from the all-your-keybase-are-belong-to-us dept.
Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform:
Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company's massive user base.
"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once," Eric Yuan, CEO of Zoom, said in a statement.
Zoom said it would offer an end-to-end encrypted meeting mode to all paid accounts.
[...] "This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses," Yuan wrote in a blog post. "Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase's experienced team will be a critical part of this mission."
Details on Zoom's encryption roadmap are available on the Zoom blog.
Previously:
(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-17) Looking for Alternative, Self-Hosted Audio (or Video) Chat Services
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China
Also at TechCrunch and The Verge.
Related Stories
Zoom admits data got routed through China - Business Insider:
In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
He did not say how many users were affected.
During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.
This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.
Separately, researchers at the University of Toronto also found Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.
[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.
Zoom did not immediately respond to Business Insider's request for comment and clarification.
Over 500,000 Zoom accounts sold on hacker forums, the dark web:
Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.
These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.
Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.
Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.
These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.
In the below example, 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.
With all of the Pandemic precautions that have been put into effect, many people are turning to "free" on-line conferencing services. As the saying goes, "If you are not paying for the service, you are the product". And, even if paid for (by yourself or by an employer), that does not mean freedom from having your information mined for advertising or other purposes.
I've not used any of the following, so please forgive me if I got the product names incorrect. Here are some of the big "free" services that I've seen mentioned: Zoom (whose security issues have been cited many times on SoylentNews), Apple (Group Facetime), Google (Hangouts), Facebook (Facebook Live) and Microsoft (Teams).
I suspect many Soylentils have now acquired some experience with on-line conferencing. I am hoping to draw upon your experience. Better still, I would love to see development and proliferation of alternatives to the "Big Names". Solutions that are self-hosted and as free as reasonably possible from the prying eyes of the big, data-warehousing corporations. Open source — free as in beer and libre — would be good, too.
Zoom: Every security issue uncovered in the video chat app:
As the coronavirus pandemic forced millions of people to stay home over the past month, Zoom suddenly became the video meeting service of choice: Daily meeting participants on the platform surged from 10 million in December to 200 million in March.
With that popularity came Zoom's privacy risks extending rapidly to massive numbers of people. From built-in attention-tracking features to recent upticks in "Zoombombing" (in which uninvited attendees break into and disrupt meetings with hate-filled or pornographic content), Zoom's security practices have been drawing more attention -- along with at least three lawsuits against the company.
Here's everything we know about the Zoom security saga, and when it happened. If you aren't familiar with Zoom's security issues, you can start from the bottom and work your way up to the most recent information. We'll continue updating this story as more issues and fixes come to light.
The story provides a day-by-day list with details of what was reported. Apologies as there are no anchors in the story to which we could provide links. The dates and headlines are excerpted below. See the original story for the details.
This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time:
Video conferencing apps like Zoom and Skype are usually boring and often frustrating. With more people than ever using this software to work from home, users are finding new ways to spice up endless remote meetings and group hangs by looping videos of themselves looking engaged, adding wacky backgrounds, and now, using deepfake filters for impersonating celebrities when you're tired of your own face staring back at you in the front-facing camera window.
Avatarify is a program that superimposes someone else's face onto yours in real-time, during video meetings. The code is available on Github for anyone to use.
Programmer Ali Aliev used the open-source code from the "First Order Motion Model for Image Animation," published on the arxiv preprint server earlier this year, to build Avatarify. First Order Motion, developed by researchers at the University of Trento in Italy as well as Snap, Inc., drives a photo of a person using a video of another person—such as footage of an actor—without any prior training on the target image.
With other face-swap technologies, like deepfakes, the algorithm is trained on the face you want to swap, usually requiring several images of the person's face you're trying to animate. This model can do it in real-time, by training the algorithm on similar categories of the target (like faces).
"I ran [the First Order Model] on my PC and was surprised by the result. What's important, it worked fast enough to drive an avatar real-time," Aliev told Motherboard. "Developing a prototype was a matter of a couple of hours and I decided to make fun of my colleagues with whom I have a Zoom call each Monday. And that worked. As they are all engineers and researchers, the first reaction was curiosity and we soon began testing the prototype."
Zoom will provide end-to-end encryption to all users:
Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.
"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.
"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."
This update in Zoom's plans comes after the company announced on May 27 that E2EE will be available only to paying customers, with free/basic users to only get access to 256-bit GCM encryption.
[...] To provide all Zoom users with access to E2EE, Yuan says that they will have to first verify their accounts through various means such as by verifying their phone numbers via text messages.
(Score: 2, Insightful) by Anonymous Coward on Thursday May 07 2020, @10:46PM
All your base are belong to us.
