[GTLD-WG] [CPWG] Fwd: Re: Zoom Structural Vulnerability Discovered

Marita Moll mmoll at ca.inter.net
Thu Jul 11 14:26:15 UTC 2019


Cool! Thanks Judith. Let us know how that turns out.

Marita

On 7/11/2019 10:07 AM, Judith Hellerstein wrote:
>
> HI Marita,
>
> I just wrote a note to the Executive leaders of the NCSG as listed on 
> the website asking them to join with us and speak as one voice
>
> Judith
>
> _________________________________________________________________________
> Judith Hellerstein, Founder & CEO
> Hellerstein & Associates
> 3001 Veazey Terrace NW, Washington DC 20008
> Phone: (202) 362-5139  Skype ID: judithhellerstein
> Mobile/Whats app: +1202-333-6517
> E-mail:Judith at jhellerstein.com    Website:www.jhellerstein.com
> Linked In:www.linkedin.com/in/jhellerstein/
> Opening Telecom & Technology Opportunities Worldwide
>
> On 7/11/2019 9:51 AM, Marita Moll wrote:
>>
>> Well, Judith, I can make the suggestion -- or maybe it should come 
>> from a member of the TTF.
>>
>> Marita
>>
>>
>> On 7/11/2019 9:46 AM, Judith Hellerstein wrote:
>>>
>>> HI Marita,
>>>
>>> Why not have NCSG join the TTF.  We are open to all.  We have 
>>> prepared a sheet like they are asking and have shared it with the IT 
>>> staff who thought it was very helpful.  What would be better is NCSG 
>>> sent reps or joined the TTF than we could all speak with once voice.
>>>
>>> Best,
>>>
>>> Judith
>>>
>>> _________________________________________________________________________
>>> Judith Hellerstein, Founder & CEO
>>> Hellerstein & Associates
>>> 3001 Veazey Terrace NW, Washington DC 20008
>>> Phone: (202) 362-5139  Skype ID: judithhellerstein
>>> Mobile/Whats app: +1202-333-6517
>>> E-mail:Judith at jhellerstein.com    Website:www.jhellerstein.com
>>> Linked In:www.linkedin.com/in/jhellerstein/
>>> Opening Telecom & Technology Opportunities Worldwide
>>>
>>> On 7/11/2019 9:42 AM, Marita Moll wrote:
>>>>
>>>> Thanks Judith, for this background. But what I am asking is whether 
>>>> there is any appetite in At-large to join in the suggestion below 
>>>> clipped from a discussion on the NCSG list. I get it that the TTF 
>>>> already has covered some of this but I think formalizing the 
>>>> arrangement as suggested below would be good cooperative gesture 
>>>> and I definitely think there should be a tender.
>>>>
>>>> Here is the proposal from the NCSG list that I would like to see us 
>>>> consider:
>>>>
>>>> "Then, a recommendation to Chairs of ACs and SOs: ICANN Board and 
>>>> CEO could be requested to set up a specifications sheet for a 
>>>> desirable conferencing tool, based on needs expressed by the 
>>>> multi-stakeholder community, and publish that as a tender. Offers 
>>>> received could then be reviewed not only by Staff, but in 
>>>> consultation with ACs and SOs."
>>>>
>>>> Marita
>>>>
>>>> On 7/10/2019 10:05 AM, Judith Hellerstein wrote:
>>>>>
>>>>> HI Marita,
>>>>>
>>>>> Yes the TTF had discussed zoom and others technology platforms 
>>>>> with the ICANN Meetings team and also had sent them our comparison 
>>>>> sheet of items that we need to see and what we hope to see in a 
>>>>> new web meetings software. We were actively involved early on in 
>>>>> the process. We then had a follow up call later on with questions 
>>>>> regarding Zoom with the ICANN Meetings team. We can discuss this 
>>>>> vulnerability at the next TTF meeting. We work Closely with Mark 
>>>>> Seagal from ICANN IT who is our designated Liaison and also with 
>>>>> Sara Caplis of the ICANN Meetings team who is the lead person on 
>>>>> Zoom and other related software used
>>>>>
>>>>> Best,
>>>>>
>>>>> Judith
>>>>>
>>>>> _________________________________________________________________________
>>>>> Judith Hellerstein, Founder & CEO
>>>>> Hellerstein & Associates
>>>>> 3001 Veazey Terrace NW, Washington DC 20008
>>>>> Phone: (202) 362-5139  Skype ID: judithhellerstein
>>>>> Mobile/Whats app: +1202-333-6517
>>>>> E-mail:Judith at jhellerstein.com    Website:www.jhellerstein.com
>>>>> Linked In:www.linkedin.com/in/jhellerstein/
>>>>> Opening Telecom & Technology Opportunities Worldwide
>>>>>
>>>>> On 7/10/2019 3:00 PM, Marita Moll wrote:
>>>>>>
>>>>>> Hello all. I did bring up issues around the Zoom platform in 
>>>>>> early June and I have not yet had a chance to take the issues I 
>>>>>> see with the platform any further. But there is a robust 
