Microsoft Puts Slack On Internal List of 'Prohibited and Discouraged' Software (geekwire.com)
PolygamousRanchKid shares a report:
GeekWire obtained an internal Microsoft list of prohibited and discouraged technology -- software and online services that the company doesn't want its employees using as part of their day-to-day work. We first picked up on rumblings of the prohibition from Microsoft employees who were surprised that they couldn't use Slack at work, before tracking down the list and verifying its authenticity. While the list references the competitive nature of these services in some situations, the primary criteria for landing in the "prohibited" category are related to IT security and safeguarding company secrets.
Slack is on the "prohibited" category of the internal Microsoft list, along with tools such as the Grammarly grammar checker and Kaspersky security software. Services in the "discouraged" category include Amazon Web Services, Google Docs, PagerDuty and even the cloud version of GitHub, the popular software development hub and community acquired by Microsoft last year for $7.5 billion...
"It's not just the risk that Google will try to find trade secrets from data stored on their servers," said Christopher Budd, who has worked in security technology for 20 years, including past roles in Microsoft security and privacy communications. "When you're at Microsoft, you're at risk of state sponsored industrial espionage."
The article notes that in the past Microsoft adopted an even harsher stance to employees using competing products. "At a company meeting during his tenure as CEO, Steve Ballmer once famously snatched an iPhone from an employee and pretended to stomp on it..."
But GeekWire also argues that Microsoft's prohibiting of a popular chat tool "can have implications in a competitive recruiting environment."
Company restricts software on its computers (Score:3, Insightful)
How is this different than any other corporate policies companies have regarding acceptable use of computing resources? I guess since it's Microsoft, it's big news?
Slow news day it is.
Re: (Score:2)
Except for those silly companies that embrace and adopt stuff in the cloud. Which is the company I'm in now, they're using Microsoft Azure for everything, all the worst of the worst MS products. Moving away from stuff that works to stuff that doesn't work and that doesn't even require VPN.
Re: (Score:2)
Sounds sensible. In the past where I was it was AOL Instant Messenger for internal chats, even sensitive stuff was on there, very strange (startups are always stupid though, I guess it's in their nature).
Re: What a retarded submission (Score:2)
That's because Skype (and likely your email) provides end-to-end encryption. Slack does not. It's basic security policy that is likely in effect at most Fortune 500 companies.
Re: (Score:2)
Slack does not? According to Slack, it provides data encryption in transit and at rest [slack.com]. It's also GDPR-compliant and is certified for HIPAA, FedRAMP, NIST 800-171 and more. Something tells me you don't actually know anything about it.
Re: What a retarded submission (Score:2)
Lol. That doesn't mean it's end to end encrypted. Slack literally reads your messages to hook into APIs. What are you smoking to believe that's end-to-end encryption?
Slack employees don't even believe you: https://www.google.com/amp/s/w... [google.com]
Way to shill, though.
Hypocrisy (Score:2)
How is this different than any other corporate policies companies have regarding acceptable use of computing resources? I guess since it's Microsoft, it's big news?
Slow news day it is.
It's hypocritical for them to push their own cloud-based systems while simultaneously complaining about the potential for exploitation of similar cloud-based systems with basically the same set of vulnerabilities. Or did you think that One Note, Office 365, and Microsoft Teams were somehow massively different in overall vulnerability?
Re: (Score:2)
So they are supposed to be concerned about them spying on them?
Sounds like internal security audit and review to me.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Plus, most businesses don't have their own versions of these tools. In 99% of cases, it makes sense for businesses to use the services of cloud providers.
Microsoft has its own online office suite, its own team communication software, etc. - not only does it not make sense for their confidential information to be stored unnecessarily on servers outside of their control, it is simply good for them to eat their own dog food, using the experiences to make their products better.
My list of discouraged software includes... (Score:5, Funny)
Re: (Score:2)
Hey - maybe he takes a shitload of ambien and sleep-codes.
You don't know!
Re: (Score:2)
Be sure to add Firefox to your list of banned software. It can send out "telemetry", as well as other user info, to a variety of destinations.
