The title is no longer required
Tories In SNAFU Shocker. Should Corbyn Resign Over This?
UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty. The tweet also disclosed the Zoom …
For data fetishists it's the biggest opportunity since 9/11.
I can't think of anything more apposite here. If the muppets in charge want to take away our end-to-end encryption because they want access to all our data to "protect us from terrorists & paedophiles", why the fuck should they be able to use it?
You have to feel sorry for the FSB/CIA/MMB agents taking down the transcript
Comrade, I have hacked the zoom feed but they seem to have some secret code....
"Wiff-waff, crikey, bit of a sticky wicket as we used to say in big skool. Well my old motto, scribi bolloxi on omnibus"
This post has been deleted by its author
"When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point"
"When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean- neither more nor less." Through the Looking Glass, Ch. 5
Ah. So I get to take all Zoom's stuff (obligatory XKCD link). Be right back; I need some new servers. Anyone else want stuff while I'm there?
If you want a brief overview of the likely reason for their economies of truth - the complexity of group key management - the introduction of this paper might be helpful. Or this RFC for a long read.
we don't sell it, we just give it away for some other consideration...
Yes - there are a lot of careful phrases in that "clarification". For example: " we do not use your data...for advertising purposes". OK, you might not use our data for advertising purposes, but you're not guaranteeing that our data doesn't end up with someone else for THEIR advertising (or other) purposes.
To be completely fair to Zoom the standard version of Webex does exactly the same thing. Webex has a dedicated client to client encrypted service with lots of functionality missing - zoom doesnt appear to offer an equivalent.
The rationale is that screen recording and other "in meeting" functions require interception and decryption of the stream.
TL;DR - 99% of use cases will be fine on Zoom - fine being defined as "similar functionality to webex"
So move along nothing to see here other than a convenient headline to bash the victim of today.
If using it's record to cloud feature (as opposed to record to this PC), the server would need to be given the session key used for the AES streams of that meeting. It is effectively another client for that call.
The telephone dial in numbers would also need the session key.
It could be done that way, but I an describing the feature as it currently exists, where I can email you an Uri, you click it and MP4 starts playing in your browser. As I described, the server needs the session key for that functionality.
I'm not advocating anyone use that feature, but if you do then that is how it would work. But if you disabled phone in and didn't record to cloud then no it should avoid sharing the session key to the server itself or remove that end to end encryption claim.
"If using it's record to cloud feature (as opposed to record to this PC), the server would need to be given the session key used for the AES streams of that meeting. It is effectively another client for that call."
Some solutions:
1. Record from a local client and upload. No key needed.
2. Record encrypted data and let it be decrypted by the users.
3. Fine, so meetings recorded to cloud need end-to-end turned off. But other meetings recorded locally or not recorded at all would use it. So all I have to do to ensure full encryption is not to record to cloud? Thanks for telling me. Oh, wait.
"The telephone dial in numbers would also need the session key."
Some solutions:
1. User approves numbers individually and sends them keys. The server doesn't need to know, only the phone endpoint, and that can erase them.
2. Provide an option for a secure, user-maintained call-in point. That would be run by the user and therefore can be trusted with keys.
3. Fine, so meetings including phone call-ins need end-to-end turned off. But other meetings using the software clients only, which is most calls, would use it. So all I have to do to ensure full encryption is not to use a phone to call in? Thanks for telling me. Oh, wait.
You are missing the point. The major problem isn't the lack of end-to-end encryption. The major problem is not having end-to-end encryption but lying that you do.
I'm not sure why you think I'm disagreeing with you or defending their claim. They should not be claiming end to end encryption. Anyone clever enough to implement encryption correctly knows damn well what that term means and TLS between server and client is not sufficient.
Point 1 is absolutely correct. It should not share the key with the server if you are not asking for a cloud based MP4 to be available. It does though, hence the controversy.
Point 2 would work, but that isn't what the feature does. You are trading off convenience of a sharable MP4 link for the complexity of requiring a bespoke player and a way to securely distribute the keys to your recipient. Again power to you if that's how you want to share it.
I agree 3 would be a reasonable compromise.
On your dial in suggestions, point 1, faking your dial in number is orders of magnitude easier than compromising the key.
