Re: [DNG] Zoom? Rather not...
On Thu, 2020-08-06 at 01:00 +0200, marc...@welz.org.za wrote: > The concern about using any gratis commercial videoconferencing > service is that quite a bit of biometric information can be > collected from you - in particular your voice and your face. > Your personal files are just a bonus. > > Recall a while ago some company called clearview.ai made the > news - given a picture of a person it finds all the other > photos of that person online, and does a good job of it too. > > Any videoconferencing service is remarkably well positioned to > generate an excellent facial model of you - given that there > is a bit of motion and much data of you staring at the camera, > a high-quality 3D model of your face can be constructed easily. > Zoom is introducing optional end-to-end encryption which would avoid this, after protest for free accounts as well as paid accounts, though free accounts would also need to verify themselves by providing a contactable phone number. The reason they say it can't be automatic is that it wont be available for dial-in phones, SIP/H.323 devices, web browsers, Zoom webinars, and Zoom chat. This seems more of a potential interception threat to some commercial uses (since some conference room facilities currently use dial-in for sound) if you can't then access end-to-end encryption. You also have to decide to enable it on a per session basis. Has anyone checked what their current TOC/EULA says about use of the images/sounds they can intercept on their servers? -- Marjorie ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
marc wrote: >> For me security refers primarily to file access. This takes me back to >> my question. If I craete a new user, named zoom for example, and have >> it run zoom, won't that limit access files on my HD? > > Yes, under two conditions: > > - your other users (holding confidential data) have more restrictive > permissions on their directories (chmod 700 ~) > > - the application won't try a local privilege escalation exploit > (kernel or CPU bug, or even back door). > An additional layer of security would be for users to have encrypted home folders. Somehow I managed that on my ascii machine, but I'm not seeing the --encrypt-home option in adduser now. With encrypted home, as long as the user is not logged in, other users (even root) will not have access to useful data. Or, instead of encrypting home, you could only encrypt sensitive data, and make sure it's not currently unencrypted while using the new user and zoom. As a side note, this is one thing that drove me away from systemd. On the previous distro I used, I noticed that I could log on userA (with encrypted home), then log off userA, and userA's home folder remained mounted unencrypted until reboot. This was one of the first things I tested for functionality in Devuan -- and it does what I expected it to do: when logging off, the unencrypted home is unmounted. Not that I have anything to hide. Seriously, if someone were to confiscate or clone my hardware and manage to break the encryption, they would be very puzzled why I bothered to do so. :-) ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
> I'm a product of the Great > Depresssion, and so security for me fixates on political snooping. I'm > less concerned about being ripped off than looming fascism. I'm not > suggsting your concern is not important, jut that it is not the same > as my own. My concerns relate to both of those. People being easily identified and tracked in real life is something that strengthens authoritarian regimes (whether fascist or communist) as well coercive corporate interests. > For me security refers primarily to file access. This takes me back to > my question. If I craete a new user, named zoom for example, and have > it run zoom, won't that limit access files on my HD? Yes, under two conditions: - your other users (holding confidential data) have more restrictive permissions on their directories (chmod 700 ~) - the application won't try a local privilege escalation exploit (kernel or CPU bug, or even back door). regards marc ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
Quoting ael (adrian.lawre...@physics.oxon.org): > One hopes so. But I had to install the zoom deb package via root. > Since it is closed source, who knows what the package might do? I hope you know that 'ar vx $THING.deb' unpacks $THING.deb in place, without installing it. Doing that gives you text file debian-binary with a brief package metadata statement, control.tar.gz containing md5sums and a control directory for building the package, and (last but not least) data.tar.xz, the tree of files that would be installed on your system. Or, if you just want the contents of the deb-enclosed data.tar.xz tree unpacked into the current directory with less fiddling: $ dpkg-deb -xv $THING.deb You might want to grab and sample .deb, put it in /tmp, and experiment, to see what I'm talking about. Anyway, root privilege is _not_ needed for such things. -- Cheers, Lost my car phone. Rick Moen-- Matt Watson (@biorhythmist) r...@linuxmafia.com McQ! (4x80) ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
> On 6 Aug 2020, at 20:52, Haines Brown wrote: > > For me security refers primarily to file access. This takes me back to > my question. If I craete a new user, named zoom for example, and have > it run zoom, won't that limit access files on my HD? With the dpkg-deb utility you can extract all the control information and pre/post install/rm scripts from the .deb file so you can inspect what the package would do on installation/removal. — Tom ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
Hello, On 06/08/20 15:27, ael wrote: Actually zoom does offer a tarball for download, so that can be checked and so is safer than a closed deb. Well if you want you can inspect debs too, Midnight commander even provides a "virtual filesystem" implementation for it Bye! ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
On Thu, Aug 06, 2020 at 02:23:04PM +0100, ael wrote: > On Thu, Aug 06, 2020 at 06:52:06AM -0400, Haines Brown wrote: > > For me security refers primarily to file access. This takes me back to > > my question. If I craete a new user, named zoom for example, and have > > it run zoom, won't that limit access files on my HD? > > One hopes so. But I had to install the zoom deb package via root. > Since it is closed source, who knows what the package might do? Actually zoom does offer a tarball for download, so that can be checked and so is safer than a closed deb. ael ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
On Thu, Aug 06, 2020 at 06:52:06AM -0400, Haines Brown wrote: > For me security refers primarily to file access. This takes me back to > my question. If I craete a new user, named zoom for example, and have > it run zoom, won't that limit access files on my HD? One hopes so. But I had to install the zoom deb package via root. Since it is closed source, who knows what the package might do? It is probably safe since zoom would have a lot to lose if there was anything dubious in there, and many experts had tried to check. Maybe running zoom on a live image would be safer, but even there root has access to permanent storage. ael ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
