SoylentNews is people
SoylentNews
Zoom will provide end-to-end encryption to all users:
Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.
"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.
"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."
This update in Zoom's plans comes after the company announced on May 27 that E2EE will be available only to paying customers, with free/basic users to only get access to 256-bit GCM encryption.
[...] To provide all Zoom users with access to E2EE, Yuan says that they will have first verify their accounts through various means such as by verifying their phone numbers via text messages.
"Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts," Yuan explained.
"We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse."
An initial draft cryptographic design for Zoom's planned E2EE offering was published on GitHub on May 22 and a second updated version was committed today (a list of all the changes is available here).
According to an update to the company's 90-day security plan, "end-to-end encryption won't be compatible with an older version of the Zoom client, and all participants must have an E2EE-enabled client to join the meeting."
The company also said that it will not force users with free accounts to use E2EE as both free and paid users will have the choice to enable it for their meetings.
Previously:
(2020-06-06) Zoom Says Free Users Won’t Get End-to-End Encryption so FBI and Police Can Access Calls
(2020-05-07) Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform
(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China
(Score: 0) by Anonymous Coward on Friday June 19 2020, @06:16PM (6 children)
-New company formed.
-New company re-creates existent technology in their proprietary product.
-New company eventually adds more existent technology in their proprietary product.
None of those steps above I care to read about here.
(Score: 2) by Mojibake Tengu on Friday June 19 2020, @06:28PM
You can establish some kind of a meta-news site, where actual events become generalized to abstract patterns of events.
That could have a great success, at least as a model of human culture available for study by machines.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 1, Interesting) by Anonymous Coward on Friday June 19 2020, @06:34PM (4 children)
I agree. Fuck bleepingcomputer, a MS shill site, and fuck this disgusting slaveware.
(Score: 0) by Anonymous Coward on Friday June 19 2020, @06:46PM (1 child)
It would be nice if TFAs had the link destination included in brackets like the comments do.
(Score: 4, Informative) by takyon on Friday June 19 2020, @06:49PM
You can turn that on if you have a user account:
https://soylentnews.org/my/comments [soylentnews.org]
Display Link Domains? (shows the actual domain of any link in brackets)
Never show link domains
Show the links domain only in recommended situations
Show link domains in comments and stories
X Link domains for comments only
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 5, Funny) by DannyB on Friday June 19 2020, @07:20PM (1 child)
First, you should not say "slaveware". Try something more politically correct like "Software as a Service (SaaS)", or "In the cloud!".
Second, while bleepingcomputer may be an MS shill site, the fact that a computer is bleeping does not mean it wants you to have amorous intentions towards it. The CD drive door becomes sticky and difficult to open. Have you tried goats?
If a minstrel has musical instruments attached to his bicycle, can it be called a minstrel cycle?
(Score: 0) by Anonymous Coward on Saturday June 20 2020, @05:46PM
"Have you tried goats?"
the line was too long and ilhan omar was taking too long.
(Score: 2) by looorg on Friday June 19 2020, @06:23PM (1 child)
So the customers didn't like the idea of "only paying customers gets encryption cause the rest of you are criminal scum that we have to snitch on to the feds!"?
Nevermind. Apparently you are only worthy of encryption after we have all your contact information. If it's something then they enable I guess it can't be to hard to do, which also can't make it to hard to disable it when needed. I wonder how this verification process will be in reality. Could you just plonk down any old digits and such? Is this GDPR compliant, since you are in essence then building a giant database filled with personal information.
(Score: 4, Interesting) by Thexalon on Friday June 19 2020, @06:35PM
I would generally also assume that E2EE or no, and absolutely regardless of Zoom's public statements, the list of who is participating in Zoom meetings with whom is being sent to the FBI (for domestic traffic) or NSA (for foreign traffic), and that if those agencies want to tap into anybody's calls they have a way of doing so.
After all, that's pretty much the deal with phone traffic and most other Internet traffic.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 4, Informative) by Immerman on Friday June 19 2020, @07:34PM (1 child)
Translation: The FBI, etc. were pissed that they couldn't eavesdrop on our paying customers, so we back-doored the end-to-end encryption so that they can listen in on everyone again. But we're still going to claim our product is secure, because encryption!
I suppose there's also a possibility they're requiring real-world authentication to get a free account, so that reported abuse can be traced to a real individual, while still maintaining secure communications. But that seems rather unlikely in this day and age.
(Score: 0) by Anonymous Coward on Friday June 19 2020, @08:54PM
Yeah, I was just going to say that the built-in back door is well encrypted.
(Score: 5, Touché) by DannyB on Friday June 19 2020, @07:43PM (1 child)
First connection has two endpoints: YOU and Zoom. That is End to End encrypted.
Second connection has two endpoints: Zoom and other party receiving your message. That is also End to End encrypted.
What happens to the unencrypted message while it is in the clear at Zoom is left as an exercise for the NSA. Or the highest bidder.
