
279 points arkadiyt
DyslexicAtheist ◴[] No.22662212[source]
I don't want to diss an effort made with good intentions, though this is like using duct tape on a fatally flawed design - it doesn't solve the problem. We're dealing with an inherently hostile company which aggressively uses dark patterns, ignoring privacy and security best practices. Not only are they ignoring these things, they actively bypass the security control on the host-system where it is installed - this is literally what malware does. You don't put duct tape on malware so it works better for you!

If they were a Chinese company they'd be banned and probably even sanctioned. Stop using this shit and stop justifying its use just because your employer makes you use it. Grow some balls (or eggs) and speak up naming it for what this is (malware) - so that we can all have nice things and not be forced to engage in endlessly justifying ourselves because "team or company XYZ is using it too and it works great for them ..."

replies(4): >>22662425 #>>22662461 #>>22662654 #>>22663295 #
skrebbel ◴[] No.22662425[source]
I have absolutely no idea what you're on about. How is Zoom malware?

By "actively bypass the security" do you mean "it's a program that you need to install on your computer"?

Can you elaborate why Zoom is malware in ways that VS Code, VLC Media Player or Photoshop aren't?

EDIT: I mean the question honestly, as a question. I might have missed something. I mean, I saw yesterday's HN topic on a tweet that claims it sends info about all active programs to a server. But I saw nothing to substantiate that other than an "attention tracking" feature which is way less invasive than what's described in that tweet and off by default.

Did I miss the evidence, or some other damning privacy-invading misfeature?

replies(2): >>22662486 #>>22662641 #
DyslexicAtheist ◴[] No.22662641[source]
@rainforest's reply pretty much covers it. NPAPI was deprecated for security reasons so they thought it was a good idea to bypass that deprecation by installing a local webserver. My other comment on yesterday's thread: https://news.ycombinator.com/item?id=22658173
replies(1): >>22663200 #
skrebbel ◴[] No.22663200{3}[source]
How is that the same as malware? I.e. "software intentionally designed to cause damage to a computer, server, client, or computer network", if the Wikipedia definition has authority. That's not at all what Zoom does.

You're assuming ill intent where there is none. At the worst, it's incompetence. And they fixed the local http server flaw.

I'd much rather we reserve the term "malware" for actual malware and not dilute it to mean "any program made by a programmer who's either not very good at security or doesn't have the exact same opinion about it as me".

replies(2): >>22663724 #>>22663736 #
DyslexicAtheist ◴[] No.22663724{4}[source]
You're misrepresenting what I said:

> they actively bypass the security control on the host-system where it is installed - this is literally what malware does

It is not equal to malware. It is what malware does, which is an important distinction. If you're OK with a product disabling the host-system security controls and still happy to trust the product with this taken into consideration then fair enough: use it, defend it, and evangelize it as much as you want. As somebody who has "security" in the job title it is a problem for me.

> And they fixed the local http server flaw.

It wasn't a flaw or silly design bug, it was a conscious design decision to gain market share which other players felt too risky. Please read the NPAPI spec and why it was deprecated. A company doing this has no place in an enterprise network!

replies(1): >>22663922 #
skrebbel ◴[] No.22663922{5}[source]
> > they actively bypass the security control on the host-system where it is installed - this is literally what malware does

> it is not equal to malware. It is what malware does, which is an important distinction.

That's not an important distinction at all. It's like saying "Ooh George talked to Mary when they were alone in the elevator. That's what rapists do", and then later defending it by saying "well, I did not say that George is a rapist".

I agree with the remainder of your comment, fair point. I think your initial comment would've been stronger if you had used the "no place in an enterprise network" argument instead of the malware comparison.

replies(1): >>22664615 #
khafra ◴[] No.22664615{6}[source]
> That's not an important distinction at all. It's like saying "Ooh George talked to Mary when they were alone in the elevator. That's what rapists do", and then later defending it by saying "well, I did not say that George is a rapist".

Installing an HTTP server on your client to bypass security control is not talking to Mary in an elevator. It's following Mary home, and making a copy of her house key.

replies(2): >>22667370 #>>22667465 #
skrebbel ◴[] No.22667465{7}[source]
My only argument is that you can't first imply that Zoom is malware and then claim that you didn't say Zoom is malware.