
Zoom 5.0 - throw0101a
https://zoom.us/docs/en-us/zoom-v5-0.html
======
fossuser
Looks like a good update and they're moving in the right direction.

I think this should fix the main issues people have had with them (at least
the most public problem with 'zoom bombing').

There's not much they can do about having all their development in China, but
at least their focus on security otherwise seems to be paying off.

###

Quick Feature Summary:

- Mandatory GCM encryption requires Zoom clients to upgrade to 5.0 by May
30th [0]

- Hosts can prevent screenshare, chat, user renaming

- Hosts can report users to Zoom’s Trust & Safety team, who will review any
potential misuse of the platform and take appropriate action.

- All hosts may now turn on the Waiting Rooms while their meeting is already
in progress.

- Lock your meeting after everyone has arrived to prevent any unwanted
disruptions.

- The host may remove a participant and they will be unable to re-enter the
meeting.

- Waiting Room enabled by default

- Complex Meeting IDs

- Meeting passwords are now more complex and enabled by default

- Meeting Registration and Authentication (require email
registration/restrict meetings to preset profiles)

- All cloud recordings are encrypted with complex passwords on by default.

- Audio Watermarks/Screen Share Watermark (help prevent leaks)

- Message Preview Options (Users can now enable Zoom Chat notifications to
not show chat content while screen sharing.)

- Host or account admin can disable the ability for participants to show
their profile picture or change it in a meeting.

- Hosts can now select which data center regions they would like their
in-meeting traffic to use when scheduling a meeting, and participants can see
which data center they are connected to by clicking on the info icon at the
top left of the client window.

- Zoom 5.0 supports a new data structure for larger organizations, allowing
them to link contacts across multiple accounts so people can easily and
securely search and find meetings, chat, and phone contacts.

[0]:
[https://en.wikipedia.org/wiki/Galois/Counter_Mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode)

~~~
beefee
> There's not much they can do about having all their development in China,
> but at least their focus on security otherwise seems to be paying off.

They could start moving their development to the US. There are plenty of
successful software companies in the US. There's a good ecosystem, a huge
amount of talent, and tons of enthusiasm about their problem space.

What they can't do anything about is the trust they lost by misleading their
customers about their security model.

~~~
thedudeabides5
Dev team is different than actual server location.

Anyone know if they're still passing non-China video data through mainland
China servers? Unclear from this.

~~~
moltar
They aren’t. They fixed that almost immediately. They said it was just a
misconfiguration.

------
dddddaviddddd
Most dystopic feature:

> Audio Watermarks: Turn this on to embed a user's personal information into
> the audio as an inaudible watermark if they record during a meeting. If the
> audio file is shared without permission, Zoom can help identify which
> participant recorded the meeting.

~~~
elldoubleyew
I wonder how they are doing this. Wouldn't a low quality recording render this
fingerprint invisible?

~~~
grenoire
I wonder if it can be filtered out, on the other hand. Does anybody have
knowledge on audio fingerprinting/watermarking? Or is it perhaps security
theater?

~~~
banger180
My guess is that it is mostly a security through obscurity thing for now, we
do not know exactly how they mark the audio. When someone figures this out I
believe that it should be possible to filter this out.

It would be interesting if they found a way to watermark the audio in such a
way that removing the mark makes the audio unusable.

~~~
slezyr
Just compare two records from two different users.

------
ponsin
A few weeks ago they required login to join a meeting from the browser. This
makes it harder for older people who I like to talk to. Since then I have moved
to jit.si. The quality is slightly lower, but it is much easier to use.

~~~
skinnymuch
Jitsi is much worse in a number of ways. If you use it casually with small
crowds then it’s prob fine. Otherwise the pains of Jitsi are huge for the year
I had to use it a lot.

------
fidla
I'm very concerned about the China connection. There has been zero analysis of
what they actually look at and how they use the data.

~~~
Awtem
According to their 10-K filings, Zoom has more than 700 heads in RnD in China,
and about 5 subsidiaries in China IIRC, but none of those are listed as
subprocessors of personal data, which I, personally, find somewhat hard to
believe.

------
dybber
Nice to see all the security improvements, however, the new UI seems less
crisp, the fonts have become much more blurry, with too much anti-aliasing
going on. Also the up-arrows for audio/video settings have been made much
smaller and thus harder to hit - you will mute yourself rather than opening
the audio settings.

~~~
dybber
The font smoothing/antialiasing problem is not everywhere, which makes it look
even weirder. See this dialog for instance:
[https://i.imgur.com/L5S8Tqn.png](https://i.imgur.com/L5S8Tqn.png)

Where the text "0 participants per room" has had too much anti-aliasing
applied.

------
j7ake
There was discussion before that Zoom had serious security issues. Have these
been fixed in the new version of Zoom? E.g. would companies that previously
banned Zoom now allow Zoom 5.0?

E.g. some previous issues with Zoom:
[https://news.ycombinator.com/item?id=22736608](https://news.ycombinator.com/item?id=22736608)

------
terrywang
Not a security expert but deal with PKI (openssl, openssh, etc) /
OpenPGP/GnuPG a lot on a daily basis, I just don't understand why Zoom would
let their marketing people put a buzzword like `GCM Encryption` on such an
important landing page, not nitpicking, seriously...

At least, use AES-256 (mode can be optional as most people don't even know
what GCM XTS CBC stands for).

~~~
DonHopkins
Because focus groups liked the sound of "GCM Encryption". Be glad they didn't
slap on a bunch of Trim Level Designators like "GCM LX Sport Encryption CE".

[https://www.liveabout.com/glx-gls-se-si-lx-what-do-they-
mean...](https://www.liveabout.com/glx-gls-se-si-lx-what-do-they-mean-4083747)

[https://en.wikipedia.org/wiki/Trim_level_(automobile)](https://en.wikipedia.org/wiki/Trim_level_\(automobile\))

------
andruby
Why are they touting "GCM encryption" without explaining what that means? Do
they mean "Galois/Counter Mode" [0]? If so, _why_ is that better than the
encryption they were using before?

[0]
[https://en.wikipedia.org/wiki/Galois/Counter_Mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode)

~~~
jsmith12673
They were using ECB mode before
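
Added example, not part of the original thread and not Zoom's code: the ECB versus GCM difference raised in the two comments above, shown with Node.js's built-in crypto module. `KEY`, `AAD` and `PLAINTEXT` are constructed sample values; the point is that ECB leaks repeated plaintext blocks and accepts modified ciphertext, while GCM hides repetition and verifies a tag.

```javascript
// Added illustration (not from the thread): AES-ECB vs AES-GCM, Node.js built-in crypto.
const nodeCrypto = require('node:crypto');

const KEY = nodeCrypto.randomBytes(32);            // constructed sample key
const AAD = Buffer.from('meeting-id:constructed'); // constructed header, authenticated only
// Constructed plaintext: three identical 16-byte blocks, then one different block.
const PLAINTEXT = Buffer.from('SILENCE-FRAME-00'.repeat(3) + 'SPEECH--FRAME-01', 'ascii');

// Number of distinct 16-byte blocks in a buffer.
function distinctBlocks(buf) {
  const seen = new Set();
  for (let i = 0; i + 16 <= buf.length; i += 16) seen.add(buf.subarray(i, i + 16).toString('hex'));
  return seen.size;
}

// ECB: every block is encrypted independently with the same key, no nonce, no tag.
function encryptEcb(key, pt) {
  const c = nodeCrypto.createCipheriv('aes-256-ecb', key, null);
  c.setAutoPadding(false); // sample input is already block-aligned
  return Buffer.concat([c.update(pt), c.final()]);
}

// GCM: counter-mode encryption plus a 16-byte authentication tag over AAD and ciphertext.
function encryptGcm(key, pt, aad) {
  const nonce = nodeCrypto.randomBytes(12); // must never repeat under the same key
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(pt), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the tag does not verify.
function decryptGcm(key, msg, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.nonce);
  d.setAAD(aad);
  d.setAuthTag(msg.tag);
  try {
    return Buffer.concat([d.update(msg.ct), d.final()]);
  } catch (err) {
    return null; // modified ciphertext, AAD, nonce or tag
  }
}

const gcm = encryptGcm(KEY, PLAINTEXT, AAD);
const flipped = { ...gcm, ct: Buffer.from(gcm.ct) };
flipped.ct[0] ^= 0x01; // single-bit change in transit
console.log('ECB distinct blocks:', distinctBlocks(encryptEcb(KEY, PLAINTEXT)));
console.log('GCM distinct blocks:', distinctBlocks(gcm.ct));
console.log('GCM accepts modified ciphertext:', decryptGcm(KEY, flipped, AAD) !== null);
```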

------
dreamercz
I was hoping a new major version would help me fix the problem I have with the
Zoom desktop application on Xubuntu. Every time I join a meeting, the entire
desktop starts lagging. Sadly, this update did not help.

------
ojilles
"How was your experience?" [Great] / [Had issues]

So infuriating. And yes it disappears by itself after a while, but no, I do
not need that dialog box.

Anyone know how to turn that off?

~~~
JadeNB
It's a setting that's exposed on the website ("Feedback to Zoom"), but, at
least for my licence, it's locked. Incidentally, I am able to close the box,
rather than just waiting for it to go away, in case that's better.

------
judge2020
Thankfully the major version update doesn't mean a completely new UI, which
would have cut their userbase in half.

------
jedisct1
"GCM encryption". What? o_O

------
diebeforei485
Still no Mac App Store version? Sigh...

~~~
welder
Probably due to the Apple tax.

~~~
saagarjha
No, it's probably because then the app would need to be sandboxed and they
wouldn't be able to justify their insane Hardened Runtime exemptions.

------
sinatra
Can Zoom stop logging me out from current computer (while I'm using Zoom) just
because there's another computer on standby where I forgot to log off Zoom
(and I'm not in any Zoom call on that computer)?

~~~
skinnymuch
Hah finally a criticism for Zoom I can immediately relate to and is really
frustrating. Why log me out like you said if I’m not in a call?

------
SlowRobotAhead
Real end to end encryption? No? Must be a hard problem that other people have
solved.

~~~
thekyle
To my knowledge there is no zoom competitor that has end to end encryption and
allows people to join a call from landlines.

~~~
jxy
bluejeans? Skype for business? Webex?

~~~
bearcobra
All those services don't encrypt connections if they include PSTN phone calls
or other features. Example:
[https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-E...](https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-Encryption-Do)

------
BrowserMeeting
Some of these features sound like anti-security and definitely anti-privacy
features. Will definitely make you think twice about having a “private”
meeting on Zoom if they’re going to embed my email on a screenshot someone
else takes. Great way to get a meeting organizer's email...

> Screen Share Watermark Superimposes the image of a meeting participant’s
> email address onto shared content in the event a participant takes a
> screenshot.

~~~
WhyNotHugo
I wonder how Zoom determines if a screenshot is taken.

On Linux/Wayland at least, there's no API for an app to determine that this is
happening. So they'd have to show the watermark all the time.

~~~
diebeforei485
Likely by detecting certain keystrokes (that's what Snapchat does on iOS for
example). Idk if there are other ways on macOS or Windows.

~~~
KMnO4
There is an API on iOS: UIApplicationUserDidTakeScreenshotNotification

[https://developer.apple.com/documentation/uikit/uiapplicatio...](https://developer.apple.com/documentation/uikit/uiapplicationuserdidtakescreenshotnotification?language=objc)

~~~
diebeforei485
I was not aware of this - thank you!

