Simple Illustration of Zoom Encryption Failure

Zoom engineering management practices have been exposed as far below industry standards of safety and product security. They have been doing a terrible job, and it is easy now to explain how and why. Just look at their encryption.

The Citizen Lab April 3rd, 2020 report broke the news on Zoom practicing deception with weak encryption and gave this top-level finding:

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

It’s a long report with excellent details, definitely worth reading if you have the time. It even includes the famous electronic codebook (ECB) mode penguin, which illustrates why ECB is considered so broken for confidentiality that nobody should be using it.


I say famous here because anyone thinking about writing software to use AES surely knows of or has seen this image. It’s from an early 2000s education campaign meant to prevent ECB mode selection.

There’s even an ECB Penguin bot on Twitter that encrypts images with AES-128-ECB that you send it so you can quickly visualize how it fails.

A problem is simply that using ECB means identical plaintext blocks generate identical ciphertext blocks, which maintains recognizable patterns. This also means when you decipher one block you see the contents in all of the identical blocks. So it is very manifestly the wrong choice for streams of lots of data intended to be confidential.

However, while Citizen Lab included the core image to illustrate this failure, they also left out a crucial third frame on the right that can drive home what industry norms are compared to Zoom’s unfortunate decision.

The main reason this Linux penguin image became famous in encryption circles is because it shows huge weakness faster than trying to explain ECB cracking. It makes it obvious why Zoom really screwed up.

Now, just for fun, I’ll still try to explain here the old-fashioned way.

Advanced Encryption Standard (AES) is a U.S. National Institute of Standards and Technology (NIST) algorithm for encryption.

Here’s our confidential message that nobody should see:


Here’s our secret (passphrase/password) we will use to generate a key:


Conversion of password from ASCII to Hex could simply give us a 128 bit block (16 bytes of ASCII into 32 HEX characters):

77 68 79 77 6f 75 6c 64 79 6f 75 75 73 65 45 43

Yet we want to generate a SHA256 hash from our passphrase to get ourselves a “strong” key (used here just as another example of poor decision risks, since PBKDF2 is a far safer choice to generate an AES key):


We then take our plaintext “zoom” and use our key to generate the following ciphertext blocks (AES block size is always 128 bit — 32 Hex characters — even when keys used are longer such as AES-256, which uses 256 bit keys):



I’ve kept the 128 bit blocks separate above and highlighted the middle two because you can see exactly how “zoom” repetitive plaintext is reflected by two identical blocks.

It’s not as obvious as the penguin, but you still kind of see the point, right?

If we string these blocks together, as if sending over a network, to the human eye it is deceptively random-looking, like this:


And back to the key, if we run decryption on our stream, we see our confidential content padded out in blocks uniformly sized:


You also probably noticed at this point that if anyone grabs our string they can replay it. So using ECB also brings an obvious simple copy-and-paste risk.

A key takeaway, pun intended of course, is that Zoom used known weak and undesirable protection by choosing AES-128 ECB. That’s bad.

It is made worse because they told customers it was AES-256; they’re not disclosing their actual protection level and calling it something it’s not. That’s misleading customers who may run away when they hear AES-128 ECB (as they probably should).

Maybe run away is too strong, but I can tell you all the cloud providers treat AES-256 as a minimum target (I’ve spent decades eliminating weak cryptography from platforms, nobody today wants to hear AES-128). At least two “academic” attacks have been published for AES-128: “key leak and retrieval in cache” and “finding the key four times faster“.

And the NSA published a revealing doc in 2015 saying AES-256 was their minimum guidance all the way up to top secret information.

On top of all that, the keys for Zoom were being generated in China even for users in America not communicating with anyone in China.

Insert conspiracy theory here: AES-128 was deemed unsafe by NSA in 2015 and ECB has been deemed unsafe for streams by everyone since forever… and then Zoom just oops “accidentally” generates AES-128 ECB keys on Chinese servers for American meetings? Uhhhh.

It’s all a huge mess and part of a larger mismanagement pattern, pun intended of course. Weak confidentiality protections are pervasive in Zoom engineering.

Here are some more examples to round out why I consider it pervasive mismanagement.

Zoom used no authentication for their “record to cloud” feature, so customers were unwittingly posting private videos onto a publicly accessible service with no password. Zoom stored calls with a default naming scheme that users stored in insecure open Amazon S3 “buckets” that could be easily discovered.

Do you know what encrypted video that needs no password is called? Decrypted.

If someone chose to add authentication to protect their recorded video, the Zoom cloud only allowed a 10 character password (protip: NIST recommends long passwords. 10 is short) and Zoom had no brute force protections for these short passwords.

They also used no randomness in their meeting ID, kept it a short number and left it exposed permanently on the user interface.

Again all of this means that Zoom fundamentally didn’t put the basic work in to keep secrets safe; didn’t apply well-known industry-standard methods that are decades old. Or to put it another way, it doesn’t even matter that Zoom chose broken unsafe encryption routed through China and lied about it when they also basically defaulted to public access for the encrypted content!

Zoom sold you an unsafe barn AND forgot to put doors on. Any reasonable person should be very surprised to find horses inside.

It would be very nice, preferred really, if there were some way to say these engineering decisions were naive or even accidental.

However, there are now two major factors prohibiting that comfortable conclusion.

  1. The first is set in stone: Zoom CEO was the former VP of engineering at WebEx after it was acquired by Cisco and tried to publicly shame them for using his “buggy code“. He was well aware of both safe coding practices as well as the damage to reputation from bugs, since he tried to use that as a competitive weapon in direct competition with his former employer.
  2. The second is an entirely new development that validates why and how Zoom ended up where they are today: the CEO announced he will bring on board the ex-CSO of Facebook (now working at Stanford, arguably still for Facebook) to lead a group of CSO. The last thing Zoom needs (or anyone for that matter) is twelve CSO doing steak dinners and golf trips while chatting at the 30,000 foot level about being safe (basically a government lobby group). The CEO needs expert product security managers with their ear to the ground, digging through tickets and seeing detailed customer complaints, integrated deep into the engineering organization. Instead he has announced an appeal-to-authority fallacy (list of names and associations) with a very political agenda, just like when tobacco companies hired Stanford doctors to tell everyone smoking is now safe.

