The IT Nerd

Yesterday, I wrote a story about Zoom’s security issues and what they needed to do to fix them. In the last few hours a lot have happened. For starters, a memo from Elon Musk of Tesla and Space-X was leaked to Reuters. The memo stated that Zoom was banned due to security and privacy issues. Related to that Zoom posted a blog post from its CEO. In it he says this:

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

At least he recognizes that he has a problem. This is what he has done to fix things:

We have also worked hard to actively and quickly address specific issues and questions that have been raised.

• On March 20th, we published a blog post to help users address incidents of harassment (or so-called “Zoombombing”) on our platform by clarifying the protective features that can help prevent this, such as waiting rooms, passwords, muting controls, and limiting screen sharing. (We’ve also changed the name and content of that blog post, which originally referred to uninvited participants as “party crashers.” Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.)  
• On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users. 
• On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.
• For education users we:
  • Rolled out a guide for administrators on setting up a virtual classroom. 
  • Set up a guide on how to better secure their virtual classrooms. 
  • Set up a dedicated K-12 privacy policy.
  • Changed the settings for education users enrolled in our K-12 program so virtual waiting rooms are on by default.
  • Changed the settings for education users enrolled in our K-12 program so that teachers by default are the only ones who can share content in class.
• On April 1, we:
  • Published a blog to clarify the facts around encryption on our platform – acknowledging and apologizing for the confusion.
  • Removed the attendee attention tracker feature.
  • Released fixes for both Mac-related issues raised by Patrick Wardle.
  • Released a fix for the UNC link issue.
  • Removed the LinkedIn Sales Navigator after identifying unnecessary data disclosure by the feature.

He then outlines these steps to fix this situation going forward:

• Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
• Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
• Preparing a transparency report that details information related to requests for data, records, or content.
• Enhancing our current bug bounty program.
• Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
• Engaging a series of simultaneous white box penetration tests to further identify and address issues.
• Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.

These are very good steps and fit within the things that I suggested in the story that I wrote yesterday. But if you’re a Zoom user, you need concrete things that you can do right now to ensure your security. Here is what I would suggest:

• Update your macOS and Windows clients now. As in RIGHT NOW. The macOS client (Version 4.6.9 (19273.0402)) can be found here, and the Windows client (Version 4.6.9  (19253.0401)) can be found here. Now I tested both versions and I can confirm that the issues that I raised yesterday are fixed.
• Enable the waiting room functionality. This document that Zoom has on the topic can help you with that.

I have to applaud Zoom on taking action quickly and transparently. And you can bet that lots of people will be watching to make sure that they follow through on their promises. Because it’s a safe bet that if they don’t I among many others will not hesitate to call them on it.

This entry was posted on April 2, 2020 at 12:34 pm and is filed under Commentary with tags Zoom. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.