Most active commenters
  • saagarjha(13)
  • Wowfunhappy(12)
  • aequitas(9)
  • manigandham(6)
  • benhurmarcel(6)
  • dang(6)
  • lonelappde(5)
  • danieldk(4)
  • gentleman11(4)
  • (4)

How the Zoom macOS installer does its job without you clicking ‘install’

(twitter.com)
796 points _Microft | 330 comments | 31 Mar 20 11:41 UTC | HN request time: 2.417s | source | bottom
1. t0mas88 ◴[31 Mar 20 12:06 UTC] No.22736717[source]
The whole torrent of grey area, just over the line and outright shady behavior at Zoom is a problem in itself even if all the separate instances in isolation aren't grounds to stop using them. Their responses to security issues and today's revelation of misleading marketing on E2E encryption make it clear they're not just making isolated mistakes. Shady is at the core of how they operate, this is an indication that Zoom has a company culture of accepting borderline behavior. Otherwise it wouldn't be so widespread.

As a customer this is a reason for me to stop using Zoom. Not in the last place because I'm quite sure we're only seeing the public tip of the iceberg of all the unacceptable things happening within Zoom.

replies(2): >>22736799 #>>22738601 #
2. lultimouomo ◴[31 Mar 20 12:08 UTC] No.22736730[source]
I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
replies(2): >>22736941 #>>22742904 #
3. capableweb ◴[31 Mar 20 12:23 UTC] No.22736799[source]
Unfortunately, the current system and people in power seems to not give a damn about security and shady behavior, as long as the thing they are using is working and working well. Zoom is an example of very useful and performant software with shady company behind it, that's why people will continue using it.

Same with Uber, Google and bunch of other companies. It doesn't matter what they do, as their product is helping people enough for people to look past the terrible things.

replies(3): >>22736841 #>>22737789 #>>22737910 #
4. dbbk ◴[31 Mar 20 12:23 UTC] No.22736800[source]
But why are they doing this? What is the benefit?
replies(3): >>22736850 #>>22736871 #>>22736899 #
5. aequitas ◴[31 Mar 20 12:29 UTC] No.22736838[source]
Not that I'm in favor of this practice, but the one key feature that conference software must have is: it just works™.

Nothing turns you off more from a conferencing solution than: any problem getting it working right now.

When there is just the slightest issue, one person not being able to join, one person not getting voice to work, bad audio, your entire team is blocked/distracted. Which results in a collective distain for the solution and video conferencing as a whole.

This extends to getting the solution working for greenfield installs as simple as possible. Because who knows which non-tech users from which department all need to join and can't figure out how to set the permission in their browser right or install/use the other browser that is compatible.

So sadly, from a functionality point of view, you want have the software be able to force itself onto the user in the most usable state it can.

replies(8): >>22736886 #>>22737349 #>>22737355 #>>22737357 #>>22737381 #>>22737449 #>>22738084 #>>22738434 #
6. Fiahil ◴[31 Mar 20 12:29 UTC] No.22736841{3}[source]
Enterprise customer DO give a damn about security. They can be slow to react, but rules are also there for a very long time. If Zoom doesn't want to loose most of their marketshare in favor of WebEx, they should probably address these issues.
replies(6): >>22737049 #>>22737090 #>>22737713 #>>22737745 #>>22737945 #>>22739109 #
7. mstolpm ◴[31 Mar 20 12:31 UTC] No.22736850[source]
If one assumes there is nothing really nefarious going on, it seems they are trying to gain market share: Growth marketing to raise the company value. And looking at some people already using "zoom" and "zooming" as synonym for video conferencing, it kind of works.
8. Wowfunhappy ◴[31 Mar 20 12:34 UTC] No.22736871[source]
Several less mouse clicks to get into a meeting.

(I am not arguing in favor of the practice, just stating the advantage)

9. t0mas88 ◴[31 Mar 20 12:36 UTC] No.22736886[source]
I'm still curious why everyone thinks Zoom "just works" while others don't. Because in an enterprise context it is often hard to download an executable and run it with sufficient permissions. While Google and Microsoft both offer a product that "just works" with only a browser. What makes Zoom more "just works" than that?
replies(16): >>22736916 #>>22736940 #>>22737051 #>>22737108 #>>22737143 #>>22737238 #>>22737841 #>>22738424 #>>22738725 #>>22739146 #>>22739536 #>>22739595 #>>22739641 #>>22739741 #>>22739848 #>>22740219 #
10. dceddia ◴[31 Mar 20 12:38 UTC] No.22736899[source]
If I had to guess, it’s an attempt to optimize install conversions. Every multi-step process you ask a user to perform is effectively a (marketing/sales) funnel. Some percentage of people drop off at every step. Maybe Zoom they thought that if they moved the actual installation closer to Step 1, then more people would accomplish it. It’s awfully sneaky though, especially that password dialog.
replies(3): >>22737230 #>>22737537 #>>22738271 #
11. capableweb ◴[31 Mar 20 12:40 UTC] No.22736916{3}[source]
Well, I have a feeling that the praise for zoom going around is not from people working in enterprises, it's people working for everything-but enterprises, who just want a solution that works.

In my experience (also not enterprise), Zoom is the simplest solution with the best quality and latency, compared to the alternatives. The UX could be better, but the performance of Zoom for all platforms makes you survive the UX.

replies(3): >>22736946 #>>22739747 #>>22740886 #
12. zuppy ◴[31 Mar 20 12:44 UTC] No.22736940{3}[source]
they work for your use case.

hangouts can’t handle many users (is it 10 the limit?), which is a deal breaker for me. we’ve tried and people couldn’t join the call.

if by microsoft you mean teams, i’m not aware of it working without accounts (not an issue for google as most people have google accounts).

replies(3): >>22736965 #>>22737603 #>>22740603 #
13. Wowfunhappy ◴[31 Mar 20 12:44 UTC] No.22736941[source]
Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
replies(4): >>22737018 #>>22737061 #>>22738118 #>>22741908 #
14. jrochkind1 ◴[31 Mar 20 12:44 UTC] No.22736946{4}[source]
Yep, Zoom is the only one I've used where I have never had an audio problem, never a drop out or glitch.
15. gnud ◴[31 Mar 20 12:47 UTC] No.22736965{4}[source]
Teams works for "guest users", but they have to be let into the meeting by a "real" user.

Also, I think it's possible for companies to disallow guest users on their team instance.

replies(1): >>22737125 #
16. pottertheotter ◴[31 Mar 20 12:47 UTC] No.22736966[source]
I installed Zoom on macOS yesterday and I thought that the install was crashing because this is not the expected behavior. I would double click the download, try to install, and then the installation program would "crash", so I'd try it again. Did that a few times before I realized it was installed. Until now I thought it had somehow gotten far enough in the installation process before crashing that I could at least use the application. I'd been hearing everyone raving about how Zoom was such better software than anything else, and my first experience was their installer doesn't even work.

This was a horrible user experience for me, and I wasn't thinking about security implications at all.

replies(4): >>22737035 #>>22738040 #>>22741429 #>>22743433 #
17. paulgpetty ◴[31 Mar 20 12:47 UTC] No.22736970[source]
Two questions this raises, for me at least:

How do I know I’ve completely uninstalled all the things Zoom installed?

And, if Zoom provided a separate uninstaller (like many apps do) and it was verified to purge all of the stuff they installed (along with the uninstaller); would that appease people's concerns?

For now I’m sticking with the iOS app for video & their web-based experience for desktop sharing...

replies(4): >>22737015 #>>22737037 #>>22737708 #>>22737834 #
18. factorialboy ◴[31 Mar 20 12:55 UTC] No.22737012[source]
Why isn't this categorized a major Mac OS vulnerability? If Zoom abuses preinstall scripts, what's to say others aren't.
replies(3): >>22737104 #>>22738160 #>>22738324 #
19. simonh ◴[31 Mar 20 12:55 UTC] No.22737015[source]
A previous version of Zoom installed a web server on MacOS without telling you, and left it there after the uninstall process. So the answer is no, you can't be sure.

Oh, and there was a known vulnerability in the web server that allowed remote access to your camera. The company claimed this was all intentional and was a feature and refused to remediate it for months. Eventually Apple issues a system update that removed the web server.

https://www.buzzfeednews.com/article/nicolenguyen/zoom-webca...

20. tantalor ◴[31 Mar 20 12:56 UTC] No.22737018{3}[source]
It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:

https://twitter.com/c1truz_/status/1244737675191619584/photo...

This message is a lie; it not coming from system but from the installer script.

Just because the OS is used to show the dialog doesn't mean it should be trusted. As other commenter noted this could be used to steal passwords; that is effectively what it does.

replies(2): >>22737159 #>>22737550 #
21. realityking ◴[31 Mar 20 12:59 UTC] No.22737032[source]
I really wish they'd make the client available in the Mac App Store. Not only is the installation experience better than this, things also stay nicely up-to-date. If your company runs an MDM for your Macs, it's easy to deploy apps en-mass to everyone.
replies(2): >>22741711 #>>22742646 #
22. macleginn ◴[31 Mar 20 13:00 UTC] No.22737035[source]
Same here. I thought the process didn't finish until I tried launching the app (which I was supposed to do by clicking a link in the browser, which is also rather unintuitive).
23. why_only_15 ◴[31 Mar 20 13:00 UTC] No.22737037[source]
Part of the benefit of macOS apps is that you can just put them in the trash and they're gone. Breaking that contract isn't like awful but it is frustrating.
24. krageon ◴[31 Mar 20 13:01 UTC] No.22737049{4}[source]
> Enterprise customer DO give a damn about security

You are wrong. Even without extensive experience in the space, you can very easily see how even large companies don't secure themselves at all. The US has had equifax recently, and it's not like that was an isolated example either. There just isn't a security culture at the eye-watering heights of corporate upper management and while everyone's as busy making money as they are, there never will be. It doesn't fit into the system, and anyone who tries to change it gets muscled out by people who don't want it to change - because that is simply what's most efficient.

replies(1): >>22737136 #
25. aequitas ◴[31 Mar 20 13:01 UTC] No.22737051{3}[source]
We just had a corporate presentation with around 250 people. Normally we use Teams or Slack for internal communication, this was also stated by management, that Zoom should only be used for 'big' meetings like this. I think they know the other solutions will not work as well for bigger groups. I've not had issues with using either solution for small group meetings.

Actually I have to go out of my way to run Zoom in the browser instead of using the installer. I have to use Chrome instead of Firefox, download but not install the app and wait for the "or run in browser" link to appear after that.

I really don't like macOS installers anyways and passionately hate them as "installing" and App on macOS should be nothing more than moving the .app from a zip or disk image into your /Applications folder. I just don't trust them in not placing additional crap like auto updaters or kext's when I don't need them.

replies(4): >>22737111 #>>22737819 #>>22739780 #>>22739893 #
26. danieldk ◴[31 Mar 20 13:02 UTC] No.22737061{3}[source]
I never understood why Apple still supports the pkg format. It seems a half-baked leftover from the 2000s and even then I was already surprised that there is no way to uninstall things through the macOS GUI. I am not sure if this has changed (I try to avoid pkg files and use Homebrew cask to uninstall such packages), but IIRC you had to list the files with pkgutil on the command-line, remove stuff by hand and then --forget the package.

They should just kill the format. Everything should just be drag to install, drag to trash to remove.

replies(5): >>22737190 #>>22737837 #>>22737980 #>>22747295 #>>22747843 #
27. xenophonf ◴[31 Mar 20 13:03 UTC] No.22737073[source]
I missed the part where Zoom is holding people's computers for ransom, or formatting the drive, or exfiltrating sensitive information to criminals or state intelligence officers, or mining bitcoin, or other similarly malicious behaviors.

An admin can write to /Applications without privilege escalation? That's a macOS bug. If the operating system didn't rely on an 80s-style put-all-the-executables-in-one-place app launch paradigm, maybe there'd be less incentive for app developers to ignore the per-user Applications folder that macOS supports.

An app can spoof or abuse privilege escalation dialogs? That's because macOS doesn't implement an Orange Book-style Trusted Path. It's why Windows and similar operating systems have secure attention keys in the first place.

So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent. They fixed past issues; they'll probably fix this. Meanwhile, these long-standing macOS security flaws won't be addressed by Apple, who has a terrible track record about these things except when it lets people bypass their App Store.

P.S. As an enterprise customer, I'm much more worried about end-to-end encryption in Zoom, and the apparent lack thereof. I'm also not sure how that compares with other video conferencing services.

replies(3): >>22737135 #>>22737296 #>>22737360 #
28. taylortrusty ◴[31 Mar 20 13:06 UTC] No.22737090{4}[source]
They're much more likely to lose it to Microsoft Teams, which has been doing great the last several weeks.
29. scumbert ◴[31 Mar 20 13:08 UTC] No.22737104[source]
Underrated take. They shouldn't be able to do this. This should flag Zoom as PUP for malware removal, if it weren't the new go-to.
30. ilikehurdles ◴[31 Mar 20 13:09 UTC] No.22737108{3}[source]
Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?

