Zoom Mac Client Vulnerability Enables Cameras Without Permission



Have you used Zoom for web conferencing, podcasting, or anything else? Be aware that there is a vulnerability in the Mac Zoom Client that can enable your camera without your permission. Uninstalling Zoom does not fix the problem.

Jonathan Leitschuh posted a very detailed article on Medium explaining the situation. In short, the vulnerability in the Mac Zoom Client allowed any malicious website to enable your camera without your permission. According to Jonathan Leitschuh, this issue potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

If I’m understanding this correctly, the vulnerability takes advantage of a Zoom feature that allows users to send anyone a link. When the person opens that link in their browser, the Zoom client opens on their machine. A mean-spirited person could embed a specific piece of code into a website. When a Zoom user visits that website, the user will be connected to Zoom with their video running.
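Because the problem described above is a web server that keeps listening on the loopback interface after the client is gone, the practical check on a Mac is to list which processes accept connections on 127.0.0.1 and compare them with what you expect to be there. The script below is an added example, not code from the original post or from Zoom; it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (real lsof options) and flags loopback listeners whose process name is not on an allowlist you maintain. The sample lsof output and the process name `leftoverhelper` are constructed placeholders, not the name of Zoom's real component.

```python
"""Audit loopback TCP listeners on macOS and flag the ones you did not expect.

Added example: parses `lsof -nP -iTCP -sTCP:LISTEN` output and reports any
process bound to 127.0.0.1/localhost that is not on an allowlist. The
SAMPLE_LSOF text and the 'leftoverhelper' process name are constructed for
this example and do not identify any real product's daemon.
"""
import subprocess

# Constructed sample of what `lsof -nP -iTCP -sTCP:LISTEN` prints.
SAMPLE_LSOF = """\
COMMAND          PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd         412 alice   4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
leftoverhelper   877 alice   7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:18080 (LISTEN)
ControlCe        301 alice   9u  IPv6 0x5e6f      0t0  TCP *:7000 (LISTEN)
postgres         990 alice   5u  IPv4 0x7081      0t0  TCP 127.0.0.1:5432 (LISTEN)
"""

# Processes you knowingly run on loopback; anything else gets reported.
ALLOWLIST = {"postgres"}

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def parse_listeners(lsof_text):
    """Turn lsof LISTEN lines into dicts with command, pid, host and port.

    The NAME column looks like '127.0.0.1:18080 (LISTEN)', so the address is
    the second-to-last token and '(LISTEN)' the last; parsing from the end
    keeps this robust if lsof adds or pads columns.
    """
    listeners = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 10 or not parts[-1].startswith("(LISTEN"):
            continue
        host, _, port = parts[-2].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append({
            "command": parts[0],
            "pid": int(parts[1]),
            "host": host,
            "port": int(port),
        })
    return listeners


def loopback_only(listeners):
    """Keep only sockets bound to the loopback interface."""
    return [l for l in listeners if l["host"] in LOOPBACK_HOSTS]


def unexpected_loopback(listeners, allowlist=ALLOWLIST):
    """Loopback listeners whose process name is not on the allowlist."""
    return [l for l in loopback_only(listeners) if l["command"] not in allowlist]


def live_listeners():
    """Run lsof on this machine (macOS/Linux) and parse the result."""
    result = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=False,
    )
    return parse_listeners(result.stdout)


if __name__ == "__main__":
    for l in unexpected_loopback(live_listeners()):
        print(f"unexpected loopback listener: {l['command']} (pid {l['pid']}) "
              f"on {l['host']}:{l['port']}")
```

On the constructed sample this reports only `leftoverhelper` on 127.0.0.1:18080; `rapportd` and `ControlCe` are skipped because they bind all interfaces rather than loopback specifically, and `postgres` is allowlisted. A listener you cannot account for is worth inspecting with `ps -p <pid>` and, if it belongs to software you removed, unloading its launch agent.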

Zoom posted a “Response to Video-On Concern” on the Zoom blog. In the blog, Zoom explains that “if the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed.”

Zoom explains that the Zoom client runs in the foreground upon launch. It would be readily apparent to a user that they had unintentionally joined a meeting, and the user could change their video settings or leave the meeting immediately. According to Zoom, “we have no indication that this has ever happened.”

You can click on a link in the Zoom blog to connect with their support team. Zoom says it will go live with a public vulnerability disclosure program in the next several weeks. Until then, I recommend putting a sticker over your camera.


Instagram Bullying #1380



Instagram bullying is on the decline according to the company, as they have been stepping up moderation and using AI to detect activity that should be reviewed. It’s an uphill battle as their number of users continues to grow and people find innovative ways to beat the current systems. Lots of continued travel on my end, and recording on the road is starting to feel like the new norm.

Subscribe to the Newsletter.
Pickup Ohana Gear.
Join the Chat @ GeekNews.Chat (Mastodon)
Email Todd or follow him on Facebook.
Like and Follow Geek News Central Facebook Page. Download the Audio Show File

Support my Show Sponsor:
30% off on New GoDaddy Orders cjcgeek30
$4.99 for a New or Transferred .com cjcgeek99 @ GoDaddy.com
$1.00 / mo Economy Hosting with a free domain. Promo Code: cjcgeek1h
$1.00 / mo Managed WordPress Hosting with free Domain. Promo Code: cjcgeek1w
Become a GNC Insider: Support this podcast



California Law Bans Bots from Pretending to be Real People



California has passed a law that went into effect on July 1, 2019. It amends part of the state’s existing Business and Professions Code. The purpose of the amendment is to require bots to make it clear that they are not a human.

The “Bots: disclosure” amendment includes the following:

It shall be unlawful for any person to use a bot to communicate with or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election. A person using a bot shall not be liable under this section if the person discloses that it is a bot.

A “bot” is defined as: “an automated online account where all or substantially all of the actions or posts of that account are not the result of a person.”

A “person” is defined as: “a natural person, corporation, limited liability company, partnership, joint venture, association, estate, trust, government, governmental subdivision or agency, or other legal entity or any combination thereof.”

According to The New Yorker “Violators could face fines under the statutes related to unfair competition.” The article points out that California is “testing society’s resolve to get our (virtual) house in order after more than two decades of a runaway Internet.”

The legislation is a California state law. This means that the person behind a bot will have to disclose itself as a bot if it communicates with people who live in California. That said, those who are running bots will, by default, likely have to disclose that they are a bot to everyone on social media in order to avoid being fined by California’s law.


Microsoft Introduces New Outlook on the Web



Microsoft has introduced a new Outlook on the web. In the past 8 months, Microsoft made improvements to the new Outlook based on submitted feedback and suggestions.

Email is the heart of Outlook and where people spend a significant part of their day. We have designed the new mail experience around you and the people that are important to you – You can personalize your experience, have a little fun, do things faster, and keep those people front and center with new updated features.

Features include:

Categories – Now easier to identify, right from your message list. Categories make it easy to tag, find, or organize your messages. Add multiple categories to a message, add a category as a favorite, or use Search to find it.

Dark Mode – Personalize your inbox with dark mode for those times when your eyes are a little tired. You can “turn on the lights” when you want to read a specific email or when composing one.

Expressions – Microsoft now allows you to add emojis and GIFs to your messages from Outlook.

Favorites – You can favorite a contact, a group, or a category so you have easier access and can see the message count for each. Once you favorite them, they sync to Outlook mobile, too.

Time Management – Microsoft recently announced new features in Outlook to help you save time with intelligent technology. Meeting Insights gives you relevant information so you can quickly prepare for your meeting. Suggested Replies let you quickly pick from a few options and send an email. One suggested option is “schedule a meeting”, which helps you book meetings faster.

The new Outlook experience will start in late July. Your ability to see it appears to depend on whether or not your organization has blocked the opt-in toggle. The Outlook update is clearly designed for business needs.

Those who use email mostly to communicate with friends and family do not need it. Some of these new features for Outlook have already been introduced in Gmail and other services.


Hacker Gets 27 Months in Prison for DDoS Attacks



A few years ago, a hacker decided to be a jerk right around Christmas time. He launched DDoS attacks against several gaming companies. The purpose seemed to be to prevent children (and adults) who received new video games and/or consoles as gifts from being able to use them. This mean-spirited hacker has now been sentenced to 27 months in prison.

Information about this case was posted on the U.S. Department of Justice website (more specifically, on the part for the U.S. Attorneys Southern District of California). The information was posted on July 2, 2019.

Austin Thompson of Utah was sentenced in federal court today to 27 months in prison for carrying out a series of so-called denial-of-service computer hacking attacks against multiple victims between 2013 and 2014. The defendant was also ordered to pay $95,000 in restitution to one of the victims – Daybreak Games, formerly Sony Online Entertainment.

Austin Thompson is free on bond, and must surrender to authorities on August 23, 2019.

ZDNet reported that Austin Thompson is 23 years old, and used the name @DerpTrolling on Twitter. He used that Twitter account to announce attacks and also to take requests for services that other Twitter users wanted him to take down.

According to ZDNet, Austin Thompson launched DDoS attacks against Sony’s PlayStation Network, Valve’s Steam, Microsoft’s Xbox, EA, Riot Games, Nintendo, Quake Live, DOTA2, and League of Legends Servers, among others.

Hopefully, this will be a warning to other “trolls” who think it would be funny to launch DDoS attacks “for the lulz”. There is now legal precedent that launching a DDoS attack can result in a huge fine and prison time.


Superhuman Makes Changes After Criticism



Superhuman describes itself as “the fastest email experience ever made”. That may sound great to people who send and receive a lot of email. Unfortunately, Superhuman was also doing some very creepy, and potentially dangerous, things.

After some very detailed criticism of Superhuman by Mike Davidson (on his personal blog), the Founder and CEO of Superhuman, Rahul Vohra, decided to make some badly needed changes.

Mike Davidson pointed out that Superhuman decided to embed hidden tracking pixels inside of the emails that customers of Superhuman send out. Superhuman called that feature “Read Receipts”. It turns on by default for Superhuman customers, and without the consent of the recipients of the emails.

The so-called “Read Receipt” function enables the sender to know how many times the recipient opened that email, the times the email was opened, and the location of the recipient when they opened it. The recipient, who likely is not using Superhuman for their email, has no idea they are being tracked this way. In short, this function enables people to stalk whomever they send an email to.

Rahul Vohra provided details about changes that he would make to Superhuman in a post on Medium. In it, he explains how Superhuman users can turn read statuses off. When you do that, Superhuman will not include tracking pixels in sent emails.

Superhuman will also stop logging location information for new email. It will no longer show location information. They are deleting all historical data from their apps, and making the “read status” feature something users must opt-into.

Personally, I think that means that some of the email you receive from Superhuman users will contain tracking pixels. The opt-in does not solve the problem – it allows it to continue.

I highly recommend reading both of those posts in order to get the full details about the situation. The problems with Superhuman could have been avoided if Rahul Vohra and his team had bothered to take the time to get feedback from a diverse group of people before implementing features that invade people’s privacy.
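Since the post above says an opt-in means some mail from Superhuman users will still carry tracking pixels, the recipient's side of the problem is spotting them. The script below is an added example, not code from the original post or from Superhuman; it scans an HTML message body for `<img>` elements that point at a remote URL and are either 1x1 (or smaller) or hidden by inline style, which is how read-receipt pixels are usually embedded. The sample message, its hostnames and URLs are constructed for this example.

```python
"""Flag likely tracking pixels in an HTML e-mail body.

Added example. A tracking pixel is a remote image that is too small or too
hidden to be meant for the reader: loading it tells the sender's server that
the message was opened, when, and from which IP. Inline (cid:) and data:
images are ignored because they cannot phone home. SAMPLE_EMAIL is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a real logo, a classic 1x1 open-tracking gif, an inline
# signature image, and a pixel hidden with CSS rather than width/height.
SAMPLE_EMAIL = """
<html><body>
<p>Hi, see the attached proposal.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/open/ab12cd34.gif" width="1" height="1" alt="">
<img src="cid:signature@example" width="1" height="1">
<img src="https://track.example.net/px/ef56.png" style="display:none; width:0; height:0">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag (self-closing or not)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '1', '1px', '0' into an int; None for 'auto', '' or missing."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def _style_rules(style):
    """Turn 'display:none; width:0' into {'display': 'none', 'width': '0'}."""
    rules = {}
    for decl in style.lower().split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            rules[key.strip()] = value.strip()
    return rules


def _is_tiny_or_hidden(attrs):
    """True if width/height attributes or inline style make the image invisible."""
    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    rules = _style_rules(attrs.get("style", ""))
    if rules.get("display") == "none" or rules.get("visibility") == "hidden":
        return True
    sw, sh = _dimension(rules.get("width", "")), _dimension(rules.get("height", ""))
    return sw is not None and sh is not None and sw <= 1 and sh <= 1


def find_tracking_pixels(html_body):
    """Return the remote URLs of images that look like tracking pixels."""
    parser = _ImgCollector()
    parser.feed(html_body)
    parser.close()
    hits = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        if urlparse(src).scheme.lower() not in ("http", "https"):
            continue  # cid:/data: images never leave the mailbox
        if _is_tiny_or_hidden(attrs):
            hits.append(src)
    return hits


def tracker_hosts(html_body):
    """Distinct hostnames that would learn the message was opened."""
    return sorted({urlparse(u).hostname for u in find_tracking_pixels(html_body)})


if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_EMAIL):
        print("tracking pixel:", url)
    print("hosts notified on open:", tracker_hosts(SAMPLE_EMAIL))
```

On the sample this flags the two `track.example.net` images and leaves the logo and the inline signature alone. The simplest mitigation does not need the detector at all: a mail client set to not load remote images by default never fires the pixel, which is why that setting matters more than any per-sender opt-in.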


SpaceX Reusability Plan #1379



SpaceX is ramping up its reusability of rocket bodies, and even I am amazed at their end goal of re-using a rocket body up to 100 times. I have some thoughts on what this means for everyone over time and the upfront risk it poses to SpaceX. I am a road warrior at the moment and working as hard as I ever have. The show will be off for the 4th and I will be back next week with you for a two-show week.

Subscribe to the Newsletter.
Pickup Ohana Gear.
Join the Chat @ GeekNews.Chat (Mastodon)
Email Todd or follow him on Facebook.
Like and Follow Geek News Central Facebook Page. Download the Audio Show File

Support my Show Sponsor:
30% off on New GoDaddy Orders cjcgeek30
$4.99 for a New or Transferred .com cjcgeek99 @ GoDaddy.com
$1.00 / mo Economy Hosting with a free domain. Promo Code: cjcgeek1h
$1.00 / mo Managed WordPress Hosting with free Domain. Promo Code: cjcgeek1w
Become a GNC Insider: Support this podcast
