Zoom Accused of Misleading Users With 'End-to-End Encryption' Claims Amid Other Security Issues [Updated]

[NT1440]

It's also the best for screen shares too. Easy to debug with other developers without squinting. I have tried their major competitors (Webex, Skype, Bluejeans, etc), and none of them are as good as Zoom unfortunately.

That’s the thing, I implemented zoom at my company about 6 months ago after a loooong period of testing services. Nothing works as remotely well as zoom from both the technical side (great resolution, very little lag, sound quality) as well as ease of use for our end users and clients.

I don’t like what they’re doing, but we honestly have no other viable choice for the time being.

 

[chucker23n1]

That's actually exactly what I meant.

The product looks great, until you start looking at how it actually works. Kind of how Zoom's statement here might look like it makes total sense, unless you actually know what TLS and "end-to-end encryption" mean (in which case it's actually nonsense).

I mean, fair, but as someone else pointed out, it's actually rare for video conferencing to do E2E. FaceTime does, but other than that?

They're clumsy and dishonest, but, leaving aside privacy concerns, are they really worse?
[automerge]1585757488[/automerge]

That’s the thing, I implemented zoom at my company about 6 months ago after a loooong period of testing services. Nothing works as remotely well as zoom from both the technical side (great resolution, very little lag, sound quality) as well as ease of use for our end users and clients.

I don’t like what they’re doing, but we honestly have no other viable choice for the time being.

In terms of quality, I've found Teams to be just as good. I also used Pexip yesterday; also worked great.

I just really didn't care for Pexip's UI. Teams's is sort of OK. Zoom's is good.

 

[Chaos215bar2]

I mean, fair, but as someone else pointed out, it's actually rare for video conferencing to do E2E. FaceTime does, but other than that?

Easy solution: Don't claim end-to-end encryption! Or, make it explicitly clear what's actually end-to-end encrypted.

Kind of like, when you provide an script with your installer explicitly intended to verify system compatibility and nothing else, you don't have that script go ahead and install your app, without permission, and kill the installer as if that's what it was supposed to do.

 

[chucker23n1]

Easy solution: Don't claim end-to-end encryption! Or, make it explicitly clear what's actually end-to-end encrypted.

No argument.

Kind of like, when you provide an script with your installer explicitly intended to verify system compatibility and nothing else, you don't have that script go ahead and install your app, without permission, and kill the installer as if that's what it was supposed to do.

Yup.

 

[len5]

Zoom sounds almost as creepy as Facebook if that's even possible.

 

[Wags]

Nothings really free. They say free but their exploiting your hardware and data harvesting for their benefit.

 

[NT1440]

I mean, fair, but as someone else pointed out, it's actually rare for video conferencing to do E2E. FaceTime does, but other than that?

They're clumsy and dishonest, but, leaving aside privacy concerns, are they really worse?
[automerge]1585757488[/automerge]


In terms of quality, I've found Teams to be just as good. I also used Pexip yesterday; also worked great.

I just really didn't care for Pexip's UI. Teams's is sort of OK. Zoom's is good.

Teams doesn’t allow you to host meeting with people that aren’t in your organization or don’t have an office account.

It’s also not “just as good” when it comes to video quality. It’s not bad, but there is a clear difference for the 125+ people who use both in my company, the reviews are unanimous in terms of zoom having the edge in quality and lower response time.

 

[motm95]

I'm in the process of testing both Zoom and Webex for my business to host video calls with clients. It needs to be simple to use with no need for the person joining to create an account. Even if Zoom isn't perfect it might be the best option out there for our use case.

 

[chucker23n1]

Teams doesn’t allow you to host meeting with people that aren’t in your organization or don’t have an office account.

Yes it does. Just did that yesterday — I have Office 365 E3, and I can invite people from outside the org. They get a special link.

It’s also not “just as good” when it comes to video quality. It’s not bad, but there is a clear difference for the 125+ people who use both in my company, the reviews are unanimous in terms of zoom having the edge in quality and lower response time.

