Consider the following:

1. #Zoom, a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on #Keybase, and

2. Keybase is used by a lot of people to sign their #git commits and whatnot.

Therefore:

3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

#ThisIsFine #InfoSec

@rysiek Microsoft also had a bad security track record, and turned it around.
Cisco just released a ton of advisories for ASA, FTD and FMC that are pretty bad, and they tend to hide their issues until they can't.
Apple does not disclose the security issues they fix very easily, if at all.
Zoom is starting to take steps by getting people like Katie Moussouris and her company to help, and has actually responded to the security findings at least. That shows intent to get better at it.

@siliconshecky I'm not entirely sure what you're trying to argue here, but intent is meaningless without results.

Microsoft has shown some results but arguably not yet sufficient improvement.

Cisco is one big overpriced garbage fire. They've shown little intent to improve and virtually no results.

Zoom is behaving just like Facebook. Lots of apology, noble intention (at least the appearance of it), but woefully inadequate results. They are not at all proactive, just reactive...

@rysiek

@msh @rysiek
So Zoom has hired Luta Security to now handle its bug bounty program, brought on Alex Stamos to help build/fix its security program, has been working with other security consultants to help with the security issues, put a 90-day feature freeze on its product to solely work on security issues, has released numerous updates to fix the issues at hand, made passwords the default, added a new, easier-to-access area for security settings...
Sounds like they have done nothing to me.

@siliconshecky @msh oh sure. but consider, how much time and pressure it took for them to even start getting their shit together.

Now imagine the same amount of time, effort, and money invested into something like Jitsi, BigBlueButton, or Nextcloud Talk, where the security is mostly there, an audit would be welcome, the code is open, and usability issues could be ironed out with such resources.

Once you do that you will perhaps understand why I refuse to cut Zoom any slack here.


@rysiek @msh I have used Jitsi, and I applaud some of these. Have you taught a non-tech person how to set them up? Just curious.
And yeah, there was pressure from a ton of people auditing and fuzzing Zoom as it ballooned from 10 million to 200 million users in a few weeks' time. Also, issues were brought straight into the public, no responsible disclosure at all.
Yes, Zoom has problems, but they are working on fixing them.
Just remember, open source has issues also, and some take years to show.

@siliconshecky @msh set what up? A Jitsi call? Yes, I work with dozens of non-techie journalists, and they're using Jitsi calls AOK.

"FLOSS has issues", again, is true but also again: whataboutism. And I will eat my hat if it turns out Jitsi or BBB are using AES_ECB. Everybody knows not to use these. Unless you're Zoom!

The bug from a year ago I linked in another toot followed proper channels and responsible disclosure. I can understand why after that security researchers decided it's bonkers.
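An added illustration of the AES-ECB point above (example code added here, not from any post in the thread or from Zoom, Jitsi or BBB). The leak is a property of ECB mode, not of AES: every plaintext block is encrypted independently, so equal plaintext blocks yield equal ciphertext blocks and an eavesdropper can see structure without the key. To keep the example stdlib-only, the block cipher is stood in by a keyed, truncated HMAC-SHA256 (an assumption for illustration, not AES and not invertible; any deterministic per-block function shows the same effect). The key, nonce and sample plaintext are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes; the mode weakness does not depend on it

def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption for illustration, not AES).

    A keyed function over one 16-byte block is enough here because the
    pattern leak shown below comes from ECB *mode*: any deterministic
    per-block function maps equal plaintext blocks to equal ciphertext blocks.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: each block encrypted on its own, no chaining, no IV."""
    if len(pt) % BLOCK:
        raise ValueError("ECB needs whole blocks; pad first")
    return b"".join(block_prf(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """CTR: keystream = PRF(nonce || counter), XORed onto the plaintext.

    Equal plaintext blocks now meet different keystream blocks, so the
    ciphertext shows no repetition. The same function decrypts (XOR twice).
    """
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes (8-byte counter follows)")
    out = bytearray()
    for n, i in enumerate(range(0, len(pt), BLOCK)):
        keystream = block_prf(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], keystream))
    return bytes(out)

def duplicate_block_count(ct: bytes, bs: int = BLOCK) -> int:
    """Number of ciphertext blocks that repeat an earlier block.

    This is the classic ECB tell: a good mode (CBC with a fresh IV, CTR, GCM)
    produces ciphertext with no repeated blocks except by negligible chance.
    """
    blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
    return len(blocks) - len(set(blocks))

def looks_like_ecb(ct: bytes) -> bool:
    return duplicate_block_count(ct) > 0

# Constructed sample input: two flat regions of four identical blocks each,
# the way a solid colour in an image or a repeated record looks to the cipher.
SAMPLE = b"A" * (4 * BLOCK) + b"B" * (4 * BLOCK)
KEY = b"\x11" * 32          # constructed key, illustration only
NONCE = b"\x00" * 8         # constructed nonce, illustration only

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, SAMPLE)
    ctr = ctr_encrypt(KEY, NONCE, SAMPLE)
    print("ECB duplicate blocks:", duplicate_block_count(ecb))   # 6 of 8
    print("CTR duplicate blocks:", duplicate_block_count(ctr))   # 0
    print("ECB detected:", looks_like_ecb(ecb), "| CTR detected:", looks_like_ecb(ctr))
```

The same duplicate-block check is what you would run over a captured stream when auditing a product: if a multi-block ciphertext ever shows repeated blocks, either the mode is ECB or the IV/nonce is being reused, and both are findings.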

@rysiek @msh Also, you obviously did not see that they have started up a new bug bounty program with a reputable company.
I could not explain to my son's grandmother how to set up a Jitsi setup. I'm talking about the everyday person, which is where Zoom ballooned.
Listen, I get it, you love open source and that is fine. You probably do not use commercial unless you have to, that is fine. But if you do not allow for change and adjustments, you are not allowing for solutions.

@siliconshecky @msh Zoom had over a year for change and adjustments. Now it's too little too late.

And again, you are missing the point: had the same amount of money and resources been invested in projects like Jitsi or BBB, your grandmother could use them too. The difference is that it would be without a J. Random ScriptKiddie zoombombing the call.

It's not about Zoom, specifically. It's about how we seem to incentivise this kind of abusive developer behaviour.

@rysiek @msh Now we get to the core of it, and that is monetization which promotes said developer behaviour.
That said, Jitsi or BBB could have, but are not ready for a grandmother at this time. Not enough people willing to spend time working on them without getting paid? That could be, but then you run into the return-on-investment issue again.

@siliconshecky @msh and these will not get fixed unless the incentive structure changes *dramatically*. That requires, among other things, being way less forgiving for shitty security practices.

And yes, Jitsi is easy enough to use by your grandma. Just send her the link.

@siliconshecky the industry is pretty sick right now. Everyone externalises IT costs. It's always someone else's problem. Put it in the cloud. Use Free software but don't take any responsibility for your installations.

There has to be a change. Free software devs don't always need to be on payroll but they need support of big users who already have ample resources to do so.

Also, I'm curious about how Jitsi is "not ready". You send a link, the user clicks the link, they connect!...

@rysiek

@siliconshecky ... I've had to deal with both Zoom and Jitsi meetings and honestly Jitsi is easier to support. No plugins or apps, everything is standard etc. After eliminating Zoom we have had less trouble overall.

Finally, I think the repeated reference to "grandmother" is a bit insulting. My parents are in their 80s and are quite capable of learning. If mum could key COBOL code onto punch cards to run accounting batch jobs, I'm sure she can figure out things as easy as Jitsi.

@rysiek

@siliconshecky look, if you care about Zoom getting better, just leak their source code.

no one has to know it was you. :awesome:

@rysiek @msh

@siliconshecky @rysiek @msh My kids (both 10 or under) can use Jitsi just fine, on our private instance. They run weekly dungeons and dragons with no tech help from me.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.