Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday June 19 2020, @06:13PM   Printer-friendly
from the grudging-acquiescence dept.

Zoom will provide end-to-end encryption to all users:

Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.

"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.

"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."

This update in Zoom's plans comes after the company announced on May 27 that E2EE will be available only to paying customers, with free/basic users to only get access to 256-bit GCM encryption.

[...] To provide all Zoom users with access to E2EE, Yuan says that they will have first verify their accounts through various means such as by verifying their phone numbers via text messages.

"Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts," Yuan explained.

"We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse."

An initial draft cryptographic design for Zoom's planned E2EE offering was published on GitHub on May 22 and a second updated version was committed today (a list of all the changes is available here).

According to an update to the company's 90-day security plan, "end-to-end encryption won't be compatible with an older version of the Zoom client, and all participants must have an E2EE-enabled client to join the meeting."

The company also said that it will not force users with free accounts to use E2EE as both free and paid users will have the choice to enable it for their meetings.

Previously:
(2020-06-06) Zoom Says Free Users Won’t Get End-to-End Encryption so FBI and Police Can Access Calls
(2020-05-07) Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform
(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China


Original Submission

Related Stories

Zoom Admits Data Got Routed Through China 13 comments

Zoom admits data got routed through China - Business Insider:

In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.

"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."

He did not say how many users were affected.

During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.

This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.

Separately, researchers at the University of Toronto also found  Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.

[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.

Zoom did not immediately respond to Business Insider's request for comment and clarification.

Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web 8 comments

Over 500,000 Zoom accounts sold on hacker forums, the dark web:

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.

These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.

In the below example, 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.


Original Submission

Every Security Issue Uncovered so far in the Zoom Video Chat App 8 comments

Zoom: Every security issue uncovered in the video chat app:

As the coronavirus pandemic forced millions of people to stay home over the past month, Zoom suddenly became the video meeting service of choice: Daily meeting participants on the platform surged from 10 million in December to 200 million in March.

With that popularity came Zoom's privacy risks extending rapidly to massive numbers of people. From built-in attention-tracking features to recent upticks in "Zoombombing" (in which uninvited attendees break into and disrupt meetings with hate-filled or pornographic content), Zoom's security practices have been drawing more attention -- along with at least three lawsuits against the company.

Here's everything we know about the Zoom security saga, and when it happened. If you aren't familiar with Zoom's security issues, you can start from the bottom and work your way up to the most recent information. We'll continue updating this story as more issues and fixes come to light.

The story provides a day-by-day list with details of what was reported. Apologies as there are no anchors in the story to which we could provide links. The dates and headlines are excerpted below. See the original story for the details.

This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time 20 comments

This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time:

Video conferencing apps like Zoom and Skype are usually boring and often frustrating. With more people than ever using this software to work from home, users are finding new ways to spice up endless remote meetings and group hangs by looping videos of themselves looking engaged, adding wacky backgrounds, and now, using deepfake filters for impersonating celebrities when you're tired of your own face staring back at you in the front-facing camera window.

Avatarify is a program that superimposes someone else's face onto yours in real-time, during video meetings. The code is available on Github for anyone to use.

Programmer Ali Aliev used the open-source code from the "First Order Motion Model for Image Animation," published on the arxiv preprint server earlier this year, to build Avatarify. First Order Motion, developed by researchers at the University of Trento in Italy as well as Snap, Inc., drives a photo of a person using a video of another person—such as footage of an actor—without any prior training on the target image.

With other face-swap technologies, like deepfakes, the algorithm is trained on the face you want to swap, usually requiring several images of the person's face you're trying to animate. This model can do it in real-time, by training the algorithm on similar categories of the target (like faces).

"I ran [the First Order Model] on my PC and was surprised by the result. What's important, it worked fast enough to drive an avatar real-time," Aliev told Motherboard. "Developing a prototype was a matter of a couple of hours and I decided to make fun of my colleagues with whom I have a Zoom call each Monday. And that worked. As they are all engineers and researchers, the first reaction was curiosity and we soon began testing the prototype."


