Zoom 5.0(zoom.us)
zoom.us
Zoom 5.0
https://zoom.us/docs/en-us/zoom-v5-0.html
103 comments
> There's not much they can do about having all their development in China, but at least their focus on security otherwise seems to be paying off.
They could start moving their development to the US. There are plenty of successful software companies in the US. There's a good ecosystem, a huge amount of talent, and tons of enthusiasm about their problem space.
What they can't do anything about is the trust they lost by misleading their customers about their security model.
They could start moving their development to the US. There are plenty of successful software companies in the US. There's a good ecosystem, a huge amount of talent, and tons of enthusiasm about their problem space.
What they can't do anything about is the trust they lost by misleading their customers about their security model.
> There are plenty of successful software companies in the US. There's a good ecosystem, a huge amount of talent, and tons of enthusiasm about their problem space.
The same you could say about China.
What benefits would they gain by moving development to the US?
The same you could say about China.
What benefits would they gain by moving development to the US?
Dev team is different than actual server location.
Anyone know if they still passing non China video data through mainland China server? Unclear from this.
Anyone know if they still passing non China video data through mainland China server? Unclear from this.
They aren’t. They fixed that almost immediately. They said it was just a mis configuration.
Most dystopic feature:
> Audio Watermarks: Turn this on to embed a user's personal information into the audio as an inaudible watermark if they record during a meeting. If the audio file is shared without permission, Zoom can help identify which participant recorded the meeting.
> Audio Watermarks: Turn this on to embed a user's personal information into the audio as an inaudible watermark if they record during a meeting. If the audio file is shared without permission, Zoom can help identify which participant recorded the meeting.
What's dystopic about it?
Movie studios have done watermarking in the past with DVD screeners. Color laser printers output almost-invible patterns of yellow dots to match a document to a printer. When you download an academic paper as PDF, the PDF generally imprints the IP address and time of the downloader. Watermarking is nothing new.
For a company or government worried about employees leaking sensitive information to the press, this is an intriguing feature.
And if you're a determined whistleblower, this isn't going to stop you anyways.
Movie studios have done watermarking in the past with DVD screeners. Color laser printers output almost-invible patterns of yellow dots to match a document to a printer. When you download an academic paper as PDF, the PDF generally imprints the IP address and time of the downloader. Watermarking is nothing new.
For a company or government worried about employees leaking sensitive information to the press, this is an intriguing feature.
And if you're a determined whistleblower, this isn't going to stop you anyways.
This is a fantastic feature. It isn't so much for the company to prevent it but a way for the guy being pressured to share the recording to say "I'm sorry, I can't. They embed details in it that if they were leaked would ruin me." i.e. technology that allows you to say no to things is great.
The most extreme example is a secret that if I shared with you, I'd die painfully. You can't threaten me with death or torture because that's what's going to happen to me if I share it with you.
The most extreme example is a secret that if I shared with you, I'd die painfully. You can't threaten me with death or torture because that's what's going to happen to me if I share it with you.
> The most extreme example is a secret that if I shared with you, I'd die painfully. You can't threaten me with death or torture because that's what's going to happen to me if I share it with you.
I say this regretfully because I really like the slogan "technology that allows you to say no to things is great", and, of course, it's not what you meant; but, taken to its extreme, the combination of this paragraph with the logic from your first paragraph:
> This is a fantastic feature … technology that allows you to say no to things is great.
means that an imaginary Zoom feature by which it would kill you painfully if you leaked sensitive data would be fantastic.
I say this regretfully because I really like the slogan "technology that allows you to say no to things is great", and, of course, it's not what you meant; but, taken to its extreme, the combination of this paragraph with the logic from your first paragraph:
> This is a fantastic feature … technology that allows you to say no to things is great.
means that an imaginary Zoom feature by which it would kill you painfully if you leaked sensitive data would be fantastic.
Haha, right, that is the natural syllogism that one would arrive at. The missing pieces of the picture are the prior probabilities of accidental leaking vs. coerced leaking and the value of the individual. For a spy in danger of being exposed, yes, technology which guaranteed violent death on exposure would be fantastically desirable. I won't condescend to you by walking through the entire thing, but I think you can tell I'm not an extremist and have left out all the bits about the ROI etc.
v6?
I wonder how they are doing this. Wouldn't a low quality recording render this fingerprint invisible?
I wonder if it can be filtered out, on the other hand. Does anybody have knowledge on audio fingerprinting/watermarking? Or is it perhaps security theater?
most common technique is a spectral encoding, which can be quite resistant to degradation.
here's some old (ugly) code - quite short as you can see:
- encoding: https://github.com/jcelerier/libaudiotool/blob/master/src/li...
- decoding: https://github.com/jcelerier/libaudiotool/blob/master/src/li...
here's some old (ugly) code - quite short as you can see:
- encoding: https://github.com/jcelerier/libaudiotool/blob/master/src/li...
- decoding: https://github.com/jcelerier/libaudiotool/blob/master/src/li...
My Guess is that it is mostly a security through obscurity thing for now, we do not know exactly how they mark the audio. When someone figures this out I believe that it should be possible to filter this out.
It would be interesting if they found a way to watermark the audio in such a way that removing the mark makes the audio unusable.
It would be interesting if they found a way to watermark the audio in such a way that removing the mark makes the audio unusable.
Just compare two records from two different users.
Streaming and downloaded audio from Universal Music Group, and some Sony releases has been "inaudibly watermarked" for some years now, but there are several cases of people complaining that the watermark is actually audible in their supposedly lossless FLAC/ALAC/WAV download.
AFAIK these are just used to identify the streaming / download source (e.g. Spotify / TIDAL / Qobuz etc.), rather than the individual user as will be the case with Zoom. It'll be interesting to see what, if anything, has changed with the technology.
AFAIK these are just used to identify the streaming / download source (e.g. Spotify / TIDAL / Qobuz etc.), rather than the individual user as will be the case with Zoom. It'll be interesting to see what, if anything, has changed with the technology.
If the watermark is inaudible, can't it removed by re-encoding the audio with a bandpass filter tuned for audible range?
Inaudible just means that a person can't perceive it, not necessarily because it's outside the frequency range a human ear can sense.
A common technique is to add pseudo noise to encode data over the whole audio spectrum. It's related to the spread spectrum techniques used for radio communications resistant to signal degradation (natural or jamming), common in many radio protocols, like your GPS receiver in your phone.
https://en.m.wikipedia.org/wiki/Audio_watermark
A common technique is to add pseudo noise to encode data over the whole audio spectrum. It's related to the spread spectrum techniques used for radio communications resistant to signal degradation (natural or jamming), common in many radio protocols, like your GPS receiver in your phone.
https://en.m.wikipedia.org/wiki/Audio_watermark
I'd love to see some analysis of what's going on as well. I assume this would work better for audio recorded on-device (eg. using screen capture software) than audio recorded externally after being played out on the speaker.
For companies in healthcare and finance, this is a good feature to protect clients.
Attention tracking ...
Oh great... I'm sure we all have been waiting for more big brother features like this one
Many game developers do this for any kind of NDA-enforced testing. Not necessarily to the audio but to the video.
Apple Retail has/had an internal communications iPad app called RetailMe that overlayed their employee number in a massive watermark on the screen to capture people to leak screenshots. It was slightly visible under normal use, but load it into photoshop and play with the curves and becomes super visible.
One day there was an Ars Technica article leaking some news, included a screenshot of RetailMe. I put the screenshot into Photoshop and low and behold there was the employee's ID.
One day there was an Ars Technica article leaking some news, included a screenshot of RetailMe. I put the screenshot into Photoshop and low and behold there was the employee's ID.
Dystopic? That's a privacy forward feature. Accountability to protect the privacy of meetings.
Apply some time stretch, pitch shift, slight distortion, and the watermark is likely destroyed.
Printers have done this for decades
*help identify the participant's account, but not the actual participant.
I guess this is targeted at corporate users.
If a watermarked audio is leaked, the owner of the account will be liable. If he shared he's zoom credentials, is just as bad as sharing the recording.
If a watermarked audio is leaked, the owner of the account will be liable. If he shared he's zoom credentials, is just as bad as sharing the recording.
That’s not much of a leap, though: if you know you were talking to some people, and then audio is leaked, then you can figure out which account did it.
I’m not defending (or denouncing, for that matter) this feature, though I have opinions.
I’m not defending (or denouncing, for that matter) this feature, though I have opinions.
A few weeks ago they required login to join a meeting from the browser. This make it harder for older people who I like to talk to. Since then I have moved to jit.si . The quality is slightly lower, but it is much easier to use
Jitsi is much worse in a number of ways. If you use it casually with small crowds then it’s prob fine. Otherwise the pains of Jitsi are huge for the year I had to use it a lot.
I'm very concerned about the China connection. there has been zero analysis of what they actually look at and how they use the data
According to their 10-K filings, zoom has more than 700 heads in RnD in China, and about 5 subsidiaries in China IIRC, but none of those are listed as subprocessors of personal data, which I, personally, find somewhat hard to believe
Nice to see all the security improvements, however, the new UI seems less crisp, the fonts have become much more blurry, with too much anti-aliasing going on. Also the up-arrows for audio/video settings have been made much smaller and thus harder to hit - you will mute yourself rather than opening the audio settings.
