Thanks for sharing. I sense a little clickbait in that title: "Zoom's Security Woes Were No Secret to Business Partners Like Dropbox". It was also no secret to anybody who read the news. Even the article itself links to old news articles like the ones talking about the local web server that Zoom would secretly and persistently install on your machine and allow for unauthenticated RCE:

https://blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/

Clickbait aside, it is always interesting to see how these companies tackle security as an afterthought. The programmers implement the system with little to no concern about security, then at some point somebody realizes the system is flawed, and then the tiger black hat team rushes in to save the day. Except that oftentimes they will operate on a contract basis, may not even have access to the source code, and have no long-term interest in the security of the product.

If I remember correctly, and this is what the article is talking about, Zoom patched that web server crap only after it was made public:

"...it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability <https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/> only after another hacker publicized a different security flaw with the same root cause."

Furthermore:

https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/

"Earlier this week, a security researcher published a blog highlighting concerns with aspects of the Zoom platform. In engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough..."

But anyway. I'll take free/libre software that can be inspected by the security community over VC-funded proprietary garbage any day. The golden standard in this respect seems to me to be Signal <https://www.signal.org/>.
On 4/20/20 5:01 PM, Robert Mathews (OSIA) wrote:
>
> Business RELATIONS and MODELS Having To Adjust To The SIGNIFICANT Imperfections -- DOWNRIGHT FLAWS of Partners....
>
> "Zoom's Security Woes Were No Secret to Business Partners Like Dropbox"
> Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them.
>
> By Natasha Singer and Nicole Perlroth
> The New York Times
> April 20, 2020
> Updated 2:31 p.m. ET
> https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html
>
> --
> Dr. Robert Mathews, D.Phil.
> Principal Technologist &
> Distinguished Senior Research Scholar
> Office of Scientific Inquiry & Applications (OSIA)
> University of Hawai'i
>
-- Liberationtech is public & archives are searchable from any major commercial search engine. Violations of list guidelines will get you moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe, change to digest mode, or change password by emailing [email protected].
