[liberationtech] Business RELATIONS and MODELS Needing To Adjust....

Marc Sunet msunet at shellblade.net
Tue Apr 21 07:38:52 CEST 2020


Thanks for sharing.

I sense a little clickbait in that title; "Zoom’s Security Woes Were
No Secret to Business Partners Like Dropbox". It was also no secret to
anybody who read the news. Even the article itself links to old news
articles like the ones talking about the local web server that Zoom
would secretly and persistently install on your machine and allow for
unauthenticated RCE:

https://blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/

Clickbait aside, it is always interesting to see how these companies
tackle security as an after-thought. The programmers implement the
system with little to no concern about security, then at some point
somebody realizes the system is flawed, and then the tiger black hat
team rushes in to save the day. Except that oftentimes they will operate
on a contract basis, may not even have access to the source code, and
have no long-term interest in the security of the product. If I remember
correctly and this is what the article is talking about, Zoom patched
that web server crap only after it was made public:

"...it took more than three months for Zoom to fix the bug, the former
engineers said. Zoom patched the vulnerability
<https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/> only
after another hacker publicized a different security flaw with the same
root cause."

Furthermore:

https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/

"Earlier this week, a security researcher published a blog highlighting
concerns with aspects of the Zoom platform. In engaging this researcher
over the past 90 days, we misjudged the situation and did not respond
quickly enough..."

But anyway. I'll take free/libre software that can be inspected by the
security community over VC-funded proprietary garbage any day. The
golden standard in this respect seems to me to be Signal
<https://www.signal.org/>.

On 4/20/20 5:01 PM, Robert Mathews (OSIA) wrote:
>
>     Business RELATIONS and MODELS _Having To Adjust_ To The
>     SIGNIFICANT Imperfections -- DOWNRIGHT FLAWS of Partners....
>
> "Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox"
> Dropbox privately paid top hackers to find bugs in software by the
> videoconferencing company Zoom, then pressed it to fix them.
>
> By Natasha Singer and Nicole Perlroth
> The New York Times
> April 20, 2020
> Updated 2:31 p.m. ET
> https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html
> -- 
> Dr. Robert Mathews, D.Phil.
> Principal Technologist &
> Distinguished Senior Research Scholar
> Office of Scientific Inquiry & Applications (OSIA)
> University of Hawai'i
>