401 comments

[ 5.6 ms ] story [ 289 ms ] thread
It does that on Linux, too. Likes to mess with PulseAudio settings when you're not looking.
if you've managed to make it thru an entire meeting without crashing or freezing system w/ 100% cpu on linux you're doing better than me.
Why do people use the zoom app on linux? It works fine in the browser, where it is forced to behave itself.
Idk, does the browser do screen sharing now? It didn't last time I used it but I haven't for a minute so I'm not sure if they fixed that.

I have a wrapper script that installs, starts the meeting then uninstalls because unfortunately people use it and sometimes I need to contact them.

Gallery view doesn't work in Firefox the last time I checked.
Virtual background doesn't work in the browser.
Yes the best way to detect if zoom is up to no good on Linux is to listen to my fan or check if my battery is draining unusually fast. Same for Discord.
I don't get crashing except when I go to share a window and then cancel it without sharing anything.

The biggest problem for me is having multicolored noise covering most of the Zoom windows/controls when I'm sharing a window.

Also, it takes like ten seconds to share or stop sharing a window.

Same as Teams. Once you leave a meeting it keeps listening until you restart.
Teams also likes to mess with the system-level audio device configuration, which just obnoxious. I had to block this for all apps to prevent it randomly changing my volume.
Could you detail how you block apps adjusting the device volume? I'm utterly fed up with Zoom changing the volume to 100% for everything except itself.
Navigate to the "old-school" device properties screen (not the shiny new Windows 10/11 version). Untick the checkbox "Allow applications to take exclusive control of this device" under the Advanced tab.

Exclusive mode is a bit like full-screen for GPUs. DirectX games can do things like override the output color management, gamma ramps, brightness, HDR mode, and even set the "white point" on some displays! Similarly, audio applications can take control of your audio devices in all sorts of ways if permitted.

While "full control" of a GPU is still useful, because we're not living in a utopia where all displays are 12-bit HDR all the time, audio has long ago passed the point where direct control delivers tangible benefits. Software mixing is more than capable of "keeping up" even with an absurd number of simultaneous streams at a quality level that vastly exceeds what the human ear can perceive.

I found that with Teams, it's more important to turn off direct control of the microphone than the speakers, but I do both just to be on the safe side...

Hang on, I thought we were talking about Linux here.
I find `sudo killall -9 zoom` seems to work to stop this. That may be overkill but was just the first thing to occur to me. But I'll probably just sandbox it into my windows VM whenever I bother to set up passthrough on my camera.
I've never experienced this on Ubuntu 20.04 (and similarly not had any of the experiences mentioned in other child comments).

The only pulse audio annoyance happening here is pulse audio itself assuming all my 3.5mm jack headphones have a microphone.

Almost certainly just a bug with closing the audio session. It doesn’t seem to always be listening but sometimes after a meeting it stays on for whatever reason. If it’s not already fixed then I’m sure it will be soon…
That's a very charitable interpretation, and I like your optimism!
Having worked on similar software in the past, I wouldn't be surprised if this is the actual reason. Especially since the microphone indicator is a relatively new addition to the system, they might just have never realized that they're not closing the device properly and now that it becomes obvious, it might not be so trivial to fix the code.
A tickbox in settings, "don't keep mic enabled"?

I can't see how it can be that hard to just close the mic device when you go off a call.

That's easy to say when you don't know what other things may be bound to that code. As said, I have worked on similar stuff before, and was in a very similar situation where an audio device was kept open for longer than necessary, but "simply closing the device" would have broken many other things that depended on the audio device. Fixing it involved logic changes and refactoring. Sure it wasn't impossible, but it was not exactly as trivial as adding a new checkbox either.
This is also my take on this issue. The company just wants to monetize on remote meeting and has no malicious intention on user privacy, but they just mess up the security from time to time. It is not sound that selling user data can make them better off.

Another infamous example is proctoru. Literally a spyware, but delivering a spyware requires much less effort (both intellectually and financially) compared to designing a product that makes security-savy customers happy.

It definitely seems way more innocuous than the conclusions being jumped to in this thread. A simple packet sniff would be an easy test in this situation, and since nobody is even claiming that data is being transmitted, it's quite a leap to assume that they're listening to everyone with nefarious intent.
Pretty confident this is related to the way the Zoom app can detect what conference room you are in when that room is fully equipped with Zoom hardware.

From [Direct sharing in Zoom Rooms](https://support.zoom.us/hc/en-us/articles/214629303-Direct-s...):

> Direct sharing with proximity detection uses the microphone on your laptop to detect the Zoom Room controller.

I'm not as familiar with Zoom, but WebEx and Cisco video conferencing hardware use ultrasonic sounds to let you start and transfer meetings from the mobile and desktop app to video conferencing devices.

With WebEx you can turn this off in the preferences. I'd assume Zoom has a similar config setting.

