Keith C. Perry via plug on 18 Jun 2020 12:05:01 -0700
Re: [PLUG] taskbook, Zoom
"We only consider your right to privacy valid if you're a paying customer" is not a very good stance to take."

***smh*** no it isn't and yet people still will use Zoom. I don't get that. Threat priorities aside, that is a polite smack in the face.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com

----- Original Message -----
From: "brent timothy saner via plug" <plug@lists.phillylinux.org>
To: plug@lists.phillylinux.org
Sent: Thursday, June 18, 2020 2:57:19 PM
Subject: Re: [PLUG] taskbook, Zoom

On 6/18/20 10:53 AM, Rich Freeman via plug wrote:
> On Thu, Jun 18, 2020 at 10:38 AM jeff via plug
> <plug@lists.phillylinux.org> wrote:
>>
>> Zoom decided to encrypt end-to-end, after the yelling.
>
> While I obviously support E2E encryption, I think that people
> complaining about this don't have a great grasp on the threat model.
>
> The only people that E2E encryption protects you from are those with
> access to the telecom infrastructure.

Oh, speaking of telecom, dial-in POTS/PBX bridge is disabled for E2EE Zoom sessions (which makes sense; it'd be a bunch of static otherwise). The E2EE can be disabled or enabled without disrupting the session.

> This is all professionally
> managed and unless you are concerned about government spying/etc I
> think the risk of an attack here is relatively low. Of course it is
> nonzero and so E2E encryption should be preferred.
>
> What E2E encryption doesn't help with is attacks on the endpoints
> themselves - which are probably cellphones or desktop PCs.
>
> Which do you think is more likely? That some hacker managed to
> install a rootkit on somebody's Win10 PC? Or that some hacker managed
> to install a rootkit on some router/switch at Verizon?

Or someone got port mirror access on the Starbucks' switch (which is SMB stuff), or ARP poisoned their neighbour's consumer router, or compromised one of those Linux-driven IoT devices on their network (because most end-consumers aren't VLANning that stuff), or...

Remember, a lot of people are still working from home and with a cantenna/yagi, you can do some pretty impressive things. Might not even need a directional antenna if you're in a densely populated area like the city.

And consumer router firmware is a sieve. (Hyperbolic, of course, but it's... a problem. A very big and prevalent one.)

>
> My point here isn't so much that you shouldn't care about E2E
> encryption. Rather, my point is that simply having a features
> checklist in the software you're using doesn't make you secure.
> Usually the weak point in any chain of security is you...
>

Sure, but that doesn't mean citizens don't have a right to privacy, which E2EE grants. It's not about where the risk factor is, it's about ethics first and foremost. Which is why there was so much outcry with their initial response - "We only consider your right to privacy valid if you're a paying customer" is not a very good stance to take.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug