The Slack Threat

For a long time, electronic mail was the main communication tool for enterprises. Slack, which offers public or private group discussion channels and one-to-one instant messaging, challenges that position, especially in the IT industry.

Not only does Slack have features known and used since the launch of IRC in the late ’80s, but it also offers file sending and sharing and code quoting, and it indexes everything that goes through the application for later searches. Slack is also modular, with numerous plug-ins to easily add new features.

Using the Software-as-a-Service (SaaS) model, Slack’s basic version is free, and users pay for options. Slack is now considered by the GitHub generation to be the new main enterprise communication tool.

As I did in my previous article on the GitHub threat, this one won’t promote Slack’s advantages, as many other articles have already covered them ad nauseam, but will show the other side and warn the companies using this service about its inherent risks. So far, these risks have been ignored, sometimes voluntarily, in the name of the “It works™” ideology, neglecting every economic and safety consideration and every threat to privacy and individual freedom. We’ll look at them below.

GitHub, a software forge as a SaaS, with all the advantages but also all the risks of its economic model

All your company communication since its creation

When a start-up chooses Slack, all of its internal communication will be stored by Slack. When someone uses this service, the simple fact of chatting through it means that the whole communication is archived.

One may point out that within the basic Slack offer, only the last 10,000 messages can be read and searched. Bad argument. Slack stores every message and every shared file as it pleases. We’ll see below that this application behavior is of capital importance in the Slack threat to enterprises.

And the problem is the same for all the other companies which choose Slack at one point or another. If they replace their traditional communication method with it, Slack will have access to capital data, not only in volume, but also because of its value for the company itself… or for anyone interested in this company’s life.

Search Your Entire Archive

One of the main arguments for using Slack is its “Search your entire archive” feature. One can search almost anything one can think of. Why? Because everything is indexed. Your team chat archive or the more or less confidential documents exchanged with the accounting department: everything is in it, in order to provide the most effective search tool.

The search bar, well known to Slack users

We can’t deny it’s a very attractive feature for everyone inside the company. But it is also a very attractive feature for everyone outside the company who would want to know more about its internal life, even more so if they’re looking for a specific subject.

If Slack is the main communication tool of your company, and if, as I’ve experienced in my professional life, some teams prefer to use it rather than go to the office next door, or even bug you to put the information on the dedicated channel, one can easily deduce that nothing in this type of company escapes Slack. The automatic indexing and the efficiency of the search feature are excellent tools to get all the information needed, in quantity and in quality.

As such, it’s a great social engineering tool for everyone who has access to it, with a history as old as the company’s use of Slack as a communication tool.

Across borders… And Beyond!

Slack is a web service which mainly uses Amazon Web Services, and most specifically CloudFront, as stated by the available information on Slack’s infrastructure.

Even without a complete study of said infrastructure, it’s easy to state that all the data of many innovative companies around the world (for some of them, including all their internal communication since their creation) is located in the United States, or at least in the hands of a US company, which must follow US law. The United States is a country with a well-known history of large-scale industrial espionage, as the whistleblower Edward Snowden demonstrated in 2013, and where access to company data has no restriction under the Patriot Act, as in the Microsoft case (2014), where data stored in Ireland by the Redmond software publisher was given to US authorities.

Edward Snowden, a fighter for individual, and corporate, freedom

As such, Slack’s automatic indexing and search tool are a boon for anyone, spy agency or hacker, who manages to get access to it.

To trust a third party with all, or at least most, of your internal corporate communication is a definite risk for your company if the said third party doesn’t follow the same regulations as you, or if it has different interests, from a data security point of view or more globally regarding its competitiveness. A badly timed data leak can be catastrophic.

What’s the point of secretly preparing a new product launch or an aggressive takeover if all your recent Slack conversations have leaked, including your secret plans?

What if… Slack is hacked?

First, let’s remember that even if a cyber attack may appear to be a rare or hypothetical scenario to a badly informed and hurried manager, it is far from being as rare as he or she believes (or wants to believe).

Infrastructure hacking is quite common, as a regular visit to Hacker News will give you ample evidence. And Slack itself has already been hacked.

February 2015: Slack was the victim of a four-day cyber attack, which was made public by the company in March. Officially, the unauthorized access was limited to information in the users’ profiles. It is impossible to measure exactly what and who was impacted by this attack. In a recent announcement, Yahoo confessed that its 3 billion accounts (you’ve read that correctly: 3 billion) were compromised… in late 2014!

Yahoo, the company which suffered the largest recorded cyberattack in terms of the number of compromised accounts

Officially, Slack stated that “No financial or payment information was accessed or compromised in this attack.” Which is, by far, the least interesting of all the data stored within Slack! With company internal communication indexed (sometimes from the very beginning of said company) and searchable, Slack may be a potential target for cybercriminals not looking for its users’ financial credentials but rather for their internal data, already in a usable format. One can imagine that Slack must disclose a massive data leak, which can’t be ignored. But what would happen if only one Slack user were the victim of such a leak?

The Free Alternative Solutions

As we demonstrated above, companies need to find an alternative solution to Slack, one they can host themselves to reduce data leaks, industrial espionage, and dependency on the Internet connection. Luckily, Slack’s success created its own copycats, some of them also being free software.

Rocket.Chat is one of them. Its comprehensive service offers chat rooms, direct messages and file sharing, but also videoconferencing and screen sharing, and many more features; check their dedicated page. You can also try an online demo. And even better, Rocket.Chat has a very simple extension system and an API.

