Zoom has had a meteoric rise as a result of the SARS-CoV-2 outbreak. Jitsi and other useful teleconferencing tools are not very well known, though still widely used. Nearly all the buzz has been about the newcomer instead, but few have actually evaluated it. One group has. The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, at the University of Toronto, has investigated Zoom briefly, covering both the technology, especially its lack of encryption, and the company itself:
Key Findings
- Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
- The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
- Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
In a nutshell, throughout the mad rush to adopt teleconferencing software, due diligence has been largely abandoned and licenses left unread and software unevaluated. More scrutiny was needed, and still is needed, when acquiring and deploying software. That goes double for communications software.
Previously:
- Elon Musk's SpaceX Bans Zoom over Privacy Concerns (2020)
- Now That Everyone's Using Zoom, Here Are Some Privacy Risks You Need to Watch Out For (2020)
- Working from Home: Lessons Learned Over 20 Years (2020)
- Conferencing Application Zoom Allows Remote Activation of Your Mic and Cam Without Questions (2019)
Related Stories
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
[...] This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.
[...] According to Zoom, they will have a fix shipped by midnight tonight pacific time removing the hidden web server; hopefully this patches the most glaring parts of this vulnerability. The Zoom CEO has also assured us that they will be updating their application to further protect users privacy.
Proof of concept:
https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
WARNING: Clicking this link starts a Zoom video call, no questions asked!
Dustin Kirkland has written a blog post about telecommuting for over two decades. He goes into a lot of detail about his particular setup. He closes asking what other people's remote offices look like and what, if anything, he missed.
In this post, I'm going to share a few of the benefits and best practices that I've discovered over the years, and I'll share with you a shopping list of hardware and products that I have come to love or depend on, over the years.
I worked in a variety of different roles -- software engineer, engineering manager, product manager, and executive (CTO, VP Product, Chief Product Officer) -- and with a couple of differet companies, big and small (IBM, Google, Canonical, Gazzang, and Apex). In fact, I was one of IBM's early work-from-home interns, as a college student in 2000, when my summer internship manager allowed me to continue working when I went back to campus, and I used the ATT Global Network dial-up VPN client to "upload" my code to IBM's servers.
If there's anything positive to be gained out of the COVID-19 virus life changes, I hope that working from home will become much more widely accepted and broadly practiced around the world, in jobs and industries where it's possible. Moreover, I hope that other jobs and industries will get even more creative and flexible with remote work arrangements, while maintaining work-life-balance, corporate security, and employee productivity.
See similar article at the BBC.
How much, if any, can you work from home? What tools are on your "gotta have it" list? What cautions, suggestions, and resources do you suggest for your fellow Soylentils?
Now that everyone's using Zoom, here are some privacy risks you need to watch out for:
Now that you've finished choosing your custom Zoom background, mercifully sparing your fellow workers-from-home the sight of a growing pile of gym socks behind your desk, you might think you've got a handle on the conference call software du jour. Unfortunately, there are a few other data security considerations to make if you want to hide your dirty laundry.
Privacy experts have previously expressed concerns about Zoom: In 2019, the video-conferencing software experienced both a webcam hacking scandal, and a bug that allowed snooping users to potentially join video meetings they hadn't been invited to. This month, the Electronic Frontier Foundation cautioned users working from home about the software's onboard privacy features.
[...]Here are some of the privacy vulnerabilities in Zoom that you should watch out for while working remotely.
[...] Tattle-Tale
Whether you're using Zoom's desktop client or mobile app, a meeting host can enable a built-in option which alerts them if any attendees go more than 30 seconds without Zoom being in focus on their screen.
Elon Musk's SpaceX bans Zoom over privacy concerns-memo
[...] In an email dated March 28, SpaceX told employees that all access to Zoom had been disabled with immediate effect.
"We understand that many of us were using this tool for conferences and meeting support," SpaceX said in the message. "Please use email, text or phone as alternate means of communication."
[...] NASA, one of SpaceX's biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency.
The Federal Bureau of Investigation's Boston office on Monday issued a warning about Zoom, telling users not to make meetings on the site public or share links widely after it received two reports of unidentified individuals invading school sessions, a phenomenon known as "zoombombing."
Also consider that one way to claim to have "end to end encryption" is to simply re-define the term. Zoom Meetings Aren't End-to-End Encrypted, Despite Misleading Marketing:
Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.
With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.
Zoom admits data got routed through China - Business Insider:
In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
He did not say how many users were affected.
During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.
This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.
Separately, researchers at the University of Toronto also found Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.
[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.
Zoom did not immediately respond to Business Insider's request for comment and clarification.
