Zoom is entirely banned at the two companies that are my day job, and probably 90% of partners. If you do any work adjacent to anything that's ITAR controlled you should also not be surprised to see the same policy from partner companies. This has been in place for quite some time since the initial security problem that was so egregiously bad apple had to resort to using the malware removal tool to remove zoom's binaries from Macos clients.
Entirely aside from their many past security holes which have been handled poorly , they have straight up lied about end to end crypto and what exact crypto it's using. That's before we get into the ownership of the company, its management and the location of most of the developers.
I use the zoom web client, never the desktop app. I prefer everything to be via the browser since it provides good sandboxing.
Up until we have good sandboxing mechanisms via OS's - it will be the browser for me.
I think we're a bit naive in the west and most often assume good faith from certain other business cultures. We're not used to companies that engage in calculated perfidy that have their sorry prepared long before you've discovered the problem. To put another way, "It's better to ask for forgiveness than to ask for permission", or to beat around the bush even more: I disagree with Hanlon's razor.
this was the case here too, but just yesterday got on a usaf hosted zoom that said 'gov' and hosted in CONUS so they seem to have some offering at least DoD is ok with now, appears to only be fedramp
I don't like it but Zoom is soooo much better than Webex when I'm doing remote desktop support (those are the only options we're allowed). With webex the lag is awful amd makes it difficult to type, especially in a terminal, and the interface takes up so much space around the screen being shared for useless crap.
I use the zoom web client, when I have to use zoom. It has fewer features, but I'm more comfortable running badly written software in an environment designed for hostile code.
Just change the /j/ in the url to /wc/, and insert /join after the meeting id.
The zoom web client has extremely buggy audio support. It regularly breaks in all of the browsers on my computer, and I end up listening to meetings only able to contribute via the text chat.
I've had this as well. I just refresh as soon as the audio and video comes up, and this seems to keep it stable for the remainder of the session. Otherwise, there's like a 60% I lose the ability to do anything.
Audio was stuttering for me as well up until at some point late last autumn / early winter when it suddenly started working quite fine to the point I could actually bear using it. On MacOS with Chrome.
Can we please edit the headline. This sounds disingenuous, a more appropriate headline would be something like "critical vulnerability in Zoom Video Calls that would have put millions of users at risk has been found".
I really wish there was a changelog for headlines. Too often I see a critique like this and I have to figure out if the comment is referring to the current headline or a previous version. And, if the headline has already unknowingly been 'corrected', it leaves me wasting time trying to figure it out within that framing.
And it shouldn't be the responsibility of the poster necessarily to quote it -- because there's no verifiability there.
> I really wish there was a changelog for headlines.
While we’re talking feature requests, I think each submission should offer an optional second weblink, reserved specifically for the “original” or “source” URL.
It bothers me when the link is changed after lots of comments reference the previous one.
good luck with that when was the last time something changed on HN? My belief which is nothing but an educated guess is that the latest addition was the anti-procrastinate switch.
Exactly. It would be nice if there was a little arrow (or other icon) next to the title of an article that simply showed the previous titles that article used -- much like previous gaming handles on Steam profiles; Simple yet effective.
a change log of everything the admins do would be nice, because they control a lot of the content that you and me see... they move threads to other posts, they hide posts... etc... they don't like to let nature take its course.
Seconded! Only a PR person would dream of saying that a 0 day exploit is a good thing. I expect that most HN readers just finds this hillarious, but still people read HN since it has a good standard. Saying that a 0 day exploit is a good thing goes against this needless to say.
Especially since they've faced serious accusations earlier on.
Well, as is previously mentioned, it's not _quite_ a 0-day, and finding it and responsibly disclosing it is a very good thing *compared to alternatives*. I do agree, though, that the tone is needlessly confusing, and it feels like PR over clarity.
>Only a PR person would dream of saying that a 0 day exploit is a good thing
Depends on your perspective. a 0-day is a very good thing if you are an advesary trying to get in. so maybe to the alphabet soup of groups CCP, FBI, NSA, etc, woohoo!!!