(Score: 4, Insightful) by looorg on Thursday May 07 2020, @10:54PM
Owning it and integrating it could be two different issues; it might be easier said than done and turn into some slow and bug-ridden piece of crap. But perhaps that doesn't matter to them.
(Score: 5, Insightful) by Booga1 on Thursday May 07 2020, @11:36PM
Translation: We lied. We never actually had the features we claimed to have, but it's OK! We swear others didn't have that stuff either. At least, they didn't have all of them at once. We promise we'll have all of them someday. Please don't abandon us, because we just spent a bunch of money to buy a company that does one of the things we totally meant to have in place before we lied about it. As for the rest of the stuff we lied about, we're totally gonna fix that. Won't you trust us just a little bit longer, at least until we can offload our stock portfolios?
(Score: 1, Funny) by Anonymous Coward on Thursday May 07 2020, @11:36PM
They had end-to-end encryption a few months ago, until some idiot in legal removed the feature.
(Score: 2) by Runaway1956 on Friday May 08 2020, @01:46AM (1 child)
I thought the people doing the zoom bombing were just looking around for doors hanging open, and "inviting" themselves to the meeting. Encryption keys will be distributed when, exactly? At time of invitation? Or, when the parties enter the meeting? If keys are handed out like door prizes upon entry, encryption will do nothing about the zoom bombing we've read about. I won't argue against secure encryption, but it seems that Zoom's primary focus should be elsewhere.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 1) by AHuxley on Friday May 08 2020, @03:26AM
Look at what Keybase offers.
2 people chatting, the GUI use and website chat use.
(Score: 4, Insightful) by lentilla on Friday May 08 2020, @04:16AM (5 children)
Firstly - a statement: surely it would have been both cheaper and easier to implement this feature using libre software? Cheaper because you don't have to pay for free software, and easier because you still have to bolt the pieces together and libre encryption software has been designed for just this purpose without the fees and time-lag associated with the vertical integration consultant mob.
Cynically: my gut tells me this acquisition is pure spin. Implementing encryption does not require purchasing a whole company - but it does give the CEO a way to deflect bad press.
Secondly - a question. I know how end-to-end encryption works person-to-person but I don't see how it works (efficiently) in a group chat. Assuming Alice, Bob and Charlie want to chat securely - the only ways I can see are for each client to connect peer-to-peer in three distinct streams (AB AC BC), or using a hub-and-spoke solution (AH BH CH) where the hub aggregates and forwards. In both cases all parties need keys to decrypt all other parties' messages. Do other better solutions exist?
Cynically: they won't implement it properly. Even if they manage to defeat Hanlon's Razor ("never attribute to malice that which is adequately explained by stupidity") they won't be allowed to do so and survive by various nation states.
(Score: 1, Insightful) by Anonymous Coward on Friday May 08 2020, @05:14AM
If it was open source, the customers would either have reason to believe their marketing, or have proof that the marketed features don't work as advertised. Hmm.
As for buying a company, they also just acquired a bunch of developers who have recent end-to-end encryption software on their resumes - probably a lot easier than finding them somewhere else.
(Score: 2) by deimtee on Friday May 08 2020, @06:35AM (3 children)
One way I could see it working is if one participant was designated "the hub". You could have the clients negotiate amongst themselves to see which machine had the most spare compute capacity. Reduces the effective number of participants and streams by one.
That way if say A was designated Hub, your AH - BH - CH system becomes HB-HC. If you were going to do this a lot, you would probably designate a powerful machine for it, and the system devolves into simply having a private hub.
That's probably good enough anyway. Remember: "Three can keep a secret, if two are dead". If you have more than four or five participants stuff is probably going to leak even if the video chat security is perfect.
...
I just thought of a useful improvement. Most of the video conferencing I have done has involved people spread over two or three sites, with maybe one or two connecting from outside. You could designate a hub at any site where you have a LAN. If you had two facilities, everyone at site A connects to Hub A and at site B to Hub B. The two hubs then talk to each other, and to external participants. Still heavy on the local network, but reduces the external traffic a lot. If you trust your internal network, you would only need encryption on the H-H and H-Ext links.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 0) by Anonymous Coward on Friday May 08 2020, @09:12AM
They all get the same data from the other people. They could either use a broadcast key, where all participants in a particular call use the same key to talking to the whole group, or a multicast key, where each participant uses the same key to send their data to everyone else. For key security, it would be a per-session key, where a session is defined as a new person entering/exiting and it would roll over every X amount of time/data. The actual exchange would happen over public-key encryption using part of the account info to authenticate it. All the hub would have to do is relay the key exchanges, set up the UDP hole punching, and forward any firewalled user data.
That is a rough sketch off the top of my head, there is probably a better way but it is hardly impossible.
