
Disney To Stop Using Salesforce-Owned Slack After Hack Exposed Company Data (reuters.com) 21

Disney plans to transition away from using Slack as its companywide collaboration tool after a hacking group leaked over a terabyte of data from the platform. Many teams at Disney have already begun moving to other enterprise-wide tools, with the full transition expected later this year. Reuters reports: Hacking group NullBulge had published data from thousands of Slack channels at the entertainment giant, including computer code and details about unreleased projects, the Journal reported in July. The data spans more than 44 million messages from Disney's Slack workplace communications tool, WSJ reported earlier this month. The company had said in August it was investigating an unauthorized release of over a terabyte of data from one of its communication systems.

  • by ctilsie242 ( 4841247 ) on Thursday September 19, 2024 @08:54PM (#64801385)

    Whatever happened to on-prem messaging tools? Ages ago, ircd would be good enough, but one needs to be able to have attachments stored somewhere, and some places have documentation for long term reference.

    If someone came up with something like Slack or Teams, except 100% on-prem and used interfaces to the server or load balancer, I'm sure it would be useful. Maybe even offer cloud-brokered redirection so people outside the firewall can still communicate, but all data still remains on the physical servers, or something like AWS GovCloud with a guarantee of physical custody.

    • by TigerPlish ( 174064 ) on Thursday September 19, 2024 @09:24PM (#64801429)

      Where I'm at we assiduously assail every cloudification effort, we're even more paranoid than our own infosec peeps. If cloud's the only way, then we do it.

      We also have some infrastructure in the cloud, as a last-resort lifeboat kinda thing for email and AD and such. But it's all built by us, not some 3rd party consultant thing. We're even more paranoid than our own infosec is. They love cloud =o/

      Too many people are drinking Flavor-Aid (tm) and falling for AI buzzwords. Clownstrike is an example -- we called it out something like 4 years ago and we also nixed many others.

      Buying things based on marketing is retarded but that's how most managers (most, not all) do it. Directors nearly always do it. You don't buy the shiniest and prettiest, you buy the one that does the job best.

      • Totally Agree. Would +1 if I had Mod points.
      • I am going to go out on a limb and say that a lot of the cloud services can be put on-prem, with something that can do cloud brokering. For example, something like RealVNC never needs to jump a firewall in, because both machines are connecting to the cloud broker, and creating a connection from that.

        If we can do this with internal file sharing and other apps, the crown jewels can remain in a secure area, while people have access without needing a VPN. Best of all worlds.

    • Then their servers would have got hacked too potentially and they'd have lost all data.

      This isn't Slack's fault. Disney failed to secure it, not Slack. The only two real alternatives are Slack and Teams. Maybe if Discord went professional version they'd be a contender.

      Yes, there are other chat applications out there, but they are nowhere near as powerful as Slack. This is a stupid move on Disney's part.

      They can always run Spark for internal messaging or roll their own (even make it open source! tha
    • Whatever happened to on-prem messaging tools? Ages ago, ircd would be good enough, but one needs to be able to have attachments stored somewhere, and some places have documentation for long term reference.

      If someone came up with something like Slack or Teams, except 100% on-prem and used interfaces to the server or load balancer, I'm sure it would be useful. Maybe even offer cloud-brokered redirection so people outside the firewall can still communicate, but all data still remains on the physical servers, or something like AWS GovCloud with a guarantee of physical custody.

      Matrix open standard protocol then? https://matrix.org/ [matrix.org]

    • by Tony Isaac ( 1301187 ) on Thursday September 19, 2024 @11:32PM (#64801667) Homepage

      What on earth makes you think on-prem would be more secure than in the cloud? Are your company's IT staff better trained in security than Microsoft or AWS? Most places I've worked, there were a few guys on the IT team, and they had to juggle security concerns with a long list of other IT demands. Security issues often took a back seat, because they weren't "urgent." For Microsoft and Amazon, security is critical to their success, it's what they do, and they have the money to do it. I'd personally trust them far sooner than my own company's often inept IT department.

