this post was submitted on 14 Jul 2024
1 points (100.0% liked)

Technology

59692 readers
2024 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

In a significant data breach, hacktivist group NullBulge has infiltrated Disney's internal Slack infrastructure, leaking 1.2TB of sensitive data. This breach, posted on the cybercrime platform Breach Forums on July 12, 2024, exposes many of Disney's internal communications, compromising messages, files, code, and other proprietary information.

top 50 comments
sorted by: hot top controversial new old
[–] pavnilschanda@lemmy.world 0 points 4 months ago

If the content includes the Disney Vault that'd be very cool

[–] Evotech@lemmy.world 0 points 4 months ago (2 children)

An export like this does not include private slack channels from what I know of Slack design and export mechanisms

[–] paf0@lemmy.world 0 points 4 months ago (1 children)

I think it would depend on the level of the account. They have that feature for compliance reasons in heavily regulated industries.

[–] Evotech@lemmy.world 0 points 4 months ago* (last edited 4 months ago) (3 children)

Kinda, but not even admin accounts can view/export private channels they are not a member of.

I don't think that's even a feature

[–] ArbiterXero@lemmy.world 0 points 4 months ago

https://slack.com/intl/en-gb/help/articles/201658943-Export-your-workspace-data

It absolutely is.

Slack must have this for compliance issues, or they would be locked out of many industries (like banking and insurance)

[–] bamboo@lemmy.blahaj.zone 0 points 4 months ago

I had to manage a Slack migration to another org we were merging with. As the owner, normally I couldn't even see the names of private channels, but when it came down to the migration, upgrading the account to Business+ tier, the full export included everything (private channels and DMs), which we imported into the new org.

Slack sends notifications to all Admins that the export was happening, and i've only seen that notification once after using Slack for 10 years.

[–] 5redie8@sh.itjust.works 0 points 4 months ago

IIRC Admins can not, but Org owners can in certain situations.

[–] Doorbook@lemmy.world 0 points 4 months ago

So where we can find these data to check out?

[–] PrivateNoob@sopuli.xyz 0 points 4 months ago (3 children)

Good. Based for Nullbulge that they have released the source for free. Their motive is to put pressure on Disney due to their wrongdoings against creative artists.

load more comments (3 replies)
[–] kate@lemmy.uhhoh.com 0 points 4 months ago (2 children)

Huh, I looked through the website of the hacking team and they use slurs and talk about posting on 4chan, it's not a great look for a group trying to get on the good side of creative peoples imo

[–] kate@lemmy.uhhoh.com 0 points 4 months ago (2 children)

Plus in their blog post they mention that they haven't read through most of the leaks themselves so they don't even know what kind of info they might be posting about potentially unrelated people, in an attack on "AI" that won't stop disney even a little bit. Like, I understand the desire to help creative people but I don't see how this is doing that

[–] kate@lemmy.uhhoh.com 0 points 4 months ago (5 children)

also while I am on my soap box, ai-bro and crypto-bro are gendered insults and we should do better

[–] JJROKCZ@lemmy.world 0 points 4 months ago (1 children)
[–] kate@lemmy.uhhoh.com 0 points 4 months ago

average lemmy.world user

[–] GiveMemes@jlai.lu 0 points 4 months ago (1 children)

How do ai-bitch and crypto-cunt sound?

[–] orrk@lemmy.world 0 points 4 months ago

nah, just stick to the AI-Bro and Crypto-Bro

[–] ragica@lemmy.ml 0 points 4 months ago (1 children)

Some alternate suggestions might be nice.

That's true, but it's so much more fulfilling to preach from upon my high horse. Do better.

[–] anivia@lemmy.ml 0 points 4 months ago* (last edited 4 months ago)

Bro is a gender neutral slang

load more comments (1 replies)
[–] JasonDJ@lemmy.zip 0 points 4 months ago (1 children)

If you're a grey-hat/chaotic-good hacker intent on exposing corporate greed or whatever, with a cache like that, you've got a couple options....either release inmediately, or review the data to minimize collateral damage and release.

If the intent was to help people, and there was no driving force to release immediately, then they should've waited and reviewed the data.

I really worry if this is going to lead to my overly-ambitious infosec group putting the kibash on our unofficial/shadow-IT (fully internal) MatterMost.

load more comments (1 replies)
[–] Tattorack@lemmy.world 0 points 4 months ago

A lot of hacker groups originated on 4chan.

[–] MNByChoice@midwest.social 0 points 4 months ago (2 children)

So many passwords will be in there. And cat photos.

[–] ArbiterXero@lemmy.world 0 points 4 months ago

And jokes about meatball Ron

[–] sheogorath@lemmy.world 0 points 4 months ago (1 children)

Passwords and lotsa creds. I know an infra engineer who stores all of the keys to the projects he's involved in his message to self Slack. When I asked him about it he told me 'when I found out that the company billed my time 5x my salary to clients I stopped caring' and I was like OK that's fair ¯\_(ツ)_/¯

[–] douglasg14b@lemmy.world 0 points 4 months ago* (last edited 4 months ago) (1 children)

Depends. Our engineering slack (Few thousand members) doesn't contain secrets for a few reasons:

  1. Secret scanning
  2. We have a /secret bot that will take your secret, store it securely, and then present a GUI for each person with access to display that secret "for just that person". And then after a set period of time it's made inaccessible, and wiped from the infra.
  3. Training and knowledge transfer on secret security

This has been incredibly effective. Especially the secret bot.