Here’s the garbage post that Zoom made about their future of security, which is little more than boasting about political circles, authority and accolades.

…Chief Security Officer of Facebook, where he led a team charged with understanding and mitigating information security risks for the company’s 2.5 billion users… a contributor to Harvard’s Defending Digital Democracy Project and an advisor to Stanford’s Cybersecurity Policy Program and UC Berkeley’s Center for Long-Term Cybersecurity. He is also a member of the Aspen Institute’s Cyber Security Task Force, the Bay Area CSO Council, and the Council on Foreign Relations. And, he serves on the advisory board to NATO’s Collective Cybersecurity Center of Excellence.

We are thrilled to have Alex on board. He is a fan of our platform…

None of that, not one sentence is a positive sign for customers. It’s no different, as I said above in point two, from tobacco companies laying out a PR campaign that they’ve brought on board a Stanford or Harvard doctor to be on a payroll to tell kids to smoke.

Even worse is that the CEO admits he can’t be advised on privacy or security by anyone below a C-level

…we are establishing an Advisory Board that will include a subset of CISOs who will act as advisors to me personally. This group will enable me to be a more effective and thoughtful leader…

If that doesn’t say he doesn’t know how to manage security at all, I’m not sure what does. He’s neither announcing promotion of anyone inside the organization, nor is he announcing a hire of someone to lead engineering who he will entrust with day-to-day transformation… the PR is all about him improving his own skills and reputation and armoring against critics by buying a herd to hide inside.

This is not about patching or a quick fix. It really is about organizational culture and management theory. Who would choose ECB mode for encryption, would so poorly manage the weak secrets making bad encryption worse, and after all that… be thrilled to bring on board the least successful CSO in history? Their new security advisor infamously pre-announced big projects (e.g. encryption at Yahoo in 2014) that went absolutely nowhere (never even launched a prototype) is accused of facilitating atrocities and facing government prosecution for crimes, and who demonstrably failed to protect customers from massive harms.

Zoom just hired the ECB of CSOs, so I’m just wondering how and when everyone will see that fact as clearly as with the penguin image. Perhaps it might look something like this.

Update April 12: Jitsi has posted a nice blog entry called “This is what end-to-end encryption should look like!” These guys really get it, so if you ask me for better solutions, they’re giving a great example. Superb transparency, low key modest approach. Don’t be surprised instead when Zoom rolls out some basic config change like AES-256-GCM by default and wants to throw itself a ticker-tape parade for mission accomplished. Again, the issue isn’t a single flaw or a config, it’s the culture.

Update April 13: a third-party ( security assessment of the Zoom linux client finds many serious and fundamental flaws, once again showing how terrible general Zoom engineering management practices have been, willfully violating industry standards of safety and product security.

It lacks so many base security mitigations it would not be allowed as a target in many Capture The Flag contests. Linux Zoom would be considered too easy to exploit! Perhaps Zoom using a 5 year out of date development environment helps (2015). It’s not hard to find vulnerable coding in the product either. There are plenty of secure-coding-101 flaws here.

These are really rube, 101-level, flaws that any reasonable engineering management organization would have done something about years ago. It is easy to predict how this form of negligence turns out, so ask why did Zoom believe they could get away with it?

Murder Your Darlings

Despite my best efforts to stop the practice of using such a phrase, I find people sometimes still say cloud computing is all about “cows not pets”. What they mean to say is in the harsh world of cloud you shoot the vulnerable instead of caring for them.

The truth about cows is the opposite, however. Ranchers spend a ton of money on veterinarian science and care about cattle health improving because if they can fix one they can translate that to tens or hundreds of thousands of others saved.

It’s a lot of money on the line when looking at cattle health because typically there are many cows to one owner, just like cloud but not in the way expressed.

The economics of investing to keep cows alive is very unlike pets where most people have a few at most and put them down before they’d spend $500 on care.

It’s a harsh truth but proof of it is in how little is actually known about domestic cat health.

Unlike cattle health being rigorously studied in universities around the world and funded for obvious macro economic reasons, researchers rarely if ever find a pet owner willing to pay for science studies that would improve the lives of cats… owned individually by other people.

Anyway, while the cows not pets saying drags on incorrectly in tech circles, I ran across a Cambridge lecture by Arthur Quiller-Couch in January 1914 (“On the Art of Writing”) that has a particularly famous phrase in it:

If you here require a practical rule of me, I will present you with this: Whenever you feel an impulse to perpetrate a piece of exceptionally fine writing, obey it—whole-heartedly—and delete it before sending your manuscript to press. Murder your darlings.

Suddenly a thought occurred to me… instead of trying to untangle economics about cows and pets I should instead propose people adopt this Quiller-Couch phrase to explain cloud.

Comparison of WebEx Security Versus Zoom Shady Practices

Recently I pointed out in a blog post that the Zoom CEO was the VP of Engineering at Cisco who left to start a direct competitor because, according to him, he was unhappy about the speed he could operate at.

Being secure, to be frank, is about flaw management practices such as transparency and handling much more than being devoid of flaws. How one educates users about a serious bug should be in the spotlight right now and Zoom is failing catastrophically.

Reading between the lines it looks a bit like the CEO didn’t like being told to do the right thing (follow safety processes) by Cisco management, and he allegedly saw it as an opportunity to exit and do a much easier thing — get rich doing what’s wrong, then apologize and hope for no accountability.

So let’s put this business management theory to a simple product security management test.

Here is a 2020 WebEx security vulnerability advisory:

I’d rate that security page and overall site as excellent and extremely useful to keeping everyone safe.

It stems from the main page, where you can easily query and sort on WebEx vulnerabilities.

Let’s now compare that level of transparency and operational excellence to the Zoom outfit, run by the celebrated billionaire CEO.

First, the page is a lot of marketing material fluff. We know already that these marketing materials are deceptive (e.g. end-to-end encryption is claimed, yet in reality it’s client server using a shared key that’s half the strength claimed and distributed in China…but I digress).

You have to scroll all the way to the bottom (it’s long) to find anything about security practices, like patches and advisories. Even then, security practices appear at first glance to be severely lacking, hosted at this oddly complicated US support URL.

