Feedback & Followups
- Cloudflare’s WARP VPN Enters Beta for macOS, Windows — www.macobserver.com/…
- Related: WireGuard, the new and very promising open source VPN protocol that powers WARP VPN, has reached 1.0 and has been added to the Linux kernel (as of Linux 5.6) — arstechnica.com/…
Deep Dive — To Zoom or not to Zoom?
Thanks to some great work by Glenn Fleishman at TidBITS, there’s no need for me to do a deep dive into the technical details of the many, many Zoom security and privacy stories that have broken this week. Glenn explains them all extremely clearly, and what’s more, he ends each description with instructions for what you can or must do to protect yourself — tidbits.com/…
Zoom’s business model is freemium, not FreePI (free in exchange for your personal information), so the incentives should not be pushing the company to invade your privacy. And yet we’ve seen a lot of privacy problems mixed in with the security problems. What’s going on?
My initial impression of the company was extremely negative because of the extreme arrogance it showed last summer, when it was discovered that their Mac app installed an insecure local web server that bypassed important Safari user protections in the name of ease of use, and then left that vulnerable web server behind when the app was uninstalled. So negative, in fact, that I have been actively boycotting them. But I think that first impression was not quite fair.
Fleishman chooses to use the word careless, and I think that’s much closer to the mark. I think it’s also extremely important to point out that while their response last summer was most charitably described as poor, their responses this month have been much better — they have apologised, explained, and, more importantly, patched quickly. They’ve even gone so far as to announce a 90-day feature freeze so they can focus all their attention on patching security bugs and addressing the myriad privacy concerns that have been raised.
I’m not sure it’s a defence, but the motivation for some of their most galling behaviour has been to create a more user-friendly experience. I personally think it’s utterly inappropriate to undermine your users’ security in the name of convenience, but I still think motivation matters when judging a company, and user convenience is absolutely not a malicious motivation, and that’s gotta be worth something!
Zoom is one of the most popular online meeting apps. Why? Because it works really well, even for really big groups; because it’s easy to use, both for people organising meetings and for people invited into them; and because there is a feature-rich free tier.
In these days when we’re forced to keep our physical distance, tools that allow us to remain socially close from afar are more valuable than ever!
So, should you use Zoom? That’s your call. All I suggest is that you take the time to make an informed decision. Does the value outweigh the risks, and are you prepared to take the extra steps needed to use Zoom in as secure a manner as is currently possible?
Since the value is obvious, what are the risks?
Looking at Zoom’s history, it seems clear to me that they have accrued massive technical debt. Years of sloppy programming have resulted in a code base littered with bugs, some of which have been found and patched, but many more almost certainly remain, and they could bite Zoom users badly at any moment.
We also know that, at a technical level, Zoom’s encryption is poorly designed and weak. They have promised to fix it, but that will take time, so at least for now we know it’s not a safe way to communicate private information. That’s unlikely to be a show-stopper for home users (just assume someone could be listening in, behave accordingly, and you’ll be grand), but it’s a huge problem for higher-risk users like reporters, activists, campaigners, political leaders, and corporations likely to be the targets of industrial espionage.
Finally, it also seems clear to me that Zoom’s sloppiness goes beyond their code to their decision making and their policies. They’re not thinking things through properly before implementing them, and their policies have tended to err on the side of allowing the company far more rights than it needs. Their recently updated privacy policy is a massive improvement, but that doesn’t obviate the many poor decisions that have yet to be reversed, like their automatic sharing of information between people whose email addresses happen to be on the same domain.