      • Three reasons:

        1: Physical security and control of data. I know where the data is at all times. I can throw it to tape without huge egress fees, and since WORM tape is relatively cheap, having an attacker destroy those tapes is a lot harder than the cloud where it just takes a delete command. Yes, there is object locking, but nuking other stuff is easy. Data exfiltration is a lot easier to protect against when you can air gap it, and know it won't be exiting that network, barring a Stuxnet type of attac

        • by Tony Isaac ( 1301187 ) on Friday September 20, 2024 @12:18AM (#64801723) Homepage

          I'd rather pay for what I know

          THIS is the key. You know on-prem systems better than you know cloud systems. This makes it a good choice for you, but it doesn't make on-prem inherently safer.

          If you know your cloud systems, you can manage your systems with lower cost and higher security than on-prem. How many on-prem systems employ geo-redundant real-time backups?

          Cloud systems are rapidly making it much, much harder to leave your stuff open to the world. Security settings like encryption at rest and encryption in transit are enabled by default. Key vaults or secrets storage are part of the package. On-prem, you have to specifically install a secrets manager and require people to use it, and not many companies do this.

          You're right, it's entirely possible to botch cloud configurations, but no more easily than on-prem configurations. In the cloud, phishing attacks are blunted through use of managed identities. There *is no password* to be accidentally leaked. That's not so easy to do on-prem.

          The truth is, once you get to *know* how security works in the cloud, you find out that it's much more robust than most on-prem systems.

        • by zlives ( 2009072 )

          the other issue with cloud is the disparate systems and settings. let's say you actually kept 1-1 support staff for on prem to a cloud migration, but in cloud now you need someone that knows azure, aws and google cloud plus any third party cloud apps that may have different mechanisms for deployment security and monitoring, if you even have that control.

          cloud has always been sold as a cost saver and not what it is actually good for, flexible growth or shrinkage. thus no one thinks about if we go cloud we are goi

    • I'm all for on-premise technology, I don't think it helps "hackability", I think it makes it even easier with mismanagement. It is not known how the hack was done, but since we didn't see other Slack leaks of other companies I don't think that the issue is with Slack but rather most likely spyware on an employee's computer or an accessed email login with someone being able to get into an employee's account. Considering how many companies are terrible at security I would trust a third party that actually takes measures i
    • by jmccue ( 834797 )

      If someone came up with something like Slack or Teams, except 100% on-prem and used interfaces to the server or load balancer, I'm sure it would be useful

      There were some a few years ago, the ones I remember were by Lotus. Lotus Sametime plus one version of it that never made it out the door, Notes-buddy. Notes-buddy was far better than any version of Sametime. But by then IBM had their hands into Lotus and started ruining the products. So after that IBM moved to Slack and other third party products.

      But people want miracles. They want 100% security while allowing people outside the organization to attach pictures, word and excel documents and lol cats. So

    • by KlomDark ( 6370 )
      Check out Nextcloud and its Nextcloud Talk service. Solid, open source, on-prem: https://nextcloud.com/talk/ [nextcloud.com]
    • by dskoll ( 99328 )

      Mattermost exists. It's a pretty good Slack replacement; most of the features with none of the anti-features and you can self-host it.

    • by Zucht ( 677117 )

      Whatever happened to on-prem messaging tools?

      It's called Zulip https://zulip.com/plans/#self-... [zulip.com]

  • by Big Hairy Gorilla ( 9839972 ) on Friday September 20, 2024 @09:37AM (#64802569)
    Simply put, contracting out management and security are management malpractice.

    "Management" is the company. If you don't manage your own company, then you're giving away the core purpose of the company to a third party.

    Here's "management" today: Here are the keys to my kingdom, don't break anything, I'll be on an island in the Caribbean, call me if you need anything.

    Following the crowd and cutting costs without understanding the implications, leads to this.
  • If you want the perfect summary of Salesforce's level of competence and effort, to this day, they send redirecting HTML file attachments in their to-customer emails instead of links. Our system filters out all HTML attachments because of Kryptix, among others. They don't know security. They don't want security. They don't "do" security.
  • They're going to switch to Microsoft Teams just like most major corporations did, mostly because the license for it is bundled in their Office 365 subscription.

    I like how this article tries to make it about data security and privacy, but it's probably more of a cost savings measure.