Original Submission

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform 21 comments

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform:

Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company's massive user base.

"There are en-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once," Eric Yuan, CEO of Zoom, said in a statement.

Zoom said it would offer an end-to-end encrypted meeting mode to all paid accounts.

[...] "This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses," Yuan wrote in a blog post. "Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase's experienced team will be a critical part of this mission."

Details on Zoom's encryption roadmap are available on the Zoom blog.

Previously:
(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-17) Looking for Alternative, Self-Hosted Audio (or Video) Chat Services
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China

Also at TechCrunch and The Verge.


Original Submission

Zoom Says Free Users Won’t Get End-to-End Encryption so FBI and Police Can Access Calls 40 comments

Zoom says free users won't get end-to-end encryption so FBI and police can access calls:

Video calling company Zoom confirmed this week that it won't enable end-to-end encryption for free calls in part because it wants to give law enforcement access to these calls if necessary. "We think this feature should be a part of our offering" for professional customers, said Zoom CEO Eric Yuan in a meeting with investors Tuesday. "Free users — for sure we don't want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose."

Encryption is a key issue for Zoom, which has been attempting to beef up its privacy and security after heavy usage exposed weak points during the COVID-19 pandemic. Reuters reported last week that the company will only roll out high-security end-to-end encryption to paying customers, potentially with exceptions for dissident groups or nonprofits that require the added security.

Additional Coverage At:
Zoom Restricts End-to-End Encryption to Paid Users
Zoom's End-to-End Encryption Will Be for Paying Customers Only
Zoom says free users won't get end-to-end encryption so FBI and police can access calls
Zoom faces criticism for denying free users e2e encryption


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 0) by Anonymous Coward on Friday June 19 2020, @06:16PM (6 children)

    by Anonymous Coward on Friday June 19 2020, @06:16PM (#1010131)

    -New company formed.
    -New company re-creates existent technology in their proprietary product.
    -New company eventually adds more existent technology in their proprietary product.

    None of those steps above I care to read about here.

    • (Score: 2) by Mojibake Tengu on Friday June 19 2020, @06:28PM

      by Mojibake Tengu (8598) on Friday June 19 2020, @06:28PM (#1010141) Journal

      You can establish some kind of a meta-news site, where actual events become generalized to abstract patterns of events.

      That could have a great success, at least as a model of human culture available for study by machines.

      --
      Rust programming language offends both my Intelligence and my Spirit.
    • (Score: 1, Interesting) by Anonymous Coward on Friday June 19 2020, @06:34PM (4 children)

      by Anonymous Coward on Friday June 19 2020, @06:34PM (#1010143)

      I agree. Fuck bleepingcomputer, a MS shill site, and fuck this disgusting slaveware.

      • (Score: 0) by Anonymous Coward on Friday June 19 2020, @06:46PM (1 child)

        by Anonymous Coward on Friday June 19 2020, @06:46PM (#1010147)

        It would be nice if TFAs had the link destination included in brackets like the comments do.

      • (Score: 5, Funny) by DannyB on Friday June 19 2020, @07:20PM (1 child)

        by DannyB (5839) Subscriber Badge on Friday June 19 2020, @07:20PM (#1010165) Journal

        I agree. Fuck bleepingcomputer, a MS shill site, and fuck this disgusting slaveware.

        First, you should not say "slaveware". Try something more politically correct like "Software as a Service (SaaS)", or "In the cloud!".

        Second, while bleepingcomputer may be an MS shill site, the fact that a computer is bleeping does not mean it wants you to have amorous intentions towards it. The CD drive door becomes sticky and difficult to open. Have you tried goats?

        --
        If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
        • (Score: 0) by Anonymous Coward on Saturday June 20 2020, @05:46PM

          by Anonymous Coward on Saturday June 20 2020, @05:46PM (#1010430)

          "Have you tried goats?"

          the line was too long and ilhan omar was taking too long.

