I'm surprised they're even allowed to use Zoom for a national cabinet meeting. Wouldn't the Gov have its own video chatting software that is self hosted?
Number 10 has had Video Conferencing since 1998 (I set it up with college and received first call from there), was H320 via ISDN2 affair and had dedicated black box encryption unit GCHQ supplied and dealt with.
DOH (Department of Health) also had dedicated VC rooms as did all the regional officers and MCU bridging for multi point conferencing was outsourced when needed. All main DOH sites could do up to 384 with bonded ISDN line (UK ISDN was 64k per channel and separate D channel, no bit stealing going on here).
That without a doubt all changed many times and somewhat surprised they are using Zoom, and would have thought at least would have contracted to run their own private server connected via VPN. Very surprised and when American politicians all loved their BlackBerrys, they had their own dedicated servers they controlled access to, supplied by RIM.
But the DOH and all the other government departments are entities unto themselves, and I'm not that up on anything the last couple of decades, but suspect that there isn't any common solution to enable what they need to do for remote working in isolation. I'm sure much will change after this. Also fairly sure GCHQ probably bashing their heads on the table.
But I can see how they got to where they are, knowing aspects of government workings and departmental fencing, still - does kinda make you go WTF still.
They'll undoubtedly have new iterations of that, based on the same premise that they install and own the kit at each end.
I suspect Zoom just happens to be the choice this particular group has settled on. While across government people have been scrabbling to just make something work now that security's previous modus operandi is being trumped by the need to let people work from home.
Government even more than the private sector has been slow to allow for home working. I'm hopeful this will change that.
I think video chatting with normal citizens would be quite difficult if you expect them to install VPNs and special video conference software that probably only works with gov.uk accounts. Grabbing a random laptop, connecting to the internet and using Zoom sounds a lot easier.
The link shared by @verytrivial to Boris Johnson’s twitter account isn’t showing “normal citizens”, it is showing the executive branch of the UK, plus an account identified only as “iPhone” who has their camera and microphone switched off.
I worked on a minor, non-secure, tangentially GCHQ-aligned project. They're the most risk averse organisation I've ever met. Like, pathologically risk averse. I'd bet a small mortgage they had no oversight of that call.
Literally copying the literal Stasi approach to spying (not the rest, just spying) would simultaneously improve the quality of the data and reduce the negative side effects relative to the UK’s Investigatory Powers Act 2016.
By definition, in their line of work if you knew exactly how useful and effective they were they would not be doing their job properly. They report to the UK government, not to you and not to me even though I am a UK citizen (as you may be, I don't know). They have worked for governments led by or including all three main political parties in the UK and they all decided they were useful enough to them to keep, in pursuing their goals on behalf of the people who elected them. That's good enough for me.
But we do know how effective they aren't. And we do know that they have placed themselves above the law. If that doesn't concern you it really should.
The macho pose that comes out every time someone suggests they should be subject to, you know, the law and behave better than Stalin's henchmen is very worrying.
So who is the politician who is effective enough to provide true oversight and rein them in when required?
In general (more so focused on the EU than the Brits) I've never understood why the EU doesn't pump a billion a year, or a billion worth of dev hours a year into open source. That's an absolutely tiny, almost infinitesimal amount of EU budget (and even tinier for most member states their budget) and it would allow them to get out of the noose of closed source corporate support contracts and being beholden to foreign companies.
Imagine how much a billion a year would accomplish spread over projects like LibreOffice, Matrix/Riot, an EU Linux distro, etc.
Whenever the government doles out money, the incentives are to do it in return for political favours. To counter that, various processes and institutions enforce checks and balances and accountability. In practice, that takes the form of grant applications, tendering, and the like. That then attracts a bunch of grifters who want to effectively steal the government's money, so the grant process gets longer and more complex, and things get more bureaucratic with heavy-handed checks and balances.
If a government anointed any given handful of OS organizations as preferred benefactors of donations, I'd expect grifters to infiltrate those organizations and parasitically siphon off the funds one way or another.
Incentives matter. Government incentives are to be popular, or attract the support of other people who are popular or influential. Being efficient or effective is only a small part of that. I don't know that there's a good solution to the incentive problem.
> If a government anointed any given handful of OS organizations as preferred benefactors of donations, I'd expect grifters to infiltrate those organizations and parasitically siphon off the funds one way or another.
I’d expect companies like Raytheon, Cerner, Lockheed Martin, Boeing, and HPE/CSC/DXC to win a supermajority of those contracts.
They probably would not even bid. Working on an OS project is fundamentally providing labor hours. Not high margin, no lock in, no investment and high profit tail on the business. It would end up going to little companies providing bodies at a low labor rate.
No way if those companies had to OS their code.
You could pump money into OS slowly by making government departments pay a royalty to the maintainers/projects they work with. Things such as Drupal, Tomcat etc.
Maybe because it wouldn’t solve the problem? Building a great product requires so much more than just the money needed to do it. If money was the only thing required, no startup would probably exist and everything would be built by either governments or large corporations.
Well the idea would of course be to use the budget to invest into suitable European startups. To create a market, where startups could operate and innovate.
The reason the "year of the Linux desktop" hasn't happened yet and open source hasn't conquered the consumer world isn't because of the lack of money. It's because none of the projects have a goal per-se; everyone works in their corner, on their own time, mostly just scratching their own itch. Donating money to them won't solve this problem. There's also a lack of certain skill sets like user experience design, project management, branding, etc.
If the EU wants an open-source conferencing solution they have to do it in-house (whether from scratch or fork an existing solution) and treat it like a business with a clear objective and actual employees (instead of benevolent devs donating their time & effort) including positions which open source projects often deem unnecessary like UI & UX design, and so on.
Also interesting about that photo: Five of the 25 have portrait-oriented video feeds. Tbh this may make more sense for this kind of thing (shows more of the person rather than more of the space they're in) but I'm thinking about the hardware—am I correct in inferring that those five are zooming from their mobile? Do high-level UK cabinet ministers not have laptops?
I'm speculating, but they might find it more convenient to use a separate device for the video chat? Especially if you're using your laptop a lot during the video call, it's quite convenient to have the chat open elsewhere.
Given how cavalier Zoom is about privacy and its history on the Mac, the only place I'd be willing to use it is on my phone or iPad where it's boxed in by Apple's restrictions and has undergone app review. Apple had to push a silent OS update to remove Zoom's insecure secret web server.
If they have filed the paperwork[0] then they are. (Whether their solution to be compliant is or is not enough would have to be audited.)
Apple's FaceTime is not HIPAA compliant because they haven't filed the paperwork.[1]
(Obviously, there are a lot more steps to it than signing a Business Associate agreement, but I would bet FaceTime is probably a little more secure than Zoom)
Microphone quality is still not a solved problem on laptops, and Windows' sound preferences UI does not make it easy to switch to a Bluetooth headset (that is, if you even have one on you).
I only ever use Zoom on my phone - it frees up my laptop to be used during the call, and I refuse to install anything developed by that company on my laptop.
You can join Zoom meetings on your browser too. It's behind these twelve easy steps:
1. Go to zoom.com
2. Click "Join a meeting"
3. Enter meeting id and click Join
4. Ignore the automatic app download
5. Go back
6. Click "Join a meeting" again
7. Enter meeting id and click Join again
8. Ignore the app download again
9. Click at "If nothing prompts, click here"
10. Click "Join from your browser"
11. Agree to terms of service
12. Enter password and name, click Join
Yes, it actually requires you go back and try again at step 5. What dark pattern?
> Johnson, on his doctor’s recommendation, has withdrawn into his chambers for seven days and will forgo all public appearances and in-person group meetings. He will have his food left at the door to his apartment, his aides said.
> “He’s self-isolating in his flat,” said his official spokesman.
Yes, and every MP has a public email address that is staffed by slaves/interns/SpAds, they also have personal private emails that have much more sensitive political information in them.
Doesn't have to be the candidate's home address. Some use the local constituency office address, for personal security and/or to avoid stalking by nutters.
On a couple of pictures you can see balcony doors, house layouts, ceilings, vents, etc, doors. Every now and then CNN shares photos of the houses of rich and famous. They must be taking them from some magazine. Anyway, I remember looking at Cara Delevingne's amazing home, and I noticed that apart from walls with decorations, furniture, bathtub, etc there was NO view of doors, windows, balcony doors. Basically anything that would give away the location of the rooms (e.g. photo of bedroom with trees outside that would help identify floor and where in the building that room is). I am sure that these people have far more important things (documents) in their homes than Cara (but far worse taste).
The woman in the bottom left corner has the right idea.
A white wall!
And you're right about their houses. However, with everyone home and the plods out on the empty streets, now is not the time for a B&E.
Why is the exposing of a government employee's email address a security risk to you?
Edit, because downvotes: government email addresses can be retrieved easily through public records laws, and is done routinely, and can easily be scraped or inferred. I've done both many, many times, and it's trivial.
Well at the very least it presents a soft target for hacking into his personal email address (it's gmail not government) and secondly, compromising it literally gives you access to dial into cabinet meetings.
And like one of the other comments in this chain points out - his personal email address was being used for government affairs, and that made it open to public records law suits. The public already has access to it.
Was it not solved in FaceTime group chats? I can’t see the Apple Security Guide right now, but I know they claim that FaceTime 1-to-1 is e2e, and with their whole marketing thing being privacy, I bet they did it for group conversations too (not that it’s Enterprise ready since there’s no user management or SSO or whatever).
I’ve noticed over the years that FaceTime is much more likely than other video chat software to drop the video connection and move to audio only in case the connection is unstable whereas most others will hitch and lag for 30 seconds before looking into it, so maybe they got around it by only shipping the video in one or two resolutions?
Yeah, there seem to be multiple statements by Apple saying they can't access the content of FaceTime calls, without any qualification that it only applies to one-to-one calls. So it's probably a reasonable assumption that even the group ones are e2e encrypted.
How many participants can you have in a FaceTime group call?
I have also noticed that FaceTime drops the video much more often than other software.
You have to send all available qualities of the stream yourself. Normally the server does the recompression for lower qualities. That means: more processing power and more bandwidth needed. Where normally you'd be able to send 720p, now your device may not be able to handle doing both that and lower quality (2-3 streams) at the same time. This multiplies again with screen sharing.
Basically it's doable, but if you can prevent people complaining about the fans taking off and the CPU usage... why would you risk it?
H.264 has a spec for 'scalable video coding' [1] where one stream can contain multiple quality levels, allowing a video's quality to be reduced by just selectively dropping packets.
(No idea how widespread encoder/decoder support is compared to vanilla h264 though)
That's pretty cool. I wonder how well does it work with bidirectional communication. It sounds like for just sending/receiving where you can saturate the link, that would be awesome.
Zoom automatically switches between quality levels based on your connection speed, who's talking and the size of the viewport. 720p would look fairly rough when fullscreened on most non-mobile displays, but it's orders of magnitude more than necessary when viewed as a thumbnail on a mobile device. Making multi-user video work in a mostly seamless fashion is a surprisingly hard problem.
Using a single stream would substantially degrade the experience, which may be a worthwhile tradeoff for high-security environments but certainly wouldn't be a worthwhile tradeoff for most users.
It's not just about the resolution, but also the bitrate and fps. Perceived video quality is a big deal to companies like Zoom. I don't blame them for not using E2E, it's a tough technical issue, but I do blame them for lying about it.
720p is the standard laptop camera these days. You notice if anyone streams less. Next, desktop sharing is going to be at least 1080p. Then you need to have lower resolutions for anyone who can't handle that much on their connection. Same for desktop share.
I am out of the loop as to why Zoom is suddenly "blowing up". Even my workplace is using it now. Previously, we were using either Skype, Webex, or Jitsi. What does Zoom offer that the other three don't?
1. The gallery view (aka 'Brady Bunch' view) works significantly better than any other system, with a large number of users. Especially now where everyone is working remotely and you have large group chats IMO this is the biggest factor.
2. Related to the above, I have rarely, if ever, had a problem with Zoom quality.
3. The onboarding for new users (basically just share a link) is dead simple. Zoom realized that the install process was a significant barrier and did more than anyone else to lower that barrier (of course, with lots of security/privacy issues to boot, but your average Joe isn't aware of those).
4. A smaller factor but perhaps a bigger one for people using Zoom for personal reasons (e.g. teenagers and college kids) are the 'fun' features like virtual backgrounds.
> 2. Related to the above, I have rarely, if ever, had a problem with Zoom quality.
Massive factor here. You can use it and it mostly works extremely well. Much better than almost anything else, including the previously beloved Google Hangouts. In fairness to Microsoft, Teams is probably up there for quality nowadays too, but does lack a good gallery feature.
Compare this with WebEx. I can only assume Cisco are gradually winding it down to EOL because I haven't been on a WebEx call that was anything other than an absolute shitshow since around 2014. Even before this it was really just the best of the worst.
> 3. The onboarding for new users (basically just share a link) is dead simple. Zoom realized that the install process was a significant barrier and did more than anyone else to lower that barrier (of course, with lots of security/privacy issues to boot, but your average Joe isn't aware of those).
Again, agree. Zoom "just works"(TM) for most people, most of the time. And for most people, most of the time, that outweighs any security concerns.
It frustrates me that a certain segment of IT security professionals do not understand this. If you're one of these people, you need to realise that security is necessary but not sufficient. Security is a minimum requirement, but it is not even close to the bare minimum.
Your product actually needs to be good within the context of what users are trying to achieve with it. It needs to do exactly what it's supposed to without drama and fuss. The product is the means, not the end and so, by implication, is the security product.
Human nature is generally to choose things that reduce friction over those that add it, so find a way to build a product that is both secure and gets out of the way.
> 3. The onboarding for new users (basically just share a link) is dead simple. Zoom realized that the install process was a significant barrier and did more than anyone else to lower that barrier (of course, with lots of security/privacy issues to boot, but your average Joe isn't aware of those).
I really don't get why Jitsi hasn't taken over the world yet, given that it's even simpler: just share the link, and the receiver doesn't even have to install anything.
(Also, doesn't the gallery view exist in every major videoconf platform? I've seen it in at least Jitsi, Whereby and Gotomeeting... And Zoom's browser mode (which is less accessible than Jitsi's) doesn't even support it.)
The gallery view in other videoconf platforms doesn't even compare. I've had flawless experiences with 12-16 people, all in a grid across my screen. Every other system I've used had some version of rotating people in/out when there are more than 4 people. Was a night and day experience.
My therapist tried a whole bunch of different services with different clients. We first tried doxy.me which is a HIPAA approved tele-medical service. But the quality was HORRIBLE, it was unusable, so she asked me if I would be ok using Skype (since Skype is not encrypted) I said ok (since I need the session more than it being secure). It was fine. Then we tried Zoom next time around. I thought Zoom was better in terms of quality and "just works out of the box". Just a datapoint. Getting video streaming correct is actually pretty hard, it's part of what I'm working on for my day job, and it's a very challenging problem.
It's hard because it's dependent on other systems that are often not fully functional.
The things that need to work for a video call are: The network must be reasonably reliable and not overloaded. The camera must be configured and not privacy blocked. The correct recording device must be used, it must be recording (opportunity for both user error and OS issues here). If hardware codecs are used (a requirement on lower end devices) they must support low enough bitrates, must have the right options.
Typically all these things are slightly different between different devices and operating systems. It's typically easy to build a proof of concept with great quality and reliable connections between two given devices over a given network. It's super hard to make a product that is reliable enough that millions of users only rarely run into issues.
When you stream a YouTube or Netflix video, you can download several seconds ahead over boring old HTTP. It's a one-to-one link, you don't have to upload anything, and you don't need to access the user's camera or microphone.
To be competitive in videoconferencing these days, you need:
* Low latency, so people don't talk over each other
* Video and audio compression that doesn't get confused by dropped packets.
* Setup so easy first-time users won't be late to their video job interview.
* Group calls for 10+ people
* HD quality
* Adaptive bitrates, for users on different speed links
* Skip-free audio even if a user's link goes from uncongested to heavily congested.
* Reliable support for every webcam and USB headset on the market, and hot-plugging them during the call, and changing OS permissions during the call.
* Reliable support for unreliable bluetooth headsets and unreliable bluetooth dongles.
* Echo cancellation that works with every device and room configuration going. Including devices that have their own built-in echo cancellation.
* Audio that's clear even in the presence of background noise, and different people at different distances from the microphone.
* Users behind every type of misconfigured firewall you can imagine.
* Roaming between different Wifi access points, and between wifi and cell data while on a call (including links with no connectivity sometimes)
* Never (or almost never) forcing a user to update their software at the moment they're trying to join an important meeting or job interview.
* Update support (or long-term compatibility) for users who don't have administrator rights.
* Graceful recovery if the user sleeps then resumes their device.
* Screen sharing that retains good readability, even if a user has unwisely made the text on their presentation a bit small.
* Screen sharing of Youtube videos without making them blurry or choppy, even if they're embedded in presentations.
* CPU and battery efficiency.
* Free of charge
* All the above on iOS, Android, Windows, Mac, Linux and WebRTC.
It seems like, in the current use case, this one isn't as important? Institutions would pay for something that does everything else really well. Source: All the paid accounts my institution shelled out for on Zoom in our transition to remote work. So I guess n=1.
All the hard bullets are already handled by existing math (codecs), protocols/libraries (reliable networking), operating systems (hardware support), etc., no?
This is not to say it is easy at all, of course; there are a thousand things to do to implement it, but I think other fields face similar constraints, like videogame engines and distributed simulations.
The companies selling video streaming and conferencing have other issues, such as service costs. And they typically don't retain very good engineering teams.
> Why did no one else crack this issue? Google has some smart people and so does MSFT. Perhaps just lack of caring?
They're probably not huge revenue drivers (if at all). Why would they be a priority for either of those companies? And I can't imagine they're particularly inspiring projects to work on, which can be a self-reinforcing cycle if the best people don't want to work on them.
My professor uses the whiteboard when giving lectures. Useful as well. Also, he shares his screen and just shows us his pdf files :)
The Uni tried a different software before Zoom (forgot the name but it started with a K, from a company I never heard of before). And it was VERY GOOD but the video was choppy.
There is one huge difference, if I'm not mistaken. In our tests neither Skype nor Google Hangouts allowed the speaker of a talk to view the audience while screen sharing. It's annoying and feels very odd to give a two-hour lecture to your laptop with zero feedback from the audience.
Maybe we did something wrong, though, and missed features in Hangouts and Skype. If that is the case I'd be very happy if someone could point it out to me. (Our whole university is using Google Hangouts right now, because our administration doesn't want to pay for additional Zoom subscriptions.)
Cisco owns Webex, so of course they'd use it. I've suffered through Webex with a previous employer and a current client, and it's just horrible. GoToMeeting is much better, and Zoom is better yet.
The founder of Zoom (Eric Yuan) used to be a respected leader at Cisco but he eventually quit to focus full-time on Zoom.
Cisco didn’t fully understand the opportunity he saw to reduce the amount of friction needed to use most video conferencing (VC) software tools, including the tools by Cisco, which is understandable since Cisco was afraid they might cannibalize sales in their VC hardware business.
My attempts at Zoom meetings were met with distorted audio, and the organizer quickly changed to Jitsi in both cases. It worked much better for whatever reason.
From experience with many options, and having used Zoom for over a year now: Video quality is better, audio quality is better, video and audio are streamed separately and during low bandwidth situations audio takes priority over video (video starts lagging but audio remains as perfect as possible), seamless to join meetings even when you're not a 'user' of their ecosystem, and has neat UX like informing you that your microphone is soft-muted when it notices you speaking, etc etc.
Whenever I've used Zoom from my home connection during the last few weeks, I've experienced laggy, blocky video, occasional audio dropouts (with frequent alert messages within the app to restart the Zoom client's audio), disturbingly high CPU usage, and meetings which take minutes for everyone to join.
Honestly in my experience, there's no real benefit when compared with Skype, Hangouts, or Discord except for the frequently mentioned large 50 person+ video streaming.
known zoom for a while... the "it just works" and "it has better quality" comments are very surprising to me and got me skeptical. are skype, slack, gotomeeting, hangouts, meet, webex, &c. all really crashing on people now? in a huge conspiracy?
things i thought could be the real reason: novelty (for some/most people), popularity (someone online famous/influencer mentioned it), shadow marketing, luck.
but wikipedia told me is actually going on: schools have decided that zoom will be the de-facto remote schooling platform. a bunch of young people appropriated the platform it seems.
hope that helps. the superiority talk is just that. but now they are in a good position to become better than any other video conferencing software.
I've been working at remote-first companies for about the last four years, my current and previous company independently tested a bunch of video conferencing apps and both settled on zoom. It just works better than the alternatives. Yes better than skype, slack, gotomeeting, hangouts, meet and webex (and teams, since that's the other big one).
Sometimes it's call quality, sometimes it's stability, sometimes it's usability, sometimes it's features.
> are skype, slack, gotomeeting, hangouts, meet, webex, &c. all really crashing on people now? in a huge conspiracy?
It's astonishing how so much low-quality software gets distributed, but: yes. Hangouts and Slack are a pain to get everyone logged in / invited to. Everything else on your list just breaks a lot.
> but wikipedia told me is actually going on: schools have decided that zoom will be the de-facto remote schooling platform. a bunch of young people appropriated the platform it seems.
That's a non-explanation. Zoom is popular with young people, sure. Why? The same reason it's popular with everyone else, because it works better.
I've used everything on that list, except meet, in an institutional setting. 1-on-1, small groups, large groups. The only one that our institution has used that works straight out of the box 100% of the time for everyone who has access to data, is zoom.
My short time working in higher education taught me that Zoom is baked into some education software. If I recall it is part of the Barnes and Noble cloud education suite.
With the lock down, more online classes, more people seeing the Zoom logo?
...and the even more predictable, dismissive, contrarian response: "Look at how silly and repetitive all the critics are. They always point out problems, haha."
Fortunately, we have really enlightened people among us who point that out.
I attended a PhD defense yesterday that got zoom bombed. They quickly moved it to an actively managed call and the presenter did a fine job of keeping their composure and getting back on track. Now we're circulating guides about how to set up secure rooms and webinars, so I don't anticipate this will happen again.
Normally I'd wave this off as a childish prank, but both the URL and loading screen prominently indicated the name of a major medical school, and the contents of the presentation were proteins and chemical structures. Bombing this meeting in particular seems to be in especially bad taste during a pandemic.
> Bombing this meeting in particular seems to be in especially bad taste during a pandemic.
For what it's worth, it likely wasn't targeted. My understanding is that the search space is so short that you can just cycle through it until you find something.
This happened to a local political debate I was attending. Disturbing to say the least. It's not hard to defend against as a power-user host, but the default case might be better locked down. Maybe this preference should be prominent in account setup.
In general PhD defenses are open to public, I mean, in some places it isn't even valid if it wasn't publicly announced (by a printed paper glued to some wall, for all it's worth) and the access is restricted to the public.
Of course different times require different actions but I think that some challenges remain for the _formal_ part of it.
> Bombing this meeting in particular seems to be in especially bad taste during a pandemic
Either that... or it's a way to get high profile attention to blatant security issues in a commonly used business meeting tool where sometimes sensitive information is shared.
I too am much happier when Chinese/Russian/French spies quietly infiltrate a presentation on power grid weak points from a mid sized private firm with no security to speak of.
Trolling is God's way of teaching basic opsec to idiots.
Not going to defend a bunch of trolls, if that's what you're implying.
However, if we don't secure our systems, what do we expect? If there were no bad-actors in the world, people like tptacek would be out of work. What a glorious world it would be, no need for locked doors, fences, passwords, pin codes and more - but that's not the world we live in.
Instead, we're in a world where Zoom has laughable security for barging into potentially sensitive meetings being conducted by businesses and world leaders[1].
If it takes a few meetings getting trolled for Zoom to finally take action, I'm not going to feel much sympathy. Just be glad trolling is all they're doing right now.
So, while I'm sorry your meeting got trolled, it will just continue to happen until you get mad at the people that made it possible - Zoom.
I hope you're wearing a hard hat at all times; if not - then it's your fault when a complete stranger smashes you with a brick. Who will you be mad at after that?
On the other hand, when I get smashed with a brick and the hard hat I'm wearing crumples like a paper bag I guess I'm still a little mad at the hard hat company?
I'm just saying that kids have been signing into Kahoot with names as Naughtius Maximus and Biggus Dickus since forever. There used to be a kahootbombing subreddit that eventually got banned. If you just have a username and no password there's problems. Why is that even news?
Trolling is not a security advisory. If it were intended that way it would be sufficient to hold up a sign saying 'warning, this meeting is not secure'. Instead people are using it to abuse others. Stop making excuses for that behavior.
This is a feature not a bug, to make joining meetings frictionless. (And in videoconferencing there's little distinction between meeting ID and password anyways -- they form a single access credential.)
To prevent unwanted people from joining, the host simply has to turn on the waiting room feature -- where people who have dialed in have to be explicitly accepted by the host, which can be done individually or en masse.
You could have a second access code included in the invite but not printed right on the window in screenshots.
It would be similar to how a credit card number and CCV code are functionally the same as one longer number, except that you don’t go writing the CCV code alongside the credit card number, and that keeps it more secret.
Still not as frictionless as “anyone with the number can join,” but if this continues to be a problem it might be worth doing.
I just set up passwords on Zoom rooms for a little room automation project I'm building. There's no drawbacks; you can send out a link that includes the password, so nobody gets left out (no matter how technically challenged). And, someone who "stumbles upon" the room can't just get access.
All in all, Zoom has done a lot of things right, given the extremely challenging competitive environment they're in.
The password doesn't do anything for teachers who don't know how to use Zoom. And people are not stumbling upon links. What happens is one kid sends the link to a bunch of other people, with the password, who can then join since Zoom doesn't require accounts. There are obviously ways to alleviate this like the waiting room feature, or muting everyone and turning chat off, but the problem is that most teachers aren't trained well with Zoom's capabilities and weaknesses.
Is including the password in the link always enabled? If you're looking at a link is there a way to tell if it has a password or not? I've had issues in the past where people with the link were unable to join since they didn't know the password.
Zoom has open conferences by default. Even if you host one on your business plan, anyone who has the number can dial into it. You could be paying a shitload of money for that, including their 'Zoom Rooms' where they fit out your meeting room with cameras and mics and their special app... and any fuckwit can dial in if they grab the phone number, which is also a US-based one.
I don't like to join company calls on an anon or personal account but Zoom makes absolutely zero effort to identify who you are and even if you're welcome. Most of the time I drop out and re-join under my corporate account. I cannot force other people to do the same, and their settings UI is insane.
By all accounts, Zoom deserves this intense scrutiny and I hope they take it seriously. All I see them trying to do is get their software on as many machines as possible.
I had a quick feedback call set up by a common investor with Eric, Zoom's CEO a few years ago. I remember I pointed out a few of those issues, and his reply was that the only problem he could see with the app was that it wasn't "pretty enough" and it needed new icons.
I hope Eric is learning something from this situation and will pay more attention in the future, every business gets those moments, maybe not that publicly.
I believe Chief Technology Offices will be reformed as Chief Security Offices since so many features are built-in that automated common sense is what sells.
It's a pretty low bar for the word 'break'. By the same token you could walk up to a bunch of people in a restaurant and start yelling at them while they're having dinner. That's also not a break. It's just a nuisance and proof that you're a jerk, and if you did it in person you'd likely end up with some dental work.
Except users don't realize that. They think they're sitting in a locked room that nobody else knows about, when in reality they're sitting at a restaurant table and most people just don't care to go bother them.
I know it's largely parts of the 4chan crowd. But who are those boards? Why are the people who go there so nuts?
Do you ever wonder if you've unknowingly met these people in real life? Chances are we all have, right? How do they manage to be so terrible and then go on with their lives?
I recently finished reading We Are the Nerds, which is about the history of Reddit (the company) and its community. One of the interesting parts was about the moderator of a bunch of subreddits that were full of all kinds of borderline illegal and definitely illegal content (u/violentacrez, if you feel the need to Google for yourself).
If you're a long-time Reddit user, you probably already know this, but here goes: He was eventually exposed by a journalist. Surprisingly, he is actually a pretty normal middle-aged man. He worked as a programmer (and was immediately fired when the news aired). He has a disabled wife for whom he is the sole financial support. If I remember correctly, he has adult children, who were aware of what he did on Reddit and had usernames that referenced their relationship with him. Apparently, he used his time on Reddit as a way to relieve stress, or something like that.
I'm not entirely certain what motivates people to act like that online when they're relatively normal offline, but it seems to be a somewhat common occurrence.
> I'm not entirely certain what motivates people to act like that online when they're relatively normal offline, but it seems to be a somewhat common occurrence.
Anonymity probably?
I'm a pretty normal dude offline, your average American programmer. On reddit I'm in all socialist/communist subreddits talking about revolution 24/7. Intellectually I agree with intersectional Marxism, but I don't feel comfortable enough to discuss these in real life, and I don't care enough to (or am too lazy to) act upon these ideas in real life. So, when I go to reddit I become "a different person", not because I try to be this person, but the comfort of anonymity allows me to express my ideas easier.
There is trolling-as-prank which is inclusive of others in the forum where it takes place (although it may involve mockery of individuals) and raiding behavior, which is designed to damage the forum itself. The latter is area denial which is meant to gain leverage over a platform and (ideally) to take it over. This originated in rivalries (friendly not-so-friendly) between bulletin- and image-board operators, but has since been weaponized to quasi-political ends.
> But who are those boards? Why are the people who go there so nuts?
I mean, in my darker, misanthropic side of my personality I think it would be pretty funny if someone Zoom-bombed my really, REALLY boring monthly electronic Database system update training I have to go to on Thursday morning at 7am for 90 minutes, and like... played videos of puppies or something. But I get a chuckle out of that thought and drink my coffee and pay attention to the training like I always do.
4chan is a big place with a long history. It's kind of like 50 different websites and communities under one domain, where there's surprisingly little overlap between them all. I think you'd find that most people who visit the less notorious boards on 4chan are your totally normal geek crowd.
It's crazy to me that people seem dumbfounded that young people love to piss off and troll (online and offline). Do they not remember being young, or were they raised around angels?
/b/tard here. If you do public stuff on the internet, it's practically the obligation of the internet to show up and do something stupid.
As far as I can tell, somewhere over the last 15 years, people began to confuse "the internet" with "real life". It's important to know that hosting a public space on the internet is not the same as hosting a public space in real life.
I don't think this is even such a terrible example of trolling. A well run AA group could use it as a teachable moment to reinforce their message. It's certainly memorable.
And the people trolling are probably all hanging out on discord, making friends, having the modern equivalent of old-fashioned fun. Just a bunch of bored people seeing what they can get away with to entertain themselves on the internet.
When I was a kid, the neighborhood boys got caught throwing rocks at cars just because they wanted to see what would happen. They also stuck firecrackers in things. Once some teenagers took a baseball bat to every mailbox on the street while hanging out of a car window. Trolling an AA zoom meeting is significantly less bad than any of that.
I would argue that trolling is actually a bit higher-minded than previous generations of trouble-making. When you're restricted to operating only online, outside of physical space, you have to be a bit more clever in your trouble-making. Clever probing of the world to see how it responds is fun, especially with the constraint of "must be done entirely online". It's also largely harmless, because nobody can get physically hurt, and it leads to better safeguards in our online systems.
If you view trolling in that way, I think it's really a sign that our culture is advancing. If a successful troll is possible, it indicates some kind of weakness that needs to be patched. You can't stop the trolls, so you might as well extract what value you can from their work. Also what and how they troll is a sign of the times. The Trump presidency was fairly predictable if you watched the steady increase in what we'd now call "alt-right" ideology on 4chan. As goes /b/, so goes mainstream culture. I guess, in a way, you could say that trolling is a art.
"aha XD I owned alcoholics look at how clever and advanced am I, you normal human beings wouldn't understand, this is actually a societal critique aimed at bettering the world, we're artists" - /b/
> you have to be a bit more clever in your trouble-making
Or you know, once you're not 14 years old anymore you can reassess your life and decide it's not ok to DDOS hospitals during an epidemic, or call the swat on someone who beat you in a video game.
DDoS'ing hospitals and swatting are both crimes. The groups involved do have a lot of overlap, but /b/ does not allow illegal content or conspiring to commit crimes.
Trolling AA isn't criminal, it's just stupid. The only impact it's going to have is that AA organizers will learn how to run an online meeting with a little more security.
Nonsense; 4chan doesn't hate women. They hate everyone. Every race, every gender, every religion, every nationality, every profession, every socioeconomic status. No matter who you are, 4chan will find a slur for you.
Zoom lets you require passwords or require the host admit guests in meeting settings. This is the same as anything else you might find on Shodan. Secure defaults hurt mass adoption, and insecure defaults result in this. Zoom is part of one of our oldest industry traditions in this respect.
The fact is that with these meeting/group products, the one that makes it easiest to join is the one that succeeds, because there's always one bozo who can't figure out how to type a password, so there's an incentive towards insecure product behaviors.
The progression is "People start doing a ton of things over an insecure system" -> "trolls start harassing people". This isn't some sort of reaction to anything about Zoom the company or the software.
I think it's more Microsoft in the early 2000s. "What do you mean there is an internet and people on the internet might not have your best interests at heart!"
When your product goes from being "a videoconferencing tool used in some workplaces" to "the primary way people communicate and gather for personal or professional reasons", it makes sense that there will be a lot of stories about it (good, bad and neutral) in the press.
> "the primary way people communicate and gather for personal or professional reasons",
I would be curious to see an article about why this happened? Is Zoom better than their countless competitors? They all seem pretty similar in my experience so why is it Zoom that is blowing up because of this and not any of the other companies?
Part of it is that, (at least in my experience, maybe this has changed) Zoom can scale to a couple hundred people in a way that tools like Google Hangouts can't.
But like, if we're being honest, it probably has a lot to do with how easy it is to start a Zoom call and invite people. You can host a 40 minute meeting for free. No one needs to sign up anywhere. It's super easy to install but also works in the browser if you can't install it. Computer on the fritz? You can call in from your phone. And yeah, they've also used some dirty tricks to make it as easy as possible, and some of those measures (like the auto-reinstall thing) were probably unnecessary. But they've clearly focused on being super super easy to start using, and when their moment came they were primed to seize it.
Last weekend my family had a "month's mind mass" in memory of my grandfather who passed a month ago. We were able to get dozens of people, many of them very non-technical, into the call, and we started basically on time. There was no "it doesn't work on my old phone" or "you mean I have to sign up for gmail?" or "whoops I couldn't get in because I signed in with my work email". That's why Zoom is winning the game right now.
You don't need an article to estimate the direction from which the sun will rise tomorrow.
Zoom is better than the alternatives on most verticals and has good PR. In fact, justified privacy concerns aside, it's hands down the best vid. conference app I've ever used.
I carefully evaluated all of the major players here (at least 2 hours in each one) and Zoom definitely has the 2nd best video/audio quality/latency after FaceTime (and you can't use FaceTime for meetings where even one person doesn't have an Apple device).
Probably because it was so easy to use. In my professional capacity I have used probably a dozen different conference software, and Zoom is by far at/near the top in terms of stability, usability and client install experience.
I've used a fair amount of WebEx (hosting and attending "meetings"). I don't particularly like WebEx, but Zoom feels like a cheap knockoff in comparison. I think Zoom is doing a better job marketing to individuals than the older players in the market.
WebEx is challenging - I work with industry partners who use WebEx and it just seems clunky.
I do think WebEx does some things better than Zoom (I like to share 2-3 apps - for Zoom it's 1 at a time or entire desktop) but Zoom has led to better client adoption for us.
> why is it Zoom that is blowing up because of this and not any of the other companies?
I suspect it seems that way because Zoom was already more aggressively seeking media spotlight as a growth startup, and experiencing more rapid growth in terms of multiples because it had a much smaller install base to start with than established competitors. Also, Zoom is the center of its company's business whereas Slack and Webex are just part of a large stable for their respective firms.
Several people in other comments explain that you could have a password protected session, or a session in which users must be waiting in a lobby until someone approves their admission. This seems pretty normal, and I think here Zoom may not be able to do much more.
But I have the feeling that this is difficult in practice to use for an AA meeting. I'm actually lucky enough not to have the need to participate in such a meeting, but from what I understand of it, the anonymous part is important, as well as the possibility for newcomers to participate. I doubt for these reasons that AA meeting groups have a list of clearly identified participants, to whom they can send a password protected link, or that they could use such a list to check that people are part of the group.
Unfortunately, I'm not sure that this kind of problem can be fixed (technologically; on the non-technology side, we could hope for a world without assholes, but that's only a dream).
Few things that are "free" handle massive numbers of participants well. Yes, Skype for Business etc can, but those options are commercial. There's also less usable, obscure stuff that does OK.
Skype for Business + Outlook integration doesn't even manage to handle chat history correctly, not without glitches that lose you the history for chats every so often. Not fit for purpose.
I'm not really sure this should be called trolling, it's more just harassing/bullying/trespassing. When I think of trolling, at least when it's done well, it's more taking on overly self serious people to get a funny reaction (even if it's obnoxious). It's like a cousin of pranking, it shouldn't be cruel. There can be cruel pranks of course, but that's not the fundamental nature. Like Ken M leaving really oblivious comments on Facebook, or Something Awful forum members joining an online game chatroom as a weird cult ("the path is grey" :D ). Weird, funny, mostly harmless. I mean things like that are obnoxious sometimes but they can be funny and work as satire or social commentary. There's no cleverness to this.
(probably the wrong thing to write on HN since this place is uh not known for its sense of humor)
You get a "Personal" meeting room, which keeps the same ID. You can then create other "named" meetings which get a separate one. That then lets you have different passwords for different meetings.
Happened to my elder sister, who is a teacher hosting video classes due to lockdown in India. Some idiots think it is fun, and the worst thing is that they put a video grab of this on their YouTube channel - themed disruption or something - to drive traffic - yuck, the state of minds! And those who follow such channels. (It is reported to the local cybercell, but it left my sister, who is a bit older for all this technology, very rattled.)
This happened repeatedly and badly in a conference with 2500 people. The root of the cause was that Zoom invite links, by default, contain the password, which then people share, making the password useless. Otherwise it worked great.
If FB didn't have privacy nightmares, they're well equipped to provide the solutions to the enterprise market, given that they probably have the most stable live video platforms, which could be modified to support secure meetings.
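A defender-side check for the point raised in several comments above (the passcode travelling inside the invite link, and whether you can tell from a link that it carries one), as an added example that is not part of the thread or Zoom's own code. It assumes join links of the form `https://<something>.zoom.us/j/<meeting ID>?pwd=<token>`; the sample text and host names are constructed. A link with no `pwd` parameter only shows that the link itself does not carry the passcode, not whether the meeting has one.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed link shape: https://<host ending in zoom.us>/j/<numeric ID>?pwd=<token>
ZOOM_LINK = re.compile(r"https://[\w.-]*zoom\.us/j/\d+[^\s<>\"')]*")


def audit_link(url):
    """Return meeting ID and whether the passcode is embedded, or None if not a Zoom join link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Exact host check so look-alike domains such as "notzoom.us" are ignored.
    if host != "zoom.us" and not host.endswith(".zoom.us"):
        return None
    m = re.fullmatch(r"/j/(\d+)/?", parts.path)
    if not m:
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    embedded = any(k == "pwd" and v for k, v in params)
    return {"meeting_id": m.group(1), "embedded_passcode": embedded}


def redact_passcode(url):
    """Drop the pwd parameter (and any fragment) but keep the rest of the link."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "pwd"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def sanitize_for_public(text):
    """Strip embedded passcodes from every Zoom link in text meant for public posting.

    Returns (clean_text, findings) so the caller can also warn the author.
    """
    findings = []

    def _sub(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:")          # sentence punctuation is not part of the URL
        tail = raw[len(url):]
        info = audit_link(url)
        if info is None:
            return raw
        findings.append(info)
        return (redact_passcode(url) if info["embedded_passcode"] else url) + tail

    return ZOOM_LINK.sub(_sub, text), findings


# Constructed sample announcement (hosts, IDs and token are made up).
SAMPLE = ("Class today: https://example-school.zoom.us/j/1234567890?pwd=Q29uc3RydWN0ZWQ. "
          "Staff room: https://zoom.us/j/9876543210 "
          "Not Zoom: https://notzoom.us/j/1111111111?pwd=abc")

if __name__ == "__main__":
    clean, found = sanitize_for_public(SAMPLE)
    print(clean)
    for f in found:
        print(f)
```

The passcode then has to reach participants over a separate channel, which is the "second access code" idea from earlier in the thread.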
Right now zoom is going through a honeymoon phase. Only us geeks care about its security and privacy. After this is over though, people will start thinking it through and things will look a lot more like how FaceBook is viewed right now...
I'll happily trade my privacy for a video call that works properly. None of the various Zoom issues have been privacy problems that I really care about.
I dunno. My boss is an incredibly tech savvy developer and he loves Zoom and thinks it's fantastic so I don't really see it going anywhere for a while.
My homegroup switched over to Zoom a couple of weeks ago and I have to say, I love it. Like most of you, I'm sitting all day and to be able to join in an AA meeting while walking outside is AMAZING! I can finally get some exercise and not feel like I have to sacrifice one or the other.
To the people of Zoom, thank you for making this time in our life a lot more pleasurable.
The culture and character of this site is being increasingly damaged by attempts at humor in a style common on another popular site, but the site rules discourage us from discussing this.
4chan has existed for like 20 years or something. Has anyone ever thought about a legal way to shut it down and lock up a couple of admins? I'm sure their stupid troll raids have cost billions since it started.
15 years old. Admins grip the banhammer tight on raiding threads, comply with warrants, so it stays up. That activity was driven to other sites set up for that purpose.
Yes, and don't forget to shut down Discord too! They will never be able to use another tool to organize these raids, this is genius. (this is sarcasm, of course)
Yes, shared by the Prime Minister, number and all. What a time to be alive.