[GTLD-WG] [CPWG] Fwd: Re: Zoom Structural Vulnerability Discovered

Marita Moll mmoll at ca.inter.net
Thu Jul 11 13:42:11 UTC 2019


Thanks Judith, for this background. But what I am asking is whether 
there is any appetite in At-large to join in the suggestion below 
clipped from a discussion on the NCSG list. I get it that the TTF 
already has covered some of this but I think formalizing the arrangement 
as suggested below would be good cooperative gesture and I definitely 
think there should be a tender.

Here is the proposal from the NCSG list that I would like to see us 
consider:

"Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO 
could be requested to set up a specifications sheet for a desirable 
conferencing tool, based on needs expressed by the multi-stakeholder 
community, and publish that as a tender. Offers received could then be 
reviewed not only by Staff, but in consultation with ACs and SOs."

Marita

On 7/10/2019 10:05 AM, Judith Hellerstein wrote:
>
> HI Marita,
>
> Yes the TTF had discussed zoom and others technology platforms with 
> the ICANN Meetings team and also had sent them our comparison sheet of 
> items that we need to see and what we hope to see in a new web 
> meetings software. We were actively involved early on in the process. 
> We then had a follow up call later on with questions regarding Zoom 
> with the ICANN Meetings team. We can discuss this vulnerability at the 
> next TTF meeting. We work Closely with Mark Seagal from ICANN IT who 
> is our designated Liaison and also with Sara Caplis of the ICANN 
> Meetings team who is the lead person on Zoom and other related 
> software used
>
> Best,
>
> Judith
>
> _________________________________________________________________________
> Judith Hellerstein, Founder & CEO
> Hellerstein & Associates
> 3001 Veazey Terrace NW, Washington DC 20008
> Phone: (202) 362-5139  Skype ID: judithhellerstein
> Mobile/Whats app: +1202-333-6517
> E-mail:Judith at jhellerstein.com    Website:www.jhellerstein.com
> Linked In:www.linkedin.com/in/jhellerstein/
> Opening Telecom & Technology Opportunities Worldwide
>
> On 7/10/2019 3:00 PM, Marita Moll wrote:
>>
>> Hello all. I did bring up issues around the Zoom platform in early 
>> June and I have not yet had a chance to take the issues I see with 
>> the platform any further. But there is a robust discussion going on 
>> at NCSG with the idea below re: a joint recommendation from SO's/AC's 
>> for community input into the choices that are made about platform 
>> changes that affect us so profoundly. Perhaps we should indicate our 
>> support for this sort of action -- through our technology task force.
>>
>> Marita
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: 	Re: Zoom Structural Vulnerability Discovered
>> Date: 	Wed, 10 Jul 2019 15:21:51 +0200
>> From: 	Jean-Jacques Subrenat <jjs at DYALOG.NET>
>> Reply-To: 	Jean-Jacques Subrenat <jjs at DYALOG.NET>
>> To: 	NCSG-DISCUSS at LISTSERV.SYR.EDU
>>
>>
>>
>> First, a remark: for Adobe, Zoom or other tool providers, ICANN may 
>> not be the single largest client, but it is certainly a significant 
>> one owing to its nature (quasi-regulatory, multi-stakeholder, some 
>> parts geared to non-commercial users).
>>
>> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO 
>> could be requested to set up a specifications sheet for a desirable 
>> conferencing tool, based on needs expressed by the multi-stakeholder 
>> community, and publish that as a tender. Offers received could then 
>> be reviewed not only by Staff, but in consultation with ACs and SOs.
>>
>> This would get us closer to what we, collectively, consider as the 
>> appropriate tool for the numerous conference calls held throughout ICANN.
>>
>> Jean-Jacques Subrenat.
>>
>>
>> Le 10 juillet 2019 à 14:46:20, Paul Rosenzweig 
>> (paul.rosenzweig at redbranchconsulting.com 
>> <mailto:paul.rosenzweig at redbranchconsulting.com>) a écrit:
>>
>>> This is assuredly right.  The change from Adobe to Zoom may, or may 
>>> not, have been right for ICANN and for this group for any number of 
>>> reasons ranging from cost, to security, to scalability and utility.  
>>> But let’s not romanticize Adobe.  They are not a terribly secure 
>>> platform generically.  As James said, the Zoom response is poor – 
>>> but we can’t hang that around the neck of ICANN org.
>>>
>>> P
>>>
>>> Paul Rosenzweig
>>>
>>> paul.rosenzweig at redbranchconsulting.com 
>>> <mailto:paul.rosenzweig at redbranchconsulting.com>
>>>
>>> O: +1 (202) 547-0660
>>>
>>> M: +1 (202) 329-9650
>>>
>>> VOIP: +1 (202) 738-1739
>>>
>>> www.redbranchconsulting.com <http://www.redbranchconsulting.com/>
>>>
>>> My PGP Key: 
>>> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>>>
>>> *From:* NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> *On Behalf Of 
>>> *James Gannon
>>> *Sent:* Wednesday, July 10, 2019 12:52 AM
>>> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
>>> *Subject:* Re: Zoom Structural Vulnerability Discovered
>>>
>>> Just want to call out that Adobe has likely the worst reputation in 
