I installed Zoom on macOS yesterday and I thought that the install was crashing because this is not the expected behavior. I would double click the download, try to install, and then the installation program would "crash", so I'd try it again. Did that a few times before I realized it was installed. Until now I thought it had somehow gotten far enough in the installation process before crashing that I could at least use the application. I'd been hearing everyone raving about how Zoom was such better software than anything else, and my first experience was their installer doesn't even work.
This was a horrible user experience for me, and I wasn't thinking about security implications at all.
I did this too and didn't put two and two together till now. I just assumed it was a buggy installer that broke with that version of MacOS and tried a different machine.
I've defended Zoom in the past for ethical 'slips', but weirdly this has tipped me into hating it.
Homebrew Cask's uninstall scripts are basically a community-maintained "best guess" as to how to fully uninstall each piece of software. It's generally pretty reliable, and I do use it to remove non-brew installs sometimes.
Note: I have contributed casks to Homebrew Cask before.
You can add `--force` and zap will also work on non-brew installs. The paths are community-contributed, so watch out (you can print the paths with `brew cask cat <name>`).
No. Homebrew sends a per-installation unique identifier to a third party (Google), tracking your location across different IPs, whether you want it to or not.
Popcon is first-party, and is entirely opt-in. It doesn’t send anything unless you want it to.
I would highly recommend checking all installers on macOS through Suspicious Package. It will give you a complete picture of all the installer scripts that will be run and all the files that will be written.
I did just that for zoom and decided against installing it.
Oooh this is good. A few years ago I came home drunk and wanted to watch this old film that wasn't on any channels. I found it on some dubious website, which required me to install a player .dmg. I drunkenly typed in my password, and then an hour later was like: dafuq did I just do?!? Next day I re-imaged my mac because I'm both paranoid and don't know enough about secops.
SuspiciousPackage wouldn't have helped combat Drunk Install Syndrome, but it might have been a helpful tool before I nuked my OS.
Or maybe this is just good marketing for SuspiciousPackage, which is really malware. Well played.
Said this on Reddit the other day and got downvoted.
It _is_ bad on macOS. It used to be one of the better platforms to stream video content to others, but now it just lacks in many areas compared to most of its competitors.
The worst bug I had was it essentially started muting random people on a call, but only for me. I could see their mouth moving, and thought it was a problem their side but turns out everyone else could hear them apart from me. I could hear everyone else too apart from them.
Same here. I thought the process didn't finish until I tried launching the app (which I was supposed to do by clicking a link in the browser, which is also rather unintuitive).
Zoom's got a tradition of being, let's put it like this, way too clever for everyone's own good.
See previous “let's install a server on this Mac that is not removed when you uninstall the app and leaves your camera open to the entire internet” for more examples.
sunova.... I couldn't find the web based version... That's what frustrated me about zoom compared to webex. I could use Webex in the browser and zoom had to be installed.
It's gated behind a fallback after three "failed" attempts at clicking on the link to open the app after opening a meeting URL, or a meeting setting. So, not on by default, seems to be unable to join audio unless you use Chrome, and shows a single video only.
I tried using the web client in Chrome today on my Mac, and the audio was playing to me at what felt like 50% speed; everyone sounded like slow motion to me.
Don't know bigbluebutton but at least among Jitsi and Google Meet, Wire is an alternative that is open source and end to end encrypted. They just don't make it easy to host your own, for that I guess Jitsi is the best way to go.
I was a big proponent when they started as appear.in, but they’ve been steadily removing features (or moving them to the paid plan). For my friend group, the biggest appeal was that you could use it in a browser without an account by inventing a room name. That was one of the first features to get cut.
Everyone I’ve ever recommended it to has bumped into the limitations, asked me “what happened”, and switched to something else.
I haven’t tried it extensively, but I’ve read about https://meet.jit.si/ on HN and passed it on to a friend in that situation. He was happy with it and described it as “what appear.in used to be”.
1) If Zoom can do this then it's a MacOS security bug.
2) UX matters. Users don't care about the technical details, they want a smooth experience and that can be the difference between a billion-dollar business or a failed startup. And yes the desktop version is more stable than the web-based UI.
3) Malware is defined by what it does, not how it's installed.
I mean, it's not really a security bug. Installer.app displays a dialog box that says "Hey, this package wants to run arbitrary code to check if it's compatible with your system. Is that OK?" The user is explicitly opting into the code execution. Zoom's "compatibility check" installs the app and kills the installer window. That's certainly unexpected behavior, but I don't think it's an exploit in any real sense.
Normally I'd object to running arbitrary code with just an easily-skippable dialog as confirmation, but I think it's OK in this case where the expectation was that we're installing their software anyway.
It's really Apple's fault. "This package will run a program to determine if the software can be installed." is just fundamentally a very strange statement to make, loaded with vagueness.
Think about your average user... they are running an installer program... which alerts them that they need to run another program... to determine if they can install the program.... (Which the user thought they were already doing)
The loaded expectation of the user to realize they are granting privileges to a program to determine whether they can install a program is just totally unreasonable.
It just sounds more and more ridiculous written out like this.
On top of this, a standard install asks for permissions, but doesn't disclose who/what is asking for it (certified in some way) or what permissions it wants, if these are temporary for the install or permanent for the application, or what it is going to do during the install (what goes where, what gets changed etc).
It is long past time for Apple to improve this process.
You're right, it's more of a design issue. More explicit permissions on altering the Applications folder could help. Then again, most people want an easier install so this is really for those who want that extra control.
As a user, I would not assume that checking compatibility means I'm executing arbitrary code. I mean it could just be macOS examining the binary to make sure it's compatible with my ISA, or checking some app metadata about recommended free resources like ram/disk space.
> 3) Malware is defined by what it does, not how it's installed.
Well, from the tweet thread:
> If the App is already installed but the current user is not admin, they use a helper tool called "zoomAutenticationTool" [sic] and the AuthorizationExecuteWithPrivileges API to spawn a password prompt identifying as "System" (!!) to gain root (including a typo).
Malicious behaviour does not inherently make something malware. That said, the workarounds Dropbox used in the past should also be considered shady or malicious, and do not serve as a convincing defense in any way.
Yes, zoom does need the user’s password to complete the install in the scenario described. So why isn’t there a proper installer that behaves like installers on macOS should? Why do they ask for the user’s password on the behalf of ‘system’?
Oh, and zoom was just busted for sending user data to Facebook (regardless of whether or not you had a Facebook account and without disclosure AFAIK) so I reverse my previous statement. It is malware.
A botnet agent is designed to take control and run a bot, so yes it's malware. It doesn't have to be actively doing it at that moment to be considered such.
Zoom does report usage to Facebook whether you have an account or not - and that data is used to stitch together a web profile of the user that is of no benefit to the user. Zoom is bordering on malware, just... malware that comes with a useful app that allows video conferencing.
I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
I never understood why Apple still supports the pkg format. It seems a half-baked leftover from the 2000s and even then I was already surprised that there is no way to uninstall things through the macOS GUI. I am not sure if this has changed (I try to avoid pkg files and use Homebrew cask to uninstall such packages), but IIRC you had to list the files with pkgutil on the command-line, remove stuff by hand and then --forget the package.
They should just kill the format. Everything should just be drag to install, drag to trash to remove.
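The manual route described in the comment above (list the receipt's files with pkgutil, remove them by hand, then `--forget` the package), written out as a dry-run plan. This is an added example, not part of the thread; the package id `com.example.player` and the sample receipt are constructed, and the script falls back to them when no package id is given or pkgutil is not available.

```shell
#!/bin/sh
# Added example: print a dry-run removal plan for one installer receipt.
# On macOS the three inputs come from real pkgutil calls:
#   pkgutil --pkg-info <id>            -> "volume:" and "location:" lines
#   pkgutil --only-files --files <id>  -> file paths relative to volume/location
#   pkgutil --only-dirs  --files <id>  -> directory paths, same base
# With no argument (or no pkgutil) it runs on the constructed sample below.

# Constructed receipt for a hypothetical package id, com.example.player.
sample_info() {
  printf '%s\n' 'package-id: com.example.player' 'version: 1.0' \
    'volume: /' 'location: /' 'install-time: 1585000000'
}
sample_files() {
  printf '%s\n' 'Applications/Player.app/Contents/Info.plist' \
    'Applications/Player.app/Contents/MacOS/Player' \
    'Library/LaunchDaemons/com.example.player.plist' \
    'Library/Application Support/Player/helper'
}
sample_dirs() {
  printf '%s\n' 'Applications' 'Applications/Player.app' \
    'Applications/Player.app/Contents' 'Applications/Player.app/Contents/MacOS' \
    'Library' 'Library/LaunchDaemons' 'Library/Application Support' \
    'Library/Application Support/Player'
}

# Join the volume and location fields of a receipt into the absolute install root.
install_root() {
  awk -F': ' '
    $1 == "volume"   { v = $2 }
    $1 == "location" { l = $2 }
    END {
      p = v "/" l
      gsub(/\/+/, "/", p)                  # collapse "//" runs
      if (length(p) > 1) sub(/\/$/, "", p) # drop trailing slash except for "/"
      print p
    }'
}

# Emit "action<TAB>path" lines: files first, then directories deepest-first,
# then the receipt itself. Directories get rmdir, never a recursive delete:
# shared ones such as /Library are listed in receipts too, and rmdir leaves
# them in place because they are not empty.
removal_plan() {
  root=$1; files=$2; dirs=$3; id=$4
  prefix=${root%/}                         # "/" becomes "" so joins stay clean
  while IFS= read -r rel; do
    if [ -n "$rel" ]; then printf 'rm\t%s/%s\n' "$prefix" "$rel"; fi
  done < "$files"
  awk -F/ '{ print NF "\t" $0 }' "$dirs" | sort -rn | cut -f2- |
  while IFS= read -r rel; do
    if [ -n "$rel" ]; then printf 'rmdir\t%s/%s\n' "$prefix" "$rel"; fi
  done
  printf 'forget\t%s\n' "$id"              # last step: pkgutil --forget <id>
}

main() {
  id=${1:-com.example.player}
  tmp=$(mktemp -d) || return 1
  if [ -n "${1:-}" ] && command -v pkgutil >/dev/null 2>&1; then
    pkgutil --pkg-info "$id" > "$tmp/info" &&
      pkgutil --only-files --files "$id" > "$tmp/files" &&
      pkgutil --only-dirs --files "$id" > "$tmp/dirs" ||
      { rm -rf "$tmp"; return 1; }
  else
    sample_info > "$tmp/info"
    sample_files > "$tmp/files"
    sample_dirs > "$tmp/dirs"
  fi
  removal_plan "$(install_root < "$tmp/info")" "$tmp/files" "$tmp/dirs" "$id"
  rm -rf "$tmp"
}
main "$@"
```

The plan covers only what the receipt recorded at install time; anything a preinstall or postinstall script wrote, and files the application created later under ~/Library, will not appear in it.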
In my experience I’ve seen even technical users (Who were used to windows) struggle with the idea of dragging an .app from an open disk image to the Applications folder. They would end up running the app from the disk image and then getting confused when it disappears after restart.
This system worked so much better when the Applications folder was placed in the Dock by default, and everyone used that folder to launch applications (which weren't common enough to keep in the Dock directly).
It was actually a really beautiful synergy—you install applications by copying them to a folder, and launch them from that folder. Same way you'd acquire and open files. Lovely.
Then Apple ruined it in Lion with Launchpad. Their app install flow for anything outside of the app store doesn't make any sense.
In even earlier days, applications didn't need to be installed at all. You just ran them from wherever they were. Of course, it made sense to store them somewhere together, and you could cause yourself problems if you put applications onto disks you then ejected. But the current system is clearly influenced by the UNIX underpinnings, and I'm not sure that the average user fully "gets it".
Though preferences files were a bit of a mess.
I vaguely remember in early Macintosh System versions you would be prompted to insert the disk (with the correct disk name in the message) if you tried to open a file belonging to an application which was on an ejected disk.
One wonders why Apple didn't just treat DMGs like Application Folders in the first place. If they had an icon and you could run them directly then there wouldn't be any confusion. AppImage works like that and I think it was a wise decision.
Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.
The DMGs are a clever way to (A) make sure the app gets to the proper location while simultaneously (B) teaching the user about what's actually happening on their computer. As I said in a sibling comment, this all made much more sense when users also launched apps from the Applications folder directly.
> Developers can distribute .app's inside of .zip files, and many do, but this can result in users just running the .app inside of their downloads folder. And then this causes problems if they ever decide to clean out their Downloads folder.
Some applications offer to move themselves to the /Applications folder when started the first time outside /Applications or ~/Applications. Though in general, it would be better if Apple made it more attractive to publish in the App Store, since it brings other advantages (e.g. mandatory sandboxing).
Yeah, and that's a fine solution given the situation Apple has left us in. But it's also kind of a hack, which shouldn't have become necessary.
Also, personally, I sometimes purposefully put apps in places other than /Applications—for example, I like to keep games in their own Games folder. And then the dialogs are kind of annoying.
Hell, why doesn't Finder do this? If you try to run a .app from a .dmg, it should pop up a dialog asking you if you want Finder to move it to /Applications for you and run it from there.
I thought some of these interactions were from a design where Apple wanted the Mac to be more of an appliance. I think the goal / target market has changed. The super-easy-to-use computer is now the iPad.
Mac is now Prosumers and Professionals. And its UX should be treated as such.
One thing to note here: people who administer macOS for organizations basically convert everything to .pkgs (or DMGs). It's the only easy way to silently install applications, and perform post-install actions like performing licensing or activation steps.
> Everything should just be drag to install, drag to trash to remove.
I wish it were that easy, most apps leave files in other places on your computer like ~/Library that will never get cleaned up if you just move the app to trash.
As much as this bothers me because of who I am, I don't think it's a real problem. Those files shouldn't take up significant space unless the developer is doing something stupid.
It might be nice if macOS had some sort of automatic cleanup routine when an app is trashed, but that would either require showing the user an extra dialog (a la AppCleaner's) or introducing an opaque system which could potentially lead to data loss.
Indeed, data outside the application folder usually consists of a preferences plist and saved application state. Of course, there could be caches as well, which could take up a fair amount of disk space.
But I think the primary argumentation in favor of what macOS does now on drag-to-trash is that the user's preferences are preserved, for when they install an application again.
If the pkg format was no longer supported, developers might use GUI installers instead, and those are harder to verify and install/uninstall programmatically.
This message is a lie; it is not coming from the system but from the installer script.
Just because the OS is used to show the dialog doesn't mean it should be trusted. As another commenter noted, this could be used to steal passwords; that is effectively what it does.
To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
It should be impossible with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.
Because it lies about its identity, calling itself "System" not Zoom.
This is also a MacOS vuln that lets apps lie about their identity in sudo prompts, much like a browser showing an https site with no certificate checking.
macOS allows apps to write arbitrary lines of text above password prompts, which is what Zoom is doing. I don't see how that's different from a shell script echo'ing something before a sudo prompt.
Don't allow the application to do any of it, and when the app asks for access, have the system instead say "{processName}.app is requesting {permissionFlavorText}. Enter a name and password to continue."
...are you sure? I'm pretty sure that code just pops up the system box to get privileges, with a custom message at the top.
I'm running Mavericks—the last version of macOS before they made the UI flat—and the prompt didn't look out of place. If Zoom is indeed faking the box, they actually went through the trouble to make a separate version for Mavericks with Mavericks-style visuals.
Incorrect. Look at the second tweet in the thread. It's a phishing popup that misidentifies itself in order to steal privileges intended for System, not Zoom.
> Note that in this case, it's still a legit OS dialog.
No it isn't. The dialog prompt is "System need your privilege to change." That's not passing QA anywhere -- it's just a custom message someone put into Zoom without bothering to proofread.
One could say the same for gksudo, UAC prompts, or the equivalent dialog on your favorite operating system, no? Or is there something on other OSes that identifies it?
I don't think UAC is spoofable - if I remember well it minimizes all the other windows and hides the taskbar, which you shouldn't be able to do with a regular dialog.
gksudo is definitely spoofable, except I almost never get a gksudo dialog. I am not trained to expect every other app to periodically ask me for my password.
Not that I'm in favor of this practice, but the one key feature that conference software must have is: it just works™.
Nothing turns you off more from a conferencing solution than: any problem getting it working right now.
When there is just the slightest issue, one person not being able to join, one person not getting voice to work, bad audio, your entire team is blocked/distracted. Which results in a collective disdain for the solution and video conferencing as a whole.
This extends to getting the solution working for greenfield installs as simple as possible. Because who knows which non-tech users from which department all need to join and can't figure out how to set the permission in their browser right or install/use the other browser that is compatible.
So sadly, from a functionality point of view, you want to have the software be able to force itself onto the user in the most usable state it can.
I'm still curious why everyone thinks Zoom "just works" while others don't. Because in an enterprise context it is often hard to download an executable and run it with sufficient permissions. While Google and Microsoft both offer a product that "just works" with only a browser. What makes Zoom more "just works" than that?
I'm a college professor, and I'll share my perspective.
For one, Zoom did just work. (At least as a participant, rather than an organizer.) I tried it out, and it immediately worked. It did what all of us were expecting, with no fuss.
I also tried MS Teams. It seems designed with a different philosophy: that you use the software to do many different things, and you want them all integrated. (For example, it posted my meetings automatically to my Outlook calendar. I had never used this calendar before, and was only dimly aware that it existed.)
Moreover, it seems that the expected setup is a bunch of people, all at the same workplace, who communicate with each other consistently. My needs are different, with wildly disparate use cases: a departmental meeting; classes to teach; an online conference (https://www.daniellitt.com/agonize/); an online social gathering. Many of the people with whom I communicate don't work for the same employer. And I don't want to configure all of these "teams" in advance.
That said, I tried to get MS Teams up and running, to teach my class. This involved multiple emails back and forth to our tech support (it seems that I can't set up a "team" myself; I have to ask IT to do it for me). It didn't have its own whiteboard functionality so I had to download and run some separate software.
And, then, in the end... it didn't work. I was trying to teach a class, but my students couldn't see what I was doing. I had no idea why.
The workaround is quit programs until you find the one that somehow causes Microsoft Teams to not understand that it really does have permissions. For me it seemed to be XCode. But it could be others...here is a partial list:
- Harvest – Confirmed
- Sonos – Confirmed
- Cisco VPN – Issue reported by others
- Microsoft To-Do – Confirmed
- Contacts+ (formerly FullContact) – confirmed
- Apple Photos – confirmed
- Teamviewer – reported by others
- Prompt/popup for app review from App Store – still have questions here. This seemed to be it, but haven’t been able to confirm
- Brackets – reported by others
- Citrix Workspace Version: 19.10.2.41 (1910) – confirmed
This is an example of why "just works" is so important.
You're right, MS Teams is definitely better placed as an org-wide communication/collaboration tool, not an external one. They really need to make it easier to communicate with people in external orgs, the org switcher is my biggest complaint.
FWIW, IT can allow people in certain groups to make their own teams, it's an admin setting.
Working within the US NIH, we are forced to submit a ticket for creating any new teams and the entire Teams/Office 365 ecosystem is entirely crippled for us. All new features take forever to be approved and brought online, as well as additional connectors and apps having to go through an extensive 6+ month-long vetting process before being approved.
Makes using Teams quite a hassle, but with Skype for Business being the only other approved option for internal chat, it's better than nothing.
Those are all organizational decisions, and not out of the box defaults. Microsoft is trying very hard to persuade organizations not to make those decisions.
Completely free teams creation does come at a cost. It makes data governance much more complicated. People creating duplicate places for things they didn't know already existed. A lack of naming convention, to be able to analyze what exists. Microsoft is pushing for people to just be able to get things done, at the expense of organization.
When they mention "connectors and apps", right now there is a very serious amount of phishing fraud going on involving one click links that ask you to authorise a malicious app. Users see a "please click yes" prompt, they never have to enter their password and they think that sounds fine.
I wish Microsoft would try a lot harder in persuading businesses to make the decision to take oauth approvals out of the user hands, because the volume is at a point where I really feel anyone following the "empower the user" discussion almost certainly has a compromised mailbox in their business.
Teams specifically is the spiritual successor to Skype for Business / Lync / Office Communicator - its main benefit is integrating with Outlook, Exchange, OneNote, and SharePoint. If it's not deployed with that in mind, that's a lot of wasted effort, IMO.
> If the students want privacy, they are just helpless.
This isn't true actually. As a student, send the following email:
"Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"
My university isn't mandating Zoom. Indeed, they recommended several software packages, of which their top recommendation was Blackboard. (Which is what I've been using so far. I have mostly joined others' Zoom meetings; I've only initiated them for a D+D game I'm participating in.) MS Teams was their second recommendation as I recall, and Zoom was below that.
At least at my university -- and I expect that this is typical -- individual faculty members are deciding how to best fulfill their own responsibilities. And I have emphasized to my students that I have never done this before, and that I'm happy to change what I'm doing if people have good suggestions.
> "Hi Professor, I just read this webpage [link], which outlines some privacy concerns with Zoom. I know some other classes are running Software X, could we try that instead?"
Hi [Student],
I appreciate your concern; however, our university has conducted a thorough audit of this software and found that it satisfies our needs. We will continue using it for our lectures.
Regards,
Dr. [Professor]
Senior tenured chair of [Department], distinguished lecturer, [University]
Universities are organisations, which all force some incarnation of an internet usage policy. Better still, the students are paying an arm and a leg for their lack of privacy. Wouldn't it be great for the non-technical end user if these Just Works™ software could just bypass firewalls by way of VPNs, common ports, obfuscated servers or the like?
This is what I was getting at with my parent comment, it "just works" for everyone. But it doesn't fit some of the niches technical or privacy minded people have. And in the end, we are bound by the common denominator. I can push my open source privacy respecting solution all I want. But unless it "just works" for the lowest tech user I'm at a loss.
There's a parallel here with security in the uphill battle to get users to respect the caveats of the solution they choose.
We just had a corporate presentation with around 250 people. Normally we use Teams or Slack for internal communication, this was also stated by management, that Zoom should only be used for 'big' meetings like this. I think they know the other solutions will not work as well for bigger groups. I've not had issues with using either solution for small group meetings.
Actually I have to go out of my way to run Zoom in the browser instead of using the installer. I have to use Chrome instead of Firefox, download but not install the app and wait for the "or run in browser" link to appear after that.
I really don't like macOS installers anyways and passionately hate them, as "installing" an app on macOS should be nothing more than moving the .app from a zip or disk image into your /Applications folder. I just don't trust them in not placing additional crap like auto updaters or kexts when I don't need them.
App installation should always just be a file copy. Deinstallation should always just be a move to Trash (or ~/Disabled equiv).
IMHO.
I'm even uncomfortable with config scattered everywhere. The continued need for those 3rd party uninstallers is an admission of failure.
Source: released products ported to misc Windows, classic Mac, modern Mac. Our dev, QA, Test, tech supp was always so much easier on Mac. Not least because we could have multiple current versions installed. Which allows troubleshooting, rollbacks, etc.
Caveat: I personally use package managers and am curious to see if Nix becomes the norm. So I may change my mind in the future.
If the file is only moved to trash it will keep configuration and other artefacts around or not support such features or the file has to be mutable, which is questionable from a security pov.
Thanks. I've been chewing on your reply. I didn't get very far. It finally occurs to me that macOS (or equiv) could implement iOS (or equiv) style sandboxing. Maybe that's already in progress. As a dev and former power user, I'm sure it'll be uncomfortable.
Why not use Teams Live for this? We have been using zoom and Teams alternately and Teams performance and ease of use has been much better in my experience, but we have yet to do a 200+ all hands so I was curious if there were some footguns with teams live that you may know about. Teams live works on a lot of platforms and also has a web version.
My wife was on a Teams videoconference last week. 125 people in four locations from New York to Southern California.
An hour into it, half of the people were simultaneously dropped, and not from any particular geography. It was random. And nobody could reconnect for a very long time. It took 45 minutes to restart the meeting.
Have only recently started using teams with one client. Small group (max 6 folks I think) and... we've had issues with it - someone's video freezing, audio garbled/dropping, etc - twice in 2 days. But... I'm sort of chalking it up to potentially overloaded/bad net connections in the wake of all the WFH and remote meeting stuff being used. We had issues with connecting to zoom (and their phone numbers) last week as well, so I'm not ready to pull the plug on teams entirely until we have more experience under our belts.
To be fair I’ve seen the same thing happen with Zoom. During a 2 hour meeting with a client, about half of my team was dropped and couldn’t get back into the meeting for several minutes.
Teams live events (https://docs.microsoft.com/en-us/microsoftteams/teams-live-e...) which the parent comment was referring to is actually a specific feature in Teams that is only available for certain levels AFAIK but supports vastly more people than a standard Teams meeting.
The predecessor, Skype Broadcast, allowed completely anonymous viewing, basically a twitch or youtube stream. In the name of growth hacking, the Teams team decided to force people to the app, you couldn't watch the video stream from a mobile device without the teams app. Which is a huge amount of friction for a mobile workforce that isn't using teams.
Maybe this has changed since I last talked to Microsoft, but even their own team was unhappy with it. But if you still have access to broadcast.skype.com, it still works, until they decide it shouldn't.
The only Teams Live meeting I've ever tried to join, we had two people who gave up because their web version didn't support Safari without having to manually go deep into their preferences and change settings from the default.
Well, I have a feeling that the praise for zoom going around is not from people working in enterprises, it's people working for everything-but enterprises, who just want a solution that works.
In my experience (also not enterprise), Zoom is the simplest solution with the best quality and latency, compared to the alternatives. The UX could be better, but the performance of Zoom for all platforms makes you survive the UX.
As someone who has used a variety of VTC products (Zoom, Webex, BlueJeans, Teams, Skype, etc.) for several years on a daily basis (lots of external VTCs with different companies who use different VTC systems), Zoom is by far the best. The audio and video quality is head and shoulders above the rest (both on PC and mobile) and the interface is dead simple for even the least tech-savvy users.
My company uses Zoom, and there have been many instances where, during a VTC call set up by someone at another company (that doesn’t use Zoom), we have switched mid-meeting to Zoom because there’s something wrong with the other VTC system (someone can’t join, can’t hear, can’t speak, can’t share their screen, etc.). And the other options haven’t gotten noticeably better over the years either.
In my experience, every other solution I've tried is a train-wreck, compared to Zoom (MacBook Pro w/ external Apple monitors). And, as far as I remember, I've tried them all, repeatedly.
Even first-class platform-specific solutions like FaceTime are, basically, unusable vs. Zoom. It's amazing, actually. I'm not quite sure how Apple managed to make FaceTime's audio just not work (almost ever), and Zoom just works, every time, on every platform.
> I'm still curious why everyone thinks Zoom "just works" while others don't.
I'm also curious. I subscribed to Whereby (https://whereby.com/), where I can send people a URL, which they click and land in my conference room. There is ZERO software they need to install.
[For all the "well, actually" folks: yes, it "only" works in every modern browser out there, and it works "only" for up to 12 people. Fine with me.]
Zoom has more features, but there are many other solutions that work much better and are WAY simpler. It's just that Zoom is well known, and it's easiest to choose the tool that everyone has heard about.
Some of my teachers use jitsi, which works on the same principle. The teacher sends a link, you click it, and that's it. Works very well, and no limit.
From my perspective, working in the browser is not necessarily "just working", because for many combinations of OS/hardware, the performance is terrible and not only eats battery and will slow down other programs, but also affects the quality of the call (audio and video).
Also, granting a website access to my camera, granting access to my microphone, and so on; which are really not functions I want to be granting any websites. I don't run a browser to have it randomly turn on surveillance devices. I prefer to run an app to access my camera and quit it when I'm done.
Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?
Also I regularly attend more than 50-person zoom calls without a hiccup. Google I think requires an enterprise plan to get to that limit, and I don’t even know what the name of their video conferencing product is at this point.
> Don’t Google and Microsoft answers both require accounts, and carry with them the expectation that everything you do on their platforms is recorded for the purpose of selling ads?
For Google, the answers are "sorta but not really", and "no":
https://support.google.com/meet/answer/9303164: "Note: Guests on the web don't need a Google account to participate in a meeting." The initiator of a meeting needs a G Suite account, but others can join without one.
> While Google and Microsoft both offer a product that "just works" with only a browser.
But those products don't always "just work", at least not in my recent experience. I have had repeated problems with Google meetings while working with an external entity, and most of my employer is a Microsoft shop, so I've had to deal with issues with both Teams and Skype, both via browser and OS X app.
Google requires you to have a Google account. Kids in middle school (ages 12-14) and younger typically don't have an email address. Zoom, on the other hand, lets you join a call without logging in. You can even join straight from the browser if needed without installing anything.
That's weird, when I open a meeting link (which would open the native client) at the bottom of the page it says "If you cannot download or run the application, join from your browser.".
I have the native client and it still shows me this option.
The visibility of this link is disabled by default unless the person trying to join attempts (and fails, even if deliberately) to download+install the client at least twice.
Google has messenger and hangouts and another video conferencing solution that I don't recall.
The reason we ditched hangouts for zoom a few years ago was that hangouts only supported up to ten users, including users whose connection had died and so they had to re-enter the room again. This became extremely annoying - having to stop a conference mid-call to ask some people to disconnect so others could enter, or trying to find out how to kick "ghost" users, was definitely not "just works".
Teams has another issue though: when someone speaks, it cuts the sound for the other people speaking at the same time. In theory this sounds good, but many times it will cut the sound of the active speaker. Yes, I think this can be managed with group mute, but Zoom doesn’t have this “feature”.
It just amazes me that the "just works" solution here is still a native app. Plenty of reasons to use native apps but in 2020 video conferencing really isn't one: WebRTC is capable and supported by every major desktop and mobile browser. It's literally one click and you're done!
None of the WebRTC based options just work, they're all glitchy and cannot scale up to even moderate amounts of users. We have Google Hangouts Meet for free for our org, and we still pay for Zoom because It Just Works.
Even having the "unblock this site from camera and microphone" buried in the browser chrome or settings pages somewhere is a dealbreaker. It's too easy for people to mindlessly click "no" to "can this access your microphone", because of the way the browser pops it up during first use, instead of during "install."
True. Even the adblocker and autoplay blockers can prevent video and audio from working in Hangouts. I have had issues with hangouts when joining meetings with important people — and my browser’s autoplay block feature prevented the video feed from working.
Yeah. And high fidelity sync between audio (ideally via phone). Maybe someone does it, but we tried _all_ vendors and settled on Zoom. And screen annotations, and the ability to remember participants' phones and dial them directly (replaces them having to type 9 digit numbers into their phones), etc.
Also, Zoom has reached a critical mass where, particularly for sales calls, the remote party is quite likely to have it installed. The network effect here is really valuable.
I guess it works for some. I've had two Zoom meetings this far, and in both cases the organizer quickly changed to Jitsi as Zoom had distorted audio.
Maybe some incompatible software/hardware at some end? I don't know or even care really, but Jitsi worked well with the same participants both times, while the anecdotal Zoom success rate is still 0% for me.
For meetings I host I'm trying to evaluate Jitsi as well, so far without much luck. I'm not hosting that many meetings and the one I did was with someone using Linux not getting screen sharing working.
But Jitsi is on my shortlist as I think being open source and self-hostable is the way forward for a tool that could knock Zoom off its throne.
This still isn’t a good reason to build a native app instead of just using webrtc.
Someone should make a PSA site that says something along the lines of “don’t install teleconferencing software because it usually bundles malware; your browser already has the technology built in.”
In theory. But in practice, as a developer you don't want to depend on the browser support for your whole product. Conferencing features of browsers have been pretty lame, compared to what's possible in a professional product.
{edit} My experience: investor took over our startup, made us switch from bespoke technology to web-based conference features. Every feature was compromised, reliability and capacity reduced by 10X.
Browser blocking and plugin features can prevent it from working. For example, I’ve been in hangouts meetings where the video feed wouldn’t load because autoplay was blocked on the browser. Of course, you can work around that, but having the Zoom desktop client provides a reliable experience without any tweaking
For better or for worse, WebRTC is very opinionated about codecs and transports. Those might be great choices for some scenarios, but no developer wants their whole business to be constrained by it.
As someone who's never used or seen Zoom in action, what's pulling people into Zoom that's not already available in other tools (Hangouts Meet, MS Teams) and even works without installing anything (such as Jitsi)?
Based on what I've seen, there's just so much hostile behaviour by the company (including lying about meeting HIPAA e2e requirements!) and the fact that their _official client_ had parts removed by the macOS malware removal tool that I just don't get why people still consider it as an option. If it were the only "just works" tool out there I'd understand, but there's plenty of competition in this space.
I've personally begun using the Jitsi server the local student network association has set up and it's been working like a dream. You can even share a window to others (which I didn't even know browsers had support for) for presentations and such.
I use Zoom, Hangouts, Slack and WebEx. Out of those Zoom has the best call quality, and it is the only solution out of the 4 on which huge meetings (50+ persons) are workable.
I've used another software for big meetings, now called Vibe, which works if I close chrome and patiently wait for the bloated java app to expand into all available memory before trying to take any action... it's not great.
Zoom manages to run without crashing and doesn't force me to close a browser and wait a lot, so that's an advantage.
I use Meet at work. For social gatherings, my friend group exclusively uses Zoom because (a) better tiling (seems small, but you want to see everyone) and (b) video quality seems better.
The meme that HIPAA requires e2e is so ridiculous - it is pretty clear that very few people actually deal with HIPAA stuff.
Zoom (if you need HIPAA) can set you up with it - but you WILL lose a bunch of features (Zoom by default has features that are not HIPAA compatible) - so make sure you need HIPAA before paying for it.
If anything medicine is almost anti-e2e. Everything is copied and copied between one system and another (billing, lab systems, imaging systems etc). Seriously, medicine is in many cases very fragmented, so the number of medical practice groups that need copies of your details / visit details etc is high just to bill you (and you may end up with 5 bills for one visit - which may be 4-5 systems behind the scenes).
My experience (beyond Zoom) is with WebEx, Hangouts, and Teams. Zoom has a better UI for large meetings, and the audio quality is significantly improved. We just switched recently from WebEx to Zoom at the office and it's been refreshing. A few days ago was the last time I tried to use Teams, but the "only four people on the screen at a time" limitation was a no-go for our family's virtual gathering. Everyone was much happier with Zoom's video grid, and we noticed that the audio was significantly improved -- in particular how it handles multiple people trying to talk at the same time.
I really wish they'd make the client available in the Mac App Store. Not only is the installation experience better than this, things also stay nicely up-to-date. If your company runs an MDM for your Macs, it's easy to deploy apps en masse to everyone.
It seems macOS could use virtualization or permissions to run these scripts in some throw away environment to get rid of the problem altogether. Preflight check programs shouldn't be able to write anything to disk.
How do I know I’ve completely uninstalled all the things Zoom installed?
And, if Zoom provided a separate uninstaller (like many apps do) and it was verified to purge all of the stuff they installed (along with the uninstaller); would that appease people's concerns?
For now I’m sticking with the iOS app for video & their web-based experience for desktop sharing...
A previous version of Zoom installed a web server on MacOS without telling you, and left it there after the uninstall process. So the answer is no, you can't be sure.
Oh, and there was a known vulnerability in the web server that allowed remote access to your camera. The company claimed this was all intentional and was a feature and refused to remediate it for months. Eventually Apple issued a system update that removed the web server.
I think it's interesting to see the outcry when Apple poses new restrictions in the application distribution process (like signing and sandboxing) but conversely the same cries go up when there is an App that seems to be abusing loose control mechanisms.
I think a lot of power users rightfully feel they are belittled by sandboxes and application restrictions. But seeing that they are not the major userbase and most Apps don't really need any permissions at all for their intended purpose (the user's purpose at least) I think Apple is moving in the right direction.
Part of the benefit of macOS apps is that you can just put them in the trash and they're gone. Breaking that contract isn't like awful but it is frustrating.
Can someone explain to me what the problem is? If you run the installer, isn't that consent to install the software? That's the whole point of it. I guess this isn't the "Mac way" but this is exactly how I would write an install script if I was slapping together support for other platforms. In fact this is the same way most installers work: it unzips an archive somewhere, then creates the links for remove/launch/etc.
What is the typical install process for software on a Mac?
Zoom is using a hook in the macOS installer framework in a way that is not intended.
This is forming a troubling pattern [1]. Zoom will do anything to reduce the number of clicks to start a conference, even if it results in a misleading installer prompt or security vulnerability.
Many PMs are obsessed with click optimization. I've been told many times that a certain feature or security method is a no-go due to it being "too many clicks", full stop -.-
The whole torrent of grey area, just over the line and outright shady behavior at Zoom is a problem in itself even if all the separate instances in isolation aren't grounds to stop using them. Their responses to security issues and today's revelation of misleading marketing on E2E encryption make it clear they're not just making isolated mistakes. Shady is at the core of how they operate, this is an indication that Zoom has a company culture of accepting borderline behavior. Otherwise it wouldn't be so widespread.
As a customer this is a reason for me to stop using Zoom. Not in the last place because I'm quite sure we're only seeing the public tip of the iceberg of all the unacceptable things happening within Zoom.
Unfortunately, the current system and people in power seem to not give a damn about security and shady behavior, as long as the thing they are using is working and working well. Zoom is an example of very useful and performant software with a shady company behind it; that's why people will continue using it.
Same with Uber, Google and bunch of other companies. It doesn't matter what they do, as their product is helping people enough for people to look past the terrible things.
Enterprise customer DO give a damn about security. They can be slow to react, but rules are also there for a very long time. If Zoom doesn't want to lose most of their market share in favor of WebEx, they should probably address these issues.
> Enterprise customer DO give a damn about security
You are wrong. Even without extensive experience in the space, you can very easily see how even large companies don't secure themselves at all. The US has had Equifax recently, and it's not like that was an isolated example either. There just isn't a security culture at the eye-watering heights of corporate upper management and while everyone's as busy making money as they are, there never will be. It doesn't fit into the system, and anyone who tries to change it gets muscled out by people who don't want it to change - because that is simply what's most efficient.
This has been my experience as well. Large companies pay lip-service to security that protects their customers; they want just enough for legal deniability in the event of a breach, but not so much that it impacts operations or profits.
However, they can be...enthusiastic when it comes to security around protecting themselves. If you report an issue with customer information on a public S3 bucket, they might get around to fixing it someday, but if there are "trade secrets" or the like in that bucket, the issue is going to get fixed immediately and someone with a big title probably won't be coming in tomorrow.
This is hilariously wrong. I brought up Zoom issues at our enterprise client - no one gives a shit (this is in Germany, so rather privacy focused). As a consultant I felt a need to bring the issues up, backed with sources of course.
So why does no one care? Because Zoom UI/UX apparently works 100x better than most other solutions. People don't even REACT when I mention Jitsi or just using the Teams solution that every Microsoft customer has anyway.
The enterprise I was talking about is using a mix of Microsoft Teams and Zoom. Our team started with Teams, now we are using Zoom because I don't even know. Others also move from Teams to Zoom.
I bring this up to lots of people and the response is rolling eyes and "shut the fuck up" in business euphemisms. Zoom is viral now and privacy has no say in its success.
Could also be an issue of pricing. I wouldn't be surprised if Zoom is cheaper than MS. Maybe someone with knowledge on the sourcing side could comment on that.
Sorry, I wasn't clear enough. The enterprise already has a Teams license which is part of an Office/Microsoft deal that they will of course continue to have.
So Teams is there, will stay there and it works well but people are still moving to Zoom anyways.
“Enterprise customer DO give a damn about security.“
When I look at IT they give a damn about some security but then completely ignore other huge problems. I think a bigger concern for them is cost, liability and convenience for the administrators.
Lyft only operates in US and Canada. Uber is available in 63 countries. The convenience you get just having that one Uber app work is not easily replaced. But yeah you could always try to find the local ride sharing companies app, but it can be far less convenient.
How do you persuade enough taxi drivers to use $generic-taxi-app in enough areas to make it worthwhile for someone to choose to use it instead of Uber?
They probably learned a lesson from Whatsapp which was a nightmare of insecurity in the early days that cutting corners gets results and approximately no one cares (except the tiny minority like us who would never use it anyway).
Edit: Why downvote me? I am not trying to stir up flame wars. Saying anything against China has become impossible to do on HN. Voices get drowned despite raising real legitimate concerns about privacy, especially for a tool used by millions all of a sudden during this pandemic. People should be speaking up on HN. I know, I am not supposed to complain about downvotes on HN, I've read the guidelines.
Edit2: Not able to find the source for Tianjin datacenter, I will reply if I can find it. Please take it with a grain of salt.
Please don't break the site guidelines [1] by going on about downvoting. Your comment has been heavily upvoted. Meanwhile complaints like that linger on as off-topic and false, and don't garbage-collect themselves.
You can use HN Search to verify that HN sees plenty of comments "saying anything against China". The topic is extremely flame-prone because people are wont to hurl generalizations at each other, and worse. Nationalistic flamebait and flamewar is a big problem on HN [2] and destructive of the spirit of this site [1]. Individuals have been attacked here just for expressing their views while being (or being assumed to be) Chinese, and at least one person was hounded off the site altogether. I'm sure you'll agree that that's shocking and not at all the community we want to be. None of us wants it, but it's easy to get it anyway, once such flames get going.
I don't think your comment was nationalistic flamebait, except insofar as it was rather unsubstantive. Unsubstantive comments on inflammatory topics are guaranteed to come across in a flamey way to some segment of the readership, even when that wasn't your intent. Intent doesn't communicate itself, unfortunately, so the burden is on the commenter to disambiguate [4].
Understood, thanks and accept my apologies. I have some feedback - please make exceptions when discussing fact based discussions around privacy when it is not tending towards flame wars, especially related to Chinese influence and erosion of privacy. I can see why this can lead to flame wars but that's where you should step in and moderate. I just read your links to people getting harassed if they are Chinese, that's not cool.
I think my comment addresses this, but perhaps you were replying to an earlier version, or perhaps I wasn't clear enough. What you posted was trending towards flamewar, even though you didn't intend it that way. Telling moderators to "step in and moderate" isn't sufficient to solve this problem. For one thing, we don't come close to seeing all the material that gets posted—there's far too much. We do step in, but we also need users like you to understand the problem a bit differently. If you're going to comment on an inflammatory topic, you need to make sure your comment is substantive, i.e. contains solid information and not just grand claims. And you should be careful to narrow its scope explicitly to what the information supports. Fortunately that should also be enough to make it clear that your intent isn't just to post pejoratives about other people.
I don't think it's fair to call that borderline racist. That's an extremely strong word; let's not escalate where it isn't needed. The problem with the statement is that it doesn't come with any substantiation, or additional information.
Thanks for sharing. I'm not too concerned about engineering happening in China but data storage seems problematic, especially because of the lack of encryption on their side.
The post or the CNBC link don't seem to have the word Tianjin in them (comments do). Can you provide more details or another source?
If that's indeed true I won't be hopping on a Zoom call later this week with my bank for instance.
On a simpler level, zoom on macOS sketches me out in lots of ways.
My macbook's bluetooth will not connect to my earbuds, but only when zoom is running. Other audio recording/playing apps don't affect things at all. What the heck is going on here?!
Scrolling on settings panels is definitely their own home-brewed scrolling functionality. Why?! Was macOS's not cutting it for some reason?
The settings menu is very clearly not using native OS buttons and inputs. Why?! Why build your own? What is that for?
I installed the WebEx client for macOS today and it seemed similar, installing almost instantly without going through the normal EULA, volume selection, etc. flow.
It seems like they've stuck their installation flow into an Installer.app _plugin_ which is unusual. I haven't encountered that before, and I'm somewhat surprised the feature exists considering Apple waged war on loading code into first-party software. (The user is prompted before the plugin loads.)
For those calling this a security vulnerability in MacOS, isn't this just using a GUI equivalent of "sudo"? There may be a decent argument that a consumer OS shouldn't offer such a sudo-like API to installers, but MacOS probably does this for legacy app support reasons.
IMO the better question in this case is why Zoom needs to be installed as admin on MacOS? After all, the mobile apps and chrome extension don't need those privileges.
This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.
> This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.
So in that case it seems like there is perhaps an issue on both sides.
- I understand that the OS API to get root/admin privileges likely exists for legacy app install reasons, but why should any install script even be able to run amok with admin privileges? Shouldn't privileges granted by the API this is using be sandboxed in the extreme? Something this sensitive shouldn't be left to the honor system of the app developer.
- Independently, I still don't understand why Zoom needs admin privs on Mac when it clearly doesn't need them when installed as a browser extension. I'm using it just fine in Chrome all the time - no admin rights needed.
To me this implies that the installation process on Mac OS should be improved. The fact that they have to resort to these types of things to make it “just work” for people suggests that the official way of doing things is less than ideal.
They are aiming to make the process completely idiot proof, and good for them. If you’ve ever watched a nontechnical user try to install an application you’ll understand why they had to do all this.
I recently watched one of my friends who has only ever used an iPad and not a laptop try to install an application downloaded from the internet. Things we take for granted like “find your downloads folder” were not obvious. I had to explain what the Finder is, and it seemed laughably not obvious to someone who has never used it before.
I understand wanting to reduce friction, but this is the second time Zoom has kinda done something weird and suspect security wise in the name of removing really minor obstacles that users are probably used to dealing with anyway. Considering how many tech companies are using Zoom right now, I would hope they are cognizant that they don't become known as "the company that does sketchy stuff so our IT people say we can't use it"
Some background info for those commenters who say that Zoom should be requiring just a web browser because web browsers already have everything needed (aka. WebRTC). TL;DR summary: they want to do their own thing, outside of what the WebRTC standard allows, that's all (and enough reason for not using WebRTC?)
Zoom doesn't want to use the stock H.264 encoder as provided by the browser for WebRTC communication. Instead, they use their own video encoders and decoders (which, while still being H.264, are presumably better optimized for their use case). WebRTC forces you to use either the H.264 or the VP8 encoder/decoder that the browser provides.
How they do this is by having their own custom application that you have to install. Still, some users have noticed that there is a well hidden web-based version of Zoom, which works by again running their custom encoders, thanks to WebAssembly. Also it seems that their video is transmitted via DataChannels [0].
They are not alone. Companies want to provide additional "value" by innovating outside of what the WebRTC standard offers. That's nice and all, although it of course tends to disgregation and incompatibilities in the long run. For this reason, I've heard talks about how future revisions of the standard might explore adding WebAssembly support, in order to allow everyone embedding their own compiled components into their applications [1].
Right. It's also important to understand when the reason to build non-standard things are just "productization" (intended to open the wallets of enterprise clients) and when it is because it really provides a better service to the end user.
Having native code running in every client makes a service provider more valuable. It is much the same reason service providers would rather have you running their app on mobile than utilizing the web browser.
This link provides a bit of background to the webrtchack articles above and gives a bit of background to when WebRTC is sufficient:
Instead of installing the Zoom software, join Zoom calls from within your web browser
With this trick you can join Zoom calls without ever installing the client on your computer.
Here's how to do it:
1) Uninstall the Zoom client if you have it installed (this is important).
2) When you get a Zoom link to join a meeting, click it to open it in your browser.
3) You'll be asked to download Zoom. Click the "download & run Zoom" link, but don't run the installer.
4) Wait for a few moments and a link to "join from your browser" will appear. Click this and join the call as normal. Most of the features work in this browser based version -- there is no need to ever risk your computer!
Having never installed Zoom, and honestly not having photographic memory of how the installation process on MacOS is, how is it supposed to look in the installer?
Also, what happened to just dragging the program into the applications folder? I really liked that way of installing apps, but most things seem to have an annoying click-through wizard.
They embedded their installation into a pre-install script. Normally, you'd go through a next-next-next process with a pkg installer, but in this case you get a popup asking you if you want to allow it to "run a program to determine if the software can be installed" (the purpose of pre-install scripts) immediately after opening the pkg, you authenticate, and then the installer just disappears.
Before that, when they had the shady web server, the Zoom application would pop up immediately connected to the right meeting, as your browser would be “waking it up” via http. It looks like they still haven’t fixed this after they removed the http server.
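The pre-install script flow described above can be checked before a package is ever opened in Installer. The following Python script is an added example, not part of the original thread or anyone's tooling: it audits the directory produced on macOS by `pkgutil --expand Some.pkg <dir>`, and the sample tree, the `com.example.*` identifiers and the flag names are constructed for illustration (the flags are heuristics, not verdicts).

```python
"""Audit an expanded macOS flat package for install-time scripts."""
import os
import tempfile
import xml.etree.ElementTree as ET

SCRIPT_TAGS = ("preinstall", "postinstall")


def audit_component(component_dir):
    """Audit one component package (a directory holding a PackageInfo file)."""
    info = ET.parse(os.path.join(component_dir, "PackageInfo")).getroot()
    payload = info.find("payload")
    payload_files = int(payload.get("numberOfFiles", "0")) if payload is not None else 0
    # Scripts the package declares, e.g. <preinstall file="./preinstall"/>.
    declared = {el.tag: os.path.normpath(el.get("file", ""))
                for el in info.findall("./scripts/*") if el.tag in SCRIPT_TAGS}
    # Everything actually shipped next to those scripts.
    scripts_dir = os.path.join(component_dir, "Scripts")
    shipped = sorted(
        os.path.relpath(os.path.join(root, name), scripts_dir)
        for root, _dirs, names in os.walk(scripts_dir) for name in names)
    extras = [p for p in shipped if p not in declared.values()]

    flags = []
    if "preinstall" in declared:
        flags.append("preinstall-script")           # code runs before any payload is laid down
    if declared and payload_files == 0:
        flags.append("empty-payload-with-scripts")  # whatever gets installed, the scripts do it
    if extras:
        flags.append("extra-files-beside-scripts")  # helpers or archives the scripts can use
    return {"identifier": info.get("identifier", ""), "payload_files": payload_files,
            "scripts": declared, "extra_files": extras, "flags": flags}


def audit_expanded_pkg(root):
    """Audit a whole expanded package: the Distribution file plus every component."""
    report = {"external_scripts_allowed": False, "components": []}
    dist = os.path.join(root, "Distribution")
    if os.path.isfile(dist):
        for opt in ET.parse(dist).getroot().iter("options"):
            # Lets the installer's JavaScript launch external programs during checks.
            if opt.get("allow-external-scripts", "no").lower() in ("yes", "true"):
                report["external_scripts_allowed"] = True
    for dirpath, _dirs, names in os.walk(root):
        if "PackageInfo" in names:
            report["components"].append(audit_component(dirpath))
    report["components"].sort(key=lambda c: c["identifier"])
    return report


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_sample(root):
    """Write a constructed expanded-package tree (not taken from any real product)."""
    _write(os.path.join(root, "Distribution"),
           '<installer-gui-script minSpecVersion="1">'
           '<options customize="never" allow-external-scripts="yes"/>'
           '<pkg-ref id="com.example.scripted">#scripted.pkg</pkg-ref>'
           '<pkg-ref id="com.example.normal">#normal.pkg</pkg-ref>'
           '</installer-gui-script>')
    _write(os.path.join(root, "scripted.pkg", "PackageInfo"),
           '<pkg-info identifier="com.example.scripted" auth="root">'
           '<payload numberOfFiles="0" installKBytes="0"/>'
           '<scripts><preinstall file="./preinstall"/></scripts></pkg-info>')
    _write(os.path.join(root, "scripted.pkg", "Scripts", "preinstall"), "#!/bin/sh\nexit 0\n")
    _write(os.path.join(root, "scripted.pkg", "Scripts", "helper.bin"), "constructed\n")
    _write(os.path.join(root, "normal.pkg", "PackageInfo"),
           '<pkg-info identifier="com.example.normal" auth="root">'
           '<payload numberOfFiles="12" installKBytes="340"/></pkg-info>')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = audit_expanded_pkg(tmp)
        print("external scripts allowed:", result["external_scripts_allowed"])
        for comp in result["components"]:
            print(comp["identifier"], comp["flags"], comp["extra_files"])
```

A component flagged `empty-payload-with-scripts` is worth reading line by line, because files written by a script are not listed in the package's payload.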
I have a friend who has some intimate knowledge of MacOS installation software who refuses to use Zoom. "It's not merely because it uses the same install patterns as Russian malware," this person told me, "no; it's personal."
Seriously, despite this person's aversion to anything Google, Hangouts ends up being the one tolerable exception.
What I like about zoom is that I can click on a zoom link and it opens up my video conference pretty quickly. Last thing I want is to go through installation steps when people are waiting for me on a call. I understand the security implications but it's a trade-off between user experience and lesser security.
People will go through the hassle of booking airline tickets, hotels, taxis and take the time to travel to face to face meetings (and some of them even seem to enjoy it).
But they won’t spend 5 minutes installing software properly, or half an hour doing some legwork.
The difference is that it's expected that booking airlines and hotels will take time so they make time for it but nobody expects to spend minutes installing video conferencing software properly.
They expect meeting chat software to just work and be as easy as opening a link. If a person needs to fly somewhere they have limited choices with airlines, but if a person gets frustrated with video conferencing software then they have an abundance of alternative options.
I have this irrational disgust of .pkg installs, and this is a good example why. Every time I have to install a .pkg, I wonder what crap it's spreading all around my system.
What's wrong with dragging .apps? Does your app really need to spread its tentacles beyond an app bundle and (maybe) some preference files?
> Zoom has been criticized for its data collection practices,[45] which include its collection and storage of "the content contained in cloud recordings, and instant messages, files, whiteboards" as well as its enabling employers to monitor workers remotely;[46][47] the Electronic Frontier Foundation warned that administrators can join any call at any time "without in-the-moment consent or warning for the attendees of the call."[48] The Ministry of Defence of the U.K. banned its use.[49][50] During signup for a Zoom free account, Zoom requires users to permit it to identify users with their personal information on Google and also offers to permanently delete their Google contacts.
Widespread use of Zoom for online education during the novel coronavirus pandemic increased concerns regarding students' data privacy and, in particular, their personally identifiable information.[17] According to the FBI, students’ IP addresses, browsing history, academic progress, and biometric data may be at risk during the use of similar online learning services.[17] Privacy experts are also concerned that the use of Zoom by schools and universities may raise issues regarding unauthorized surveillance of students and possible violations of students’ rights under the Family Educational Rights and Privacy Act (FERPA)
A lot of this is Mac OS X's fault: it still does not have an easy canonical way of installing things and has no way of uninstalling. I don't get why in this day Mac OS can't have something like RPM or any number of other package managers.
I wish I knew how it installed on my partner's Mac. No root password was ever given, yet it installed when we thought we were still using the web app. Quickly uninstalled and will use different software next time.
If I had to guess, it’s an attempt to optimize install conversions. Every multi-step process you ask a user to perform is effectively a (marketing/sales) funnel. Some percentage of people drop off at every step. Maybe Zoom thought that if they moved the actual installation closer to Step 1, then more people would accomplish it. It’s awfully sneaky though, especially that password dialog.
They could have also made it just work in a web browser without having to use workarounds. That's one of the reasons why I strongly prefer Google Meet and get annoyed at vendors that want me to use solutions that require me to install software.
Conversely, I much prefer a desktop app to Google Meet; since that's stuck in the browser, the video can't float PIP when you navigate away from the call.
Or, you know, decrease the failure rate of people legitimately attempting to install Zoom. It's quite reasonable to ask why on earth Apple requires more than one click for a user to say "I want this program to run on my computer; make it happen."
If one assumes there is nothing really nefarious going on, it seems they are trying to gain market share: Growth marketing to raise the company value. And looking at some people already using "zoom" and "zooming" as a synonym for video conferencing, it kind of works.
I missed the part where Zoom is holding people's computers for ransom, or formatting the drive, or exfiltrating sensitive information to criminals or state intelligence officers, or mining bitcoin, or other similarly malicious behaviors.
An admin can write to /Applications without privilege escalation? That's a macOS bug. If the operating system didn't rely on an 80s-style put-all-the-executables-in-one-place app launch paradigm, maybe there'd be less incentive for app developers to ignore the per-user Applications folder that macOS supports.
An app can spoof or abuse privilege escalation dialogs? That's because macOS doesn't implement an Orange Book-style Trusted Path. It's why Windows and similar operating systems have secure attention keys in the first place.
So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent. They fixed past issues; they'll probably fix this. Meanwhile, these long-standing macOS security flaws won't be addressed by Apple, who has a terrible track record about these things except when it lets people bypass their App Store.
P.S. As an enterprise customer, I'm much more worried about end-to-end encryption in Zoom, and the apparent lack thereof. I'm also not sure how that compares with other video conferencing services.
> So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent.
But... why? What other software vendors look at the OS security model from a viewpoint of 'how do we bypass this as much as possible?' If it's not evil intent, what is it, incompetence?
It has a pre-flight script (which isn't supposed to change anything) that installs it (and its browser extensions, and a kernel extension at some point in the past) in the most widely available place the current user has privileges to (it installs in their home directory if they aren't an admin).
So yes, there is some blame to be laid at the OS for running binaries with the privileges the current user has, but it's clear that the installer doesn't behave like a regular installer would.
> An admin can write to /Applications without privilege escalation? That's a macOS bug.
/Applications has been root:admin 775 since forever ago. It’s not a bug, and "drag this app to (an alias of) /Applications" is very standard behavior of dmg installers. Working as designed.
That behavior goes all the way back to Classic Mac OS. If the above is working as designed, then Zoom automating the copy-app-to-/Applications process doesn't really seem that hinky to me.
It’s a weird thing to do, but I don’t find it particularly concerning, no. You launched the installer after all. (I do use Suspicious Package to quicklook pkgs myself, FWIW.)
Having write access without privilege escalation to executable packages run by all users on a multiuser computer is a significant security risk. That's one of the ways an attacker can pivot into other systems from a compromised computer.
root:admin 775 is only writable by the admin group, I’m not sure where you got the idea that all users have write access.
The situation here is an admin explicitly executing a program that writes to a directory that they have write access to.
Edit: corrected typo 755 => 775.
Edit 2: Okay, I read what you wrote again and can now see I misunderstood. However,
1. macOS is primarily single user (or at least single household) given how it's actually used. In actual multiuser settings admins don't typically muck around with their admin account.
2. Typically other users can read/execute a lot of stuff that's not root anyway. For instance, on research group Linux servers people would often tell you to just execute something in their home directory.
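The `root:admin 775` point argued above can be checked mechanically. The following is an added example, not code from any commenter: it evaluates POSIX mode bits for a given account and lists entries under a directory that a non-owner can modify. The uid/gid values and the `Shared.app`/`Locked.app` names are constructed for illustration, and ACLs are not considered.

```python
import os
import stat
import tempfile

# Constructed sample accounts (assumptions, not taken from the thread).
ADMIN_GID = 80                       # gid of the "admin" group on stock macOS
ADMIN_USER = (501, {20, ADMIN_GID})  # (uid, group ids) of an admin account
STANDARD_USER = (502, {20})          # (uid, group ids) of a standard account

def can_write(mode, owner_uid, group_gid, uid, gids):
    """POSIX mode-bit check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True                       # root is not limited by mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)  # owner class wins even if it denies
    if group_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def non_owner_writable(root):
    """List entries under root that someone other than the owner can modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                  # symlink mode bits are not meaningful
            classes = [label for bit, label in
                       ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "other"))
                       if st.st_mode & bit]
            if classes:
                findings.append((os.path.relpath(path, root), "+".join(classes)))
    return sorted(findings)

def demo():
    """Build a throwaway tree with one 775 and one 755 bundle and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("Shared.app", 0o775), ("Locked.app", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)  # chmod ignores umask
        return non_owner_writable(root)

if __name__ == "__main__":
    print(can_write(0o775, 0, ADMIN_GID, *ADMIN_USER))     # admin account
    print(can_write(0o775, 0, ADMIN_GID, *STANDARD_USER))  # standard account
    print(demo())
```

Pointing `non_owner_writable` at a real applications directory shows which bundles any member of the owning group could replace.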
I use MacOS and everything I read in the Twitter thread was exactly as expected. MacOS does ask you to escalate. It also asks for privileged access to the camera, microphone, and the keyboard. So when our son had to download and run Zoom for his now online school, I took the opportunity to teach him some basic computer security. Zoom installed into his ~/Applications folder; as a non-admin, that was expected. And then it asked for access to his microphone and camera.