Zoom’s 90-day plan to bolster key privacy and security initiatives

Zoom’s 90-day plan to bolster key privacy and security initiatives(blog.zoom.us)

114 points by karambir 6 years ago | 98 comments

DenisM 6 years ago |

I'm still not sure what to think of the whole debacle.

Zoom could be a victim of the internet mob justice, where every inevitable misstep is blown out of proportion. Perhaps the mob is helped along by some competing interests. Or Zoom could be yet another tech company with dubious ethics (like U: or F). I doubt they are outright a PLA branch, that would be far too obvious.

This isn't just idle musings - I love how Zoom allows me to share screen/whiteboard, and see people's faces at the same time. It works really well for remote dev collaboration, in some ways better than physical presence. And yet the question of safety remains.

Should I go and research WebEx?

lacker 6 years ago | |

Occam’s Razor. Zoom usage went up by 8x in a few months. Usually doubling in two years is great for a public company. So that’s 6 years of great growth, compressed into a few months. It shouldn’t be surprising to see six years of security problems also compressed into those three months.

I think Zoom is on track to fix these problems quickly and cement their spot as the best solution for videoconferencing.

ergothus 6 years ago | | |

Zoom had the same security issues with half the traffic. Acting like usage causes them is disingenuous.

Technically speaking, zoom has shown off great and remarkably stable/scalable features.

But that is orthogonal to whether they are putting people at risk (e.g. not-so-secret therapy sessions) or lying about their feature set (clearly claiming to have end to end encryption).

user5994461 6 years ago | |

It's not blown out of proportions. If anything the major securities issues went mostly unnoticed in the noise of the media trying to bank some ads revenues.

There were 2 RCE that would have allowed anybody to easily take over any computer using zoom. The first one last year was wormable, triggered by simply visiting a website with no interaction (like a javascript ad).

Other video conference tools don't have these because they didn't try to provide the same features or work around the OS.

Except for Skype, that still has one samba relay attack left like zoom, that went mostly unnoticed. From my research they had the exact same issue but blocked the RCE part in 2018 CVE-2018-8311 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8311

NegativeLatency 6 years ago | | |

Sketchy package installer to boot https://macpkghallofshame.tumblr.com/post/138612887932/indis...

ggggtez 6 years ago | |

>dubious ethics

Yeah, I think datamining to steal and sell your LinkedIn account counts as dubious ethics. Or claiming to have E2E but actually they don't.

There is a good share of incompetence as well, like the CSP issues.

brobinson 6 years ago | |

Using AES in ECB mode and doing key exchange on servers in the PRC are not simply "missteps".

anoraca 6 years ago | |

"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

k33n 6 years ago |

So were they really sending data to servers in China? From what little I've heard and read about this, that is what stood out to me. Not sure they should ever be trusted again after that.

pwarner 6 years ago | |

I think this is the Zoom response to that one: https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...

As I read it they accidentally routed some data to China based servers for a month (Feb 2020) due to a config mess up during their crazy fast scaling period. This is since fixed.

hyko 6 years ago | | |

They were making requests to IPs in China long before Feb 2020. At the time I assumed they’d been hacked, but in retrospect it seems like this was just how their organisation is distributed.

Needless to say, I have decided not to endorse their videoconferencing solution.

ufmace 6 years ago | | |

I'm inclined to believe that for now. Though I fully expect that a bunch of security researchers will be taking a very close look indeed at exactly what data is still going to or through China. I am open to changing my mind upon seeing evidence that, after being informed of the problem and promising to correct it, they failed to resolve the issue and continue to send data to any country it doesn't need to go to.

dehrmann 6 years ago | |

Serious hypothetical question: suppose you're able to capture all Zoom calls. If you're a foreign government, how do you scale the analysis, and what can you generally do with the information?

It'd be hard to get a useful amount of trade secrets or know-how. You'll see partial schematics and design docs, but without much context. At the executive level, you could at least scale the analysis to have actual people monitoring the calls. You could get broad strategy (e.g. launch a mid-range 5G phone in 2021 Q1) and enough financial information to make some well-informed trades.

cyphar 6 years ago | | |

The NSA figured this out in the 90s -- you filter based on metadata and then retrieve the corresponding data if necessary. Aside from the fact that this (in the NSA's view) allows them to sidestep the 4th amendment, it's usually much more effective than sifting through billions of records every day. That same system lives on today with XKeyScore (or whatever they've replaced it with in the past 7 years).

makerofspoons 6 years ago |

Zoom's web SDK and web client were down for nearly four days over the weekend with minimal communication, and when they brought it all back they killed a key functionality the education market needs which is the ability to join a meeting without an account: https://devforum.zoom.us/t/in-progress-web-sdk-web-client-fr...

jpdus 6 years ago | |

You can still activate this functionality in the settings, it now only deactivated by default due to the public outcry over Zoombombing etc.

