> As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security. It makes very little sense.
I certainly don't trust them, but I do use Zoom (from a
dedicated unprivileged user, so it can't do any harm beyond
recording my conversations), because my colleagues use Zoom, and
because there doesn't seem to be any working alternative. I got
them to try Jitsi once, which simply didn't work.
PS. There may be working /secret-source/ alternatives, but I
don't know why one should think Zoom /more/ untrustworthy
than them.
Google's Meet has improved considerably and most importantly it comes free with G-Suite. They are also pushing it quite hard as every calendar invite has a Google Meet link automatically included.
The reason that people went with Zoom is "because it worked." As other products improve it's hard to see what Zoom's moat is and why we should continue to pay for it.
> The reason that people went with Zoom is "because it worked." As other products improve it's hard to see what Zoom's moat is and why we should continue to pay for it.
Ironically, I would say Google Meet defines "it just works" for me way more than does Zoom.
Joining a Google Meet:
1. Enter the URL in your browser.
2. Click join.
Joining a Zoom:
1. Enter the URL in your browser.
2. Accept launching an executable.
3. Watch a window or two pop up and close.
4. Decide if you're using video or not.
5. Watch more windows pop up and close.
6. See the main Zoom window appear.
7. Decide if you're using audio or not.
Perhaps part of my beef with Zoom is how many times its window shuffling steals focus during the several seconds needed to join a meeting. If I'm trying to get work done while waiting for a meeting to start, the focus stealing is very obnoxious.
"You don't need a Google Account to participate in Meet video meetings. However, if you don’t have a Google Account, the meeting organizer or someone from the organization must grant you access to the meeting."
Each of those alternatives is just as likely to offer government wiretap support to any government that asks as Zoom is, unless I’ve missed statements of refusal to do so to the contrary from them.
I think the concern is trade secret theft. Sure the US or EU might demand a wiretap but their goals are different. You don't see the CIA stealing trade secrets and handing them over to Apple or Microsoft. Businesses are primarily worried about their IP.
I know of more than one company where installing zoom on any company owned equipment, or using zoom on your own client devices for company business is a fireable offense.
These are companies that deal with some very sensitive data.
Sorry, I didn't think in terms of degrees of untrustworthiness.
What I miss is an open-source alternative. Doesn't Microsoft
let the NSA tap into Skype calls?
>Doesn't Microsoft let the NSA tap into Skype calls?
Yes, but it seems like Skype was doing that prior to being acquired (though Microsoft seems to have accelerated things). From some quick Googling to refresh on PRISM –
>• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
>• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
>Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.
> According to the NSA documents, work had begun on smoothly integrating Skype into Prism in November 2010, but it was not until 4 February 2011 that the company was served with a directive to comply signed by the attorney general.
I wouldn't assume that any given service is secure just because it hasn't been outed yet. Your guess is as good as mine with regard to which service is more secure or less secure.
What is immensely important is to raise the cost of lying to where it becomes something investors care about. The only real thing a company and its investors are afraid of is losing its customers.
If we teach companies it is okay to lie by staying with them, they will lie more.
There are at least half a dozen of open-source alternatives. Have you tried all of them ?
For instance Big Blue Button : it's not perfect, because it's Canadian, it's hosted on Microsoft's Github, and might have some outstanding security issues [1], but I would probably still trust it more than Zoom or anything GAFAM.
What does not work with jitsi? I've been using a lot recently and it is by far the easiest one to use. One link and done. I have lots of video and audio issues with zoom. Now, if you're a company, bluejeans may be the best one.
If you're going to have 10+ People in the meeting, there will be issues. Video/Audio getting bad, People loose have signal, etc. There is also a very noticable load on even more powerful PCs once you have some more people in the call.
So jitsi might work for one-on-ones but slightly bigger conference calls are a no-go.
I tried this and can confirm! I always had about 6-8 persons and never got this issue before. Well, this actually explains a lot of comments I see about Jitsi.
There was a period a few months ago where jitsi was consistently crashing chromebooks. Obviously, if a webpage can crash the OS, it's an OS problem, but it still made jitsi unusable for those with chromebooks.
The native app doesn't work with the free 8x8 rooms, as far as I could tell.
I'm not sure I consider not crashing the OS when the conference starts 'good performance' so much as 'working'. Running it in Firefox at the time was bad performance (sluggish), haven't tested since.
I think both video and audio were skippy to the point of uselessness. I've also used Jitsi with moderate success with a couple of interlocutors, where video disappeared now and then.
I'm not a company, I'm at a university, and the u. has decided to use Zoom, perhaps because it doesn't care about security, or because it thinks being concerned about Zoom is being paranoid.
