by sbr464 2820 days ago
I recently had a sales call with a potential vendor (they were a startup). They used the same number and meeting code for all of the meetings. I had accidentally called in about 10 minutes early and was dumped into another conversation, and heard the other potential customer talking. It was odd how insecure and weird it was. I think this is a potential issue for all meeting services.
3 comments

I just checked and the meeting code is still valid. It was from a meeting from mid June 2018, using the zoom.us service. It's a meeting room/code assigned to a specific rep. Reused/resent to all leads.
Probably their "personal meeting room" -- Zoom makes it very easy to just use that for all of one's meetings. For intracompany use, I've used it, but I prefer to not use it for intercompany discussions, too much chance of leakage.
Yes that's correct, it was a personal meeting room for a salesperson. But don't you think it's odd that I can call in to any meeting for months on end? Or that someone could do that to you? We were talking to them about a partnership deal, and would have needed to sign a contract which included certain non-disclosures etc. Yet someone could just call in and listen?
Massive security hole. You could set up a bot constantly in the call and record all the conversations. It could be set up with a seemingly official name like "admin" or the name of the company, so anyone looking at the live list of attendees would think it's a normal maintenance bot from either the company or the service.
It's possible to lock out the conference room from new attendees. Also as someone who drives conference calls, I would be sure to eject anyone who I did not know on the call... I monitor participants constantly.
I use zoom for interviews and run into the same issue using my personal room for back-to-back interviews. My solution is to enable the waiting room feature. This makes it so that people can call in, but need to be admitted to the actual room. This works well for the interviews. The problem is that it's an account-wide setting and cannot be disabled for specific meetings. So now there is a problem if I set up the room for a recurring meeting and am out sick and forgot to disable the waiting room.
I see two issues with that strategy. If you lock a meeting, people can't connect who may just be late, or if they disconnect accidentally, they can't reconnect. The second is most calls aren't webinars or organized events. These services get used by 1-on-1, 2-on-1, etc., smaller calls frequently. It could be difficult to stay engaged and be expected to diligently secure a call.

I don't think we'd expect this level of security to be acceptable for email access. It's really just a matter of enforcing a PIN, along with a meeting code.

I get an email if someone enters my personal waiting room. I would notice if someone I didn't know was logged in during a meeting.
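The two defensive habits mentioned in the comments above (ejecting anyone you don't recognise, and noticing a join that doesn't belong to the call you are in) can be automated when a reused room has a known schedule. The following is an added example, not code from the thread or from Zoom: it assumes a hypothetical join log with one JSON object per line (meeting_id, display_name, joined_at) and a constructed schedule listing which attendees each call expects, and flags joins that land outside any scheduled slot or that bring an unexpected name into a slot (the early caller dumped into someone else's demo, or an "admin" that nobody invited).

```python
"""Flag risky joins to a reused (personal) meeting room from a join log.

Added example for illustration; the log format and schedule are constructed
assumptions, not a real Zoom export.
"""
import json
from datetime import datetime, timedelta

# Constructed schedule: the same personal room id is reused for every call,
# which is exactly the situation the thread describes.
SCHEDULE = [
    {"meeting_id": "555-000-1234", "title": "Vendor demo, customer A",
     "start": "2018-06-14T15:00:00", "end": "2018-06-14T15:30:00",
     "expected": {"Sales Rep", "Customer A"}},
    {"meeting_id": "555-000-1234", "title": "Vendor demo, customer B",
     "start": "2018-06-14T15:30:00", "end": "2018-06-14T16:00:00",
     "expected": {"Sales Rep", "Customer B"}},
]

# Constructed join log (hypothetical format), one JSON object per line.
JOIN_LOG = """
{"meeting_id": "555-000-1234", "display_name": "Sales Rep", "joined_at": "2018-06-14T14:58:00"}
{"meeting_id": "555-000-1234", "display_name": "Customer A", "joined_at": "2018-06-14T15:01:00"}
{"meeting_id": "555-000-1234", "display_name": "Customer B", "joined_at": "2018-06-14T15:20:00"}
{"meeting_id": "555-000-1234", "display_name": "admin", "joined_at": "2018-06-14T15:35:00"}
{"meeting_id": "555-000-1234", "display_name": "Customer B", "joined_at": "2018-06-14T15:31:00"}
{"meeting_id": "555-000-1234", "display_name": "Sales Rep", "joined_at": "2018-06-14T16:45:00"}
"""

GRACE = timedelta(minutes=5)  # joining this early for your own call is normal


def parse_log(text):
    """Parse the newline-delimited JSON log into a list of join events."""
    return [json.loads(line) for line in text.strip().splitlines()]


def scheduled_slot(meeting_id, when, schedule):
    """Return the schedule entry covering `when` (with grace), or None."""
    for m in schedule:
        if m["meeting_id"] != meeting_id:
            continue
        start = datetime.fromisoformat(m["start"]) - GRACE
        end = datetime.fromisoformat(m["end"])
        if start <= when <= end:
            return m
    return None


def flag_joins(log_text, schedule=SCHEDULE):
    """Return (finding, event) pairs for joins that deserve a second look."""
    findings = []
    for ev in parse_log(log_text):
        when = datetime.fromisoformat(ev["joined_at"])
        slot = scheduled_slot(ev["meeting_id"], when, schedule)
        if slot is None:
            # Nobody should be in the room when no call is scheduled.
            findings.append(("join outside any scheduled slot", ev))
        elif ev["display_name"] not in slot["expected"]:
            # Someone landed in a call they were not invited to.
            findings.append((f"unexpected attendee in '{slot['title']}'", ev))
    return findings


def reused_rooms(schedule=SCHEDULE):
    """Meeting ids that serve more than one scheduled call (room reuse)."""
    counts = {}
    for m in schedule:
        counts[m["meeting_id"]] = counts.get(m["meeting_id"], 0) + 1
    return sorted(mid for mid, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("rooms reused across calls:", reused_rooms())
    for reason, ev in flag_joins(JOIN_LOG):
        print(f"{ev['joined_at']} {ev['display_name']!r}: {reason}")
```

Run against the constructed log it reports three findings: Customer B joining ten minutes early lands in customer A's demo, "admin" appears in customer B's call uninvited, and a join at 16:45 hits the room when nothing is scheduled. The grace window is the knob to tune: too small and every punctual attendee is flagged, too large and the early-join leak the original poster hit goes unnoticed. A per-meeting code, as the last comment in the thread describes, makes the first two findings impossible rather than merely detectable.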
I also mentioned it to the sales guy, but he was unfazed, which I think shows a lack of respect for customer privacy, even though he probably didn't realize it.
This is really unfortunate but all too common. Sales guys are typically (as a type/group) improvisational in nature. They actually thrive in insecure environments, because solving problems as they occur (i.e. putting off security for later) gives them more freedom and flexibility _right now_, which is what they crave. They tend to wonder "why are you using valuable money-making time to secure that which is constantly expanding--maybe we won't even need this system tomorrow" and so on.

(So goes the thinking; it obviously has its pros and cons...and HN readership eats these guys' psychology for breakfast anyway, with a generally systems-focused mindset)

Also, you can't know what you aren't taught.
You don't know what you don't know.
You keep responding to your own post. Curious why you thought this was appropriate or necessary.
The meeting/conferencing system at my workplace generates a unique code for each meeting. The major downside to this is that the codes are very long, twice as long as they'd need to be if we just assigned a code to every employee (which is what my last employer did).