> “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,
I mean, sure, fine, it scaled quickly. That's not what people are mad at. We could tolerate technical issues inherent with that growth of scale. But these issues are fundamental and were issues with both 5 people and 5 billion and given that some of the choices, e.g. the installer, were deliberately designed, that statement holds no water with me.
Then again, how did this happen? In my scenario you have a product owner asking for specific functionality to be added, a (group of) developers gives their estimation of how much effort/time this will take and some time later it gets built.
So when the product owner asked the developers to add the ability to log in with Facebook, they looked at the technical documentation of the Facebook SDK, but probably not much thought went into how Facebook would channel through data even for non-Facebook users. And if the technical staff did not communicate this to the PO they might not have been technically savvy enough to consider this a problem/threat.
I don't want to defend Zoom, I've actually also been pushing against using it in our company. But I also don't agree with the idea that every bad thing that comes out of Zoom was done with malicious intentions. I think it speaks more about software development in general.
Don't forget that every website with Google Analytics, Facebook Pixel, Facebook Like buttons, Twitter embeds have basically been doing the same thing for years.
I think it's extremely likely not a single one of their decisions was done with malicious intentions. But that's also the case for all the other software and systems out there riddled with security and/or privacy issues. Negligence and ignorance are way better than maliciousness, but are still really bad when you have so much power and reach.
The thing is it's impossible to tell. They deliberately turned off library verification security in their OSX app. They deliberately bypassed standard installation controls in that installer. The easiest way to hide a deliberate backdoor is to make it look like an oversight. So from a practical perspective it's sensible to treat the decisions as malicious, even if they weren't intended to be.
> Daily meetings participants jumped from 10 million in December to 200 million in March.
I am really impressed that the tool has remained stable and performant.
(This doesn't mean there's not things they got to fix regarding security and privacy; both things can be true, I'm still impressed with the technical quality -- AND wish/hope they use what is apparently some high-quality engineering ability in a more pro-user way).
"The company is far from done. Don’t forget that it claimed that calls are end-to-end encrypted even though they’re not at all. More importantly, the fact that Zoom is fixing issues as quickly as it can isn’t enough. Something is wrong at Zoom — there’s a corporate culture issue that leads to all those missteps. It’ll take much longer than 90 days."
Seems like this type of terrible and widespread news about a company's only product would turn around just about any corporate culture in way less than 90 days. This was some majorly bad news and it was everywhere for weeks, I'd assume things are very different there now.
Let's hope so. Honestly, Zoom is the preferred video conferencing software out there when it comes to UI/UX and performance. Grid view just being one major plus, no disconnects or issues in 4 weeks of home office so far. Meetings with 10-20 people no problemo.
If the same software could be used without the security concerns then I don't see how competitors at their current level would remain anything but a side note.
I have brought up Jitsi, no one cares, perceived as worthless fringe. Enterprise client already has MS Teams licenses, again no one cares, only used when Zoom is no option. Internally we got Slack, cannot even do 1:1 calls without issues. We also have Pexip, it has crappy UI/UX and several disconnects if sessions > 30mins. Hangouts is Google so enterprise clients are often not getting into that.
You hit the nail on the head as to why people don't use Slack & Jitsi, and barely use Hangouts: it's the call quality, stupid. Zoom drops out less, video & audio quality is better, screen sharing works. It's as close to a "gets out of your way" piece of videoconferencing software as has ever existed.
Competitors, take note. Get the basics right - don't concern yourself with fluff - and customers will flock to you.
Setup is included in "meeting on time" because you will have members without the client, and the installer needs to silently always work with as few clicks or places for a person to make a wrong decision as possible.
"do I click run or save"
"yes or no to this question I don't understand, [and despite clicking hundreds of times in my life, I've never actually read it]" (UAC)
> “Freeze feature development and spend the next 30 days on a top-to-bottom review of Zoom’s approach to security and privacy, followed by an update of how the company is re-allocating resources based on that review.
Until public equity markets start valuing security nothing will change. How do we make that happen? Make their customers care. Bad security -> less customers -> less value. How do we do that? Wish I knew, probably regulation, but I wouldn’t know how to even think about writing it.
> For the next 90 days, Zoom is enacting a feature freeze, which means that the company isn’t going to ship any new feature until it is done fixing the current feature set
Unless they were already working on it, I don't see how they'll get E2E encryption hammered out in 90 days.
I think it’s going to take more than 90 days to fix this. I’d rather they say no new features until security and privacy are satisfactory then we’ll do performance.
Am I misunderstanding the product, or are the streams not being merged on the server into a single feed?
> To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.
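The question above and the quoted statement turn on one architectural distinction: a server that merges streams into a single feed has to decrypt them, whereas a server that only forwards opaque ciphertext never needs the content key. The following is an added example illustrating that distinction, not Zoom's code or a description of its actual architecture. It uses a toy SHA-256 keystream with an HMAC tag (labelled as a toy, not a production cipher) and assumes the meeting key is agreed between the clients out of band; the participant names and messages are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32  # SHA-256 HMAC


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from SHA-256; for illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class ForwardingServer:
    """End-to-end model: routes blobs it cannot read; it never holds the meeting key."""

    def __init__(self):
        self.seen = []  # everything the server ever observed (ciphertext only)

    def relay(self, sender: str, blob: bytes, participants):
        self.seen.append(blob)
        return {p: blob for p in participants if p != sender}


class MixingServer:
    """Hop-by-hop model: decrypts each stream, composes one feed, re-encrypts per recipient.
    Composition forces the server to hold keys that unlock the content."""

    def __init__(self, transport_keys: dict):
        self.transport_keys = transport_keys  # one key per client-server hop
        self.streams = {}

    def ingest(self, sender: str, blob: bytes):
        self.streams[sender] = decrypt(self.transport_keys[sender], blob)

    def compose(self) -> bytes:
        # The merged feed exists in plaintext on the server.
        return b" | ".join(s.encode() + b":" + m for s, m in self.streams.items())

    def deliver(self, recipient: str) -> bytes:
        return encrypt(self.transport_keys[recipient], self.compose())


def e2e_meeting(messages: dict):
    """Returns (what each participant received, what the server could learn: sizes only)."""
    meeting_key = os.urandom(32)  # assumption: shared by clients out of band, never sent to server
    server = ForwardingServer()
    participants = list(messages)
    received = {p: {} for p in participants}
    for sender, msg in messages.items():
        for rcpt, blob in server.relay(sender, encrypt(meeting_key, msg), participants).items():
            received[rcpt][sender] = decrypt(meeting_key, blob)
    server_view = [len(b) - NONCE_LEN - TAG_LEN for b in server.seen]
    return received, server_view


def mixed_meeting(messages: dict):
    """Returns (what each participant received, the plaintext feed the server had to see)."""
    transport_keys = {p: os.urandom(32) for p in messages}
    server = MixingServer(transport_keys)
    for sender, msg in messages.items():
        server.ingest(sender, encrypt(transport_keys[sender], msg))
    received = {p: decrypt(transport_keys[p], server.deliver(p)) for p in messages}
    return received, server.compose()


if __name__ == "__main__":
    constructed = {"alice": b"hello", "bob": b"world"}  # constructed sample input
    print("e2e:", e2e_meeting(constructed))
    print("mixed:", mixed_meeting(constructed))
```

In the forwarding model the server's whole record is a list of ciphertext lengths; in the mixing model the merged feed is plaintext on the server by construction. Whichever model a real service uses, "not decrypted before it reaches the receiving clients" and "streams merged on the server" cannot both hold, which is the tension the comment above is pointing at.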