How the Zoom macOS installer does its job without you clicking ‘install’ (twitter.com/c1truz_)
796 points by _Microft on March 31, 2020 | 325 comments

I installed Zoom on macOS yesterday and I thought that the install was crashing because this is not the expected behavior. I would double click the download, try to install, and then the installation program would "crash", so I'd try it again. Did that a few times before I realized it was installed. Until now I thought it had somehow gotten far enough in the installation process before crashing that I could at least use the application. I'd been hearing everyone raving about how Zoom was such better software than anything else, and my first experience was their installer doesn't even work.

This was a horrible user experience for me, and I wasn't thinking about security implications at all.

I did this too and didn't put two and two together til now. I just assumed it was a buggy installer that broke with that version of MacOS and tried a different machine

I've defended Zoom in the past for ethical 'slips', but weirdly this has tipped me into hating it.

Ok this is it... I was able to uninstall it with

    $ brew cask install zoomus
    $ brew cask uninstall zoomus

so long and thank you for all the fish... Zoom

You can also use “brew cask zap zoomus” to remove preference files, browser plugins, logs.

Does this also work for non-brew installs?

Homebrew Cask's uninstall scripts are basically a community-maintained "best guess" as to how to fully uninstall each piece of software. It's generally pretty reliable, and I do use it to remove non-brew installs sometimes.

Note: I have contributed casks to Homebrew Cask before.

You can add `--force` and zap will also work on non-brew installs. The paths are community-contributed, so watch out (you can print the paths with `brew cask cat <name>`).

Presumably if you don't like Zoom's shadiness, you may not like Homebrew's bundled spyware either. Disable it with

    brew analytics off

Or better yet, switch to MacPorts - https://www.macports.org/

Isn't that more like Debian popularity contest?


No. Homebrew sends a per-installation unique identifier to a third party (Google), tracking your location across different IPs, whether you want it to or not.

Popcon is first-party, and is entirely opt-in. It doesn’t send anything unless you want it to.

popcon is opt-in.

I would highly recommend checking all installers on macOS through Suspicious Package. It will give you a complete picture of all the installer scripts that will be run and all the files that will be written. I did just that for zoom and decided against installing it.
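Added example (not part of the thread, and not Suspicious Package's code): a minimal Python audit of a package that has already been unpacked with `pkgutil --expand`, listing the install scripts Installer would run and whether the Distribution file asks to run external programs. The sample tree, the `Example.pkg` name and the `/Applications` keyword check are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Script names Installer can run around the payload copy
# (flat packages use pre/postinstall; older bundles used pre/postflight).
SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight"}


def _allows_external_scripts(distribution_path):
    """True if <options allow-external-scripts="yes"/> is set in Distribution."""
    try:
        root = ET.parse(distribution_path).getroot()
    except ET.ParseError:
        return False
    return any(o.get("allow-external-scripts", "no").lower() in ("yes", "true")
               for o in root.iter("options"))


def _describe_script(path, root):
    """Summarise one install script: location, interpreter, simple keyword hit."""
    with open(path, "rb") as fh:
        body = fh.read().decode("utf-8", "replace")
    first = body.splitlines()[0] if body.startswith("#!") else "(no shebang, possibly binary)"
    return {
        "path": os.path.relpath(path, root),
        "interpreter": first,
        # Assumption: a script that names /Applications deserves a manual read.
        "mentions_applications": "/Applications" in body,
    }


def audit_expanded_pkg(root):
    """Walk a directory created by `pkgutil --expand` and report what would run."""
    findings = {"external_scripts": False, "scripts": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "Distribution":
                findings["external_scripts"] |= _allows_external_scripts(path)
            elif name in SCRIPT_NAMES and os.path.basename(dirpath) == "Scripts":
                findings["scripts"].append(_describe_script(path, root))
    findings["scripts"].sort(key=lambda s: s["path"])
    return findings


def build_sample(root):
    """Constructed sample tree shaped like `pkgutil --expand` output."""
    scripts = os.path.join(root, "Example.pkg", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(root, "Distribution"), "w") as fh:
        fh.write('<installer-gui-script minSpecVersion="1">'
                 '<options allow-external-scripts="yes"/>'
                 '</installer-gui-script>')
    with open(os.path.join(scripts, "preinstall"), "w") as fh:
        fh.write('#!/bin/bash\ncp -R "Example.app" /Applications/\nexit 0\n')
    with open(os.path.join(scripts, "postinstall"), "w") as fh:
        fh.write('#!/bin/sh\nexit 0\n')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = audit_expanded_pkg(tmp)
        print("external scripts allowed:", report["external_scripts"])
        for s in report["scripts"]:
            print(s["path"], "|", s["interpreter"],
                  "| mentions /Applications:", s["mentions_applications"])
```

On a real download, run `pkgutil --expand Some.pkg outdir` first and pass `outdir` to `audit_expanded_pkg`; expanding does not execute any of the package's scripts.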

Oooh this is good. A few years ago I came home drunk and wanted to watch this old film that wasn't on any channels. I found it on some dubious website, which required me to install a player .dmg. I drunkenly typed in my password, and then an hour later was like: dafuq did I just do?!? Next day I re-imaged my mac because I'm both paranoid and don't know enough about secops.

SuspiciousPackage wouldn't have helped combat Drunk Install Syndrome, but it might have been a helpful tool before I nuked my OS.

Or maybe this is just good marketing for SuspiciousPackage, which is really malware. Well played.

If you don’t trust SuspiciousPackage just run it through SuspiciousPackage.

Similar functionality: unpkg (https://www.timdoug.com/unpkg/). See also https://stackoverflow.com/questions/11298855/how-to-unpack-a... . I think unpkg handles mpkg files, which I haven't encountered in the wild for quite a while now; I don't know about the others.

Pacifist is also handy https://www.charlessoft.com/

I too don't get how Zoom is considered "the superior software". Maybe the calls don't drop, but the experience is bad (at least on macOS).

Said this on Reddit the other day and got downvoted.

It _is_ bad on macOS. It used to be one of the better platforms to stream video content to others, but now it just lacks in many areas compared to most of its competitors.

The worst bug I had was it essentially started muting random people on a call, but only for me. I could see their mouth moving, and thought it was a problem their side but turns out everyone else could hear them apart from me. I could hear everyone else too apart from them.

Yes. My experience is really bad too in macOS. I thought maybe something was wrong with my setup.

Same here. I thought the process didn't finish until I tried launching the app (which I was supposed to do by clicking a link in the browser, which is also rather unintuitive).

Zoom's got a tradition of being, let's put it like this, way too clever for everyone's own good.

See previous “lets install a server on this Mac that is not removed when you uninstall the app and leaves your camera open to the entire internet” for more examples.

I use it on a VM, I suggest you do it too.

I use the web browser version, and refuse to even install Zoom. It's borderline spyware.

sunova.... I couldn't find the web based version... That's what frustrated me about zoom compared to webex. I could use Webex in the browser and zoom had to be installed

It's gated behind a fallback after three "failed" attempts at clicking on the link to open the app after opening a meeting URL, or a meeting setting. So, not on by default, seems to be unable to join audio unless you use Chrome, and shows a single video only.

This browser extension enables the web interface: https://github.com/arkadiyt/zoom-redirector

I tried using the web client in Chrome today on my Mac, and the audio was playing to me at what felt like 50% speed; everyone sounded like slow motion to me.

It's very Dropbox-esque…

As a Dropbox user, care to elaborate please?

Best zoom alternative?

Jitsi, Google Meet, bigbluebutton -- anything that runs in a browser tab and is more or less confined within it.

I wouldn't be surprised if Zoom suddenly started exploiting browser zero days to force install things "for your own good"

Good thing that this is somewhat difficult to do ;)

Don't know bigbluebutton but at least among Jitsi and Google Meet, Wire is an alternative that is open source and end to end encrypted. They just don't make it easy to host your own, for that I guess Jitsi is the best way to go.

But how do they remain in business? I'm interested in knowing how say, Jitsi, earns money off of it.

Its Wikipedia article describes its funding. It's basically a combination of sponsorships and paid employees working on it.

Zoom works in the browser

We just started using Whereby and we’re loving it. I strongly recommended against Zoom.

I recommend against Whereby.

I was a big proponent when they started as appear.in, but they’ve been steadily removing features (or moving them to the paid plan). For my friend group, the biggest appeal was that you could use it in a browser without an account by inventing a room name. That was one of the first features to get cut.

Everyone I’ve ever recommended it to has bumped into the limitations, asked me “what happened”, and switched to something else.

I haven’t tried it extensively, but I’ve read about https://meet.jit.si/ on HN and passed it on to a friend in that situation. He was happy with it and described it as “what appear.in used to be”.

I switched from Zoom to Google Duo almost a year ago and haven't had any issues.

Google Duo have raised the people per meeting from 4 to 12.

But can they raise the expected product lifespan from 4 years to 12?


1) If Zoom can do this then it's a MacOS security bug.

2) UX matters. Users don't care about the technical details, they want a smooth experience and that can be the difference between a billion-dollar business or a failed startup. And yes the desktop version is more stable than the web-based UI.

3) Malware is defined by what it does, not how it's installed.

I mean, it's not really a security bug. Installer.app displays a dialog box that says "Hey, this package wants to run arbitrary code to check if it's compatible with your system. Is that OK?" The user is explicitly opting into the code execution. Zoom's "compatibility check" installs the app and kills the installer window. That's certainly unexpected behavior, but I don't think it's an exploit in any real sense.

While normally I'd object to running arbitrary code with just an easily-skippable dialog as confirmation, I think it's OK in this case where the expectation was that we're installing their software anyway.

It's really Apple's fault. "This package will run a program to determine if the software can be installed." is just fundamentally a very strange statement to make, loaded with vagueness.

Think about your average user... they are running an installer program... which alerts them that they need to run another program... to determine if they can install the program.... (Which the user thought they were already doing)

The loaded expectation of the user to realize they are granting privileges to a program to determine whether they can install a program is just totally unreasonable.

It just sounds more and more ridiculous written out like this.

On top of this, a standard install asks for permissions, but doesn't disclose who/what is asking for it (certified in some way) or what permissions it wants, if these are temporary for the install or permanent for the application, or what it is going to do during the install (what goes where, what gets changed etc).

It is long past time for Apple to improve this process.

You're right, it's more of a design issue. More explicit permissions on altering the Applications folder could help. Then again, most people want an easier install so this is really for those who want that extra control.

As a user, I would not assume that checking compatibility means I'm executing arbitrary code. I mean it could just be macOS examining the binary to make sure it's compatible with my ISA, or checking some app metadata about recommended free resources like ram/disk space.

Apple agrees with you which is why the installer shows a warning the check will involve running code and lets you opt in or out.

> 3) Malware is defined by what it does, not how it's installed.

Well, from the tweet thread:

> If the App is already installed but the current user is not admin, they use a helper tool called "zoomAutenticationTool" [sic] and the AuthorizationExecuteWithPrivileges API to spawn a password prompt identifying as "System" (!!) to gain root (including a typo).

It's not malicious, and you have to give it permissions somehow to finish the install.

Dropbox (used to?) patch system files to integrate with Office better, and that wasn't considered malware either.

> It's not malicious

By the time you're lying to the user, you are malicious.

Malicious behaviour does not inherently make something malware. That said, the workarounds Dropbox used in the past should also be considered shady or malicious, and do not serve as a convincing defense in any way.

Yes, zoom does need the user’s password to complete the install in the scenario described. So why isn’t there a proper installer that behaves like installers on macOS should? Why do they ask for the user's password on behalf of ‘system’?

Oh, and zoom was just busted for sending user data to Facebook (regardless of whether or not you had a Facebook account and without disclosure AFAIK) so I reverse my previous statement. It is malware.

is botnet agent not malware? it's not doing anything until the operator sends the payload.

A botnet agent is designed to take control and run a bot, so yes it's malware. It doesn't have to be actively doing it at that moment to be considered such.

Zoom does report usage to Facebook whether you have an account or not - and that data is used to stitch together a web profile of the user that is of no benefit to the user. Zoom is bordering on malware, just... malware that comes with a useful app that allows video conferencing.

They removed that Facebook sdk after complaints.

I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.

Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.

I never understood why Apple still supports the pkg format. It seems a half-baked leftover from the 2000s and even then I was already surprised that there is no way to uninstall things through the macOS GUI. I am not sure if this has changed (I try to avoid pkg files and use Homebrew cask to uninstall such packages), but IIRC you had to list the files with pkgutil on the command-line, remove stuff by hand and then --forget the package.

They should just kill the format. Everything should just be drag to install, drag to trash to remove.

In my experience I’ve seen even technical users (Who were used to windows) struggle with the idea of dragging an .app from an open disk image to the Applications folder. They would end up running the app from the disk image and then getting confused when it disappears after restart.

This system worked so much better when the Applications folder was placed in the Dock by default, and everyone used that folder to launch applications (which weren't common enough to keep in the Dock directly).

It was actually a really beautiful synergy—you install applications by copying them to a folder, and launch them from that folder. Same way you'd acquire and open files. Lovely.

Then Apple ruined it in Lion with Launchpad. Their app install flow for anything outside of the app store doesn't make any sense.

In even earlier days, applications didn't need to be installed at all. You just ran them from wherever they were. Of course, it made sense to store them somewhere together, and you could cause yourself problems if you put applications onto disks you then ejected. But the current system is clearly influenced by the UNIX underpinnings, and I'm not sure that the average user fully "gets it".

though preferences files were a bit of a mess.

I vaguely remember in early Macintosh System versions you would be prompted to insert the disk (with the correct disk name in the message) if you tried to open a file belonging to an application which was on an ejected disk.

You can still run them from wherever they are. The problem is that users do that once, exit, and then later forget where the app was.

There are issues when running from the downloads folder (translocation).

One wonders why Apple didn't just treat DMGs like Application Folders in the first place. If they had an icon and you could run them directly then there wouldn't be any confusion. AppImage works like that and I think it was a wise decision.

Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

The DMGs are a clever way to (A) make sure the app gets to the proper location while simultaneously (B) teaching the user about what's actually happening on their computer. As I said in a sibling comment, this all made much more sense when users also launched apps from the Applications folder directly.

> Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.

Some applications offer to move themselves to the /Applications folder when started the first time outside /Applications or ~/Applications. Though in general, it would be better if Apple made it more attractive to publish in the App Store, since it brings other advantages (e.g. mandatory sandboxing).

Yeah, and that's a fine solution given the situation Apple has left us in. But it's also kind of a hack, which shouldn't have become necessary.

Also, personally, I sometimes purposefully put apps in places other than /Applications—for example, I like to keep games in their own Games folder. And then the dialogs are kind of annoying.

Hell, why doesn't Finder do this? If you try to run a .app from a .dmg, it should pop up a dialog asking you if you want Finder to move it to /Applications for you and run it from there.

I agree, that would be awesome!

I thought some of these interactions were from a design where Apple wanted the Mac to be more of an appliance. I think the goal / target market has changed. The super easy to use computer is now the iPad.

Mac is now Prosumers and Professionals. And its UX should be treated as such.

One thing to note here: people who administer macOS for organizations basically convert everything to .pkgs (or DMGs). It's the only easy way to silently install applications, and perform post install actions like performing licensing or activation steps.

> Everything should just be drag to install, drag to trash to remove.

I wish it were that easy, most apps leave files in other places on your computer like ~/Library that will never get cleaned up if you just move the app to trash.

As much as this bothers me because of who I am, I don't think it's a real problem. Those files shouldn't take up significant space unless the developer is doing something stupid.

It might be nice if macOS had some sort of automatic cleanup routine when an app is trashed, but that would either require showing the user an extra dialog (a la AppCleaner's) or introducing an opaque system which could potentially lead to data loss.

Indeed, data outside the application folder usually consists of a preferences plist and saved application state. Of course, there could be caches as well, which could take up a fair amount of disk space.

But I think the primary argument in favor of what macOS does now on drag-to-trash is that the user's preferences are preserved, for when they install an application again.

If the pkg format was no longer supported, developers might use GUI installers instead, and those are harder to verify and install/uninstall programmatically.

pkg is there explicitly to let companies install sketchy shit. Any application that relies on pkg to be installed is fundamentally risky.

It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:


This message is a lie; it is not coming from system but from the installer script.

Just because the OS is used to show the dialog doesn't mean it should be trusted. As another commenter noted this could be used to steal passwords; that is effectively what it does.

To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.

How hard do you think it is to steal a password once you have root?

It should be impossible with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.


Think a little harder. With root, you can install a keylogger.

You'd still need to bypass TCC.

It would take an extra step, you have access to the hash and maybe shared memory/SOs but you’d need a second trick to actually steal it.

The script asks for root which subsequently pops up an OS password prompt. Zoom never sees your password.

How is this different from the way e.g. Virtualbox gets root?

Because it lies about its identity, calling itself "System" not Zoom.

This is also a MacOS vuln that lets apps lie about their identity in sudo prompts, much like a browser showing an https site with no certificate checking.

macOS allows apps to write arbitrary lines of text above password prompts, which is what Zoom is doing. I don't see how that's different from a shell script echo'ing something before a sudo prompt.

How would you design this system?

Don't allow the application to do any of it, and when the app asks for access, have the system instead say "{processName}.app is requesting {permissionFlavorText}. Enter a name and password to continue."

It's not making the proper privilege escalation call, it's faking the box entirely. There's even a typo in the dialog box.

...are you sure? I'm pretty sure that code just pops up the system box to get privileges, with a custom message at the top.

I'm running Mavericks—the last version of macOS before they made the UI flat—and the prompt didn't look out of place. If Zoom is indeed faking the box, they actually went through the trouble to make a separate version for Mavericks with Mavericks-style visuals.

No, they're using the (deprecated) Authorization Services API from the (renamed) BLAuthentication.

Incorrect. Look at the second tweet in the thread. It's a phishing popup that misidentifies itself in order to steal privileges intended for System, not Zoom.


That's still an OS prompt, they just put their own message at the top, as you're allowed to do.

Yes, they are allowed to put a fake message (identifying the requester as System instead of Zoom), but that does not make it OK.

> Note that in this case, it's still a legit OS dialog.

No it isn't. The dialog prompt is "System need your privilege to change." That's not passing QA anywhere -- it's just a custom message someone put into Zoom without bothering to proofread.

One could say the same for gksudo, UAC prompts, or the equivalent dialog on your favorite operating system, no? Or is there something on other OSes that identifies it?

I don't think UAC is spoofable - if I remember well it minimizes all the other windows and hides the taskbar, which you shouldn't be able to do with a regular dialog.

gksudo is definitely spoofable, except I almost never get a gksudo dialog. I am not trained to expect every other app to periodically ask me for my password.

Any application can draw over the task bar as far as I know? Seems weird if games needed root permissions just to be full screen.

gksudo and UAC don't let the process lie about what it is.

Not that I'm in favor of this practice, but the one key feature that conference software must have is: it just works™.

Nothing turns you off more from a conferencing solution than: any problem getting it working right now.

When there is just the slightest issue, one person not being able to join, one person not getting voice to work, bad audio, your entire team is blocked/distracted. Which results in a collective disdain for the solution and video conferencing as a whole.

This extends to getting the solution working for greenfield installs as simple as possible. Because who knows which non-tech users from which department all need to join and can't figure out how to set the permission in their browser right or install/use the other browser that is compatible.

So sadly, from a functionality point of view, you want to have the software be able to force itself onto the user in the most usable state it can.

I'm still curious why everyone thinks Zoom "just works" while others don't. Because in an enterprise context it is often hard to download an executable and run it with sufficient permissions. While Google and Microsoft both offer a product that "just works" with only a browser. What makes Zoom more "just works" than that?

I'm a college professor, and I'll share my perspective.

For one, Zoom did just work. (At least as a participant, rather than an organizer.) I tried it out, and it immediately worked. It did what all of us were expecting, with no fuss.

I also tried MS Teams. It seems designed with a different philosophy: that you use the software to do many different things, and you want them all integrated. (For example, it posted my meetings automatically to my Outlook calendar. I had never used this calendar before, and was only dimly aware that it existed.)

Moreover, it seems that the expected setup is a bunch of people, all at the same workplace, who communicate with each other consistently. My needs are different, with wildly disparate use cases: a departmental meeting; classes to teach; an online conference (https://www.daniellitt.com/agonize/); an online social gathering. Many of the people with whom I communicate don't work for the same employer. And I don't want to configure all of these "teams" in advance.

That said, I tried to get MS Teams up and running, to teach my class. This involved multiple emails back and forth to our tech support (it seems that I can't set up a "team" myself; I have to ask IT to do it for me). It didn't have its own whiteboard functionality so I had to download and run some separate software.

And, then, in the end... it didn't work. I was trying to teach a class, but my students couldn't see what I was doing. I had no idea why.

> And, then, in the end... it didn't work. I was trying to teach a class, but my students couldn't see what I was doing. I had no idea why.

Were you on a mac?

If so, you may have encountered https://answers.microsoft.com/en-us/msoffice/forum/msoffice_... which has been outstanding since October and has no sign it will be fixed properly any time soon.

The workaround is to quit programs until you find the one that somehow causes Microsoft Teams to not understand that it really does have permissions. For me it seemed to be XCode. But it could be others... here is a partial list:

  - Harvest – Confirmed
  - Sonos – Confirmed
  - Cisco VPN – Issue reported by others
  - Microsoft To-Do – Confirmed
  - Contacts+ (formerly FullContact) – confirmed
  - Apple Photos – confirmed
  - Teamviewer – reported by others
  - Prompt/popup for app review from App Store – still have questions here. This seemed to be it, but haven’t been able to confirm
  - Brackets – reported by others
  - Citrix Workspace Version: (1910) – confirmed

This is an example of why "just works" is so important.

You're right, MS Teams is definitely better placed as an org-wide communication/collaboration tool, not an external one. They really need to make it easier to communicate with people in external orgs, the org switcher is my biggest complaint.

FWIW, IT can allow people in certain groups to make their own teams, it's an admin setting.

Working within the US NIH, we are forced to submit a ticket for creating any new teams and the entire Teams/Office 365 ecosystem is entirely crippled for us. All new features take forever to be approved and brought online, as well as additional connectors and apps having to go through an extensive 6+ month-long vetting process before being approved.

Makes using Teams quite a hassle, but with Skype for Business being the only other approved option for internal chat, it's better than nothing.

Those are all organizational decisions, and not out of the box defaults. Microsoft is trying very hard to persuade organizations not to make those decisions.

Completely free teams creation does come at a cost. It makes data governance much more complicated. People creating duplicate places for things they didn't know already existed. A lack of naming convention, to be able to analyze what exists. Microsoft is pushing for people to just be able to get things done, at the expense of organization.

When they mention "connectors and apps", right now there is a very serious amount of phishing fraud going on involving one click links that ask you to authorise a malicious app. Users see a "please click yes" prompt, they never have to enter their password and they think that sounds fine.

I wish Microsoft would try a lot harder in persuading businesses to make the decision to take oauth approvals out of the user hands, because the volume is at a point where I really feel anyone following the "empower the user" discussion almost certainly has a compromised mailbox in their business.

Teams specifically is the spiritual successor to Skype for Business / Lync / Office Communicator - its main benefit is integrating with Outlook, Exchange, OneNote, and SharePoint. If it's not deployed with that in mind, that's a lot of wasted effort, IMO.

Did you try Microsoft Teams live events? Which seems aimed at your use case.

Zoom doesn’t just work. If the students want privacy, they are just helpless.

Edit: downvoted for speaking up for student rights. Sorry if it is inconvenient for the teachers

> If the students want privacy, they are just helpless.

This isn't true actually. As a student, send the following email:

"Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"

My university isn't mandating Zoom. Indeed, they recommended several software packages, of which their top recommendation was Blackboard. (Which is what I've been using so far. I have mostly joined others' Zoom meetings; I've only initiated them for a D+D game I'm participating in.) MS Teams was their second recommendation as I recall, and Zoom was below that.

At least at my university -- and I expect that this is typical -- individual faculty members are deciding how to best fulfill their own responsibilities. And I have emphasized to my students that I have never done this before, and that I'm happy to change what I'm doing if people have good suggestions.

> "Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"

Hi [Student],

I appreciate your concern; however, our university has conducted a thorough audit of this software and found that it satisfies our needs. We will continue using it for our lectures.

Regards, Dr. [Professor]

Senior tenured chair of [Department], distinguished lecturer, [University]

universities are organisations, which all force some incarnation of an internet usage policy. better still, the students are paying an arm and a leg for their lack of privacy. wouldn't it be great for the non-technical end user if these Just Works™ software could just bypass firewalls by way of VPNs, common ports, obfuscated servers or the like?

It does not "just work" for me. First, it required a separate client, when even Skype does not.

Second, it does not support my browser.

Your unstated criteria for "just work" are "just work in browser", which differs from the definition used by the comment you're replying to.

That is not universally shared among others, including the non-technical folks that Zoom is being widely adopted by.

This is what I was getting at with my parent comment, it "just works" for everyone. But it doesn't fit some of the niches technical or privacy minded people have. And in the end, we are bound by the common denominator. I can push my open source privacy respecting solution all I want. But unless it "just works" for the lowest tech user I'm at a loss.

There's a parallel here with security in the uphill battle to get users to respect the caveats of the solution they choose.

You’re being downvoted fairly heavily, which I think is unfair. Even though some other people might not agree, it’s a valid argument to make.

We just had a corporate presentation with around 250 people. Normally we use Teams or Slack for internal communication, this was also stated by management, that Zoom should only be used for 'big' meetings like this. I think they know the other solutions will not work as well for bigger groups. I've not had issues with using either solution for small group meetings.

Actually I have to go out of my way to run Zoom in the browser instead of using the installer. I have to use Chrome instead of Firefox, download but not install the app and wait for the "or run in browser" link to appear after that.

I really don't like macOS installers anyways and passionately hate them as "installing" an App on macOS should be nothing more than moving the .app from a zip or disk image into your /Applications folder. I just don't trust them in not placing additional crap like auto updaters or kexts when I don't need them.

> Normally we use Teams or Slack for internal communication

> to run Zoom in the browser [...] I have to use Chrome instead of Firefox.

Just a note, Slack and Teams calls also won't work in Firefox. It's really annoying.

Hangouts works fine in Firefox though, somewhat unexpectedly.

Here are the Firefox bug reports for Slack calls:


And Teams calls:


Slack originally relied on non-standard, Chrome-specific WebRTC behavior and now is prioritizing development of their Electron app over web support.

There is a Firefox extension to spoof Chrome's User-Agent string for Teams. I haven't tested it, but it appears to work for people: https://addons.mozilla.org/en-US/firefox/addon/teams-phone-f...

In fact, if you change URL from /j/CONFERENCE_NUMBER to /wc/join/CONFERENCE_NUMBER you won't be needing to wait for that link.

There is also a browser plugin I saw floating by a couple of days ago that would just enforce this step, but can't find it anymore.

From another commenter on another HN thread https://github.com/arkadiyt/zoom-redirector
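The URL change described a few comments up, as an added example (not part of any comment in this thread and not code from the zoom-redirector project): a function that rewrites a `/j/CONFERENCE_NUMBER` link to `/wc/join/CONFERENCE_NUMBER` and refuses anything that is not an https link on a zoom.us host. The function names, the digits-only conference number, the https-only rule and the host restriction are assumptions of this example.

```javascript
// Added example. Assumptions (not from the thread): conference numbers are
// digits only, and only https links on zoom.us or its subdomains are rewritten.

const JOIN_PATH = /^\/j\/(\d+)\/?$/;

// Exact match or a true subdomain. A plain substring or "ends with zoom.us"
// test would also accept lookalikes such as "notzoom.us".
function isZoomHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "zoom.us" || h.endsWith(".zoom.us");
}

// Returns the web-client URL as a string, or null when the link should be
// left alone (unparseable, wrong scheme, foreign host, or not a /j/ link).
function toWebClientUrl(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not an absolute URL
  }
  // url.hostname is the real host even when the link carries userinfo,
  // e.g. "https://zoom.us@other.example/..." has hostname "other.example".
  if (url.protocol !== "https:" || !isZoomHost(url.hostname)) return null;

  const match = JOIN_PATH.exec(url.pathname);
  if (!match) return null;

  // Only the path changes; query string and fragment are kept as they were.
  url.pathname = `/wc/join/${match[1]}`;
  return url.toString();
}

// Constructed sample links (not real meetings).
const samples = [
  "https://zoom.us/j/123456789",
  "https://example.zoom.us/j/123456789?pwd=EXAMPLE",
  "https://zoom.us.example.net/j/123456789",
  "https://zoom.us@other.example/j/123456789",
];
for (const s of samples) {
  console.log(s, "->", toWebClientUrl(s));
}
```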

App installation should always just be a file copy. Deinstallation should always just be a move to Trash (or ~/Disabled equiv).


I'm even uncomfortable with config scattered everywhere. The continued need for those 3rd party uninstallers is an admission of failure.

Source: released products ported to misc Windows, classic Mac, modern Mac. Our dev, QA, Test, tech supp was always so much easier on Mac. Not least because we could have multiple current versions installed. Which allows troubleshooting, rollbacks, etc.

Caveat: I personally use package managers and am curious to see if Nix becomes the norm. So I may change my mind in the future.

If the file is only moved to trash it will keep configuration and other artefacts around or not support such features or the file has to be mutable, which is questionable from a security pov

Thanks. I've been chewing on your reply. I didn't get very far. It finally occurs to me that macOS (or equiv) could implement iOS (or equiv) style sandboxing. Maybe that's already in progress. As a dev and former power user, I'm sure it'll be uncomfortable.

Why not use Teams Live for this? We have been using zoom and Teams alternately and Teams performance and ease of use has been much better in my experience, but we have yet to do a 200+ all hands so I was curious if there were some footguns with teams live that you may know about. Teams live works on a lot of platforms and also has a web version.

> Why not use Teams Live for this?

My wife was on a Teams videoconference last week. 125 people in four locations from New York to Southern California.

An hour into it, half of the people were simultaneously dropped, and not from any particular geography. It was random. And nobody could reconnect for a very long time. It took 45 minutes to restart the meeting.

The company is no longer using Teams.

have only recently started using teams with one client. small group (max 6 folks I think) and... we've had issues with it - someone's video freezing, audio garbled/dropping, etc - twice in 2 days. but... I'm sort of chalking it up to potentially overloaded/bad net connections in the wake of all the WFH and remote meeting stuff being used. We had issues with connecting to zoom (and their phone numbers) last week as well, so I'm not ready to pull the plug on teams entirely until we have more experience under our belts.

To be fair I’ve seen the same thing happen with Zoom. During a 2 hour meeting with a client, about half of my team was dropped and couldn’t get back into the meeting for several minutes.

Teams live events (https://docs.microsoft.com/en-us/microsoftteams/teams-live-e...) which the parent comment was referring to is actually a specific feature in Teams that is only available for certain levels AFAIK but supports vastly more people than a standard Teams meeting.

The predecessor, Skype Broadcast allowed completely anonymous viewing, basically a twitch or youtube stream. In the name of growth hacking, the Teams team decided to force people to the app, you couldn't watch the video stream from a mobile device without the teams app. Which is a huge amount of friction for a mobile workforce that isn't using teams.

Maybe this has changed since I last talked to Microsoft, but even their own team was unhappy with it. But if you still have access to broadcast.skype.com, it still works, until they decide it shouldn't.

The only Teams Live meeting I've ever tried to join, we had two people who gave up because their web version didn't support Safari without having to manually go deep into their preferences and change settings from the default.

I don't know of any, but our team uses Slack, not Teams. Barely any complaints about Slack video chat btw, but that's all small sessions anyways.

My employer has used Teams Live for all-hands meetings from home the last couple weeks and it worked great for ~350 attendees.

Well, I have a feeling that the praise for zoom going around is not from people working in enterprises, it's people working for everything-but enterprises, who just want a solution that works.

In my experience (also not enterprise), Zoom is the simplest solution with the best quality and latency, compared to the alternatives. The UX could be better, but the performance of Zoom for all platforms makes you survive the UX.

Yep, Zoom is the only one I've used where I have never had an audio problem, never a drop out or glitch.

I don’t think you can get much more reliable or simpler than whereby.com

My company has used Hangouts for years with zero problems. Zoom is mostly just hype.

As someone who has used a variety of VTC products (Zoom, Webex, BlueJeans, Teams, Skype, etc.) for several years on a daily basis (lots of external VTCs with different companies who use different VTC systems), Zoom is by far the best. The audio and video quality is head and shoulders above the rest (both on PC and mobile) and the interface is dead simple for even the least tech-savvy users.

My company uses Zoom, and there have been many instances where, during a VTC call set up by someone at another company (that doesn’t use Zoom), we have switched mid-meeting to Zoom because there’s something wrong with the other VTC system (someone can’t join, can’t hear, can’t speak, can’t share their screen, etc.). And the other options haven’t gotten noticeably better over the years either.

I've been working remotely for years.

In my experience, every other solution I've tried is a train-wreck, compared to Zoom (MacBook Pro w/ external Apple monitors). And, as far as I remember, I've tried them all, repeatedly.

Even first-class platform-specific solutions like FaceTime are, basically, unusable vs. Zoom. It's amazing, actually. I'm not quite sure how Apple managed to make FaceTime's audio just not work (almost ever), and Zoom just works, every time, on every platform.

> I'm still curious why everyone thinks Zoom "just works" while others don't.

I'm also curious. I subscribed to Whereby (https://whereby.com/), where I can send people a URL, which they click and land in my conference room. There is ZERO software they need to install.

[For all the "well, actually" folks: yes, it "only" works in every modern browser out there, and it works "only" for up to 12 people. Fine with me.]

Zoom has more features, but there are many other solutions that work much better and are WAY simpler. It's just that Zoom is well known, and it's easiest to choose the tool that everyone has heard about.

To be more specific, whereby seems to be free for up to 4 people, but then they claim to be able to support 50. Never tested it with 50

Some of my teachers use jitsi, which works on the same principle. The teacher sends a link, you click it, and that's it. Works very well, and no limit.

Specifically, my "Pro" plan allows up to 12 people.

I use whereby too. It's great.

From my perspective, working in the browser is not necessarily "just working", because for many combinations of OS/hardware, the performance is terrible and not only eats battery and will slow down other programs, but also affects the quality of the call (audio and video).

Also, granting a website access to my camera, granting access to my microphone, and so on; which are really not functions I want to be granting any websites. I don't run a browser to have it randomly turn on surveillance devices. I prefer to run an app to access my camera and quit it when I'm done.

Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?

Also I regularly attend more than 50-person zoom calls without a hiccup. Google I think requires an enterprise plan to get to that limit, and I don’t even know what the name of their video conferencing product is at this point.

> Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?

For Google, the answers are "sorta but not really", and "no":

https://support.google.com/meet/answer/9303164: "Note: Guests on the web don't need a Google account to participate in a meeting." The initiator of a meeting needs a G Suite account, but others can join without one.

https://gsuite.google.com/learn-more/security/security-white...: "Google does not collect, scan or use data in G Suite Core Services for advertising purposes."

(Speaking for myself, not Google.)

I don't think either of those are true for meet.

> While Google and Microsoft both offer a product that "just works" with only a browser.

But those products don't always "just work", at least not in my recent experience. I have had repeated problems with Google meetings while working with an external entity, and most of my employer is a Microsoft shop, so I've had to deal with issues with both Teams and Skype, both via browser and OS X app.

Zoom has a browser version as a fallback.

Most people use the standalone app because indeed it "just works". That's why you don't hear much about its browser client.

> Most people use the standalone app because indeed it "just works".

Most people use the standalone app because Zoom aggressively pushes it.

Google requires you to have a Google account. Kids in middle school (ages 12-14) and younger typically don't have an email address. Zoom, on the other hand, lets you join a call without logging in. You can even join straight from the browser if needed without installing anything.

> Google requires you to have a Google account

Not for joining a meeting, no. You just type your name.

Zoom has a web client that "just works" but they only show it as an option after they detect that their native client didn't "just work".

The web client is well hidden, crippled and only works in Chrome.

Gallery view does not exist in the web client. Nor the ability to add cat memes to your background.

That's weird, when I open a meeting link (which would open the native client) at the bottom of the page it says "If you cannot download or run the application, join from your browser.".

I have the native client and it still shows me this option.

The visibility of this link is disabled by default unless the person trying to join attempts (and fails, even if deliberately) to download+install the client at least twice.

It can be enabled, but it's not on by default.

Google has messenger and hangouts and another video conferencing solution that I don't recall.

The reason we ditched hangouts for zoom a few years ago was that hangouts only supported up to ten users, including users whose connection had died and so they had to re-enter the room again. This became extremely annoying - having to stop a conference mid-call to ask some people to disconnect so others could enter, or trying to find out how to kick "ghost" users, was definitely not "just works".

Google Meet supports up to 250 participants in the enterprise version.

they work for your use case.

hangouts can’t handle many users (is it 10 the limit?), which is a deal breaker for me. we’ve tried and people couldn’t join the call.

if by microsoft you mean teams, i’m not aware of it working without accounts (not an issue for google as most people have google accounts).

> hangouts can’t handle many users (is it 10 the limit?), which is a deal breaker for me. we’ve tried and people couldn’t join the call.

My company had a 17 person Hangouts (Meet) meeting on Monday. Actually, we switched to Hangouts from Slack because Slack has a 15 person limit.

Is the limit maybe different for "Hangouts" vs Hangouts Meet?

That’s probably the issue. We were using the free version.

Teams works for "guest users", but they have to be let into the meeting by a "real" user.

Also, I think it's possible for companies to disallow guest users on their team instance.

Teams live can work without logins but you have to make the feed public with a hidden link.

teams has another issue though: when someone speaks, it cuts the sound for the other people speaking at the same time. in theory this sounds good, but many times it will cut the sound of the active speaker. yes, i think this can be managed with group mute, but zoom doesn’t have this “feature”.

Google Meet supports up to 250 participants, on the Enterprise version. Also it doesn't require an account to join.

Same question. Not because of the browser thing but just because it doesn't "just work" for me or my team.

It just amazes me that the "just works" solution here is still a native app. Plenty of reasons to use native apps but in 2020 video conferencing really isn't one: WebRTC is capable and supported by every major desktop and mobile browser. It's literally one click and you're done!

None of the WebRTC based options just work, they're all glitchy and cannot scale up to even moderate amounts of users. We have Google Hangouts Meet for free for our org, and we still pay for Zoom because It Just Works.

Even having the "unblock this site from camera and microphone" buried in the browser chrome or settings pages somewhere is a dealbreaker. It's too easy for people to mindlessly click "no" to "can this access your microphone", because of the way the browser pops it up during first use, instead of during "install."

True. Even the adblocker and autoplay blockers can prevent video and audio from working in Hangouts. I have had issues with hangouts when joining meetings with important people — and my browser’s autoplay block feature prevented the video feed from working.

Yeah. And high fidelity sync between audio (ideally via phone). Maybe someone does it, but we tried _all_ vendors and settled on Zoom. And screen annotations, and the ability to remember participants' phones and dial them directly (replaces them having to type 9 digit numbers into their phones), etc.

Also, Zoom has reached a critical mass where, particularly for sales calls, the remote party is quite likely to have it installed. The network effect here is really valuable.

Maybe it has to do with the plan you have? I've used Google Meet with up to ~150 participants and it was fine, but we have an Enterprise account.

Same here, we used hangouts for the longest time but it got worse. Zoom just works perfectly all the time.

I guess it works for some. I've had two Zoom meetings this far, and in both cases the organizer quickly changed to Jitsi as Zoom had distorted audio.

Maybe some incompatible software/hardware at some end? I don't know or even care really, but Jitsi worked well with the same participants both times, while the anecdotal Zoom success rate is still 0% for me.

For meetings I host I'm trying to evaluate Jitsi as well, so far without much luck. I'm not hosting that many meetings and the one I did was with someone using Linux not getting screen sharing working.

But Jitsi is on my shortlist as I think being open source and self-hostable is the way forward for a tool that could knock Zoom off its throne.

This still isn’t a good reason to build a native app instead of just using webrtc.

Someone should make a PSA site that says something along the lines of “don’t install teleconferencing software because it usually bundles malware; your browser already has the technology built in.”

What do you mean by "bundles malware"? What else is it doing besides teleconferencing?

To be clear, that's a security issue with their software but not malware. It's not intended or designed to harm your device.

It is however the reason why this solution is being used instead of all the other ones.

This is/was maybe true on Windows but on macOS installing an App the standard way is straightforward and any user knows how to do it.

Which standard way? You have:

- Install from App store

- Drag and drop the .app from zip/dmg

- Using a .pkg installer (mostly based on Xcode templates)

I'd argue that a lot of users don't know all of these and some even run most of their applications from the ~/Downloads folder.

Good point, but: You can do so much in a browser now. Does teleconference software really need an installed client anymore?

In theory. But in practice, as a developer you don't want to depend on the browser support for your whole product. Conferencing features of browsers have been pretty lame, compared to what's possible in a professional product.

{edit} My experience: investor took over our startup, made us switch from bespoke technology to web-based conference features. Every feature was compromised, reliability and capacity reduced by 10X.

Based on my experience with Zoom on the one hand and that Google thing on the other, yes, yes it does.

Browser blocking and plugin features can prevent it from working. For example, I’ve been in hangouts meetings where the video feed wouldn’t load because autoplay was blocked on the browser. Of course, you can work around that, but having the Zoom desktop client provides a reliable experience without any tweaking

For better or for worse, WebRTC is very opinionated about codecs and transports. Those might be great choices for some scenarios, but no developer wants their whole business to be constrained by it.

Zoom would "just work" if they didn't force you to install software on your computer in the first place. If google meet can do it, zoom can too.

Google Meet is terrible, there's a reason why everybody switched to Zoom even in an over-crowded market

What's your problem with Meet? We've switched to it massively after issues with Webex, and it's all very good.

Doesn’t Google Meet depend on a browser plugin they make you install the first time? Hangouts did.

Apparently a plugin is needed for Internet Explorer, but otherwise isn’t.

As someone who's never used or seen Zoom in action, what's pulling people into Zoom that's not already available in other tools (Hangouts Meet, MS Teams) and even works without installing anything (such as Jitsi)?

Based on what I've seen, there's just so much hostile behaviour by the company (including lying about meeting HIPAA e2e requirements!) and the fact that their _official client_ had parts removed by the macOS malware removal tool that I just don't get why people still consider it as an option. If it were the only "just works" tool out there I'd understand, but there's plenty of competition in this space.

I've personally begun using the Jitsi server the local student network association has set up and it's been working like a dream. You can even share a window to others (which I didn't even know browsers had support for) for presentations and such.

I use Zoom, Hangouts, Slack and WebEx. Out of those Zoom has the best call quality, and it is the only solution out of the 4 on which huge meetings (50+ persons) are workable.

I've been in Google Meet meetings with 100 to 150 participants, it worked fine.

Was just on a Zoom call with 656 participants, it was remarkably better than any other solutions we've tried in the past.

I've used another software for big meetings, now called Vibe, which works if I close chrome and patiently wait for the bloated java app to expand into all available memory before trying to take any action... it's not great.

Zoom manages to run without crashing and doesn't force me to close a browser and wait a lot, so that's an advantage.

I use Meet at work. For social gatherings, my friend group exclusively uses Zoom because (a) better tiling (seems small, but you want to see everyone) and (b) video quality seems better.

There’s a chrome extension to do tiling:


Which is even more infuriating because it shows that missing tiling in Meet is just a frontend issue.

I’m completely baffled that this is not implemented.

Yes, that extension is great. Doesn't work on iPads though.

The meme that HIPAA requires e2e is so ridiculous - it is pretty clear that very few people actually deal with HIPAA stuff.

Zoom (if you need HIPAA) can set you up with it - but you WILL lose a bunch of features (zoom by default has features that are not HIPAA compatible) - so make sure you need HIPAA before paying for it.

If anything medicine is almost anti-e2e. Everything is copied and copied between one system and another (billing, lab systems, imaging systems etc). Seriously, medicine is in many cases very fragmented, so the number of medical practice groups that need copies of your details / visit details etc is high just to bill you (and you may end up with 5 bills for one visit - which may be 4-5 systems behind the scenes).

My experience (beyond Zoom) is with WebEx, Hangouts, and Teams. Zoom has a better UI for large meetings, and the audio quality is significantly improved. We just switched recently from WebEx to Zoom at the office and it's been refreshing. A few days ago was the last time I tried to use Teams, but the "only four people on the screen at a time" limitation was a no-go for our family's virtual gathering. Everyone was much happier with Zoom's video grid, and we noticed that the audio was significantly improved -- in particular how it handles multiple people trying to talk at the same time.

I really wish they'd make the client available in the Mac App Store. Not only is the installation experience better than this, things also stay nicely up-to-date. If your company runs an MDM for your Macs, it's easy to deploy apps en masse to everyone.

But then they'd need to opt-in to sandboxing and other "onerous" requirements and couldn't pull shady things like this.

Nailed it.

It's times like this when I realize how much I prefer the Mac App Store over everything else.

Zoom should definitely offer a Mac App Store version. Even if they just take their iPad app and Catalyst it, I'd probably use it.

Why isn't this categorized as a major Mac OS vulnerability? If Zoom abuses preinstall scripts, what's to say others aren't?

It's not a vulnerability, as the dialog says "run a program" and prompts for confirmation.

It's up to the user's imagination to consider what a program can do.

The prompt is terribly worded though.

It seems macOS could use virtualization or permissions to run these scripts in some throw away environment to get rid of the problem altogether. Preflight check programs shouldn't be able to write anything to disk.

Underrated take. They shouldn't be able to do this. This should flag Zoom as PUP for malware removal, if it weren't the new go-to.

Two questions this raises, for me at least:

How do I know I’ve completely uninstalled all the things Zoom installed?

And, if Zoom provided a separate uninstaller (like many apps do) and it was verified to purge all of the stuff they installed (along with the uninstaller); would that appease people's concerns?

For now I’m sticking with the iOS app for video & their web-based experience for desktop sharing...

A previous version of Zoom installed a web server on MacOS without telling you, and left it there after the uninstall process. So the answer is no, you can't be sure.

Oh, and there was a known vulnerability in the web server that allowed remote access to your camera. The company claimed this was all intentional and was a feature and refused to remediate it for months. Eventually Apple issued a system update that removed the web server.


If you have Homebrew installed, you can run `brew cask zap zoomus` to get rid of all the things (as far as we know) Zoom has installed.

If you prefer to remove it manually, here’s the list of files and folders Homebrew will delete on `brew cask zap zoomus`:


Your list seems to be missing a couple of files that the Zoom uninstaller cleans up.

That's deliberate. Homebrew always runs the Zoom uninstaller first before going through the list.

Running the uninstaller is enforced by the `pkg` declaration. See also: https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22...

I think it's interesting to see the outcry when Apple poses new restrictions in the application distribution process (like signing and sandboxing) but conversely the same cries go up when there is an App that seems to be abusing loose control mechanisms.

I think a lot of power users rightfully feel they are belittled by sandboxes and application restrictions. But seeing that they are not the major userbase and most Apps don't really need any permissions at all for their intended purpose (the user's purpose at least) I think Apple is moving in the right direction.

It's possible to do things wrong in more than one way.

Part of the benefit of macOS apps is that you can just put them in the trash and they're gone. Breaking that contract isn't like awful but it is frustrating.

Can someone explain to me what the problem is? If you run the installer, isn't that consent to install the software? That's the whole point of it. I guess this isn't the "Mac way" but this is exactly how I would write an install script if I was slapping together support for other platforms. In fact this is the same way most installers work: it unzips an archive somewhere, then creates the links for remove/launch/etc.

What is the typical install process for software on a Mac?

Zoom is using a hook in the macOS installer framework in a way that is not intended.

This is forming a troubling pattern [1]. Zoom will do anything to reduce the number of clicks to start a conference, even if it results in a misleading installer prompt or security vulnerability.

[1]: https://www.zdnet.com/article/zoom-defends-use-of-local-web-...

Many PMs are obsessed with click optimization. I've been told many times that a certain feature or security method is no-go due to it being "too many clicks" full-stop -.-

The whole torrent of grey area, just over the line and outright shady behavior at Zoom is a problem in itself even if all the separate instances in isolation aren't grounds to stop using them. Their responses to security issues and today's revelation of misleading marketing on E2E encryption make it clear they're not just making isolated mistakes. Shady is at the core of how they operate, this is an indication that Zoom has a company culture of accepting borderline behavior. Otherwise it wouldn't be so widespread.

As a customer this is a reason for me to stop using Zoom. Not in the last place because I'm quite sure we're only seeing the public tip of the iceberg of all the unacceptable things happening within Zoom.

Unfortunately, the current system and people in power seem to not give a damn about security and shady behavior, as long as the thing they are using is working and working well. Zoom is an example of very useful and performant software with shady company behind it, that's why people will continue using it.

Same with Uber, Google and bunch of other companies. It doesn't matter what they do, as their product is helping people enough for people to look past the terrible things.

Enterprise customers DO give a damn about security. They can be slow to react, but rules are also there for a very long time. If Zoom doesn't want to lose most of their marketshare in favor of WebEx, they should probably address these issues.

> Enterprise customers DO give a damn about security

You are wrong. Even without extensive experience in the space, you can very easily see how even large companies don't secure themselves at all. The US has had Equifax recently, and it's not like that was an isolated example either. There just isn't a security culture at the eye-watering heights of corporate upper management and while everyone's as busy making money as they are, there never will be. It doesn't fit into the system, and anyone who tries to change it gets muscled out by people who don't want it to change - because that is simply what's most efficient.

This has been my experience as well. Large companies pay lip-service to security that protects their customers; they want just enough for legal deniability in the event of a breach, but not so much that it impacts operations or profits.

However, they can be...enthusiastic when it comes to security around protecting themselves. If you report an issue with customer information on a public S3 bucket, they might get around to fixing it someday, but if there are "trade secrets" or the like in that bucket, the issue is going to get fixed immediately and someone with a big title probably won't be coming in tomorrow.

This is hilariously wrong. I brought up Zoom issues at our enterprise client - no one gives a shit (this is in Germany, so rather privacy focused). As a consultant I felt a need to bring the issues up, backed with sources of course.

So why does no one care? Because Zoom UI/UX apparently works 100x better than most other solutions. People don't even REACT when I mention Jitsi or just using the Teams solution that every Microsoft customer has anyways.

The enterprise I was talking about is using a mix of Microsoft Teams and Zoom. Our team started with Teams, now we are using Zoom because I don't even know. Others also move from Teams to Zoom.

I bring this up to lots of people and the response is rolling eyes and "shut the fuck up" in business euphemisms. Zoom is viral now and privacy has no say in its success.

Could also be an issue of pricing. I wouldn't be surprised if Zoom is cheaper than MS. Maybe someone with knowledge on the sourcing side could comment on that.

Sorry, I wasn't clear enough. The enterprise already has a Teams license which is part of an Office/Microsoft deal that they will of course continue to have.

So Teams is there, will stay there and it works well but people are still moving to Zoom anyways.

Correct, and we blocked zoom.us on the corporate network. No way we're allowing this malware within our walls.

We already have meet.google.com that works well for us, and external clients can easily join through a web browser.

“Enterprise customers DO give a damn about security.”

When I look at IT they give a damn about some security but then completely ignore other huge problems. I think a bigger concern for them is cost, liability and convenience for the administrators.

As an employee of a corporate, I can tell you that they do not care about security more than money. Cheaper the better. Money > Security

They're much more likely to lose it to Microsoft Teams, which has been doing great the last several weeks.

I think you underappreciate one point here: We can still have long term alternatives to Zoom (and we can have them now).

Google and Uber are already difficult to replace or to otherwise challenge.

Uber is trivially easy to replace with Lyft or $generic-taxi-app.

Lyft only operates in US and Canada. Uber is available in 63 countries. The convenience you get just having that one Uber app work is not easily replaced. But yeah you could always try to find the local ride sharing company's app, but it can be far less convenient.

Only a tiny minority of wealthy people frequently travel internationally. This is not a major selling point that will save Uber.

How do you persuade enough taxi drivers to use $generic-taxi-app in enough areas to make it worthwhile for someone to choose to use it instead of Uber?

They're using malware-like behaviors to spread out and reach more customers, even at the cost of security.

They probably learned a lesson from WhatsApp which was a nightmare of insecurity in the early days that cutting corners gets results and approximately no one cares (except the tiny minority like us who would never use it anyway).

Also, Zoom's entire engineering team is based in China [1]. China and Chinese companies have no real culture of user centric privacy.

[1] https://news.ycombinator.com/item?id=22707528

Edit: Why downvote me? I am not trying to stir up flame wars. Saying anything against China has become impossible to do on HN. Voices get drowned despite raising real legitimate concerns about privacy, especially for a tool used by millions all of a sudden during this pandemic. People should be speaking up on HN. I know, I am not supposed to complain about downvotes on HN, I've read the guidelines.

Edit2: Not able to find the source for Tianjin datacenter, I will reply if I can find it. Please take it with a grain of salt.

Edit3: Holy shit, so much attention on my comment. Redacting unsubstantiated claims and adding more sources that can be traced on the Wikipedia section of Zoom privacy criticisms: https://en.wikipedia.org/wiki/Zoom_Video_Communications#Crit...

Please don't break the site guidelines [1] by going on about downvoting. Your comment has been heavily upvoted. Meanwhile complaints like that linger on as off-topic and false, and don't garbage-collect themselves.

You can use HN Search to verify that HN sees plenty of comments "saying anything against China". The topic is extremely flame-prone because people are wont to hurl generalizations at each other, and worse. Nationalistic flamebait and flamewar is a big problem on HN [2] and destructive of the spirit of this site [1]. Individuals have been attacked here just for expressing their views while being (or being assumed to be) Chinese, and at least one person was hounded off the site altogether. I'm sure you'll agree that that's shocking and not at all the community we want to be. None of us wants it, but it's easy to get it anyway, once such flames get going.

I don't think your comment was nationalistic flamebait, except insofar as it was rather unsubstantive. Unsubstantive comments on inflammatory topics are guaranteed to come across in a flamey way to some segment of the readership, even when that wasn't your intent. Intent doesn't communicate itself, unfortunately, so the burden is on the commenter to disambiguate [4].

[1] https://news.ycombinator.com/newsguidelines.html

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

[3] https://news.ycombinator.com/item?id=21200971

[4] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

Understood, thanks and accept my apologies. I have some feedback - please make exceptions when discussing fact based discussions around privacy when it is not tending towards flame wars, especially related to Chinese influence and erosion of privacy. I can see why this can lead to flame wars but that's where you should step in and moderate. I just read your links to people getting harassed if they are Chinese, that's not cool.

I think my comment addresses this, but perhaps you were replying to an earlier version, or perhaps I wasn't clear enough. What you posted was trending towards flamewar, even though you didn't intend it that way. Telling moderators to "step in and moderate" isn't sufficient to solve this problem. For one thing, we don't come close to seeing all the material that gets posted—there's far too much. We do step in, but we also need users like you to understand the problem a bit differently. If you're going to comment on an inflammatory topic, you need to make sure your comment is substantive, i.e. contains solid information and not just grand claims. And you should be careful to narrow its scope explicitly to what the information supports. Fortunately that should also be enough to make it clear that your intent isn't just to post pejoratives about other people.

Your comment is at the top. Please don't complain about downvoting.

"China and Chinese companies have no real culture of user centric privacy."

Citation needed. That's one billion individuals you are talking about.

I don't think it's fair to call that borderline racist. That's an extremely strong word; let's not escalate where it isn't needed. The problem with the statement is that it doesn't come with any substantiation, or additional information.

Edited. Feel free to delete my comment, it's redundant now.

I think the edited version of your comment is just fine.

Thanks for sharing. I'm not too concerned about engineering happening in China but data storage seems problematic, especially because of the lack of encryption on their side.

The post or the CNBC link don't seem to have the word Tianjin in them (comments do). Can you provide more details or another source?

If that's indeed true I won't be hopping on a Zoom call later this week with my bank for instance.

I'll try to dig out where I read it - Google isn't helping. I am gonna edit my comment to clarify about the source.


Please stop posting unsubstantive comments here.

You get downvoted because every post critical of China gets hit, regardless of quality or veracity.

The post has been heavily upvoted, and what you've said isn't close to true. Please read and follow the site guidelines: https://news.ycombinator.com/newsguidelines.html
