
Zoom will enable waiting rooms by default to stop Zoombombing - vpontis
https://techcrunch.com/2020/04/03/zoom-waiting-rooms-default/
======
bretpiatt
Except waiting rooms have a separate security problem
[https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...](https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/)

HN thread
[https://news.ycombinator.com/item?id=22768494](https://news.ycombinator.com/item?id=22768494)

~~~
detaro
So attackers have now ~24 hours to exploit this unpublished security issue
before the second stage, required passwords, becomes active.

~~~
prophesi
Hopefully passwords are implemented in a way to slow down brute-forcing. I
guarantee the majority of them will be a simple word or number sequence.

------
bartread
"Building development teams that include skeptics and realists, rather than
just visionary idealists, could keep ensure products get safeguarded from
abuse before rather than after a scandal occurs."

On the face of it this sounds fair, but the problem is that being "sceptical"
and "realistic" is far easier and requires much less effort than being
"visionary"[1]. Too much of the former early on can really suck the life out
of a team, increasing the risk that the product fails, or is simply never
built.

Safeguarding from abuse is much better achieved by systematic thinking and
discipline (which are learned skills) rather than hiring "realists" who might
simply turn out to be whiners and energy vampires.

As much as Zoom is currently in the spotlight, and I can't say I'm overjoyed
by a number of the issues I've read about (e.g., encryption keys being passed
through Chinese servers?!??), many of them are the problems of success, and
every successful company has or will experience their fair share of those.

 _[1] I might also add that it's far easier to commentate and to critique
than to do, eh, TechCrunch?_

~~~
Traster
I'm so tired of these types of comments. "The reason you have this issue is
you're missing X", "Yeah but if we only had X we wouldn't have been able to do
this at all!", "Yes, which is why I said you should have more X, not
completely abandon everything but X".

Let's be clear: The issues that Zoom is having were seen by other businesses
in the same industry decades ago. At a time where every other messaging system
in the world has been moving to end to end encryption - even Facebook, Zoom is
still lying about it to customers. It doesn't require a room full of sceptics
to figure that out, it requires some sort of development process that involves
the tiniest bit of thought before rushing out a feature - a culture that is
apparently consistently lacking in large parts of Silicon Valley.

Btw, If you think that what we've seen over the last few years is that
commentating on tech is an easy career to make a living at, you haven't been
paying attention to the state of journalism.

~~~
bartread
I really shouldn't rise to this but, OK, let's do this.

The comment I quoted by TC was clearly intended as a general point with broad
application across tech companies, not just Zoom. Now either TC meant that, in
which case I disagree as outlined in my previous comment, or they didn't, in which
case it's sloppy phrasing and journalism.

> Btw, If you think that what we've seen over the last few years is that
> commentating on tech is an easy career to make a living at, you haven't been
> paying attention to the state of journalism.

I said it was easy to commentate or critique (it is, and it happens on HN all
the time). I didn't say it was easy to make a career out of it nor, frankly,
do I think it should be. There are far too many lazy, bottom-feeding media
outlets in the world and not nearly enough good ones, so I will not shed a
tear for the demise of the former.

To address your specific points about Zoom: it is demonstrably false that
"every other messaging system in the world has been moving to end to end
encryption".

Microsoft Teams does not implement end to end encryption for audio or video
meetings because they can't: they support dialling into meetings using the
plain old telephone system meaning that the back-end services become an
endpoint and have to be able to decrypt traffic. Sure, Teams could do it for
text chat (and it's even a suggestion on UserVoice:
[https://microsoftteams.uservoice.com/forums/555103-public/su...](https://microsoftteams.uservoice.com/forums/555103-public/suggestions/33921943-end-to-end-encryption))
but, as far as I'm aware, they don't even do that yet.

Whether that's a big deal or not depends on your use case.

That Zoom lacks E2E encryption is not the problem: that they _claimed_ to
implement E2E encryption when they don't is. Contrast with Microsoft, who
_don't_ claim E2E encryption for Teams and, as a result, there is no significant
controversy.

Some people and use cases do need E2E encryption but, for many, the trade-offs
aren't yet worth it.

As already highlighted you lose support for POTS, which in my experience is
used pretty regularly: e.g., people on the move, or dialling in from outside
the organisation.

Another example: I suspect E2E encryption would make it difficult, even with
modest numbers of participants to implement Zoom's gallery view because they'd
have to send all encrypted streams in full to all participants, and clients
would have to decrypt and decode all video streams. Even if it didn't prove
overwhelming from a bandwidth perspective, it would eat CPU and drain battery
life very quickly. Without E2E you can decrypt and multiplex on the server
side then re-encode and re-encrypt to reduce bandwidth usage over the network
and resource usage on clients.

Of course, this isn't insurmountable: clients could send two encrypted
streams, one hi-def, and one for gallery view, and the server could route them
to clients as appropriate depending on their viewing preferences. Still, this
probably isn't as efficient as dealing with it on the server side.

(Obviously you might not care about gallery view, but it seems really popular
for remote social gatherings.)

It's all about trade-offs: for virtual pub with my friends, I don't really
care about E2E encryption, but gallery view is really great. I don't even care
about E2E encryption at work that much - certainly not enough to make it more
difficult for people to dial in to meetings.

But, as I say, none of this is the issue: the issue is the claims Zoom are
making about their product.

~~~
xenonite
1) false claims are indeed problematic because they erode trust in Zoom

2) having no E2E is more dangerous in Zoom than with other software

For example, there is no E2E in Teams, but we have it running on servers in
the same country with no direct US/CN connection. Or even better: run it on
your own servers in a DMZ. Then, E2E is not so crucial any more.

------
TACIXAT
I see some people running meetings who can barely find the chat. I'm not sure
I trust them to manage a waiting room.

~~~
godelski
Giving the benefit of doubt here, if you enter full screen mode chat opens in
a different window and no longer gives you notifications. At least on Linux. I
honestly find this quite painful and rather surprising. I'm not sure why full
screen and chat isn't equivalent to just maximizing the window (where the chat
is on the right and users are above) with tabs to open and close chat (and
users). New windows seem like a weird decision.

------
arkadiyt
> Starting April 5th, it will require passwords to enter calls via Meeting ID

A meeting id with a password is semantically the same as a longer meeting id
(or a meeting id with a character space larger than just digits). I wish
they'd do that instead (make meeting ids longer) so I could continue to enter
my company meetings with only a link but not have to worry about getting
wardialed.

~~~
bowmessage
Except the search space is much, much, larger.

~~~
godelski
Don't we want the search space larger? That way it is harder to wardial?
YouTube has 11 characters composed of [a-Z] and [0-9]. (26*2+10)^11 is a
pretty big number. There's no reason it couldn't be longer.

~~~
lmz
It would also make it harder to dial by phone, if you need to do so.

------
jdlyga
I work for a large multi-national media company, and we've been using
BlueJeans for video conferencing for the last few years. It's been very
reliable, but I haven't heard of very many others using BlueJeans. I'm curious
if the security issues in Zoom vs its competitors have more to do with the
number of people using it and putting eyes on it.

~~~
mroche
Red Hat uses Blue Jeans for their webinars, and the OKD project uses it for
the WG meetings. Not sure about internally or other projects as I don’t have
experience with them nor am I an employee.

~~~
cozzyd
Did Red Hat use Blue Jeans before being acquired by IBM?

~~~
agrover
yes

------
wcoenen
TechCrunch links seem to redirect through guce.advertising.com nowadays, which
is blocked by my ad blocker. Also, according to redirect-checker.org it takes
5 requests before finally landing on the actual page. Seems excessive.

------
blackrock
I’ve used a lot of these tools, and I have to admit, Zoom is the best.

As for the Zoombombing, I can’t say that I am surprised. All you really need
is the URL.

And all the other tools are like that too. Sure, you can require a separate
passcode, but damn it, it’s like trying to figure out rocket science to enter
the passcode.

1) you have to dial the number

2) you have to punch in the meeting ID

3) you have to punch in the passcode.

4) ERROR. You flipped it, and used the passcode for the meeting ID instead.
Aargh.. frustration.

5) Forget about the passcode. Just let everyone in that has the meeting ID.
And monitor if there’s someone unknown on the line.

~~~
GordonS
> you have to dial the number

It must have been at least a decade since I actually dialled into a video
conference using a phone, on any conferencing platform - I always connect
audio via my laptop or phone, which I use with a Bluetooth headset.

I was actually having this conversation with a bunch of colleagues the other
day, and every person in the call said the same thing, only difference was
some used a USB headset, rather than Bluetooth.

------
faitswulff
Waiting rooms don't help because you don't see any identifying information. My
sister's call got zoombombed even with a moderated waiting room. They were
trying to keep within their university's students, but they couldn't see the
email addresses associated with the zoom user name in the waiting room, so a
griefer got through.

~~~
raverbashing
For these cases required sign in might be best

~~~
achow
Seems like a user interface design issue.

At the minimum they could show anonymized email id:
ab<..hidden..>gh@univname.com

------
mavsman
Hopefully they do this for existing users as well. One of my fellow teachers'
classes got bombed today even after we were all sent instructions about
securing our meetings, enabling waiting rooms, etc.

She didn't follow the recommendation because she "didn't think someone would
join" because she hadn't posted the meeting link on social media. You have to
protect your users that won't protect themselves.

------
rdlecler1
Wouldn’t it have been easier to present an option to the presenter once X
number of people joined? So 3-5, no, but more then a dialog pops up asking the
presenter if they’d like to have a waiting room.

------
wodenokoto
My understanding was that chats simply had too easy to guess names.

Would this be solved by generating chat names through a cryptographic hash
algorithm?

I have Google Docs that are editable by anyone with the link and I’m kinda
assuming that the link is as hard to guess as logging in with a password.

Am I completely off and in dire need of reevaluating my personal web security?
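
An added example, not part of the thread or any poster's code, working through two points raised above: that a meeting ID plus a password is equivalent to one longer ID, and that a hash of a guessable name is no harder to guess than the name itself. The 10-digit ID length, 6-digit password, one million live meetings and the sample names are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

BASE62 = string.ascii_letters + string.digits  # letters and digits, as in the 11-character example

def id_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of an identifier drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def expected_guesses(alphabet_size: int, length: int, live_meetings: int) -> float:
    """Mean number of independent random guesses before one matches any live meeting."""
    return alphabet_size ** length / live_meetings

def new_meeting_id(length: int = 11) -> str:
    """Link-friendly ID with every character taken from the OS CSPRNG."""
    return "".join(secrets.choice(BASE62) for _ in range(length))

def hashed_name_id(name: str) -> str:
    """ID derived by hashing a human-chosen name (the idea asked about above)."""
    return hashlib.sha256(name.encode()).hexdigest()[:22]

def derivable_from(meeting_id: str, candidate_names) -> bool:
    """True if the ID can be recomputed from a list of plausible names."""
    return any(hashed_name_id(n) == meeting_id for n in candidate_names)

if __name__ == "__main__":
    LIVE = 1_000_000  # assumed number of meetings live at once
    schemes = {
        "10-digit ID (assumed length)": (10, 10),
        "10-digit ID + 6-digit password": (10, 16),
        "11-char base62 ID": (62, 11),
    }
    for label, (alphabet, length) in schemes.items():
        print(f"{label:32} {id_bits(alphabet, length):5.1f} bits, "
              f"~{expected_guesses(alphabet, length, LIVE):.2e} guesses per hit")
    # Constructed sample names: the hash output looks random but carries no more
    # entropy than the name that went into it.
    names = ["standup", "all-hands", "cs101-lecture"]
    print(derivable_from(hashed_name_id("standup"), names))  # True
    print(derivable_from(new_meeting_id(), names))           # False
```

The guesses-per-hit figure is what a server-side rate limit has to be sized against: the more live meetings share an ID space, the fewer guesses separate a scanner from some valid meeting.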

