Are Your Slack Conversations Really Private and Secure?

An anonymous reader writes: "Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property."

The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.
Though Slack has 4 million users, the article points out that there's other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?

Running an internal Jabber server here

[Kargan]

It's only accessible over the intranet, so no privacy worries here (at least from 3rd parties -- I know that management reviews chat logs periodically, as is their right).

Re:

[OzPeter]

If management gets to review my chat logs, I should damn right be able to review theirs.

Remind me again who employs who?

Re:Running an internal Jabber server here

[OzPeter]

Management isn't employing anyone. The company is. Managers are employees as well.

Ah I see. Willful ignorance in order to try and make a point.

Now remind me again who employs who and (the bit you are deliberately ignoring) creates this thing called a hierarchy (you're heard of them haven't you?) and grants people at different levels of said hierarchy different responsibilities and powers.

Re:

[rmdingler]

Indeed. One of my favorite ways to rapidly escalate a roadside interview is to agree to a search of my vehicle if the officer allows me to search his, as well.

Re:Running an internal Jabber server here

[molarmass192]

I'll have to try this. I've always wondered what it feels like to get tasered and clubbed over the head with a flashlight.

Re:

[murdocj]

Why?

Short answer:

[bravecanadian]

No.

we have slack at work, and I don't understand why

[TheGratefulNet]

I am from the era where 'net news' (nntp) was popular.

for a few years, I was at SGI and they were HUGE into nntp. in fact, one of the most memorable ones was 'sgi.ba' and ba stood for 'bad attitude' (seriously). first day there, getting the HR orientation, they told us all about the usenet hier at work and how its GOOD to be aware of, and reading, sgi.ba. you'd hear about complaints but also the reasons behind them. HR was ok with that! those were the cool days in silicon valley, when it was still fun to live and work here, and companies were still pretty fun to work for.

anyway, I never understood what's wrong with usenet for internal threaded and persistent chats? you WANT it to stay around so you can find out the reasons for why this or that design was done. its part of the company history. but slack, unless you pay, fades away. how stupid! and yet, when I asked for nntp at work instead of slack, no one seemed to even KNOW what nntp was and to this day, they have no plans to implement it.

'chat' programs seem the most useless things; fully redundant to the MANY other forms of e-communication that we ALREADY have.

when usenet mostly 'ended' and web forums took over, I was sad. seems we continue to throw out old, free, WORKING tools for newfangled OH SHINEY! bullshit.

I don't get it. I really don't.

Re:

[slashrio]

It wasn't only working, it also 'was' (surprise: It still is) structured and hierarchical, so you didn't have to live in uncertainty whether your search engine had found all the forums that covered the topic you're interested in.
Another example of stupidity if you ask me.

Re:

[lannocc]

Hierarchies and structure are too much for the WWW hipsterNet. The DNS will continue to flatten, databases have no schema, and AI will be required to make sense of any of it.

Re:

[mea2214]

The main problem with Usenet is the client side readers are old and clunky. Back in the day working in a terminal shell was more common.

Re:

[Anonymous Coward]

The main problem with Usenet is the client side readers are old and clunky.

If by "old and clunky" you mean "work dramatically better than web browsers on modern web forums", then yes!

With client side readers, for starters you can pick which one you want, instead of the web forum software deciding what features you may or may not have for its forums. They handled threaded conversations well, which only some web forums do. They supported local kill files. You could easily sort and search locally by any criteria you wanted, with none of the bullshit restrictions web forums often h

Re:

[140Mandak262Jamuna]

Some of the archived threads in groups like comp.lang.c++ are still worth the read.

Could be a good idea

[fuzzyf]

IRC and NNTP has a slighty different purpose, IMHO.
IRC sort of requires online presence when stuff happens, and discussions usually are pretty sequential.
NNTP could fork of a discussion into different threads.

Slack is, as you know, basically an IRC overlay with better integration for mobiles and other platforms. We use it at work and it's pretty ok.
I would love NNTP at work, but not for replacing Slack. I would like it to replace Yammer. Yammer so incredibly inefficient at searching for information.