But it definitely is End to End encrypted. By some definition. Just as a 2 TB drive can be advertised as "2.2 Terabytes!" (2 * 1024^4)
(Choosing Marketing or Advertising as a profession says a lot about a person.)
If a minstrel has musical instruments attached to his bicycle, can it be called a minstrel cycle?
(Score: 2) by jmichaelhudsondotnet on Saturday June 20 2020, @02:50PM
well said, i would upvote but you are already at 5
End to end encryption does not mean what it is most often used to mean.
Like if you think signal and telegram are secure because there are two points in the communication between which it is encrypted, lol.
I expect at this point the display itself on iphone and android phones is able to route the information displayed to another chip in the phone, or everything typed into the touchscreen, so that between your finger and eyeball and the point at which the E2E(tm) begins, you are already hosed.
Real security includes the entire device, the entire signal chain, this is fact. Iphones and android phones will never, ever be this. Your only hope is that you arent interesting enough for anyone to look.
I know I am interesting enough, so I do not bother.
To actually even think at this level of security at this point is considered by the vast majority to be a mental illness, when it is simply understainding the meaning of the words involved beyond their newspeak definitions.
The situation is grim.
(Score: 3, Funny) by Snotnose on Saturday June 20 2020, @12:01AM
"Yeah, you have money, we'll keep your stuff private".
As opposed to
"You broke assed cracker, you deserve what you get".
I honestly don't get how the CXX suite did not get this before hand. Then again, I've been with enough startups where the CXX suite had this kind of myopia, if not more.
I came. I saw. I forgot why I came.
(Score: 2) by Runaway1956 on Saturday June 20 2020, @12:08AM
Provide the encryption. No verification, no nothing. Just provide the encryption. Don't try to pass it off as an "advanced feature" or any other bullshit. You either encrypt, or you don't encrypt. Now, STFU and get it done!
Abortion is the number one killed of children in the United States.
(Score: 3, Informative) by sjames on Saturday June 20 2020, @12:40AM (1 child)
Before the curent kerfluffel, didn't Zoom actually claim they HAD end to end encryption long before this, then have it come out that they don't actually?
If so, then they at least owe everyone already using Zoom end to end encryption with no strings and no additional cost just to make that false claim right. (and avoid bait and switch).
(Score: 2, Informative) by Anonymous Coward on Saturday June 20 2020, @04:11AM
You are. They originally claimed E2E until someone published about how it was transport encryption to the bridge. Then someone else saw that, reverse engineered their encryption, and made a huge post about how it is actually transport encryption to the bridge and some users used key servers in China as the default even if the bridge was somewhere else.
(Score: 3, Informative) by Rosco P. Coltrane on Saturday June 20 2020, @01:00AM
and the encryption key to the NSA. Everybody gets what they want.
(Score: 3, Informative) by hendrikboom on Saturday June 20 2020, @04:49AM (2 children)
Both of the links to pdf's in this paragraph in the summary are broken.
The link to the list of all changes does appear to work.
-- hendrik
(Score: 0) by Anonymous Coward on Saturday June 20 2020, @07:41AM
They linked to the master branch directly instead of a commit. They were subsequently moved. These links are to the new location on a specific commit, so they should work for an arbitrary time into the future, unless they decided to delete the commit:
https://github.com/zoom/zoom-e2e-whitepaper/blob/3de4dd8c586514aa125539e4f4a5594ece6057da/archive/zoom_e2e_v1.pdf [github.com]
https://github.com/zoom/zoom-e2e-whitepaper/blob/3de4dd8c586514aa125539e4f4a5594ece6057da/archive/zoom_e2e_v2.pdf [github.com]
(Score: 2) by jmichaelhudsondotnet on Saturday June 20 2020, @02:54PM
The links could say "fuck you we have all your data" and if you forwarded it to the new york times it still wouldnt be reported.
Even attempting to verify anything or confirm anything is perceived by the world today as an illness, and heaven help you should you be t he only person uncovering an uncomfortable difficult piece of information.
Advanced persistent threat, meet someone who thinks they have credibility, now sic em! - msg from bond villain mansion in new zealand or haifa
(Score: 0) by Anonymous Coward on Saturday June 20 2020, @03:45PM
Companies offering one time SMS message services have reported a massive increase in the use of their services!
For just 50c, payable in bitcoin, anyone can receive an SMS similar to how VPN works for any phone service in the world.
In further unrelated news services such as Discord and Google and Microsoft, who all require a phone number to create an account, have seen a very large increase in account creation using phone numbers that are invalid after a day.
Water is wet. Using a phone number for identity validation is asking to be sim jacked. News at 11.
(Score: 2) by corey on Sunday June 21 2020, @04:13AM
Zoom should just rename themselves to Chameleon. Their position on encryption has changed literally 4+ times. And reasons seem to always change too. First they had E2EE, then didn't, then some did, then all do, what's next? Meanwhile they acquired that company that does encryption.
I don't know how anyone can trust this company.
Sounds like the payment for E2EE was so they could obtain people's personal information. Because now it's free, but they still want the private information for the same purpose. Sounds like TLA's are driving this from behind.