• A message from Zoom Video Communications, Inc. -- re: free / open sourc

    From nmschulte@desmas.net@21:1/5 to All on Fri Jan 28 21:50:02 2022

    Today I received this response from Zoom Video Communications, Inc., regarding my inquiry about ascertaining the (F/LOSS) contents of the Zoom binary packages and the programs therein, after discovering that their existing solution was not working.

    I am writing with the hope that this message reaches interested parties who are better suited to addressing the situation and seeing things resolved, and those who wish to comment and provide insight.  I am in a position where I must concern myself with this
    routinely, and am only really suited to working to better that routine, rather than to supporting the licenses of the relevant free software code, though I would like to.

    I am happy to share the entire conversation, but this last message is what caught my attention. Find it inlined here, attached to this mail, and also via https://desmas.net/zoom-oss.txt

    Hi Nathan,

    I am coming back to you regarding your request about the open source software source code page, which contained invalid links.
    All links in the page should now be working correctly (https://explore.zoom.us/en/opensource/source/).

    Regarding your comment, please find the following explanations that I have received from our Dev team:

    "We provide our OSS attribution in this manner intentionally, which is to say, it’s legally permissible (as per OSS licensing requirements) and more secure to be vague about the OSS contents of a given Zoom client/version… if a critical CVE is
    discovered at some point after we release, it’s best not to publish which specific Zoom client version contains the vulnerability, as that essentially gives a roadmap to exploitation for hackers. That said, we can provide more specific lists by request,
    but do not publish them by default.

    Also, I’m happy to talk to any customers with specific needs… a quick review of our policies/processes might alleviate the need to provide one-off lists. And the reality is that most of our clients are comprised of a number of shared projects, so
    most share a common core of OSS libraries, which is to say, most of our client OSS reports will look pretty similar except for a few environment-specific entries."

    I hope the above answers your query. Please let me know if you have any questions.

    Best regards,

    Arnaud

    Some specific thoughts in question form:

    - Is the stated legal assertion accurate?
    - Does an open-ended request suffice; may one simply request: I wish for this information about "all versions ever released", or perhaps specifying explicit version ranges matching the existing patterns?
    - Must references be made (more) concretely, and if so ... how?

    Thank you.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to Zoom Video Communications on Sat Jan 29 01:40:02 2022
    On Fri, 2022-01-28 at 20:23 +0000, Zoom Video Communications wrote:

    > if a critical CVE is discovered at some point after we release, it’s
    > best not to publish which specific Zoom client version contains the
    > vulnerability, as that essentially gives a roadmap to exploitation
    > for hackers.

    This is misguided at best, hackers are able to compare binaries and
    find out what changed. Some adversaries have this automated and there
    is even work on automatically deriving exploits from those diffs.

    > https://explore.zoom.us/en/opensource/source/
    > "We provide our OSS attribution in this manner intentionally, which
    > is to say, it’s legally permissible (as per OSS licensing
    > requirements)

    On Fri, 2022-01-28 at 20:23 +0000, nmschulte@desmas.net wrote:

    > - Is the stated legal assertion accurate?

    It completely depends on what components they are using and what
    licenses they are using those components under. If you suspect a
    violation of one of those licenses, please verify the details and
    contact the copyright holder for the components in question.

    > - Does an open-ended request suffice

    Given their response, I expect that they will reject such a request.

    > - Must references be made (more) concretely, and if so ... how?

    Looking at the referenced web page, I see components licensed under the
    LGPL, which means that each time Zoom releases software containing
    those components, they must also release the exact corresponding source
    for the version used by their software, as well as complying with the
    relinking and other requirements of the LGPL.

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise


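    Paul's point above, and Nathan's original aim of ascertaining the F/LOSS contents of the shipped binaries, can be checked directly: the libraries a vendor is vague about usually announce themselves inside the binary. The following is an added example for this thread, not code from any poster or from Zoom. It scans two builds for the version banners that OpenSSL, zlib and libpng compile into their objects and diffs the resulting inventories. The two "builds" are constructed byte blobs standing in for real client binaries, and the banner regexes and function names are my own.

```python
"""Recover embedded open-source component versions from two builds of a
binary and diff the inventories.

Added illustration for this thread, not code from Zoom or from any poster.
OLD_BUILD and NEW_BUILD are constructed byte blobs that embed the kind of
version banner real libraries compile into their objects; a real run would
read the files from disk via inventory_file().
"""
import re
from typing import Dict, Optional, Tuple

# Constructed stand-ins for two client builds.  Only the banner strings matter;
# the surrounding bytes are filler.
OLD_BUILD = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00"
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    + b"libpng version 1.6.37 - April 14, 2019\x00"
    + b"\x90" * 32
)
NEW_BUILD = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.1.1n  15 Mar 2022\x00"
    + b"inflate 1.2.12 Copyright 1995-2022 Mark Adler \x00"
    + b"libpng version 1.6.37 - April 14, 2019\x00"
    + b"\x90" * 32
)

# Banner shapes as the upstream projects emit them (OPENSSL_VERSION_TEXT,
# zlib's inflate_copyright, libpng's png_get_copyright); the regexes are mine.
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\s"),
    "zlib": re.compile(rb"inflate (\d+\.\d+\.\d+) Copyright"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}


def extract_versions(blob: bytes) -> Dict[str, str]:
    """Map component name -> version string for every banner found in blob."""
    found: Dict[str, str] = {}
    for name, pattern in BANNERS.items():
        match = pattern.search(blob)
        if match:
            found[name] = match.group(1).decode("ascii")
    return found


def diff_inventories(
    old: Dict[str, str], new: Dict[str, str]
) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Components whose version changed, appeared or disappeared between builds.

    Each entry is (old_version, new_version); None means absent in that build.
    """
    changed: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for name in sorted(set(old) | set(new)):
        if old.get(name) != new.get(name):
            changed[name] = (old.get(name), new.get(name))
    return changed


def inventory_file(path: str) -> Dict[str, str]:
    """Inventory a real binary on disk (hypothetical helper for actual use)."""
    with open(path, "rb") as handle:
        return extract_versions(handle.read())


if __name__ == "__main__":
    old_inv, new_inv = extract_versions(OLD_BUILD), extract_versions(NEW_BUILD)
    print("old build:", old_inv)
    print("new build:", new_inv)
    for component, (before, after) in diff_inventories(old_inv, new_inv).items():
        print(f"{component}: {before} -> {after}")
```

    This is a heuristic, not a substitute for a proper SBOM: a build that strips or patches out banner strings defeats it, and a statically linked library with no version string is invisible to it. Function-level binary diffing of two releases recovers far more than strings do, which is exactly why withholding the component list gains little against a capable adversary while leaving customers without the information they need to decide whether to upgrade.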
  • From Geert Stappers@21:1/5 to Paul Wise on Sat Jan 29 08:40:02 2022
    On Sat, Jan 29, 2022 at 08:30:39AM +0800, Paul Wise wrote:
    > On Fri, 2022-01-28 at 20:23 +0000, Zoom Video Communications wrote:
    >
    > > if a critical CVE is discovered at some point after we release, it’s
    > > best not to publish which specific Zoom client version contains the
    > > vulnerability, as that essentially gives a roadmap to exploitation
    > > for hackers.
    >
    > This is misguided at best, hackers are able to compare binaries and
    > find out what changed. Some adversaries have this automated and there
    > is even work on automatically deriving exploits from those diffs.

    And they, Zoom Video Communications, completely miss the point:
    to provide their customers with information
    on whether or not to upgrade their Zoom client.


    > > https://explore.zoom.us/en/opensource/source/
    > > "We provide our OSS attribution in this manner intentionally, which
    > > is to say, it’s legally permissible (as per OSS licensing
    > > requirements)
    >
    > On Fri, 2022-01-28 at 20:23 +0000, nmschulte@desmas.net wrote:
    >
    > > - Is the stated legal assertion accurate?
    >
    > It completely depends on what components they are using and what
    > licenses they are using those components under. If you suspect a
    > violation of one of those licenses, please verify the details and
    > contact the copyright holder for the components in question.
    >
    > > - Does an open-ended request suffice
    >
    > Given their response, I expect that they will reject such a request.

    FWIW, feel lucky upon receiving a rejection from them,
    because it implies they, Zoom, made some effort to inform you.


    > > - Must references be made (more) concretely, and if so ... how?
    >
    > Looking at the referenced web page, I see components licensed under the
    > LGPL, which means that each time Zoom releases software containing
    > those components, they must also release the exact corresponding source
    > for the version used by their software, as well as complying with the
    > relinking and other requirements of the LGPL.
    >
    > --
    > bye,
    > pabs
    >
    > https://wiki.debian.org/PaulWise


    Regards
    Geert Stappers
    Who thinks that customers and software vendors talking with each other is the best security measure there is.
    --
    Silence is hard to parse