It's very clearly sarcasm and not a serious PR move, though I agree it makes the article confusing and hard to follow. Changing it to a different source link seems appropriate.
I don't really think a communication from Malwarebytes is the place for sarcastic comments. Lets say if you are working with a US government this could have enormous implications. I've talked to a lot of clients who ditched Zoom for Microsoft Teams due to their earlier mistakes.
Also I find it funny that the heading "Not patched yet" is solved by the headline "Security done right".
Lets say if you are working with a company that deals with say healthcare information a 0-day certainly doesn't make things safer and since it is not patched yet this is definitely not done right.
It's clear that it's not serious, but once you get the joke you then have to mentally transform every statement as you go along in order to get the base facts. That hurts clarity.
But I thought we call them "zero day" when they are already being abused. I didn't get from the article that this vulnerability has been discovered and abused by the baddies.
Thus it is NOT a "zero day" but a "critical vulnerability".
Agree, but instead of "that would have put" it should be "that could be putting", we don't know if there are people currently exploiting the vulnerability and without a patch very well could be happening now.
Right, isn't this not a Zero Day specifically because it's not known to be exploited out in the wild. How can it be, no one else knows what the vuln is. It is being reported as part of a bug bounty with 90 day disclosure just like anything else would be.
I always get confused reading/talking about the definition of a zero-day with people... But this is what Wikipedia states, which is most consistent with my understanding.
> A zero-day (also known as 0-day) is a computer-software vulnerability unknown to those who should be interested in its mitigation (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network.
Seems like someone knows how to exploit this, and zoom / the general public don't know how to mitigate or perform it. That seems to fit this definition, no?
Related, the two other $200k entries from Pwn2Own 2021:[1]
- DEVCORE targeting Microsoft Exchange in the Server category (The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server.)
- The researcher who goes by OV targeting Microsoft Teams in the Enterprise Communications category (OV combined a pair of bugs to demonstrate code execution on Microsoft Teams.)
I wonder if the OS world will move towards lightweight but unforgiving sandboxing like OpenBSD's `pledge` and `unveil` system calls. It's crazy to me that most software is still completely fine to run around and set things as fire the instant it's compromised!
Most desktop OSes came about (or at least have their roots in) a pre-internet world, where you install software from discs you purchased at the store, or if you're feeling gutsy, from media your friend hands you in real-life. They assume you have a great amount of trust in every piece of code you run on your computer (and anyway, how will malware exfiltrate your data without an always-on network connection?).
Things like Windows Defender and Snap and the recent macOS hardening efforts are patchwork solutions to try and cope with the modern world, but they'll never really be enough because these systems can't be fundamentally re-thought; they have to keep doing everything everybody already expects them to do. Only brand new OSes really get the chance to do things right, and only the mobile ones really had the opportunity to gain wide adoption.
Just last week we were talking about a zero-click bug in Apple Mail (https://mikko-kenttala.medium.com/zero-click-vulnerability-i...) that didn't even need to bypass Apple's built-in sandboxing—simply overwriting Mail.app's config files was enough to trigger a devastating information disclosure.
Doesn't the equivalent already exist in Linux? BPF seccomp filters have been around since ~2012 (https://lwn.net/Articles/656307). There's also SELinux and friends (ie Linux Security Modules).
Pledge was created as a response to low `seccomp` (Linux) and `capsicum` (FreeBSD) usage in the wild. Pledge trades off granularity for ease-of-use, and has seen quite a bit of adoption despite OpenBSD being a small ecosystem.
As a Linux-based programmer who hasn't quite delved into the UNIX internals world, knowing that I have to write my own BPF filter or do some crazy stuff with file descriptors (in the case of capsicum) is enough to scare me. But on OpenBSD, I added `pledge` and `unveil` calls to all my silly Python chat bots in 15 mintes
iOS, Android and ChromeOS are already there. But for exploits targeting Exchange or Teams it's far from a perfect solution because valuable private information is in the app being compromised.
I don't see how the large majority of security problems could be solved by any OS design. Human failures would just account for 95% of breaches instead of the current 85% (made up numbers). Not saying the OS improvements aren't useful nevertheless..
