[GTLD-WG] [CPWG] Fwd: Re: Zoom Structural Vulnerability Discovered

Marita Moll mmoll at ca.inter.net
Thu Jul 11 13:51:00 UTC 2019


Well, Judith, I can make the suggestion -- or maybe it should come from 
a member of the TTF.

Marita


On 7/11/2019 9:46 AM, Judith Hellerstein wrote:
>
> HI Marita,
>
> Why not have NCSG join the TTF.  We are open to all.  We have prepared 
> a sheet like they are asking and have shared it with the IT staff who 
> thought it was very helpful.  What would be better is NCSG sent reps 
> or joined the TTF than we could all speak with once voice.
>
> Best,
>
> Judith
>
> _________________________________________________________________________
> Judith Hellerstein, Founder & CEO
> Hellerstein & Associates
> 3001 Veazey Terrace NW, Washington DC 20008
> Phone: (202) 362-5139  Skype ID: judithhellerstein
> Mobile/Whats app: +1202-333-6517
> E-mail:Judith at jhellerstein.com    Website:www.jhellerstein.com
> Linked In:www.linkedin.com/in/jhellerstein/
> Opening Telecom & Technology Opportunities Worldwide
>
> On 7/11/2019 9:42 AM, Marita Moll wrote:
>>
>> Thanks Judith, for this background. But what I am asking is whether 
>> there is any appetite in At-large to join in the suggestion below 
>> clipped from a discussion on the NCSG list. I get it that the TTF 
>> already has covered some of this but I think formalizing the 
>> arrangement as suggested below would be good cooperative gesture and 
>> I definitely think there should be a tender.
>>
>> Here is the proposal from the NCSG list that I would like to see us 
>> consider:
>>
>> "Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO 
>> could be requested to set up a specifications sheet for a desirable 
>> conferencing tool, based on needs expressed by the multi-stakeholder 
>> community, and publish that as a tender. Offers received could then 
>> be reviewed not only by Staff, but in consultation with ACs and SOs."
>>
>> Marita
>>
>> On 7/10/2019 10:05 AM, Judith Hellerstein wrote:
>>>
>>> HI Marita,
>>>
>>> Yes the TTF had discussed zoom and others technology platforms with 
>>> the ICANN Meetings team and also had sent them our comparison sheet 
>>> of items that we need to see and what we hope to see in a new web 
>>> meetings software. We were actively involved early on in the 
>>> process. We then had a follow up call later on with questions 
>>> regarding Zoom with the ICANN Meetings team. We can discuss this 
>>> vulnerability at the next TTF meeting. We work Closely with Mark 
>>> Seagal from ICANN IT who is our designated Liaison and also with 
>>> Sara Caplis of the ICANN Meetings team who is the lead person on 
>>> Zoom and other related software used
>>>
>>> Best,
>>>
>>> Judith
>>>
>>> _________________________________________________________________________
>>> Judith Hellerstein, Founder & CEO
>>> Hellerstein & Associates
>>> 3001 Veazey Terrace NW, Washington DC 20008
>>> Phone: (202) 362-5139  Skype ID: judithhellerstein
>>> Mobile/Whats app: +1202-333-6517
>>> E-mail:Judith at jhellerstein.com    Website:www.jhellerstein.com
>>> Linked In:www.linkedin.com/in/jhellerstein/
>>> Opening Telecom & Technology Opportunities Worldwide
>>>
>>> On 7/10/2019 3:00 PM, Marita Moll wrote:
>>>>
>>>> Hello all. I did bring up issues around the Zoom platform in early 
>>>> June and I have not yet had a chance to take the issues I see with 
>>>> the platform any further. But there is a robust discussion going on 
>>>> at NCSG with the idea below re: a joint recommendation from 
>>>> SO's/AC's for community input into the choices that are made about 
>>>> platform changes that affect us so profoundly. Perhaps we should 
>>>> indicate our support for this sort of action -- through our 
>>>> technology task force.
>>>>
>>>> Marita
>>>>
>>>>
>>>>
>>>> -------- Forwarded Message --------
>>>> Subject: 	Re: Zoom Structural Vulnerability Discovered
>>>> Date: 	Wed, 10 Jul 2019 15:21:51 +0200
