Originally published at: https://boingboing.net/2020/04/03/zoom-transmits-your-info-throu.html
“Researchers conclude that Zoom uses non-industry-standard cryptographic techniques with identifiable weaknesses and is not suitable for sensitive communications.”
I’m required to use Zoom for many work needs. For exactly these reasons, I tried to get it to run in a VM. Unfortunately I couldn’t get audio or video to work properly and I never could figure it out. This is exactly what a VM would be good for.
From all those of us who have been ranting to people for years about our mounting privacy debt…
Flaming dumpster fire.gif
Seriously, this is at least the 5th negative article of privacy concerns about Zoom in only 24 hours, at least 3 today alone.
People, please use an alternative. Signal - get off your asses and make encrypted group calls possible, please!
Having a ton of new Signal users would be 100-fold good for infosec - not only would a lot of people finally be using encryption by default, but it would increase the development value of privacy-minded projects.
Signal, please!
Running it inside a VM would not help at all with bad encryption and potentially compromised keys, though.
Where the fsck did Zoom come from anyway, and how did it suddenly become the de-facto video-conferencing software? I’d barely heard of it before this quarantine started.
Okay, so what should we use instead?
Teams, Facetime, WhatsApp, Signal, Nextcloud, Jitsi, Bluejeans, seriously just pick anything else and it probably doesn’t use Electronic Coloring Book. (PDF)
Maybe a second cheap video card and USB sound card passed directly to the VM would do the job? The video card would have to be non-Nvidia, because Nvidia purposefully blocks consumer cards from being used in VMs.
A VM would sandbox the app from your main machine but this is talking about the encryption of the video stream so I don’t see how a VM would protect you here.
This podcast goes into the issues: The Privacy, Security, & OSINT Show, Episode 163, Working & Schooling From Home
tl;dl - too long; didn’t listen.
Make a separate partition with a different OS to your usual one and dual boot. Zoom and other things run from the new partition so your information doesn’t leak across. As with all things security- and privacy-related, convenience is not your friend. Recall last year’s Zoom controversy where they surreptitiously installed an unsecured web server on Macs to avoid security prompts to hide ‘difficult’ things from users. PHB, ‘I just want to press one button and have everything work’.
The different OS is to make it more obvious which environment you are in so you don’t accidentally do the wrong thing from the wrong environment.
In a work setting the best option is to have the employer provide work-only devices.
Zoom has been around for some time, and was known for good audio and video quality, a generous free plan that works for most private use cases, and a really low barrier to entry. You can sign up and set up a free call that others can join from their browser in a couple of minutes.
The price of that is massive security and privacy issues, but it appears that people are willing to pay that price.
Just like for phone calls we need an interoperable standard for video conference calls, so you can connect to anyone, have a choice of clients, codecs and encryption, and essentially just pay for the bandwidth. Now that would be a good use of government money to get that up and running.
You mean WebRTC?
I think what I’m looking for is more like Matrix.
Anyone have any thoughts on Jitsi? It looks good on paper but I don’t know much about it.
These are work-related calls that aren’t that sensitive. If hackers could decrypt it, it wouldn’t change anything for me, and probably would have no impact on work, other than making them upset.
I am worried about what else the Zoom client does on my machine which is why I wanted the VM. I’m continuing to look into this.
Jitsi is pretty good, it’s also free and you can use it anonymously in your browser at https://meet.jit.si
You could also try Discord or Jami, both are free services.
(Nextcloud Hub or Riot also come to mind, both need hosting, but you can get your own Riot instance at Modular for $1.5 per user per month, that is next to nothing considering it gives you text chat, voice and video conferencing AND bridging to Slack or IRC.)
Of course all products I mentioned here are Open Source.
Thanks for this. A few of my friends have been spooked by the rumours of hacks related to Houseparty so I’ll check out these alternatives.