>>>>>> discussion going on at NCSG with the idea below re: a joint 
>>>>>> recommendation from SO's/AC's for community input into the 
>>>>>> choices that are made about platform changes that affect us so 
>>>>>> profoundly. Perhaps we should indicate our support for this sort 
>>>>>> of action -- through our technology task force.
>>>>>>
>>>>>> Marita
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------- Forwarded Message --------
>>>>>> Subject: 	Re: Zoom Structural Vulnerability Discovered
>>>>>> Date: 	Wed, 10 Jul 2019 15:21:51 +0200
>>>>>> From: 	Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>>>> Reply-To: 	Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>>>> To: 	NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>>>
>>>>>>
>>>>>>
>>>>>> First, a remark: for Adobe, Zoom or other tool providers, ICANN 
>>>>>> may not be the single largest client, but it is certainly a 
>>>>>> significant one owing to its nature (quasi-regulatory, 
>>>>>> multi-stakeholder, some parts geared to non-commercial users).
>>>>>>
>>>>>> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and 
>>>>>> CEO could be requested to set up a specifications sheet for a 
>>>>>> desirable conferencing tool, based on needs expressed by the 
>>>>>> multi-stakeholder community, and publish that as a tender. Offers 
>>>>>> received could then be reviewed not only by Staff, but in 
>>>>>> consultation with ACs and SOs.
>>>>>>
>>>>>> This would get us closer to what we, collectively, consider as 
>>>>>> the appropriate tool for the numerous conference calls held 
>>>>>> throughout ICANN.
>>>>>>
>>>>>> Jean-Jacques Subrenat.
>>>>>>
>>>>>>
>>>>>> Le 10 juillet 2019 à 14:46:20, Paul Rosenzweig 
>>>>>> (paul.rosenzweig at redbranchconsulting.com 
>>>>>> <mailto:paul.rosenzweig at redbranchconsulting.com>) a écrit:
>>>>>>
>>>>>>> This is assuredly right.  The change from Adobe to Zoom may, or 
>>>>>>> may not, have been right for ICANN and for this group for any 
>>>>>>> number of reasons ranging from cost, to security, to scalability 
>>>>>>> and utility.  But let’s not romanticize Adobe.  They are not a 
>>>>>>> terribly secure platform generically.  As James said, the Zoom 
>>>>>>> response is poor – but we can’t hang that around the neck of 
>>>>>>> ICANN org.
>>>>>>>
>>>>>>> P
>>>>>>>
>>>>>>> Paul Rosenzweig
>>>>>>>
>>>>>>> paul.rosenzweig at redbranchconsulting.com 
>>>>>>> <mailto:paul.rosenzweig at redbranchconsulting.com>
>>>>>>>
>>>>>>> O: +1 (202) 547-0660
>>>>>>>
>>>>>>> M: +1 (202) 329-9650
>>>>>>>
>>>>>>> VOIP: +1 (202) 738-1739
>>>>>>>
>>>>>>> www.redbranchconsulting.com <http://www.redbranchconsulting.com/>
>>>>>>>
>>>>>>> My PGP Key: 
>>>>>>> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>>>>>>>
>>>>>>> *From:* NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> *On Behalf 
>>>>>>> Of *James Gannon
>>>>>>> *Sent:* Wednesday, July 10, 2019 12:52 AM
>>>>>>> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>>>> *Subject:* Re: Zoom Structural Vulnerability Discovered
>>>>>>>
>>>>>>> Just want to call out that Adobe has likely the worst reputation 
>>>>>>> in the entire tech industry when it comes to security, I really 
>>>>>>> would not hold them out as either prompt or without serious 
>>>>>>> issues (I believe they still hold the record for number of CVSS 
>>>>>>> 9+ vulns).
>>>>>>>
>>>>>>> Zooms response is poor I agree, but on a data driven comparison 
>>>>>>> it is a far more secure platform.
>>>>>>>
>>>>>>> *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>>>>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>> on behalf of Ayden 
>>>>>>> Férdeline <icann at FERDELINE.COM <mailto:icann at FERDELINE.COM>>
>>>>>>> *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM 
>>>>>>> <mailto:icann at FERDELINE.COM>>
>>>>>>> *Date: *Tuesday, 9 July 2019 at 14:13
>>>>>>> *To: *"NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>>>>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>" 
>>>>>>> <NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>>>>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>>
>>>>>>> *Subject: *Re: Zoom Structural Vulnerability Discovered
>>>>>>>
>>>>>>> That is true, but note that this security researcher notified 
>>>>>>> Zoom of the exploit and they were in no rush to repair it. Look 
>>>>>>> at the timeline in the Medium post. They only sought to fix it 
>>>>>>> after the vulnerability drew media attention.
>>>>>>>
