Apparently Zoom is safe. Or it will be. If you pay ...
@rslade It is a PR job?
Bruce Schneier is now a lot less happy with Zoom, due to the pay for privacy feature.
See his new (6/4/20, or for our EU patrons 4/6/20) blog post,
In that post he does call them out for the subtle double-talk of how they describe e2e or not and other aspects of marketing language to fool the average potential customer.
Subsequent comments on Schneier's post are worth revising, too.
Right. Although, as a security person, I may hate to admit it, the Vancouver Chapter is using Zoom for its June 12th virtual/remote meeting. As part of the testing for holding it, we tried to figure out whether you actually need a Zoom account or have Zoom installed to "attend." The answer seems to be "no," but with some caveats.
Right, this is complicated. And I'm not sure that I am able to test a complete "no-install" situation, since my machines all appear to be contaminated with Zoom. (More on that later.) (I'm pulling up the old Android tablet right now to try and remove Zoom from it (it was a pre-5 version anyway: 4.4.5391.0520) and see if I can test that.) (But it never did cooperate.)
On my main desktop, I have never installed Zoom (since I don't have a Webcam on it), but I have done some work on my email@example.com account (via the Avast browser), and have used the Chrome browser with a Zoom install on the same account. I seldom use Edge, so I don't think I have anything installed on the Edge browser, but the install via Chrome seems to have "contaminated" my desktop Win10 machine in its entirety.
So, Fred set up a test meeting, and, on the Edge browser, I entered the URL and got the screen that shows as
Figure: zoom no install reg 6.PNG
I registered using my firstname.lastname@example.org address, which I have never before used for a Zoom meeting. This resulted in
Figure: zoom no install reg 5.PNG
I clicked on the link (the lo-o-o-ng URL) provided, and got
Figure: zoom no install reg 4.PNG
Now, at this point, I have to strongly note that I did not click on the "download & run Zoom" link. I did click on the "join from your browser" link. This, unfortunately, brought up
Figure: zoom no install reg 3.PNG
which was definitely not in my browser. Any of them. It was Zoom.
At this point, looking back at my browser, I took a screenshot of
Figure: zoom no install reg 1.PNG
There are two things to note. The first is that I definitely did not click on the "download Zoom" link. The second is to note the bottom message on the screen about Zoom_[hex numbers].exe. I did not either run or save it. As previously noted, the fact that Zoom came up was from a previous install via a different browser. At this point, I probably don't have any machines in the house that are uncontaminated by Zoom.
So, Zoom is very "helpful" about getting onto your machine. As a malware researcher, I'm not sure how I feel about that. On the one hand, we can probably offer the meeting to anyone with a browser, regardless of whether they have a Zoom account or have ever used Zoom. On the other hand, as a drive-by download, it works great, and I'm not really thrilled about having stuff installed on my machine with lots of access that I never gave it.
Anyone is welcome to join our meeting, of course, but anyone who has not used Zoom is particularly welcome, and we'd love to hear about your experiences. The registration for the meeting is here. It starts at 2 pm, Pacific time, but Fred and I will be on from 1:30 pm, and, if you want to do some testing from a "cold" machine and see how easy or hard it is to get on, we'd be grateful.
As a long-time employee in the voice & video collab space, I was going to write a nice long response on this thread, only to find out that a blog post just dropped that hit on many of my key themes:
Ease of Use vs. Security: The Zoom Conundrum by Phil Edholm
... "As part of making that experience easier, Zoom calibrated the settings knobs to simplicity, often eschewing potential security considerations in the process."
"As the initial market for Zoom wasn’t the Fortune 100 IT departments, but rather SMBs and individual users ... Users didn’t need to learn complex controls to have the customer share something; it just worked. In fact, that has been the biggest compliment to Zoom — it just works."
It's worth the 4-minute read, no installation of self-downloading tools required.
How did the Chinese government even know that this call was taking place and what "local laws" were complied with?