[CPWG] Fwd: Re: Zoom Structural Vulnerability Discovered

Marita Moll mmoll at ca.inter.net
Thu Jul 11 13:42:11 UTC 2019


Thanks Judith, for this background. But what I am asking is whether 
there is any appetite in At-Large to join in the suggestion below 
clipped from a discussion on the NCSG list. I get it that the TTF 
already has covered some of this, but I think formalizing the arrangement 
as suggested below would be a good cooperative gesture, and I definitely 
think there should be a tender.

Here is the proposal from the NCSG list that I would like to see us 
consider:

"Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO 
could be requested to set up a specifications sheet for a desirable 
conferencing tool, based on needs expressed by the multi-stakeholder 
community, and publish that as a tender. Offers received could then be 
reviewed not only by Staff, but in consultation with ACs and SOs."

Marita

On 7/10/2019 10:05 AM, Judith Hellerstein wrote:
>
> Hi Marita,
>
> Yes, the TTF had discussed Zoom and other technology platforms with 
> the ICANN Meetings team and also had sent them our comparison sheet of 
> items that we need to see and what we hope to see in a new web 
> meetings software. We were actively involved early on in the process. 
> We then had a follow-up call later on with questions regarding Zoom 
> with the ICANN Meetings team. We can discuss this vulnerability at the 
> next TTF meeting. We work closely with Mark Seagal from ICANN IT, who 
> is our designated liaison, and also with Sara Caplis of the ICANN 
> Meetings team, who is the lead person on Zoom and other related 
> software used.
>
> Best,
>
> Judith
>
> _________________________________________________________________________
> Judith Hellerstein, Founder & CEO
> Hellerstein & Associates
> 3001 Veazey Terrace NW, Washington DC 20008
> Phone: (202) 362-5139  Skype ID: judithhellerstein
> Mobile/Whats app: +1202-333-6517
> E-mail: Judith at jhellerstein.com    Website: www.jhellerstein.com
> LinkedIn: www.linkedin.com/in/jhellerstein/
> Opening Telecom & Technology Opportunities Worldwide
>
> On 7/10/2019 3:00 PM, Marita Moll wrote:
>>
>> Hello all. I did bring up issues around the Zoom platform in early 
>> June and I have not yet had a chance to take the issues I see with 
>> the platform any further. But there is a robust discussion going on 
>> at NCSG with the idea below re: a joint recommendation from SOs/ACs 
>> for community input into the choices that are made about platform 
>> changes that affect us so profoundly. Perhaps we should indicate our 
>> support for this sort of action -- through our Technology Task Force.
>>
>> Marita
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: Re: Zoom Structural Vulnerability Discovered
>> Date: Wed, 10 Jul 2019 15:21:51 +0200
>> From: Jean-Jacques Subrenat <jjs at DYALOG.NET>
>> Reply-To: Jean-Jacques Subrenat <jjs at DYALOG.NET>
>> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
>>
>>
>>
>> First, a remark: for Adobe, Zoom or other tool providers, ICANN may 
>> not be the single largest client, but it is certainly a significant 
>> one owing to its nature (quasi-regulatory, multi-stakeholder, some 
>> parts geared to non-commercial users).
>>
>> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO 
>> could be requested to set up a specifications sheet for a desirable 
>> conferencing tool, based on needs expressed by the multi-stakeholder 
>> community, and publish that as a tender. Offers received could then 
>> be reviewed not only by Staff, but in consultation with ACs and SOs.
>>
>> This would get us closer to what we, collectively, consider as the 
>> appropriate tool for the numerous conference calls held throughout ICANN.
>>
>> Jean-Jacques Subrenat.
>>
>>
>> On 10 July 2019 at 14:46:20, Paul Rosenzweig 
>> (paul.rosenzweig at redbranchconsulting.com 
>> <mailto:paul.rosenzweig at redbranchconsulting.com>) wrote:
>>
>>> This is assuredly right.  The change from Adobe to Zoom may, or may 
>>> not, have been right for ICANN and for this group for any number of 
>>> reasons ranging from cost, to security, to scalability and utility.  
>>> But let’s not romanticize Adobe.  They are not a terribly secure 
>>> platform generically.  As James said, the Zoom response is poor – 
>>> but we can’t hang that around the neck of ICANN org.
>>>
>>> P
>>>
>>> Paul Rosenzweig
>>>
>>> paul.rosenzweig at redbranchconsulting.com 
>>> <mailto:paul.rosenzweig at redbranchconsulting.com>
>>>
>>> O: +1 (202) 547-0660
>>>
>>> M: +1 (202) 329-9650
>>>
>>> VOIP: +1 (202) 738-1739
>>>
>>> www.redbranchconsulting.com <http://www.redbranchconsulting.com/>
>>>
>>> My PGP Key: 
>>> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>>>
>>> *From:* NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> *On Behalf Of 
>>> *James Gannon
>>> *Sent:* Wednesday, July 10, 2019 12:52 AM
>>> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
>>> *Subject:* Re: Zoom Structural Vulnerability Discovered
>>>
>>> Just want to call out that Adobe has likely the worst reputation in 
>>> the entire tech industry when it comes to security. I really would 
>>> not hold them out as either prompt or without serious issues (I 
>>> believe they still hold the record for number of CVSS 9+ vulns).
>>>
>>> Zoom's response is poor, I agree, but on a data-driven comparison it 
>>> is a far more secure platform.
>>>
>>> *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>> on behalf of Ayden Férdeline 
>>> <icann at FERDELINE.COM <mailto:icann at FERDELINE.COM>>
>>> *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM 
>>> <mailto:icann at FERDELINE.COM>>
>>> *Date: *Tuesday, 9 July 2019 at 14:13
>>> *To: *"NCSG-DISCUSS at LISTSERV.SYR.EDU 
>>> <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>" 
>>> <NCSG-DISCUSS at LISTSERV.SYR.EDU <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>>
>>> *Subject: *Re: Zoom Structural Vulnerability Discovered
>>>
>>> That is true, but note that this security researcher notified Zoom 
>>> of the exploit and they were in no rush to repair it. Look at the 
>>> timeline in the Medium post. They only sought to fix it after the 
>>> vulnerability drew media attention.
>>>
>>> Adobe Connect was not perfect but it met our needs and the 
>>> occasional security issues that arose were promptly fixed by Adobe 
>>> and never as serious as this one!
>>>
>>> Best wishes, Ayden
>>>
>>> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq <11beeasadiq at seecs.edu.pk 
>>> <mailto:11beeasadiq at seecs.edu.pk>> wrote:
>>>
>>>     Speaking from a technical perspective, no software is perfect or
>>>     bug-free. It's only a matter of time before a loophole is found and
>>>     exploited and eventually patched up. If you think Adobe Connect
>>>     or ezTalks were/are free of these architectural issues, think
>>>     again! That's the way we in the technical community do things.
>>>
>>>     Regards
>>>
>>>     Adeel
>>>
>>>     Pakistan
>>>
>>>     On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline
>>>     <icann at ferdeline.com <mailto:icann at ferdeline.com>> wrote:
>>>
>>>         Unfortunately, uninstalling the application does not rectify
>>>         the situation, due to poor architecture (acknowledged by
>>>         Zoom on their blog today). They are working on a fix, now
>>>         that public scrutiny demands one. So disappointing
>>>         that ICANN has put us in this terrible situation.
>>>
>>>         Ayden
>>>
>>>         On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst &
>>>         Group CEO <va at BLADEBRAINS.COM <mailto:va at BLADEBRAINS.COM>>
>>>         wrote:
>>>
>>>             Thanks for this. Until the next update, I have removed
>>>             the Zoom for Mac client with immediate effect.
>>>
>>>             Regards,
>>>
>>>             Vaibhav Aggarwal
>>>
>>>             New Delhi
>>>
>>>             VaibhavAggarwal.com <http://VaibhavAggarwal.com>
>>>
>>>                 On Jul 10, 2019, at 12:30 AM, Michael Karanicolas
>>>                 <mkaranicolas at GMAIL.COM
>>>                 <mailto:mkaranicolas at GMAIL.COM>> wrote:
>>>
>>>                 Hey - remember when ICANN switched everyone from
>>>                 Adobe over to Zoom as a way of enhancing information
>>>                 security and data privacy?
>>>
>>>                 "A vulnerability in the Mac Zoom Client allows any
>>>                 malicious website to enable your camera without your
>>>                 permission... This vulnerability allows any website
>>>                 to forcibly join a user to a Zoom call, with their
>>>                 video camera activated, without the user's
>>>                 permission. On top of this, this vulnerability would
>>>                 have allowed any webpage to DOS (Denial of Service)
>>>                 a Mac by repeatedly joining a user to an invalid
>>>                 call. Additionally, if you’ve ever installed the
>>>                 Zoom client and then uninstalled it, you still have
>>>                 a localhost web server on your machine that will
>>>                 happily re-install the Zoom client for you, without
>>>                 requiring any user interaction on your behalf
>>>                 besides visiting a webpage. This re-install
>>>                 ‘feature’ continues to work to this day."
>>>
>>>                 Read more here:
>>>                 https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>>>
>>
>> _______________________________________________
>> CPWG mailing list
>> CPWG at icann.org
>> https://mm.icann.org/mailman/listinfo/cpwg
>>
>> _______________________________________________
>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list in accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.