https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf

Web Browser Privacy: What Do Browsers Say When They Phone Home?

 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#march-23-flaw

 

https://www.cbsnews.com/news/corona...-isolation-social-distancing-police-patients/

"People in quarantine have a choice: either receive unexpected visits from the police, or download this app,"

 

https://www.nbcnews.com/news/us-new...-ride-past-burglarized-home-made-him-n1151761

I didn't have a problem with the warrant for Apple to unlock the phone in the San Bernadino case and I never understood some of the claims being made. Assuming that Apple had the physical capacity to unlock the phone (which raises some of it's own concerns), the warrant was for a specific device that belonged to the specific suspect. Apple made a big deal about being required to give the ability to unlock any (suitably similar) phone the government. That's something I would certainly oppose. But I would not oppose Apple being required to use its capabilities to unlock THAT phone and provide THAT unlocked phone (or its equivalent virtual image) to the government pursuant to the warrant.

I do have a problem with geofence warrants. They involve conducting searches on lots of people for whom you have no reason to suspect them of any involvement whatsoever in order to identify a suspect. I liken it to getting a warrant to search every home in the vicinity of a crime looking for anything -- pictures, receipts, parking receipts, etc. -- that might help identify people that were in the vicinity at the time of the crime.

Could tactics like that possibly identify the culprit in some heinous crime? Quite possible. So, according to the reasoning that the proponents of geofence warrants tout, these kinds of vicinity warrants should be allowed, too.

Linked in the article and far more troubling:

https://www.phoenixnewtimes.com/new...vondale-wrongful-arrest-molina-gaeta-11426374

I sure hope he wins that suit.

 

https://www.cbsnews.com/news/corona...-isolation-social-distancing-police-patients/

How long before someone writes another app to let someone take a whole slew of selfies and then monitor the tracking app for a request, modify the meta data in one of the selfies, and upload it at a random time within the twenty minute window.

Other apps that are being deployed simply send your GPS data to the server periodically to "ensure" that you are staying put. So I download the app to my phone and then leave my phone on my nightstand while I go wherever I want.

These apps are all aimed at forcing people that don't want to do something to do it, which means that those users have motivation to find ways around the app.

One app that I think does make sense and that I think I'm okay with is the app that logs your close device-to-device interactions with other people and stores the data on your device for a period of time. Then if you test positive they can (with your permission) pull the log and use it to identify and reach out to some of those people.

 

I sure hope he wins that suit.

Read the article. Poor fella. I hope he wins it too.

 

https://citizenlab.ca/2020/04/move-...look-at-the-confidentiality-of-zoom-meetings/

This report examines the encryption that protects meetings in the popular Zoom teleconference app. We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China.

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:

• Governments worried about espionage
• Businesses concerned about cybercrime and industrial espionage
• Healthcare providers handling sensitive patient information
• Activists, lawyers, and journalists working on sensitive topics

 

https://citizenlab.ca/2020/04/move-...look-at-the-confidentiality-of-zoom-meetings/

It never ceases to amaze me how pervasive the roll-your-own-crypto is out there -- and it is almost always bad crypto as a result. It's not like good crypto is expensive or hard to get.

 

It never ceases to amaze me how pervasive the roll-your-own-crypto is out there -- and it is almost always bad crypto as a result. It's not like good crypto is expensive or hard to get.

With Zoom IMO these errors are likely intentional because they are so obvious as vectors to intercept data.

 

With Zoom IMO these errors are likely intentional because they are so obvious as vectors to intercept data.

I think I'd need to see some decent evidence before coming to that conclusion -- there's is SO much bad roll-your-own crypto out there that it's more likely the case of don't ascribe to malice that which is perfectly well explained by incompetence. Which is not to say that malicious intent can't masquerade as incompetence to stay below the horizon.

 

Don't mean to be the cynic here ... but I'm under the impression that rather than having implemented bad encryption into their software, they implemented a bad backdoor ... and were discovered and exposed.