>>>>>>> Adobe Connect was not perfect but it met our needs and the 
>>>>>>> occasional security issues that arose were promptly fixed by 
>>>>>>> Adobe and never as serious as this one!
>>>>>>>
>>>>>>> Best wishes, Ayden
>>>>>>>
>>>>>>> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq 
>>>>>>> <11beeasadiq at seecs.edu.pk <mailto:11beeasadiq at seecs.edu.pk>> wrote:
>>>>>>>
>>>>>>>     Speaking from a technical perspective, no software is
>>>>>>>     perfect or bug-free. Its only a matter of time a loophole is
>>>>>>>     found and exploited and eventually patched up. If you think
>>>>>>>     Adobe Connect or ezTalks were/are free of these
>>>>>>>     architectural issues, think again! That's the way we
>>>>>>>     technical community do things.
>>>>>>>
>>>>>>>     Regards
>>>>>>>
>>>>>>>     Adeel
>>>>>>>
>>>>>>>     Pakistan
>>>>>>>
>>>>>>>     On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline
>>>>>>>     <icann at ferdeline.com <mailto:icann at ferdeline.com>> wrote:
>>>>>>>
>>>>>>>         Unfortunately, uninstalling the application does not
>>>>>>>         rectify the situation, due to poor architecture
>>>>>>>         (acknowledged by Zoom on their blog today). They are
>>>>>>>         working on a fix, now that public scrutiny demands one.
>>>>>>>         So disappointing that ICANN has put us in this terrible
>>>>>>>         situation.
>>>>>>>
>>>>>>>         Ayden
>>>>>>>
>>>>>>>         On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst
>>>>>>>         & Group CEO <va at BLADEBRAINS.COM
>>>>>>>         <mailto:va at BLADEBRAINS.COM>> wrote:
>>>>>>>
>>>>>>>             Thanks for this. Till the next Update, I have
>>>>>>>             removed the Zoom For Mac Client with immediate effect.
>>>>>>>
>>>>>>>             Regards,
>>>>>>>
>>>>>>>             Vaibhav Aggarwal
>>>>>>>
>>>>>>>             New Delhi
>>>>>>>
>>>>>>>             VaibhavAggarwal.com <http://VaibhavAggarwal.com>
>>>>>>>
>>>>>>>                 On Jul 10, 2019, at 12:30 AM, Michael
>>>>>>>                 Karanicolas <mkaranicolas at GMAIL.COM
>>>>>>>                 <mailto:mkaranicolas at GMAIL.COM>> wrote:
>>>>>>>
>>>>>>>                 Hey - remember when ICANN switched everyone from
>>>>>>>                 Adobe over to Zoom as a way of enhancing
>>>>>>>                 information security and data privacy?
>>>>>>>
>>>>>>>                 "A vulnerability in the Mac Zoom Client allows
>>>>>>>                 any malicious website to enable your camera
>>>>>>>                 without your permission... This vulnerability
>>>>>>>                 allows any website to forcibly join a user to a
>>>>>>>                 Zoom call, with their video camera activated,
>>>>>>>                 without the user's permission. On top of this,
>>>>>>>                 this vulnerability would have allowed any
>>>>>>>                 webpage to DOS (Denial of Service) a Mac by
>>>>>>>                 repeatedly joining a user to an invalid call.
>>>>>>>                 Additionally, if you’ve ever installed the Zoom
>>>>>>>                 client and then uninstalled it, you still have a
>>>>>>>                 localhost web server on your machine that will
>>>>>>>                 happily re-install the Zoom client for you,
>>>>>>>                 without requiring any user interaction on your
>>>>>>>                 behalf besides visiting a webpage. This
>>>>>>>                 re-install ‘feature’ continues to work to this day."
>>>>>>>
>>>>>>>                 Read more here:
>>>>>>>                 https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> CPWG mailing list
>>>>>> CPWG at icann.org
>>>>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>>>>
>>>>>> _______________________________________________
>>>>>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
>>>>>
>>>>> _______________________________________________
>>>>> CPWG mailing list
>>>>> CPWG at icann.org
>>>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>>>
>>>>> _______________________________________________
>>>>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://atlarge-lists.icann.org/pipermail/gtld-wg/attachments/20190711/bd7efe03/attachment-0001.html>
-------------- next part --------------
_______________________________________________
CPWG mailing list
CPWG at icann.org
https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.


More information about the GTLD-WG mailing list