Amusing that many of the changes lowered accessibility significantly (e.g. my grandmother wasn't able to join the meeting anymore after passwords became default). I still don't get it. Skype was way worse in my opinion and nobody ever cared about it.

flippyhead 6 years ago | |

Actually this isn't true anymore, they have since added the _option_ to not require an account when using the web client. The Web SDK still works like before and also doesn't require an account.

But I agree, the way it was handled was harrowing.

makerofspoons 6 years ago | | |

Thanks! I fell out of the loop with this.

jedieaston 6 years ago | |

Shouldn’t schools be using SSO with Zoom Education, or does that cost money?

kyawzazaw 6 years ago | | |

I believe that costs money. But quite cheap actually.

My college (~2200 students + a couple hundred faculty/staff) pays $18k/yr for Zoom Enterprise. Good value, I'd say.

criddell 6 years ago | |

Why is the need for an account a showstopper?

makerofspoons 6 years ago | | |

Many students aren't old enough to create their own accounts and getting parents to create accounts and provide credentials is a bureaucratic mess for the schools I volunteer with.

londons_explore 6 years ago |

"90 day plans" tend to be management & PR things... Real engineering is more of a "it takes as long as the job takes"...

wuunderbar 6 years ago | |

Can you blame them? Most users and purchasers (at a lot of companies the people making purchase decisions aren't actually the users) don't really understand or care about how long real engineering takes. As long as they made a decision to pick a vendor based based on the principles of Cover Your Ass it's all that matters.

It's another primary reason why so many "enterprise" companies purchase Redhat over running CentOS.

tommoor 6 years ago | |

Yep, entire post is pure marketing signaling and nothing in the way of details.

DevX101 6 years ago | |

Eric Yuan is the real deal. He's an engineer and is taking this seriously. This isn't marketing spin.

TheChaplain 6 years ago |

uh, is that an outlook-email link with someone's username in? The one linking to Alex.

technicaldonut 6 years ago | |

Yup. Looks to be their email address. Email is from PR firm Sard Verbinnen & Co.

basch 6 years ago | | |

Safelinks have the email address of the recipient of a link.

cobookman 6 years ago | |

To be fair, Alex's public profile includes a link to his email: https://cisac.fsi.stanford.edu/people/alex-stamos-0

arkadiyt 6 years ago | |

Probably someone internally emailed Alex's Stanford profile to their blog content writer - the sender had email tracking enabled and the writer blindly copied the link.

Justsignedup 6 years ago |

and this is why product over security always wins.

there's mob mentality right now, but zoom got a TON of customers, and now is gonna have proof of end-to-end encryption in a couple of months.

boom.

zoom wins.

honestly just don't talk on zoom about something highly secretive such as ... idk... something a government is interested in as that isn't currently secure, other than that, don't sweat it.

larkost 6 years ago | |

They are very unlikely to have end-to-end security in a couple of months, for the same reason few (if any) of their competitors have it: it is really bandwidth intensive to send full-resolution video of every participant to every other participant. So everyone sends low-res for most participants, and at most one high-resolution stream. To do this you have to be able to make low-resolution streams out of the high-resolution one people are sending you (to pass along to others). That means you have to terminate encryption on the server side. Once you have done that you are no longer "end-to-end". This is just the state of things.

This is a valid tradeoff for most things, but the real problem here is that Zoom claimed (and continues to claim) "end-to-end encryption", while not providing it. That is a lie, and people naturally wonder what else you are lying about.

viraptor 6 years ago | | |

You can also send two streams (high and low quality) from each client and make other clients request the right one from the server. Yes, it's slightly more bandwidth than before and now complexity. No, it doesn't require full mesh of connections to be E2E.

sandov 6 years ago | |

And don't install the Zoom app on a computer where you store secretive data, such as medical information, private keys, passwords, credit card data or anything that you don't want the government or cyber-criminals to know.

