Zoom's Encryption Is 'Not Suited for Secrets' and Has Surprising Links To China, Researchers Discover (theintercept.com)
Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto. From a report: The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab -- widely followed in information security circles -- that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them.
Factually, ECB *is* not suitable (Score:2)
Factually, the encryption used by Zoom is actually garbage.
I can see your video just fine without even needing to do any cool hacker stuff. The colors are just off. See:
https://blog.filippo.io/the-ec... [filippo.io]
With a little bit of work, I can correct the colors so I see the video just as you do - the encryption becomes worthless.
"Why ECB is worthless" is literally an early topic in the first weeks of an "intro to crypto" course, and as I recall it came up in "Intro to Network Security" as well.
What should be used
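The ECB pattern leak this comment describes, shown as an added example (not code from the post, the Citizen Lab report or Zoom): a constructed frame with two kinds of rows is encrypted with AES in ECB mode and in CTR mode, and counting distinct ciphertext blocks shows which mode still reveals the frame's layout. The key, nonce and frame are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// sampleFrame is a constructed stand-in for a video frame with flat regions:
// eight 16-byte rows, four of background (0x00) then four of foreground (0xff).
var sampleFrame = append(bytes.Repeat([]byte{0x00}, 64), bytes.Repeat([]byte{0xff}, 64)...)

// ecbEncrypt applies the raw AES block function to each block on its own. That is
// all ECB is; Go's standard library deliberately offers no ECB mode.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(pt)/bs*bs) // a trailing partial block is dropped
	for i := 0; i+bs <= len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out
}

// ctrEncrypt uses AES-CTR: each block is XORed with its own keystream block, so
// equal rows no longer encrypt alike, yet a lost block still costs only itself.
func ctrEncrypt(block cipher.Block, nonce, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCTR(block, nonce).XORKeyStream(out, pt)
	return out
}

// distinctBlocks counts distinct 16-byte blocks: the fewer, the more layout leaks.
func distinctBlocks(data []byte) int {
	seen := make(map[[16]byte]struct{})
	for i := 0; i+16 <= len(data); i += 16 {
		var b [16]byte
		copy(b[:], data[i:i+16])
		seen[b] = struct{}{}
	}
	return len(seen)
}

func main() {
	block, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 16)) // constructed demo key
	nonce := bytes.Repeat([]byte{0x01}, 16)                   // constructed demo nonce
	fmt.Println("distinct blocks: plaintext", distinctBlocks(sampleFrame),
		"ecb", distinctBlocks(ecbEncrypt(block, sampleFrame)),
		"ctr", distinctBlocks(ctrEncrypt(block, nonce, sampleFrame)))
}
```

Under ECB the two plaintext row types become exactly two ciphertext row types, which is the "colors are just off" picture the comment links to; under CTR all eight rows differ.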
Zoom Issues Summary by Bruce Schneier (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
"Zoom isn't great, but I'm sure they're okay. Now let me complain about a totally different company!!!"
Zoom lied. They lied about their encryption, about selling your information, and lots of other things. This is not something that "any minimally knowledgeable person" can figure out.
I sometimes use telnet to debug things. That's fine; I understand the risks. But if I use ssh I don't expect those same risks, so an ssh which disables all encryption would be a problem.
Zoom China (Score:2, Troll)
Zoom has an offering in China. This requires them to have local staff to support it.
Guess what? AWS has two regions in China. How much shit do you use on a daily basis that connects to AWS? Do you just assume then that EVERYTHING you do online interacting with AWS also has "ties to China" !?
WELL CRAP, there goes 75% of the internet you're allowed to use. Please log off now.
Re:Zoom China (Score:5, Funny)
We can't! The log off function is located in China!
No worries... (Score:5, Insightful)
China can infect the entire planet with a virus and no one will do anything to them for it...
I wonder if our species has become basically one giant Stockholm experiment. Everyone and every government has failed... and not just in some small way. Catastrophic failure from all governments. Only Australia had the brass to do the right thing. With WHO becoming a parrot for China, China actively suppressing information and especially their involvement.
If the world does not sink China for this, China will know how far it can go with things... and it can already go too far. As things go, China has no problem letting its citizens die to make sure its economy stays healthy, spread misinformation, control information, murder/imprison dissenters, and when China has all that cash to flash against all the money starving nations that have murdered their economies in knee jerk response... well we will see how things shake out... won't we?
Re: (Score:1, Troll)
Re: (Score:2)
No, he can just blame you and assholes like you for sneezing or coughing on them after you caught the virus. Seriously asshole, if they had contained the virus and not lied, then the world wouldn't be in the shitter right now. But hey, all the world is wrong. And assholes like you are right.
looking for blame in situations like this is probably the most moronic course of action possible, it's simply irrational. you want to light a fire in a building that is crumbling down?
fun fact: by your own rationale if (most of) the rest of the world hadn't intentionally resorted to blunt denial despite the evidence that emerged from china early enough it wouldn't be in the shitter right now. sounds familiar?
so, yeah: wash your freaking hands and stop projecting.
i would extend that recommendation
Re: (Score:1)
"looking for blame in situations like this is probably the most moronic course of action possible,"
Do you know what they call people that keep doing the same thing over and over but expecting different results?
If you do not find the blame, then the agents continue what they are doing because well... you don't care who did what. Your only action is to respond.
According to your logic... you are the fire fighter trying to save a burning building while ignoring the person pouring gas onto the fire. You can ca
Re:No worries... (Score:5, Insightful)
China actively engaged in information suppression and misinformation to save face in this ordeal.
Not only CAN I blame China for this, everyone SHOULD be blaming China for this and should kick China out of everything and sanction them. Eliminating China as an economic power is the best possible solution to this problem. As long as they keep getting by with this nothing changes.
Re: (Score:2)
You misspelled stupid. That would be you. There are plenty of mainstream media sites that are openly stating that China lied, China still has outbreaks, and China censored the speech of critics. Remember the doctor from China that died for speaking the truth. OH wait, you're just some asshole that lets your hatred of Trump overrule anything else. Mainstream media stating the obvious. Take your blinders off asshole. And bitch, I do wash my hands. But then, unlike you, I didn't have to be told. It's called common sense hygiene. I was taught that a long time ago. Too bad you needed to be reminded to do it. Fucking moron.
And how does any of that mean
Trump actively engaged in information suppression and misinformation to save face in this ordeal.
Isn't true?
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
80/20/0 funny/hateful/stupid
10/80/10 funny/trolling/stupid
Take your pick.
We all know the kinds of people who will make a big fuss about someone else's fuckup in an attempt to try and hide their own.
(of course all sides do it, one just has more gullible people who fall for it)
Re: (Score:2)
Re: (Score:2)
Now now, they can both be terrible and have contributed to the current problem through their misinformation.
Yes, China's fuckup is killing Chinese people. Trump's fuckup is killing American people. Who do you care about more?
Re: (Score:2, Informative)
Re: (Score:2)
I just read this also. Just talking to someone can spread the virus. I have seen different articles on how far these droplets can travel and how long they stay in the air.
Re: (Score:2)
WindBourne logic much? (Score:1)
As things go, China has no problem letting its citizens die to make sure its economy stays healthy,
Which is why they shut down their economy so quickly trying to save all those people....
WindBourne logic much?
Re: (Score:2)
Re: (Score:1)
"Just don't let your hatred get in the way of recognizing truths you don't want to hear."
Yea, I am afraid even in the face of worldwide death and economic disaster people will not avoid doing this.
Too many people would rather be dead & wrong than to admit they made a mistake or have a bias.
Give it a rest, shorts (Score:2)
Shorts gotta short I know, but the flood of stupid anti-Zoom articles is just getting old.
Zoom works well for many, many people so you ain't gonna be able to derail this train.
Re: (Score:3)
I don't own Zoom Stock (Score:1)
I've never owned Zoom stock. But given the record of success TSLA shorts had, I'm pretty sure I plan to buy some Zoom stock shortly. (ha!).
I just think maybe Slashdot has gone a teeny-tiny bit overboard on the bombastic Zoom hate articles, with eye-rollingly misleading data about Zoom.
So sorry for your loss (and losses to come) Mr. Short!
Re: (Score:3)
I just think maybe Slashdot has gone a teeny-tiny bit overboard on the bombastic Zoom hate articles, with eye-rollingly misleading data about Zoom.
Slashdot isn't writing the Zoom hate articles though. It's merely pointing them out.
If Slashdot stopped pointing them out, that isn't going to stop people from writing about all the lax privacy/security problems with Zoom's product.
Re: (Score:2)
Kind of. But even my son's band instructor is switching them off zoom, both because of security issues and quality issues. I'm not sure there's anything super secret they're worried about, it's just not working very well. I think Zoom may be Boom.
Good luck with that I say (Score:3)
Even my son's band instructor is switching them off zoom, both because of security issues and quality issues.
I see, and what is the band talking about that needs to be secure?
I wish him luck but the reason our company has been using Zoom for a year and a half now is the other systems were worse. I think Zoom's popularity might be affecting service to some degree but mostly it's still been working well for us.
I guess if you don't need more advanced tools like screen sharing other systems might be OK, but I
Re: Good luck with that I say (Score:2)
Re: (Score:2)
Lol, because I am on a number of shit lists here right now. What I was trying to convey to you is that I agree with you.
Re: (Score:2)
The "encryption keys came from servers in China" one ... is more serious.
(the "poor use of encryption" one is ... back to fear mongering. Everything that deals with connections that can drop will have to use a block cipher in an ECB-like mode with similar issues. Otherwise a lost frame loses much more.)
Re: (Score:2)
Also, most of these stories talk about the free version of Zoom. There is a paid version of Zoom that has contractual agreements to do end-to-end encryption with your own key/passcode management in North America, without Chinese datacenter involvement.
You're basically blaming the car manufacturer for not giving you the car when you just took a test drive.
"home grown encryption" (Score:2)
Any time someone thinks they can do encryption themselves.. they can't .. not even close
And with well proven OSS encryption available why on earth would anyone even bother trying? seriously?
Re: (Score:3)
Any time someone thinks they can do encryption themselves.. they can't .. not even close
And with well proven OSS encryption available why on earth would anyone even bother trying? seriously?
neither tfa nor the reference it references really prove they do encryption themselves. it seems more like a bad implementation of proven protocols and overall a weak design. that's far from "rolling their own crypto", that's actually the case with most vulnerabilities. granted, the design is weak, just as weak as much of the conclusion (the research seems proper, though, just someone felt the urge to drum it up).
Re: (Score:2)
SpaceX Stopped Using It (Score:1)
Re: (Score:2)
i work for a fedgov contractor and we've issued organization directives to not use zoom, but that's of our own doing, we've received no instructions to do so.
Mo bettah! (Score:2)
They're using ROT-14. It's one better than ROT-13!
Re: (Score:2)
Hype (Score:2)
Re: (Score:2)
As I am forced to use it through my work, I never really got why Zoom is so hyped. Despite being around for a while, only recently has it become the preferred go-to solution for online meetings. There is nothing inherently better than other platforms, and yet, despite its poor track record and its being a company with no reputation whatsoever in secure practices or ethically robust software development, companies embrace it with no deep thinking. This includes my employer, who jumped on it with both feet, only to soon have to put up security measures to contain potential risks. My question is: there are lots of other solutions that have been vetted more, and yet... When possible I prefer to use Meet, not because it's better (although the automated captioning is fantastic), but because I "trust" Google more than I trust Zoom. And that should tell you something about the reputation of Zoom.
Where Zoom works better than a lot of other offerings is when you are video conferencing with more than 5 people. Some of our team meetings have 15+ people, all with video. Most other solutions get bogged down and you start seeing a lot of dropped frames. If you typically have videoconference meetings with 5 or fewer people, then other solutions may be a better fit.
But, yes, Zoom obviously needs to work on the product security.
Re: (Score:2)
Though I think it is also picking up refugees from Skype, which has been getting less and less functional lately.
Re: (Score:3)
Zoom works much much better than Webex, and I am using both now.
And Zoom has a real Linux client that works perfectly.
shocked I say (Score:5, Insightful)
More seriously, if you think that a teleconferencing service is suitable for discussing secrets, you have no business handling secrets. You, and anyone who handed you a secret, need to be slapped. Derisively, with a back hand.
"Surprising" ? (Score:1)
That word, you keep using it....
Zoom for Government = servers are in THE US (Score:5, Informative)
Re: (Score:2)
Yes, because the NSA wants to keep tabs on the Americans.
Who to trust? (Score:2)
Home grown encryption? (Score:1)
I took an NSA-sponsored encryption course in 1990. 30 years ago. Think you have a really good encryption scheme? Often those methods are used for homework, they're so trivial to break. It's very likely so is this. Just use AES. That's what it's there for. It's free.