Also I regularly attend more than 50-person zoom calls without a hiccup. Google I think requires an enterprise plan to get to that limit, and I don’t even know what the name of their video conferencing product is at this point.

replies(2): >>22738466 #>>22738649 #
31. lukevp ◴[31 Mar 20 13:09 UTC] No.22737111{4}[source]
Why not use Teams Live for this? We have been using zoom and Teams alternately and Teams performance and ease of use has been much better in my experience, but we have yet to do a 200+ all hands so I was curious if there were some footguns with teams live that you may know about. Teams live works on a lot of platforms and also has a web version.
replies(5): >>22737290 #>>22739352 #>>22739661 #>>22740812 #>>22742456 #
32. lukevp ◴[31 Mar 20 13:10 UTC] No.22737125{5}[source]
Teams live can work without logins but you have to make the feed public with a hidden link.
replies(1): >>22745942 #
33. staz ◴[31 Mar 20 13:10 UTC] No.22737127[source]
https://www.theverge.com/2019/7/8/20687014/zoom-security-fla...
34. rainforest ◴[31 Mar 20 13:11 UTC] No.22737135[source]
> So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent.

But... why? What other software vendors look at the OS security model from a viewpoint of 'how do we bypass this as much as possible?' If it's not evil intent, what is it, incompetence?

replies(2): >>22737156 #>>22738561 #
35. mywittyname ◴[31 Mar 20 13:11 UTC] No.22737136{5}[source]
This has been my experience as well. Large companies pay lip-service to security that protects their customers; they want just enough for legal deniability in the event of a breach, but not so much that it impacts operations or profits.

However, they can be...enthusiastic when it comes to security around protecting themselves. If you report an issue with customer information on a public S3 bucket, they might get around to fixing it someday, but if there are "trade secrets" or the like in that bucket, the issue is going to get fixed immediately and someone with a big title probably won't be coming in tomorrow.

36. rainforest ◴[31 Mar 20 13:12 UTC] No.22737143{3}[source]
Zoom has a web client that "just works" but they only show it as an option after they detect that their native client didn't "just work".
replies(2): >>22737546 #>>22738204 #
37. javagram ◴[31 Mar 20 13:14 UTC] No.22737156{3}[source]
It’s about making your software as easy to use as possible.

Users don’t like UAC or having to click through a dozen dialogs. They just want to get into their virtual meeting.

replies(2): >>22737196 #>>22738183 #
38. rainforest ◴[31 Mar 20 13:15 UTC] No.22737159{4}[source]
To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
replies(1): >>22737179 #
39. tantalor ◴[31 Mar 20 13:16 UTC] No.22737179{5}[source]
How hard do you think it is to steal a password once you have root?
replies(2): >>22737310 #>>22740559 #
40. javagram ◴[31 Mar 20 13:17 UTC] No.22737190{4}[source]
In my experience I’ve seen even technical users (Who were used to windows) struggle with the idea of dragging an .app from an open disk image to the Applications folder. They would end up running the app from the disk image and then getting confused when it disappears after restart.
replies(2): >>22737624 #>>22737658 #
41. my123 ◴[31 Mar 20 13:18 UTC] No.22737196{4}[source]
Then Zoom should just make them join the meeting via the web browser!

Zoom does this somehow and doesn't make joining from the web frictionless when they pretty much could have.

42. my123 ◴[31 Mar 20 13:22 UTC] No.22737230{3}[source]
They could have made it just a zip containing an app bundle instead of this mess, but of course they didn't.
43. impendia ◴[31 Mar 20 13:22 UTC] No.22737238{3}[source]
I'm a college professor, and I'll share my perspective.

For one, Zoom did just work. (At least as a participant, rather than an organizer.) I tried it out, and it immediately worked. It did what all of us were expecting, with no fuss.

I also tried MS Teams. It seems designed with a different philosophy: that you use the software to do many different things, and you want them all integrated. (For example, it posted my meetings automatically to my Outlook calendar. I had never used this calendar before, and was only dimly aware that it existed.)

Moreover, it seems that the expected setup is a bunch of people, all at the same workplace, who communicate with each other consistently. My needs are different, with wildly disparate use cases: a departmental meeting; classes to teach; an online conference (https://www.daniellitt.com/agonize/); an online social gathering. Many of the people with whom I communicate don't work for the same employer. And I don't want to configure all of these "teams" in advance.

That said, I tried to get MS Teams up and running, to teach my class. This involved multiple emails back and forth to our tech support (it seems that I can't set up a "team" myself; I have to ask IT to do it for me). It didn't have its own whiteboard functionality so I had to download and run some separate software.

And, then, in the end... it didn't work. I was trying to teach a class, but my students couldn't see what I was doing. I had no idea why.

replies(6): >>22737398 #>>22739151 #>>22740879 #>>22741348 #>>22745843 #>>22746426 #
44. RocketSyntax ◴[31 Mar 20 13:24 UTC] No.22737257[source]
Okay, great. Let's wrap some permissions around it to make this a legit process?
45. reaperducer ◴[31 Mar 20 13:27 UTC] No.22737290{5}[source]
Why not use Teams Live for this?

My wife was on a Teams videoconference last week. 125 people in four locations from New York to Southern California.

An hour into it, half of the people were simultaneously dropped, and not from any particular geography. It was random. And nobody could reconnect for a very long time. It took 45 minutes to restart the meeting.

The company is no longer using Teams.

replies(3): >>22737492 #>>22738220 #>>22741340 #
46. oefrha ◴[31 Mar 20 13:28 UTC] No.22737296[source]
> An admin can write to /Applications without privilege escalation? That's a macOS bug.

/Applications has been root:admin 775 since forever ago. It’s not a bug, and drag this app to (an alias of) /Applications is very standard behavior of dmg installers. Working as designed.

replies(1): >>22738527 #
47. swiley ◴[31 Mar 20 13:30 UTC] No.22737310{6}[source]
It would take an extra step, you have access to the hash and maybe shared memory/SOs but you’d need a second trick to actually steal it.
48. tarsinge ◴[31 Mar 20 13:33 UTC] No.22737349[source]
This is/was maybe true on Windows but on macOS installing an App the standard way is straightforward and any user knows how to do it.
replies(1): >>22737664 #
49. swiley ◴[31 Mar 20 13:33 UTC] No.22737355[source]
This still isn’t a good reason to build a native app instead of just using webrtc.

Someone should make a PSA site that says something along the lines of “don’t install teleconferencing software because it usually bundles malware; your browser already has the technology built in.”

replies(2): >>22738054 #>>22742185 #
50. distances ◴[31 Mar 20 13:34 UTC] No.22737357[source]
I guess it works for some. I've had two Zoom meetings this far, and in both cases the organizer quickly changed to Jitsi as Zoom had distorted audio.

Maybe some incompatible software/hardware at some end? I don't know or even care really, but Jitsi worked well with the same participants both times, while the anecdotal Zoom success rate is still 0% for me.

replies(1): >>22742135 #
51. yardie ◴[31 Mar 20 13:34 UTC] No.22737360[source]
I use MacOS and everything I read in the twitter thread was exactly as expected. MacOS does ask you to escalate. It also asks for privileged access to the camera, microphone, and the keyboard. So when our son had to download and run Zoom for his now online school, I took the opportunity to teach him some basic computer security. Zoom installed into his ~/Applications folder, as a non-admin that was expected. And then it asked for access to his microphone and camera.
52. gwbas1c ◴[31 Mar 20 13:36 UTC] No.22737381[source]
Good point, but: You can do so much in a browser now. Does teleconference software really need an installed client anymore?
replies(4): >>22737419 #>>22737453 #>>22738599 #>>22740795 #
53. wodenokoto ◴[31 Mar 20 13:37 UTC] No.22737393[source]
Having never installed Zoom, and honestly not having photographic memory of how the installation process on MacOS is, how is it supposed to look in the installer?

Also, what happened to just dragging the program into the applications folder? I really liked that way of installing apps, but most things seems to have an annoying click-through wizard.

replies(1): >>22738122 #
54. gameofcode ◴[31 Mar 20 13:37 UTC] No.22737398{4}[source]
You're right, MS Teams is definitly better placed as an org-wide communication/collaboration tool, not an external one. They really need to make it easier to communicate with people in external orgs, the org switcher is my biggest complaint.

FWIW, IT can allow people in certain groups to make their own teams, it's an admin setting.

replies(1): >>22738352 #
55. JoeAltmaier ◴[31 Mar 20 13:40 UTC] No.22737419{3}[source]
In theory. But in practice, as a developer you don't want to depend on the browser support for your whole product. Conferencing features of browsers have been pretty lame, compared to what's possible in a professional product.

{edit} My experience: investor took over our startup, made us switch from bespoke technology to web-based conference features. Every feature was compromised, reliability and capacity reduced by 10X.

56. chadlavi ◴[31 Mar 20 13:44 UTC] No.22737449[source]
Zoom would "just work" if they didn't force you to install software on your computer in the first place. If google meet can do it, zoom can too.
replies(2): >>22737488 #>>22738328 #
57. rsynnott ◴[31 Mar 20 13:45 UTC] No.22737453{3}[source]
Based on my experience with Zoom on the one hand and that Google thing on the other, yes, yes it does.
58. wp381640 ◴[31 Mar 20 13:49 UTC] No.22737488{3}[source]
Google Meet is terrible, there's a reason why everybody switched to Zoom even in an over-crowded market
replies(1): >>22740617 #
59. freehunter ◴[31 Mar 20 13:50 UTC] No.22737492{6}[source]
To be fair I’ve seen the same thing happen with Zoom. During a 2 hour meeting with a client, about half of my team was dropped and couldn’t get back into the meeting for several minutes.
60. drewg123 ◴[31 Mar 20 13:54 UTC] No.22737537{3}[source]
They could have also made it just work in a web browser without having to use workarounds. That's one of the reasons why I strongly prefer Google Meet and get annoyed at vendors that want me to use solutions that require me to install software.
replies(1): >>22737548 #
61. mulmen ◴[31 Mar 20 13:56 UTC] No.22737546{4}[source]
The web client is well hidden, crippled and only works in Chrome.

Gallery view does not exist in the web client. Nor the ability to add cat memes to your background.

62. dbbk ◴[31 Mar 20 13:56 UTC] No.22737548{4}[source]
Conversely, I much prefer a desktop app to Google Meet, since that's stuck in the browser the video can't float PIP when you navigate away from the call
replies(1): >>22742813 #
63. Wowfunhappy ◴[31 Mar 20 13:57 UTC] No.22737550{4}[source]
The script asks for root which subsequently pops up an OS password prompt. Zoom never sees your password.

How is this different from the way e.g. Virtualbox gets root?

replies(2): >>22738134 #>>22738303 #
64. Wowfunhappy ◴[31 Mar 20 14:02 UTC] No.22737603{4}[source]
> hangouts can’t handle many users (is it 10 the limit?), which is a deal breaker for me. we’ve tried and people couldn’t join the call.

My company had a 17 person Hangouts (Meet) meeting on Monday. Actually, we switched to Hangouts from Slack because Slack has a 15 person limit.

Is the limit maybe different for "Hangouts" vs Hangouts Meet?

replies(1): >>22744010 #
65. josteink ◴[31 Mar 20 14:03 UTC] No.22737607[source]
Root-kit authors: watch and learn!
66. Wowfunhappy ◴[31 Mar 20 14:05 UTC] No.22737624{5}[source]
This system worked so much better when the Applications folder was placed in the Dock by default, and everyone used that folder launch applications (which weren't common enough to keep in the Dock directly).

It was actually a really beautiful synergy—you install applications by copying them to a folder, and launch them from that folder. Same way you'd acquire and open files. Lovely.

Then Apple ruined it in Lion with Launchpad. Their app install flow for anything outside of the app store doesn't make any sense.

replies(1): >>22744136 #
67. proffan ◴[31 Mar 20 14:08 UTC] No.22737651[source]
resReitna.7z

Reminds me of tech support XD

68. AnIdiotOnTheNet ◴[31 Mar 20 14:09 UTC] No.22737658{5}[source]
One wonders why Apple didn't just treat DMGs like Application Folders in the first place. If they had an icon and you could run them directly then there wouldn't be any confusion. AppImage works like that and I think it was a wise decision.
replies(1): >>22737872 #
69. aequitas ◴[31 Mar 20 14:09 UTC] No.22737664{3}[source]
Which standard way? You have:

- Install from App store

- Drag and drop the .app from zip/dmg

- Using a .pkg installer (mostly based on Xcode templates)

I'd argue that a lot of users don't know all of these and some even run most of their applications from the ~/Downloads folder.

70. aequitas ◴[31 Mar 20 14:16 UTC] No.22737708[source]
I think it's interesting to see the outcry when Apple poses new restrictions in the application distribution process (like signing and sandboxing) but conversely the same cries go up when there is an App that seems to be abusing loose control mechanisms.

I think a lot of power users rightfully feel they are belittled by sandboxes and application restrictions. But seeing that they are not the major userbase and most Apps don't really need any permissions at all for their intended purpose (the user's purpose at least) I think Apple is moving in the right direction.

replies(1): >>22738169 #
71. kamyarg ◴[31 Mar 20 14:17 UTC] No.22737713{4}[source]
As an employee of a corporate can tell you that they do not care about security more than money. cheaper the better. Money > Security
72. Ididntdothis ◴[31 Mar 20 14:20 UTC] No.22737745{4}[source]
“Enterprise customer DO give a damn about security.“

When I look at IT they give a damn about some security but then completely ignore other huge problems. I think a bigger concern for them is cost, liability and convenience for the administrators.

73. mikorym ◴[31 Mar 20 14:24 UTC] No.22737789{3}[source]
I think you underappreciate one point here: We can still have long term alternatives to Zoom (and we can have them now).

