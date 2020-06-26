
(The Hill) Is it correct to label them hackers when you publicly post the link and password to your Zoom meeting? (thehill.com)
    Wake Forest University, North Carolina, Winston-Salem, North Carolina, Wake Forest University staff, Online hackers, Zoom meeting, Nathan O. Hatch, Atlantic Coast Conference  
BumpInTheNight [TotalFark] [OhFark]
1 hour ago
Unfortunately it's not even relevant how they go into the system, merely accessing a system in an 'unauthorized fashion' is enough to be accused/charged of such.
 
Merltech [TotalFark]
1 hour ago
No, hacking requires real computer skills.
 
edmo [TotalFark] [BareFark] [OhFark]
1 hour ago
No, those people are then known as "users" or "invitees."
 
FrancoFile [TotalFark] [BareFark]
54 minutes ago
It's one thing if you forget to lock your door at home, somebody furtively gets in, and they take your TV and jewelry.

It's another if you go out of town and your teenage kid posts a bunch of "come party here" announcements, and then the mutant motorcycle gang from Weird Science trashes the place.
 
NotThatGuyAgain
53 minutes ago
Is it correct to label someone a burglar if you leave the keys in your door and they use them to get in your house?

/Jesus, subby, of all the goddam pointless things to argue
//yet I'm arguing
///I AM NOT ARGUING
 
madgonad [OhFark]
51 minutes ago

edmo: No, those people are then known as "users" or "invitees."


Not quite. Invitees is a legal term. Posting a meeting ID and password in a public place does not make the whole world an invitee.
 
Chakalaka015
51 minutes ago
I dunno, to me, posting the meeting ID and password publicly to your website kinda implies it's a public meeting.

Basic human decorum and decency should apply to attendants, of course.  But it wasn't a private meeting at that point.
 
phalamir [TotalFark]
50 minutes ago
No, the law is written such that any "unauthorized use" of a system is a crime.  In theory, if your boss told you to not be logged in after 6pm, and you lost track of time, logging out at 6:01pm, you just committed a felony (that is extreme, and your boss would have to be a giant dick to do it but it would count as "unauthorized use").  Skill, method, or feasibility are irrelevant.    I could even send you a log-in and password specifically for you, and then tell you not to use them - you logging in just to check would be a crime.

In some ways, it even shows a small bit of forethought - if you listed methodologies, then new techniques would be legal even if they were more invasive than old ones.  So, you would be constantly having to update the law every time somebody discovered a new exploit.  On the other hand, the vagueness of the language has also meant that people changing the URL have been labeled ultra-hackers.
 
Prank Call of Cthulhu [TotalFark]
50 minutes ago
Why is "mute all" and not allowing participants to unmute themselves so hard to figure out?
 
boozehat
50 minutes ago

NotThatGuyAgain: Is it correct to label someone a burglar if you leave the keys in your door and they use them to get in your house?

/Jesus, subby, of all the goddam pointless things to argue
//yet I'm arguing
///I AM NOT ARGUING


That's called trespassing. Just because the door is open, it is not an invitation to come in.
 
joker420
49 minutes ago
Crashers.
 
Billy Liar
49 minutes ago
and them and their raves and electro music and such....glow-sticks and that
 
Mock26
48 minutes ago

FrancoFile: It's one thing if you forget to lock your door at home, somebody furtively gets in, and they take your TV and jewelry.

It's another if you go out of town and your teenage kid posts a bunch of "come party here" announcements, and then the mutant motorcycle gang from Weird Science trashes the place.


 
Claude Ballse
47 minutes ago

Merltech: No, hacking requires real computer skills.


And a case of Jolt cola.

 
Publikwerks
47 minutes ago

Penn Jillette>"Mr Plague, they have haxxored our zoom!"
pL@Gu3> "Impossible, I'm behind 7 proxies!!!1!"
 
Somaticasual [TotalFark]
45 minutes ago

phalamir: No, the law is written such that any "unauthorized use" of a system is a crime.  In theory, if your boss told you to not be logged in after 6pm, and you lost track of time, logging out at 6:01pm, you just committed a felony (that is extreme, and your boss would have to be a giant dick to do it but it would count as "unauthorized use").  Skill, method, or feasibility are irrelevant.    I could even send you a log-in and password specifically for you, and then tell you not to use them - you logging in just to check would be a crime.

In some ways, it even shows a small bit of forethought - if you listed methodologies, then new techniques would be legal even if they were more invasive than old ones.  So, you would be constantly having to update the law every time somebody discovered a new exploit.  On the other hand, the vagueness of the language has also meant that people changing the URL have been labeled ultra-hackers.


The downside to this is enforcement relying on reporting - and, even less-likely - action by an investigator. Hacking attempts are par for the course in running a website or managing a server, and yet I can't think of a single incidence in the hundreds of reports filed with ISPs that the abuse department did anything but send a form letter back (and that's for directed hacking attempts, not just IPs in China trolling for SSH brute force attacks or scanning for basic vulnerabilities).
 
boozehat
44 minutes ago
"Zoom has worked on improving its video conferencing platform to be less susceptible to online attacks from hackers and added AES 256-bit GCM encryption last month to increase resistance to malicious tampering and hacking."

