Hacker News new | past | comments | ask | show | jobs | submit login
Why is the Zoom app listening on my microphone when not in a meeting? (zoom.com)
687 points by mangala_murti on Feb 9, 2022 | hide | past | favorite | 383 comments



This kind of thing is why software I don't fully trust only runs in my browser.

With how good the browser APIs have become, there is little reason to run native apps, which nowadays are often just an outdated browser with a packaged web app anyways (Electron). Google Meet, Microsoft Teams, and even Zoom have demonstrated that web is good enough if they want it.

If you try to force me to install a native app, that's a strong signal that the app is going to do something against my interest. Given how aggressively Zoom has pushed the app, it was very clear to me that this thing is never going to hit my main machine (I think I have a VM somewhere that I used for a job interview that needed the more advanced features).


> If you try to force me to install a native app, that's a strong signal that the app is going to do something against my interest.

That's a really sorry state of affairs. We should be able to trust our OS to work only towards our best interests. To me a web app represents a complete lack of user control over the content & metadata created by the user; my expectation for a desktop app is the opposite.

The signal I take that an app is going to do something shitty is the level to which the vendor asks/suggests/begs me to install the app. If they don't push it (other and advertising it for sale), I'm more likely to trust it. If they push it ("download our app for a better experience"), it's obviously on their side more than mine.


Reddit as a point in case. They deliberately break their mobile web version subtly to coerce users to install their app. Shudder.


Facebook does the same thing.

I won't install the Facebook app, because I can almost watch the battery drain; even when it's in the background.

It's easy for me to prevent any app from listening. I use an external monitor that doesn't have a microphone, and I connect via the DisplayPort, so there's no audio.

The only time I use anything with a mic, it's for Zoom, and I explicitly turn on my AirPods.


The "external monitor" phrasing makes me think you're using a laptop, which probably has its own microphone. Typically that microphone is accessible even when you're connected to an external monitor (even if the laptop is closed).

You may want to visit your control panel/system preferences/whatever to see how things are configured and perhaps explicitly disable/mute the laptop mic.


Already done that. It's sorted. Thanks!


> my AirPods. You had me until that L0L. Anything with a mic (especially the AirPods) would need to be "unpaired" (or better yet, never paired) to avoid activation by covert code. Apple once sold EarPods that had no microphone (for use on iPods) that do the trick. (However, I would wager that it's possible to remotely activate and pair a set of AirPods laying by your Mac using the Apple protocols designed to make it easier for legit users to set them up.)

The Chinese app called "genie" used with devices like cheap Merkury cameras, sold at places like Walmart for impossibly low prices and that livestream thru "Tuya" (which likely provides the inputs to China-based deep learning models) also does this on all Apple Silicon platforms. Yes, the "Terms" for that app would seem to allow for it, just like other Chinese apps: https://www.npr.org/2021/01/05/953515627/facial-recognition-... Such streams help China develop models that interpret emotions and behaviorally profile all types of people, not just Uyghurs: https://www.bbc.com/news/technology-57101248 They can also be used like https://www.aei.org/articles/chinas-olympics-app-is-pure-spy...

Pretty sure China has hacked all of the telecom companies to know which IPs (Tuya streams) would go with which Experian® profiles (https://www.fbi.gov/news/stories/chinese-hackers-charged-in-...) too, though such a hack probably involves somethingStupid™ like keyboard firmware injected into customer service terminals at multi-provider offshore customer/provisioning centers. (Those account number to DHCP lease servers/loggers are probably the least protected part of the consumer networks...BigTech has erybody thinking it's about surveillance capitalism, when it's really about surveillance period.) Apple's iCloud Private Relay service doesn't help much here either, as "Tuya" can associate the Apple-device running the app with the IOT devices that are streaming through the "Tuya" platform, providing a pretty good estimation of the identity of the user of the app on the Apple-device (which, of course, can be passed along in realtime to other apps in the "Tuya" family, even as Private Relay is rotating the IP addresses, so long as the "genie" like app is running in the background enough to phone home with an IP update packet).

(Originally posted to someone's duplicate of this thread.)


I agree with you, except for the word 'subtly'. It's not subtle at all.


