
Zoom Has a Dark Side – and an FBI Warning - jonbaer
https://www.npr.org/2020/04/03/826129520/a-must-for-millions-zoom-has-a-dark-side-and-an-fbi-warning
======
crazygringo
The ability for someone to crash your Zoom meeting was _extensively_ discussed
here yesterday, and Zoom already has all the necessary tools to prevent it,
but people aren't necessarily aware of them:

[https://news.ycombinator.com/item?id=22762173](https://news.ycombinator.com/item?id=22762173)

But a fear-mongering article like this has no place on HN. A "dark side"? "FBI
warning"? This is pure propaganda and sensationalism -- that if someone joins
your unprotected Zoom meeting, they can stream whatever they want (obviously)
which could include pornography.

You might as well issue an FBI warning about phones because someone can
randomly dial you and say gross stuff.

I don't have a problem with HN articles about legitimate security concerns
around a newly popular tool, but linking it to pornography is pure
fearmongering at its worst.

This article doesn't deserve to be here.

~~~
zaroth
Just today it comes out that _Safari_ would let sites silently spy on users
through the camera and microphone.

Orders of magnitude worse than anything Zoom ever did. Will it be reported
with the same level of hair rending?

~~~
hairofadog
You’re right that that’s bad. For me it comes down not to mistakes but to
intentions. I might be wrong, but it seems like it’s in Apple’s DNA to do
their best to provide privacy and security, while Zoom so far seems to me to
have a Facebook-like “growth at all costs” mindset. I can forgive mistakes –
every tech company (and all humans) will make them – but their shenanigans
with the installer, for example, seem less like a mistake than a decision
made with bad intentions.

That said, I also agree with some of the sentiment here that it feels like
there are a dozen articles per day posted about Zoom that are nothing more
than hyperbole or worse, simply an aggregation of links to articles posted
earlier in the week. I say this as someone who has argued against Zoom being
used in my workplace and who refuses to install it on my machine (I use it
through Chrome): I’ve simply started to roll my eyes each time I see a new
Zoom post.

~~~
zaroth
I agree with everything you wrote. The salient point for me is that it’s no
longer a question of the technical merit, it’s just a political judgement
against Zoom being Good or Evil.

It’s easy for technologists to forget that video-conferencing was terribly,
horribly broken not because of some terribly difficult technological
challenge, but because the average user simply couldn’t get it to work.

Security always involves either bootstrapping of an existing trust, or some
level of ease-of-use trade-off.

For example, the calculus for “I need this meeting to start on time” and “My
meeting password needs more entropy against brute force attacks” necessarily
comes down on the side of starting the meeting in most threat environments.

But in the end I just don’t see Zoom as the evil empire, and I’m deeply
suspicious of articles which try to convince me otherwise. I’m not sure where
your perception of “growth at all costs” comes from.

From what I can tell, they make one of the best conferencing products on the
market in terms of quality and usability. I think the privacy and security
issues are significantly overblown.

For example, why refuse to install their client software? It seems highly
unobtrusive, it’s not malware, nor spyware, nor adware... it doesn’t ever nag
me or get in the way, or randomly start sapping CPU or give annoying update
prompts. It’s quick and simple to install and uninstall. Overall it seems
nicely written.

I see the “dirty tricks” they had to pull to make their install simpler
overall as reasonable hacks aimed at improving their end user experience and
increasing the percentage of users who are successfully able to get into a
meeting.

Again, I think we tend to underestimate how hard using computers can be for so
many people. Making video conferencing accessible to quarantined populations
is pretty crucial right now.

Zoom doesn’t have a monopoly position to leverage like some do to pre-install
their product on billions of devices. So they need every little bit they can
find to make onboarding fast and easy.

They screwed up on their marketing of end-to-end encryption and should be
fined by the FCC for that. I never saw that marketing claim, but nor would I
stop using their product knowing that it’s not decentralized.

------
netflixandkill
This has been a better study of media behavior than investigation of zoom.

Apparently there isn't enough going on in the world so every outlet feels the
need to repeat previously disclosed information with less detail and more
pearl clutching. At least npr was decent enough to link to some of the better
sources.

Meanwhile we still get another few potential RCEs in Windows every month and
the same editors are like "whatcha gonna do, bill gates amirite."

