How the Zoom macOS installer does its job without you clicking ‘install’ (twitter.com)
pottertheotter 1477 days ago [-]
I installed Zoom on macOS yesterday and I thought that the install was crashing because this is not the expected behavior. I would double click the download, try to install, and then the installation program would "crash", so I'd try it again. Did that a few times before I realized it was installed. Until now I thought it had somehow gotten far enough in the installation process before crashing that I could at least use the application. I'd been hearing everyone raving about how Zoom was such better software than anything else, and my first experience was their installer doesn't even work.

This was a horrible user experience for me, and I wasn't thinking about security implications at all.

afandian 1477 days ago [-]
I did this too and didn't put two and two together till now. I just assumed it was a buggy installer that broke with that version of MacOS and tried a different machine.

I've defended Zoom in the past for ethical 'slips', but weirdly this has tipped me into hating it.

enricotal 1477 days ago [-]
Ok this is it... I was able to uninstall it with

    $ brew cask install zoomus
    $ brew cask uninstall zoomus

so long and thank you for all the fish... Zoom

angott 1477 days ago [-]
You can also use “brew cask zap zoomus” to remove preference files, browser plugins, logs.
a-wu 1477 days ago [-]
Does this also work for non-brew installs?
szhu 1477 days ago [-]
Homebrew Cask's uninstall scripts are basically a community-maintained "best guess" as to how to fully uninstall each piece of software. It's generally pretty reliable, and I do use it to remove non-brew installs sometimes.

Note: I have contributed casks to Homebrew Cask before.

angott 1477 days ago [-]
You can add `--force` and zap will also work on non-brew installs. The paths are community-contributed, so watch out (you can print the paths with `brew cask cat <name>`).
sneak 1477 days ago [-]
Presumably if you don't like Zoom's shadiness, you may not like Homebrew's bundled spyware either. Disable it with

    brew analytics off
webmobdev 1477 days ago [-]
Or better yet, switch to MacPorts - https://www.macports.org/
8fingerlouie 1476 days ago [-]
Isn't that more like the Debian popularity contest?

https://popcon.debian.org/

sneak 1476 days ago [-]
No. Homebrew sends a per-installation unique identifier to a third party (Google), tracking your location across different IPs, whether you want it to or not.

Popcon is first-party, and is entirely opt-in. It doesn’t send anything unless you want it to.

icebraining 1476 days ago [-]
popcon is opt-in.
jasonmp85 1477 days ago [-]
This isn’t remotely comparable. I would have expected all you weirdos to have aged out of the internet by now.
pehtis 1477 days ago [-]
I would highly recommend checking all installers on macOS through Suspicious Package. It will give you a complete picture of all the installer scripts that will be run and all the files that will be written. I did just that for zoom and decided against installing it.
twodayslate 1477 days ago [-]
0xff00ffee 1477 days ago [-]
Oooh this is good. A few years ago I came home drunk and wanted to watch this old film that wasn't on any channels. I found it on some dubious website, which required me to install a player .dmg. I drunkenly typed in my password, and then an hour later was like: dafuq did I just do?!? Next day I re-imaged my mac because I'm both paranoid and don't know enough about secops.

SuspiciousPackage wouldn't have helped combat Drunk Install Syndrome, but it might have been a helpful tool before I nuked my OS.

Or maybe this is just good marketing for SuspiciousPackage, which is really malware. Well played.

mulmen 1477 days ago [-]
If you don’t trust SuspiciousPackage just run it through SuspiciousPackage.
JadeNB 1477 days ago [-]
Similar functionality: unpkg (https://www.timdoug.com/unpkg/). See also https://stackoverflow.com/questions/11298855/how-to-unpack-a... . I think unpkg handles mpkg files, which I haven't encountered in the wild for quite a while now; I don't know about the others.
paulschreiber 1477 days ago [-]
Pacifist is also handy https://www.charlessoft.com/
yreg 1477 days ago [-]
I too don't get how Zoom is considered "the superior software". Maybe the calls don't drop, but the experience is bad (at least on macOS).
7ewis 1477 days ago [-]
Said this on Reddit the other day and got downvoted.

It _is_ bad on macOS. It used to be one of the better platforms to stream video content to others, but now it just lacks in many areas compared to most of its competitors.

The worst bug I had was it essentially started muting random people on a call, but only for me. I could see their mouth moving, and thought it was a problem their side but turns out everyone else could hear them apart from me. I could hear everyone else too apart from them.

shreyshrey 1477 days ago [-]
Yes. My experience is really bad too on macOS. I thought maybe something was wrong with my setup.
macleginn 1477 days ago [-]
Same here. I thought the process didn't finish until I tried launching the app (which I was supposed to do by clicking a link in the browser, which is also rather unintuitive).
tambourine_man 1477 days ago [-]
Zoom's got a tradition of being, let's put it like this, way too clever for everyone's own good.

See previous “let's install a server on this Mac that is not removed when you uninstall the app and leaves your camera open to the entire internet” for more examples.

I use it on a VM, I suggest you do it too.

ummonk 1477 days ago [-]
I use the web browser version, and refuse to even install Zoom. It's borderline spyware.
junky228 1477 days ago [-]
sunova.... I couldn't find the web based version... That's what frustrated me about Zoom compared to Webex. I could use Webex in the browser and Zoom had to be installed.
lloeki 1477 days ago [-]
It's gated behind a fallback after three "failed" attempts at clicking on the link to open the app after opening a meeting URL, or a meeting setting. So, not on by default, seems to be unable to join audio unless you use Chrome, and shows a single video only.
333c 1477 days ago [-]
This browser extension enables the web interface: https://github.com/arkadiyt/zoom-redirector
MarkyC4 1477 days ago [-]
I tried using the web client in Chrome today on my Mac, and the audio was playing to me at what felt like 50% speed; everyone sounded like slow motion to me.
saagarjha 1477 days ago [-]
It's very Dropbox-esque…
hr2016 1477 days ago [-]
As a Dropbox user, care to elaborate please?
saagarjha 1477 days ago [-]
elevenoh 1477 days ago [-]
Best zoom alternative?
luto 1477 days ago [-]
Jitsi, Google Meet, bigbluebutton -- anything that runs in a browser tab and is more or less confined within it.
adtac 1477 days ago [-]
I wouldn't be surprised if Zoom suddenly started exploiting browser zero days to force install things "for your own good"
saagarjha 1477 days ago [-]
Good thing that this is somewhat difficult to do ;)
Aachen 1477 days ago [-]
Don't know bigbluebutton but at least among Jitsi and Google Meet, Wire is an alternative that is open source and end to end encrypted. They just don't make it easy to host your own, for that I guess Jitsi is the best way to go.
behnamoh 1477 days ago [-]
But how do they remain in business? I'm interested in knowing how say, Jitsi, earns money off of it.
oehtXRwMkIs 1477 days ago [-]
Its wikipedia article describes its funding. It's basically a combination of sponsorships and paid employees working on it.
throwaway1777 1477 days ago [-]
Zoom works in the browser
mrzool 1477 days ago [-]
We just started using Whereby and we’re loving it. I strongly recommend against Zoom.
latexr 1476 days ago [-]
I recommend against Whereby.

I was a big proponent when they started as appear.in, but they’ve been steadily removing features (or moving them to the paid plan). For my friend group, the biggest appeal was that you could use it in a browser without an account by inventing a room name. That was one of the first features to get cut.

Everyone I’ve ever recommended it to has bumped into the limitations, asked me “what happened”, and switched to something else.

I haven’t tried it extensively, but I’ve read about https://meet.jit.si/ on HN and passed it on to a friend in that situation. He was happy with it and described it as “what appear.in used to be”.

drusepth 1477 days ago [-]
I switched from Zoom to Google Duo almost a year ago and haven't had any issues.
emmelaich 1477 days ago [-]
Google Duo have raised the people per meeting from 4 to 12.
wlesieutre 1477 days ago [-]
But can they raise the expected product lifespan from 4 years to 12?
m0rganic 1476 days ago [-]
lifesize
manigandham 1477 days ago [-]
1) If Zoom can do this then it's a MacOS security bug.

2) UX matters. Users don't care about the technical details, they want a smooth experience and that can be the difference between a billion-dollar business or a failed startup. And yes the desktop version is more stable than the web-based UI.

3) Malware is defined by what it does, not how it's installed.

Gaelan 1477 days ago [-]
I mean, it's not really a security bug. Installer.app displays a dialog box that says "Hey, this package wants to run arbitrary code to check if it's compatible with your system. Is that OK?" The user is explicitly opting into the code execution. Zoom's "compatibility check" installs the app and kills the installer window. That's certainly unexpected behavior, but I don't think it's an exploit in any real sense.

While normally I'd object to running arbitrary code with just an easily-skippable dialog as confirmation, I think it's OK in this case where the expectation was that we're installing their software anyway.

etaioinshrdlu 1477 days ago [-]
It's really Apple's fault. "This package will run a program to determine if the software can be installed." is just fundamentally a very strange statement to make, loaded with vagueness.

Think about your average user... they are running an installer program... which alerts them that they need to run another program... to determine if they can install the program.... (Which the user thought they were already doing)

The loaded expectation of the user to realize they are granting privileges to a program to determine whether they can install a program is just totally unreasonable.

It just sounds more and more ridiculous written out like this.
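The "complete picture of all the installer scripts that will be run" that pehtis gets from Suspicious Package, and the origin of the "this package will run a program" prompt discussed above, can both be seen by reading the package's own metadata. The following is an added example, not code from the thread or from Zoom: a Python inspector for the Distribution file and component PackageInfo files that `pkgutil --expand App.pkg /tmp/app` unpacks on macOS. The sample documents are constructed and use a hypothetical identifier (com.example.app) and a hypothetical helper name (compat_check); `system.run()` in the Distribution's JavaScript is the Installer call that makes it show that prompt, and `<scripts>` in PackageInfo lists the pre/post-install scripts that run after you click Install.

```python
"""Static look at what a macOS flat package will do before you click Install.

Added example (not from the thread). On macOS, run
`pkgutil --expand App.pkg /tmp/app` and feed the text of /tmp/app/Distribution
and /tmp/app/<component>.pkg/PackageInfo to the functions below.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Distribution whose installation check calls system.run(),
# the Installer JavaScript call behind the "This package will run a program to
# determine if the software can be installed" prompt. Identifiers are hypothetical.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Example App</title>
  <options customize="never" rootVolumeOnly="true"/>
  <installation-check script="install_check();"/>
  <script>
function install_check() {
    system.run('compat_check');   // hypothetical helper shipped inside the package
    return true;
}
  </script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Example App"><pkg-ref id="com.example.app"/></choice>
  <pkg-ref id="com.example.app" auth="root" installKBytes="40000">#app.pkg</pkg-ref>
</installer-gui-script>"""

# Constructed sample: the component package's PackageInfo with pre/post-install scripts.
SAMPLE_PACKAGEINFO = """<pkg-info identifier="com.example.app" version="1.0"
    install-location="/Applications" auth="root">
  <scripts>
    <preinstall file="./preinstall"/>
    <postinstall file="./postinstall"/>
  </scripts>
</pkg-info>"""

SYSTEM_RUN = re.compile(r"""system\.run\(\s*['"]([^'"]+)['"]""")


def inspect_distribution(xml_text):
    """Summarise the parts of a Distribution file that run code or need root."""
    root = ET.fromstring(xml_text)
    js = "\n".join(s.text or "" for s in root.iter("script"))
    refs = [p for p in root.iter("pkg-ref") if p.get("id")]
    return {
        "title": (root.findtext("title") or "").strip(),
        "installation_check": root.find("installation-check") is not None,
        "run_targets": SYSTEM_RUN.findall(js),
        "pkg_refs": sorted({p.get("id") for p in refs}),
        "root_pkgs": sorted({p.get("id") for p in refs if p.get("auth") == "root"}),
    }


def inspect_packageinfo(xml_text):
    """List the install location, privilege level and scripts of one component."""
    root = ET.fromstring(xml_text)
    scripts = root.find("scripts")
    return {
        "identifier": root.get("identifier"),
        "install_location": root.get("install-location"),
        "needs_root": root.get("auth") == "root",
        "scripts": [] if scripts is None else [(c.tag, c.get("file")) for c in scripts],
    }


def report(distribution_xml, packageinfo_xml):
    """Human-readable findings a reviewer wants before clicking Install."""
    dist = inspect_distribution(distribution_xml)
    info = inspect_packageinfo(packageinfo_xml)
    lines = []
    if dist["run_targets"]:
        lines.append("Installer runs a program BEFORE you click Install (system.run): "
                     + ", ".join(dist["run_targets"]))
    elif dist["installation_check"]:
        lines.append("Installation check is pure JavaScript (no external program).")
    if dist["root_pkgs"]:
        lines.append("Components installed as root: " + ", ".join(dist["root_pkgs"]))
    for tag, path in info["scripts"]:
        lines.append(f"{info['identifier']} runs {tag} script {path} "
                     f"(install location {info['install_location']})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DISTRIBUTION, SAMPLE_PACKAGEINFO):
        print(line)
```

The inspector only tells you which scripts exist and when they run; read the script bodies themselves (they are plain files under the expanded package) to see what they do, since the receipt-visible payload is not the only thing an installer can write.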

Smoosh 1477 days ago [-]
On top of this, a standard install asks for permissions, but doesn't disclose who/what is asking for it (certified in some way) or what permissions it wants, if these are temporary for the install or permanent for the application, or what it is going to do during the install (what goes where, what gets changed etc).

It is long past time for Apple to improve this process.

manigandham 1477 days ago [-]
You're right, it's more of a design issue. More explicit permissions on altering the Applications folder could help. Then again, most people want an easier install so this is really for those who want that extra control.
opportune 1477 days ago [-]
As a user, I would not assume that checking compatibility means I'm executing arbitrary code. I mean it could just be macOS examining the binary to make sure it's compatible with my ISA, or checking some app metadata about recommended free resources like ram/disk space.
pvg 1477 days ago [-]
Apple agrees with you which is why the installer shows a warning the check will involve running code and lets you opt in or out.
thaumasiotes 1477 days ago [-]
> 3) Malware is defined by what it does, not how it's installed.

Well, from the tweet thread:

> If the App is already installed but the current user is not admin, they use a helper tool called "zoomAutenticationTool" [sic] and the AuthorizationExecuteWithPrivileges API to spawn a password prompt identifying as "System" (!!) to gain root (including a typo).

Craighead 1477 days ago [-]
Why are you doing damage control?
manigandham 1477 days ago [-]
It's not malicious, and you have to give it permissions somehow to finish the install.

Dropbox (used to?) patch system files to integrate with Office better, and that wasn't considered malware either.

thaumasiotes 1477 days ago [-]
> It's not malicious

By the time you're lying to the user, you are malicious.

9935c101ab17a66 1477 days ago [-]
Malicious behaviour does not inherently make something malware. That said, the workarounds Dropbox used in the past should also be considered shady or malicious, and do not serve as a convincing defense in any way.

Yes, Zoom does need the user’s password to complete the install in the scenario described. So why isn’t there a proper installer that behaves like installers on macOS should? Why do they ask for the user's password on behalf of ‘System’?

Oh, and zoom was just busted for sending user data to Facebook (regardless of whether or not you had a Facebook account and without disclosure AFAIK) so I reverse my previous statement. It is malware.

keymone 1477 days ago [-]
Is a botnet agent not malware? It's not doing anything until the operator sends the payload.
manigandham 1477 days ago [-]
A botnet agent is designed to take control and run a bot, so yes it's malware. It doesn't have to be actively doing it at that moment to be considered such.
munk-a 1477 days ago [-]
Zoom does report usage to Facebook whether you have an account or not - and that data is used to stitch together a web profile of the user that is of no benefit to the user. Zoom is bordering on malware, just... malware that comes with a useful app that allows video conferencing.
vijaybritto 1477 days ago [-]
They removed that Facebook sdk after complaints.
lultimouomo 1477 days ago [-]
I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
Wowfunhappy 1477 days ago [-]
Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
danieldk 1477 days ago [-]
I never understood why Apple still supports the pkg format. It seems a half-baked leftover from the 2000s and even then I was already surprised that there is no way to uninstall things through the macOS GUI. I am not sure if this has changed (I try to avoid pkg files and use Homebrew cask to uninstall such packages), but IIRC you had to list the files with pkgutil on the command-line, remove stuff by hand and then --forget the package.

They should just kill the format. Everything should just be drag to install, drag to trash to remove.
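The manual pkg removal danieldk describes (list the receipt's files with pkgutil, remove them by hand, then --forget the receipt) can be scripted as a dry run. The following is an added example, not code from the thread: it parses the output of `pkgutil --pkg-info <id>`, `pkgutil --only-files --files <id>` and `pkgutil --only-dirs --files <id>` and prints the shell commands it would run, refusing any receipt path that resolves outside the install location. The sample outputs are constructed for a hypothetical package com.example.app; `plan_from_system()` is the only part that actually calls pkgutil and needs a Mac.

```python
"""Receipt-driven uninstall of a macOS .pkg, produced as a dry-run plan.

Added example, not from the thread. The three pkgutil listings are taken from
a real host by plan_from_system(); the SAMPLE_* strings below are constructed
output for a hypothetical package.
"""
import posixpath
import shlex
import subprocess

# Constructed sample of `pkgutil --pkg-info com.example.app`.
SAMPLE_PKG_INFO = """package-id: com.example.app
version: 1.0.0
volume: /
location: Applications
install-time: 1585000000
"""

# Constructed sample of `pkgutil --only-files --files com.example.app`.
SAMPLE_FILES = """Example.app/Contents/Info.plist
Example.app/Contents/MacOS/Example
"""

# Constructed sample of `pkgutil --only-dirs --files com.example.app`.
SAMPLE_DIRS = """Example.app
Example.app/Contents
Example.app/Contents/MacOS
"""


def parse_pkg_info(text):
    """Turn the `key: value` lines of pkgutil --pkg-info into a dict."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def _absolute_paths(base, listing):
    """Resolve receipt-relative paths under base, refusing any that escape it."""
    base = posixpath.normpath(base)
    prefix = base.rstrip("/") + "/"
    paths = []
    for rel in listing.splitlines():
        rel = rel.strip()
        if not rel:
            continue
        full = posixpath.normpath(posixpath.join(base, rel))
        if full == base or not full.startswith(prefix):
            raise ValueError(f"receipt path escapes install location: {rel!r}")
        paths.append(full)
    # Deepest paths first, so children are handled before their parents.
    return sorted(paths, key=lambda p: (-p.count("/"), p))


def uninstall_plan(pkg_info_text, files_text, dirs_text):
    """Return the shell commands that would remove the payload and the receipt."""
    info = parse_pkg_info(pkg_info_text)
    base = posixpath.join(info["volume"], info["location"])
    plan = [f"rm -f {shlex.quote(p)}" for p in _absolute_paths(base, files_text)]
    # rmdir only removes empty directories, so a directory shared with other
    # software (or holding files the user added) is left alone.
    plan += [f"rmdir {shlex.quote(p)}" for p in _absolute_paths(base, dirs_text)]
    plan.append(f"pkgutil --forget {shlex.quote(info['package-id'])}")
    return plan


def plan_from_system(pkg_id):
    """Gather the three pkgutil listings on a real macOS host (not used in the demo)."""
    def run(*args):
        return subprocess.run(["pkgutil", *args], capture_output=True,
                              text=True, check=True).stdout
    return uninstall_plan(run("--pkg-info", pkg_id),
                          run("--only-files", "--files", pkg_id),
                          run("--only-dirs", "--files", pkg_id))


if __name__ == "__main__":
    for cmd in uninstall_plan(SAMPLE_PKG_INFO, SAMPLE_FILES, SAMPLE_DIRS):
        print(cmd)
```

The receipt only knows about the payload the package itself laid down; anything a preinstall or postinstall script created elsewhere (launch agents, helper tools, files under ~/Library) is not in the listing and has to be found separately. `pkgutil --forget` has to be run as root.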

javagram 1477 days ago [-]
In my experience I’ve seen even technical users (who were used to Windows) struggle with the idea of dragging an .app from an open disk image to the Applications folder. They would end up running the app from the disk image and then getting confused when it disappears after restart.
Wowfunhappy 1477 days ago [-]
This system worked so much better when the Applications folder was placed in the Dock by default, and everyone used that folder to launch applications (which weren't common enough to keep in the Dock directly).

It was actually a really beautiful synergy—you install applications by copying them to a folder, and launch them from that folder. Same way you'd acquire and open files. Lovely.

Then Apple ruined it in Lion with Launchpad. Their app install flow for anything outside of the app store doesn't make any sense.

Smoosh 1477 days ago [-]
In even earlier days, applications didn't need to be installed at all. You just ran them from wherever they were. Of course, it made sense to store them somewhere together, and you could cause yourself problems if you put applications onto disks you then ejected. But the current system is clearly influenced by the UNIX underpinnings, and I'm not sure that the average user fully "gets it".

Though preferences files were a bit of a mess.

I vaguely remember in early Macintosh System versions you would be prompted to insert the disk (with the correct disk name in the message) if you tried to open a file belonging to an application which was on an ejected disk.

int_19h 1477 days ago [-]
You can still run them from wherever they are. The problem is that users do that once, exit, and then later forget where the app was.
saagarjha 1477 days ago [-]
There are issues when running from the downloads folder (translocation).
AnIdiotOnTheNet 1477 days ago [-]
One wonders why Apple didn't just treat DMGs like Application Folders in the first place. If they had an icon and you could run them directly then there wouldn't be any confusion. AppImage works like that and I think it was a wise decision.
Wowfunhappy 1477 days ago [-]
Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

The DMGs are a clever way to (A) make sure the app gets to the proper location while simultaneously (B) teaching the user about what's actually happening on their computer. As I said in a sibling comment, this all made much more sense when users also launched apps from the Applications folder directly.

danieldk 1477 days ago [-]
> Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

Some applications offer to move themselves to the /Applications folder when started the first time outside /Applications or ~/Applications. Though in general, it would be better if Apple made it more attractive to publish in the App Store, since it brings other advantages (e.g. mandatory sandboxing).

Wowfunhappy 1477 days ago [-]
Yeah, and that's a fine solution given the situation Apple has left us in. But it's also kind of a hack, which shouldn't have become necessary.

Also, personally, I sometimes purposefully put apps in places other than /Applications—for example, I like to keep games in their own Games folder. And then the dialogs are kind of annoying.

kelnos 1477 days ago [-]
Hell, why doesn't Finder do this? If you try to run a .app from a .dmg, it should pop up a dialog asking you if you want Finder to move it to /Applications for you and run it from there.
danieldk 1477 days ago [-]
I agree, that would be awesome!
ksec 1475 days ago [-]
I thought some of these interactions were from a design where Apple wanted the Mac to be more of an appliance. I think the goal / target market has changed. The super-easy-to-use computer is now the iPad.

Mac is now prosumers and professionals, and its UX should be treated as such.

samcat116 1477 days ago [-]
One thing to note here: people who administer macOS for organizations basically convert everything to .pkgs (or DMGs). It's the only easy way to silently install applications and perform post-install actions like licensing or activation steps.
drampelt 1477 days ago [-]
> Everything should just be drag to install, drag to trash to remove.

I wish it were that easy, most apps leave files in other places on your computer like ~/Library that will never get cleaned up if you just move the app to trash.

Wowfunhappy 1477 days ago [-]
As much as this bothers me because of who I am, I don't think it's a real problem. Those files shouldn't take up significant space unless the developer is doing something stupid.

It might be nice if macOS had some sort of automatic cleanup routine when an app is trashed, but that would either require showing the user an extra dialog (a la AppCleaner's) or introducing an opaque system which could potentially lead to data loss.

danieldk 1477 days ago [-]
Indeed, data outside the application folder usually consists of a preferences plist and saved application state. Of course, there could be caches as well, which could take up a fair amount of disk space.

But I think the primary argument in favor of what macOS does now on drag-to-trash is that the user's preferences are preserved for when they install an application again.

latexr 1476 days ago [-]
If the pkg format was no longer supported, developers might use GUI installers instead, and those are harder to verify and install/uninstall programmatically.
fouc 1476 days ago [-]
pkg is there explicitly to let companies install sketchy shit. Any application that relies on pkg to be installed is fundamentally risky.
tantalor 1477 days ago [-]
It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:

https://twitter.com/c1truz_/status/1244737675191619584/photo...

This message is a lie; it is not coming from the system but from the installer script.

Just because the OS is used to show the dialog doesn't mean it should be trusted. As another commenter noted, this could be used to steal passwords; that is effectively what it does.

rainforest 1477 days ago [-]
To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
tantalor 1477 days ago [-]
How hard do you think it is to steal a password once you have root?
jedieaston 1477 days ago [-]
It should be impossible with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.

https://apple.stackexchange.com/questions/344117/mac-10-13-1...

tantalor 1477 days ago [-]
Think a little harder. With root, you can install a keylogger.
saagarjha 1477 days ago [-]
You'd still need to bypass TCC.
swiley 1477 days ago [-]
It would take an extra step, you have access to the hash and maybe shared memory/SOs but you’d need a second trick to actually steal it.
Wowfunhappy 1477 days ago [-]
The script asks for root which subsequently pops up an OS password prompt. Zoom never sees your password.

How is this different from the way e.g. Virtualbox gets root?

lonelappde 1477 days ago [-]
Because it lies about its identity, calling itself "System" not Zoom.

This is also a MacOS vuln that lets apps lie about their identity in sudo prompts, much like a browser showing an https site with no certificate checking.

Wowfunhappy 1477 days ago [-]
macOS allows apps to write arbitrary lines of text above password prompts, which is what Zoom is doing. I don't see how that's different from a shell script echo'ing something before a sudo prompt.

How would you design this system?

jedieaston 1477 days ago [-]
Don't allow the application to do any of it, and when the app asks for access, have the system instead say "{processName}.app is requesting {permissionFlavorText}. Enter a name and password to continue."
auiya 1477 days ago [-]
It's not making the proper privilege escalation call, it's faking the box entirely. There's even a typo in the dialog box.
Wowfunhappy 1477 days ago [-]
...are you sure? I'm pretty sure that code just pops up the system box to get privileges, with a custom message at the top.

I'm running Mavericks—the last version of macOS before they made the UI flat—and the prompt didn't look out of place. If Zoom is indeed faking the box, they actually went through the trouble to make a separate version for Mavericks with Mavericks-style visuals.

saagarjha 1477 days ago [-]
No, they're using the (deprecated) Authorization Services API from the (renamed) BLAuthentication.
lonelappde 1477 days ago [-]
Incorrect. Look at the second tweet in the thread. It's a phishing popup that misidentifies itself in order to steal privileges intended for System, not Zoom.

https://mobile.twitter.com/c1truz_/status/124473767519161958...

Wowfunhappy 1477 days ago [-]
That's still an OS prompt, they just put their own message at the top, as you're allowed to do.
joshuaissac 1477 days ago [-]
Yes, they are allowed to put a fake message (identifying the requester as System instead of Zoom), but that does not make it OK.
thaumasiotes 1477 days ago [-]
> Note that in this case, it's still a legit OS dialog.

No it isn't. The dialog prompt is "System need your privilege to change." That's not passing QA anywhere -- it's just a custom message someone put into Zoom without bothering to proofread.

Aachen 1477 days ago [-]
One could say the same for gksudo, UAC prompts, or the equivalent dialog on your favorite operating system, no? Or is there something on other OSes that identifies it?
lultimouomo 1477 days ago [-]
I don't think UAC is spoofable - if I remember well it minimizes all the other windows and hides the taskbar, which you shouldn't be able to do with a regular dialog.

gksudo is definitely spoofable, except I almost never get a gksudo dialog. I am not trained to expect every other app to periodically ask me for my password.

Aachen 1476 days ago [-]
Any application can draw over the task bar as far as I know? Seems weird if games needed root permissions just to be full screen.
sudosysgen 1477 days ago [-]
gksudo and UAC don't let the process lie about what it is.
aequitas 1477 days ago [-]
Not that I'm in favor of this practice, but the one key feature that conference software must have is: it just works™.

Nothing turns you off more from a conferencing solution than: any problem getting it working right now.

When there is just the slightest issue, one person not being able to join, one person not getting voice to work, bad audio, your entire team is blocked/distracted. Which results in a collective disdain for the solution and video conferencing as a whole.

This extends to getting the solution working for greenfield installs as simple as possible. Because who knows which non-tech users from which department all need to join and can't figure out how to set the permission in their browser right or install/use the other browser that is compatible.

So sadly, from a functionality point of view, you want to have the software be able to force itself onto the user in the most usable state it can.

t0mas88 1477 days ago [-]
I'm still curious why everyone thinks Zoom "just works" while others don't. Because in an enterprise context it is often hard to download an executable and run it with sufficient permissions. While Google and Microsoft both offer a product that "just works" with only a browser. What makes Zoom more "just works" than that?
impendia 1477 days ago [-]
I'm a college professor, and I'll share my perspective.

For one, Zoom did just work. (At least as a participant, rather than an organizer.) I tried it out, and it immediately worked. It did what all of us were expecting, with no fuss.

I also tried MS Teams. It seems designed with a different philosophy: that you use the software to do many different things, and you want them all integrated. (For example, it posted my meetings automatically to my Outlook calendar. I had never used this calendar before, and was only dimly aware that it existed.)

Moreover, it seems that the expected setup is a bunch of people, all at the same workplace, who communicate with each other consistently. My needs are different, with wildly disparate use cases: a departmental meeting; classes to teach; an online conference (https://www.daniellitt.com/agonize/); an online social gathering. Many of the people with whom I communicate don't work for the same employer. And I don't want to configure all of these "teams" in advance.

That said, I tried to get MS Teams up and running, to teach my class. This involved multiple emails back and forth to our tech support (it seems that I can't set up a "team" myself; I have to ask IT to do it for me). It didn't have its own whiteboard functionality so I had to download and run some separate software.

And, then, in the end... it didn't work. I was trying to teach a class, but my students couldn't see what I was doing. I had no idea why.

btilly 1477 days ago [-]
> And, then, in the end... it didn't work. I was trying to teach a class, but my students couldn't see what I was doing. I had no idea why.

Were you on a mac?

If so, you may have encountered https://answers.microsoft.com/en-us/msoffice/forum/msoffice_... which has been outstanding since October and has no sign will be fixed properly any time soon.

The workaround is to quit programs until you find the one that somehow causes Microsoft Teams to not understand that it really does have permissions. For me it seemed to be Xcode. But it could be others... here is a partial list:

  - Harvest – Confirmed
  - Sonos – Confirmed
  - Cisco VPN – Issue reported by others
  - Microsoft To-Do – Confirmed
  - Contacts+ (formerly FullContact) – confirmed
  - Apple Photos – confirmed
  - Teamviewer – reported by others
  - Prompt/popup for app review from App Store – still have questions here. This seemed to be it, but haven’t been able to confirm
  - Brackets – reported by others
  - Citrix Workspace Version: 19.10.2.41 (1910) – confirmed

This is an example of why "just works" is so important.
gameofcode 1477 days ago [-]
You're right, MS Teams is definitely better placed as an org-wide communication/collaboration tool, not an external one. They really need to make it easier to communicate with people in external orgs; the org switcher is my biggest complaint.

FWIW, IT can allow people in certain groups to make their own teams, it's an admin setting.

Onawa 1477 days ago [-]
Working within the US NIH, we are forced to submit a ticket for creating any new teams and the entire Teams/Office 365 ecosystem is entirely crippled for us. All new features take forever to be approved and brought online, as well as additional connectors and apps having to go through an extensive 6+ month-long vetting process before being approved.

Makes using Teams quite a hassle, but with Skype for Business being the only other approved option for internal chat, it's better than nothing.

basch 1477 days ago [-]
Those are all organizational decisions, and not out of the box defaults. Microsoft is trying very hard to persuade organizations not to make those decisions.

Completely free teams creation does come at a cost. It makes data governance much more complicated. People creating duplicate places for things they didn't know already existed. A lack of naming convention, to be able to analyze what exists. Microsoft is pushing for people to just be able to get things done, at the expense of organization.

technion 1477 days ago [-]
When they mention "connectors and apps", right now there is a very serious amount of phishing fraud going on involving one click links that ask you to authorise a malicious app. Users see a "please click yes" prompt, they never have to enter their password and they think that sounds fine.

I wish Microsoft would try a lot harder in persuading businesses to make the decision to take oauth approvals out of the user hands, because the volume is at a point where I really feel anyone following the "empower the user" discussion almost certainly has a compromised mailbox in their business.

int_19h 1477 days ago [-]
Teams specifically is the spiritual successor to Skype for Business / Lync / Office Communicator - its main benefit is integrating with Outlook, Exchange, OneNote, and SharePoint. If it's not deployed with that in mind, that's a lot of wasted effort, IMO.
nextweek2 1477 days ago [-]
Did you try Microsoft Teams live events? Which seems aimed at your use case.
gentleman11 1477 days ago [-]
Zoom doesn’t just work. If the students want privacy, they are just helpless.

Edit: downvoted for speaking up for student rights. Sorry if it is inconvenient for the teachers

impendia 1477 days ago [-]
> If the students want privacy, they are just helpless.

This isn't true actually. As a student, send the following email:

"Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"

My university isn't mandating Zoom. Indeed, they recommended several software packages, of which their top recommendation was Blackboard. (Which is what I've been using so far. I have mostly joined others' Zoom meetings; I've only initiated them for a D+D game I'm participating in.) MS Teams was their second recommendation as I recall, and Zoom was below that.

At least at my university -- and I expect that this is typical -- individual faculty members are deciding how to best fulfill their own responsibilities. And I have emphasized to my students that I have never done this before, and that I'm happy to change what I'm doing if people have good suggestions.

saagarjha 1477 days ago [-]
> "Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"

Hi [Student],

I appreciate your concern; however, our university has conducted a thorough audit of this software and found that it satisfies our needs. We will continue using it for our lectures.

Regards, Dr. [Professor]

Senior tenured chair of [Department], distinguished lecturer, [University]

867-5309 1477 days ago [-]
universities are organisations, which all force some incarnation of an internet usage policy. better still, the students are paying an arm and a leg for their lack of privacy. wouldn't it be great for the non-technical end user if this Just Works™ software could just bypass firewalls by way of VPNs, common ports, obfuscated servers or the like?
lostmsu 1477 days ago [-]
It does not "just work" for me. First, it required a separate client, when even Skype does not.

Second, it does not support my browser.

floatingatoll 1477 days ago [-]
Your unstated criteria for "just work" are "just work in browser", which differs from the definition used by the comment you're replying to.

That is not universally shared among others, including the non-technical folks that Zoom is being widely adopted by.

aequitas 1477 days ago [-]
This is what I was getting at with my parent comment, it "just works" for everyone. But it doesn't fit some of the niches technical or privacy minded people have. And in the end, we are bound by the common denominator. I can push my open source privacy respecting solution all I want. But unless it "just works" for the lowest tech user I'm at a loss.

There's a parallel here with security in the uphill battle to get users to respect the caveats of the solution they choose.

stingraycharles 1477 days ago [-]
You’re being downvoted fairly heavily, which I think is unfair. Even though some other people might not agree, it’s a valid argument to make.
aequitas 1477 days ago [-]
We just had a corporate presentation with around 250 people. Normally we use Teams or Slack for internal communication; management also stated that Zoom should only be used for 'big' meetings like this. I think they know the other solutions will not work as well for bigger groups. I've not had issues with using either solution for small group meetings.

Actually I have to go out of my way to run Zoom in the browser instead of using the installer. I have to use Chrome instead of Firefox, download but not install the app and wait for the "or run in browser" link to appear after that.

I really don't like macOS installers anyway and passionately hate them, as "installing" an App on macOS should be nothing more than moving the .app from a zip or disk image into your /Applications folder. I just don't trust them not to place additional crap like auto updaters or kexts when I don't need them.

Wowfunhappy 1477 days ago [-]
> Normally we use Teams or Slack for internal communication

> to run Zoom in the browser [...] I have to use Chrome instead of Firefox.

Just a note, Slack and Teams calls also won't work in Firefox. It's really annoying.

Hangouts works fine in Firefox though, somewhat unexpectedly.

cpeterso 1477 days ago [-]
Here are the Firefox bug reports for Slack calls:

https://github.com/webcompat/web-bugs/issues/12975

And Teams calls:

https://github.com/webcompat/web-bugs/issues/25070

Slack originally relied on non-standard, Chrome-specific WebRTC behavior and now is prioritizing development of their Electron app over web support.

There is a Firefox extension to spoof Chrome's User-Agent string for Teams. I haven't tested it, but it appears to work for people: https://addons.mozilla.org/en-US/firefox/addon/teams-phone-f...

enedil 1477 days ago [-]
In fact, if you change URL from /j/CONFERENCE_NUMBER to /wc/join/CONFERENCE_NUMBER you won't be needing to wait for that link.
aequitas 1477 days ago [-]
There is also a browser plugin I saw floating by a couple of days ago that would just enforce this step, but I can't find it anymore.
borgel 1477 days ago [-]
From another commenter on another HN thread https://github.com/arkadiyt/zoom-redirector
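The URL rewrite enedil describes above (/j/ID to /wc/join/ID), which the linked zoom-redirector extension automates, as an added example that is not code from either post or from that extension; it assumes only that mapping and leaves every other URL untouched:

```javascript
// Added example (not from the thread or from zoom-redirector): turn a Zoom
// "launch the native client" join link into the direct web-client link.
// Assumption: the only rewrite applied is /j/<meeting id> -> /wc/join/<meeting id>,
// as described in the thread; any other URL is returned unchanged.

function toWebClientUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return input; // not an absolute URL; leave it alone
  }
  // Only rewrite zoom.us and its subdomains (us02web.zoom.us, company.zoom.us, ...).
  // The leading dot matters: a look-alike host such as "evilzoom.us" does not match.
  const host = url.hostname.toLowerCase();
  if (host !== "zoom.us" && !host.endsWith(".zoom.us")) return input;
  // Match /j/<digits> with an optional trailing slash; other paths are left as-is.
  const m = url.pathname.match(/^\/j\/(\d+)\/?$/);
  if (!m) return input;
  url.pathname = `/wc/join/${m[1]}`;
  // The query string (e.g. a ?pwd= parameter) and fragment survive untouched.
  return url.toString();
}

// Rewrite a batch of links; handy for a link list or a clipboard hook.
function rewriteAll(links) {
  return links.map(toWebClientUrl);
}

// Constructed sample links (not real meetings), for demonstration only.
const SAMPLE_LINKS = [
  "https://us02web.zoom.us/j/1234567890?pwd=abc",
  "https://zoom.us/j/1234567890",
  "https://zoom.us/wc/join/1234567890",
  "https://evilzoom.us/j/1234567890",
];
```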
specialist 1477 days ago [-]
App installation should always just be a file copy. Deinstallation should always just be a move to Trash (or ~/Disabled equiv).

IMHO.

I'm even uncomfortable with config scattered everywhere. The continued need for those 3rd party uninstallers is an admission of failure.

Source: released products ported to misc Windows, classic Mac, modern Mac. Our dev, QA, Test, tech supp was always so much easier on Mac. Not least because we could have multiple current versions installed. Which allows troubleshooting, rollbacks, etc.

Caveat: I personally use package managers and am curious to see if Nix becomes the norm. So I may change my mind in the future.

johannes1234321 1477 days ago [-]
If the file is only moved to trash it will keep configuration and other artefacts around, or not support such features, or the file has to be mutable, which is questionable from a security pov.
specialist 1475 days ago [-]
Thanks. I've been chewing on your reply. I didn't get very far. It finally occurs to me that macOS (or equiv) could implement iOS (or equiv) style sandboxing. Maybe that's already in progress. As a dev and former power user, I'm sure it'll be uncomfortable.
lukevp 1477 days ago [-]
Why not use Teams Live for this? We have been using zoom and Teams alternately and Teams performance and ease of use has been much better in my experience, but we have yet to do a 200+ all hands so I was curious if there were some footguns with teams live that you may know about. Teams live works on a lot of platforms and also has a web version.
reaperducer 1477 days ago [-]
Why not use Teams Live for this?

My wife was on a Teams videoconference last week. 125 people in four locations from New York to Southern California.

An hour into it, half of the people were simultaneously dropped, and not from any particular geography. It was random. And nobody could reconnect for a very long time. It took 45 minutes to restart the meeting.

The company is no longer using Teams.

mgkimsal 1477 days ago [-]
have only recently started using teams with one client. small group (max 6 folks I think) and... we've had issues with it - someone's video freezing, audio garbled/dropping, etc - twice in 2 days. but... I'm sort of chalking it up to potentially overloaded/bad net connections in the wake of all the WFH and remote meeting stuff being used. We had issues with connecting to zoom (and their phone numbers) last week as well, so I'm not ready to pull the plug on teams entirely until we have more experience under our belts.
freehunter 1477 days ago [-]
To be fair I’ve seen the same thing happen with Zoom. During a 2 hour meeting with a client, about half of my team was dropped and couldn’t get back into the meeting for several minutes.
mynameisvlad 1477 days ago [-]
Teams live events (https://docs.microsoft.com/en-us/microsoftteams/teams-live-e...) which the parent comment was referring to is actually a specific feature in Teams that is only available for certain levels AFAIK but supports vastly more people than a standard Teams meeting.
basch 1477 days ago [-]
The predecessor, Skype Broadcast, allowed completely anonymous viewing, basically a twitch or youtube stream. In the name of growth hacking, the Teams team decided to force people to the app; you couldn't watch the video stream from a mobile device without the teams app. Which is a huge amount of friction for a mobile workforce that isn't using teams.

Maybe this has changed since I last talked to Microsoft, but even their own team was unhappy with it. But if you still have access to broadcast.skype.com, it still works, until they decide it shouldn't.

alasdair_ 1477 days ago [-]
The only Teams Live meeting I've ever tried to join, we had two people who gave up because their web version didn't support Safari without having to manually go deep into their preferences and change settings from the default.
aequitas 1477 days ago [-]
I don't know of any, but our teams uses Slack, not Teams. Barely any complaints about Slack video chat btw, but that's all small sessions anyways.
snowwrestler 1477 days ago [-]
My employer has used Teams Live for all-hands meetings from home the last couple weeks and it worked great for ~350 attendees.
capableweb 1477 days ago [-]
Well, I have a feeling that the praise for zoom going around is not from people working in enterprises, it's people working for everything-but enterprises, who just want a solution that works.

In my experience (also not enterprise), Zoom is the simplest solution with the best quality and latency, compared to the alternatives. The UX could be better, but the performance of Zoom for all platforms makes you survive the UX.

jrochkind1 1477 days ago [-]
Yep, Zoom is the only one I've used where I have never had an audio problem, never a drop out or glitch.
gentleman11 1477 days ago [-]
I don’t think you can get much more reliable or simpler than whereby.com
tardo99 1477 days ago [-]
My company has used Hangouts for years with zero problems. Zoom is mostly just hype.
w1ntermute 1477 days ago [-]
As someone who has used a variety of VTC products (Zoom, Webex, BlueJeans, Teams, Skype, etc.) for several years on a daily basis (lots of external VTCs with different companies who use different VTC systems), Zoom is by far the best. The audio and video quality is head and shoulders above the rest (both on PC and mobile) and the interface is dead simple for even the least tech-savvy users.

My company uses Zoom, and there have been many instances where, during a VTC call set up by someone at another company (that doesn’t use Zoom), we have switched mid-meeting to Zoom because there’s something wrong with the other VTC system (someone can’t join, can’t hear, can’t speak, can’t share their screen, etc.). And the other options haven’t gotten noticeably better over the years either.

pjkundert 1477 days ago [-]
I've been working remotely for years.

In my experience, every other solution I've tried is a train-wreck, compared to Zoom (MacBook Pro w/ external Apple monitors). And, as far as I remember, I've tried them all, repeatedly.

Even first-class platform-specific solutions like FaceTime are, basically, unusable vs. Zoom. It's amazing, actually. I'm not quite sure how Apple managed to make FaceTime's audio just not work (almost ever), and Zoom just works, every time, on every platform.

jwr 1477 days ago [-]
> I'm still curious why everyone thinks Zoom "just works" while others don't.

I'm also curious. I subscribed to Whereby (https://whereby.com/), where I can send people a URL, which they click and land in my conference room. There is ZERO software they need to install.

[For all the "well, actually" folks: yes, it "only" works in every modern browser out there, and it works "only" for up to 12 people. Fine with me.]

Zoom has more features, but there are many other solutions that work much better and are WAY simpler. It's just that Zoom is well known, and it's easiest to choose the tool that everyone has heard about.

gentleman11 1477 days ago [-]
To be more specific, whereby seems to be free for up to 4 people, but then they claim to be able to support 50. Never tested it with 50
sudosysgen 1477 days ago [-]
Some of my teachers use jitsi, which works on the same principle. The teacher sends a link, you click it, and that's it. Works very well, and no limit.
jwr 1476 days ago [-]
Specifically, my "Pro" plan allows up to 12 people.
danlugo92 1476 days ago [-]
I use whereby too. It's great.
kiliancs 1477 days ago [-]
From my perspective, working in the browser is not necessarily "just working", because for many combinations of OS/hardware, the performance is terrible and not only eats battery and will slow down other programs, but also affects the quality of the call (audio and video).
sgustard 1477 days ago [-]
Also, granting a website access to my camera, granting access to my microphone, and so on; which are really not functions I want to be granting any websites. I don't run a browser to have it randomly turn on surveillance devices. I prefer to run an app to access my camera and quit it when I'm done.
ilikehurdles 1477 days ago [-]
Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?

Also I regularly attend more than 50-person zoom calls without a hiccup. Google I think requires an enterprise plan to get to that limit, and I don’t even know what the name of their video conferencing product is at this point.

bruckie 1477 days ago [-]
> Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?

For Google, the answers are "sorta but not really", and "no":

https://support.google.com/meet/answer/9303164: "Note: Guests on the web don't need a Google account to participate in a meeting." The initiator of a meeting needs a G Suite account, but others can join without one.

https://gsuite.google.com/learn-more/security/security-white...: "Google does not collect, scan or use data in G Suite Core Services for advertising purposes."

(Speaking for myself, not Google.)

deelowe 1477 days ago [-]
I don't think either of those are true for meet.
grimjack00 1477 days ago [-]
> While Google and Microsoft both offer a product that "just works" with only a browser.

But those products don't always "just work", at least not in my recent experience. I have had repeated problems with Google meetings while working with an external entity, and most of my employer is a Microsoft shop, so I've had to deal with issues with both Teams and Skype, both via browser and OS X app.

whatever_dude 1477 days ago [-]
Zoom has a browser version as a fallback.

Most people use the standalone app because indeed it "just works". That's why you don't hear much about its browser client.

saagarjha 1477 days ago [-]
> Most people use the standalone app because indeed it "just works".

Most people use the standalone app because Zoom aggressively pushes it.

rickyc091 1477 days ago [-]
Google requires you to have a Google account. Kids in middle school (ages 12-14) and younger typically don't have an email address. Zoom, on the other hand, lets you join a call without logging in. You can even join straight from the browser if needed without installing anything.
benhurmarcel 1477 days ago [-]
> Google requires you to have a Google account

Not for joining a meeting, no. You just type your name.

rainforest 1477 days ago [-]
Zoom has a web client that "just works" but they only show it as an option after they detect that their native client didn't "just work".
mulmen 1477 days ago [-]
The web client is well hidden, crippled and only works in Chrome.

Gallery view does not exist in the web client. Nor the ability to add cat memes to your background.

aeyes 1477 days ago [-]
That's weird, when I open a meeting link (which would open the native client) at the bottom of the page it says "If you cannot download or run the application, join from your browser.".

I have the native client and it still shows me this option.

ThePowerOfFuet 1469 days ago [-]
The visibility of this link is disabled by default unless the person trying to join attempts (and fails, even if deliberately) to download+install the client at least twice.

It can be enabled, but it's not on by default.

alasdair_ 1477 days ago [-]
Google has messenger and hangouts and another video conferencing solution that I don't recall.

The reason we ditched hangouts for zoom a few years ago was that hangouts only supported up to ten users, including users whose connection had died and so they had to re-enter the room again. This became extremely annoying - having to stop a conference mid-call to ask some people to disconnect so others could enter, or trying to find out how to kick "ghost" users, was definitely not "just works".

benhurmarcel 1477 days ago [-]
Google Meet supports up to 250 participants in the enterprise version.
zuppy 1477 days ago [-]
they work for your use case.

hangouts can’t handle many users (is it 10 the limit?), which is a deal breaker for me. we’ve tried and people couldn’t join the call.

if by microsoft you mean teams, i’m not aware of it working without accounts (not an issue for google as most people have google accounts).

Wowfunhappy 1477 days ago [-]
> hangouts can’t handle many users (is it 10 the limit?), which is a deal breaker for me. we’ve tried and people couldn’t join the call.

My company had a 17 person Hangouts (Meet) meeting on Monday. Actually, we switched to Hangouts from Slack because Slack has a 15 person limit.

Is the limit maybe different for "Hangouts" vs Hangouts Meet?

zuppy 1477 days ago [-]
That’s probably the issue. We were using the free version.
gnud 1477 days ago [-]
Teams works for "guest users", but they have to be let into the meeting by a "real" user.

Also, I think it's possible for companies to disallow guest users on their team instance.

lukevp 1477 days ago [-]
Teams live can work without logins but you have to make the feed public with a hidden link.
zuppy 1477 days ago [-]
teams has another issue though: when someone speaks, it cuts the sound for the other people speaking at the same time. in theory this sounds good, but many times it will cut the sound of the active speaker. yes, i think this can be managed with group mute, but zoom doesn’t have this “feature”.
benhurmarcel 1477 days ago [-]
Google Meet supports up to 250 participants, on the Enterprise version. Also it doesn't require an account to join.
unlinked_dll 1477 days ago [-]
Same question. Not because of the browser thing but just because it doesn't "just work" for me or my team.
untog 1477 days ago [-]
It just amazes me that the "just works" solution here is still a native app. Plenty of reasons to use native apps but in 2020 video conferencing really isn't one: WebRTC is capable and supported by every major desktop and mobile browser. It's literally one click and you're done!
Saaster 1477 days ago [-]
None of the WebRTC based options just work, they're all glitchy and cannot scale up to even moderate amounts of users. We have Google Hangouts Meet for free for our org, and we still pay for Zoom because It Just Works.
basch 1477 days ago [-]
Even having the "unblock this site from camera and microphone" buried in the browser chrome or settings pages somewhere is a dealbreaker. It's too easy for people to mindlessly click "no" to "can this access your microphone", because of the way the browser pops it up during first use, instead of during "install."
noahtallen 1477 days ago [-]
True. Even the adblocker and autoplay blockers can prevent video and audio from working in Hangouts. I have had issues with hangouts when joining meetings with important people — and my browser’s autoplay block feature prevented the video feed from working.
x0x0 1477 days ago [-]
Yeah. And high fidelity sync between audio (ideally via phone). Maybe someone does it, but we tried _all_ vendors and settled on Zoom. And screen annotations, and the ability to remember participants' phones and dial them directly (replaces them having to type 9 digit numbers into their phones), etc.

Also, Zoom has reached a critical mass where, particularly for sales calls, the remote party is quite likely to have it installed. The network effect here is really valuable.

benhurmarcel 1477 days ago [-]
Maybe it has to do with the plan you have? I've used Google Meet with up to ~150 participants and it was fine, but we have an Enterprise account.
bwb 1477 days ago [-]
Same here, we used hangouts for the longest time but it got worse. Zoom just works perfectly all the time.
distances 1477 days ago [-]
I guess it works for some. I've had two Zoom meetings so far, and in both cases the organizer quickly changed to Jitsi as Zoom had distorted audio.

Maybe some incompatible software/hardware at some end? I don't know or even care really, but Jitsi worked well with the same participants both times, while the anecdotal Zoom success rate is still 0% for me.

aequitas 1477 days ago [-]
For meetings I host I'm trying to evaluate Jitsi as well, so far without much luck. I'm not hosting that many meetings, and the one I did was with someone using Linux not getting screen sharing working.

But Jitsi is on my shortlist as I think being open source and self-hostable is the way forward for a tool that could knock Zoom off its throne.

swiley 1477 days ago [-]
This still isn’t a good reason to build a native app instead of just using webrtc.

Someone should make a PSA site that says something along the lines of “don’t install teleconferencing software because it usually bundles malware; your browser already has the technology built in.”

manigandham 1477 days ago [-]
What do you mean by "bundles malware"? What else is it doing besides teleconferencing?
bruckie 1477 days ago [-]
manigandham 1477 days ago [-]
To be clear, that's a security issue with their software but not malware. It's not intended or designed to harm your device.
aequitas 1477 days ago [-]
It is however the reason why this solution is being used instead of all the other ones.
tarsinge 1477 days ago [-]
This is/was maybe true on Windows but on macOS installing an App the standard way is straightforward and any user knows how to do it.
aequitas 1477 days ago [-]
Which standard way? You have:

- Install from App store

- Drag and drop the .app from zip/dmg

- Using a .pkg installer (mostly based on Xcode templates)

I'd argue that a lot of users don't know all of these and some even run most of their applications from the ~/Downloads folder.

gwbas1c 1477 days ago [-]
Good point, but: You can do so much in a browser now. Does teleconference software really need an installed client anymore?
JoeAltmaier 1477 days ago [-]
In theory. But in practice, as a developer you don't want to depend on the browser support for your whole product. Conferencing features of browsers have been pretty lame, compared to what's possible in a professional product.

{edit} My experience: investor took over our startup, made us switch from bespoke technology to web-based conference features. Every feature was compromised, reliability and capacity reduced by 10X.

rsynnott 1477 days ago [-]
Based on my experience with Zoom on the one hand and that Google thing on the other, yes, yes it does.
noahtallen 1477 days ago [-]
Browser blocking and plugin features can prevent it from working. For example, I’ve been in hangouts meetings where the video feed wouldn’t load because autoplay was blocked on the browser. Of course, you can work around that, but having the Zoom desktop client provides a reliable experience without any tweaking
m0dest 1477 days ago [-]
For better or for worse, WebRTC is very opinionated about codecs and transports. Those might be great choices for some scenarios, but no developer wants their whole business to be constrained by it.
gcb0 1477 days ago [-]
Zoom doesn't simply work. The same way that facebook isn't a good news feed, and paypal isn't a good, neutral bank, etc etc.

But people (like you) unknowingly shill for them because they've fallen prey to the marketing and influencers. Advertisement works. And you are living proof of that.

chadlavi 1477 days ago [-]
Zoom would "just work" if they didn't force you to install software on your computer in the first place. If google meet can do it, zoom can too.
wp381640 1477 days ago [-]
Google Meet is terrible, there's a reason why everybody switched to Zoom even in an over-crowded market
benhurmarcel 1477 days ago [-]
What's your problem with Meet? We've switched to it massively after issues with Webex, and it's all very good.
fiddlerwoaroof 1477 days ago [-]
Doesn’t Google Meet depend on a browser plugin they make you install the first time? Hangouts did.
bruckie 1477 days ago [-]
tech234a 1477 days ago [-]
Apparently a plugin is needed for Internet Explorer, but otherwise isn’t.
jeroenhd 1477 days ago [-]
As someone who's never used or seen Zoom in action, what's pulling people into Zoom that's not already available in other tools (Hangouts Meet, MS Teams) and even works without installing anything (such as Jitsi)?

Based on what I've seen, there's just so much hostile behaviour by the company (including lying about meeting HIPAA e2e requirements!) and the fact that their _official client_ had parts removed by the macOS malware removal tool that I just don't get why people still consider it as an option. If it were the only "just works" tool out there I'd understand, but there's plenty of competition in this space.

I've personally begun using the Jitsi server the local student network association has set up and it's been working like a dream. You can even share a window with others (which I didn't even know browsers had support for) for presentations and such.

aeyes 1477 days ago [-]
I use Zoom, Hangouts, Slack and WebEx. Out of those Zoom has the best call quality, and it is the only solution out of the 4 on which huge meetings (50+ persons) are workable.
benhurmarcel 1477 days ago [-]
I've been in Google Meet meetings with 100 to 150 participants, it worked fine.
rootusrootus 1477 days ago [-]
Was just on a Zoom call with 656 participants, and it was remarkably better than any other solutions we've tried in the past.
SiempreViernes 1477 days ago [-]
I've used another software for big meetings, now called Vibe, which works if I close chrome and patiently wait for the bloated java app to expand into all available memory before trying to take any action... it's not great.

Zoom manages to run without crashing and doesn't force me to close a browser and wait a lot, so that's an advantage.

milesskorpen 1477 days ago [-]
I use Meet at work. For social gatherings, my friend group exclusively uses Zoom because (a) better tiling (seems small, but you want to see everyone) and (b) video quality seems better.
giovannibajo1 1477 days ago [-]
There’s a chrome extension to do tiling:

https://chrome.google.com/webstore/detail/google-meet-grid-v...

Which is even more infuriating because it shows that missing tiling in Meet is just a frontend issue.

I’m completely baffled that this is not implemented.

milesskorpen 1475 days ago [-]
Yes, that extension is great. Doesn't work on iPads though.
anon102010 1477 days ago [-]
The meme that HIPAA requires e2e is so ridiculous - it is pretty clear that very few people actually deal with HIPAA stuff.

Zoom (if you need HIPAA) can set you up with it - but you WILL lose a bunch of features (zoom by default has features that are not HIPAA compatible) - so make sure you need HIPAA before paying for it.

If anything medicine is almost anti-e2e. Everything is copied and copied between one system and another (billing, lab systems, imaging systems etc). Seriously, medicine is in many cases very fragmented, so the number of medical practice groups that need copies of your details / visit details etc is high just to bill you (and you may end up with 5 bills for one visit - which may be 4-5 systems behind the scenes).

rootusrootus 1477 days ago [-]
My experience (beyond Zoom) is with WebEx, Hangouts, and Teams. Zoom has a better UI for large meetings, and the audio quality is significantly improved. We just switched recently from WebEx to Zoom at the office and it's been refreshing. A few days ago was the last time I tried to use Teams, but the "only four people on the screen at a time" limitation was a no-go for our family's virtual gathering. Everyone was much happier with Zoom's video grid, and we noticed that the audio was significantly improved -- in particular how it handles multiple people trying to talk at the same time.
realityking 1477 days ago [-]
I really wish they'd make the client available in the Mac App Store. Not only is the installation experience better than this, things also stay nicely up-to-date. If your company runs an MDM for your Macs, it's easy to deploy apps en masse to everyone.
saagarjha 1477 days ago [-]
But then they'd need to opt-in to sandboxing and other "onerous" requirements and couldn't pull shady things like this.
ThePowerOfFuet 1469 days ago [-]
Nailed it.
diebeforei485 1477 days ago [-]
It's times like this when I realize how much I prefer the Mac App Store over everything else.

Zoom should definitely offer a Mac App Store version. Even if they just take their iPad app and Catalyst it, I'd probably use it.

factorialboy 1477 days ago [-]
Why isn't this categorized a major Mac OS vulnerability? If Zoom abuses preinstall scripts, what's to say others aren't.
lonelappde 1477 days ago [-]
It's not a vulnerability, as the dialog says "run a program" and prompts for confirmation.

It's up to the user's imagination to consider what a program can do.

The prompt is terribly worded though.

ddebernardy 1476 days ago [-]
It seems macOS could use virtualization or permissions to run these scripts in some throw away environment to get rid of the problem altogether. Preflight check programs shouldn't be able to write anything to disk.
scumbert 1477 days ago [-]
Underrated take. They shouldn't be able to do this. This should flag Zoom as PUP for malware removal, if it weren't the new go-to.
paulgpetty 1477 days ago [-]
Two questions this raises, for me at least:

How do I know I’ve completely uninstalled all the things Zoom installed?

And, if Zoom provided a separate uninstaller (like many apps do) and it was verified to purge all of the stuff they installed (along with the uninstaller); would that appease people's concerns?

For now I’m sticking with the iOS app for video & their web-based experience for desktop sharing...

simonh 1477 days ago [-]
A previous version of Zoom installed a web server on MacOS without telling you, and left it there after the uninstall process. So the answer is no, you can't be sure.

Oh, and there was a known vulnerability in the web server that allowed remote access to your camera. The company claimed this was all intentional and was a feature and refused to remediate it for months. Eventually Apple issued a system update that removed the web server.

https://www.buzzfeednews.com/article/nicolenguyen/zoom-webca...

Hackbraten 1477 days ago [-]
If you have Homebrew installed, you can run `brew cask zap zoomus` to get rid of all the things (as far as we know) Zoom has installed.

If you prefer to remove it manually, here’s the list of files and folders Homebrew will delete on `brew cask zap zoomus`:

https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22...

saagarjha 1476 days ago [-]
Your list seems to be missing a couple of files that the Zoom uninstaller cleans up.
Hackbraten 1475 days ago [-]
That's deliberate. Homebrew always runs the Zoom uninstaller first before going through the list.

Running the uninstaller is enforced by the `pkg` declaration. See also: https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22...

aequitas 1477 days ago [-]
I think it's interesting to see the outcry when Apple poses new restrictions in the application distribution process (like signing and sandboxing) but conversely the same cries go up when there is an App that seems to be abusing loose control mechanisms.

I think a lot of power users rightfully feel they are belittled by sandboxes and application restrictions. But seeing that they are not the major userbase and most Apps don't really need any permissions at all for their intended purpose (the user's purpose at least) I think Apple is moving in the right direction.

lonelappde 1477 days ago [-]
It's possible to do things wrong in more than one way.
why_only_15 1477 days ago [-]
Part of the benefit of macOS apps is that you can just put them in the trash and they're gone. Breaking that contract isn't like awful but it is frustrating.
eyegor 1477 days ago [-]
Can someone explain to me what the problem is? If you run the installer, isn't that consent to install the software? That's the whole point of it. I guess this isn't the "Mac way" but this is exactly how I would write an install script if I was slapping together support for other platforms. In fact this is the same way most installers work: it unzips an archive somewhere, then creates the links for remove/launch/etc.

What is the typical install process for software on a Mac?

notriddle 1476 days ago [-]
Zoom is using a hook in the macOS installer framework in a way that is not intended.

This is forming a troubling pattern [1]. Zoom will do anything to reduce the number of clicks to start a conference, even if it results in a misleading installer prompt or security vulnerability.

[1]: https://www.zdnet.com/article/zoom-defends-use-of-local-web-...

whateveracct 1473 days ago [-]
Many PMs are obsessed with click optimization. I've been told many times that a certain feature or security method is a no-go due to it being "too many clicks", full stop. -.-
t0mas88 1477 days ago [-]
The whole torrent of grey area, just over the line and outright shady behavior at Zoom is a problem in itself even if all the separate instances in isolation aren't grounds to stop using them. Their responses to security issues and today's revelation of misleading marketing on E2E encryption make it clear they're not just making isolated mistakes. Shady is at the core of how they operate, this is an indication that Zoom has a company culture of accepting borderline behavior. Otherwise it wouldn't be so widespread.

As a customer this is a reason for me to stop using Zoom. Not in the last place because I'm quite sure we're only seeing the public tip of the iceberg of all the unacceptable things happening within Zoom.

capableweb 1477 days ago [-]
Unfortunately, the current system and people in power seems to not give a damn about security and shady behavior, as long as the thing they are using is working and working well. Zoom is an example of very useful and performant software with shady company behind it, that's why people will continue using it.

Same with Uber, Google and bunch of other companies. It doesn't matter what they do, as their product is helping people enough for people to look past the terrible things.

Fiahil 1477 days ago [-]
Enterprise customers DO give a damn about security. They can be slow to react, but rules are also there for a very long time. If Zoom doesn't want to lose most of their market share in favor of WebEx, they should probably address these issues.
krageon 1477 days ago [-]
> Enterprise customers DO give a damn about security

You are wrong. Even without extensive experience in the space, you can very easily see how even large companies don't secure themselves at all. The US has had Equifax recently, and it's not like that was an isolated example either. There just isn't a security culture at the eye-watering heights of corporate upper management, and while everyone's as busy making money as they are, there never will be. It doesn't fit into the system, and anyone who tries to change it gets muscled out by people who don't want it to change - because that is simply what's most efficient.

mywittyname 1477 days ago [-]
This has been my experience as well. Large companies pay lip-service to security that protects their customers; they want just enough for legal deniability in the event of a breach, but not so much that it impacts operations or profits.

However, they can be...enthusiastic when it comes to security around protecting themselves. If you report an issue with customer information on a public S3 bucket, they might get around to fixing it someday, but if there are "trade secrets" or the like in that bucket, the issue is going to get fixed immediately and someone with a big title probably won't be coming in tomorrow.

neuronic 1477 days ago [-]
This is hilariously wrong. I brought up Zoom issues at our enterprise client - no one gives a shit (this is in Germany, so rather privacy focused). As a consultant I felt a need to bring the issues up, backed with sources of course.

So why does no one care? Because Zoom UI/UX apparently works 100x better than most other solutions. People don't even REACT when I mention Jitsi or just using the Teams solution that every Microsoft customer has anyway.

The enterprise I was talking about is using a mix of Microsoft Teams and Zoom. Our team started with Teams, now we are using Zoom because I don't even know. Others also move from Teams to Zoom.

I bring this up to lots of people and the response is rolling eyes and "shut the fuck up" in business euphemisms. Zoom is viral now and privacy has no say in its success.

president 1477 days ago [-]
Could also be an issue of pricing. I wouldn't be surprised if Zoom is cheaper than MS. Maybe someone with knowledge on the sourcing side could comment on that.
neuronic 1476 days ago [-]
Sorry, I wasn't clear enough. The enterprise already has a Teams license which is part of an Office/Microsoft deal that they will of course continue to have.

So Teams is there, will stay there and it works well but people are still moving to Zoom anyways.

m-p-3 1477 days ago [-]
Correct, and we blocked zoom.us on the corporate network. No way we're allowing this malware within our walls.

We already have meet.google.com that works well for us, and external clients can easily join through a web browser.

Ididntdothis 1477 days ago [-]
“Enterprise customers DO give a damn about security.”

When I look at IT they give a damn about some security but then completely ignore other huge problems. I think a bigger concern for them is cost, liability and convenience for the administrators.

kamyarg 1477 days ago [-]
As an employee of a corporation, I can tell you that they do not care about security more than money. The cheaper the better. Money > Security
taylortrusty 1477 days ago [-]
They're much more likely to lose it to Microsoft Teams, which has been doing great the last several weeks.
mikorym 1477 days ago [-]
I think you underappreciate one point here: We can still have long term alternatives to Zoom (and we can have them now).

Google and Uber are already difficult to replace or to otherwise challenge.

ForHackernews 1477 days ago [-]
Uber is trivially easy to replace with Lyft or $generic-taxi-app.
minhazm 1477 days ago [-]
Lyft only operates in the US and Canada. Uber is available in 63 countries. The convenience you get from just having that one Uber app work is not easily replaced. But yeah, you could always try to find the local ride-sharing company's app, but it can be far less convenient.
ForHackernews 1477 days ago [-]
Only a tiny minority of wealthy people frequently travel internationally. This is not a major selling point that will save Uber.
aembleton 1477 days ago [-]
How do you persuade enough taxi drivers to use $generic-taxi-app in enough areas to make it worthwhile for someone to choose to use it instead of Uber?
m-p-3 1477 days ago [-]
They're using malware-like behaviors to spread out and reach more customers, even at the cost of security.
rwmj 1477 days ago [-]
They probably learned a lesson from WhatsApp (which was a nightmare of insecurity in the early days): cutting corners gets results and approximately no one cares (except the tiny minority like us who would never use it anyway).
fermienrico 1477 days ago [-]
Also, Zoom's entire engineering team is based in China [1]. China and Chinese companies have no real culture of user centric privacy.

[1] https://news.ycombinator.com/item?id=22707528

Edit: Why downvote me? I am not trying to stir up flame wars. Saying anything against China has become impossible to do on HN. Voices get drowned despite raising real, legitimate concerns about privacy, especially for a tool used by millions all of a sudden during this pandemic. People should be speaking up on HN. I know, I am not supposed to complain about downvotes on HN, I've read the guidelines.

Edit2: Not able to find the source for Tianjin datacenter, I will reply if I can find it. Please take it with a grain of salt.

Edit3: Holy shit, so much attention on my comment. Redacting unsubstantiated claims and adding more sources that can be traced on the Wikipedia section of Zoom privacy criticisms: https://en.wikipedia.org/wiki/Zoom_Video_Communications#Crit...

dang 1477 days ago [-]
Please don't break the site guidelines [1] by going on about downvoting. Your comment has been heavily upvoted. Meanwhile complaints like that linger on as off-topic and false, and don't garbage-collect themselves.

You can use HN Search to verify that HN sees plenty of comments "saying anything against China". The topic is extremely flame-prone because people are wont to hurl generalizations at each other, and worse. Nationalistic flamebait and flamewar is a big problem on HN [2] and destructive of the spirit of this site [1]. Individuals have been attacked here just for expressing their views while being (or being assumed to be) Chinese, and at least one person was hounded off the site altogether. I'm sure you'll agree that that's shocking and not at all the community we want to be. None of us wants it, but it's easy to get it anyway, once such flames get going.

I don't think your comment was nationalistic flamebait, except insofar as it was rather unsubstantive. Unsubstantive comments on inflammatory topics are guaranteed to come across in a flamey way to some segment of the readership, even when that wasn't your intent. Intent doesn't communicate itself, unfortunately, so the burden is on the commenter to disambiguate [4].

[1] https://news.ycombinator.com/newsguidelines.html

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

[3] https://news.ycombinator.com/item?id=21200971

https://news.ycombinator.com/item?id=21195898

https://news.ycombinator.com/item?id=19404162

https://news.ycombinator.com/item?id=22608635

[4] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

fermienrico 1477 days ago [-]
Understood, thanks, and accept my apologies. I have some feedback - please make exceptions for fact-based discussions around privacy when they are not tending towards flame wars, especially related to Chinese influence and erosion of privacy. I can see why this can lead to flame wars, but that's where you should step in and moderate. I just read your links to people getting harassed if they are Chinese; that's not cool.
dang 1477 days ago [-]
I think my comment addresses this, but perhaps you were replying to an earlier version, or perhaps I wasn't clear enough. What you posted was trending towards flamewar, even though you didn't intend it that way. Telling moderators to "step in and moderate" isn't sufficient to solve this problem. For one thing, we don't come close to seeing all the material that gets posted—there's far too much. We do step in, but we also need users like you to understand the problem a bit differently. If you're going to comment on an inflammatory topic, you need to make sure your comment is substantive, i.e. contains solid information and not just grand claims. And you should be careful to narrow its scope explicitly to what the information supports. Fortunately that should also be enough to make it clear that your intent isn't just to post pejoratives about other people.
zorked 1477 days ago [-]
Your comment is at the top. Please don't complain about downvoting.

"China and Chinese companies have no real culture of user centric privacy."

Citation needed. That's one billion individuals you are talking about.

dang 1477 days ago [-]
I don't think it's fair to call that borderline racist. That's an extremely strong word; let's not escalate where it isn't needed. The problem with the statement is that it doesn't come with any substantiation, or additional information.
zorked 1477 days ago [-]
Edited. Feel free to delete my comment, it's redundant now.
dang 1477 days ago [-]
I think the edited version of your comment is just fine.
kerng 1477 days ago [-]
Thanks for sharing. I'm not too concerned about engineering happening in China but data storage seems problematic, especially because of the lack of encryption on their side.

The post and the CNBC link don't seem to have the word Tianjin in them (the comments do). Can you provide more details or another source?

If that's indeed true I won't be hopping on a Zoom call later this week with my bank for instance.

fermienrico 1477 days ago [-]
I'll try to dig out where I read it - Google isn't helping. I am gonna edit my comment to clarify about the source.
Lucasoato 1477 days ago [-]
totalitarian dictatorship intensifies
dang 1477 days ago [-]
Please stop posting unsubstantive comments here.
nothrabannosir 1477 days ago [-]
You get downvoted because every post critical of China gets hit, regardless of quality or veracity.
dang 1477 days ago [-]
The post has been heavily upvoted, and what you've said isn't close to true. Please read and follow the site guidelines: https://news.ycombinator.com/newsguidelines.html
jopolous 1477 days ago [-]
On a simpler level, zoom on macOS sketches me out in lots of ways.

My MacBook's Bluetooth will not connect to my earbuds, but only when Zoom is running. Other audio recording/playing apps don't affect things at all. What the heck is going on here?!

Scrolling on settings panels is definitely their own home-brewed scrolling functionality. Why?! Was macOS's not cutting it for some reason?

The settings menu is very clearly not using native OS buttons and inputs. Why?! Why build your own? What is that for?

jcelerier 1477 days ago [-]
> My macbook's bluetooth will not connect to my earbuds, but only when zoom is running.

That sounds like something related to this bug: https://www.jeffgeerling.com/blog/2018/airpods-get-stuck-low...

jopolous 1477 days ago [-]
Nice, that's pretty much what I had to do to fix this. I used Bluetooth Explorer to force AAC, and forced Zoom to use the internal MacBook mic.
rgovostes 1477 days ago [-]
I installed the WebEx client for macOS today and it seemed similar, installing almost instantly without going through the normal EULA, volume selection, etc. flow.

It seems like they've stuck their installation flow into an Installer.app _plugin_ which is unusual. I haven't encountered that before, and I'm somewhat surprised the feature exists considering Apple waged war on loading code into first-party software. (The user is prompted before the plugin loads.)

mrpippy 1477 days ago [-]
Ughhh, this is probably where Zoom got the idea from.
cpeterso 1477 days ago [-]
Zoom was founded by Eric Yuan, a lead engineer from Cisco's WebEx business unit.
danans 1477 days ago [-]
For those calling this a security vulnerability in MacOS, isn't this just using a GUI equivalent of "sudo"? There may be a decent argument that a consumer OS shouldn't offer such a sudo-like API to installers, but MacOS probably does this for legacy app support reasons.

IMO the better question in this case is why Zoom needs to be installed as admin on MacOS? After all, the mobile apps and chrome extension don't need those privileges.

saagarjha 1477 days ago [-]
This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.
danans 1476 days ago [-]
> This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.

So in that case it seems like there is perhaps an issue on both sides.

- I understand that the OS API to get root/admin privileges likely exists for legacy app install reasons, but why should any install script even be able to run amok with admin privileges? Shouldn't the privileges granted by the API this is using be sandboxed in the extreme? Something this sensitive shouldn't be left to the honor system of the app developer.

- Independently, I still don't understand why Zoom needs admin privs on Mac when it clearly doesn't need them when installed as a browser extension. I'm using it just fine in Chrome all the time - no admin rights needed.

e40 1477 days ago [-]
I can't imagine why anyone logs in and uses macOS as an admin user.

First account I create on a new Mac: admin. Then, when setup is done, I login and create my non-admin user account.

This is a good practice for many reasons, this abusive installer being one.

clay_the_ripper 1476 days ago [-]
To me this implies that the installation process on Mac OS should be improved. The fact that they have to resort to these types of things to make it “just work” for people suggests that the official way of doing things is less than ideal.

They are aiming to make the process completely idiot proof, and good for them. If you’ve ever watched a nontechnical user try to install an application you’ll understand why they had to do all this.

I recently watched one of my friends, who has only ever used an iPad and not a laptop, try to install an application downloaded from the internet. Things we take for granted like “find your downloads folder” were not obvious. I had to explain what the Finder is, and it seemed laughably non-obvious to someone who has never used it before.

overgard 1477 days ago [-]
I understand wanting to reduce friction, but this is the second time Zoom has kinda done something weird and suspect security wise in the name of removing really minor obstacles that users are probably used to dealing with anyway. Considering how many tech companies are using Zoom right now, I would hope they are cognizant that they don't become known as "the company that does sketchy stuff so our IT people say we can't use it"
j1elo 1477 days ago [-]
Some background info for those commenters who say that Zoom should only require a web browser because web browsers already have everything needed (a.k.a. WebRTC). TL;DR summary: they want to do their own thing, outside of what the WebRTC standard allows, that's all (and enough reason for not using WebRTC?)

Zoom doesn't want to use the stock H.264 encoder as provided by the browser for WebRTC communication. Instead, they use their own video encoders and decoders (which, while still H.264, are presumably better optimized for their use case). WebRTC forces you to use either the H.264 or the VP8 encoder/decoder that the browser provides.

How they do this is by having their own custom application that you have to install. Still, some users have noticed that there is a well-hidden web-based version of Zoom, which works by again running their custom encoders, thanks to WebAssembly. It also seems that their video is transmitted via DataChannels [0].

They are not alone. Companies want to provide additional "value" by innovating outside of what the WebRTC standard offers. That's nice and all, although it of course tends toward disgregation and incompatibilities in the long run. For this reason, I've heard talks about how future revisions of the standard might explore adding WebAssembly support, in order to allow everyone to embed their own compiled components into their applications [1].

[0]: https://webrtchacks.com/zoom-avoids-using-webrtc/

[1]: https://webrtcbydralex.com/index.php/2019/11/13/webrtc-stand...

xorcist 1477 days ago [-]
Right. It's also important to understand when the reason to build non-standard things is just "productization" (intended to open the wallets of enterprise clients) and when it is because it really provides a better service to the end user.

Having native code running in every client makes a service provider more valuable. It is much the same reason service providers would rather have you running their app on mobile than utilizing the web browser.

This link provides a bit of context to the webrtchacks article above and gives a bit of background on when WebRTC is sufficient:

https://bloggeek.me/webrtc-vs-zoom-video-quality/

teknologist 1475 days ago [-]
Instead of installing the Zoom software, join Zoom calls from within your web browser

With this trick you can join Zoom calls without ever installing the client on your computer.

Here's how to do it:

1) Uninstall the Zoom client if you have it installed (this is important).

2) When you get a Zoom link to join a meeting, click it to open it in your browser.

3) You'll be asked to download Zoom. Click the "download & run Zoom" link, but don't run the installer.

4) Wait for a few moments and a link to "join from your browser" will appear. Click this and join the call as normal. Most of the features work in this browser based version -- there is no need to ever risk your computer!

Here's a gif demoing what to click: https://assets.zoom.us/images/en-us/web/client/join-web-clie...

wodenokoto 1477 days ago [-]
Having never installed Zoom, and honestly not having photographic memory of how the installation process on MacOS is, how is it supposed to look in the installer?

Also, what happened to just dragging the program into the Applications folder? I really liked that way of installing apps, but most things seem to have an annoying click-through wizard.

jtvjan 1477 days ago [-]
They embedded their installation into a pre-install script. Normally, you'd go through a next-next-next process with a pkg installer, but in this case you get a popup asking you if you want to allow it to "run a program to determine if the software can be installed" (the purpose of pre-install scripts) immediately after opening the pkg, you authenticate, and then the installer just disappears.
giovannibajo1 1477 days ago [-]
Before that, when they had the shady web server, the Zoom application would pop up immediately, connected to the right meeting, as your browser would be “waking it up” via HTTP. It looks like they still haven't fixed this after they removed the HTTP server.
int_19h 1477 days ago [-]
That Twitter thread has a link to a more detailed analysis that was done all the way back in 2016:

https://macpkghallofshame.tumblr.com/post/138612887932/indis...

Razengan 1477 days ago [-]
If I search my bookmarks for "zoom" every link is about a discovery of it doing some shady shit. At this point I would just classify it as spyware.
scelerat 1477 days ago [-]
I have a friend who has some intimate knowledge of MacOS installation software who refuses to use Zoom. "It's not merely because it uses the same install patterns as Russian malware," this person told me, "no; it's personal."

Seriously, despite this person's aversion to anything Google, Hangouts ends up being the one tolerable exception.

miguelmota 1477 days ago [-]
What I like about zoom is that I can click on a zoom link and it opens up my video conference pretty quickly. Last thing I want is to go through installation steps when people are waiting for me on a call. I understand the security implications but it's a trade-off between user experience and lesser security.
mr_toad 1476 days ago [-]
People will go through the hassle of booking airline tickets, hotels, taxis and take the time to travel to face to face meetings (and some of them even seem to enjoy it).

But they won’t spend 5 minutes installing software properly, or half an hour doing some legwork.

miguelmota 1475 days ago [-]
The difference is that it's expected that booking airlines and hotels will take time so they make time for it but nobody expects to spend minutes installing video conferencing software properly.

They expect meeting chat software to just work and be as easy as opening a link. If a person needs to fly somewhere they have limited choices with airlines, but if a person gets frustrated with video conferencing software then they have an abundance of alternative options.

emilecantin 1477 days ago [-]
I have this irrational disgust of .pkg installs, and this is a good example why. Every time I have to install a .pkg, I wonder what crap it's spreading all around my system.

What's wrong with dragging .apps? Does your app really need to spread its tentacles beyond an app bundle and (maybe) some preference files?

gentleman11 1477 days ago [-]
> Zoom has been criticized for its data collection practices,[45] which include its collection and storage of "the content contained in cloud recordings, and instant messages, files, whiteboards" as well as its enabling employers to monitor workers remotely;[46][47] the Electronic Frontier Foundation warned that administrators can join any call at any time "without in-the-moment consent or warning for the attendees of the call."[48] The Ministry of Defence of the U.K. banned its use.[49][50] During signup for a Zoom free account, Zoom requires users to permit it to identify users with their personal information on Google and also offers to permanently delete their Google contacts.

Widespread use of Zoom for online education during the novel coronavirus pandemic increased concerns regarding students' data privacy and, in particular, their personally identifiable information.[17] According to the FBI, students’ IP addresses, browsing history, academic progress, and biometric data may be at risk during the use of similar online learning services.[17] Privacy experts are also concerned that the use of Zoom by schools and universities may raise issues regarding unauthorized surveillance of students and possible violations of students’ rights under the Family Educational Rights and Privacy Act (FERPA).

- Wikipedia

diebir 1477 days ago [-]
A lot of this is Mac OS X's fault: it still does not have an easy canonical way of installing things and has no way of uninstalling. I don't get why in this day macOS can't have something like RPM or any number of other package managers.
saagarjha 1477 days ago [-]
It very much does! Zoom even stumbled upon it, it's called Installer.app. Except, of course, they killed it before it even finished…
RocketSyntax 1477 days ago [-]
Okay, great. Let's wrap some permissions around it to make this a legit process?
merpnderp 1477 days ago [-]
I wish I knew how it installed on my partner's Mac. No root password was ever given, yet it installed when we thought we were still using the web app. Quickly uninstalled and will use different software next time.
AngeloAnolin 1477 days ago [-]
I removed Zoom from my Mac following this instruction [0]

Given their security issues as of late, is there further way I could ensure that my machine has completely removed this software?

[0]

fouc 1476 days ago [-]
Are there other app installers that do this? I've got a feeling Zoom is definitely not the only one that does that.
musicale 1477 days ago [-]
Zoom's malware-like behavior is the reason I only use their web app, in a browser with minimal privileges.
Kaze404 1477 days ago [-]
Discord also does this (on Windows at least) and I don't understand how / why it's allowed.
josteink 1477 days ago [-]
Root-kit authors: watch and learn!
dbbk 1477 days ago [-]
But why are they doing this? What is the benefit?
dceddia 1477 days ago [-]
If I had to guess, it’s an attempt to optimize install conversions. Every multi-step process you ask a user to perform is effectively a (marketing/sales) funnel. Some percentage of people drop off at every step. Maybe Zoom thought that if they moved the actual installation closer to Step 1, then more people would accomplish it. It’s awfully sneaky though, especially that password dialog.
drewg123 1477 days ago [-]
They could have also made it just work in a web browser without having to use workarounds. That's one of the reasons why I strongly prefer Google Meet and get annoyed at vendors that want me to use solutions that require me to install software.
dbbk 1477 days ago [-]
Conversely, I much prefer a desktop app to Google Meet, since with that stuck in the browser the video can't float PIP when you navigate away from the call.
saagarjha 1477 days ago [-]
It can if it uses the right web APIs, which are widely supported: https://w3c.github.io/picture-in-picture/
dbbk 1475 days ago [-]
Yes but... it doesn't.
xorcist 1477 days ago [-]
> it’s an attempt to optimize install conversions

I love creative uses of language like this!

Be right back, I just have to optimize install conversions of my botnet client.

x0x0 1477 days ago [-]
Or, you know, decrease the failure rate of people legitimately attempting to install Zoom. It's quite reasonable to ask why on earth Apple requires more than one click for a user to say "I want this program to run on my computer; make it happen."
my123 1477 days ago [-]
They could have made it just a zip containing an app bundle instead of this mess, but of course they didn't.
Wowfunhappy 1477 days ago [-]
Several fewer mouse clicks to get into a meeting.

(I am not arguing in favor of the practice, just stating the advantage)

mstolpm 1477 days ago [-]
If one assumes there is nothing really nefarious going on, it seems they are trying to gain market share: Growth marketing to raise the company value. And looking at some people already using "zoom" and "zooming" as synonym for video conferencing, it kind of works.
neycoda 1474 days ago [-]
Why does Apple allow this?
0xff00ffee 1477 days ago [-]
One suggestion...

My company has been using Gotomeeting for 5+ years. No video (thankfully), but meetings are generally 20-30 people and largely seamless.

It is expensive: $300 per seat to host a meeting, but it pretty much just works. The UI is annoying and could be simpler.

However, I don't know if it is as shady as Zoom because I don't think anyone has done a deep dive.

proffan 1477 days ago [-]
resReitna.7z

Reminds me of tech support XD

xenophonf 1477 days ago [-]
I missed the part where Zoom is holding people's computers for ransom, or formatting the drive, or exfiltrating sensitive information to criminals or state intelligence officers, or mining bitcoin, or other similarly malicious behaviors.

An admin can write to /Applications without privilege escalation? That's a macOS bug. If the operating system didn't rely on an 80s-style put-all-the-executables-in-one-place app launch paradigm, maybe there'd be less incentive for app developers to ignore the per-user Applications folder that macOS supports.

An app can spoof or abuse privilege escalation dialogs? That's because macOS doesn't implement an Orange Book-style Trusted Path. It's why Windows and similar operating systems have secure attention keys in the first place.

So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent. They fixed past issues; they'll probably fix this. Meanwhile, these long-standing macOS security flaws won't be addressed by Apple, who has a terrible track record about these things except when it lets people bypass their App Store.

P.S. As an enterprise customer, I'm much more worried about end-to-end encryption in Zoom, and the apparent lack thereof. I'm also not sure how that compares with other video conferencing services.

rainforest 1477 days ago [-]
> So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent.

But... why? What other software vendors look at the OS security model from a viewpoint of 'how do we bypass this as much as possible?' If it's not evil intent, what is it, incompetence?

javagram 1477 days ago [-]
It’s about making your software as easy to use as possible.

Users don’t like UAC or having to click through a dozen dialogs. They just want to get into their virtual meeting.

my123 1477 days ago [-]
Then Zoom should just make them join the meeting via the web browser!

Zoom does this somehow and doesn't make joining from the web frictionless when they pretty much could have.

lonelappde 1477 days ago [-]
Zoom could be honest about what it is doing instead of going to extreme lengths to conceal it
xenophonf 1477 days ago [-]
/Applications is writable by admins. There is no O/S security model to bypass.
rainforest 1477 days ago [-]
It has a pre-flight script (which isn't supposed to change anything) that installs it (and its browser extensions, and a kernel extension at some point in the past) in the most widely available place the current user has privileges to (it installs in their home directory if they aren't an admin).

So yes, there is some blame to be laid at the OS for running binaries with the privileges the current user has, but it's clear that the installer doesn't behave like a regular installer would.

oefrha 1477 days ago [-]
> An admin can write to /Applications without privilege escalation? That's a macOS bug.

/Applications has been root:admin 775 since forever ago. It’s not a bug, and “drag this app to (an alias of) /Applications” is very standard behavior of dmg installers. Working as designed.

xenophonf 1477 days ago [-]
That behavior goes all the way back to Classic Mac OS. If the above is working as designed, then Zoom automating the copy-app-to-/Applications process doesn't really seem that hinky to me.
oefrha 1477 days ago [-]
It’s a weird thing to do, but I don’t find it particularly concerning, no. You launched the installer after all. (I do use Suspicious Package to quicklook pkgs myself, FWIW.)
xenophonf 1477 days ago [-]
Having write access without privilege escalation to executable packages run by all users on a multiuser computer is a significant security risk. That's one of the ways an attacker can pivot into other systems from a compromised computer.
oefrha 1477 days ago [-]
root:admin 775 is only writable by the admin group, I’m not sure where you got the idea that all users have write access.

The situation here is an admin explicitly executing a program that writes to a directory that they have write access to.

Edit: corrected typo 755 => 775.

Edit 2: Okay, I read what you wrote again and can now see I misunderstood. However,

1. macOS is primarily single user (or at least single household) given how it's actually used. In actual multiuser settings admins don't typically muck around with their admin account.

2. Typically other users can read/execute a lot of stuff that's not root anyway. For instance, on research group Linux servers people would often tell you to just execute something in their home directory.
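Two points in this thread lend themselves to a concrete check: rainforest's description of a pre-flight script that installs the app into "the most widely available place the current user has privileges to", and oefrha's point that /Applications is root:admin 775, so an admin-group member can write there without escalation. The script below is an added example (not Zoom's code and not anything posted in the thread): it walks an expanded package in the layout `pkgutil --expand` produces, flags lines in `preinstall`/`postinstall`/`preflight`/`postflight` scripts that create, copy, launch or escalate, and models where such a script would land for an admin versus a standard user. The sample preinstall script, the uid 501 / admin gid 80 values and the directory modes are constructed for the demo; `SampleApp` is a hypothetical name.

```python
"""Audit an expanded macOS .pkg for install-time side effects (added example)."""
import re
import stat
import tempfile
from pathlib import Path

# Script names Apple's installer runs from a package's Scripts directory.
INSTALL_SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight"}

# Ordered heuristics; the first match on a line wins.
PATTERNS = [
    (re.compile(r"\b(sudo|kextload|kmutil)\b|with administrator privileges"),
     "requests privilege escalation or loads a kernel extension"),
    (re.compile(r"\b(curl|wget)\b"), "fetches content from the network at install time"),
    (re.compile(r"\b(cp|ditto|rsync|mv|mkdir|tar|unzip)\b"), "creates, copies or moves files"),
    (re.compile(r"^open\b"), "launches an application during install"),
    (re.compile(r"/Applications|\$HOME/Applications|~/Applications"),
     "references an application directory"),
]


def find_install_scripts(expanded_pkg: Path):
    """Yield every pre/post script under an expanded package (`pkgutil --expand` layout)."""
    for path in sorted(expanded_pkg.rglob("*")):
        if path.is_file() and path.name in INSTALL_SCRIPT_NAMES:
            yield path


def scan_script(text: str):
    """Return (line_no, reason, line) for each non-comment line matching a pattern."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in PATTERNS:
            if pattern.search(stripped):
                findings.append((no, reason, stripped))
                break
    return findings


def writable_without_escalation(mode, owner_uid, group_gid, uid, gids):
    """POSIX write check for a non-root process: owner, then group, then other bits."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if group_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def pick_install_dir(candidates, uid, gids):
    """First (path, mode, owner_uid, group_gid) the user can write to without escalation."""
    for path, mode, owner, group in candidates:
        if writable_without_escalation(mode, owner, group, uid, gids):
            return path
    return None


# Constructed sample preinstall script: NOT Zoom's script, only the shape the thread describes.
SAMPLE_PREINSTALL = """#!/bin/sh
APP_DIR="/Applications"
[ -w "$APP_DIR" ] || APP_DIR="$HOME/Applications"
mkdir -p "$APP_DIR"
cp -R "$1/SampleApp.app" "$APP_DIR/"
open "$APP_DIR/SampleApp.app"
exit 0
"""


def build_sample_pkg(root: Path) -> Path:
    """Write a minimal expanded-package tree containing the constructed scripts."""
    pkg = root / "SampleApp.pkg"
    (pkg / "Scripts").mkdir(parents=True)
    (pkg / "Scripts" / "preinstall").write_text(SAMPLE_PREINSTALL)
    (pkg / "Scripts" / "postinstall").write_text("#!/bin/sh\nexit 0\n")
    return pkg


def audit(expanded_pkg: Path):
    """Map each install script name to its findings."""
    return {s.name: scan_script(s.read_text()) for s in find_install_scripts(expanded_pkg)}


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        report = audit(build_sample_pkg(Path(tmp)))
    # Constructed metadata: /Applications as root:admin 775 (admin gid 80 on macOS) and a
    # user-owned ~/Applications as 755; uid 501 is the first regular macOS account.
    candidates = [("/Applications", 0o775, 0, 80), ("/Users/alice/Applications", 0o755, 501, 20)]
    admin_target = pick_install_dir(candidates, uid=501, gids={20, 80})
    standard_target = pick_install_dir(candidates, uid=501, gids={20})
    return report, admin_target, standard_target


if __name__ == "__main__":
    report, admin_target, standard_target = demo()
    for name, findings in report.items():
        print(f"{name}: {len(findings)} finding(s)")
        for no, reason, line in findings:
            print(f"  line {no}: {reason}: {line}")
    print("admin-group user would land in:", admin_target)
    print("standard user would land in:", standard_target)
```

Against a real package you would run `pkgutil --expand SomeInstaller.pkg /tmp/expanded` and pass that directory to `audit()`; the heuristics are deliberately coarse (a preinstall script should normally not create or launch anything at all), so every hit is a reason to read the script, not a verdict. The permission model reproduces what oefrha and rainforest describe: an admin-group member lands in /Applications, a standard user falls through to the home-directory copy.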

yardie 1477 days ago [-]
I use MacOS and everything I read in the twitter thread was exactly as expected. MacOS does ask you to escalate. It also asks for privileged access to the camera, microphone, and the keyboard. So when our son had to download and run Zoom for his now online school, I took the opportunity to teach him some basic computer security. Zoom installed into his ~/Applications folder, as a non-admin that was expected. And then it asked for access to his microphone and camera.