Every Zoom Security and Privacy Flaw, So Far, and What You Can Do to Protect Yourself

Zoom has just hired Alex Stamos, a professor at Stanford’s Center for International Security and Cooperation and former chief security officer at Facebook, as an outside consultant to advise the company on security and privacy issues. I’ve seen him talk—he’s a smart guy who cares deeply about this stuff. He left Facebook over disagreements with other executives about how to deal with Russian interference in the 2016 elections. He was also chief security officer at Yahoo before that, and resigned over a program to scan incoming email on behalf of US government intelligence organizations.

5 Likes

Hoping to maintain a more secure Zoom environment, I updated it (again) just this morning. Unfortunately, I now have a floating Zoom window during every conference with “Talking: …” that displays who’s speaking. Of course I didn’t see any mention of that addition in the release notes. :( After searching the web and going through the prefs several times I just cannot figure out where that can be turned off. Has anybody here found the off switch for that floating panel?

1 Like

@Simon, Zoom’s windowing behavior is odd. Windows in Full-screen mode are different than windows zoomed to cover the screen but not menu bar. The first Preferences pane has a dual-monitor checkbox which changes behavior substantially. There are popup menus in the upper right and over your own video stream.

Good luck!

Thanks, Chris. I should have mentioned I don’t use full-screen mode. I noticed that panel appears regardless of whether the participants are displayed or not (I usually have it on, making this panel even more redundant). However, I just had another Zoom meeting and here, miraculously, the panel didn’t show up. I have no idea what is controlling this behavior at this point.

Excellent report, Glenn (as always, informative and thorough!). As an independent consultant, I’ve had to use a number of virtual meeting services with a variety of clients. And WebEx and GoToMeeting have been the go-to services to date. Recently, Zoom started to move in, and I’ve enjoyed it immensely.

I understand that some organizations have prohibited use of Zoom (as noted in an earlier post here, the NYC school system has, and I’ve heard that the Wichita school system has as well). However, I just learned last week that NASA states that “…Zoom is not licensed nor authorized for use by NASA employees and contractors, and is not allowed on NASA IT devices. …”

I hope that Zoom addresses its security issues fundamentally. The first steps have been encouraging.

So until Zoom is able to address its security issues, it’s back to WebEx, GoToMeeting and, now, Adobe Connect (Ugh!).

Zoom has now posted a report on its security progress after 90 days.

I am decidedly unimpressed.

For review, this is the company that REPEATEDLY, KNOWINGLY, and DELIBERATELY flouted security best practices and put dangerous, persistent, malware-like code in their products that put anyone who installed their software at risk. They knew the code was there, but took no steps to remove it until it was discovered and publicized, and then only after trying to pay off and then trying to intimidate the researchers to keep their dirty little secret private. Remember, also, that this malware injection didn’t just happen once. Or even twice. In every case, the offensive code was removed only after a public outcry.

The last time I posted about this, one reply I got was “all the other products have bugs” (whataboutism) and “Zoom is only targeted because they’re so popular” (the Windows defense).

  • I’m not talking about bugs. I’m talking about deliberate, malicious code.

  • Discovery of Zoom’s malfeasance predates COVID-19 lockdowns and the rise of Zoom’s popularity.

Yes, they hired Alex Stamos. Now, I’m given to understand that Mr. Stamos is a charismatic and generally likable fellow. I’ve never met him. He could well be awesome. But I can’t help but notice that he was in charge of security at Yahoo during or shortly after THE LARGEST KNOWN CREDENTIALS BREACH IN INTERNET HISTORY and was at least complicit in the decision to keep the fact of the breach secret while hundreds of thousands of vulnerable persons were phished and fleeced, aided by leaked Yahoo credentials. Such secrecy was only legal because, at the time, the law had not caught up with developments in technology. Then he was there for that nasty business at Facebook when they allowed Cambridge Analytica to commit THE LARGEST DATA BREACH IN FACEBOOK HISTORY.

https://en.wikipedia.org/wiki/Yahoo!_data_breaches
https://en.wikipedia.org/wiki/Facebook–Cambridge_Analytica_data_scandal

So I remain dubious about this much-touted, high-profile hire and not surprised when Mr. Stamos appeared publicly to defend Zoom’s decision not to allow end-to-end encryption for free-tier accounts, putting some of Zoom’s most vulnerable users in harm’s way.

I was much more impressed by Zoom’s hiring of Katie Moussouris, whom I believe to be a security professional with credibility and integrity. Unfortunately, Ms. Moussouris has announced that she and her Luta Security are parting ways with Zoom. As befits her professionalism, no reasons were given. The referenced blog post conveniently omits the fact of Luta’s departure. What else did this press release omit?

Oh, and speaking of end-to-end encryption, Zoom very publicly walked back their Stamos-endorsed decision not to offer E2EE to free-tier users in response to a public outcry (sound familiar?). I have seen many reports that “Zoom now offers end-to-end encryption to free-tier users.” That is not correct. Zoom offers end-to-end encryption to NONE of their users, though they LIED and claimed to have it in their product until forced (public outcry) to admit that it wasn’t there (depending on what your definition of “is” is). At best, currently, such encryption is just another “we’re working on it.” I recently spoke to a medical group I’ve worked with that was assuring their patients that their Zoom telemedicine systems were end-to-end encrypted. They were aghast, then unbelieving, when I told them that Zoom does not have and never had E2EE. They were “just sure” that Zoom had repeated the claim of having E2EE just a week or two ago.

There are alternatives to Zoom. There are offerings that are well vetted, offer end-to-end encryption, are free and open source, and/or don’t come from developers with a history of malicious actions toward their users. Why choose Zoom?

2 Likes