
(The Hill) Is it correct to label them hackers when you publicly post the link and password to your Zoom meeting? (thehill.com)
    More: Dumbass, Wake Forest University, North Carolina, Winston-Salem, North Carolina, Wake Forest University staff, Online hackers, Zoom meeting, Nathan O. Hatch, Atlantic Coast Conference  
2154 clicks; posted to Main on 26 Jun 2020 at 12:18 PM (7 days ago)

41 Comments
 
2020-06-26 11:42:12 AM  
Unfortunately it's not even relevant how they go into the system, merely accessing a system in an 'unauthorized fashion' is enough to be accused/charged of such.
 
2020-06-26 11:48:07 AM  
No, hacking requires real computer skills.
 
2020-06-26 11:51:00 AM  
No, those people are then known as "users" or "invitees."
 
2020-06-26 12:23:50 PM  
It's one thing if you forget to lock your door at home, somebody furtively gets in, and they take your TV and jewelry.

It's another if you go out of town and your teenage kid posts a bunch of "come party here" announcements, and then the mutant motorcycle gang from Weird Science trashes the place.
 
2020-06-26 12:24:35 PM  
Is it correct to label someone a burglar if you leave the keys in your door and they use them to get in your house?

/Jesus, subby, of all the goddam pointless things to argue
//yet I'm arguing
///I AM NOT ARGUING
 
2020-06-26 12:26:25 PM  

edmo: No, those people are then known as "users" or "invitees."


Not quite. Invitees is a legal term. Posting a meeting ID and password in a public place does not make the whole world an invitee.
 
2020-06-26 12:26:41 PM  
I dunno, to me, posting the meeting ID and password publicly to your website kinda implies it's a public meeting.

Basic human decorum and decency should apply to attendants, of course.  But it wasn't a private meeting at that point.
 
2020-06-26 12:27:37 PM  
No, the law is written such that any "unauthorized use" of a system is a crime. In theory, if your boss told you to not be logged in after 6pm, and you lost track of time, logging out at 6:01pm, you just committed a felony (that is extreme, and your boss would have to be a giant dick to do it but it would count as "unauthorized use"). Skill, method, or feasibility are irrelevant. I could even send you a log-in and password specifically for you, and then tell you not to use them - you logging in just to check would be a crime.

In some ways, it even shows a small bit of forethought - if you listed methodologies, then new techniques would be legal even if they were more invasive than old ones. So, you would be constantly having to update the law every time somebody discovered a new exploit. On the other hand, the vagueness of the language has also meant that people changing the URL have been labeled ultra-hackers.
 
2020-06-26 12:27:44 PM  
Why is "mute all" and not allowing participants to unmute themselves so hard to figure out?
 
2020-06-26 12:28:02 PM  

NotThatGuyAgain: Is it correct to label someone a burglar if you leave the keys in your door and they use them to get in your house?

/Jesus, subby, of all the goddam pointless things to argue
//yet I'm arguing
///I AM NOT ARGUING


That's called trespassing. Just because the door is open, it is not an invitation to come in.
 
2020-06-26 12:28:17 PM  
Crashers.
 
2020-06-26 12:28:35 PM  
and them and their raves and electro music and such....glow-sticks and that
 
2020-06-26 12:29:13 PM  

FrancoFile: It's one thing if you forget to lock your door at home, somebody furtively gets in, and they take your TV and jewelry.

It's another if you go out of town and your teenage kid posts a bunch of "come party here" announcements, and then the mutant motorcycle gang from Weird Science trashes the place.


[s31346.pcdn.co image]

[66.media.tumblr.com image]
 
2020-06-26 12:30:09 PM  

Merltech: No, hacking requires real computer skills.


And a case of Jolt cola.

[media1.giphy.com image]
 
2020-06-26 12:30:17 PM  
[d2e111jq13me73.cloudfront.net image]

Penn Jillette>"Mr Plague, they have haxxored our zoom!"
pL@Gu3> "Impossible, I'm behind 7 proxies!!!1!"
 
2020-06-26 12:32:32 PM  

phalamir: No, the law is written such that any "unauthorized use" of a system is a crime. In theory, if your boss told you to not be logged in after 6pm, and you lost track of time, logging out at 6:01pm, you just committed a felony (that is extreme, and your boss would have to be a giant dick to do it but it would count as "unauthorized use"). Skill, method, or feasibility are irrelevant. I could even send you a log-in and password specifically for you, and then tell you not to use them - you logging in just to check would be a crime.

In some ways, it even shows a small bit of forethought - if you listed methodologies, then new techniques would be legal even if they were more invasive than old ones. So, you would be constantly having to update the law every time somebody discovered a new exploit. On the other hand, the vagueness of the language has also meant that people changing the URL have been labeled ultra-hackers.


