
Consider the following:

1. , a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on , and

2. Keybase is used by a lot of people to sign their commits and whatnot.

Therefore:

3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

@rysiek
fortunately, they can't compromise your PGP key retroactively.
If you stopped using keybase before the acquisition, and never uploaded your private key to their website (or their JS crypto was sound and you never entered your keybase password after the acquisition), you should be fine.

@wolf480pl
Wait a second? Upload private key?

People did that? Keybase expected them to? What the actual fuck?
@rysiek

@musicmatze @rysiek
It was supposedly encrypted client-side using JS crypto and a key derived from your password. And it was optional.

Back in the day, before KBFS and Keybase Chat, for each action on keybase there were 3 ways to do it:
A) directly through web interface (only if the web interface had your private key)
B) using keybase client
C) using curl and gpg (the web interface told you exactly the shell commands you need to run to accomplish the action)

Supposedly, some people chose A

@rysiek Microsoft also had a bad security track record, and turned it around.
Cisco just released a ton of advisories for ASA, FTD and FMC that are pretty bad, and they tend to hide their issues until they can't.
Apple does not disclose the security issues they fix very easily, if at all.
Zoom starts to take steps by getting people like Katie Moussouris and her company to help, and actually has responded to the security findings at least. Shows intent to get better at it.

@siliconshecky re: Microsoft - bleepingcomputer.com/news/secu

re: everything else - I find it objectionable that it's still okay for shitty startups to do shitty security while promising the world, get called out on it, pretend to apologize, and then do some more shitty security things, and *still* get credit for "trying"; meanwhile projects with sane security practices get crowded out of the market (and thus, funding).
imore.com/hacker-finds-another

@rysiek So Zoom has done nothing to address the security bugs you say? Honestly we can disagree, and it is obvious that we will never see eye to eye. I think the attitude you are showing does not translate into a more secure environment, as I read it as once shitty always shitty nothing ever changes.
As I said, believe what you want. I will respectfully disagree with your assessment.

@siliconshecky @rysiek zoom is a dumpster fire where the dumpster is also on fire while still copying user data to servers controlled by some of the very worst people on the planet. They can’t change that without a fundamental reworking of the entire corporate structure, employment structure and financing of the entire operation.

@siliconshecky and let me be very clear: for months(!) Zoom was doing way more than nothing to leave their security problems unaddressed.

Just look at the timeline and Zoom's initial response in this case:
medium.com/bugbountywriteup/zo

They were actively trying to sweep the thing under the rug. I don't care how much they do now to fix stuff. They should have ended up on the dumpster of history long ago, and stop crowding out projects that are so callous as to almost be malicious.

@rysiek A lot changes over a year.
Apple actively tries to sweep its stuff under the rug, so does Cisco.

@siliconshecky and the point here is?.. I am neither advocating Cisco nor Apple. In fact, I have no clue why Cisco and Apple even showed up in this conversation.

All the Microzon Facegoopples of this world should go the way of the Dodo for all I care. I'd just like them to take all the startup snakeoil salespeople like Zoom along for the ride. :blobcat:

@rysiek You talked about Zoom burying an issue a year ago (which they fixed in a couple of days after it was publicized). I was just showing that other companies do the same. In fact, it might have been the bug bounty program's fault and not Zoom's that things got boggled, just as a what might have been.

@siliconshecky I know other companies do the same. That's kind of the point.

This kind of behaviour is incentivized, made into a winning business model. And defending such practices *is* co-responsible for these practices flourishing.

What I am saying is we must stop doing that. "All software has bugs" is the "boys will be boys" of the tech industry.

@rysiek Had to turn off some of my security features it seems. was throwing an error. Of course all that for a bug that was over a month ago and fixed since then. ;)

@siliconshecky yeah, sorry. But it was a bug that was somewhat similar to the one from a year ago, and was caused by a similar shady approach to installation and OS privileges: meaning "exploit whatever you can to your advantage, don't follow established protocols".

They got burned by that approach a year ago, and yet they persist.

@siliconshecky I'm not entirely sure what you're trying to argue here, but intent is meaningless without results.

Microsoft has shown some results but arguably not yet sufficient improvement.

Cisco is one big overpriced garbage fire. They've shown little intent to improve and virtually no results.

Zoom is behaving just like Facebook. Lots of apology, noble intention (at least the appearance of it) but woefully inadequate results. They are not at all proactive, just reactive...

@rysiek

@siliconshecky

...anyway my take on the situation:

1. It is best to vote with your feet and make maximum effort to avoid products and services that are insufficiently secure or abuse users regardless of their intentions. Only support them once they adequately demonstrate they *presently* respect users and practice good security.

2. Any product or service, and especially those security related, should be viewed with suspicion if they are closed and cannot be completely self hosted.

@rysiek

@msh @rysiek
So Zoom has hired Luta Security to now handle its bug bounty program, brought on Alex Stamos to help build/fix its security program, has been working with other security consultants to help with the security issues, put a 90 day feature freeze on its product to solely work on security issues, has released numerous updates to fix the issues at hand, made passwords the default, new easier to access area for security settings...
Sounds like they have done nothing to me.

@siliconshecky this is very promising and good news to hear. They are going in the right direction.

But, I would say they still have critical issues that need addressing beneath all these surface level fixes they've released. I still need to be sold on their transparency and trustworthiness as well. As such I will continue to observe but Zoom will continue to be disallowed in my workplace.

