Whammo, Camo

Everyone is raving about a new app called Camo that lets you use your iPhone as a webcam for your computer.

This is a great idea at first blush, since any recent iPhone has way better cameras than the webcam on any Mac you can buy. This is why webcams sold out in the early days of lockdown, when everyone was on Zoom all the time, realised just how bad the image quality was, and rushed out to buy better options. Serious streamers have of course long used full-on DSLRs as their webcams, but that’s a whole other level of expense — and the little dongles to connect those as webcams also sold out for ages.

Camo therefore seems like a really good idea, taking advantage of the great cameras in the phone that you already have. Unfortunately, it has a number of downsides in practice.

The big one is that it’s not wireless1; your iPhone will need to be connected to your Mac2 by a cable. If you have a (just plain) MacBook like SWMBO’s, with a single USB-C port, you’re already in trouble. Her non-Pro iPhone 11 came with a USB-A cable, so she would need to find her dongle, and then hope that she doesn’t need the single port for anything else. If she did have a USB-C cable, of course, she could choose between charging the laptop or connecting the phone — still not ideal. Newer models don’t have the single-port conundrum, but there are still plenty of MacBooks out there that only have one or two ports.

The other problem with the wired setup is that it means you can’t just prop your phone up and go; you’re going to need either a dock of some description with a connector already in place, or a stand or tripod to hold your phone. I had avoided buying one of these by getting a case with a kickstand built into it, but it’s not possible to connect a cable this way. I could of course put the phone in landscape mode, but that way the camera is far too low, giving viewers the full NostrilCam effect.

So okay, I can pick up a tripod of some sort from Amazon for not too much money — but speaking of money, here’s the big Achilles’ heel: while the free version of the app is fairly functional, upgrading to Pro costs €41.47. That’s nearly fifty bucks! Sure, I’d like to be able to use all my cameras; in free mode the app shows me the Wide 1x camera and the front selfie camera, but is it worth that much to use the Telephoto 2x or the Ultrawide 0.5x? Pro unlocks higher resolutions, and there are also a bunch of options to control focus, lighting, flash, zoom, and so on, which I would definitely have bought for a fiver or so — but not for this much. I already have a decent webcam at home (a Razer Kiyo), so I’d be using Camo only away from home, and I’d have to acquire and carry a separate piece of kit to do so.

I do wonder how many of this app’s target market are going to make the same evaluation as me. Most people who wanted a better webcam already bought one, which already limits the target market, and while many might be attracted to the simplicity of using their phone as a webcam, once the reality of what it takes to do that starts to sink in, I doubt many will pony up. The thirty-day refund does go some way to reduce the downsides, but at least for me it’s not enough.

I hate to be the person who quibbles at paying for software, but this is a lot for a very single-purpose app. I pay for other software I use — but a year’s subscription to Evernote costs about the same as this thing, and I get a lot more value from Evernote.

Nice app, though.


  1. The developer pinged me after this post went live, and apparently Wi-Fi support is coming in a month or so, and portrait mode too. That might just be enough to change my opinion. If so, I’ll come back and update this post again to link to a more complete review — one in which I actually use the app. 

  2. Windows support is coming, per the Camo website. 

Remote Events

In a normal year, this is high season for events and trade shows. Instead, because 2020, I’m at home with no immediate prospect of travel. While this lack of travel does have some benefits, I do miss events, and I hope that things will get back to normal, because virtual events — or at least, the sorts of virtual events I have attended — simply do not work for me, and I’m not the only one.

One big issue is just reserving the time to "attend" the remote event, because when we’re working from home, there’s a lot of other stuff going on.

To be fair, I also hope that we will learn from this year and add more and better options for remote attendees than just a video stream of the keynote, which has been the standard until now. I have not yet seen an event format that replicated what I love about in-person events, but there is value in doing that if we can, because whoever achieves that feat will unlock enormous amounts of value, for themselves and for their event’s attendees.

The environment is also benefiting from all of us being grounded instead of burning jet fuel (although my luggage1 is getting very dusty!). On the other hand, the local economy in places that typically host events is suffering badly — although one sector that I hope stays dead is the one that generates useless conference swag.

Time Is Value

The most important factor is the dedicated time. An event that I attend from home will inevitably need to fit in around other tasks, personal and professional. By contrast, if I have travelled somewhere and blocked out a day or a few days, I am motivated to make the most of that investment, and minimise other activities. There is also a feeling that I have permission to postpone everything else if I’m at an in-person event, a permission that I at least do not feel I have for virtual events.

There’s another aspect to time that is often overlooked, though, and that is time zones. If an in-person event is in a certain location, all the attendees agree to base their schedules on the local time zone. If it’s remote, all bets are off. Yes, there have been experiments with "follow-the-sun" conferences, with people either giving the same presentation several times, or recordings being rebroadcast after an offset, but it’s still not the same as all being there together, plus you also lose out on having one single conversation going on via Twitter or whatever social media about your announcements.

Hell Is No Other People

While perhaps not as quantifiable, the serendipitous networking is the aspect of in-person events that I miss the most, and certainly the hardest to reproduce online. You can have great conversations even just standing in the booth, if you ask punters questions about their work and situation instead of just regurgitating the same tired sales spiel for the Nth time.

In technical terms, you’re probably going to be able to give a better answer if you understand what the actual goal is. The first phrasing of a question from someone unfamiliar with your technology is probably not going to tell you that, because they are framing the question in terms of what they do know. Of course you’ll be even better placed if you can answer them in the context of what they know: "in Technology X that is indeed what you would want to do, but it has the following downsides: a, b, c; instead, in Technology Y we achieve the same goal in this other way, which delivers these benefits: foo, bar, baz; would you like to see a demo?".

A conference booth is also a great environment to practice your pitch many times, over and over, in relatively low-stakes conversations, and with lots of colleagues around you to ask for support or after-action critiques. I stood up in a booth on day two of my current gig, and by the end of the day I had learned more about actual customer needs and perception than in any office onboarding course.

Beyond that, I have benefited enormously from being dragged along in the wake of more senior colleagues, meeting people and participating in conversations that let me understand better how my industry worked. Just the questions that get asked in these senior-level conversations will tell you a lot, and topics that come up will tell you what is currently hot, what terminology is expected, and so on. In more recent years, I’ve been the one getting the invites, and so I try to bring other team mates along to benefit from their perspective and help them in their own careers.

In other words, it’s not (just) about the free drinks…

What Can We Do

There are some suggestions people have shared with me for how to improve remote events, which might also be applied as extensions to in-person events. After all, big events like WWDC or AWS re:Invent are already effectively remote events: even people who’re in town for the show end up watching video streams. Many people don't even have tickets, but they travel anyway for the networking and because everybody else is there, making it easier to meet a lot of people over the course of a week whom you would not normally have access to. Unfortunately, I am not quite convinced by any of these suggestions, precisely because they miss out on the reasons why people might travel to an event and only ever stay on its fringes.

Watch Parties

To combine remote events with at least some networking, some have suggested local user groups or similar organisations could meet up to watch the stream together. To me, this is the worst of both worlds, because I would still have to travel a bit, at least up to Milan, but my networking there would be restricted to the people who live and work there, who by and large are not relevant to me; my job is worldwide, not local or regional. This is the same objection I have to the suggestion of many local events instead of one big global event; I am specifically looking forward to getting together with everyone in the world who is interested in the same things I am. This sort of thing might make some sense if you’re in NYC and not wanting to travel to SF, or just not wanting to go to Vegas (sensible!), but it sucks for the lone person in Omaha or whatever who’s into that topic (replace US locales with your own; the same thing happens in every country/region). And again, time zones will complicate this. If you’re in Sydney, it’s going to be tough to follow a livestream from San Francisco or Amsterdam.

Portals!

I have been in many offices that have always-on video conferencing setups, usually in the kitchen or other common space, so that when you walk past you can wave at someone in the office in Bengaluru or wherever. This is the next step up from the social media walls that you (used to) see at in-person events, but again it seems to be a gimmick; a week after the first installation, nobody looks at the screens any more. They sometimes get used for all-hands meetings or similar occasions, but that’s it. They are more of a "digital transformation" checkbox, like the iPad for signing in on the front desk; gimmicks for companies trying to show how global and interconnected they are, rather than any sort of practical solution.

Another gimmicky technology that many expected to transform our lives is VR, but that's not working either, or at least not yet.

Look at the numbers

Attendance numbers are also not comparable between in-person and online-only events. The smaller numbers of people who attend in-person events have demonstrated significant commitment and are ipso facto extremely valuable contacts. The far larger numbers of people who register for online events have not made any such commitment; in fact, many have no intention of attending the live event at all, but will only look at a handful of recordings, potentially days, weeks, or even months later. How do you discount the quality of that lead? Is it any better than a webinar lead? Is it worse because of dilution (you don’t know which one session they were really interested in)?

So What?

Unfortunately, I have not found any good solutions. The best we can hope for is that by this time in 2021, we can once again have in-person events in safety, but that we also learn something about complementing the in-person experience with at least some remote-access options. Those remote options should also allow for time-shifting, whether by a few hours for people in other time zones, or by much longer periods for later review. The assumption that all speaking sessions are recorded should help ensure better content, as well as better outcomes for sessions that suffer from being scheduled across from a session on a hot topic or with a big-name speaker.

I’ll see you in my employer’s booth, and don’t forget to come to my session later!


🖼️ Photos by Samuel Pereira and The Climate Reality Project on Unsplash


  1. I even decided not to use a discount code for a piece of luggage I have wanted for ages, because I have no idea when I’ll get to use a carry-on bag again. 

An Unexpected Holiday

Every year after the end of school we have the habit of travelling to Finale Ligure, where my father-in-law’s family is from, for a couple of weeks. This is a couple of hours’ drive from home, so not too strenuous. In a normal year, SWMBO and I spend the weekends at the sea, and then drive to offices, airports, or train stations early on Monday morning, leaving the kids with her parents. We would then return to Finale on Friday, or if possible, on Thursday night so we could work from the beach on the Friday.

This year was a bit different. Once the Covid lockdowns hit in earnest, we had assumed we would not be able to travel to Liguria in June; the border with the region where we live had been closed to non-essential travel. However, in early June the restrictions lifted, and so we trekked out here.

This year is the first year I have spent the full fortnight in Finale, instead of disappearing during the working week. It has been somewhat challenging to work from here, but I figured it out, more or less — and one benefit is that I have been able to get up early, sneak in an early-morning bike ride, and be back with warm focaccia straight from the bakery for breakfast, all before 9am.

Finale is one of the top mountain-bike resorts in Europe, and stiff with ancient rusty camper vans from Germany and Scandinavia with bikes strapped to them that are worth several multiples of the van and all its contents. What is also great is the variety: you can be bombing downhill through a forest, then there’s a village that looks like something out of the Lord of the Rings where you can stop for coffee, then there’s a technical rock garden, and then at the end you can cool off in the Med. Pretty good, for an unexpected holiday.

That last picture is my office in Finale, yes. So if you’ve been on calls with me in the last fortnight, now you know why I’ve been using Zoom backgrounds more than normal…

The one downside is that the two episodes of the Roll For Enterprise podcast that I recorded down here have noticeably worse audio for my parts, because I was using AirPods instead of my fancy home studio setup. Something to bear in mind in future years, since we typically record on Friday afternoon at my end, when we would usually aim to be in Finale even if we had not spent the whole week here.

In-App Drama

Everyone and their dog has followed the saga of Hey and Apple — but in case you missed some of the twists and turns, this is a decent recap from The Verge.

My own opinion can be summed up as follows: "Wait, a hundred bucks a year?1 For email? In 2020? Are you insane?" (We also discussed the Hey saga on the most recent episode of the Roll For Enterprise podcast.) In fact, I am far more interested in Bye, the Hey parody that promises to reply to all your email with insults.

That said, there are a couple of different aspects to this story that I think are worth looking at in more detail. One is the PR debacle that this whole saga has been for Apple, and the other is what any of it means for users.

PR Ju-Jitsu

The fact that all this drama went down in the week before WWDC, and at the very same time as the EU opened antitrust investigations into Apple’s App Store practices, led many to wonder whether this could be some mastermind move to generate the sort of PR money can’t buy for an email app (because, again, email simply is not exciting in 2020. Ahem).

I don’t buy it. Oh, I am sure that the Hey team chose to launch the week before WWDC very consciously to get more attention, but they could never have expected Apple to approve their initial release, then reject a bug fix, and finally to be so ham-fisted in all of their subsequent moves. To be sure, David Heinemeier Hansson (DHH on Twitter, Hey and Basecamp cofounder) rode the PR wave masterfully, positioning himself as the David (ha!) to Apple’s Goliath. He was largely successful in this effort, judging by an entirely unscientific survey of my Twitter feed.

On the other hand, I am equally sure that Apple did not deliberately set out to pick a fight with a Twitter loudmouth in the week before the biggest event of their year. It does seem that they have been trying for some time to get more paid apps to use their own in-app-purchase (IAP) mechanism, and the reviewer(s) for Hey didn’t anticipate this level of blowback from one more enforcement decision in what is already a long list.

Apple PR did make some pretty heavy-handed and tone-deaf moves. At one point, a letter to Hey was apparently released to the press before it was sent to Hey, which is bad enough, but that letter contains language that DHH was easily able to present as a threat to his other apps in the App Store, which also do not use IAP:

Thank you for being an iOS app developer. We understand that Basecamp has developed a number of apps and many subsequent versions for the App Store for many years, and that the App Store has distributed millions of these apps to iOS users. These apps do not offer in-app purchase — and, consequently, have not contributed any revenue to the App Store over the last eight years. We are happy to continue to support you in your app business and offer you the solutions to provide your services for free — so long as you follow and respect the same App Store Review Guidelines and terms that all developers must follow.

To me this is not a threat, merely a statement of fact. Operating the App Store is not free, and Basecamp, by not offering IAP, has not contributed any revenue whatsoever to Apple.

Mob Tactics?

This is the key point: is Apple merely rent-seeking by attempting to extract their 30% cut from developers, or do they actually offer a service that is worth that overhead?

Ben Thompson has consistently been critical of the App Store’s regulations and their enforcement; in fact he goes so far as to consider it an antitrust issue, and made hay (or Hey) with this story:

I would go so far as to say that executives in the tech industry are more afraid of Apple in 2020 than they were of Microsoft two decades ago. App Store Review is such an absolute gatekeeper, and the number of ways that Apple can retaliate are so varied and hard to verify, that no one is willing to publicly breathe a word against the company — again, except for Basecamp. I wish I could prove this to you — the stories I have received the last few days tell the tale — but no one is willing to go on the record, to me or to regulators. The risk is too great, because Apple’s level of control, and willingness to use it, is so overwhelming. I wish I were exaggerating, but I’m not.

It’s certainly true that the App Store extracts rent from developers, but the key point is that it also adds substantial value. All of the coverage of Hey has focused on Apple and on developers, but I have not seen any significant discussion of the users’ point of view. Customers are more willing to engage with a single trusted intermediary like Apple than with vast numbers of unknown developers. Especially with subscriptions, which are notorious for being easy to start and difficult to impossible to cancel, Apple’s role in the process is invaluable.

The user experience is better because of Apple’s aggressive curation of the App Store experience, and users are more willing to take a chance on apps because of that curation, and because of the established trust relationship they already have with Apple.

Friction Is Traction

It’s easy for DHH to say that Apple is interposing itself between him and his customers. He would rather have a direct relationship with them, and keep the 30% for his bottom line. In his view, the App Store and IAP add unnecessary friction to the smooth transmission back and forth.

Here’s the thing, though: friction is not just a negative. If we remove all friction, we also lose all traction. Intermediaries like Apple add both friction and traction. The way they justify their 30% cut — the friction that DHH complains about — is by offering traction: the technical underpinnings of the App Store — hosting, payments, marketing, and so on — but also by enabling developers to take advantage of the trust that Apple has built up with its customers.

I am happy to have my credit card on file with Apple, so buying an app (or a book, or a film, or music back before I subscribed to Apple Music) is a one-click process. One of the reasons I trust Apple with my credit card is because they let me see and manage my subscriptions in one place, and they let me cancel them and even offer refunds of purchases simply and quickly. I have bought thousands of euros’ worth through Apple if you add up apps, books, and media; if I had had to register for each one of those purchases, and ask myself "do I trust this vendor not to scam me or just make my life difficult in some way?", I would not have bought nearly as much.

The restrictions that Apple imposes on iOS — no side-loading of apps from outside the App Store, sandboxing of individual apps, Apple ID login — may annoy developers and power users, but they also lower the barrier to installing new apps, because a sandboxed app is far less able to interfere with anything else on the device, whether by accident or by design. People who have experienced Windows are trained to be extremely reluctant to install new apps; no such caution is needed on iOS, in large part due to Apple’s oversight.

None of this is to say that the App Store experience is perfect for users. I could definitely use better search, as scammy developers seem to be winning this round against Apple and have made searching within the App Store almost pointless. The review process itself needs to be more aggressive in my opinion; especially with my eldest now using the App Store, I have discovered a whole lot of scammy IAP practices! Even then, though, the parental controls built into iOS beat anything Google offers.

Hey Hey, Bye Bye

Personally I hope Apple gets a fright and figures out a better way to continue to give me what I like as a user, without developers feeling ripped off. And regardless, there is no way I am dropping a hundred bucks a year2 on email.


  1. And it turns out, shorter account names cost even more: "Ultra-short 2-character addresses like ab@hey.com are $999/year, and 3-character addresses like abc@hey.com are $349/year." I mean, genius business model, charge whatever the traffic will bear and so on, but I just can’t even. 

  2. In fairness, Hey are hardly the only ones at the super-premium end of the email market. Superhuman charges $30/month to improve your Gmail experience, although this review is pretty uncomplimentary. 

One More Missed Opportunity For VR

SF authors have a lot to answer for. While they are popularly assumed to predict the future, most will be quick to disclaim any Nostradamus tendencies. Instead, they are trying to tell a story, and the setting is only a part of that effort. The problems arise when people read the story, fall in love with the setting — and decide to enact it in real life.

I’m as guilty as any other nerd, with my unmarked keyboard meant to evoke Case’s deck in Neuromancer that always got him into trouble at customs. I also have an Ono-Sendai sticker on my MacBook, just to complete the look. That sort of thing is mostly harmless. What about the people who read Snow Crash1 and decided to build the Metaverse, though? They read passages like this and think to themselves: "whoa, cool, I gotta build that":

He is not seeing real people, of course. This is all a part of the moving illustration drawn by his computer according to specifications coming down the fiber-optic cable. The people are pieces of software called avatars. They are the audiovisual bodies that people use to communicate with each other in the Metaverse.

And so they went and built those things. This is literally the origin story for a lot of the tech we have today, from the iPhone as Star Trek communicator on down. When it comes to VR, you might expect that now of all times, with nobody able to go to the office, VR would be having its moment. But it isn’t, at all.

Sure, there are hopefuls like Spatial, sometimes described breathlessly as "the Zoom of VR" — but it relies on the Oculus Quest hardware, which is hardly universal, or Magic Leap, which may never be seen at all. I tried it on the web and it’s buggy right in the signup experience, definitely not something I would introduce to colleagues, let alone clients.

Maybe when Apple brings out its AR headset we’ll have a platform worthy of the name, but right now VR just isn’t there. I’m a techie, an early adopter, and if you can’t sell me on VR when a) I can’t leave the house and b) there’s a new Half-Life game which requires VR, I think it’s safe to say it’s a small niche and going to stay that way.

I’ve been fully remote for a long time, but most people, even among those who had the choice, preferred to go into offices. Now we are all forced into the WFH life, but it’s awkward. Too many Zooms, too few, how much communication is needed or wanted, what needs to be synchronous and what can go async via Slack — and how do we manage all of that when many of us are also juggling other responsibilities? The home schooling, oh God the home schooling. Give teachers raises yesterday, they earned them.

Part of the stress of WFH is communication, and the pitch of meeting in VR is to approximate the experience of a real meeting better than just a grid of people’s heads on screen. It turns out, though, that experience is sufficient for most purposes. People are using Zoom for karaoke, cocktails (quarantini, anyone?), weddings, graduations, and just about anything else.

So Where Did VR Get Lost?

Even with the head start of everyone stuck at home and hating it, VR still has not taken off. The reason is the kind of second-order effect that ensures the future never looks like the past, or even like a linear extrapolation of it. It’s easy to think about remote working and see that it requires good bandwidth, that people with good written skills and the ability to manage their own time might thrive, and so on. Not many futurists had considered the impact on a family with both parents trying to work from home while juggling child care and home schooling, for instance.

This is one reason why even in lockdown VR hasn’t taken off (that and it’s still too expensive, but that’s a chicken & egg problem). I’ve taken tons of conference calls — yes, even on video — with a baby in my arms2, or keeping one eye on the maths homework going on next to me, or simply with one ear cocked for mischief being perpetrated somewhere else. VR, if it works properly, excludes all of that.

Some of the reluctance to embrace new tech is also the fear of obsolescence. If we can all go back to the office as soon as possible, the old habits and rules that enabled people to be successful in the past can be reimposed and those people can go on being successful without having to learn something new or change their behaviour in any way.

This reluctance also applies to tech platforms themselves. Remote events — and all events are of course remote for the rest of 2020 at least — default to the tried and true format of fast-scrolling comments beside live streamed events. This format was already tired ten years ago, but nobody has come up with anything much better. Partly there wasn’t a need, because it was easier just to rent out space in Vegas or Orlando and run the conference there, and partly there wasn’t a platform to build on. That last issue is of course another iteration of the chicken-and-egg problem: nobody has been able to build a platform because the users weren’t there, because nobody had built it, and repeat.

That consideration leads us back to Apple potentially jump-starting the whole VR-AR market by pulling their usual trick of holding back, looking carefully at what’s out there, thinking really hard about the use case, and then bringing out something that defines the market such that soon afterwards it is seen as inevitable and everybody else simply has variations on Apple’s theme.

Until that happens, though, the Zoom+Slack combo is the best we have, and we had better get used to it.


We discussed the topic of remote working on Episode Two of Roll For Enterprise, a new podcast I co-host. Listen to the episode, and subscribe if you like what you hear!


🖼️ Photo by Hammer & Tusk on Unsplash


  1. My favourite Snow Crash quote, and one which more people should take to heart, is this one: "It was, of course, nothing more than sexism, the especially virulent type espoused by male techies who sincerely believe they are too smart to be sexists." 

  2. For whatever reason, when I do this, it’s adorable, and when my wife does it, it’s unprofessional. I find this very weird, and so one reason I don’t hide my kids away is to make a point of modelling this behaviour as being okay so that my female colleagues might also feel comfortable with their children being in view of the webcam. 

KonMari The Home Office

I was all ready to hate this list of work-from-home tips from Marie Kondo, but actually it’s… not bad?

I mean, some of it is disgustingly twee — striking a tuning fork to signal the start of the working day? — but other parts make a lot of sense, like keeping your work stuff in a box that you can put away outside work hours.

There is a certain amount of work-from-home advice going about that is not exactly helpful, so at this point I am reflexively sceptical of new advice. There was the Washington Post advising people to sleep in their spare room and pretend they were on a trip, to which people quite rightly pointed out that not everyone has a spare room they can just casually go and sleep in. Even leaving aside issues of sudden economic anxiety due to the lockdown, many people made trade-offs to live in smaller homes in more expensive areas that were closer to schools, parks, restaurants, or transport options — precisely none of which they can take advantage of right now.

Another strand of unhelpful advice is when people forget that other people have children, or seemingly have never met a child in their entire lives.

I’m lucky enough that I was already set up with a pretty decent home office, and I spent the early part of this lockdown fitting it out to the nines, but in my own WFH advice I tried not to assume that everyone was in the same fortunate position. Even people who had the space might not have basics like a reasonably ergonomic desk and chair, and many don’t have the luxury of dedicated space. This is where Marie Kondo’s advice chimes with mine:

  • Keep your work stuff in one place. Work from the kitchen table, and move to the couch when you’re done.
  • Separate work time from personal time. Work from the laptop, then close the laptop when you’re done.

There’s one more piece of advice that I need to add, though:

  • Give yourself and others permission to be their whole selves. Some of us are juggling home-schooling kids with work, and so work happens around other stuff. Even when I’m in my home office, my kids regularly burst in to grab something from the printer, ask a question about homework, or sometimes just to give me a hug. People seem to find it charming more than anything else. This may well be because I’m a man, so I go out of my way to reassure female colleagues that it’s okay for their kids to do the same sort of thing.

Maybe you don’t have kids, maybe it’s your dog barking or your cat deciding to sit on you, or your room-mate coming out of the shower behind you. It’s fine, we’re all in the same boat.

And it could always be worse.


🖼️ Box photo by Bench Accounting1 on Unsplash, others from Stephanie Insley Hershinow and Adam Graham via Twitter


  1. How interesting, advertising by creating a profile on Unsplash! I hadn’t seen that one before — for a non-photography business, that is. Curious to know how it works for them. 

New WFH setup

Inspired by Eddie Jaoude, I made some updates to my home office setup. Just like everyone else, I have been on a ton of calls and a couple of podcasts too, so I kept myself entertained — and the economy moving — by upgrading my work environment.

In the foreground is my Røde NT-USB microphone, with shock mount, pop shield, and boom arm. That last is especially useful so I can swing the whole rig back out of the way when I’m done with it.

Behind that, you can see my Microsoft Natural keyboard; I get RSI if I type too long on straight keyboards, like my laptop’s for instance, so when I’m at my desk I use the Natural which lets me keep my wrists straight.

I use an Apple Magic Mouse, and I know some people hate it. It’s true that it’s not the most ergonomic thing ever, but I love the gestures on it, and I don’t actually use my mouse that much; it’s all about the keyboard shortcuts for me. This also means that I only have to deal with the silly recharging setup quite rarely.

The screen is an Iiyama 26". It’s only HD, not 4k, so it’s probably the next thing due an upgrade. I was hoping Apple would get around to releasing one of its lovely 5k screens without an entire iMac attached, but that is looking increasingly less likely. The LG 5k screen is just too ugly for words, especially for the price, so I’ll probably blow my next bonus on a nice 4k screen. What else am I going to spend money on right now, anyway?

On the walls are generic sound-absorbent foam panels. They really do make a surprisingly audible difference compared to bare paint — nearly as much as moving from the mike on the little headset that’s hanging beside the monitor to the big Røde!

Nestled under the monitor is one of my ancient Cambridge Soundworks speakers and its volume controller; you can just about see the subwoofer under the desk. It’s a four-speaker (plus sub) setup, but right now I don’t have the rear two wired up, waiting for a USB sound card with front+rear outputs that is on a very slow boat from China.

On top of the monitor, the bright ring of light is my Razer Kiyo webcam with built-in ring light. My office is in a half-basement, and the desk is in the darkest corner, so I need all the help I can get.

The computer itself is a MacBook Pro 13" with Touch Bar. Personally, I like the Touch Bar, although obviously I don’t use it much when the MBP is on its stand like this!

The keyboard under the stand belongs to the computer you can just about see above the monitor — yes, that’s a computer! The keyboard has blank keycaps for that William Gibson hacker look, while the computer is in a Skeleton "case" from Antec which is pretty much just an open frame to mount components in, plus a big slow fan to blow air over everything. It’s perfect for what is basically a parts-bin computer. It runs Debian and lets me mess around without the risk of doing something silly on my work computer.

The wicker boxes beside the Skeleton are all full of ancient tangled cables. Because of course they are.

Break Down

This is the other half of my home office, with a rowing machine set up in front of a TV with an Apple TV attached. This lets me stream webinars via AirPlay and watch them while I get a workout in. Good for a change of pace in between all the Zoom calls!

Emergency Spare Backup Office Location

Sometimes I also work from a secure alternative location outside my usual office, partly for the view and partly for the company.

Growth
When this lockdown started, all those branches were bare. Life goes on.

The Thing With Zoom

Zoom was having an excellent quarantine — until it wasn’t.

This morning’s news is from Bloomberg: Zoom Sued for Fraud Over Privacy, Security Flaws. But how did we get here?

Here is what’s interesting about the Thing with Zoom: it’s an excellent example of a company getting it mostly right for its stated aims and chosen target market — and still getting tripped up by changing conditions.

To recap, very quickly: with everybody suddenly stuck home and forbidden to go to the office, there was an equally sudden explosion in video calling — first for purely professional reasons, but quickly spreading to virtual happy hours, remote karaoke, video play dates, and the like. Zoom was the major beneficiary of this growth, with daily active users going from 10 million to over 200 million in 3 months.

One of the major factors that enabled this explosive growth in users is that Zoom has always placed a premium on ease of use — some would argue, at the expense of other important aspects, such as the security and privacy of its users.

There is almost always some tension between security and usability. Security features generally involve checking, validating, and confirming that a user is entitled to perform some action, and asking them for permission to take it. Zoom generally took the approach of not asking users questions which might confuse them, and removing as much friction as possible from the process of getting users into a video call — which is, after all, the goal of its enterprise customers.

Doing The Right Thing — Wrong

I cannot emphasise enough that this focus on ease of use is what made Zoom successful. I think I have used every alternative, from the big names like WebEx (even before its acquisition by Cisco!), to would-be contenders like whatever Google’s thing is called this week, to has-beens like Skype, to also-rans like BlueJeans. The key use case for me and for Zoom’s other corporate customers is, if I send one of my prospects a link to a video call, how quickly can they show up in my call so that I can start my demo? Zoom absolutely blew away the competition at this one crucial task.

Arguably, Zoom pushed their search for ease of use a bit too far. On macOS, if you click on a link to a Zoom chat, a Safari window will open and ask you whether you want to run Zoom. This one click is the only interaction that is needed, especially if you already have Zoom installed, but it was apparently still too much — so Zoom actually started bundling a hidden web server with their application, purely so that they could bypass this alert.

Sneaking a web server onto users’ systems was bad enough, but worse was to come. First of all, Zoom’s uninstall routine did not remove the web server, and it was capable of reinstalling the Zoom client without user interaction. But what got the headlines was the vulnerability that this combination enabled: a malicious website could join visitors to a Zoom conference, and since most people had their webcam on by default, active video would leak to the attacker.

This behaviour was so bad that Apple actually took the unprecedented step of issuing an operating system patch to shut Zoom down.

Problem solved?

This hidden-web-server saga was a preview run for what we are seeing now. Zoom had over-indexed on its customers, namely large corporations who were trying to reach their own customers. The issue with being forcibly and invisibly joined to a Zoom video conference simply by visiting a malicious web server did not affect those customers – but it did affect Zoom’s users.

The distinction is one that is crucial in the world of enterprise software procurement, where the person who signs the cheque is rarely the one who will be using the tool. Because of this disconnect, vendors by and large optimise for that economic buyer’s requirements first, and only later (if at all) on the actual users’ needs.

With everyone locked up at home, usage of Zoom exploded. People with corporate accounts used them in the evening to keep up with their social lives, and many more signed up for the newly-expanded free tier. This new attention brought new scrutiny, and from a different angle from what Zoom was used to or prepared for.

For instance, it came to light that the embedded code that let users log in to Zoom on iOS with their Facebook credentials was leaking data to Facebook even for users without a Facebook account. Arguably, Zoom had not done anything wrong here; as far as I can tell, the leakage was due to Facebook’s standard SDK grabbing more data than it was supposed to have, in a move that is depressingly predictable coming from Facebook.

In a normal circumstance, Zoom could have apologised, explained that they had moved too quickly to enable a consumer feature that was outside their usual comfort zone without understanding all the implications, and moved on. However, because of the earlier hidden-web-server debacle, there was no goodwill for this sort of move. Zoom did act quickly to remove the offending Facebook code, but worse was to come.

Less than a week later, another story broke, claiming that Zoom is Leaking Peoples' Email Addresses and Photos to Strangers. Here is where the story gets really instructive.


This "leak" is due to the sort of strategy tax that was almost inevitable in hindsight. Basically, Zoom added a convenience feature for its enterprise customers, called Company Directory, which assumes that anyone sharing the same domain in their email address works for the same company. In line with their guiding principle of building a simple and friction-free user experience, this assumption makes it easier to schedule meetings with one’s colleagues.

The problem only arose when people started joining en masse from their personal email accounts. Zoom had excluded the big email providers, so that people would not find themselves with millions of "colleagues" just because they had all signed up with Gmail accounts. However, they had not made an exhaustive list of all email providers, and so users found themselves with "colleagues" who simply happened to be customers of the same ISP or email provider. The story mentioned Dutch ISPs like xs4all.nl, dds.nl, and quicknet.nl, but the same issue would presumably apply to all small regional ISPs and niche email providers.
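To make the Company Directory failure concrete, here is an added example (not Zoom's code) that contrasts the denylist heuristic described above with an allowlist of verified organisation domains. All addresses and the `example-corp.com` domain are constructed for illustration; the ISP domain comes from the story quoted above.

```python
# Added example, not Zoom's code: the "same email domain == same company"
# heuristic, first with a short denylist of big providers (the flawed
# design) and then with an allowlist of domains an organisation has verified.
# Addresses and example-corp.com are constructed; xs4all.nl is the Dutch ISP
# named in the article.

# Denylist approach: only the biggest consumer providers are excluded,
# so every other domain is treated as a single organisation.
BIG_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def email_domain(address: str) -> str:
    """Lower-cased part after the last '@'; rejects malformed input."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()

def directory_denylist(addresses):
    """Reproduce the flawed heuristic: group users sharing a domain unless
    the domain is on the denylist. Returns only groups with 2+ members."""
    groups = {}
    for addr in addresses:
        dom = email_domain(addr)
        if dom in BIG_PROVIDERS:
            continue
        groups.setdefault(dom, set()).add(addr)
    return {d: m for d, m in groups.items() if len(m) > 1}

def directory_allowlist(addresses, verified_orgs):
    """Hardened version: only group users whose domain an organisation has
    verified (for instance through a DNS record or admin enrolment).
    Unknown domains, including small ISPs, are never grouped."""
    groups = {}
    for addr in addresses:
        dom = email_domain(addr)
        if dom in verified_orgs:
            groups.setdefault(dom, set()).add(addr)
    return groups

# Constructed sample: two employees of a verified company, two unrelated
# customers of the ISP named in the article, and two Gmail users.
SAMPLE_USERS = [
    "alice@example-corp.com",
    "bob@example-corp.com",
    "stranger1@xs4all.nl",
    "stranger2@xs4all.nl",
    "carol@gmail.com",
    "dave@gmail.com",
]
VERIFIED_ORGS = {"example-corp.com"}

if __name__ == "__main__":
    print("denylist :", directory_denylist(SAMPLE_USERS))   # xs4all.nl users grouped
    print("allowlist:", directory_allowlist(SAMPLE_USERS, VERIFIED_ORGS))
```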

Ordinarily, this sort of "privacy leak" is a storm in a teacup; it’s no worse than a newsletter where all the names are in the To: line instead of being in Bcc:. However, by this point Zoom was in the full glare of public attention, and the story blew up even in the mainstream press, outside of the insular tech world.

Now What?

Zoom’s CEO, Eric Yuan, issued a pretty comprehensive apology. I will quote the key paragraphs below:

First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.

We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.

It’s too early to say what the long-term consequences for Zoom will be, but this is a good apology, and a reasonable set of early moves by the company to repair its public image. To be clear, the company still has a long way to go, and to succeed, it will need to rebalance its exclusive focus on usability to be much more considerate of privacy and security.

For instance, there were a couple of zero-day bugs found in the macOS client (since patched in Version 4.6.9) which would have allowed for privilege escalation. These particular flaws cannot be remotely exploited, so they would require would-be attackers to have access to the operating system already, but it’s still far from ideal. In particular, one of these bugs took advantage of some shortcuts that Zoom had taken in its installer, once again in the name of ease-of-use.

Installers on macOS have the option of running a "preflight" check, where they verify all their prerequisites are met. After this step, they will request confirmation from the user before running the installer proper. Zoom’s installer actually completed all its work in this preflight step, including specifically running a script with root (administrator) privileges. This script could be replaced by an attacker, whose malicious script would then be run with those same elevated privileges.
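The defensive counterpart to that installer flaw is to refuse to run a helper script as root if a non-root user could have replaced it. The following is an added example (not Zoom's installer code) of such a check; the function names and the idea of shipping an expected SHA-256 digest with the package are assumptions for illustration.

```python
# Added example, not Zoom's code: before a privileged installer step runs a
# helper script as root, verify that only root could have written it.
# Function names and the expected-digest convention are assumptions.
import hashlib
import os
import stat
from typing import List, Optional

def script_check(owner_uid: int, mode: int, digest: str,
                 expected_digest: Optional[str] = None) -> List[str]:
    """Return the reasons a script must NOT run as root (empty = all good).
    Pure function over metadata so it can be tested without touching disk."""
    problems = []
    if owner_uid != 0:
        problems.append(f"owned by uid {owner_uid}, not root")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if expected_digest is not None and digest != expected_digest:
        problems.append("contents differ from the digest shipped in the package")
    return problems

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def safe_to_run_as_root(path: str,
                        expected_digest: Optional[str] = None) -> List[str]:
    """Inspect the file without following symlinks, then walk up the parent
    directories: a parent writable by non-root lets an attacker swap the
    whole file regardless of the file's own permissions."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    problems = script_check(st.st_uid, st.st_mode, sha256_file(path),
                            expected_digest)
    parent = os.path.dirname(os.path.abspath(path))
    while True:
        pst = os.lstat(parent)
        if pst.st_uid != 0 or pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"parent directory {parent} is writable by non-root")
        if parent == os.path.dirname(parent):   # reached the filesystem root
            break
        parent = os.path.dirname(parent)
    return problems

if __name__ == "__main__":
    import sys
    for reason in safe_to_run_as_root(sys.argv[1]):
        print("refusing to run:", reason)
```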

Personally I hope that Zoom figures out a way to resolve this situation. The user experience is very pleasant (even after installation!), and given that I work from home all the time — not just in quarantine — Zoom is a key part of my work environment.

Lessons To Learn

1: Pivoting is hard

Regardless of the outcome for Zoom, though, this is a cautionary tale in corporate life and communications. Zoom was doing everything right for its previous situation, but this exclusive focus made it difficult to react to changes in that situation. The pivot from corporate enterprise users to much larger numbers of personal users is an opportunity for Zoom if they can monetise this vastly expanded user base, but it also exposes them to a much-changed environment. Corporate users are more predictable in their environments and routines, and in the way they interact with apps and services. Home users will do all sorts of unexpected things and come from unexpected places, exposing many more edge cases in developers’ assumptions.

Companies should not assume that they can easily "pivot" to a whole new user population, even one that is attractively larger and more promising of profits, without making corresponding changes to core assumptions about how they go to market.

2: A good reputation once lost is hard to regain

A big part of Zoom’s problem right now is that they had squandered their earlier goodwill with techies when they hid a web server on their machines. Without that earlier situation, they might have been able to point out that many of the current problems are on the level of tempests in teacups — bugs to be sure, which need to be fixed, but hardly existential PROBLEMS.

As it happened, though, the Internet hive mind was all primed to think the worst of Zoom, and indeed actively went looking for issues once Zoom was in the glare of the spotlight. In this situation, there is not much to be done in the short term, apart from what Zoom actually did: apologise profusely, promise not to do it again, and attempt to weather the storm.

One move I have not yet seen them make which would be very powerful would be to hire a well-known security expert with a reputation for impartiality. One part of their job would be to act as figurehead and lightning conductor for the company’s security efforts, but an equally important part would be as internal naysayer: the VP of Nope, someone able to say a firm NO to bad ideas. Hiding a web server? Bad idea. Shortcutting the installer? Bad idea. Assuming everyone with an email address not on a very short list of mega-providers is a colleague of everyone else with the same email domain? Bad idea.


UPDATE: Showing how amazingly prescient this recommendation was, shortly after I published this post, Alex Stamos announced that he was joining Zoom to help them "build up their security program":


Alex Stamos is of course the ex-CSO at Facebook, who since departing FB has made something of a name for himself by commenting publicly about security and privacy issues. As such, he’s pretty much the perfect hire: high public profile, known as an impartial expert, and deeply experienced specifically in end-user security issues, not just the sort of enterprise aspects which Zoom had previously been focusing on.

I will be watching his and Zoom’s next moves with interest.


3: Bottom line: build good products

Most companies need to review both security and usability — but it’s probably worth noting that a good product is the best way of saving yourself. Even in a post-debacle roundup of would-be alternatives to Zoom, Zoom still came out ahead, despite being penalised for its security woes. They still have the best product, and, yes, the one that is easiest to use.

But if you get the other two factors right, you, your good product, and your long-suffering comms team will all have an easier life.


🖼️ Photos by Allie Smith on Unsplash

Quarantini

Happy Friday!

(Birkenstocks: model’s own. These are taking the place of my normal spring sneakers purchase.)