Re:

[jon3k]

That's kind of like saying nntp is a replacement for irc. It's really not. Slack is really an alternative to irc which for real time text chat. The advantage that Slack (or Mattermost, etc) have over IRC (imo) is it's easily accessible from mobile devices. Sure you can use an IRC client from your phone, but with Slack the mobile client is actually GOOD and you can control notifications well (only alert me on my lock screen if you @me or DM me) and you have persistence. If I open Slack on my phone I can

Re:

[Dog-Cow]

Slack also handles multimedia. Even things like formatted code snippets are way up there, in comparison to IRC. Then there's all the integrations with things like JIRA, and you have a client that makes it a lot easier to work with other devs. Who the fuck cares if it's loosely based on IRC? It isn't IRC.

Re:

[jon3k]

Yeah that's a great point. One of the first things we did was to integrate alerting from our network monitoring systems into Slack. Our inboxes are truly grateful. Also Screenhero is awesome for sharing your desktop, and the built in voice/video chat makes creating a conference call a one click operation.

Also to your point about multimedia, the ability to paste screenshots directly into slack is great. Being able to just drop things like a PDF into a channel has been really handy.

Anyone who thinks

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[davidwr]

Do one thing, and do it well.

If that one thing is "communicate," well, then that "one thing" may encompass sharing screens, sharing code, sharing text, sharing audio, sharing video, etc. etc. etc. or at the very least, calling some under-the-hood program to do those things for you while the user perceives it as "one seamless thing."

If that "one thing" is "texting" then that "one thing" may include getting typed input from the user, determining who the recipient is, determining how to send it to the recipient, sending it, receiving data

Re:

[murdocj]

What if I want to do all those things (talk, chat, share screens, share files) w/o having to configure 15 different programs and figure out to get each one thru the firewalls? What if I just want to click the "share screen" button and have it, you know, work?

I use skype, and whatever I need to do, it just plain works. That's what I want. Not 15 obscure programs to configure, update, and have break.

Re:

[murdocj]

I'll agree with one thing, I don't want webcam video. We had our daily standups via hipchat and I just left my webcam off. People know what I look like, they don't need to see me grimacing as they lay out absurd schedules.

Re:

[flacco]

> video conferencing is just compensating for managements insecurity

I would have agreed with you until recently, when I started collaborating on a creative project with a non-technical friend. He was really in favor of occasional video conferencing, so we've been doing that, and it really has added an important dimension to our work.

I prefer to self-host whenever possible, so while we conduct much of our communication via a Mattermost instance, I would really like to ditch Google Hangouts for something

Re:

[Aighearach]

greynecks know, we had dozens of solutions for this before they even implemented this featureless proprietary pap!

Wait, people thought they were secure?

[hsmith]

Slack has no end-to-end crypto - it isn't generating keypairs for messages on an individual basis - so what idiot thought that the conversations could be private? You can download and search prior messages - indicating that - duh - anyone could do so.

Re:

[davidwr]

Slack may not have end-to-end crypto, but there is nothing technical stopping me and the person I am taking to from using a Secret Decoder Ring or for that matter, a one-time pad, to encrypt our messages.

Reporters need to get computer literate

[rakslice]

That was my reaction too: it's not too difficult to notice that the search in Slack is searching chat messages that you have never seen locally, is it? What's more, this feature is not unusual among HipChat clones... Even Discord just launched search.

I'm not sure who the misunderstanding belongs to -- the people at Fast Company reporting the story as it is at the Gawker people the story was about.

Reporters need to get computer literate... and then hopefully go beyond that to become involved in choosing prod

Simple answer...

[c]

Are your conversations on the Internet? Then no, they aren't private or secure.

I could be wrong, but I doubt many smart people would bet on it.

