Bruce Schneier on Zoom security

Hi Fools,

If you’re not familiar with Bruce Schneier, he’s one of the world’s foremost authorities on public key encryption. In fact, he quite literally wrote the book on it!

A while back he wrote a blog article outlining his many concerns about Zoom and their privacy/security failings: https://www.schneier.com/blog/archives/2020/04/security_and_…

More recently (and more importantly, in my opinion) he wrote a new article re-visiting Zoom and updating his readers on the progress Zoom has made in addressing the issues outlined in the previous article:

https://www.schneier.com/blog/archives/2020/04/secure_intern…

For me, the important part of the latter article wasn’t the article itself, but rather, the first comment on the article and Bruce’s response to it:

Comment:

@Bruce - whilst I normally agree with most of your Op-eds, I’m genuinely curious as to how you can reconcile using (or recommending) Zoom considering their multiple, egregious breaches of privacy and mis-selling of encryption to their users?

I thought your previous article, in which you appeared diametrically opposed to Zoom, summed up a great many reasons not to use Zoom.

Response:

@Jack:

“I thought your previous article, in which you appeared diametrically opposed to Zoom, summed up a great many reasons not to use Zoom.”

And yet I never stopped using it.

Basically, all security is trade-offs. I had to use Zoom for my class, because that’s what Harvard had as its standard and it works well in a classroom setting. I started using it for personal video calls, because that’s what everyone else had. I continue to use it because I like the features, and they are trying to improve their security and privacy.

Putting it another way: I used to use the telephone system a lot more, and their security and privacy is even worse. Again, it’s all a trade-off.

I wouldn’t run a UK Cabinet meeting over Zoom, though.

So, here we have the world’s foremost authority on public key encryption and one of the world’s leading authorities on security in general stating “everything has trade-offs, even security” and “In most cases, security is a hindrance to convenience and productivity that doesn’t warrant that trade-off!”

Being in the networking/infrastructure (and thereby also deeply involved in security of those things), I have long maintained that “Security is inversely proportional to productivity!”. And here, we have Bruce saying essentially the same thing.

Note: He is not at all saying that security does not matter. But rather, “it’s good enough for most of the things most of the people who use it want to use it for.”

This is important. Especially from an investment perspective. Many people will hear Zoom is insecure and think it’ll be hacked frequently or all sorts of privacies will be breached. Not true for the vast majority of Zoom calls. No one is going to hack my company Zoom sessions where me and my team are discussing the work we need to do this week, or my weekly family Zoom call with cousins from Alaska. They probably won’t even bother with my company meeting over Zoom. But they might try to hack the British Parliament calls, or Pentagon calls, etc. Or a bank. But of the millions of people using it for everyday business, no one cares, and it’s “good enough”.

And, most people don’t really care about security anyway, because they have no idea what that really means, or how a security breach could affect them should it happen. People seldom, if at all, think about these things until it’s too late. And Bruce is telling us that Zoom is already good enough to the point where we no longer have to worry about it for the vast majority of use cases.


Paul - Who would rather have a dollar/minute he spent on Zoom calls these days than the too few Zoom shares he currently owns :)

39 Likes

So the philosophy of using Zoom despite security concerns is basically the same as those that want to end quarantine.

The productivity gains outweigh the risks.

No one wants to speak to valuation, and the same non-reality-based arguments I heard about Arista destroying Cisco and taking over the enterprise (circa Jan 2018, which never materialized, btw) are being applied to this idea that Zoom will just take over enterprises.

Microsoft has 200m daily participants and 75m DAUs. Most corporations use O365 or are still on Exchange but plan on moving to O365, and then Teams (along with OneDrive/SharePoint) are basically packaged in. Microsoft also does this with security…Azure AD competes with Okta, you have AIP, Defender ATP. Optionality.

Webex was/is still a formidable presence in Enterprise space. Backed by Cisco, of course. Zscaler was supposed to destroy Cisco too. Two biggest use cases for Zscaler? O365 by Microsoft and SDWAN. Know who a leader in SDWAN is? Cisco’s Viptela product line. Optionality.