Google and Uber are already difficult to replace or to otherwise challange.

replies(1): >>22737974 #
74. specialist ◴[31 Mar 20 14:27 UTC] No.22737819{4}[source]
App installation should always just be a file copy. Deinstallation should always just be a move to Trash (or ~/Disabled equiv).

IMHO.

I'm even uncomfortable with config scattered everywhere. The continued need for those 3rd party uninstallers is an admission of failure.

Source: released products ported to misc Windows, classic Mac, modern Mac. Our dev, QA, Test, tech supp was always so much easier on Mac. Not least because we could have multiple current versions installed. Which allows troubleshooting, rollbacks, etc.

Caveat: I personally use package managers and am curious to see if Nix becomes the norm. So I may change my mind in the future.

replies(1): >>22740176 #
75. Hackbraten ◴[31 Mar 20 14:29 UTC] No.22737834[source]
If you have Homebrew installed, you can run `brew cask zap zoomus` to get rid of all the things (as far as we know) Zoom has installed.

If you prefer to remove it manually, here’s the list of files and folders Homebrew will delete on `brew cask zap zoomus`:

https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22...

replies(1): >>22756510 #
76. drampelt ◴[31 Mar 20 14:30 UTC] No.22737837{4}[source]
> Everything should just be drag to install, drag to trash to remove.

I wish it were that easy, most apps leave files in other places on your computer like ~/Library that will never get cleaned up if you just move the app to trash.

replies(1): >>22738101 #
77. ◴[31 Mar 20 14:30 UTC] No.22737841{3}[source]
78. rgovostes ◴[31 Mar 20 14:31 UTC] No.22737847[source]
I installed the WebEx client for macOS today and it seemed similar, installing almost instantly without going through the normal EULA, volume selection, etc. flow.

It seems like they've stuck their installation flow into an Installer.app _plugin_ which is unusual. I haven't encountered that before, and I'm somewhat surprised the feature exists considering Apple waged war on loading code into first-party software. (The user is prompted before the plugin loads.)

replies(1): >>22739005 #
79. Wowfunhappy ◴[31 Mar 20 14:34 UTC] No.22737872{6}[source]
Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

The DMGs are a clever way to (A) make sure the app gets to the proper location while simultaneously (B) teaching the user about what's actually happening on their computer. As I said in a sibling comment, this all made much more sense when users also launched apps from the Applications folder directly.

replies(2): >>22738217 #>>22766252 #
80. m-p-3 ◴[31 Mar 20 14:38 UTC] No.22737910{3}[source]
They're using malware-like behaviors to spread out and reach more customers, even at the cost of security.
81. m-p-3 ◴[31 Mar 20 14:41 UTC] No.22737945{4}[source]
Correct, and we blocked zoom.us on the corporate network. No way we're allowing this malware within our walls.

We already have meet.google.com that works well for us, and external clients can easily join through a web browser.

82. ForHackernews ◴[31 Mar 20 14:44 UTC] No.22737974{4}[source]
Uber is trivially easy to replace with Lyft or $generic-taxi-app.
replies(2): >>22738345 #>>22738491 #
83. samcat116 ◴[31 Mar 20 14:44 UTC] No.22737980{4}[source]
One thing to note here: people who administer macOS for organizations basically convert everything to .pkgs (or DMGs). Its the only easy way to silently install application, and perform post install actions like performing licensing or activation steps.
84. manigandham ◴[31 Mar 20 14:48 UTC] No.22738023[source]
1) If Zoom can do this then it's a MacOS security bug.

2) UX matters. Users don't care about the technical details, they want a smooth experience and that can be the difference between a billion-dollar business or a failed startup. And yes the desktop version is more stable than the web-based UI.

3) Malware is defined by what it does, not how it's installed.

replies(3): >>22738241 #>>22738342 #>>22741312 #
85. j1elo ◴[31 Mar 20 14:49 UTC] No.22738037[source]
Some background info for those commenters who say that Zoom should be requiring just a web browser because web browsers already have everything needed (aka. WebRTC). TL;DR summary: they want to do their own thing, outside of what the WebRTC standard allows, that's all (and enough reason for not using WebRTC?)

Zoom doesn't want to use the stock H.264 encoder as provided by the browser for WebRTC communication. Instead, they use their own video encoders and decoders (which while still being H.264, it is presumedly better optimized for their use case). WebRTC forces you to use either the H.264 or the VP8 encoder/decoder that the browser provides.

How they do this is by having their own custom application that you have to install. Still, some users have noticed that there is a well hidden web-based version of Zoom, which works by again running their custom encoders, thanks to WebAssembly. Also it seems that their video is transmitted via DataCahnnels [0].

They are not alone. Companies want to provide additional "value" by innovating outside of what the WebRTC standard offers. That's nice and all, although it of course tends to disgregation and incompatibilities in the long run. For this reason, I've heard talks about how future revisions of the standard might explore adding WebAssembly support, in order to allow everyone embedding their own compiled components into their applications [1].

[0]: https://webrtchacks.com/zoom-avoids-using-webrtc/

[1]: https://webrtcbydralex.com/index.php/2019/11/13/webrtc-stand...

replies(1): >>22738196 #
86. pehtis ◴[31 Mar 20 14:50 UTC] No.22738040[source]
I would highly recommend checking all installers on macOS through Suspicious Package. It will give you a complete picture of all the installer scripts that will be run and all the files that will be written. I did just that for zoom and decided against installing it.
replies(1): >>22739721 #
87. manigandham ◴[31 Mar 20 14:51 UTC] No.22738054{3}[source]
What do you mean by "bundles malware"? What else is it doing besides teleconferencing?
replies(1): >>22738548 #
88. jeroenhd ◴[31 Mar 20 14:52 UTC] No.22738070[source]
As someone who's never used or seen Zoom in action, what's pulling people into Zoom that's not already available in other tools (Hangouts Meet, MS Teams) and even works without installing anything (such as Jitsi)?

Based on what I've seen, there's just so much hostile behaviour by the company (including lying about meeting HIPAA e2e requirements!) and the fact that their _official client_ had parts removed by the macOS malware removal tool that I just don't get why people still consider it as an option. If it were the only "just works" tool out there I'd understand, but there's plenty of competition in this space.

I've personally began using the Jitsi server the local student network association has set up and it's been working like a dream. You can even share a window to others (which I didn't even know browsers had support for) for presentations and such.

replies(4): >>22738110 #>>22738258 #>>22744226 #>>22745963 #
89. Wowfunhappy ◴[31 Mar 20 14:55 UTC] No.22738101{5}[source]
As much as this bothers me because of who I am, I don't think it's a real problem. Those files shouldn't take up significant space unless the developer is doing something stupid.

It might be nice if macOS had some sort of automatic cleanup routine when an app is trashed, but that would either require showing the user an extra dialog (a la AppCleaner's) or introducing an opaque system which could potentially lead to data loss.

replies(1): >>22738249 #
90. milesskorpen ◴[31 Mar 20 14:56 UTC] No.22738110[source]
I use Meet at work. For social gatherings, my friend group exclusively uses Zoom because (a) better tiling (seems small, but you want to see everyone) and (b) video quality seems better.
replies(1): >>22740378 #
91. lonelappde ◴[31 Mar 20 14:57 UTC] No.22738118{3}[source]
Incorrect. Look at the second tweet in the thread. It's a phishing popup that misidentifies itself in order to steal priveleges intended for System, not Zoom.

https://mobile.twitter.com/c1truz_/status/124473767519161958...

replies(1): >>22738224 #
92. jtvjan ◴[31 Mar 20 14:58 UTC] No.22738122[source]
They embedded their installation into a pre-install script. Normally, you'd go through a next-next-next process with a pkg installer, but in this case you get a popup asking you if you want to allow it to "run a program to determine if the software can be installed" (the purpose of pre-install scripts) immediately after opening the pkg, you authenticate, and then the installer just disappears.
replies(1): >>22740399 #
93. e40 ◴[31 Mar 20 14:59 UTC] No.22738130[source]
I can't imagine why anyone logs in and uses macOS as an admin user.

First account I create on a new Mac: admin. Then, when setup is done, I login and create my non-admin user account.

This is a good reason for many reasons, this abusive installer being one.

94. lonelappde ◴[31 Mar 20 14:59 UTC] No.22738134{5}[source]
Because it lies about its identity, calling itself "System" not Zoom.

This is also a MacOS vuln that lets apps lie about their identity in sudo prompts, much like a browser showing an https site with no certificate checking.

replies(1): >>22738200 #
95. lonelappde ◴[31 Mar 20 15:02 UTC] No.22738160[source]
It's not a vulnerability, as the dialog says "run a program" and prompts for confirmation.

It's up to the user's imagination to consider what a program can do.

The prompt is terribly worded though.

replies(1): >>22747139 #
96. lonelappde ◴[31 Mar 20 15:03 UTC] No.22738169{3}[source]
It's possible to things wrong in more than one way.
97. lonelappde ◴[31 Mar 20 15:04 UTC] No.22738183{4}[source]
Zoom could be honest about what it doing instead of going to extreme lengths to conceal it
98. xorcist ◴[31 Mar 20 15:05 UTC] No.22738196[source]
Right. It's also important to understand when the reason to build non-standard things are just "productization" (intended to open the wallets of enterprise clients) and when it is because it really provides a better service to the end user.

Having native code running in every client makes a service provider more valuable. It is much the same reason service providers would rather have you running their app on mobile than utilizing the web browser.

This link provides a bit of background to the webrtchack articles above and give a bit of background to when WebRTC is sufficient:

https://bloggeek.me/webrtc-vs-zoom-video-quality/

99. Wowfunhappy ◴[31 Mar 20 15:05 UTC] No.22738200{6}[source]
macOS allows apps to write arbitrary lines of text above password prompts, which is what Zoom is doing. I don't see how that's different from a shell script echo'ing something before a sudo prompt.

How would you design this system?

replies(1): >>22740596 #
100. aeyes ◴[31 Mar 20 15:06 UTC] No.22738204{4}[source]
That's weird, when I open a meeting link (which would open the native client) at the bottom of the page it says "If you cannot download or run the application, join from your browser.".

I have the native client and it still shows me this option.

replies(1): >>22812522 #
101. danieldk ◴[31 Mar 20 15:07 UTC] No.22738217{7}[source]
Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

Some applications offer to move themselves to the /Applications folder when started the first time outside /Applications or ~/Applications. Though in general, it would be better if Apple made it more attractive to publish in the App Store, since it brings other advantages (e.g. mandatory sandboxing).

replies(2): >>22738918 #>>22745753 #
102. mgkimsal ◴[31 Mar 20 15:07 UTC] No.22738220{6}[source]
have only recently started using teams with one client. small group (max 6 folks I think) and... we've had issues with it - someone's video freezing, audio garbled/dropping, etc - twice in 2 days. but... I'm sort of chalking it up to potentially overloaded/bad net connections in the wake of all the WFH and remote meeting stuff being used. We had issues with connecting to zoom (and their phone numbers) last week as well, so I'm not ready to pull the plug on teams entirely until we have more experience under our belts.
103. Wowfunhappy ◴[31 Mar 20 15:08 UTC] No.22738224{4}[source]
That's still an OS prompt, they just put their own message at the top, as you're allowed to do.
replies(1): >>22741551 #
104. keymone ◴[31 Mar 20 15:09 UTC] No.22738241[source]
is botnet agent not malware? it's not doing anything until the operator sends the payload.
replies(1): >>22738757 #
105. danieldk ◴[31 Mar 20 15:10 UTC] No.22738249{6}[source]
Indeed, data outside the application folder usually consists of a preferences plist and saved application state. Of course, there could be caches as well, which could take up a fair amount of disk space.

But I think the primary argumentation in favor of what macOS does now on drag-to-trash is that the users preferences are preserved, for when they install an application again.

106. aeyes ◴[31 Mar 20 15:11 UTC] No.22738258[source]
I use Zoom, Hangouts, Slack and WebEx. Out of those Zoom has the best call quality, and it is the only solution out of the 4 on which huge meetings (50+ persons) are workable.
replies(2): >>22738653 #>>22740636 #
107. xorcist ◴[31 Mar 20 15:12 UTC] No.22738271{3}[source]
> it’s an attempt to optimize install conversions

I love creative uses of language like this!

Be right back, I just have to optimize install conversions of my botnet client.

replies(1): >>22738812 #
108. auiya ◴[31 Mar 20 15:15 UTC] No.22738303{5}[source]
It's not making the proper privilege escalation call, it's faking the box entirely. There's even a typo in the dialog box.
replies(2): >>22738340 #>>22742584 #
109. ◴[31 Mar 20 15:18 UTC] No.22738324[source]
110. fiddlerwoaroof ◴[31 Mar 20 15:18 UTC] No.22738328{3}[source]
Doesn’t Google Meet depend on a browser plugin they make you install the first time? Hangouts did.
replies(1): >>22738583 #
111. Wowfunhappy ◴[31 Mar 20 15:19 UTC] No.22738340{6}[source]
...are you sure? I'm pretty sure that code just pops up the system box to get privileges, with a custom message at the top.

I'm running Mavericks—the last version of macOS before they made the UI flat—and the prompt didn't look out of place. If Zoom is indeed faking the box, they actually went through the trouble to make a separate version for Mavericks with Mavericks-style visuals.

112. Gaelan ◴[31 Mar 20 15:19 UTC] No.22738342[source]
I mean, it's not really a security bug. Installer.app displays a dialog box that says "Hey, this package wants to run arbitrary code to check if it's compatible with your system. Is that OK?" The user is explicitly opting into the code execution. Zoom's "compatibility check" installs the app and kills the installer window. That's certainly unexpected behavior, but I don't think it's an exploit in any real sense.

While normally I'd object to running arbitrary code with just an easily-skippable dialog as confirmation, but I think it's OK in this case where the expectation was that we're installing their software anyway.

replies(3): >>22738808 #>>22742516 #>>22742693 #
113. minhazm ◴[31 Mar 20 15:19 UTC] No.22738345{5}[source]
Lyft only operates in US and Canada. Uber is available in 63 countries. The convenience you get just having that one Uber app work is not easily replaced. But yeah you could always try to find the local ride sharing companies app, but it can be far less convenient.
replies(1): >>22738721 #
114. Onawa ◴[31 Mar 20 15:20 UTC] No.22738352{5}[source]
Working within the US NIH, we are forced to submit a ticket for creating any new teams and the entire Teams/Office 365 ecosystem is entirely crippled for us. All new features take forever to be approved and brought online, as well as additional connectors and apps having to go through an extensive 6+ month-long vetting process before being approved.

Makes using Teams quite a hassle, but with Skype for Business being the only other approved option for internal chat, it's better than nothing.

replies(1): >>22739616 #
115. danans ◴[31 Mar 20 15:23 UTC] No.22738381[source]
For those calling this a security vulnerability in MacOS, isn't this just using a GUI equivalent of "sudo"? There may be a decent argument that a consumer OS shouldn't offer such a sudo-like API to installers, but MacOS probably does this for legacy app support reasons.

IMO the better question in this case is why Zoom needs to be installed as admin on MacOS? After all, the mobile apps and chrome extension don't need those privileges.

replies(1): >>22742789 #
116. fermienrico ◴[31 Mar 20 15:26 UTC] No.22738420[source]
Also, Zoom's entire engineering team is based in China [1]. China and Chinese companies have no real culture of user centric privacy.

[1] https://news.ycombinator.com/item?id=22707528

Edit: Why downvote me? I am not trying to stir up flame wars. Saying anything against China has become impossible to do on HN. Voices get drowned despite of raising real legitimate concerns about privacy, especially for a tool used by millions all of a sudden during this pandemic. People should be speaking up on HN. I know, I am not supposed to complain about downvotes on HN, I've read the guidelines.

Edit2: Not able to find the source for Tianjin datacenter, I will reply if I can find it. Please take it with a grain of salt.

Edit3: Holyshit, so much attention on my comment. Redacting unsubstantiated claims and adding more sources that can be traced on the wikipedia section of Zoom privacy criticisms: https://en.wikipedia.org/wiki/Zoom_Video_Communications#Crit...

replies(7): >>22738794 #>>22739169 #>>22739249 #>>22739344 #>>22739350 #>>22739377 #>>22739873 #
117. grimjack00 ◴[31 Mar 20 15:26 UTC] No.22738424{3}[source]
> While Google and Microsoft both offer a product that "just works" with only a browser.

But those products don't always "just work", at least not in my recent experience. I have had repeated problems with Google meetings while working with an external entity, and most of my employer is a Microsoft shop, so I've had deal with issues with both Teams and Skype, both via browser and OS X app.

118. untog ◴[31 Mar 20 15:27 UTC] No.22738434[source]
It just amazes me that the "just works" solution here is still a native app. Plenty of reasons to use native apps but in 2020 video conferencing really isn't one: WebRTC is capable and supported by every major desktop and mobile browser. It's literally one click and you're done!
replies(1): >>22738664 #
119. bruckie ◴[31 Mar 20 15:30 UTC] No.22738466{4}[source]
> Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?

For Google, the answers are "sorta but not really", and "no":

https://support.google.com/meet/answer/9303164: "Note: Guests on the web don't need a Google account to participate in a meeting." The initiator of a meeting needs a G Suite account, but others can join without one.

https://gsuite.google.com/learn-more/security/security-white...: "Google does not collect, scan or use data in G Suite Core Services for advertising purposes."

(Speaking for myself, not Google.)

120. aembleton ◴[31 Mar 20 15:32 UTC] No.22738491{5}[source]
How do you persuade enough taxi drivers to use $generic-taxi-app in enough areas to make it worthwhile for someone to choose to use it instead of Uber?
121. xenophonf ◴[31 Mar 20 15:34 UTC] No.22738527{3}[source]
That behavior goes all the way back to Classic Mac OS. If the above is working as designed, then Zoom automating the copy-app-to-/Applications process doesn't really seem that hinky to me.
replies(1): >>22738562 #
122. bruckie ◴[31 Mar 20 15:37 UTC] No.22738548{4}[source]
https://daringfireball.net/2020/03/regarding_zoom

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...

https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-s...

replies(1): >>22739806 #
123. xenophonf ◴[31 Mar 20 15:37 UTC] No.22738561{3}[source]
/Applications is writable by admins. There is no O/S security model to bypass.
replies(1): >>22739129 #
124. oefrha ◴[31 Mar 20 15:37 UTC] No.22738562{4}[source]
It’s a weird thing to do, but I don’t find it particularly concerning, no. You launched the installer after all. (I do use Suspicious Package to quicklook pkgs myself, FWIW.)
replies(1): >>22738685 #
125. bruckie ◴[31 Mar 20 15:39 UTC] No.22738583{4}[source]
No, it uses WebRTC. https://support.google.com/meet/answer/7317473
replies(1): >>22741146 #
126. m0dest ◴[31 Mar 20 15:41 UTC] No.22738599{3}[source]
For better or for worse, WebRTC is very opinionated about codecs and transports. Those might be great choices for some scenarios, but no developer wants their whole business to be constrained it.
127. rwmj ◴[31 Mar 20 15:41 UTC] No.22738601[source]
They probably learned a lesson from Whatsapp which was a nightmare of insecurity in the early days that cutting corners gets results and approximately no one cares (except the tiny minority like us who would never use it anyway).
128. deelowe ◴[31 Mar 20 15:44 UTC] No.22738649{4}[source]
I don't think either of those are true for meet.
129. SiempreViernes ◴[31 Mar 20 15:45 UTC] No.22738653{3}[source]
I've used another software for big meetings, now called Vibe, which works if I close chrome and patiently wait for the bloated java app to expand into all available memory before trying to take any action... it's not great.

Zoom manages to run without crashing doesn't force me to close a browser and waiting a lot, so that's an advantage.

130. Saaster ◴[31 Mar 20 15:46 UTC] No.22738664{3}[source]
None of the WebRTC based options just work, they're all glitchy and cannot scale up to even moderate amounts of users. We have Google Hangouts Meet for free for our org, and we still pay for Zoom because It Just Works.
replies(4): >>22738743 #>>22738960 #>>22739978 #>>22740678 #
131. jopolous ◴[31 Mar 20 15:47 UTC] No.22738677[source]
On a simpler level, zoom on macOS sketches me out in lots of ways.

My macbook's bluetooth will not connect to my earbuds, but only when zoom is running. Other audio recording/playing apps don't affect things at all. What the heck is going on here?!

Scrolling on settings panels is definitely their own home-brewed scrolling functionality. Why?! Was macOS's not cutting it for some reason?

The settings menu is very clearly not using native OS buttons and inputs. Why?! Why build your own? What is that for?

replies(1): >>22739495 #
132. xenophonf ◴[31 Mar 20 15:47 UTC] No.22738685{5}[source]
Having write access without privilege escalation to executable packages run by all users on a multiuser computer is a significant security risk. That's one of the ways an attacker can pivot into other systems from a compromised computer.
replies(1): >>22738730 #
133. ForHackernews ◴[31 Mar 20 15:50 UTC] No.22738721{6}[source]
Only a tiny minority of wealthy people frequently travel internationally. This is not a major selling point that will save Uber.
134. unlinked_dll ◴[31 Mar 20 15:50 UTC] No.22738725{3}[source]
Same question. Not because of the browser thing but just because it doesn't "just work" for me or my team.
135. oefrha ◴[31 Mar 20 15:50 UTC] No.22738730{6}[source]
root:admin 775 is only writable by the admin group, I’m not sure where you got the idea that all users have write access.

The situation here is an admin explicitly executing a program that writes to a directory that they have write access to.

Edit: corrected typo 755 => 775.

Edit 2: Okay, I read what you wrote again and can now see I misunderstood. However,

1. macOS is primarily single user (or at least single household) given how it's actually used. In actual multiuser settings admins don't typically muck around with their admin account.

2. Typically other users can read/execute a lot of stuff that's not root anyway. For instance, on research group Linux servers people would often tell you to just execute something in their home directory.

136. x0x0 ◴[31 Mar 20 15:52 UTC] No.22738743{4}[source]
Yeah. And high fidelity sync between audio (ideally via phone). Maybe someone does it, but we tried _all_ vendors and settled on Zoom. And screen annotations, and the ability to remember participants' phones and dial them directly (replaces them having to type 9 digit numbers into their phones), etc.

Also, Zoom has reached a critical mass where, particularly for sales calls, the remote party is quite likely to have it installed. The network effect here is really valuable.

137. manigandham ◴[31 Mar 20 15:53 UTC] No.22738757{3}[source]
A botnet agent is designed to take control and run a bot, so yes it's malware. It doesn't have to be actively doing it at that moment to be considered such.
replies(1): >>22742082 #
138. manigandham ◴[31 Mar 20 15:56 UTC] No.22738808{3}[source]
You're right, it's more of a design issue. More explicit permissions on altering the Applications folder could help. Then again, most people want an easier install so this is really for those who want that extra control.
139. x0x0 ◴[31 Mar 20 15:57 UTC] No.22738812{4}[source]
Or, you know, decrease the failure rate of people legitimately attempting to install Zoom. It's quite reasonable to ask why on earth apple requires more than one click for a user to say "I want this program to run on my computer; make it happen."
140. Wowfunhappy ◴[31 Mar 20 16:06 UTC] No.22738918{8}[source]
Yeah, and that's a fine solution given the situation Apple has left us in. But it's also kind of a hack, which shouldn't have become necessary.

Also, personally, I sometimes purposefully put apps in places other than /Applications—for example, I like to keep games in their own Games folder. And then the dialogs are kind of annoying.

141. bwb ◴[31 Mar 20 16:09 UTC] No.22738960{4}[source]
Same here, we used hangouts for the longest time but it got worse. Zoom just works perfectly all the time.
142. mrpippy ◴[31 Mar 20 16:12 UTC] No.22739005[source]
Ughhh, this is probably where Zoom got the idea from.
replies(1): >>22740937 #
143. neuronic ◴[31 Mar 20 16:18 UTC] No.22739109{4}[source]
This is hilariously wrong. I brought up Zoom issues at our enterprise client - no one gives a shit (this is in Germany, so rather privacy focused). As a consultant I felt a need to bring the issues up, backed with sources of course.

So why does no one care? Because Zoom UI/UX apparently works 100x better than most other solutions. People dont even REACT when I mentions Jitsi or just using the Teams solution that every Microsoft customer has anyways.

The enterprise I was talking about is using a mix of Microsoft Teams and Zoom. Our team started with Teams, now we are using Zoom because I don't even know. Others also move from Teams to Zoom.

I bring this up to lots of people and the response is rolling eyes and "shut the fuck up" in business euphemisms. Zoom is viral now and privacy has no say in its success.

replies(1): >>22739960 #
144. rainforest ◴[31 Mar 20 16:19 UTC] No.22739129{4}[source]
It has a pre-flight script (which isn't supposed to change anything) that installs it (and its browser extensions, and a kernel extension at some point in the past) in the most widely available place the current user has privileges to (it installs in their home directory if they aren't an admin).

So yes, there is some blame to be laid at the OS for running binaries with the privileges the current user has, but it's clear that the installer doesn't behave like a regular installer would.

145. alasdair_ ◴[31 Mar 20 16:20 UTC] No.22739146{3}[source]
Google has messenger and hangouts and another video conferencing solution that I don't recall.

The reason we ditched hangouts for zoom a few years ago was that hangouts only supported up to ten users, including users whose connection had died and so they had to re-enter the room again. This became extremely annoying - having to stop a conference mid-call to ask some people to disconnect so others could enter, or trying to find out how to kick "ghost" users, was definitely not "just works".

replies(1): >>22740586 #
146. lostmsu ◴[31 Mar 20 16:21 UTC] No.22739151{4}[source]
It does not "just work" for me. First, it required a separate client, when even Skype does not.

Second, it does not support my browser.

replies(1): >>22739397 #
147. kerng ◴[31 Mar 20 16:22 UTC] No.22739169[source]
Thanks for sharing. I'm not too concerned about engineering happening in China but data storage seems problematic, especially because of the lack of encryption on their side.

The post or the CNBC link don't seem to have the word Tianjin in them (comments do). Can you provide more details or another source?

If that's indeed true I won't be hopping on a Zoom call later this week with my bank for instance.

replies(1): >>22739296 #
148. nothrabannosir ◴[31 Mar 20 16:28 UTC] No.22739249[source]
You get downvoted because every post critical of China gets hit, regardless of quality or veracity.
replies(1): >>22739266 #
149. dang ◴[31 Mar 20 16:30 UTC] No.22739266{3}[source]
The post has been heavily upvoted, and what you've said isn't close to true. Please read and follow the site guidelines: https://news.ycombinator.com/newsguidelines.html
150. dang ◴[31 Mar 20 16:31 UTC] No.22739278{3}[source]
Please stop posting unsubstantive comments here.
151. fermienrico ◴[31 Mar 20 16:32 UTC] No.22739296{3}[source]
I'll try to dig out where I read it - Google isn't helping. I am gonna edit my comment to clarify about the source.
152. zorked ◴[31 Mar 20 16:36 UTC] No.22739344[source]
Your comment is at the top. Please don't complain about downvoting.

"China and Chinese companies have no real culture of user centric privacy."

Citation needed. That's one billion individuals you are talking about.

replies(1): >>22739378 #
153. dang ◴[31 Mar 20 16:36 UTC] No.22739350[source]
Please don't break the site guidelines [1] by going on about downvoting. Your comment has been heavily upvoted. Meanwhile complaints like that linger on as off-topic and false, and don't garbage-collect themselves.

You can use HN Search to verify that HN sees plenty of comments "saying anything against China". The topic is extremely flame-prone because people are wont to hurl generalizations at each other, and worse. Nationalistic flamebait and flamewar is a big problem on HN [2] and destructive of the spirit of this site [1]. Individuals have been attacked here for just for expressing their views while being (or being assumed to be) Chinese, and at least one person was hounded off the site altogether. I'm sure you'll agree that that's shocking and not at all the community we want to be. None of us wants it, but it's easy to get it anyway, once such flames get going.

I don't think your comment was nationalistic flamebait, except insofar as it was rather unsubstantive. Unsubstantive comments on inflammatory topics are guaranteed to come across in a flamey way to some segment of the readership, even when that wasn't your intent. Intent doesn't communicate itself, unfortunately, so the burden is on the commenter to disambiguate [4].

[1] https://news.ycombinator.com/newsguidelines.html

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

[3] https://news.ycombinator.com/item?id=21200971

https://news.ycombinator.com/item?id=21195898

https://news.ycombinator.com/item?id=19404162

https://news.ycombinator.com/item?id=22608635

[4] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

replies(1): >>22739476 #
154. alasdair_ ◴[31 Mar 20 16:37 UTC] No.22739352{5}[source]
The only Teams Live meeting I've ever tried to join, we had two people who gave up because their web version didn't support Safari without having to manually go deep into their preferences and change settings from the default.
155. ◴[31 Mar 20 16:39 UTC] No.22739377[source]
156. dang ◴[31 Mar 20 16:39 UTC] No.22739378{3}[source]
I don't think it's fair to call that borderline racist. That's an extremely strong word; let's not escalate where it isn't needed. The problem with the statement is that it doesn't come with any substantiation, or additional information.
replies(1): >>22739407 #
157. floatingatoll ◴[31 Mar 20 16:40 UTC] No.22739397{5}[source]
Your unstated criteria for "just work" are "just work in browser", which differs from the definition used by the comment you're replying to.

That is not universally shared among others, including the non-technical folks that Zoom is being widely adopted by.

replies(2): >>22739458 #>>22741985 #
158. zorked ◴[31 Mar 20 16:41 UTC] No.22739407{4}[source]
Edited. Feel free to delete my comment, it's redundant now.
replies(1): >>22739564 #
159. stingraycharles ◴[31 Mar 20 16:46 UTC] No.22739458{6}[source]
You’re being downvoted fairly heavily, which I think is unfair. Even though some other people might not agree, it’s a valid argument to make.
160. fermienrico ◴[31 Mar 20 16:47 UTC] No.22739476{3}[source]
Understood, thanks and accept my apologies. I have some feedback - please make exceptions when discussing fact based discussions around privacy when it is not tending towards flame wars, especially related to Chinese influence and erosion of privacy. I can see why this can lead to flame wars but that's where you should step in and moderate. I just read your links to people getting harrased if they are Chinese, that's not cool.
replies(1): >>22739597 #
161. jcelerier ◴[31 Mar 20 16:49 UTC] No.22739495[source]
> My macbook's bluetooth will not connect to my earbuds, but only when zoom is running.

that sounds like something related to this bug : https://www.jeffgeerling.com/blog/2018/airpods-get-stuck-low...

replies(1): >>22740258 #
162. w1ntermute ◴[31 Mar 20 16:52 UTC] No.22739536{3}[source]
As someone who has used a variety of VTC products (Zoom, Webex, BlueJeans, Teams, Skype, etc.) for several years on a daily basis (lots of external VTCs with different companies who use different VTC systems), Zoom is by far the best. The audio and video quality is head and shoulders above the rest (both on PC and mobile) and the interface is dead simple for even the least tech-savvy users.

My company uses Zoom, and there have been many instances where, during a VTC call set up by someone at another company (that doesn’t use Zoom), we have switched mid-meeting to Zoom because there’s something wrong with the other VTC system (someone can’t join, can’t hear, can’t speak, can’t share their screen, etc.). And the other options haven’t gotten noticeably better over the years either.

163. dang ◴[31 Mar 20 16:54 UTC] No.22739564{5}[source]
I think the edited version of your comment is just fine.
164. whatever_dude ◴[31 Mar 20 16:57 UTC] No.22739595{3}[source]
Zoom has a browser version as a fallback.

Most people use the standalone app because indeed it "just works". That's why you don't hear much about its browser client.

replies(1): >>22742630 #
165. dang ◴[31 Mar 20 16:57 UTC] No.22739597{4}[source]
I think my comment addresses this, but perhaps you were replying to an earlier version, or perhaps I wasn't clear enough. What you posted was trending towards flamewar, even though you didn't intend it that way. Telling moderators to "step in and moderate" isn't sufficient to solve this problem. For one thing, we don't come close to seeing all the material that gets posted—there's far too much. We do step in, but we also need users like you to understand the problem a bit differently. If you're going to comment on an inflammatory topic, you need to make sure your comment is substantive, i.e. contains solid information and not just grand claims. And you should be careful to narrow its scope explicitly to what the information supports. Fortunately that should also be enough to make it clear that your intent isn't just to post pejoratives about other people.
166. basch ◴[31 Mar 20 16:59 UTC] No.22739616{6}[source]
Those are all organizational decisions, and not out of the box defaults. Microsoft is trying very hard to persuade organizations not to make those decisions.

Completely free teams creation does come at a cost. It makes data governance much more complicated. People creating duplicate places for things they didnt know already existed. A lack of naming convention, to be able to analyze what exists. Microsoft is pushing for people to just be able to get things done, at the expense of organization.

replies(1): >>22742833 #
167. rickyc091 ◴[31 Mar 20 17:01 UTC] No.22739641{3}[source]
Google requires you to have a Google account. Kids in middle school (ages 12-14) and younger typically don't have an email address. Zoom, on the other hand, lets you join a call without logging in. You can even join straight from the browser if needed without installing anything.
replies(1): >>22740565 #
168. basch ◴[31 Mar 20 17:03 UTC] No.22739661{5}[source]
The predecessor, Skype Broadcast allowed completely anonymous viewing, basically a twitch or youtube stream. In the name of growth hacking, the Teams team decided to force people to the app, you couldnt watch the video stream from a mobile device without the teams app. Which is a huge amount of friction for a mobile workforce that isnt using teams.

Maybe this has changed since I last talked to Microsoft, but even their own team was unhappy with it. But if you still have access to broadcast.skype.com, it still works, until they decide it shouldnt.

169. twodayslate ◴[31 Mar 20 17:08 UTC] No.22739721{3}[source]
https://mothersruin.com/software/SuspiciousPackage/ for those curious
replies(3): >>22740875 #>>22741650 #>>22744660 #
170. tambourine_man ◴[31 Mar 20 17:08 UTC] No.22739735[source]
Zoom's got a tradition of being, let's put it like this, way too clever for everyone's own good.

See previous “lets install a server on this Mac that is not removed when you uninstall the app and leaves your camera open to the entire internet” for more examples.

I use it on a VM, I suggest you do it too.

replies(3): >>22741425 #>>22742487 #>>22742581 #
171. pjkundert ◴[31 Mar 20 17:09 UTC] No.22739741{3}[source]
I've been working remotely for years.

In my experience, every other solution I've tried is a train-wreck, compared to Zoom (MacBook Pro w/ external Apple monitors). And, as far as I remember, I've tried them all, repeatedly.

Even first-class platform-specific solutions like FaceTime are, basically, unusable vs. Zoom. Its amazing, actually. I'm not quite sure how Apple managed to make FaceTime's audio just not work (almost ever), and Zoom just works, every time, on every platform.

172. tardo99 ◴[31 Mar 20 17:09 UTC] No.22739747{4}[source]
My company has used Hangouts for years with zero problems. Zoom is mostly just hype.
173. enedil ◴[31 Mar 20 17:12 UTC] No.22739780{4}[source]
In fact, if you change URL from /j/CONFERENCE_NUMBER to /wc/join/CONFERENCE_NUMBER you won't be needing to wait for that link.
replies(1): >>22742016 #
174. manigandham ◴[31 Mar 20 17:15 UTC] No.22739806{5}[source]
To be clear, that's a security issue with their software but not malware. It's not intended or designed to harm your device.
175. kiliancs ◴[31 Mar 20 17:19 UTC] No.22739848{3}[source]
From my perspective, working in the browser is not necessarily "just working", because for many combinations of OS/hardware, the performance is terrible and not only eats battery and will slow down other programs, but also affects the quality of the call (audio and video).
replies(1): >>22740301 #
176. ◴[31 Mar 20 17:21 UTC] No.22739873[source]
177. Wowfunhappy ◴[31 Mar 20 17:22 UTC] No.22739893{4}[source]
> Normally we use Teams or Slack for internal communication

> to run Zoom in the browser [...] I have to use Chrome instead of Firefox.

Just a note, Slack and Teams calls also won't work in Firefox. It's really annoying.

Hangouts works fine in Firefox though, somewhat unexpectedly.

replies(1): >>22741460 #
178. president ◴[31 Mar 20 17:28 UTC] No.22739960{5}[source]
Could also be an issue of pricing. I wouldn't be surprised if Zoom is cheaper than MS. Maybe someone with knowledge on the sourcing side could comment on that.
replies(1): >>22746613 #
179. basch ◴[31 Mar 20 17:30 UTC] No.22739978{4}[source]
Even having the "unblock this site from camera and microphone" burried in the browser chrome or settings pages somewhere is a dealbreaker. It's too easy for people to mindlessly click "no" to can this access your microphone, because of the way the browser pops it up during first use, instead of during "install."
replies(1): >>22740764 #
180. johannes1234321 ◴[31 Mar 20 17:43 UTC] No.22740176{5}[source]
If the file is only moved to trash it will keep configuration and other artefacts around or not support such features or the file ahs to be mutable, which is questionable from a security pov
replies(1): >>22760608 #
181. jwr ◴[31 Mar 20 17:46 UTC] No.22740219{3}[source]
> I'm still curious why everyone thinks Zoom "just works" while others don't.

I'm also curious. I subscribed to Whereby (https://whereby.com/), where I can send people a URL, which they click and land in my conference room. There is ZERO software they need to install.

[For all the "well, actually" folks: yes, it "only" works in every modern browser out there, and it works "only" for up to 12 people. Fine with me.]

Zoom has more features, but there are many other solutions that work much better and are WAY simpler. It's just that Zoom is well known, and it's easiest to choose the tool that everyone has heard about.

replies(2): >>22740899 #>>22748719 #
182. jopolous ◴[31 Mar 20 17:48 UTC] No.22740258{3}[source]
Nice, that's pretty much what I had to do to fix this. I used the bluetooth explorer to force AAC, and force zoom to use the internal MacBook mic
183. sgustard ◴[31 Mar 20 17:52 UTC] No.22740301{4}[source]
Also, granting a website access to my camera, granting access to my microphone, and so on; which are really not functions I want to be granting any websites. I don't run a browser to have it randomly turn on surveillance devices. I prefer to run an app to access my camera and quit it when I'm done.
184. giovannibajo1 ◴[31 Mar 20 17:58 UTC] No.22740378{3}[source]
There’s a chrome extension to do tiling:

https://chrome.google.com/webstore/detail/google-meet-grid-v...

Which is even more infuriating because it shows that missing tiling in Meet is just a frontend issue.

I’m completely baffled that this is not implemented.

replies(1): >>22761722 #
185. giovannibajo1 ◴[31 Mar 20 18:00 UTC] No.22740399{3}[source]
Before that, when they had the shady web server, the zoom application would pop up immediately connected to the right meaning, as your browser would be “waking it up” via http. It looks like they still haven’t fixed this after they removed the http server.
186. jedieaston ◴[31 Mar 20 18:14 UTC] No.22740559{6}[source]
It should be impossible with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.

https://apple.stackexchange.com/questions/344117/mac-10-13-1...

replies(1): >>22741172 #
187. benhurmarcel ◴[31 Mar 20 18:14 UTC] No.22740565{4}[source]
> Google requires you to have a Google account

Not for joining a meeting, no. You just type your name.

188. benhurmarcel ◴[31 Mar 20 18:15 UTC] No.22740586{4}[source]
Google Meet supports up to 250 participants in the enterprise version.
189. jedieaston ◴[31 Mar 20 18:16 UTC] No.22740596{7}[source]
Don't allow the application to do any of it, and when the app asks for access, have the system instead say "{processName}.app is requesting {permissionFlavorText}. Enter a name and password to continue."
190. benhurmarcel ◴[31 Mar 20 18:16 UTC] No.22740603{4}[source]
Google Meet supports up to 250 participants, on the Enterprise version. Also it doesn't require an account to join.
191. benhurmarcel ◴[31 Mar 20 18:17 UTC] No.22740617{4}[source]
What's your problem with Meet? We've switched to it massively after issues with Webex, and it's all very good.
192. benhurmarcel ◴[31 Mar 20 18:19 UTC] No.22740636{3}[source]
I've been in Google Meet meetings with 100 to 150 participants, it worked fine.
replies(1): >>22744236 #
193. benhurmarcel ◴[31 Mar 20 18:22 UTC] No.22740678{4}[source]
Maybe it has to do with the plan you have? I've used Google Meet with up to ~150 participants and it was fine, but we have an Enterprise account.
194. noahtallen ◴[31 Mar 20 18:29 UTC] No.22740764{5}[source]
True. Even the adblocker and autoplay blockers can prevent video and audio from working in Hangouts. I have had issues with hangouts when joining meetings with important people — and my browser’s autoplay block feature prevented the video feed from working.
195. noahtallen ◴[31 Mar 20 18:31 UTC] No.22740795{3}[source]
Browser blocking and plugin features can prevent it from working. For example, I’ve been in hangouts meetings where the video feed wouldn’t load because autoplay was blocked on the browser. Of course, you can work around that, but having the Zoom desktop client provides a reliable experience without any tweaking
196. aequitas ◴[31 Mar 20 18:32 UTC] No.22740812{5}[source]
I don't know of any, but our teams uses Slack, not Teams. Barely any complaints about Slack video chat btw, but that's all small sessions anyways.
197. 0xff00ffee ◴[31 Mar 20 18:34 UTC] No.22740838[source]
One suggestion...

My company has been using Gotomeeting for 5+ years. No video (thankfully), but meetings are generally 20-30 people and largely seamless.

It is expensive: $300 per seat to host a meeting, but it pretty much just works. The UI is annoying and could be simpler.

However, I don't know if it is as shady as Zoom because I don't think anyone has done a deep dive.

198. 0xff00ffee ◴[31 Mar 20 18:37 UTC] No.22740875{4}[source]
Oooh this is good. A few years ago I came home drunk and wanted to watch this old film that wasn't on any channels. I found it on some dubious website, which required me to install a player .dmg. I drunkenly typed in my password, and then an hour later was like: dafuq did I just do?!? Next day I re-imaged my mac because I'm both paranoid and don't know enough about secops.

SuspiciousPackage wouldn't have helped combat Drunk Install Syndrome, but it might have been a helpful tool before I nuked my OS.

Or maybe this is just good marketing for SuspiciousPackage, which is really malware. Well played.

replies(1): >>22744841 #
199. gentleman11 ◴[31 Mar 20 18:37 UTC] No.22740879{4}[source]
Zoom doesn’t just work. If the students want privacy, they are just helpless.

Edit: downvoted for speaking up for student rights. Sorry if it is inconvenient for the teachers

replies(2): >>22741275 #>>22741745 #
200. gentleman11 ◴[31 Mar 20 18:38 UTC] No.22740886{4}[source]
I don’t think you can get much more reliable or simpler then whereby.com
201. gentleman11 ◴[31 Mar 20 18:39 UTC] No.22740899{4}[source]
To be more specific, whereby seems to be free for up to 4 people, but then they claim to be able to support 50. Never tested it with 50
replies(2): >>22743403 #>>22747178 #
202. cpeterso ◴[31 Mar 20 18:41 UTC] No.22740937{3}[source]
Zoom was founded by Eric Yuan, a lead engineer from Cisco's WebEx business unit.
203. gentleman11 ◴[31 Mar 20 18:44 UTC] No.22740973[source]
> Zoom has been criticized for its data collection practices,[45] which include its collection and storage of "the content contained in cloud recordings, and instant messages, files, whiteboards" as well as its enabling employers to monitor workers remotely;[46][47] the Electronic Frontier Foundation warned that administrators can join any call at any time "without in-the-moment consent or warning for the attendees of the call."[48] The Ministry of Defence of the U.K. banned its use.[49][50] During signup for a Zoom free account, Zoom requires users to permit it to identify users with their personal information on Google and also offers to permanently delete their Google contacts.

Widespread use of Zoom for online education during the novel coronavirus pandemic increased concerns regarding students' data privacy and, in particular, their personally identifiable information.[17] According to the FBI, students’ IP addresses, browsing history, academic progress, and biometric data may be at risk during the use of similar online learning services.[17] Privacy experts are also concerned that the use of Zoom by schools and universities may raise issues regarding unauthorized surveillance of students and possible violations of students’ rights under the Family Educational Rights and Privacy Act (FERPA)

- Wikipedia

204. tech234a ◴[31 Mar 20 18:59 UTC] No.22741146{5}[source]
Apparently a plugin is needed for Internet Explorer, but otherwise isn’t.
205. tantalor ◴[31 Mar 20 19:02 UTC] No.22741172{7}[source]
Think a little harder. With root, you can install a keylogger.
replies(1): >>22742525 #
206. 867-5309 ◴[31 Mar 20 19:11 UTC] No.22741275{5}[source]
universities are organisations, which all force some incarnation of an internet usage policy. better still, the students are paying an arm and a leg for their lack of privacy. wouldn't it be great for the non-technical end user if these Just Works™ software could just bypass firewalls by way of VPNs, common ports, obfuscated servers or the like?
207. merpnderp ◴[31 Mar 20 19:12 UTC] No.22741287[source]
I wish I knew how it installed on my partner's Mac. No root password was ever given, yet it installed when we thought we were still using the web app. Quickly uninstalled and will use different software next time.
208. thaumasiotes ◴[31 Mar 20 19:15 UTC] No.22741312[source]
> 3) Malware is defined by what it does, not how it's installed.

Well, from the tweet thread:

> If the App is already installed but the current user is not admin, they use a helper tool called "zoomAutenticationTool" [sic] and the AuthorizationExecuteWithPrivileges API to spawn a password prompt identifying as "System" (!!) to gain root (including a typo).

replies(2): >>22743374 #>>22744950 #
209. miguelmota ◴[31 Mar 20 19:15 UTC] No.22741317[source]
What I like about zoom is that I can click on a zoom link and it opens up my video conference pretty quickly. Last thing I want is to go through installation steps when people are waiting for me on a call. I understand the security implications but it's a trade-off between user experience and lesser security.
replies(1): >>22754232 #
210. mynameisvlad ◴[31 Mar 20 19:17 UTC] No.22741340{6}[source]
Teams live events (https://docs.microsoft.com/en-us/microsoftteams/teams-live-e...) which the parent comment was refering to is actually a specific feature in Teams that is only available for certain levels AFAIK but supports vastly more people than a standard Teams meeting.
211. btilly ◴[31 Mar 20 19:17 UTC] No.22741348{4}[source]
And, then, in the end... it didn't work. I was trying to teach a class, but my students couldn't see what I was doing. I had no idea why.

Were you on a mac?

If so, you may have encountered https://answers.microsoft.com/en-us/msoffice/forum/msoffice_... which has been outstanding since October and has no sign will be fixed properly any time soon.

The workaround is quit programs until you find the one that somehow causes Microsoft Teams to not understand that it really does have permissions. For me it seemed to be XCode. But it could be others...here is a partial list:

  - Harvest – Confirmed
  - Sonos – Confirmed
  - Cisco VPN – Issue reported by others
  - Microsoft To-Do – Confirmed
  - Contacts+ (formerly FullContact) – confirmed
  - Apple Photos – confirmed
  - Teamviewer – reported by others
  - Prompt/popup for app review from App Store – still have questions here. This seemed to be it, but haven’t been able to confirm
  - Brackets – reported by others
  - Citrix Workspace Version: 19.10.2.41 (1910) – confirmed
This is an example of why "just works" is so important.
212. ummonk ◴[31 Mar 20 19:25 UTC] No.22741425[source]
I use the web browser version, and refuse to even install Zoom. It's borderline spyware.
replies(1): >>22741715 #
213. afandian ◴[31 Mar 20 19:25 UTC] No.22741429[source]
I did this too and didn't put two and two together til now. I just assumed it was a buggy installer that broke with that version of MacOS and tried a different machine

I've defended Zoom in the past for ethical 'slips', but weidly this has tipped me into hating it.

replies(1): >>22741581 #
214. cpeterso ◴[31 Mar 20 19:27 UTC] No.22741460{5}[source]
Here are the Firefox bug reports for Slack calls:

https://github.com/webcompat/web-bugs/issues/12975

And Teams calls:

https://github.com/webcompat/web-bugs/issues/25070

Slack originally relied on non-standard, Chrome-specific WebRTC behavior and now is prioritizing development of their Electron app over web support.

There is a Firefox extension to spoof Chrome's User-Agent string for Teams. I haven't tested it, but it appears to work for people: https://addons.mozilla.org/en-US/firefox/addon/teams-phone-f...

215. diebir ◴[31 Mar 20 19:31 UTC] No.22741509[source]
A lot of this is Mac OS X fault: it still does not have an easy canonical way of installing things and has no way for uninstalling. I don't get why in this day mac os can't have something like RPM or any number of other package managers.
replies(1): >>22742800 #
216. joshuaissac ◴[31 Mar 20 19:35 UTC] No.22741551{5}[source]
Yes, they are allowed to put a fake message (identifying the requester as System instead of Zoom), but that does not make it OK.
217. enricotal ◴[31 Mar 20 19:37 UTC] No.22741581{3}[source]
Ok this is it... I was able to disinstall it with

$ brew cask install zoomus $ brew cask uninstall zoomus

so long and thank you for all the fish... Zoom

replies(2): >>22742826 #>>22745056 #
218. JadeNB ◴[31 Mar 20 19:44 UTC] No.22741650{4}[source]
Similar functionality: unpkg (https://www.timdoug.com/unpkg/). See also https://stackoverflow.com/questions/11298855/how-to-unpack-a... . I think unpkg handles mpkg files, which I haven't encountered in the wild for quite a while now; I don't know about the others.
219. diebeforei485 ◴[31 Mar 20 19:50 UTC] No.22741711[source]
It's times like this when I realize how much I prefer the Mac App Store over everything else.

Zoom should definitely offer a Mac App Store version. Even if they just take their iPad app and Catalyst it, I'd probably use it.

220. junky228 ◴[31 Mar 20 19:50 UTC] No.22741715{3}[source]
sunova.... I couldn't find the web based version...That's what frustrated me about zoom compared to webex. I could use Weber in the browser and zoom had to be installed
replies(1): >>22742810 #
221. impendia ◴[31 Mar 20 19:53 UTC] No.22741745{5}[source]
> If the students want privacy, they are just helpless.

This isn't true actually. As a student, send the following email:

"Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"

My university isn't mandating Zoom. Indeed, they recommended several software packages, of which their top recommendation was Blackboard. (Which is what I've been using so far. I have mostly joined others' Zoom meetings; I've only initiated them for a D+D game I'm participating in.) MS Teams was their second recommendation as I recall, and Zoom was below that.

At least at my university -- and I expect that this is typical -- individual faculty members are deciding how to best fulfill their own responsibilities. And I have emphasized to my students that I have never done this before, and that I'm happy to change what I'm doing if people have good suggestions.

replies(1): >>22742609 #
222. thaumasiotes ◴[31 Mar 20 20:07 UTC] No.22741908{3}[source]
> Note that in this case, it's still a legit OS dialog.

No it isn't. The dialog prompt is "System need your privilege to change." That's not passing QA anywhere -- it's just a custom message someone put into Zoom without bothering to proofread.

223. aequitas ◴[31 Mar 20 20:14 UTC] No.22741985{6}[source]
This is what I was getting at with my parent comment, it "just works" for everyone. But it doesn't fit some of the niches technical or privacy minded people have. And in the end, we are bound by the common denominator. I can push my open source privacy respecting solution all I want. But unless it "just works" for the lowest tech user I'm at a loss.

There's a parallels here with security in the uphill battle to get users to respect the caveats of the solution they choose.

224. aequitas ◴[31 Mar 20 20:16 UTC] No.22742016{5}[source]
There is also a browser plugin a saw floating by a couple of days ago that would just enforce this step, but can't find it anymore.
replies(1): >>22743112 #
225. munk-a ◴[31 Mar 20 20:21 UTC] No.22742082{4}[source]
Zoom does report usage to Facebook whether you have an account or not - and that data is used to stitch together a web profile of the user that is of no benefit to the user. Zoom is bordering on malware, just... malware that comes with a useful app that allows video conferencing.
replies(1): >>22742569 #
226. aequitas ◴[31 Mar 20 20:25 UTC] No.22742135{3}[source]
For meetings I host I'm trying to evaluate Jitsi as well, so far without much luck. I'm not hosting that many meeting and the one I did was with someone using Linux not getting screen sharing working.

But Jitsi is on my shortlist as I think being open source and self-hostable is the way forward for a tool that could knock Zoom of it's throne.

227. aequitas ◴[31 Mar 20 20:29 UTC] No.22742185{3}[source]
It is however the reason why this solution is being used instead of all the other ones.
228. snowwrestler ◴[31 Mar 20 20:54 UTC] No.22742456{5}[source]
My employer has used Teams Live for all-hands meetings from home the last couple weeks and it worked great for ~350 attendees.
229. saagarjha ◴[31 Mar 20 20:57 UTC] No.22742487[source]
It's very Dropbox-esque…
replies(1): >>22743765 #
230. etaioinshrdlu ◴[31 Mar 20 20:59 UTC] No.22742516{3}[source]
It's really Apple's fault. "This package will run a program to determine if the software can be installed." Is just fundamentally a very strange statement to make, loaded with vagueness.

