Zoom security breaches

An increasing number of security breaches are being reported. With so many folx using the platform these days, this is particularly problematic. The Electronic Frontier Foundation has some guidelines we can follow to help make our zoom experience more secure.

4 Likes

I was just reading about the security risks! There’s security problems including links providing sensitive login information.

2 Likes

I hope the EFF measures will help. I trust that they will, actually. EFF is a fantastic organisation! (I have fantasies of my husband, a computer programmer, working for them :sun_with_face: )

1 Like

I was just talking about this on another thread, not realizing it had a thread of its own.

My concern is not just that the meeting is not secure. I’m also worried that Zoom is able to bypass certain password features once through the door. I will not use Zoom.

https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

1 Like

Whoa! More sketchy than I knew.

Are you aware of any alternative platforms similar to Zoom that we could use?

I certainly would not want to have any sort of meeting in which security was an issue.

I admit to only having scanned the Citizen Lab article, so I hope you won’t mind a question. Is there any concern about Zoom creating/enabling a back door into individual users’ computers?

To be perfectly honest, I trust Zoom more than I trust the FBI at this point. I’ve never had any issues with Zoom. As far as I can tell, all the things mentioned can be controlled by settings on the Zoom meeting host’s end. I know A LOT of people who have been using Zoom for a long time and not one of them has had any security problems. Just make sure you check your preferences and take responsibility for your own privacy settings.

6 Likes

Also, today I got an email from Zoom telling how they are addressing these concerns by making some of the security preferences (like having a “waiting room” as a default setting).

4 Likes

This is basically the intention of my initial post, to share suggestions for tightening up security on the user end :slight_smile:

3 Likes

Back doors? That’s a question I’m not qualified to answer, but my Witch Doctor friend used to be in the State Department and is my advisor on these things. My guess is that he’ll say rude things about OSs other than Linux in terms of security and leave it at that. I doubt it could, say, install spy software on my machine. But on a Windows machine or Mac, all bets are off. And that leaves your passwords and any financial dealings you do on line exposed.

2 Likes

AODA isn’t using Zoom for anything that would require sharing passwords, etc. I don’t think any of the other platforms out there are as useful and stable as zoom, which is why we chose it.

We’ve had some Q&A this past week with our campus IT folks, and the general consensus from them is that if you are just using it to talk with other people, you are totally fine. What you don’t want do is send any sensitive data because it doesn’t do end-to-end encryption.

I think its certainly something to keep in mind, but for the ways that AODA is using it, I don’t think its any kind of risk.

4 Likes

I think this is the way to look at it. I’m going to put on my “25 Years in Corporate Systems Engineering Hat”. Pardon the length here, I’m going to go into negatives first, but end on positives for the AODA use case.

First off, I disagree with a lot of how Zoom has positioned themselves and used creative redefinitions of terms (e.g. E2EE - or End to End encryption, which they don’t have). Some of their more egregious failings in the past were installing (without user consent) a web server on the client machine to bypass a security warning. That webserver was unprotected and malicious parties could take control of the video camera. They have also been disingenuous about the use of customer data (i.e. “We don’t sell it… but we do share it with partners” - semantics again).

The thing to remember in computer security is to not think “why would anyone want my information / come after me” - often times it’s just for laughs, or pivot attacks (i.e. taking over a machine to get at others and make you the fall guy) and in Zoom’s case now the biggest problem is trolling. Now the good news.

This is where the EFF guidelines come in, and there are some mitigations in there that help lower what is called the “surface area” of bad actors. Zoom also has a lot of eyes on it (ha!) both from the customer standpoint, but also the media, congress, and the FBI. They are not likely to play security shenanigans with this much bad press.

So in the AODA use case, there’s a low risk. My recommendation for users would be to just install the client and use it without signing up (that’s what I did). The organizer can set the conference to require them having joined first, and sharing of link URLs should be private (or not at all) - just giving out the meeting ID number.

To sum up then - I think it’s being done right here: You always have to find the balance between usability and security and for what we’re doing Zoom seems to be the best fit in spite of some problems overall.

7 Likes

Thanks heaps for your input @genericperson! If I’m understanding you, you think the EFF guidelines are solid and worth doing. Yes?

Absolutely. I wasn’t clear that their guidelines were the mitigations / “fixes” that I was referring to.

1 Like

As someone who worked in the IT field for 20 years…If you use the internet you should assume people are watching. This idea that anyone has anonymity online has always been false.
Zoom is no safer than anything else…I know, people hate to hear it…

3 Likes

Very true. I think we’re talking about something different than anonymity, though.

1 Like

I’m going to stick to my position.

I understand that the risk of using the software, as designed, for conferences, is low. However, if anyone with that many security issues wants to install software on my computer, then my concern is for my computer and what malware may have been inserted by some third party into Zoom’s unsecure software. Microsoft has decades of history with the word “Oops”, based on people taking them at their word that there are no security flaws. Then comes disappointment. Part of the Linux design philosophy is that eliminating those kind of bugs is prioritized, because anyone can look at the software and see how it works and find the security holes. Only when the software in question has been thoroughly vetted is it placed in the repositories, where less technical people like me can access it with confidence. Because Zoom refuses to prioritize this, I have to assume that malware embedded within their work is entirely possible. I just can’t afford to pay off a ransomware attack. So I’m going to play it safe and only use software I can get from a Linux repository.

2 Likes