by simonh 2264 days ago
We're talking about videos of children in their homes, in many cases probably their bedrooms. If they have to use it for school, they may also use it with their friends other than for school work as they will have it set up and know how to use it. I think the risks of illicit access to that material are pretty clear, and there are several serious vulnerabilities in Zoom that can grant direct access to video chats and saved videos, plus numerous other vulnerabilities.

None of that, while distasteful, seems to signal any national security or personal security risk. This seems pretty hyperbolic. Why on earth would the Chinese government want access to videos of children in bedrooms? Ridiculous.
There are more reasons to not give access than personal or national security. Privacy is one. We shouldn't be in a situation where you need to explain why you need privacy. It should be the default.
I don't disagree, I'm just tired of the (in this case blatant) "but think of the children" in situations where it's totally irrelevant.
"Think of the Children" is when an issue that is only tangentially or tenuously anything to do with children, and may not even be a legitimate concern anyway, uses a notional impact on children as emotional leverage to gain undeserved attention.

This case is literally and specifically about the protection of specific children from a proven risk.

Is the proven risk that China is snooping on American children? If so, I'm sure I'd have read it everywhere. If not, it's sensationalism. The case is literally and specifically about Zoom having the ability to snoop. Children are ancillary.
I'll reluctantly repeat the below from another post of mine on this thread:

There are two vulnerabilities in particular that can grant access to videos to anyone. One is that Zoom video chat IDs are short enough and low enough entropy to be guessable so it's possible to crash meetings. Also saved videos have a standard naming scheme that makes their file names guessable and therefore accessible publicly, as anyone who knows the file name can access any saved video.

Both of these are deliberate choices. They made meeting IDs short and memorable, which makes them guessable. They also wanted saved videos to have meaningful names derived from meeting and user metadata, but again that means they are guessable, and easy to access without annoying security controls.

What "proven risk" is that?
I already answered that to a sibling post to yours 2 hours before your post.
There are two vulnerabilities in particular that can grant access to videos to hostiles. One is that Zoom video chat IDs are short enough and low enough entropy to be guessable. Also saved videos have a standard naming scheme that makes their file names guessable and therefore accessible publicly. However, any vulnerability, especially intentional ones knowingly trading convenience for security or implemented deceptively, is not acceptable especially when we're dealing with the privacy of children.
That's a pretty silly concern when photos and videos of the same children are spread across Facebook and other platforms willy-nilly.
Those are photos and videos they have intentionally shared. Not supposedly secure private video sessions. If private chats and videos on Facebook of e.g. teenage girls' virtual sleepover parties were also trivially accessible by strangers, that would also be an equal concern.
Can you imagine the lawsuits that are gonna come pouring in because some hacker was able to control the webcam on a student's MacBook because Zoom’s installer basically acts as an insecure rootkit, and takes videos of a kid in his private moments and releases them to the internet?
No one has hacked their installer.
So why target Zoom specifically?

You're asking a broader question of children's safety. 100% it's a valid concern, but video tele-learning should be under fire then.

Zoom isn't being "targeted". They have repeatedly been in the news for gross security failures and personal privacy abuses. Other video services have not because they have not had this series of failures and abuses. That is not "targeting" Zoom, that is reality being appropriately reported that Zoom has bad and suspicious security practices and probably should be avoided.
Because Zoom in particular not only has numerous demonstrated security vulnerabilities, many of which are apparently intentional features, but has also shown a recklessly cavalier attitude to security generally. Surely it makes more sense to use and promote solutions from companies with better track records on security and privacy, which at this point seems to be pretty much anybody else.
I would agree with you on the point on adoption outside the school. Btw, what kind of serious vulnerabilities in Zoom are you talking about? Been using it in a big tech company for almost two years already. Our sec department seems confident with it afaik.
Please elucidate these "risks", because they are far from clear.