Second, I will test this support page using Patrick Wardle’s announcement (“The ‘S’ in Zoom, Stands for Security: uncovering [local] security flaws in Zoom’s latest macOS client“) from March 30, 2020.

Patrick kindly has updated his own announcement page in April that “Zoom has patched both bugs in Version 4.6.9 (19273.0402)”. Was the Zoom response well done? No.

Look very closely and very carefully at the Zoom security practices page:

A huge security news story, details about the vulnerability, announcement of the patch… none of it, nothing at all can be found anywhere in this support page or the top-level security page.

How would you know to update for a security flaw or even who it affects and how bad it is when it doesn’t appear anywhere except an obscure security researcher’s personal blog page?

I’d rate that as awful, and way below industry practices (again, look above at WebEx). This company supposedly obsessed with technology being “easy and fast to use” has a terribly convoluted hidden security site with CVE tossed in like a mixed bag among some random thoughts by their support team that hasn’t been updated in half a year.

It’s April 2020 and given the news so far this year there should be far more CVE on this page (even if only placeholders, we’ve seen one for Windows and one for OSX).

That’s just to begin with, as this really should elevate to a URL and be easily sorted and searched as well as linked to product release/fix notes. I would imagine a truly sorry CEO would put up a giant box on the top level security page that says the industry standard WARNING: SECURITY FLAW.

Do it now Zoom, if you really are interested in moving fast.

Third, pop over to the release notes for the version Patrick mentions, which aren’t even linked from this page, you won’t find the word security mentioned anywhere.

This is unbelievable levels of bad management practice. Both the security page and the release page are far below acceptable. The practices are truly below baseline and should fail regulations and audits.

Please, anyone, someone explain to me why these release notes don’t use the word security anywhere, let alone don’t have a CVE with details and aren’t connected to the security advisory page.

There’s really not a need at this point for me to get into interesting and messy details of CVE, CWE, CVSS, etc when it’s obvious just how far below a safe baseline Zoom is operating.

I’ve shown enough already how Zoom practices may be a danger to society.

My take on this is the CEO has not enabled his security team (buried in US support), is not listening to his security critics (2020 vulnerabilities not listed), and does not yet take security seriously (sends out apologies to get sympathy without making necessary changes).

I may be forced to look further.

It’s like watching a dumpster burning and hard for me to take my eyes off at this point. Ok, ok let’s go just a little bit onward.

Fourth, I drop down into Security: CVE-2019-13450 shows Zoom has a severity score of 3.1 out of 10 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N):

HOLD ON TO YOUR HATS everyone because… wait for it… NIST shows this vulnerability officially filed as 6.5 out of 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), more than double what Zoom wrote on their security support pages!

Here are the calculations side-by-side, which shows how Zoom ended up publishing a false score in their useless security page (Attack Complexity High, Confidentiality Low) while everyone in the world will pull an official higher risk number from NIST’s database:

Zoom: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Look, I’ve spent a lot, and I mean a lot, of time inside the sausage factories called software development working on CVSS scores like these. There can be endless debates and fights and it isn’t always easy. I get that, trust me. I even established one of the first 70 CVE Numbering Authority (CNA) in the world for a major software vendor to pump out vulnerabilities that had been obscured.

But I will tell you right now that Zoom claiming complexity is high and confidentiality is low is completely and utterly wrong. It’s deceptive and it’s harmful. Here is the excellent NIST text explaining a CVSS score of 6.5:

…attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled…

That is a text book case of high confidentiality loss. Does it really get any higher than to be spied on from your camera? And it has a reliable service (text book case of low complexity) that remains vulnerable even after a user tries to remove it? Come on Zoom people.

From there I drop into another CVE they have listed and another, and see problems everywhere…

Their last update on vulnerabilities is from six months ago called “Security: 2019-11 Zoom Connector for Cisco, Poly, and Lifesize” which has a CVSS of 8.1 and no CVE number assigned. I get that they might not be a CNA, or have trouble getting a CVE, but it doesn’t say anything at all.

In the meantime, with no CVE and no advisories page and no links from the main security pages, who exactly is expected to know they need to patch a CVSS 8.1 from October 2019?

There are a million more examples I could give but honestly it’s just so bad I think people need to understand that a major product security and safety overhaul is overdue at Zoom.

I’m not saying anyone should use WebEx, but at least take a look at what they’re doing right to understand just how far off the mark Zoom is. I do not see anything approaching a safe product with proper management practices at Zoom.

And I don’t know if any of this yet means the CEO has to go, or that the AG and FTC should be breathing fire.

However, I can tell you as a long-time product security leader that so far everything I’m looking at from my perspective shows very broken software lifecycle; it’s substantial evidence of misleading and deceptive practices, which clearly harm customers.

Only YOU can prevent video conferencing fires.

COVID19 Security Slogans

Years ago I won the TSA competition for security slogans.

I’m not proud, especially because I didn’t enter it and nobody told me my slogan had won until an external investigator pointed out that someone borrowed it from my 2006 blog post and claimed the prize for themselves.

Anyway I’ve written a little here about the strange dearth of security slogans, a missed opportunity, during COVID-19.

Now I’m really getting curious why US officials are trying to encourage things like mask wearing, yet nobody has come up with basic jingles to promote it.

A quick search has only turned up a 1918 example from San Francisco.

Obey the laws, and wear the gauze. Protect your jaws from septic paws.

Seems applicable today. If I don’t find posters of this soon I may just start making them myself. With luck, someone at TSA will notice and then submit to their next competition as their own.

Speaking of being owned, while reading the news about security flaws in popular video conferencing my mind wandered onto the rhyme… gloom and doom for a chat room vacuum. How soon could it ruin the zoom boom?

Not quite “loose lips sink ships” but maybe if I work at it a little I could get closer with chat room vacuum ruins zoom boom. The problem is it’s too specific to one company, but hopefully you get my drift.

Speaking of drift, the US Naval History Blog in 2019 posted a very graphic warning about pandemic risks, and it starts by quoting a 1918 children’s rhyme:

I had a little bird,
And its name was Enza.
I opened the window
And in-flu-enza.

Ok, I couldn’t resist. Here’s a simple security education poster from WWII, which I’ve updated simply to reflect COVID-19:

It’s become infuriating to me every time I hear someone say they’ve seen 0 deaths so far, or who ask why worry if they don’t know someone personally affected. Education campaigns are sorely missing here.

