Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Sunday April 05 2020, @03:22AM   Printer-friendly
from the look-before-you-leap dept.

Zoom has had a meteoric rise as a result of the SARS-CoV-2 outbreak. Jitsi and other useful teleconferencing tools are not very well known, though still widely used. Nearly all the buzz has been about the newcomer instead, but few have actually evaluated it. One group has. The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, at the University of Toronto, has investigated Zoom briefly, covering both the technology, especially its lack of encryption, and the company itself:

Key Findings

  • Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
  • The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
  • Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

In a nutshell, throughout the mad rush to adopt teleconferencing software, due diligence has been largely abandoned and licenses left unread and software unevaluated. More scrutiny was needed, and still is needed, when acquiring and deploying software. That goes double for communications software.

Previously:


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Insightful) by Rosco P. Coltrane on Sunday April 05 2020, @03:57AM

    by Rosco P. Coltrane (4757) on Sunday April 05 2020, @03:57AM (#979278)

    due diligence has been largely abandoned and licenses left unread and software unevaluated

    So what's new? If people actually did their research, read the licenses and evaluated the software, they'd never install the Facebook client or do a Google search.

  • (Score: 4, Insightful) by Runaway1956 on Sunday April 05 2020, @04:06AM (4 children)

    by Runaway1956 (2926) Subscriber Badge on Sunday April 05 2020, @04:06AM (#979280) Homepage Journal

    Long, long ago, in a land far away, there were laws regarding "truth in advertising".

    If your product includes the word "secure" or "safe" or "encrypted", then your product has to be safe, secure, and strongly encrypted. Once you make the claim, you can't weasel out of it. All weasel words in a contract, EULA, or license should be construed by the court to mean the worst possible thing, and used to hang the offenders.

    Or, more succinctly, if your shit's not secure, don't make the claim for security.

    --
    👌 Play stupid games, win stupid prizes. - Kenosha Jury
    • (Score: 0) by Anonymous Coward on Sunday April 05 2020, @04:17AM (3 children)

      by Anonymous Coward on Sunday April 05 2020, @04:17AM (#979283)

      What are you going to do about it? Government regulation? Licensing?

      • (Score: 2) by Runaway1956 on Sunday April 05 2020, @04:58AM (2 children)

        by Runaway1956 (2926) Subscriber Badge on Sunday April 05 2020, @04:58AM (#979289) Homepage Journal

        A class action lawsuit would be appropriate. And, if the case doesn't succeed, then go to the legislators.

        Seriously, a software that claims to be secure should be locked up tighter than tight, by default. Any attempt to relax security should be greeted by disclaimers about the security of the software being compromised at your own risk. And, generations-old encryption would never qualify as "secure" in today's world.

        --
        👌 Play stupid games, win stupid prizes. - Kenosha Jury
        • (Score: 0) by Anonymous Coward on Monday April 06 2020, @01:08AM (1 child)

          by Anonymous Coward on Monday April 06 2020, @01:08AM (#979535)

          The problem is that "safe" and "secure" are non-specific and on a continuum of values. Therefore, flat, generic claims like that are probably going to be considered "puffery" and not subject to a false-advertising suit. The only one you could arguably get traction on is "encrypted," but even the worst of encryption schemes is still "encrypted," and "256-bit," if 256 bit encryption isn't used anywhere in the stack, as both of those could be construed as black-and-white, specific claims about the product. False advertising claims are for objective claims like "new engine" or "clean title," not subjective ones like "runs good" or "better than the competition."

          • (Score: 2) by Runaway1956 on Monday April 06 2020, @01:37AM

            by Runaway1956 (2926) Subscriber Badge on Monday April 06 2020, @01:37AM (#979543) Homepage Journal

            I think you've put your finger on the problem. Standards. Advertising should measure up to standards. In 2001, it would have been legitimate to advertise 128-bit encryption as "safe, secure encryption". In 2020, not so much. More, in today's world, it is rapidly becoming negligent to assign default passwords that will be reused again and again. Every instance of this software should force the generation of a new password for people needing to join the conference.

