Message from Zoom on Waiting Rooms and Passwords

[Bart Worden]

This is from Zoom today: https://support.zoom.us/hc/en-us/articles/360041408732

Overview

On April 5, 2020, Zoom will enable the Waiting Room feature and two meeting password settings for all Basic users and Pro users with a single license, including K-12 education accounts who have the 40-minute limit temporarily waived.

Zoom is enabling two password settings by default: require a password for Personal Meeting ID (PMI) and require a password for meetings which have already been scheduled.

[David Bland]

We find the waiting room feature to be of mixed benefit.  If you have a bunch of people in your waiting room it's very difficult to manage it - all you see are names.  If someone's name is " badass" it's a safe bet to reject them, but if it's "david" what do you do?   

And I may be mistaken in this but when we tested it, it did not seem to be possible to interrogate a single person in the waiting room - you could send a chat to everyone, but not a single person.  I might be wrong about this - we didn't have time to test this thoroughly, but I think that's the limitation.  

--
You received this message because you are subscribed to the Google Groups "Connections" group.
To unsubscribe from this group and stop receiving emails from it, send an email to connections...@aeu.org.
To view this discussion on the web visit https://groups.google.com/a/aeu.org/d/msgid/connections/25d65a61-3115-4942-a91b-25da97fe519f%40aeu.org.

[Bart Worden]

The more participants you have the harder it is but it does give more control to the host who can quickly send offending participants to the waiting room (thereby limiting their disruption) then suspend them from the session entirely. It's not a silver bullet but it does provide a level of safeguard. I expect most Ethical Society Platforms via Zoom will have 50 or fewer attendees, almost all of whom are known to the host so while the waiting room may not be for everyone, it may work pretty well for most groups.

Bart

--

Bart Worden

Executive Director

American Ethical Union

2 West 64th Street, New York, NY 10023

My pronouns are he, him, his  

O - 212-873-6500

C - 914-263-6667

Facebook

Twitter

YouTube

Google+

[Jone Lewis]

The Zoom bombers seem to be coming in "packs" of about six at a time, from reports I've heard. They will adapt, I'm sure.

So admitting one person we aren't sure of at a time, and then verbally asking them if we know them already, or how they found out about the meeting, is possible.  Having other settings safely set (like having chat closed down to others than hosts during the gathering time, closing down screen sharing to all but host) means they can't do too much in a short time.  

We recruited at RYSEC two other volunteers just to help with the waiting room and removals during the meeting.  We asked them to admit the obvious people, and let our official host and co-host handle the ones they aren't sure of, if they don't want to do so.

It LOOKS like the enabling of the password settings by default does not mean that passwords have been set for previously set meetings on Sunday. That would be a disaster for us.

To view this discussion on the web visit https://groups.google.com/a/aeu.org/d/msgid/connections/733535366.195416.1585949116144%40mail.yahoo.com.

[Jone Lewis]

Here is more info on the changes for Sunday:

1) If you have scheduled a Zoom platform, and you have only one paid user on the Zoom account, regenerate and re-send invitations because your meeting now has a password.  If you have more than one paid user, no password has been added to already-scheduled meetings.

2) Waiting rooms are now the default, and probably are a wise choice.  It's easy for co-hosts to admit known people, and to admit unknown people one at a time and greet them to find out who they are.  During the meeting the latter is more difficult.  The waiting room may NOT be automatically enabled if you have more than 1 paid user on the account, so change it manually for the meeting.

3) The bad link security hole has been patched (where a certain formatting of a link could give someone access to your computer passwords).

Just some other related reminders:

Hosts and co-hosts can remove people during the program, or send them back to the waiting room if you're not quite sure of them.  If your settings are that people cannot return after being removed, this will get them out of the room fairly quickly.

The reports I've seen from the last two days include DOZENS (in one case over 100) intruding at the same time.  Without a waiting room, this is very hard to control.

