Zoom Panic – Steps You Should Take to Reduce your ‘Zoom-Risk’

This is really a ‘dogpile’ event.  As Zoom usage has grown from 10 million users a day in January to 200 million users a day now, they are just trying to keep the wheels on the bus.  And everyone says that they found some new problem.

In fairness, until recently they did not seem to be as security conscious as some of the other paid conferencing vendors; equally in fairness, much of what is being reported is user error.  Many of their accounts were and are free accounts, and it is not fair to expect the same level of confidentiality from those as you get from a paid corporate account.

Here are some tips to make your Zoom world safer.

1. If you care who joins your Zoom call, do not post the Zoom conference information on social media.  Apparently people do that and are surprised when uninvited guests show up.

2. Do not post screen shots of Zoom meetings on the Internet.  The meeting ID shows up in the window title bar (this week’s patch removes it, but only once you install it), so anyone who sees the screen shot has what they need to try to join your meeting.

3. Don’t create meetings without passwords.  That is hard to do now that Zoom requires a meeting password by default, but that default is recent (about two weeks old).  Don’t remove the password, and don’t use a password like 123456.  Remember that the password is embedded in the invite link, so posting the link anywhere public is the same as posting the password.

4. Use the Zoom waiting room feature – again, I think they turned it on by default this week, but up until then it was off by default.  With this feature on, the host has to individually admit each person into the meeting.  Don’t turn it off.  Someone who guesses or stumbles on your meeting ID lands in the waiting room instead of in the meeting, so they get nowhere unless the host lets them in.

5. Use the Zoom meeting lock feature – once the host locks the meeting (for example, a few minutes in, once everyone you expected has arrived), nobody else can join, even with the meeting ID and password.

6. Make sure that you install Zoom updates.  When a meeting ends, the client gives you the CHOICE to install updates.  If you skip the install, you stay exposed to whatever the update fixed.  Lately, every time I use the app it says there is an update.

7. Don’t use your personal meeting ID for meetings with outsiders.  This is a feature that lets you reuse the same meeting ID over and over.  It is convenient.  For you AND ALSO FOR ANYONE WHO EVER HAD THAT ID information, because they can try it again at any time.  Let Zoom generate a unique ID for each meeting instead.

For more information, see this article at CNet.

None of the above items are Zoom’s fault.

But there are issues which are Zoom’s fault —

a. They were routing some traffic (and encryption keys) through China.  That happened as they tried to deal with a 2000% usage increase.  Once that was pointed out, it was fixed in days.

b. Allow people to pick what countries your call can be processed in – this is a new feature for all paid accounts – implemented within a week of discovering (a) above.

c. Do better security testing.  This really was a weakness on their part.  They have moved very rapidly on this and brought in some very well known security people, such as Alex Stamos (formerly CISO of Facebook and currently at Stanford) as an advisor.

d. They have about 700 developers in China.  **IF** they have good code review procedures in place, this is not a problem.  If they did not, Alex will absolutely fix this one.

e. Implement a better bug bounty program.  They have had one, but it wasn’t very good.  They just announced a new one today, along with a new firm to manage it.  Fund it aggressively.

f. End to end encryption – I give them a pile of poop for saying that they had end to end encryption.  They don’t.  They prefer to say that they don’t have end to end encryption in the generally understood definition of that term.  The generally understood definition of end to end is, well, end to end: only the participants hold the keys, and the service in the middle sees nothing but ciphertext.  What Zoom has is encryption between each client and Zoom’s servers, which decrypt the media.  It’s not hard to understand.  It’s not confusing.  DON’T LIE.  You are likely to get caught at it.  Tell the truth.  ANY CLOUD BASED VIDEO CONFERENCING SERVICE THAT OFFERS TO RECORD YOUR CALLS ON ITS SERVERS (LIKE GOTOMEETING AND WEBEX, FOR EXAMPLE) DOES NOT OFFER END TO END ENCRYPTION.  A server can only record (or transcribe, or mix) a call it can decrypt, so by definition the encryption ends at the server, not at the other participant.  What is important is to tell the truth.
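To make the distinction in (f) concrete, here is a toy model of where the keys live in the two designs. This is an added illustration written for this post, not Zoom’s (or any vendor’s) real code: the same message goes from Alice to Bob through a relay that either terminates each client’s session (encrypted in transit, like TLS to the cloud) or only forwards bytes that the clients encrypted with a key the relay never saw. The Diffie-Hellman prime, the HMAC-based stream cipher and the client/server class names are all assumptions made for the example; they show key placement, not a secure design.

```python
"""Where the keys live: 'encrypted in transit' vs end-to-end.

Added illustration for this post; not Zoom's (or any vendor's) real code.
Two toy relay servers carry the same message from Alice to Bob:
  * HopByHopServer terminates each client's session (like TLS to the
    cloud), so it must decrypt to forward, and can record plaintext.
  * E2EServer only forwards bytes; the clients agreed a key it never saw,
    so it can neither read nor record the call.
Key agreement is textbook Diffie-Hellman over a toy prime and the cipher is
an HMAC-SHA256 keystream with an HMAC tag: stdlib only, illustration only.
"""
import hashlib
import hmac
import os

# Toy DH parameters (assumption for illustration; not a real-world group).
P = 2**127 - 1   # a Mersenne prime: small enough to read, far too small to be safe
G = 2


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes with HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC, toy stream cipher)."""
    nonce = os.urandom(8)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream; raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class Client:
    """A conference participant holding a DH private key."""
    def __init__(self, name: str):
        self.name = name
        self._priv = int.from_bytes(os.urandom(16), "big") % P
        self.pub = pow(G, self._priv, P)

    def key_with(self, peer_pub: int) -> bytes:
        shared = pow(peer_pub, self._priv, P)          # g^(ab) mod P
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class HopByHopServer:
    """'Encrypted in transit': the server is the other end of every session."""
    def __init__(self):
        self._identity = Client("server")
        self.session_keys = {}
        self.recording = []     # cloud recording is trivial: plaintext passes through here

    def handshake(self, client: Client) -> int:
        self.session_keys[client.name] = self._identity.key_with(client.pub)
        return self._identity.pub

    def relay(self, sender: Client, recipient: Client, blob: bytes) -> bytes:
        plaintext = decrypt(self.session_keys[sender.name], blob)   # must decrypt to forward
        self.recording.append(plaintext)
        return encrypt(self.session_keys[recipient.name], plaintext)


class E2EServer:
    """End-to-end: the server forwards public keys and opaque bytes, nothing else."""
    def __init__(self):
        self.seen_pubs = []
        self.recording = []     # stays empty: there is nothing it can read

    def forward_pub(self, pub: int) -> int:
        self.seen_pubs.append(pub)
        return pub

    def relay(self, blob: bytes) -> bytes:
        # The only 'key material' the server ever saw is the two public values;
        # hashing them is the best it can do, and it does not yield g^(ab).
        guess = hashlib.sha256(b"".join(p.to_bytes(16, "big") for p in self.seen_pubs)).digest()
        try:
            self.recording.append(decrypt(guess, blob))
        except ValueError:
            pass                # wrong key: no recording possible
        return blob


def run_hop_by_hop(message: bytes):
    """Alice -> server -> Bob with two server-terminated sessions."""
    alice, bob, server = Client("alice"), Client("bob"), HopByHopServer()
    alice_key = alice.key_with(server.handshake(alice))   # Alice <-> server session key
    bob_key = bob.key_with(server.handshake(bob))         # Bob <-> server session key
    delivered = decrypt(bob_key, server.relay(alice, bob, encrypt(alice_key, message)))
    return delivered, server.recording


def run_e2e(message: bytes):
    """Alice -> server -> Bob with a key the server never holds."""
    alice, bob, server = Client("alice"), Client("bob"), E2EServer()
    alice_key = alice.key_with(server.forward_pub(bob.pub))
    bob_key = bob.key_with(server.forward_pub(alice.pub))
    delivered = decrypt(bob_key, server.relay(encrypt(alice_key, message)))
    return delivered, server.recording


if __name__ == "__main__":
    msg = b"constructed sample audio frame"   # constructed stand-in for a media frame
    print("hop-by-hop:", run_hop_by_hop(msg))  # recording contains the plaintext
    print("end-to-end:", run_e2e(msg))         # recording is empty
```

In the hop-by-hop run the server’s `recording` list holds the plaintext, which is exactly what a cloud recording feature needs; in the end-to-end run it stays empty because the server only ever saw public values and ciphertext. One caveat the toy does not cover: a relay that is willing to lie could substitute its own public keys during `forward_pub` and sit in the middle, so a real end-to-end design also has to let participants authenticate each other’s keys (fingerprint comparison or a signed key directory) rather than trusting whatever the server forwards.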

So, while people are making a big deal out of this, in large part the problem resides between the keyboard and the chair, so to speak.
