As an Internet Security professional, I have heard some folks expressing dismay over various security issues in the Zoom video conferencing package and the MatterMost chat services. I may do a piece on MatterMost at a later date, but for now I want to focus on Zoom because Zoom is what Meetup is suggesting as one of their preferred video conferencing platforms. (The other, Google Hangouts, is limited to ten people and thus isn’t practical for a number of the meetups I run.)
Most of the issues covered have already been patched, such as UNC password theft under Microsoft Windows. This was a rather insidious security flaw but fortunately the folks at Zoom stepped up to the plate and patched.
iOS profiling also seems to be fixed. Since I do a lot of my Zoom conferencing, with the National Popular Vote Interstate Compact grassroots coalition, on the iPhone, this has been a great relief. Now, though, I do most of my meetup Zoom conferences on my laptop.
The decrypting of streams at the Zoom servers and re-encrypting them as they go out to the far-end client is at first blush worrisome, but that in part is necessary for folks recording their Zoom sessions, and though it puts a vulnerability at the level of Zoom staff, one hopes Zoom is careful with whom it employs. But it must be said, nothing I do on Zoom is something I would be embarrassed about were it to leak. I nonetheless want to do everything in my power to make sure it stays secure and I’m happy to hear Zoom is looking into closing this security flaw.
The auto-download for Macintosh is worrisome but again I am happy to say this practice is also ending, as it is a backdoor that Zoom can use to allow third-party software onto one’s Mac. Zoom also has ceased allowing team profiles to share email addresses, though this is not a feature I’m using for any of my Zoom conferences.
As for recording leaking onto the Internet or folks joining your conference uninvited (Zoom Bombing) or war drive scanning Zoom to find your conference, all of these can be solved by user diligence. It’s important to be mindful of who you let into a conference, and don’t let just anyone have access to your recordings. For my Writing Groups, only myself, the account owner, and the persons being reviewed will ever have access to the recordings, and if the reviewed doesn’t need the recordings, we will delete them.
Also, as of this morning, 5 April 2020, at 0:00 UTC, Zoom now requires passwords on all new Zoom events. Thus, even with a Zoom ID scan, you won’t be able to get into the meeting without the password and although the URL can encode the password in an obfuscated way, simply scanning Zoom IDs will not get you into the conferences. And even if you did, I’d still have to approve you. I won’t.
Overall, I’m quite happy with Zoom and hope to use it all through Covidapolis. Overall, I give it this Security Engineer’s line of approval. And please note, I am available for hire if you like what you see!
From about 2020-03-23T14:30:00Z (10:30 am, Monday) to about 2020-03-23T23:30:00Z (7:30 pm, Monday), Google was redirecting all my email and either bouncing it or deleting it.
Let me repeat, Google deleted or bounced my email for Nine Hours, as a part of the setup for my paid Google Apps account. The setup for these accounts is a bit weird. They require you to create a new Google entity with your own company URL. Fortunately, I have multiple domains I own and maintain, including this one, TimeHorse.com.
I probably should have used my writing group domain, RestonWriters.org. After all, the whole reason I wanted to get a paid Google account is because Meetup was moving to Online-Only meetings, following the outbreak of SARS-CoV-2, and I needed a tool that allowed for video conferencing.
Skype was a non-starter. For one thing, it’s great for person-to-person communications, but for group chats, it has this annoying habit of muting everyone except the current speaker and you have to wait until that speaker stops to get a word in edgewise. My understanding is WhatsApp has the same problem.
Meetup actually suggested using Google Hangouts or Zoom. I happen to like Zoom. I use it for my regular NPVIC Grassroots strategy meetings and for Toastmasters and it’s always worked great. Zoom does support up to a hundred participants, both free and Pro. The only problem is, each of those Zoom sessions is either limited to the free forty-minute block or is using an up-to-24-hour Zoom Pro Account. Since most of my Meetups are at least an hour, breaking meetings up into forty-minute chunks would be tedious. And, at $14.99 a month, the professional account is well out of my price range.
Just before the first week of Virtual meetings began, my writing colleagues and I, including Elizabeth Hayes, who runs The Hourlings, tested both free Zoom and Google Hangout. Despite being limited to ten people, we decided on Google Hangout and I mapped it to our official Virtual Meeting URL.
Ten people worked fine for Reston Writers and for the Saturday Morning Review. The Saturday Morning Review actually worked out quite well because Meetup, despite suggesting we move to a virtual platform, still won’t let you delete the venue from your event and mark it as virtual, which, when editing events can cause some confusion. But when the Library cancelled all our events, I just deleted them all from the Meetup Calendar, and recreated them with no Venue and just announced them as occurring in Cyberspace.
Stay with me folks, I’m getting to the email…
As Sunday approached, I knew ten participants wouldn’t be enough. Google Hangout would be fine for Bewie Bevy of Brainy Books and Saturday Morning Review, and likely The Science Book Club, as they all usually have fewer than ten participants for each meeting. The Hourlings, on the other hand, often had twelve, and sometimes as many as sixteen!
I knew Zoom was $14.99 a month, but I read that Google App accounts could up the number of participants to twenty-five. Unfortunately my 2TB Google Drive account didn’t qualify. I had to get a Google Apps account.
And that’s where my troubles began.
At first, I could only sign up for the $12 per month account, even though I’d read it could be had for $6. Since the setup has a fortnight trial period, I didn’t worry about the financial discrepancy. I set up the account with my business email address for TimeHorse, LLC. I associated it with that email, it connected to my Gandi Registrar, and my account was ready to go. I created a Google Hangout and assigned it to the Virtual Meeting URL, hoping it would allow twenty-five. The plan was to use it with the Hourlings to verify that fact.
It failed! We still could only get ten people into the meetup despite it being a paid account.
Unfortunately, since Monday I’ve been on Weather and Safety Leave from work because my Telework agreement was revoked, but that’s a story for another day as this post is long as it is! However, it did allow me to speak to Google and they suggested I try Google Meet. Meet was included with all Google App paid accounts, and it would allow for up to a hundred people and could be as long as I needed. Also, I could downgrade to the $6 per month account and I would still be able to use it. I thus downgraded.
We tried it with Reston Writers Review and it worked wonderfully. We had up to twelve connections simultaneously! But I’m getting ahead of myself.
At around 10:30 am, that Monday, after chatting with Google, I was examining my Google Apps account more closely. It was telling me I had one last step I needed to complete: integrate my email with Gmail.
That’s when my troubles began. You see, what this innocuous, turn-key step says it does is set up GMail for your company. What it actually does is obliterate all the MX Records (email routing information) of your DNS (Internet routing information) Zone File (routing configuration file) on Gandi and replace them with MX Records that point to Google. The setup wizard doesn’t actually tell you this and I’m totally oblivious.
At current writing, I have 188 forwarded email addresses set up on Gandi with their MX Servers. One of those is my business email, the one Google took over and is my Google Apps login. That’s the email Google set up as the official email address used in GMail. Once the GMail setup goes through, I send an email from the GMail interface to my personal email address on the timehorse.com domain.
It never arrives. All day long, I watch my email and, strangely, nothing arrives after 10:30 in the morning. I refresh and refresh, and it’s still nothing. Where have all my emails gone?
It’s not until I’m setting up for Reston Writers that I decide to contact Google about this. I’m crazy-busy setting up the Google Meet, opening up the pieces we’d be reviewing on my computer, and, simultaneously, chatting with Google, trying to figure out why I’m not receiving any email.
Eventually, Google Tech Support starts talking about MX Records and a chill runs down my spine. As you probably gathered by now, I am well versed in DNS records and Zone File manipulation. I even have a Python script which updates my DNS A Record when the IP Address for this server changes.
With trepidation, I logged into my Gandi account and saw the damage. Google had modified my Zone file and added a bunch of strange new MX Records pointing to Google. They had nuked all my Gandi Email forwards since they’d redirected all email traffic to Google. As Google only had one account registered on the domain, timehorse.com, namely my business email address, every other email address I possessed was either being deleted or bounced by Google!
Fortunately, Gandi’s Email Forwarding page provides a warning when the Zone file doesn’t point to their email server, listing the correct MX Record settings to use Gandi as the mail hosting server. I quickly commented out the Google MX Records and pasted in the Gandi MX Records around 7:30 pm, in the middle of my Reston Writers meeting.
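A check of this kind can be automated. The following is an added example, not the author's script or anything from Gandi or Google: it parses MX records out of zone-file text, ignores commented-out lines, and reports drift from a baseline. The zone snippets, the `example.org` name and the baseline hostnames are constructed sample values.

```python
import re

# Baseline the domain owner expects (constructed sample values, not from the post).
EXPECTED_MX = {(10, "spool.mail.gandi.net."), (50, "fb.mail.gandi.net.")}

# Constructed zone text: the state after a setup wizard replaced the MX set.
ZONE_AFTER_WIZARD = """\
@    10800 IN A  192.0.2.10
@    10800 IN MX 1 aspmx.l.google.com.
@    10800 IN MX 5 alt1.aspmx.l.google.com.
; @  10800 IN MX 10 spool.mail.gandi.net.
www  10800 IN CNAME example.org.
"""

# Constructed zone text: the repaired state, new records commented out.
ZONE_REPAIRED = """\
@    10800 IN A  192.0.2.10
; @  10800 IN MX 1 aspmx.l.google.com.
@    10800 IN MX 10 spool.mail.gandi.net.   ; forwarding host
@    10800 IN MX 50 fb.mail.gandi.net.
"""

# owner, optional TTL, optional class, then "MX <priority> <host>"
MX_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)", re.I)

def parse_mx(zone_text, owner="@"):
    """Return {(priority, host)} for the live MX records of `owner`."""
    records = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and commented-out records
        m = MX_RE.match(line)
        if m and m.group(1) == owner:
            host = m.group(3).lower()
            records.add((int(m.group(2)), host if host.endswith(".") else host + "."))
    return records

def mx_drift(zone_text, expected=EXPECTED_MX):
    """Compare live MX records with the baseline; two empty sets mean no drift."""
    live = parse_mx(zone_text)
    return {"missing": expected - live, "unexpected": live - expected}

def mail_still_routed(zone_text, expected=EXPECTED_MX):
    """True only when the live MX set matches the baseline exactly."""
    drift = mx_drift(zone_text, expected)
    return not drift["missing"] and not drift["unexpected"]

if __name__ == "__main__":
    for name, zone in (("after wizard", ZONE_AFTER_WIZARD), ("repaired", ZONE_REPAIRED)):
        print(name, mx_drift(zone))
```

Run on a schedule against an export of the live zone, a non-empty `missing` or `unexpected` set is the signal that mail routing changed without the owner's say-so.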
Needless to say, I was miffed that I could not give my full attention to my writers during our weekly writing get-together. But it’s good I finally did figure out the disastrous actions committed by Google after only nine hours, and not a day or more.
I may never know what was contained in those nine hours of lost emails. I suppose there is one blessing, though. I get too much email already and still have dozens of unread messages I’m desperately trying to catch up on. One Covidapolis, novel-length email after another from every business under the sun. STFU companies, you’re all doing the same thing and I don’t like reading the same message again, and again, and again! You have a plan, that’s all I need to know!
Maybe Google was doing me a favor?
In the end, I was able to solve the problem because I got skills and I’m available for hire!