Hacker News
by martyvis 2820 days ago
> "I would claim that nobody pays attention or verifies that there are no unexpected attendees before starting a meeting, specially for longer ones."

I know for our work Skype for Business meetings we interrogate unidentified guests and boot them if they fail to appropriately identify themselves.

I have thought that long-running recurring meetings are a security risk because of the use of the same PIN.


When you have a long list of attendees in a large organization, it's almost impossible to do that with everyone.
To use calculus as an analogy, as the number of people in your meeting approaches infinity, the confidentiality of that meeting approaches 0 anyway. You may still verify everyone's identity, but someone is going to be leaking enough information that it's close enough to just having a lurker who shouldn't be there.
A more cynical person might suggest the limit is approached as the number of participants approaches two...

"Three may keep a secret if two of them are dead." -- Benjamin Franklin

Could add breaks where key information is given that's slightly different for each participant.

Mole-Hunter-As-A-Service™

How about a security feature designed by old computer game aficionados? Every fifteen minutes there's an enforced break. Hold music begins playing. After a moment the music fades and a synthesized voice says "Turn to page...23...of your employee manual. In the...third...paragraph, note the...first...word. Enter the first three letters of that word using the keys on your touchtone phone, and you will rejoin the meeting."
Unless you can ensure that everyone on the meeting is an authenticated user or was approved to join by one.
No, what I'm saying is with enough people, even if you authenticate everyone, one of them will violate confidentiality anyway. I've been in meetings where there was no teleconferencing of any kind, but sure enough the decision was leaked before being official anyway. As you get more and more people (or as you get enough people that the above solutions are considered unscalable) that approaches inevitability.
Do you happen to know if there are any published studies on this? I'd find it particularly interesting how well this number (curve) correlates with Dunbar's Number.
I don't. Hadn't even heard of Dunbar's Number and had to Google it :) I would imagine, though this is pure speculation, that it's highly variable and hard to measure accurately since most leaks are hard to pinpoint. Probably depends on company culture, nature of the deal, etc. I just think that if you're at the scale that verbally confirming who has dialed in via insecure means is unscalable, you're likely enough to be past this limit that you should be taking other countermeasures anyway.