> Zoom has had major security issues for years, and they've always brushed them off as not a big deal. This isn't an isolated incident.
But here's the operative question: were they wrong to set their priorities the way they did? In this crisis, they're wildly popular, and part of that popularity comes from optimizing for usability and advertising to close the deals that got their product in front of enough people to be a "household name" when everyone suddenly needed videoconferencing.
If people want security, GChat is built on top of Google's infrastructure, has almost no outstanding security issues, and years of engineering behind making it a quality product. And users don't care enough about security for that to be the tool people are reaching for right now.
Business is an art, and that art is the art of making tradeoffs to meet users halfway. And time and again, the product that thinks users need to be met halfway at "it's secure" gets trounced by the ones who meet users halfway at "It's usable."
> We fired all our 'security' people who told us we had best-of-breed security
Why, in a crisis, would you start by firing the people who already know the inside of your application, warts and all?
> here's the operative question: were they wrong to set their priorities the way they did?
Yes. Let me ask this the other way, in a different context.
Say your company builds rapid-assembly prefab building components. You have built the business on being supposedly greener than the competition, by using natural materials where possible. All of a sudden there is a massive surge in demand, and you find out that certain cost-cutting optimisations that used to be merely mildly beneficial, actually provide a marketing edge.
Does it matter that your fire-proofing is a naturally occurring material? Namely, asbestos?
1) Is there a better fire-proofing alternative available, one that will work as well and be as cost-effective to deploy?
2) Are we talking about 1990 (when the public actually cared, legal torts were likely, and it was a huge hassle to sell a property that was known to have asbestos) or 1890 (when in spite of evidence that asbestos may pose a health risk, industry was full-speed-ahead on it because, hey, everything poses a health risk, and lung cancer was of lower concern to the public than dying in a fire)?
They've made mistakes in the past, but their privacy model is actually pretty good as long as your risk assessment includes the carve out "I'm comfortable with Google knowing a lot about me."
And if you aren't, there are plenty of alternatives. But unlike Google, they often don't have a security or privacy model to speak of because they haven't taken the lumps Google has in the past for messing up.
But here's the operative question: were they wrong to set their priorities the way they did? In this crisis, they're wildly popular, and part of that popularity comes from optimizing for usability and advertising to close the deals that got their product in front of enough people to be a "household name" when everyone suddenly needed videoconferencing.
If people want security, GChat is built on top of Google's infrastructure, has almost no outstanding security issues, and years of engineering behind making it a quality product. And users don't care enough about security for that to be the tool people are reaching for right now.
Business is an art, and that art is the art of making tradeoffs to meet users halfway. And time and again, the product that thinks users need to be met halfway at "it's secure" gets trounced by the ones who meet users halfway at "It's usable."
> We fired all our 'security' people who told us we had best-of-breed security
Why, in a crisis, would you start by firing the people who already know the inside of your application, warts and all?