[CPWG] Fwd: Re: Zoom Structural Vulnerability Discovered
Marita Moll
mmoll at ca.inter.net
Thu Jul 11 13:51:00 UTC 2019
Well, Judith, I can make the suggestion -- or maybe it should come from
a member of the TTF.
Marita
On 7/11/2019 9:46 AM, Judith Hellerstein wrote:
>
> Hi Marita,
>
> Why not have NCSG join the TTF? We are open to all. We have prepared
> a sheet like they are asking and have shared it with the IT staff who
> thought it was very helpful. What would be better is if NCSG sent reps
> or joined the TTF; then we could all speak with one voice.
>
> Best,
>
> Judith
>
> _________________________________________________________________________
> Judith Hellerstein, Founder & CEO
> Hellerstein & Associates
> 3001 Veazey Terrace NW, Washington DC 20008
> Phone: (202) 362-5139 Skype ID: judithhellerstein
> Mobile/Whats app: +1202-333-6517
> E-mail:Judith at jhellerstein.com Website:www.jhellerstein.com
> Linked In:www.linkedin.com/in/jhellerstein/
> Opening Telecom & Technology Opportunities Worldwide
>
> On 7/11/2019 9:42 AM, Marita Moll wrote:
>>
>> Thanks Judith, for this background. But what I am asking is whether
>> there is any appetite in At-large to join in the suggestion below
>> clipped from a discussion on the NCSG list. I get it that the TTF
>> already has covered some of this but I think formalizing the
>> arrangement as suggested below would be a good cooperative gesture and
>> I definitely think there should be a tender.
>>
>> Here is the proposal from the NCSG list that I would like to see us
>> consider:
>>
>> "Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO
>> could be requested to set up a specifications sheet for a desirable
>> conferencing tool, based on needs expressed by the multi-stakeholder
>> community, and publish that as a tender. Offers received could then
>> be reviewed not only by Staff, but in consultation with ACs and SOs."
>>
>> Marita
>>
>> On 7/10/2019 10:05 AM, Judith Hellerstein wrote:
>>>
>>> Hi Marita,
>>>
>>> Yes, the TTF had discussed Zoom and other technology platforms with
>>> the ICANN Meetings team and also had sent them our comparison sheet
>>> of items that we need to see and what we hope to see in a new web
>>> meetings software. We were actively involved early on in the
>>> process. We then had a follow-up call later on with questions
>>> regarding Zoom with the ICANN Meetings team. We can discuss this
>>> vulnerability at the next TTF meeting. We work closely with Mark
>>> Seagal from ICANN IT, who is our designated liaison, and also with
>>> Sara Caplis of the ICANN Meetings team, who is the lead person on
>>> Zoom and other related software used.
>>>
>>> Best,
>>>
>>> Judith
>>>
>>> _________________________________________________________________________
>>> Judith Hellerstein, Founder & CEO
>>> Hellerstein & Associates
>>> 3001 Veazey Terrace NW, Washington DC 20008
>>> Phone: (202) 362-5139 Skype ID: judithhellerstein
>>> Mobile/Whats app: +1202-333-6517
>>> E-mail:Judith at jhellerstein.com Website:www.jhellerstein.com
>>> Linked In:www.linkedin.com/in/jhellerstein/
>>> Opening Telecom & Technology Opportunities Worldwide
>>>
>>> On 7/10/2019 3:00 PM, Marita Moll wrote:
>>>>
>>>> Hello all. I did bring up issues around the Zoom platform in early
>>>> June and I have not yet had a chance to take the issues I see with
>>>> the platform any further. But there is a robust discussion going on
>>>> at NCSG with the idea below re: a joint recommendation from
>>>> SO's/AC's for community input into the choices that are made about
>>>> platform changes that affect us so profoundly. Perhaps we should
>>>> indicate our support for this sort of action -- through our
>>>> technology task force.
>>>>
>>>> Marita
>>>>
>>>>
>>>>
>>>> -------- Forwarded Message --------
>>>> Subject: Re: Zoom Structural Vulnerability Discovered
>>>> Date: Wed, 10 Jul 2019 15:21:51 +0200
>>>> From: Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>> Reply-To: Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>
>>>>
>>>>
>>>> First, a remark: for Adobe, Zoom or other tool providers, ICANN may
>>>> not be the single largest client, but it is certainly a significant
>>>> one owing to its nature (quasi-regulatory, multi-stakeholder, some
>>>> parts geared to non-commercial users).
>>>>
>>>> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and
>>>> CEO could be requested to set up a specifications sheet for a
>>>> desirable conferencing tool, based on needs expressed by the
>>>> multi-stakeholder community, and publish that as a tender. Offers
>>>> received could then be reviewed not only by Staff, but in
>>>> consultation with ACs and SOs.
>>>>
>>>> This would get us closer to what we, collectively, consider as the
>>>> appropriate tool for the numerous conference calls held throughout
>>>> ICANN.
>>>>
>>>> Jean-Jacques Subrenat.
>>>>
>>>>
>>>> On 10 July 2019 at 14:46:20, Paul Rosenzweig
>>>> (paul.rosenzweig at redbranchconsulting.com) wrote:
>>>>
>>>>> This is assuredly right. The change from Adobe to Zoom may, or may
>>>>> not, have been right for ICANN and for this group for any number
>>>>> of reasons ranging from cost, to security, to scalability and
>>>>> utility. But let’s not romanticize Adobe. They are not a
>>>>> terribly secure platform generically. As James said, the Zoom
>>>>> response is poor – but we can’t hang that around the neck of ICANN
>>>>> org.
>>>>>
>>>>> P
>>>>>
>>>>> Paul Rosenzweig
>>>>>
>>>>> paul.rosenzweig at redbranchconsulting.com
>>>>>
>>>>> O: +1 (202) 547-0660
>>>>>
>>>>> M: +1 (202) 329-9650
>>>>>
>>>>> VOIP: +1 (202) 738-1739
>>>>>
>>>>> www.redbranchconsulting.com <http://www.redbranchconsulting.com/>
>>>>>
>>>>> My PGP Key:
>>>>> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>>>>>
>>>>> *From:* NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> *On Behalf Of
>>>>> *James Gannon
>>>>> *Sent:* Wednesday, July 10, 2019 12:52 AM
>>>>> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>> *Subject:* Re: Zoom Structural Vulnerability Discovered
>>>>>
>>>>> Just want to call out that Adobe has likely the worst reputation
>>>>> in the entire tech industry when it comes to security, I really
>>>>> would not hold them out as either prompt or without serious issues
>>>>> (I believe they still hold the record for number of CVSS 9+ vulns).
>>>>>
>>>>> Zoom's response is poor, I agree, but on a data-driven comparison it
>>>>> is a far more secure platform.
>>>>>
>>>>> *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> on behalf of
>>>>> Ayden Férdeline <icann at FERDELINE.COM>
>>>>> *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM>
>>>>> *Date: *Tuesday, 9 July 2019 at 14:13
>>>>> *To: *"NCSG-DISCUSS at LISTSERV.SYR.EDU" <NCSG-DISCUSS at LISTSERV.SYR.EDU>
>>>>> *Subject: *Re: Zoom Structural Vulnerability Discovered
>>>>>
>>>>> That is true, but note that this security researcher notified Zoom
>>>>> of the exploit and they were in no rush to repair it. Look at the
>>>>> timeline in the Medium post. They only sought to fix it after the
>>>>> vulnerability drew media attention.
>>>>>
>>>>> Adobe Connect was not perfect but it met our needs and the
>>>>> occasional security issues that arose were promptly fixed by Adobe
>>>>> and never as serious as this one!
>>>>>
>>>>> Best wishes, Ayden
>>>>>
>>>>> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq
>>>>> <11beeasadiq at seecs.edu.pk> wrote:
>>>>>
>>>>> Speaking from a technical perspective, no software is perfect
>>>>> or bug-free. It's only a matter of time before a loophole is found
>>>>> and exploited and eventually patched up. If you think Adobe
>>>>> Connect or ezTalks were/are free of these architectural
>>>>> issues, think again! That's the way we, the technical community, do
>>>>> things.
>>>>>
>>>>> Regards
>>>>>
>>>>> Adeel
>>>>>
>>>>> Pakistan
>>>>>
>>>>> On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline
>>>>> <icann at ferdeline.com> wrote:
>>>>>
>>>>> Unfortunately, uninstalling the application does not
>>>>> rectify the situation, due to poor architecture
>>>>> (acknowledged by Zoom on their blog today). They are
>>>>> working on a fix, now that public scrutiny demands one. So
>>>>> disappointing that ICANN has put us in this terrible
>>>>> situation.
>>>>>
>>>>> Ayden
>>>>>
>>>>> On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst &
>>>>> Group CEO <va at BLADEBRAINS.COM> wrote:
>>>>>
>>>>> Thanks for this. Till the next Update, I have removed
>>>>> the Zoom For Mac Client with immediate effect.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Vaibhav Aggarwal
>>>>>
>>>>> New Delhi
>>>>>
>>>>> VaibhavAggarwal.com <http://VaibhavAggarwal.com>
>>>>>
>>>>> On Jul 10, 2019, at 12:30 AM, Michael Karanicolas
>>>>> <mkaranicolas at GMAIL.COM> wrote:
>>>>>
>>>>> Hey - remember when ICANN switched everyone from
>>>>> Adobe over to Zoom as a way of enhancing
>>>>> information security and data privacy?
>>>>>
>>>>> "A vulnerability in the Mac Zoom Client allows any
>>>>> malicious website to enable your camera without
>>>>> your permission... This vulnerability allows any
>>>>> website to forcibly join a user to a Zoom call,
>>>>> with their video camera activated, without the
>>>>> user's permission. On top of this, this
>>>>> vulnerability would have allowed any webpage to
>>>>> DOS (Denial of Service) a Mac by repeatedly
>>>>> joining a user to an invalid call. Additionally,
>>>>> if you’ve ever installed the Zoom client and then
>>>>> uninstalled it, you still have a localhost web
>>>>> server on your machine that will happily
>>>>> re-install the Zoom client for you, without
>>>>> requiring any user interaction on your behalf
>>>>> besides visiting a webpage. This re-install
>>>>> ‘feature’ continues to work to this day."
>>>>>
>>>>> Read more here:
>>>>> https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>>>>>
>>>>
>>>> _______________________________________________
>>>> CPWG mailing list
>>>> CPWG at icann.org
>>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>>
>>>> _______________________________________________
>>>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.