by bezoz 1902 days ago
The positive "tilt" in this article is honestly amusing and unusual for such articles

"zero-day discovery makes calls safer" "Understandably, Zoom has not yet had the time to issue a patch for the vulnerability" "This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work"

Imagine if that was your run of the mill well-hated big corp

"Yet another security vulnerability leaves millions at risk" "XYZ Corp shows its incompetence once again exposing users' private data to hackers" etc etc

No specific point here. I am just amused!

10 comments

I don't think that's fair. The Pwn2Own contest rules specifically disallow disclosure. This isn't a "zero day" in any sense but marketing. It's a privately disclosed vulnerability under a managed embargo, just as if it had been reported by Project Zero or whoever.

The ding is that, because it was a "public contest", the existence of the vulnerability is known. And that's probably a higher risk scenario in the abstract I guess. But I think it's clear to all that Pwn2Own and similar activities are a net benefit to global software security nonetheless.

This. The article should have been less about 0days and more about supporting contests and programs that support vulnerability researchers.
It’s actually worded in quite that way (even though it’ll be picked up by larger media differently).
Maybe the zero-day isn't disclosed from this pwn2own itself, but importantly, we now know it exists, which means we should consider how many bad actors are already independently aware of it and are exploiting it.

Responsible disclosure processes are just as much about closing the vectors that we can't prove are under active exploit.

The Pwn2Own exploits have generally not already been out there. There has been a long history of these, including some incredible Chrome exploits! So the disclosure process tends to work out OK.
I think that's right that pwn2own exploits are generally new to the public, but that only means it's not provably out there.

Just to be clear, I think programs like this are great and they do improve safety, but only because they result in patches. This news shouldn't make users feel safe until there is a patch.

A fair number of submissions only received partial points because the vendor claimed they were aware of the bug already.
Agreed, just because it exists doesn’t mean it was being exploited.

And these help patch not just the specific hole but the general approach of the exploit chain may expose a whole area the development team had not previously considered.

I'm not seeing how your point relates to bezoz's point...
Finally, someone who uses 0day more correctly than nearly everyone else. My remaining sanity thanks you!
Wait, are you saying Zoom isn't hated? It's crap. I refuse to install its PoS app and all of the security holes it came with (don't care if they are fixed or not). Launching a zoom meeting in my browser totally bogs the browser down. The zoom site is so slow that proving I'm a human is at least 10x slower than on other sites. In my use case, nobody on the zoom call is even using video, yet it still runs this badly.
We run zoom calls with over 200 participants and no problems. It sounds like their browser experience is poor, I don’t know if that’s a browser limitation or bad design, but their app on Windows and Mac performs quite well.

Mistakes were made with security early in their product. It’s clear that has turned a lot of potential users against them.

I’m curious why companies like Facebook get more acceptance over terrible security, but other companies are never forgiven

>Mac performs quite well.

This is not my experience at all. Early in the lockdown when Zoom became the darling, I was forced to install their app. Pre-pandemic, Zoom was already panned on this site for crap they were doing, so I pushed back hard against using Zoom before ultimately relenting. Running zoom with a simple 3 person call would bog down my 2017 MBP with fans running full tilt. I've since upgraded hardware and zoom is not allowed to be installed on this computer.

>I’m curious why companies like Facebook get more acceptance

Is there anyone on this site that agrees with that comment? I certainly don't. There are multiple billions of FB users, so I'm quite sure the readers of HN are just a rounding error in those numbers.

I've been involved with zoom sessions of up to 50 connections and it has been exceptionally flawless on my work macOS laptop from approx 2017. Compared to every other video conference software I've tried, zoom is unfortunately by far the best on macOS, Windows and even Linux for video conferencing with a large number of participants. I am baffled as to why it performs so poorly—this is not my observation on the machine I have, and I also know it works well on many of my colleagues' Macs, so it is not just the one Mac I use.
Hard agree. Mac resource use of Zoom is insane. The only machine I've used that feels not bogged way down and blowing its fans like crazy is my M1 Mac, and even then it's showing > 50% CPU use. When demoing our app in a screen share on my old iMac 4K the machine would be screaming its fans and much, much slower than normal. Meanwhile Messages screen sharing used less than 10% CPU. IDK what they are doing but it's not right at all.
In my case, Zoom will cause my Mac to heat up quite a lot on each call, using the app.
I also like zoom over the alternatives. Does it have problems, yes but what software doesn’t. I have been using zoom for years (my school switched early) compared to previous tools it just worked and worked well. Yes I know they lied and deceived but again marketing is always full of BS and guess who makes the blurbs we read on the internet about a company. Again the constantly changing UI is annoying but what is better? If someone has something better that even my grandma can use I will give it a shot.
There's a difference between software having problems, and the problems that zoom had/has. The fiasco of creating a method to run any command with escalated sudo privileges just because they wanted to make the install easier, which remains after install, was absolutely mind blowing. Those kinds of things are unforgivable.
If browser performance is bad but app performance is good (and I agree that my experience with the app is actually pretty good), then it is a bad sign that the exploit is in the app, and not the browser version.
Also the UI sucks. It doesn't blend nicely with my system. It looks like a sore thumb Windows 3.0 app or quack-age MacOS app in the midst of a futuristic OS.
Yes! Like there's a required two clicks to leave a call, you can't trust if it will start video on or off, the menu bar hides by default! The UX is horrible.
The 2-click to leave is awful. Sure, accidental leaving can be annoying. How about don't put the button near anything else that might need clicking, so that it's much less likely to be accidentally clicked.
Having to download and use an executable at all is ridiculous and half the reason they have so many security problems.
It also has an unexpectedly great Linux app, IMO.
Agree and have a similar experience, so I use Jitsi https://jitsi.org/ instead and recommend it. If clients insist, I simply ask that they enable joining from a web client; otherwise I am unable to join. Jitsi works well, and I find it odd how remarkably mindsets become locked into options regardless of the accessibility and benefit of alternatives (great material for comedy, psychosocial study, etc). From React to iOS default apps to Zoom, it's an odd disadvantage of our human condition.
The browser experience is pretty decent IMO. And unlike, say, MS Teams, at least it works on all platforms with a reasonably modern browser.
I was shocked to find that on Windows, Teams refuses to run in any browser except Edge. On Linux, it runs quite happily under Chromium. It's the worst sort of anti-competitive behavior, in my view.
https://docs.microsoft.com/en-us/microsoftteams/get-clients#...

IE11 (ew), old Edge (ew), Chromium Edge and Chrome are fully supported. Newest Safari has limited support, and Firefox and older Safari versions are the only ones explicitly not supported.

I use it in Firefox regularly, and just checked and it runs in chrome too. Weird...
Same. The whole interface is god awful. And it almost always dishonors my OS audio input/output preferences by default. The web client always downgrades my camera resolution for some reason, and messes up its aspect ratio. Plus the security problems.
Zoom has a history of nasty security issues, does shady business with China and bought and killed Keybase. It's a shitty company not even considering their software.
Which goes to tell you how good their software is. It is better than anything other companies have to offer for video conference calls with many participants and screen sharing, which is why our university is using it after we had evaluated all competitors last year in April.
Didn't they route calls through China for no apparent reason as well?
Not without improving the speed of light.
To be fair, Zoom is universally well-hated at this point, at least by anyone with an interest in security.
Zoom is pretty well-liked by those who would be stuck with Teams otherwise.
Which was also hacked in pwn2own but that's not a big story for some reason https://www.bleepingcomputer.com/news/security/microsofts-wi...
> Imagine if that was your run of the mill well-hated big corp

I don't know what the general perception of Zoom is. Our opinions of it never really come up at work. The discussion I see of it online largely focuses upon the security issues so that is going to be negative. There is one thing I am grateful for though: it seems as though the masses settled on a product with decent cross-platform support for once. You rarely see that unless the product is intended for a niche market (e.g. science, engineering, software development). Heck, they even package it for Arch.

Indeed. It is really nice to be able to participate in group and conference calls from Linux without having to reboot into windows or macos. Also performs well in all the platforms I've used it in which is not something I can say for teams and Google meets.
>Imagine if that was your run of the mill well-hated big corp

Microsoft seems to be the one banging the "zoom is insecure" drum hardest and teams had, like, 4 zero days and paid < 30K for them IIRC.

... including an RCE in the very same competition https://www.bleepingcomputer.com/news/security/microsofts-wi...
ZDNet's headline is "Critical Zoom vulnerability triggers remote code execution without user input"
Which is more akin to how a person who actually knows what a 0-day exploit is would phrase it.
This is a PR piece. People do hate zoom, this is zoom trying to rehabilitate their image through their security partner.
People hate zoom? Like "Teams is so much better" or "online meetings are bad"?

For me it is one of the more enjoyable online meeting options, and it leaves Teams, Skype, Webex and what have you far behind.

Like "Zoom is an unethical company".

See: privacy concerns, lying about encryption, connections to China, bad security.

That might be “people on HN hate zoom”.
That doesn't make them wrong though
It doesn't, but it's worth noting that the general populace doesn't feel that way.
Fair point.

Possibly "people on HN hate zoom, and then use it anyways because it's forced."

Or how about people on HN are educated about zoom and therefore hate it.
a lot of college students do not worry about this
It's possible to hate zoom without liking one of the alternatives. I know a lot of people hate zoom because they associate it with meeting burnout due to this year and security issues.
Never used Teams. Skype, which I last used years ago, was certainly better as far as downloadable chat clients go. Google Meet runs circles around Zoom, and I don't have to install anything.
Chernobyl nuclear power plant explodes and paves way for safer reactor design!*

*citizens not yet evacuated from radiation zone

Using Zoom on Linux is a fun way to get everything to crash; and may as well flip a coin to see if I'll get connected / anyone will be able to hear me.

Google Meet, Slack calls, literally everything else works perfectly. With screenshare. On Wayland. I just call in to Zooms now.

My wife has been doing a ton of Zoom on an Ubuntu system on a Dell laptop, using their native app. She hasn't had problems.

Clearly your experience differs, not sure why.

Of the proprietary video meeting apps, they all have problems, but Zoom sucks less than Teams, Webex, or Skype and is a lot easier for non-technical folks to use.

I'm in the same boat. I use Zoom frequently on Linux and its performance is quite acceptable. I use Zoom successfully on other platforms as well. It compares well to alternatives such as Google Meet, which in my experience starts to fall apart past a certain number of participants on a call. Quite interesting to see the variance of experiences, as it doesn't match what I've observed personally or the comments I've heard from colleagues who have tried various systems. I hear lots of praise for Zoom and Teams, but Meet is either loved or hated.
I use Zoom fairly regularly, and haven't had *too* many issues. (Debian, x11, the app, though the browser version is fairly terrible)
This so much, also eats way too much CPU, and has no support for background blur, just a damn basic chroma.
I've read that AV is a dumpster fire on Linux and you're lucky if anything runs and Linux has never solved it and no resolution in sight.
>> Imagine if that was your run of the mill well-hated big corp

Zoom is one of my, and several of my coder friends', top-five well-hated big corps.

This far into the pandemic, I take personal pride that I haven't installed what for a while was essentially reported as Chinese spyware on my machines. :)