This kind of thing is why software I don't fully trust only runs in my browser.
With how good the browser APIs have become, there is little reason to run native apps, which nowadays are often just an outdated browser with a packaged web app anyways (Electron). Google Meet, Microsoft Teams, and even Zoom have demonstrated that web is good enough if they want it.
If you try to force me to install a native app, that's a strong signal that the app is going to do something against my interest. Given how aggressively Zoom has pushed the app, it was very clear to me that this thing is never going to hit my main machine (I think I have a VM somewhere that I used for a job interview that needed the more advanced features).
> If you try to force me to install a native app, that's a strong signal that the app is going to do something against my interest.
That's a really sorry state of affairs. We should be able to trust our OS to work only towards our best interests. To me a web app represents a complete lack of user control over the content & metadata created by the user; my expectation for a desktop app is the opposite.
The signal I take that an app is going to do something shitty is the level to which the vendor asks/suggests/begs me to install the app. If they don't push it (other than advertising it for sale), I'm more likely to trust it. If they push it ("download our app for a better experience"), it's obviously on their side more than mine.
Isn't this just moving the problem, instead of solving it? The fact that browser APIs are so capable these days also means they enable almost the same opportunities for spying or creating other havoc, doesn't it? Especially if it means that I never close the browser because all my apps are running inside it.
There are plenty. I like both worlds. Telegram for example is a good example of an unneeded desktop app that lives fine in the browser (web.telegram.org), multiple versions, regular updates, platform independent. On the other side there is Signal, which forces you to use a very shitty desktop app (or maybe I have not found a better one yet). It just sucks.
On Linux I have no issues installing "native" apps whatsoever. My editor (Emacs), CAD software, music player (!) - sure, Spotify works, but I like my network-transparent MPD way more. I could go a lot farther.
I am curious about (cloud-)gaming since I actually was very surprised how good it can work.
Edit: Why is this downvoted? What am I doing wrong?
I think this is an indication that app sandboxing is not good enough. It should be possible for the user to have control over everything necessary. The light that warns that the microphone is being used should also have functionality to disable it and to make the app "Request every time" or "Only when app is fullscreen" or similar. And if that is actually all happening, then sandboxing is working as necessary and therefore there is no actual trust issue, because the user doesn't have to trust the app anyway.
This kind of thing is why I use Whereby. No plugin is suggested to the user, it always runs in the browser, you can still share your screen and all.
I’m afraid Zoom will upload my whole document folder to the internet “just in case you need to share them during the call, so we don’t consume bandwidth”…
I take the exact opposite stance. I hate browser based apps and prefer native apps. Browser apps are great at stealing your data because the browser makes it easy to. But with a native app I can better control access to system resources, even craft application layer firewall rules to control when it can communicate with the outside world. As a browser app I can only control the browser's traffic in aggregate, which is far less useful.
The problem is that even if you just use the browser, it slowly pushes you to the native app... The browser version is extremely limited; you can't change some settings like the number of people shown at the same time.
If you ignore the installer download and keep (not even) trying and failing to run it that way, eventually the Zoom website will relent and offer to take you to the JS-based system.
This type of thing is why I only run software from the Debian repos or that I build myself. On machines I own, anyway.
I personally still think the UI of web apps are generally terrible, and though they may not be listening to the microphone, spend 10 minutes using uMatrix and it's pretty clear they're spying on you and sending information all over the place.
Sounds like WASI might be the ideal to get around this in the near future given that it's also capability based similar to how browsers guard specific functions.
It's long past the time that native apps should get the same or better kind of sandboxing and access controls that browsers or Android provide. Perhaps a user-friendly wrapper around AppArmor/SELinux.
Pretty confident this is related to the way the Zoom app can detect what conference room you are in when that room is fully equipped with Zoom hardware.
I'm not as familiar with Zoom, but WebEx and Cisco video conferencing hardware use ultrasonic sounds to let you start and transfer meetings from the mobile and desktop app to video conferencing devices.
With WebEx you can turn this off in the preferences. I'd assume Zoom has a similar config setting.
That gives an explanation but doesn’t actually answer the question - “why is it doing this when I’m not using zoom”
Plenty of people use conference rooms for non video chat reasons, and many of those reasons have confidentiality rules.
I know for example there are strict rules around what is required to protect client/lawyer confidentiality, and most of the protection goes out the window if you record, or allow someone else to record them. Would Zoom listening in on that count? I have no idea.
The only class of apps that have any business using a microphone while not in active use are “assistants”, and those have no business doing anything other than listening for their initiator phrase (except haven’t they all been caught sending arbitrary recordings to their parent company?)
I hope I’m pointing out the obvious, but the answer to this question doesn’t matter. The real problem is that we’re compelled to run a bunch of software from organizations we, to put it charitably, have no reason to trust.
This situation may exist because it’s inevitable but it still sucks.
The real problem is not that we have to run the software, it is that we run it on devices that usually store a huge fraction of our personal life, and which we rely on every day to run our lives.
I really think we need a physical microphone shut up switch similar to that we have for webcam shutter available in most laptops now to prevent this kind of intruding stupidity.
It's not a physical switch but MS Powertoys have a system wide mic and camera toggle UI now.
https://docs.microsoft.com/en-us/windows/powertoys/video-con...
For 90s kids, the Powertoys name should bring back fond memories.
My only gripe is that instead of 'Microphone On' it should say 'Microphone is On' - I always forget if it's indicating the state or indicating it will go to that state if I press it. I'm 90% sure it's the former as I type this
Good thing! Yields superior audio quality (because it means there is a powered pre-amp right next to the microphone's recording point) and allows to physically turn off microphones.
Is this possible in MacOS? I thought it was controlled at the kernel and hardware level to prevent user space software from secretly listening/looking?
There is a problem with quality at Zoom. My day to day job involves dealing with servers and valuable data, I already made it clear that I can’t use the zoom app for safety concerns. That being said, I don’t believe zoom has malicious goals, they are just not very security minded (or knowledgeable). I believe they like to take shortcuts that put your machine, data and privacy at risk
> That being said, I don’t believe zoom has malicious goals
How many "mistakes" do they have to make before you reconsider? They lied to their users for years that their software was end to end encrypted. They sent users' data along with their keys through servers in China. They rolled out their own encryption system, lied about what algorithms they were using, and the encryption they were actually using had well known weaknesses. If they aren't outright malicious they've somehow managed to maintain a level of incompetence that's just as harmful.
Can you use browser? I’ve used zoom once, I just launched it in browser and that’s about it. Browser is a godsend when it comes to sketchy apps that I’m forced to use.
Don't use the Zoom app. Load meetings in an incognito/private/whatever browser window, and cancel the automatic download it prompts you with, then click Join In Browser.
Nothing about this company's attitude towards privacy has changed in years.
Almost certainly just a bug with closing the audio session. It doesn’t seem to always be listening but sometimes after a meeting it stays on for whatever reason. If it’s not already fixed then I’m sure it will be soon…
I know this might be unpopular, but, I don't know, you could just QUIT the app? Obviously, there's a bigger issue here if Zoom is listening in when we don't want them to. But, the number of comments providing workarounds just leaves me thinking: why don't you just quit the app? Immediate problem solved. Long-term problem not solved.
Out of all the apps I have used for meetings, I've had the best experience with Zoom. But the privacy aspect always concerns me. What's the best alternative today?
I regrettably had to install Zoom on my Mac because so many people use the service.
However the Mac makes it an easy process to block microphone and camera access. So when I don't have any Zoom meetings scheduled imminently, I just go to System Preferences -> Privacy Settings and kill off Zoom's access there. Only takes, what 5-10 seconds. I guess I could even script it via AppleScript (or potentially CLI), but have never had the time to investigate.
One of the best things about Apple MacOS and Apple iOS is the centralised privacy settings that make it easy to see what has access and easy to turn it off.
I use stuff like Zoom or Bluejeans maybe once a month. So I don't keep it installed. Instead, I just open a terminal and install it using Homebrew with the following commands:
% brew install zoom
When done, eradicate all traces with the zap option:
For the sake of argument, let's assume this is intentional. What would be the point of doing this? Capturing millions of random people's background sound, in the hopes of landing some "big fish", to provide/sell that audio to the Chinese government?
```
<key>SMPrivilegedExecutables</key>
<dict>
<key>us.zoom.ZoomDaemon</key>
<string>identifier "us.zoom.ZoomDaemon" and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3 and certificate leaf[subject.CN] = "Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)"</string>
<key>us.zoom.ZMSipLocationHelper</key>
<string>identifier "us.zoom.ZMSipLocationHelper" and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3 and certificate leaf[subject.CN] = "Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)"</string>
</dict>
</dict>
</plist>
```
That's `~/Applications/zoom.us.app/Contents/Resources/Zoom-Info.plist`, last few lines of the file.
Even though I didn't install it with admin permissions, it's at least trying to slip that shady shit in under the radar. No idea if it succeeded or not, need to do some deep analysis to find out, but probably the simplest/surest fix is to nuke the entire filesystem and rebuild my macos installation from scratch. Done it before many a time, easy enough, just a laborious pain.
Never again, Zoom. Never again.
(Same goes for Teams, and basically anything that isn't browser-based, by the way. Assumption of human rights violations is now the default.)
I don't care if this is just a "harmless bug" or an accident. Too many attempts at shady shit have been glossed over in the name of forgiving an honest mistake. Not anymore. I'm done.
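Whether the helpers listed under `SMPrivilegedExecutables` were ever installed can be checked directly: the key only declares which helper tools the app may ask `SMJobBless` to install, and a blessed helper ends up in `/Library/PrivilegedHelperTools` with a launchd job in `/Library/LaunchDaemons`. The Python below is an added example (not code from the thread or from Zoom); the function names, the `root` parameter and the wrapped sample plist are constructed for illustration.

```python
import plistlib
import re
from pathlib import Path

# Constructed sample: the two SMPrivilegedExecutables entries quoted above,
# wrapped in a minimal plist so it parses; requirement strings are shortened.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SMPrivilegedExecutables</key>
  <dict>
    <key>us.zoom.ZoomDaemon</key>
    <string>identifier "us.zoom.ZoomDaemon" and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3</string>
    <key>us.zoom.ZMSipLocationHelper</key>
    <string>identifier "us.zoom.ZMSipLocationHelper" and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3</string>
  </dict>
</dict>
</plist>
"""

# Pulls the signing team (subject.OU clause) out of a requirement string.
OU_CLAUSE = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Za-z0-9]+)"?')


def declared_helpers(info_plist: bytes) -> dict:
    """Return {helper label: code-signing requirement} declared by the app."""
    info = plistlib.loads(info_plist)
    helpers = info.get("SMPrivilegedExecutables", {}) if isinstance(info, dict) else None
    if not isinstance(helpers, dict):
        raise ValueError("SMPrivilegedExecutables is missing or not a dictionary")
    return {str(k): str(v) for k, v in helpers.items()}


def audit_helpers(info_plist: bytes, root: Path = Path("/")) -> list:
    """Report, per declared helper, whether it is installed under `root`.

    A declared label with neither file present was never blessed on this
    machine; a present file means an admin authorization was granted once.
    """
    report = []
    for label, requirement in sorted(declared_helpers(info_plist).items()):
        # The label is used as a file name; refuse anything that could
        # escape the two directories being inspected.
        safe = "/" not in label and label not in ("", ".", "..")
        tool = root / "Library" / "PrivilegedHelperTools" / label
        job = root / "Library" / "LaunchDaemons" / f"{label}.plist"
        match = OU_CLAUSE.search(requirement)
        report.append({
            "label": label,
            "team_id": match.group(1) if match else None,
            "tool_installed": safe and tool.is_file(),
            "job_installed": safe and job.is_file(),
        })
    return report


if __name__ == "__main__":
    # On a Mac, pass the bytes of the app's Info.plist instead of the sample.
    for row in audit_helpers(SAMPLE_INFO_PLIST):
        present = row["tool_installed"] or row["job_installed"]
        state = "INSTALLED" if present else "declared only"
        print(f'{row["label"]:32} team={row["team_id"]} {state}')
```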
I reported a similar issue to Zoom on April 9, 2020 and did not receive a reply. I did not test to see if it has been fixed since.
The issue: While watching Zoom webinars on Mac, clicking on Audio Settings auto-activated the mic for testing audio levels. However, Zoom forgot to deactivate it upon leaving the settings. For the rest of the webinar, the input device stayed activated in the background (as evidenced by OverSight and Micro Snitch). I could not find a way to deactivate it.
Haven't seen this myself, but it's such a battery-murdering app.
I can view full-HD video without the fan even making a sigh, but joining a Zoom meeting and turning off everything except incoming audio makes the fan scream.
What's going on? Is that app doing crypto-mining in the background?
I got Micro Snitch [1] as part of a bundle with Little Snitch years ago and have just had it running for cases like this. I'm fortunate to not have run into this issue, but I like the peace of mind of knowing exactly if I do.
[+] [-] tgsovlerkhgsel|4 years ago|reply
[+] [-] the_other|4 years ago|reply
[+] [-] periheli0n|4 years ago|reply
[+] [-] entropie|4 years ago|reply
[+] [-] rlpb|4 years ago|reply
[+] [-] laurent92|4 years ago|reply
[+] [-] thereddaikon|4 years ago|reply
[+] [-] Lucasoato|4 years ago|reply
[+] [-] billpg|4 years ago|reply
[+] [-] jlarocco|4 years ago|reply
[+] [-] nyberg|4 years ago|reply
[+] [-] trasz|4 years ago|reply
[+] [-] jevoten|4 years ago|reply
[+] [-] stronglikedan|4 years ago|reply
[+] [-] robertlagrant|4 years ago|reply
[+] [-] 1vuio0pswjnm7|4 years ago|reply
[+] [-] aserr|4 years ago|reply
From [Direct sharing in Zoom Rooms](https://support.zoom.us/hc/en-us/articles/214629303-Direct-s...):
> Direct sharing with proximity detection uses the microphone on your laptop to detect the Zoom Room controller.
[+] [-] __MatrixMan__|4 years ago|reply
If so someone should make a jammer.
[+] [-] troupe|4 years ago|reply
[+] [-] olliej|4 years ago|reply
[+] [-] arwineap|4 years ago|reply
Meeting start -> probe for hardware -> make decision where to host
[+] [-] user3939382|4 years ago|reply
[+] [-] d0mine|4 years ago|reply
[+] [-] goblinux|4 years ago|reply
[+] [-] periheli0n|4 years ago|reply
[+] [-] teleforce|4 years ago|reply
[+] [-] nicoco|4 years ago|reply
[+] [-] bigmattystyles|4 years ago|reply
[+] [-] fsflover|4 years ago|reply
[+] [-] ri0t|4 years ago|reply
Good thing! Yields superior audio quality (because it means there is a powered pre-amp right next to the microphone's recording point) and allows to physically turn off microphones.
https://en.wikipedia.org/wiki/Phantom_power
[+] [-] Metricon|4 years ago|reply
4-Port USB 3.0 Hub Power Switches https://www.amazon.com/gp/product/B00TPMEOYM
[+] [-] billpg|4 years ago|reply
"You fixed it so that it doesn't switch the microphone on at all, not just stopping the light coming on, right?"
"Right?"
(Yay! Memes in text form!)
[+] [-] binarymax|4 years ago|reply
[+] [-] debrice|4 years ago|reply
[+] [-] autoexec|4 years ago|reply
[+] [-] vbezhenar|4 years ago|reply
[+] [-] shaggyfrog|4 years ago|reply
[+] [-] stevewodil|4 years ago|reply
[+] [-] taurusnoises|4 years ago|reply
[+] [-] laserlight|4 years ago|reply
[+] [-] Fervicus|4 years ago|reply
[+] [-] lima|4 years ago|reply
[+] [-] traceroute66|4 years ago|reply
[+] [-] bartvk|4 years ago|reply
[+] [-] cbm-vic-20|4 years ago|reply
[+] [-] MrWiffles|4 years ago|reply
EDIT: This formatting sucks, how does HN not have markdown fenced codeblocks? Anyway, here's less fail formatting:
https://pastebin.com/WiRpWs61
[+] [-] psyklic|4 years ago|reply
The issue: While watching Zoom webinars on Mac, clicking on Audio Settings auto-activated the mic for testing audio levels. However, Zoom forgot to deactivate it upon leaving the settings. For the rest of the webinar, the input device stayed activated in the background (as evidenced by OverSight and Micro Snitch). I could not find a way to deactivate it.
This issue is similar to one that affected Shazam: "Shazam Keeps Your Mac’s Microphone Always On, Even When You Turn It Off" https://www.vice.com/en_us/article/8q8ee3/shazam-keeps-your-....
[+] [-] McHankHenry|4 years ago|reply
[+] [-] core-utility|4 years ago|reply
[1]: https://obdev.at/products/microsnitch/index.html
[+] [-] 0xmohit|4 years ago|reply
[0] https://www.privateinternetaccess.com/blog/google-chrome-lis...