Good design can dramatically reduce, if not eliminate, most human vulnerabilities.
For example, phishing sites would be radically less effective if passwords are not a thing, and everyone logged in using hardware keys (e.g. Yubikeys) which cryptographically prevent phishing.
Seems fair, through "less insecure" would be generally more appropriate (independent of it being Zoom).
But then I have lost all trust in Zoom due to the history involved with it. And I also don't thing Zoom will regain the trust, because due to the way they lost trust again and again and also acted in-honest it's pretty hard for them to convey that they changed (instead of just pretending they did).
My biggest gripe about Teams is what a memory hog it is. Mine is currently sitting idle (been on vacation all week) at nearly 1GB. Compare this to Zoom, which is idling at just over 100MB. Teams is literally taking up 10 times more RAM than Zoom just running in the background.
In Microsoft’s defense Teams is an electron (or electronesque) app and offers quite a bit more than Zoom in terms of features. The fact that it uses so much RAM is expected when you consider it as another copy of chrome.
It boggles me to no end that Microsoft is switching to electron apps even for Windows. You would think that they could write native applications that wouldn't sacrifice stability, performance or functionality the way Teams does for their own operating system.
I have never used Teams but is 1GB of memory usage really an issue in 2021, when most laptops have at least 16-32 gigs of memory? It's been years since the last time I actually worried about how much memory some software on my laptop was using.
It isn't if you're on a laptop from 2021. But that vast majority of people aren't. Companies don't provision new computers to their employees every time a new computer comes out. At the companies I've worked for, the minimum refresh time is 3-5 years, depending on tax laws, and financial ability.
It's also not a big deal if the computer is only used for Zoom. Most people, whether office drones or developers, run many programs at once.
In isolation, maybe not, but I don't get paid to have chat clients or screen share apps run, I get paid to add features or remove bugs from the bazillions of microservices and associated spa, which under ideal conditions requires running them locally. Every byte consumed by something useless is not a tradeoff I endorse.
That "ram is cheap and plentiful" is also seriously not true for Mac laptops, which both caps how much one can expand them and also charges unreasonable rates for the additions they do allow
16gb is the standard high end spec, 32gb is the extreme edition which usually costs a fortune and is impossible to convince your company to buy, especially if multiple people need them.
On 16GB I was constantly running out of memory at work. It’s not just 1GB it’s 1GB times all the other crap you need running.
I mean my laptop from 2014 had 32g (and like another 4g on the graphics processor) so that's not exactly outrageous for anyone doing serious work.
My laptop from 2019 also had 32g and was less than 2000 usd.
Obviously most people don't need that and I'm sympathetic to anyone having to run teams on some shitty IT-provided low cost laptop loaded with 7 different management spyware suites, but 16g-32g is not baller in a limo outrageous.
Well I did say I assume I'm not being trolled so I'm not sure what you're referring to. As a teams user I asked a good faith question to try and flesh out her reasons for considering banning Teams.
But to give you a reason why someone might assume a troll
- random internet stranger
- Microsoft mentioned, some people just don't like them as a company
- no actual reason given, just a comment with zero supporting evidence.
My company forbids using Teams for data that would be subject to GDPR. Guess they don't trust the Privacy Shield, but it still boggles the mind why we didn't go then for a solution that can be deployed on-premises.
Exactly. I run zoom on my iOS devices because it's hard to avoid and at least there's the combination of stricter sandboxing/less critical material on the device, but I refuse to run it on my computers because there's so much bad history with the company I don't feel I can trust them.
“Makes calls safer”. It fixes this particular no user input RCE vulnerability, but how many others remain? If this type of vulnerability is present at all in Zoom, then it stands to reason more wait to be discovered by sufficiently motivated attackers.
These things shouldn’t end with a bounty for the researcher and a patch by the vendor. It should end with a root cause analysis and a plan to fix that type of vulnerability across the entire app, or better yet, the whole industry via a research paper.
> These things shouldn’t end with a bounty for the researcher and a patch by the vendor. It should end with a root cause analysis and a plan to fix that type of vulnerability across the entire app, or better yet, the whole industry via a research paper.