Turns out that the problem with people sharing secrets is just a matter of convenience. If you make a secure way convenient then everyone tends to just use it by default.

[–] MNByChoice@midwest.social 0 points 4 months ago (1 children)

"Secret Bot" sounds great!

Custom in-house or off the shelf?

[–] douglasg14b@lemmy.world 0 points 4 months ago (1 children)
[–] MNByChoice@midwest.social 0 points 4 months ago

Thank you. It sounds spectacular and well thought out. You must work with a great team.

[–] KingThrillgore@lemmy.ml 0 points 4 months ago (2 children)

So we gonna finally accept that maybe all these cloud services aren't that secure

[–] 5redie8@sh.itjust.works 0 points 4 months ago (1 children)

Internal slack infrastructure

Taking this part of the description at face value anyway, this sounds like the opposite of the cloud.

That being said, I still agree with the statement

[–] bamboo@lemmy.blahaj.zone 0 points 4 months ago (2 children)

I don't think Slack has a self hosted version, and does not offer IP allow listing. There's nothing preventing someone to go to https://disney.slack.com/. I think when they say "internal" they mean for internal employees, and not like a thing for fans.

[–] UtMan1988@lemmy.world 0 points 4 months ago (2 children)

They do. You pay extra for it. You have to have apache or a web server configured for it, and a lot of space. Source: I configured one like 4 years ago.

[–] ipkpjersi@lemmy.ml 0 points 4 months ago* (last edited 4 months ago)

That sounds like user error on Disney's part then. My company uses IP whitelisting just fine.

[–] bamboo@lemmy.blahaj.zone 0 points 4 months ago (3 children)

I've never heard of an on prem offering, which tier is that on? None of the plans mention it? https://slack.com/pricing

[–] douglasg14b@lemmy.world 0 points 4 months ago* (last edited 4 months ago)

Just because it's not marketed doesn't mean it's not offered

[–] weker01@feddit.de 0 points 4 months ago (1 children)

Welcome to the world of B2B where 98% of products are listed nowhere and of those products you get a listing the price is either hidden or not the price anyone really pays.

[–] Etienne_Dahu@jlai.lu 0 points 4 months ago

That's what I hate the most in B2B. No transparency. How am I supposed to trust you if we start this way?

[–] drislands@lemmy.world 0 points 4 months ago

I can't find it now, but my company attempted to get that from Slack and IIRC it was an option but more expensive than they were willing to pay.

[–] addie@feddit.uk 0 points 4 months ago (2 children)

I think when Disney demands an internally-hosted version of your product, then the sales team tells engineering that they'll provide one, and mark the price up accordingly. That kind of thing doesn't appear on the external listing for everyone else.

[–] femtech@midwest.social 0 points 4 months ago (2 children)

No, because the code would end up somewhere for others to use, hell the government uses the same cloud offerings.

[–] douglasg14b@lemmy.world 0 points 4 months ago (1 children)

Your logic isn't making sense.

The code would end up somewhere for others to use...? What?

One-off products or beta offerings are often kept private, sometimes indefinitely.

[–] homesnatch@lemm.ee 0 points 4 months ago

In this case, Disney is using Slack Cloud-hosted for internal communication, but I can definitely understand people interpreting it differently.

[–] anivia@lemmy.ml 0 points 4 months ago

Providing Disney with an internally hostable version of Slack doesn't require giving them the code. They can just ship them compiled binaries

[–] cmhe@lemmy.world 0 points 4 months ago* (last edited 4 months ago) (1 children)

Why would Disney demand that?

Why would they choose slack if they want to host, maintain and be responsible for the internal chat themselves?

They choose slack because they do it for them so that they don't have to do it themselves. That is the selling point for them.

Businesses buy cloud services, because they do not want to manage stuff themselves.

[–] towerful@programming.dev 0 points 4 months ago* (last edited 4 months ago)

They can still have support contracts and SLA etc from slack.
It's just that the servers slack runs on are on-prem and completely controlled by the business buying into the self hosted licence.
The benefits should be tighter security (say, can only be accessed via VPN), and for many many MAU probably lower costs. Chances are, Disney already has datacenter ops and hardware contracts.

And why choose slack? For quite a while, it was extremely common for developers (maybe even industry standard?). It had loads of features in the small market of internal chat programs. And it's easy to build extensions and integrations for.

I'm not saying that Disney is running on-prem slack, but I wouldn't be surprised if they were

[–] sunzu@kbin.run 0 points 4 months ago

In a shocking move, the wage slaves found that their bosses know that they are severely underpaid.

[–] 0x0@programming.dev 0 points 4 months ago

Is Disney blaming the fans yet for this hack?

load more comments
view more: next ›