Zoom Accused of Misleading Users With 'End-to-End Encryption' Claims Amid Other Security Issues [Updated]

[MacBH928]

If you believe what capitalist companies say in their privacy policy the fault is on you. We have seen this already many times and all we get is an "oops sorry" without any legal action against them.

Only few transparent companies we can trust as they have a clean record history and are transparent some examples: Mozilla, ProtonMail, DuckDuckGo

 

[ipponrg]

If you believe what capitalist companies say in their privacy policy the fault is on you. We have seen this already many times and all we get is an "oops sorry" without any legal action against them.

Only few transparent companies we can trust as they have a clean record history and are transparent some examples: Mozilla, ProtonMail, DuckDuckGo

Maybe you should follow your own advice, specifically about DuckDuckGo.
- DDG CEO used to own this site: https://en.wikipedia.org/wiki/Names_Database
- They got caught 5+ years ago sending tracking pixels: https://archive.is/qntuk

The lesson here is that trust should apply to ANY COMPANY.
[automerge]1585744694[/automerge]

I wonder if this is technical incompetence, or a deliberate obfuscation.

Probably a combination of both marketing and negligence.

 

[Halikaarn]

It is too late. Zoom is already a meme, a zeitgeist product in this crisis. Laymen will be "zooming" for a generation. But, once things settle down, we'll see many corps and orgs realizing and developing their own "solutions."

 

[ipponrg]

Still the Zoom conference is the best of the best in therms of large meetings, speed and video quality.

It's also the best for screen shares too. Easy to debug with other developers without squinting. I have tried their major competitors (Webex, Skype, Bluejeans, etc), and none of them are as good as Zoom unfortunately.

 

[ghanwani]

The more sleazy they can be, the better their stock will perform. (Just the unfortunate way our markets operate.)

These are the same guys that had a security hole with their camera that Apple needed to plug with a macOS update.

Serious Zoom security flaw could let websites hijack Mac cameras

Not good

www.theverge.com

It doesn’t sound like they take security or privacy very seriously.

 

[caliguy]

We’ve switched back to using GoToMeeting since their redesign. Product is very reliable and doesn’t have shady ties to the China Communist Party, which is a plus.

 

[DoctorTech]

"When we use the phrase 'End to End' in our other literature..."

Sorry but that sounds a little too much like, "It depends on what the meaning of 'is' is." The phase "End to End" has a broadly accepted meaning across the industry so to use that phase to mean anything other than the broadly accepted meaning is deceptive at best. I absolutely guarantee this is illegal. NOTE: when I use the phase 'absolutely guarantee' in my posts I mean I feel strongly that it should be illegal. /s

 

[satchmo]

MS Teams > Zoom

MS Teams is a pleasant surprise.
I hear they’re going to come out with a consumer version of teams.
In fact, MS OneDrive and MS in general is killing it under Nadella.

 

[0924487]

And one release later a developer makes a fatal mistake and an attack vector is created.

People should never assume open source is somehow magically better than anything else. All applications, no matter how well written, or where the source is, are one change away from exposing a massive vulnerability.

That is why we usually have release pipelines, internal, alpha, beta, public beta, stable release.

If you need to review the code, you should do so at every stage of the release. For example, VPN clients are very vulnerable attack surfaces because everything in those apps such as OVPN profiles/scripts must run with root privileges.

From initial alpha release to final stable release of a client can take more than 8 months.

If you are safeguarding something mission-critical such as the software signing key of iOS and macOS operating systems, then you should use hardware security key storage infrastructures and run secure BSD-based operating systems.

 

[jbachandouris]

A woman who graduated High School with me died two days ago from renal failure. Because of COVID, no public viewings are allowed. The sister is using Zoom for the wake/viewing. Sad times.

On a side note, the 'desktop' version of Zoom doesn't like Carolina so much. Virtual backgrounds are unavailable. App claims that I don't have the supported hardware nor software although I certainly have both conditions met.

 

[bsolar]

Their argument is ridiculous. Zoom is not an "End" in the communication, it's clearly a "Man-In-The-Middle" between different "Ends". What they are doing is obviously not End-To-End encryption.

 

[TiggrToo]

That is why we usually have release pipelines, internal, alpha, beta, public beta, stable release.

If you need to review the code, you should do so at every stage of the release. For example, VPN clients are very vulnerable attack surfaces because everything in those apps such as OVPN profiles/scripts must run with root privileges.

From initial alpha release to final stable release of a client can take more than 8 months.

If you are safeguarding something mission-critical such as the software signing key of iOS and macOS operating systems, then you should use hardware security key storage infrastructures and run secure BSD-based operating systems.

All that's a perfect world. None of it stops a vulnerability being introduced. Not just directly by indirectly by an underlying library having vulnerabilities.

I do not understand folk who cling to this fallacy that somehow Open Source is better than anything else.

Why not ask the folks impacted by the Lodash issues from 2018 or the Linux kernel issue from 2019 of they think that Open Source is magically more secure.