I'm unsure (and open to discussion) on which classes of bugs make that possible. My initial thought is that finding a stack overflow bug (to randomly choose a bug class) results in "don't goof up memory", which is technically correct, but not actually useful in finding others of that class.
In this hypothetical, maybe the result would some combination of accessing programming language choice, programming practice, and testing tooling? Can't say those are a silver bullet though.
Meet performs quite poorly with large number of participants (the tipping point being around 10 or so for me) in a meeting. I tried various browsers and found Chrome to be the worst performer and surprisely Firefox was somewhat better but still needed a refresh every now and then. Macos on a 2017 MacBook. This is one of many reasons keeping my $employer on Zoom. We just haven't found a decent video conferencing software that manages 25+ videos flawlessly. I know of colleagues using Teams successfully but many people we meet with outside our organisation expects Zoom nowdays. I suspect any alternative will have to be very good to take over Zoom as the preferred platform. That has yet to appear.
My son's school uses Google Meet for online classes. 2 instructors + 36 students per section. All participants have their videos switched on. Even when the bandwidth fluctuates, we haven't noticed issues. In particular, Meet degrades well: audio continues to be high quality, with video becoming grainy or getting suspended. But, that is pretty rare. And, slide shows are never a problem.
Ah that is interesting. I work for a school for Deaf learners who use sign language. We rely on having good quality video so we can see each other. Your description of video degradion matches my observation. Unfortunately this is not suitable for our use case. Zoom maintains high quality video really well on the same connections meets will degrade quite badly. I've always thought there should be a switch to decide which of video or audio should receive priority.
I've wondered whether things like the gallery view limitation were actual technical hurdles, or just the modern equivalent of nagware to boost the app download metrics.
False dichotomy. There's a (likely) third option where they do not have sufficient engineering effort to do everything at once. Most users are on the app so that's where effort is applied. Yes, this means the webapp loses even more market share but thems the breaks.
Given that Facebook removed functionality from the mobile web view that was present in earlier versions and is still there in the desktop view (messages, cough), I think that it's a very fair question to raise about Zoom's choice to not allow gallery view in the web app.
Putting aside that Zoom is not Facebook, "Zoom's choice to not allow gallery view" sounds very much like, "How long have you been beating your wife?" Zoom has not implemented gallery view. We know nothing about the whys, hows, and whats of the matter.
Look, I prefer webapps when possible and keep mobile apps to a very minimum on my mobile (and preferably from F-Droid, at that). But I also understand that you can only do so much in a release and if your engineering team expertise, backlog, users, sales, EVERYTHING, is centered around native apps. Then damn it, you're going to make your native app look stellar because otherwise your competitors will get a leg up over you.
I can still get FB Messages in the mobile web view by telling my browser to use Desktop view and ensuring the URL starts with "www" rather than "m." It's painful but it works.
I deleted the FB app from my phone years ago (with difficulty because Samsung makes it undeletable by non-hackers) because the app gives FB far too much info about me.
On macOS my experience with Zoom in the browser is that the gallery mode works in Chrome, however in Chrome it has problems with the camera (it reports that the camera is in use, or will hog the cpu and work at about 1 frame per second). On Firefox the camera works fine, but there is no gallery mode. On Safari the gallery mode and camera both work, but audio does not work! So I need to choose whether to do without video, audio, or gallery mode, or I can connect to the meeting twice with two different browsers.
Is $200k enough to motivate a company like Zoom to do an RCA after something like this? Maybe? I personally doubt it but don’t have any real reasoning for it one way or another.
Oh the link actually says that it is not patched. So now everyone with an interest in nuclear devices knows that the code is something really easy to guess. The silver lining in this moving the nuclear warning system a few minutes closer to 12 is that the guy who pointed it out got a bonus and a raise!
What percentage of these kind of exploits does hn think are found by these kind of white hat exercises and what percentage are sitting out there in an intelligence service or private entity's 0-day database? I have always been curious.
