76 comments

[ 3.7 ms ] story [ 136 ms ] thread
LMAO, right. Lets see them catch the people doing this. Laughable at best.
Zoom has account & ip information and most of these people aren't going to be using a real vpn. It's probably easier to track them than swatting calls going to voice services.
I'm pretty sure that pretty much all of the people doing that will be using vpns. I mean come on, vpns are one of the most known services on the internet. In the wake of shadowbaning, global silencing by social networks and being penalized on the basis of anything that deviates at least a bit from the norm, anybody who wants to speak like a normal person on the internet has to use a vpn. You can bet that whoever goes way beyond what is considered normal on Zoom will be using a vpn.
Many people zoombombing are likely kids who don’t know any better, their OpSec is probably pretty poor.
Great, so you scoop up a bunch of 12 year-olds who don't know any better and send them to juvie. Sounds like a net positive on society.

/s

Nobody's yet proposed any concrete sentencing, and that is something the courts have a lot of leeway in, especially with 12 year olds.

Given reasonable handling (i.e. no actual prison sentences): yes, it does indeed sound like a net positive on society if a bunch of 12 year-olds learns to know better that stupid shit can have real, serious consequences.

Or society can learn that a 12yo has a very poor judgement and treat seriously the thing that actually matters - that most people have no knowledge or common sense with regards to security. If a 12yo can distrupt your corporate meeting, then IMHO the problem is not that underage kids are prone to stupid pranks. This is nothing else than an outlash by people who feel humiliated. Maybe, just maybe, they should feels stupid for a bit.
Very likely kids. I've been seeing tons of links to meetings with passwords being dropped into Discord chats asking for someone to bomb it at a certain time. While certainly there are some sophisticated bombers out there, it seems like there are quite a few who are just classmates wanting to disrupt classes.
> Zoombombing isn't a harmless prank; it's a crime.

These are by no definition mutually exclusive, unless you’re considering the harm of over litigious prosecutors on society.

> disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications

Uhh majority of those seem highly dependent and mostly disconnected from the actual zoomboming act and moreso with what you do once you're in the session.

Also, I'm not sure offhand what all entail "computer intrusion", but from my brief reading here[0], it seems that they must he stretching the definitions. Are you really "hacking" if you just join a meeting that someone posted openly on reddit, inviting others to troll? On the other hand, I've heard of people being prosecuted successfully for typing /../ in a URL or something along those lines.

Not defending people who do it, at least not on principle, but I'm just wary of the application of those laws. Out of all of them the first is the only that makes any sense, but zoom meetings are public now?

[0]https://www.wklaw.com/computer-intrusion-under-federal-law/

(comment deleted)
It's all about intent, not about how you did something or what.

>you just join a meeting that someone posted openly on reddit, inviting others to troll?

If you joined the meeting with the full knowledge and intention of trolling yes, that falls under statute. What that other person did doesn't really matter in your prosecution, he might be prosecuted as an accessory to your crime, but his actions don't provide you enough defensive cover.

What you're stating is like a gun murderer saying "I only pulled a lever, which billions of people do every day".

If someone posted a deep URL to a hospital oxygen system inviting reddit to troll, and you go there with the knowledge and intention to troll, and press the off switch and kill a bunch of people, you're going to be prosecuted for their deaths. "I just clicked a button lol" isn't a good defense and will probably just make the judge and jury think even worse of you. Same with typing /../, you're trying to access hidden and potentially protected sensitive information. It's like trying the handles of the cars parked on the road.

If cost_of_quality < cost_of_lobbyism_for_punishment do spend_more_on_lobbyism() end
This is an interesting topic. If I equate this to the physical world, would this be similar to a public town meeting being held with no security and no locked doors, then a protester walks in and starts protesting? What are the protestors typically charged with successfully?

This also reminds me of Gary McKinnon who logged into NASA windows servers as Administrator with a null password and no firewall. [1] He was looking for proof of UFO's. Point being, there was no security on the systems and so Gary basically walked in as a guest. No hacking required.

[1] - https://www.theguardian.com/uk/2009/may/25/gary-mckinnon-ext...

Isn't it more like a private meeting, say, in your house that has a door that's unlocked?

I personally dislike applying digital settings to real-world, but if you're going to make a comparison these aren't for the public or on public property.

Private homes have special protection (and would be more analogous to private computers).

This is more like invading rented lounge/room in a pub.

For a lot of kids, this is the same as ringing a door bell and running with your friends. Honestly if I were a kid today I wouldn’t be able to resist the urge to troll our remote class meetings with my friends.
I got a felony (which was later dropped) pressed against me for something like this. Changed my highschool's website to a rickroll, ended up in cuffs.
Thats not the same thing at all. You probably violated usc 1030 b-e
So how did you do it?
The system admins used the same password for everything. We ran the windows password file against a rainbow table. Once we figured out the password and that it worked on the admin portal to the website, we couldn't resist for the laughs.
LOL I don't blame you! Nice work! Sounds like you were a bright, bored kid!

