Zoom, Take 3 (and final)

I promise this is the last post on Zoom – the material below was developed by the National Center for State Courts – it pretty much parallels what I wrote earlier, and suggests, in their words, that Zoom, handled correctly, is pretty much “bullet proof.”

The concerns outlined:

Apple pulled Zoom from the Mac App Store amid privacy concerns – this happened last summer and has been fixed.
Zoom was sending all the data to Facebook – it turns out just their iOS (iPhone, iPad) app was using the Facebook development kit to log in Facebook users. Included in that kit is a “call-home” beacon to Facebook. This kit was removed from their app last weekend.

Zoombombing, other people jumping into Zoom meetings, etc. – this is all people using poor cybersecurity practices. We’ve configured our Zoom by default to give the host control over admitting participants. We encourage hosts to 1) have unique meeting ID links, 2) have meeting passwords, 3) vet the list of people in the waiting room to make sure no strangers are in.

In all cases so far, it’s been users that have blasted a public meeting with no waiting room and had the link shared far and wide.

Zoom leaks your email address and profile photo to strangers – this is in a feature that we’ve got turned off for our Zoom installation – it doesn’t apply to us [in the courts].

Zoom doesn’t use end-to-end encryption – true – they use transport encryption, just like the majority of things. Email, web surfing, things we do all the time, use transport encryption and not end-to-end.

Zoom allows malicious links to be sent in chat – again, we’ve configured it so that the host has to admit participants. OCA’s guidance is for the hosts to vet participants in the waiting room. Please don’t allow people that are likely to send malicious links in the chat.

Zoom has zero-day flaws in it – there was a zero-day published yesterday that outlines an exploit where an attacker can take control of your webcam, mic, and computer as a whole. In the technical details, it is mentioned that this is a local attack, meaning that the attacker has to have physical access to the machine – as in he/she has to steal it (or otherwise be in possession of it) in order to exploit it.

Do you feel Zoom is still the best option for us to use for our public and our secure meetings?

OCA is still comfortable (I personally am too). For all meetings, I’d make sure the host is the one governing who can enter. Have a password for that meeting.

For public meetings, I recommend that you only allow the participants in on Zoom and use YouTube to webcast to achieve the public part (people can see on YouTube, but can’t speak or do anything).
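The three host-side controls recommended above (unique meeting ID rather than a reusable personal link, a meeting password, and a waiting room so the host admits everyone) are easy to state and easy to forget on the hundredth scheduled meeting. The script below is an added example, not part of the NCSC material or any Zoom tooling: it audits an exported list of meeting records and flags each one that is missing a control. The field names (password, settings.waiting_room, settings.join_before_host, settings.use_pmi) are my assumption about the shape of a Zoom meeting-list export; check them against your own export before relying on the output. The sample data is constructed for the example.

```python
"""Audit exported Zoom meeting records for host-controlled admission.

Flags, per meeting:
  - no passcode set
  - personal meeting ID (PMI) in use, i.e. a reusable link
  - waiting room disabled
  - participants allowed to join before the host

Added example; field names are an ASSUMPTION about the export format.
"""
import json
from typing import Dict, List

# Constructed sample export (not real meetings): three scheduled meetings.
SAMPLE_EXPORT = json.dumps([
    {   # compliant: unique ID, passcode, waiting room, host joins first
        "id": 111, "topic": "Docket review",
        "password": "k3Tq9f",
        "settings": {"use_pmi": False, "waiting_room": True,
                     "join_before_host": False},
    },
    {   # reusable personal link and no passcode: anyone with the URL is in
        "id": 222, "topic": "Public hearing",
        "password": "",
        "settings": {"use_pmi": True, "waiting_room": True,
                     "join_before_host": False},
    },
    {   # waiting room off and join-before-host on: nobody vets attendees
        "id": 333, "topic": "Staff sync",
        "password": "x7Lm2p",
        "settings": {"waiting_room": False, "join_before_host": True},
    },
])


def audit_meeting(meeting: dict) -> List[str]:
    """Return a list of findings for one meeting record (empty if compliant)."""
    findings = []
    settings = meeting.get("settings", {})
    # An empty or missing password means the link alone grants entry.
    if not meeting.get("password"):
        findings.append("no passcode")
    # The personal meeting ID is the same for every meeting the host runs,
    # so one leaked link opens all of them.
    if settings.get("use_pmi", False):
        findings.append("uses personal meeting ID (reusable link)")
    # Without a waiting room the host never sees who is joining.
    if not settings.get("waiting_room", False):
        findings.append("waiting room off")
    # Join-before-host lets strangers gather before anyone can vet them.
    if settings.get("join_before_host", False):
        findings.append("join before host enabled")
    return findings


def audit_export(raw_json: str) -> Dict[str, List[str]]:
    """Audit every meeting in a JSON export; keyed by meeting ID as a string."""
    return {str(m["id"]): audit_meeting(m) for m in json.loads(raw_json)}


def noncompliant_ids(raw_json: str) -> List[str]:
    """IDs of meetings with at least one finding, in export order."""
    return [mid for mid, found in audit_export(raw_json).items() if found]


if __name__ == "__main__":
    for mid, found in audit_export(SAMPLE_EXPORT).items():
        status = "OK" if not found else "; ".join(found)
        print(f"meeting {mid}: {status}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; anything it prints other than OK is a meeting where the host is not the one governing who can enter.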