What is the deal with Zoom, and how you can fix it (kinda)

Zoom has some major security problems. I won’t blame you if you don’t use it at all. But there are a few things you can do to make yourself more safe, if you use it, or a competing service.

What’s Zoom anyway?

You live under a rock. Zoom.us is a video chat service and application that makes it incredibly easy to join a call / meeting without having to sign up for an account.

Because it’s so easy, schools, families, businesses and even doctors have used it. The last thing you want when trying to get a call going is to deal with, “OK, first, you gotta sign up for an account. Then, you have to go back to your email or text to confirm an account. Then, you…”

Forget that. The reason why Zoom exists is because

1. Microsoft screwed up Skype (forgot about consumer Skype outside of emojis) and created a separate Skype for Business that was just a renamed Lync video chat service, which also sucks.
2. Google screwed up Hangouts (saying they’d shut it down, killing off Google Allo, and offering Hangouts functionality as new services named Chat and Meet. Never mind that they had used Chat previously years ago. Basically, Google don’t know what they’re doing.)

What’s wrong with Zoom?

A few things. The obviously noticeable one is that it was super convenient to set up a call (they call them meetings). Yes, that makes it fast to set up a call, but it also means that it was open to some abuse.

• The most common abuse has been zoombombing.

Zoombombing is where you publish your meeting ID somewhere accessible and some 13-year-olds or neo-Nazis come in and shout disgusting stuff at you. (this happens in online gaming, too. The common answer is, “grow a thicker skin” – which is BS. What if instead of being dicks, people encouraged each other? But that change isn’t happening today.

• Zoom wrote a customized Mac installer to get around Apple’s built-in security. Basically, they included a web browser whose sole job was to automatically click “allow” to launch the app from within your regular web browser when clicking on a meeting link. Violating an operating system’s security in the name of ‘easier usability’ is not a great idea, Zoom
• They were sharing data with Facebook. Facebook are not known for taking privacy seriously as a whole.
• The FBI issued a warning about zoombombing.
• The NY AG sent a letter to Zoom asking about what steps they’re taking.
• A class action suit was filed in CA.
• It’s discovered that Zoom could let bad actors use the mic and camera, unauthorized.
• The custom Zoom installer we mentioned above? It could gain root access on Mac, something that should never happen.
• A bug on Windows allowed for password theft to happen from Zoom.
• Zoom claims to use End-to-End encryption. They don’t.
• There was a feature meant to be a company directory in Zoom that was leaking user email addresses and photos to strangers.
• and more zoombombing – zWarDial is an application that discovers about 100 non-password protected zoom calls in an hour.
• Congress gets involved and starts sending letters to Zoom, inquiring about security. (This is a little absurd, given Congress’s repeated interest in outlawing encryption.)
• Zoom calls put recordings up on line for anyone to find.
• Zoom routed some calls through China, that should never have been routed through China.
• Some school districts are banning Zoom as a result, Taiwan bans zoom from government use.
• The US Senate has been advised to not use Zoom.
• The German government is banning zoom for goverment use.
• Google has banned Zoom for remote workers. (Google would prefer everyone use Allo Chat Hangouts Meet Hangouts and Chat.)
• Facebook’s former chief security officer, Alex Stamos has volunteered to help Zoom fix their problems. It’s not certain how this works out yet. (Stamos is known for leaving Facebook because he had difficulty getting them to take security as seriously as he wanted.)

What is Zoom doing?

• issuing updates to try and fix these problems.
• turning on passwords for meetings by default
• for education, turning on waiting rooms so that only approved people may join a call
• only allowing teachers to share content

What can you do?

If you’re going to use Zoom, there are some steps you can take to secure yourself a little better.

• Make sure your meetings have a password. Do not share that password publicly on social media or the web.
• Make sure you have a waiting room enabled, so you can let people in individually.
• If the meeting has begun and everyone is in it, lock the meeting so no one else can join. Click ?Participants? in the bottom of a Zoom window, then click ?Lock Meeting.?
• If you do find an unauthorized person who has joined your Zoom meeting, you can remove them. 

• Go to the participant?s pane on the right.
• Hover over the name of the person and select ?Remove.?
• By default, an ousted guest cannot rejoin.
• The host can also mute participants in their settings.

• Make sensitive meetings private, and do not allow recordings.

If you’re looking for alternatives to Zoom, Google has some, and Microsoft has Skype, Skype for Business, and Microsoft Teams.

If you’re into open source, Jitsi.org is a good answer. When using it person to person, it is person to person encrypted. When using multiple people, it uses a server in the middle, with encryption to that server. Any recordings are deleted after the call ends. One of the benefits of it being open source is that you could run your own server, so that you don’t have to go through a server you don’t own. (Of course, running your own server has all kinds of other security risks.)

It’s a shame we have to talk about this. Trying to teach school over video chat is hard enough without some idiot nazi dicks interrupting the class.