That's not how any of this works btw.
 
Fireproof [TotalFark] [OhFark]
41 minutes ago

edmo: No, those people are then known as "users" or "invitees."


I was in this meeting. The admin tried ending the meeting and then only letting in people with wfu.edu accounts, but the zoombombers showed up again. One of them had access to a real user's account. I even had it set up to focus the screen on whoever was talking at that moment, and it went to a still photo of the person the account was supposed to be for when one of the zoombombers was speaking. They were definitely hackers of some kind.

I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?
 
trappedspirit
40 minutes ago
According to Hatch's statement, the hackers most likely got access to the secure meeting after a link and password were publicly posted online.

Yeah, no hacking required.  Do people not know what that word means?
 
skozlaw [TotalFark] [BareFark] [OhFark]
39 minutes ago

boozehat: "Zoom has worked on improving its video conferencing platform to be less susceptible to online attacks from hackers and added AES 256-bit GCM encryption last month to increase resistance to malicious tampering and hacking."

That's not how any of this works btw.


Well, it doesn't protect you against somebody using your credentials if you expose them, no, but, that just seemed like a throwaway paragraph at the end, not really a claim that the new features would have prevented this specific attack.
 
Fireproof [TotalFark] [OhFark]
38 minutes ago

Prank Call of Cthulhu: Why is "mute all" and not allowing participants to unmute themselves so hard to figure out?


I was in this meeting. One of them was also drawing swastikas all over the screen. Turning that off as well would have involved a lot of know-how that the admin probably didn't have.
 
BumpInTheNight [TotalFark] [OhFark]
33 minutes ago

Fireproof: I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?


Zoom is a 3rd party out-sourced platform so your in-house IT folks have no better access to follow this up than you do, so unless they were present and noticing the same as you were they're in the dark.  They might appreciate the heads up, I guess is what I'm saying.

If it goes to the point of criminal charges I bet the local police could request access logs for each user, and knowing of one to home in on could be very helpful to them.
 
BumpInTheNight [TotalFark] [OhFark]
28 minutes ago

Fireproof: I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?


To extend on my thoughts above:  Let's say the police did get involved, and they did get access logs and they did home in on this user account as the source of the shiat-speaking:  They could probably look up previous access logs of that user acting normally to confirm if they're coming from the same source IP.  If they were then that confirms your co-worker is about to get a very short email from their boss with HR CC'd, if it's a different IP then at least that confirms the account was coming in from somewhere else and would partially exonerate your co-worker.
 
Smackledorfer [recently expired TotalFark]
23 minutes ago
Considering most breaches are phishing, I don't see why not.
 
Armyrec1 [TotalFark]
22 minutes ago

boozehat: NotThatGuyAgain: Is it correct to label someone a burglar if you leave the keys in your door and they use them to get in your house?

/Jesus, subby, of all the goddam pointless things to argue
//yet I'm arguing
///I AM NOT ARGUING

That's called trespassing. Just because the door is open, it is not an invitation to come in.


That makes it even more tempting as trespassing is typically a misdemeanor and burglary is a felony.
 
covfefe [BareFark]
22 minutes ago

BumpInTheNight: Unfortunately it's not even relevant how they go into the system, merely accessing a system in an 'unauthorized fashion' is enough to be accused/charged of such.

 
Fireproof [TotalFark] [OhFark]
21 minutes ago

BumpInTheNight: Fireproof: I've thought about notifying IT of seeing the screen switch to a "real" user when a hacker was speaking, but then again, surely they know about that, right? What do the IT pros of Fark think?

To extend on my thoughts above:  Let's say the police did get involved, and they did get access logs and they did home in on this user account as the source of the shiat-speaking:  They could probably look up previous access logs of that user acting normally to confirm if they're coming from the same source IP.  If they were then that confirms your co-worker is about to get a very short email from their boss with HR CC'd, if it's a different IP then at least that confirms the account was coming in from somewhere else and would partially exonerate your co-worker.


It was a picture of a black woman and a voice of probably a teenage white man. Definitely not the actual user.
 
halifaxdatageek [TotalFark] [BareFark] [OhFark]
20 minutes ago
My buddies and I have spent the past three months on and off devil's advocate-ing each other about whether Zoom is secure or not.

I like the addition of a password by default, which was designed to AVOID shiat like this when the meeting ID leaks. But Zoom can't prevent folks from just sharing the password too :P
 
Resident Muslim [TotalFark] [OhFark]
17 minutes ago

Smackledorfer: Considering most breaches are phishing, I don't see why not.


Please, don't get me started at how frequently the firm sends us penetration tests by trying to phish us.
But I get it, many people fall for it, and better fall for a fake one* than a real one.

/and get a virtual slap on the wrist
 
BumpInTheNight [TotalFark] [OhFark]
2 minutes ago

Fireproof: It was a picture of a black woman and a voice of probably a teenage white man. Definitely not the actual user.


Doesn't sound like the real legit user then indeed, if the IP of that session was the same as earlier ones from her though that could narrow down to the potential that it's someone else directly accessing her computer/device/home network, possibly a real dick-bag friend of her kid(s) or something though.
 