>>> the entire tech industry when it comes to security, I really would 
>>> not hold them out as either prompt or without serious issues (I 
>>> believe they still hold the record for number of CVSS 9+ vulns).
>>>
>>> Zooms response is poor I agree, but on a data driven comparison it 
>>> is a far more secure platform.
>>>
>>> *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>> on behalf of Ayden Férdeline 
>>> <icann at FERDELINE.COM <mailto:icann at FERDELINE.COM>>
>>> *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM 
>>> <mailto:icann at FERDELINE.COM>>
>>> *Date: *Tuesday, 9 July 2019 at 14:13
>>> *To: *"NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>" 
>>> <NCSG-DISCUSS at LISTSERV.SYR.EDU <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>>
>>> *Subject: *Re: Zoom Structural Vulnerability Discovered
>>>
>>> That is true, but note that this security researcher notified Zoom 
>>> of the exploit and they were in no rush to repair it. Look at the 
>>> timeline in the Medium post. They only sought to fix it after the 
>>> vulnerability drew media attention.
>>>
>>> Adobe Connect was not perfect but it met our needs and the 
>>> occasional security issues that arose were promptly fixed by Adobe 
>>> and never as serious as this one!
>>>
>>> Best wishes, Ayden
>>>
>>> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq <11beeasadiq at seecs.edu.pk 
>>> <mailto:11beeasadiq at seecs.edu.pk>> wrote:
>>>
>>>     Speaking from a technical perspective, no software is perfect or
>>>     bug-free. Its only a matter of time a loophole is found and
>>>     exploited and eventually patched up. If you think Adobe Connect
>>>     or ezTalks were/are free of these architectural issues, think
>>>     again! That's the way we technical community do things.
>>>
>>>     Regards
>>>
>>>     Adeel
>>>
>>>     Pakistan
>>>
>>>     On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline
>>>     <icann at ferdeline.com <mailto:icann at ferdeline.com>> wrote:
>>>
>>>         Unfortunately, uninstalling the application does not rectify
>>>         the situation, due to poor architecture (acknowledged by
>>>         Zoom on their blog today). They are working on a fix, now
>>>         that public scrutiny demands one. So disappointing
>>>         that ICANN has put us in this terrible situation.
>>>
>>>         Ayden
>>>
>>>         On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst &
>>>         Group CEO <va at BLADEBRAINS.COM <mailto:va at BLADEBRAINS.COM>>
>>>         wrote:
>>>
>>>             Thanks for this. Till the next Update, I have removed
>>>             the Zoom For Mac Client with immediate effect.
>>>
>>>             Regards,
>>>
>>>             Vaibhav Aggarwal
>>>
>>>             New Delhi
>>>
>>>             VaibhavAggarwal.com <http://VaibhavAggarwal.com>
>>>
>>>                 On Jul 10, 2019, at 12:30 AM, Michael Karanicolas
>>>                 <mkaranicolas at GMAIL.COM
>>>                 <mailto:mkaranicolas at GMAIL.COM>> wrote:
>>>
>>>                 Hey - remember when ICANN switched everyone from
>>>                 Adobe over to Zoom as a way of enhancing information
>>>                 security and data privacy?
>>>
>>>                 "A vulnerability in the Mac Zoom Client allows any
>>>                 malicious website to enable your camera without your
>>>                 permission... This vulnerability allows any website
>>>                 to forcibly join a user to a Zoom call, with their
>>>                 video camera activated, without the user's
>>>                 permission. On top of this, this vulnerability would
>>>                 have allowed any webpage to DOS (Denial of Service)
>>>                 a Mac by repeatedly joining a user to an invalid
>>>                 call. Additionally, if you’ve ever installed the
>>>                 Zoom client and then uninstalled it, you still have
>>>                 a localhost web server on your machine that will
>>>                 happily re-install the Zoom client for you, without
>>>                 requiring any user interaction on your behalf
>>>                 besides visiting a webpage. This re-install
>>>                 ‘feature’ continues to work to this day."
>>>
>>>                 Read more here:
>>>                 https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>>>
>>
>> _______________________________________________
>> CPWG mailing list
>> CPWG at icann.org
>> https://mm.icann.org/mailman/listinfo/cpwg
>>
>> _______________________________________________
>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
>
> _______________________________________________
> CPWG mailing list
> CPWG at icann.org
> https://mm.icann.org/mailman/listinfo/cpwg
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://atlarge-lists.icann.org/pipermail/gtld-wg/attachments/20190711/49447e8e/attachment-0001.html>
-------------- next part --------------
_______________________________________________
CPWG mailing list
CPWG at icann.org
https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.


More information about the GTLD-WG mailing list