Dropbox and Zoom

The NY Times has a new article on Dropbox’s surprising role in Zoom’s security: https://www.nytimes.com/2020/04/20/technology/zoom-security-…

Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took the unusual step of policing Zoom’s security practices itself

The article says Dropbox was an early investor in Zoom, and a Director at Dropbox is a partner in a VC firm that invested $100M in the company before its IPO. Dropbox even had its own engineers not just find bugs, but do investigations to provide more information to Zoom. Dropbox even put its own security layer in place so that its users were more protected from Zoom’s security flaws.

The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.

They also say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk.

A few cases are cited, including two where it took more than 3 months for Zoom to fix them, and then only after another person publicized the flaw.

The article does say that Zoom is the most user-friendly video conferencing service.


I read the NYT article and, having kept up on Zm posts here and elsewhere, I believe there was nothing new in this article, similar to the CNET hit piece. I guess the NYT felt that because they were able to add color to the two original engineers at Dropbox ‘sitting on a plane going to a hack-a-thon’ it was worthy to print.

There are growing pains inherent in providing what Zm is offering and to rehash them over and over is silly in making the investment decision at hand. What they have now and what they’re doing is amazing and I believe as do many of the best security experts in the world that Zm is now ‘critical infrastructure’ going forward.

This is my first and last post on this topic.



I believe there was nothing new in this article…I guess the NYT felt that because they were able to add color to the two original engineers at Dropbox ‘sitting on a plane going to a hack-a-thon’ it was worthy to print.

As the article states: Details on Dropbox’s role have not been publicly reported before.

A careful read reveals the following that wasn’t previously known:

  1. Dropbox had been trying to get Zoom to improve its security for more than 2 years now.
  2. Dropbox was so concerned they put Zoom on its own bug bounty programs! You get this? Dropbox was willing to pay hackers for bugs found in a product they didn’t themselves make, but were just using! I’ve never heard of that before.
  3. Despite bugs being reported, Zoom did not address some issues for 3 months. It took other, more public, disclosures to get Zoom to fix security issues.
  4. Dropbox put its own layer on top of Zoom to help protect Dropbox users from Zoom’s security flaws.
  5. Dropbox invested in Zoom before its IPO. Maybe that explains Dropbox’s interest in improving Zoom? They couldn’t invest in Zoom and then use WebEx or something else, right?

But, yeah, if you want to say that we all know that Zoom didn’t really care about security until a couple months ago and so it doesn’t matter how much they didn’t care, you’re right and there’s nothing new.

For myself, beyond the magnitude of the flaws was the company’s attitude. Ignoring security flaw reports. Actively fighting back on some reports because fixing them would force installing users to click to confirm they really wanted it installed, etc. Even today, Zoom’s security advisor claims that use of Zoom for school classes and family celebrations is like “driving their cars on water.” That’s totally wrong. It’s like someone driving their family in a pickup truck on the highway. Yeah, that’s different than a gardener driving that same pickup as part of his work, but it doesn’t mean the truck should be any less safe in terms of frontal impacts, airbag deployment, etc. Stamos has it wrong. Today. Totally wrong.

And, just to be clear, I fully get and agree on giving Zoom a pass on the issues such as default security settings. Users of any product who care about security need to understand how to set the product up, assuming it provides the security they feel they need. Of course, when Zoom said things like ‘End to End Encryption is automatically enabled if no users are using phone audio’, for instance, then no amount of settings changes can overcome that inaccuracy. Imagine a car where the manufacturer tells you that a security alarm that tracks your stolen car via GPS is automatically set every time you lock the car as long as no door is open - and then it turns out that there is no GPS at all, just an alarm bell! That’s the equivalent here.

I still own Zoom shares. Despite the past, I’ve been hopeful that Yuan really means what he says about the company now being really serious about securing its product. Of course, Stamos’ recent comment doesn’t exactly inspire confidence, either - it’s long past time for the company to be making excuses. I guess I’ll have to let that slide, too, eh?