~~~
Loughla
It's attacking the 'new' leader. Windows had its moment in the sun, in terms
of shitty practices. I remember when Bill Gates's philanthropy was attacked
because he did such shitty things at microsoft. Hell, M$ is still an
appropriate abbreviation of that company in some places.

Now it's zoom, last year it was facebook, next year it will be someone else.
Don't know what value this comment adds, just an observation.

------
withinboredom
I don’t understand this bashing of a fairly good tool. There are worse tools
(when it comes to privacy, especially when it comes to privacy)

~~~
s_dev
It's because people are insisting on its use.

e.g. College Lectures giving online lectures. Employers hosting meetings.

Normally you pick software to your preference but things like social media
have strong network effects. This is the battle that's being fought.

If you're going to make me use something I'm going to push back if it's not up
to scratch. Otherwise I wouldn't care.

~~~
Loughla
But it is being used because of the networking effect. Just to speak from
higher education - do you think colleges had zero connection to zoom before
this?

Anecdotal, sure, but I'm betting it's a good indicator - I work at a small,
small, small, under-resourced community college in 'average' America. Zoom has
been a thing on our campus for at least two years. We never really used it,
because we didn't _need_ to. Until about three weeks ago.

We chose it during our crisis planning sessions, because they were already in
our space. They got in our space years ago through clever partnerships and
integrations with our learning management system (online course delivery
platforms). They were the 'preferred provider' according to the LMS teams,
both on campus and nationally. They have automatic integration with our
accessibility tools for live transcriptions/captions and interpreting. They
were the suggested provider by our professional organizations related to
disabilities, under-represented students, and ease-of-use technology.
Therefore, we use them exclusively now.

Students never saw any of that back-end conversation, because it is literally
irrelevant to their experience. But it was there, and it 100% impacted our
conscious choice to move to zoom for live meetings.

If we were targeted for all of this, with a student population of <2000, I
guaran-damn-tee larger institutions were.

------
acmdas
So far, those open AA meetings had all their access tokens advertised on the
web - as open AA meetings do. Yes, there's a "WarDialing" app that can find
Zoom calls, but I've seen no reports of calls that had passwords set being
accessed or bombed. I don't follow the big media that much, but looking at the
other links on the page, NPR seems to be in major "Hair's On Fire" mode - is
that typical? I guess that's how to get clicks.

~~~
Loughla
Generally NPR is slower and cleaner in their reporting (except when it comes
to fair coverage of political candidates). This is disappointing.

------
dumbfounder
Schools seem to be moving away from it in droves, warranted or not. My 5-year-old
has a whole-class zoom today and if someone nefarious dropped by it would be
seriously bad news. The teacher said this is the last one though before they
move to MS Teams. Yes, they could just lock it down, but that is onerous for a
big group (I am guessing, haven't tried it), and also the teacher wouldn't
feel confident about it without experience. Which they won't get because DC
public schools has already sent out a memo recommending to discontinue usage.

------
selimthegrim
Is William S. Sessions coming for all of us now?

------
microcolonel
This is really hammed up by NPR. The "FBI warning" is more or less "don't use
open calls if you don't want random strangers to enter your call".

A couple days ago, more scrupulous reporters were able to explain this
succinctly and help people avoid it.

Yes, Zoom should amend their bug bounty policy to allow for responsible
disclosure, rather than _non-disclosure_, but it's not like they're alone in
that failing, nor most of the other failings involved in this dogpile.

I like it when vendors are held to account, but the way that this has been
reported over the last few days has seemed like more of a shakedown than a
genuine consumer reporting effort.

