<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p><font size="+1" face="Times New Roman, Times, serif">Hello all. I
        did bring up issues around the Zoom platform in early June and I
        have not yet had a chance to take the issues I see with the
        platform any further. But there is a robust discussion going on
        at NCSG with the idea below re: a joint recommendation from
        SOs/ACs for community input into the choices that are made
        about platform changes that affect us so profoundly. Perhaps we
        should indicate our support for this sort of action -- through
        our technology task force.</font></p>
    <p><font size="+1" face="Times New Roman, Times, serif">Marita</font><br>
    </p>
    <div class="moz-forward-container"><br>
      <br>
      -------- Forwarded Message --------
      <table class="moz-email-headers-table" cellspacing="0"
        cellpadding="0" border="0">
        <tbody>
          <tr>
            <th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
            </th>
            <td>Re: Zoom Structural Vulnerability Discovered</td>
          </tr>
          <tr>
            <th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
            <td>Wed, 10 Jul 2019 15:21:51 +0200</td>
          </tr>
          <tr>
            <th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
            <td>Jean-Jacques Subrenat <a class="moz-txt-link-rfc2396E" href="mailto:jjs@DYALOG.NET">&lt;jjs@DYALOG.NET&gt;</a></td>
          </tr>
          <tr>
            <th valign="BASELINE" nowrap="nowrap" align="RIGHT">Reply-To:
            </th>
            <td>Jean-Jacques Subrenat <a class="moz-txt-link-rfc2396E" href="mailto:jjs@DYALOG.NET">&lt;jjs@DYALOG.NET&gt;</a></td>
          </tr>
          <tr>
            <th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
            <td><a class="moz-txt-link-abbreviated" href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">NCSG-DISCUSS@LISTSERV.SYR.EDU</a></td>
          </tr>
        </tbody>
      </table>
      <br>
      <br>
      <style>body{font-family:Helvetica,Arial;font-size:13px}</style>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;">First, a
        remark: for Adobe, Zoom or other tool providers, ICANN may not
        be the single largest client, but it is certainly a significant
        one owing to its nature (quasi-regulatory, multi-stakeholder,
        some parts geared to non-commercial users).</div>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br>
      </div>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Then, a
        recommendation to Chairs of ACs and SOs: ICANN Board and CEO
        could be requested to set up a specifications sheet for a
        desirable conferencing tool, based on needs expressed by the
        multi-stakeholder community, and publish that as a tender.
        Offers received could then be reviewed not only by Staff, but in
        consultation with ACs and SOs.</div>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br>
      </div>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;">This would get
        us closer to what we, collectively, consider as the appropriate
        tool for the numerous conference calls held throughout ICANN.</div>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br>
      </div>
      <div id="bloop_customfont"
        style="font-family:Helvetica,Arial;font-size:13px; color:
        rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Jean-Jacques
        Subrenat.</div>
      <br>
      <br>
      <p class="airmail_on">On 10 July 2019 at 14:46:20, Paul
        Rosenzweig (<a
          href="mailto:paul.rosenzweig@redbranchconsulting.com"
          moz-do-not-send="true">paul.rosenzweig@redbranchconsulting.com</a>)
        wrote:</p>
      <blockquote type="cite" class="clean_bq"><span>
          <div link="blue" vlink="purple" lang="EN-US">
            <div>
              <div class="WordSection1">
                <p class="MsoNormal">This is assuredly right.  The
                  change from Adobe to Zoom may, or may not, have been
                  right for ICANN and for this group for any number of
                  reasons ranging from cost, to security, to scalability
                  and utility.  But let’s not romanticize Adobe.  They
                  are not a terribly secure platform generically.  As
                  James said, the Zoom response is poor – but we can’t
                  hang that around the neck of ICANN org.  <o:p></o:p></p>
                <p class="MsoNormal"><o:p> </o:p></p>
                <p class="MsoNormal">P<o:p></o:p></p>
                <p class="MsoNormal"><o:p> </o:p></p>
                <div>
                  <p class="MsoNormal">Paul Rosenzweig<o:p></o:p></p>
                  <p class="MsoNormal"><a
                      href="mailto:paul.rosenzweig@redbranchconsulting.com"
                      moz-do-not-send="true"><span style="color:#0563C1">paul.rosenzweig@redbranchconsulting.com</span></a><o:p></o:p></p>
                  <p class="MsoNormal">O: +1 (202) 547-0660<o:p></o:p></p>
                  <p class="MsoNormal">M: +1 (202) 329-9650<o:p></o:p></p>
                  <p class="MsoNormal">VOIP: +1 (202) 738-1739<o:p></o:p></p>
                  <p class="MsoNormal"><a
                      href="http://www.redbranchconsulting.com/"
                      moz-do-not-send="true"><span style="color:#0563C1">www.redbranchconsulting.com</span></a><o:p></o:p></p>
                  <p class="MsoNormal">My PGP Key: <a
href="https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684"
                      moz-do-not-send="true"><span style="color:#0563C1">https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684</span></a><o:p></o:p></p>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <p class="MsoNormal"><o:p> </o:p></p>
                <div>
