Consider the following:

1. #Zoom, a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on #Keybase, and

2. Keybase is used by a lot of people to sign their #git commits and whatnot.


3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

#ThisIsFine #InfoSec


@rysiek Microsoft also had a bad security track record, and turned it around.
Cisco just released a ton of advisories for ASA, FTD and FMC that are pretty bad, and they tend to hide their issues until they can't.
Apple does not disclose the security issues they fix very easily, if at all.
Zoom starts to take steps by getting people like Katie Moussouris and her company to help, and has actually responded to the security findings at least. Shows intent to get better at it.

@siliconshecky re: Microsoft -

re: everything else - I find it objectionable that it's still okay for shitty startups to do shitty security while promising the world, get called out on it, pretend to apologize, and then do some more shitty security things, and *still* get credit for "trying"; meanwhile projects with sane security practices get crowded out of the market (and thus, funding).

@rysiek So Zoom has done nothing to address the security bugs, you say? Honestly, we can disagree, and it is obvious that we will never see eye to eye. I think the attitude you are showing does not translate into a more secure environment, as I read it as "once shitty, always shitty, nothing ever changes."
As I said, believe what you want. I will respectfully disagree with your assessment.

@siliconshecky and let me be very clear: for months(!) Zoom was doing way more than nothing to leave their security problems unaddressed.

Just look at the timeline and Zoom's initial response in this case:

They were actively trying to sweep the thing under the rug. I don't care how much they do now to fix stuff. They should have ended up on the dumpster of history long ago, and stop crowding out projects that are so callous as to almost be malicious.

@rysiek A lot changes over a year.
Apple actively tries to sweep its stuff under the rug, so does Cisco.

@siliconshecky and the point here is?.. I am neither advocating Cisco nor Apple. In fact, I have no clue why Cisco and Apple even showed up in this conversation.

All the Microzon Facegoopples of this world should go the way of the Dodo for all I care. I'd just like them to take all the startup snakeoil salespeople like Zoom along for the ride. :blobcat:

@rysiek You talked about Zoom burying an issue a year ago (which they fixed in a couple of days after it was publicized). I was just showing that other companies do the same. In fact, it might have been the bug bounty program's fault and not Zoom's that things got boggled, just as a what-might-have-been.

@siliconshecky I know other companies do the same. That's kind of the point.

This kind of behaviour is incentivized, made into a winning business model. And defending such practices *is* co-responsible for these practices flourishing.

What I am saying is we must stop doing that. "All software has bugs" is the "boys will be boys" of the tech industry.

@rysiek Had to turn off some of my security features, it seems. It was throwing an error. Of course, all that for a bug that was over a month ago and has been fixed since then. ;)

@siliconshecky yeah, sorry. But it was a bug that was somewhat similar to the one from a year ago, and was caused by a similar shady approach to installation and OS privileges: meaning "exploit whatever you can to your advantage, don't follow established protocols".

They got burned by that approach a year ago, and yet they persist.

@siliconshecky I'm not entirely sure what you're trying to argue here, but intent is meaningless without results.

Microsoft has shown some results, but arguably not yet sufficient improvement.

Cisco is one big overpriced garbage fire. They've shown little intent to improve and virtually no results.

Zoom is behaving just like Facebook. Lots of apology, noble intention (at least the appearance of it), but woefully inadequate results. They are not at all proactive, just reactive...


@msh @rysiek
So Zoom has hired Luta Security to now handle its bug bounty program, brought on Alex Stamos to help build/fix its security program, has been working with other security consultants to help with the security issues, put a 90-day feature freeze on its product to solely work on security issues, has released numerous updates to fix the issues at hand, made passwords the default, a new, easier-to-access area for security settings...
Sounds like they have done nothing to me.

@siliconshecky this is very promising and good news to hear. They are going in the right direction.

But, I would say they still have critical issues that need addressing beneath all these surface level fixes they've released. I still need to be sold on their transparency and trustworthiness as well. As such I will continue to observe but Zoom will continue to be disallowed in my workplace.


@siliconshecky @msh oh sure. but consider, how much time and pressure it took for them to even start getting their shit together.

Now imagine the same amount of time, effort, and money is invested into something like Jitsi, BigBlueButton, or Nextcloud Talk. Where the security is mostly there, an audit would be welcome, the code is open, and usability issues could be ironed out with such resources.

Once you do that you will perhaps understand why I refuse to cut Zoom any slack here.

@rysiek @msh I have used Jitsi, and I applaud some of these. Have you taught a non-tech person how to set them up? Just curious.
And yeah, there was pressure from a ton of people auditing and fuzzing Zoom as it ballooned from 10 million to 200 million users in a few weeks' time. Also, issues were brought straight into the public, no responsible disclosure at all.
Yes, Zoom has problems, but they are working on fixing them.
Just remember, open source has issues also, and some take years to show.

@siliconshecky @msh set what up? A Jitsi call? Yes, I work with dozens of non-techie journalists, and they're using Jitsi calls AOK.

"FLOSS has issues", again, is true, but also, again: whataboutism. And I will eat my hat if it turns out Jitsi or BBB are using AES_ECB. Everybody knows not to use these. Unless you're Zoom!

The bug from a year ago I linked in another toot followed proper channels and responsible disclosure. I can understand why after that security researchers decided it's bonkers.
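The post above asserts that "everybody knows not to use" AES in ECB mode without saying why. The following is an added illustration (not code from the thread or from any of the projects mentioned) of the property that makes ECB unsafe for bulk data such as video frames: identical plaintext blocks encrypt to identical ciphertext blocks, so the structure of the plaintext shows through in the ciphertext, and a defender can spot ECB use purely by counting repeated ciphertext blocks. To keep it dependency-free, `toy_block_encrypt` is a keyed, deterministic stand-in for a block cipher built from SHA-256; it is not AES and is not invertible, but it has the one property the demonstration needs. `KEY`, `IV` and `SAMPLE` are constructed values.

```python
import hashlib
import os

BLOCK = 16  # AES block size in bytes; the toy cipher below uses the same size


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher (NOT AES).

    Same key + same input block always yields the same output block, which is
    exactly the property ECB mode exposes. Built from SHA-256 so the example
    runs with the standard library only; not invertible, so there is no decrypt.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    """PKCS#7 padding: always appends 1..BLOCK bytes, each equal to the pad length."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so repeats in the
    plaintext become repeats in the ciphertext."""
    return b"".join(toy_block_encrypt(key, b) for b in split_blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so identical plaintext blocks no longer produce identical
    ciphertext blocks (given a fresh, unpredictable IV per message)."""
    prev = iv
    out = []
    for b in split_blocks(pkcs7_pad(plaintext)):
        x = bytes(p ^ q for p, q in zip(b, prev))
        prev = toy_block_encrypt(key, x)
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block.

    For a mode that hides plaintext structure this should be 0 for any
    realistic message length; a non-zero count is the classic ECB tell."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def looks_like_ecb(ciphertext: bytes) -> bool:
    return repeated_blocks(ciphertext) > 0


# Constructed inputs. SAMPLE imitates a frame with large uniform regions:
# four identical blocks, one distinct block, then two more identical blocks.
KEY = b"constructed-key-for-demo-only!!!"          # 32 bytes, constructed
IV = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed; use os.urandom in practice
SAMPLE = b"A" * 64 + b"unique block!!!!" + b"A" * 32


def demo() -> dict:
    """Encrypt SAMPLE under both modes and report the repetition count."""
    ecb_ct = ecb_encrypt(KEY, SAMPLE)
    cbc_ct = cbc_encrypt(KEY, IV, SAMPLE)
    return {
        "ecb_repeats": repeated_blocks(ecb_ct),   # 5: six "A" blocks collapse to one
        "cbc_repeats": repeated_blocks(cbc_ct),   # 0: chaining breaks the pattern
        "ecb_flagged": looks_like_ecb(ecb_ct),
        "cbc_flagged": looks_like_ecb(cbc_ct),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    # A real implementation would draw the IV per message: os.urandom(BLOCK)
    _ = os.urandom(BLOCK)
```

`repeated_blocks` is the same check a reviewer runs against a captured stream when auditing a product's cipher choice: with 8 blocks of the constructed sample, ECB leaves 5 duplicates while CBC leaves none. The same counting works against real AES output, since the leak is a property of the mode, not of the cipher.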

@rysiek @msh Also, you obviously did not see that they have started up a new bug bounty program with a reputable company.
I could not explain to my son's grandmother how to do a Jitsi setup. I'm talking about the everyday person, which is where Zoom ballooned.
Listen, I get it, you love open source and that is fine. You probably do not use commercial software unless you have to, and that is fine. But if you do not allow for change and adjustments, you are not allowing for solutions.

@siliconshecky @msh Zoom had over a year for change and adjustments. Now it's too little too late.

And again, you are missing the point: had the same amount of money and resources been invested in projects like Jitsi or BBB, your grandmother could use them too. The difference is that it would be without a J. Random ScriptKiddie zoombombing the call.

It's not about Zoom, specifically. It's about how we seem to incentivise this kind of abusive developer behaviour.

@rysiek @msh Now we get to the core of it, and that is monetization, which promotes said developer behaviour.
That said, Jitsi or BBB could have, but are not ready for a grandmother at this time. Not enough people willing to spend time working on them without getting paid? That could be, but then you run into the return-on-investment issue again.

@siliconshecky @msh and these will not get fixed unless the incentive structure changes *dramatically*. That requires, among other things, being way less forgiving for shitty security practices.

And yes, Jitsi is easy enough to use by your grandma. Just send her the link.

@siliconshecky the industry is pretty sick right now. Everyone externalises IT costs. It's always someone else's problem. Put it in the cloud. Use Free software but don't take any responsibility for your installations.

There has to be a change. Free software devs don't always need to be on payroll but they need support of big users who already have ample resources to do so.

Also, I'm curious about how Jitsi is "not ready". You send a link, the user clicks the link, they connect!...


@siliconshecky ... I've had to deal with both Zoom and Jitsi meetings and honestly Jitsi is easier to support. No plugins or apps, everything is standard etc. After eliminating Zoom we have had less trouble overall.

Finally, I think the repeated reference to "grandmother" is a bit insulting. My parents are in their 80s and are quite capable of learning. If mum could key COBOL code onto punch cards to run accounting batch jobs, I'm sure she can figure out things as easy as Jitsi.


@siliconshecky look, if you care about Zoom getting better, just leak their source code.

no one has to know it was you. :awesome:

@rysiek @msh

@siliconshecky @rysiek @msh My kids (both 10 or under) can use Jitsi just fine, on our private instance. They run weekly Dungeons & Dragons with no tech help from me.


...anyway my take on the situation:

1. It is best to vote with your feet and make maximum effort to avoid products and services that are insufficiently secure or abuse users regardless of their intentions. Only support them once they adequately demonstrate they *presently* respect users and practice good security.

2. Any product or service, and especially those that are security related, should be viewed with suspicion if they are closed and cannot be completely self-hosted.


Infosec Exchange

A Mastodon instance for info/cyber security-minded people.