murteza
/
blog.old
Archived
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
This repository has been archived on 2022-02-01. You can view files and clone it, but cannot push or open issues or pull requests.
blog.old/output/digital-cleansing-jitsi.html

217 lines
21 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Digital Cleansing - Jitsi</title>
<link rel="stylesheet" href="https://murtezayesil.me/theme/css/main.css" />
<link rel="stylesheet" href="https://murtezayesil.me/theme/css/tooltip.css" />
<link href="https://murtezayesil.me/feeds/atom.xml" type="application/atom+xml" rel="alternate" title="Ali Murteza Yesil Atom Feed" />
<link href="https://murtezayesil.me/feeds/rss.xml" type="application/rss+xml" rel="alternate" title="Ali Murteza Yesil RSS Feed" />
<!-- This border added via BLACK_LIVES_MATTER toggle in site settings -->
<style>
body {
border-width: 5em ;
border-color: #000000 ;
border-style: none solid solid solid ; /* top border : none, right bottom left : solid */
}
</style>
<!--[if IE]>
<script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body id="index" class="home">
<!-- This banner added via BLACK_LIVES_MATTER toggle in site settings -->
<div style="background-color: black; padding: 1em; margin-bottom: .8em">
<h1 style="text-align: center; margin-bottom: 0em"><a href="https://blacklivesmatter.com/" style="color: #fce21b; font-size: 2em">Black Lives Matter</a></h1>
</div>
<header id="banner" class="body">
<h1><a href="https://murtezayesil.me/">Ali Murteza Yesil <strong>Blog</strong></a></h1>
<nav><ul>
<li><a href="https://murtezayesil.me/pages/about.html">About</a></li>
<li><a href="https://murtezayesil.me/pages/contact.html">Contact</a></li>
</ul>
<form id="search" action"#" onsubmit="javascript:window.open('https://duckduckgo.com/?q='+document.getElementById('keywords').value+'+site:https://murtezayesil.me');">
<input id="keywords" type="text" />
</form>
</nav>
<div id="submenu">
<ul>
<li><a href="https://murtezayesil.me/category/draft.html">draft</a></li>
<li><a href="https://murtezayesil.me/category/notes.html">Notes</a></li>
<li><a href="https://murtezayesil.me/category/personal.html">Personal</a></li>
<li class="active"><a href="https://murtezayesil.me/category/tech.html">Tech</a></li>
</ul>
<div>
</header><!-- /#banner -->
<section id="content" class="body">
<article>
<header>
<h1 class="entry-title">
<a href="https://murtezayesil.me/digital-cleansing-jitsi.html" rel="bookmark"
title="Permalink to Digital Cleansing - Jitsi">Digital Cleansing - Jitsi</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Sat 18 July 2020</span>
<span>| in <a href="https://murtezayesil.me/category/tech.html">Tech</a></span>
<span>| tags: <a href="https://murtezayesil.me/tag/digitalcleansing.html">digitalcleansing</a><a href="https://murtezayesil.me/tag/privacy.html">privacy</a><a href="https://murtezayesil.me/tag/jitsi.html">jitsi</a><a href="https://murtezayesil.me/tag/100daystooffload.html">100DaysToOffload</a></span> <span>| Day <strong>5</strong> of #100DaysToOffload</span>
</footer><!-- /.post-info --> <p>My family is spread into 3 countries in 3 different continents. If we include my close relatives too, these numbers go even higher. It is important to stay in contact with your family and relatives in Turkish culture and we try to do that. Let it be weekend Zoom meetings (in 40 minute chunks :) or phone calls on WhatsApp (owned by Facebook), we heavily rely on third party services for communication. After launching NextCloud for my family to use, I what I wanted to tackle the <strong>Communication</strong> problem.</p>
<p>We have 3 kinds of communication needs in the family:<br>
1. Text messages<br>
2. Voice Calls<br>
3. (Mostly group) Video Calls</p>
<hr>
<h3>Text Messaging &amp; Voice Calls</h3>
<p>I have been usign Telegram wherever I can for few years. Its UI is very similar to that of WhatsApp which I hope will ease the transition for my relatives. Since it also has voice calling, I don't need to look for another service for that. I love hitting two birds with one stone (only in metaphor) 😄️ <br>