They do? Ugh.. hopefully not continuous emitting of pulses.. I can hear some ultrasonics due to my cochlear implant, and it's been really annoying how these days Lutron is selling motion detectors that use both ultrasonics and IR. They like to buzz, even when people are already in the room.
Have you contacted Lutron at all? Or your implant manufacturer? Something seems out of alignment.
I contacted the implant manufacturer when I became aware of the issue.. apparently there is even a warning that ultrasonics can damage it.. but it's not clear to me if that's just legalese or if it's actually a clear and present danger.

I haven't contacted Lutron yet which is bad of me, and I really should do that, but I don't think they would care since the amount of people who can identify that there's a problem with their devices is small.

Lutron may not care about you but they may care about an article in the news about how their products are harming people.
Today disability is an issue that is taken seriously. If Lutron's technology is affecting your disability then you should absolutely contact them, and barring a satisfactory solution you might even get aggressive with them. They cannot hurt you, arguing that people like you are rare.
Anxiety can be classified as a disability. Does that mean you can’t make someone anxious? That would be fun to see enforced.
Yes, Zoom has a similar setting. I don't think the client is listening for the ultrasonics all the time; you need to click the "Share Screen" button on the main zoom page to have it work, and it presents a "please wait" screen for 5-10 seconds after pressing that button while it appears to detect the room info.
That's such a hack. Seriously, this is how we do tech in 2022?
Lol, why don't they use ipv6? What would you use?

I think it's a pretty cool hack.

It's pretty cool in that commodity integrated hardware is capable of doing something practical at those frequencies. Not long ago it was a struggle to get the Pro Audio Spectrum ISA card working at all.

It's awful in that using the auditory domain is too much an intrusion into the human space. There is enough noise pollution. Interference patterns around the room may generate harmonics at audible frequencies. Young kids can hear high frequencies we forgot we ever could. I can still hear CRT flybacks. Sometimes I thought I heard something electronic in conference rooms but convinced myself it was nothing.

Someone else was complaining about it affecting their cochlear implant. That is horrifying.

It is not so farfetched that it has an adverse affect on health either. America is losing diplomats left and right to some mysterious ultrasonic weapon, or at least that is one of the leading theories.

It is awful that my CPU has to be constantly running a FFT to read this signal. I think Apple has an ASIC which does the Siri voice recognition.

It's awful that it triggers the orange light to be constantly on so you end up ignoring it. What if Zoom is simultaneously using the microphone stream for nefarious purposes.

This is what Bluetooth was made for. This is a worse idea than Wifi over lighting. Even the 9-digit Zoom dial codes are better.

>Someone else was complaining about it affecting their cochlear implant. That is horrifying.

Definitely.

>It is awful that my CPU has to be constantly running a FFT to read this signal. I think Apple has an ASIC which does the Siri voice recognition.

Isn't it the zoom box that has to be doing the detection? The pc is just sending the signal, which wouldn't take much processing.

>It's awful that it triggers the orange light to be constantly on so you end up ignoring it.

I think someone commented that's for the purpose of detecting if someone is muted and notifying them. Still, there should definitely be a choice to disable this behavior. I wouldn't be able to ignore it.

>What if Zoom is simultaneously using the microphone stream for nefarious purposes.

There's a lot of nefarious things they could potentially do even without using the mic, considering it's software already running on your pc that already has an encrypted connection to their servers.

>This is what Bluetooth was made for.

Good point, that would have been better.

> Isn't it the zoom box that has to be doing the detection? The pc is just sending the signal, which wouldn't take much processing.

If the PC were just sending the signal it wouldn't need the microphone to be on. And it would stop working when people turn off their speakers like a lot of people do in a busy meeting room.

By the way there seem to be other ways to do it too. Not sure if it's Bluetooth but MS Teams warned me in the past that I was in a room with a Surface display (the huge first generation one). It doesn't keep the microphone active though.. I never investigated how it figured that.

Bluetooth would be more appropriate for that I would say.
What is the other way of doing it?

Because this “hack”:

* Works on devices without Bluetooth (or that have it disabled)

* doesn’t require anyone installing privileged software or drivers

* gives a very good “in the same room” indicator

* doesn’t require any custom/expensive hardware components

But how is the device going to communicate with the zoom hardware in the room when Bluetooth is disabled?
The ultrasound is the communication.

From the description it sounds like it's just a handoff feature, as in you go into a conference room with whatever their conference room product is.

Once you get in handoff range they only need to exchange sufficient information to get the AV equipment to start a connection to the appropriate zoom/webex/whatever channel, and presumably the reverse of getting the original zoom client to close.

I'm assuming there is some work to reduce the likelihood of unintentionally triggering it, and some basic authentication, but this is not a lot of data, and ultrasound is more than sufficient to do it very "instantaneously".