>>>> From: 	Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>> Reply-To: 	Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>> To: 	NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>
>>>>
>>>>
>>>> First, a remark: for Adobe, Zoom or other tool providers, ICANN may 
>>>> not be the single largest client, but it is certainly a significant 
>>>> one owing to its nature (quasi-regulatory, multi-stakeholder, some 
>>>> parts geared to non-commercial users).
>>>>
>>>> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and 
>>>> CEO could be requested to set up a specifications sheet for a 
>>>> desirable conferencing tool, based on needs expressed by the 
>>>> multi-stakeholder community, and publish that as a tender. Offers 
>>>> received could then be reviewed not only by Staff, but in 
>>>> consultation with ACs and SOs.
>>>>
>>>> This would get us closer to what we, collectively, consider as the 
>>>> appropriate tool for the numerous conference calls held throughout 
>>>> ICANN.
>>>>
>>>> Jean-Jacques Subrenat.
>>>>
>>>>
>>>> Le 10 juillet 2019 à 14:46:20, Paul Rosenzweig 
>>>> (paul.rosenzweig at redbranchconsulting.com 
>>>> <mailto:paul.rosenzweig at redbranchconsulting.com>) a écrit:
>>>>
>>>>> This is assuredly right. The change from Adobe to Zoom may, or may 
>>>>> not, have been right for ICANN and for this group for any number 
>>>>> of reasons ranging from cost, to security, to scalability and 
>>>>> utility.  But let’s not romanticize Adobe.  They are not a 
>>>>> terribly secure platform generically.  As James said, the Zoom 
>>>>> response is poor – but we can’t hang that around the neck of ICANN 
>>>>> org.
>>>>>
>>>>> P
>>>>>
>>>>> Paul Rosenzweig
>>>>>
>>>>> paul.rosenzweig at redbranchconsulting.com 
>>>>> <mailto:paul.rosenzweig at redbranchconsulting.com>
>>>>>
>>>>> O: +1 (202) 547-0660
>>>>>
>>>>> M: +1 (202) 329-9650
>>>>>
>>>>> VOIP: +1 (202) 738-1739
>>>>>
>>>>> www.redbranchconsulting.com <http://www.redbranchconsulting.com/>
>>>>>
>>>>> My PGP Key: 
>>>>> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>>>>>
>>>>> *From:* NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> *On Behalf Of 
>>>>> *James Gannon
>>>>> *Sent:* Wednesday, July 10, 2019 12:52 AM
>>>>> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>> *Subject:* Re: Zoom Structural Vulnerability Discovered
>>>>>
>>>>> Just want to call out that Adobe has likely the worst reputation 
>>>>> in the entire tech industry when it comes to security, I really 
>>>>> would not hold them out as either prompt or without serious issues 
>>>>> (I believe they still hold the record for number of CVSS 9+ vulns).
>>>>>
>>>>> Zooms response is poor I agree, but on a data driven comparison it 
>>>>> is a far more secure platform.
>>>>>
>>>>> *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>> on behalf of Ayden 
>>>>> Férdeline <icann at FERDELINE.COM <mailto:icann at FERDELINE.COM>>
>>>>> *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM 
>>>>> <mailto:icann at FERDELINE.COM>>
>>>>> *Date: *Tuesday, 9 July 2019 at 14:13
>>>>> *To: *"NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>" 
>>>>> <NCSG-DISCUSS at LISTSERV.SYR.EDU <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>>
>>>>> *Subject: *Re: Zoom Structural Vulnerability Discovered
>>>>>
>>>>> That is true, but note that this security researcher notified Zoom 
>>>>> of the exploit and they were in no rush to repair it. Look at the 
>>>>> timeline in the Medium post. They only sought to fix it after the 
>>>>> vulnerability drew media attention.
>>>>>
>>>>> Adobe Connect was not perfect but it met our needs and the 
>>>>> occasional security issues that arose were promptly fixed by Adobe 
>>>>> and never as serious as this one!
>>>>>
>>>>> Best wishes, Ayden
>>>>>
>>>>> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq 
>>>>> <11beeasadiq at seecs.edu.pk <mailto:11beeasadiq at seecs.edu.pk>> wrote:
>>>>>
