All posts in “Leaks”

Beware! Slack leaks are the new email leaks

When Amy Pascal’s ruthless emails leaked in the infamous Sony hack, friends of mine who worked in the entertainment industry were less than shocked, recalling that her emails just reflected how everyone speaks, and how deals get made, in Hollywood. 

And when John Podesta’s leaked emails revealed the wheeling and dealing surrounding the Democratic National Committee and Hillary’s nomination, people in politics expressed a similar sentiment to me: That’s just how things get done.

In both cases, the fault lay not in the actual content of leaked emails, but with the executives and politicians who put too much truth in writing. Silly old people. They should have known better!

Now, a new kind of leak is becoming the norm: Slack messages sent between co-workers. As the popular office-chat client has grown to 6 million daily users, multiple instances of leaked Slack conversations have revealed sometimes embarrassing, sometimes enlightening information about the true thoughts and feelings of a company’s employees — and it’s already led to firings.  

When we spurned email for its ability to burn us, we turned to chat. But Slack’s particular user interface can make even those of us who are wary of putting anything in an email spill our guts in both direct messages and office slack channels — complaining about the bosses in the same breath as the weather. 

Conversations among colleagues can and should be truthful, honest, funny — even occasionally unflattering. But we’ve started rendering permanent these sorts of conversations by chatting them, rather than speaking them out loud. Silence is not more secure: Slack’s channels — its immediacy, its private-public, highly recordable format — is starting to get people, and institutions, in trouble. 

The Slack leak is the new email leak.

Drip drip drip

On Wednesday, the Huffington Post printed a Slack transcript of New York Times employees airing complaints about a controversial tweet from op-ed columnist Bari Weiss, as well as faults they found with larger policies at the Times.

Coming from one of the leading newsmakers in the world, the NYTimes chat transcript represents the most significant Slack leak to date. Through the laughably simple means of copying and pasting internal conversations, whoever is responsible for the leak provided an inside look into how ire around the management of the op-ed pages, liberal-versus-conservative fracturing, and diversity initiatives are causing a heated level of strife. 

With a restrictive social media policy, the Times takes pains to prevent its employees from revealing their opinions to the public (as the Huffington Post leak article notes). So whether readers find the content of the leak predictable or shocking, the leak was organizationally damning: It revealed a side of the company management clearly did not want the public to see.

But this wasn’t the first time a leaked Slack transcript provided an inside look into the organizational workings and private thoughts of employees. In fact, the low-tech method responsible for this leak has led to breaches at Breitbart, Reddit, and a high school. Breitbart leaks have been similar to the ones from the Times. They show more internal dialogue and a less united front than Breitbart would like to present to its readers. The alleged Reddit leak of a moderator’s Slack channel provided fodder for conservative trolls looking for bias in “anti-Trump” moderators.

The security breach at a Rhode Island high school recently revealed several teachers using Slack to bash students, calling them “idiots,” and complaining about their parents. A teacher’s email was reportedly hacked in order to disseminate the leak via a shared Google doc, but the conversations themselves were copied through good old-fashioned screenshots. 

The school fired the teachers for what they said over chat. And while the New York Times does not appear to be disciplining its employees, who’s to say whether organizations with leaked chats containing employee complaints or bad behavior will be as forgiving in the future.

Coming back to haunt you

And then there was the meta-Slack leak. Splinter acquired a screengrab of a Slackbot message from CNN’s Slack. The message informed channel members that “Team Owners” would, as of that message, be able to “export communication history, including the content of private group and direct messages, subject to your team’s message retention and deletion policy.” 

That is, the bosses would be able to read your DM’s. 

In 2014, Slack changed its policy to allow this oversight and export capability. Employees should understand that that little padlock next to private channels doesn’t mean jack if their company has enabled this setting.

But it’s not just the Slack owners who have access to your chats. 

In the Gawker-Hulk Hogan lawsuit, Hogan’s counsel pressed a Gawker employee on the significance of a joke one employee made about Hogan to another. In a reflective essay, the author of the joke characterizes what he said as a throwaway comment, but he recognizes the larger significance. “This is a scary realization,” he writes. “Hulk Hogan’s lawyers have a better sense of many conversations I had in 2012 than I do.”

