[HN Gopher] 'War Dialing' tool exposes Zoom's password problems

Author : feross
Score : 307 points
Date : 2020-04-02 18:41 UTC (4 hours ago)
Link : krebsonsecurity.com

andrewstuart wrote:
| How hard is this for them to fix?

saagarjha wrote:
| Not hard, everyone needs to password-protect their meetings.

rayvd wrote:
| Why?

diebeforei485 wrote:
| Generating a random 6-digit passcode for each meeting by default? Not hard at all.
|
| Rate-limiting incorrect password attempts could take a bit longer to implement, but still not a particularly difficult problem to solve.

chrismarlow9 wrote:
| I never understood "presenter will let you in" security. It's based on someone letting me in if they recognize my recorded name and that I work there? Surely that won't backfire in a world where everyone posts every detail about every day of their life online. I mean who even uses LinkedIn anyway?

wolco wrote:
| They may decide there is nothing to fix. If you want to use a password you can... but don't force it on the average user who would trade having no password with the potential of someone random joining.
|
| If you want to keep it private use a password.

[deleted]

crazygringo wrote:
| I worked in videoconferencing for a while. When it comes to meeting identifiers, striking the right balance between ease of use and security is really hard.
|
| On the one side, maximum ease-of-use is a name or code short enough for someone to say over the phone. "Here, just jump into the videoconferencing meeting 'mikefred' or 'john10' or '39584'". That works particularly well for small meetings where it's immediately obvious if someone else joins and you can stop talking and ask them who they are and kick them out if they shouldn't be there.
|
| On the other hand are long random identifiers in a space large enough they're impossible to guess. If you're joining a meeting from a link then nobody cares, but if you're telling someone over the phone or typing it into the phone it _sucks_. (And you are _very often_ needing to jump from one form of communication to videoconferencing, where there's no way to "just paste a link" into the initial form.)
|
| There's also no real difference between a short meeting name plus password and a long meeting name, except that passwords tend not to be displayed on screen so it's even harder to find it to tell someone over the phone.
|
| Also there's another big issue in how easy or convenient you make it for people from within your domain/company to join, versus outsiders. Half the company wants to make it harder for outsiders to join (for security), the other half (salespeople) want it to be easier.
|
| The only solution, unfortunately, is educating users to understand the differences. Zoom already has most if not all the necessary options, even modes like "waiting room". But the same options will never work for every meeting. Whoever hosts a meeting needs to understand the options. There's just no substitute.

pdehaan wrote:
| For the phone-only route, it seems like you could still mostly automate it by going old-school. Give the host an option to play the meeting code as a DTMF signal (or whatever) while the other person holds their phone near the mic.

kelnos wrote:
| This is a really good point, and I actually sympathize with how difficult it is for Zoom to strike the right balance here.
|
| If the only method of operation here were for people to invite others by copy/pasting a URL, and the invitees' only method of joining were to click on that link, then long UUIDs or such would be just fine.
|
| But Zoom lets you dial in audio-only from a regular phone.
| You simply just cannot use "long random string" as an identifier if you're expecting someone to punch it into a telephone keypad. Even having a 9- to 11-digit meeting code plus say a 6-digit passcode would be a burden for some people, though it's really the only way to do that portion of it right.
|
| Now, one thing I do _not_ cut Zoom any slack for is having an API where you can request validity and status of any meeting ID, without any rate limits placed on it. That's Security 101 right there.

aidenn0 wrote:
| I don't know if botnets are still a thing, but it used to be that any rate-limits needed to be multiplied by 10k for even a modest attacker, as being able to query from 10k unique nodes was a fairly trivial problem by renting a botnet.

_red wrote:
| All good points.
|
| There is no reason why short meeting codes + 2-3 sec delay before joining + temporarily banning users who enter more than 10 invalid meeting codes in a row can't work.
|
| There are ways to improve the security without putting it on the clients' shoulders. A 6-digit room code is fine if a person can only "war dial" 10 tries before being banned for an hour or so.

cbsmith wrote:
| There's a really good reason why that wouldn't work. There's no reason why a war dialer can't create millions of users. The 2-3 second delay doesn't really accomplish much unless you limit their capacity to have requests pending.

bscphil wrote:
| s/users/ips/

Slartie wrote:
| With IPv6, I can assign myself a gazillion perfectly routable unique public IPs.

xboxnolifes wrote:
| What about a long, unique identifier for the baseline, and the ability to generate temporary, single (or `n`) use, short identifiers that can be used when speaking the id?
|
| Clicking a long ID link takes practically no training, and entering a short ID would only require training the salespeople how to generate one (which should only be a few clicks tops).
|
| This way, a conference is secure by default and easy for people to join by link, and is still easily accessible by code for when needed.

wyattpeak wrote:
| When I think about having two different solutions for two slightly different use cases, my mind always goes to Microsoft's decade-long battle to teach their users the difference between Standby and Hibernate.
|
| There was very real value in the distinction to those who used it, but it proved so irresolvably confusing to the vast majority of users that eventually they pulled the plug and just gave the one Sleep option.
|
| Educating users about technicalities they've probably never thought about is really hard. Doing so without an actual training session, just through interface, verges on impossible. And if Microsoft couldn't convince businesses to train their users, I doubt Zoom can.

afrcnc wrote:
| Hey... I created a tool that can hack Zoom meetings faster.... let me tip Brian Krebs about it and advertise it to the world.
|
| I don't understand why this article exists. It's like a beacon for all the bored skidz now.

jfjrjri9nn wrote:
| They're explaining how seriously they take security using Wordpress.

david_shaw wrote:
| I know that WordPress doesn't have the greatest security record, but it seems unfair to judge an organization for using WP.
|
| Many, _many_ respectable businesses use WordPress for their brochureware or corporate blogs. In my experience, it's not a security nightmare if it's well maintained.

gchamonlive wrote:
| Sometimes it is not just a matter of good maintenance. WP has bad quality control for plugins and that can be catastrophic: https://wordpress.org/support/topic/amazon-cloudfront-invali...
|
| > I have had the same issue with the plugin. This was on a simple WooCommerce site with a few thousand products. Notice it incurred over $6,000 in fees.
|
| > Amazon CloudFront Invalidations                            $6,485.76
| > $0.000 per URL - first 1,000 URLs / month.     1,000 URL       $0.00
| > $0.005 per URL - over 1,000 URLs / month.  1,297,151 URL   $6,485.76
|
| After a user reported a plugin costing his business over 6000 USD, months went by without proper attention to this issue. If there was good quality control, the plugin should have been pulled. It just shows how the ecosystem is not designed with robustness and security in mind.
|
| But I agree, WP cannot be a proxy to judge how companies treat security. This just illustrates how bad WP itself is.

elwell wrote:
| If you think you can find a security hole in their blog, ask them for a bug bounty.

cs702 wrote:
| One positive thing about all these horrendous security flaws that have been recently discovered in Zoom, due to its popularity, is that the company seems to be taking them seriously, recently instituting a feature freeze to focus on fixing them: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u...
|
| As a consequence, I suspect Zoom's security is more likely than not to improve going forward... although it will surely take a long while. Security is _Capital-H Hard_.
|
| Also, I cannot think of any other multi-video-conferencing solution that "just works" and has been as thoroughly stress-tested and attacked by bad actors in the wild at such a large scale. If Zoom does a decent-to-good job fixing all the security issues, it looks likely to continue to dominate its market.

bluntfang wrote:
| > recently instituting a feature freeze to focus on fixing them
|
| Or they're having productivity problems like every other company right now and are spinning it to seem like they are on top of things. These security issues have been around for years.

dang wrote:
| Discussions: https://news.ycombinator.com/item?id=22757697
|
| https://news.ycombinator.com/item?id=22756730

Spooky23 wrote:
| I'm not a fan of Zoom...
| But the pile-on of grief is ridiculous.
|
| The "war dialing" issue is a great example. Webex has had the exact same "flaw" for a decade, with the exact same solution - set a meeting password. Other solutions like Google Meet or Skype have the "lobby" approach.

somethoughts wrote:
| Fun fact - perhaps not widely known and perhaps why it shares a similar philosophy as Webex:
|
| Zoom was founded in 2011 by Eric Yuan, a lead engineer from Cisco Systems and its collaboration business unit WebEx.[1]
|
| [1] https://en.wikipedia.org/wiki/Zoom_Video_Communications#Hist...

teraflop wrote:
| IMO, when it comes to security, the fact that other people have made the same mistake makes a design flaw more egregious, not less.

RobotCaleb wrote:
| Why do people keep saying it just works? It just works if you install their app, probably. But audio doesn't work at all in Firefox. That's not really "just works" for me.

wutbrodo wrote:
| Yea, Hangouts is a lot more "it just works" than Zoom is for me. That being said, the quality of the actual calls on Zoom is _way_ better than Hangouts.

devin wrote:
| I mean, I don't really know how "consistently high call quality" is not the most important feature of any video chat application. My experience on Hangouts has always been garbage. Delays, choppy sound, my machine starts going insane while rendering other people's live video. It may just work in the sense that you can immediately use it, but if even 20% of the time you use it the call quality sucks, then it's a crap product IMO.

devin wrote:
| I'm not sure about "just works", but I am sure about "works" in the sense that it is head and shoulders above every other video chat app I've used when it comes to audio and video quality, especially for large numbers of participants, audio sharing, document camera sharing, multiple participants sharing simultaneously, and there are plenty more.
|
| I've never used the web version, but it wouldn't surprise me if it's not the same experience. The video and audio encoding and decoding stuff seems like it just makes more sense as a native app. Given the number of variables that browsers, versions, sandboxing, etc. bring to the equation, I can tell you where I'd spend the majority of my efforts if I were doing video chat: on a great native app. You have a lot more control over that experience, IMHO.
|
| Anyway, your comment reads to me like someone who will never install it, but I would encourage you to at least test out the difference to see why it's become so popular.

r00fus wrote:
| Neither does Webex's browser version - even though I give it permissions, audio requires Webex to call me.
|
| Latest Safari/macOS.

ryandrake wrote:
| Pro: A worldwide, motivated, unpaid volunteer team is doing their thorough security audit, privacy review and QA testing for them.
|
| Con: After the product was released :)

heipei wrote:
| Oh the number of times I've been on 20+ people Zoom meetings which were interrupted after a minute by someone asking "Hold on folks, who is the phone-user who just dialed in?" Or whenever someone connected who had the wrong nick set (happened on Linux) and hadn't turned the video on yet, which basically meant the conversation stopped until the new arrival had identified himself.

fock wrote:
| I think a tool which is basically yet another webchat solution but tries to push their omnipotent app onto you, no matter what, has some issues beyond security. All the "user"-friendly execution looks like some 2002 Nigerian adware. I guess user-friendly is really easy if your app can never be closed (not sure about that), can't be uninstalled and you nag the user twice to actually really start that app before allowing them to use a runtime under their control.
brundolf wrote:
| [deleted]

saagarjha wrote:
| That wasn't really arbitrary code execution.

jascii wrote:
| I always wondered why teleconferencing systems don't incorporate a workflow where people connecting in need an approval from the organizer before actually entering the meeting.

zwily wrote:
| Most do, but in Zoom it's off by default. (Waiting room)

bronson wrote:
| And it's a responsibility/pain for the facilitator when it's on. Often they'll be caught up in the meeting and leave anyone who arrived 3 minutes late to spend the rest of the meeting waiting to be admitted.

twistedpair wrote:
| Why doesn't Google Hangouts/Meet have this issue?

beckingz wrote:
| Hangouts has this issue as well.

markthethomas wrote:
| https://unicorn.computer/zoom-wins-malware-of-the-year-march...

elwell wrote:
| Chatroulette Zoom Edition

curiousgal wrote:
| Hey look it's Mr "it's 2020 but I still don't give a shit about mobile users". Why would anyone want to alienate a substantial number of users especially if they're serving ads on their blog?

criddell wrote:
| Maybe it isn't a substantial number of users?
|
| FWIW I loaded the article on my Pixel 2 and it looks fine. In the Chrome browser if you double tap on the article text it zooms in to the article.

ebg13 wrote:
| > _Hey look it's Mr "it's 2020 but I still don't give a shit about mobile users"._
|
| Nobody owes you their site behaving a certain way on your phone.

gjs278 wrote:
| are those metal implants for your head?

curiousgal wrote:
| It's not really about entitlement. He's the one benefiting from people consuming his content, why not make it more accessible? All at the cost of some CSS rules.

ebg13 wrote:
| > _It's not really about entitlement._
|
| The tone of your opening sentence fooled me then.
|
| > _why not make it more accessible?_
|
| Maybe because he doesn't give a shit about mobile users.
catalogia wrote:
| > _accessible_
|
| For what it's worth, his website works better with my screen-reader than most modern-style websites.

saagarjha wrote:
| Not having password protection enabled seems like an unfortunate default, but I guess it's not that surprising given the number of "barriers" that Zoom attempts to bypass when you join a call.

[deleted]

Twirrim wrote:
| I feel a little bit sorry for the Zoom devs. All of a sudden there are a _lot_ of eyes on Zoom. Every design decision and mistake is under a big microscope, while also presumably having to deal with some major scaling.

tpmx wrote:
| It's a ~2k person company with a market cap of $34B. So the valuation is $17M per employee.
|
| I don't feel sorry for them.
|
| Also: this crisis is giving them vast amounts of marketing for free.
|
| I'm based in Sweden. I was just vaguely aware of Zoom until a few days ago - now I suddenly hear of them all of the time from Late Night hosts on YouTube.

Twirrim wrote:
| The developers are still people. Doesn't matter the size of the company, it's still a bunch of individuals who are likely suddenly dealing with a lot of stress and pressure that could never have been predicted, or have opportunity to scale up their engineering to meet.

tpmx wrote:
| Yeah.. no.
|
| Only on HN could these winners become "victims".

obmelvin wrote:
| I'm sure there are plenty of people who would be delighted to be in that situation. At the end of the day Zoom is looking to stay a run-away success - assuming eng is being compensated appropriately it's really one of the best problems one could have in a job.

0xff00ffee wrote:
| It's 1985 all over again: I'm in my bedroom running a ProDOS wardialer on my 300/1200 baud AppleModem; I have found zero computers, but it is fun watching the numbers flick past, hoping that I, too, can discover a WOPR and start global thermonuclear war.
trhway wrote:
| > It's 1985 all over again
|
| I think it is even earlier than that:
|
| > Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits.
|
| 8 char passwd and 16 digit credit cards came way before 1985.
|
| Never mind, I have committed to memory our daily scrum 9 digit pin code :) Very convenient. And if somebody else were to dial in uninvited into our scrum ... well, it is at their own peril as it carries (especially for a person not hardened by a long tenure at a BigCo) the risk of brain damage, loss of ability to perceive reality as it is, spontaneous suicidal desire, etc.

icedchai wrote:
| Most Unix systems had 8 character password limits well into the 90's (a limitation of the original DES-based crypt.)

softwaredoug wrote:
| Yeah but this time, it's as easy as guessing a world leader's zoom meeting, and tricking them into believing something preposterous

chefandy wrote:
| Modern Version: "Shall we play a game?" "Love to" "!!To play Global Thermonuclear War, you must first update your flash player. Click here!!"

the_af wrote:
| An even _more_ modern version:
|
| "Shall we play a game of Global Thermonuclear War?"
|
| "Sure!"
|
| "Updating Steam client... It seems you're connecting from a new device! Please check the 2FA code sent to your email... Downloading more updates... Here are some popups about unrelated games... Please register an account with MS Game Live!... Downloading patches... [error in wopr.dll]"

kortilla wrote:
| Those red exclamation points have convinced me this is legitimate.

wolco wrote:
| I remember a Montreal morning show doing this via phone and tricking a few world leaders. Hopefully some funny things come out of this.

saagarjha wrote:
| Hopefully we don't have any unfunny things come out of this.

hobs wrote:
| Supposedly Captain Crunch got on the phone with Nixon, so it isn't that far off.
kardos wrote:
| Zoom is pretty lucky to get so much free security scrutiny. I hope they make the most of it and fix all of these issues..

floatingatoll wrote:
| Three of the big issues reported in the past week have also been corrected in the past week, so they're certainly trying.

catalogia wrote:
| > _"KrebsOnSecurity is not naming the companies involved"_
|
| This chart suggests that one of the companies they found was an aerospace company: https://krebsonsecurity.com/wp-content/uploads/2020/04/zward...
|
| I wonder if this is related to the news yesterday that SpaceX has banned the use of Zoom.

moftz wrote:
| SpaceX seems big enough that they pay for a self-hosted meeting suite. I've worked at a couple places that use WebEx that is self-hosted. You can only access it via dialing the number (from any phone) or by being on the VPN to see the shared presentation. Trying to log into the public version of WebEx gives you an unknown user error. Someone could still wardial their way into the call but it would require getting the non-public phone number and guessing the meeting number AND possibly guessing a meeting password.

devit wrote:
| Not a good idea to use 9 to 11 digit long IDs with no password requirement by default; they should have used at least 128-bit random ids, i.e. 21 character long base64-encoded strings.

umvi wrote:
| Yeah but then it sucks for people calling in to have to punch in a 21+ character long meeting ID

toomuchtodo wrote:
| Could you not use a telephone intent, where the meeting ID is the suffix to the dial-in number with commas for any necessary pauses? Skype for Business meeting invites have this. Zoom might then support inviting mobile phone conference participants using SMS, containing the link (think weak 2FA).
|
| Example: tel://18005551212,,<meeting_id>#

anamexis wrote:
| That's not helpful when you have to punch it into a conference room speakerphone.
|
| I did once put together a hack that would scrape the meeting ID from the Zoom UI and emit the touchtones from my laptop to dial in.

toomuchtodo wrote:
| There is always a trade-off between security and usability. I like your hack though, any chance you'd put it on GitHub?

PeterCorless wrote:
| The most secure computer is a non-networked standalone box sunk in concrete, hidden at the bottom of a deep sea trench. It is not, however, very usable.

anamexis wrote:
| I haven't used it in a while, so I wouldn't be surprised if the Zoom bit is broken, but here it is:
|
| https://gist.github.com/micahbf/91a295016f4472b47acfe317d714...

josteink wrote:
| > Yeah but then it sucks for people calling in to have to punch in a 21+ character long meeting ID
|
| I may be out of touch with the average biz-guy, but how many people are realistically calling in manually, over traditional phone lines these days?
|
| Is it really a significant percentage?

nevi-me wrote:
| I've been working from home since before the lockdown in my country. Since the lockdown, the number of online meetings that I have in a day has tripled. I think in about 2-3 meetings a day I have problems with microphone/hearing, and end up dialing in from my phone. This is normally for Skype for Business meetings.
|
| The same tends to happen with a few colleagues ... Some anecdote.

RHSeeger wrote:
| I call in for every meeting I can. My hearing is poor; the sound quality on the computer just isn't good enough for me. Then add in that my computer is heavily loaded, so its ability to encode/decode sound is degraded.
|
| I have a high quality desk phone on a land line (admittedly, VOIP from FIOS, but not via my computer) and I will fight tooth and nail to keep it.
|
| All that being said, I'm comfortable typing in an arbitrary length password on my phone. All I ask is that it be formatted to make that easy (groups of 3-4 numbers with spaces).
azinman2 wrote:
| My husband is a market researcher, and is now conducting market research over Zoom & other platforms. The first thing he does is have _everyone_ dial in. It's been a major help in reducing latency and dropped packets, which in turn has a majorly positive effect in getting strangers to be able to talk normally with each other. It helps prevent the "you go no you go" as latency allows people to unknowingly step over each other.

techopoly wrote:
| My place of work didn't have a soft-phone connection to our computers until this COVID-19 mess started. I imagine we weren't alone.

apocalyptic0n3 wrote:
| Far greater than you would expect, I think. This is anecdotal, but we're an admittedly small company (~20-25 employees) and all of our interactions with other companies (clients) are either direct line-to-line or if we do a conference call, we all call in over the phone. Many of the companies who send us WebEx or join.me or Hangouts Meet or whatever invites only send the phone number even, not even bothering to give us a link (and if you go to the room manually in your browser, you're the only one actually connected via computer)

[deleted]

larrik wrote:
| Most of my zoom meetings have at least 20% dial-ins.

lonelappde wrote:
| From landlines?

larrik wrote:
| usually cell phones, but no one wants to install the app

wolco wrote:
| Don't forget soft phones.

randycupertino wrote:
| Working in global research, 40% of our ROW (rest of world) sites and vendors use landline or cell phones to join our meetings, depends on their institutional security and IT settings.

lonelappde wrote:
| Smart phones can dial a long code in software. Only dumb phones and landlines can't

kube-system wrote:
| Some smartphones, using some applications, and some input devices, can dial some long codes.
|
| Jim from sales who is dialing in from his company's oddball calendar app over Bluetooth on the infotainment system in his rental car probably can't.

kube-system wrote:
| When I did consulting, almost every meeting had at least one dial-in. If you didn't include a dial-in, you'd be guaranteed to either get a request to add one, or you'd get people who didn't show.
|
| There was always:
|
| 1. someone who was on the road - a traveling consultant or someone in sales
|
| 2. a client or potential who called in because of the same, or because they don't sit at a computer all day and/or don't have a headset for their computer.
|
| 3. People in a conference room
|
| 4. a client who sucks at computers and dials in because they can't figure out how to install the latest version of CiscoGoToZoomMeetingWebEx.exe in IE8 on their macbook.

jedieaston wrote:
| Yes. If you're in a conference room and it's not a Zoom Room(tm), or has a Cisco system, or whatever, you have to use the conference phone. You might be able to tell the Zoom meeting host to call the conference phone and bring it into the meeting, but it'd be easier just to type the ID in (unless it was really 128 char, but then that'd give people a reason to buy new conference hardware I guess).
|
| Also if you don't want to install the Zoom client, you can just dial in from your cell phone or desk phone.

Nextgrid wrote:
| The telephone dial-in option should've been separate - if the user chooses to enable it then they can fall back to shorter IDs, while meetings that don't need it (or where it doesn't make sense anyway - screen shares, presentations, etc) would use longer, more secure IDs.

azinman2 wrote:
| which means all you gotta do is war dial the phone network...
Nextgrid wrote:
| Even if the phone dial-in ID were enabled by default (which isn't what I am suggesting), the extra latency and cost of brute forcing them over the phone network will make these attacks much harder.

bobbyi_settv wrote:
| The "just works" nature is why Zoom is popular. No one wants to have every meeting start with "Is Larry here? Oh, I think he's trying to dial in. I'm going to cancel this meeting and send out a new ID so he can dial in. Everyone watch for that so you can reconnect"

Nextgrid wrote:
| The second ID can be generated in addition to the first, primary ID.

Symbiote wrote:
| As we've used it at work, the phone dial-in option is the backup plan -- useful when people can't set up their computer's microphone correctly, or lose Internet access for whatever reason.

panarky wrote:
| What's worse, entering a 21-character meeting ID on the phone, or entering an 11-character meeting ID plus a 10-character password?

chapium wrote:
| I've always preferred conf systems with a call-me-at function better anyway. With most lines, sign in over phone is a horrible waiting game where one missed digit means sitting through instructions for another minute.

shiado wrote:
| It's an incredibly simple thing to screw up. I wonder where else they use low entropy random strings. I wonder if their password reset functionality can be brute forced too. Another problem is where they put rate limiting as it seems probable based on this article there are holes.

jlmorton wrote:
| I mean, this is intentional. They even allow you to set your meeting ID to a well-known number, like your company's published phone number.
|
| If you want to join the all-hands meetings of a company I used to work for, you only need to go to their website and look up their primary phone number. That's the Zoom meeting ID.

andor wrote:
| Real engineering is about compromises.
|
| In this case, relatively short numeric meeting ids allow users to dial in via plain old phone lines. If my meeting guests had to enter a UUID via their phone keypad, they would probably skip the meeting instead.

shiado wrote:
| That actually makes sense, I didn't know you could dial in with a phone.

KaoruAoiShiho wrote:
| Every time I read about a Zoom "screwup" I see a feature that's UX centric. It's pretty cool tbh.

pkulak wrote:
| Or my personal favorite for anything you show to a user:
|
| https://www.crockford.com/base32.html

bo1024 wrote:
| Good idea for this! But trickier for phone calling into a conversation. They could also just add 3 digits and a slight delay in their connection API, making it much harder to brute force, albeit only by a constant factor.

diebeforei485 wrote:
| This is likely to support dial-in over the telephone network.
|
| I think "no password" is the bigger issue, because repeated attempts with incorrect passwords can be rate-limited. Zoom should be generating a random 6-digit password for each meeting by default.
|
| There may be use cases for not having any password, but that should be explicitly opt-in and have a warning message to every participant that anyone can join and broadcast in this meeting.

x0x0 wrote:
| They are as of the update to my client this morning.

disiplus wrote:
| I'm sure the reason for that is the UX. Zoom had a reputation of "just works" and part of it was that it is so easy to jump in to a meeting. If now I have to manage access and so on, it would not be "it just works" like it was

lonelappde wrote:
| In this context, a password is the same as an id.
|
| There's never a reason to share the id without the password.

spacehunt wrote:
| How would that support phone dial-ins? (Yes, lots of people still dial into meetings all the time.)
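The rate-limiting thread above (kelnos on the un-throttled meeting-status API, _red's "ban after 10 invalid codes for an hour", cbsmith's objection that a war dialer can mint millions of accounts, bscphil and Slartie on keying by IP when IPv6 hands every host a /64, aidenn0's 10k-node botnet multiplier, and diebeforei485's point that password attempts can be rate-limited) is worked through as an added example. This is not Zoom's implementation. The 10-miss / 1-hour numbers are _red's; the /64 and /24 bucketing, the 10-minute streak window, the fleet-wide miss budget and the meeting IDs in the sample are assumptions made for the example.

```python
"""Rate-limiting meeting-ID probes. Added example, not Zoom's code.

Charges every lookup against keys an attacker cannot mint for free: IPv6
clients per /64 (one host owns every address in its /64), IPv4 clients per
/24 (assumption; per-address is the common choice), logged-in clients also
per account. A fleet-wide miss budget covers the botnet case, where any
per-client limit is multiplied by the number of nodes. A banned client and
an unknown ID get the same answer, so the endpoint is not an oracle for
"is this meeting live?". Thresholds other than 10 misses / 1 hour are assumed."""
import ipaddress
import time

MAX_MISSES = 10                # invalid codes in a row before a ban
BAN_SECONDS = 3600             # ban length
STREAK_SECONDS = 600           # assumed: misses closer than this count as "in a row"
GLOBAL_MISSES_PER_MIN = 5000   # assumed fleet-wide miss budget


def client_bucket(ip_str, account_id=None):
    """Keys a lookup is charged against: the client's network block, plus account."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 64 if ip.version == 6 else 24
    net = ipaddress.ip_network((str(ip), prefix), strict=False)
    keys = [f"net:{net}"]
    if account_id is not None:
        keys.append(f"acct:{account_id}")
    return keys


class ProbeLimiter:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock for testing
        self.misses = {}            # key -> timestamps of recent misses
        self.banned_until = {}      # key -> unix time the ban lifts
        self.global_misses = []     # timestamps of all misses, any client

    def is_banned(self, keys):
        t = self.now()
        return any(self.banned_until.get(k, 0) > t for k in keys)

    def global_budget_exhausted(self):
        t = self.now()
        self.global_misses = [m for m in self.global_misses if t - m < 60]
        return len(self.global_misses) >= GLOBAL_MISSES_PER_MIN

    def record(self, keys, hit):
        """A hit resets the client's streak; a miss extends it and may ban."""
        t = self.now()
        if hit:
            for k in keys:
                self.misses.pop(k, None)
            return
        self.global_misses.append(t)
        for k in keys:
            streak = [m for m in self.misses.get(k, []) if t - m < STREAK_SECONDS]
            streak.append(t)
            if len(streak) > MAX_MISSES:
                self.banned_until[k] = t + BAN_SECONDS
                self.misses.pop(k, None)
            else:
                self.misses[k] = streak


class MeetingDirectory:
    """Toy meeting lookup fronted by the limiter."""

    def __init__(self, meetings, limiter):
        self.meetings = dict(meetings)   # constructed sample: id -> meeting info
        self.limiter = limiter

    def lookup(self, meeting_id, ip, account_id=None):
        keys = client_bucket(ip, account_id)
        if self.limiter.is_banned(keys) or self.limiter.global_budget_exhausted():
            return None    # indistinguishable from "no such meeting"
        info = self.meetings.get(meeting_id)
        self.limiter.record(keys, hit=info is not None)
        return info


if __name__ == "__main__":
    clock = [0.0]
    directory = MeetingDirectory({"123456789": {"host": "alice"}},
                                 ProbeLimiter(now=lambda: clock[0]))
    # Eleven misses from eleven different addresses in one IPv6 /64 share a budget.
    for i in range(11):
        directory.lookup(f"{i:09d}", "2001:db8:1:2::" + format(i + 1, "x"))
    print(directory.lookup("123456789", "2001:db8:1:2::ffff"))   # None, the /64 is banned
    clock[0] += BAN_SECONDS + 1
    print(directory.lookup("123456789", "2001:db8:1:2::ffff"))   # {'host': 'alice'}
```

Two design points worth keeping when adapting this: the streak is reset on a hit, so a legitimate user who fat-fingers a digit is never penalised for long, and the ban check runs before the directory is consulted, so a banned client cannot learn whether an ID exists from timing or from a different response.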
NikolaeVarius wrote:
| I enjoy being able to dial meeting IDs into my phone

wgjordan wrote:
| I would also enjoy being able to punch in '12345' as my password everywhere instead of launching LastPass all the time, but I accept that some conveniences aren't worth the security consequences.

kube-system wrote:
| That's a fine compromise for internal teams.
|
| For those working with current or potential customers remotely, you have to use a solution that is convenient or you don't make money.

motohagiography wrote:
| This is what technical debt gets you.
|
| I really don't know that Zoom has a lot or much at all, but I do know that a number of viable solutions to this could be taken off the table internally because they probably made tech debt commitments in their architecture during their scale-up phase that prevent bolting on obvious fixes. I have a lot of sympathy for their position. They aren't evil or bad, but they could do a massive mea culpa PR coup on the level of the Netflix culture deck if they did a case study retrospective about the effect of tech debt on scale at critical moments.
|
| It's also a product management fail, where that lack of transparency on encryption is what a project manager would pull, where a smarter product manager would have weighed the cost of losing their e2e-crypto compliance market.
|
| I can also see why they have security issues because today, security people are on a much longer-tailed skill distribution than they were 10y ago and it's hard to listen to most of us. Getting someone to approach it as, "ok, we get that a 9-digit key is literally your product's selling UX advantage, let's see what else we can do" is exceedingly rare. Privacy has massive brand implications. Remember BlackBerry?
They launched a new flagship | tablet product while their CEO got into an issue with government | surveillance and the story became about their risk in India and | Asian markets and not whatever that product was called. Zoom's | story is becoming about privacy problems too. | | PMs need to be smarter about this. | softwaredoug wrote: | I think you overestimate the reliability of the alternatives. | | Zoom focused all their early engineering muscle on reliability. | When we build new products, we don't have infinite resources to | attack every front simultaneously. We have finite resources to | prove a concept, and we incur debt in just about every other | dimension. | | Now that everyone is using them (precisely because of | reliability) the emphasis becomes other things - UX, security, | etc. | | Tech debt is what the 2nd generation of engineers gets to | complain about after the 1st gen made the product successful at | something. | motohagiography wrote: | That last statement, I'm there with you on. Tech debt is | necessary; it could even be renamed "tech leverage," because | that's what a lot of it is. | | My thing is that there are tons of potential ways to mitigate | zoombombing, even incrementally, and that they haven't or | chose not to indicates it's because there were cost barriers | to doing it. It has the tech debt smell, and it's what I've | seen in other orgs. | jariel wrote: | It's not technical debt, because it was not a problem before. | | More likely just a poorly designed system. | | Security is always a game of 'staying ahead' - with a totally | new userbase context, the security parameters have changed | under their feet. So now they need to quickly adapt their | product to the new context. | | A vastly new usage context is going to create all sorts of | stresses. | dylan604 wrote: | >It's not technical debt, because it was not a problem | before. | | You mean it wasn't a problem before just because it wasn't | being actively exploited before? 
A problem is a problem | regardless of whether it is as yet undiscovered. Or do you mean it | wasn't a problem because it wasn't preventing any forward | progress on the product? | deegles wrote: | > This is what technical debt gets you. | | Becoming one of the top names in video conferencing and | displacing dozens of established players virtually overnight? | Sign me up. | chrismarlow9 wrote: | > Becoming one of the top names in video conferencing and | displacing dozens of established players virtually overnight? | Sign me up. | | What!? That's small thinking. You could be so many greater | things than that if you're willing to compromise people's | security and personal information. | deegles wrote: | I know you're being sarcastic but there are a ton of | companies that have a terrible security track record and | yet are quite large... | sgustard wrote: | Exactly! I've built plenty of rock-solid flawless products | that never got any traction. I can assure you none of them | were dissected on Hacker News. Personally I'd go for getting | mass adoption followed by endless free security consulting | provided by the internet while it's stuck at home. | rsync wrote: | Shout-outs to l0pht and cdc, but not to Minor Threat[1]? | | [1] https://en.wikipedia.org/wiki/Chris_Lamprecht | varelaz wrote: | TLDR: With a 17-digit meeting ID a password is not needed at all. If | the meeting ID is 17 digits it will be the same as protecting an 11-digit | number with a 6-digit password. So basically that's | the trade-off. One could say that a password is not the same as a | meeting ID, but usually they are both sent in one email/message and | the lifetime and protection for them is equal. Also it's easier to | input one number than two different ones. | diebeforei485 wrote: | Please don't think of this in entropy terms alone. There is a | massive usability difference between the two. | kingludite wrote: | Do it in base 9000 with baby names and common words. 
"Join us | in _black raven deodorant daisy mega delta leo_ " | | Also create dud rooms with prerecorded conversation. | dsimms wrote: | or honeypot rooms with soft porn | dsimms wrote: | or honeypot rooms with super secret sounding military talk | jascii wrote: | I'm not sure I understand your point. The usability of | clicking a link stays equal regardless of the amount of | digits in the ID. Adding a password reduces the usability. | aidenn0 wrote: | The other day my wife got an e-vite with a link to a zoom | meeting, but the e-vite software will prerender all the | text to an image, so the link had to be copied in :( | madeofpalk wrote: | Security pretty much always reduces usability - that's the | trade off. | jtaft wrote: | I've been thinking about security and usability for a | while. IMO a big part of use-ability issues are related | to interfaces people have to interact with. This is | mainly concerning authentication and crypto related | processes. | | I generally like the idea of smartcards, or having some | physical thing you carry around which is used to | authenticate with systems. | madeofpalk wrote: | Two factor auth - some physical thing you carry around | with you to authenticate with systems - is the very | definition of decreasing usability in order to increase | security. | jtaft wrote: | To clarify, do you mean usability as "how easy is it for | an end user to perform X?" I feel in general, adding | security to a system without security does decrease | usability. | | I think focusing on "relative usability" is important | too. IMO it should be able to increase relative usability | AND security. | | For instance, I use a yuibkey to store cryptographic | secrets. Generally I leave it plugged into my laptop, so | it does not add inconvenience to me in using it. Before I | had to type in a long password to decrypt my SSH key. 
Now | it's stored on a YubiKey, protected by a shorter PIN, and | requires a physical touch to perform cryptographic | operations. By moving cryptographic secrets from a system | with a large attack surface (the laptop) to a device | which requires physical access and has a smaller attack | surface (the YubiKey), I find the system is easier to use, | while increasing security. | | I also find unlocking my phone and paying with Apple Pay | is easier to use than taking out my wallet and paying | with a card. Having my credit card information encrypted | on the phone makes it harder for a thief to use, when | compared to gaining access to the physical credit card. | | One could argue a lack of security can lead to a | decrease in usability. E.g., a system under a successful DoS | attack makes the system not very usable. I digress | though, as I do not believe this is what you were getting | at. | minitech wrote: | I think they're referring to passwordless login with | physical keys. One unphishable factor that can't be | brute-forced or cloned and doesn't require typing and | password management. | madeofpalk wrote: | Still suffers from the same usability constraints. | dewey wrote: | An important Zoom feature is that you can dial in from a | regular cell phone / landline and conference phones. That's | one of the selling points of Zoom. | antoncohen wrote: | But when joining a Zoom call from your phone you dial a | number, then enter the meeting ID. The meeting ID has the | same number of digits as a US phone number, but it isn't | the number you dial. The calendar invites generated by | Zoom format the number + meeting ID in such a way that a | user can tap them and it will dial the number _and_ enter | the meeting ID. | | Basically, in both cases (computer/app or dial-in), | increasing the number of digits of the meeting ID has | very little impact on the users. Forcing a user to enter | a password after joining (which is just more digits) does | impact the user. 
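The rate limiting that diebeforei485 argues for above, and the difference it makes that a passcode, unlike a bare meeting ID, gives the service something to count failures against, is sketched below as an added example. It is not Zoom's implementation. It assumes the join service sees a meeting ID, a client identifier such as a source IP or account, and a passcode, keeps its state in memory, and uses illustrative limits; the class and function names, the meeting ID 123456789, the passcode 482193 and the client addresses are all made up for the example.

```python
"""
Per-meeting passcode throttle: an added example of the rate limiting suggested
in this thread, not Zoom's implementation. Assumptions: the join service sees
a meeting ID, a client identifier (source IP or account) and a passcode; state
lives in memory; limits and windows below are illustrative values.
"""
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

JOINED, DENIED, LOCKED = "joined", "denied", "locked"


class PasscodeThrottle:
    """Sliding-window lockout for passcode guesses against a known meeting ID.

    Wrong guesses are counted per (meeting, client) and per meeting, so one
    client is cut off after per_client_limit failures and a distributed
    guesser is cut off after per_meeting_limit failures in total, each within
    window_s seconds. The meeting-wide limit is the price of stopping
    distributed guessing: a noisy attacker can make a meeting temporarily
    reject every new joiner, right passcode or not.
    """

    def __init__(self, per_client_limit: int = 5, per_meeting_limit: int = 50,
                 window_s: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.per_client_limit = per_client_limit
        self.per_meeting_limit = per_meeting_limit
        self.window_s = window_s
        self.clock = clock
        self.passcodes: Dict[str, str] = {}
        self.client_failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.meeting_failures: Dict[str, Deque[float]] = defaultdict(deque)

    def register(self, meeting_id: str, passcode: str) -> None:
        self.passcodes[meeting_id] = passcode

    def _recent(self, failures: Deque[float], now: float) -> int:
        # Drop failures older than the window and return how many remain.
        while failures and now - failures[0] >= self.window_s:
            failures.popleft()
        return len(failures)

    def attempt(self, meeting_id: str, client: str, passcode: str) -> str:
        now = self.clock()
        by_client = self.client_failures[(meeting_id, client)]
        by_meeting = self.meeting_failures[meeting_id]
        if (self._recent(by_client, now) >= self.per_client_limit
                or self._recent(by_meeting, now) >= self.per_meeting_limit):
            # Checked before the passcode and not counted as a new failure, so
            # hammering a locked meeting neither confirms a guess nor extends
            # the lock indefinitely.
            return LOCKED
        expected = self.passcodes.get(meeting_id)
        # An unknown meeting ID gets the same answer and the same bookkeeping as
        # a wrong passcode, so this endpoint does not confirm which IDs are live.
        if expected is not None and hmac.compare_digest(expected, passcode):
            return JOINED
        by_client.append(now)
        by_meeting.append(now)
        return DENIED


def simulate_single_client(passcode: str = "482193", tries: int = 1000) -> Dict[str, int]:
    """One client walks the passcode space 000000, 000001, ... at 100 guesses
    per second (constructed scenario). Returns a count of each outcome."""
    now = [0.0]
    throttle = PasscodeThrottle(clock=lambda: now[0])
    throttle.register("123456789", passcode)      # constructed meeting ID
    outcomes: Dict[str, int] = defaultdict(int)
    for i in range(tries):
        outcomes[throttle.attempt("123456789", "203.0.113.7", f"{i:06d}")] += 1
        now[0] += 0.01
    return dict(outcomes)


def simulate_distributed(passcode: str = "482193", clients: int = 60):
    """Sixty clients each guess once, a second apart; then an invited guest
    tries the right passcode during the lock and again after the window."""
    now = [0.0]
    throttle = PasscodeThrottle(clock=lambda: now[0])
    throttle.register("123456789", passcode)
    outcomes: Dict[str, int] = defaultdict(int)
    for i in range(clients):
        outcomes[throttle.attempt("123456789", f"bot-{i}", f"{i:06d}")] += 1
        now[0] += 1.0
    during_lock = throttle.attempt("123456789", "invited-guest", passcode)
    now[0] += throttle.window_s
    after_window = throttle.attempt("123456789", "invited-guest", passcode)
    return dict(outcomes), during_lock, after_window
```

In the single-client run only the first five of a thousand guesses are even checked; the rest are refused without touching the passcode. The distributed run shows the trade-off a host would feel: after fifty wrong guesses from fifty different clients the meeting refuses an invited guest with the right passcode until the window passes, which is where a waiting room or host approval has to take over. Nothing here can be applied to a bare meeting ID, because a probe of an unused ID is not a failure against anything the service tracks.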
| kube-system wrote: | >Basically, in both cases (computer/app or dial-in), | increasing the number of digits of the meeting ID has | very little impact on the users. | | It is a frequent use-case that people join meetings from | devices that are not running a calendar application, or | the calendar does not have the meeting invite. | | For example: conference rooms. | Terr_ wrote: | > The usability of clicking a link | | The situations and use-cases behind meeting-software are | such that you can't rely on this. | | There are many situations where you want to transcribe the | information. For example, dialing in as voice-only with a | private phone based on an e-mail on your work-laptop. | | Or perhaps a conference room at a client-site where the | client-guy has their corporate-approved presentation | laptop, but he can't find the e-mail/chat message with it. | Meanwhile you've got it up on-screen, but your device is | not approved for any kind of internet connection in this | part of the labs, and even your phone has no signal. (Yes, | I've been there.) | DrJokepu wrote: | If you don't separate the access key from the secret you can't | change the secret if and when it gets compromised. | panarky wrote: | Neither one is secret if you send them both to every | recipient at the same time. | chapium wrote: | Privately issue a certificate from the organizer and don't just | have a link anyone can join. | johannes1234321 wrote: | This makes it hard to have meetings with varying parties. | rtkwe wrote: | One way they're different is with an ID and password you can | lock people out of meetings. With just an ID other than rate | limiting clients there's no way to tell an authorized | connection from someone war dialing the number. | jackson1442 wrote: | It seems to me as if having a password could be a useful | feature to get additional features for a call. 
For example, a | webinar host could give a password to a select few authorized | to use camera/mic during the call, and just the meeting code to | all other spectators. I'm not too familiar with zoom, but this | feels like a better application than just two-step call | joining. ___________________________________________________________________ (page generated 2020-04-02 23:00 UTC)