Zoom and security of files

[Colson P]

The other possible alternatives are not better in their usability, data grabbing and security.

That's quite a statement. Care to back it up?

Google Hangouts - https://support.google.com/hangouts/thr ... 2564?hl=en
Skype - https://www.cnet.com/news/microsoft-lis ... port-says/
Facebook Messenger - I think their recent scandal is self-explanatory: https://www.theguardian.com/technology/ ... e-facebook

Zoom is obviously very, VERY insecure, and the mainstream alternatives are better but also aren't very secure. One thing we do have to realize is nothing can be perfect - there will always be security vulnerabilities no matter what internet service you use. What's important is the steps companies take to reduce these vulnerabilities as much as they can. Ex: encrypting their video conferences end-to-end (better than Zoom is doing ).

One thing I HATE about Zoom is how meeting hosts can spy on you to see if you're paying attention: https://www.vice.com/en_us/article/qjdn ... -attention

Also just found this, looks like I need to uninstall or disable Zoom on my Iphone: https://www.vice.com/en_us/article/k7e5 ... ok-account

There are some better less-known options that are out there, take WhatsApp and its "state-of-the-art" encryption for example.
https://www.vice.com/en_us/article/m7qw ... g-software
[EDIT] Whoops, WhatsApp is owned by Facebook too...

[Moem]

Zoom is obviously very, VERY insecure, and the mainstream alternatives are better but also aren't very secure.

Okay, thanks for the above info. Any thoughts on Jitsi? I hear that it's pretty good, with regards to security. If it's not mainstream, maybe it needs to become so.

[MoreLinux]

But still........

'Archers fan event invaded by **** and pornography':

https://www.bbc.co.uk/news/entertainment-arts-52243209

They were using Zoom.

They made the mistake, not Zoom.

'Teachable moment'
Brown said the mistake they made was to put a link to the meeting all over social media, meaning anyone who saw it could join in.

"It was a teachable moment - as our American cousins would say," he said.

[MoreLinux]

The other possible alternatives are not better in their usability, data grabbing and security.

That's quite a statement. Care to back it up?

Here are some good write-ups on many message and video conference tools.
- https://www.makeuseof.com/tag/how-secur ... ferencing/
- https://www.theguardian.com/technology/ ... ternatives
- https://www.avg.com/en/signal/secure-message-apps

Almost all have one or the other security problems. Several have not the end-to-end encryption as we think they should have, or a flawed or outdated encryption technology, or the end-to-end encryption isn’t default activated. This means many users use it unprotected. Some have un-encrypted backups or even worse the backup key is controlled by the vendor.

Also everyone is giving lists of Zoom alternatives, example: https://siliconcanals.com/news/zoom-alt ... o-calling/
Did they check these alternatives on security?

my two cents, in a few weeks is Zoom the most secure video conferencing app in the world.

[Petermint]

Has anyone used Jitsi or Jami for a large meeting? 10 or more people?

[Red Squirrel]

I wanted to convince my family to use Jitsi but "it's too much trouble let's just use Zoom". That seems to be the trend most of the time with this sort of stuff.

So gave in and installed that spyware on my phone. Is there a way in Android to disable an app completely? who knows what it could be doing in the background. I don't want to delete and install it each time.

Ideally going to setup a Raspberry Pi or something with a web cam to see if I can have it run off that on a separate vlan.

[Colson P]

I wanted to convince my family to use Jitsi but "it's too much trouble let's just use Zoom". That seems to be the trend most of the time with this sort of stuff.

So gave in and installed that spyware on my phone. Is there a way in Android to disable an app completely? who knows what it could be doing in the background. I don't want to delete and install it each time.

Ideally going to setup a Raspberry Pi or something with a web cam to see if I can have it run off that on a separate vlan.

Raspberry Pis will work with a USB webcam, although some configuration is needed:
https://www.raspberrypi.org/documentati ... e/webcams/
Zoom will need to be run from the browser on your pi (which is probably best anyway.)
https://www.raspberrypi.org/forums/view ... p?t=254367

So gave in and installed that spyware on my phone. Is there a way in Android to disable an app completely? who knows what it could be doing in the background. I don't want to delete and install it each time.

https://explorehowto.com/disable-androi ... data-loss/

Has anyone used Jitsi or Jami for a large meeting? 10 or more people?

https://www.reddit.com/r/privacy/commen ... _not_e2ee/
Jitsi isn't end-to-end encrypted, so its main advantage over Zoom in the privacy aspect is that nobody knows about it (similar to how few people use Linux, so it doesn't have many major security threats like Windows does )

[Moem]

Has anyone used Jitsi or Jami for a large meeting? 10 or more people?

Jitsi, and it worked well.

[MoreLinux]

Has anyone used Jitsi or Jami for a large meeting? 10 or more people?

Jitsi, and it worked well.

I just tested Jitsi, and my opinion is different.

Here some comparison between Zoom and Jitsi.

