I'm still not sure what to think of the whole debacle.
Zoom could be a victim of the internet mob justice, where every inevitable misstep is blown out of proportion. Perhaps the mob is helped along by some competing interests. Or Zoom could be yet another tech company with dubious ethics (like U: or F). I doubt they are outright a PLA branch, that would be far too obvious.
This isn't just idle musings - I love how Zoom allows me to share screen/whiteboard, and see people's faces at the same time. It works really well for remote dev collaboration, in some ways better than physical presence. And yet the question of safety remains.
Occam’s Razor. Zoom usage went up by 8x in a few months. Usually doubling in two years is great for a public company. So that’s 6 years of great growth, compressed into a few months. It shouldn’t be surprising to see six years of security problems also compressed into those three months.
I think Zoom is on track to fix these problems quickly and cement their spot as the best solution for videoconferencing.
Zoom had the same security issues with half the traffic. Acting like usage causes them is disingenuous.
Technically speaking, zoom has shown off great and remarkably stable/scalable features.
But that is orthogonal to whether they are putting people at risk (e.g. not-so-secret therapy sessions) or lying about their feature set (clearly claiming to have end to end encryption).
I agree that increased scrutiny does not make the problem ok, but does reveal the problems more quickly.
But the only reason those points matter in the "Should I use Zoom?" question is if you're assuming all other products have the same flaws and just haven't been looked at. To which, I'm pretty confident they don't all share these problems, particularly but not limited to the "blatantly lied about the basic security features".
if bloomberg broke this (not sure), they are fully known to monetarily reward market-moving stories. sources easily searchable.
If I were a writer/editor working under this policy, making a big stink about a teleconferencing company enjoying huge growth in the current covid 19 climate would be a no brainer.
Devil's advocate, I guess: 8 times the users, 8 times (at least) the number of people to notice those problems.
Especially when work from home is now at the center of our conversation, and journalistic outlets shift their attention to newly-popular services like Zoom and Houseparty.
Regarding your last example, I'm also continually confused at the claim that Zoom has been lying about end-to-end encryption. I don't see any place where they ever claimed to encrypt anything end-to-end except for chats, and only after enabling the feature:
When I'm in a Zoom meeting, it says that my connection is encrypted (the green E lock thing). It does not say "end-to-end." So I always assumed that just meant that the transport layer is encrypted.
It's not blown out of proportions. If anything the major securities issues went mostly unnoticed in the noise of the media trying to bank some ads revenues.
There were 2 RCE that would have allowed anybody to easily take over any computer using zoom. The first one last year was wormable, triggered by simply visiting a website with no interaction (like a javascript ad).
Other video conference tools don't have these because they didn't try to provide the same features or work around the OS.
Except for Skype, that still has one samba relay attack left like zoom, that went mostly unnoticed. From my research they had the exact same issue but blocked the RCE part in 2018 CVE-2018-8311 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8311
"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."
So were they really sending data to servers in China? From what little I've heard and read about this, that is what stood out to me. Not sure they should ever be trusted again after that.
As I read it they accidentally routed some data to China based servers for a month (Feb 2020) due to a config mess up during their crazy fast scaling period. This is since fixed.
They were making requests to IPs in China long before Feb 2020. At the time I assumed they’d been hacked, but in retrospect it seems like this was just how their organisation is distributed.
Needless to say, I have decided not to endorse their videoconferencing solution.
I'm inclined to believe that for now. Though I fully expect that a bunch of security researchers will be taking a very close look indeed at exactly what data is still going to or through China. I am open to changing my mind upon seeing evidence that, after being informed of the problem and promising to correct it, they failed to resolve the issue and continue to send data to any country it doesn't need to go to.
Serious hypothetical question: suppose you're able to capture all Zoom calls. If you're a foreign government, how do you scale the analysis, and what can you generally do with the information?
It'd be hard to get a useful amount of trade secrets or know-how. You'll see partial schematics and design docs, but without much context. At the executive level, you could at least scale the analysis to have actual people monitoring the calls. You could get broad strategy (e.g. launch a mid-range 5G phone in 2021 Q1) and enough financial information to make some well-informed trades.
The NSA figured this out in the 90s -- you filter based on metadata and then retrieve the corresponding data if necessary. Aside from the fact that this (in the NSA's view) allows them to sidestep the 4th amendment, it's usually much more effective than sifting through billions of records every day. That same system lives on today with XKeyScore (or whatever they've replaced it with in the past 7 years).
There's no reason to think they'd have to wait a year. High value targets, like SpaceX had they not banned the use of Zoom, would obviously receive priority treatment by the Chinese intelligence community. My point here is that the analysis doesn't need to be done in real time, they could store the data and review it a few hours later, or whenever they wanted.
(For that matter, there is certainly a lot of data that would be useful a year later. Some data could be valuable even many years later. Taking SpaceX as an example, it should be obvious that old data could be valuable.)
Zoom's web SDK and web client were down for nearly four days over the weekend with minimal communication, and when they brought it all back they killed a key functionality the education market needs which is the ability to join a meeting without an account: https://devforum.zoom.us/t/in-progress-web-sdk-web-client-fr...
You can still activate this functionality in the settings, it now only deactivated by default due to the public outcry over Zoombombing etc.
Amusing that many of the changes lowered accessibility significantly (e.g. my grandmother wasn't able to join the meeting anymore after passwords became default). I still don't get it. Skype was way worse in my opinion and nobody ever cared about it.
Actually this isn't true anymore, they have since added the _option_ to not require an account when using the web client. The Web SDK still works like before and also doesn't require an account.
But I agree, the way it was handled was harrowing.
Many students aren't old enough to create their own accounts and getting parents to create accounts and provide credentials is a bureaucratic mess for the schools I volunteer with.
The school needs an education account and students should be able to join meetings hosted through a school account:
> Students under the age of 18 should not go to www.zoom.us to create an account because (i) they should only be joining Zoom meeting sessions as participants (not separate account holders) through the School Subscriber’s account and (ii) minors are not permitted to create an account per Zoom’s Terms of Service. The School Subscriber’s account administrator (e.g., teachers) should securely and confidentially provide meeting information and meeting passwords to the student users to ensure the school can maintain supervision and control over its student users’ meeting experiences. If students have already signed up for individual accounts, Zoom can assist schools in fixing this.
The school should contact their account rep about this. I bet they can fix it quickly.
Can you blame them? Most users and purchasers (at a lot of companies the people making purchase decisions aren't actually the users) don't really understand or care about how long real engineering takes. As long as they made a decision to pick a vendor based based on the principles of Cover Your Ass it's all that matters.
It's another primary reason why so many "enterprise" companies purchase Redhat over running CentOS.
Probably someone internally emailed Alex's Stanford profile to their blog content writer - the sender had email tracking enabled and the writer blindly copied the link.
and this is why product over security always wins.
there's mob mentality right now, but zoom got a TON of customers, and now is gonna have proof of end-to-end encryption in a couple of months.
boom.
zoom wins.
honestly just don't talk on zoom about something highly secretive such as ... idk... something a government is interested in as that isn't currently secure, other than that, don't sweat it.
They are very unlikely to have end-to-end security in a couple of months, for the same reason few (if any) of their competitors have it: it is really bandwidth intensive to send full-resolution video of every participant to every other participant. So everyone sends low-res for most participants, and at most one high-resolution stream. To do this you have to be able to make low-resolution streams out of the high-resolution one people are sending you (to pass along to others). That means you have to terminate encryption on the server side. Once you have done that you are no longer "end-to-end". This is just the state of things.
This is a valid tradeoff for most things, but the real problem here is that Zoom claimed (and continues to claim) "end-to-end encryption", while not providing it. That is a lie, and people naturally wonder what else you are lying about.
You can also send two streams (high and low quality) from each client and make other clients request the right one from the server. Yes, it's slightly more bandwidth than before and now complexity. No, it doesn't require full mesh of connections to be E2E.
And don't install the Zoom app on a computer where you store secretive data, such as medical information, private keys, passwords, credit card data or anything that you don't want the government or cyber-criminals to know.
There is some evidence that they have a form of useless end to end encryption now. Since hardly anyone knows what the prerequisites are for useful e2ee they can probably make the announcement whenever they want.
The very large company I work for banned all video conference software except for what is provided by the company. I don't think it is just about security, but make everyone use the same system(s) because it just got too confusing to communicate with other divisions or even departments. You can search for people in other divisions and then video chat with them if you want, or just plain old school voice chat.
Luckily, the software we are required use works pretty well on iOS, Android, OSX and Windows.
No one I know has had it happen yet at their places of work, but I saw a lot of discussion about New York City schools issuing a ban earlier this week [1].
They’re in the same bed as China. I don’t trust them for anything now, this to me is just a PR management exercise. They’re still going to give away your data
Would you please stop posting unsubstantive and/or flamebait comments to HN? We're hoping for a better quality of discussion than this, and (especially) than what it leads to. Case in point: see below.
There are valid criticism to be discussed about China's actions and how much Zoom should be trusted given its close relation.
There's been many criticism of the US government here and I never see anything flagged or removed, I would consider that nationalistic and provocative under the same guidelines. I just don't see why the China discussions are removed.
> There are valid criticism to be discussed about China's actions and how much Zoom should be trusted given its close relation
Yes, and that's why comments about it should be thoughtful and substantive—not drive-by flamebait leading to useless flamewars about NATO and Winnie the Pooh.
> There's been many criticism of the US government here and I never see anything flagged or removed
That happens often. If you never see it, that's because of a cognitive bias: we notice and weight more strongly—that is, we see—what we dislike. https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que.... People on the opposite side of this question have exactly the opposite complaint.
Zoom won the proverbial lottery with this pandemic and lost their ticket through greed/laziness. Great companies are always prepared when their big break comes. Zoom is not a great company.
You don't have to be a great company to win in the market. I'd bet that zoom still maintains dominance and manages to con people into believing that they're super secure now guys.
I can't quite figure out what's going on with this thread. It seems to have an eerie amount of posts about support for Zoom, perhaps by paid trolls ("wumaos")?
Please don't break the site guidelines by posting insinuations of astroturfing. Overwhelmingly, such perceptions are simply in the eye of the beholder. I say that based on many years of looking at that data, and you can find more explanations here than anyone would ever want to read: https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme....
If you're worried about this kind of thing, follow the site guidelines and email hn@ycombinator.com so we can look into it. (We always do.) In this case, though, the simplest explanation seems adequate: the community is divided. When there's a popular divisive topic, people who feel strongly for side A always feel like the amount of support for opposing side B is 'eerie', because it's hard to imagine how it could possibly be in good faith. Of course B feels the same way about A.
Edit: oh dear. It seems like you've been using HN mostly for nationalistic battle lately. We ban accounts that do that, so please stop. It's emphatically not what this site is for, regardless of which nations are at issue.
I can only assume CISO is Chief Information Security Officer? I hadn't seen the acronym before. Bad Zoom for not writing it out in full on the first instance.
"CISO" is a pretty standard acronym. People who don't work in cybersecurity or who don't have that background might not recognize it, but it seems like a minor detail.
Sure, it's a minor detail. And yes, you can say the audience for this post are people who work in cybersecurity. But it costs nothing to introduce the acronym, as is usually recommended. Without it you are alienating anyone who doesn't know the term.
Zoom could be a victim of the internet mob justice, where every inevitable misstep is blown out of proportion. Perhaps the mob is helped along by some competing interests. Or Zoom could be yet another tech company with dubious ethics (like U: or F). I doubt they are outright a PLA branch, that would be far too obvious.
This isn't just idle musings - I love how Zoom allows me to share screen/whiteboard, and see people's faces at the same time. It works really well for remote dev collaboration, in some ways better than physical presence. And yet the question of safety remains.
Should I go and research WebEx?