That being said, I won't actually talk much about WhatsApp. Facebook bought WhatsApp back in February 2014. I believe that was a great deal for Facebook and a terrible deal for users.<br>
I know I mentioned Telegram but there is one more great alternative to WhatsApp (or even Telegram). It is called <a href="https://signal.org/" title="Official page">Signal</a> and it is developed by a non-profit founded by Co-founder of WhatsApp, Brian Acton. It is one freaking secure messaging app 😎️</p>
<hr>
<h3>Group Video Calls</h3>
<p>My families' and relatives' current choice of Group Video Calling service is Zoom, just like millions of other people who needed a video calling service for remote work, distance education and calling their loved ones. But Zoom seemingly popped out of nowhere for many people. I wanted to learn more about who Zoom is and how trustable it is. I hope my findings will help you to make educated decisions.</p>
<p>Zoom was <a href="https://en.wikipedia.org/wiki/Zoom_(software)#History" title="History of Zoom on Wikipedia">launched in September 2012</a>, reached <a href="https://www.tmcnet.com/topics/articles/2013/05/23/339279-zoom-video-communications-reaches-1-million-participants.htm" title="Zoom Video Communications Reaches 1 Million Participants - TMCnet">1 Million user base in January 2013</a> and rapidly grow during global quarantine to a point that Zoom got <a href="https://web.archive.org/web/20200422125131/https://www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak" title="Zoom booms as demand for video-conferencing tech grows - The Guardian [archive]">2.13 Million downloads on March 23rd 2020</a>.</p>
<p>After some research (reading Wikipedia) I found that Zoom had many wounds that hurt many of its users. Given that Zoom reached 1 Million userbase 5 months after launching (from September 2012 to January 2013) and they were charging 9.99$/month, I expect Zoom to invest into infrastructure and app security. I am saying this because they clearly had time to fix issues in their apps before the pandemic arrived. Here are few examples to show how Zoom messed up:<br>
<strong>Windows</strong> : <a href="https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/">Attackers can use Zoom to steal users Windows credentials with no warning - ars technica</a><br>
<strong>MacOS</strong> : <a href="https://threatpost.com/zoom-zero-day-mac-webcam-hijacking/146317/">Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking - threat post</a>. This prompted Apple to use its MRT (Malware Removal Tool) to remotely delete Zoom from Mac computers.<br>
<strong>MacOS</strong> : <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">Zoom Zero Day: 4+ Million Webcams &amp; maybe an RCE? Just get them to visit your website! - InfoSec Write-ups</a> allowing Zoom to reinstall itself after being uninstalled and join a video call with camera activated without user's permission.<br>
<strong>MacOS</strong> : <a href="https://nitter.net/c1truz_/status/1244737672930824193">Zoom App installation uses the same method used by malwares to gain root priviledges - Twitter thread on Nitter</a><br>
<strong>iOS</strong> : <a href="https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Zoom iOS App Sends Data to Facebook Even if You Dont Have a Facebook Account - Vice</a><br>
<strong>Android</strong> : I didn't find any news about Zoom Android App vulnerabilities. But if they used Facebook tracker in iOS app, I don't see any reason why zoom wouldn't use the same on Android
<strong>Linux</strong> : No vulnerability was found YET. Remember that <a href="https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-08%22%2C%22dateEnd%22%3A%222020-06%22%2C%22plotKeys%22%3A%5B%7B%22platform%22%3A%22Linux%22%7D%2C%7B%22platform%22%3A%22Mac%20OS%22%7D%2C%7B%22platform%22%3A%22Chrome%20OS%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D" title="Less than 4%">Linux desktop has a small marketshare</a> and apps for it are less likely to be targeted by hackers.</p>
<blockquote>
<p>"Zoom has just had so many missteps."