OK, so the actual communication (the call itself) will be transmitted over wifi. But this means that at least some kind of access token must be transmitted over ultrasound. Is this safe? I would love to see an analysis of that communication; whether it is encrypted, is the handshake secure or can it be hijacked, does,it transmit only an anonymous access token or the whole user ID etc.

I mean, if I ever switch off Bluetooth it's exactly for the reason that I don't want my device to be detected/tracked. Zoom going around this by using ultrasound is kind of mean, since I can't prevent zoom from using audio if I want to be able to make calls.

> OK, so the actual communication (the call itself) will be transmitted over wifi

That was my interpretation of the feature described earlier in the thread

> But this means that at least some kind of access token must be transmitted over ultrasound. ...

Yup, I agree I'd love to know more about what is involved. I like to think there's a degree of authentication involved, but this is also Zoom. The company that installed a persistent service in order to circumvent a security feature in safari, that also allowed unauthenticated RCE.

> I mean, if I ever switch off Bluetooth it's exactly for the reason that I don't want my device to be detected/tracked.

I had assumed Android and PC had adopted the randomized MACs apple uses to prevent such tracking?

> Zoom going around this by using ultrasound is kind of mean, since I can't prevent zoom from using audio if I want to be able to make calls.

If we assume for now that it is properly authenticated, and has safe tokens to break tracking, identification, etc, then this behaviour seems reasonable. It would require you to open zoom in a room with the requisite enterprise-y teleconference equipment.

But of course that is quite a load bearing "if", and it already appears that they're trying to maintain the channel when they aren't active.

> I had assumed Android and PC had adopted the randomized MACs apple uses to prevent such tracking?

True, and this is why I rarely switch it off, except in situations where I don't want to be visible to devices that I previously connected to. Same for wifi.

I just find it quite over the top to work around user-controlled communication channels like bluetooth that the user might have chosen to disable, by using a medium (sound) that the user cannot switch off and still use the app.

In this case it's a convenience feature, rather than a avoid user controlled channels thing.

As I noted earlier it works without bluetooth available, but more importantly I suspect, if it were bluetooth everyone would have to peer their devices with every conference room. If it were wifi you'd need to know the network name of the conference room's AV system.

While both options would work, having a single "switch to AV system" button is clearly the best user experience, so you try to make that possible. Given both the app and the AV system have the ability to create and record sound, that's the obvious choice.

But again, I'm not making any statement on the security of the actual implementation from Zoom :D

(comment deleted)
If I have NFC or Bluetooth disabled it is because I explicitly do not want software on my device to contact outside services.
Yes, but if you’re in a zoom/whatever conference room, with a zoom/whatever client running, it’s not unreasonable to think that you want to use the conference equipment. Couple with the various constraints on BT, etc this is a reasonable solution.

Where this reasonable solution is actually implemented securely is another question, and Zoom’s track record isn’t exactly fantastic.

The mechanism is not the problem, it's that it turns on the mic by default. Most Zoom users are not in the luxury position of being in a location with a presentation room where they might need to present something, so for most people this is just an unnecessary feature and a possible nuisance. So this setting should by default be turned off (it can still work when the mic is turned on already).
I was responding to the comment calling it a hack :)

Zoom deciding to use the mic while not in use is clearly a terrible bit of behavior :)

You're right, they should have found a way to shoe-horn in kubernetes.
proximity detection is done via the blockchain
Yea, and it was a battery killer on a laptop - at my company, it even had a side effect of all but pegging the CPU. The confluence of poor software meets bad device driver is entertaining.
(comment deleted)
Is the zoom hardware shouting "welcome to thunderdome" at frequencies we can't hear so that the the app will realize it's in the thunderdome?

If so someone should make a jammer.

Or a fake "welcome to thunderdome" generator . . .
Probably more like "Welcome to zoombocom" :D
This is what Cisco's conferencing software does, too.

When it works, it means someone can walk into an appropriately equipped meeting room, and the software on their machine detects that. The audio, video, and screen sharing all route through the meeting room, rather than the laptop. Virtually zero involvement for the user.

Very convenient but not worth the price to set up a whole corporate surveillance nightmare.
Certainly with the Cisco system, not worth the money they charge for the hardware! Every room has a few $25 wholesale price Ikea grade chairs, a table, and then a $100k conference phone.
The units we got were like TV sound bar format, with a camera in the middle. About $10-15k each.
They are priced high enough that companies doing this are already hip deep in Cisco's world. They probably already have the corporate surveillance thing going.
What happens if someone records a YouTube video in that room, and that video goes viral?
I dont know for certain.

I recall that if you were not signed in to an account on their Org, it would only show up with you as that you were a guest in the room, and you could not do much/anything without someone from that org authorising you.

I dont know if the token is long lived, i would hope its rotated frequently.

i also suspect that because it's above audible range, your average video compression might strip it out.