The font smoothing/antialiasing problem is not everywhere, which makes it look even weirder. See this dialog for instance: https://i.imgur.com/L5S8Tqn.png
Where the text "0 participants per room" have been applied too much anti-aliasing.
Where the text "0 participants per room" have been applied too much anti-aliasing.
There was discussion before that Zoom had serious security issues. Have these been fixed in the new version of zoom ? Eg would companies that previously banned zoom now allow zoom 5.0?
Eg some previous issues with zoom https://news.ycombinator.com/item?id=22736608
Eg some previous issues with zoom https://news.ycombinator.com/item?id=22736608
Not a security expert but deal with PKI (openssl, openssh, etc) / OpenGPG/GnuPG a lot on a daily basis, I just don't understand why Zoom would let their marketing people put buzzword like `GCM Encryption` on such an important landing page, not nitpicking, seriously...
At least, use AES-256 (mode can be optional as most people don't even know what GCM XTS CBC stands for).
At least, use AES-256 (mode can be optional as most people don't even know what GCM XTS CBC stands for).
Because focus groups liked the sound of "GCM Encryption". Be glad they didn't slap on a bunch of Trim Level Designators like "GCM LX Sport Encryption CE".
https://www.liveabout.com/glx-gls-se-si-lx-what-do-they-mean...
https://en.wikipedia.org/wiki/Trim_level_(automobile)
https://www.liveabout.com/glx-gls-se-si-lx-what-do-they-mean...
https://en.wikipedia.org/wiki/Trim_level_(automobile)
I think because the big failing before was that Zoom was using AES, but was using it in ECB mode. Zoom clearly paid near-zero attention to security until recently.
So by saying “GCM encryption” they’re highlighting that the fixed the mode by which they are using AES encryption.
So by saying “GCM encryption” they’re highlighting that the fixed the mode by which they are using AES encryption.
Why are they touting "GCM encryption" without explaining what that means? Do they mean "Galois/Counter Mode" [0]? If so, _why_ is that better than the encryption they were using before?
[0] https://en.wikipedia.org/wiki/Galois/Counter_Mode
[0] https://en.wikipedia.org/wiki/Galois/Counter_Mode
They were using ECB mode before
I was hoping a new major version would help me fix the problem I have with the Zoom desktop application on Xubuntu. Every time I join a meeting, the entire desktop start lagging. Sadly, this update did not help.
"How was your experience?" [Great] / [Had issues]
So infuriating. And yes it disappears by itself after a while, but no, I do not need that dialog box.
Anyone know how to turn that off?
So infuriating. And yes it disappears by itself after a while, but no, I do not need that dialog box.
Anyone know how to turn that off?
It's a setting that's exposed on the website ("Feedback to Zoom"), but, at least for my licence, it's locked. Incidentally, I am able to close the box, rather than just waiting for it to go away, in case that's better.
Thankfully the major version update doesn't mean a completely new UI, which would have cut their userbase in half.
"GCM encryption". What? o_O
Still no Mac App Store version? Sigh...
There is a mac version, why do you require it from the mac app store instead of the developer's site?
Because the non-app store version does weird stuff - faking installation, background services, etc. Sandboxed version would hopefully be less malware-like.
Security. App store has much tighter rules on what a developer can do whereas downloading a dmg from somewhere pretty much leaves you to fend for yourself (and Zoom already has proven itself here).
Edit: clarifications
Edit: clarifications
Because at this point, every single version of the app from their site has had some issue that wouldn't have happened in a sandboxed Mac App Store version.
Probably due to the Apple tax.
No, it's probably because then the app would need to be sandboxed and they wouldn't be able to justify their insane Hardened Runtime exemptions.
Since they are already on iOS, this is not an excuse. I would only trust a sandboxed version from them.
Apple tax on free?
Their macOS app is already notarized by Apple, there is no additional "Apple tax" for them to make a Mac App Store version.
Can Zoom stop logging me out from current computer (while I'm using Zoom) just because there's another computer on standby where I forgot to log off Zoom (and I'm not in any Zoom call on that computer)?
Hah finally a criticism for Zoom I can immediately relate to and is really frustrating. Why log me out like you said if I’m not in a call.
ralusek(4)
Real end to end encryption? No? Must be a hard problem that other people have solved.
To my knowledge there is no zoom competitor that has end to end encryption and allows people to join a call from landlines.
bluejeans? Skype for business? Webex?
How are they encrypting the telephone connections?