I see it as a feature. Using Facebook's deliberately shitty mobile interface with Firefox Focus, which clears cookies every time I close a browser tab, helped me to kick my Facebook habit by making it too inconvenient to check except for a specific purpose. I now log in about once a month.


Well, it still works, but the UX is terrible, and usually one has to reload the page after something like 20 clicks or so because it stops responding or UX elements disappear.

So yeah, not really that subtle, I agree.


For me recently it hasn't worked at all for example -

I'm signed into reddit on the webapp, I click a link on the front page, it renders the page, then overlays a popup saying "this page is only available in the app"

and despite having the app, clicking "open in app" takes me to the apple store, so really I can only reliably use reddit if I start my reddit "session" in the app


Reddit makes life miserable on the mobile web.


https://i.reddit.com/ and https://old.reddit.com still work - when they don't I'll likely stop using reddit entirely.

I won't install the app and the mobile experience is broken.

Which is a shame since I've used it for 14 years.


There are some great options on mobile from third parties if that might work well for you:

Apollo for iOS: https://apps.apple.com/us/app/apollo-for-reddit/id979274575

Boost, for Android: https://play.google.com/store/apps/details?id=com.rubenmayay...

Hopefully on desktops old.reddit sticks around forever. https://redditenhancementsuite.com/ is essential.


100% agree as a user of 12 years, and I'm getting pretty close to quitting because if the shenanigans they're pulling recently with making links not work for old reddit by inserting slashes.

If I wanted a Fisher Price styled social media thing full of user avatars and giant gifs, I'd use Facebook.


There is also the little-known ". compact".

E.g. https://www.reddit.com/.compact


I used to use RedReader[0]. But I eventually quit, because it works very well and is dangerously addictive. Beware.

[0] - https://f-droid.org/en/packages/org.quantumbadger.redreader/


> subtly

Nothing subtle about that. Some of the subreddits are completely blocked on mobile web, telling you to get the app.

Unfortunately, Android supports this by only letting verified apps respond to URLs by default and making it really hard for users to allowing unofficial apps to do it.


They're not blocked if you login on the mobile website.


I use the desktop site on mobile because it may be garbage but it at least works


just use old.reddit.com


^ One of the reasons I stopped using Reddit. Other than it being a toxic dump


I assume that's because of AdBlock


>> That's a really sorry state of affairs. We should be able to trust our OS to work only towards our best interests.

Yes, It's sad that browsers offer better security than our OS. I also like to point out that browsers pioneered tabs because the GUI toolkit and DE developers failed to do a good job at opening multiple documents well.

Another case pointing to failure with our OSes is the fad of running in containers. This is an extra layer doing what the OS should be offering.

The problem is our OS security models are a relic from the 1970's.


> I also like to point out that browsers pioneered tabs because the GUI toolkit and DE developers failed to do a good job at opening multiple documents well.

Windows and macOS had tabbed interfaces long before browsers made them cute. This is also an irrelevant distraction from the conversation about trust levels.

> This is an extra layer doing what the OS should be offering.

As pointed out by a sibling, this is an OS provided tool. I run macOS and I find containerisation an annoying distraction from doing my front-end dev work. I see why you might want it for back-end work and I feel your frustration at being forced to use a VM to support a Linux feature in an OS that doesn't share the same feature (or provide a directly comparable alternative). That would be nice.

I don't think it's relevant to the web vs OS trust level conversation either. Containers might support better OS-level sandboxing, but they're still open to the web and to siphoning off user-generated data to the cloud.

The core thing we should collectively work towards is a mind-set (and tools) that better supports users owning their own data more often, and vendors making tools to support that data, rather than monetising it independently of the users they provide tools to. This was the norm through 'til Hotmail and Yahoomail took off; it swung exponentially away from user-benefit when Gmail took off.


> This is an extra layer doing what the OS should be offering.

FWIW Linux containers are OS-level with cgroups.


Isn't this just moving the problem, instead of solving it? The fact that browser APIs are so capable these days also means they enable almost the same opportunities for spying or creating other havoc, doesn't it? Especially if it means that I never close the browser because all my apps are running inside it.