I had to turn this off (not sure how it ever got turned on) because the Microphone indicator was on 100% of the time it was running (as it should be) while it searched for nearby devices through some kind of audio communication.
Not sure if all microphones are able to listen at that frequencies
That gives an explanation but doesn’t actually answer the question - “why is it doing this when I’m not using zoom”

Plenty of people use conference rooms for non video chat reasons, and many of those reason have confidentiality rules.

I know for example there are strict rules around what is required to protect client/lawyer confidentiality, and most of the protection goes out the window if you record, or allow some one else to record them. Would zoom listening in on that count? I have no idea

The only class of apps that have any business using a microphone while not in active use are “assistants”, and those have no business doing anything other than listening for their initiator phrase (except haven’t they all been caught sending arbitrary recordings to their parent company?)

I can assure you Zoom is not doing anything that would legally constitute "recording." In all US states and probably a lot of countries, recording is illegal without the consent of at least one party to the conversation. In the US, in some states, all parties must consent to recording. If Zoom were even skirting the line here, their lawyers would put the kibosh on it real quick.

Hmm... but, then again, there was that thing where Amazon Alexa was recording people without their knowledge... hmm.

I have seen the general sentiment of "their own lawyers would stop it" expressed many times about many different things, but who tells the lawyers?

Every place I have worked in the past there have been zero pathway for IT/Developers to notify a lawyer about anything or ask a question.

Really? At places I've been, you could definitely notify a lawyer of an issue, with the process ranging from walking up to their desk to looking up someone in the legal department and emailing them. I've never had cause to actually do it, but I certainly could have, had the situation warranted it.
Not everywhere has lawyers on staff or an easily searchable directory with accurate titles and department names.
On the other hand, like any other American company Zoom can be “asked” by intelligence services to “cooperate” - and there is no law that would protect its users against it.
> If Zoom were even skirting the line here, their lawyers would put the kibosh on it real quick.

And then the people in charge of the money would do the math on "this earns us 1 billion dollars and the fine has a 10% chance of happening and would be 100 million... so do it anyways, it's worth the tradeoff". This happens over and over.

> I can assure you Zoom is not doing anything that would legally constitute "recording."

No need to use quotes here, that was literally my question :D

> In all US states and probably a lot of countries, recording is illegal without the consent of at least one party to the conversation. In the US, in some states, all parties must consent to recording.

Literally every company that got caught having their assistants record conversations turned around and said the victims were informed and consented through the terms of use agreement.

> If Zoom were even skirting the line here, their lawyers would put the kibosh on it real quick

Their lawyers didn't stop them from claiming to provide end-to-end encryption, a blatant misrepresentation that resulted in receiving a consent order from the FTC [1] and settling a class-action suit for $85M [2], so I don't think it's safe to assume that they would prevent the company from doing obviously unacceptable things.

[1]: https://www.ftc.gov/system/files/documents/cases/1923167zoom...

[2]: https://arstechnica.com/tech-policy/2021/08/zoom-to-pay-85m-...

Is there any reason it couldn't do that at the start of the meeting?

Meeting start -> probe for hardware -> make decision where to host

It's the same for webex sensing compatible devices via ultrasound.
> Resolved an issue regarding the microphone light indicator being triggered when not in a meeting on macOS Monterrey

Haha, a problem with the light staying lit, not with the mic staying on. Riiiiiiggggght.

(comment deleted)
Don't use the Zoom app. Load meetings in an incognito/private/whatever browser window, and cancel the automatic download it prompts you with, then click Join In Browser.

Nothing about this company's attitude towards privacy has changed in years.

Thank you. And thank you for making it open source.

Concerning this line: https://github.com/arkadiyt/zoom-redirector/blob/master/back... Why is it sometimes returning undefined? (or is that known)?

Cheers!

Not the developer but nice catch. const match would be null, not undefined, if the regex search does not match, right?
In a browser console:

> const match = /^\/[js]\/(\d+)\/?$/.exec("something")

> undefined

The assignment to match returns undefined. The value of match is null.
To be pedantic the assignment returns null (always returns the rvalue[1]), it's the const statement that produces undefined[2]

[1] https://tc39.es/ecma262/multipage/ecmascript-language-statem... [2] https://tc39.es/ecma262/multipage/ecmascript-language-statem...

And to be even more pedantic, the function works because it is applied on an event listener... When null[1] is evaluated (in the right side of the || of the conditional), it produces a TypeError... which in effect (due to no catch and evaluation continuing in a parent/event-driven scope) is essentially equivalent to an empty return in this specific context.

What fun! :-)

Edit: apparently as also mentioned https://news.ycombinator.com/item?id=30268412

Run just /^\/[js]\/(\d+)\/?$/.exec("something") in the console
A function returns undefined if any value was not returned.
True generally, but irrelevant here: the function in question is RegExp.prototype.match. By definition, it never returns undefined, but only an array or null. The only way `match == undefined` could be true would be if smething had overridden RegExp.prototype.match, which would be… surprising and worthy of explicit note.

