
What you need to know about Zoom doom and gloom


By Kiki Schirr, {grow} Contributing Columnist

In this time of social distancing and sudden transition to working from home, Zoom has emerged as the primary tool for online collaboration.

Their stock price has soared to ridiculous levels. Zoom’s PE ratio, a measurement of the value of all their stock against one year’s revenue, is far above the 13-15 ratio most investors seek. Over the last few weeks, Zoom’s PE ratio has been in the 1000’s, with a high of over 6,400.

And during these last few weeks, Zoom has abruptly changed from an obscure service with 10 million business users. Now, amid this coronavirus crisis, Zoom has become the connection point for an economy that relies on communication and collaboration. Within a few weeks, Zoom ballooned to 200 million users.

And privacy advocates are up in arms because Zoom is a security mess.

Zoom’s security problems

News outlets as prestigious as NPR have bashed Zoom’s lack of user protections. EFF, the digital privacy advocacy group, has written about them numerous times, often in relation to the class action lawsuit currently levied against Zoom. The suit posits that Zoom gave user information to Facebook even if Zoom users did not have a Facebook account.

Zoom CEO Eric Yuan said he “really messed up” and is struggling to restore the reputation of the video tool.

In light of Zoom’s new popularity, the EFF has renewed their warnings with a fresh wave of articles. I’ll recommend the most important of these later in this post.

Wired magazine laid out all of Zoom’s security failures in a dizzyingly long list of offenses.

Senators and government prosecutors have launched independent investigations into security failures, the most damning of which might be Ohio Senator Sherrod Brown’s letter to the FTC seeking an investigation of Zoom’s advertising claim of providing end-to-end encryption of messages and other data shared between users.

Zoom is trying to address security issues

Likely in response to Brown’s letter, Zoom wrote a blog post clarifying that not everything is encrypted, with diagrams and definitions to help Zoom users discern when they have or have not been protected.

Even with my technical knowledge, I find the blog post overly complicated. The crux of the post seems to be that if you don’t download their software onto your computer or phone (and grant Zoom greater access to your systems and personal data), they will not guarantee your protection in return. This fact has not been clear in Zoom’s marketing efforts, according to Senator Brown.

And The Guardian went so far as to question if Zoom is malware in the headline of a widely circulated article.

Being malware is a serious charge. Trojan viruses are probably the most famous form of malware, but ransomware attacks on hospitals are quickly catching up. These attacks target patient medical data and lock hospital staff out of their own files until the hospital pays the attacker to retreat. And recently, we have discovered that these hackers are even willing to lock COVID-19 research.

Zoom’s CEO also made a public statement on April 1st vowing to pause any development projects that were not security-focused in order to make safety their primary directive. However, the security conditions on Zoom seem to only be getting worse as new users, and new trolls, sign up.

Zoom and harassment

In my view, Zoom’s lack of security seems to be more oversight or incompetence than malicious intent. However, because I think Zoom is culpable, I’m confused by the United States government’s haste to prosecute so-called Zoombombers.

As Internet trolls became more aware of Zoom’s vulnerabilities, they began to use Zoom as a platform for harassment. In particular, they tend to target racial minorities and women. Black women professors at Historically Black Colleges and Universities seem to be the most desirable target. Zoombombers post pornographic images and racial slurs into group discussions and there is no method of defense after a bomber enters the room, beyond ending the call.

If that isn’t bad enough, remember that many grade schools are now using Zoom, and a Texan Sunday school was recently exposed to pornography and harassment.

Zoom just enacted a measure that could prove helpful. Zoom has turned on, by default, the password-protection and waiting-room (visual identity confirmation and approval) tools within their software, which hadn’t been widely adopted. Time will tell whether this will solve the Zoombombing issue.

Uncomfortable truths

While Zoombombing is both criminal and vile, I am concerned that the United States government’s crackdown on troll perpetrators doesn’t address that Zoom’s service is also at fault.

I think it is fair to liken Zoom’s vulnerabilities to the legal definition of an attractive nuisance. An attractive nuisance creates a dangerous situation for children that also appeals to them. The most common offense in real life is having a swimming pool without a lock or barrier. I see the illegal but easy act of Zoombombing as similarly dangerous and appealing to young would-be hackers who wish to prove themselves online.

While the age of Internet trolls has yet to be a focus of research, anyone who plays Fortnite is aware that trolls begin at very young ages. Last year a mother in California attempted to raise awareness when she discovered that her teenage sons had been targeted by white supremacist groups. These groups were recruiting minors with Hitler memes and funny YouTube videos with subtle anti-Semitic overtones.

It is very likely that many of the Zoombombers are underage. Some might be pre-teens. It is possible that over the next few weeks we might begin to see children being accused of criminal activity on Zoom.

Alternative video services for working from home

I’m sorry to present all this Zoom gloom-and-doom in one sitting, but a quick and jargon-free summary should be useful.

If at this point you’ve decided to avoid using Zoom, and you aren’t compelled to use it by company or university policy, there are more secure alternatives.

My favorite option is FaceTime. Apple has emerged as the dark horse of privacy advocacy in tech. Among the technology giants like Amazon, Google, and Facebook, Apple stands out as the only company that hasn’t sold user data as a primary source of income.

Someone at Apple must have recently realized that this was a selling point. In 2019 Apple launched a highly effective and very blunt marketing campaign to pose the iPhone and all Apple products as the secure option in a sea of personal data leaking devices.

But FaceTime is limited in terms of the maximum number of attendees—32 videos total, including the room’s initiator.

If you need to host larger video meetings, Microsoft Teams allows 250 users to congregate.

While Microsoft has a less stellar record than Apple on privacy over their lifetime, it is only fair to note that many of the complaints once lobbed against them have since been resolved. Further, if you Google “Microsoft Teams security issues” the results that suggest there could be vulnerabilities all seem to be pages devoted to selling corporate data protection services. So take those with a grain of salt.

But Teams is aimed at corporate groups only. Their landing page now has a link for individuals seeking a video calling solution. It brings you to the Skype homepage.

If you have to use it for work

Many of you might be required to use Zoom. If you are, I apologize for what might seem like an alarmist article. But, in the words of G.I. Joe: “Now you know, and knowing is half the battle.”

And there are many ways to protect your data even when you have to use Zoom.

First, start by reading and following the EFF’s guide to optimal Zoom settings for privacy.

This guide is wonderful. It not only gives instructions for each setting with images but also tips on how to avoid common pitfalls.

The most important pitfall is that even if a Zoom password is enabled, and you take the necessary precaution of sending the password via a secure route like encrypted email, you could accidentally expose that password by sharing the Zoom room location publicly.

EFF explains that if you use the “Copy Invitation” button to copy-paste your Zoom room’s location invite link, it often inserts the password into the URL, allowing instant access to anyone who sees only the invite link and knows what to look for. EFF says that if you notice that the URL you have saved to your clipboard is unusually long and contains a question mark, it probably has your password embedded inside.
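The check EFF describes can be automated before an invite is posted anywhere public. The sketch below is an added example, not code from EFF or Zoom: it finds Zoom links in a draft message and removes the embedded passcode, assuming the passcode travels in a `pwd` query parameter on a `zoom.us` host; the function names and sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: invite links live on zoom.us or a subdomain of it, and the
# passcode is carried in the "pwd" query parameter.
ZOOM_LINK = re.compile(r"https://(?:[\w-]+\.)*zoom\.us/[^\s<>\"']+", re.IGNORECASE)
SECRET_PARAMS = {"pwd"}


def strip_passcode(url):
    """Return (clean_url, had_passcode) for a single Zoom link."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in SECRET_PARAMS]
    had_passcode = len(kept) != len(pairs)
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, had_passcode


def sanitize_text(text):
    """Rewrite every Zoom link in `text` without its passcode.

    Returns (clean_text, leaked), where `leaked` lists the cleaned form of
    each link that carried a passcode.
    """
    leaked = []

    def _fix(match):
        raw = match.group(0)
        # Sentence punctuation glued to the end of a link is not part of it.
        url = raw.rstrip(".,;:!?)")
        tail = raw[len(url):]
        clean, had_passcode = strip_passcode(url)
        if had_passcode:
            leaked.append(clean)
        return clean + tail

    return ZOOM_LINK.sub(_fix, text), leaked


if __name__ == "__main__":
    # Constructed sample: a draft public post with a pasted invitation.
    draft = (
        "Office hours today! Join at "
        "https://us02web.zoom.us/j/1234567890?pwd=Q09OU1RSVUNURUQ. "
        "Backup room: https://zoom.us/j/5550100"
    )
    clean_text, leaked = sanitize_text(draft)
    print(clean_text)
    for link in leaked:
        print("passcode removed from:", link)
```

The cleaned link still identifies the meeting, so the passcode has to reach attendees separately over the secure route described above.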

Another quick way to protect yourself is that if you are not the host of Zoom meetings, you can often avoid downloading the software on your device. Use Zoom’s in-browser solution as a more secure alternative. That means losing a lot of fun features like digital backdrops. If you’re disappointed, weigh that against the possibility that Zoom (or Facebook, if you believe the lawsuits) could have a list of everything you ever bought on Amazon.

Another option many people are pursuing is adding VPN to your work-at-home arsenal. A good resource to learn about that can be found here: what is a VPN guide by Surfshark.

Or try using nothing but Zoom

Should you have to host meetings, another option could be to limit your use of the app to a quarantined device. An old computer or smartphone that you don’t use anymore would be perfect. Wipe the hard drive, go through set up again, and afterward only use that device to access Zoom, turning it off between uses.

This method might not be perfect since you’re going to be spending so much time on home wifi, but it will make it much harder to get interesting information about your Internet use.

Alternatively, if you are one of the few individuals who use a work computer as her IT department wishes she would, you might already possess a rather private device! But keep in mind that checking your bank account, ordering something from an online retailer, or having ever accessed Facebook on that work computer does pretty much compromise its use as a quarantined device.

I hope that you’ve found this post helpful. If you want to keep up with developing news regarding Zoom or privacy in general, I would recommend setting a Google Alert for “Zoom + security” or periodically checking EFF.org.

If you have any other tips or video platform recommendations, feel free to share them with the {grow} community in the comments.

Kiki Schirr is a freelance marketer who enjoys absorbing new trends within the tech scene. She is also the former founder and CEO of a small video chat company. During their short run, her team realized that while closing security holes in video software can feel impossible, it is always worth the effort to protect your users. Kiki is most easily reached via Twitter.

Disclosure: Surfshark VPN link is affiliate link

 

The post What you need to know about Zoom doom and gloom appeared first on Schaefer Marketing Solutions: We Help Businesses {grow}.

Zoom admits some calls were routed through China by mistake

Hours after security researchers at Citizen Lab reported that some Zoom calls were routed through China, the video conferencing platform has offered an apology and a partial explanation.

To recap, Zoom has faced a barrage of headlines this week over its security policies and privacy practices, as hundreds of millions forced to work from home during the coronavirus pandemic still need to communicate with each other.

The latest findings landed earlier today when Citizen Lab researchers said that some calls made in North America were routed through China — as were the encryption keys used to secure those calls. But as was noted this week, Zoom isn’t end-to-end encrypted at all, despite the company’s earlier claims, meaning that Zoom controls the encryption keys and can therefore access the contents of its customers’ calls. Zoom said in an earlier blog post that it has “implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings.” The same can’t be said for Chinese authorities, however, which could demand Zoom turn over any encryption keys on its servers in China to facilitate decryption of the contents of encrypted calls.

Zoom now says that during its efforts to ramp up its server capacity to accommodate the massive influx of users over the past few weeks, it “mistakenly” allowed two of its Chinese datacenters to accept calls as a backup in the event of network congestion.

From Zoom’s CEO Eric Yuan:

“During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user’s region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform. In all instances, Zoom clients are provided with a list of datacenters appropriate to their region. This system is critical to Zoom’s trademark reliability, particularly during times of massive internet stress.”

In other words, North American calls are supposed to stay in North America, just as European calls are supposed to stay in Europe. This is what Zoom calls its datacenter “geofencing.” But when traffic spikes, the network shifts traffic to the nearest datacenter with the most available capacity.

China, however, is supposed to be an exception, largely due to privacy concerns among Western companies. But China’s own laws and regulations mandate that companies operating on the mainland must keep citizens’ data within its borders.

Zoom said in February that “rapidly added capacity” to its Chinese regions to handle demand was also put on an international whitelist of backup datacenters, which meant non-Chinese users were in some cases connected to Chinese servers when datacenters in other regions were unavailable.

Zoom said this happened in “extremely limited circumstances.” When reached, a Zoom spokesperson did not quantify the number of users affected.

Zoom said that it has now reversed that incorrect whitelisting. The company also said users on the company’s dedicated government plan were not affected by the accidental rerouting.

But some questions remain. The blog post only briefly addresses its encryption design. Citizen Lab criticized the company for “rolling its own” encryption — otherwise known as building its own encryption scheme. Experts have long rejected efforts by companies to build their own encryption, because it doesn’t undergo the same scrutiny and peer review as the decades-old encryption standards we all use today.

Zoom said in its defense that it can “do better” on its encryption scheme, which it says covers a “large range of use cases.” Zoom also said it was consulting with outside experts, but when asked a spokesperson declined to name any.

Bill Marczak, one of the Citizen Lab researchers that authored today’s report, told TechCrunch he was “cautiously optimistic” about Zoom’s response.

“The bigger issue here is that Zoom has apparently written their own scheme for encrypting and securing calls,” he said, and that “there are Zoom servers in Beijing that have access to the meeting encryption keys.”

“If you’re a well-resourced entity, obtaining a copy of the Internet traffic containing some particularly high-value encrypted Zoom call is perhaps not that hard,” said Marczak.

“The huge shift to platforms like Zoom during the COVID-19 pandemic makes platforms like Zoom attractive targets for many different types of intelligence agencies, not just China,” he said. “Fortunately, the company has (so far) hit all the right notes in responding to this new wave of scrutiny from security researchers, and have committed themselves to make improvements in their app.”

Zoom’s blog post gets points for transparency. But the company is still facing pressure from New York’s attorney general and from two class-action lawsuits. Just today, several lawmakers demanded to know what it’s doing to protect users’ privacy.

Will Zoom’s mea culpas be enough?

China Roundup: Enterprise tech gets a lasting boost from coronavirus outbreak

Hello and welcome back to TechCrunch’s China Roundup, a digest of recent events shaping the Chinese tech landscape and what they mean to people in the rest of the world. This week, a post from Sequoia Capital sounding the alarm of the coronavirus’s impact on businesses is reaching far corners of tech communities around the world, including China.

Many echo Sequoia’s observation that the companies that are the “most adaptable” are the likeliest to survive. Others cling to the hope of “[turning] a challenging situation into an opportunity to set yourself up for enduring success.”

Two weeks ago I wrote about how the private sector and the government in China are working together to contain the epidemic, bringing a temporary boost to the technology industry. This week I asked a number of investors and founders which of these changes will stand to last, and why.

B2B on the rise

The business-to-business (B2B) space was rarely a hot topic in China until online consumer businesses became relatively saturated in recent times. And now, the COVID-19 epidemic has unexpectedly breathed life into the once-boring field, which stretches from virtual meetings, online education, digital healthcare, cybersecurity, telecommunications, logistics to smart cities, analysis from investment firm Yunqi Partners shows.

For one, there is an obvious opportunity for remote collaboration tools as people work from home. Downloads of indigenous work apps like Dingtalk, WeChat Work, TikTok’s sister Lark as well as America’s Zoom jumped exponentially amid the health crisis. While some argue that the boom is overblown and will dissipate as soon as businesses are back to normal, others suggest that the shift in behavior will endure.

Like other work collaboration services, Zoom soared in China amid the coronavirus outbreak, jumping from No. 180 in late January to No. 28 as of late February in overall app installs. Data: App Annie 

“People are reluctant to change once they form a new habit,” suggests Joe Chan, partner at Hong Kong-based Mindworks Ventures. The virus outbreak, he believes, has educated the Chinese masses to work remotely.

“Meeting in person and through Zoom both have their own merits, depending on the social norm. Some people are used to thinking that relationships need to be established through face-to-face encounters, but those who don’t hold that view will have fewer meetings. [The epidemic] presents a chance for a paradigm shift.”

But changes are slow

Growth in enterprise businesses might be less visible than what China witnessed over the SARS epidemic that fueled internet consumer verticals such as ecommerce. That’s because software-as-a-services (SaaS), cloud computing, health tech, logistics and other enterprise-facing services are intangible for most consumers.

“Compared to changes in consumer behavior, the adoption of new technologies by enterprises happen at a slower pace, so the impact of coronavirus on new-generation innovations [B2B] won’t come as rapidly and thoroughly as what happened during SARS,” contended Jake Xie, vice president of investment at China Growth Capital.

Xie further suggested that the opportunities presented by the outbreak are reserved for companies that have been steadily investing in the field, in part because enterprise services have a longer life cycle and require more capital-intensive infrastructure. “Opportunists don’t stand a chance,” he concluded.

As for changing consumer behavior, such as the uptick in grocery delivery usage by seniors trapped indoors, the impact might be short-lived. “The only benefit that the epidemic brings to these apps is getting more people to try their services. But how many of them will stay? The argument that people will keep using these apps over concerns of getting sick in offline markets is unsubstantiated. The strength of a business lies in its ability to solve user problems in the long term, for example, providing affordability and convenience,” suggested Derek Shen, chairman of Danke Apartment, the Chinese co-living startup slated to list on NYSE.

Summoned by Beijing

The adjacent sector of enterprise services — at-scale technologies tailored to energizing government functions — has also seen traction over the course of the epidemic. Private firms in China have teamed up with regional authorities to better track people’s movements, ramp up facial recognition capacities aimed at a mask-wearing public, develop contact-free consumer experience, among other measures.

Tech firms touting services to the government are no stranger to criticisms concerning the lack of transparency in how user data is used. But the appeal to private firms is huge, not only because state contracts tend to provide a steady stream of long-term revenue, but also that certain public-facing projects can be billed as a fulfillment of corporate social responsibilities. Following the virus outbreak, Chinese tech companies of all sizes hastened to offer contributions, with efforts ranging from making monetary donations to building tools that keep the public informed.

On the flip side, the government also needs private help in emergency management. As prominent Chinese historian Luo Xin poignantly pointed out in podcast SurplusValue’s recent episode [1:00:00], some of the most efficient and effective responses to the public health crisis came not from the government but the private sector, whether it is online retailer JD.com or logistics firm SF Express delivering relief supplies to the epicenter of the outbreak.

That said, Luo argued there are signs that some local authorities’ tendency to centralize control is getting in the way of private efforts. For example, some government offices have stumbled in their attempts to develop crisis management systems from scratch, overlooking a pool of readily available and proven infrastructure powered by the country’s tech giants.