Array
(
    [title] => Array
        (
            [0] => EduTech Spyware is Still Spyware: Proctorio Edition
        )

    [description] => Array
        (
            [0] => Spyware written for educational institutions to flex their muscles of control over students and their families when learning from their home computer is still, categorically, spyware. Depending on …
        )

    [url] => Array
        (
            [0] => https://soatok.blog/2020/09/12/edutech-spyware-is-still-spyware-proctorio-edition/
        )

    [type] => Array
        (
            [0] => rich
        )

    [tags] => Array
        (
            [0] => a:2:{i:0;s:7:"spyware";i:1;s:5:"still";}
        )

    [oembedImage] => Array
        (
            [0] => https://soatok.files.wordpress.com/2020/09/blogheader-edutechspyware.png?fit=440%2C330
        )

    [oembedImageWidth] => Array
        (
            [0] => 440
        )

    [embedImageHeight] => Array
        (
            [0] => 247
        )

    [oembedImages] => Array
        (
            [0] => a:12:{i:0;a:5:{s:3:"url";s:86:"https://soatok.files.wordpress.com/2020/09/blogheader-edutechspyware.png?fit=440%2C330";s:5:"width";i:440;s:6:"height";i:247;s:4:"size";i:108680;s:4:"mime";s:9:"image/png";}i:1;a:5:{s:3:"url";s:72:"https://soatok.files.wordpress.com/2020/09/blogheader-edutechspyware.png";s:5:"width";i:1200;s:6:"height";i:675;s:4:"size";i:810000;s:4:"mime";s:9:"image/png";}i:2;a:5:{s:3:"url";s:78:"https://soatok.files.wordpress.com/2020/09/blogheader-edutechspyware.png?w=640";s:5:"width";i:640;s:6:"height";i:360;s:4:"size";i:230400;s:4:"mime";s:9:"image/png";}i:3;a:5:{s:3:"url";s:79:"https://soatok.files.wordpress.com/2020/09/blogheader-edutechspyware.png?w=1200";s:5:"width";i:1200;s:6:"height";i:675;s:4:"size";i:810000;s:4:"mime";s:9:"image/png";}i:4;a:5:{s:3:"url";s:75:"https://soatok.files.wordpress.com/2020/09/soatoktelegrams2020-15.png?w=512";s:5:"width";i:512;s:6:"height";i:512;s:4:"size";i:262144;s:4:"mime";s:9:"image/png";}i:5;a:5:{s:3:"url";s:65:"https://soatok.files.wordpress.com/2020/09/proctorio-01.png?w=739";s:5:"width";i:739;s:6:"height";i:700;s:4:"size";i:517300;s:4:"mime";s:9:"image/png";}i:6;a:5:{s:3:"url";s:65:"https://soatok.files.wordpress.com/2020/09/proctorio-02.png?w=748";s:5:"width";i:748;s:6:"height";i:565;s:4:"size";i:422620;s:4:"mime";s:9:"image/png";}i:7;a:5:{s:3:"url";s:75:"https://soatok.files.wordpress.com/2020/08/soatoktelegrams2020-04.png?w=512";s:5:"width";i:512;s:6:"height";i:512;s:4:"size";i:262144;s:4:"mime";s:9:"image/png";}i:8;a:5:{s:3:"url";s:75:"https://soatok.files.wordpress.com/2020/09/soatoktelegrams2020-11.png?w=512";s:5:"width";i:512;s:6:"height";i:512;s:4:"size";i:262144;s:4:"mime";s:9:"image/png";}i:9;a:5:{s:3:"url";s:78:"https://soatok.files.wordpress.com/2020/04/soatok_stickerpack-hacker.png?w=512";s:5:"width";i:512;s:6:"height";i:512;s:4:"size";i:262144;s:4:"mime";s:9:"image/png";}i:10;a:5:{s:3:"url";s:84:"https://1.gravatar.com/avatar/146676f54771c654ed4b7e59e7513974?s=160&d=identico
n&r=G";s:5:"width";i:160;s:6:"height";i:160;s:4:"size";i:25600;s:4:"mime";s:10:"image/jpeg";}i:11;a:5:{s:3:"url";s:98:"https://1.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536?s=25&d=identicon&forcedefault=y&r=G";s:5:"width";i:25;s:6:"height";i:25;s:4:"size";i:625;s:4:"mime";s:9:"image/png";}}
        )

