back to article Just because we're letting Zoom into Parliament doesn't mean you can have fun, House of Commons warns Brit MPs

Britain's House of Commons' embrace of "hybrid scrutiny" sessions represents the biggest change in its Parliamentary protocol in generations. But guidelines released shortly after the measure was approved show no signs of standards slipping, with members expected to dress smartly and behave with the, er, usual decorum. At any …

  1. Captain Hogwash

    Re: avoid holding sensitive conversations, even when on mute

    Open the pod bay doors HAL.

  2. Warm Braw Silver badge

    The UK has a bicameral parliament

    Not any more, for all meanings of "camera"...

  3. Anonymous Coward
    Anonymous Coward

    UKGovt hacked in 3,2,1....

    https://blog.talosintelligence.com/2020/04/zoom-user-enumeration.html

    The vulnerability arises from the lack of validation to ensure the requesting user belongs to a queried domain. This allows arbitrary users to request contact lists of arbitrary registration domains. The exploitation process requires the user to properly authenticate to Zoom with a valid user account, the user then sends an XMPP message with the content below to receive a list of users associated with the domain arbitrary_domain.com:

    <iq id='{XXXX}' type='get' from='unknown_xmpp_username@xmpp.zoom.us/ZoomChat_pc' xmlns='jabber:client'>

    <query xmlns='zoom:iq:group' chunk='1' directory='1'>

    <group id='arbitrary_domain.com' version='0' option='0'/>

    </query>

    </iq>

    In the reply, the Zoom server discloses a directory of users registered under this domain. This includes details such as the autogenerated XMPP username along with the user's first and last names. This information combined with other XMPP queries could be leveraged to disclose further contact information including the user's email address, phone number and any other information that is present in their vCard. As a large number of users come online with video conferencing for the first time, there is a large attack surface. It's important to note that because this is a server-side cloud issue, as is customary, a CVE will not be assigned.

    1. monty75

      Re: UKGovt hacked in 3,2,1....

      " As of the publication of this blog the issue appears to be patched."

      Not that that proves it's secure now. Zoom have had a rather cavalier attitude to security.

      1. Michael Wojcik Silver badge

        Re: UKGovt hacked in 3,2,1....

        I suspect a certain amount of Dunning-Kruger in the Zoom offices. I don't know him myself, but a friend of mine knows Eric Yuan, CEO of Zoom; and my friend says Yuan is smart and generally well-informed on technological matters, and alert to potential issues.

        So I suspect - based only on this testimonial, mind - that the Zoom development team were told to make security a priority, but lacked the necessary expertise, and weren't aware they lacked the expertise. That would explain one of their most famous blunders, the use of ECB. ECB says "we knew we needed encryption, so we threw in a library and picked some settings without understanding the consequences". Similarly their incorrect1 use of the term "end-to-end encryption" seems more likely due to a failure to employ security experts than a disregard of security.

        That might seem like splitting hairs, and I'm not advocating for Zoom. (I don't use it myself.) But I do think there's a difference in attitude and culpability between Zoom and, say, Voatz. The latter can I think be justifiably accused of both a cavalier attitude toward security and a hostile one toward being called out on it. Zoom, on the other hand, seem to be making good-faith efforts to fix things.

        1In the casual, common sense of "not as understood as a term of art in the industry". In the strict sense there's no governing authority specifying a precise meaning of the term, so they weren't incorrect in any prescriptive sense.

  4. Doctor Syntax Silver badge

    "imagine themselves as posing for a passport photo."

    So no need to look like themselves.

  5. Paul Crawford Silver badge

    Zoom seems to work, but it needs the crap of a exe running on your Windows box, otherwise painless. Security doubtful, owned by Chinese.

    MS teams is crap, while it offers a web browser mode it only works with Chrome (Edge does not count as another browser, it is Chrome). How come a company the size of MS can't make a system that actually works on many browsers like, say, Zoho can? Security maybe better, but USA jurisdiction.

    1. Doctor Syntax Silver badge

      "How come a company the size of MS can't make a system that actually works on many browsers like, say, Zoho can?"

      Don't confuse "can" with "want".

    2. MiguelC Silver badge

      Re: " it needs the crap of a exe running on your Windows box"

      Don't know where you got that idea, as Zoom has versions of it' application for Linux, Mac, Android, etc.