(Score: 0) by Anonymous Coward on Saturday May 09 2020, @01:12PM (1 child)
Quite a while ago i played with an e-mail encryption add-on whose name I no longer remember but I believe it used PGP. Anyhow, as I recall the technique for writing to several recipients was fairly straight-forward. A very big random encryption key was created and then used with an extremely fast *symmetric* encryption algorithm. The random key was then encrypted with the public key of each recipient. And the entire mess was then transmitted as the message to each recipient. Thus each recipient could decrypt the random key and use it to decrypt the actual message. In any case, this is how I would do it if I were Zuckerberg.
(Score: 0) by Anonymous Coward on Sunday May 10 2020, @03:38AM
I was going to reply to my comment, but I'll respond to yours so you can see it too.
There is already an RFC [ietf.org] for this. Interestingly, it was also written by Zimmermann, who was key to the invention of PGP. While a little out of date in the security department, the baseline is very solid. It also isn't a lot of work to extend that to support multiple users or broadcast situations with the same key.
(Score: 3, Insightful) by bradley13 on Friday May 08 2020, @07:38AM (7 children)
In the last few weeks, I've used various platforms, but somehow Zoom hasn't been one of them. Can someone explain why/how Zoom suddenly became so popular? Does it actually have a better interface than other platforms? Or was it just good marketing?
I had my last teleconference yesterday evening. All of the software I've used so far basically sucks. Transmission quality is variable at best, unless everyone is on fiber. When things inevitably degrade, the fallback behavior is poor (example: audio should be prioritized over video). Obvious features are missing. The software is seriously unimpressive...
Anyhow, Zoom: Advertising what they don't have, and using this to justify a massive IPO. This would be a great time for some of those famous American lawsuits. That sort of behavior needs to be seriously penalized.
Everyone is somebody else's weirdo.
(Score: 4, Insightful) by MostCynical on Friday May 08 2020, @07:53AM (5 children)
Zoom is very very easy.
it 'just works'. Grandparents, 7 year olds, anyone can just make it work.
The web ("online") version is basically the same as the application (minus a few options around meeting controls)
Skype for business isn't cheap. Skype is okay, but clunky. MS Teams/Lync is very good, but overkill for most people.
40 minutes free for .. free is pretty good and completely enough for most people.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by turgid on Friday May 08 2020, @10:15AM
I've never done videoconferencing before, until the lockdown (newfangled nonsense) but I've been using Jitsi [jitsi.org]. It's FOSS, you can run your own sever if you want to, and it's easy to use: this link starts a meeting instantly [meet.jit.si].
Why Zoom? Well, it has a groovy name and it's payware (people like payware - "it must be good") but they let you have a few minutes free.
I've been using Jitsi at home and at work.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by corey on Friday May 08 2020, @11:33PM (3 children)
Wife was saying that it has a feature where the host can break groups of participants out into isolated groups and then join then all back up, like a lot of training sessions. This is a useful feature in business, and AFAIK is not present in any other client.
I really dislike zoom though and have refused to use it at work.
(Score: 2) by MostCynical on Friday May 08 2020, @11:39PM (2 children)
also possible in teams, which is geared to online learning groups.
if you have refused to use it, do they just not invite you to meetings, or are you senior enough that they use something else to talk to you?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by corey on Saturday May 09 2020, @03:01AM (1 child)
Bit of both. We normally use Cisco WebEx but there have been a couple of roadshows from the CEO in zoom, didn't attend those. I also have lobbied IT to refuse it, I think my knowledge of crypto and security is greater than theirs.
(Score: 0) by Anonymous Coward on Sunday May 10 2020, @03:27AM
No, their understanding of who writes their checks or can make their life hell is better than yours. If the CEO tells IT they want to do something and IT tells them "no," then they better have a reason the CEO can understand and accept. Otherwise, they are getting in the way of the perceived profit centers for no good reason. And people who get in the way of profit for no good reason are liabilities, not assets. And in business, a liability gets dealt with, which means they get fired, or worse. And people who get fired or worse either don't get their checks or have their life made hell.
(Score: 3, Interesting) by corey on Friday May 08 2020, @11:36PM
We use WebEx a lot. The other day while in a meeting I had a look at the session technical stats and it said it was using x264 video and opus audio. That's pretty good, only x265 or VP9 is better. But data rate was only about 200KBps. I'm on a 50mbps link. So it's not trying to be high quality.
(Score: 0) by Anonymous Coward on Friday May 08 2020, @01:46PM
I've been using Keybase for years, and it's been a great tool. The Stellar stuff was a distraction. But the tools worked great. And now Zoom buys them. I fear this is step 1 in the Keybase tools going behind a paywall/subscription, or getting left to rot. I hope they can open source their code before Zoom ruins it all.