> from a dedicated unprivileged user, so it can't do any harm beyond recording my conversations
Unless I'm misunderstanding what you mean by that, I don't really see the point in it, TBH.
Have there been cases of Zoom infecting machines with malware or transmitting viruses? The whole concern, as far as I know, is terrible security on their end, allowing people into calls without permission, not having E2E encryption, etc, and running as an unprivileged user won't help with that at all.
You don't see the point of being suspicious of secret-source? and especially of an entity that is known to be dishonest? unless it is known to have been dishonest in the precise manner in question?
I can vouch for it, it is very very effective, I discussed with a friend whom believed that a cabal of jews control the world and other one whom believed that the earth is flat
It should be noted that it is not easy to do, you need to have foundational knowledge of these topics and quick historical references to people/historical characters whom also made the "mistake" of believing what your interlocutor did, that way you can both set a reference for your interlocutor so he/she doesn't feel alone and as an outcast, and thread a narrative needle through history itself showing how people used to think that but now don't because of x, y, z evidence, think it like James Burkes idea of linking different topics through history, if anybody is interested I'd very much recommend listening to the Dan Carlin James Burke podcast episode and then checking James Burke books on it
But as OP said, I very, very much have enjoyed the conversations with "them" as I see them basically as adversarial journalists of sorts, asking some very tricky epistemological questions to which the foundations of modern science, history and modernity itself are built
And lastly a key, "There are no Good Great Men", everyone whom got to power in history is basically by definition Not A Good Person, and that is because just to get power at all one must play dirty most often than not. There are are just a very few select people whom we might look as being "Good"
We know our educational systems fail people, conspiracy thinking is what happens when critically thinking people lack the foundation to see the world around them and therefore start questioning the foundations of it, because again they are critical in thinking, after that first layer then you have socialization, ego, collective identities and other things that reinforce their loss aversion to changing their world view, but the core is critical thinking
Imagine this as if you were talking to a classical Babylonian, or to Plato itself and through foundational analogies such as the Anarchic Pirates of Plato you explain the world and logic
I've tried a few times and comprehensively failed. Now if topics like this come up in social settings (not that those happen anymore) I simply state my disagreement with their views and change the subject to something less confrontational.
Since everybody is now using Zoom and not Skype, I would expect the NSA to try to get the same access to Zoom conversations as they have to Skype conversations. And I don't have the impression that Zoom would say no to billions of dollars to protect its users' privacy.
Isn't the whole point of end-to-end encryption -- not to have to
trust any third party -- undermined by secret source? If
one does not trust Zoom not to snoop on content passing
unencrypted through their servers, why should one trust them to
provide true end-to-end encryption? And, if one does trust them
to provide true end-to-end encryption, why might one not as well
trust them not to snoop on unencrypted content?
The point of end-to-end encryption is to prevent a government from being able to access your communications afterwards. Zoom or any other private company is much more able to implement a standard technical solution like end-to-end encryption than to resist legal subpoenas for information they have but would prefer to not have.
Zoom offers a service to record meetings in the cloud, as almost all providers do. So they can intercept, and can probably be compelled to do so by court order.
I'll be the first to admit that I am very far from a crypto expert, but - does this implication necessary follow? Couldn't they just be recording and persisting the (encrypted) stream, and then making it available to "someone who has the key"?
That might work for a 2 party call. But I was on a call this afternoon with 70 participants — which of the 70 recordings do you want to keep?
It’s a hard problem, which gets much easier and delivers a better UX if you can trust the service provider. Also consider why you trust 70 meeting participants more than Zoom/Microsoft/Google/Verizon?
It's not that hard. Instead of generating 70 end-to-end encrypted recordings of your meeting, you just generate 70 end-to-end encrypted packets with a shared symmetric key inside that allow you to decrypt the meeting encrypted with that shared key. You only need one version of the recording because there is only one symmetric key, but you transmit that to each client using their public/private keypair.
> consider why you trust 70 meeting participants more than Zoom/Microsoft/Google/Verizon?
For the very simple reason that "the people that I choose to communicate with are people that I have chosen to communicate with", whereas the communication medium chosen is "the least-bad available". I am able to take whatever other measures I wish via other channels to verify and built-trust-in the participants, but I cannot do so with the communication medium owner.
The Zoom backend serves as a router for (possibly hundreds) individual encrypted streams of audio and video during a meeting. In order to support a cloud-save feature, they must first decrypt those streams in order to re-encode them into a unified multimedia file. Even if they were to store encrypted versions of all of these individual audio/video streams, how would they ultimately present that back to the user on request? There is no practical or easy way to do this.