Point 2 would work of course, but now your company needs an extra 50 phone lines for that once a week call. Similar to point 1, there are some security compromises in proving that the incoming call is the authorised party. It also means that all audio of that call is going through a public phone system, so that's where the weakest chain link is.
I don't disagree with point 3. If I ask for an end to end encrypted call, I expect any feature that cannot operate under that constraint to disable. It is wrong to create a false impression of security.
>I presume it's all about the slurp.
No I suspect Zoom does it that way because that was the way they did it in Webex (remember Webex and Zoom are like WhatsApps and Signal).
I suspect it was done this way so as to keep the client small and have a single stream from the client to the streaming server, thus able to execute on a wide range of systems. Also, architecturally it makes sense - Webex is effectively just an enhanced streaming server - remember webex was designed before today's obsession with communications security. So having the streaming server save a copy of the stream in massive purpose built storage array not only makes technical sense, but also commercial sense as you can make this a chargeable feature...
Also remember Skype was originally a one-to-one telephone call replacement, not a one-to-1000's conferencing solution.
WhatsApp and Signal share the same roots - as do Webex and Zoom. so they are 'like' in the way that they have a common history, so I fully expect weaknesses in Zoom to also be present in Webex. However, like Signal and WhatsApp, I would expect Zoom to do better than Webex.
"So move along nothing to see here other than a convenient headline to bash the victim of today."
Umm, what victim? Zoom falsely and fraudulently claim end to end encryption, an important feature for high-security meetings, WHEN THEY DON'T HAVE IT, and furthermore (so it's not just some marketing blurb error...) apparently have an in-app padlock symbol also falsely claiming E2E. The victims are the customers they've lied to that expected them to have this feature they claim to have,
"The rationale is that screen recording and other "in meeting" functions require interception and decryption of the stream"
And that rationale is nonsense. Obviously having Zoom record your session precludes E2E; so, you either grey those functions out (and have a switch to turn E2E on and off), or you have the app give a discreet warning saying E2E will be disabled when you use those functions, and people can decide if they want to use them or not.
JH: Now then, Humphrey, what is this I hear about Zoom not being encrypted end-to-end?
HA: Now then, Prime Minister, I understand that the phrase 'end-to-end' is open to some interpretation, the interpretation of Zoom was that messages were encrypted at each end of the communication and therefore were encrypted 'end', to 'end' in that multiplexing of communications over the micro-wave network means that although the encryption may not be unbreakable, indeed may have been designed to make decryption readily achievable with error-correcting codes using ...
JH: Humphrey! Humphrey! speak in English, please. What is going on?
BW: I think Sir Humphrey was merely pointing out that the encryption applied by Zoom was indeed 'end-to-end', it was not encryption to be relied upon for secrecy.
HA: Thank you, Bernard.
JH: You mean that the cabinet meeting I held was not, 'secret'? That anyone could have listened in?
HA: Not entirely, if you used a password for access to the meeting, someone would have needed technical capability to hack in to the meeting.
JH: Well, that's a relief, I expect that would be pretty difficult.
BW: Actually, Prime Minister, my nephew was listening in from his bedroom, he's doing GCSE computing.
JH: MY GOD! all our secrets revealed. The deepest strategies of my government open to all to see! <sighs>. Did he take notes?
BW: No, Prime Minister, he fell asleep.
JH: Bernard, Humphrey, this must not happen again. You must set up something secure for next time.
HA & BW: Yes, Prime Minister.
The Bavarian government was caught with their WebEx down as well.
Heise's c't magazine found the links to the Bavarian meeting rooms were all open, predictable (a path + a room number, which was sequential) and none of the meeting rooms were password protected.
Last week, they managed to sit in on a crisis meeting between the Minister-president of Bavaria, the police and the health ministry. After confirming that it was a private meeting, not meant for the public, they quietly left the meeting and informed the Ministry for IT Security (BIS) straight away. In the meantime, the meeting rooms have been password protected.
We already heard it over and over and we all know you don't sell the data because you can monetize them better by selling just their usage for targeting without disclosing to others what you have and losing the ownership.
We don't monitor - 'monitor' has a specific meaning, you may not 'monitor' and still 'collect' data - on the other side nobody would object to the monitoring of pure performance data, say latency or packet loss.
Anyway, they offer also a free service, again, where the money come from?
The English language is excellent for statements like this, you can say "We don't sell your data" but then you can do a lot of things with it that fall just outside the statement and have been cleared as OK by the company legal team because they don't meet the definitions of "we", "sell", "your" and "data".