  • (Score: 2) by looorg on Friday June 19 2020, @06:23PM (1 child)

    by looorg (578) on Friday June 19 2020, @06:23PM (#1010136)

    So the customers didn't like the idea of "only paying customers gets encryption cause the rest of you are criminal scum that we have to snitch on to the feds!"?

    ... after verifying their accounts by providing additional identification info such as their phone number.

    Nevermind. Apparently you are only worthy of encryption after we have all your contact information. If it's something then they enable I guess it can't be to hard to do, which also can't make it to hard to disable it when needed. I wonder how this verification process will be in reality. Could you just plonk down any old digits and such? Is this GDPR compliant, since you are in essence then building a giant database filled with personal information.

    • (Score: 4, Interesting) by Thexalon on Friday June 19 2020, @06:35PM

      by Thexalon (636) on Friday June 19 2020, @06:35PM (#1010144)

      I would generally also assume that E2EE or no, and absolutely regardless of Zoom's public statements, the list of who is participating in Zoom meetings with whom is being sent to the FBI (for domestic traffic) or NSA (for foreign traffic), and that if those agencies want to tap into anybody's calls they have a way of doing so.

      After all, that's pretty much the deal with phone traffic and most other Internet traffic.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 4, Informative) by Immerman on Friday June 19 2020, @07:34PM (1 child)

    by Immerman (3985) on Friday June 19 2020, @07:34PM (#1010167)

    Translation: The FBI, etc. were pissed that they couldn't eavesdrop on our paying customers, so we back-doored the end-to-end encryption so that they can listen in on everyone again. But we're still going to claim our product is secure, because encryption!

    I suppose there's also a possibility they're requiring real-world authentication to get a free account, so that reported abuse can be traced to a real individual, while still maintaining secure communications. But that seems rather unlikely in this day and age.

    • (Score: 0) by Anonymous Coward on Friday June 19 2020, @08:54PM

      by Anonymous Coward on Friday June 19 2020, @08:54PM (#1010182)

      Yeah, I was just going to say that the built-in back door is well encrypted.

  • (Score: 5, Touché) by DannyB on Friday June 19 2020, @07:43PM (1 child)

    by DannyB (5839) Subscriber Badge on Friday June 19 2020, @07:43PM (#1010168) Journal

    First connection has two endpoints: YOU and Zoom. That is End to End encrypted.

    Second connection has two endpoints: Zoom and other party receiving your message. That is also End to End encrypted.

    What happens to the unencrypted message while it is in the clear at Zoom is left as an exercise for the NSA. Or the highest bidder.

    But it definitely is End to End encrypted. By some definition. Just as a 2 TB drive can be advertised as "2.2 Terabytes!" (2 * 1024^4)

    (Choosing Marketing or Advertising as a profession says a lot about a person.)

    --
    If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
    • (Score: 2) by jmichaelhudsondotnet on Saturday June 20 2020, @02:50PM

      by jmichaelhudsondotnet (8122) on Saturday June 20 2020, @02:50PM (#1010384) Journal

      well said, i would upvote but you are already at 5

      End to end encryption does not mean what it is most often used to mean.

      Like if you think signal and telegram are secure because there are two points in the communication between which it is encrypted, lol.

      I expect at this point the display itself on iphone and android phones is able to route the information displayed to another chip in the phone, or everything typed into the touchscreen, so that between your finger and eyeball and the point at which the E2E(tm) begins, you are already hosed.

      Real security includes the entire device, the entire signal chain, this is fact. Iphones and android phones will never, ever be this. Your only hope is that you arent interesting enough for anyone to look.

      I know I am interesting enough, so I do not bother.

      To actually even think at this level of security at this point is considered by the vast majority to be a mental illness, when it is simply understainding the meaning of the words involved beyond their newspeak definitions.

      The situation is grim.

