Huge thanks to @phi for an important alert about a couple of security/privacy issues with Zoom. (I’m replacing his message with this one because @phi’s message made it sound way worse than it is, but I’m including the full text of his message below. I just want to lead with a more balanced characterization so people don’t freak out.)
First, the security vulnerabilities involve physical access to your machine, which for me personally doesn’t feel like a big enough risk to switch the meetup to something else. (Also, Zoom misused the term “end-to-end encryption,” which wasn’t cool. Looks like they’re seeing a lot of backlash and are responding reasonably, I don’t know. The software seems really good to me, like the highest-quality video/audio I’ve seen and really easy for everyone.)
What do you think?
- Anything but Zoom
- Zoom this time since we already picked it but switch next time
- Google Hangouts or whatever they call it these days
- Whatever the beekeepers decide
To be clear, the default answer is we’ll stick with Zoom for now, but I’m anxious to hear if the more security-savvy among you think I’m misassessing this.
PS: Another link from @phi (thanks again!) to help people assess: https://www.tomsguide.com/news/zoom-security-privacy-woes
Phi's Original Message(s)
I strongly vouch for choosing something other than Zoom. They don’t take security or privacy seriously. There are at least two (!) zero-day exploits in their macOS and Windows clients currently which “could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera,” and allow for remote code execution:
I don’t care what software we use, as long as it is not Zoom. Maybe https://jitsi.org? It also doesn’t need a login from what I can tell.
(I’m personally a big fan of https://discordapp.com but that needs a free login)
This is a recurring theme, if this older article is any indication:
And of course there is their careless attitude towards sharing data with Facebook on their iOS client.
Also, Zoom claims to be end-to-end encrypted, but they are not. In fact, they do clarify, somewhere less prominent, that by “end-to-end” they mean from their client to their server, AKA plain old transport layer security (TLS). That is not end-to-end, and this is at best false advertising.