
Zoom Will Enable Waiting Rooms By Default To Stop Zoombombing (techcrunch.com) 47

Zoom is making some much-needed changes to prevent "Zoombombing," a term used to describe when someone successfully invades a public or private meeting over the videoconferencing platform to broadcast shock videos, pornography, or other disruptive content. The act was recently mentioned on the Department of Justice's website, warning that users who engage in this sort of video hacking could face fines and possible imprisonment. TechCrunch reports: Starting April 5th, it will require passwords to enter calls via Meeting ID, as these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees. [...] Zoom CEO Eric Yuan apologized for the security failures this week and vowed changes. But at the time, the company merely said it would default to making screensharing host-only and keeping waiting rooms on for its K-12 education users. Clearly it determined that wasn't sufficient, so now waiting rooms are on by default for everyone.

Zoom communicated the changes to users via an email sent this afternoon that explains "we've chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy." The company also explained that "For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL." Other precautions hosts can take include disabling file transfer, disabling attendee screensharing, and preventing removed attendees from rejoining.

  • It's sad that the only way we can get decent, or even passable, security on the products we use is to point a proverbial gun to a corporation's head and force them to do it. This is the result when you allow an entity to exist whose only reason to exist is to make the most money possible.

    • A gun to the head is rather pointless, as it will eventually create a backlash.

      The better approach is to help them internalize the losses they create for their users by producing crappy software.

      Let them face product liability for their defects like every other industry does, and you'll be surprised how fast things will improve and instead of bolt-on "security" you'll start seeing proper security design from the outset of development.

      • A gun to the head is rather pointless,

        Not if the trigger is pulled. A dead criminal, or in this case dickwad, will never commit another crime.

    • by thegarbz ( 1787294 ) on Saturday April 04, 2020 @08:04AM (#59907396)

      Don't be stupid. The only reason zoom security is a concern is because of stupid users. Zoom has always had security options such as the ability to password protect a meeting, force the lobby, or lock the meeting from additional joiners once the meeting is underway.

      This is no different to someone not locking their front door and then being surprised when a stranger walked in.

      • by fuzzyf ( 1129635 ) on Saturday April 04, 2020 @09:24AM (#59907528)
        Don't try to blame users for Zoom's complete lack of security and privacy. Zoom claimed they do end-to-end encryption. But they don't. "They sort of kinda.."-bullshit is just arguments from clueless people. End-to-end is either true or false. Zoom handles all video/audio unencrypted on their servers. Encrypting to and from their servers is absolutely NOT end-to-end encryption for their users.
        It's a lie. Pure and simple. A lie.

        They also claim to do AES-256, but in reality only do AES-128 with cipher-mode ECB, which indicates they know absolutely nothing about encryption.

        The fact that somebody had to tell them that including the Facebook SDK in their product means their product will be sending data to Facebook servers is just mind-boggling. It's pretty clear that Zoom do not care about security or privacy at all, and that it is systematic for the entire company (especially management).

        Don't make excuses, or try to shift the blame over to users.

        Good article here: https://www.schneier.com/blog/... [schneier.com]
        • by Megane ( 129182 )
          How do you end-to-end encrypt a conversation between three or more users? Other than a separate connection between each pair of users, of course.
          • There are several protocols that involve sharing keys or sharing parts of keys and work with varying degrees of success.

            But this is beside the point - the issue here is should you lie to your customers if you cannot implement it, and should you be responsible if damage occurs, the opinion of some slashdot asshole that "it is all users' fault" notwithstanding?

            And the answer is obvious. You should not, and you should be.

          • How do you end-to-end encrypt a conversation between three or more users? Other than a separate connection between each pair of users, of course.

            You set each individual up with public key encryption. You use that to distribute a session key from the originator of the meeting to each other participant. Now you just verified that people who are who they say they are, and the session key is the same for all users.

          • This is a long-solved problem. You just have every node generate a public-private key pair, and they all swap public keys. Each node then generates a session key, encrypts it with each of the recipient's public keys, and sends it to them. Everything that node now wants to send, it encrypts with that session key and sends to all others, usually via a server somewhere that handles all the inter-node communication. Problem solved. Erase session key at meeting close. Optionally erase public/private pairs too, t
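The scheme sketched in the two replies above (one session key from the originator, wrapped to each participant's public key, relayed through a server that only forwards ciphertext), worked through as an added example in Go. This is not Zoom's protocol and not code from any poster. It assumes X25519 for the key agreement, AES-256-GCM for both key wrapping and media frames, HMAC-SHA256 as a stand-in for a proper HKDF step, and, most importantly, that each participant's public key has already been authenticated out of band (fingerprint comparison, a signed directory, or similar). The exchange by itself does not verify anyone's identity: a relay that substituted its own public keys during setup would sit in the middle undetected, so key authentication is the part that decides whether this is end-to-end in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Participant is one attendee with an X25519 key pair; only Pub ever leaves the device.
type Participant struct {
	Name string
	priv *ecdh.PrivateKey
	Pub  *ecdh.PublicKey
}

// NewParticipant generates a fresh X25519 key pair for one attendee.
func NewParticipant(name string) *Participant {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Participant{Name: name, priv: priv, Pub: priv.PublicKey()}
}

// wrapKey derives a per-pair key-wrapping key from the ECDH shared secret, bound to both
// public keys. HMAC-SHA256 stands in for HKDF here (an assumption of this example).
func wrapKey(shared, senderPub, recipientPub []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("example-group-e2e-wrap|"))
	mac.Write(senderPub)
	mac.Write(recipientPub)
	return mac.Sum(nil)
}

// gcmFor builds AES-256-GCM; every key here is a fresh 32-byte value, so failure is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal prepends a fresh random 96-bit nonce. It is used both to wrap the session key and
// to protect media frames; a real media stack would use a per-sender counter nonce instead.
func Seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail on Go 1.24+; older Go should check the error
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a wrong key or a modified byte fails the GCM tag check.
func Open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// DistributeSessionKey is the originator's step: one random session key, wrapped separately
// to each other participant. The map (recipient name -> opaque blob) is all the relay handles.
func DistributeSessionKey(host *Participant, others []*Participant) ([]byte, map[string][]byte, error) {
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey)
	wrapped := map[string][]byte{}
	for _, p := range others {
		shared, err := host.priv.ECDH(p.Pub)
		if err != nil {
			return nil, nil, err
		}
		wrapped[p.Name] = Seal(wrapKey(shared, host.Pub.Bytes(), p.Pub.Bytes()), sessionKey)
	}
	return sessionKey, wrapped, nil
}

// UnwrapSessionKey is the recipient's step. Anyone else holding the blob, the relay
// included, cannot derive the pair key and so fails the GCM tag check.
func UnwrapSessionKey(me *Participant, hostPub *ecdh.PublicKey, blob []byte) ([]byte, error) {
	shared, err := me.priv.ECDH(hostPub)
	if err != nil {
		return nil, err
	}
	return Open(wrapKey(shared, hostPub.Bytes(), me.Pub.Bytes()), blob)
}

func main() {
	host, alice := NewParticipant("host"), NewParticipant("alice")
	sk, wrapped, _ := DistributeSessionKey(host, []*Participant{alice})
	got, err := UnwrapSessionKey(alice, host.Pub, wrapped["alice"])
	fmt.Printf("relay saw %d opaque bytes; alice recovered the session key: %v\n", len(wrapped["alice"]), err == nil && string(got) == string(sk))
}
```

The per-sender variant in the second reply (every node generating its own key and wrapping it to all the others) is the same loop run once per sender; in both variants the relay only ever sees wrapped blobs and sealed frames, which is what separates this from transport encryption that terminates on the server.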

        • Re: (Score:2, Flamebait)

          by thegarbz ( 1787294 )

          Zoom claimed they do end-to-end encryption. But they don't.

          That is a great criticism but completely irrelevant to the discussion at hand and the entire topic of zoombombing. Had zoom implemented 100% perfect end to end encryption the result would be no different as it doesn't prevent or impact users joining a session in the slightest.

          Now end to end encryption would prevent MITM from snooping out private and protected sessions, but to date we have little evidence of that even being a problem.

          TL;DR Nice Strawman that doesn't at all excuse zoombombing being 100% the u

          • by fuzzyf ( 1129635 )
            Strawman? Did you read the post I replied to? Here.. let me help you.

            The only reason zoom security is a concern is because of stupid users.

            That statement is not limited to zoombombing, even if the article is

            Stop being an ass

            • That statement is not limited to zoombombing, even if the article is

              The article is about zoombombing, my post was about zoombombing. Your post was an irrelevant rant on something completely different. Go take your irrelevant off topic shit elsewhere.

              • by fuzzyf ( 1129635 )
                Listen... Words matter.
                Maybe you wanted to write:
                The only reason zoombombing is a concern is because of stupid users.

                But you wrote:
                The only reason zoom security is a concern is because of stupid users

                These sentences are not the same, and your argument that "security concern" is only referencing zoombombing is weak at best.

                The fact of the matter is that zoombombing is not really that much of a security concern. It can easily be remedied by the users themselves. So when you mention "security concer
                • Re: (Score:2, Insightful)

                  by thegarbz ( 1787294 )

                  Listen... Words matter.

                  Words don't matter nearly as much as the context which surrounds them. If you want to go all autism and read words context free of an article about zoombombing, context free of a poster that wrote about zoombombing, context free of a reply specifically about zoombombing being in control of a user, then expect to get called out for your inability to follow the conversation.

                  Your post was off topic and irrelevant. Quoting a single line out of my post doesn't change that, it just reinforces that you have no idea

                  • by fuzzyf ( 1129635 )
                    Nice try to deflect, but the article linked specifically mentions security issues in general (not just zoombombing), it even had a link to their own blog post about the topic.
                    It's just natural that security issues are included in this discussion. If you don't agree, that is fine. But that does not mean you can define what is on topic by ignoring the article and focusing only on the title

                    Grandma doesn't use a business application, that is an entirely different audience.
                    Grandma doesn't have an admin.
                    • Ah, your first mistake! You admitted to actually reading the article! Bot! No real slashdot user ever reads the article!

                      I'm joking, don't come guns a'blazin' at me now!

                      *throws down smoke bomb and disappears*
                    • I'm joking, don't come guns a'blazin' at me now!

                      You know what they say: "There is no opinion so absurd that some Slashdotter will not post it."
                      -- with thanks to Marcus Tullius Cicero, "Ad familiares"

                  • by crgrace ( 220738 )

                    Come on, fuzzyf. Don't listen to what thegarbz actually writes, listen to what is in his heart.

        • Comment removed based on user account deletion
        • I simply cannot believe that in this day they are using ECB. Are you sure about that one?
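Whatever Zoom was actually doing at the time, the reason ECB is treated as disqualifying is easy to show. Added example in Go, not from the page or from Zoom: it encrypts a constructed 128-byte "frame" of repeated content under AES-128 in ECB (hand-rolled, since Go's standard library does not offer the mode) and under AES-GCM, then counts repeated ciphertext blocks. ECB reproduces the plaintext's structure block for block; a nonce-based mode does not. The key and the frame contents are made up for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ecbEncrypt runs the raw AES block function over each 16-byte block on its own.
// The Go standard library has no ECB mode; the only way to get one is to write
// this loop yourself, which says something about how the mode is regarded.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(plaintext)%aes.BlockSize != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// gcmEncrypt uses AES-GCM with a fresh random nonce. A real protocol sends the
// nonce alongside the ciphertext; it is not needed for this measurement.
func gcmEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nil, nonce, plaintext, nil)
}

// DuplicateBlocks counts ciphertext blocks that repeat an earlier block. Under a
// sound mode this is zero; under ECB it equals the number of repeated plaintext blocks.
func DuplicateBlocks(ct []byte) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// SampleFrame is a constructed stand-in for a media frame with repetitive content
// (a static slide, a flat background): eight identical 16-byte blocks.
func SampleFrame() []byte {
	return bytes.Repeat([]byte{0x80}, 8*aes.BlockSize)
}

// CompareModes encrypts the same frame under both modes with the same AES-128 key
// and returns the duplicate-block count for each.
func CompareModes(key []byte) (ecbDups, gcmDups int) {
	frame := SampleFrame()
	return DuplicateBlocks(ecbEncrypt(key, frame)), DuplicateBlocks(gcmEncrypt(key, frame))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed AES-128 key for the demo
	fmt.Println("ECB ciphertext:", hex.EncodeToString(ecbEncrypt(key, SampleFrame())[:48]))
	fmt.Println("GCM ciphertext:", hex.EncodeToString(gcmEncrypt(key, SampleFrame())[:48]))
	e, g := CompareModes(key)
	fmt.Printf("repeated ciphertext blocks: ECB=%d GCM=%d\n", e, g)
}
```

The printed ECB ciphertext shows the same 32 hex characters three times over; an observer who never learns the key still learns which parts of a frame are identical, and across frames which regions changed. GCM additionally authenticates the data, so a relay that flips bits is detected rather than producing garbled video.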
        • > End-to-end is either true or false. Zoom handles all video/audio unencrypted on their servers. Encrypting to and from their servers is absolutely NOT end-to.end encryption for their users.
          It's a lie. Pure and simple. A lie.

          As usual, not so pure and simple. Did you read their architecture diagram?

          You describe what people PRESUME is the case for a recorded session. They've stated that it's not the case for a non-recorded session.

          You can go look at my comment asking for clarification on their Twitter post

        • Been using Zoom for ages and think they have things pretty sorted. As for having to use meeting rooms and passwords, why not, extra protection for confidential meetings, all good in my book.
      • Don't be stupid. The only reason zoom security is a concern is because of stupid users. Zoom has always had security options such as the ability to password protect a meeting, force the lobby, or lock the meeting from additional joiners once the meeting is underway.

        OTOH, they could have made guessing IDs dramatically more difficult by putting more entropy in the meeting IDs. Hangouts IDs are 24 characters, randomly chosen from upper and lower-case alphabetics and numerics, giving them about 140 bits of entropy (a bit less than log_2(66^24), I suspect, since there's probably some filtering of offensive words, etc.). Even if every person in the world were on a half-dozen hangouts simultaneously, you'd never manage to guess one of the IDs.

        You might argue that such lon

    • by Jeremi ( 14640 ) on Saturday April 04, 2020 @09:16AM (#59907506) Homepage

      There's always a trade-off between security and ease-of-use.

      Imagine that Zoom had prioritized security from the get-go. The likely result would have been that many/most people would have had trouble getting Zoom to do what they want, due to all of the security-hoops they would have had to jump through before they could use it, so Zoom would be an obscure niche product now.

      And we'd be having this exact same conversation about some other widely-used-but-insecure videoconferencing app that everybody is using, instead.

      Money plays a role, but what's really popularizing insecure software is that people want software that "just works" without requiring any technical fiddling or troubleshooting by the user, and (so far, at least), making things secure usually leads to an inferior user experience.

      • by dvice ( 6309704 )

        > There's always a trade-off between security and ease-of-use.

        I disagree.

        Let's say that I set up a private/public key pair for my machine and server. Now I can connect to the server without entering a password at all. It is now easier to use and more secure than it would be with a weak password.

        You could claim that if someone can get into my computer, they get also the server. But if someone gets into my computer, they can just install keylogger and get the password that way also.

        Another example: Some companies requi

        • by Jeremi ( 14640 )

          Let's say that I set up a private/public key pair for my machine and server. Now I can connect to the server without entering a password at all. It is now easier to use and more secure than it would be with a weak password.

          Cool, I agree -- but try to get your grandmother to understand what a private/public key pair is, let alone install and maintain one on her machine. You'll likely end up either having to do it for her, or she'll give up in frustration and use an insecure alternative, instead.

  • The US DoJ really knows little about the law and likes to flex its lack of muscle.

    It's not "video hacking". It's connecting to a URL. This has been already judged legal.
    It's not a "criminal thing". That too has been adjudged legal.

    If ANYTHING (not CFAA, not criminal, not arrestable) if the person "ZoomBombing" has an account, Zoom can cancel it and use its T&Cs to take further --civil not criminal-- actions. I didn't see it in the T&Cs but I am not a lawyer.

    I'm also not a moron at the Department

    • You are ignoring intent, E
    • by cascadingstylesheet ( 140919 ) on Saturday April 04, 2020 @08:30AM (#59907434) Journal

      The US DoJ really knows little about the law and likes to flex its lack of muscle.

      It's not "video hacking". It's connecting to a URL. This has been already judged legal. It's not a "criminal thing". That too has been adjudged legal.

      If ANYTHING (not CFAA, not criminal, not arrestable) if the person "ZoomBombing" has an account, Zoom can cancel it and use its T&Cs to take further --civil not criminal-- actions. I didn't see it in the T&Cs but I am not a lawyer.

      I'm also not a moron at the Department of Justice that says stupid shit on record.

      E

      Walking through a door can be perfectly innocent, or it can be trespassing. Regardless of whether the door is locked.

      It's not the intrinsic physical nature of the act that matters.

      • Comment removed based on user account deletion
      • It's not "video hacking". It's connecting to a URL. This has been already judged legal. It's not a "criminal thing".

        I'm no expert, but I expect that joining a video chat with K-12 school kids and then sharing pornographic content might contravene one or two laws.

      • Comment removed based on user account deletion
      • The law is not always the clear, impersonal thing that programmers might think of. It's ugly. It has contradictions. It has people in it, and people are nasty.

    • Guess it's the first day on the internet for these boomer scum.

  • read as stopping zombo bombing...really mad...
  • Just generate random long room ids or generate a token for every user who gets invited without which they cant join.
    • Just generate random long room ids or generate a token for every user who gets invited without which they cant join.

      The former is an option; the latter, while not an option in Zoom (actually not a feature in most video conferencing software that isn't linked to some corporate Active Directory or someone's cloud account), is something that can easily be controlled by the meeting organiser.

      • by Ly4 ( 2353328 )

        The meeting id is nine digits in most cases. You cannot make it longer.

        • The problem with longer is not everyone clicks the link. Sometimes for schooling, the parent gets the link because the kid has no email, so they type the 9 digit room number in on the kids Chromebook. Certainly it would be nice to have an option of a long room id (for security) or a short id (for ease of use), but you still end up with a ton of people using the short, so the problem would still be there
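The entropy argument from the Hangouts comparison upthread and the nine-digit limit discussed here, worked through as an added example in Go (not from any poster): it computes the size of each ID space in bits and the probability that random join attempts land in some live meeting. The assumptions are mine: 62-character alphanumerics for the long format (the comment above counts 66), one million meetings in progress at once, no rate limiting, and a service that tells the caller whether an ID exists.

```go
package main

import (
	"fmt"
	"math"
)

// IDFormat describes a meeting-ID scheme by alphabet size and length.
type IDFormat struct {
	Name     string
	Alphabet int
	Length   int
}

// EntropyBits is log2(Alphabet^Length): the size of the ID space in bits,
// assuming IDs are drawn uniformly (sequential or structured IDs are worse).
func (f IDFormat) EntropyBits() float64 {
	return float64(f.Length) * math.Log2(float64(f.Alphabet))
}

// HitProbability is the chance that at least one of `guesses` uniformly random
// IDs lands on one of `live` currently active meetings in a space of 2^bits IDs.
// Each guess hits with p = live/2^bits, so P = 1-(1-p)^guesses; log1p/expm1 keep
// the arithmetic accurate when p is far below float precision.
func HitProbability(bits, live, guesses float64) float64 {
	p := live / math.Exp2(bits)
	if p >= 1 {
		return 1
	}
	return -math.Expm1(guesses * math.Log1p(-p))
}

// GuessesForHalfChance solves 1-(1-p)^k = 0.5 for k: the number of random join
// attempts an attacker needs for even odds of landing in someone's meeting.
func GuessesForHalfChance(bits, live float64) float64 {
	p := live / math.Exp2(bits)
	return math.Log(0.5) / math.Log1p(-p)
}

func main() {
	formats := []IDFormat{
		{"9 decimal digits", 10, 9},
		{"24 alphanumerics", 62, 24},
	}
	const live = 1e6 // assumed number of meetings in progress at once
	for _, f := range formats {
		bits := f.EntropyBits()
		fmt.Printf("%-18s %6.1f bits  P(hit in 1000 guesses)=%.2e  guesses for 50%%: %.3g\n",
			f.Name, bits, HitProbability(bits, live, 1000), GuessesForHalfChance(bits, live))
	}
}
```

With nine digits and a million live meetings, roughly 700 random attempts give even odds of landing in someone's meeting, which is why a password or waiting room has to carry the weight the ID cannot. With 24 alphanumerics the same attack is hopeless at any rate of attempts, and the password only matters against links that leak.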
  • Zoombombing doesn't work on private meetings. I assume people know the difference between private meetings (meeting in a secure area under your control) and a public meeting (meeting out in a random public place). If you want a private meeting then set up the meeting with a password, set it up to lock access once participants are in, or set it up with a mandatory lobby.

    The tools are there, they always have been. If people use them incorrectly what are you supposed to do?

  • As someone who handles IT, this is going to be an absolute mess. There's a reason why these features are off by default, and even offering these to our users, no one has enabled them. They make it harder for the average user to use. Thanks Zoom.

    • by Megane ( 129182 )
      I think you should sarcasm-thank the people pranking calls instead. Zoom picked a default that made things convenient like users want, until various incidents made a news story out of it. So they've altered the deal to be a little more secure. Pray they don't alter it any further.
  • Fuck Zoom.
