[HN Gopher] 'War Dialing' tool exposes Zoom's password problems
       ___________________________________________________________________
        
       'War Dialing' tool exposes Zoom's password problems
        
       Author : feross
       Score  : 307 points
       Date   : 2020-04-02 18:41 UTC (4 hours ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | andrewstuart wrote:
       | How hard is this for them to fix?
        
         | saagarjha wrote:
         | Not hard, everyone needs to password-protect their meetings.
        
           | rayvd wrote:
           | Why?
        
         | diebeforei485 wrote:
         | Generating a random 6-digit passcode for each meeting by
         | default? Not hard at all.
         | 
         | Rate-limiting incorrect password attempts could take a bit
         | longer to implement, but still not a particularly difficult
         | problem to solve.
        
           | chrismarlow9 wrote:
           | I never understood "presenter will let you in" security. It's
           | based on someone letting me in if they recognize my recorded
            | name and that I work there? Surely that won't backfire in a
            | world where everyone posts every detail about every day of
            | their life online. I mean who even uses LinkedIn anyway?
        
         | wolco wrote:
         | They may decide there is nothing to fix. If you want to use a
          | password you can, but don't force it on the average user who
         | would trade having no password with the potential of someone
         | random joining.
         | 
         | If you want to keep it private use a password.
        
       | [deleted]
        
       | crazygringo wrote:
       | I worked in videoconferencing for a while. When it comes to
       | meeting identifiers, striking the right balance between ease of
       | use and security is really hard.
       | 
       | On the one side, maximum ease-of-use is a name or code short
       | enough for someone to say over the phone. "Here, just jump into
       | the videoconferencing meeting 'mikefred' or 'john10' or '39584'".
       | That works particularly well for small meetings where it's
        | immediately obvious if someone else joins and you can stop talking
       | and ask them who they are and kick them out if they shouldn't be
       | there.
       | 
        | On the other hand are long random identifiers in a space large
       | enough they're impossible to guess. If you're joining a meeting
       | from a link then nobody cares, but if you're telling someone over
       | the phone or typing it into the phone it _sucks_. (And you are
       | _very often_ needing to jump from one form of communication to
        | videoconferencing, where there's no way to "just paste a link"
       | into the initial form.)
       | 
       | There's also no real difference between a short meeting name plus
       | password and a long meeting name, except that passwords tend not
       | to be displayed on screen so it's even harder to find it to tell
       | someone over the phone.
       | 
       | Also there's another big issue in how easy or convenient you make
       | it for people from within your domain/company to join, versus
       | outsiders. Half the company wants to make it harder for outsiders
       | to join (for security), the other half (salespeople) want it to
       | be easier.
       | 
       | The only solution, unfortunately, is educating users to
       | understand the differences. Zoom already has most if not all the
       | necessary options, even modes like "waiting room". But the same
       | options will never work for every meeting. Whoever hosts a
       | meeting needs to understand the options. There's just no
       | substitute.
        
         | pdehaan wrote:
         | For the phone only route, it seems like you could still mostly
         | automate it by going oldschool. Give the host an option to play
         | the meeting code as a DTMF signal (or whatever) while the other
         | person holds their phone near the mic.
        
         | kelnos wrote:
         | This is a really good point, and I actually sympathize with how
         | difficult it is for Zoom to strike the right balance here.
         | 
         | If the only method of operation here were for people to invite
         | others by copy/pasting a URL, and the invitees' only method of
         | joining were to click on that link, then long UUIDs or such
         | would be just fine.
         | 
         | But Zoom lets you dial in audio-only from a regular phone. You
         | simply just cannot use "long random string" as an identifier if
         | you're expecting someone to punch it into a telephone keypad.
          | Even having a 9- to 11-digit meeting code plus say a 6-digit
         | passcode would be a burden for some people, though it's really
         | the only way to do that portion of it right.
         | 
         | Now, one thing I do _not_ cut Zoom any slack for is having an
         | API where you can request validity and status of any meeting
          | ID, without any rate limits placed on it. That's Security 101
         | right there.
        
           | aidenn0 wrote:
           | I don't know if botnets are still a thing, but it used to be
           | that any rate-limits needed to be multiplied by 10k for even
           | a modest attacker, as being able to query from 10k unique
           | nodes was a fairly trivial problem by renting a botnet.
        
         | _red wrote:
         | All good points.
         | 
         | There is no reason why short meeting codes + 2-3 sec delay
         | before joining + temporarily banning users who enter more than
         | 10 invalid meeting codes in a row can't work.
         | 
          | There are ways to improve the security without putting it on the
          | clients' shoulders. A 6-digit room code is fine if a person can
          | only "war dial" 10 tries before being banned for an hour or so.
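
A defender-side illustration of the scheme _red sketches, added here and not code from the thread or from Zoom: each meeting-code lookup is answered only after a short delay, a client key is banned for an hour after ten invalid codes in a row, and (picking up cbsmith's objection below) the number of lookups a single key may have in flight is capped. The client key, the constants and the in-memory meeting store are all assumptions.

```python
"""Rate limiter for meeting-code lookups (added illustration, not Zoom's code).

Models the thread's proposal: a 2-3 second delay before a join is answered and a
temporary ban after too many invalid meeting codes in a row. How a client key is
derived (account id, source IP, ...) is left to the caller and is an assumption;
because any single key can be multiplied by an attacker, the limiter also caps
the number of lookups a key may have pending at once.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

MAX_CONSECUTIVE_FAILURES = 10   # invalid codes in a row before a ban
BAN_SECONDS = 3600              # "banned for an hour or so"
JOIN_DELAY_SECONDS = 2.5        # "2-3 sec delay before joining"
MAX_PENDING_PER_KEY = 1         # cap on in-flight lookups per client key


@dataclass
class ClientState:
    consecutive_failures: int = 0
    banned_until: float = 0.0   # absolute time; 0.0 means not banned
    pending: int = 0            # lookups accepted but not yet answered


class MeetingLookupLimiter:
    def __init__(self, valid_meetings: Set[str]):
        self._valid = valid_meetings  # constructed stand-in for the meeting store
        self._clients: Dict[str, ClientState] = {}

    def begin_lookup(self, key: str, now: float) -> str:
        """Gate a lookup for `key`. Returns 'banned', 'busy' or 'accepted'.
        Only 'accepted' lookups ever reach the meeting store."""
        st = self._clients.setdefault(key, ClientState())
        if now < st.banned_until:
            return "banned"
        if st.pending >= MAX_PENDING_PER_KEY:
            return "busy"  # the delay only costs the attacker if requests cannot pile up
        st.pending += 1
        return "accepted"

    def finish_lookup(self, key: str, meeting_id: str, now: float) -> str:
        """Answer an accepted lookup JOIN_DELAY_SECONDS later. Returns 'joined' or 'invalid'."""
        st = self._clients[key]
        st.pending -= 1
        if meeting_id in self._valid:
            st.consecutive_failures = 0
            return "joined"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            st.banned_until = now + BAN_SECONDS
            st.consecutive_failures = 0
        return "invalid"


def simulate(limiter: MeetingLookupLimiter, key: str, guesses: List[str],
             start: float = 0.0) -> List[str]:
    """Drive one client through a list of meeting-code guesses, one at a time.
    Returns the outcome of each guess; 'banned' entries never touched the store."""
    outcomes = []
    now = start
    for guess in guesses:
        verdict = limiter.begin_lookup(key, now)
        if verdict != "accepted":
            outcomes.append(verdict)
            now += JOIN_DELAY_SECONDS
            continue
        now += JOIN_DELAY_SECONDS  # the answer arrives only after the delay
        outcomes.append(limiter.finish_lookup(key, guess, now))
    return outcomes


if __name__ == "__main__":
    limiter = MeetingLookupLimiter({"123456"})  # constructed: one live 6-digit code
    wrong = ["%06d" % i for i in range(12)]     # constructed guesses, none valid
    print(simulate(limiter, "client-a", wrong + ["123456"]))
```

Sequential guessing stops reaching the store after the tenth miss; the valid code guessed during the ban is rejected without being checked.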
        
           | cbsmith wrote:
           | There's a really good reason why that wouldn't work. There's
           | no reason why a war dialer can't create millions of users.
           | The 2-3 second delay doesn't really accomplish much unless
           | you limit their capacity to have requests pending.
        
             | bscphil wrote:
             | s/users/ips/
        
               | Slartie wrote:
               | With IPv6, I can assign myself a gazillion perfectly
               | routable unique public IPs.
        
         | xboxnolifes wrote:
         | What about a long, unique identifier for the baseline, and the
         | ability to generate temporary, single (or `n`) use, short
         | identifiers that can be used when speaking the id?
         | 
          | Clicking a long ID link takes practically no training, and
          | entering a short ID would only require training the salespeople
          | how to generate one (which should only be a few clicks tops).
         | 
         | This way, a conference is secure by default and easy for people
          | to join by link, and is still easily accessible by code for
         | when needed.
        
           | wyattpeak wrote:
           | When I think about having two different solutions for two
            | slightly different use cases, my mind always goes to
           | Microsoft's decade-long battle to teach their users the
           | difference between Standby and Hibernate.
           | 
           | There was very real value in the distinction to those who
           | used it, but it proved so irresolvably confusing to the vast
           | majority of users that eventually they pulled the plug and
           | just gave the one Sleep option.
           | 
           | Educating users about technicalities they've probably never
           | thought about is really hard. Doing so without an actual
           | training session, just through interface, verges on
           | impossible. And if Microsoft couldn't convince businesses to
           | train their users, I doubt Zoom can.
        
       | afrcnc wrote:
       | Hey... I created a tool that can hack Zoom meetings faster....
       | let me tip Brian Krebs about it and advertise it to the world.
       | 
       | I don't understand why this article exists. It's like a beacon
       | for all the bored skidz now.
        
       | jfjrjri9nn wrote:
       | They're explaining how seriously they take security using
       | Wordpress.
        
         | david_shaw wrote:
         | I know that WordPress doesn't have the greatest security
         | record, but it seems unfair to judge an organization for using
         | WP.
         | 
         | Many, _many_ respectable businesses use WordPress for their
          | brochureware or corporate blogs. In my experience, it's not a
         | security nightmare if it's well maintained.
        
           | gchamonlive wrote:
           | Sometimes it is not just a matter of good maintenance. WP has
           | a bad quality control for plugins and that can be
           | catastrophic: https://wordpress.org/support/topic/amazon-
           | cloudfront-invali...
           | 
           | > I have had the same issue with the plugin. This was on a
           | simple WooCommerce site with a few thousand products. Notice
           | it incurred over $6,000 in fees.
           | 
            | > Amazon CloudFront Invalidations: $6,485.76
            | > $0.000 per URL - first 1,000 URLs / month: 1,000 URLs, $0.00
            | > $0.005 per URL - over 1,000 URLs / month: 1,297,151 URLs, $6,485.76
           | 
            | After a user reported a plugin costing his business over
           | 6000 USD, months go by without proper attention to this
           | issue. If there was good quality control, the plugin should
           | have been pulled. It just shows how the ecosystem is not
           | designed with robustness and security in mind.
           | 
           | But I agree, WP cannot be a proxy to judge how companies
           | treat security. This just illustrates how bad WP itself is.
        
         | elwell wrote:
         | If you think you can find a security hole in their blog, ask
         | them for a bug bounty.
        
       | cs702 wrote:
       | One positive thing about all these horrendous security flaws that
       | have been recently discovered in Zoom, due to its popularity, is
       | that the company seems to be taking them seriously, recently
       | instituting a feature freeze to focus on fixing them:
       | https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u...
       | 
       | As a consequence, I suspect Zoom's security is more likely than
       | not to improve going forward... although it will surely take a
       | long while. Security is _Capital-H Hard_.
       | 
       | Also, I cannot think of any other multi-video-conferencing
       | solution that "just works" and has been as thoroughly stress-
       | tested and attacked by bad actors in the wild at such a large
       | scale. If Zoom does a decent-to-good job fixing all the security
       | issues, it looks likely to continue to dominate its market.
        
         | bluntfang wrote:
         | >recently instituting a feature freeze to focus on fixing them
         | 
         | Or they're having productivity problems like every other
         | company right now and are spinning it to seem like they are on
         | top of things. These security issues have been around for
         | years.
        
         | dang wrote:
         | Discussions: https://news.ycombinator.com/item?id=22757697
         | 
         | https://news.ycombinator.com/item?id=22756730
        
         | Spooky23 wrote:
         | I'm not a fan of Zoom... But the pile-on of grief is
         | ridiculous.
         | 
         | The "war dialing" issue is a great example. Webex has had the
         | exact same "flaw" for a decade, with the exact same solution -
         | set a meeting password. Other solutions like Google Meet or
         | Skype have the "lobby" approach.
        
           | somethoughts wrote:
           | Fun fact - perhaps not widely known and perhaps why it shares
           | a similar philosophy as Webex:
           | 
           | Zoom was founded in 2011 by Eric Yuan, a lead engineer from
           | Cisco Systems and its collaboration business unit WebEx.[1]
           | [1] https://en.wikipedia.org/wiki/Zoom_Video_Communications#H
           | ist...
        
           | teraflop wrote:
           | IMO, when it comes to security, the fact that other people
           | have made the same mistake makes a design flaw more
           | egregious, not less.
        
         | RobotCaleb wrote:
         | Why do people keep saying it just works? It just works if you
         | install their app, probably. But audio doesn't work at all in
         | Firefox. That's not really just works for me.
        
           | wutbrodo wrote:
           | Yea, Hangouts is a lot more "it just works" than Zoom is for
           | me. That being said, the quality of the actual calls on Zoom
           | is _way_ better than Hangouts.
        
             | devin wrote:
             | I mean, I don't really know how "consistently high call
             | quality" is not the most important feature of any video
             | chat application. My experience on hangouts has always been
             | garbage. Delays, choppy sound, my machine starts going
             | insane while rendering other people's live video. It may
             | just work in the sense that you can immediately use it, but
             | if even 20% of the time you use it the call quality sucks,
             | then it's a crap product IMO.
        
           | devin wrote:
           | I'm not sure about "just works", but I am sure about "works"
            | in the sense that it is head and shoulders above every other
           | video chat app I've used when it comes to audio and video
           | quality, especially for large numbers of participants, audio
           | sharing, document camera sharing, multiple participants
           | sharing simultaneously, and there are plenty more.
           | 
           | I've never used the web version, but it wouldn't surprise me
           | if it's not the same experience. The video and audio encoding
           | and decoding stuff seems like it just makes more sense as a
           | native app. Given the number of variables that browsers,
           | versions, sandboxing, etc. bring to the equation, I can tell
           | you where I'd spend the majority of my efforts if I were
           | doing video chat: on a great native app. You have a lot more
           | control over that experience, IMHO.
           | 
           | Anyway, your comment reads to me like someone who will never
           | install it, but I would encourage you to at least test out
           | the difference to see why it's become so popular.
        
           | r00fus wrote:
           | Neither does Webex's browser version - even though I give it
           | permissions, audio requires Webex to call me.
           | 
           | Latest Safari/macOS.
        
         | ryandrake wrote:
         | Pro: A worldwide, motivated, unpaid volunteer team is doing
         | their thorough security audit, privacy review and QA testing
         | for them.
         | 
         | Con: After the product was released :)
        
       | heipei wrote:
       | Oh the number of times I've been on 20+ people Zoom meetings
       | which were interrupted after a minute by someone asking "Hold on
       | folks, who is the phone-user who just dialed in?" Or whenever
       | someone connected who had the wrong nick set (happened on Linux)
       | and hadn't turned the video on yet, which basically meant the
       | conversation stopped until the new arrival had identified
       | himself.
        
       | fock wrote:
       | I think a tool which is basically yet another webchat-solution
        | but tries to push their omnipotent app onto you, no matter what,
        | has some issues beyond security. All the "user"-friendly
        | execution looks like some 2002 Nigerian adware. I guess
        | userfriendly is really easy if your app can never be closed (not
        | sure about that), can't be uninstalled and you nag the user twice
        | to actually really start that app before allowing them to use a
        | runtime under their control.
        
       | brundolf wrote:
       | [deleted]
        
         | saagarjha wrote:
         | That wasn't really arbitrary code execution.
        
       | jascii wrote:
       | I always wondered why teleconferencing systems don't incorporate
       | a workflow where people connecting in need an approval from the
       | organizer before actually entering the meeting.
        
         | zwily wrote:
         | Most do, but in Zoom it's off by default. (Waiting room)
        
           | bronson wrote:
           | And it's a responsibility/pain for the facilitator when it's
           | on. Often they'll be caught up in the meeting and leave
           | anyone who arrived 3 minutes late to spend the rest of the
           | meeting waiting to be admitted.
        
       | twistedpair wrote:
       | Why doesn't Google Hangouts/Meet have this issue?
        
         | beckingz wrote:
         | Hangouts has this issue as well.
        
       | markthethomas wrote:
       | https://unicorn.computer/zoom-wins-malware-of-the-year-march...
        
       | elwell wrote:
       | Chatroulette Zoom Edition
        
       | curiousgal wrote:
       | Hey look it's Mr "it's 2020 but I still don't give a shit about
       | mobile users". Why would anyone want to alienate a substantial
       | amount of users especially if they're serving ads on their blog?
        
         | criddell wrote:
         | Maybe it isn't a substantial number of users?
         | 
         | FWIW I loaded the article on my Pixel 2 and it looks fine. In
         | the Chrome browser if you double tap on the article text it
         | zooms in to the article.
        
         | ebg13 wrote:
          | > _Hey look it's Mr "it's 2020 but I still don't give a shit
         | about mobile users"._
         | 
         | Nobody owes you their site behaving a certain way on your
         | phone.
        
           | gjs278 wrote:
           | are those metal implants for your head?
        
           | curiousgal wrote:
           | It's not really about entitlement. He's the one benefiting
           | from people consuming his content, why not make it more
           | accessible? All at the cost of some CSS rules.
        
             | ebg13 wrote:
              | > _It's not really about entitlement._
             | 
             | The tone of your opening sentence fooled me then.
             | 
             | > _why not make it more accessible?_
             | 
             | Maybe because he doesn't give a shit about mobile users.
        
             | catalogia wrote:
             | > _accessible_
             | 
             | For what it's worth, his website works better with my
             | screen-reader than most modern-style websites.
        
       | saagarjha wrote:
       | Not having password protection enabled seems like an unfortunate
       | default, but I guess it's not that surprising given the number of
       | "barriers" that Zoom attempts to bypass when you join a call.
        
         | [deleted]
        
       | Twirrim wrote:
       | I feel a little bit sorry for the Zoom devs. All of a sudden
       | there are a _lot_ of eyes on Zoom. Every design decision and
       | mistake are under a big microscope, while also presumably having
       | to deal with some major scaling.
        
         | tpmx wrote:
         | It's a ~2k person company with a market cap of $34B. So the
         | valuation is $17M per employee.
         | 
         | I don't feel sorry for them.
         | 
         | Also: this crisis is giving them vast amounts of marketing for
         | free.
         | 
         | I'm based in Sweden. I was just vaguely aware of Zoom until a
         | few days ago - now I suddenly hear of them all of the time from
         | Late Night hosts on Youtube.
        
           | Twirrim wrote:
           | The developers are still people. Doesn't matter the size of
           | the company, it's still a bunch of individuals who are likely
           | suddenly dealing with a lot of stress and pressure that could
           | never have been predicted, or have opportunity to scale up
           | their engineering to meet.
        
             | tpmx wrote:
             | Yeah.. no.
             | 
             | Only on HN could these winners become "victims".
        
             | obmelvin wrote:
             | I'm sure there are plenty of people who would be delighted
             | to be in that situation. At the end of the day Zoom is
             | looking to stay a run-away success - assuming eng is being
             | compensated appropriately it's really one of the best
             | problems one could have in a job.
        
       | 0xff00ffee wrote:
       | It's 1985 all over again: I'm in my bedroom running a ProDOS
       | wardialer on my 300/1200 baud AppleModem; I have found zero
       | computers, but it is fun watching the numbers flick past, hoping
       | that I, too, can discover a WOPR and start global thermonuclear
       | war.
        
         | trhway wrote:
         | >It's 1985 all over again
         | 
            | I think it is even earlier than that:
         | 
         | >Each Zoom conference call is assigned a Meeting ID that
         | consists of 9 to 11 digits.
         | 
         | 8 char passwd and 16 digit credit cards came way before 1985.
         | 
            | Never mind, I have committed to memory our daily scrum 9-digit
            | PIN code :) Very convenient. And if somebody else were to dial
         | in uninvited into our scrum ... well, it is at their own peril
         | as it carries (especially for a person not hardened by a long
         | tenure at a BigCo) the risk of brain damage, loss of ability to
         | perceive reality as it is, spontaneous suicidal desire, etc.
        
           | icedchai wrote:
           | Most Unix systems had 8 character password limits well into
           | the 90's (a limitation of the original DES-based crypt.)
        
         | softwaredoug wrote:
            | Yeah, but this time it's as easy as guessing a world leader's
            | Zoom meeting and tricking them into believing something
            | preposterous.
        
           | chefandy wrote:
           | Modern Version: "Shall we play a game?" "Love to" "!!To play
           | Global Thermonuclear War, you must first update your flash
           | player. Click here!![?]"
        
             | the_af wrote:
             | An even _more_ modern version:
             | 
             | "Shall we play a game of Global Thermonuclear War?"
             | 
             | "Sure!"
             | 
             | "Updating Steam client... It seems you're connecting from a
             | new device! Please check the 2FA code sent to your email...
             | Downloading more updates... Here are some popups about
             | unrelated games... Please register an account with MS Game
             | Live!... Downloading patches... [error in wopr.dll]"
        
             | kortilla wrote:
             | Those red exclamation points have convinced me this is
             | legitimate.
        
           | wolco wrote:
           | I remember a Montreal morning show doing this via phone and
           | tricking a few world leaders. Hopefully some funny things
           | come out of this.
        
             | saagarjha wrote:
             | Hopefully we don't have any unfunny things come out of
             | this.
        
           | hobs wrote:
           | Supposedly Captain Crunch got on the phone with Nixon, so it
           | isn't that far off.
        
       | kardos wrote:
       | Zoom is pretty lucky to get so much free security scrutiny. I
       | hope they make the most of it and fix all of these issues..
        
         | floatingatoll wrote:
         | Three of the big issues reported in the past week have also
         | been corrected in the past week, so they're certainly trying.
        
       | catalogia wrote:
       | > _" KrebsOnSecurity is not naming the companies involved"_
       | 
       | This chart suggests that one of the companies they found was an
       | aerospace company: https://krebsonsecurity.com/wp-
       | content/uploads/2020/04/zward...
       | 
       | I wonder if this is related to the news yesterday that SpaceX has
       | banned the use of Zoom.
        
         | moftz wrote:
         | SpaceX seems big enough that they pay for a self-hosted meeting
         | suite. I've worked at a couple places that use WebEx that is
         | self-hosted. You can only access it via dialing the number
         | (from any phone) or by being on the VPN to see the shared
         | presentation. Trying to log into the public version of WebEx
         | gives you an unknown user error. Someone could still wardial
         | their way into the call but it would require getting the non-
         | public phone number and guessing the meeting number AND
         | possibly guessing a meeting password.
        
       | devit wrote:
       | Not a good idea to use 9 to 11 digit long IDs with no password
       | requirement by default; they should have used at least 128-bit
       | random ids, i.e. 21 character long base64-encoded strings.
        
         | umvi wrote:
         | Yeah but then it sucks for people calling in to have to punch
         | in a 21+ character long meeting ID
        
           | toomuchtodo wrote:
           | Could you not use a telephone intent, where the meeting ID is
           | the suffix to the dial in number with commas for any
            | necessary pauses? Skype for Business meeting invites have
           | this. Zoom might then support inviting mobile phone
           | conference participants using SMS, containing the link (think
           | weak 2FA).
           | 
           | Example: tel://18005551212,,<meeting_id>#
        
             | anamexis wrote:
             | That's not helpful when you have to punch it into a
             | conference room speakerphone.
             | 
             | I did once put together a hack that would scrape the
             | meeting ID from the Zoom UI and emit the touchtones from my
             | laptop to dial in.
        
               | toomuchtodo wrote:
               | There is always a trade off between security and
               | usability. I like your hack though, any chance you'd put
               | it on Github?
        
               | PeterCorless wrote:
               | The most secure computer is a non-networked standalone
               | box sunk in concrete sunk hidden at the bottom of a deep
               | sea trench. It is not, however, very usable.
        
               | anamexis wrote:
               | I haven't used it in a while, so I wouldn't be surprised
               | if the Zoom bit is broken, but here it is:
               | 
               | https://gist.github.com/micahbf/91a295016f4472b47acfe317d
               | 714...
        
           | josteink wrote:
           | > Yeah but then it sucks for people calling in to have to
           | punch in a 21+ character long meeting ID
           | 
           | I may be out of touch with the average biz-guy, but how many
           | people are realistically calling in manually, over
           | traditional phone-lines these days?
           | 
           | Is it really a significant percentage?
        
             | nevi-me wrote:
              | I've been working from home since before the lockdown in my
             | country. Since the lockdown, the number of online meetings
             | that I have in a day has tripled. I think in about 2-3
             | meetings a day I have problems with microphone/hearing, and
             | end up dialing in from my phone. This is normally for Skype
             | for Business meetings.
             | 
             | The same tends to happen with a few colleagues ... Some
             | anecdote.
        
             | RHSeeger wrote:
             | I call in for every meeting I can. My hearing is poor; the
             | sound quality on the computer just isn't good enough for
              | me. Then add in that my computer is heavily loaded, so its
              | ability to encode/decode sound is degraded.
             | 
             | I have a high quality desk phone on a land line
             | (admittedly, VOIP from FIOS, but not via my computer) and I
             | will fight tooth and nail to keep it.
             | 
             | All that being said, I'm comfortable typing in an arbitrary
             | length password on my phone. All I ask is that it be
             | formatted to make that easy (groups of 3-4 numbers with
             | spaces).
        
             | azinman2 wrote:
             | My husband is a market researcher, and is now conducting
             | market research over Zoom & other platforms. The first
             | thing he does is have _everyone_ dial in. It's been a major
             | help in reducing latency and dropped packets, which in turn
              | has a majorly positive effect in getting strangers to be
             | able to talk normally with each other. It helps prevent the
             | "you go no you go" as latency allows people to unknowingly
             | step over each other.
        
             | techopoly wrote:
             | My place of work didn't have a soft-phone connection to our
             | computers until this COVID-19 mess started. I imagine we
             | weren't alone.
        
             | apocalyptic0n3 wrote:
             | Far greater than you would expect, I think. This is
             | anecdotal, but we're an admittedly small company (~20-25
             | employees) and all of our interactions with other companies
             | (clients) are either direct line-to-line or if we do a
             | conference call, we all call in over the phone. Many of the
             | companies who send us WebEx or join.me or Hangouts Meet or
             | whatever invites only send the phone number even, not even
             | bothering to give us a link (and if you go to the room
             | manually in your browser, you're the only one actually
             | connected via computer)
        
             | [deleted]
        
             | larrik wrote:
              | Most of my Zoom meetings have at least 20% dial-ins.
        
               | lonelappde wrote:
               | From landlines?
        
               | larrik wrote:
               | usually cell phones, but no one wants to install the app
        
               | wolco wrote:
               | Don't forget soft phones.
        
             | randycupertino wrote:
             | Working in global research, 40% of our ROW (rest of world)
                | sites and vendors use landline or cell phones to join our
             | meetings, depends on their institutional security and IT
             | settings.
        
               | lonelappde wrote:
                | Smartphones can dial a long code in software. Only dumb
                | phones and landlines can't.
        
               | kube-system wrote:
               | Some smartphones, using some applications, and some input
               | devices, can dial some long codes.
               | 
               | Jim from sales who is dialing in from his company's
               | oddball calendar app over Bluetooth on the infotainment
               | system in his rental car probably can't.
        
             | kube-system wrote:
             | When I did consulting, almost every meeting had at least
             | one dial-in. If you didn't include a dial-in, you'd be
             | guaranteed to either get a request to add one, or you'd get
             | people who didn't show.
             | 
             | There was always:
             | 
             | 1. someone who was on the road - a traveling consultant or
             | someone in sales
             | 
             | 2. a client or potential who called in because of the same,
             | or because they don't sit at a computer all day and/or
             | don't have a headset for their computer.
             | 
             | 3. People in a conference room
             | 
             | 4. a client who sucks at computers and dials in because
             | they can't figure out how to install the latest version of
             | CiscoGoToZoomMeetingWebEx.exe in IE8 on their macbook.
        
             | jedieaston wrote:
             | Yes. If you're in a conference room and it's not a Zoom
             | Room(tm), or has a Cisco system, or whatever, you have to
             | use the conference phone. You might be able to tell the
             | Zoom meeting host to call the conference phone and bring it
             | into the meeting, but it'd be easier just to type the ID in
             | (unless it was really 128 char, but then that'd give people
             | a reason to buy new conference hardware I guess).
             | 
             | Also if you don't want to install the Zoom client, you can
             | just dial in from your cell phone or desk phone.
        
           | Nextgrid wrote:
           | The telephone dial-in option should've been separate - if the
           | user chooses to enable it then they can fall back to shorter
           | IDs, while meetings that don't need it (or where it doesn't
           | make sense anyway - screen shares, presentations, etc) would
           | use longer, more secure IDs.
        
             | azinman2 wrote:
             | which means all you gotta do is war dial the phone
             | network...
        
               | Nextgrid wrote:
               | Even if the phone dial-in ID would be enabled by default
               | (which isn't what I am suggesting), the extra latency and
               | cost of brute forcing them over the phone network will
               | make these attacks much harder.
        
             | bobbyi_settv wrote:
             | The "just works" nature is why Zoom is popular. No one
             | wants to have every meeting start with "Is Larry here? Oh,
             | I think he's trying to dial in. I'm going to cancel this
             | meeting and send out a new ID so he can dial in. Everyone
             | watch for that so you can reconnect"
        
               | Nextgrid wrote:
               | The second ID can be generated in addition to the first,
               | primary ID.
        
             | Symbiote wrote:
             | As we've used it at work, the phone dial-in option is the
             | backup plan -- useful when people can't set up their
             | computer's microphone correctly, or lose Internet access
             | for whatever reason.
        
           | panarky wrote:
           | What's worse, entering a 21-character meeting ID on the
           | phone, or entering an 11-character meeting ID plus a
           | 10-character password?
        
           | chapium wrote:
           | I've always preferred conf systems with a call-me-at function
           | better anyway. With most lines, sign in over phone is a
           | horrible waiting game where one missed digit means sitting
           | through instructions for another minute.
        
         | shiado wrote:
         | It's an incredibly simple thing to screw up. I wonder where
         | else they use low entropy random strings. I wonder if their
         | password reset functionality can be brute forced too. Another
         | problem is where they put rate limiting as it seems probable
         | based on this article there are holes.
        
           | jlmorton wrote:
           | I mean, this is intentional. They even allow you to set your
           | meeting ID to a well-known number, like your company's
           | published phone number.
           | 
           | If you want to join the all-hands meetings of a company I
           | used to work for, you only need to go their website and
           | lookup their primary phone number. That's the Zoom meeting
           | ID.
        
           | andor wrote:
           | Real engineering is about compromises.
           | 
           | In this case, relatively short numeric meeting ids allow
           | users to dial in via plain old phone lines. If my meeting
           | guests had to enter a UUID via their phone keypad, they would
           | probably skip the meeting instead.
        
             | shiado wrote:
             | That actually makes sense; I didn't know you could dial in
             | with a phone.
        
           | KaoruAoiShiho wrote:
           | Every time I read about a Zoom "screwup" I see a feature
           | that's UX centric. It's pretty cool tbh.
        
         | pkulak wrote:
         | Or my personal favorite for anything you show to a user:
         | 
         | https://www.crockford.com/base32.html
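To show what the linked scheme buys for identifiers people read or type, here is a Crockford base32 encoder and decoder. It is added as an example, following the linked spec; it is not pkulak's code, Zoom's code, or anything from the article, and the meeting-ID values in it are constructed. It shows the two properties that matter for a human-facing ID: the alphabet drops I, L, O and U so the usual transcription mistakes decode to the intended value, and the optional mod-37 check symbol catches any single wrong symbol before the value reaches the server.

```python
"""Added example: Crockford base32 for human-facing identifiers.
Implements the rules at https://www.crockford.com/base32.html;
all sample values are constructed."""

ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # 32 symbols, no I, L, O, U
CHECK_ALPHABET = ALPHABET + "*~$=U"           # 37 symbols for the mod-37 check
_DECODE = {c: i for i, c in enumerate(ALPHABET)}
# Decode rules from the spec: lowercase is accepted, I and L read as 1,
# O reads as 0, hyphens are ignored. This is what makes misreads harmless.
_DECODE.update({"I": 1, "L": 1, "O": 0})


def normalize(text: str) -> str:
    return text.upper().replace("-", "")


def encode(n: int, check: bool = False, group: int = 0) -> str:
    """Encode a non-negative integer; optionally append the check symbol and
    hyphenate into groups of `group` symbols for readability."""
    if n < 0:
        raise ValueError("only non-negative integers can be encoded")
    symbols = []
    value = n
    while True:
        symbols.append(ALPHABET[value & 31])   # low 5 bits
        value >>= 5
        if value == 0:
            break
    out = "".join(reversed(symbols))
    if check:
        out += CHECK_ALPHABET[n % 37]
    if group > 0:
        out = "-".join(out[i:i + group] for i in range(0, len(out), group))
    return out


def decode(text: str, check: bool = False) -> int:
    """Decode after normalisation; with check=True the last symbol must be
    the mod-37 check symbol of the decoded value."""
    s = normalize(text)
    if not s:
        raise ValueError("empty identifier")
    if check:
        if len(s) < 2:
            raise ValueError("too short to carry a check symbol")
        s, check_symbol = s[:-1], s[-1]
    value = 0
    for c in s:
        if c not in _DECODE:
            raise ValueError(f"invalid Crockford base32 symbol {c!r}")
        value = value * 32 + _DECODE[c]
    if check and CHECK_ALPHABET[value % 37] != check_symbol:
        raise ValueError("check symbol mismatch: likely a transcription error")
    return value


def symbols_for_digits(decimal_digits: int) -> int:
    """How many base32 symbols the largest number of that many decimal
    digits needs, i.e. what an all-digit meeting ID shrinks to."""
    return len(encode(10 ** decimal_digits - 1))


if __name__ == "__main__":
    meeting_id = 12345678901  # constructed 11-digit ID, not a real meeting
    shown = encode(meeting_id, check=True, group=4)
    print(shown)                                  # BFXR-71NC
    print(decode("bfxr-7lnc", check=True))        # l read as 1 -> 12345678901
    print(symbols_for_digits(11))                 # 8 symbols carry 11 digits
```

The decoder deliberately does not try to "fix" a failed check symbol; it rejects the input so the user retypes it, which is the only safe reaction when the ID is the thing that admits someone to a meeting.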
        
           | bo1024 wrote:
           | Good idea for this! But trickier for phone calling into a
           | conversation. They could also just add 3 digits and a slight
           | delay in their connection API, making it much harder to brute
           | force, albeit only by a constant factor.
        
         | diebeforei485 wrote:
         | This is likely to support dial-in over the telephone network.
         | 
         | I think "no password" is the bigger issue, because repeated
         | attempts with incorrect passwords can be rate-limited. Zoom
         | should be generating a random 6-digit password for each meeting
         | by default.
         | 
         | There may be use cases for not having any password, but that
         | should be explicitly opt-in and have a warning message to every
         | participant that anyone can join and broadcast in this meeting.
        
           | x0x0 wrote:
           | They are as of the update to my client this morning.
        
           | disiplus wrote:
           | I'm sure the reason for that is the UX. Zoom had a
           | reputation of "just works" and part of it was that it is so
           | easy to jump into a meeting. If now I have to manage access
           | and so on, it would not be "it just works" like it was.
        
           | lonelappde wrote:
           | In this context, a password is the same as an id.
           | 
           | There's never a reason to share the id without the password.
        
         | spacehunt wrote:
         | How would that support phone dial-ins? (Yes, lots of people
         | still dial into meetings all the time.)
        
         | NikolaeVarius wrote:
         | I enjoy being able to dial meeting IDs into my phone
        
           | wgjordan wrote:
           | I would also enjoy being able to punch in '12345' as my
           | password everywhere instead of launching LastPass all the
           | time, but I accept that some conveniences aren't worth
           | security consequences.
        
             | kube-system wrote:
             | That's a fine compromise for internal teams.
             | 
             | For those working with current or potential customers
             | remotely, you have to use a solution that is convenient or
             | you don't make money.
        
       | motohagiography wrote:
       | This is what technical debt gets you.
       | 
       | I really don't know that zoom has a lot or much at all, but I do
       | know that the number of viable solutions to this could be taken
       | off the table internally because they probably made tech debt
       | commitments in their architecture during their scale up phase
       | that prevents bolting on obvious fixes. I have a lot of sympathy
       | for their position. They aren't evil or bad, but they could do a
       | massive mea culpa PR coup on the level of the Netflix culture
       | deck if they did a case study retrospective about the effect of
       | tech debt on scale at critical moments.
       | 
       | It's also a product management fail, where that lack of
       | transparency on encryption is what a project-manager would pull,
       | where a smarter product manager would have weighed the cost of
       | losing their e2e-crypto compliance market.
       | 
       | I can also see why they have security issues because today,
       | security people are on a much longer tailed skill distribution
       | than they were 10y ago and it's hard to listen to most of us.
       | Getting someone to approach it as, "ok, we get that a 9-digit key
       | is literally your product selling UX advantage, let's see what
       | else we can do" is exceedingly rare. Privacy has massive brand
       | implications. Remember BlackBerry? They launched a new flagship
       | tablet product while their CEO got into an issue with government
       | surveillance and the story became about their risk in India and
       | Asian markets and not whatever that product was called. Zoom's
       | story is becoming about privacy problems too.
       | 
       | PMs need to be smarter about this.
        
         | softwaredoug wrote:
         | I think you overestimate the reliability of the alternatives.
         | 
         | Zoom focused all their early engineering muscle on reliability.
         | When we build new products, we don't have infinite resources to
         | attack every front simultaneously. We have finite resources to
         | prove a concept, and we incur debt in just about every other
         | dimension.
         | 
         | Now that everyone is using them (precisely because of
         | reliability) the emphasis becomes other things - UX, security,
         | etc.
         | 
         | Tech debt is what the 2nd generation of engineers gets to
         | complain about after the 1st gen made the product successful at
         | something.
        
           | motohagiography wrote:
           | That last statement, I'm there with you on. Tech debt is
           | necessary, it could even be renamed "tech leverage," because
           | that's what a lot of it is.
           | 
           | My thing is that there are tons of potential ways to mitigate
           | zoombombing, even incrementally, and that they haven't or
           | chose not to indicates it's because there were cost barriers
           | to doing it. It has the tech debt smell, and it's what I've
           | seen in other orgs.
        
         | jariel wrote:
         | It's not technical debt, because it was not a problem before.
         | 
         | More likely just a poorly designed system.
         | 
         | Security is always a game of 'staying ahead' - with a totally
         | new userbase context, the security parameters have changed
         | under their feet. So now they need to quickly adapt their
         | product to the new context.
         | 
         | A vastly new usage context is going to create all sorts of
         | stresses.
        
           | dylan604 wrote:
           | >It's not technical debt, because it was not a problem
           | before.
           | 
           | You mean it wasn't a problem before just because it wasn't
           | being actively exploited before? A problem is a problem
           | regardless of whether it is as of yet undiscovered. Or do you mean it
           | wasn't a problem because it wasn't preventing any forward
           | progress on the product?
        
         | deegles wrote:
         | > This is what technical debt gets you.
         | 
         | Becoming one of the top names in video conferencing and
         | displacing dozens of established players virtually overnight?
         | Sign me up.
        
           | chrismarlow9 wrote:
           | > Becoming one of the top names in video conferencing and
           | displacing dozens of established players virtually overnight?
           | Sign me up.
           | 
           | What!? That's small thinking. You could be so many greater
           | things than that if you're willing to compromise people's
           | security and personal information.
        
             | deegles wrote:
             | I know you're being sarcastic but there are a ton of
             | companies that have a terrible security track record and
             | yet are quite large...
        
           | sgustard wrote:
           | Exactly! I've built plenty of rock-solid flawless products
           | that never got any traction. I can assure you none of them
           | were dissected on Hacker News. Personally I'd go for getting
           | mass adoption followed by endless free security consulting
           | provided by the internet while it's stuck at home.
        
       | rsync wrote:
       | Shout outs to l0pht and cdc, but not to Minor Threat[1] ?
       | 
       | [1] https://en.wikipedia.org/wiki/Chris_Lamprecht
        
       | varelaz wrote:
       | TLDR: With a 17-digit meeting ID, a password is not needed at all.
       | A 17-digit meeting ID is the same as protecting an 11-digit
       | meeting ID with a 6-digit password. So basically that's the
       | trade-off. One could say that a password is not the same as a
       | meeting ID, but usually they are both sent in one email/message
       | and their lifetime and protection are equal. Also it's easier to
       | input one number than two different ones.
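The "17 digits versus 11 + 6" comparison above, and diebeforei485's earlier point that a password only helps if wrong attempts are rate-limited, come down to two numbers: the size of the search space and the attempt rate. The Python below is added as an illustration; it is not code from the article, from Zoom or from any commenter. It computes both numbers and runs a constructed set of join attempts through a per-source sliding-window limiter on failed joins. The meeting ID, password, source labels and limits are all made-up values.

```python
"""Added example: brute-force cost of numeric meeting IDs and a
sliding-window limiter on failed join attempts. Constructed sample data;
not Zoom's code."""
import math
from collections import defaultdict, deque
from typing import List, Optional, Sequence, Tuple

LOG2_10 = math.log2(10)


def search_space(id_digits: int, password_digits: int = 0) -> int:
    """Distinct (meeting ID, password) pairs a guesser would have to cover.
    Digits in the ID and digits in the password contribute identically."""
    return 10 ** (id_digits + password_digits)


def entropy_bits(id_digits: int, password_digits: int = 0) -> float:
    """Same quantity in bits: each decimal digit is about 3.32 bits."""
    return (id_digits + password_digits) * LOG2_10


def expected_guesses(id_digits: int, password_digits: int = 0) -> int:
    """On average one specific valid pair is hit halfway through the space."""
    return search_space(id_digits, password_digits) // 2


def expected_seconds(id_digits: int, password_digits: int,
                     attempts_per_second: float) -> float:
    """Time for the expected number of guesses at a given rate. The digit
    count is set by the ID format; the rate is what a limiter controls."""
    return expected_guesses(id_digits, password_digits) / attempts_per_second


class FailedJoinLimiter:
    """Allow at most `max_failures` failed joins per source in any sliding
    window of `window_seconds`. Only failures count, so successful joins
    never throttle anyone."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)  # source -> failure timestamps

    def allow(self, source: str, now: float) -> bool:
        q = self._failures[source]
        # Drop failures that have aged out of the window, then compare.
        while q and q[0] <= now - self.window_seconds:
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, source: str, now: float) -> None:
        self._failures[source].append(now)


# Constructed sample meeting: an 11-digit ID protected by a 6-digit password.
VALID_MEETINGS = {"12345678901": "483920"}

Attempt = Tuple[float, str, str, str]  # (timestamp, source, meeting_id, password)


def replay(attempts: Sequence[Attempt],
           limiter: Optional[FailedJoinLimiter] = None) -> List[str]:
    """Run attempts through the limiter and the credential check;
    returns one of 'throttled', 'denied' or 'joined' per attempt."""
    limiter = limiter or FailedJoinLimiter()
    outcomes = []
    for now, source, meeting_id, password in attempts:
        if not limiter.allow(source, now):
            outcomes.append("throttled")
            continue
        if VALID_MEETINGS.get(meeting_id) == password:
            outcomes.append("joined")
        else:
            limiter.record_failure(source, now)
            outcomes.append("denied")
    return outcomes


# Constructed attempts: src-A cycles through wrong passwords one per second
# and then tries the right one; src-B joins correctly on the first try.
SAMPLE_ATTEMPTS: List[Attempt] = [
    (float(t), "src-A", "12345678901", f"{t:06d}") for t in range(6)
] + [
    (6.0, "src-A", "12345678901", "483920"),
    (7.0, "src-B", "12345678901", "483920"),
]

if __name__ == "__main__":
    print(f"17-digit ID: {entropy_bits(17):.1f} bits; "
          f"11-digit ID + 6-digit password: {entropy_bits(11, 6):.1f} bits")
    print(f"9-digit ID at 1000 attempts/s: ~{expected_seconds(9, 0, 1000):,.0f} s")
    print(replay(SAMPLE_ATTEMPTS))
```

Two things the replay makes visible that the arithmetic alone does not: the limiter keeps src-A's correct guess out once its failure budget is spent, while src-B, who never failed, joins unaffected; and a limiter is a rate, not a reduction of the search space, so lengthening the ID and limiting attempts are independent controls. A production limiter would also key on the target meeting ID, since one meeting can be probed from many sources.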
        
         | diebeforei485 wrote:
         | Please don't think of this in entropy terms alone. There is a
         | massive usability difference between the two.
        
           | kingludite wrote:
           | Do it in base 9000 with baby names and common words. "Join us
           | in _black raven deodorant daisy mega delta leo_ "
           | 
           | Also create dud rooms with prerecorded conversation.
        
             | dsimms wrote:
             | or honeypot rooms with soft porn
        
             | dsimms wrote:
             | or honeypot rooms with super secret sounding military talk
        
           | jascii wrote:
           | I'm not sure I understand your point. The usability of
           | clicking a link stays equal regardless of the amount of
           | digits in the ID. Adding a password reduces the usability.
        
             | aidenn0 wrote:
             | The other day my wife got an e-vite with a link to a zoom
             | meeting, but the e-vite software will prerender all the
             | text to an image, so the link had to be copied in :(
        
             | madeofpalk wrote:
             | Security pretty much always reduces usability - that's the
             | trade off.
        
               | jtaft wrote:
               | I've been thinking about security and usability for a
               | while. IMO a big part of usability issues are related
               | to interfaces people have to interact with. This is
               | mainly concerning authentication and crypto related
               | processes.
               | 
               | I generally like the idea of smartcards, or having some
               | physical thing you carry around which is used to
               | authenticate with systems.
        
               | madeofpalk wrote:
               | Two factor auth - some physical thing you carry around
               | with you to authenticate with systems - is the very
               | definition of decreasing usability in order to increase
               | security.
        
               | jtaft wrote:
               | To clarify, do you mean usability as "how easy is it for
               | an end user to perform X?" I feel in general, adding
               | security to a system without security does decrease
               | usability.
               | 
               | I think focusing on "relative usability" is important
               | too. IMO it should be able to increase relative usability
               | AND security.
               | 
               | For instance, I use a YubiKey to store cryptographic
               | secrets. Generally I leave it plugged into my laptop, so
               | it does not add inconvenience to me in using it. Before I
               | had to type in a long password to decrypt my SSH key. Now
               | it's stored on a YubiKey, protected by a shorter PIN, and
               | requires a physical touch to perform cryptographic
               | operations. By moving cryptographic secrets from a system
               | with a large attack surface (the laptop) to a device
               | which requires physical access and has a smaller attack
               | surface (the YubiKey), I find the system is easier to use,
               | while increasing security.
               | 
               | I also find unlocking my phone and paying with apple pay
               | is easier to use than taking out my wallet and paying
               | with a card. Having my credit card information encrypted
               | on the phone makes it harder for a thief to use, when
               | compared to gaining access to the physical credit card.
               | 
               | One could argue a lack of security can lead to
               | decreased usability. Ex, a system under a successful DoS
               | attack makes the system not very usable. I digress
               | though, as I do not believe this is what you were getting
               | at.
        
               | minitech wrote:
               | I think they're referring to passwordless login with
               | physical keys. One unphishable factor that can't be
               | brute-forced or cloned and doesn't require typing and
               | password management.
        
               | madeofpalk wrote:
               | Still suffers from the same usability constraints.
        
             | dewey wrote:
             | An important Zoom feature is that you can dial in from a
             | regular cell phone / landline and conference phones. That's
             | one of the selling points of Zoom.
        
               | antoncohen wrote:
               | But when joining a Zoom call from your phone you dial a
               | number, then enter the meeting ID. The meeting ID has the
               | same number of digits as a US phone number, but it isn't
               | the number you dial. The calendar invites generated by
               | Zoom format the number + meeting ID in such a way that a
               | user can tap them and it will dial the number _and_ enter
               | the meeting ID.
               | 
               | Basically, in both cases (computer/app or dial-in),
               | increasing the number of digits of the meeting ID has
               | very little impact on the users. Forcing a user to enter
               | a password after joining (which is just more digits) does
               | impact the user.
        
               | kube-system wrote:
               | >Basically, in both cases (computer/app or dial-in),
               | increasing the number of digits of the meeting ID has
               | very little impact on the users.
               | 
               | It is a frequent use-case that people join meetings from
               | devices that are not running a calendar application, or
               | the calendar does not have the meeting invite.
               | 
               | For example: conference rooms.
        
             | Terr_ wrote:
             | > The usability of clicking a link
             | 
             | The situations and use-cases behind meeting-software are
             | such that you can't rely on this.
             | 
             | There are many situations where you want to transcribe the
             | information. For example, dialing in as voice-only with a
             | private phone based on an e-mail on your work-laptop.
             | 
             | Or perhaps a conference room at a client-site where the
             | client-guy has their corporate-approved presentation
             | laptop, but he can't find the e-mail/chat message with it.
             | Meanwhile you've got it up on-screen, but your device is
             | not approved for any kind of internet connection in this
             | part of the labs, and even your phone has no signal. (Yes,
             | I've been there.)
        
         | DrJokepu wrote:
         | If you don't separate the access key from the secret you can't
         | change the secret if and when it gets compromised.
        
           | panarky wrote:
           | Neither one is secret if you send them both to every
           | recipient at the same time.
        
         | chapium wrote:
         | Privately issue a certificate from the organizer and don't just
         | have a link anyone can join.
        
           | johannes1234321 wrote:
           | This makes it hard to have meetings with varying parties.
        
         | rtkwe wrote:
         | One way they're different is with an ID and password you can
         | lock people out of meetings. With just an ID other than rate
         | limiting clients there's no way to tell an authorized
         | connection from someone war dialing the number.
        
         | jackson1442 wrote:
         | It seems to me as if having a password could be a useful
         | feature to get additional features for a call. For example, a
         | webinar host could give a password to a select few authorized
         | to use camera/mic during the call, and just the meeting code to
         | all other spectators. I'm not too familiar with zoom, but this
         | feels like a better application than just two-step call
         | joining.
        
       ___________________________________________________________________
       (page generated 2020-04-02 23:00 UTC)