279 points arkadiyt | 23 comments
1. DyslexicAtheist No.22662212
I don't want to diss an effort made with good intentions, though this is like using duct tape on a fatally flawed design - it doesn't solve the problem. We're dealing with an inherently hostile company which aggressively uses dark patterns, ignoring privacy and security best practices. Not only are they ignoring these things, they actively bypass the security control on the host-system where it is installed - this is literally what malware does. You don't put duct tape on malware so it works better for you!

If they were a Chinese company they'd be banned and probably even sanctioned. Stop using this shit and stop justifying its use just because your employer makes you use it. Grow some balls (or eggs) and speak up, naming it for what this is (malware) - so that we can all have nice things and not be forced to engage in endlessly justifying ourselves because "team or company XYZ is using it too and it works great for them ..."

replies(4): >>22662425 #>>22662461 #>>22662654 #>>22663295 #
2. skrebbel No.22662425
I have absolutely no idea what you're on about. How is Zoom malware?

By "actively bypass the security" do you mean "it's a program that you need to install on your computer"?

Can you elaborate why Zoom is malware in ways that VS Code, VLC Media Player or Photoshop aren't?

EDIT: I mean the question honestly, as a question. I might have missed something. I mean, I saw yesterday's HN topic on a tweet that claims it sends info about all active programs to a server. But I saw nothing to substantiate that other than an "attention tracking" feature which is way less invasive than what's described in that tweet and off by default.

Did I miss the evidence, or some other damning privacy invading misfeature?

replies(2): >>22662486 #>>22662641 #
3. neuronic No.22662461
I just posted the related issues to my company's working-remote channel to raise awareness, because lots of us AND our clients suddenly began using Zoom. We are in Europe, so the laws are quite different.

So far, the response has been zero (it's been an hour) but let's see. Maybe I can make some coworkers and clients be more wary of Zoom.

replies(2): >>22662872 #>>22662897 #
4. rainforest No.22662486
The videoconferencing industry seems to believe it's necessary to bypass regular OS protections to make the UX "better".

For example: https://www.theverge.com/2019/7/8/20687014/zoom-security-fla... By design, instead of using a URL handler, they run a HTTP server on your machine to bypass the "open with" dialog. There are good reasons not to trust the binaries they ask you to run.

Here, it turns out they offer a web client after all, which is nice and sandboxed, but they default to trying to run a binary on your machine where you have less control over what it does.

replies(1): >>22662785 #
5. DyslexicAtheist No.22662641
@rainforest's reply pretty much covers it. NPAPI was deprecated for security reasons, so they thought it was a good idea to bypass that deprecation by installing a local webserver. My other comment on yesterday's thread: https://news.ycombinator.com/item?id=22658173
replies(1): >>22663200 #
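The pattern rainforest and DyslexicAtheist describe above (a desktop app running an HTTP listener on loopback so that a web page can reach it with a plain GET instead of going through the browser's URL-handler prompt) is something you can check for on your own machine. The script below is an added example, not code from the thread or from Zoom: it probes a set of loopback ports, reports every one that answers with an HTTP status line, and demonstrates that against a constructed in-process listener standing in for such a desktop-app daemon. The port range you scan, the 0.5 s timeout and the stand-in server are all assumptions of the example.

```python
"""Find unexpected HTTP listeners on 127.0.0.1.

Added example for the thread above, not Zoom's code and not from the original
post. A desktop app that serves HTTP on loopback can be reached by any web
page the browser loads (an <img> or fetch to http://localhost:PORT/... sends
the GET without a prompt), which is why such listeners matter. This script
identifies them by speaking HTTP to each port and looking for a status line.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, Optional


def probe_http(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """Return the HTTP status line if (host, port) answers HTTP, else None.

    A closed port (connection refused), a listener that never replies
    (timeout) or a non-HTTP protocol all yield None.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            data = s.recv(512)
    except OSError:
        return None
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/"):
        return first_line.decode("ascii", "replace")
    return None


def find_local_http_listeners(ports: Iterable[int],
                              host: str = "127.0.0.1") -> Dict[int, str]:
    """Map every port in `ports` that answers HTTP to its status line."""
    found: Dict[int, str] = {}
    for port in ports:
        line = probe_http(host, port)
        if line is not None:
            found[port] = line
    return found


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a desktop app's loopback endpoint (assumption)."""

    def do_GET(self):
        body = b"launch acknowledged\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def start_standin_server():
    """Start the stand-in on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> bool:
    """Run the probe against the stand-in; True if it is found as an HTTP listener."""
    server, port = start_standin_server()
    try:
        hits = find_local_http_listeners([port])
        return port in hits and hits[port].startswith("HTTP/1.0 200")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Scan the stand-in plus a small range of high ports, as an illustration.
    server, port = start_standin_server()
    for p, line in find_local_http_listeners([port, *range(19000, 19100)]).items():
        print(f"127.0.0.1:{p} answers HTTP: {line}")
    server.shutdown()
    server.server_close()
```

On a real host, feed `find_local_http_listeners` the ports you see in `lsof -iTCP -sTCP:LISTEN` or `ss -ltnp`, then map each HTTP responder back to its owning process; a listener owned by a GUI application rather than a service you configured is the case the thread is about. The probe uses a 1.0 request so the server closes the connection itself and no keep-alive handling is needed.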
6. capableweb No.22662654
> Not only are they ignoring these things they actively bypass the security control on the host-system where it is installed

What we're seeing is the constant balance between ease of use VS privacy/security and people making the choice without really understanding the consequences.

In the end, privacy/security is so invisible and hard to understand for "normal" people that ease of use and performance always seems to win in our current system.

> Stop using this shit and stop justifying its use just because your employer makes you use it.

This seems a bit simplistic. We're all humans and navigating what's almost a political situation regarding Zoom and its issues can hurt you individually, while not gaining a lot globally.

I'm not saying you're wrong, ideally we should all stand up for what we believe in. But sometimes the contexts and environments prevent us from doing so, and not all of us are ready to die on the hill that is privacy/security.

replies(1): >>22662827 #
7. kristianc No.22662785{3}
> Update, 5:15PM ET July 9th: Zoom has published a blog post detailing its response to this vulnerability, including how it will patch its software and uninstall the webserver it has installed on Macs. More details here, and original story follows.

Seems like they don't, and haven't since July.

replies(2): >>22662867 #>>22663315 #
8. DyslexicAtheist No.22662827
I hear you, and I understand this sounds like privacy or security maximalism. But bear with me for a second ...

At some point in the last 100 or 200 years technology has become so complex that society has agreed to compartmentalize problem domains into subject matter expertise and we install specialists to work on these problems.

You're spot-on saying that the majority can't tell and probably doesn't care. But the majority also isn't as deep in this as most people here. If it's not our job as engineers or as an industry to raise alarms when it's justified, what chances do we have - or what chances do those have who aren't skilled to ask or answer these questions?

Things have become so complex that our reaction is now to no longer question things and instead point to team-XYZ who claim that they are using it successfully (but have they really investigated what they're using or are they just so desperate to turn a blind eye to what's happening?)

I'm not willing to die on that hill but am prepared to fight this for long enough until people wake up to the problem. The point is to stall the normalization of this behavior for long enough - until a sizable portion of specialists/subject matter experts is aware and can no longer be ignored. The #DeleteFacebook movement and people inside Google and Microsoft fighting ICE contracts are an example that pressure maybe doesn't solve the problem but it still is a very effective "spanner in the works" of Surveillance Capitalism.

9. ilogik No.22662867{4}
They used to do it, but there was a huge backlash. I think even Apple pushed a patch to block their behaviour.
10. DyslexicAtheist No.22662872
Thanks for speaking up. This takes a lot of guts and I hope you get your colleagues' attention. Forcing a tool like this on employees is a betrayal of trust and could also have devastating effects on their motivation.
replies(1): >>22662930 #
11. dx034 No.22662897
What are the issues exactly? I've also been using it but so far haven't heard of privacy concerns that are unique to Zoom? Obviously, P2P should be preferred but it's really hard for this to work with larger groups, esp if some have connectivity issues. Zoom just shines here.
replies(1): >>22663077 #
12. anon102010 No.22662930{3}
What is the actual current issue?
replies(1): >>22663090 #
13. DyslexicAtheist No.22663077{3}
see yesterday's thread in general but especially this: https://news.ycombinator.com/item?id=22657605
14. DyslexicAtheist No.22663090{4}
extensively discussed yesterday: https://news.ycombinator.com/item?id=22657384
15. skrebbel No.22663200{3}
How is that the same as malware? I.e. "software intentionally designed to cause damage to a computer, server, client, or computer network", if the Wikipedia definition has authority. That's not at all what Zoom does.

You're assuming ill intent where there is none. At the worst, it's incompetence. And they fixed the local http server flaw.

I'd much rather we reserve the term "malware" for actual malware and not dilute it to mean "any program made by a programmer who's either not very good at security or doesn't have the exact same opinion about it as me".

replies(2): >>22663724 #>>22663736 #
16. pcr0 No.22663295
Zoom's product team is based in China.

https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead...

17. rainforest No.22663315{4}
This is an example. Why would you trust an organisation that engineers "solutions" to security measures but does so without due care and attention leading to a widespread critical security bug?
18. DyslexicAtheist No.22663724{4}
You're misrepresenting what I said:

> they actively bypass the security control on the host-system where it is installed - this is literally what malware does

It is not equal to malware. It is what malware does, which is an important distinction. If you're OK with a product disabling the host-system security controls and still happy to trust the product with this taken into consideration then fair enough: use it, defend it, and evangelize it as much as you want. As somebody who has "security" in the job title it is a problem for me.

> And they fixed the local http server flaw.

It wasn't a flaw or silly design bug, it was a conscious design decision to gain market share which other players felt too risky. Please read the NPAPI spec and why it was deprecated. A company doing this has no place in an enterprise network!

replies(1): >>22663922 #
19. chupasaurus No.22663736{4}
Spyware (which Zoom is) is also a type of malware.
20. skrebbel No.22663922{5}
> > they actively bypass the security control on the host-system where it is installed - this is literally what malware does

> it is not equal to malware. It is what malware does, which is an important distinction.

That's not an important distinction at all. It's like saying "Ooh George talked to Mary when they were alone in the elevator. That's what rapists do", and then later defending it by saying "well, I did not say that George is a rapist".

I agree with the remainder of your comment, fair point. I think your initial comment would've been stronger if you had used the "no place in an enterprise network" argument instead of the malware comparison.

replies(1): >>22664615 #
21. khafra No.22664615{6}
> That's not an important distinction at all. It's like saying "Ooh George talked to Mary when they were alone in the elevator. That's what rapists do", and then later defending it by saying "well, I did not say that George is a rapist".

Installing an HTTP server on your client to bypass security control is not talking to Mary in an elevator. It's following Mary home, and making a copy of her house key.

replies(2): >>22667370 #>>22667465 #
22. No.22667370{7}
23. skrebbel No.22667465{7}
My only argument is that you can't first imply that Zoom is malware and then claim that you didn't say Zoom is malware.