Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Privacy

Disney To Stop Using Salesforce-Owned Slack After Hack Exposed Company Data (reuters.com) 25

Disney plans to transition away from using Slack as its companywide collaboration tool after a hacking group leaked over a terabyte of data from the platform. Many teams at Disney have already begun moving to other enterprise-wide tools, with the full transition expected later this year. Reuters reports: Hacking group NullBulge had published data from thousands of Slack channels at the entertainment giant, including computer code and details about unreleased projects, the Journal reported in July. The data spans more than 44 million messages from Disney's Slack workplace communications tool, WSJ reported earlier this month. The company had said in August it was investigating an unauthorized release of over a terabyte of data from one of its communication systems.
This discussion has been archived. No new comments can be posted.

Disney To Stop Using Salesforce-Owned Slack After Hack Exposed Company Data

Comments Filter:
  • by ctilsie242 ( 4841247 ) on Thursday September 19, 2024 @07:54PM (#64801385)

    Whatever happened to on-prem messaging tools? Ages ago, ircd would be good enough, but one needs to be able to have attachments stored somewhere, and some places have documentation for long term reference.

    If someone came up with something like Slack or Teams, except 100% on-prem and used interfaces to the server or load balancer, I'm sure it would be useful. Maybe even offer cloud-brokered redirection so people outside the firewall can still communicate, but all data still remains on the physical servers, or something like AWS GovCloud with a guarentee of physical custody.

    • by TigerPlish ( 174064 ) on Thursday September 19, 2024 @08:24PM (#64801429)

      Where I'm at we assiduously assail every cloudification effort, we're even more paranoid than our own infosec peeps. If cloud's the only way, then we do it.

      We also have some infrastructure in the cloud, as a last-resort lifeboat kinda thing for email and AD and such. But it's all built by us, not some 3rd party consultant thing. We're even more paranoid than our own infosec is. They love cloud =o/

      Too many people are drinking Flavor-Aid (tm) and falling for AI buzzwords. Clownstrike is an example -- we called it out something like 4 years ago and we also nixed many others.

      Buying things based on marketing is retarded but that's how most managers (most, not all) do it. Directors nearly always do it. You don't buy the shiniest and prettiest, you buy the one that does the job best.

      • Totally Agree. Would +1 if I had Mod points.
      • I am going to go out on a limb and say that a lot of the cloud services can be put on-prem, with something that can do cloud brokering. For example, something like RealVNC never needs to jump a firewall in, because both machines are connecting to the cloud broker, and creating a connection from that.

        If we can do this with internal file sharing and other apps, the crown jewels can remain in a secure area, while people have access without needing a VPN. Best of all worlds.

    • Then their servers would have got hacked too potentially and they'd have lost all data.

      This isn't Slack's fault. Disney failed to secure it, not Slack. The only two real alternatives are Slack and Teams. Maybe if Discord went professional version they'd be a contender.

      Yes, there are other chat applications out there, but they are no where near as powerful as Slack. This is a stupid move on Disney's part.

      They can always run Spark for internal messaging or roll their own (even make it open source! tha
    • Whatever happened to on-prem messaging tools? Ages ago, ircd would be good enough, but one needs to be able to have attachments stored somewhere, and some places have documentation for long term reference.

      If someone came up with something like Slack or Teams, except 100% on-prem and used interfaces to the server or load balancer, I'm sure it would be useful. Maybe even offer cloud-brokered redirection so people outside the firewall can still communicate, but all data still remains on the physical servers, or something like AWS GovCloud with a guarentee of physical custody.

      Matrix open standard protocol then? https://matrix.org/ [matrix.org]

    • by Tony Isaac ( 1301187 ) on Thursday September 19, 2024 @10:32PM (#64801667) Homepage

      What on earth makes you think on-prem would be more secure than in the cloud? Are your company's IT staff better trained in security than Microsoft or AWS? Most places I've worked, there were a few guys on the IT team, and they had to juggle security concerns with a long list of other IT demands. Security issues often took a back seat, because they weren't "urgent." For Microsoft and Amazon, security is critical to their success, it's what they do, and they have the money to do it. I'd personally trust them far sooner than my own company's often inept IT department.

      • by ctilsie242 ( 4841247 ) on Thursday September 19, 2024 @11:02PM (#64801695)

        Three reasons:

        1: Physical security and control of data. I know where the data is at all times. I can throw it to tape without huge egress fees, and since WORM tape is relatively cheap, having an attacker destroy those tapes is a lot harder than the cloud where it just takes a delete command. Yes, there is object locking, but nuking other stuff is easy. Data exfiltration is a lot easier to protect against when you can air gap it, and know it won't be exiting that network, barring a Stuxnet type of attack.

        2: Cost. A basic closet with some basic HVAC is going to be a lot cheaper than a cloud buildout.

        3: You have to do the same securing with data in AWS as you do on-prem. Router ACLs, security groups, VLANs, VPCs, and so on, you need to have people who know how to configure AWS, as one wrong command, and now you have something open for the entire world to attack, while a sane firewall on an on-prem network can greatly reduce the chance of some open machine being attacked.

        4: I have not seen cloud deployments be any more secure than on-prem. You still have phished users, ransomware, backup issues. In fact, you also have the fact that cloud stuff has a lot of expenses, and can be harder to back up than VMs sitting on VMWare, Hyper-V, or Proxmox.

