Plugin Author tech2serve

    (@tech2serve)


    Code for Recovery is considering a change to the Twelve Step Meeting List aimed at protecting online meeting information such as Zoom passwords and meeting id numbers.

    The basic proposal is that the plugin would add a setting for admins, that when enabled, would require users to be registered and logged into the site in order to see links to the online meeting information (the rest of the meeting information would remain visible). This should provide some basic protection against trolls/crawlers. If the setting was not activated, your site’s behavior would remain as it is today.

    Using this setting might have a couple of drawbacks. First, there may be some additional administrator management, but it could be quite minimal depending on how you configure things. Another is that users would have to create an account. My personal feeling is that most people accept this today, but that you might lose some people (especially newcomers) looking for a meeting. So, we’re discussing how you could potentially exempt a meeting (say for newcomers) from this restriction.

    There are a number of additional advantages to doing this including sending email notifications and updates to users; and having some pages private to members for business meeting notes and member-only communications. Some websites already have logins configured for their members.

    Please provide me your thoughts (questions, concerns, accolades) on this proposed setting, and whether you think you would use it for your site.

    Thank you!

    • This topic was modified 4 years, 7 months ago by tech2serve.
Viewing 15 replies - 1 through 15 (of 15 total)
    Thanks for your post!
    I just asked for some opinions from people who have worked a lot with Zoom by now.
    I am certainly not a security specialist but I do work in IT and I realise that what I might find acceptable measures might not always resonate with our general audiences.

    Let me reflect what I was told:
    - When we show a password on open websites, we cannot prevent individuals with bad intentions from getting into our meetings.
    - We need to cater to that with at least one moderator who helps the host of each meeting to remove them.
    - Showing the password as a value on the website at least takes away the risk of troller robots that simply try different combinations of the mostly numeric meeting ID and passwords. That particular hacking action is minimized by a lot in this way.
    - The fear is that those who are truly interested in our meetings might decline if they have to create an account. It seems like a bit of overkill too for something that can and should be managed by proper stringent settings for each meeting by the owner of the Zoom account (or other medium).

    In physical meetings the risk of getting people with ulterior motives is lower because they have to be there in person. On the other hand: in my 4 program years I have already been witness to a couple of these where the meeting had to ask the person not to come back. So it cannot be prevented at all times.

    Online these people or hacking organisations do not have to show their faces, so there is more need for security measures. I don’t think though that I would go to the level of the accounts. I would hate to see newcomers in particular leave because they are daunted by giving details, even if they make them up.

    Just some thoughts… I will be interested to hear what others have to say.

    westsidecentraloffice

    (@westsidecentraloffice)

    Instead of requiring a logon, maybe use a CAPTCHA that the user must complete before showing the password? It won’t eliminate the most sophisticated bot from scraping the website, but it may eliminate most of them.

    Plugin Author tech2serve

    (@tech2serve)

    Thanks for that idea @westsidecentraloffice. It is worth discussing. I suspect you’re right that it would only help against the crawlers scraping first. I’m not sure how most of the Zoombombers are getting their info?

    https://www.google.com/search?ei=T-iJXsb1EeSIggfGsL_YDw&q=aa+zoom+meetings+pwd&oq=aa+zoom+meetings+pwd&gs_lcp=CgZwc3ktYWIQAzoECAAQRzoFCAAQgwE6BAgAEEM6AggAOggIIRAWEB0QHkoNCBcSCTExLTYyZzEyNUoKCBgSBjExLThnMVCUzQFYltUBYJfbAWgAcAV4AIABsQGIAfgDkgEDMC40mAEAoAEBqgEHZ3dzLXdpeg&sclient=psy-ab&ved=0ahUKEwiG2Y_ovNHoAhVkhOAKHUbYD_sQ4dUDCAw&uact=5

    This is one way they are getting the info.

    Plugin Author tech2serve

    (@tech2serve)

    @octotoot,

    Yes. What we really don’t know though is whether most of them are using search terms they enter (like you showed), in which case they are able to go to a link and easily defeat the captcha; or if they are mostly using scripts and crawlers to conduct their attacks, in which case the captcha could help.

    Requiring memberships sounds like a useful approach but I wonder what that opens us up to with trolls either spoofing accounts or hacking them?

    We’re talking about possibly having a limited number of beginner meetings that hotline volunteers could direct new people to and that would be staffed by experienced 12th Steppers. Similar to some groups having a separate newcomers table.

    The remainder of the meetings could then have limited access, either by requiring an account or by passwords passed around amongst home group members.

    If Zoom accounts for AA meetings would disable the “Embed password in meeting link” setting, this would negate the Google search attack above.

    Also, as meeting guide admins you can truncate the meeting link to remove the ?pwd=dafakdf$ada and when the link is clicked, it will launch the zoom client and require the users to manually enter in the password which they can get from reading the meeting information if it’s posted.

    This doesn’t keep people from manually attacking, but it certainly slows down the rate of attack, allowing the hosts/co-hosts to take measures before things get out of hand too much.

    Adding the need for a captcha before viewing the meeting details adds another level of complexity for them to try to script around.

    Just my 2 cents.

    I thought by having the embedded password in the meeting URL and then using the TSML plugin to mask the link would make it so the meeting link with the encrypted password wouldn’t show up in Google searches.

    Do I have this wrong?

    Plugin Author tech2serve

    (@tech2serve)

    @octotoot, Crawlers work with the code of the website, not the buttons shown to the user. Masking in the way we have provides limited protection against the casual observer only.

    @mnel69, Yes, we could strip the password (hash) being required by Zoom, and that would provide separation between the URL and the password if the website admins were careful to do that (I assume in the notes). Website admins can accomplish the same thing you’re describing. As a side note, we are not Meeting Guide admins. Meeting Guide refers to the app maintained by GSO. We are maintainers of the Twelve Step Meeting List (TSML) plugin.

    @theronb, WordPress sites that required logins would still be vulnerable to some nefarious actions, but I believe that number would drop significantly. People doing Zoombombing are trolls who rely on anonymity and not being traceable. They will take the easier and more anonymous route nine times out of 10, which means they would normally move on to an easier target. That is my experience anyway.

    @tech2serve thank you for your quick response. I’m under the impression that nothing is ever 100% on the Internet and all we could do is try to provide some protection and make it a little harder. WordPress is especially vulnerable to hackers and I hope everyone has some kind of security running behind the scenes. I use Wordfence Premium and I think it does an amazing job.

    Though this masking is not the most ideal thing, it is certainly much better than putting the actual password in the meeting notes. If there was a way to actually hide it and require some Captcha to confirm that they’re actually a human, that would be awesome.

    I too am a bit dismayed about how we might be close to breaking the intent of this plug-in. But we are in a completely different time now and I have a feeling for the foreseeable future which could last several months, we’re going to be doing this online thing. I hope you’re doing well and thank you for everything.

    Plugin Author tech2serve

    (@tech2serve)

    Though this masking is not the most ideal thing, It is certainly much better than putting the actual password in the meeting notes.

    Yes and no (based on my experience). Most crawlers and automated tools work by having predictable patterns. So a basic technique to mitigate this remains to separate the information on the webpage. With masking, the crawler remains able to grab the entire URL (including password (hash)) and has it for connecting to the video conference session. If a website has *only* the conference provider in the URL field and has the password, unidentified as such, in the notes, that will knock down many of the scripts. However, it may make it easier for manual attacks, and it takes away one-click convenience. Kind of a catch-22.

    As was discussed in the TIAA Forum, the password requirement is actually a good thing because it defeats the scripts that are randomly generating meeting ids. My wife read a piece indicating Zoom was dedicating 90% of its resources to locking down Zoom calls. I’m wondering if we just need to be patient. We are discussing the captcha idea though.

    And thanks, I’m healthy and doing great. Hope the same to you and yours.
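As an added example, not code from the TSML plugin or from anyone in this thread, here is what the two measures discussed above look like in plain PHP for a WordPress site: the link truncation from the earlier reply (drop the `?pwd=` parameter Zoom embeds in join links, so the meeting id and password no longer sit together in one crawlable string) and the proposed admin setting from the opening post (show the join link only to logged-in users, while the rest of the meeting information stays visible). The function names, the `tsml_example_require_login` option name and the `$meeting` array layout are assumptions; `parse_url`, `parse_str` and `http_build_query` are PHP built-ins, and `esc_html`, `esc_url`, `wp_login_url`, `get_permalink`, `get_option` and `is_user_logged_in` are standard WordPress functions.

```php
<?php
// Added example for this thread, not TSML plugin code.
// Option name, function names and the $meeting layout are assumptions.

/**
 * Return $url without its `pwd` query parameter, keeping any other
 * parameters, the path and the fragment. Input that does not parse is
 * returned unchanged so a bad value never turns into an empty link.
 */
function tsml_example_strip_pwd(string $url): string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['query'])) {
        return $url;
    }
    parse_str($parts['query'], $query);
    unset($query['pwd']);

    $out = '';
    if (isset($parts['scheme']))   { $out .= $parts['scheme'] . '://'; }
    if (isset($parts['host']))     { $out .= $parts['host']; }
    if (isset($parts['port']))     { $out .= ':' . $parts['port']; }
    $out .= $parts['path'] ?? '';
    if ($query !== [])             { $out .= '?' . http_build_query($query); }
    if (isset($parts['fragment'])) { $out .= '#' . $parts['fragment']; }
    return $out;
}

/**
 * Build the HTML for one online meeting.
 *
 * $require_login mirrors the proposed admin setting; $logged_in is the
 * visitor's login state (supplied by the wrapper below). A crawler reads
 * the page source, not the buttons, so for an anonymous visitor the join
 * link must be absent from the HTML altogether, not merely masked.
 */
function tsml_example_render_online_meeting(array $meeting, bool $require_login, bool $logged_in): string {
    $html = '<p class="meeting-name">' . esc_html($meeting['name']) . '</p>';

    if ($require_login && !$logged_in) {
        // No href and no password anywhere in the output for this visitor.
        $login = wp_login_url(get_permalink());
        return $html . '<p><a href="' . esc_url($login) . '">Log in</a> to see the online meeting link.</p>';
    }

    // Even for permitted viewers, keep the password out of the href; the
    // thread's advice is to carry it separately (e.g. in the notes text).
    $link = tsml_example_strip_pwd($meeting['conference_url']);
    return $html . '<p><a href="' . esc_url($link) . '">Join online meeting</a></p>';
}

/**
 * WordPress-facing wrapper: read the (assumed) option and the real login state.
 */
function tsml_example_online_meeting_html(array $meeting): string {
    $require_login = (bool) get_option('tsml_example_require_login', false);
    return tsml_example_render_online_meeting($meeting, $require_login, is_user_logged_in());
}
```

With the option off, anonymous visitors still get a join link, but one without the embedded password: `https://zoom.us/j/123456789?pwd=abc` (a constructed sample) becomes `https://zoom.us/j/123456789`, so clicking it launches the Zoom client and prompts for the password, which is the behaviour described earlier in the thread. With the option on, the page source for an anonymous visitor contains neither the link nor the password, which is what matters against scraping.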

    We have had three zoom bombings so far. One incident, a group of about seven joined the meeting started spewing offensive language and posted pics of a naked guy in a bathtub(?). The host immediately closed the meeting but went in later out of curiosity. The trolls were still there, video on, young teen boys and not saying anything to each other. I suggested some options such as using the Waiting room but he said “screw it, just take the password down and I’ll get it to the members”. I asked what about the newcomer, and he said he’d rather have a meeting for a few than no meeting at all. He was uncomfortable about putting his phone # in the meeting info but was ok with a contact email.

    Whatever solution we come up with, it has to be simple because not all hosts are tech savvy.

    Why didn’t the host remove them from the meeting?

    At minimum there should be at least one host and one cohost to manage a meeting. They should all be familiar with what to do. You can start here: https://zoom.us/security

    westsidecentraloffice

    (@westsidecentraloffice)

    If the developers are still considering the CAPTCHA idea, I suggest they consider using the CAPTCHA to reveal both the online meeting link and the password. Perhaps that is under consideration, but I wanted to clarify that. I suspect when some trolls find active zoom links that have a password, they Google the URL to obtain the password. I have noticed some visits to our website with zoom URLs as the search criteria.

The topic ‘Request feedback: Using logins to protect online meeting info’ is closed to new replies.