Security professionals ought to be good at predicting likelihood and severity of harms. Prediction is what the industry is supposed to be doing in order to put controls in before it’s too late (as well as clean up afterwards, but let’s not go there). So let’s have some slogans going and get word out maybe?

A simple viz shows why the 0-deaths-so-far-crowd need quickly to get a clue, but it doesn’t make for a pithy phrase or poster.

Let me know if you can think of any good way to condense that graphic into a rhyme…

Safer Alternatives to Zoom

Zoom has become known for being in a hurry to grow revenues, not for being safe or honest about its safety features. Have their customers been treated like dummies?

It’s pretty clear from a series of rapid and unfortunate missteps by Zoom that there’s something fundamentally wrong with the company.

We already knew the origin story didn’t sound great.

A VP of Engineering at WebEx, after being acquired by Cisco, didn’t like working for the parent company and left to start a direct competitor to move faster. The new company was basically the Chinese engineers rejecting their American parent company, revolting and funded by one of the WebEx founders using money from the Cisco acquisition.

…he knew how to write computer code, and he landed an engineering job with the videoconferencing software company WebEx. WebEx sold to Cisco for $3.2 billion a decade later (the platform is now known as Cisco Webex). Yuan became the tech giant’s vice president of engineering, earning compensation in the “very high six-figures.” But he was unhappy. […] In Yuan’s opinion, the product didn’t evolve quickly enough, making it a chore for customers to use. (In fact, Yuan told CNBC earlier this year that Cisco was still using the same buggy code he wrote for WebEx roughly two decades ago.)

The article goes on to say that claim by Yuan about the WebEx code is false, a lie.

…senior vice president and general manager of Cisco’s team collaboration group, says the company has “redesigned Webex from the ground up” since Yuan’s tenure…

It’s very weird for Zoom’s CEO to suggest WebEx is bad code because his team of Chinese engineers wrote it. Does that make you want to use his new product founded by the same team when he’s shaming his old product? I mean it really opens the door to people (like me) pointing out this guy is willfully allowing bad code into production because that’s “his way” of doing things. He literally poached the WebEx engineering team to compete directly with WebEx, while calling the WebEx code buggy.

For the first two years of Zoom’s history, the company was just a small team – mostly engineers from WebEx [in China].

Is it time yet to use one of the safer alternatives to Zoom?

Clearly something seems off kilter in Zoom executive management ethics related to product safety. Security appears to have been treated as a non-feature and afterthought. Just look at these recent examples:

  • Zoom security flaw exposes email addresses, full names and profile photos, as well as allowing non-invited attendees to initiate a chat
  • Zoom security flaws in OSX allow (local) installer priv-esc vulnerability to root, (local) injection flaw allowing access to mic & camera
  • Zoom security flaws of weak encryption and suspicious key traffic to China
  • Zoom security flaw of disclosing Windows user passwords and local file execution
  • Zoom security flaw in meeting identification facilitated unauthorized access
  • Zoom security flaw allows any website to enable your camera without your permission
  • Zoom security flaw allowed unauthorized command execution on Windows, Mac and Linux
  • Zoom security architecture allows interception of traffic, opposite of marketing materials claiming end-to-end encryption
  • Zoom weak security default left private recordings exposed to the public
  • Zoom secretly was recording user information without authorization
  • Zoom secretly was recording device information without authorization and forwarding to Facebook
  • …and the list goes on and on.

I’ll stop to point out, perhaps for those who haven’t worked in product security, that this kind of “scientists crapping all over Zoom” list (also known as audit findings) is exactly the kind of pressure that helps an internal team fight more effectively for safety fixes earlier in the development lifecycle.

For example, an independent cryptography analysis (see also my explanation here) has found this:

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video.

How is that not just straight up deceptive practices and delivering a known unsafe product to market? The centralized management of a single key by Zoom, and decryption capability of meeting traffic by Zoom, violates both the spirit and letter of end-to-end encryption.

And if I understand the Zoom architecture correctly, any time someone uses a mobile device to dial into a video chat (which is basically all the time) Zoom is decrypting the meeting on their servers. The very thing that Zoom’s CEO said he started a new company to solve, by moving faster than he was allowed to at WebEx, is this mobile device compatibility architecture decision that undermines privacy while deceptively marketing it as safe.

And on top of weak key management, that key is routed through China even when nobody in a meeting is in China. Apparently 80% of Zoom 2019 revenues were from China, and just last September that country said Zoom traffic had to route through servers based in China or Zoom would be blocked completely.

When researchers asked why traffic from the US was routed through China, however, the CEO tried to play dumb and said it must have been a mistake.

With this kind of obviously compromised decision-making, deceiving customers about encryption (calling it end-to-end when it is not), it brings front and center the fact that Zoom has issued no transparency report (PDF) about who is in fact getting access to the data.

A lack of transparency about access to internal data, coupled with a lack of leadership integrity and pressure to force it, allowed Zoom to run far afoul of basic security principles.

New transparency from researchers is bringing external pressure that should have been applied internally all along. One can hope late is better than never, yet experience suggests all these flaws are mere symptoms.

Zoom has said they will now stop feature development to focus on privacy, which is just another symptom. Remember the CEO comment about WebEx running his buggy code? He went into this knowing right from wrong and developed code the wrong way anyway. Privacy is a feature just like usability, so to see it called something that stops feature development… is part of a wider leadership ethics problem.

It goes back to that questionable origin story. A company was founded on impatience and greed (masked as usability from highly responsive user-focused engineering), which typically doesn’t mix well with safety values.

Making “Zoom bombing” a crime may help dissuade some abusers taking advantage of the safety weaknesses inherent to Zoom. However, that doesn’t fix the problem of Zoom itself being an untrusted company.

Right now shifting to a different product may be the easiest and most secure measure relative to Zoom’s problems. Consider the many options that may be in a better position right now, including of course WebEx. Here are links to their trust team and/or privacy policies:

One of the most interesting options is Jitsi because it is open source (like Jami and BigBlueButton) and allows you to run your own server for meetings. While true end-to-end encryption is difficult to implement given the nature of video conferencing protocols and features, moving to a hosted server means you can have more confidence that any necessary decryption is done within a trusted zone.