- Patrick Wardle, Jamf</p>
</blockquote>
<p>You can read about Zoom's vulnerabilities on MacOS and iOS in detail in <a href="https://objective-see.com/blog/blog_0x56.html" title="The 'S' in Zoom, Stands for Security - Objective-See">this blog post of Objective-See</a>. </p>
<p>These issues were <strong>FIXED</strong> by Zoom. But Zoom took long time to responde some of the cyber security personel as if it didn't care about the user privacy and security. I only mentioned the vulnerabilities in Zoom's apps. Zoom also <a href="https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html" title="Zoom closed account of U.S.-based Chinese activist “to comply with local law” - Axios">contributed to censorship</a> by closing human rights activist Zhou Fengsuo's paid account and closing Social activist Lee Cheuk Yan's account upon China's request.</p>
<p>👉️ Since those vulnerabilities are fixed it should be safe to use Zoom, right?<br>
Unfortunately, NO. Even if apps became less vulnerable, users still are through weak privacy practices and use of third party trackers. Zoom's Privacy Policy is <a href="https://zoom.us/privacy#_Toc44414842">not assuring enough</a>.</p>
<p>👉️ They introduced end-to-end encryption, E2EE. Is it insecure encryption?<br>
AES-256 ECB algorithm used for E2EE is one of the greatest encryption algorithms out there. But it isn't enabled by default and enabling E2EE disables many features such as screensharing, which doesn't incentivise people to use E2EE. Both enterprise customers and teachers would want to use screensharing, thus not using E2EE.</p>
<p>👉️ They say Zoom encrypts every meeting by default. Are they lying?<br>
No, they are not. But they aren't telling the whole story either. When you start a Zoom meeting, your device establishes a connection to Zoom over <a href="https://en.wikipedia.org/wiki/Https#Security">HTTPS</a>. Meaning data is encrypted during transmission between you and Zoom. Data gets decrypted in Zoom and encrypted again before it goes to whoever you are meeting with. This is done because everybody in the meeting has different <a href="https://en.wikipedia.org/wiki/Session_key">session key</a> for encryption. Your meeting is apparent to Zoom, not hidden from it.</p>
<p>👉️ Zoom has faced <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" title="Learn about zero day attacks on Wikipedia">0-day attacks</a> which weren't fair.<br>
Not a question but I get your point. When a cyber security personal discovers a vulnerability, (s)he informs the vendor about the vulnerability in disguise and asks for bounty. Vendor checks if that is a legit vulnerability or a scam. Then they work together to fix the issue and vendor pays the bounty. Many companies have a <a href="https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html" title="Intel offers upto 100,000$">bug</a> <a href="https://hackerone.com/verizonmedia?type=team" title="Verizon offers upto 15,000$">bounty</a> <a href="https://www.microsoft.com/en-us/msrc/bounty" title="Microsoft offers upto 100,000$">program</a>.<br>
A cyber security personal may choose to release the vulnerability to public for it to be exploited by other people, which turns a vulnerability into zero day attack. This action incentivises vendor to fix that issue immediately since issue became well-known.<br>
Zoom had time since 2013 for testing its softwares properly. Proper testing would uncover those bugs before hackers did. Any company that is careless about security and privacy of its customers' deserves to be pinched to start acting.</p>
<p>What if I am forced to Zoom by my employer/school/family?<br>
Desktop/laptop users:<br>
1. Windows: Use virtual machine and apply one of the below Linux methods<br>
2. MacOS: Use virtual machine and apply one of the below Linux methods<br>
3. Linux: Install Linux Live image on a USB and boot into it everytime you need to Zoom. Install Zoom into that Live environment. Zoom will only be able to access what is in that Live environment. Shutting down a Live environment deletes everything that was installed in that session.<br>
4. Linux: <a href="https://ar.al/2020/06/25/how-to-use-the-zoom-malware-safely-on-linux-if-you-absolutely-have-to/" title="How to use the Zoom malware safely on Linux if you absolutely have to - Aral Balkan">Install Zoom into a firejail</a>, greatly limiting what it can reach.<br>
Mobile users:<br>
1. Android: <a href="https://www.howtogeek.com/333484/how-to-set-up-multiple-user-profiles-on-android/" title="This process maybe different for different brands">Create a restricted user</a> on your phone and install Zoom there. Not in your main user.