What are you doing these days?

Thanks! Still a hacker. Mainly JS, React, Rails, and Flutter these days. :)
Or possibly a more apt question, how old were you when you decided to do this?
> Changed my highschool's website to a rickroll

Sounds like more than joining a meeting you're not supposed to join (and share your screen). Sounds like actual hacking, like an actual crime.

But I'm on your site, if a student can hack the school, the school should be charged for having such vulns. Same logic on zoom: if you don't have a password / leak that password, it's no wonder that people join. If you design a system so anyone can enter private calls by guessing 9 digits, you're not making private calls.

(comment deleted)
I'm curious what distinguishes those kids who can vs. can't resist that urge.

I don't mean that judgmentally. I'm just curious if/how various factors (pyschology; impulse control; family environment; etc.) come into play.

Ringing the bell and running is a massive adrenaline rush.

Trolling the teacher in school is just plain fun. I’m rolling with the parallels today, but again, it’s the same as throwing a paper ball at the teacher when they turn around to write on the board. Most kids in the classroom don’t do it, but it’s just a ton of fun because the teacher doesn’t know who in the crowd did it (and the class doesn’t rat anyone out). You effectively disrupt class for several minutes, and the majority of the class loves that. Same is probably happening with Zoom, the kids are deliberately sharing the links.

Now, if you’re looking for a answer along the lines of ‘are there particular kids that are hyperactive and lack impulse control’, you won’t get that answer from me. Most of us grew out of this by High School, and we’re all doing fine. But, you couldn’t take the joy of doing this stuff away from me in Middle School.

There is one word to describe that mentality and mindset. It also appears in the name of this site we are commenting on.
> I'm curious what distinguishes those kids who can vs. can't resist that urge.

Friends pushing (or being in awe of) it

growing up in the 70/80ies making prank calls to random people was one of our most fun things to kill boredom.

my fav one was we called some rando and ask for "Frank". The obvious answer was "There is no Frank". You repeat this a couple of times until they get really annoyed, then wait a few hours and have the second person makes the call and say "This is Frank, has anyone called for me?"

Another one was us calling a classmates parents home who we didn't like and who liked to bully us. Convince the parents that the son filled out a form for a raffle at our mall and he won and the parents should come to shop XYZ to pick up the price. Knowing personal info helped with the social engineering ofc.

All this today would create a sh1tstorm but it was business as usual back then. Nobody cared and some people/victims actually saw the humor and even laughed.

This rings as an especially empty threat. Even with account data and IP addresses, it would be costly and time consuming for the police to track down and charge the "zoombombers" - even if all the attackers were part of their jurisdiction.

Their effort would be better spent recommending alternative services or providing guidance for how to configure private Zoom calls.

They only need a couple dozen well-publicized arrests and prosecutions to deter 99% of the trend.
Yes, thankfully we don't have online drug sellers or ransomware hackers anymore. Arrested a couple and all the online crime stopped.
A security concept so vulnerable to this should be the real crime. Kids like to troll, this has always been the case and will always be the case. I am quite annoyed the internet culture is more and more invaded by these lawyers. The internet has always and should always be built on the concept that whatever can be exploited will be and the people who open themself to exploits carry the majority of blame. Maybe that's just my wishful thinking for a more wild west anarchistic internet...
So you wish that the digital world, a place where the majority of the youth are spending an ever-increasing amount of their time, to be subject to a culture we wouldn't tolerate in the physical world? Perhaps first define an internally consistent worldview. The reality is the internet isn't this blank space for hackers experimentation and exploitation anymore (used to be one of those kids by the way). It's becoming more and more integral to people's lives. It can cause real harm to people. It can even cause the loss of life. These things need to be taken seriously much more so than our childish notions of some anarchistic society of hackers and trolls doing as they please. Save that for the playgrounds and the skateparks. The real world works differently.
If you leave a door open in the "physical world", someone will enter. If you have easy to exploit vulns, you'll be exploited.

I tolerate that logic in the real life. Ofc the people who enter are bad, but there will always be bad people, so you're to blame for not protecting against them.

That is true, but it is also true that people are rightly punished for doing so.
When it comes to technology, I trust NP-hard problems much more than any government's court system.

Rooms are password-protected by default. If it must be public, enable the waiting room feature (though there are currently undisclosed zero-day's for it).