"The English language is excellent for statements like this, you can say "We don't sell your data" but then you can do a lot of things with it that fall just outside the statement"
What the spammers used to do is swear up and down they would not sell your E-Mail address to anyone. And they didn't sell it, they "rented' the E-Mail list to other spammers. Wait, they copied it? Huh.
That said, I do find this unlikely. I think Zoom got caught with their pants down with a "you have no privacy" privacy policy, they are unlikely to have actually been doing everything this policy allows, it's to "cover your ass" if you want to do those things later. I think even if you want to assume they are evil, they've probably decided those sweet sweet $549 a month on up subscriptions are worth far more than selling off some marketing info but losing privacy-conscious users.
"[...] they've probably decided those sweet sweet $549 a month on up subscriptions are worth far more than selling off some marketing info but losing privacy-conscious users."
No - it is a classic avaricious case of wanting to both have the cake and eating it. They want the cherry on top too.
Surely they (Security Services) should have been sorting out a more secure solution?
It might not be as much fun as trawling through everyone's data , but they could make a bit of an effort.
Even if its the fault of someone at No 10 not liaising with the Security Services, you would have expected a near instant reaction from the Security Services when they saw the screenshots of zoom usage posted every where and they would have been onto No. 10 in a flash to help get them to sort something secure out.
GCHQ operates in a purely advisory role in this case; it is the Cabinet Office which is actually responsible for providing secure communications links. As I understand it, GCHQ heard that Zoom was going to be used and basically blew a gasket in response, however the Cabinet Office ignored them and went ahead anyway. the rest, unfortunately, is history.
"GCHQ operates in a purely advisory role in this case; it is the Cabinet Office which is actually responsible for providing secure communications links."?
I thought it was the responsibility of the Parliamentary Digital Services to provide technology to enable Minsters and MP's to communicate.
I suspect the Cabinet Office has no ready to roll secure conferencing solution that could be deployed within 24 hours to a variety of geographically dispersed users and their mobile devices...
"In the current lockdown you can't expect them to leave all the secret briefings in a wine bar or the back of a cab can you ?"
...and they're are not allowed to make visits to their mistress***. Still - the Russian agent is not allowed to visit her either.
***Or as was clarified recently - unless they are sharing looking after their offspring.
.... is not a new thing. It's precisely why my home firewall has these rules on outgoing connections:
target-port="88 135 137 139 389 445 593" protocol="6" action="reject"
target-port="88 137 138 389" protocol="17" action="reject"
(and before anyone asks, the rules for incoming connections are: very short whitelist, everything else dropped)
PS. here is reference list
Good enough for all the heads of Europe to use with each other, but not good enough for the cabinet.... It'll be those customisable backgrounds(*)
Yeah, it needs to be set up correctly to be secure but once it is....
Zoom appears to be leakier than a Crapita solution.
(*) First achieved by iChat and Quartz on the Mac: I miss the rollercoaster...
"Good enough for all the heads of Europe to use with each other, but not good enough for the cabinet."
Yeah, we don't want to follow the EU in anything. We are an independent country now.
Why let common sense override dogma? After all we don't need no steenking EU purchased ventilators.See here.
And if the "Torygraph" is having a pop at a Tory government then things must be bad.
"And if the "Torygraph" is having a pop at a Tory government then things must be bad."
The online DT has become almost readable again - the lunatics no longer seem to be dominating the articles. In the last few years its articles had gone from being a reasonable source of centre-right views to being laughable ******.
I suppose we should applaud them, after all they want everyone else to use man-in-the-middle broken encryption, so they're leading by example. Just leave the password off and it'll get us that much closer to properly open government.
(I read that GCHQ response as: "Of course they shouldn't, but you try telling them.")
"Currently, it is not possible to enable E2E encryption for Zoom video meetings...."
It's not just Zoom's lie about E2E encryption. It's the way they encourage 'ease of use'. I am regularly sent this legitimate (numbers changed) invite over open webmail, (by an outfit which believes what Zoom tells them).
>>>
Join Zoom Meeting
https://us04web.zoom.us/j/123456789?pwd=ZXJRchf9h379493JQWQ4Ufjeiweoifnf
Meeting ID: 123 456 789
Password: 123456
<<<
Zoom are lying f'cking idiots.
