Zoom will enable waiting rooms by default to stop Zoombombing

148 points| vpontis | 5 years ago |techcrunch.com

49 comments

bretpiatt|5 years ago

detaro|5 years ago

So attackers have now ~24 hours to exploit this unpublished security issue before the second stage, required passwords, becomes active.

kerng|5 years ago

Thanks for highlighting this, I totally missed that there is a waiting room security issue pending disclosure.

gnicholas|5 years ago

TLDR: there’s a security issue that has been identified with regard to waiting rooms, and it has been reported to Zoom. No further details will be provided until it’s fixed.

bartread|5 years ago

"Building development teams that include skeptics and realists, rather than just visionary idealists, could keep ensure products get safeguarded from abuse before rather than after a scandal occurs."

On the face of it this sounds fair, but the problem is that being "sceptical" and "realistic" is far easier and requires much less effort than being "visionary"[1]. Too much of the former early on can really suck the life out of a team, increasing the risk that the product fails, or is simply never built.

Safeguarding from abuse is much better achieved by systematic thinking and discipline (which are learned skills) rather than hiring "realists" who might simply turn out to be whiners and energy vampires.

As much as Zoom is currently in the spotlight, and I can't say I'm overjoyed by a number of the issues I've read about (e.g., encryption keys being passed through Chinese servers?!??), many of them are the problems of success, and every successful company has or will experience their fair share of those.

[1] I might also add that it's far easier to commentate and to critique than to do, eh, TechCrunch?

Traster|5 years ago

I'm so tired of these types of comments. "The reason you have this issue is you're missing X", "Yeah but if we only had X we wouldn't have been able to do this at all!", "Yes, which is why I said you should have more X, not completely abandon everything but X".

Let's be clear: The issues that Zoom is having were seen by other businesses in the same industry decades ago. At a time where every other messaging system in the world has been moving to end-to-end encryption - even Facebook - Zoom is still lying about it to customers. It doesn't require a room full of sceptics to figure that out, it requires some sort of development process that involves the tiniest bit of thought before rushing out a feature - a culture that is apparently consistently lacking in large parts of Silicon Valley.

Btw, if you think that what we've seen over the last few years is that commentating on tech is an easy career to make a living at, you haven't been paying attention to the state of journalism.

kevingadd|5 years ago

I don't know why skepticism and realism are viewed as "easy" when both are skills that require practice and education to apply accurately and consistently. What is so much harder about being "visionary" if all that means is coming up with ideas? Obviously what's valuable is coming up with ideas that can be executed on safely and easily, and Zoom completely shit the bed on safety here.

A team full of visionaries will never get anything shipped at release quality. I've worked with plenty of them. You don't need to hire a bunch of depressing pessimists but if you don't have skeptics and realists to keep your team's velocity under control you're never going to hit quality targets.

Imagine there being multiple valuable skills in an industry, like critique, commentary, planning, debugging, testing, engineering, design, and ideation!

TACIXAT|5 years ago

I see some people running meetings who can barely find the chat. I'm not sure I trust them to manage a waiting room.

godelski|5 years ago

Giving the benefit of doubt here, if you enter full screen mode chat opens in a different window and no longer gives you notifications. At least on linux. I honestly find this quite painful and rather surprising. I'm not sure why full screen and chat isn't equivalent to just maximizing the window (where the chat is on the right and users are above) with tabs to open and close chat (and users). New windows seems like a weird decision.

arkadiyt|5 years ago

> Starting April 5th, it will require passwords to enter calls via Meeting ID

A meeting id with a password is semantically the same as a longer meeting id (or a meeting id with a character space larger than just digits). I wish they'd do that instead (make meeting ids longer) so I could continue to enter my company meetings with only a link but not have to worry about getting wardialed.

joe5150|5 years ago

Meeting IDs need to be numbers to make it easy to join meetings by phone. No particular reason they can't be longer though.

bowmessage|5 years ago

Except the search space is much, much larger.

detaro|5 years ago

You can put the password in the link.

jdlyga|5 years ago

I work for a large multi-national media company, and we've been using BlueJeans for video conferencing for the last few years. It's been very reliable, but I haven't heard of very many others using BlueJeans. I'm curious if the security issues in Zoom vs its competitors more have to do with the amount of people using it and putting eyes on it.

dehrmann|5 years ago

> I haven't heard of very many others using BlueJeans

I'd think more eyes on Zoom right now will be better for it in the long run. Anecdotally, security aside, I've found Zoom to be about one step ahead of BlueJeans in pretty much every way.

e40|5 years ago

I was sent a link for them about a month ago. On Mojave the app kept crashing. I couldn't figure out how to join via the browser, so we switched to Zoom.

kenhwang|5 years ago

We use both Zoom and BlueJeans at work, and Zoom Just Works™ while BlueJeans has all sorts of compatibility headaches; if it's not Chrome/Windows, it's pretty much a crapshoot.

That being said, the AV quality between the two are pretty similar.

shmoogy|5 years ago

I found the quality and ease of use better with Zoom; it's probably security through obscurity in the case of Zoom vs BlueJeans though.

arwineap|5 years ago

BlueJeans seemed to be running into audio issues as we leaned on it heavier recently.

cheald|5 years ago

We used BlueJeans at my previous job and it was reliably awful. So many issues with it.

I'm using Jitsi now and am quite happy with it.

_ea1k|5 years ago

I've used BlueJeans extensively and I completely agree. I believe that it doesn't have a free tier though and this limits its adoption.

I also do not believe that it claims to have E2E encryption or anything like that.

mroche|5 years ago

Red Hat uses Blue Jeans for their webinars, and the OKD project uses it for the WG meetings. Not sure about internally or other projects as I don’t have experience with them nor am I an employee.

avs733|5 years ago

Same.

We've had a few glitches here and there but overall highly reliable. The ability to do a meeting or do an event to prevent Zoombombing-type issues is wonderful.

wcoenen|5 years ago

Techcrunch links seem to redirect through guce.advertising.com nowadays, which is blocked by my ad blocker. Also, according to redirect-checker.org it takes 5 requests before finally landing on the actual page. Seems excessive.

blackrock|5 years ago

I’ve used a lot of these tools, and I have to admit, Zoom is the best.

As for the Zoombombing, I can’t say that I am surprised. All you really need is the URL.

And all the other tools are like that too. Sure, you can require a separate passcode, but damn it, it’s like trying to figure out rocket science to enter the passcode.

1) you have to dial the number

2) you have to punch in the meeting ID

3) you have to punch in the passcode.

4) ERROR. You flipped it, and used the passcode for the meeting ID instead. Aargh.. frustration.

5) Forget about the passcode. Just let everyone in that has the meeting ID. And monitor if there’s someone unknown on the line.

GordonS|5 years ago

> you have to dial the number

It must have been at least a decade since I actually dialled into a video conference using a phone, on any conferencing platform - I always connect audio via my laptop or phone, which I use with a Bluetooth headset.

I was actually having this conversation with a bunch of colleagues the other day, and every person in the call said the same thing, only difference was some used a USB headset, rather than Bluetooth.

faitswulff|5 years ago

Waiting rooms don't help because you don't see any identifying information. My sister's call got zoombombed even with a moderated waiting room. They were trying to keep within their university's students, but they couldn't see the email addresses associated with the zoom user name in the waiting room, so a griefer got through.

closeparen|5 years ago

Zoom meetings created on my company's account can only be joined by people logged in through my company's SSO (unless the meeting is explicitly set to open).

Universities typically have SSO, so this doesn't seem like a hard thing for them to implement.

raverbashing|5 years ago

For these cases required sign-in might be best.

mavsman|5 years ago

Hopefully they do this for existing users as well. One of my fellow teachers' classes got bombed today even after we were all sent instructions about securing our meetings, enabling waiting rooms, etc.

She didn't follow the recommendation because she "didn't think someone would join" because she hadn't posted the meeting link on social media. You have to protect your users that won't protect themselves.

rdlecler1|5 years ago

Wouldn’t it have been easier to present an option to the presenter once X number of people joined? So 3-5, no, but more than that a dialog pops up asking the presenter if they’d like to have a waiting room.

wodenokoto|5 years ago

My understanding was that chats simply had too-easy-to-guess names.

Would this be solved by generating chat names through a cryptographic hash algorithm?

I have Google Docs that are editable by anyone with the link and I’m kinda assuming that the link is as hard to guess as logging in with a password.

Am I completely off and in dire need of reevaluating my personal web security?
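The two threads above (arkadiyt/bowmessage on "ID plus password is just a longer ID", and wodenokoto on whether a link is as hard to guess as a password) are both questions about keyspace size, so here is an added worked example, not code from the article or from Zoom, that puts numbers on them. The ID length, passcode length, character sets and guess rate are constructed illustrative parameters, not Zoom's real values.

```python
import math

# Constructed parameters for illustration, not Zoom's actual scheme.
DIGITS = 10   # alphabet of a phone-dialable, numeric-only ID
ALNUM = 36    # digits plus lowercase letters, a "wider character space"


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in an identifier chosen uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def combined_bits(id_alphabet: int, id_len: int, pw_alphabet: int, pw_len: int) -> float:
    """ID + password is one secret; its entropy is the sum of both parts,
    which is exactly why it is equivalent to a single longer ID."""
    return keyspace_bits(id_alphabet, id_len) + keyspace_bits(pw_alphabet, pw_len)


def equivalent_digits(bits: float) -> int:
    """Smallest numeric-only (phone-dialable) ID length with at least `bits` of entropy.
    The 1e-9 guards against float rounding when bits is an exact multiple of log2(10)."""
    return math.ceil(bits / math.log2(DIGITS) - 1e-9)


def expected_guesses(bits: float, live_targets: int = 1) -> float:
    """Average guesses to land on one of `live_targets` valid IDs spread uniformly over
    the keyspace. A single secret (one doc link) takes half the keyspace on average; a
    service with many concurrent valid IDs shrinks that proportionally, so it needs
    more bits than a one-off shared link of the same format."""
    return (2 ** bits) / (2 * live_targets)


def hours_at_rate(guesses: float, guesses_per_second: float) -> float:
    """Expected wall-clock hours for the guess count at a rate-limited guess rate."""
    return guesses / guesses_per_second / 3600


def compare(id_len: int = 9, pw_len: int = 6, live_targets: int = 1, rate: float = 100.0) -> dict:
    """Side-by-side: numeric ID alone vs. the same ID with an alphanumeric passcode."""
    base = keyspace_bits(DIGITS, id_len)
    with_pw = combined_bits(DIGITS, id_len, ALNUM, pw_len)
    return {
        "id_only_bits": round(base, 1),
        "id_plus_password_bits": round(with_pw, 1),
        "numeric_digits_with_same_strength": equivalent_digits(with_pw),
        "hours_id_only": hours_at_rate(expected_guesses(base, live_targets), rate),
        "hours_id_plus_password": hours_at_rate(expected_guesses(with_pw, live_targets), rate),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}" if isinstance(value, float) else f"{key}: {value}")
```

With the constructed defaults, a 9-digit ID plus a 6-character passcode carries about 61 bits, the same as a 19-digit numeric ID; the `live_targets` parameter shows why a link that is the only secret for one document is a different risk than a format shared by many simultaneously valid meetings.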

Igelau|5 years ago

[deleted]