On Mon, Apr 13, 2020 at 10:50:40PM -0400, Michael Richardson wrote:
> The zoom programmers and managers mistakes are beyond incompetence: it really
> looks like enemy action to me.

It's so hard to tell now who's wacky and genuinely believes what they're doing and who's doing it on purpose these days. What's your skill?

But then again, Zoom has 700 employees. They could have done a better job compromising the keys though. Letting some random team from UoT find out what they're doing seems like poor spying. Shouldn't they have had server-side APIs to request session keys and metadata, or to copy decrypted video streams? And if they wanted to hide that from most of the employees, shouldn't they have just compromised management, network admin, and devops, compromised the build system, and prevented developers from getting access to the production servers?

For reference for those who haven't seen it yet, so not mcr or Dianne because they presumably already know:
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

tl;dr:
- ECB instead of GCM or comparable
- Wait, you didn't just use TLS…
- Calling single-hop roll-your-own crypto "end to end security"; PGP takes great offense
- Sending keys back to China because they went out of their way
- Custom instead of plain old SRTP… I could do better than you with the ffmpeg CLI…
- Why didn't you just use WebRTC…
- Passwords by default instead of identity-based authentication and prompting the organizer to let people in

--
Manage your subscription: https://lists.linux-ottawa.org/sigs-l3go/listinfo.html
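An added illustration of the first tl;dr item, written for this page and not part of the post or of Zoom's code: using only Go's standard library, four identical 16-byte plaintext blocks encrypted under AES-ECB come out as four identical ciphertext blocks, while AES-GCM with a fresh random nonce hides the repetition and rejects a message with a single flipped byte. The key and the repeated "frame header" plaintext are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// ecbEncrypt encrypts each 16-byte block independently (AES-ECB). pt should be a
// multiple of aes.BlockSize (a trailing partial block is left as zero bytes).
// Identical plaintext blocks, such as static frame headers or flat colour
// regions, come out as identical ciphertext blocks, which is the pattern leak.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// gcmSeal is AES-GCM with a fresh random nonce; output is nonce || ciphertext || tag.
// A nonce must never repeat under one key, so it is drawn from crypto/rand per call.
func gcmSeal(b cipher.Block, pt []byte) ([]byte, error) {
	g, err := cipher.NewGCM(b)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen checks the tag before releasing any plaintext; one flipped byte fails.
func gcmOpen(b cipher.Block, sealed []byte) ([]byte, error) {
	g, err := cipher.NewGCM(b)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed message shorter than the nonce")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
```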