"Slack takes security very seriously."
Why do you journalists let them (PR people in general) get away with this when the circumstances say otherwise? Follow it up with "Then how do you account for...?". Make the bar stewards work for their money.
Slack is distributing versions of its chatroom app for Linux machines that are not digitally signed, contrary to industry best practice. The absence of a digital signature creates a means for miscreants to sling around doctored versions of the software that users wouldn't easily be able to distinguish from the real thing. El …
"I think that John is trusting readers of El Reg to draw the logical conclusion from the statement"
Sure we can. But that doesn't stop PR spouting the same self-serving crap every single time. I suspect they're simply saying it to get the statement on record to use in defence in any future court case. If they actually gave such a statement in court they'd be seriously challenged on cross-examination.
They really need to be challenged in the media as well. Tell them they're not being believed. Tell them their statement isn't going to be used at all unless they enlarge on how the events contradict the statement. Tell them that instead there'll be something like "We asked X for a statement but their response was so anodyne and bore so little relationship to events that we won't trouble you with having to read it because you won't believe it anyway."
Dead on! This game has been going on too long. GDPR must impose fines for companies who pull this bullshit! The last decade has seen corporations hiring more PR heads while firing Tech staff. Face it Slack, you're just another Equifux / Avast waiting to happen!
The cybercrims have won this round. Let's hope the next decade goes better. It's not rocket science. Start by hiring talented tech pros and paying them accordingly. Don't like that, cos you see tech guys as plumbers? Then watch your bonuses get flushed away!
I think you are very unfairly disparaging plumbers: both plumbing and IT are jobs that require a good degree of technical knowledge and skills, and if either aren't treated with the relevant respect and importance, they don't work properly and the business gets covered in shit…
(And sometimes techies have to use the equivalent of a drain unblocker, too…)
The multinational hotel chain I recently went to that wanted my credit card details sent in plain text said the same thing when I told them that this is bad security practice and surely a breach of PCI DSS. I think it's something that is taught to spokesdrones to always say as the very first thing when security is being questioned.
Really? Is that it?
I've come to expect some pretty slap-dash, corner-cutting gobshite from web-based startups, but if it is that easy to sort out then their failure to do it right in the first place is hideously embarrassing incompetence and their subsequent failure to fix it in August is wilful negligence.
>This is partly the fault of yum's maintainers. There should be a blatantly obvious warning and acceptance prompt if you try to install an unsigned package. That would force companies to do it to prevent complaints from users.
There is. By default yum will scream at you if you try to install unsigned packages; you have to explicitly configure yum to ignore signatures. Given that even the most lowly back-alley free projects can quite happily manage signing (as someone who has built plenty of RPMs myself I assure you it's utterly trivial!) I'm completely astonished by Slack.
Gotta live up to their name I guess.
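The yum point made in the comment above is worth making concrete. The signature check is controlled by `gpgcheck`: a per-repository value in a `.repo` file overrides the default from the `[main]` section of `/etc/yum.conf` (stock distribution configs set `gpgcheck=1` there), and a repository with `gpgcheck=0` installs unsigned RPMs without complaint. The script below is an added example, not code from the article, from Slack or from any commenter: it audits a `.repo` file and lists the repositories whose effective `gpgcheck` is off, with the weak setting and the corrected one side by side in a constructed sample file. The repository URL, key path and repo ids in the sample are placeholders, not Slack's real repository.

```shell
#!/bin/sh
# Added example (not from the article or the comment thread): audit yum .repo
# files for repositories that would silently install unsigned RPMs.
# yum verifies package signatures when gpgcheck=1; a per-repo value overrides
# the [main] default from /etc/yum.conf, which is passed in as $2 here.

# Print the ids of repositories in file $1 whose effective gpgcheck is off.
# $2 is the [main] default; assume 1 (the usual shipped value) if not given.
unsigned_repos() {
    awk -v dflt="${2:-1}" '
        function flush() {
            # yum accepts 0/1, yes/no and true/false for booleans
            if (id != "" && tolower(check) ~ /^(0|no|false)$/) print id
            id = ""
        }
        /^[[:space:]]*\[/ {
            flush()
            id = $0
            sub(/^[[:space:]]*\[/, "", id); sub(/\].*$/, "", id)
            check = dflt
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            check = $0
            sub(/^[^=]*=[[:space:]]*/, "", check); sub(/[[:space:]]*$/, "", check)
        }
        END { flush() }
    ' "$1"
}

# Number of weak repositories in file $1 (default from $2), for a pass/fail check.
weak_repo_count() {
    unsigned_repos "$1" "$2" | awk 'END { print NR }'
}

# Write a constructed sample .repo file to $1: the weak setting, the corrected
# setting, and a repo that inherits whatever [main] says. The URL, key path and
# repo ids are placeholders (assumption), not a real vendor repository.
write_sample_repo() {
    cat > "$1" <<'EOF'
[chat-unsigned]
name=Chat app (weak: unsigned packages are accepted)
baseurl=https://packages.example.invalid/linux/rpm/x86_64
enabled=1
gpgcheck=0

[chat-signed]
name=Chat app (corrected: signatures required)
baseurl=https://packages.example.invalid/linux/rpm/x86_64
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[chat-inherits]
name=Chat app (no gpgcheck line: inherits the [main] default)
baseurl=https://packages.example.invalid/linux/rpm/x86_64
enabled=1
EOF
}

# Stand-alone demo: ./audit_repos.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_repo "$tmp"
    echo "Repositories that accept unsigned packages (main default 1):"
    unsigned_repos "$tmp"
    echo "Same file if /etc/yum.conf [main] had gpgcheck=0:"
    unsigned_repos "$tmp" 0
    rm -f "$tmp"
fi
```

With the shipped default of 1 only `chat-unsigned` is reported; with a `[main]` default of 0 the `chat-inherits` repo is reported as well, which is why the audit takes the `[main]` value rather than assuming it. For a single downloaded package, `rpm -K package.rpm` (the same as `rpm --checksig`) shows whether the file carries a signature at all, independent of any repository configuration.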