1. Google's threat model may not be your threat model, and it definitely isn't the threat model of my daughter's school. A corporation like Google may be concerned using native applications, written in unsafe languages, written by developers from other corporations in China. That said, Zoom isn't wrong for everyone.
2. Google is motivated to push their own solution for obvious reasons.
3. Tavis, or others, at Project Zero might know some things, maybe we'll find out.
> Google's threat model may not be your threat model, and it definitely isn't the threat model of my daughter's school. A corporation like Google may be concerned using native applications, written in unsafe languages, written by developers from other corporations in China. That said, Zoom isn't wrong for everyone.
Google's threat model surely differs in some way from a school, but the specific threats you named seem like threats equally applicable to the surfaces identifiable in the threat model of a school.
The threat model for a school is kids/others disrupting sessions and creepers using access to gawp at (or communicate with kids). Since the Chinese government is unlikely to feel the need to compel Zoom to do that, the fact that they have all the keys centrally stored is not a problem.
Google's threat model actually does include state level attack (and specifically by China) to steal IP or access confidential user data.
A risk when talking about memory safety vulnerabilities is that someone (not China especially, just someone exploiting Zoom) pwns the child's or family's computing infrastructure and gains access to everything running on there and possibly does it without detection for a long time. It's basically an all-bets-are-off situation that also puts social media contacts at risk.
Zoom is of course just one vector for this, but the threat model of "it's just schoolwork at risk" is wrong. It's actually integrity of the computing environment.
The Chinese gov't spying problem isn't with schoolchildren per se but schoolchildren use their parents' computers. Chinese authorities openly demonstrate their intention to deploy the maximum level of surveillance they can over any adult within their reach. This just increases their reach.
Even if they don't use their parents' computers, if Zoom is not totally sandboxed, they can hack the child's OS, they can mess with computers on LAN, or the router/wifi.
Every native app made by a Chinese company could also provide a backdoor to the PLA. Same could be said about apps from other countries and the NSA, FSB, GCHQ, Mossad, ASD, whatever the Germans are calling the gentler, kinder, totally-not-spying-on-everyone-anymore-we-swear successor to the Stasi, etc.
There is no specific evidence for this, but it is a possibility. Balancing remote possibilities and accepting some that are beyond our control is what separates the sane from the tinfoil hat crowd. Personally, I would try to stick to apps by companies headquartered in your home country. This is difficult outside of the USA and probably impossible outside of the next 5 top software hub countries.
> Personally, I would try to stick to apps by companies headquartered in your home country.
Why is that? It seems like the opposite would be the best advice: make sure to use something from a company not headquartered in your country. Most people probably have more to worry about from their own government than anyone else.
I think that's technically incorrect. The BND (and its military sibling MAD) are mostly concerned with foreign intelligence, while the Stasi was mostly used for internal surveillance. The subdivision HVA inside the Stasi would be the equivalent to the BND, while the larger and infamous internal surveillance of the Stasi is now in the responsibility of the Verfassungsschutz.
> I think that's technically incorrect. The BND (and its military sibling MAD) are mostly concerned with foreign intelligence, while the Stasi was mostly used for internal surveillance.
Of course they are. That's why they are happy to work with NSA which gets everything that is routed through Frankfurt.
> The subdivision HVA inside the Stasi would be the equivalent to the BND, while the larger and infamous internal surveillance of the Stasi is now in the responsibility of the Verfassungsschutz.
I'm not sure why you worry about that. It's guaranteed they have it and use it. You should worry about "is it a problem for me that the Chinese government and Chinese companies have access to my video meeting streams"
If yes: do not use Zoom right now.
If no: do what you want.
If China wants to waste its resources having people spy on me on Zoom while I play board games with friends on it, then this seems like a good thing to me.
China doesn't have any concerns about wasting resources. They have more than enough to spare. Vacuuming up any sort of mundane daily task people do is good data to feed into some AI that can easily distinguish fluff conversations from useful interactions worth investigating.
Not sure what your interest is in this, but I was responding to his not caring if China harvests his data. I didn't make claims about Zoom sending the data to China, but I've seen other people make comments around the internet that Zoom is sending the data to China, and they promptly get flooded with comments tearing them apart for having suspicions.
But you made me look into this. Apparently Zoom does "accidentally" (accidents like this don't really happen) send data to China. [1] It's very normal for companies to completely divide up their Chinese servers and non-Chinese servers, so the rerouting makes me suspicious.
It still leaks information. How many kids you have, their name, some things about their personality, who they are friends with, etc. Think about how someone who wants to hurt or control you could use that information.
You seriously think the Chinese government is going to stoop to K&R with random Americans?
The Chinese government is the last entity I'd be worried about with this kind of information (unless, of course, you live in China). Certain criminals in your own country are a much bigger concern.
Doubtful. But "the Chinese government" is comprised of individuals who might want to make a quick buck selling information on various markets. Perhaps to those certain criminals better positioned to take advantage of it.
This is similar to the concern some of us had over giving local government departments access to our full Opal card public transport travel histories here in Australia. Not all government employees are up to no good, but some are. Don't give them more than they need.
> The threat model for a school is kids/others disrupting sessions and creepers using access to gawp at (or communicate with kids).
Not if the school actually cares about the future of its students.
From a blog post[0] we published at NuCypher a while back:
> If we fail to take action now, we risk a world in which unsavory actors - domestic and foreign - have built rich, comprehensive profiles for every one of our children, following the trajectories of their education, home life, consumer habits, health, and on and on. These profiles will then be used to manipulate their behavior not only as consumers, but as voters and participants in all those corners of society which, in order for freedom and justice to prevail, require instead that these kids mature into functional, free-thinking adults.
I got confused and thought he was talking about Google. The results already exist via Cambridge Analytica.
It's like the old 5G debate in Europe: who do you want to have a backdoor: Cisco+USA or Huawei+PRC? (Hint for Americans: some/many see China as less malevolent).
Understood, it differs, I just made a very brief comment and mentioned a couple of obvious threats!
For those that use Zoom - consider spending at least a few minutes to make a mental threat model about Zoom. Who might go after you? What features does Zoom have that might be exploitable? What's the worst thing that can happen? The worst case for Google is not the same as the worst case for a professor or elementary school.
Maybe Zoom doesn't work for your use case - fine!
Maybe Zoom is good for your use case - fine!
Lots of people will be using it either way, so it's good to have Alex help lock it down.
My children's school is using Microsoft Teams for classes. The students are:
- kicking out their colleagues
- muting the teacher
- posting memes in the chat room
It looks like you can't prevent them from muting/kicking out each other. There's a larger threat surface of mean pre-adolescents, than a hacker trying to steal their info.
Sure. And it's not easy for a k12 teacher of a third world country to use these tools. The default is open and the need to configure it is a surface attack.
No they are not. A business can have trade information they want to protect. A school would be more focused on individual privacy and safety. These threat models are quite different.
* Google's exposure is far greater than merely other languages
* Exposing profiles & activities of an entire generation of kids to a foreign adversarial surveillance govt is itself a serious threat, covered by other responses here
* This creates a massive increase in exposed surface area. E.g., consider a kid using their parent's computer who happens to work at a sub-sub-contractor on a key defense project. Even if the key files are properly encrypted, just some little data points like the fact of their employment, network name, list of known WiFi routers cached, etc., now lets CCP fill out their model of attack vectors. There's a thousand other ways this can be used to gain an edge if you don't like that example
The bottom line is like the precautionary principle - just because you or I can't figure out how to exploit something, doesn't mean that it can't be exploited.
Why use it at all? I honestly don't know what's available in this space, since I don't need to, but is there really no alternative?
If they're building a product that does shady things (e.g., macOS install nonsense) and is full of security holes (e.g., zoombombing) that's enough to tell me I don't want to use it and I don't want my son's school using it.
Google isn't alone here. Just another data point.
At best it's a product full of security holes. At worst deliberately designed to spy on people. I don't care who those people are. I care about the intent.
Zoom is by far the best usable conferencing software. Its security flaws are irrelevant to most users as the pain of using anything else is awful. It's always a major drawback.
People in the real world care as much about Jitsi as about Bernie Sanders. HN and Reddit are bubbles that Joe Schmitz from MegaCorp Inc. does not know or care about ever despite some aspects being vastly better on the security side. UI/UX is Zoom's domain though and nothing comes close.
Some of us don’t have security as a high priority. I for example wouldn’t really mind if my computer’s entire contents were published at nytimes.com. What I care about right now is my kids getting to see their family over Zoom or whatever.
I think we’re probably at the point where it doesn’t matter what your personal threat model is: your insecurity affects everyone, so nobody has the luxury of not caring about it (much like vaccination against disease). It is a matter of collective and national security.
A number of companies have rightfully banned Zoom's native apps, given how insecure they are. I had previously uninstalled it when the news about the secret web server they install came out. Google is still allowing use of the web app, but the web app bizarrely doesn't support Grid/Gallery View, which is the main reason my friends/family wanted to use it.
Hangouts Meet was optimized for work meetings where most people would be dialing in from high-bandwidth meeting rooms, not everyone individually dialing in from home, but hopefully now they've heard the loud feedback about the especial usefulness of Gallery View during quarantine times and will introduce the feature soon.
For now I'm using the Chrome extension that enables this feature client-side using JS/CSS, and staying tf away from Zoom. With how little I used Zoom before quarantine, I don't understand the adoration for it (I found its UI confusing and quality similar to other tools), and I haven't been able to find any benchmarks comparing its video quality for people on less good internet connections (my home network is pretty strong).
We switched from google hangouts to zoom a while ago because the quality "felt" better. We are a small distributed team where our internet connections run the range of fast to slow. We didn't track numbers or anything, but fewer dropouts, frozen videos, better sound quality, etc. Maybe we all just had better internet days each time we used zoom though. Never know.
The UI is initially confusing, but so is the UI for every video chat app I've used. It seems to be the fad to have "clever" UI in video chat apps (controls that auto-hide, non-standard icons, low contrast, non-standard control placement (use the standard toolbar luke!), etc.).
On top of that zoom has always "just worked". The "just worked" thing is now resulting in security woes, but still. Start a meeting, send link. Done. Online works, dial in works.
Contrast with hangouts (dropped non-chrome browser support for at least a year). To this day we have users that can't use slack video for unknown reasons (app store slack doesn't work as well as slack installer slack or something). WebEx is some horror show that seems to constantly re-install itself for each meeting. You're lucky if you can get it going before the meeting is over.
Where most apps stop at video chat and maybe poor quality screen sharing, zoom has a pretty deep enterprise feature set. Good webinar support, integration with SIP systems, SSO, recording etc.
To give an example, they prioritize audio over anything else. Which makes sense because if you can't understand what the person is saying, you can't have a meeting. So they automatically downgrade or upgrade your video to try to keep latency decent on audio. Meet just has a manual setting where you can up or downgrade video or audio.
For the most part my understanding is that zoom is better at quality because it does not use webrtc - but hangout meet does. This means webrtc needs a lot of the fixing, which is hard because it's a standard.
Zoom sends proprietary stuff over web sockets instead. Which is also why they prefer you use their fat clients with native decoding.
Have you tried GoToMeeting? From the company that makes LastPass.
It's mostly equivalent to Zoom, from my experience. Grid view, screen sharing, recording, chat, file sharing, phone dial-in, calendar meetings, etc. If you follow a GTM invite link it downloads the app and runs it for you, so nobody needs to have the app previously installed.
It's also rock stable. I've had hundreds of meetings with GTM, and never had any audio/video issues, whereas Google Hangouts/Meet has always been really flaky.
I wish more companies would ban WeChat's desktop clients and force them to re-enable the web version at web.wechat.com
WeChat now often pops up a notice when you try to use web.wechat.com that translates to "For your account safety you cannot use the web version, and you need to download a Windows or Mac client."
Safety my ass -- web is the safest. I know better than you about my safety, Tencent.
I have seen MANY people install it on company hardware because it's tiring to have long chats on a 5" screen and it's hard to send/receive files through a phone. Many hardware providers send/receive contracts and even firmware hex files over WeChat (WTF, I know, but they do) so you're forced to use it for work if you are in the hardware industry, but for most people Tencent doesn't let you use it from a desktop without a native app. And they try to brainwash you into thinking it's for your own "account safety". BS.
Also, Alibaba's conferencing client. If you even have a meeting with anyone at Alibaba, they send you a proprietary desktop client to use for the meeting. More people need to learn to stand up and say no to this. From a corporate executive level, proprietary conferencing apps need to be banned on company-owned machines.
What they should be doing is straight-up WebRTC running in a web browser, which works great, and which will work in China as long as you set up signalling servers there.
I went from Zoom to Jitsi with my family, because I was tired of it pushing the desktop client to me and the webapp limitations as you point out. Jitsi web supports Grid view, as well as desktop sharing (with audio!). We've been playing Jackbox games over it just fine.
Right in Jitsi, you share your screen and Chrome's dialog opens, you go "application window" and select your game, and check the little box "share audio". Here's a GIF from their newest blog post showing it: https://335wvf48o1332cksy23mw1pj-wpengine.netdna-ssl.com/wp-...
Yeah this should be higher. Also work @ G, and it's just the desktop version of the app that's been disallowed. We can still run the Zoom web app on corp machines.
One thing that puts me off about Zoom is the way it tries to push you into downloading the desktop app when the web app should be fine and is what I prefer.
It uses shitty dark patterns that require two or three clicks and at one point, if I'm not mistaken, waiting for a link to appear after a delay.
In my most recent experience with it, it led to a zip file being automatically downloaded to my computer. This when I already have had plenty of previous experience with the web app and was deliberately trying to reach to the web page for a meeting for which I had been sent a URL.
Slack does similar things but isn't quite so aggressive about it.
> One thing that puts me off about Zoom is the way it tries to push you into downloading the desktop app when the web app should be fine and is what I prefer.
I'm pretty sure they do that because their web app is garbage, and they know people will get a much better experience in the native app.
Notably, Zoom's native app is truly native; it's not some electron wrapper like Slack or Teams. I don't think it's a coincidence that Zoom is both (A) the only major solution that seem to work consistently with large numbers of participants, and (B) the only one not using WebRTC.
> and they know people will get a much better experience in the native app.
Not if I'm a user who is actively trying to not install the native app. For me, and likely many others, security and privacy trump performance benchmarks and UI/UX all day, every day.
And in that case you can use the web app. The grandparent talked about a "dark pattern" and it's really hard to see one if the native client is better than the web version.
This is all well and good when their native app actually works - in my experiences on Ubuntu (using i3, so that could be a factor) it freezes up my laptop completely. I was initially able to get the web version working by using the click-the-meeting-link-multiple-times trick, but now Zoom wants me to make an account to join meetings which I have no interest in doing.
My new strategy is to call in and say "Sorry, I can't see your screen because Zoom doesn't work on my computer," which is a completely unnecessary situation that Zoom creates by intentionally adding roadblocks to their web app.
It's hard to imagine why they'd want to push the desktop app that hard. I don't want to assume anything untoward, but it'd be a lot easier to dismiss the whole sending-data-to-China thing if they didn't try so hard to force you onto the version of their product that's capable of such a thing.
I hope we can stop and appreciate for a moment how clear and well-understood this direction is at a tech company. I can't imagine how difficult it would be to explain to a school or other company that they can use the web app but not the desktop app.
Zoom has a not very well published chrome app (intended for chromebook users). You can install it in normal chrome and it gives you a much better experience than the web version without all the issues of the desktop app.
I trust zoom a lot more when it is running inside a chrome sandbox than as a native app.
I haven't audited the files yet to see what technology they use (e.g. why is the web experience shit, but the Chrome App is OK), but I certainly trust Zoom a lot more in a sandbox.
I use this because I have a pixelbook and it works pretty well except for two issues: (1) minor issue that you have to click the "leave meeting" button, you can't just close the window or else it strangely relaunches and (2) major issue is that you can't change your video background which is a killer feature IMO.
I haven't been able to find a way to change my video background on the Linux client either. The image recognition software must be difficult to reliably implement for their lower-value platforms (as in, it would cost them too much to get it working well relative to the number of users).
I mean, Google bans MS Office from employees' computers as well (with special-case exceptions), so they use Docs instead. Since Google has Meet (Hangouts), this isn't really surprising.
It mainly sucks for when an employee (especially in sales) has a call with a client that uses Zoom and can't use Meet, because then you're forced to dial in, which just puts you at a disadvantage when everyone can see everyone's face except yours.
Edit: per comments, people can still use the browser version of Zoom, so doesn't seem that bad.
MS Office isn't "banned" from employees' computers at Google. If you need it (and some do) you must request it specifically, because it costs Google a nontrivial amount of money for every user. Same thing with any piece of commercial software: for example, I have Adobe Photoshop on my Google laptop, and I had to request it because it costs Google a few hundred bucks, and most people don't need it at all.
Before Google Docs existed, many employees used MS Office, and when Docs was being rolled out Googlers were incentivized to switch to Docs by being offered kudos, swag, etc (ie, the carrot, not the stick).
I imagine most people who want MS Office over Google Docs probably want it for Excel, which IIUC has several powerful features not present in Google's Sheets.
The only thing Google Docs has over MS is the collaboration.
Word in the browser is a billion times better for formatting than Google Docs. I loathe using Google Docs. But when it comes to Collab, Google Docs wins hands down.
> The only thing Google Docs has over MS is the collaboration.
As someone who has had to build relatively complex tools in both Sheets and Excel, I would have to say Sheets has done a much more impressive job with their builtin formulas/functions than Excel.
Also JS vs VB, I'm not a big fan of JS but only a madman prefers VB.
The JS in Sheets also runs in the cloud. Really nice for scheduled things or things that talk to an API or similar. But being able to run stuff locally is nice too.
Entire GSuites is a productivity and doc formatting disaster. From docs, sheets to mail all very inconsistent and formatting of content and information is terrible compared to Office. Glad I'm back at a company that uses O365.
Yes, we can afford it, and that's why if you want MS Office you click a button on a web page and get it immediately. But why would we throw away money by having it installed by default?
> Nobody is dumb enough to believe that Google is saving money by not using office.
Maybe I'm dumb, why wouldn't they be saving money by not paying for Office? Obviously they could buy it for every employee, including the majority that don't need it, but why? They could also just light money on fire (but why?)?
Office is business productivity software. You don't buy it for every employee, you negotiate a license for the number of seats in use. It has way more features than Google Docs and is standard everywhere. It's like saying you could save money by having programmers write code on pencil and paper. You saved the money on the computer but you have a net loss because you lost the power and efficiency of real time editing, compiling and debugging. These corporate guys just drink the internal koolaid/spin from HR or whatever and come here repeating nonsense as if it's fact and it annoys me. It's dogfooding with some minor privacy/security concerns since Microsoft is a competitor, we get it, just call it what it is and move on.
> It has way more features than google docs and is standard everywhere
I work for another FAANG and we don’t use MS Word. It certainly isn’t “standard” for us. It’s not standard for two of the three FAANG companies, so “everywhere” is inaccurate. Being popular isn’t the same thing as standard. Pages is far more usable for the vast majority of use cases. Most people aren’t creating extremely complicated word processing documents in their day-to-day. Word is a bloated mess. Keynote is far easier and more elegant than PowerPoint. Excel however certainly shines for big spreadsheet work, but for most spreadsheet work Numbers and the Google spreadsheet are perfectly fine.
This isn't about the merits of excel over sheets, it's about employees coming on the board and lying to promote their company. Google makes 1.61 million in revenue per employee. Honestly it's only going to get worse, because if you see the videos of the company meetings, Sundar was always the super loyalist that would say anything to protect Google or run interference for senior leadership. And now that he's CEO they will start aping him.
I may work for Google but I am often critical of them. I have no reason to lie in this instance, and anyone you talk to who works for Google will corroborate what I'm saying. Not everything is a conspiracy.
Your reasoning is based on the belief that Google is sacrificing productivity by not giving all employees office. GP is directly contradicting that line of thought, which makes the rest of it fall apart.
There are two narratives, which do you think is more likely:
1. Google is dogfooding its own products to improve them and make them competitive and stop potential data/privacy/security leaks by using external software.
2. Google is trying to save 20 bucks.
There is nothing wrong with Google docs or sheets and I have used them both. But sooner or later you make enough documents or work with enough spreadsheets you're going to want or need some feature that office has.
Why should it be an either/or thing? Both are valid reasons for Google to prefer its employees use Docs. However the fact that you can choose to use MS Office without any special permissions somewhat undermines your reasoning in point 1.
Google may be a rich company but it's also a very frugal company in many ways, particularly wrt technology (they pioneered the "huge amounts of redundant cheap hardware" approach to DC construction, for example). When Googlers were being coaxed into switching to Docs from MS Office, the financial benefits were front and centre to that pitch.
Google is a large company so they have lots of money, yes. Google also has lots of employees, so paying a per-employee price for anything gets expensive. I can't find a Google headcount vs Alphabet, but at the end of 2019 Alphabet had 118,899 employees. $20/month for each of those employees would cost $2,377,980 a month or $28,535,760/year assuming no annual-payment discounts. Google could absolutely absorb that easily if they purchased Office for every employee by default, or if only 25% of the company gets around to requesting it they can save $21 million a year simply by not buying software nobody asked for or intended to use.
I'd seriously doubt more than a few people at Google would want to use 365 at work. I for one never felt the need when I was there nor afterwards and the entire company is fully utilizing Google Docs which is a better product as far as sharing and search is concerned. It's not like people at Google constantly email .docx files to each other, lol. Nevertheless, you can request it (in an AppStore like fashion, not some overburdened process) if you really need MSOffice, but Zoom binary being banned seems to be a completely different matter though, as pointed out in other posts.
For workplace collaboration, sharing is the highlight, not formatting (unless you're designing for paper-based publication). I have to say the few times I encountered the browser-based Word 356, it felt like total shit. Cannot imagine anyone really using it if they have the desktop app installed. Seems like a checkmark product and the real users end up using the full app version. I've even heard this from friends at Microsoft.
From what I've tried the desktop apps themselves do cloud-driven collab just fine, so I don't really see a reason to use a browser app when native's available. May just be me seeing things, but the native-to-native sync seems faster than with the web apps. Sadly that means sharing is a bit less convenient than just click link to open.
Just because Google has a lot of money doesn’t mean they’ll go wasting it on software licenses. 24 million might not even come close to what they make per year, but they still have to be considerate on what they spend their money on.
$20/user/month is tens of millions of dollars every year for Google. Sure, they can afford it, but I'm quite sure they have better things to spend money on.
The browser version of Zoom seems to require a free account be created, and it was audio only in Chromium, I could not get it to use my camera. Zoom refused to work in Firefox.
Jitsi and Google Meet seem to work in both browsers, without requiring me to log in.
You can join Zoom meetings on your browser without creating an account. It's a bit off the beaten path:
1. Go to zoom.com
2. Click "Join a meeting"
3. Enter meeting id and click Join
4. Ignore the automatic app download
5. Go back
6. Click "Join a meeting" again
7. Enter meeting id and click Join again
8. Ignore the app download again
9. Click at "If nothing prompts, click here"
10. Click "Join from your browser"
11. Agree to terms of service
12. Enter password and name, click Join
It's improved a bit, and actually works fine in Firefox Nightly right now, but you have to craft the web client URL directly. The UI will try its very best to make you download the client.
Seen somewhere else: when you get to the web page that launches the app, don't allow that launch, hit (IIRC) "Retry", still don't allow it, and the page should say "Having trouble?" and offer a link to the web version.
I've joined plenty of Zoom meetings without creating an account. Are you sure it wasn't just asking you to enter your name and email in the page so people on the call would know who you are when you joined?
Personally, I feel much advantaged when no one can see my face.
And in truth, I usually don't want to see anyone else's face either. Aren't there companies that forbid looking at someone for more than five seconds? Well guess what, on a video call, they're staring at you for minutes on end.
Extremely unlikely Netflix actually has a policy like this. It was probably an example of what could be considered creepy in some circumstances during a training.
Perhaps, but almost certainly not. This sounds exactly like things that were said in sexual harassment trainings I've been to at other large companies. These trainings often provide examples of what can be construed which ways, because a non-trivial slice of any given sample of humanity totally lacks social graces. They don't want someone to later complain that, "I was only looking," when they get reprimanded for leering at a colleague.
Examples like this can accidentally or intentionally be misread as policy, but it is not actually policy. It's an example of what can be not OK in some contexts. Of course, I'm happy to be corrected if someone who works there wants to jump on and say otherwise. But I very much doubt that such a policy exists. Doesn't pass the sniff test.
"A spokeswoman clarified there is no such “rule” at Netflix. However, she confirms that the recommendation was, in fact, discussed in an anti-harassment training session, though it’s not an official guideline."
What should I look at conversing with another person? I used to look in the eyes or just in the face, I don't understand why is it harassment? Should I look at tits instead, is it less harassment or what? Shall I just close my eyes? West culture is weird.
God please don't make me use a non-zoom video conferencing tool!
I have used about a dozen over the years in my role as a consultant, and Zoom has been by far the most reliable. I’m hopeful lots of good can come from the scrutiny, but please Zoom get your act together so I don’t have to use some other buggy thing that doesn’t actually work.
> God please don't make me use a non-zoom video conferencing tool!
I have honestly lost track of the amount of software I've seen in the past 20 years, that people insist they absolutely must continue to use despite its well documented gaping security flaws. Because it has a better UI or makes their life very slightly more convenient in some way.
Versions of Microsoft Office from the early 2000s where an entire operating system could be pwned simply by opening an excel or word file with malicious vbscript in it were good examples. JPG parsing buffer overflows. People continued to not only not patch it, but use it in its out of the box configuration.
For reference, organizations that have now banned Zoom include Google, NYC public schools, SpaceX and NASA.
> Because it has a better UI or makes their life very slightly more convenient in some way.
I think you've missed the point completely. It's not a question of convenient UI. It's the reliability of the video call. I've tried numerous video conferencing tools, and the differentiating factor is literally just whether or not the video quality is consistently good, whether the call is dropped or not, and whether the audio is audible.
Exactly. A lot of tools barely recognize webcams or desktop mics. You’re expected to dial in, which means being tied to whatever terrible audio quality the phone bridge provides for talking to 20 people.
wait what, are you using the DOS-zoom client? Or how is it, that everyone else got general drivers for their devices so applications can use standardized APIs and "just work"
If you've never been on a conference call where someone can't get their dial-in, audio, camera, screen share, or mute button to work, I'd suspect you've never been in a conference call. These recurring issues are fewer with Zoom. I spent 6 hours on zoom today (ugh), and every day I'm in a 25-to-50-person call that has consistently been buttery smooth.
They have this long long outstanding bug where if they deem the audio low-quality (despite the fact it's crystal clear) they gain the audio and it goes crackly and too loud. If you turn down the volume... they gain it again, and again, and again, till you need to restart the app. Only for it to happen again.
Personal opinion, you don't need video or talking heads to have a conference. Some combination of text chat to share documents with simultaneous good quality audio is sufficient.
The challenges related to audio sucking are mostly individual end users' audio stepping on itself, such as feedback from speakerphone configurations into its own microphone. Easily solved by good quality bluetooth headsets, wired headsets, or simply using something as basic as holding an android or ios phone up to your ear.
And I do put "video quality is consistently good" in the category of "makes peoples' lives slightly more convenient". It's not essential.
I disagree. To build connection, read body language, and show people are paying attention it’s important to see the person... we ask that of all of our internal remote calls.
oh yeah, let's try to look each other into the eyes. ooooh no, seems that doesn't work. And "show people paying attention": why do a conference at all if people have no stake in it?
Audio < Text when too many people are trying to communicate at the same time.
<rant>
We are supposed to be engineers here. I regularly see this attitude that one thing is always and inherently better than another. Life is (mostly) a zero sum game and it is our job to pick a solution for the problem at hand. And the more we can constrain that problem, the better, cheaper, more reliably we can deliver a solution. More information is not better. Maybe for interview body language is important but for deciding what story to pull or what commits you did? Not really.
Deciding what story to pull generally revolves around conversations during sprint planning or with a product manager. What commits you did means you're committing which means you probably (should) have had code reviews. Often times code reviews involve discussions.
If you're one of the few people that don't have person-to-person interaction on a daily basis - congratulations. However, that places you firmly in the minority.
On the other hand Microsoft Office is still used today - and is still the #1 office suite, especially with Excel. They've since cleaned up most of their security issues (I'm sure some exist, but it's not nearly as bad as it used to be).
The problem with Office and Zoom is that they are _the best_ at what they do right now. And that has a massive impact on what people are willing to give up to use it (money, privacy, risk, etc).
What are you advocating for? Either way business will continue; lock down security and people (and productivity) will suffer but still continue, ignore security and business will still happen. Different business will fail in each scenario, but the world won't end. Heck, force people to jump through hoops to support insecure software and work still gets done: https://news.ycombinator.com/item?id=22804208
I hope Zoom gets their act together because their competitors, with way more time and resources, suck a lot more. I don't think it's because of the difference in security--maybe it's because competitors were focusing on Enterprise or because it wasn't their core business?
I think each of those companies that have banned it make sense, even if that means the average person should continue using it. Zoombombing elementary school children because of a misconfiguration (or just because of the media reports) isn't a great idea and the security concerns warrant the rest. I still don't see much of an issue for other business and most personal use.
I am specifically advocating that organizations with important data to protect take a more cautious and measured approach to installing software on their workstation computers.
If the very slight productivity hit from having slightly-more-blocky video chat in a slightly-more-awkward GUI client (google hangouts meet for gsuite, for instance, or Teams) is the make-or-break line between a company's continuing success, or not, with everyone working remotely, something else is fundamentally wrong that has no relation to any software package.
That sounds like an appropriate response. I do think the BYOD push over the past 10+ years has improved Enterprise experience for end users and I expect things like Zoom and the current push for work-from-home does the same for working remotely.
I hope both Zoom improves their practices and other enterprise tools step up their game, too. It's been a joke that the first 15m of a meeting is spent getting things working for decades now.
Zoom seems to have spent time in some areas almost completely ignored by most others: Linux, more than a handful of simultaneous users, and poor connections (I feel like Zoom has other benefits, but these are egregiously bad with competitors). At my previous job it wasn't just slightly-more-blocky video chat in a slightly-more-awkward GUI client. We used our own equipment (and mostly used Linux in-house) and were spread all over the world (some countries had poor connectivity). We also had our company meetings via Zoom. We often tried other software and didn't bless any one of them, but I don't think any other single software would work. Without Zoom I imagine we'd do most meetings via voice--likely over POTS.
This is one of the places where FOSS has a great role to play, vendor neutral infrastructure code. Anything from one of the FAANG companies or even a startup is constantly going to have to find a way to create value for the company and inevitably that leads to data harvesting and sales.
What I have observed is that FOSS folks like to pick poor names for things which limits their ability to penetrate into the world of the non-computer geeks. Case in point, Jitsi. WTF? My parents are never going to remember what something named "Jitsi" does, ever. Call it "GNU Video Conferencing System (GVCS)" or just "Video Conferences" please.
Ah the days of https://en.wikipedia.org/wiki/Microsoft_NetMeeting
I recall them so well. Desktop videoconferencing and whiteboard interaction was all about to go mainstream back then by many a manager evangelistic eye just far enough of the base of reality that it was almost believable. Yet still such things have to find a champion that rings true for all, let alone interoperability. Which is a shame as many standards out there matured over time.
I've been using WebEx in enterprise/corporate environment for a couple of years intensively, and it "just works". I can download desktop client, but I can also just run it in the browser.
Zoom always wants to install weird clients that violate policies and cause my corporate laptops to refuse or bork.
I recognize my experience may be a minority one, but I'm surprised, genuinely, at this perception that it's "the one video conferencing software" that works.
The issue is that WebEx might just work for you, but if there is one person for whom it doesn't work then that is the limiting factor.
What people struggle to understand is that Zoom made it easy across ALL operating systems. While Webex might "just work" on a subset of Windows and Mac hosts.
I use Linux as my day to day OS and WebEx is a nightmare (which sticks well to the stereotypical enterprise tool from Cisco).
Many solutions don't require a local software. That's an onboarding hurdle. Zoom's dial-in system also requires host approval, which led to mayhem across every Zoom call I've been forced to join today. Most importantly, someone inviting me to a Zoom call says something about how they value security.
Zoom's audio quality is better. But it's not irreplaceably better. In terms of UX and reliability, it's been a mixed bag. In terms of security and branding, it's awful.
or is the difference that any other tool runs in the browser (which might be old or locked down), while Zoom childishly just gets admin-privilege to turn the tables in its favour?
Zoom is worse across most operating systems. It is worst of all on MacOS, where it downloads an installer without asking me. I then have to click a link saying that it didn't work, whereupon, it will download the installer again without asking me before finally giving me the option to join the call without installing that buggy app.
The Zoom client works really well, Webex works okay for me most of the time but not all the time and has a lot of little problems I find annoying.
- Overall webex UI is very slow/laggy, subjective - yes, but I think it'd be obvious to any regular person.
- It makes my self-view a tiny floating box (this drives me crazy, I want it to be the same size as the others).
- Gallery view doesn't work well, sometimes the speaker is duplicated in sharing content speaker view and again in gallery view.
- Audio switching doesn't work as well between putting airpods on and off.
- More video/audio failures than Zoom in general (enough to be annoying).
I'm not sure why Zoom is the only one that does Gallery view right - the others all seem to mess this interface up (maybe because they can't handle the traffic?)
I've used Webex for 5 years or so, and haven't experienced the issues you have.
Also, when I was evaluating conferencing systems for my micro-ISV, I tried several - the screen sharing on Zoom was laggy as hell, moreso than I saw with anything else. It was 1-2 years ago, so things might have changed since then.
WebEx on MacOS will, if left open and idle, randomly tell my headset that a phone call is starting, then it will disconnect it shortly after. Sometimes it disconnects two calls in a row (my headset announces when a call ends).
And every so often by virtue of being open in the background, WebEx manages to somehow crash my BT headphones.
Go into the Preferences, Video Systems (last item), uncheck "Automatically discover nearby devices"
The default behavior of Webex is to grab the microphone and keep it always-open looking for audio signals from Webex-compatible hardware.
I found this because I was bothered that even though I wasn't on a call Windows was telling me that Webex was actively using the Microphone, so I dug in. IIRC the post that guided me to this, on Apple devices with their earbuds it apparently also significantly degrades the sound due to some codec issue (or did in the past).
Yeah, Webex's background app has a weird habit of holding onto the microphone on Windows also. Why do they even need a background app? I have a calendar already. Just be a client when I need you.
I knew I would get downvoted. But folks seriously don’t remember the pain before Zoom. And the current pain anytime we have to use a GoToMeeting, Google Meet, Webex or other tool that barely functions.
Human interaction that actually works right now is so important. And I simply have a hard time trusting another product to actually do the call reliably
Google Meet is the only one of these that has always worked reliably for me. Doesn't require any strange clients, works in most browsers, never randomly fails to move just some person's audio and so on.
Disclaimer: I work for Alphabet, but already held this opinion before I did.
We use Google Meet and it struggles to keep up with meetings with more than 10 people. It seems that the common hack is to ask each attendee to disable their camera. On the plus side, it is the only one that reliably works from a browser only.
I couldn't get it to work in Firefox ESR on Debian 10, and audio was consistently choppy for me in Chromium 80 after I went through their forced account creation process. Zoom wouldn't use my camera either in Chromium :c
Jitsi and Google Meet worked by following a link and clicking one popup. Much easier UX
Same here - often it'll tell me I'm waiting for other people to show up but the other people will never see I'm there. It works somewhat better with Chrome but I loathe having that installed on my Mac. Rarely I do have to do so, but am forced to spend time removing its tendrils afterward (it's not just deleting the app!).
Almost all problems on video conferences are on the user's end. What Zoom excel at is to mitigate most of those user issues by trying to figure out all the corner cases that the user might be in.
Yeah, probably. But what should I do about it. It’s unusable for me. Doesn’t work with Chrome, doesn’t work with Firefox. Zoom works for me every single time.
Edit: Maybe if I could receive some support from Google to find out what my problem is, I’d be able to fix it. But that ain’t going to happen.
I gave up on Google Meet/Hangouts/Whatever. When chatting with Googlers, it is really nice. But their products available to me as a non-Google employee suck and change quite a bit. Just trying to debug issues with participants was frustrating as it would vary based on how they clicked the link, what they had running, etc.
I wish Google would just provide the internal tool and sell that. It’s the opposite of dogfooding their product. They eat the good stuff and produce a lesser product for their customers.
When I tried it years ago, the GSuite version could not dial out to an external phone number to join them in. Is this now available to gsuite users?
I tried looking up the features on the Wikipedia page [0] and didn’t see a really comprehensive list. I reviewed Wikipedia because when I searched for google meet, Google’s top result (that seems like their product page) [1] just had an “open” button that linked out to the App Store to install “Hangouts Meet by Google.”
It's missing too many features to be usable. No remote control. The speaker detection is terrible. Audio quality is bad. We only use it because we are cheap and it comes free.
only skype worked for us meeting group to group over single feed and open speakers, skype seems to work well doing audio google meet hasn't fixed it for ever. personal audio on most works for me, unless you have like less than 2-3megabit for video.
100% agree but I'm tentatively hopeful that alternatives to Zoom have caught up. Zoom raised the bar and I have seen that other products have improved. Meet is decent right now and Jitsi (in my very limited testing so far) seem actually pretty great, possibly better than Zoom (they mix audio more smoothly when two people are talking over each other in a way that is less jarring, not sure but that's my current theory of why it "feels" better). Even historically awful alternatives like Webex really are honestly improved. Anyway, Zoom is getting outed as being a seriously a-hole company - there are definitely alternatives better than selling out just for convenience of not switching or even trying to find an alternative.
Yes. I find jitsi one-on-one audio call is better than zoom. Screenshare is equivalent to skype if you set the fps to 15. zoom is better for videos if it involves large number of users.
I'm surprised to hear that google meet doesn't work well for others. We've used it exclusively with all our clients for the past 5 years simply because it's integrated into google calendar, but we've never had any reliability problems with it. Most problems we have are based around people trying to figure out how to unmute their conference room mic.
Yep I’ve been working nearly 100% remote for five years and have several WebEx conferences every day and Zoom doesn’t perform any better or more reliably than WebEx.
Teams is awful. Skype is worse. WebEx is just fine. So is Zoom.
So has Google Meet and Hangouts. So was Skype, when I used it about 5 years ago.
Perhaps I'm just used to them as a remote worker, but they were never all that janky to begin with. Or, rather, more janky than the other tools available at the time.
Right. I've worked almost only remotely for several outfits over more than ten years although conveniently I am currently unemployed. I have used WebEx, Skype, Hangouts, Slack's built-in video conferencing, Zoom and I'm sure I'm forgetting others. If you have a sane setup all of these work fine.
I hadn't used Jitsi until this current situation meant friends wanted to "meet up" drunkenly on Friday evenings but it's the same.
The main obstacles are hardware. The cheapest correct working solution for a single individual participant is a headset and a webcam. Can you use lapel microphones, or (as two of my Youtube creator friends do for Friday evenings) sit in front of a huge professional microphone with filters? Yes, yes you can but that's not for most users. Can you plug a high-end SLR that's focused dead on you into a converter and stream that instead of a webcam? Yup, but again most people either don't own an SLR or don't want to set it up just so they can be a bit clearer and brighter when drunk.
And the thing about hardware is that we abstracted this away entirely. Zoom doesn't have different hardware support from Hangouts or Skype or any other tool.
"Which VC tool should we use for this meeting?" is a bike shed discussion at the best of times. Chances are good either you didn't need a video conference at all, or any of the tools would have been fine.
I'm baffled by the amount of people claiming zoom to be painless or working, even. Don't you know any linux users? Zoom is utterly broken beyond comprehension on any variant or flavour, even when `sudo`ing everything: installer, running, audio setup (pavucontrol) to try to figure out why it refuses to work, etc
I concur. I haven't tried Zoom on any other platform yet, but it has been 100% reliable on my Ubuntu machine. Nothing else even comes close. I've had hundreds of Zoom calls over the past 8 months, from 1:1s to all-hands with ~500 participants. Audio, cameras, screen sharing all worked every single time.
We have two Linux users (myself included) that it works great for. Better than pretty much every other video conferencing tool I've tried on Linux. I do use the flatpak installer so that dependencies aren't a problem.
Linux user here. I have tried them all and Zoom is not perfect but is multiple levels above any of the competitors. Don't even get me started with WebEx.
I share your pain using other products, I really do. I'm stuck with Skype for Business and Webex. However Zoom's attitude to security is unacceptable, and therefore I will not accept it. Full Stop. Every now and then I'm on a company call that, if made public, could do serious harm to the company. My children do video calls with their friends from their bedrooms without adult supervision. In neither of those scenarios am I willing to trust Zoom right now.
I have to agree. I deal with vendors a lot, so I've used a bunch of different ones: GoToMeeting, BlueJeans, WebEx, Skype. And the experience of using those ones is painful. Zoom is a joy to use. It's not perfect, and I have my complaints (when I'm sharing a screen why can't I make the gallery view large so I can see everybody on a second screen??) but it has been rock solid.
I just switched to GoToMeeting and they have improved significantly since the last time I used them (before Zoom). New interface, transcription, unlimited recorded meetings in the cloud, great audio so far, I’m happy.
I've only used Zoom in recent times and while it has seemed fairly solid, I also can't say I've noticed any major differences from Google Meet.
We use it internally at Xero, more than ever currently with working from home, and it's been solid from what I've experienced.
Given we also use Google Calendar, joining a meeting is pretty straight forward, as a Meet link is populated in each event, and shows up on the home screen for meet.google.com
Usually the only mic issues that occur are people using their own headsets with audio gain set too high or flaky bluetooth connections
Running in Firefox, it works great for the most part although sadly it breaks every few months. It'll tend to drop me from the lobby a few seconds in with "Network Error" or something along those lines. I would get frustrated but given it's a work tool, a few days to a week using Chrome (just for calls) and Firefox is back in action again.
We also conduct our postmortems via Google Meet and it generally seems to support 50+ person calls fairly well. That said, we use Hangouts Streaming for All Hands type of stuff so I couldn't speak on performance with hundreds of users at once
Purely anecdotal but my coworker has an older HP laptop (specs are still a respectable 8GB ram, presumably quad core CPU) and finds that he can't be on a Google Meet call while also doing development as his fans will flare up too much.
I would actually quite appreciate a Google Meet desktop app (that's not electron) but I guess the premium userbase tend to have enough specs to throw at web-based products
Oh yeah, I do appreciate that Zoom presumably doesn't require any fancy logins because running Google Meet on a phone requires a device policy in order to connect to a call.
I can either install it on my device plainly (requiring a pin to login going forward vs say, a fingerprint) or I could install it in a work profile. The latter is cleaner but then I have an entire second set of apps just to join a call on my phone once in a blue moon :(
At least you can dial into meetings but I find the audio is kinda wonky at times.
Having said all this, I can respect the product but I'm always happy for a non-Google entity to win in any given space ;)
Zoom just showcased this back to back to back to back in a few weeks time). They played tricks with the words. "we wrote ABC but what we really meant is XYZ" is a shitty response to any type of audit/scrutiny.
This is a public company. They have an Internal Audit. What the hell have these guys been auditing in security audits??? The color of the background????
As someone who demos software frequently, GoToMeeting is the only one that ever held a candle to Zoom for me. Webex does weird shit to screen shares on Windows, and don't even get me started on Teams/Skype. The rest are pretty obviously not designed to be used for screensharing.
I loved BlueJeans but I don't think they have a free option either.
It was really nice to just send a URL to someone and then have them pop into a BlueJeans meeting without a pre-installed client.
We have this or skype for b as approved. 10% of all meetings in skype bugs out and at least one person can not hear the rest or gets kicked out or can not see the others in the meeting. Or someone is presenting and a mandatory update is being rolled out and computer restarts but this is more related to the OS.
Zoom just works and you hear each other so much better. Stable and working. Let's hope all these new features make it more secure.
"The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China."
Zoom said that their meeting data is no longer routed through China's servers. That's not what citizenlab's complaint was, and also not what the original poster stated.
>There is the thing that all Zoom keys are kept and maintained in China
Their complaint was about zoom's encryption key generation and distribution practices. The post you linked has nothing about the key distribution scheme zoom needs to implement so they actually have end-to-end encryption.
Without proper encryption, it doesn't matter if all participants in a meeting only connect to zoom servers since you don't know what zoom could be doing inside their network. Are they actually routing data without any storage, or are they storing the data and sending a stream out the back door to interested parties? But with true end-to-end encryption, it doesn't matter what zoom does with the meeting data since only the participants can decrypt it.
Not to mention that for a sufficiently interested actor, they don't need to access zoom's network to intercept a copy of a meeting as it makes its way through the internet to a zoom server. End-to-end encryption also ensures they only get junk.
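The two key-distribution models contrasted in the comment above, as an added example that is not part of the original thread and not Zoom's actual protocol: a service-generated AES-128 meeting key versus a key the participants agree on themselves, plus the fingerprint check that makes the second model trustworthy. GCM mode, X25519 with HKDF, the packet layout and every function name are assumptions of this sketch.

```javascript
const crypto = require('crypto');

// AES-128-GCM packet helpers. The key size follows the quoted report;
// GCM mode and the packet layout are assumptions of this example.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, pkt) {
  try {
    const d = crypto.createDecipheriv('aes-128-gcm', key, pkt.iv);
    d.setAuthTag(pkt.tag);
    return Buffer.concat([d.update(pkt.ct), d.final()]).toString('utf8');
  } catch (e) {
    return null; // wrong key: the authentication tag does not verify
  }
}

// Model 1: the service generates the meeting key and hands it to everyone.
// Whoever holds the service's copy can decrypt any captured packet.
function serverKeyedMeeting(text) {
  const service = { meetingKey: crypto.randomBytes(16), relayed: [] };
  const aliceKey = service.meetingKey; // delivered over TLS in practice
  const bobKey = service.meetingKey;
  service.relayed.push(seal(aliceKey, text));
  return {
    bobReads: open(bobKey, service.relayed[0]),
    serviceReads: open(service.meetingKey, service.relayed[0]),
  };
}

// Short fingerprint of a public key, for comparison over another channel.
function fingerprint(pubDer) {
  return crypto.createHash('sha256').update(pubDer).digest('hex').slice(0, 16);
}

// X25519 agreement followed by HKDF down to a 16-byte AES-128 key.
function deriveKey(myPrivate, peerPubDer) {
  const peer = crypto.createPublicKey({ key: peerPubDer, format: 'der', type: 'spki' });
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peer });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'meeting-media', 16));
}

// Model 2: participants agree on the key; the service only relays public keys
// and ciphertext. relaySubstitutesKeys models a relay that hands out its own
// public key instead, which the fingerprint comparison exposes.
function endToEndMeeting(text, relaySubstitutesKeys = false) {
  const exportPub = (kp) => kp.publicKey.export({ type: 'spki', format: 'der' });
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const service = crypto.generateKeyPairSync('x25519');

  // What each side receives from the relay as "the peer's public key".
  const aliceSeesBob = relaySubstitutesKeys ? exportPub(service) : exportPub(bob);
  const bobSeesAlice = relaySubstitutesKeys ? exportPub(service) : exportPub(alice);

  const aliceKey = deriveKey(alice.privateKey, aliceSeesBob);
  const bobKey = deriveKey(bob.privateKey, bobSeesAlice);
  const pkt = seal(aliceKey, text);

  // The best key the service can compute from what passed through it.
  const serviceKey = deriveKey(service.privateKey, exportPub(alice));
  return {
    bobReads: open(bobKey, pkt),
    serviceReads: open(serviceKey, pkt),
    fingerprintsMatch:
      fingerprint(aliceSeesBob) === fingerprint(exportPub(bob)) &&
      fingerprint(bobSeesAlice) === fingerprint(exportPub(alice)),
  };
}
```

With an honest relay the service gets `null` from every packet; when the fingerprints do not match, the exchange is not end-to-end and the call should not be trusted.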
I actually have no idea what argument you're making.
OP: all Zoom keys are kept and maintained in China
me: got a source for that claim?
you: quote citizen lab, sometimes zoom keys are sent to china
me: i didn't ask if keys were sometimes sent to china and that's not what OP said
you: not what the original poster stated.
this is where you lost me
> But with true end-to-end encryption, it doesn't matter
i never said it mattered. i don't care if zoom is e2e encrypted or not, which is why i didn't bring it up.
> Not to mention that for a sufficiently interested actor, they don't need to access zoom's network
people get away with this internet boogeyman argument because it's technically true, but what percentage of internet traffic inside the continental US is actually being monitored and exfiltrated to APTs? compromises happen internally. i can't remember any stories of a data breach occurring with data in transit, as opposed to data at rest.
> During a test of a Zoom meeting with two users, one in the United States and one in Canada, we found that the AES-128 key for conference encryption and decryption was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, 52.81.151.250. A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers.
We need more details about this, ideally from Zoom, as this is not really a lot of detail, and includes a lot of "apparently", "we suspect", etc.
It’s not so much what you store, but what someone listening in on might be storing, or learning.
A number of our hospital customers were diving in head first with Zoom, but are now backing off. I am curious to hear if there is any legal fallout from any of this.
If my livelihood depends on interacting with people, I need a super compelling reason to switch. Not to mention considering whether the hassle of using/maintaining Jitsi myself is worth billable rate doing work I’m actually interested in
Well, I was also instructed by my company to uninstall Zoom clients. And Zoom deliberately make the "use the web version" as obnoxiously difficult to use as their native client is easy. (Why would that be, I wonder? Hmm...) Is "I need to talk to someone at one of the dozens of companies that have forbidden Zoom" a good reason to switch to Jitsi, which is 1) open source 2) entirely browser-based 3) runs anywhere Chrome runs without any extra plugins / installation?
Jitsi hasn't been great for my team. Our company switched to Whereby and it is worlds better than jitsi/zoom and whatever else. Only thing I'm not sure about is sharing on-screen audio.
My experience: On one computer it froze Firefox. On another computer it crashed Firefox. On my phone (Jitsi Meet via F-Droid): I once had a big meeting where it seemed like only call-in users could hear me, another time during a rather large meeting the application crashed, and recently I had a successful conference with 4 people.
The phone application had a few updates between the failures and the success, so perhaps everything's sorted out. I also need to give the desktop native application a try.
I'm rooting for them, I really hope we get a viable free software option. But we should be honest about the state of things right now.
Not the person you asked, but I personally really dislike Jitsi for the following reasons:
* We run into so many issues screen sharing, usually it's just that the person's screen doesn't show up, but it's also often way too compressed to read
* Even just 1 on 1 it makes my laptop cry, with 5 or 6 people in a conference I have to minimize the application or I cannot use my laptop at all because of the CPU load, and at 12+ people even with the application minimized it was maxing out my 2017 Macbook Pro CPU
* For comparison, I recently was in a 230 person Zoom conference, laptop hardly noticed
* I often have audio issues and it requires restarting the application or chrome before it fixes itself
* Really the performance of it is the biggest reason I hate it, we tried having a "lounge" where people join it and just chill while working, but we stopped because once a few of us got on it our computers just became unusable
I've got probably about a half dozen data points with each, and they seem about the same to me -- my laptop (2018 Macbook Pro) heated up about the same for the 12-node Zoom conference as the 12-node Jitsi conference (neither so badly that it affected the rest of the system or made me worry about anything); people seem to have about the same rate of technical issues / bandwidth issues.
I have to reboot if I want my laptop back after a Jitsi meeting. It sends the Windows audio driver into a resource-consuming tailspin from which it does not recover. In all fairness I've had issues with the audio driver before on this laptop but that's the only application that has this particular effect.
If you avoid Firefox and stick to either Chrome or the unofficial (but perfectly working) Electron app I've had zero issues. Using the free service (not a self hosted instance) I've had several calls with 10-20 (all video) people and not a single hiccup.
If you are using Firefox you will encounter issues.
Same in my org. Employees cannot set up Zoom meetings but can join meetings set by others from outside the org but only via browser. Zoom apps are banned and all installed apps in managed devices will be removed by IT.
This might explain why the people around me don't understand why it's so popular. None of us is reckless enough to install their application, so all we've seen is the web version.
It would be wonderful. I don't want to be a Zoom hater, but they give me no choice. I'm uninstalling it now in hopes that next time I need to join a Zoom, the web experience will be improved.
Zoom's issues are fixable... unlike a hardware defect like the MacBook Pro keyboard and the iPhone antenna that didn't work well... Zoom is clearly better than the alternatives and has my 80 year old uncle talking about it. This too shall pass.
I uninstalled zoom and refused to use it after they did that skanky "start up a local webserver to avoid Safari's user-safety questions". Then everyone was using Zoom, so I gave them another chance and installed the native client. Turns out the native client install also contains skanky hacks to avoid user-safety questions. So I uninstalled it again, and now my company has told us all not to use the native app.
Once may have been an honest mistake. Twice (and now more) is definitely a culture problem that's not going to be fixed without massive turnover.
I don’t understand why people are so eager to trust this company with sensitive business information. They’re totally untrustworthy after what they’ve done. It doesn’t matter what they pretend they’re fixing. Their word is worthless. What is it with you people blindly believing whatever garbage comes out of these companies?
I work at a large corp, our own in house video conf went down for a few hours. Our backup conference system also tied to same system of course went down. Rather than postpone meetings we took them on zoom. It just works and I hope they get over this security issue and start ramping up their feature set.
Is it not common for companies to control what apps are installed on corporate computers, and where company data is stored (cloud providers, etc)? I get the whole Zoom backlash, but this is taking a specific instance of company and app and harvesting clicks.
I'm seeing references to Zoom "getting over these security issues". Some of the issues (e.g. not requiring passwords) can be relatively easily addressed. Others, like transmitting symmetric encryption keys over the wire and storing them in databases in China, are more fundamental to Zoom's corporate strategy. I doubt Zoom would change the most jarring of their security gaffes in a way that would satisfy security-focused companies like Google.
It doesn’t matter what your personal threat model is: these videoconferencing apps have become de facto critical infrastructure for many countries almost overnight with no scrutiny and a joke security posture, because the IRL channels they replace are unavailable. This has dire implications for all of us, both in terms of espionage and the potential for massive disruption.
Threat modelling is fine for your home security, but it is now dangerously anachronistic when evaluating anything connected to the internet. One solution would be to at least educate people about the need for a security mindset on a massive scale, or at worst craft some laws to force it.
I’m sure there are many people who would accept the risks of drink driving: we don’t let them.
I used it at work, 3+ times a day for about a year. It worked well most of the time, but it had interesting ways to fail when it didn't like the connection quality. The macOS app sometimes decided to stop connecting to any meeting. It got so bad at times that I had to force quit the app after every single meeting, because it didn't listen to regular closing.
It got so bad we added a bluejeans on fire emoji on slack to announce our problems. That said, I've not used it for a year, so some of those issues might be fixed: Software doesn't sit still.
Has been our official work one for nearly 7 years. Works, and has H.323, SIP, phone, WebRTC. That said, it's very simple, with just about minimal features.
Use it. It's "OK." It's integrated with room systems. Use primetime for bigger broadcast-style meetings. However, I've switched to Google Meet for when I set up meetings, in part because it's better integrated with Google Calendar so it's just easier (fewer steps).
I'm not sure one is necessarily better than the other once you're in the call but I prefer Meet for the Calendar integration.
Did not work on ubuntu the last time I tried it, roughly 6 months ago. Same goes for zoom, but different problems (bluejeans segfaults, zoom only starts with sudo but no audio after upgrading lts)
From a usability perspective, it worked decently for me for about a week, then stopped working (dying upon opening) for about a week. Now it seems to work again. This is on the Linux (X11) client.
I just wish Slack didn't use so much firepower on my machine, it seems to make my Macbook pro 2015's fan go wild and the CPU to spike, and it seems to "rot" over time, and get worse.
I put together instructions for creating an install-free dock icon for Zoom. Nothing ground breaking here, I just combined several sets of instructions I found useful.
All of our meetings at Google are using GVC (aka Google Meet from gSuites), and while there are people who have reported problems (mostly in low bandwidth situations and/or using Firefox), my experience is that it is quite reliable. I've had video conferences from my Dad's Senior Center (obviously, pre-COVID-19) using a MiFi box, and there things were more reliable if I turned off my camera, but other than that, I've personally never had any problems using Google Meet from either a Linux box running ChromeOS, or a Chromebook. In fact, I've never had to worry about attending meetings remotely so much that I really can't speak to the reports of people complaining about Google Meet being unreliable.
Can someone with more experience using Jitsi comment on benefits/limitations for use at work? We typically have 2-5 people on calls but occasionally up to 20. I tried it a bit with 1-1 calls and it was pretty great but I'm assuming there are some limitations vs Zoom to be aware of.
At work, our team of 4 has been using it for several weeks too, and it's been just fine.
Our church group has been using it with 12-ish participants once a week for several weeks now. There are individuals who consistently have problems, but since it's always the same people, I tend to think they'd have similar issues with Zoom. (Zoom meetings with different sets of people have had similar sorts of issues.)
People are saying that Firefox "technically works" but that due to limitations in the spec, one person in your conference using FF causes everyone else's cpu to go through the roof. (Can't speak authoritatively on that, but FF is labeled as not fully supported.)
Fundamentally, I think it probably comes down to the business model. The company that runs meet.jit.si, 8x8, doesn't make money on that service; they make money selling some large integrated business solution. Running the free service seems to be less of a loss leader than a massive pool of beta testers. So they aren't pushing it as hard as Zoom, where (at least originally) the free version was limited to 40 minutes to directly up-sell you to the paid version.
Two other things about Zoom:
1. Easy to get the client installed, and once it's installed, it's easy to use. Of course, they consistently do that by working around the protections your OS has in place by dodgy methods.
2. It seems to work well in China. Not sure how Jitsi fares in that respect.
EDIT: Some cool things about Jitsi:
1. NO INSTALL AT ALL for desktops. People just click the link and bam, you're in a meeting.
2. Rooms are created when a URL is visited. So if you want to split into two groups, half of you can just add "2" to the URL, and bam -- group is split in two. Ready to join back together? Delete the '2' and you're back together again.
Anyway, all that to say -- I think Jitsi is definitely worth a try. Tell people to use something Chromium-based until they've fixed the issue with FF (I use Brave) and give it a shot.
1. We used google meet a lot, but it's very CPU intense and also does not run in Safari so I have to start Chrome to run it
2. It's a better UI and Video Conf experience, hands down.
I realize that it has issues but nothing truly major as far as I can see.
A question: I have avoided installing the native macOS Zoom client, but I use the iOS native app on my iPhone. Does the iOS app have the same vulnerabilities as the macOS native app? I searched in these comments for ‘iOS’ to see if someone already discussed this. Thanks.
Is there any technical merit to this ban? Why would forcing use of web version mitigate any concerns? (The concerns I have heard are lack of proper end-to-end encryption, servers in China and the possibility to join chatrooms by guessing a name (zoom-bombing)).
Seems perfectly sensible to ban all software that is not pre-approved by IT, InfoSec and Legal.
You can't safely assume all your employees are properly assessing the risks unless that is their actual job. If you only allow what you know then you can reason about your risk.
I'll be absolutely stunned if people are really having to raise JIRA tickets instead of typing "brew install" but my information is secondhand so what do I know.
Our laptops are configuration managed, force upgraded, and surveilled, but we all have root and IT has never stood in the way of "power user" behavior. The extent of the frustration in engineering is that their management processes sometimes eat CPU. My understanding is that most of the Valley is like this.
https://github.com/google/santa is used to whitelist binaries on Macs, but you can fill out a form to instantly opt out. One of the options for why is "I use a package manager".
Installing third-party software on corp devices is generally a no-go at a lot of workplaces. With the security problems that Zoom has been having, it's only prudent of IT to ban its use on work devices.
> Why would forcing use of web version mitigate any concerns?
Because the web version runs in a browser sandbox, so there's a reduced risk of it compromising the security of the corp device.
> The concerns I have heard are lack of proper end-to-end encryption, servers in China and the possibility to join chatrooms by guessing a name (zoom-bombing)).
Googlers don't use Zoom for work, they use it for personal stuff, so that's not the problem.
From the perspective of a generic IT department: Even if there aren't any security problems with having the client installed on your workstation - the problem is that when they've made so many amateurish security mistakes, it's difficult for IT to trust the binary blob that Zoom wants you to install on your computer.
Corporate device security is a series of safety-versus-efficiency tradeoffs, made with incomplete information. Banning Zoom does not really compromise efficiency, if you aren't using it for work stuff.
The code execution vulns for both OSX and Win10 probably. In Windows clicking a UNC path link would pass hashes. I believe for OSX there was an installer trick that allowed any code to run if triggered.
But those vulnerabilities were there, at least on OSX, because they were trying to avoid OSX's security warnings. And this is not the first time they've done something skanky like that.
Once may have been an honest mistake; 2+ times is now a pattern.
"For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS."
Apparently the web version doesn't use their homegrown encryption scheme.
Using Zoom or any other videoconferencing app that might retain data for an internal meeting is presumably banned regardless, and unnecessary given that Google Meet exists. But some employees might need to use it to videoconference with customers and partners, and some employees might be using it for personal calls on their work laptop. Banning the native app of a company that is clearly 100% shady 100% of the time seems wise.
If the tech community can't prioritize security over features, it's pretty rich for same community to declare that the "average joe" doesn't care about security.
The same "tech community" that's been drinking the "move fast and break things" and "be disruptive in your market segment" koolaid for 15-20 years? Unsurprised.
I was a bit unclear in my original post. I meant this tech community here.. lots of "don't make me use something else" posts in a community of people who ostensibly are tech oriented.
But your point stands either way. I'm just surprised at the pass being given to Zoom given the blitheness of their gaffes.
Why is Zoom making so many silly mistakes? They should take advantage of this situation; instead they are blowing up. Every time they apologize or make a statement, trust has been lost.
What's surprising to me is that it was allowed before. They have had their own videochat solution for years, so I would expect the usual "eat your own dogfood" approach.
Anyone remember Google Allo? I think it had video? If they made it a discord kind of thing it might have worked but instead they chose to compete with their own products.
Allo didn't have video, that was Duo's job. Hangouts Chat is their Slack/Discord competitor, and Hangouts Classic is the version that everyone has in Gmail. Hangouts Meet is their Zoom competitor. Both Hangouts Classic and Meet can video call, I believe. Chat piggybacks off of Meet. Hangouts Chat and Classic are named the same but are two different products.
Right but it's also astonishing that was allowed before. If it's not needed for work why would it be installed? Why would any non-work software be allowed on corp laptops?
Because unlike most large workplaces that inhibit innovation and productivity and infantilize staff with an “anything not specifically permitted is prohibited” rule which also creates continuous work for a review and approval bureaucracy and guarantees that toolsets are outdated and improvements difficult to discover, Google apparently has an “everything not specifically prohibited is allowed” policy.
There's a third "use at your own risk" option between the two extremes. Sure, install your favorite terminal emulator, but if it steals your production credentials you may get fired...
Because then you don't impede people who might need a new widget installed because everyone and their mother in IT needs to try it and test it before you can use it.
Especially at Google scale, where the BeyondCorp system described in their papers could automatically see when an endpoint was doing something naughty, block the user from accessing corporate resources, and give the user information on how to fix it, instead of blocking them from installing anything (even if what they want is perfectly harmless).
Google allows personal software to be installed in a corp laptop, subject to restrictions and limitations like this. It's not encouraged, though, and if something happens because you installed a third party software then it's your responsibility.
Google has always had the company culture of not infantilizing their employees and broadly trusting them to do the right thing. This reflects in many many policies and general 'culture'. You can install software on the laptop as long as you have the right license for it, and there are centralized tools to check for potentially dangerous binaries and things like that.
With videoconferencing you aren't always in control of it, especially if you interface with other companies. I have webex, zoom, bluejeans, teams, and skype4business on my laptop because I am a consultant and have to use whatever my client is using.
There's also that zoom free tier creating a 'Shadow IT' situation. Slack used this to great effect and everybody on HN was very impressed. It should be no surprise that Zoom is finding its way onto random employee laptops, that is something tech firms are trying to do on purpose now.
Generally you can install anything, but the responsibility is on you though. It's not uncommon to see people with Steam, Spotify or other personal software too.
Because sometimes there are contractors, or consultants, or vendors, or partners you work with that for one reason or another can't use internal options.
Really? I've started using it more and more recently and it seems pretty good. Dependent on good Internet connectivity like anything else but otherwise it seems straightforward and streamlined--which IMO describes Gsuite in general.
The screensharing is truly atrocious. Any window over, say, 1280x720 looks like total garbage on the other end. Aliased to hell, unreadable text, "ghosts" when you scroll.
Some employees had it installed on corp devices, maybe to connect with their friends and families. Google has banned even installing that app on corp devices. Nobody used it for corp work.
It's surprisingly common for people not to own a non-work computer other than a phone/tablet, especially now that prevalence of desktop computers is declining. Some people do still have a home desktop, or a separate personal laptop, but a lot of people I know don't. Or they might have one but it's a shared family computer that's mostly used by the kids, while parents use their work laptops.
This is correct. When all this Corona thing started, we put the entire office on remote. Before we did it, we had to assess who's got what at home. In my department it was about 20% without a laptop/PC. In others it was similar. We simply gave the company's PC to take home and called it a day. It's a small company, so obviously things are simpler here.
It's something I would strongly recommend against, since it gives your employer easy access to monitor you, and if for some reason your employer winds up in court, everything you used the machine for could end up read into the record.
Eh. Depends on how much control the company has over devices being used for work. I have a number of different computers--including a company-issued laptop that I use as a Linux system. But I mostly use a personal MacBook for both personal and work use. I travel a lot (normally) and really wouldn't want to have to travel with a laptop that was strictly for work use.
It's frustrating because Google Hangouts used to be great, and then Google purposefully started cannibalizing their own platform.
I really want to know what goes on within Product Management at Google, because looking from the outside in I cannot imagine anything other than sheer incompetence.
The rumors from inside Google are that there's no way to get credit/be rewarded as an employee simply for maintaining an existing solution, or even for fixing obvious breakage. Every incentive is tilted towards starting new projects, often multiple projects in the same domain directly competing with one another. There are some positives to this of course, but clearly it's being overdone.
But still... As a prod manager, you aren't coming up with new projects every week, your entire job is to ensure the roadmap is decent and not taking the product into the graveyard. The company has so many people and yet can't produce a single product with a decent UX.
I worked at Google 2006-2010, and from where I sat, Google's biggest problems were (1) rapid erosion of corporate culture over that time frame and (2) weak project management.
A friend was managing a project on a shoestring budget. Upper management (C-suite) had reviewed the idea and green-lit it. He had been told Larry and Sergey in particular had voiced support. He got it done ahead of schedule and under budget by managing a stream of off-cycle interns. The week it was scheduled to go live, someone in middle management killed it. My friend and his team got zero credit for a job very well done, a big setback for him. He and I were working on an internal tool for datacenter management as a 20% project when I left. I asked him about it later, and our 20% project met a similar fate: enthusiastic support from management, including giving us some resources, all the way through completion, followed by cancellation shortly after completion. My friend left less than a year later.
Another friend started a modest improvement to chat as a 20% project, which later got expanded to a full-time project for several engineers. I forget the external name, but the internal code name was "Taco Town" after the SNL skit. Walkabout / Wave was a skunkworks project that used its separate repository, which was very rare at Google. People knew something mysterious was going on down in Australia, but we really had no idea what it was, other than the Google Maps guys were running it and it was named "Walkabout". When Walkabout / Wave came out of skunkworks mode shortly before external launch, the Taco Town team realized they needed to launch very soon or their project would never launch because its functionality was subsumed by Walkabout / Wave. Taco Town rushed its launch, was a bit buggy and had some scalability issues that they knew about, but expected to be able to improve shortly after launch. I think Taco Town's botched launch a few weeks before Walkabout/Wave contributed to initial confusion around Wave and some of Taco Town's problems colored perceptions of Wave's launch.
Shortly after I left, Google publicly announced they'd be putting "more wood behind fewer arrows", which was a step in the right direction.
I get it that management doesn't want to discourage engineers or stifle innovation, and they know they don't have a good handle on what will be successful and what won't, but keeping around zombie projects gives engineers false hope. The "throw mud at the wall and see what sticks" style of project management can be soul-crushing for talented junior people managing small projects, unless they're properly supported and really get proper credit for doing a very good job engineering something that fails for non-engineering reasons.
They've probably run into a similar issue to Apple whereby they've found their consumer-grade "phone Auntie Susan once a week" offerings don't stand up to the needs of everyone working remotely needing screen sharing, hot seating in and out all day long chats.
We're using MS Teams and it seems to be pretty great for us (team of about 15), we use Skype to contact the remaining 20ish more junior staff who don't need Teams licenses just to be able to keep in touch with their work and keep the face to face communication going.
> What's surprising to me is that it was allowed before.
> They have had their own videochat solution for years, so I would expect the usual "eat your own dogfood" approach.
If an engineer from Microsoft has to speak to an engineer from Google, and you think they should both be dog-fooding their own video application... how do you see that working? Just both dig their feet in and never talk to each other? Seems silly to me.
One or both are going to have to install a video application that isn't their own aren't they?
> If an engineer from Microsoft has to speak to an engineer from Google, and you think they should both be dog-fooding their own video application... how do you see that working?
They could use a telephone. (Yes, they still exist.)
Edit for response:
Neither Google nor Microsoft forbid their employees from using telephones, and neither would even consider it. The assumption that they'd dogfood their own video chat platforms is obviously not a supposition that they'd ban telephones. Your comment frames the matter as though a third party video chat service is the only pragmatic option. Video chat was a fringe concept not very long ago, considered mostly to be in the realm of science fiction. Even today, inter-company telephone meetings are still common. Tech-fetishists working in this industry often seem to lose sight of the obvious time-tested solutions that still work today. I think a lot of people are earnestly forgetting that telephones still exist.
Standard practice for Google SREs in any serious outage is to communicate via internally-hosted IRC, since it has a minimum amount of dependencies outside of itself.
I was once invited to the Google campus in Mountain View. The employee showing me around laughed in disbelief when I pulled out my Android phone to show her something. She said that she and all of her coworkers use iPhones.
Sure it mostly works. But when your livelihood depends on online videoconferencing the last 10% of reliability that Zoom provides is extremely important.
Agreed. This is my biggest complaint with it, the functionality is amazing but if you're on any sort of laptop the poor thing will melt halfway through a meeting.
I'm sure it depends on your internet, but I tried hangouts again recently and it was unusable, video mostly frozen and dropping or muddling most of the audio. Zoom was crystal clear, dropping some video frames every few minutes but audio was always good. I'm not sure what hangouts is doing differently, but it's night and day.
It's pretty bad. I tried it alongside Zoom and Zoom was waaay better quality. Plus if you need anything more than very basic features Hangouts isn't an option. Hell it doesn't even have a gallery view. Forget recording, auto-muting participants, etc.
Hangouts isn't bad at all. Dumb product decision to only be able to see 4 people at once tho. Probably biggest reason people are on Zoom and not Hangouts right now.
I don't like zoom either, but what exactly made them the HN punching bag of the month? Ad/surveillance giants like Google or FB are typically spoken of with notes of reverence and awe on here. Zoom gets lit-up for sending data to FB, but FB gets a pass? I don't know I just can't get into the mood. extinguishes torch in moat.
> Ad/surveillance giants like Google or FB are typically spoken of with notes of reverence and awe on here.
Uh. Are we reading different websites? This is the most vocally anti-everything-FAANG community I've seen on the Internet, since about 2017 or so. Except Apple, mostly.
And on the FB note, let's clear that up -- FB ships a mandatory phone-home analytics feature on their mobile SDKs used to enable the "sign in with facebook button". This sends your users' data over to their servers _even when_ those users do not use a Facebook social sign-on. Zoom removed that SDK within a day of finding out this was happening, yet it continues to be plastered around the web as if it's an ongoing data collection; meanwhile, crickets at the fact that half the apps on our phones have this Facebook spyware.
I interviewed at Google a while back for an SRE position working with the Hangouts team. My first interview was in another office and the audio in the Hangouts session would not start. We ended up having to move on to the next interview. I'm not surprised even Google employees don't use it.
There was a running joke (out of frustration, really) back when I was at Google (2013) that Hangouts was happily adding hundreds of new emoji, yet did not consider "reliable message delivery" to be a key feature.
Some of this is consumer vs. enterprise tension, though. Emoji demo really well on an initial product tour; reliability is one of those key features that's really hard to get people excited about, but which people hate to find lacking.
"Nearly a decade has passed since we built the first prototype. Face-to-face collaboration is ingrained in Google’s DNA now—more than 16,500 meetings rooms are VC-equipped at Google and our employees join Hangouts 240,000 times per day!"
Hangouts Meet actually works very well overall. I work at Google and almost never have problems with it.
Hangouts Chat, on the other hand...well okay, it seems reliable enough, doesn't have that problem that old Hangouts did. Comparing the UX to Discord just makes me sad though.
This has been my experience as well (with some relatively large Hangouts Meet meetings in a big G Suite org). Compared with old-fashioned Hangouts, Meet is pretty reliable.