|George Zipperlen via plug on 4 Apr 2020 14:44:42 -0700|
|Re: [PLUG] Zoom bombing|
Clarifying the point. Sorry that I wasn't clear
On Apr 3, 2020, at 3:06 PM, George Zipperlen <George.Zipperlen@mail.com> wrote:
The last line had little to do with Zoom specific weaknesses
Meeting organizers are re-using the same ids for sequences of meetings,
and these meeting ids are being sent, and re-sent through insecure channels
I.e. Zoom telephone number style meeting ids posted on public web pages like
MeetUp, or even Twitter and FeceBook...
Meetup seems to [now?] have a mechanism to turn posted online meeting URLs
into "This event has passed"
The analogy is apt -- telephone numbers, like e-mail addresses, need to be
kept from pranksters, spammers, scammers, and phishers
So "PLUGCentralApril2020" is better than "PLUGCentral" (kudos!)
and "PLUGCentralApril2020" sent to limited "Plug Mailing List" and word-of-mouth is better
than announced by Goodyear Blimp and emergency text message to all (kudos again)
Getting back to Jitsi vs Zoom, this is why Jitsi suggests those "MangoSerenityForLavenderTractors"
"ColorlessGreenIdeasSleepFuriously" large search space, one time mnemonic ids.
Now returning to Zoom's specific weaknesses:
Zoom telephone number style ids are a smaller search space, susceptible to both
"knowing the number" and "robocall" attacks
Residues linger in browser history, cookies, etc. Including URLs that contain
hashed (or even unhashed) substrings
So we (anyway) sandbox all browser activity, and all of this browser cruft is more-or-less
So, depending on your trust level, they require more severe sandboxing
Things like Zoom should be freshly downloaded into a temporary sandbox that is deleted
after each use, so one session has no local knowledge of other sessions
Hypothesis here: Zoom grabs data and metadata from #all# your meetings...
They have global knowledge of all your sessions that share a fingerprint,
either actual login account, or shared characteristics such as IP, OS type, etc;
When this data is stored in some kind of local cache, it is potentially available
to other sessions, not just Zoom.
Hackers thus have multiple paths to this data.
Don't these people understand that a 'back door' is not necessarily a one way turnstile,
and that even a 'secure turnstile' is easier to pass than a brick wall...
<Three letter agency sourced elliptic curve parameters...>
I need to find that sweet spot between too brief, and TL/DR
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
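Added example, not part of the original message: a sketch of the search-space comparison between telephone-number-style ids and one-time mnemonic room names. The 10-digit id length, the word lists, the slot pattern and all function names are assumptions made for illustration; this is not Jitsi's or Zoom's code.

```python
import math
import secrets

# Constructed demo word lists, 16 words per slot. Assumption: a real
# generator would draw from far larger lists.
ADJECTIVES = ["Amber", "Brisk", "Calm", "Dusty", "Eager", "Faint", "Gentle",
              "Hollow", "Icy", "Jolly", "Keen", "Lucid", "Mellow", "Nimble",
              "Opal", "Plain"]
NOUNS = ["Tractors", "Mangoes", "Lanterns", "Rivers", "Pebbles", "Violins",
         "Comets", "Harbors", "Meadows", "Otters", "Kettles", "Beacons",
         "Gliders", "Walnuts", "Saddles", "Quilts"]
VERBS = ["Sleep", "Wander", "Hum", "Drift", "Gather", "Leap", "Whisper",
         "Travel", "Juggle", "Yawn", "Bloom", "Ramble", "Tumble", "Zigzag",
         "Ponder", "Flicker"]
ADVERBS = ["Furiously", "Softly", "Boldly", "Rarely", "Kindly", "Oddly",
           "Warmly", "Justly", "Madly", "Neatly", "Eagerly", "Gladly",
           "Idly", "Calmly", "Daily", "Twice"]
SLOTS = (ADJECTIVES, NOUNS, VERBS, ADVERBS)

def numeric_id_bits(digits):
    """Search space, in bits, of an all-digit (telephone-style) id."""
    return digits * math.log2(10)

def mnemonic_bits(slot_sizes):
    """Search space, in bits, of a name with one word per slot."""
    return sum(math.log2(n) for n in slot_sizes)

def new_room_name(slots=SLOTS):
    """One-time room name: one word per slot, chosen with the OS CSPRNG."""
    return "".join(secrets.choice(words) for words in slots)

def guesses_per_hit(bits, live_rooms):
    """Expected random guesses before landing on any one live room."""
    return 2 ** bits / live_rooms

def words_per_slot_needed(target_bits, slot_count):
    """Smallest per-slot list size whose name space reaches target_bits."""
    return math.ceil(2 ** (target_bits / slot_count))

if __name__ == "__main__":
    print("room name:", new_room_name())
    print("10-digit id: %.1f bits" % numeric_id_bits(10))
    print("4 x 16 demo words: %.1f bits" % mnemonic_bits([16] * 4))
    print("4 x 2048 words: %.1f bits" % mnemonic_bits([2048] * 4))
    print("list size to match 10 digits:",
          words_per_slot_needed(numeric_id_bits(10), 4))
```

The tiny demo lists give only 16 bits, less than the 10-digit id, so the mnemonic scheme only wins once each slot list is large (317 words per slot to match 10 digits in this four-slot pattern) and the name is used once.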