April 7, 2020



While Zoom has faced many privacy concerns in the last few weeks, it is incredible how reliable the service has been given the massive spike in demand.

Most services would have buckled (examples abound, like Robinhood's recent outage) and part of their stack would not have been able to handle the load.

On top of that they are in new customer segments that I bet they didn’t see as their user base. I know more than a few elementary school teachers who are now hosting Zoom classes with 15+ 5-year-olds on a call.


> I know more than a few elementary school teachers who are now hosting zoom classes with 15+ 5 year olds on a call.

Given the ease of setup of Zoom which defaulted to a machine-guessable URL which displayed email and other information about participants, this is one reason Zoom is rightly being scrutinized and criticized for poor security.


> Zoom which defaulted to a machine-guessable URL

Was there any rationale for them doing this?


Zoom has clearly focused on UX above all else. This explains both their popularity and the security issues that have recently been uncovered.


First thing that comes to my mind is: a friendly URL in an email body that doesn't get clipped or mangled in such a way that it can't be easily opened.


Ease of use, probably.

Now every private room is by default secured with a password, I think.


> Was there any rational for them doing this?

Conference ids are numbers for easier dial-in?


> While zoom has faced many privacy concerns...I bet they didn’t see as their user base. I know more than a few elementary school teachers

They better get on those security concerns quickly if they want to retain these new customer segments:

"New York City bans Zoom in schools, citing security concerns" https://techcrunch.com/2020/04/05/zoom-new-york-city-schools...

"Instead, the city’s Dept. of Education is transitioning schools to Microsoft Teams, which the spokesperson said has the “same capabilities with appropriate security measures in place.”"


They already changed default values which were the main vector of attack.


I would be really interested in a tech writeup on how they managed infrastructure. They run a lot of very bandwidth and presumably CPU intensive servers that they quickly had to scale out massively. There are some older articles that they use Equinix for infrastructure (probably colocation?) but adding that much capacity in a short amount of time is really impressive.


That's only http traffic to the website, not people connecting via the app or via phone call.

Most people use only the app or a phone call, for example to join a conference call hosted by someone else. Beyond business people on company-hosted calls, think students taking remote classes, grandmas connecting with their whole families, friends joining virtual happy hours, people playing social games, and so on.

Worldwide, I wouldn't be shocked to find out that a couple billion people have recently used Zoom.

Zoom has handled this ludicrous growth impressively well.

--

EDIT: Changed "suspect" to "wouldn't be shocked to find out," which more accurately reflects what I meant to write.


Are you proposing that the majority of users had their IT department remotely install the zoom application? I'd imagine there's a significant amount of people who downloaded the application from their website.

Additionally calendar invites often have a link to the zoom site, which then launches the app. So someone who is connecting via the app would still hit the website.


> I'd imagine there's a significant amount of people who downloaded the application from their website.

Not on iOS or Android devices (phones, tablets, Chromebooks, etc).


> That's only http traffic to the website ...

I suspect a good portion of that 700MM was simply people searching for Zoom to find out what it was, after hearing about it from others or in the news.

> Worldwide, I suspect around a couple billion people have recently used Zoom.

I recall seeing the number 200MM mentioned and I think that came from Zoom themselves (a blog post or something, maybe?) but don't hold me to that.


200M daily active users according to their blog post https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u...


Until two weeks ago I was the only one in my family who had used Zoom. By now, each member of my family has used it independently for different purposes. From casual meet-ups with friends/family over sports classes to seminars and trainings, Zoom really started gaining traction outside of large businesses.


Is 200M the number of accounts or the number of people that have used the service, say over the past month? The latter is likely an order of magnitude greater than the former.


I'm legitimately curious if anyone has any clues as to how they handled this with cloud providers.

Technically it doesn't seem that hard -- just spin up a ton more servers. Unlike Facebook or Twitter or Reddit there isn't massive communication between all users at all times -- just one-off video calls that are "relatively" trivial to distribute among servers. (Sure there's cloud recording and stuff too, but the point still stands that this is certainly among the way easier products to scale.)

But assuming they're using cloud providers, I'm curious what percentage of spare cloud capacity they've wound up taking? If they've had to split up traffic between multiple major providers just to handle it?

Or if the increase is well within the capacity of any single cloud provider to handle easily, e.g. massive daytime spikes are essentially just using the same servers Netflix uses at night?


The public Zoom filing showed Zoom had a lot of co-located servers. From their SEC filing:

"We currently serve our users from 13 co-located data centers in Australia, Brazil, Canada, China, Germany, India, Japan, the Netherlands and the United States. We also utilize Amazon Web Services and Microsoft Azure for the hosting of certain critical aspects of our business."


Maybe we can assume if people are on Zoom then they are also not on Netflix? But yes, would be very interesting to get a post-survival writeup.


As a developer for some sleepy enterprise apps, I am very impressed at how companies like Zoom, Microsoft, and such can scale to handle this increased load so gracefully. I'm guessing this is just their website and not their actual app backend, but I'd imagine they had a huge spike there, too.


Given enough money, this isn't terribly difficult to accomplish with most cloud service providers. All of the major players offer automatic scaling based on load and multiple region support. There are still some gotchas at scale, but it is much easier to build out scalable infrastructure these days.


I've commented in the past about Zoom's close ties with China (beyond its engineering staff) but I didn't have sources, so I conceded and redacted some specifics: https://news.ycombinator.com/item?id=22738420

WSJ just wrote an article interviewing the CEO and other security experts on this topic. Some interesting excerpts:

> In the U.S., 27 attorney general’s offices have raised questions about privacy issues, Zoom said, adding it is cooperating with authorities.

> Security researchers also have scrutinized Zoom’s links to China. Researchers at the Citizen Lab, a security research group affiliated with the University of Toronto, on Friday said Zoom used an encryption technology that is considered substandard, and that in certain circumstances the company stored encryption keys—long strings of numbers and characters that can be used to access encoded communications—on servers based in China.

> Brendan Ittelson, head of technical support at Zoom, said because of the distributed nature of the company’s infrastructure, meeting data can be routed through different data centers around the world. Zoom’s system first tries to send this data locally, but if the connections fail, the backup route might send it elsewhere.

> Zoom had created a system to prevent this data from being sent through China when calls originate in the U.S. But when traffic surged starting in February, some data was mistakenly routed that way, the company said, adding that it has remedied the problem. Critics also have questioned whether Zoom’s heavy reliance on China-based engineering could pose a security risk.

Source: https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-...

Personal opinion: I think we should all boycott Zoom until there is a guarantee of where the data is stored, with independent audits. In this pandemic, we've given our privacy (facial features, email, screen sharing, video data and application usage patterns) to Zoom on a whim. The entire world has done so. I have no trust in the Chinese Communist Party and their potential to exploit this data if they get it. Perhaps not in the immediate future, but maybe in the year 2027 - suppressing voices, threats and border control, detentions of people who spoke against the CCP during the pandemic or after being caught using the facial AI technologies with the data collected today. This is real and we should all be concerned.


>> Personal opinion: I think we should all boycott Zoom until there is a guarantee

There can be no guarantee with proprietary software. Just switch to free software...


Amen.


Won't happen until mainstream media and average Americans are onboard. Unfortunately, I don't see this happening anytime soon.




Perhaps I can't stand seeing the entire world having to bend down to an authoritarian regime (or any regime for that matter). Perhaps I can't stand the chilling effect current actions would create in the future: https://en.wikipedia.org/wiki/Chilling_effect




Informing others and providing an explanation for why people should be discouraged from using a malicious tool is not virtue signaling.

Trying to discourage people from disseminating this information under the auspices of “virtue signaling” is unhelpful.

Some people build technology, some people research and critique it.

Would you tell researchers who demonstrate critical vulnerabilities in technology that they should build something better instead of just talking about it?


It’s odd. I wouldn’t tell security researchers to build something better.

Yet on these high-level comments I have a reaction to tell them to build rather than critique.

It must be that the OP faults a company that’s providing tremendous value to society. It’s not without its faults, but to focus on that seems petty? Tone deaf?

The more I think about your retort about security researchers, the more I think it’s a false comparison. The good ones demonstrate exactly what the problem is and sometimes even provide a solution.

Here the solution is to use software that has more friction, that robs the grandmas of the world of connection and wastes people's time fixing technology.

So with that I stand by my original comment of "don’t criticize, build."


Moreover, often there is something better, people just do not know about it.




Thanks for writing the blog post. It was a great read.

You wrote "organs of executed prisons for transplant / sale, then slowly morphed into an extremely lucrative industry generating HUNDREDS OF BILLIONS". China has a $14 trillion dollar economy, so surely HUNDREDS of billions is not correct?

Also, do you have a citation for the Mao quote? I would like to see the screenshot and/or the full canonical English translation. I am very interested in learning more.


Please look into this app and the screenshots the developer has posted: https://apps.apple.com/us/app/bizvideo-ec/id1409523106

Organs per individual go for $2,000,000 if a full ECMO harvest can be done.

That is quite a bit of money, but illegal medical experimentation, as documented by the book "ScienceMart", generates an equivalent amount. Obviously the experimentees might not wind up completely dead like the organ transplant victims though.


Can they sustain this with so many non-paying users?


Does anyone know how they are scaling so gracefully?


That's an interesting number and I wonder whether this could be traced back to meeting participants. If so, is it possible to statistically derive the number of meetings held on average on any day?


probably more for grocery delivery


The website, sure.



