Zoom’s 90-day plan to bolster key privacy and security initiatives
blog.zoom.usI'm still not sure what to think of the whole debacle.
Zoom could be a victim of the internet mob justice, where every inevitable misstep is blown out of proportion. Perhaps the mob is helped along by some competing interests. Or Zoom could be yet another tech company with dubious ethics (like U: or F). I doubt they are outright a PLA branch, that would be far too obvious.
This isn't just idle musings - I love how Zoom allows me to share screen/whiteboard, and see people's faces at the same time. It works really well for remote dev collaboration, in some ways better than physical presence. And yet the question of safety remains.
Should I go and research WebEx?
Occam’s Razor. Zoom usage went up by 8x in a few months. Usually doubling in two years is great for a public company. So that’s 6 years of great growth, compressed into a few months. It shouldn’t be surprising to see six years of security problems also compressed into those three months.
I think Zoom is on track to fix these problems quickly and cement their spot as the best solution for videoconferencing.
Zoom had the same security issues with half the traffic. Acting like usage causes them is disingenuous.
Technically speaking, zoom has shown off great and remarkably stable/scalable features.
But that is orthogonal to whether they are putting people at risk (e.g. not-so-secret therapy sessions) or lying about their feature set (clearly claiming to have end to end encryption).
That's a straw man. GP argues that Zoom's increased popularity implies increased public scrutiny. Not that the problems are OK.
There's lots and lots of insecure software that Bloomberg doesn't write about. People click on articles about software they use.
I'm not following your argument.
I agree that increased scrutiny does not make the problem ok, but does reveal the problems more quickly.
But the only reason those points matter in the "Should I use Zoom?" question is if you're assuming all other products have the same flaws and just haven't been looked at. To which, I'm pretty confident they don't all share these problems, particularly but not limited to the "blatantly lied about the basic security features".
> To which, I'm pretty confident [other products] don't all share these problems
I am not confident of this.
I would assume that anything that isn't actively being sold into the large enterprise market has Zoom-level problems, or worse.
if bloomberg broke this (not sure), they are fully known to monetarily reward market-moving stories. sources easily searchable.
If I were a writer/editor working under this policy, making a big stink about a teleconferencing company enjoying huge growth in the current covid 19 climate would be a no brainer.
Devil's advocate, I guess: 8 times the users, 8 times (at least) the number of people to notice those problems.
Especially when work from home is now at the center of our conversation, and journalistic outlets shift their attention to newly-popular services like Zoom and Houseparty.
Regarding your last example, I'm also continually confused at the claim that Zoom has been lying about end-to-end encryption. I don't see any place where they ever claimed to encrypt anything end-to-end except for chats, and only after enabling the feature:
https://support.zoom.us/hc/en-us/articles/207599823-End-To-E...
https://support.zoom.us/hc/en-us/articles/201362723-Encrypti...
When I'm in a Zoom meeting, it says that my connection is encrypted (the green E lock thing). It does not say "end-to-end." So I always assumed that just meant that the transport layer is encrypted.
They removed the e2e claim after criticism.
It's not blown out of proportions. If anything the major securities issues went mostly unnoticed in the noise of the media trying to bank some ads revenues.
There were 2 RCE that would have allowed anybody to easily take over any computer using zoom. The first one last year was wormable, triggered by simply visiting a website with no interaction (like a javascript ad).
Other video conference tools don't have these because they didn't try to provide the same features or work around the OS.
Except for Skype, that still has one samba relay attack left like zoom, that went mostly unnoticed. From my research they had the exact same issue but blocked the RCE part in 2018 CVE-2018-8311 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8311
Sketchy package installer to boot https://macpkghallofshame.tumblr.com/post/138612887932/indis...
>dubious ethics
Yeah, I think datamining to steal and sell your LinkedIn account counts as dubious ethics. Or claiming to have E2E but actually they don't.
There is a good share of incompetence as well, like the CSP issues.
Using AES in ECB mode and doing key exchange on servers in the PRC are not simply "missteps".
"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...
So were they really sending data to servers in China? From what little I've heard and read about this, that is what stood out to me. Not sure they should ever be trusted again after that.
I think this is the Zoom response to that one: https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...
As I read it they accidentally routed some data to China based servers for a month (Feb 2020) due to a config mess up during their crazy fast scaling period. This is since fixed.
They were making requests to IPs in China long before Feb 2020. At the time I assumed they’d been hacked, but in retrospect it seems like this was just how their organisation is distributed.
Needless to say, I have decided not to endorse their videoconferencing solution.
Do you have evidence of this?
I'm inclined to believe that for now. Though I fully expect that a bunch of security researchers will be taking a very close look indeed at exactly what data is still going to or through China. I am open to changing my mind upon seeing evidence that, after being informed of the problem and promising to correct it, they failed to resolve the issue and continue to send data to any country it doesn't need to go to.
Serious hypothetical question: suppose you're able to capture all Zoom calls. If you're a foreign government, how do you scale the analysis, and what can you generally do with the information?
