“Anything that needs a security clearance should not use Zoom. Not governments, not commercial secrets, until Zoom can provide true end-to-end encryption that they cannot decode at any point in the transmission.”
Denny… I always appreciate your input. One of the items I have been trying to flesh out with nothing more than a Google search is whether or not other video communication providers have the same vulnerabilities. In my desktop research, there just appears to be so much conflicting information and misinformation.
Question: Do you or any other members of the board have an educated opinion regarding security/secrecy capabilities of the leaders in the video conferencing segment?
1 Like
Question: Do you or any other members of the board have an educated opinion regarding security/secrecy capabilities of the leaders in the video conferencing segment?
Only an educated guess. For complete end-to-end encryption all end user apps must have the encryption protocol. Zoom and all others that can connect with third party apps must be able to decrypt at the server and send clear to the foreign apps. If they can decrypt at the server, secrecy is LOST and security is somewhat compromised.
Denny Schlesinger
Saul,
You might very well get your wish to buy more on Monday given how FUDsters are coming out on twitter:
https://twitter.com/PatrickMoorhead/status/12468779676214599…
"For everybody patting Zoom on the back for its apologies and promises to do better, keep in mind it LIED about:
-AES256 (128)
-E2E encryption (TLS)
-geofenced keys (China-US)
These aren’t “mistakes”. It has a culture issue.
Guess I am a little late to this thread but I have a couple comments.
The encryption algorithms, certificates, and key sizes that ZM uses should be easy to change, either by an app upgrade or by reconfiguration at user sign in.
The routing of ZM sessions and load balancing of demand should be easy to reconfigure to not use China based servers or restrict to US servers.
The AES 128 vs 256 bit keys and ECB are all really low risk vulnerabilities. AES exploitation is extremely hard and expensive to achieve. Good enough for everybody except highly classified operations.
Lastly, Zoom has had FedRamp certification since May 2019! This means their services have had a full security colonoscopy. The US government has already required this. I trust the FedRamp certification process; there are no classified operations being performed with inadequate encryption services or by our US or close allies on Chinese servers. A FedRamp certification is expensive, thorough, and takes a long time.
Zoom Achieves FedRAMP Moderate Authorization
https://blog.zoom.us/wordpress/2019/05/07/zoom-achieves-fedr…
My only complaint on the ZM CEO is why he did not advertise his FedRamp approval. Hmmmm.
-zane
2 Likes
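The "ECB" item in the post above refers to a block cipher mode, and it is worth seeing concretely why reviewers flag it. The following Go program is an added example, not code from this thread or from Zoom: it encrypts a constructed plaintext made of repeated 16-byte blocks under AES-128, once in ECB mode (each block encrypted independently) and once in CBC mode (each block chained into the next), and counts how many distinct ciphertext blocks come out. The key, IV and plaintext are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 16-byte AES-128 key and IV, for this demonstration only.
// A real system generates both from crypto/rand, the IV fresh per message.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// demoPlaintext is constructed: 8 blocks of 16 bytes, only 3 of them distinct.
// Media frames or documents with repeated regions behave the same way.
func demoPlaintext() []byte {
	a := []byte("AAAAAAAAAAAAAAAA")
	b := []byte("BBBBBBBBBBBBBBBB")
	c := []byte("meeting-secret!!")
	var pt []byte
	for _, blk := range [][]byte{a, a, b, a, c, b, a, a} {
		pt = append(pt, blk...)
	}
	return pt
}

// encryptECB encrypts block by block with no chaining. Go's standard library
// deliberately ships no ECB helper, so the mode is written out by hand here.
func encryptECB(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// encryptCBC XORs each plaintext block with the previous ciphertext block
// (the IV for the first), so repeated plaintext does not repeat in the output.
func encryptCBC(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext length %d is not block aligned", len(pt))
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// distinctBlocks counts how many different 16-byte blocks appear in data.
func distinctBlocks(data []byte) int {
	seen := map[[16]byte]bool{}
	for i := 0; i+16 <= len(data); i += 16 {
		var k [16]byte
		copy(k[:], data[i:i+16])
		seen[k] = true
	}
	return len(seen)
}

// BlockLeakage returns the distinct-block counts of the plaintext, its ECB
// ciphertext and its CBC ciphertext. ECB reproduces the plaintext's count
// (equal blocks in, equal blocks out), CBC yields a different block every time.
func BlockLeakage() (int, int, int, error) {
	pt := demoPlaintext()
	ecb, err := encryptECB(demoKey, pt)
	if err != nil {
		return 0, 0, 0, err
	}
	cbc, err := encryptCBC(demoKey, demoIV, pt)
	if err != nil {
		return 0, 0, 0, err
	}
	return distinctBlocks(pt), distinctBlocks(ecb), distinctBlocks(cbc), nil
}

func main() {
	p, e, c, err := BlockLeakage()
	if err != nil {
		panic(err)
	}
	fmt.Printf("distinct blocks: plaintext=%d ecb=%d cbc=%d\n", p, e, c)
}
```

The point the counts make: an observer of ECB output cannot read the blocks, but can see exactly which positions of the plaintext are equal to each other, which is a structural leak independent of whether the key is 128 or 256 bits. Chained or counter-based modes (CBC, GCM) remove that pattern, which is why an audit treats the choice of mode separately from the choice of key length.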
My only complaint on the ZM CEO is why he did not advertise his FedRamp approval. Hmmmm.
Only the Zoom For Government version, which apparently runs on government servers, received FedRamp.
Since the government controls the servers, it would be their fault, not Zoom’s, if encryption keys ended up on servers located in China. ;^)
5 Likes
Yep smorgasbord1, I know these policies and controls are only on the FedRamp cloud. But their FedRamp, FIPS, and other security software changes are most likely on both the commercial as well as the FedRamp cloud. They are just not activated on the commercial cloud. That means these extra security policies could be enabled ‘as they make sense’ for the commercial cloud (e.g. cryptographic modules, key management, AAA, etc.). (Some of these government changes would not make sense for commercial.) The FedRamp certification also means that they had a complete external security assessment already. So their attack surface has been hardened to some extent.
So I am just saying the Zoom engineers did not just fall off a log in regards to security. And the Zoom software is not a bunch of rookie junk. The engineers just did not understand how easy it was for the casual user to expose their Zoom meetings. In fact there were no clear instructions on how the user can better secure their meetings. This was their failing.
BTW, my Windows Zoom app client just received an Update Available notice.
Release Notes 4.6.9
- removes meeting ID from the title
- moves invite button
New and enhanced features
- New security button in host's meeting toolbar (need to try it)
Minor bug fixes.
Clearly they had some easy changes that they could get out right away. I believe all hands are on deck.
-zane
1 Like
Just tried the updated software.
The new Security Button now allows you to lock the meeting so nobody else can join. So no more zoombombing, I guess.
-zane
1 Like