Dumb security bug of the day goes to Slack. Summary: they discovered a problem with the mechanism of inviting new users to your company.
>The bug we discovered was in this invite link event: along with the information about the shared invite link, *we included the hashed password of the user who created or revoked the link*. This information was sent over the websocket to all users of the workspace who were currently connected to Slack.
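The failure mode quoted above (an internal object serialized wholesale into a broadcast event) and the two defenses against it, as an added example that is not Slack's code and does not reflect their implementation: an allowlist projection for client-facing user views, plus a guard at the websocket boundary that refuses to send any payload still carrying a sensitive key. The `User` record, the event names and the key list are constructed for the example.

```python
import json
from dataclasses import dataclass, asdict

@dataclass
class User:
    id: str
    name: str
    password_hash: str  # server-side secret; must never leave the backend

ALICE = User("U001", "alice", "$2b$12$constructed-hash-not-real")  # constructed sample

# Keys that must never appear in anything pushed to connected clients.
SENSITIVE_KEYS = {"password_hash", "password", "token", "secret"}

def invite_event_naive(link_id: str, creator: User) -> dict:
    """Vulnerable pattern: serializes the whole internal user object into the event."""
    return {"type": "shared_invite_link_created", "link_id": link_id,
            "creator": asdict(creator)}

def public_user_view(user: User) -> dict:
    """Explicit allowlist projection of a user for client-facing payloads."""
    return {"id": user.id, "name": user.name}

def invite_event_safe(link_id: str, creator: User) -> dict:
    """Hardened form: the event only ever carries the projected view."""
    return {"type": "shared_invite_link_created", "link_id": link_id,
            "creator": public_user_view(creator)}

def leaked_sensitive_keys(payload, path: str = "") -> list:
    """Recursively walk an outgoing payload and list paths of sensitive keys."""
    found = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                found.append(here)
            found.extend(leaked_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            found.extend(leaked_sensitive_keys(value, f"{path}[{i}]"))
    return found

def broadcast(payload: dict) -> str:
    """Gate at the websocket boundary: refuse to serialize a leaking payload."""
    leaks = leaked_sensitive_keys(payload)
    if leaks:
        raise ValueError(f"refusing to broadcast, sensitive fields: {leaks}")
    return json.dumps(payload)
```

The boundary check is a backstop, not the fix: the projection function is what keeps the hash out of the event, and the guard is there to turn a future regression into a failed test instead of a leak.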
@tek been using our own self-hosted Rocket.Chats (fully FOSS version) for 4-5 years now, and see no need for Slack or MS Teams. If people want to work with us, they use open tools, rather than dragging us into their proprietary abyss.
@lightweight All valid points, but it's very easy to sell less-technical coworkers on Slack, which they've likely used before.
Also, I'd say the network effect here is that everyone and their dog support API integrations with Slack. Want your ticketing system to send a message to a channel automatically? Guarantee they already support it.
@tek yup, agree most of that, especially with the api integrations (although Slack has a history of arbitrarily limiting their API, kneecapping people who've invested (sometimes heavily) in integration... That's a 'feature' of proprietary services)... but still wouldn't touch them with a barge pole - putting so much potentially valuable organisational/community data in the hands of a hostile 3rd party is poor risk management. But most businesses are already so screwed that way, it's too late.
@tek most businesses and organisations are already just non-voting subsidiaries of the tech corporations on whose proprietary cloud services they've developed a complete dependence. They haven't been burned by it yet, but stochastics suggests it's just a matter of time. When people say I'm being alarmist I ask them how many MS Silverlight dev shops they remember. I vaguely recall a few. They swaggered around town saying they were the next big thing until suddenly, overnight, they were gone.
@tek I tend to reject that line of thinking. I think most orgs constantly say "it's not our core competency" or 'we don't have time or expertise'. Even hard-core tech companies say that. But I've been running those services - like dozens of them - for a bunch of years, and I think that both the time requirement claims and the expertise claims are greatly overstated. And the risks of not controlling your own shit are wildly understated.
@lightweight I can and have run such things for years. The official Postfix docs linked to my anti-spam recommendations for a long time. But honestly, I'm way more expensive than most small companies want to spend on such things.
@tek I hear you. I agree there's a desperate shortage of small service organisations running local personalised tech services for small businesses. I wrote this a few years back: https://davelane.nz/wanted-someone-meet-massive-latent-market-demand it's about half of what my company did from '98-'12. The fact there aren't more out there is, I think, a market failure perpetrated by mega corporate monopolists and a governance failure among businesses allowing themselves to develop fundamental dependencies on those megacorps.