<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks for sharing.</p>
<p>I sense a little clickbait in that title: <i>"Zoom’s Security
Woes Were No Secret to Business Partners Like Dropbox"</i>. It
was also no secret to anybody who read the news. Even the article
itself links to old news articles, like the ones talking about the
local web server that Zoom would secretly and persistently install
on your machine and that allowed unauthenticated RCE:</p>
<p><a href="https://blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/">https://blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/</a></p>
<p>Clickbait aside, it is always interesting to see how these
companies tackle security as an afterthought. The programmers
implement the system with little to no concern for security,
then at some point somebody realizes the system is flawed, and
then the tiger black hat team rushes in to save the day. Except
that oftentimes they will operate on a contract basis, may not
even have access to the source code, and have no long-term
interest in the security of the product. If I remember correctly,
and this is what the article is talking about, Zoom patched that
web server crap only after it was made public:</p>
<p><i>"...it took more than three months for Zoom to fix the bug,
the former engineers said. Zoom <a
href="https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/"
rel="noopener noreferrer" target="_blank">patched the
vulnerability</a> only after another hacker publicized
a different security flaw with the same root cause."</i></p>
<p>Furthermore:</p>
<p><a href="https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/">https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/</a></p>
<p><i>"Earlier this week, a security
researcher published a blog highlighting concerns with aspects
of the Zoom platform. In engaging this researcher over the
past 90 days, we misjudged the situation and did not respond
quickly enough..."</i></p>
<p>But anyway. I'll take free/libre
software that can be inspected by the security community over
VC-funded proprietary garbage any day. The golden standard in
this respect seems to me to be <a
href="https://www.signal.org/">Signal</a>.</p>
<div class="moz-cite-prefix">On 4/20/20 5:01 PM, Robert Mathews
(OSIA) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ac6bdb0f-a70b-f0c4-60e2-0633a8b7d16b@hawaii.edu">
<blockquote><b>Business RELATIONS and MODELS <u>Having To Adjust</u>
To The SIGNIFICANT Imperfections -- DOWNRIGHT FLAWS of
Partners....</b><br>
</blockquote>
<font size="+1"><b>"Zoom’s Security Woes Were No Secret to
Business Partners Like Dropbox"</b></font><br>
<i>Dropbox privately paid top hackers to find bugs in software by
the videoconferencing company Zoom, then pressed it to fix them.</i><br>
<br>
By Natasha Singer and Nicole Perlroth<br>
<b>The New York Times</b><br>
April 20, 2020<br>
Updated 2:31 p.m. ET<br>
<a class="moz-txt-link-freetext"
href="https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html">https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html</a><br>
<div class="moz-signature">-- <br>
<font color="#b3b3b3"><i>Dr. Robert Mathews, D.Phil.<br>
Principal Technologist &<br>
</i><i>Distinguished Senior Research Scholar</i><i><br>
</i><i>Office of Scientific Inquiry & Applications (OSIA)</i><i><br>
</i><i>University of Hawai'i</i></font></div>
</blockquote>
</body>
</html>