Since I last wrote to you fine people, the world has massively changed. Some changes are for the better; some are for the worse. On the bright side, people have suddenly realized that we’re all “internet locals” now, so we can hang out together virtually and do some really cool stuff! Musicians are doing free concerts or assembling distributed recordings into neato ukelele videos; adults are attending virtual game nights, artists are creating cool artwork, teachers are porting their classwork into virtual classes and much, much more.
And what most all of these activities have in common right now? That’s easy: Zoom. Zoom is the name of the application that helps folks to meet-up virtually, video chat, and broadcast webinars. It’s kind of like Skype but on steroids and it’s suddenly very, VERY popular.
However, it’s also now VERY criticized. A growing chorus of security professionals and educators are reporting that Zoom is, among other things: “malware”, a “privacy risk”, lying about their end-to-end encryption and worse. Here’s a scathing article from CNET. Here’s another from The Washington Post. And one from NPR. And another from Vice.
People are fearful, worried and protective of their privacy and it sure does seem like Zoom is trying to undermine it if you read the press and the articles written by security professionals. Personally: I can’t argue with most of the criticism. These folks all have a legitimate beef with Zoom; the problems they’ve discovered with the company’s software are real. However, that doesn’t stop me from using the software to teach my improv classes.
Malicious Vs. Sloppy
All of the worthy criticism being leveled at Zoom is, honestly, right on schedule. Prior to the pandemic hitting, Zoom was more of a nitch player in the video conferencing market. Then, as soon as millions of people started using their software, it became a target for hackers.
Only, that’s not unique to Zoom: it happens to ANY software title or platform. It’s considered a mark that you’ve arrived on the world stage, so:
It’s good that it happened.
Let me explain… As hackers started to pick apart the Zoom software and exploit its weaknesses, and as security researchers began to uncover some of the application’s shortcomings, it gave the public a chance to see how the company would respond. It’s now 100% clear from the company’s most recent response that they didn’t create malicious software designed with malice to harvest data or expose users’ privacy.
Instead, they just made incredibly sloppy software that was designed for speed.
It’s a huge difference and something that’s important for the public to keep in mind. Also - and this is key - they didn’t design their software to be used by every school district and work-from-home employee in the world nearly overnight. But that happened as well. And that kind of explosive growth puts a tremendous strain and spotlight on a company.
So, how did the company respond in the face of all of this pressure? Exactly as I might have hoped. The company shifted quickly, started rolling out patches and improvements on a near-daily basis to address their software’s shortcomings. The CEO went public with his desire to hear the complaints, listen, and pivot to address them. The company’s new changes include new security controls, changing their iOS app to not interface with Facebook, hiring Facebook’s previous and well-respected security chief a massive and transparent update about security from the CEO, and more.
Which is to say: the company is listening. And they’re demonstrating by their actions that they’re doing all of the right things. For now.
Privacy Vs. Security
It’s also important to remember that security and privacy aren’t the same things:
Privacy, as defined by Mirriam Webster, is freedom from unauthorized intrusion. In tech, I’d describe privacy as the desire to feel safe from others monitoring what we’re saying or doing.
Security, as defined by Mirriam-Webster, is measures taken to guard against espionage or sabotage, crime, attack, or escape. In tech, I’d describe security as the hardware, the software, and the behaviors we adopt to help keep our affairs private.
In other words, privacy is a feeling or a state of being and security is list of actions we take to achieve that privacy.
Enacting good security measures to achieve our privacy isn’t a one-size-fits-all approach for those around us. In fact, it’s rarely a one-size-fits-all approach for ourselves: there are many situations in my own life where I need higher levels of security and others where I’m comfortable with less. It’s always a balancing act.
Sometimes, I need to be productive and efficient, so I’m willing to work with lower levels of security. Much of my basic email falls into this category as I use Google, a company renowned for harvesting data. Other times, I need higher levels of security, because certain aspects of my life require it. Much of my medical and financial affairs fall into this category so I use much more secured forms of communications.
But teaching improv classes on Zoom? Privacy isn’t so important in that, specific context. Neither what I’m teaching, nor the activities I’m undertaking, nor the discussions I’m having with any my students require high-levels of privacy. If hackers were able to watch or overhear my class, all they’d observe would be a bunch of happy people doing fun and silly games with one another.
I’m fine with that. But it doesn’t mean I’m not interested in the security of my Zoom meetings. So let’s take a look at how I implement security on Zoom and how you should as well…
Photo by marcos mayer on Unsplash
The Hacks & How to Prevent Them
Hackers try to find loopholes and exploit weaknesses in any popular software. It’s what they do. Expect that. As users, it’s our responsibility to learn how to find and use our software’s security protocols and then set them tightly. It sounds harsh but it’s true:
If you’re hacked and there was an easy way to prevent that hack, then you should have taken the time to learn more about your software before implementing it, especially if you’re using your software to supervise children.
Think of security preferences like you would think of a seatbelt in your car: they should ALWAYS be on.
In fact, before using any piece of software, you should always - ALWAYS! - take the time to explore the preferences to see what’s offered. Start with the Security/Privacy preferences. Many times those preferences get their own category as shown below in the Chrome and Brave browsers and the Discord desktop application:
Additionally, turn off ANY feature in your software unless it’s proven safe to use and you’ve taken the time to verify that yourself.
