Years ago I won the TSA competition for security slogans.
I’m not proud, especially because I didn’t enter it and nobody told me my slogan had won until an external investigator pointed out that someone borrowed it from my 2006 blog post and claimed the prize for themselves.
Anyway I’ve written a little here about the strange dearth of security slogans, a missed opportunity, during COVID-19.
Obey the laws, and wear the gauze. Protect your jaws from septic paws.
Seems applicable today. If I don’t find posters of this soon I may just start making them myself. With luck, someone at TSA will notice and then submit to their next competition as their own.
Speaking of being owned, while reading the news about security flaws in popular video conferencing my mind wandered onto the rhyme… gloom and doom for a chat room vacuum. How soon could it ruin the zoom boom?
Not quite “loose lips sink ships” but maybe if I work at it a little I could get closer with chat room vacuum ruins zoom boom. The problem is it’s too specific to one company, but hopefully you get my drift.
I had a little bird,
And its name was Enza.
I opened the window
And in-flu-enza.
Ok, I couldn’t resist. Here’s a simple security education poster from WWII, which I’ve updated simply to reflect COVID-19:
It’s become infuriating to me every time I hear someone say they’ve seen 0 deaths so far, or ask why they should worry when they don’t know anyone personally affected. Education campaigns are sorely missing here.
Security professionals ought to be good at predicting likelihood and severity of harms. Prediction is what the industry is supposed to be doing in order to put controls in before it’s too late (as well as clean up afterwards, but let’s not go there). So let’s have some slogans going and get word out maybe?
A simple viz shows why the 0-deaths-so-far crowd needs to get a clue quickly, but it doesn’t make for a pithy phrase or poster.
Let me know if you can think of any good way to condense that graphic into a rhyme…
It’s pretty clear from a series of rapid and unfortunate missteps by Zoom that there’s something fundamentally wrong with the company. This is way worse than what I was warning about here in 2007.
We already knew the origin story didn’t sound great.
A VP of Engineering at WebEx, after being acquired by Cisco, didn’t like working for the parent company and left to start a direct competitor to move faster. The new company was basically the Chinese engineers rejecting their American parent company. The revolt even was funded by one of the WebEx founders who used the same money acquired from Cisco to compete with Cisco.
…he knew how to write computer code, and he landed an engineering job with the videoconferencing software company WebEx. WebEx sold to Cisco for $3.2 billion a decade later (the platform is now known as Cisco Webex). Yuan became the tech giant’s vice president of engineering, earning compensation in the “very high six-figures.” But he was unhappy. […] In Yuan’s opinion, the product didn’t evolve quickly enough, making it a chore for customers to use. (In fact, Yuan told CNBC earlier this year that Cisco was still using the same buggy code he wrote for WebEx roughly two decades ago.)
The article goes on to say that claim by Yuan about the WebEx code is false, a lie.
…senior vice president and general manager of Cisco’s team collaboration group, says the company has “redesigned Webex from the ground up” since Yuan’s tenure…
It’s very weird for Zoom’s CEO to suggest WebEx is bad code because his team of Chinese engineers wrote it. Does that make you want to use his new product founded by the same team when he’s shaming his old product? I mean it really opens the door to people (like me) pointing out this guy is willfully allowing bad code into production because that’s “his way” of doing things. He literally poached the WebEx engineering team to compete directly with WebEx, while calling the WebEx code buggy.
For the first two years of Zoom’s history, the company was just a small team – mostly engineers from WebEx [in China].
Is it time yet to use one of the safer alternatives to Zoom?
Clearly something seems off-kilter in Zoom executive management ethics related to product safety. Security appears to have been treated as a non-feature and an afterthought. Just look at these recent examples:
Zoom security flaw exposes email addresses, full names and profile photos, as well as allowing non-invited attendees to initiate a chat
Zoom security flaws in OSX allow (local) installer priv-esc vulnerability to root, (local) injection flaw allowing access to mic & camera
Zoom security flaws of weak encryption and suspicious key traffic to China
Zoom security flaw of disclosing Windows user passwords and local file execution
Zoom security flaw in meeting identification facilitated unauthorized access
Zoom security flaw allows any website to enable your camera without your permission
Zoom security flaw allowed unauthorized command execution on Windows, Mac and Linux
Zoom security architecture allows interception of traffic, opposite of marketing materials claiming end-to-end encryption
I’ll stop to point out, perhaps for those who haven’t worked in product security, that this kind of “scientists crapping all over Zoom” list (also known as audit findings) is exactly the kind of pressure that helps an internal team fight more effectively for safety fixes earlier in the development lifecycle.
Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video.
How is that not just straight up deceptive practices and delivering a known unsafe product to market? The centralized management of a single key by Zoom, and decryption capability of meeting traffic by Zoom, violates both the spirit and letter of end-to-end encryption.
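To show concretely why a single AES-128 key in ECB mode is a weak choice for audio and video, here is an added illustration written for this post (not code from Zoom or from the researchers quoted above). It encrypts a constructed 64-byte “frame” of four identical blocks, standing in for silence or an unchanged region of video, first with raw ECB and then with AES-GCM under a fresh nonce, and counts the ciphertext blocks that repeat. The key, frame bytes and nonce are all made up for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample key and "media frame": four identical 16-byte blocks,
// standing in for a run of silent audio samples or unchanged pixels.
// These values are invented for the demonstration, not taken from any product.
var (
	sampleKey   = []byte("0123456789abcdef") // 16 bytes = AES-128
	sampleFrame = bytes.Repeat([]byte("SILENT-AUDIO-BLK"), 4)
)

// encryptECB applies raw AES-128 to each 16-byte block independently.
// Go's standard library deliberately ships no ECB helper; this loop is the
// mode written out, so the structural leak is visible.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptGCM is the authenticated alternative: with a nonce that is never
// reused under the same key, equal plaintext blocks give unrelated ciphertext.
// The output is ciphertext followed by a 16-byte authentication tag.
func encryptGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that exactly match an
// earlier block. Any count above zero tells an observer, without the key,
// that the corresponding plaintext blocks were identical.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	ecb, _ := encryptECB(sampleKey, sampleFrame)
	// An all-zero nonce is acceptable only because this demo encrypts once.
	gcm, _ := encryptGCM(sampleKey, make([]byte, 12), sampleFrame)
	fmt.Printf("ECB: %d repeated blocks of %d\n", repeatedBlocks(ecb), len(ecb)/aes.BlockSize)
	fmt.Printf("GCM: %d repeated blocks of %d\n", repeatedBlocks(gcm), len(gcm)/aes.BlockSize)
}
```

The ECB output repeats three of its four blocks, so a passive observer learns where the stream is static even though it cannot read it; the GCM output repeats none. Sharing that one ECB key among every participant and the vendor's servers compounds the problem, since anyone holding it can also decrypt.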
And if I understand the Zoom architecture correctly, any time someone uses a mobile device to dial into a video chat (which is basically all the time) Zoom is decrypting the meeting on their servers. The very thing that Zoom’s CEO said he started a new company to solve, by moving faster than he was allowed to at WebEx, is this mobile device compatibility architecture decision that undermines privacy while deceptively marketing it as safe.
And on top of weak key management, that key is routed through China even when nobody in a meeting is in China. Apparently 80% of Zoom 2019 revenues were from China, and just last September that country said Zoom traffic had to route through servers based in China or Zoom would be blocked completely.
When researchers asked why traffic from the US was routed through China, however, the CEO tried to play dumb and said it must have been a mistake.
With this kind of obviously compromised decision-making, deceiving customers about encryption (calling it end-to-end when it is not), it brings front and center the fact that Zoom has issued no transparency report (PDF) about who is in fact getting access to the data.
A lack of transparency about access to internal data, coupled with a lack of leadership integrity and pressure to force it, allowed Zoom to run far afoul of basic security principles.
New transparency from researchers is bringing external pressure that should have been applied internally all along. One can hope late is better than never, yet experience suggests all these flaws are mere symptoms.
Zoom has said they will now stop feature development to focus on privacy, which is just another symptom. Remember the CEO comment about WebEx running his buggy code? He went into this knowing right from wrong and developed code the wrong way anyway. Privacy is a feature just like usability, so to see it called something that stops feature development… is part of a wider leadership ethics problem.
It goes back to that questionable origin story. A company was founded on impatience and greed (masked as usability from highly responsive user-focused engineering), which typically doesn’t mix well with safety values.
Making “Zoom bombing” a crime may help dissuade some abusers from taking advantage of the safety weaknesses inherent to Zoom. However, that doesn’t fix the problem of Zoom itself being an untrusted company.
Right now shifting to a different product may be the easiest and most secure measure relative to Zoom’s problems. Consider the many options that may be in a better position right now, including of course WebEx. Here are links to their trust team and/or privacy policies:
One of the most interesting options is Jitsi because it is open source (like Jami and BigBlueButton) and allows you to run your own server for meetings. While true end-to-end encryption is difficult to implement given the nature of video conferencing protocols and features, moving to a hosted server means you can have more confidence that any necessary decryption is done within a trusted zone.
Also a quick caveat about Zoom’s buggy code because it found its way into the hands of a lot of people. Here are some of the major brands who run it under the covers and also tend to be vulnerable to security mismanagement and exploits:
RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, Zoom CN, EarthLink Meeting Room, Video Conferencia Telmex, & Accession Meeting
Beware what’s under the covers of your video conferencing system.
TL;DR – meeting password protection can be bypassed by simply showing up in a meeting room before the host arrives
A benefit of open source over proprietary projects is how security flaws like this can be so easily raised and monitored.
That being said, this is a pretty awful bug. No software is devoid of flaws so it really comes down to how this entered the product (e.g. how symptomatic is it of wider issues), how the response goes and how it is communicated.
More details on this, in terms of how Zoom handles flaws in comparison to WebEx, are in a new post.
Update April 22: Jitsi has announced an update to end-to-end encryption. Their security page already was very clear about privacy modes, risks and trade-offs. Now it’s been updated.
Thanks to the insertable stream API, that recently landed in Chrome Canary, Jitsi Meet is now able to manipulate encoded packets before sending them on the network, and as a result we have been able to launch our new efforts on end-to-end encryption. Check out the demo and our next steps here: https://jitsi.org/e2ee
Great news and I appreciate it was announced on availability!
Update May 7: Zoom has blasted the news cycles with a pre-announcement of a future release of some encryption that may happen someday. This is garbage. The company being acquired says:
Initially, our single top priority is helping to make Zoom even more secure. There are no specific plans…and we’ll see where that takes us.
Zoom admits it won’t have much of an impact, assuming it even happens, and it backpedals in its own announcement describing the desire for privacy as a loss.
…for hosts who seek to prioritize privacy over compatibility, we will create a new solution… for paid accounts… end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems.
In other words, people who pay for accounts so they can have things like bridges, recordings and room systems won’t benefit from the new solution that’s being designed for paid accounts alone to use.
Zoom hates privacy and uses these deceptive fluffy pre-announcements to fool people. Don’t use Zoom.
Update May 12: on a typical day I’ll be asked to connect on a half dozen video conferencing platforms. Everyone seems to prefer their own. This seems fine, although a standard that all the clients could interoperate on would be better.
Anyway, out of them all I’m seeing a trend in the most highly aware security and privacy groups to invite me to Whereby meetings.
Besides being a fantastic user experience, the very clear and simple Whereby privacy site makes it easy to see why it has become a leader.
Today is National Vietnam War Veterans Day, set on March 29th because in 1973 it was the last day American combat troops were in the Republic of Vietnam. The White House in 2012 gave a Presidential Proclamation to create a national day for Vietnam War veterans.
NOW, THEREFORE, I, BARACK OBAMA, President of the United States of America, by virtue of the authority vested in me by the Constitution and the laws of the United States, do hereby proclaim March 29, 2012, as Vietnam Veterans Day.
Congress then wrote a “Vietnam War Veterans Day Act” for March 29 recognition, which in 2017 was signed into law.
The bipartisan bill was sponsored by Sen. Pat Toomey, R-Pa., and Sen. Joe Donnelly, D-Ind. The bill passed the Senate last month and the House last week.
In an odd twist, the man who signed it was gifted five deferments from service in the Vietnam War; four were academic and one was lying about his fitness.
“They were spurs,” he said. “You know, it was difficult from the long-term walking standpoint.”
He played football, tennis, squash and golf through his deferments; he even later boasted about his health as “perfection” and “bone spurs” being not an issue, yet somehow he pulled the 1-Y “disability” deferment (qualified for service only in time of war or national emergency) a year before the lottery draft system began.
The 1-Y status kept him out of the draft until 1971 when that classification was abolished generally. He was then given a 4-F “disability” (unable to meet physical, mental or moral standards) and no longer eligible; soon after his business was sued by the Nixon administration for widespread racist practices (violating the Fair Housing Act).
They died with their face to the foe and that pathetic inadequate [long-term walking spur] couldn’t even defy the weather to pay his respects to the Fallen.
Anyway, today got me thinking about presidential election tampering, and in particular reminded me of the corrupted 1955 national referendum in Vietnam that arguably is what set America on a path to war.
A man named Ngo Dinh Diem essentially was chosen by Americans in 1954 to lead the country, and his access to American aid helped position him as Prime Minister under the ruling “French Puppet” Bao Dai, whom he then deposed.
Diem was no champion of representative democracy. His political philosophy was a not entirely intelligible blend of personalism (a quasi-spiritual French school of thought), Confucianism, and authoritarianism. He aspired to be a benevolent autocrat…Diem’s idea was to create a cult of himself and the nation. “A sacred respect is due to the person of the sovereign,” he claimed. “He is the mediator between the people and heaven.” […]
To secure his winnings, Diem called for a referendum to determine whether he or Bao Dai, the former Emperor, should be head of state. Diem won, supposedly with 98.2 per cent of the vote. He carried Saigon with 605,025 votes out of 450,000 registered voters. [CIA’s Major General Edward] Lansdale’s main contribution to the campaign was to suggest that the ballots for Diem be printed in red (considered a lucky color) and the ballots for Bao Dai in green (a color associated with cuckolds)… this simplified Nhu’s instructions to his poll watchers: he told them to throw out all the green ballots.
Throw out all the green ballots.
On top of that, Diem used legal threats to prevent Bao Dai from running any campaign material, while his own campaign mostly ran personal attacks and smears including false claims like Bao Dai had a “preference for gambling, women, wine, milk, and butter”.
Just to reiterate, their 1955 anti-communist campaign platform was that red meant go, green meant stop and… a preference for milk and butter is immoral just like gambling, booze and sex.
If all that isn’t crazy-sounding enough, allegedly hundreds of thousands more votes were cast in the capital city of Saigon than the actual number of people listed on the electoral roll.
In an election filled with fraud, Diem was proclaimed the winner in October with 98.2 percent of the vote, winning 605,000 votes in Saigon where there were only 405,000 registered voters. The dishonesty in the election was largely ignored by the American press.
Diem declared himself President with much public fanfare as a result of an obviously fraudulent “election”, labelled anyone else claiming rights or power to be a dangerous threat to stability, and slid South Vietnam into a cruel and undeniable totalitarian state.
Thousands of Vietnamese suspected of disloyalty were arrested, tortured, and executed by beheading or disembowelment. Political opponents were imprisoned. For nine years, the Ngo family was the wobbling pivot on which we rested our hopes for a non-Communist South Vietnam.
This election was a crucial turning point as President Eisenhower the following year ordered the first American military advisers into South Vietnam to train Diem’s conventional Army, used in harsh repression of the country, while the French prepared to exit completely by 1956.
In 1960 JFK narrowly defeated Nixon (Eisenhower’s Vice President) at the polls, and all candidates said they would deliver anti-communism by supporting South Vietnam’s regime.
You can imagine why for Diem that represented a major difference between support from Eisenhower and JFK. The latter was literally enabling South Vietnamese people, especially minority groups, to defend themselves from an oppressor, not simply backing top-down regime tactics.
Thus, despite overall expanding commitments and years of increased aid from America, not to mention escaping multiple prior coup attempts, on 1 November 1963 Diem’s brutally repressive autocratic regime was abruptly deposed by South Vietnam’s own military and he was assassinated.
It was Diem personally losing the support of America, within JFK’s administration but not necessarily including LBJ, that often frames how the South Vietnam regime ended and when and why America threw itself deep into a Vietnam War.
The ultimate effect of United States participation in the overthrow of Ngo Dinh Diem was to commit Washington to Saigon even more deeply. Having had a hand in the coup America had more responsibility for the South Vietnamese governments that followed Diem. That these military juntas were ineffectual in prosecuting the Vietnam war then required successively greater levels of involvement from the American side. The weakness of the Saigon government thus became a factor in U.S. escalations of the Vietnam war, leading to the major ground war that the administration of Lyndon B. Johnson opened in 1965.
It had to be Vice President LBJ who opened the major war, as by that point he had become President. 21 days after Diem’s assassination, JFK himself was assassinated.
The dramatic power shift in both countries escalated American involvement in South Vietnam and brought ever more direct military intervention that eventually accounted for 58,220 U.S. military fatal casualties, over 150,000 wounded… before the March 29, 1973 final day of withdrawal.
As a footnote, the Vietnam War very nearly ended five years earlier in 1968. Nixon at that time cruelly campaigned on ending the war, while he also scuttled American peace talks to intentionally increase casualties.
Unclassified tapes have since proven his secret strategy was more Americans should die because it would help him get elected President.
Once in office he escalated the war into Laos and Cambodia, with the loss of an additional 22,000 American lives, before finally settling for a peace agreement in 1973 that was within grasp in 1968.
Election interference is definitely not new territory for the US, whether it be abroad or at home or some combination of the two. This National Vietnam War Veterans Day is perhaps a good time to reflect on what that means in the past as well as the future.
Update March 30th, 2020: The man in the White House today openly stated that he believes suppression of votes gives him power and will continue to do so:
…admitted on Monday that making it easier to vote in America would hurt the Republican party. …made the comments as he dismissed a Democratic-led push for reforms such as vote-by-mail, same-day registration and early voting as states seek to safely run elections amid the Covid-19 pandemic. …Republicans have long understood voting barriers to be a necessary part of their political self-preservation.
Update July 1st, 2020: Added reference and details on voter fraud numbers in 1955 election.
All the talk I hear in America lately about the necessity of naming a virus for Asian origins — to play racist blame games instead of saying COVID-19 or even 2020 pandemic (both obviously superior choices) — has started to remind me of the 1960s CIA “training” for Vietnam with Kipling’s book “Kim” and how they got it and another of his works completely wrong:
Americans back home became impatient for results in Vietnam, proponents of the war were always quoting—or, rather, misquoting—a little-known poem of Kipling’s (just four lines, written as a chapter heading for “The Naulahka”), saying that “you cannot hurry the East.” The phrase, Benfey writes, “wormed its way into the very highest levels of decision-making.” But what the poem actually says is that you cannot “hustle” the East, and even then, Benfey demonstrates, the word had connotations of cheating and deception. You come away from his book thinking that it might be a good idea to stop your ears whenever someone in authority starts invoking Kipling, unless it’s to quote from his “Epitaphs of the War”
If any question why we died,
Tell them, because our fathers lied.
The doctor who was the principal architect of the aggressive and successful South Korean response to COVID-19 put it like this, when reviewing the current US and UK approach to a pandemic:
…refusal to implement mass testing for the coronavirus in the United States will have “global repercussions” […] “The United States is very late to this,” he said. “And the president and the officials working on it seem to think they aren’t late. This has both national and global repercussions […] We in Korea were thinking, ‘Are these people in their right mind?'”