A mailing list member who would like to remain anonymous requested we share this message:
---
My experience with this so far is that technology alone does not appear to be the answer; there are human elements and network effects that are hard to break. Of course, if anybody has any suggestions to this effect, then I'll be happy to listen.

I have recently set up a Jitsi Meet instance on my VPS and proposed the idea of using Jitsi at work. I work at a Silicon Valley company the name of which is irrelevant, but I just wanted to mention that to give you some context here.

My proposal was simple:

1. I presented the relevant facts:
   1. Zoom is not only not end-to-end encrypted, but the company behind it has lied about this. I shared the relevant publication from The Intercept.
   2. As Citizen Lab later showed, video is encrypted using 128-bit AES keys in ECB mode (yuck), and the key first travels through a server in China before it is sent to the parties involved in the call (kill me right there).

2. I proposed the alternative: Jitsi, while also not end-to-end encrypted, allows you to run servers on-premise, so you don't have to trust anyone other than your own ability to set it up correctly (we have IT and security teams, so it shouldn't be hard). While Zoom also allows this (provided you pay top dollar), the software is closed source, so you can't fundamentally trust it; Jitsi, on the other hand, is free/libre software, so you don't have to trust anyone. And I mean, it's also cheaper.

3. Corollary: are you willing to expose trade secrets over a proprietary network you can't trust? And it's not just Zoom whom you are trusting; you are also trusting that none of the state-sponsored hackers and other denizens of similar nature have already broken into the network.

The response I got was as underwhelming as it was unsurprising:

1. Individuals would understandably prefer to use the "company-approved" tool. Even I prefer this given the circumstances, because if I end up getting hacked, the fact that I used the company-approved tool is like a free ticket to zero responsibility. Or at least, it's less bad than getting hacked using your own personal communication channels.

2. The company doesn't really know what Jitsi is, nor do they appear to care much. Everybody is using Zoom, so I guess that gives them a false sense of security: if they get hacked, everybody else gets hacked anyway. More importantly, however, it appears that InfoSec is providing companies tips on protecting their video calls, like setting passwords, screening peers before they are allowed to join the room, muting people by default, etc. They do not appear to have concerns about using Zoom per se, however. If at least the security guys used free software, that would be a start.

3. Another point I imagine is relevant is that not all companies might have the expertise or resources to securely set up Jitsi servers. Understandably, they'd rather outsource that kind of stuff. I suppose you could also pay Jitsi/8x8 to do this, but at that point you are trading away the freedom that comes with running the software on-premise, so you might as well just pay Zoom instead.

So no real buy-in for now. Although I guess that getting Silicon Valley to use free software is like playing the game in ultra-hard mode. I'll keep trying, though.
---

-- 
Greg Farough // Campaigns Manager
Free Software Foundation
Join the FSF and help us defend software freedom: https://my.fsf.org
_______________________________________________ libreplanet-discuss mailing list [email protected] https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