= First look and feel on usability: I was never impressed by Zoom's usability, but now I have to tested Jitsi, I must say Zoom beats Jitsi.
= The Browser experience: On an iPad using Chrome on the Jitsi interface is very unresponsive, Zoom web interface is very responsive on all OS'es and browsers.
= Desktop app on Linux, Mac, Windows: Zoom yes, Jitsi, Yes.
= Bandwidth usage: with only two devices in the Jitsi meeting it already started to complain about the bandwidth not being optimal. With the same devices in a Zoom meeting using HD webcams the bandwidth is no problem.
= Breakout rooms: Zoom has them, as far I can find Jitsi doesn't. I need them as I use Zoom for my work, without Jitsi is a no-go zone.
= Browser support: Jitsi complained that my Safari wasn't gonna give me the best experience, so on my tablet I could switch to Chrome or download the app. On my iPhone I had Chrome installed, but was forced to download and install the app. Zoom supports all mayor browser.
= Screen share: On my three monitor setup, in Zoom I can share any window or a separate monitor screen. In Jitsi, I could share windows, and only my three monitor wide full screen image.
= Separate video streams from view/presentation screen: In Zoom, I can do a dual monitor setup with the video gallery in a separate window so I free up my presentation screen. On the second screen I can keep an eye on my participants and how they react to my presentation.
= Virtual background: Zoom can work with green screen and virtual background don on modern CPU's. Jitsi has only a Beta blur screen that is not usefull.
= Meeting organizer has full control: Zoom - Yes, Jitsi - No, the all users are moderators is a joke when using it in professional work envirionment.
= End to End encryption: Zoom, Yes, but only between client and Zoom server. All data channeled thru the Zoom servers isn't. Jitsi, Yes, only in a 1 on 1 meeting, as soon as you setup a multiple participant meeting it's like Zoom.

In the case of multiparty meetings all audio and video traffic is still encrypted on the network (again, using DTLS-SRTP). Packets are decrypted while traversing Jitsi Videobridge; however they are never stored to any persistent storage and only live in memory while being routed to other participants in the meeting.

So all in all, Jitsi is as insecure a Zoom and has only a sub-set of the features I need during my work.

[Red Squirrel]

I wanted to convince my family to use Jitsi but "it's too much trouble let's just use Zoom". That seems to be the trend most of the time with this sort of stuff.

So gave in and installed that spyware on my phone. Is there a way in Android to disable an app completely? who knows what it could be doing in the background. I don't want to delete and install it each time.

Ideally going to setup a Raspberry Pi or something with a web cam to see if I can have it run off that on a separate vlan.

Raspberry Pis will work with a USB webcam, although some configuration is needed:
https://www.raspberrypi.org/documentati ... e/webcams/
Zoom will need to be run from the browser on your pi (which is probably best anyway.)
https://www.raspberrypi.org/forums/view ... p?t=254367

So gave in and installed that spyware on my phone. Is there a way in Android to disable an app completely? who knows what it could be doing in the background. I don't want to delete and install it each time.

https://explorehowto.com/disable-androi ... data-loss/

Has anyone used Jitsi or Jami for a large meeting? 10 or more people?

https://www.reddit.com/r/privacy/commen ... _not_e2ee/
Jitsi isn't end-to-end encrypted, so its main advantage over Zoom in the privacy aspect is that nobody knows about it (similar to how few people use Linux, so it doesn't have many major security threats like Windows does )

Yeah on the Pi I would use in browser.

For the apps I don't get the disable option. I only get force stop and uninstall. I did force stop though. If it's not running in the background then technically it can't spy on me right?

As for Jitsi and encryption at least with Jitsi it's not Chinese based and you can also run your own server so if you do that even if it's not encrypted the entire path is over a network you trust, and you can also trust the app itself to not be loading spyware into your machine like Zoom does.

[Colson P]

Now Singapore has banned Zoom from its classrooms, the US pentagon is restricting its usage, and the US senate is being asked to not use it.
https://www.theguardian.com/world/2020/ ... on-screens
https://www.cnet.com/news/zoom-every-se ... -chat-app/

To make matters worse,

Cybersecurity intelligence firm Cyble discovered that over 500,000 Zoom accounts are being sold on the dark web and hacker forums,

[Dirkoir]

Has there been an outcome on:

(A) protecting one's private files from possibly getting stolen via Zoom?

and

(B) using Firejail successfully for this protection without causing other problems?

or

(C) getting Zoom to work properly (audio and video) inside a virtual machine? - - - (something I already tried but failed (on LM 17 as the VirtualBox hosting OS because I had endless struggles to get a newer LM version installed in multi-boots; only today I finally managed to install LM20.1 but am still needing lots of work to configure it and eventually experiment with VMs on it))


To be clear, the zoom-bombing or being listened to by spies is not a major worry for me. Installing an Internet-access software of unknown trustworthiness is my worry when it might perhaps give hacker-access to my private computer. And, yes, I too am forced to use Zoom now (in job interviews).

