Re: [irsg] Meetecho for interims?

Toerless Eckert <tte@cs.fau.de> Sun, 02 August 2020 02:53 UTC

Date: Sun, 02 Aug 2020 04:53:03 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Carsten Bormann <cabo@tzi.org>
Cc: Leif Johansson <leifj@sunet.se>, WG Chairs <wgchairs@ietf.org>
Subject: Re: [irsg] Meetecho for interims?
Message-ID: <20200802025303.GG1772@faui48f.informatik.uni-erlangen.de>
References: <B3C59EE7-67C5-44F1-9A1B-6453267B8B58@tzi.org> <C0FD0348-93CD-417E-93E2-F8FA987C0A93@sunet.se> <07039CD4-D25E-46A3-A4AA-D34039AD5C35@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wgchairs/kvyekeL8ThnCpj3LylEi6BNAwWo>

Carsten:

What specifically are the technical risks for which you would not have joined
a ZVC meeting, such as one of the IETF108 side meetings that used Zoom?
(or, for that matter, future interims, which this thread is about)

If the reason is fear of unknown, undetected security risks due to lack of
trust in the security diligence of ZVC, would using the RTCweb browser
client instead of the native client resolve this issue?

IMHO:

If we want future interims, like past interims, to be publicly announced
without participant authentication, I think zoombombing would be a risk
for any platform we choose: Meetecho, Webex, Zoom, BBB, whatever.

Given how an interim is meant to be public and, I hope, recorded, there
is no risk of undesired recording by a third party either (as in: please go ahead).

That leaves as the biggest risk, AFAIK, the problem of clients creating backdoors,
and I would hope that W3C/IETF work on browser client platform security
would be sufficient.

Of course, we could argue that we would like authentication for all IETF
activities to also overcome zoombombing risks, but then it would be really
nice to extend the cover of authentication, if not also tooling, to what
are currently called unofficial side meetings.

Cheers
    Toerless

P.S.: This is not meant to imply preference for any specific platform.

On Sat, Aug 01, 2020 at 06:09:59PM +0200, Carsten Bormann wrote:
> OK, this is getting a bit off-topic...  Apologies.
> 
> >>>>> 
> >>>>> At least, with Webex, I can be reasonably sure about the absence of criminal intent of the operator.
> >>>> 
> >>>> That is a very serious allegation that you are making without evidence.
> >>>> 
> >>>> -Jim
> >>>> 
> >>> 
> >>> I was just thinking the same thing.
> >> 
> >> Actually, it is a statement of fact: I feel way more secure with software from Cisco than with software from Zoom Video Communications (ZVC), because I have good reason not to be certain about ZVC's corporate intent.  I didn't know there would be an expectation that I would embellish this simple fact with formal indictment papers.
> > 
> > That's not what you wrote and I think you know the difference (hence the rest of the email)!
> 
> Right, I wrote that *with Webex* I can be reasonably sure of the absence of criminal intent of the operator.
> 
> > Incompetent sure,  but how does this show criminal intent?
> 
> I'm not a lawyer, so I cannot answer that question.
> 
> But declaring that intentionally installing malware on my computer (that makes it vulnerable to first and third party attacks) is exactly what this company does, is *something*.
> I can report that it (and the time I now had to waste cleaning up my computer) destroyed any trust I might have had in this company to heed basic corporate responsibility; this incident was no longer grossly negligent, this was intentional.  Hence my statement of uncertainty about what they will do in the future.
> 
> > Srsly if I had a ??? for every ass-backwards handling of a vulnerability I've come across ... but to each her own, thx for the details!
> 
> I continue to see a difference between badly handling a wide open backdoor and a statement that installing such backdoors is just the way the company intends to do business.
> 
> We have grown such a deep distrust of software vendors that we may think the behavior we have seen here may be just the way it is.  Not so.  And we have to stop simply ignoring such behavior, or worse, becoming apologetic of it.
> 
> Regards, Carsten

-- 
---
tte@cs.fau.de