2. Android: If you can, use Zoom on Linux as described above.
3. iOS: Don't give it permissions if you don't need them. Don't let it run in background. Uninstall after using.
4. iOS: If you can, use Zoom on Linux as described above.</p>
<p>PS: I don't own a Mac, iPhone or Windows PC. But since Zoom on those platforms seem to be the affected most, I recommend everybody to use Zoom on Linux in a firejail if you absolutely have to.</p>
<p>I also wanted to read articles <a href="https://medium.com/@rowantrollope/beyond-the-noise-7-reasons-its-safe-to-run-zoom-9a2e639b13ec">that</a> <a href="https://blog.prialto.com/3-reasons-why-zoom-provides-the-best-video-conferencing-software">defend</a> <a href="https://www.forbes.com/sites/rebeccabellan/2020/03/24/what-you-need-to-know-about-using-zoom/#3cee9d0d3284">Zoom</a>. But they are mostly talking about Zoom's E2EE feature (that is not default), how people got creative with Virtual Background feature, Zoom's clean UI, ability to fake paying attention and its price. They either say nothing about Zooms privacy policy or even if they say something, it is not assuring in my opinion.</p>
<hr>
<h1>Jitsi</h1>
<p>Jitsi is an open source alternative to Video Calling (Conferencing) services. I will prove that Jitsi is much better than Zoom with only 1 sentence.</p>
<h1 style="text-align: center;">You can host Jitsi on your own server without relying on another entity</h1>
<p>You want more?</p>
<ol>
<li>Jitsi has Clean UI that is familiar to that of Zoom. </li>
<li>Jitsi <strong>doesn't</strong> have looping video feature which helps students or emplyees fake paying attention. </li>
<li>Jitsi is <strong title="Free Open Source Software">FOSS</strong> developed by <a href="https://8x8.com">8x8</a>. </li>
<li>
<p>Hosting Jitsi doesn't require a server with powerful CPU or GPU. Important resource is bandwidth. </p>
</li>
<li>
<p>Jitsi doesn't have virtual background but it instead has background blurring in development.</p>
</li>
</ol>
<p>👉️ Is it truely E2EE?<br>
<strong>This is what I understood from reading <a href="https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-260652107">this threat</a>. Please correct me if I am wrong</strong><br>
Short answer is No.<br>
Long answer is: Just like in Zoom's case, connection between users and Jitsi VideoBridge (server) is encrypted. Server decrypts and encrypts everybody's stream for everybody else. But by having the control of Jitsi VideoBridge (server) by hosting it on your own server, you can assure that no other company/organization is holding your plain data except the recepient you are meeting with.<br>
That being said, Jitsi can establish P2P connection in rooms where there are only 2 people. This is a feature of WebRTC that Jitsi is built upon. It still <strong>isn't</strong> true E2EE.</p>
<p>👉️ Do anyone even use it?<br>
Glad you ask. Many companies banned use of Zoom and switched to alternatives such as Microsoft Teams, Skype, Hangout Meet and Jitsi. You probably won't see Jitsi's UI very often in the wild, but many companies use Jitsi VideoBridge as their backend for video conferences. Out of all the alternatives, only Jitsi allows self-hosting of server (Jitsi VideoBridge) AFAIK.</p>
<h2>How to install Jitsi server?</h2>
<p>I followed <strong>Nerd on the Street</strong>'s <a href="https://invidio.us/watch?v=IQRwtUamHQU">Host a Jitsi Meet Server</a> installation tutorial. It took about 30 minute of my time (I am a noob) to get the server running. It takes another 10 minutes to secure it.</p>
<hr>