Marc, your insights much appreciated. Interesting, though, is a certain generation gap. Security these days seems to refer to personal information that evil doers can exploit to deprive you of your poions. I'm a product of the Great Depresssion, and so security for me fixates on political snooping. I'm less concerned about being ripped off than looming fascism. I'm not suggsting your concern is not important, jut that it is not the same as my own. For me security refers primarily to file access. This takes me back to my question. If I craete a new user, named zoom for example, and have it run zoom, won't that limit access files on my HD? -- Haines Brown ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
On 2020-08-05 18:00, marc...@welz.org.za wrote: I understand the security advantages of using zoom on a laptop not much used for anything else. I suppose the sercurity conern is files being accessible to intruders. Someone made the interesting suggestion of settin up a new account just for zoom. The concern about using any gratis commercial videoconferencing service is that quite a bit of biometric information can be collected from you - in particular your voice and your face. Your personal files are just a bonus. Recall a while ago some company called clearview.ai made the news - given a picture of a person it finds all the other photos of that person online, and does a good job of it too. Any videoconferencing service is remarkably well positioned to generate an excellent facial model of you - given that there is a bit of motion and much data of you staring at the camera, a high-quality 3D model of your face can be constructed easily. This biometric information can be abused in so many ways, most of which are still to be invented. But recall the cambridge analytica scandal. It was supposed to have used rubbish online personality quizzes to generate custom ads to fix elections and referenda - with some success. Reportedly it is the reason brexit actually happened ... Now instead of having to rely on "do you like cats or dogs", the propaganda developers get to actually check out your microexpressions and changes in voice pitch... while A/B testing their evil on you. Anyway, if you value your free will then not using closed source video conferencing systems is a must. Similarly if you value your ability enter a store without hostile marketing logic giving you digital patdown... Remember the occasional news article showing off the big chinese control centres monitoring the cameras in some far away city, with a neat little onscreen name following every person walking down the street ? Odds are quite good that your video conferencing use will make it possible to add your name to that list. Some people are going to say "not possible, the call is end-to-end encrypted". Actually no. Illustrative example: The intercept reported that zoom claimed end-to-end encryption, but instead had one shared key, and used ECB (a really poor way of using a cypher). That is why it works so well, as a single lost packet doesn't garble the rest of the stream. More importantly, unlike Balsamic Vinegar or Zero Percent Fat, there is little enforcement of what these terms mean, and governments are keen to weaken encryption further. So if you ever hear "end-to-end video encryption" it is wise to assume "encrypted from your end to their data centre end". It is fashionable to use zoom as an example, given their strong connections to mainland china, but odds are excellent that this is happening on services too, where it is probably done better and more discretely. It is probably also the reason why tiktok is in the news regards marc Here's another reason tiktok is in the news https://news.antiwar.com/2020/08/02/tiktok-ban-for-national-security-or-us-tech-companies/ golinux ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Zoom? Rather not...
> I understand the security advantages of using zoom on a laptop not > much used for anything else. I suppose the sercurity conern is files > being accessible to intruders. Someone made the interesting suggestion > of settin up a new account just for zoom. The concern about using any gratis commercial videoconferencing service is that quite a bit of biometric information can be collected from you - in particular your voice and your face. Your personal files are just a bonus. Recall a while ago some company called clearview.ai made the news - given a picture of a person it finds all the other photos of that person online, and does a good job of it too. Any videoconferencing service is remarkably well positioned to generate an excellent facial model of you - given that there is a bit of motion and much data of you staring at the camera, a high-quality 3D model of your face can be constructed easily. This biometric information can be abused in so many ways, most of which are still to be invented. But recall the cambridge analytica scandal. It was supposed to have used rubbish online personality quizzes to generate custom ads to fix elections and referenda - with some success. Reportedly it is the reason brexit actually happened ... Now instead of having to rely on "do you like cats or dogs", the propaganda developers get to actually check out your microexpressions and changes in voice pitch... while A/B testing their evil on you. Anyway, if you value your free will then not using closed source video conferencing systems is a must. Similarly if you value your ability enter a store without hostile marketing logic giving you digital patdown... Remember the occasional news article showing off the big chinese control centres monitoring the cameras in some far away city, with a neat little onscreen name following every person walking down the street ? Odds are quite good that your video conferencing use will make it possible to add your name to that list. Some people are going to say "not possible, the call is end-to-end encrypted". Actually no. Illustrative example: The intercept reported that zoom claimed end-to-end encryption, but instead had one shared key, and used ECB (a really poor way of using a cypher). That is why it works so well, as a single lost packet doesn't garble the rest of the stream. More importantly, unlike Balsamic Vinegar or Zero Percent Fat, there is little enforcement of what these terms mean, and governments are keen to weaken encryption further. So if you ever hear "end-to-end video encryption" it is wise to assume "encrypted from your end to their data centre end". It is fashionable to use zoom as an example, given their strong connections to mainland china, but odds are excellent that this is happening on services too, where it is probably done better and more discretely. It is probably also the reason why tiktok is in the news regards marc ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
