Hello, welcome to the Tuesday, December 17th, 2019 edition of the Santernet Storm Center's

Stormcast. My name is Johannes Ulrich. And then I'm recording from Jacksonville, Florida.

If you ever shared a file online, you probably realized that whoever received this file can take it and

reshare it.

Apparently, cloud authorization company Polyrise considered this sort of a new and unwanted

functionality in Slack and reported it as a security vulnerability.

The problem Polyrise outlined is that once a file is shared in a private

conversation, any member of that conversation can take the file shared in the public channel

and with that make it public. And this is not undone if the original owner unshairs the file.

If you unshare the file, you just remove it

from the location that you shared it, which would be this private channel in this example.

Slack pretty much told Polyrise that, well, this is just how it works on the internet and

they're not really going to fix this.

I actually agree a little bit with Slack here in the sense that once you share a file

with someone they can download it, they can add it to an email and send it away so it's

not that Slack is implementing some kind of DRM here or so to limit the distribution of these files beyond Slack.

And sticking with the authorization topic here, Google announced a plan to turn off

a password-based authentication for G Suite apps. If you do want to use an app in G Suite, you have to essentially

switch to OAuth. Now, you do have a little bit of time here. It starts happening June 15th next

year, so you have about, what is it, six months left to switch your applications. After that date,

new users can no longer use any applications to connect via password-based authentication. Now, after

February 15th, 2021, which is essentially a little bit more than a year from today, then all LSAs

...