---
weren't doing the same re restricted materials.
---
Well, if they were using the zoom app, rather than the web client (which zoom tries _really_ hard to prevent you finding out about), the persistent surreptitious web-server with access to your mic and camera could be grabbing conversations being held in a room when the occupants _thought_ they were not "on zoom". Perhaps all zoom meeting should be held in a dedicated Cone of Silence.
Ah: further research
https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-patch-vulnerability-emergency-fix-web-server-remove
says this (_particular_ "bug") only affects Macs, and there is a patch. So if either No 10 is Windows only, or they diligently apply patches, No problem...
Somewhat surprised that one the supposedly most advanced nations on the planet doesn't have something a litte more.. dedicated.. less COTS over the internet, for remote gov conferencing.
Then again given the shower of shite that passes for intelligent governance these days, and the Army's having to fall back to WhatsApp, so I guess I'm not surprised at all.
Not sure what the issue is here, everyone knows that there's no legitimate need for end to end encryption online. That's what the UK government keeps telling us (along with governments around the world) to justify banning us from using it / back dooring its implementation, so it must be true right?
English government, later the UK, began infatuation with secrecy and surveillance during the reign of Elizabeth I and has taken it to a fine art. There are publicly acknowledged agencies such as GCHQ, MI5, MI6, and the military, with perhaps others lurking in shadows, able to draw upon some of the finest minds in present day communication technology and encryption. Yet, what does the Cabinet Office do when obliged to implement A/V conference calls with transmission of highly sensitive material? It draws upon services from an American company of obscure provenance. One it turns out able to permit US government agencies to listen in.
It would be surprising were there not technologies already in place for secure A/V communication, including possibility of conferencing, among military, security, police, and other agencies charged with protection of UK interests. What means of communication have been arranged for government ministers and regional co-ordinators when dispersed in emergency to second generation post Cold War bunkers and outposts?
It is almost unbelievable that the Cabinet Office would adopt a conferencing system for deployment by ministers and officials located in the UK, indeed most within short distance of Downing Street, that operates through servers under jurisdiction of another nation.
Had contingency demanding highly confidential/secret communication at Cabinet level crossed the minds of those responsible for thinking ahead a secure system would already have been to hand.
In devising such system there need be no call upon private contractors. A small team assembled from agencies containing requisite expertise could have written necessary computer code quickly. No cutting-edge brilliance would be required. It would merely be a matter of putting together existing communications and encryption technologies. Much of the necessary code is sitting within the agencies and anything else might be obtained from open source repositories. The experts' primary task would be testing fitness for purpose of whatever they assembled.
People are asking about the role of the security services and assuming that the poor buggers are not, right now, slapping their foreheads and rolling their eyes to the tune of—
Boss: "You mean Number Ten Downing Street just installed an ordinary public app to conduct a virtual meeting? They didn't pick up the phone to GCHQ, for chrissake, to ask what to do? They didn't think to check with anyone who had the first clue what they were doing? You shirley can't be serious??"
Shirley: "Well, the PM is a known liar, mediocre student of dead languages, can't keep his flies zipped, doesn't retain or understand even basic details, knows absolutely sweet FA about technology (and everything else, actually) and has a well-earned reputation for laziness and incompetence. And he's surrounded himself by useless yes-men. one of them used to sell fireplaces! We've learned to expect this level of idiocy."
Boss: "Fucking hell. What secrets has he let slip?"
Shirley: "None. We stopped telling him the sensitive stuff when he was still making a fool of himself in the Foreign Office."
Boss: "I don't know whether to laugh or cry."
Shirley: "Personally, I recommend you begin drinking heavily. And stop calling me Shirley."
Sadly, it's not lizard people, it's cunts like Bannon and Cummings, and global mega-corps like Halliburton. And the oil-producing Arab countries, as long as they can continue to pump money out of the ground.
edit - oh, and don't forget Vlad and his FSB/GRB cohorts.
I never said they were geniuses, it's just that if you don't give a shit about other people, it gives you a natural competitive edge. That's why, for example, capitalism has to be tempered with regulation, such as that limiting monopolies, to stop the greediest grabbing everything for themselves.
