
Zoom’s security woes were no secret to business partners like Dropbox - pseudolus
https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html
======
danpalmer
I feel like this is a non-story.

> Dropbox privately paid top hackers to find bugs in software by the
> videoconferencing company Zoom, then pressed it to fix them.

This is pretty standard. For a big company looking to purchase services from
another company, commissioning a pen-test is common practice. It doesn't mean
anything bad, it's about mitigating risk.

Further, everything about these contracts is about mitigating risk. Zoom had
privacy/security issues for individual consumers, but large enterprises have a
contract that lays out in detail exactly what is required and expected, and I
fully believe that Zoom was meeting those requirements because that's part of
the enterprise software game.

Does a large enterprise care if its traffic is being routed through China?
Probably not (unless there's a national security concern), because they will
have insurance against any issues arising from that as part of their contract
– Zoom will be liable for data leaked. Same goes for Facebook login being in
the Zoom app.

Yes, it's not great for the privacy of individuals, but that's not the target
customer of Zoom, and even the target _user_ is a corporate identity, not a
user's personal identity tied to their Facebook account for example.

~~~
staticassertion
Disclaimer: I worked on Dropbox security. Not in appsec. I won't comment on
the article, or the accuracy of the article, or anything that wasn't public
before the article. I'm mostly just going to talk about what is broadly true
for all or most companies.

I think it is worth noting that:

a) Pentesting 3rd party vendors is uncommon. This is something that the
majority of companies rely on a SOC2 for.

b) Pentesting is not what the article is talking about, it's talking about bug
bounties / Vulnerability Reporting Programs. It is equally, if not more,
uncommon for a company to bring a vendor into its VRP.

And yes, companies care greatly about traffic being routed through China.

~~~
danpalmer
> a) Pentesting 3rd party vendors is extremely uncommon. This is something you
> rely on a SOC2 for.

In my experience this is fairly common? Although that was my experience
working on the pen-testing side so I guess it was a little biased. The company
I worked for did a lot of this sort of thing – pen-testing for meeting due
diligence requirements.

~~~
staticassertion
There are two separate things here.

There's going to a company and saying "Are you SOC2? If not, we need you to
be, and that requires a pentest - please go do that before we engage." There
may also be, in this same vein, "We're strategic partners, we'll help you get
that pentest". This is very common, I suspect the vast majority of pentests
are compliance (and essentially sales) driven and would fall under this
category.

That's different from "We have already engaged, you are already compliant with
SOC2, you may do your own pentests, we will now separately pay for and manage
a pentest of your company". This is not something I've seen too much of -
perhaps that's just me not paying attention? But I'd be surprised if this were
common at all.

Though I want to again restate that the article is focusing on VRP.

------
xmodem
> “I don’t think a lot of these things were predictable,” said Alex Stamos, a
> former chief security officer at Facebook

After the macOS installer bug last year I predicted exactly this. I may just
be a random HN commentator, but my opinion of Mr Stamos is diminished greatly
if he actually believes this.

------
ig0r0
Somebody should create a lightweight VM to run Zoom and possibly other
malware-like apps (WebEx) your employer forces you to use.

~~~
akersten
Luckily they offer web-based versions of the software, so I use my browser as
that lightweight VM :)

~~~
spurgu
I tried that the other day when I had to use Zoom for work. The sound was
stuttering (in a consistent straight pattern). Luckily the group was small
enough that I managed to convince them to switch to Jitsi.

------
neonate
[https://archive.md/zo8jZ](https://archive.md/zo8jZ)

------
Flenser
What are the odds there'll be a project zero blog post on Zoom in 90 days?

~~~
sleepybrett
Google doesn't have a competing project that I know of. From what I can tell
they only study things Google depends on or things Google competes with.

~~~
notechback
Hangouts seems like the main competitor to Zoom in casual contexts (school,
families, etc.).

~~~
lozf
They've dropped the "hangouts" and are just calling it "Meet" now (in some
places, at least).

------
thesh4d0w
> Zoom’s defenders, including big-name Silicon Valley venture capitalists, say
> the onslaught of criticism is unfair. They argue that Zoom, originally
> designed for businesses, could not have anticipated a pandemic that would
> send legions of consumers flocking to its service in the span of a few weeks
> and using it for purposes — like elementary school classes and family
> celebrations — for which it was never intended.

> “I don’t think a lot of these things were predictable,” said Alex Stamos, a
> former chief security officer at Facebook who recently signed on as a
> security adviser to Zoom. “It’s like everyone decided to drive their cars on
> water.”

So they're saying because this product was designed for business rather than
consumer, it wasn't necessary to build it securely? How the fuck does that
make any sense?

