by Aradhya Bhagavan Das
Various security-related articles about Zoom have suddenly started flying around, inducing a sense of fear amongst devotees using it. So, as a professional technology consultant at a Big 5 organization, I decided to analyze it objectively. Whatever I have gathered has thus been jotted down in three brief sections (below): first, what exactly are the security threats associated with Zoom; second, are Zoom officials cognisant of the security gaps in their product; third, what does it mean for ISKCON.
Primarily, if I were to zero in on the risks involved, they would be as follows:
1) Zoombombing
It is a phenomenon by virtue of which pranksters can join any random Zoom meeting and either play objectionable video material to disrupt the natural flow of the meeting, or remain unassumingly silent and record the screen and audio to gain access to confidential meetings and the information discussed therein. Now the question is: how would these pranksters know my meeting ID? For that, we need to understand that each Zoom call has a randomly generated ID number between 9 and 11 digits long that is used by participants to gain access to a meeting, and typically no password is used. Researchers have found that these meeting IDs are easy to guess and even brute-forceable, allowing anyone to get into meetings.
2) No E2E encryption
Zoom data is not end-to-end encrypted (although Zoom's website had earlier claimed E2E encryption, they later admitted this was false), meaning anyone in between can intercept the flow of information and gain access to the information being passed through the WWW.
So, the first question here is: are Zoom officials doing anything about it at all?
YES, THEY ARE ACTIVELY ENGAGED IN FIXING THE SECURITY LAPSES. In fact, they are more concerned than anyone else about their dipping popularity, coming just when the market was beginning to boom for them. So, to fix things, as of April 16 they have hired Luta Security, the best security consultant in the industry, which has worked with the likes of Microsoft.
One of the things they have already done, for example, is to implement password-protected entry to counter Zoombombing. More are on the way…
Having understood the technicalities of this apparent threat, the bigger question now is: how much of this security issue is relevant for ISKCON's preaching and classes at the moment?
Well, on a personal note – I'd love to say the answer is NO THREAT. Because we don't discuss business-critical numbers or war-ready battle strategies that can break our movement or get us arrested when we give a BG / SB class.
I was reading a recent recommendation by the Govt of India, Ministry of Home Affairs, based on which I have concluded that there is, however, a caution – one must be careful not to forget.
As responsible members of this society, the onus is on us to make sure all our preachers using Zoom are made well aware of the facts and the potential threats that they are exposed to, for example, Zoombombing into our meetings by radical Islamic organisations (and it's a very, very real threat in Bangladesh) to identify our members and centres, and maybe also to hijack our online programs with objectionable materials.
Having said all that, I believe simply exercising caution through password-protected meetings and continuous updating of the meeting IDs, which are not to be shared on public forums, should pretty much cover us.
For easier remembering, I am sharing some key points that hosts must keep in mind while creating meetings on Zoom:
1) Never share the Zoom link or meeting codes on social media or in the public domain
2) Create a new and unique meeting ID every time
3) All meetings must compulsorily have a strong password assigned (passwords are to be changed every time and kept complex, beyond the obvious, like HareKrsna@108, Prabhupada@108, Gauranga@1008 etc.) – see article in ref on how to create strong password
4) Use the "Waiting Room" feature, which lets the host allow or reject a participant
5) All participants' cameras should always be ON, to better identify unwanted participants
6) Enable "Host Only" screen-sharing
7) Restrict the annotations feature, if not absolutely urgent
8) Disable "Allow removed participants to rejoin"
9) Always use the latest version of the Zoom app (applies to all participants of the meeting)
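For point 3, one way to draw a fresh password for each meeting and to check a hand-picked one against the obvious patterns. This is an added example, not part of the original article or of any Zoom tool; the word list, the 10-character length and the allowed symbols are assumptions to adjust to what your account accepts.

```python
import re
import secrets
import string

# Constructed word list: the terms an outsider would try first against this
# community, taken from the weak examples in point 3.
OBVIOUS_WORDS = ("harekrsna", "harekrishna", "prabhupada", "gauranga",
                 "krishna", "krsna", "iskcon")
# Assumption: the password field accepts letters, digits and these symbols.
ALPHABET = string.ascii_letters + string.digits + "@-_*"
# Letters, an optional symbol, then digits: the "Name@108" shape.
WORD_THEN_DIGITS = re.compile(r"^[A-Za-z]+[^A-Za-z0-9]?\d+$")


def weaknesses(password, min_length=8):
    """Return the reasons a meeting password is easy to guess (empty = none found)."""
    reasons = []
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    for word in OBVIOUS_WORDS:
        if word in letters_only:
            reasons.append(f"contains the well-known word '{word}'")
            break
    if WORD_THEN_DIGITS.match(password):
        reasons.append("is a word followed by digits")
    if len(password) < min_length:
        reasons.append(f"is shorter than {min_length} characters")
    if len(set(password)) < len(password) // 2:
        reasons.append("repeats the same few characters")
    return reasons


def new_meeting_password(length=10):
    """Draw a fresh random password for one meeting (assumed 10-character limit)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_mix = (any(c.islower() for c in candidate)
                   and any(c.isupper() for c in candidate)
                   and any(c.isdigit() for c in candidate))
        # Retry in the rare case a random draw looks like a guessable pattern.
        if has_mix and not weaknesses(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("HareKrsna@108", "Prabhupada@108", "Gauranga@1008"):
        print(sample, "->", "; ".join(weaknesses(sample)))
    print("use instead:", new_meeting_password())
```

Generate a new password for every meeting and send it to participants privately, never alongside the link on a public page.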
Beyond this, from our perspective, we don't need to worry much, unlike the Googles and Amazons of the world. Furthermore, apart from the necessary precautions possible at a user's end, I am admittedly relying here on the proactive response exhibited by the Information Security guys at Zoom.