When Closed-Source Software Wins The Day

We prefer to use open-source software as a matter of principle. We believe that putting software code in the open is the best way for the public to build trust in it.

You might find it curious, then, that we choose to foster communication and community through a tool like Slack, which is closed-source. (Note: you can request to join our Slack channel by sending a request to slack@simplysecure.org.) Many software teams that build privacy-preserving tools host similar spaces dedicated to communication with volunteers and users. Their spaces are usually built on IRC, though, which has multiple open-source options for both the client and the server. Why didn’t we go a similar route?

Our decision to go with Slack over IRC mirrors the decisions that people the world over make every day. If we take a minute to examine our reasoning, we can find some valuable lessons for open-source developers.

Instant access

One of the biggest advantages we found Slack has over IRC is how quickly it works in a variety of environments. You can get up and running on the web in less than a minute, and expand your experience to include a native client on your desktop or mobile device with a quick download. You don’t have to enter a channel name or configure the software to point at a particular server: you click on an invitation in your email, and you can get started after just one or two steps.

Slack has been pretty close to instantly accessible from an administrative point of view, too. We haven’t had to set up a server, do extensive configuration, or offer any kind of how-to information to our users other than “send us an email and we’ll invite you”. Given the diverse community of people we are trying to reach – including designers, researchers, and program managers – we expect we would have to offer a lot of support to get the more adventuresome among them to try IRC.

Stateful, active participation

IRC grew up in the age of desktops, where you only participated in a real-time online conversation when you were seated at the keyboard. Some IRC clients may have evolved beyond this model, but vestiges of it remain. Today’s smartphone-wielding users operate in a different world, where they might be on their phone at one moment, a computer the next, and a tablet in a few hours. Slack tries to make this experience seamless. It remembers where in the conversation stream you left off, and helps you find your place across different devices. It also lets you get notifications when someone mentions you, so you can tune in even when you’re “offline”.

Friendliness

Beyond ease of first use and aspects of the software’s functionality, Slack is just so gosh darn friendly looking. For many people, staring at a screen full of monospace text is torturous. Tasteful in-line image integration, textual hierarchies interspersed with whitespace, and tastefully-colorful menus all make Slack easier on the eyes. There’s a welcoming bot that helps you set up your profile, and pithy loading messages help you adopt a lighthearted mood when you join each day. Finally, Slack offers much of its functionality up front through graphical interfaces, rather than requiring the user to learn special textual incantations to access them. Although Slack is intended to help people communicate through text, its attention to other details is what makes the experience more enjoyable than current IRC clients for most people.

[Image: Screenshot of an IRC client.]
[Image: Screenshot of our Slack channel.]
The IRC and Slack experiences are very different.

The tradeoffs

Now that I’ve gushed about what Slack offers, I want to call out some of its downsides. Because it’s owned and operated by a third party, we don’t have ultimate control over our Slack community. We believe that the company has reasonable policies in place that prevent their employees from going in and mucking about, but there’s always a chance that a bad apple could get in and do damage of some kind.

This lack of control also manifests in the fact that Slack limits the number of archived messages that are available on unpaid accounts. In other words: if we want to access all of our archives, we need to pay them money – and given their rates for a community our size, we can’t afford to. The silver lining here is that they offer free upgrades to documented nonprofit organizations, so when our application for 501(c)3 status is approved, we should be able to gain access to those archives again. (We have also been trying to download the archives on a semi-regular basis for our archive, and are glad that Slack provides the facility to perform such downloads to administrators.)

Finally, being closed-source means that Slack may have all sorts of crazy vulnerabilities that could allow an attacker to compromise our community in some way, and only Slack employees would know. For some communities this alone is enough to make Slack an impossible option, which we understand and support. So if an open-source solution comes along that offers more of Slack’s benefits than current IRC options, we will definitely reconsider our choice (feel free to contact us if you know of one). But for the time being, this abstract threat does not outweigh the benefits Slack offers, especially when one ponders how often both Slack and its open-source alternatives realistically undergo regular security reviews by skilled engineers.

This is one case where open-source options are losing the battle, at least right now.


Screenshot of the WeeChat IRC client, Fundación Wikimedia, Inc., published under a CC BY-SA 3.0 license.