@rysiek

@siliconshecky @msh oh sure. but consider, how much time and pressure it took for them to even start getting their shit together.

Now imagine the same amount of time, effort, and money is invested into something like Jitsi, BigBlueButton, or Nextcloud Talk. Where the security is mostly there, audit would be welcome, code is open, and usability issues could be ironed with such resources.

Once you do that you will perhaps understand why I refuse to cut Zoom any slack here.

@rysiek @msh I have used Jitsi, and I applaud some of these. Have you taught a non-tech person how to set them up? Just curious.
And yeah there was pressure of a ton of people auditing and fuzzing Zoom as it ballooned from 10 million to 200 million users in a few weeks time. Also issues were brought straight into the public, no responsible disclosure at all.
Yes Zoom has problems, but they are working on fixing them.
Just remember, Open source has issues also, and some take years to show.

@siliconshecky @msh set what up? A Jitsi call? Yes, I work with dozens of non-techie journalists, and they're using Jitsi calls AOK.

"FLOSS has issues", again, is true but also again: whataboutism. And I will eat my hat if it turns out Jitsi or BBB are using AES_ECB. Everybody knows not to use these. Unless you're Zoom!

The bug from a year ago I linked in another toot followed proper channels and responsible disclosure. I can understand why after that security researchers decided it's bonkers.

@rysiek @msh Also, you obviously did not see that they have started up a new bug bounty program with a reputable company.
I could not explain to my son's grandmother how to set up a jitsi setup. I'm talking the everyday person, which is where Zoom ballooned.
Listen, I get it, you love open source and that is fine. You probably do not use commercial unless you have to, that is fine. But if you do not allow for change and adjustments, you are not allowing for solutions.

@siliconshecky @msh Zoom had over a year for change and adjustments. Now it's too little too late.

And again, you are missing the point: had the same amount of money and resources been invested in projects like Jitsi or BBB, your grandmother could use them too. The difference is that it would be without a J. Random ScriptKiddie zoombombing the call.

It's not about Zoom, specifically. It's about how we seem to incentivise this kind of abusive developer behaviour.

@rysiek @msh Now we get to the core of it, and that is monetization which promotes said developer behaviour.
That said, Jitsi or BBB could have, but are not ready for a grandmother at this time. Not enough people willing to spend time working on them without getting paid? That could be, but then you run into the return on investment issue again.

@siliconshecky @msh and these will not get fixed unless the incentive structure changes *dramatically*. That requires, among other things, being way less forgiving for shitty security practices.

And yes, Jitsi is easy enough to use by your grandma. Just send her the link.

@siliconshecky the industry is pretty sick right now. Everyone externalises IT costs. It's always someone else's problem. Put it in the cloud. Use Free software but don't take any responsibility for your installations.

There has to be a change. Free software devs don't always need to be on payroll but they need support of big users who already have ample resources to do so.

Also, I'm curious about how Jitsi is "not ready". You send a link, user clicks link, they connect!...

@rysiek

@siliconshecky ... I've had to deal with both Zoom and Jitsi meetings and honestly Jitsi is easier to support. No plugins or apps, everything is standard etc. After eliminating Zoom we have had less trouble overall.

Finally, I think the repeated reference to "grandmother" is a bit insulting. My parents are in their 80s and are quite capable of learning. If mum could key COBOL code onto punch cards to run accounting batch jobs I'm sure she can figure out things as easy as Jitsi.

@rysiek

@siliconshecky look, if you care about Zoom getting better, just leak their source code.

no one has to know it was you. :awesome:

@rysiek @msh

@siliconshecky @rysiek @msh My kids (both 10 or under) can use Jitsi just fine, on our private instance. They run weekly dungeons and dragons with no tech help from me.

@rysiek I'm less worried about them performing a supply chain attack and more worried about them allowing someone else to

@ben oh totally! they are now the perfect organization to have a back-door into.

thankfully, they are known for their top-notch security!

@rysiek i'll do you one better: pretty much every single mac developer uses homebrew (which is spyware, but that's separate). homebrew gets its package database (including the hashes of the source tarballs it builds) from github. microsoft, a large us military contractor and eager participant in us hegemony/surveillance state/PRISM/etc., owns github.

homebrew autoupdates.

the US military (via microsoft via github) has optional RCE on pretty much every mac developer's workstation if they want it

@rysiek Yeah it's been interesting to see everyone list their Keybase account in their profile, and then this. Just when we thought Zoom was gonna keel over, they slice at their detractor's achilles heels

@joeterranova well, see, it almost worked, but for the "decentralized" part. Decentralized encryption nerds kept away from Keybase.

Precisely because it's centralized and this kind of shit is bound to happen.

@rysiek Well probably not all of them, given that it was Mastodon users touting it so much. Folks are often willing to give up a bit of resiliency to tomfoolery for convenience, until it bites them.

@rysiek @joeterranova keybase jumped the shark because: 1. proprietary closed server 2. Crypto wallet (don't need that bs) 3. For profit venture funded company. 4. Centralized not distributed. If someone would make a free software decentralized federated not venture funded non capitalist version of keybase that would be ideal.

@ailurocrat @joeterranova totally. but we need to find ways to support that, including financially.

@rysiek the fact that they had eight figure venture money should've warned everyone off.