Also a quick caveat about Zoom’s buggy code because it found its way into the hands of a lot of people. Here are some of the major brands who run it under the covers and also tend to be vulnerable to security mismanagement and exploits:

RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, Zoom CN, EarthLink Meeting Room, Video Conferencia Telmex, & Accession Meeting

Beware what’s under the covers of your video conferencing system.

Update April 6: a serious security issue was just reported in Jitsi:

TL;DR – meeting password protection can be bypassed by simply showing up in a meeting room before the host arrives

A benefit of open source over proprietary projects is how security flaws like this can be so easily raised and monitored.

That being said, this is a pretty awful bug. No software is devoid of flaws so it really comes down to how this entered the product (e.g. how symptomatic is it of wider issues), how the response goes and how it is communicated.

More details on this in terms of Zoom handling flaws, in comparison to WebEx, is in a new post.

Update April 22: Jitsi has announced an update to end-to-end encryption. Their security page already was very clear about privacy modes, risks and trade-offs. Now it’s been updated.

Thanks to the insertable stream API, that recently landed in Chrome Canary, Jitsi Meet is now able to manipulate encoded packets before sending them on the network, and as a result we have been able to launch our new efforts on end-to-end encryption. Check out the demo and our next steps here:

Great news and I appreciate it was announced on availability!

Update May 7: Zoom has blasted the news cycles with a pre-announcement a future release of some encryption that may happen someday. This is garbage. The company being acquired says:

Initially, our single top priority is helping to make Zoom even more secure. There are no specific plans…and we’ll see where that takes us.

Zoom admits it won’t have much of an impact, assuming it even happens, and it backpedals in its own announcement describing the desire for privacy as a loss.

…for hosts who seek to prioritize privacy over compatibility, we will create a new solution… for paid accounts… end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems.

In other words, people who pay for accounts so they can have things like bridges, recordings and room systems won’t benefit from the new solution that’s being designed for paid accounts alone to use.

Zoom hates privacy and uses these deceptive fluffy pre-announcements to fool people. Don’t use Zoom.

Update May 12: on a typical day I’ll be asked to connect on a half dozen video conferencing platforms. Everyone seems to prefer their own. This seems fine, although a standard that all the clients could interoperate on would be better.

Anyway, out of them all I’m seeing a trend in the most highly aware security and privacy groups to invite me to Whereby meetings.

Besides being a fantastic user experience, the very clear and simple Whereby privacy site makes it easy to see why it has become a leader.

This is excellent stuff:

Consent clearly set per individual purpose.
Whereby has a one-click button that dumps all your data in a handy json format.

Red and Green Ballots: How the CIA Poisoned Vietnam’s 1955 Presidential Elections

Today is National Vietnam War Veteran’s Day, set on March 29th because in 1973 it was the last day American combat troops were in the Republic of Vietnam. The White House in 2012 gave a Presidential Proclamation to create a national day for Vietnam War veterans.

NOW, THEREFORE, I, BARACK OBAMA, President of the United States of America, by virtue of the authority vested in me by the Constitution and the laws of the United States, do hereby proclaim March 29, 2012, as Vietnam Veterans Day.

Congress then wrote a “Vietnam War Veterans Day Act” for March 29 recognition, which in 2017 was signed into law.

The bipartisan bill was sponsored by Sen. Pat Toomey, R-Pa., and Sen. Joe Donnelly, D-Ind. The bill passed the Senate last month and the House last week.

In an odd twist the a man who signed it was gifted five deferments from service in the Vietnam War; four were academic and one was lying about his fitness.

“They were spurs,” he said. “You know, it was difficult from the long-term walking standpoint.”

He played football, tennis, squash and golf through his deferments; he even later boasted about his health as “perfection” and “bone spurs” being not an issue, yet somehow he pulled the 1-Y “disability” deferment (qualified for service only in time of war or national emergency) a year before the lottery draft system began.

The 1-Y status kept him out of the draft until 1971 when that classification was abolished generally. He was then given a 4-F “disability” (unable to meet physical, mental or moral standards) and no longer eligible; soon after his business was sued by the Nixon administration for widespread racist practices (violating the Fair Housing Act).

This is the same guy who in 2018 at the Aisne-Marine American cemetery cancelled with no warning because allegedly he didn’t want to be in the rain, instead of paying respects to the 1,000 Marines killed in the important Battle of Belleau Wood.

They died with their face to the foe and that pathetic inadequate [long-term walking spur] couldn’t even defy the weather to pay his respects to the Fallen.

Anyway, today got me thinking about presidential election tampering, and in particular reminded me of the corrupted 1955 national referendum in Vietnam that arguably is what set America on a path to war.

A man named Ngo Dinh Diem essentially was chosen by Americans in 1954 to lead the country, and his access to American aid helped position him as Prime Minister under the ruling “French Puppet” Bao Dai, who he then deposed.

Diem was no champion of representative democracy. His political philosophy was a not entirely intelligible blend of personalism (a quasi-spiritual French school of thought), Confucianism, and authoritarianism. He aspired to be a benevolent autocrat…Diem’s idea was to create a cult of himself and the nation. “A sacred respect is due to the person of the sovereign,” he claimed. “He is the mediator between the people and heaven.” […]

To secure his winnings, Diem called for a referendum to determine whether he or Bao Dai, the former Emperor, should be head of state. Diem won, supposedly with 98.2 per cent of the vote. He carried Saigon with 605,025 votes out of 450,000 registered voters. [CIA’s Major General Edward] Lansdale’s main contribution to the campaign was to suggest that the ballots for Diem be printed in red (considered a lucky color) and the ballots for Bao Dai in green (a color associated with cuckolds)… this simplified Nhu’s instructions to his poll watchers: he told them to throw out all the green ballots.

Throw out all the green ballots.

On top of that, Diem used legal threats to prevent Bao Dai from running any campaign material, while his own campaign mostly ran personal attacks and smears including false claims like Bao Dai had a “preference for gambling, women, wine, milk, and butter“.

Just to re-iterate, their 1955 anti-communist campaign platform was that red meant go, green meant stop and… a preference for milk and butter is immoral just like gambling, booze and sex.