A wild guess is 3:1 (3 working 0-day exploits in existence for every 1 found with exercises like this). My reasoning is because every time there is a very high-priced bounty on an exploit, it seems to get discovered and pay out. So if governments and blackhats have people hunting full time for these exploits, you better bet they are finding them too.
You don't have to find many zero days. Just have enough. Huge backend of tools and network of contributors surely helps, but if 0-day is gone in Zoom, and say you don't have their explicit cooperation (which you totally can have) and you only have one, then it may not be such a worry if it is commonly used with other software that you can own.
Besides that, there are tiers of 0-days, some of which you would not touch unless the target is exceptionally valuable and you did some homework with oh-just-a-common-malware to learn about their system and response.
There is no system that is secure. There may be systems that are obscure. But if they would be targeted they can be owned with easy because they are not popular and security is really really hard.
This is not just crazy talk anymore, it's reality. It's enough to watch CVEs, think what you could do if you exploit them silently and what that allows you to do in the future. Watch them not only for abstractions on top, but for whole tons of firmware running both on your machine and machines that you trust. Oh and certificates... It's just too easy. Way too easy.
Zoom's dark patterns trying to get you to install the app on your system (which demands administrator privileges, natch) are reason enough to resist ever running unsandboxed software from them. Their continued history of major security issues (remember that time that they had a local webserver offering RCE by design as part of the desktop client) is even more.
Their browser app does not have feature parity; recently I had to participate in a conference and the browser version fucked up my camera's aspect ratio, a problem that doesn't exist in their full client. A burner laptop was required, and was wiped immediately after.
Avoid Zoom whenever possible. Don't ask others to use it.
>The fact that the researchers came out on the second day of the Pwn2Own event with this vulnerability does not mean they figured it out in those two days. They will have put in months of research to find the different flaws and combine them into an RCE attack.
I really appreciate the article author mentioning this. It gives hope to all beginners and shows that "overnight success" is a result of months and years of learning and research
This reminds me of the Skype 'vuln' where you could see weird VPS/colocation servers scooping up links when you send them via their chat feature. /Nobody/ except the recipient and you should be visiting that link, yet it's still an issue. At first I thought it just wanted to generate a 'link preview' but it's more sinister than that. Some random surveillant is looking at every link.
Of course they do. I have in mind the choice that we're often given these days, between a native (or pseudo-native) desktop app and an in-browser version with comparable functionality. Perhaps I should have been clearer about that in my earlier comment.
We don't know much about the RCE. It may have been able to do something in the browser, with more effort, e̶s̶p̶e̶c̶i̶a̶l̶l̶y̶ ̶g̶i̶v̶e̶n̶ ̶t̶h̶a̶t̶ ̶t̶h̶e̶ ̶"̶n̶a̶t̶i̶v̶e̶ ̶a̶p̶p̶"̶ ̶h̶e̶r̶e̶ ̶i̶s̶ ̶a̶n̶ ̶E̶l̶e̶c̶t̶r̶o̶n̶ ̶a̶p̶p̶. Perhaps they stopped once they saw they had done enough for the $200k bounty.
I don't think Qt has ever pretended to look native. I remember using KDE back in the early 2000s and most Qt apps that didn't explicitly integrate with KDE didn't look "native" either. The other desktop OSes are not even internally consistent -- look at Windows's "settings" vs. "control panel". Which one is native? The answer is they both are, sort of, but there are simply two UI kits bundled with the OS. One is deprecated, the other isn't ready yet. Qt is not going to solve that problem for you.
(I'll also point out that even if you have a Win32ChatWidget in the library, that doesn't many anyone is going to use it. Zoom simply did a bad job implementing chat, which is why it's so bad. The UI toolkit library is neither the problem nor the solution. Caring about making chat good is the solution.)
Have you already tried to paste long(ish) text into Zoom chat ?
It literally starts going (hidden) outside of the window !
I've been using software since Windows 3.11, and I don't remember that ever happening before !!
Not related, but: the other day I joined a Zoom call for the first time. I had no interest in using a native client, but when you first try to join the call and Zoom tries to download the client, Microsoft Edge warned me that it was “harmful to my device”. For once SmartScreen and I are in agreement.
