[CPWG] Fwd: Re: Zoom Structural Vulnerability Discovered
Marita Moll
mmoll at ca.inter.net
Thu Jul 11 14:26:15 UTC 2019
Cool! Thanks Judith. Let us know how that turns out.
Marita
On 7/11/2019 10:07 AM, Judith Hellerstein wrote:
>
> HI Marita,
>
> I just wrote a note to the Executive leaders of the NCSG as listed on
> the website asking them to join with us and speak as one voice.
>
> Judith
>
> _________________________________________________________________________
> Judith Hellerstein, Founder & CEO
> Hellerstein & Associates
> 3001 Veazey Terrace NW, Washington DC 20008
> Phone: (202) 362-5139 Skype ID: judithhellerstein
> Mobile/Whats app: +1202-333-6517
> E-mail: Judith at jhellerstein.com  Website: www.jhellerstein.com
> LinkedIn: www.linkedin.com/in/jhellerstein/
> Opening Telecom & Technology Opportunities Worldwide
>
> On 7/11/2019 9:51 AM, Marita Moll wrote:
>>
>> Well, Judith, I can make the suggestion -- or maybe it should come
>> from a member of the TTF.
>>
>> Marita
>>
>>
>> On 7/11/2019 9:46 AM, Judith Hellerstein wrote:
>>>
>>> HI Marita,
>>>
>>> Why not have NCSG join the TTF? We are open to all. We have
>>> prepared a sheet like the one they are asking for and have shared it with
>>> the IT staff, who thought it was very helpful. It would be better if NCSG
>>> sent reps or joined the TTF; then we could all speak with one voice.
>>>
>>> Best,
>>>
>>> Judith
>>>
>>>
>>> On 7/11/2019 9:42 AM, Marita Moll wrote:
>>>>
>>>> Thanks, Judith, for this background. But what I am asking is whether
>>>> there is any appetite in At-Large to join in the suggestion below,
>>>> clipped from a discussion on the NCSG list. I get it that the TTF
>>>> has already covered some of this, but I think formalizing the
>>>> arrangement as suggested below would be a good cooperative gesture,
>>>> and I definitely think there should be a tender.
>>>>
>>>> Here is the proposal from the NCSG list that I would like to see us
>>>> consider:
>>>>
>>>> "Then, a recommendation to Chairs of ACs and SOs: ICANN Board and
>>>> CEO could be requested to set up a specifications sheet for a
>>>> desirable conferencing tool, based on needs expressed by the
>>>> multi-stakeholder community, and publish that as a tender. Offers
>>>> received could then be reviewed not only by Staff, but in
>>>> consultation with ACs and SOs."
>>>>
>>>> Marita
>>>>
>>>> On 7/10/2019 10:05 AM, Judith Hellerstein wrote:
>>>>>
>>>>> HI Marita,
>>>>>
>>>>> Yes, the TTF had discussed Zoom and other technology platforms
>>>>> with the ICANN Meetings team and also had sent them our comparison
>>>>> sheet of items that we need to see and what we hope to see in a
>>>>> new web meetings software. We were actively involved early on in
>>>>> the process. We then had a follow-up call later on with questions
>>>>> regarding Zoom with the ICANN Meetings team. We can discuss this
>>>>> vulnerability at the next TTF meeting. We work closely with Mark
>>>>> Seagal from ICANN IT, who is our designated liaison, and also with
>>>>> Sara Caplis of the ICANN Meetings team, who is the lead person on
>>>>> Zoom and other related software used.
>>>>>
>>>>> Best,
>>>>>
>>>>> Judith
>>>>>
>>>>>
>>>>> On 7/10/2019 3:00 PM, Marita Moll wrote:
>>>>>>
>>>>>> Hello all. I did bring up issues around the Zoom platform in
>>>>>> early June and I have not yet had a chance to take the issues I
>>>>>> see with the platform any further. But there is a robust
>>>>>> discussion going on at NCSG with the idea below re: a joint
>>>>>> recommendation from SO's/AC's for community input into the
>>>>>> choices that are made about platform changes that affect us so
>>>>>> profoundly. Perhaps we should indicate our support for this sort
>>>>>> of action -- through our technology task force.
>>>>>>
>>>>>> Marita
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------- Forwarded Message --------
>>>>>> Subject: Re: Zoom Structural Vulnerability Discovered
>>>>>> Date: Wed, 10 Jul 2019 15:21:51 +0200
>>>>>> From: Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>>>> Reply-To: Jean-Jacques Subrenat <jjs at DYALOG.NET>
>>>>>> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>>>
>>>>>>
>>>>>>
>>>>>> First, a remark: for Adobe, Zoom or other tool providers, ICANN
>>>>>> may not be the single largest client, but it is certainly a
>>>>>> significant one owing to its nature (quasi-regulatory,
>>>>>> multi-stakeholder, some parts geared to non-commercial users).
>>>>>>
>>>>>> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and
>>>>>> CEO could be requested to set up a specifications sheet for a
>>>>>> desirable conferencing tool, based on needs expressed by the
>>>>>> multi-stakeholder community, and publish that as a tender. Offers
>>>>>> received could then be reviewed not only by Staff, but in
>>>>>> consultation with ACs and SOs.
>>>>>>
>>>>>> This would get us closer to what we, collectively, consider as
>>>>>> the appropriate tool for the numerous conference calls held
>>>>>> throughout ICANN.
>>>>>>
>>>>>> Jean-Jacques Subrenat.
>>>>>>
>>>>>>
>>>>>> On 10 July 2019 at 14:46:20, Paul Rosenzweig
>>>>>> (paul.rosenzweig at redbranchconsulting.com) wrote:
>>>>>>
>>>>>>> This is assuredly right. The change from Adobe to Zoom may, or
>>>>>>> may not, have been right for ICANN and for this group for any
>>>>>>> number of reasons ranging from cost, to security, to scalability
>>>>>>> and utility. But let’s not romanticize Adobe. They are not a
>>>>>>> terribly secure platform generically. As James said, the Zoom
>>>>>>> response is poor – but we can’t hang that around the neck of
>>>>>>> ICANN org.
>>>>>>>
>>>>>>> P
>>>>>>>
>>>>>>> Paul Rosenzweig
>>>>>>>
>>>>>>> paul.rosenzweig at redbranchconsulting.com
>>>>>>>
>>>>>>> O: +1 (202) 547-0660
>>>>>>>
>>>>>>> M: +1 (202) 329-9650
>>>>>>>
>>>>>>> VOIP: +1 (202) 738-1739
>>>>>>>
>>>>>>> www.redbranchconsulting.com
>>>>>>>
>>>>>>> My PGP Key:
>>>>>>> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>>>>>>>
>>>>>>> *From:* NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> *On Behalf
>>>>>>> Of *James Gannon
>>>>>>> *Sent:* Wednesday, July 10, 2019 12:52 AM
>>>>>>> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>>>> *Subject:* Re: Zoom Structural Vulnerability Discovered
>>>>>>>
>>>>>>> Just want to call out that Adobe has likely the worst reputation
>>>>>>> in the entire tech industry when it comes to security, I really
>>>>>>> would not hold them out as either prompt or without serious
>>>>>>> issues (I believe they still hold the record for number of CVSS
>>>>>>> 9+ vulns).
>>>>>>>
>>>>>>> Zoom's response is poor, I agree, but on a data-driven comparison
>>>>>>> it is a far more secure platform.
>>>>>>>
>>>>>>> *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> on behalf of
>>>>>>> Ayden Férdeline <icann at FERDELINE.COM>
>>>>>>> *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM>
>>>>>>> *Date: *Tuesday, 9 July 2019 at 14:13
>>>>>>> *To: *NCSG-DISCUSS at LISTSERV.SYR.EDU
>>>>>>> *Subject: *Re: Zoom Structural Vulnerability Discovered
>>>>>>>
>>>>>>> That is true, but note that this security researcher notified
>>>>>>> Zoom of the exploit and they were in no rush to repair it. Look
>>>>>>> at the timeline in the Medium post. They only sought to fix it
>>>>>>> after the vulnerability drew media attention.
>>>>>>>
>>>>>>> Adobe Connect was not perfect but it met our needs and the
>>>>>>> occasional security issues that arose were promptly fixed by
>>>>>>> Adobe and never as serious as this one!
>>>>>>>
>>>>>>> Best wishes, Ayden
>>>>>>>
>>>>>>> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq
>>>>>>> <11beeasadiq at seecs.edu.pk> wrote:
>>>>>>>
>>>>>>> Speaking from a technical perspective, no software is
>>>>>>> perfect or bug-free. It's only a matter of time before a loophole is
>>>>>>> found and exploited and eventually patched up. If you think
>>>>>>> Adobe Connect or ezTalks were/are free of these
>>>>>>> architectural issues, think again! That's the way we in the
>>>>>>> technical community do things.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Adeel
>>>>>>>
>>>>>>> Pakistan
>>>>>>>
>>>>>>> On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline
>>>>>>> <icann at ferdeline.com> wrote:
>>>>>>>
>>>>>>> Unfortunately, uninstalling the application does not
>>>>>>> rectify the situation, due to poor architecture
>>>>>>> (acknowledged by Zoom on their blog today). They are
>>>>>>> working on a fix, now that public scrutiny demands one.
>>>>>>> So disappointing that ICANN has put us in this terrible
>>>>>>> situation.
>>>>>>>
>>>>>>> Ayden
>>>>>>>
>>>>>>> On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst
>>>>>>> & Group CEO <va at BLADEBRAINS.COM> wrote:
>>>>>>>
>>>>>>> Thanks for this. Until the next update, I have
>>>>>>> removed the Zoom for Mac client with immediate effect.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Vaibhav Aggarwal
>>>>>>>
>>>>>>> New Delhi
>>>>>>>
>>>>>>> VaibhavAggarwal.com
>>>>>>>
>>>>>>> On Jul 10, 2019, at 12:30 AM, Michael
>>>>>>> Karanicolas <mkaranicolas at GMAIL.COM> wrote:
>>>>>>>
>>>>>>> Hey - remember when ICANN switched everyone from
>>>>>>> Adobe over to Zoom as a way of enhancing
>>>>>>> information security and data privacy?
>>>>>>>
>>>>>>> "A vulnerability in the Mac Zoom Client allows
>>>>>>> any malicious website to enable your camera
>>>>>>> without your permission... This vulnerability
>>>>>>> allows any website to forcibly join a user to a
>>>>>>> Zoom call, with their video camera activated,
>>>>>>> without the user's permission. On top of this,
>>>>>>> this vulnerability would have allowed any
>>>>>>> webpage to DOS (Denial of Service) a Mac by
>>>>>>> repeatedly joining a user to an invalid call.
>>>>>>> Additionally, if you’ve ever installed the Zoom
>>>>>>> client and then uninstalled it, you still have a
>>>>>>> localhost web server on your machine that will
>>>>>>> happily re-install the Zoom client for you,
>>>>>>> without requiring any user interaction on your
>>>>>>> behalf besides visiting a webpage. This
>>>>>>> re-install ‘feature’ continues to work to this day."
>>>>>>>
>>>>>>> Read more here:
>>>>>>> https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> CPWG mailing list
>>>>>> CPWG at icann.org
>>>>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>>>>
>>>>>> _______________________________________________
>>>>>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
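Editor's added example (not part of the thread above, and not Zoom's code): the Medium excerpt quoted at the bottom of the thread describes a localhost web server left on the machine that honours a request from any web page, joining the user to a call with the camera on and re-installing the client, with no user interaction beyond a page visit. The structural point is that a web page can make a browser send a GET to http://localhost:<port>/... (an <img> tag is enough), the same-origin policy only stops the page from reading the response, and a plain <img> load carries no Origin header, so an Origin check alone does not help. The model below contrasts the "honour everything" policy the excerpt describes with a hardened policy that demands a per-install secret web content cannot know and still asks the user before the camera is touched. Port, path, parameter names and the token scheme are all hypothetical.

```python
"""Model of a browser-reachable localhost helper, weak vs. hardened policy.

Added illustration only; not Zoom's code.  PORT, the /launch path, the
'meeting' and 'token' parameters and INSTALL_TOKEN are hypothetical.
"""
import secrets
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

PORT = 18080  # hypothetical listener port

# Hypothetical per-install secret: generated at install time and stored where
# only the native client can read it.  Web pages never learn it, so a request
# that carries it cannot have been forged by an <img> or iframe on a site.
INSTALL_TOKEN = secrets.token_urlsafe(32)


@dataclass
class Decision:
    allowed: bool          # may the helper act on this request at all?
    needs_confirm: bool    # must the user approve before video is enabled?
    reason: str


def weak_policy(path: str, headers: dict) -> Decision:
    """The behaviour the excerpt describes: any GET naming a meeting is
    honoured, video on, regardless of which page triggered the request."""
    qs = parse_qs(urlparse(path).query)
    if "meeting" in qs:
        return Decision(True, False, f"joining {qs['meeting'][0]} with video on")
    return Decision(False, False, "no meeting id")


def hardened_policy(path: str, headers: dict,
                    expected_token: str = INSTALL_TOKEN) -> Decision:
    """Hardened variant: the caller must prove it holds the install secret,
    and even then the user confirms before the client joins with video."""
    qs = parse_qs(urlparse(path).query)
    if "meeting" not in qs:
        return Decision(False, False, "no meeting id")
    supplied = qs.get("token", [""])[0]
    # Constant-time comparison on bytes: no timing side channel, and no
    # TypeError from compare_digest on a non-ASCII token a hostile page sends.
    if not secrets.compare_digest(supplied.encode(), expected_token.encode()):
        return Decision(False, False, "missing or wrong install token")
    # Origin is logged for the audit trail but never trusted on its own:
    # it is absent on <img> loads and trivially present on CORS fetches.
    origin = headers.get("Origin", "<none>")
    return Decision(True, True,
                    f"meeting {qs['meeting'][0]} requested (origin {origin}); "
                    "prompt user, camera stays off until approved")


class HelperHandler(BaseHTTPRequestHandler):
    """Tiny localhost listener so the two policies can be exercised with a
    browser or curl.  Binds to 127.0.0.1 only."""
    policy = staticmethod(hardened_policy)

    def do_GET(self):
        decision = self.policy(self.path, dict(self.headers))
        self.send_response(200 if decision.allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(decision.reason.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve(policy=hardened_policy, port: int = PORT) -> None:
    HelperHandler.policy = staticmethod(policy)
    HTTPServer(("127.0.0.1", port), HelperHandler).serve_forever()


if __name__ == "__main__":
    # Constructed requests: one a hostile page can trigger, one the native
    # client makes itself.  A page cannot add the token, so only the weak
    # policy lets the first through.
    cross_site = ("/launch?meeting=123456789", {"Host": f"localhost:{PORT}"})
    print("weak    :", weak_policy(*cross_site))
    print("hardened:", hardened_policy(*cross_site))
    own_client = (f"/launch?meeting=123456789&token={INSTALL_TOKEN}",
                  {"Host": f"localhost:{PORT}"})
    print("hardened:", hardened_policy(*own_client))
```

Run it as a script to see the three decisions, or call serve(weak_policy) and open http://localhost:18080/launch?meeting=1 from any page to watch the weak listener accept a cross-site request. The token check is what a practitioner would ask for when reviewing a local helper like this; the separate point in the excerpt, that uninstalling the client left the listener behind, is a packaging and uninstall question that no request policy fixes.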