Also match[1] will never be undefined: it’ll either throw an exception, or be a string. No, this is just a bug, a poorly written guard that fails to guard what it was supposed to, and I suppose an exception is just silently swallowed and treated equivalently to the intended early return. But the clause should be changed to just `if (!match) return;` or similar.

Quick heads up you may want to update that to be === rather than ==, because of course JS is wonderful and null does == undefined (not a nerd snipe, I was just confused by your comment and went and looked at the code, and realized it was likely a typo :) )
Yeah, unfortunate typo, thanks for the correction. I spend most of my time writing Rust, and when I’m writing JavaScript I type !== and === naturally, but I think writing this comment I just didn’t quite switch into JavaScript mode.
> Thank you. And thank you for making it open source.

Sure thing. All browser extension source code is available to you anyhow, even if the author doesn't publish it.

> Why is it sometimes returning undefined?

Looks like a simple bug as some folks below have pointed out. It doesn't impact the functionality of the extension in any way here.

Missing only Safari, my browser of choice
Safari supports neither webRequestBlocking (for manifest v2 extensions) nor manifest v3 extensions. If they add support for either option then I can publish a Safari extension too.
Sign up for the Orion beta; it’s uses the Safari rendering engine and supports manifest v3 extensions
Wonderful! Thank you. Only if there was a way to do the same on iOS.
Thanks for writing this - I've been using this for ages, and it's a recommended install for everyone at our company.
You can also join using a standard SIP client.
With video and screen sharing ?
Video, yes. Haven't tried (nor needed to) screen sharing.

Apparently H.323 works too, but I haven't tried that either --- just noticed the "dial this IP to join via H323/SIP" at the bottom of the invites and did so.

Nice ! Thank you ! I’ll try this
If I wrote the same HN article but said Cisco Webex would you say the same thing?

Despite them doing the same thing.

Yes?
Definitely, who cares what company makes it !
Ya. I don't install Zoom, Skype, Microsoft__, Cisco__, Dell__, etc.
You could’ve just rephrased this to “don’t work anywhere during the pandemic”. Seriously, most people have very little choice in what they can install.
WebEx and Skype also have web browser versions. I don't know about the other ones. But you can generally use these apps without having to run an executable or install anything.
Sandbox it, or get a hardware mute for your device if you don't have a choice.
I’ve worked remotely for years. Refuse to install these apps on my computer. If someone requires a meeting with an app-only interface, I dial in. Otherwise, I run Zoom on an iPad.
My practice is that if I'm paid, I'll use company software. In the real world (my own time)... not a chance
I don't really care that much about the privacy of what I install on my work computer. That's their business, as long as I can turn the computer off when my work day is over. It's more of a concern for my own machine.
I’ve worked remotely for years. Slack and Zoom work fine in a browser.
Microsoft Teams does the same thing on Linux, so yeah.
Go for Jitsi. It's privacy conscious and has really good video quality. It seems to favour frame rate over resolution which doesn't look as glossy but the smooth video makes it much easier to pick up small gestures and facial expressions than the others like Teams and WebEx.

I use teams a lot for work and Jitsi with the makerspace crowd and Jitsi is just so much better imo..

+1 for Jitsi as an underrated, high-quality, free service
Jitsi is a winner, especially with non-techy people. Literally just click a link and you're in.
Or just don't leave it running all the time. Not sure why anyone would, it's not like it's hard to exit or start up. Personally I run mine using firejail instead of the browser as I didn't have much luck with the browser version when I first needed it (work) a few years back... though that is likely better by now.
Leaving it open means that when you click on a Zoom link, the app opens much quicker and you are already logged in. But yeah, not worth the privacy hit.
We use single sign on with Zoom so I never have to login and it takes <1sec to start on my laptop. But even contained using firejail I wouldn't want it running all the time.
Some companies use Zoom for chat and phone lines, in addition to meetings, so not a lot of choice in that situation
First I've heard of that but it makes sense.
The browser client is missing (or was recently) the “grid view,” which is very important for my use. So I won’t be leaving the desktop app anytime soon, despite my attempts :)
Zoom enables grid view in Chrome, just not in Firefox.

Everything else seems to work fine in both.

Audio on Firefox on Linux does not work well for me (mics not working)

On Chromium, sometimes video/screenshare is not visible for me, only black screen.

Often there is no choice but use the app… sadly.

But they bought keybase ... smirk

RIP a trustable keybase.

Is it safe to just use the Zoom iOS app, since it's way more locked down?
That’s my approach, anyway. I trust iOS’ sandboxing a bit more than a desktop OS. At least they can’t do things like installing a web server or reading files I’d like to keep private.
Yeah the British Govt with collusion of the so called free British press were pushing it when everyone was forced to go into lockdown and work from home because of covid.

Massive GCHQ data grab!

What is your source for this?
(comment deleted)
I use zoom in the browser, and this my experience every time:

1. On first opening the link, a browser confirmation window immediately asks me for permission to launch the app. I press "Cancel".