Listen, I'm a developer myself - in the game 30 years. Nothing I've written in all that time is what is call "bug free" as everything relies on other libraries, routines, kernel calls, etc. that I've zero control over.

Audits cost money. No-one is going to audit every single release.

 

[meboy]

I really don't understand how this service became the go to in the first place.

Is Skype not cool anymore?
Hangouts?
How did these two fail so badly to be overtaken by this nobody?

 

[gsurf123]

It's free which is the only requirement for most people.

 

[DoctorTech]

I really don't understand how this service became the go to in the first place.

Is Skype not cool anymore?
Hangouts?
How did these two fail so badly to be overtaken by this nobody?

I suspect it has to do with pricing. The university where I teach uses Zoom for connecting faculty and staff at satellite campuses (where I am located) to the main campus. Zoom is also used for things like department meetings and faculty senate meetings. I don't have any choice but to run zoom on my computer if I can't be at the meeting in person and now due to COVID-19, all our meetings are online.

 

[chucker23n1]

I really don't understand how this service became the go to in the first place.

Is Skype not cool anymore?
Hangouts?
How did these two fail so badly to be overtaken by this nobody?

Zoom just works really well.

Teams (née Skype for Business née OCS / Lync) is also fine.

Adobe Connect is really mediocre by comparison.

Did Hangouts ever play in this field at all?
[automerge]1585751533[/automerge]

Their argument is ridiculous. Zoom is not an "End" in the communication, it's clearly a "Man-In-The-Middle" between different "Ends". What they are doing is obviously not End-To-End encryption.

Yup. It's transfer encryption, but not E2E.

 

[DoctorTech]

Zoom just works really well.

Teams (née Skype for Business née OCS / Lync) is also fine.

Adobe Connect is awful.

Did Hangouts ever play in this field at all?

I used to love Adobe Connect but I am having way too many issues now with audio quality (even before everyone started working from home) and with it constantly crashing and not recognizing my USB microphone. I am getting tired of having to spend time talking to tech support. I have used Adobe Connect for the past 6 or 7 years but when my current annual license expires I am dropping it.

 

[Tech198]

wow.. this company has got some problems.

 

[bsmr]

wow.. this company has got some problems.

This company is a problem!

 

[kmichalec]

So what are really the best alternatives, then? (preference would be with a free option for casual users)

GoToMeeting?
Webex?
Facetime (on iOS)
Globalmeet Collaboration?
Lifesize?
Others?


Sounds Adobe Connect is not that great from above posts.

 

[Chaos215bar2]

I really don't understand how this service became the go to in the first place.

Is Skype not cool anymore?
Hangouts?
How did these two fail so badly to be overtaken by this nobody?

Marketing, and a product that, at least superficially, works pretty well.

Personally, after pulling the installation trick described earlier here, I won't touch a single product this company puts out. Ever. I'd bet a lot of people would never notice the difference, though.

 

[bsmr]

So what are really the best alternatives, then? (preference would be with a free option for casual users)

GoToMeeting?
Webex?
Facetime (on iOS)
Globalmeet Collaboration?
Lifesize?
Others?


Sounds Adobe Connect is not that great from above posts.

Maybe those:

Whereby.com
Jitsi.org
Bigbluebutton.org

 

[960design]

Interesting, the company I work for jumped on this solution because our in-house video conf service is unable to cope with everybody working remotely all of a sudden (it wasn't planned for this many people throughout the day and cannot scale up quickly, due to short-sighted decisions).

Zoom is all the rage these days - some of our IT/security folks tried to warn management we shouldn't use it until a full security audit can happen, and they were gently pushed aside due to needing a solution right away, I guess this will only reinforce the need to look into it further.

Try Jitsi. Free and open source. Download the source and build what you need or just click: Start a call.

Free Video Conferencing Software for Web & Mobile | Jitsi

Learn more about Jitsi, a free open-source video conferencing software for web & mobile. Make a call, launch on your own servers, integrate into your app, and more.

jitsi.org

[automerge]1585756478[/automerge]

Zoom just works really well.

So does theft, murder and mayhem, but to continue working towards a Type 1 civilization some basic rules / checks must be in place.

 

[chucker23n1]

So what are really the best alternatives, then? (preference would be with a free option for casual users)

GoToMeeting?
Webex?
Facetime (on iOS)
Globalmeet Collaboration?
Lifesize?
Others?


Sounds Adobe Connect is not that great from above posts.

Adobe Connect is… OK. (And to be fair, it could be that the version I use in a project is old? I don't run the server.)

For personal use, FaceTime is pretty good.

Maybe also Slack or Discord. For enterprise use, Zoom works best for me, but Teams also works well enough.

Marketing, and a product that, at least superficially, works pretty well.

Not just superficially.

Out of the ones I've used in recent weeks, Zoom wins.

 

[Chaos215bar2]

Not just superficially.

Out of the ones I've used in recent weeks, Zoom wins.

That's actually exactly what I meant.

The product looks great, until you start looking at how it actually works. Kind of how Zoom's statement here might look like it makes total sense, unless you actually know what TLS and "end-to-end encryption" mean (in which case it's actually nonsense).