Yes, but the browser at least indicates that a microphone or a camera is being used. Also you need to explicitly allow their use. And web apps cannot just go around accessing your files. It may not be perfect, but security-wise it's a lot better than running untrusted native applications.


OK, but to be fair, at least MacOS also asks for file access permissions, and indicates if the mic is being used with the orange dot that this thread is about.

So when running zoom in the browser, it could still keep the mic open and listen, until closing the browser tab. That would be equivalent to closing the native app.

I can see a small advantage when running in the browser, but it also comes with additional privacy risks. For example, if I want the browser to remember my settings for file and mic/camera access, I can't run it in a private tab, meaning that tracking via cookies and other techniques becomes a lot easier.


there's a growing sentiment that desktop operating systems should adopt the security model of android/iOS... I don't know what it'l take for developer/user adoption though


Current browsers indicate that a microphone or a camera is being used. Future browsers might not, or there could be technologies under different names going forward.


Not at all. Browsers have to assume Web content is malicious, and they behave accordingly.


There are a whole lot of web APIs that were developed without a care for privacy/security, that are slowwwwly being mitigated by Mozilla's resistFingerprinting and Tor Browser. Browsers certainly do more to get sandboxing right than native apps, but they aren't a panacea.


The sentiment that suspicious applications are best confined in the browser reflects the strong security reputation of modern browsers, which started with Chrome's extensive use of sandboxing more than ten years ago.


True, but then again this raises the question why a browser is needed for sandboxing; it could just as well be done on OS level. And it is done on MacOS, although I don't know whether the amount of sandboxing it does is comparable to what Chrome is doing.

Another issue is that the network communication of a native app can be fenced in by e.g. Little Snitch, whereas fencing in an app running in Chrome is quite challenging. I'd have to apply any firewall rules to Chrome as a whole, instead of the web app.

Perhaps there even exists a firewall as a Chrome extension that would allow that kind of thing; but then we quickly approach the terrain where Chrome becomes something like a VM where just everything runs in, just slower compared to native executables.


> there is little reason to run native apps,

There are plenty. I like both worlds. Telegram for example is a good example of an unneeded desktop app that lives fine in the browser ( web.telegram.org ), multiple versions, regular updates, platform independent. On the other side there is signal, which forces to use a very shitty desktop app (or maybe I have not found a better yet). It just sucks.

On linux I have no issues installing "native" apps whatsoever. My editor (emacs), cad software, music player (!) - sure spotify works, but I like my network transparent MPD way more. I could go a lot farhther.

Iam curious about (cloud-)gaming since I actually was very suprised how good it can work.

Edit: Why is this downvoted? What am I doing wrong?


> On linux I have no issues installing "native" apps whatsoever

You should. Linux provides pretty much zero protection for your data. Any app you install can spy on the data of any other app you're using, and all your personal files.

Other OSes are slowly introducing some limitations and protections here, but Linux is really not doing much at all.


Well, there is AppArmor and SELinux which AFAIU could fence in individual apps. It's just not exactly trivial to set up without breaking the app.


On Linux there's Flatpak and Wayland which aim to introduce more protection


Not meaningfully. If you have to install an app, only putting it in a VM can ever help much.

If you run X (except on Qubes!) any program can see everything every other X program is doing -- all keystrokes, all mouse clicks, all pixels.


This is not true. You can write AppArmor rules which can restrict pretty much everything. SELinux is also a thing, and introduces a lot of features that you can't see in the Windows for example.

> X program is doing -- all keystrokes, all mouse clicks, all pixels.

Parent was mentioning Wayland specifically to remove this threat.


In Linux, just run an app as separate user. Linux is a multi-tenant OS, so users are well protected from each other. If you need to share files with program, share them via a shared folder, e.g. `/tmp`.


Doesn't sound very practical, especially for grahical programs.


Security is compromise. You can share your whole home directory, if you trust the software, but it will make any kind of protection useless, or you can write a helper tool, which will grant access to a single selected file using a hard link, to make alias for file content, or synchronize files between directories, or mount a shared directory to both container and your home directory, or use SELinux to grant access to a selected directory only. Chose your own compromise.


