
Hours after security researchers at Citizen Lab reported that some Zoom calls were routed through China, the video conferencing platform has offered an apology and a partial explanation.

To recap, Zoom has faced a barrage of headlines this week over its security policies and privacy practices, as hundreds of millions forced to work from home during the coronavirus pandemic still need to communicate with each other.

The latest findings landed earlier today when Citizen Lab researchers said that some calls made in North America were routed through China — as were the encryption keys used to secure those calls. But as was noted this week, Zoom isn’t end-to-end encrypted at all, despite the company’s earlier claims, meaning that Zoom controls the encryption keys and can therefore access the contents of its customers’ calls. Zoom said in an earlier blog post that it has “implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings.” The same can’t be said for Chinese authorities, however, which could demand Zoom turn over any encryption keys on its servers in China to facilitate decryption of the contents of encrypted calls.

Zoom now says that during its efforts to ramp up its server capacity to accommodate the massive influx of users over the past few weeks, it “mistakenly” allowed two of its Chinese data centers to accept calls as a backup in the event of network congestion.

From Zoom’s CEO Eric Yuan:

“During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user’s region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform. In all instances, Zoom clients are provided with a list of datacenters appropriate to their region. This system is critical to Zoom’s trademark reliability, particularly during times of massive internet stress.”

In other words, North American calls are supposed to stay in North America, just as European calls are supposed to stay in Europe. This is what Zoom calls its data center “geofencing.” But when traffic spikes, the network shifts traffic to the nearest data center with the most available capacity.

China, however, is supposed to be an exception, largely due to privacy concerns among Western companies. But China’s own laws and regulations mandate that companies operating on the mainland must keep citizens’ data within its borders.

Zoom said in February that “rapidly added capacity” to its Chinese regions to handle demand was also put on an international whitelist of backup data centers, which meant non-Chinese users were in some cases connected to Chinese servers when data centers in other regions were unavailable.

Zoom said this happened in “extremely limited circumstances.” When reached, a Zoom spokesperson did not quantify the number of users affected.

Zoom said that it has now reversed that incorrect whitelisting. The company also said users on the company’s dedicated government plan were not affected by the accidental rerouting.
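The region-pinned failover and backup-whitelist mechanism described above, as an added Python example that is not Zoom's code and does not come from the article. The region codes ("NA", "EU", "CN"), datacenter names and the policy table are constructed assumptions. It applies one geofence policy in two places: as an audit of the backup whitelist, which surfaces the kind of misconfiguration the company describes, and as a filter on the candidate list a client is handed, so a bad whitelist cannot route a client out of its region even before the list is corrected.

```python
"""Region-pinned ("geofenced") datacenter failover with a backup-whitelist audit.

Added illustration, not Zoom's code: datacenter names, region codes and the
policy table are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Datacenter:
    name: str    # constructed label, not a real hostname
    region: str  # constructed region codes: "NA", "EU", "CN"


# Hypothetical geofence policy: which regions may act as a backup bridge for
# clients of a given region. "CN" is deliberately absent from the non-CN rows,
# mirroring the exception the article describes.
GEOFENCE_POLICY: Dict[str, Set[str]] = {
    "NA": {"NA", "EU"},
    "EU": {"EU", "NA"},
    "CN": {"CN"},
}


def audit_backup_whitelist(client_region: str, whitelist: List[Datacenter],
                           policy: Dict[str, Set[str]] = GEOFENCE_POLICY) -> List[Datacenter]:
    """Return every whitelisted backup that the policy forbids for client_region.

    An empty result means the whitelist handed to clients of that region is
    consistent with the geofence; anything else is a misconfiguration to fix.
    """
    allowed = policy[client_region]
    return [dc for dc in whitelist if dc.region not in allowed]


def connection_plan(client_region: str, primaries: List[Datacenter],
                    whitelist: List[Datacenter],
                    policy: Dict[str, Set[str]] = GEOFENCE_POLICY,
                    max_backups: int = 2) -> List[str]:
    """Ordered list of datacenter names a client tries: in-region primaries
    first, then up to max_backups secondaries that pass the geofence filter."""
    plan = [dc.name for dc in primaries if dc.region == client_region]
    allowed = policy[client_region]
    backups = [dc.name for dc in whitelist if dc.region in allowed]
    return plan + backups[:max_backups]


def corrected_whitelist(client_region: str, whitelist: List[Datacenter],
                        policy: Dict[str, Set[str]] = GEOFENCE_POLICY) -> List[Datacenter]:
    """The whitelist with every policy violation removed (the reversal the article describes)."""
    bad = set(audit_backup_whitelist(client_region, whitelist, policy))
    return [dc for dc in whitelist if dc not in bad]


# Constructed sample inventory.
PRIMARIES = [Datacenter("na-1", "NA"), Datacenter("na-2", "NA"),
             Datacenter("eu-1", "EU"), Datacenter("cn-1", "CN")]

# The "mistaken" international whitelist: newly added CN capacity listed as a
# backup for every region.
MISTAKEN_WHITELIST = [Datacenter("eu-backup-1", "EU"), Datacenter("cn-backup-1", "CN"),
                      Datacenter("cn-backup-2", "CN"), Datacenter("na-backup-1", "NA")]


if __name__ == "__main__":
    violations = audit_backup_whitelist("NA", MISTAKEN_WHITELIST)
    print("NA whitelist violations:", [dc.name for dc in violations])
    print("NA plan under congestion:", connection_plan("NA", PRIMARIES, MISTAKEN_WHITELIST))
    fixed = corrected_whitelist("NA", MISTAKEN_WHITELIST)
    print("after fix:", [dc.name for dc in fixed],
          "violations:", audit_backup_whitelist("NA", fixed))
```

The audit is what an operator would run whenever capacity is added to a backup list; the filter in `connection_plan` is the defence in depth that holds even when the audit was skipped, which is the gap the accidental whitelisting exposed.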

But some questions remain. The blog post only briefly addresses its encryption design. Citizen Lab criticized the company for “rolling its own” encryption — otherwise known as building its own encryption scheme. Experts have long rejected efforts by companies to build their own encryption, because it doesn’t undergo the same scrutiny and peer review as the decades-old encryption standards we all use today.

Zoom said in its defense that it can “do better” on its encryption scheme, which it says covers a “large range of use cases.” Zoom also said it was consulting with outside experts, but when asked, a spokesperson declined to name any.

Bill Marczak, one of the Citizen Lab researchers who authored today’s report, told TechCrunch he was “cautiously optimistic” about Zoom’s response.

“The bigger issue here is that Zoom has apparently written their own scheme for encrypting and securing calls,” he said, and that “there are Zoom servers in Beijing that have access to the meeting encryption keys.”

“If you’re a well-resourced entity, obtaining a copy of the internet traffic containing some particularly high-value encrypted Zoom call is perhaps not that hard,” said Marczak.

“The huge shift to platforms like Zoom during the COVID-19 pandemic makes platforms like Zoom attractive targets for many different types of intelligence agencies, not just China,” he said. “Fortunately, the company has (so far) hit all the right notes in responding to this new wave of scrutiny from security researchers, and has committed itself to making improvements in its app.”

Zoom’s blog post gets points for transparency. But the company is still facing pressure from New York’s attorney general and from two class-action lawsuits. Just today, several lawmakers demanded to know what it’s doing to protect users’ privacy.

Will Zoom’s mea culpas be enough?


TechCrunch

In a wide-ranging conversation at TechCrunch Disrupt San Francisco last week, Postmates co-founder and chief executive officer Bastian Lehmann made light of the company’s lack of IPO documents.

The San Francisco-based on-demand delivery business was expected to publicly file its IPO prospectus in September in preparation for a fall exit, sources familiar with the matter told TechCrunch this summer. September, however, has come and gone and we’re still waiting on Postmates to release the critical document.

“The reality is that we will IPO when we believe we find the right time for the business and the right time for the markets,” Lehmann told TechCrunch. “And if you look at the markets right now, I believe they are a little choppy. They are a little choppy when it comes to growth companies specifically … We are hopeful that we find a good window to get out there.”

Lehmann made reference to Uber and other companies that recently floated, citing market conditions as an IPO deterrent. Uber, Lyft, Slack and other fast-growing unicorns have struggled since entering the public markets earlier this year despite sky-high private market valuations. WeWork, a money-losing endeavor, recently decided to delay its IPO after demand from Wall Street devalued the business by the billions. Whether Postmates will complete its debut by the end of the year is unclear.

Postmates confidentially filed with the U.S. Securities and Exchange Commission for an IPO in February. Shortly after, Postmates held M&A talks with DoorDash, another food delivery unicorn, according to people familiar with the matter, but failed to come to mutually favorable terms. DoorDash has previously declined to comment on these reports. On stage last week, Lehmann declined to confirm the reports.

“I don’t think it does any good to speculate on M&A,” he said. “I think you have four well-funded players here in the U.S. in this space. I think everyone is well aware of the strengths and the weaknesses of each other and you know at some point down the line, if we take Europe for example, you will see consolidation in the market. People have conversations all the time but I wouldn’t read too much into it.”

Postmates operates its on-demand delivery platform, powered by a network of local gig economy workers, in more than 3,500 cities across all 50 states. The company does not yet operate in any international markets aside from Mexico City; however, Lehmann’s comments suggest the business could be plotting a foray into Europe, where Deliveroo, Just Eat and others dominate the market.

Postmates has raised about $900 million to date, including a $225 million round announced last month that valued the company at $2.4 billion. DoorDash, on the other hand, reached a $12.6 billion valuation in May with a $600 million Series G and has raised more than double that of Postmates. When asked why DoorDash, a similar and competing business, needed that much more capital, Lehmann joked “Maybe [DoorDash CEO Tony Xu] needs a jet, I don’t know.”

Postmates, founded in 2011 by Lehmann, is backed by Spark Capital, Founders Fund, Uncork Capital, Slow Ventures, Tiger Global, Blackrock and others. In our interview with Lehmann, the long-time CEO discussed the ‘choppy’ public markets, competitors, the company’s autonomous robotics delivery efforts and more.


TechCrunch

Security researchers at Google say they’ve found a number of malicious websites which, when visited, could quietly hack into a victim’s iPhone by exploiting a set of previously undisclosed software flaws.

Google’s Project Zero said in a deep-dive blog post published late on Thursday that the websites were visited thousands of times per week by unsuspecting victims, in what they described as an “indiscriminate” attack.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero.

He said the websites had been hacking iPhones over a “period of at least two years.”

The researchers found five distinct exploit chains involving 12 separate security flaws, including seven in Safari, the built-in web browser on iPhones. Each of the five attack chains allowed an attacker to gain “root” access to the device — the highest level of access and privilege on an iPhone. In doing so, an attacker could reach the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on an iPhone owner without their knowledge or consent.

Google said that, based on its analysis, the vulnerabilities were used to steal a user’s photos and messages as well as track their location in near real time. The “implant” could also access the user’s on-device store of saved passwords.

The vulnerabilities affect iOS 10 through the current iOS 12 software version.

Google privately disclosed the vulnerabilities in February, giving Apple only a week to fix the flaws and roll out updates to its users. That’s a fraction of the 90 days typically given to software developers, giving an indication of the severity of the vulnerabilities.

Apple issued a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.

Beer said it’s possible other hacking campaigns are currently in action.

The iPhone and iPad maker in general has a good rap on security and privacy matters. Recently the company increased its maximum bug bounty payout to $1 million for security researchers who find flaws that can silently target an iPhone and gain root-level privileges without any user interaction. Under Apple’s new bounty rules — set to go into effect later this year — Google would’ve been eligible for several million dollars in bounties.

When reached, a spokesperson for Apple declined to comment.


TechCrunch