If all that isn’t crazy-sounding enough, apparently 150,000 more votes were cast in the capital city of Saigon than the actual number of people listed on the electoral roll.

Diem declared himself President with much public fanfare as a result of an obviously fraudulent “election”, labelled anyone else claiming rights or power to be a dangerous threat to stability, and slid South Vietnam into a cruel and undeniable totalitarian state.

Thousands of Vietnamese suspected of disloyalty were arrested, tortured, and executed by beheading or disembowelment. Political opponents were imprisoned. For nine years, the Ngo family was the wobbling pivot on which we rested our hopes for a non-Communist South Vietnam.

This election was a crucial turning point as President Eisenhower the following year ordered the first American military advisers into South Vietnam to train Diem’s conventional Army, used in harsh repression of the country, while the French prepared to exit completely by 1956.

Getty Images 4/24/1955-Saigon, South Vietnam: “Troops of American backed Premier Ngo Diem and the rebel Binh Xuyen sect fought a breif street battle with machine guns. A nationalist soldier stands guard over a suspect after the fighting had died down. At least three persons were killed and eight wounded in the short clash. The fighting took place on the opposite side of the European residential district from the boulevard Gallien, meanwhile the general anarchy increased as gangs of thugs roamed the streets of Saigon kidnapping civilians and extorting ransoms.”

Repression by the new government fomented and grew resistance within South Vietnam and eventually a small faction on July 8, 1959 opened fire in an Army mess hall. The first American casualties in South Vietnam were two advisers (Maj. Dale Ruis and Master Sgt. Chester Ovnand) killed while watching a movie at Bien Hoa.

In 1960 JFK narrowly defeated Nixon (Eisenhower’s Vice President) at the polls, and all candidates said they would deliver anti-communism by supporting South Vietnam’s regime.

While Eisenhower of course had been an early proponent of information warfare, given his success in WWII’s North Africa campaigns. JFK’s strategy expanded involvement with Diem further into novel direct military counter-insurgency training, including American boots on the ground working in rural communities.

You can imagine why for Diem that represented a major difference between support from Eisenhower and JFK. The latter was literally enabling South Vietnamese people, especially minority groups, to defend themselves from an oppressor, not simply backing top-down regime tactics.

Thus, despite overall expanding commitments and years of increased aid from America, not to mention escaping multiple prior coup attempts, on 1 November 1963 Diem’s brutally repressive autocratic regime was abruptly deposed by South Vietnam’s own military and he was assassinated.

It was Diem personally losing the support of America, within JFK’s administration but not necessarily including LBJ, that often frames how the South Vietnam regime ended and when and why America threw itself deep into a Vietnam War.

The ultimate effect of United States participation in the overthrow of Ngo Dinh Diem was to commit Washington to Saigon even more deeply. Having had a hand in the coup America had more responsibility for the South Vietnamese governments that followed Diem. That these military juntas were ineffectual in prosecuting the Vietnam war then required successively greater levels of involvement from the American side. The weakness of the Saigon government thus became a factor in U.S. escalations of the Vietnam war, leading to the major ground war that the administration of Lyndon B. Johnson opened in 1965.

It had to be Vice President LBJ who opened the major war, as by that point he had become President. 21 days after Diem’s assassination, JFK himself was assassinated.

The dramatic power shift in both countries escalated American involvement in South Vietnam and brought ever more direct military intervention that eventually accounted for 58,220 U.S. military fatal casualties, over 150,000 wounded… before the March 29, 1973 final day of withdrawal.

As a footnote, the Vietnam War very nearly ended five years earlier in 1968. Nixon at that time cruelly campaigned on ending the war, while he also scuttled American peace talks to intentionally increase casualties.

Unclassified tapes have since proven his secret strategy was more Americans should die because it would help him get elected President.

Once in office he escalated the war into Laos and Cambodia, with the loss of an additional 22,000 American lives, before finally settling for a peace agreement in 1973 that was within grasp in 1968.

Election interference is definitely not new territory for the US, whether it be abroad or at home or some combination of the two. This National Vietnam War Veteran’s Day is perhaps a good time to reflect on what that means in the past as well as future.

Update March 30th: The man in the White House today openly stated that he believes suppression of votes gives him power and will continue to do so:

…admitted on Monday that making it easier to vote in America would hurt the Republican party. …made the comments as he dismissed a Democratic-led push for reforms such as vote-by-mail, same-day registration and early voting as states seek to safely run elections amid the Covid-19 pandemic. …Republicans have long understood voting barriers to be a necessary part of their political self-preservation.

Kipling on COVID-19 in America: “You Can Not Hustle the East”

The Works of Kipling
All the talk I hear in America lately about the necessity of naming a virus for Asian origins — to play racist blame games instead of saying COVID-19 or even 2020 pandemic (both obviously superior choices) — has started to remind me of the 1960s CIA “training” for Vietnam with Kipling’s book “Kim” and how they got it and another of his works completely wrong:

Americans back home became impatient for results in Vietnam, proponents of the war were always quoting—or, rather, misquoting—a little-known poem of Kipling’s (just four lines, written as a chapter heading for “The Naulahka”), saying that “you cannot hurry the East.” The phrase, Benfey writes, “wormed its way into the very highest levels of decision-making.” But what the poem actually says is that you cannot “hustle” the East, and even then, Benfey demonstrates, the word had connotations of cheating and deception. You come away from his book thinking that it might be a good idea to stop your ears whenever someone in authority starts invoking Kipling, unless it’s to quote from his “Epitaphs of the War”

If any question why we died,
Tell them, because our fathers lied.

The doctor who was principle architect of aggressive and successful South Korean response to COVID-19 put it like this, when reviewing the current US and UK approach to a pandemic:

…refusal to implement mass testing for the coronavirus in the United States will have “global repercussions” […] “The United States is very late to this,” he said. “And the president and the officials working on it seem to think they aren’t late. This has both national and global repercussions […] We in Korea were thinking, ‘Are these people in their right mind?'”

See also the new Center for Strategic and International Studies (CSIS) timeline of South Korea’s response.