But it doesn't have to be such a shitty compromise. Most desktop applications could be made such that you have all the security and the convenience.


Separate user for untrusted apps is the proven way to do that in UNIX. :-/


That can happen under the hood, but the user should not have to deal with that


This is how Android does security AFAIK — every app is run as a different user.


If they connect to the same X display, it doesn't matter what user they run as.


So, give separate X server (Xephyr, Xnest, Xvnc) per app for increased security. They will be isolated from clipboard, window titles, and broadcasted key events.


Yes, but in my experience at least, Firefox is not usable running under Xephyr. It's simply too slow for regular web browsing, forget about trying to watch any kind of video.

In theory, the X11 Security Extension would seem to provide a middle ground. On the plus side, I don't notice any performance impact when running Firefox as an untrusted client. However, most programs aren't coded correctly to coexist with it. For example, Firefox crashes regularly when running as such (via SIGSEGV no less, which is its own yikes). Not only that but many programs that are themselves trusted (i.e. normal/default X11 clients) will misbehave if they are simply near an untrusted client: LibreOffice Calc, for example, will lock up hard if the untrusted clipboard is in use.


That is nowhere near practical.


All system daemons are running this way. It's the standard way to isolate networking services on UNIX.


And no user-facing UI apps do this or are built for it, and no desktop environment has any kind of support for doing it.

It just doesn't work in practice.


Desktop environments have nothing to do with that: it's the job of distribution. `gksu` is popular to run graphical apps under root or another user, for example, until it was removed from distributions because distributions don't want to allow users to run untrusted apps as root.


You can run each program in full screen on a separate instance of Xephyr or Xnest, so the program will have a whole separate X server to play with in isolation. Good for running Raspberry Pi desktop via `ssh -X` or `ssh -Y`.


Linux distributions are FOSS. They provide as much protection as I need. I can run untrusted applications in a container, if I WANT that level of protection. For FOSS software, I don't want it.


The standard (and ubiquitous) way on UNIX/Linux is to run each program as a different dedicated user. Complete separation.


Even if you do that, they all connect to the same X server.

There's the X11 security extension, which offers the concept of "untrusted" clients, but many programs won't work with it. For example, Firefox segfaults regularly if run as an untrusted client.


Telegram desktop app is awesome. For me it is a great example of a native app. J ahd zero troubles with it. It is fast, it doesn't consume a lot of RAM and no Electron is bundled. I am glad to see someone is still developing native apps.


It's built with Qt :)


> Telegram desktop app is awesome.

I think I tried it at one point and didn't dislike it. I multiboot linux and windows and from day one it felt very comfortable to have a sticky telegram tab in my eternal browser session on both OS that behave the same.


> On the other side there is signal, which forces to use a very shitty desktop app (or maybe I have not found a better yet). It just sucks.

Usability is often the enemy of the security. Signal is full E2EE, including metadata. It compromises security in many ways when using a browser sharing the keys which were originally meant for single receiver and sender. (e.g malicious browser extensions could access the data).

Signal has chosen to implement only their own desktop app. And as their server side is kinda closed and not self-hostable, it is unlikely that we see other clients for a while.


I don't see what the difference is in security architecture between a desktop app and a web app implementing the same scheme?

My assumption is that you've got an E2EE link between the Signal app on the phone and the desktop app (with the messages decrypted on your phone in the middle). Why can't you do exactly the same thing with a web app?


> I don't see what the difference is in security architecture between a desktop app and a web app implementing the same scheme?

I just gave an example - execution environment is accessible by browser extensions. All the code and runtime data is visible for them with certain permissions.


How is that different from the desktop app? All the code and runtime data is visible to anyone running under the same uid, or the superuser.


No, they aren’t visible by default. Kernel isolates the memory space for every process. One of the basic fundamental things.

Browser extensions can additionally modify code on the fly. On desktops it is really difficult since you need to inject code into memory.

You are doing something wrong if you run your app as superuser or grant too much permissions by default.


That is false, you can read the raw memory for any other process running under your uid. /proc/<PID>/mem

You can also ptrace the process and completely control its execution.