Doesn't sound as easy now.

upofadown 6 years ago | |

There is some evidence that they have a form of useless end to end encryption now. Since hardly anyone knows what the prerequisites are for useful e2ee they can probably make the announcement whenever they want.

tmaly 6 years ago |

My company banned the use of Zoom on company computers or computer connecting to the company network.

Has anyone else had this happen to them?

mullen 6 years ago | |

The very large company I work for banned all video conference software except for what is provided by the company. I don't think it is just about security, but make everyone use the same system(s) because it just got too confusing to communicate with other divisions or even departments. You can search for people in other divisions and then video chat with them if you want, or just plain old school voice chat.

Luckily, the software we are required use works pretty well on iOS, Android, OSX and Windows.

ssully 6 years ago | |

No one I know has had it happen yet at their places of work, but I saw a lot of discussion about New York City schools issuing a ban earlier this week [1].

[1]: https://www.businessinsider.com/new-york-city-schools-bannin...

downerending 6 years ago | |

Supposedly Google just did.

diebeforei485 6 years ago |

Mac App Store version when?

ken 6 years ago | |

Or even a non-MAS app that's sandboxed, if it's going to be free anyway and they prefer to manage their own release schedule.

adultSwim 6 years ago |

I wonder if Google and Apple were directly involved in the campaign against Zoom.

throwaway15392 6 years ago |

They’re in the same bed as China. I don’t trust them for anything now, this to me is just a PR management exercise. They’re still going to give away your data

dang 6 years ago | |

Would you please stop posting unsubstantive and/or flamebait comments to HN? We're hoping for a better quality of discussion than this, and (especially) than what it leads to. Case in point: see below.

https://news.ycombinator.com/newsguidelines.html

s_y_n_t_a_x 6 years ago | | |

I believe the GP was referencing Zoom's encryption going through China's servers, which was on HN's recently: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...

There are valid criticism to be discussed about China's actions and how much Zoom should be trusted given its close relation.

There's been many criticism of the US government here and I never see anything flagged or removed, I would consider that nationalistic and provocative under the same guidelines. I just don't see why the China discussions are removed.

jimbob45 6 years ago |

Zoom won the proverbial lottery with this pandemic and lost their ticket through greed/laziness. Great companies are always prepared when their big break comes. Zoom is not a great company.

tcoff91 6 years ago | |

You don't have to be a great company to win in the market. I'd bet that zoom still maintains dominance and manages to con people into believing that they're super secure now guys.

blast 6 years ago | |

It looks to me like they've still won the lottery.

teknologist 6 years ago |

I can't quite figure out what's going on with this thread. It seems to have an eerie amount of posts about support for Zoom, perhaps by paid trolls ("wumaos")?

dang 6 years ago | |

Please don't break the site guidelines by posting insinuations of astroturfing. Overwhelmingly, such perceptions are simply in the eye of the beholder. I say that based on many years of looking at that data, and you can find more explanations here than anyone would ever want to read: https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme....

https://news.ycombinator.com/newsguidelines.html

If you're worried about this kind of thing, follow the site guidelines and email hn@ycombinator.com so we can look into it. (We always do.) In this case, though, the simplest explanation seems adequate: the community is divided. When there's a popular divisive topic, people who feel strongly for side A always feel like the amount of support for opposing side B is 'eerie', because it's hard to imagine how it could possibly be in good faith. Of course B feels the same way about A.

Edit: oh dear. It seems like you've been using HN mostly for nationalistic battle lately. We ban accounts that do that, so please stop. It's emphatically not what this site is for, regardless of which nations are at issue.

yalooze 6 years ago |

I can only assume CISO is Chief Information Security Officer? I hadn't seen the acronym before. Bad Zoom for not writing it out in full on the first instance.

downerending 6 years ago | |

I only first encountered it a year or two ago. It's pretty difficult to keep up with management/marketing buzzwords.

In any case, anyone at the 'C' level almost by definition knows little or nothing about actual computer security.

munchbunny 6 years ago | |

"CISO" is a pretty standard acronym. People who don't work in cybersecurity or who don't have that background might not recognize it, but it seems like a minor detail.

yalooze 6 years ago | | |

Sure, it's a minor detail. And yes, you can say the audience for this post are people who work in cybersecurity. But it costs nothing to introduce the acronym, as is usually recommended. Without it you are alienating anyone who doesn't know the term.