Even worse, it isn't even patched now, and now the bad guys are aware this exists, even if they don't know exactly how yet. And no reason to keep it quiet if they do figure it out - exploit away as long as you can cause they know it is going to be fixed relatively quickly.
It sounds like a great deal for Zoom... Zoom would have paid far more for this research in any other scenario.
The InfoSec community seems to be quite happy giving away their hard work, while the large security vendors make mountains of cash on snake oil solutions to enterprises. For context, Zoom certainly paid many multiples of $200k during any given month for firewall licensing.
OTOH, security researchers do inflate the value of any given exploit (chain) vs. broad mitigations.
Still, 200k seems _low_ for a bug that should imperil the reputation of a many-billion dollar company. And a few years ago it seems like that would have been $1000 and a firm handshake...
I sometimes wonder if we're destined for a world where software companies decide they should employ QA staff. Or if we're destined for a world where the majority of QA gets oursourced to competitions.
Software companies used to have QA staff. But developers said "we can write our own tests and you can get rid of those expensive QA people who we hate" and here we are, in the land of forever-crappy software.
It's our own damn fault for becoming over-reliant on CI to find all the bugs.
I squarely put this in the same compartment as "my code is self documenting". I've only seen management and devs who are less than stellar argue against having QAs.
Not surprising. I just wonder how trivial is to exploit it and if it's not one of many "honest mistakes" that some companies sometimes commit. Some trivially exploitable and very reliable stack overflows on some routers come to mind ...
Isn't it standard practice not to disclose a vulnerability at all (not just hiding the "technical details") until it's been patched? Why is this being made public?
"Safe" in security is always relative. Safe from a military hacking attack? Probably never. Safe from random scriptkiddies? Yeah, probably even if you don't run Zoom with a separate user, as long as you got the rest of your shit together. Safe from people buying/using 0days? Seems so, since this issue was never actually disclosed (yet) so it's not really a 0day, so it'll be harder to for people to exploit.
You'd need to understand who/what are your threats to understand if you're "safe" or not.
Depends on a lot of things. If the 0day is an RCE they would need another privilege escalation exploit. How easy that would be depends a lot on how your system is setup.
But the short answer is probably not. Unless you are running Qubes or something, if someone can exploit an RCE then they can probably own your system.
No, as this discussion points out you should use the browser version if at all possible. The snap version would also offer a little bit more sandboxing probably if you're willing to edit the config for how much access it has to your system.
likely not the same situation, but its interesting zoom has a client uri scheme zoommtg:// and just a year or so ago a CVE [0] popped up that involved using the irc:// scheme to demonstrate a calculator opening using mIRC.
Is it just me, or does $200k seem far too low for this? I understand that the reward was paid by the event, not Zoom... but it seems to me that Zoom should “pony up” some additional funds for this research.
Very few bounty programs offer that much for a single vulnerability. I'm not saying it's worth $200k, but $200k is definitively a huge payout in the security industry.
A lot of the time we see someone getting like 10k. Also 200k is over 3 years my wage so I have to say no it does not seem low to myself but to others perhaps that is a low number but I value things differently. I hold high morals so I would not ever just sell an exploit to "the bad guys" so realistically I was never going to get the most money for said exploit so it is not all about money.
You are always free to sell the hacks for their """actual""" market value on the black market. Of course you need to launder the money, you might get jailed, you might have to flee the country and so on but at least you get your fair rate.
The positive "tilt" in this article is honestly amusing and unusual for such articles
"zero-day discovery makes calls safer"
"Understandably, Zoom has not yet had the time to issue a patch for the vulnerability"
"This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work"
Imagine if that was your run of the mill well-hated big corp
"Yet another security vulnerability leaves millions at risk"
"XYZ Corp shows its incompetence once again exposing users' private data to hackers"
etc etc
I don't think that's fair. The Pwn2Own contest rules specifically disallow disclosure. This isn't a "zero day" in any sense but marketing. It's a privately disclosed vulnerability under a managed embargo, just as if it had been reported by Project Zero or whoever.
