
SoylentNews is people

posted by Fnord666 on Saturday April 04 2020, @03:43PM
from the thus-spoke-Schneier dept.

Security and Privacy Implications of Zoom - Schneier on Security:

Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.

In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

Now security: Zoom's security is at best sloppy, and malicious at worst. Motherboard reported that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:

"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday.

Finally, bad user configuration. Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right you're leaving yourself open to all sorts of mischief.

Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it's in the spotlight, it's all coming out. (Their 4/1 response to all of this is here.) On 4/2, the company said it would freeze all feature development and focus on security and privacy. Let's see if that's anything more than a PR move.

Previously:
(2020-04-02) Elon Musk's SpaceX Bans Zoom over Privacy Concerns
(2020-03-28) Now That Everyone's Using Zoom, Here Are Some Privacy Risks You Need to Watch Out For
(2020-03-27) School Quits Video Calls After Naked Man ‘Guessed’ the Meeting Link
(2020-03-23) Work from Home Pwn2Own Hackers Make $130,000 in 48 Hours from Windows 10 Exploits
(2020-03-21) Homeschooling Resources
(2020-03-14) Student Privacy Laws Still Apply if Coronavirus Just Closed Your School


  • (Score: 3, Informative) by arubaro on Saturday April 04 2020, @10:44PM (1 child)

    by arubaro (8601) on Saturday April 04 2020, @10:44PM (#979161)

    I am a professor at a university without a big budget. My colleagues and I have tried some alternatives, but almost all are using Zoom at this moment.
    The reasons? Lack of better alternatives.
    For example, Moodle has a built-in option for teleconferences (a nice one in fact, with several options good for teaching), but... you need decent bandwidth from the university, which we lack
    (you need to support some thousand students watching different courses at the same time). That was the main tool we used, until now.
    Jitsi Meet has some features, but not as many as Zoom.
    Also, Zoom is free as in beer (at least for 99 or fewer students attending the course), if you don't mind stopping the class every 40 min, and taking a break is not such a bad thing.
    And finally: Zoom is easy to use, meaning that someone without a computer background can easily share screen, manage students speaking, etc...

    The quarantine has taken lots of institutions off guard, and IT departments (if they had one) had to offer a quick solution that is easy to use.
    If someone has an alternative, a lot of us are willing to try.

  • (Score: 4, Interesting) by bzipitidoo on Saturday April 04 2020, @11:21PM

    by bzipitidoo (4388) on Saturday April 04 2020, @11:21PM (#979169) Journal

    That's a bit deflating. I've just been tasked with finding video conferencing that works, is secure, available on many platforms, and easy to use. My tentative searches haven't turned up anything other than a whole lot of questions. There are a couple dozen. Whether any of them are good enough is hard to say. Meanwhile, they made a snap decision to run with VSee, and instantly ran into problems. Acts wonky. You think you've logged in, and then, when the browser finishes loading, you see only the login page again. In browsers, VSee uses Flash. Yuck.

    Multicasting is part of IPv4, but I understand it's uncommon. I don't know which platforms have that in their IP stack. Without broadcasting capability at the network level, video conferencing with many participants is more technically challenging. Also, the codecs are pretty important. Should use Opus for the audio. AV1 might be a good choice for the video, if it wasn't so relatively new. It may be that there is no really good video conferencing solution, because the underlying tech isn't there.