That could be.

It's more the UX I'm concerned with. Some stuff in Teams is really stupid (try scrolling through conversation history — it's extremely slow, and if someone else messages you in the meantime, it may lose scroll position, in which case you get to start over again).

Zoom, for video, has some nice stuff. For example:

• I can combine multiple devices well. So I can use my phone to take the audio call, and use the headset on that. Simultaneously, I can use the Mac to take video, and/or to see shared screens, so I have a big screen to see them on. If I try the same on Teams, the shared screen always ends up on the phone, which is of course almost uselessly small. So I have to instead take the audio on the Mac as well, which means now I can't walk around with the phone in my pocket (I guess I could lug the Mac around?).
• It has nice indicators of who's currently talking, whether there's cross-talk, that kind of thing.

 

[0924487]

All that's a perfect world. None of it stops a vulnerability being introduced. Not just directly by indirectly by an underlying library having vulnerabilities.

I do not understand folk who cling to this fallacy that somehow Open Source is better than anything else.

Why not ask the folks impacted by the Lodash issues from 2018 or the Linux kernel issue from 2019 of they think that Open Source is magically more secure.

Listen, I'm a developer myself - in the game 30 years. Nothing I've written in all that time is what is call "bug free" as everything relies on other libraries, routines, kernel calls, etc. that I've zero control over.

Audits cost money. No-one is going to audit every single release.

That is why you should trust packages wisely. That's the whole point of BSD. Every package included is vetted by the core team. If your software is so stupid and simple to a point where having a bug is obviously not possible, then, it is safe.

If you want features and cutting edge, then use Linux and ubuntu, and that has holes, obviously, and you know it and chose to accept it. You can easily choose Kali Linux etc.

 

[boomspot]

Zoom is the perfect solution to facilitate remotely firing your workforce, ask Bird scooters.

 

[CarlJ]

• Installing a secret web server on your computer that remained even after you uninstalled the program
• Sharing data with Facebook without disclosing it to customers
• Misleading Users With 'End-to-End Encryption' Claims

Any guesses on the next Zoom scandal?

Running Bitcoin mining on your machine? "to keep it from getting too cold!"
Taking inappropriate pictures of your dog? "because reasons"

 

[CarlJ]

Zoom is all the rage these days - some of our IT/security folks tried to warn management we shouldn't use it until a full security audit can happen, and they were gently pushed aside due to needing a solution right away, I guess this will only reinforce the need to look into it further.

The big concern at this point should be, get management to sign on to the idea that once IT/security vets a proper replacement, management will order everyone to change over rather than saying, "but we're all comfy using Zoom now, it would be hard to change."

 

[TiggrToo]

So, we've gone from

You should not trust a mission-critical communication software that is not open-sourced AND has never undergone a technical audit AND is not source available upon request.

To

That is why you should trust packages wisely. That's the whole point of BSD. Every package included is vetted by the core team. If your software is so stupid and simple to a point where having a bug is obviously not possible, then, it is safe.

If you want features and cutting edge, then use Linux and ubuntu, and that has holes, obviously, and you know it and chose to accept it. You can easily choose Kali Linux etc.

How does this help in this discussion now? In one breath you speak of audits and open source and have now leaped to "don't run on anything that's not BSD or Kali Linux".

 

[stars_fan]

We implemented Webex Cloud right as this started. I had everything ready for an April roll out.

We had 157,940 meeting minutes yesterday over 3,860 meetings. We’re still migrating users and I expect these stats to double. Nothing but good reports about quality.

Zoom pricing took them out of the running and ms teams was a big bag of fail for our testing.

 

[dampfnudel]

This company sounds shady. I was thinking of using Zoom, but I think it’s better to avoid it.

 

[I7guy]

Hopefully, Zoom will take this "criticism" and improve it's products. Doesn't really seem too many believe Zoom poses "real" security risks or high risk/regulated companies wouldn't be using Zoom. I believe they are one of the best out there.