  • (Score: 3, Funny) by Snotnose on Saturday June 20 2020, @12:01AM

    by Snotnose (1623) on Saturday June 20 2020, @12:01AM (#1010203)

    "Yeah, you have money, we'll keep your stuff private".

    As opposed to

    "You broke assed cracker, you deserve what you get".

    I honestly don't get how the CXX suite did not get this before hand. Then again, I've been with enough startups where the CXX suite had this kind of myopia, if not more.

    --
    Bad decisions, great stories
  • (Score: 2) by Runaway1956 on Saturday June 20 2020, @12:08AM

    by Runaway1956 (2926) Subscriber Badge on Saturday June 20 2020, @12:08AM (#1010205) Journal

    Provide the encryption. No verification, no nothing. Just provide the encryption. Don't try to pass it off as an "advanced feature" or any other bullshit. You either encrypt, or you don't encrypt. Now, STFU and get it done!

    --
    “I have become friends with many school shooters” - Tampon Tim Walz
  • (Score: 3, Informative) by sjames on Saturday June 20 2020, @12:40AM (1 child)

    by sjames (2882) on Saturday June 20 2020, @12:40AM (#1010214) Journal

    Before the curent kerfluffel, didn't Zoom actually claim they HAD end to end encryption long before this, then have it come out that they don't actually?

    If so, then they at least owe everyone already using Zoom end to end encryption with no strings and no additional cost just to make that false claim right. (and avoid bait and switch).

    • (Score: 2, Informative) by Anonymous Coward on Saturday June 20 2020, @04:11AM

      by Anonymous Coward on Saturday June 20 2020, @04:11AM (#1010264)

      You are. They originally claimed E2E until someone published about how it was transport encryption to the bridge. Then someone else saw that, reverse engineered their encryption, and made a huge post about how it is actually transport encryption to the bridge and some users used key servers in China as the default even if the bridge was somewhere else.

  • (Score: 3, Informative) by Rosco P. Coltrane on Saturday June 20 2020, @01:00AM

    by Rosco P. Coltrane (4757) on Saturday June 20 2020, @01:00AM (#1010215)

    and the encryption key to the NSA. Everybody gets what they want.

  • (Score: 3, Informative) by hendrikboom on Saturday June 20 2020, @04:49AM (2 children)

    by hendrikboom (1125) on Saturday June 20 2020, @04:49AM (#1010272) Homepage Journal

    An initial draft cryptographic design for Zoom's planned E2EE offering was published on GitHub on May 22 and a second updated version was committed today (a list of all the changes is available here).

    Both of the links to pdf's in this paragraph in the summary are broken.
    The link to the list of all changes does appear to work.

    -- hendrik

  • (Score: 0) by Anonymous Coward on Saturday June 20 2020, @03:45PM

    by Anonymous Coward on Saturday June 20 2020, @03:45PM (#1010400)

    Companies offering one time SMS message services have reported a massive increase in the use of their services!
    For just 50c, payable in bitcoin, anyone can receive an SMS similar to how VPN works for any phone service in the world.

    In further unrelated news services such as Discord and Google and Microsoft, who all require a phone number to create an account, have seen a very large increase in account creation using phone numbers that are invalid after a day.

    Water is wet. Using a phone number for identity validation is asking to be sim jacked. News at 11.

  • (Score: 2) by corey on Sunday June 21 2020, @04:13AM

    by corey (2202) on Sunday June 21 2020, @04:13AM (#1010572)

    Zoom should just rename themselves to Chameleon. Their position on encryption has changed literally 4+ times. And reasons seem to always change too. First they had E2EE, then didn't, then some did, then all do, what's next? Meanwhile they acquired that company that does encryption.

    I don't know how anyone can trust this company.

    Sounds like the payment for E2EE was so they could obtain people's personal information. Because now it's free, but they still want the private information for the same purpose. Sounds like TLA's are driving this from behind.

(1)