It'd be hard to get a useful amount of trade secrets or know-how. You'll see partial schematics and design docs, but without much context. At the executive level, you could at least scale the analysis to have actual people monitoring the calls. You could get broad strategy (e.g. launch a mid-range 5G phone in 2021 Q1) and enough financial information to make some well-informed trades.
The NSA figured this out in the 90s -- you filter based on metadata and then retrieve the corresponding data if necessary. Aside from the fact that this (in the NSA's view) allows them to sidestep the 4th amendment, it's usually much more effective than sifting through billions of records every day. That same system lives on today with XKeyScore (or whatever they've replaced it with in the past 7 years).
Hard drives are pretty cheap, particularly for a government. Store it all now, target your analysis narrowly later at your leisure.
Do you know how much data that would have to be? Scaling that seems improbable.
The NSA has built a data center in Utah specifically for this problem[1], so it's hardly beyond the realm of plausibility.
Year-old data isn't worth very much.
There's no reason to think they'd have to wait a year. High value targets, like SpaceX had they not banned the use of Zoom, would obviously receive priority treatment by the Chinese intelligence community. My point here is that the analysis doesn't need to be done in real time, they could store the data and review it a few hours later, or whenever they wanted.
(For that matter, there is certainly a lot of data that would be useful a year later. Some data could be valuable even many years later. Taking SpaceX as an example, it should be obvious that old data could be valuable.)
Zoom's web SDK and web client were down for nearly four days over the weekend with minimal communication, and when they brought it all back they killed a key functionality the education market needs which is the ability to join a meeting without an account: https://devforum.zoom.us/t/in-progress-web-sdk-web-client-fr...
You can still activate this functionality in the settings, it now only deactivated by default due to the public outcry over Zoombombing etc.
Amusing that many of the changes lowered accessibility significantly (e.g. my grandmother wasn't able to join the meeting anymore after passwords became default). I still don't get it. Skype was way worse in my opinion and nobody ever cared about it.
Actually this isn't true anymore, they have since added the _option_ to not require an account when using the web client. The Web SDK still works like before and also doesn't require an account.
But I agree, the way it was handled was harrowing.
Thanks! I fell out of the loop with this.
Shouldn’t schools be using SSO with Zoom Education, or does that cost money?
I believe that costs money. But quite cheap actually.
My college (~2200 students + a couple hundred faculty/staff) pays $18k/yr for Zoom Enterprise. Good value, I'd say.
Why is the need for an account a showstopper?
Many students aren't old enough to create their own accounts and getting parents to create accounts and provide credentials is a bureaucratic mess for the schools I volunteer with.
The school needs an education account and students should be able to join meetings hosted through a school account:
> Students under the age of 18 should not go to www.zoom.us to create an account because (i) they should only be joining Zoom meeting sessions as participants (not separate account holders) through the School Subscriber’s account and (ii) minors are not permitted to create an account per Zoom’s Terms of Service. The School Subscriber’s account administrator (e.g., teachers) should securely and confidentially provide meeting information and meeting passwords to the student users to ensure the school can maintain supervision and control over its student users’ meeting experiences. If students have already signed up for individual accounts, Zoom can assist schools in fixing this.
The school should contact their account rep about this. I bet they can fix it quickly.
"90 day plans" tend to be management & PR things... Real engineering is more of a "it takes as long as the job takes"...
Can you blame them? Most users and purchasers (at a lot of companies the people making purchase decisions aren't actually the users) don't really understand or care about how long real engineering takes. As long as they made a decision to pick a vendor based based on the principles of Cover Your Ass it's all that matters.
It's another primary reason why so many "enterprise" companies purchase Redhat over running CentOS.
Yep, entire post is pure marketing signaling and nothing in the way of details.
Eric Yuan is the real deal. He's an engineer and is taking this seriously. This isn't marketing spin.
uh, is that an outlook-email link with someone's username in? The one linking to Alex.
Yup. Looks to be their email address. Email is from PR firm Sard Verbinnen & Co.
Safelinks have the email address of the recipient of a link.
To be fair, Alex's public profile includes a link to his email: https://cisac.fsi.stanford.edu/people/alex-stamos-0
Probably someone internally emailed Alex's Stanford profile to their blog content writer - the sender had email tracking enabled and the writer blindly copied the link.
and this is why product over security always wins.
there's mob mentality right now, but zoom got a TON of customers, and now is gonna have proof of end-to-end encryption in a couple of months.
boom.
zoom wins.
honestly just don't talk on zoom about something highly secretive such as ... idk... something a government is interested in as that isn't currently secure, other than that, don't sweat it.
They are very unlikely to have end-to-end security in a couple of months, for the same reason few (if any) of their competitors have it: it is really bandwidth intensive to send full-resolution video of every participant to every other participant. So everyone sends low-res for most participants, and at most one high-resolution stream. To do this you have to be able to make low-resolution streams out of the high-resolution one people are sending you (to pass along to others). That means you have to terminate encryption on the server side. Once you have done that you are no longer "end-to-end". This is just the state of things.