[Fizz]

Between work and school, i've had to use several different apps of this kind. i much prefer Zoom to the alternatives (can't stand MS Teams). I recall the initial panic that came out about Zoom at the start of the pandemic. But since then Zoom have released many updates, and I have read that Zoom security has improved greatly. I can't recall the specifics offhand though.

-Fizz

[Dirkoir]

I have become somewhat worried about virally spreading free applications with Internet access being possibly used as Trojan horses to steal private files or perform other hacking acts. Zoom is one of them. Other video chat tools likewise (like Google Meet, MS Teams, Facebook ..., and possibly even Skype the one which -- unlike these others -- we have trusted for ages)

Zoom is still not installable from our standard Linux Mint repository, tho, right? (say, on LM 20; I am currently still on LM 17, so I can't check this now) I tend to trust repository installations more hoping that the Linux communities watch them well.

I wonder if enough fellows will come back into this thread from last year, or if maybe I should start a new one, since I regard this as an important topic.

[Fizz]

I have become somewhat worried about virally spreading free applications with Internet access being possibly used as Trojan horses to steal private files or perform other hacking acts. Zoom is one of them. Other video chat tools likewise (like Google Meet, MS Teams, Facebook ..., and possibly even Skype the one which -- unlike these others -- we have trusted for ages)

Zoom is still not installable from our standard Linux Mint repository, tho, right? (say, on LM 20; I am currently still on LM 17, so I can't check this now) I tend to trust repository installations more hoping that the Linux communities watch them well.

I wonder if enough fellows will come back into this thread from last year, or if maybe I should start a new one, since I regard this as an important topic.

I just checked, and Zoom is on the Mint repository (for Mint 21 anyways). The version is a bit behind the latest though (not suprisingly). If you want the latest version, you could just get it straight from zoom.us, that should be safe.

Fortunately, the odds of Zoom being used for nefarious purposes are low. I haven't found anything indicating that hackers have actually managed to plant malware through Zoom- most of them seem to be focused on setting up fake "Zoom" domains, which has nothing to do with the software itself.

If you are really worried, then there are two options. 1: Use Zoom through the browser (as anything is then contained to the browser). 2: Use 2-factor authentication which is now available.

Hope this helps.


-Fizz

[Dirkoir]

Thanks, Fizz.

Yeah, I just booted LM 20.1 and also found Zoom installable in the Software Manager. Jitsi Meet, that some fellows recommended, is also installable in the Software Manager, but with a "(Flatpak)" label. (and Skype, too, but both normally AND via "Flathub" --- I wonder what these Flat-thingies are... weren't they behind Chromium temporarily having been made uninstallable from our LM repository?)

I haven't found anything indicating that hackers have actually managed to plant malware through Zoom

That at least is encouraging.

If you are really worried, then there are two options. 1: Use Zoom through the browser (as anything is then contained to the browser). 2: Use 2-factor authentication which is now available.

1. To use Zoom from a browser mustn't the Zoom software nevertheless be installed first? And doesn't the browser then simply load up the Zoom software when clicked on a chat link?

2. What can 2-factor authentication do? (I am too busy with too much trouble from all directions to have had enough time to check out the 2-factor authentication play of recent years... what little I saw appeared very unconvincing to me... If invented something called that way, it would betwo passwords for a user: the regular use one more easily stolen because of frequent use, and an account settings one rarely used)

[Fizz]

1. To use Zoom from a browser mustn't the Zoom software nevertheless be installed first? And doesn't the browser then simply load up the Zoom software when clicked on a chat link?

I don't think so. I think you can join a Zoom meeting through a browser link alone, and it loads up and runs inside the browser, no extra software required (though it may not have as many features. I think you can't host this way (only join).

2. What can 2-factor authentication do? (I am too busy with too much trouble from all directions to have had enough time to check out the 2-factor authentication play of recent years... what little I saw appeared very unconvincing to me... If invented something called that way, it would betwo passwords for a user: the regular use one more easily stolen because of frequent use, and an account settings one rarely used)

No, not two passwords. Here is how it works: if a hacker managed to crack your password or something and wanted to use your Zoom, the software would recognize a new device attempting to connect (the hacker's) and request a verification to your own personal hardware (like a text message to your cell phone). The hacker wouldn't have that verification code (because it is generated at login attempt), and it is only sent to your personal device (which you still have).
Here's Zoom's description of it:
https://support.zoom.us/hc/en-us/articl ... ation-2FA-

That doesn't mean Zoom doesn't have other vulnerabilities. Ultimately, it depends on what you have on your computer and how important it is to keep out. I don't have anything that critical (hackers want my homework and saved games? ok... heh) so i don't worry about it. But if you keep some sensitive or potentially damaging material then your concern is warranted.

I don't know much about Firejail, but based on the earlier messages, it sounds like Firejail has a good dev team that was actively working on any Zoom issues. So in the year that has passed i would guess it's better off now.


-Fizz