back to article Zoom vows to spend next 90 days thinking hard about its security and privacy after rough week, meeting ID war-dialing tool emerges

Video-conferencing app maker Zoom has promised to do better at security after a bruising week in which it was found to be unpleasantly leaky in several ways. The pledge came in a memo to customers from CEO Eric S. Yuan, in which he said: “Over the next 90 days, we are committed to dedicating the resources needed to better …

  1. NATTtrash Silver badge

    This week, the biz admitted to infosec journo Brian Krebs that this password-protected-by-default feature may not be working as intended, leaving people's meetings exposed.

    Very true. Especially if people (re)use their personal meeting room, of which the meeting ID does not change. I'm not sure, but I believe there is a specific Zoom setting that, so that for a personal room meeting no password is generated and/ or required. What I do know however, is that in the period since Zoom introduced the new password rule, I didn't encounter a single time I had to enter one (avg. 3-5 Zooms/ wk).

    1. Phil O'Sophical Silver badge

      This. With webex it was easy, when you started a meeting as host you had to give a password, it could be different for each meeting. Zoom makes it a real PITA to do. You can set a default password for your personal room, but once that becomes common knowledge it serves little purpose. They need to add a way to easily choose a password each time you host a call.

      1. John Robson Silver badge

        It is easy - it's just below the date/time settings...

  2. Mr Dogshit

    I really fancy a Lyons Maid lolly now.

    1. Smooth Newt Silver badge
      Happy

      I really fancy a Lyons Maid lolly now.

      Keep quiet about it. Walls have ears.

      1. KittenHuffer Silver badge

        I know, I found one in my Cornetto!

        1. David 132 Silver badge
          Happy

          Just one?

          1. stiine Silver badge
            Coat

            One lolly or one cornetto?

            Guess what's in the pockets...

          2. RegGuy1 Silver badge

            Give it to me!

  3. ibmalone Silver badge

    A Chinese company called Zoom Technologies also enjoyed a surge in investment after buyers mistook its $ZOOM ticker symbol for Zoom's $ZM.

    Ah, the invisible hand strikes again.

    1. Doctor Syntax Silver badge

      Helped along by the fat finger.

      1. Yet Another Anonymous coward Silver badge

        The famous story about the 'CUBA' mutual fund Thaler-the-cuba-fund

        tldr: a USA fund with the ticker symbol CUBA (nothing to do with the island) doubled in value when Obama talked about easing sanctions. It stayed high as everybody laughed about the story and then went up again when Castro died !

        1. adam 40

          Castrol died? No wonder the price of oil has collapsed!

          1. zuckzuckgo Bronze badge

            He was a very slippery fellow.

  4. Dr_N Silver badge

    Anyone else...

    ... hear the Fat Larry's Band track in their head every time this service/app is mentioned?

    1. Vometia Munro

      Re: Anyone else...

      I do now. D:

      1. Dr_N Silver badge

        Re: Anyone else...

        My job here is done.

  5. Dan 55 Silver badge

    To be honest you can't blame people for going to Zoom

    I've had to. In a five-way Skype videocall, two people couldn't see two other people's video, the feedback was horrendous, and one person got dropped. That was after it took about an of hour messing about for two people to add each other to their contact list even knowing their Skype ID (not e-mail address).

    How did Microsoft manage to turn Skype into such a turd?

    1. Oh Matron! Silver badge

      Re: To be honest you can't blame people for going to Zoom

      "How did Microsoft manage to turn Skype into such a turd?"

      Is this a rhetorical question?

      1. robidy Silver badge

        Re: To be honest you can't blame people for going to Zoom

        It's end of life, due to die 2021 for business, not sure about consumer version.

      2. dinsdale54

        Re: To be honest you can't blame people for going to Zoom

        Lync was always a festering bag of shite. Microsoft had two choices - fix it, or rename it to Skype for Business to try and hide its awfulness behind a rebrand.

        No guesses for which approach they took.

        As a general rule, the quality of software is inversely proportional to the frequency of name changes.

        1. J. Cook Silver badge

          Re: To be honest you can't blame people for going to Zoom

          ... and prior to Lync, it was OCS (Office Communicator Suite)2007/2010...

          Skype for Business is based on the same source code and has the same complex architecture.

          Part of me wishes that we had paid the Cisco tax and gone to Jabber - it certainly integrates better with Call Manager and (rumor has it) slightly easier to set up and maintain...

        2. CountCadaver Bronze badge

          Re: To be honest you can't blame people for going to Zoom

          I still haven't forgiven them for killing off messenger, simple, did what it needed to and with no real extra cruft (barring the last couple of versions) then they thought "people aren't moving to Skype so lets force messenger users onto skype"

          Most people I knew were on either msn messenger or ICQ, now folk are on a whole range of stuff from dumpster fires like bookface and instagram, to snapchat to whatsapp and several more I forget.

