<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Hi James<div>Thanks for your excellent comments and your deep knowledge of technology. Let’s all do what James has suggested and move on. As James has so eloquently said <span style="background-color: rgba(255, 255, 255, 0);">we start digging I think you will find every collaboration platform has serious security flaws, but without the excellent response and executive support that Zoom has responded with.</span></div><div><br></div><div>Best </div><div>Judith <br><br><div id="AppleMailSignature" dir="ltr">Sent from my iPhone<div><a href="mailto:Judith@jhellerstein.com">Judith@jhellerstein.com</a></div><div>Skype ID:Judithhellerstein </div></div><div dir="ltr"><br>On Apr 20, 2020, at 10:14 AM, James Gannon <<a href="mailto:james@cyberinvasion.net">james@cyberinvasion.net</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div id="__MailbirdStyleContent" style="font-size: 10pt;font-family: Arial;color: #000000">
I think that we are moving into hypothetical here, if we want to talk in absolutes Zoom has responded in every way possible to the risks presented, its a textbook case of exactly the correct responses that you would look for from an organisation that was taking it seriously.<div><br><div>The flaws discovered were not critical apart from a very small subset of users with a threat model that includes nation state attackers, which is not ICANNs threat model for community collaboration.</div><div><br></div><div>Please dont mistake media coverage for actual threats, I would heavily oppose encouraging ICANN to move away from Zoom, as if we start digging I think you will find every collaboration platform has serious security flaws, but without the excellent response and executive support that Zoom has responded with.<br><div class="mb_sig"></div><blockquote class="history_container" type="cite" style="border-left-style:solid;border-width:1px; margin-top:20px; margin-left:0px;padding-left:10px;">
<p style="color: #AAAAAA; margin-top: 10px;">On 20/04/2020 15:05:28, Judith Hellerstein <<a href="mailto:judith@jhellerstein.com">judith@jhellerstein.com</a>> wrote:</p><div style="font-family:Arial,Helvetica,sans-serif">Microsoft teams does not work well for people with disabilities and other accessibility challenges so it is a no go <div><br></div><div>Judith <br><br><div id="AppleMailSignature" dir="ltr">Sent from my iPhone<div><a href="mailto:Judith@jhellerstein.com">Judith@jhellerstein.com</a></div><div>Skype ID:Judithhellerstein </div></div><div dir="ltr"><br>On Apr 20, 2020, at 9:58 AM, Adrian Schmidt <<a href="mailto:aschmi@gmail.com">aschmi@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">Maybe you did this in the past, but should we look at some of the "giants" on video conferencing? Google Meet (doesn't have enough features) - Microsoft Teams (I personally dislike them but it might work for us?). For both, there is no need of a client for participants, so people only need to keep updated their browser (maybe easier)<div>They will have the scale needed, but not all the features probably...</div><div>Adrian</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 20, 2020 at 6:36 AM Judith Hellerstein <<a href="mailto:judith@jhellerstein.com">judith@jhellerstein.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hi all<div>As you recal a few years ago we tested the platform that the ietf uses called meet echo. The icann it were on the call and were impressed with that technology but thought then that this platform was not mature enough and asked them to work on the deficiencies they saw. We were at that time on adobe and just starting the process of possibly moving but meetecho did not have the capital to expand and their largest client the ietf did not need those enhancements and so they did not expand. A few months later the adobe flaw was discovered and icann left adobe. Meet echo was a good alternative and would have beef great if they had put in the effort but they did not </div><div><br></div><div>Judith <br><br><div id="gmail-m_3125317712213956834AppleMailSignature" dir="ltr">Sent from my iPhone<div><a href="mailto:Judith@jhellerstein.com" target="_blank">Judith@jhellerstein.com</a></div><div>Skype ID:Judithhellerstein </div></div><div dir="ltr"><br>On Apr 20, 2020, at 8:18 AM, Satish Babu <<a href="mailto:sbabu@ieee.org" target="_blank">sbabu@ieee.org</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><br></div><div></div></div><div>Hi</div><div><br></div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 20, 2020 at 5:44 PM Adrian Schmidt <<a href="mailto:aschmi@gmail.com" target="_blank">aschmi@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div>I agree with most of the technical reports about Zoom, but we should agree that growing 10x in a very short time is painful. In my daily job we still support zoom even if that is for a school district, and try to get ahead of possible problems.</div><div>One alternative that I've been looking at is to develop a very good product called Jitsi, that is open source, and seems to be working very well <a href="https://jitsi.org/" target="_blank">https://jitsi.org/</a> - but of course, I don't think ICANN at this point can setup needed servers infrastructure to do video conferencing at the level we need</div></div></blockquote><div><br></div></div><div class="gmail_quote"><div dir="ltr"><div>Jitsi is indeed a promising alternative, but it doesn't appear to scale well beyond about 30-35 users as of now. Personally, I'd choose an open source application wherever possible, so I'm keenly awaiting further development of this product.</div><div><br></div><div>With kind regards,</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>satish<br></div><div><br></div><div><br></div></div></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 20, 2020 at 3:00 AM Lutz Donnerhacke <<a href="mailto:lutz@donnerhacke.de" target="_blank">lutz@donnerhacke.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="DE"><div><p class="MsoNormal"><span style="font-size: 11pt;font-family: Calibri,sans-serif;color: rgb(31,73,125)" lang="EN-GB">Correct. Zoom is currently actively examined, other applications are still unknown. We all remember the security record of Adobe Flash (base of Connect). Yes, zoom is in bad standing right now, but they react in a senseful ways. Yes zoom did a bad job in updating their software, we do not know anything about alternatives.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size: 11pt;font-family: Calibri,sans-serif;color: rgb(31,73,125)" lang="EN-GB"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size: 11pt;font-family: Calibri,sans-serif;color: rgb(31,73,125)" lang="EN-GB">So I’m currently prefer to stick with Zoom for our purposes.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size: 11pt;font-family: Calibri,sans-serif;color: rgb(31,73,125)" lang="EN-GB"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size: 11pt;font-family: Calibri,sans-serif;color: rgb(31,73,125)" lang="EN-GB"><u></u> <u></u></span></p><div style="border-color:currentcolor currentcolor currentcolor blue;border-style:none none none solid;border-width:medium medium medium 1.5pt;padding:0cm 0cm 0cm 4pt"><div><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm"><p class="MsoNormal"><b><span style="font-size: 11pt;font-family: Calibri,sans-serif">Von:</span></b><span style="font-size: 11pt;font-family: Calibri,sans-serif"> ttf <<a href="mailto:ttf-bounces@atlarge-lists.icann.org" target="_blank">ttf-bounces@atlarge-lists.icann.org</a>> <b>Im Auftrag von </b>Olivier MJ Crépin-Leblond<br><b>Gesendet:</b> Sonntag, 19. April 2020 00:54<br><b>An:</b> DANIEL NANGHAKA <<a href="mailto:dndannang@gmail.com" target="_blank">dndannang@gmail.com</a>>; Alfredo Calderon-Serrano <<a href="mailto:acalderon1@me.com" target="_blank">acalderon1@me.com</a>><br><b>Cc:</b> Technology Taskforce WG <<a href="mailto:ttf@atlarge-lists.icann.org" target="_blank">ttf@atlarge-lists.icann.org</a>><br><b>Betreff:</b> [SPAM:1.4] Re: [technology taskforce] ZOOM 90-Day Security Plan Progress Report: April 15<u></u><u></u></span></p></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal" style="margin-bottom:12pt">Dear Daniel,<br><br>in one week I have seen more security and feature updates in Zoom than in 3 years of prior utilisation. There are alternatives to Zoom, but most of them have the same faults and can be equally as easy to hack. Some alternatives might be better on security but are feature poor and bandwidth hungry. Some are worse than Zoom on security and have done nothing to address these points, and some alternatives are downright awful to use... or "work" only on a single platform.<br>Kindest regards,<br><br>Olivier<u></u><u></u></p><div><p class="MsoNormal">On 18/04/2020 23:33, DANIEL NANGHAKA wrote:<u></u><u></u></p></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><p class="MsoNormal">Are we still safe with zoom amidst all the flaws that have been identified? <u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">There was a time when a simple flaw was discover during an ICANN meeting, and Adobe Connect was shutdown. Is there an analysis of the effects. <u></u><u></u></p></div><div><p class="MsoNormal">What is the security guarantee that we have on zoom?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Daniel KN<u></u><u></u></p></div></div><div><p class="MsoNormal"><span style="border:1pt solid windowtext;padding:0cm"><~WRD000.jpg></span><span style="font-size: 7.5pt;font-family: Gadugi,sans-serif;color: white">ᐧ</span><u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">On Sat, 18 Apr 2020 at 17:17, Alfredo Calderon-Serrano via ttf <<a href="mailto:ttf@atlarge-lists.icann.org" target="_blank">ttf@atlarge-lists.icann.org</a>> wrote:<u></u><u></u></p></div><blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm"><div><p class="MsoNormal"><a href="https://blog.zoom.us/wordpress/2020/04/15/90-day-security-plan-progress-report-april-15/" target="_blank">https://blog.zoom.us/wordpress/2020/04/15/90-day-security-plan-progress-report-april-15/</a><br><br><image001.png><u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><image002.png><u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">The newly released </span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><a href="https://blog.zoom.us/wordpress/2020/04/08/zoom-product-updates-new-security-toolbar-icon-for-hosts-meeting-id-hidden/" target="_blank"><span style="color:rgb(253,120,34);border:1pt none windowtext;padding:0cm;text-decoration:none">Security icon</span></a><span style="border:1pt none windowtext;padding:0cm"> in the toolbar provides Zoom Meetings hosts and co-hosts with one-click access to a number of existing Zoom security features, including Lock Meeting and Enable the Waiting Room.