Apply that to the real world, if someone broke into your house with a battering ram you wouldn't report the theft and intrusion, and would just try to build a 6 inch thick steel door?
Sure, if it was as cheap and easy as setting a password I'd gladly build a 6-inch steel door.
They are not bad, they are just rascals. Must we live in a binary world? The kids are going to do this, implement some good moderator tools for the host of these meetings so they can ban ips, disable features. Those moderating feature literally exist because this is the reality of trolling since the beginning of time.

We’re a community of mostly professional tech workers, and even we need shit to downvote and flag stuff.

There's a term for this. "Victim Blaming".

Its also the same kind of excuses heard when a woman was dressing well and gets raped. Then the refrain is "she was asking for it", or "she deserved it with the way she dressed".

Notice that if a front door is unlocked and someone goes inside, its still trespassing. Just because its easier to commit a crime doesnt make the thing not a crime.

(Please note, that I'm making this argument in good faith. I'm sure many here have digitally trespassed on others' computer systems without permission. It's not "trolling"; its a straight-up violation of the CFAA.)

It's still trespassing, but it isn't breaking and entering. Visiting a public URL isn't hacking.
That's definitely still to be argued.

I would have a reasonable amount of privacy if I used a random GUID to provide a hidden link. In that implementation, the link is a username-less password. That's how Craigslist, Pastebin, and email resets for all sorts of services work.

And that too goes to the heart of passwords are inherently obfuscation. But that's a discussion for another time.

Yes, but you still don't leave your door open when leaving your house even when everybody perfectly knows that trespassing is a crime.
(comment deleted)
"Its also the same kind of excuses heard when a woman was dressing well and gets raped. "

Are you high? This is in an entirely different ballpark. You are not seriously equating some trolling and digital damage with the violation of a human body, are you?

Obviously if there are serious consequences there needs to be a deterrant, but this is some trolling on the internet, not rape.

We are "victim blaming" people for severe neglect all the time. Look at Facebook and other services if user data is stolen. It's called neglect or do you say "oh the hacker shouldn't have stolen the data, not Facebook's fault".

> Are you high?

Really now? That's uncalled for.

> You are not seriously equating some trolling and digital damage with the violation of a human body, are you?

I am not equating digital trespass with rape. However I am comparing that victim blaming has been used to deflect both, and in the rape, victim blaming is finally rejected as any sort of valid response.

> Obviously if there are serious consequences there needs to be a deterrant, but this is some trolling on the internet, not rape.

That makes trolling sound awfully close to "locker-room talk".

> We are "victim blaming" people for severe neglect all the time. Look at Facebook and other services if user data is stolen. It's called neglect or do you say "oh the hacker shouldn't have stolen the data, not Facebook's fault".

You use the word "neglect". Keep in mind that neglect of a dependent is a crime (indiana https://www.in.gov/meth/files/IC_35-46-1-4_Neglect_of_a_Depe... ). And that definition of neglect doesn't match up with yours in much of any ways. However it is neglect of a dependent if school admins allow sex crimes to happen against public school students in their stead....

And FB is its own problem. Please stop trying to move goalposts.

This is a classic case of false equivalence. The door trespassing thing seems like a clear straw man. Where is that logical fallacies infographic when you need it.
Sometimes blame can be shared among more than just one. If I go run around on the highway and someone hits me, is it purely the fault of the driver that hit me? Is it victim blaming to say I should not have run around on the highway?
If someone’s house is robbed because their front door was left unlocked you might admonish them for poor security practices, but no one really debates that the robber was in the wrong and committed a crime.
leaving the front door, or your parked car window open, or your wallet on the table when visiting the toilet in the pub is illegal, and you can get fined for it in most countries.

edit: couple of sources:

AU: https://www.examiner.com.au/story/442855/police-warning-over...

DE: https://www.augsburger-allgemeine.de/panorama/Ein-offenes-Au...

I am pretty certain that this isn't true. At least the "most countries" part.

How would they even catch you? Do you live somewhere where the police go door-to-door checking locks? Because that's terrifying...

(comment deleted)
Citation very much needed. I've done all of these things in the rural midwest for many years. A lot of times I didn't even take the keys out of the ignition.
Is robbing a house with the front door open, or unlocked car or stealing wallet left on table legal in those countries?
To be clear, that isn't something in all of AU, it's a local law in Tasmania: "The regulation was introduced to the Tasmanian Traffic Regulations in November 2009". And I'm not positive about the German article, but it seems to imply that's a local Munich ordnance.

Oh, and none of this contradicts the main point, which is that nothing in those articles suggests that robbing an unlocked car is legal.

EDIT: though interestingly, at least in some municipalities breaking into an unlocked car may be a lesser crime than forcibly breaking into a locked car. Still a crime, but basically you're charged simply with stealing rather than some sort of breaking and entering.

Well, that's theft, which is entirely separate from intrusion.

