Zoom Steps Up

If you host Zoom meetings you probably received an email from Zoom today. They’ve made some changes to the default settings for meetings that will appear Sunday, April 5. Good changes. Bravo! Let’s hope they continue to step up.

With the announced changes, Zoom defaults to meetings with waiting rooms and passwords. These defaults will make zoom-bombing harder. I hope the Zoom devs are also fixing some of the other troubles that are not so obvious to users. This is the way I expect responsible software developers to work.

The Zoom interface is well-designed. I’ve been comparing online meeting platforms this week and Zoom is still tops with me, both in ease of use and performance. Without instrumentation, getting a meaningful read on performance is difficult because it depends on network conditions at least as much as the meeting platform. However, in my limited experience, Zoom yields a smoother meeting with fewer jerks and breakups than other platforms I’ve tried since social distancing began. Online synchronized swimming instructors take note.

Go Zoom!

Zoom Redux—More Issues

This morning, I heard about another point of caution with Zoom. I’ve added two bullets to yesterday’s post on using Zoom. I will discuss them here. Also, if you are contemplating using Zoom in your business, you may want to read my note to businesses below.

Unsafe links

Unsafe links can appear in the Zoom chat windows that folks use for sidebar text conversations during meetings. Participants can place live links in their chat. If hackers insert a link that refers to the local network, clicking the link can reveal credentials for logging onto computers on your local network.

By using a web browser rather than the app, you can avoid this issue. However, Zoom can be persistent in trying to get you to use their app. If you don’t know your way around computing, you might be using the app and not realize it.

Zoom is said to be working on a fix, but until the fix is in place, don’t click on links in Zoom chats. Not all links in chat are dangerous, and not all local networks are vulnerable. For example, clicking on an HTTPS link to a well-known public site is likely to be safe. Also, if your local network has port 445 (the SMB port) locked down, you aren’t vulnerable. If this is gobbledygook to you, just don’t click on links in Zoom chats unless you are certain that the participant who posted the link is who they say they are, and you trust them. In fact, you should always be cautious about clicking on any link anywhere. If you don’t have a good reason and are not sure where the link will take you, any link can lead to danger.
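For readers who want to see the distinction above in code, here is an added Python example (not from the original post and not Zoom's code) that sorts chat links into file-share links, links into the local network, and HTTPS links to public hosts. The link forms it treats as file-share links (`\\host\share`, `file://`, `smb://`), the function names, and the sample links are assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed forms of a link that makes the client open a file share (SMB, port 445).
UNC_PATH = re.compile(r"^\\\\[^\\/\s]+[\\/]")   # \\host\share\...
SHARE_SCHEMES = {"file", "smb"}


def is_local_host(host: str) -> bool:
    """True for private, loopback or link-local IPs and for intranet-style names."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        # Not an IP literal: single-label names and .local/.lan names are local.
        return "." not in host or host.lower().endswith((".local", ".lan"))


def classify_chat_link(link: str) -> str:
    """Return 'file-share', 'local-network', 'https-public' or 'caution'."""
    link = link.strip()
    if UNC_PATH.match(link):
        return "file-share"
    try:
        parts = urlsplit(link)
        host = parts.hostname or ""
    except ValueError:
        return "caution"            # malformed link: do not click
    scheme = parts.scheme.lower()
    if scheme in SHARE_SCHEMES:
        return "file-share"
    if scheme in ("http", "https") and host:
        if is_local_host(host):
            return "local-network"
        return "https-public" if scheme == "https" else "caution"
    return "caution"


# Constructed sample links, as they might appear in a meeting chat.
SAMPLE_LINKS = [
    "https://www.example.com/agenda",
    "\\\\fileserver\\shared\\minutes.docx",
    "http://192.168.1.1/admin",
    "http://www.example.com/slides",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        print(f"{classify_chat_link(sample):14} {sample}")
```

Only the `https-public` result matches the "likely to be safe" case described above; every other result is a link to leave alone unless you trust the person who posted it.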

Waiting rooms

I also added a bullet suggesting using Waiting Rooms. Instead of allowing anyone with a link to directly enter a meeting, participants enter the waiting room and wait until the host invites them in. This gives the host more control of who enters the meeting. Strictly controlling meeting links and meeting IDs is more important, but when you are forced to make a meeting accessible to participants you can’t control via distribution of the meeting links and IDs, a waiting room is helpful.

A note to businesses

The recommendations here do not apply to businesses, which face problems that individual users do not. A business with substantial networked assets must protect those assets. In the rapid transition to working from home that is going on now, businesses are forced to give employees access to assets, like shared documents and applications, held in their private network. Remote workers access these assets from outside the traditional business perimeter. Zoom may appear to be a ready and easy-to-use solution, but there are other solutions that have been used longer in business environments and have undergone more rigorous vetting as methods of sharing resources. For example, Zoom’s unsafe links are based on file-sharing vulnerabilities that IT pros have dealt with for decades.

Zoom’s data sharing proclivities are annoying to individuals, but may be outright threats to businesses.

Treat Zoom cautiously as easy-to-use meeting software. You will probably need more than Zoom to support your newly remote workers. Don’t try to stretch Zoom farther than it was designed. Invest in training and more robust solutions when you need them. You will not regret that decision.

Zoom Safely: Minimize the Risks

Last week I was shocked when a friend, a senior vice president of cybersecurity at a large media corporation, posted this on Facebook:

“Just don’t use Zoom. It is a cesspool of security and privacy issues…”

I took his warning seriously. He knows what he is talking about. This post is no April Fool’s joke.

However, today Zoom is a lifeline for many people and important to me personally. With a heart condition, diabetes, and being over 70, I had best stick close to home with COVID-19 in the air.

Everyone uses Zoom today. My daughter in law school attends classes on Zoom all day. My library friends get together on Zoom to share a beer and discuss books. My wife and I met with our realtor on Zoom yesterday.

I don’t expect folks to quit using Zoom, and I don’t plan to quit myself. It’s popular for good reason: it works well and is remarkably easy to use. In my old job as a software architect working with developers on every continent but Antarctica, I used just about every online meeting platform frequently. Zoom is excellent, particularly for people who can’t take time to learn complex and balky platforms. Which makes Zoom security and privacy issues all the more troubling.

Zoom has not been a paragon of responsibility in fixing security vulnerabilities. I won’t go into the details of what is wrong with Zoom. I might in a future post. Here, I will tell you how to minimize the risks.

Concerns

First, Zoom shares data with companies like Facebook and other data brokers. That is what it is. I don’t like it, but it’s part of the 21st century. I believe we can and should do something to fix the data sharing digital economy, but nothing will happen overnight. I wish Zoom would just stop it, but I have little hope that they will until they are forced to. Their sharing pays for your free service. If it makes you feel better, Zoom is not the only offender; your data is probably already being bought and sold all over the network.

Second, Zoom meetings are subject to unwanted intruders and harassment. Louts sneak in and flash pornography and hate messages. They dominate chat sessions. Meetings, like town meetings or church and temple services, can turn into travesties and have to break up.

Third, less of a concern to individuals, Zoom is susceptible to denial of service attacks. Meetings can be overwhelmed with unwanted messages which tank performance.

Finally, Zoom emits digital pheromones that drive cats to walk over keyboards, hit keyboard shortcuts, and take over the screen.

What can you do about it?

There are a few steps you can take that will considerably improve Zoom experiences.

  • View the Zoom video tutorials. They’re easy and worthwhile. Become a Zoom expert.
  • Access Zoom through your web browser. Don’t install the Zoom app. Many of the ongoing problems have come from the app, so avoid it, at least until Zoom gets their house in order.
  • Guard the Zoom meeting link and ID. If you are not conducting a public meeting, don’t make it public. (Boris Johnson, UK prime minister, tweeted a screen shot of a cabinet meeting with the meeting ID prominent. Don’t do that.)
  • Zoom has a meeting password option. Use it when appropriate.
  • Let Zoom generate a random meeting ID. You can put in your own meeting ID like “Joes-Dance-Party”. Trolls could guess the ID and slip in.
  • Use Waiting Rooms to control entry to the meeting.
  • Protect the screen sharing option. When setting up a meeting, you can restrict who can share and who can start sharing when someone else is sharing. Change these settings during a meeting by clicking on the down caret next to the “Share Screen” button at the bottom of the screen.
  • Do not click on links in Zoom chats unless you trust the participant who posted the link.

Zoom is not perfect, but these are not perfect times.