          I was talking about this the other day with a friend and she said the same thing, used to be easy to hold a 3 or 4 way chat, just add them to the msn convo or create a new one. Now however everyone is so fragmented its like herding cats and no one wants to use anything bar what they are on...

      3. This post has been deleted by its author

    2. Gordon 10 Silver badge

      Re: To be honest you can't blame people for going to Zoom

      The same way Cisco made Webex such a turd?

      Zoom isn't by any means perfect. It just a damn sight better in UX than any other of the Virtual meeting tools out there.

    3. robidy Silver badge
      Joke

      Re: To be honest you can't blame people for going to Zoom

      Give Microsoft a month or so and they'll buy Zoom and we'll have Zoom meetings for Teams and in 5 months time Teams will be chargable to everyone.

      1. tin 2

        Re: To be honest you can't blame people for going to Zoom

        and they'll make zoom rubbish somehow.

        1. noboard

          Re: To be honest you can't blame people for going to Zoom

          You mean make it even worse, from the article it's already pretty terrible for serious use.

          1. robidy Silver badge

            Re: To be honest you can't blame people for going to Zoom

            Zoom is great for a free 50 user video conf call product...security and privacy aside...

    4. Charlie Clark Silver badge

      Re: To be honest you can't blame people for going to Zoom

      Why did you need 5 simultaneous video streams? I try and hide these whenever I'm on calls where people have the camera running. It would be nice if you could easily switch off incoming video feeds.

      Used Skype a lot recently and quality has generally been okay but I think a lot will depend on the network traffic on whichever server is doing the mixing of feed.

      1. Dan 55 Silver badge

        Re: To be honest you can't blame people for going to Zoom

        Er, family. Contrary to popular belief I wasn't hewn from rock.

        1. sabroni Silver badge

          Re: Er, family. Contrary to popular belief I wasn't hewn from rock.

          TBH even seeing the mugs of the team I work with is welcome these days....

          Curses, wot am I saing?!?!

          1. Fred Dibnah Silver badge

            Re: Er, family. Contrary to popular belief I wasn't hewn from rock.

            +1 for Molesworth.

      2. John Robson Silver badge

        Re: To be honest you can't blame people for going to Zoom

        Pretty easy on zoom to not see faces.

        On a mobile device is has something ironically* called safe driving mode....

        You just get a big button which toggle your mute status, and no other info on screen.

        Of course it’s probably still streaming all the video feeds anyway...

        * at least I hope it’s ironic.

  6. AMBxx Silver badge
    WTF?

    90 Days?

    By then, the lockdown is hopefully going to be eased. At that point Zoom traffic is going to plummet as people realise video conferencing while working from home is just Internet Presenteeism.

    I wish I had the nerve and capital reservers to short Zoom stock.

    1. robidy Silver badge
      FAIL

      Re: 90 Days?

      If it's a sure fire bet when do you need reserves?

      1. AMBxx Silver badge

        Re: 90 Days?

        That's how shorting works - you need the margin.

        1. robidy Silver badge

          Re: 90 Days?

          Butif it's a sure fire bet, you have "nothing to lose" so why do you need reserves.

    2. tin 2

      Re: 90 Days?

      Assuming the lockdowns do get eased, It's gonna plummet, but not going to the levels it was, now people have been forced to make videoconferencing work of sorts. A significant percentage of companies and/or of meeting organisers are going to realise it really doesn't need people blowing valuable time travelling and the associated costs quite as much as before.

      Just a shame someone needed to show all the other videoconferencing "experts" how to write software that actually works - most of the time.

      1. Charlie Clark Silver badge

        Re: 90 Days?

        Not when they realise how much it will cost to bring home offices up to the safety standards demanded of normal offices.

        1. Jimmy2Cows Silver badge
          Holmes

          Re: 90 Days?

          Ummm.... since when have the safety requirements for each been remotely equivalent?

          1. robidy Silver badge

            Re: 90 Days?

            Employers have a duty of care to their employees. That's regardless of where they are working - tell the HSE they are wrong if you disagree. Depending on the interpretation of temporary you need to carry out normal checks as you should/would at work.

            If you expect/need someone to work outside the office you duty of care doesn't stop at the office front door.

          2. Charlie Clark Silver badge

            Re: 90 Days?

            Employment law in most countries says that the rules are the same wherever the work is carried out.

        2. 96percentchimp

          Re: 90 Days?

          Don't worry, Cummings Wyrmtongue will soon have Boris (or Raab if the Poundland Churchill expires) erase all of those pesky H&S laws. Impediment to the free market, All Hail Sant Margret of Grantham etc etc

  7. BigAndos

    The security issues are very concerning, but hats off to them for coping with a 20 fold increase in users in a few months. Webex has been appalling for the last few weeks and hangouts meet seems to display about 5 pixels from everyone's webcam despite the mighty Google running it. Lets just hope they can improve the security and privacy issues without killing off the performance.

