Roque Lachica Jr via plug on 4 Apr 2020 18:17:17 -0700


[PLUG] Fwd: Zoom bombing

---------- Forwarded message ---------
From: Roque Lachica Jr <>
Date: Sat, Apr 4, 2020, 7:25 PM
Subject: Re: [PLUG] Zoom bombing
To: George Zipperlen <>

You guys are excellent!!!!!!
Though I rarely contribute for lack of knowledge -- I've been with PLUG since my first visit in 2015; looking for someone to download Ruby on my laptop to begin my IT career.
I still have not started my IT career unfortunately because of life, working 2 jobs -- though down to one now, and oh-yeah, global pandemics (supposedly).  Maybe now with the 'shelter in place' -- 'social distancing' -- 'lock down' pseudo martial law enactment in effect; the 'Man of Sin' will finally give me the opportunity to finish the Linux Bible, and get Red Hat certified -- so I can hang out with all of God's divine hackers trying to save His world before His Son returns really pissed, to complete the prophecy in His book.
May the Source be with you all.
Blessings to you and yours in the final events of this earth.

On Apr 4, 2020 5:44 PM, "George Zipperlen via plug" <> wrote:
Clarifying the point.  Sorry that I wasn't clear

On Apr 3, 2020, at 3:06 PM, George Zipperlen <> wrote:

Zoom hackers not as 133+ as I thought.

Not script kiddies exploiting Zoom's privacy backdoors.

Just randos finding re-used meeting ids...

The last line had little to do with Zoom specific weaknesses

Meeting organizers are re-using the same ids for sequences of meetings,
and these meeting ids are being sent, and re-sent through insecure channels

I.e. Zoom telephone number style meeting ids posted on public web pages like 
MeetUp, or even Twitter and FeceBook...

Meetup seems to [now?] have a mechanism to turn posted online meeting URLs 
into "This event has passed"

The analogy is apt -- telephone numbers, like e-mail addresses need to be 
kept from pranksters, spammers, scammers, and phishers

So "PLUGCentralApril2020" is better than "PLUGCentral" (kudos!)

and "PLUGCentralApril2020" sent to limited "Plug Mailing List" and word-of-mouth is better 
than announced by Goodyear Blimp and emergency text message to all  (kudos again)

Getting back to Jitsi vs Zoom, this is why Jitsi suggests those "MangoSerenityForLavenderTractors"
"ColorlessGreenIdeasSleepFuriously" large search space, one time mnemonic ids.

Now returning to Zoom's specific weaknesses:

Zoom telephone number style ids are a smaller search space, susceptible to both 
"knowing the number" and "robocall" attacks

Residues linger in browser history,  cookies, etc. Including URLs that contain
hashed (or even unhashed) substrings

So we (anyway) sandbox all browser activity, and all of this browser cruft is more-or-less 
well known

Closed source apps are even more opaque than obscure and obscured javascript,

So, depending on your trust level, they require more severe sandboxing

Things like Zoom should be freshly downloaded into a temporary sandbox that is deleted 
after each use, so one session has no local knowledge of other sessions

Hypothesis here: Zoom grabs data and metadata from #all# your meetings...
They have global knowledge of all your sessions that share a fingerprint,
either actual login account, or shared characteristics such as IP, OS type, etc;

When this data is stored in some kind of local cache, it is potentially available
to other sessions, not just Zoom.

Hackers thus have multiple paths to this data.

Don't these people understand that a 'back door' is not necessarily a one way turnstile,
and that even a 'secure turnstile' is easier to pass than a brick wall,,,

<Three letter agency sourced elliptic curve parameters...>

I need to find that sweet spot between too brief, and TL/DR


Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
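
Added example, not part of the original messages and not Jitsi's or Zoom's own code: it puts numbers on the "smaller search space" point and issues one-time word-based room names from a CSPRNG. The 10-digit id length, the 7776-word list size, the count of ids in use and the sample word list are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed 16-word sample list. A real list would hold thousands of
# words (a 7776-word diceware-style list is assumed in the comparison below).
WORDS = ["Mango", "Serenity", "Lavender", "Tractor", "Colorless", "Green",
         "Idea", "Furious", "Copper", "Harbor", "Quiet", "Lantern",
         "Velvet", "Orbit", "Maple", "Signal"]

def id_space(alphabet_size, length):
    """Number of distinct ids of `length` symbols drawn from the alphabet."""
    return alphabet_size ** length

def bits(space):
    """Size of the id space expressed in bits."""
    return math.log2(space)

def expected_guesses(space, live_ids):
    """Mean number of uniform random guesses before one lands on any of
    `live_ids` ids currently in use (geometric, p = live_ids / space)."""
    return space / live_ids

def issue_room(used, words=WORDS, count=4):
    """Return a fresh CSPRNG-chosen room name and record it in `used`,
    so an id is never handed out for a second meeting."""
    if len(used) >= id_space(len(words), count):
        raise RuntimeError("id space exhausted")
    while True:
        name = "".join(secrets.choice(words) for _ in range(count))
        if name not in used:
            used.add(name)
            return name

if __name__ == "__main__":
    numeric = id_space(10, 10)   # assumed: 10-digit telephone-style id
    wordy = id_space(7776, 4)    # assumed: 4 words from a 7776-word list
    live = 100_000               # assumed number of ids in use at once
    for label, space in (("10 digits", numeric), ("4 words", wordy)):
        print(f"{label}: {bits(space):.1f} bits, "
              f"~{expected_guesses(space, live):,.0f} guesses per hit")
    used = set()
    print(issue_room(used), issue_room(used))
```

With these assumed figures the numeric space is about 33 bits against about 52 bits for four words, and re-using an id across a series of meetings removes even that margin once the id has been posted publicly.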
