Security

Zoom's Security Woes Were No Secret to Business Partners Like Dropbox (nytimes.com)

Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them. From a report: One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom's software that could have allowed attackers to covertly control certain users' Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom's videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated. Zoom's defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes -- like elementary school classes and family celebrations -- for which it was never intended.

[...] The former Dropbox engineers, however, say Zoom's current woes can be traced back two years or more, and they argue that the company's failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom's software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom's code -- and troubled by Zoom's slowness in fixing them.

  • All of them rushing to defend Humpty Dumpty, the cobbled together Big Ball of Mud that is Zoom.

    This is where your everything-must-API approach has started to fail. PHBs can now look like they've built something substantial which crumbles the instant any significant load is put on it, because it isn't engineered. It's just one part slapped on to the next as the lead PHB iterated their latest fantasy at the bongsole.

    • by arglebargle_xiv ( 2212710 ) on Monday April 20, 2020 @10:57AM (#59968528)

      Zoom's defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it

      "We just strung it together from toothpicks and duct tape in order to maximise VC interest, you can't blame us if it falls apart when people do something silly like actually use it".

      • by guruevi ( 827432 )

        To be fair, the business Zoom is completely different than consumer Zoom. The free version does not have a string of security controls. It's great to talk to mom & pop but COVID has pushed a bunch of businesses to suddenly migrate online without a real disaster recovery plan and some yahoo in the sales department ends up using these 'free offerings', not just from Zoom, and business leaders just go along without anticipating the cybersecurity issues that come with it.

        In and of itself, the Zoom app, if p

        • ...In and of itself, the Zoom app, if properly used, is not a huge threat. The issues in Windows sharing its credentials to anyone who asks can be exploited in a million ways, including using Chrome and e-mail....

          Yes, this is an amazing public relations coup by Micro$oft: the UNC exploit [thehackernews.com] is a Windows security flaw, but they have successfully spun it as being a Zoom security flaw (and that companies should buy the inferior Microsoft "Teams" software instead, not as good, but whatever.)

          At the moment, the best security measure is: don't click links that are sent to you in chat.

      • Correct. You're either secure or you're not, whether one person or a billion people use it. The "who could have anticipated" argument is absurd...every start-up *daydreams* of that kind of growth.
    • oh really? zoom has been fine for my employer, meanwhile webex loses its shit sometimes, audio not working and even putting wrong faces with names. Maybe they're all cobbled together crap?

    • by jellomizer ( 103300 ) on Monday April 20, 2020 @11:37AM (#59968636)

      You are using the wrong words.
      This is called Agile Development.

      As much as we can say it is bad management, the problem is: do consumers really want to wait for years to get the bugs out? By the time it is released and solid, it is already out of date.

      Think about the traditional automakers. The onboard computer and features when you get your new car are often running off of decades-old technology. My 2012 Prius had one of the most up-to-date infotainment centers at the time. However, it still had a pressure touch screen, really low screen resolution and very minimal phone support. That other device had solved those problems years ago. But there is a large cost of failure in auto design. So putting in leading-edge tech that isn't tested and proven becomes a gamble. But for most software companies the cost of failure is low, and cheap to fix. So they produce rather crappy stuff quickly and fix anything big.

      • If all you do is move fast and break stuff, maybe you're heavily invested in easily-broken china.

        • No, I expect there is actually a good balance out there.
          But the tech workers like to see the product done perfectly, while the Bosses want to see it selling quickly.
          There is actually a line between getting something out the door in a good amount of time and having the product of reasonable quality. However, it will take more time to develop and there will be problems that need to be addressed in the future.

          This is another case of the 80/20 rules. 80% of the time will be implementing that last 20% of the

          • by Shotgun ( 30919 )

            But the tech workers like to see the product done perfectly, while the Bosses want to see it selling quickly.

            As a QA engineer of 20 years, I'm just gonna go ahead and call BS on that right there.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday April 20, 2020 @11:01AM (#59968540)
    Comment removed based on user account deletion
    • I think we've reached a point in the industry where if you sell a commercial product, you should be liable for "gross negligence" like this.

      It's not gross negligence. It's fraud. They lied about security. If they had made no claims about security then things would be different.

      For instance, IRC never promised that people could not join your "private" #family channel. Not negligence.

    • by vlad30 ( 44644 )

      There are plenty of bad contractors out there in the construction business, but they can only get away with so much in terms of sloppiness and doing blatant disregard for professional practices before they can be quickly sued into the ground.

      You don't know the construction business at all. The bad contractors/developers just form new companies and continue. You sue an empty shell and waste your money in legal fees.

  • by Syberz ( 1170343 ) on Monday April 20, 2020 @11:25AM (#59968590)
    When the goal of the business is to get new bells and whistles out there as quickly as possible in order to grow your market share before your IPO, corners must be cut. Despite all of the negative press, they still have hundreds of millions of users while the closest competitors have nowhere near that amount. As long as the strategy pays off, companies will continue to do it.
    • An anecdote: I have to run an on-line meeting. I had been doing that every couple weeks with webex, whose UI I found frustrating. There's supposed to be a way to test your microphone before going on; I found the instructions, but could never make it work. There's a way to get the list of attendees; it is there, but every time I needed it I had to search around for ten minutes. (Yes, I did eventually write it down. But I shouldn't have had to do that.) And so forth with nearly every other thing I wante

      • by Syberz ( 1170343 )
        You could have had the same realization with some of the other video conference tools as well. Zoom does do quite a few things very well, however it's not the revolutionary thing that many make it out to be once you start comparing it with other solutions.
  • by Nidi62 ( 1525137 ) on Monday April 20, 2020 @11:26AM (#59968598)

    Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom's software code and that of a few other companies.

    All Zoom was doing was reducing costs by outsourcing security audits to customers. In fact, they were able to cut costs so much that they were actually into negative cost territory: people were paying Zoom to do Zoom's work for them!

  • When you can make money?

    This is first day tech business school stuff.

  • As a private consumer of Zoom, there's nothing here to alarm me. I use it for family chats and a class at the local junior college. There's no sensitive information being passed around. The app works remarkably well on many different kinds of devices, with little or no setup. In the case of the class, the instructor has to admit each participant, so bombing wouldn't work.
    On the other hand, if there are vulnerabilities in the Zoom client that allow malware to infect my personal device, that's a problem. But

  • Dropbox has had security issues for years - I'm not sure which one is worse!
  • Industry failure (Score:3, Interesting)

    by anynicknameavailable ( 901735 ) on Monday April 20, 2020 @04:48PM (#59969864)
    The question is: why zoom, webex, teams, etc. just for video chat? Wake up. It is ridiculous. There should be one standard and these should be clients. Use one or another. They should compete on price, performance, extra plugins, etc. But be interoperable for voice and video. You should not have to install new software just to talk to someone online in 2020 (hope your company firewall lets it go through, and waste time because there is always someone that can't connect). It should be like phone, like email. By now it should be a commodity. You don't have 5 phones on your desk, right? No surprise then each company puts garbage together instead of using well thought out standards. The issue is not zoom. It's all of them. It is an industry failure.