Reading /proc/<PID>/mem requires access mode PTRACE_MODE_ATTACH_FSCREDS which is fundamentally same as access by using ptrace. Thus, kernel is indeed isolating process memory by default.

It is true, that often you get PTRACE_MODE_ATTACH_FSCREDS with same UID/GId, but the most production systems have disabled ptrace or there are extra AppArmor rules to prevent its use. In most of the cases it is recommended to be disabled.

For example latest Ubuntu allows only ptracing child processes on the same userspace (https://wiki.ubuntu.com/Security/Features#ptrace)

You can also set your apps in such a way that they can’t be ptraced, for example ssh-agent is doing this with PR_SET_DUMPABLE attribute.


Thanks for the details. I didn't know Ubuntu was restricting ptrace by default now. Now I need to figure out how to do that on my Debian system -- it definitely allows me to gdb attach to an unrelated process presently.

Even that protection doesn't seem to make it safe to run untrusted programs under the same UID, though? If nothing else, there's always the classic "modify user's rc files to put my malicious program first in $PATH." Similarly you could modify them to increase the core file size rlimit, then send SIGSEGV to the process later and collect the core file.


> Now I need to figure out how to do that on my Debian system -- it definitely allows me to gdb attach to an unrelated process presently.

You could try to set it similarly than Ubuntu is doing. See Yama kernel module [1], and set mode 1 (restricted).

> Even that protection doesn't seem to make it safe to run untrusted programs under the same UID, though? If nothing else, there's always the classic "modify user's rc files to put my malicious program first in $PATH." Similarly you could modify them to increase the core file size rlimit, then send SIGSEGV to the process later and collect the core file.

AppArmor[2] is useful for this, you could define profile for the untrusted app, and it cannot access any other file than you allow.

[1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama....

[2]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/appar...


I've been using GeForce Now quite a bit to play games that do not run on my laptop. The required internet speed is probably out of reach for most non-urbanites at the moment, but the concept does not really require a Native App, since it is basically video streaming with interactivity, and could probably easily move to the browser in the future.

Cloud gaming is one of the technologies I'm quite unsure about, it could become the de-facto standard in the coming decade, or it could remain a niche, all depending on consumer preferences and network infrastructure.


GeForce Now already works on browsers. It requires Chrome or iOS Safari (I suspect this one was the driving force behind it due to apples app store rules). Just go to https://play.geforcenow.com/ and it shows you what to do...


In my experience it works for mostly static games - most others are not fun due to the additional latencies. If you're close enough to the server and not too sensitive it might be enjoyable, but also some genres are just unplayable IMO (e.g. FPS, roguelikes, racing games).


For some games it might be reasonable but the ones i tried with my 100/100 mbit are miles away from the native experience.


I think this is an indication that app sandboxing is not good enough. It should be possible for the user to have control over everything necessary. The light that warns that the microphone is being used should also have functionality to disable it and to make the app "Request every time" or "Only when app is fullscreen" or similar. And if that is actually all happening, then sandboxing is working as necessary and therefore there is no actual trust issue, because the user doesn't have to trust the app anyway.


Adding to that, IMO there should also be an option that feeds bogus data to the app so it can't know if a resource is blocked. So many apps just refuse to work if you deny them the resources they don't need


LOL That would be nice!!! Feed an Animated Gif to the Webcam and Whale Noise to the mic!


That's a usability nightmare though. Imagine a user who clicked the wrong thing, then they complain that their mic is broken and plays analog TV hellscape sounds on conference calls.

Edit: Not saying I wouldn't use it myself, though.


Objective-See has a utility to do this called OverSight. It's a firewall for your webcams and mics. BUT do not mention this in the Zoom forums as it will be taken down.


This kind of thing is why I use Whereby. No plugin is suggested to the user, it always runs in the browser, you can still share your screen and all.

I’m afraid Zoom will upload my whole document folder to the internet “just in case you need to share them during the call, so we don’t consume bandwidth”…


I take the exact opposite stance. I hate browser based apps and prefer native apps. Browser apps are great at stealing your data because the browser makes it easy to. But with a native app I can better control access to system resources, even craft application layer firewall rules to control when it can communicate with the outside world. As a browser app I can only control the browser's traffic in aggregate, which is far less useful.


