Zoom end to end encryption

Just to address this one issue, Zoom’s end to end encryption.

There were a lot of rumors about Zoom but now we have the facts from Zoom. Zoom mischaracterized their end to end encryption. To enable connectors to non-Zoom IO they must be able to decrypt the video stream. This is a “feature!”

For users that must have absolute secrecy, Zoom is not an option but this could change if Zoom decided to provide a truly secure end to end encryption that they cannot decode. This is perfectly feasible but the service would only work on Zoom native apps. I would expect this option to be offered some time in the future after the current more urgent issues are resolved.

Users who have a lower security need threshold now have end to end encryption if they use only Zoom native IO. My best estimate is that most videoconferencing can live with that.

In any case security lies mostly with users. Security is PITA but if you want it you have to work for it. Passwords, waiting rooms, etc. Most of my financial websites require me to change my password periodically.

As for the price drop, some of it is profit talking after a furious run-up. Some of it is fear of hacking. So far I like how management has reacted, acknowledging the problem, explaining the issues, and promising action.

From August through December I had a loss on ZM but I got back in on February 24 at $107.85 based on the coronavirus driven events. It was nice to be up 60% in just one month but I’m holding because this security issue seems to me to be just a hiccup.

Denny Schlesinger

20 Likes

Just as a point of reference. Cisco’s CEO was on Mad Money last night. He spoke about Webex. He says there has been an explosion of use over the last few weeks. Here are some points he talks about:

In the month of March:
They did almost 15 billion person meeting minutes.
Have 330 million users.
They did 4 million + meetings of 3+ people (they don’t count one on one meetings).
Asia is 3 times the volume than it was before the COVID outbreak.
Europe is 4 times the volume from before COVID
U.S. 2.5 times the volume from before COVID
All the usage from all areas continues to grow positively.
He also went on about security of their system. He does not give any specific data other than their entire system is encrypted.

Not implying anything on how they will or will not affect ZM, just passing along some data stats from a major competitor of theirs. Kind of shows just how much market share is out there. 15 Billion meeting minutes is a lot considering I would say the bulk of their use is business and not just social.

Cisco, just like others I’m sure, offers E2E encryption but it doesn’t look like it’s on by default and limits end-user features and integrations.

From their own document:
https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-E…

Limitations:
when end-to-end encryption is enabled, the following features are not supported:

Join Before Host
Telepresence Video End Points (formerly known as Collaboration Meeting Rooms Cloud)
Cisco Webex Meetings Web App
Linux clients
Network-Based Recording (NBR)
Saving session data, Transcripts, Meeting Notes, and etc…
Remote Computer sharing
Uploading shared files to the meeting space at the end of the Cisco Webex Meetings
Personal Meeting Rooms

2 Likes

Limitations:
when end-to-end encryption is enabled, the following features are not supported:

Sounds similar to Zoom’s “connectors.”

The question for WebEx would be, can they decrypt (eavesdrop) at the server or is their end to end truly end to end?

Denny Schlesinger

2 Likes

As I always preface my comments on subjects such as “end-to-end encryption”; I am not a techie. I prefer to listen to these boards and to people smarter than me in various subject matters and then make an educated decision. Along those lines, here is a tidbit from an analyst speaking on Zoom’s end-to-end encryption issue with a completely unique take that I don’t think I have heard elsewhere:

"Secondly, end to end encryption is not used in enterprise B2B products because the company wants records of the what the employees are doing. Slack and MSFT Teams do not have end to end encryption for this reason. Zoom may need to release a consumer version of their software that has E2E encryption and then a corporate product that does not have this.

But a product blowing up “and breaking” (as Facebook used to say) is every CEO’s dream come true. This is what you strive for."

For the tech savvy investors on this board, do you think this “holds water” or is this analyst missing the mark?

Harley

4 Likes

I failed to mention in the previous post, that I have added to my already large Zoom position yesterday and day in the $80/share range.

Harley

1 Like

Here is a Forbes article published today by the analyst I referenced in my earlier posts (Beth Kindig of beth.technology):

https://www.forbes.com/sites/bethkindig/2020/04/03/zoom-vide…

And since Beth has placed her feelings on Zoom out in the public domain, I will add another thought from her on the “Zoom Bashing” as of late:

“Third, I’ll just throw out there that when a lot of independent security professionals start to talk about a product, they’re usually paid by the competitors. They make a lot of money hacking products, looking for vulnerabilities, etc. Some companies pay them to hack their own products so they can fix them before it goes to a PR thing. Point being, just another day in tech/security as far as bugs or hacking goes. Skype has had plenty of them.”

16 Likes

"Secondly, end to end encryption is not used in enterprise B2B products because the company wants records of the what the employees are doing.

True as that may be there is a difference between on-prem and cloud. Makes sense on-prem but in the cloud third parties can get the info…

Denny Schlesinger

Harley quoted:

"Secondly, end to end encryption is not used in enterprise B2B products because the company wants records of the what the employees are doing.

Denny stated:

True as that may be there is a difference between on-prem and cloud. Makes sense on-prem but in the cloud third parties can get the info…


Note that as per the Zoom E2E encryption blog post, it appears recording meetings precludes being able to encrypt communications:

To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.