And always remember that there are alternatives:
- Videoconferencing Options in the Age of Pandemic — tidbits.com/… (also by Glenn Fleishman)
- 5 Zoom Alternatives to Maintain Your Privacy — www.macobserver.com/…
- Best Alternatives to Zoom in 2020 — www.imore.com/…
❗ Action Alerts
- Apple have released updates for all their OSes; they contain security fixes as well as new features:
  - Apple Releases macOS 10.15.4 Catalina, watchOS 6.2, tvOS 13.4, and iOS 13.4 for HomePod — tidbits.com/…
  - ⚠️ A bug has been found in iOS’s VPN support that this latest update does not fix: enabling a VPN does not terminate existing connections and force them to re-route through the tunnel, so data on those pre-existing connections can leak outside the VPN — nakedsecurity.sophos.com/…
  - macOS Catalina 10.15.4 Lets You Import Chrome Passwords to iCloud Keychain — www.macobserver.com/…
  - Security Update 2020-002 (Mojave and High Sierra) — tidbits.com/…
  - Safari 13.1 — tidbits.com/…
- Adobe have released an emergency out-of-band patch for a nasty vulnerability in Creative Cloud that allowed remote attackers to delete files on victims’ computers — nakedsecurity.sophos.com/…
- Mozilla has released a critical fix for Firefox that patches a zero-day vulnerability that is being actively exploited in the wild — www.us-cert.gov/…
- Keep an eye out for next Tuesday’s updates from Microsoft; they are expected to contain a patch for a zero-day that is being actively exploited in the wild — nakedsecurity.sophos.com/…
- Patch now! Critical flaw found in OpenWrt router software — nakedsecurity.sophos.com/…
- Two critical bugs have been fixed in the popular WordPress plugin Rank Math; if you run this plugin, patch ASAP! — nakedsecurity.sophos.com/…
Worthy Warnings
- A reminder that, like with every disaster and crisis, malefactors are exploiting our understandable fears about, and interest in, the COVID-19 pandemic and attempting to defraud us all:
  - Cybercriminals are preying on coronavirus fears — www.intego.com/…
  - Hijacked Twitter accounts used to advertise face masks — nakedsecurity.sophos.com/…
  - Watch out! Scummy scammers target home deliveries — nakedsecurity.sophos.com/…
  - 🇺🇸 Watch out for the new wave of COVID-19 scams, warns IRS — nakedsecurity.sophos.com/…
- Marriott International confirms data breach of up to 5.2 million guests — nakedsecurity.sophos.com/…
Notable News
- Security researchers have found yet another way Android apps are invading users’ privacy: Android apps are snooping on your installed software — nakedsecurity.sophos.com/…
- Court filings by grey-hat security company NSO Group, makers of the controversial Pegasus spyware that is ostensibly sold for use by law enforcement, allege that Facebook tried to buy Pegasus to spy on users as part of its highly problematic and now-defunct Onavo VPN — www.vice.com/…
- iPad Pro Adds Mac-Like Microphone Disconnect Feature — www.macobserver.com/…
- Evidence that Apple’s Bug Bounty program is working: Apple paid out $75,000 to a hacker who used zero-day exploit to hijack iPhone camera — www.imore.com/…
- Google’s Threat Analysis Group has released their 2019 report which includes the fact that Google sent about 40K warnings to targets of state-backed hacking groups (down 25% from 2018) — nakedsecurity.sophos.com/…
- Location Tracking and COVID-19
  - Google is now publishing coronavirus mobility reports, feeding off users’ location history — techcrunch.com/…
  - 🇪🇺 8 major European cellphone carriers have agreed to share anonymised location data with the European Commission to help them track COVID-19 spread — www.engadget.com/…
  - 🇺🇸 The US is using mobile ad data to track people’s movements during coronavirus lockdown — www.businessinsider.com/…
  - Related Analysis: Should governments track your location to fight COVID-19? — nakedsecurity.sophos.com/…
- 🇺🇸 Court: Violating a site’s terms of service isn’t criminal hacking — arstechnica.com/…
- 🇺🇸 Phone carriers must authenticate calls to fight robocalls, says FCC — nakedsecurity.sophos.com/…
Interesting Insights
Palate Cleanser
Chris Ashley of SMR Podcast on Daily Tech News Show talks about how nice we are online right now: 1999 Nice + 2020 Memes – DTNS 3753 – Daily Tech News Show
Legend
When the text describing a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |