add draft : Digital Cleansing - Jitsi

This commit is contained in:
Ali Mürteza Yeşil 2020-07-18 11:51:41 +06:00
parent 614b296b93
commit 965ded3974
1 changed files with 59 additions and 0 deletions


@ -0,0 +1,59 @@
title: Digital Cleansing - Jitsi
date: 2020-07-18 00:00
tags: privacy, jitsi, 100DaysToOffload
category: tech
summary: My family and relatives live different countries and make good use of video calling services regardless of who is offering the service
status: draft
comment:
hundreddaystooffload: 5
My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the __Communication__ problem.
We have 3 kinds of communication needs in the family:
1. Text messages
2. Voice Calls
3. (Mostly group) Video Calls
---
### Text Messaging & Voice Calls
I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️
---
### Group Video Calls
We still need a trustable video calling service provider though. Current choice of my family is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.
Zoom was [launched in September 2012](https://en.wikipedia.org/wiki/Zoom_(software)#History "History of Zoom on Wikipedia"), reached [1 Million user base in January 2013](https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm "Zoom Video Communications Reaches 1 Million Participants - TMCnet") and rapidly grow during global quarantine to a point that Zoom got [2.13 Million downloads on March 23 2020](https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak "Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]").
Given that Zoom reached 1 Million userbase within 5 months (from September 2012 to January 2013) and they were a subscription based service that cost 9.99$/month, it was a profitable business. I expect such company to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived.
__Windows__ : [Attackers can use Zoom to steal users Windows credentials with no warning - ars technica](https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/)
__MacOS__ : [Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post](https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/). This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.
__MacOS__ : [Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! - InfoSec Write-ups](https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5) allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.
__MacOS__ : [Zoom App installation uses the same method used by malwares to gain root priviledges](https://nitter.net/c1truz_/status/1244737672930824193)
__iOS__ : [Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice](https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account)
__Android__ :
> "Zoom has just had so many missteps."
> - Patrick Wardle, Jamf
You can read about Zoom's vulnerabilities on MacOS and iOS in detail in [this blog post of Objective-See](https://objective-see.com/blog/blog_0x56.html "The 'S' in Zoom, Stands for Security - Objective-See").
These issues were __FIXED__ by Zoom. But some of them took long time as if Zoom didn't really care about the user privacy and security. Not to mention, God knows when they would start working on fixing vulnerabilities if it wasn't for public backlash.
Since those vulnerabilities are fixed it should be safe to use, right?
Unfortunately, NO. They changed their privacy policy for better but not assuring enough.
They introduced end-to-end encryption, E2EE. Is it insecure encryption?
AES-256 ECB is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use it. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.
---
When I started thus blog post, I didn'y expect it to turn into a rant about
I wanted to learn about Having 1 Million users since 2013 and not testing your softwares throughly for vulnerabilities is bad. Through Zoom, [attackers were stealing users' Windows credentials](https://web.archive.org/web/20200401220504/https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/ "Attackers can use Zoom to steal users Windows credentials with no warning - ars technica [archive]"), [Zoom MacOS client vulnerabilities](https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 "Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! - InfoSec Write-Ups on Medium") that [can force MacOS users to join Zoom meeting with camera open and even reinstall Zoom after being uninstalled](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450 - CVE), [send iOS users' data to Facebook](https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account "Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice"),
I know there wasn't much pressure on Zoom before the pandemic and they weren't well known company. Therefore independent cyber security researchers didn't test on Zoom's vulnerabilities. But Zoom should have hired cyber security folks and get their software tested much more firmly. Zoom was a company prioritizing user convenience over user privacy and data security.
--- previous attempts #1 ---
Of course our communications isn't only through voice and video calls. We have a family group on WhatsApp. And when I say family group, this includes my close relatives too. It won't be easy to convince everybody to switch to a more secure alternative such as Telegram. Especially my grandparents are having hard time whenever they need to learn something new.
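Review bot: The claim in the E2EE paragraph that "AES-256 ECB is one of the greatest encryption algorithms out there" is wrong on a security-relevant point and should be reworded: ECB is a block-cipher mode, not an algorithm, and it is the one mode practitioners warn against, because identical plaintext blocks encrypt to identical ciphertext blocks and so leak patterns in the data; a defensible phrasing would be that AES-256 itself is sound but ECB mode is a weak way to use it, which strengthens rather than undercuts the post's privacy argument. A few further things to tidy before this leaves draft status: the `__Android__ :` entry has no link or text, the line "When I started thus blog post, I didn'y expect it to turn into a rant about" and the following "I wanted to learn about Having 1 Million users since 2013 ..." paragraph are unfinished sentences (the latter ends in a trailing comma), and the CVE link uses `(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450 - CVE)`, where the title after the URL needs quotes, e.g. `"CVE-2019-13450 - CVE"`, or markdown will not render it. Minor spelling: "usign", "priviledges", "thus blog post", "didn'y".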