
Zoom Endpoint-Security Considerations - Semaphor
https://dev.io/posts/zoomzoo/
======
mhils
Zoom is the Windows of conferencing apps: It is the most popular one, so
researchers actually look at it and say it's shit, but the alternatives aren't
much better [1].

[1] Just one example: [https://github.com/jitsi/docker-jitsi-meet/blob/master/CHANGELOG.md#stable-4384-1](https://github.com/jitsi/docker-jitsi-meet/blob/master/CHANGELOG.md#stable-4384-1)

~~~
microcolonel
But honestly, the main reason people use Zoom is that it is by far the most
reliable video conferencing app out there. Anyone who has used other video
conferencing systems on uncontrolled networks knows the pain that Zoom seems
to magically avoid.

Now, it seems lately others have been getting better, but I'm not really sure
what the source of that is; when I've been pulled into Zoom calls over the
last five years, they've been absolutely rock-solid.

~~~
microcolonel
Separate from whether it works or not, I will not install it unsandboxed on
any endpoints, nor use it deliberately.

Their security architecture is ???, and their excuse for its use of servers in
PRC to move encryption secrets makes no sense, and honestly gives me the
impression that at some level, somebody working on Zoom made that decision
with the conscious intention to make secrets available to the PLA.

------
Pxtl
I feel like this article is conflating things... it is absolutely possible to
do SQL string concatenation safely. I've done it many times to work around
aggressively-bad SQL APIs. Assuming SQL concatenation is _automatically_ bad
is the kind of thinking that makes me roll my eyes at security researchers.

~~~
shakna
Building SQL queries from strings is possible safely, in the same way that C's
memory model is safe.

It can be done... But not by most people. Our history proves it, time [0]
after time [1] and time [2] after time [3].

It is simply not worth it, if you can make use of parameterized queries.

[0] [https://web.archive.org/web/20161024090111/https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/](https://web.archive.org/web/20161024090111/https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/)

[1] [https://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0](https://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0)

[2] [https://www.baltimoresun.com/education/bs-xpm-2014-03-07-bs-md-hopkins-servers-hacked-20140306-story.html](https://www.baltimoresun.com/education/bs-xpm-2014-03-07-bs-md-hopkins-servers-hacked-20140306-story.html)

[3] [https://web.archive.org/web/20150219165019/http://www.batblue.com/united-nations-internet-governance-forum-breached/](https://web.archive.org/web/20150219165019/http://www.batblue.com/united-nations-internet-governance-forum-breached/)

~~~
jackewiehose
> Building SQL queries from strings is possible safely, in the same way that
> C's memory model is safe.

But still you wouldn't say that every software written in C is automatically
insecure. You have to look into the actual case. Just grepping for SQL-string-
concatenation or uses of sprintf doesn't say much.

~~~
Grollicus
The difference is that there are sometimes no real alternatives to doing
memory management by hand - which means there are people that are really
really really good at this.

With sql that's different, every sane sql client library supports some form of
prepared statements out of the box and they are really simple to use. There is
no reason whatsoever to do this by hand, except for people that don't know
better.

~~~
ufmace
I disagree with the part that there is always an alternative to building
strings for SQL statements. Yes, all client libraries support prepared
statements. But none of them support placing prepared statement fields in any
part of the SQL statement.

Prepared statements work fine as long as you just have simple SELECT
statements with a few WHERE values as parameters. They completely fail if you
need to do any advanced SQL with anything dynamic. Like optionally add more
sophisticated calculated properties to the SELECT fields, conditionally JOIN
in extra tables, use any of the DB engine's more advanced XML or JSON parsing
features in a conditional way, support choosing <, > or =, etc.

~~~
wahern
The real problem is doing ad hoc SQL string concatenation. In the situations
you point out, one could (and should) write a simple formatting library that
makes it easy to join string literals (the operators) with dynamic data, the
same way one would write a basic prepare wrapper around a SQL driver that
lacked prepared statements--a simple (and proper--not regex hack) format
string parser that quotes and concatenates its arguments. Doing this ensures
you'll end up structuring your code for easier auditing of code and data
admixtures--there should literally be a _single_ line in the entire code base
calling the abominable "escape" routine for quoting and escaping special
characters. Ironically, this is the type of thing that's really trivial in C
because it's so simple to write a small state machine (while + switch loop,
with a variable for escape state) for parsing the format string and building a
new string character by character.
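The two comments above pull in opposite directions: ufmace notes that placeholders cannot stand in for column names, operators or conditional clauses, and wahern answers that a small, proper format-string parser should be the one place such fragments are assembled. The added example below (my own code, not from anyone in this thread) implements that idea in Python over SQLite: a character-by-character state machine walks a format string in which `{i}` consumes an identifier (checked against an allowlist, then quoted in one single routine), `{o}` consumes an operator from an allowlist, and `{v}` emits a `?` placeholder and collects the value as a bound parameter. The table, columns and the `find_users` helper are constructed for the demonstration.

```python
import sqlite3

# Allowlists are hypothetical; a real code base derives them from its schema.
ALLOWED_IDENTS = {"name", "role", "age"}
ALLOWED_OPS = {"<", ">", "=", "<=", ">=", "<>"}


def quote_ident(ident):
    """The single place in the code base that turns a name into SQL text.
    Allowlisting is the real control; the double-quoting is a second line
    of defence so an unexpected character can never end the identifier."""
    if ident not in ALLOWED_IDENTS:
        raise ValueError(f"identifier not permitted: {ident!r}")
    return '"' + ident.replace('"', '""') + '"'


def check_operator(op):
    """Operators are chosen, never constructed, from a fixed set."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"operator not permitted: {op!r}")
    return op


def build(fmt, *args):
    """Tiny format-string parser (state machine: 'text' or inside '{...}').
    Returns (sql_fragment, params); values never touch the SQL text."""
    out, params, pos, state, spec = [], [], 0, "text", ""
    for ch in fmt:
        if state == "text":
            if ch == "{":
                state, spec = "spec", ""
            else:
                out.append(ch)
            continue
        if ch != "}":          # still collecting the placeholder letter
            spec += ch
            continue
        if pos >= len(args):
            raise ValueError("format string needs more arguments than given")
        arg, pos = args[pos], pos + 1
        if spec == "i":
            out.append(quote_ident(arg))
        elif spec == "o":
            out.append(check_operator(arg))
        elif spec == "v":
            out.append("?")
            params.append(arg)
        else:
            raise ValueError(f"unknown placeholder {{{spec}}}")
        state = "text"
    if state != "text":
        raise ValueError("unterminated placeholder")
    if pos != len(args):
        raise ValueError("unused arguments")
    return "".join(out), tuple(params)


def make_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "admin", 41), ("bob", "user", 29),
                      ("carol", "user", 35)])
    return conn


def find_users(conn, conditions):
    """Dynamic WHERE clause: any number of (column, operator, value) triples,
    each assembled through build(), so the column and operator are validated
    and the value is always a bound parameter."""
    sql, params = build("SELECT {i} FROM users", "name")
    clauses, all_params = [], list(params)
    for column, op, value in conditions:
        frag, frag_params = build("{i} {o} {v}", column, op, value)
        clauses.append(frag)
        all_params.extend(frag_params)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql + " ORDER BY 1", all_params)]


def rejects(conn, conditions):
    """True if the builder refuses the request before any SQL is run."""
    try:
        find_users(conn, conditions)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_users(db, [("age", ">", 30)]))
    print(find_users(db, [("role", "=", "user"), ("age", "<", 30)]))
    print(rejects(db, [("age; DROP TABLE users", "=", 1)]))
```

Every query in the program is built by `build`, so an audit of "where do data and code mix" is a search for calls to `quote_ident` and `check_operator`; the parser itself is the while-plus-switch loop wahern describes, just written over a Python string. Conditional JOINs or optional SELECT expressions fit the same pattern: each fragment is a literal format string with its own `{i}`/`{o}`/`{v}` slots, and the fragments are concatenated only after they have been through the builder.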

------
godzillabrennus
And yet the adoption rate is through the roof.

Seems that to succeed you don’t focus on security till you get caught.

None of this will change unless there is a shift of liability back onto
companies for securing data.

~~~
poisonborz
For the average user, a privacy/security concern is a possible/theoretical
issue, missing features a very real, instantaneous issue.

Slack, Teams & co flat-out ignored calls and screen sharing until now. They
were sidelined so-so features. Hell, on Slack you couldn't even see screen
sharing from mobile, and you did not even get a notification that another
person is sharing. Never mind missing even the most basic annotation features.

No wonder Zoom eats all the pies now. Sure, they made a lot of mistakes, but
it was a huge landfall on a small(ish) company. That said, if the others top
up their game, I'm happy to get rid of an additional app - but that's how
market works.

~~~
ScoutOrgo
Just general video/audio performance too. Zoom is the only one I've used where
everyone can have an open mic, have noise in the background (or even music),
and the whole group can still have a good conversation.

------
rshnotsecure
We have been measuring and tracing Zoom traffic from the various client apps
for the last couple of weeks.

One weird thing. It appears Zoom uses SCO Cloud [1] and HunTel Engineering
Nebraska [2] to form sort of their own IPX? I have been a cloud architect for
the last decade and haven't seen anything like this. The costs must be
enormous if we are measuring correctly (no guarantee).

SCO Cloud though is quite the character. Apparently they are part of some
group that has been trying to sue the Linux kernel for the last 20 years,
until the case was put to rest in 2017 I think [3].

[1] - [https://scocloud.com](https://scocloud.com)

[2] - [https://htleng.com](https://htleng.com)

[3] - [https://arstechnica.com/tech-policy/2017/10/appeals-court-keeps-alive-the-never-ending-linux-case-sco-v-ibm/](https://arstechnica.com/tech-policy/2017/10/appeals-court-keeps-alive-the-never-ending-linux-case-sco-v-ibm/)

~~~
mshade
The SCO that birthed all the lawsuits is pretty long defunct. I doubt SCOcloud
is at all related. Their site doesn't seem to match the MO of the old SCO.

------
wardnath
As a quick note, no affiliation whatsoever on my part - I've had great success
running online meetups on the LGPL project bigbluebutton. Hope it helps some
members here with their pain point.

[https://bigbluebutton.org](https://bigbluebutton.org)

------
mappu
On Linux, you can get Zoom as a Snap or Flatpak, that provides a useful layer
of sandboxing.

~~~
ryukafalz
Some, I guess, but not enough to make much difference. The Flatpak for it
mounts the user's home directory:

[https://github.com/flathub/us.zoom.Zoom/blob/master/us.zoom....](https://github.com/flathub/us.zoom.Zoom/blob/master/us.zoom.Zoom.json#L14)

...and the Snap seems to as well, though I'm less familiar with Snaps and it
seems like this may not provide access to hidden files:

[https://github.com/ogra1/zoom-snap/blob/master/snap/snapcraft.yaml#L32](https://github.com/ogra1/zoom-snap/blob/master/snap/snapcraft.yaml#L32)

So your SSH keys may be safe there, your photos and documents probably aren't.
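A quick way to see what a Flatpak grants before trusting it as a sandbox is to read its `finish-args`. The added example below (my own code, not from the thread or from the Flathub manifest linked above) parses a constructed manifest fragment, flags broad filesystem grants such as `--filesystem=home` or `--filesystem=host`, and prints the `flatpak override --nofilesystem=...` command that removes them for the current user. The app id and the manifest contents are made up; only the flag names are real Flatpak syntax.

```python
import json

# Constructed manifest fragment in Flatpak's JSON format; the app id and
# the list of permissions are invented for this example.
SAMPLE_MANIFEST = """{
  "app-id": "example.Conference",
  "runtime": "org.freedesktop.Platform",
  "finish-args": [
    "--share=network",
    "--socket=x11",
    "--device=all",
    "--filesystem=home",
    "--filesystem=xdg-download",
    "--talk-name=org.freedesktop.Notifications"
  ]
}"""

# Values of --filesystem= that expose a whole tree rather than one folder.
BROAD_FILESYSTEM = {"home", "host", "host-os", "host-etc"}


def parse_filesystem_arg(value):
    """Split 'home:ro' into ('home', 'ro'); a missing suffix means read-write."""
    path, _, mode = value.partition(":")
    return path, mode or "rw"


def audit_finish_args(finish_args):
    """Return (severity, arg, reason) for each permission worth a second look."""
    findings = []
    for arg in finish_args:
        if arg.startswith("--filesystem="):
            path, mode = parse_filesystem_arg(arg[len("--filesystem="):])
            if path in BROAD_FILESYSTEM:
                severity = "medium" if mode == "ro" else "high"
                findings.append((severity, arg,
                                 f"{mode} access to the entire '{path}' tree"))
        elif arg == "--device=all":
            findings.append(("medium", arg,
                             "all device nodes, not just camera and audio"))
        elif arg == "--socket=x11":
            findings.append(("low", arg,
                             "X11 gives no isolation between clients"))
    return findings


def audit_manifest(text):
    """Parse a Flatpak manifest and audit its finish-args."""
    manifest = json.loads(text)
    return audit_finish_args(manifest.get("finish-args", []))


def suggest_overrides(app_id, findings):
    """Per-user overrides that drop the broad filesystem grants found."""
    cmds = []
    for severity, arg, _ in findings:
        if arg.startswith("--filesystem=") and severity in ("high", "medium"):
            path, _ = parse_filesystem_arg(arg[len("--filesystem="):])
            cmds.append(f"flatpak override --user --nofilesystem={path} {app_id}")
    return cmds


if __name__ == "__main__":
    results = audit_manifest(SAMPLE_MANIFEST)
    for severity, arg, reason in results:
        print(f"[{severity}] {arg}: {reason}")
    for cmd in suggest_overrides("example.Conference", results):
        print(cmd)
```

Removing `home` is what stops the sandbox from being a formality for documents and photos; narrower grants such as `xdg-download` are left alone because that is the kind of scoped access a conferencing app can reasonably need for file sharing. Note that an override only tightens the filesystem side; a Snap's `home` interface, as the comment above says, is a separate mechanism with its own rules about hidden files.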

------
foolinaround
Can someone comment on this angle, where zoom traffic was routed through
China, not exactly a paragon of openness?

~~~
fsflover
Discussion:
[https://news.ycombinator.com/item?id=22768494](https://news.ycombinator.com/item?id=22768494)

------
fock
Did see the same things with the Linux binary. Especially funny to see these
old (and unsupported) OpenSSL-libraries. Isn't nearly every valley-company
today built around the assumption of having a development model which makes
things as this highly unlikely?

~~~
mgbmtl
Zoom also does weird OS-detection which seems to fail with Debian-testing, so
I can't use screensharing on Wayland. Works fine with Jitsi Meet. They also
don't support dual-screen mixed-scaling (4k laptop with 1080p external
screen).

Feels like using Skype: worked for a while under Linux, then never got updated
and became very unpredictable/clunky.

~~~
wryun
One way to work around this, stolen from somewhere on the internet:

    bwrap --dev-bind / / --ro-bind /opt/zoom/os-release /etc/os-release /usr/bin/zoom %U

Where you set /opt/zoom/os-release to something appropriate. Should be enough
to copy your current one and set VERSION_ID to 10.

(it's pretty simplistic)

------
user5994461
What about the last one? Code execution through turbojpeg.dll

Might be possible to share a picture through zoom and when zoom will attempt
to render the picture it's gonna execute it?

Edit: nevermind looks like this CVE vulnerability only exists on ARM64 CPU, in
optimized codepaths using neon instructions.

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2201)

[https://www.openwall.com/lists/oss-security/2019/11/11/1](https://www.openwall.com/lists/oss-security/2019/11/11/1)

------
Mave83
Quite unfortunate that there is no alternative with the same great user
experience like Zoom.

Linux, Windows, Mac, every device all just working without a problem. Delay
free screen sharing (Not like MS Teams/webex), even remote support is
possible.

Fantastic product from a user perspective. I hope they will fix the issues or
some other currently crappy solution will take over the user experience
centric thinking.