This is just one instance in which one’s private chats become discoverable evidence in a lawsuit; a seemingly innocuous chat may have contributed to the bankruptcy of a major media organization. 

This access is by no means limited to opposing counsel. Just like other tech companies including Apple and Facebook, Slack complies with law enforcement requests to provide data and history on users. 

There has yet to be a major Slack security breach. But the introduction of chat logs into evidence, law enforcement’s and organizations’ ability to access data, and simple copied-and-pasted transcripts have shown that there does not need to be a hack of the Sony or Wikileaks variety to prove that Slack leaks are real and that chat logs are searchable. And with such free-flowing dialogue about company politics and sensitive topics, the leaks are sure to keep coming.

Letting those fingers fly

The quick and casual way we use chat is certainly at the root of Slack’s ability to hurt us when the conversations we have on it leak. But there are several features of Slack’s particular user interface that seem to encourage treating its channels — private and public — like an employee lounge.

Chat, of course, breeds immediate responses. You don’t have to open a new message window, and all you have to do is press enter. Have you ever written a joke in reply to a comment, followed by a little nagging question of whether you really should have said that? The immediacy contributes to sending those questionable jokes and complaints, pressing send before we’ve thought through what we’re saying. In its own study about the use and nature of chat, Facebook says that messaging leads to more “authentic” and meaningful conversation. Sad but true, authenticity might not be the best feature of all messages we send to our colleagues.

Slack’s differences from email also help blind us to how easy it is for our messages to be passed on, or read by people who might not like what we have to say. Chats distinctly lack that “Forward” button. Sure, emails can be copied and pasted, just like Slacks. But the existence of the email Forward button reminds us of our words’ ability to have a life of their own.

Slack channels also more effectively mask the actual recipients of the messages you send. When writing an email, you either have to type in directly who you’re sending your message to, or send to a list. In office clients like Outlook, you can click on a list to see who you’re actually sending your email to. This makes you more aware of how far and wide your message is spreading. Plus, you have the ability to delete any recipients you might be wary of.

But Slack channels don’t give you the option to delete recipients — that requires a DM. Sure, you can click on the people icon under the channel name. But who’s really thinking about all of the people who have access to your messages in an open Slack channel? The New York Times leak had to have originated from an internal source — a Times employee who had access to the channel. You never know how an employee you might not be thinking about may take an opinionated message, or even a joke. Sending messages out into the ether of office chat is not as private, or secure, as you might think while firing off a chat.

Stemming the tide

While there’s not much you as an individual can do to prevent a fellow employee from leaking a copied-and-pasted message, there are steps you can take to protect yourself from getting your words leaked, and facing potential consequences. 

First, of course, is watching what you say. Don’t treat public Slack channels like private DM’s. Save company complaints for in-person conversations, not messages that can be taken out of context, or make your employer look bad. That’s not to say that companies and bosses shouldn’t be questioned, and that you shouldn’t speak your mind. But if Amy Pascal — formerly one of the most powerful people in Hollywood — can fall for the way she did business in writing, so can you.

Next up is checking whether your company has access to your private messages. This is a setting called “Compliance Exports” that companies can choose to enable in Slack. To check whether your company has turned this feature on, click the downward arrow in the top right corner next to your company’s workspace. Click on “Profile & account,” and your profile will open in a sidebar. Click the downward arrow underneath your photo, and navigate to “Open account settings.” This will take you to your “Account” page in your browser. (You can also go straight here by typing in the URL of your workspace plus /account/settings). 

Now, click on workspace settings. Here, you’ll find a bunch of handy info: who your workspace owners and admins are, how often messages in public and private slack channels and DM’s get deleted, and of course, whether the “Compliance Exports” capability is turned on. Scroll all the way down to find the “Compliance Exports” section: here, you can see if your bosses have the ability to read your DM’s. From there, proceed wisely.

Your company may have set the “Retention and deletion” settings for all types of messages; i.e., whether and how frequently messages get automatically hard-deleted from your company’s and Slack’s servers. 

However, your company may have allowed employees to override these settings, specifically in private channels and DMs. It’s a good idea to have your messages auto-delete: even if you think you haven’t said anything damaging, you don’t want something you don’t even remember saying to become discoverable evidence in a lawsuit that costs your company money, and maybe even costs you your job.

