67 comments

[ 8.4 ms ] story [ 195 ms ] thread
Rash decisions like this aren't going to do anything but hurt the students.
How is it a rash decision? There are multiple alternatives that respect privacy and do more than pay lip service to security.
Although if I'm honest I wouldn't really know if the alternatives are going to be that much better. All alternatives that I know off still follows the same general pattern of letting all connections go through a central server where everyone with the right URL can participate. Sure I wouldn't trust a company that claims to have better security than they actually have and who add weird privacy violating features, but any of the common alternatives are by Microsoft and Google, which I don't trust either.

So in the end I'm not sure what good will come of this decision, while it will definitely cause some confusion.

It's possible I missed something and that Zoom truly is notably worse than any of the common alternatives. I'm partially posting this in the hopes that anyone can point out whether this is the case.

And yes Zoom is definitely worse than a self hosted OSS solution like Jitsi (or even Jitsi without the self hosting) but we all know that that's not going to happen.

NYC schools have like a million students. How is jitsi going to scale to that?
By having each school's IT setup a separate server

School's have IT. It isn't always competent IT (I speak from experience), but clear instructions from up high can lead it

Or, you can flip a switch and enable Zoom, Google, or even Microsoft.

IT people are hammered right now, nobody has time to futz around with some random oss tool that will further stress overutilized remote infrastructure.

While I believe this will work for NYC, I'm not sure how it'll work for Pumpkintown TN
Pumpkinland, TN will use Zoom. It’s exponentially easier, except for older kids already using Google Classroom.
That's kinda my point. That the IT in a major city can use a custom system but that discludes a lot of people. I would wager that most schools don't have a decent IT department. I know that when I was in high school they weren't great and I grew up in a fairly affluent area. Not everyone has the ability to "roll their own"
It probably isn't, but one could hope.

Edit: If I'm honest I'm not even sure how meet.jit.si can function at it's current scale. Especially because I've found no way to send them money.

I think it hosts about a thousand rooms on a lowly single core - absolutely unbelievable in the age of kubernetes, I know... Given that, it needs bandwidth (but Zoom needs that as well for a 30 participant video conf...) and this seems paid for by the consulting company upselling it to companies.
Zoom is known to have at best been massively incompetent and at worst to have been grossly irresponsible and possibly malicious.

Sure other solutions might be just as bad but that is hardly and argument against ditching Zoom immediately. If you've missed the many articles about their weirdly bad security you should definitely go read them.

I saw those articles. Quite a few talked about how Zoom was weirdly insistent that they had end to end encryption (which they do not), and they added some disturbing privacy violating features to the desktop client which they're oddly pushy about, also their privacy statement wasn't exactly reassuring. All red flags, but strictly speaking they don't really impact the security much (they might do god knows what to the metadata, but to my knowledge, that's the same with most alternatives).

The one truly sensitive issue is the zoombombing, and I haven't been able to figure out whether that's truly a security bug or if zoom is just the biggest attack surface and has some terrible default settings.

Zoom is notably worse. They rolled their own encryption and it's really, really bad. They also send keys through China even if none of the participants are in China. Questionable behavior even if they were perfect in every other way, which they aren't.
Be careful, you are going up a Chinese-based company that will downvote anything negative and give excuses that most people won't know anything about.
Is this really happening? Lots of very reasonable comments are in fact getting downvoted. Because it is Chinese??? WTF? Are you saying this is a patriotism thing? Or are you saying either Zoom or Chinese organizations are paying people to downvote? Seriously this is bugging me. If this is going on on HN that is a serious violation. Normally HN seems like a sanctuary from crap like that.
Zoom seems popular, so many are willing to sacrifice principles for using something easy. Preconceptions are big everywhere, reinforced not fixed by mod points.
It's not like there aren't other options out there they could be using. I'm sure this was factored into the decision given current events.

At this point, I think it's more than fair to be worried about Zoom's security.

I find it incredibly uncommon to see real repercussions (even temporary ones) resulting from cyber security failings of companies.

In this case, some large part of the issue was in deceptive (at best) promotional material. Does that mean people understand messaging, even if they don't understand encryption?

I'm sure many readers here have seen incredible breaches of trust and security, such as Equifax, go almost entirely without punishment. This is an interesting case in the opposite direction. It is worth noting for balance that Zoom does appear to have favoured usability, and successfully so.

I couldn’t imagine trying to get elementary kids using Teams... it’s way too convoluted.
What a fall from grace.
They 20x their users in one month. 10MM to 200MM
yep, I come from a really small town in India, and I see everyone using Zoom suddenly, the mobile app is all over the town, all business meetings, family meetups, schools, everyone is using Zoom all of a sudden.
Honestly this feels bizarrely knee-jerk and media-driven to me.