Facebook and Shopify share a lot of joint clients…the idea that Facebook couldn’t make inroads in the consumer or smb space doesn’t fly. Add to that the incorporation of VR/AR that Facebook (and MSFT) lead in, and their video products have greater optionality than Zoom long-term.

Google Chromebooks rule education…pretty sure if they put their mind and considerable resources to pairing up their video solutions as a tie-in for Education clients with Chromebooks, they are a formidable force in that space then, too.

Consumers already have/had options; FaceTime/Apple, Facebook, Alexa/Amazon, Google Hangouts.

Zoom not only does not have a free path to take over the planet, they still have to pay for the petabytes of video data their hundreds of millions of non-paying participants are generating. So while I expect revenue to rise due to covid, I expect costs to rise relatively greater, plus the y/y comps will be shot as things normalize. Plus, there is always the jump-the-shark fatigue factor:
https://www.usatoday.com/story/news/nation/2020/04/23/zoom-f…
https://www.ecowatch.com/video-calls-zoom-fatigue-2645822041…
https://www.engadget.com/online-conferencing-video-chat-fati…
https://www.bbc.com/worklife/article/20200421-why-zoom-video…
https://www.cnbc.com/2020/04/27/why-video-chat-during-covid-…

On top of all this, they had a valuation problem, pre-covid. There is a reason the stock was negative for many in 2019…it was overvalued out of the gate. It took a pandemic to start justifying the valuation, but the problem is it was already overvalued, so now was near $50b mkt cap, or equivalent of about 7-8 AYX’s.

If they were in the $15-20b range now, because they were more unknown and didn’t debut/IPO in middle of SaaS peak in 2019, then I would be a buyer, because I could see potential upside.

The stock will probably bounce back, as at some point we will string a few bad market days together again, and there will be a new outbreak in NY or somewhere that will spook everyone, and ZM now acts as a hedge to normal economy. I wouldn’t want to be in a position where you have to bet against the world returning to normalcy to get future stock appreciation, but that is just me.

good luck all,
Dreamer

6 Likes

Dreamer,

You seem to have neither read the articles I linked to nor cared to make any point at all related to the security concerns of the product vs. the safety of using the product despite those concerns.

What, pray tell then, was the point of connecting your rant over valuation with my post regarding the implications of security concerns for Zoom? Or was it that you just need to hear yourself rant over valuation some more?


Paul

17 Likes

I replied to your post with solid reasoning, from multiple directions.
My first sentence was tied to a summary of your post from a security perspective. There have been a few hundred posts on Zoom security here. My company, like many in the F500 space, does not allow Zoom internally due to security concerns, but kind of a moot point since we, our clients, and our vendors, almost exclusively leverage Teams/Skype/Webex anyway. So I didn’t feel the need to belabor the security point further.

Your previous post was basically “hey…security expert said he has to use zoom, regardless of security” I guess with the purpose being that somehow validates ZM as a stock appreciation candidate from today’s levels (because why else do we invest?).

To sum up: I provided a ton of investment-relevant info in my previous response. Your post below is just you being snarky to me.

I am used to it…got the same reaction from the ANET crowd previously.

Good luck.
Dreamer

2 Likes

“I replied to your post with solid reasoning, from multiple directions.”

Not really. You started with an emotional argument tying Zoom security to pandemic fears, as if people don’t normally accept much greater risk just driving a car. You ended with an emotional/moral argument about holding a stock that might rise because of overall negative impositions on society…one presumes you hold only “moral” stocks?

In the middle you create what I think are strawman arguments, that people assume Zoom is going to conquer the entire conference space and how naive they are for thinking so; and emotional arguments about how you’ve seen this kind of fever before.

