The Dangers of Narrow Focus
As the world adjusts to life during a global pandemic, people have turned to technology for work, socializing, education, professional networking - even dating. By far the most popular tool for these activities is Zoom video conferencing, which has seen a ten-fold jump in user adoption. This dramatic increase in popularity prompted many researchers to take a close look at the application’s security.
Any time that kind of attention is focused on a business application, particularly one involving communication between distant users, there will be flaws. Remote Code Execution vulnerabilities. Process issues, so the word “Zoombombing” became a thing. Questions about privacy and data sharing with third parties. The privacy of in-meeting chat logs and the control administrators have over meetings and participants. Zoom’s response has been overall excellent; they’ve announced a freeze on planned development to focus on patches and process improvements, with excellent results. It’s the kind of result researchers hope for in this situation.
Unfortunately the news of the various issues has also resulted in a lot of panic and confusion among the application’s users. Is Zoom safe to use? Should they worry? Stop using it? What do they do next?
It’s that part of the response I want to focus on today.
In the modern information security world, researchers have to focus their attention. We examine our targets closely, like medieval knights besieging a castle. Searching the defenses for weaknesses, for a way to leverage our tools and experience, find the flag or the reportable issue for our client. The target can become our whole world, sometimes. And the rush when we find it - it’s fantastic, isn’t it? It changes our whole perspective. Suddenly, the pathway we spent hours or days finding seems like a wide-open path. So we tell the world about our discovery, not incidentally including how clever we were in finding it, and warning of the dangers.
But that’s not always the right thing to do. Often, when we focus so intently on our objective, we lose sight of the big picture, and end up doing more than we intended.
So, Zoom. The issues are (or, increasingly, were) real, and raising and publicizing them did a lot of good. On the other hand, Zoom is the only video conferencing platform that didn’t struggle with load issues when the world started working from home. Grandmothers and young children can use it without expert assistance. Few of the discovered issues were serious enough to earn high CVE scores, and had fixes released very quickly. But the hysteria over these issues reached such a fever pitch that organizations began dropping Zoom as a supported application without the opportunity to research viable replacements. So - by highly publicizing the issues, by “raising awareness”, who are we helping?
As information security professionals, the goal is to defend those who need it. Ourselves, our employers, our communities, our world. Sometimes, that means highlighting dangerous and suspicious activities - Cambridge Analytica’s exploitation of Facebook data. Voting machine vulnerabilities. Payment card data leaks. And finding these issues means thinking like attackers - hacking systems and applications in search of the weak points. But once we’ve found it, once we’ve gotten through the defenses, we need to remember that our job is defense and protection. We need to think through the big picture before making our announcements, and in particular, we need to remember that the narrow focus on our target, the one that makes every flaw and possible vulnerability into something that fills our field of view, is not the same focus that should be used in evaluating the actions we recommend.
Our world is binary. Our perspectives can not be.