Also, I've seen an increasing number of reports of chat being the method of spreading the vile messages.  So consider making chat "host only" except at times you're well-prepared to close it down if it goes awry to open it.

A new recommendation from some is to "hide" URLs on open web pages -- instead of https://zoom.us/j/999999999 for instance, post https://bit.ly/3aHP9Us (or use another service like tinyurl).

Zoom-bombing seems to be increasing exponentially.  Consider the balance between inclusion and security.  And remember, we've had to balance that in our in-person meetings, too.

[Jone Lewis]

Ooops, forgot this:

>>1) If you have scheduled a Zoom platform, and you have only one paid user on the Zoom account, regenerate and re-send invitations because your meeting now has a password.  If you have more than one paid user, no password has been added to already-scheduled meetings.<<

This ALSO means that the AEU Connections calendar needs to be updated with the new information.  

--

You received this message because you are subscribed to the Google Groups "Connections" group.
To unsubscribe from this group and stop receiving emails from it, send an email to connections...@aeu.org.

To view this discussion on the web visit https://groups.google.com/a/aeu.org/d/msgid/connections/5547518b-b450-4abe-9d1b-020cc638a855%40aeu.org.

[Jone Lewis]

https://support.zoom.us/hc/en-us/articles/360041408732

Notice that this is about FREE and SINGLE USER accounts.  

[David Bland]

Jone (or others), if 10 people are in the waiting room, is it possible to do a chat to one (only) of them?  I did not have a chance to test this but my impression is that you cannot, you chat to everyone or no one.

David

--
You received this message because you are subscribed to the Google Groups "Connections" group.
To unsubscribe from this group and stop receiving emails from it, send an email to connections...@aeu.org.
To view this discussion on the web visit

https://groups.google.com/a/aeu.org/d/msgid/connections/5547518b-b450-4abe-9d1b-020cc638a855%40aeu.org

.

[David Bland]

I do not see how using a shortened URL such as https://bit.ly/3aHP9Us will help.  The link will still work and you have a password on the meeting the link will contain the password in encrypted form so the link will still work

[Nathan Schrenk]

The recommendation to use shortened URLs seems to be a tactic for reducing the likelihood that miscreants will find and target your Zoom meeting. If miscreants are searching for Zoom URLs via search engines  then using a shortened URL will result in your events not showing up in their search results list of meetings to target. As you note, it doesn’t prevent someone with the URL from joining.

Nathan 

--
You received this message because you are subscribed to the Google Groups "Connections" group.
To unsubscribe from this group and stop receiving emails from it, send an email to connections...@aeu.org.

To view this discussion on the web visit https://groups.google.com/a/aeu.org/d/msgid/connections/827119966.554283.1586015531260%40mail.yahoo.com.

[Bart Worden]

Hi David - what you can do is leave everyone in the waiting room except the individual you want to speak to, then let that person into the meeting for a private conversation.

Bart

[Jone Lewis]

You cannot "talk" in any way to people in the waiting room.  If there are 10 people I don't recognize, all at once, my spidey-sense is going to be tingling.   I've heard from others who've had intrusions that the usernames are usually giveaways that they're not our folks.

And if the screen names are innocent I'll admit them one by one and warmly greet each one (while subtly interrogating who they might be) before admitting another.

[Jone Lewis]

What the shortened URL on a public page does, according to those whose guess is that bots are looking for meeting links, is hide that it's a Zoom meeting.  The bot would have to evolve to actually check such links, which would trigger notices (I get them occasionally when people test a link: "David Bland is waiting in your meeting" at 2 am for instance). It's just to keep them from finding your room.

That won't keep them from just generating numbers and trying them, or passing around links in backchannels planning these intrusions.  But it will stop bots from finding the links so easily.

It's a suggestion -- and a possible deterrent.   No guarantees.  But it doesn't take too long.

