Re: avoid holding sensitive conversations, even when on mute
Open the pod bay doors HAL.
Britain's House of Commons' embrace of "hybrid scrutiny" sessions represents the biggest change in its Parliamentary protocol in generations. But guidelines released shortly after the measure was approved show no signs of standards slipping, with members expected to dress smartly and behave with the, er, usual decorum. At any …
https://blog.talosintelligence.com/2020/04/zoom-user-enumeration.html
The vulnerability arises from the lack of validation to ensure the requesting user belongs to a queried domain. This allows arbitrary users to request contact lists of arbitrary registration domains. The exploitation process requires the user to properly authenticate to Zoom with a valid user account; the user then sends an XMPP message with the content below to receive a list of users associated with the domain arbitrary_domain.com:
<iq id='{XXXX}' type='get' from='unknown_xmpp_username@xmpp.zoom.us/ZoomChat_pc' xmlns='jabber:client'>
  <query xmlns='zoom:iq:group' chunk='1' directory='1'>
    <group id='arbitrary_domain.com' version='0' option='0'/>
  </query>
</iq>
In the reply, the Zoom server discloses a directory of users registered under this domain. This includes details such as the autogenerated XMPP username along with the user's first and last names. This information combined with other XMPP queries could be leveraged to disclose further contact information including the user's email address, phone number and any other information that is present in their vCard. As a large number of users come online with video conferencing for the first time, there is a large attack surface. It's important to note that because this is a server-side cloud issue, as is customary, a CVE will not be assigned.
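The missing check described in the Talos write-up is a server-side authorization decision: the directory for a domain should only be returned to a session whose authenticated account belongs to that domain. The following is an added illustration, not Zoom's code and not from the Talos post; the stanza layout follows the one quoted above, while the account-to-domain table (accountDomain), the directory store (directories), the stanza builder (groupQuery) and the two handler functions are all constructed for this example. It contrasts a handler that behaves as the advisory describes with one that binds the decision to the session's authenticated identity rather than to anything the client put in the stanza.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Go structs for the zoom:iq:group query quoted in the advisory. Namespaces
// are omitted from the tags, so matching is by local element name.
type groupElem struct {
	ID      string `xml:"id,attr"`
	Version string `xml:"version,attr"`
}

type queryElem struct {
	Directory string    `xml:"directory,attr"`
	Group     groupElem `xml:"group"`
}

type iqStanza struct {
	XMLName xml.Name  `xml:"iq"`
	ID      string    `xml:"id,attr"`
	Type    string    `xml:"type,attr"`
	From    string    `xml:"from,attr"`
	Query   queryElem `xml:"query"`
}

// accountDomain maps an authenticated XMPP account (bare JID) to the e-mail
// domain it registered under. Constructed sample data, not real accounts.
var accountDomain = map[string]string{
	"alice_xmpp@xmpp.zoom.us":   "example.com",
	"mallory_xmpp@xmpp.zoom.us": "other.example",
}

// directories holds each organisation's contact list. Constructed sample data.
var directories = map[string][]string{
	"example.com": {"alice_xmpp (Alice Example)", "bob_xmpp (Bob Example)"},
}

var (
	ErrForbidden  = errors.New("requester is not a member of the queried domain")
	ErrNotFound   = errors.New("no directory for the queried domain")
	ErrBadRequest = errors.New("malformed or unsupported iq stanza")
)

// groupQuery builds a stanza in the shape quoted from the advisory (hypothetical helper).
func groupQuery(from, domain string) []byte {
	return []byte(fmt.Sprintf(
		`<iq id='1' type='get' from='%s' xmlns='jabber:client'>`+
			`<query xmlns='zoom:iq:group' chunk='1' directory='1'>`+
			`<group id='%s' version='0' option='0'/></query></iq>`, from, domain))
}

// bareJID strips the resource part ("/ZoomChat_pc") from a full JID.
func bareJID(full string) string {
	if i := strings.IndexByte(full, '/'); i >= 0 {
		return full[:i]
	}
	return full
}

func parseGroupQuery(stanza []byte) (*iqStanza, error) {
	var iq iqStanza
	if err := xml.Unmarshal(stanza, &iq); err != nil {
		return nil, ErrBadRequest
	}
	if iq.Type != "get" || iq.Query.Group.ID == "" {
		return nil, ErrBadRequest
	}
	return &iq, nil
}

// lookupDirectoryUnchecked mirrors the behaviour the advisory describes: any
// authenticated account receives the directory of whatever domain it names.
func lookupDirectoryUnchecked(stanza []byte) ([]string, error) {
	iq, err := parseGroupQuery(stanza)
	if err != nil {
		return nil, err
	}
	dir, ok := directories[iq.Query.Group.ID]
	if !ok {
		return nil, ErrNotFound
	}
	return dir, nil
}

// lookupDirectoryChecked adds the missing step. authenticatedJID is the identity
// the server established at login; the stanza's own 'from' attribute is
// client-controlled and is deliberately ignored for the decision.
func lookupDirectoryChecked(authenticatedJID string, stanza []byte) ([]string, error) {
	iq, err := parseGroupQuery(stanza)
	if err != nil {
		return nil, err
	}
	home, ok := accountDomain[bareJID(authenticatedJID)]
	if !ok || !strings.EqualFold(home, iq.Query.Group.ID) {
		// Refuse before consulting the store, so a non-member cannot learn
		// whether the domain has a directory at all.
		return nil, ErrForbidden
	}
	dir, ok := directories[iq.Query.Group.ID]
	if !ok {
		return nil, ErrNotFound
	}
	return dir, nil
}

func main() {
	stanza := groupQuery("mallory_xmpp@xmpp.zoom.us/ZoomChat_pc", "example.com")
	dir, err := lookupDirectoryUnchecked(stanza)
	fmt.Println("unchecked:", dir, err)
	dir, err = lookupDirectoryChecked("mallory_xmpp@xmpp.zoom.us/ZoomChat_pc", stanza)
	fmt.Println("checked, non-member:", dir, err)
	dir, err = lookupDirectoryChecked("alice_xmpp@xmpp.zoom.us/ZoomChat_pc", stanza)
	fmt.Println("checked, member:", dir, err)
}
```

Two design points are worth noting: the authorization input is the session identity, not the stanza's `from` attribute, since the latter is just bytes the client chose; and the membership check runs before the existence check, so the error a non-member sees is the same whether or not the domain has a directory.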
I suspect a certain amount of Dunning-Kruger in the Zoom offices. I don't know him myself, but a friend of mine knows Eric Yuan, CEO of Zoom; and my friend says Yuan is smart and generally well-informed on technological matters, and alert to potential issues.
So I suspect - based only on this testimonial, mind - that the Zoom development team were told to make security a priority, but lacked the necessary expertise, and weren't aware they lacked the expertise. That would explain one of their most famous blunders, the use of ECB. ECB says "we knew we needed encryption, so we threw in a library and picked some settings without understanding the consequences". Similarly their incorrect[1] use of the term "end-to-end encryption" seems more likely due to a failure to employ security experts than a disregard of security.
That might seem like splitting hairs, and I'm not advocating for Zoom. (I don't use it myself.) But I do think there's a difference in attitude and culpability between Zoom and, say, Voatz. The latter can I think be justifiably accused of both a cavalier attitude toward security and a hostile one toward being called out on it. Zoom, on the other hand, seem to be making good-faith efforts to fix things.
[1] In the casual, common sense of "not as understood as a term of art in the industry". In the strict sense there's no governing authority specifying a precise meaning of the term, so they weren't incorrect in any prescriptive sense.
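The ECB point above is easy to see in code: because each block is encrypted independently, identical plaintext blocks (a flat region of a video frame, say) map to identical ciphertext blocks, so the structure of the input shows through. The program below is an added demonstration, not Zoom's code; demoKey, demoNonce and the repeated "frame" are constructed values for the example only, and the comparison mode (AES-GCM with a per-message nonce) is a standard authenticated choice rather than a statement of what Zoom later adopted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demonstration values. A real system uses a random key and a
// fresh nonce for every message; a fixed nonce is used here only so the run is
// reproducible.
var demoKey = []byte("0123456789abcdef") // 16 bytes: AES-128
var demoNonce = []byte("demo-nonce12")   // 12 bytes: GCM's standard nonce size

// demoFrame stands in for media data: one distinct header block followed by
// three identical 16-byte blocks, like a run of same-coloured pixels.
func demoFrame() []byte {
	frame := []byte("HEADER-BLOCK-001")
	return append(frame, bytes.Repeat([]byte("AAAAAAAAAAAAAAAA"), 3)...)
}

// encryptECB encrypts each 16-byte block on its own with the raw block cipher.
// Go's standard library deliberately offers no ECB mode; this loop is what
// "using ECB" amounts to. The plaintext length must be a block multiple.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// encryptGCM uses an authenticated mode: a counter feeds the block cipher, so
// every block is masked with different keystream even when plaintext repeats,
// and a 16-byte tag is appended so tampering is detected on decryption.
func encryptGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// repeatedBlocks counts the 16-byte blocks of data that occur more than once.
// A non-zero result on ciphertext means the input's repetition leaked through.
func repeatedBlocks(data []byte) int {
	seen := map[string]int{}
	for i := 0; i+16 <= len(data); i += 16 {
		seen[string(data[i:i+16])]++
	}
	dup := 0
	for _, n := range seen {
		if n > 1 {
			dup += n
		}
	}
	return dup
}

func main() {
	frame := demoFrame()
	ecb, _ := encryptECB(demoKey, frame)
	gcm, _ := encryptGCM(demoKey, demoNonce, frame)
	fmt.Printf("plaintext: %d repeated blocks\n", repeatedBlocks(frame))
	fmt.Printf("AES-ECB:   %d repeated blocks (structure visible)\n", repeatedBlocks(ecb))
	fmt.Printf("AES-GCM:   %d repeated blocks, %d bytes incl. tag\n", repeatedBlocks(gcm), len(gcm))
}
```

The repeated-block count is the same measurement that makes the well-known "ECB penguin" picture recognisable after encryption; a mode that chains or counts blocks makes that count zero without any change to the key.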
Zoom seems to work, but it needs the crap of an exe running on your Windows box, otherwise painless. Security doubtful, owned by Chinese.
MS Teams is crap; while it offers a web browser mode, it only works with Chrome (Edge does not count as another browser, it is Chrome). How come a company the size of MS can't make a system that actually works on many browsers like, say, Zoho can? Security maybe better, but USA jurisdiction.
Don't know where you got that idea, as Zoom has versions of its application for Linux, Mac, Android, etc.
Also you don't need the .exe file it downloads when you click on an email link (in Windows), you can just copy the meeting ID and join directly on the Zoom app
Teams seems to be inconsistent. I used to use it for some purposes (not all functions were supported) in Pale Moon and Comodo Dragon, but at some point in, I think, March, I started getting pop-ups telling me that the browser wasn't supported.
Teams is pretty much rubbish from any angle, with its horrible UI that doesn't use the built-in browser controls (so, for example, you can't use the Chrome Rescroller extension to fix the dreadful too-thin, disappearing scrollbars in most of the panes), its lack of end-user configurability, its utter inability to scroll back through conversations to older posts without going haywire...
Videoconferencing from the "native" Teams app does seem to work decently for me, though.
> Baroness Jean Coussins mentioned that despite the perceived security concerns, she finds Zoom – which is used by the Foreign Office to conduct language lessons – easier to use.
And what a certain sergeant of mine would have said: you volunteered for the job, nobody asked you to come.
> Tory peer Lord Kirkhope of Harrogate also raised an issue of usability. Demonstrating a cast-iron grasp of technical terminology, he said: "I congratulate everybody concerned with this effort to set up virtual TV for us.
Teacher of mine in the 70s said the illiterate of the future would be those who didn't know how to use computers. We all had 40+ years to prepare so not sure what a valid excuse could be.
Perhaps the fact that at the moment you do not need any form of sign-in when you are a participant. Click on the link and it just works.
Zoom may have its issues but other solutions use similar technologies. The only reason Zoom is the focus of attention is because of the huge increase in use.
As far as the encryption goes, anything that needs to have a traditional phone number dial-in has to be decrypted server side, otherwise you will just send a stream of incomprehensible garbage to those users.
"And they definitely should avoid mouthing epithets at other members – a lesson learned by erstwhile Labour leader Jeremy Corbyn in 2018, when he appeared to mutter "stupid woman" at Theresa May."
Meanwhile in Wales - https://www.bbc.co.uk/news/uk-wales-politics-52385006
"The health minister has been caught swearing about a Labour colleague in a virtual Welsh Assembly session after he left his microphone on by mistake."