By John Gruber
NASA, with some much-needed good news:
Enter a cleaner, sleeker design born of the Federal Design Improvement Program and officially introduced in 1975. It featured a simple, red unique type style of the word NASA. The world knew it as “the worm.” Created by the firm of Danne & Blackburn, the logo was honored in 1984 by President Reagan for its simplistic, yet innovative design.
NASA was able to thrive with multiple graphic designs. There was a place for both the meatball and the worm. However, in 1992, the 1970s brand was retired - except on clothing and other souvenir items - in favor of the original late 1950s graphic.
Until today.
This should be the only logo NASA uses. 45 years old and it still feels like the future.
Security researchers Bill Marczak and John Scott-Railton, in a cogent, eye-opening report for the University of Toronto’s Citizen Lab:
Key Findings:
Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
Apparently these security researchers aren’t aware that Zoom was designed with the security and privacy needs of the enterprise in mind.
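To make the ECB finding concrete, here is an added Go example that is not part of the original post or of the Citizen Lab report. It encrypts a constructed 64-byte "frame" made of four identical blocks under one AES-128 key, first in ECB mode as the report describes and then in CTR mode for contrast, and counts repeated 16-byte ciphertext blocks, which is the check an analyst can run over captured traffic; the key, the sample frame, the CTR comparison and the repeated-block check are all assumptions added here, not values or code from Zoom or the report.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt runs AES on each 16-byte block of pt on its own, which is all ECB
// mode is (Go ships no ECB helper on purpose). A partial tail block is dropped.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt)-len(pt)%aes.BlockSize)
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// ctrEncrypt uses AES-CTR with a fresh random IV (prefixed to the output), so
// equal plaintext blocks no longer produce equal ciphertext blocks.
func ctrEncrypt(block cipher.Block, pt []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err) // no usable entropy: nothing sensible to do but stop
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return append(iv, ct...)
}

// repeatedBlocks returns how many 16-byte blocks of ct duplicate an earlier one.
// Over captured packets, a non-zero count is the fingerprint ECB leaves.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	n := len(ct) / aes.BlockSize
	for i := 0; i < n; i++ {
		seen[string(ct[i*aes.BlockSize:(i+1)*aes.BlockSize])] = true
	}
	return n - len(seen)
}

func main() {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed AES-128 key
	pt := bytes.Repeat([]byte("same video block"), 4)      // constructed 64-byte frame
	if err != nil {
		panic(err)
	}
	fmt.Println("ECB repeats:", repeatedBlocks(ecbEncrypt(block, pt)), "CTR repeats:", repeatedBlocks(ctrEncrypt(block, pt)))
}
```

The ECB output shows three repeated blocks for this frame (four identical plaintext blocks map to four identical ciphertext blocks), while the CTR output shows none.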
Drew Harwell, reporting for The Washington Post:
Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed.
Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes. Other videos include nudity, such as one in which an aesthetician teaches students how to give a Brazilian wax. […]
But because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos elsewhere that anyone can download and watch. The Washington Post is not revealing the naming convention that Zoom uses, and Zoom was alerted to the issue before this story was published.
But Zoom was designed for the enterprise. I don’t get how this could happen.
Because it’s by Glenn Fleishman, this piece is both a great read and comprehensive. Because it’s comprehensive — and about Zoom — it’s remarkably long.
Zoom founder and CEO Eric S. Yuan:
Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:
- Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
Good for Zoom. I mean that. And no one can complain that Zoom acts slowly: on Wednesday they released a new version of their Mac app that fixed their installer issues and the security vulnerabilities discovered by Patrick Wardle just one day prior. They fixed at least one major Windows problem this week too.
But this blog post from Yuan contains a lot of bullshit:
First, some background: our platform was built primarily for enterprise customers — large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.
However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.
These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform.
It makes no sense on the surface that a product purportedly designed for the enterprise would have lousy security and privacy. Most of the known problems with Zoom are specifically about all the corners they cut to ease onboarding for consumer users. The truth is Zoom has had a bifurcated strategy: one for enterprise and one for consumers. The consumer thing did not just sneak up on them in the last few weeks.
For chrissake just think about that secretly-installed hidden web server issue from last summer. That wasn’t a feature for the enterprise. Zoom has been playing very loose with consumer security and privacy not by accident, but as part of a strategy that emphasized ease of use above all else.
White paper jointly authored by seven professors at Yale, including economists, statisticians, and MDs:
We estimate that the benefits of each additional cloth mask worn by the public are conservatively in the $3,000-$6,000 range due to their impact in slowing the spread of the virus. The benefits of each medical mask for healthcare personnel may be hundreds of times larger, and there is an ethical imperative to safeguard frontline healthcare workers. We must both encourage universal mask adoption and deal with the urgent policy priority that front-line healthcare workers face shortages of personal protective equipment, such as N95 respirators and surgical masks.
Twitter thread from lead author Jason Abaluck:
We have very good evidence that universal adoption of cloth masks will combat the spread of the virus. Specifically, we know that 1) asymptomatic people spread the virus, 2) mask wearing by infected people prevents them from transmitting the virus (the report provides citations).
How large are the benefits? Even if masks reduce transmission probabilities by only 10% (and as you’ll see, that is likely very conservative), the value of each cloth mask is between $3,000 and $6,000. Our best estimate is that their protective value is closer to 40-50%.
These estimates are of course sensitive to the assumptions made in the underlying epidemiological models. But even if those models overstate mortality risk by a factor of TEN, each cloth mask conservatively generates $300 in value!
Basically: even if cloth masks only reduce the rate of transmission a little (say 10%), every single one worn is incredibly valuable. And the current best estimates are that cloth masks in fact reduce transmission by 40-50%.
Both the paper and Abaluck’s tweet thread are worth reading in full. But the takeaways are: make cloth masks and wear them if and when you must venture out; reserve all medical-grade masks for health workers.
And I’ll add this: it’s humiliating that the richest nation in the history of civilization has no supply of paper fucking surgical masks. We should be handing them out like candy but we can’t.
Addy Baird and Miriam Elder, reporting for BuzzFeed News:
The Centers for Disease Control and Prevention called for all Americans to wear face coverings in public to help stop the spread of the coronavirus Friday, pushing for people to wear cloth coverings like a bandana or a scarf.
Announcing the move at his daily briefing, President Trump undermined the recommendation of his experts by emphasizing that it was voluntary and he would not be wearing one.
“So it’s voluntary, you don’t have to do it,” he said. “They suggest it for a period of time. This is voluntary, I don’t think I’m gonna be doing it.”
This fucking guy.
In the recommendation published online Friday, the CDC said that because the virus can “spread between people interacting in close proximity,” they would recommend “wearing cloth face coverings in public settings where other social distancing measures are difficult to maintain (e.g., grocery stores and pharmacies) especially in areas of significant community-based transmission.”
I implore all of you, get on board with Team Face Mask. Stay at home, wash your hands, use hand sanitizer, keep your distance from others when out, and, when out, wear a face mask. Everything we can do helps, and wearing a mask helps.
Michelle Goldberg, in her column for The New York Times:
Kushner has succeeded at exactly three things in his life. He was born to the right parents, married well and learned how to influence his father-in-law. Most of his other endeavors — his biggest real estate deal, his foray into newspaper ownership, his attempt to broker a peace deal between the Israelis and the Palestinians — have been failures.
Undeterred, he has now arrogated to himself a major role in fighting the epochal health crisis that’s brought America to its knees. “Behind the scenes, Kushner takes charge of coronavirus response,” said a Politico headline on Wednesday. This is dilettantism raised to the level of sociopathy.
The Times seems unsure how to headline this column. Right now on the web it’s running as “Putting Jared Kushner In Charge Is Utter Madness”. The <title> element in the page’s HTML (which, as I’ve noted several times in the past, often doesn’t change in many CMSes) is the rather anodyne “Jared Kushner Will Not Save Us From the Coronavirus”.
But when it first hit Twitter earlier today, the headline read “Jared Kushner Is Going to Get Us All Killed”.
In my piece yesterday on the Amazon/Apple deal with Prime Video and Apple TV, I snuck in this sidenote regarding the French video service Canal+:
(So the “+” is pronounced plooce, not pluss.)
I heard from a bunch of French readers that the French hard U doesn’t sound anything like oo in English. Alas, looking into it, the French hard U doesn’t sound like anything in English. Maybe I should’ve spelled my phonetic approximation pleuse (like deuce), but given my hopelessly U.S.-English-centric ears, I should probably just give up.
From Apple’s updated Platform Security Guide:
All Mac portables with the Apple T2 Security Chip feature a hardware disconnect that ensures the microphone is disabled whenever the lid is closed. On the 13-inch MacBook Pro and MacBook Air computers with the T2 chip, and on the 15-inch MacBook Pro portables from 2019 or later, this disconnect is implemented in hardware alone. The disconnect prevents any software — even with root or kernel privileges in macOS, and even the software on the T2 chip — from engaging the microphone when the lid is closed. (The camera is not disconnected in hardware, because its field of view is completely obstructed with the lid closed.)
iPad models beginning in 2020 also feature the hardware microphone disconnect. When an MFi-compliant case (including those sold by Apple) is attached to the iPad and closed, the microphone is disconnected in hardware, preventing microphone audio data from being made available to any software — even with root or kernel privileges in iPadOS or in case the firmware is compromised.
That first paragraph above is not new; the second paragraph obviously is. This is what it looks like when a company is focused on security as an utmost priority. (Via DJ Capelis.)