
GoogleMeetRoulette: Joining random meetings - yowie
https://www.martinvigo.com/googlemeetroulette
======
sbr464
I recently had a sales call with a potential vendor (they were a startup).
They used the same number and meeting code for all of the meetings. I had
accidentally called in about 10 minutes early and was dumped into another
conversation, and heard the other potential customer talking. It was odd how
insecure and weird it was. I think this is a potential issue for all meeting
services.

~~~
sbr464
I also mentioned it to the sales guy, but he was unfazed, which I think shows
a lack of respect for customer privacy, even though he probably didn't realize
it.

~~~
wild_preference
You keep responding to your own post. Curious why you thought this was
appropriate or necessary.

------
martyvis
> "I would claim that nobody pays attention or verifies that there are no
> unexpected attendees before starting a meeting, specially for longer ones."

I know for our work Skype for Business meetings we interrogate unidentified
guests and boot them if they fail to appropriately identify themselves.

I have thought that long-running recurring meetings are a security risk because
of the use of the same PIN.

~~~
felipelemos
When you have a long list of attendees in a large organization, it's almost
impossible to do that with everyone.

~~~
TallGuyShort
To use calculus as an analogy, as the number of people in your meeting
approaches infinity, the confidentiality of that meeting approaches 0 anyway.
You may still verify everyone's identity, but someone is going to be leaking
enough information that it's close enough to just having a lurker who
shouldn't be there.

~~~
mLuby
Could add breaks where key information is given that's slightly different for
each participant.

Mole-Hunter-As-A-Service™

~~~
redler
How about a security feature designed by old computer game aficionados? Every
fifteen minutes there's an enforced break. Hold music begins playing. After a
moment the music fades and a synthesized voice says "Turn to page...23...of
your employee manual. In the...third...paragraph, note the...first...word.
Enter the first three letters of that word using the keys on your touchtone
phone, and you will rejoin the meeting."

------
djhworld
That was a wonderful read, thank you.

The post mentions that Google made some fixes and reverted them due to
customer complaints, do we know what those fixes were? Have they fixed the
issue?

~~~
timdavila
It looks like they fixed the brute forcing PIN issue. When I set up a new
meeting, the phone-in PIN is 9 digits long (compared to the 4 mentioned in the
article).

However it seems the recurring meeting number+PIN doesn't change. I feel this
is a better UI, and only a minor risk with an easy workaround - update the
meeting - which you would probably do anyway to remove the attendee who is no
longer included.

~~~
kxrm
I just tested this since we use Google Meet. You can open an existing calendar
event and remove the Google Meet details and recreate them. Seems to give you
all new PIN and meet address.

------
PeterStuer
I can't be the only one that thought many meetings could be improved by a
random person joining a meeting and asking some obvious questions from outside
the company bubble.

~~~
hohenheim
Reading the title I had the complete opposite expectation, thinking that he
is talking about a system where you want to have a meeting with random people to
talk about business.

------
rb808
What I'd love for every voice conference was an online screen with a list of
everyone dialled in (caller ID based). It would be good for security but even
better would be a little noise level meter on each line so you can see which
%%%%er is heavy breathing all the time.

(also a choice of on hold music would be nice but that is just dreaming)

~~~
dfee
I think UberConference does all of that.

~~~
sunsetMurk
Yup. Uberconf is my go-to, and they have a decent free tier.

------
nojvek
I do this all the time with BlueJeans. If you mute your speaker and mic, the
other party doesn’t even easily know you’ve joined.

Most of the time, random codes failed but once I managed to accidentally dial
into a Facebook meeting.

Fun times!

------
martinald
Slightly OT, do you have to be on G Suite enterprise to get intl dial in
numbers to show up? It'd be great to have that but it just shows US numbers
for me in the UK.

~~~
giovannibajo1
Yes, and that's really unfortunate. Doubling the cost of G Suite to get intl
numbers is a hard sell, but US numbers basically make the feature completely
unavailable for many people.

~~~
martinald
It's actually 5x the cost. $25 vs $5/month for basic.

------
spectaclepiece
Felt just like reading about Kevin Mitnick's adventures. Such a brilliant piece
of work this.

------
foobaw
How much was the bounty for something like this?

~~~
hsk0823
Why would there be a bounty on basically a brute force attack?

~~~
femto113
Felt legit to me. Sites can, should, and do take steps to mitigate brute force
attacks, his approach showed some shortcomings in those steps, e.g. they
already only allow 3 bad PINs per call, but he showed that by hanging up
immediately after the 3rd bad PIN they make it relatively trivial for the
attacker to detect the failure. He also demonstrated that due to the partial
phone number masking in the UI the attack could be done from an apparently
trusted phone number.

------
sephware
I'm intrigued by this idea of random-socialization online. Obviously the sites
like this have thus far catered more towards sexual content, but I feel like
there's huge potential for online streaming socialization that Twitch and
Discord haven't fully tapped. I can't put my finger on what, but there have
been nights I just want to hop online and meet random strangers to talk about
common interests. Kind of like going to a bar to meet people, but with a
higher chance that they'll be interested in the same things as you, so a cross
between going to a bar and coming to HN to discuss interesting things.

~~~
Joeri
ICQ used to have this in the late 90's. You could find random people on the
network based on what they filled out in their profile and start chatting with
them. I live in Europe and made a friend in South Africa that way, who I ended
up visiting a few years later.

Of course, you couldn't do this nowadays because abusive people would show up
and ruin it for everyone. I don't know why they didn't back then.

~~~
shobith
> Of course, you couldn't do this nowadays because abusive people would show
> up and ruin it for everyone. I don't know why they didn't back then.

People who had early access to Internet (or any tech) were more likely to be
nerds.

~~~
TallGuyShort
I don't think you can explain this by simply categorizing people. You can find
more than a few stories of nerds being abusive to other people.

I think initially the Internet brought people closer together. It was like ham
radio - you could connect with people in a relatively small but very
distributed community of hobbyists and experts. Once everyone joined and it
became ubiquitous, it's had the opposite effect - it's replaced most of our
social interactions but there's an increased anonymity and social separation.

~~~
shobith
> I don't think you can explain this by simply categorizing people

I was not trying to categorize people, but I was trying to abstractly point
out how this might happen, but I used a "category" to explain it simply.

> I think initially the Internet brought people closer together. It was like
> ham radio - you could connect with people in a relatively small but very
> distributed community of hobbyists and experts. Once everyone joined and it
> became ubiquitous, it's had the opposite effect - it's replaced most of our
> social interactions but there's an increased anonymity and social
> separation.

Exactly!

"nerds" is just a type of social circle, who're also the initial adopters of a
tech, you don't want to be an outcast by doing something that is not "nerdy"
in the early stages, because it is easily noticeable by other nerds of that
tech. When the social circle expands to potentially bring in other types of
social circles (by going mainstream) and becomes (pseudo)anonymous, you'll
obviously find a large variation of (acceptable) behaviors among the different
social circles, which may or may not overlap with each other.