White House Proposes America Try To “Sundown Town” COVID-19

Modern “Sundown Town” sign by a county’s “elected sheriff…in the position for 23 years who personally paid for the $553 sign, which includes an image of the county’s official seal.” Source: RawStory

I see reporters trying to find a normal angle when they write about a very abnormal announcement today on American risk management during a pandemic:

…a new plan to reopen swaths of the country shuttered by the coronavirus pandemic via a targeted, county-by-county mitigation effort…administration would categorize counties as “high risk, medium risk and low risk.” This would allow areas less impacted by the virus to put in place looser restrictions than ones that have been ravaged by the illness. It’s uncertain how effective such labels may be in containing the virus, however, given that asymptomatic carriers may move from region to region undetected…

Uncertain? It’s pretty clear just like using racist taunts to distract from a global pandemic this is not about containing the virus, it’s about restructuring power in America.

Looser restrictions in a county would encourage movement into it by the most contagious people (the asymptomatic). ScienceNews warns, for example. “Coronavirus is most contagious before and during the first week of symptoms“. Low risk counties would allow movement of the most high risk, which sounds plain stupid and dangerous.

So it begs an all too important question of how counties surrounded by high risk could even be expected to enforce tests of the asymptomatic at borders; how would they stay low risk while encouraging those most at risk to move about more? But wait one minute, what if that’s the wrong question entirely and there’s no intent to stop the spread of the virus?

Who gains new enforcement powers, and why, is the real key to this story.

The idea of county authority being used to stop the spread of a virus, thus bypassing the legal authority of states in favor of its counties, makes no sense until you move into a completely different frame of reference.

The White House giving a nod directly to county law enforcement for the special position to trap and keep people away who pose a “threat” to their jurisdiction…has a particular significance in politics and in American history.

America’s Black Holocaust explains how someone accustomed to exclusionary thinking might settle on counties being the preferred unit to handle boundary enforcement powers in America.

Beginning in about 1890 and continuing until 1968, white Americans established thousands of towns across the United States for whites only. Many towns drove out their black populations, then posted sundown signs. Others passed laws barring African Americans after dark or prohibiting them from owning or renting property. Still others just harassed and even killed those who violated the custom. Some sundown towns also kept out Jews, Chinese, Mexicans, Native Americans, or other groups. Sundown towns range in size from tiny villages to cities. There are also many “sundown suburbs” and neighborhoods -– and even entire counties.

Even entire counties.

How have counties handled enforcement of borders, especially when it comes to keeping non-whites out? The answer is a colonial-era concept of the Sheriff, an elected and very political position without accountability.

Don’t believe anyone who suggests Sheriffs are automatically somehow representative of their county population’s best interests, given they may be elected without any real qualifications at all. Also, when we look across America, the data says 80% are white and only 41 out of 3,000 are women.

Here’s an example of a Sheriff’s bizarre response to the pandemic:

…the government had forced the unnamed [infectious COVID-19] man to stay in his home. But this week, Nelson County Sheriff Ramon Pineiroa told the Kentucky Standard that deputies will park outside of the man’s home for 24 hours a day for two weeks.

Parking multiple deputized people outside a man’s home 24 hours a day is a taxpayer-funded protest, not a quarantine. They might as well be burning a cross on his lawn to send him a message about what happens if he leaves his home.

In case you missed the other news in the past year or so, it has been that Sheriffs in America are agitating for even more unaccountable power. They sometimes have a particularly virulent strains of extreme right-wing thinking and see themselves as militants at war with other Americans.

With his red “Make America Great” hat prominently displayed in his office here in Titusville, Ivey is part of a wave of county sheriffs who feel emboldened by [the White House occupant’s] agenda, becoming vocal foot soldiers in the nation’s testy political and culture wars.

The 2018 National Sheriffs Association event also recently brought forward some gushing commentary about how the White House and American political seats of county law enforcement are in lock-step.

“[Shaking hands with the White House occupant] was a highlight of what I have been doing all these years,” [Dickson County Sheriff] Bledsoe added. “It was a privilege and honor to be a part of that and meeting other sheriffs and having some common goals…”

A Sheriff having common goals with the current White House should concern everyone in America, if history is any guide.

Of course you might say not all Sheriffs are bad in America, and you’d be right. But think of it this way instead, Sheriffs who are the most loyal to the White House agenda would get discretionary powers while Sheriffs who don’t offer enough fealty get ranked as high risk until they are voted out.

I’ve written about problems like this here before in regard to a particular 2019 Sheriff in Iowa who arrested two men as they were working on a security project, because he didn’t like being audited and didn’t respect any higher authority than himself:

Sheriff Arrested Coalfire’s Pentest Team. Was it a Case of Posse Comitatus?

I’ve also written about it here before in regard to a particular 1960 Sheriff in Arkansas who murdered an innocent black man, fabricated a story about it with fake evidence and intimidated witnesses into silence, and faced no consequences:

1960 Police Murder of Marvin Williams. How is This Not a Movie?

And I’ve even written about it here before in regard to a particular 1917 Sheriff in Arizona engaging in militant “culture war” (ethnic cleansing):

Ethnic Cleansing in America: 1917 Bisbee Deportation

A bonus reference is that last blog post includes yet another example, the 1897 Lattimer massacre:

…Polish, Slovak, Lithuanian and German miners killed by being shot in the back by a Sheriff who decided to end legal protests by murdering everyone.

Sure there are good Sheriffs, but this is really about shifting dramatic new amounts of power to the bad ones.

There’s little positive outcome I see ahead from an America First platform of the White House when it uses a cover of pandemic concerns to propose more labeling and discriminatory power go directly to counties for their Sheriffs to enforce. Let’s be clear here that America First in 1916 meant KKK, in 1936 it meant Nazis…today it still means the same things.

America First political rally participants in their traditional garb.

These are the people who thrive on social unrest coming from high unemployment and who use fear-laced xenophobia to seize excessive powers through militant actions in what they see as their “culture war” (ethnic cleansing) to preserve white supremacy.

…a neo-Nazi movement leader based in northern Europe, said that he welcomed the pandemic as a necessary step to help create the world that his group wants to see. …it’s possible that a member of the target audience will decide to take action and commit an act of violence.

To me the announcement today has every appearance of turning America backwards 150 years towards the kind of white police state organized at the county-level that extremist right-wing violent groups like “Posse Comitatus” and “Citizens for Constitutional Freedom”, let alone America First, have very long dreamed about.

