> Begin forwarded message:
>
> From: Allan Irving <[email protected]>
> Subject: Re: [lopsa-discuss] Slack
> Date: 12 July 2015 21:36:51 BST
> To: "Derek J. Balling" <[email protected]>
>
> It was just a suggestion - no need for the aggressive reaction. Email is
> inherently insecure so I don’t see how Slack’s security comes into it. Slack
> offers features email never will. Additionally, as opposed to filter rules -
> you can open Slack when you can be bothered to respond to messages. Without
> filters you have an inbox full of LOPSA discuss emails.
>
> It was just a suggestion but given the response for outdated technology which
> is very insecure - it would seem that LOPSA really isn’t up to date. Are you
> really sending sensitive data over a mailing list? Then who’s to blame for it
> as a system administrator? A discussion list has and never should divulge
> confidential information seeing as this one is indexed by Google.
>
> You can stay in the dark ages but some of us are thinking ahead. Given the
> responses, it is clear to me that moving on into the modern century is the
> way forward.
>
> Wishing you all the best,
>
> Allan
>
>> On 12 Jul 2015, at 21:17, Derek J. Balling <[email protected]> wrote:
>>
>> Signed PGP part
>> So basically it's no different than the 999,999,999 other various
>> cloud-based services companies make use of on a daily basis for all
>> sorts of stuff.
>>
>> I've got no guarantee that Google is providing end-to-end encryption
>> on my Google Docs documents, or my mail, or such, but plenty of
>> companies (even security conscious ones) offload their mail,
>> calendaring and even some document management to them.
>>
>> I'm not sure why folks are holding slack to a higher standard.
>>
>> On 7/12/2015 4:10 PM, Paul Graydon wrote:
>> > That doesn't indicate end-to-end encryption, just that your
>> > connections to Slack are encrypted [1]. That leaves any
>> > communication within their network completely open, and this is a
>> > company that has been compromised not that long ago. They're
>> > clearly storing your messages in a format they can read and provide
>> > to you on demand [2].
>> >
>> > For all intents and purposes, you should consider your
>> > communication unencrypted, and treat it as such.
>> >
>> > [1] http://www.cantechletter.com/2015/03/slack-is-secure-says-stewart-butterfield/
>> > <- With quotes from Slack CEO about the trade offs they're making.
>> > [2] http://www.theverge.com/2014/11/24/7255199/slack-alters-privacy-policy-to-let-bosses-read-your-messages
>> > <- wouldn't be possible with end-to-end encryption. They shouldn't be
>> > able to even *see* the content of messages. It's certainly
>> > possible to achieve within an end-to-end encrypted model, but not
>> > how they're doing it.
>> >
>> > Paul
>> >
>> > On 07/12/15 11:21, Derek Balling wrote:
>> >> According to Slack, they use encryption. Do you have data
>> >> contrary to this?
>> >>
>> >> https://slack.com/security
>> >>
>> >>> On Jul 12, 2015, at 2:10 PM, Paul Graydon
>> >>> <[email protected]> wrote:
>> >>>
>> >>>> On 07/12/15 10:41, Mark McCullough wrote:
>> >>>> As a security geek, I find the Slack trend … troublesome.
>> >>>
>> >>> It particularly disturbs me how many people are passing
>> >>> confidential and sensitive data over Slack without giving it a
>> >>> second thought. Everything from customer names, details,
>> >>> through to architectural information. Even worse are those
>> >>> using bots to automate their infrastructure, and hooking them
>> >>> into Slack. You're passing sensitive information through an
>> >>> unsecured channel (Slack doesn't employ end-to-end security,
>> >>> and themselves tell you to consider it the same as using
>> >>> Facebook, public facing email service, etc.), and you don't see
>> >>> that as a problem? Worse with all powerful bots you're leaving
>> >>> yourself open to malicious actors taking you down.
>> >>>
>> >>> Paul
>> >>> _______________________________________________
>> >>> Discuss mailing list [email protected]
>> >>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>> >>> This list provided by the League of Professional System
>> >>> Administrators http://lopsa.org/
>>
>> --
>> I prefer to use encrypted mail. My public key fingerprint is FD6A 6990
>> F035 DE9E 3713 B4F1 661B 3AD6 D82A BBD0. You can download it at
>> http://www.megacity.org/gpg_dballing.txt
>>
>> Learn how to encrypt your email with the E-Mail Self Defense Guide:
>> https://emailselfdefense.fsf.org/en/
