Chinese translation: Feb (Fortune China). The English original follows.
Virtual conferencing software—most notably Zoom, despite many recently uncovered vulnerabilities—is surging.
The U.S. government considers the remote-working trend to be a matter of national security. The National Security Agency recently released an assessment of 13 of the most popular commercial video chatting tools. In a statement accompanying the report, it said, "By following the practical guidelines, users can draw down their risk exposure and become harder targets for malicious threat actors."
The NSA's highest marks went to Facebook's WhatsApp, Signal (whose code WhatsApp uses), and rival chat app Wickr. Some of the grading criteria: Does the service use end-to-end encryption, which blocks eavesdroppers and snoops? Does it have multi-factor authentication, an option that securely locks down user accounts? Is the technology based on publicly inspectable, open-source code, which is considered more secure than inscrutable proprietary software?
Every other service has at least one deficiency, in the eyes of the NSA. Google G Suite and Microsoft Teams lack end-to-end encryption and do not use open source code. Cisco Webex, Zoom, Slack, and Skype for Business have suboptimal data deletion policies. GoToMeeting has no multi-factor authentication option. SMS texting fails on pretty much all fronts.
The report isn't comprehensive. The NSA makes no attempt to rate code bugginess, nor the prevalence of exploitable vulnerabilities; any discussion of Zoom "zero-days" or Microsoft Teams GIF attacks is out of scope. Facebook's innumerable privacy breaches garner no mention.
John Scott-Railton, a security researcher, griped in a tweet that the report took Zoom's claims of implementing end-to-end encryption at face value, despite his research indicating otherwise. And perhaps most strangely, the report entirely omits a review of Apple's FaceTime, a service frequently praised by security experts.
In their breakneck quests to attract large followings, tech companies often disregard safety measures and proper audits, a decision that juices growth but ultimately hurts users in incalculable ways. As Jeffrey Vagle, an assistant professor of law at the Georgia State University College of Law, notes in a perspicacious piece for the security blog Just Security, businesses all too often fall prey to bad incentives, optimizing for growth rather than security.
A moral hazard, as economists call it.