this post was submitted on 17 May 2024
66 points (98.5% liked)

TechTakes

1391 readers
81 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 1 year ago
MODERATORS
 

cross-posted from: https://infosec.pub/post/12406642

Body of the toot:

Absolutely unbelievable but here we are. #Slack by default using messages, files etc for building and training #LLM models, enabled by default and opting out requires a manual email from the workspace owner.

https://slack.com/intl/en-gb/trust/data-management/privacy-principles

What a time to be alive in IT. πŸ€¦β€β™‚οΈ

all 29 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 5 months ago (1 children)

"Data will not leak across workspaces because trust us."

Yeah, and every other LLM has demonstrated such great abilities to avoid reproducing training material πŸ™„

[–] [email protected] 11 points 5 months ago (1 children)

I have no idea how they feel like they can back up like half of these claims. Not that it matters, if something leaks they'll just say "oops, nobody could have seen this coming" and then move on.

[–] [email protected] 18 points 5 months ago

I, for one, welcome our all-almost-knowing trade-secret-leaking waste-of-time-and-resources LLM overlords

[–] [email protected] 11 points 5 months ago (2 children)

What does this mean regarding their claims that data is encrypted at rest and in transit? https://slack.com/resources/why-use-slack/slacks-enterprise-security-features

[–] [email protected] 21 points 5 months ago
  • β€˜at rest’ β†’ we're using filesystem encryption
  • β€˜in transit’ β†’ we're using TLS

neither is end-to-end encryption, the data is not private to the service provider.

[–] [email protected] 12 points 5 months ago* (last edited 5 months ago) (1 children)

That's just a fancy way of saying they use tls, like the rest of the world.

They decrypt it once it hits their servers and do whatever they want with it.

[–] [email protected] 6 points 5 months ago (5 children)

ah ok, so if it's not at rest and it's not in transit, what else is it?

[–] [email protected] 16 points 5 months ago
[–] [email protected] 9 points 5 months ago* (last edited 5 months ago) (1 children)

In their database lol. I'm sure whatever file storage they use is encrypted but doesn't matter when you have the keys and can view all the data unencrypted.

[–] [email protected] 5 points 5 months ago (3 children)

is it that easy to sell this shit to the average CTO?

[–] [email protected] 6 points 5 months ago

Unfortunately corporate security is a joke in many aspects.

[–] [email protected] 4 points 5 months ago (1 children)

there is a type of leader out there that takes gartner magic quadrants seriously and makes decisions from that information

and they're not rare.

[–] [email protected] 4 points 5 months ago* (last edited 5 months ago)

I've done UX on a few B2B SaaS things and the U meant CTO in most (sanctioned) cases

[–] Evotech 3 points 5 months ago

As long as you can check the boxes to an auditor.

[–] [email protected] 8 points 5 months ago* (last edited 5 months ago) (1 children)

you see, your data can never be at rest if they’re constantly using it to train LLM models and exploiting it for other marketing purposes

…god this is stupid enough that I’m very sure I’m going to hear it in earnest from some AI shithead next time one of our threads hits all

[–] [email protected] 9 points 5 months ago

at rest, in transit, in plunder

[–] [email protected] 7 points 5 months ago (1 children)
[–] [email protected] 8 points 5 months ago

they use it for their matrix screensavers

[–] [email protected] 4 points 5 months ago

out jogging: that's you keep data fit. gotta keep it moving. unfit data quickly starts falling into bitrot. that's what you get by buying a slack subscription - crosstrainers for your data!

trade secret tho, don't tell anyone

[–] [email protected] 3 points 5 months ago (5 children)

Has anyone used Mattermost? Has anyone switched to Mattermost? How's hosted Mattermost?

It passes the tickboxes of "actually open source" and "you can just buy hosting", but I don't know how it goes corporateishly

[–] [email protected] 4 points 5 months ago

@dgerard @rinze We have self hosted it for a few years. Small scale, but we did move a couple of GB of data archived from slack into it. I've found it pretty solid and like having focalboard built in.

Real deletes are an enterprise feature, but I have a nasty little script to remove "deleted" attached files.

[–] [email protected] 4 points 5 months ago (1 children)

(tried it some many years ago, probably long enough that lots of the following is entirely outdated)

then: install was relatively clean, UI shit still had a lot of work required (not showstoppers, just lots of not-quite-good things as often found in oss stuff), wasn't great to monitor/profile, client options were narrow, and lastly the standard problem of being non-goldenpath-choice meant you had to do a lot of things yourself

[–] [email protected] 4 points 5 months ago

it was an internal-only service in a always-use-vpns-for-everything company so further attempts at SSO and integration and ACL shit weren't investigated at the time

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago)

My chair at TUM uses Mattermost for most internal communication. I'm aware of a couple different academic institutions that do that.

EDIT: Perhaps of important note, we're talking Computer Science systems people. Like, kind of an environment where you're professionally obligated to have strong opinions about Linux distributions.

In all cases it's self-hosted. I don't know anyone who bough hosting. If I get my hands on our sysadmin I could share more.

As for "switched" - I was at one company only that had an official/unofficial Slack and we were given stern talkings to about never ever sharing any company information through it. It was specifically for watercooler banter. Basically "treat it as a personal non-work environment". Specifically because our security officer was aware that Slack is not end-to-end encrypted and that's just an immediate dealbreaker in any sane company that handles sensitive data. God I miss that CSO, I didn't know how good I had it.

Microsoft has Yammer because they always need to choose the worst possible tool in existence.

[–] [email protected] 2 points 5 months ago

The company I work at uses selfhosted Mattermost. Granted, we're <50 Employees, so I don't know how well it scales for larger companies.