Re: NYC blocking Zoom

I like Matthew a lot, but I don't feel this is a "dumb overreaction." As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students, I would love to shed some light on the difficulties Zoom has created for us.


First, let's start with Zoombombing. The answer seems very simple - let's add a password. The problem is that many places allowed teachers to go create their own accounts, and we had to rely on them reading email from IT. Is that ever 100% effective?


For those of us who do have an admin console to control settings, sure we can change the settings to add a password, but that only affects future meetings (according to the console), not past meetings. Again, communicating to teachers to change existing meetings? This is hard.


Zoom also provided no way to cancel or modify those existing meetings, so it seemed we were out of luck. Fortunately, Zoom has done the right thing and appears to have updated all meetings for us (according to staff reports too).

support.zoom.us/hc/en-us/artic…


On to #FERPA. I think there's a big misunderstanding at NYC here. Zoom's Basic accounts do not have controls to allow us to comply with FERPA laws. Zoom "upgraded" these Basic accounts to add those controls, so if we are setting them properly, then we are covered.


I think this is a great question. Schools have very weird threat models. If we create accounts for students, they can use school resources to video and chat with each other in something where we have limited auditing capabilities. This should matter.


Without going into specifics, in my network, we have had numerous luring cases, CP cases, and plenty of things we would consider "normal" for adult relationships. Schools providing resources with no controls keeping students safe is irresponsible. College and older? Who cares.


Now on to actual security of the product. Again, our threat model is weird. Students will find your PoC and attempt to use it - they are awesomely curious. Zoom's long-running bad practices and how they have handled it is what bothers me. There will always be vulnerabilities.


And privacy? They have explicitly signed privacy agreements that they have broken, though these seem to have been "oversights." I don't trust them to handle our data the way they are claiming based on previous experiences, and recent news has only made that distrust worse.


Given the choice, I think I would still stick with Zoom though. Forcing thousands of teachers to lose existing investments and learn something new is a big deal. The risk is students getting exposed to bad stuff, but that can happen on other poorly configured platforms too.


One last comment based on some messages - listening to your community is an important part of school culture. I don't know the nuances of NY, but I do know we have received communication from concerned parents. It's hard to balance this well while still valuing your community.

