[NA-Discuss] Fwd: [Ccwg-auctionproceeds] ADOBE CONNECT – WHAT NEXT? - ICANN Blog By Ash Rangan

Judith Hellerstein judith at jhellerstein.com
Fri Apr 20 18:20:42 UTC 2018


Hi All,

Very interesting blog by Ash Rangan.  Forwarding this email widely so others could read it and discuss it.

Best,
Judith

Sent from my iPad 
judith at jhellerstein.com 
Skype ID:JudithHellerstein

Begin forwarded message:

> From: Nathalie Peregrine <nathalie.peregrine at icann.org>
> Date: April 20, 2018 at 2:16:27 PM EDT
> To: "ccwg-auctionproceeds at icann.org" <ccwg-auctionproceeds at icann.org>
> Subject: [Ccwg-auctionproceeds] ADOBE CONNECT – WHAT NEXT? - ICANN Blog By Ash Rangan
> 
> Dear all:
>  
> Please take a look at this blog on Adobe Connect.  And note the request:
>  
> Before we make these changes, we want to hear from you. What do you think? Please submit your thoughts on this contemplated move before May 2nd here: RP-tool at icann.org
>  
> Best regards,        David
>  
>  
> https://www.icann.org/news/blog/adobe-connect-what-next[icann.org]
>  
> ADOBE CONNECT – WHAT NEXT?
> As you know, the ICANN organization took down its Adobe Connect service midway through the ICANN61 meeting in response to reported issues[icann.org] with this service. Concurrently, we began to conduct our own forensic analysis of the reported incident and began working with our Adobe cloud service provider, CoSo Cloud LLC, and through them with Adobe to learn more. Shortly thereafter, we rolled out instances of Zoom and WebEx for the community to support remote participation (RP) and collaboration. Here's where we are now:
>  
> The Forensics Investigation
> With respect to our forensics work, we received application logfiles from CoSo Cloud, going back for a period of one year. ICANN Engineering and Security teams have examined these application log files and the results of our investigation clearly show "fingerprints of incursion" by the researcher who reported the issue. We were unable to find any other indication that anyone else either identified or exploited this issue. Thanks to the person who found the bug again.
> Working closely with CoSo Cloud, we were able to recreate the reported issue, and understand the conditions required to trigger it. This information has been communicated to Adobe, and Adobe is working on a software fix to address the root cause of the issue.
> We have also been working with CoSo on options to re-enable Adobe Connect in the shorter term. We have determined there are two viable paths to accomplish this goal. They are:
> Deploy a hardened configuration to eliminate "man-in-the-middle" exploitations by encrypting relevant traffic, or
> Implement a programmatic fix from CoSo Cloud to substantially reduce the window during which the issue can be exploited.
> With respect to the first option, we attempted to hack the hardened configuration in a test environment last week, and were not able to do so over the course of 7 hours. Separately, CoSo Cloud and Adobe conducted similar tests and confirmed that this configuration is protected from exploitation of the issue.
>  
> Community Feedback and Next Steps
> For the last three weeks, we have been gathering limited feedback regarding users' experiences with WebEx and Zoom. So far, we have input from about 200 people, including ICANN org meeting organizers and the ICANN community. Our analysis of this feedback indicates a desire to revert back to an Adobe Connect, providing the security of the service is ensured.
> Accordingly, we would like to propose the following plan to the broader community for consideration:
> We would like to restore Adobe Connect services with both the new hardened configuration and the programmatic fix discussed above. Our intent would be to restore service by 3 May. This would allow us to use Adobe Connect during several upcoming events including the Board Workshop, the GDD Industry Summit, and ICANN62.
> Once Adobe releases a new version of the software with a fix for this issue from their perspective, and provides assurance the update has been adequately tested, we will move toward that release of Adobe Connect in a prudent manner, with the help of CoSo Cloud.
>  
> We believe that this approach will ensure the security of our content, and of our community interactions, while also enabling our community to use the collaboration tools of their choice.
>  
> Before we make these changes, we want to hear from you. What do you think? Please submit your thoughts on this contemplated move before May 2nd here: RP-tool at icann.org
>  
> Meanwhile, we will continue to offer WebEx and Zoom for RP and collaboration purposes. We will also continue to follow industry developments, including the research ALAC is doing on the RP and collaboration space, to ensure we are using secure and cost-effective tools that are appropriate for our needs.
>  
> I look forward to your comments!
>  
>  
>  
> David A. Olive
> Senior Vice President
> Policy Development Support
> Internet Corporation for Assigned Names and Numbers (ICANN)
> 
>  
> _______________________________________________
> SOAC-Leaders-ICANNMeeting-Planning mailing list
> SOAC-Leaders-ICANNMeeting-Planning at icann.org
> https://mm.icann.org/mailman/listinfo/soac-leaders-icannmeeting-planning
> _______________________________________________
> Gnso-igo-ingo-crp mailing list
> Gnso-igo-ingo-crp at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-igo-ingo-crp
> _______________________________________________
> gnso-rpm-wg mailing list
> gnso-rpm-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rpm-wg
> _______________________________________________
> Ccwg-auctionproceeds mailing list
> Ccwg-auctionproceeds at icann.org
> https://mm.icann.org/mailman/listinfo/ccwg-auctionproceeds
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://atlarge-lists.icann.org/pipermail/na-discuss/attachments/20180420/cc8dd9fa/attachment-0001.html>


More information about the NA-Discuss mailing list