 

[Michael Scrip]

I wonder if the 132,000 schools in the United States will stop using Zoom because of all this news.

It seems like every school is now using Zoom for online teaching. And every dance studio, yoga studio, Zumba, etc.

 

[0924487]

So, we've gone from



To



How does this help in this discussion now? In one breath you speak of audits and open source and have now leaped to "don't run on anything that's not BSD or Kali Linux".

That makes total sense. You need to focus on the level of trust and the hierarchy of trust.

You don't need 256 AES for your movie files stored on your junky NAS in the basement. You probably want performance for that. But your certificate manager server or your Root CA should probably use 256 AES full-disk encryption and a hardware TPM of some sort.

You don't put armours on your face even if you do need it, but that has mobility and visual compromises that you may not willing to forgo, hence you take some risk of getting an arrow in your face.

 

[Mitthrawnuruodo]

Elon Musk's SpaceX bans Zoom over privacy concerns

The use of Zoom and other digital communications has soared as many Americans have been ordered to stay home to slow the spread of coronavirus

The FBI’s Boston office on Monday issued a warning about Zoom, telling users not to make meetings on the site public or share links widely

https://www.scmp.com/tech/apps-soci...-musks-spacex-bans-zoom-over-privacy-concerns

Personally, I used to love it for its simplicity and better than average quality on video and sound, but have refused to use it since the news broke about it installing a secret web server on my Macs. That was enough for me to shun them, and later (and recent) news has just strengthened my resolve...

Luckily we use Teams for work, and I've been using Google Meet for some extra school work... and as long as I don't have to use the abomination that is Skype (on a Mac), I can avoid Zoom for now...

 

[winglet69]

So does theft, murder and mayhem, but to continue working towards a Type 1 civilization some basic rules / checks must be in place.

Errm that was quite a rhetorical flourish. Do you realize you somehow missed comparing Zoom to Hitler or Nazis?

The InterWebs is disappointed in your measured, understated remarks. ?

 

[Wags]

I wonder if the 132,000 schools in the United States will stop using Zoom because of all this news.

It seems like every school is now using Zoom for online teaching. And every dance studio, yoga studio, Zumba, etc.

Unfortunately, probably not. How much news does this need before anyone acknowledges. They are only hearing ’free’.
Not sure why there is not more public outrage when institutions get hacked for lack of effort. Seems like 2 days later, no one cares.

 

[ghanwani]

Finally one CEO that gets it.

Elon Musk's SpaceX Bans Employee Use Of Zoom: Report

Tesla (NASDAQ: TSLA) CEO Elon Musk's rocket company SpaceX is banning employees from using video conferencing app Zoom Video Communications (NASDAQ: ZM), citing "significant privacy and security concerns," Reuters reported Wednesday. On Monday, the New York Times reported that the office of the...

finance.yahoo.com

 

[bsmr]

The NASA also doesn't use Zoom anymore ;-)

And I think many others will follow!

 

[960design]

Errm that was quite a rhetorical flourish. Do you realize you somehow missed comparing Zoom to Hitler or Nazis?

The InterWebs is disappointed in your measured, understated remarks. ?

Hyperbole was my word of the day. Was sarcasm yours?
[The above was written tongue in check - just clarification - as it is often difficult to fully express meaning through words. I truly laughed at your reply and loved it. I should have gone with Hitler.]
[automerge]1585947462[/automerge]

If you need to review the code, you should do so at every stage of the release. For example, VPN clients are very vulnerable attack surfaces because everything in those apps such as OVPN profiles/scripts must run with root privileges.

This kills my soul. My company has fantastic security in place and then casually VPNs everyone. Stabby, stab, stab to my mind.
[automerge]1585947568[/automerge]

I'm in the process of testing both Zoom and Webex for my business to host video calls with clients. It needs to be simple to use with no need for the person joining to create an account. Even if Zoom isn't perfect it might be the best option out there for our use case.

Easy peasy: https://meet.jit.si
Zoom is the worst you could do.