George Zipperlen via plug on 4 Apr 2020 14:44:42 -0700
Re: [PLUG] Zoom bombing
Clarifying the point. Sorry that I wasn't clear.

On Apr 3, 2020, at 3:06 PM, George Zipperlen <George.Zipperlen@mail.com> wrote:

The last line had little to do with Zoom-specific weaknesses.

Meeting organizers are re-using the same ids for sequences of meetings, and these meeting ids are being sent, and re-sent, through insecure channels, i.e. Zoom telephone number style meeting ids posted on public web pages like MeetUp, or even Twitter and FeceBook...

Meetup seems to [now?] have a mechanism to turn posted online meeting URLs into "This event has passed".

The analogy is apt -- telephone numbers, like e-mail addresses, need to be kept from pranksters, spammers, scammers, and phishers.

So "PLUGCentralApril2020" is better than "PLUGCentral" (kudos!), and "PLUGCentralApril2020" sent to the limited "Plug Mailing List" and by word-of-mouth is better than announced by Goodyear Blimp and emergency text message to all (kudos again).

Getting back to Jitsi vs Zoom, this is why Jitsi suggests those "MangoSerenityForLavenderTractors", "ColorlessGreenIdeasSleepFuriously" large search space, one time mnemonic ids.

Now returning to Zoom's specific weaknesses:

Zoom telephone number style ids are a smaller search space, susceptible to both "knowing the number" and "robocall" attacks.

Residues linger in browser history, cookies, etc., including URLs that contain hashed (or even unhashed) substrings. So we (anyway) sandbox all browser activity, and all of this browser cruft is more-or-less well known.

Closed source apps are even more opaque than obscure and obscured JavaScript, so, depending on your trust level, they require more severe sandboxing. Things like Zoom should be freshly downloaded into a temporary sandbox that is deleted after each use, so one session has no local knowledge of other sessions.

Hypothesis here: Zoom grabs data and metadata from #all# your meetings... They have global knowledge of all your sessions that share a fingerprint, either an actual login account, or shared characteristics such as IP, OS type, etc. When this data is stored in some kind of local cache, it is potentially available to other sessions, not just Zoom. Hackers thus have multiple paths to this data.

Don't these people understand that a 'back door' is not necessarily a one way turnstile, and that even a 'secure turnstile' is easier to pass than a brick wall... <Three letter agency sourced elliptic curve parameters...>

I need to find that sweet spot between too brief, and TL/DR
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
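
The search-space comparison in the message above, worked through as an added example that is not part of the original post. It assumes a 10-digit "telephone number style" id and a 2048-word dictionary for the mnemonic ids (neither figure is on the page); the 16-word list and the load of 100,000 live meetings are constructed.

```python
import math
import secrets

# Constructed 16-word sample list, deliberately tiny to show why dictionary
# size matters. It is not Jitsi's real word list.
WORDS = ["mango", "serenity", "lavender", "tractor", "colorless", "green",
         "idea", "furious", "blimp", "turnstile", "brick", "wall",
         "penguin", "kernel", "sandbox", "cache"]

def id_bits(alphabet_size, length):
    """Entropy in bits of an id made of `length` uniformly drawn symbols."""
    return length * math.log2(alphabet_size)

def words_needed(dict_size, target_bits):
    """Fewest random words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))

def mnemonic_id(words=WORDS, count=4):
    """One-time room name: `count` words picked with the OS CSPRNG."""
    return "".join(secrets.choice(words).capitalize() for _ in range(count))

def hit_probability(space, live, guesses):
    """Chance that `guesses` blind tries land on any of `live` active ids."""
    # log1p/expm1 keep precision when live/space is very small.
    return -math.expm1(guesses * math.log1p(-live / space))

if __name__ == "__main__":
    phone_style = id_bits(10, 10)  # assumed: 10 decimal digits
    print(f"10-digit numeric id: {phone_style:.1f} bits")
    for size in (len(WORDS), 2048):  # 2048 = assumed realistic dictionary
        n = words_needed(size, phone_style)
        print(f"{size}-word dictionary: {n} words -> {id_bits(size, n):.1f} bits")
    print("sample one-time id:",
          mnemonic_id(count=words_needed(len(WORDS), phone_style)))
    # Constructed load: 100,000 meetings live at once, 100,000 blind tries.
    for label, space in (("10-digit numeric", 10**10),
                         ("4 words of 2048", 2048**4)):
        print(f"{label}: {hit_probability(space, 10**5, 10**5):.4f}")
```

A mnemonic id is only as strong as its dictionary: with the 16-word list it takes nine words to match ten digits, while four words from a 2048-word list already exceed them by about 11 bits.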