It has always been my goal to appropriately communicate to the media what is happening out there and what amazing work the security industry is doing.

I have to be honest, the latest Zoom storm has me concerned. 1/10
Most of the findings thus far would be considered low to medium risk. Not world-ending. This isn't a knock on the amazing work that the folks have done on spending their own time in testing an application that is now fundamentally used by a large percent of the world. 2/10
There is no question that the privacy aspects need to be looked at, but Zoom has been clarifying them and expanding on them. Their responses thus far I would say have been good.

With any application, you are bound to find things. It's what we do. 3/10
The 2019 instances of the uninstallable web server and the ability to join private sessions were direct exposures and addressed by Zoom.

The E2E encryption wording was at best misleading because it only covers chat and not the video itself. 4/10
Regardless of any of that, what we have here is a company that is relatively easy to use for the masses (comes with its challenges on personal meeting IDs) and is relatively secure.

Yet the industry is making it out to be "this is malware" and you can't use this. 5/10
This is extreme. We need to look at the risk specific applications pose and help voice a message of how people can leverage technology and be safe.

Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others. 6/10
I had a nontech friend the other day say that they were scared to message their family members because of all the news on how insecure Zoom was. This is what we've done.

We are a formal industry, we are a group of folks the world listens to. 7/10
If there are ways for a company to improve, we should notify them and if they don't fix their issues, we should call them out.

We should not be putting fear into everyone, and leveraging the media as a method to create that fear. 8/10
Most of these exposures wouldn't even bubble up to a high or critical finding in any assessment a normal tester would conduct. Yet it has world-reaching implications for the masses that don't understand the technical details. It creates hysteria when it is not needed. 9/10
That's it for me. Be responsible. Be respectful. Most importantly, be aware of how the things that you say and how you approach a situation are looked upon by the rest of the world during a very critical time in history. 10/10
You can follow @HackingDave.