I’m in Zoom mainly for 4 reasons now:

  1. they were already growing at a great rate (they may or may not have been overpriced before, that’s a different debate)
  2. they’ve had a period of ridiculous and unprecedented usage growth in both enterprise and consumer space. One expects (hopes?) that translates to revenue, I guess we’ll see.
  3. they’ve apparently expanded their appeal into market spaces that were never part of their previous target (such as medicine and education), primarily because of ease of use.
  4. they’ve experienced an unprecedented brand awareness explosion, again primarily because of ease of use.

That’s it. I’m not predicting they are going to “kill Webex” or “kill Teams”. Or even if they somehow dominate the market that they will stay there (that’s a conversation for a different time). However, as at my current company, where we use both O365 and Zoom, they can certainly steal some market share, or live alongside these other platforms. And “ease of use” is a vastly underrated moat imho. Most software is designed by software engineers, which means it’s generally terrible. (Being a software engineer myself means I can make such a blanket statement… :) ) The fact that millions of average consumers were able to jump on the usage bandwagon speaks volumes to me.

25 Likes

I think I understand his reasoning. If I am the director of the CIA, I don’t want Zoom. The CIA is a target for the best hackers in the world. If I am teaching a class in beermaking, or SaaS investing, I am fine with the possibility of a snooper, because I am not a target nor am I discussing my social security number.

That leaves lots of people who will use Zoom. Some are big enough to be paying customers.

Customers care about easy use, quality of service and security in varying proportions.

But ZM wants the customers who bring fat money. The customers with fat budgets care about security because they have something to steal. It could be intelligence or technical data or business plans. They care about security. And like Warren Buffett says, “there is never just one cockroach”. ZM can’t afford any more missteps, either for users (security) or investors (defining and counting users correctly). Good accounts make good friends and happy investors.

The Harvard professor isn’t the same kind of target as the CIA or Boeing. Motley Fool isn’t the same kind of target. The church service hopes thieves are watching so they will repent. But they don’t pay the kind of money a Boeing or GE or government can pay. High profile targets like them will be concerned with security.

How about easy use? ZM wins in a social/club/church setting for instant-on meetings. I have never set up a meeting with it, but I have clicked on the meeting organizer’s email link and been “in” in 5 seconds.

Quality of service? I have been in gatherings with ZM, Teams, Webex and Skype. All have had good days and bad days. I don’t personally care about a hi-resolution image of my boss’s face. But I better have quality of audio and good image when he shares his desktop or some slides. All the four listed above can do that. I can say that I work for a major tech company. At present we have Skype, Teams and Webex. I personally don’t see a compelling reason to dump Teams or Skype, because we get them with our Microsoft tools.

Where I will care about quality of video is watching a kid’s basketball game over the net if I can’t be there in person. That’s worth a lot to me, but that won’t keep ZM alive.

ZM has a lot of users at the moment. Some will stay when the virus has subsided. How many will pay? Don’t know. They all think about cost, security, easy use and quality of service in varying amounts. If you know IT people personally, maybe they will share their thoughts, because their decisions are where the big business accounts will come from for ZM.

Disclosure: Long ZM, but not a major amount.

4 Likes

We should remember that there are really three questions about security with respect to Zoom:

  1. What vulnerabilities does it have, actually?

  2. In what circumstances are those vulnerabilities relevant?

  3. Are competing products any better?

These are, of course, constantly changing and can have some subtle aspects, e.g., the recent change to make some security settings default which significantly improved the security for the unsophisticated user, but didn’t actually change the security of the underlying product.

4 Likes

“This is important. Especially from an investment perspective. Many people will hear Zoom is insecure and think it’ll be hacked frequently or all sorts of privacies will be breached.”

And this is exactly the problem. My wife was asking me if her book club should continue to use Zoom. I told her “of course,” of course. I could sit in with permission and couldn’t tolerate 90 minutes of that!

At this point the unfortunate reality is that the perception of Zoom security matters more than the reality. That perception is surely hurting adoption. Whether by paying customers or not I don’t know.

One other note, which I’m sure I’ll get flak for, is that Zoom is the battleground stock of the 21st century’s third decade. I can’t mention what the battleground stock for the 21st century’s second decade was, but I’m sure you can figure it out, and how that turned out.