bborud · 5 years ago
Over the past decade I've had to deal with a lot of executives and security people who don't actually understand security all that well. Or at all. (Not that I'm a security expert, but that hardly makes it better when even I can see that something is nonsense).

Right now I know of at least half a dozen products that are marketed as having E2E encryption but do not actually implement this (no, I'm not going to out them. See second to last paragraph as to when to be wary). In part because executives, marketers and salespeople don't know what it means. And in part because when explained what it means they will insist on their own definition/interpretation and demand the product is marketed as E2E.

It is also important to note that quite often you are not dealing only with the company that makes a product, but the regulatory bodies that can pressure companies into complying with their wishes.

As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security. It makes very little sense.

dspillett · 5 years ago
> It is also important to note that quite often you are not dealing only with the company that makes a product, but the regulatory bodies that can pressure companies into complying with their wishes.

While considering the regulatory requirements helps explain the desire to lie, it does not make the lie any more defensible. Even if a regulatory body is making impractical demands, I very much doubt they are demanding companies lie to their users and potential users. Even if they were, "just following orders guv" is not an acceptable excuse.

The key facts: Zoom lied. They didn't have to. They could have accurately reported what encryption they use and what they were working towards if that was due to change.

Even if we accept that the initial claims were wrong due to executives misunderstanding what their own security/dev people had stated, that doesn't defend continuing to make the claim without seeking further clarity after questions were raised.

dheera · 5 years ago
Unless there was a gag order. We should make gag orders unconstitutional.
QueensGambit · 5 years ago
"In part because executives, marketers and salespeople don't know what it means."

Being a technical founder, I found some non-technical founders use this as an advantage. They can lie to customers without guilt or to investors with brimming confidence about their "MVP". They can use "making it simple" or "ignorance" as an excuse, if at all they get caught. These kinds of lies are grey lines and exist everywhere.

Frost1x · 5 years ago
I've worked with these types of people and what I've noticed is, even after you explain to them simply that what they're saying is false, they insist on pushing those statements or as close to those labels as they can. They may even be angry after you inform them because they lose plausible deniability.

I've also been in situations where an ultimatum like E2E encryption is dictated by a marketing team and then expected to be created without adequate budgeting or time, essentially creating pressures on development teams, project/product managers, etc to lie.

The conclusion I've come to in business is that ultimately, your product or service is going to be falsely advertised and oversold one way or another. It's a lot easier for some to lie, act deceitful, and/or feign ignorance than it is to actually deliver. Your competitors are doing it, if you don't, you lose.

The way I deal with this nonsense is that I make it a point, at least once in a meeting or in a fairly traceable record like an email, that others know what is and isn't true, and then it's up to them to decide who they want to lie to. I've been on the other side being pressured to lie and it's not fun, so I'll happily pass that responsibility. I didn't pursue a career in computing to be a constant liar; I'll let the people who want to lie, lie.

icedchai · 5 years ago
Some non-technical founders will just make stuff up. If they think it's a "small change", it may as well be done, so they speak about it as if it is. You correct them and you are ignored, or they tell you it's just for a high level discussion, so it doesn't matter. Sometimes they're right, sometimes they're not. It is a very fine line between stretching the truth, exaggeration, and outright lies. As "technical" people we try to be precise in our language and want statements to reflect reality.
rutthenut · 5 years ago
Have also encountered founders that know the difference, but lie about things by using 'weasel words' that are chosen to suit their audience, who may not be so knowledgeable :(
paulryanrogers · 5 years ago
Willful ignorance as a mask for fraud seems like a weak defense when one is targeting regulated industries.
ababol · 5 years ago
I totally agree with you.

I am sure they already lied in the past too https://news.ycombinator.com/item?id=22711169 preaching ignorance as an excuse.

NDizzle · 5 years ago
Oh man I had a great one last week.

We're migrating stuff to a cloud provider, and they wanted to expose an internal only API to the internet so that the things could reach it. I was strongly against that, as it has no security involved at all. Fast and loose and all of that.

Two, count them, two people wanted to "just change it to use port 443, that way it's encrypted". I had to explain that you could pick any valid TCP port to pass TCP traffic, but simply changing a nonstandard port to "443" doesn't automatically make it start being encrypted. I had to explain that several times in order for it to sink in.
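
The check behind this comment, as an added example that is not part of the thread: a probe that tells you whether a port actually speaks TLS by attempting a real handshake, independent of the port number. A listener that answers in plaintext makes OpenSSL fail with an SSL-level error (typically "wrong version number") before any certificate is examined. The plaintext listener below is constructed for the demonstration; it could just as well be bound to 443 and would still fail the probe.

```python
"""Probe whether host:port speaks TLS at all. Added example, not thread code."""
import socket
import ssl
import threading


def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'tls', 'plaintext', 'closed' or 'no-response' for host:port.

    Only the presence of TLS is tested, so certificate validation is switched
    off here on purpose. Never reuse this context for real traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "no-response"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"  # handshake completed; the peer really speaks TLS
    except ssl.SSLError:
        # The peer answered with bytes that are not a TLS record
        # (an HTTP banner, an SMTP greeting, ...): unencrypted service.
        return "plaintext"
    except OSError:
        # Timeout or reset during the handshake: cannot tell.
        return "no-response"
    finally:
        raw.close()


def start_plaintext_listener(banner: bytes = b"HTTP/1.0 400 Bad Request\r\n\r\n") -> int:
    """Constructed demo service: reads whatever the client sends, answers with a
    plaintext banner and hangs up. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)   # consume the ClientHello so the close is a clean FIN
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a port nothing is listening on (for the 'closed' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_plaintext_listener()
    print(f"127.0.0.1:{port} -> {probe_tls('127.0.0.1', port)}")   # plaintext
    print(f"127.0.0.1:{unused_port()} -> {probe_tls('127.0.0.1', unused_port())}")
```

Run it against the migrated API before and after the cutover; if the answer is "plaintext", the port number is irrelevant and the traffic is readable on the wire.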

vngzs · 5 years ago
If it's AWS, the quickest path to doing this securely is AWS API Gateway mTLS authN[0]. You generate some certs, stuff the public halves in S3, slap an ACM cert on the Gateway, and you're done.

I have also used certificate authentication on TLS-terminating reverse proxies (e.g., this is easy to do with HAProxy) to do the same in other environments. You can pin the API's certificate on the client end in order to further reduce MITM risks.

If you don't want to supply a client certificate in your client application, Stunnel[1] is an acceptable wrapper that lets your clients remain TLS-unaware. You could use it for both ends of the tunnel, if you felt like it.

Either way, you end up with a secure tunnel through the internet to the proxy, at which point you're back inside private networks.

(Source: I build this kind of thing for a living.)

[0]: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-...

[1]: https://www.stunnel.org/auth.html

desilentio · 5 years ago
> As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security. It makes very little sense.

I certainly don't trust them, but I do use Zoom (from a dedicated unprivileged user, so it can't do any harm beyond recording my conversations), because my colleagues use Zoom, and because there doesn't seem to be any working alternative. I got them to try Jitsi once, which simply didn't work.

PS. There may be working /secret-source/ alternatives, but I don't know why one should think Zoom /more/ untrustworthy than them.

aaisola · 5 years ago
Google's Meet has improved considerably and most importantly it comes free with G-Suite. They are also pushing it quite hard as every calendar invite has a Google Meet link automatically included.

The reason that people went with Zoom is "because it worked." As other products improve it's hard to see what Zoom's moat is and why we should continue to pay for it.

wil421 · 5 years ago
As another poster said, the very large company I work at bans Zoom. We can use Teams, Webex, Skype, etc.

How can you say there is no alternative?

robotnikman · 5 years ago
Cisco Webex is used in my workplace. We forbid anyone from installing Zoom over security concerns
jdright · 5 years ago
What does not work with Jitsi? I've been using it a lot recently and it is by far the easiest one to use. One link and done. I have lots of video and audio issues with Zoom. Now, if you're a company, BlueJeans may be the best one.
jlarocco · 5 years ago
> from a dedicated unprivileged user, so it can't do any harm beyond recording my conversations

Unless I'm misunderstanding what you mean by that, I don't really see the point in it, TBH.

Have there been cases of Zoom infecting machines with malware or transmitting viruses? The whole concern, as far as I know, is terrible security on their end, allowing people into calls without permission, not having E2E encryption, etc, and running as an unprivileged user won't help with that at all.

bborud · 5 years ago
Yes, retention by strong network effect is scary. But I'm being Captain Obvious here :-)
pkulak · 5 years ago
I have an entire Windows VM set up just for Zoom meetings.
InafuSabi · 5 years ago
A working alternative is google _meet_
qazxcvbnmlp · 5 years ago
My boss is one of those people. He insists to our customers (and engineers) our product has encryption. It does not.
dspillett · 5 years ago
I strongly recommend attempting to fix that and/or (while I am aware that it may be difficult in the current climate) searching for a new boss.

In the meantime be very careful to monitor anything your name is associated with, just in case any of your customers get wind of the situation and sue-balls are thrown.

vorpalhex · 5 years ago
I would have a conversation with your company's legal department.
atn89 · 5 years ago
had a boss that marketed our product as having AI solutions while it had nothing to do with AI, lol.
snarf21 · 5 years ago
You answered your own question in your last statement. People don't care about security. They care about it being easy to use and Zoom works better and for more (non-technical) users than any other tool of its kind.
dnautics · 5 years ago
For a long time zoom was the best choice for technical users too, as webex, Skype, and everything except for google hangouts had terrible Linux support.
nsgi · 5 years ago
> As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security. It makes very little sense.

Phone calls and text messages aren't particularly secure either, doesn't stop people using them

whomst · 5 years ago
At least phone calls are protected by law in some capacities (HIPAA allows for faxing but not email, warrants are supposed to be required for tapping phone lines but not email, etc)
wsinks · 5 years ago
Hi there! I'm in the video meeting space, and always looking to find that blend between usable and secure.

I'm curious - is there a video service out there you would recommend if you're conscious about security? Your third paragraph makes me think your opinion will be that no large company can be trusted, because they become a target for nation-state regulatory bodies.

bborud · 5 years ago
Yes, although there are degrees and differences in culture.

For instance in the telco world you have a much more direct dependence on regulators because you need a stack of expensive and hard to acquire licenses to operate a network in most parts of the world. Some worse than others. In that environment there is a very high degree of compliance with regulators because they have to be given explicit permission to operate.

For pure internet services or P2P applications it is quite a bit different. You don't actually need anyone's permission to distribute software. And you can move your servers around the world. You don't depend on permission - just that nobody comes after you with warrants you cannot ignore.

So the advice is really to look at who you are dealing with and how dependent they are on regulators to operate.

Large internet companies tend to have entire divisions whose job it is to tell regulators to get lost or at the very least maintain a really high bar for interference. Of course, this becomes difficult when the government is also a large customer. So for instance you might want to be careful with vendors who make a lot of money in / off of the defense and intelligence sectors.

atsmyles · 5 years ago
Use Jitsi (https://jitsi.org). You can find people to host or host your own. Open source. No downloads for participants. Try their instance meet.jit.si
dheera · 5 years ago
> As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security. It makes very little sense.

Actually it makes a lot of sense. Your boss sends you a Zoom link and asks you to install Zoom. Or you're having a meeting with the CEO of some company and they send you a Zoom link, saying it's the only thing their company uses. Or you are a high school student learning online and your teacher only delivers lectures on Zoom. Most people listen to their bosses and superiors instead of protesting their viewpoints about security.

Only privileged people can protest. Others just lose their jobs, or don't get their high school diploma.

No, it's not right, but it is the reality.

TwoBit · 5 years ago
Disagree. Engineers of that system surely knew it wasn't E2E and voiced it, but marketing purposely lied. I will bet my farm on that.
bborud · 5 years ago
For Zoom I suspect you are right. I think the engineers know what it means. But I have met a disturbing number of engineers (in security oriented jobs) who do not understand what the term means.
soulofmischief · 5 years ago
Regulation should prevent this from occurring. If you use a product that claims it is E2E and it is not, you should be able to sue wildly for potential damages given the sensitive nature of the software.
WalterBright · 5 years ago
> Regulation should prevent this from occurring.

It already exists. It's called "fraud".

bborud · 5 years ago
Well, there might be conflicting interests within government. From a consumer advocate perspective government might want to demand this. From an intelligence services perspective you might want companies to lie.
1vuio0pswjnm7 · 5 years ago
"As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security."

Perhaps the term "security" suffers from the same problem as "E2E encryption".

ProAm · 5 years ago
> As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security.

The same reason I use Slack, because I have to.

iamacyborg · 5 years ago
> In part because executives, marketers and salespeople don't know what it means. And in part because when explained what it means they will insist on their own definition/interpretation and demand the product is marketed as E2E.

This sounds like precisely how Grammarly claim they're not a keylogger by trying to change the very definition of what a keylogger is.

wesleywt · 5 years ago
It doesn't make sense to a computer savvy hacker news poster perspective. But to everyone else, the reason they use it because they don't really care or thought about it. It will continue to be the most popular meeting app despite the wailing and gnashing from Hacker News.
sdoering · 5 years ago
I see my significant other using it on a nearly daily basis. She started a university course in her 30s and due to Corona is in her second semester from home.

The university has a MS365 license free for all students, but for video lectures nobody uses it. Why? Because it is really, really cumbersome to use compared to zoom. Teachers and students alike love the functionality, the quality of video/sound and esp. the ease of use.

Compared to all other solutions available to students and teachers - in terms of what they all want to use Zoom just blows the competition out of the water.

And who is to blame them? These are regular folks. They wouldn't even care if the lectures were transmitted in the clear, without any encryption. Most regular students fresh out of school I talked to don't even know the difference between https/http, why it is important to have encryption or what end-to-end means.

It has no meaning to nearly all of them.

mschuster91 · 5 years ago
> And in part because when explained what it means they will insist on their own definition/interpretation and demand the product is marketed as E2E.

That is the moment when one calls up the corporate lawyer and asks about "false advertising"...

antonzabirko · 5 years ago
Tell us!
kryogen1c · 5 years ago
> I don't understand why people trust them or still use their product if they are at all concerned about security.

I've been a Zoom apologist from the beginning, and this is the money shot for me. What exactly do you mean by "security"? You're concerned Zoom servers are recording your video - on purpose or because they're compromised? That's too much data to dragnet (even for the NSA), so you think the servers are recording and they're targeting your meeting specifically? The threat model here is very small and very specific.

Who are the ultrasecret sensitive information folks buying the newest, shiniest, unvetted tool for use where infosec matters? I bought Zoom because the UI has simple, big, colorful buttons for my unskilled users where g2m et al. are just a little too complicated.

If I needed an SLA specifying encryption models because of "security", I'd have a contract I could sue over. Yes, Zoom was wrong. They did a wrong thing, but the outcry against them has just been disproportionate.

areoform · 5 years ago
My therapist uses Zoom for her clients, as she was assured that the E2E would help her meet HIPAA requirements and protect her patients.

If someone can get a transcript of what was said, let alone record, in these therapy sessions, they'd have a goldmine to blackmail from.

Please note, this has legal significance for her and other doctors, who'd started seeing patients over Zoom. So it's not just an abstract, "lulz security"

There are people out there with different threat models from you. Please refrain from talking about use cases you may not understand.

vorpalhex · 5 years ago
Therapists, lawyers, courts including closed door courts, confidential internal meetings for publicly traded companies, doctors' appointments, exchanging passwords/etc. Even my mom just telling me about a medical situation she's having.

All of those have legal requirements for privacy, and many of them used Zoom because it was supposed to meet those requirements. Zoom lied and failed to meet those requirements. There are other ways to meet those requirements (instead of E2E encryption you can have other kinds of controls) but since Zoom claimed to have E2E, they didn't bother with those other ways of meeting the requirements.

This wasn't an accident or a discrepancy. Zoom didn't accidentally have some kind of fancy attack that could be pulled off. They literally, knowingly and plainly misrepresented their product, to get sales they shouldn't have. There are words for that like "fraud".

People at Zoom should be getting jail sentences.

kevincox · 5 years ago
> Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base

What a slap on the wrist. "You blatantly lied to your customers for years. How about you just continue to implement the thing that you were working on anyways."

I don't think punishment is always the best solution but it seems that you should at least set some sort of example.

gmd63 · 5 years ago
Punishment is the best solution. Incentives are what drive behavior, and learning that you can get away with lying will just lead to more getting away with lying.
acbart · 5 years ago
When it comes to training humans and animals, positive punishment is far less effective than most other training techniques like positive reinforcement. Don't Shoot the Dog[1]!

[1] https://www.amazon.com/Dont-Shoot-Dog-Teaching-Training/dp/0...

saghm · 5 years ago
> a prohibition on privacy and security misrepresentations

Why did they have to "agree" to that? Shouldn't that already not be allowed? Also, this sounds a bit like they're allowed to misrepresent other things...

raxxorrax · 5 years ago
Certainly with government access to messages. The minds in charge would never let such an opportunity slip. They are set in the cold war of terror and that won't change for the current generation. So it is still not a good idea to use Zoom.
shyn3 · 5 years ago
Is that a reference to the Chinese government because it appears in Canada we are using Zoom as well.

https://www.theglobeandmail.com/opinion/article-participatin...

joering2 · 5 years ago
> What a slap on the wrist.

Exactly. Any small startup owner would see jail time. A similar case in recent history is the Trump non-profit (please no flamewars). There are tens of thousands of business owners rotting in jail today because they embezzled half a million bucks or more - here with the Trump charity you have a case of at least $2 million stolen plus self-dealing and basically living your whole life/paying personal bills out of the charity, and what does the judge do? - "Here Mr. Trump is a $99 training seminar on 'How not to steal' from your own charity. Go get you and your children to watch this online class and report back when you're done".

Unbelievable.

macspoofing · 5 years ago
>What a slap on the wrist. "You blatantly lied to your customers for years. How about you just continue to implement the thing that you were working on anyways."

Honestly - that's in line with the severity of the crime.

>I don't think punishment is always the best solution but it seems that you should at least set some sort of example.

I'm not a fan of regulatory bodies making examples of companies for minor infractions. And this is a very minor infraction.

pasabagi · 5 years ago
Is it minor?

From my perspective, making security guarantees about a product is the same whether that product is software or hardware. If somebody guaranteed that their ferris wheel had x safety feature, then it turned out to be untrue, nobody would call that a minor infraction.

meowface · 5 years ago
All they had to do was say "encrypted" instead of explicitly saying "end-to-end encrypted" when it very clearly wasn't end-to-end.

The former still could've been a bit weaselly and misleading (many non-technical users would probably have assumed "encrypted" implied total confidentiality), but what they actually did was so much worse. I hope they get hit hard on that.

istjohn · 5 years ago
Per the article, they are not getting "hit hard." No fines and no compensation for their customers.
sizt · 5 years ago
Zoom lied. People spied.
macspoofing · 5 years ago
>People spied.

Did they? Which people? When? How?

upofadown · 5 years ago
I think the assumed implication with E2EE is that no one other than the participants can get at the content of your communications. To do that you need:

1. All cryptographic keys controlled by the users.

2. Some way to confirm you are actually connected to who you think you are connected to.

3. A way to confirm that the code you are running is not leaking keys/content.

So Zoom failed on all 3 points. There are lots of things out there claiming E2EE that fail on one or more of these points. Almost all fail on point 2 unless the user does things that they almost never do. Is the FTC going to come up with a E2EE definition for trade and start prosecuting those that don't meet that definition? Otherwise it would seem unfair that they only went after the entity that ended up in the general media.

pbronez · 5 years ago
> almost all fail on point 2 unless the user does things that they almost never do

Are you referring to the "scan this QR code to verify your partner's key" function in secure messaging apps? I definitely use that. I try to keep all my primary contact's keys verified. It's harder during COVID when you're not meeting up in person as often, because anything besides meeting in person and verifying the two devices directly exposes you to another unverified channel.

It's very hard to bootstrap this stuff. Sure, "web of trust" but that's hard too. Speaking of which, didn't Keybase get bought by zoom to help with exactly these issues?

upofadown · 5 years ago
>Are you referring to the "scan this QR code to verify your partner's key" function in secure messaging apps?

Yes. Or read the weird numbers/letters over the phone. Or look at the strange image and compare it somehow.

For all I know there is something out there that wants you to compare a tune...
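
The point behind upofadown's item 2 and the "read the numbers over the phone" step, as an added example that is not code from the thread or from any product named in it: two clients run a Diffie-Hellman exchange through a relay. An honest relay forwards public keys untouched and learns nothing. A dishonest one (the "End2Zoom2End" case) substitutes its own key in both directions and ends up holding both session keys, while each client still sees a working, "encrypted" call. Each client derives a safety number from the two public keys it believes are in use; comparing those numbers out of band (QR scan, reading digits aloud) is what exposes the substitution, and nothing done in-band can. The DH group, the relay and the safety-number format are illustrative choices, not any real product's.

```python
"""Key substitution by a relay, and the out-of-band check that catches it.
Added example, not from the thread."""
import hashlib
import secrets

# Toy DH parameters for readability only; use a vetted group or X25519 in practice.
P = 2**255 - 19
G = 2


def _h(n: int) -> bytes:
    return hashlib.sha256(n.to_bytes(32, "big")).digest()


class Client:
    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.peer_pub: int | None = None   # whatever the relay handed us

    def session_key(self) -> bytes:
        """Key this client will encrypt the call with (hash of the DH secret)."""
        return _h(pow(self.peer_pub, self.priv, P))

    def safety_number(self) -> str:
        """Short code over both public keys as *this* client sees them.
        Order-independent so both ends compute the same string when honest."""
        material = b"".join(sorted(k.to_bytes(32, "big") for k in (self.pub, self.peer_pub)))
        d = hashlib.sha256(material).digest()
        return " ".join(f"{int.from_bytes(d[i:i + 2], 'big') % 100000:05d}" for i in range(0, 12, 2))


class Relay:
    """Hypothetical meeting server. When malicious, it substitutes its own key."""

    def __init__(self, malicious: bool) -> None:
        self.malicious = malicious
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.keys: dict[str, bytes] = {}   # session keys the relay can decrypt with

    def connect(self, a: Client, b: Client) -> None:
        if not self.malicious:
            a.peer_pub, b.peer_pub = b.pub, a.pub
            return
        # Give each side the relay's key instead of the other participant's,
        # and complete a separate DH with each of them.
        a.peer_pub = self.pub
        b.peer_pub = self.pub
        self.keys[a.name] = _h(pow(a.pub, self.priv, P))
        self.keys[b.name] = _h(pow(b.pub, self.priv, P))


def run_call(malicious: bool) -> dict[str, bool]:
    alice, bob = Client("alice"), Client("bob")
    relay = Relay(malicious)
    relay.connect(alice, bob)
    ka, kb = alice.session_key(), bob.session_key()
    return {
        "safety_numbers_match": alice.safety_number() == bob.safety_number(),
        "clients_share_key": ka == kb,
        "relay_can_read": relay.keys.get("alice") == ka or relay.keys.get("bob") == kb,
    }


if __name__ == "__main__":
    print("honest relay   :", run_call(False))
    print("malicious relay:", run_call(True))
```

In the malicious run the call still "works" from each client's point of view (both have a key, media flows), which is why a green padlock in the UI proves nothing; only the mismatch in the safety numbers, checked over a channel the relay does not control, reveals that the keys were never the participants' own.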

eddieoz · 5 years ago
"[S]ince at least 2016, Zoom misled users by touting that it offered 'end-to-end, 256-bit encryption' to secure users' communications, when in fact it provided a lower level of security," the FTC said today in the announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."

That's the concept of E2Z2EE (End2Zoom2End Encryption)

xiphias2 · 5 years ago
Customers or users? There's a huge difference between the two, and this excerpt uses the two words as if they were interchangeable.
oarsinsync · 5 years ago
I think a better distinction is 'paying customers' and 'non-paying customers'. Customers being a subset of users after all makes it a bit ambiguous.

Not that it should matter in the context of the feature being described.

joombaga · 5 years ago
What's the difference? Aren't they the same group of people in this context?
_jal · 5 years ago
A deeper issue is how hard it is to "know" if companies hawking products with security implications (which is nearly everything, today) are lying.

I'm not even talking about the gradient ranging from innocent bugs to incompetent coders and how that gets papered over. When you buy shoddy physical goods, there are typically characteristics you can't hide, like cheap materials. But with software like this of course the only function your average person can verify is that the transmission happens, not how it is encoded. Neither Grandma nor your manager are likely to break out tcpdump to check.

And of course the DMCA complicates this in the US, and things are even worse for researchers elsewhere.

Third party audit and reputation are the only fixes I see. And the second one requires a commercial environment that rewards it. The current one doesn't; it rewards novelty and lies, so that's what we get.

phone8675309 · 5 years ago
Any software you don't have the source for, haven't built yourself, and don't host yourself is immediately suspect.

Third party audits aren't a silver bullet. Enron and Worldcom had third party audits.

ineedasername · 5 years ago
You're right, but 3rd party audits can help, especially because of the precedent set by Arthur Andersen w/ Enron. It destroyed their business completely when their fraud was discovered, so there would be a strong incentive for auditors to get it right. As you said, not a silver bullet, but it's a step up from nothing.
_jal · 5 years ago
I completely agree, and that's a huge topic unto itself.

Briefly, the issue with auditing, as with most things, is incentives over time. The difference between fraud in finance and software engineering is how long the bezzle[1] lasts. In finance, it can last a very long time in up economies, leaving Big Three auditors plenty of time to scurry off. In software you have to deliver at some point, leaving lying auditors exposed to discovery by security researchers immediately.

There is certainly still room for shenanigans if not set up correctly, but less than in finance.

[1] https://moneyfyi.wordpress.com/2013/11/15/5358/

LinuxBender · 5 years ago
Auditors operate off money, too. I have seen this first hand. If I tell them about an egregious violation and they don't even bother to write it down, I know what type of "auditor" I am dealing with. If they write it down and the issue is not resolved, same thing.
forgotmypw17 · 5 years ago
I agree. I am writing my project a certain way to achieve a goal I call reimplementability.

This means that I try to design in such a way that a reasonably competent dev could sit down and rewrite the whole system in a couple hours/days/weeks.

eru · 5 years ago
> [...] haven't built yourself, [...]

Reproducible builds remove this requirement.

https://en.wikipedia.org/wiki/Reproducible_builds

123randomacc · 5 years ago
How 'hard it is to "know"' is irrelevant, and you agree to this when you accept the 'contract'. This isn't an issue of honesty; in fact, quite the contrary. They are extremely honest. It's just in the fine print.

Legal / Terms of Service / Terms of Use / Usage Policy

I find that a majority don't even hide unreasonable conditions in 'legal' terms anymore. Whilst there may be tens, hundreds, of pages in that ToS you tick before using the product - there's a few solid, clear, one sentence dot points that protect from all issues. The best of these is similar to: "We reserve the right to amend, change, or otherwise modify this agreement with - or without - notice.", or "We reserve the right to withdraw services/solutions with - or without - notice." Some, like the famous early React licenses (by Facebook), had indemnity clauses for simply using the product - even if your then legal engagement was entirely unrelated to your use of React. Impacted by Cambridge Analytica? Sorry. Many years ago you experimented with React. Immunity.

I don't think a third party audit is a fix, even dismissing these previous statements. The volume of 'independent' auditors that are then found corrupt, or otherwise biased/incompetent in result, is pretty regular news. More often than not. Based on some experience with how contracts and engagements go with big corporations, some even factor known 'expected losses' (such as fines, failing to meet SLA, etc) into the actual budget of the contract.

The real fix is users taking responsibility. Don't like the ToS (And, believe me; you won't..). Don't accept it.

(@USERS, not @_jal) But don't complain that the product you did, or did not, pay a cent for - but blindly accepted the ToS - fails to deliver to your expectation. Sure.. It suggested, or possibly even states 'end to end encryption'. But the ToS clarifies context of that.

https://zoom.us/terms

BlueTemplar · 5 years ago
ToS are regularly found to be legally void by courts.
okprod · 5 years ago
Freely licensed software would allow for audits.
ineedasername · 5 years ago
As long as you audit both the software and the implementation.
Quarrelsome · 5 years ago
So will they get fined more than Snapchat for lying about ephemeral messaging or will this be the usual American "slap on the wrist" thing we usually see to protect the investors?
shbooms · 5 years ago
According to the article, they won't be fined at all:

>"Today, the Federal Trade Commission has voted to propose a settlement with Zoom that follows an unfortunate FTC formula," FTC Democratic Commissioner Rohit Chopra said. "The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom's data protection claims. And it does not require Zoom to pay a dime. The Commission must change course."

Under the settlement, "Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false," Democratic Commissioner Rebecca Kelly Slaughter said. "This failure of the proposed settlement does a disservice to Zoom's customers, and substantially limits the deterrence value of the case."

eddieoz · 5 years ago
In a world where US and EU are willing to ban Signal because it doesn't allow a 'master key', Zoom is the BFF of governments and regulators.
danielscrubs · 5 years ago
What?

"The European Commission has told its staff to switch to the encrypted Signal messaging app in a move that's designed to increase the security of its communications."

This was February 2020, has something changed?

matheusmoreira · 5 years ago
Aren't government officials using Signal themselves precisely because it is so secure?
Ardren · 5 years ago
A slap on the wrist would be something [1]

They don't even need to tell their customers that they lied [2]

1: https://www.ftc.gov/system/files/documents/cases/1923167zoom...

2: https://www.ftc.gov/system/files/documents/public_statements...

londons_explore · 5 years ago
If Zoom made clear to users that connections were not secured to the same standards as competitors, and that potentially hundreds of employees could be silently listening in on any call, I think that would have prevented them becoming a leader in video conference tech.

So the right fine here is their entire market cap. That would put them back at square one, which is where an honest competitor would be right now.

velcro · 5 years ago
Not defending them in any way, but I don't think security was the primary reason for Zoom taking off. It was stability: it just worked, and at the same time competitors didn't.

Everybody used to have Skype and I would have gladly handed over my data to MS if only it would have been able to do stable video calls. It was often a disaster for just 2-way calls, let alone group.

londons_explore · 5 years ago
> don't think security was the primary reason for Zoom taking off. It was stability

Stability was the main draw, but company IT departments would have had more power to ban it if there were bigger and clearer risks of corporate secrets escaping.

unityByFreedom · 5 years ago
> It was stability - it just worked

Also due to deception: it auto-reinstalled on Macs until they were caught.

SkyPuncher · 5 years ago
> It was stability - it just worked and at the same time competitors didn't.

This is absolutely huge. We've tried Teams (and I have previously used Webex and Hangouts).

It seems like there is _always_ one person that struggles with other video services. Can't join, video/audio issues, CPU usage, latency, etc. Painful when 10%+ of a meeting is consumed by getting one last, key person trying to fix their issues.

Xelbair · 5 years ago
and it could be more stable because it didn't implement e2e encryption.
levosmetalo · 5 years ago
It's much easier to make a stable communication product if you don't need to worry about security and privacy.

Just look at the troubles and hurdles Signal messenger need to overcome to implement some features, while the competition that is not so security focused has them since forever.

WhyNotHugo · 5 years ago
They took money from many clients to provide a service.

They did not provide the service they advertised: they provided something much inferior (and that's actually unsuitable for many industries).

It's not really about "what would clients have done otherwise". It's a matter of giving money back.

If you pay me to write a program, and it only does half of what I promise, wouldn't you want [part of] your money back?

vaccinator · 5 years ago
Skype was better before the MS acquisition... and it used to be P2P. It'd be nice if the pre-MS source would leak somehow.
pulse7 · 5 years ago
It was stability and speed! It uses very little CPU for everything!
tonetheman · 5 years ago
THIS THIS THIS. End users (generally) do not care about security they just need it to work.

That is what was great about Zoom. The security becomes important after it works.

viraptor · 5 years ago
I wish that was true, but in practice I think it wouldn't matter. Zoom was the only one ready with infrastructure, multiple clients, automatic quality adjustment, screen sharing options, scheduling, and many other needed features.

Otherwise we had Hangouts/Meet with very basic features and jet-taking-off Mac behaviour, Chime, which is really good but nobody heard of it (Amazon is not interested in that market apparently), Skype, which aims for social chat consumers, Slack, which works only within the org, Jitsi, and a thousand me-too apps with a very basic feature set.

Zoom could kick your puppy at the end of each call, and it would likely still be the best choice at the time :-(

newh90 · 5 years ago
Sure, if you don't worry about privacy.
ClumsyPilot · 5 years ago
"chime which is really good but nobody heard of it"

So there was a competitor after all?

eddieoz · 5 years ago
Some reports say the whole video conferencing market, being very optimistic, will reach $50B in 2026 (considering Covid-19 - https://www.gminsights.com/industry-analysis/video-conferenc...)

But Zoom, alone, already has a marketcap of $117.534B (https://finance.yahoo.com/quote/ZM/)

I really think there is an unsustainable distortion happening.

user5994461 · 5 years ago
The market being $50B means there are $50B of sales to do per year.

Market cap is a multiplier of revenues, easily 10 or 20 for a tech company, that means a $1T market cap to be taken across the videoconference companies.

Wondering how numbers can be so high? Count $10 per month * 12 months in a year * 100 million employees in the US... that is $12B per year going to video software!

amelius · 5 years ago
> I really think there is an unsustainable distortion happening.

Yes, soon any website can have their own videoconferencing using web technology like WebRTC. And implementation will be as simple as running "npm install".

> But Zoom, alone, already has a marketcap of $117.534B

Yes. Zoom having a market cap that's more than half of Intel? Come on now ...

clusterfish · 5 years ago
Wild optimism aside, you can sell one or even a thousand ZM shares at approximately the current market price, but you can't sell the entirety of the company at the same price. The pool of buyers is much smaller for such volumes.
newh90 · 5 years ago
I don't really think so. I think we are just moving away from inefficient meetings that are IRL. I would love to see all meetings go remote for many reasons. I think this will stay even once Covid is gone.
johannes1234321 · 5 years ago
Is it really different from competitors like Cisco (WebEx, Jabber, ...)? A big selling point of all those is phone dial-in, which can't be done with E2E encryption (the phone gateway run by the operator has to have the keys).
thesimon · 5 years ago
The thing is: our team doesn't use phone dial-in, we haven't even seen the feature so I guess it's not enabled, but still we don't have E2E encryption.

That doesn't make sense.

Spooky23 · 5 years ago
Their competitors were using the same standard of security.

FaceTime is the big E2E service. Most anything else allows dial in, and is not E2E. Zoom’s sin is bad marketing copy.

jefftk · 5 years ago
> the right fine here is their entire market cap. That would put them back at square one

I don't think Zoom has transgressed anywhere near this badly, but even if I did, it doesn't make sense to fine any company its entire value unless your goal is simply to destroy it. The company is only worth as much as it is because it is expected to continue as a company, and there would be no way for it to continue if it owed that much money to the government. Unless it was nationalized and run by the government, but I doubt you're proposing that? Which means instead the company liquidates, and its liquidation value is far less than its value as a business.

londons_explore · 5 years ago
A good punishment is government nationalizes it, paying shareholders nothing, then immediately sells those shares back onto the public markets. The government would earn close-ish to the market cap.

Effectively, allow the company to continue as before, but wipe out all shareholders. After all, they are the people who allowed this behaviour. They are the ultimate decision makers.

amelius · 5 years ago
Totally agree, and this should hold for any kind of illegal growth hacking.
sriku · 5 years ago
Is this about the audio streams? I imagine that if at any time there are a million video streams happening, and Zoom wanted to sneak into 1% of them, it would pretty much need 10000 vCPUs of compute to do that? The current tech scales affordably because only the encoded packets get transmitted between callers (via "selective forwarding units") without needing server-side re-encoding?

edit: That was for video streams. For audio streams, certainly the CPU cost is lower, about 10%.

cheschire · 5 years ago
The processing doesn't need to happen live. Bitstreams can be captured along with metadata for later searching, a la XKeyscore.
pjc50 · 5 years ago
I don't think people would be calling for this level of punitive fines if Zoom were a Silicon Valley company making misleading claims.
fakedang · 5 years ago
Fun fact, Zoom is a Silicon Valley company making misleading claims. It was started in California originally, not China.
jrochkind1 · 5 years ago
> If Zoom made clear to users that connections were not secured to the same standards as competitors…

Which competitors offered true E2E?

I think mostly they were (misleadingly/lyingly) promising something above what most of their competitors offered, no?

ForHackernews · 5 years ago
I don't think anyone except crypto-nerds cares about this. Normal people just assume everything can be wiretapped and Zuckerberg and friends are always listening.
me_me_me · 5 years ago
Sure, that sounds like a fair solution.

But that's not how capitalism works.

You can be an honest business, or you can steal billions, get caught and pay millions in fines. I think everyone can see the problem here. You pay back less than you stole, so this is an active encouragement to steal.

Most recent example: Morgan Stanley fraud for billions in profit pays a fine of 1.5 mil [0].

Reality is borrowing from Kafka.

[0] https://coinweek.com/bullion-report/morgan-stanley-mitsubish...