In Windows 10, even if you turn off all the presented options for spyware, Windows still phones home. Is that true of Firefox?
Re: (Score:2)
Re: (Score:2)
You can turn Firefox telemetry off. Give that a go with Windows 10 without hysterical workaround and ridiculous effort using extra hardware running non-Microsoft software. (e.g. blocking at router, DNS blackhole, etc.)
Re: (Score:3)
You can turn off Windows 10 telemetry quite simply, just air-gap it. I recommend a rather large air gap, such as the distance between wherever you are, and Seattle.
Re: You mean like ... Slack? (Score:2)
You need licenses because without a license to copy the code, you can't install or use it due to copyright law.
Re: (Score:2, Insightful)
Re: (Score:3)
Whataboutism, actually, and straw man at that.
Re: (Score:3)
Your whataboutism doesn't actually change the fact that you cannot disable the Windows Telemetry without taking hostile action on your network and constantly playing whack-a-mole every time an update changes its behavior, versus literally every other OS that has a disable button that actually disables it.
Re: (Score:2)
What telemetry? Are you some poor consumer? No company puts Windows 10 on a discouraged software list because no company has to put up with telemetry.
Re: (Score:2)
Being heavily driven by unbiased data is something deeply ingrained into the Microsoft culture, and telemetry is part of how they get data.
I'd be lying if I said I was anything near comfortable with it when they first started doing it, and I'm still not 100% comfortable with it, but I really don't believe they're using it for "evil".
Re: My list of discouraged software includes... (Score:2)
This is the big deal here. I don't use Windows or anything other than XBox, but I trust Microsoft because I've been dealing with them for decades without them giving me any reason to believe they are doing anything untoward with my data. Our priorities are aligned.
Privacy becomes more an issue with companies based on an ad model or companies you can't trust to be competent.
So fucking pay them (Score:2)
Telemetry is only always-on in the lower tier versions of Windows 10. Write them a check and they let you control your own computer.
Re: My list of discouraged software includes... (Score:2)
I believe it. Windows IT is a ghetto. The rest of the wide world is on *nix. Not doing Windows is like not selling individual cigarettes: it only makes sense when you live in the ghetto.
Someone at Microsoft trying to make money? (Score:2)
Re: (Score:2)
Idiot (Score:1)
Microsoft has its own competing product called Teams. Common sense says that they want their employees using their product and not supporting a competing product.
My guess is that there's a ban on Bing employees using Google for search as well, because DUH.
Re: (Score:3)
Actually, know thy enemy is a real thing. I'm sure they know that not having people who are routinely using the competing products on staff risks creating a staff with blinders to the competition. It is risky to ban use of competing products.
I feel sure that the primary reason for the ban is to help prevent intellectual property and business intelligence leaks. I don't believe it is because they believe those other businesses might snoop. They are merely reducing the attack surface for nation state-level ha
Re: (Score:2)
Actually, know thy enemy is a real thing. I'm sure they know that not having people who are routinely using the competing products on staff risks creating a staff with blinders to the competition. It is risky to ban use of competing products.
Well, there’s another problem though. If you’re trying to sell a product (let’s call it “Teams”), and anyone within shouting distance of your product’s dev team is using a competing product (which we’ll refer to as “Slack”), you might be opening yourself up to legal issues when some new “Teams” feature closely mirrors what a “Slack” feature does. Especially if anyone on your large payroll has ever worked for the competitor, which
Re:Idiot (Score:5, Insightful)
There's also the fact that a huge amount of confidential and proprietary information gets disseminated in Slack, which is, after all, taking place on someone else's computers. And relying on that company's computers means your business' internal communication is also held hostage to that company for reliability / uptime.
I think it's telling that, for companies like Microsoft and Amazon (Amazon has the same policy, and has their own internal chat app), they're not so willing to trust their critical infrastructure to others, yet they keep trying to convince others that it's fine for THEM to trust them with YOUR data.
Re: Idiot (Score:2)
It's basic risk management. There is risk to using third party security, but there is also a risk in handling your own security (especially in modern Docker-centric development where security patches only get applied if you release new code).
