Archive for April 10, 2020

Friday, April 10, 2020

Contact Tracing

Russell Brandom and Adi Robertson (Hacker News, MacRumors):

Apple and Google announced a system for tracking the spread of the new coronavirus, allowing users to share data through Bluetooth Low Energy (BLE) transmissions and approved apps from health organizations.

The new system, which is laid out in a series of documents and whitepapers, would use short-range Bluetooth communications to establish a voluntary contact-tracing network, keeping extensive data on phones that have been in close proximity with each other. Official apps from public health authorities will get access to this data, and users who download them can report if they’ve been diagnosed with COVID-19. The system will also alert people who download them to whether they were in close contact with an infected person.

Matthew Panzarino:

A quick example of how a system like this might work:

  1. Two people happen to be near each other for a period of time, let’s say 10 minutes. Their phones exchange the anonymous identifiers (which change every 15 minutes).
  2. Later on, one of those people is diagnosed with COVID-19 and enters it into the system via a Public Health Authority app that has integrated the API.
  3. With an additional consent, the diagnosed user allows his anonymous identifiers for the last 14 days to be transmitted to the system.
  4. The person they came into contact with has a Public Health app on their phone that downloads the broadcast keys of positive tests and alerts them to a match.
  5. The app gives them more information on how to proceed from there.

[…]

All identification of matches is done on your device, allowing you to see — within a 14-day window — whether your device has been near the device of a person who has self-identified as having tested positive for COVID-19.

Mark Gurman:

Apple and Google stressed on Friday that their system preserves users’ privacy. Consent is required and location data is not collected. The technology also won’t notify users who they came into contact with, or where that happened. The companies said they can’t see this data either, and noted that the whole system can be shut down when needed.

Steve Troughton-Smith:

Contact Tracing framework preliminary API reference (!)

Surprisingly, it’s in Objective-C.

Update (2020-04-17): Ross Anderson:

There have recently been several proposals for pseudonymous contact tracing, including from Apple and Google. To both cryptographers and privacy advocates, this might seem the obvious way to protect public health and privacy at the same time. Meanwhile other cryptographers have been pointing out some of the flaws.

There are also real systems being built by governments. Singapore has already deployed and open-sourced one that uses contact tracing based on bluetooth beacons. Most of the academic and tech industry proposals follow this strategy, as the “obvious” way to tell who’s been within a few metres of you and for how long.

[…]

But contact tracing in the real world is not quite as many of the academic and industry proposals assume.

[…]

Fifth, although the cryptographers - and now Google and Apple - are discussing more anonymous variants of the Singapore app, that’s not the problem. Anyone who’s worked on abuse will instantly realise that a voluntary app operated by anonymous actors is wide open to trolling.

Via Bruce Schneier:

So I agree with Ross that this is primarily an exercise in that false syllogism: Something must be done. This is something. Therefore, we must do it. It’s techies proposing tech solutions to what is primarily a social problem.

[…]

As long as 1) every contact does not result in an infection, and 2) a large percentage of people with the disease are asymptomatic and don’t realize they have it, I can’t see how this sort of app is valuable. If we had cheap, fast, and accurate testing for everyone on demand...maybe.

Joe Rossignol:

Apple today in a press briefing indicated that its upcoming COVID-19 contact tracing system with Google will have a verification flow, meaning that users will be required to submit proof in order to report that they have tested positive for the disease.

EFF:

Regularly rotating identifiers used by the phone is a start, but if an adversary can learn that multiple identifiers belong to the same user, it greatly increases the risk that they can tie that activity to a real person. As we understand Apple and Google’s proposal, users who test positive are asked to upload keys that tie together all their identifiers for a 24-hour period. (We have asked Apple and Google for clarification.) This could allow trackers to collect rotating identifiers if they had access to a widespread network of bluetooth readers, then track the movements of infected users over time. This breaks the safeguards created by using rotating identifiers in the first place. For that reason, rotating identifiers must be uploaded to any central authority or database in a way that doesn’t reveal the fact that many identifiers belong to the same person. This may require that the upload of a single user’s tokens are batched with other user data or spread out over time.

[…]

When the COVID-19 crisis ends, any application built to fight the disease should end as well. Defining the end of the crisis will be a difficult question, so developers should ensure that users can opt out at any point. They should also consider building time limits into their applications themselves, along with regular check-ins with the users as to whether they want to continue broadcasting. Furthermore, as major providers like Apple and Google throw their weight behind these applications, they should articulate the circumstances under which they will and will not build similar products in the future.
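As an added illustration (not Apple's or Google's code, and not from any of the posts quoted above), the following Python models Panzarino's steps 1 to 4 together with the linkability problem EFF describes: each phone derives one key per day and one rolling identifier per 15-minute interval from it, a diagnosed user releases only the last 14 days of keys, and the other phone re-derives identifiers from those keys and matches them locally against what it heard over BLE. The derivation labels, key and identifier sizes, and the use of HMAC-SHA256 are my assumptions chosen to mirror the description on the page, not the published specification; the scenario at the bottom is constructed.

```python
"""Added illustration, not Apple's or Google's code: the rolling-identifier
exchange from Panzarino's steps and the linkability concern EFF raises.
Assumptions (mine, not the published spec): HMAC-SHA256 with the labels
b"CT-DTK"/b"CT-RPI", 16-byte keys and identifiers, 15-minute intervals,
a 14-day upload window."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVAL_MINUTES = 15
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES   # 96 identifiers per day
RETENTION_DAYS = 14
KEY_LEN = ID_LEN = 16


def daily_key(master_key: bytes, day: int) -> bytes:
    """Per-day key derived from the phone's secret; this is what a diagnosed
    user later uploads (step 3), never the master key itself."""
    msg = b"CT-DTK" + day.to_bytes(4, "little")
    return hmac.new(master_key, msg, hashlib.sha256).digest()[:KEY_LEN]


def rolling_id(day_key: bytes, interval: int) -> bytes:
    """Identifier broadcast over BLE during one 15-minute interval (step 1)."""
    msg = b"CT-RPI" + interval.to_bytes(4, "little")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:ID_LEN]


@dataclass
class Phone:
    name: str
    master_key: bytes = field(default_factory=lambda: os.urandom(32))
    seen: set = field(default_factory=set)   # (day observed, identifier heard)

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_id(daily_key(self.master_key, day), interval)

    def observe(self, day: int, rid: bytes) -> None:
        """Step 1 on the receiving side: remember what nearby phones sent."""
        self.seen.add((day, rid))

    def diagnosis_keys(self, today: int):
        """Step 3: with consent, release the last 14 days of keys only."""
        first = today - RETENTION_DAYS + 1
        return [(d, daily_key(self.master_key, d)) for d in range(first, today + 1)]

    def matches(self, uploaded):
        """Step 4: re-derive every identifier from the uploaded keys and compare
        against what this phone heard; nothing leaves the device."""
        hits = []
        for day, key in uploaded:
            for i in range(INTERVALS_PER_DAY):
                if (day, rolling_id(key, i)) in self.seen:
                    hits.append((day, i))
        return hits


def linkable_ids(day: int, day_key: bytes) -> set:
    """EFF's point: a single uploaded day key reproduces all 96 identifiers of
    that day, so anyone with BLE sniffers can chain them into one track."""
    return {rolling_id(day_key, i) for i in range(INTERVALS_PER_DAY)}


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob were near each other on day 100,
    interval 40; they also met on day 80, outside the 14-day window; Carol
    only ever heard a stranger.  Alice is diagnosed on day 105."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.observe(100, alice.broadcast(100, 40))
    bob.observe(80, alice.broadcast(80, 12))
    carol.observe(100, Phone("stranger").broadcast(100, 40))
    uploaded = alice.diagnosis_keys(today=105)
    day100_ids = linkable_ids(100, daily_key(alice.master_key, 100))
    return {
        "uploaded_days": [d for d, _ in uploaded],
        "bob": bob.matches(uploaded),       # [(100, 40)]
        "carol": carol.matches(uploaded),   # []
        "linkable": all(alice.broadcast(100, i) in day100_ids
                        for i in range(INTERVALS_PER_DAY)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two things the run makes concrete. The match on day 100 is found and the day-80 contact is not, because only 14 days of keys are ever released and matching happens entirely on Bob's phone. And because every identifier of a day is reproducible from that day's key, linkable_ids() shows why EFF worries about a network of Bluetooth readers: whoever holds an uploaded key can chain a diagnosed user's 96 identifiers for that day into a single track, which is exactly the property the 15-minute rotation was meant to prevent.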

Ben Thompson:

The reality that tech companies, particularly the big five (Apple, Microsoft, Google, Amazon, and Facebook), effectively set the rules for their respective domains has been apparent for some time. You see this in debates about what content to police on Facebook or YouTube, what apps to allow and what rules to apply to them on iOS and Android, and the increasing essentiality of AWS and Azure to enterprise. What is critical to understand about this dominance is why it arises, why current laws and regulations don’t seem to matter, and what signal it is that actually drives big company decision-making.

[…]

Moreover, it is baldly obvious that the only obstacle to this being involuntary is not the government, but rather Apple and Google. What is especially noteworthy is that the coronavirus crisis is the one time we might actually wish for central authorities to overcome privacy concerns, but these companies — at least for now — won’t do it.

Mattt Thompson:

In this article, we’ll take a first look at these specifications — particularly Apple’s proposed ContactTracing framework — and use what we’ve learned to anticipate what this will all look like in practice.

Ben Adida:

Last night, I spent some quality time with the Apple docs on the new contact tracing protocol and APIs they and Google are preparing.

I’m quite optimistic about this effort. Here’s why.

CloudKit Impressions From a NetNewsWire Developer

Maurice Parker (tweet):

One area where CloudKit outshines our RESTful service implementations is that it gets notifications when the data changes. This keeps our data more up to date. In the RESTful services, we sync which feeds you are subscribed to every so often via polling. This happens at shortest around every 15 minutes. Realtime updates to your subscription information aren’t necessary, but it is fun to add a feed on your phone and watch it appear in realtime on the desktop.

[…]

One thing I wanted to do was provide a centralized repository that knew which feeds had been updated and when. I planned to have a system that would use the various NetNewsWire clients to update this data and notify the clients. My theory was that checking one site for updated feeds would be faster than testing all the sites to see if their feeds had updated.

I ended up giving up on this task. I think it would have been possible to implement in CloudKit, but would not have been faster than checking all the sites for their feed updates. […] There is no such thing as a “JOIN” between CloudKit records. If I could have connected data from more than one record per query I could have done some data driven logic.

I’d like to switch (back) to NetNewsWire when this ships, although I haven’t decided what I’ll do about the smart folder and Pocket features I use in ReadKit.

The Windmill Source Code Is Now Public

Markos Charatzas:

Effectively, by Apple putting Windmill on notice, the only way I can distribute Windmill on the Apple platforms is at the source code level. Even though this does not serve the mission to make continuous delivery accessible, whatever value Windmill brings, even as source code, is better than none at all.

The development of Windmill did come to an abrupt end and didn’t get a fair chance to become what I had envisioned. It would bring me joy to know that developers will benefit from it by learning something new. It’s a way to give back to the community.

Windmill is not some example software after all. It is production grade, spanning the desktop, mobile and the server. The software engineering behind it is still relevant and the technologies used are modern.

[…]

Releasing the source code of Windmill does not make it open-source. I don’t plan on contributing any time or energy developing it further.

Every Zoom Security and Privacy Flaw So Far

Glenn Fleishman:

TidBITS contacted Zoom for its insights about how it has handled security and privacy issues, but the company didn’t reply. As I finished this article and in the few days that followed, however, Zoom publicly responded to disclosures of new security problems. The first response, unlike most previous ones, was a blog post with an apology and a full explanation. A subsequent post laid out the company’s plans for how it will improve its software and its culture around security and privacy. It’s a glimmer of hope for the future. A third responded to a privacy group’s investigation into the company’s weak choices in encryption algorithms and in routing some meeting traffic through China for non-Chinese participants. The rapid response and general frankness were in stark contrast to earlier behavior.

In this article, I walk through the many software, security, and privacy issues Zoom has encountered and its response to each.

This is really thorough.

See also: Hacker News (2, 3, 4).

Barbara Krasnoff:

We recently ran a roundup of some of the free videoconferencing apps available, including Zoom. Since so many questions have come up about Zoom’s security, we’ve decided to run the roundup again, this time excluding Zoom and adding other apps that you can use instead.

[…]

There are a number of apps we have not included, such as Facebook, WhatsApp, and FaceTime, that allow you to do video chats; they either require that all participants be members (Facebook, WhatsApp) or that you use a specific type of device (FaceTime, which is Apple-only). The following list includes more generalized applications that allow you to participate without having to actually register for the app (unless you’re the host).

Nick Heer:

It’s right to more heavily scrutinize Zoom as it plays a pivotal role in our self-isolated current state of affairs. But what are the alternatives? Fleishman compiled those, too, but even he acknowledged at the time that it “has emerged as the clear winner for large groups”. Competing options can be pricey — particularly for underfunded organizations like charities and schools. Most of these tools are also designed for businesses; they may not work as well as Zoom in a classroom context. It is critically important that Zoom gets this right, or security professionals are going to increasingly recommend that it be avoided entirely.

Pranav Dixit (via Hacker News):

Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week.

Update (2020-04-15): Ben Matasar (via Eric Blair):

Problems with Zoom:

- don’t always take security and privacy as seriously as I’d like
- privacy features aren’t very discoverable

Problems with alternatives to Zoom:

- hearing people
- seeing people
- connecting to calls

George Snow has posted some AppleScripts for adding and removing permissions for the camera and mic. He uses FastScripts to override Command-Q in Zoom so that he can quit the app and prevent it from recording anything with a single command.

Update (2020-04-23): Natasha Singer and Nicole Perlroth (Hacker News, Slashdot):

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

[…]

The former Dropbox engineers, however, say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies.

Joe Basirico:

Zoom is an interesting case study in the various ways that software can fail. The Zoom team has had to learn a lot of lessons quickly, including the pitfalls of reusing components, figuring out how to make security engineering improvements to their SDLC and DevOps processes, and the need for a CISO leadership team.

In this article I want to walk you through some of the issues that were recently publicized. I’ll break them into categories to understand the mistakes made and the subsequent decisions that were necessary. There has been a bit of a pile-on with security professionals each taking their turn to tell Zoom how they could have done better. Some of the issues that were uncovered are truly concerning, while others are natural tradeoffs between security and usability. In some cases, Zoom was actually following best practices (like reusing components), but got bitten anyway.

See also: Lessons for Zoom from Chatroulette, the original live video site.

Zoom Installation

Felix Seele (Hacker News):

Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).
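As an added example (not Zoom’s installer, not Apple’s tooling, and not code from any post quoted here), this is the kind of check a practitioner would run on a package before letting Installer execute its scripts: expand the .pkg and look at what the install-time scripts and the Distribution file actually do. It assumes the package has been expanded so that each component’s Scripts is a directory (newer pkgutil’s --expand-full does this; plain pkgutil --expand leaves Scripts as a gzipped cpio archive you would unpack first). The patterns it flags are the behaviours the tweets above describe, not an exhaustive list, and the Distribution and preinstall contents it ships with are constructed samples.

```python
"""Added example, not Zoom's installer or Apple's tooling: audit the
install-time scripts of an expanded macOS .pkg before Installer runs them.
Assumes the package was expanded so that each component's Scripts is a
directory (pkgutil --expand-full does this; plain --expand leaves Scripts as
a gzipped cpio you would unpack first).  Sample contents are constructed."""
import re
import sys
import tempfile
from pathlib import Path

SCRIPT_NAMES = ("preinstall", "postinstall", "preflight", "postflight")

# Behaviours worth a second look, taken from the tweets above: installing
# outside the payload, a bundled archiver, network fetches, admin-group checks.
SUSPECT = {
    "writes to /Applications": re.compile(r"/Applications"),
    "bundled archiver": re.compile(r"\b7z[a-z]*\b|\bunzip\b|\bditto\b"),
    "network fetch": re.compile(r"\bcurl\b|\bwget\b"),
    "admin-group check": re.compile(r"\badmin\b"),
}
# In a product archive the Distribution XML can run JavaScript before the
# install proper (installation-check hooks, system.run of a bundled binary).
DIST_SUSPECT = re.compile(r"installation-check|system\.run\(")


def audit_expanded_pkg(root) -> list:
    """Return (file, line number, label, line) for every flagged line."""
    root = Path(root)
    findings = []
    dist = root / "Distribution"
    if dist.is_file():
        for n, line in enumerate(dist.read_text(errors="replace").splitlines(), 1):
            if DIST_SUSPECT.search(line):
                findings.append(("Distribution", n, "pre-install JavaScript", line.strip()))
    # A bare component package keeps Scripts at the top level; a product
    # archive has one Scripts directory per component *.pkg.
    for scripts_dir in [root / "Scripts", *sorted(root.glob("*.pkg/Scripts"))]:
        if not scripts_dir.is_dir():
            continue
        for name in SCRIPT_NAMES:
            script = scripts_dir / name
            if not script.is_file():
                continue
            rel = str(script.relative_to(root))
            for n, line in enumerate(script.read_text(errors="replace").splitlines(), 1):
                for label, pat in SUSPECT.items():
                    if pat.search(line):
                        findings.append((rel, n, label, line.strip()))
    return findings


# Constructed samples modelling the behaviour described in the tweets.
DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Sample</title>
    <installation-check script="check()"/>
    <script>function check() { system.run('helper'); return false; }</script>
</installer-gui-script>
"""
PREINSTALL = """#!/bin/sh
# Constructed sample mirroring the tweet above.
if id -Gn "$USER" | grep -qw admin; then
    "$SCRIPT_DIR/7zr" x "$SCRIPT_DIR/app.7z" -o/Applications
fi
"""


def build_sample_pkg() -> Path:
    """Write the constructed samples as an expanded product archive."""
    root = Path(tempfile.mkdtemp(prefix="pkg-audit-"))
    (root / "Distribution").write_text(DISTRIBUTION)
    scripts = root / "sample.pkg" / "Scripts"
    scripts.mkdir(parents=True)
    (scripts / "preinstall").write_text(PREINSTALL)
    return root


if __name__ == "__main__":
    # Usage: pkgutil --expand-full Foo.pkg /tmp/foo && python3 audit.py /tmp/foo
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_pkg()
    for where, n, label, text in audit_expanded_pkg(target):
        print(f"{where}:{n}: {label}: {text}")
```

On the constructed sample this reports the installation-check hook and the system.run call in Distribution, the admin-group test, and the line that unpacks with a bundled 7z straight into /Applications, which is the sequence Seele describes. A script that shows up here is going to run with your privileges the moment you click Continue on the “This package will run a program to determine if the software can be installed” sheet, so this is the point at which to read it.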

Cabel Sasser:

The true Zoom experience begins with the installer. You have the standard list of steps on the left. The sheet comes down that says “This package will run a program to determine if the software can be installed.” You click Continue. The installer quits. It’s done. WTFFFFF

Kyle Howells:

This, and every Zoom controversy, makes sense if you think of it this way. They value ease of use above all else. Above being a good platform citizen, above security, above everything.

Just as most startups maximise engagement and growth above all, Zoom maximises ease of use.

Eric Slivka:

Zoom CEO Eric Yuan responded to Seele, noting that while the installation method was “implemented to balance the number of clicks given the limitations of the standard technology,” he recognized the issue and promised to “continue to improve.”

Zoom has now updated its Mac app installer to no longer use the preflight installation method, instead using a traditional installation authorization process, as noted by The Verge.

mmastrac:

I noticed while installing WebEx today that the installer immediately terminated itself after popping up the pre-installation script.

Running strings on the installation plugin (CWSPkgPlugin.bundle) shows why: it’s using a similar process to what Zoom does.

Oliver Hunt:

Ok, so given sandboxing exists, I feel it should be possible to make it so that installers can’t write to the file system (or poll the network) while the preinstall scripts are running[…]

Cabel Sasser:

One thing that freaks me out about Zoom is that there are no Retina images on first launch, but later they just kind of… appear. I do wonder if they’re not there in the first place because of this “Reitna” typo

Charlie Fish:

Is there ANY legit reason why @zoom_us needs admin privileges to support retina display on macOS? Never seen an application require admin privileges to use retina display.

Guilherme Rambo:

The initial download of the app doesn’t include retina assets, so they have to be downloaded and installed separately (why that requires admin privileges, I don’t know). Yet another “feature” they implemented without thinking about the implications.

Dan Amodio (Hacker News):

zoomAutenticationTool will run whatever script you give it, and ask you to authenticate as System. It’s like they wrote their own sudo tool. Don’t think you can weaponize it, but weird practice.

Update (2020-11-27): Pedro José Pereira Vieito:

Introducing InstaZoom: A Safari Extension that transparently redirects Zoom meeting links to Zoom in-browser web client so you can avoid installing the Zoom application.