Silicon Shecky

Infosec Practitioner


Zoom Zoom or WTF people?

April 16, 2020 By Michael Kavka 1 Comment

Slide by Dave Kennedy, CEO of TrustedSec and Binary Defense from his closing remarks at Grimmcon.

Zoom is not malware. Repeat with me… ZOOM IS NOT MALWARE!

Zoom has been everywhere and on many people's minds. We have also failed the company, not by finding holes in their software, but by playing the role of Chicken Little. The sky is not falling, at least not from Zoom. We in the world of security have lost it, and as Dave Kennedy said at Grimmcon this week, and I paraphrase, “We have pushed back our relations with the everyday person. We have forgotten that usability is part of our equation of risk, and that responsibility in disclosing of bugs is important.”

Here is a great blog post about the whole situation with Zoom (written by Amit Serper and Dave Kennedy): https://medium.com/@0xamit/zoom-isnt-malware-ae01618e2046

To those that do not want to read that, here are a few key points:

  1. Zoom usage grew from 10 Million people to 200 Million people in a matter of weeks. That is 20x the people in a matter of weeks, unbelievable growth in a product.
  2. Zoom has made mistakes and has bugs. All software does, and the real proof of a company is how they respond.
  3. Zoom has a PDF of best practices for securing Zoom meetings.

On point 2, Zoom has not only been fast to respond and push out fixes, but has not complained about people finding these issues. As of April 2, 2020, Zoom announced a 90-day hold on any new features to focus on security fixes. This is amazing in its own right. I have not heard of many companies doing this. The bugs that Zoom has been fixing have been fixed in a matter of days in most cases. Last time I checked, Microsoft, Apple, Cisco, and Oracle take months or longer to fix bugs in most cases. Zoom has done this with no warning about the bugs; they are hearing about them at nearly the same time as we are. Google, Microsoft, Oracle, and Cisco usually get 90 days from notification of a bug to fix it, and the bug is usually not announced until a fix is out.

As far as End to End Encryption goes, that was a marketing mistake. Cisco WebEx, while offering End to End Encryption, does not offer it for Video conferencing. There also have been plenty of flaws found on WebEx and other Video conferencing systems over the years.

As far as the breach with usernames and passwords, all I have to say is... Target, Best Buy, Home Depot, Equifax, Anthem, need I go on?

Zoom has made mistakes, no doubt. They are not perfect, but their model is one of simplicity. One of allowing people to communicate easily, and that is what it was: easy. Easy for grandma to not have to log into anything and just take a link sent to her by her family to video chat with them. Easy to just set up and go. It was not designed to be used for State Secrets. Its threat model at the time was different than what it was starting to be used for by Governments and Corporations. It is a product that got shoved under a microscope, and has responded to being under that microscope a lot better than many companies I have seen over the years.

So yes, Zoom is safe for the everyday person to use. Zoom now defaults to requiring passwords for the meeting sessions. Zoom now wants people to log in. Zoom has taken away some of its simplicity. Zoom is not Malware!

Filed Under: Rants, Security, Software Tagged With: Dave Kennedy, WebEx, Zoom

Comments

  1. Thom Brasuell says

    April 16, 2020 at 13:09

    Well stated.
    I am on 3-5 web meetings a day currently.
    Zoom is by far the most user friendly.
