Reporter investigation: "Zoom bombing": Is the video conferencing software we use safe?

  Xinhua News Agency, Beijing, April 23

  Xinhua News Agency reporter Peng Qianlin Xiaochun

  During the COVID-19 epidemic, online teaching and video conferencing have become new choices for people's work and life. Recently, however, online classrooms and meetings held on the popular video conferencing software Zoom have been broken into by many uninvited guests. They rushed into the live sessions and shouted inappropriate comments or uploaded pornographic images, which caused great trouble to participants, especially teenagers. This kind of "hijacking" and wanton disruption of normal online meetings has also produced a new buzzword: "Zoom bombing".

  Some government agencies and companies, including NASA and Google, have banned employees from using Zoom at work. Singapore has temporarily prohibited teachers from using Zoom to teach lessons this month. Oracle, the database software giant, has voiced support for Zoom, calling it an "indispensable service". In any case, the Silicon Valley technology company Zoom has been plunged into a crisis by "Zoom bombing". People naturally ask: can video conferencing software such as Zoom be used safely?

The epidemic amplifies Zoom's hidden dangers

  Zoom was founded in 2011 by Yuan Zheng, a Chinese engineer in Silicon Valley. Thanks to its good user experience, Zoom has become the first choice for most corporate online meetings; some Chinese children learn English with American teachers through Zoom. After the outbreak, the number of Zoom's daily active users soared from 10 million at the end of last year to more than 200 million in March this year. Even the World Health Organization's regular daily briefings on the outbreak were held on Zoom. As the number of users has skyrocketed, the privacy and security issues of video conferencing software have become prominent.

  "It is itself enterprise-end software. Enterprise users only purchase services when they hold formal meetings. It is a relatively closed environment, and generally no outsiders will come in to make trouble," Liu Jiang, vice president of Beijing Zhiyuan Artificial Intelligence Research Institute, said in an interview with a Xinhua News Agency reporter. He said that now it suddenly has a large number of users, and the value of attacking it has become greater.

  To improve product security, developers of Internet products set up many security checkpoints, but these make the user experience worse. Zoom has always been favored by users because it is easier to use and has more reliable connection quality than similar products. However, in Liu Jiang's view, design choices previously made for the convenience of the user have now become security risk points.

  For example, a user can join a Zoom meeting simply by entering the meeting number, but a meeting number that is only a combination of digits is easy to guess. Little authentication is required to take part, so anyone can break into an online meeting by obtaining a meeting number shared on a network platform, or even by simply guessing the number.

  Bruce Schneier, a cryptography expert and lecturer at the Kennedy School of Government at Harvard University, summarized the security risks exposed by Zoom as "bad privacy practices, bad security practices, and bad user configurations." He claims that the security design of the Zoom product itself is too sloppy, that there are many code errors and software vulnerabilities, and that the encryption method is also very bad.

  Zoom's security problems are not unique. Ding Liping, a researcher at the Institute of Software of the Chinese Academy of Sciences and chairman of the real number of Zhongke, said that at present many products from many companies deal with security issues only at the last minute. "When an unsafe product is applied, the problem will be more and more exposed as the user scale becomes larger and larger." Security should be implemented throughout the entire process of product development.

Not simply questioning

  Beyond the technical problems, some of the voices being raised are not so simple.

  Zoom has set up some R&D teams in China to take full advantage of China's "low-wage advantage" over Silicon Valley; it also has a data center in China; and founder Yuan Zheng is a native of Shandong. Through the "tinted glasses" of some Western politicians and media, these are taken as examples of Zoom being a "Chinese entity".

  In addition, the technology companies that resist Zoom include competitors in the same industry.

  Yuan Zheng rejected the Xinhua News Agency reporter's request for an interview.

  Facing questions from the outside world, Yuan Zheng responded in early April that he would use the necessary resources to better identify, deal with and repair security vulnerabilities within 90 days, including temporarily freezing new feature development and inviting third-party experts to review.

  Oracle founder Larry Ellison recently voiced support for Zoom in a public video, saying that the service provided by Zoom is Oracle's "indispensable service". "Its technology enables Oracle's engineering design, customer service and sales to continue, even now that everyone works from home."

  Ding Liping said: "Zoom will start to solve the problem within 90 days. I believe that after this time point, it will become a safer and more trustworthy good product." Vince Chrysler, a network security expert and former US Air Force communications officer, wrote in his blog post: "I don't want to minimize the emotional and psychological impact of the 'Zoom bombing', but similar things exist not only in the virtual world, but also in the real world."

  Liu Jiang believes that "it is difficult for the technology itself to solve the problem 100%." Just as the Windows operating system needs to be continuously upgraded to patch holes, no software can be absolutely safe.

China's shift to remote office work arrives ahead of schedule

  According to Ding Liping, in addition to Zoom, video conferences in China can also be held with Tencent Meeting, Alibaba's DingTalk, Huawei Cloud WeLink and others. Some of these products use multiple schemes such as secure multi-party computation for data, have strict access control mechanisms and storage, and provide some recording options to ensure security.

  Domestic video conferencing software also faces security challenges brought about by the surge in users. According to data provided by Tencent, Tencent Meeting, launched at the end of December last year, exceeded 10 million daily active users within two months. To meet the growing demand for “cloud-based” office work, Tencent Meeting released 20 version updates within 100 days, and also guarded against unknown product risks by increasing internal security investment and conducting public security testing.

  "The epidemic not only advances the (popular) trend of remote office in China by 5 years, but also cultivates users' online office habits," Qian Min, head of Tencent Cloud Office Collaborative Product Center, said in an interview with reporters, adding that in the future there will be more exploration of combining online and offline office work.

  As for how ordinary users can safely use video conferencing software, Ding Liping recommends the following: first, do not use immature products; second, enable the security features, which users sometimes do not turn on; third, distinguish between office and home environments, do not place too many personal items in the video conferencing environment, and pay attention to protecting personal privacy; fourth, develop good video conference habits, keep silent when not speaking, and try to show details of some sensitive files by email. "If the security configuration is done, users can rest assured."