by DenisM 2260 days ago
I'm still not sure what to think of the whole debacle.

Zoom could be a victim of internet mob justice, where every inevitable misstep is blown out of proportion. Perhaps the mob is helped along by some competing interests. Or Zoom could be yet another tech company with dubious ethics (like U: or F). I doubt they are outright a PLA branch; that would be far too obvious.

This isn't just idle musing - I love how Zoom allows me to share screen/whiteboard and see people's faces at the same time. It works really well for remote dev collaboration, in some ways better than physical presence. And yet the question of safety remains.

Should I go and research WebEx?

5 comments

Occam’s Razor. Zoom usage went up by 8x in a few months. Usually doubling in two years is great for a public company. So that’s 6 years of great growth, compressed into a few months. It shouldn’t be surprising to see six years of security problems also compressed into those three months.

I think Zoom is on track to fix these problems quickly and cement their spot as the best solution for videoconferencing.

Zoom had the same security issues with half the traffic. Acting like usage causes them is disingenuous.

Technically speaking, Zoom has shown off great and remarkably stable/scalable features.

But that is orthogonal to whether they are putting people at risk (e.g. not-so-secret therapy sessions) or lying about their feature set (clearly claiming to have end to end encryption).

That's a straw man. GP argues that Zoom's increased popularity implies increased public scrutiny. Not that the problems are OK.

There's lots and lots of insecure software that Bloomberg doesn't write about. People click on articles about software they use.

I'm not following your argument.

I agree that increased scrutiny does not make the problem ok, but does reveal the problems more quickly.

But the only reason those points matter in the "Should I use Zoom?" question is if you're assuming all other products have the same flaws and just haven't been looked at. To which, I'm pretty confident they don't all share these problems, particularly but not limited to the "blatantly lied about the basic security features".

> To which, I'm pretty confident [other products] don't all share these problems

I am not confident of this.

I would assume that anything that isn't actively being sold into the large enterprise market has Zoom-level problems, or worse.

If Bloomberg broke this (not sure), they are fully known to monetarily reward market-moving stories. Sources easily searchable.

If I were a writer/editor working under this policy, making a big stink about a teleconferencing company enjoying huge growth in the current COVID-19 climate would be a no-brainer.

Devil's advocate, I guess: 8 times the users, 8 times (at least) the number of people to notice those problems.

Especially when work from home is now at the center of our conversation, and journalistic outlets shift their attention to newly-popular services like Zoom and Houseparty.

Regarding your last example, I'm also continually confused at the claim that Zoom has been lying about end-to-end encryption. I don't see any place where they ever claimed to encrypt anything end-to-end except for chats, and only after enabling the feature:

https://support.zoom.us/hc/en-us/articles/207599823-End-To-E...

https://support.zoom.us/hc/en-us/articles/201362723-Encrypti...

When I'm in a Zoom meeting, it says that my connection is encrypted (the green E lock thing). It does not say "end-to-end." So I always assumed that just meant that the transport layer is encrypted.

They removed the E2E claim after criticism.

It's not blown out of proportion. If anything, the major security issues went mostly unnoticed in the noise of the media trying to bank some ad revenue.

There were two RCEs that would have allowed anybody to easily take over any computer using Zoom. The first one, last year, was wormable, triggered by simply visiting a website with no interaction (like a JavaScript ad).

Other video conference tools don't have these because they didn't try to provide the same features or work around the OS.

Except for Skype, which still has one samba relay attack left like Zoom, that went mostly unnoticed. From my research they had the exact same issue but blocked the RCE part in 2018 (CVE-2018-8311, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8311).

> dubious ethics

Yeah, I think data mining to steal and sell your LinkedIn account counts as dubious ethics. Or claiming to have E2E when actually they don't.

There is a good share of incompetence as well, like the CSP issues.

Using AES in ECB mode and doing key exchange on servers in the PRC are not simply "missteps".
"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...
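The comment above objects to AES in ECB mode. As an added illustration (not part of the thread, and not Zoom's code), the Go program below encrypts a constructed "frame" containing repeated 16-byte blocks under AES-128-ECB and under AES-128-GCM, then counts how many ciphertext blocks are exact repeats. ECB encrypts every block independently, so identical plaintext blocks produce identical ciphertext blocks and the structure of the input shows through even though the key is never revealed; an AEAD mode such as GCM mixes in a per-message nonce, so the same plaintext repeats disappear. The key and sample data are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample inputs (not real Zoom material): a 16-byte key and a
// "frame" made of the same 16-byte block repeated four times, mimicking the
// low-entropy, highly repetitive data that video and screen-share streams carry.
var sampleKey = []byte("0123456789abcdef")
var sampleFrame = bytes.Repeat([]byte("ABCDEFGHIJKLMNOP"), 4)

// ecbEncrypt runs the raw AES block function over each 16-byte block on its own.
// Go's standard library deliberately ships no ECB mode; this loop reproduces
// it only to show the weakness. Input must be a whole number of blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt encrypts with AES-GCM under a fresh random nonce and returns the
// nonce and the ciphertext (with its authentication tag appended) separately.
func gcmEncrypt(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// duplicateBlocks counts 16-byte ciphertext blocks that exactly repeat an
// earlier block. Under ECB this number equals the number of repeated
// plaintext blocks; under a sound mode it should be zero.
func duplicateBlocks(ct []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		b := string(ct[i : i+16])
		if seen[b] {
			dups++
		} else {
			seen[b] = true
		}
	}
	return dups
}

func main() {
	ecb, err := ecbEncrypt(sampleKey, sampleFrame)
	if err != nil {
		panic(err)
	}
	_, gcm, err := gcmEncrypt(sampleKey, sampleFrame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d repeated ciphertext blocks\n", duplicateBlocks(ecb))
	fmt.Printf("GCM: %d repeated ciphertext blocks\n", duplicateBlocks(gcm))
}
```

The ECB count is a direct leak an observer gets from captured packets alone, with no key. Note that switching the mode does nothing about the second objection in the comment: if the key is generated by and routed through a server, whoever controls that server can decrypt the traffic regardless of mode, which is why the "end-to-end" label matters.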