Ari Ne’eman, a scholar at Brandeis University, put it best when she said:

What this is really about at the end of the day is whether our civil rights laws still apply in a pandemic. I think that’s a pretty core question as to who we are as a country.

Anyone who knows a little Sundown Town history, or has spent time inside white supremacist groups, probably heard some very familiar and distinct sounds being whistled today.

Published 2018 by The New Press
(ISBN13: 9781620974346)

“…although many former sundown towns are now integrated, they often face ‘second-generation sundown town issues,’ such as in Ferguson, Missouri, a former sundown town that is now majority black, but with a majority-white police force.”

And now this…

The Influenza, 1890

A poem written in 1890 by Winston Churchill

Oh how shall I its deeds recount
Or measure the untold amount
Of ills that it has done?
From China’s bright celestial land
E’en to Arabia’s thirsty sand
It journeyed with the sun.

O’er miles of bleak Siberia’s plains
Where Russian exiles toil in chains
It moved with noiseless tread;
And as it slowly glided by
There followed it across the sky
The spirits of the dead.

The Ural peaks by it were scaled
And every bar and barrier failed
To turn it from its way;
Slowly and surely on it came,
Heralded by its awful fame,
Increasing day by day.

On Moscow’s fair and famous town
Where fell the first Napoleon’s crown
It made a direful swoop;
The rich, the poor, the high, the low
Alike the various symptoms know,
Alike before it droop.

Nor adverse winds, nor floods of rain
Might stay the thrice-accursed bane;
And with unsparing hand,
Impartial, cruel and severe
It travelled on allied with fear
And smote the fatherland.

Fair Alsace and forlorn Lorraine,
The cause of bitterness and pain
In many a Gaelic breast,
Receive the vile, insatiate scourge,
And from their towns with it emerge
And never stay nor rest.

And now Europa groans aloud,
And ‘neath the heavy thunder-cloud
Hushed is both song and dance;
The germs of illness wend their way
To westward each succeeding day
And enter merry France.

Fair land of Gaul, thy patriots brave
Who fear not death and scorn the grave
Cannot this foe oppose,
Whose loathsome hand and cruel sting,
Whose poisonous breath and blighted wing
Full well thy cities know.

In Calais port the illness stays,
As did the French in former days,
To threaten Freedom’s isle;
But now no Nelson could o’erthrow
This cruel, unconquerable foe,
Nor save us from its guile.

Yet Father Neptune strove right well
To moderate this plague of Hell,
And thwart it in its course;
And though it passed the streak of brine
And penetrated this thin line,
It came with broken force.

For though it ravaged far and wide
Both village, town and countryside,
Its power to kill was o’er;
And with the favouring winds of Spring
(Blest is the time of which I sing)
It left our native shore.

God shield our Empire from the might
Of war or famine, plague or blight
And all the power of Hell,
And keep it ever in the hands
Of those who fought ‘gainst other lands,
Who fought and conquered well.

And a map of “Impact of the Russian Flu on the United States, 1889-1890” by Tom Ewing

E. Thomas Ewing, Veronica Kimmerly, and Sinclair Ewing-Nelson, “’Look Out for La Grippe’: Using Digital Humanities Tools to Interpret Information Dissemination during the Russian Flu, 1889-1890.” Medical History Vol. 60, Issue 1 (January 2016), pp. 129-131. DOI 10.1017/mdh.2015.84

Bicycles Deemed Best NYC Transit During Pandemic

Proper bike lane on NYC Chrystie Street between Canal Street and 2nd Street. Image: Gothamist, NYC DOT

Nearly a decade ago I wrote about the increase in bicycle sales after disasters.

I won’t go into why people moved away from these logical options for transportation and to the illogical gasoline automobile. Kunstler does a good job of that in The Geography of Nowhere. Instead, I want to point out here that the recent tsunami devastation in Japan is showing a sudden uptick in two-wheeled commuters.

At no point in that post or since have I thought about the use of bicycles during a pandemic. I suppose my assumption was breathing would be elevated, increasing risk of infection or spreading the virus faster somehow.

I’ve also more recently written about the ridiculous state of bicycling in NYC, according to the data, ranking them near the bottom of America.

The city has a pollution-loving history with a huge “we’re busy trying to get rich/famous, leave us alone” lobby that claims doing the right thing for “others” is economically unfeasible in their list of priorities.

Color me completely surprised, therefore, when I read that NYC in pandemic disaster mode is accelerating bike lanes and recommending people cycle.

In early March, de Blasio encouraged commuters to “bike or walk” to reduce the spread of COVID-19 if they had to travel, and New Yorkers listened: According to the city’s Department of Transportation, bike traffic over its bridges has dramatically increased this month compared to the same time last year. Citi Bike also saw demand surge 67 percent in early March.

Very few cars are on the road, streets are mostly empty. Thus the risk of being hit and killed has suddenly evaporated. On top of that the air is incredibly clean now. And if that wasn’t enough, studies show cycling boosts your immune system.

Since cyclists tend to use physical distancing measures anyway when they ride, now that I think about it, the pandemic shelter in place instructions (keep 6 feet separation) are natural and easy to abide.

With all that in mind, the Big Apple is really ramping up their bike infrastructure right now.

DOT spokesperson Brian Zumhagen says the agency is looking at “using cones or movable barriers” to create temporary bike paths with space from traffic lanes, and may designate new parking for bikes on sidewalks and in pedestrian plazas. DOT is also working with Citi Bike to add more docks in parts of Manhattan.

On March 20, de Blasio announced that the city is rolling out new, temporary bike lanes on Second Avenue in Manhattan between 34th and 42nd streets and on parts of Smith Street in Brooklyn that doesn’t already have a bike lane.

“We’ll be looking for other areas all over the city that need them,” de Blasio told reporters at a Friday press conference announcing the new lanes. “Certainly want to encourage people to use bikes as much as they can at this moment…

Amazing. In just a week, due to the shift from selfish to societal impact values, NYC has flipped from dangerously car-heavy bottom-ranked streets for cycling to a Mayor encouraging bikes as much as possible.

Add pandemics to the list of disasters that lead to increased bicycle sales.

And yes, bike stores in NYC are staying open as some make the wise claim that repair shops qualify as “essential” (given that automotive repair is listed).

the poetry of information security