
SpaceX bans Zoom over privacy concerns - mortenjorck
https://www.reuters.com/article/us-spacex-zoom-video-commn/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H
======
hunter2_
The fact that they show end users (no pun intended) an "end-to-end encrypted"
badge on the meeting window itself, and elsewhere explain how a Zoom server
(not Zoom client) is what constitutes an "end" despite the whole rest of the
electronic communication industry using "end-to-end" to refer exclusively to
user agents, is bonkers.

~~~
paulryanrogers
Agreed. It's unlikely they stumbled onto an industry standard phrase like that
alone, then innocently used it without knowing the generally accepted meaning.
This is deceptive advertising.

~~~
intopieces
Not defending zoom here -- they done fucked up -- but there is a huge
disconnect between the marketing folks and the technical folks. It's possible
that E2E Encryption was something they planned on implementing but haven't,
and the marketing department either didn't get the memo or didn't understand
and still kept the wording.

~~~
tyre
If marketing misuses a term on the website because they didn't understand what
it meant, that's their fault. If they listed a feature that hasn't yet
shipped, that's their fault.

It's natural that there is a divide and marketing isn't expected to understand
every engineering thing (nor the other way around.) If your job is to write
words, though, you are responsible for the words you right.

~~~
PakG1
_you are responsible for the words you right._

Wait, did you do that on purpose? :)

~~~
tyre
:)

------
nilkn
Zoom is such a bizarre product. For huge video calls, it tends to perform as
well or better than everything else out there. Yet at the same time it
literally seems like straight-up malware and seems to violate your trust and
privacy left and right every step of the way, even in the installer (!).

~~~
allover
To be fair it does perform _better_ than everything else, which is why people
are so forgiving of it, but it still doesn't excuse their ineptitude on
privacy and security.

~~~
grahamburger
In my experience Google's Hangout Meetings have been at least as good or
better quality and the interface is far superior in my opinion. For example it
works in the browser without any plugins (even in Firefox.)

~~~
ajmurmann
I haven't used Hangouts in a professional setting in a while. Does it finally
support tile view? Another feature I find really valuable is allowing two
windows. One for participant view and a separate one for shared screen.

~~~
yellow_postit
Nope. Have to resort to chrome extension to get the tile view.

~~~
plussed_reader
When not in presentation mode.

------
_ph_
The problem with Zoom isn't that it doesn't have end-to-end encryption. If
you consider the problem, it is extremely difficult to solve, as in contrast
to a 1:1 video call, the server somehow has to multiplex the streams and
thus needs at least some access to them. With a trustworthy provider, this isn't a
big issue. A trustworthy provider will have a clear policy which ensures that
only the multiplexer has access to the unencrypted data. After all, you are
running a proprietary client from that provider, and each client of course has
access to all unencrypted data.

The problem is that the actions of Zoom don't make them look like a
trustworthy provider. They lied about the end-to-end encryption. What they
should have done instead is to be transparent on how unencrypted data is used
on their servers and what their protocols are to prevent unauthorized access
to that data. Which is especially important in a business context, because the
business users themselves have confidentiality agreements they need to
guarantee, and using an external provider for confidential data requires that
provider to pass the necessary scrutiny.

And of course, the huge pile of security issues coming up with their client,
the web server, the mac installer, the script host, give any reason to believe
that they either don't know what they are doing or are completely reckless at
least. And the term "reckless" doesn't fit in a conversation about security
:).

~~~
mdavidn
No. "End-to-end encryption" does not protect metadata necessary to route the
data over a network, just the contents of the communication. The clients could
negotiate keys to protect the contents of a meeting end-to-end. In other
words, Zoom servers could deduce who was speaking, when they spoke, and for
how long, but not what they said.

Your internet service provider can deduce the same about your HTTPS
connections.

~~~
IshKebab
> The clients could negotiate keys to protect the contents of a meeting end-
> to-end.

Not really because Zoom makes fairly extensive use of the _decrypted_ video
streams on their servers, e.g. to detect who is talking, pause video for
people with slow connections, etc. You could _maybe_ do it for meetings with a
few people in, but good luck doing it for meetings with 100 people.

Hell the cryptography of group end-to-end encryption hasn't really been worked
out yet. WhatsApp doesn't do it and that's just for text. I'm pretty sure
Signal doesn't either.

There's really nothing bad with not having end-to-end encryption for group
video conferencing apps. The shitty thing is that they pretended that they
did.

~~~
dwaite
> Not really because Zoom makes fairly extensive use of the decrypted video
> streams on their servers, e.g. to detect who is talking, pause video for
> people with slow connections, etc. You could maybe do it for meetings with a
> few people in, but good luck doing it for meetings with 100 people.

You encrypt audio and video streams separately. If your connection is slow you
stop grabbing the video stream. Detecting who is talking is a local function
because you are receiving audio packets from them. Encryption doesn't have to
change the amount of data sent.

> Hell the cryptography of group end-to-end encryption hasn't really been
> worked out yet. WhatsApp doesn't do it and that's just for text. I'm pretty
> sure Signal doesn't either.

Two ways:

1. Your password does not need to be shared with Zoom for entry
into the meeting room. That password and the meeting room number are converted
into a symmetric encryption key, so everyone who is able to join the meeting
successfully has the same group shared secret for both sending and receiving
video and audio.

2. You have an invitation system where the host of the meeting approves
people. This approval causes the symmetric key of the meeting to be shared
with the person seeking approval, encrypted to their public key. People who
can supply a proof of possession of the password or whose public keys were
associated with the meeting get invited without requiring confirmation by the
host, although the participants in the room become a log of who was able to
view the meeting.

These get harder if you want to, say, have a periodic key rotation while a
meeting is going, for sure. They also get harder if you try to encrypt routing
metadata or disguise that the traffic is audio/video in general.

The real thing that kills E2E for a corporate product like Zoom are the phone
dial-ins. Hardly a point for all that security if you have one person calling
in having the now unencrypted voice traffic bounced all over the place.

> There's really nothing bad with not having end-to-end encryption for group
> video conferencing apps. The shitty thing is that they pretended that they
> did.

100% agreed within Zoom's market because of integration of external services
like dial-in/dial-out voice.
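The first of the two schemes above (password plus room number converted into a group shared secret, with separate audio and video keys and a proof of possession of the password instead of the password itself) can be sketched in a few lines. This is an added illustration written for this thread, not Zoom's code and not the commenter's; it assumes PBKDF2-HMAC-SHA256 as the password-to-key conversion with an iteration count I chose, HMAC with fixed labels to split the secret into per-purpose keys, and that the host (an existing participant who already holds the secret), not the server, verifies join proofs. The room number and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Parameters chosen for this illustration; a real protocol would pin these.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_meeting_secret(password: str, room_id: str) -> bytes:
    """Turn the meeting password plus room number into the group shared secret.

    Both inputs are known only to invitees, so everyone who can join derives the
    same 32-byte secret locally; nothing derived from the password is sent to the
    conferencing server. The room id acts as the salt, so reusing a password in
    a second room yields a different key, and the PBKDF2 iteration count slows
    offline guessing of weak passwords (a low-entropy room password is the main
    risk of this design, and the only defence besides the iteration count is to
    make the password long and random).
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        ("room:" + room_id).encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=KEY_LEN,
    )


def subkey(secret: bytes, label: str) -> bytes:
    """Derive an independent per-purpose key from the shared secret.

    Audio, video and the join proof each get their own key (HMAC of a label
    under the secret), so a client that drops the video stream on a slow link,
    or a component that only handles audio, never needs the other keys.
    """
    return hmac.new(secret, label.encode("utf-8"), hashlib.sha256).digest()


def join_proof(secret: bytes, room_id: str, challenge: bytes) -> bytes:
    """Proof of possession of the password: a MAC over a fresh host challenge.

    The joiner sends only this MAC, never the password. The challenge must be
    fresh per attempt so a captured proof cannot be replayed later.
    """
    key = subkey(secret, "join-proof")
    return hmac.new(key, room_id.encode("utf-8") + challenge, hashlib.sha256).digest()


def verify_join(secret: bytes, room_id: str, challenge: bytes, proof: bytes) -> bool:
    """Host-side check: recompute the proof and compare in constant time."""
    expected = join_proof(secret, room_id, challenge)
    return hmac.compare_digest(expected, proof)


def demo() -> dict:
    """Walk through a join with a correct and an incorrect password."""
    room = "987-654-321"  # constructed room number
    host = derive_meeting_secret("correct horse battery staple", room)
    alice = derive_meeting_secret("correct horse battery staple", room)
    eve = derive_meeting_secret("correct horse battery stable", room)  # wrong

    challenge = os.urandom(16)  # fresh per join attempt
    return {
        "alice_has_group_secret": alice == host,
        "alice_admitted": verify_join(host, room, challenge, join_proof(alice, room, challenge)),
        "eve_rejected": not verify_join(host, room, challenge, join_proof(eve, room, challenge)),
        "audio_video_keys_distinct": subkey(host, "audio") != subkey(host, "video"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The second scheme in the comment (host approves a joiner and sends the meeting key encrypted to the joiner's public key) needs a public-key primitive that the standard library does not ship, so it is not shown here; the `subkey` split is the same in both schemes, and the dial-in caveat the comment raises applies to both, since a phone bridge has to hold the audio key.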

~~~
iguy
I presume they also resize video, so that you download small streams for
thumbnails, plus a bigger one for the main view. If it's just two sizes you
could do it before uploading, but this would be harder if it's actually 10
different qualities.

~~~
genocidicbunny
Zoom also has a feature that lets people join a meeting by phone. There's no
way they could do that without being able to access the unencrypted stream.

------
nojvek
That's the right thing to do. If SpaceX is important to national security,
then Zoom security and privacy is so bad, that a bad actor could steal SpaceX
technology.

At my previous job, we used to dial in to random zoom numbers and enter into
random conversations of other companies. Once we landed in a Facebook call
where they were talking about Libra (before it was a thing).

If you turn off camera and video, the host doesn't even know you're there
unless they check guest list.

~~~
gnicholas
Doesn’t it chime when someone enters?

~~~
chance_state
Sure, but with a large enough call, legitimate users may come and go during
the call too.

------
scotth
I looked into adding Zoom to our Slack workspace this morning, and was beside
myself with the set of permissions they requested — reading the contents of
every channel and private chat they're included in? For a slash command?

That's a hard no. Turned me off the service entirely.

~~~
RandallBrown
It's only available in the paid version, but slack's video conferencing works
pretty well.

~~~
aidos
It works, but it burns through so much CPU your computer will be a gibbering
mess. There are some pretty silly inefficiencies going on, for example: if you
switch away to another window, they display a small video player while keeping
the big one running in the background. Each time you switch into screen sharing
mode, they drag you back to the app again. If you draw on the screen, someone
has screwed up their linear algebra so you end up seeing double with an extra
copy of what you're drawing, in totally the wrong place.

Annoyingly it's a bit too convenient, so going out of band is a pain.

~~~
leecb
I regularly have complaints that people can't hear me over my laptop's fan
when using slack video conferencing, or jokes about hair dryers. Computer is a
MBP16.

Seems like they need to get their CPU use under control.

~~~
jachee
You could also get a headset instead of yelling at your built-in mic. As a
100% remote employee, even before Covid, the coworkers with headsets are
_much_ easier to understand, and have less background/foreground noise.

As a headset user myself, no one ever asks me to repeat myself, notices when I
type, or hears anything not within an inch of my mouth. Plus, I've got a
physical mute switch for instant, unambiguous mute, as-needed.

------
shirro
I feel very conflicted on Zoom. It mostly just works and on every platform,
even Linux. My kids use it to do their music lessons now. It really is very
good at what it does in a time when such solutions are needed. Also they
responded to the mobile facebook sdk issue and the macos issue quickly.

But I agree the way they suggest it is end to end encrypted is misleading. I
don't think it really can be end to end to get the performance and features.
People just need to see each other at the moment. You can do anything
sensitive with more secure communication. But it clearly doesn't belong in any
place discussing technology with military applications.

I still think it is solid for my kids to keep up with their lessons or for a
weekly meeting about some web development. There are genuine criticisms of
Zoom at the moment that need to be taken seriously but there is likely also
some negative media being generated from their competition that are missing
out.

~~~
simonh
They did not address the OSX issue for ages. They claimed it was intentional
and a valuable feature for customers. In the end Apple had to release a
security update to remove the web server.

------
ramshorns
So what's a good open source replacement? Jitsi, Jitsi Meet, Linphone, Ekiga,
Jami and a bunch of others look okay [1], but it's hard to say how easy they
are to use.

[1]
[https://en.wikipedia.org/wiki/Comparison_of_VoIP_software](https://en.wikipedia.org/wiki/Comparison_of_VoIP_software)

~~~
Maakuth
I've used Jitsi Meet with ordinary (that is, non-IT) people without
trouble. I've also recommended it to elementary school teachers, who have been
happy with it. It works with desktop browser, on mobile it offers a minimal
app installation. Self-hosting is quite easy with their apt repo.

------
m0zg
As they should, since they're subject to ITAR regulations, and ITAR is not a
joke.

~~~
annoyingnoob
Came to say the same thing. Zoom is impossible if you are considered part of
the DoD supply chain. Most of the public products are untenable if you need to
talk about ITAR projects or about anything considered CUI.

~~~
catalogia
Even if they weren't supplying the DoD with anything, rocket technology is
missile technology. (Granted, liquid fueled ICBMs are old-school, but they'd
nevertheless still be under ITAR even if they took no government contracts.)

------
JohnJamesRambo
Guys, I'm starting to think this company isn't worth a P/E ratio of 1600.

~~~
julianlam
I'm surprised by the concerns raised by the HN commenters. When Zoom filed
their S1, HN was nothing but complimentary about their product and business
model.

The time to pull out might be after their next quarterly report.

------
gonesilent
Spacex is a targeted environment. It's smart for them to not use such a
service. Many years back it was getting hardware shipments intercepted and
bugged. A company was spun out of just dealing with the amount of attempts to
root Elon's devices.

~~~
Robotbeat
Which company?

~~~
bootloop
Many claims. Not enough sources.

------
dsimms
I have to agree that Zoom just doesn't seem to care very much about privacy or
security. Once? Sure, maybe an honest mistake. But, come on.

Also, I have been enjoying this: [https://github.com/arkadiyt/zoom-redirector](https://github.com/arkadiyt/zoom-redirector) which highlights how
optional the use of the native client is.

------
echelon
SpaceX is strategic national defense, so this makes sense. I expect many
similar companies to follow suit.

~~~
bob1029
Seems like any organization under ITAR should prefer in-house solutions in
areas relating to dissemination of sensitive design notes.

~~~
gpm
"In house (software)" is usually synonymous with "not properly tested or
secured"... I'd generally rather they relied on third party code audited by
the nation's security services.

~~~
nisse72
Rather than "NIH" solutions, I think that such businesses commonly choose
products that can be hosted on premise.

There's also MS Government Cloud: [https://azure.microsoft.com/en-us/global-infrastructure/gove...](https://azure.microsoft.com/en-us/global-infrastructure/government/dod/)

------
namelosw
Zoom's hidden doctrine "convenience over privacy" works really well. They
assume their user wouldn't care too much about security and privacy, and
sadly, for the vast majority, they assumed correctly.

------
JumpCrisscross
To those saying SpaceX is subject to ITAR and defence standards, what does
that say for anyone in healthcare, finance, California or Europe?

Zoom is looking like it’s closer to Discord than Slack.

~~~
stonogo
Zoom and Slack are both FedRAMP authorized for government use. Zoom is even
authorized Moderate, while Slack is still being audited for that rating.

[https://marketplace.fedramp.gov/#/product/zoom-for-governmen...](https://marketplace.fedramp.gov/#/product/zoom-for-government)
[https://marketplace.fedramp.gov/#/product/slack](https://marketplace.fedramp.gov/#/product/slack)

~~~
annoyingnoob
You don't get zoom's government platform by default, you have to ask for it
and I'll bet it has different pricing. I suspect you also lose some features,
like recording (at least at the server). I haven't checked Zoom but other
FedRAMP products I've seen are 3x the price of the standard offering.

~~~
eitally
FedRAMP Moderate doesn't require an isolated, US-citizen-only-staffed
environment. Only FedRAMP High requires that, so they can still be on shared
infra for Moderate.

------
Ohn0
It was clear from Zoom's security vulnerability last year that they value
ease-of-use over security, so it seems obvious to me they wouldn't care about
privacy.

------
moron4hire
Setting up Jitsi on a very basic Linux VM is super easy. I know, because I am
terrible at server setup and even I was able to do it in a couple of hours
this morning.

~~~
pugworthy
Yes, but what do you know about its security?

~~~
moron4hire
Well, it's my own server, and the code is open source, so... pretty trivial to
verify.

~~~
nemothekid
> _and the code is open source, so... pretty trivial to verify._

_laughs in Heartbleed_

------
georgewfraser
I've found Hangouts to be equal in call quality to Zoom, and it runs entirely
in the web browser. The only down side is it consumes a LOT of power, so you
need to stay plugged in while you use it.

~~~
waynenilsen
Also can't have too many attendees

~~~
georgewfraser
You can have 200, and you can also live-stream large meetings. It is a bit
weird that you have to split the stream, but it's worked great for us doing
~300 person all-hands meetings.

~~~
tonyztan
Google Meet also works well if you have G Suite:
[https://gsuite.google.com/products/meet/](https://gsuite.google.com/products/meet/)

------
droithomme
I'm not Zooming, but everyone I know is, and it looks pretty damn slick and
seems to work great. I can't think of any service that has had as fast and
huge an adoption, which is obviously due to blind luck/things beyond their
control (no one saw global apocalypse coming and hoping for such would be a
horrible business plan).

Of course there's been other services working just as well or better for at
least 10 years now. Interesting things converged suddenly on Zoom. I guess
full cross-platform support was the key? Also interesting is the deluge of
anti-zoom articles that are blanketing the cybersphere :-) just as they are
getting traction. Jealous rivals? Disgruntled lovers?

~~~
dang
Zoom is the deluge du jour (literally—today has been the day of Zoom deluge
complaints), but Occam called and wanted to let us know that we don't need any
sinister explanations. It's obviously (or at least, explicable) as an effect
of the covid crisis.

[https://news.ycombinator.com/item?id=22754135](https://news.ycombinator.com/item?id=22754135)

[https://news.ycombinator.com/item?id=22751116](https://news.ycombinator.com/item?id=22751116)

~~~
droithomme
Thanks, that "black hole story" is a really useful and compelling metaphor.

------
HenryBemis
Has anyone noticed how hard some late-night-US-TV-shows are pushing
(advertising) Zoom? Stephen Colbert, Seth Meyers... Zoom is spending big $$$$
to advertise. While competition (WebEx for example) has been silently killing
it. I feel that Zoom wants to be "the new cool kid" in town for which nobody
knows anything about... and while we do learn, it looks like it's got some shady
practices (as we discuss here).

------
garyclarke27
I use MS Teams in my company, seems to work very well, great quality video,
I don't fully understand the security issues with Zoom, so I'm curious, does
anyone know how MS Teams compares to Zoom?? The school my kids go to (in
Portugal) also use Teams, for online learning, seems to be working well for
them now. (Europe had issues a few weeks ago with Teams, when most of the
schools first closed)

~~~
LatteLazy
I believe...

MS Teams is better but you have to pay for it (and maybe it's complex to
implement too).

Zoom is free (and supports large numbers of participants which other free
alternatives don't). Also meetings can be setup with about 4 mouse clicks by
the user himself with no other kit than a browser in Zoom. Getting your art
department home workers to correctly

It has been weird watching people insist we use zoom because it supports so
many users, when there are only three of us actually in a meeting. So the
cynic in me suspects it's being used by (say) schools and universities (as the
Skype limit was 32 people, now 50). And other people have assumed it's better
since Harvard/Cambridge use it, so now they use it for 4 people...

~~~
garyclarke27
Thanks - Teams is surprisingly easy (for a Microsoft product) to set up a
glitch-free video conference call. I was curious how secure it is? It's free
with an Office 365 subscription and they are quite cheap, office is pretty
much essential for most businesses, I think schools get it very cheap or even
for free.

------
W-Stool
I've never heard of the Zoom app until about three weeks ago and now I'm
reading something about it here on HN almost every day. Why is this company
and their app suddenly so popular and so critiqued? I thought the world was
Skype, FaceTime, WebEx, that whole cluster of technologies and related
applications. Why are the Zoom folks suddenly on the front page everywhere?

~~~
twic
WebEx is terrible, FaceTime is Apple-only, Skype is circling the drain since
being bought by Microsoft, so there is a lot of pent-up demand for a good
cross-platform videoconferencing tool. Zoom is one of the front-runners.

There is a good overview of the options in an article recently posted here -
see under "Videoconferencing":

[https://apenwarr.ca/log/20200309](https://apenwarr.ca/log/20200309)

------
crankylinuxuser
Being the Linux geek, I use MS Teams. I even use it with its Linux client, and
works astonishingly well.

My only 2 grievances with it are:

1. Teams steals focus to make the next message on a group, rather than in the
thread ALL THE TIME. I've been there for a dozen comments because Teams stole
cursor focus.

2. It's easy to make an invite to a one-shot room, rather than use an existing
room. Doing so loses all history and provenance and discussion. And there's no
"merge this room with the real place" when that happens.

But all in all, I've been on 130+ person calls with no issue. Works very well,
aside from those issues above.

~~~
btilly
I have to use MS Teams and hate it.

The fact that I lived with the bug described in
[https://news.ycombinator.com/item?id=22741348](https://news.ycombinator.com/item?id=22741348)
for a long time with no idea how to fix it didn't help.

------
keyle
"Please use email, text [...]" as an alternative with concern over privacy?

------
zkid18
Why are ppl so obsessed with e2e as a de-facto synonym for security?

Another question, why do ppl who care so much about security keep relying on
marketing stuff rather than using open-source solutions?

------
rasz
Remember the movie Antitrust, where Bill Gates type character played by Tim
Robbins records everyone's computer screens to steal secrets? That's Zoom for
you, minus the murders.

------
Antoninus
Think of the poor engineers working to roll out some form of legit end-to-end
protocol while this blows up in management's face. Godspeed.

------
fbnlsr
I'm completely out of the loop with Zoom. What's so great about this compared
to Google Meet for instance?

------
tmoravec
So what video conferencing solution do they use instead?

------
etaioinshrdlu
They also don't use AWS.

~~~
galacticaactual
Pretty definitive statement there. Source?

~~~
etaioinshrdlu
Can't seem to find it right now :/ sorry.

~~~
numpad0
Plausible though, considering Musk’s fundamentalist tone

~~~
gpm
And the amount of classified material they handle, and the fact that Jeff
Bezos is a direct competitor so Amazon is very very closely affiliated with a
direct competitor.

~~~
slenk
So, SpaceX.com at least uses an IP address owned by Amazon:
[https://www.abuseipdb.com/whois/50.112.120.214](https://www.abuseipdb.com/whois/50.112.120.214)

    slenk@Enterprise:~$ host spacex.com
    spacex.com has address 50.112.120.214
    [output truncated]

~~~
_ph_
Well, there is no security problem to host a public web site on e.g. AWS. I
think the restrictions more affect internal, confidential data.

~~~
slenk
You're probably right. Just proving that broad blanket statement wrong

------
rootsudo
Good, the less we use Zoom the better. Even facebook Messenger is more secure.

~~~
kiwijamo
Would you suggest organisational video conference meetings of e.g. 25-100
people over Messenger...? There is a niche Zoom is occupying very well.

~~~
rootsudo
It's more of a "trusting" facebook transparency vs if Messenger has the same
solution that Zoom fits in.

Meanwhile, it's 2020. Didn't think video conferencing was such a big deal.

------
dba7dba
I really really wish Apple would build a replacement for zoom, that is
available on as many devices as zoom is.

This is a matter of national issue. This rush to remote is not something that
will go away completely.

I think many security minded people are not comfortable with zoom, but have to
use it.

Please Apple, build something that can replace zoom.

------
deminature
This is a knee-jerk reaction. Zoom was indirectly sending information to
Facebook as part of their Facebook SDK integration to enable login, not
directly as part of explicit information gathering. Any app that integrates
with the Facebook SDK does this, and they've also patched it already [1].

The supposed root exploit found in Zoom also requires physical, logged-in
access to the machine, at which point a Zoom exploit is the least of your
problems [2].

Zoom is a solid piece of software, and the developers are responsive and seem
to care. I'm disappointed to see it getting dumped on during the past few
days. A cynic might even suspect a co-ordinated campaign by Cisco, considering
Zoom was started by frustrated ex-Cisco employees and has had runaway growth
during the viral crisis, while the same cannot be said for Cisco's competitor
product WebEx.

[1] [https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebo...](https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/)

[2] [https://9to5mac.com/2020/04/01/new-zoom-bugs-takeover-macs-c...](https://9to5mac.com/2020/04/01/new-zoom-bugs-takeover-macs-cam-mic-root/)

~~~
cynix
> Zoom is a solid piece of software, and the developers are responsive and
> seem to care.

The dodgy things they've been doing suggest otherwise.

* Hijacking the package preflight script rather than using the standard package installation mechanism, so their software is installed before the user clicks Install.

* Installing a hidden web server without user consent.

~~~
vbezhenar
That's more about management decisions and unethical developers. It still
could be solid software despite those issues.

~~~
kempbellt
Does it matter which part of Zoom is causing the issue? It ends up making it
shady either way.

------
rflrob
The rumor that I've heard is that the "security and privacy concerns" are that
Boeing has somehow gotten access to their Zoom. I don't know what that means,
exactly, but it's at least somewhat more rational than being concerned that
facebook is siphoning up the data.

~~~
34679
Where did you hear this rumor?

~~~
pugworthy
I'd like to know that too. Worthy of a downvote until substantiated.

