April 2, 2020

How to use Zoom with a Sandbox

With the corona pandemic, video conferences are on the rise, and organizations tend to use Zoom. The problem is that Zoom keeps revealing more security holes, bad practices, and privacy problems.

Zoom has a version that runs in the browser, but in my experience it works much worse than the native application. Since running the native application is a security and privacy risk, let's see how Linux sandbox techniques can restrict what the Zoom client is able to access.

1) Use flatpak.
Flatpak runs applications in a sandbox called bubblewrap that isolates them from most of your personal data. You can find Zoom on Flathub.

If you do not have flatpak, you can try the bubblewrap sandbox without flatpak or use firejail, but for most people it is much easier to just use flatpak.

2) Use Flatseal to revoke access to data that Zoom does not need, before running Zoom for the first time. You can remove access to all host files (filesystems=host and filesystems=home disabled) without any problems.

This already solves many security and privacy issues of Zoom.

The problem that still remains is that Zoom generates personalized identifiers by using your network card's unique hardware address.

3) Restricting access to your network devices: Zoom is now isolated from your private files, but once you have used Zoom, have a look at $HOME/.var/app/us.zoom.Zoom/config/zoomus.conf and you will notice that Zoom uses your MAC address as an identifier in the line deviceID=XX:XX:XX:XX:XX:XX.

If you really want to keep such unique identifiers away from Zoom, network namespaces offer a way to do that.

Our setup is based on this introduction to Linux network namespaces. To run Zoom inside a private network namespace we will additionally need some routing for internet access and a tool that allows normal users to run applications in a network namespace.

Setting up a network namespace for Zoom:

sudo ip netns add zoom # Create the namespace "zoom"
sudo ip link add veth0 type veth peer name veth1 # Create connected virtual interfaces
sudo ip link set veth1 netns zoom # Assign the second interface to the network namespace "zoom"

You can now verify that only the virtual interface is visible by running ip netns exec zoom ip link show. This runs the command ip link show inside the namespace "zoom", and you should see a loopback interface "lo" and the virtual interface "veth1" inside the new namespace.

When running ip link show alone, you should see your usual host network interfaces and "veth0", but no device "veth1".

Next, we need to assign IPs and set up a default route inside the network namespace so that Zoom can reach its servers. We will use the net for the interfaces. If you already use this net, you need to choose another IP range.

# Activate the interface in the default namespace
sudo ip link set up veth0
sudo ip addr add dev veth0
# Activate the interface inside the zoom namespace
sudo ip netns exec zoom ip link set up veth1
sudo ip netns exec zoom ip addr add dev veth1
# Add a default route inside the namespace
sudo ip netns exec zoom ip route add default via
# Enable IP forwarding
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

The namespace can now communicate with the host, and we still need routing to the internet. We use iptables with a NAT setup for this:

sudo iptables -P FORWARD DROP # Drop all forwarded packets that are not matched by another rule (-P takes the policy directly, without -j).
sudo iptables -I FORWARD -s -j ACCEPT # Forward packets for IPs from inside the namespace
sudo iptables -I FORWARD -d -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Let replies back into the namespace, otherwise the DROP policy blocks them
sudo iptables -t nat -A POSTROUTING -s -j MASQUERADE # Use NAT for packets from the zoom network

To be able to use the namespace without root privileges you need to install netns-exec. This tool allows every user on the computer to run programs in another network namespace, so do not install it if this is a problem for you.

Now run netns-exec zoom ip link as a normal user to verify that you can execute programs in the network namespace and that you only see the virtual network device.

When everything works, you can start using Zoom by running

netns-exec zoom flatpak run us.zoom.Zoom

Afterward, you can verify that zoomus.conf now contains the virtual MAC address of the veth interface instead of the unique MAC address of your network card.
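The whole procedure of steps 2 and 3 as one script, added here as an example that is not part of the original article: it applies the Flatseal restriction on the command line with flatpak override, creates the namespace with a complete address plan, adds forwarding and NAT, and compares the deviceID in zoomus.conf with the MAC address of veth1. The address range 10.200.1.0/24 (10.200.1.1 on veth0, 10.200.1.2 on veth1), the NS_DNS resolver and the use of netns-exec for the Zoom start are assumptions made for this example. DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the article): repeatable setup of the "zoom"
# network namespace, NAT towards the host's uplink, and two checks.
# Assumptions, all constructed for this example:
#   - the 10.200.1.0/24 range is unused on the host,
#   - veth0 (host side) gets 10.200.1.1, veth1 (inside "zoom") 10.200.1.2,
#   - NS_DNS is a resolver reachable from the namespace (replace it).
# Usage: sh zoom-netns.sh flatpak|setup|teardown|check|zoom  (setup needs sudo)
set -eu

NS_NAME="zoom"
NS_NET="10.200.1.0/24"
HOST_IP="10.200.1.1/24"
NS_IP="10.200.1.2/24"
NS_GW="10.200.1.1"
NS_DNS="192.168.1.1"        # placeholder: your LAN or ISP resolver; 127.0.0.53 is unreachable from inside
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the commands instead of running them

# run: execute a privileged command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# restrict_flatpak: the Flatseal step on the command line, before the first start
restrict_flatpak() {
    flatpak override --user --nofilesystem=host --nofilesystem=home us.zoom.Zoom
    flatpak info --show-permissions us.zoom.Zoom
}

# setup_netns: namespace, veth pair, addresses, default route, forwarding, NAT, DNS
setup_netns() {
    run ip netns add "$NS_NAME"
    run ip link add veth0 type veth peer name veth1
    run ip link set veth1 netns "$NS_NAME"
    run ip link set up veth0
    run ip addr add "$HOST_IP" dev veth0
    run ip netns exec "$NS_NAME" ip link set up lo
    run ip netns exec "$NS_NAME" ip link set up veth1
    run ip netns exec "$NS_NAME" ip addr add "$NS_IP" dev veth1
    run ip netns exec "$NS_NAME" ip route add default via "$NS_GW"
    run sysctl -w net.ipv4.ip_forward=1
    # Drop everything by default, then allow the namespace out and replies back in.
    run iptables -P FORWARD DROP
    run iptables -I FORWARD -s "$NS_NET" -j ACCEPT
    run iptables -I FORWARD -d "$NS_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$NS_NET" -j MASQUERADE
    # "ip netns exec" bind-mounts /etc/netns/<name>/resolv.conf over /etc/resolv.conf,
    # so the namespace gets its own resolver instead of a host-local stub listener.
    run mkdir -p "/etc/netns/$NS_NAME"
    run sh -c "printf 'nameserver %s\n' '$NS_DNS' > /etc/netns/$NS_NAME/resolv.conf"
}

# teardown_netns: remove the rules and the namespace (deleting it also removes the veth pair)
teardown_netns() {
    run iptables -t nat -D POSTROUTING -s "$NS_NET" -j MASQUERADE
    run iptables -D FORWARD -d "$NS_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -s "$NS_NET" -j ACCEPT
    run ip netns delete "$NS_NAME"
}

# device_id_from_conf: the deviceID value Zoom wrote into a zoomus.conf file
device_id_from_conf() {
    awk -F= '/^deviceID=/ { print $2; exit }' "$1"
}

# iface_mac_in_ns: MAC address of an interface as seen from inside the namespace
iface_mac_in_ns() {
    run ip netns exec "$NS_NAME" ip -o link show "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "link/ether") print $(i + 1) }'
}

# check: only lo and veth1 may be visible inside, and zoomus.conf must carry the veth1 MAC
check() {
    conf="$HOME/.var/app/us.zoom.Zoom/config/zoomus.conf"
    run ip netns exec "$NS_NAME" ip -o link show
    if [ -f "$conf" ]; then
        printf 'deviceID in zoomus.conf:   %s\n' "$(device_id_from_conf "$conf")"
        printf 'MAC of veth1 in namespace: %s\n' "$(iface_mac_in_ns veth1)"
    fi
}

case "${1:-}" in
    flatpak)  restrict_flatpak ;;
    setup)    setup_netns ;;
    teardown) teardown_netns ;;
    check)    check ;;
    zoom)     netns-exec "$NS_NAME" flatpak run us.zoom.Zoom ;;
esac
```

Two details differ from typing the commands by hand: the FORWARD policy is DROP, so a conntrack rule lets reply packets back into the namespace, and /etc/netns/zoom/resolv.conf gives the namespace a resolver of its own, because a host stub resolver on 127.0.0.53 is not reachable from inside. The deviceID comparison in check is exactly the verification the article ends with.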

Feedback: If anything does not work for you, please leave a comment so that I can improve this article.

Categories: english Software Linux Security
Tagged: Zoom Flatpak network namespace netns Security Privacy

4 comments


Aug. 9, 2015

Windows 10 Privacy: Sharing private e-mails

A short excerpt from Microsoft's privacy statement (as of 09.08.2015):

Finally, we will access, disclose and preserve personal data, including private content (such as the content of your e-mails and other private communications or files in private folders), when we have a good faith belief that doing so is necessary to [...]*
(Section: "Reasons We Share Personal Data")

This section is only one example. The "privacy statement" defines further far-reaching rights for Microsoft.

* Various justifications follow here, which I will not go into, since an operating system vendor should never access and disclose private data, regardless of the justification and whatever its belief.

Categories: Software Windows Data breach Data protection
Tagged: Windows 10 Win10 Datenschutz Privacy E-Mails Datenschutzbestimmungen

0 comments
