Consider the following:

1. #Zoom, a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on #Keybase, and

2. Keybase is used by a lot of people to sign their #git commits and whatnot.

3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

#ThisIsFine #InfoSec

@rysiek Microsoft also had a bad security track record, and turned it around.
Cisco just released a ton of advisories for ASA, FTD and FMC that are pretty bad, and they tend to hide their issues until they can't.
Apple does not disclose the security issues they fix very easily, if at all.
Zoom is starting to take steps by getting people like Katie Moussouris and her company to help, and has actually responded to the security findings at least. That shows intent to get better at it.

@siliconshecky re: Microsoft -

re: everything else - I find it objectionable that it's still okay for shitty startups to do shitty security while promising the world, get called out on it, pretend to apologize, and then do some more shitty security things, and *still* get credit for "trying"; meanwhile projects with sane security practices get crowded out of the market (and thus, funding).

@rysiek So Zoom has done nothing to address the security bugs, you say? Honestly, we can disagree, and it is obvious that we will never see eye to eye. I think the attitude you are showing does not translate into a more secure environment, as I read it as "once shitty, always shitty, nothing ever changes".
As I said, believe what you want. I will respectfully disagree with your assessment.

@siliconshecky and let me be very clear: for months(!) Zoom was doing way more than nothing to leave their security problems unaddressed.

Just look at the timeline and Zoom's initial response in this case:

They were actively trying to sweep the thing under the rug. I don't care how much they do now to fix stuff. They should have ended up on the dumpster of history long ago, and stop crowding out projects that are so callous as to almost be malicious.

@rysiek A lot changes over a year.
Apple actively tries to sweep its stuff under the rug, so does Cisco.

@siliconshecky and the point here is?.. I am neither advocating Cisco nor Apple. In fact, I have no clue why Cisco and Apple even showed up in this conversation.

All the Microzon Facegoopples of this world should go the way of the Dodo for all I care. I'd just like them to take all the startup snakeoil salespeople like Zoom along for the ride. :blobcat:

@rysiek You talked about Zoom burying an issue a year ago (which they fixed in a couple of days after it was publicized). I was just showing that other companies do the same. In fact, it might have been the bug bounty program's fault and not Zoom's that things got boggled, just as a what-might-have-been.


@siliconshecky I know other companies do the same. That's kind of the point.

This kind of behaviour is incentivized, made into a winning business model. And defending such practices *is* co-responsible for these practices flourishing.

What I am saying is we must stop doing that. "All software has bugs" is the "boys will be boys" of the tech industry.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.