The downside to this is enforcement relying on reporting - and, even less-likely - action by an investigator. Hacking attempts are par for the course in running a website or managing a server, and yet I can't think of a single incidence in the hundreds of reports filed with ISPs that the abuse department did anything but send a form letter back (and that's for directed hacking attempts, not just IPs in China trolling for SSH brute force attacks or scanning for basic vulnerabilities).
 
2020-06-26 12:33:20 PM  
"Zoom has worked on improving its video conferencing platform to be less susceptible to online attacks from hackers and added AES 256-bit GCM encryption last month to increase resistance to malicious tampering and hacking."

That's not how any of this works btw.
 
2020-06-26 12:36:55 PM  

edmo: No, those people are then known as "users" or "invitees."


I was in this meeting. The admin tried ending the meeting and then only letting in people with wfu.edu accounts, but the zoombombers showed up again. One of them had access to a real user's account. I even had it set up to focus the screen on whoever was talking at that moment, and it went to a still photo of the person the account was supposed to be for when one of the zoombombers was speaking. They were definitely hackers of some kind.

I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?
 
2020-06-26 12:37:30 PM  
According to Hatch's statement, the hackers most likely got access to the secure meeting after a link and password were publicly posted online.

Yeah, no hacking required.  Do people not know what that word means?
 
2020-06-26 12:38:40 PM  

boozehat: "Zoom has worked on improving its video conferencing platform to be less susceptible to online attacks from hackers and added AES 256-bit GCM encryption last month to increase resistance to malicious tampering and hacking."

That's not how any of this works btw.


Well, it doesn't protect you against somebody using your credentials if you expose them, no, but, that just seemed like a throwaway paragraph at the end, not really a claim that the new features would have prevented this specific attack.
 
2020-06-26 12:39:22 PM  

Prank Call of Cthulhu: Why is "mute all" and not allowing participants to unmute themselves so hard to figure out?


I was in this meeting. One of them was also drawing swastikas all over the screen. Turning that off as well would have involved a lot of know-how that the admin probably didn't have.
 
2020-06-26 12:44:36 PM  

Fireproof: I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?


Zoom is a 3rd party out-sourced platform so your in-house IT folks have no better access to follow this up than you do, so unless they were present and noticing the same as you were they're in the dark. They might appreciate the heads up, I guess is what I'm saying.

If it goes to the point of criminal charges I bet the local police could request access logs for each user, and knowing of one to home in on could be very helpful to them.
 
2020-06-26 12:49:46 PM  

Fireproof: I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?


To extend on my thoughts above: Let's say the police did get involved, and they did get access logs and they did home in on this user account as the source of the shiat-speaking: They could probably look up previous access logs of that user acting normally to confirm if they're coming from the same source IP. If they were then that confirms your co-worker is about to get a very short email from their boss with HR CC'd, if it's a different IP then at least that confirms the account was coming in from somewhere else and would partially exonerate your co-worker.
 
2020-06-26 12:54:23 PM  
Considering most breaches are phishing, I don't see why not.
 
2020-06-26 12:55:44 PM  

boozehat: NotThatGuyAgain: Is it correct to label someone a burglar if you leave the keys in your door and they use them to get in your house?

/Jesus, subby, of all the goddam pointless things to argue
//yet I'm arguing
///I AM NOT ARGUING

That's called trespassing. Just because the door is open, it is not an invitation to come in.


That makes it even more tempting as trespassing is typically a misdemeanor and burglary is a felony.
 
2020-06-26 12:55:50 PM  

BumpInTheNight: Unfortunately it's not even relevant how they go into the system, merely accessing a system in an 'unauthorized fashion' is enough to be accused/charged of such.


[pbs.twimg.com image]
 
2020-06-26 12:56:02 PM  

BumpInTheNight: Fireproof: I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?

To extend on my thoughts above: Let's say the police did get involved, and they did get access logs and they did home in on this user account as the source of the shiat-speaking: They could probably look up previous access logs of that user acting normally to confirm if they're coming from the same source IP. If they were then that confirms your co-worker is about to get a very short email from their boss with HR CC'd, if it's a different IP then at least that confirms the account was coming in from somewhere else and would partially exonerate your co-worker.


It was a picture of a black woman and a voice of probably a teenage white man. Definitely not the actual user.
 
2020-06-26 12:57:26 PM  
My buddies and I have spent the past three months on and off devil's advocate-ing each other about whether Zoom is secure or not.

I like the addition of a password by default, which was designed to AVOID shiat like this when the meeting ID leaks. But Zoom can't prevent folks from just sharing the password too :P
 
2020-06-26 1:00:51 PM  

Smackledorfer: Considering most breaches are phishing, I don't see why not.


Please, don't get me started at how frequently the firm sends us penetration tests by trying to phish us.
But I get it, many people fall for it, and better fall for a fake one* than a real one.

