> On Apr 6, 2020, at 11:10 AM, shadow at shadowgard.com (via tml list) <xxxxxx@simplelists.com> wrote:
>
> On 3 Apr 2020 at 23:36, Bruce  Johnson wrote:
>
>> I´ll just add to this that Zoom is head and shoulders better than
>> all the rest of those in terms of ease of use.
>
> I've heard some disturbing things about Zoom's (lack of) security
> apparently their encryption leaves much to be desired, among other
> things.

There’s a lot of confusion going on about it; from what I‘ve read there are some significant differences between the ‘free’ use version and contracted versions. We have a SLA with Zoom that is certified for communicating HIPAA-sensitive clinical data over the service. However that use is required to take place entirely within our networks, ie: on the U’s VPN, so Zooms encryption or lack thereof is irrelevant.

There’s also a lot of rehashing of older issues that have long been fixed, like the hidden web server on macs. (That was a BAD one and someone should have really been fired for that!)

The ’sending data to Facebook’ issue is only on Android and IOS and per zoom has been removed in the latest version of the client. (but given the massive penetration of Facebook into pretty much every nook and cranny of the digital world, this is plugging a little hole in the dam that has a 200-meter gap in the middle with a raging torrent pouring out)

Also from what I’ve read and seen is that people are not taking care to properly set up their meetings (a process that is NOT helped by the defaults Zoom puts in place!) that allow anyone with the link to join in and share their screen. You can password-protect the meetings, make meeting so the owner has to click ‘allow’ on you joining.

You also have to set it up so the owner of the meeting can stop the screen sharing for any participant  and be able per permanently expel people.

All of these things really needed to be defaults… It’s not like we don’t have real-world examples of how this technology can go wrong…chatroulette anyone?

This was big part of our training push when the UA announced that they were suspending physical classes for the semester. We were lucky, they made that decision right at the beginning of Spring Break here, so we had a week’s breathing room to get faculty and staff up to speed.

But a lot of these kinds of faults don’t show up until some service gets slammed by a massive upsurge of users. Then all the convenient shortcuts they took building their systems in the name of ‘move fast and break stuff’ start showing. The whole culture and practice of modern network and internet development is, in a real sense, badly broken, driven by the demands of VC returns not service reliablity and security. (and when the users are, in the main, the *product*, not the *customer* this will continue to be a privacy nightmare)

And that’s not even getting into the fake zoom meeting invites being sent around by the usual nefarious suspects.

oBTrav: We’ve had many discussions in the past about how the OTU would manage this kind of thing, but considering that when the OTU was conceived, all of this stuff was really considered to be stuff from the far future…:-)

--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs