Educause Security Discussion mailing list archives
Re: DingTalk software concerns?
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Thu, 11 Feb 2021 16:26:55 +0000
I've had this conversation about our services in other countries, but China is even a little more different. Please see this from Stanford.

https://uit.stanford.edu/security/travel/high-risk-countries-recommendations

I know some recommendations that I have heard are to send new equipment and expect it to come home corrupted (don't even allow it back until 100% wiped), don't use your normal services (segment this group specially), rely more on manual process (if small group, email back grades to be input, etc.), and beware of physical security issues (not physical danger, but theft).

Recommendations for Travelers to High Risk Countries - University IT <https://uit.stanford.edu/security/travel/high-risk-countries-recommendations>
High risk countries: Travel to High Risk Countries requires special consideration and preparation. Let’s start with what you’re taking with you. It’s important to take the minimum you need in order to get your work done while you’re gone. There are a range of options starting with the most secure and going down the minimum required actions.

Robert W. Barton
Executive Director of Information Security & Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ramon Rentas <rentas () MACALESTER EDU>
Sent: Thursday, February 11, 2021 10:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] DingTalk software concerns?

I never heard of that app until now, so I did some Google searches and found lots of articles warning about the app's weak security that would allow the Chinese Government to spy on the app's users. Below is one such article.
https://www.cnbc.com/2019/10/14/china-xi-jinping-ideology-app-has-backdoor-that-could-let-beijing-snoop-on-users-report.html

Good luck,
Ramón

---
Ramón Rentas
Associate Director for Infrastructure, Security & Enterprise Services
Information Technology Services
rentas () macalester edu
1600 Grand Avenue
Saint Paul, MN 55105 USA

Never email your password to anyone!

The information transmitted may contain confidential material and is intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination or other use of, or taking of any action by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please delete the information from your system and contact the sender. The opinions expressed are those of the sender, and not necessarily those of Macalester College.

On Thu, Feb 11, 2021 at 8:09 AM Bole, Jim A <jbole () albany edu> wrote:

We have a faculty group planning to teach students at a Chinese university. The university, as well as a lot of folks in China, use DingTalk. Our faculty wants to install it to conduct classes, much in the same manner as they use Zoom.

Anyone have any experience with this?

I do have some privacy concerns for the faculty members using the software. It’s entirely possible that their activities would be tracked by someone in China. And that tracking could potentially include things like our network ranges, etc.

But it looks like the software itself isn’t malicious. The mobile app has been vetted by Apple and Google.

I’ve reviewed their privacy page: https://page.dingtalk.com/wow/dingtalk/act/privacy-en-lite?

I’ve reviewed their security whitepaper (attached). First time I’d heard of ChaCha20 encryption. While it does have some interesting language, it covers most of the basics.

It’s an interesting use case and I’d appreciate any feedback.
Jim Bole
Chief Information Security Officer
Information Technology Services
University at Albany

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- DingTalk software concerns? Bole, Jim A (Feb 11)
- Re: DingTalk software concerns? Ramon Rentas (Feb 11)
- Re: DingTalk software concerns? Barton, Robert W. (Feb 11)
- Re: DingTalk software concerns? Henry Wojteczko (Feb 11)
- Re: DingTalk software concerns? Barton, Robert W. (Feb 11)
- Re: DingTalk software concerns? Ramon Rentas (Feb 11)