Zoom sent data to China, shared encryption keys?

https://www.ft.com/content/2fc518e0-26cd-4d5f-8419-fe71f5c55…

Zoom has been caught lying again, just since their Thursday statement. This firm has no integrity whatsoever.

‘Zoom…admitted that it had “mistakenly” routed some user data through China, marking the latest in a string of mis-steps to cast doubt on the security of the platform.

The Silicon Valley company …said late on Friday that certain meetings held by its non-Chinese users may have been “allowed to connect to systems in China, where they should not have been able to connect”.

The company said it had “mistakenly” allowed the calls to flow through its two Chinese data centres since February…

Until now it has sought to reassure western critics who have privacy concerns — including that meetings may be vulnerable to spying from Beijing — that their data was not routed through Chinese servers.

On Thursday the company had told the Financial Times that “data originating in the US stays in the US, and cross-border meeting data goes to wherever the host’s enterprise account is headquartered”. It also said at the time that it only had one data centre in China, not two.

Friday’s statement was prompted by new research from Citizen Lab, which found that in some cases, Zoom’s encryption keys — the code used to unscramble meetings data — appeared to be being sent to servers in Beijing.

“A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” …’

39 Likes

These are Zoom servers that happen to be located in facilities in China. Every company has servers in China. It’s Zoom’s network still.

There are some that are trying way too hard to turn Zoom into a boogeyman company for having completely normal things occur on an exploding-use platform. This is pathetic. Throw in the word “Beijing” for the fear factor. Please. Oh god, a Chinese data center!! On an extremely small set of occurrences. They use terms like encryption coming out of Beijing. No context whatsoever.

Darth

29 Likes

“Zoom has been caught lying again, just since their Thursday statement. This firm has no integrity whatsoever.”

Well, by now we have all heard of the overused phrase…Zoombombing!

Zoombombing is now sooo March 2020!

The new phrase is…ZoomFearMongering!!

Start using it with all your family, friends and associates and be the popular and hip kid on the video conference. But, I warn you, use it now while it is still the hot word because coming up quickly is ZoomTrolling!

Enjoy the rest of your Saturday, I have to go spread mulch. It’s a great way to practice social distancing.

Harley

8 Likes

To think it’s possible for a company to grow this fast without problems is delusional. People trade simplicity over privacy/security all the time. Yuan seems credible to me in his effort to fix these issues.

The link below is behind a paywall on Business Insider Prime but you’ll get the main point…

Zoom helped to connect the world, then got slammed for cybersecurity issues – here’s why experts say the company deserves a break
https://www.businessinsider.com/zoom-security-covid19-privac…

… many of those same experts also give Zoom credit for the gravity and speed of the company’s response to those issues, and argue that users could be doing more to protect themselves, too. And even the most hard-boiled security experts note that if Zoom had not been focused on easy adoption without a lot of configuration, it might not have filled the immediate need for connection that neither it nor the world anticipated.

The article also notes how fast the company’s working to address the issues without wrecking the product.

So often all the morality police are really just barking about the inevitable trade-offs that come from doing anything. Cold beer, Chipotle burritos, binge watching Netflix all have downsides too. Hundreds of millions of people are connecting with their families and friends, staving off the anxiety and dread of the times, and many are still keeping their businesses and livelihoods going thanks to Zoom. Though there have been some ugly incidents, to date I’ve yet to hear of a bank account drained or something truly catastrophic. The good outweighs the bad by a massive factor.

“They don’t boo nobodies” - Reggie Jackson

BD

24 Likes

Zoom has been caught lying again, just since their Thursday statement. This firm has no integrity whatsoever.

Hi Naj,
You are inspiring me to buy more Zoom on Monday morning!:grinning::grinning::grinning: If you knew more about the integrity of the company you would see how silly your comments sound to someone who is familiar with the company’s history.

Let me explain a little about Zoom to you! The CEO of Zoom, who had been a senior executive of Webex when it was owned by Cisco, quit Cisco and started Zoom because he was so depressed about coming to work at Webex, because all the customers were so unhappy with the product and Cisco didn’t want to bother improving it. Because of this, his focus throughout with Zoom has been having happy customers, happy employees, and happy stockholders.

For a long time whenever a customer wanted to close his account at Zoom the CEO would call him/her personally to see why he was unhappy and what he could do to make him happier. He asked employees who were unhappy about their jobs to stay home and let him know what was wrong and how to make them happier. (Zoom may be too large for that now, but the focus has always been on giving great service and keeping every customer happy).

That brings us to the present when the company suddenly has 20 times as much business as they had two months ago. No, not 20% more, or 200% more but 20 TIMES as much. So in their desire to have enough capacity to continue to please everyone, and keep all their customers pleased and happy, they cut some corners by going all out and had a small amount spill out into a server in China. Whoopdeedoo! Big deal! That makes them liars and having no integrity in your eyes??? I’m afraid that just showed how little you knew about the company beyond the attack headlines.

I’m puzzled why you, and others like IGU, would keep trying to attack the company’s “integrity”. IGU used that term three times in three days in his attacks, and here you are with the same. It seems to be obvious to a lot of other people that the company got overwhelmed with this enormous amount of new business and got swamped. Add to that the fact that their changing from a niche company to a household word in two months brought all the hackers out of the woodwork to try to make a name for themselves (which was easy because Zoom’s prior focus had been on ease of use over security, because there was little incentive for hackers when they were tiny).

At any rate they have been very forthcoming and apologetic about the oversights, and if you missed your chance to get out of a short on Thursday morning, I’m sorry about that, but my feeling is that they will continue to do very well and you won’t be able to scare many people to switch to an inferior product.

Saul

44 Likes

At one point, especially in these times of COVID19, everyone has to be mindful of where anything they read online originally comes from, and not propagate exaggerated situations or plain untruths.

Obviously there are many parties that hope to benefit from these for a variety of reasons.

Zoom has issued patches for the ‘Zoombombing’ and is adapting to its unprecedented fast user expansion. People are using Zoom and they will still be using it more and more even beyond COVID19.
Some just need to get used to this fact, which I don’t think will change much.

tj

1 Like

My take is that Zoom began as a “hobby program”, and as such, its scalability was never fully envisioned. Now we are seeing the weaknesses in its infrastructure. It’s likely a major rebuild will be required now that the security lens is being applied.

The beneficiaries of this mess are Teams and Meet.

🆁🅶🅱
For not in my bow do I trust, nor can my sword save me.

Hi Saul and others,

The Intercept has a lengthy article on Zoom’s security concerns/flaws today. I can’t figure out how to share it. If anyone has the time and inclination, please check it out.

I am long ZM.

THANKS,

Andy

1 Like

No, I don’t think it exactly started that way. In a sense every Silicon Valley outfit has an ‘HP garage’ story, but this was started by a bunch of people who did Webex.

They came out to do a better Webex and they did.

tj

1 Like

The Intercept has a lengthy article on Zoom’s security concerns/flaws today. I can’t figure out how to share it.

This?
https://theintercept.com/2020/04/03/zooms-encryption-is-not-…

🆁🅶🅱
For not in my bow do I trust, nor can my sword save me.

1 Like

You are inspiring me to buy more Zoom on Monday morning!:grinning::grinning::grinning: If you knew more about the integrity of the company you would see how silly your comments sound to someone who is familiar with the company’s history.

Shift happens! Anyone who has run a business knows it. What counts is how the company deals with the problem. At first I was worried, but having had the end-to-end encryption issue explained (not a bug but a feature), the swift action to change the default settings to protect novices, and the forthright acknowledgement of the issues have reassured me that Zoom is a solid investment with a bright future.

For me, the two best stocks for the covid-19 season are ZM and TDOC.

Denny Schlesinger

17 Likes

The beneficiaries of this mess are Teams and Meet.

Short term maybe but long term the beneficiary is Zoom.

Denny Schlesinger

4 Likes

The Intercept has a lengthy article on Zoom’s security concerns/flaws today. I can’t figure out how to share it. If anyone has the time and inclination, please check it out.

This is how you do it:

ZOOM’S ENCRYPTION IS “NOT SUITED FOR SECRETS” AND HAS SURPRISING LINKS TO CHINA, RESEARCHERS DISCOVER

MEETINGS ON ZOOM, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

https://theintercept.com/2020/04/03/zooms-encryption-is-not-…

Linked but not read.

Denny Schlesinger

SAUL: “I’m puzzled why you, and others like IGU, would keep trying to attack the company’s “integrity”. IGU used that term three times in three days in his attacks, and here you are with the same.”

Please refer to my Post #65357.

This behavior can be quite easily explained. It is nothing more than “ZoomTrolling”! A few members of this board often feel that the only way they are able to contribute is by playing the role of antagonist, to put it politely for the board.

However, I am considering adding the following to Wikipedia:

ZOOMTROLLING: ZoomTrolling is defined as creating discord on the Saul’s Investment Discussions Message Board by starting quarrels or upsetting people by posting inflammatory or off-topic messages about Zoom on Saul’s Investment Discussion Message Board. Basically, a ZOOM TROLL is someone who purposely says something controversial in order to get a rise out of Saul and/or other Saul’s Investment Discussions Message Board members.

There are quite a few Zoom Trolls here and they know who they are. The best way to dispose of a Zoom Troll is to ignore a Zoom Troll.

…Back to mulching!

Harley

5 Likes

Denny,

Thanks for posting the link.

Andy

My take is that Zoom began as a “hobby program”, and as such, its scalability was never fully envisioned.

Huh? If anything, Zoom has focused on business use, with personal use being an add-on until the recent surge. Your remarks about scalability seem at direct odds with its reputation, prior to this 20X expansion, of having the best performance of any competing application. How many companies do you know whose products could experience a 20X increase in user base in 2 weeks without crashing completely to the ground? This seems like the definition of scalability.

35 Likes

In my opinion, the amount of negative news recently directed towards Zoom seems like a concerted PR campaign. Yes, I am cynical and don’t trust the media. But to me this feels like manipulation. Below are samples.

Washington Post
https://www.washingtonpost.com/

Mashable- 1000’s of private videos available to view
https://mashable.com/article/private-zoom-recordings-online/…

CNN- FBI warns of Zoombombing
https://www.cnn.com/2020/04/02/us/fbi-warning-zoombombing-tr…

Bloomberg - “CEO messed up”
https://www.bloomberg.com/news/articles/2020-04-04/zoom-ceo-…

Wall St Journal “I really messed up”.
https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-…

Zoom improves security features and adds waiting room. This article was a straightforward breakdown of the new changes
Mashable.
https://mashable.com/article/zoom-password-waiting-rooms-sec…

CNN- NYC schools dropping Zoom.
https://www.cnn.com/2020/04/04/us/nyc-schools-zoom-online-se…

Even though Zoom has grown to 26.7% of my portfolio, I am considering buying more if the stock drops Monday.

Thanks
JT

3 Likes

The Intercept article lists several points. Perhaps an IT/security expert can comment on the following:

  1. Encryption keys are developed by a type of Zoom server called a “key management system”. 5 out of 73 of these servers are in China. US traffic is routed through those servers in a small number of cases. Chinese entities can get access to these keys and be able to listen in. UK cabinet meetings, US covid response, Navy, OPM, State Dept. are some of the agencies using Zoom. Zoom has said government customers were not routed through China. Perhaps this is not as much of an issue?
  2. Encryption keys are 128-bit, not 256-bit, which is what many companies now use.
  3. Encryption uses “an algorithm called Electronic Codebook, or ECB, mode, “which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input.” The article goes on to show a very good example.
  4. Zoom has access to all encryption keys and could decrypt any meeting. The company says they have internal controls against that and have not developed a process to do that. Is this a normal industry practice for a company to hold encryption keys?

Finally, the original article concludes:

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:
Governments worried about espionage
Businesses concerned about cybercrime and industrial espionage
Healthcare providers handling sensitive patient information
Activists, lawyers, and journalists working on sensitive topics

Issue #1 may be a perception issue at this point. Issues #3 and #4 concern me most. Any thoughts why that should not be a concern?

https://theintercept.com/2020/04/03/zooms-encryption-is-not-…

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto…

4 Likes
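Item 3 above (ECB mode preserving patterns in the input) is easy to see in code. The following is an added example, not code from Zoom, Citizen Lab or The Intercept: it encrypts a constructed 64-byte payload made of four identical 16-byte blocks with AES-128 in ECB mode and in CBC mode, then counts distinct ciphertext blocks. The sample payload, the all-zero key and the `looksLikeECB` detector are this example's own assumptions; nothing here reproduces Zoom's actual implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// samplePlaintext is a constructed 64-byte payload made of four identical
// 16-byte blocks. It stands in for a media frame with repeated regions
// (a static background, a silent audio stretch); real frames are more
// varied, but repeats are common enough for ECB leakage to matter.
var samplePlaintext = bytes.Repeat([]byte("ZOOM-FRAME-BLOCK"), 4)

// newAES returns an AES block cipher for a 16-byte (AES-128) or 32-byte
// (AES-256) key. The mode of operation, not the key length, is what
// leaks patterns below.
func newAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key that is not 16, 24 or 32 bytes
	}
	return block
}

// encryptECB encrypts each block independently under the same key, which is
// what "Electronic Codebook" means: equal plaintext blocks give equal
// ciphertext blocks. Go's standard library deliberately ships no ECB helper.
func encryptECB(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		panic("plaintext length must be a multiple of the block size")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// encryptCBC chains each block into the next under a fresh random IV, so
// repeated plaintext blocks no longer produce repeated ciphertext blocks.
// The IV is prepended so a receiver can decrypt.
func encryptCBC(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		panic("plaintext length must be a multiple of the block size")
	}
	iv := make([]byte, bs)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...)
}

// distinctBlocks counts how many different bs-byte blocks appear in ct.
func distinctBlocks(ct []byte, bs int) int {
	seen := make(map[string]struct{})
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = struct{}{}
	}
	return len(seen)
}

// looksLikeECB is the classic detector: a repeated ciphertext block is a
// near-certain sign of ECB, since a randomized mode repeats a 128-bit
// block only by chance.
func looksLikeECB(ct []byte, bs int) bool {
	return distinctBlocks(ct, bs) < len(ct)/bs
}

func main() {
	block := newAES(make([]byte, 16)) // all-zero AES-128 key; any key shows the same effect
	bs := block.BlockSize()

	ecb := encryptECB(block, samplePlaintext)
	cbc := encryptCBC(block, samplePlaintext)[bs:] // skip the IV

	fmt.Printf("plaintext:      %d distinct of %d blocks\n", distinctBlocks(samplePlaintext, bs), len(samplePlaintext)/bs)
	fmt.Printf("ECB ciphertext: %d distinct, looks like ECB: %v\n", distinctBlocks(ecb, bs), looksLikeECB(ecb, bs))
	fmt.Printf("CBC ciphertext: %d distinct, looks like ECB: %v\n", distinctBlocks(cbc, bs), looksLikeECB(cbc, bs))
}
```

Under ECB the four identical input blocks come out as one repeated ciphertext block, which is exactly the "preserves patterns" problem; under CBC they come out as four different blocks. CBC only fixes confidentiality of patterns, not integrity: a modern design would use an authenticated mode such as AES-GCM (`cipher.NewGCM` in Go), which both randomizes and detects tampering.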

The issue isn’t that they’ve had some sort of generic ‘growth’ problem. And I’m sympathetic that some new users didn’t set up their meetings as safely as they could.

It’s that they’ve lied to their customers about their privacy and integrity of their data. They lied about E2E encryption. They lied about routing it through China sometimes. They lied about it, just this Thursday when asked about that exact question!

Now it turns out they may have been forced to provide those encryption keys to the Chinese communist government as part of doing business with the PRC.

Now their excuse is, well, we didn’t send any other government’s data to the PRC!

Only after they were caught lying Friday by the Financial Times, one of the most well-respected newspapers in the world and a private company, did they confess to their latest iteration of ‘the truth.’

‘There’s never just one cockroach.’ ~ Warren Buffett

Naj, no position

PS: love me some Reggie, he grew up around the corner from me.

15 Likes

The Intercept article lists several points. Perhaps an IT/security expert can comment on the following:

4. Zoom has access to all encryption keys and could decrypt any meeting. The company says they have internal controls against that and have not developed a process to do that. Is this a normal industry practice for a company to hold encryption keys?

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:

Not an “expert” but I know enough about the subject to give an authorized opinion.

A distinction needs to be made between “security” and “secrecy.” For most ordinary users the “security” is good enough. I say good enough because, given enough time, most codes can be broken. In wartime they used light encoding for short-term events because by the time it was decrypted the event was over and done with. How much security does a high school class need, since what is being taught is essentially public domain stuff? What they need is to keep hackers out, and passwords and waiting rooms should do the trick.

On the other hand, “secrecy” is a different issue. Since Zoom is able to decrypt the data stream it is NOT secure! Anything that needs a security clearance should not use Zoom. Not governments, not commercial secrets, until Zoom can provide true end-to-end encryption that they cannot decode at any point in the transmission.

Denny Schlesinger

17 Likes
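The point made in the two posts above (item 4 of the earlier list and the security/secrecy distinction) is a question of who holds the meeting key. The following is an added example, not Zoom's design or code: it models a key-management server that generates the meeting key and hands out copies, next to an end-to-end exchange where each party makes its own X25519 key pair and a relay only forwards the public halves. The `keyServer`, `relay` and `deriveKey` types and the plain SHA-256 key derivation are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyServer models a key-management server that generates the meeting key
// and hands copies to every participant. Whoever runs, compromises or can
// compel the server can keep the key and decrypt the meeting later.
type keyServer struct {
	issued [][]byte // every meeting key the server has ever handed out
}

// issueMeetingKey generates a random 128-bit meeting key and returns one
// copy for the host and one for the participant; the server keeps a third.
func (s *keyServer) issueMeetingKey() (host, participant []byte) {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	s.issued = append(s.issued, k)
	return k, append([]byte(nil), k...)
}

// canDecrypt reports whether the server holds the key the parties use.
func (s *keyServer) canDecrypt(meetingKey []byte) bool {
	for _, k := range s.issued {
		if bytes.Equal(k, meetingKey) {
			return true
		}
	}
	return false
}

// relay models a server that only forwards messages and records what it saw.
type relay struct {
	observed [][]byte
}

func (r *relay) forward(msg []byte) []byte {
	r.observed = append(r.observed, append([]byte(nil), msg...))
	return msg
}

// deriveKey turns a raw shared secret into a 128-bit meeting key.
// Assumption: plain SHA-256 truncation; a real design uses HKDF with labels.
func deriveKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:16]
}

// e2eAgree runs a Diffie-Hellman exchange through a passive relay: both sides
// derive the same meeting key, and the relay only ever sees public keys.
func e2eAgree(r *relay) (hostKey, participantKey []byte, err error) {
	curve := ecdh.X25519()
	hostPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	partPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Only the public halves travel through the relay.
	hostPub, err := curve.NewPublicKey(r.forward(hostPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, nil, err
	}
	partPub, err := curve.NewPublicKey(r.forward(partPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, nil, err
	}
	hostShared, err := hostPriv.ECDH(partPub)
	if err != nil {
		return nil, nil, err
	}
	partShared, err := partPriv.ECDH(hostPub)
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(hostShared), deriveKey(partShared), nil
}

// canDecrypt reports whether anything the relay saw yields the meeting key.
// With only public keys in transit this is false: recovering the key would
// mean solving the Diffie-Hellman problem on Curve25519.
func (r *relay) canDecrypt(meetingKey []byte) bool {
	for _, m := range r.observed {
		if bytes.Equal(m, meetingKey) || bytes.Equal(deriveKey(m), meetingKey) {
			return true
		}
	}
	return false
}

func main() {
	srv := &keyServer{}
	h, p := srv.issueMeetingKey()
	fmt.Printf("server-issued key: parties agree=%v, server can decrypt=%v\n", bytes.Equal(h, p), srv.canDecrypt(h))

	rl := &relay{}
	h2, p2, err := e2eAgree(rl)
	if err != nil {
		panic(err)
	}
	fmt.Printf("end-to-end key:    parties agree=%v, relay can decrypt=%v\n", bytes.Equal(h2, p2), rl.canDecrypt(h2))
}
```

The relay here is passive. An active relay could substitute its own public keys in both directions and sit in the middle, so real end-to-end designs also authenticate the public keys (long-term identity keys, or a code both parties compare out of band); a server that generates and distributes the key, as in the first half of the example, can decrypt regardless of how strong the cipher is.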