First of all, Zoom has been used in education for a long time. The quote about switching to Teams because it's FERPA-compliant is disingenuous -- Zoom says they are too. [1]

Second, Zoom has been receiving tons of scrutiny recently while e.g. Microsoft Teams hasn't received any. (Nor has Google Meet.)

I'm really not sure how I feel about this. It's been hard enough already on teachers to adopt remote learning, now they're expected to switch platforms after a couple of weeks, presumably mostly because of sensationalistic media reports of "Zoombombing" which a teacher can trivially prevent?

[1] https://zoom.us/docs/doc/FERPA%20Guide.pdf

To be fair, if naked men are zoombombing your class of schoolchildren? I mean, not a lot of teachers out there are equipped to deal with that. They fumble around looking for how to remove a participant. Some panic and try to kill the whole session for the entire class. Some call the cops while yelling at the man to leave. Some freeze up and don't know what to do.

Maybe MS Teams is worse? But MS will, at least, make sure to keep the pedophiles and racists at bay.

It's incredibly straightforward to prevent zoombombing, you simply set a password on your room. I would be surprised if Zoom hadn't made this the default by Monday.

Prior to the age of 'zoombombing', frictionless entry to every meeting was a nice feature, and meeting IDs are difficult enough to guess (11 digit number) that entry of uninvited guests basically never happened.

Now that everyone has so much spare time, the worst elements of society are using it to try to harass children. I guess the tragedy of the commons kicks into full swing and we must have passwords going forward.

Fine, but what's the number of times that a naked man zoombombs your class before you tell your school and they switch to Teams? These are schools we're talking about. That number is exactly one. Because I can guarantee you the kids are gonna tell their parents what they saw, and the parents are gonna light into the principal.

Slow video? A few random disconnects? These are the kinds of issues that result in second chances. Random men showing up naked in your classfull of kids, or random racists coming in your class to call the black kid an n-word? Yeah, I'm fair certain that results in a, "Thanks, but no thanks. We'll find something else."

Fair argument, I just think it's rather 'throwing the baby out with the bathwater', getting rid of a tool that teachers are familiar with, works well and can handle 200MM customers because of an easily changed setting, which is already present in the software.

I know your argument is the correct one, but it's frustrating to see Zoom caught up in a furore of media-driven controversy.

> works well and can handle 200MM customers

That’s the the point though: Zoom doesn’t “work well” if you include basic security as a required part of “working.”

Zoom using ECB mode for encryption, and transmitting keys to China says everything. They just don’t care about security at all.

Everyone in the banking industry I work with has blocked or banned Zoom for longer than COVID-19 has been around. Microsoft Teams seems to be the new Default choice, if only because everyone is using office365 already and anything is better than WebEx.

I also think, it doesn't work well for conferencing... Last/First time we used it, the annotation tool just stopped updating, colleague was drawing and I was: "I don't see anything" (and then everyone: yeah me too). Also I'm wondering, why it send the "foreign" screen in fusll res (WQHD), but at a measly 4 fps with crappy compression...

After this my personal impression is that it is just an obtrusive piece od adware, which happens to behave like a rootkit in some parts...

Yea, super concerned about China watching my kids math call.

Yawn.

“Everyone in the banking industry has blocked Zoom” was my qualifier.

The U.K. even held a cabinet meeting over Zoom.

There’s a lot more than schoolwork taking place on Zoom unfortunately.

I’m on Zoom a gajillion times over 5 years and I’ve not once experienced a zoombomb. I have experienced Google Hangouts bombs.

The incidence is of course going way up, but it really is overblown on the quantity. The biggest issue are those that post links on twitter or some place public (same issue for Hangouts).

And let's also be clear that the incidence rate is going up because 1) the popularity of Zoom and 2) because there's a lot of people home going stir crazy.

Saying Zoom has a bombing issue feels like saying Linux doesn't get viruses.

How often do zoom bombs occur. Once every million calls?
I believe zoom defaulted to passwords in the past, and a lot of companies just updated their settings to turn it off. Not sure what the state is now since we switched to Teams.
> It's incredibly straightforward to prevent zoombombing, you simply set a password on your room

The password is the same for everyone. Are you seriously saying that kids won't share the link/password online themselves as pranks? This reduces the risk from "anyone can join" to "anyone with password can join". The waiting rooms helped at least, but the passwords reduce, not stop, zoombombing.

Isn't that a problem with any video conferencing service then, if the credentials to enter are shared by participants?
Google meet used with gsuite will by default prevent anyone from outside the company domain to join the meeting (unless explicitly invited) for example. I've joined some webinars where the password was per-user, (so you can kick/ban that one user) but can't remember the service.

But yes, that was my point - shared passwords don't prevent conference-bombing on any service.

So will Zoom, on a corporate account.
> I would be surprised if Zoom hadn't made this the default by Monday.

Zoom already announced that the password option will be set by default starting tomorrow.

How do you know what teachers do in this case?

How often are teachers starting the zoom calls as admins so they have total control over them and can easily disable zoom bombers?

