A lot has changed with the Novel Corona Virus pandemic, and the rise of video conferencing software as a necessity is near the top of the list.
Zoom, started by Eric Yuan, is a big winner in these changes. However, their system and architecture are being tested like never before. And that has brought to light some skeevy shit.
In the way back time, like July 2019, there was a big stink when Zoom got caught running a hidden web server in its Mac client to simplify the user experience for Mac users. The problem was that it was a vector for bad actors, and gave control of things DEEP in the OS, like the camera on Mac computers. Really bad shit, and they fixed it.
However, their mission has been to build a very friction free video conferencing system, with “cool” features that the staid grown ups (Go to Webinar, Webex, etc) didn’t have.
The Dude calls this “eye candy”. He is not averse to it, as it can be a differentiator. But it shouldn’t come at the expense of robustness, reliability, security, and strong privacy controls.
Then the Dude reads about “Zoombombing”, the phenomenon of someone not invited to a meeting dropping in and hijacking the meeting with offensive content, abuse, and other awful behavior.
Apparently, one of the “features” of Zoom is that if someone has the public link, they can just join a meeting. Makes it easy to have a large public forum, but it also enables the asshats. Imagine a Jewish service being broadcast via Zoom, and a group of white nationalist scumbags dropping in and uttering hateful things.
Bad as that is, there is one more facet that is - in the Dude’s mind at least - far worse. From The NY Times article:
In addition to the Zoombombing episodes, Zoom has reacted with surprise to press reports that the company’s iPhone app leaked user data to Facebook as well as to criticism that the platform had allowed certain users to covertly access the LinkedIn profile data of other participants.
Turns out that their apps had connections to Facebook, and LinkedIn, two known offenders of privacy.
Again, from the article:
Zoom quickly announced that it was removing the Facebook software from its iPhone app and eliminating the LinkedIn data-mining feature on its platform. To hinder Zoombombing, the company just introduced default settings that will require K to 12 schools to individually admit participants to videoconferences from virtual waiting rooms.
Seriously? All serious web conferencing software has been like this, well, since FOREVER. The fact that they defaulted to open meetings where anyone can join is a horrible design decision, on par with the Mac web server running in the background to get around privacy restrictions in Safari.
It is disconcerting to read Zoom's leadership respond that the exponential growth in usage by unintended audiences is the culprit here.
Ostensibly, Zoom claims that their target audience was businesses/enterprises, that the goal was to provide them a simple-to-use yet comfortable experience, and that security wasn't top of mind before now.
A snippet from one of the growing number of critical articles:
Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.
I am not sure what pisses me off more, that they are blaming the widespread public adoption for getting caught, or the fact that they sold a product to companies while having such a lackadaisical approach to security, encryption, and privacy. I hope all companies who leverage Zoom in their workflow are having a serious re-think of that decision.
Zoom has gifted all their competitors a killer bullet point to add to their battlecards. "Zoom fails hard at security and privacy"
The connection to Product Management
Every time the Dude reads about some self-own like this, where some tech company does something that in hindsight is so completely fucked up, the Dude wonders if their Product Management team was on board with the choice. He presumes so.
As the Dude has told many bosses, in software you can do just about anything, but the wisdom is in knowing what not to do. Sometimes the assumption that people are good, and will not abuse a feature or an option is just wishful thinking.
As the line goes:
“Yeah, but your scientists were so preoccupied with whether or not they could that they didn’t stop to think if they should.”
Jeff Goldblum - Jurassic Park
The day after the Dude drafted this, the NY Times ran another article on Zoom, and their drive to make video messaging "friction free". Worth the read: Zoom is Easy. That's why it is dangerous.
And since this was written almost two weeks before it is being published, there was yet another article on Zoom's security laxity. This time a partner, Dropbox, had sponsored security hackers to poke at the app to find glaring faults, and then pressured Zoom to address the holes. Yikes.
If you are an IT leader or responsible for security at your company, no matter how large, and you use Zoom's teleconferencing service, you ought to be looking to move to another service. Who knows what other shoes will drop.