I'm not holding Slack to any kind of higher standard. It's curious that you seem to think I hold other services to a lower standard. I'm holding it to the same standard I hold any service to, and I filter data as appropriate for ones I do use. If you don't, that's fine, but you should be at least cognisant of the security of services you're using and adjust your trust levels accordingly. Many people I've spoken to seem to just naively assume Slack is secure, and that anything they say through it is private, when it's not.

On 07/12/15 13:17, Derek J. Balling wrote:

So basically it's no different than the 999,999,999 other various
cloud-based services companies make use of on a daily basis for all
sorts of stuff.

I've got no guarantee that Google is providing end-to-end encryption
on my Google Docs documents, or my mail, or such, but plenty of
companies (even security conscious ones) offload their mail,
calendaring and even some document management to them.

I'm not sure why folks are holding Slack to a higher standard.


On 7/12/2015 4:10 PM, Paul Graydon wrote:
That doesn't indicate end-to-end encryption, just that your
connections to Slack are encrypted [1].  That leaves any
communication within their network completely open, and this is a
company that has been compromised not that long ago.  They're
clearly storing your messages in a format they can read and provide
to you on demand [2].

For all intents and purposes, you should consider your
communication unencrypted, and treat it as such.

[1] http://www.cantechletter.com/2015/03/slack-is-secure-says-stewart-butterfield/
<- With quotes from Slack CEO about the trade-offs they're making.

[2] http://www.theverge.com/2014/11/24/7255199/slack-alters-privacy-policy-to-let-bosses-read-your-messages

<- wouldn't be possible with end-to-end encryption.  They shouldn't be
able to even *see* the content of messages.  It's certainly
possible to achieve within an end-to-end encrypted model, but not
how they're doing it.

Paul


On 07/12/15 11:21, Derek Balling wrote:
According to Slack, they use encryption. Do you have data
contrary to this?

https://slack.com/security

On Jul 12, 2015, at 2:10 PM, Paul Graydon
<p...@paulgraydon.co.uk> wrote:

On 07/12/15 10:41, Mark McCullough wrote:
As a security geek, I find the Slack trend … troublesome.

It particularly disturbs me how many people are passing
confidential and sensitive data over Slack without giving it a
second thought. Everything from customer names, details,
through to architectural information.  Even worse are those
using bots to automate their infrastructure, and hooking them
into Slack. You're passing sensitive information through an
unsecured channel (Slack doesn't employ end-to-end security,
and themselves tell you to consider it the same as using
Facebook, public facing email service, etc.), and you don't see
that as a problem?  Worse, with all-powerful bots you're leaving
yourself open to malicious actors taking you down.

Paul
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/

--
I prefer to use encrypted mail. My public key fingerprint is FD6A 6990
F035 DE9E 3713 B4F1 661B 3AD6 D82A BBD0. You can download it at
http://www.megacity.org/gpg_dballing.txt

Learn how to encrypt your email with the E-Mail Self Defense Guide:
https://emailselfdefense.fsf.org/en/