Zoom hit by major security breach: tens of thousands of videos publicly viewable, CEO considering open source

Did you Zoom today? Zoom, the video conferencing software that took off during the outbreak, has just suffered a major security breach: tens of thousands of private recordings ended up on the open web, where anyone could watch them online. Founder Yuan Zheng admits that if the security problems cannot be fixed, he may even consider open-sourcing Zoom's code.

During the coronavirus outbreak, use of video conferencing software surged, and the most eye-catching product was Zoom. Its daily users jumped from 10 million in December to 200 million today, making it the breakout hit of video conferencing. Europeans and Americans confined to their homes use Zoom to hold meetings, attend classes, run training, visit family and friends, see doctors, and even hold weddings and funerals.

Zoom's greatest attraction is that it is “simple and easy to use”, but the price of that simplicity has been a string of security vulnerabilities and unanswered privacy questions.

Tens of thousands of private videos leaked, because of how the files are named?

15,000 videos made public

The Washington Post recently reported a major Zoom breach: tens of thousands of private Zoom recordings had ended up on the open web, where anyone could watch them online. A genuine thriller!

Patrick Jackson, a former National Security Agency researcher, told the Post that a single search of open cloud storage turned up 15,000 Zoom recordings.

The recordings the Post reviewed from this trove include one-on-one therapy sessions; a training session for telehealth call takers, including attendees' names and phone numbers; a small company's meeting with financial statements on screen; and an elementary-school online class in which the children's faces, voices and personal details are visible. Many recordings contain personally identifiable information and intimate conversations from people's homes, and some even show a beautician demonstrating hair-removal techniques on nude clients.

One naming rule for every recording is weak security

Zoom does not record video calls by default, but a meeting host can record a meeting and save the recording to Zoom's cloud, to a local disk, or to any other cloud or public site, without the participants' consent, and every Zoom recording is saved under the same file-naming rule.

Jackson found the problem by running a free online search engine that indexes open cloud storage: one query for the default file name pattern returned 15,000 recordings. Some recordings sat in unprotected Amazon S3 buckets that users had inadvertently made public, and others could be found on YouTube and Vimeo.

Fifteen thousand recordings show that this is not individual carelessness but a product design decision. Zoom's designers skipped a safeguard that other video chat programs commonly apply: giving each saved recording a unique file name. Zoom's single default naming scheme is simple and convenient, but it also makes the recordings easy for an attacker to find.

“Zoom should do a better job of reminding users to protect their recordings and make some design changes, such as naming recordings in an unpredictable way that makes them hard to find on the public web,” Jackson said.
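To make the naming point concrete, here is an added example in Go (not code from the article or from Zoom). It assumes an illustrative default pattern, `rec_<number>.mp4`, standing in for the single product-wide naming rule the article describes, and a constructed listing of object keys from an open bucket. It shows what one pattern search finds across the listing, and what a name built from CSPRNG output looks like instead:

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
)

// defaultPattern is an assumed, illustrative stand-in for a product-wide
// default recording name: a fixed prefix followed by a small counter.
// The article describes one shared naming rule but does not print it.
var defaultPattern = regexp.MustCompile(`^(?:.*/)?rec_\d+\.mp4$`)

// IsPredictableName reports whether an object key follows the shared
// default pattern, i.e. whether a single search term would match it.
func IsPredictableName(key string) bool {
	return defaultPattern.MatchString(key)
}

// FindPredictable filters object keys (e.g. from an index of open buckets)
// down to those matching the default pattern. This is what a one-shot
// search for the default name does across every open bucket at once.
func FindPredictable(keys []string) []string {
	var hits []string
	for _, k := range keys {
		if IsPredictableName(k) {
			hits = append(hits, k)
		}
	}
	return hits
}

// UnpredictableName returns a recording name carrying 16 bytes (128 bits)
// of CSPRNG output, so it cannot be guessed or enumerated by pattern.
func UnpredictableName() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "rec_" + base64.RawURLEncoding.EncodeToString(b) + ".mp4", nil
}

// constructedKeys is a made-up listing of object keys in an open bucket.
var constructedKeys = []string{
	"backups/rec_0.mp4",
	"rec_1.mp4",
	"team/q1-financials.xlsx",
	"rec_7.mp4",
	"rec_Zk3p9QfA1bQw2s5hT7nLxg.mp4", // already randomised: not found by pattern
}

func main() {
	for _, k := range FindPredictable(constructedKeys) {
		fmt.Println("guessable:", k)
	}
	n, err := UnpredictableName()
	if err != nil {
		panic(err)
	}
	fmt.Println("random name:", n, "predictable:", IsPredictableName(n))
}
```

A random name only hides the object from pattern searches; it is not access control. A bucket that is public still serves the file to anyone who has the URL, so the unpredictable name belongs alongside, not instead of, a private bucket and participant consent.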

A Zoom spokesperson later issued a statement advising users to exercise caution when uploading recordings:

“When a Zoom meeting host records a meeting, Zoom notifies all attendees and provides the host with a safe and secure way to store the recording. Zoom meeting recordings are stored only on the host's local device or in the Zoom cloud, at the host's choice. If the host chooses to upload the recording to another location, we urge them to use extreme caution and be transparent with participants, and to carefully consider whether the meeting contains sensitive information and what the participants' reasonable expectations are.”

Zoom is also accused of misleading advertising

Security researchers who analyzed Zoom's code say its software relies on techniques that could expose users' computers to attackers. Zoom's data-sharing design also lets some users record conversations without the consent of every attendee, which can expose participants' privacy.

Zoom's default settings let a new user abruptly push text and images onto other participants' screens while a call is in progress, and this screen-sharing feature has been freely abused for “Zoombombing”. Zoom told The Washington Post that the feature was designed for its core user base, and that it had recently changed the default settings for school accounts so that by default only teachers can share their screens.

Alex Stamos, a former Facebook security chief and now head of the Stanford Internet Observatory, says Zoom's problems range from silly design choices to serious product security flaws, many of which worry him.

According to a technical analyst at the cybersecurity firm VMRay, the code Zoom uses to speed up installation relies on “poor security practices and lying to users.” In response, Zoom CEO Yuan Zheng said the company adopted those practices as a trade-off to reduce the number of “clicks” users need before they can use the program.

The most serious of the security problems exposed this round is the lack of end-to-end encryption for video calls. Zoom's marketing described its video meetings as end-to-end encrypted, but in practice only part of the in-meeting text messaging was end-to-end encrypted; audio and video were not.

A Zoom spokesperson later said that the platform could not currently provide end-to-end encryption for video meetings.

Why doesn't Zoom use end-to-end encryption?

To understand end-to-end encryption, you first need to understand what encryption is.

In cryptography, encryption transforms readable plaintext into ciphertext that cannot be read without the key. Only a party holding the decryption key can turn it back into readable content.

End-to-end encryption (E2EE) is a communication system in which only the communicating users can read the messages. It prevents potential eavesdroppers, including telecom carriers, Internet service providers and even the provider of the communication service itself, from obtaining the keys needed to decrypt the conversation. Such systems resist surveillance and tampering because a third party without the keys cannot decipher the data in transit or at rest. A provider that uses end-to-end encryption, such as WhatsApp, cannot hand over its customers' message content, which is also why this kind of encryption complicates law-enforcement investigations and forensics.

Without encryption, any hop on the path from A to B can read and modify the message. With SSL/TLS, the link from A to the server and the link from the server to B are each protected, but the server decrypts the message in between and holds it in plaintext. With end-to-end encryption, A encrypts with user B's public key, the server has no key and simply relays ciphertext, and B decrypts with the matching private key, so the message stays encrypted over the entire path.

Netscape designed the SSL protocol (Secure Sockets Layer) in 1994; in 1999 the IETF, the Internet standards body, released its successor TLS (Transport Layer Security), replacing Netscape's SSL. TLS is what Zoom uses to encrypt its video streams: it protects each hop, but the content is decrypted on Zoom's servers, so the provider, or anyone who compromises those servers, can still get at user data.

If end-to-end encryption is so good, why doesn't Zoom use it?

For one thing, end-to-end encryption only protects the confidentiality of the content; it does not stop the communication from being cut off entirely, and it does not hide metadata. Think of Zoom delivering an end-to-end encrypted parcel: Zoom may not know what is inside, but it certainly knows the sender, the recipient and the address, and it does not guarantee delivery. So for applications with higher confidentiality requirements, end-to-end encryption must be combined with protection at other layers to achieve a good result.
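The following is an added example in Go (not code from the article or from Zoom) that models the two paths described above and the metadata point of the last paragraph. It assumes a `Relay` type standing in for the provider's server, a constructed sample message, and RSA-OAEP as the public-key scheme; that last choice is a simplification, since real messengers wrap a fresh symmetric session key rather than encrypting content directly with the recipient's long-term key. In both paths the relay records what it handled, so the difference in what the provider learns can be checked afterwards:

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Relay models the provider's server sitting between A and B. It records
// everything it handles so we can check afterwards what the provider learned.
type Relay struct {
	From, To string // routing metadata: visible to the server in both models
	Seen     []byte // the payload exactly as the server handled it
}

// TransportOnly models hop-by-hop TLS. The A->server and server->B links are
// each encrypted (elided here), but the server terminates TLS, so at the
// server the payload is plaintext before being re-encrypted towards B.
func TransportOnly(r *Relay, from, to string, msg []byte) []byte {
	r.From, r.To = from, to
	r.Seen = append([]byte(nil), msg...) // the server holds the plaintext
	return r.Seen                         // forwarded to B on the next hop
}

// E2EESend models end-to-end encryption: A encrypts for B's public key, and
// the server only ever handles ciphertext. It still sees who talks to whom.
func E2EESend(r *Relay, from, to string, pubB *rsa.PublicKey, msg []byte) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubB, msg, nil)
	if err != nil {
		return nil, err
	}
	r.From, r.To = from, to
	r.Seen = ct
	return ct, nil
}

// E2EEReceive is B's side: only the holder of the private key can recover
// the content the server relayed.
func E2EEReceive(privB *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, privB, ct, nil)
}

// ServerSawContent reports whether the relay's copy of the payload is the
// message itself, i.e. whether the provider could read it.
func ServerSawContent(r *Relay, msg []byte) bool {
	return bytes.Equal(r.Seen, msg)
}

func main() {
	privB, err := rsa.GenerateKey(rand.Reader, 2048) // B's key pair; A gets only the public half
	if err != nil {
		panic(err)
	}
	msg := []byte("Q1 numbers: revenue down 12%") // constructed sample message

	tls := &Relay{}
	TransportOnly(tls, "alice", "bob", msg)
	fmt.Printf("TLS only: server saw content=%v from=%s to=%s\n",
		ServerSawContent(tls, msg), tls.From, tls.To)

	e2e := &Relay{}
	ct, err := E2EESend(e2e, "alice", "bob", &privB.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt, err := E2EEReceive(privB, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("E2EE: server saw content=%v from=%s to=%s; B decrypted ok=%v\n",
		ServerSawContent(e2e, msg), e2e.From, e2e.To, bytes.Equal(pt, msg))
}
```

Note what the relay still learns in the E2EE path: the `From` and `To` fields are filled in exactly as before. That is the metadata the paragraph above describes, and no amount of content encryption removes it; only a different architecture (or onion-style routing) would.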

Freeze new features immediately and plug the holes

On March 20, Zoom published guidance to help users deal with harassment on the platform (so-called “Zoombombing”), pointing them to waiting rooms, meeting passwords, mute controls and restrictions on screen sharing.

On March 27, the Facebook SDK was removed from the iOS client.

On March 29, the privacy policy was updated to state clearly that Zoom does not sell user data, has never sold user data, and has no intention of selling user data in the future.

For education customers, Zoom released an administrator guide for securing virtual classrooms and published a dedicated K-12 privacy policy.

On April 1, Zoom announced that it would freeze development of all new features and devote all of its engineering resources to fixing the recently disclosed security and privacy problems.

Zoom was founded for love. Did you Zoom today?

“We've realized that we haven't lived up to our users' expectations for privacy and security. I apologize for this.”

In Zoom's letter of apology, founder and CEO Yuan Zheng restated the company's founding mission. It reads a little like an attempt to soften the leak, but there is no shortage of sincerity in it. “We did not design this product expecting that, within a few weeks, everyone in the world would suddenly be working, learning and socializing from home.”

“Whether it is multinationals trying to keep their businesses running, local governments keeping their communities going, school teachers moving to distance learning, or people who want quality time with friends during isolation, we are honored to help them stay connected.”

“We feel a great responsibility. Zoom's user base grew far beyond anything we expected, almost overnight. That includes more than 90,000 schools in 20 countries that have started distance learning. In March this year we had more than 200 million daily meeting participants, free and paid. We are working around the clock to make sure all of our new and existing users can stay connected and that the service keeps working.”

In short, the message is that Zoom's business started with good intentions, that keeping people connected during the outbreak is meaningful work, and that we should not be too hard on them.

Let’s go back to Zoom’s original vision.

Zoom traces back to founder Yuan Zheng's freshman-year girlfriend, who lived in another city, a ten-hour train ride away, so the two saw each other only a few times a year, during the winter and summer holidays. Missing her gave him the idea of building a video-chat service, and his persistence in love eventually won her hand.

In 2018 he was named the most popular CEO on Glassdoor's Top 100 CEO list with a 99 percent approval rating, ahead of even Mark Zuckerberg and Tim Cook. He ranked 78th on the 2019 Hurun Rich List and appears on the Forbes billionaires list due out in April.

Yuan Zheng is something of a legend. Compared with other tech moguls, he was no prodigy. Born into a family of mining engineers in Tai'an, Shandong Province, he graduated from Shandong University of Science and Technology in 1987 with a degree in applied mathematics. On a business trip to Japan in 1994 he heard a speech by Bill Gates, and the idea of packing up, crossing the ocean and joining the Internet wave came to him.

When he set out for the United States, Yuan Zheng spoke Mandarin with a heavy accent and English was a stumbling block. When the US consulate asked for his English business card, which read “consultant”, the visa officer took it to mean a part-time contractor. Over two years he was refused a visa nine times. In 1997 he finally made it to the United States, and stayed for twenty years. After arriving he sent out résumés, and eventually joined WebEx, an early web conferencing company, to write code.

Around 2000 he was dealing with customers every day, and as they grew increasingly dissatisfied his work became a strain. In 2007 WebEx was acquired by Cisco.

Later Yuan Zheng, by then Cisco's vice president of engineering, left and took more than 40 engineers with him. Zoom was formally founded in 2011, and at first its service was offered to organizations free of charge.

Mistakes or not, the first duty is to do good for the world

“When I was young I wanted to understand what life was for, but I couldn't find the answer,” he said in an interview with Startup Bang. “Later I understood that life is about pursuing happiness, and that by creating happiness for others your own happiness can continue. So I founded the company on the same principle, and strive to make customers happy.”

Yuan Zheng's son was a college freshman when the outbreak began and started using Zoom for classes. “I told my son that I finally understood the meaning of working so hard,” Yuan said in an interview with Forbes. “I build these tools so that you can go to class online.”

The original intention was good, but the stronger the wind, the easier it is to stumble.

After the leak, Yuan Zheng's mother, who lives under the same roof, worried constantly about his health. He has been holed up in his home office every day, sleeping only two or three hours.

“If I had a choice, I would definitely go back to B2B; the rules of the game now are completely different,” he admitted in the interview. Yuan even said he would consider open-sourcing Zoom's code in the next few years if he cannot make Zoom the world's most secure platform.

The scene feels familiar. “I started Facebook, and at the end of the day I'm responsible for what happens on our platform,” said Mark Zuckerberg, once the most admired entrepreneur, in the wake of Facebook's user data scandal.

Between love and career, one wonders what Yuan Zheng is feeling at this moment.

Related links http://www.scots

https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

https://www.cyzone.cn/article/520637.html

https://zh.wikipedia.org/wiki/%E8%A2%81%E5%BE%81

https://mp.weixin.qq.com/s/Q0i-ddBrVRcOGll8E6ii3A