            Standards are important in all software, of course. Standards in advertising should also be a thing. Maybe Zoom isn't guilty of false advertising, but a strong case for negligence can be made here.

            --
            👌 Play stupid games, win stupid prizes. - Kenosha Jury
  • (Score: -1, Troll) by Anonymous Coward on Sunday April 05 2020, @04:15AM (1 child)

    by Anonymous Coward on Sunday April 05 2020, @04:15AM (#979282)

    Nobody cares about your dork concerns and cryptonerd fantasies. What else is there? Email? Reading is for fags. I have business to get done.

    • (Score: 0) by Anonymous Coward on Sunday April 05 2020, @05:03AM

      by Anonymous Coward on Sunday April 05 2020, @05:03AM (#979291)

      most likely business on his knees

  • (Score: 2) by turgid on Sunday April 05 2020, @10:08AM

    by turgid (4318) Subscriber Badge on Sunday April 05 2020, @10:08AM (#979342) Journal

    I've used BlueJeans once for work for videoconferencing. How bad is that in comparison? And what are all the options for videoconferencing in general?

  • (Score: 0, Touché) by Anonymous Coward on Sunday April 05 2020, @10:21AM (1 child)

    by Anonymous Coward on Sunday April 05 2020, @10:21AM (#979347)

    WTF has this website become a marketing arm for Zoom? Isn't there anything else to write about?

    • (Score: 2, Informative) by Anonymous Coward on Sunday April 05 2020, @11:24AM

      by Anonymous Coward on Sunday April 05 2020, @11:24AM (#979350)
      Who the hell would want to use a security fuckup like Zoom? No one in their right mind would use them now, not even after they've supposedly fixed their security vulnerabilities. We're just supposed to take their word for it then? The only way they would ever regain trust is if they submitted to several reputable third-party security audits or if they made their core code Free Software.
  • (Score: 2) by turgid on Sunday April 05 2020, @12:18PM (2 children)

    by turgid (4318) Subscriber Badge on Sunday April 05 2020, @12:18PM (#979357) Journal

    I just did a search for free video conferencing applications, and I found one called Jitsi [jitsi.org] which is allegedly FOSS and lets you host your own server. Does anyone have any experience with it?

    • (Score: 1, Interesting) by Anonymous Coward on Sunday April 05 2020, @01:15PM

      by Anonymous Coward on Sunday April 05 2020, @01:15PM (#979366)

      Jitsi Meet is based on WebRTC. A two-person call will use peer-to-peer mode if the browser supports it. More participants are realyed through the central server; encryption is not end-to-end, but end-to-middle-to-end (but you can run your own server). If you have sufficient bandwidth to the server your client will send high-res, standard-res, and low-res frames and the server will dynamically relay one of those to other participants based on their bandwidth. By default room names are correct-horse-battery-staple style and you can optionally add a password to a room.

      (Personally, I'm use Jitsi and only Jitsi for my personal, small-group conferencing through this (my employer subscribed to webex last week for business use).)

    • (Score: 2, Informative) by webnut77 on Sunday April 05 2020, @06:34PM

      by webnut77 (5994) on Sunday April 05 2020, @06:34PM (#979454)
      Linux Weekly News has a review [lwn.net] of Jitsi.
  • (Score: -1, Troll) by Anonymous Coward on Sunday April 05 2020, @03:38PM

    by Anonymous Coward on Sunday April 05 2020, @03:38PM (#979406)

    In the mad rush to put everyone under house arrest, due diligence was tossed out.

  • (Score: 1, Interesting) by Anonymous Coward on Sunday April 05 2020, @07:16PM

    by Anonymous Coward on Sunday April 05 2020, @07:16PM (#979463)

    Who gives a shit? Many, and probably most, of us here have never heard of this software before covid.

    Stop feeding into news meme cycles. Cover something more interesting. Or... just don't post anything if there are no good stories.

(1)