The problem is that even if you just use the browser, it slowly pushes you to the native app... Browser version is extremely limited, you can't change some settings like the number of people shown in the same time.


If you ignore the installer download and keep (not even) trying and failing to run it that way, eventually the Zoom website will relent and offer to take you to the JS-based system.


At least for some time and some accounts, the link only showed up if the owner of the meeting had enabled it in some three-layers-deep menu.

I assume that for enterprise customers it's enabled by default though because they realize that making paying customers fail to have their meetings is not a winning strategy.


I have a different take away.

This type of thing is why I only run software from the Debian repos or that I build myself. On machines I own, anyway.

I personally still think the UI of web apps are generally terrible, and though they may not be listening to the microphone, spend 10 minutes using uMatrix and it's pretty clear they're spying on you and sending information all over the place.


Sounds like WASI might be the ideal to get around this in the near future given that it's also capability based similar to how browsers guard specific functions.


And give your browser access to microphone and camera? That doesn’t sound wise from the security point of view either.


It's long past the time that native apps should get the same or better kind of sandboxing and access controls that browsers or Android provide. Perhaps a user-friendly wrapper around AppArmor/SELinux.


Yup. Say what you want about Teams and Meet, but at lease they run in the browser, and relatively well, for my use cases anyway.


Can you use the browser version to do screen sharing? My impression was you can't.


I read that some companies do not allow the use of Zoom.


Pretty confident this is related to the way the Zoom app can detect what conference room you are in when that room is fully equipped with Zoom hardware.

From [Direct sharing in Zoom Rooms](https://support.zoom.us/hc/en-us/articles/214629303-Direct-s...):

> Direct sharing with proximity detection uses the microphone on your laptop to detect the Zoom Room controller.


Is the zoom hardware shouting "welcome to thunderdome" at frequencies we can't hear so that the the app will realize it's in the thunderdome?

If so someone should make a jammer.


This is what Cisco's conferencing software does, too.

When it works, it means someone can walk into an appropriately equipped meeting room, and the software on their machine detects that. The audio, video, and screen sharing all route through the meeting room, rather than the laptop. Virtually zero involvement for the user.


Very convenient but not worth the price to set up a whole corporate surveillance nightmare.


Certainly with the Cisco system, not worth the money they charge for the hardware! Every room has a few $25 wholesale price Ikea grade chairs, a table, and then a $100k conference phone.


The units we got were like TV sound bar format, with a camera in the middle. About $10-15k each.


They are priced high enough that companies doing this are already hip deep in Cisco's world. They probably already have the corporate surveillance thing going.


What happens if someone records a YouTube video in that room, and that video goes viral?


I dont know for certain.

I recall that if you were not signed in to an account on their Org, it would only show up with you as that you were a guest in the room, and you could not do much/anything without someone from that org authorising you.

I dont know if the token is long lived, i would hope its rotated frequently.

i also suspect that because it's above audible range, your average video compression might strip it out.


I had to turn this off (not sure how it ever got turned on) because the Microphone indicator was on 100% of the time it was running (as it should be) while it searched for nearby devices through some kind of audio communication.


Probably more like "Welcome to zoombocom" :D


you can do anything at zoombocom.


Or a fake "welcome to thunderdome" generator . . .


Not sure if all microphones are able to listen at that frequencies


I'm not as familiar with Zoom, but WebEx and Cisco video conferencing hardware use ultrasonic sounds to let you start and transfer meetings from the mobile and desktop app to video conferencing devices.

With WebEx you can turn this off in the preferences. I'd assume Zoom has a similar config setting.


They do? Ugh.. hopefully not continuous emitting of pulses.. I can hear some ultrasonics due to my cochlear implant, and it's been really annoying how these days Lutron is selling motion detectors that use both ultrasonics and IR. They like to buzz, even when people are already in the room.


Have you contacted Lutron at all? Or your implant manufacturer? Something seems out of alignment.


I contacted the implant manufacturer when I became aware of the issue.. apparently there is even a warning that ultrasonics can damage it.. but it's not clear to me if that's just legalese or if it's actually a clear and present danger.