To see if you are able to change how frequently messages get deleted, click the gear icon in a private channel or DM. Click “Edit message retention” if it appears, choose how long you want to keep your messages, then save and apply. Reportedly, when messages are deleted, Slack hard deletes all messages and back-ups from their servers within 14 days — and they’re no longer accessible to anyone who asks for them. Phew.

Just do it

In the middle of the leaked New York Times transcript, an employee tells the channel “hey all. whatever we’re saying here is leaking outside the Times. I’ve got a message from a reporter outside the building asking me to screen shot this conversation.”

The employees carry on as if she hasn’t said anything. They’re clearly frustrated and looking for a way to voice their concerns — public eye be damned (and maybe even embraced).

Who doesn’t roll their eyes at the refrain to not talk shit in chat, keep your words professional in the office at all times and on all platforms, think before you speak? Mashable’s Rachel Thompson recently reported that email is on the way out for entrepreneurs because its slow pace can’t keep up with start-up culture; instead, millennial workers turn to chat and project management clients. 

We don’t have time to think before we speak, the attitude seems to say. Plus, in what world could our boring work convos actually have any consequences? It seems like an old wives’ tale, a warning from an older generation. And it’s just no freaking fun. We don’t want to live in the buttoned-up world where we can’t be our authentic selves in the office. That’s what our generation, the generation of seeking out purpose in work, is all about.

But we are just at the beginning of learning about the consequences of chat. Over the last decade, we gradually stopped sending those bitchy emails, those “ughs” to our work friends, in the forwarded message body above a particularly annoying note from that colleague you hate. Email stopped being fun because it stopped being honest and emotive. No matter how banal our messages seemed, the stories detailing the consequences executives and employees alike faced for their emails changed the way we used email, too. 

So despite all the custom dancing emoji in the world, with every new Slack leak, life on Slack will (have to) change, too.


Apple is none too pleased with seeing leaked iPhone source code on GitHub

Coming for you.

Image: JOSH EDELSON /Getty Images

Apple’s legal team has been busy. 

Less than 24 hours after Motherboard reported that a leaked version of some iPhone source code was posted to GitHub, the iBoot files in question have been pulled down and replaced with a Digital Millennium Copyright Act takedown notice. 

At issue, explains a statement on behalf of Apple by law firm Kilpatrick Townsend & Stockton LLP, is the alleged “Reproduction of Apple’s ‘iBoot’ source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software.”

The files had allegedly been floating around the internet since 2016, but their landing on GitHub was apparently a step too far for the Cupertino-based behemoth.  

“The ‘iBoot’ source code is proprietary and it includes Apple’s copyright notice,” reads the statement. “It is not open-source.”

An excerpt from the iBoot code.

Image: iboot

Importantly, this code is several years old so it’s not exactly clear what impact, if any, this leak will have on iPhone users. 

We reached out to the person who, under the username of ZioShiba, posted the source code to GitHub in the first place in an effort to determine his or her motives, but have not received a response as of press time. 

Apple, on the other hand, definitely has some thoughts. 

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code,” the company said in a statement to Mashable. “There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”

Even though Apple appears to be playing it cool, it’s safe to assume that the legal team it hired isn’t too happy, and will do everything in its power to make sure this code is permanently wiped from Github. 

Unfortunately for everyone in Cupertino, at the time of this writing what appear to be three copies of the code have already been uploaded to GitHub. So, yeah, once it’s out there, there’s not really any going back. 

This story has been updated to include comment from Apple, and a tweet from Will Strafach. 


Apple’s historic iOS 11 leak may have been an inside job, report says

Image: Jaap Arriens/NurPhoto via Getty Images

We’re now accustomed to minor hardware and software leaks in the weeks and months ahead of any major Apple event, but Saturday’s massive Golden Master version iOS 11 leak may be the worst ever suffered by the incredibly secretive company. 

Like, ever.

So now, just a couple of days away from Apple’s big iPhone event, we await the inevitable leak blowback, and it’s already begun: We now have new details on how the leaks may have made it to the public. 

That leak exposed a wide range of details ahead of Apple’s Tuesday event, including the names of the new iPhones, a new LTE Apple Watch, the name of Face ID and how it works, and a number of software goodies that would have otherwise wowed the audience in a couple of days. 

