How to avoid Zoom while working from home, from beginner to advanced
by Bernard Meyer, Senior Researcher, CyberNews.com
Zoom is certainly the talk of the town now – but not in the same way that it was the talk of the town even a week ago. The CyberNews team explains how to get rid of Zoom and continue to conveniently collaborate while upping your privacy at the same time.
One week ago, everyone was getting their Zoom on – using it as a primary source for their company video conference meetings, general meetings with 100s of participants, watch parties, and much, much more. Zoom was so successful just a week ago that it seems everyone was using it for everything during these coronavirus lockdowns and quarantines.
But then it all changed a few days ago, when security and privacy experts began to unleash a trickle of concerns about the popular video messaging app. That trickle has now turned into a flood, so much so that I can’t even go into detail about all the issues that have arisen around Zoom.
So I’ll just put it in a quick list. In case you’ve been asleep these last few days, it was revealed that:
- Zoom has been sending user data to Facebook, without letting people know about it.
- It allows for anyone to interrupt your video conference since it uses public links. This paves the way for wonderful pranks (known as Zoom-bombing), and of course opens it up to security and privacy issues: do you want an outsider to burst in on your company’s sensitive meetings and take screenshots?
- Zoom doesn’t actually use end-to-end encryption, even though its marketing materials will try to convince you otherwise.
- Because of its “Company Directory” setting, people can have their personal details leaked, especially if they’ve signed up to Zoom using their personal emails.
- Zoom has significant vulnerabilities that can give hackers root privileges, letting them take control of Zoomers’ microphones and webcams.
By this time next week, that list will probably go up to 10 or 15 items. But these 5 are fine for now to make one point clear:
The best way to use Zoom is to not use Zoom at all.
So, how can we avoid Zoom? Well, that depends on how advanced (or paranoid) you want to get. For most people, it will involve 3 privacy and security levels. For each level, I’ll show the ease of implementation, the security and privacy advantages, and any disadvantages.
Level 1: Find alternatives to Zoom (and change nothing else)
- Implementation: Very easy
- Privacy and security advantages: none (for the majority)
- Disadvantages: similar privacy and security concerns as Zoom (for the majority)
Many CTOs, CEOs, professionals responsible for selecting company tools, and even everyday people, have been frantically Googling “best alternatives to Zoom.”
The idea is simple: how can you quickly replace one insecure, privacy-unfriendly video conferencing tool with another video conferencing tool?
Unfortunately, most of the alternatives that they’re currently deciding on most likely include other insecure, privacy-unfriendly video conferencing tools. And most likely, they’ll be choosing Microsoft Teams.
Security-wise: MS Teams has had its share of vulnerabilities. Take this June 2019 vulnerability, where attackers were able to insert malicious code into MS Teams and escalate privileges. Another set of vulnerabilities from September 2019 showed how attackers can redirect users to web pages whenever they try to enter a chat room, and more. There will be more vulnerabilities that will be out of your control.
Privacy-wise: c’mon, it’s Microsoft. While Google, Facebook, Amazon and even Apple are well-known for their privacy issues, Microsoft also deserves some ridicule. It tries to get as much data about you as it can, consistently, even with mediocre efforts like their Data Viewer.
Better option: while most companies will choose MS Teams for its ease-of-use and adoption, you’ll only get slightly better privacy and security. For greater privacy and security, it’ll be better to use more secure options.
Some good alternatives include privacy- and security-oriented messaging solutions like Wire and the open-source Riot for complete control. It’ll just take some time to set it all up and get everyone on board.
Level 2: Use video conferencing tools on a VM
- Implementation: Medium difficulty
- Privacy and security advantages: isolate your personal data from business matters
- Disadvantages: performance issues with lagging video
One problem with Level 1 is that it doesn’t really address cross-contamination: many people are guilty of either (1) doing personal stuff on their business computer or phone, or (2) doing business stuff on their personal devices.
For the first, the advice is simple: don’t. Just don’t. Don’t get personal on your business device. Completely isolate your company devices from your personal business, and never check Facebook, your personal emails, or anything not related to work on your company devices.
For the latter option, where companies haven’t provided you with a device, the answer is more in-depth: get a virtual machine (VM).
A VM allows you to isolate your work environment on your personal computer. It’s like a computer-inside-a-computer, Inception-style, where whatever you do on your VM won’t affect your personal computer (the host computer). Even if you get serious North Korea or Iran-style malware on your VM, your host computer won’t be affected. There are many free options like Oracle’s VirtualBox, and setting it up is also pretty easy.
This also helps mitigate the risks when employers want to have stronger controls over whatever device you’re using. This includes privileges that would allow them to remotely control the device, wipe data, turn on the webcam, and much more. A VM limits those abilities to the VM itself (which will have no personal data on it), rather than the entire host computer where your personal data is housed.
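An added example, not part of the original article: a small shell check for the isolation described above, flagging host-integration features (shared clipboard, drag and drop, shared folders) that would let data cross between the work VM and the personal host. It assumes the key names printed by `VBoxManage showvminfo --machinereadable`; the VM name `work-vm` and both sample outputs are constructed.

```shell
#!/bin/sh
# Audit a VirtualBox VM description for settings that weaken host/guest isolation.
# Real use (hypothetical VM name):
#   VBoxManage showvminfo "work-vm" --machinereadable | isolation_findings

# Reads key="value" lines on stdin and prints one finding per risky setting.
isolation_findings() {
    awk -F= '
        { val = $0; sub(/^[^=]*=/, "", val); gsub(/"/, "", val) }
        $1 == "clipboard"   && val != "disabled" { print "clipboard sharing is " val }
        $1 == "draganddrop" && val != "disabled" { print "drag and drop is " val }
        $1 ~ /^SharedFolderPathMachineMapping[0-9]+$/ { print "host folder shared into VM: " val }
    '
}

# Succeeds (exit 0) only when the description on stdin produces no findings.
is_isolated() {
    [ -z "$(isolation_findings)" ]
}

# Constructed sample: a VM left with convenience features switched on.
sample_leaky() {
    cat <<'EOF'
name="work-vm"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="docs"
SharedFolderPathMachineMapping1="/home/me/Documents"
EOF
}

# Constructed sample: the same VM with host integration turned off.
sample_isolated() {
    cat <<'EOF'
name="work-vm"
clipboard="disabled"
draganddrop="disabled"
EOF
}

echo "Findings for the leaky sample:"
sample_leaky | isolation_findings
sample_isolated | is_isolated && echo "Isolated sample: no findings"
```

Any finding means the VM can still read from or write to the host, so personal data is not fully separated from the work environment.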
Beyond that, it’s best to use lessons from Level 1 with a VM – avoid Zoom, MS Teams, Slack and other big privacy-unfriendly names. If you absolutely have to use these apps, check if you can use the browser-based version instead of installing the risky app. This works for Slack, while Zoom will require Chrome.
But there are downsides: using video conferencing software will bring some frustrating lags. No matter how much RAM or processing power you give the VM, video conferencing will most often experience some performance problems. With important meetings, this will turn from a minor annoyance into an impossible frustration.
Level 3: Do your business on a partitioned drive with dual booting
- Implementation: Medium-High difficulty
- Privacy and security advantages: isolate your personal data from business matters while maintaining performance
- Disadvantages: low to none
We might be getting into a tinfoil-paranoia zone here, but the issues we’ve been seeing with Zoom will be passed on to MS Teams, or to Facebook scandal version 19.0, or by feeding the Google monster.
Level 2’s VM solution means that you won’t be able to use all your system resources, which can present a frustrating experience. That’ll mean that many employees or colleagues will stop using VMs and just video conference on their host computer.
Instead, you should go with dual booting. With this, you will split (partition) your computer’s hard drive, so that you can use it for a second, separate operating system. This can function much like a VM, but here it isn’t really virtual – it’s an actual second, separate computer (OK, operating system) which allows you to fully use your computer’s resources.
When you start up your computer, you’ll be able to choose which OS you want to boot into.
You can use the same OS that you prefer (Mac-Mac or Windows-Windows), but intelligence expert Michael Bazzell recommends using a different OS. This is largely psychological: if your personal OS is Windows and your business OS is Linux, you’ll be much less likely to do personal things on your business OS, and vice versa.
Again, this is pretty straightforward to set up.
Of course, there are Levels 4, 5, 6 and more. If you’ve followed Snowden’s advice, you know how private you can get (and need to be) – but you’re giving up a lot of convenience for that.
For the most part, Levels 1-3 will suit your needs, while the majority of people will go to Level 1 and call it a day.
So let me quickly summarize the levels and give you some recommendations:
- Level 1: use Wire or Riot on your business device, turn off your webcam, and use a VPN
- Level 2: use Wire or Riot on a VM on your PC, turn off your webcam, never get personal on your VM, and use a VPN on your host computer. If you have to use Zoom or Slack, use the browser versions. Wipe the VM when the lockdown period ends
- Level 3: use Wire or Riot on your second OS on your PC, webcam off, no personal business, and use a VPN. Use the browser versions of risky apps if necessary. Remove the partition when the lockdown period ends
That being said, we still need to discuss the core weakness in this situation, and in cybersecurity in general: you.
You do many risky things online. You use Zoom’s public links to hold private conversations. You send sensitive files on Messenger or Slack, or even worse Zoom. You do private, NSFW things on third-party applications that store that data on their servers.
You know that there are breaches and leaks every single week, many affecting big companies that you use, but you don’t change your behavior. You use your webcam during video conferences, even though you don’t need to (who made it mandatory?).
I’m not trying to place the blame on you here, but I’m also not trying to not place the blame on you here. And by the way, when I’m talking about you, this is what I’m picturing:
We are all guilty of doing things we know we shouldn’t, mostly for convenience. But if we’re aware that these risky behaviors have serious consequences, then we can teach ourselves to do better, and to be smarter, more often.
And also to avoid Zoom, like the plague.
About the Author
Bernard Meyer is the Senior Researcher at CyberNews.com and an online privacy and security professional who has been featured in Bild, Forbes, Express, Mirror, TechRadar and many more.
Bernard can be reached online at (firstname.lastname@example.org, @bernardmeyer01 on twitter) and at our company website https://cybernews.com/