                  <div style="border:none;border-top:solid #E1E1E1
                    1.0pt;padding:3.0pt 0in 0in 0in">
                    <p class="MsoNormal"><b>From:</b> NCSG-Discuss
                      <a class="moz-txt-link-rfc2396E" href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">&lt;NCSG-DISCUSS@LISTSERV.SYR.EDU&gt;</a> <b>On
                        Behalf Of </b>James Gannon<br>
                      <b>Sent:</b> Wednesday, July 10, 2019 12:52 AM<br>
                      <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">NCSG-DISCUSS@LISTSERV.SYR.EDU</a><br>
                      <b>Subject:</b> Re: Zoom Structural Vulnerability
                      Discovered<o:p></o:p></p>
                  </div>
                </div>
                <p class="MsoNormal"><o:p> </o:p></p>
                <p class="MsoNormal">Just want to call out that Adobe
                  has likely the worst reputation in the entire tech
                  industry when it comes to security, I really would not
                  hold them out as either prompt or without serious
                  issues (I believe they still hold the record for
                  number of CVSS 9+ vulns).<o:p></o:p></p>
                <p class="MsoNormal">Zoom's response is poor I agree, but
                  on a data-driven comparison it is a far more secure
                  platform.<o:p></o:p></p>
                <p class="MsoNormal"><o:p> </o:p></p>
                <div style="border:none;border-top:solid #B5C4DF
                  1.0pt;padding:3.0pt 0in 0in 0in">
                  <p class="MsoNormal"><b><span
                        style="font-size:12.0pt;color:black">From: </span></b><span
                      style="font-size:12.0pt;color:black">NCSG-Discuss
                      <<a href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU"
                        moz-do-not-send="true">NCSG-DISCUSS@LISTSERV.SYR.EDU</a>>
                      on behalf of Ayden Férdeline <<a
                        href="mailto:icann@FERDELINE.COM"
                        moz-do-not-send="true">icann@FERDELINE.COM</a>><br>
                      <b>Reply-To: </b>Ayden Férdeline <<a
                        href="mailto:icann@FERDELINE.COM"
                        moz-do-not-send="true">icann@FERDELINE.COM</a>><br>
                      <b>Date: </b>Tuesday, 9 July 2019 at 14:13<br>
                      <b>To: </b>"<a
                        href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU"
                        moz-do-not-send="true">NCSG-DISCUSS@LISTSERV.SYR.EDU</a>"
                      <<a href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU"
                        moz-do-not-send="true">NCSG-DISCUSS@LISTSERV.SYR.EDU</a>><br>
                      <b>Subject: </b>Re: Zoom Structural Vulnerability
                      Discovered<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <div>
                  <p class="MsoNormal">That is true, but note that this
                    security researcher notified Zoom of the exploit and
                    they were in no rush to repair it. Look at the
                    timeline in the Medium post. They only sought to fix
                    it after the vulnerability drew media attention. <o:p></o:p></p>
                </div>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <div>
                  <p class="MsoNormal">Adobe Connect was not perfect but
                    it met our needs and the occasional security issues
                    that arose were promptly fixed by Adobe and never as
                    serious as this one!<o:p></o:p></p>
                </div>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <div id="protonmail_mobile_signature_block">
                  <div>
                    <p class="MsoNormal">Best wishes, Ayden<o:p></o:p></p>
                  </div>
                </div>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <p class="MsoNormal">On Tue, Jul 9, 2019 at 18:07, Adeel
                  Sadiq <<a href="mailto:11beeasadiq@seecs.edu.pk"
                    moz-do-not-send="true">11beeasadiq@seecs.edu.pk</a>>
                  wrote: <o:p></o:p></p>
                <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                  <div>
                    <p class="MsoNormal">Speaking from a
                      technical perspective, no software is perfect or
                      bug-free. It's only a matter of time before a loophole is
                      found and exploited and eventually patched up. If
                      you think Adobe Connect or ezTalks were/are free
                      of these architectural issues, think again! That's
                      the way we technical community do things. <o:p></o:p></p>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">Regards<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">Adeel<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">Pakistan<o:p></o:p></p>
                    </div>
                  </div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                  <div>
                    <div>
                      <p class="MsoNormal">On Wed, Jul 10, 2019 at 1:37
                        AM Ayden Férdeline <<a
                          href="mailto:icann@ferdeline.com"
                          moz-do-not-send="true">icann@ferdeline.com</a>>
                        wrote:<o:p></o:p></p>
                    </div>
                    <blockquote style="border:none;border-left:solid
                      #CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
                      <div>
                        <p class="MsoNormal">Unfortunately, uninstalling
                          the application does not rectify the
                          situation, due to poor architecture
                          (acknowledged by Zoom on their blog today).