/and get a virtual slap on the wrist
 
2020-06-26 1:15:13 PM  

Fireproof: It was a picture of a black woman and a voice of probably a teenage white man. Definitely not the actual user.


Doesn't sound like the real legit user then indeed, if the IP of that session was the same as earlier ones from her though that could narrow down to the potential that it's someone else directly accessing her computer/device/home network, possibly a real dick-bag friend of her kid(s) or something though.
 
2020-06-26 1:41:25 PM  
Another word that got misused into meaninglessness, like "supermodel."
 
2020-06-26 1:44:46 PM  

skozlaw: boozehat: "Zoom has worked on improving its video conferencing platform to be less susceptible to online attacks from hackers and added AES 256-bit GCM encryption last month to increase resistance to malicious tampering and hacking."

That's not how any of this works btw.

Well, it doesn't protect you against somebody using your credentials if you expose them, no, but, that just seemed like a throwaway paragraph at the end, not really a claim that the new features would have prevented this specific attack.


Decrypting SSL/TLS is fairly trivial, regardless of the encryption method and bit length. But yeah, posting the password and link is pretty stupid.
 
2020-06-26 2:03:51 PM  

Publikwerks: [d2e111jq13me73.cloudfront.net image 640x360]
Penn Jillette>"Mr Plague, they have haxxored our zoom!"
pL@Gu3> "Impossible, I'm behind 7 proxies!!!1!"


God wouldn't be up this late...let's echo 23 and see what's up.
 
2020-06-26 2:11:18 PM  

FrancoFile: It's another if you go out of town and your teenage kid posts a bunch of "come party here" announcements, and then the mutant motorcycle gang from Weird Science trashes the place.


It's more like the prepubescent CoD guild from down the street comes in, gang moons your mom, calls you a [rhymes with Tigger], and leaves DogFart porn everywhere.

Some of the AA meetings I attend on Zoom actually miss the entertainment factor of the bombers.  But then we heckle each other harder than any adolescent 4chan newf*g could ever hope to do... I'm pretty sure we sent at least one of 'em home crying.

/rule 42
 
2020-06-26 2:17:41 PM  

madgonad: edmo: No, those people are then known as "users" or "invitees."

Not quite. Invitees is a legal term. Posting a meeting ID and password in a public place does not make the whole world an invitee.


You're probably right. That's more an advertisement. But then we have to argue about what they're selling.
 
2020-06-26 2:20:39 PM  

NotThatGuyAgain: Is it correct to label someone a burglar if you leave the keys in your door and they use them to get in your house?

/Jesus, subby, of all the goddam pointless things to argue
//yet I'm arguing
///I AM NOT ARGUING


[i.imgur.com image]
 
2020-06-26 2:59:49 PM  

Merltech: No, hacking requires real computer skills.


Yep.

When my church changed to Zoom for services, they initially said they were going to post the password on their website. Basically all of us who know tech at all were calling them idiots.

You have an email list, use it!
 
2020-06-26 3:02:29 PM  
No, they are not hackers. They're about as much a hacker as the i-jits who spam me with I RECORDED YOU!!!, with names like Master Zlotz, or, my favorite, Nightmare.

Protip: I didn't even have a camera before a couple months ago, you *bought* a list of usernames and passwords (which alone could send you to jail), and, oh, yes, no, there is no RAT on my Linux box.

Wannabe arseholes is all they are.
 
2020-06-26 4:47:39 PM  

phalamir: No, the law is written such that any "unauthorized use" of a system is a crime. In theory, if your boss told you to not be logged in after 6pm, and you lost track of time, logging out at 6:01pm, you just committed a felony (that is extreme, and your boss would have to be a giant dick to do it but it would count as "unauthorized use"). Skill, method, or feasibility are irrelevant. I could even send you a log-in and password specifically for you, and then tell you not to use them - you logging in just to check would be a crime.

In some ways, it even shows a small bit of forethought - if you listed methodologies, then new techniques would be legal even if they were more invasive than old ones. So, you would be constantly having to update the law every time somebody discovered a new exploit. On the other hand, the vagueness of the language has also meant that people changing the URL have been labeled ultra-hackers.


Posting a link and password publicly is the authorization.
 
2020-06-26 4:49:01 PM  

halifaxdatageek: My buddies and I have spent the past three months on and off devil's advocate-ing each other about whether Zoom is secure or not.

I like the addition of a password by default, which was designed to AVOID shiat like this when the meeting ID leaks. But Zoom can't prevent folks from just sharing the password too :P


Default is to put everyone in a waiting room when they connect. The meeting host admits them. If you have a lot of people attending then that can be cumbersome.
 
2020-06-26 7:49:34 PM  
boozehat:
Decrypting SSL/TLS is fairly trivial, regardless of the encryption method and bit length. But yeah, posting the password and link is pretty stupid.

Not in transit, it's not, at least not if you're not a nation state.
 