Security Bits Logo no alpha channel

Security Bits — 5 April 2020

Feedback & Followups

Deep Dive — To Zoom or not to Zoom?

Thanks to some great work by Glenn Fleishman at TidBits, there’s no need for me to do a deep-dive into the technical details of the many many Zoom security and privacy stories that have broken this week. Glenn explains them all extremely clearly, what what’s more, he ends each description with instructions for what you can or must do to protect yourself — tidbits.com/…

Zoom’s business model is freemium, so it’s not FreePI, so the incentives should not be pushing the company to invade your privacy, and yet, we’ve seen a lot of privacy problems mixed in with the security problems, what’s going on?

Because of the extreme arrogance shown by the company last summer when it was discovered their app installed and insecure web server that bypassed important Safari user protections in the name of ease of use, and then left that vulnerable web server behind when the app was uninstalled, my initial impression of the company was extremely negative. So negative in fact that I have been actively boycotting them, but I think that first impression was not quite fair.

Fleishman chooses to use the word careless, and I think that’s much closer to the mark. I think it’s also extremely important to point out that while their response last summer was most charitably described as poor, their responses this month have been much better — they have apologised, explained, and, more importantly, patched quickly. They’ve even gone so far as to announce a 90-day feature freeze so they can focus all their attention on patching security bugs and addressing the myriad privacy concerns that have been raised.

I’m not sure it’s a defence, but the motivation for some of their most galling behaviour has been to create a more user-friendly experience. I personally think it’s utterly inappropriate to undermine your users’ security in the name of convenience, but I still think motivation matters when judging a company, and user convenience is absolutely not a malicious motivation, and that’s gotta be worth something!

Zoom is one of the single most popular online meeting apps — why? Because it works really well, even for really big groups, because it’s easy to use both for people organising meetings, and for people invited into meetings, and because there is a feature-rich free tier.

In these days when we’re forced to keep our physical distance, tools that allow us to remain socially close from afar are more valuable than ever!

So, should you use Zoom? That’s your call — all I suggest is that you take the time to make an informed decision. Does the value out-weight the risks, and are you prepared to take the extra steps needed use Zoom in as secure as manner as is currently possible?

Since the value is obvious, what are the risks?

Looking at Zoom’s history, it seems clear to me that they have accrued massive technical debt — years of sloppy programming has resulted in a code-base littered with bugs, some of which have been found and patched, but many more almost certainly remain, and they could bite Zoom users badly at any moment.

We also know that at a technical level, Zoom’s encryption is poorly designed and weak. They have promised to fix it, but that will take time, so at least for now, we know it’s not a safe way to communicate private information. That’s unlikely to be a show-stopper for home users (just assume someone could be listening in and behave accordingly and you’ll be grand), it’s a huge problem for higher risk users like reporters, activists, campaigners, political leaders, and corporations likely to be the targets of industrial espionage.

Finally, it also seems clear to me that Zoom’s sloppiness goes beyond their code to their decision making and their policies. They’re not thinking things through properly before implementing them, and their policies have tended to air on the side of allowing the company far more rights than it needs. Their recently updated privacy policy is a massive improvement, but that doesn’t obviate the many poor decisions that have yet to be reversed like their automatic sharing of information between people who’s email addresses happen to be on the same domain.

Finally — always remember there are alternatives:

❗ Action Alerts

Worthy Warnings

Notable News

Interesting Insights

Palate Cleanser

Chris Ashley of SMR Podcast on Daily Tech News Show talks about how nice we are online right now: 1999 Nice + 2020 Memes – DTNS 3753 – Daily Tech News Show

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published.

Scroll to top