Zoom sued for overstating, not disclosing privacy, security flaws (reuters.com)
391 points by laurex on April 8, 2020 | hide | past | favorite | 157 comments



Don't know what is going on at Zoom, but I suspected at least part of it was sneaky. For example, about 3 or 4 weeks ago I heard about this company, and learned that it has R&D in China per its SEC filing at IPO. However, when I checked its website, the career section led me to https://jobs.lever.co/zoom, and there was ONLY one opening in China per the website (I remember it was a position in the marketing department). Then I searched for the company in Chinese media, and saw that they were hiring all types of engineers. That made me feel uncomfortable about buying its stock. Interestingly, if you now look at the same career website, China has been removed from the city dropdown list - maybe they are cutting off or "decoupling" the Chinese R&D?


Unlikely IMO.

"Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities."

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...


So Zoom is essentially a Chinese company with a formal outer shell in the US and 81% of its revenue coming from North America?


Isn't the holding company based in the US? Aren't the majority of stockholders in the US? Apple manufactures a lot of stuff in China, so is it a Chinese company?


This explains how their web installer which is essentially glorified malware was made and not reported on some bay area dev's blog or leaked to the press immediately. I was always surprised that a US software team could make something like that in a consumer project in a prominent company and it not be talked about for so long.


Are you referring to the same "glorified malware" tricks that are used in Cisco's WebEx installer?

https://news.ycombinator.com/item?id=22815583


Correct.


That's an excellent business model.


It's basically what a lot of consumer goods companies are now. All the products are made and mostly designed in China, and then the US HQ does all the sales, marketing, and funneling product requirements back to China.


> and funneling product requirements

I don't think the funneling stops at product requirements.


Not if your business relies on trust.


Only matters when you get big enough to attract meddling kids to look under the hood.


I guess it depends on how long-term your goals really are.


So basically merging SV surveillance capitalists with PLA-style APT developers. What could possibly go wrong!


I mean, this is incredibly common. Is there a large software company that doesn't do this? Labor competition is a real thing.


Why is having engineers in China cause for suspicion? Lots of tech companies have engineers in China. Eg Microsoft.


Because the CCP has no qualms about threatening an employee’s family to insert a backdoor or exfiltrate information, for one.

The decoupling has begun. Sentiment in the US toward China has never been as negative as it is now, from both sides of the aisle. I wouldn’t be surprised if we even see sanctions against China after the dust settles on this COVID fiasco.


Let’s get real here. The United States government is most certainly capable of doing everything we accuse China of doing and worse.


The US is no white knight. But it is not doing anything close to what the CCP does on a regular basis. When was the last time a Trump protestor or Obama protestor disappeared and was never heard from again? Or disappeared and show up again months later, 30 lbs lighter and apologetic about how wrong they were about the government?


In this sense yes, absolutely. China is known for doing grotesque humanitarian violations.

In another sense, such as starting a war to deflect from problems at home, there's one champ and that is our democratic country.

Either one doesn't mean the other is doing something legitimate and is warranted shielding from criticism.


"Starting a war to deflect from problems at home", what the heck would you call the invasion of Tibet then?

And while not literally a war, what purpose do you think the bellicose suppression of the fact of Taiwanese independence both domestically and abroad serves?

Some people seem so obsessed with the country they live in, they can't see the rest of the world properly. An over focus on domestic politics distorts everything with parochialism.


Not exactly, Tibet is a different type of thing, it's more like China's expansion rather than Xi wanting to deflect attention from his own problems. American wars weren't for any purpose or even any benefit for the US, and lots of money was wasted and stolen through the military industrial complex.


The US does not start wars to distract from problems at home. That’s conspiracy horse manure. Whether you want to believe it or not, every president that has ever started a conflict or US involvement in an existing conflict has felt the action justified on foreign policy reasons.

Those reasons might be something you object with, or even downright stupid in hindsight. But only in Hollywood is it ever a smoke screen for domestic issues.


USA, Russia, Turkey, China do exactly that throughout history. It is also an indicator of a failed/non functioning democracy, this is what surprises me about the USA (it IS a functioning democracy). I understand Russia and Turkey (been to both countries) are democracy-challenged and instead of solving their internal problems they create new external to divert the attention and seek "greatness" (one of the things that Trump* also proclaims).

Humanity needs to be great together.

Together we stand, divided we fall (said the poet).

*I don't vote in the USA so I don't care who they/you elect. If it would be Clinton or Bush (Sr/Jr) or Obama saying "screw the world we should care only about ourselves" I would be equally judgemental (you should hear me discuss politics with Russians (they can't see why their dictator is bad for them) (and now I will get downvoted by both Americans AND Russians :)


Please point to an example of the USA engaging in a war as a distraction from domestic issues.


I don’t see the humor in what you’re saying.


It wasn’t meant to be funny.


Your post read like a joke to me as well :/


I’m flummoxed. Can you explain?


Let's get even more real. This is whataboutism and it is a false argument.

The United States government can and is often held accountable for its actions. This concept does not exist in China.


You would have to start by decoupling investments in China and Wall Street and many politicians will not allow that to happen.


Enforcing US IP protections isn't a partisan issue. I think it's crazy that people are trusting zoom for their critical communications (like design review meetings and screen sharing schematics/process diagrams!) when there's a non-zero chance that the CCP/PLA has the infrastructure to:

    cat '$COMPANY/zoom-chat.log' | grep '$TRADE_SECRET' | local_industry_boost.bash 
inb4 the whataboutism: yes, the US Government has participated (and might continue to participate) in state sponsored industrial espionage. But if I'm an American company, I'm not going to care about that.

I've worked for at least one company that outright refused to do business in China or with certain companies that had oversized presence in mainland China because of experiences with this kind of problem. I know of some engineers that were arrested upon entry to the USA because they stole company IP and founded a company in China that used it. I know of another company that had network hardware compromised by an employee over there and was used to attempt to penetrate US networks (and if you wanna get spooked, they weren't alerted by their stateside infosec team, but federal authorities). I don't know why people treat me like a conspiracy theorist for bringing this up about Zoom routing data through China and using less-than-best-practice security.


Please share your grep binary that allows me to search countless hours of boring video for actionable content.


Run the audio through Google's voice API or similar. Then use grep.


You mean Baidu’s.


Zoom has audio transcription tech included. So.... yeah, grep.


But if Microsoft has teams in China or Russia working on MS Teams, I will be very concerned. The same goes for Slack, which many companies now rely on to keep business going.


I'm very sure that Microsoft (and plenty of other companies including Apple) has teams in China, Russia and other countries to develop and update proper localizations for those apps.


Are you certain they don’t?


If you have eng in US, having a decent chunk of it in China is much less threatening. For example, your internal controls can specify code review by american employees. Your key servers can remain in America or EU with stronger privacy protection regimes (not necessarily strong; just stronger than China).

This isn't perfect, but it makes subversion (1) more difficult, (2) probably more targeted (see eg Saudi Arabia using Saudi nationals employed by Twitter to steal identities of critics on Twitter), (3) more likely to be discovered.

My company's security model doesn't include the Chinese government / national security / military, but it could include the Chinese government giving our sales leads (which are evident if you can see our Zoom calls) to a domestic competitor. Broad exfiltration of data like that is much much harder if the engineering core is in the US or EU.


What alerted me at that time was the discrepancy between their U.S. HR site (which showed only one Chinese opening) and their job postings on Chinese job sites.


I doubt it is a complicated conspiracy. Someone probably pushed the wrong button on the HR site.

I’d guess the one opening you saw was coming out of a US manager’s budget, and the manager wanted some physical presence in China to help work with teams that are based there.

It’s not surprising that they wouldn’t target China-based positions in fluent Chinese language offices at their US based English language site.

Also, I’ve been using Zoom at work for years. They’re more popular with younger firms (“anything but Cisco”, maybe?).


I think OP was alluding to Zoom not showcasing the reqs on the US careers site. Most companies including Microsoft do display open positions in all countries including China on their US page.


I very much doubt Microsoft does any serious development of their core products in China. Localisation, some local support and other, less sensitive stuff.


The folks I talked to who worked at Microsoft Research Asia said that they worked on Bing, Office, etc.


Anti-China sentiment is being stoked heavily in the US right now. Anything China-related is widely seen as evil and/or untrustworthy. Usually these opinions are expressed on China-sourced hardware.


It could be they advertise jobs in different regions on different systems, to get the closest reach to the potential hirees.


The R&D centers in China (I think there are 3 of them) are their competitive advantage - this can help them manage cost to be profitable from early on. I also think the engineering teams there can share with their peers at the other local Chinese tech firms. For example, China was literally put in lockdown in February, and all of the businesses and schools went online in a couple of days - that was an enormous achievement for anyone who participated in scaling the infrastructure at the big tech companies in China, and I would not be surprised if the Zoom engineers in Chinese R&D learned a couple of lessons from them. Zoom even has a feature that lets you choose to "soften" your appearance to look "better" in the video conference, which has been a feature of camera/image software popular in the Asian market. So I suspect their product team may also have some connections there.

However, Zoom's biggest advantage is also its biggest risk, if they want to be part of the communication infrastructure of any business/government/university/etc in western countries, especially after so many security incidents that happened in the past years.


Zoom is fully aware that associating themselves with China, considering the latest developments, would be catastrophic for them, whether it's job listings or some of its servers being in China.


What's wrong with having R&D in China? The talent market is attractive, and assuming Zoom's founder is Chinese, it seems more reasonable at some point compared to opening another office in the US. Lots of big tech companies have a strong R&D presence in China, like MSFT and GOOGL.

Btw, I might be wrong but CCP banned Zoom about half a year ago.


Is it the same company? We have "employees" around the world, but that ranges from employed by the mother ship, employed by one of the various subsidiaries (all with very similar sounding names) or not officially employed but via a local agent (for both liability, regulatory and in certain regimes, mandated).


I don't think this is likely to succeed -- Zoom can argue that the stock price has gone down because of "Zoombombing" and security/privacy concerns that have nothing to do with exact details of what was disclosed in privacy/security documents, which barely anyone reads anyways.

Also, it's awfully hard to argue losing shareholder value when the stock has still more than doubled in the end -- Zoom can easily make the plausible-enough case that it made the right tradeoffs in the end for shareholder value that allowed it to scale. (I'm not saying that's true, just that it's plausible.)

Could it be fined by the SEC for misstating key details in their public filing? Maybe, although these are tiny details. But a class-action suit by shareholders? This feels like a stunt to me. Also, since a suit by shareholders could depress the stock price further, this feels like a short-seller trying to profit, no?


> Zoom can argue that the stock price has gone down because...

Two general steps to a securities suit.

First, show the company defrauded investors. That can be as simple as omitting or mis-stating material information. (Zoom publicly claimed to use certain encryption standards that it didn't.) So the battle, here, will be around materiality. Critically, this step does not typically require proving damages.

Once materiality is met, the second step is showing damages. At this point, the change in (and attribution of) stock prices comes into play.

Once fraud is shown, the company is in a bad place. Even if a particular investor faced no discernible loss, everyone who bought at higher prices will now sue. It also invites state and federal investigators to start pursuing management and senior staff.

> this feels like a short-seller trying to profit, no?

No. You have to disclose your positions when entering into a shareholder lawsuit. Shareholder lawsuits are comically common. And there is limited precedent for short sellers doing this.

Disclaimer: I am not a lawyer. This is not legal advice. Don't buy or sell securities based on my internet comments.


Am I the only one struggling to use Zoom properly since they introduced the latest security changes? The Slack integration (write /zoom to start a meeting) was working ok-ish, even though we always had problems with the meeting not starting unless the host of the meeting was logged in (gosh...why so complicated?)

Now they added this waiting room, and there is no sound notification to let you know that people are waiting. Doing our daily standup has become a sufferance. It's crazy how quickly they lost us as users with literally two badly implemented features.

Happy to hear if any of you also had the same struggle and if there is a good alternative.


Maybe set a (strong) password instead of using the waiting room?


I think most of these are settings that can be changed in the advanced settings menu. Zoom changed the defaults, but you can still change the settings to what you prefer them to be


I would think that meetings being company users only by default could side step a lot of these clunky security measures. You would only need them for external meetings. No zoom bombing or war dialing issues with that default permission set.


The issue is that everyone with a gmail address is in the same "company", because they use your domain to determine what company you're in.


For our daily standup we use meet.google.com as it's more convenient than ZOOM. ymmv ofc


My company has been trying to find a solution since the Coronavirus hit. (We're not used to working from home)

We were using Slack's built-in conferencing at first, but aside from the quality being generally bad, there was a 15 person limit, and we're ~ 17 people.

I didn't want us to use Zoom with everything that's going on, so I suggested Google Meet. We tried it, and it worked, but not well—people's voices would frequently break up and become hard to hear.

And so we tried Zoom this past Monday.

It was incredible. I could actually hear and see everyone. I'm not happy about all their issues, but damn their product is just really good.


It's hard to argue that a product from targeted-advertising companies like Google and Microsoft wouldn't exhibit much worse privacy concerns, and the other major competitor, Cisco, was the architect of China's great firewall. Zoom works pretty great. I have been on very large conference calls almost daily over a year and they've been pretty flawless. They also sign HIPAA BAAs which is great for the industry I'm in.


That's odd. We haven't had problems with google meet, so we use it. Though we use zoom too, for all hands meetings for whatever reason.

Maybe it's locality to the servers, or just packet loss heavy internet in your neck of the woods. Either way, I get it.


Note that the lawsuit is a class action for shareholders of Zoom stock.

Filing: https://i.judge.sh/natural/Babs/1-main.pdf


Presumably the zoom user agreements include arbitration clauses, etc that prevent users from filing class actions or lawsuits.

It's a get out of jail free card they'd be dumb not to have included.


Shareholders don't sign user agreements.


I don't think there was an implication to the contrary. I read that comment as an explanation for why any lawsuit would come from the shareholders rather than the users.


Yes, that was the intention of my post, but not explicitly written, that shareholders could sue and users probably can't.


Is there a simple way for those of us who hold index funds to check if we are shareholders?



yes:

if you hold an index fund which holds zoom, you are not a shareholder, the fund managers are.


That doesn’t mean you weren’t damaged financially by their misconduct.

It probably doesn’t matter much for a small company like Zoom, but I imagine it would for MFAANG and friends.


Technically you weren't damaged, the fund was. If there is any settlement it would go to the fund, not you. Then you'd have to hope the fund passed down the settlement to you (or sue them for it).


Interesting that shareholders are the ones to file a lawsuit.


"Everything everywhere is securities fraud." [1] -- Matt Levine, Money Stuff

[1] https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...


In the US lying to users is merely frowned upon while lying to investors is illegal.


False advertising of services (amongst other things) is illegal in the US.

https://www.law.cornell.edu/uscode/text/15/52#b


Yes, just this week the FTC brought a tech company to justice for false and misleading promises to users about information security:

> “We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”[1]

Armed with clear and indisputable evidence of Tapplock's blatant lies, the bulldog enforcement lawyers at the FTC took the opportunity to make an example out of the company. After 18 months of hard-fought negotiations the FTC announced a settlement agreement[2] whereby the Commission agreed to resolve the matter in exchange for Tapplock's pinky promise to not get caught doing that again. Per the arduous terms of the settlement, Tapplock neither admits nor denies any of the FTC's allegations.

So when a company promises their users security that company better deliver security. Or else... absolutely fuckall will happen.

[1]https://www.ftc.gov/news-events/press-releases/2020/04/canad...

[2]https://www.ftc.gov/system/files/documents/cases/192_3011_ta...


Shareholders sue companies all the time. Usually an enterprising law firm will cook up some claim and start collecting plaintiffs (shareholders) and then when they win the law firm collects their paycheck.


They aren't. The lawsuit is really being filed by lawyers hoping to get a windfall. They don't even need to have much of a case, at worst Zoom will pay their fees and more for the nuisance to go away.

However, they do need to pretend for the court that this is more than just a lawyer-led money grab and that they actually represent the interest of a plaintiff. Enter Michael Drieu. If you read the complaint [1] you'll see Michael Drieu claims damages of ... $300. He's basically enabling a shakedown out of either malice or stupidity, but not greed.

So no, it is not as if the shareholders of Zoom were up in arms against the company, this is just ambulance chasing with a puppet plaintiff.

https://www.scribd.com/embeds/455562311/content?start_page=1...


> Enters Michael Drieu. If you read the complaint [1] you'll see Michael Drieu claim damages of ... $300. He's basically enabling a shakedown out of either malice or stupidity but not greed.

Those are pretty strong statements for an 11 minute old account.

Dang, you can go ahead and scold me for insinuations of shilling. I just can't help myself.


I have an older account, and agree with the parent. Shareholder lawsuits against companies simply transfer money from the company to the lawyers, and to shareholders who sold their stock between discovering the fraud and disclosing it. Shareholder lawsuits against executives would be a better way of policing fraud, but they are uncommon, likely because they are not as lucrative for lawyers.


Good. There needs to be a serious crackdown on 'puffery' aka lying ( whether lying about product feature or anything else is irrelevant ). Fingers crossed and it will go beyond $2 credit on future Zoom services for affected users.


I'm betting the payout will be a custom emoji for affected users. Maybe a tinfoil hat. And the court will be ok with that so long as the lawyers get paid in hard currency.


Iirc this is a lawsuit by shareholders so I imagine users will get nothing.


Will be interesting if Zoom is compelled to disclose their security architecture. On the same page can they be forced, in court, to make a statement on the interference by the Chinese government?


If the lawsuit gets past the pleadings stage, then relevant information would be subject to discovery. So the plaintiffs would be able to get and use that info in court, but Zoom would probably ask the judge for a protective order so that it doesn’t become public.


Is having keys compelled a surprise?

Chinese servers, operating in China legally, will usually have this issue.

It's serious yes, but I'm confused if it only applied to users in China?

I'm more concerned about the technical issues TBH - I assume most software sanctioned in China had to turn over keys.


Seeing as encryption is illegal in China, I don't think they will need to give up any keys.


>Seeing as encryption is illegal in China

Source for this? That would make any https site in china illegal.


I'm sorry, I was wrong. It requires a license from the State Encryption Management Commission: http://www.cryptolaw.org/cls2.htm#prc

I am not a lawyer nor a cryptography expert who can advise whether licenses are granted easily or whether they are revoked if you fall out of favour.


Not an expert, but I searched and found this link which seems to explain it well:

https://www.freshfields.com/en-us/our-thinking/campaigns/dig...

tl;dr: encryption is not completely illegal, but it sounds like it's pretty tightly controlled.


I didn't think they'd be foolish enough to completely ban it.

They're not comically evil, they just have certain incentives.

Key escrow meets those goals.


What interference by the Chinese government?


On the latter issue: a company cannot speak for each individual employee.


I don't get why this is downvoted? Maybe I was too concise. Then: even if the company may say what they do, the company cannot check and tell what each employee does. This doesn't have to be a malicious intent of the employee, but it can be.


It's a bit odd how everyone's attacking Zoom when none of the other common solutions have proper e2e encryption either.


Do the other common solutions claim to have e2e encryption?


Yeah. The problem here is that Zoom lied about it.

And, like, why? Sure, if no one ever caught them, e2e could be a reason to choose Zoom—but it's like lying on a resumé. Which, I guess is also a thing that happens sometimes, but it's generally understood to be a bad idea.


Because it was clearly botched marketing material rather than a coordinated plan. Hypothetical: somebody asked an engineer what kind of encryption Zoom used, the engineer responded somewhat vaguely and the marketing person heard "we encrypt between endpoints" as "end to end encryption" and then nobody noticed when reviewing the text.


Yeah right, oops


Yes it definitely is an "oops". I'm not excusing it, but offering an alternative explanation to the "zoom is evil" thinking.

If zoom was truly trying to market themselves as e2e, why is this only buried in one document rather than shouted from the hills?


They claim HIPAA compliance due to e2e encryption. That is far from an oops.

They updated their documents since, but last week they had documentation up that said they were HIPAA compliant due to end to end encryption.


Ooops. That sounds like it's going to hurt. If not, it sends the message "Hey, say you're HIPAA compliant, but it doesn't matter if you're not (wink wink)"

I develop electronics and firmware for medical devices, I have (almost) nothing to do with regulations compliance (except to the extent that I'm working on something where there is an intersection, like storage of patient data). But anyway, not a day goes by that I don't hear someone ask, "Is that HIPAA compliant?"

So yeah. Companies that have used Zoom based on that claim are probably going to extract some blood out of Zoom.


The odd thing is that EARN-IT pushers want to ban strong encryption "for the children" but they want to excoriate Zoom over weak encryption "for the children".


It's almost like it was never about the children..


Webex has optional e2e encryption, but naturally you lose some features such as network based recording.

https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-E...


Does e2e work with multi-party? The picture only shows host/client; is the host the server or the conference host?


It seems like it would work if there was an unencrypted metadata stream with it, indicating boolean talking or not, etc.


This nonsense happens all the time with public companies. All it takes is a law firm with the gumption to file a suit claiming that the company misrepresented something material which resulted in a significant change to share prices.


Not surprising. Crazy how Zoom at the beginning of the crisis was hailed for helping folks get together, but now with all the highlighted security concerns they are receiving a ton of backlash. Hopefully they can recover and learn from this.


I’m more shocked that this massive tech industry has like one decent solution to remote video conferencing. Maybe we really have gone too far down the road of making bullshit apps, and stopped solving real problems.

Shame on us.


Shame on the telcos who prevent residential customers from using the internet as intended. If everyone was given an IPv6 address block and the freedom to accept outside connections from anywhere, none of this would be an issue.


>freedom to accept outside connections from anywhere

Without NAT from home gateways (like consumer routers) preventing inbound connections from the internet, security would be far more of a nightmare than it is today. Requiring that people manually forward specific ports is the best way to handle it. We would be seeing news about Blaster-like worms pretty much every week of the past 20 years, otherwise.

Also, even if it were a good idea, this still wouldn't solve the problem at all. The NAT-traversing capability of Zoom and other products is like 0.01% of the value they provide. You still need good software.


agree on telcos preventing ppl from using internet as intended, but we'd still need good and easy to use videoconferencing software


MS Teams is pretty good, but it's Microsoft so people aren't using it as much. Which is understandable.


And it runs on Ubuntu! To be honest I'd rather not use software made or hosted on US/Chinese/Russian soil, but I don't really have much choice at my workplace. If it didn't run on Ubuntu I'd dual boot to Windows just for meetings.

This would be a great time for some proper European alternatives.


Teams and Hangouts have the same problem -- they are hard to set up.

Zoom "just works". My in-laws joined a Zoom conference without help. There is no way they would have figured out Hangouts or Teams.


Yeah, totally agree. Our company uses Zoom. I'm happy enough with it. I've been forced to use MS Teams though, and I actually like it a fair bit.


And yet, almost nobody has commented on this sad state of affairs. You'd think there would be plenty of healthy competition in this space, but there is none. Why not?


I've worked for a couple of companies where capacity planning was way out of whack with the sales side.

The worst case of this was when a manager came and told me we had just landed a big customer and my response was, 'Oh, fuck me'.

When your product isn't built for scale, you can sell the hell out of it to small and medium sized customers, or sit back and let organic growth bring you people by word of mouth, and they will all be happy. Invite yourself to the Big Show before your systems are ready and you're gonna have a bad time.

In this case, there is probably nothing Zoom could have done to avoid this level of scrutiny at this time. Handle that scrutiny better? Sure. But it was going to happen either way.


Apart from that FBI warning of Zoombombing, I don't know a single non-tech person that's actually aware of all these security concerns, including China privacy.


Yeah, I've been seeing this all over. For example my sister in law hosted her wedding over Zoom this past weekend. Approx. 0% of the people who attended couldn't have cared less about encryption or security concerns. They just wanted the easiest way to join in on a video feed with their friends and family. It's even become a verb now: "zooming in" e.g. "Please zoom in to our meeting". That's the mark of something that's going to stick. Once searching on the web became "googling" in the general population it became impossible to unseat Google. I think the same will hold true for Zoom.


Does it count as lying when it's ridiculously obvious that you're lying?


Yes, and it's not so obvious to almost everyone.


No, but this is not obvious. Vitamin water claims that excuse and I don't believe they should either.


Well, I mean, I’m sure it was a throw-in claim made for sales. Sales is always a little sleazy. I just don’t think the company expected ... you know, the whole world to be using their product. Sleazy got caught :p


I am beginning to get concerned also. The University of California has contracts with Zoom, and so many of us have moved over to using Zoom for all our research lab meetings, especially since the pandemic. We all know that China has pushed research espionage, with several convictions that I know about. The possibility of intimate ties with China raises the specter that Zoom is pushing video, or transcripts of that video through China, and hence through Chinese spy agencies, which would be really concerning.

Note: I love the Chinese people, and my Chinese colleagues. I do NOT like the oppressive, and frankly, evil and callous crimes committed by the Chinese government. Downvote or upvote the comment as you will; it won't change their crimes or my opinion.



I guess investors who bought the wrong Zoom stock can’t get in on the class action? ;)

https://time.com/5792310/zoom-zm-stocks-coronavirus/


Looking back, there isn't actually any evidence that Zoom is not, as they put it, "encrypted from end point to end point". But it is clear that Zoom itself is kind of confused about the whole thing. I don't think that Zoom is all that good with technical stuff...

To have any assurance that a video conferencing system is actually secure e2e you would have to have access to the verified source code of the client programs and verify the identity of each and every participant. That is likely impractical so I think it is safe to say that you should not use any video conference system provided by others to discuss secret things. If you absolutely must do so then you can set up a server under your physical control and then would not have to bother with e2ee at all.


Security audits are done all the time, for which access to the source is given. In Zoom’s case, going through an audit from a reputable firm, may just be the answer of getting the public’s confidence back.

And of course it’s fairly extreme to claim you should not use any video conference system for any sensitive discussions; security is not black and white, and each situation deserves an appropriate level of security; it needs to be balanced with convenience. There are a lot of situations where I would prefer “mostly” secure communication, rather than no communication at all.


>There are a lot of situations where I would prefer “mostly” secure communication, rather than no communication at all.

We are not talking about "mostly" here for the video conference case. We are talking about a situation where most providers have access to the data of their users without very much work. If you are actually willing to confirm the identity of your correspondent using verified binaries you can get end to end protected communications ... if someone claims that they have something easier then they are lying. You can't beat the law of logic. The fact that anyone is even suggesting that Zoom could have been e2ee in any way that mattered is kind of depressing. I think we have some education to do.

Security audits are pointless unless you can confirm that the software that was audited is the software actually running on your device.


How many of Zoom's recent issues can be explained by just bad engineering?

Because my personal gripes with Zoom are mostly about its quality as a software product, which I find to be abysmal for my use cases.


From a purely functional standpoint (that is, does this software do what I need it to do?), I have had absolutely no problems with Zoom.

What issues have come up for you?


I don't really want to go through the laundry list of issues I have because none are critical, just the software is very rough around the edges on Linux. It just feels less than fleshed out, and I've had a million little problems and bugs that I've reported and never heard anything back (as a paying user!).


> on Linux

I think I found your problem. While Linux is big here on HN, all Linux users probably represent 0.001% of their paying customers.

In other words, it makes no business sense for them to do anything to retain you.


Can Apple be sued for the same? I'm reminded of their advertising against windows for security, but their products have had a myriad of security flaws over the years.


My employer currently signs up for Zoom, apparently managed via our SSO solution. So far so good.

Right now, I got an email from Zoom, not showing any relation to my employer or mentioning its name: "congratulations for signup, use your account now". Ok. Password reset yields a usable basic account. Seems like somehow Zoom created a personal account for me with my work email. As I didn't get the activation email I got on my private spam account, I assume somehow they got/requested all the employees' email addresses and automatically created private accounts, not related to the actual business account.

What the actual f* is that?!? And yeah, I think conceptually this is the same behavior as shown by the ad/malware/spam campaigns ca. 2003. I wonder what would have happened if I had just typed a password when signing in with my account... Maybe they just grab the passwords of the illiterate users and check them by trying to log in with the university website? (that's sooo user-friendly!)


I set up Zoom for our company and nothing like this happened. It seems much more likely (than your wild conspiracy theory) that your company added a "basic", rather than "licensed" account for you and you got an email as a result.


No, don't know what kind of mess they made; the official login is via SSO (and works with <companyname>.zoom.us). To my understanding the account is typically created on login there (otherwise we would sync our whole list of employees with 100s of services...). And even if it was just a random invitation sent to an email they bought somewhere, it doesn't really explain how I could reset the password for my email then (without ever activating an account)?!

It might be a mess-up from someone but it's definitely strange and I just didn't sign up there, yet got spam and had a working basic account...


> otherwise we would sync our whole list of employees with 100s of services

Could also have been created with SCIM and you're in a particular SCIM group that other folks are not in.


OK, that's interesting. And this is a really creepy thing from a privacy standpoint...


Not really, it's not your privacy if it's your work account/email.


Blows my mind that a shareholder might have a cause of action for this.

1) Buy volatile stock with recent IPO

2) Sue them for their volatility

3) ?????


> Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...


You know, I had never considered being a shareholder and using said standing to sue a company into security best practices when they lie about it, considering regulation has failed to create the appropriate incentives.


Neither have I, but figured I’d link this since it is more than likely why they are suing


Oh wow. ECB mode? That's horrifying.


For those that don't know much about encryption, here is an example image for why ECB mode is trash: https://i.stack.imgur.com/bXAUL.png


I would say that anyone who ever tries to encrypt some data and does the bare minimum google/stackoverflow search for how to do it would see extremely vigorous warnings not to touch ECB with a 10 foot pole.

Unfortunately, crypto libraries have a history of having a terrible UI and defaulting to ECB. Years ago I ran into this with pycrypto. I worked on a team that joked about how important it was not to do ECB and it turns out they had done ECB. https://www.dlitz.net/software/pycrypto/api/current/Crypto.C...


Images are uniquely bad for ECB mode since they almost definitionally will have repeated material. ECB mode is bad and shouldn't be used. But it isn't like somebody listening to your zoom traffic can transparently see penguins.


Isn't an h264 stream even worse given that unlike a random image it has a very well defined repeating structure? The risk isn't that someone will look at zoom traffic directly and see the content Matrix-style. The risk is that it should become possible to just completely decode the encryption given what you know about the plaintext. In that context the penguin image is a great illustration.
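The point made in this sub-thread (and in the Citizen Lab quote above) is that ECB applies the block cipher to every 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and an observer can spot structure without the key. The following is an added example, not code from Zoom, Citizen Lab or anyone in this thread. It is in Go because the standard library has AES but deliberately ships no ECB mode, so the ECB helper is hand-rolled here purely to show the effect. The "frame" and the key are constructed values, not real Zoom or H.264 data; `duplicateBlocks` is the kind of key-free check a reviewer can run over captured ciphertext to see whether a block mode is leaking patterns:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt runs the raw block cipher over each 16-byte block on its own.
// Go's standard library deliberately ships no ECB mode; this helper exists
// only to demonstrate why. The input must be a whole number of blocks.
func ecbEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// ctrEncryptWithIV is AES-CTR with a caller-supplied IV prepended to the
// output. Each block is XORed with a different keystream block, so identical
// plaintext blocks no longer yield identical ciphertext blocks. In real use
// the IV must be fresh (random or a counter) for every message under a key.
func ctrEncryptWithIV(block cipher.Block, iv, plaintext []byte) ([]byte, error) {
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes", block.BlockSize())
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return append(append([]byte{}, iv...), out...), nil
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier block.
// A non-zero count under a block cipher means plaintext structure is
// showing through. This needs no key, only the captured bytes.
func duplicateBlocks(ciphertext []byte, bs int) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+bs <= len(ciphertext); i += bs {
		k := string(ciphertext[i : i+bs])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// constructedFrame is a made-up stand-in for a media frame: a 16-byte header
// followed by 32 identical blocks, the way a flat background or a repeated
// codec structure would look. It is constructed for this demo, not real data.
func constructedFrame() []byte {
	header := []byte("FRAME-HDR:0001__") // exactly 16 bytes
	flat := bytes.Repeat([]byte{0x80}, aes.BlockSize)
	return append(header, bytes.Repeat(flat, 32)...)
}

// constructedKey is a fixed 128-bit demo key so the run is repeatable.
func constructedKey() []byte {
	return []byte("0123456789abcdef")
}

// compareModes encrypts the same frame under ECB and under CTR (fixed
// all-zero IV, acceptable here only because the key encrypts nothing else)
// and returns the repeated-block count for each.
func compareModes(key, plaintext []byte) (ecbDups, ctrDups int, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	ecb, err := ecbEncrypt(block, plaintext)
	if err != nil {
		return 0, 0, err
	}
	ctr, err := ctrEncryptWithIV(block, make([]byte, aes.BlockSize), plaintext)
	if err != nil {
		return 0, 0, err
	}
	return duplicateBlocks(ecb, aes.BlockSize), duplicateBlocks(ctr, aes.BlockSize), nil
}

func main() {
	ecbDups, ctrDups, err := compareModes(constructedKey(), constructedFrame())
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d repeated ciphertext blocks (the plaintext has 31)\n", ecbDups)
	fmt.Printf("CTR: %d repeated ciphertext blocks\n", ctrDups)
}
```

Under ECB the 31 repeated plaintext blocks come out as 31 repeated ciphertext blocks, which is exactly the penguin-image effect applied to a byte stream; under CTR the count drops to zero. CTR alone still provides no integrity, so a production design would pair it with a MAC or use an AEAD such as AES-GCM, which Go also provides in `crypto/cipher`.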


Shareholders can sue you for pretty much anything you do that damages your value that you didn't warn them about.

I.e. they put in their IPO prospectus that there might be a negative impact on their reputation from them having Chinese R&D, so they have a defense against that. They didn't put "We have misleading marketing materials that might become subject to widespread public attention" in there I think.


That doesn’t mean it’s a sound policy.

Public markets bid up a stock to an insane valuation in a matter of weeks and then the price comes down (due to technicals, fundamentals, whatever) and you have shareholders trying to weasel out of their gambling losses by suing the company.

Let a customer who was actually harmed by this sue. Much more compelling to me.


It should teach companies not to lie in their marketing, or as Zoom calls it, "have a discrepancy between the commonly accepted definition of e2e and how [they're] using it".

If they weren't making shit up, stocks go up, stocks go down, but the gamblers wouldn't have any grounds to sue.


This culture of biting the feeding hand has to stop somewhere.


Well no, the shareholder is the feeding hand, giving money.

Actually, Zoom is accused of misbehaving and biting the feeding hand. And yes, this shouldn't have happened.