Think about your average user... they are running an installer program... which alerts them that they need to run another program... to determine if they can install the program.... (Which the user thought they were already doing)

The loaded expectation of the user to realize they are granting privileges to a program to determine whether they can install a program is just totally unreasonable.

It just sounds more and more ridiculous written out like this.

replies(1): >>22744086 #
231. saagarjha ◴[31 Mar 20 21:00 UTC] No.22742525{8}[source]
You'd still need to bypass TCC.
232. vijaybritto ◴[31 Mar 20 21:04 UTC] No.22742569{5}[source]
They removed that Facebook sdk after complaints.
233. elevenoh ◴[31 Mar 20 21:05 UTC] No.22742581[source]
Best zoom alternative?
replies(5): >>22742631 #>>22742784 #>>22743115 #>>22745698 #>>22755591 #
234. saagarjha ◴[31 Mar 20 21:06 UTC] No.22742584{6}[source]
No, they're using the (deprecated) Authorization Services API from the (renamed) BLAuthentication.
235. saagarjha ◴[31 Mar 20 21:09 UTC] No.22742609{6}[source]
> "Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"

Hi [Student],

I appreciate your concern; however, our university has conducted a thorough audit of this software and found that it satisfies our needs. We will continue using it for our lectures.

Regards, Dr. [Professor]

Senior tenured chair of [Department], distinguished lecturer, [University]

236. saagarjha ◴[31 Mar 20 21:11 UTC] No.22742630{4}[source]
> Most people use the standalone app because indeed it "just works".

Most people use the standalone app because Zoom aggressively pushes it.

237. luto ◴[31 Mar 20 21:11 UTC] No.22742631{3}[source]
Jitsi, Google Meet, bigbluebutton -- anything can runs in a browser tab and is more or less confined within it.
replies(4): >>22742874 #>>22745377 #>>22745524 #>>22745738 #
238. saagarjha ◴[31 Mar 20 21:13 UTC] No.22742646[source]
But then they'd need to opt-in to sandboxing and other "onerous" requirements and couldn't pull shady things like this.
replies(1): >>22812554 #
239. opportune ◴[31 Mar 20 21:17 UTC] No.22742693{3}[source]
As a user, I would not assume that checking compatibility means I'm executing arbitrary code. I mean it could just be macOS examining the binary to make sure it's compatible with my ISA, or checking some app metadata about recommended free resources like ram/disk space.
replies(1): >>22742815 #
240. mrzool ◴[31 Mar 20 21:25 UTC] No.22742784{3}[source]
We just started using Whereby and we’re loving it. I strongly recommended against Zoom.
replies(1): >>22747764 #
241. saagarjha ◴[31 Mar 20 21:25 UTC] No.22742789[source]
This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.
replies(1): >>22751782 #
242. saagarjha ◴[31 Mar 20 21:26 UTC] No.22742800[source]
It very much does! Zoom even stumbled upon it, it's called Installer.app. Except, of course, they killed it before it even finished…
243. lloeki ◴[31 Mar 20 21:27 UTC] No.22742810{4}[source]
It's gated behind a fallback after three "failed" attempts at clicking on the link to open the app after opening a meeting URL, or a meeting setting. So, not on by default, seems to be unable to join audio unless you use Chrome, and shows a single video only.
replies(2): >>22742926 #>>22745119 #
244. saagarjha ◴[31 Mar 20 21:28 UTC] No.22742813{5}[source]
It can if it uses the right web APIs, which are widely supported: https://w3c.github.io/picture-in-picture/
replies(1): >>22759653 #
245. pvg ◴[31 Mar 20 21:28 UTC] No.22742815{4}[source]
Apple agrees with you which is why the installer shows a warning the check will involve running code and lets you opt in or out.
246. angott ◴[31 Mar 20 21:29 UTC] No.22742826{4}[source]
You can also use “brew cask zap zoomus” to remove preference files, browser plugins, logs.
replies(1): >>22742836 #
247. technion ◴[31 Mar 20 21:30 UTC] No.22742833{7}[source]
When they mention "connectors and apps", right now there is a very serious amount of phishing fraud going on involving one click links that ask you to authorise a malicious app. Users see a "please click yes" prompt, they never have to enter their password and they think that sounds fine.

I wish Microsoft would try a lot harder in persuading businesses to make the decision to take oauth approvals out of the user hands, because the volume is at a point where I really feel anyone following the "empower the user" discussion almost certainly has a compromised mailbox in their business.

248. a-wu ◴[31 Mar 20 21:30 UTC] No.22742836{5}[source]
Does this also work for non-brew installs?
replies(2): >>22743367 #>>22745526 #
249. overgard ◴[31 Mar 20 21:33 UTC] No.22742860[source]
I understand wanting to reduce friction, but this is the second time Zoom has kinda done something weird and suspect security wise in the name of removing really minor obstacles that users are probably used to dealing with anyway. Considering how many tech companies are using Zoom right now, I would hope they are cognizant that they don't become known as "the company that does sketchy stuff so our IT people say we can't use it"
250. Aachen ◴[31 Mar 20 21:34 UTC] No.22742874{4}[source]
Don't know bigbluebutton but at least among Jitsi and Google Meet, Wire is an alternative that is open source and end to end encrypted. They just don't make it easy to host your own, for that I guess Jitsi is the best way to go.
251. Aachen ◴[31 Mar 20 21:38 UTC] No.22742904[source]
One could say the same for gksudo, UAC prompts, or the equivalent dialog on your favorite operating system, no? Or is there something on other OSes that identifies it?
replies(2): >>22743357 #>>22746458 #
252. 333c ◴[31 Mar 20 21:40 UTC] No.22742926{5}[source]
This browser extension enables the web interface: https://github.com/arkadiyt/zoom-redirector
253. borgel ◴[31 Mar 20 21:57 UTC] No.22743112{6}[source]
From another commenter on another HN thread https://github.com/arkadiyt/zoom-redirector
254. emmelaich ◴[31 Mar 20 21:57 UTC] No.22743115{3}[source]
Google Duo have raised the people per meeting from 4 to 12.
replies(1): >>22743969 #
255. sudosysgen ◴[31 Mar 20 22:22 UTC] No.22743357{3}[source]
gksudo and UAC don't let the process lie about what it is.
256. szhu ◴[31 Mar 20 22:23 UTC] No.22743367{6}[source]
Homebrew Cask's uninstall scripts are basically a community-maintained "best guess" at to how to full uninstall each piece of software. It's generally pretty reliable, and I do use it to remove non-brew installs sometimes.

Note: I have contributed casks to Homebrew Cask before.

257. manigandham ◴[31 Mar 20 22:23 UTC] No.22743374{3}[source]
It's not malicious, and you have to give it permissions somehow to finish the install.

Dropbox (used to?) patch system files to integrate with Office better, and that wasn't considered malware either.

replies(2): >>22743442 #>>22744426 #
258. sudosysgen ◴[31 Mar 20 22:26 UTC] No.22743403{5}[source]
Some of my teachers use jitsi, which works on the same principle. The teacher sends a link, you click it, and that's it. Works very well, and no limit.
259. yreg ◴[31 Mar 20 22:29 UTC] No.22743433[source]
I too don't get how Zoom is considered "the superior software". Maybe the calls don't drop, but the experience is bad (at least on macOS).
replies(2): >>22743535 #>>22744654 #
260. thaumasiotes ◴[31 Mar 20 22:30 UTC] No.22743442{4}[source]
> It's not malicious

By the time you're lying to the user, you are malicious.

261. 7ewis ◴[31 Mar 20 22:41 UTC] No.22743535{3}[source]
Said this on Reddit the other day and got downvoted.

It _is_ bad on macOS. It used to be one of the better platforms to stream video content to others, but now it just lacks in many areas compared to most of its competitors.

The worst bug I had was it essentially started muting random people on a call, but only for me. I could see their mouth moving, and thought it was a problem their side but turns out everyone else could hear them apart from me. I could hear everyone else too apart from them.

262. hr2016 ◴[31 Mar 20 23:10 UTC] No.22743765{3}[source]
As a Dropbox user, care to elaborate please?
replies(1): >>22743800 #
263. saagarjha ◴[31 Mar 20 23:14 UTC] No.22743800{4}[source]
https://applehelpwriter.com/2016/08/29/discovering-how-dropb..., and the associated Hacker News discussion: https://news.ycombinator.com/item?id=12463338
264. AngeloAnolin ◴[31 Mar 20 23:17 UTC] No.22743829[source]
I removed Zoom from my Mac following this instruction [0]

Given their security issues as of late, is there further way I could ensure that my machine has completely removed this software?

[0]

265. wlesieutre ◴[31 Mar 20 23:31 UTC] No.22743969{4}[source]
But can they raise the expected product lifespan from 4 years to 12?
266. zuppy ◴[31 Mar 20 23:35 UTC] No.22744010{5}[source]
That’s probably the issue. We were using the free version.
267. Smoosh ◴[31 Mar 20 23:46 UTC] No.22744086{4}[source]
On top of this, a standard install asks for permissions, but doesn't disclose who/what is asking for it (certified in some way) or what permissions it wants, if these are temporary for the install or permanent for the application, or what it is going to do during the install (what goes where, what gets changed etc).

It is long past time for Apple to improve this process.

268. Smoosh ◴[31 Mar 20 23:53 UTC] No.22744136{6}[source]
In even earlier days, applications didn't need to be installed at all. You just ran them from wherever they were. Of course, it made sense to store them somewhere together, and you could cause yourself problems if you put applications onto disks you then ejected. But the current system is clearly influenced by the UNIX underpinnings, and I'm not sure that the average user fully "gets it".

though preferences files were a bit of a mess.

I vaguely remember if early Macintosh System versions you would be prompted to insert the disk (with the correct disk name in the message) if you tried to open a file belonging to an application which was on an ejected disk.

replies(1): >>22745817 #
269. rootusrootus ◴[01 Apr 20 00:06 UTC] No.22744226[source]
My experience (beyond Zoom) is with WebEx, Hangouts, and Teams. Zoom has a better UI for large meetings, and the audio quality is significantly improved. We just switched recently from WebEx to Zoom at the office and it's been refreshing. A few days ago was the last time I tried to use Teams, but the "only four people on the screen at a time" limitation was a no-go for our family's virtual gathering. Everyone was much happier with Zoom's video grid, and we noticed that the audio was significantly improved -- in particular how it handles multiple people trying to talk at the same time.
270. rootusrootus ◴[01 Apr 20 00:07 UTC] No.22744236{4}[source]
Was just on a Zoom call with 656 participants, it it was remarkably better than any other solutions we've tried in the past.
271. Razengan ◴[01 Apr 20 00:24 UTC] No.22744348[source]
If I search my bookmarks for "zoom" every link is about a discovery of it doing some shady shit. At this point I would just classify it as spyware.
272. 9935c101ab17a66 ◴[01 Apr 20 00:36 UTC] No.22744426{4}[source]
Malicious behaviour does not inherently make something malware. That said, The work arounds Dropbox used in the past should also be considered shady or malicious, and do not serve as a convincing defense in any way.

Yes, zoom does need the user’s password to complete the install in the scenario described. So why isn’t there a proper installer that behaves like installers on macOS should. Why do they ask for the users password on the behalf of ‘system’?

Oh, and zoom was just busted for sending user data to Facebook (regardless of whether or not you had a Facebook account and without disclosure AFAIK) so I reverse my previous statement. It is malware.

273. Kaze404 ◴[01 Apr 20 00:48 UTC] No.22744508[source]
Discord also does this On Windows at least) and I don't understand how / why it's allowed.
274. eyegor ◴[01 Apr 20 01:06 UTC] No.22744627[source]
Can someone explain to me what the problem is? If you run the installer, isn't that consent to install the software? That's the whole point of it. I guess this isn't the "Mac way" but this is exactly how I would write an install script if I was slapping together support for other platforms. In fact this is the same way most installers work: it unzips an archive somewhere, then creates the links for remove/launch/etc.

What is the typical install process for software on a Mac?

replies(1): >>22753552 #
275. shreyshrey ◴[01 Apr 20 01:10 UTC] No.22744654{3}[source]
Yes. My experience is really bad too in mac OS. I thought may be something wrong with my setup.
276. paulschreiber ◴[01 Apr 20 01:11 UTC] No.22744660{4}[source]
Pacifist is also handy https://www.charlessoft.com/
277. mulmen ◴[01 Apr 20 01:52 UTC] No.22744841{5}[source]
If you don’t trust SuspiciousPackage just run it through SuspiciousPackage.
278. sneak ◴[01 Apr 20 02:36 UTC] No.22745056{4}[source]
Presumably if you don't like Zoom's shadiness, you may not like Homebrew's bundled spyware either. Disable it with

    brew analytics off
replies(3): >>22745156 #>>22746437 #>>22746804 #
279. MarkyC4 ◴[01 Apr 20 02:50 UTC] No.22745119{5}[source]
I tried using the web client in Chrome today on my Mac, and the audio was playing to me at what felt like 50% speed; everyone sounded like slow motion to me.
280. webmobdev ◴[01 Apr 20 02:56 UTC] No.22745156{5}[source]
Or better yet, switch to MacPorts - https://www.macports.org/
281. emilecantin ◴[01 Apr 20 03:00 UTC] No.22745181[source]
I have this irrational disgust of .pkg installs, and this is is a good example why. Every time I have to install a .pkg, I wonder what crap it's spreading all around my system.

