
Zoom's decisions did not feel like mistakes so much as an expression of their values. The company repeatedly prioritised ease of use while doing the absolute minimum on the security front. Are there any grounds to believe that that calculus has changed?


No, but now they see that the minimum is not where they had thought. As someone who does security professionally, of course a business wants to do the minimum necessary for security. The point of security systems is to break things that would otherwise work.

TLS is there to break sessions that would work under TCP. GPG is there to tell you to discard some mail.


The fact that they hired Alex Stamos and probably just spent a bunch of money on buying Keybase seem like a sign that things are changing.

They prioritized ease of use above all to get adoption before. This is appalling to me, but I believe they are seeing enough pressure to change course. It’s believable to me that they would intend to as they have already captured much of the consumer (non-B2B) market mind share and can afford to invest in this area.

Will I be using it now? Still a no. Maybe in time though.


> The fact that they hired Alex Stamos and ...

Call me cynical, but "hiring" a bunch of infosec celebrities and critics as part-time consultants or contractors should be considered nothing but a (brilliant and silencing) PR move until the day that product updates and analyses reveal otherwise.


> until the day that product updates and analyses reveal otherwise.

The product (and their poor installer practice) has been updated several times in the past few months alone, and each move has made Zoom a more secure product, with the vast majority of the hubbub having been addressed. So are you simply ignoring that, or are you setting your own personal goalposts?


I'm doing neither. I'm pointing out a logical fallacy in the parent comment. Hiring people part-time and buying a company does not, on its own, convey anything about improvements to product quality, security, or the corporate culture of either. I can only infer from your comment that you might think I have some beef or issue with Zoom. I said no such thing.


Sure, but it's not "on its own", it's in the context of the investment in security mentioned by the parent comment.


At this point, I'm confused, and I'm not sure what point you or the other commenter are looking for me to concede. Zoom is paying some security consultants, pushed out some product updates, and bought Keybase, so it's a story book ending?


Just as your comment was aiming to narrowly point out a logical fallacy in the parent comment, I'm pointing out a flaw in your own: I disagree with your claim that investing in security practices is just theater, and that more concrete efforts in the same direction are irrelevant. The concrete efforts are Bayesian evidence that the newer investments are more than theater.


I didn't claim that. I believe in investing in security. I'm a security professional.


You said that those things are theater until the day the product updates. We are beyond the day when that happened. So for it to be a fallacy you have to reject the context in which it was presented, which nobody but you is doing.


It's a SaaS world, baby. Product updates (can) happen every day. I'm not sure what that proved.


Good catch, that was a misphrasing in my comment. I meant to say _Zoom's_ investments in security, not security investments in general.


I am not looking for you to concede anything. You said nothing has been done to show you that the calculus of their priorities has changed and I listed some things that could possibly show that. It’s up to you if you believe that is significant enough to convince you.

Frankly, I don’t care if it does or not. I was just providing some visible signs of investment.


I didn't see you respond to my comment in this thread unless you post under two different accounts.


You're absolutely right that past decisions focused on ease-of-use over security.

For evidence that they've changed their focus you can see their April 1 blog post[1] and the weekly video AMAs they do that are summarised in their "90-Day Security Plan Progress Report" blog posts.[2]

They're making a lot of progress.

The Keybase acquisition is about building out a strong security team that will help them implement end-to-end encryption in 1,000-person meetings, which currently isn't possible anywhere.[3]

[1] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u...

[2] https://blog.zoom.us/wordpress/category/announcements/

[3] https://twitter.com/alexstamos/status/1258405729720918016


This is a good point.

But I do think that company values do change.

Zoom is getting the shining light of attention globally. Even human beings, in these situations, start to act more conscientiously, and then believe their own morality after the fact!

I believe the Keybase acquisition demonstrates this a bit - because they will get zero public goodwill from this - nobody on Main St. knows or cares what Keybase is, this won't be on CNN, so they are probably very much trying to make things better.

Owners of the company want money - now they are popular, they have to behave well to get that money. Wanting money usually transcends everything else, including loyalty to state. A Chinese CEO with a popular Western product is going to realize that if his customers are wary of the CCP grabbing their data, it's a problem for his business. He doesn't want CCP snooping, and one of the better ways to do that is to have better encryption as well.

Doing slightly suspicious things doesn't matter if nobody is watching and therefore nobody cares, now that people care ... it matters. Just as a matter of pragmatism.


The CEO of Zoom is a naturalized U.S. citizen. He is ethnically Chinese but by all means he is no longer legally a Chinese citizen.

Source: https://en.wikipedia.org/wiki/Eric_Yuan


> did not feel like mistakes so much as an expression of their values

That's an interpretation you're choosing to make.


Calling it an interpretation is nothing short of revisionism. Nobody considers the hidden web server to have been an oversight. It required forethought and effort. It's not as if they didn't know what they were doing.
