by irjustin 2264 days ago
As the previous discussion already noted it seems disingenuous.

Spacex has real security concerns with national security secrets and trade assets.

Schools' primary goal should be accessibility when it comes to teaching, and Zoom arguably, with its better video/audio, has the best even with glaring security flaws (that do not necessarily seem decidedly worse than Hangouts).

Banning Zoom seems to be getting on the negative news train and applying the old adage, "everything looks like a nail."


We're talking about videos of children in their homes, in many cases probably their bedrooms. If they have to use it for school, they may also use it with their friends other than for school work as they will have it set up and know how to use it. I think the risks of illicit access to that material are pretty clear, and there are several serious vulnerabilities in Zoom that can grant direct access to video chats and saved videos, plus numerous other vulnerabilities.
None of that, while distasteful, seems to signal any national security or personal security risk. This seems pretty hyperbolic. Why on earth would the Chinese government want access to videos of children in bedrooms? Ridiculous.
There are more reasons to not give access than personal or national security. Privacy is one. We shouldn't be in a situation where you need to explain why you need privacy. It should be the default.
I don't disagree, I'm just tired of the (in this case blatant) "but think of the children" in situations where it's totally irrelevant.
"Think of the Children" is when an issue that has only tangentially or tenuously anything to do with children, and may not even be a legitimate concern anyway, uses a notional impact on children as emotional leverage to gain undeserved attention.

This case is literally and specifically about the protection of specific children from a proven risk.

Is the proven risk that China is snooping on American children? If so, I'm sure I'd have read it everywhere. If not, it's sensationalism. The case is literally and specifically about Zoom having the ability to snoop. Children are ancillary.
What "proven risk" is that?
There are two vulnerabilities in particular that can grant access to videos to hostiles. One is that Zoom video chat IDs are short enough and low enough entropy to be guessable. Also, saved videos have a standard naming scheme that makes their file names guessable and therefore accessible publicly. However, any vulnerability, especially intentional ones knowingly trading convenience for security or implemented deceptively, is not acceptable, especially when we're dealing with the privacy of children.
That's a pretty silly concern when photos and videos of the same children are spread across Facebook and other platforms willy nilly.
Those are photos and videos they have intentionally shared. Not supposedly secure private video sessions. If private chats and videos on Facebook of e.g. teenage girls' virtual sleepover parties were also trivially accessible by strangers, that would also be an equal concern.
Can you imagine the lawsuits that are gonna come pouring in because some hacker was able to control the webcam on a student's MacBook because Zoom's installer basically acts as an insecure rootkit, and takes videos of a kid in his private moments and releases them to the internet?
No one has hacked their installer.
So why target Zoom specifically?

You're asking a broader question of children's safety. 100% it's a valid concern, but video tele-learning should be under fire then.

Zoom isn't being "targeted". They have repeatedly been in the news for gross security failures and personal privacy abuses. Other video services have not because they have not had this series of failures and abuses. That is not "targeting" Zoom, that is reality being appropriately reported that Zoom has bad and suspicious security practices and probably should be avoided.
Because Zoom in particular not only has numerous demonstrated security vulnerabilities, many of which are apparently intentional features, but has also shown a recklessly cavalier attitude to security generally. Surely it makes more sense to use and promote solutions from companies with better track records on security and privacy, which at this point seems to be pretty much anybody else.
I would agree with you on the point on adoption outside the school. Btw, what kind of serious vulnerabilities in Zoom are you talking about? Been using it in a big tech company for almost two years already. Our sec department seems confident with it afaik.
Please elucidate these "risks", because they are far from clear.
How on earth is it acceptable to force students (who have pretty much no position to argue) to install what is effectively malware?
You can use Zoom online without installing anything.
I tried that the other day and could only get a 403. Is their web portal still active? I ended up just dialing in.
They disabled it temporarily (https://status.zoom.us/incidents/16ll08mmddk6)
After exhausting all other options. And the malware peddlers are still ultimately getting their payday.
What would you use instead?
That's what I'm planning. I've been happy enough with jitsi that I'm going to run my own and enforce auth policies.
Whatever it is has to be super easy to use.

Source: Father of two teenagers struggling with getting them acclimated to online school right now.

"negative news train", disregarding importance of security for schools? What are you talking about? The negative news train is just the negative series of revelations about Zoom. There is no media conspiracy here.
Zoom sent data to Chinese data centers during the surge. Source: https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-...
I respectfully disagree. I feel it is safe to say that Zoom have some serious issues in their development process. It seems every other day there is some new issue. Install fuckery on macOS, lying about E2EE, including code they did not properly understand, etc.

We talk so much about wanting to protect children that we should not be using software that gives audio and video access to their computers that we do not have confidence in.

>> including code they did not properly understand, etc.

Yeah we understand all of our code, right? I'm developing an Electron app. I let you guess how much I know about the code behind Electron/Chromium.

>> We talk so much about wanting to protect children that we should not be using software that gives audio and video access to their computers that we do not have confidence in.

Let's start banning facebook. Shall we?

I know you're saying that in jest but it's a good idea. If my wife wasn't sometimes active with a NPO, I'd have it filtered at the network.
> Yeah we understand all of our code, right? I'm developing an Electron app. I let you guess how much I know about the code behind Electron/Chromium.

I get your point, however I feel there is a difference between not having full understanding of the platform you are using (be it Electron, Windows, macOS, Linux, etc) and a small library from Facebook of all companies. The fact they were able to change/fix the issue within a day(?) says to me they just didn't bother to look at what it was really doing in the first place.

> Let's start banning facebook. Shall we?

Is Facebook not banned, or at least extremely restricted, within the New York school network? My daughter's school in the UK has a complete block on Facebook.

But yes I would happily ban Facebook. I feel the value it adds is not worth the trade off. For the purely social connection functionality (which I do see value in obviously) there are other options that are not as dirty as Facebook.

Regarding the macOS installer: did this turn out to be real? Last time I saw this turn up, there seemed to be some question: https://news.ycombinator.com/item?id=22750619
There is no question that it was a real problem, details available in the linked post: https://objective-see.com/blog/blog_0x56.html

The only question is different interpretations of “fake”: it is a real system dialogue, invoked by a deprecated API; it is fake in that the text is set by Zoom to trick the user into allowing it to install itself without approval.

The reason SpaceX banned it is because of legal reasons: they can't export their tech. When children are involved, there are very similar legal concerns: they can't export the data associated with the children, aka: the video feed. I think both bans of Zoom are reasonable.
Why would schools need to export video feeds?
Right now it's been proven Zoom lied about some parts of its tech, particularly the end-to-end encryption part, so the state probably sees it as a legal risk if anything were to accidentally get out or get hacked.
> As the previous discussion already noted it seems disingenuous.

> Schools' primary goal should be accessibility when it comes to teaching, and Zoom arguably, with its better video/audio, has the best even with glaring security flaws (that do not necessarily seem decidedly worse than Hangouts).

Schools also have the primary goal that elementary school children are not exposed to male genitalia, pornography, graphic violence & the like under __any__ circumstances.

It doesn't matter if the first occurrence was a zoombomb, and it's fixed now, or the standard tech reply of "oh, well, it had the wrong settings."

Parents have zero tolerance for these things. They'll be coming for someone's head if it happens. Let alone if it happens again.

And no school administrator is going to put their job on the line once trust in a platform is destroyed.