Zoom’s 90-day plan to bolster key privacy and security initiatives (zoom.us)
114 points by karambir on April 8, 2020 | hide | past | favorite | 98 comments


I'm still not sure what to think of the whole debacle.

Zoom could be a victim of the internet mob justice, where every inevitable misstep is blown out of proportion. Perhaps the mob is helped along by some competing interests. Or Zoom could be yet another tech company with dubious ethics (like U: or F). I doubt they are outright a PLA branch, that would be far too obvious.

These aren't just idle musings - I love how Zoom allows me to share screen/whiteboard, and see people's faces at the same time. It works really well for remote dev collaboration, in some ways better than physical presence. And yet the question of safety remains.

Should I go and research WebEx?


Occam’s Razor. Zoom usage went up by 8x in a few months. Usually doubling in two years is great for a public company. So that’s 6 years of great growth, compressed into a few months. It shouldn’t be surprising to see six years of security problems also compressed into those three months.

I think Zoom is on track to fix these problems quickly and cement their spot as the best solution for videoconferencing.


Zoom had the same security issues with half the traffic. Acting like usage causes them is disingenuous.

Technically speaking, Zoom has shown off great and remarkably stable/scalable features.

But that is orthogonal to whether they are putting people at risk (e.g. not-so-secret therapy sessions) or lying about their feature set (clearly claiming to have end to end encryption).


That's a straw man. GP argues that Zoom's increased popularity implies increased public scrutiny. Not that the problems are OK.

There's lots and lots of insecure software that Bloomberg doesn't write about. People click on articles about software they use.


I'm not following your argument.

I agree that increased scrutiny does not make the problem ok, but does reveal the problems more quickly.

But the only reason those points matter in the "Should I use Zoom?" question is if you're assuming all other products have the same flaws and just haven't been looked at. To which, I'm pretty confident they don't all share these problems, particularly but not limited to the "blatantly lied about the basic security features".


> To which, I'm pretty confident [other products] don't all share these problems

I am not confident of this.

I would assume that anything that isn't actively being sold into the large enterprise market has Zoom-level problems, or worse.


If Bloomberg broke this (not sure), they are fully known to monetarily reward market-moving stories. Sources easily searchable.

If I were a writer/editor working under this policy, making a big stink about a teleconferencing company enjoying huge growth in the current covid 19 climate would be a no brainer.


Devil's advocate, I guess: 8 times the users, 8 times (at least) the number of people to notice those problems.

Especially when work from home is now at the center of our conversation, and journalistic outlets shift their attention to newly-popular services like Zoom and Houseparty.

Regarding your last example, I'm also continually confused at the claim that Zoom has been lying about end-to-end encryption. I don't see any place where they ever claimed to encrypt anything end-to-end except for chats, and only after enabling the feature:

https://support.zoom.us/hc/en-us/articles/207599823-End-To-E...

https://support.zoom.us/hc/en-us/articles/201362723-Encrypti...

When I'm in a Zoom meeting, it says that my connection is encrypted (the green E lock thing). It does not say "end-to-end." So I always assumed that just meant that the transport layer is encrypted.


They removed the e2e claim after criticism.


It's not blown out of proportion. If anything the major security issues went mostly unnoticed in the noise of the media trying to bank some ad revenue.

There were 2 RCEs that would have allowed anybody to easily take over any computer using Zoom. The first one last year was wormable, triggered by simply visiting a website with no interaction (like a JavaScript ad).

Other video conference tools don't have these because they didn't try to provide the same features or work around the OS.

Except for Skype, which still has one samba relay attack left like Zoom, that went mostly unnoticed. From my research they had the exact same issue but blocked the RCE part in 2018 (CVE-2018-8311): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8311



>dubious ethics

Yeah, I think datamining to steal and sell your LinkedIn account counts as dubious ethics. Or claiming to have E2E but actually they don't.

There is a good share of incompetence as well, like the CSP issues.


Using AES in ECB mode and doing key exchange on servers in the PRC are not simply "missteps".
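To make the ECB point concrete, here is an added example (not Zoom's code and not from the Citizen Lab report) showing why ECB leaks structure and how a defender can flag it in captured packets. It assumes a keyed PRF (HMAC-SHA256 truncated to 16 bytes) as a stand-in for the AES block function, a constructed "frame" with a flat colour region, and constructed key/nonce values.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 16-byte block cipher: HMAC-SHA256 truncated to one block.
    Assumption: a keyed PRF is enough to show the mode properties; it is not AES."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    always produce equal ciphertext blocks (the weakness under discussion)."""
    padded = pkcs7_pad(plaintext)
    return b"".join(block_cipher(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR: the cipher encrypts nonce||counter to make a keystream, so equal
    plaintext blocks give unrelated ciphertext blocks. The nonce must never
    repeat under one key. Decryption is the same operation. Real deployments
    should use an AEAD such as AES-GCM, which adds integrity on top of this."""
    assert len(nonce) == 12
    out = bytearray()
    for counter, i in enumerate(range(0, len(plaintext), BLOCK)):
        keystream = block_cipher(key, nonce + counter.to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], keystream))
    return bytes(out)


def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte blocks that duplicate an earlier block."""
    usable = len(ciphertext) - len(ciphertext) % BLOCK
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    duplicates = sum(c - 1 for c in Counter(blocks).values())
    return duplicates / len(blocks)


def looks_like_ecb(ciphertext: bytes, threshold: float = 0.1) -> bool:
    """Detection heuristic for captured media: properly randomised ciphertext
    essentially never repeats whole blocks, ECB over redundant data does."""
    return repeated_block_ratio(ciphertext) >= threshold


# Constructed sample: a screen-share frame dominated by one flat colour with a
# short distinctive block in the middle, plus a fixed demo key and nonce.
FRAME = bytes([0x80]) * 512 + b"ZOOM-DEMO-FRAME " + bytes([0x80]) * 512
KEY = bytes(range(16))
NONCE = b"\x00" * 12


def demo() -> dict:
    ecb = ecb_encrypt(KEY, FRAME)
    ctr = ctr_encrypt(KEY, NONCE, FRAME)
    return {
        "ecb_ratio": repeated_block_ratio(ecb),     # ~0.95: the flat region shows through
        "ctr_ratio": repeated_block_ratio(ctr),     # 0.0
        "ecb_flagged": looks_like_ecb(ecb),
        "ctr_flagged": looks_like_ecb(ctr),
        "ctr_roundtrip": ctr_encrypt(KEY, NONCE, ctr) == FRAME,
    }


if __name__ == "__main__":
    print(demo())
```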


"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...


So were they really sending data to servers in China? From what little I've heard and read about this, that is what stood out to me. Not sure they should ever be trusted again after that.


I think this is the Zoom response to that one: https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...

As I read it they accidentally routed some data to China based servers for a month (Feb 2020) due to a config mess up during their crazy fast scaling period. This is since fixed.


They were making requests to IPs in China long before Feb 2020. At the time I assumed they’d been hacked, but in retrospect it seems like this was just how their organisation is distributed.

Needless to say, I have decided not to endorse their videoconferencing solution.


Do you have evidence of this?


I'm inclined to believe that for now. Though I fully expect that a bunch of security researchers will be taking a very close look indeed at exactly what data is still going to or through China. I am open to changing my mind upon seeing evidence that, after being informed of the problem and promising to correct it, they failed to resolve the issue and continue to send data to any country it doesn't need to go to.


Serious hypothetical question: suppose you're able to capture all Zoom calls. If you're a foreign government, how do you scale the analysis, and what can you generally do with the information?

It'd be hard to get a useful amount of trade secrets or know-how. You'll see partial schematics and design docs, but without much context. At the executive level, you could at least scale the analysis to have actual people monitoring the calls. You could get broad strategy (e.g. launch a mid-range 5G phone in 2021 Q1) and enough financial information to make some well-informed trades.


The NSA figured this out in the 90s -- you filter based on metadata and then retrieve the corresponding data if necessary. Aside from the fact that this (in the NSA's view) allows them to sidestep the 4th amendment, it's usually much more effective than sifting through billions of records every day. That same system lives on today with XKeyScore (or whatever they've replaced it with in the past 7 years).


Hard drives are pretty cheap, particularly for a government. Store it all now, target your analysis narrowly later at your leisure.


Do you know how much data that would have to be? Scaling that seems improbable.


The NSA has built a data center in Utah specifically for this problem[1], so it's hardly beyond the realm of plausibility.

[1]: https://en.wikipedia.org/wiki/Utah_Data_Center


Year-old data isn't worth very much.


There's no reason to think they'd have to wait a year. High value targets, like SpaceX had they not banned the use of Zoom, would obviously receive priority treatment by the Chinese intelligence community. My point here is that the analysis doesn't need to be done in real time, they could store the data and review it a few hours later, or whenever they wanted.

(For that matter, there is certainly a lot of data that would be useful a year later. Some data could be valuable even many years later. Taking SpaceX as an example, it should be obvious that old data could be valuable.)


Zoom's web SDK and web client were down for nearly four days over the weekend with minimal communication, and when they brought it all back they killed a key functionality the education market needs which is the ability to join a meeting without an account: https://devforum.zoom.us/t/in-progress-web-sdk-web-client-fr...


You can still activate this functionality in the settings; it is now only deactivated by default due to the public outcry over Zoombombing etc.

Amusing that many of the changes lowered accessibility significantly (e.g. my grandmother wasn't able to join the meeting anymore after passwords became default). I still don't get it. Skype was way worse in my opinion and nobody ever cared about it.


Actually this isn't true anymore, they have since added the _option_ to not require an account when using the web client. The Web SDK still works like before and also doesn't require an account.

But I agree, the way it was handled was harrowing.


Thanks! I fell out of the loop with this.


Shouldn’t schools be using SSO with Zoom Education, or does that cost money?


I believe that costs money. But quite cheap actually.

My college (~2200 students + a couple hundred faculty/staff) pays $18k/yr for Zoom Enterprise. Good value, I'd say.


Why is the need for an account a showstopper?


Many students aren't old enough to create their own accounts and getting parents to create accounts and provide credentials is a bureaucratic mess for the schools I volunteer with.


The school needs an education account and students should be able to join meetings hosted through a school account:

> Students under the age of 18 should not go to www.zoom.us to create an account because (i) they should only be joining Zoom meeting sessions as participants (not separate account holders) through the School Subscriber’s account and (ii) minors are not permitted to create an account per Zoom’s Terms of Service. The School Subscriber’s account administrator (e.g., teachers) should securely and confidentially provide meeting information and meeting passwords to the student users to ensure the school can maintain supervision and control over its student users’ meeting experiences. If students have already signed up for individual accounts, Zoom can assist schools in fixing this.

The school should contact their account rep about this. I bet they can fix it quickly.


"90 day plans" tend to be management & PR things... Real engineering is more of a "it takes as long as the job takes"...


Can you blame them? Most users and purchasers (at a lot of companies the people making purchase decisions aren't actually the users) don't really understand or care about how long real engineering takes. As long as they made a decision to pick a vendor based on the principles of Cover Your Ass it's all that matters.

It's another primary reason why so many "enterprise" companies purchase Red Hat over running CentOS.


Yep, entire post is pure marketing signaling and nothing in the way of details.


Eric Yuan is the real deal. He's an engineer and is taking this seriously. This isn't marketing spin.


Uh, is that an Outlook email link with someone's username in? The one linking to Alex.


Yup. Looks to be their email address. Email is from PR firm Sard Verbinnen & Co.


Safelinks have the email address of the recipient of a link.


To be fair, Alex's public profile includes a link to his email: https://cisac.fsi.stanford.edu/people/alex-stamos-0


Probably someone internally emailed Alex's Stanford profile to their blog content writer - the sender had email tracking enabled and the writer blindly copied the link.


and this is why product over security always wins.

there's mob mentality right now, but zoom got a TON of customers, and now is gonna have proof of end-to-end encryption in a couple of months.

boom.

zoom wins.

honestly just don't talk on zoom about something highly secretive such as ... idk... something a government is interested in as that isn't currently secure, other than that, don't sweat it.


They are very unlikely to have end-to-end security in a couple of months, for the same reason few (if any) of their competitors have it: it is really bandwidth intensive to send full-resolution video of every participant to every other participant. So everyone sends low-res for most participants, and at most one high-resolution stream. To do this you have to be able to make low-resolution streams out of the high-resolution one people are sending you (to pass along to others). That means you have to terminate encryption on the server side. Once you have done that you are no longer "end-to-end". This is just the state of things.

This is a valid tradeoff for most things, but the real problem here is that Zoom claimed (and continues to claim) "end-to-end encryption", while not providing it. That is a lie, and people naturally wonder what else you are lying about.


You can also send two streams (high and low quality) from each client and make other clients request the right one from the server. Yes, it's slightly more bandwidth than before and more complexity. No, it doesn't require a full mesh of connections to be E2E.
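The two designs argued about in the parent comment and this reply, as an added example (a constructed model, not Zoom's protocol or code): a server that transcodes must hold the meeting key, while a forwarder that selects one of two client-encrypted layers never needs it. Bitrates, the toy SHA-256 keystream cipher, and the participant names are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Assumed per-stream bitrates for the model (kbit/s), not measured values.
HIGH_KBPS = 1500
LOW_KBPS = 150


def stream_xor(key: bytes, stream_id: str, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream), a stand-in for real media
    encryption. Only one property matters here: no key, no plaintext."""
    keystream, counter = b"", 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + stream_id.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, keystream))


def downscale(frame: bytes) -> bytes:
    """Stand-in for re-encoding a frame at lower resolution."""
    return frame[::10]


@dataclass
class Packet:
    sender: str
    layer: str    # "high" or "low": plaintext routing metadata the server may read
    body: bytes   # encrypted media


class Participant:
    def __init__(self, name: str, meeting_key: bytes):
        self.name, self.key = name, meeting_key

    def send(self, frame: bytes, simulcast: bool) -> list:
        """Simulcast: encrypt a high and a low layer separately so a forwarder
        can pick one without decrypting. Otherwise send only the high layer."""
        pkts = [Packet(self.name, "high", stream_xor(self.key, f"{self.name}/high", frame))]
        if simulcast:
            pkts.append(Packet(self.name, "low", stream_xor(self.key, f"{self.name}/low", downscale(frame))))
        return pkts

    def receive(self, pkt: Packet) -> bytes:
        return stream_xor(self.key, f"{pkt.sender}/{pkt.layer}", pkt.body)


class TranscodingServer:
    """The design the parent comment describes: one stream in, the server makes
    the low-res copy. It can only do that by holding the meeting key."""
    needs_meeting_key = True

    def __init__(self, meeting_key: bytes):
        self.key = meeting_key

    def forward(self, pkts: list, want_high: bool) -> Packet:
        high = pkts[0]
        if want_high:
            return high
        plain = stream_xor(self.key, f"{high.sender}/high", high.body)  # server sees plaintext
        return Packet(high.sender, "low", stream_xor(self.key, f"{high.sender}/low", downscale(plain)))


class SimulcastForwarder:
    """Selective forwarding: picks a layer by plaintext metadata, never holds a key."""
    needs_meeting_key = False

    def forward(self, pkts: list, want_high: bool) -> Packet:
        layer = "high" if want_high else "low"
        return next(p for p in pkts if p.layer == layer)


def uplink_kbps(topology: str, participants: int) -> int:
    """Per-sender upload cost of the three designs for an n-party call."""
    if topology == "mesh":         # full-resolution copy to every other participant
        return (participants - 1) * HIGH_KBPS
    if topology == "transcoding":  # one stream up, server fans out
        return HIGH_KBPS
    if topology == "simulcast":    # two layers up, server fans out
        return HIGH_KBPS + LOW_KBPS
    raise ValueError(topology)


def demo(frame: bytes = bytes(range(256)) * 4) -> dict:
    key = b"meeting-key-0123"  # constructed; shared by participants only
    alice, bob = Participant("alice", key), Participant("bob", key)
    sfu, transcoder = SimulcastForwarder(), TranscodingServer(key)
    via_sfu = bob.receive(sfu.forward(alice.send(frame, simulcast=True), want_high=False))
    via_transcoder = bob.receive(transcoder.forward(alice.send(frame, simulcast=False), want_high=False))
    return {
        "sfu_low_ok": via_sfu == downscale(frame),
        "transcoder_low_ok": via_transcoder == downscale(frame),
        "sfu_needs_key": sfu.needs_meeting_key,
        "transcoder_needs_key": transcoder.needs_meeting_key,
        "uplink_10_party": {t: uplink_kbps(t, 10) for t in ("mesh", "transcoding", "simulcast")},
    }
```

Both servers deliver a correct low-res frame to bob; the difference is that only the transcoder had to decrypt alice's stream to do it.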


And don't install the Zoom app on a computer where you store secretive data, such as medical information, private keys, passwords, credit card data or anything that you don't want the government or cyber-criminals to know.

Doesn't sound as easy now.


There is some evidence that they have a form of useless end to end encryption now. Since hardly anyone knows what the prerequisites are for useful e2ee they can probably make the announcement whenever they want.


My company banned the use of Zoom on company computers or computers connecting to the company network.

Has anyone else had this happen to them?


The very large company I work for banned all video conference software except for what is provided by the company. I don't think it is just about security, but make everyone use the same system(s) because it just got too confusing to communicate with other divisions or even departments. You can search for people in other divisions and then video chat with them if you want, or just plain old school voice chat.

Luckily, the software we are required to use works pretty well on iOS, Android, OSX and Windows.


No one I know has had it happen yet at their places of work, but I saw a lot of discussion about New York City schools issuing a ban earlier this week [1].

[1]: https://www.businessinsider.com/new-york-city-schools-bannin...


Supposedly Google just did.


Mac App Store version when?


Or even a non-MAS app that's sandboxed, if it's going to be free anyway and they prefer to manage their own release schedule.


I wonder if Google and Apple were directly involved in the campaign against Zoom.


They’re in the same bed as China. I don’t trust them for anything now, this to me is just a PR management exercise. They’re still going to give away your data


Would you please stop posting unsubstantive and/or flamebait comments to HN? We're hoping for a better quality of discussion than this, and (especially) than what it leads to. Case in point: see below.

https://news.ycombinator.com/newsguidelines.html


I believe the GP was referencing Zoom's encryption going through China's servers, which was on HN's recently: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

There are valid criticisms to be discussed about China's actions and how much Zoom should be trusted given its close relation.

There have been many criticisms of the US government here and I never see anything flagged or removed; I would consider that nationalistic and provocative under the same guidelines. I just don't see why the China discussions are removed.


> There are valid criticisms to be discussed about China's actions and how much Zoom should be trusted given its close relation

Yes, and that's why comments about it should be thoughtful and substantive—not drive-by flamebait leading to useless flamewars about NATO and Winnie the Pooh.

> There have been many criticisms of the US government here and I never see anything flagged or removed

That happens often. If you never see it, that's because of a cognitive bias: we notice and weight more strongly—that is, we see—what we dislike. https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que.... People on the opposite side of this question have exactly the opposite complaint.


[flagged]


The GP comment was lazy and provocative, but please don't take HN threads further into nationalistic flamewar. These are all the same, therefore tedious, therefore off topic here. Also, they get nasty, which breaks the container.

https://news.ycombinator.com/newsguidelines.html


Are you suggesting that China isn't responsible for repeated, massive state-sponsored hacks? That they aren't actively committing industrial espionage primarily through said state-sponsored hacking?

If you're not saying that, then why are you pretending the fact that Zoom is sending keys THROUGH CHINA and developing the product IN CHINA is not a big deal?


> Are you suggesting that China isn't responsible for repeated, massive state-sponsored hacks? That they aren't actively committing industrial espionage primarily through said state-sponsored hacking?

Nope, not at all. They're guilty of all of it and probably more.

> If you're not saying that, then why are you pretending the fact that Zoom is sending keys THROUGH CHINA and developing the product IN CHINA is not a big deal?

Because for me, as a European, it doesn't really make much difference, does it? Both countries are currently led by lying, dishonest governments which are spying on anything and everything that moves. If anything, it disappoints me that Americans are wasting so much time complaining about China while the worst parts of the Chinese regime are growing and thriving in their own backyard and affecting their own wellbeing.


Why do you think it doesn't make a difference? At a minimum, one country shares a mutual defense pact with most of Europe. The other doesn't (to say the least).


After aggressive sanctions from the US government on the EU, the targeted EU travel ban and the current president's rhetoric, I have zero trust in any kind of mutual defense or military assistance coming from the US in a time of crisis.

Remember, people of Italy are currently being helped by Chinese doctors while US president ignores and belittles the problem.

The talks between France and Germany about creating an independent defense pact also reflect the complete lack of trust in what NATO has become. So much was lost in so few years.

And that also ignores all the nasty surveillance stuff they've been doing these last few years - where the Five Eyes pact was used to surveil our own citizens by our own government by piping data through US. If there's one thing I'm sure of is that China won't share their spying data with my own government ;P


I think I'd be the first to admit that NATO has probably outlived its useful life as a Cold War construction, but there's still a lot of history there. None of that exists with China, and China seems to be using the crisis in Europe as a means to exert its influence abroad (hello 5G rollout). Does Europe really want to trade that history for a new relationship with a country like China where the structure of that relationship is yet unknown?

Perhaps it's better to actually ask some hard hitting questions about fairness between US-EU trade relations (and admittedly since I am an American, it seems a bit unfair that the EU gets to essentially freeload on US defense in the western hemisphere and we get some stiff tariffs in return). So it seems perfectly reasonable, and probably a good thing, that France and Germany are creating an independent defense pact.

>If there's one thing I'm sure of is that China won't share their spying data with my own government ;P

And? Consider for a moment that sharing of this data between defense partners actually provides a useful signal of mutual capabilities and for what's being collected.


It's been my understanding that what we get in return for having our military everywhere is the continuation of the petrodollar and the usage of the dollar as the world's reserve currency.

I'd be totally open to arguments that we see a negative ROI on this, but I don't think it's necessarily fair to say that we don't get anything out of it.


I've heard this argument before, and after reading a lot about it (and breaking out some of my old economics textbooks) I'm not really sure what to make of it. I'm undecided on if the dollar as the "world" reserve currency is actually a good thing for regular Americans. It certainly gives the American government a lever of power that other countries do not have, but where I part ways with the prevailing wisdom on this (the wisdom that insists this is a worthwhile arrangement) is when we talk about what the United States uses this power for. Folks who've lost their jobs because of crappy trade deals, or see their towns evaporate because of global capital movement, feel no comfort from the fact that foreign banks and governments "seek safety in holding US dollars".

One would expect that this power would be used to enrich America. This isn't what's happening, so I'm frankly willing to part with the whole deal.


> If there's one thing I'm sure of is that China won't share their spying data with my own government.

They'll just share it with their allies; Chinese-state hackers, Russia, Iran, and North Korea so you'll have blackhats after you instead of your government.

Out of the frying pan into the fire.


[flagged]


Posting like this will get you banned on HN, regardless of problems with other comments. We've had to warn you about this kind of thing before. Please don't do it again—it's obviously destructive of the values of the site.

https://news.ycombinator.com/newsguidelines.html


Can't reply to remarkEon directly, so here it goes.

America bugged the phone of our chancellor (Germany). Trust is at an all time low. Nuf said.


It's the industrial espionage angle that is probably more concerning. The Chinese government certainly can get attendee lists and keys for Zoom meetings; want to listen to meetings the cxx folks are in?

Or worse, steal prospects for domestic companies? I'd be pretty enthused about getting the list of people my competitors are doing sales calls with.



> There's many reasons not to trust the CPC. (ip theft, surveillance, etc.)

That's pretty much the summary of US attacks on our EU government as well (remember the backdoor direct attack on Belgacom?), soo... why does it make a difference? If anything, routing things through China denies our data to the NSA and makes it less concentrated and useful. Similarly, spreading data over multiple cloud providers gives less power to Google et al.


You ignored the humanitarian issues.

Also, please give me examples of a US or European country stealing IP, because that's the main threat w/ Zoom (spying on businesses & stealing tech)

Yes, most countries spy, China goes much much further and has no accountability because it's an authoritarian regime, not a democracy.

You can talk shit about Trump all you want, but try to call Xi Jinping a cartoon bear.

Ask Hong Kong, they'd love to have the freedoms that they once had as UK citizens.


I just told you a few days ago that if you keep taking HN threads further into political, nationalistic, or ideological flamewar, we are going to have to ban you. You're still doing it.

This sort of tedious boilerplate gets certain juices flowing but it has nothing at all to do with intellectual curiosity, the purpose of this site. In fact, it drowns it out. Would you please review https://news.ycombinator.com/newsguidelines.html and take the spirit of this site more to heart? We want curious conversation here, not demon-fighting.


Understood, could you delete my account and all of my comments please as I no longer wish to participate here.


Zoom won the proverbial lottery with this pandemic and lost their ticket through greed/laziness. Great companies are always prepared when their big break comes. Zoom is not a great company.


You don't have to be a great company to win in the market. I'd bet that zoom still maintains dominance and manages to con people into believing that they're super secure now guys.


It looks to me like they've still won the lottery.


[flagged]


How is that not the biggest scandal around this company, as opposed to the (intentional or not) misinformation about end to end encryption? Not that it doesn't count, but for this one, if it's real, the company should be brought up to public scrutiny.


Seriously - I never expected or needed e2e in my video conferencing (I like transport encryption fine and always thought the lock meant that).

But this would be a huge issue if true.


What additional evidence can you provide? This is concerning to say the least.


I'm surprised this isn't a bigger story if it can be substantiated.

Can someone explain what the security trails site shows and how this confirms the allegations?


The presence of this subdomain does not necessarily prove what exactly _was_ behind this subdomain, but SecurityTrails shows that it did in fact exist during the period when Zoom had misconfigured their network and allowed their DNS records to leak from their internal network.

It additionally appears that there are many other obscene domain names that had leaked out, including f*ckmenumb.athena.ipa.zoom.us [1].

The issue of course is that to my knowledge there are no other historical DNS databases that corroborate the existence of this subdomain, it seems only SecurityTrails has this record.

Two additional notes:

1) The fact that calls are not E2E on Zoom makes the presence of this dashboard entirely possible from a purely technical standpoint.

2) Alex Stamos has been hired by Zoom, which I find interesting timing-wise..., perhaps I am missing context.

[1] https://twitter.com/TwelveSecurity/status/124714209506588672...

[2] https://twitter.com/zoom_us/status/1247862458187841537


> if it can be substantiated

Key words, I see no actual proof of OPs claim...


pretty bold claim... when you say "showed" do you mean personally or that you reached out to him somehow with no evidence that he received information about this?


I don't see anything for that domain...


I do, in that link provided in an edit, after getting around google recaptcha (wow securitytrails.com has a shitty website...)

Edit: here's a screenshot: https://twitter.com/danehrlich11/status/1247206209876353025/...


Can you link? I couldn't find that on securitytrails



I can't quite figure out what's going on with this thread. It seems to have an eerie amount of posts about support for Zoom, perhaps by paid trolls ("wumaos")?


Please don't break the site guidelines by posting insinuations of astroturfing. Overwhelmingly, such perceptions are simply in the eye of the beholder. I say that based on many years of looking at that data, and you can find more explanations here than anyone would ever want to read: https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme....

https://news.ycombinator.com/newsguidelines.html

If you're worried about this kind of thing, follow the site guidelines and email hn@ycombinator.com so we can look into it. (We always do.) In this case, though, the simplest explanation seems adequate: the community is divided. When there's a popular divisive topic, people who feel strongly for side A always feel like the amount of support for opposing side B is 'eerie', because it's hard to imagine how it could possibly be in good faith. Of course B feels the same way about A.

Edit: oh dear. It seems like you've been using HN mostly for nationalistic battle lately. We ban accounts that do that, so please stop. It's emphatically not what this site is for, regardless of which nations are at issue.


I can only assume CISO is Chief Information Security Officer? I hadn't seen the acronym before. Bad Zoom for not writing it out in full on the first instance.


I only first encountered it a year or two ago. It's pretty difficult to keep up with management/marketing buzzwords.

In any case, anyone at the 'C' level almost by definition knows little or nothing about actual computer security.


"CISO" is a pretty standard acronym. People who don't work in cybersecurity or who don't have that background might not recognize it, but it seems like a minor detail.


Sure, it's a minor detail. And yes, you can say the audience for this post is people who work in cybersecurity. But it costs nothing to introduce the acronym, as is usually recommended. Without it you are alienating anyone who doesn't know the term.


Serious question - would you feel the same way about using CEO or CFO without spelling out what they stand for?