How do we know this is happening more than once every million zoom calls?

This isn't about zoombombing, this is about their very odd and suspiciously terrible security practices and repeated abuse of user trust. Zoom should be ditched immediately by everyone.

The problem is that while Zoom is ok at best, and really pretty terrible for classroom (two kids + my fitness bootcamp are all virtual now), the user experience for everything else is really even worse. So in a time when we really need video chat, viable alternatives are scarce.

iOS, Android, Linux, Democrats, Republicans, Zoom???

There is a lot of angry emotional fanboi-ism around Zoom that is very very odd to see in support of a video conferencing app. Whoever is downvoting comments like this, I'd love to hear your POV.

I feel like recent concerns over zoom are actually quite reasonable. I've never been a zoom hater, my company adopted it with my blessing and we continue to use it although we are now having reasonable, IMO, misgivings and considering alternatives.

Zoom is easy to use which is super important for kids doing remote schooling, it's security flaws are minor in the schooling context (and worst can be mitigated by having teachers admin the calls).
> Zoom says they are too.

But, to be fair, Zoom has already been shown to be lying about e2e encryption. Fool me once...

To be fair, they were already caught installing malware.

How many free passes are we going to give these jagoffs?

Microsoft and Google both spend a lot on security to ensure due diligence. Of course there still can and will be issues.

But, the situation with Zoom is vastly different. It's obvious by now that Zoom took shortcuts and even worse, actively circumvents security features of the OS and actively leverages insecure encryption (e.g ECB mode). There have been plenty of other issues also and more to come as CitizenLab has already pointed out.

So, objectively speaking its okay and I wouldn't blame anyone for seeking alternative solutions.

This is part knee-jerk, part well-deserved. Zoom isn't great for privacy (and apparently not security either, with its false e2e claims). But MS Teams isn't much better.

But honestly, setting up a zoom meeting with a public link is just asking for trouble

Is there any browser based P2P web conferencing software? WebRTC seems like a perfect fit for this. Especially as in the suburbs students will almost certainly be on the same single broadband provider so the traffic will be local.
Hangouts etc are using webrtc, but p2p doesn't scale beyond a few participants.
Not even to a standard 20-30 person class size? Surely there’s enough bidirectional bandwidth for a continuous audio feed and a token based video feed.
In my experience, WebRTC peer-to-peer solutions often struggle keeping a room of 15 in a state that everyone can hear everyone else. Many upstream connections are tiny, and the p2p session management tricks to get through NAT slightly wonky.

And NYC is going to have many students with only a mobile phone plan or similarly bad internet (and a bunch with no internet at all, but that's another discussion). Efficient is important.

did you ever try it with such a real low bandwidth connection? I somehow doubt that it's really that nice to transmit WQHD desktops as is... Also I don't really get the thing about a 30 person, all hands video-conference. The only thing coming out of that (on the average 1080p screen) is gratifying the host: "all these people show up, because of meeee" (and yeah, school kids could do whatever they want in an audio conference. but kids can do that also with zoom (unless you are spying on them with the integrated spyware...) and they also can sit through one session and then replay their face all the time...
How does "P2P can't even maintain audio for large-ish groups in my experience" translate to "transmitting WQHD desktops"?

One of the large strengths of tools like Zoom over the typical WebRTC-P2P thing is that they can avoid exactly that, and e.g. maintain a stable audio only (or extremely low-quality video) conference for people on slow connections.

I suppose you can stop transmission of all video in jitsi as well (or at least it should be possible, given that it supports landline dial-in as well)? low quality video of heads is not that interesting for me personally (and for all purposes except keeping a literal headcount).
Jitsi is not an example of a peer-to-peer system for group calls. The default UI doesn't expose that many configuration options for this sadly from what I've heard.
HELLO MODERATORS, a group of users are systematically downvoting all comments remotely critical of Zoom or recommending alternatives. HN's objectivity is being hijacked by a group with a strongly anti-open discourse agenda!
jitsi meet. School districts could also selfhost easily.
I'm sensitive to complaints about Zoom's privacy/security shortcomings. I wouldn't have an important conversation on the platform.

But Zoom clearly offers the best videoconferencing product along many dimensions: ease of use, quality of video, etc. Students are already receiving subpar instruction due to the unceremonious transition to remote learning by schools that clearly aren't prepared. So unless the privacy/security issues are actually impacting learning on a large scale, perhaps it makes more sense to stick with the product people are already using.

What are some good alternatives to Zoom that are actually true end-to-end encrypted? I know of one: https://www.crypho.com/ and Crypho is offering free audio and video conferencing for the next 3 months due to Coronavirus demand.
From the Crypho website:

>Key management and encryption happens automatically.

That implies that they could do MITM if they chose to do so because of the lack of a way to ensure you are actually talking to who you think you are talking to. If that is true then you still have to trust them and e2ee is in a sense pointless.

(comment deleted)