I haven't contacted Lutron yet which is bad of me, and I really should do that, but I don't think they would care since the amount of people who can identify that there's a problem with their devices is small.


Lutron may not care about you but they may care about an article in the news about how their products are harming people.


Today disability is an issue that is taken seriously. If Lutron's technology is affecting your disability then you should absolutely contact them, and barring a satisfactory solution you might even get aggressive with them. They cannot hurt you, arguing that people like you are rare.


Anxiety can be classified as a disability. Does that mean you can’t make someone anxious? That would be fun to see enforced.


Yes, Zoom has a similar setting. I don't think the client is listening for the ultrasonics all the time; you need to click the "Share Screen" button on the main zoom page to have it work, and it presents a "please wait" screen for 5-10 seconds after pressing that button while it appears to detect the room info.


Yea, and it was a battery killer on a laptop - at my company, it even had a side effect of all but pegging the CPU. The confluence of poor software meets bad device driver is entertaining.


That's such a hack. Seriously, this is how we do tech in 2022?


You're right, they should have found a way to shoe-horn in kubernetes.


proximity detection is done via the blockchain


What is the other way of doing it?

Because this “hack”:

* Works on devices without Bluetooth (or that have it disabled)

* doesn’t require anyone installing privileged software or drivers

* gives a very good “in the same room” indicator

* doesn’t require any custom/expensive hardware components


The mechanism is not the problem, it's that it turns on the mic by default. Most Zoom users are not in the luxury position of being in a location with a presentation room where they might need to present something, so for most people this is just an unnecessary feature and a possible nuisance. So this setting should by default be turned off (it can still work when the mic is turned on already).


I was responding to the comment calling it a hack :)

Zoom deciding to use the mic while not in use is clearly a terrible bit of behavior :)


If I have NFC or Bluetooth disabled it is because I explicitly do not want software on my device to contact outside services.


Yes, but if you’re in a zoom/whatever conference room, with a zoom/whatever client running, it’s not unreasonable to think that you want to use the conference equipment. Couple with the various constraints on BT, etc this is a reasonable solution.

Where this reasonable solution is actually implemented securely is another question, and Zoom’s track record isn’t exactly fantastic.


But how is the device going to communicate with the zoom hardware in the room when Bluetooth is disabled?


The ultrasound is the communication.

From the description it sounds like it's just a handoff feature, as in you go into a conference room with whatever their conference room product is.

Once you get in handoff range they only need to exchange sufficient information to get the AV equipment to start a connection to the appropriate zoom/webex/whatever channel, and presumably the reverse of getting the original zoom client to close.

I'm assuming there is some work to reduce the likelihood of unintentionally triggering it, and some basic authentication, but this is not a lot of data, and ultrasound is more than sufficient to do it very "instantaneously".


OK, so the actual communication (the call itself) will be transmitted over wifi. But this means that at least some kind of access token must be transmitted over ultrasound. Is this safe? I would love to see an analysis of that communication; whether it is encrypted, is the handshake secure or can it be hijacked, does,it transmit only an anonymous access token or the whole user ID etc.

I mean, if I ever switch off Bluetooth it's exactly for the reason that I don't want my device to be detected/tracked. Zoom going around this by using ultrasound is kind of mean, since I can't prevent zoom from using audio if I want to be able to make calls.


> OK, so the actual communication (the call itself) will be transmitted over wifi

That was my interpretation of the feature described earlier in the thread

> But this means that at least some kind of access token must be transmitted over ultrasound. ...

Yup, I agree I'd love to know more about what is involved. I like to think there's a degree of authentication involved, but this is also Zoom. The company that installed a persistent service in order to circumvent a security feature in safari, that also allowed unauthenticated RCE.

> I mean, if I ever switch off Bluetooth it's exactly for the reason that I don't want my device to be detected/tracked.

I had assumed Android and PC had adopted the randomized MACs apple uses to prevent such tracking?

> Zoom going around this by using ultrasound is kind of mean, since I can't prevent zoom from using audio if I want to be able to make calls.