> Even if they were to store encrypted versions of all of these individual audio/video streams, how would they ultimately present that back to the user on request? There is no practical or easy way to do this.
You would play it similar to how you attend a Zoom meeting. They could probably reuse most of the client code for this feature. But yes, I agree this is likely not the user experience that most users want.
Well, yes, definitely. It isn’t a peer-to-peer architecture, so at some point Zoom is storing files that correspond to your video calls. At some point I’m sure they’re deleted but someone with a subpoena can access them before they are. End-to-end encryption means there is never any window when a government could mandate access.
Not a crypto expert, but isnt possible to remain e2e and yet giving you have a central middle-man, that this middle-man have access to all the unencrypted data?
The middle-man shares a temporary key where his end-point can decrypt the message at any time, generating a new key to deliver the message to its original destiny.
I mean, i've always understood e2e encryption with centralized points of distributions as whatsapp, having the understanding that they, and they only, could still claim e2e while at the same time being able to decrypt the messages themselves.
So i never trust the claim of full secrecy unless i know its e2e over a real p2p channel without a middle-man working as a broker between the parties (where the broken can generate and distribute the keys)
Its looks like snake oil to me. Of course far from the eyes of north korea, who is barely a treat to anyone, but with all we know about things like PRISM, probably being available to all the north-american agencies.
> Not a crypto expert, but isnt possible to remain e2e and yet giving you have a central middle-man, that this middle-man have access to all the unencrypted data?
No; this is specifically what end-to-end encryption is designed to prevent. In E2E, the data is encrypted at one end and it is not decrypted until it reaches the other end, because no one in the middle has the decryption key.
The middle-man in this case is a trusted one, the owner of the centralized infrastructure, not like in MITM.
Isnt possible that one peer encrypt, pass it to the central server who have the other key, the central server than encrypts again and share it with the real end making it believe the key he is using actually is the same one generated in the first part of the process?
Its like the OR from tor but with 3 parties instead.
How the receiving party can be sure the key was not switched by the all-mighty middle man who can control everything?
> How the receiving party can be sure the key was not switched by the all-mighty middle man who can control everything?
From the article:
> Participants will also see the meeting leader’s security code that they can use to verify the secure connection. The host can read this code out loud, and all participants can check that their clients display the same code.
Obviously the vast majority of people won't do this, so the vast majority of people won't be fully protected against active MITMs. But the potential of meeting participants doing this will discourage attackers in many cases.
Yeah in E2EE key distribution is always the tricky part.
For "good" UX, usually it is based on trust that the peer keys are exchanged with help of the centralised service as middle man but that it does not alter the keys.
For good security, each party should ideally check public key fingerprints with each other party via another mean of communication to ensure that there was no man in the middle. But that's poor UX and might be unpractical for large meetings of participants that do not know each other.
I agree. But I suppose it does have a slight benefit that if you trust the individuals at Zoom who implemented the encryption, now you no longer need to also trust the individuals at Zoom who have access to network traffic and/or server-side code but not client application code.
This slight benefit is fairly silly, because we have no reason to give greater credibility (regarding ethics) to one set over another. At least it's a smaller set, though.
> This slight benefit is fairly silly, because we have no reason to give greater credibility (regarding ethics) to one set over another. At least it's a smaller set, though.
Well, before we had to trust simply that people with networking access were non-malicious. Now, we can simply trust that at least one of [crypto, network] people are non-malicious. That seems like an improvement to me.
For me, hiring the Keybase team did not increase my trust in Zoom; it sadly lowered my opinion of the Keybase team (which had already taken a hit due to their integration of cryptocurrency into the Keybase platform).
Because "raise the question" doesn't have the same connotation as the commonly-understood meaning of "beg the question".
Begging the question means (to most people, I think) that there is an obvious question in response to the statement. The statement itself is "begging" for this question to be asked.
Raising the question means that one's response to the statement is to ask a question. It may not be obvious, and it's not an attribute of the statement itself that implies this response.
That's a valid point. But isn't it a bit archaic to have the thing begged for as a direct object? Wouldn't it be more normal to say `beg for the question'?
Yeah I can see that. But it feels weird to say it.
The English expressions I do wish people would get right are "moorish" meaning spicy (after the Moors), not "I want more of this", and "enormity" meaning horrible, not huge. But English is always changing, and using these phrases in their correct meaning now confuses people.
I certainly don't trust them, but I do use Zoom (from a dedicated unprivileged user, so it can't do any harm beyond recording my conversations), because my colleagues use Zoom, and because there doesn't seem to be any working alternative. I got them to try Jitsi once, which simply didn't work.
PS. There may be working /secret-source/ alternatives, but I don't know why one should think Zoom /more/ untrustworthy than them.