The thing that the people and entities I listed have in common is that they are motivated purely out of self-interest, with no regard for societal externalities. Stuff that is great for the individual is often not great for the human race as a whole. More people could do with giving humanism a go.
so I am on a thread full of know all security "experts" that are commenting to a clickbait article on a site full of ad's?
At least I have the sense to use a "burner" pc. And have the sense not to trust an ad/tracker blocker. After all, as I have read many times on this site, "if it is free you are the product"
Cheers… Ishy
You forgot to mention the spyware they installed on Mac computers for a long time (until they were caught out).
And that they turn on video by default unless you go in and change it. One time a colleague called in from bed (fully dressed, but still...). You don't expect an app to do this until you explicitly turn it on.
Stupidly negligent the use of Zoom may be at such high levels of government we must remember the actual individuals involved. The US or Chinese would get more sense bugging the whooping from London Zoo's monkey house.
Of course the Russians don't need to bug the Cabinet - they've bought them.
{Note absence of Joke icon]
Normally, I don't bother flagging typos (Regular readers will note I frequently make them - Vino Rosso, don't you know..)....however today has been bad.
"A link such as \\evil.server.com\foorbar.jpg will, when clicked on, cause Windows to connect to evil.server.com, supplying the logged-in user's credentials in hope of fetching foobar.jpg."
Errrr...."foorbar.jpg" != "foobar.jpg" so typo needs correcting, or the conclusion needs changing to "in hope of fetching a 404 page."
Does anyone remember Bob Quick being sacked—described as resigning—in 2009 for keeping Secret papers in a transparent folder, duly photographed by the paparazzi? And who was Mayor of London at the time who sacked him/took the resignation? The very same Boris J., now the UK's prime Minister!
https://www.theguardian.com/uk/2009/apr/09/bob-quick-terror-raids-leak
Crucially, the use of the Zoom software is likely to have infuriated the security services
Because? There was like 40 people that we could see ignoring staffers, families and the like. You think they discussed privileged information? Really? Oh dear.. That's not what cabinet meetings are for.
while also raising questions about whether the UK government has its own secure video-conferencing facilities
Nah man they just use Zoom for everything despite the contracts for video conferencing being fairly well publicised.
We asked GCHQ, and it told us that it was a Number 10 issue. Downing Street declined to comment.
As they should.
You people can't possibly be this simple? It's clearly a massive diversionary tactic. Pointless one sure, but lets get a grip? They wouldn't talk about anything of note over the public internet, full stop.
Zoom's policy regarding their ability to use your content is absolutely scary. But I have been looking at video conferencing generally, and not impressed by any of them. Does anybody know of a video conferencing system that would be regarded as secure enough for a virtual board meeting by a listed public company? That is, both physically secure, and not owned by somebody who is likely to monitor users content?
On another question, doesn't GCHQ have someone full time in No. 10 to keep an eye on what happens there, and how it happens?
For one-to-one, I'd say Signal. I don't think it can do multi-way video chats, though.
Potentially of interest, but I have no idea how secure they are, although judging from this kerfuffle, it's probably more realistic to say that open source software, done for the intellectual challenge and gradual polished codeworkery of it, rather than cobbled together to a too-rushed deadline, is hopefully less likely to have horrendous security design oversights and crufty coding shortcuts than any of these supposedly commercial-grade systems seem to, could be Jitsi Meet or Jami?
(And whatever happened to Firefox Hello (based on WebRTC)?)
Interesting thing is that all the rules for computer use / solutions for UK govt. etc. are actually handed down by the Cabinet Office.
With input from GCHQ and NCSC, but the buck stops with the Cabinet Office.
BIG set of rules.
There definitely are secure govt. conferencing solutions but this would probably have been a case of somebody rapping on the door of somebody in No. 10 IT office and saying we need to do this now, what do you mean you'd need to get accounts sorted out, paperwork, sign-offs? No, no, no, this is happening in 30 minutes JFDI or you're out the door.
This is one of those articles published on April 1 which you read very carefully and then admire the chutzpah and humour of the journalist. Except that it isn't. Hence Icon.
If there isn't anyone anywhere in the Civil Service who can find a self-hosted video conferencing tool, running on a server in a govt datacentre, with TLS security between punter and server, then I'm pretty astonished. If there isn't such a system around already, I'm even more astonished. Just try googling open-source video conferencing tools: there's some out there.
But I can see why they went for Zoom. Setup and use is idiot-proof.