  8. Anonymous Coward
    Anonymous Coward

    http://www.commitstrip.com/en/2019/08/30/the-future-of-video-conferencing/

  9. General Purpose

    Odd install and incomplete uninstall

    Rather unusually, the Windows Zoom Client installs into %user%\Appdata\Roaming\Zoom, placing many dlls and executables in a \bin folder there.

    Uninstalling doesn't remove its firewall rules.

    1. Ken Hagan Gold badge
      Pint

      Re: Odd install and incomplete uninstall

      Now that you mention it, neither does my product. Thanks for the bug report. We don't do bug bounties but you can have a virtual one.

      1. General Purpose
        Pint

        Re: Odd install and incomplete uninstall

        Cheers!

      2. Anonymous Coward
        Anonymous Coward

        Re: Odd install and incomplete uninstall

        Don't worry, your product is not alone. An older version of the Slack client for windows still had the debug symbol tables compiled in.

    2. J. Cook Silver badge

      Re: Odd install and incomplete uninstall

      ... that's utter shite designed to get around corporate IT environments not letting their users have local admin, and it makes corporate IT admins both cranky and sad at the same time, because guess who gets called when the app decides to misbehave?

      1. Anonymous Coward
        Anonymous Coward

        Re: Odd install and incomplete uninstall

        Just like that bag of shite teams.

        1. Anonymous Coward
          Anonymous Coward

          Re: Odd install and incomplete uninstall

          TEAMS is great now it's got a video backdrop feature!

          Only kidding, it's ****ing pants.

  10. Doctor Syntax Silver badge

    "So much so, Zoom published advice on how to keep uninvited morons out of private conferences."

    That's half the problem solved then.

  11. Anonymous Coward
    Anonymous Coward

    Zoom / Teams / Hangouts

    Not a problem for me - I leave the camera off as I'm often just in pants/PJs/dressing gown (like Arthur Dent).

    No point being dressed if I'm not leaving the house...

    1. Ken Moorhouse Silver badge

      Re: Not a problem for me - I leave the camera off

      You do disconnect the camera, or tape over it. Don't you?

      1. Richard 12 Silver badge
        Holmes

        Re: Not a problem for me - I leave the camera off

        I point it at a photo of Chuck Norris.

      2. Anonymous Coward
        Anonymous Coward

        Re: Not a problem for me - I leave the camera off

        Have a slide door cover for the camera!

    2. Patrick R
      FAIL

      Re: Zoom / Teams / Hangouts

      My camera is off too. Off in the Bios, that is. Bios from 2019 on a Dell XPS from 2015 with Windows 10.

      Zoom doesn't care and can activate it. Ain't it creepy?

      I contacted Dell, they said it's out of warranty but I can still contact their legal department. What a great answer. There was a (Zoom) update last week and now Zoom says it "doesn't find" a camera.

  12. DevOpsTimothyC

    Reversible Encryption

    So the news website of a major public UK Broadcaster has picked up on this to highlight the potential encryption issues.

    Considering how the UK Government have both used it, and are also making the same calls as the US that they should have a back door for all encryption. I find it more than a little ironic and funny

  13. adam 40
    Pint

    I started a Zoom "Virtual Pub"

    To be honest it was a bit quiet today - would've been perked up with a few Zoombombers posting a bit or pr0no!

  14. Mike Tubby
    Mushroom

    Its much worse than that... Complete Infosec fail?

    According to Citizenlab.ca there are major flaws in Zoom:

    1. the encryption is not what they claim, and is, in fact AES-128-CBC

    2. crypto keys have been observed being exchanged via Chinese servers

    Read the report here:

    https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    Please someone ask NCSC/CESG/GCHQ whether our politicians, businesses and critical national infrastructure should be using this?

    ... picks up coat, heads off to server room to implement another instance of Jitsi ...

    Mike

    1. robidy Silver badge
      Mushroom

      Re: Its much worse than that... Complete Infosec fail?

      Bruce Schneier's done a piece on it too, seriously dodgy.

      https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html

    2. Pier Reviewer

      Re: Its much worse than that... Complete Infosec fail?

      Whilst the encryption isn’t what they claim it’s still pretty decent. According to Bruce it’s AES-128-ECB (not CBC). The key and block sizes make it infeasible to brute force the key or abuse SWEET32.

      ECB is commonly considered to be weaker than CBC, but it has a simpler implementation and thus less room for catastrophic error (POODLE says hi, and ECB mode isn’t vulnerable to SWEET32 either, whereas CBC mode is). The thing with crypto is the crypto nerds get hyper excited about theoretical attacks like breaking 3 rounds of cipher X, or having utterly impractical requirements. It’s great to publish those findings as they can be built upon to create more powerful attacks, but the media (social included) tend to run ridiculous headlines as a result.

      The Chinese server involvement is certainly worthy of investigation, but would it be any better if that server were hosted in the US/Europe but rented by a shell company operated by Chinese sigint? Geolocation counts for shit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020