On public pages, I'm finding I need to rewrite the invitation, anyway.  It's not a user-friendly invitation for those not comfortable with the technology.  For many, as it's written, it's not clear what to do.

[David Bland]

Yeah, I verified that you cannot "talk" to individuals in the Waiting Room

Terri Karp and I have been in discussion about this and we're going to use the Waiting Room.  I will be posting our Zoom zoom settings shortly but that said, our primary security feature is to use passwords and not to post any URLs on public facing web sites.  

To view this discussion on the web visit https://groups.google.com/a/aeu.org/d/msgid/connections/CABj6SHjN%3DKGF-Q%3DSGFiVMFv%2BnHXrqM7_5odDWoiux4WP4Hn%3Drw%40mail.gmail.com.

[David Bland]

On Saturday, April 4, 2020, 12:30:02 PM EDT, Jone Lewis <jone...@gmail.com> wrote:

What the shortened URL on a public page does, according to those whose guess is that bots are looking for meeting links, is hide that it's a Zoom meeting.  The bot would have to evolve to actually check such links, which would trigger notices (I get them occasionally when people test a link: "David Bland is waiting in your meeting" at 2 am for instance). It's just to keep them from finding your room.  I see.  That does make sense if you're posting on a public web site

That won't keep them from just generating numbers and trying them, or passing around links in backchannels planning these intrusions.  But it will stop bots from finding the links so easily.

It's a suggestion -- and a possible deterrent.   No guarantees.  But it doesn't take too long.

On public pages, I'm finding I need to rewrite the invitation, anyway.  It's not a user-friendly invitation for those not comfortable with the technology.  For many, as it's written, it's not clear what to do.

On Sat, Apr 4, 2020 at 11:52 AM David Bland <dblan...@yahoo.com> wrote:

I do not see how using a shortened URL such as https://bit.ly/3aHP9Us will help.  The link will still work and you have a password on the meeting the link will contain the password in encrypted form so the link will still work

On Saturday, April 4, 2020, 10:48:21 AM EDT, Jone Lewis <jone...@gmail.com> wrote:

Here is more info on the changes for Sunday:

1) If you have scheduled a Zoom platform, and you have only one paid user on the Zoom account, regenerate and re-send invitations because your meeting now has a password.  If you have more than one paid user, no password has been added to already-scheduled meetings.

2) Waiting rooms are now the default, and probably are a wise choice.  It's easy for co-hosts to admit known people, and to admit unknown people one at a time and greet them to find out who they are.  During the meeting the latter is more difficult.  The waiting room may NOT be automatically enabled if you have more than 1 paid user on the account, so change it manually for the meeting.

3) The bad link security hole has been patched (where a certain formatting of a link could give someone access to your computer passwords).

Just some other related reminders:

Hosts and co-hosts can remove people during the program, or send them back to the waiting room if you're not quite sure of them.  If your settings are that people cannot return after being removed, this will get them out of the room fairly quickly.

The reports I've seen from the last two days include DOZENS (in one case over 100) intruding at the same time.  Without a waiting room, this is very hard to control.

Also, I've seen an increasing number of reports of chat being the method of spreading the vile messages.  So consider making chat "host only" except at times you're well-prepared to close it down if it goes awry to open it.

A new recommendation from some is to "hide" URLs on open web pages -- instead of https://zoom.us/j/999999999 for instance, post https://bit.ly/3aHP9Us (or use another service like tinyurl).

Zoom-bombing seems to be increasing exponentially.  Consider the balance between inclusion and security.  And remember, we've had to balance that in our in-person meetings, too.

--
You received this message because you are subscribed to the Google Groups "Connections" group.
To unsubscribe from this group and stop receiving emails from it, send an email to connections...@aeu.org.

To view this discussion on the web visit https://groups.google.com/a/aeu.org/d/msgid/connections/CABj6SHjCHrxYPLhstCks8erEa5RNzNYRjWGLNxqkJudzqb14fQ%40mail.gmail.com.