The ding is that, because it was a "public contest", the existence of the vulnerability is known. And that's probably a higher risk scenario in the abstract I guess. But I think it's clear to all that Pwn2Own and similar activities are a net benefit to global software security nonetheless.
Maybe the zero-day isn't disclosed from this pwn2own itself, but importantly, we now know it exists, which means we should consider how many bad actors are already independently aware of it and are exploiting it.
Responsibe disclosure processes are just as much about closing the vectors that we can't prove are under active exploit.
the Pwn2Own exploits have generally not already been out there. There have been a long history of these, including some incredible chrome exploits! So the disclosure process tends to work out OK.
I think that's right that pwn2own exploits are generally new to the public, but that only means it's not provably out there.
Just to be clear, I think programs like this are great and they do improve safety, but only because they result in patches. This news shouldn't make users feel safe until there is a patch.
Agreed, just because it exists doesn’t mean it was being exploited.
And these help patch not just the specific hole but the general approach of the exploit chain may expose a whole area the development team had not previously considered.
Wait, are you saying Zoom isn't hated? It's crap. I refuse to install its PoS app and all of the security holes it came with (don't care if they are fixed or not). Launching a zoom meeting in my browser totally bogs the browser down. The zoom site is so slow that proving I'm a human is at least 10x slower than on other sites. In my use case, nobody on the zoom call is even using video, yet it still runs this badly.
We run zoom calls with over 200 participants and no problems. It sounds like their browser experience is poor, I don’t know if that’s a browser limitation or bad design, but their app on Windows and Mac performs quite well.
Mistakes were made with security early in their product. It’s clear that has turned a lot of potential users against them.
I’m curious why companies like Facebook get more acceptance over terrible security, but other companies are never forgiven
This is not my experience at all. Early in the lockdown when Zoom became the darling, I was forced to install their app. Pre-pandemic, Zoom was already panned on this site for crap they were doing, so I pushed back hard against using Zoom before ultimately relenting. Running zoom with a simple 3 person call would bog down my 2017 MBP with fans running full tilt. I've since upgraded hardware and zoom is not allowed to be installed on this computer.
>I’m curious why companies like Facebook get more acceptance
Is there anyone on this site that agrees with that comment? I certainly don't. There are multiple billions of FB users, so I'm quite sure the readers of HN is just a mere rounding error level of numbers.
I've been involved with zoom sessions of up to 50 connections and it has exceptionally flawless on my work macOS laptop from approx 2017. Compared to every other video conference software I've tried, zoom is unfortunately by far the best on macos, Windows and even Linux for video conferencing with large number of participants. I am baffled as to why it performs so poorly—this is not my observation on the machine I have and I also know it works well with on many of my colleagues Macs so it is not just the one Mac I use.
Hard agree. Mac resource use of Zoom is insane. The only machine I've used that feels not bogged way down and blowing it's fans like crazy is my M1 mac and even then it's showing > 50% cpu use. When demoing our app in a screen share on my old iMac 4K the machine would be screaming it's fans and much much slower than normal. Meanwhile Messages screen sharing used less than 10% CPU. IDK what they are doing but it's not right at all.
I also like zoom over the alternatives. Does it have problems, yes but what software doesn’t. I have been using zoom for years (my school switched early) compared to previous tools it just worked and worked well. Yes I know they lied and deceived but again marketing is always full of BS and guess who makes the blurbs we read on the internet about a company. Again the constantly changing UI is annoying but what is better? If someone has something better that even my grandma can use I will give it a shot.
There's a difference between software having problems, and the problems that zoom had/has. The fiasco of creating a method to run any command with escalated sudo privelages just because they wanted to make the install easier that remains after install was absolutely mind blowing. Those kinds of things are unforgivable.
If browser performance is bad but app performance is good (and I agree that my experience with the app is actually pretty good), then it is a bad sign that the exploit is in the app, and not the browser version.
Also the UI sucks. It doesn't blend nicely with my system. It looks like a sore thumb Windows 3.0 app or quack-age MacOS app in the midst of a futuristic OS.
Yes! Like there's a required two clicks to leave a call, you can't trust if it will start video on or off, the menu bar hides by default! The UX is horrible.