 

I think I'd need to see some decent evidence before coming to that conclusion -- there's is SO much bad roll-your-own crypto out there that it's more likely the case of don't ascribe to malice that which is perfectly well explained by incompetence. Which is not to say that malicious intent can't masquerade as incompetence to stay below the horizon.

AES-128 is not a bad choice or roll-your-own crypto. It has encryption bleed when used in Electronic Code Book mode.
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_(ECB)

https://forum.allaboutcircuits.com/...-home-made-hardware-dongle.73297/#post-514892

Lost link from the above post.
http://www.turbocrypt.com/documents/whitepapers/backup_attack.pdf

 

https://www.privateinternetaccess.c...as-a-built-in-shut-up-command-for-censorship/

China’s “New IP” proposal to replace TCP/IP has a built in “shut up command” for censorship

 

https://www.businessinsider.com/taiwan-bans-government-officials-zoom-2020-4?r=US&IR=T

Taiwan's government bans official use of Zoom, days after the firm admitted to 'mistakenly' routing some calls through China

https://www.businessinsider.com/elon-musk-bans-zoom-security-concerns-2020-4?r=US&IR=T

Elon Musk's SpaceX bans Zoom over security and privacy concerns

 

There has been quite a bit of kickback over Zoom security and it has been also banned by several education systems.

 

I'm sure Zoom will have those security flaws fixed pretty soon, and then they'll make a grand announcement about it and try to encourage people to use it again. But now most corporations have lost their trust in it and are using different platforms instead. I doubt that trust will ever be gained back.

It's a shame when a company loses a unique opportunity to expand a dominate the market due to incompetent unpreparedness.

 

I'm sure Zoom will have those security flaws fixed pretty soon, and then they'll make a grand announcement about it and try to encourage people to use it again. But now most corporations have lost their trust in it and are using different platforms instead. I doubt that trust will ever be gained back.

It's a shame when a company loses a unique opportunity to expand a dominate the market due to incompetent unpreparedness.

Maybe it's true about incompetence vs malfeasance in this case. The chain of flaws is so obvious and complete that only the superior method of stupidity could account for it.

 

I'm sure Zoom will have those security flaws fixed pretty soon, and then they'll make a grand announcement about it and try to encourage people to use it again. But now most corporations have lost their trust in it and are using different platforms instead. I doubt that trust will ever be gained back.

It's a shame when a company loses a unique opportunity to expand a dominate the market due to incompetent unpreparedness.

I hope they go down in flames. It's not even anything against Zoom, per se. But rolling your own crypto package is such a well known bad thing that is so routinely ignored, perhaps it will take a company going down in flames because of doing so for others to finally start getting the hint.

If they DID do it intentionally, then perhaps going down in flames over it will teach a different, but equally valuable, lesson.

 

Zoom security has been also banned by several education systems.

Around here the schools all jumped on Zoom. Teachers are generally smart but maybe not on computer security. I guess that CEO guy was so busy watching the money that, well you know.

On a related note my wife got herself hired by the Census and then promoted to some management position. Yesterday they had some Webex training. Took 45 minutes to get going. Not a problem since the boss admitted the whole idea was to get some hours for the workers so they don’t quit

where’s my $1200?

 

Around here the schools all jumped on Zoom. Teachers are generally smart but maybe not on computer security. I guess that CEO guy was so busy watching the money that, well you know.

It's hard to say -- in general most of these start-ups (and even more established companies) simply don't know how difficult it is to do crypto properly. They also don't know that security-through-obscurity is a bad thing. Many honestly believe that rolling their own crypto and keeping everything proprietary has to be better because, after all, if the bad guys don't know how you're doing the crypto it must be more secure. So until I see something pointing in another direction, I'm willing to grant them the benefit of the doubt. But it still falls into the category of not doing due diligence when planning your project, so I'm not going to shed any tears over their troubles, either.