Zoom, a brand new video conferencing startup that has been around for nearly a decade, became the latest Silicon Valley pariah after a wave of reports from security researchers proved once again that technologists have no idea what cybersecurity and privacy are. Even its Founder & Chief Executive Officer, Eric Yuan, admitted that his company was caught sleeping at the wheel. “We never imagined that average people would actually want to use our software, much less how hackers could misuse it,” Yuan said in a statement. “The only reason we made a version free was for techies to use it responsibly. I mean, come on, who really would have ever thought that the Prime Minister of a first-world country would be so ignorant as to tweet out a screenshot that included his personal meeting code? That’s not the kind of user Zoom was made for.”
With the coronavirus pandemic forcing more and more people into virtual work, Zoom usage reportedly exploded as school districts and individual users snatched up free licenses and started sucking up the network bandwidth that larger enterprises were used to having to themselves. The resulting occasional Zoom meeting shudders ultimately annoyed security researchers who were already irritated that a revised definition of social distancing meant actually having to show up to 9 AM meetings.
One bearded security engineer from former Silicon Valley geek garage band and top 10 Zoom customer HP said, “Every time I complained about Zoom to management, they would just tell me that it passed the compliance questionnaire, and that was good enough for them.” He continued, “So, when they started making me wake up for these morning virtual standup meetings, I decided to start scanning the network traffic to see if Zoom was sending our design discussions to China. Of course, I was right.”
Jill Hazelbaker, Senior Vice President of Marketing and Public Affairs for Uber Technologies, another top 10 Zoom customer, seemed confused when asked about the company’s decision to use the software. “Our corporate leadership has been so focused on our own customer privacy issues and executives filming themselves berating our employees, I mean our contractors, that they could care less about what Zoom is doing.”
Most executives thought Zoom was great until it started offering free licenses to schools. Once children started using it for distance learning, the web conferencing software became so popular that it caught the attention of vandals also stuck at home and looking for new ways to entertain themselves. Zoombombing then entered the contemporary lexicon and parents working from home were forced to monitor their kids’ classes for modern streakers jumping into meetings unfettered.
After witnessing pornography on her daughter’s Zoom classroom, one cybersecurity executive directed her team to do a full security and risk audit of the software. “I had to ignore Zoom security because a member of our board of directors was friends with one of their board members,” she noted to explain why the team had not looked at it before. “I may lose my job over it, but I have already exceeded expectations by lasting more than 18 months.”
Quickly jumping onto the Zoom bandwagon because they did not realize similar tools were already available through their free educational services, many school districts are now reconsidering. Danielle Filson, the spokesperson for the New York City Education Department, lamented, “Look, we have no idea what we are doing. All we want to do is teach children for low wages and not worry about this technology stuff.” Los Angeles Mayor Eric Garcetti was more forceful in his contempt when asked about LA schools dumping Zoom at a recent press conference. “If any of those parents who are really smart technology people would stop telling our teachers to watch Khan Academy videos and volunteer to help us figure it out, we would welcome the rare show of support.”
Despite the blowback, few technology industry leaders seem to be concerned about Zoom’s prospects as more security researchers look for new vulnerabilities. Former Microsoft Windows chief Terry Myerson advised, “Microsoft is the leader at making customers happy about maintaining defective software. I really doubt that anyone will leave Zoom for Skype, so they should just shrug it off and patch away the pain.” Javier Soltero, head of Google’s G Suite office and education tools, suggested obfuscation as the best course for Zoom. “Whenever Google thinks that one communications platform is having issues, we just build a new one to confuse everyone,” Soltero said before showing how many enterprise Zoom customers are also G Suite customers as proof that the strategy is working to reduce pressure on the Google Hangouts league of competing tools.
Whatever the final outcome, hackers seem determined to be heard now that the world has followed them into social distancing. Instacart and DoorDash, likely next targets as cybersecurity researchers realize that they can no longer count on their corporate chefs to feed them, have reportedly begun hiring security engineers for the first time now that average people may potentially break their applications through unpredictable usage.
When I’m not trying to find humour from spending over 20 years working in cybersecurity, I define strategies and architect solutions that make sense for protecting mission-driven organizations. If you are looking for a leadership partner to help improve your organization’s resilience, contact me on LinkedIn or Twitter.