Zoom 5.0 (zoom.us)
112 points by throw0101a on April 28, 2020 | hide | past | favorite | 102 comments


Looks like a good update and they're moving in the right direction.

I think this should fix the main issues people have had with them (at least the most public problem with 'zoom bombing').

There's not much they can do about having all their development in China, but at least their focus on security otherwise seems to be paying off.

###

Quick Feature Summary:

- Mandatory GCM encryption requires Zoom clients to upgrade to 5.0 by May 30th [0]

- Hosts can prevent screenshare, chat, user renaming

- Hosts can report users to Zoom’s Trust & Safety team, who will review any potential misuse of the platform and take appropriate action.

- All hosts may now turn on the Waiting Rooms while their meeting is already in progress.

- Lock your meeting after everyone has arrived to prevent any unwanted disruptions.

- The host may remove a participant and they will be unable to re-enter the meeting.

- Waiting Room enabled by default

- Complex Meeting IDs

- Meeting passwords are now more complex and enabled by default

- Meeting Registration and Authentication (require email registration/restrict meetings to preset profiles)

- All cloud recordings are encrypted with complex passwords on by default.

- Audio Watermarks/Screen Share Watermark (help prevent leaks)

- Message Preview Options (Users can now enable Zoom Chat notifications to not show chat content while screen sharing.)

- Host or account admin can disable the ability for participants to show their profile picture or change it in a meeting.

- Hosts can now select which data center regions they would like their in-meeting traffic to use when scheduling a meeting, and participants can see which data center they are connected to by clicking on the info icon at the top left of the client window.

- Zoom 5.0 supports a new data structure for larger organizations, allowing them to link contacts across multiple accounts so people can easily and securely search and find meetings, chat, and phone contacts.

[0]: https://en.wikipedia.org/wiki/Galois/Counter_Mode


> There's not much they can do about having all their development in China, but at least their focus on security otherwise seems to be paying off.

They could start moving their development to the US. There are plenty of successful software companies in the US. There's a good ecosystem, a huge amount of talent, and tons of enthusiasm about their problem space.

What they can't do anything about is the trust they lost by misleading their customers about their security model.


Dev team is different than actual server location.

Anyone know if they are still passing non-China video data through mainland China servers? Unclear from this.


They aren’t. They fixed that almost immediately. They said it was just a misconfiguration.


> There are plenty of successful software companies in the US. There's a good ecosystem, a huge amount of talent, and tons of enthusiasm about their problem space.

The same could be said about China.

What benefits would they gain by moving development to the US?


Most dystopic feature:

> Audio Watermarks: Turn this on to embed a user's personal information into the audio as an inaudible watermark if they record during a meeting. If the audio file is shared without permission, Zoom can help identify which participant recorded the meeting.


What's dystopic about it?

Movie studios have done watermarking in the past with DVD screeners. Color laser printers output almost-invisible patterns of yellow dots to match a document to a printer. When you download an academic paper as a PDF, the PDF generally imprints the IP address and time of the downloader. Watermarking is nothing new.

For a company or government worried about employees leaking sensitive information to the press, this is an intriguing feature.

And if you're a determined whistleblower, this isn't going to stop you anyways.


This is a fantastic feature. It isn't so much for the company to prevent it but a way for the guy being pressured to share the recording to say "I'm sorry, I can't. They embed details in it that if they were leaked would ruin me." i.e. technology that allows you to say no to things is great.

The most extreme example is a secret that if I shared with you, I'd die painfully. You can't threaten me with death or torture because that's what's going to happen to me if I share it with you.


> The most extreme example is a secret that if I shared with you, I'd die painfully. You can't threaten me with death or torture because that's what's going to happen to me if I share it with you.

I say this regretfully because I really like the slogan "technology that allows you to say no to things is great", and, of course, it's not what you meant; but, taken to its extreme, the combination of this paragraph with the logic from your first paragraph:

> This is a fantastic feature … technology that allows you to say no to things is great.

means that an imaginary Zoom feature by which it would kill you painfully if you leaked sensitive data would be fantastic.


Haha, right, that is the natural syllogism that one would arrive at. The missing pieces of the picture are the prior probabilities of accidental leaking vs. coerced leaking and the value of the individual. For a spy in danger of being exposed, yes, technology which guaranteed violent death on exposure would be fantastically desirable. I won't condescend to you by walking through the entire thing, but I think you can tell I'm not an extremist and have left out all the bits about the ROI etc.


v6?


I wonder how they are doing this. Wouldn't a low quality recording render this fingerprint invisible?


I wonder if it can be filtered out, on the other hand. Does anybody have knowledge on audio fingerprinting/watermarking? Or is it perhaps security theater?


The most common technique is spectral encoding, which can be quite resistant to degradation.

Here's some old (ugly) code - quite short as you can see:

- encoding: https://github.com/jcelerier/libaudiotool/blob/master/src/li...

- decoding: https://github.com/jcelerier/libaudiotool/blob/master/src/li...


My guess is that it is mostly a security-through-obscurity thing for now; we do not know exactly how they mark the audio. When someone figures this out, I believe it should be possible to filter this out.

It would be interesting if they found a way to watermark the audio in such a way that removing the mark makes the audio unusable.


Just compare two recordings from two different users.


Streaming and downloaded audio from Universal Music Group, and some Sony releases has been "inaudibly watermarked" for some years now, but there are several cases of people complaining that the watermark is actually audible in their supposedly lossless FLAC/ALAC/WAV download.

AFAIK these are just used to identify the streaming / download source (e.g. Spotify / TIDAL / Qobuz etc.), rather than the individual user as will be the case with Zoom. It'll be interesting to see what, if anything, has changed with the technology.


If the watermark is inaudible, can't it be removed by re-encoding the audio with a bandpass filter tuned for the audible range?


Inaudible just means that a person can't perceive it, not necessarily because it's outside the frequency range a human ear can sense.

A common technique is to add pseudo noise to encode data over the whole audio spectrum. It's related to the spread spectrum techniques used for radio communications resistant to signal degradation (natural or jamming), common in many radio protocols, like your GPS receiver in your phone.

https://en.m.wikipedia.org/wiki/Audio_watermark
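As an added illustration of the spread-spectrum idea in this comment (and of the earlier question of whether a low-quality recording hides the mark), here is a toy pseudo-noise watermark written for this page in Go; it is not Zoom's scheme, and the seed, 16-bit payload, chip count and synthetic two-tone "speech" carrier are all assumptions.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

const (
	sampleRate  = 8000 // Hz, constructed carrier
	chipsPerBit = 2000 // samples spent on each payload bit (0.25 s)
	payloadBits = 16   // e.g. a participant identifier (assumed size)
	alpha       = 0.05 // mark amplitude, well below the carrier's 0.3
)

// pnSequence derives a +1/-1 chip sequence from a secret seed; only the seed holder can embed or read the mark.
func pnSequence(seed int64, n int) []float64 {
	r := rand.New(rand.NewSource(seed))
	pn := make([]float64, n)
	for i := range pn {
		pn[i] = float64(2*r.Intn(2) - 1)
	}
	return pn
}

// syntheticAudio is a constructed stand-in for speech: two quiet tones.
func syntheticAudio(n int) []float64 {
	s := make([]float64, n)
	for i := range s {
		t := float64(i) / sampleRate
		s[i] = 0.3*math.Sin(2*math.Pi*440*t) + 0.3*math.Sin(2*math.Pi*660*t)
	}
	return s
}

// embed adds alpha*(+-1)*pn[i] to every sample, one payload bit per chipsPerBit segment.
// The energy is spread over the whole spectrum, so a band-pass filter does not strip it.
func embed(audio []float64, id uint16, seed int64) []float64 {
	pn := pnSequence(seed, len(audio))
	out := make([]float64, len(audio))
	copy(out, audio)
	for i := 0; i < len(audio) && i < payloadBits*chipsPerBit; i++ {
		bit := (id >> uint(payloadBits-1-i/chipsPerBit)) & 1
		out[i] += alpha * float64(2*int(bit)-1) * pn[i] // bit 1 -> +1, bit 0 -> -1
	}
	return out
}

// detect correlates each segment with the PN sequence. Carrier and added noise are
// uncorrelated with pn and average out, so the sign of the sum recovers the bit.
func detect(audio []float64, seed int64) uint16 {
	pn := pnSequence(seed, len(audio))
	var id uint16
	for b := 0; b < payloadBits; b++ {
		corr := 0.0
		for i := b * chipsPerBit; i < (b+1)*chipsPerBit && i < len(audio); i++ {
			corr += audio[i] * pn[i]
		}
		id <<= 1
		if corr > 0 {
			id |= 1
		}
	}
	return id
}

// degrade simulates a poor recording: Gaussian noise plus 8-bit requantisation.
func degrade(audio []float64, noiseStd float64) []float64 {
	r := rand.New(rand.NewSource(99))
	out := make([]float64, len(audio))
	for i, v := range audio {
		out[i] = math.Round((v+r.NormFloat64()*noiseStd)*127) / 127
	}
	return out
}

func main() {
	marked := embed(syntheticAudio(payloadBits*chipsPerBit), 0xBEEF, 42)
	fmt.Printf("clean %#04x degraded %#04x\n", detect(marked, 42), detect(degrade(marked, 0.2), 42))
}
```

The mark survives noise several times louder than itself because detection integrates over 2000 chips per bit; a real scheme would also have to survive resampling and perceptual codecs, which this toy does not model.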


I'd love to see some analysis of what's going on as well. I assume this would work better for audio recorded on-device (eg. using screen capture software) than audio recorded externally after being played out on the speaker.


For companies in healthcare and finance, this is a good feature to protect clients.


Attention tracking ... Oh great... I'm sure we all have been waiting for more big brother features like this one


Many game developers do this for any kind of NDA-enforced testing. Not necessarily to the audio but to the video.


Apple Retail has/had an internal communications iPad app called RetailMe that overlaid their employee number in a massive watermark on the screen to catch people who leak screenshots. It was slightly visible under normal use, but load it into Photoshop and play with the curves and it becomes super visible.

One day there was an Ars Technica article leaking some news that included a screenshot of RetailMe. I put the screenshot into Photoshop and lo and behold, there was the employee's ID.


Dystopic? That's a privacy forward feature. Accountability to protect the privacy of meetings.


Apply some time stretch, pitch shift, slight distortion, and the watermark is likely destroyed.


Printers have done this for decades


*help identify the participant's account, but not the actual participant.


I guess this is targeted at corporate users.

If a watermarked audio is leaked, the owner of the account will be liable. If he shared his Zoom credentials, it's just as bad as sharing the recording.


That’s not much of a leap, though: if you know you were talking to some people, and then audio is leaked, then you can figure out which account did it.

I’m not defending (or denouncing, for that matter) this feature, though I have opinions.


This is really a terrible feature for anybody who doesn't like DRM. I can only hope clever hackers will identify these steganographic features in video and audio recordings of Zoom sessions.


What does this have to do with DRM?


A few weeks ago they required login to join a meeting from the browser. This makes it harder for older people who I like to talk to. Since then I have moved to jit.si. The quality is slightly lower, but it is much easier to use.


Jitsi is much worse in a number of ways. If you use it casually with small crowds then it’s prob fine. Otherwise the pains of Jitsi are huge for the year I had to use it a lot.


I'm very concerned about the China connection. There has been zero analysis of what they actually look at and how they use the data.


According to their 10-K filings, Zoom has more than 700 heads in R&D in China, and about 5 subsidiaries in China IIRC, but none of those are listed as subprocessors of personal data, which I, personally, find somewhat hard to believe.


Nice to see all the security improvements, however, the new UI seems less crisp, the fonts have become much more blurry, with too much anti-aliasing going on. Also the up-arrows for audio/video settings have been made much smaller and thus harder to hit - you will mute yourself rather than opening the audio settings.


The font smoothing/antialiasing problem is not everywhere, which makes it look even weirder. See this dialog for instance: https://i.imgur.com/L5S8Tqn.png

There the text "0 participants per room" has had too much anti-aliasing applied.


There was discussion before that Zoom had serious security issues. Have these been fixed in the new version of Zoom? E.g. would companies that previously banned Zoom now allow Zoom 5.0?

E.g. some previous issues with Zoom: https://news.ycombinator.com/item?id=22736608


I'm not a security expert, but I deal with PKI (OpenSSL, OpenSSH, etc.) / OpenPGP/GnuPG a lot on a daily basis, and I just don't understand why Zoom would let their marketing people put a buzzword like `GCM Encryption` on such an important landing page. Not nitpicking, seriously...

At least use AES-256 (the mode can be optional, as most people don't even know what GCM, XTS or CBC stand for).


Because focus groups liked the sound of "GCM Encryption". Be glad they didn't slap on a bunch of Trim Level Designators like "GCM LX Sport Encryption CE".

https://www.liveabout.com/glx-gls-se-si-lx-what-do-they-mean...

https://en.wikipedia.org/wiki/Trim_level_(automobile)


I think because the big failing before was that Zoom was using AES, but was using it in ECB mode. Zoom clearly paid near-zero attention to security until recently.

So by saying “GCM encryption” they’re highlighting that they fixed the mode in which they are using AES encryption.
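To make the ECB-versus-GCM point in this comment concrete, here is an added Go example written for this page (not Zoom's code): the same three-block message goes through AES in ECB mode, where repeated plaintext blocks show through as repeated ciphertext blocks and nothing detects tampering, and through AES-GCM, where a random nonce hides repetition and the authentication tag rejects a flipped bit. The key, plaintext and associated data are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt runs raw AES over each 16-byte block independently (the mode the thread
// says Zoom used): equal plaintext blocks under one key give equal ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("ecb: input length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// countRepeatedBlocks counts 16-byte blocks that duplicate an earlier one; for ECB
// output this measures leaked structure, for GCM output it should be zero.
func countRepeatedBlocks(data []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+16 <= len(data); i += 16 {
		k := string(data[i : i+16])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal: fresh random 96-bit nonce per message, output is nonce || ciphertext || tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen verifies the tag first: any changed bit of nonce, ciphertext, tag or AAD fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, fmt.Errorf("gcm: message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	key := make([]byte, 32) // constructed demo key (all zero bytes)
	pt := []byte("sixteen byte blksixteen byte blksixteen byte blk") // three equal blocks
	ct, _ := ecbEncrypt(key, pt)
	sealed, _ := gcmSeal(key, pt, []byte("meeting-id"))
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err := gcmOpen(key, sealed, []byte("meeting-id"))
	fmt.Println("dup blocks ECB:", countRepeatedBlocks(ct), "GCM:", countRepeatedBlocks(sealed), "tamper:", err)
}
```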


Why are they touting "GCM encryption" without explaining what that means? Do they mean "Galois/Counter Mode" [0]? If so, _why_ is that better than the encryption they were using before?

[0] https://en.wikipedia.org/wiki/Galois/Counter_Mode


They were using ECB mode before


I was hoping a new major version would help me fix the problem I have with the Zoom desktop application on Xubuntu. Every time I join a meeting, the entire desktop starts lagging. Sadly, this update did not help.


"How was your experience?" [Great] / [Had issues]

So infuriating. And yes it disappears by itself after a while, but no, I do not need that dialog box.

Anyone know how to turn that off?


It's a setting that's exposed on the website ("Feedback to Zoom"), but, at least for my licence, it's locked. Incidentally, I am able to close the box, rather than just waiting for it to go away, in case that's better.


Thankfully the major version update doesn't mean a completely new UI, which would have cut their userbase in half.


"GCM encryption". What? o_O


Still no Mac App Store version? Sigh...


There is a Mac version; why do you require it from the Mac App Store instead of the developer's site?


Security. The App Store has much tighter rules on what a developer can do, whereas downloading a dmg from somewhere pretty much leaves you to fend for yourself (and Zoom has already proven itself here).

Edit: clarifications


Because at this point, every single version of the app from their site has had some issue that wouldn't have happened in a sandboxed Mac App Store version.


Because the non-app store version does weird stuff - faking installation, background services, etc. Sandboxed version would hopefully be less malware-like.


Probably due to the Apple tax.


No, it's probably because then the app would need to be sandboxed and they wouldn't be able to justify their insane Hardened Runtime exemptions.


Since they are already on iOS, this is not an excuse. I would only trust a sandboxed version from them.


Apple tax on free?


Their macOS app is already notarized by Apple, there is no additional "Apple tax" for them to make a Mac App Store version.


Can Zoom stop logging me out from current computer (while I'm using Zoom) just because there's another computer on standby where I forgot to log off Zoom (and I'm not in any Zoom call on that computer)?


Hah, finally a criticism of Zoom I can immediately relate to, and it is really frustrating. Why log me out, like you said, if I’m not in a call?


[flagged]


In my case, Zoom has a killer feature that Skype and Google don't have. Zoom can be told to use a codec which isn't optimized for voice (referred to as "preserve original sound").

Specifically, I have weekly lessons on my instrument, and it was just a horrible, garbled experience attempting to play instruments to each other.


Aren't WebRTC calls mostly using Opus? If they enable a reasonable audio bitrate (64 kbps+) when the bandwidth is available, you should be able to get quite decent music quality. Certainly, this should always be enabled for video calls because it would be a small fraction of the total call bitrate.

(Of course, these are theoretical considerations, not a prediction for what actually happens in practice.)


It's 128 kbps to have music quality almost indistinguishable from a music CD. Maybe the latest codecs can do something decent with 96 kbps, not sure.

64 kbps, whichever codec, gets this small by cutting all frequencies outside of human speech. It cannot record instrumental sounds well.


> 64 kbps, whichever codec, gets this small by cutting all frequencies outside of human speech

Unfortunately, you're completely wrong about this. Sorry to undeceive you, I would have said the same a few years ago. Codecs, especially the best AAC encoders, and Opus, have improved drastically since 2005.

Listen for yourself to 64 kbps music samples made with the 2011 Opus. They're quite passable. https://people.xiph.org/~greg/opus/ha2011/ Certainly good enough for a WebRTC stream. No, it's not close to transparent, but it's going to be fine for a music lesson, there's no weird pitch shifts or anything.


Won't believe it till I see the benchmarks. Now trying to find some links comparing to MP3 and AAC. I'd really love to find out that codecs have halved audio size in the past half decade.

To be clear, I mean quality indistinguishable from an audio CD, listening to songs in the quiet living room. I am not talking good enough for a stream or a phone call, that's a much lower bar.

For historical reference: Steam changed the codec for their voice chat around 2011 to something called SILK that seemed to be the parent of Opus. It gave just enough quality to blast Ievan Polkka and Britney Spears in Team Fortress games and other players could recognize the song (noting it's a very, very low bitrate, it ain't great). By comparison, the previous encoding couldn't play songs at all; it butchered most frequencies so much that the audio was just lost.


> SILK that seemed to be the parent of Opus

That's right - SILK was a codec tuned for voice chat, not music. CELT is the other parent of Opus and is tuned for music. (Opus uses a hybrid strategy that switches between codecs as necessary.) Don't just look at the benchmarks; at the bottom of the page you can click on the links and listen to a bunch of 64 kbps Opus samples. They're very, very good.

And no, they aren't indistinguishable from a CD. As I said in the original comment, they're more than good enough for high quality music streaming for a video chat.

> I'd really love to find out that codecs have halved audio size in the past half decade.

This has happened, to my ears at least. A little over a decade ago, I could not-infrequently tell a V2 MP3 (~196 kbps) from the FLAC. Took 256 kbps (~V0) to be reliably transparent. (I think it's improved marginally since then, V2 might be transparent almost all the time now.) These days, it's quite infrequent I can tell a 128 kbps Opus file from the FLAC. And the best codecs are quite passable even at 64 kbps.

Actually, Opus is "okay" even down to like 48 kbps. Try the sample here: https://people.xiph.org/~jm/opus/opus-1.2/


It's NOT about the codec. It's about all the post-processing happening to do noise cancellation, echo removal or auto gain.

Those features are usually configurable in major video conferencing apps.

FYI, I saw some artist play on Zoom not so long ago, and the music was muted by their client. And they didn't know it happened or how to fix it. No software is immune from misconfiguration.


I use Google Meet every day and it's a pretty terrible experience. Lots of lag and audio/video distortion.

Meanwhile, Zoom works pretty seamlessly for me, always.


Video and audio quality in hangouts is terrible, it also doesn’t support gallery view so groups larger than 2 are a lot worse than zoom for that reason alone.

You also do need gmail, an app, and to have it enabled.

Zoom is in a class of its own in terms of actual call quality and UX, it’s a lot better.


> it also doesn’t support gallery view so groups larger than 2

https://www.theverge.com/2020/4/22/21231294/google-meet-gall...

> You also do need gmail, an app, and to have it enabled.

What do you mean? Calls are had at meet.google.com, nothing to do with gmail?


> > it also doesn’t support gallery view so groups larger than 2
>
> https://www.theverge.com/2020/4/22/21231294/google-meet-gall....

This only applies to Google Meet, not Google Hangouts (the non-enterprise version)


Looks like that gallery view is from last week? Also meet only, not hangouts, and not rolled out to everyone yet?

Either way it’ll be nice if they do that.

Other comment was a reply to the parent comment, I was stating that you still need gmail for hangouts and to have it turned on in your email settings, or you need the specific app.

I know less about meet - I think that’s some corporate google product I don’t have access to? Google’s strategy around messaging is impossible to understand so it’s possible I’m wrong about that.


So, do you mind telling me how I can get this fantastic video quality? Since we (university) don't want to share our whole desktop (and some are using Windows, so Xephyr is out as well), a lot of people got OBS + some virtual webcam. Now, I spotlight my video; it's OK-ish on my screen, and the receivers get garbage with illegible text, so doing a live-coding demo is basically impossible (the same with math-heavy slides). It works as expected in Jitsi though (but everyone needs Chrome there for it to work, or the app. But who uses the Jitsi app...). So: can you tell me what I'm doing wrong and how I can get this fantastic video quality of Zoom every shill is writing about?


You don't have to share the whole desktop on zoom. You can share single apps or even windows of an app. Use it all the time and it is flawless.

I am unsure what OBS is, but it sounds like you're recording your screen via webcam and then streaming that... My guess is the compression on talking heads is aggressive and has a different profile to a screenshare.


Well, if I could share more than one app, it would be fine, but I can't. And sincerely: just sending everyone a 1440p@4fps stream of a presentation is both wasteful and useless (if the receiving party has an FHD screen), very far from perfect ;).

And even with the talking heads compression: why can't I disable it (I and most colleagues have solid broadband)? We have a nice FHD (Sony A6400 to HDMI capture) webcam as well and the picture there is also far from superb.

But well, this all might make sense if the target is just to make sure we don't increase their AMZ bill too much after our uni had set up their license agreement with them...



I don't know, I can just tell you it was night and day for my company.

We were really trying to use different solutions, because of all of the problems Zoom has. We just had constant quality issues that made it really hard to hear people.

Then we tried Zoom one day and it was incredible how good it was in comparison.


Not every organisation uses Google products.


Real end to end encryption? No? Must be a hard problem that other people have solved.


To my knowledge there is no Zoom competitor that has end-to-end encryption and allows people to join a call from landlines.


Are there services that have opportunistic end-to-end encryption that is only disabled if someone is calling in from a landline? That seems vastly superior.


Isn't that what Zoom does?


No. As of a month ago, anyway, Zoom did not have e2e encryption for video calls.


bluejeans? Skype for business? Webex?


All those services don't encrypt connections if they include PSTN phone calls or other features. Example: https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-E...


How are they encrypting the telephone connections?


Zoom's end-to-end encryption is pointless because they can get at the data by performing an assertive action. Their competitors (at least the ones I have heard of) can also get at the data by performing an assertive action. The difference is probably that the people designing Zoom knew that you can't have secure E2EE without customer access to the client source and an awkward identity verification requirement. So they didn't bother to pretend. As a result they probably saved themselves a lot of work.


Some of these features sound like anti-security and definitely anti-privacy features. It will definitely make you think twice about having a “private” meeting on Zoom if they’re going to embed my email on a screenshot someone else takes. Great way to get a meeting organizer's email...

> Screen Share Watermark Superimposes the image of a meeting participant’s email address onto shared content in the event a participant takes a screenshot.


Isn’t the point that it embeds your email address onto screenshots you take?


Zoom's intended for corporate customers. Many of us have compliance requirements that demand not having individual privacy for employees.

If you want to elicit a change, the biggest value for your time will be lobbying against FedRAMP and its corollaries.


I wonder how Zoom determines if a screenshot is taken.

On Linux/Wayland at least, there's no API for an app to determine that this is happening. So they'd have to show the watermark all the time.


Yes as I understand the watermark is on the Zoom video stream you're viewing, so it doesn't need to detect when you take a local screenshot.


Likely by detecting certain keystrokes (that's what Snapchat does on iOS for example). Idk if there are other ways on macOS or Windows.


There is an API on iOS: UIApplicationUserDidTakeScreenshotNotification

https://developer.apple.com/documentation/uikit/uiapplicatio...


I was not aware of this, thank you!


Definitely not on Linux. Global hotkeys are managed by the compositor and can't be spied on by applications. There's also no API to read keystrokes from external apps. This is actually a security feature.

AFAIK, on iOS, the app is actually sent an event by the OS when a screenshot is captured.


You might be specifically talking about Wayland here, then, but with X, on the other hand, it's not difficult, for example [0]

[0] https://security.stackexchange.com/questions/170596/is-it-po...


If this were Google or Microsoft this comment wouldn't be getting downvoted.


Probably because they seem to have misinterpreted the text they quoted in their own comment. The participant who takes the screenshot has their own email embedded in their screenshot, not someone else's.


Not sure why I got downvoted on that? Everyone must be really happy with Zoom. lol


Can you respond to the people saying you didn’t state the correct facts? I.e., which email is included, and where.



