Former Gizmodo Writer Changed Name To 'Slackbot,' Stayed Undetected For Months (theverge.com)
Tom McKay successfully masqueraded as a "Slackbot" on Slack after leaving Gizmodo in 2022, going unnoticed by the site's management for several months. The Verge reports: If you're not glued to Slack for most of the day like I am, then you might not know that Slackbot is the friendly robot that lives in the messaging service. It helps you do things like set reminders, find out your office's Wi-Fi password, or let you know when you've been mentioned in a channel that you're not a part of. When it was his time to leave, McKay swapped out his existing profile picture for one that resembled an angrier version of Slackbot's actual icon. He also changed his name to "Slackbot." You can't just change your name on Slack to "Slackbot," by the way, as the service will tell you that name's already been taken. It does work if you use a special character that resembles one of the letters inside Slackbot, though, such as replacing "o" with the Unicode character "o."
The move camouflaged McKay's active Slack account for months, letting his account evade deletion. It also allowed him to send bot-like messages to his colleagues such as, "Slackbot fact of the day: Hi, I'm Slackbot! That's a fact. Have a Slack-ly day!" My colleague Victoria Song, who previously worked at Gizmodo, isn't all that surprised that this situation unfolded, and says, "As Tom's former coworker and a G/O Media survivor, this tracks."
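The lookalike-character trick described above can be caught by auditing display names after folding confusable characters, since an exact-match uniqueness check does not catch it. This is an added example, not code from the article or from Slack; the roster tuple layout, the `RESERVED` set and the small confusables map are assumptions constructed for illustration.

```python
import unicodedata

# Constructed subset of Unicode confusables (lookalike -> ASCII); a production
# check would load the full confusables.txt table from Unicode TR39.
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}
RESERVED = {"slackbot"}  # names that only the platform itself should carry


def skeleton(name: str) -> str:
    """Fold a display name to a comparison form: NFKC, casefold, map lookalikes."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    # Drop combining marks and format characters (zero-width space, joiners).
    decomposed = unicodedata.normalize("NFD", folded)
    kept = [c for c in decomposed if unicodedata.category(c) not in ("Mn", "Cf")]
    return "".join(CONFUSABLES.get(c, c) for c in kept).strip()


def scripts(name: str) -> set:
    """Rough script detection from the first word of each letter's Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}


def audit(members):
    """Return (user_id, display_name, reason) for names imitating a reserved name."""
    findings = []
    for user_id, display_name, is_platform_bot in members:
        if is_platform_bot:
            continue
        if skeleton(display_name) in RESERVED:
            mixed = len(scripts(display_name)) > 1
            reason = "mixed-script lookalike" if mixed else "reserved-name variant"
            findings.append((user_id, display_name, reason))
    return findings


# Constructed sample roster: (user id, display name, is the built-in bot).
MEMBERS = [
    ("USLACKBOT", "Slackbot", True),
    ("U0000001", "Slackb\u03bft", False),   # Greek omicron in place of "o"
    ("U0000002", "SLACKBOT\u200b", False),  # trailing zero-width space
    ("U0000003", "Alice", False),
]
```

Running `audit(MEMBERS)` over an exported member list flags the two human accounts whose names fold to the reserved name, which is the signal an offboarding or periodic access review would want alongside the account's active status.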
When it was his time to leave (Score:5, Informative)
(When he got fired)
I mean come on guys.
No SSO? (Score:2)
G/O Media doesn't have SSO that enforces AAA?
Be careful with all the media layoffs happening.
All I Know (Score:2)
You're pink to Bob till he sees the green of your money.
Re: (Score:2)
Eternal life or triple your money back!
Does anyone care? (Score:3, Insightful)
Wow (Score:3)
So you're saying that a website which relies on volunteer and/or minimally-compensated piece-workers doesn't have a rigorously enforced termination policy, monitored by their professional HR staff?
I am shocked. SHOCKED! Well, not that shocked...
Re: (Score:2)
Re:Wow (Score:5, Funny)
I wonder if there will be a "Spartacus" type moment where everyone begins saying "I'm Slackbot"
Sounds Like Shitty IT Security (Score:4, Insightful)
If there is any truth to this story, this person was reduced to part-time or contract/correspondent and allowed to remain on Slack, and decided to be a goof.
Re: (Score:3)
Well, there are many possibilities.
One, their Slack is not linked to SSO, so his credentials weren't revoked.
Two, more likely, his account was disabled. But Slack relies on authentication cookies so he simply logged in again, and those authentication cookies let him in despite not having an account. I've seen this happen where you can lose access to your email and such but then still use other applications
I don't know what to think about this (Score:5, Insightful)
I've seen this guy lurking on Slashdot too! (Score:2)
I mean, when you see "Anonymous Coward", are you *sure* that isn't really somebody masquerading as a bot? Or a bot masquerading as a person?
Yikes (Score:2)
Don't admit to using a company's network resources without authorization. That way lies liability.
Re: (Score:2)
Well, the account is on Slack.com, so it's Slack resources he continued to use without notification from Slack that his authorization to access that website had been terminated.
Non-story (Score:2)
The company just clearly didn't do due diligence to remove the account, which wouldn't be associated with the visible name, but an ID token.
Also, I would suspect the former Gizmodo writer could be headed for a court case should the company choose to pursue it. Very silly.
Re: (Score:2)
Re: Non-story (Score:2)
Were any of the connected computers used in interstate commerce? Then make a federal case of it with the Computer Fraud and Abuse Act.
Re: (Score:2)
Were any of the connected computers used in interstate commerce? Then make a federal case of it with the Computer Fraud and Abuse Act.
All Internet traffic is interstate commerce; Slack's servers are not at any internet users' local ISP, so you'd definitely have to go out to the internet to reach those servers -- getting to them has to cross an Internet Exchange, Peering point, or Transit provider link. Even when the Source and Destination peers are in the same state, the routing hops will almost alway
Re: (Score:2)
It used to be that the computers have to be government, military, or financial computers. But they keep expanding the protection of the Act to cover more and more. Basically if a woman accessed her partner's smartphone it seemingly falls under the act. It's nuts.
There is this theory that buying chat services from Slack or Microsoft Teams somehow protects a business legally. But I don't think it does. It tends to make for a very low bar during discovery to dig into every message on a corporate Slack server,
Re: (Score:2)
Ooops. I forgot to add. The idea of damage caused by his unauthorized access would be important in a civil case. But in a criminal case, which as far as I know isn't being pursued, that there are essentially no damages isn't a barrier to a felony conviction. But it can make for a very light sentence.
Re: (Score:2)
It used to be that the computers have to be government, military, or financial computers. But they keep expanding the protection of the Act to cover more and more. Basically if a woman accessed her partner's smartphone it seemingly falls under the act. It's nuts.
Your partner's smartphone, if it has a passcode, can be considered a protected computer system, and if it's not shared community property, then you would need authorization from the owner of that property, yes.
However the DOJ has a whole manual on s [justice.gov]