Follow

That Zoom shut down accounts and calls where people were talking about Tiananmen Square is bad enough. But you need to understand the subtext: Zoom says that their calls are encrypted and private, and yet they can monitor them.

Those two things are mutually exclusive. This entire video chat system is built on a foundation of lies and backdoors.

washingtonpost.com/technology/

They don't mean it is end-to-end encrypted.
They can livestream your meeting on YouTube, if you have given them your youtube credentials. They also allow company administration to view their employees during a meeting.

They can say it is encrypted because they use HTTPS. Your stream is encrypted on your computer and then sent to Zoom. It is decrypted there. And then it is encrypted again from their server to everyone else in the meeting.
@cyberpunklibrarian

They do have E2EE (end-to-end encryption) but many features people use such as screen share is unavailable in E2EE for some reason.

I also explained it in my blog: murtezayesil.me/digital-cleans

@cyberpunklibrarian

@murtezayesil That’s exactly my point — Zoom puts itself out there as a safe and secure service where your meetings are encrypted and everything is locked away.

Except for this stack of caveats, exceptions, and disclaimers.

I cannot fathom why so many businesses are relying on this service after so many incompetencies, missteps, hacks, and abuses of power. It’s not safe, it’s obviously monitored, and they’ll shut you down if someone doesn’t like what they’re hearing.

What exception?

As far as I know, there are no exceptions. Everyone using Zoom with default configuration is equally monitored.
@cyberpunklibrarian

@murtezayesil I'm talking about the exceptions to the E2EE system and the encryption itself. Zoom tells you your meetings are safe and encrypted.

Except if you're not using the full E2EE system... which isn't the default. Even then, I've my own doubts how effective their E2EE system is.

Zoom doesn't monitor your meetings. Their privacy and security page says they don't. zoom.us/privacy-and-security

Except they obviously do.

@cyberpunklibrarian @murtezayesil I mean, WhatsApp is end to end encrypted too. They just listen in on your local client because hey, you gotta use their client as well as you use Zoom's.
So end2end only means it's encrypted on the way, it doesn't mean they're not sending a second copy somewhere else or do some local analysis or whatever...

@cyberpunklibrarian

> I cannot fathom why so many businesses are relying on this service

Because when it comes to #infosec, very few businesses have a clue.

My company bans any form of computer-based remote meeting tech. We stick to #POTS. Is it more #secure? No, but we understand and can manage the threat better and it's a baseline that everyone can achieve.

@murtezayesil

@0 @murtezayesil I agree, and I admit that part of the statement comes from working with the IT departments I've worked with over the years. (Given my day job and previous gigs, that's gotta be around 30 different departments.) I've seen so many good ideas shot down by IT "professionals" because they have "security concerns" and once upper admin hears that, the discussion is over.

Quite often these "security concerns" meant "IT will have to learn/support a new thing."

@0 @murtezayesil I don't want to mix correlation with causation, but the fact that Zoom received IT blessing in so many places looks more to me like they decided it was easy, didn't need a lot of support or anything from IT except an install, and then they could gleefully ignore it.

¯\_(ツ)_/¯

And goddess knows, I've got one helluva bias against Zoom after watching their history develop over the last year.

@cyberpunklibrarian

Yeah, and that would be an #infosec failure. One thing that happens all too often is that responsibility for information security is dumped on the #IT department when those are closely related but different roles, with a degree of conflict as you state above.

Even if #infosec implementation is left to IT, the decision making and supervision should be independent.

@murtezayesil

@cyberpunklibrarian @murtezayesil

The whole thing is compounded by the fact that by its nature, you also need to consider the actions and capabilities of other actors (suppliers, clients and so on) you communicate with.

@cyberpunklibrarian

Zoom hit a gold mine with timely marketing.

On top of that, Zoom works really well. If it was a crap product, this would be the year people would have found a reason to get rid of it, but it works well.

I’ve tried lots of different solutions for the last couple of years, and This year showed how big a pile of crap video solutions are.

@cyberpunklibrarian

Self-hosted video conferencing solutions are rare, and FOSS video conferencing solutions are in their infancy.

Jitsi/8x8 Meeting is promising, but they still have a long way to go.

@murtezayesil @cyberpunklibrarian It is not technically impossible. They just want to discourage users to enable E2EE, and let them be ignorant of what merit E2EE should provide.

Their term "Enhanced security" is not really enhanced one, unless E2EE is either enabled or forced.

@cyberpunklibrarian the calls are encrypted to and from there servers, this is normally what encryption means on the internet, i think they made it sound like they were going to implement end to end encryption, which would mean they couldn't monitor the contents of calls, but thats been know to not be true for some time now

@dreadfulscribbler @cyberpunklibrarian If that's the case then encryption is honestly a waste of processing power on that service. tbh. :blobglarenervous:

@Jo @dreadfulscribbler E2EE is available, but optional, and there are limits to what you can do versus what you can do with their regular encryption. So it's not the default.