What's wrong with dragging .apps? Does your app really need to spread its tentacles beyond an app bundle and (maybe) some preference files?

282. behnamoh ◴[01 Apr 20 03:33 UTC] No.22745377{4}[source]
But how do they remain in business? I'm interested in knowing how say, Jitsi, earns money off of it.
replies(1): >>22746408 #
283. throwaway1777 ◴[01 Apr 20 04:01 UTC] No.22745524{4}[source]
Zoom works in the browser
284. angott ◴[01 Apr 20 04:02 UTC] No.22745526{6}[source]
You can add `--force` and zap will also work on non-brew installs. The paths are community-contributed, so watch out (you can print the paths with `brew cask cat <name>`).
285. drusepth ◴[01 Apr 20 04:30 UTC] No.22745698{3}[source]
I switched from Zoom to Google Duo almost a year ago and haven't had any issues.
286. adtac ◴[01 Apr 20 04:38 UTC] No.22745738{4}[source]
I wouldn't be surprised if Zoom suddenly started exploiting browser zero days to force install things "for your own good"
replies(1): >>22746112 #
287. kelnos ◴[01 Apr 20 04:40 UTC] No.22745753{8}[source]
Hell, why doesn't Finder do this? If you try to run a .app from a .dmg, it should pop up a dialog asking you if you want Finder to move it to /Applications for you and run it from there.
replies(1): >>22746098 #
288. int_19h ◴[01 Apr 20 04:52 UTC] No.22745817{7}[source]
You can still run them from wherever they are. The problem is that users do that once, exit, and then later forget where the app was.
replies(1): >>22746119 #
289. int_19h ◴[01 Apr 20 04:56 UTC] No.22745843{4}[source]
Teams specifically is the spiritual successor to Skype for Business / Lync / Office Communicator - its main benefit is integrating with Outlook, Exchange, OneNote, and SharePoint. If it's not deployed with that in mind, that's a lot of wasted effort, IMO.
290. int_19h ◴[01 Apr 20 04:59 UTC] No.22745855[source]
That Twitter thread has a link to a more detailed analysis that was done all the way back in 2016:

https://macpkghallofshame.tumblr.com/post/138612887932/indis...

291. zuppy ◴[01 Apr 20 05:20 UTC] No.22745942{6}[source]
teams has another issue though: when someone speaks, it cuts the sound for the other people speaking in the same time. in theory this sounds good, but many times it will cut the sound of the active speaker. yes, i think this can be managed with group mute, but zoom doesn’t have this “feature”.
292. anon102010 ◴[01 Apr 20 05:25 UTC] No.22745963[source]
The meme that HIPPA requires e2e is so ridiculous - it is pretty clear that very few people actually deal with HIPPA stuff.

Zoom (if you need HIPPA) can set you up with it - but you WILL lose a bunch of features (zoom by default has features that are not HIPPA compatible) - so make sure you need HIPPA before paying for it.

If anything medicine is almost anti-e2e. Everything is copied and copied between one system and another (billing, lab systems, imaging systems etc). Seriously, medicine is in many cases very fragmented, so the number of medical practice groups that need copies of your details / visit details etc is high just to bill you (and you may end up with 5 bills for one visit - which may be 4-5 systems behind the scenes).

293. musicale ◴[01 Apr 20 05:36 UTC] No.22746021[source]
Zoom's malware-like behavior is the reason I only use their web app, in a browser with minimal privileges.
294. scelerat ◴[01 Apr 20 05:46 UTC] No.22746068[source]
I have a friend who has some intimate knowledge of MacOS installation software who refuses to use Zoom. "It's not merely because it uses the same install patterns as Russian malware," this person told me, "no; it's personal."

Seriously, despite this person's aversion to anything Google, Hangouts ends up being the one tolerable exception.

295. danieldk ◴[01 Apr 20 05:52 UTC] No.22746098{9}[source]
I agree, that would be awesome!
296. saagarjha ◴[01 Apr 20 05:55 UTC] No.22746112{5}[source]
Good thing that this is somewhat difficult to do ;)
297. saagarjha ◴[01 Apr 20 05:57 UTC] No.22746119{8}[source]
There are issues when running from the downloads folder (translocation).
298. oehtXRwMkIs ◴[01 Apr 20 07:04 UTC] No.22746408{5}[source]
Its wikipedia article describes its funding. It's basically a combination of sponsorships and paid employees working on it.
299. nextweek2 ◴[01 Apr 20 07:08 UTC] No.22746426{4}[source]
Did you try Microsoft Teams live events? Which seems aimed at your use case.
300. lultimouomo ◴[01 Apr 20 07:15 UTC] No.22746458{3}[source]
I don't think UAC is spoofable - if I remember well it minimizes all the other windows and hides the taskbar, which you shouldn't be able to do with a regular dialog.

gksudo is definitely spoofable, except I almost never get a gksudo dialog. I am not trained to expect every other app to periodically ask me for my password.

replies(1): >>22753963 #
301. neuronic ◴[01 Apr 20 07:49 UTC] No.22746613{6}[source]
Sorry, I wasn't clear enough. The enterprise already has a Teams license which is part of an Office/Microsoft deal that they will of course continue to have.

So Teams is there, will stay there and it works well but people are still moving to Zoom anyways.

302. 8fingerlouie ◴[01 Apr 20 08:34 UTC] No.22746804{5}[source]
Isn't that more like Debian popularity contest ?

https://popcon.debian.org/

replies(2): >>22746900 #>>22750263 #
303. icebraining ◴[01 Apr 20 08:57 UTC] No.22746900{6}[source]
popcon is opt-in.
304. ddebernardy ◴[01 Apr 20 09:53 UTC] No.22747139{3}[source]
It seems macOS could use virtualization or permissions to run these scripts in some throw away environment to get rid of the problem altogether. Preflight check programs shouldn't be able to write anything to disk.
305. fouc ◴[01 Apr 20 09:56 UTC] No.22747157[source]
Are there other app installers that do this? I've got a feeling Zoom is definitely not the only one that does that.
306. jwr ◴[01 Apr 20 10:01 UTC] No.22747178{5}[source]
Specifically, my "Pro" plan allows up to 12 people.
307. fouc ◴[01 Apr 20 10:27 UTC] No.22747295{4}[source]
pkg is there explicitly to let companies install sketchy shit. Any application that relies on pkg to be installed is fundamentally risky.
308. latexr ◴[01 Apr 20 11:56 UTC] No.22747764{4}[source]
I recommend against Whereby.

I was a big proponent when they started as appear.in, but they’ve been steadily removing features (or moving them to the paid plan). For my friend group, the biggest appeal was that you could use it in a browser without an account by inventing a room name. That was one of the first features to get cut.

Everyone I’ve ever recommended it to has bumped into the limitations, asked me “what happened”, and switched to something else.

I haven’t tried it extensively, but I’ve read about https://meet.jit.si/ on HN and passed it on to a friend in that situation. He was happy with it and described it as “what appear.in used to be”.

309. latexr ◴[01 Apr 20 12:11 UTC] No.22747843{4}[source]
If the pkg format was no longer supported, developers might use GUI installers instead, and those are harder to verify and install/uninstall programmatically.
310. danlugo92 ◴[01 Apr 20 14:19 UTC] No.22748719{4}[source]
I use whereby too. It's great.
311. sneak ◴[01 Apr 20 16:12 UTC] No.22750263{6}[source]
No. Homebrew sends a per-installation unique identifier to a third party (Google), tracking your location across different IPs, whether you want it to or not.

Popcon is first-party, and is entirely opt-in. It doesn’t send anything unless you want it to.

312. danans ◴[01 Apr 20 18:11 UTC] No.22751782{3}[source]
> This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.

So in that case it seems like there is perhaps an issue on both sides.

- I understand that the OS API to get root/admin privileges likely exists for legacy app install reasons, but why should any install script even be able to run amok with admin privileges? Shouldn't privileges granted by this API this is using be sandboxed in the extreme? Something this sensitive shouldn't be left to the honor system of the app developer.

- Independently, I still don't understand why Zoom needs admin privs on Mac when it clearly doesn't need them when installed as a browser extension. I'm using it just fine in Chrome all the time - no admin rights needed.

313. notriddle ◴[01 Apr 20 21:09 UTC] No.22753552[source]
Zoom is using a hook in the macOS installer framework in a way that is not intended.

This is forming a troubling pattern [1]. Zoom will do anything to reduce the number of clicks to start a conference, even if results in a misleading installer prompt or security vulnerability.

[1]: https://www.zdnet.com/article/zoom-defends-use-of-local-web-...

replies(1): >>22782927 #
314. Aachen ◴[01 Apr 20 22:00 UTC] No.22753963{4}[source]
Any application can draw over the task bar as far as I know? Seems weird if games needed root permissions just to be full screen.
315. mr_toad ◴[01 Apr 20 22:38 UTC] No.22754232[source]
People will go through the hassle of booking airline tickets, hotels, taxis and take the time to travel to face to face meetings (and some of them even seem to enjoy it).

But they won’t spend 5 minutes installing software properly, or half an hour doing some legwork.

replies(1): >>22763547 #
316. clay_the_ripper ◴[02 Apr 20 00:12 UTC] No.22754946[source]
To me this implies that the installation process on Mac OS should be improved. The fact that they have to resort to these types of things to make it “just work” for people suggests that the official way of doing things is less than ideal.

They are aiming to make the process completely idiot proof, and good for them. If you’ve ever watched a nontechnical user try to install an application you’ll understand why they had to do all this.

I recently watched One of my friends who has only ever used an iPad and not a laptop try to install an application downloaded from the internet. Things we take for granted like “find your downloads folder” were not obvious. I had to explain what the Finder is, and it seemed laughably not obvious to someone who has never used it before.

317. m0rganic ◴[02 Apr 20 02:02 UTC] No.22755591{3}[source]
lifesize
318. saagarjha ◴[02 Apr 20 05:37 UTC] No.22756510{3}[source]
Your list seems to be missing a couple of files that the Zoom uninstaller cleans up.
replies(1): >>22758365 #
319. Hackbraten ◴[02 Apr 20 12:54 UTC] No.22758365{4}[source]
That's deliberate. Homebrew always runs the Zoom uninstaller first before going through the list.

Running the uninstaller is enforced by the `pkg` declaration. See also: https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22...

320. dbbk ◴[02 Apr 20 14:52 UTC] No.22759653{6}[source]
Yes but... it doesn't.
321. specialist ◴[02 Apr 20 16:16 UTC] No.22760608{6}[source]
Thanks. I've been chewing on your reply. I didn't get very far. It finally occurs to me that macOS (or equiv) could implement iOS (or equiv) style sandboxing. Maybe that's already in progress. As a dev and former power user, I'm sure it'll be uncomfortable.
322. milesskorpen ◴[02 Apr 20 17:59 UTC] No.22761722{4}[source]
Yes, that extension is great. Doesn't work on iPads though.
323. miguelmota ◴[02 Apr 20 20:43 UTC] No.22763547{3}[source]
The difference is that it's expected that booking airlines and hotels will take time so they make time for it but nobody expects to spend minutes installing video conferencing software properly.

They expect meeting chat software to just work and be as easy as opening a link. If a person needs to fly somewhere they have limited choices with airlines, but if a person gets frustrated with video conferencing software then they have an abundance of alternative options.

324. teknologist ◴[02 Apr 20 23:48 UTC] No.22765058[source]
Instead of installing the Zoom software, join Zoom calls from within your web browser

With this trick you can join Zoom calls without ever installing the client on your computer.

Here's how to do it:

1) Uninstall the Zoom client if you have it installed (this is important).

2) When you get a Zoom link to join a meeting, click it to open it in your browser.

3) You'll be asked to download Zoom. Click the "download & run Zoom" link, but don't run the installer.

4) Wait for a few moments and a link to "join from your browser" will appear. Click this and join the call as normal. Most of the features work in this browser based version -- there is no need to ever risk your computer!

Here's a gif demoing what to click: https://assets.zoom.us/images/en-us/web/client/join-web-clie...

325. ksec ◴[03 Apr 20 04:08 UTC] No.22766252{7}[source]
I thought some of these interaction was from a design where Apple wanted the Mac to be more appliance. I think the goal / target market has changed. The super easy to use Computer to use is now the iPad.

Mac is now Prosumers and Professionals. And its UX should be treated as such.

326. neycoda ◴[03 Apr 20 18:18 UTC] No.22772413[source]
Why does Apple allow this?
327. whateveracct ◴[05 Apr 20 01:12 UTC] No.22782927{3}[source]
Many PMs are obsessed with click optimization. I've been told many times that a certain feature of security method is no-go due to it being "too many clicks" full-stop -.-
328. ThePowerOfFuet ◴[08 Apr 20 13:02 UTC] No.22812522{5}[source]
The visibility of this link is disabled by default unless the person trying to join attempts (and fails, even if deliberately) to download+install the client at least twice.

It can be enabled, but it's not on by default.

329. ThePowerOfFuet ◴[08 Apr 20 13:05 UTC] No.22812554{3}[source]
Nailed it.