Now? Assuming all the information from the leak pans out, it’s difficult to imagine many surprises from Tim Cook when he hits the stage in about 48 hours. And you can bet Cook isn’t happy about that. 

Following the leak, Apple-focused podcaster and blogger John Gruber, who occasionally delivers insider details on the company’s products, explained how the leak information was likely obtained. And rather than pinning the leak on a hacker, he points the spotlight in a very surprising direction. 


“As best I’ve been able to ascertain, these builds were available to download by anyone, but they were obscured by long, unguessable URLs,” wrote Gruber. “Someone within Apple leaked the list of URLs to 9to5Mac and MacRumors. I’m nearly certain this wasn’t a mistake, but rather a deliberate malicious act by a rogue Apple employee.”

Then on Sunday, the BBC reported that it had confirmed that an “anonymous source” had deliberately sent the leak information to 9to5Mac and MacRumors, allowing the publications to download the software “from Apple’s own computer servers.”

Gruber followed up on that report on Sunday by adding more intrigue to any questions around the leak’s origin.  

“The BBC doesn’t say definitively that the leak was sent by an Apple employee, but I can state with nearly 100 percent certainty that it was,” wrote Gruber. “I also think there’s a good chance Apple is going to figure out who it was.” 

That might sound ominous, but Apple has long been known for the lengths to which it will go to ensure the secrecy of its products, so Cook and his team are likely working overtime to track down the person who leaked the information, assuming that they haven’t already. 

“That person should be ashamed of themselves,” wrote Gruber, “and should be very worried when their phone next rings.”


Apple iOS 11 leak reveals iPhone’s new Face ID set-up process

The epic leak of the Golden Master version of iOS 11 on Saturday continues to deliver surprises, and the latest offers more insight into how Apple’s new Face ID system may work. 

A Brazil-based iOS developer posted several screenshots and videos on Twitter not long after the initial leak, and the posts appear to show the process for setting up the iPhone’s new Face ID authentication.

We get to see what appears to be the preference and settings screen for Face ID (a name indicated by earlier leaks on Saturday), which allows you to select whether you’d like to use Face ID for iPhone Unlocking, Safari Autofill, the App Store, or iTunes. 

And in the video, we also get to see what may be the Face ID authentication screen as it looks when you position your face in front of the camera for first-time registration. 

Of course, none of this is confirmed, but the demonstrations and settings screens, when paired with the leak information from Saturday, are pretty convincing. 

We’ll know for sure in just a couple of days, when Apple CEO Tim Cook takes to the stage of the new Steve Jobs theater to reveal all. 


The one iPhone 8 leak to rule them all

Image: Lili Sams/Mashable

For those who obsess about the iPhone, it was the mother lode.

After a long period without any substantive information (although plenty of whispers, speculation, and questionable photos), it finally happened: the biggest iPhone 8 leak so far. 

In what looks like an understandable but massive mistake, pre-release firmware for the Apple HomePod somehow got uploaded to a public server.

There’s a lot of interest in HomePod — the Apple “smart speaker” that’s meant for music and has Siri built-in. Apple plans to release it in December, so getting a look at the software four months early is definitely a big deal.

But that was just the beginning. The HomePod software actually included a lot of information about a new iPhone — what has generally been called the iPhone 8 — including details on the exact shape of its edge-to-edge screen, a new kind of biometric security that involves facial recognition, and other features.

One of the key people in deciphering the leak has been Guilherme Rambo, an iOS developer from Brazil. Rambo has been revealing the details he and others have discovered in the HomePod software on his Twitter feed, including references to something called “Pearl ID,” a virtual home button, and even an image of what the front of the iPhone 8 will supposedly look like (hint: get ready to hear the term “notch” a lot).

Rambo joins this week’s MashTalk podcast along with CNET Executive Editor and mobile analyst Roger Cheng and Mashable Senior Tech Correspondent Raymond Wong to fully unpack this huge leak, explore what this radically redesigned iPhone will mean (to users and Apple), and analyze the info to figure out what’s not in the leak.

You can subscribe to MashTalk on iTunes or Google Play, and we’d appreciate it if you could leave a review. Feel free to hit us with questions and comments by tweeting to @mashtalk or adding the #MashTalk hashtag. We welcome all feedback.