This is a valid tradeoff for most things, but the real problem here is that Zoom claimed (and continues to claim) "end-to-end encryption", while not providing it. That is a lie, and people naturally wonder what else you are lying about.
You can also send two streams (high and low quality) from each client and make other clients request the right one from the server. Yes, it's slightly more bandwidth than before and now complexity. No, it doesn't require full mesh of connections to be E2E.
And don't install the Zoom app on a computer where you store secretive data, such as medical information, private keys, passwords, credit card data or anything that you don't want the government or cyber-criminals to know.
Doesn't sound as easy now.
There is some evidence that they have a form of useless end to end encryption now. Since hardly anyone knows what the prerequisites are for useful e2ee they can probably make the announcement whenever they want.
My company banned the use of Zoom on company computers or computer connecting to the company network.
Has anyone else had this happen to them?
The very large company I work for banned all video conference software except for what is provided by the company. I don't think it is just about security, but make everyone use the same system(s) because it just got too confusing to communicate with other divisions or even departments. You can search for people in other divisions and then video chat with them if you want, or just plain old school voice chat.
Luckily, the software we are required use works pretty well on iOS, Android, OSX and Windows.
No one I know has had it happen yet at their places of work, but I saw a lot of discussion about New York City schools issuing a ban earlier this week [1].
[1]: https://www.businessinsider.com/new-york-city-schools-bannin...
Supposedly Google just did.
Mac App Store version when?
Or even a non-MAS app that's sandboxed, if it's going to be free anyway and they prefer to manage their own release schedule.
I wonder if Google and Apple were directly involved in the campaign against Zoom.
They’re in the same bed as China. I don’t trust them for anything now, this to me is just a PR management exercise. They’re still going to give away your data
Would you please stop posting unsubstantive and/or flamebait comments to HN? We're hoping for a better quality of discussion than this, and (especially) than what it leads to. Case in point: see below.
I believe the GP was referencing Zoom's encryption going through China's servers, which was on HN's recently: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...
There are valid criticism to be discussed about China's actions and how much Zoom should be trusted given its close relation.
There's been many criticism of the US government here and I never see anything flagged or removed, I would consider that nationalistic and provocative under the same guidelines. I just don't see why the China discussions are removed.
> There are valid criticism to be discussed about China's actions and how much Zoom should be trusted given its close relation
Yes, and that's why comments about it should be thoughtful and substantive—not drive-by flamebait leading to useless flamewars about NATO and Winnie the Pooh.
> There's been many criticism of the US government here and I never see anything flagged or removed
That happens often. If you never see it, that's because of a cognitive bias: we notice and weight more strongly—that is, we see—what we dislike. https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que.... People on the opposite side of this question have exactly the opposite complaint.
Zoom won the proverbial lottery with this pandemic and lost their ticket through greed/laziness. Great companies are always prepared when their big break comes. Zoom is not a great company.
You don't have to be a great company to win in the market. I'd bet that zoom still maintains dominance and manages to con people into believing that they're super secure now guys.
It looks to me like they've still won the lottery.
I can't quite figure out what's going on with this thread. It seems to have an eerie amount of posts about support for Zoom, perhaps by paid trolls ("wumaos")?
Please don't break the site guidelines by posting insinuations of astroturfing. Overwhelmingly, such perceptions are simply in the eye of the beholder. I say that based on many years of looking at that data, and you can find more explanations here than anyone would ever want to read: https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme....
https://news.ycombinator.com/newsguidelines.html
If you're worried about this kind of thing, follow the site guidelines and email hn@ycombinator.com so we can look into it. (We always do.) In this case, though, the simplest explanation seems adequate: the community is divided. When there's a popular divisive topic, people who feel strongly for side A always feel like the amount of support for opposing side B is 'eerie', because it's hard to imagine how it could possibly be in good faith. Of course B feels the same way about A.
Edit: oh dear. It seems like you've been using HN mostly for nationalistic battle lately. We ban accounts that do that, so please stop. It's emphatically not what this site is for, regardless of which nations are at issue.
I can only assume CISO is Chief Information Security Officer? I hadn't seen the acronym before. Bad Zoom for not writing it out in full on the first instance.
I only first encountered it a year or two ago. It's pretty difficult to keep up with management/marketing buzzwords.
In any case, anyone at the 'C' level almost by definition knows little or nothing about actual computer security.
"CISO" is a pretty standard acronym. People who don't work in cybersecurity or who don't have that background might not recognize it, but it seems like a minor detail.
Sure, it's a minor detail. And yes, you can say the audience for this post are people who work in cybersecurity. But it costs nothing to introduce the acronym, as is usually recommended. Without it you are alienating anyone who doesn't know the term.
Serious question - would you feel the same way about using CEO or CFO without spelling out what they stand for?