Is Zoom Secure?

Should you use Zoom or not?

There has been a lot of controversy & confusion about the security of online Zoom meetings. There have been security experts telling people not to use Zoom, and other tech experts saying they don’t know what all of the fuss is about and that it’s fine to use Zoom. I hope to summarize and clarify a few details about these general recommendations in this post so that you can make a better informed decision. The information presented here comes from my own experience and online references included in this post.

TLDR; I will join Zoom meetings, but I won’t install their software. In my opinion Zoom as a company exhibits a pattern of behavior related to security that makes me not trust the software they produce. This may change in the future, but they’ll have to earn my trust back. In the meantime, there are many alternatives for online meetings from companies that have a history of handling security better than Zoom has.

If you want further reading on this topic, I strongly recommend you read this post by Bruce Schneier, Security and Privacy Implications of Zoom. I have only touched on a few points from his post.

Who has banned Zoom?

There are a number of organizations that have banned Zoom. Some of the companies include: Tesla, SpaceX, Daimler AG, Bank of America, Google (telling employees to use Google Duo instead), Ericsson AB, Smart Communications, and NXP Semiconductors.
Various school districts have also banned the use of Zoom, including New York City’s Dept of Education, Clark County Public Schools in Nevada, and Singapore as a whole.
Then you have the government agencies that have bans in place. This list includes NASA, government agencies in Taiwan, the German foreign ministry, the Australian Defense Force, and the U.S. Department of Defense. The US Senate sergeant at arms has told lawmakers’ offices to avoid using Zoom. Even China started blocking Zoom last September.

History of (in)security at Zoom

Why so much fuss over it? Let’s take a look at Zoom’s record.

Uninstallable security hole

July 8, 2019 – Zoom allows a malicious website to enable your camera without permission.
This is when I decided I didn’t want to install Zoom software on any of my devices. In this case, your system was still vulnerable even after uninstalling Zoom. Apple stepped in and silently sent out a patch to fix Zoom’s problem.
March 20, 2020 – Zoombombing – where someone uninvited joins and disrupts your meeting
March 31, 2020 – Zoom doesn’t use end-to-end encryption even though they say it does
April 1, 2020 – It could be used to steal Windows login credentials.
April 2, 2020 – It secretly displayed data from people’s LinkedIn profiles.
April 3, 2020 – It appears that no one at the company has an adequate grasp of cryptography.

Zoom behaves similar to malware

Example #1: Incomplete uninstall process – Have you tried to uninstall malware before? It seems to never go away, or it cripples your system in the process of getting removed. (See July 28, 2019 above for details)
Example #2: Zoom makes it difficult to join a meeting without installing their software. Try joining a Zoom meeting in your browser. They do everything they can to get you to download and install Zoom before letting you join the meeting. Here is what you have to go through.

First you click on your meeting link and this comes up. Hey look, the only option is to “download & run Zoom”.

After waiting for a few seconds, you get another prompt to “download & run Zoom” or “launch the meeting” (which means download & run Zoom).


Then, after finally clicking on “click here” and waiting a few more seconds, you get a small link to “join from your browser”. You’d think they don’t want you to do that!

Recommendations for using Zoom, if you must

  • Join Zoom meetings through the browser. Only install the Zoom software if necessary.
  • If you are hosting a meeting, set and distribute a password to those that will be attending. Don’t share meeting passwords in public spaces, such as social media.
  • Use a waiting room when possible to control who enters your meeting.

In Summary

Should you stop using Zoom completely? Unless you’re discussing state secrets or things that are extremely sensitive in your meetings, I don’t think that is necessary. But here are a few precautions that you can take:

I can hear some people saying, “All software has security holes, Zoom isn’t that bad.” It is true that all software has security holes. But if I have an alternate option that comes from a company with a proven security record, a development process that includes security, and a habit of quickly patching holes when they’re found, I’ll choose that.

Here are a few alternatives to Zoom:

  • Google Meet (formerly Hangouts)
  • Microsoft Teams
  • Slack
  • Cisco Webex
  • GoToMeeting
  • Skype
  • FaceTime
  • Signal
  • Discord
  • WhatsApp
  • Jitsi

References:

(June 15, 2020) Edit to add: On the surface, Zoom has been taking some actions that might improve their security. But they’re still not doing all they can. More info here.

Introduction to the Raspberry Pi

Links are below the slides…

Here are a few links to get you started:

Shopping list (full kit here – without keyboard/mouse)

  • Raspberry Pi 3 model B – $35 (here or here)
  • 8GB micro SD card – $7  (here, get a bigger one depending on how much data you plan to store on it)
  • Case – $5 (here or here, or a fun one here)
  • Power Supply – $8 (here)
  • USB keyboard & mouse – $9 (here)

This site has a lot of sensors, add-ons and projects for the Raspberry Pi.

Project links

Open Letter to Rep. Webb on HB60

I just sent this email to Rep. Webb. I’ll be updating this post with any replies or conversation that continues as a result.


Subject: HP60 questions

Hello Representative Webb,

I'd like to better understand how HB60 benefits citizens and businesses in Utah. It seems like it hinders competition between ISPs which means higher prices for Internet access.

For example, let's say people or businesses in an area (business park, new house development, or existing neighborhood) want to foot the bill to have fiber installed and allow those people or businesses in that area to connect using an ISP of their choosing. Allowing this extra competition between ISPs means lower Internet costs for those people or businesses in this scenario.
It appears that this bill prevents such a thing from happening with no real benefit to the people.

I figure I must be missing something, will you please help me to understand why HB60 is a good thing?

I'm anxiously awaiting your reply.

Thanks,
Michael

President
Millcreek Systems, Inc.

Amazon AWS reduces prices again!

Amazon has reduced their AWS prices again. Hourly instances have been reduced by anywhere from 2% to 30% depending on the instance type and location. Outbound bandwidth prices have been reduced anywhere from 26% to 83% depending on the location you’re using.
You can read their announcement for all of the details.

Amazon Lowers S3 pricing

It seems like Amazon is always giving you more bang for your buck.  Today, they reduced S3 pricing.  Here is how they’re changing effective Feb. 1:

                Old       New
First 1TB       $0.140    $0.125
Next 49TB       $0.125    $0.110
Next 450TB      $0.110    $0.095
Next 500TB      $0.095    $0.090
Next 4000TB     $0.080    $0.080 (no change)
Over 5000TB     $0.055    $0.055 (no change)

Here is where you can get full Amazon S3 price details for all regions.