Comment by spaceribs

6 years ago

A custom URI wouldn't work as seamlessly as Zoom's UX team would have liked. If you hadn't installed Zoom, either a nasty message would tell you the protocol wasn't supported, or it would redirect you to a Google search.

Their answer was to send people to a URL they controlled and brought you through the install process as easily as possible, but the issue they needed to solve was determining if you needed to have an install or just redirect to the app.

They broke so many security rules just to shave off a few inconvenient seconds, and those seconds raised them to the top.

Am I the only one seeing the pattern here? Most security loopholes I have witnessed have existed at the cost of providing a better user experience.

  • This is the security - usability tradeoff and is as old as the hills.

    • Yeah, it's a tradeoff by nature. This applies to security in general, not just computers. Having to unlock the door to your house when your hands are full with shopping is annoying, but the alternative is leaving your house unlocked all the time and trusting nobody will walk in.

      Depending on the context (location, is there usually someone home anyway, value of stuff within the house) you may or may not find the tradeoff makes sense and voluntarily opt for the worse 'UX'.

    • The fun thing is users mistakenly recognise the tradeoff as a sign of the security. If it was annoying it must be secure. Why would somebody waste my time for no purpose? See also placebo effect - of course I feel better, you gave me pills and I took them, duh, it's medicine.

  • This is the pattern of applications continuing to be deeply flawed and heavily advertised as long as you can be bought for a billion by IBM/Microsoft/Google/Facebook/TechOverlordOfTheYear and finally get into a stable enough state so that they can be part of the infrastructure when a full-featured open source version emerges.

Ah, yeah, the flow for when the app isn’t installed makes particular sense (at least as a motivation for why someone would implement something so awful). Thanks!

  • If you want to really break down their viewpoint on the situation, let's translate their PR statement line by line:

    > Zoom believes in giving our customers the power to choose how they want to Zoom.

    Zoom believes if their app isn't convenient to use, their customers have the power to leave their ass, as they are in an incredibly competitive market.

    > This includes whether they want a seamless experience in joining a meeting with microphone and video automatically enabled, or if they want to manually enable these input devices after joining a meeting.

    This includes making sure that they aren't asked to provide confirmation to access their camera/microphone, which impedes the convenience of the app to all participants. Less clicks equals less thinking.

    > Such configuration options are available in the Zoom Meeting client audio and video settings.

    Stop complaining about this as we have given ourselves a legally compelling user defined control hidden in a single tab deep within our preferences.

    > However, we also recognize the desire by some customers to have a confirmation dialog before joining a meeting.

    We can tell you aren't going to drop this.

    > Based on your recommendations and feature requests from other customers, the Zoomteam [sic] is evaluating options for such a feature, as well as additional account level controls over user input device settings. We will be sure to keep you informed of our plans in this regard.

    We don't care. We have lots of users, and lots of success having this option turned on by default. The support costs alone telling non-technical people how to turn on their cameras don't make it worth it.

    • Oh come on. There is no easy way to send people without the app to an installer page, that is the issue. And that is something every single person wants.

    • I'm unclear what subset of users are desktop only Zoom users that aren't also familiar with the same "Do you want to allow this app to access your camera/microphone?" dialogs on mobile devices. This can't be a large demographic, can it?

> The UX team

You seem to imply that they have a UX team but not a security team, so nobody convinced anybody else that this wasn't a good idea.

Without genuine security orientation, even if an expert realizes there is a security problem, who wants to be the boring paranoid pessimist who wastes time and attempts to ruin products, only to be staved off by the efforts of more productive employees that focus on adding value?

  • A sustainable company isn't built on velocity, lack of conflict, and willful ignorance.

    Decisions need to be made between strong opinions about the right path forward. There needs to be balance and respect between these aspects.

    Reading the PR statement, I highly doubt the people who have those strong opinions about security are being given a fair voice. They are probably there, but they have zero power to change anything within their product.

    • > A sustainable company isn't built on velocity, lack of conflict, and willful ignorance.

      > Decisions need to be made between strong opinions about the right path forward. There needs to be balance and respect between these aspects.

      tell that to literally every VC

  • The article indicates they have a "Security engineer" who was OOO when the author first contacted Zoom.

    So yeah, sounds like one human, and it sounds like she/he probably doesn't have much say.