Zoom is making some drastic changes to stop rampant abuse as trolls attack publicly shared video calls. As of April 5, passwords are required to enter calls via meeting ID, since meeting IDs may be guessed or reused. Meanwhile, virtual waiting rooms are now enabled by default, so hosts must manually admit participants.
The changes could prevent "Zoom bombing", a term that I coined two weeks ago to describe malicious actors who enter Zoom calls and disrupt them by screen-sharing offensive images. Since then, new Zoom bombing tactics have emerged, such as spamming the chat thread with terrible GIFs, using virtual backgrounds to spread hateful messages, or just screaming swear words and slurs. Anonymous forums have become breeding grounds for organized trolling efforts to raid calls.
The FBI has issued a warning about the Zoom bombing problem after online classes for children, Alcoholics Anonymous meetings, and private business calls were raided by trolls. Security researchers have shown many ways that attackers can infiltrate a call.
The problems stem from the fact that Zoom was designed for trusted business use cases rather than cocktail hours, yoga classes, panel discussions, and courses. But with Zoom struggling to scale its infrastructure as its daily user count has increased from 10 million to 200 million over the past month due to coronavirus shelter-in-place orders, it was unprepared.
Eric Yuan, CEO of Zoom, apologized for the security deficiencies this week and promised changes. At the time, however, the company said only that it would default to host-only screen sharing and to waiting rooms for its K-12 education users. That clearly was not enough, so waiting rooms are now enabled by default for everyone.
Zoom emailed the changes to users, stating, "We chose to enable passwords for your meetings and to enable waiting rooms by default as additional security enhancements to protect your privacy."
The company also said, "For meetings scheduled in the future, the meeting password can be found in the invitation. For instant meetings, the password is displayed in the Zoom client. You can also find the password in the URL for attending meetings." Some other precautions that users can take include disabling file transfer, screen sharing, or rejoining by removed participants.
The move can cause problems for users. Hosts will be distracted by having to approve participants from the waiting room while trying to run their calls. Zoom recommends that users resend invitations with passwords for meeting ID-based calls scheduled after April 5. Hunting for passwords can make people late to calls.
However, this is a reasonable price to pay to keep people from being scarred by Zoom bombing attacks. The rash of trolling threatened to sour many people's early experiences with the video chat platform just as it was having its breakout moment. A single call disrupted by pornography can make a stronger impression than 100 peaceful calls with friends and colleagues. The old settings made sense when Zoom was just a corporate product, but it needed to reckon with its own change in identity as it becomes a fundamental utility for everyone.
Technologists need to get better at anticipating worst-case scenarios as their products go mainstream and are adapted to new use cases. Assuming that everyone has the best intentions ignores the reality of human nature. There is always someone who will try to make a profit, gain power, or cause chaos given the slightest opportunity. Building development teams that include skeptics and realists, not just visionary idealists, could ensure that products are protected from misuse before, rather than after, a scandal.