All those services don't encrypt connections if they include PTSN phone calls or other features. Example: https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-E...
Zooms end to end encryption is pointless because they can get at the data by performing an assertive action. Their competitors (at least the ones I have heard of) can also get at the data by performing an assertive action. The difference is probably that the people designing the Zoom knew that you can't have secure E2EE without customer access to the client source and an awkward identity verification requirement. So they didn't bother to pretend. As a result they probably saved themselves a lot of work.
Some of these features sound like anti-security and definitely anti-privacy features. Will definitely make you think twice about having a “private” meeting on Zoom if they’re going to embed my email on a screenshot someone else takes. Great way to get a meeting organizers email...
> Screen Share Watermark Superimposes the image of a meeting participant’s email address onto shared content in the event a participant takes a screenshot.
> Screen Share Watermark Superimposes the image of a meeting participant’s email address onto shared content in the event a participant takes a screenshot.
Isn’t the point that it embeds your email address onto screenshots you take?
Zoom's intended for corporate customers. Many of us have compliance requirements that demand not having individual privacy for employees.
If you want to elicit a change, the biggest value for your time will be lobbying against FedRAMP and its corollaries.
If you want to elicit a change, the biggest value for your time will be lobbying against FedRAMP and its corollaries.
I wonder how zoom determines if a screenshot is taken.
On Linux/Wayland at least, there's no API for an app to determine that this is happening. So they'd have to show the watermark all the time.
On Linux/Wayland at least, there's no API for an app to determine that this is happening. So they'd have to show the watermark all the time.
Yes as I understand the watermark is on the Zoom video stream you're viewing, so it doesn't need to detect when you take a local screenshot.
Likely by detecting certain keystrokes (that's what Snapchat does on iOS for example). Idk if there are other ways on macOS or Windows.
There is an API on iOS: UIApplicationUserDidTakeScreenshotNotification
https://developer.apple.com/documentation/uikit/uiapplicatio...
https://developer.apple.com/documentation/uikit/uiapplicatio...
I was not aware of this- thank you!
Definitely not on Linux. Global hotkeys are managed by the compositor and can't be spied on by applications. There's also no API no read keystrokes from external apps. This is actually a security feature.
AFAIK, on iOS, the app is actually sent an event by the OS when a screenshot is captured.
AFAIK, on iOS, the app is actually sent an event by the OS when a screenshot is captured.
You might be specifically talking about Wayland here then, but with X on the other hand, it's not difficult for example [0]
[0] https://security.stackexchange.com/questions/170596/is-it-po...
[0] https://security.stackexchange.com/questions/170596/is-it-po...
If this were google or Microsoft this comment wouldn't be getting downvoted
Probably because they seemed to have misinterpreted the text they quoted in their own comment. The participant who takes the screenshot has their own email embedded in their screenshot, not someone else's.
Not sure why I got downvoted on that? Everyone must be really happy with Zoom. lol
Can you respond to the people saying you didn’t say the correct facts? IE which email is included. And where
I think this should fix the main issues people have had with them (at least the most public problem with 'zoom bombing').
There's not much they can do about having all their development in China, but at least their focus on security otherwise seems to be paying off.
###
Quick Feature Summary:
- Mandatory GCM encryption requires Zoom clients to upgrade to 5.0 by May 30th [0]
- Hosts can prevent screenshare, chat, user renaming
- Hosts can report users to Zoom’s Trust & Safety team, who will review any potential misuse of the platform and take appropriate action.
- All hosts may now turn on the Waiting Rooms while their meeting is already in progress.
- Lock your meeting after everyone has arrived to prevent any unwanted disruptions.
- The host may remove a participant and they will be unable to re-enter the meeting.
- Waiting Room enabled by default
- Complex Meeting IDs
- Meeting passwords are now more complex and enabled by default
- Meeting Registration and Authentication (require email registration/restrict meetings to preset profiles)
- All cloud recordings are encrypted with complex passwords on by default.
- Audio Watermarks/Screen Share Watermark (help prevent leaks)
- Message Preview Options (Users can now enable Zoom Chat notifications to not show chat content while screen sharing.)
- Host or account admin can disable the ability for participants to show their profile picture or change it in a meeting.
- Hosts can now select which data center regions they would like their in-meeting traffic to use when scheduling a meeting, and participants can see which data center they are connected to by clicking on the info icon at the top left of the client window.
- Zoom 5.0 supports a new data structure for larger organizations, allowing them to link contacts across multiple accounts so people can easily and securely search and find meetings, chat, and phone contacts.
[0]: https://en.wikipedia.org/wiki/Galois/Counter_Mode