Fwd: [IP] Jitsi versus Zoom


Desiree Miloshevic

Apr 9, 2020, 7:17:25 AM
to haklab
Forwarding this here because the discussion is relevant and perhaps interesting...
Open source will win, but
for that we need the support of the EU and our regulators.. etc

Regards

Begin forwarded message:

From: Dave Farber <far...@gmail.com>
Date: 9 April 2020 at 07:07:58 CEST
To: Ip Ip <i...@v2.listbox.com>
Subject: [IP] Jitsi versus Zoom
Reply-To: ip <i...@ip.topicbox.com>


Begin forwarded message:

From: John-Mark Gurney <j...@funkthat.com>
Date: April 9, 2020 14:04:18 JST
To: Jeremy Stanley <fu...@yuggoth.org>
Cc: crypto...@metzdowd.com
Subject: Re:  [Cryptography] Jitsi versus Zoom

Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:
On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:
[...]
So, the best thing about Jitsi is that you can self host to ensure
the security of the server.
[...]

Well, and it uses standards-based protocols, and you get all the
source code, and you have the right to modify and redistribute it,
and the ability to run it without having to pay licensing fees to
the authors, and... basically all the benefits of relying on
free/libre open source software instead of some proprietary platform
which you'll at best be able to audit under a nasty NDA and won't be
able to legally modify at all if you need (and I say this as someone
who's in the process of helping stand up a slightly modified version
of Jitsi Meet for an open community who's wary of Zoom and similar
closed offerings, the patch we're applying is for integration with
another open collaboration tool we use and we're planning to work
with the Jitsi maintainers to get that incorporated upstream... try
doing that with Zoom?).

You mean all the auditing that doesn't happen w/ open source software?

See the recent package distribution bugs in OpenWrt[1], or on Debian's
apt that failed to handle redirects properly[2]...

Or the [in]ability of OSS authors to distribute software securely?

Hell, in trying to get OpenWrt installed on a router, I find that if
you follow OpenWrt docs to the letter, your initial install can still
be MitM'd, even after the recent CVE, and so an attacker could put their
own package key and repo in:
https://twitter.com/encthenet/status/1248036307147710465?s=20

Or that dnsmasq is distributed in an unauthenticated manner.  Yes,
the author signs his repo, but there isn't a link to his PGP key
anywhere, and so, if I just fetch "his" key that is from the repo
off a random key server, that isn't secure, because an attacker could
upload their own key that they signed the repo w/ that contains his
email address and look totally legit.

You mean that OSS?

We aren't even talking about complicated parts of software, the
simple distribution can't even be handled in a secure manner, and
people expect them to get more complicated parts correct?

I don't have the time or money to pay for even a half assed audit of
Jitsi.

There's something to be said to have a company that has people who
are paid to distribute and keep software secure.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-7982
[2] https://www.debian.org/security/2019/dsa-4371

--
 John-Mark Gurney                Voice: +1 415 225 5579

    "All that I will do, has been done, All that I have, has not."
_______________________________________________
The cryptography mailing list
crypto...@metzdowd.com
https://www.metzdowd.com/mailman/listinfo/cryptography
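The key-fetching problem described above (a key-server lookup by e-mail address cannot tell the author's key from an attacker's upload carrying the same user ID) can be closed by pinning the fingerprint obtained out of band and checking both the imported key and the `gpg --status-fd` verification result against it. This is an added example, not code from the thread or from any of the projects named in it; the fingerprints, listings, e-mail address and status lines are constructed samples in GnuPG's `--with-colons` and status-fd formats.

```python
import re

# Out-of-band fingerprint (author's HTTPS site, signed release note), not a key-server search. Constructed placeholder.
PINNED_FPR = "4C4A2E8F0B1D6A3E9F7C1B2D5E6F7A8B9C0D1E2F"

def keyring_fingerprints(listing: str) -> dict:
    """Parse `gpg --with-colons` records into {primary fingerprint: [user IDs]}:
    'pub' starts a key, the next 'fpr' is its fingerprint (field 10), 'uid' its IDs."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = None
        elif f[0] == "fpr" and current is None:  # later 'fpr' records are subkeys
            current = f[9].upper()
            keys[current] = []
        elif f[0] == "uid" and current is not None:
            keys[current].append(f[9])
    return keys

def keys_matching_email(listing: str, email: str) -> list:
    """Weak check: every key whose user ID mentions the address 'matches'."""
    return sorted(k for k, uids in keyring_fingerprints(listing).items() if any(email in u for u in uids))

def key_is_pinned(listing: str, pinned: str) -> bool:
    """Strong check: the imported key must carry the pinned fingerprint."""
    return pinned.upper() in keyring_fingerprints(listing)

# A good signature from `gpg --status-fd 1 --verify` is reported as
# VALIDSIG <signing fpr> <8 fields: dates, version, algos, class> [<primary fpr>]
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})(?: \S+){8}(?: ([0-9A-F]{40}))?\s*$")

def signed_by_pinned_key(status: str, pinned: str) -> bool:
    """GOODSIG only says *some* imported key signed the data; require the pinned one."""
    for line in status.splitlines():
        m = VALIDSIG.match(line)
        if m:
            return pinned.upper() in (m.group(1), m.group(2))
    return False
# Constructed listings and status output: the author's key (with one subkey) and an impostor key with the same user ID.
AUTHOR_KEY = ("pub:-:4096:1:5E6F7A8B9C0D1E2F:1512345678::-:::scESC::::::23::0:\n"
              "fpr:::::::::4C4A2E8F0B1D6A3E9F7C1B2D5E6F7A8B9C0D1E2F:\n"
              "uid:-::::1512345678::0000::Example Maintainer <maint@example.org>::::::::::0:\n"
              "sub:-:4096:1:1122334455667788:1512345678::::::e::::::23:\nfpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1122334455667788:\n")
IMPOSTOR_KEY = ("pub:-:4096:1:0123456789ABCDEF:1586300000::-:::scESC::::::23::0:\n"
                "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
                "uid:-::::1586300000::0000::Example Maintainer <maint@example.org>::::::::::0:\n")
STATUS_OK = ("[GNUPG:] GOODSIG 5E6F7A8B9C0D1E2F Example Maintainer <maint@example.org>\n[GNUPG:] VALIDSIG "
             "4C4A2E8F0B1D6A3E9F7C1B2D5E6F7A8B9C0D1E2F 2020-04-08 1586300000 0 4 0 1 10 00 4C4A2E8F0B1D6A3E9F7C1B2D5E6F7A8B9C0D1E2F\n")
STATUS_IMPOSTOR = "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-04-08 1586300000 0 4 0 1 10 00\n"
```

Run against a real keyring with `gpg --with-colons --import-options show-only --import key.asc` for the listing and `gpg --status-fd 1 --verify file.sig file` for the status output; the e-mail check accepts both keys, the fingerprint check accepts only the author's.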

Maxa

Apr 10, 2020, 4:45:22 PM
to Desiree Miloshevic, haklab
Uhhhh... I wrote about this topic on LinkedIn, at my workplace, nagged people in some sec groups, but it's no use; it still means nothing to people when you tell them "OK, someone can own your computer and everything on it, your credentials, you'll put the whole company and yourself at risk because you use Zoom.." and nothing, they say "you have the option to raise your hand, Jitsi doesn't have that" or I don't know what other super-cool idiotic features, excuse the expression, I already manage to get worked up about this topic :D  The hardest part for me is when Zoom is defended by people from the security industry...

Regards
( ')> 
01101101011000010111100001100001


