Hi All
According to "The Intercept" Zoom has some issues, which can result in data leakage, privacy and apparently has encryption issues.
Does it have issues, during this crisis, as it is being actively used even by New Zealand Government agencies too for updates:
https://theintercept.com/2020/03/31/zoom-meeting-encryption/
https://www.businessinsider.com.au/zoom-privacy-issues-fbi-facebook-data-sharing-2020-3?r=US&IR=T
Or does someone have an agenda against the company?
Regards
Caute_cautim
There's always room for a good conspiracy theory isn't there? But, the IPO has passed and we are living with a deflated stock. Zoom software has always had some serious software defects that have been discussed in public for years. Did they ever fix them? No. Did anyone have the need to use their software? No. Times have changed. Now, they need to go back and re-engineer their product if they care about their reputation and stock price. Want more conspiracy? Just look at the 49 CVEs on record here. Btw those are just the published ones...
@AppDefects Thanks for the information - interesting that lots of new Zoom domains are being created actively every day: https://securityaffairs.co/wordpress/100752/cyber-crime/coronavirus-zoom-campaign.html
During this current worldwide situation. Seems they need to do a lot of work.
Regards
Caute_cautim
How long is this story going to run? https://www.theverge.com/2020/3/31/21201234/zoom-end-to-end-encryption-video-chats-meetings
Regards
Caute_cautim
We use it, and I don't think it is a big problem. Like a lot of companies, they have been thrust into the limelight due to Corona, and some issues are showing up. The privacy policy thing I'd like to understand, did they make changes to practices, or just clarify their policy language? That is, were they selling a bunch of information, then stopped when they got caught, or did they have very permissive language originally, but better practices, then trued up to the practices. I see a lot of complaints about people being able to crash meetings. OK, so enable your meeting passwords, which they have recently changed to as a default because of this. Maybe they should have had that as default for a while, but they offered it, for users to use to protect their meetings, and if they weren't used, are they to blame? Lastly, the encryption thing. To me it depends on what you consider and end. In a one on one call, the ends could be seen as the users. However, in a group conference call, the ends include the conferencing server, as they have to. You couldn't scale to a 100 users with 99^2 encrypted streams between them. Slightly overzealous marketing? Sure. That said, heavy on the slightly. Their definition of E2E encryption is far less concerning to me than a lot of things I see every day.
The iOS SDK thing, I'll give them poor monitoring practice marks, but the fact that it was only iOS to Facebook seems to indicate that is what it was, poor development practices that allowed something to be enabled. If they were serious about monetizing that information, they would have done it with a lot more client types.
In the end, I think they are generally a good company and product. There are certainly risks associated, as always, but one can minimize them, and in the balance of what they provide, I think it is a net gain.
I just saw this one, and have to update my comments to say that I think they have more quality issues than I thought. Some of the articles seem to be piling on, but things like this one show that they have poor practices from a security standpoint, so the balance is tipping in risk/reward.
There are a significant number of security issues with Zoom, but, overall, it seems to be a possible tool, if you know, and accept, the specific risks.
At the moment, the major one seems to be the popularity. As previously noted, at the moment everyone wants to get on the Zoom/teleconferencing bandwagon, and everyone is trying to download the app. (The fact that the Apple App Store, the Google/Android Play Store, and the Microsoft Store all have apps called zoom that have nothing to do with teleconferencing doesn't make things any easier.) Just to be clear, we are talking about zoom.us, and if you download something from some other zoom domain you may be in (malware) trouble.
A lot of hackers seem to be having fun with the conference number guessing. Since conferences are identified and managed via a nine digit number, hackers can "join" your conference if they guess the right number. At the moment, this seems to be more of a game where they "share" pr0n (drat you, dreaded "community" pr0n filter) in the middle of family calls, and other such annoyances (and sometimes more than annoyances). At the moment there doesn't seem to be too much in the way of targetted attacks. You can use a "password" to "protect" you call, but, since it is only a (six digit?) number, I'm not sure how much protection there is against automated password sequencing.
Yes, Zoom seems to have a pretty cavalier attitude towards security and privacy. It may become the "Facebook" of teleconferencing. Be aware of the various threats, attacks, and vulnerabilities, but, particularly in the midst of this crisis, it may be an acceptable risk for the communications benefit. We, in the Vancouver Chapter, are trying to set up a virtual meeting and presentation, likely around April 17th. (In fact, I'm running a practice test, for those interested in Zoom meetings, in less than an hour:
Topic: Security SIG test meeting
Time: Apr 1, 2020 11:00 AM Vancouver
Join Zoom Meeting
https://us04web.zoom.us/j/679324276
Meeting ID: 679 324 276 )
HI All
Apologies if this upsets anyone: https://www.theregister.co.uk/2020/04/01/zoom_spotlight/
It's just a headline from the Register UK source.
Even the Prime Minister of UK was caught using Zoom - crazy people.
Regards
Caute_cautim
Tech Crunch created a summary page of recent concerns.