I wonder. Are all the vulnerabilities and issues with Zoom because of its popularity?
Everybody is using zoom these days and in my opinion it's because it has an excellent user experience.
I'm wondering if something like Cisco WebEx is just as "broken" but everyone doesn't have their eyes on it.
One thing for sure. We need a way to run desktop applications in isolated containers in the same way mobile apps are run.
I joined a WebEx meeting the other day, downloading its client. And after the meeting a little window popped up with my next meetings.
Without permission it had hooked into my Outlook calendar.
At the very least, we could have some sort of virtual file system that by default applications only see.
I'm sure the capability exists in windows, because there's a mod management tool for Skyrim I've used where it creates a virtual folder for all your activated mods and the game itself sees that virtual folder when running.
As an aside, remember when Skype was the most popular audio/video chat app in the world?
Or even MSN messenger?
I also remember Hangouts getting popular but then stagnating in using 100% CPU and setting fire to your laps.
The CEO of Zoom is a former senior engineer on WebEx, funded by ex-WebEx employees and founders.
Zoom was originally him plus 40 software engineers in China.
If I was Cisco, I'd be wondering how much code was copied into Zoom.
And if I were you, I'd be wondering why people are using an essentially Chinese communications tool.
Zoom is not a normal US company that outsources to China - the entire development team started in China with a San Jose "HQ" (because Cisco is based in San Jose.)
Eric Yuan worked for WebEx before it was acquired by Cisco. While he was at Cisco, he tried to improve WebEx, but none of his managers listened and he felt they were moving too slowly [1]. He left and started his own company.
He’s an American. His wife is an American. His kids are American.
Chinese Ministry of State Security can inject a coder/sysadmin who adds vulnerabilities which are then used for espionage against corporations/governments. The National Security Agency has done things like that in the past, so it is safe to assume the Chinese do it too.
Playing devil’s advocate: what should the rest of the world do when using proprietary technology from the USA, given that NSA likes to have their nose in everything?
The software industry needs to adapt to the challenges of a fully digitized world and at the moment things are a bit behind. The first and most important part is to have reproducible builds and core signing, so in cases where the source is available, people should be able to easily trace what’s in the software they’re using and who contributed. I think this is a technical challenge and some software ecosystems are trying to solve it (Go, Rust etc.). The next thing that I would like to see happening is more commercial software licenses that allow making a living from selling software but that give access to the source. I prefer a world where I pay for software and developers can make a living, and at the same time be able to check that the promises that the developer makes are held.
How would code-signing help if NSA arm-twists you into introducing a backdoor in your code? Even for open-source, it is difficult for average-Joe to trace and figure out contributions (it's like saying the automobile engine has blueprints available, so everyone should be able to figure out what's wrong). :-)
You know NSA is an American Agency, and America is not China - there is a free enterprise. The only way they can "arm-twist" you is by rules and regulations that every company has to follow. In other words - NSA cannot force you to break the law.
"The FBI wanted to work out an arrangement in which the developer would secretly feed its operatives information about Telegram’s inner workings—things like new features and other components of the service’s architecture that they might want to know about. The arrangement would be strictly confidential, and they were willing to pay."
source: https://thebaffler.com/salvos/the-crypto-keepers-levine
Isn't it ironic how the majority of threads on this forum currently discuss the abuse of power of government officials and the excessive violence of countless law enforcement agencies, while this thread abounds in commenters conspicuously ignorant of the problem?
Bribing the software engineers of an independent private business behind the owner's back, and/or showing up without announcement at private residences of major stake-holders is "arm-twisting" for all intents and purposes. Admittedly it's more subtle than the typical approach the Russian or Chinese governments would follow, yet the essence is the same. In rare cases, where bribery and coercion fail, there is the institution of FISA courts in the US and the lack of control over secret services in other countries.
The potential of a private business to say "okay we do it for money" is exactly the risk at hand and the reason for more than a handful of "accidental" security breaches in the recent past.
This is an ok thing for some Americans to believe in, but at least Google encrypted all its traffic between data centers specifically to avoid NSA eavesdropping. And many people in the rest of the world don’t think US respects the rule of law as it advertizes.
Well, Arabia and Russia are starting to force data to be processed and stored in their territory by blocking foreign comm-tech. But I don't think that is a solution, that is just digital nationalism driven by fear of espionage and demand for the power of mass surveillance.
What "the world" should do is lobby against nation-states and mega-corps having their noses in everything, because it is a central building block of totalitarianism. Even if the state doesn't go all out authoritarian, it opens back doors that leave people vulnerable to abuse by bad actors.
The rest of the world can (and should) avoid US software if they want to. Playing devil's advocate here doesn't make a lot of sense because no US regime has ever been anything close to CCP.
The US government can just walk in and say zoom.us has to feed all the data into MYSTIC for national security reasons. The CCP's ability to pressure some developers into adding bad code which might enable them to hack Zoom infrastructure is laughable in comparison. Yes, in theory they could attack some high value target that way, but only the hosting nation can exfiltrate mass surveillance without an alarm going off. Which is why zoom.cn is hosted in China.
While it's probably a little easier with a "home field advantage" there's no reason to think they don't do this to stuff built outside of China also. As you say, the NSA does this, and certainly other large nations have institutions that do this as well. It's probably safe to assume all large communications systems are riddled with intentional errors.
They don’t even need to do that. The government can much more easily coerce the existing employees to do things by threatening them or their family members. This is the risk that Chinese employees in the US with family back in China pose to US companies.
It's a play on the whole "they warn about the dangers of supply chain hacks". If asked how they can be so sure that is happening, they say: well, we would do it that way.
A proven case? Look at Crypto AG. Sure one might argue the whole company was planted, so it doesn't count ...
Come on, everyone knows this is not about denigrating Chinese people. To have an entire software team located in China puts the product at risk because of the potential interference of the CCP.
While this is true, both he and his wife were born in China, and it's not clear if they renounced their Chinese citizenship. I buy their explanation that development is done in China to save money, but it's an interesting choice for someone so concerned with looking like an American company.
"Talented engineer leaves old, bloated company to found new startup that becomes a massive success, disrupting a stagnant industry" is a classic tech success story. Awesome to point out such a cool bit of backstory- SV folks love these scrappy underdog stories, the developers who take a risk, leaving their comfy corporate jobs to create a product customers love.
>And if I were you, I'd be wondering why people are using an essentially Chinese communications tool. //
Why not? As I'm in the UK I assume that either I use a USA based product and have my data open to USA government sponsored TLAs, or use proprietary products from other countries and have their secret agencies have some sort of access.
With Five-Eyes, or Maximator, mainstream development in one of the countries involved suggests there's going to be intelligence agency access.
For private citizens access by CCP is probably (unless you have links to China) far lower risk than using software connected to Western nations.
I don't have need of secret communications really; Jitsi (meet.jit.si serves my needs when I get to choose the video chat software; family and friends seem happy with it).
> I'd be wondering why people are using an essentially Chinese communications tool.
People use it because it's currently the best product.
For us at our university, ease of use and the fact that it allows the speaker of a talk to see the audience while sharing screen made it the preferable tool.
I've found it's rather difficult to get from an amp link to the original, especially on mobile where editing the url isn't as straightforward as I would hope. Plus google seems to ignore non-amp pages in favor of amp. amp is a real poison on the web.
I'm on mobile, it was part true. I really had no idea I needed to click on that tiny i and didn't have time to do a search by title.
Typing on mobile is really fast these days. I have a full keyboard/small phone. I started training myself to type faster on mobile by coding in a mobile editor a few years ago. It is so much more difficult at first but you become more focused with time. Add in a free editor app with ad popups every few minutes for additional challenge.
Quick search gets result [1]. Can't find the discussion now, but Zoom personnel came up in other discussions here and someone mentioned, with source, 700 devs in China.
The debacle with Zoom installing a secret webserver that stays on your computer after uninstalling so it can reinstall Zoom, and which also had RCE vulns, happened a year ago. That was before COVID and Zoom's current level of popularity. So I'm going to go with no.
If you can make a virtual machine equivalent to your computer: make one, get a list of all the files (and dump the registry on windows), then install and uninstall zoom and repeat. Then just inspect whatever the diff is.
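The snapshot-and-diff procedure described in the comment above, as an added example that is not part of the original thread: take a listing of every file under a tree (path and SHA-256) before installing an application and again after uninstalling it, then report what the uninstaller added, removed or changed. The scenario it runs on is constructed in a temporary directory (a fake client binary, a leftover helper, an edited hosts file); on a real machine you would point `snapshot()` at the VM's filesystem root (and export the registry separately on Windows).

```python
"""Snapshot-and-diff check for install/uninstall residue.

Added example, not code from the thread. It hashes every regular file under a
root before an install and after the uninstall, then diffs the two listings to
show what the uninstaller left behind or altered. The demo scenario below is
constructed in a temporary directory so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if not full.is_file():  # skip sockets, broken symlinks, etc.
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            # as_posix() keeps keys identical across Windows and Unix hosts
            state[full.relative_to(root).as_posix()] = digest.hexdigest()
    return state


def diff_snapshots(before, after):
    """Classify paths as added, removed or changed between two snapshots."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: an 'uninstall' that forgets a helper and a config edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        clean = snapshot(root)  # baseline before the install

        # simulated install: main client, a helper, and a hosts-file edit
        (root / "app").mkdir()
        (root / "app" / "client.bin").write_bytes(b"\x7fELF-fake-client")
        (root / "app" / "helper.bin").write_bytes(b"\x7fELF-fake-helper")
        (root / "etc" / "hosts").write_text(
            "127.0.0.1 localhost\n127.0.0.1 app.local\n"
        )

        # simulated uninstall: removes the client but not the helper or the edit
        (root / "app" / "client.bin").unlink()
        after = snapshot(root)
        return diff_snapshots(clean, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything listed under `added` or `changed` after a clean uninstall is the residue worth inspecting; a hash diff rather than a plain name diff is what catches files that were silently rewritten in place.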
Nope!
According to this article[0], Dropbox used to use Zoom internally, and no matter how many serious bugs they discovered+reported, many are still in the software today, years later.
> I wonder. Are all the vulnerabilities and issues with Zoom because of its popularity?
In a sense, yes. I think Zoom has achieved far more popularity than Zoom was prepared for. Everything about Zoom feels like it was thrown together hastily and for a much smaller audience.
It may seem unrelated, but I think a microcosm of all this was: Attention tracking. They removed this feature because of its unpopularity after privacy people flagged it, which may have not happened if Zoom hadn't gotten popular. But it also shows that they have no internal brakes on this sort of thing; no strong product lead or anyone else able to push back on the PowerPoint prodders with "nope, not happening, that's fucking weird and creepy".
Can you expect good code to come out of that environment?
Notably, these vulnerabilities were in features I, a daily user of Zoom in these weird times, did not even know existed (code snippets and GIFs). Strikes me as more "shit rushed out of the door with no oversight and minimal code review to get boxes checked".
Because there are other factors to consider for each user's use case.
Jitsi wouldn't work for the Zoom meetings I admin. It's too technical for a very untechnical audience.
Zoom was hard enough, and 90% of the meetings in our ecosystem use Zoom, meaning they only need one app. Asking them to use Jitsi would require two (as every other meeting uses Zoom), which means a non technical audience has to learn 2 technical things instead of 1.
In the case of E2E encryption, every attendee has to type in the meeting key when they join for it to work. The users I work with will forget/won't understand why etc. They just want to speak to people. So that will render e2e useless if 1 out of 20 attendees doesn't do it.
Not to mention we have attendees who don't own a smartphone so have to dial in. Making the E2E Jitsi stuff pointless.
Jitsi is great for technical people. Zoom is great for non technical people.
90% of our Zoom users use smart phones and install the app, which is a normal and understood process by most smartphone users.
EDIT -- I've actually just gone off to try out Jitsi again (I do actually check to see if it's worth switching platforms) and it turns out it asks me to install an Android app too. So Jit.si itself actually needs me to download software on my smartphone. So......
There are a myriad of things that mean Zoom fits our use case better. I'm not going to enumerate all of them as I'd be here for an hour.
My point was that Zoom fits some use cases better, and that seems to be the case more often than not for users with less technical ability than the HN userbase.
Posted this in reply to another reply to my original parent.
> I've actually just gone off to try out Jitsi again (I do actually check to see if it's worth switching platforms) and it turns out it asks me to install an Android app too. So Jit.si itself actually needs me to download software on my smartphone. So......
This is exactly one of the points I was trying to make. 90% of the other meetings in our eco-system of meetings use Zoom. Adding additional barriers is something we have to try and avoid in our use case.
I'm the only administrator and we have meetings running 7 nights a week.
I'd quite like to not have to unexpectedly sacrifice 4 hours of my time finding a bug in the config. Nor do I really want to spend (at least) a weekend to double check all the install/config works correctly to start with.
I'm busy enough with the day job without starting a second one. I admin this voluntarily and I'd rather work smart, not hard.
EDIT: You can see my reply to the parent for user side technical effort. A helpful hint might be to think about this problem in people terms, rather than systems terms.
> My point was that Zoom fits some use cases better, and that seems to be the case more often than not for users with less technical ability than the HN userbase.
Some of our users may be, in the kindest possible way, completely batshit insane with their life falling apart when they first turn up to our meetings.
Meeting hosts [0] can explain Zoom to them in three/four steps and look after them from there with in-meeting controls. With Jitsi, they've got to keep asking them to stop unmuting themselves because they keep pressing buttons... Which means they have to stop the meeting for 5 minutes, again and again and again.
EDIT for further information / clarity:
Zoom also enables users to chat without any additional steps [1]. With Jitsi you have to create a name to even see the chat. So new users may connect, not hear anything [2] and then just leave and not come back. Zoom, they can see the message we send them and then we can guide them from there.
Then there's the fact that meeting hosts cannot screen share from smartphone with Jitsi -- 90% of our users/hosts are smartphone only [3]. This would require them buying a laptop. Many hosts cannot do this / adds to technical effort.
Then there's the fact that we'd have to type in the name of the Jitsi meeting EXACTLY whenever we want to start the meeting. Hosts would have to get the name of the meeting ID exactly correct every week. To make meeting IDs secure, that'd mean they have to type a complex character sequence out perfectly every day. (Yes they can copypasta, but some aren't even that technically adept).
Then of course there's always the chance someone else uses that meeting ID at the same time by accident! There's no method I saw where you can reserve a Jitsi meeting ID only for our use [4]. Oh, and while I'm here, what about the fact that you cannot schedule a jitsi meeting ID ahead of time? So there's no scheduling a call / meeting available.
I might as well talk about security too -- anyone in a Jitsi meeting can start a live recording [5]. And any participant can just remove and change the meeting password at any time. And no waiting rooms. And once a user is removed, they can just join again -- repeat Zoombombings, woo!
And then this doesn't even begin to cover the fact that hosts need to go through all the steps to set up a meeting [6] every time they start a meeting. Zoom handles all that with the default settings I enable for them as admin.
Some of this can be covered by custom Jitsi server installs. But that introduces way more technical effort on my side and doesn't cover dial in phone options (at least in a simple and forward maintainable way).
I'd rather pay Zoom £20 a month.
====
Addendum: I just tried setting up a password for a meeting and then inviting myself. The password wasn't required to join... Pretty poor!
[0]: not me, I'm admin
[1]: e.g. in the case of buggy audio
[2]: maybe they didn't accept the permissions properly
[3]: tested on latest android app
[4]: I could be wrong, but this is a simple option for Zoom
[5]: An absolute no-no for us.
[6]: set up the password, mute participants to start with, chat with host only (not an option on jitsi), amongst others
> EDIT -- I've actually just gone off to try out Jitsi again (I do actually check to see if it's worth switching platforms) and it turns out it asks me to install an Android app too. So Jit.si itself actually needs me to download software on my smartphone. So......
Posted in reply to a child comment earlier ^.
When I originally scoped out which platforms fitted our use case best, it was Jitsi vs. Zoom in the end. This was 3 months ago.
We ended up with Zoom for several reasons specific to our use case.
No software is a magic bullet that solves 100% of use cases. This is why competition exists.
> Are all the vulnerabilities and issues with Zoom because of its popularity?
Partly, but they also actively go out of their way to disable security mitigations for reasons that are unclear so I’m not all that surprised. On Linux I think they were one simple buffer overflow away from arbitrary code execution, which is all but asking for an attack if you parse data from the network in an unsafe language.
To be fair, if you're parsing data from the network in an unsafe language, you are always a simple buffer overflow away from arbitrary code execution. So your point is: don't use an unsafe language.
Is the user experience on zoom that good? To me it’s barely passable because I think the bar is higher in 2020 than it was in 2000 (where getting on the conference was a miracle).
1. Today zoom links load a webpage that hits a local web server which launches the app (after some delay). There has to be a better way. Why do I need an app at all? Yes I know there is a trick to avoid using/installing the app but it’s not full featured.
2. Fans run on high during a simple video conference and my cpu melts during a screen share. Why is GPU acceleration not a thing here?
None of that happens with google meet for example. Most modern CPUs have hardware support for h264/5 encoding decoding. I shouldn’t need to blow my CPU budget to show a video and play some sounds.
Also in my experience Zoom's web interface is completely broken in Firefox, and in Chromium the audio frequently disconnects without any visual indication.
I wonder. Are all the vulnerabilities and issues with Zoom because of its popularity?
Zoom is a shady company that does crap like secretly install a web server on Macs that allows it to reinstall itself once installed. I refuse to install Zoom on any computer. I installed it on my iPad out of necessity where I know it’s in a strict sandbox.
This is why I appreciate having the Zoom snap. It runs sandboxed, which provides some level of mitigation against vulnerabilities. The same sandbox stops me getting "surprise integrations" that I don't want.
We set up a Jitsi Meet server for those cases when the customer does not have Teams or Teams decides not to work.
Jitsi does work flawlessly for us in Chrome, Firefox and Edge.
I set up a private server for friends, too, to keep in contact with their family.
Jitsi is a fine tool, especially with headsets (wtf, use a headset, dad!), the main bottleneck seems to be the client's ISP downstream and the dedicated apps on tablets seem to get out of sync.
Just to clarify the performance penalty of these apps is not what bothers me the most, but it’s more to do with registering protocols that are susceptible to attacks, opening local ports on your computer that are browser-accessible, installing startup drivers/services and other things in the name of “user convenience” that persist well beyond me closing some of these apps.
I can live with a fat app, but anything that insists on being there and having serious negative trade-offs even when not using it, in my opinion falls under malware.
The funny thing is that if you disable all the gif and animated gif features it behaves much better.
I also disabled spelling checks, automatic replacement of emojis and this kind of not really useful things.
On my work computer it went from using kind 60% of a core to almost nothing.
I went looking for these options after reading your message. I'm now wondering why in the world "Allow animated images and emoji" is in the Accessibility section of the preferences and separated from the other options for images and media? Seems oddly located to me.
Still doesn't excuse it from eating up all your resources. It's not a great productivity tool if you can't do anything else on your computer when it's open.
There's an attitude I've seen bandied about a lot in recent years that "unused RAM is wasted RAM." In a literal sense, this is true. However it's nearly always misapplied. Unless your program is likely to be the raison d'être for that computer existing, then you shouldn't assume the user has all that RAM so that your program can use it. The user probably bought all that RAM for something else and you shouldn't feel justified in slurping it all up yourself.
I've only ever seen this when explaining to people why Linux appears to be using all their RAM - it caches your disk to make subsequent reads faster, and when an application needs more memory the cache will be evicted immediately and at almost no performance cost.
It's completely insane to suggest the user's RAM is yours to consume. Some people have 64 gb of memory in their desktops, and others have 4gb on their $300 laptop because that's all they could afford, and some have 2gb on their cheap phone.
> I've only ever seen this when explaining to people why Linux appears to be using all their RAM - it caches your disk to make subsequent reads faster, and when an application needs more memory the cache will be evicted immediately and at almost no performance cost.
That's where it's taught I think, and certainly it's the truth in that context. But more than a few times I've encountered it as a defense for stuff like bloated chat programs slurping up gigabytes of RAM.
With respect to hardware diversity, I think part of the problem is most programmers do their development on powerful hardware and become accustomed to it. Certainly nobody wants to sit around for an hour waiting for their build to finish on low-end hardware when a powerful computer, which they or their employer can easily afford, could finish the build in minutes. But because of that, they lose touch with end users who will be running that software on very modest hardware.
> I wonder. Are all the vulnerabilities and issues with Zoom because of its popularity?
No, vulnerabilities are in production because of buggy code and lack of pre-production quality control. But yes, more popularity means more free quality control by third parties. It is a sad reality of "scale first" and "cheapest offer" economies.
If there are some external actors trying to scrutinise Zoom then they surely are making them much stronger...
But if I'd have to pick one I'd guess Google has the best security analysis track record, anti-China fetish which tops the lack of clue what they are doing with their chat or conferencing products.
When I look at Zoombombing, it seems like the sort of thing someone should have flagged internally early on. I don't know anything about Zoom's culture, but a case like this makes me think being security-minded isn't in their culture. You can also see that in the CEO's statement about end-to-end encryption; his logic about how free users wouldn't get end-to-end encryption so Zoom could cooperate with law enforcement was non sequitur. Or look at how they handled Zoombombing and the lobby: if you call a contact, they still have to be admitted. Development is also mostly in China to save money. I buy the explanation, but even in 2011, China didn't have the best reputation for privacy and censorship; other countries would have been better choices.
Remember Kazaa? A security researcher once posited that there were almost 70 million Kazaa clients at some point. Surely one of them has a security vulnerability...
I immediately shut off Kazaa and rethought my approach to secure computing at home.
I know the Cisco UC teams directly and Zoom Engineering as well. Cisco and Google just can't stand that so much money has been spent in acquisitions and engineering and a smaller company just beat them in the consumer and enterprise space (Cisco acquired Tandberg, Latitude, WebEx, made Jabber and some of the Telepresence technology defunct), same as Google (creators of WebRTC and a few apps: Hangouts, Meet, Duo, etc.), and a small company beat them badly. That's the reality. Yes, some Zoom Engineering is in China, so what? Unless you have solid technical proof that there is a security problem, it's just gossip and bad press. I thought this was a technical forum.
Actually, I don't think that Zoom has any kind of technological improvements over the other companies you mention. As Jitsi proves, making a video call and screen sharing app isn't really very difficult, as the building blocks are already established and it's a matter of how you join them. Zoom made the choice to try to circumvent some security things to be able to appear less hostile to the user, and it seems that it was worth it. Several other things (integration with third party calendars, conference and seminar tools) are the icing on the cake.
With all these corporate products the motivation is to provide new features, not strengthen their (often very mediocre) core. In a security light this is just making more vulnerabilities, especially since Zoom is using an unsafe language for some reason.
See also: atlassian, oracle, salesforce, zendesk, etc
WhatsApp isn't a conference tool.
You can't have more than a handful of people on a call.
And it's with people in your contacts on your mobile phone.
I presume the same with telegram.
Skype for business has been deprecated by Microsoft in favour of teams. I use it daily and it's just not that great. It requires a Microsoft subscription.
Google hangouts meet only just became available for everyone to use. Before it required a Google business subscription. It makes my CPU usage max out and cooks my laptop.
Zoom works well with 10s of people in a call, it's easy to use.
Breakout rooms is a useful feature.
With COVID so many people are using it not because of a marketing campaign but because it's easy to use.
I think it's like asking "why is an iPhone better than a Blackberry? They both make calls and send email."
But I think Zoom has built their product to not be "enterprise" which in my opinion is a good thing. As that usually means you need to accept jank.
Of course there are security issues with the software as well.
This is not an 'arbitrary file write'. There is virtually no 'arbitrary file write' that doesn't lead to code execution on Windows. The reason is detailed in the report itself:
> The severity of this vulnerability is partially mitigated by the fact that Zoom client will append a string _BigPic.gif to the specified filename. This prevents the attacker from creating a fully controlled file with arbitrary extension.
Nobody is getting hacked by downloading a corrupt .gif file.
This is not an 'arbitrary file write', as even in the most user input intensive scenario it is restricted. It's not a 'remote code execution', either as they clearly detail in the last paragraph:
> In summary, this vulnerability can be abused in two above outlined scenarios. First, without user interaction, it can be abused to plant arbitrary binaries on target system albeit at a constrained path potentially used in exploiting another vulnerability. Secondly with user interaction, plant binaries at almost arbitrary paths and can potentially overwrite important files and lead to arbitrary code execution.
The report itself does not detail the actual way this reaches remote code execution, saying only:
> This in itself could potentially be abused in leveraging another vulnerability.
However, they could presumably extract the exe to %APPDATA%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, which would cause remote code execution when the user logs in again. I would be surprised if the reality isn't they tried this and they couldn't do it. I don't understand why they cut this so short.
It's pretty normal for me to be able to drop an .exe in various places. That's what happens when a website triggers a download. The important thing here is the 'execution' of remote code execution, which they have failed to demonstrate.
This is an endless frustration as a vulnerability researcher. Security consultancies, trying to fish for contracts are endlessly willing to misrepresent bugs and security issues they find as much as possible, and there's very little accountability for this.
If the Zoom native app's security is a concern for you, the arguably increased security of your browser's environment should help.
If you are a Zoom meeting host, you can save your participants the trouble of the procedure described above by always showing the Join From Browser link:
For me the audio stream crashes in the browser when I allow microphone access but mute it on the OS side (after about 5 min). I think whatever dies is connected to measuring latency or something. I assume Zoom actually listens to your mic, even when it's muted in the app.
Not a comment on the article, but the CAPTCHA before it seems weird and kind of sketchy.
> Why do I have to complete a CAPTCHA?
> Completing the CAPTCHA proves you are a human and gives you temporary access to the web property.
Okay, but... why do I have to complete a CAPTCHA?
> What can I do to prevent this in the future?
> If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware.
> If you are at an office or shared network, you can ask the network administrator to run a scan across the network looking for misconfigured or infected devices.
> Another way to prevent getting this page in the future is to use Privacy Pass. You may need to download version 2.0 now from the Firefox Add-ons Store.
How would a virus scan help here? I certainly hope my browser doesn't go around advertising when I last did one of them. And how does Privacy Pass prove I'm human, are robots unable to pretend to be Firefox plus Privacy Pass?
Usually that means that the IP you are connecting from got somehow flagged as an originator of malicious attacks. Like if the virus on your computer does automated requests (click fraud, scraping, DoS,...) to other IPs that are monitored by them.
Of course this is probably mostly useless especially if you are on a dynamic IP but that's where it's coming from.
This line of text was more appropriate when this text only showed up when CF had a low "trust score" for you; now website owners have much more control and can trigger a captcha for almost any reason that doesn't necessarily mean your network is infected (e.g. a website owner triggering captchas on a page of their website once they have a heavy increase of traffic).
I was only answering to the part about why they suggest virus scan, not the usage of captchas in general. Of course you are right in regards to captchas in general.
I got the same CAPTCHA, running Firefox 68.4.1 on Linux. Normally when this kind of thing happens, I just close the tab and move on with my life. But this time I tried opening with Chromium instead (version 76.0.3809.100) and then no CAPTCHA was required. Neither browser has Privacy Pass, so why are they treated differently?
I think that the site backend is having trouble keeping up with the load and the owner turned on Cloudflare’s Under Attack mode, thinking that this was a DDoS. This doesn’t look like the behavior I’ve seen when Cloudflare does it automatically. It’s smart enough to know that HN is not a DDoS.
A common question on the CF forum is a requests/second trigger for either enabling Under Attack mode or enabling a Firewall rule that triggers the full hCaptcha page. This is most likely what happened here.
(This is usually done by counting requests/second at the origin, then using the CF API to enable the firewall rule or change the security level.)
> And how does Privacy Pass prove I'm human, are robots unable to pretend to be Firefox plus Privacy Pass?
Privacy Pass, just like some blockchain tech, requires you to spend some computational resources in order to get tokens. After all, CloudFlare's goal isn't to block bots as is, but to make DDoS attacks and mass vulnerability scans more expensive.
That’s not what privacy pass is. There’s no proof of work involved. Basically you solve a captcha once, and it gives you 30 tokens to skip future captchas.
> In preliminary tests on consumer hardware, our extension takes ~1.1 seconds to generate blinded tokens to be signed by the server and ~1.9 seconds to parse the signed tokens and verify the DLEQ proof. Creating a pass that can be used to redeem signed tokens takes <40ms.
It's intentionally very slow to get and use those tokens, though.
That seems to be a side effect of the zero knowledge proof implementation, rather than an explicit design choice. There doesn't seem to be a tunable "difficulty" parameter, like with all proof of work implementations.
If we assume a spherical cow and say that there are no rate limits on the captcha service and captcha solves are instant, then Privacy Pass requires you to spend 100ms of CPU time before each request, which is a sort of "work".
If we then say that the captcha you solve can be dynamically adjusted based on how suspicious the request is, then that is a sort of difficulty tuning.
Sure this isn't exactly blockchains or whatever, but it's basically the same idea.
Why would CloudFlare endorse this system if it was just "business as normal but you solve 1/30th of the captchas"?
> Why would CloudFlare endorse this system if it was just "business as normal but you solve 1/30th of the captchas"?
They don't just endorse it, they developed it. Their argument was that it allowed them to solve the "Tor CAPTCHA problem" (as a Tor user, you see CAPTCHA on almost every page visit to a CloudFlare-fronted site) without breaking the anonymity of Tor users (because CloudFlare is in a position to maliciously track a scary amount of Tor exit traffic).
The idea is that this 1/30 multiplier is meant to reduce the amount of pain Tor users have, without making attackers' jobs easier (a factor of 30 isn't really that much of a change for most attackers and CloudFlare has DDoS protection beyond just CAPTCHA, but it does make a huge difference for normal users).
All of that being said, the Tor project does not endorse the usage of PrivacyPass because they are ethically opposed to the entire concept of having to get a hall pass from CloudFlare to browse large swathes of the internet. And being one of a handful of PrivacyPass users on Tor will reduce your anonymity significantly. The Tor Project might also disagree with the privacy claims made by PrivacyPass, but given they are against the very idea of the project I believe they haven't done any actual research into their claims.
> Sure this isn't exactly blockchains or whatever, but it's basically the same idea.
This idea is older than blockchains; it's basically hashcash (https://en.wikipedia.org/wiki/Hashcash), which AFAIK was one of the inspirations for Bitcoin.
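The blinded-token exchange sketched in the Privacy Pass comments above (solve a CAPTCHA once, receive a batch of tokens, server signs blinded values and attaches a DLEQ proof) as an added toy example; this is not code from the thread or from Cloudflare's extension. It assumes a constructed tiny Schnorr group in place of the real P-256 curve and hypothetical names (`Server`, `issue_tokens`, `verify_dleq`); what it shows is that the server only ever sees H(token)^r, so it cannot link issuance to redemption, and that the DLEQ check stops it from quietly using a per-user key to track people anyway.

```python
import hashlib
import secrets
# Constructed toy parameters: P = 2Q+1 is a safe prime, so the quadratic residues
# mod P form a subgroup of prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4  # G is a quadratic residue, hence generates the order-Q subgroup

def hash_to_group(token):  # token -> subgroup element with unknown discrete log
    h = int.from_bytes(hashlib.sha256(token.encode()).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)  # square a value in [2, P-2]

def hash_to_scalar(*parts):  # Fiat-Shamir challenge for the DLEQ proof
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Server:
    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1  # signing key
        self.Y = pow(G, self.k, P)              # published commitment to k
        self.spent = set()

    def sign(self, B):  # sign a blinded token and prove the same k as in Y was used
        Z = pow(B, self.k, P)
        w = secrets.randbelow(Q - 1) + 1
        A1, A2 = pow(G, w, P), pow(B, w, P)
        c = hash_to_scalar(G, self.Y, B, Z, A1, A2)
        return Z, (c, (w - c * self.k) % Q)

    def redeem(self, token, N):  # accept (token, H(token)^k) exactly once
        if token in self.spent or pow(hash_to_group(token), self.k, P) != N:
            return False
        self.spent.add(token)
        return True

def verify_dleq(Y, B, Z, proof):  # log_G(Y) == log_B(Z)? a per-user key fails this
    c, s = proof
    A1 = pow(G, s, P) * pow(Y, c, P) % P
    A2 = pow(B, s, P) * pow(Z, c, P) % P
    return c == hash_to_scalar(G, Y, B, Z, A1, A2)

def issue_tokens(server, n=30):  # one CAPTCHA solve yields n unlinkable tokens
    tokens = []
    for _ in range(n):
        token, r = secrets.token_hex(16), secrets.randbelow(Q - 1) + 1
        B = pow(hash_to_group(token), r, P)  # blind: server never sees H(token)
        Z, proof = server.sign(B)
        if not verify_dleq(server.Y, B, Z, proof):
            raise ValueError("server key differs from Y: possible tracking")
        tokens.append((token, pow(Z, pow(r, -1, Q), P)))  # unblind -> H(token)^k
    return tokens
```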
Because of these possibilities, I prefer using my iPad Mini for meetings, and if I have to share a screen I just join from Chrome; its screen share works well enough and is more restricted than the Zoom client. I highly recommend it if you don't feel comfortable.
I was able to use Zoom in the browser with my first meeting, but now it no longer shows that option when I access a Zoom meeting URL. What do you do to force it to let you use it in the browser?
AFAICT, you need to first click on the link to install the app, taking the first step in that direction. But then close whatever app install window that opens, return to the invitation page, and the Join From Browser link should have appeared.
Basically, the option to join from a browser is only shown once you first signal intent to install the app. This procedure is described in the Zoom docs:
The last time I looked, you have to be logged in, and then after requesting to join you have to wait on the page that tells you to install the app to join for a few seconds before the web joining link appears.
However, the ZOOM web client lacks quite a few features, including viewing the video of more than one participant at a time. I believe it's also not possible to share audio. So if you need to do any of these things, you really still have to install the ZOOM client on your computer!
The Linux client jumped from 3.5.392530.0421 to 5.0.418682.0603 at the end of April 2020; the version outlined in this article appears to have never existed on the Linux platform.
A major vulnerability with a sincere response is not that bad. Software is very difficult. What killed my respect for the zoom team was the PR bullshit that they engaged in after it was discovered. Major companies have been known to fuck up and recall their faulty products or offer reasonable solutions (e.g. exploding batteries on the note 7, the intel chip bugs). The reaction shown by zoom was that of a whiny child caught in the act of stealing cookies and denying it all ---"Those are not really cookies you see!" It was so ridiculous it was not even offensive.
At least they're into regular bad code bugs, rather than intentionally created security holes, including deliberately circumventing browser security restrictions.
Your link is from 2019. GP is referring to how Zoom has (so far) moved on from those kinds of egregious behaviors, so now in June 2020 we're looking at just regular (non-malicious) code vulnerabilities.
Why do you think that has anything to do with culture?
They made business decisions that seemed rational at the time, to grow fast at the expense of good security.
Now they're making business decisions that are rational for the current situation -- they've grown hugely, and now have been fixing their reputation for privacy and security.
Culture has nothing to do with it. It's pure business. I trust their profit motive far more than any "culture". And their profit motive now is: do everything to be a trustworthy product. And their actions over the past couple of months have been demonstrating that.
Do you think it's impossible for companies to change? Because a company makes mistakes, they can't ever be trusted again? That doesn't seem very realistic.
Not much progress at all. They just announced that end-to-end encryption will be a paid-for feature. Free users won't get this feature because, as CEO Eric Yuan says, "Free users for sure we don't want to give that because we also want to work with the FBI, with local law enforcement in case some people use Zoom for a bad purpose".