
Not defending them in any way - but don't think security was the primary reason for Zoom taking off. It was stability - it just worked and at the same time competitors didn't.

Everybody used to have Skype and I would have gladly handed over my data to MS if only it would have been able to do stable video calls. It was often a disaster for just 2-way calls, let alone group.




> don't think security was the primary reason for Zoom taking off. It was stability

Stability was the main draw, but company IT departments would have had more power to ban it if there were bigger and clearer risks of corporate secrets escaping.


Industrial espionage is real. There are many companies who are concerned about this and take active steps to keep data secret who would likely not have approved Zoom use if they'd known e2e encryption wasn't to the level they were told.

Some folks are concerned with more than stability and ease of use.


It's difficult to imagine a company that cares that much about keeping their video chat data private, but would use any third party service.

That doesn't justify Zoom making false claims--I just don't think the companies you're describing would be using Zoom.


One can't just delegate responsibility like that. Any company should engage in some form of due diligence before procuring software. If there are expectations of privacy then those should be proven by the company procuring the software, not the vendor.


How would you verify e2e encryption on a proprietary protocol? Not every company that cares about privacy has crypto experts on staff. They should have a reasonable expectation that the vendor is telling the truth.


1. Is the software proprietary? Liability, Denied.


You can't. Don't trust, but verify. If a company or individual needs strong privacy, they should verify any encryption claims.

This would mean using only libre/open source software like Jitsi or Linphone, as one could verify the code or hire experts to verify the code.


So it's okay that Zoom lied because users should have reverse engineered it to verify that what Zoom said about their own product was true?


No, if a company was really worried they shouldn't have opted for a cloud product with a (partly) Chinese-owned company. A lot of companies go through the trouble of giving their employees (especially management) "throw away" phones and/or computers when they send them to "problematic" places, in particular China, but then they install Zoom for their C-level and middle management executives to use, huh?


But everybody knows C-level and middle-management don't actually know anything or do anything. Have at it! It's like spamming the spammers.


You know what it's called when you purposefully lie about your products or services to gain an advantage? Fraud.

If this was happening in any other industry (except finance?), the perpetrators would be in jail.


Any company IT department's power to ban something is inversely related to how much its users want to use it. Also, the videoconference provider stealing company secrets is not part of most companies' threat model. Teams and Slack are incredibly popular corporate tools, and neither of them offer this feature. WebEx is the only reasonably popular tool I can think of that supports it, and any security department that cared strongly about E2EE would be asking questions like "do you perform key escrow" if they were thinking of migrating off something like that.


Why isn’t it? I highly suspect the CCP stole trade secrets with Zoom.


Because in order to operate a business (or any organization), you have to at some point decide on a group of service providers and other 3rd parties that you trust. For most organizations, trusting a major videoconferencing vendor is going to be within their risk tolerance. For some organizations (or for some use-cases within organizations) this wouldn't be acceptable (or perhaps trusting Zoom wouldn't be acceptable, where a different vendor might be), but at this point you're starting to stray outside of Zoom's target market and into a set of more specialized requirements.

Defending against sophisticated state-level actors goes even further beyond the requirements of most businesses. Unless you had a specific reason to believe that you were a target of such actors (dealing with national security, or matters of significant national strategic importance), you couldn't justify investing much resource into such defensive measures.


Does it really take that much for a company to be an interesting target for industrial espionage?


Or state secrets, or court secrets, or just preventing random Zoom admins from watching children in virtual classrooms.


> It was stability - it just worked

Also due to deception, it auto reinstalled on Macs until they were caught.


"this software I uninstalled keeps reinstalling itself. oh well, I guess I will have to use it!" said no one ever.


Users were unaware this was happening. "It just worked" because it would install itself in the background unbeknownst to the user, thus obviating the need to take time to install it when needed.


> It was stability - it just worked and at the same time competitors didn't.

This is absolutely huge. We've tried Teams (and I have previously used Webex and Hangouts).

It seems like there is _always_ one person that struggles with other video services. Can't join, video/audio issues, CPU usage, latency, etc. Painful when 10%+ of a meeting is consumed by getting one last, key person trying to fix their issues.


and it could be more stable because it didn't implement e2e encryption.


It's much easier to make a stable communication product if you don't need to worry about security and privacy.

Just look at the troubles and hurdles Signal messenger needs to overcome to implement some features, while the competition that is not so security focused has them since forever.


They took money from many clients to provide a service.

They did not provide the service they advertised: they provided something much inferior (and that's actually unsuitable for many industries).

It's not really about "what would clients have done otherwise". It's a matter of giving money back.

If you pay me to write a program, and it only does half of what I promise, wouldn't you want [part of] your money back?


Skype was better before the MS acquisition... and it used to be P2P. It'd be nice if the pre-MS source would leak somehow.


I think you may be viewing history through slightly rose-tinted glasses there - I used pre-MS Skype a lot and it was never anywhere near as reliable as Zoom is and didn't support group video chat at all. And the fact that it was P2P meant that some features that everyone would expect to work these days (offline messages, mobile support) were simply not possible at all.


Amen


Or maybe your long term memory is corrupted?


Fun fact, the original Skype developers also developed the great (for its time) P2P filesharing app/network Kazaa/FastTrack.


I'm not sure what would be accomplished if the source leaked. Someone would still need to maintain both the client and now a new set of servers. This would be difficult given that Microsoft would almost certainly use whatever means they could to stop this from happening.


Wasn’t Skype pre-MS P2P, not server based?


Perhaps. But at minimum there would still be some server necessary for discovery purposes.


The client application was also the server application. Clients with good connections which appeared to always be online became super nodes which were the directory "servers" you would connect to. The code base contained a long list of previously known super nodes and would attempt to connect to those on first start. As it ran it would keep syncing the list of close super nodes. There were many hundreds of super nodes, so the odds of all of them changing or going offline were pretty slim.

I imagine some people at Skype probably kept a few instances of Skype running at the office. So they technically hosted a few super nodes, but it wasn't necessarily that they were running some vastly different server version of the app. It wasn't until Microsoft decided to cut down on the P2P aspect of the app and hardcode only Azure-hosted super nodes into the application that this changed.


Interesting. I didn't realize that Skype was really P2P. Thanks for sharing :)


Isn’t that also how BitTorrent’s DHT works?



Wow. Brings back memories as MSN was the messenger of choice during my college years :)


It was stability and speed! It uses very little CPU for everything!


THIS THIS THIS. End users (generally) do not care about security they just need it to work.

That is what was great about Zoom. The security becomes important after it works.



