Zoom continues its catch-up security sprint with new training, bug bounty tweaks and promise of crypto playbook Zoom has outlined more about its efforts to improve its security. For starters, secure coding environment provider Secure Code Warrior (motto: Secure your code, from the start) has announced its been hired to implement its wares at the video chat company. You may recall that Zoom’s end-to-end encryption was found not to be …
Whilst it is unfortunate that lots of meetings have taken place without decent security, Zoom are now in a place where they can probably afford to take security seriously and do it properly. From the engagement of Secure Code Warrior, it seems they are taking this seriously.
Mind you both Zoom's and Secure Code Warrior's reputation is now on the line.
All of which is grand until one remembers that Zoom had around ten million daily meeting participants in late 2019, before the COVID-19 pandemic spiked numbers to around 200 million a day in March and around 300 million a day by April. And all those meetings took place without the security improvements mentioned above.
Do you say this every time any security fix is released for any software? "Microsoft fixed security flaw number 9000000008; let us mourn their 2 billion users who were using the software without it."
I agree with your sentiment, though Zoom should take the blame here.
The difference with e.g. Micros~1 vulnerabilities is that Zoom has deliberately chosen a poor encryption cipher for no obvious reason. AES-GCM (amongst others) was available when Zoom corp. was formed decade ago, yet they chose a specific AES cipher not fit for streaming video - amongst many other security snafus recently reported - falsely claiming end-to-end encryption, data-mining with Facebook etc.
This would be somewhat understandable if this was a small start-up that had its v0.9 product suddenly found out by the masses, but it's a billion-dollar software company with thousands of employees, and it hasn't (apparently) had any consideration for security until recently.
Had these exposes not happened, several companies, people (including Boris) would still happily be divulging their secrets, handily routed through China.
they said it was end to end encrypted, it is not.
MS have never to my kbnowledge made such a bold claim that has proved to be false.
they have told some intresting ones on when new things will be released,
and on the featuures they might have, but nothing as egregious.
I have some sympathy for Zoom. One minute they were an up-and-coming conferencing service, and the next they've become the backbone of civilization. They have a big responsibility to improve their product, but they're also dealing with all this unexpected marketing coup during the pandemic just as we are.
Agree that the sudden skyrocketing demand for and use of their product likely caught them flat-footed, and perhaps some sympathy would be warranted if they had demonstrated care and attention from the get-go.
But even assuming Zoom get all their technical problems fixed -- connections are truly secure, no leaks, no routing data through China, default settings such that using it "out of the box" will not send newbies/ grandmas down a risky path, and so on -- should we trust them? They CHOSE to sell/give/leak user data to Facebook, as if that could EVER be a good idea. They CHOSE to be disingenuous about end-to-end encryption when it was shown to not be as advertised. They are not stupid people or a bunch of middle schoolers at Coder Camp; they knew better and chose to not do better. So, even if they have completely fixed the car -- aired the tyres, tuned the engine, replaced all the fluids, checked the brakes, had the front end re-aligned -- can we trust them to not drive us over a cliff with it?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
