[HN Gopher] How the Zoom macOS installer does its job without yo...
       ___________________________________________________________________
        
       How the Zoom macOS installer does its job without you clicking
       'install'
        
       Author : _Microft
       Score  : 569 points
       Date   : 2020-03-31 11:41 UTC (11 hours ago)
        
 (HTM) web link (twitter.com)
        
       | diebir wrote:
       | A lot of this is Mac OS X fault: it still does not have an easy
       | canonical way of installing things and has no way for
       | uninstalling. I don't get why in this day mac os can't have
       | something like RPM or any number of other package managers.
        
         | saagarjha wrote:
         | It very much does! Zoom even stumbled upon it, it's called
         | Installer.app. Except, of course, they killed it before it even
         | finished...
        
       | tambourine_man wrote:
       | Zoom's got a tradition of being, let's put it like this, way too
       | clever for everyone's own good.
       | 
       | See previous "lets install a server on this Mac that is not
       | removed when you uninstall the app and leaves your camera open to
       | the entire internet" for more examples.
       | 
       | I use it on a VM, I suggest you do it too.
        
         | elevenoh wrote:
         | Best zoom alternative?
        
           | mrzool wrote:
           | We just started using Whereby and we're loving it. I strongly
           | recommend against Zoom.
        
           | emmelaich wrote:
           | Google Duo have raised the people per meeting from 4 to 12.
        
           | luto wrote:
           | Jitsi, Google Meet, bigbluebutton -- anything that runs in a
           | browser tab and is more or less confined within it.
        
             | Aachen wrote:
             | Don't know bigbluebutton but at least among Jitsi and
             | Google Meet, Wire is an alternative that is open source and
             | end to end encrypted. They just don't make it easy to host
             | your own, for that I guess Jitsi is the best way to go.
        
         | ummonk wrote:
         | I use the web browser version, and refuse to even install Zoom.
         | It's borderline spyware.
        
           | junky228 wrote:
           | sunova.... I couldn't find the web based version...That's
           | what frustrated me about zoom compared to webex. I could use
           | Webex in the browser and zoom had to be installed
        
             | lloeki wrote:
             | It's gated behind a fallback after three "failed" attempts
             | at clicking on the link to open the app after opening a
             | meeting URL, or a meeting setting. So, not on by default,
             | seems to be unable to join audio unless you use Chrome, and
             | shows a single video only.
        
               | 333c wrote:
               | This browser extension enables the web interface:
               | https://github.com/arkadiyt/zoom-redirector
        
         | saagarjha wrote:
         | It's very Dropbox-esque...
        
       | merpnderp wrote:
       | I wish I knew how it installed on my partner's Mac. No root
       | password was ever given, yet it installed when we thought we were
       | still using the web app. Quickly uninstalled and will use
       | different software next time.
        
       | miguelmota wrote:
       | What I like about zoom is that I can click on a zoom link and it
       | opens up my video conference pretty quickly. Last thing I want is
       | to go through installation steps when people are waiting for me
       | on a call. I understand the security implications but it's a
       | trade-off between user experience and lesser security.
        
       | pottertheotter wrote:
       | I installed Zoom on macOS yesterday and I thought that the
       | install was crashing because this is not the expected behavior. I
       | would double click the download, try to install, and then the
       | installation program would "crash", so I'd try it again. Did that
       | a few times before I realized it was installed. Until now I
       | thought it had somehow gotten far enough in the installation
       | process before crashing that I could at least use the
       | application. I'd been hearing everyone raving about how Zoom was
       | such better software than anything else, and my first experience
       | was their installer doesn't even work.
       | 
       | This was a horrible user experience for me, and I wasn't thinking
       | about security implications at all.
        
         | pehtis wrote:
         | I would highly recommend checking all installers on macOS
         | through Suspicious Package. It will give you a complete picture
         | of all the installer scripts that will be run and all the files
         | that will be written. I did just that for zoom and decided
         | against installing it.
        
           | twodayslate wrote:
           | https://mothersruin.com/software/SuspiciousPackage/ for those
           | curious
        
             | 0xff00ffee wrote:
             | Oooh this is good. A few years ago I came home drunk and
             | wanted to watch this old film that wasn't on any channels.
             | I found it on some dubious website, which required me to
             | install a player .dmg. I drunkenly typed in my password,
             | and then an hour later was like: dafuq did I just do?!?
             | Next day I re-imaged my mac because I'm both paranoid and
             | don't know enough about secops.
             | 
             | SuspiciousPackage wouldn't have helped combat Drunk Install
             | Syndrome, but it might have been a helpful tool before I
             | nuked my OS.
             | 
             | Or maybe this is just good marketing for SuspiciousPackage,
             | which is really malware. Well played.
        
             | JadeNB wrote:
             | Similar functionality: unpkg
             | (https://www.timdoug.com/unpkg/). See also
             | https://stackoverflow.com/questions/11298855/how-to-
             | unpack-a... . I think unpkg handles mpkg files, which I
             | haven't encountered in the wild for quite a while now; I
             | don't know about the others.
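
Added example, not part of any comment in this thread and not code from Suspicious Package or unpkg: a Python reader for the check pehtis and JadeNB describe, listing the files an installer's Scripts archive carries before the package is run. It assumes the common flat-package layout (a xar container whose Scripts entry is a gzip-compressed "odc" cpio archive); the sample package, its names and its contents are constructed.

```python
import gzip
import struct
import zlib
import xml.etree.ElementTree as ET

# Names pkgbuild(1) documents as a package's top-level scripts.
TOP_LEVEL = {"preinstall", "postinstall"}

def read_xar(blob):
    """Split a xar archive (the container of a flat .pkg) into (toc, heap)."""
    if len(blob) < 28 or blob[:4] != b"xar!":
        raise ValueError("not a xar archive")
    _, hdr_len, _, toc_clen, toc_ulen, _ = struct.unpack(">4sHHQQI", blob[:28])
    toc_xml = zlib.decompress(blob[hdr_len:hdr_len + toc_clen])
    if len(toc_xml) != toc_ulen:
        raise ValueError("TOC length mismatch")
    return ET.fromstring(toc_xml).find("toc"), blob[hdr_len + toc_clen:]

def walk(node, prefix=""):
    """Yield (path, element) for every <file> in the TOC, depth first."""
    for entry in node.findall("file"):
        path = prefix + entry.findtext("name", "")
        yield path, entry
        yield from walk(entry, path + "/")

def stored_bytes(entry, heap):
    """Return one TOC entry's content with the xar-level encoding undone."""
    data = entry.find("data")
    if data is None:
        return b""
    start = int(data.findtext("offset"))
    raw = heap[start:start + int(data.findtext("length"))]
    enc = data.find("encoding")
    style = enc.get("style", "") if enc is not None else ""
    if style == "application/x-gzip":      # xar's name for a zlib stream
        return zlib.decompress(raw)
    return raw

def cpio_members(archive):
    """Parse a portable-ASCII ("odc", magic 070707) cpio archive."""
    pos = 0
    while archive[pos:pos + 6] == b"070707":
        mode = int(archive[pos + 18:pos + 24], 8)
        name_len = int(archive[pos + 59:pos + 65], 8)
        size = int(archive[pos + 65:pos + 76], 8)
        name_end = pos + 76 + name_len
        name = archive[pos + 76:name_end - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, mode, archive[name_end:name_end + size]
        pos = name_end + size

def installer_scripts(pkg_bytes):
    """List regular files in each Scripts archive as
    (toc_path, name, is_top_level_script, first_line)."""
    toc, heap = read_xar(pkg_bytes)
    found = []
    for path, entry in walk(toc):
        if entry.findtext("name") != "Scripts" or entry.findtext("type") != "file":
            continue
        payload = stored_bytes(entry, heap)
        if payload[:2] == b"\x1f\x8b":       # assumed layout: gzip around cpio
            payload = gzip.decompress(payload)
        for name, mode, body in cpio_members(payload):
            if mode & 0o170000 != 0o100000:  # skip directories and links
                continue
            name = name[2:] if name.startswith("./") else name
            first = body.split(b"\n", 1)[0].decode("utf-8", "replace")
            found.append((path, name, name in TOP_LEVEL, first))
    return found

def _cpio_entry(name, mode, body):
    """Build one odc cpio record (helper for the constructed sample only)."""
    raw_name = name.encode() + b"\0"
    header = "070707%06o%06o%06o%06o%06o%06o%06o%011o%06o%011o" % (
        0, 0, mode, 0, 0, 1, 0, 0, len(raw_name), len(body))
    return header.encode() + raw_name + body

def build_sample_pkg():
    """Constructed sample: a minimal xar holding one Scripts archive."""
    script = b"#!/bin/sh\n# constructed sample script\necho copy-app\n"
    cpio = (_cpio_entry("./preinstall", 0o100755, script)
            + _cpio_entry("./helper.txt", 0o100644, b"data\n")
            + _cpio_entry("TRAILER!!!", 0, b""))
    heap = gzip.compress(cpio)
    toc = ('<xar><toc><file id="1"><name>Sample.pkg</name><type>directory</type>'
           '<file id="2"><name>Scripts</name><type>file</type><data>'
           f'<offset>0</offset><length>{len(heap)}</length><size>{len(heap)}</size>'
           '<encoding style="application/octet-stream"/></data></file>'
           '</file></toc></xar>').encode()
    ztoc = zlib.compress(toc)
    return struct.pack(">4sHHQQI", b"xar!", 28, 1, len(ztoc), len(toc), 0) + ztoc + heap

if __name__ == "__main__":
    for row in installer_scripts(build_sample_pkg()):
        print(row)
```

For a downloaded package, pass the file's bytes (`open(path, "rb").read()`) to `installer_scripts` and read any script flagged as top-level before opening the package in Installer.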
        
         | yreg wrote:
         | I too don't get how Zoom is considered "the superior software".
         | Maybe the calls don't drop, but the experience is bad (at least
         | on macOS).
        
           | 7ewis wrote:
           | Said this on Reddit the other day and got downvoted.
           | 
           | It _is_ bad on macOS. It used to be one of the better
           | platforms to stream video content to others, but now it just
           | lacks in many areas compared to most of its competitors.
           | 
           | The worst bug I had was it essentially started muting random
           | people on a call, but only for me. I could see their mouth
           | moving, and thought it was a problem their side but turns out
           | everyone else could hear them apart from me. I could hear
           | everyone else too apart from them.
        
         | macleginn wrote:
         | Same here. I thought the process didn't finish until I tried
         | launching the app (which I was supposed to do by clicking a
         | link in the browser, which is also rather unintuitive).
        
         | afandian wrote:
         | I did this too and didn't put two and two together til now. I
         | just assumed it was a buggy installer that broke with that
         | version of MacOS and tried a different machine
         | 
         | I've defended Zoom in the past for ethical 'slips', but weirdly
         | this has tipped me into hating it.
        
           | enricotal wrote:
           | Ok this is it... I was able to uninstall it with
           | 
           | $ brew cask install zoomus
           | $ brew cask uninstall zoomus
           | 
           | so long and thank you for all the fish... Zoom
        
             | angott wrote:
             | You can also use "brew cask zap zoomus" to remove
             | preference files, browser plugins, logs.
        
               | a-wu wrote:
               | Does this also work for non-brew installs?
        
               | szhu wrote:
               | Homebrew Cask's uninstall scripts are basically a
               | community-maintained "best guess" as to how to fully
               | uninstall each piece of software. It's generally pretty
               | reliable, and I do use it to remove non-brew installs
               | sometimes.
               | 
               | Note: I have contributed casks to Homebrew Cask before.
        
       | paulgpetty wrote:
       | Two questions this raises, for me at least:
       | 
       | How do I know I've completely uninstalled all the things Zoom
       | installed?
       | 
       | And, if Zoom provided a separate uninstaller (like many apps do)
       | and it was verified to purge all of the stuff they installed
       | (along with the uninstaller); would that appease people's
       | concerns?
       | 
       | For now I'm sticking with the iOS app for video & their web-based
       | experience for desktop sharing...
        
         | aequitas wrote:
         | I think it's interesting to see the outcry when Apple poses new
         | restrictions in the application distribution process (like
         | signing and sandboxing) but conversely the same cries go up
         | when there is an App that seems to be abusing loose control
         | mechanisms.
         | 
         | I think a lot of power users rightfully feel they are belittled
         | by sandboxes and application restrictions. But seeing that they
         | are not the major userbase and most Apps don't really need any
         | permissions at all for their intended purpose (the user's
         | purpose at least) I think Apple is moving in the right
         | direction.
        
           | lonelappde wrote:
           | It's possible to do things wrong in more than one way.
        
         | simonh wrote:
         | A previous version of Zoom installed a web server on MacOS
         | without telling you, and left it there after the uninstall
         | process. So the answer is no, you can't be sure.
         | 
         | Oh, and there was a known vulnerability in the web server that
         | allowed remote access to your camera. The company claimed this
         | was all intentional and was a feature and refused to remediate
         | it for months. Eventually Apple issued a system update that
         | removed the web server.
         | 
         | https://www.buzzfeednews.com/article/nicolenguyen/zoom-webca...
        
         | why_only_15 wrote:
         | Part of the benefit of macOS apps is that you can just put them
         | in the trash and they're gone. Breaking that contract isn't
         | like awful but it is frustrating.
        
         | Hackbraten wrote:
         | If you have Homebrew installed, you can run `brew cask zap
         | zoomus` to get rid of all the things (as far as we know) Zoom
         | has installed.
         | 
         | If you prefer to remove it manually, here's the list of files
         | and folders Homebrew will delete on `brew cask zap zoomus`:
         | 
         | https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22...
        
       | overgard wrote:
       | I understand wanting to reduce friction, but this is the second
       | time Zoom has kinda done something weird and suspect security
       | wise in the name of removing really minor obstacles that users
       | are probably used to dealing with anyway. Considering how many
       | tech companies are using Zoom right now, I would hope they are
       | cognizant that they don't become known as "the company that does
       | sketchy stuff so our IT people say we can't use it"
        
       | t0mas88 wrote:
       | The whole torrent of grey area, just over the line and outright
       | shady behavior at Zoom is a problem in itself even if all the
       | separate instances in isolation aren't grounds to stop using
       | them. Their responses to security issues and today's revelation
       | of misleading marketing on E2E encryption make it clear they're
       | not just making isolated mistakes. Shady is at the core of how
       | they operate, this is an indication that Zoom has a company
       | culture of accepting borderline behavior. Otherwise it wouldn't
       | be so widespread.
       | 
       | As a customer this is a reason for me to stop using Zoom. Not in
       | the last place because I'm quite sure we're only seeing the
       | public tip of the iceberg of all the unacceptable things
       | happening within Zoom.
        
         | capableweb wrote:
         | Unfortunately, the current system and people in power seem to
         | not give a damn about security and shady behavior, as long as
         | the thing they are using is working and working well. Zoom is
         | an example of very useful and performant software with shady
         | company behind it, that's why people will continue using it.
         | 
         | Same with Uber, Google and bunch of other companies. It doesn't
         | matter what they do, as their product is helping people enough
         | for people to look past the terrible things.
        
           | mikorym wrote:
           | I think you underappreciate one point here: We can still have
           | long term alternatives to Zoom (and we can have them now).
           | 
           | Google and Uber are already difficult to replace or to
           | otherwise challenge.
        
             | ForHackernews wrote:
             | Uber is trivially easy to replace with Lyft or $generic-
             | taxi-app.
        
               | aembleton wrote:
               | How do you persuade enough taxi drivers to use $generic-
               | taxi-app in enough areas to make it worthwhile for
               | someone to choose to use it instead of Uber?
        
               | minhazm wrote:
               | Lyft only operates in US and Canada. Uber is available in
               | 63 countries. The convenience you get just having that
               | one Uber app work is not easily replaced. But yeah you
               | could always try to find the local ride sharing companies
               | app, but it can be far less convenient.
        
               | ForHackernews wrote:
               | Only a tiny minority of wealthy people frequently travel
               | internationally. This is not a major selling point that
               | will save Uber.
        
           | Fiahil wrote:
           | Enterprise customer DO give a damn about security. They can
           | be slow to react, but rules are also there for a very long
           | time. If Zoom doesn't want to lose most of their marketshare
           | in favor of WebEx, they should probably address these issues.
        
             | m-p-3 wrote:
             | Correct, and we blocked zoom.us on the corporate network.
             | No way we're allowing this malware within our walls.
             | 
             | We already have meet.google.com that works well for us, and
             | external clients can easily join through a web browser.
        
             | kamyarg wrote:
             | As an employee of a corporate I can tell you that they do not
             | care about security more than money. cheaper the better.
             | Money > Security
        
             | Ididntdothis wrote:
             | "Enterprise customer DO give a damn about security."
             | 
             | When I look at IT they give a damn about some security but
             | then completely ignore other huge problems. I think a
             | bigger concern for them is cost, liability and convenience
             | for the administrators.
        
             | krageon wrote:
             | > Enterprise customer DO give a damn about security
             | 
             | You are wrong. Even without extensive experience in the
             | space, you can very easily see how even _large_ companies
             | don't secure themselves at all. The US has had equifax
             | recently, and it's not like that was an isolated example
             | either. There just isn't a security culture at the eye-
             | watering heights of corporate upper management and while
             | everyone's as busy making money as they are, there never
             | will be. It doesn't fit into the system, and anyone who
             | tries to change it gets muscled out by people who don't
             | want it to change - because that is simply what's most
             | efficient.
        
               | mywittyname wrote:
               | This has been my experience as well. Large companies pay
               | lip-service to security that protects their customers;
               | they want just enough for legal deniability in the event
               | of a breach, but not so much that it impacts operations
               | or profits.
               | 
               | However, they can be...enthusiastic when it comes to
               | security around protecting themselves. If you report an
               | issue with customer information on a public S3 bucket,
               | they might get around to fixing it someday, but if there
               | are "trade secrets" or the like in that bucket, the issue
               | is going to get fixed immediately and someone with a big
               | title probably won't be coming in tomorrow.
        
             | neuronic wrote:
             | This is hilariously wrong. I brought up Zoom issues at our
             | enterprise client - no one gives a shit (this is in
             | Germany, so rather privacy focused). As a consultant I felt
             | a need to bring the issues up, backed with sources of
             | course.
             | 
             | So why does no one care? Because Zoom UI/UX apparently
             | works 100x better than most other solutions. People don't
             | even REACT when I mention Jitsi or just using the Teams
             | solution that every Microsoft customer has anyways.
             | 
             | The enterprise I was talking about is using a mix of
             | Microsoft Teams and Zoom. Our team started with Teams, now
             | we are using Zoom because I don't even know. Others also
             | move from Teams to Zoom.
             | 
             | I bring this up to lots of people and the response is
             | rolling eyes and "shut the fuck up" in business euphemisms.
             | Zoom is viral now and privacy has no say in its success.
        
               | president wrote:
               | Could also be an issue of pricing. I wouldn't be
               | surprised if Zoom is cheaper than MS. Maybe someone with
               | knowledge on the sourcing side could comment on that.
        
             | taylortrusty wrote:
             | They're much more likely to lose it to Microsoft Teams,
             | which has been doing great the last several weeks.
        
           | m-p-3 wrote:
           | They're using malware-like behaviors to spread out and reach
           | more customers, even at the cost of security.
        
         | rwmj wrote:
         | They probably learned a lesson from Whatsapp which was a
         | nightmare of insecurity in the early days that cutting corners
         | gets results and approximately no one cares (except the tiny
         | minority like us who would never use it anyway).
        
       | lultimouomo wrote:
       | I think this also shows how macOS has been training users to
       | enter their password in random dialogs that have absolutely
       | nothing that identifies them as being legit OS dialogs. The
       | dialog that Zoom uses could very well be sending the credentials
       | to a remote server, and the user would be none the wiser.
        
         | Wowfunhappy wrote:
         | Note that in this case, it's still a legit OS dialog. Preflight
         | scripts are very much built into the macOS pkg format, they're
         | just not intended to be used like this.
        
           | tantalor wrote:
           | It doesn't look legit, it looks like the installer script is
           | faking a system dialog in this screenshot:
           | 
           | https://twitter.com/c1truz_/status/1244737675191619584/photo.
           | ..
           | 
           | This message is a lie; it's not coming from the system but from the
           | installer script.
           | 
           | Just because the OS is used to show the dialog doesn't mean
           | it should be trusted. As other commenter noted this could be
           | used to steal passwords; that is effectively what it does.
        
             | rainforest wrote:
             | To their credit, they seem to be using
             | AuthorizationExecuteWithPrivileges which doesn't get the
             | user's password, but executes a command as root, which is
             | marginally better than stealing the password like Dropbox
             | did.
        
               | tantalor wrote:
               | How hard do you think it is to steal a password once you
               | have root?
        
               | jedieaston wrote:
               | It should be _impossible_ with SIP enabled, as in OS X
               | 10.14 Apple protected the files in  /var/db/dslocal where
               | the user shadow files are stored so that root could not
               | read them (unless triggered by an Apple signed
               | executable, like Software Update). If you are running
               | with SIP disabled you've taken the risk of it happening,
               | and if you are on a corporate laptop (or 99% of personal
               | machines) it is engaged.
               | 
               | https://apple.stackexchange.com/questions/344117/mac-10-1
               | 3-1...
        
               | tantalor wrote:
               | Think a little harder. With root, you can install a
               | keylogger.
        
               | saagarjha wrote:
               | You'd still need to bypass TCC.
        
               | swiley wrote:
               | It would take an extra step, you have access to the hash
               | and maybe shared memory/SOs but you'd need a second trick
               | to actually steal it.
        
             | Wowfunhappy wrote:
             | The script asks for root which subsequently pops up an OS
             | password prompt. Zoom never sees your password.
             | 
             | How is this different from the way e.g. Virtualbox gets
             | root?
        
               | auiya wrote:
               | It's not making the proper privilege escalation call,
               | it's faking the box entirely. There's even a typo in the
               | dialog box.
        
               | saagarjha wrote:
               | No, they're using the (deprecated) Authorization Services
               | API from the (renamed) BLAuthentication.
        
               | Wowfunhappy wrote:
               | ...are you _sure_? I'm pretty sure that code just pops
               | up the system box to get privileges, with a custom
               | message at the top.
               | 
               | I'm running Mavericks--the last version of macOS before
               | they made the UI flat--and the prompt didn't look out of
               | place. If Zoom is indeed faking the box, they actually
               | went through the trouble to make a separate version for
               | Mavericks with Mavericks-style visuals.
        
               | lonelappde wrote:
               | Because it lies about its identity, calling itself
               | "System" not Zoom.
               | 
               | This is also a MacOS vuln that lets apps lie about their
               | identity in sudo prompts, much like a browser showing an
               | https site with no certificate checking.
        
               | Wowfunhappy wrote:
               | macOS allows apps to write arbitrary lines of text above
               | password prompts, which is what Zoom is doing. I don't
               | see how that's different from a shell script echo'ing
               | something before a sudo prompt.
               | 
               | How would you design this system?
        
               | jedieaston wrote:
               | Don't allow the application to do any of it, and when the
               | app asks for access, have the system instead say
               | "{processName}.app is requesting {permissionFlavorText}.
               | Enter a name and password to continue."
        
           | thaumasiotes wrote:
           | > Note that in this case, it's still a legit OS dialog.
           | 
           | No it isn't. The dialog prompt is "System need your privilege
           | to change." That's not passing QA anywhere -- it's just a
           | custom message someone put into Zoom without bothering to
           | proofread.
        
           | danieldk wrote:
           | I never understood why Apple still supports the pkg format.
           | It seems a half-baked leftover from the 2000s and even then I
           | was already surprised that there is no way to uninstall
           | things through the macOS GUI. I am not sure if this has
           | changed (I try to avoid pkg files and use Homebrew cask to
           | uninstall such packages), but IIRC you had to list the files
           | with _pkgutil_ on the command-line, remove stuff by hand and
           | then _--forget_ the package.
           | 
           | They should just kill the format. Everything should just be
           | drag to install, drag to trash to remove.
        
             | javagram wrote:
             | In my experience I've seen even technical users (Who were
             | used to windows) struggle with the idea of dragging an .app
             | from an open disk image to the Applications folder. They
             | would end up running the app from the disk image and then
             | getting confused when it disappears after restart.
        
               | Wowfunhappy wrote:
               | This system worked so much better when the Applications
               | folder was placed in the Dock by default, and everyone
               | used that folder to launch applications (which weren't
               | common enough to keep in the Dock directly).
               | 
               | It was actually a really beautiful synergy--you install
               | applications by copying them to a folder, and launch them
               | from that folder. Same way you'd acquire and open files.
               | Lovely.
               | 
               | Then Apple ruined it in Lion with Launchpad. Their app
               | install flow for anything outside of the app store
               | doesn't make any sense.
        
               | AnIdiotOnTheNet wrote:
               | One wonders why Apple didn't just treat DMGs like
               | Application Folders in the first place. If they had an
               | icon and you could run them directly then there wouldn't
               | be any confusion. AppImage works like that and I think it
               | was a wise decision.
        
               | Wowfunhappy wrote:
               | Developers can distribute .app's inside of .zip files,
               | and many do, but this can result in users just running
               | the .app inside of their downloads folder. And then this
               | causes problems if they ever decide to clean out their
               | Downloads folder.
               | 
               | The DMGs are a clever way to (A) make sure the app gets
               | to the proper location while simultaneously (B) teaching
               | the user about what's actually happening on their
               | computer. As I said in a sibling comment, this all made
               | much more sense when users also _launched_ apps from the
               | Applications folder directly.
        
               | danieldk wrote:
               | _Developers can distribute .app's inside of .zip files,
               | and many do, but this can result in users just running
               | the .app inside of their downloads folder. And then this
               | causes problems if they ever decide to clean out their
               | Downloads folder._
               | 
               | Some applications offer to move themselves to the
               | /Applications folder when started the first time outside
               | _/Applications_ or _~/Applications_. Though in general,
               | it would be better if Apple made it more attractive to
               | publish in the App Store, since it brings other
               | advantages (e.g. mandatory sandboxing).
        
               | Wowfunhappy wrote:
               | Yeah, and that's a fine solution given the situation
               | Apple has left us in. But it's also kind of a hack, which
               | shouldn't have become necessary.
               | 
               | Also, personally, I sometimes purposefully put apps in
               | places other than /Applications--for example, I like to
               | keep games in their own Games folder. And then the
               | dialogs are kind of annoying.
        
             | samcat116 wrote:
             | One thing to note here: people who administer macOS for
             | organizations basically convert everything to .pkgs (or
             | DMGs). It's the only easy way to silently install
             | applications, and perform post install actions like
             | performing licensing or activation steps.
        
             | drampelt wrote:
             | > Everything should just be drag to install, drag to trash
             | to remove.
             | 
             | I wish it were that easy, most apps leave files in other
             | places on your computer like ~/Library that will never get
             | cleaned up if you just move the app to trash.
        
               | Wowfunhappy wrote:
               | As much as this bothers me because of who I am, I don't
               | think it's a real problem. Those files shouldn't take up
               | significant space unless the developer is doing something
               | stupid.
               | 
               | It might be nice if macOS had some sort of automatic
               | cleanup routine when an app is trashed, but that would
               | either require showing the user an extra dialog (a la
               | AppCleaner's) or introducing an opaque system which could
               | potentially lead to data loss.
        
               | danieldk wrote:
               | Indeed, data outside the application folder usually
               | consists of a preferences plist and saved application
               | state. Of course, there could be caches as well, which
               | could take up a fair amount of disk space.
               | 
               | But I think the primary argumentation in favor of what
               | macOS does now on drag-to-trash is that the user's
               | preferences are preserved, for when they install an
               | application again.
        
           | lonelappde wrote:
           | Incorrect. Look at the second tweet in the thread. It's a
           | phishing popup that misidentifies itself in order to steal
           | privileges intended for System, not Zoom.
           | 
           | https://mobile.twitter.com/c1truz_/status/124473767519161958.
           | ..
        
             | Wowfunhappy wrote:
             | That's still an OS prompt, they just put their own message
             | at the top, as you're allowed to do.
        
               | joshuaissac wrote:
               | Yes, they are _allowed_ to put a fake message
               | (identifying the requester as System instead of Zoom),
               | but that does not make it OK.
        
         | Aachen wrote:
         | One could say the same for gksudo, UAC prompts, or the
         | equivalent dialog on your favorite operating system, no? Or is
         | there something on other OSes that identifies it?
        
           | sudosysgen wrote:
           | gksudo and UAC don't let the process lie about what it is.
        
       | 0xff00ffee wrote:
       | One suggestion...
       | 
       | My company has been using Gotomeeting for 5+ years. No video
       | (thankfully), but meetings are generally 20-30 people and largely
       | seamless.
       | 
       | It is expensive: $300 per seat to host a meeting, but it pretty
       | much just works. The UI is annoying and could be simpler.
       | 
       | However, I don't know if it is as shady as Zoom because I don't
       | think anyone has done a deep dive.
        
       | manigandham wrote:
       | 1) If Zoom can do this then it's a MacOS security bug.
       | 
       | 2) UX matters. Users don't care about the technical details, they
       | want a smooth experience and that can be the difference between a
       | billion-dollar business or a failed startup. And yes the desktop
       | version is more stable than the web-based UI.
       | 
       | 3) Malware is defined by what it does, not how it's installed.
        
         | thaumasiotes wrote:
         | > 3) Malware is defined by what it does, not how it's
         | installed.
         | 
         | Well, from the tweet thread:
         | 
         | > If the App is already installed but the current user is not
         | admin, they use a helper tool called "zoomAutenticationTool"
         | [sic] and the AuthorizationExecuteWithPrivileges API to spawn a
         | password prompt identifying as "System" (!!) to gain root
         | (including a typo).
        
           | manigandham wrote:
           | It's not malicious, and you have to give it permissions
           | somehow to finish the install.
           | 
           | Dropbox (used to?) patch system files to integrate with
           | Office better, and that wasn't considered malware either.
        
             | thaumasiotes wrote:
             | > It's not malicious
             | 
             | By the time you're lying to the user, you are malicious.
        
         | keymone wrote:
         | is botnet agent not malware? it's not doing anything until the
         | operator sends the payload.
        
           | manigandham wrote:
           | A botnet agent is designed to take control and run a bot, so
           | yes it's malware. It doesn't have to be actively doing it at
           | that moment to be considered such.
        
             | munk-a wrote:
             | Zoom does report usage to Facebook whether you have an
             | account or not - and that data is used to stitch together a
             | web profile of the user that is of no benefit to the user.
             | Zoom is bordering on malware, just... malware that comes
             | with a useful app that allows video conferencing.
        
               | vijaybritto wrote:
               | They removed that Facebook sdk after complaints.
        
         | Gaelan wrote:
         | I mean, it's not really a security bug. Installer.app displays
         | a dialog box that says "Hey, this package wants to run
         | arbitrary code to check if it's compatible with your system. Is
         | that OK?" The user is explicitly opting into the code
         | execution. Zoom's "compatibility check" installs the app and
         | kills the installer window. That's certainly unexpected
         | behavior, but I don't think it's an exploit in any real sense.
         | 
         | While normally I'd object to running arbitrary code with just
         | an easily-skippable dialog as confirmation, but I think it's OK
         | in this case where the expectation was that we're installing
         | their software anyway.
        
           | manigandham wrote:
           | You're right, it's more of a design issue. More explicit
           | permissions on altering the Applications folder could help.
           | Then again, most people want an easier install so this is
           | really for those who want that extra control.
        
           | opportune wrote:
           | As a user, I would not assume that checking compatibility
           | means I'm executing arbitrary code. I mean it could just be
           | macOS examining the binary to make sure it's compatible with
           | my ISA, or checking some app metadata about recommended free
           | resources like ram/disk space.
        
             | pvg wrote:
             | Apple agrees with you which is why the installer shows a
             | warning the check will involve running code and lets you
             | opt in or out.
        
           | etaioinshrdlu wrote:
           | It's really Apple's fault. "This package will run a program
           | to determine if the software can be installed." Is just
           | fundamentally a very strange statement to make, loaded with
           | vagueness.
           | 
           | Think about your average user... they are running an
           | installer program... which alerts them that they need to run
           | another program... to determine if they can install the
           | program.... (Which the user thought they were already doing)
           | 
           | The loaded expectation of the user to realize they are
           | granting privileges to a program to determine whether they
           | can install a program is just totally unreasonable.
           | 
           | It just sounds more and more ridiculous written out like
           | this.
        
       | RocketSyntax wrote:
       | Okay, great. Let's wrap some permissions around it to make this a
       | legit process?
        
       | factorialboy wrote:
       | Why isn't this categorized a major Mac OS vulnerability? If Zoom
       | abuses preinstall scripts, what's to say others aren't.
        
         | [deleted]
        
         | scumbert wrote:
         | Underrated take. They shouldn't be able to do this. This should
         | flag Zoom as PUP for malware removal, if it weren't the new go-
         | to.
        
         | lonelappde wrote:
         | It's not a vulnerability, as the dialog says "run a program"
         | and prompts for confirmation.
         | 
         | It's up to the user's imagination to consider what a program
         | can do.
         | 
         | The prompt is terribly worded though.
        
       | j1elo wrote:
       | Some background info for those commenters who say that Zoom
       | should be requiring just a web browser because web browsers
       | already have everything needed (aka. WebRTC). TL;DR summary: they
       | want to do their own thing, outside of what the WebRTC standard
       | allows, that's all (and enough reason for not using WebRTC?)
       | 
       | Zoom doesn't want to use the stock H.264 encoder as provided by
       | the browser for WebRTC communication. Instead, they use their own
       | video encoders and decoders (which while still being H.264, it is
       | presumedly better optimized for their use case). WebRTC forces
       | you to use either the H.264 or the VP8 encoder/decoder that the
       | browser provides.
       | 
       | How they do this is by having their own custom application that
       | you have to install. Still, some users have noticed that there is
       | a well hidden web-based version of Zoom, which works by again
       | running their custom encoders, thanks to WebAssembly. Also it
       | seems that their video is transmitted via DataChannels [0].
       | 
       | They are not alone. Companies want to provide additional "value"
       | by innovating outside of what the WebRTC standard offers. That's
       | nice and all, although it of course tends to disgregation and
       | incompatibilities in the long run. For this reason, I've heard
       | talks about how future revisions of the standard might explore
       | adding WebAssembly support, in order to allow everyone embedding
       | their own compiled components into their applications [1].
       | 
       | [0]: https://webrtchacks.com/zoom-avoids-using-webrtc/
       | 
       | [1]: https://webrtcbydralex.com/index.php/2019/11/13/webrtc-
       | stand...
        
         | xorcist wrote:
         | Right. It's also important to understand when the reason to
         | build non-standard things are just "productization" (intended
         | to open the wallets of enterprise clients) and when it is
         | because it really provides a better service to the end user.
         | 
         | Having native code running in every client makes a service
         | provider more valuable. It is much the same reason service
         | providers would rather have you running their app on mobile
         | than utilizing the web browser.
         | 
         | This link provides a bit of background to the webrtchack
         | articles above and gives a bit of background to when WebRTC is
         | sufficient:
         | 
         | https://bloggeek.me/webrtc-vs-zoom-video-quality/
        
       | realityking wrote:
       | I really wish they'd make the client available in the Mac App
       | Store. Not only is the installation experience better than this,
       | things also stay nicely up-to-date. If your company runs an MDM
       | for your Macs, it's easy to deploy apps en masse to everyone.
        
         | saagarjha wrote:
         | But then they'd need to opt-in to sandboxing and other
         | "onerous" requirements and couldn't pull shady things like
         | this.
        
         | diebeforei485 wrote:
         | It's times like this when I realize how much I prefer the Mac
         | App Store over everything else.
         | 
         | Zoom should definitely offer a Mac App Store version. Even if
         | they just take their iPad app and Catalyst it, I'd probably use
         | it.
        
       | jeroenhd wrote:
       | As someone who's never used or seen Zoom in action, what's
       | pulling people into Zoom that's not already available in other
       | tools (Hangouts Meet, MS Teams) and even works without installing
       | anything (such as Jitsi)?
       | 
       | Based on what I've seen, there's just so much hostile behaviour
       | by the company (including lying about meeting HIPAA e2e
       | requirements!) and the fact that their _official client_ had
       | parts removed by the macOS malware removal tool that I just don't
       | get why people still consider it as an option. If it were the
       | only "just works" tool out there I'd understand, but there's
       | plenty of competition in this space.
       | 
       | I've personally begun using the Jitsi server the local student
       | network association has set up and it's been working like a
       | dream. You can even share a window to others (which I didn't even
       | know browsers had support for) for presentations and such.
        
         | aeyes wrote:
         | I use Zoom, Hangouts, Slack and WebEx. Out of those Zoom has
         | the best call quality, and it is the only solution out of the 4
         | on which huge meetings (50+ persons) are workable.
        
           | benhurmarcel wrote:
           | I've been in Google Meet meetings with 100 to 150
           | participants, it worked fine.
        
           | SiempreViernes wrote:
           | I've used another software for big meetings, now called Vibe,
           | which works if I close chrome and patiently wait for the
           | bloated java app to expand into all available memory before
           | trying to take any action... it's not great.
           | 
           | Zoom manages to run without crashing and doesn't force me to
           | close a browser and wait a lot, so that's an advantage.
        
         | milesskorpen wrote:
         | I use Meet at work. For social gatherings, my friend group
         | exclusively uses Zoom because (a) better tiling (seems small,
         | but you want to see everyone) and (b) video quality seems
         | better.
        
           | giovannibajo1 wrote:
           | There's a chrome extension to do tiling:
           | 
           | https://chrome.google.com/webstore/detail/google-meet-
           | grid-v...
           | 
           | Which is even more infuriating because it shows that missing
           | tiling in Meet is just a frontend issue.
           | 
           | I'm completely baffled that this is not implemented.
        
       | dbbk wrote:
       | But why are they doing this? What is the benefit?
        
         | dceddia wrote:
         | If I had to guess, it's an attempt to optimize install
         | conversions. Every multi-step process you ask a user to perform
         | is effectively a (marketing/sales) funnel. Some percentage of
         | people drop off at every step. Maybe Zoom thought that if
         | they moved the actual installation closer to Step 1, then more
         | people would accomplish it. It's awfully sneaky though,
         | especially that password dialog.
        
           | my123 wrote:
           | They could have made it just a zip containing an app bundle
           | instead of this mess, but of course they didn't.
        
           | xorcist wrote:
           | > it's an attempt to optimize install conversions
           | 
           | I love creative uses of language like this!
           | 
           | Be right back, I just have to optimize install conversions of
           | my botnet client.
        
             | x0x0 wrote:
             | Or, you know, decrease the failure rate of people
             | legitimately attempting to install Zoom. It's quite
             | reasonable to ask why on earth apple requires more than one
             | click for a user to say "I want this program to run on my
             | computer; make it happen."
        
           | drewg123 wrote:
           | They could have also made it just work in a web browser
           | without having to use workarounds. That's one of the reasons
           | why I strongly prefer Google Meet and get annoyed at vendors
           | that want me to use solutions that require me to install
           | software.
        
             | dbbk wrote:
             | Conversely, I much prefer a desktop app to Google Meet,
             | since that's stuck in the browser the video can't float PIP
             | when you navigate away from the call
        
               | saagarjha wrote:
               | It can if it uses the right web APIs, which are widely
               | supported: https://w3c.github.io/picture-in-picture/
        
         | mstolpm wrote:
         | If one assumes there is nothing really nefarious going on, it
         | seems they are trying to gain market share: Growth marketing to
         | raise the company value. And looking at some people already
         | using "zoom" and "zooming" as synonym for video conferencing,
         | it kind of works.
        
         | Wowfunhappy wrote:
         | Several fewer mouse clicks to get into a meeting.
         | 
         | (I am not arguing in favor of the practice, just stating the
         | advantage)
        
       | xenophonf wrote:
       | I missed the part where Zoom is holding people's computers for
       | ransom, or formatting the drive, or exfiltrating sensitive
       | information to criminals or state intelligence officers, or
       | mining bitcoin, or other similarly malicious behaviors.
       | 
       | An admin can write to /Applications without privilege escalation?
       | That's a macOS bug. If the operating system didn't rely on an
       | 80s-style put-all-the-executables-in-one-place app launch
       | paradigm, maybe there'd be less incentive for app developers to
       | ignore the per-user Applications folder that macOS supports.
       | 
       | An app can spoof or abuse privilege escalation dialogs? That's
       | because macOS doesn't implement an Orange Book-style Trusted
       | Path. It's why Windows and similar operating systems have secure
       | attention keys in the first place.
       | 
       | So yeah, Zoom is (ab)using flaws in macOS to get itself installed
       | with minimum fuss, but it isn't doing it with evil intent. They
       | fixed past issues; they'll probably fix this. Meanwhile, these
       | long-standing macOS security flaws won't be addressed by Apple,
       | who has a terrible track record about these things except when it
       | lets people bypass their App Store.
       | 
       | P.S. As an enterprise customer, I'm much more worried about end-
       | to-end encryption in Zoom, and the apparent lack thereof. I'm
       | also not sure how that compares with other video conferencing
       | services.
        
         | oefrha wrote:
         | > An admin can write to /Applications without privilege
         | escalation? That's a macOS bug.
         | 
         | /Applications has been root:admin 775 since forever ago. It's
         | not a bug, and drag this app to (an alias of) /Applications is
         | very standard behavior of dmg installers. Working as designed.
        
           | xenophonf wrote:
           | That behavior goes all the way back to Classic Mac OS. If the
           | above is working as designed, then Zoom automating the copy-
           | app-to-/Applications process doesn't really seem that hinky
           | to me.
        
             | oefrha wrote:
             | It's a weird thing to do, but I don't find it particularly
             | concerning, no. You launched the installer after all. (I do
             | use Suspicious Package to quicklook pkgs myself, FWIW.)
        
               | xenophonf wrote:
               | Having write access without privilege escalation to
               | executable packages run by all users on a multiuser
               | computer is a significant security risk. That's one of
               | the ways an attacker can pivot into other systems from a
               | compromised computer.
        
               | oefrha wrote:
               | root:admin 775 is only writable by the admin group, I'm
               | not sure where you got the idea that all users have write
               | access.
               | 
               | The situation here is an admin explicitly executing a
               | program that writes to a directory that they have write
               | access to.
               | 
               | Edit: corrected typo 755 => 775.
               | 
               | Edit 2: Okay, I read what you wrote again and can now see
               | I misunderstood. However,
               | 
               | 1. macOS is primarily single user (or at least single
               | household) given how it's actually used. In actual
               | multiuser settings admins don't typically muck around
               | with their admin account.
               | 
               | 2. Typically other users can read/execute a lot of stuff
               | that's not root anyway. For instance, on research group
               | Linux servers people would often tell you to just execute
               | something in their home directory.
        
         | yardie wrote:
         | I use MacOS and everything I read in the twitter thread was
         | exactly as expected. MacOS does ask you to escalate. It also
         | asks for privileged access to the camera, microphone, and the
         | keyboard. So when our son had to download and run Zoom for his
         | now online school, I took the opportunity to teach him some
         | basic computer security. Zoom installed into his ~/Applications
         | folder, as a non-admin that was expected. And then it asked for
         | access to his microphone and camera.
        
         | rainforest wrote:
         | > So yeah, Zoom is (ab)using flaws in macOS to get itself
         | installed with minimum fuss, but it isn't doing it with evil
         | intent.
         | 
         | But... why? What other software vendors look at the OS security
         | model from a viewpoint of 'how do we bypass this as much as
         | possible?' If it's not evil intent, what is it, incompetence?
        
           | javagram wrote:
           | It's about making your software as easy to use as possible.
           | 
           | Users don't like UAC or having to click through a dozen
           | dialogs. They just want to get into their virtual meeting.
        
             | lonelappde wrote:
             | Zoom could be honest about what it is doing instead of going
             | to extreme lengths to conceal it.
        
             | my123 wrote:
             | Then Zoom should just make them join the meeting via the
             | web browser!
             | 
             | Zoom does this somehow and doesn't make joining from the
             | web frictionless when they pretty much could have.
        
           | xenophonf wrote:
           | /Applications is writable by admins. There is no O/S security
           | model to bypass.
        
             | rainforest wrote:
             | It has a pre-flight script (which isn't supposed to change
             | anything) that installs it (and its browser extensions, and
             | a kernel extension at some point in the past) in the most
             | widely available place the current user has privileges to
             | (it installs in their home directory if they aren't an
             | admin).
             | 
             | So yes, there is some blame to be laid at the OS for
             | running binaries with the privileges the current user has,
             | but it's clear that the installer doesn't behave like a
             | regular installer would.
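
The comments above describe an Installer prompt ("This package will run a program to determine if the software can be installed") and a pre-flight script that does the actual install. As an added example (not from the thread and not taken from any vendor's package), this Python audit flags a Distribution file whose pre-install checks can launch bundled programs. It assumes the package was already unpacked (for instance with `pkgutil --expand`) and that the prompt corresponds to `allow-external-scripts` plus a `system.run` call; both sample files are constructed.

```python
"""Flag Distribution files whose pre-install checks run bundled programs."""
import re
import xml.etree.ElementTree as ET

# Elements Installer evaluates before the user reaches the Install button.
PRE_INSTALL_CHECKS = ("installation-check", "volume-check")
# Heuristic: first string argument of system.run(...) / system.runOnce(...).
RUN_CALL = re.compile(r"system\.run\w*\s*\(\s*(['\"])(.*?)\1")

# Constructed sample: a "compatibility check" that launches a bundled helper.
SAMPLE_RUNS_CODE = """<installer-gui-script minSpecVersion="1">
    <title>Example App</title>
    <options allow-external-scripts="yes" customize="never"/>
    <installation-check script="check_compat();"/>
    <script><![CDATA[
function check_compat() {
    var rc = system.run('preflight_helper', 'arg1');
    return rc == 0;
}
    ]]></script>
    <pkg-ref id="com.example.app">#app.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed sample: a check that only compares OS versions in the sandbox.
SAMPLE_BENIGN = """<installer-gui-script minSpecVersion="1">
    <title>Example App</title>
    <options customize="never"/>
    <installation-check script="os_ok();"/>
    <script><![CDATA[
function os_ok() {
    return system.compareVersions(system.version.ProductVersion, '10.10') >= 0;
}
    ]]></script>
    <pkg-ref id="com.example.app">#app.pkg</pkg-ref>
</installer-gui-script>
"""


def audit_distribution(xml_text):
    """Return what a Distribution file may execute before installation."""
    # The file comes from an untrusted package: refuse DTDs and entities
    # instead of letting the XML parser expand them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD/entity declaration in Distribution")
    root = ET.fromstring(xml_text)

    # allow-external-scripts lets installer JavaScript start real processes.
    external_allowed = any(
        opt.get("allow-external-scripts", "no").lower() in ("yes", "true")
        for opt in root.iter("options")
    )
    # Checks that are evaluated before anything is supposed to be installed.
    checks = [
        (el.tag, el.get("script"))
        for tag in PRE_INSTALL_CHECKS
        for el in root.iter(tag)
        if el.get("script")
    ]
    # Programs named in system.run* calls inside embedded <script> blocks.
    programs = []
    for script in root.iter("script"):
        programs += [m.group(2) for m in RUN_CALL.finditer(script.text or "")]

    return {
        "external_scripts_allowed": external_allowed,
        "checks": checks,
        "programs": programs,
        # All three together: code from the package can run with the current
        # user's privileges as soon as the prompt is accepted.
        "runs_code_before_install": external_allowed and bool(checks) and bool(programs),
    }


if __name__ == "__main__":
    for name, sample in (("runs-code", SAMPLE_RUNS_CODE), ("benign", SAMPLE_BENIGN)):
        print(name, audit_distribution(sample))
```

A hit only says the package can run a bundled program at the check stage; what that program does still has to be read from the unpacked Scripts directory.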
        
       | rgovostes wrote:
       | I installed the WebEx client for macOS today and it seemed
       | similar, installing almost instantly without going through the
       | normal EULA, volume selection, etc. flow.
       | 
       | It seems like they've stuck their installation flow into an
       | Installer.app _plugin_ which is unusual. I haven't encountered
       | that before, and I'm somewhat surprised the feature exists
       | considering Apple waged war on loading code into first-party
       | software. (The user is prompted before the plugin loads.)
        
         | mrpippy wrote:
         | Ughhh, this is probably where Zoom got the idea from.
        
           | cpeterso wrote:
           | Zoom was founded by Eric Yuan, a lead engineer from Cisco's
           | WebEx business unit.
        
       | aequitas wrote:
       | Not that I'm in favor of this practice, but the one key feature
       | that conference software must have is: it just works(tm).
       | 
       | Nothing turns you off more from a conferencing solution than: any
       | problem getting it working right now.
       | 
       | When there is just the slightest issue, one person not being able
       | to join, one person not getting voice to work, bad audio, your
       | entire team is blocked/distracted. Which results in a collective
       | disdain for the solution and video conferencing as a whole.
       | 
       | This extends to getting the solution working for greenfield
       | installs as simple as possible. Because who knows which non-tech
       | users from which department all need to join and can't figure out
       | how to set the permission in their browser right or install/use
       | the other browser that is compatible.
       | 
       | So sadly, from a functionality point of view, you want to have the
       | software be able to force itself onto the user in the most usable
       | state it can.
        
         | untog wrote:
         | It just amazes me that the "just works" solution here is still
         | a native app. Plenty of reasons to use native apps but in 2020
         | video conferencing really isn't one: WebRTC is capable and
         | supported by every major desktop and mobile browser. It's
         | literally one click and you're done!
        
           | Saaster wrote:
           | None of the WebRTC based options just work, they're all
           | glitchy and cannot scale up to even moderate amounts of
           | users. We have Google Hangouts Meet for free for our org, and
           | we still pay for Zoom because It Just Works.
        
             | basch wrote:
             | Even having the "unblock this site from camera and
             | microphone" buried in the browser chrome or settings pages
             | somewhere is a dealbreaker. It's too easy for people to
             | mindlessly click "no" to can this access your microphone,
             | because of the way the browser pops it up during first use,
             | instead of during "install."
        
               | noahtallen wrote:
               | True. Even the adblocker and autoplay blockers can
               | prevent video and audio from working in Hangouts. I have
               | had issues with hangouts when joining meetings with
               | important people -- and my browser's autoplay block
               | feature prevented the video feed from working.
        
             | bwb wrote:
             | Same here, we used hangouts for the longest time but it got
             | worse. Zoom just works perfectly all the time.
        
             | x0x0 wrote:
             | Yeah. And high fidelity sync between audio (ideally via
             | phone). Maybe someone does it, but we tried _all_ vendors
             | and settled on Zoom. And screen annotations, and the
             | ability to remember participants' phones and dial them
             | directly (replaces them having to type 9 digit numbers into
             | their phones), etc.
             | 
             | Also, Zoom has reached a critical mass where, particularly
             | for sales calls, the remote party is quite likely to have
             | it installed. The network effect here is really valuable.
        
             | benhurmarcel wrote:
             | Maybe it has to do with the plan you have? I've used Google
             | Meet with up to ~150 participants and it was fine, but we
             | have an Enterprise account.
        
         | chadlavi wrote:
         | Zoom would "just work" if they didn't force you to install
         | software on your computer in the first place. If google meet
         | can do it, zoom can too.
        
           | wp381640 wrote:
           | Google Meet is terrible, there's a reason why everybody
           | switched to Zoom even in an over-crowded market
        
             | benhurmarcel wrote:
             | What's your problem with Meet? We've switched to it
             | massively after issues with Webex, and it's all very good.
        
           | fiddlerwoaroof wrote:
           | Doesn't Google Meet depend on a browser plugin they make you
           | install the first time? Hangouts did.
        
             | bruckie wrote:
             | No, it uses WebRTC.
             | https://support.google.com/meet/answer/7317473
        
               | tech234a wrote:
               | Apparently a plugin is needed for Internet Explorer, but
               | otherwise isn't.
        
         | gcb0 wrote:
         | Zoom doesn't simply work. The same way that facebook isn't a
         | good news feed. and paypal isn't a good, neutral, bank. etc
         | etc.
         | 
         | But people (like you) unknowingly shill for them because
         | they've fallen prey to the marketing and influencers.
         | Advertisement works. And you are living proof of that.
        
         | tarsinge wrote:
         | This is/was maybe true on Windows but on macOS installing an
         | App the standard way is straightforward and any user knows how
         | to do it.
        
           | aequitas wrote:
           | Which standard way? You have:
           | 
           | - Install from App store
           | 
           | - Drag and drop the .app from zip/dmg
           | 
           | - Using a .pkg installer (mostly based on Xcode templates)
           | 
           | I'd argue that a lot of users don't know all of these and
           | some even run most of their applications from the ~/Downloads
           | folder.
        
         | swiley wrote:
         | This still isn't a good reason to build a native app instead of
         | just using webrtc.
         | 
         | Someone should make a PSA site that says something along the
         | lines of "don't install teleconferencing software because it
         | usually bundles malware; your browser already has the
         | technology built in."
        
           | manigandham wrote:
           | What do you mean by "bundles malware"? What else is it doing
           | besides teleconferencing?
        
             | bruckie wrote:
             | https://daringfireball.net/2020/03/regarding_zoom
             | 
             | https://medium.com/bugbountywriteup/zoom-zero-
             | day-4-million-...
             | 
             | https://www.theverge.com/2019/7/10/20689644/apple-zoom-
             | web-s...
        
               | manigandham wrote:
               | To be clear, that's a security issue with their software
               | but not malware. It's not intended or designed to harm
               | your device.
        
           | aequitas wrote:
           | It is however the reason why this solution is being used
           | instead of all the other ones.
        
         | distances wrote:
         | I guess it works for _some_. I've had two Zoom meetings this
         | far, and in both cases the organizer quickly changed to Jitsi
         | as Zoom had distorted audio.
         | 
         | Maybe some incompatible software/hardware at some end? I don't
         | know or even care really, but Jitsi worked well with the same
         | participants both times, while the anecdotal Zoom success rate
         | is still 0% for me.
        
           | aequitas wrote:
           | For meetings I host I'm trying to evaluate Jitsi as well, so
           | far without much luck. I'm not hosting that many meetings and
           | the one I did was with someone using Linux not getting screen
           | sharing working.
           | 
           | But Jitsi is on my shortlist as I think being open source and
           | self-hostable is the way forward for a tool that could knock
           | Zoom off its throne.
        
         | gwbas1c wrote:
         | Good point, but: You can do so much in a browser now. Does
         | teleconference software really need an installed client
         | anymore?
        
           | JoeAltmaier wrote:
           | In theory. But in practice, as a developer you don't want to
           | depend on the browser support for your whole product.
           | Conferencing features of browsers have been pretty lame,
           | compared to what's possible in a professional product.
           | 
           | {edit} My experience: investor took over our startup, made us
           | switch from bespoke technology to web-based conference
           | features. Every feature was compromised, reliability and
           | capacity reduced by 10X.
        
           | rsynnott wrote:
           | Based on my experience with Zoom on the one hand and that
           | Google thing on the other, yes, yes it does.
        
           | noahtallen wrote:
           | Browser blocking and plugin features can prevent it from
           | working. For example, I've been in hangouts meetings where
           | the video feed wouldn't load because autoplay was blocked on
           | the browser. Of course, you can work around that, but having
           | the Zoom desktop client provides a reliable experience
           | without any tweaking
        
           | m0dest wrote:
           | For better or for worse, WebRTC is very opinionated about
           | codecs and transports. Those might be great choices for some
           | scenarios, but no developer wants their whole business to be
           | constrained by it.
        
         | t0mas88 wrote:
         | I'm still curious why everyone thinks Zoom "just works" while
         | others don't. Because in an enterprise context it is often hard
         | to download an executable and run it with sufficient
         | permissions. While Google and Microsoft both offer a product
         | that "just works" with only a browser. What makes Zoom more
         | "just works" than that?
        
           | capableweb wrote:
           | Well, I have a feeling that the praise for zoom going around
           | is not from people working in enterprises, it's people
           | working for everything-but enterprises, who just want a
           | solution that works.
           | 
           | In my experience (also not enterprise), Zoom is the simplest
           | solution with the best quality and latency, compared to the
           | alternatives. The UX could be better, but the performance of
           | Zoom for all platforms makes you survive the UX.
        
             | tardo99 wrote:
             | My company has used Hangouts for years with zero problems.
             | Zoom is mostly just hype.
        
             | jrochkind1 wrote:
             | Yep, Zoom is the only one I've used where I have never had
             | an audio problem, never a drop out or glitch.
        
             | gentleman11 wrote:
             | I don't think you can get much more reliable or simpler
             | than whereby.com
        
           | pjkundert wrote:
           | I've been working remotely for years.
           | 
           | In my experience, every other solution I've tried is a train-
           | wreck, compared to Zoom (MacBook Pro w/ external Apple
           | monitors). And, as far as I remember, I've tried them _all_,
           | repeatedly.
           | 
           | Even first-class platform-specific solutions like FaceTime
           | are, basically, unusable vs. Zoom. It's amazing, actually. I'm
           | not quite sure how Apple managed to make FaceTime's audio
           | just not work (almost _ever_), and Zoom just _works_, every
           | time, on every platform.
        
           | unlinked_dll wrote:
           | Same question. Not because of the browser thing but just
           | because it doesn't "just work" for me or my team.
        
           | zuppy wrote:
           | they work for your use case.
           | 
           | hangouts can't handle many users (is it 10 the limit?), which
           | is a deal breaker for me. we've tried and people couldn't
           | join the call.
           | 
           | if by microsoft you mean teams, i'm not aware of it working
           | without accounts (not an issue for google as most people have
           | google accounts).
        
             | gnud wrote:
             | Teams works for "guest users", but they have to be let into
             | the meeting by a "real" user.
             | 
             | Also, I think it's possible for companies to disallow guest
             | users on their team instance.
        
               | lukevp wrote:
               | Teams live can work without logins but you have to make
               | the feed public with a hidden link.
        
             | benhurmarcel wrote:
             | Google Meet supports up to 250 participants, on the
             | Enterprise version. Also it doesn't require an account to
             | join.
        
             | Wowfunhappy wrote:
             | > hangouts can't handle many users (is it 10 the limit?),
             | which is a deal breaker for me. we've tried and people
             | couldn't join the call.
             | 
             | My company had a 17 person Hangouts (Meet) meeting on
             | Monday. Actually, we switched to Hangouts from Slack
             | because Slack has a 15 person limit.
             | 
             | Is the limit maybe different for "Hangouts" vs Hangouts
             | Meet?
        
           | w1ntermute wrote:
           | As someone who has used a variety of VTC products (Zoom,
           | Webex, BlueJeans, Teams, Skype, etc.) for several years on a
           | daily basis (lots of external VTCs with different companies
           | who use different VTC systems), Zoom is by far the best. The
           | audio and video quality is head and shoulders above the rest
           | (both on PC and mobile) and the interface is dead simple for
           | even the least tech-savvy users.
           | 
           | My company uses Zoom, and there have been many instances
           | where, during a VTC call set up by someone at another company
           | (that doesn't use Zoom), we have switched mid-meeting to Zoom
           | because there's something wrong with the other VTC system
           | (someone can't join, can't hear, can't speak, can't share
           | their screen, etc.). And the other options haven't gotten
           | noticeably better over the years either.
        
           | impendia wrote:
           | I'm a college professor, and I'll share my perspective.
           | 
           | For one, Zoom _did_ just work. (At least as a participant,
           | rather than an organizer.) I tried it out, and it immediately
           | worked. It did what all of us were expecting, with no fuss.
           | 
           | I also tried MS Teams. It seems designed with a different
           | philosophy: that you use the software to do many different
           | things, and you want them all integrated. (For example, it
           | posted my meetings automatically to my Outlook calendar. I
           | had never used this calendar before, and was only dimly aware
           | that it existed.)
           | 
           | Moreover, it seems that the expected setup is a bunch of
           | people, all at the same workplace, who communicate with each
           | other consistently. My needs are different, with wildly
           | disparate use cases: a departmental meeting; classes to
           | teach; an online conference
           | (https://www.daniellitt.com/agonize/); an online social
           | gathering. Many of the people with whom I communicate don't
           | work for the same employer. And I don't want to configure all
           | of these "teams" in advance.
           | 
           | That said, I tried to get MS Teams up and running, to teach
           | my class. This involved multiple emails back and forth to our
           | tech support (it seems that I can't set up a "team" myself; I
           | have to ask IT to do it for me). It didn't have its own
           | whiteboard functionality so I had to download and run some
           | separate software.
           | 
           | And, then, in the end... it didn't work. I was trying to
           | teach a class, but my students couldn't see what I was doing.
           | I had no idea why.
        
             | btilly wrote:
             | _And, then, in the end... it didn't work. I was trying to
             | teach a class, but my students couldn't see what I was
             | doing. I had no idea why._
             | 
             | Were you on a mac?
             | 
             | If so, you may have encountered
             | https://answers.microsoft.com/en-us/msoffice/forum/msoffice_...
             | which has been outstanding since October and has no sign it
             | will be fixed properly any time soon.
             | 
             | The workaround is to quit programs until you find the one that
             | somehow causes Microsoft Teams to not understand that it
             | really does have permissions. For me it seemed to be XCode.
             | But it could be others... here is a partial list:
             | 
             | - Harvest - Confirmed
             | - Sonos - Confirmed
             | - Cisco VPN - Issue reported by others
             | - Microsoft To-Do - Confirmed
             | - Contacts+ (formerly FullContact) - confirmed
             | - Apple Photos - confirmed
             | - Teamviewer - reported by others
             | - Prompt/popup for app review from App Store - still have
             |   questions here. This seemed to be it, but haven't been able
             |   to confirm
             | - Brackets - reported by others
             | - Citrix Workspace Version: 19.10.2.41 (1910) - confirmed
             | 
             | This is an example of why "just works" is so important.
        
             | gentleman11 wrote:
             | Zoom doesn't just work. If the students want privacy, they
             | are just helpless.
             | 
             | Edit: downvoted for speaking up for student rights. Sorry
             | if it is inconvenient for the teachers
        
               | 867-5309 wrote:
               | universities are organisations, which all force some
               | incarnation of an internet usage policy. better still,
               | the students are paying an arm and a leg for their lack
               | of privacy. wouldn't it be great for the non-technical
               | end user if these Just Works(tm) software could just
               | bypass firewalls by way of VPNs, common ports, obfuscated
               | servers or the like?
        
               | impendia wrote:
               | > If the students want privacy, they are just helpless.
               | 
               | This isn't true actually. As a student, send the
               | following email:
               | 
               | "Hi Professor, I just read this webpage [link], which
               | outlines some privacy concerns with Zoom. I know some
               | other classes are running Software X, could we try that
               | instead?"
               | 
               | My university isn't _mandating_ Zoom. Indeed, they
               | recommended several software packages, of which their top
               | recommendation was Blackboard. (Which is what I've been
               | using so far. I have mostly joined others' Zoom meetings;
               | I've only initiated them for a D+D game I'm participating
               | in.) MS Teams was their second recommendation as I
               | recall, and Zoom was below that.
               | 
               | At least at my university -- and I expect that this is
               | typical -- individual faculty members are deciding how to
               | best fulfill their own responsibilities. And I have
               | emphasized to my students that I have never done this
               | before, and that I'm happy to change what I'm doing if
               | people have good suggestions.
        
               | saagarjha wrote:
               | > "Hi Professor, I just read this webpage [link], which
               | outlines some privacy concerns with Zoom. I know some
               | other classes are running Software X, could we try that
               | instead?"
               | 
               | Hi [Student],
               | 
               | I appreciate your concern; however, our university has
               | conducted a thorough audit of this software and found
               | that it satisfies our needs. We will continue using it
               | for our lectures.
               | 
               | Regards, Dr. [Professor]
               | 
               | Senior tenured chair of [Department], distinguished
               | lecturer, [University]
        
             | lostmsu wrote:
             | It does not "just work" for me. First, it required a
             | separate client, when even Skype does not.
             | 
             | Second, it does not support my browser.
        
               | floatingatoll wrote:
               | Your unstated criteria for "just work" are "just work in
               | browser", which differs from the definition used by the
               | comment you're replying to.
               | 
               | That is not universally shared among others, including
               | the non-technical folks that Zoom is being widely adopted
               | by.
        
               | stingraycharles wrote:
               | You're being downvoted fairly heavily, which I think is
               | unfair. Even though some other people might not agree,
               | it's a valid argument to make.
        
               | aequitas wrote:
               | This is what I was getting at with my parent comment, it
               | "just works" for everyone. But it doesn't fit some of the
               | niches technical or privacy minded people have. And in
               | the end, we are bound by the common denominator. I can
               | push my open source privacy respecting solution all I
               | want. But unless it "just works" for the lowest tech user
               | I'm at a loss.
               | 
               | There's a parallel here with security in the uphill
               | battle to get users to respect the caveats of the
               | solution they choose.
        
             | gameofcode wrote:
             | You're right, MS Teams is definitely better placed as an
             | org-wide communication/collaboration tool, not an external
             | one. They really need to make it easier to communicate with
             | people in external orgs, the org switcher is my biggest
             | complaint.
             | 
             | FWIW, IT can allow people in certain groups to make their
             | own teams, it's an admin setting.
        
               | Onawa wrote:
               | Working within the US NIH, we are forced to submit a
               | ticket for creating any new teams and the entire
               | Teams/Office 365 ecosystem is entirely crippled for us.
               | All new features take forever to be approved and brought
               | online, as well as additional connectors and apps having
               | to go through an extensive 6+ month-long vetting process
               | before being approved.
               | 
               | Makes using Teams quite a hassle, but with Skype for
               | Business being the only other approved option for
               | internal chat, it's better than nothing.
        
               | basch wrote:
               | Those are all organizational decisions, and not out of
               | the box defaults. Microsoft is trying very hard to
               | persuade organizations not to make those decisions.
               | 
               | Completely free teams creation does come at a cost. It
               | makes data governance much more complicated. People
               | creating duplicate places for things they didn't know
               | already existed. A lack of naming convention, to be able
               | to analyze what exists. Microsoft is pushing for people
               | to just be able to get things done, at the expense of
               | organization.
        
               | technion wrote:
               | When they mention "connectors and apps", right now there
               | is a very serious amount of phishing fraud going on
               | involving one click links that ask you to authorise a
               | malicious app. Users see a "please click yes" prompt,
               | they never have to enter their password and they think
               | that sounds fine.
               | 
               | I wish Microsoft would try a lot harder in persuading
               | businesses to make the decision to take oauth approvals
               | out of the user hands, because the volume is at a point
               | where I really feel anyone following the "empower the
               | user" discussion almost certainly has a compromised
               | mailbox in their business.
        
           | kiliancs wrote:
           | From my perspective, working in the browser is not
           | necessarily "just working", because for many combinations of
           | OS/hardware, the performance is terrible and not only eats
           | battery and will slow down other programs, but also affects
           | the quality of the call (audio and video).
        
             | sgustard wrote:
             | Also, granting a website access to my camera, granting
             | access to my microphone, and so on; which are really not
             | functions I want to be granting any websites. I don't run a
             | browser to have it randomly turn on surveillance devices. I
             | prefer to run an app to access my camera and quit it when
             | I'm done.
        
           | whatever_dude wrote:
           | Zoom has a browser version as a fallback.
           | 
           | Most people use the standalone app because indeed it "just
           | works". That's why you don't hear much about its browser
           | client.
        
             | saagarjha wrote:
             | > Most people use the standalone app because indeed it
             | "just works".
             | 
             | Most people use the standalone app because Zoom
             | aggressively pushes it.
        
           | aequitas wrote:
           | We just had a corporate presentation with around 250 people.
           | Normally we use Teams or Slack for internal communication,
           | this was also stated by management, that Zoom should only be
           | used for 'big' meetings like this. I think they know the
           | other solutions will not work as well for bigger groups. I've
           | not had issues with using either solution for small group
           | meetings.
           | 
           | Actually I have to go out of my way to run Zoom in the
           | browser instead of using the installer. I have to use Chrome
           | instead of Firefox, download but not install the app and wait
           | for the "or run in browser" link to appear after that.
           | 
           | I really don't like macOS installers anyways and passionately
           | hate them as "installing" an App on macOS should be nothing
           | more than moving the .app from a zip or disk image into your
           | /Applications folder. I just don't trust them in not placing
           | additional crap like auto updaters or kext's when I don't
           | need them.
        
             | enedil wrote:
             | In fact, if you change URL from /j/CONFERENCE_NUMBER to
             | /wc/join/CONFERENCE_NUMBER you won't be needing to wait for
             | that link.
        
               | aequitas wrote:
               | There is also a browser plugin I saw floating by a couple
               | of days ago that would just enforce this step, but can't
               | find it anymore.
        
               | borgel wrote:
               | From another commenter on another HN thread
               | https://github.com/arkadiyt/zoom-redirector
        
             | specialist wrote:
             | App installation should always just be a file copy.
             | Deinstallation should always just be a move to Trash (or
             | ~/Disabled equiv).
             | 
             | IMHO.
             | 
             | I'm even uncomfortable with config scattered everywhere.
             | The continued need for those 3rd party uninstallers is an
             | admission of failure.
             | 
             | Source: released products ported to misc Windows, classic
             | Mac, modern Mac. Our dev, QA, Test, tech supp was always
             | _so much easier_ on Mac. Not least because we could have
             | multiple current versions installed. Which allows
             | troubleshooting, rollbacks, etc.
             | 
             | Caveat: I personally use package managers and am curious to
             | see if Nix becomes the norm. So I may change my mind in the
             | future.
        
               | johannes1234321 wrote:
               | If the file is only moved to trash it will keep
               | configuration and other artefacts around or not support
               | such features or the file has to be mutable, which is
               | questionable from a security pov
        
             | Wowfunhappy wrote:
             | > Normally we use Teams or Slack for internal communication
             | 
             | > to run Zoom in the browser [...] I have to use Chrome
             | instead of Firefox.
             | 
             | Just a note, Slack and Teams calls also won't work in
             | Firefox. It's really annoying.
             | 
             | Hangouts works fine in Firefox though, somewhat
             | unexpectedly.
        
               | cpeterso wrote:
               | Here are the Firefox bug reports for Slack calls:
               | 
               | https://github.com/webcompat/web-bugs/issues/12975
               | 
               | And Teams calls:
               | 
               | https://github.com/webcompat/web-bugs/issues/25070
               | 
               | Slack originally relied on non-standard, Chrome-specific
               | WebRTC behavior and now is prioritizing development of
               | their Electron app over web support.
               | 
               | There is a Firefox extension to spoof Chrome's User-Agent
               | string for Teams. I haven't tested it, but it appears to
               | work for people:
               | https://addons.mozilla.org/en-US/firefox/addon/teams-phone-f...
        
             | lukevp wrote:
             | Why not use Teams Live for this? We have been using zoom
             | and Teams alternately and Teams performance and ease of use
             | has been much better in my experience, but we have yet to
             | do a 200+ all hands so I was curious if there were some
             | footguns with teams live that you may know about. Teams
             | live works on a lot of platforms and also has a web
             | version.
        
               | aequitas wrote:
               | I don't know of any, but our teams uses Slack, not Teams.
               | Barely any complaints about Slack video chat btw, but
               | that's all small sessions anyways.
        
               | reaperducer wrote:
               | _Why not use Teams Live for this?_
               | 
               | My wife was on a Teams videoconference last week. 125
               | people in four locations from New York to Southern
               | California.
               | 
               | An hour into it, half of the people were simultaneously
               | dropped, and not from any particular geography. It was
               | random. And nobody could reconnect for a very long time.
               | It took 45 minutes to restart the meeting.
               | 
               | The company is no longer using Teams.
        
               | mgkimsal wrote:
               | have only recently started using teams with one client.
               | small group (max 6 folks I think) and... we've had issues
               | with it - someone's video freezing, audio
               | garbled/dropping, etc - twice in 2 days. _but_... I'm
               | sort of chalking it up to potentially overloaded/bad net
               | connections in the wake of all the WFH and remote meeting
               | stuff being used. We had issues with connecting to zoom
               | (and their phone numbers) last week as well, so I'm not
               | ready to pull the plug on teams entirely until we have
               | more experience under our belts.
        
               | freehunter wrote:
               | To be fair I've seen the same thing happen with Zoom.
               | During a 2 hour meeting with a client, about half of my
               | team was dropped and couldn't get back into the meeting
               | for several minutes.
        
               | mynameisvlad wrote:
               | Teams live events
               | (https://docs.microsoft.com/en-us/microsoftteams/teams-live-e...)
               | which the parent
               | comment was referring to is actually a specific feature in
               | Teams that is only available for certain levels AFAIK but
               | supports vastly more people than a standard Teams
               | meeting.
        
               | alasdair_ wrote:
               | The only Teams Live meeting I've ever tried to join, we
               | had two people who gave up because their web version
               | didn't support Safari without having to manually go deep
               | into their preferences and change settings from the
               | default.
        
               | snowwrestler wrote:
               | My employer has used Teams Live for all-hands meetings
               | from home the last couple weeks and it worked great for
               | ~350 attendees.
        
               | basch wrote:
               | The predecessor, Skype Broadcast allowed completely
               | anonymous viewing, basically a twitch or youtube stream.
               | In the name of growth hacking, the Teams team decided to
               | force people to the app, you couldn't watch the video
               | stream from a mobile device without the teams app. Which
               | is a huge amount of friction for a mobile workforce that
               | isn't using teams.
               | 
               | Maybe this has changed since I last talked to Microsoft,
               | but even their own team was unhappy with it. But if you
               | still have access to broadcast.skype.com, it still works,
               | until they decide it shouldn't.
        
           | [deleted]
        
           | rickyc091 wrote:
           | Google requires you to have a Google account. Kids in middle
           | school (ages 12-14) and younger typically don't have an email
           | address. Zoom, on the other hand, lets you join a call
           | without logging in. You can even join straight from the
           | browser if needed without installing anything.
        
             | benhurmarcel wrote:
             | > Google requires you to have a Google account
             | 
             | Not for joining a meeting, no. You just type your name.
        
           | alasdair_ wrote:
           | Google has messenger and hangouts and another video
           | conferencing solution that I don't recall.
           | 
           | The reason we ditched hangouts for zoom a few years ago was
           | that hangouts only supported up to ten users, including users
           | whose connection had died and so they had to re-enter the
           | room again. This became extremely annoying - having to stop a
           | conference mid-call to ask some people to disconnect so
           | others could enter, or trying to find out how to kick "ghost"
           | users, was definitely not "just works".
        
             | benhurmarcel wrote:
             | Google Meet supports up to 250 participants in the
             | enterprise version.
        
           | ilikehurdles wrote:
           | Don't Google and Microsoft answers both require accounts, and
           | carry with them the expectation that everything you do on
           | their platforms is recorded for the purpose of selling ads?
           | 
           | Also I regularly attend more than 50-person zoom calls
           | without a hiccup. Google I think requires an enterprise plan
           | to get to that limit, and I don't even know what the name of
           | their video conferencing product is at this point.
        
             | bruckie wrote:
             | > Don't Google and Microsoft answers both require accounts,
             | and carry with them the expectation that everything you do
             | on their platforms is recorded for the purpose of selling
             | ads?
             | 
             | For Google, the answers are "sorta but not really", and
             | "no":
             | 
             | https://support.google.com/meet/answer/9303164: "Note:
             | Guests on the web don't need a Google account to
             | participate in a meeting." The initiator of a meeting needs
             | a G Suite account, but others can join without one.
             | 
             | https://gsuite.google.com/learn-more/security/security-white...:
             | "Google does not collect, scan or use data in G Suite Core
             | Services for advertising purposes."
             | 
             | (Speaking for myself, not Google.)
        
             | deelowe wrote:
             | I don't think either of those are true for meet.
        
           | rainforest wrote:
           | Zoom has a web client that "just works" but they only show it
           | as an option after they detect that their native client
           | didn't "just work".
        
             | aeyes wrote:
             | That's weird, when I open a meeting link (which would open
             | the native client) at the bottom of the page it says "If
             | you cannot download or run the application, join from your
             | browser.".
             | 
             | I have the native client and it still shows me this option.
        
             | mulmen wrote:
             | The web client is well hidden, crippled and only works in
             | Chrome.
             | 
             | Gallery view does not exist in the web client. Nor the
             | ability to add cat memes to your background.
        
           | grimjack00 wrote:
           | > While Google and Microsoft both offer a product that "just
           | works" with only a browser.
           | 
           | But those products don't always "just work", at least not in
           | my recent experience. I have had repeated problems with
           | Google meetings while working with an external entity, and
           | most of my employer is a Microsoft shop, so I've had to deal
           | with issues with both Teams and Skype, both via browser and
           | OS X app.
        
           | jwr wrote:
           | > I'm still curious why everyone thinks Zoom "just works"
           | while others don't.
           | 
           | I'm also curious. I subscribed to Whereby
           | (https://whereby.com/), where I can send people a URL, which
           | they click and land in my conference room. There is ZERO
           | software they need to install.
           | 
           | [For all the "well, actually" folks: yes, it "only" works in
           | every modern browser out there, and it works "only" for up to
           | 12 people. Fine with me.]
           | 
           | Zoom has more features, but there are many other solutions
           | that work much better and are WAY simpler. It's just that
           | Zoom is well known, and it's easiest to choose the tool that
           | everyone has heard about.
        
             | gentleman11 wrote:
             | To be more specific, whereby seems to be free for up to 4
             | people, but then they claim to be able to support 50. Never
             | tested it with 50
        
               | sudosysgen wrote:
               | Some of my teachers use jitsi, which works on the same
               | principle. The teacher sends a link, you click it, and
               | that's it. Works very well, and no limit.
        
       | josteink wrote:
       | Root-kit authors: watch and learn!
        
       | danans wrote:
       | For those calling this a security vulnerability in MacOS, isn't
       | this just using a GUI equivalent of "sudo"? There may be a decent
       | argument that a consumer OS shouldn't offer such a sudo-like API
       | to installers, but MacOS probably does this for legacy app
       | support reasons.
       | 
       | IMO the better question in this case is why Zoom needs to be
       | installed as admin on MacOS? After all, the mobile apps and
       | chrome extension don't need those privileges.
        
         | saagarjha wrote:
         | This is like the GUI equivalent of running "apt install zoom"
         | and the installation script killing the APT process and then
         | running amok with its root privileges.
        
       | e40 wrote:
       | I can't imagine why anyone logs in and uses macOS as an admin
       | user.
       | 
       | First account I create on a new Mac: admin. Then, when setup is
       | done, I log in and create my non-admin user account.
       | 
       | This is a good reason for many reasons, this abusive installer
       | being one.
        
       | staz wrote:
       | https://www.theverge.com/2019/7/8/20687014/zoom-security-fla...
        
       | gentleman11 wrote:
       | > Zoom has been criticized for its data collection practices,[45]
       | which include its collection and storage of "the content
       | contained in cloud recordings, and instant messages, files,
       | whiteboards" as well as its enabling employers to monitor workers
       | remotely;[46][47] the Electronic Frontier Foundation warned that
       | administrators can join any call at any time "without in-the-
       | moment consent or warning for the attendees of the call."[48] The
       | Ministry of Defence of the U.K. banned its use.[49][50] During
       | signup for a Zoom free account, Zoom requires users to permit it
       | to identify users with their personal information on Google and
       | also offers to permanently delete their Google contacts.
       | 
       | Widespread use of Zoom for online education during the novel
       | coronavirus pandemic increased concerns regarding students' data
       | privacy and, in particular, their personally identifiable
       | information.[17] According to the FBI, students' IP addresses,
       | browsing history, academic progress, and biometric data may be at
       | risk during the use of similar online learning services.[17]
       | Privacy experts are also concerned that the use of Zoom by
       | schools and universities may raise issues regarding unauthorized
       | surveillance of students and possible violations of students'
       | rights under the Family Educational Rights and Privacy Act
       | (FERPA)
       | 
       | - Wikipedia
        
       | wodenokoto wrote:
       | Having never installed Zoom, and honestly not having photographic
       | memory of how the installation process on MacOS is, how is it
       | supposed to look in the installer?
       | 
       | Also, what happened to just dragging the program into the
       | applications folder? I really liked that way of installing apps,
       | but most things seem to have an annoying click-through wizard.
        
         | jtvjan wrote:
         | They embedded their installation into a pre-install script.
         | Normally, you'd go through a next-next-next process with a pkg
         | installer, but in this case you get a popup asking you if you
         | want to allow it to "run a program to determine if the software
         | can be installed" (the purpose of pre-install scripts)
         | immediately after opening the pkg, you authenticate, and then
         | the installer just disappears.
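
A flat .pkg is a xar archive, and a component package's pre-install and post-install scripts travel in its `Scripts` entry, so the script stage described in the comment above can be spotted from the archive's table of contents before the package is opened in Installer. This is an added example, not part of the thread; the function names, the size cap and the sample archive with its `example.pkg` component are constructed for illustration.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

XAR_MAGIC = 0x78617221             # b"xar!"
HEADER = struct.Struct(">IHHQQI")  # magic, header size, version, TOC packed/unpacked length, checksum alg
MAX_TOC = 16 * 1024 * 1024         # assumed cap on TOC size for untrusted input
SCRIPT_NAMES = {"Scripts", "preinstall", "postinstall"}

def read_toc(pkg: bytes) -> ET.Element:
    """Parse the table of contents of a xar archive (the container of a flat .pkg)."""
    if len(pkg) < HEADER.size:
        raise ValueError("too short for a xar header")
    magic, hdr_size, _ver, clen, ulen, _alg = HEADER.unpack_from(pkg)
    if magic != XAR_MAGIC or ulen > MAX_TOC:
        raise ValueError("not a xar archive, or declared TOC too large")
    # Never inflate more than the header declares (decompression-bomb guard).
    xml = zlib.decompressobj().decompress(pkg[hdr_size:hdr_size + clen], ulen + 1)
    if len(xml) != ulen or b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("TOC length mismatch or DTD present")
    return ET.fromstring(xml)

def script_entries(root: ET.Element) -> list:
    """Return archive paths that carry install scripts, in TOC order."""
    hits = []
    def walk(node, prefix):
        for f in node.findall("file"):
            name = f.findtext("name", "")
            path = f"{prefix}/{name}" if prefix else name
            if name in SCRIPT_NAMES:
                hits.append(path)
            walk(f, path)  # component packages are directories in the TOC
    for toc in root.findall("toc"):
        walk(toc, "")
    return hits

def build_sample() -> bytes:
    """Constructed sample: a TOC-only xar with one component package, example.pkg."""
    toc = (b'<?xml version="1.0" encoding="UTF-8"?><xar><toc>'
           b'<file id="1"><name>Distribution</name><type>file</type></file>'
           b'<file id="2"><name>example.pkg</name><type>directory</type>'
           b'<file id="3"><name>Payload</name><type>file</type></file>'
           b'<file id="4"><name>Scripts</name><type>file</type></file>'
           b'</file></toc></xar>')
    z = zlib.compress(toc)
    return HEADER.pack(XAR_MAGIC, HEADER.size, 1, len(z), len(toc), 1) + z

print(script_entries(read_toc(build_sample())))
```
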
        
           | giovannibajo1 wrote:
           | Before that, when they had the shady web server, the zoom
           | application would pop up immediately connected to the right
           | meeting, as your browser would be "waking it up" via http. It
           | looks like they still haven't fixed this after they removed
           | the http server.
        
       | proffan wrote:
       | resReitna.7z
       | 
       | Reminds me of tech support XD
        
       | fermienrico wrote:
       | Also, Zoom's entire engineering team is based in China [1]. China
       | and Chinese companies have no real culture of user centric
       | privacy.
       | 
       | [1] https://news.ycombinator.com/item?id=22707528
       | 
       | Edit: Why downvote me? I am not trying to stir up flame wars.
       | Saying anything against China has become impossible to do on HN.
       | Voices get drowned despite raising _real_ legitimate concerns
       | about privacy, especially for a tool used by millions all of a
       | sudden during this pandemic. People should be speaking up on HN.
       | I know, I am not supposed to complain about downvotes on HN, I've
       | read the guidelines.
       | 
       | Edit2: Not able to find the source for Tianjin datacenter, I will
       | reply if I can find it. Please take it with a grain of salt.
       | 
       | Edit3: Holyshit, so much attention on my comment. Redacting
       | unsubstantiated claims and adding more sources that can be traced
       | on the wikipedia section of Zoom privacy criticisms:
       | https://en.wikipedia.org/wiki/Zoom_Video_Communications#Crit...
        
         | nothrabannosir wrote:
         | You get downvoted because every post critical of China gets
         | hit, regardless of quality or veracity.
        
           | dang wrote:
           | The post has been heavily upvoted, and what you've said isn't
           | close to true.
           | 
           | Please read and follow the site guidelines:
           | https://news.ycombinator.com/newsguidelines.html
        
         | Lucasoato wrote:
         | _totalitarian dictatorship intensifies_
        
           | dang wrote:
           | Please stop posting unsubstantive comments here.
        
         | zorked wrote:
         | Your comment is at the top. Please don't complain about
         | downvoting.
         | 
         | "China and Chinese companies have no real culture of user
         | centric privacy."
         | 
         | Citation needed. That's one billion individuals you are talking
         | about.
        
           | dang wrote:
           | I don't think it's fair to call that borderline racist.
           | That's an extremely strong word; let's not escalate where it
           | isn't needed. The problem with the statement is that it
           | doesn't come with any substantiation, or additional
           | information.
        
             | zorked wrote:
             | Edited. Feel free to delete my comment, it's redundant now.
        
               | dang wrote:
               | I think the edited version of your comment is just fine.
        
         | dang wrote:
         | Please don't break the site guidelines by going on about
         | downvoting. Your comment has been heavily upvoted. Meanwhile
         | complaints like that linger on as off-topic and false, and
         | don't garbage-collect themselves.
         | 
         | You can use HN Search to verify that HN sees plenty of comments
         | "saying anything against China". The topic is extremely flame-
         | prone because people are wont to hurl generalizations at each
         | other, and worse. Nationalistic flamebait and flamewar is a big
         | problem on HN [1], and obviously destructive of the spirit of
         | this site [2]. Individuals have been attacked here just for
         | expressing their views while being (or being assumed to be)
         | Chinese, and in at least one case the person was hounded off
         | the site altogether. I'm sure you'll agree that that's shocking
         | and not at all the community we want to be. None of us wants
         | that, but it's easy to get it anyway, if such flames get
         | started and aren't quickly contained.
         | 
         | I don't think your comment was nationalistic flamebait, except
         | insofar as it was rather unsubstantive. Unsubstantive comments
         | on inflammatory topics are almost guaranteed to come across in
         | a flamey way to some segment of the readership, even if that
         | was the last thing you intended. Intent doesn't communicate
         | itself, unfortunately, so the burden is on the commenter to
         | disambiguate [4].
         | 
         | [1]
         | https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
         | 
         | [2] https://news.ycombinator.com/newsguidelines.html
         | 
         | [3] https://news.ycombinator.com/item?id=21200971
         | 
         | https://news.ycombinator.com/item?id=21195898
         | 
         | https://news.ycombinator.com/item?id=19404162
         | 
         | https://news.ycombinator.com/item?id=22608635
         | 
         | [4]
         | https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
        
           | fermienrico wrote:
           | Understood, thanks and accept my apologies. I have some
           | feedback - please make exceptions when discussing fact based
           | discussions around privacy when it is not tending towards
           | flame wars, especially related to Chinese influence and
           | erosion of privacy. I can see why this can lead to flame wars
           | but that's where you should step in and moderate. I just read
           | your links to people getting harassed if they are Chinese,
           | that's not cool.
        
             | dang wrote:
             | I think my comment addresses this, but perhaps you were
             | replying to an earlier version, or perhaps I wasn't clear
             | enough. What you posted _was_ trending towards flamewar,
             | even though you didn't intend it that way. Telling
             | moderators to "step in and moderate" isn't sufficient to
             | solve this problem. For one thing, we don't come close to
             | seeing all the material that gets posted--there's far too
             | much. We do step in, but we also need users like you to
             | understand the problem a bit differently. If you're going
             | to comment on an inflammatory topic, you need to make sure
             | your comment is substantive, i.e. contains solid
             | information and not just grand claims. And you should be
             | careful to narrow its scope explicitly to what the
             | information supports. Fortunately that should also be
             | enough to make it clear that your intent isn't just to post
             | pejoratives about other people.
        
         | [deleted]
        
         | [deleted]
        
         | kerng wrote:
         | Thanks for sharing. I'm not too concerned about engineering
         | happening in China but data storage seems problematic,
         | especially because of the lack of encryption on their side.
         | 
         | The post or the CNBC link don't seem to have the word Tianjin
         | in them (comments do). Can you provide more details or another
         | source?
         | 
         | If that's indeed true I won't be hopping on a Zoom call later
         | this week with my bank for instance.
        
           | fermienrico wrote:
           | I'll try to dig out where I read it - Google isn't helping. I
           | am gonna edit my comment to clarify about the source.
        
       | jopolous wrote:
       | On a simpler level, zoom on macOS sketches me out in lots of
       | ways.
       | 
       | My macbook's bluetooth will not connect to my earbuds, but only
       | when zoom is running. Other audio recording/playing apps don't
       | affect things at all. What the heck is going on here?!
       | 
       | Scrolling on settings panels is definitely their own home-brewed
       | scrolling functionality. Why?! Was macOS's not cutting it for
       | some reason?
       | 
       | The settings menu is very clearly not using native OS buttons and
       | inputs. Why?! Why build your own? What is that for?
        
         | jcelerier wrote:
         | > My macbook's bluetooth will not connect to my earbuds, but
         | only when zoom is running.
         | 
         | that sounds like something related to this bug :
         | https://www.jeffgeerling.com/blog/2018/airpods-get-stuck-low...
        
           | jopolous wrote:
           | Nice, that's pretty much what I had to do to fix this. I used
           | the bluetooth explorer to force AAC, and force zoom to use
           | the internal MacBook mic
        
       ___________________________________________________________________
       (page generated 2020-03-31 23:00 UTC)