Let's say you left your front door unlocked overnight, and a teenager opened it and screamed "LEROY JENKINS!" as loud as he could into your home, waking your whole family up, before closing the door and running away.

Would you really say that the teenager deserves to be charged with trespassing or B&E for this? Is jail really the answer to this transgression? If it happened every night, wouldn't you mostly be to blame for never locking your door, especially after experiencing first-hand what happens when you do not?

If Zoom is an analogy for your home, then imagine that your landlord refuses to put an actual lock on the door of your apartment, even after you tell him that people are opening it and screaming into your home.

With that said, most computer intrusions don't include theft or damages of any kind, so theft really isn't a great analogy. If someone does damage, they have done more than simply intrude.

And if you refuse to take steps to prevent these things from happening, the more it happens, the more it becomes your fault (of the fault of whoever is in charge).

> Would you really say that the teenager deserves to be charged with trespassing or B&E for this?

Absolutely yes, so that they can learn stupid stuff like this is not tolerated. What if in the middle of that B&E the homeowner shoots the harmless kid?

This idea that petty crimes are tolerable so long as the perpetrator has a "good intentions" is pure irresponsible silliness.

(comment deleted)
I wouldn't go so far as to say "the real crime," but I wholeheartedly agree that zoom should share some responsibility here. If we're going to routinely put children in a virtual space, that virtual space should be able to be secured for them. If an after-school children's program put children in a position where, say, sexual predators easily had access to them, we'd not only blame the sexual predators, but also the system that put the kids within reach to them.

I've always been very surprised zoom has an easily-guessable meeting ID namespace. It's a user experience tradeoff, but in my opinion, either the meeting IDs should be sparse and hard to guess, or there should be passwords (or possibly both).

The guessing the meeting ID thing is probably not the real vector. I’m positive college kids and k-12 kids are sharing the private links online and amongst themselves.

In that case Zoom needs what any forum software inevitably has to implement: moderating tools. Meeting hosts should be able to ban ips, if they are getting hit via a proxy, the host should be able to mute everyone/disable sharing video of everyone, etc. It’s not that hard to mitigate this stuff, the key word being mitigate not ‘stop’.

> people who open themself to exploits carry the majority of blame

So a homeowner or car owner that leaves their door opens should be responsible for burglaries? Someone that wears a nice watch that leads to a mugging?

How about people that commit crimes take responsibility for them?

Since some people are entirely mistaking my point, here some more in-depth thoughts.

We should hold the companies and individuals operating on the internet to the highest standard to prevent such security violations. I am talking about a balance of the barrier here. Guessing meeting IDs is such an obvious and trivial attack vector that it should be expected to be abused.

We look at companies like Facebook and expect them to keep our data safe and if they don't, we hold them accountable even though they are a victim of a crime. Some comment equated that to victim blaming in case of rape and that is just an insane analogy.

Obviously if there is a real world consequence and people having damage they should have the right to get compensated and that is why we expect providers and companies to keep logs, but honestly how do we expect services to develop the highest standard if they can pass the blame to an attacker. At least an equal part if not the majority should be the organization that engineered a vulnerability because in most cases these happen due to improper design. (See programming vs. civil engineering quality discussion)

We are talking about a minor inconvinience through trolling easily fixed by a proper token system on Zoom's end. This is not what the criminal justice system should be prosecuting some teenagers for.

Zoom's inaction here seems to better fit the concept of an attractive nuisance than a crime.
Everybody 'operates on the internet'. We're going to hold everybody to the highest standards of security?

This is silly. There's already plenty of law around contract damages etc. Is there any need to rail about this example, and propose new rules?

If you can show monetary losses due to using Zoom, go ahead and sue. Using a free account? Then there's no contract between you and Zoom - has to be 'value received' to have a contract, and you didn't pay them anything.

Since there are and have been alternative to Zoom for a decade, it's hard to make this some national priority.

I think its more of "Think of the children" argument cropping up. IIRC there was a few high profile naked people (primarily men) doing obscene things. And there was at least 1 porno track being played. Of course, it was all during k-12 zoom.

Once you introduce sex crimes against children in a public (online) school room setting, all bets are off.

Wow that seems very prosecutable. Doesn't Zoom know who attended each meeting?
Here we see out of touch people supporting actions that can destroy lives, for no benefit.
Key quote: "Zoombombers have exposed themselves to schoolchildren and shouted racial slurs."

Kinda knocks down the "hacker kids having harmless fun" image in my book.

I don't understand why people are comparing this to realspace crimes. I get that we have plenty of laws covering them, but the online world is completely different. It's possible for people to commit cybercrime and still be undetected. How can you arrest someone if you can't find them? The internet is still very much the wild west, and it needs to be treated as such, with lots of locks and keys. Doing anything less is negligence.