Consider the following:

1. #Zoom, a company with bad security track record and murky ownership now has clandestine supply-chain-attack capability on #Keybase, and

2. Keybase is used by a lot of people to sign their #git commits and whatnot.


3. Zoom, a company with bad security track record and murky ownership now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

#ThisIsFine #InfoSec

@rysiek Microsoft also had a bad Security track record, and turned it around.
Cisco jsut released a ton of advisories for ASA, FTD and FMC that are pretty bad and tend to hide their issues until they can't.
Apple does not disclose the security issues they fix very easily if at all.
Zoom starts to take steps by getting people like Katie Mussouris and her company to help and actually has responded to the security findings at least. Shows intent to get better at it.

@siliconshecky re: Microsoft -

re: everything else - I find it objectionable that it's still okay for shitty startups do shitty security while promising the world, get called out on it, pretend to apologize, and then do some more shitty security things, and *still* get credit for "trying"; meanwhile projects with sane security practices get crowded out of the market (and thus, funding).

@rysiek Had to turn off some of my security features it seems. was throwing an error. Of course all that for a bug that was over a month ago and fixed since then. ;)

@siliconshecky yeah, sorry. But it was a bug that was somewhat similar to the one from the year ago, and was caused by a similar shady approach to installation and OS privileges: meaning "exploit whatever you can to your advantage, don't follow established protocols".

They got burned by that approach a year ago, and yet they persist.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.