</span><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">Changes to Zoom’s default settings</span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">We’ve made changes to Zoom’s default meeting settings to improve security before a meeting starts. Both meeting passwords and Waiting Rooms are enabled by default for our free Basic users and single Pro users, while those in our K-12 education program need a password to join a meeting. Waiting Rooms also are on by default for those K-12 users. </span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">Enhanced meeting password complexity</span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">Account owners and admins can now configure minimum meeting password requirements to include numbers, letters, and special characters, or allow only numeric passwords. Free Basic account users will now use alphanumeric passwords by default instead of numeric passwords. </span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">Changes to data center routing </span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">Starting April 18, account admins will have the ability to choose whether or not their data is routed through specific data center regions, giving users more control of their interactions with Zoom’s global network. Learn more about the process in our </span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><a href="https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-control-your-zoom-data-routing/" target="_blank"><span style="color:rgb(253,120,34);border:1pt none windowtext;padding:0cm;text-decoration:none">blog post</span></a><span style="border:1pt none windowtext;padding:0cm">.</span><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">Bug bounty program with Katie Moussouris of Luta Security </span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><u></u><u></u></span></p><p style="margin:0cm 0cm 0.0001pt;vertical-align:baseline;box-sizing:border-box"><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41);border: 1pt none windowtext;padding: 0cm">Zoom will be working with Luta Security to reboot our bug bounty program. Luta Security was founded by Katie Moussouris, who created some of the most important vulnerability programs still running today. She started Microsoft Vulnerability Research and Symantec Vulnerability Research, and also started Microsoft’s and the Pentagon’s bug bounty programs. Luta Security will be assessing Zoom’s program holistically with a 90-day “get well” plan, which will cover all internal vulnerability handling processes. Read more in Katie’s <a href="https://www.lutasecurity.com/post/luta-security-and-zoom" target="_blank"><span style="color:rgb(253,120,34);text-decoration:none">blog post</span></a>.</span><span style="font-size: 11.5pt;font-family: Helvetica,sans-serif;color: rgb(19,35,41)"><u></u><u></u></span></p></div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Alfredo Calderón <u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Sent from my iPad<u></u><u></u></p></div></div></div></div><p class="MsoNormal">_______________________________________________<br>ttf mailing list<br><a href="mailto:ttf@atlarge-lists.icann.org" target="_blank">ttf@atlarge-lists.icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/ttf" target="_blank">https://mm.icann.org/mailman/listinfo/ttf</a><br><br>_______________________________________________<br>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<u></u><u></u></p></blockquote></div><p class="MsoNormal"><br><br><u></u><u></u></p><pre>_______________________________________________<u></u><u></u></pre><pre>ttf mailing list<u></u><u></u></pre><pre><a href="mailto:ttf@atlarge-lists.icann.org" target="_blank">ttf@atlarge-lists.icann.org</a><u></u><u></u></pre><pre><a href="https://mm.icann.org/mailman/listinfo/ttf" target="_blank">https://mm.icann.org/mailman/listinfo/ttf</a><u></u><u></u></pre><pre><u></u> <u></u></pre><pre>_______________________________________________<u></u><u></u></pre><pre>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<u></u><u></u></pre></blockquote><p class="MsoNormal"><br><br><u></u><u></u></p><pre>-- <u></u><u></u></pre><pre>Olivier MJ Crépin-Leblond, PhD<u></u><u></u></pre><pre><a href="http://www.gih.com/ocl.html" target="_blank">http://www.gih.com/ocl.html</a><u></u><u></u></pre></div></div></div>_______________________________________________<br>
ttf mailing list<br>
<a href="mailto:ttf@atlarge-lists.icann.org" target="_blank">ttf@atlarge-lists.icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/ttf" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/ttf</a><br>
<br>
_______________________________________________<br>
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" rel="noreferrer" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" rel="noreferrer" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</blockquote></div>
_______________________________________________<br>
ttf mailing list<br>
<a href="mailto:ttf@atlarge-lists.icann.org" target="_blank">ttf@atlarge-lists.icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/ttf" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/ttf</a><br>
<br>
_______________________________________________<br>
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" rel="noreferrer" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" rel="noreferrer" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</blockquote></div></div></div>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>ttf mailing list</span><br><span><a href="mailto:ttf@atlarge-lists.icann.org" target="_blank">ttf@atlarge-lists.icann.org</a></span><br><span><a href="https://mm.icann.org/mailman/listinfo/ttf" target="_blank">https://mm.icann.org/mailman/listinfo/ttf</a></span><br><span></span><br><span>_______________________________________________</span><br><span>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</span></div></blockquote></div></div></blockquote></div>
</div></blockquote></div></div></blockquote>
</div></div></div></div></blockquote></div></body></html>