Mattermost

[revjtanton]

I just put up a Mattermost server this week to replace Slack for my family messaging. I chose it over Jabber or IRC because the features it sports are a little friendlier to the less-tech-savy or younger (6 year old) user. The traffic is encrypted with my own cert, and the box is my own (physical, not AWS or anything) and it's encrypted. I know that to use push notifications on mobile you have to allow the notification to route through their services, but you can limit the info to simply be "person has sent you a message". From what I could see in my research Mattermost seemed like it was private, easy, and had some nice features. I'd recommend it...unless of course I missed something on the privacy side...

Re:

[flacco]

We have Slack at work. I recently set up a Mattermost instance for a personal project. Very much a work-alike - and of course can be self-hosted.

Though I didn't use it, Mattermost has an "omnibus" install that encapsulates pretty much everything requires to run it - web server, database server, etc.

Re:

[revjtanton]

Yeah I saw the Docker stuff but decided to set it up myself end to end because I use that server for a few other things internally, and I wasn't sure how the packaged solution would work with that. Overall I was pleased with the simplicity of setting it up. The only curveball I had to overcome was using apache (so as not to interfere with other working things) and my own cert. Reverse proxy to feed traffic back to the default Mattermost port and easy peasy.

What is slack?

[RightwingNutjob]

And why should I use it in place of email or the telephone?

Re:

[aklinux]

And why should I use it in place of email or the telephone?

Because keeping up with a dozen team members in geographically, time zone and time schedule diverse places is a pain. More than once I have ended up working with instructions or a document that had been superseded and I was unaware of the fact that it had been superseded.

You end up in a situation with a dozen people hitting "reply all" or calling each other on the telephone leaving messages. While you're listening to one message or talking to one person, three others call and leave more messages and sendi

Re:

[RightwingNutjob]

Ah. So you want a widget to solve a problem in management style. Yeah. And I've got some real estate off the coast of Florida to sell you.

Re:

[Dog-Cow]

Slack is a communications program useful for people who aren't bigots and better-than-thou shit heads who go by stupid pseudonyms, such as RightwingNutjob.

Use a Tox client

[TheOuterLinux]

A Tox client uses Tox servers to direct traffic and then I think it's p2p from there. The connections are encrypted and Tox clients are open source. Plus, it supports text, audio, and video calling, as well as file sharing. And after you create a profile, which stays on your desktop so no data stays on any server, you can share that profile to your other computers and devices with Tox clients and "sign in" that way. It's a lot like sharing an OpenVPN settings profile, but for Tox. Most clients have QR code

Holy obvious problem Batman

[trawg]

Is there literally ANYONE using Slack that is under any impression that their conversations are private or secure? It's a web-based service that epitomises the phrase "the cloud is someone else's computer".

If you want private and/or secure conversations, use Signal, or Wire. Or shit, even Whatsapp is probably more secure.

Re:

[Vegan Cyclist]

This. And no, I don't really care if someone snoops and sees that we've ordered x vegan food product, or are short on y vegan food product and need to order more, or checks out the business card design draft I've posted. Slack is easy for our staff to use, which is why we go to it, but we're under no delusion that it's particularly 'secure'. Mundane conversations abound!

matrix.org is the answer

[alfino]

Check out matrix.org. It's a federated, open-standard, rich communication protocol. It can't do everything of Slack and Whatsapp yet, but it's moving along fast and you can help. There are already several clients to choose from, as well as integrations with other networks, APIs, and bot-like tools etc..

We used it at linux.conf.au 2017 to (inofficially) bridge between Slack and IRC, and had an update of ca. 33% of the conference within 3 days or so, while the number of Slack users went down to a low one-digit figure.

#matrix on Freenode is bridged to the main discussion room, so pop on over if you want.

Here's Matthew (one of the project leads) at FOSDEM (with video):
https://fosdem.org/2017/schedu... [fosdem.org]
https://fosdem.org/2017/schedu... [fosdem.org]

and my little lightning talk at LCA:
https://www.youtube.com/watch?... [youtube.com]

-- @martinkrafft