Sadly, many students (and non-students) have Macs with 8GB RAM since that’s the default and Apple asks 240 Euro for an upgrade to 16GB last time I checked. A 2GB or 4GB RAM VM will probably slow their machine to a crawl.
Also, assuming that the Zoom Linux client supports hardware H.264 encoding/decoding through e.g. VA-API (I don’t know if it does), will that still work in a VM? CPU fans spinning at high RPMs can be very annoying, especially if someone also has a bad microphone or noise-cancellation does not work well. I have had to cancel meetings with students in the past, until they had a better setup, because they were inaudible or the ambient noise was so bad that it was impossible to have a conversation.
Alternatives for Mac/Windows: (1) use the web version of Zoom; (2) use Zoom on a phone or tablet (at least iOS has good sandboxing).
(Not saying that using a VM is not a solution, but it comes with strong disadvantages as well.)
I just installed Zoom and set up an account 2 days ago to do a few get-togethers with some friends, so I tried to actually read through all of the links:
According to the link on “malicious websites to enable your webcam”, this was from summer 2019. Supposedly they removed the hidden web server and implemented meeting join confirmations with video preview since that was reported. I think I’ll try and check on this myself later. Possibly pending any interesting later discoveries, yawn.
On “use your camera without consent”, we have evidence that the OS X installer is doing some sketchy things, and that there are some local-only privilege exploits. The article is dated April 1, 3 days ago. It also cites an update to the app, released April 2nd, 1 day later, that supposedly fixes these exploits. If the fix is real, fixing in 1 day is pretty impressive, even if the original code that allowed this is disappointingly sloppy. Still sounds like a big meh with all things put together.
On “Windows username and ability to steal credentials” - this sounds pretty weak to me. If you’re 1. On Windows, on a domain account, and 2. Your Windows domain account has some type of interesting access to internet-reachable servers and 3. Somebody posts a link to a malicious SMB file server in your Zoom chat, and 4. You click on that link, then the owner of that malicious SMB server might be able to steal your Windows credentials and use them to log onto those other interesting servers as you. Zoom’s big supposed weakness is that they make those links clickable. Meh. IMO, this sounds like a weakness for Windows and this SMB authentication, not so much for Zoom. Zoom seems to have responded by de-linking all links in chat. For all of the people who are Zoom chatting with malicious people and using text chat on a video conferencing system.
People also seem to be complaining that meeting video and audio are not actually end-to-end encrypted, despite supposed claims. It’s mildly sketchy if they are falsely claiming that it is, but real E2E encryption for such large meetings sounds somewhere between very difficult and impossible to do properly. I don’t know of anybody else doing it. Lots of systems seem to be having lots of trouble with video quality and reliability without challenges like E2E encryption. I’m not gonna really fault them for this.
In summary, I don’t see any issues of real concern. I think this is just bash on Zoom for the clicks season. I see no reason to go to the trouble of sandboxing the app. It sounds like Zoom on the whole has responded pretty well to a massive jump in userbase and use cases. Change my mind if you can.
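The credential-theft chain laid out in the comment above (a UNC link in chat, a click, an SMB session to the attacker’s server, an NTLM exchange with the victim’s domain credentials) is easy to detect and neutralize on the text side. The following Go program is an added example, not code from the original page or from Zoom: it scans constructed chat messages for UNC paths and file:// URIs, reports the host each one would make Windows authenticate to, and rewrites the message so a client-side linkifier has nothing to turn into a link. The regexes, type names, sample messages and sample hosts are all assumptions made for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed chat messages for the demo; not real Zoom chat logs.
var sampleChat = []string{
	`meeting notes: \\fileserver\shared\notes.docx`,
	`quick look at this: \\203.0.113.7\payroll\q1.xlsx`,
	`or this one file://203.0.113.7/share/intro`,
	`slides are at https://example.org/deck.pdf`,
	`no links in this message`,
}

// uncPath matches a Windows UNC reference: \\host\share with an optional path.
// Opening one makes Windows start an SMB session to host and, by default, answer
// the server's NTLM challenge with the logged-on user's credentials.
var uncPath = regexp.MustCompile(`\\\\[A-Za-z0-9._-]+\\[^\s\\]+(?:\\\S*)?`)

// fileURI matches file:// URIs, which Windows resolves through the same redirector.
var fileURI = regexp.MustCompile(`(?i)file://[^/\s]+(?:/\S*)?`)

// Finding is one SMB-reachable reference found in a chat message.
type Finding struct {
	Line int    // 1-based index into the chat
	Kind string // "unc" or "file-uri"
	Host string // server the victim's machine would authenticate to
	Ref  string // the matched text
}

// hostOf pulls the server name out of a matched UNC path or file URI.
func hostOf(ref string) string {
	if strings.HasPrefix(ref, `\\`) {
		rest := strings.TrimPrefix(ref, `\\`)
		if i := strings.IndexByte(rest, '\\'); i >= 0 {
			return rest[:i]
		}
		return rest
	}
	rest := ref[len("file://"):] // the regex guarantees the 7-byte prefix, any case
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		return rest[:i]
	}
	return rest
}

// ScanChat reports every UNC path and file URI in the given messages.
func ScanChat(messages []string) []Finding {
	var out []Finding
	for n, msg := range messages {
		for _, m := range uncPath.FindAllString(msg, -1) {
			out = append(out, Finding{Line: n + 1, Kind: "unc", Host: hostOf(m), Ref: m})
		}
		for _, m := range fileURI.FindAllString(msg, -1) {
			out = append(out, Finding{Line: n + 1, Kind: "file-uri", Host: hostOf(m), Ref: m})
		}
	}
	return out
}

// Neutralize rewrites a message so no linkifier can turn the reference into a
// clickable link: the path text is kept for the reader, but it no longer starts
// with \\ or file://, which is what link detection keys on.
func Neutralize(msg string) string {
	msg = uncPath.ReplaceAllStringFunc(msg, func(m string) string {
		return "[UNC path to " + hostOf(m) + " removed: " + strings.TrimPrefix(m, `\\`) + "]"
	})
	return fileURI.ReplaceAllStringFunc(msg, func(m string) string {
		return "[file URI to " + hostOf(m) + " removed]"
	})
}

func main() {
	for _, f := range ScanChat(sampleChat) {
		fmt.Printf("line %d: %-8s host=%s ref=%s\n", f.Line, f.Kind, f.Host, f.Ref)
	}
	for _, msg := range sampleChat {
		fmt.Println(Neutralize(msg))
	}
}
```

De-linking in one client only protects users of that client. The controls that stop the credential leaving regardless of which application rendered the link are blocking outbound TCP 445 at the network edge and the Windows policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”; a scanner like the one above is useful on top of those, as a detection signal for who is posting such links.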
I think the recent spate of Zoom articles/spam is due to bored developers being forced to use it for remote work, running Wireguard on the traffic, and freaking out that they’re forced to use privacy-invading software they presumably had no problems with everyone else using in the Before Times.
I certainly agree, the long list of issues (even if some of them are resolved), will contribute to attracting attention to other details that might have been otherwise missed.
I don’t see any issues of real concern. I think this is just bash on Zoom for the clicks season
Considering we have no advertising and make no money from “clicks”, that’s hardly a motivation.
Since this was written, The Intercept also published a piece about their choice of using AES with ECB mode, which cannot be explained away with “oh that was an accident”. Everyone knows ECB is bad, especially anyone developing software like this (well, they should).
Considering we have no advertising and make no money from “clicks”, that’s hardly a motivation.
It doesn’t have to be for actual cash money. We’re all writing for attention - myself included. Bashing on Zoom is in style now, so many people will write articles to jump on the bandwagon. The fact that very few of them will make any actual money isn’t really a factor in the phenomenon.
Personally, I tend to be highly suspicious of anything that appears to be a bandwagon.
Since this was written, The Intercept also published a piece about their choice of using AES with ECB mode, which cannot be explained away with “oh that was an accident”. Everyone knows ECB is bad, especially anyone developing software like this (well, they should).
I am not an encryption expert. I don’t know if you are or aren’t. But I did see some discussion over on HN from some actual encryption experts. Like tptacek here, and this other thread here. Summary from those in the know is more that getting an actual secure encryption of a compressed AV stream that needs to be decoded on the server for recompression at different bitrates, needs to be encoded and decoded in realtime on thousands of devices, some of which might be pretty slow, needs to support slow, laggy, jittery, and otherwise flaky connections, and needs to support users joining and leaving at arbitrary times, is a very complex task. Shouting ECB is bad because I read it on Wikipedia doesn’t help much.
While I don’t claim to be an expert in any of the technical sub-fields, I have been involved in implementing solutions for large and complex real-world systems like this. Enough to easily envision the difficulties imposed by their requirements, and how inadequate commitment to ideological perfection is in the face of those requirements. There is a real network effect to these things, and a system that works for everybody, everywhere, 100% of the time, seamlessly, despite not being technically perfect, has a completely dominant advantage over technically superior systems that fall short on those other factors.
I had a Zoom party last night, for about a dozen non-technical friends. Everybody’s connection worked, despite old devices, poor internet connections, people entering and leaving at random, a variety of device types and operating systems, etc. I genuinely, politely want to know - what is the superior solution here? Is there something out there with better encryption that will work on everybody’s device the first time with no hassles, even if it’s kind of old or on a poor connection? I haven’t heard of anything that I trust to do that.
I do think there’s a third category there. Saying your product has E2EE when it does in fact not, and then doubling down on it by “redefining” what you think E2EE means is unforgivable. Using ECB mode with AES, for anything but random data (really there’s no reason to ever use ECB for anything), well if that’s not on purpose, then it shows that the developers responsible for that code are pretty incompetent. I really don’t know what else you can “call it”.
It supports Windows XP SP3, Mac OS 10.7 and many distributions and versions of Linux. It supports iOS, Android and even BlackBerry. Among browsers, it supports Safari 7, Chrome 30, Firefox 27 and Internet Explorer 11. In other words, even if you haven’t updated your browser in the last six years, or your operating system in the last twenty, you can still use Zoom!
Is not a good thing as it encourages people to stay on legacy unsupported systems with no security updates whatsoever.
I do think there’s a third category there. Saying your product has E2EE when it does in fact not, and then doubling down on it by “redefining” what you think E2EE means is unforgivable.
Using ECB mode with AES, for anything but random data (really there’s no reason to ever use ECB for anything), well if that’s not on purpose, then it shows that the developers responsible for that code are pretty incompetent. I really don’t know what else you can “call it”.
I don’t really know why anyone would intentionally use less secure encryption. I think this too falls under the category of accidental security flaws.
Now we learn that some calls were accidentally routed through China, that mixed with weak encryption doesn’t sound awesome.
Again, this seems to fall under the category of unintentional vulnerabilities, and so far, it really seems as though Zoom is receiving the criticism well. Of course we’ll have to see how much they actually fix, but then again, it can’t be easy to suddenly go from 10 million users to 200 million.
Is not a good thing as it encourages people to stay on legacy unsupported systems with no security updates whatsoever.
I think we just have different opinions on this. I obviously understand what you mean. But there are few things I dislike as much as arbitrarily limiting people’s freedom in the name of security, especially when it’s my own freedom, and especially when there’s only an indirect, potential threat, of which I am already aware.
I do think there’s a third category there. Saying your product has E2EE when it does in fact not, and then doubling down on it by “redefining” what you think E2EE means is unforgivable.
Using ECB mode with AES, for anything but random data (really there’s no reason to ever use ECB for anything), well if that’s not on purpose, then it shows that the developers responsible for that code are pretty incompetent. I really don’t know what else you can “call it”.
I don’t really know why anyone would intentionally use less secure encryption. I think this too falls under the category of accidental security flaws.
Anyone who is developing software with encryption should know that ECB is a bad choice. Everywhere I’ve ever seen it mentioned, it goes with warnings, i.e. never use this. Even the Wikipedia article very clearly states the issues with it.
The reason I said it was incompetence is because it shows the developers didn’t do minimal research before implementing this feature in this way. The alternative is malicious compliance. I hope we haven’t forgotten about Bullrun just quite yet.
As part of Bullrun, NSA has also been actively working to “Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets”.
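The ECB objection raised in the Intercept discussion above and restated in the last two comments comes down to two concrete properties: equal plaintext blocks give equal ciphertext blocks, and nothing authenticates the stream. The following Go program is an added example, not code from the original page or from Zoom, showing both. It encrypts a constructed repeating “frame” (standing in for codec output of a static scene) with a hand-rolled ECB loop, which is all ECB is, and with AES-GCM, then swaps two ciphertext blocks of a constructed two-block ledger under each. The keys, inputs and function names are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// Constructed demo inputs (not real Zoom media or keys).
// staticFrame stands in for codec output that repeats, as a static scene or silence does.
var staticFrame = bytes.Repeat([]byte("STATIC-BACKGRND!"), 8) // 8 identical blocks
// ledger is two blocks whose order carries meaning, for the reordering demo.
var ledger = []byte("PAY-ALICE-000100" + "PAY-BOB---009900")

// ecbEncrypt applies the raw block cipher to each block independently. Go's
// standard library deliberately has no ECB mode; this loop is all ECB is.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%blockSize != 0 {
		return nil, errors.New("ecb: plaintext is not a multiple of the block size")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		block.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct, nil
}

// ecbDecrypt is the inverse. It can never detect tampering: every 16-byte
// input decrypts to some plaintext.
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%blockSize != 0 {
		return nil, errors.New("ecb: ciphertext is not a multiple of the block size")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += blockSize {
		block.Decrypt(pt[i:i+blockSize], ct[i:i+blockSize])
	}
	return pt, nil
}

// gcmSeal encrypts with AES-GCM under a fresh random nonce; output is nonce||ciphertext||tag.
func gcmSeal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen checks the tag and decrypts; any modified byte makes it return an error.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("gcm: ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// distinctBlocks counts distinct 16-byte blocks: the pattern an eavesdropper
// sees without knowing the key.
func distinctBlocks(data []byte) int {
	seen := make(map[[blockSize]byte]struct{})
	for i := 0; i+blockSize <= len(data); i += blockSize {
		var b [blockSize]byte
		copy(b[:], data[i:i+blockSize])
		seen[b] = struct{}{}
	}
	return len(seen)
}

// swapBlocks returns a copy with 16-byte blocks i and j exchanged, the
// simplest active attack on unauthenticated ciphertext.
func swapBlocks(data []byte, i, j int) []byte {
	out := append([]byte(nil), data...)
	copy(out[i*blockSize:(i+1)*blockSize], data[j*blockSize:(j+1)*blockSize])
	copy(out[j*blockSize:(j+1)*blockSize], data[i*blockSize:(i+1)*blockSize])
	return out
}

func main() {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ecb, _ := ecbEncrypt(key, staticFrame)
	gcm, _ := gcmSeal(key, staticFrame)
	fmt.Printf("static frame: %d blocks; ECB shows %d distinct, GCM shows %d distinct\n",
		len(staticFrame)/blockSize, distinctBlocks(ecb), distinctBlocks(gcm))

	ct, _ := ecbEncrypt(key, ledger)
	pt, _ := ecbDecrypt(key, swapBlocks(ct, 0, 1))
	fmt.Printf("ECB after block swap decrypts cleanly to: %q\n", pt)

	sealed, _ := gcmSeal(key, ledger)
	// blocks 1 and 2 lie past the 12-byte nonce, inside ciphertext and tag
	if _, err := gcmOpen(key, swapBlocks(sealed, 1, 2)); err != nil {
		fmt.Println("GCM after block swap:", err)
	}
}
```

Run with go run: the static frame shows one distinct ECB block out of eight versus no repeats under GCM, the swapped ECB ciphertext decrypts without complaint to a ledger with the payments reordered, and GCM rejects the same swap with an authentication error. The real-time constraints discussed in this thread (lossy transport, late joiners, server-side transcoding) are nonce-management and key-distribution problems; none of them is an argument for ECB, and an AEAD like the one above, or SRTP, which exists for exactly this traffic, costs the same per block.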
Now we learn that some calls were accidentally routed through China, that mixed with weak encryption doesn’t sound awesome.
Again, this seems to fall under the category of unintentional vulnerabilities, and so far, it really seems as though Zoom is receiving the criticism well. Of course we’ll have to see how much they actually fix, but then again, it can’t be easy to suddenly go from 10 million users to 200 million.
Unfortunately with using services like this, we will never know if certain accounts may have their calls re-routed to less privacy friendly jurisdictions for certain reasons. If it can happen by accident, can it happen on purpose?
Without true E2EE those communications may not be safe.
Is not a good thing as it encourages people to stay on legacy unsupported systems with no security updates whatsoever.
But there are few things I dislike as much as arbitrarily limiting people’s freedom in the name of security, especially when it’s my own freedom, and especially when there’s only an indirect, potential threat, of which I am already aware.
Not all users may be “aware” of the threats. Software should be designed in a way the user does not need to keep track of all that, especially when not all of us have the ability or time to do so. Many of those threats may not be “potential” but in fact very real.
To expect largely abandoned platforms from 20 years ago to still be supported without any kind of support contract is a form of entitlement. Support for legacy platforms quite often holds back features on newer platforms being developed with a simpler solution. It also expends time in providing a solution that will be compatible with legacy environments. This time would be far better invested on security and privacy in general.
Look, I’m not happy either that Zoom is a non-free, closed-source, non-end-to-end-encrypted service that, in the end, cannot be trusted. But I also realize how difficult it is to develop a good, usable and accessible product with end-to-end encryption. Zoom is doing well at the moment because they have a good, usable and accessible product (and support for old operating systems and browsers is a part of that).
And there’s a difference between security and privacy, which I think shouldn’t be ignored, considering the title of your post is “protecting your privacy”. Governments need security. Normal people primarily need privacy. Compared to popular alternatives, there are some security problems with Zoom, sure, but privacy issues? I don’t see them.
To expect largely abandoned platforms from 20 years ago to still be supported without any kind of support contract is a form of entitlement.
I’m not expecting anything – you’re the one expecting that they withdraw support.
Zoom is doing well at the moment because they have a good, usable and accessible product (and support for old operating systems and browsers is a part of that).
Going back to your blog article:
It supports Windows XP SP3, Mac OS 10.7 and many distributions and versions of Linux. It supports iOS, Android and even BlackBerry. Among browsers, it supports Safari 7, Chrome 30, Firefox 27 and Internet Explorer 11.
Why stop there? Why not IE6, why not Windows 95? The point is a line needs to be drawn somewhere. I’d also highly doubt anyone was running Chrome 30, why frozen on that particular version? Chrome has always had auto-updates, and Firefox got that in version 15.
And there’s a difference between security and privacy, which I think shouldn’t be ignored, considering the title of your post is “protecting your privacy”.
You can’t have privacy without security. Privacy is obtained through the use of secure features. If it’s not secure it is going to inevitably be exploited and thus not private.
Governments need security. Normal people primarily need privacy.
They need both. That particular statement made me think of this: “we are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications,” and “not talking about protecting the nation’s nuclear launch codes.”
Compared to popular alternatives, there are some security problems with Zoom, sure, but privacy issues? I don’t see them.
A market decision, not a technical one. Look at what people are using, and see what you need to support to get your target percent-of-population-supported numbers.
Note that it’s much, much simpler to just run Zoom inside Firejail, if you run on a system that supports it: https://github.com/netblue30/firejail/blob/master/etc/zoom.profile
Yep, that’s another way of doing it, sadly many of our readers are students on Windows/Mac based systems.
Definitely see the value in starting with the most widely-applicable approaches; sure.
Or with bubblewrap or via Flatpak (which uses bubblewrap).
Don’t you mean Wireshark? :-)
Duh, yeah I meant Wireshark. Too late to edit now!
I’ll shamelessly re-post my thoughts on Zoom here and echo the opinion of MasonJar that I don’t see any big reasons for concern over Zoom and privacy.
Also your last point there:
Is not a good thing as it encourages people to stay on legacy unsupported systems with no security updates whatsoever.
Well, at least they apologized.
We can thank the media for drawing attention to that or it would still be happening: Zoom Removes Code That Sends Data to Facebook. Zoom Tightens Privacy Policy, Says No User Videos Are Analyzed for Ads. Having read the privacy policy, it is in better shape than it once was.