    [feeds] => Array
        (
            [0] => a:3:{i:0;s:25:"https://soatok.blog/feed/";i:1;s:34:"https://soatok.blog/comments/feed/";i:2;s:87:"https://soatok.blog/2020/09/12/edutech-spyware-is-still-spyware-proctorio-edition/feed/";}
        )

    [publishedTime] => Array
        (
            [0] => 2020-09-12T06:01:47+00:00
        )

    [license] => Array
        (
            [0] => 
        )

    [text] => Array
        (
            [0] => a:45:{i:0;s:183:"Spyware written for educational institutions to flex their muscles of control over students and their families when learning from their home computer is still, categorically, spyware.";i:1;s:155:"Depending on your persuasion, the previous sentence sounds like either needless pedantry, or it reads like tautology. But we need to be clear on our terms.";i:2;s:122:"When vulnerabilities are discovered in malware, the normal rules of coordinated disclosure are out of scope. Are we clear?";i:3;s:29:"So lets talk about Proctorio!";i:4;s:266:"For anyone unfamiliar with it, Proctorio is a browser extension used to eliminate cheating through intense surveillance techniques. It records the computer screen while you take the exam to ensure you dont look anything up. However, its more than that. (Thread 1/11)";i:5;s:246:"I wont go into the details of Proctorio or why its terrible for (especially disadvantaged) students. Read Cassies Twitter thread for more context on that. Seriously. Im not gonna be one of those guys that talks over women, and neither should you.";i:6;s:94:"What I am here to talk about today is these dubious claim about the security of their product:";i:7;s:188:"In cryptography, there are a class of algorithms called Zero-Knowledge Proofs. In a Zero-Knowledge Proof, you prove that you possess some fact without revealing any details about the fact.";i:8;s:259:"Its kind of abstract to think about (and until were ready to talk about Pedersen commitments, Im just going to defer to Sarah Jamie Lewis), but the only thing you need to know about Zero Knowledge in Cryptography is that the output is a boolean (True, False).";i:9;s:104:"You cant use Zero Knowledge anything to encrypt. So Zero-Knowledge Encryption is a meaningless buzzword.";i:10;s:252:"As a cryptographer, I would like details on how on Earth it is using zero knowledge proofs in this situation. 
In all likelihood they're not doing what "zero knowledge" usually means, which quite frankly has me more worried about the security, not less.";i:11;s:77:"So what are they actually describing when they say Zero Knowledge Encryption?";i:12;s:200:"Okay, so theyve built their own key distribution system and are encrypting with AES-GCM and shipped this in a Chrome extension. But before we get to that, look at this Daily Vulnerability Tests claim.";i:13;s:266:"Running Nessus (or equivalent) on a cron job isnt meaningful metric of security. At best, it creates alert fatigue when you accidentally screw up a deployment configuration or forget to update your software for 4+ years. (Yknow, like JsZip 3.2.1, which they bundle.)";i:14;s:172:"A dumb vulnerability scan isnt the same thing as a routine (usually quarterly) penetration test or a code audit. And if youre working in cryptography, you better have both!";i:15;s:219:"If you download version 1.4.20241.1.0 of the Proctorio Chrome Extension, run src/assets/J5HG.js through a JS beautifier, and then look at its contents, you will quickly realize this is a JavaScript cryptography library.";i:16;s:91:"Since the zero knowledge encryption theyre so proud about uses AES-GCM, lets focus on that.";i:17;s:140:"Proctorios AES-GCM implementation exists in an object called dhs.mode.gcm, which is mildly obfuscated, but contains the following functions:";i:18;s:226:"If youre not familiar with AES-GCM, just know this: Timing leaks can be used to leak your GMAC key to outside applications, which completely breaks the authentication of AES-GCM and opens the door to chosen-ciphertext attacks.";i:19;s:78:"So is their implementation of AES-GCM constant-time? 
Lets take a look at aa():";i:20;s:104:"This is a bit obtuse, but this line leaks the lowest bit of f with each iteration: g = 0 !== (1 & f[3]).";i:21;s:211:"Since f gets bitwise right-shifted 128 times, this actually leaks the bit of every value of f in each block multiplication, since the execution of (f[0] ^= -520093696) depends on whether or not g is set to true.";i:22;s:116:"Also, they claim to be FIPS 140-2 compliant, but this is how they generate randomness in their cryptography library.";i:23;s:84:"I don't think NIST SP 800-90A would consider this secure  pic.twitter.com/qd2D1lURUH";i:24;s:124:"To mitigate these vulnerabilities, one needs look no further than the guide to side-channel attacks I published last month. ";i:25;s:57:"(Also, use WebCrypto to generate entropy! What the fuck.)";i:26;s:8:"Nothing.";i:27;s:167:"Schools that demand students install spyware on their personal computers are only a step removed from domestic abusers who install stalkerware on their victims phones.";i:28;s:55:"Proctorio isnt the problem here, theyre only a symptom.";i:29;s:123:"Schools that insist on violating the integrity and parental dominion of their students home computers are the problem here.";i:30;s:165:"Zoom school is really showing how much of American Education is just about controlling and punishing children and not actually, you know, teaching and educating them";i:31;s:232:"If you want to ensure the integrity of students education, try teaching them about consent and ethical computing. (Yknow, concepts that are fundamentally incompatible with the business model of Proctorio and Proctorios competitors.)";i:32;s:15:"Really? Really?";i:33;s:124:"This was a zero-day disclosure, because full disclosure is the responsible choice when dealing with spyware. Dont even @ me.";i:35;s:72:"Security engineer with a fursona. 
Ask me about dholes or Diffie-Hellman!";i:36;s:54:"Fill in your details below or click an icon to log in:";i:37;s:71:" You are commenting using your WordPress.com account. (LogOut/ Change) ";i:38;s:64:" You are commenting using your Google account. (LogOut/ Change) ";i:39;s:65:" You are commenting using your Twitter account. (LogOut/ Change) ";i:40;s:66:" You are commenting using your Facebook account. (LogOut/ Change) ";i:41;s:16:"Connecting to %s";i:42;s:36:"Notify me of new comments via email.";i:43;s:33:"Notify me of new posts via email.";i:47;s:20:" 2020 Dhole Moments ";i:48;s:24:" Blog at WordPress.com. ";}
        )

