[fweespeech]

> Umm... why do people always assume "hosting it yourself" is more secure and not less? Do you have Slack's security expertise and budget? In my experience when small to mid-size companies attempt to manage security themselves they do a passable job but are convinced they are doing an excellent job - until they get hacked.

I'm not exposing it to the WAN, just the LAN. :\

I don't think people really appreciate how massive of a security difference that is. It doesn't matter how big your budget is if you sit on the WAN all day. Someone will _always_ tag you eventually.

LAN with hardened VPN/SSH setups are virtually impossible to get into in a software-is-at-fault kind of way. And even if they did, they'd then have to launch the attack from someone's workstation at which point you've already been compromised anyway.

Oh, and then to get to the chat service they'd still need to break the security of an open source chat service which is non-trivial.

[tatersolid]

Your LAN is protected Only if you know that no workstation which connects via VPN, WiFi, or cable can ever be compromised elsewhere and then connect. Which is clearly not possible unless your workstations are air-gapped and immobile, with no USB ports, etc.

The majority of non-trivial breaches involve some sort of pivot or lateral movement inside the "protected" LAN. These often originate from a workstation.