I believe there was nothing new in this article…I guess the NYT felt that because they were able to add color to the two original engineers at Dropbox ‘sitting on a plane going to a hack-a-thon’, they thought it was worthy to print.
As the article states: Details on Dropbox’s role have not been publicly reported before.
A careful read reveals the following that wasn’t previously known:
- Dropbox had been trying to get Zoom to improve its security for more than 2 years now.
- Dropbox was so concerned they put Zoom on its own bug bounty programs! You get this? Dropbox was willing to pay hackers for bugs found in a product they didn’t themselves make, but were just using! I’ve never heard of that before.
- Despite bugs being reported, Zoom did not address some issues for 3 months. It took other, more public, disclosures to get Zoom to fix security issues.
- Dropbox put its own layer on top of Zoom to help protect Dropbox users from Zoom’s security flaws.
- Dropbox invested in Zoom before its IPO. Maybe that explains Dropbox’s interest in improving Zoom? They couldn’t invest in Zoom and then use WebEx or something else, right?
But, yeah, if you want to say that we all know that Zoom didn’t really care about security until a couple months ago and so it doesn’t matter how much they didn’t care, you’re right and there’s nothing new.
For myself, beyond the magnitude of the flaws was the company’s attitude. Ignoring security flaw reports. Actively fighting back on some reports because it would force installing users to click to confirm they really wanted it installed, etc. Even today, Zoom’s security advisor claims that use of Zoom for school classes and family celebrations is like “driving their cars on water.” That’s totally wrong. It’s like someone driving their family in a pickup truck on the highway. Yeah, that’s different from a gardener driving that same pickup as part of his work, but it doesn’t mean the truck should be any less safe in terms of frontal impacts, airbag deployment, etc. Stamos has it wrong. Today. Totally wrong.
And, just to be clear, I fully get and agree on giving Zoom a pass on the issues such as default security settings. Users of any product who care about security need to understand how to set the product up, assuming it provides the security they feel they need. Of course, when Zoom said things like ‘End to End Encryption is automatically enabled if no users are using phone audio’, for instance, then no amount of settings changes can overcome that inaccuracy. Imagine a car where the manufacturer tells you that a security alarm that tracks your stolen car via GPS is automatically set every time you lock the car as long as no door is open - and then it turns out that there is no GPS at all, just an alarm bell! That’s the equivalent here.
I still own Zoom shares. Despite the past, I’ve been hopeful that Yuan really means what he says about the company now being really serious about securing its product. Of course, Stamos’ recent comment doesn’t exactly inspire confidence, either - it’s long past time for the company to be making excuses. I guess I’ll have to let that slide, too, eh?