2. There is no option to join from my browser. But, there is a big blue button that says "Launch Meeting". I press it.

3. Again, the confirmation window from (1.) is raised. I press "Cancel".

4. Choosing to cancel a second time causes a visibility toggle for a small link on the bottom of the page (hidden beneath the giant blue button) that says, "Having issues with Zoom Client? Join from Your Browser".

Anti-patterns out the wazoo!

No background and filters in the web version.
This is correct.

Zoom is malware from what is effectively a CCP controlled company.

(comment deleted)
(comment deleted)
No this is because the profit incentive demands new features regardless of the privacy violations of the customer. China's faults are the same we have, out of control capitalism causing social harm, workers abuse, and violating customers.

This feature, and one used by many other conference companies, is for proximity detection of zoom rooms. Other implementations are bluetooth beaconing, but ultrasound is reliable and BT is often disabled by corporate security due to all the vulnerabilities it has and are constantly being discovered for.

Meanwhile the NSA has meetings where powerpoints titled "I hunt sysadmins" are a normal thing. And where your Cisco is intercepted, hacked, and shipped to you. Or where the previous president offers pardons to criminals doing his bidding and culminates with an attempt to murder Democratic senators to stay in power at the capitol on 1/6. I don't think you want to play "my country good, other country bad" unless you want to be corrected.

He didn't say "my country good", only "other country bad".
He's not even saying China is bad. He's related two things that people tend to like or hate simultaneously.
> China's faults are the same we have, out of control capitalism causing social harm, workers abuse, and violating customers.

China also has an unelected government with a dictator for life that arrests people for exercising free speech, commits genocide, threatens its neighbors, etc. It's not the same, though the CCP loves to say it is! Yes, there are flaws in the US, but that doesn't make it the same!

> I don't think you want to play "my country good, other country bad" unless you want to be corrected.

"corrected"?!

I got Micro Snitch [1] as part of a bundle with Little Snitch years ago and have just had it running for cases like this. I'm fortunate to not have run into this issue, but I like the peace of mind of knowing exactly if I do.

[1]: https://obdev.at/products/microsnitch/index.html

>Little Snitch

Just FYI, Little Snitch resolves the DNS request (to IP) while the dialogue is onscreen (i.e. before you click `DENY` or `ALLOW`, a DNS query has already been sent).

All Little Snitch does is prevent the connection to the IP address, but your DNS host (e.g. ISP) knows what URL(s) you are requesting, even if/when you click `DENY`.

Why is that a problem?
Recording DNS queries is a long standing method of spying on end users that ISPs and governments have at their disposal. In the US we have a constitutional amendment about how it's supposed to be illegal for law enforcement to mess with people not suspected of a crime - the fourth amendment. They don't really respect that rule at all, so it's in everyone's best interest not to give them metadata when it's avoidable.
That's good to know. I don't use my ISP's DNS and so I have inherently a little less concern about the query itself. My biggest concern for having Little Snitch is the data/connection itself.
(comment deleted)
Fake features that abuse my privacy is why I hard close the app when I’m not using it.
I hope I’m pointing out the obvious, but the answer to this question doesn’t matter. The real problem is that we’re compelled to run a bunch of software from organizations we, to put it charitably, have no reason to trust.

This situation may exist because it’s inevitable but it still sucks.

What’s the alternative? Not run software? Run it all in the browser? FOSS only?
I mean... that's not especially unreasonable; FOSS-first is absolutely a reasonable move, and there's a whole discussion upthread about using the browser version or dialing in with an actual phone. Certainly some people are stuck, but many people can absolutely avoid this.
For any service I want to use that has a website, I absolutely use that instead of the app.

I can close it and know it is closed.

Unless PWA fans have their way and succeed perverting browsers into an app platforms, that is.
Not run SW is possibly last resort, or not an alternative at all. But selecting, proposing FOSS alternatives, or run it in the browser if possible are two ways of trying to make the situation better.

As others have said, Jitsi is a for many meetings a good FOSS alternative. And if that does not work, use Zoom in the browser.

> What’s the alternative?

A desktop operating system that comes with a proper security and permission model (i.e. not a standard Linux system). Right now, QubesOS seems like the only candidate here.

I can't believe Android and iOS are now >=15 years old and Linux is still struggling with this.

IME, a lot of people learn about Wayland's security improvements over Xorg and then immediately consider them deal-breakers. Stuff like global hotkeys and shared clipboard access.
Which is wild to me because my immediate thought upon learning was ok, how long until I can get off Xorg?
Fedora 35 came with Wayland by default, it was so smooth I haven't even noticed :) I only learned about it when I reflexively invoked an x-something tool and it said command not found.
MacOS manages to implement all those things while having sandboxing. Though at the expense of many popups (program X wants to do Y) right now. Maybe not the perfect solution either but it is not an unreasonable thing to ask for IMO.
GNU/Linux phones (Librem 5 and Pinephone), but they aren't polished yet.
I would argue this is the exact opposite of what we want to do.

