
https://mobile.twitter.com/BorisJohnson/status/1244985949534...

Yes, shared by the Prime Minister, number and all. What a time to be alive.




I'm surprised they're even allowed to use Zoom for a national cabinet meeting. Wouldn't the Gov have its own video chatting software that is self hosted?


Number 10 has had Video Conferencing since 1998 (I set it up with college and received first call from there), was H320 via ISDN2 affair and had dedicated black box encryption unit GCHQ supplied and dealt with. DOH (Department of Health) also had dedicated VC rooms as did all the regional officers and MCU bridging for multi point conferencing was outsourced when needed. All main DOH sites could do up to 384 with bonded ISDN line (UK ISDN was 64k per channel and separate D channel, no bit stealing going on here).

That without a doubt all changed many times and somewhat surprised they are using Zoom, and would have thought at least would have contracted to run their own private server connected via VPN. Very surprised and when American politicians all loved their BlackBerrys, they had their own dedicated servers they controlled access to, supplied by RIM.

But the DOH and all the other government departments are entities unto themselves, and I'm not that up on anything the last couple of decades, but suspect that there isn't any common solution to enable what they need to do for remote working in isolation. I'm sure much will change after this. Also fairly sure GCHQ probably bashing their heads on the table.

But I can see how they got to where they are, knowing aspects of government workings and departmental fencing, still - does kinda make you go WTF still.


They'll undoubtedly have new iterations of that, based on the same premise that they install and own the kit at each end.

I suspect Zoom just happens to be the choice this particular group has settled on. While across government people have been scrabbling to just make something work now that security's previous modus operandi is being trumped by the need to let people work from home.

Government even more than the private sector have been slow to allow for home working. I'm hopeful this will change that.


I think video chatting with normal citizens would be quite difficult if you expect them to install VPNs and special video conference software that probably only works with gov.uk accounts. Grabbing a random laptop, connecting to the internet and using zoom sounds a lot easier.


The link shared by @verytrivial to Boris Johnson’s twitter account isn’t showing “normal citizens”, it is showing the executive branch of the UK, plus an account identified only as “iPhone” who has their camera and microphone switched off.


Dominic Cummings?


In 2020 open source conferencing software requires ZERO software apart from any recent browser or login.

e.g. https://meet.jit.si/hellozoomhowareyou


>Also fairly sure GCHQ probably bashing their heads on the table.

Not nearly hard enough. Not even close to hard enough. They need help with that, possibly with heavy machinery.


I worked on a minor, non-secure, tangentially GCHQ-aligned project. They're the most risk averse organisation I've ever met. Like, pathologically risk averse. I'd bet a small mortgage they had no oversight of that call.


> > Also fairly sure GCHQ probably bashing their heads on the table.

Core parts of GCHQ might love the potential honey pot. But their offshoot NCSC [1] will be table-flipping big time.

* [1] https://www.ncsc.gov.uk/


There is absolutely no way GCHQ signed off on this.


And yet they are powerless. Back to recording private conversations like the Stasi then. What a wonderful institution. They're useful how, exactly?

Not smacking their heads into the table nearly hard enough. Not even close.


That hyperbole might be an improvement.

Literally copying the literal Stasi approach to spying (not the rest, just spying) would simultaneously improve the quality of the data and reduce the negative side effects relative to the UK’s Investigatory Powers Act 2016.


By definition, in their line of work if you knew exactly how useful and effective they were they would not be doing their job properly. They report to the UK government, not to you and not to me even though I am a UK citizen (as you may be, I don't know). They have worked for governments led by or including all three main political parties in the UK and they all decided they were useful enough to them to keep, in pursuing their goals on behalf of the people who elected them. That's good enough for me.


But we do know how effective they aren't. And we do know that they have placed themselves above the law. If that doesn't concern you it really should.

The macho pose that comes out every time someone suggests they should be subject to, you know, the law and behave better than Stalin's henchmen is very worrying.

So who is the politician who is effective enough to provide true oversight and rein them in when required?

Name that politician. Any party.

Do you see the problem now?


>...and behave better than Stalin's henchmen

Yes see, this is why almost nobody in the general population takes opinions like yours at all seriously.


A hydraulic press could be useful here, I think.


In general (moreso focused on the EU than the Brits) I've never understood why the EU doesn't pump a billion a year, or a billion worth of dev hours a year into open source. That's an absolutely tiny, almost infinitesimal amount of EU budget (and even tinier for most member states their budget) and it would allow them to get out of the noose of closed source corporate support contracts and being beholden to foreign companies. Imagine how much a billion a year would accomplish spread over projects like LibreOffice, Matrix/Riot, an EU Linux distro, etc.


Whenever the government doles out money, the incentives are to do it in return for political favours. To counter that, various processes and institutions enforce checks and balances and accountability. In practice, that takes the form of grant applications, tendering, and the like. That then attracts a bunch of grifters who want to effectively steal the government's money, so the grant process gets longer and more complex, and things get more bureaucratic with heavy-handed checks and balances.

If a government anointed any given handful of OS organizations as preferred benefactors of donations, I'd expect grifters to infiltrate those organizations and parasitically siphon off the funds one way or another.

Incentives matter. Government incentives are to be popular, or attract the support of other people who are popular or influential. Being efficient or effective is only a small part of that. I don't know that there's a good solution to the incentive problem.


> If a government anointed any given handful of OS organizations as preferred benefactors of donations, I'd expect grifters to infiltrate those organizations and parasitically siphon off the funds one way or another.

I’d expect companies like Raytheon, Cerner, Lockheed Martin, Boeing, and HPE/CSC/DXC to win a supermajority of those contracts.


They probably would not even bid. Working on an OS project is fundamentally providing labor hours. Not high margin, no lock in, no investment and high profit tail on the business. It would end up going to little companies providing bodies at a low labor rate.


No way if those companies had to OS their code. You could pump money into OS slowly by making government departments pay a royalty to the maintainers/projects they work with. Things such as Drupal, Tomcat etc.


Maybe because it wouldn’t solve the problem? Building a great product requires so much more than just the money needed to do it. If money was the only thing required, no startup would probably exist and everything would be built by either governments or large corporations.


Well the idea would of course be to use the budget to invest into suitable European startups. To create a market, where startups could operate and innovate.


EU already does more than that, together with funding they get in touch with FOSS developers.

Please check https://joinup.ec.europa.eu/collection/eu-fossa-2/news/how-c...


The reason the "year of the Linux desktop" hasn't happened yet and open source hasn't conquered the consumer world isn't because of the lack of money. It's because none of the projects have a goal per-se; everyone works in their corner, on their own time, mostly just scratching their own itch. Donating money to them won't solve this problem. There's also a lack of certain skill sets like user experience design, project management, branding, etc.

If the EU wants an open-source conferencing solution they have to do it in-house (whether from scratch or fork an existing solution) and treat it like a business with a clear objective and actual employees (instead of benevolent devs donating their time & effort) including positions which open source projects often deem unnecessary like UI & UX design, and so on.


It's not billions, but the EU is funding some open source software. https://hexus.net/tech/news/software/125747-14-open-source-p...

I think France is also funding/developing Matrix.


FOSSA focuses on security audits, not development per se.

There's also EU Public License (EUPL). One notable example of software that uses it is Pi-hole.

One more interesting thing I can think of is Joinup, whose idea is to share solutions between administrations in the EU: https://joinup.ec.europa.eu/


You can self-host the video/audio parts of Zoom

https://support.zoom.us/hc/en-us/articles/201363093-Deployin...


Yeah, but you have to take your computer to the IT team.


Also interesting about that photo: Five of the 25 have portrait-oriented video feeds. Tbh this may make more sense for this kind of thing (shows more of the person rather than more of the space they're in) but I'm thinking about the hardware—am I correct in inferring that those five are zooming from their mobile? Do high-level UK cabinet ministers not have laptops?


I'm speculating, but they might find it more convenient to use a separate device for the video chat? Especially if you're using your laptop a lot during the video call, it's quite convenient to have the chat open elsewhere.


Esp considering I have had the zoom app completely crash my laptop multiple times.


Given how cavalier zoom is about privacy and its history on the Mac, the only place I'd be willing to use it is on my phone or ipad where it's boxed in by Apple's restrictions and has undergone app review. Apple had to push a silent OS update to remove zoom's insecure secret web server.


How the heck is Zoom even HIPAA compliant?


Is it though?


https://zoom.us/healthcare

> HIPAA/PIPEDA plans start at $200 per month per account, which comes with 10 hosts.


A relevant thread from yesterday:

https://news.ycombinator.com/item?id=22735746


Zoom claiming it's compliant has nothing to do with it actually being compliant.


If they have filed the paperwork[0] then they are. (Whether their solution to be compliant is or is not enough would have to be audited.)

Apple's FaceTime is not HIPAA compliant because they haven't filed the paperwork.[1]

(Obviously, there are a lot more steps to it than signing a Business Associate agreement, but I would bet FaceTime is probably a little more secure than Zoom)

[0]:https://www.hipaajournal.com/become-hipaa-compliant/

[1]:https://www.hipaajournal.com/facetime-hipaa-compliant/


And what about GDPR?


Microphone quality is still not a solved problem on laptops, and Windows' sound preferences UI does not make it easy to switch to a Bluetooth headset (that is, if you even have one on you).


Works for them I guess but when screensharing especially for code, mobile phones and tablets don’t work well.


I doubt they code for a living.


I only ever use Zoom on my phone - it frees up my laptop to be used during the call, and I refuse to install anything developed by that company on my laptop.


You can join Zoom meetings on your browser too. It's behind these twelve easy steps:

1. Go to zoom.com
2. Click "Join a meeting"
3. Enter meeting id and click Join
4. Ignore the automatic app download
5. Go back
6. Click "Join a meeting" again
7. Enter meeting id and click Join again
8. Ignore the app download again
9. Click at "If nothing prompts, click here"
10. Click "Join from your browser"
11. Agree to terms of service
12. Enter password and name, click Join

Yes, it actually requires you go back and try again at step 5. What dark pattern?


That's.... a thing of beauty. Honestly, it brings a tear to my eye.


If you are in awe of that, take a look at the official article about doing find and replace in MS OneNote:

https://support.microsoft.com/en-us/office/find-and-replace-...


What? That's crazy to hide such a useful feature!


The meeting host can enable the browser client link without the hassle in their settings. Unfortunately it's disabled by default.


Could they be using iPads? I can’t see why a high level executive or politician couldn’t get away with one.


Maybe they didn't get audio to work on their notebooks?


He accidentally let slip that he lives at 10 Downing Street too.


Does Zoom let you put a password on the room? Could that room have a password that is only known to the participants?


Yes, and it did (according to somewhere else on the internet).


Yes and (in my experience) it displays it at the top of the screen!


no, but it gives the host the link to share WITH the password, so people sharing the link also share the password (encoded)


Ah, I suspected it was something like that.


This is an optional setting.


It was made the default a few weeks ago


That's not the only security leak in that photo.


Why would his security people allow him to do that?

Or do these guys just post this kind of stuff without even running it by their security folks?

To me, this sounds like a security 101 type issue.


How would they stop him? Wrestle the phone out of his hands? He's in quarantine, anyway. Nobody is in the room with him.

The current UK PM is not the type to ask experts about whether it's a good idea, anyway.


Quarantine does not mean someone is alone. Just that they're isolated from most of humanity.


It's not much of a quarantine if he's locked in with all his staff.

https://www.washingtonpost.com/world/europe/boris-johnson-co...

> Johnson, on his doctor’s recommendation, has withdrawn into his chambers for seven days and will forgo all public appearances and in-person group meetings. He will have his food left at the door to his apartment, his aides said.

> “He’s self-isolating in his flat,” said his official spokesman.


Quaranteam


This sounds like a name for a suite of team collaboration software.


Every UK MP has his or her address listed publicly. In fact, this is a requirement to stand at election even at the town council level.


Yes, and every MP has a public email address that is staffed by slaves/interns/SpAds, they also have personal private emails that have much more sensitive political information in them.


Doesn't have to be the candidate's home address. Some use the local constituency office address, for personal security and/or to avoid stalking by nutters.


On a couple of pictures you can see balcony doors, house layouts, ceilings, vents, etc, doors. Every now and then CNN shares photos of the houses of rich and famous. They must be taking them from some magazine. Anyway, I remember looking at Cara Delevingne's amazing home, and I noticed that apart from walls with decorations, furniture, bathtub, etc there was NO view of doors, windows, balcony doors. Basically anything that would give away the location of the rooms (e.g. photo of bedroom with trees outside that would help identify floor and where in the building that room is). I am sure that these people have far more important things (documents) in their homes than Cara (but far worse taste).


The woman in the bottom left corner has the right idea. A white wall! And you're right about their houses. However with everyone home and the plods out on the empty streets. Now is not the time for a B&E


What else?


For one, Michael Gove's username appears to be the first part of an email address...


Why is the exposing of a government employee's email address a security risk to you?

Edit, because downvotes: government email addresses can be retrieved easily through public records laws, and is done routinely, and can easily be scraped or inferred. I've done both many, many times, and it's trivial.


Well at the very least it presents a soft target for hacking into his personal email address (it's gmail not government) and secondly, compromising it literally gives you access to dial into cabinet meetings.


Michael Gove has an illustrious history with his private emails as well: https://www.bbc.co.uk/news/uk-politics-17235168


Read my edit. Email addresses can be received through public records requests routinely. It's a public record!


This email address could be at any provider - perhaps it's his personal gmail address, for example.


And like one of the other comments in this chain points out - his personal email address was being used for government affairs, and that made it open to public records law suits. The public already has access to it.


Posting something like that on Twitter is like a dare.


Whose role in the Cabinet is as the 'Chancellor of the Duchy of Lancaster', which today essentially means a minister without portfolio.


Maybe covid-19 will get them to actually grok e2e encryption


e2e encryption for multi-party videoconferencing that works well enough to use for something like this is basically an unsolved problem at this point.


Was it not solved in FaceTime group chats? I can’t see the Apple Security Guide right now, but I know they claim that FaceTime 1-to-1 is e2e, and with their whole marketing thing being privacy, I bet they did it for group conversations too (not that it’s Enterprise ready since there’s no user management or SSO or whatever).

I’ve noticed over the years that FaceTime is much more likely than other video chat software to drop the video connection and move to audio only in case the connection is unstable whereas most others will hitch and lag for 30 seconds before looking into it, so maybe they got around it by only shipping the video in one or two resolutions?


Yeah, there seem to be multiple statements by Apple saying they can't access the content of FaceTime calls, without any qualification that it only applies to one-to-one calls. So it's probably a reasonable assumption that even the group ones are e2e encrypted.

How many participants can you have in a FaceTime group call?

I have also noticed that FaceTime drops the video much more often than other software.


You can video call up to 31 people (32 if you include yourself).


How would it be any different from any other e2e group chat?


You have to send all available qualities of the stream yourself. Normally the server does the recompression for lower qualities. That means: more processing power and more bandwidth needed. Where normally you'd be able to send 720p, now your device may not be able to handle doing both that and lower quality (2-3 streams) at the same time. This multiplies again with screen sharing.

Basically it's doable, but if you can prevent people complaining about the fans taking off and the CPU usage... why would you risk it?


H.264 has a spec for 'scalable video coding' [1] where one stream can contain multiple quality levels, allowing a video's quality to be reduced by just selectively dropping packets.

(No idea how widespread encoder/decoder support is compared to vanilla h264 though)

[1] https://en.wikipedia.org/wiki/Scalable_Video_Coding
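The trade-off discussed in the two comments above (a relay that cannot decrypt cannot transcode, but layered coding lets it lower quality by dropping packets) can be sketched as follows. This is an added example, not code from any commenter or from Zoom or FaceTime: the layer ladder, bitrates and function names are hypothetical, the layer id is assumed to travel in a cleartext header, and the SHA-256 keystream with HMAC is a toy stand-in for a real AEAD cipher.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed ladder: (layer id, label, kbit/s this layer adds on top of the lower ones).
LAYERS = [(0, "180p", 150), (1, "360p", 350), (2, "720p", 1000)]

@dataclass(frozen=True)
class Packet:
    frame: int
    layer: int         # cleartext header: the relay is allowed to read this
    nonce: bytes
    ciphertext: bytes  # opaque to the relay
    tag: bytes

def _subkey(key, label):
    return hashlib.sha256(key + label).digest()

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter keystream, standing in for a real AEAD cipher.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, fields):
    return hmac.new(_subkey(key, b"mac"), fields, hashlib.sha256).digest()

def seal(key, frame, layer, payload):
    nonce = os.urandom(12)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, payload)
    header = frame.to_bytes(4, "big") + bytes([layer])
    return Packet(frame, layer, nonce, ct, _tag(key, header + nonce + ct))

def unseal(key, pkt):
    header = pkt.frame.to_bytes(4, "big") + bytes([pkt.layer])
    if not hmac.compare_digest(pkt.tag, _tag(key, header + pkt.nonce + pkt.ciphertext)):
        raise ValueError("packet modified in transit")
    return _xor_stream(_subkey(key, b"enc"), pkt.nonce, pkt.ciphertext)

def top_layer_for(budget_kbps):
    """Highest layer whose cumulative bitrate fits the receiver's downlink."""
    total, best = 0, -1
    for layer_id, _, kbps in LAYERS:
        total += kbps
        if total > budget_kbps:
            break
        best = layer_id
    return best

def relay_forward(packets, budget_kbps):
    """The relay's whole job: drop enhancement layers by header, never decrypt."""
    top = top_layer_for(budget_kbps)
    return [p for p in packets if p.layer <= top]

def demo():
    key = os.urandom(32)  # held by call participants only, never by the relay
    sent = [seal(key, f, lid, f"frame{f}/{label}".encode())
            for f in range(3) for lid, label, _ in LAYERS]
    result = {}
    for name, budget in [("phone", 200), ("laptop", 600), ("desktop", 2000)]:
        forwarded = relay_forward(sent, budget)
        for p in forwarded:
            unseal(key, p)  # every forwarded packet still authenticates
        result[name] = (len(forwarded), max(p.layer for p in forwarded))
    return result

if __name__ == "__main__":
    print(demo())
```

Because the header is covered by the tag, a relay that relabels a packet's layer or alters its payload is detected by the receiver; all it can do is forward or drop.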


That's pretty cool. I wonder how well does it work with bidirectional communication. It sounds like for just sending/receiving where you can saturate the link, that would be awesome.


Wow, that is awesome. I know what I'll be spending some coronatime doing!


Ugh. Multiple compression streams? Why? 720p would be too much IMHO.


>Multiple compression streams? Why?

Zoom automatically switches between quality levels based on your connection speed, who's talking and the size of the viewport. 720p would look fairly rough when fullscreened on most non-mobile displays, but it's orders of magnitude more than necessary when viewed as a thumbnail on a mobile device. Making multi-user video work in a mostly seamless fashion is a surprisingly hard problem.

Using a single stream would substantially degrade the experience, which may be a worthwhile tradeoff for high-security environments but certainly wouldn't be a worthwhile tradeoff for most users.


It's not just about the resolution, but also the bitrate and fps. Perceived video quality is a big deal to companies like Zoom. I don't blame them for not using E2E, it's a tough technical issue, but I do blame them for lying about it.


720p is the standard laptop camera these days. You notice if anyone streams less. Next, desktop sharing is going to be at least 1080p. Then you need to have lower resolutions for anyone who can't handle that much on their connection. Same for desktop share.


> 720p would be too much IMHO.

I may be spoiled with a good real 50/10 Mbit connection but for me in 2020 720p is the bare minimum. Especially when screen sharing.


Where's the troll?

Ah, the guy at the top left.


More importantly, why does Liz Truss have a flagpole in her house?


Possibly a Zoom background?


Pork markets


I like that the Press HQ is not there... Makes perfect sense...


I wonder if the Zoom TOS allows them to monetize this kind of conversation in any way?



