Post AMCPQcIZZ90ey9aDWS by tek@freeradical.zone
 (DIR) Post #AMCNNRqzk8PnnY2rxo by tek@freeradical.zone
       2022-08-04T22:47:23Z
       
       0 likes, 0 repeats
       
       Dumb security bug of the day goes to Slack. Summary: they discovered a problem with the mechanism of inviting new users to your company.
       
       > The bug we discovered was in this invite link event: along with the information about the shared invite link, *we included the hashed password of the user who created or revoked the link*. This information was sent over the websocket to all users of the workspace who were currently connected to Slack.
       
       Peachy.
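       
       The failure pattern the quoted notice describes, as an added example that is not Slack's code and not part of the original post: an internal record (here a user with a stored credential hash) is nested inside an event object, and the event is broadcast by serializing the whole object graph, so the hash rides along. The hardened form builds the outbound payload from an explicit allowlist of public fields, and a pre-send guard walks the payload and refuses to emit anything carrying a sensitive key. All class names, field names and values are constructed for illustration.

```python
"""Added example (constructed, not Slack's code): over-serialization of an internal
record into a broadcast event, the allowlisted alternative, and a pre-send guard."""
import json
from dataclasses import dataclass, asdict
from typing import Any

# Key names that must never appear in anything sent to other clients (constructed list).
SENSITIVE_FIELDS = frozenset({"password_hash", "password", "salt", "session_token", "mfa_secret"})


@dataclass
class User:
    id: str
    display_name: str
    email: str
    password_hash: str  # internal only: the stored credential hash (constructed value)


@dataclass
class SharedInviteLink:
    link_id: str
    created_by: User  # nesting the full internal User record is where the leak starts
    active: bool = True


def build_event_leaky(link: SharedInviteLink) -> dict[str, Any]:
    """The anti-pattern: serialize the whole object graph. asdict() recurses into the
    nested User, so every internal field, including password_hash, enters the payload."""
    return {"type": "shared_invite_link_changed", "link": asdict(link)}


def build_event_safe(link: SharedInviteLink) -> dict[str, Any]:
    """Hardened form: the payload is assembled from an explicit allowlist of public fields.
    Nothing reaches the wire unless it is named here."""
    return {
        "type": "shared_invite_link_changed",
        "link": {
            "link_id": link.link_id,
            "active": link.active,
            "created_by": {
                "id": link.created_by.id,
                "display_name": link.created_by.display_name,
            },
        },
    }


def find_sensitive_keys(payload: Any, path: str = "") -> list[str]:
    """Walk a JSON-serializable payload and return dotted paths of sensitive keys.
    Usable as a pre-send guard, or in tests over captured outbound frames."""
    hits: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_FIELDS:
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return hits


def broadcast(payload: dict[str, Any]) -> str:
    """Serialize for the wire, refusing to send if any sensitive key is present."""
    leaks = find_sensitive_keys(payload)
    if leaks:
        raise ValueError(f"refusing to broadcast payload with sensitive fields: {leaks}")
    return json.dumps(payload, sort_keys=True)


# Constructed sample data; the hash string is a placeholder, not a real credential.
SAMPLE_LINK = SharedInviteLink(
    "inv_01", User("U1", "Alice", "alice@example.invalid", "$2b$12$constructedplaceholderhash")
)

if __name__ == "__main__":
    print(find_sensitive_keys(build_event_leaky(SAMPLE_LINK)))  # ['link.created_by.password_hash']
    print(broadcast(build_event_safe(SAMPLE_LINK)))
```

       The guard is a second line of defence, not a substitute for the allowlist: a key-name check only catches fields it knows about, whereas constructing payloads field by field means a new internal attribute on User cannot leak by default.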
       
 (DIR) Post #AMCNX7NIjpAlBClcyu by lightweight@mastodon.nzoss.nz
       2022-08-04T22:49:09Z
       
       0 likes, 0 repeats
       
       @tek reinforcing our organisational policy of having nothing to do with Slack...
       
 (DIR) Post #AMCNcWCZrKe5cxKIHA by tek@freeradical.zone
       2022-08-04T22:50:04Z
       
       0 likes, 0 repeats
       
       @lightweight I'm not an advocate, but it's the less bad thing in that space that I've used.
       
 (DIR) Post #AMCNroocw6MnhUQ4CO by lightweight@mastodon.nzoss.nz
       2022-08-04T22:51:49Z
       
       0 likes, 0 repeats
       
       @tek been using our own self-hosted Rocket.Chats (fully FOSS version) for 4-5 years now, and see no need for Slack or MS Teams. If people want to work with us, they use open tools, rather than dragging us into their proprietary abyss.
       
 (DIR) Post #AMCOCMRHdOgNm1IPgm by lightweight@mastodon.nzoss.nz
       2022-08-04T22:53:03Z
       
       0 likes, 0 repeats
       
       @tek I'm an active advocate *against* Slack and Teams and any other proprietary service for the reasons explained here: https://davelane.nz/notslack
       
 (DIR) Post #AMCOCMq698X30yuEMq by tek@freeradical.zone
       2022-08-04T22:56:37Z
       
       0 likes, 0 repeats
       
       @lightweight All valid points, but it's very easy to sell less-technical coworkers on Slack, which they've likely used before. Also, I'd say the network effect here is that everyone and their dog support API integrations with Slack. Want your ticketing system to send a message to a channel automatically? Guarantee they already support it.
       
 (DIR) Post #AMCOXxe0V9TFFEXyvA by lightweight@mastodon.nzoss.nz
       2022-08-04T23:00:30Z
       
       0 likes, 0 repeats
       
       @tek yup, agree most of that, especially with the api integrations (although Slack has a history of arbitrarily limiting their API, kneecapping people who've invested (sometimes heavily) in integration... That's a 'feature' of proprietary services)... but still wouldn't touch them with a barge pole - putting so much potentially valuable organisational/community data in the hands of a hostile 3rd party is poor risk management. But most businesses are already so screwed that way, it's too late.
       
 (DIR) Post #AMCPEtZnV9oj533CwC by mhoye@mastodon.social
       2022-08-04T23:08:17Z
       
       0 likes, 0 repeats
       
       @tek got a url for that please?
       
 (DIR) Post #AMCPQbo5OUchRbJs0G by lightweight@mastodon.nzoss.nz
       2022-08-04T23:07:33Z
       
       0 likes, 0 repeats
       
       @tek most businesses and organisations are already just non-voting subsidiaries of the tech corporations on whose proprietary cloud services they've developed a complete dependence. They haven't been burned by it yet, but stochastics suggests it's just a matter of time. When people say I'm being alarmist I ask them how many MS Silverlight dev shops they remember. I vaguely recall a few. They swaggered around town saying they were they next big thing until suddenly, overnight, they were gone.
       
 (DIR) Post #AMCPQcIZZ90ey9aDWS by tek@freeradical.zone
       2022-08-04T23:10:24Z
       
       0 likes, 0 repeats
       
       @lightweight I've been running Linux since the 386 days, but sometimes you've gotta choose your battles. This is one of them for a lot of organizations. We don't have the time or money to maintain all the services we'd like to use, because those aren't our core competencies.
       
 (DIR) Post #AMCPYHcWKaCd9ZZM3s by lightweight@mastodon.nzoss.nz
       2022-08-04T23:11:07Z
       
       0 likes, 0 repeats
       
       @tek the moral of the story is that while we've got 'less technical coworkers', we who get this stuff need to protect them from themselves. We're the vanguard in helping to bring the world out of the Digital Dark Age it's currently in. https://davelane.nz/darkage
       
 (DIR) Post #AMCPa5G3GUmJOJuzaa by tek@freeradical.zone
       2022-08-04T23:12:08Z
       
       0 likes, 0 repeats
       
       @mhoye It hasn't hit the Googles yet. I just got an email from them warning me about it, with the subject "Security notice from Slack regarding Shared Invitation links".
       
 (DIR) Post #AMCPgG1m8VvkWxBV0i by lightweight@mastodon.nzoss.nz
       2022-08-04T23:13:10Z
       
       0 likes, 0 repeats
       
       @tek I tend to reject that line of thinking. I think most orgs constantly say "it's not our core competency" or 'we don't have time or expertise'. Even hard-core tech companies say that. But I've been running those services - like dozens of them - for a bunch of years, and I think that both the time requirement claims and the expertise claims are greatly overstated. And the risks of not controlling your own shit are wildly understated.
       
 (DIR) Post #AMCPnbR0wZTKwzUa1I by tek@freeradical.zone
       2022-08-04T23:14:34Z
       
       0 likes, 0 repeats
       
       @lightweight I can and have run such things for years. The official Postfix docs linked to my anti-spam recommendations for a long time. But honestly, I'm way more expensive than most small companies want to spend on such things.
       
 (DIR) Post #AMCQPvh84A8kn1J00e by lightweight@mastodon.nzoss.nz
       2022-08-04T23:20:51Z
       
       0 likes, 0 repeats
       
       @tek I hear you. I agree there's a desperate shortage of small service organisations running local personalised tech services for small businesses. I wrote this a few years back: https://davelane.nz/wanted-someone-meet-massive-latent-market-demand it's about half of what my company did from '98-'12. The fact there aren't more out there is, I think, a market failure and a governance failure among businesses allowing themselves to develop fundamental dependencies on foreign businesses.
       
 (DIR) Post #AMCQebSjZTKcNtZLua by lightweight@mastodon.nzoss.nz
       2022-08-04T23:23:03Z
       
       0 likes, 0 repeats
       
       @tek I hear you. I agree there's a desperate shortage of small service organisations running local personalised tech services for small businesses. I wrote this a few years back: https://davelane.nz/wanted-someone-meet-massive-latent-market-demand it's about half of what my company did from '98-'12. The fact there aren't more out there is, I think, a market failure perpetrated by mega corporate monopolists and a governance failure among businesses allowing themselves to develop fundamental dependencies on those megacorps.
       
 (DIR) Post #AMCwtpAm4l4hmcTElk by szakib@freeradical.zone
       2022-08-05T05:25:26Z
       
       0 likes, 0 repeats
       
       @tek 😂 This is epic!
       
 (DIR) Post #AME2tGFLLoTMmu6FIO by tek@freeradical.zone
       2022-08-05T18:07:18Z
       
       0 likes, 0 repeats
       
       @szakib I mean, you did *what*?! 😂
       
 (DIR) Post #AMFpQaPuMudJrKxRVA by eviljarred@waytoomuch.info
       2022-08-06T14:45:13Z
       
       0 likes, 1 repeats
       
       @tek guarantee you a security engineer opened a ticket titled “password hash improperly transmitted via URI” 3 years ago and no one did shit about it until now
       
 (DIR) Post #AMFyl22uFlzkvc1Tou by tek@freeradical.zone
       2022-08-06T16:30:25Z
       
       0 likes, 0 repeats
       
       @eviljarred “We’ve added that to our backlog. Thanks!”
       
 (DIR) Post #AMGKuHm7L8S5JEzIK8 by nacho@frankenwolke.com
       2022-08-06T20:38:33Z
       
       0 likes, 0 repeats
       
       @tek @eviljarred My bet is that somebody decided to accept that risk 😅 https://youtu.be/9IG3zqvUqJY