      Also you don't need the .exe file it downloads when you click on an email link (in Windows), you can just copy the meeting ID and join directly on the Zoom app

      1. Anonymous Coward
        Anonymous Coward

        Re: " it needs the crap of a exe running on your Windows box"

        "you don't need the .exe file it downloads when you click on an email link"

        Thank God for that...

        Just click on the link below to see my latest cat video

    3. Yet Another Anonymous coward Silver badge

      >Security doubtful,

      Parliament is public

      >owned by Chinese.

      Public owned, listed on the Nasdaq

      (Of course that's what the lizard people want you to think......)

    4. phuzz Silver badge

      [Teams] only works with Chrome

      Not sure where you got that from mate, I've just tested it in Firefox and even in IE11.

      There's a Linux client as well, although I've not tried that yet.

      1. Paul Crawford Silver badge

        Maybe it is the version of Firefox, but it told me I had to install Chrome. I told them fsck off

      2. Michael Wojcik Silver badge

        Teams seems to be inconsistent. I used to use it for some purposes (not all functions were supported) in Pale Moon and Comodo Dragon, but at some point in, I think, March, I started getting pop-ups telling me that the browser wasn't supported.

        Teams is pretty much rubbish from any angle, with its horrible UI that doesn't use the built-in browser controls (so, for example, you can't use the Chrome Rescroller extension to fix the dreadful too-thin, disappearing scrollbars in most of the panes), its lack of end-user configurability, its utter inability to scroll back through conversations to older posts without going haywire...

        Videoconferencing from the "native" Teams app does seem to work decently for me, though.

  6. Anonymous Coward
    Anonymous Coward

    BBC Dad

    I'm sure everyone has seen this but just in case you haven't (nsfw as has swearing)

    https://twitter.com/Ivorbaddiel/status/1251847717539774466

  7. deadlift

    Double bubble

    Given that Parliament manages to have two separate catering companies depending on which end of the building you're in, it's no surprise that they have competing, incompatible VC systems.

  8. Anonymous Coward
    Anonymous Coward

    Are we talking about Zoom, that bastion of security

    that schoolchildren in New York aren't allowed to use?

    (Or Tesla, Amazon, etc., etc.)

    1. Yet Another Anonymous coward Silver badge

      Re: Are we talking about Zoom, that bastion of security

      To share parliament sittings that are reported in Hansard and broadcast on the Parliament channel ?

  9. Anonymous Coward
    Anonymous Coward

    > Baroness Jean Coussins mentioned that despite the perceived security concerns, she finds Zoom – which is used by the Foreign Office to conduct language lessons – easier to use.

    And what a certain sergeant of mine would have said: you volunteered for the job, nobody asked you to come.

    > Tory peer Lord Kirkhope of Harrogate also raised an issue of usability. Demonstrating a cast-iron grasp of technical terminology, he said: "I congratulate everybody concerned with this effort to set up virtual TV for us.

    Teacher of mine in the 70s said the illiterate of the future would be those who didn't know how to use computers. We all had 40+ years to prepare so not sure what a valid excuse could be.

    1. ibmalone Silver badge

      I wonder what about zoom she thinks is easier? Open application, join meeting. Is that challenging?

      1. hoola Bronze badge

        Perhaps the fact that at the moment you do not need any for of sign in when you are a participant. Click on the link and it just works.

        Zoom my have its issues but other solutions use similar technologies. The only reason Zoom is the focus of attention is because if the huge increase in use.

        As far as the encryption goes, anything that needs to have a traditional phone number dial-in has to be decrypted servers side otherwise you will just send a stream of incomprehensible garbage to those users.

  10. Cuddles Silver badge

    Act with decorum

    "And they definitely should avoid mouthing epithets at other members – a lesson learned by erstwhile Labour leader Jeremy Corbyn in 2018, when he appeared to mutter "stupid woman" at Theresa May."

    Meanwhile in Wales - https://www.bbc.co.uk/news/uk-wales-politics-52385006

    "The health minister has been caught swearing about a Labour colleague in a virtual Welsh Assembly session after he left his microphone on by mistake."

    1. Anonymous Coward
      Anonymous Coward

      Re: Act with decorum

      Add Frank Drebben's trip to the loo in the Naked Gun series...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020