
Zoom’s 90-day plan to bolster key privacy and security initiatives - karambir
https://blog.zoom.us/wordpress/2020/04/08/update-on-zoom-90-day-plan-to-bolster-key-privacy-and-security-initiatives/
======
DenisM
I'm still not sure what to think of the whole debacle.

Zoom could be a victim of the internet mob justice, where every inevitable
misstep is blown out of proportion. Perhaps the mob is helped along by some
competing interests. Or Zoom could be yet another tech company with dubious
ethics (like U: or F). I doubt they are outright a PLA branch, that would be
far too obvious.

These aren't just idle musings - I love how Zoom allows me to share
screen/whiteboard, and see people's faces at the same time. It works really
well for remote dev collaboration, in some ways better than physical presence.
And yet the question of safety remains.

Should I go and research WebEx?

~~~
lacker
Occam’s Razor. Zoom usage went up by 8x in a few months. Usually doubling in
two years is great for a public company. So that’s 6 years of great growth,
compressed into a few months. It shouldn’t be surprising to see six years of
security problems also compressed into those three months.

I think Zoom is on track to fix these problems quickly and cement their spot
as the best solution for videoconferencing.

~~~
ergothus
Zoom had the same security issues with half the traffic. Acting like usage
causes them is disingenuous.

Technically speaking, zoom has shown off great and remarkably stable/scalable
features.

But that is orthogonal to whether they are putting people at risk (e.g. not-
so-secret therapy sessions) or lying about their feature set (clearly claiming
to have end to end encryption).

~~~
skrebbel
That's a straw man. GP argues that Zoom's increased popularity implies
increased public scrutiny. Not that the problems are OK.

There's lots and lots of insecure software that Bloomberg doesn't write about.
People click on articles about software they use.

~~~
ergothus
I'm not following your argument.

I agree that increased scrutiny does not make the problem ok, but does reveal
the problems more quickly.

But the only reason those points matter in the "Should I use Zoom?" question
is if you're assuming all other products have the same flaws and just haven't
been looked at. To which, I'm pretty confident they don't all share these
problems, particularly but not limited to the "blatantly lied about the basic
security features".

~~~
ethbro
_> To which, I'm pretty confident [other products] don't all share these
problems_

I am not confident of this.

I would assume that anything that isn't actively being sold into the large
enterprise market has Zoom-level problems, or worse.

------
k33n
So were they really sending data to servers in China? From what little I've
heard and read about this, that is what stood out to me. Not sure they should
ever be trusted again after that.

~~~
pwarner
I think this is the Zoom response to that one:
[https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/](https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/)

As I read it they accidentally routed some data to China based servers for a
month (Feb 2020) due to a config mess up during their crazy fast scaling
period. This is since fixed.

~~~
hyko
They were making requests to IPs in China long before Feb 2020. At the time I
assumed they’d been hacked, but in retrospect it seems like this was just how
their organisation is distributed.

Needless to say, I have decided not to endorse their videoconferencing
solution.

~~~
otterley
Do you have evidence of this?

------
makerofspoons
Zoom's web SDK and web client were down for nearly four days over the weekend
with minimal communication, and when they brought it all back they killed a
key functionality the education market needs which is the ability to join a
meeting without an account: [https://devforum.zoom.us/t/in-progress-web-sdk-web-client-from-browser-403-forbidden/10782/35](https://devforum.zoom.us/t/in-progress-web-sdk-web-client-from-browser-403-forbidden/10782/35)

~~~
flippyhead
Actually this isn't true anymore, they have since added the _option_ to not
require an account when using the web client. The Web SDK still works like
before and also doesn't require an account.

But I agree, the way it was handled was harrowing.

~~~
makerofspoons
Thanks! I fell out of the loop with this.

------
londons_explore
"90 day plans" tend to be management & PR things... Real engineering is more
of a "it takes as long as the job takes"...

~~~
wuunderbar
Can you blame them? Most users and purchasers (at a lot of companies the
people making purchase decisions aren't actually the users) don't really
understand or care about how long real engineering takes. As long as they made
a decision to pick a vendor based on the principles of Cover Your Ass
it's all that matters.

It's another primary reason why so many "enterprise" companies purchase Redhat
over running CentOS.

------
TheChaplain
uh, is that an outlook-email link with someone's username in? The one linking
to Alex.

~~~
technicaldonut
Yup. Looks to be their email address. Email is from PR firm Sard Verbinnen &
Co.

~~~
basch
Safelinks have the email address of the recipient of a link.

------
Justsignedup
and this is why product over security always wins.

there's mob mentality right now, but zoom got a TON of customers, and now is
gonna have proof of end-to-end encryption in a couple of months.

boom.

zoom wins.

honestly just don't talk on zoom about something highly secretive such as ...
idk... something a government is interested in as that isn't currently secure,
other than that, don't sweat it.

~~~
larkost
They are very unlikely to have end-to-end security in a couple of months, for
the same reason few (if any) of their competitors have it: it is really
bandwidth intensive to send full-resolution video of every participant to
every other participant. So everyone sends low-res for most participants, and
at most one high-resolution stream. To do this you have to be able to make
low-resolution streams out of the high-resolution one people are sending you
(to pass along to others). That means you have to terminate encryption on the
server side. Once you have done that you are no longer "end-to-end". This is
just the state of things.

This is a valid tradeoff for most things, but the real problem here is that
Zoom claimed (and continues to claim) "end-to-end encryption", while not
providing it. That is a lie, and people naturally wonder what else you are
lying about.

~~~
viraptor
You can also send two streams (high and low quality) from each client and make
other clients request the right one from the server. Yes, it's slightly more
bandwidth than before and more complexity. No, it doesn't require a full mesh of
connections to be E2E.
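An added sketch of the two designs being contrasted in this exchange (illustration written for this page, not Zoom's protocol and not code from either commenter): each client uplinks a high and a low rendition of its own video, each encrypted under the meeting key, and a selective forwarding server picks which rendition to relay to each receiver using only the plaintext sender/quality label. Because the server never holds the key, it cannot transcode (the case larkost describes, which forces termination at the server), but it can still route, which is viraptor's point. The cipher here is a toy keystream built from SHA-256 plus an HMAC tag, chosen so the script runs on the standard library alone; a real deployment would use an AEAD such as AES-GCM. All names, the key, and the frames are constructed sample data.

```python
"""Toy model of E2E-preserving simulcast routing.

Added example, not Zoom's design. Cipher is a deliberately simple
SHA-256 keystream + HMAC tag so that it runs offline on the stdlib;
substitute a real AEAD (AES-GCM) in any real system.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), concatenated to n bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


@dataclass(frozen=True)
class Packet:
    sender: str        # plaintext routing label, readable by the server
    quality: str       # "high" or "low", also plaintext for routing
    nonce: bytes
    ciphertext: bytes  # opaque to the server
    tag: bytes         # HMAC over header + ciphertext, binds the labels


def _header(sender: str, quality: str, nonce: bytes) -> bytes:
    return sender.encode() + b"|" + quality.encode() + b"|" + nonce


def encrypt_frame(key: bytes, sender: str, quality: str, frame: bytes) -> Packet:
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(frame, _keystream(key, nonce, len(frame))))
    tag = hmac.new(key, _header(sender, quality, nonce) + ct, hashlib.sha256).digest()
    return Packet(sender, quality, nonce, ct, tag)


def decrypt_frame(key: bytes, pkt: Packet) -> bytes:
    """Verify the tag (which also covers the routing labels), then decrypt."""
    expected = hmac.new(key, _header(pkt.sender, pkt.quality, pkt.nonce) + pkt.ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt.tag):
        raise ValueError("authentication failed: wrong key or packet modified in transit")
    ks = _keystream(key, pkt.nonce, len(pkt.ciphertext))
    return bytes(a ^ b for a, b in zip(pkt.ciphertext, ks))


def decrypts_ok(key: bytes, pkt: Packet) -> bool:
    try:
        decrypt_frame(key, pkt)
        return True
    except ValueError:
        return False


def client_send(key: bytes, name: str, frame: bytes) -> list:
    """Simulcast uplink: the client itself produces both renditions and
    encrypts each, so no downscaling is ever needed on the server.
    The 'low' rendition is a toy downscale (every other byte)."""
    return [encrypt_frame(key, name, "high", frame),
            encrypt_frame(key, name, "low", frame[::2])]


def sfu_forward(packets: list, focus: str) -> list:
    """Selective forwarding for one receiver: relay the focused speaker's
    high stream and everyone else's low stream. Decisions use only the
    plaintext labels; the key and the media never leave the clients."""
    return [p for p in packets
            if p.quality == ("high" if p.sender == focus else "low")]


def receiver_decode(key: bytes, forwarded: list) -> dict:
    return {(p.sender, p.quality): decrypt_frame(key, p) for p in forwarded}


def forwarded_bytes(packets: list) -> int:
    return sum(len(p.ciphertext) for p in packets)


def flip_byte(pkt: Packet, i: int = 0) -> Packet:
    """Simulate an in-transit modification of one ciphertext byte."""
    ct = bytearray(pkt.ciphertext)
    ct[i] ^= 0x01
    return replace(pkt, ciphertext=bytes(ct))
```

Selecting by label rather than by content is what keeps the server out of the trust boundary: a receiver with the meeting key recovers exactly the rendition that was sent, the tag fails if the server (or anyone on the path) alters the ciphertext or swaps the labels, and the server itself cannot pass `decrypt_frame` because it never held the key.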

------
tmaly
My company banned the use of Zoom on company computers or computers connecting
to the company network.

Has anyone else had this happen to them?

~~~
mullen
The very large company I work for banned all video conference software except
for what is provided by the company. I don't think it is just about security,
but make everyone use the same system(s) because it just got too confusing to
communicate with other divisions or even departments. You can search for
people in other divisions and then video chat with them if you want, or just
plain old school voice chat.

Luckily, the software we are required to use works pretty well on iOS, Android,
OSX and Windows.

------
diebeforei485
Mac App Store version when?

~~~
ken
Or even a non-MAS app that's sandboxed, if it's going to be free anyway and
they prefer to manage their own release schedule.

------
adultSwim
I wonder if Google and Apple were directly involved in the campaign against
Zoom.

------
throwaway15392
They’re in the same bed as China. I don’t trust them for anything now, this to
me is just a PR management exercise. They’re still going to give away your
data

~~~
dang
Would you please stop posting unsubstantive and/or flamebait comments to HN?
We're hoping for a better quality of discussion than this, and (especially)
than what it leads to. Case in point: see below.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
s_y_n_t_a_x
I believe the GP was referencing Zoom's encryption going through China's
servers, which was on HN recently: [https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/](https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/)

There are valid criticisms to be discussed about China's actions and how much
Zoom should be trusted given its close relation.

There have been many criticisms of the US government here and I never see anything
flagged or removed, I would consider that nationalistic and provocative under
the same guidelines. I just don't see why the China discussions are removed.

~~~
dang
> _There are valid criticism to be discussed about China's actions and how
> much Zoom should be trusted given its close relation_

Yes, and that's why comments about it should be thoughtful and substantive—not
drive-by flamebait leading to useless flamewars about NATO and Winnie the
Pooh.

> _There's been many criticism of the US government here and I never see
> anything flagged or removed_

That happens often. If you never see it, that's because of a cognitive bias:
we notice and weight more strongly—that is, we see—what we dislike.
[https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...](https://hn.algolia.com/?dateRange=all&page=0&prefix=true&query=by%3Adang%20notice%20dislike&sort=byDate&type=comment).
People on the opposite side of this question have exactly the opposite
complaint.

------
jimbob45
Zoom won the proverbial lottery with this pandemic and lost their ticket
through greed/laziness. Great companies are always prepared when their big
break comes. Zoom is not a great company.

~~~
tcoff91
You don't have to be a great company to win in the market. I'd bet that zoom
still maintains dominance and manages to con people into believing that
they're super secure now guys.

------
teknologist
I can't quite figure out what's going on with this thread. It seems to have an
eerie amount of posts about support for Zoom, perhaps by paid trolls
("wumaos")?

~~~
dang
Please don't break the site guidelines by posting insinuations of
astroturfing. Overwhelmingly, such perceptions are simply in the eye of the
beholder. I say that based on many years of looking at that data, and you can
find more explanations here than anyone would ever want to read:
[https://hn.algolia.com/?query=by:dang%20astroturf&sort=byDat...](https://hn.algolia.com/?query=by:dang%20astroturf&sort=byDate&dateRange=all&type=comment&storyText=false&prefix=true&page=0).

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

If you're worried about this kind of thing, follow the site guidelines and
email hn@ycombinator.com so we can look into it. (We always do.) In this case,
though, the simplest explanation seems adequate: the community is divided.
When there's a popular divisive topic, people who feel strongly for side A
always feel like the amount of support for opposing side B is 'eerie', because
it's hard to imagine how it could possibly be in good faith. Of course B feels
the same way about A.

Edit: oh dear. It seems like you've been using HN mostly for nationalistic
battle lately. We ban accounts that do that, so please stop. It's emphatically
not what this site is for, regardless of which nations are at issue.

------
yalooze
I can only assume CISO is Chief Information Security Officer? I hadn't seen
the acronym before. Bad Zoom for not writing it out in full on the first
instance.

~~~
munchbunny
"CISO" is a pretty standard acronym. People who don't work in cybersecurity or
who don't have that background might not recognize it, but it seems like a
minor detail.

~~~
yalooze
Sure, it's a minor detail. And yes, you can say the audience for this post is
people who work in cybersecurity. But it costs nothing to introduce the
acronym, as is usually recommended. Without it you are alienating anyone who
doesn't know the term.

~~~
socalnate1
Serious question - would you feel the same way about using CEO or CFO without
spelling out what they stand for?

