Zoom vows to spend next 90 days thinking hard about its security and privacy after rough week, meeting ID war-dialing tool emerges Video-conferencing app maker Zoom has promised to do better at security after a bruising week in which it was found to be unpleasantly leaky in several ways. The pledge came in a memo to customers from CEO Eric S. Yuan, in which he said: “Over the next 90 days, we are committed to dedicating the resources needed to better …
This week, the biz admitted to infosec journo Brian Krebs that this password-protected-by-default feature may not be working as intended, leaving people's meetings exposed.
Very true. Especially if people (re)use their personal meeting room, of which the meeting ID does not change. I'm not sure, but I believe there is a specific Zoom setting that, so that for a personal room meeting no password is generated and/ or required. What I do know however, is that in the period since Zoom introduced the new password rule, I didn't encounter a single time I had to enter one (avg. 3-5 Zooms/ wk).
This. With webex it was easy, when you started a meeting as host you had to give a password, it could be different for each meeting. Zoom makes it a real PITA to do. You can set a default password for your personal room, but once that becomes common knowledge it serves little purpose. They need to add a way to easily choose a password each time you host a call.
The famous story about the 'CUBA' mutual fund Thaler-the-cuba-fund
tldr: a USA fund with the ticker symbol CUBA (nothing to do with the island) doubled in value when Obama talked about easing sanctions. It stayed high as everybody laughed about the story and then went up again when Castro died !
I've had to. In a five-way Skype videocall, two people couldn't see two other people's video, the feedback was horrendous, and one person got dropped. That was after it took about an of hour messing about for two people to add each other to their contact list even knowing their Skype ID (not e-mail address).
How did Microsoft manage to turn Skype into such a turd?
Lync was always a festering bag of shite. Microsoft had two choices - fix it, or rename it to Skype for Business to try and hide its awfulness behind a rebrand.
No guesses for which approach they took.
As a general rule, the quality of software is inversely proportional to the frequency of name changes.
... and prior to Lync, it was OCS (Office Communicator Suite)2007/2010...
Skype for Business is based on the same source code and has the same complex architecture.
Part of me wishes that we had paid the Cisco tax and gone to Jabber - it certainly integrates better with Call Manager and (rumor has it) slightly easier to set up and maintain...
I still haven't forgiven them for killing off messenger, simple, did what it needed to and with no real extra cruft (barring the last couple of versions) then they thought "people aren't moving to Skype so lets force messenger users onto skype"
Most people I knew were on either msn messenger or ICQ, now folk are on a whole range of stuff from dumpster fires like bookface and instagram, to snapchat to whatsapp and several more I forget.
I was talking about this the other day with a friend and she said the same thing, used to be easy to hold a 3 or 4 way chat, just add them to the msn convo or create a new one. Now however everyone is so fragmented its like herding cats and no one wants to use anything bar what they are on...
This post has been deleted by its author
Why did you need 5 simultaneous video streams? I try and hide these whenever I'm on calls where people have the camera running. It would be nice if you could easily switch off incoming video feeds.
Used Skype a lot recently and quality has generally been okay but I think a lot will depend on the network traffic on whichever server is doing the mixing of feed.
Pretty easy on zoom to not see faces.
On a mobile device is has something ironically* called safe driving mode....
You just get a big button which toggle your mute status, and no other info on screen.
Of course it’s probably still streaming all the video feeds anyway...
* at least I hope it’s ironic.
Assuming the lockdowns do get eased, It's gonna plummet, but not going to the levels it was, now people have been forced to make videoconferencing work of sorts. A significant percentage of companies and/or of meeting organisers are going to realise it really doesn't need people blowing valuable time travelling and the associated costs quite as much as before.
Just a shame someone needed to show all the other videoconferencing "experts" how to write software that actually works - most of the time.
Employers have a duty of care to their employees. That's regardless of where they are working - tell the HSE they are wrong if you disagree. Depending on the interpretation of temporary you need to carry out normal checks as you should/would at work.
If you expect/need someone to work outside the office you duty of care doesn't stop at the office front door.
The security issues are very concerning, but hats off to them for coping with a 20 fold increase in users in a few months. Webex has been appalling for the last few weeks and hangouts meet seems to display about 5 pixels from everyone's webcam despite the mighty Google running it. Lets just hope they can improve the security and privacy issues without killing off the performance.
... that's utter shite designed to get around corporate IT environments not letting their users have local admin, and it makes corporate IT admins both cranky and sad at the same time, because guess who gets called when the app decides to misbehave?
My camera is off too. Off in the Bios, that is. Bios from 2019 on a Dell XPS from 2015 with Windows 10.
Zoom doesn't care and can activate it. Ain't it creepy?
I contacted Dell, they said it's out of warranty but I can still contact their legal department. What a great answer. There was a (Zoom) update last week and now Zoom says it "doesn't find" a camera.
So the news website of a major public UK Broadcaster has picked up on this to highlight the potential encryption issues.
Considering how the UK Government have both used it, and are also making the same calls as the US that they should have a back door for all encryption. I find it more than a little ironic and funny
According to Citizenlab.ca there are major flaws in Zoom:
1. the encryption is not what they claim, and is, in fact AES-128-CBC
2. crypto keys have been observed being exchanged via Chinese servers
Read the report here:
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
Please someone ask NCSC/CESG/GCHQ whether our politicians, businesses and critical national infrastructure should be using this?
... picks up coat, heads off to server room to implement another instance of Jitsi ...
Mike
Whilst the encryption isn’t what they claim it’s still pretty decent. According to Bruce it’s AES-128-ECB (not CBC). The key and block sizes make it infeasible to brute force the key or abuse SWEET32.
ECB is commonly considered to be weaker than CBC, but it has a simpler implementation and thus less room for catastrophic error (POODLE says hi, and ECB mode isn’t vulnerable to SWEET32 either, whereas CBC mode is). The thing with crypto is the crypto nerds get hyper excited about theoretical attacks like breaking 3 rounds of cipher X, or having utterly impractical requirements. It’s great to publish those findings as they can be built upon to create more powerful attacks, but the media (social included) tend to run ridiculous headlines as a result.
The Chinese server involvement is certainly worthy of investigation, but would it be any better if that server were hosted in the US/Europe but rented by a shell company operated by Chinese sigint? Geolocation counts for shit.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
