Rich Kulawiec via plug on 4 Apr 2020 07:38:24 -0700


Re: [PLUG] Virtual Plug?

On Fri, Apr 03, 2020 at 10:57:42AM -0400, Rich Freeman wrote:
> > And it's unfixable.
> Everything is fixable.

No.  What's happened at Zoom was determined the day it was written on a
whiteboard.  It's baked-in.   Oh, sure, it can be patched.  It already
has been and it will be some more.  Those aren't "fixes", they're the
superficial appearance of fixes for PR/marketing purposes.

Creating a product/service that does the right things with privacy
and security requires making that the first design goal on the first
day and sticking with it throughout.  But privacy and security
never were design goals there -- see below.

> > kind of filth who run and staff Zoom
> Ah, yes, dehumanizing criticism.  People build something you don't
> like, therefore they are literally dirt.

Oh, no, not at all.  There are lots of things I don't like and usually
I don't even bother to criticize them.  This isn't because I don't like
them, it's because they've done absolutely horrible things WRT user 
security and privacy.  They're still doing them.

That's more than enough for me to call them "filth".  But right now,
they're also exploiting a global pandemic, and that clinches the deal.

Have you actually read the content at all the links I've posted?

BTW, I've collected those plus a few more that have come to my
attention here (fixes/additions welcome):

	Zoom security/privacy issues

One of the new ones is EPIC's complaint to the FTC from July 2019, which I
wasn't aware of until yesterday.  My bad.  Another, and a good one,
is a Citizen Lab analysis ("Move Fast and Roll Your Own Crypto") that
was published yesterday.  I direct your attention in particular to
section 3 of their analysis which discusses how session keys for
conferences held in the US and Canada transited servers in China.

*That* is the big bright red alarm flashing and the klaxon sounding
at deafening volume.

Summary: it's much worse.  And every day that goes by we're finding
out that it's still worse than we thought.  But this isn't at all
surprising.  You know why?

Because Zoom didn't build a video conferencing product.  Zoom built a data
harvesting, surveillance-enabling machine and then slapped a video
conferencing service on top of it to entice people to use it.

That's why it can't be fixed: it's not broken.

It's doing exactly what it was supposed to do all along.

BTW, if you think I'm being harsh in this instance, you should see
what I've written about Facebook.  Or spammers. ;)

> > I'm busy with other projects and I don't particularly care about video
> > conferencing so I'm not volunteering.
> Wow, plenty of time to criticize, not much time to contribute?

First, informed criticism *is* a contribution.

Second, I've already discussed setting up an open source video
conferencing (osvc) mailing list to bring together everyone who wants
to collaborate on some yet-to-be-determined existing/new solution(s)
so that Zoom can be rendered irrelevant.  Will it happen?  I dunno.
But it's being discussed and this *seems* like it might be a good time
for it.  I'll let y'all know.

Third, y'know...I was contributing to FOSS and the 'net well before the
term "open source" was even coined.  I still am.  I have my grubby
little fingers in a bunch of things.  So if you want to compare
your track record over the last 40 years to mine: bring it.


p.s. Yes, "It will happen this way" is Joubert (Max von Sydow) speaking
to Turner (Robert Redford) in "Three Days of the Condor".  I'm currently
taking a lot of joy from the fact that some of you knew that.  It's an
amazing film and, I think, should be required viewing for anyone in
IT security because it has several lessons for us.

Alright, speaking of movies with lessons for IT security, for double
extra super bonus credit, try this one:

	"I know how to wreck them, and I know how to lie, steal, kidnap,
	counterfeit, suborn and kill.  That's my job. I do it with
	great pride."

And: what other films belong on that list?