                          They are working on a fix, now that public
                          scrutiny demands one. So disappointing
                          that ICANN has put us in this terrible
                          situation. <o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><o:p> </o:p></p>
                      </div>
                      <div
                        id="gmail-m_4892314735287444777protonmail_mobile_signature_block">
                        <div>
                          <p class="MsoNormal">Ayden<o:p></o:p></p>
                        </div>
                      </div>
                      <div>
                        <p class="MsoNormal"><o:p> </o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><o:p> </o:p></p>
                      </div>
                      <p class="MsoNormal">On Tue, Jul 9, 2019 at 16:15,
                        Vaibhav Aggarwal, Catalyst & Group CEO <<a
                          href="mailto:va@BLADEBRAINS.COM"
                          moz-do-not-send="true">va@BLADEBRAINS.COM</a>>
                        wrote: <o:p></o:p></p>
                      <blockquote
                        style="margin-top:5.0pt;margin-bottom:5.0pt">
                        <p class="MsoNormal">Thanks for this. Till the
                          next Update, I have removed the Zoom For Mac
                          Client with immediate effect.  <o:p></o:p></p>
                        <div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">Regards,<o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">Vaibhav Aggarwal<o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">New Delhi<o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><a
                              href="http://VaibhavAggarwal.com"
                              moz-do-not-send="true">VaibhavAggarwal.com</a> <o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                          <div>
                            <p class="MsoNormal"
                              style="margin-bottom:12.0pt"><o:p> </o:p></p>
                            <blockquote
                              style="margin-top:5.0pt;margin-bottom:5.0pt">
                              <div>
                                <p class="MsoNormal">On Jul 10, 2019, at
                                  12:30 AM, Michael Karanicolas <<a
                                    href="mailto:mkaranicolas@GMAIL.COM"
                                    moz-do-not-send="true">mkaranicolas@GMAIL.COM</a>>
                                  wrote:<o:p></o:p></p>
                              </div>
                              <p class="MsoNormal"><o:p> </o:p></p>
                              <div>
                                <div>
                                  <p class="MsoNormal">Hey - remember
                                    when ICANN switched everyone from
                                    Adobe over to Zoom as a way of
                                    enhancing information security and
                                    data privacy? <o:p></o:p></p>
                                  <div>
                                    <p class="MsoNormal"><o:p> </o:p></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">"A
                                      vulnerability in the Mac Zoom
                                      Client allows any malicious
                                      website to enable your camera
                                      without your permission... This
                                      vulnerability allows any website
                                      to forcibly join a user to a Zoom
                                      call, with their video camera
                                      activated, without the user's
                                      permission. On top of this, this
                                      vulnerability would have allowed
                                      any webpage to DOS (Denial of
                                      Service) a Mac by repeatedly
                                      joining a user to an invalid call.
                                      Additionally, if you’ve ever
                                      installed the Zoom client and then
                                      uninstalled it, you still have a
                                      localhost web server on your
                                      machine that will happily
                                      re-install the Zoom client for
                                      you, without requiring any user
                                      interaction on your behalf besides
                                      visiting a webpage. This
                                      re-install ‘feature’ continues to
                                      work to this day."<o:p></o:p></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><o:p> </o:p></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">Read more
                                      here: <a
href="https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5"
                                        moz-do-not-send="true">https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5</a><o:p></o:p></p>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                        </div>
                      </blockquote>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
            </div>
          </div>
        </span></blockquote>
    </div>
  </body>
</html>