New to Zoom - have their security issues been resolved?

Man, you really hate them :laughing:

1 Like

I noticed that Zoom’s blog post “mea culpa” was issued on April Fool’s Day.

Man, I really pay attention to the facts and news. :wink:

2 Likes

Look, that last article you posted with the list of problems is informative, so thanks for that. But as I read it, the main hacking problems have been fixed by recent software updates. You can prevent Zoombombing by setting a password and not making it public (imagine that!), and the other issues raised are more policy matters that are not illegal or unethical but that some people may not like because, well, they’re more paranoid about such things.

Like most things on the internet, don’t do anything stupid, take reasonable precautions, check your security settings, keep your software updated, and you’ll be fine.

Or some of us are just more paranoid than most people :wink:

Turn it up, folks!! :smiley:

It’s not simply a matter of the (constant stream of) hacking of the service, or the leaking of email addresses, or its secret retention on user machines of a compromisable installed server even after people uninstall and think all Zoom software is off their systems, or the leaking of videos themselves - story after story continuing unabated in recent weeks. It’s more than a privacy policy that shows it doesn’t really care about user privacy. It’s more than a sleazy installer that does an end-run around normal macOS safeguards by installing components during the preflight process.

It’s the service management itself, which flat-out lied about having end-to-end encryption for free chat (when caught, a PR person tried redefining the term to a definition that is simply inaccurate). And most recently it’s that the encryption keys are held in China, combined with yesterday’s report that researchers tracked streams sent to China from outside the country when there was no reason for them to go there.

Zoom’s eventual reply? A “misconfiguration”.

Yeah, this is not about bugs - it’s systemic.

1 Like

A good summary of what’s happening with Zoom

I disagree that a blog post calling Zoom’s response “impeccable” from a professor of an online Madrid-based MBA program offers a good summary, merely one man’s opinion. In the original post on his site he slagged WhatsApp and Facebook for “a horrible attitude of covering up the problems, denying everything and, moreover, clearly profiting from misuse of our personal data” while totally minimizing or ignoring the privacy compromises in Zoom, and ignoring the initial stonewalling, and the lies from the company about e2e encryption.

Security expert Bruce Schneier thinks their privacy policy stinks.

He details privacy and security lapses, which we’ve also discussed here. But he also looked at Zoom’s use of ECB mode in encryption and found it lacking: “ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography.”

It’s a good read.

Also, yesterday the Washington Post reported that these issues bubbling up finally are resulting in some school districts moving away (as some large corporations have already):

1 Like
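The ECB criticism quoted above is about a property of the mode, not of any particular cipher, and it is easy to see in code. The following is an added example (not code from the post, from Schneier, or from Zoom): a toy Feistel block cipher stands in for AES (it is a constructed stand-in, not a secure cipher), and the same plaintext is encrypted in ECB mode and in CBC mode. Under ECB, identical plaintext blocks produce identical ciphertext blocks, so the structure of the input (repeated regions of a video frame, for instance) survives encryption; under a chained mode with a random IV it does not.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16  # 128-bit block size, as with AES
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(half: bytes, key: bytes, i: int) -> bytes:
    # Keyed round function for the toy cipher: truncated SHA-256 of (key, round, half).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def toy_block_encrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    """Toy 8-round Feistel block cipher: a constructed stand-in for AES, NOT secure."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, _xor(left, _round_fn(right, key, i))
    return right + left


def toy_block_decrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    assert len(block) == BLOCK
    right, left = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round_fn(left, key, i)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks and the shape of the input leaks.
    padded = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(padded[i:i + BLOCK], key)
                    for i in range(0, len(padded), BLOCK))


def ecb_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return pkcs7_unpad(b"".join(toy_block_decrypt(ciphertext[i:i + BLOCK], key)
                                for i in range(0, len(ciphertext), BLOCK)))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before encryption,
    # so repeated plaintext blocks no longer produce repeated ciphertext blocks.
    iv = os.urandom(BLOCK) if iv is None else iv
    padded = pkcs7_pad(plaintext)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(_xor(padded[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)  # IV is transmitted as the first block


def cbc_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        block = body[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(block, key), prev))
        prev = block
    return pkcs7_unpad(b"".join(out))


def duplicate_block_count(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that repeat an earlier block (0 is what you want)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]
    # Constructed input: four identical blocks, like a repeated region in a video frame.
    message = b"ATTACK AT DAWN!!" * 4
    print("ECB repeated ciphertext blocks:", duplicate_block_count(ecb_encrypt(message, key)))
    print("CBC repeated ciphertext blocks:", duplicate_block_count(cbc_encrypt(message, key)))
```

Running it prints 3 repeated blocks for ECB (the four equal data blocks collapse to one distinct ciphertext value, plus one padding block) and 0 for CBC. The same leak happens with real AES: ECB is a deterministic block-by-block codebook, which is exactly why a reviewer reading "AES-ECB" in a product's design concludes nobody on the team asked a cryptographer; an authenticated mode such as AES-GCM is the usual recommendation for new designs.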

He’s a colleague of mine, and teaches at the number one private university in the country. I don’t know where you got your information, but I teach in a classroom next to him, it’s definitely not online only! He is also the person that normally appears on the national news whenever there is a technology related topic. So, he is a very respected academic, not just another random guy giving his opinion. He’s the most famous technology expert in Spain.

He is also right about WhatsApp and Facebook; the security issues that those apps have had are much worse than the issues Zoom has had. If you had WhatsApp installed on your phone, all the data on your phone was vulnerable for years (until they finally fixed it). Facebook is the worst thing for privacy in the history of the Internet.

I didn’t say it was online-only, but it is a large component of IE business school. My point in quoting him obviously was not that he was wrong about WhatsApp and Zoom, but that he blithely ignored the very same deficiencies in Zoom (and their lies) while minimizing the continued problems and calling their response “impeccable”. It just wasn’t “a good summary” of the situation.

Just because a university is the number one for online MBAs in the world (according to more than one league table), doesn’t mean most of the teaching is online. At the university in question (IE University/Business School), it is only a tiny fraction of the courses that are online. In fact, 90% are in-person (at least when there’s no quarantine!). Sorry to go off topic, but I don’t like misinformation spread about my employer.

Rob, you’re not paying attention. First you claimed I said it was online-only, then you claimed I said or implied “most of the teaching is online”. Either you’re getting upset and having trouble reading what I wrote or you’re setting up straw-man arguments to knock down.

EDIT: Initially I did call him a professor for an online program, so that was not completely accurate, so I do apologize for that.

1 Like

The Schneier article is great; I was just coming on here to post it. The comments are (or were yesterday, anyway) also well worth reading, as they contain some other perspectives and are generally well written.

My current thoughts about Zoom (I manage infosec for a small university):

  1. They have had and continue to have significant problems regarding security and privacy.

  2. They are currently, by far, the most responsive company that I have ever dealt with regarding the addressing of said security and privacy issues.

  3. Their problems come from a culture of trying to make things easy, taking shortcuts, and damn the consequences. This will not be easy for them to fix and it won’t happen overnight.

  4. They are agile.

  5. They and Amazon are the only companies that will even talk with us about meeting data residency requirements. They can’t meet them but they at least have acknowledged them and have told us that they’re committed to trying to meet them. Microsoft won’t even look at us when we bring this up.

  6. In the space of a week, we transformed a university that was nearly all in-person into one that is nearly 100% online. We had very limited time to evaluate anything, but we did our best. Zoom came out way on top for our needs; nothing else even came close. Their push for ease of use has given them a significant advantage over others, despite the problems that it has caused. We are not, however, using it for course delivery.

  7. Their claims of end-to-end encryption irk me and I wish that they would come clean about it. I wouldn’t hold it against them for not having that feature, as I have no idea how anyone could offer it at scale. (If anyone has insight and wants to share, I’m genuinely interested. FaceTime has a limit of 32 concurrent users, I believe, which is minuscule for a lot of use cases (not a shot at FaceTime in the least))

When we consider everything above (and probably stuff that I’ve missed, but I’m still on my first coffee of the day) and apply a proper risks-of-use vs benefits vs risks-of-using-something-else analysis, Zoom is the least bad option. For now. Things are changing very quickly.

I’m in contact with my counterparts across the province and the country, and we (my university) are far from unique in this course of action.

5 Likes

Here’s an opinion piece that echoes (mostly) my feelings about Zoom at the moment: https://medium.com/@gevron/get-off-zooms-case-i-trust-them-and-so-should-you-66e187f38ab

Tomorrow I’m going to be (virtually (and not in Zoom)) meeting with my counterparts (university CISOs and ITSec managers) from across the country to discuss the Zoom situation in light of the pandemic. I’ll happily share anything that comes out of that discussion that I can share.

3 Likes

https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/

1 Like

So out of the meeting I can share:

  1. Opinions are all over the place on this, but my sense is that most of my colleagues who are at sites that are using Zoom will not recommend that its use be discontinued.

  2. Most of us agree that Zoom is not currently suitable for discussions involving sensitive information.

  3. Zoom’s response to security issues has been exceptionally fast. This does not excuse some of the boneheaded things that they’ve done.

  4. Their (now abandoned, but held onto for far too long) insistence that their service employs end to end encryption when it does not, is absolutely inexcusable. The fact that it’s likely not possible to do true end to end encryption at scale does not make this any less inexcusable, nor should it prevent them from using it for sessions with small numbers of users.

My opinion:

Zoom’s problems stem mostly from a development culture that prioritizes(ed) frictionless service delivery over everything else, especially security and privacy. They claim that they have learned their lessons and have pivoted to be more security and privacy focussed. That they have engaged Alex Stamos as an advisor makes me think that they’re serious: If he doesn’t think that they’re doing the right things, I’m absolutely certain that he’d disengage with them. Time will tell, but so far I’m exceptionally impressed with their “awakening”, and also healthily sceptical.

As the person who heads the information security group for my organization, where we have begun to use Zoom as a part of our work-from-home strategy, I have recommended that we continue to use it but not for meetings in which highly sensitive issues are discussed.

For us the benefits that we see in service quality, scalability, ease of use, and the company’s willingness to at least discuss issues like data residency outweigh the risks as we currently understand them, for the use cases for which we currently endorse the use of Zoom. (These include student wellness activities like online yoga classes and similar things, which have been hugely popular with students who are enduring a time of extreme stress.)

This is not an endorsement or recommendation that anyone reading this should do the same thing. Security decisions are made by carefully considering risks, consequences, and benefits; the tolerances and scopes of those things are unique to every person or organization.

People who give unqualified “always do A” or “never do B” IT security advice generally should be avoided, and so nothing here should be considered advice to anyone.

This is a departmental webpage about the use of Zoom that the University of Waterloo put up to give guidance to their community. I like it.

As an aside, the meeting that I attended today was via WebEx and attended by about forty people. The experience wasn’t great compared with Zoom sessions for a comparable number of people and the fans on my MBP were running very audibly, something that does not happen with Zoom (or Amazon Chime).

This may seem like a rebuttal to some of the anti-Zoom stuff. It’s not really intended that way. The criticism of Zoom has been much deserved, if sometimes a little sensationalized. It’s my hope that the result of all of this will be a company offering a great product with a much improved privacy and security culture.

Finally, this is a very rapidly evolving situation. Next week I may have completely different thoughts or opinions. In fact, if I’m doing my job well, I will :slight_smile:

4 Likes

I don’t feel comfortable installing the Zoom application on my computer after reading about their behaviors, so I simply use the web client whenever I have to attend a Zoom meeting. To do so, you only need to change the /j/ part immediately after the domain in the invitation link to /wc/join/ and visit the modified link with your browser, e.g., to join a meeting with the link https://zoom.com/j/123456789 you visit https://zoom.com/wc/join/123456789.

A caveat is that the Zoom web client doesn’t work for me using Safari or Firefox — maybe another flag of Zoom’s privacy concerns — it only works in Chromium-based browsers.
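The link rewrite described in the post above is a one-line text edit, but doing it by hand on every invitation invites mistakes (replacing the wrong "/j/", dropping the query string, or "fixing" a link that was never a Zoom join link). The following is an added example, not from the post or from Zoom: a small Python helper that parses the invitation link, checks that it is an HTTPS link to an expected host with the /j/<meeting id> path shape, and rewrites only the path, carrying any query parameters through unchanged. The host allowlist is an assumption taken from the post's own example domain (zoom.com); adjust it to whatever host your invitations actually use.

```python
from typing import Optional, Sequence
from urllib.parse import urlsplit, urlunsplit

# Hosts we are willing to rewrite. "zoom.com" is the domain the post uses in its
# example; the hosts in real invitations are an assumption to be adjusted locally.
ALLOWED_HOSTS = ("zoom.com",)


def to_web_client(url: str, allowed_hosts: Sequence[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Rewrite an app-launching invitation link (/j/<id>) into the browser
    web-client form (/wc/join/<id>).

    Returns None for anything that is not an HTTPS link to an allowed host with
    the expected path shape, so that a lookalike domain or an unexpected path
    is never silently turned into something that looks trustworthy.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = (parts.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "j" or not segments[1].isdigit():
        return None
    # Rewrite only the path; the query string (any meeting parameters) is kept intact.
    return urlunsplit((parts.scheme, parts.netloc, f"/wc/join/{segments[1]}", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample links: the post's example, one with a query parameter,
    # and one on a lookalike host that must be rejected.
    for link in ("https://zoom.com/j/123456789",
                 "https://zoom.com/j/123456789?example=1",
                 "https://zoom.com.lookalike.example/j/123456789"):
        print(link, "->", to_web_client(link))
```

Because the function returns None rather than guessing, it can be wired into a browser bookmarklet or a shell alias with the rejection cases surfaced to the user instead of being quietly opened.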