[HN Gopher] Zoom lied to users about end-to-end encryption for y...
___________________________________________________________________
Zoom lied to users about end-to-end encryption for years, FTC says

Author : eddieoz
Score  : 1257 points
Date   : 2020-11-10 09:55 UTC (13 hours ago)

(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)

| Quarrelsome wrote:
| So will they get fined more than Snapchat for lying about ephemeral messaging or will this be the usual American "slap on the wrist" thing we usually see to protect the investors?
| Ardren wrote:
| A slap on the wrist would be something [1]
|
| They don't even need to tell their customers that they lied [2]
|
| 1: https://www.ftc.gov/system/files/documents/cases/1923167zoom...
| 2: https://www.ftc.gov/system/files/documents/public_statements...
| eddieoz wrote:
| In a world where US and EU are willing to ban Signal because it doesn't allow a 'master key', Zoom is the BFF of governments and regulators.
| matheusmoreira wrote:
| Aren't government officials using Signal themselves precisely because it is so secure?
| danielscrubs wrote:
| What?
|
| "The European Commission has told its staff to switch to the encrypted Signal messaging app in a move that's designed to increase the security of its communications."
|
| This was February 2020, has something changed?
| macrolime wrote:
| Yes
|
| https://news.ycombinator.com/item?id=25028411
| thrwyoilarticle wrote:
| The EU isn't a single individual. It isn't even a group of individuals with aligned interests. As such, its many different heads shouldn't be expected to have consistent messaging. This is a draft so, as of now, it's factually untrue to say the EU are willing to ban encryption.
| ckocagil wrote:
| That's encryption for the state, not for us peasants.
| matheusmoreira wrote:
| Can the government somehow restrict end-to-end encrypted messaging to officials only?
| vorpalhex wrote:
| They can try the same as they can pass any other law. Of course, whether or not practically they can do it is another issue altogether...
| Notorious_BLT wrote:
| Given the opportunity, most governments would. Just look at the US's attempts to force phone OS vendors to include backdoors
| moftz wrote:
| They would just have a single state-run CA and ban all E2E messaging apps from app stores. Only state employees would have access to an E2E messaging app that would only use govt certs from the CA. Any apps that continue to operate outside of an app store could have their domestic servers seized and anything foreign would be blocked by all domestic ISPs. The govt could allow for civilian apps to use weak encryption as some sort of compromise but anything the govt can't crack instantly would be banned. It would require a Great Firewall-level of control with the govt playing whack-a-mole for a while but with enough time and money, civilian E2E would be near impossible. Fortunately, this is still a pipe dream for even the most extreme statists but if large corporations can come around to the idea of giving the govt an unlimited backdoor to their internal communications, say good bye to any/strong encryption for the average person.
|
| This level of planning is like the US govt outlawing all guns tomorrow, it just isn't going to happen any time soon since not only are gun-owners usually not the type to want to give up a gun, the prevalence of gun ownership is so massive that it would take equally massive resources to run a completely successful confiscation program.
| shbooms wrote:
| According to the article, they won't be fined at all:
|
| >"Today, the Federal Trade Commission has voted to propose a settlement with Zoom that follows an unfortunate FTC formula," FTC Democratic Commissioner Rohit Chopra said. "The settlement provides no help for affected users.
| It does nothing for small businesses that relied on Zoom's data protection claims. And it does not require Zoom to pay a dime. The Commission must change course."
|
| Under the settlement, "Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false," Democratic Commissioner Rebecca Kelly Slaughter said. "This failure of the proposed settlement does a disservice to Zoom's customers, and substantially limits the deterrence value of the case."
| a_nar wrote:
| I saw this on /r/privacy a few hours ago. Funny how things from reddit can appear on HN, and vice-versa
| tester34 wrote:
| What's wrong/funny with that?
|
| Both are news "aggregators"
| residentfoam wrote:
| fake it until you make it
| frabjoused wrote:
| Few years ago I noticed BBM Enterprise touts end-to-end encryption pretty strongly in their marketing, without mentioning an up-front caveat.
|
| https://www.blackberry.com/us/en/products/bbm-enterprise
|
| Turns out that by default, BBME is not end-to-end. The initial handshake is transparent to Blackberry, and they could use that to decrypt future messages without your knowledge.
|
| To enable true end-to-end, you have to opt in to an out of band handshake to start each new conversation, an option you can turn on in their admin console.
|
| How many people are actually going to opt in to dealing with a confirmation SMS for every new thread?
|
| I reached out to Blackberry at the time to update their literature as it was misleading, but no action was taken by them.
| dane-pgp wrote:
| BlackBerry has always been untrustworthy when it comes to encryption:
|
| > The defence in the case surmised that the RCMP must have used the "correct global encryption key," since any attempt to apply a key other than BlackBerry's own global encryption key would have resulted in a garbled mess.
| According to the judge, "all parties"--including the Crown--agree that "the RCMP would have had the correct global key when it decrypted messages during its investigation."
|
| https://www.vice.com/en/article/mg77vv/rcmp-blackberry-proje...
| londons_explore wrote:
| If Zoom made clear to users that connections were not secured to the same standards as competitors, and that potentially hundreds of employees could be silently listening in on any call, I think that would have prevented them becoming a leader in video conference tech.
|
| So the right fine here is their entire market cap. That would put them back at square one, which is where an honest competitor would be right now.
| sriku wrote:
| Is this about the audio streams? I imagine that if at any time there are a million video streams happening, and zoom wanted to sneak into 1% of them, it would pretty much need 10000 vCPUs of compute to do that? The current tech scales affordably because only the encoded packets get transmitted between callers (via "selective forwarding units") without needing server-side re-encoding?
|
| edit: That was for video streams. For audio streams, certainly the CPU cost is lower - about 10%.
| cheschire wrote:
| The processing doesn't need to happen live. Bitstreams can be captured along with metadata for later searching, a la xkeyscore.
| jefftk wrote:
| _> the right fine here is their entire market cap. That would put them back at square one_
|
| I don't think Zoom has transgressed anywhere nearly this badly, but even if I did it doesn't make sense to fine any company their entire value unless your goal is simply to destroy them. The company is only worth as much as it is because it is expected to continue as a company, and there would be no way for it to continue if it owed that much money to the government. Unless it was nationalized and run by the government, but I doubt you're proposing that?
| Which means instead the company liquidates, and its liquidation value is far less than its value as a business.
| londons_explore wrote:
| A good punishment is government nationalizes it, paying shareholders nothing, then immediately sells those shares back onto the public markets. The government would earn close-ish to the market cap.
|
| Effectively, allow the company to continue as before, but wipe out all shareholders. After all, they are the people who allowed this behaviour. They are the ultimate decision makers.
| yepguy wrote:
| No, abandoning property rights is not even close to an appropriate punishment, even for those directly responsible for the fraud, let alone for ignorant shareholders.
| pjc50 wrote:
| I don't think people would be calling for this level of punitive fines if Zoom were a Silicon Valley company making misleading claims.
| fakedang wrote:
| Fun fact, Zoom is a Silicon Valley company making misleading claims. It was started in California originally, not China.
| amelius wrote:
| Totally agree, and this should hold for any kind of illegal growth hacking.
| johannes1234321 wrote:
| Is it really different from competitors like Cisco (webex, jabber, ...)? A big selling point of all those is phone dial in which can't be done with e2e encryption (the phone gateway run by the operator has to have the keys)
| thesimon wrote:
| The thing is: Our team doesn't use phone dial-in, haven't even seen the feature so I guess it's not enabled, but still we don't have e2e encryption.
|
| That doesn't make sense.
| user5994461 wrote:
| Phone dial-in is always a paid addon.
|
| I guess it's the same on Zoom and your company doesn't pay for it.
| johannes1234321 wrote:
| No doubt there, but GP referred to competitors and in that segment e2e is rare.
| jrochkind1 wrote:
| > If Zoom made clear to users that connections were not secured to the same standards as competitors...
|
| Which competitors offered true E2E?
|
| I think mostly they were (misleadingly/lyingly) promising something _above_ what most of their competitors offered, no?
| Spooky23 wrote:
| Their competitors were using the same standard of security.
|
| FaceTime is the big E2E service. Most anything else allows dial in, and is not E2E. Zoom's sin is bad marketing copy.
| eddieoz wrote:
| Some reports say the whole video conferencing market, being very optimistic, will reach $50B in 2026 (considering Covid-19 - https://www.gminsights.com/industry-analysis/video-conferenc...)
|
| But Zoom, alone, already has a marketcap of $117.534B (https://finance.yahoo.com/quote/ZM/)
|
| I really think there is an unsustainable distortion happening.
| user5994461 wrote:
| The market being $50B means there are $50B of sales to do per year.
|
| Market cap is a multiplier of revenues, easily 10 or 20 for a tech company, that means a $1T market cap to be taken across the videoconference companies.
|
| Wondering how numbers can be so high? Count $10 per month * 12 months in a year * 100 million employees in the US... that is $12B per year going to video software!
| vitus wrote:
| Actually, price / earnings (P/E ratio) is typically 10-20 for _any_ company in the S&P 500. When you look at big tech, the numbers are drastically higher:
|
| - AMZN: 92
|
| - GOOG: 34
|
| - FB: 33
|
| - NFLX: 76
|
| - AAPL: 35
|
| - MSFT: 35
|
| Compare this to, say, 3M, at 19, or GM with 17.
|
| edit: incidentally, apparently Zoom's P/E is... 527, which is grossly inflated even for a tech company. Tesla is also in the same category with a P/E of 834.
| chasebank wrote:
| P/E ratio formula is listed above correctly, however, earnings is earnings per share, not revenue. So the parent's market valuation rationale is whacky.
|
| Side note - Go read about Japan's lost decade and you'll see how dangerously close our (US) current speculative investing environment is to theirs before it fell.
| A4ET8a8uTh0 wrote:
| It is, but markets can stay irrational longer than you can stay liquid, to paraphrase a somewhat famous quip. I was also one of those people who tried shorting TSLA since I believe they are way overvalued. I agree with you, but the market has spoken.
| Spooky23 wrote:
| Market cap is the paper value of the company. It has little to do with the market. Zoom's planned pivot is into boring markets like business VoIP.
|
| Zoom went bananas because they won the space at a point in time that mattered. FaceTime is too proprietary and lacks features due to E2E, WebEx is run by incompetents, Google Meet is hard to use, and Teams is too complex. There's a thousand other competitors with a few users.
|
| Speculators poured billions into the consort and the valuation went nuts. That could go away in a week.
| amelius wrote:
| > I really think there is an unsustainable distortion happening.
|
| Yes, soon any website can have their own videoconferencing using web technology like WebRTC. And implementation will be as simple as running "npm install".
|
| > But Zoom, alone, already has a marketcap of $117.534B
|
| Yes. Zoom having a market cap that's more than half of Intel? Come on now ...
| clusterfish wrote:
| Wild optimism aside, you can sell one or even a thousand ZM shares at approximately the current market price, but you can't sell the entirety of the company at the same price. The pool of buyers is much smaller for such volumes.
| newh90 wrote:
| I don't really think so. I think we are just moving away from inefficient meetings that are IRL. I would love to see all meetings go remote for many reasons. I think this will stay even once Covid is gone.
| velcro wrote:
| Not defending them in any way - but don't think security was the primary reason for Zoom taking off. It was stability - it just worked and at the same time competitors didn't.
|
| Everybody used to have Skype and I would have gladly handed over my data to MS if only it would have been able to do stable video calls. It was often a disaster for just 2-way calls, let alone group.
| londons_explore wrote:
| > don't think security was the primary reason for Zoom taking off. It was stability
|
| Stability was the main draw, but company IT departments would have had more power to ban it if there were bigger and clearer risks of corporate secrets escaping.
| AmericanChopper wrote:
| Any company IT department's power to ban something is inversely related to how much its users want to use it. Also, the videoconference provider stealing company secrets is not part of most companies' threat model. Teams and Slack are incredibly popular corporate tools, and neither of them offer this feature. WebEx is the only reasonably popular tool I can think of that supports it, and any security department that cared strongly about E2EE, would be asking questions like "do you perform key escrow" if they were thinking of migrating off something like that.
| baskire wrote:
| Why isn't it? I highly suspect the CCP stole trade secrets with zoom.
| AmericanChopper wrote:
| Because in order to operate a business (or any organization), you have to at some point decide on a group of service providers and other 3rd parties that you trust. For most organizations, trusting a major videoconferencing vendor is going to be within their risk tolerance. For some organizations (or for some use-cases within organizations) this wouldn't be acceptable (or perhaps trusting Zoom wouldn't be acceptable, where a different vendor might be), but at this point you're starting to stray outside of Zoom's target market and into a set of more specialized requirements.
|
| Defending against sophisticated state-level actors goes even further beyond the requirements of most businesses.
| Unless you had a specific reason to believe that you were a target of such actors (dealing with national security, or matters of significant national strategic importance), you couldn't justify investing much resource into such defensive measures.
| mfer wrote:
| Industrial espionage is real. There are many companies who are concerned about this and take active steps to keep data secret who would likely not have approved zoom use if they'd known e2e encryption wasn't to the level they were told.
|
| Some folks are concerned with more than stability and ease of use.
| Spearchucker wrote:
| One can't just delegate responsibility like that. Any company should engage in some form of due diligence before procuring software. If there are expectations of privacy then those should be proven by the company procuring the software, not the vendor.
| mysterydip wrote:
| How would you verify e2e encryption on a proprietary protocol? Not every company that cares about privacy has crypto experts on staff. They should have a reasonable expectation that the vendor is telling the truth.
| posix_me_less wrote:
| 1. Is the software proprietary? Liability, Denied.
| jkepler wrote:
| You can't. Don't trust, but verify. If a company or individual needs strong privacy, they should verify any encryption claims.
|
| This would mean using only libre/open source software like Jitsi or Linphone, as one could verify the code or hire experts to verify the code.
| ClumsyPilot wrote:
| You know what it's called when you purposefully lie about your products or services to gain an advantage? Fraud.
|
| If this was happening in any other industry (except finance?), the perpetrators would be in jail.
| jfrunyon wrote:
| So it's okay that Zoom lied because users should have reverse engineered it to verify that what Zoom said about their own product was true?
| rndgermandude wrote:
| No, if a company was really worried they shouldn't have opted for a cloud product with a (partly) Chinese-owned company. A lot of companies go through the trouble of giving their employees (especially management) "throw away" phones and/or computers when they send them to "problematic" places, in particular China, but then they install Zoom for their C-level and middle management executives to use, huh?
| peteradio wrote:
| But everybody knows C-level and middle-management don't actually know anything or do anything. Have at it! It's like spamming the spammers.
| moduspol wrote:
| It's difficult to imagine a company that cares that much about keeping their video chat data private, but would use _any_ third party service.
|
| That doesn't justify zoom making false claims--I just don't think the companies you're describing would be using zoom.
| rndgermandude wrote:
| Or state secrets, or court secrets, or just preventing random zoom admins from watching children in virtual class rooms.
| tonetheman wrote:
| THIS THIS THIS. End users (generally) do not care about security they just need it to work.
|
| That is what was great about zoom. The security becomes important after it works.
| SkyPuncher wrote:
| > It was stability - it just worked and at the same time competitors didn't.
|
| This is absolutely huge. We've tried Teams (and I have previously used Webex and Hangouts).
|
| It seems like there is _always_ one person that struggles with other video services. Can't join, video/audio issues, CPU usage, latency, etc. Painful when 10%+ of a meeting is consumed by getting one last, key person trying to fix their issues.
| pulse7 wrote:
| It was stability and speed! It uses very little CPU for everything!
| WhyNotHugo wrote:
| They took money from many clients to provide a service.
|
| They did not provide the service they advertised: they provided something much inferior (and that's actually unsuitable for many industries).
|
| It's not really about "what would clients have done otherwise". It's a matter of giving money back.
|
| If you pay me to write a program, and it only does half of what I promise, wouldn't you want [part of] your money back?
| unityByFreedom wrote:
| > It was stability - it just worked
|
| Also due to deception, it auto reinstalled on macs until they were caught.
| eznzt wrote:
| "this software I uninstalled keeps reinstalling itself. oh well, I guess I will have to use it!" said no one ever.
| unityByFreedom wrote:
| Users were unaware this was happening. "It just worked" because it would install itself in the background unbeknownst to the user, thus obviating the need to take time to install it when needed.
| levosmetalo wrote:
| It's much easier to make a stable communication product if you don't need to worry about security and privacy.
|
| Just look at the troubles and hurdles Signal messenger needs to overcome to implement some features, while the competition that is not so security focused has them since forever.
| vaccinator wrote:
| Skype was better before the MS acquisition... and it used to be P2P. It'd be nice if the pre-MS source would leak somehow.
| DangerousPie wrote:
| I think you may be viewing history through slightly rose-tinted glasses there - I used pre-MS Skype a lot and it was never anywhere near as reliable as Zoom is and didn't support group video chat at all. And the fact that it was P2P meant that some features that everyone would expect to work these days (offline messages, mobile support) were simply not possible at all.
| vaccinator wrote:
| Or maybe your long term memory is corrupted?
| sunshinerag wrote:
| Amen
| michaelmior wrote:
| I'm not sure what would be accomplished if the source leaked.
| Someone would still need to maintain both the client and now a new set of servers. This would be difficult given that Microsoft would almost certainly use whatever means they could to stop this from happening.
| colejohnson66 wrote:
| Wasn't Skype pre-MS P2P, not server based?
| michaelmior wrote:
| Perhaps. But at minimum there would still be some server necessary for discovery purposes.
| vel0city wrote:
| The client application was also the server application. Clients with good connections which appeared to always be online became super nodes which were the directory "servers" you would connect to. The code base contained a long list of previously known super nodes and would attempt to connect to those on first start. As it ran it would keep syncing the list of close super nodes. There were many hundreds of super nodes, so the odds of all of them changing or going offline were pretty slim.
|
| I imagine some people at Skype probably kept a few instances of Skype running at the office. So they technically hosted a few super nodes, but it wasn't necessarily that they were running some vastly different server version of the app. It wasn't until Microsoft decided to cut down on the P2P aspect of the app and hardcode only Azure-hosted super nodes into the application that this changed.
| michaelmior wrote:
| Interesting. I didn't realize that Skype was _really_ P2P. Thanks for sharing :)
| colejohnson66 wrote:
| Isn't that also how BitTorrent's DHT works?
| eznzt wrote:
| https://escargot.log1p.xyz/
| michaelmior wrote:
| Wow. Brings back memories as MSN was the messenger of choice during my college years :)
| kristofferR wrote:
| Fun fact, the original Skype developers also developed the great (for its time) P2P filesharing app/network Kazaa/FastTrack.
| Xelbair wrote:
| and it could be more stable because it didn't implement e2e encryption.
| viraptor wrote:
| I wish that was true, but in practice I think it wouldn't matter. Zoom was the only one ready with infrastructure, multiple clients, automatic quality adjustment, screen sharing options, scheduling, and many other needed features.
|
| Otherwise we had hangouts/meet with very basic features and jet-taking-off Mac behaviour, chime which is really good but nobody heard of it (Amazon is not interested in that market apparently), Skype which aims for social chat consumers, slack which works only within the org, jitsi, and a thousand of me-too apps with very basic feature set.
|
| Zoom could kick your puppy at the end of each call, and it would likely still be the best choice at the time :-(
| ClumsyPilot wrote:
| "chime which is really good but nobody heard of it"
|
| So there was a competitor after all?
| viraptor wrote:
| Amazon doesn't seem interested in that app being used by random consumers. There's very few accessible guides around it. It's technically good, but it's not even a competitor as such.
| newh90 wrote:
| Sure, if you don't worry about privacy.
| jcims wrote:
| You can care about privacy yet still prioritize not killing your company in a pandemic.
|
| Very few things that are hosted are immune to employee buggery, that's why companies invest in third party risk management; to assess those risks, which are always material and non-zero and determine if they are within the appetite of the organization.
| newh90 wrote:
| true. one could just use onsite or p2p tech that avoids using servers beyond handshakes.
| ForHackernews wrote:
| I don't think anyone except crypto-nerds cares about this. Normal people just assume everything can be wiretapped and Zuckerberg and friends are always listening.
| me_me_me wrote:
| Sure, that sounds like fair solution.
|
| But that's not how capitalism works.
|
| You can be honest business or you can steal billions, get caught and pay millions in fines.
| I think everyone can see a problem here. You pay back less than you stole so this is an active encouragement to steal.
|
| Most recent example, Morgan Stanley fraud for billions in profit pays fine of 1.5 mil [0].
|
| Reality is borrowing from Kafka.
|
| [0] https://coinweek.com/bullion-report/morgan-stanley-mitsubish...
| zelphirkalt wrote:
| Hmmm, why am I not surprised right now?
| 29athrowaway wrote:
| Companies that mine data from users will often mislead users when it comes to privacy.
|
| e.g.: "You have control over your data"... no, you don't.
| cfstras wrote:
| What other popular group video meeting tools are e2e? I know of none.
|
| I remember reading a while back that Zoom claimed a few times they were e2e-encrypted, but what they meant was transport encryption.
| izacus wrote:
| Between others mentioned here there's also Google Duo, but it's not really a meeting tool but a FaceTime competitor.
| Aachen wrote:
| If you want my popular products then nobody can answer because you'd know of them already. So I'll generalize to what group video tools are e2ee:
|
| -> Jami (according to their website, I only ever used their chat and regular one-on-one calls)
|
| -> Wire (client and server open source, but not community-led development)
|
| -> WhatsApp (if you trust Facebook, proprietary back-end)
|
| And if you consider open source & on-premises / "can be completely locked off from the Internet so only you can access it" software to be end to end encrypted (if you personally run the server, you're one of the endpoints):
|
| -> Jitsi Meet (full e2ee is under development, collab with Matrix I think)
|
| -> BigBlueButton
|
| -> Apache OpenMeetings (I never used this one, can't vouch for it)
|
| Signal and Threema don't do group calls as far as I can quickly find online, correct me if I'm wrong.
|
| Anyhow, plenty of options whether you like to self host (saves a ton of CPU on encryption and lets the server do stream mixing) or have full end to end encryption. Why do you care whether they're used by a billion people / "popular"? You can still choose to use them and improve the status quo because why not?
| cfstras wrote:
| - I was looking for "desktop-solutions" comparable to Zoom, so WhatsApp and Telegram are out of the question (Telegram doesn't do group calls AFAICS).
|
| Some notes:
|
| - Wire has published a detailed whitepaper on e2ee. https://wire-docs.wire.com/download/Wire+Security+Whitepaper...
|
| - Jami (formerly GNU Ring) has an interesting post about having e2e here: https://security.stackexchange.com/a/162603/243716
|
| - Jitsi e2e is testable, but they note that it's not completely finished. Key exchange has to be done manually.
|
| - https://github.com/bigbluebutton/bigbluebutton/issues/9893 suggests BigBlueButton don't have e2e yet
|
| - Wikipedia claims "no encryption protocol" for OpenMeetings https://en.wikipedia.org/wiki/Apache_OpenMeetings
|
| ---
|
| So that leaves Wire and Jami. Thanks for the info!
| Aachen wrote:
| Oh right sorry, Telegram indeed doesn't do group calls. Removed them from the list. Thanks!
|
| As for Jitsi, BigBlueButton, and OpenMeetings, no indeed they don't do encryption currently, hence them being in the second section with open source self-hostable conference software rather than the e2ee section above. To me, depending on the use-case (if you can self host on a trusted system) that would be equally secure and also doesn't leak metadata (who calls who) to some central system.
|
| Wire's most recent system (launched a few weeks ago to make the video conferencing more efficient, bumping max participants from 4 to 12) also tries to avoid learning who is in a conference with who, but fact is that if you observe their datacenter there'll be traffic going to certain IP addresses that starts and stops at the same time.
|
| For what it's worth, to add my experience/recommendations: I really liked the BBB setups I've been in (largest was a hundred or so people) and would recommend that if you're looking for an alternative. Wire also works reasonably and because it's end to end encrypted you don't need your own setup to get started, but isn't as open source oriented as BBB/Jitsi and the CPU load from the encryption during video or screen sharing is quite significant. Jami, last I tested, was quite buggy, but that was way before the pandemic. Full disclosure: so far I've only had to decline one Zoom request and so I've never been in a Zoom(r) call (not a single of our clients uses Zoom, yet people use the brand name as a synonym for video call? I don't get it), so I can't compare any of these with Zoom.
| upofadown wrote:
| I think the assumed implication with E2EE is that no one other than the participants can get at the content of your communications. To do that you need:
|
| 1. All cryptographic keys controlled by the users.
|
| 2. Some way to confirm you are actually connected to who you think you are connected to.
|
| 3. A way to confirm that the code you are running is not leaking keys/content.
|
| So Zoom failed on all 3 points. There are lots of things out there claiming E2EE that fail on one or more of these points. Almost all fail on point 2 unless the user does things that they almost never do. Is the FTC going to come up with an E2EE definition for trade and start prosecuting those that don't meet that definition?
| Otherwise it would seem unfair that they only went after the entity that ended up in the general media.
| pbronez wrote:
| > almost all fail on point 2 unless the user does things that they almost never do
|
| Are you referring to the "scan this QR code to verify your partner's key" function in secure messaging apps? I definitely use that. I try to keep all my primary contact's keys verified. It's harder during COVID when you're not meeting up in person as often, because anything besides meeting in person and verifying the two devices directly exposes you to another unverified channel.
|
| It's very hard to bootstrap this stuff. Sure, "web of trust" but that's hard too. Speaking of which, didn't Keybase get bought by zoom to help with exactly these issues?
| upofadown wrote:
| >Are you referring to the "scan this QR code to verify your partner's key" function in secure messaging apps?
|
| Yes. Or read the weird numbers/letters over the phone. Or look at the strange image and compare it somehow.
|
| For all I know there is something out there that wants you to compare a tune...
| jtdev wrote:
| The relationship between Zoom and China should outright disqualify it from being used in any Democratic countries.
| Dahoon wrote:
| I don't see how democracy has anything to do with wanting to secure video calls or not but anyways, how is this worse than trusting anything from the US? Not trying to add whataboutism, but curious if you have the same look on security when made by companies that share data with someone that realistically could come after you for anything done in those calls. PRC clearly can't unless you live _in_ PRC while the FBI and CIA operate in most of the world, more often than not hand in hand with local police or agencies.
| jtdev wrote:
| Did the Polish scoff at the rise of the third reich simply because there existed a line on a map dividing Germany and Poland?
| themacguffinman wrote: | No, they just find any possible family you might have in | China and threaten to hurt them if you don't either return to | the PRC or commit suicide [1], much better. | | [1] https://en.wikipedia.org/wiki/Operation_Fox_Hunt | temp667 wrote: | I was never confused, but am more technical. I mean, how do you | terminate to POTS, do the mix-ins etc without zoom decrypting on | their end? If it's E2E encrypted and I have a dial in number - | it's not E2E in that sense. | ahmetyas01 wrote: | why the servers are in China? For Asia market or for communist | part? | meowface wrote: | All they had to do was say "encrypted" instead of explicitly | saying "end-to-end encrypted" when it very clearly wasn't end-to- | end. | | The former still could've been a bit weaselly and misleading | (many non-technical users would probably have assumed "encrypted" | implied total confidentiality), but what they actually did was so | much worse. I hope they get hit hard on that. | istjohn wrote: | Per the article, they are not getting "hit hard." No fines and | no compensation for their customers. | sizt wrote: | Zoom lied. People spied. | macspoofing wrote: | >People spied. | | Did they? Which people? When? How? | carapace wrote: | That's kind of the point isn't it? You can't know, because | it wasn't actually e2ee, eh? That's the harm. | | Also, think of the competitors of zoom who lost customers | to them due to their lying, that's a harm too, eh? | | These are hard to quantify but they're not nothing. | crazygringo wrote: | Well, we _can_ know. | | It _was_ encrypted, but not E2EE, so the only person who | could have spied was Zoom itself, and we know the how too | - by the same mechanism it performs a video recording, | for example. | | We just don't know _if_.
But seeing as we've had _zero_ | reports of any real-world consequences that could only | have come about by Zoom spying, combined with the fact | that "spying on your customers" is anathema to your | business model and therefore a risk no sane and rational | board of directors would ever approve (moderate upside, | enormous possibly business-ending downside if ever | discovered)... Occam's Razor says no spying ever | occurred. | raxxorrax wrote: | Do you know about every case of industrial espionage? | No, because neither victim nor perpetrator are interested | in sharing that info. | carapace wrote: | Ockham's razor doesn't apply in adversarial contexts. | lvs wrote: | "We can know" ... "We just don't know if." ?? | | And that's not what Occam's Razor means. | Schiendelman wrote: | You definitely can't apply Occam's razor simply because | you don't have _access_ to information. | [deleted] | Dahoon wrote: | All network traffic in the US should be seen as the | opposite of innocent until proven guilty: Unless you can | prove otherwise, everything we know of surveillance tells | us that of course everything and everyone was spied upon. I | can't think of any reason the NSA and/or CIA should _not_ | have spied when they do so on everything else they can get | their hands on. | myself248 wrote: | Years ago, this attitude was seen as paranoid and | bonkers. Then Snowden proved it true. Not only true, but | barely scratching the surface. What's actually happening | is beyond the wildest fever-dreams of the most extreme | 90s crypto-punk ever. | | Why are people still able to pretend otherwise without | being laughed out of the room? | _jal wrote: | > Why are people still able to pretend otherwise without | being laughed out of the room? | | It is a variant of a Bible Thumper & Bootlegger | coalition. | | A large portion of the population really doesn't want to | believe it.
A small population with a vested interest | (and lots of relevant tools at its disposal) is happy to | help them. | eru wrote: | They spy on network traffic outside the US, too. | eddieoz wrote: | "[S]ince at least 2016, Zoom misled users by touting that it | offered 'end-to-end, 256-bit encryption' to secure users' | communications, when in fact it provided a lower level of | security," the FTC said today in the announcement of its | complaint against Zoom and the tentative settlement. Despite | promising end-to-end encryption, the FTC said that "Zoom | maintained the cryptographic keys that could allow Zoom to access | the content of its customers' meetings, and secured its Zoom | Meetings, in part, with a lower level of encryption than | promised." | | That's the concept of E2Z2EE (End2Zoom2End Encryption) | xiphias2 wrote: | Customers or users? There's a huge difference between the 2, | and this excerpt uses the 2 words like if those were | interchangeable. | joombaga wrote: | What's the difference? Aren't they the same group of people | in this context? | rsstack wrote: | Free users are not customers. | agustif wrote: | Only drug dealers and tech call their customers -users- | sizt wrote: | Which explains why UI's generally are about as pleasant | as scoring a dime bag on a dark corner. | newh90 wrote: | haha yes, true. | xiphias2 wrote: | I'm sorry, I'm not a native English speaker. According to | the Oxford dictionary customers are people who buy a | product or service. | | Zoom was thinking of giving only them E2E encryption, and | actually I would pay for that service if I would trust | Zoom. Currently I use telegram to speak with my friends, | but the call drops quite often as we don't have stable | internet connection. | bigbubba wrote: | Maybe, since you admit your English language skills could | use some work, you should give up on linguistic pedantry | and find a new hobby. 
| xiphias2 wrote: | If my English here is so bad why do I see "end user" in | Zoom's terms of license all the time, and customer for | paying customers? | | Can you provide a better legal definition than what I | see? (Only the legal meaning of the word matters in the | current context). | | We're talking about hundreds of millions of people being | affected vs few million people, it matters a lot. You | would understand that it's very far from pedantry if you | followed all announcements that Zoom had in the past. | oarsinsync wrote: | I think a better distinction is 'paying customers' and 'non- | paying customers'. Customers being a subset of users after | all makes it a bit ambiguous. | | Not that it should matter in the context of the feature being | described. | xiphias2 wrote: | I'm still not a native English speaker, but a Google search | shows that non-paying customers are people who don't pay | their bills, which is not the same thing as users who don't | have bills to pay. | | Also as I wrote, Zoom was thinking of selling E2E | encryption as a paid feature, that's why the distinction | really matters (I would happily pay for it if that would | give me a strong assurance that I just don't have so far). | pc86 wrote: | Non-paying customers can mean either customers who are | delinquent in paying their bills, or customers that are | using the service for free with permission. | selimthegrim wrote: | Non-revenue customers for the latter (from airlines) | bshipp wrote: | I don't think I'd happily pay for Zoom, regardless of | their encryption promises. I've personally struggled more | with zoom call quality issues and hardware conflicts than | I have with any other video conference provider. | olyjohn wrote: | Also anecdotally, I hear the opposite from every single | person I know. Zoom has been the video conferencing | system that works the best. Have you ever used | Go2Meeting, WebEx, Teams?
Constant struggles with those | applications for me, my friends, and my co-workers. | tuukkah wrote: | In my experience, Google Meet is the one where no-one has | problems. Zoom and Teams are the least reliable of the | bunch. | mianos wrote: | You really have to use Teams every day to appreciate just | how buggy it is on all three platforms. I used slack | video for remote standups for a year or so and aside from | the odd little hiccup it was boringly stable. Teams fails | at least once a week. | 120photo wrote: | Oh no, a company based out of China lied to everyone? Say it | ain't so. | YinglingLight wrote: | You guyz, look at how CCP sponsored TikTok users trolled Trump | this time!!1 | WhyNotHugo wrote: | I find it amusing that congress is seeking to ban E2EE, yet the | FTC fining a company that lied about doing it. | koheripbal wrote: | It's not really a contradiction if you think about it. | kevmo wrote: | Yep. They're fining the customer fraud, not the lack of E2EE. | | I wish executives would start going to jail over this stuff. | Bet they'd stop lying to their customers then. | WhyNotHugo wrote: | Yeah, I get the impression that if some guy frauds a bunch | of rich guys, he goes to jail, but if a corporation frauds | millions of users, they're just politely asked to behave. | kevmo wrote: | Indeed. The government basically says "Please give us 1% | of the profit you made from defrauding millions, and we | will call it a day." | pluc wrote: | Where is the consequences addendum? | rwmurrayVT wrote: | There are none. | ineedasername wrote: | Companies that make claims like this should provide an external | audit to support their claims. | throwaway4good wrote: | I thought they made a deal with Trump/Oracle and that fixed all | this stuff? | simonh wrote: | You're thinking of Tiktok. | throwaway4good wrote: | From https://www.cnbc.com/2020/04/15/oracles-larry-ellison- | calls-... 
: | | Along with its growth in users, Zoom has seen concerns spike | about how it is protecting users' privacy. The Senate advised | members not to use the service, according to Ars Technica and | the New York City Department of Education banned its use for | remote learning. A group of state attorneys general are | probing the company after one of the officials was | "zoombombed" on a forum about the Census, meaning the chat | box was filled with profanities. | | Ellison's support could prove useful to Zoom as it wades | through the new challenges of becoming a consumer tech | company. Ellison is an influential billionaire with ties to | the Trump administration. He has supported Trump's campaign | and even told the President about an anti-malaria drug Trump | ended up touting as a possible treatment for the coronavirus, | according to The New York Times. Oracle CEO Safra Catz served | on Trump's transition team in 2016. | simonh wrote: | So Ellison 'supports' Zoom, but as far as I can tell the | connection with Trump is pure speculation. | throwaway4good wrote: | It was a prelude to what happened to TikTok. Or almost | happened to TikTok as now with the Trump administration | is gone, it makes no sense to do a deal with Oracle. | morpheuskafka wrote: | Pretty ridiculous for the US to be enforcing this while they try | to ban and reduce availability of E2EE worldwide. Zoom et al. are | doing them a great service by spreading FUD and confusion about | what E2EE even is. Once it's reduced to "complex math thing" in | people's minds no one will know or care when they ban it. | some_random wrote: | The US has more than one actor in it, only some of them care | about E2EE. This is true for literally everywhere. | micropoet wrote: | Is this the reason stock price going down? or Covid vaccine?
| kevincox wrote: | > Zoom has agreed to a requirement to establish and implement a | comprehensive security program, a prohibition on privacy and | security misrepresentations, and other detailed and specific | relief to protect its user base | | What a slap on the wrist. "You blatantly lied to your customers | for years. How about you just continue to implement the thing | that you were working on anyways." | | I don't think punishment is always the best solution but it seems | that you should at least set some sort of example. | raxxorrax wrote: | Certainly with government access to messages. The minds in | charge would never let such an opportunity slip. They are set | in the cold war of terror and that won't change for the current | generation. So it is still not a good idea to use Zoom. | shyn3 wrote: | Is that a reference to the Chinese government because it | appears in Canada we are using Zoom as well. | | https://www.theglobeandmail.com/opinion/article- | participatin... | joering2 wrote: | > What a slap on the wrist. | | Exactly. Any small startup owners would see jail time. Similar | case in recent History is Trump non-profit (please no | flamewars). There are tens of thousands of business-owners | rotting in jail today because they embezzled half a million | bucks or more - here with Trump charity you have case of at | least $2 million stolen plus self-dealing and basically living | your whole life/paying personal bills out of charity and what | does the judge do? - "Here Mr. Trump is a $99 training seminar | on "How not to steal" from your own charity. Go get you and | your children watch this online class and report back when you | done". | | Unbelievable. | gmd63 wrote: | Punishment is the best solution. Incentives are what drive | behavior, and learning that you can get away with lying will | just lead to more getting away with lying. 
| [deleted] | acbart wrote: | When it comes to training humans and animals, positive | punishment is far less effective than most other training | techniques like positive reinforcement. Don't Shoot the | Dog[1]! | | [1] https://www.amazon.com/Dont-Shoot-Dog-Teaching- | Training/dp/0... | jvanderbot wrote: | Unfortunately, the positives are customer adoption, and | customers have already adopted zoom. This is like | continuing to feed the dog treats because it's what you're | used to, regardless of the outcome of their actions. | | But more generally, it's not obvious that _individual_ , | "reptile-brain" incentives translate to large company | leadership. I'd be hugely skeptical of applying positive | psychology to international corporate leadership, but what | do I know anyway. | unityByFreedom wrote: | Agree with your first paragraph, less so the second. | People learn corporate leadership in steps, starting with | a small group. The style of successful leadership doesn't | change IMO, just the number of variables and possibility | for greater success/failure. | darkerside wrote: | Wouldn't fees be considered negative punishment? | airstrike wrote: | Well, corporations aren't humans, contrary to what some | might try to argue. | ineedasername wrote: | _" Corporations are people my friend"_ | | --Mitt Romney [0] | | So we should all remember that Zoom is probably depressed | right now and could probably use some support from its | friends. Maybe urge GCal to send it a nice note. | | [0] https://www.npr.org/sections/itsallpolitics/2011/08/1 | 1/13955... | Mary-Jane wrote: | True enough. But they are comprised entirely of people. | To change their behavior you must appeal to the _people_ | running them. | dhimes wrote: | My gripe is the companies who failed to implement because | they couldn't do security in a way that was easy to use | and resulted in a good user experience, but chose to be | honest. 
| | I hate the | | (1) cheat to win and vanquish your competitors | | (2) when you're caught, say you're sorry, | | (3) win anyway because your competitors are gone | | progression. It seems like the penalty for that should be | existential or at least something painfully severe. | sirspacey wrote: | Sincerely curious - what competitors do you believe were | harmed here? | TeMPOraL wrote: | Not necessarily. Corporations are more than just sum of | the people - they are a process that runs _on top of_ | people. People themselves are replaceable - and if you | change the behavior of one to something the corporation | doesn 't want, it'll replace that person with someone | new. You want to change the behavior of the corporation | itself - and that's best done by creating monetary | incentives and disincentives (i.e. punishment). The | corporation will adjust the behavior of people on its | own. | | In other words: "appealing to the people" instead of | addressing the corporation itself is like trying to heat | up a climate-controlled room by lighting a small fire in | it. You'll be fighting the AC unit all the way and | causing lots of unnecessary damage, when the right way to | do it is to adjust the thermostat on the AC unit. | ineedasername wrote: | Actually intermittent reinforcement is much more effective. | If it's offered every time, then when it is not offered it | is less likely to trigger the desired behavior. Operant | conditioning using intermittent reinforcement trains to not | expect the reinforcement mechanism every time, so when it | doesn't come, the desired behavior is still displayed: | | https://www.sciencedirect.com/topics/psychology/intermitten | t... | macspoofing wrote: | >What a slap on the wrist. "You blatantly lied to your | customers for years. How about you just continue to implement | the thing that you were working on anyways." | | Honestly - that's inline with the severity of the crime. 
| | >I don't think punishment is always the best solution but it | seems that you should at least set some sort of example. | | I'm not a fan of regulatory bodies making examples of companies | for minor infractions. And this is a very minor infraction. | pasabagi wrote: | Is it minor? | | From my perspective, making security guarantees about a | product is the same whether that product is software or | hardware. If somebody guaranteed that their ferris wheel had | x safety feature, then it turned out to be untrue, nobody | would call that a minor infraction. | kevincox wrote: | I agree. I see false advertising as a serious crime. | | Obviously we should be utilizing critical thinking | ourselves, but I think that we also need the threat of | punishment. Because if we have that threat one critical | thinker can report the problem and it will be solved for | everyone. If there is no punishment then there is no | incentive for companies to tell the truth. | xbar wrote: | Exactly. Zoom should pay. Not crippling amounts, but non- | trivial ones. | throwaway936482 wrote: | Especially if one is ideologically committed to light | touch regulation / free market economics. This makes | false advertising a particularly serious crime because it | introduces a false information asymmetry between the | customer and supplier that damages the effective | functioning of the market. | saghm wrote: | > a prohibition on privacy and security misrepresentations | | Why did they have to "agree" to that? Shouldn't that already | not be allowed? Also, this sounds a bit like they're allowed to | misrepresent other things... | aofeisheng wrote: | All E2E encryption claims in closed source software are | untrustworthy. What're you expecting? | intricatedetail wrote: | Even with open source software you will never know what is | actually running on the servers. 
It's best to assume none of | the services are e2e encrypted and you should provide your own | encryption on top of the medium you communicate with if you | require privacy. By own encryption I mean exchanging keys and | encrypting offline using oss tools. | _-___________-_ wrote: | > Even with open source software you will never know what is | actually running on the servers. | | If the clients are open-source and properly implement end-to- | end encryption, and you verify that they are not sending your | keys to the servers, then what is running on the servers is | irrelevant. | intricatedetail wrote: | But they may run modified software e.g. with added | backdoors and you wouldn't know as you cannot check what is | actually running on servers. | _-___________-_ wrote: | Yes, but the servers only transfer encrypted payloads for | which the servers do not have the decryption keys, and | you can verify that just by looking at the clients (which | are open source in this scenario). That is the _entire | point_ of end-to-end encryption. | intricatedetail wrote: | Are you saying that MITM is not possible? For example | your client will receive a key prepared by rogue server | and it will decrypt and encrypt conversations on the fly. | You wouldn't be able to tell unless you find a way to | verify the person on the other side tried to exchange | different keys. | emiliobumachar wrote: | End-to-end encryption properly implemented on clients is | resistant to any malicious software that may run on | servers. | | The only relevant vulnerability is stealth updates | infecting the client, but the client could disallow it as | well. | DangerousPie wrote: | ... if you have the technical expertise to audit the full | source code, and run and audit your own build (on both | ends). | _-___________-_ wrote: | Sure, but that's a different argument than what parent | was making. | hajile wrote: | I'm qualified to audit loads of software I don't have the | time to write myself. 
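
The key-substitution case raised in this sub-thread (a relay that hands each client a key it prepared itself) and the out-of-band fingerprint comparison mentioned earlier in the thread ("scan this QR code", "read the weird numbers/letters over the phone"), as an added sketch that is not part of any comment and not any product's code. The 127-bit Diffie-Hellman group, the class names and the fingerprint format are assumptions made for the demo; the group is far too small for real use.

```python
"""Toy model: key exchange through a relay, and the fingerprint check that
exposes a substituted key. Constructed example, not a real protocol."""
import hashlib
import secrets

# Assumption for the demo only: toy group, Mersenne prime 2^127 - 1.
P = 2**127 - 1
G = 3


class Party:
    """A client that generates its own key pair and never exports the private key."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self._priv, P)
        self.peer_pub = None  # whatever the relay delivered as "the peer's key"

    def receive_peer_key(self, pub):
        self.peer_pub = pub

    def session_key(self):
        shared = pow(self.peer_pub, self._priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def fingerprint(self):
        """Digits the two users compare over another channel.

        Hashes both public keys in sorted order, so each side computes the
        same value only if they hold the same pair of keys.
        """
        keys = sorted([self.pub, self.peer_pub])
        material = b"".join(k.to_bytes(16, "big") for k in keys)
        number = int.from_bytes(hashlib.sha256(material).digest()[:10], "big") % 10**20
        text = f"{number:020d}"
        return " ".join(text[i:i + 5] for i in range(0, 20, 5))


class HonestRelay:
    """Forwards public keys unchanged; it never learns a session key."""

    def exchange(self, a, b):
        a.receive_peer_key(b.pub)
        b.receive_peer_key(a.pub)

    def holds_session_keys(self, a, b):
        return False


class SubstitutingRelay:
    """Keeps a key pair per leg and delivers its own public keys instead."""

    def __init__(self):
        self.to_a = Party("relay-leg-a")
        self.to_b = Party("relay-leg-b")

    def exchange(self, a, b):
        self.to_a.receive_peer_key(a.pub)
        self.to_b.receive_peer_key(b.pub)
        a.receive_peer_key(self.to_a.pub)
        b.receive_peer_key(self.to_b.pub)

    def holds_session_keys(self, a, b):
        return (self.to_a.session_key() == a.session_key()
                and self.to_b.session_key() == b.session_key())


def run(relay):
    """Set up one call through `relay` and report what each check shows."""
    alice, bob = Party("alice"), Party("bob")
    relay.exchange(alice, bob)
    return {
        # Encryption "works" for both users in either case, so this alone
        # tells them nothing about who else holds a key.
        "keys_agree": alice.session_key() == bob.session_key(),
        # The only check the users can do themselves: compare fingerprints.
        "fingerprints_match": alice.fingerprint() == bob.fingerprint(),
        "relay_holds_keys": relay.holds_session_keys(alice, bob),
    }


if __name__ == "__main__":
    print("honest relay      :", run(HonestRelay()))
    print("substituting relay:", run(SubstitutingRelay()))
```

With the substituting relay each client still encrypts and decrypts without error, because it shares a key with the relay; the mismatch only becomes visible when the two users compare fingerprints over a channel the relay does not control.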
| ent wrote: | Isn't the whole point of e2e that you don't need to worry | about what runs on the server, unless you're worried about | metadata leakage. | intricatedetail wrote: | Correct, but if there is something between you and other | user and can intercept key exchange then it can decrypt and | encrypt anything on the fly. I think you would have to | exchange keys offline to have true e2e experience. | matheusmoreira wrote: | Not only is the source closed and proprietary, the company and | the product themselves have terrible reputations when it comes | to security. Why would anyone even consider trusting whatever | encryption they offer? | roenxi wrote: | Pretty scandalous stuff. But to be fair it seems pretty likely | that any or all of the major players (Apple, Google, MS, | Facebook, AWS, etc) to be maintaining some sort of back-door | access to the channels they control for spying purposes. | | I suppose the risk with Zoom is leaks due to incompetence rather | than leaks due to government intervention. | _-___________-_ wrote: | Apple claims that FaceTime is end-to-end encrypted (and makes | some pretty strong statements about not having access to the | content of communications). Facebook similarly claims that | WhatsApp is end-to-end encrypted. Whilst I have little love for | either company, do you have any evidence that these claims are | lies? | orestarod wrote: | WhatsApp is "end to end encrypted", but I had seen an article | here on HN about how WhatsApp would snatch your data before it | began transit, if needed - for "security reasons" - after | performing a local analysis on the messages. I don't know if | this has been implemented as of yet, but you can see the | intent for circumventing actual encryption - they can do it, | and since e2e has become a bother, they certainly will. | aborsy wrote: | I thought the lesson is clear. | | All e2e claims with closed source software must be dismissed | by default. The burden of proof is on the seller.
| _-___________-_ wrote: | I mean, I agree with you, and I guess the "surely Apple is | not blatantly lying about being unable to read the content | of your communication" argument has eroded a bit after | Zoom's behaviour. But the penalties (both in terms of | reputation and in terms of monetary fines) for this kind of | misbehaviour are already large, and are likely to increase | over time, and it seems an unnecessarily extreme risk for | these companies to take. | | But yes, impossible-to-verify claims are not worth very | much at all. | jfrunyon wrote: | I don't... did you even read TFA? All the order says is | that they can't lie about it again. They don't have to | pay anything, they don't have to actually fulfill their | prior claims, and the other parts of the agreement they | likely already comply with, and if not it'll be quite | cheap (relatively) to do so. | _-___________-_ wrote: | > I don't... did you even read TFA? | | Yes, I did. Thanks for asking. | | > They don't have to pay anything | | Yes, but they endured reputational damage, and companies | hypothetically lying about it now could reasonably expect | to have to pay something in future enforcements, which is | what I was trying to get at in my previous comment. | Reading it now, it was really sloppily worded by lumping | together those things, but I'll leave it as it was so | that the rest of this thread makes sense. | | > they don't have to actually fulfill their prior claims | | Given that they don't claim it any more, I'm not sure | that they could be forced to start doing it -- put | another way, not having E2E encryption is not a crime as | long as you don't claim to have it. | jfrunyon wrote: | How much actual reputational damage could they have | possibly endured? I haven't noticed any fewer people | using Zoom. | | It's a consent order. They're willingly agreeing to it in | order to avoid other costs (like fines and a lengthy | trial). There's no "forced to" involved. 
| _-___________-_ wrote: | > I haven't noticed any fewer people using Zoom. | | I think this probably varies a lot between social groups; | I know of many people (including non-technical) who were | motivated to explore alternatives after reading news | articles about Zoom's behaviour. A bunch of non-technical | friends subsequently started to use meet.jit.si for | meeting up, playing board games, etc, for example. | gravitas wrote: | Zoom's revenue is in corporate accounts, just like Slack | - my 10k ppl company uses branded enterprise accounts on | both systems, we even have VOIP via them with DIDs. | Companies of size do not pivot quickly on telecom and | messaging system changes, it takes a lot more than a | single issue or two for our money to not be in their | pockets. | aborsy wrote: | As for fines, companies already do sophisticated risk | analysis so that the average outcome would be far more | than the average potential cost. I know oil companies do | highly sophisticated risk and reward calculations with | violations. | | As for reputational damage, that's a long term effect. A | few events won't have a lasting impact. If it turns out | that Apple Key Chain is not e2e, or worse iOS exfiltrates | key material from apps, that would be major news, but | soon people will forget (if they ever cared in the first | place) and keep buying iPhones unless the misbehavior is | a recurrent problem. A company like Apple will make it | extremely difficult to discover such misconduct. | ehejsbbejsk wrote: | Incompetence? That Zoom team has been working on video | communication for many many years over in China. | chrisjc wrote: | And several years before that at Cisco. | | https://www.acquired.fm/episodes/the-zoom-ipo-with-santi- | sub... | bborud wrote: | Over the past decade I've had to deal with a lot of executives | and security people who don't actually understand security all | that well. Or at all.
(Not that I'm a security expert, but that | hardly makes it better when even I can see that something is | nonsense). | | Right now I know of at least half a dozen products that are | marketed as having E2E encryption but do not actually implement | this (no, I'm not going to out them. See second to last paragraph | as to when to be wary). In part because executives, marketers and | salespeople don't know what it means. And in part because when | explained what it means they will insist on their own | definition/interpretation and demand the product is marketed as | E2E. | | It is also important to note that quite often you are not dealing | only with the company that makes a product, but the regulatory | bodies that can pressure companies into complying with their | wishes. | | As for Zoom, I don't understand why people trust them or still | use their product if they are at all concerned about security. It | makes very little sense. | iamacyborg wrote: | > In part because executives, marketers and salespeople don't | know what it means. And in part because when explained what it | means they will insist on their own definition/interpretation | and demand the product is marketed as E2E. | | This sounds like precisely how Grammarly claim they're not a | keylogger by trying to change the very definition of what a | keylogger is. | qazxcvbnmlp wrote: | My boss is one of those people. He insists to our customers | (and engineers) our product has encryption. It does not. | vorpalhex wrote: | I would have a conversation with your company's legal | department. | atn89 wrote: | had a boss that marketed our product as having AI solutions | while it had nothing to do with AI, lol. | Jasper_ wrote: | Given how most actual AI solutions work under the hood, | this might not even be a lie! | TeMPOraL wrote: | That many (most?) companies in this space lie through | their teeth doesn't excuse the lie. | wil421 wrote: | Our system has an AI module.
| | AI module: | | If something | | Else if something else | | Else if | | Else if | | ... | | Else Call Human | TeMPOraL wrote: | We practice responsible and safe approach to AI, by | detecting situations the AI can't handle and deferring to | human response. | | (It just so happens that the set of things the AI can | handle is empty.) | Jasper_ wrote: | To be honest, before the modern machine learning | approach, this was known as a decision tree and was | thought to be a valid way to approach "artificial | intelligence". Lots of "AI" hype in the 80s was based | around "Expert systems" and "Decision trees". | zelphirkalt wrote: | And there are even modern tree based approaches, that | beat some of the modern artificial neural network | approaches! It's not like it has become an absolutely | unusable class of algorithms. | WalterBright wrote: | > Given how most actual AI solutions work under the hood, | this might not even be a lie! | | Even back in the 80's, the computer algorithms that | played the other side in computer games was called "the | AI". | dspillett wrote: | I strongly recommend attempting to fix that and/or (while I | am aware that it may be difficult in the current climate) | searching for a new boss. | | In the meantime be very careful to monitor anything your name | is associated with, just in case any of your customers get | wind of the situation and sue-balls are thrown. | kryogen1c wrote: | > I don't understand why people trust them or still use their | product if they are at all concerned about security. | | I've been a Zoom apologist from the beginning, and this is the | money shot for me. What _exactly_ do you mean by "security"? | You're concerned zoom servers are recording your video - on | purpose or because theyre compromised? thats too much data to | dragnet (even for the NSA), so you think the servers are | recording and theyre targeting your meeting specifically? the | threat model here is very small and very specific. 
| | who are the ultrasecret sensitive information folks buying the | newest, shiniest, unvetted tool for use where infosec matters? | i bought zoom because the ui has simple, big, colorful buttons | for my unskilled users where g2m et al. are just a little too | complicated. | | if i needed an SLA specifying encryption models because of | "security", I'd have a contract I could sue over. yes, zoom was | wrong. they did a wrong thing, but the outcry against them has | just been disproportionate. | areoform wrote: | My therapist uses Zoom for her clients, as she was assured | that the E2E would help her meet HIPAA requirements and | protect her patients. | | If someone can get a transcript of what was said, let alone | record, in these therapy sessions, they'd have a goldmine to | blackmail from. | | Please note, this has legal significance for her and other | doctors, who'd started seeing patients over Zoom. So it's not | just an abstract, "lulz security" | | There are people out there with different threat models from | you. Please refrain from talking about use cases you may not | understand. | kryogen1c wrote: | > E2E would help her meet HIPAA requirements | | e2e is not a hipaa requirement. | | > So it's not just an abstract, "lulz security" | | by all means, show me all the concrete harm zoom has done. | wizzwizz4 wrote: | > _e2e is not a hipaa requirement._ | | But HIPAA does (iirc) require not having arbitrary third- | parties to communication. E2E prevents that, but if there | _wasn 't_ E2E... fairly sure Zoom isn't meant to be a | third-party to therapy sessions. | | > _by all means, show me all the concrete harm zoom has | done._ | | "Oh, they built houses badly? Show me all the concrete | harm that's done." We might not know until the next | (metaphorical) earthquake. | dragonwriter wrote: | > e2e is not a hipaa requirement. 
| | Encryption between the last HIPAA covered entity | (including business associates) on one end and the first | covered entity (including BAs) on the other (or between | covered entity on one end and patient on the other) is | effectively a requirement of HIPAA in communications | between HIPAA covered entities of PHI, since anything | else would constitute an unauthorized intentional | disclosure of PHI to the third party intermediary (which | is a _crime_ , as well as triggering civil liability), | and even a third party gaining access to unencrypted PHI | without an intentional disclosure is a breach of | unsecured PHI triggering mandatory reporting requirements | under the HITECH Act. | javagram wrote: | Does that mean whenever medical information is sent via | phone or Fax, HIPAA is being violated today? | | Because plain old telephone service is not E2E and the | phone company can eavesdrop on you quite easily (as can | the government with a warrant, or a bad guy with a phone | tap on your line...) | | Not saying that e2e shouldn't be used when practicable | but a blanket assertion that e2e is required for HIPAA | seems a little unbelievable to me when I've recently | received COVID test results from providers via a cell | phone call. | dragonwriter wrote: | > Does that mean whenever medical information is sent via | phone or Fax, HIPAA is being violated today? | | Phone and fax are not considered "electronic" under | HIPAA, so the rules, including the rule regarding | encryption for exposed PHI to be considered secured vs. | unsecured, specific to electronic communication don't | apply. I think they may be explicitly given special | treatment for some of the not-electronic-specific rules, | too. They are well-known to be legacy loopholes to HIPAA | privacy/security rules, which is one of the reasons fax | held on so long in healthcare as a way of minimizing | compliance costs. 
| | You absolutely should not try to intuit what HIPAA | requires for anything else by how fax and phone | communication in healthcare operates. | kryogen1c wrote: | Yes, this is a long way of saying e2e is not a hipaa | requirement. | | are you saying you have evidence of zoom retaining PHI | and not safeguarding appropriately? because that would be | a different conversation than everyone yelling because | zoom said they were e2e and weren't. | vorpalhex wrote: | Therapists, lawyers, courts including closed door courts, | confidential internal meetings for publicly traded | companies, doctors' appointments, exchanging passwords/etc. | Even my mom just telling me about a medical situation she's | having. | | All of those have legal requirements for privacy, and many of | them used Zoom because it was supposed to meet those | requirements. Zoom lied and failed to meet those | requirements. There are other ways to meet those requirements | (instead of E2E encryption you can have other kinds of | controls) but since Zoom claimed to have E2E, they didn't | bother with those other ways of meeting the requirements. | | This wasn't an accident or a discrepancy. Zoom didn't | accidentally have some kind of fancy attack that could be | pulled off. They literally, knowingly and plainly | misrepresented their product, to get sales they shouldn't | have. There are words for that like "Fraud". | | People at Zoom should be getting jail sentences. | kryogen1c wrote: | > Zoom lied and failed to meet those requirements. | | did it? non-e2e is not the same as non-encrypted. | | > They literally, knowingly and plainly misrepresented | their product | | Where has that been proven? as the parent pointed out, | there is a wide gulf between misunderstanding and knowingly | misrepresenting. | | > People at Zoom should be getting jail sentences. | | this is precisely why i lean against the anti-zoom | sentiment. jail sentences - seriously?!
what is the maximum | possible harm zoom could have caused? they were wrong and | they deserve to be punished, but let's keep things in | perspective. | vorpalhex wrote: | > what is the maximum possible harm zoom could have | caused? | | + HIPAA violation | | + Violation of jury secrecy | | + FERPA violation | | + False advertising and fraud | | That's US specific. I'm sure foreign governments will | have their own opinions. | | You're right, you can be HIPAA compliant and not be E2E | encrypted - if you have the right paperwork and auditing | process. Zoom didn't because they claimed to be E2E | encrypted. | | There are some things you can lie about and it's crappy | but not a big deal. "Lag free video streaming!" - Sure, | whatever. "The best quality!" Again, don't care. When it | comes to information security claims though, lying has | very serious penalties because the damage you cause is | extremely serious. This wasn't them telling a white lie | about how awesome they are, this is them intentionally | and knowingly engaging in fraudulent behavior to make | profit at the expense and security of users - and we | should absolutely punish the hell out of people who do | that to line their own pockets with a few extra dollars. | PeterisP wrote: | > jail sentences - seriously?! what is the maximum | possible harm zoom could have caused? | | People have paid them some money because of an | intentional lie - that's fraud, and fraud (above a | certain amount) means jail sentences. There does not | necessarily need to be some grievous consequences to | justify jail - let's keep things in perspective, "just" | defrauding your customers isn't innocuous, it absolutely | justifies a criminal investigation and putting people | behind bars, not just some monetary fine to the | organization. | yjftsjthsd-h wrote: | >> They literally, knowingly and plainly misrepresented | their product | | > Where has that been proven?
as the parent pointed out, | there is a wide gulf between misunderstanding and | knowingly misrepresenting. | | ...Is this not literally the point of the article that | we're discussing? Relevant sections: | | > "[S]ince at least 2016, Zoom misled users by touting | that it offered 'end-to-end, 256-bit encryption' to | secure users' communications, when in fact it provided a | lower level of security," the FTC said today in the | announcement of its complaint against Zoom and the | tentative settlement. Despite promising end-to-end | encryption, the FTC said that "Zoom maintained the | cryptographic keys that could allow Zoom to access the | content of its customers' meetings, and secured its Zoom | Meetings, in part, with a lower level of encryption than | promised." | | > The FTC complaint says that Zoom claimed it offers end- | to-end encryption in its June 2016 and July 2017 HIPAA | compliance guides, which were intended for health-care | industry users of the video conferencing service. Zoom | also claimed it offered end-to-end encryption in a | January 2019 white paper, in an April 2017 blog post, and | in direct responses to inquiries from customers and | potential customers, the complaint said. | soulofmischief wrote: | Regulation should prevent this from occurring. If you use a | product that claims it is E2E and it is not, you should be able | to sue wildly for potential damages given the sensitive nature | of the software. | bborud wrote: | Well, there might be conflicting interests within government. | From a consumer advocate perspective government might want to | demand this. From an intelligence services perspective you | might want companies to lie. | soulofmischief wrote: | > From an intelligence services perspective you might want | companies to lie. | | No, I don't. I don't want companies to lie. You can collect | intelligence the same way we've been collecting | intelligence for our entire history on this planet prior to | E2E comms. 
E2E isn't a hindrance, it's a way to enforce | limitations on government overreach. | | No freedom is without compromise. | bborud wrote: | You don't. But I'm afraid that is the reality. The only | way to change that is by law and then vigorous | enforcement of law. That isn't likely to happen. | WalterBright wrote: | > Regulation should prevent this from occurring. | | It already exists. It's called "fraud". | soulofmischief wrote: | On one level, yes. | | On the other hand, I think things involving cryptography at | scale ought to come with regulations on language | | For example, look at how the word "bank" is specially | regulated by most governments. I can't just call myself a | bank without meeting specific guidelines or else it's not | just typical fraud, it's major financial fraud coupled with | putting sensitive customer data at risk. | | Same here. We need specific legislation targeting these | scummy businesses who use corporate ignorance as an excuse | for selling a product under false pretenses of end-to-end | encryption. | dspillett wrote: | _> It is also important to note that quite often you are not | dealing only with the company that makes a product, but the | regulatory bodies that can pressure companies into complying | with their wishes._ | | While considering the regulatory requirements helps explain the | desire to lie, it does not make the lie any more defensible. | Even if a regulatory body is making impractical demand, I very | much doubt they are demanding companies lie to their users and | potential users. Even if they were "just following orders guv" | is not an acceptable excuse. | | The key facts: Zoom lied. They didn't _have_ to. They could | have accurately reported what encryption they use and what they | were working towards if that was due to change. 
| | Even if we accept that the initial claims were wrong due to | executives misunderstanding what their own security/dev people | had stated, that doesn't defend continuing to make the claim | without seeking further clarity after questions were raised. | dheera wrote: | Unless there was a gag order. We should make gag orders | unconstitutional. | NeutronStar wrote: | Gag orders don't force you to state wrong facts about your | products in the first place. | nsgi wrote: | > As for Zoom, I don't understand why people trust them or | still use their product if they are at all concerned about | security. It makes very little sense. | | Phone calls and text messages aren't particularly secure | either, doesn't stop people using them | whomst wrote: | At least phone calls are protected by law in some capacities | (HIPAA allows for faxing but not email, warrants are supposed | to be required for tapping phone lines but not email, etc) | 1vuio0pswjnm7 wrote: | "As for Zoom, I don't understand why people trust them or still | use their product if they are at all concerned about security." | | Perhaps the term "security" suffers from the same problem as | "E2E encryption". | desilentio wrote: | > As for Zoom, I don't understand why people trust them or | still use their product if they are at all concerned about | security. It makes very little sense. | | I certainly don't trust them, but I do use Zoom (from a | dedicated unprivileged user, so it can't do any harm beyond | recording my conversations), because my colleagues use Zoom, | and because there doesn't seem to be any working alternative. I | got them to try Jitsi once, which simply didn't work. | | PS. There may be working /secret-source/ alternatives, but I | don't know why one should think Zoom /more/ untrustworthy than | them.
| jlarocco wrote: | > from a dedicated unprivileged user, so it can't do any harm | beyond recording my conversations | | Unless I'm misunderstanding what you mean by that, I don't | really see the point in it, TBH. | | Have there been cases of Zoom infecting machines with malware | or transmitting viruses? The whole concern, as far as I know, | is terrible security on their end, allowing people into calls | without permission, not having E2E encryption, etc, and | running as an unprivileged user won't help with that at all. | e12e wrote: | There's been a few zero day client remote code execution | vulnerabilities, along with some problems with the installer | AFAIK. | desilentio wrote: | You don't see the point of being suspicious of secret- | source? and especially of an entity that is known to be | dishonest? unless it is known to have been dishonest in the | precise manner in question? | newh90 wrote: | you could try: https://xroom.app or https://go.xroom.app | wil421 wrote: | As another poster said, the very large company I work at bans | Zoom. We can use Teams, Webex, Skype, etc. | | How can you say there is no alternative? | hackmiester wrote: | Teams does not allow users to place themselves in breakout | rooms. Webex does not allow Linux users to grant control of | their screens. | | When you use these platforms all the time, you find these | little issues. Generally speaking, Zoom does it best, | despite their problems. | mensetmanusman wrote: | You can set up channels in a 'team' and use those for | breakouts. | hackmiester wrote: | This would require all the attendees to be members of the | team ahead of the meeting; this isn't how we use Zoom. | walrus01 wrote: | I know of more than one company where installing zoom on | any company owned equipment, or using zoom on your own | client devices for company business is a fireable offense. | | These are companies that deal with some very sensitive | data.
| desilentio wrote: | Sorry, I didn't think in terms of degrees of | untrustworthiness. What I miss is an open-source | alternative. Doesn't Microsoft let the NSA tap into Skype | calls? | bo1024 wrote: | How about Jitsi? | | https://meet.jit.si/ | | https://jitsi.org/ | mcrittenden wrote: | They said: "I got them to try Jitsi once, which simply | didn't work." | acoard wrote: | >Doesn't Microsoft let the NSA tap into Skype calls? | | Yes, but it seems like Skype was doing that prior to | being acquired (though Microsoft seems to have | accelerated things). From some quick Googling to refresh | on PRISM - | | >* In July last year, nine months after Microsoft bought | Skype, the NSA boasted that a new capability had tripled | the amount of Skype video calls being collected through | Prism; | | >* Microsoft helped the NSA to circumvent its encryption | to address concerns that the agency would be unable to | intercept web chats on the new Outlook.com portal; | | >Eight months before being bought by Microsoft, Skype | joined the Prism program in February 2011. | | > According to the NSA documents, work had begun on | smoothly integrating Skype into Prism in November 2010, | but it was not until 4 February 2011 that the company was | served with a directive to comply signed by the attorney | general. | | https://www.theguardian.com/world/2013/jul/11/microsoft- | nsa-... | wolco2 wrote: | Don't forget about teams. | bborud wrote: | I wouldn't assume that any given service is secure just | because it hasn't been outed yet. Your guess is as good | as mine with regard to which service is more secure or | less secure. | | What is immensely important is to raise the cost of lying | to where it becomes something investors care about. The | only real thing a company and its investors are afraid of | is losing its customers. | | If we teach companies it is okay to lie by staying with | them, they will lie more. 
| floatingatoll wrote: | Each of those alternatives is just as likely to offer | government wiretap support to any government that asks as | Zoom is, unless I've missed statements of refusal to do so | to the contrary from them. | baja_blast wrote: | I think the concern is trade secret theft. Sure the US or | EU might demand a wiretap but their goals are different. | You don't see the CIA stealing trade secrets and handing | them over to Apple or Microsoft. Businesses are primarily | worried about their IP. | aaisola wrote: | Google's Meet has improved considerably and most importantly | it comes free with G-Suite. They are also pushing it quite | hard as every calendar invite has a Google Meet link | automatically included. | | The reason that people went with Zoom is "because it worked." | As other products improve it's hard to see what Zoom's moat | is and why we should continue to pay for it. | jdright wrote: | What does not work with jitsi? I've been using a lot recently | and it is by far the easiest one to use. One link and done. I | have lots of video and audio issues with zoom. Now, if you're | a company, bluejeans may be the best one. | toast0 wrote: | There was a period a few months ago where jitsi was | consistently crashing chromebooks. Obviously, if a webpage | can crash the OS, it's an OS problem, but it still made | jitsi unusable for those with chromebooks. | desilentio wrote: | I think both video and audio were skippy to the point of | uselessness. I've also used Jitsi with moderate success | with a couple of interlocutors, where video disappeared now | and then. | | I'm not a company, I'm at a university, and the u. has | decided to use Zoom, perhaps because it doesn't care about | security, or because it thinks being concerned about Zoom | is being paranoid. | pkulak wrote: | I have an entire Windows VM set up just for Zoom meetings. | bborud wrote: | Yes, retention by strong network effect is scary. 
But I'm | being Captain Obvious here :-) | robotnikman wrote: | Cisco Webex is used in my workplace. We forbid anyone from | installing Zoom over security concerns | pbhjpbhj wrote: | What specific concerns that aren't also relevant to Webex? | InafuSabi wrote: | A working alternative is google _meet_ | wsinks wrote: | Hi there! I'm in the video meeting space, and always looking to | find that blend between usable and secure. | | I'm curious - is there a video service out there you would | recommend if you're conscious about security? Your third | paragraph makes me think your opinion will be that no large | company can be trusted, because they become a target for | nation-state regulatory bodies. | bborud wrote: | Yes, although there are degrees and differences in culture. | | For instance in the telco world you have a much more direct | dependence on regulators because you need a stack of | expensive and hard to acquire licenses to operate a network | in most parts of the world. Some worse than others. In that | environment there is a very high degree of compliance with | regulators because they have to be given explicit permission | to operate. | | For pure internet services or P2P applications it is quite a | bit different. You don't actually need anyone's permission to | distribute software. And you can move your servers around the | world. You don't depend on permission - just that nobody | comes after you with warrants you cannot ignore. | | So the advice is really to look at who you are dealing with | and how dependent they are on regulators to operate. | | Large internet companies tend to have entire divisions whose | job it is to tell regulators to get lost or at the very least | maintain a really high bar for interference. Of course, this | becomes difficult when the government is also a large | customer. So for instance you might want to be careful with | vendors who make a lot of money in / off of the defense and | intelligence sectors. 
| wsinks wrote: | Thank you for the explanation! Seems to me that you're | describing a trust chain where the product is directly | affected by the landscape in which the parent company | operates and their biggest customer base. | | I really appreciate your insight. | atsmyles wrote: | Use Jitsi (https://jitsi.org). You can find people to host or | host your own. Open Source. No downloads for participants. | try their instance meet.jit.si | dheera wrote: | > As for Zoom, I don't understand why people trust them or | still use their product if they are at all concerned about | security. It makes very little sense. | | Actually it makes a lot of sense. Your boss sends you a Zoom | link and asks you to install Zoom. Or you're having a meeting | with the CEO of some company and they send you a Zoom link, | saying it's the only thing their company uses. Or you are a | high school student learning online and your teacher only | delivers lectures on Zoom. Most people listen to their bosses | and superiors instead of protesting their viewpoints about | security. | | Only privileged people can protest. Others just lose their | jobs, or don't get their high school diploma. | | No, it's not right, but it is the reality. | QueensGambit wrote: | "In part because executives, marketers and salespeople don't | know what it means." | | Being a technical founder, I found some non-technical founders | use this an advantage. They can lie to customers without guilt | or investors with brimming confidence about their "MVP". They | can use "making it simple" or "ignorance" as an excuse, if at | all they get caught. These kind of lies are grey lines and | exist everywhere. | ababol wrote: | I totally agree with you. | | I am sure they already lied in the past too | https://news.ycombinator.com/item?id=22711169 preaching | ignorance as an excuse. 
| Frost1x wrote: | I've worked with these types of people and what I've noticed | is, even after you explain to them simply what they're saying | is false, they insist on pushing those statements or as close | to those labels as they can. They may even be angry after you | inform them because they lose plausible deniability. | | I've also been in situations where an ultimatum like E2E | encryption is dictated by a marketing team and then expected | to be created without adequate budgeting or time, essentially | creating pressures on development teams, project/product | managers, etc to lie. | | The conclusion I've come to in business is that ultimately, | your product or service is going to be falsely advertised and | oversold one way or another. It's a lot easier for some to | lie, act deceitful, and/or feign ignorance than it is to | actually deliver. Your competitors are doing it, if you | don't, you lose. | | The way I deal with this nonsense is that I make it a point | at least once in a meeting or fairly traceable record like an | email that others know what is and isn't true once and it's | up to them to decide who they want to lie to. I've been on | the other side being pressured to lie and it's not fun so I'll | happily pass that responsibility. I didn't pursue a career in | computing to be a constant liar, I'll let the people who want | to lie, lie. | danudey wrote: | > I've also been in situations where an ultimatum like E2E | encryption is dictated by a marketing team and then | expected to be created without adequate budgeting or time, | essentially creating pressures on development teams, | project/product managers, etc to lie. | | Basically "Our customers have been asking for E2E | encryption, so I'm adding that to our next sprint." | whatshisface wrote: | > _Your competitors are doing it, if you don't, you lose._ | | What's far more interesting to me is the fact that your | _vendors_ are doing it.
I wonder how much business | efficiency could be gained by taking advantage of the fact | that we all know the products our businesses are buying are | oversold? | t4nkd wrote: | You may find it interesting that recently Malwarebytes | was mentioned in relation to 230 of the DMCA which to my | mind relates directly to this. They are an AV solution | that holds "legitimate" software vendors that operate an | above board business to the fire when they start any | practice that they (Malwarebytes) determines is violating | a PC user's reasonable expectations. That software begins | to be detected as "potentially unwanted software" and | recommended for quarantine just like any other virus. | | Malwarebytes spends a whole lot of time defending the | fact it recommends software from these companies for | removal and the recent SCOTUS memo on the topic sort of | implies that the problem -- how do we determine the | veracity of statements made by businesses regarding their | software, especially software which exists in a | constantly changing state -- may be headed towards | getting worse as so few people who are familiar with | legislation also have good understanding of the inherent | complexity of software. | danudey wrote: | Tangent: Cheat Engine, an amazing piece of software, | mentions on their website that they may be detected as | malicious software because they do a lot of the same | things malicious software does - hook into other | processes and modify their behaviour, optionally with a | kernel hook. | | They don't mention that their installer ships with tons | of malware that they install, and more that they try to | trick you into installing but you can technically opt- | out. | kag0 wrote: | > how much business efficiency could be gained by taking | advantage of the fact that we all know the products our | businesses are buying are oversold? | | Not much tbh. Our only other option is to not buy, and | build in-house instead.
Sometimes that's worthwhile, but | other times (like in the case of zoom) it still makes | sense to buy the vendor's product, even if you know that | it's not everything it's advertised as being. | | The real efficiency is found in having people who can | determine which and if you should buy a vendor's product, | or if you should go in house. Specifically people who can | see through the marketing BS and evaluate technologies | without personal or hype bias. | QueensGambit wrote: | It would be easy to ignore them, if they don't poison an | entire startup ecosystem. If such founder gets into press | and speaking circuit, lot of newbie founders assume such | exaggeration is needed to succeed and this behavior becomes | part of that ecosystem. Then it becomes hard to have | authentic conversation with anyone there. | hinkley wrote: | In an unfortunately rare case of reason conquering madness, | a VW exec (Oliver Schmidt) was extradited and convicted | over the diesel emissions scandal, instead of the engineers | taking the brunt of the punishment. | | We expect name brand products to indemnify their vendors to | an extent. Consumers don't want to chase down the guy who | made the screw that failed and caused a bunch of excess | deaths. You put the screw in the assembly, you took most of | the profit margins. So you get the lawsuit. | | If you want to go and sue your vendor to recover damages, | that's between you and the vendor. But the class action | goes to Acme Inc, not Acme Screws and Fasteners. | | Similarly, I'm not getting a mansion. I can barely get you | to buy the servers we need to make half of what you say not | a blatant lie. I'm not the one who should be punished when | they find out about it. I'm not the one lying to people's | faces while I pocket their checks. | hutzlibu wrote: | I doubt the case of the VW manager can be addressed to | reason (alone). Lots of politics going on, too. US vs. | EU.
| | I doubt the same would have happened, if Ford or GM would | have been the one caught in the act. | icedchai wrote: | Some non-technical founders will just make stuff up. If they | think it's a "small change", it may as well be done, so they | speak about it as if it is. You correct them and you are | ignored, or they tell you it's just for a high level | discussion, so it doesn't matter. Sometimes they're right, | sometimes they're not. It is a very fine line between | stretching the truth and exaggeration, outright lies. As | "technical" people we try to be precise on our language and | want statements to reflect reality. | rutthenut wrote: | Have also encountered founders that know the difference, but | lie about things by using 'weasel words' that are chosen to | suit their audience, who may not be so knowledgeable :( | snarf21 wrote: | You answered your own question in your last statement. People | don't care about security. They care about it being easy to use | and Zoom works better and for more (non-technical) users than | any other tool of its kind. | dnautics wrote: | For a long time zoom was the best choice for technical users | too, as webex, Skype, and everything except for google | hangouts had terrible Linux support. | ProAm wrote: | > As for Zoom, I don't understand why people trust them or | still use their product if they are at all concerned about | security. | | The same reason I use Slack, because I have to. | antonzabirko wrote: | Tell us! | NDizzle wrote: | Oh man I had a great one last week. | | We're migrating stuff to a cloud provider, and they wanted to | expose an internal only API to the internet so that the things | could reach it. I was strongly against that, as it has no | security involved at all. Fast and loose and all of that. | | Two, count them, two people wanted to "just change it to use | port 443, that way it's encrypted". 
I had to explain that you | could pick any valid TCP port to pass TCP traffic, but simply | changing a nonstandard port to "443" doesn't automatically make | it start being encrypted. I had to explain that several times | in order for it to sink in. | 0xy wrote: | Why would any company with valuable IP use Zoom after this | security blunder, along with the fact they "accidentally" routed | domestic US calls via China. Zoom is software developed almost | entirely in China, meaning it is subject to Chinese law and the | very strong influence of the CCP. | | It is fact to say that Zoom could be compelled by the CCP to | plant backdoors in software to siphon valuable IP for use by | Chinese companies, as is usually the case with CCP-aligned | companies like Huawei (Huawei had a cash incentive program for | employees who delivered stolen IP to them). | intricatedetail wrote: | Many companies work WFH these days, so intercepting dev and r&d | meeting would be a dream for CCP. Can't see why they wouldn't | do it. | lixtra wrote: | (Industrial) Espionage is the ius prima noctis of superpowers. | | http://cryptome.org/echelon-nh.htm | X86IpodInsame wrote: | Chinse | buryat wrote: | Does it open Zoom to being sued by clients? If a company signed a | contract with Zoom in which e2e encryption was stated. | hatmatrix wrote: | Like a class action lawsuit? I think there have to be evidence | of damage done in that case. | dfxm12 wrote: | _If a company signed a contract with Zoom in which e2e | encryption was stated._ | | It sounds like OP is referring to a breach of contract. Even | if they can't prove damages, they could still be entitled to | some other remedy, like a partial refund. It would depend on | the language of the contract, of course. | tpxl wrote: | You can sue directly, no? The damage should be easy, you | thought you bought something and weren't delivered it, so | just refund all costs. | kube-system wrote: | Most of what was purchased was delivered. 
| mikro2nd wrote: | "Here are the keys to your new car" | | "Where are the wheels?" | | "Well... we delivered _most of what was purchased_ so you | don't get to complain." | kube-system wrote: | Good example. If you bought a $40k car and it didn't come | with wheels, the damages would be the amount to remedy | the missing wheels, not $40k. | vict00ms wrote: | I don't think the example vindicates you in the manner | you believe. The damages would surely exceed the missing | wheels if resolved in the courtroom. | kube-system wrote: | Regardless, it wouldn't be a full refund, which is my | point. | ClumsyPilot wrote: | Could well be much more than that, if i have proof that | you did it knowingly and systemically. | klmadfejno wrote: | A better analogy would be if the car didn't come with | airbags, but even that is not as good because you have no | way of knowing if someone listened into your | conversations whereas airbags let you know just fine. | | Ford once paid $300M for a faulty airbags thing, but that | was negligence whereas this is fraud. Of course this | isn't a lethal risk. | | I would think the case would have legs. Haven't a clue | how much for. | WhyNotHugo wrote: | Why does there have to be damages? You paid for something, | and didn't get it. | | Go to the supermarket, buy a box that says "ten apples". You | get home and open it, there's just five apples. You'll want | money back. What "damages" do you have to prove? | [deleted] | smokey_circles wrote: | I don't understand how the FTC arrived at the conclusion they're | not E2E? Or have I missed something? | | >Despite promising end-to-end encryption, the FTC said that "Zoom | maintained the cryptographic keys that could allow Zoom to access | the content of its customers' meetings, and secured its Zoom | Meetings, in part, with a lower level of encryption than | promised." | | Not wonderful but that still, technically, is an E2E encryption | scheme. Is it not?
Or do they mean one end terminates in Zoom's | servers and it's not E2E through the whole pipe, but rather two | pipes stitched together? | | Agreed it's not as secure as they marketed, but this seems to | suggest if you want to offer E2E you need a specific kind of key | storage to meet this new precedent. Good in practice, but maybe | the FTC are not the right people to be placing such a hurdle down? | | I'm sure I've missed something though. | _-___________-_ wrote: | Most videoconferencing systems are not E2E-encrypted. They | encrypt the link between each participant and the central | server. This makes implementation simpler in a few ways. | | A good E2E-encrypted system would involve Zoom never having the | keys at all, so "key storage" would be irrelevant. | | The issue here is merely that Zoom claimed to be E2E-encrypted | when they were not. They could have simply said "encrypted" and | there would be no issue. | bonzini wrote: | Wouldn't E2E encryption of a call with 40 participants | require each user to have 39 times the upload bandwidth, in | order to send 39 video streams encrypted with different keys? | And potentially several times the computational cost on the | client, in order to downsample video according to the | different available download bandwidth of every other | participant? | | Is there anyone doing _group_ videoconferencing with E2E | encryption, for more than a handful of participants? | _-___________-_ wrote: | Typically, the central server does not transcode. | Participants simulcast a few bitrates, and the central | server forwards to each other participant the sub-stream | with the appropriate bitrate for the bandwidth capacity of | that participant. This is compatible with E2E encryption, | by individually encrypting each sub-stream. Participants | can share a session key that is unknown to the central | server. | | FaceTime supports group calls and claims E2E encryption for | them. WhatsApp does too, I believe?
I'm not sure how many | participants you can have. | treis wrote: | >Wouldn't E2E encryption of a call with 40 participants | require each user to have 39 times the upload bandwidth, in | order to send 39 video streams encrypted with different | keys? | | I think you use public key cryptography to securely | distribute an encryption key for that call. So the host | sends 39 messages encrypted with different keys containing | a shared key. Then everyone uses the shared key to | encrypt/decrypt the call data. | thesimon wrote: | The zoom definition of E2E is that the one end is one user and | the other end is the zoom server. | | At no point is there encryption directly from one user to | another. | treeman79 wrote: | A lot of the servers are in China. So you have state actors | involved. | | Our company had stop using zoom for security reasons. | viraptor wrote: | I'm not sure what you mean by "you need a specific kind of key | storage". You don't need any kind of key storage for e2e. You | only need to facilitate the key exchange as a server, then push | the opaque data both ways. If zoom (the company, not the | software client) can get the encryption key, the call is not | e2e encrypted. | smokey_circles wrote: | >If zoom (the company, not the software client) can get the | encryption key, the call is not e2e encrypted | | Ah, thank you. That was the bit I was missing. | | Silly question I know but I couldn't wrap my head around the | wording | krageon wrote: | What kind of hurdle do you see? What you've described isn't e2e | encryption, the FTC is absolutely correct. | | The FTC is not doing something unreasonable here, I would wager | you are by implying they're placing undue hardship on a company | that peddles bald-faced lies. | minusSeven wrote: | I guess fake till you make it is the name of the game these days. But | if that is really the case why did we vilify companies like | Theranos or Edison. | | I have often wondered if I should do it at work as well.
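The key distribution that treis and viraptor describe in the thread above, as an added example that is not part of any comment and is not Zoom's or any vendor's code: the host wraps one shared meeting key per participant, and the relay only forwards bytes it cannot decrypt. All function and participant names are constructed for illustration, and static X25519 keys are assumed to be already exchanged and verified.

```javascript
// Added example with constructed names; not Zoom's or any vendor's protocol.
const crypto = require('node:crypto');

const newParticipant = (name) => ({ name, ...crypto.generateKeyPairSync('x25519') });

// Per-recipient wrapping key from an X25519 shared secret (static keys, for brevity).
function wrappingKey(privateKey, publicKey) {
  const secret = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'meeting-key-wrap', 32));
}

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]); // throws on wrong key
}

// Host: one small wrapped copy of the meeting key per participant.
function distributeMeetingKey(host, others) {
  const meetingKey = crypto.randomBytes(32);
  const wrapped = others.map((p) => ({
    to: p.name,
    ...seal(wrappingKey(host.privateKey, p.publicKey), meetingKey),
  }));
  return { meetingKey, wrapped };
}

// Participant: recover the meeting key from the envelope addressed to them.
function unwrapMeetingKey(me, hostPublicKey, wrapped) {
  const mine = wrapped.find((w) => w.to === me.name);
  return unseal(wrappingKey(me.privateKey, hostPublicKey), mine);
}

// Relay server: fans out one encrypted frame; it holds no private or meeting key.
const relay = (frame, recipients) => recipients.map((r) => ({ to: r.name, frame }));
```

Each frame is sealed and uploaded once under the shared meeting key, so the sender's upload cost does not grow with the number of participants. The property only holds if participants verify each other's public keys through a channel the relay operator does not control.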
| _jal wrote: | A deeper issue is how hard it is to "know" if companies hawking | products with security implications (which is nearly everything, | today) are lying. | | I'm not even talking about the gradient ranging from innocent | bugs to incompetent coders and how that gets papered over. When | you buy shoddy physical goods, there are typically | characteristics you can't hide, like cheap materials. But with | software like this of course the only function your average | person can verify is that the transmission happens, not how it is | encoded. Neither Grandma nor your manager are likely to break out | tcpdump to check. | | And of course the DMCA complicates this in the US, and things are | even worse for researchers elsewhere. | | Third party audit and reputation are the only fixes I see. And | the second one requires a commercial environment that rewards it. | The current one doesn't; it rewards novelty and lies, so that's | what we get. | phone8675309 wrote: | Any software you don't have the source for, haven't built | yourself, and don't host yourself is immediately suspect. | | Third party audits aren't a silver bullet. Enron and Worldcom | had third party audits. | LinuxBender wrote: | Auditors operate off money, too. I have seen this first hand. | If I tell them about an egregious violation and they don't | even bother to write it down, I know what type of "auditor" I | am dealing with. If they write it down and the issue is not | resolved, same thing. | _jal wrote: | I completely agree, and that's a huge topic unto itself. | | Briefly, the issue with auditing, as with most things, is | incentives over time. The difference between fraud in finance | and software engineering is how long the bezzle[1] lasts. In | finance, it can last a very long time in up economies, | leaving Big Three auditors plenty of time to scurry off.
In | software you have to deliver at some point, leaving lying | auditors exposed to discovery by security researchers | immediately. | | There is certainly still room for shenanigans if not set up | correctly, but less than in finance. | | [1] https://moneyfyi.wordpress.com/2013/11/15/5358/ | eru wrote: | > [...] haven't built yourself, [...] | | Reproducible builds remove this requirement. | | https://en.wikipedia.org/wiki/Reproducible_builds | ineedasername wrote: | You're right, but 3rd party audits can help, especially | because of the precedent set by Arthur Andersen w/ Enron. It | destroyed their business completely when their fraud was | discovered, so there would be a strong incentive for auditors | to get it right. As you said, not a silver bullet, but it's a | step up from nothing. | yourapostasy wrote: | _> It destroyed their business completely when their fraud | was discovered..._ | | I suppose rebranding and transferring assets is kind of | like a Chapter 7 "destroyed their business completely", but | no one involved went to jail, no one lost their Series 7 or | any other kind of licensing, no one was ever barred for | life from ever managing at a public company ever again, | _etc._ Sure, to laypeople a selling off of assets and | rebranding sounds pretty "destroyed...completely", but | unless there are lifelong, severe, natural person | repercussions, business people are thrilled with the | results. No clawbacks, no offender registration, can always | point the blame elsewhere in future discussions (like job | interviews). This is mostly regulatory theater, and all net | upside for those who benefited by unethical action or by | unethical omission. | ineedasername wrote: | Well, you make good points. I can't argue with that. | bigbubba wrote: | > _Firms That Imploded Have Something in Common: Ernst and | Young Audited Them_ | | https://www.wsj.com/articles/string-of-firms-that- | imploded-h...
| | https://news.ycombinator.com/item?id=24802741 | | Nobody at Arthur Andersen went to prison and SCOTUS | reversed their conviction. The firm may have gone up in | smoke, but nobody was actually punished for their crimes. | Who at Ernst and Young has gone to prison for Wireguard or | WeWork? None by my count. | twicetwice wrote: | Did you mean Wirecard instead of Wireguard? | forgotmypw17 wrote: | I agree. I am writing my project a certain way to achieve a | goal I call reimplementability. | | This means that I try to design in such a way that a | reasonably competent dev could sit down and rewrite the whole | system in a couple hours/days/weeks. | okprod wrote: | Freely licensed software would allow for audits. | ineedasername wrote: | As long as you audit both the software _and_ the | implementation. | m3kw9 wrote: | Old news, is just FTC judgement but security has already proven | that back in April it wasn't E2E | peterwwillis wrote: | This is like suing Hillshire Farms because their bacon wasn't as | maple-honey-bourbon-flavored as they claimed. Nobody is buying | bacon just for flavoring. People use Zoom because it's a free | digital telephone with screen sharing. Not because it's super | duper secure. | | Telephones (VoIP, PSTN, SMS, etc) do not have end-to-end | encryption - or _any_ encryption - and we've been using them for | conferences since _always_. Hell, _we use them for Zoom calls!_ | | This is some kind of government vendetta, probably pushed by | Zoom's competitors who make a bundle in government contracts. | Because they're currently the biggest provider, they're the | biggest target. But this standard has not been (and will not be) | held up to any of its competitors who make similar claims. The | political party that is sabre-rattling in this article is just | making themselves look good to their constituents. | benkarst wrote: | Oh you know that private video chat that literally everyone | uses, it's not private.
| | How is this getting almost no attention from the ms media? | vinniejames wrote: | Don't forget the hidden web server fiasco | https://medium.com/bugbountywriteup/zoom-zero-day-4-million-... | golemotron wrote: | > Democrats blast FTC/Zoom settlement because users won't get | compensation. | | Are they the same people who want to get rid of encryption? | noyoukhkh wrote: | if security is that much important to you, your company may be | you, your company should build a communication platform for | itself right!? | | you, people should believe or trust no one! that's the number one | rule for [e2e, or else] security I think. | boomboomsubban wrote: | The "trust no-one" mantra would still apply to your own team, | and unless you're putting tons of money into this project a | free software platform is probably more trustworthy. There's | more risk of outside infiltration but also far more bug | checking and security testing. | martinknapic wrote: | That's quite a claim. | joeblau wrote: | I wonder if this is the source for any "leaks" from tech | companies who use Zoom as their office communication tool? | feralimal wrote: | No! Corporations lie?! | | At least their feet will be held to the fire! | | /s | | Tbh though, they will only be held to account, if another big | player wants to cripple them and take their market. | einpoklum wrote: | Zoom is also in the habit of censoring content it doesn't approve | of politically: | https://www.insidehighered.com/quicktakes/2020/10/27/zoom-fa... | | so, drop Zoom, use a Free and Open-Source alternative. Example: | Jitsi (jitsi.org) . It has more rough edges, but it works. | hubbabubbarex wrote: | Zoom, Google, twitter, Facebook what's common? All lies about your | privacy and you still keep using these scammy services? Why??? | hubbabubbarex wrote: | HN ease shadowbann me | cwkoss wrote: | Every business customer should now sue zoom for the full cost of | what they previously paid.
___________________________________________________________________ (page generated 2020-11-10 23:00 UTC)