Mattermost is another service which has the advantages of proximity to and compatibility with Slack. It offers numerous features, including the main ones expected from this type of software. It also offers numerous apps and plug-ins to interact with online services, software forges, and continuous integration tools.

It works

In the introduction, we discussed the “It works™” effect, usually invoked to dispel any argument about the data protection and exchange confidentiality we discussed in this article. True, a single developer can ask: why worry about it? All I want is to chat with my colleagues and send files!

Because a long-term Slack subscription puts the company continuously at risk. Maybe it’s not the employees’ place to worry about it; they just have to do their job as efficiently as possible. On the other side, the company management, usually non-technical, may not be aware of what risks will threaten their company with this technical choice. The technical management may pretend to be omniscient, but nobody is fooled.

Either someone from the management will ask the right question (where is our data and who can access it?) or someone from the technical side will officially alert them to these problems. It is this technical audience, even if not always heard by their management, which is the target of this article. May they find in it the right arguments to be convincing.

We hope that the several points we developed in this article will help you make the right choice.

About Me

Carl Chenet, Free Software Indie Hacker, founder of the French-speaking Hacker News-like Journal du hacker.


Translated from French by Stéphanie Chaptal. Original article written in October 2016.


12 thoughts on “The Slack Threat”

  1. These positive features of Rocket.chat and Mattermost are also features of Slack. What makes them *different* from Slack? For example, one problem with Slack is that it’s centrally hosted; is it possible to self-host Rocket.chat or Mattermost? Can users on different servers communicate with each other?

    Matrix is another option (see matrix.org). Matrix can be self-hosted. It can be configured so that it interoperates with other Matrix servers (like email) — or not, so that it’s completely private.

    Matrix also aims to interoperate with other services like IRC, Slack, Rocket.chat and Mattermost, by “bridging” messages between the services. (Inevitably, bridging leaks data to those services; bridging is optional.)

    (I use Matrix, but that’s all — I gain nothing by promoting it, except more users on the network!)

    • It would have taken you less than half a minute to check out the homepages for both these projects, if the fact that they are free (libre) software isn’t indication enough.

      mattermost: « Open source, private cloud Slack-alternative » (the first thing you read on their page ffs)

      rocketchat: « Server & Web Client for self-hosting » (on their download page)

    • Riot.im/Matrix is a great option and so is Zulip (which has threading that’s much better than Slack’s version of it): https://sourcecontribute.com/2017/09/10/riot-im-0-12-is-out-yes-its-better-than-slack/

      I’ve used IRC for ages and at first I promoted the hell out of Slack at every company because the alternative was always Skype, Lync or some other proprietary tool which was very poor at sharing code and very poor for discussions in general. Slack was the lesser of two evils. But now that Matrix and Zulip and Mattermost exist, there’s no excuse to switch to Slack. I find it extremely harmful for the free/open source community to be relying on a proprietary tool that has free/open source alternatives. We should be dog-fooding our community’s tools and making them better and promoting instead of throwing up our hands and resigning ourselves to yet another proprietary software-as-a-service that will be hacked and will leak our data.

  2. Talking about alternatives to Slack, there is also good old XMPP for basic chatting and multi-user chats. In the last two years, some clients finally got decent :~)

    We use self-hosted XMPP in my company for internal communication. But it is federated, so we can communicate with the outside world if we want to.

    A little bit more « slack-like » is SàT (Salut à Toi, https://salut-a-toi.org/), but unlike others there is no company behind it, only volunteers, so it is not as advanced.

  3. Just a friendly heads-up, you probably meant « bug you » and not « bugger you » in this sentence:

    > some teams prefer to use it than to go to the office next door or even bugger you to put the information on the dedicated channel

    « Bugger » means something _very_ different 😅

  4. Slack (or any IM system) is also a threat in other ways.

    I find that it’s often a real productivity killer; all those notifications and the feeling of being « left out » if you don’t participate force you to constantly check your channels/feeds to see if there’s anything new. More often than not, this has prevented me from doing real work.

    But at the same time, its use is encouraged, and it gives you the false impression of being productive because you can « instantly provide an answer to a question or give feedback ». But at the same time, you lose your focus on what you were doing.

    Just my 2 cents!

  5. https://a.slack-edge.com/4c1ae/img/security_ent/Security_White_Paper.pdf

    Please read the security paper provided by Slack about their infrastructure and provide your critiques. Then, please elaborate on how you think that somehow every company in the world has the ability to build and maintain that level of security.

    You can complain about user freedom and security threats and on and on but I can guarantee 90% of companies out there are less secure than the companies providing these services. So yes if they get hacked things get exposed. But can you imagine how much worse it would be if every company implemented their own security? Security is expensive and directly cuts into the bottom line so you know – you KNOW – companies cut corners and hire the high school graduate who « knows how to set the clock on my TV so he’s our CSO. » There’s a difference between how things « should » be and how things « will » be and this world is composed of people who don’t care until it affects them and their money directly.

    I have not used Slack for more than a couple minutes, mind you. I just get frustrated with people who rag on something without considering what it would mean with the alternative. I HAVE used RocketChat and it is a dung heap. RocketChat is just a Slack copy-cat without the usefulness and includes (for free) a frustrating interface. Don’t search on duck duck go for « Slack alternatives » and slap them in your article because . Or please tell me how much you love RocketChat because that would be hilarious!
