In the age of the coronavirus (COVID-19), not a day goes by without a mention of Zoom. The video conferencing tool is used by political parties, corporate offices, school districts, small businesses, and individuals who need to connect at work and study from home. We now finally have some numbers to quantify the leap: Zoom increased from 10 million active users per day to 200 million active users per day in three months.
Let us put these numbers in context. The daily active users of Skype grew by 70% from month to month. Microsoft Teams daily active users grew 110% in four months. Zoom's daily active users exploded by 1,900% in three months.
Such a drastic increase in usage is a great blessing for any company, let alone for a company like Zoom that has been public for less than a year. It also brings with it many technical obstacles and even more questions. This is common in the field: the more popular a service becomes, the more problems it has and the more attention it receives. The problems worsen when the climb is sharp.
Scale, Settings and Security
There are three categories of lessons here. The first is scale. Any company that grew 20x in 3 months would have problems. Case studies are written about how Zoom was able to adapt its infrastructure to astronomical requirements in weeks, and often probably days. The lesson here is that Zoom made the right investments early on and was able to do a phenomenal job of increasing its capacity.
The second is settings. There has been a lot of confusion about why Zoom works the way it does, how to avoid Zoom-bombing trolls, and what you can do to protect your privacy in general. For the K-1
The third is security. This should not be conflated with settings. While Zoom was not designed for consumer use, security researchers have identified numerous issues that cannot be changed with one setting. Zoom responded quickly, but a lot of damage has already been done. The lesson here is that you can never take security seriously too soon.
Zoom's entire business is making video calls easy to use. It is easy to make software user-friendly. It is difficult to make secure software easy to use.
In the past few weeks, Zoom has been the subject of too many security headlines to list. This week alone we saw:
This is not an exhaustive list for this week, but hopefully it explains why SpaceX banned Zoom and called it a day.
Zoom apologized for the number of outages and froze new feature development to focus on security and privacy. The company has done a lot to fix some of the issues, including:
- The Facebook SDK in its iOS client has been removed, and unnecessary device information is no longer captured from users.
- The attention tracking feature for participants has been permanently removed.
- Released fixes for two Mac problems.
- Released a fix for the Windows UNC link problem.
- The LinkedIn Sales Navigator app was permanently removed after unnecessary data was exposed.
It's great that Zoom didn't waste time discounting the claims and acted quickly instead. The company didn't really have a choice if it wanted to maintain its 20x larger user base. But the point is that there were so many problems in the first place. And the hits will keep coming.
Zoom is playing Whac-A-Mole. Just yesterday, the well-known security journalist Brian Krebs introduced an automated Zoom conference meeting finder, "zWarDial", that detects about 100 meetings per hour that are not password-protected. The link, date, time, organizer and topic of a Zoom meeting can then be extracted. Today we learned that a simple web search can uncover thousands of Zoom calls recorded in people's homes. Zoom has basic flaws that cannot be remedied with a lot of plasters.
Long Term Solutions
Eric Yuan, CEO of Zoom, announced today that all meetings will soon require password protection. Depending on the execution, this may affect participation in a Zoom meeting. Compared to browser-based video conferencing tools, the process already has an extra step because Zoom needs to be installed.
Yuan also says Zoom will double its bug bounty program. This is a smart move – bug bounty programs motivate individuals and hacker groups not only to find bugs that your security team has not recognized, but to properly disclose them. Otherwise, they tend to use them maliciously or sell them to parties who do so. Rewarding security researchers with bounties costs peanuts compared to paying for security snafus.
Most importantly, however, Yuan said that if he can't make Zoom the "most secure platform in the world" in the next few years, he'll consider open sourcing Zoom's code. It's a big deal and a big vote of confidence for the platform. It is much easier to find vulnerabilities if you have all the code right in front of you.
So why not open source now? After everything we've seen, I bet the Zoom code isn't ready yet. It is 20 times more difficult to add security and data protection afterwards than to build them in from the start.
ProBeat is a column in which Emil scolds everything that hits him this week.