1. #Zoom, a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on #Keybase, and

2. Keybase is used by a lot of people to sign their #git commits and whatnot.

3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

#ThisIsFine #InfoSec

@rysiek Microsoft also had a bad security track record, and turned it around.
Cisco just released a ton of advisories for ASA, FTD and FMC that are pretty bad, and they tend to hide their issues until they can't.
Apple does not disclose the security issues they fix very easily, if at all.
Zoom is starting to take steps by getting people like Katie Moussouris and her company to help, and has actually responded to the security findings at least. That shows intent to get better at it.

@siliconshecky I'm not entirely sure what you're trying to argue here, but intent is meaningless without results.

Microsoft has shown some results, but arguably not yet sufficient improvement.

Cisco is one big overpriced garbage fire. They've shown little intent to improve and virtually no results.

Zoom is behaving just like Facebook. Lots of apology, noble intention (at least the appearance of it), but woefully inadequate results. They are not at all proactive, just reactive...


So Zoom has hired Luta Security to now handle its bug bounty program, brought on Alex Stamos to help build/fix its security program, has been working with other security consultants to help with the security issues, put a 90-day feature freeze on its product to solely work on security issues, has released numerous updates to fix the issues at hand, made passwords the default, added a new, easier-to-access area for security settings...
Sounds like they have done nothing to me.


@siliconshecky this is very promising and good news to hear. They are going in the right direction.

But I would say they still have critical issues that need addressing beneath all these surface-level fixes they've released. I still need to be sold on their transparency and trustworthiness as well. As such, I will continue to observe, but Zoom will continue to be disallowed in my workplace.