With that in mind, let’s dive in…
The Zoombombing Hack
This hack works when malicious hackers join your meeting and use the “screen share” feature of Zoom to share inappropriate content with the rest of your attendees. Not cool.
Much has been made of this exploit which surprises me because the controls to prevent this have always been available. Click this link, log into your Zoom account if asked, and then click the “In Meeting (Basic)” link as shown. Scroll down to your Screen Sharing preferences and ensure that it’s only turned for YOU (the host), not for all of your participants. You’ll note that, in my preferences, I’ve not activated the “Disable desktop/screen share for users” preference because I sometimes DO share my screen when I’m hosting a meeting. I’ve just ensured that I’m the only one that can do that.
The Virtual Screen Hack
This hack works when malicious hackers join your meeting and use the “Virtual background” feature of Zoom. This feature allows users to change their background to ANY image. Malicious hackers can then feature what appears behind them to share inappropriate content with the rest of your attendees. Also, not cool.
Once again, the controls to prevent this hack have always been available. Click the same settings link as above, log into your Zoom account if asked, and then click the “In Meeting (Advanced)” link as shown. Scroll down to your Virtual background preferences and ensure that it’s turned off.
The Chat Hack
This hack works when malicious hackers join your meeting and use the chat feature of Zoom. If turned on, malicious hackers can send chat messages to you or to everyone in your meeting the ability to attach inappropriate images. Again, super not cool.
Once again, the controls to prevent this hack have always been available. Click the same settings link as above, log into your Zoom account if asked, and then click the “In Meeting (Basic)” link as shown. Scroll down to your Chat preferences and ensure that it’s turned off.
In my case, you’ll see chat is ON, but that’s because I use it a lot in my virtual improv classes and I carefully vet my attendees.
The “Your Meeting is Public” Hack
This hack works when malicious hackers join your open meeting because you’ve made the mistake of publishing your link to the general public. Once in your meeting, they do anything possible to disrupt or attack.
There are two ways to prevent something like this from happening.
NEVER make your meeting link freely available online. Don’t put it on your website, a bulletin board, or in a group email to everyone you know. If you do that, you’re only asking for trouble. Instead, only provide your meeting link to those you know or have vetted in advance. One simple way to do this is to have your attendees register to attend your meeting on another website. I use and love TicketSpice for this very reason.
Use Zoom’s “Waiting Room” feature to prevent anyone from joining your meeting until you allow them in. Click the same settings link as above, log into your Zoom account if asked, and then click the “In Meeting (Advanced)” link as shown. Scroll down to your Waiting room preferences and ensure that it’s turned ON. Then, if someone attempts to join your meeting and you don’t recognize the name: don’t let that person in.
The My Account Info Got Stolen Hack
This hack works when malicious hackers manage, through a variety of efforts, to gain access to your Zoom account username and password. If this happens, all of the work you’ve done to protect your users and lock down your account is undermined.
Therefore, use the same advice I mentioned in Episode 20 when discussing how to secure your email accounts: add two-factor authentication (or “2FA” for short) to protect your Zoom account. Doing this will eliminate nearly every hacker’s ability to log into your account.
Zoom has an easy-to-follow help page on how to do this here. In short, click this link to visit your Zoom account’s security preferences and scroll down to the 2FA preferences as shown and turn it on. Make sure to select the “All users in your account” radio button as shown. That will force ANYONE in your organization who shares your Zoom account - something that’s common with business accounts - to also apply 2FA to their login.
Then, the next time that you log in, you’ll be met with the following screen:
If you’re not familiar with how 2FA works, let me say this: I highly recommend learning about it more. Here’s a free link to a piece I wrote on Medium which does a deeper dive on the topic. The quick overview is this: 2FA uses an application on your smartphone (I use the amazing and free “Authy” app) which provides you with a different 6-digit-code every 30 seconds. This means that, in order for hackers to be able to log into your account, they’d not only need your username/password but they’d also need access to your smartphone.
The I’m Lazy Hack
This hack works when a software company releases newer, better, and safer versions of their applications but you’ve not taken the time to download and install those updates. When hackers note this - and they can and will - they can leverage security holes in older versions against you.
This is, literally, the laziest mistake of all, so start by downloading the newest version of Zoom here. If you’ve already got the app installed, always click yes if it prompts you to update. If you’re not sure, check: click on your profile pic in the Zoom application and select “Check for Updates” as shown:
The Lessons Learned
We’re responsible for the technology we use. In a few rare examples — CleanMyMac & MacKeeper come to mind — the applications we use are designed with malice to hurt our computers and livelihoods. In nearly every case — including Zoom! — the software might be buggy, outdated, or require patching/updating but it’s not intended to harm.
You, not the software company, are your last line of defense. Get educated, learn about your apps, and lock them down in ways that protect you and those you serve. That’s true for ANY application on any operating system.
I have faith in you. Now go out there and lemme know how it goes…!
That’s a wrap for today’s episode, everyone. Thank you again, for reading and for being a subscriber. Let me know your thoughts & questions in the comments section. All subscribers can read & leave comments.
As always… surf safe.
Click here for my guide on how to choose a privacy-focused VPN.
If you’re looking to set up a VERY secure iPhone, click here.
To learn how to remove your personal data from the web, click here.
For a super cool way to NOT give your personal email address to everyone, click here.
Click here for a crash course on how to keep your devices updated.