because the features it sports are a little friendlier to the less tech-savvy or younger (6 year old) user. The traffic is encrypted with my own cert, and the box is my own (physical, not AWS or anything) and it's encrypted. I know that to use push notifications on mobile you have to allow the notification to route through their services, but you can limit the info to simply be "person has sent you a message". From what I could see in my research Mattermost seemed like it was private, easy, and had some nice features. I'd recommend it...unless of course I missed something on the privacy side...

  8. What is slack? by RightwingNutjob · · Score: 4, Insightful

    And why should I use it in place of email or the telephone?

    1. Re:What is slack? by aklinux · · Score: 2

      And why should I use it in place of email or the telephone?

      Because keeping up with a dozen team members in geographically, time zone and time schedule diverse places is a pain. More than once I have ended up working with instructions or a document that had been superseded and I was unaware of the fact that it had been superseded.

      You end up in a situation with a dozen people hitting "reply all" or calling each other on the telephone leaving messages. While you're listening to one message or talking to one person, three others call and leave more messages and sending emails in between.

      Maybe Slack isn't "The" answer, maybe it still needs some work, but it's a step in the right direction.

  9. Re:Running an internal Jabber server here by molarmass192 · · Score: 4, Funny

    I'll have to try this. I've always wondered what it feels like to get tasered and clubbed over the head with a flashlight.

    --
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws. - Plato
  10. Use a Tox client by TheOuterLinux · · Score: 2

    A Tox client uses Tox servers to direct traffic and then I think it's p2p from there. The connections are encrypted and Tox clients are open source. Plus, it supports text, audio, and video calling, as well as file sharing. And after you create a profile, which stays on your desktop so no data stays on any server, you can share that profile to your other computers and devices with Tox clients and "sign in" that way. It's a lot like sharing an OpenVPN settings profile, but for Tox. Most clients have QR code support too because of the really long public address (kind of like a PGP key) associated with sharing contact info. -- TheOuterLinux.com

  11. Holy obvious problem Batman by trawg · · Score: 2

    Is there literally ANYONE using Slack that is under any impression that their conversations are private or secure? It's a web-based service that epitomises the phrase "the cloud is someone else's computer".

    If you want private and/or secure conversations, use Signal, or Wire. Or shit, even Whatsapp is probably more secure.

    1. Re:Holy obvious problem Batman by Vegan+Cyclist · · Score: 2

      This. And no, I don't really care if someone snoops and sees that we've ordered x vegan food product, or are short on y vegan food product and need to order more, or checks out the business card design draft I've posted. Slack is easy for our staff to use, which is why we go to it, but we're under no delusion that it's particularly 'secure'. Mundane conversations abound!

  12. matrix.org is the answer by alfino · · Score: 3, Insightful

    Check out matrix.org. It's a federated, open-standard, rich communication protocol. It can't do everything of Slack and Whatsapp yet, but it's moving along fast and you can help. There are already several clients to choose from, as well as integrations with other networks, APIs, and bot-like tools etc..

    We used it at linux.conf.au 2017 to (unofficially) bridge between Slack and IRC, and had an uptake of ca. 33% of the conference within 3 days or so, while the number of Slack users went down to a low one-digit figure.

    #matrix on Freenode is bridged to the main discussion room, so pop on over if you want.

    Here's Matthew (one of the project leads) at FOSDEM (with video):
    https://fosdem.org/2017/schedu...
    https://fosdem.org/2017/schedu...

    and my little lightning talk at LCA:
    https://www.youtube.com/watch?...

    -- @martinkrafft

    --
    echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck