1. Google's threat model may not be your threat model, and it definitely isn't the threat model of my daughter's school. A corporation like Google may be concerned about using native applications, written in unsafe languages, written by developers from other corporations in China. That said, Zoom isn't wrong for everyone.
2. Google is motivated to push their own solution for obvious reasons.
3. Tavis, or others, at Project Zero might know some things, maybe we'll find out.
Google's threat model surely differs in some way from a school, but the specific threats you named seem like threats equally applicable to the surfaces identifiable in the threat model of a school.
Google's threat model actually does include state-level attacks (and specifically by China) to steal IP or access confidential user data.
For those that use Zoom - consider spending at least a few minutes to make a mental threat model about Zoom. Who might go after you? What features does Zoom have that might be exploitable? What's the worst thing that can happen? The worst case for Google is not the same as the worst case for a professor or elementary school.
Maybe Zoom doesn't work for your use case - fine!
Maybe Zoom is good for your use case - fine!
Lots of people will be using it either way, so it's good to have Alex help lock it down.
- kicking out their colleagues
- muting the teacher
- posting memes in the chat room
It looks like you can't prevent them from muting/kicking out each other. There's a larger threat surface of mean pre-adolescents than of a hacker trying to steal their info.
But look at the whole threat model.
* Google's exposure is far greater than merely other languages
* Exposing profiles & activities of an entire generation of kids to a foreign adversarial surveillance govt is itself a serious threat, covered by other responses here
* This creates a massive increase in exposed surface area. E.g., consider a kid using the computer of a parent who happens to work at a sub-sub-contractor on a key defense project. Even if the key files are properly encrypted, just some little data points like the fact of their employment, network name, list of known WiFi routers cached, etc., now let the CCP fill out their model of attack vectors. There are a thousand other ways this can be used to gain an edge if you don't like that example.
The bottom line is like the precautionary principle - just because you or I can't figure out how to exploit something, doesn't mean that it can't be exploited.
Why use it at all? I honestly don't know what's available in this space, since I don't need to, but is there really no alternative?
If they're building a product that does shady things (e.g., macOS install nonsense) and is full of security holes (e.g., zoombombing) that's enough to tell me I don't want to use it and I don't want my son's school using it.
Google isn't alone here. Just another data point.
At best it's a product full of security holes. At worst deliberately designed to spy on people. I don't care who those people are. I care about the intent.
People in the real world care as much about Jitsi as about Bernie Sanders. HN and Reddit are bubbles that Joe Schmitz from MegaCorp Inc. does not know or care about ever despite some aspects being vastly better on the security side. UI/UX is Zoom's domain though and nothing comes close.
Try doing a Teams call with 30+ people.
A number of companies have rightfully banned Zoom's native apps, given how insecure they are. I had previously uninstalled it when the news about the secret web server they install came out. Google is still allowing use of the web app, but the web app bizarrely doesn't support Grid/Gallery View, which is the main reason my friends/family wanted to use it.
Hangouts Meet was optimized for work meetings where most people would be dialing in from high-bandwidth meeting rooms, not everyone individually dialing in from home, but hopefully now they've heard the loud feedback about the especial usefulness of Gallery View during quarantine times and will introduce the feature soon.
For now I'm using the Chrome extension that enables this feature client-side using JS/CSS, and staying tf away from Zoom. With how little I used Zoom before quarantine, I don't understand the adoration for it (I found its UI confusing and quality similar to other tools), and I haven't been able to find any benchmarks comparing its video quality for people on less good internet connections (my home network is pretty strong).
The UI is initially confusing, but so is the UI for every video chat app I've used. It seems to be the fad to have "clever" UI in video chat apps (controls that auto-hide, non-standard icons, low contrast, non-standard control placement (use the standard toolbar, Luke!), etc.).
On top of that, Zoom has always "just worked". The "just worked" thing is now resulting in security woes, but still. Start a meeting, send link. Done. Online works, dial-in works.
Contrast with Hangouts (dropped non-Chrome browser support for at least a year). To this day we have users that can't use Slack video for unknown reasons (App Store Slack doesn't work as well as Slack installer Slack or something). WebEx is some horror show that seems to constantly re-install itself for each meeting. You're lucky if you can get it going before the meeting is over.
Where most apps stop at video chat and maybe poor quality screen sharing, Zoom has a pretty deep enterprise feature set. Good webinar support, integration with SIP systems, SSO, recording, etc.
To give an example, they prioritize audio over anything else. Which makes sense because if you can't understand what the person is saying, you can't have a meeting. So they automatically downgrade or upgrade your video to try to keep latency decent on audio. Meet just has a manual setting where you can up or downgrade video or audio.
It's mostly equivalent to Zoom, from my experience. Grid view, screen sharing, recording, chat, file sharing, phone dial-in, calendar meetings, etc. If you follow a GTM invite link it downloads the app and runs it for you, so nobody needs to have the app previously installed.
It's also rock stable. I've had hundreds of meetings with GTM, and never had any audio/video issues, whereas Google Hangouts/Meet has always been really flaky.
WeChat now often pops up a notice when you try to use web.wechat.com that translates to "For your account safety you cannot use the web version, and you need to download a Windows or Mac client."
Safety my ass -- web is the safest. I know better than you about my safety, Tencent.
That is insane!
(Disclosure: I work for Google, speaking only for myself)
It uses shitty dark patterns that require two or three clicks and at one point, if I'm not mistaken, waiting for a link to appear after a delay.
In my most recent experience with it, it led to a zip file being automatically downloaded to my computer. This when I already had plenty of previous experience with the web app and was deliberately trying to reach the web page for a meeting for which I had been sent a URL.
Slack does similar things but isn't quite so aggressive about it.
I trust Zoom a lot more when it is running inside a Chrome sandbox than as a native app.
I haven't audited the files yet to see what technology they use (e.g. why is the web experience shit, but the Chrome App is OK), but I certainly trust Zoom a lot more in a sandbox.
It mainly sucks for when an employee (especially in sales) has a call with a client that uses Zoom and can't use Meet, because then you're forced to dial in, which just puts you at a disadvantage when everyone can see everyone's face except yours.
Edit: per comments, people can still use the browser version of Zoom, so doesn't seem that bad.
Before Google Docs existed, many employees used MS Office, and when Docs was being rolled out Googlers were incentivized to switch to Docs by being offered kudos, swag, etc. (i.e., the carrot, not the stick).
I did most of my doc writing in LyX before Google, though.
It's not just the money, it's also additional security vulns to defend.
Google is the fourth biggest public company in the world as measured by market cap.
A Microsoft 365 "E3" license is $20/user/month. They can afford it.
This restriction is entirely about eating your own dogfood.
Can't they just participate in a call from the browser? I thought Google only banned the application/app, not usage of the service altogether.
Jitsi and Google Meet seem to work in both browsers, without requiring me to log in.
And in truth, I usually don't want to see anyone else's face either. Aren't there companies that forbid looking at someone for more than five seconds? Well guess what, on a video call, they're staring at you for minutes on end.
> Employees who have been using Zoom [...] can continue to do so through a web browser or via mobile.
I have used about a dozen over the years in my role as a consultant, and Zoom has been by far the most reliable. I’m hopeful lots of good can come from the scrutiny, but please Zoom get your act together so I don’t have to use some other buggy thing that doesn’t actually work.
I have honestly lost track of the amount of software I've seen in the past 20 years that people insist they absolutely must continue to use despite its well documented gaping security flaws. Because it has a better UI or makes their life very slightly more convenient in some way.
Versions of Microsoft Office from the early 2000s where an entire operating system could be pwned simply by opening an Excel or Word file with malicious VBScript in it were good examples. JPG parsing buffer overflows. People continued to not only not patch it, but use it in its out-of-the-box configuration.
For reference, organizations that have now banned Zoom include Google, NYC public schools, SpaceX and NASA.
I think you've missed the point completely. It's not a question of convenient UI. It's the reliability of the video call. I've tried numerous video conferencing tools, and the differentiating factor is literally just whether or not the video quality is consistently good, whether the call is dropped or not, and whether the audio is audible.
The problem with Office and Zoom is that they are _the best_ at what they do right now. And that has a massive impact on what people are willing to give up to use it (money, privacy, risk, etc).
I hope Zoom gets their act together because their competitors, with way more time and resources, suck a lot more. I don't think it's because of the difference in security--maybe it's because competitors were focusing on Enterprise or because it wasn't their core business?
I think each of those companies that have banned it make sense, even if that means the average person should continue using it. Zoombombing elementary school children because of a misconfiguration (or just because of the media reports) isn't a great idea and the security concerns warrant the rest. I still don't see much of an issue for other business and most personal use.
This is one of the places where FOSS has a great role to play, vendor neutral infrastructure code. Any thing from one of the FAANG companies or even a startup is constantly going to have to find a way to create value for the company and inevitably that leads to data harvesting and sales.
What I have observed is that FOSS folks like to pick poor names for things which limits their ability to penetrate into the world of the non-computer geeks. Case in point, Jitsi. WTF? My parents are never going to remember what something named "Jitsi" does, ever. Call it "GNU Video Conferencing System (GVCS)" or just "Video Conferences" please.
I've been using WebEx in an enterprise/corporate environment for a couple of years intensively, and it "just works". I can download the desktop client, but I can also just run it in a browser.
Zoom always wants to install weird clients that violate policies and cause my corporate laptops to refuse or bork.
I recognize my experience may be a minority one, but I'm surprised, genuinely, at this perception that it's "the one video conferencing software" that works.
What people struggle to understand is that Zoom made it easy across ALL operating systems. While WebEx might "just work" on a subset of Windows and Mac hosts.
I use Linux as my day to day OS and WebEx is a nightmare (which sticks well to the stereotypical enterprise tool from Cisco).
- Overall webex UI is very slow/laggy, subjective - yes, but I think it'd be obvious to any regular person.
- It makes my self-view a tiny floating box (this drives me crazy, I want it to be the same size as the others).
- Gallery view doesn't work well, sometimes the speaker is duplicated in sharing content speaker view and again in gallery view.
- Audio switching doesn't work as well when putting AirPods on and taking them off.
- More video/audio failures than Zoom in general (enough to be annoying).
I'm not sure why Zoom is the only one that does Gallery view right - the others all seem to mess this interface up (maybe because they can't handle the traffic?)
And every so often by virtue of being open in the background, WebEx manages to somehow crash my BT headphones.
Other than that, no real complaints.
I also have a B2B micro-ISV, and chose Webex for that too, largely because it just works, but also because it's almost expected in corporate circles.
Human interaction that actually works right now is so important. And I simply have a hard time trusting another product to actually do the call reliably.
Disclaimer: I work for Alphabet, but already held this opinion before I did.
We use it internally at Xero, more than ever currently with working from home, and it's been solid from what I've experienced.
Given we also use Google Calendar, joining a meeting is pretty straightforward, as a Meet link is populated in each event, and shows up on the home screen for meet.google.com.
Usually the only mic issues that occur are people using their own headsets with audio gain set too high or flaky Bluetooth connections.
Running in Firefox, it works great for the most part although sadly it breaks every few months. It'll tend to drop me from the lobby a few seconds in with "Network Error" or something along those lines. I would get frustrated but given it's a work tool, a few days to a week using Chrome (just for calls) and Firefox is back in action again.
We also conduct our postmortems via Google Meet and it generally seems to support 50+ person calls fairly well. That said, we use Hangouts Streaming for All Hands type of stuff so I couldn't speak on performance with hundreds of users at once.
Purely anecdotal but my coworker has an older HP laptop (specs are still a respectable 8GB ram, presumably quad core CPU) and finds that he can't be on a Google Meet call while also doing development as his fans will flare up too much.
I would actually quite appreciate a Google Meet desktop app (that's not Electron) but I guess the premium userbase tend to have enough specs to throw at web-based products.
Oh yeah, I do appreciate that Zoom presumably doesn't require any fancy logins because running Google Meet on a phone requires a device policy in order to connect to a call.
I can either install it on my device plainly (requiring a pin to login going forward vs say, a fingerprint) or I could install it in a work profile. The latter is cleaner but then I have an entire second set of apps just to join a call on my phone once in a blue moon :(
At least you can dial into meetings but I find the audio is kinda wonky at times.
Having said all this, I can respect the product but I'm always happy for a non-Google entity to win in any given space ;)
These two remove from one another.
Zoom just showcased this back to back to back to back in a few weeks' time. They played tricks with the words. "We wrote ABC but what we really meant is XYZ" is a shitty response to any type of audit/scrutiny.
This is a public company. They have an Internal Audit. What the hell have these guys been auditing in security audits??? The color of the background????
We have this or Skype for Business as approved. 10% of all meetings in Skype bug out and at least one person cannot hear the rest or gets kicked out or cannot see the others in the meeting. Or someone is presenting and a mandatory update is being rolled out and the computer restarts, but this is more related to the OS.
Zoom just works and you hear each other so much better. Stable and working. Let's hope all these new features make it more secure.
Not that we save anything from Zoom that I need to be concerned about key storage for, but concerning nonetheless.
Once may have been an honest mistake. Twice (and now more) is definitely a culture problem that's not going to be fixed without massive turnover.
If the issues are ethical or political, they aren't ever going to get fixed.
Note, works best in Chrome (likely Chromium) based on what the docs say.
If this was a Microsoft/Google product it would be pilloried to death.
Threat modelling is fine for your home security, but it is now dangerously anachronistic when evaluating anything connected to the internet. One solution would be to at least educate people about the need for a security mindset on a massive scale, or at worst craft some laws to force it.
I’m sure there are many people who would accept the risks of drink driving: we don’t let them.
It got so bad we added a bluejeans on fire emoji on slack to announce our problems. That said, I've not used it for a year, so some of those issues might be fixed: Software doesn't sit still.
I'm not sure one is necessarily better than the other once you're in the call but I prefer Meet for the Calendar integration.
https://blog.joeldare.com/creating-an-install-free-dock-icon...
Zoom stopped the browser login from working for a few days, but it seems to be back working now.
I understand there are some business reasons here and there (MS wants people on Teams not Skype) but it doesn't matter.
'Basic Video' should be as common, robust and reliable as making a phone call.
Our church group has been using it with 12-ish participants once a week for several weeks now. There are individuals who consistently have problems, but since it's always the same people, I tend to think they'd have similar issues with Zoom. (Zoom meetings with different sets of people have had similar sorts of issues.)
People are saying that Firefox "technically works" but that due to limitations in the spec, one person in your conference using FF causes everyone else's cpu to go through the roof. (Can't speak authoritatively on that, but FF is labeled as not fully supported.)
Fundamentally, I think it probably comes down to the business model. The company that runs meet.jit.si, 8x8, doesn't make money on that service; they make money selling some large integrated business solution. Running the free service seems to be less of a loss leader than a massive pool of beta testers. So they aren't pushing it as hard as Zoom, where (at least originally) the free version was limited to 40 minutes to directly up-sell you to the paid version.
Two other things about Zoom:
1. Easy to get the client installed, and once it's installed, it's easy to use. Of course, they consistently do that by working around the protections your OS has in place by dodgy methods.
2. It seems to work well in China. Not sure how Jitsi fares in that respect.
EDIT: Some cool things about Jitsi:
1. NO INSTALL AT ALL for desktops. People just click the link and bam, you're in a meeting.
2. Rooms are created when a URL is visited. So if you want to split into two groups, half of you can just add "2" to the URL, and bam -- the group is split in two. Ready to join back together? Delete the "2" and you're back together again.
Anyway, all that to say -- I think Jitsi is definitely worth a try. Tell people to use something Chromium-based until they've fixed the issue with FF (I use Brave) and give it a shot.
1. We used Google Meet a lot, but it's very CPU intensive and also does not run in Safari, so I have to start Chrome to run it.
2. It's a better UI and video conference experience, hands down.
I realize that it has issues but nothing truly major as far as I can see.
You can't safely assume all your employees are properly assessing the risks unless that is their actual job. If you only allow what you know then you can reason about your risk.
Engineers aren’t clamoring to get into the kinds of companies where IT needs to pre-approve software for their workstations.
Installing third-party software on corp devices is generally a no-go at a lot of workplaces. With the security problems that Zoom has been having, it's only prudent of IT to ban its use on work devices.
> Why would forcing use of web version mitigate any concerns?
Because the web version runs in a browser sandbox, so there's a reduced risk of it compromising the security of the corp device.
> The concerns I have heard are lack of proper end-to-end encryption, servers in China and the possibility to join chatrooms by guessing a name (zoom-bombing)).
Googlers don't use Zoom for work, they use it for personal stuff, so that's not the problem.
From the perspective of a generic IT department: Even if there aren't any security problems with having the client installed on your workstation - the problem is that when they've made so many amateurish security mistakes, it's difficult for IT to trust the binary blob that Zoom wants you to install on your computer.
Corporate device security is a series of safety-versus-efficiency tradeoffs, made with incomplete information. Banning Zoom does not really compromise efficiency, if you aren't using it for work stuff.
https://www.cvedetails.com/vulnerability-list/vendor_id-2159...
There is nothing new/outstanding.
"For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS."
Apparently the web version doesn't use their homegrown encryption scheme.
But your point stands either way. I'm just surprised at the pass being given to Zoom given the blitheness of their gaffes.
I write like this because I am not sure what I can disclose.
With various levels of being merged or not.
It was banned as in it can no longer be installed on corp laptops.
I really want to know what goes on within Product Management at Google, because looking from the outside in I cannot imagine anything other than sheer incompetence.
We're using MS Teams and it seems to be pretty great for us (team of about 15), we use Skype to contact the remaining 20ish more junior staff who don't need Teams licenses just to be able to keep in touch with their work and keep the face to face communication going.
> They have had their own videochat solution for years, so I would expect the usual "eat your own dogfood" approach.
If an engineer from Microsoft has to speak to an engineer from Google, and you think they should both be dog-fooding their own video application... how do you see that working? Just both dig their feet in and never talk to each other? Seems silly to me.
One or both are going to have to install a video application that isn't their own aren't they?
They could use a telephone. (Yes, they still exist.)
Edit for response:
Neither Google nor Microsoft forbid their employees from using telephones, and neither would even consider it. The assumption that they'd dogfood their own video chat platforms is obviously not a supposition that they'd ban telephones. Your comment frames the matter as though a third party video chat service is the only pragmatic option. Video chat was a fringe concept not very long ago, considered mostly to be in the realm of science fiction. Even today, inter-company telephone meetings are still common. Tech-fetishists working in this industry often seem to lose sight of the obvious time-tested solutions that still work today. I think a lot of people are earnestly forgetting that telephones still exist.
That kinda applies to any modern client. H.323 and SIP are ok, but WebRTC is brutal.
Since finding this I find Hangouts Meet much more tolerable!
Uh. Are we reading different websites? This is the most vocally anti-everything-FAANG community I've seen on the Internet, since about 2017 or so. Except Apple, mostly.
lacker put it particularly nicely: https://news.ycombinator.com/item?id=22814338
Google, Facebook and others get criticism for exactly the same reasons
- your friends set up a Zoom happy hour
- current personal laptop is fubar or super old/unsupported
- you use work laptop, installing Zoom
As someone not in sales, I have never seen anyone try to use Zoom for actual work meetings.
Some of this is consumer vs. enterprise tension, though. Emoji demo really well on an initial product tour; reliability is one of those key features that's really hard to get people excited about, but which people hate to find lacking.
I wouldn't go that far - there's something like 250k hangout meetings per day at Google[0] and that was before Covid.
[0] https://www.blog.google/products/g-suite/how-google-went-all... (2017)
Hangouts Chat, on the other hand...well okay, it seems reliable enough, doesn't have that problem that old Hangouts did. Comparing the UX to Discord just makes me sad though.
Joking aside, this is a weak way to promote the fact they have a competing tool.