    [imageDescription] => Array
        (
            [0] => Laptop displaying a pirate flag / jolly roger on a red screen, possibly indicating malware, hackers or a different computer problem.
        )

    [image] => Array
        (
            [0] => https://images.unsplash.com/flagged/photo-1560854350-13c0b47a3180?ixlib=rb-1.2.1&q=80&fm=jpg&crop=entropy&cs=tinysrgb&w=1080&fit=max&ixid=eyJhcHBfaWQiOjY2NjA2fQ
        )

    [unsplash_ID] => Array
        (
            [0] => JJPqavJBy_k
        )

    [imageAuthor] => Array
        (
            [0] => Michael Geiger
        )

    [imageUsername] => Array
        (
            [0] => jackson_893
        )

    [_fusion] => Array
        (
            [0] => a:0:{}
        )

    [crp_related_posts] => Array
        (
            [0] => 
        )

    [avada_post_views_count] => Array
        (
            [0] => 0
        )

)
Image by: Michael Geiger

EduTech Spyware is Still Spyware: Proctorio Edition

Spyware written for educational institutions to flex their muscles of control over students and their families when learning from their home computer is still, categorically, spyware.

For anyone unfamiliar with it, Proctorio is a browser extension used to eliminate cheating through intense surveillance techniques.

It's kind of abstract to think about, but the only thing you need to know about Zero Knowledge in Cryptography is that the output is a boolean.

Okay, so they've built their own key distribution system and are encrypting with AES-GCM and shipped this in a Chrome extension.

If you download version 1.4.20241.1.0 of the Proctorio Chrome Extension, run src/assets/J5HG.js through a JS beautifier, and then look at its contents, you will quickly realize this is a JavaScript cryptography library.

Zoom school is really showing how much of American Education is just about controlling and punishing children and not actually, you know, teaching and educating them.

Original article