(Score: 5, Insightful) by Rosco P. Coltrane on Sunday April 05 2020, @03:57AM
So what's new? If people actually did their research, read the licenses and evaluated the software, they'd never install the Facebook client or do a Google search.
(Score: 4, Insightful) by Runaway1956 on Sunday April 05 2020, @04:06AM (4 children)
Long, long ago, in a land far away, there were laws regarding "truth in advertising".
If your product includes the word "secure" or "safe" or "encrypted", then your product has to be safe, secure, and strongly encrypted. Once you make the claim, you can't weasel out of it. All weasel words in a contract, EULA, or license should be construed by the court to mean the worst possible thing, and used to hang the offenders.
Or, more succinctly, if your shit's not secure, don't make the claim for security.
(Score: 0) by Anonymous Coward on Sunday April 05 2020, @04:17AM (3 children)
What are you going to do about it? Government regulation? Licensing?
(Score: 2) by Runaway1956 on Sunday April 05 2020, @04:58AM (2 children)
A class action lawsuit would be appropriate. And, if the case doesn't succeed, then go to the legislators.
Seriously, a software that claims to be secure should be locked up tighter than tight, by default. Any attempt to relax security should be greeted by disclaimers about the security of the software being compromised at your own risk. And, generations-old encryption would never qualify as "secure" in today's world.
(Score: 0) by Anonymous Coward on Monday April 06 2020, @01:08AM (1 child)
The problem is that "safe" and "secure" are non-specific and on a continuum of values. Therefore, flat, generic claims like that are probably going to be considered "puffery" and not subject to a false-advertising suit. The only one you could arguably get traction on is "encrypted," but even the worst of encryption schemes is still "encrypted," and "256-bit," if 256 bit encryption isn't used anywhere in the stack, as both of those could be construed as black-and-white, specific claims about the product. False advertising claims are for objective claims like "new engine" or "clean title," not subjective ones like "runs good" or "better than the competition."
(Score: 2) by Runaway1956 on Monday April 06 2020, @01:37AM
I think you've put your finger on the problem. Standards. Advertising should measure up to standards. In 2001, it would have been legitimate to advertise 128-bit encryption as "safe, secure encryption". In 2020, not so much. More, in today's world, it is rapidly becoming negligent to assign default passwords that will be reused again and again. Every instance of this software should force the generation of a new password for people needing to join the conference.
Standards are important in all software, of course. Standards in advertising should also be a thing. Maybe Zoom isn't guilty of false advertising, but a strong case for negligence can be made here.
(Score: -1, Troll) by Anonymous Coward on Sunday April 05 2020, @04:15AM (1 child)
Nobody cares about your dork concerns and cryptonerd fantasies. What else is there? Email? Reading is for fags. I have business to get done.
(Score: 0) by Anonymous Coward on Sunday April 05 2020, @05:03AM
most likely business on his knees
(Score: 2) by turgid on Sunday April 05 2020, @10:08AM
I've used BlueJeans once for work for videoconferencing. How bad is that in comparison? And what are all the options for videoconferencing in general?
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 0, Touché) by Anonymous Coward on Sunday April 05 2020, @10:21AM (1 child)
WTF has this website become a marketing arm for Zoom? Isn't there anything else to write about?
(Score: 2, Informative) by Anonymous Coward on Sunday April 05 2020, @11:24AM
(Score: 2) by turgid on Sunday April 05 2020, @12:18PM (2 children)
I just did a search for free video conferencing applications, and I found one called Jitsi [jitsi.org] which is allegedly FOSS and lets you host your own server. Does anyone have any experience with it?
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 1, Interesting) by Anonymous Coward on Sunday April 05 2020, @01:15PM
Jitsi Meet is based on WebRTC. A two-person call will use peer-to-peer mode if the browser supports it. More participants are realyed through the central server; encryption is not end-to-end, but end-to-middle-to-end (but you can run your own server). If you have sufficient bandwidth to the server your client will send high-res, standard-res, and low-res frames and the server will dynamically relay one of those to other participants based on their bandwidth. By default room names are correct-horse-battery-staple style and you can optionally add a password to a room.
(Personally, I'm use Jitsi and only Jitsi for my personal, small-group conferencing through this (my employer subscribed to webex last week for business use).)
(Score: 2, Informative) by webnut77 on Sunday April 05 2020, @06:34PM
(Score: -1, Troll) by Anonymous Coward on Sunday April 05 2020, @03:38PM
In the mad rush to put everyone under house arrest, due diligence was tossed out.
(Score: 1, Interesting) by Anonymous Coward on Sunday April 05 2020, @07:16PM
Who gives a shit? Many, and probably most, of us here have never heard of this software before covid.
Stop feeding into news meme cycles. Cover something more interesting. Or... just don't post anything if there are no good stories.