>>>>>     Speaking from a technical perspective, no software is perfect
>>>>>     or bug-free. Its only a matter of time a loophole is found and
>>>>>     exploited and eventually patched up. If you think Adobe
>>>>>     Connect or ezTalks were/are free of these architectural
>>>>>     issues, think again! That's the way we technical community do
>>>>>     things.
>>>>>
>>>>>     Regards
>>>>>
>>>>>     Adeel
>>>>>
>>>>>     Pakistan
>>>>>
>>>>>     On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline
>>>>>     <icann at ferdeline.com <mailto:icann at ferdeline.com>> wrote:
>>>>>
>>>>>         Unfortunately, uninstalling the application does not
>>>>>         rectify the situation, due to poor architecture
>>>>>         (acknowledged by Zoom on their blog today). They are
>>>>>         working on a fix, now that public scrutiny demands one. So
>>>>>         disappointing that ICANN has put us in this terrible
>>>>>         situation.
>>>>>
>>>>>         Ayden
>>>>>
>>>>>         On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst &
>>>>>         Group CEO <va at BLADEBRAINS.COM <mailto:va at BLADEBRAINS.COM>>
>>>>>         wrote:
>>>>>
>>>>>             Thanks for this. Till the next Update, I have removed
>>>>>             the Zoom For Mac Client with immediate effect.
>>>>>
>>>>>             Regards,
>>>>>
>>>>>             Vaibhav Aggarwal
>>>>>
>>>>>             New Delhi
>>>>>
>>>>>             VaibhavAggarwal.com <http://VaibhavAggarwal.com>
>>>>>
>>>>>                 On Jul 10, 2019, at 12:30 AM, Michael Karanicolas
>>>>>                 <mkaranicolas at GMAIL.COM
>>>>>                 <mailto:mkaranicolas at GMAIL.COM>> wrote:
>>>>>
>>>>>                 Hey - remember when ICANN switched everyone from
>>>>>                 Adobe over to Zoom as a way of enhancing
>>>>>                 information security and data privacy?
>>>>>
>>>>>                 "A vulnerability in the Mac Zoom Client allows any
>>>>>                 malicious website to enable your camera without
>>>>>                 your permission... This vulnerability allows any
>>>>>                 website to forcibly join a user to a Zoom call,
>>>>>                 with their video camera activated, without the
>>>>>                 user's permission. On top of this, this
>>>>>                 vulnerability would have allowed any webpage to
>>>>>                 DOS (Denial of Service) a Mac by repeatedly
>>>>>                 joining a user to an invalid call. Additionally,
>>>>>                 if you’ve ever installed the Zoom client and then
>>>>>                 uninstalled it, you still have a localhost web
>>>>>                 server on your machine that will happily
>>>>>                 re-install the Zoom client for you, without
>>>>>                 requiring any user interaction on your behalf
>>>>>                 besides visiting a webpage. This re-install
>>>>>                 ‘feature’ continues to work to this day."
>>>>>
>>>>>                 Read more here:
>>>>>                 https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>>>>>
>>>>
>>>> _______________________________________________
>>>> CPWG mailing list
>>>> CPWG at icann.org
>>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>>
>>>> _______________________________________________
>>>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
>>>
>>> _______________________________________________
>>> CPWG mailing list
>>> CPWG at icann.org
>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>
>>> _______________________________________________
>>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://atlarge-lists.icann.org/pipermail/gtld-wg/attachments/20190711/26667e3c/attachment-0001.html>
-------------- next part --------------
_______________________________________________
CPWG mailing list
CPWG at icann.org
https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.


More information about the GTLD-WG mailing list