The 2-click to leave is aweful. Sure, accidental leaving can be annoying. How about don't put the button near anything else that might need clicking so that it's much less likely to be accidentally clicked.
Agree and have a similar experience so I use Jitsi https://jitsi.org/ instead and recommend it. If clients insist I simply ask they enable joining from a web client, otherwise unable to join. Jitsi works well and find it odd how remarkable mindsets become locked into options regardless of the accessibility and benefit of alternatives (great material for comedy, psychosocial study, etc). From React to iOS default apps to Zoom, it's an odd disadvantage of our human condition.
I was shocked to find that on Windows, Teams refuses to run in any browser except Edge. On Linux, it runs quite happily under Chromium. It's the worst sort of anti-competitive behavior, in my view.
IE11 (ew), old Edge (ew), Chromium Edge and Chrome are fully supported. Newest Safari has limited support, and only Firefox and older Safari versions are the only ones explicitly not supported.
Same. The whole interface is god awful. And it almost always dishonors my OS audio input/output preferences by default. The web client always downgrades my camera resolution for some reason, and messes up its aspect ratio. Plus the security problems.
Zoom has a history of nasty security issues, does shady business with China and bought and killed Keybase. It's a shitty company not even considering their software.
Which goes to tell you how good their software is. It is better than anything other companies have to offer for video conference calls with many participants and screen sharing, which is why our university is using it after we had evaluated all competitors last year in April.
> Imagine if that was your run of the mill well-hated big corp
I don't know what the general perception of Zoom is. Our opinions of it never really come up at work. The discussion I see of it online largely focuses upon the security issues so that is going to be negative. There is one thing I am grateful for though: it seems as though the masses settled on a product with decent cross-platform support for once. You rarely see that unless the product is intended for a niche market (e.g. science, engineering, software development). Heck, they even package it for Arch.
Indeed. It is really nice to be able to participate in group and conference calls from Linux without having to reboot into windows or macos. Also performs well in all the platforms I've used it in which is not something I can say for teams and Google meets.
Because they don't realize how bad Zoom's bad acts could be for them. People didn't feel that cigarettes were bad for them. People don't feel like McDonald's is bad for them.
I work for a large MSP, one of our partners announced recently that effective basically immediately they are no longer supporting any zoom integrations due to the China connection.
Its possible to hate zoom without liking one of the alternatives. I know a lot of people hate zoom because they associate it without meeting burning due to this year and security issues.
Never used Teams. Skype, which I last used years ago, was certainly better as far as downloadable chat clients go. Google Meet runs circles around Zoom, and I don't have to install anything.
Using Zoom on Linux is a fun way to get everything to crash; and may as well flip a coin to see if I'll get connected / anyone will be able to hear me.
Google Meet, Slack calls, literally everything else works perfectly. With screenshare. On Wayland. I just call in to Zooms now.
My wife has been doing a ton of Zoom on an Ubuntu system on a Dell laptop, using their native app. She hasn't had problems.
Clearly your experience differs, not sure why.
Of the proprietary video meeting apps, they all have problems, but Zoom sucks less than Teams, Webex, or Skype and is a lot easier for non-technical folks to use.
I'm in the same boat. I use Zoom frequently on Linux and it's performance is quite acceptable. I use Zoom successfully on other platforms as well. It compares well to altneratives such as Google Meets which in my experience starts to fall apart past a certain number of participants on a call. Quite interesting to see the variance of experiences as it doesn't match what I've observed personally as well as comments I've heard from colleagues who have tried various systems. I hear lots of praise for Zoom and Teams but Meets is either loved or hated.
>> Imagine if that was your run of the mill well-hated big corp
Zoom is one of my, and several of my coder friends', top-five well-hated big corps.
This far into the pandemic, I take personal pride that I hadn't installed what for a while was essentially reported as Chinese spyware on my machines. :)
Entirely aside from their many past security holes which have been handled poorly , they have straight up lied about end to end crypto and what exact crypto it's using. That's before we get into the ownership of the company, its management and the location of most of the developers.