The primary cause of this problem is the conventional desktop OS which has no meaningful security model.

IOS and Android have the correct approach to mitigate this, strong sandboxing and mandatory access control.

GNU/Linux phones bring these problems to mobile, which considering how much of our lives are on these devices, is an absolute disaster.

So I actually use this as my daily driver, but I think it illustrates the point quite well.

The only way to meaningfully secure a GNU/Linux desktop is to run multiple instances of it through a type-1 hypervisor.

For a mobile device, a user prioritizing privacy, security and FOSS would be much better served by GrapheneOS.

Run software from vendors who have demonstrated they are trustworthy -- or, at a minimum, actively AVOID software from vendors (like Zoom) who have repeatedly demonstrated that they are NOT worthy of trust.
No alternative if the people you want to reach, or want to be reached by, are available only on a specific, closed platform.

It's a pick your poison type of situation I think. I personally run FOSS where I can, and compartmentalize the environment where I can't but I still want the benefits.

I guess that’s what I’m getting at. Like this is for work, my company has dictated that we do SSO into the desktop app. I was wondering if there was something I was missing besides the browser version.

But for personal use- totally makes sense

The number of android phones in existence is a good evidence on how much most people are concerned about their privacy (very little).
I disagree.

The number of Android phones in existence is evidence of how important it is to have affordable tech.

Indeed. Second, most people don't actually realise how bad it really is.
How bad it really is?
(assuming you are on Android)

Google's algorithm knows you opened your browser. They almost certainly know what page you opened and how long you have been on it [on chromium, everything typed in URL bar is sent to them]. They probably know that you asked the above question.

If it is a cheap android phone (or even if not, if it uses Rockchip chips, if it is a Xiaomi and likely if it is a Oppo) then at least one Chinese corporation, with ties to a very sophisticated gov apparatus knows it as well.

Considering how many permissions they allow each app to receive (esp. on older versions, which are the majority of users) other apps likely know it as well.

I have a Samsung, and there are lots of clues that they know everything I type and a lot of what I say as well.

Probably other actors as well, since a porous pail will leak...

Good burn, the difference between what permission modals say and what Apple and Google allow you to do with the hardware you paid money for is a valid point in 2022.
I think people are mostly concerned with what they can experience. Building on this, these systems make sure that the breach of privacy is experienced in the least amount possible. When something happens that upsets this surface, like Apple suddenly telling people that an app looked at their clipboard, suddenly privacy is cared about again.

Also, look at other things that are made invisible to the people, and when made visible, people react negatively. Treatment of animals in the various industries, treatment of workers in countries where labour is cheap, issues with waste and its environmental effects.

The real problem is not that we have to run the software, it is that we run it on devices that usually store a huge fraction of our personal life, and which we rely on every day to run our lives.
Out of all the apps I have used for meetings, I've had the best experience with Zoom. But the privacy aspect always concerns me. What's the best alternative today?
https://meet.jit.si has a similar drop in like experience, where no accounts are required, which I believe is in part the reason Zoom was popular in the beginning.
I was curious, so looked at their paid offering[0]. I couldn't find their prices without making an account. Bad sign imo, but the free offering seems sufficient.

[0]: https://8x8.vc

Thanks. I have used this before for a 1-1 and it was decent. Not sure how it scales when there are 20 participants; something Zoom was good with. Any experience?
I can confirm I have noticed this so many times and decided to keep the Zoom app closed while not in a meeting.
If you're mute and start talking (or even if you just clear your throat), the Zoom app shows a pop-up that reminds you that you're muted. I can see why this feature may be useful for many people. Sometimes it's easy to forget that many people don't know how to use the most basic apps.

Conceptually, it's similar to Apple always listening for "Hey Siri".

But the huge difference between these two cases is that most people will probably trust Apple more than Zoom, which is understandable.

If the app is in the foreground or I am in a meeting, Zoom can have my microphone. Anything beyond that is just absurd.
I think this is a recent problem - I've only seen this occurring in the last month or so, I think.
I would never use the zoom app. No way that Chinese asset is touching my system.
For the sake of argument, let's assume this is intentional. What would be the point of doing this? Capturing millions of random people's background sound, in the hopes of landing some "big fish", to provide/sell that audio to the Chinese government?
It's like LastPass or GitHub Copilot collecting private data. It just goes against their business model to violate privacy. I'd be a lot more suspicious if it's Meta/Facebook, because it's directly part of their business model.
The problem is that not every business is fully transparent about their business models nor we don’t know which state level actor is sometimes behind the ”accidental” data collection.
Do we have any examples so far of a state-level actor using data that was "accidentally" collected from users?
You're asking a silly question. States use data indiscriminately, whether it was "accidentally" gathered or not. Ultimately, it's not really accidentally gathered. There is pressure to over-collect.
Technically it is illegal at least in the U.S. to pressure for overcollecting the data. That is why I used the word ”accidentally”. However, in reality some companies might think in the end that it was their own idea.
they have a massive free tier that has yet to be monetized

ads targeted to users based on conversations within ear shot of an always listening device sounds like a big money maker to me

although I don't use zoom, something(s) is already doing this on my phone as I get targeted ads based on conversations I have, routinely ( typically within 45 mins) despite taking many precautions... some technology is already out there in production

