Slashdot Mirror


Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It (vice.com)

Business communications service Slack, which has more than three million paying customers, offers a bouquet of features that has made it popular (so popular that it is worth as much as $9 billion), but it lacks a crucial feature that some of its rivals don't: end-to-end encryption. It's a feature that numerous users have asked Slack to add to the service. Citing a former employee of Slack and the company's chief information security officer, news outlet Motherboard reported Tuesday that the rationale behind not including end-to-end encryption is very simple: bosses around the world don't want it. From the report: Work communication service Slack has decided against the idea of having end-to-end encryption due to the priorities of its paying customers (rather than those who use a free version of the service). Slack is not a traditional messaging program -- it's designed for businesses and workplaces that may want or need to read employee messages -- but the decision still highlights why some platforms may not want to jump into end-to-end encryption. End-to-end is increasingly popular as it can protect communications from interception and surveillance. "It wasn't a priority for exec [executives], because it wasn't something paying customers cared about," a former Slack employee told Motherboard earlier this year.

  1. Mattermost is an alternative by sinator · · Score: 5, Informative

    Mattermost is an open source, privately hostable clean room reimplementation of Slack that supports a variety of encryption options that Slack does not.

    --
    Three Step Plan:
    1. Take over the world.
    2. Get a lot of cookies.
    3. Eat the cookies.
    1. Re:Mattermost is an alternative by TJ_Phazerhacki · · Score: 2

      It's also (at least as of 6-8 months ago when we demo'd it) completely unready for Primetime Enterprise use, with flaky mobile implementation and a configuration that feels like the bad old days of setting up stuff like phpBB.

      --
      Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
    2. Re:Mattermost is an alternative by halfnerd · · Score: 2

      It's open core. Look into matrix.org / riot.im instead

    3. Re:Mattermost is an alternative by jader3rd · · Score: 1

      So how does it handle legal ediscovery? Employers are responsible for coughing up employee communications during trial.

    4. Re:Mattermost is an alternative by Woeful+Countenance · · Score: 2

      So how does it handle legal ediscovery? Employers are responsible for coughing up employee communications during trial.

      Maybe. I am not a lawyer, but the case of the governor and the disappearing text messages seems relevant. Maybe, if the company never had access to the messages, it doesn't have a responsibility to reveal them.

    5. Re:Mattermost is an alternative by Anonymous Coward · · Score: 0

      I've used this and loved every bit of it.

    6. Re:Mattermost is an alternative by Dragonslicer · · Score: 1

      (I am not a lawyer)

      I think the company only has to produce materials that they have at the time they are notified that legal action is coming. If the company sets an email retention policy of 30 days, then they aren't responsible for producing emails from 5 years ago, since those were deleted in the ordinary course of business. The same would likely apply to material that the company never had possession of in the first place, such as SMS messages sent between personal phones or email sent between personal addresses.

      As for Slack (and any similar IRC-like systems), I had thought that one of the big selling points was being able to join a channel and see messages from before you joined. In that case, where are those messages stored?

  2. It's good to know by cordovaCon83 · · Score: 2

    that there's a big hole in the OpSec at many development firms.

    1. Re:It's good to know by Anonymous Coward · · Score: 1

      Except it's not, because it is encrypted between the users and the Slack server; it's only saying that they don't provide client-to-client encrypted tunnels for DMs, which is hardly the big deal that this article title makes it out to be.

    2. Re: It's good to know by Anonymous Coward · · Score: 0

      Who are you to say it's hardly a big deal? Just because you don't need end-to-end encryption doesn't mean it isn't important to someone else.

    3. Re: It's good to know by Anonymous Coward · · Score: 0

      Hello from China! I like your thinking, keep up the inventing! We'll be waiting.

  3. Trivial to fix and keep secure -- use an ADK by Anonymous Coward · · Score: 2, Interesting

    This is a trivial thing to fix for a business. Slack can always have all messages done as part of a certain company (both to and from) be encrypted with an additional decryption key (ADK).

    PGP Desktop has had this functionality since the early 2000s: it allows encryption while letting businesses easily recover encrypted e-mails, yet without subverting private-key security with key escrow or other backdoors.

    With all the people into blockchains and applied cryptography, it is amazing this wasn't done.

  4. And Also by Anonymous Coward · · Score: 0

    Not being a bloated piece of shit isn't something executives cared about, apparently.

  5. Just because your customers don't care about it by hey! · · Score: 4, Insightful

    doesn't mean they shouldn't, and not making it available creates a risk in situations where they suddenly discover they need it yesterday.

    As a designer you frequently put things into a product that customers never asked for. Sometimes, yes, it is a waste of time. But if you don't bring expertise to the table the customers don't have, then what are they paying you for?

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  6. hindsight is 20/20 by nimbius · · Score: 3, Insightful

    So when your company experiences a massive breach of security because your sales and marketing team openly discuss designs, your C levels openly discuss M&A, and your engineers openly share passwords over your chat program, you can look back and say "well at least we didn't have a bunch of meaningless features we didn't want to pay for" when you're busy packing your shit into a box and filing for unemployment.

    For those of us who'd like to keep a job longer than it takes to teach little Johnny how to encrypt, use Mattermost instead. https://www.mattermost.org/

    --
    Good people go to bed earlier.
    1. Re:hindsight is 20/20 by jeff4747 · · Score: 4, Informative

      Alternatively, you could realize not having end-to-end encryption is not the same as not having encryption.

      The client-server communications are encrypted. You just can't send a DM that the server can not read. At least, not directly through Slack.

    2. Re: hindsight is 20/20 by Anonymous Coward · · Score: 0

      So broken by design?

    3. Re: hindsight is 20/20 by jeff4747 · · Score: 1

      Only if your requirements include DMs not being able to be read by the server.

      Security-wise, end-to-end encryption would only protect against a very narrow set of attacks where the server is compromised, but not so compromised that it won't serve up a fake key as the recipient's key. I can't think of a realistic way to get into that state.

    4. Re: hindsight is 20/20 by Cinnamon+Beige · · Score: 1

      On the other hand, it lacking end-to-end encryption and having the server able to read everything in DMs certainly suggests a good route of attack, and it also would suggest that those running any given server cannot make a strong claim of not having a clue about the content of DMs. "We promised not to look and didn't" is a lot stronger when you can point out that you couldn't have looked anyway.

      Sometimes, the point of security is not to protect against hackers but your own rear from having the legal system decide that having them in plaintext where you can see them means you should totally be reading it. (That this is roughly as reasonable as expecting anybody who has been in a bookstore or a library to have read every single book there merely because they are physically capable of reading any of them, but good luck getting those writing the laws to stop thinking computers are magic.)

    5. Re: hindsight is 20/20 by jeff4747 · · Score: 1

      On the other hand, it lacking end-to-end encryption and having the server able to read everything in DMs certainly suggests a good route of attack, and it also would suggest that those running any given server cannot make a strong claim of not having a clue about the content of DMs. "We promised not to look and didn't" is a lot stronger when you can point out that you couldn't have looked anyway.

      Except the context here is Slack running in a business. They aren't promising to not read your DMs, in fact they usually warn you they are reading your DMs.

      If the context is a random person chatting with someone via DMs over a random server they find on the Internet, then Slack isn't your best choice....and never was.

      End-to-end encryption would also harm the ability to scan messages for malware, which companies really, really love to do.

      Sometimes, the point of security is not to protect against hackers but your own rear from having the legal system decide that having them in plaintext where you can see them means you should totally be reading it.

      There's not going to be many situations where "we couldn't read the message" is going to excuse a company from liability. Let's say it's sexual harassment or similar interpersonal harm. The victim prints the DMs, takes them to HR who does nothing and there's a lawsuit. Monitoring the DMs would not have avoided the liability, since the problem comes from failing to deal with the harassment once it has been reported, not over detecting the harassment.

      Let's say it's theft of trade secrets or other company-to-company lawsuit. Subpoenas can get the messages from the recipients just as easily (or not easily if they've been deleted).

      If you're imagining some future law where businesses are supposed to magically find terrorists or similar, I really don't see any companies deciding not being able to read their employee's messages is better than a dumb keyword search that lets them pretend they're complying with the law with little to no effort.

    6. Re: hindsight is 20/20 by Cinnamon+Beige · · Score: 1

      Sometimes, the point of security is not to protect against hackers but your own rear from having the legal system decide that having them in plaintext where you can see them means you should totally be reading it.

      There's not going to be many situations where "we couldn't read the message" is going to excuse a company from liability. Let's say it's sexual harassment or similar interpersonal harm. The victim prints the DMs, takes them to HR who does nothing and there's a lawsuit. Monitoring the DMs would not have avoided the liability, since the problem comes from failing to deal with the harassment once it has been reported, not over detecting the harassment.

      Not quite--the problem comes from failing to deal with the harassment once you are aware of it, last I checked. It would generally not be wise to wait for somebody to report it after you have, for example, had it happen rather publicly in front of a crowd that includes the head of HR. How much monitoring you're expected to do (vs waiting for somebody to report) will depend on local laws and judges.

      If you're imagining some future law where businesses are supposed to magically find terrorists or similar, I really don't see any companies deciding not being able to read their employee's messages is better than a dumb keyword search that lets them pretend they're complying with the law with little to no effort.

      I also think you're vastly underestimating the stupidity involved to think a dumb keyword search on its own would be enough to fake compliance should we get a batch of legislators who will pass that sort of law. You are rarely going to overestimate a politician's understanding of what computers can and cannot do by working off the theory that they overall believe that computers are magical & can do anything without mistakes, errors, and/or failures.

      By the way, that future law is in the process of being made in the EU. Why do you think people are not happy with the EU's new Copyright Directive's Article 13? Seriously, start here and wander a bit as the EFF are not the only people who are pointing out just how bad this law is--I've seen it reported on here, too. Just because it's not the US passing a monumentally stupid law doesn't mean it shouldn't be a concern, especially when it's a law that will require you comply internationally--or decide it's just plain cheaper to give the EU market a hard pass.

    7. Re: hindsight is 20/20 by Anonymous Coward · · Score: 0

      Sounds to me that the technicalities of this are far from your actual concerns. You are worried your harassment or embezzlement will be caught by your boss.

    8. Re: hindsight is 20/20 by jeff4747 · · Score: 1

      How much monitoring you're expected to do (vs waiting for somebody to report) will depend on local laws and judges.

      [Citation Required]

      You are rarely going to overestimate a politician's understanding of what computers can and cannot do

      And because of that, they're not going to understand a keyword search is nearly useless. Nor even a far more sophisticated scan that theoretically determines context, since that is useless too.

      By the way, that future law is in the process of being made in the EU.

      Great! Point out in the draft legislation where something trivial like a keyword search wouldn't comply.....Oh wait! A keyword search is exactly what the EFF is worried about.

  7. Can't they just share the keys with employers? by JoeyRox · · Score: 2

    Why not have end-to-end encryption for security while also optionally allowing employers to see employees' messages by giving them access to the encryption keys?

    1. Re:Can't they just share the keys with employers? by jeff4747 · · Score: 2

      Two reasons:

      1) Because then the breathless article would be talking about how the end-to-end encryption is "flawed".

      2) The communications between the client and server are already encrypted. They're just decrypted on the server, re-encrypted for the recipient and sent on. End-to-end encryption with IT having a copy of your keys is functionally identical (assuming the server isn't compromised).

  8. This makes no sense by StandardCell · · Score: 4, Insightful

    There are ways to protect communication links end-to-end yet allow access to messages. If an employer wants access to messages in a particular chat, that can be built in by centralizing their archival at the same time they're sent through a cryptographic chain of trust. It's not trivial, but I don't buy that unencrypted communications are the alternative for the reasons they state.

    If I were Slack, I'd be much more worried about Microsoft Teams. Microsoft is pouring huge sums of money into Teams at the moment to make it the new paradigm and push for online, with the added benefit of tighter Office/O365 integration as well as integration of other pieces to make a unified communication solution. I get a bit concerned in that respect for market dominance by MS, but it is what it is.

    1. Re:This makes no sense by jeff4747 · · Score: 4, Informative

      It's not trivial, but I don't buy that unencrypted communications are the alternative for the reasons they state.

      The client-server communications are encrypted. The reason it isn't end-to-end encryption is the server decrypts the messages before encrypting them for the recipient's connection and sending them on.

      Basically, they do what you propose. But that isn't end-to-end because the server (aka "centralizing their archival") can read the contents of the messages.

    2. Re:This makes no sense by Anonymous Coward · · Score: 1

      No, and most likely the thing we're not privy to is a government court order that says to not put it in, and explain it in whatever way you want.

      Obviously, they would've put it in and at least added a switch for it if someone, as they claim, stubbornly refuses to use encryption.

      This is why people should use Mattermost instead of Slack -- Slack is not secure, and it is wide open for government and other hacks.

    3. Re:This makes no sense by PmanAce · · Score: 1

      Teams integrated with Outlook for example is so useful for meetings for example.

      --
      Tired of my customary (Score:1)
    4. Re: This makes no sense by Anonymous Coward · · Score: 0

      If it isn't end to end encryption then they aren't doing what he proposes. How are you being modded up? Slack must have a lot of fanboys on slashdot.

    5. Re: This makes no sense by jeff4747 · · Score: 1

      End to end encryption means the server can not decrypt the messages. Only the recipient can. Think PGP-encrypted email body, where the recipient is the only one with the private key to decrypt the message. Any intervening servers can not read the message.

      Skype encrypts the communication with the servers, but does not encrypt the messages. So the server can read the messages, but third parties can not (assuming the server has not been compromised).

      That poster proposes a key-escrow-like system, which would allow the server to decrypt the messages as needed....just like Skype's server does now. It would provide no real security boost since in both cases the server could read the messages.

    6. Re: This makes no sense by jeff4747 · · Score: 1

      s/Skype/Slack/

  9. End-to-end encryption must be open by GbrDead · · Score: 1

    You can't have end-to-end encryption with proprietary software. Even less so when it is done by a cloud service (a.k.a. man-in-the-middle).

    1. Re:End-to-end encryption must be open by jellomizer · · Score: 1

      You can set up SSH port forwarding on the client.
      That is the cheap, quick and dirty way to secure systems that cannot be encrypted due to their poor design.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:End-to-end encryption must be open by iggymanz · · Score: 1

      what nonsense, of course you can have end-to-end encryption with proprietary software and that's what the big enterprises use. you can have breakable encryption, weak encryption or no encryption with open source software too. where do you get your dumb wrong ideas?

    3. Re:End-to-end encryption must be open by Anonymous Coward · · Score: 0

      what nonsense, of course you can have end-to-end encryption with proprietary software and that's what the big enterprises use. you can have breakable encryption, weak encryption or no encryption with open source software too. where do you get your dumb wrong ideas?

      Since you're quick to throw stones, I'd love to know exactly how you're validating whether or not you're using "breakable" or "weak" encryption with proprietary/closed solutions.

      Not sure how the hell you managed to overlook the most obvious advantage of open source, which is the ability to audit the code, which was the entire point being driven here. I blindly trust crypto solutions about as far as I can throw the morbidly obese developer behind it.

      Oh, and thank you for clarifying exactly how the "big enterprises" get hacked. Obviously there's no shortage of ignorance.

    4. Re:End-to-end encryption must be open by Anonymous Coward · · Score: 0

      So, your actual concern isn't whether or not end-to-end encryption is possible with proprietary software (answer: it is possible), but that you have trouble trusting the proprietary vendor and validating their end-to-end encryption. A client being unable to validate the encryption doesn't mean that the encryption is broken.

    5. Re:End-to-end encryption must be open by iggymanz · · Score: 1

      the types of crypto that proprietary devices use are listed and known. Are you imagining the aes-256-gcm in a palo firewall is different and inferior to the magic aes-256-gcm in an open source BSD?

      We've already proven that auditable code can result in trusted insecure junk being used for decades.

  10. IRC supports end to end encryption by Anonymous Coward · · Score: 0

    and it's free

    what is that phrase about a fool and his money?

  11. RocketChat has an OTR (Off The Record) mode by paulc · · Score: 1

    I've been playing with RocketChat for a while and it's a fairly decent Slack alternative that's under active development. If you want to go off the record in a private chat, click the button, wait for the other person to confirm, and your conversation is now end to end encrypted. It's fairly easy to install if you want to self host, and they offer hosted versions too. I'm a fan.

  12. Simple Solution by Zorro · · Score: 1

    Let the employer generate and keep a copy of the keys.

    That is how you actually administer BitLocker with employees on an enterprise network.

  13. I Absolutely care, and I'm paying!!!! by Anonymous Coward · · Score: 1

    I was never asked, and I pay for slack service for my startup team. I want secure comms that I can trust. We don't use slack for confidential strategy or product design calls. We use Signal. If I thought I could trust slack based on their design, we'd use it more. They just added 2 and 2 and got 17.

    1. Re:I Absolutely care, and I'm paying!!!! by Anonymous Coward · · Score: 0

      I was never asked, and I pay for slack service for my startup team. I want secure comms that I can trust.

      You want people you can trust even more.

      You'll realize that right after you recognize the value of monitoring those you thought you could trust.

    2. Re: I Absolutely care, and I'm paying!!!! by Anonymous Coward · · Score: 0

      What?

  14. shhhhhhhhh by Anonymous Coward · · Score: 1

    Slack HATES IRC. They love fooling everyone into paying for a free 30 year old technology.

    Slack would rather lie about IRC, or make idiotic excuses about encryption that are outright lies. The truth is, the Slack engineering team is so fucking stupid, they have no idea how to implement end to end encryption. Instead it's much easier for their inept engineering team to blame their lack of encryption on "my boss"

    What a bunch of assholes of the highest order.

    1. Re: shhhhhhhhh by Anonymous Coward · · Score: 0

      Some of the biggest companies right now are shitty implementations of free software, it boggles my mind. Slack, splunk, etc.

      But I guess we have better emojis now.

    2. Re: shhhhhhhhh by Anonymous Coward · · Score: 0

      Ahh...did somebody get replaced by a free software alternative?

    3. Re:shhhhhhhhh by Anonymous Coward · · Score: 0

      I can tell you're full of shit because you use the term "Slack engineering team", as if to imply that Slack team performs "engineering". They may call it that, but use of their product has shown it not to be the case.

      I'm pretty sure that no actual engineer would create a chat client that takes 4 processes and half a gig of RAM just to connect to the server.

      dom

  15. They Have To by ibpooks · · Score: 2

    It wouldn't be so bad if the company can generate and keep the keys, but other than that encrypted employee communication is a worse risk than potential loss of IP. The management and company is held responsible for all sorts of "nanny" issues in the workplace, including any kind of alleged harassment, threat, insult, discrimination, etc. Without hard records of who said what to whom, the company is at much bigger risk from lawsuits from their own employees than from competitors stealing tech. It is management's job to police internal communication as much or more than to actually run the company; and trust me, most of us don't like doing it, but it is a legal requirement that we do, and a huge economic risk if we don't.

    1. Re: They Have To by Anonymous Coward · · Score: 0

      Sounds like a bunch of bullshit to me. Something a clueless ass boss would say.

    2. Re: They Have To by Anonymous Coward · · Score: 0

      Preach it brother, that's why as an employer I have microphones and cameras everywhere in the building. Including the bathrooms. You never know when you have to provide evidence of that alleged 'grope' in the lift, or the racial vilification called out from the neighbouring toilet cubicle. And not to mention the unionisation notes people keep passing around. I really need to do something about that. I'm thinking strip searches at random times and places around the office, and mandatory interrogation sessions to extract information that might be needed if something was somehow missed.

      I'm so glad Slack doesn't have end-to-end 'off the record' employee to employee chat. That would mean I'd have to go back to installing Back-Orifice or some other spyware on all the Windows domain based PCs (which is all of them - the Mac users have already been fired for harassment due to the glowering way they look at our PC users).

      So, dude, I fully agree with everything you're saying.

    3. Re: They Have To by Anonymous Coward · · Score: 0

      And BTW, since I'm the boss I can sit in my private unmonitored en-suite bathroom and post to Slashdot without any interference. Except for Slashdot's incompetent handling of quotation marks and other otherwise useful subsets of Unicode.

  16. Wrong way around by Drethon · · Score: 2

    I think you mean my boss doesn't want slack because it doesn't have end to end encryption... We recently switched from Jabber to Skype because Jabber keeps IM history and that is considered a security risk. So instead we get to deal with hit or miss desktop sharing and file transfers, and often not being able to properly connect to the servers any given morning. I think the issue is mostly with our IT, not Skype, but I do know Jabber was dead stable for years. ...not biased at all.

    1. Re:Wrong way around by dysmal · · Score: 1

      If you're referring to Skype For Business, I thought it stored all of your conversations in your Outlook profile by default.

      Also, if you just switched to Skype For Business then get ready because MickeySoft is killing it slowly in favor of Teams.

    2. Re:Wrong way around by Drethon · · Score: 1

      If you're referring to Skype For Business, I thought it stored all of your conversations in your Outlook profile by default.

      Also, if you just switched to Skype For Business then get ready because MickeySoft is killing it slowly in favor of Teams.

      Yeah, Skype For Business, I forget there are two different Skypes as I use Skype For Business even for calls to my research adviser, though lately we've been using zoom more often as Skype For Business isn't very stable to my college campus either. You might be right about the history but maybe it can be disabled or they prefer the outlook server security? When I go to File->View Conversation History, nothing happens, so I'm thinking the prior.

      Yeah, not particularly thrilled with any MS office products as they always change and seem to break the most efficient ways of doing anything. About the only MS product I prefer not to live without is Visual Studio.

    3. Re:Wrong way around by Dragonslicer · · Score: 1

      We recently switched from Jabber to Skype because Jabber keeps IM history and that is considered a security risk.

      I'm fairly certain that the Jabber protocol (i.e. XMPP) does not mandate storing message history. I've used Kopete for OTR (end-to-end encrypted) messages, and Kopete lets you disable local logging.

      Did you mean some specific server or client software?

    4. Re:Wrong way around by Drethon · · Score: 1

      We recently switched from Jabber to Skype because Jabber keeps IM history and that is considered a security risk.

      I'm fairly certain that the Jabber protocol (i.e. XMPP) does not mandate storing message history. I've used Kopete for OTR (end-to-end encrypted) messages, and Kopete lets you disable local logging.

      Did you mean some specific server or client software?

      Yeah, I'm not IT. I just know what other people told me as to why we switched.

  17. Re:Just because your customers don't care about it by houghi · · Score: 2

    This is a product, not a project. They could easily put it in place for paying customers. Yet sometimes IT people are so focused on computer language that they think that they must adapt it to normal language as well.
    "You did not say to do it, so we didn't" is one I have seen more than once. The "That is not the procedure" is another nice one.

    One company I worked for, I asked the price to add an option. They said the procedure was to request the option. I did not want to do that, because I did not know if this would be financially interesting.

    There were three options price-wise:
    1) So expensive, it was not worth it
    2) Expensive enough that we can sell it as an extra.
    3) Cheap we will use it as marketing "We have X included"

    In the end it was just putting a cross in a web interface. It was the reason they bought the package in the first place, just never activated it. Literally 2 minutes of work (including the coffee). Took 4 months to get there.

    BOFH is still alive in many places.

    --
    Don't fight for your country, if your country does not fight for you.
  18. Bullshit. It takes technical effort. by Anonymous Coward · · Score: 0

    Bullshit. It takes technical effort.

  19. 3 year roi on btc=+2,407.28% by Anonymous Coward · · Score: 0

    unless of course as with any electronic markets they turn it off? greed+fear+ego.. motives=results

  20. No encryption in Slack? by Anonymous Coward · · Score: 0

    This page claims Slack does indeed encrypt the data in transit and at rest:
    https://slack.com/security

    Is this just marketing fluff?

    1. Re: No encryption in Slack? by Anonymous Coward · · Score: 0

      No end to end encryption.

      The server encrypts and decrypts. It's a middle man. True end to end would secure the text from everyone except the sender and receiver. Or whoever has the keys.

  21. Re:Just because your customers don't care about it by jellomizer · · Score: 2

    Exactly!
    The boss only really cares about what features they actively need for the money. Normally they will only care about it after something happens that hurts them enough to change their thinking about it.
    A massive hack due to poor security will then change your boss's mind. However, most cases of poor security go by without much consequence.

    Strong Security is about having features in it that you hope you never need, but is there in case something happens.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  22. But I bet your legal department does. by Anonymous Coward · · Score: 0

    Anything you or any of your employees say can and will be used against you in a court of law.

    Employees have mostly gotten the memo about avoiding certain topics in email, but they have yet to have similar qualms about IM.

    This is going to bite someone (likely in the financial sector) very, very badly, very, very soon. And then you'll see a very rapid change here.

  23. Watch me play a tiny violin by Anonymous Coward · · Score: 0

    slack is a crappy pile of poo anyhow. I'll stick to irc, thanks. For the job, too, yes, so dear mr. boss sir better respect that.

    I'm not a millennial, I use tech that works. No reason to change that now.

    1. Re:Watch me play a tiny violin by Anonymous Coward · · Score: 0

      slack is a crappy pile of poo anyhow. I'll stick to irc, thanks. For the job, too, yes, so dear mr. boss sir better respect that.

      I'm not a millennial, I use tech that works. No reason to change that now.

      You would be escorted out the door with that ancient attitude of yours. Technology often changes because the environment changes. You either adapt, or you'll be put out to pasture with the rest of the ignorant greybeards who also assume nothing has changed.

      I mean damn, it's like you've never even heard of the concept of insider threat before. You're the kind that would still insist on using FTP because "tech that works".

    2. Re:Watch me play a tiny violin by Anonymous Coward · · Score: 0

      Ha ha, "ignorant greybeards", as if being 25 years old means knowing everything and understanding everything, and the only thing you get with age is senility. It's a common attitude with the 25 year olds, but it's not how humans develop. You'll learn in a few short decades how that works. In the meantime, if you can't explain the tech to your mom, you're not very good at it. Likewise, if you can't explain why your environment says we do this or that, you haven't really understood that either.

      As to me, I'd use FTP if that's appropriate for the task. Or TFTP. Or anything else sensible. And possibly many things less than entirely sensible. I am, after all, one of those people who're expected to keep all that shit running.

      But pray tell, what exactly in the environment changed that necessitates using a giant pile of javascript crap to do something that my ircII-in-a-screen has been doing for the last 20 years, and will co-operate with just about any other client anyone else would care to use? Including so many bots to do any and all extra tasks you might want it to do. Something that pile-of-poo slack certainly does not.

      It's like saying that you now need a smartphone with facial recognition and fingerprints and a regularly exploding battery just to make calls. Well, this here phone on my desk is from 1939 and still makes calls just fine. It's exactly where I need it when I need it, and its simplicity gives me a lot more surety that it'll work at that time, too. Old tech isn't automatically bad, but while I'll buy that newer tech can do more, that doesn't automatically mean I need it to do more, too. In the case of the phone, what it gives me is really all I need from it. In the case of ircII, same thing. What more do you expect me to need, and why? Do explain.

      If that thing in the environment turns out to be idiot management, as is highly likely, then they're welcome to escort me out of the building, after paying my golden parachute of course. Then I'll be enjoying popcorn watching the shop burn. That way we all get what we deserve.

  24. Pay. Get worse product. by Anonymous Coward · · Score: 0

    Free market for the win or whatever.

  25. Re:Just because your customers don't care about it by stealth_finger · · Score: 1

    doesn't mean they shouldn't, and not making it available creates a risk in situations where they suddenly discover they need it yesterday.

    Yeah but that way you get to charge extra to put it in. A lot extra if they want it soon.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  26. Re:Just because your customers don't care about it by Anonymous Coward · · Score: 0

    One company I worked for I asked the price to add an option. They said the procedure was to request the option. I did not want to do that, because I did not know if this would be financially interesting.

    1) Request feature.
    2) Get estimate of cost to add feature.
    3) Approve or drop as appropriate.

    I fail to see what is so wrong with that approach. Unless you were for some reason required to pay a penalty at step 3 if you chose to drop the feature request.

  27. Re:Just because your customers don't care about it by jeff4747 · · Score: 1

    What is a possible scenario where their customers need end-to-end encryption right now?

    And keep in mind that's end-to-end encryption. Not "encryption". Communications between the client and server are encrypted. The reason it isn't end-to-end is the server decrypts the messages before re-encrypting them for the recipient's collection.

    Assuming your Slack server is running on a properly-configured host, that's compliant with things like HIPAA that "pop up out of nowhere".

  28. Huge difference between "want" and "care"... by zarmanto · · Score: 2

    There is a huge difference between "bosses around the world don't want it," and "it wasn't something paying customers cared about." (emphasis added for clarity) The former implies (as observed in the quoted summary in the parent thread) that bosses may be actively seeking to eavesdrop; the latter implies that bosses don't care either way, as long as they don't have to pay extra for encryption.

    Clearly, the concerns of the actual end-users are that perhaps the former is more likely the case... which probably tends to drive those end-users to other platforms (those which do enable encryption) for any of their more casual interactions. And obviously, when you default to an "unofficial" platform in this fashion, you're not particularly likely to bother going back to the "official" platform just to conduct business with those same people -- except when you're forced. And we all know what happens when you try to force someone to do something that they don't want to do; they pretend to do it, or they only do it just barely enough to get the boss off of their back.

    End result: ironically, those "paying" customers may stop paying, if Slack can't actually convince the end-users to use the tool properly... which I would suggest makes this a potentially self-defeating scenario.

  29. I prefer it this way by laurent420 · · Score: 2

    I think having corporate chat being monitored or logged is a good thing. I communicate professionally and in good faith. Having logs means I have something to point to in case of an issue. If there's anyone I'm comfortable talking with about sensitive subjects, work related or otherwise, we can always take it to a non-corp message protocol, which there are several good options.

  30. All run on Supermicro by emil · · Score: 1

    Not to pick on a particular server vendor, but it must be assumed that the network is compromised, and that all communications will be recorded and analyzed by many unknown parties.

    We got off telnet for a reason.

    1. Re:All run on Supermicro by Anonymous Coward · · Score: 0

      As Jeff4747 brought up, not having end-to-end encryption is more like using SSH to write to a plain text file on a remote server.

      A "telnet" example would be to use telnet to connect to an encrypted database. An important part of it not being "end-to-end" is that it is encrypted somewhere, and that is usually over the wire (SSH,TLS,etc.).
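      Added example, not from any commenter and not Slack's or any vendor's code: a Python sketch of the two-hop relay jeff4747 and the reply above describe. A toy stdlib cipher (HMAC-SHA256 keystream plus tag) stands in for TLS; `Relay`, `seal`, `unseal` and the message text are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption from the standard library, standing in for
# TLS/AEAD so the relay architecture is visible. Demo only, never production.
def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = _stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _stream(key, nonce, ct)

class Relay:
    """Chat server holding one transport (TLS-like) session key per client."""
    def __init__(self):
        self.session_keys = {}
        self.store = []  # whatever lands in the server's message store

    def connect(self, client: str) -> bytes:
        self.session_keys[client] = os.urandom(32)
        return self.session_keys[client]

    def deliver(self, sender: str, recipient: str, wire: bytes) -> bytes:
        payload = unseal(self.session_keys[sender], wire)   # hop 1 ends here
        self.store.append(payload)                          # server holds payload
        return seal(self.session_keys[recipient], payload)  # hop 2 starts here

def send_transport_only(relay, a, ka, b, kb, msg: bytes) -> bytes:
    """Transport-only (the model the thread attributes to Slack): the payload the relay decrypts IS the message."""
    return unseal(kb, relay.deliver(a, b, seal(ka, msg)))

def send_e2e(relay, a, ka, b, kb, e2e_key: bytes, msg: bytes) -> bytes:
    """End-to-end: an inner layer under a key only the two clients hold."""
    inner = unseal(kb, relay.deliver(a, b, seal(ka, seal(e2e_key, msg))))
    return unseal(e2e_key, inner)

def server_could_read(relay, msg: bytes) -> bool:
    return msg in relay.store
```

      Encrypting the store at rest protects the server's disk, not the server process: in the transport-only path `relay.store` holds the plaintext, while in the E2E path it holds only ciphertext (sender, recipient, timing and length remain visible to the relay either way).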

  31. Skype by Anonymous Coward · · Score: 0

    Skype does not allow you to export all chat history. Same story reasons.

  32. Tells you everything about Slack by RonVNX · · Score: 1

    Money money money. Speaking of money, when the boss and the boss's boss are fired by shareholders for gross and possibly illegal negligence with legally protected data and company trade secrets, I'm sure Slack will pitch in for his lost income and legal expenses.

  33. Features follow the money by Anonymous Coward · · Score: 0

    Once again, developers will build stuff that customers are willing to pay for. If you are not the paying customer, more often than not your specific wants and needs will be ignored over the wants and needs of those who actually pay. All those 'free' services from companies like Facebook, Google, and others are built for the benefit of their real customers...the advertisers. Your privacy, your needs, and your wants will always take a backseat to the demands of those actually paying the bills.

  34. Why would you listen to bosses? by king+neckbeard · · Score: 2

    Why would you listen to bosses on technical implementation details? They rarely have any idea, which is why they hire people who do.

    --
    This is my signature. There are many like it, but this one is mine.
    1. Re:Why would you listen to bosses? by Pascoea · · Score: 1

      Why would you listen to bosses on technical implementation details?

      I'm sure the conversations are more like:
      Boss: We need comms
      Underling: Ok, here's one that's encrypted and one that's not.
      B: Which one's more expensive?
      U: Well, the unencrypted one. But it's less secure.
      B: Thanks
      Boss' boss: Great, buy the cheaper one.

    2. Re:Why would you listen to bosses? by Anonymous Coward · · Score: 0

      I rather suspect they listened to lawyers actually.

  35. Re:Just because your customers don't care about it by Anonymous Coward · · Score: 0

    doesn't mean they shouldn't, and not making it available creates a risk in situations where they suddenly discover they need it yesterday.

    As a designer you frequently put things into a product that customers never asked for. Sometimes, yes, it is a waste of time. But if you don't bring expertise to the table the customers don't have, then what are they paying you for?

    How is this modded insightful? Also the summary does not at all say that bosses do not want it.

    It's spelled out in the quote from Slack. It's not something that paying customers cared about. It doesn't mean it's a bad feature, but the reality of developing a product is that there's only so much time in a given day, and work tasks have to be prioritized. If paying customers say they want a particular feature, that feature goes to the top of the priority list for development. It costs developer time to make something like this, and those developer salaries need to be paid by revenue from paying customers.

    If you think it's a valuable thing to develop, then work for Slack for free, because if customers won't pay for it then it's not worth doing.

  36. Re:Just because your customers don't care about it by Anonymous Coward · · Score: 0

    Worth considering that the bosses aren't the ones using it, and if the concerns of the users are ignored, nobody else will use it either.

  37. Priorities of its paying customers by PPH · · Score: 1

    China?

    --
    Have gnu, will travel.
  38. Re: Just because your customers don't care about i by Anonymous Coward · · Score: 0

    End to end encryption isn't a feature. It's a necessity.

  39. slack = msn messenger (~2002?) by Anonymous Coward · · Score: 0

    Seriously, what is the deal with slack? it's nothing more than msn messenger that most teens used in the early 2000s era.
    It just doesn't deserve any discussion. No?

    1. Re:slack = msn messenger (~2002?) by Anonymous Coward · · Score: 0

      it's actually more like IRC than msn, but yeah.

  40. This is why we don't use it. by lythander · · Score: 1

    Specifically for anything sensitive.

    It would be fine if we could host it, so the unencrypted bits were in our enterprise (a feature once promised but I think gone from the roadmap.) Also fine would be an option to encrypt the store on their end for just our bit (the encryption doesn't need to be mandatory.)

  41. Re: Just because your customers don't care about i by Anonymous Coward · · Score: 0

    End to end encryption isn't a feature. It's a necessity.

    If it's a necessity, then they'd be willing to pay for it. The only necessities are where people are willing to put a limited resource, time or money, onto it. Otherwise, it's just an opinion.

  42. Re:This is false by Anonymous Coward · · Score: 0

    Idiot

    Look up 'end to end'.

    You just made the best argument against using proprietary software but somehow missed it. Oh well, expecting business types to understand anything is a fool's errand, especially if said fool doesn't understand the issues.

    numbnuts