I’ve been processing my thoughts on the Zoom Security stuff for a couple of weeks now, and I think I finally have an opinion.
The hate is silly.
Like I said, I sense something strange here.
I get there are security issues. And some seem pretty bad.
But the amount of highly-coordinated PR against the company feels more like an operation than regular criticism…
The Spidey Sense is flaring for sure. https://t.co/CFS3ELYuUG
— Daniel Miessler (@DanielMiessler) April 3, 2020
I had a bad Oompa-Loompa vibe immediately about all the hate they were receiving, but I couldn’t quite tell what was going on. Some were implying there was a massive cover-up, or massive negligence, at the company, which would make it like a whistleblower situation.
But my opinion has now squarely fallen in the Camp of Haterade. In other words, a whole lot of people got really upset when they saw a rocket take off heading for space. So they decided to shoot it down.
I stole “Haterade” from Joel P.
And it wasn’t just competitors (although I bet many of them helped magnify the backlash). It was also security researchers. And the media. It was—and still is—an absolute frenzy.
But here’s the thing: they had a 20X burst in usage in just three weeks—because of COVID. Did WebEx have that? Did Microsoft Teams? Did Google Hangouts? No.
Why not? Because they’re nowhere near as intuitive.
This was a miss by their competitors, not a win by Zoom.
So we’re in the middle of the biggest event in most people’s memory—an event that has isolated us from others—and one company had a product that made connection easier for millions of people.
Lots of companies had competing products much earlier than them. Years earlier. Skype, Hangouts, Webex—they all had their shot. But Zoom comes in and makes something people actually want to use. And now that we’re in a crisis, it turns out that it’s the go-to option for people due to its user interface.
Turns out it also has vulnerabilities. Actually a lot of them. But if you’ve been in security a while you know that vulnerabilities aren’t absent just because they aren’t being talked about. If you looked at Hangouts, or WebEx, or any of these other options the same way we’re looking at Zoom, it’d likely be just as nasty.
Yet people are banning Zoom. Largely because of Zoom-bombing and other panic-inducing issues. Keep in mind: it’s only called Zoom-bombing because Zoom was the only product popular enough to get bombed. That’s like claiming Ford was the #1 manufacturer involved in vehicle deaths 2 years after the car was invented. Of course it was.
Banning Zoom requires that the risk to people is as bad or worse than what’s gained from its use. And during a pandemic when most other solutions are nowhere near as approachable, that’s a very high bar.
Nobody’s using the other platforms as much, and nobody cares about them as much, because they’re not easy and intuitive to use for beginners. And the more usage you have, the more scrutiny will come with it.
I think it’s funny that Google banned Zoom. Really? That’s your technique for gaining marketshare? Ban the competitor that just did to the market what you should have done 5 years ago? Maybe it’s because Google is small and has no money. That’s probably why they couldn’t figure out how to make a good product.
What annoys me is that we’re not paying attention to the inherent balance involved in technology and security. Everything in security is a tradeoff. The only question is whether you’re properly measuring both sides to make an informed choice.
For people banning Zoom all over the place right now, the tradeoff is not communicating easily with people in a moment of intense need. Not. Communicating. During. Intense. Need. That’s on one side of the balance.
On the other side you have a bunch of vulnerabilities that can maybe be exploited, by certain people, and that are actively being addressed by the company.
And I’ve also heard they were quite dismissive of security issues earlier on in their history.
And I’m not giving Zoom a pass. They shouldn’t have had these issues in the first place. And it took them too long to fix some of them.
But they seem to be responding well now.
My recommendation is simple: know your tradeoffs. At all times. Zoom had a 20X increase in traffic because it just provided a massive benefit to humanity. Banning it requires that the risk to people from using Zoom is as bad or worse than not being connected to people in a way that’s intuitive and easy.
And by my calculation, the comparison is not even close for 99 percent of people.
The changes they made already have vastly improved its security.
So if you’re the Pentagon (or some other high-security situation), maybe don’t use Zoom for a bit. But for most others—including most who just started using it recently—Zoom is quite safe. And now that they’ve had all this scrutiny, it’ll be even more secure in the coming weeks and months.
- April 9, 2020 — I have a friend who is familiar with Zoom’s security going way back, and he says their security was markedly worse than other companies, and that their team was not responsive to vulnerabilities being presented. I trust him a lot so the question really becomes how much they’ve changed since a year or two ago. I think with Alex Stamos coming on, and all the work they’re doing now, they’re likely to be in a good spot, but the question remains whether their culture is now deeply focused on security, or if all this work is being done just to reduce scrutiny. The good news is that either way the security will improve. But things will be better for longer if they care about security at a deeper level.
- April 10, 2020 — Cleaned up the formatting a bit (removed a bunch of line breaks) and added a tiny bit of clarification.