The main difference here is that I am 100% positive I can build something more secure than Slack. I cannot say the same about Azure or AWS.
You have to weigh the whole problem, not just one aspect.
Re: (Score:2)
I have a feeling it's more about "we want to control our data, rather than trust someone else to control our data."
After all, they run competing services, and who is better to know just how much analysis and scraping can be done!
Re:Someone at Microsoft trying to make money? (Score:4)
I don't even see why this is news. Every company that I know of has a list of banned software allowed on their computers. It's not unheard of a company having rules preventing employees from using competing products on the job.
I remember a few years ago Coke fired a delivery driver for drinking a Pepsi on the job. Pepsi sent him a case, thanked him for trying their product, and offered him a job.
Re: (Score:3)
I agree with you. It just makes me highly suspicious when these things happen at interesting times. There was another one a couple of days back where Facebook started advertising their own crypto-currency but they had banned the advertisement of crypto-currency last year. The timeline went,
2018 Jan - Facebook bans cryptocurrency advertising.
2019 Mar - Facebook rolls back ban.
2019 Jun - Facebook starts advertising its own cryptocurrency.
Which is also interesting. And now, at almost the exact same time that
wish the same (Score:3)
I liked slack when we first started it at work a few years ago, it was just about like IRC.
But they added threads, now it is a major pain to use with people responding to threads that are 2 weeks old. One spends more time looking for unread items than anything else. And yes using the 'see all unread' is almost as bad as threads.
Re: (Score:2)
I started going off slack when they closed their irc gateway. Now I have to run their memory hogging client.
Opposite take here (Score:2)
But they added threads, now it is a major pain to use with people responding to threads that are 2 weeks old.
So far in teams I've been in thread use has been light and reasonable... I can see the problem with what you are saying but there are also times when threads are really great, we'll break a side conversation into 50 messages that would have swamped the primary area.
Maybe it should be a configuration option for the server to say you couldn't respond to threads more than a few days old, I also find bum
Re: (Score:3)
Not having threads is a huge pain when people are trying to have more than one conversation at a time. I haven't used Slack in a few years, since one of my last contract jobs, but I do remember it took a while to stop posting in the wrong thread. I just think Slack's UI isn't all that great.
Re: (Score:2)
Some connection between advent of Slack threads and legal weed at work perhaps.
Re: (Score:2)
We used slack at work. Management used Teams. We were forced to switch, and they blocked all our Slack accounts so we couldn't go to the history there.
Going back to read a few days in Teams is like doing it in your phone's texting system. It's tedious and requires clicking (no consistent page back/forward). I do slack for external groups and Slack's UX IMO is far easier to deal with.
So now, no one chats.
Former Slack User Here (Score:2)
Re: (Score:2, Redundant)
We used Slack when our team was first formed and we loved it. Then orders came from on high to use Teams. What a difference. Missed messages, horrible UI/UX, productivity down. What's not to like?
If you're a business, this: https://arstechnica.com/inform... [arstechnica.com]
Re: (Score:1)
We used Slack when our team was first formed and we loved it. Then orders came from on high to use Teams. What a difference. Missed messages, horrible UI/UX, productivity down. What's not to like?
If you're Microsoft or any other software company, last month's Slack vulnerability which allows diverting of downloaded files. https://arstechnica.com/inform... [arstechnica.com]
Re: (Score:1)
We used Slack when our team was first formed and we loved it. Then orders came from on high to use Teams. What a difference. Missed messages, horrible UI/UX, productivity down. What's not to like?
Can you install Slack on a private server? If not, it is obvious why Slack is on the list. Nearly all documents are company confidential.
Re: (Score:2)
More to the point, Microsoft needs to spy on its employees.
Re: Former Slack User Here (Score:2)
For a company like MS which is regularly targeted by the most elite cyber offense in the world, they are probably far more concerned with other people spying on their employees.
This isn't some Web 3.0 AI powered blockchain ad network. Microsoft is responsible for the most critical infrastructure in the world.
