[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Free software / quarantine success stories
|
From: |
Greg Farough |
|
Subject: |
Re: Free software / quarantine success stories |
|
Date: |
Fri, 17 Apr 2020 14:37:02 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) |
Hi, all,
A mailing list member who would like to remain anonymous requested
that we share this message:
---
My experience with this so far is that technology alone does not appear
to be the answer; there are human elements and network effects that are
hard to break. Of course, if anybody has any suggestions to this effect,
then I'll be happy to listen.
I have recently set up a Jitsi meet instance on my VPS and proposed the
idea of using Jitsi at work. I work at a Sillicon Valley company the
name of which is irrelevant, but just wanted to mention that to give you
some context here. My proposal was simple:
1. I presented the relevant facts: 1. Zoom is not only not end-to-end
encrypted, but the company behind it has lied about this. Shared the
relevant publication from The Intercept. 2. As CitizenLab later showed,
video is encrypted using 128-bit AES keys in ECB mode (yuck), and the
key first travels through a server in China before it is sent to the
parties involved in the call (kill me right there).
2. I proposed the alternative: Jitsi, while also not end-to-end
encrypted, allows you to run servers on-premise, so you don't have to
trust anyone other than your own ability to set it up correctly (we have
IT and security teams, so it shouldn't be hard). While Zoom also allows
this (provided you pay top dollar), the software is closed source, so
you can't fundamentally trust it; Jitsi, on the other hand, is
free/libre software, so you don't have to trust anyone. And I mean, it's
also cheaper.
3. Corollary: are you willing to expose trade secrets over a proprietary
network you can't trust? And it's not just Zoom whom you are trusting,
you are also trusting that none of the state-sponsored hackers and other
denizens of similar nature have not already broken into the network.
The response I got was as underwhelming as it was unsurprising:
1. Individuals would understandably prefer to use the "company-approved"
tool. Even I prefer this given the circumstances because if I end up
getting hacked, the fact that I used the company-approved tool is like a
free ticket to zero responsibility. Or at least, it's less worse than
getting hacked using your own personal communication channels.
2. The company doesn't really know what Jitsi is nor do they appear to
care much. Everybody is using Zoom, so I guess that gives them a false
sense of security: if they get hacked, everybody else gets hacked
anyway. More importantly, however, it appears that InfoSec is providing
companies tips on protecting their video calls, like setting passwords,
screening peers before they are allowed to join the room, muting people
on by default, etc. They do not appear to have concerns about using Zoom
per se, however. If at least the security guys used free software, that
would be a start.
3. Another point I imagine is relevant is that not all companies might
have the expertise or resources to securely set up Jitsi servers.
Understandably, they'd rather out-source that kind of stuff. I suppose
you could also pay Jitsi/8x8 to do this, but at that point you are
trading away the freedom that comes with running the software
on-premise, so you might as well just pay Zoom instead.
So no real buy-in for now. Although I guess that getting Sillicon Valley
to use free software is like playing the game in ultra-hard mode. I'll
keep trying, though.
---
--
Greg Farough // Campaigns Manager
Free Software Foundation
Join the FSF and help us defend software freedom: https://my.fsf.org
signature.asc
Description: PGP signature