posted by Fnord666 on Monday April 13 2020, @06:48AM
from the not-a-great-choice dept.

Zoom admits data got routed through China - Business Insider:

In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.

"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."

He did not say how many users were affected.

During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.

This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.

Separately, researchers at the University of Toronto also found Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.

[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.

Zoom did not immediately respond to Business Insider's request for comment and clarification.

Related Stories

Student Privacy Laws Still Apply if Coronavirus Just Closed Your School 6 comments

Student privacy laws still apply if coronavirus just closed your school:

Hundreds of colleges and universities are suddenly shutting their doors and making a rapid switch to distance learning in an effort to slow the spread of novel coronavirus disease. Likewise, hundreds of K-12 districts nationwide have either already followed suit or are likely to in the coming days.

[...] Even when all of the immediate logistical and technical needs have been triaged and handled, though, there remains another complicating factor. While the United States doesn't have all that much in the way of privacy legislation, we do, in fact, have a law protecting some student educational data. It's called the Family Educational Rights and Privacy Act, or FERPA.

FERPA applies to both written and digital student records. For students under age 18, the provisions about what may (or must) be shared or not shared apply to their parents or guardians. Once a student turns 18, the protections transfer to them directly. The provisions also apply directly to any student enrolled in a college, even if that student is not yet 18 (such as in community college dual-enrollment programs for high school juniors and seniors).

The act prohibits "improper disclosure" to third parties of personally identifiable information (PII) derived from student records. Schools are not prohibited from allowing vendors access to information for the purpose of providing services—you can use third-party digital tools for administrative and educational purposes without being in violation of the law. But the school may then be held responsible if the vendors then do shady things with student data.

[...] Software platforms allowing videoconferencing, recording, and screen sharing have all seen a massive spike in use in recent weeks. Microsoft, Google, Slack, and Zoom are all offering discounts or extra features to businesses, groups, and individuals to help with the everything-from-home era in which we (hopefully temporarily) find ourselves. Not all of those tools, many of which are designed for enterprise use, are necessarily going to be compliant with educational regulations.

[...] In 2013, a group of students sued Google over its "creepy" data-mining from Google Apps for Education tools. Google ended the practice in 2014, only to be sued again in 2016 by a group of current and former university students alleging their data was collected and retained from their Google academic accounts in violation of the Electronic Communications Privacy Act.

Original Submission

School Quits Video Calls After Naked Man ‘Guessed’ the Meeting Link 12 comments

School quits video calls after naked man 'guessed' the meeting link – TechCrunch:

A school in Norway has stopped using popular video conferencing service Whereby after a naked man apparently "guessed" the link to a video lesson.

According to Norwegian state broadcaster NRK, the man exposed himself in front of several young children over the video call. The theory, according to the report, is that the man guessed the meeting ID and joined the video call.

One expert quoted in the story said some are "looking" for links.

Last year security researchers told TechCrunch that malicious users could access and listen in to Zoom and Webex video meetings by cycling through different permutations of meeting IDs in bulk. The researchers said the flaw worked because many meetings were not protected by a passcode.

Original Submission

Now That Everyone's Using Zoom, Here Are Some Privacy Risks You Need to Watch Out For 24 comments

Now that everyone's using Zoom, here are some privacy risks you need to watch out for:

Now that you've finished choosing your custom Zoom background, mercifully sparing your fellow workers-from-home the sight of a growing pile of gym socks behind your desk, you might think you've got a handle on the conference call software du jour. Unfortunately, there are a few other data security considerations to make if you want to hide your dirty laundry.

Privacy experts have previously expressed concerns about Zoom: In 2019, the video-conferencing software experienced both a webcam hacking scandal, and a bug that allowed snooping users to potentially join video meetings they hadn't been invited to. This month, the Electronic Frontier Foundation cautioned users working from home about the software's onboard privacy features.

[...] Here are some of the privacy vulnerabilities in Zoom that you should watch out for while working remotely.

[...] Tattle-Tale
Whether you're using Zoom's desktop client or mobile app, a meeting host can enable a built-in option which alerts them if any attendees go more than 30 seconds without Zoom being in focus on their screen.

Elon Musk's SpaceX Bans Zoom over Privacy Concerns 14 comments

Elon Musk's SpaceX bans Zoom over privacy concerns - memo:

[...] In an email dated March 28, SpaceX told employees that all access to Zoom had been disabled with immediate effect.

"We understand that many of us were using this tool for conferences and meeting support," SpaceX said in the message. "Please use email, text or phone as alternate means of communication."

[...] NASA, one of SpaceX's biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency.

The Federal Bureau of Investigation's Boston office on Monday issued a warning about Zoom, telling users not to make meetings on the site public or share links widely after it received two reports of unidentified individuals invading school sessions, a phenomenon known as "zoombombing."

Also consider that one way to claim to have "end to end encryption" is to simply re-define the term. Zoom Meetings Aren't End-to-End Encrypted, Despite Misleading Marketing:

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Automated Tool Can Find 100 Zoom Meeting IDs Per Hour 7 comments

Automated tool can find 100 Zoom meeting IDs per hour:

An automated tool developed by security researchers is able to find around 100 Zoom meeting IDs in an hour and information for nearly 2,400 Zoom meetings in a single day of scans, according to a new report from security expert Brian Krebs.

Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, made a program called zWarDial that can automatically guess Zoom meeting IDs, which are nine to 11 digits long, and glean information about those meetings, according to the report.

In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting's Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.

Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning

— briankrebs (@briankrebs) April 2, 2020

Original Submission

Security and Privacy Implications of Zoom 28 comments

Security and Privacy Implications of Zoom - Schneier on Security:

Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.

In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

Now security: Zoom's security is at best sloppy, and malicious at worst. Motherboard reported that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:

"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday.

Finally, bad user configuration. Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right you're leaving yourself open to all sort of mischief.

'The Phone Slipped Into the Bath': Conference Call Tales 37 comments

'The phone slipped into the bath': Conference call tales:

"I was on a call last week and a colleague's half-naked boyfriend walked behind her," recalls communications consultant Jason Nisse.

His experience illustrates the pitfalls of videoconferencing, a technology that thousands of workers are getting used to as they attempt to work from home.

In one (genuine) email doing the rounds, a financial services worker is told: "Your screen is visible and we can all see you watching porn in between enquiries."

Teleconferencing apps like Zoom, Microsoft Teams and Google Meet are reporting dramatic user increases.

For many of us, this means getting to grips with a whole new way of working. Line quality, technology problems and of course user ineptitude add kerfuffle to meetings. Making sure everyone understands how the technology works can save a huge amount of time when it comes to the meeting going live.

Some bosses have also realised that conference calls show just how meetings are populated with staff who don't really need to be there. Cutting down the number of people involved also cuts down on the amount of unwanted noise.

Heavy breathing, sniffing, coughing, dogs and doorbells can all be dispatched by shutting off the microphone with the mute button.

Even without video, conference calls can be revealing.

"I remember a client was on a call while in the bath, and you could hear splashing and the tap running. He then realised the microphone was on and the phone slipped into the bath. Gurgle gurgle gurgle. He jumped out the bath to get another phone, slid and fell down the stairs," recalls Neil Henderson from Zurich Insurance.

Come on - share your best stories!

Original Submission

Scrutiny Needed for Teleconferencing Software and Their Backing Companies 16 comments

Zoom has had a meteoric rise as a result of the SARS-CoV-2 outbreak. Jitsi and other useful teleconferencing tools are not very well known, though still widely used. Nearly all the buzz has been about the newcomer instead, but few have actually evaluated it. One group has. The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, at the University of Toronto, has investigated Zoom briefly, covering both the technology, especially its lack of encryption, and the company itself:

Key Findings

  • Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
  • The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
  • Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

In a nutshell, throughout the mad rush to adopt teleconferencing software, due diligence has been largely abandoned and licenses left unread and software unevaluated. More scrutiny was needed, and still is needed, when acquiring and deploying software. That goes double for communications software.
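As an added illustration (not code from the Citizen Lab report or from Zoom) of the first key finding above, and of the GCM mode Zoom later announced for its meetings, the program below encrypts a constructed "video frame" with a repeated background under AES-128 in ECB mode and under AES-128-GCM, then counts how many ciphertext blocks repeat. The key, the frame contents and the block-counting check are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the raw AES block function to each 16-byte block
// independently, which is all ECB mode is. Go's standard library has no ECB
// helper, for the reason this example demonstrates, so the loop is explicit.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// gcmEncrypt encrypts pt with AES-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag, so repeated plaintext blocks share nothing.
func gcmEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// duplicateBlocks counts 16-byte blocks that repeat an earlier block of the
// same buffer; on ciphertext this is the pattern an eavesdropper can see.
func duplicateBlocks(buf []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+16 <= len(buf); i += 16 {
		k := string(buf[i : i+16])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// sampleFrame is a constructed stand-in for a video frame: a uniform
// background of 30 identical blocks with a 2-block "foreground" region.
func sampleFrame() []byte {
	frame := bytes.Repeat([]byte{0x10}, 16*32)
	copy(frame[16*10:16*12], bytes.Repeat([]byte{0xab}, 32))
	return frame
}

func main() {
	key := bytes.Repeat([]byte{0x01}, 16) // constructed AES-128 key, shared by all "participants"
	pt := sampleFrame()
	ecb, _ := ecbEncrypt(key, pt)
	gcm, _ := gcmEncrypt(key, pt)
	fmt.Printf("plaintext:   %d repeated blocks\n", duplicateBlocks(pt))
	fmt.Printf("AES-128-ECB: %d repeated blocks\n", duplicateBlocks(ecb))
	fmt.Printf("AES-128-GCM: %d repeated blocks\n", duplicateBlocks(gcm))
}
```

ECB reproduces all 30 repeats of the frame in the ciphertext, so the layout of the picture survives encryption, while the GCM output shows none.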


Original Submission

Senator Mad That Zoom Not Actually Offering the Encryption His Law Will Outlaw 20 comments

While this is quasi-related to the recent Zoom article on SN, this is mostly about attempting to outlaw End To End Encryption.

From TechDirt:
Senator Blumenthal Is Super Mad That Zoom Isn't Actually Offering The End To End Encryption His Law Will Outlaw

Richard Blumenthal has been attacking internet services he doesn't understand since before he was even a US Senator. It has carried over into his job as a Senator, and was abundantly obvious in his role as a co-sponsor for FOSTA. His hatred of the internet was on clear display during a hearing over FOSTA in which he flat out said that if smaller internet companies couldn't put in place the kind of infrastructure required to comply with FOSTA, that they should go out of business. Blumenthal's latest ridiculous bit of legislation lose your Section 230 protections. And while Blumenthal likes to pretend that the EARN IT Act doesn't target encryption, he also lied about FOSTA and insisted it had no impact on CDA 230 (which it directly amended).

But Blumenthal has now taken his ridiculousness up a notch. Following the (legitimately concerning) reports that the suddenly incredibly popular videoconferencing software Zoom was not actually providing end-to-end encrypted video chats (despite its marketing claims), Blumenthal decided to step in and play the hero sending an angry letter to the company, while linking to the Intercept's original story about Zoom's misleading claims about encryption:

Millions of Americans are now using @zoom_us to attend school, seek medical help, & socialize with their friends. Privacy & cybersecurity risks shouldn't be added to their list of worries. I'm calling for answers from Zoom on how it handles our private data.

        — Richard Blumenthal (@SenBlumenthal) March 31, 2020

So outlaw end to end encryption. When a company pretends to offer end to end encryption, but actually doesn't, then feign outrage over the lack of privacy; the privacy you want to deny everyone with your own legislation.

Are you confused yet?

Original Submission

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform 21 comments

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform:

Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company's massive user base.

"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once," Eric Yuan, CEO of Zoom, said in a statement.

Zoom said it would offer an end-to-end encrypted meeting mode to all paid accounts.

[...] "This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses," Yuan wrote in a blog post. "Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase's experienced team will be a critical part of this mission."

Details on Zoom's encryption roadmap are available on the Zoom blog.

(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-17) Looking for Alternative, Self-Hosted Audio (or Video) Chat Services
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China

Also at TechCrunch and The Verge.

Original Submission

Zoom Will Provide End-to-End Encryption to All Users 23 comments

Zoom will provide end-to-end encryption to all users:

Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.

"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.

"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."

This update in Zoom's plans comes after the company announced on May 27 that E2EE will be available only to paying customers, with free/basic users to only get access to 256-bit GCM encryption.

[...] To provide all Zoom users with access to E2EE, Yuan says that they will first have to verify their accounts through various means, such as by verifying their phone numbers via text messages.

  • (Score: 2, Troll) by Runaway1956 on Monday April 13 2020, @07:11AM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Monday April 13 2020, @07:11AM (#981868) Journal

    Isn't the world upset over geofencing?

    We've finally beat Medicare! - Houseplant in Chief
    • (Score: 0) by Anonymous Coward on Monday April 13 2020, @02:01PM

      by Anonymous Coward on Monday April 13 2020, @02:01PM (#981963)

      Some call it quackery but many Westerners are wary of potential for contracting a zoomnotic virus.

      /me ducks

  • (Score: 2, Disagree) by MostCynical on Monday April 13 2020, @08:05AM (2 children)

    by MostCynical (2589) on Monday April 13 2020, @08:05AM (#981878) Journal

    So the Chinese now know (possibly) the IP and MAC addresses of a few people.

    If unencrypted, they may also know that CR038 failed two of the end-to-end test cases.

    If your company is working on cutting-edge research and/or development, use properly tested, encrypted software (or have your company ban using zoom - cf Tesla)

    Otherwise, so what?

    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 1, Insightful) by Anonymous Coward on Monday April 13 2020, @11:16AM (1 child)

      by Anonymous Coward on Monday April 13 2020, @11:16AM (#981909)
      My relatives had a big zoom meeting to wish happy birthday to a 90+ year old relative. Think of all the schools, churches etc using zoom (before the security issues, bans etc).

      Will be hilarious if the Chinese Gov is spending resources to sift through all that. Storing all that successfully will make the network, hardware and HDD manufacturers very happy. As they say- like drinking from a firehose.

      If you want to troll them, continue using Zoom for very public stuff but randomly mention uighur, tiananmen, xinjiang, jihad and other juicy keywords.
  • (Score: 4, Insightful) by hendrikboom on Monday April 13 2020, @01:18PM (5 children)

    by hendrikboom (1125) Subscriber Badge on Monday April 13 2020, @01:18PM (#981941) Homepage Journal

    Those seriously concerned with security would be running teleconferencing software on their own servers.

    -- hendrik

    • (Score: 0) by Anonymous Coward on Monday April 13 2020, @04:55PM

      by Anonymous Coward on Monday April 13 2020, @04:55PM (#982074)


      I wish that were true, but I know too many techies who believe the promises of big companies. If they say "end to end encrypted" you'll get a lot of people trusting it. The number of people who have repeated the claim of long passwords taking exponentially longer to decrypt is staggering. They don't realize the number of ways crypto can be compromised.

      I'm sure you're correct for certain instances like a meeting where actual data/specs are being discussed, but corporate espionage can involve a lot of mundane type of information that a manager might not think is a big deal.

    • (Score: 2) by legont on Monday April 13 2020, @04:59PM (3 children)

      by legont (4179) on Monday April 13 2020, @04:59PM (#982075)

      My employer which is a large bank and very much concerned is using Zoom simply because nothing else currently reliably works - our own net is overloaded as is and we need our bandwidth to provide service to the customers - you.

      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 0) by Anonymous Coward on Monday April 13 2020, @07:27PM

        by Anonymous Coward on Monday April 13 2020, @07:27PM (#982168)


      • (Score: 1, Insightful) by Anonymous Coward on Tuesday April 14 2020, @01:08AM

        by Anonymous Coward on Tuesday April 14 2020, @01:08AM (#982325)

        Why are businesses freaking out about needing to see people on a video conference? What's wrong with the good old fashioned telephone conference with slides sent out beforehand? There is even software to share computer screens for remote presentations where you don't need to turn on any cameras. Why is everyone running to Zoom (especially even when other solutions existed before anyone heard of them last year)? Is this just simple social media herd mentality?

      • (Score: 2) by hendrikboom on Tuesday April 14 2020, @02:56AM

        by hendrikboom (1125) Subscriber Badge on Tuesday April 14 2020, @02:56AM (#982381) Homepage Journal

        I was going to suggest jitsi, which is free software that will run on your own server (and which I haven't tried yet myself), but ... if your net connexion is overloaded, I see your point.

        I presume you have some way of using zoom without a net connexion?

        -- hendrik

  • (Score: 2) by Rosco P. Coltrane on Monday April 13 2020, @05:22PM (1 child)

    by Rosco P. Coltrane (4757) on Monday April 13 2020, @05:22PM (#982087)

    China does not enforce strict data privacy laws

    That one has to be the understatement of the year.

    • (Score: 2) by DannyB on Monday April 13 2020, @05:39PM

      by DannyB (5839) Subscriber Badge on Monday April 13 2020, @05:39PM (#982097) Journal

      Also: China does not enforce strict data piracy laws.

      Trump is a poor man's idea of a rich man, a weak man's idea of a strong man, and a stupid man's idea of a smart man.