Is your kids' school forcing Zoom on them too?

Coleman Kane ckane at colemankane.org
Sat Aug 8 13:30:26 EDT 2020


On Fri, Aug 07, 2020 at 10:26:57PM -0400, Kyle Smith wrote:
> On Fri, Aug 7, 2020 at 7:18 PM Matt Minuti <matt.minuti at gmail.com> wrote:
> 
> > Virtually all of the security "issues" are irrelevant for the use case of
> > public schools. All the "hacking" I've heard of has been nothing more than
> > people doing the modern equivalent of wardialing, joining in meetings that
> > have no password by picking random numbers. That's not Zoom's fault, that's
> > just bad IT policy on any platform (which schools ought to know how to
> > address now).
> >
> > There's been no remote execution exploits (AFAIK), so that's a non-issue.
> >
> > Maybe I'm missing something, but what exactly is the problem with Zoom in
> > this context, and what better alternative are you proposing? Jitsi is cool
> > and open source (yay!), and a thousand times better than WebEx, but it's
> > subject to similar server-side concerns as zoom (compromised server MITM),
> > and I wouldn't put much trust in the local SAU IT guy to handle installing
> > it let alone running it securely for hundreds or thousands of simultaneous
> > users.
> >
> 
> This is essentially the main benefit of a hosted solution. Even if there
> are open-source alternatives that are equivalent or superior, most schools
> don't have the resources (e.g. IT staff) to do this correctly. At least
> with Zoom it's consistent, and when security fixes go out they go out to
> everyone.

Hi everyone, long time since I chatted with many of you since moving back to
Cincinnati. However, as I am in a similar boat and also working in a cyber
security capacity for the past 10 years, I'll provide some insights around
Zoom that I and my friends are recommending. Mind you, Zoom can be as secure
as any other SaaS offering (Google Meet, WebEx, etc.).

All of the "security concerns" around Zoom boil down to two main categories:

1) Insecure by default - Default config options being "weak" to favor usability
or availability were the driving factor in many of its embarrassing press pieces
earlier on. From what I can tell, none of these are much different from the
problems typically resulting from common (and flawed) software engineering
methodologies. A lot of these are fixable, it just requires going exhaustively
through all of the system options prior to rolling it out.

My recommendation would be to offer to consult for your local school district
for free, to help them lock down their Zoom deployment and also build a list
of SOPs to distribute to employees of the district.

2) Privacy concerns - supposedly a large amount of Zoom's contracted labor
workforce is located in China. People have derived that this also means a lot
of the server infrastructure is also located there. I'm not 100% sure, but I
am pretty skeptical of this claim - as just the bandwidth concerns alone would
seem to make this very unlikely to produce a working system. That said, there
had still been concerns early on about the lack of E2E encryption, and weak
algorithms, but Zoom has since fixed both of those. Now, even the free Zoom
accounts support E2E encryption. By my estimate, Zoom is about on-par with
MS Teams, Google Meet, and Cisco WebEx nowadays.

My kid's school district uses Google Enterprise Suite for education, which
works really well, and provides Google Meet for meetings (rather than Zoom).
It's too late this year, but if your school district is seeking out some sort
of lower-cost alternative to MS+O365, the Google Suite is a nice alternative
that also allows you to "activate" any Chromebook with the student's managed
account - basically managing their "desktop" in the Google cloud. At the very
least, everyone's data exists within the district "enclave". 

As always the above presumes some concessions around personal privacy, which
I realize can be a hot button topic. Not my biggest preference, but there are
so many usability and availability benefits to these SaaS productivity systems
that they're becoming commonplace for any large organization that lacks the
buying power of big corporate entities in their IT departments. Solutions like
the above can make it easier for the district's IT dept to manage and secure
what is going on within the student body, in scalable ways that installing a
bunch of dedicated-server software may not.

Coleman Kane

> 
> 
> > On Fri, Aug 7, 2020, 5:52 PM Joshua Judson Rosen <rozzin at hackerposse.com>
> > wrote:
> >
> >> So..., pandemic. That's still a thing, and school is about to start up.
> >>
> >> I hear a lot of schools have decided to make everyone use Zoom,
> >> whether they're at school or remote. That's apparently what's happening
> >> at my kid's school.
> >>
> >> If you haven't heard..., Zoom has turned out to be a complete privacy-
> >> and security-nightmare
> >> (the set of links out from the Wikipedia article is not even exhaustive,
> >> but holy crap).
> >> Though I suspect that most of the people on this list know all about it.
> >>
> >> How are you dealing with it?
> >>
> >> We've been trying to talk to our school's administration ever since they
> >> sent out an e-mail
> >> telling everyone to `expect to use a video-conferencing tool like Google
> >> Meet or Zoom'),
> >> and finally managed to get a meeting with... the Assistant Principal (who
> >> honestly is great, but powerless),
> >> and at this point have basically got a response of "wish you'd raised the
> >> issue earlier, but we already bought Zoom"
> >> (which might not be _as_ frustrating if we hadn't actually first raised
> >> this issue back in _March_...).
> >>
> >> NH does make it fairly straightforward to just give up and homeschool if
> >> it comes to that...,
> >> but must it really come to that?
> >>
> >>
> >> --
> >> Connect with me on the GNU social network! <
> >> https://status.hackerposse.com/rozzin>
> >> Not on the network? Ask me for more info!
> >> _______________________________________________
> >> gnhlug-discuss mailing list
> >> gnhlug-discuss at mail.gnhlug.org
> >> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >>
> >
> 
> 
> -- 
> Kyle Smith