Aggregate keyword data to sell to advertisers and hedge funds. Same thing pretty much every smart device does.
I'm a big fan of bashing corporate for things like this, but smart devices haven't been proven to do this, yet. We had a myriad ways of tracking enabled by these devices, but voice, and its mining for data, is off the list for now. Attractive target though, for sure.
Perhaps they've been 'compelled' by the US Government to capture: 1: as much data as possible from their users. 2: recordings from specific users, but in order to hide their intentions, it's a universal "feature"
Background noise can be used to identify location and device association.
I have this problem with skype on Windows. It is not constant but sometimes after I talk to someone it still listens to mike. My mike however has mechanical switch and the camera has cover.
Only semi-related: March 30 deadline to opt into (or out of) the Zoom Class Action settlement:

https://www.zoommeetingsclassaction.com

(comment deleted)
there's something painfully ironic about the final hearing being hosted on "zoomgov.com"
There is a problem with quality at Zoom. My day to day job involves dealing with servers and valuable data, I already made it clear that I can’t use the zoom app for safety concerns. That being said, I don’t believe zoom has malicious goals, they are just not very security minded (or knowledgeable). I believe they like to take shortcuts that put your machine, data and privacy at risk
Can you use browser? I’ve used zoom once, I just launched it in browser and that’s about it. Browser is a godsend when it comes to sketchy apps that I’m forced to use.
Can you now see multiple in the browser? IIRC, that was a limitation at some point.
For some reason, not in Firefox, I don't know why, other apps like Jitsi does it any without trouble.

In Chromium/Chrome it does but limited to 9 people.

I'm using the browser when my zoom is the only option, otherwise I try to use alternative web solution. Zoom on the web-browser is fine but I always recommend using an alternative where user safety and transparency is a priority.
> That being said, I don’t believe zoom has malicious goals

How many "mistakes" do they have to make before you reconsider? They lied to their users for years that their software was end to end encrypted. They sent user's data along with their keys through servers in China. They rolled out their own encryption system, lied about what algorithms they were using, and the encryption they were actually using had well known weaknesses. If they aren't outright malicious they've somehow managed to maintain a level of incompetence that's just as harmful.

The latest is the point I'm trying to make, they are too reckless and profit driven to be trusted.
That's an odd way of saying Chinese state actor.
> they are just not very security minded (or knowledgeable)

I argue that they are definitely knowledgeable and capable of security. The nuance is they care about their own security, not the users'.

Case in point: Their MacOS installer abuses the pre-installation step to fake a System prompt to obtain root, very much like malware. Before you actually click install, it's already done [1].

In this case it was merely a shortcut to reduce the number of clicks to install, but it clearly betrays their disregard for user control & security.

[1] https://www.digitaltrends.com/computing/zoom-mac-one-click-i...

* SEO Bonus: I couldn't find this article on Google no matter what I queried for. But DuckDuckGo found it on my first attempt.

Guess abusing SEO to hide negative press is among their tactics as well.

A solution is only as safe as the most reckless and less knowledgeable person with root access they employ. I'm convinced they have lots of knowledgeable people, but they proved over and again that they also have many bad apples cutting corners and putting everyone at risk.
I think this might have been true in the past, but I don't think it is true any longer. Zoom grew at a wild pace during the early days of the pandemic, and with that came security issues. However, they recognised that and invested into security.

I have previously reported bugs to Google, including one where they simply didn't put any auth on an API endpoint for a new feature, allowing access to any account's data. That is a massive oversight, but at Google scale we realise these things happen, and the more important consideration is how companies respond.

Zoom have a private bug bounty program, but I previously disclosed Zoom bugs publicly [1] as I didn't think their bug bounty program was worthwhile engaging with.

However, they overhauled it, and now of the dozens of private programs I am part of, Zoom's is one of the absolute best. The payouts are great, the team actively engages with the researchers, and seem to legitimately care about getting things right.

Are they perfect? Of course not. But I would feel safer on a Zoom call that call with many competitors who simply don't get as much scrutiny.

[1] https://www.tomanthony.co.uk/blog/zoom-security-exploit-crac...

Force quit out of zoom every time I'm not in a meeting
That’s worrying. I’m glad I have a keybinding for an Alfred shortcut that SIGKILLs Zoom, OBS and the virtualcam plug-in in one shot