[HN Gopher] How the Zoom macOS installer does its job without yo...
___________________________________________________________________
How the Zoom macOS installer does its job without you clicking 'install'

Author : _Microft
Score  : 569 points
Date   : 2020-03-31 11:41 UTC (11 hours ago)

(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)

| diebir wrote:
| A lot of this is Mac OS X's fault: it still does not have an easy canonical way of installing things and has no way for uninstalling. I don't get why in this day mac os can't have something like RPM or any number of other package managers.
|
| saagarjha wrote:
| It very much does! Zoom even stumbled upon it, it's called Installer.app. Except, of course, they killed it before it even finished...
|
| tambourine_man wrote:
| Zoom's got a tradition of being, let's put it like this, way too clever for everyone's own good.
|
| See previous "let's install a server on this Mac that is not removed when you uninstall the app and leaves your camera open to the entire internet" for more examples.
|
| I use it on a VM, I suggest you do it too.
|
| elevenoh wrote:
| Best zoom alternative?
|
| mrzool wrote:
| We just started using Whereby and we're loving it. I strongly recommend against Zoom.
|
| emmelaich wrote:
| Google Duo have raised the people per meeting from 4 to 12.
|
| luto wrote:
| Jitsi, Google Meet, bigbluebutton -- anything that runs in a browser tab and is more or less confined within it.
|
| Aachen wrote:
| Don't know bigbluebutton but at least among Jitsi and Google Meet, Wire is an alternative that is open source and end to end encrypted. They just don't make it easy to host your own, for that I guess Jitsi is the best way to go.
|
| ummonk wrote:
| I use the web browser version, and refuse to even install Zoom. It's borderline spyware.
|
| junky228 wrote:
| sunova.... I couldn't find the web based version...That's what frustrated me about zoom compared to webex.
| I could use Webex in the browser and zoom had to be installed
|
| lloeki wrote:
| It's gated behind a fallback after three "failed" attempts at clicking on the link to open the app after opening a meeting URL, or a meeting setting. So, not on by default, seems to be unable to join audio unless you use Chrome, and shows a single video only.
|
| 333c wrote:
| This browser extension enables the web interface: https://github.com/arkadiyt/zoom-redirector
|
| saagarjha wrote:
| It's very Dropbox-esque...
|
| merpnderp wrote:
| I wish I knew how it installed on my partner's Mac. No root password was ever given, yet it installed when we thought we were still using the web app. Quickly uninstalled and will use different software next time.
|
| miguelmota wrote:
| What I like about zoom is that I can click on a zoom link and it opens up my video conference pretty quickly. Last thing I want is to go through installation steps when people are waiting for me on a call. I understand the security implications but it's a trade-off between user experience and lesser security.
|
| pottertheotter wrote:
| I installed Zoom on macOS yesterday and I thought that the install was crashing because this is not the expected behavior. I would double click the download, try to install, and then the installation program would "crash", so I'd try it again. Did that a few times before I realized it was installed. Until now I thought it had somehow gotten far enough in the installation process before crashing that I could at least use the application. I'd been hearing everyone raving about how Zoom was such better software than anything else, and my first experience was their installer doesn't even work.
|
| This was a horrible user experience for me, and I wasn't thinking about security implications at all.
|
| pehtis wrote:
| I would highly recommend checking all installers on macOS through Suspicious Package.
| It will give you a complete picture of all the installer scripts that will be run and all the files that will be written. I did just that for zoom and decided against installing it.
|
| twodayslate wrote:
| https://mothersruin.com/software/SuspiciousPackage/ for those curious
|
| 0xff00ffee wrote:
| Oooh this is good. A few years ago I came home drunk and wanted to watch this old film that wasn't on any channels. I found it on some dubious website, which required me to install a player .dmg. I drunkenly typed in my password, and then an hour later was like: dafuq did I just do?!? Next day I re-imaged my mac because I'm both paranoid and don't know enough about secops.
|
| SuspiciousPackage wouldn't have helped combat Drunk Install Syndrome, but it might have been a helpful tool before I nuked my OS.
|
| Or maybe this is just good marketing for SuspiciousPackage, which is really malware. Well played.
|
| JadeNB wrote:
| Similar functionality: unpkg (https://www.timdoug.com/unpkg/). See also https://stackoverflow.com/questions/11298855/how-to-unpack-a... . I think unpkg handles mpkg files, which I haven't encountered in the wild for quite a while now; I don't know about the others.
|
| yreg wrote:
| I too don't get how Zoom is considered "the superior software". Maybe the calls don't drop, but the experience is bad (at least on macOS).
|
| 7ewis wrote:
| Said this on Reddit the other day and got downvoted.
|
| It _is_ bad on macOS. It used to be one of the better platforms to stream video content to others, but now it just lacks in many areas compared to most of its competitors.
|
| The worst bug I had was it essentially started muting random people on a call, but only for me. I could see their mouth moving, and thought it was a problem their side but turns out everyone else could hear them apart from me. I could hear everyone else too apart from them.
|
| macleginn wrote:
| Same here.
| I thought the process didn't finish until I tried launching the app (which I was supposed to do by clicking a link in the browser, which is also rather unintuitive).
|
| afandian wrote:
| I did this too and didn't put two and two together til now. I just assumed it was a buggy installer that broke with that version of MacOS and tried a different machine
|
| I've defended Zoom in the past for ethical 'slips', but weirdly this has tipped me into hating it.
|
| enricotal wrote:
| Ok this is it... I was able to uninstall it with
|
| $ brew cask install zoomus
| $ brew cask uninstall zoomus
|
| so long and thank you for all the fish... Zoom
|
| angott wrote:
| You can also use "brew cask zap zoomus" to remove preference files, browser plugins, logs.
|
| a-wu wrote:
| Does this also work for non-brew installs?
|
| szhu wrote:
| Homebrew Cask's uninstall scripts are basically a community-maintained "best guess" as to how to fully uninstall each piece of software. It's generally pretty reliable, and I do use it to remove non-brew installs sometimes.
|
| Note: I have contributed casks to Homebrew Cask before.
|
| paulgpetty wrote:
| Two questions this raises, for me at least:
|
| How do I know I've completely uninstalled all the things Zoom installed?
|
| And, if Zoom provided a separate uninstaller (like many apps do) and it was verified to purge all of the stuff they installed (along with the uninstaller); would that appease people's concerns?
|
| For now I'm sticking with the iOS app for video & their web-based experience for desktop sharing...
|
| aequitas wrote:
| I think it's interesting to see the outcry when Apple poses new restrictions in the application distribution process (like signing and sandboxing) but conversely the same cries go up when there is an App that seems to be abusing loose control mechanisms.
|
| I think a lot of power users rightfully feel they are belittled by sandboxes and application restrictions.
| But seeing that they are not the major userbase and most Apps don't really need any permissions at all for their intended purpose (the user's purpose at least) I think Apple is moving in the right direction.
|
| lonelappde wrote:
| It's possible to do things wrong in more than one way.
|
| simonh wrote:
| A previous version of Zoom installed a web server on MacOS without telling you, and left it there after the uninstall process. So the answer is no, you can't be sure.
|
| Oh, and there was a known vulnerability in the web server that allowed remote access to your camera. The company claimed this was all intentional and was a feature and refused to remediate it for months. Eventually Apple issues a system update that removed the web server.
|
| https://www.buzzfeednews.com/article/nicolenguyen/zoom-webca...
|
| why_only_15 wrote:
| Part of the benefit of macOS apps is that you can just put them in the trash and they're gone. Breaking that contract isn't like awful but it is frustrating.
|
| Hackbraten wrote:
| If you have Homebrew installed, you can run `brew cask zap zoomus` to get rid of all the things (as far as we know) Zoom has installed.
|
| If you prefer to remove it manually, here's the list of files and folders Homebrew will delete on `brew cask zap zoomus`:
|
| https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22...
|
| overgard wrote:
| I understand wanting to reduce friction, but this is the second time Zoom has kinda done something weird and suspect security wise in the name of removing really minor obstacles that users are probably used to dealing with anyway.
| Considering how many tech companies are using Zoom right now, I would hope they are cognizant that they don't become known as "the company that does sketchy stuff so our IT people say we can't use it"
|
| t0mas88 wrote:
| The whole torrent of grey area, just over the line and outright shady behavior at Zoom is a problem in itself even if all the separate instances in isolation aren't grounds to stop using them. Their responses to security issues and today's revelation of misleading marketing on E2E encryption make it clear they're not just making isolated mistakes. Shady is at the core of how they operate, this is an indication that Zoom has a company culture of accepting borderline behavior. Otherwise it wouldn't be so widespread.
|
| As a customer this is a reason for me to stop using Zoom. Not in the last place because I'm quite sure we're only seeing the public tip of the iceberg of all the unacceptable things happening within Zoom.
|
| capableweb wrote:
| Unfortunately, the current system and people in power seems to not give a damn about security and shady behavior, as long as the thing they are using is working and working well. Zoom is an example of very useful and performant software with shady company behind it, that's why people will continue using it.
|
| Same with Uber, Google and bunch of other companies. It doesn't matter what they do, as their product is helping people enough for people to look past the terrible things.
|
| mikorym wrote:
| I think you underappreciate one point here: We can still have long term alternatives to Zoom (and we can have them now).
|
| Google and Uber are already difficult to replace or to otherwise challenge.
|
| ForHackernews wrote:
| Uber is trivially easy to replace with Lyft or $generic-taxi-app.
|
| aembleton wrote:
| How do you persuade enough taxi drivers to use $generic-taxi-app in enough areas to make it worthwhile for someone to choose to use it instead of Uber?
|
| minhazm wrote:
| Lyft only operates in US and Canada. Uber is available in 63 countries. The convenience you get just having that one Uber app work is not easily replaced. But yeah you could always try to find the local ride sharing companies app, but it can be far less convenient.
|
| ForHackernews wrote:
| Only a tiny minority of wealthy people frequently travel internationally. This is not a major selling point that will save Uber.
|
| Fiahil wrote:
| Enterprise customer DO give a damn about security. They can be slow to react, but rules are also there for a very long time. If Zoom doesn't want to lose most of their marketshare in favor of WebEx, they should probably address these issues.
|
| m-p-3 wrote:
| Correct, and we blocked zoom.us on the corporate network. No way we're allowing this malware within our walls.
|
| We already have meet.google.com that works well for us, and external clients can easily join through a web browser.
|
| kamyarg wrote:
| As an employee of a corporate can tell you that they do not care about security more than money. cheaper the better. Money > Security
|
| Ididntdothis wrote:
| "Enterprise customer DO give a damn about security."
|
| When I look at IT they give a damn about some security but then completely ignore other huge problems. I think a bigger concern for them is cost, liability and convenience for the administrators.
|
| krageon wrote:
| > Enterprise customer DO give a damn about security
|
| You are wrong. Even without extensive experience in the space, you can very easily see how even _large_ companies don't secure themselves at all. The US has had equifax recently, and it's not like that was an isolated example either. There just isn't a security culture at the eye-watering heights of corporate upper management and while everyone's as busy making money as they are, there never will be.
| It doesn't fit into the system, and anyone who tries to change it gets muscled out by people who don't want it to change - because that is simply what's most efficient.
|
| mywittyname wrote:
| This has been my experience as well. Large companies pay lip-service to security that protects their customers; they want just enough for legal deniability in the event of a breach, but not so much that it impacts operations or profits.
|
| However, they can be...enthusiastic when it comes to security around protecting themselves. If you report an issue with customer information on a public S3 bucket, they might get around to fixing it someday, but if there are "trade secrets" or the like in that bucket, the issue is going to get fixed immediately and someone with a big title probably won't be coming in tomorrow.
|
| neuronic wrote:
| This is hilariously wrong. I brought up Zoom issues at our enterprise client - no one gives a shit (this is in Germany, so rather privacy focused). As a consultant I felt a need to bring the issues up, backed with sources of course.
|
| So why does no one care? Because Zoom UI/UX apparently works 100x better than most other solutions. People don't even REACT when I mention Jitsi or just using the Teams solution that every Microsoft customer has anyways.
|
| The enterprise I was talking about is using a mix of Microsoft Teams and Zoom. Our team started with Teams, now we are using Zoom because I don't even know. Others also move from Teams to Zoom.
|
| I bring this up to lots of people and the response is rolling eyes and "shut the fuck up" in business euphemisms. Zoom is viral now and privacy has no say in its success.
|
| president wrote:
| Could also be an issue of pricing. I wouldn't be surprised if Zoom is cheaper than MS. Maybe someone with knowledge on the sourcing side could comment on that.
|
| taylortrusty wrote:
| They're much more likely to lose it to Microsoft Teams, which has been doing great the last several weeks.
|
| m-p-3 wrote:
| They're using malware-like behaviors to spread out and reach more customers, even at the cost of security.
|
| rwmj wrote:
| They probably learned a lesson from Whatsapp which was a nightmare of insecurity in the early days that cutting corners gets results and approximately no one cares (except the tiny minority like us who would never use it anyway).
|
| lultimouomo wrote:
| I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
|
| Wowfunhappy wrote:
| Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
|
| tantalor wrote:
| It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:
|
| https://twitter.com/c1truz_/status/1244737675191619584/photo...
|
| This message is a lie; it is not coming from system but from the installer script.
|
| Just because the OS is used to show the dialog doesn't mean it should be trusted. As other commenter noted this could be used to steal passwords; that is effectively what it does.
|
| rainforest wrote:
| To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
|
| tantalor wrote:
| How hard do you think it is to steal a password once you have root?
|
| jedieaston wrote:
| It should be _impossible_ with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.
|
| https://apple.stackexchange.com/questions/344117/mac-10-13-1...
|
| tantalor wrote:
| Think a little harder. With root, you can install a keylogger.
|
| saagarjha wrote:
| You'd still need to bypass TCC.
|
| swiley wrote:
| It would take an extra step, you have access to the hash and maybe shared memory/SOs but you'd need a second trick to actually steal it.
|
| Wowfunhappy wrote:
| The script asks for root which subsequently pops up an OS password prompt. Zoom never sees your password.
|
| How is this different from the way e.g. Virtualbox gets root?
|
| auiya wrote:
| It's not making the proper privilege escalation call, it's faking the box entirely. There's even a typo in the dialog box.
|
| saagarjha wrote:
| No, they're using the (deprecated) Authorization Services API from the (renamed) BLAuthentication.
|
| Wowfunhappy wrote:
| ...are you _sure_? I'm pretty sure that code just pops up the system box to get privileges, with a custom message at the top.
|
| I'm running Mavericks--the last version of macOS before they made the UI flat--and the prompt didn't look out of place. If Zoom is indeed faking the box, they actually went through the trouble to make a separate version for Mavericks with Mavericks-style visuals.
|
| lonelappde wrote:
| Because it lies about its identity, calling itself "System" not Zoom.
|
| This is also a MacOS vuln that lets apps lie about their identity in sudo prompts, much like a browser showing an https site with no certificate checking.
|
| Wowfunhappy wrote:
| macOS allows apps to write arbitrary lines of text above password prompts, which is what Zoom is doing. I don't see how that's different from a shell script echo'ing something before a sudo prompt.
|
| How would you design this system?
|
| jedieaston wrote:
| Don't allow the application to do any of it, and when the app asks for access, have the system instead say "{processName}.app is requesting {permissionFlavorText}. Enter a name and password to continue."
|
| thaumasiotes wrote:
| > Note that in this case, it's still a legit OS dialog.
|
| No it isn't. The dialog prompt is "System need your privilege to change." That's not passing QA anywhere -- it's just a custom message someone put into Zoom without bothering to proofread.
|
| danieldk wrote:
| I never understood why Apple still supports the pkg format. It seems a half-baked leftover from the 2000s and even then I was already surprised that there is no way to uninstall things through the macOS GUI. I am not sure if this has changed (I try to avoid pkg files and use Homebrew cask to uninstall such packages), but IIRC you had to list the files with _pkgutil_ on the command-line, remove stuff by hand and then _--forget_ the package.
|
| They should just kill the format. Everything should just be drag to install, drag to trash to remove.
|
| javagram wrote:
| In my experience I've seen even technical users (Who were used to windows) struggle with the idea of dragging an .app from an open disk image to the Applications folder. They would end up running the app from the disk image and then getting confused when it disappears after restart.
|
| Wowfunhappy wrote:
| This system worked so much better when the Applications folder was placed in the Dock by default, and everyone used that folder to launch applications (which weren't common enough to keep in the Dock directly).
|
| It was actually a really beautiful synergy--you install applications by copying them to a folder, and launch them from that folder. Same way you'd acquire and open files. Lovely.
|
| Then Apple ruined it in Lion with Launchpad. Their app install flow for anything outside of the app store doesn't make any sense.
|
| AnIdiotOnTheNet wrote:
| One wonders why Apple didn't just treat DMGs like Application Folders in the first place. If they had an icon and you could run them directly then there wouldn't be any confusion. AppImage works like that and I think it was a wise decision.
|
| Wowfunhappy wrote:
| Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.
|
| The DMGs are a clever way to (A) make sure the app gets to the proper location while simultaneously (B) teaching the user about what's actually happening on their computer. As I said in a sibling comment, this all made much more sense when users also _launched_ apps from the Applications folder directly.
|
| danieldk wrote:
| _Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder._
|
| Some applications offer to move themselves to the /Applications folder when started the first time outside _/Applications_ or _~/Applications_. Though in general, it would be better if Apple made it more attractive to publish in the App Store, since it brings other advantages (e.g. mandatory sandboxing).
|
| Wowfunhappy wrote:
| Yeah, and that's a fine solution given the situation Apple has left us in. But it's also kind of a hack, which shouldn't have become necessary.
|
| Also, personally, I sometimes purposefully put apps in places other than /Applications--for example, I like to keep games in their own Games folder. And then the dialogs are kind of annoying.
|
| samcat116 wrote:
| One thing to note here: people who administer macOS for organizations basically convert everything to .pkgs (or DMGs). It's the only easy way to silently install applications, and perform post install actions like performing licensing or activation steps.
|
| drampelt wrote:
| > Everything should just be drag to install, drag to trash to remove.
|
| I wish it were that easy, most apps leave files in other places on your computer like ~/Library that will never get cleaned up if you just move the app to trash.
|
| Wowfunhappy wrote:
| As much as this bothers me because of who I am, I don't think it's a real problem. Those files shouldn't take up significant space unless the developer is doing something stupid.
|
| It might be nice if macOS had some sort of automatic cleanup routine when an app is trashed, but that would either require showing the user an extra dialog (a la AppCleaner's) or introducing an opaque system which could potentially lead to data loss.
|
| danieldk wrote:
| Indeed, data outside the application folder usually consists of a preferences plist and saved application state. Of course, there could be caches as well, which could take up a fair amount of disk space.
|
| But I think the primary argumentation in favor of what macOS does now on drag-to-trash is that the users preferences are preserved, for when they install an application again.
|
| lonelappde wrote:
| Incorrect. Look at the second tweet in the thread. It's a phishing popup that misidentifies itself in order to steal privileges intended for System, not Zoom.
|
| https://mobile.twitter.com/c1truz_/status/124473767519161958...
|
| Wowfunhappy wrote:
| That's still an OS prompt, they just put their own message at the top, as you're allowed to do.
|
| joshuaissac wrote:
| Yes, they are _allowed_ to put a fake message (identifying the requester as System instead of Zoom), but that does not make it OK.
|
| Aachen wrote:
| One could say the same for gksudo, UAC prompts, or the equivalent dialog on your favorite operating system, no? Or is there something on other OSes that identifies it?
|
| sudosysgen wrote:
| gksudo and UAC don't let the process lie about what it is.
|
| 0xff00ffee wrote:
| One suggestion...
|
| My company has been using Gotomeeting for 5+ years. No video (thankfully), but meetings are generally 20-30 people and largely seamless.
|
| It is expensive: $300 per seat to host a meeting, but it pretty much just works. The UI is annoying and could be simpler.
|
| However, I don't know if it is as shady as Zoom because I don't think anyone has done a deep dive.
|
| manigandham wrote:
| 1) If Zoom can do this then it's a MacOS security bug.
|
| 2) UX matters. Users don't care about the technical details, they want a smooth experience and that can be the difference between a billion-dollar business or a failed startup. And yes the desktop version is more stable than the web-based UI.
|
| 3) Malware is defined by what it does, not how it's installed.
|
| thaumasiotes wrote:
| > 3) Malware is defined by what it does, not how it's installed.
|
| Well, from the tweet thread:
|
| > If the App is already installed but the current user is not admin, they use a helper tool called "zoomAutenticationTool" [sic] and the AuthorizationExecuteWithPrivileges API to spawn a password prompt identifying as "System" (!!) to gain root (including a typo).
|
| manigandham wrote:
| It's not malicious, and you have to give it permissions somehow to finish the install.
|
| Dropbox (used to?) patch system files to integrate with Office better, and that wasn't considered malware either.
|
| thaumasiotes wrote:
| > It's not malicious
|
| By the time you're lying to the user, you are malicious.
|
| keymone wrote:
| is botnet agent not malware? it's not doing anything until the operator sends the payload.
|
| manigandham wrote:
| A botnet agent is designed to take control and run a bot, so yes it's malware. It doesn't have to be actively doing it at that moment to be considered such.
|
| munk-a wrote:
| Zoom does report usage to Facebook whether you have an account or not - and that data is used to stitch together a web profile of the user that is of no benefit to the user. Zoom is bordering on malware, just... malware that comes with a useful app that allows video conferencing.
|
| vijaybritto wrote:
| They removed that Facebook sdk after complaints.
|
| Gaelan wrote:
| I mean, it's not really a security bug. Installer.app displays a dialog box that says "Hey, this package wants to run arbitrary code to check if it's compatible with your system. Is that OK?" The user is explicitly opting into the code execution. Zoom's "compatibility check" installs the app and kills the installer window. That's certainly unexpected behavior, but I don't think it's an exploit in any real sense.
|
| While normally I'd object to running arbitrary code with just an easily-skippable dialog as confirmation, but I think it's OK in this case where the expectation was that we're installing their software anyway.
|
| manigandham wrote:
| You're right, it's more of a design issue. More explicit permissions on altering the Applications folder could help. Then again, most people want an easier install so this is really for those who want that extra control.
|
| opportune wrote:
| As a user, I would not assume that checking compatibility means I'm executing arbitrary code. I mean it could just be macOS examining the binary to make sure it's compatible with my ISA, or checking some app metadata about recommended free resources like ram/disk space.
|
| pvg wrote:
| Apple agrees with you which is why the installer shows a warning the check will involve running code and lets you opt in or out.
|
| etaioinshrdlu wrote:
| It's really Apple's fault. "This package will run a program to determine if the software can be installed." Is just fundamentally a very strange statement to make, loaded with vagueness.
|
| Think about your average user... they are running an installer program... which alerts them that they need to run another program... to determine if they can install the program.... (Which the user thought they were already doing)
|
| The loaded expectation of the user to realize they are granting privileges to a program to determine whether they can install a program is just totally unreasonable.
|
| It just sounds more and more ridiculous written out like this.
|
| RocketSyntax wrote:
| Okay, great. Let's wrap some permissions around it to make this a legit process?
|
| factorialboy wrote:
| Why isn't this categorized a major Mac OS vulnerability? If Zoom abuses preinstall scripts, what's to say others aren't.
|
| [deleted]
|
| scumbert wrote:
| Underrated take. They shouldn't be able to do this. This should flag Zoom as PUP for malware removal, if it weren't the new go-to.
|
| lonelappde wrote:
| It's not a vulnerability, as the dialog says "run a program" and prompts for confirmation.
|
| It's up to the user's imagination to consider what a program can do.
|
| The prompt is terribly worded though.
|
| j1elo wrote:
| Some background info for those commenters who say that Zoom should be requiring just a web browser because web browsers already have everything needed (aka. WebRTC). TL;DR summary: they want to do their own thing, outside of what the WebRTC standard allows, that's all (and enough reason for not using WebRTC?)
|
| Zoom doesn't want to use the stock H.264 encoder as provided by the browser for WebRTC communication.
| Instead, they use their own video encoders and decoders (which while still being H.264, it is presumably better optimized for their use case). WebRTC forces you to use either the H.264 or the VP8 encoder/decoder that the browser provides.
|
| How they do this is by having their own custom application that you have to install. Still, some users have noticed that there is a well hidden web-based version of Zoom, which works by again running their custom encoders, thanks to WebAssembly. Also it seems that their video is transmitted via DataChannels [0].
|
| They are not alone. Companies want to provide additional "value" by innovating outside of what the WebRTC standard offers. That's nice and all, although it of course tends to disgregation and incompatibilities in the long run. For this reason, I've heard talks about how future revisions of the standard might explore adding WebAssembly support, in order to allow everyone embedding their own compiled components into their applications [1].
|
| [0]: https://webrtchacks.com/zoom-avoids-using-webrtc/
|
| [1]: https://webrtcbydralex.com/index.php/2019/11/13/webrtc-stand...
|
| xorcist wrote:
| Right. It's also important to understand when the reason to build non-standard things are just "productization" (intended to open the wallets of enterprise clients) and when it is because it really provides a better service to the end user.
|
| Having native code running in every client makes a service provider more valuable. It is much the same reason service providers would rather have you running their app on mobile than utilizing the web browser.
|
| This link provides a bit of background to the webrtchack articles above and give a bit of background to when WebRTC is sufficient:
|
| https://bloggeek.me/webrtc-vs-zoom-video-quality/
|
| realityking wrote:
| I really wish they'd make the client available in the Mac App Store.
Not only is the installation experience better than this, | things also stay nicely up-to-date. If your company runs an MDM | for your Macs, it's easy to deploy apps en masse to everyone. | saagarjha wrote: | But then they'd need to opt-in to sandboxing and other | "onerous" requirements and couldn't pull shady things like | this. | diebeforei485 wrote: | It's times like this when I realize how much I prefer the Mac | App Store over everything else. | | Zoom should definitely offer a Mac App Store version. Even if | they just take their iPad app and Catalyst it, I'd probably use | it. | jeroenhd wrote: | As someone who's never used or seen Zoom in action, what's | pulling people into Zoom that's not already available in other | tools (Hangouts Meet, MS Teams) and even works without installing | anything (such as Jitsi)? | | Based on what I've seen, there's just so much hostile behaviour | by the company (including lying about meeting HIPAA e2e | requirements!) and the fact that their _official client_ had | parts removed by the macOS malware removal tool that I just don't | get why people still consider it as an option. If it were the | only "just works" tool out there I'd understand, but there's | plenty of competition in this space. | | I've personally begun using the Jitsi server the local student | network association has set up and it's been working like a | dream. You can even share a window to others (which I didn't even | know browsers had support for) for presentations and such. | aeyes wrote: | I use Zoom, Hangouts, Slack and WebEx. Out of those Zoom has | the best call quality, and it is the only solution out of the 4 | on which huge meetings (50+ persons) are workable. | benhurmarcel wrote: | I've been in Google Meet meetings with 100 to 150 | participants, it worked fine.
| SiempreViernes wrote: | I've used another software for big meetings, now called Vibe, | which works if I close chrome and patiently wait for the | bloated java app to expand into all available memory before | trying to take any action... it's not great. | | Zoom manages to run without crashing and doesn't force me to | close a browser and wait a lot, so that's an advantage. | milesskorpen wrote: | I use Meet at work. For social gatherings, my friend group | exclusively uses Zoom because (a) better tiling (seems small, | but you want to see everyone) and (b) video quality seems | better. | giovannibajo1 wrote: | There's a chrome extension to do tiling: | | https://chrome.google.com/webstore/detail/google-meet- | grid-v... | | Which is even more infuriating because it shows that missing | tiling in Meet is just a frontend issue. | | I'm completely baffled that this is not implemented. | dbbk wrote: | But why are they doing this? What is the benefit? | dceddia wrote: | If I had to guess, it's an attempt to optimize install | conversions. Every multi-step process you ask a user to perform | is effectively a (marketing/sales) funnel. Some percentage of | people drop off at every step. Maybe Zoom thought that if | they moved the actual installation closer to Step 1, then more | people would accomplish it. It's awfully sneaky though, | especially that password dialog. | my123 wrote: | They could have made it just a zip containing an app bundle | instead of this mess, but of course they didn't. | xorcist wrote: | > it's an attempt to optimize install conversions | | I love creative uses of language like this! | | Be right back, I just have to optimize install conversions of | my botnet client. | x0x0 wrote: | Or, you know, decrease the failure rate of people | legitimately attempting to install Zoom. It's quite | reasonable to ask why on earth apple requires more than one | click for a user to say "I want this program to run on my | computer; make it happen."
| drewg123 wrote: | They could have also made it just work in a web browser | without having to use workarounds. That's one of the reasons | why I strongly prefer Google Meet and get annoyed at vendors | that want me to use solutions that require me to install | software. | dbbk wrote: | Conversely, I much prefer a desktop app to Google Meet, | since that's stuck in the browser the video can't float PIP | when you navigate away from the call | saagarjha wrote: | It can if it uses the right web APIs, which are widely | supported: https://w3c.github.io/picture-in-picture/ | mstolpm wrote: | If one assumes there is nothing really nefarious going on, it | seems they are trying to gain market share: Growth marketing to | raise the company value. And looking at some people already | using "zoom" and "zooming" as synonym for video conferencing, | it kind of works. | Wowfunhappy wrote: | Several less mouse clicks to get into a meeting. | | (I am not arguing in favor of the practice, just stating the | advantage) | xenophonf wrote: | I missed the part where Zoom is holding people's computers for | ransom, or formatting the drive, or exfiltrating sensitive | information to criminals or state intelligence officers, or | mining bitcoin, or other similarly malicious behaviors. | | An admin can write to /Applications without privilege escalation? | That's a macOS bug. If the operating system didn't rely on an | 80s-style put-all-the-executables-in-one-place app launch | paradigm, maybe there'd be less incentive for app developers to | ignore the per-user Applications folder that macOS supports. | | An app can spoof or abuse privilege escalation dialogs? That's | because macOS doesn't implement an Orange Book-style Trusted | Path. It's why Windows and similar operating systems have secure | attention keys in the first place. | | So yeah, Zoom is (ab)using flaws in macOS to get itself installed | with minimum fuss, but it isn't doing it with evil intent. 
They | fixed past issues; they'll probably fix this. Meanwhile, these | long-standing macOS security flaws won't be addressed by Apple, | who has a terrible track record about these things except when it | lets people bypass their App Store. | | P.S. As an enterprise customer, I'm much more worried about end- | to-end encryption in Zoom, and the apparent lack thereof. I'm | also not sure how that compares with other video conferencing | services. | oefrha wrote: | > An admin can write to /Applications without privilege | escalation? That's a macOS bug. | | /Applications has been root:admin 775 since forever ago. It's | not a bug, and drag this app to (an alias of) /Applications is | very standard behavior of dmg installers. Working as designed. | xenophonf wrote: | That behavior goes all the way back to Classic Mac OS. If the | above is working as designed, then Zoom automating the copy- | app-to-/Applications process doesn't really seem that hinky | to me. | oefrha wrote: | It's a weird thing to do, but I don't find it particularly | concerning, no. You launched the installer after all. (I do | use Suspicious Package to quicklook pkgs myself, FWIW.) | xenophonf wrote: | Having write access without privilege escalation to | executable packages run by all users on a multiuser | computer is a significant security risk. That's one of | the ways an attacker can pivot into other systems from a | compromised computer. | oefrha wrote: | root:admin 775 is only writable by the admin group, I'm | not sure where you got the idea that all users have write | access. | | The situation here is an admin explicitly executing a | program that writes to a directory that they have write | access to. | | Edit: corrected typo 755 => 775. | | Edit 2: Okay, I read what you wrote again and can now see | I misunderstood. However, | | 1. macOS is primarily single user (or at least single | household) given how it's actually used. 
In actual | multiuser settings admins don't typically muck around | with their admin account. | | 2. Typically other users can read/execute a lot of stuff | that's not root anyway. For instance, on research group | Linux servers people would often tell you to just execute | something in their home directory. | yardie wrote: | I use MacOS and everything I read in the twitter thread was | exactly as expected. MacOS does ask you to escalate. It also | asks for privileged access to the camera, microphone, and the | keyboard. So when our son had to download and run Zoom for his | now online school, I took the opportunity to teach him some | basic computer security. Zoom installed into his ~/Applications | folder, as a non-admin that was expected. And then it asked for | access to his microphone and camera. | rainforest wrote: | > So yeah, Zoom is (ab)using flaws in macOS to get itself | installed with minimum fuss, but it isn't doing it with evil | intent. | | But... why? What other software vendors look at the OS security | model from a viewpoint of 'how do we bypass this as much as | possible?' If it's not evil intent, what is it, incompetence? | javagram wrote: | It's about making your software as easy to use as possible. | | Users don't like UAC or having to click through a dozen | dialogs. They just want to get into their virtual meeting. | lonelappde wrote: | Zoom could be honest about what it is doing instead of going | to extreme lengths to conceal it | my123 wrote: | Then Zoom should just make them join the meeting via the | web browser! | | Zoom does this somehow and doesn't make joining from the | web frictionless when they pretty much could have. | xenophonf wrote: | /Applications is writable by admins. There is no O/S security | model to bypass.
| rainforest wrote: | It has a pre-flight script (which isn't supposed to change | anything) that installs it (and its browser extensions, and | a kernel extension at some point in the past) in the most | widely available place the current user has privileges to | (it installs in their home directory if they aren't an | admin). | | So yes, there is some blame to be laid at the OS for | running binaries with the privileges the current user has, | but it's clear that the installer doesn't behave like a | regular installer would. | rgovostes wrote: | I installed the WebEx client for macOS today and it seemed | similar, installing almost instantly without going through the | normal EULA, volume selection, etc. flow. | | It seems like they've stuck their installation flow into an | Installer.app _plugin_ which is unusual. I haven't encountered | that before, and I'm somewhat surprised the feature exists | considering Apple waged war on loading code into first-party | software. (The user is prompted before the plugin loads.) | mrpippy wrote: | Ughhh, this is probably where Zoom got the idea from. | cpeterso wrote: | Zoom was founded by Eric Yuan, a lead engineer from Cisco's | WebEx business unit. | aequitas wrote: | Not that I'm in favor of this practice, but the one key feature | that conference software must have is: it just works(tm). | | Nothing turns you off more from a conferencing solution than: any | problem getting it working right now. | | When there is just the slightest issue, one person not being able | to join, one person not getting voice to work, bad audio, your | entire team is blocked/distracted. Which results in a collective | disdain for the solution and video conferencing as a whole. | | This extends to getting the solution working for greenfield | installs as simple as possible.
Because who knows which non-tech | users from which department all need to join and can't figure out | how to set the permission in their browser right or install/use | the other browser that is compatible. | | So sadly, from a functionality point of view, you want to have the | software be able to force itself onto the user in the most usable | state it can. | untog wrote: | It just amazes me that the "just works" solution here is still | a native app. Plenty of reasons to use native apps but in 2020 | video conferencing really isn't one: WebRTC is capable and | supported by every major desktop and mobile browser. It's | literally one click and you're done! | Saaster wrote: | None of the WebRTC based options just work, they're all | glitchy and cannot scale up to even moderate amounts of | users. We have Google Hangouts Meet for free for our org, and | we still pay for Zoom because It Just Works. | basch wrote: | Even having the "unblock this site from camera and | microphone" buried in the browser chrome or settings pages | somewhere is a dealbreaker. It's too easy for people to | mindlessly click "no" to can this access your microphone, | because of the way the browser pops it up during first use, | instead of during "install." | noahtallen wrote: | True. Even the adblocker and autoplay blockers can | prevent video and audio from working in Hangouts. I have | had issues with hangouts when joining meetings with | important people -- and my browser's autoplay block | feature prevented the video feed from working. | bwb wrote: | Same here, we used hangouts for the longest time but it got | worse. Zoom just works perfectly all the time. | x0x0 wrote: | Yeah. And high fidelity sync between audio (ideally via | phone). Maybe someone does it, but we tried _all_ vendors | and settled on Zoom. And screen annotations, and the | ability to remember participants' phones and dial them | directly (replaces them having to type 9 digit numbers into | their phones), etc.
| | Also, Zoom has reached a critical mass where, particularly | for sales calls, the remote party is quite likely to have | it installed. The network effect here is really valuable. | benhurmarcel wrote: | Maybe it has to do with the plan you have? I've used Google | Meet with up to ~150 participants and it was fine, but we | have an Enterprise account. | chadlavi wrote: | Zoom would "just work" if they didn't force you to install | software on your computer in the first place. If google meet | can do it, zoom can too. | wp381640 wrote: | Google Meet is terrible, there's a reason why everybody | switched to Zoom even in an over-crowded market | benhurmarcel wrote: | What's your problem with Meet? We've switched to it | massively after issues with Webex, and it's all very good. | fiddlerwoaroof wrote: | Doesn't Google Meet depend on a browser plugin they make you | install the first time? Hangouts did. | bruckie wrote: | No, it uses WebRTC. | https://support.google.com/meet/answer/7317473 | tech234a wrote: | Apparently a plugin is needed for Internet Explorer, but | otherwise isn't. | gcb0 wrote: | Zoom doesn't simply work. The same way that facebook isn't a | good news feed. and paypal isn't a good, neutral, bank. etc | etc. | | But people (like you) unknowingly shill for them because | they've fallen prey to the marketing and influencers. | Advertisement works. And you are living proof of that. | tarsinge wrote: | This is/was maybe true on Windows but on macOS installing an | App the standard way is straightforward and any user knows how | to do it. | aequitas wrote: | Which standard way? You have: | | - Install from App store | | - Drag and drop the .app from zip/dmg | | - Using a .pkg installer (mostly based on Xcode templates) | | I'd argue that a lot of users don't know all of these and | some even run most of their applications from the ~/Downloads | folder. | swiley wrote: | This still isn't a good reason to build a native app instead of | just using webrtc.
| | Someone should make a PSA site that says something along the | lines of "don't install teleconferencing software because it | usually bundles malware; your browser already has the | technology built in." | manigandham wrote: | What do you mean by "bundles malware"? What else is it doing | besides teleconferencing? | bruckie wrote: | https://daringfireball.net/2020/03/regarding_zoom | | https://medium.com/bugbountywriteup/zoom-zero- | day-4-million-... | | https://www.theverge.com/2019/7/10/20689644/apple-zoom- | web-s... | manigandham wrote: | To be clear, that's a security issue with their software | but not malware. It's not intended or designed to harm | your device. | aequitas wrote: | It is however the reason why this solution is being used | instead of all the other ones. | distances wrote: | I guess it works for _some_. I've had two Zoom meetings this | far, and in both cases the organizer quickly changed to Jitsi | as Zoom had distorted audio. | | Maybe some incompatible software/hardware at some end? I don't | know or even care really, but Jitsi worked well with the same | participants both times, while the anecdotal Zoom success rate | is still 0% for me. | aequitas wrote: | For meetings I host I'm trying to evaluate Jitsi as well, so | far without much luck. I'm not hosting that many meetings and | the one I did was with someone using Linux not getting screen | sharing working. | | But Jitsi is on my shortlist as I think being open source and | self-hostable is the way forward for a tool that could knock | Zoom off its throne. | gwbas1c wrote: | Good point, but: You can do so much in a browser now. Does | teleconference software really need an installed client | anymore? | JoeAltmaier wrote: | In theory. But in practice, as a developer you don't want to | depend on the browser support for your whole product. | Conferencing features of browsers have been pretty lame, | compared to what's possible in a professional product.
| | {edit} My experience: investor took over our startup, made us | switch from bespoke technology to web-based conference | features. Every feature was compromised, reliability and | capacity reduced by 10X. | rsynnott wrote: | Based on my experience with Zoom on the one hand and that | Google thing on the other, yes, yes it does. | noahtallen wrote: | Browser blocking and plugin features can prevent it from | working. For example, I've been in hangouts meetings where | the video feed wouldn't load because autoplay was blocked on | the browser. Of course, you can work around that, but having | the Zoom desktop client provides a reliable experience | without any tweaking | m0dest wrote: | For better or for worse, WebRTC is very opinionated about | codecs and transports. Those might be great choices for some | scenarios, but no developer wants their whole business to be | constrained by it. | t0mas88 wrote: | I'm still curious why everyone thinks Zoom "just works" while | others don't. Because in an enterprise context it is often hard | to download an executable and run it with sufficient | permissions. While Google and Microsoft both offer a product | that "just works" with only a browser. What makes Zoom more | "just works" than that? | capableweb wrote: | Well, I have a feeling that the praise for zoom going around | is not from people working in enterprises, it's people | working for everything-but enterprises, who just want a | solution that works. | | In my experience (also not enterprise), Zoom is the simplest | solution with the best quality and latency, compared to the | alternatives. The UX could be better, but the performance of | Zoom for all platforms makes you survive the UX. | tardo99 wrote: | My company has used Hangouts for years with zero problems. | Zoom is mostly just hype. | jrochkind1 wrote: | Yep, Zoom is the only one I've used where I have never had | an audio problem, never a drop out or glitch.
| gentleman11 wrote: | I don't think you can get much more reliable or simpler | than whereby.com | pjkundert wrote: | I've been working remotely for years. | | In my experience, every other solution I've tried is a train- | wreck, compared to Zoom (MacBook Pro w/ external Apple | monitors). And, as far as I remember, I've tried them _all_, | repeatedly. | | Even first-class platform-specific solutions like FaceTime | are, basically, unusable vs. Zoom. It's amazing, actually. I'm | not quite sure how Apple managed to make FaceTime's audio | just not work (almost _ever_), and Zoom just _works_, every | time, on every platform. | unlinked_dll wrote: | Same question. Not because of the browser thing but just | because it doesn't "just work" for me or my team. | zuppy wrote: | they work for your use case. | | hangouts can't handle many users (is it 10 the limit?), which | is a deal breaker for me. we've tried and people couldn't | join the call. | | if by microsoft you mean teams, i'm not aware of it working | without accounts (not an issue for google as most people have | google accounts). | gnud wrote: | Teams works for "guest users", but they have to be let into | the meeting by a "real" user. | | Also, I think it's possible for companies to disallow guest | users on their team instance. | lukevp wrote: | Teams live can work without logins but you have to make | the feed public with a hidden link. | benhurmarcel wrote: | Google Meet supports up to 250 participants, on the | Enterprise version. Also it doesn't require an account to | join. | Wowfunhappy wrote: | > hangouts can't handle many users (is it 10 the limit?), | which is a deal breaker for me. we've tried and people | couldn't join the call. | | My company had a 17 person Hangouts (Meet) meeting on | Monday. Actually, we switched to Hangouts from Slack | because Slack has a 15 person limit. | | Is the limit maybe different for "Hangouts" vs Hangouts | Meet?
| w1ntermute wrote: | As someone who has used a variety of VTC products (Zoom, | Webex, BlueJeans, Teams, Skype, etc.) for several years on a | daily basis (lots of external VTCs with different companies | who use different VTC systems), Zoom is by far the best. The | audio and video quality is head and shoulders above the rest | (both on PC and mobile) and the interface is dead simple for | even the least tech-savvy users. | | My company uses Zoom, and there have been many instances | where, during a VTC call set up by someone at another company | (that doesn't use Zoom), we have switched mid-meeting to Zoom | because there's something wrong with the other VTC system | (someone can't join, can't hear, can't speak, can't share | their screen, etc.). And the other options haven't gotten | noticeably better over the years either. | impendia wrote: | I'm a college professor, and I'll share my perspective. | | For one, Zoom _did_ just work. (At least as a participant, | rather than an organizer.) I tried it out, and it immediately | worked. It did what all of us were expecting, with no fuss. | | I also tried MS Teams. It seems designed with a different | philosophy: that you use the software to do many different | things, and you want them all integrated. (For example, it | posted my meetings automatically to my Outlook calendar. I | had never used this calendar before, and was only dimly aware | that it existed.) | | Moreover, it seems that the expected setup is a bunch of | people, all at the same workplace, who communicate with each | other consistently. My needs are different, with wildly | disparate use cases: a departmental meeting; classes to | teach; an online conference | (https://www.daniellitt.com/agonize/); an online social | gathering. Many of the people with whom I communicate don't | work for the same employer. And I don't want to configure all | of these "teams" in advance. | | That said, I tried to get MS Teams up and running, to teach | my class. 
This involved multiple emails back and forth to our | tech support (it seems that I can't set up a "team" myself; I | have to ask IT to do it for me). It didn't have its own | whiteboard functionality so I had to download and run some | separate software. | | And, then, in the end... it didn't work. I was trying to | teach a class, but my students couldn't see what I was doing. | I had no idea why. | btilly wrote: | _And, then, in the end... it didn't work. I was trying to | teach a class, but my students couldn't see what I was | doing. I had no idea why._ | | Were you on a mac? | | If so, you may have encountered | https://answers.microsoft.com/en- | us/msoffice/forum/msoffice_... which has been outstanding | since October and has no sign will be fixed properly any | time soon. | | The workaround is quit programs until you find the one that | somehow causes Microsoft Teams to not understand that it | really does have permissions. For me it seemed to be XCode. | But it could be others...here is a partial list: | - Harvest - Confirmed - Sonos - Confirmed - | Cisco VPN - Issue reported by others - Microsoft To- | Do - Confirmed - Contacts+ (formerly FullContact) - | confirmed - Apple Photos - confirmed - | Teamviewer - reported by others - Prompt/popup for | app review from App Store - still have questions here. This | seemed to be it, but haven't been able to confirm - | Brackets - reported by others - Citrix Workspace | Version: 19.10.2.41 (1910) - confirmed | | This is an example of why "just works" is so important. | gentleman11 wrote: | Zoom doesn't just work. If the students want privacy, they | are just helpless. | | Edit: downvoted for speaking up for student rights. Sorry | if it is inconvenient for the teachers | 867-5309 wrote: | universities are organisations, which all force some | incarnation of an internet usage policy. better still, | the students are paying an arm and a leg for their lack | of privacy.
wouldn't it be great for the non-technical | end user if these Just Works(tm) software could just | bypass firewalls by way of VPNs, common ports, obfuscated | servers or the like? | impendia wrote: | > If the students want privacy, they are just helpless. | | This isn't true actually. As a student, send the | following email: | | "Hi Professor, I just read this webpage [link], which | outlines some privacy concerns with Zoom. I know some | other classes are running Software X, could we try that | instead?" | | My university isn't _mandating_ Zoom. Indeed, they | recommended several software packages, of which their top | recommendation was Blackboard. (Which is what I've been | using so far. I have mostly joined others' Zoom meetings; | I've only initiated them for a D+D game I'm participating | in.) MS Teams was their second recommendation as I | recall, and Zoom was below that. | | At least at my university -- and I expect that this is | typical -- individual faculty members are deciding how to | best fulfill their own responsibilities. And I have | emphasized to my students that I have never done this | before, and that I'm happy to change what I'm doing if | people have good suggestions. | saagarjha wrote: | > "Hi Professor, I just read this webpage [link], which | outlines some privacy concerns with Zoom. I know some | other classes are running Software X, could we try that | instead?" | | Hi [Student], | | I appreciate your concern; however, our university has | conducted a thorough audit of this software and found | that it satisfies our needs. We will continue using it | for our lectures. | | Regards, Dr. [Professor] | | Senior tenured chair of [Department], distinguished | lecturer, [University] | lostmsu wrote: | It does not "just work" for me. First, it required a | separate client, when even Skype does not. | | Second, it does not support my browser.
| floatingatoll wrote: | Your unstated criteria for "just work" are "just work in | browser", which differs from the definition used by the | comment you're replying to. | | That is not universally shared among others, including | the non-technical folks that Zoom is being widely adopted | by. | stingraycharles wrote: | You're being downvoted fairly heavily, which I think is | unfair. Even though some other people might not agree, | it's a valid argument to make. | aequitas wrote: | This is what I was getting at with my parent comment, it | "just works" for everyone. But it doesn't fit some of the | niches technical or privacy minded people have. And in | the end, we are bound by the common denominator. I can | push my open source privacy respecting solution all I | want. But unless it "just works" for the lowest tech user | I'm at a loss. | | There's a parallel here with security in the uphill | battle to get users to respect the caveats of the | solution they choose. | gameofcode wrote: | You're right, MS Teams is definitely better placed as an | org-wide communication/collaboration tool, not an external | one. They really need to make it easier to communicate with | people in external orgs, the org switcher is my biggest | complaint. | | FWIW, IT can allow people in certain groups to make their | own teams, it's an admin setting. | Onawa wrote: | Working within the US NIH, we are forced to submit a | ticket for creating any new teams and the entire | Teams/Office 365 ecosystem is entirely crippled for us. | All new features take forever to be approved and brought | online, as well as additional connectors and apps having | to go through an extensive 6+ month-long vetting process | before being approved. | | Makes using Teams quite a hassle, but with Skype for | Business being the only other approved option for | internal chat, it's better than nothing. | basch wrote: | Those are all organizational decisions, and not out of | the box defaults.
Microsoft is trying very hard to | persuade organizations not to make those decisions. | | Completely free teams creation does come at a cost. It | makes data governance much more complicated. People | creating duplicate places for things they didn't know | already existed. A lack of naming convention, to be able | to analyze what exists. Microsoft is pushing for people | to just be able to get things done, at the expense of | organization. | technion wrote: | When they mention "connectors and apps", right now there | is a very serious amount of phishing fraud going on | involving one click links that ask you to authorise a | malicious app. Users see a "please click yes" prompt, | they never have to enter their password and they think | that sounds fine. | | I wish Microsoft would try a lot harder in persuading | businesses to make the decision to take oauth approvals | out of the user hands, because the volume is at a point | where I really feel anyone following the "empower the | user" discussion almost certainly has a compromised | mailbox in their business. | kiliancs wrote: | From my perspective, working in the browser is not | necessarily "just working", because for many combinations of | OS/hardware, the performance is terrible and not only eats | battery and will slow down other programs, but also affects | the quality of the call (audio and video). | sgustard wrote: | Also, granting a website access to my camera, granting | access to my microphone, and so on; which are really not | functions I want to be granting any websites. I don't run a | browser to have it randomly turn on surveillance devices. I | prefer to run an app to access my camera and quit it when | I'm done. | whatever_dude wrote: | Zoom has a browser version as a fallback. | | Most people use the standalone app because indeed it "just | works". That's why you don't hear much about its browser | client. | saagarjha wrote: | > Most people use the standalone app because indeed it | "just works".
| | Most people use the standalone app because Zoom | aggressively pushes it. | aequitas wrote: | We just had a corporate presentation with around 250 people. | Normally we use Teams or Slack for internal communication, | this was also stated by management, that Zoom should only be | used for 'big' meetings like this. I think they know the | other solutions will not work as well for bigger groups. I've | not had issues with using either solution for small group | meetings. | | Actually I have to go out of my way to run Zoom in the | browser instead of using the installer. I have to use Chrome | instead of Firefox, download but not install the app and wait | for the "or run in browser" link to appear after that. | | I really don't like macOS installers anyways and passionately | hate them as "installing" an App on macOS should be nothing | more than moving the .app from a zip or disk image into your | /Applications folder. I just don't trust them in not placing | additional crap like auto updaters or kext's when I don't | need them. | enedil wrote: | In fact, if you change URL from /j/CONFERENCE_NUMBER to | /wc/join/CONFERENCE_NUMBER you won't be needing to wait for | that link. | aequitas wrote: | There is also a browser plugin I saw floating by a couple | of days ago that would just enforce this step, but can't | find it anymore. | borgel wrote: | From another commenter on another HN thread | https://github.com/arkadiyt/zoom-redirector | specialist wrote: | App installation should always just be a file copy. | Deinstallation should always just be a move to Trash (or | ~/Disabled equiv). | | IMHO. | | I'm even uncomfortable with config scattered everywhere. | The continued need for those 3rd party uninstallers is an | admission of failure. | | Source: released products ported to misc Windows, classic | Mac, modern Mac. Our dev, QA, Test, tech supp was always | _so much easier_ on Mac. Not least because we could have | multiple current versions installed.
Which allows | troubleshooting, rollbacks, etc. | | Caveat: I personally use package managers and am curious to | see if Nix becomes the norm. So I may change my mind in the | future. | johannes1234321 wrote: | If the file is only moved to trash it will keep | configuration and other artefacts around or not support | such features or the file has to be mutable, which is | questionable from a security POV | Wowfunhappy wrote: | > Normally we use Teams or Slack for internal communication | | > to run Zoom in the browser [...] I have to use Chrome | instead of Firefox. | | Just a note, Slack and Teams calls also won't work in | Firefox. It's really annoying. | | Hangouts works fine in Firefox though, somewhat | unexpectedly. | cpeterso wrote: | Here are the Firefox bug reports for Slack calls: | | https://github.com/webcompat/web-bugs/issues/12975 | | And Teams calls: | | https://github.com/webcompat/web-bugs/issues/25070 | | Slack originally relied on non-standard, Chrome-specific | WebRTC behavior and now is prioritizing development of | their Electron app over web support. | | There is a Firefox extension to spoof Chrome's User-Agent | string for Teams. I haven't tested it, but it appears to | work for people: https://addons.mozilla.org/en-US/firefox/addon/teams-phone-f... | lukevp wrote: | Why not use Teams Live for this? We have been using zoom | and Teams alternately and Teams performance and ease of use | has been much better in my experience, but we have yet to | do a 200+ all hands so I was curious if there were some | footguns with teams live that you may know about. Teams | live works on a lot of platforms and also has a web | version. | aequitas wrote: | I don't know of any, but our teams uses Slack, not Teams. | Barely any complaints about Slack video chat btw, but | that's all small sessions anyways. | reaperducer wrote: | _Why not use Teams Live for this?_ | | My wife was on a Teams videoconference last week. 
125 | people in four locations from New York to Southern | California. | | An hour into it, half of the people were simultaneously | dropped, and not from any particular geography. It was | random. And nobody could reconnect for a very long time. | It took 45 minutes to restart the meeting. | | The company is no longer using Teams. | mgkimsal wrote: | have only recently started using teams with one client. | small group (max 6 folks I think) and... we've had issues | with it - someone's video freezing, audio | garbled/dropping, etc - twice in 2 days. _but_... I'm | sort of chalking it up to potentially overloaded/bad net | connections in the wake of all the WFH and remote meeting | stuff being used. We had issues with connecting to zoom | (and their phone numbers) last week as well, so I'm not | ready to pull the plug on teams entirely until we have | more experience under our belts. | freehunter wrote: | To be fair I've seen the same thing happen with Zoom. | During a 2 hour meeting with a client, about half of my | team was dropped and couldn't get back into the meeting | for several minutes. | mynameisvlad wrote: | Teams live events (https://docs.microsoft.com/en-us/microsoftteams/teams-live-e...) which the parent | comment was referring to is actually a specific feature in | Teams that is only available for certain levels AFAIK but | supports vastly more people than a standard Teams | meeting. | alasdair_ wrote: | The only Teams Live meeting I've ever tried to join, we | had two people who gave up because their web version | didn't support Safari without having to manually go deep | into their preferences and change settings from the | default. | snowwrestler wrote: | My employer has used Teams Live for all-hands meetings | from home the last couple weeks and it worked great for | ~350 attendees. | basch wrote: | The predecessor, Skype Broadcast allowed completely | anonymous viewing, basically a twitch or youtube stream. 
| In the name of growth hacking, the Teams team decided to | force people to the app, you couldn't watch the video | stream from a mobile device without the teams app. Which | is a huge amount of friction for a mobile workforce that | isn't using teams. | | Maybe this has changed since I last talked to Microsoft, | but even their own team was unhappy with it. But if you | still have access to broadcast.skype.com, it still works, | until they decide it shouldn't. | [deleted] | rickyc091 wrote: | Google requires you to have a Google account. Kids in middle | school (ages 12-14) and younger typically don't have an email | address. Zoom, on the other hand, lets you join a call | without logging in. You can even join straight from the | browser if needed without installing anything. | benhurmarcel wrote: | > Google requires you to have a Google account | | Not for joining a meeting, no. You just type your name. | alasdair_ wrote: | Google has messenger and hangouts and another video | conferencing solution that I don't recall. | | The reason we ditched hangouts for zoom a few years ago was | that hangouts only supported up to ten users, including users | whose connection had died and so they had to re-enter the | room again. This became extremely annoying - having to stop a | conference mid-call to ask some people to disconnect so | others could enter, or trying to find out how to kick "ghost" | users, was definitely not "just works". | benhurmarcel wrote: | Google Meet supports up to 250 participants in the | enterprise version. | ilikehurdles wrote: | Don't Google and Microsoft answers both require accounts, and | carry with them the expectation that everything you do on | their platforms is recorded for the purpose of selling ads? | | Also I regularly attend more than 50-person zoom calls | without a hiccup. Google I think requires an enterprise plan | to get to that limit, and I don't even know what the name of | their video conferencing product is at this point. 
| bruckie wrote: | > Don't Google and Microsoft answers both require accounts, | and carry with them the expectation that everything you do | on their platforms is recorded for the purpose of selling | ads? | | For Google, the answers are "sorta but not really", and | "no": | | https://support.google.com/meet/answer/9303164: "Note: | Guests on the web don't need a Google account to | participate in a meeting." The initiator of a meeting needs | a G Suite account, but others can join without one. | | https://gsuite.google.com/learn-more/security/security-white...: "Google does not collect, scan or use data in G | Suite Core Services for advertising purposes." | | (Speaking for myself, not Google.) | deelowe wrote: | I don't think either of those are true for meet. | rainforest wrote: | Zoom has a web client that "just works" but they only show it | as an option after they detect that their native client | didn't "just work". | aeyes wrote: | That's weird, when I open a meeting link (which would open | the native client) at the bottom of the page it says "If | you cannot download or run the application, join from your | browser.". | | I have the native client and it still shows me this option. | mulmen wrote: | The web client is well hidden, crippled and only works in | Chrome. | | Gallery view does not exist in the web client. Nor the | ability to add cat memes to your background. | grimjack00 wrote: | > While Google and Microsoft both offer a product that "just | works" with only a browser. | | But those products don't always "just work", at least not in | my recent experience. I have had repeated problems with | Google meetings while working with an external entity, and | most of my employer is a Microsoft shop, so I've had to deal | with issues with both Teams and Skype, both via browser and | OS X app. | jwr wrote: | > I'm still curious why everyone thinks Zoom "just works" | while others don't. | | I'm also curious. 
I subscribed to Whereby | (https://whereby.com/), where I can send people a URL, which | they click and land in my conference room. There is ZERO | software they need to install. | | [For all the "well, actually" folks: yes, it "only" works in | every modern browser out there, and it works "only" for up to | 12 people. Fine with me.] | | Zoom has more features, but there are many other solutions | that work much better and are WAY simpler. It's just that | Zoom is well known, and it's easiest to choose the tool that | everyone has heard about. | gentleman11 wrote: | To be more specific, whereby seems to be free for up to 4 | people, but then they claim to be able to support 50. Never | tested it with 50 | sudosysgen wrote: | Some of my teachers use jitsi, which works on the same | principle. The teacher sends a link, you click it, and | that's it. Works very well, and no limit. | josteink wrote: | Root-kit authors: watch and learn! | danans wrote: | For those calling this a security vulnerability in MacOS, isn't | this just using a GUI equivalent of "sudo"? There may be a decent | argument that a consumer OS shouldn't offer such a sudo-like API | to installers, but MacOS probably does this for legacy app | support reasons. | | IMO the better question in this case is why Zoom needs to be | installed as admin on MacOS? After all, the mobile apps and | chrome extension don't need those privileges. | saagarjha wrote: | This is like the GUI equivalent of running "apt install zoom" | and the installation script killing the APT process and then | running amok with its root privileges. | e40 wrote: | I can't imagine why anyone logs in and uses macOS as an admin | user. | | First account I create on a new Mac: admin. Then, when setup is | done, I login and create my non-admin user account. | | This is a good reason for many reasons, this abusive installer | being one. | staz wrote: | https://www.theverge.com/2019/7/8/20687014/zoom-security-fla... 
| gentleman11 wrote: | > Zoom has been criticized for its data collection practices,[45] | which include its collection and storage of "the content | contained in cloud recordings, and instant messages, files, | whiteboards" as well as its enabling employers to monitor workers | remotely;[46][47] the Electronic Frontier Foundation warned that | administrators can join any call at any time "without in-the- | moment consent or warning for the attendees of the call."[48] The | Ministry of Defence of the U.K. banned its use.[49][50] During | signup for a Zoom free account, Zoom requires users to permit it | to identify users with their personal information on Google and | also offers to permanently delete their Google contacts. | | Widespread use of Zoom for online education during the novel | coronavirus pandemic increased concerns regarding students' data | privacy and, in particular, their personally identifiable | information.[17] According to the FBI, students' IP addresses, | browsing history, academic progress, and biometric data may be at | risk during the use of similar online learning services.[17] | Privacy experts are also concerned that the use of Zoom by | schools and universities may raise issues regarding unauthorized | surveillance of students and possible violations of students' | rights under the Family Educational Rights and Privacy Act | (FERPA) | | - Wikipedia | wodenokoto wrote: | Having never installed Zoom, and honestly not having photographic | memory of how the installation process on MacOS is, how is it | supposed to look in the installer? | | Also, what happened to just dragging the program into the | applications folder? I really liked that way of installing apps, | but most things seems to have an annoying click-through wizard. | jtvjan wrote: | They embedded their installation into a pre-install script. 
| Normally, you'd go through a next-next-next process with a pkg | installer, but in this case you get a popup asking you if you | want to allow it to "run a program to determine if the software | can be installed" (the purpose of pre-install scripts) | immediately after opening the pkg, you authenticate, and then | the installer just disappears. | giovannibajo1 wrote: | Before that, when they had the shady web server, the zoom | application would pop up immediately connected to the right | meaning, as your browser would be "waking it up" via http. It | looks like they still haven't fixed this after they removed | the http server. | proffan wrote: | resReitna.7z | | Reminds me of tech support XD | fermienrico wrote: | Also, Zoom's entire engineering team is based in China [1]. China | and Chinese companies have no real culture of user centric | privacy. | | [1] https://news.ycombinator.com/item?id=22707528 | | Edit: Why downvote me? I am not trying to stir up flame wars. | Saying anything against China has become impossible to do on HN. | Voices get drowned despite raising _real_ legitimate concerns | about privacy, especially for a tool used by millions all of a | sudden during this pandemic. People should be speaking up on HN. | I know, I am not supposed to complain about downvotes on HN, I've read the guidelines. | | Edit2: Not able to find the source for Tianjin datacenter, I will | reply if I can find it. Please take it with a grain of salt. | | Edit3: Holyshit, so much attention on my comment. Redacting | unsubstantiated claims and adding more sources that can be traced | on the wikipedia section of Zoom privacy criticisms: | https://en.wikipedia.org/wiki/Zoom_Video_Communications#Crit... | nothrabannosir wrote: | You get downvoted because every post critical of China gets | hit, regardless of quality or veracity. | dang wrote: | The post has been heavily upvoted, and what you've said isn't | close to true. 
| | Please read and follow the site guidelines: | https://news.ycombinator.com/newsguidelines.html | Lucasoato wrote: | _totalitarian dictatorship intensifies_ | dang wrote: | Please stop posting unsubstantive comments here. | zorked wrote: | Your comment is at the top. Please don't complain about | downvoting. | | "China and Chinese companies have no real culture of user | centric privacy." | | Citation needed. That's one billion individuals you are talking | about. | dang wrote: | I don't think it's fair to call that borderline racist. | That's an extremely strong word; let's not escalate where it | isn't needed. The problem with the statement is that it | doesn't come with any substantiation, or additional | information. | zorked wrote: | Edited. Feel free to delete my comment, it's redundant now. | dang wrote: | I think the edited version of your comment is just fine. | dang wrote: | Please don't break the site guidelines by going on about | downvoting. Your comment has been heavily upvoted. Meanwhile | complaints like that linger on as off-topic and false, and | don't garbage-collect themselves. | | You can use HN Search to verify that HN sees plenty of comments | "saying anything against China". The topic is extremely flame-prone because people are wont to hurl generalizations at each | other, and worse. Nationalistic flamebait and flamewar is a big | problem on HN [1], and obviously destructive of the spirit of | this site [2]. Individuals have been attacked here just for | expressing their views while being (or being assumed to be) | Chinese, and in at least one case the person was hounded off | the site altogether. I'm sure you'll agree that that's shocking | and not at all the community we want to be. None of us wants | that, but it's easy to get it anyway, if such flames get | started and aren't quickly contained. | | I don't think your comment was nationalistic flamebait, except | insofar as it was rather unsubstantive. 
Unsubstantive comments | on inflammatory topics are almost guaranteed to come across in | a flamey way to some segment of the readership, even if that | was the last thing you intended. Intent doesn't communicate | itself, unfortunately, so the burden is on the commenter to | disambiguate [4]. | | [1] | https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que... | | [2] https://news.ycombinator.com/newsguidelines.html | | [3] https://news.ycombinator.com/item?id=21200971 | | https://news.ycombinator.com/item?id=21195898 | | https://news.ycombinator.com/item?id=19404162 | | https://news.ycombinator.com/item?id=22608635 | | [4] | https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu... | fermienrico wrote: | Understood, thanks and accept my apologies. I have some | feedback - please make exceptions when discussing fact based | discussions around privacy when it is not tending towards | flame wars, especially related to Chinese influence and | erosion of privacy. I can see why this can lead to flame wars | but that's where you should step in and moderate. I just read | your links to people getting harassed if they are Chinese, | that's not cool. | dang wrote: | I think my comment addresses this, but perhaps you were | replying to an earlier version, or perhaps I wasn't clear | enough. What you posted _was_ trending towards flamewar, | even though you didn't intend it that way. Telling | moderators to "step in and moderate" isn't sufficient to | solve this problem. For one thing, we don't come close to | seeing all the material that gets posted--there's far too | much. We do step in, but we also need users like you to | understand the problem a bit differently. If you're going | to comment on an inflammatory topic, you need to make sure | your comment is substantive, i.e. contains solid | information and not just grand claims. And you should be | careful to narrow its scope explicitly to what the | information supports. 
Fortunately that should also be | enough to make it clear that your intent isn't just to post | pejoratives about other people. | [deleted] | [deleted] | kerng wrote: | Thanks for sharing. I'm not too concerned about engineering | happening in China but data storage seems problematic, | especially because of the lack of encryption on their side. | | The post or the CNBC link don't seem to have the word Tianjin | in them (comments do). Can you provide more details or another | source? | | If that's indeed true I won't be hopping on a Zoom call later | this week with my bank for instance. | fermienrico wrote: | I'll try to dig out where I read it - Google isn't helping. I | am gonna edit my comment to clarify about the source. | jopolous wrote: | On a simpler level, zoom on macOS sketches me out in lots of | ways. | | My macbook's bluetooth will not connect to my earbuds, but only | when zoom is running. Other audio recording/playing apps don't | affect things at all. What the heck is going on here?! | | Scrolling on settings panels is definitely their own home-brewed | scrolling functionality. Why?! Was macOS's not cutting it for | some reason? | | The settings menu is very clearly not using native OS buttons and | inputs. Why?! Why build your own? What is that for? | jcelerier wrote: | > My macbook's bluetooth will not connect to my earbuds, but | only when zoom is running. | | that sounds like something related to this bug : | https://www.jeffgeerling.com/blog/2018/airpods-get-stuck-low... | jopolous wrote: | Nice, that's pretty much what I had to do to fix this. I used | the bluetooth explorer to force AAC, and force zoom to use | the internal MacBook mic ___________________________________________________________________ (page generated 2020-03-31 23:00 UTC)
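
The behaviour jtvjan describes in the thread (the whole install carried out by a package's pre-install script, before the user clicks through anything) can be checked for before a .pkg is opened. The following is an added example, not part of the thread and not Zoom's or Apple's code; it assumes the package has already been expanded on macOS with `pkgutil --expand`, and the function names, the sample package and the grep heuristics are assumptions chosen for illustration.

```shell
#!/bin/sh
# Audit the install scripts of an expanded macOS installer package.
# Assumed preparation (macOS): pkgutil --expand Some.pkg /tmp/expanded

# audit_pkg_scripts DIR
# Prints "<relative path>: <flags>" for every preinstall/postinstall script
# found under a Scripts directory. The flags are heuristics (assumptions),
# meant to point a reviewer at scripts that do the install work themselves.
audit_pkg_scripts() {
    find "$1" -type f \( -name preinstall -o -name postinstall \) \
        -path '*/Scripts/*' |
    while IFS= read -r script; do
        flags=""
        # Script touches /Applications directly instead of leaving that
        # to the package payload.
        grep -Eq '/Applications' "$script" &&
            flags="$flags writes-applications"
        # Script invokes an archive extractor.
        grep -Eq '(^|[^[:alnum:]_])(7z[a-z]*|unzip|ditto|tar)([^[:alnum:]_]|$)' \
            "$script" && flags="$flags unpacks-archive"
        # Script terminates other processes.
        grep -Eq '(^|[^[:alnum:]_])(kill|killall|pkill)([^[:alnum:]_]|$)' \
            "$script" && flags="$flags kills-process"
        printf '%s:%s\n' "${script#"$1"/}" "${flags:- none}"
    done
}

# make_sample_pkg
# Builds a constructed, already-expanded package tree in a temp directory
# and prints its path. The script bodies are invented sample input.
make_sample_pkg() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app.pkg/Scripts" "$d/helper.pkg/Scripts"
    cat > "$d/app.pkg/Scripts/preinstall" <<'EOF'
#!/bin/sh
# constructed sample: installs from inside the pre-install step
./7zr x -o"$TMPDIR/unpacked" ./payload.7z
cp -R "$TMPDIR/unpacked/Example.app" /Applications/
EOF
    printf '#!/bin/sh\nexit 0\n' > "$d/helper.pkg/Scripts/postinstall"
    printf '%s\n' "$d"
}
```

Run `audit_pkg_scripts "$(make_sample_pkg)"` to see both kinds of output; any flagged script should be read in full before the package is opened with Installer.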