You lost your ballpoint pen, Slack? Why's your Linux version unsigned?

Slack is distributing versions of its chatroom app for Linux machines that are not digitally signed, contrary to industry best practice. The absence of a digital signature creates a means for miscreants to sling around doctored versions of the software that users wouldn't easily be able to distinguish from the real thing. El …

Silver badge

"Slack takes security very seriously."

Why do you journalists let them (PR people in general) get away with this when the circumstances say otherwise? Follow it up with "Then how do you account for...?". Make the bar stewards work for their money.

33
0

I think that John is trusting readers of El Reg to draw the logical conclusion from the statement based on our collective time exposed to PR bullshit.

21
0
Anonymous Coward

"Slack takes security very seriously."

Dead on! This game has been going on too long. GDPR must impose fines for companies who pull this bullshit! The last decade has seen corporations hiring more PR heads while firing Tech staff. Face it Slack, you're just another Equifux / Avast waiting to happen!

The cybercrims have won this round. Let's hope the next decade goes better. It's not rocket science. Start by hiring talented tech pros and paying them accordingly. Don't like that, cos you see tech guys as plumbers? Then, watch your bonuses get flushed away!

8
0

I agree, but perhaps it would be simpler to implement a this-is-bullshit font.

11
1
Silver badge

"I think that John is trusting readers of El Reg to draw the logical conclusion from the statement"

Sure we can. But that doesn't stop PR spouting the same self-serving crap every single time. I suspect they're simply saying it to get the statement on record to use in defence in any future court case. If they actually gave such a statement in court they'd be seriously challenged on cross-examination.

They really need to be challenged in the media as well. Tell them they're not being believed. Tell them their statement isn't going to be used at all unless they enlarge on how the events contradict the statement. Tell them that instead there'll be something like "We asked X for a statement but their response was so anodyne and bore so little relationship to events that we won't trouble you with having to read it because you won't believe it any way.".

13
0
Silver badge

"perhaps it would be simpler to implement a this-is-bullshit font."

No. The PR folk would just tell their masters that the text had been accepted with no further comment or request for clarification; job done.

4
0

That, and they need to ask questions like "the last six times you spoke to us, it turned out that what you said was untrue. Why should we believe you this time?"

10
0
Anonymous Coward

Re: perhaps it would be simpler to implement a this-is-bullshit font

HTML6 should definitely have a <bs> tag.

5
0
Anonymous Coward

>But that doesn't stop PR spouting the same self-serving crap every single time.

Isn't that their job?

3
0
Silver badge

"Isn't that their job?"

As long as they're allowed to get away with it, yes. But they shouldn't be allowed to get away with it.

3
0
Silver badge

> ...a this-is-bullshit font.

Comic Sans?

8
0
Silver badge

> Comic Sans?

This has my vote.

Reg, pretty please, can you implement the use of Comic Sans when quoting any obviously-bullshit canned statement in the future?

6
0
Gold badge
Unhappy

Re: perhaps it would be simpler to implement a this-is-bullshit font

HTML5 has <body>. That's almost the same thing.

If you want finer-grain control, here are some other suggestions:

<span class="bs">

<span class="porn">

<span class="terrrist">

<span class="troll">

2
0
Silver badge

Re: perhaps it would be simpler to implement a this-is-bullshit font

Instead of slapping Nazis, slap PR bods.

There are far more of them and it's a rewarding activity.

2
0

The multinational hotel chain I recently went to that wanted my credit card details sent in plain text said the same thing when I told them that this is bad security practice and surely a breach of PCI DSS. I think it's something that is taught to spokesdrones to always say as the very first thing when security is being questioned.

1
0

Plumbers

I think you are very unfairly disparaging plumbers: both plumbing and IT are jobs that require a good degree of technical knowledge and skills, and if either aren't treated with the relevant respect and importance, they don't work properly and the business gets covered in shit…

(And sometimes techies have to use the equivalent of a drain unblocker, too…)

1
0
Silver badge

PR blurb

"Slack takes security very seriously"

Yes, so seriously we have done nothing about it even though it's been on the roadmap for ages, and so seriously we didn't just implement the security from the start . . .

11
0
Silver badge

It isn't that hard to do

Even I do it for the tiny repo that I have created - mainly for my own convenience.

Words are always cheaper than actions; so do they have a blame-someone-else script already written if/when it is hacked again? I notice that it was hacked in February 2015.

9
0
Anonymous Coward

Re: It isn't that hard to do

No, it is not hard, therefore taking it "seriously" and it's on a "roadmap" suggest that the BS sniffometer is in the red zone with flashing light and klaxon on this one.

16
0
Silver badge

Re: It isn't that hard to do

Slack by name, slack by nature.

9
0
Silver badge

it's ok

I've scanned the download with CCleaner and it checks out safe.

34
0
Pirate

Re: it's ok

How could you miss adding the icon - for a product from a company called AVAST

LMFTFY--------------------->

10
0
Silver badge

"It's been on our roadmap for quite some time and is coming very soon."

We're just waiting for the horse to bolt first.

14
0
Silver badge

"It's been on our roadmap for quite some time and is coming very soon."

Sounds like "a dev wants to do this, and wrote it in, but management is making him work on 'value added' features"

11
0
Silver badge
FAIL

How long?

Red Hat have been signing their RPMs since 1999, which should have been just about long enough for Slack to realise this is a good idea.

8
0
Silver badge
Trollface

To quote...

... (or at least paraphrase) a lot of the commentards' response to anything when Windows Phone was still a thing:

"Why worry? It's only 3% of the market!"

5
2
Silver badge
Windows

Re: To quote...

As you are fond of saying-

"yaaaaaaawnnnn"

You need new material.

4
3
Silver badge
Facepalm

"It's been on our roadmap for quite some time and is coming very soon." Yes, the road map with the ciggy burn, coffee stain, and a doodle that looks like Professor Farnsworth as a cowboy...

9
0
Silver badge

Obligatory Dr Evil meme : https://imgflip.com/i/1w93mq

3
0
Silver badge

"Slack takes security very seriously."

Is that the same as a hooker saying "I take my health seriously, so you don't need a condom"?

7
1

This is partly the fault of yum's maintainers. There should be a blatantly obvious warning and acceptance prompt if you try to install an unsigned package. That would force companies to do it to prevent complaints from users.

9
0

I was under the impression that yum would refuse to install unless you added --nogpgcheck to the command line.

That said, exactly how much time on "the roadmap" does it take to change:

rpmbuild -ba slack.spec

to

rpmbuild -ba --sign slack.spec

7
0
Gold badge

Re: rpmbuild -ba --sign slack.spec

Really? Is that it?

I've come to expect some pretty slap-dash, corner-cutting gobshite from web-based startups, but if it is that easy to sort out then their failure to do it right in the first place is hideously embarrassing incompetence and their subsequent failure to fix it in August is wilful negligence.

7
0

>This is partly the fault of yum's maintainers. There should be a blatantly obvious warning and acceptance prompt if you try to install an unsigned package. That would force companies to do it to prevent complaints from users.

There is. By default yum will scream at you if you try to install unsigned packages; you have to explicitly configure yum to ignore signatures. Given that even the most lowly back-alley free projects can quite happily manage signing (as someone who has built plenty of RPMs myself, I assure you it's utterly trivial!) I'm completely astonished by Slack.

Gotta live up to their name I guess.

2
0
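The two comments above make the same point from both sides: the publisher's half is one `--sign` flag, and the consumer's half is yum/dnf refusing unsigned packages unless `gpgcheck` has been switched off. The script below is an added example, not code from the thread or from Slack; it audits a yum/dnf-style repo configuration for repositories that would accept unsigned packages. The configuration text is constructed for the example (the repo names and `example.invalid` URLs are placeholders), and it assumes that a repo with no `gpgcheck` line inherits the value from `[main]`, and that with no value anywhere the check is off, which is what the dnf.conf documentation states as the default.

```shell
#!/bin/sh
# Added example: find repos that will install unsigned RPMs.
# Constructed sample config; in practice feed it the contents of
# /etc/yum.conf, /etc/dnf/dnf.conf and /etc/yum.repos.d/*.repo.
SAMPLE_CONF='[main]
gpgcheck=1

[good-repo]
name=Signed packages
baseurl=https://example.invalid/good
gpgcheck=1
gpgkey=https://example.invalid/RPM-GPG-KEY-good

[lazy-repo]
name=Unsigned packages, checking switched off
baseurl=https://example.invalid/lazy
gpgcheck=0

[silent-repo]
name=No gpgcheck line, so the [main] value applies
baseurl=https://example.invalid/silent
'

# Same repos, but nobody set a [main] default at all.
NO_MAIN_CONF='[good-repo]
gpgcheck=1

[lazy-repo]
gpgcheck=0

[silent-repo]
baseurl=https://example.invalid/silent
'

# audit_gpgcheck CONFIG_TEXT
# Prints one line per repo: "<repo> <ok|DISABLED> <explicit|default>".
# "default" means the repo had no gpgcheck line and took the [main] value;
# with no [main] value either, the check is treated as off (assumed dnf default).
audit_gpgcheck() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ {
            section = substr($0, 2, length($0) - 2)
            order[++n] = section
            next
        }
        /^gpgcheck[ \t]*=/ {
            v = $0
            sub(/^gpgcheck[ \t]*=[ \t]*/, "", v)
            val[section] = v
        }
        END {
            dflt = ("main" in val) ? val["main"] : "0"
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s == "main") continue
                if (s in val) print s, (val[s] == "1" ? "ok" : "DISABLED"), "explicit"
                else          print s, (dflt   == "1" ? "ok" : "DISABLED"), "default"
            }
        }'
}

# unsafe_repos CONFIG_TEXT
# Just the names of repos that would install packages with no signature check.
unsafe_repos() {
    audit_gpgcheck "$1" | awk '$2 == "DISABLED" { print $1 }'
}

# Demo run on the constructed samples.
echo "== with [main] gpgcheck=1 =="
audit_gpgcheck "$SAMPLE_CONF"
echo "== without any [main] default =="
audit_gpgcheck "$NO_MAIN_CONF"
```

With `[main]` set to `gpgcheck=1`, only `lazy-repo` is flagged; drop the `[main]` section and `silent-repo` is flagged as well, which is the situation the thread warns about: a repo that never opted in. For a single downloaded file the consumer-side check is `rpm -K <file>.rpm` (alias `--checksig`), which reports whether a signature is present and whether it verifies against an imported key.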
Linux

Linux

Why don't you all upgrade your naff Linux to Windows 10?

Your comments are appreciated ... the down vote button is on the right.

3
7

Re: Linux

"Why don't you all upgrade your naff Linux to Windows 10?"

The sheer number of default settings that have been automatically adjusted away from "best practices" by automatically pushed updates is sufficient.

8
1
Silver badge

So who actually uses Slack anyway?

It's a hobbyist distribution, no-one uses it in real life.

4
8

Someone didn't read the article!

Because if they did, they wouldn't have made a fool of themselves with such a moronic post. Since it was a bit TLDR for this person, let me explain to them.

Application, NOT Operating System.

BTW, *raises hand* Slackware 100% since 1997.

2
0
Silver badge
Windows

End of an era

Can't risk this, so have migrated Nan from Slack to MSFT Teams and she's delighted.

3
5


Biting the hand that feeds IT © 1998–2018