Re: (Score:2)
Give me a break, nobody needs to be elite to target Microsoft successfully, any half wit script kiddie can do it. For example, just send a gimmicked cat video to the HR director.
Re: Former Slack User Here (Score:2)
Alright then, I'll give you half a Bitcoin if you can get me the daily build source of SQL Server. Should be easy, since all you need to do is go on Reddit and find some script kiddie to split the cash with.
You're a fucking moron.
Re: (Score:2)
You are a typical mouthy, dimwitted Microslut.
Re: (Score:2)
Re: Not a good strategy (Score:2)
Does your employer allow you to run an unsecured IRC server open to the public Internet?
I bet they do not. Or at least they wouldn't if they knew what that meant.
Re: (Score:2)
At the employer that did allow that the IRC admin was also the head of info security.
Most of the users were blissfully unaware of this ;)
Re: Google is abusing MS data? (Score:2)
The only way to ensure your day to day communication is safely encrypted is to not use Slack. What part of this don't you get?
Re: (Score:2)
Slack is indispensable because it allows us to stop using Skype for Business. That's it, really.
The list? (Score:2)
Comment removed (Score:3)
Re: (Score:2)
The United States government says it's bad, dangerous, and devoid of redeeming qualities.
I don't know about those first parts, but the last one is true. When it was new, AVP was about as accurate as anything else, and lightning fast. These days, however, it is the slowest A-level antivirus on the market, and has the most overhead of any of 'em AFAICT. It totally ruins performance, making the machine sluggish, like it's bogged down in metaphorical mud.
Re: (Score:2)
What do you recommend these days? I'm on MacOS.
Linux.
Seriously though, I'm way out of touch on MacOS. I only own old macs, an SE and an iMac G4, and they're both in storage. And I sold the SE, but the guy kept not making contact with me when I tried to deliver it, so I still have it.
In-house testing and feedback (Score:4, Insightful)
Time to support Slack (Score:2)
Just use IRC (Score:3)
IRC is simple, you can run your own server, there are lots of clients and it's an open standard. I don't blame anyone for banning ShittyIRC because it's... shitty.
Re: (Score:2)
I find any always-on chat client to be detrimental to getting work done. Maybe it’d be worthwhile if every member of the team was disciplined and, consistently, only used it when necessary... but I’ve never been on such a team (and, to be fair, I’d probably fail that test as well).
Re: (Score:2)
What about medias like animated GIFs, videos, emojis, images, etc.? :P
Whoops (Score:5, Interesting)
It's awesome to learn about your own company's policies from a third party news headline.
For what it's worth, two of my customers use Slack and I'm on it all the time. As a service provider, I go where my customers are. I'm not going to make them come to me if I can go to them instead.
Re: (Score:2)
I use Teams too, for all our internal communications, sorry if that wasn't clear.
As a rusty curmudgeon I complained a lot about the differences between it and Lync/Skype for Business. Quietly though, if you cornered me, I'd begrudgingly admit that Teams is better than SfB. It doesn't have the weird issue where my Microphone gain would slowly creep up when I was on mute and then sound-bomb whenever I spoke up. It also doesn't drop me when I flip from phone data to wi-fi like SFB used to.
+1 for improved funct
makes sense (Score:2)
MS has competing products available of its own, why would you use the competition.
eat your own dogfood.
FAILS TO MEET SECURITY REQUIREMENTS, Duh! (Score:4, Informative)
For the other things on the list, Kaspersky? The same AV software that's basically banned from all US Government computers over espionage concerns? Why would anyone care if Microsoft used that, it's not like the US Government is a significant Microsoft customer, right?
Amazon AWS? Why TF would anyone be OK with paying a competitor for hosting when you sell a directly competing product? Would anyone be surprised if AT&T had a policy of "We don't purchase business cell service from Verizon."?
And for Grammarly, again it's document security concerns. Third party plugins accessing everything in documents and webpages, does Grammarly do all of its processing locally or is there a cloud component?
What a flippin' non-story.
Re: (Score:2)
Teams is still a massive improvement over Skype for Business, and I'm very glad that we've migrated.