        5: Availability. Yes, cloud stuff has a nod there, but I can get some pretty good nines out of COTS hardware, MinIO, a load balancer, two 100gigE switches, and a number of SuperMicros with drives. MinIO does multiple disk and multiple machine erasure coding quite well, so objects stored there are just as secure as objects stored on AWS.

        Either way, you are paying for that server. I'd rather pay for what I know. On-prem security is a well known item, and done remotely right, it is pretty secure. In any case, the breaches are almost always users, like credential stuffing attacks, or logging on an untrusted endpoint.

        The cloud is just a tool. It isn't a magic wand you can wave over a company and claim they are 100% secure. If you don't have a solid AAA mechanism, your company is toast, no matter where the bits are located.

        • by Tony Isaac ( 1301187 ) on Thursday September 19, 2024 @11:18PM (#64801723) Homepage

          I'd rather pay for what I know

          THIS is the key. You know on-prem systems better than you know cloud systems. This makes it a good choice for you, but it doesn't make on-prem inherently safer.

          If you know your cloud systems, you can manage your systems with lower cost and higher security than on-prem. How many on-prem systems employ geo-redundant real-time backups?

          Cloud systems are rapidly making it much, much harder to leave your stuff open to the world. Security settings like encryption at rest and encryption in transit are enabled by default. Key vaults or secrets storage are part of the package. On-prem, you have to specifically install a secrets manager and require people to use it, and not many companies do this.

          You're right, it's entirely possible to botch cloud configurations, but no more easily than on-prem configurations. In the cloud, phishing attacks are blunted through use of managed identities. There *is no password* to be accidentally leaked. That's not so easy to do on-prem.

          The truth is, once you get to *know* how security works in the cloud, you find out that it's much more robust than most on-prem systems.

          • "it's entirely possible to botch cloud configurations, but no more easily than on-prem configurations"

            There's even a hidden advantage for cloud systems: if your botch your on-prem system your competitors are still running. ;-)

        • by zlives ( 2009072 )

          the other issue with cloud is the disparate systems and settings. lets say you actually kept 1-1 support staff for on prem to a cloud migration, but in cloud now you need some one that knows azure, aws and google cloud plus any third party cloud apps that may have different mechanisms for deployment security and monitoring, if you even have that control.

          cloud has always sold as a cost saver and not what it is actually good for, flexible growth or shrinkage. thus no one thinks about if we go cloud we are goi

    • I'm all for on premise technology, i don't think it helps "hackability", i think it makes it even easier with mismanagement. It is not known how was the hack done, but since we didn't other slack leaks of other companies i don't think that the issue is with slack but rather most likely spyware on employee's computer or accessed email login with someone being able to get into employee'a account. Considering how many companees are terrible at security i would trust a third party that actually takes measures i
    • by jmccue ( 834797 )

      If someone came up with something like Slack or Teams, except 100% on-prem and used interfaces to the server or load balancer, I'm sure it would be useful

      There was some few years ago, the ones I remember were by Lotus. Lotus Sametime plus one version of it that never made it out the door, Notes-buddy. Notes-buddy was far better then any version of Sametime. But by then IBM had their hands into Lotus and started ruining the products. So after that IBM moved to slack and other third party products.

      But people want miracles. They want 100% security while allowing people outside the organization to attach pictures, word and excel documents and lol cats. So

    • by KlomDark ( 6370 )
      Check out Nextcloud and it's Nextcloud Talk service. Solid, open source, on-prem: https://nextcloud.com/talk/ [nextcloud.com]
    • by dskoll ( 99328 )

      Mattermost exists. It's a pretty good Slack replacement; most of the features with none of the anti-features and you can self-host it.

    • by Zucht ( 677117 )

      Whatever happened to on-prem messaging tools?

      It's called Zulip https://zulip.com/plans/#self-... [zulip.com]

  • bad management (Score:4, Interesting)

    by Big Hairy Gorilla ( 9839972 ) on Friday September 20, 2024 @08:37AM (#64802569)
    Simply put, contracting out management and security are management malpractice.

    "Management" is the company. If you don't manage your own company, then you're giving away the core purpose of the company to a third party.

    Here's "management" today: Here are the keys to my kingdom, don't break anything, I'll be on an island in the Carribbean, call me if you need anything.

    Following the crowd and cutting costs without understanding the implications, leads to this.
  • If you want the perfect summary of Salesforce's level of competence and effort, to this day, they send redirecting HTML file attachments in their to-customer emails instead of links. Our system filters out all HTML attachments because of Kryptix, among others. They don't know security. They don't want security. They don't "do" security.
  • They're going to switch to Microsoft Teams just like most major corporations did, mostly because the license for it is bundled in their Office 365 subscription.

    I like how this article tries to make it about data security and privacy, but it's probably more of a cost savings measure.

  • XMPP has everything you need. Write your own with XMPP as the starting point.
    Or don't ...
    Just use open solutions like Jabber, Prosody, Conversations, and the like which are self hosted opensource and wall to wall encrypted.

    Don't use Whatsapp or Telegram, or Microsoft Anything. Don't use commercial apps. They own you.
    You're late to the party if you don't know that.

If you're not part of the solution, you're part of the precipitate.

Working...