Right now the slept-through digitalisation of the last 30 years is coming back to bite the "deutsche Michel" (the average German). Everyone is looking for ways to keep their work going in the time of the covid19 "staythefuckhome" virus. Since I have been getting questions about Zoom for days, here is a collection of incidents involving Zoom.
Mozilla has published a report on video-conferencing services that is laid out in a very understandable way.
2020-03-20 Richie Koch, Protonmail Blog: Using Zoom? Here are the privacy issues you need to be aware of
2020-03-21 @Ouren, Twitter: Everyone working remotely – Zoom monitors the activity on your computer and collects data on the programs running and captures which window you have focus on. If you manage the calls, you can monitor what programs users on the call are running as well. It’s fucked up.
2020-03-26 Lindsay Oliver, EFF: What You Should Know About Online Tools During the COVID-19 Crisis: The host of a Zoom call has the capacity to monitor the activities of attendees while screen-sharing. This functionality is available in Zoom version 4.0 and higher. If attendees of a meeting do not have the Zoom video window in focus during a call where the host is screen-sharing, after 30 seconds the host can see indicators next to each participant’s name indicating that the Zoom window is not active.
Zoom allows administrators to see detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity. Zoom also provides a ranking system of users based on total number of meeting minutes. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges.
2020-03-26 Joseph Cox, Vice: Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account: What the company and its privacy policy don’t make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don’t have a Facebook account, according to a Motherboard analysis of the app. […] Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether.
2020-03-30 Update: Patrick Wardle, The ‘S’ in Zoom, Stands for Security: if you value either your (cyber) security or privacy, you may want to think twice about using (the macOS version of) the app.
In this blog post, we’ll start by briefly looking at recent security and privacy flaws that affected Zoom. Following this, we’ll transition into discussing several new security issues that affect the latest version of Zoom’s macOS client.
2020-03-31 The Intercept: Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing: “They’re a little bit fuzzy about what’s end-to-end encrypted,” Green said of Zoom. “I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.”
Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests. While other companies like Google, Facebook, and Microsoft publish transparency reports that describe exactly how many government requests for user data they receive from which countries and how many of those they comply with, Zoom does not publish a transparency report.
2020-04-03 Update: Citizen Lab, Move Fast & Roll Your Own Crypto: A US Company with a Chinese Heart? While Zoom is headquartered in the United States, and listed on the NASDAQ, the mainline Zoom app appears to be developed by three companies in China, which all have the name 软视软件 (“Ruanshi Software”). Two of the three companies are owned by Zoom, whereas one is owned by an entity called 美国云视频软件技术有限公司 (“American Cloud Video Software Technology Co., Ltd.”) … this arrangement could also open up Zoom to pressure from Chinese authorities. While the mainline Zoom app (zoom.us) was reportedly blocked in China in November 2019, there are several third-party Chinese companies that sell the Zoom app within China (e.g., zoom.cn, zoomvip.cn, zoomcloud.cn).
Zoom as an Intelligence Target – Zoom’s success has led it to attract conversations that are of high priority interest to multiple governments. We suspect that this makes Zoom a high priority target for signals intelligence (SIGINT) gathering and targeted intrusion operations. Most governments conduct electronic espionage operations. Their targets include other governments, businesses, and individuals. Some, including the Chinese government, are known to conduct extensive industrial espionage. In addition, a growing number of governments have sought out mobile phone hacking technology * and abused it to target the personal phones of journalists, lawyers, judges, and others who seek to hold them to account.
* Author's note: Also on 03.04.2020, court documents became known that show NSO Group (the company behind the mobile phone hacking in question) was in talks with Facebook. Facebook showed interest in buying the “Pegasus” spyware in order to monitor its own users better. If you still have a Facebook account in 2020, now at the latest would be a good time to delete it for good.
2020-04-08 Pranav Dixit, Buzzfeed: Google Told Its Workers That They Can’t Use Zoom On Their Laptops Anymore: Google has banned the popular videoconferencing software Zoom from its employees’ devices, BuzzFeed News has learned. … Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week.
2020-04-09 Tell HN: Cisco WebEx on OS X uses the same pre-installer tricks as Zoom
A report describes that Cisco's WebEx solution uses the same tricks as Zoom to disable macOS security mechanisms. No coincidence: Zoom employs in part the same developers. Zoom founder Eric Yuan was lead developer for WebEx at Cisco. Small world…: I noticed while installing WebEx today that the installer immediately terminated itself after popping up the pre-installation script. Running `strings` on the installation plugin (CWSPkgPlugin.bundle) shows why – it’s using a similar process to what Zoom does [1]
Previously discussed here: https://news.ycombinator.com/item?id=22736608
2020-04-16 Thorsten Schröder took a look at the Zoom Windows client (Heise)
2020-04-19 Fefe has written a very apt post on the whole problem: at first nobody wants to deal with these topics, and now that everyone is using the technology, the complaining begins.
2019-07-08 Jonathan Leitschuh: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business. […] Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
A detailed list of links on this problem can be found at Michael Tsai's blog: https://mjtsai.com/blog/2019/07/09/zoom-vulnerabilities/
2022-04-29 Vulnerabilities in Zoom allow privilege escalation and more
CVE-2022-22783, CVSS 8.3, high
CVE-2022-22782, CVSS 7.9, high
CVE-2022-22781, CVSS 7.5, high
https://www.heise.de/news/Videokonferenzen-Schwachstellen-in-Zoom-ermoeglichen-Rechteausweitung-und-mehr-7069420.html
2022-05-25 Attackers could eavesdrop on Zoom chats in the Zoom clients for Android, iOS, Linux, macOS and Windows
CVE-2022-22784 high
CVE-2022-22785 medium
CVE-2022-22786 high
CVE-2022-22787 medium
https://www.heise.de/news/Sicherheitsupdate-Angreifer-koennten-Zoom-Chats-belauschen-7121961.html
2022-08-12 The Zoom installer let a researcher hack his way to root access on macOS – well, these things happen 🤷
https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle
2023-08-07 Terms-of-service change: Zoom uses users' data to train “artificial intelligence”
https://netzpolitik.org/2023/agb-aenderung-zoom-nutzt-daten-von-nutzerinnen-um-kuenstliche-intelligenz-zu-trainieren/
Alternatives?
Jitsi
List of public instances
FAQ by Jan Beilicke
nextcloud talk, part of nextcloud. You can get a nextcloud account e.g. here: https://disroot.org/de/services/nextcloud (there are many other instances).
BigBlueButton
Example instance: https://demo.bigbluebutton.org/gl/
2020-04-14 CVE-2020-12112 Tweet, Fixed in 2.2.5
For all three solutions (Jitsi, nextcloud talk and BigBlueButton) it is advisable to set them up on your own infrastructure.
So if you work in a company, an educational institution or public administration, ask your IT department whether a solution on in-house infrastructure can be offered.
If you use open source software, remember to support these projects financially. A standing order with a small donation of 1€/month helps the projects more than a one-off donation. Staff have to be paid, and you contribute your share to ensuring that software under an open source licence, which anyone may use without hassle, continues to exist in the future.