
Zoom rolled their own encryption scheme, transmit keys through servers in China - gasull
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
======
dang
Matthew Green's article on this has a thread here:
[https://news.ycombinator.com/item?id=22771193](https://news.ycombinator.com/item?id=22771193)

The Intercept article on it has a thread here:
[https://news.ycombinator.com/item?id=22767807](https://news.ycombinator.com/item?id=22767807)

It's probably too much of a stretch to merge all these, because many comments
are about specifics of those posts, and the ones that aren't are kind of
generic and so maybe not worth merging anyway
([https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20generic%20discussion&sort=byDate&type=comment)).

~~~
Judgmentality
Hi dang,

Thanks in advance for all your moderation efforts that make HN the site we all
love to use on a regular basis.

I'm curious if you've ever considered writing a blog post about some of the
things you've learned from your years of moderation? You spend so much time on
HN, you must have seen lots of patterns and have lots of insights on...well,
everything that gets posted on HN to everybody that posts on HN. I'd genuinely
be interested in reading it if you ever did.

Cheers, a semi-anonymous HN user

~~~
Leary
While you wait for his response:

[https://www.newyorker.com/news/letter-from-silicon-valley/th...](https://www.newyorker.com/news/letter-from-silicon-valley/the-lonely-work-of-moderating-hacker-news)

~~~
thrwaway69
_At first, the site attracted about sixteen hundred daily visitors, and Graham
moderated and maintained it himself. Today, around five million people read
Hacker News each month, and it’s grown more difficult to moderate. The
technical discussions remain varied and can be insightful. But social,
cultural, and political conversations, which, despite the guidelines, have
proliferated, tend to devolve. A recent comment thread about a Times article,
“YouTube to Remove Thousands of Videos Pushing Extreme Views,” yielded a
response likening journalism and propaganda; a muddled juxtaposition of
pornography and Holocaust denial; a vague side conversation about the average
I.Q. of Hacker News commenters; and confused analogies between white
supremacists and Black Lives Matter activists. In April, when a story about
Katie Bouman, an M.I.T. researcher who helped develop a technology that
captured the first photo of a black hole, rose to the front page, users combed
through her code on GitHub in an effort to undermine the weight of her
contributions.

The site’s now characteristic tone of performative erudition—hyperrational,
dispassionate, contrarian, authoritative—often masks a deeper recklessness.
Ill-advised citations proliferate; thought experiments abound; humane
arguments are dismissed as emotional or irrational. Logic, applied narrowly,
is used to justify broad moral positions. The most admired arguments are made
with data, but the origins, veracity, and malleability of those data tend to
be ancillary concerns. The message-board intellectualism that might once have
impressed V.C. observers like Graham has developed into an intellectual style
all its own. Hacker News readers who visit the site to learn how engineers and
entrepreneurs talk, and what they talk about, can find themselves immersed in
conversations that resemble the output of duelling Markov bots trained on
libertarian economics blogs, “The Tim Ferriss Show,” and the work of Yuval
Noah Harari._

Not sure whether to agree or disagree.

~~~
pdwcyl
I find that the opposite is true. Most comments are emotional, and I have to
search for controversial comments to find anything objective/worth reading.
Like Reddit, this site is biased to the political left (USA). I wish we could
just avoid all politics in tech.

~~~
cyphar
I don't think it's possible to avoid politics in any profession. Teachers care
about education reform, which is a political subject. Doctors care about the
healthcare system, which is a political subject. Civil engineers care about
building codes and safety regulations, which are political subjects.
Accountants care about tax laws, which are an incredibly political subject.
Social workers care about welfare programs, which is also a very political
subject. You might not talk about it in the realm of politics while at work,
but it has an impact on your work as well as the lives of the public.

You could even argue that being "apolitical" actually means that your
political opinion is that the status quo is acceptable, which other people may
disagree with. For instance, some people believe that selling water is
unethical because it's a basic human need which you should always have free
access to -- saying that the status quo is acceptable means that you don't
think that for-sale water is unethical. There's nothing wrong with that
opinion, but it is an opinion (and a political one at that).

~~~
DeathArrow
I don't express my political beliefs here because I think I would be massively
down voted. I think that's true for lots of other users.

~~~
Kye
The way it's presented makes a huge difference. People are obliterated for any
political opinion if presented in a way that treats politics like a game
instead of something that affects everyone.

Make a polite, clear-headed enough argument for something like eugenics and
people will upvote you. It's troubling, but I can make a pro-socialism post
under the same conditions. It's an uneasy peace.

------
tptacek
The serverside key handling stuff is bad, but generally known (Zoom has
features whose natural implementation requires them to keep keys serverside).

People are dunking on Zoom for rolling their own crypto and coming up with
AES-128-ECB. This is also bad, but people should be aware that it's a lot more
complicated than "you can see penguins through it".

You can see penguins through an ECB-encrypted bitmap because discrete blocks
of the bitmap image repeat, and thus have the same ciphertext, and these
correspondences carry obvious meaning in a bitmap. The same is not
automatically true of video or audio data with normal codecs. Aaron Toponce
points out that sensor noise will likely scramble ECB ciphertexts, for
instance.

Colm MacCárthaigh makes an even more important point, which is that it's
already very tricky to reliably encrypt voice tracks, because common encoding
and transmission techniques make them susceptible to traffic analysis. So, for
instance, you can quickly find papers about exploiting silence suppression to
make predictions about speech in an encrypted audio channel. The point here
being, cryptanalytic attacks on ECB are unlikely to be anyone's first
recourse.

Obviously, the 128 bit AES key thing doesn't really have any practical impact.

Designers should religiously avoid ECB mode, but the real danger of ECB is in
interactive settings, where we as attackers get to _induce_ plaintext
patterns, and use chosen boundaries to isolate targeted ciphertext. Bulk video
and audio transmission isn't that kind of interactive setting. You still don't
want to read people saying that ECB is OK; it's bad.

Essentially: it seems like Zoom's cryptography is bad, but not in a way that
really matters compared to brochure-level badness of non-end-to-end-encryption.

~~~
stubish
Screen sharing a presentation is problematic; lots of discrete blocks of
bitmap image being repeated.

~~~
firebones
If Zoom supports stock background filters or modes, that would seem to be
another massive source of repeating plaintext, depending on the
implementation.

~~~
tptacek
I mean, it won't be, for the same reason 'tedunangst points out above. But
even if it was: the repeats you'd be referring to would be leaking... stock
background filters and modes.

------
gen3
This is honestly the best “Zoom is bad” summary I’ve seen so far. While I
certainly believe some of the Zoom hate is blown out of proportion, this
article does a good job explaining to someone who isn't a security expert what
the issues are. I've been getting questions about the company from family and
friends, and will be forwarding this to them. Well done.

~~~
consonaut
This is a great article, but as an educational provider it fails to answer one
question: Why should I care?

The only concerning thing for me is, why would they lie about using AES-256
when none of my users (and I assume most of their users) would care in any way
about AES-256 vs. AES-128 in ECB mode. Why would they lie?

Even after this, having my users conducting university lessons over something
that might be decrypted in China is honestly not that big of an issue. I would
of course prefer it if these meetings would be private from the PRC's scrutiny
but at least in my situation (and I think most educational contexts) this is
not really that important.

~~~
tlear
Let's say these lessons are a politics seminar discussing whatever PRC finds
objectionable, then family of the student back in the old country get their
social credit score deducted.

Or even better use those recordings in the future as kompromat as needed.

~~~
Igelau
I don't know how much free time they have over there, but snooping in on
courses that a relative outside the country is taking and storing all of
them... I mean, if you want to peg someone's social credit score, just
stakeout their house and wait for them to spit outside or something. Hell,
just make something up and dare them to come argue. Why go to all that effort?

~~~
kart23
Doesn't go exactly like that. More like: CCTV captures someone going to an area
where known rebels or political activists live. (Look up videos on China's face
recognition, it's insane.) Police decide to look through the person's zoom
meeting transcripts, making a search on certain keywords. They find evidence
of rebellious activities, and order further surveillance on the individual or
arrest them.

~~~
Igelau
In a surveillance state of the scope you've described, triangulating the zoom
transcripts of an international relative's course work back to someone you
spotted on CCTV is still hardly worth the extra trouble. At that level of
erosion of civil liberties, they can already send the jackboots to break down
the door when they make the CCTV match. Don't find anything? You plant
something or coerce them into ratting on someone else. Why would you go mining
terabytes of data that's mostly boring meetings and calls from grandma?

~~~
killjoywashere
It's all take data collection and they mine it later. 10 years from now they
go looking for video from you. And yes, if you don't think people have weird
incentives and time on their hands, have a look at the shitshow of US
Presidential politics.

------
rzimmerman
Using AES in ECB mode is clearly a bad choice, but honestly it's not that
horrible for high entropy data like compressed audio/video. I'm sure someone
could prove me wrong one day, but it seems hard to extract any useful patterns
out of compressed audio/video. It does check the box of "uses encryption" for
regulatory reasons (while missing the intent). It's pretty egregious
considering how easy this is to get right.

The 128-bit key is not inherently wrong if they were rotating these out during
the stream. That being said, there's no reason not to do it right and use a
mode like GCM with a longer key - most hardware supports acceleration for
AES-256 these days. It can actually be slower to use a 128-bit key on 64-bit
systems.

While I respect the decision not to disclose the waiting room vulnerability,
it's pretty obvious what's going on given the context. They probably shouldn't
have mentioned where the vulnerability is.

I'm honestly surprised anyone with technical knowledge thought that Zoom was
actually doing end-to-end encryption given how the software works. All of the
video transcoding/downconversion is clearly happening on the server. Your
client is not sending multiple compressed streams for varying connection
bandwidths. That's the main reason a lot of people like Zoom - it actually
works well with dozens or hundreds of participants.

~~~
kop316
> Using AES in ECB mode is clearly a bad choice, but honestly it's not that
> horrible for high entropy data like compressed audio/video. I'm sure someone
> could prove me wrong one day, but it seems hard to extract any useful
> patterns out of compressed audio/video.

...you're joking right? The Wikipedia example for why ECB is not recommended
is literally an image:

[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)

Edit: This applies to compression too. Please refer to Shannon's source coding
theorem.

~~~
rzimmerman
It's definitely a terrible choice for _uncompressed_ images or video. I'm
arguing it _probably_ isn't that bad for highly compressed video. That being
said, if you're encrypting any data stream you should use an appropriate
stream cipher.

~~~
miked85
If the encryption scheme is poor, why would the data being compressed or not
matter?

~~~
stouset
Compression already makes a compressed file roughly indistinguishable from
random noise (modulo access to the decompressor). So the patterns have been
removed.

That doesn’t make this _good_, but it means that one specific example isn’t
immediately applicable.

~~~
monocasa
There's more in the stream than just compressed data. There'll be metadata
info that you can make reasonable guesses about. ECB mode lets you take that
information and apply it to other blocks in the ciphertext.
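
An added example, not code from any commenter or from Zoom: it encrypts three constructed inputs with AES-128 in ECB and counts the ciphertext blocks that repeat an earlier block, which is all an observer without the key needs to do. It covers the screen-sharing case raised earlier in the thread and the payload-versus-metadata point in this subthread. Assumptions: SHA-256 output stands in for entropy-coded codec data, and the 16-byte packet header is a hypothetical format.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

var demoKey = []byte("0123456789abcdef") // constructed AES-128 key

// ecbEncrypt encrypts every 16-byte block independently, which is all ECB is.
// Go's standard library ships no ECB mode, so the loop is spelled out.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(pt), aes.BlockSize)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// repeatedBlocks needs no key: it is what a passive observer can compute.
// It returns the block count and how many blocks equal an earlier block.
func repeatedBlocks(ct []byte) (total, repeats int) {
	seen := make(map[[aes.BlockSize]byte]bool)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ct[i:])
		if seen[b] {
			repeats++
		}
		seen[b] = true
		total++
	}
	return total, repeats
}

// slideBitmap is a constructed 256x64 8-bit "shared slide": white background
// with one black rectangle aligned to 16-pixel boundaries.
func slideBitmap() []byte {
	const w, h = 256, 64
	img := make([]byte, w*h)
	for y := 0; y < h; y++ {
		for x := 0; x < w; x++ {
			img[y*w+x] = 0xFF
			if y >= 16 && y < 48 && x >= 64 && x < 128 {
				img[y*w+x] = 0x00
			}
		}
	}
	return img
}

// mediaPackets builds n constructed packets: an optional fixed header block
// followed by 64 bytes of SHA-256 output standing in for codec payload.
func mediaPackets(n int, withHeader bool) []byte {
	header := []byte("DEMOHDR\x01codec=1;") // exactly 16 bytes, hypothetical format
	var out []byte
	for i := 0; i < n; i++ {
		if withHeader {
			out = append(out, header...)
		}
		for j := 0; j < 2; j++ { // 2 digests = 64 bytes = 4 payload blocks
			var seed [8]byte
			binary.BigEndian.PutUint32(seed[:4], uint32(i))
			binary.BigEndian.PutUint32(seed[4:], uint32(j))
			digest := sha256.Sum256(seed[:])
			out = append(out, digest[:]...)
		}
	}
	return out
}

// measure encrypts pt under the demo key and counts repeated ciphertext blocks.
func measure(pt []byte) (total, repeats int) {
	ct, err := ecbEncrypt(demoKey, pt)
	if err != nil {
		panic(err)
	}
	return repeatedBlocks(ct)
}

func main() {
	cases := []struct {
		name string
		data []byte
	}{
		{"uncompressed slide bitmap", slideBitmap()},
		{"random-looking payload only", mediaPackets(32, false)},
		{"fixed header + payload", mediaPackets(32, true)},
	}
	for _, c := range cases {
		total, repeats := measure(c.data)
		fmt.Printf("%-28s %4d blocks, %4d repeats\n", c.name, total, repeats)
	}
}
```

The slide bitmap gives 1022 repeats out of 1024 blocks and the random-looking payload gives none, but a fixed block-aligned header brings back one repeat per packet after the first.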

~~~
_jal
This thread is an _excellent_ illustration of why you don't want your
encryption implemented by merely good coders. You need people who know what
they are doing.

~~~
stouset
I’m literally one of those people who “knows what they’re doing”. This is the
problem with discussing ECB on an online forum. There’s no space to have a
nuanced discussion without people cargo culting “ECB bad” over every comment.

Yes, ECB is almost always the wrong choice. Yes, there are other ways it’s
going to fail in this use case. Yes, compression before encryption itself
often enables other attacks. No, I should not have to prefix a comment about
ECB with this type of disclaimer when I’m making (what should be) an
uncontroversial statement that the tux attack doesn’t directly apply to
compressed image data.

Ironically, when designing a protocol for my company, one of the reasons we
_didn’t_ use ECB when it would have been entirely justified (each chunk of
data was precisely one block in size and keys were only ever used once) was
because of potential backlash from people who only know “ECB bad” and nothing
more.

------
WheelsAtLarge
"Zoom, a Silicon Valley-based company, appears to own three companies in China
through which at least 700 employees are paid to develop Zoom’s software. This
arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying
US wages while selling to US customers, thus increasing their profit margin.
However, this arrangement may make Zoom responsive to pressure from Chinese
authorities."

I'm not here to defend zoom but any and all companies that can do this have
and are doing the very same thing to minimize costs. It's not great but it's
the expected way of managing a software company in 2020. It would be hard to
do business otherwise.

Whether it's good or bad that's a question that will need to be reexamined
given the current situation.

------
thesausageking
Given Zoom is blocked in China, what reason is there for the main key server
to be there?

Even ignoring the appearances, for latency and the fault tolerance reasons,
China is the last place you'd want to put a critical server for an app used
in the West.

~~~
physicles
Zoom is no longer blocked in China.

------
NikolaeVarius
I really don't think this counts as rolling your own crypto. They just used a
weak implementation of existing methods.

No more rolling your own crypto than if I were to use DES.

~~~
rzimmerman
I agree - all security is assembled from lower level primitives and can be
insecure despite using good building blocks. AES (even AES-128) is a fine
choice, ECB mode is even okay in some contexts, but using that as a stream cipher
is not appropriate.

~~~
noahtallen
Definitely. Some other places (I think Telegram iirc) do actually create their
own encryption algorithms without using existing ones. That’s what I thought
rolling your own crypto scheme was. If the problem with Zoom is that they
chose a poor mode for the algorithm, why doesn’t the headline say that?
Creating your own encryption algorithm is way worse.

If rolling your own encryption scheme is just choosing what algorithm you use
— every system does that. So it’s not headline worthy. :/ I get that zoom
needs to make better choices, but the rhetoric around it has been pretty poor
and unhelpful.

------
013a
> Zoom’s most recent SEC filing shows that the company (through its Chinese
> affiliates) employs at least 700 employees in China that work in “research
> and development.”

Wow. What could all of these people possibly be doing? It can't be development
and QA; what's going on over there?

~~~
ziyao_w
You do realize development includes software engineering, right? 700 people
doing programming isn't even remotely surprising.

Not to defend them against the recent security fiasco, but innuendos such as
this that link "employees working in China" directly with "shady business"
make me at least uncomfortable.

~~~
blunte
I didn't read it as suggesting it was "shady business". I read it as an
insinuation that the company didn't know what it was doing from the top down,
so they didn't hire smartly or manage well; they just threw numbers of people
at the problem (and got predictably bad results).

With good management, a team of 50 should be able to provide what Zoom
provides.

~~~
ziyao_w
Yeah, moments after replying I realized there is a more charitable read :-)

Of course, with this read comes the age old question of "I can build Google/FB
with 20 good men, what are they doing?"

~~~
thaumasiotes
> Of course, with this read comes the age old question of "I can build
> Google/FB with 20 good men, what are they doing?"

Well, this would explain Google's pattern of constantly churning out new
products on the theory that hey, maybe someone somewhere wants it.

If you need 20 people to run your actual operations but you've hired 20,000
people, what are the other 20,000 people supposed to do?

------
duxup
> However, this arrangement may make Zoom responsive to pressure from Chinese
> authorities.

Zoom doesn't even have to be responsive to pressure, just a developer has to
be. And they live there so yah they'll be understandably responsive.

------
AshamedCaptain
Seriously, all people who are surprised about this type of news should really
understand that most "successful" (as in, popular) tech/.com/SV "startups"
these days are like this.

If you "waste" time on the real important stuff such as a good design, user
security, or the like, you will lose over to a competitor who didn't and
therefore was able to spend more time on marketing.

If you waste your time on user privacy you will be totally crushed by that
competitor whose definition of "privacy" was "how much can I pester this user
until he gives me access to his address book so I can spam his friends?".

I don't think this is good. I think this is very sad. But it is what it is.

I still remember the Whatsapp founders coming into the jabber mailing lists
with "please let me configure my server"-type questions, for god's sake.

~~~
restingrobot
This is a bad point. The difference between using AES-128 and AES-256 from a
code standpoint is trivial. The only explanation for this is either gross
incompetence or malevolence. Personally I don't use Zoom, nor would I
recommend its use for even personal conversation.

~~~
dpeck
The difference is a copy and paste from an older StackOverflow post.

~~~
restingrobot
Using code without understanding its implications would fall in the gross
incompetence category.

~~~
AshamedCaptain
And my point is that this happens all the time. Natural selection seems to
favor the type of company that would just copy&paste from SO (then spend their
resources on some fancy viral marketing) instead of the one that would stop to
think about it.

~~~
catalogia
People shouldn't be surprised, but they _should_ be upset.

------
api
Why can't people bother to construct a minimally secure encryption system
given that there are so many good documents and code examples out there?

I don't mean anything with ratcheting, forward secrecy, replay protection,
nonce reuse resistance, or any other bells and whistles, just basic competent
symmetric encryption without gaping holes or ridiculous bizarre design
choices?

It's not hard!

(1) Generate 12 bytes of random nonce using a good secure random source,
prepend to message.

(2) Use nonce to initialize AES-GCM.

(3) Run it through AES-GCM, append tag.

(4) Done.

That's not hard and it's secure enough for common use cases.

~~~
rzimmerman
The only thing I can think of is that _maybe_ the protocol Zoom is using
precludes prepending the nonce due to the packet format. But surely there's
some way to do this with packet counters and user IDs. It's possible this was
an intermediate step but I'm really stretching for excuses here.

~~~
api
Yes you can construct an IV from other state, though it's not ideal. Another
good fit might be modes designed for disk encryption as those are designed for
cases where you can't pad (e.g. disk blocks).

There's also AES-GCM-SIV and its relatives which construct the nonce from a
MAC of the plaintext and _technically_ do not require a separate IV, though if
you don't use one any duplicate message will be obvious.

Those are somewhat more complex but honestly even if you don't get those
perfect it's almost definitely better than ECB.

------
maest
Was this done in the interest of convenience, as most Zoom apologists have
been claiming?

~~~
api
This looks like either incompetence or intentionally weak crypto.

~~~
rzimmerman
I agree, it's probably lack of appropriate expertise. There are much more
subtle and useful ways to make this intentionally weak (like subtle nonce
reuse with GCM). Or just giving Chinese authorities access to the key like the
article implies.

------
jtdev
Is it possible that China is actually gleaning foreign IP from Zoom customers?

~~~
est
Is it possible that China is actually part of routable public Internet at all?

Should ICANN give each assigned IP block a flag to indicate whether it's
capitalist or communist, so vendors can connect more carefully?

------
bedros
always wondered why zoom.us url not zoom.com which they both own.

it's basically to give the perception it's US company and assumed trustworthy.

~~~
huslage
It is a US company. It’s a US Public company.

------
stefan_
Keynote:

 _Zoom’s encryption and decryption use AES in ECB mode_

~~~
ummonk
Jesus, that's a textbook example of a bad encryption mode.

~~~
cassalian
Makes you wonder how someone could approve that pull request...

~~~
gregcoombe
It's possible it comes from a corporate culture that is focused on ease-of-use
over security. This is not the first time that they've done some questionable
things to reduce friction. See for example
[https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-pa...](https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-patch-vulnerability-emergency-fix-web-server-remove),
where they installed a secret
webserver to save Mac users a single click.

------
songshuu
Could we fix the title of this post please? There is a GULF of difference
between 'transmit keys through servers in China' and the actual text from the
article, "We suspect that keys may be distributed through these servers."

Implication is fine, but it should not be declarative without proof.

~~~
dmitrygr
The article is quite direct: key directly sent to client in USA directly from
a server in China. What is unclear?

~~~
songshuu
Have read the whole article myself, I did not see that explicitly stated.
Could you provide the quote?

~~~
saagarjha
> In addition, we identify potential areas of concern in Zoom’s
> infrastructure, including observing the transmission of meeting encryption
> keys through China.

~~~
songshuu
Thanks! Indeed that was in their opener, but their clarifying statement is
broader.

FTA "We suspect that keys may be distributed through these servers. A company
primarily catering to North American clients that sometimes distributes
encryption keys through servers in China is potentially concerning, given that
Zoom may be legally obligated to disclose these keys to authorities in China."

"We suspect" is not the same as "we are certain".

~~~
gregcoombe
They observed keys being transmitted to Chinese servers, which makes them
suspect that Zoom is distributing keys via these servers. They have worded
this very carefully to avoid claiming something that they cannot confirm
(distribution to multiple users).

------
remarkEon
Is there any reasonable explanation for why this scheme was designed in this
manner?

~~~
rzimmerman
It's possible some protocol issues prohibit the use of other stream cipher
modes like AES-GCM. I can't think of any but maybe:

* Dropped packets/out of order packets. You should be able to include the IV/counter with the packet but maybe the protocol prohibits that.

* Avoiding reusing counters between participants - seems like you could just use the participant ID as part of the counter and avoid this

* Concerns about partial packet loss - shouldn't happen with UDP and GCM would handle this just as well

I'm trying but I can't think of a good reason to do it this way.
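
An added example (not the thread's or Zoom's code) of the four steps api lists earlier, followed by the variant discussed here where the nonce comes from a participant ID and packet counter that the packet already carries. The 12-byte header layout and the function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceSize = 12 // 96-bit nonce, the standard size for AES-GCM

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRandom is the four-step recipe: random 12-byte nonce, prepended to the
// message, AES-GCM over the plaintext, 16-byte tag appended by Seal.
func sealRandom(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func openRandom(aead cipher.AEAD, msg []byte) ([]byte, error) {
	if len(msg) < nonceSize+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:nonceSize], msg[nonceSize:], nil)
}

// sealPacket derives the nonce from a header the packet already carries
// (assumed layout: 4-byte participant ID || 8-byte packet counter), so no
// extra field is needed. Safe only while no (ID, counter) pair is ever
// reused under one key. The header is also authenticated as associated data.
func sealPacket(aead cipher.AEAD, participant uint32, counter uint64, payload []byte) []byte {
	hdr := make([]byte, nonceSize)
	binary.BigEndian.PutUint32(hdr[:4], participant)
	binary.BigEndian.PutUint64(hdr[4:], counter)
	out := append(make([]byte, 0, nonceSize+len(payload)+aead.Overhead()), hdr...)
	return aead.Seal(out, hdr, payload, hdr) // header || ciphertext || tag
}

// openPacket decrypts one packet on its own: no state from earlier packets
// is needed, so loss and reordering do not affect later packets.
func openPacket(aead cipher.AEAD, pkt []byte) (participant uint32, counter uint64, payload []byte, err error) {
	if len(pkt) < nonceSize+aead.Overhead() {
		return 0, 0, nil, errors.New("packet too short")
	}
	hdr, body := pkt[:nonceSize], pkt[nonceSize:]
	payload, err = aead.Open(nil, hdr, body, hdr)
	if err != nil {
		return 0, 0, nil, err
	}
	return binary.BigEndian.Uint32(hdr[:4]), binary.BigEndian.Uint64(hdr[4:]), payload, nil
}

func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	key := make([]byte, 16) // AES-128; the key size was not the weak part
	must(key, func() error { _, err := rand.Read(key); return err }())
	aead, err := newGCM(key)
	if err != nil {
		panic(err)
	}
	a := must(sealRandom(aead, []byte("same frame")))
	b := must(sealRandom(aead, []byte("same frame")))
	fmt.Println("identical frames give identical output:", bytes.Equal(a, b))

	// Constructed stream from participant 7: packet 1 is lost, 2 arrives
	// before 0, and packet 3 has one ciphertext bit flipped in transit.
	var sent [][]byte
	for i := 0; i < 4; i++ {
		sent = append(sent, sealPacket(aead, 7, uint64(i), []byte(fmt.Sprintf("frame %d", i))))
	}
	sent[3][nonceSize] ^= 0x01
	for _, pkt := range [][]byte{sent[2], sent[0], sent[3]} {
		id, ctr, payload, err := openPacket(aead, pkt)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("participant %d packet %d: %s\n", id, ctr, payload)
	}
}
```

Neither function provides replay protection; a receiver that needs it has to track which counters it has already accepted.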

------
chvid
If I were to design a video conference platform my focus would be usability,
video quality, speed.

Because those are the things that matter to end-users; if it gives up some
security because there is a server somewhere that decrypts, converts and
reencrypt the traffic then that is a trade-off but so be it if the goal is to
create a popular widely used platform.

------
bitwize
What'd I tell you? This is either malice, or sufficient incompetence as to be
indistinguishable from malice.

------
dstroot
Zoom deserves a lot of animosity for its _privacy_ issues like sharing data
with Facebook.

On the other hand I am mystified by all the security hype. Yes I might be able
to guess a Zoom meeting ID, just as if I might guess your phone number and
prank call you. In a Zoom meeting _you can see who is connected_. In the old
days of conference calls do you remember asking “who’s on the line?”. What are
you talking about that requires encryption?

If so there are tools for that - signal, etc.

~~~
stordoff
> What are you talking about that requires encryption?

The UK are using it for Cabinet meetings -
[https://www.bbc.co.uk/news/technology-52126534](https://www.bbc.co.uk/news/technology-52126534)

~~~
NikolaeVarius
> In a crisis, communication at speed is the priority.

And UK officials say the risks of not communicating in the middle of
fast-moving events far outweigh the possible security risks of using such a system.

They add most government work to do with the coronavirus is unclassified and
anything highly classified is communicated over secure systems

Government meetings use the paid-for version of the system and are password
protected to prevent "Zoom-bombing", when uninvited individuals intrude on
calls.

The UK Ministry of Defence also said Zoom should not be used for classified
conversations.

And it is understood Nato's policy not to use Zoom for any meetings, briefings
or conversations between member state ambassadors if classified or sensitive
information is shared.

Nato staff are understood to be using "more stable and secure" means of
communication.

=====

They seem to be perfectly well aware of their threat model

------
3xblah
Just out of curiosity I decided to check for a particular representation on
the Zoom website. There must be some "magic" in these words because so many
tech companies use them.

" _We take security seriously_ and we are proud to exceed industry standards
when it comes to your organizations communications."

[https://zoom.us/security](https://zoom.us/security)

------
badrabbit
Just a pet-peeve here: I am well aware of the CCP and how they run things in
China as well as their hostilities against the west. But sending traffic or
anything to or through China in itself is not a security risk. If the data
goes through the US and you are european, whatever protocol weakness exists
should also worry you because of possible network and server-side adversaries
in the US.

"China" is a threat not a vulnerability is all I meant, and using it for
hype-training seems dishonest.

I've had meetings with people in different companies using webex, goto
meeting, skype, zoom, teams and hangouts. I found hangouts to be the most
worrisome with regards to privacy (not security). A lot of the issues that
keep popping up about zoom this week might also apply to the others (looking
at you webex!).

Zoom became popular because you can see everyone's video all at once. They had
a better product. Vulnerabilities don't make a product bad, how you handle
them does! If anything, I would like someone to show me how the free security
audit zoom received by the hype crowd this week does not make it a superior
alternative (provided they continue patching it).

------
dang
The Intercept article about this has a thread here:
[https://news.ycombinator.com/item?id=22767807](https://news.ycombinator.com/item?id=22767807)

------
thinkingemote
On Ubuntu would installing Zoom via Snap be preferable to installing it as a
normal package when it comes to security / sandboxing, should the case be that they
turn evil?

~~~
stubish
Yes, that would be vastly preferable. Normally, the client would still have
access to quite a bit (Lots of $HOME for example, minus security sensitive
files). It would be possible for the packager to turn off that access too and
completely lock it down, turning off those interfaces and providing a fake
$HOME etc. A good reason for the packager to not be Zoom Corp, but getting a
distribution license might be tricky.

------
someonehere
Is there any validity to the claim from earlier in the week (comments here on
HN) that they have engineers based out of China and it’s essentially tied to
the CCP?

------
DeathArrow
I didn't use Zoom. What advantages does it have over Microsoft Teams, Webex or
Skype?

------
smsm42
Looks like Zoom to video conference security is like Flash to web browser
security.

------
daffy
Is it possible to use Zoom on Linux from an ordinary user without sudo rights?

~~~
a-nikolaev
I just downloaded their binary build and it worked without sudo (you need to
run "ZoomLauncher" file).

That being said, I did not get the impression of an easy to use app that "just
works" (at least with my tiling window manager), things were confusing, clunky
and rather idiosyncratic (e.g. sharing a screen was weird, and the whiteboard
did not work).

~~~
daffy
Did you use it to talk to someone? I ran it too, but wanted to make sure it
really works without being installed.

~~~
a-nikolaev
Yeah, I used it for calls, did not install anything.

------
HashThis
Zoom has betrayed us all! Congress must require zoom to explain why they are
sending encryption keys to China when all participants are USA citizens. Zoom
is betraying USA citizens and their customers. We must pressure USA zoom execs
to explain exactly why they are doing this.

------
awaythrower
And this is why you don't use unproven apps that come out of nowhere simply
because they are "popular."

------
737min
A Chinese founder cooperating with Chinese government is not something to be
critical about, there is different political perspective.

------
pvijeh
[https://classicprogrammerpaintings.com/post/148027314949/we-...](https://classicprogrammerpaintings.com/post/148027314949/we-rolled-our-own-crypto-pieter-bruegel-the)

------
tibbydudeza
Zoom just works great ... just focus on making a better product (aggh Google
Hangouts) than hyping up the hysteria by adding China to the mix.

It is rather suspicious to see all the articles of late.

~~~
umeshunni
Nothing suspicious.

Zoom is in the news lately, so there are more researchers and others looking
at their security practices.

Bloggers know that they'll get clicks by writing about Zoom.

China is just thrown in since they're the Boogieman in the US these days.