Zoom also claims not to monitor meetings or their contents, and ya know... that might be true.

But if so, they seem to be copacetic with other entities monitoring their meetings and contents. They'll certainly take action based upon someone else's monitoring.

@cyberpunklibrarian @Jo it seemed like they could have been getting the information from publicly advertised events, so they wouldn't need to actual watch/listen in for that

@Jo @cyberpunklibrarian
without encryption between users and servers anyone between, eg your isp, who ever runs the wifi etc can monitor and change the date, for example copying all your login details, adding extra ads to webpages or serving completely different sites to the ones you asked for

so its still useful but you can only trust it as much as you trust who ever runs the server

@dreadfulscribbler @cyberpunklibrarian Eh, I feel like if it's open to one unauthorised party, its potentially open to anyone, but probably being paranoid. :blobawkward:

@marnanel @Jo @dreadfulscribbler @cyberpunklibrarian probably not your i.s.p., but that definitely opens the possibility for hackers to gain access to zoom's servers and listen to communications there. these hackers could be sponsored, or be part of, a state government. or a state government could demand to hand over communications from a specific user, or tap into them n.s.a./prism-style.

of course, the level of concern would depend on what threats one considers dangerous.

@marnanel @Jo @dreadfulscribbler @cyberpunklibrarian for me in russia, i do not think the f.s.b. is directly spying on me, and i'm not enough of a political activist or whatever for anyone to consider me a threat, but i know that russian government agency data very often gets sold on the black market, to the point that (ironically) journalists can use it to find out which russian intelligence operatives tried to poison alexey navalny.

@devurandom @Jo @dreadfulscribbler @cyberpunklibrarian fair enough!

I figure GCHQ knows everything I do anyway, unfortunately.

@marnanel @dreadfulscribbler @cyberpunklibrarian Companies like Zoom are always one tiny cockup away from having a major breach.

@Jo @marnanel @dreadfulscribbler With Zoom, I figure the breach is coming from the inside.

In my opinion, a company only gets so many "oopsies."

Zoom leaves a web server installed on your Mac even after you uninstall it: OOPSIE!

People can guess Zoom meeting IDs for Zoom Bombing: OOPSIE!

Zoom lied about E2EE: OOPSIE!

Zoom lied about their number of daily users: OOPSIE!

tomsguide.com/news/zoom-securi

@cyberpunklibrarian @Jo @dreadfulscribbler holy crap that's quite a string of failures

I was shocked that the House of Commons decided to run stuff over Zoom without much discussion of whether it was safe to let the infrastructure of an entire *parliament* be handed over to an unaccountable foreign corporation

@cyberpunklibrarian isn’t it illegal to say that there, in the same way it’s illegal to deny the holocaust in germany?

sounds like they are just complying with the law…

@pernia @cyberpunklibrarian yeah that’s different. i guess that’s what you get for choosing a chinese communication company to do stuff that is illegal in china. idiots.

@pernia @cyberpunklibrarian that’s definitely suspicious then. The CEO is called Eric Yuan which likely goes some way to explain why this sort of thing is happening.

@cyberpunklibrarian

I fully agree. #signal has now added the group call function, but I didn't test it yet.

signal.org/blog/group-calls/

@cyberpunklibrarian yiiiiikes

from the article, it sounds like these privacy violations happened in spring and summer and particularly around June 4th; zoom released their E2EE draft in mid-June with plans to start rolling it out in July as an opt-in thing: https://blog.zoom.us/end-to-end-encryption-update/ So I'm not sure they're straight-up lying about E2EE, but they're definitely not doing enough to protect users and set safe defaults.

@xenofem From Tom's Guide:

In a blog post April 1, Zoom Chief Product Officer Oded Gal wrote that "we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. "

"We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," he wrote.

-----

They claimed before that they were E2EE, thanks to phoney definitions.

@xenofem @cyberpunklibrarian Their "E2EE" was released only after a backlash (they were previously claiming to have E2EE because your data was sent to their server over HTTPS then sent to other people in the meeting via HTTPS) and E2EE is automatically disabled silently if you do any sort of video sharing, be it webcam or screen share.

@cyberpunklibrarian by the way, most videocalls with Mord than 2 persons aren't e2ee. Signal just introduced this feature.
Zoom published some month ago that they are working on it but will offer it exclusively to paid accounts.

I don't get it how chinese dissidents could be that silly to trust in Zoom.
The internet is full of information's about their horrible insecure desktop client and the company is widley known to focus on quantity, not on quality.

While most of the competitors invested time in security, Zoom scaled up their network operating center to the max.

@cyberpunklibrarian it's called a "front door" for law enforcement 😉

@cyberpunklibrarian They can be encrypted and monitored in the sense of looking for predefined keywords on the local machines. But if the account is shut down then there is at least the information that a pattern was detected (and zoom knows the potential patterns). This is a pice of information derived from the call, so the call is no more completely private. So there is still a lie.

Sign in to participate in the conversation
glammr.us Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!