1 Like

Just got an e-mail from Zoom that starts:

We’re always striving to deliver you a secure virtual meeting environment. Starting April 5th, we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.

16 Likes

Our corporation will now have all Zoom meetings password protected. Screen sharing, chat, and file transfer options will be disabled for all meeting participants, except the host. We will use the waiting room feature so the host can admit or remove guests, and no one can enter the room until the host has entered. Our corporation held 30,000 Zoom meetings this week.

15 Likes

nreid: “Our corporation will now have all Zoom meetings password protected. Screen sharing, chat, and file transfer options will be disabled for all meeting participants, except the host. We will use the waiting room feature so the host can admit or remove guests, and no one can enter the room until the host has entered. Our corporation held 30,000 Zoom meetings this week.”

nreid…the operative word in your post is “corporation”. I was thrilled to see your post because it confirms what I have presented in previous posts on this board as well as what I heard Eric Yuan discuss on his interview on an ABC affiliate station out of San Jose, CA.

As a corporation, your corporation has an IT department that will be preemptive and configure Zoom accordingly for the needs of your corporation and its employees. It is this “technology IQ” of your corporation that will eliminate or minimize all the anecdotal blunders we have seen posted here and represented in various articles around the internet about “Zoombombing” and the “chicken littles” talking about how Zoom can not be used for Home Learning because during Jimmy’s lesson on long division, somebody posted inappropriate content that the whole class was subjected to.

The point is that your corporation’s professional efforts contrast with the millions of Zoom newbies around the world with much lower technology IQ’s that have just recently downloaded the app and immediately start hosting Zoom conferences for social interaction with friends and family, home learning with teachers and students and WFH’ers keeping in contact with associates without ever familiarizing themselves with these security features.

This Zoom bashing is an overreaction; the key is better education of newbies for proper onboarding. That will come in time.

To all the Zoom haters out there, keep bashing. Your efforts may hopefully drive valuations down due to fickle investors with “Zoombombing” panic. I will be the one waiting for a market overreaction and buying additional shares.

Harley

[Please don’t make this post about E2E encryption. That is a related topic, but not the point of this post.]

2 Likes

Harley, you’re exactly right. Glad you could read between the lines there. Our IT Department just set all of those settings across our entire corporation to eliminate any security risk/threat. Our corporation is comprised of 7 separate companies so our corporation will do over a million Zoom meetings this year. We have Teams and Skype on our systems, but those were mentioned as just available as an alternative in case we want to use them personally to talk to other associates, but no corporate meetings will be held on those platforms. Seeing our corporation stick with and embrace Zoom during all the negative news reinforced my position as an investor that it is the preferred platform and isn’t just a flash in the pan. I think it was mentioned on these boards, Zoom may be the next Google, or Facebook in pop culture. When you want to look something up you say just Google it, not let me go to Bing and search for it. Zoom is becoming that phrase, changing it from a noun to a verb. Let’s Zoom!

3 Likes

These kinds of security vulnerability problems are not unique to ZM and are in fact very common in new hi-tech products. I encountered this at the security company FireEye in 2012 when I joined as the new director of quality assurance. Their network cyber attack detection technology was revolutionary and pulled down the dirty cyber pants of the whole world especially China. Every global 2000 company was clamoring for the FireEye web security product. But in a rush to market and riches, the product had never been hardened from attack itself. I was astounded by the lack of concern by people who were so-called security experts.

When your product gets name recognition in the world, you go from a hardly noticed company/product to a prime #1 target by the black hats. If you as a hacker can break in, you get bragging rights or even more. Fortunately with the help of others at FireEye, we were able to get it hardened before any major public security exposures. But even once the appliance was reasonably well hardened, attackers would figure out a way to exploit something or another. Then the extortion would begin whereby the vulnerability will be disclosed to the press if a sum of money was not paid. This is the normal daily life that Zoom will live with from here on forward. Growing pains.

The end to end encryption in my mind is not a huge concern. Most folks on webex typically require pre-join before the host and recording/playback. And most do not use passwords on their meetings because they get lazy. How many breaches have you seen in the press on webex? Well actually quite a few…here they are:
https://www.cvedetails.com/vulnerability-list/vendor_id-16/p…

And here are the ZM CVEs (Common Vulnerability and Exposures).
https://www.cvedetails.com/vulnerability-list/vendor_id-2159…

Albeit, these Zoom early basic vulnerabilities will be corrected very quickly. But the cyber war Zoom fights will continue for the long term. Albeit some Zoom corporate users will drop their use right away so I expect some revenue impact from the short term contracts. Chief security officers (CSOs) will fall back to their webex, Teams, etc. Next they will assess if the Zoom security changes are adequate. Zoom will need to bring in an independent third party to assess the product security and report. For Zoom personal users or small business users with no fallback, most will not really understand or change their service.

So I believe in time this blemish will pass. The impact to revenue with all this massive growth is hard to determine. But it will impact. I will continue to hold ZM through these growing pains.

-zane
long ZM

12 Likes