Guardian Article on Zoom

Just out a few hours ago:

‘Zoom is malware’: why experts worry about the video conferencing platform

https://www.theguardian.com/technology/2020/apr/02/zoom-tech…

on Thursday, the company announced it would freeze all new feature development and shift all engineering resources on to security and safety issues that have been called to attention in recent weeks.

and

Zoom meetings can be accessed by a short number-based URL, which can easily be generated and guessed by hackers…

and

A report from Motherboard found Zoom sends data from users of its iOS app to Facebook for advertising purposes, even if the user does not have a Facebook account.

The Guardian article seems a bit overdone to me. For instance, it raises the end-to-end encryption controversy, mentioning that Zoom apologized but not mentioning the rationale for what Zoom actually does encryption-wise and why true end-to-end encryption isn’t actually possible in all circumstances. What should be discussed is whether, since Zoom obviously has the ability to decrypt on its servers, we trust Zoom to not perform this decryption.

For instance, in Zoom’s statement (https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-… ), they say:

we have created specialized clients to translate between our encrypted meetings and legacy systems. We call these Zoom Connectors, and they … are effectively Zoom clients that operate in Zoom’s cloud.

So, it’s clear that Zoom does have the ability to decrypt in their cloud. And they try to calm us down by saying:

Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes

This doesn’t really address enough of the issues. The “live” qualifier leaves open whether Zoom can decrypt recorded meetings, perhaps Zoom even recording meetings without users being aware. And the “for lawful intercept purposes” is another disclaimer, leaving open other reasons for decrypting meetings. And they do! They just admitted they decrypt to support clients that can’t decrypt. Obviously, that’s a really good reason to have that capability, but they can’t say they don’t have the capability.

What would be interesting is to know how secure any of the other video conferencing services really are. Is Cisco’s Webex any more secure, for instance?

5 Likes

This I think is totally blown out of all proportion. Absolutely anything is hackable. The unthinkable happened to Experian, remember that? Literally all our information for others to see.

How could a company know that in one month they would explode like some rocket ship? Obviously there will be problems to correct. It’s now that they have to urgently sort them out, not to mention that others will be out for their blood, hence some of these stories.

Are they correct? I don’t know.
I’m along for the ride until this train develops real engine trouble. With that said, look at LK today. That was a whole lot of steam, without the coffee.

3 Likes

The story has gone viral now and until they put better default security in place we can expect to see more Zoom bombs and thus more schools and other free users to have more bad experiences and complain publicly about it. I assume paid users are better educated on how to use the software to make their Zoom meetings secure or is there something about the free version that is inherently less secure?

The “live” qualifier leaves open whether Zoom can decrypt recorded meetings,

It would seem to me that recording an encrypted meeting would be largely pointless since it wouldn’t be shareable.

1 Like

The story has gone viral now and until they put better default security in place we can expect to see more Zoom bombs and thus more schools and other free users to have more bad experiences and complain publicly about it. I assume paid users are better educated on how to use the software to make their Zoom meetings secure or is there something about the free version that is inherently less secure?

Teachers all across the country were asked to put together lessons in a short time using technologies they were not familiar with, often with little to no training. My former district had planned to close to students for one day in March to offer in-service training in using resources for online teaching, but the Governor closed all public schools before that date so teachers were left scrambling.

Many teachers are also parents having to home school or monitor their kids while also teaching classes. Under a great deal of stress, more than a few used Zoom without knowing much about it, including how to change default settings or manage settings to prevent Zoombombing.

Add in bored kids at home with free time and enough technical expertise and you get Zoom bomb stories and some bad experiences.

Those should be corrected easily enough and shouldn’t affect the company’s prospects significantly.

An earlier thread linked an article that suggested how to improve the default security.

The data sharing is a bigger issue. The company seems to be working to address it. Their response in the near future will be important. A good response will make people quickly forget the negative stories.

On the plus side, numerous people who had not even heard of Zoom a few months ago have heard of it now.

All the best,

Raymond

6 Likes

Absolutely anything is hackable.

Sure, but did the company do its due diligence? Is it excusable that they didn’t know what “end to end encryption” actually meant, and can you trust them?

I don’t know. I still own shares but it’s a medium-size position for me.

With that said, look at LK today.

Yeah, as if we needed yet another reminder to avoid Chinese companies.

1 Like

IMHO the public statement by Eric Yuan released today makes it clear that he is ready to supply any level of encryption and security measures necessary to meet the needs of all users.

1 Like