
Trolls break into meetings on Zoom - pseudolus
https://www.businessinsider.com/aa-intergroup-meetings-zoom-bombing-trolls-alcoholics-anonymous-2020-3
======
verytrivial
[https://mobile.twitter.com/BorisJohnson/status/1244985949534...](https://mobile.twitter.com/BorisJohnson/status/1244985949534199808)

Yes, shared by the Prime Minister, number and all. What a time to be alive.

~~~
blahedo
Also interesting about that photo: Five of the 25 have portrait-oriented video
feeds. Tbh this may make more sense for this kind of thing (shows more of the
person rather than more of the space they're in) but I'm thinking about the
hardware—am I correct in inferring that those five are zooming from their
mobile? Do high-level UK cabinet ministers not have laptops?

~~~
sc11
I'm speculating, but they might find it more convenient to use a separate
device for the video chat? Especially if you're using your laptop a lot during
the video call, it's quite convenient to have the chat open elsewhere.

~~~
dexterdog
Esp considering I have had the zoom app completely crash my laptop multiple
times.

~~~
dhosek
Given how cavalier zoom is about privacy and its history on the Mac, the only
place I'd be willing to use it is on my phone or ipad where it's boxed in by
Apple's restrictions and has undergone app review. Apple had to push a silent
OS update to remove zoom's insecure secret web server.

~~~
sixothree
How the heck is Zoom even HIPAA compliant?

~~~
Legogris
Is it though?

~~~
judge2020
[https://zoom.us/healthcare](https://zoom.us/healthcare)

> HIPAA/PIPEDA plans start at $200 per month per account, which comes with 10
> hosts.

~~~
Legogris
Zoom claiming it's compliant has nothing to do with it actually being
compliant.

~~~
kemotep
If they have filed the paperwork[0] then they are. (Whether their solution to
be compliant is or is not enough would have to be audited.)

Apple's FaceTime is not HIPAA compliant because they haven't filed the
paperwork.[1]

(Obviously, there are a lot more steps to it than signing a Business Associate
agreement, but I would bet FaceTime is probably a little more secure than
Zoom)

[0]:[https://www.hipaajournal.com/become-hipaa-compliant/](https://www.hipaajournal.com/become-hipaa-compliant/)

[1]:[https://www.hipaajournal.com/facetime-hipaa-compliant/](https://www.hipaajournal.com/facetime-hipaa-compliant/)

------
tqi
It feels like the tech news cycle is so predictable...

Stage 1: This company you probably hadn't heard of before is blowing up /
changing the world!

Stage 2 (current stage): Actually it turns out this company has some
unexpected problems!

Stage 3: Actually this company is actively contributing to society's One Big
Problem!

Stage 4: Actually here is why Zoom actually isn't as bad as everyone thinks!

Stage 5: This OTHER company you probably hadn't heard of before is blowing up
/ changing the world!

~~~
syockit
I am out of the loop as to why Zoom is suddenly "blowing up". Even my
workplace is using it now. Previously, we were using either Skype, Webex, or
Jitsi. What does Zoom offer that the other three don't?

~~~
hn_throwaway_99
1. The gallery view (aka 'Brady Bunch' view) works significantly better than
any other system, with a large number of users. Especially now where everyone
is working remotely and you have large group chats IMO this is the biggest
factor.

2. Related to the above, I have rarely, if ever, had a problem with Zoom
quality.

3. The onboarding for new users (basically just share a link) is dead simple.
Zoom realized that the install process was a significant barrier and did more
than anyone else to lower that barrier (of course, with lots of
security/privacy issues to boot, but your average Joe isn't aware of those).

4. A smaller factor but perhaps a bigger one for people using Zoom for
personal reasons (e.g. teenagers and college kids) are the 'fun' features like
virtual backgrounds.

~~~
Vinnl
> 3. The onboarding for new users (basically just share a link) is dead
> simple. Zoom realized that the install process was a significant barrier and
> did more than anyone else to lower that barrier (of course, with lots of
> security/privacy issues to boot, but your average Joe isn't aware of those).

I really don't get why Jitsi hasn't taken over the world yet, given that it's
even simpler: just share the link, and the receiver _doesn't even have to
install anything_.

(Also, doesn't the gallery view exist in every major videoconf platform? I've
seen it in at least Jitsi, Whereby and Gotomeeting... And Zoom's browser mode
(which is less accessible than Jitsi's) doesn't even support it.)

~~~
hn_throwaway_99
The gallery view in other videoconf platforms doesn't even compare. I've had
flawless experiences with 12-16 people, all in a grid across my screen. Every
other system I've used had some version of rotating people in/out when there
are more than 4 people. Was a night and day experience.

~~~
Vinnl
Really? Did the ones you tried happen to be other ones than those I mentioned?
Because they just showed all 12-16 at the same time, IIRC.

------
j-wags
I attended a PhD defense yesterday that got zoom bombed. They quickly moved it
to an actively managed call and the presenter did a fine job of keeping their
composure and getting back on track. Now we're circulating guides about how to
set up secure rooms and webinars, so I don't anticipate this will happen
again.

Normally I'd wave this off as a childish prank, but both the URL and loading
screen prominently indicated the name of a major medical school, and the
contents of the presentation were proteins and chemical structures. Bombing
this meeting in particular seems to be in especially bad taste during a
pandemic.

~~~
Alupis
> Bombing this meeting in particular seems to be in especially bad taste
> during a pandemic

Either that... or it's a way to get high profile attention to blatant security
issues in a commonly used business meeting tool where sometimes sensitive
information is shared.

~~~
anigbrowl
Trolling is not a security advisory. If it were intended that way it would be
sufficient to hold up a sign saying 'warning, this meeting is not secure'.
Instead people are using it to abuse others. Stop making excuses for that
behavior.

~~~
mmhsieh
As a poor man's red team, the reward of being a jerk is the compensation paid
to the troll.

~~~
anigbrowl
No.

~~~
mmhsieh
Yes.

~~~
anigbrowl
No. That's an asshole's charter.

------
crazygringo
This is a feature not a bug, to make joining meetings frictionless. (And in
videoconferencing there's little distinction between meeting ID and password
anyways -- they form a single access credential.)

To prevent unwanted people from joining, the host simply has to turn on the
waiting room feature -- where people who have dialed in have to be explicitly
accepted by the host, which can be done individually or en masse.

Overall I'd say the system works pretty well.

~~~
wlesieutre
You could have a second access code included in the invite but not printed
right on the window in screenshots.

It would be similar to how a credit card number and CCV code are functionally
the same as one longer number, except that you don’t go writing the CCV code
alongside the credit card number, and that keeps it more secret.

Still not as frictionless as “anyone with the number can join,” but if this
continues to be a problem it might be worth doing.

~~~
topher515
I believe Zoom has the exact feature you’re describing—passwords for meetings.

[https://support.zoom.us/hc/en-us/articles/360033559832-Meeti...](https://support.zoom.us/hc/en-us/articles/360033559832-Meeting-and-Webinar-Passwords-?mobile_site=true)

------
pjkundert
I just set up passwords on Zoom rooms for a little room automation project I'm
building. There's no drawbacks; you can send out a link that _includes_ the
password, so nobody gets left out (no matter how technically challenged). And,
someone who "stumbles upon" the room can't just get access.

All in all, Zoom has done a _lot_ of things right, given the extremely
challenging competitive environment they're in.

~~~
bostonvaulter2
Is including the password in the link always enabled? If you're looking at a
link is there a way to tell if it has a password or not? I've had issues in
the past where people with the link were unable to join since they didn't know
the password.

~~~
rmccue
Yes, it has a ?pwd query string (which appears to be a base 64 encode of the
password)

~~~
eat_veggies
The pwd parameter is always 32 characters long, so I assume it's either a hash
or a random nonce, rather than a direct encoding of the password.

------
ljm
Zoom has open conferences by default. Even if you host one on your business
plan, anyone who has the number can dial into it. You could be paying a
shitload of money for that, including their 'Zoom Rooms' where they fit out
your meeting room with cameras and mics and their special app... and any
fuckwit can dial in if they grab the phone number, which is also a US-based
one.

I don't like to join company calls on an anon or personal account but Zoom
makes absolutely zero effort to identify who you are and even if you're
welcome. Most of the time I drop out and re-join under my corporate account. I
cannot force other people to do the same, and their settings UI is insane.

By all accounts, Zoom deserves this intense scrutiny and I hope they take it
seriously. All I see them trying to do is get their software on as many
machines as possible.

~~~
luckydata
I had a quick feedback call set up by a common investor with Eric, Zoom's CEO
a few years ago. I remember I pointed out a few of those issues, and his reply
was that the only problem he could see with the app was that it wasn't "pretty
enough" and it needed new icons.

I hope Eric is learning something from this situation and will pay more
attention in the future, every business gets those moments, maybe not that
publicly.

~~~
solidasparagus
Seems like Zoom was right that they were better off focusing on the UX aspects
over the privacy ones?

~~~
luckydata
If you stretch the definition of UX and ignore the clear lesson in this story,
sure.

~~~
solidasparagus
What clear lesson? Zoom is not in a bad situation right now.

------
guessbest
They don't implement security by default to gain traction, both the service
and the user groups. The expected happened unexpectedly.

~~~
brianpan
The inevitable happened expectedly?

~~~
guessbest
I believe Chief Technology Offices will be reformed as Chief Security Offices
since so many features are built-in that automated common sense is what sells.

------
jacquesm
It's a pretty low bar for the word 'break'. By the same token you could walk
up to a bunch of people in a restaurant and start yelling at them while
they're having dinner. That's also not a break. It's just a nuisance and proof
that you're a jerk, and if you did it in person you'd likely end up with some
dental work.

~~~
DarkWiiPlayer
Except users don't realize that. They think they're sitting in a locked room
that nobody else knows about, when in reality they're sitting at a restaurant
table and most people just don't care to go bother them.

------
Wowfunhappy
I know it's beside the point, but who are these people heartless enough to
break into Alcoholics Anonymous meetings to tell them how good Alcohol is?

There isn't even any monetary benefit. Who the heck thinks this is funny?

~~~
zionic
4chan

~~~
Wowfunhappy
I should have phrased that differently.

I know it's largely parts of the 4chan crowd. But _who_ are those boards? Why
are the people who go there so nuts?

Do you ever wonder if you've unknowingly met these people in real life?
Chances are we all have, right? How do they manage to be _so terrible_ and
then go on with their lives?

~~~
snazz
I recently finished reading _We Are the Nerds_, which is about the history of
Reddit (the company) and its community. One of the interesting parts was about
the moderator of a bunch of subreddits that were full of all kinds of
borderline illegal and definitely illegal content (u/violentacrez, if you feel
the need to Google for yourself).

If you're a long-time Reddit user, you probably already know this, but here
goes: He was eventually exposed by a journalist. Surprisingly, he is actually
a pretty normal middle-aged man. He worked as a programmer (and was
immediately fired when the news aired). He has a disabled wife for whom he is
the sole financial support. If I remember correctly, he has adult children,
who were aware of what he did on Reddit and had usernames that referenced
their relationship with him. Apparently, he used his time on Reddit as a way
to relieve stress, or something like that.

I'm not entirely certain what motivates people to act like that online when
they're relatively normal offline, but it seems to be a somewhat common
occurrence.

~~~
gnulinux
> I'm not entirely certain what motivates people to act like that online when
> they're relatively normal offline, but it seems to be a somewhat common
> occurrence.

Anonymity probably?

I'm a pretty normal dude offline, your average American programmer. On reddit
I'm in all socialist/communist subreddits talking about revolution 24/7.
Intellectually I agree with intersectional Marxism, but I don't feel
comfortable enough to discuss these in real life, and I don't care enough to
(or am too lazy to) act upon these ideas in real life. So, when I go to reddit
I become "a different person", not because I try to be this person, but the
comfort of anonymity allows me to express my ideas easier.

------
throwaway5752
Zoom lets you require passwords or require the host admit guests in meeting
settings. This is the same as anything else you might find on Shodan. Secure
defaults hurt mass adoption, and insecure defaults result in this. Zoom is
part of one of our oldest industry traditions in this respect.

------
freepor
The fact is that with these meeting/group products, the one that makes it
easiest to join is the one that succeeds, because there's always one bozo who
can't figure out how to type a password, so there's an incentive towards
insecure product behaviors.

------
mikorym
I think the progression here is "Zoom has privacy concerns" -> "Zoom operates
like macOS malware" -> "Zoom gets trolled".

~~~
majormajor
No, this has been ongoing. For instance, from six days ago:
[https://www.latimes.com/california/story/2020-03-25/zoombomb...](https://www.latimes.com/california/story/2020-03-25/zoombombing-usc-classes-interrupted-racist-remarks)

The progression is "People start doing a ton of things over an insecure
system" -> "trolls start harassing people". This isn't some sort of reaction
to anything about Zoom the company or the software.

------
csunbird
This is like the 5th topic about Zoom today.

~~~
Uehreka
When your product goes from being "a videoconferencing tool used in some
workplaces" to "the primary way people communicate and gather for personal or
professional reasons", it makes sense that there will be a lot of stories
about it (good, bad and neutral) in the press.

~~~
slg
> "the primary way people communicate and gather for personal or professional
> reasons",

I would be curious to see an article about why this happened? Is Zoom better
than their countless competitors? They all seem pretty similar in my
experience so why is it Zoom that is blowing up because of this and not any of
the other companies?

~~~
Uehreka
Part of it is that, (at least in my experience, maybe this has changed) Zoom
can scale to a couple hundred people in a way that tools like Google Hangouts
can't.

But like, if we're being honest, it probably has a lot to do with how easy it
is to start a Zoom call and invite people. You can host a 40 minute meeting
for free. No one needs to sign up anywhere. It's super easy to install but
also works in the browser if you can't install it. Computer on the fritz? You
can call in from your phone. And yeah, they've also used some dirty tricks to
make it as easy as possible, and some of those measures (like the auto-
reinstall thing) were probably unnecessary. But they've clearly focused on
being super super easy to start using, and when their moment came they were
primed to seize it.

Last weekend my family had a "month's mind mass" in memory of my grandfather
who passed a month ago. We were able to get dozens of people, many of them
very non-technical, into the call, and we started basically on time. There was
no "it doesn't work on my old phone" or "you mean I have to sign up for
gmail?" or "whoops I couldn't get in because I signed in with my work email".
That's why Zoom is winning the game right now.

~~~
ThePowerOfFuet
It doesn't work for shit in the browser; it's deliberately crippled (compare
browser-based Zoom to Google Meet or Whereby).

And even then the browser interface is hidden behind multiple attempts to make
you install and use their client instead.

~~~
dylan604
Zoom tells me my browser isn't modern enough and that I should use Chrome. Even
in Chrome they still push to install their app. Thanks, next.

------
yoda222
Several people in other comments explain that you could have a password
protected session, or a session in which users must be waiting in a lobby
until someone approves their admission. This seems pretty normal, and I think
here Zoom may not be able to do much more.

But I have the feeling that this is difficult in practice to use for an AA
meeting. I'm actually lucky enough not to have the need to participate in
such a meeting, but from what I understand of it, the anonymous part is
important, as well as the possibility for newcomers to participate. I doubt
for these reasons that AA meeting groups have a list of clearly identified
participants, to whom they can send a password protected link, or that they
could use such a list to check that people are part of the group.

Unfortunately, I'm not sure that this kind of problem can be fixed
(technologically. On the non-technology side, we could hope for a world without
assholes, but that's only a dream)

------
kzrdude
Why has Zoom picked up so much? Hangouts, Skype, Facebook all are established
with video group calling functionality.

~~~
mlyle
Few things that are "free" handle massive numbers of participants well. Yes,
Skype for Business etc can, but those options are commercial. There's also
less usable, obscure stuff that does OK.

~~~
orthoxerox
Skype for Business is a dumpster fire. We use it at work and it's terrible at
graceful degradation, even for voice.

~~~
kzrdude
Skype for business + outlook integration doesn't even manage to handle chat
history correctly, not without glitches that lose you the history for chats
ever so often. Not fit for purpose.

------
overgard
I'm not really sure this should be called trolling, it's more just
harassing/bullying/trespassing. When I think of trolling, at least when it's
done well, it's more taking on overly self serious people to get a funny
reaction (even if it's obnoxious). It's like a cousin of pranking, it
shouldn't be cruel. There can be cruel pranks of course, but that's not the
fundamental nature. Like Ken M leaving really oblivious comments on
Facebook, or Something Awful forum members joining an online game chatroom as
a weird cult ("the path is grey" :D ). Weird, funny, mostly harmless. I mean
things like that are obnoxious sometimes but they can be funny and work as
satire or social commentary. There's no cleverness to this.

(probably the wrong thing to write on HN since this place is uh not known for
its sense of humor)

------
dewey
Zoom’s CEO says they are going to fix it and change the defaults:
[https://twitter.com/ericsyuan/status/1245110791772073985?s=2...](https://twitter.com/ericsyuan/status/1245110791772073985?s=21)

------
k__
I broke into a meeting by accident once.

Someone sent me a meeting URL and I clicked it, to see if everything was
right.

Little did I know that people just get one Zoom URL for ALL of their meetings.

~~~
auscompgeek
Each meeting gets its own ID. Of course, nothing prevents someone from reusing
a meeting ID though.

------
alexcpn
Happened to my elder sister, who is a teacher hosting video classes due to
lockdown in India. Some idiots think it is fun, and the worst thing is that
they put a video grab of this on their YouTube channel - themed disruption or
something - to drive traffic - yuck, the state of minds! And those who follow
such channels. (It is reported to the local cybercell, but it left my sister, who
is a bit older to all this technology, very rattled)

------
sys_64738
The news stations here are saying make your zoom session private and make sure
desktop sharing is host only.

------
buboard
This happened repeatedly and badly in a conference with 2500 people. The root
of the cause was that Zoom invite links, by default, contain the password,
which then people share, making the password useless. Otherwise it worked
great.
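
An added example (not part of the thread, and not Zoom's code) for the point above and for the earlier question about telling whether a link carries a password: it checks an invite URL for the `pwd` query parameter mentioned in the thread, tests whether the value is plain base64 of printable text, and returns a copy with `pwd` removed for posting in public places. The host name, meeting IDs and `pwd` values are constructed samples.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample links; host, meeting IDs and pwd values are made up.
SAMPLE_OPAQUE = "https://meet.example/j/1234567890?pwd=q83vT1k2Rmx6WHBhQ2dVbnJZd0s5ZEpL"
SAMPLE_PLAIN = "https://meet.example/j/1234567890?pwd=aHVudGVyMg&from=invite"
SAMPLE_NONE = "https://meet.example/j/1234567890"


def decodes_to_printable(token):
    """True if token is valid base64 whose bytes are all printable ASCII,
    which is what a direct base64 encoding of a typed password looks like."""
    normalized = token.replace("-", "+").replace("_", "/")  # accept URL-safe form
    padded = normalized + "=" * (-len(normalized) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and all(0x20 <= b < 0x7F for b in raw)


def inspect_invite(url):
    """Report whether an invite URL embeds a pwd value, and build a copy
    of the URL with that parameter removed."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    pwd_values = [value for key, value in query if key == "pwd"]
    kept = [(key, value) for key, value in query if key != "pwd"]
    redacted = urlunsplit(parts._replace(query=urlencode(kept)))
    pwd = pwd_values[0] if pwd_values else None
    return {
        "has_pwd": pwd is not None,
        "pwd_length": len(pwd) if pwd is not None else 0,
        # False for an opaque token such as a hash or random nonce
        "decodes_to_text": decodes_to_printable(pwd) if pwd else False,
        "redacted_url": redacted,
    }


if __name__ == "__main__":
    for link in (SAMPLE_OPAQUE, SAMPLE_PLAIN, SAMPLE_NONE):
        print(inspect_invite(link))
```

A link redacted this way only admits people who also receive the password through another channel, so the two should not be posted together.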

------
dzonga
If FB didn't have privacy nightmares. They're well equipped to provide the
solutions to the enterprise market, given that they probably have the most
stable live video platforms which could be modified to support secure meetings.

~~~
consultutah
Right now zoom is going through a honeymoon phase. Only us geeks care about
its security and privacy. After this is over though, people will start
thinking it through and things will look a lot more like how Facebook is
viewed right now...

~~~
solidasparagus
I'll happily trade my privacy for a video call that works properly. None of
the various Zoom issues have been privacy problems that I really care about.

------
spsrich2
Making fun of people in AA. Beneath contempt.

------
thrownaway954
my homegroup switched over to zoom a couple of weeks ago and i have to say, i
love it. like most of you, i'm sitting all day and to be able to join in an aa
meeting while walking outside is AMAZING! i can finally get some exercise and
not feel like i have to sacrifice one or the other.

to the people of zoom, thank you for making this time in our life a lot more
pleasurable.

------
CobrastanJorji
Ah, that is problematic. I saw a documentary on Netflix about the British IT
crowd. They were not an impressive bunch.

~~~
rmason
You're not referring to this show perhaps are you?

[https://en.wikipedia.org/wiki/The_IT_Crowd](https://en.wikipedia.org/wiki/The_IT_Crowd)

It is of course a comedy. The Brits in IT that I've met can compete with
anyone on the planet.

~~~
bschwindHN
Yes that is the joke.

------
strategarius
4chan has existed for like 20 years or something. Has anyone ever thought about a
legal way to shut it down and lock up a couple of admins? I'm sure their stupid
troll raids cost billions since it started.

~~~
cc-d
> Has anyone ever thought about a legal way to shut it down and lock up
> a couple of admins?

Why on earth do you feel like this is an appropriate response to some people
joining random zoom meetings?

------
Wmamouth
Crashing random online classes:
[https://youtu.be/wUQJvBreues](https://youtu.be/wUQJvBreues)

I must say, this was pretty well done.

~~~
megous
Not bad. Actual zoom calls start at around the middle of the video.

