Slashdot Mirror
Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It (vice.com)
Business communications service Slack, which has more than three million paying customers, offers a bouquet of features that has made it popular (so popular that is worth as much as $9 billion), but it lacks a crucial feature that some of its rivals don't: end-to-end encryption. It's a feature that numerous users have asked Slack to add to the service. Citing a former employee of Slack and the company's chief information security officer, news outlet Motherboard reported Tuesday that the rationale behind not including end-to-end encryption is very simple: bosses around the world don't want it. From the report: Work communication service Slack has decided against the idea of having end-to-end encryption due to the priorities of its paying customers (rather than those who use a free version of the service.) Slack is not a traditional messaging program -- it's designed for businesses and workplaces that may want or need to read employee messages -- but the decision still highlights why some platforms may not want to jump into end-to-end encryption. End-to-end is increasingly popular as it can protect communications against from interception and surveillance. "It wasn't a priority for exec [executives], because it wasn't something paying customers cared about," a former Slack employee told Motherboard earlier this year.
Mattermost is an open source, privately hostable clean room reimplementation of Slack that supports a variety of encryption options that Slack does not.
Three Step Plan:
1. Take over the world.
2. Get a lot of cookies.
3. Eat the cookies.
that there's a big hole in the OpSec at many development firms.
This is a trivial thing to fix for a business. Slack can always have all messages done as part of a certain company (both to and from) be encrypted with an additional decryption key (ADK).
PGP Desktop had this functionality since the early 2000s, allowing encryption, but allowing businesses to easily recover encrypted E-mails, but yet not subverting private key security with key escrow or other backdoors.
With all the people into blockchains and applied cryptography, it is amazing this wasn't done.
doesn't mean they shouldn't, and not making it available creates a risk in situations where they suddenly discover they need it yesterday.
As a designer you frequently put things into a product that customers never asked for. Sometimes, yes, it is a waste of time. But if you don't bring expertise to the table the customers don't have, then what are they paying you for?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
So when your company experiences a massive breach of security because your sales and marketing team openly discuss designs, your C levels openly discuss M&A, and your engineers openly share passwords over your chat program, you can look back and say "well at least we didnt have a bunch of meaningless features we didnt want to pay for" when you're busy packing your shit into a box and filing for unemployment.
For those of us who'd like to keep a job longer than it takes to teach little johnny how to encrypt, Use mattermost instead. https://www.mattermost.org/
Good people go to bed earlier.
Why not have end-to-end encryption for security while also optionally allowing employers to see employees' messages by giving them access to the encryption keys?
There are ways to protect communication links end-to-end yet allow access to messages. If an employer wants access to messages in a particular chat, that can be built in by centralizing their archival at the same time they're sent through a cryptographic chain of trust. It's not trivial, but I don't buy that unencrypted communications are the alternative for the reasons they state.
If I were Slack, I'd be much more worried about Microsoft Teams. Microsoft is pouring huge sums of money into Teams at the moment to make it the new paradigm and push for online, with the added benefit of tighter Office/O365 integration as well as integration of other pieces to make a unified communication solution. I get a bit concerned in that respect for market dominance by MS, but it is what it is.
It wouldn't be so bad if the company can generate and keep the keys, but other than that encrypted employee communication is a worse risk than potential loss of IP. The management and company is held responsible for for all sorts of "nanny" issues in the workplace, including any kind of alleged harassment, threat, insult, discrimination, etc. Without hard records of who said what to whom, the company is at much bigger risk from lawsuits from their own employees than from competitors stealing tech. It is management's job to police internal communication as much or more than to actually run the company; and trust me, most of us don't like doing it, but it is a legal requirement that we do, and a huge economic risk if we don't.
I think you mean my boss doesn't want slack because it doesn't have end to end encryption... We recently switched from Jabber to Skype because Jabber keeps IM history and that is considered a security risk. So instead we get to deal with hit or miss desktop sharing and file transfers, and often not being able to properly connect to the servers any given morning. I think the issue is mostly with our IT, not Skype, but I do know Jabber was dead stable for years. ...not biased at all.
This is a product, not a project. They could easily put it in place for paying customers. Yet sometimes IT people are so focused on computer language that they think that they must adapt it to normal language as well.
"You did not say to do it, so we didn't" is one I have seen more than once. The "That is not the procedure" is another nice one.
One company I worked for I asked the price to add an option. They said the procedure was to request the option. I did not wanted to do that, because I did not know if this would be financially interesting.
There where three options pricewise:
1) So expensive, it was not worth it
2) Expensive enough that we can sell it as an extra.
3) Cheap we will use it as marketing "We have X included"
In the end it was just putting a cross in a web interface. It was the reason they bought the package in the first place, just never activated it. Literally 2 minutes of work (including the coffee). Took 4 months to get there.
BOFH is still alive in many places.
Don't fight for your country, if your country does not fight for you.
Exactly!
The Boss only really cares about what features they actively need for the money. Normally they will only care about it until after something happens that hurt them enough to change their thinking about it.
A massive Hack due to poor security will then change your bosses mind. However most cases of poor security go by without much consequences.
Strong Security is about having features in it that you hope you never need, but is there in case something happens.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
There is a huge difference between "bosses around the world don't want it," and "it wasn't something paying customers cared about." (emphasis added for clarity) The former implies (as observed in the quoted summary in the parent thread) that bosses may be actively seeking to eavesdrop; the latter implies that bosses don't care either way, as long as they don't have to pay extra for encryption.
Clearly, the concerns of the actual end-users is that perhaps the former is more likely the case... which probably tends to drive those end-users to other platforms (those which do enable encryption) for any of their more casual interactions. And obviously, when you default to an "unofficial" platform in this fashion, you're not particularly likely to bother going back to the "official" platform just to conduct business with those same people -- except when you're forced. And we all know what happens when you try to force someone to do something that they don't want to do; they pretend to do it, or they only do it just barely enough to get the boss off of their back.
End result: ironically, those "paying" customers may stop paying, if Slack can't actually convince the end-users to use the tool properly... which I would suggest makes this a potentially self-defeating scenario.
I think having corporate chat being monitored or logged is a good thing. I communicate professionally and in good faith. Having logs means I have something to point to in case of an issue. If there's anyone I'm comfortable talking with about sensitive subjects, work related or otherwise, we can always take it to a non-corp message protocol, which there are several good options.
Why would you listen to bosses on technical implementation details? They rarely have any idea, which is why they hire people who do.
This is my signature. There are many like it, but this one is mine.