[Lex Computer & Tech Group/LCTG] Security issues with the ZOOM application

George Gamota ggamota at stma-llc.com
Tue Apr 28 18:55:48 PDT 2020


Hi Dick

I tried both ZOOM and JITSI. However, I found JITSI does not work for overseas calls. Do you know why? I had to use Skype to have a dialogue with someone in Europe.

George

 

From: LCTG <lctg-bounces+ggamota=stma-llc.com at lists.toku.us> On Behalf Of Dick Miller
Sent: Tuesday, April 28, 2020 9:33 PM
To: Lexington Computer & Tech Group <LCTG at lists.toku.us>
Subject: Re: [Lex Computer & Tech Group/LCTG] Security issues with the ZOOM application

 

Hi, Friends:

Good luck with tomorrow's virtual meeting. Hoping it will be taken as useful, I'll update several prior comments regarding Zoom's security as seen by the FOSS User Group in Natick.

Firstly, Olga said it right, and provided you with one good URL. If you didn't read it then, you should:

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto. The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

I'll add that there's a LOT more damning information available. Zoom's been found doing such things before; it tends to deny and to repeat. Also, its free services are limited to a maximum of 40 minutes.
Bottom line: Zoom is like Coronavirus; one should avoid spreading it! 

Secondly, what to use in its place? Our FOSS User Group is using Jitsi Meet, on its own sponsor's server, free for unlimited time and users. (Do NOT download any Jitsi software, unless you want to run it on YOUR server. It's open-source, so no Zoom-type surprises.) Just start here:
https://meet.jit.si/
To host a meeting:
https://meet.jit.si/AMeeting

Rob mentioned that our group fumbled with Jitsi, when we started using it. That's true, but needn't be a problem for you because we traced it to known issues with many popular web browsers. Jitsi's interim solution is to recommend using Google Chrome (on Windows and macOS) or open-source Chromium (on Linux) - and that works very well! Jitsi has chosen a superior network protocol which those browsers already support well, but which is not yet generally supported in full. (I'm a Firefox fan, and note that Jitsi gets overloaded by too many Firefox users now. Jitsi is helping Firefox to become fully compatible - hopefully on its next version.)

We've also looked at Jami; it wasn't handling larger groups, while Jitsi (which has been available long before Zoom) already did so. But Jami's also interesting, and it's coming along.

Trying Jitsi: You can fiddle with Jitsi on your own, in twos, or in fifties. If you like, hop on our own Jitsi meeting next Thursday, May 7th. The meeting begins 3PM, but we'll be online about 2:45PM so folks can test, confirm and get help if necessary. As you've probably guessed, at:
https://meet.jit.si/NatickFOSS


Best wishes from
--Dick Miller, Partner, MMS <TheMillers at millermicro.com>


Co-Leader, FOSS User Group at Natick Community-Senior Center <http://millermicro.com/FOSSUserGroupNatick.html>


Sent from an awesome, inexpensive, non-proprietary <https://www.gnu.org/proprietary/>, no-lock-in, no-bloatware, virus-resistant, free open-source software, Linux <http://NatickFOSS.org/> PC - with Ubuntu <http://www.ubuntu.com/desktop> 20.04 LTS/Unity 7.5 <https://linuxconfig.org/how-to-install-unity-desktop-on-ubuntu-18-04-bionic-beaver-linux> and draft Fotoxx <http://www.kornelix.net/fotoxx/fotoxx.html> 21.





On 4/3/20 3:00 PM, Robert Primak wrote:

Steve, I'll keep my eyes and ears open. But at the moment I honestly think we're doing the most practical thing available for us. Natick FOSS spent the better part of a week getting Jit.si Meet to work, for only about 15 of us. And it's still spotty. You are doing great.

 

Hopefully, Zoom will learn a few lessons and get with the program about privacy. Not holding my breath.

 

-- Bob Primak

 

On Friday, April 3, 2020, 02:42:28 PM EDT, Steve Isenberg <smisenberg at gmail.com> wrote:

 

 

Bob, no offense taken, I'm just trying to provide a means for the Lexington Computer and Technology Group to continue their meetings during these times.  If there's another or better alternative I'd like to know of it.  For what it's worth, Boston University (that I'm affiliated with) is using Zoom for their classes.

-steve

 

PS: This goes to the Lexington list.  If anyone on that list is interested in learning more about what the LCTG (Lexington Computer and Technology Group) is about, and maybe to join up, take a visit to http://LCTG.toku.us as it links past meetings and identifies our future plans.  Or if you're interested in presenting something that may be of interest, let me know (or email John Rudy who is the CEO of the group)(CEO used here means Coordinator and Exceptional Orator).

 

 

On Fri, Apr 3, 2020 at 1:50 PM Robert Primak <bobprimak at yahoo.com> wrote:

I should refer you folks to Bill Ricker, a member of Natick FOSS user group. He's been all over this issue, and has insider information which he may or may not be able to share. Contact Dick Miller at Miller Micro if you want to know what the open-source community thinks of Zoom.

 

TheMillers at millermicro.com (This is not a link.)

 

The details are pretty bad as far as the parent company of Zoom is concerned. (This is a link.)

 

https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

 

I would say their response page is almost as bad as the Facebook response to the Cambridge Analytica revelations. We may not have a better choice for our meetings, but the claim made by Zoom that their service is HIPAA compliant is at this point totally laughable to me.

 

My Doctor used Zoom with me Wednesday afternoon for a Telemedicine Visit. I have no idea whether his office or network has taken additional steps to secure their instance of Zoom. I am betting they did not. Whoo-boy!!

 

We are all learning in these times. Sometimes we have to make choices where there are no truly good alternatives. 

 

And I in no way wish to override the judgment of Steve Isenberg. He has been very gracious and has worked very hard to keep us all in touch using Zoom and his other resources. These efforts are outstanding and commendable.

 

-- Bob Primak

 

On Friday, April 3, 2020, 01:24:55 PM EDT, Olga P. Guttag <opg1000 at rcn.com> wrote:

 

 

Though some of us don’t care about having truly secure virtual meetings, many companies do. The article below describes security vulnerabilities in the ZOOM application and how to avoid some of these security issues. 

 

https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/

 

Stay well,

Olga

===============================================
::The Lexington Computer and Technology Group Mailing List::
Reply goes to sender only; Reply All to send to list.
Send to the list: LCTG at lists.toku.us       Message archives: http://lists.toku.us/private.cgi/lctg-toku.us
To subscribe: email lctg-subscribe at toku.us   To unsubscribe: email lctg-unsubscribe at toku.us
Future and Past meeting information: http://LCTG.toku.us
This message was sent to bobprimak at yahoo.com.
Set your list options: http://lists.toku.us/options.cgi/lctg-toku.us/bobprimak@yahoo.com