<p>When I started this blog post, I expected to list 2 reasons not to use WhatsApp and Zoom then start talking about why Jitsi is the answer to my family's Group Video Calling needs. To fact check what I knew about about them (Zoom in particular) I searched them on <a href="https://en.wikipedia.org/wiki/Zoom_(software)" title="Read more about Zoom on WikiPedia">Wikipedia</a>. I learned much more than I expected. I am sorry for turning this post into "Rant of Zoom". I hope you learned a thing or two too.</p>
<hr>
<h3>Other side of the coin</h3>
<p>If you think I would be better of sticking to WhatsApp or Zoom, tell me more. Even though I read many negative things about Zoom, I will try my best to keep an open mind and hear people seeing other side of the coin. I am a human and can make mistakes. If there is something important I should know to better understand what is going on, please reply to comment toot linked below.</p>
</div><!-- /.entry-content -->
<!-- #100DaysToOffload message -->
<p>Day <strong>5</strong> of <a href="https://100daystooffload.com/" title="click to read about the challenge">#100DaysToOffload</a></p>
<!-- Comments -->
<hr>
<h2>Comments</h2>
<p>Toot on <a href="https://fosstodon.org/@murtezayesil/104535970036319662">this thread</a> to comment. This blog is a static site. Comments won't appear here.</p>
</article>
</section>
<section id="extras" class="body">
<div class="blogroll">
<h2>blogroll</h2>
<ul>
<li><a href="https://kevq.uk">Kev Quirk</a></li>
<li><a href="https://mikestone.me">Mike Stone</a></li>
<li><a href="https://yarmo.eu/">Yarmo Mackenbach</a></li>
</ul>
</div><!-- /.blogroll -->
<div class="social">
<h2>social</h2>
<ul>
<li><a href="https://murtezayesil.me/feeds/atom.xml" type="application/atom+xml" rel="alternate">atom feed</a></li>
<li><a href="https://murtezayesil.me/feeds/rss.xml" type="application/rss+xml" rel="alternate">rss feed</a></li>
<li><a href="https://fosstodon.org/@murtezayesil" rel="me">Fostodon</a></li>
</ul>
</div><!-- /.social -->
</section><!-- /#extras -->
<footer id="contentinfo" class="body">
<p>Powered by <a href="http://getpelican.com/">Pelican</a>. Theme <a href="https://github.com/blueicefield/pelican-blueidea/">blueidea</a>, inspired by the default theme.</p>
</footer><!-- /#contentinfo -->
<!-- IndieWeb Profile -->
<!-- ToDo : Make IndieWeb Profile auto generating according to site preferences -->
<!-- This profile is created by following https://kevq.uk/how-to-create-an-indieweb-profile/ blog post. Thanks to Kev Quirk -->
<section style="display: none;" class="h-card">
<!-- About me -->
<span class="p-name">Ali Murteza Yesil</span>
<span class="p-note">I'm a student, privacy advocate and SysAdmin wannabe. I was born in Turkey but I live abroad.</span>
<!-- Profile picture -->
<img class="u-photo" src="https://murtezayesil.me/images/avatar_polygon_128x128.png"/>
<!-- My location -->
<!-- <span class="p-locality">City, Country or Country</span> -->
<!-- Links -->
<a class="u-url u-uid" href="https://murtezayesil.me"></a>
<!-- Mail Template <a class="u-email" rel="me" href="mailto:USERNAME@SERVICEPROVIDER"></a> -->
<a class="u-url" rel="me" href="https://fosstodon.org/@murtezayesil"></a>
<!-- Twitter Example <a class="u-url" rel="me" href="https://twitter.com/USERNAME"></a> -->
<!-- Template <a class="u-url" rel="me" href="https://URL"></a> -->
<!-- Categories -->
<span class="p-category">Blogging</span>
<span class="p-category">Open Source Software</span>
<span class="p-category">Privacy</span>
</section>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink