Zoom’s 90-day plan to bolster key privacy and security initiatives (opens in new tab)

(blog.zoom.us)

114 pointskarambir5y ago98 comments

98 comments

I'm still not sure what to think of the whole debacle.

Zoom could be a victim of the internet mob justice, where every inevitable misstep is blown out of proportion. Perhaps the mob is helped along by some competing interests. Or Zoom could be yet another tech company with dubious ethics (like U: or F). I doubt they are outright a PLA branch, that would be far too obvious.

This isn't just idle musings - I love how Zoom allows me to share screen/whiteboard, and see people's faces at the same time. It works really well for remote dev collaboration, in some ways better than physical presence. And yet the question of safety remains.

Should I go and research WebEx?

lacker5y ago

Occam’s Razor. Zoom usage went up by 8x in a few months. Usually doubling in two years is great for a public company. So that’s 6 years of great growth, compressed into a few months. It shouldn’t be surprising to see six years of security problems also compressed into those three months.

I think Zoom is on track to fix these problems quickly and cement their spot as the best solution for videoconferencing.

ergothus5y ago

Zoom had the same security issues with half the traffic. Acting like usage causes them is disingenuous.

Technically speaking, zoom has shown off great and remarkably stable/scalable features.

But that is orthogonal to whether they are putting people at risk (e.g. not-so-secret therapy sessions) or lying about their feature set (clearly claiming to have end to end encryption).

2 more replies

user59944615y ago

It's not blown out of proportions. If anything the major securities issues went mostly unnoticed in the noise of the media trying to bank some ads revenues.

There were 2 RCE that would have allowed anybody to easily take over any computer using zoom. The first one last year was wormable, triggered by simply visiting a website with no interaction (like a javascript ad).

Other video conference tools don't have these because they didn't try to provide the same features or work around the OS.

Except for Skype, that still has one samba relay attack left like zoom, that went mostly unnoticed. From my research they had the exact same issue but blocked the RCE part in 2018 CVE-2018-8311 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8311

NegativeLatency5y ago

Sketchy package installer to boot https://macpkghallofshame.tumblr.com/post/138612887932/indis...

ggggtez5y ago

>dubious ethics

Yeah, I think datamining to steal and sell your LinkedIn account counts as dubious ethics. Or claiming to have E2E but actually they don't.

There is a good share of incompetence as well, like the CSP issues.

brobinson5y ago

Using AES in ECB mode and doing key exchange on servers in the PRC are not simply "missteps".

anoraca5y ago

"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

k33n5y ago

So were they really sending data to servers in China? From what little I've heard and read about this, that is what stood out to me. Not sure they should ever be trusted again after that.

pwarner5y ago

I think this is the Zoom response to that one: https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...

As I read it they accidentally routed some data to China based servers for a month (Feb 2020) due to a config mess up during their crazy fast scaling period. This is since fixed.

hyko5y ago

They were making requests to IPs in China long before Feb 2020. At the time I assumed they’d been hacked, but in retrospect it seems like this was just how their organisation is distributed.

Needless to say, I have decided not to endorse their videoconferencing solution.

1 more reply

ufmace5y ago

I'm inclined to believe that for now. Though I fully expect that a bunch of security researchers will be taking a very close look indeed at exactly what data is still going to or through China. I am open to changing my mind upon seeing evidence that, after being informed of the problem and promising to correct it, they failed to resolve the issue and continue to send data to any country it doesn't need to go to.

dehrmann5y ago

Serious hypothetical question: suppose you're able to capture all Zoom calls. If you're a foreign government, how do you scale the analysis, and what can you generally do with the information?

It'd be hard to get a useful amount of trade secrets or know-how. You'll see partial schematics and design docs, but without much context. At the executive level, you could at least scale the analysis to have actual people monitoring the calls. You could get broad strategy (e.g. launch a mid-range 5G phone in 2021 Q1) and enough financial information to make some well-informed trades.

cyphar5y ago

The NSA figured this out in the 90s -- you filter based on metadata and then retrieve the corresponding data if necessary. Aside from the fact that this (in the NSA's view) allows them to sidestep the 4th amendment, it's usually much more effective than sifting through billions of records every day. That same system lives on today with XKeyScore (or whatever they've replaced it with in the past 7 years).

catalogia5y ago

Hard drives are pretty cheap, particularly for a government. Store it all now, target your analysis narrowly later at your leisure.

2 more replies

makerofspoons5y ago

Zoom's web SDK and web client were down for nearly four days over the weekend with minimal communication, and when they brought it all back they killed a key functionality the education market needs which is the ability to join a meeting without an account: https://devforum.zoom.us/t/in-progress-web-sdk-web-client-fr...

jpdus5y ago

You can still activate this functionality in the settings, it now only deactivated by default due to the public outcry over Zoombombing etc.

Amusing that many of the changes lowered accessibility significantly (e.g. my grandmother wasn't able to join the meeting anymore after passwords became default). I still don't get it. Skype was way worse in my opinion and nobody ever cared about it.

flippyhead5y ago

Actually this isn't true anymore, they have since added the _option_ to not require an account when using the web client. The Web SDK still works like before and also doesn't require an account.

But I agree, the way it was handled was harrowing.

makerofspoons5y ago

Thanks! I fell out of the loop with this.

jedieaston5y ago

Shouldn’t schools be using SSO with Zoom Education, or does that cost money?

kyawzazaw5y ago

I believe that costs money. But quite cheap actually.

My college (~2200 students + a couple hundred faculty/staff) pays $18k/yr for Zoom Enterprise. Good value, I'd say.

criddell5y ago

Why is the need for an account a showstopper?

makerofspoons5y ago

Many students aren't old enough to create their own accounts and getting parents to create accounts and provide credentials is a bureaucratic mess for the schools I volunteer with.

1 more reply

londons_explore5y ago

"90 day plans" tend to be management & PR things... Real engineering is more of a "it takes as long as the job takes"...

wuunderbar5y ago

Can you blame them? Most users and purchasers (at a lot of companies the people making purchase decisions aren't actually the users) don't really understand or care about how long real engineering takes. As long as they made a decision to pick a vendor based based on the principles of Cover Your Ass it's all that matters.

It's another primary reason why so many "enterprise" companies purchase Redhat over running CentOS.

tommoor5y ago

Yep, entire post is pure marketing signaling and nothing in the way of details.

DevX1015y ago

Eric Yuan is the real deal. He's an engineer and is taking this seriously. This isn't marketing spin.

TheChaplain5y ago

uh, is that an outlook-email link with someone's username in? The one linking to Alex.

technicaldonut5y ago

Yup. Looks to be their email address. Email is from PR firm Sard Verbinnen & Co.

basch5y ago

Safelinks have the email address of the recipient of a link.

cobookman5y ago

To be fair, Alex's public profile includes a link to his email: https://cisac.fsi.stanford.edu/people/alex-stamos-0

arkadiyt5y ago

Probably someone internally emailed Alex's Stanford profile to their blog content writer - the sender had email tracking enabled and the writer blindly copied the link.

Justsignedup5y ago

and this is why product over security always wins.

there's mob mentality right now, but zoom got a TON of customers, and now is gonna have proof of end-to-end encryption in a couple of months.

boom.

zoom wins.

honestly just don't talk on zoom about something highly secretive such as ... idk... something a government is interested in as that isn't currently secure, other than that, don't sweat it.

larkost5y ago

They are very unlikely to have end-to-end security in a couple of months, for the same reason few (if any) of their competitors have it: it is really bandwidth intensive to send full-resolution video of every participant to every other participant. So everyone sends low-res for most participants, and at most one high-resolution stream. To do this you have to be able to make low-resolution streams out of the high-resolution one people are sending you (to pass along to others). That means you have to terminate encryption on the server side. Once you have done that you are no longer "end-to-end". This is just the state of things.

This is a valid tradeoff for most things, but the real problem here is that Zoom claimed (and continues to claim) "end-to-end encryption", while not providing it. That is a lie, and people naturally wonder what else you are lying about.

viraptor5y ago

You can also send two streams (high and low quality) from each client and make other clients request the right one from the server. Yes, it's slightly more bandwidth than before and now complexity. No, it doesn't require full mesh of connections to be E2E.

sandov5y ago

And don't install the Zoom app on a computer where you store secretive data, such as medical information, private keys, passwords, credit card data or anything that you don't want the government or cyber-criminals to know.

Doesn't sound as easy now.

upofadown5y ago

There is some evidence that they have a form of useless end to end encryption now. Since hardly anyone knows what the prerequisites are for useful e2ee they can probably make the announcement whenever they want.

tmaly5y ago

My company banned the use of Zoom on company computers or computer connecting to the company network.

Has anyone else had this happen to them?

mullen5y ago

The very large company I work for banned all video conference software except for what is provided by the company. I don't think it is just about security, but make everyone use the same system(s) because it just got too confusing to communicate with other divisions or even departments. You can search for people in other divisions and then video chat with them if you want, or just plain old school voice chat.

Luckily, the software we are required use works pretty well on iOS, Android, OSX and Windows.

ssully5y ago

No one I know has had it happen yet at their places of work, but I saw a lot of discussion about New York City schools issuing a ban earlier this week [1].

[1]: https://www.businessinsider.com/new-york-city-schools-bannin...

downerending5y ago

Supposedly Google just did.

diebeforei4855y ago

Mac App Store version when?

ken5y ago

Or even a non-MAS app that's sandboxed, if it's going to be free anyway and they prefer to manage their own release schedule.

adultSwim5y ago

I wonder if Google and Apple were directly involved in the campaign against Zoom.

throwaway153925y ago

They’re in the same bed as China. I don’t trust them for anything now, this to me is just a PR management exercise. They’re still going to give away your data

dang5y ago

Would you please stop posting unsubstantive and/or flamebait comments to HN? We're hoping for a better quality of discussion than this, and (especially) than what it leads to. Case in point: see below.

https://news.ycombinator.com/newsguidelines.html

s_y_n_t_a_x5y ago

I believe the GP was referencing Zoom's encryption going through China's servers, which was on HN's recently: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

There are valid criticism to be discussed about China's actions and how much Zoom should be trusted given its close relation.

There's been many criticism of the US government here and I never see anything flagged or removed, I would consider that nationalistic and provocative under the same guidelines. I just don't see why the China discussions are removed.

1 more reply

jimbob455y ago

Zoom won the proverbial lottery with this pandemic and lost their ticket through greed/laziness. Great companies are always prepared when their big break comes. Zoom is not a great company.

tcoff915y ago

You don't have to be a great company to win in the market. I'd bet that zoom still maintains dominance and manages to con people into believing that they're super secure now guys.

blast5y ago

It looks to me like they've still won the lottery.

teknologist5y ago

I can't quite figure out what's going on with this thread. It seems to have an eerie amount of posts about support for Zoom, perhaps by paid trolls ("wumaos")?

dang5y ago

Please don't break the site guidelines by posting insinuations of astroturfing. Overwhelmingly, such perceptions are simply in the eye of the beholder. I say that based on many years of looking at that data, and you can find more explanations here than anyone would ever want to read: https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme....

https://news.ycombinator.com/newsguidelines.html

If you're worried about this kind of thing, follow the site guidelines and email hn@ycombinator.com so we can look into it. (We always do.) In this case, though, the simplest explanation seems adequate: the community is divided. When there's a popular divisive topic, people who feel strongly for side A always feel like the amount of support for opposing side B is 'eerie', because it's hard to imagine how it could possibly be in good faith. Of course B feels the same way about A.

Edit: oh dear. It seems like you've been using HN mostly for nationalistic battle lately. We ban accounts that do that, so please stop. It's emphatically not what this site is for, regardless of which nations are at issue.

yalooze5y ago

I can only assume CISO is Chief Information Security Officer? I hadn't seen the acronym before. Bad Zoom for not writing it out in full on the first instance.

downerending5y ago

I only first encountered it a year or two ago. It's pretty difficult to keep up with management/marketing buzzwords.

In any case, anyone at the 'C' level almost by definition knows little or nothing about actual computer security.

munchbunny5y ago

"CISO" is a pretty standard acronym. People who don't work in cybersecurity or who don't have that background might not recognize it, but it seems like a minor detail.

yalooze5y ago

Sure, it's a minor detail. And yes, you can say the audience for this post are people who work in cybersecurity. But it costs nothing to introduce the acronym, as is usually recommended. Without it you are alienating anyone who doesn't know the term.

1 more reply

j / k navigate · click thread line to collapse

98 comments

DenisM5y ago

I'm still not sure what to think of the whole debacle.

Should I go and research WebEx?

lacker5y ago

I think Zoom is on track to fix these problems quickly and cement their spot as the best solution for videoconferencing.

ergothus5y ago

Zoom had the same security issues with half the traffic. Acting like usage causes them is disingenuous.

Technically speaking, zoom has shown off great and remarkably stable/scalable features.

But that is orthogonal to whether they are putting people at risk (e.g. not-so-secret therapy sessions) or lying about their feature set (clearly claiming to have end to end encryption).

2 more replies

user59944615y ago

It's not blown out of proportions. If anything the major securities issues went mostly unnoticed in the noise of the media trying to bank some ads revenues.

Other video conference tools don't have these because they didn't try to provide the same features or work around the OS.

NegativeLatency5y ago

Sketchy package installer to boot https://macpkghallofshame.tumblr.com/post/138612887932/indis...

ggggtez5y ago

>dubious ethics

Yeah, I think datamining to steal and sell your LinkedIn account counts as dubious ethics. Or claiming to have E2E but actually they don't.

There is a good share of incompetence as well, like the CSP issues.

brobinson5y ago

Using AES in ECB mode and doing key exchange on servers in the PRC are not simply "missteps".

anoraca5y ago

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

k33n5y ago

So were they really sending data to servers in China? From what little I've heard and read about this, that is what stood out to me. Not sure they should ever be trusted again after that.

pwarner5y ago

I think this is the Zoom response to that one: https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...

As I read it they accidentally routed some data to China based servers for a month (Feb 2020) due to a config mess up during their crazy fast scaling period. This is since fixed.

hyko5y ago

They were making requests to IPs in China long before Feb 2020. At the time I assumed they’d been hacked, but in retrospect it seems like this was just how their organisation is distributed.

Needless to say, I have decided not to endorse their videoconferencing solution.

1 more reply

ufmace5y ago

dehrmann5y ago

Serious hypothetical question: suppose you're able to capture all Zoom calls. If you're a foreign government, how do you scale the analysis, and what can you generally do with the information?

cyphar5y ago

catalogia5y ago

Hard drives are pretty cheap, particularly for a government. Store it all now, target your analysis narrowly later at your leisure.

2 more replies

makerofspoons5y ago

jpdus5y ago

You can still activate this functionality in the settings, it now only deactivated by default due to the public outcry over Zoombombing etc.

flippyhead5y ago

Actually this isn't true anymore, they have since added the _option_ to not require an account when using the web client. The Web SDK still works like before and also doesn't require an account.

But I agree, the way it was handled was harrowing.

makerofspoons5y ago

Thanks! I fell out of the loop with this.

jedieaston5y ago

Shouldn’t schools be using SSO with Zoom Education, or does that cost money?

kyawzazaw5y ago

I believe that costs money. But quite cheap actually.

My college (~2200 students + a couple hundred faculty/staff) pays $18k/yr for Zoom Enterprise. Good value, I'd say.

criddell5y ago

Why is the need for an account a showstopper?

makerofspoons5y ago

Many students aren't old enough to create their own accounts and getting parents to create accounts and provide credentials is a bureaucratic mess for the schools I volunteer with.

1 more reply

londons_explore5y ago

"90 day plans" tend to be management & PR things... Real engineering is more of a "it takes as long as the job takes"...

wuunderbar5y ago

It's another primary reason why so many "enterprise" companies purchase Redhat over running CentOS.

tommoor5y ago

Yep, entire post is pure marketing signaling and nothing in the way of details.

DevX1015y ago

Eric Yuan is the real deal. He's an engineer and is taking this seriously. This isn't marketing spin.

TheChaplain5y ago

uh, is that an outlook-email link with someone's username in? The one linking to Alex.

technicaldonut5y ago

Yup. Looks to be their email address. Email is from PR firm Sard Verbinnen & Co.

basch5y ago

Safelinks have the email address of the recipient of a link.

cobookman5y ago

To be fair, Alex's public profile includes a link to his email: https://cisac.fsi.stanford.edu/people/alex-stamos-0

arkadiyt5y ago

Probably someone internally emailed Alex's Stanford profile to their blog content writer - the sender had email tracking enabled and the writer blindly copied the link.

Justsignedup5y ago

and this is why product over security always wins.

there's mob mentality right now, but zoom got a TON of customers, and now is gonna have proof of end-to-end encryption in a couple of months.

boom.

zoom wins.

honestly just don't talk on zoom about something highly secretive such as ... idk... something a government is interested in as that isn't currently secure, other than that, don't sweat it.

larkost5y ago

viraptor5y ago

sandov5y ago

Doesn't sound as easy now.

upofadown5y ago

tmaly5y ago

My company banned the use of Zoom on company computers or computer connecting to the company network.

Has anyone else had this happen to them?

mullen5y ago

Luckily, the software we are required use works pretty well on iOS, Android, OSX and Windows.

ssully5y ago

No one I know has had it happen yet at their places of work, but I saw a lot of discussion about New York City schools issuing a ban earlier this week [1].

[1]: https://www.businessinsider.com/new-york-city-schools-bannin...

downerending5y ago

Supposedly Google just did.

diebeforei4855y ago

Mac App Store version when?

ken5y ago

Or even a non-MAS app that's sandboxed, if it's going to be free anyway and they prefer to manage their own release schedule.

adultSwim5y ago

I wonder if Google and Apple were directly involved in the campaign against Zoom.

throwaway153925y ago

They’re in the same bed as China. I don’t trust them for anything now, this to me is just a PR management exercise. They’re still going to give away your data

dang5y ago

https://news.ycombinator.com/newsguidelines.html

s_y_n_t_a_x5y ago

I believe the GP was referencing Zoom's encryption going through China's servers, which was on HN's recently: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

There are valid criticism to be discussed about China's actions and how much Zoom should be trusted given its close relation.

1 more reply

jimbob455y ago

Zoom won the proverbial lottery with this pandemic and lost their ticket through greed/laziness. Great companies are always prepared when their big break comes. Zoom is not a great company.

tcoff915y ago

You don't have to be a great company to win in the market. I'd bet that zoom still maintains dominance and manages to con people into believing that they're super secure now guys.

blast5y ago

It looks to me like they've still won the lottery.

teknologist5y ago

I can't quite figure out what's going on with this thread. It seems to have an eerie amount of posts about support for Zoom, perhaps by paid trolls ("wumaos")?

dang5y ago

https://news.ycombinator.com/newsguidelines.html

yalooze5y ago

I can only assume CISO is Chief Information Security Officer? I hadn't seen the acronym before. Bad Zoom for not writing it out in full on the first instance.

downerending5y ago

I only first encountered it a year or two ago. It's pretty difficult to keep up with management/marketing buzzwords.

In any case, anyone at the 'C' level almost by definition knows little or nothing about actual computer security.

munchbunny5y ago

"CISO" is a pretty standard acronym. People who don't work in cybersecurity or who don't have that background might not recognize it, but it seems like a minor detail.

yalooze5y ago

1 more reply

j / k navigate · click thread line to collapse