
Zoom, Take 3 (and final)

I promise this is the last post on Zoom – the material below was developed by the National Center for State Courts – it pretty much parallels what I wrote earlier, and suggests, in their words, that Zoom, handled correctly, is pretty much “bullet proof.”

The concerns outlined:

Apple pulled Zoom from the Mac App Store amid privacy concerns – this happened last summer and has been fixed.
Zoom was sending all the data to Facebook – it turns out just their iOS (iPhone, iPad) app was using the Facebook development kit to log in Facebook users. Included in that kit is a “call-home” beacon to Facebook. This kit was removed from their app last weekend.

Zoombombing, other people jumping into Zoom meetings, etc. – this is all people using poor cybersecurity practices. We’ve configured our Zoom by default to give the host control over admitting participants. We encourage hosts to 1) have unique meeting ID links, 2) have meeting passwords, 3) vet the list of people in the waiting room to make sure no strangers are in.

In all cases so far, it’s been users who have blasted a public meeting with no waiting room and had the link shared far and wide.

Zoom leaks your email address and profile photo to strangers – this is in a feature that we’ve got turned off for our Zoom installation – doesn’t apply to us [in the courts].

Zoom doesn’t use end to end encryption – true – they use transport encryption, just like the majority of things. Email, web surfing, things we do all the time, use transport encryption and not end-to-end.

Zoom allows malicious links to be sent in chat – again, we’ve configured it so that the host has to admit participants. OCA’s guidance is for the hosts to vet participants in the waiting room. Please don’t allow people that are likely to send malicious links in the chat.

Zoom has zero-day flaws in it – there was a zero day published yesterday that outlines an exploit where an attacker can take control of your webcam, mic, and computer as a whole. In the technical details, it is mentioned that this is a local attack, meaning that the attacker has to have physical access to the machine – as in he/she has to steal it (or otherwise be in possession of it) in order to exploit it.

Whether or not you feel Zoom is still the best option for us to use for our public and our secure meetings?

OCA is still comfortable (I personally am too). For all meetings, I’d make sure the host is the one governing who can enter. Have a password for that meeting.

For public meetings, I recommend that you only allow the participants in on Zoom and use YouTube to webcast to achieve the public part (people can see on YouTube, but can’t speak or do anything).

03 Apr 2020, posted by danielrainey in Blog

Zoom, Take 2

Should ODR Practitioners Use Zoom with Parties?

The Zoom question is complicated, particularly because of the negative press the platform is getting.

To begin, remember the rule that one can never absolutely guarantee privacy online. Having said that, I think Zoom is still relatively low risk. The negative news has been about a few specific issues related to the platform.

First, that the platform is subject to Zoombombing – having unauthorized users break into meetings to eavesdrop or inject objectionable content. I dealt with this a bit in an earlier blog post, but to recap, the interruptions of Zoom meetings that fit under this category have been, to my knowledge, either due to compromised linkage software that allows users in a company’s internal system to connect to Zoom (where the linking software is the hackable weakness), or due to careless handling of URL logins and passwords. I am not aware at this point of any hacks of Zoom meetings conducted using Zoom apps on both ends.

A second bit of bad news is that Zoom used its platform to gather information about users. My response to this is that most, if not all, online platforms do this. Due to the negative publicity, Zoom has disabled the function that allowed users who paid for Zoom’s marketing service to access user LinkedIn data, but the fact remains that just about any online service has the ability, and the inclination, to gather user data. That’s just part of the business they are in.

The other bad news has been that Zoom was not totally up front about the “end-to-end” encryption they use. For reasons I won’t go into, true end-to-end encryption with multiple users is damned hard to do. If they are to be believed, FaceTime does it, but most platforms don’t. According to some tech investigators, Zoom encrypts video, audio, and text for meetings held with all users on the Zoom platform – the encryption is from the user to Zoom’s servers, and from Zoom’s servers back to the user, but not between Zoom servers in the cloud. This allows Zoom to view/hear meeting content on its own servers, but makes hacking the stream from user to user very difficult. There may have been one, but I do not know of a case of hacking that has broken the encryption in transit, nor do I know of a case of hacking involving Zoom’s cloud servers. Again, the Zoombombing and data problems of which I am aware have been due to either connecting software or bad user behavior. As an aside, the way Zoom handles encryption means that they could comply with court orders to reveal information stored on their servers, and that info is not encrypted (except for text in the chat room, which is apparently really encrypted end-to-end in the classic sense).

So, should you still use Zoom? I’d say the answer is a slightly qualified “yes.” If you are dealing with info that would truly ruin you if it were compromised, and if you had a way to send that information in offline ways, or in self-encrypted formats, I’d not use any online platform. But most info does not fall into that category – it may be sensitive or proprietary, but the question of whether to deal with it online is a risk/damage assessment that would make using a reasonably secure platform OK. Zoom is a reasonably secure platform, in my opinion. Apparently, some of the organizations that have blocked the use of Zoom have suggested that employees share information by email (perhaps the most vulnerable online platform that exists) or by phone (making the simple act of hacking mobile systems a risk). I still think WebEx, as a web video platform, is slightly more secure, but it is not as user friendly – if you set Zoom up well, use it with all participants on the Zoom platform (not calling in by phone or joining from another platform) using computer audio, and you are smart about how to handle URL login information and passwords, I think you can use it responsibly and ethically with parties.

02 Apr 2020, posted by danielrainey in Blog