Stories
Slash Boxes
Comments

SoylentNews is people

Scrutiny Needed for Teleconferencing Software and Their Backing Companies

posted by Fnord666 on Sunday April 05 2020, @03:22AM   Printer-friendly
from the look-before-you-leap dept.

canopic jug writes:

Zoom has had a meteoric rise as a result of the SARS-CoV-2 outbreak. Jitsi and other useful teleconferencing tools are not very well known, though still widely used. Nearly all the buzz has been about the newcomer instead, but few have actually evaluated it. One group has. The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, at the University of Toronto, has investigated Zoom briefly, covering both the technology, especially its lack of encryption, and the company itself:

Key Findings

  • Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
  • The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
  • Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

In a nutshell, throughout the mad rush to adopt teleconferencing software, due diligence has been largely abandoned and licenses left unread and software unevaluated. More scrutiny was needed, and still is needed, when acquiring and deploying software. That goes double for communications software.

Previously:

Original Submission

 
This discussion has been archived. No new comments can be posted.
Scrutiny Needed for Teleconferencing Software and Their Backing Companies | Log In/Create an Account | Top | 16 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0, Touché) by Anonymous Coward on Sunday April 05 2020, @10:21AM (1 child)

    by Anonymous Coward on Sunday April 05 2020, @10:21AM (#979347)

    WTF has this website become a marketing arm for Zoom? Isn't there anything else to write about?

    Starting Score:    0  points
    Moderation   0  
       Troll=1, Touché=1, Total=2
    Extra 'Touché' Modifier   0  
    Total Score:   0  

  • (Score: 2, Informative) by Anonymous Coward on Sunday April 05 2020, @11:24AM

    by Anonymous Coward on Sunday April 05 2020, @11:24AM (#979350)
    Who the hell would want to use a security fuckup like Zoom? No one in their right mind would use them now, not even after they've supposedly fixed their security vulnerabilities. We're just supposed to take their word for it then? The only way they would ever regain trust is if they submitted to several reputable third-party security audits or if they made their core code Free Software.