
The cognitive dissonance here is amazing. How do you claim you are offering E2E as an upgrade on a product you have already claimed is E2E?


I'm not sure it's still really cognitive dissonance when they admitted their error in marketing it that way, announced they were working on exactly this to provide what their claims said, and now they're saying it's done?

Sounds like they got a sudden spike in interest, realized that their customers were angry, admitted the error, bought keybase, and provided what their customers asked them for.


> error in marketing it that way...

There's an astonishing lack of ethics in our industry. A marketing error here, a software bug there [1], a misleading opt-out here [2], a preinstalled malware there [3][4][5], a little violation of privacy here [6][7], a little lack of respect there [8][9]... It's all happening all at once. We shouldn't be lapping it up.

[1] https://news.ycombinator.com/item?id=24514433

[2] https://news.ycombinator.com/item?id=22531087

[3] https://news.ycombinator.com/item?id=9072424

[4] https://news.ycombinator.com/item?id=17145204

[5] https://news.ycombinator.com/item?id=3298205

[6] https://news.ycombinator.com/item?id=19031055

[7] https://news.ycombinator.com/item?id=23929044

[8] https://news.ycombinator.com/item?id=4936561

[9] https://news.ycombinator.com/item?id=14384187


I hate to be that guy, but you can hardly blame them when there are hardly any consequences. I really hate what they’re doing, but the worst they get is a slap on the wrist.


They do not get even a slap on the wrist. There is literally no enforcement for any of this.


No, it's very true.


I blame the dumb meme of 'Hanlon's Razor'. It extols gullibility.


Agreed. "never attribute to malice that which is adequately explained by stupidity" basically means

"Always make sure your malicious act can be adequately explained by stupidity if you get caught"


Here's a clever technique from the Web PKI: Stop blaming people. You don't need to care whether people are malevolent or incompetent, you can assume incompetence just fine. Intent only matters for blame, so, don't use blame.

I don't actually care whether the board at Symantec were deliberately turning a blind eye to forbidden practices and then got caught, or whether they were too incompetent to exercise effective oversight and had no idea there was a problem; we can't trust them in either case.


Apart from in the legal system, which is supposedly where we go to sort things like this out and discourage others from doing the same thing, intent has a massive impact ( https://en.wikipedia.org/wiki/Mens_rea ) on the penalties you can levy to discourage said behaviour.


Even after they got busted, I had their sales reps pitching my organization that they have proper E2E encryption, and that the public claims were mistaken.

So, no. This perfectly above-board version is not what happened.


IIRC their web site wasn't updated to reflect the facts, either. In my opinion this means they lied twice - once after being caught out.


That is another story entirely. It's a very low bar and that still doesn't make the cut. Like a car dealership except with no rules...


> [...] bought keybase [...]

I missed that one, thanks for the heads up (found sources @ [1]). Between that and Keybase going into cryptocurrency, that means I uninstalled Keybase and quit using it.

[1] https://en.wikipedia.org/wiki/Keybase#cite_note-12


Zoom is guilty of a lot of stupid stuff, but the "E2E" controversy is among the dumber controversies. Zoom's characterization of end to end was referring to the transport layer between the clients and Zoom service endpoint. The more serious issue there was that until a point in the recent past, they weren't using an appropriate cipher mode.

E2E in the sense that security nerds bang their chests about isn't what customers want. Boards of directors of public companies, some attorneys, and some others need it. Almost nobody else does. It means that you don't have cloud recording, can't use POTS phones to connect to the meetings, etc. People with those needs have security controls beyond the software, so they probably need something like Webex, or should be using directly connected room systems. Someone who needs E2E for real reasons isn't doing it from home, for example, as you need to take other measures to protect that meeting content.


You've pushed this narrative a couple times in these threads that only nerds care.

That's like saying only car mechanics care about the kind of oil that goes into your car. Yeah, I mean nerds care because nerds know the difference. This is not something where nerds caring about e2e is at odds with what everyone benefits from. Better security benefits everyone without taking away from the experience.

There's absolutely _nothing_ preventing recording while having end-to-end encryption. It just means the recording happens at one of the ends and can be uploaded. Hell, you could even go as far as storing the encrypted streams, and then decrypt on the device during playback. The keybase people especially have experience with messages that are encrypted so that only a handful of recipients can decrypt it.

The POTS line, I'm less sure about. But I'm still a little iffy about it, since everything is VoIP now. But that may not matter.


You cannot do cloud recording, which is usually preferable for companies.

If you look at 100 Webex customers, who have access to a high quality E2E capability, you’ll find 3-5 (outside the military) who have ever used it.

You cannot do service-side POTS integration unless you integrate with an on premises PBX and restrict external calls.

I’ve been on teams designing high security collaboration environments. E2E is a need for specific use cases only — the user endpoint is usually a bigger risk. Nobody with that need is considering Zoom!


Your points are fair enough. I just think e2e should be table stakes these days for any communications platform. The only folks not doing it for consumers are the companies that are addicted to invading our privacy, like Google and Facebook (WhatsApp is e2e but FB has been fighting that for a while).

The others are rolling it out.

Zoom is being used for schools with kids younger than my 7 year old. And probably telehealth too. These should all be e2e encrypted.

Enterprises should be demanding e2e. Especially given the Chinese government's aggressive corporate espionage, I'm shocked that more companies aren't nervous about having potentially sensitive meetings on Zoom. I know one of my clients expressly forbids their employees from joining Zoom meetings.



