Dumb security bug of the day goes to Slack. Summary: they discovered a problem with the mechanism of inviting new users to your company.

>The bug we discovered was in this invite link event: along with the information about the shared invite link, *we included the hashed password of the user who created or revoked the link*. This information was sent over the websocket to all users of the workspace who were currently connected to Slack.

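The quoted post describes the shape of the bug well enough to illustrate the pattern and its guard: an event built by dropping a whole server-side user record into the payload, next to one built from an explicit allowlist, plus a pre-send check that refuses to serialise anything carrying sensitive keys. This is an added example written for this thread, not Slack's code; the record, field names and event type are constructed for illustration, and the hash value is a placeholder.

```python
"""Leaky versus allowlisted event payloads, with an outbound guard.
All names and sample data here are constructed for this example and are
not taken from Slack's implementation."""
from __future__ import annotations

import json
from typing import Any, Iterator

# Constructed sample user record as a server might hold it. The
# password_hash and mfa_secret values are placeholders, not real secrets.
CREATOR = {
    "id": "U123",
    "name": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$PLACEHOLDER",
    "mfa_secret": "PLACEHOLDER",
}

INVITE_LINK = {"id": "L456", "expires": 1700000000}

# Key names that must never appear in anything pushed to other clients.
SENSITIVE_KEYS = {"password", "password_hash", "mfa_secret", "token", "api_key"}


def leaky_invite_event(creator: dict, link: dict) -> dict:
    """The vulnerable shape: embeds the full user record, hash included."""
    return {"type": "shared_invite_link_created", "link": link, "created_by": creator}


def safe_invite_event(creator: dict, link: dict) -> dict:
    """Hardened shape: the public view is built from an allowlist only,
    so new columns added to the user record later cannot leak by default."""
    public_creator = {k: creator[k] for k in ("id", "name") if k in creator}
    return {"type": "shared_invite_link_created", "link": link, "created_by": public_creator}


def _walk(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, leaf_value) for every leaf in a nested payload."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def find_sensitive_fields(payload: dict) -> list[str]:
    """Return the dotted paths of leaves whose key name is in SENSITIVE_KEYS.
    Usable both as a pre-send guard and as a test-suite check on event fixtures."""
    hits = []
    for path, _ in _walk(payload):
        leaf = path.rsplit(".", 1)[-1]
        if leaf.lower() in SENSITIVE_KEYS:
            hits.append(path)
    return hits


def broadcast(event: dict) -> str:
    """Serialise an event for the websocket fan-out, refusing anything that
    still carries a sensitive field."""
    hits = find_sensitive_fields(event)
    if hits:
        raise ValueError(f"refusing to broadcast event with sensitive fields: {hits}")
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    print(find_sensitive_fields(leaky_invite_event(CREATOR, INVITE_LINK)))
    print(broadcast(safe_invite_event(CREATOR, INVITE_LINK)))
```

The allowlist is the real fix; the key-name scan in `broadcast` is a backstop that catches the class of mistake in the quoted post (a whole ORM object serialised into a broadcast) before it leaves the server, and the same function run over recorded event fixtures in CI is a cheap regression check.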

@tek reinforcing our organisational policy of having nothing to do with Slack...

@lightweight I'm not an advocate, but it's the less bad thing in that space that I've used.

@tek been using our own self-hosted Rocket.Chats (fully FOSS version) for 4-5 years now, and see no need for Slack or MS Teams. If people want to work with us, they use open tools, rather than dragging us into their proprietary abyss.

@tek I'm an active advocate *against* Slack and Teams and any other proprietary service for the reasons explained here: davelane.nz/notslack

@lightweight All valid points, but it's very easy to sell less-technical coworkers on Slack, which they've likely used before.

Also, I'd say the network effect here is that everyone and their dog support API integrations with Slack. Want your ticketing system to send a message to a channel automatically? Guarantee they already support it.

@tek yup, agree most of that, especially with the api integrations (although Slack has a history of arbitrarily limiting their API, kneecapping people who've invested (sometimes heavily) in integration... That's a 'feature' of proprietary services)... but still wouldn't touch them with a barge pole - putting so much potentially valuable organisational/community data in the hands of a hostile 3rd party is poor risk management. But most businesses are already so screwed that way, it's too late.

@tek most businesses and organisations are already just non-voting subsidiaries of the tech corporations on whose proprietary cloud services they've developed a complete dependence. They haven't been burned by it yet, but stochastics suggests it's just a matter of time. When people say I'm being alarmist I ask them how many MS Silverlight dev shops they remember. I vaguely recall a few. They swaggered around town saying they were the next big thing until suddenly, overnight, they were gone.

@lightweight I've been running Linux since the 386 days, but sometimes you've gotta choose your battles. This is one of them for a lot of organizations. We don't have the time or money to maintain all the services we'd like to use, because those aren't our core competencies.


@tek I tend to reject that line of thinking. I think most orgs constantly say "it's not our core competency" or 'we don't have time or expertise'. Even hard-core tech companies say that. But I've been running those services - like dozens of them - for a bunch of years, and I think that both the time requirement claims and the expertise claims are greatly overstated. And the risks of not controlling your own shit are wildly understated.

@lightweight I can and have run such things for years. The official Postfix docs linked to my anti-spam recommendations for a long time. But honestly, I'm way more expensive than most small companies want to spend on such things.

@tek I hear you. I agree there's a desperate shortage of small service organisations running local personalised tech services for small businesses. I wrote this a few years back: davelane.nz/wanted-someone-mee it's about half of what my company did from '98-'12. The fact there aren't more out there is, I think, a market failure perpetrated by mega corporate monopolists and a governance failure among businesses allowing themselves to develop fundamental dependencies on those megacorps.

Mastodon - NZOSS