Hacker News
A Message to Our Users (zoom.us)
397 points by casca on April 2, 2020 | 256 comments



I think that's fair. All of us who have written and deployed software know that a change in the onboarding/new users rate like this would be a punch in the face that would knock any SW team on its ass. And it would take anyone a few days to get back up.

The important part is the leadership's reaction to the situation. Compare to something like Boeing. Zoom acknowledges facts, takes responsibility and starts fixing things. Boeing's reaction to its product killing hundreds of people was “Lol user error. RTFM”. That is (apparently) what acceptable leadership can look like..

Any sw product has issues. The question is what the company does about it


Err, no. It would be understandable if their servers buckled under the load or something. Zoom's blatant disregard for their users' security and privacy is unacceptable regardless of whether they have 5 or 5 million users.

> Any sw product has issues. The question is what the company does about it

See https://news.ycombinator.com/item?id=20389812, https://news.ycombinator.com/item?id=20390755


And more recently, Zoom Is Leaking Peoples' Email Addresses and Photos to Strangers

https://news.ycombinator.com/item?id=22753675


I let out an audible “wow” upon reading this. This is absolutely bone-headed and I have no idea how they thought automatically grouping members by their email domain name was a good idea.

You gotta figure, as soon as you start writing a blacklist of “common” domains like gmail.com, hotmail.com, etc, your immediate thought should probably be “wait, maybe we’re doing this wrong.”


You’re right but I absolutely see why they are doing this. When I saw all my colleagues in the company list I immediately figured they only have the email domain and I found it extremely useful to see whom I can contact without explaining how zoom works. Privacy isn’t our most important concern right now, it’s keeping the world running, and this “feature” helped me/us (if only just a little bit) communicate more effectively.


Why wouldn’t this be an opt in feature per-organization? I’m acme co, I buy a zoom subscription for acme.com, I click a box saying “let everyone with an acme.com email address see each other”. Done. Yes, I would have to prove I own acme.com, but we have solutions for that (didn’t set out to make this joke but, the ACME protocol, for one.)

Why is it that it’s on by default for arbitrary domains (excepting the ones some poor soul has to blacklist)?
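The two directory designs contrasted in this comment, as an added Python sketch that is not part of the thread and is not Zoom's code: default-on grouping by email domain with a blocklist, against per-organization opt-in gated on a domain-ownership check. All names, domains, the token and the `_directory-challenge` TXT label are hypothetical, and the DNS lookup is an injected callable so the block runs offline.

```python
# Constructed sample data; every address and domain below is hypothetical.
PUBLIC_DOMAIN_BLOCKLIST = {"gmail.com", "hotmail.com"}

USERS = [
    "alice@acme.example", "bob@acme.example",
    "carol@smallisp.example", "dave@smallisp.example",  # unrelated customers of one ISP
    "erin@gmail.com", "frank@gmail.com",
]

# Constructed stand-in for DNS: TXT records keyed by query name.
FAKE_TXT = {"_directory-challenge.acme.example": ["token-1234"]}


def fake_txt_lookup(name):
    """Offline replacement for a real TXT query (assumption for this example)."""
    return FAKE_TXT.get(name, [])


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def directory_default_on(viewer, users, blocklist):
    """Default-on design: everyone sharing a domain is grouped unless the
    domain happens to be on the blocklist of public mail providers."""
    domain = domain_of(viewer)
    if domain in blocklist:
        return []
    return sorted(u for u in users if u != viewer and domain_of(u) == domain)


class Org:
    """An organization that claims a domain. Sharing stays off until the
    domain is verified AND an admin explicitly opts in."""

    def __init__(self, domain, challenge_token):
        self.domain = domain.lower()
        self.challenge_token = challenge_token
        self.verified = False
        self.share_directory = False

    def verify(self, txt_lookup):
        # Ownership proof: the token issued to the claimant must appear in a
        # TXT record that only the domain's DNS administrator can publish.
        records = txt_lookup("_directory-challenge." + self.domain)
        self.verified = self.challenge_token in records
        return self.verified


def directory_opt_in(viewer, users, orgs):
    """Opt-in design: no verified, opted-in organization means no directory."""
    org = orgs.get(domain_of(viewer))
    if org is None or not (org.verified and org.share_directory):
        return []
    return sorted(u for u in users if u != viewer and domain_of(u) == org.domain)


if __name__ == "__main__":
    # The ISP domain is not on the blocklist, so strangers see each other.
    print(directory_default_on("carol@smallisp.example", USERS, PUBLIC_DOMAIN_BLOCKLIST))
    acme = Org("acme.example", "token-1234")
    acme.verify(fake_txt_lookup)
    acme.share_directory = True
    orgs = {acme.domain: acme}
    print(directory_opt_in("alice@acme.example", USERS, orgs))
    print(directory_opt_in("carol@smallisp.example", USERS, orgs))
```

The blocklist design fails open for every shared domain nobody thought to list; the opt-in design fails closed.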


I don't mean to be overly snarky, but removing authentication from all computers and servers would also help everyone (if only just a little bit) be more effective. It's still a bad idea, crisis or not.


Yep. And at the other end of the spectrum, never having users is the easiest way to maintain user privacy and security.


This problem also seems to stem from the fact that Zoom has been used primarily in the corporate settings until now, which kinda validates their claim. Definitely not ideal, but understandable.


which exacerbates the problem.

A possible scenario is that users continue to browse the user directory and join meetings with their Zoom account even after leaving a company.


Companies that are concerned about this can set up SSO authentication with zoom I believe. So once the user is removed from the company’s directory server they wouldn’t have access to the zoom address list either.


I'm not dismissing the overall security point, but this seems like a pretty weak attack vector. If your company is routinely not deactivating accounts associated with your domain as part of your offboarding, being able to see e-mails and pictures of your employees is not your biggest problem.


Well, not if you still can log in to Zoom even if your email account was deactivated.


... by that special definition of "unacceptable" that means "It's been wildly accepted."

If this situation isn't a mass condemnation of the idea users care about security or privacy more than usability, I don't know what is.


Other than Zoom stockholders, I’m unsure why this comment is being downvoted. It seems entirely factual and provides references.


Point taken, but none of the issues raised over the last few days had anything to do with scaling problems. The humblebrag of "we were just a little company and then we got hugged to death" doesn't sit right when a lot of the issues fall into the same category: prioritising ease of use and onboarding over security.

As for "Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment."... well it can't have been that exhaustive if a couple of weeks in the sunlight have generated a shopping list full of concerns.

Kudos for half-playing by the 3F rule, though - probably their smartest move yet


He says:

> These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones.

I don't think he is saying that these issues have to do with scaling problems, but rather that the increased usage + new types of usages led to increased scrutiny and uncovered new issues. Which is correct in a way.

Obviously, they were told several issues in the past too, but then those issues were not costing them money. Now they are, so they are trying to fix them.


A year ago they architected their system to not uninstall when you asked it to uninstall, and instead it left a running daemon that would re-install as soon as it saw a relevant URL.

This isn't a scaling, usage, or whoops issue. This was intentional.


Maybe. I've got enough uninstaller logic wrong in my day to believe it possible that a failure to switch off all your daemons and delete them is just sloppy software engineering on a piece of the system that isn't considered critical path by product managers.

After all, users never want to uninstall our software, right? That implies they don't love our product. And of course they love our product. ;)

It's not that uninstalling isn't an important feature. It's just that at crunch time, project managers will pull people off polishing the uninstaller to put them on that virtual green-screen feature 10 out of 10 times.


This was clearly not an accident, but a dark pattern.

There are way too many complex dark patterns which have been exposed to excuse them as oopsies. This is a company where product managers overruled developers into creating security-breaking implementations for the sake of "usability".


You just described exactly what I described, only attaching a malicious connotation to it.

It doesn't have to be malicious; the fact is that the market simply favors usability. Optimizing for the things users care about over the things they don't is the first PM guideline. This has been demonstrated over and over and over again; have users first, then worry about security and privacy.


> You just described exactly what I described

I don't think parent did.

What you originally described (or proposed) was that it may be a simple case of accidentally overlooking a bit of tidying up during uninstall.

What I described - the problem that came to light March and then June last year - is that Zoom installed a web server on your Mac whose sole purpose was to silently re-install Zoom if you a) uninstalled zoom, and b) later clicked on a zoom link.

There is nothing about it that could be attributed to 'getting uninstaller logic wrong'.

Refer: https://news.ycombinator.com/item?id=20407233


This is not correct. I have some sympathy for them, maybe this was what was needed to grow with a dev center in China. They might have been pressured by government authorities.


The statement admits that they fell short of the privacy and security goals but goes on explaining how it's not their fault. It makes it look like either the issues are non-issues, or they're someone else's issues, or "we'll do these generic things that don't address in any way how those issues came to be". Which is a big thing to mention if you care about transparency and earning back the trust.

Some of the biggest issues came to be due to deception and this message does not address that point. They were intentional decisions with effort put into obscuring them. One of the most egregious being the creative use of the "end to end encrypted" moniker. That was deliberately deceptive and I don't see this cookie cutter response addressing any of that.

More engineering resources and engineering fixes don't fix deception, that starts at the top. And this puts the whole message into question.


>Any sw product has issues. The question is what the company does about it

We are all software devs -- we know as well as him. He's chosen to prioritise growth over end user data privacy protection and then lying about it with marketing e.g. E2E advertised on front page.

Many of these privacy/security issues were being complained about on HN about Zoom well before Corona.

If Zoom users are data breached I personally won't feel sorry for them like some other breaches like Equifax for example. They've signed up to this to secure a bit of convenience. I will be personally discouraging its use where I work.


“If Zoom users are data breached I personally won't feel sorry for them like some other breaches like Equifax for example. They've signed up to this to secure a bit of convenience.”

I think that’s a bit unfair of a stance to take. As an example, I know someone who doesn’t want to use Zoom, but thanks to their university classes going online-only due to COVID-19, some of their professors have forced them to use Zoom for lectures, presentations, and examinations.


That. I am personally in that boat and in my class I had no choice, but to use Zoom for it. The problem with "you don't want it, don't use it" mantra is, it is ignoring cases like mine. In law, those tend to be characterized as contracts of adhesion.

edit: clarity


Same. $WORK moved from Whereby to Zoom (to handle more people in the weekly video meeting) which means I have to use Zoom - but I'm only using the iOS version and without signing up for an account.


>He's chosen to prioritise growth over end user data privacy protection and then lying about it with marketing

I feel like I'm in crazy town. Isn't this the actual, living, real motto of SV? Move fast and break things.

That's a thing that exists. Why are you people hating on Zoom when they're doing what you're all (seemingly) trying to do? Have I lost my mind?


And I have always disagreed with that motto, as have many others here at HN.


Money gives cachet and prestige. Who cares about TLS/SSL abstractions when you're driving a new Lambo?


> Isn't this the actual, living, real motto of SV? Move fast and break things.

Not all of us are in SV. And some of us go to great lengths to not break things.


I guess the sociopath that wrote that originally doesn't speak for everyone?


Well, I can discourage its usage as much as I want, but if my university decides to use it, my chances to change that are very close to zero. And if the security issues affect me or my students, I will feel sorry.


Zoom were and are outright lying about being e2e encrypted.

What does that have to do with user count?

https://daringfireball.net/linked/2020/03/31/zoom-e2e


"While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."

https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-...

Because "thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment" and they didn't "design the product" for these "new, mostly consumer use cases", it means that up until now they couldn't have foreseen that lying about e2e encryption to sell enterprise subscriptions was an issue.


> enterprises around the world have done exhaustive security reviews

I'm pretty sure they are referring to security reviews for things like SOC2 and PCI. Which aren't exhaustive and generally consist of throwing a scanner on the network and running some sort of OWASP Top 10 vulnerability tester against the product. I have uncovered major flaws in products I have written that these "extensive reviews" have missed, like user enumeration by changing something in a POST request.


It's very likely that a bunch of companies' RFP process is a feature checklist and to get the "encrypted" box checked they needed that lie, or their product was out of the running.

RFP by "who can tailor their marketing to check all the boxes" is a terrible process and leads to this marketing bloat. RFP would be much more useful if it stuck to "list only things you do your competitors don't; what processes come with your product that are much more efficient or innovative compared to your competition; like an SEC disclosure what are three true non fluff risks to selecting your product; describe your revenue, user growth, and future ownership expectations." If a company can't answer those seriously, push them until they can, or tell them you'll move on.


SOC2 and PCI are a lot more than running an automated scan. Sure, that's part of it, but both are full-on frameworks that stretch well beyond technical controls and deeply into organizational questions.

The important thing is that they establish enough trust to create basis for shifting liability.


That's the biggest sticking point for me as well. I don't expect my mother to know what end-to-end means but I have a hard time believing that a technology company made this encryption claim in good faith.


Their website headers also whitelist a lot of domains including quite a handful that are known malware distributors. See for yourself: curl -I https://zoom.us


All I see is `Content-Security-Policy-Report-Only`, which doesn't actually do anything security-wise. Their site uses the default CSP settings.


I'm not expert in this stuff. Is there a reason all of these domains are specified here?

[edit, formatting]

Content-Security-Policy-Report-Only: default-src blob: 'self'; script-src 'unsafe-eval' 'unsafe-inline' blob: https://*.50million.club https://*.adroll.com https://*.cloudfront.net https://*.google.com https://*.hotjar.com https://*.zoom.us https://*.zoomus.cn https://*.zopim.com https://ad.lkqd.net https://ajax.aspnetcdn.com https://apiurl.org https://appsforoffice.microsoft.com https://assets.zendesk.com https://bat.bing.com https://cdn.5bong.com https://cdn.jsdelivr.net https://cdncache-a.akamaihd.net https://code.jquery.com https://connect.facebook.net https://consent.trustarc.com https://extnetcool.com https://fp166.digitaloptout.com https://googleads.g.doubleclick.net https://intljs.rmtag.com https://pi.pardot.com https://px.ads.linkedin.com https://ruanshi2.8686c.com https://rum-static.pingdom.net https://s.dcbap.com https://s.yimg.com https://s.ytimg.com https://s3.amazonaws.com https://scout-cdn.salesloft.com https://sealserver.trustwave.com https://secure-cdn.mplxtms.com https://secure.myshopcouponmac.com https://snap.licdn.com https://sp.analytics.yahoo.com https://srvvtrk.com https://static.zdassets.com https://static2.sharepointonline.com https://tag.demandbase.com https://tpc.googlesyndication.com https://tracking.g2crowd.com https://translate.googleapis.com https://trk.techtarget.com https://unpkg.com https://www.comeet.co https://www.dropbox.com https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com https://d.adroll.mgr.consensu.org https://serve2.cheqzone.com https://*.ada.support 'self'; img-src https: blob: data: 'self'; style-src https: 'unsafe-inline' 'self'; font-src https: data: 'self'; connect-src * data: 'self'; media-src * blob: 'self'; frame-src https: ms-appx-web: zoommtg: zoomus: 'self'
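An added example, not part of the thread: a small Python auditor for a CSP header like the one quoted in this comment. It reports whether the policy is enforced at all and which `script-src` entries weaken it. The sample value is a shortened copy constructed from the quoted header, and `SHARED_HOSTS` is an illustrative assumption, not an authoritative list.

```python
# Constructed sample: a shortened copy of the header quoted in the thread.
SAMPLE_NAME = "Content-Security-Policy-Report-Only"
SAMPLE_VALUE = (
    "default-src blob: 'self'; "
    "script-src 'unsafe-eval' 'unsafe-inline' blob: https://*.cloudfront.net "
    "https://*.zoom.us https://cdn.jsdelivr.net https://unpkg.com 'self'; "
    "img-src https: blob: data: 'self'; connect-src * data: 'self'"
)

# Assumption: illustrative list of hosts that serve files published by
# arbitrary third parties, so allowing the host allows any script hosted there.
SHARED_HOSTS = {"cdn.jsdelivr.net", "unpkg.com", "s3.amazonaws.com", "*.cloudfront.net"}

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Return {directive: [sources]}. A repeated directive is ignored,
    matching how browsers keep only the first occurrence."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit(header_name, header_value):
    """Return a list of (finding_code, offending_source) tuples for scripts."""
    findings = []
    if header_name.strip().lower() == "content-security-policy-report-only":
        # Report-only: the browser sends violation reports but blocks nothing.
        findings.append(("report-only", header_name))

    policy = parse_csp(header_value)
    # script-src falls back to default-src when absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        findings.append(("no-script-restriction", ""))
        return findings

    lowered = [s.lower() for s in sources]
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    pinned = any(s.startswith(HASH_OR_NONCE) for s in lowered)
    if "'unsafe-inline'" in lowered and not pinned:
        findings.append(("unsafe-inline", "'unsafe-inline'"))
    if "'unsafe-eval'" in lowered:
        findings.append(("unsafe-eval", "'unsafe-eval'"))

    for src in lowered:
        if src.startswith("'"):
            continue  # keyword sources were handled above
        host = src.split("://", 1)[-1].split("/", 1)[0]
        if src == "*":
            findings.append(("any-origin", src))
        elif src.endswith(":"):
            findings.append(("scheme-source", src))  # e.g. https: or blob:
        elif host in SHARED_HOSTS:
            findings.append(("shared-host", src))
        elif host.startswith("*."):
            findings.append(("wildcard-host", src))
    return findings


if __name__ == "__main__":
    for code, source in audit(SAMPLE_NAME, SAMPLE_VALUE):
        print(f"{code:22} {source}")
```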


These are blanket permissions for third party ad and affiliate (user tracking) scripts, so much for "targeted at organizations with IT departments" and "we do not sell your data".


This list makes me scratch my head... when, ever, would ".google.com" be filtered the same way as ".50million.club" or even "googleads.g.doubleclick.net"?

I understand the header causes logged reports, no actual policy enforcement, but still... I don't have a good read on their underlying concern here.


If I understood it correctly it tells the browser it's ok to run scripts from all these origins. No idea why there are so many malware associated domains here. Maybe zoom’s ceo could enlighten us. Probably because of the virus and unexpected growth I’m sure.


The domains are likely in the whitelist as their report-uri was getting spammed with reports from users that have adware/malware extensions in their browser.

These extensions inject their own scripts into the page which will then fail based on the CSP and send a report to the server. In an ideal world you would just 'ignore' these reports server-side instead of whitelisting the domains.
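The server-side filtering this comment suggests, as an added Python example that is not part of the thread: a triage step for a `report-uri` collector that discards extension noise and operator-ignored hosts without touching the policy itself. The report bodies are constructed samples in the legacy `csp-report` JSON shape, and `IGNORED_HOSTS` and all `.example` names are hypothetical.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# URL schemes browsers use for extension resources.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension",
                     "safari-extension", "safari-web-extension"}

# Assumption: hypothetical ignore list. It lives in the collector only, so
# silencing a noisy host never widens what the CSP allows.
IGNORED_HOSTS = {"adware.example"}


def make_report(**fields):
    """Build a constructed report body in the legacy report-uri format."""
    base = {"document-uri": "https://app.example/join",
            "violated-directive": "script-src"}
    base.update(fields)
    return json.dumps({"csp-report": base})


# Constructed sample input, one entry per case the triage distinguishes.
SAMPLE_REPORTS = [
    make_report(**{"blocked-uri": "https://inject.adware.example/x.js"}),
    make_report(**{"blocked-uri": "https://cdn.thirdparty.example/a.js",
                   "source-file": "chrome-extension://abcdefghijklmnop/content.js"}),
    make_report(**{"blocked-uri": "inline"}),
    make_report(**{"blocked-uri": "https://unknown.example/payload.js"}),
    "not json",
]


def host_matches(host, suffixes):
    """True if host equals a listed domain or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(raw_body, ignored_hosts=IGNORED_HOSTS):
    """Classify one report body. Returns (label, target)."""
    try:
        report = json.loads(raw_body)["csp-report"]
        blocked = str(report["blocked-uri"])
        source = urlsplit(str(report.get("source-file") or ""))
        target = urlsplit(blocked)
    except (ValueError, KeyError, TypeError, AttributeError):
        return ("malformed", None)

    # A script injected by, or loaded from, a browser extension is client-side
    # noise: it says nothing about what the site itself serves.
    if source.scheme in EXTENSION_SCHEMES or target.scheme in EXTENSION_SCHEMES:
        return ("extension", blocked)

    host = target.hostname
    if host and host_matches(host, ignored_hosts):
        return ("ignored-host", host)

    # Everything else, including keyword values such as "inline" or "eval",
    # may be a real injection or a broken deployment and needs a human.
    return ("investigate", host or blocked)


def summarize(bodies, ignored_hosts=IGNORED_HOSTS):
    """Return (label counts, counts of targets that need investigation)."""
    labels, targets = Counter(), Counter()
    for body in bodies:
        label, target = triage(body, ignored_hosts)
        labels[label] += 1
        if label == "investigate":
            targets[target] += 1
    return labels, targets


if __name__ == "__main__":
    labels, targets = summarize(SAMPLE_REPORTS)
    print(dict(labels))
    print(dict(targets))
```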


Well, think of all the man hours they spent creating “features” like installing a backdoor on MacOS that allowed them to reinstall Zoom after the user explicitly uninstalled it.


I don't know if I'd accept this. Zoom deliberately bypassed macOS security measures and ignored other basic principles for security. Additionally, they ignored privacy regulations like the GDPR by sharing data with facebook without user consent.

That's a lot of stuff to forgive, within just a few weeks. I could forgive their servers buckling under the load or the trolls bombing in meetings. But everything else is less of a mistake rather than a conscious decision in the basic software architecture.


>That's a lot of stuff to forgive

Isn't this where fines balance things out? I mean, it's 2020 ... GDPR isn't a new thing. It's good they have a plan to fix things, but isn't that enough for tech startups "We're sorry :(" narrative?

They are well funded, and have plenty of resources when compared to SMEs...

People still can choose to not use the service anymore, but that choice alone isn't enough. They should pay for it, and then users can make that decision.


> Isn't this where fines balance things out? I mean, it's 2020 ... GDPR isn't a new thing.

Exactly! That's the point I was trying to make (sorry if that didn't come across properly). It's not like they are facing completely new challenges. GDPR has been in place for years, yet they are breaking it. Guessing URLs to access "protected" files is also not unheard of.

I understand that it is a massive challenge to scale so fast and it's good that they have plans to fix these issues, but these are mistakes that could have been easily avoided in the beginning.


The problem is that the GDPR is a joke, it's almost like they passed the law under duress but aren't actually interested in enforcing it (maybe because whoever is in charge is actually benefiting from the current situation?)


You're right.

The idea to enforce it was each country's Data Protection Agency is the key contact for any data/security issue - doesn't matter if it's reported by the company itself, or by a consumer who denounced a breach in data protection terms.

Then the country can issue any fines, reporting to EU agencies, etc.

The problems are:

- This process isn't clear for companies, let alone consumers;

- Not all Data Protection Agencies are the same, neither have the same resources. Here, in Portugal, when GDPR was live, the director of the agency came out to the public and said it was impossible to enforce anything because they didn't have the resources to do it. He was fired.

The reality is that it's extremely hard to control so many players, and delegating it to each country, some of which underfunded, doesn't get us anywhere.


I'm in complete agreement here. Their response is appropriate given the challenges that they face. No team ever thinks they are going to get that kind of migration to their platform the way zoom has received. Good for them.


> LOL user error. RTFM

If you don't read, comprehend, and remember Emergency Airworthiness Directives you have no business being a pilot for hundreds of people. (The instructions were a whole two steps: 1. trim to normal with electric trim switches 2. turn off the stab trim system.) Boeing is still at fault, but the pilots do share a portion of the responsibility.

https://theaircurrent.com/wp-content/uploads/2018/11/B737-MA...

Boeing was working on a fix right after the first LA crash.


Absolutely not. They have LIED about end-to-end encryption knowing very well that their product did not support that. That is premeditation, not making a mistake. Also their atrocious history regarding their privacy practices makes me think that they are now reacting in this way only because they got caught, not due to a genuine desire to be better.


Key section:

> Over the next 90 days, we are committed to... Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.

I see a lot of comments here claiming that this blog post is bland corporate apologia, doesn't take responsibility, doesn't change anything.

But this seems like a pretty legit turnaround. Overall, they seem to be addressing pretty much everything that's been brought up. They removed the Facebook SDK, they removed attention tracking, they've clarified their encryption policies in detail.

One commenter here is asking for more, for punishment, another demands their security team be fired. And I mean, if someone wants to try to sue Zoom for misusing the term E2EE then go for it, but obviously Zoom can't "punish itself" in a blog post, and pinning it on a few bad engineers feels like a scapegoat.

This seems to be positive steps, folks. Genuinely not sure what more you could be asking for from a regular for-profit business.


> another demands their security team be fired.

This drives me nuts. Disclosure: I'm currently working in a security role. My company is great, and if someone on my team says "we shouldn't do this", the reaction is to meet and decide how to replace an idea with something that serves the business request and our (and our users') security needs. I love it.

But I also know I'm being spoiled here. More common in my experience is:

Software engineer: We need to do a thing.

Security team: No! We can't do thing at all. It would ruin us.

Engineer's manager: We've already started and our CEO promised it to a customer. Do your job and figure out how to secure it.

Just saying, cut that group a little slack until we know that someone actually didn't do their jobs.


To be fair sometimes the security team is wrong or being over protective. There has to be a balance because it’s too easy to think of “what if”, Mission Impossible style, scenarios that have no bearing on the real world.


You're absolutely right. I have two main job functions:

1. Instead of saying "no", saying "not that way, but let's figure this out together".

2. Evaluating risk and modeling threats: "this is who we're protecting ourselves from, and here's what happens if we fail." If a bored teenager on their couch hacked our website, it would be embarrassing because someone without a lot of resources would be able to make changes to our display system, even if no real harm was done. If North Korea hacked our user database, it would suck and be bad for our users, but in practice not too many people are going to get angry at us for being attacked by a hostile nation's government as long as we were doing the right things.

(Note: that's grossly simplified, and it's not like we're "heh we don't protect against nation states".)


The more I'm online the less I feel like there's ever such a thing as over protective.


There's such a thing. You can get asymptotically close to "perfect security", but it really is a risk evaluation game. Is it worth it to spend $20,000 to run a pen test and make sure we're not grossly vulnerable to attack? Sure! Is it worth spending $50B to develop our own hardened OS, hosted inside our data bunker with airgapped servers running on custom CPUs? Probably not. The challenge becomes how to identify when you're as good as you reasonably can be given the threats you realistically face on a budget that doesn't resemble a small country's GDP.


Of course there's always a scenario that could be malapropos; yet most of the time we're not comparing $20k to a figure that has a larger GDP than many countries. I always get a kick out of people on the internet who take what I say and blow it way out of proportion to try to win an argument against me that I never made in the first place.

Anyway, I agree with your last sentence; at what point is something "good enough". Lately I feel like the "good enough" in a significant amount of corporations isn't acceptable. I'm in healthcare and the absolute lack of security in my day to day is absolutely amazing.


I think you're reading stuff into my reply that I didn't intend. I didn't want to argue with you. I read your post as though you were asking a question, and I answered it.

I agree with you on that last bit. While it's important to have your compliance ducks in a row, a lot of shops seem to feel like "we've checked all the audit checkboxes so we're secure now!" No. All that stuff is nice, but having a documented process for deciding who gets root on your database servers is not the same as actually securing your database servers.


> One commenter here is asking for more, for punishment, another demands their security team be fired. And I mean, if someone wants to try to sue Zoom for misusing the term E2EE then go for it, but obviously Zoom can't "punish itself" in a blog post, and pinning it on a few bad engineers feels like a scapegoat.

A portion of the development community loves to talk about blameless post-mortems and a blame-free culture until a tech company like Zoom does something they don't like.


I think it's generally a poor assumption to assume that any two internet "crowds" are the same people. Some commenters care about X and some about Y and we can almost never tell what the overlap between those groups is. The hivemind is not as uniform as that.


Well said, and it applies beyond just "internet" crowds. Some people think whole nationalities work as uniform hiveminds.


If the citizens of the internet didn't vehemently demand blood for any misstep, would it still be the Internet?


Well, speaking solely for myself, I am more willing to forgive genuine bugs or even targeted attacks (supposing the company being attacked was doing the right things e.g. no weakly hashed passwords, keeping as little PIA as they can get away with, proper isolation) over misfeatures that hint at deep company culture problems ("Hmmm, how can we profit from our users' data, even though they're already paying us?")


While I agree with you, I can imagine people who prefer being blameless towards accidental mistakes (engineer ssh'd into a wrong host and dropped prod DB instead of testing) but demand proper punishment of "misfeatures" created on purpose (like spying on users).


> until a tech company like Zoom does something they don't like.

Consistently does something they don't like. Most people forgive single instances, but they don't forgive patterns as much. Especially when the patterns look like they are on purpose.


I agree. I'm just as skeptical as the next person about PR corporate-speak, but there's a clear action plan here and addressing of concerns. At least give them a chance to make good on their claims right?

We've become such a cynical culture, once pitchforks are brandished they appear to be unsheathable, rather they grow sharper and more wild as the chorus of internet echoes grow. While there is value in discouraging certain behaviors (and thus "make an example"), and encouraging new ones (some level of noise was needed to warrant a response at all), surely there must be a path to redemption, an acknowledgement of misaligned incentives in lieu of the demonization of individuals. There are too many true enemies in the world (most of them not processes not people) to harbor such disgruntlement against a platform which is by at least basic measures doing good (providing a service that is obviously loved and used by many and jobs and economic well-being to those who make and support it).

I personally have been wary of Zoom since the first reports of their apps doing shady things (and the forcefulness with which they attempt to make you use it) and don't find it provides any value over a multitude of other services. But this wariness warrants a mere "meh, I'll go elsewhere," not a crucifixion. Yet as the frothiness grows from this current story (and it's really not much of a story) it becomes more difficult to see just what sort of blood sacrifice will satiate the mob.


I think that's unfortunately a climate that arose as a reaction to the sustained appalling behavior by FAANG and wannabe-FAANG cowboys.

When you have a handful of tech companies who systematically, unashamedly and deliberately abuse people's trust and privacy, it ruins the landscape for everyone. As it stands today, our trust has been betrayed so many times that a default assumption that the other actor is malicious and will do the wrong thing is almost always correct.

It's a shame, but this seems to be the case for every industry that is consumed by greed, and almost as a rule, every successful industry will eventually be consumed by greed. It's a local minimum that our society in its current form cannot seem to avoid.


Well so again I think these are misattributions here. You're using language like "trust," "unashamedly," "malicious," in circumstances where "behavior," "incentives," and "value" are more fitting. This framing is why the pitchforks get wielded with such ferocity, demonization/victimization in situations that require more careful scrutiny and nuance.

> It's a local minimum that our society in its current form cannot seem to avoid.

It can't avoid it because it is the result of incentives, not specific players. This is why it's so ineffective to brandish hostility towards individuals or even companies: others, up to and including yourself, would do the same things if put in the same positions, because that is what would be best for you (and there are plenty of rationalizations you can come up with to show why it's net good).

To eradicate this kind of thing we cannot be relegated to impotent rage with mob-issued pitchforks at industries or companies or the individuals who operate them, or play the victim card and blame the industry for "betraying our trust." The "why" of this is not an "industry consumed with greed," it is a fundamental result of technological breakthroughs in an economic environment such as ours. When you have bad incentives you will continually get bad actors, and playing whack-a-mole with them will be a fruitless exercise. We have to recognize the systems as a society, not the players, if we are to have any hope of true reformation.


I agree that this is a systemic issue and as long as the system is the same, the outcome is unlikely to change, hence why I wrote "It's a local minimum that our society in its current form cannot seem to avoid".

So a change in the system is required to fix the root cause, but I think some amount of pitchfork waving and torch igniting is not out of the order. The excuse of "everyone would do it with these incentives" is not an excuse for this behavior. And I say that fully admitting that I'm part of the system (although a different industry), and yes of course I'd do (and am doing) the same given the choice.

Perhaps the pitchforks show the individual the error of their way, and the society will change once enough individuals decide to make the change?


Maybe, I do agree it's warranted to call out bad behavior and impose some penalty on said behavior to discourage it. After all, this "feedback" has elicited a response here at least. But I worry that:

A) It misses the bigger picture and thus doesn't address the underlying cause, thus it will continue to happen over and over.

and

B) It feeds an outrage culture that permeates far too much of our online conversation that requires more nuance and careful dissection, which paired w/ the first leads to division and us vs them mentalities when more than ever we mentalities are needed.

Perhaps I'm overly sensitive to that second one because I'm more focused on systems and because outrage culture, which itself is born of other misaligned incentives, is a large problem underlying other issues that I've tended to notice more in my circumstantial isolation. So in a sense I'm being hypocritical when I plead for a more measured and forgiving response as I'm addressing individuals not the systems that caused them to react in this way. Mostly I'm just thinking out loud, as are we all (we're thinking at each other rather than with each other, another issue, related to outrage culture).

Anyway, as I'm in danger of severely incoherent rambling here I'll circle back to say I cautiously agree with you that some measure of pitchfork waving is warranted. But when the CEO makes a response like this, at least on its face an earnest effort to right past wrongs, can't we at least give them a chance to do so? Otherwise the pitchforks lose their meaning as it begins to look like they were out just to be out, and we're more concerned with persecution than actual redemption or resolution.


Well, yes, but now you're saying our trust is limited because other companies do bad.

But we have a pretty good reason, beyond that, to not trust Zoom - THEY clearly never gave a shit about security, given in a few weeks of people taking a slightly deeper look we've had pretty much every possible leak and bug and problem you can imagine crop up.

How long did it take Microsoft to go from "no-shits-are-given-security" to "security-is-core"? 2 decades, something like that?

So yeah, sure, 90 days, that's... well, maybe the beginnings of a start.


Your entire reply feels overly cynical. No, nobody likes it when companies invade your privacy, a la F & G.

However, saying "it took another megacorp twenty years to fix their privacy problems, so we shouldn't trust $relativelysmallcompany for the next two decades" is not fair to $relativelysmallcompany and doesn't even consider the cultural change it probably took to get $megacorp to actually care about security and user privacy.

Personally, I don't really like Zoom. I use it, and it works okay, but there are a lot of little nitpicks I would like to see addressed - for instance, it'd be really nice to be able to adjust individual members' volume levels or be able to mute them outright as a participant instead of listening to a compressor that needs a new bearing in the background for an entire meeting because they're not using push-to-talk and the host just downloaded the client yesterday. I'm also more than willing to give a company time to fix underlying architecture problems and not demand fixes in the meantime.

I would want to be given the benefit of time to fix problems, wouldn't you?


It is not possible to extrapolate with certainty the quality of code from the bugs that remain in it when released.

“There’s a misspelling in the HTTP headers spec, so obviously this was written by amateurs.”

“Browser X has an RCE, so obviously they don’t care about security.”

These are obviously faulty logic when stated about other scenarios, and apply here as well.

Has Zoom been found to have the same specific technical issue reoccurring over multiple releases, to the tune of “buffer overflow” or similar? If so, then that’s a trend to throw up warning flags about.

A series of bugs that share no commonality other than being bugs is, perhaps, not so much.


> At least give them a chance to make good on their claims right?

I’d be much more willing to cut them some slack if this was their first offense, or if their previous mea culpas had shown evidence of change. Today, it feels like “This time for sure!”


Or, maybe more accurately, "This time we actually have to because there are consequences to not doing so."


Two things: Zoom has established a clear pattern of malfeasance which can no longer be forgiven by writing it off as incompetence. Second, the stability of the world now depends on tools like Zoom, and their bush-league petty-criminal nonsense cannot be tolerated in a time of planetary emergency. Blood sacrifice is completely warranted here.


Did they actually establish a clear pattern of malfeasance? To me, a DevOps dude, it seems like they simply did not pay attention to security and privacy and focused on making features as easy to use as possible. Many security experts will tell you that security is all about trade offs between convenience and privacy. Zoom went to market basically only focused on convenience and now that the whole world is using the platform they have all eyes on their products.

It doesn't seem like anything they did warrants "Blood Sacrifice", and it doesn't seem like anything they did was criminal negligence. Security incompetence? Yes certainly, but let's be real, 99% of companies would fail under the same security scrutiny if the company suddenly had 190 million more users using their same product overnight. Aren't you at least glad their CEO cares enough to address these issues? It's not like Facebook drastically addressed their users' privacy issues, even with intense scrutiny over the last few years. The situation with Zoom could be much much worse. They definitely have some more work to do, and we should keep holding them accountable, but since I am forced to use Zoom for work, I'm glad they're even pretending to take these issues seriously.


While I agree that we can't continually forgive them for intentional behavior, I think you need to, at the very least, acknowledge that what they were trying to do, albeit poorly, was to limit the interaction needed from the end-user to make their product seamless when someone clicks a link. To go from there to being a tool of worldwide necessity and critique in a matter of weeks is unfair, in my opinion. It wasn't incompetence so much as it was something that worked and wasn't a big issue when they were just a small link in a chain. It's important now but that doesn't mean that the response is blood sacrifice. That's just as bad as the knee-jerk cancel culture that's everywhere.


People need to put the pitchforks away.

I don't think Zoom has done anything malicious. I think they just built their software quickly and just made it work.

Now that it's under a lot of scrutiny they're paying a bit of PR price. But they'd probably do it all over again since they are now seeing hundreds of millions of users.


You make it sound like a startup that built a piece of software quickly and forgot a few things.

There are two issues with that argument. First, they put in EXTRA effort to break the security of their users. The feature of 'upon de-installation, install a daemon on the system that silently re-installs the app whenever a zoom link is clicked' is MORE work than not doing that, for example. Second, they are 8 years old, have 2500 employees and a revenue of over 600 million. I work at a 30 ppl startup and I would not at all be surprised if we invested more hours in security in 2019 than Zoom did...


I'm running Zoom in a virtual machine, & while I'll continue to do so, this news will pause me from recommending others (who are unwilling to sandbox applications) to not use Zoom

Still, would like their WebRTC UI improved. The use case I'm in requires gallery view & the web ui lacks that, so I ended up having webrtc streaming me out while using Zoom in Windows Sandbox to view (Sandbox isn't able to use my webcam). "easy to use" wouldn't describe my experience


>> One commenter here is asking for more, for punishment, another demands their security team be fired.

Internet jerk trolls who feel they aren’t jerk trolls because they feel they occupy some moral high ground.

“I’m not a jerk troll cause they’re bad bad!”


>This seems to be positive steps, folks. Genuinely not sure what more you could be asking for from a regular for-profit business

I don't consider a public company worth umpteen billion dollars to be a regular for-profit business. They had the resources to address these issues before the public attacked them for it, and chose not to. With the same team in charge, why would I expect them to be proactive on similar issues in the future?


Did they remove the FB SDK completely, or just from the iOS app? The last post I saw from them was just the iOS app, and nearly bragged about it still being part of the webApp.

FTA: "On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users."


Any blog post that claims enterprises did any kind of meaningful security evaluation is a joke. They say almost nothing about fixing their existing shenanigans nor their past failures in that posting.


> One commenter here is asking for more, for punishment, another demands their security team be fired

Sometimes engineers are clueless, but it is unlikely that all of them are clueless. It's unlikely, unless the company is small, that there's a single engineer that's responsible for something.

However, a single person can be clueless and do incredible damage. Such persons are often called 'managers'.


They are making a lot of money at the cost of putting their users at risk - a big fine seems in order.


On what legal grounds?


GDPR, CCPA, etc. Things are changing in the industry and law makers are slowly catching up to protect their citizens.


I can't help but wonder if a Zoom that had, hypothetically, needed to be ultra-paranoid about GDPR or CCPA compliance would have a product on the market capable of wide adoption at the time the world suddenly needs a videoconferencing tool. Everything has tradeoffs.


Zoom has been around for a while, it didn't just spring up when COVID-19 hit.

Which part of the GDPR do you think would have significantly delayed development?


Which part do we think would be grounds for a lawsuit?


You're avoiding my question.

I really don't agree with your argument that caring about user security and privacy would have a substantial effect on development time, certainly not in respect of GDPR.


If that's not true, we should be able to see an alternative to Zoom on the marketplace right now with as wide adoption as Zoom.

The fact we don't indicates there may be some reason security and privacy take a back-seat to usability and market adoption (and, in fact, it appears we've seen that pattern over and over again). "Engineering for security and privacy slows down product-to-market" is, admittedly, but one hypothesis.


Erm... there are plenty of video conferencing alternatives - video conferencing isn't something new that started with coronavirus.


There are, but I'm referring to one that has the penetration, adoption, and feature-set of Zoom that also has tight security and privacy guarantees.

I can't name one.


I am tired of reading such statements. They are like a playbook when things go wrong.

Zoom had privacy and user invading issues years back. They didn't learn their lesson back then with the MacOS installers, and continued to assure us they are taking the "right steps".

My company have stopped using Zoom and we'll never go back.


At least they didn't tell us that our privacy was important to them. Hard to believe that you still hear that ol warhorse


Oops - spoke too soon:

> “Zoom takes its users’ privacy, security, and trust extremely seriously,” the spokesman said

https://www.theguardian.com/technology/2020/apr/02/zoom-tech...


That is because those statements are really written for you in the first place. They are really written by and for lawyers. This is about finding a balance between comforting as many users as they can, which is lip service, and not say anything that will result as evidence in a lawsuit. For most of the people griping here, saying anything they would want to hear (which would amount to grovelling and still be "not enough") does not fit that criteria.


What do you use instead?


At my company we just switched to Jitsi Meet. Fulfills our needs, works with just a browser, and we can be assured that our data remains ours as we deployed it locally.


exactly, like Google Meet is "better"? Zoom got called out and they're going to fix these things. Anyone you jump to is going to have different or maybe some of the same issues.


They admitted problems and deployed fixes. All while massively scaling during pandemic.

I'm honestly curious, what could the CEO say differently?


"In an effort to maximize uptake and engagement for my VC masters, I deliberately added several hidden mechanisms to the software that violated security and privacy practices and laws, and then I lied about them. When I got caught, I denied, deflected, and finally blamed it all on innocent mistakes. This happened multiple times, establishing a pattern that left no doubt that my actions were premeditated. In order to right this ship and give our customers, employees, and shareholders confidence in the company's future, I hereby resign, effective immediately."

That's what he could have said.


None of the actual issues are related to scaling at all.


Bingo, they straight up lied about E2E, bypassed security features, sold user info and hacked their way into self installing.

Plus blaming all the issues on consumer use cases is hilarious. That might work for like a company that makes fiber lines for commercial deployments or something. However, it's like they forgot that their core video might be B2B, but the client is almost always B2C and always has been. The fact that you are forced to use the Zoom client/plugins to attend a Zoom meeting may make the business case enterprise, but they have always been taking these horrible stances on the client and harming normal people who can't choose to use something else.


There's nothing the CEO could say differently. Words don't cancel out the fact that they outright lied and absolutely, intentionally, implemented something that violated the privacy that they promised. It has nothing to do with the pandemic.


It's a matter of trade-offs. You deliver fast to have a product that sells or do the things right and hope people value that.

Most venture startups are focusing only on the first part. Slow-Growth focus ones on the second.

Once you get used to one model, it's hard to switch to another.


They have _actively_ engineered solutions that are bad for the users with no justification. It was extra effort, which means less speed and more complexity in order to get them in place.

This has nothing to do with delivering fast.


> Once you get used to one model, it's hard to switch to another.

So that plays out as "we can never truly trust Zoom to do things right". Sounds exactly like how I feel.

Unless Yuan wants to finally say up front "I actively worsened security and threw away user trust in order to maximize our growth at the expense of everyone that installed our client" it's impossible to take anything else he says at face value.


Zoom has had major security issues for years, and they've always brushed them off as not a big deal. This isn't an isolated incident.

If their position is now that the Zoom software was designed for corporate users, e.g., that you're expected to only run it on your own VPN where you can guarantee there's no malicious network traffic, then it should have "NOT FOR CONSUMER USE" plastered all over it.

To me, this reads exactly like "Lol user error", except there's no "M" to "RTF" that ever said, for example, that its local web server stayed running after uninstallation and could take control of your camera, or that "E2E" in the Zoom docs doesn't mean the same thing as it means to the rest of the industry.

There's no responsibility being taken here. Taking responsibility would be "We fired all our 'security' people who told us we had best-of-breed security, and hired some actual security experts to re-architect our system to provide actual security for our users." What they did here is indistinguishable from "We're sorry we got caught!" except in verbosity.


> Zoom has had major security issues for years, and they've always brushed them off as not a big deal. This isn't an isolated incident.

But here's the operative question: were they wrong to set their priorities the way they did? In this crisis, they're wildly popular, and part of that popularity comes from optimizing for usability and advertising to close the deals that got their product in front of enough people to be a "household name" when everyone suddenly needed videoconferencing.

If people want security, GChat is built on top of Google's infrastructure, has almost no outstanding security issues, and years of engineering behind making it a quality product. And users don't care enough about security for that to be the tool people are reaching for right now.

Business is an art, and that art is the art of making tradeoffs to meet users halfway. And time and again, the product that thinks users need to be met halfway at "it's secure" gets trounced by the ones who meet users halfway at "It's usable."

> We fired all our 'security' people who told us we had best-of-breed security

Why, in a crisis, would you start by firing the people who already know the inside of your application, warts and all?


> here's the operative question: were they wrong to set their priorities the way they did?

Yes. Let me ask this the other way, in a different context.

Say your company builds rapid-assembly prefab building components. You have built the business on being supposedly greener than the competition, by using natural materials where possible. All of a sudden there is a massive surge in demand, and you find out that certain cost-cutting optimisations that used to be merely mildly beneficial, actually provide a marketing edge.

Does it matter that your fire-proofing is a naturally occurring material? Namely, asbestos?


1) Is there a better fire-proofing alternative available, one that will work as well and be as cost-effective to deploy?

2) Are we talking about 1990 (when the public actually cared, legal torts were likely, and it was a huge hassle to sell a property that was known to have asbestos) or 1890 (when in spite of evidence that asbestos may pose a health risk, industry was full-speed-ahead on it because, hey, everything poses a health risk, and lung cancer was of lower concern to the public than dying in a fire)?


Google is great at security. Privacy, ... not so great.


They've made mistakes in the past, but their privacy model is actually pretty good as long as your risk assessment includes the carve out "I'm comfortable with Google knowing a lot about me."

And if you aren't, there are plenty of alternatives. But unlike Google, they often don't have a security or privacy model to speak of because they haven't taken the lumps Google has in the past for messing up.


Maybe a blog post saying "Yes, we acknowledge that we deliberately ignored major portions of security practices and just did whatever got us market share fastest. We can't change the past, but we're going to clean house and do privacy and security for real from now on, and we hope you'll stick with us, or come back after we've fixed <pointing to all of this>."


That's pretty much what this blog post is, with just a little bit more PR speak.

And I'm honestly surprised that it is not totally watered down, it's not just PR speak and user blaming, but makes some clear points. The base defense is bad - that it was for less users and contexts before changes nothing - but it at least includes the "we will focus on that now, honestly". That's not bad already.


We could read the PR blurb from the company that engineered for security and privacy before getting features in place users wanted, but we can't. They're not making a blog post because they ran out of runway money, having failed to get a product in users' hands in time for anyone to care about their existence.


The reality of that makes my skin crawl.

Maybe the only way to get useful code that starts off secure is to start it open source? That way, even if it takes "forever", there's no profit motive or need to rush into adoption...

I'm trusting for-profit software less and less and less by the decade.


There are open-source videoconferencing solutions floating around on the Internet.

But they don't have the traction of the videochat-as-a-service options because those options have financial incentive to set up servers, configure them, solve those parts of the puzzle for users, make onboarding frictionless, etc.

I'm afraid I don't think open source would be a panacea for this problem, because if there's one thing we've observed from the world of open-source and online software, it's that most users adopting an open-source solution have to become their own sysadmin too, and a lot of otherwise-competent hackers are profoundly bad at the ever-moving arms race that is "hosting a secure software service online." Distributing the security maintenance burden doesn't make it easier to solve.

We could get there if, hypothetically, companies cared enough about security to demand that all the software running on (at least) the client machines and (ideally) the service-provider's servers was open-source so they could trust the security model via an audit by their own eyeballs. Then closed-source operations would lose out in the marketplace to open-source outfits because enterprise would only do business with the open-source ones.

They demonstrably do not care that much.


Very much agree. Look at email, a system with far fewer real-time performance demands, excellent fault and outage tolerance, and many excellent open-source mail transfer agents.

What percent of the internet user base runs their own email server? What percent of even news.yc readers do?


> Taking responsibility would be "We fired all our 'security' people who told us we had best-of-breed security,

Based on what we know (not much) it's equally likely that their actual security experts completely understood the current situation, but marketing or high-level C-suite people came up with all of this.

I can completely picture the conversation between security engineers and marketing about whether they can use the term "End-to-end encryption" because I've had very similar conversations before about (mis)use of technical terminology.

How far do you go if you're unable to convince them to change the terms? What if you escalate all the way up to the CEO and they don't agree.. then what? Do you refuse to leave the CEO's office until they concede? Quit your job in protest? (What do you suppose that would accomplish?)


I'd be interested in hearing about the conversation of the installer.

Manager: Why does the installer require so much interaction with the user?

Dev: That's part of the OS protection efforts.

Manager: Can we make it require less interaction?

Dev: Not without hacking together our own tool that once installed will allow the computer to run any script with root privileges. That's a bad idea.

Manager: If it means the user doesn't have to do anything, then do it.

Dev: But it is a bad bad bad thing.

Manager: meh

Or was it closer to

Manager: Can't we do something.

Dev: Sure (with an evil grin), we can do something.

Manager: Great!!


I highly doubt, if they even had a dedicated "security team" at the time the platform was architected as such, that they would have told the rest of the company they "had best-of-breed security". They would have understood their shortcomings and communicated them up the chain of command. And firing them and hiring an outside team of "security experts" to re-architect their system wholesale would be a patently absurd course of action.

The form of responsibility taking you're demanding is actually just business as usual, reactionary scapegoating.


> I highly doubt, if they even had a dedicated "security team"

I can only agree, from what I have seen on previous security vulnerabilities it often seemed to fall either into straight out negligence or intentional ignorance because it's easier "that way".

I believe security had never and will never be a top priority for zoom. At least while they can get away with it, which they currently seem to be able to do.

Also I have seen it more than once that a Team originally had good intentions into making good secure software (but not necessarily enough expertise) but due to frequent changes in priorities or wrong time estimates they end up with a software which "works" but internally is broken with a promise from management that if they produce something like that soon then they will get to fix security issues in a few months. But then they never get that time and shitty security becomes the norm. Following that people with security expertise get demotivated and move on (either literally by changing the job or metaphorically by just accepting writing not so secure software).


I struggle to understand why the sudden influx of new users would affect these security problems in any way. OK, more people are affected, but the problems are surely the same regardless of how many users they have.

To me it just comes across as an attempt to deliberately confuse the issue.


They address this specifically in the article:

> Dedicated journalists and security researchers have also helped to identify pre-existing ones.

Sure, you could translate that as "more eyeballs have uncovered our sloppy security" if you'd like, but it doesn't strike me as dishonest.


This is cunning PR diversionary bullshit.


Maybe so, but please don't post unsubstantive comments to HN. Especially not ones that are just denunciatory.

https://news.ycombinator.com/newsguidelines.html


Not cunning; it's a low effort hand wave. The rest is true.


If a team of career PR folks meticulously iterating on the precise wording of this message to frame the narrative in their favour doesn't count as "cunning" to you, I don't know what would.


I believe "cunning" is not about intent, but the action's effectiveness.

As an attempt to mislead or imply that there are no problems here, this is pretty much a failure, and thus not at all cunning.


That feels backwards. One can certainly intend to be cunning!


If you can intend and fail to be cunning, then the word's meaning must not be defined by the subject's intent.


This is what was said:

> For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations.

Now, putting this into context as a software development team. Let's say your security/privacy team says "we really need to patch this CVE we found" and your infrastructure team says "we really need to re-architect this one area so we can handle more users". Given that Zoom has likely just doubled its user base (which means more revenue), where do you think management is going to spend its time?

This is coupled with the fact that a company with a ridiculous influx of users is going to be a higher value target. Security/privacy isn't going to move the needle in terms of revenue, but infrastructure is. It's a matter of contention of focus.


All reasonable if the company wasn't 8 years old, had 2500 employees and a turn-over of 600 million. They invested clearly near nothing in security over the last years. The extra scrutiny showed that, but it didn't CAUSE it.


It reminds me of a common troll:

"If Linux had as many users as Windows 95, it would be just as buggy!"

Never thought I'd see it flipped around like this.


> "On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward."

That is such a dishonest way of framing it. No one was really concerned whether they would "sell" data. The issue was with the exorbitant amount of data they collect and its analysis for commercial purposes, be it ads (which doesn't involve selling data), targeted pricing or providing access to corporate admins.


Surely as this comes from the FB lib zoom are not an outlier here? Why the sudden pearl clutching at zoom when everyone is using facebook, google and any other site that has facebook tracking built in?


I work very hard to keep Facebook out of my life. I run an ad-blocker and I don't log into my (inert) Facebook account outside of privacy mode (or a VM). Unfortunately, I don't have a choice about using Zoom. So it sucks that I'm effectively getting backdoored with this nonsense. Why is it OK to expose my information to an advertising company like Facebook without asking for permission first? Because everyone else does it?


Agreed, I'm the same except I have no FB account.

I can't help but feel this sudden Zoom "panic" is coming from large (and incompetent) tech companies who are not happy with an upstart.


This is also related to their horrendous privacy policy [0]

[0]: https://blogs.harvard.edu/doc/2020/03/27/zoom/


> But in the Zoom app, you can’t tell if or how your personal data is being harvested.

> (think, for example, Google Ads and Google Analytics).

> There’s no need to think about those, because both are widely known for compromising personal privacy

No need to think about google. Not sure about that one. Surely there should be more of a panic about google/facebook? Why the sudden zoom moral panic?


> Why the sudden pearl clutching at zoom when everyone is using facebook,

Presumably, as an enterprise solution they have major enterprise customers that may have a corporate policy disallowing facebook and google use.


can't help but feel like hit squads from the lagging competition


I agree, this level of synthetic concern doesn't feel like "grass roots".

MS did a terrible job with Skype and Lync. No doubt they were expecting to be able to bind it to exchange server and then create a coupling that embedded into an effective monopoly, creating yet another bad user experience that somehow becomes "the norm".

Hopefully at some point MS will compete by improving their products and we will have a better WFH experience.


Was it? The techie community often seems to try to speak for the rest of the world and it doesn't always seem correct.

I would be surprised if much of the rest of the world didn't see a difference between "includes the facebook SDK" and "collects your data, bundles it, and sells it". Especially since such a huge percentage of apps include the facebook SDK. There's been specific research on apps that "overcollect" information and it's found that typical users will only pay a few cents more for correctly permissioned apps.


When we talk about Facebook, Google, etc. people commonly believe that "selling data" refers to any, direct or indirect, access third parties gain to the data, as captured by the common phrase of "selling your data to advertisers" used to describe Facebook's practices. So, for most people there is no real, qualitative difference between giving advertisers the ability to use the gathered data to target people with ads on the given platform and (literally) selling that data to advertisers, so that they can target people with ads on a variety of platforms. When companies assert that they are not selling data to third parties, they are using the fuzziness of that term in common usage to imply that the data cannot be used by third parties in any way - which is often not true.


"We didn't design for scaling overnight" is different from "we did care for security until we got caught"

However small or big, a company shouldn't be selling data without user consent, shouldn't use terms end-to-end encryption while making otherwise claims.

This behaviour should be punishable


Facebook did that (e.g. https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana..., funny stuff they did to circumvent GDPR). And who cared? There was some noise in the media and that's all. Was Mark Zuckerberg punished? For me all this Zoom bashing looks a bit as if those guys stepped on someone's toe, who does not like the idea of having another competitor in the social media/online advertising area.


This is "we are sorry for getting caught" changes-nothing nonpology.

The use of "end to end encryption" designation was no confusion, it was deception - it is implausible that this could have been done accidentally or as a result of a misunderstanding without engineers warning managers that this is not how zoom works and being overridden in their objections to communicate it as such.

They also double down on data collection. Disclosure does not establish consent and "we do not sell data" is a red herring because data can still be shared with third parties for business purposes against the interests of the users without being overtly sold (not to mention with governments under various "compelled cooperation" arrangements) and the entire policy can be subject to retroactive change without recourse.

The fact that they were targeting organizations with IT support is irrelevant except maybe to discredit the people within those organizations who greenlighted Zoom.

The saddest part is that it is unlikely any of the competing corporate offers are any better in any of those respects, but then they are not being actively pumped these days.


> This is "we are sorry for getting caught" changes-nothing nonpology.

True, but I am still happy to see it. It shows that they got burned and that they noticed and felt the burn. It remains to be seen how they follow up — I will be watching closely.


People who care and have the time to spare might, but this is standard PR crisis mitigation technique and the goal is to have a large mass of the users thinking "ah, this was just a mistake made under pressure in crazy times, zoom is ok now, still convenient".


Zoom seems to be another example of the repeating pattern we seem to see from web service software: if the product has good UX, people don't care about the technical issues that aren't in their faces. At least, they don't care in any tangible way like "They stop using the product."

Remember when Twitter was incredibly unstable? That was fine when it had only ten thousand users. They had to fix it fast when it had a million. But the thing is: that seems to be viable software practice (rush on features, forget about the robustness and the corner cases) because it keeps working.


"Oh no, it used to be alright that we are shady as hell, because, you see, we never thought anyone would actually use our service!"

Give me a break..


"Removed the attendee attention tracker feature."

Oh, I missed that one. https://support.zoom.us/hc/en-us/articles/115000538083-Atten...


I want to share my solution for remote collaboration and teaching: https://github.com/amkhlv/mathpump3

Professor uses Wacom and Inkscape to draw a picture, which is incrementally transmitted to students' computers. Students, those who have Wacom, may interact. Or just watch. Transmission happens every time the svg file is saved. Transmission requires a RabbitMQ server, which can be easily set up. Basically, a class needs one person who knows Linux, to set up the server.

It is intended for scientific collaboration or teaching in small groups of people. I am now using it for teaching my QFT class, although it only has 5 students. In principle, it should scale, but I have not tried it for large groups...

Drawing with Wacom in Inkscape is a pleasure, once you get used to it. In some sense, it is more convenient than using a physical blackboard. Although, some training is needed...


Awesome idea! Is there much overlap in the area where a professor has a wacom and also has a student that knows linux?


The moral of the story is once again that focusing on user acquisition at all costs is an effective strategy. MongoDB disregarded reliability, Youtube disregarded copyright, Reddit faked comments, Facebook disregarded privacy. Yet they were all ultimately successful. Could it have happened differently? Not so sure.


"Move fast and break things." I'm afraid getting there first is pretty much imperative.


Honestly, I don't understand why this site seems to hate Zoom so much. They're doing what all of the large players have done in the past. Why aren't they being congratulated for their success?

This is not meant to be snarky. They are literally living by the move fast and break things motto. Growth at the expense of everything else to win the market first, fix it second.

How are they not the golden child of SV right now?


People hate those large players too. Just look at how much hate MongoDB got for ignoring both reliability and safety.


It's just 2020 speaking, people outraged on the behalf of users who honestly don't care and just want easy to use videochatting.

This is just a symptom of ycombinator becoming a more widely known social network. All the malaises of social networks like pointless discussions about morality without any concrete solutions are coming along with that.


> pointless discussions about morality without any concrete solutions

The correct response to many moral issues is not to create concrete solutions, but simply to stop people from doing bad things.


Almost certainly couldn't have happened differently, since we also have counterexamples of similar competing projects that called out privacy as a differentiator which all crashed and burned.

If you want a privacy-focused product to win, you either need to find an audience who wants it and focus there, or, you need to do great on all the other fronts that lead to acquisition and keep the privacy stuff an internal priority, not a banner feature.


It could if your service is valuable enough.


All your examples have one thing in common, they are free to use.

Frankly I think it's absurd to expect privacy and security while not paying for anything.


Why is it absurd? If I accept a free food sample at the supermarket is it okay for the vendor to poison me?


I think your analogy is in bad faith. What rapsey clearly meant was that it's absurd to expect to get something for nothing. No business can operate that way, so if you're not willing to pay money then you're compensating them with something else, namely your information.

Your food sample analogy is similar to a "free trial". No company offers permanent free trials (at least not without a paid alternative, such as Spotify), just as no supermarket _only_ hands out free samples without also selling that same product in their stores.


Couldn't a web business also be offering a free sample with upmarket tiers available or alternative funding? How am I supposed to tell? Why does this make it okay for the business to ignore data safety? It would be cheaper for the supermarket to ignore food safety on their free tier, but we don't let them do that.


And then the company is publicly shamed for not providing privacy and security for everyone by the exact people who would never pay for anything anyway.


That is not a comparable analogy at all.


Because privacy and security are less important than food safety?

How about this one: I go to the library and borrow some books. This costs me nothing. The library publishes my name, birthdate, and reading list on their website. Is that okay?


> Because privacy and security are less important than food safety?

Yes how is that even a question?

> How about this one: I go to the library and borrow some books. This costs me nothing. The library publishes my name, birthdate, and reading list on their website. Is that okay?

Your library is funded through your tax dollars. You are paying for it.


The question was really whether that was your criteria for claiming my analogy was not comparable. Reading the rest of your comment, I see now that is not the reason.

It seems to me whether or not you can get something for nothing is rather orthogonal to the question of whether it's absurd to expect privacy while not paying for anything.

Are privacy and security less important than food safety? As I posted the question my immediate thought was, as yours, obviously, but the more I think about it the less I am sure. A single security breach in a critical information service could potentially have profound far-reaching effects possibly worse than a local case of food poisoning.


It's a free food sample. Not free food.


For anyone excusing any of this, Zoom is currently a 34bn dollar company. There really are no "whoops, didn't expect to get this popular" excuses that are legitimate for all of these issues; especially when none of these things have to do with scaling and are instead just boneheaded design decisions.


"34 billion" is the fake Silicon Valley price tag. And they get there by rushing like a bunch of idiots to a hollow Hoover Dam of a product that looks great to everyone from the outside.


Zoom is a public company. The CEO owns 4% of it.


> "We want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption."

Excerpt from their previous release above, only a few hours earlier.

Glad to hear they are starting to make improvements but waiting for public backlash to fix issues is a bad sign.


While I think Zoom has a lot of work to do from a security perspective, overall I think we should be supportive: facilitating -- mostly for free! -- very low friction video calls between an enormous number of isolated people is an incredible service.


What is a security focussed open source / self-hosted alternative to Zoom with comparable UX?




December 2019: 10M daily participants. March 2020: 200M daily participants. A sustained 20x spike in usage. And it’s still working! I think that’s amazing.

Think through this situation — 90,000 schools suddenly using Zoom, children doing their classes. What is most important: option 1) it just works option 2) it’s 100% secure

Imagine you were a member of Zoom's team, would you not be justified in feeling proud right now?


> Imagine you were a member of Zoom's team, would you not be justified in feeling proud right now?

It has nothing to do with scaling. The problem is the numerous anti-privacy and anti-safety measures that they actively partook in. Those were no "features missed out" due to rapid development. Those were anti-user features purposefully developed in. This is what people are complaining about; and this is what the zoom manifesto is shamefully trying to brush off as if they were related to rapid development or to rapid scaling. If I was a member of the zoom team (who hadn't actively participated in these features), I would be extremely ashamed of my company for spoiling our success with these damaging practices.


I have to believe the aim of these features was to make it easier for Zoom to be installed and to "just work." I'm inclined to give them the benefit of a doubt right now.


I don't know exactly what is the main security issue right now, but as I understand it, it's mostly related to this: https://www.bleepingcomputer.com/news/security/zoom-lets-att... (on Windows).

The Windows changelog[1] doesn't talk about a version released on April 1st, like the press release says[2].

So is the only way to mitigate that issue for non-techie users to deactivate the chat feature for all conversations?

[1] https://support.zoom.us/hc/en-us/articles/201361953-New-Upda...

[2] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u...


"Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment."

Interesting that he would point out the failure of thousands of IT departments around the world.


That jumped out to me as well. I'm in a large org that uses Zoom, not company-wide, but certainly in several departments. We have a SaaS questionnaire that vendors need to submit for review as part of the procurement process.

With everything that's come out since (not just the iOS client issue), I'm wondering how deep that questionnaire goes with regards to security concerns.


Zoom added the Facebook SDK. When they got caught they removed it. Great! But what about a statement that they will provide a user-focused third-party security assessment on a regular basis so that users know there are no other issues?

People need transparency.


“It takes 20 years to build a reputation and five minutes to ruin it” -Warren Buffett

They didn’t even bother to build up a reputation; hard to see how they’re going to build respect for people’s privacy and security into their culture now.


I find the whole ganging up against Zoom disgusting. Mac-fanbois-cum-security-experts blaming Zoom for the deficiencies of a) their platform not having a working native teleconferencing solution and b) their platform's arbitrary installer policies.

Then there's the issue that Zoom is now suddenly responsible for the complete lack of security awareness of teachers and middle managers who have never before held online classes, and are publicly posting meeting credentials so that everyone can join.

All, of course, while the whole world is freeloading (yes, "you are the product, hurr durr"; great contribution).


I think we need to acknowledge the fact that Zoom, and its use of cloud infra, took on 20x peak volume of 2019 within just a few months.


I think this is a necessary move on their part.

And they obviously have the business and engineering talent to make a good product (it's better than their competition, I'll grant).

But how much of their market share came because of some nefarious business and technical practices?

Forgive and forget, 'cause "correction"?


Off topic, but it would be nice to mention Zoom in the title, it's pretty ambiguous otherwise


> On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users.

Sounds like folks at Zoom take privacy and security related feedback pretty seriously.


I'm pretty new to Zoom. It always seems to take me a while to get to the option of using the web browser instead of the executable. Is there an easy way (e.g. URL structure) to force the web-browser-meeting and skip the download dialog?


Answering my own question: the URL to use to force using the web browser instead of the download is: http://zoom.us/wc/join/{your-meeting-id}


Through this I learnt, for the first time, that they also send data to LinkedIn.


That’s an enterprise integration, you can view participants’ LinkedIn profile which is very helpful if implemented right.

https://marketplace.zoom.us/apps/ex1KIG08R3-ctKCi65YePA


>With Zoom's LinkedIn Sales Navigator integration, you’ll build connections and instantly gain insights about your meeting participants.

Sounds pretty creepy. I assume participants have to opt into this?


No, they explicitly said LinkedIn sales API.


BS


What a load of crap...

> First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support

> These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform

Never ever gonna use zoom.. I got rid of it a long time ago when I found out about the malware...


Maaaan, the /wordpress/ in the URL really knocks home how slapdash this whole operation is.

And this wasn't anything but an acknowledgement that they're not qualified to produce the software they're distributing. They still don't even know what they don't know.


Are you the same guy who is not okay with LastPass using phpBB?

https://forums.lastpass.com/


What an odd thing to criticize them about. Privacy and security issues aside (which are serious), it seems to be an extremely well engineered product. They’ve handled the absolute explosion in users with nary a glitch, and in my experience it’s the _only_ video conferencing solution that “just works”. It’s obvious that there’s some pretty impressive engineering behind it.

I’m not sure exactly what your critique about Wordpress is. Is it that they’re using Wordpress, like 30% of the other websites in the world? Or is it that they didn’t bother removing it from the URL? Start keeping an eye out for “/wp-content/“ in the path of images or downloads on websites. You’ll be amazed.


Do you really think they're not "qualified" to produce video conferencing software? Does that seem like a reasonable statement? I am genuinely curious if you think a public company with millions of users and fairly reliable quality is not "qualified" to deliver its own product.


I'm genuinely curious if you think that company status, bank balance or number of users translates into software quality.

I posit that Zoom has been right place, right price. Simple as that. The software is demonstrably hot trash. Not just at client endpoints but structurally.


Right place, right price, pretty-much flawlessly working video chats. The latter point is just as important (there's a bunch of free video chat products), and suggests it's not completely trash.


At least they're smart enough to make /wordpress/wp-admin return an nginx 403 (meaning that it only works from specific IP addresses or while logged in from another page). I agree that /blog seems more professional than /wordpress but it really doesn't matter that much.


[flagged]


Most likely because it was ranty rather than substantive. Solid critique is obviously welcome here, and it's not as if HN threads are lacking for criticism of Zoom these days. That's actually probably the #1 thing we don't lack right now.

Your account unfortunately has a long history of posting unsubstantive comments and breaking the site guidelines. Would you please fix this? The rules are at https://news.ycombinator.com/newsguidelines.html. The idea here is: if you have a substantive point to make, make it thoughtfully; if you don't, please don't comment until you do.

We detached this subthread from https://news.ycombinator.com/item?id=22757756.


Ah man, I had no idea that was the problem, had I known that before I would have subtracted myself from the community a long time ago and would have deleted this account. Please don't take this as sarcasm, I mean it 100%.

> Would you please fix this?

No, I'd rather not. Believe me this is how I express myself in real life, if I have to censor myself to avoid the risk of posting "unsubstantive comments" I will choose to stay away from this lovely community for our mutual benefit.

Please feel free to delete this account as I have not found the option in the user settings page.


This is because an increasingly large percentage of the people here have to deal with the dissonance of having to make their living in an industry and business culture that depends on those kind of practices and consequently rewards and promotes them.


Come now. You can't seriously be reading these threads and not seeing plenty of indignation about Zoom. Where by plenty I mean extreme abundance.


Ah, why is this thread hidden?


Which thread?


"This is because an increasingly large percentage of the people here have to deal with the dissonance of having to make their living in an industry and business culture that depends on those kind of practices and consequently rewards and promotes them."

And below - doesn't show for me in the submission either when logged in or not, only in my comments urls.


I'm not sure I'm following you, but https://news.ycombinator.com/item?id=22757824 isn't hidden and unless you've collapsed it or a parent, it should be showing up on your page.


The only comment shown for my top-level comment is jwr's with my reply to him.

The one that you yourself replied to isn't shown.


Actually it is shown but under an unrelated top-level comment by jbverschoor

Something got borked here.


Are you using any third-party extensions that could affect this? I can't see how our software would be producing pages that way. There's only one comment by that user (https://news.ycombinator.com/item?id=22757599) and it has no replies.


Nothing HN-specific, and yeah I also see jbverschoor as having only one comment without replies in his comments page and yet our entire conversation is shown in reply to this one comment on https://news.ycombinator.com/item?id=22756730

EDIT: scratch that, it shows in reply to hc91 [flagged] comment, but it in turn was originally a reply to my own, not a top-level comment for the submission.


Could it be just a showdead thing? The toplevel comment is flagged dead.


Good suggestion, but the software doesn't hide child comments of dead comments, even for users who don't have showdead.


[flagged]


It is against HN community guidelines to comment about comment voting because it adds nothing substantial to the discussion.


> because it adds nothing substantial to the discussion.

Substantial to whom? Often people who downvote will provide additional information as to their reasoning which can be substantial or insubstantial like any other comment.


If a downvoter didn't share their reasoning already, it's unlikely they will be prompted by a general "why is this getting downvoted?" comment. That's why site rules say you should not ask about downvotes.


I upvoted you in a (futile?) attempt to restore some balance.


This seems to be upvoted, but then the US west coast hasn't woken up yet.


I know this is banal but fk these guys.


Please don't. You may not owe "these guys" better, but you owe this community better if you're posting to it.

https://news.ycombinator.com/newsguidelines.html


A message in the right direction, but they need to solve the recent macOS security issues. Let’s give them the time to (transparently) correct all the recently reported issues.


It's a template PR / sales pitch talking about how great they are and how they've had to adapt during the COVID-19 crisis (all of which aren't relevant to the security and privacy complaints being made) and there's only a boilerplate message about how they care about their users....and it's such a generic message it could have been ripped out of any other correspondence sent from any other company.

Nothing about that message came across as sincere.

Also one of the biggest core issues (their installer) was widely reported and condemned last year (or was it the year before?) so these aren't all new issues coming to light. In fact blaming the visibility of these problems to an influx of new users (re COVID-19) is just dishonest.


Because we’re technical and can smell the BS miles away. But a lot of the people deciding whether to keep using zoom at their corporation aren’t technical and it might be reassuring enough for them to keep using it. Not saying that’s ok but here we are.


“We’re technical” is no excuse for a pitchfork mob. I’m technical and HN’s reply feels more like echo-chamber than a reasoned consideration of what they said. Almost every comment as of now is people reacting to the tone and dialect. It’s like there’s nothing to object to technically and so the mob has turned their rage onto speech patterns.


With topics like this it's worth waiting for ca. 12h (depending on your timezone) and then reading the whole page of comments at once. I'm here 4h after you, and I saw 2 most upvoted comments as pretty sympathetic if not outright supportive to the company. There's a lot of discussion below them, with both sides being represented near-equally. There are some bad comments - one or several words of generic dismissal or insults, and one lengthy incoherent rant - but they are mostly flagged, dead, or downvoted to the bottom of the page.

I believe using HN (for whatever reason) is a skill in its own right. If you want to use it as a tool for escaping your own echo-chamber, it takes some more thought to get right. Once you do, it works a significant percentage of the time, which is kind of impressive for a simple marketing platform of the Y Combinator (which is just a bunch of people with money and a bunch of people wanting that money to build or expand their business).


> It’s like there’s nothing to object to technically and so the mob has turned their rage onto speech patterns.

I’m usually the first to roll my eyes at such mobs but this case is different. When you have a company that has a documented past of privacy and security violations and then releases a letter saying “sorry about the new reported problems but you wouldn’t have known about it if we weren’t so popular lately,” you can hardly blame us for getting ranty. It just demonstrates that fixing those problems was never a priority and thus that press release is really just meaningless platitudes.


I absolutely blame us for pitchfork mob behavior in the initial reply, even if there’s a risk that Zoom is misbehaving intentionally. Theories about their motivations are no excuse for this. There is never an excuse for this. This behavior is unprofessional of us, disrespectful of us, and makes HN look no better than 4chan or Reddit to anyone who sees us doing so.


Which initial replies are we talking about? The one I wrote was literally just calling out their statement as being generic, templated and “hogwash”. I don’t see what’s disrespectful nor unprofessional about that.

As for other people’s comments, if others took it too far (I haven’t read the majority of other comments since I came to this early and haven’t ventured outside of my thread since, so you’ll have to excuse my ignorance here) then perhaps you should be taking that up with them rather than me?

In any case, I don’t appreciate being lumped as part of a “mob mentality”! My own opinions are my own and not the product of others.


I understand how PR works (literally my first words said it was PR) but that wasn't the point the OP was making to which I was responding. They said this was a message in the right direction and I'm saying this message doesn't mean nor commit them to anything.


I agree with you, I was only deploring that it will work on most of the people calling the shots. Not with me. But I have to use zoom because our CEO says so.


I think you're underestimating a CEO's ability to smell bullshit. In fact many will have written similar letters themselves. The difference is: a CEO usually wouldn't care about security nor privacy violations like this because it's unlikely to affect the bottom line of the business they're managing.

Thankfully most (in fact all) places I've worked, it's not the CEO who decides which video conferencing (et al) solution people use, he delegates that responsibility to his CTO or equivalent. Who has almost always then delegated that decision to me :)


Plus the end user isn't the person who chooses, Zoom is a great monetary value if you don't know the technical downsides.


It also sort of says "think of the children" so they can continue their remote education. with zoom. :)


And maybe performance too. It sucks. Watching a video call shouldn't eat 50% CPU on a rather well equipped iMac 4K.


Translation: "We are SO sorry that we got caught and that you feel this way about us. Let's see if we can react to this situation fast enough before everyone will start replacing us with alternatives that at least have a better reputation." ... yeah, give me a break!