If we assume for now that it is properly authenticated, and has safe tokens to break tracking, identification, etc, then this behaviour seems reasonable. It would require you to open zoom in a room with the requisite enterprise-y teleconference equipment.

But of course that is quite a load bearing "if", and it already appears that they're trying to maintain the channel when they aren't active.


> I had assumed Android and PC had adopted the randomized MACs apple uses to prevent such tracking?

True, and this is why I rarely switch it off, except in situations where I don't want to be visible to devices that I previously connected to. Same for wifi.

I just find it quite over the top to work around user-controlled communication channels like bluetooth that the user might have chosen to disable, by using a medium (sound) that the user cannot switch off and still use the app.


In this case it's a convenience feature, rather than a avoid user controlled channels thing.

As I noted earlier it works without bluetooth available, but more importantly I suspect, if it were bluetooth everyone would have to peer their devices with every conference room. If it were wifi you'd need to know the network name of the conference room's AV system.

While both options would work, having a single "switch to AV system" button is clearly the best user experience, so you try to make that possible. Given both the app and the AV system have the ability to create and record sound, that's the obvious choice.

But again, I'm not making any statement on the security of the actual implementation from Zoom :D


Lol, why don't they use ipv6? What would you use?

I think it's a pretty cool hack.


It's pretty cool in that commodity integrated hardware is capable of doing something practical at those frequencies. Not long ago it was a struggle to get the Pro Audio Spectrum ISA card working at all.

It's awful in that using the auditory domain is too much an intrusion into the human space. There is enough noise pollution. Interference patterns around the room may generate harmonics at audible frequencies. Young kids can hear high frequencies we forgot we ever could. I can still hear CRT flybacks. Sometimes I thought I heard something electronic in conference rooms but convinced myself it was nothing.

Someone else was complaining about it affecting their cochlear implant. That is horrifying.

It is not so farfetched that it has an adverse affect on health either. America is losing diplomats left and right to some mysterious ultrasonic weapon, or at least that is one of the leading theories.

It is awful that my CPU has to be constantly running a FFT to read this signal. I think Apple has an ASIC which does the Siri voice recognition.

It's awful that it triggers the orange light to be constantly on so you end up ignoring it. What if Zoom is simultaneously using the microphone stream for nefarious purposes.

This is what Bluetooth was made for. This is a worse idea than Wifi over lighting. Even the 9-digit Zoom dial codes are better.


>Someone else was complaining about it affecting their cochlear implant. That is horrifying.

Definitely.

>It is awful that my CPU has to be constantly running a FFT to read this signal. I think Apple has an ASIC which does the Siri voice recognition.

Isn't it the zoom box that has to be doing the detection? The pc is just sending the signal, which wouldn't take much processing.

>It's awful that it triggers the orange light to be constantly on so you end up ignoring it.

I think someone commented that's for the purpose of detecting if someone is muted and notifying them. Still, there should definitely be a choice to disable this behavior. I wouldn't be able to ignore it.

>What if Zoom is simultaneously using the microphone stream for nefarious purposes.

There's a lot of nefarious things they could potentially do even without using the mic, considering it's software already running on your pc that already has an encrypted connection to their servers.

>This is what Bluetooth was made for.

Good point, that would have been better.


> Isn't it the zoom box that has to be doing the detection? The pc is just sending the signal, which wouldn't take much processing.

If the PC were just sending the signal it wouldn't need the microphone to be on. And it would stop working when people turn off their speakers like a lot of people do in a busy meeting room.

By the way there seem to be other ways to do it too. Not sure if it's Bluetooth but MS Teams warned me in the past that I was in a room with a Surface display (the huge first generation one). It doesn't keep the microphone active though.. I never investigated how it figured that.


Bluetooth would be more appropriate for that I would say.


That gives an explanation but doesn’t actually answer the question - “why is it doing this when I’m not using zoom”

Plenty of people use conference rooms for non video chat reasons, and many of those reason have confidentiality rules.

I know for example there are strict rules around what is required to protect client/lawyer confidentiality, and most of the protection goes out the window if you record, or allow some one else to record them. Would zoom listening in on that count? I have no idea

The only class of apps that have any business using a microphone while not in active use are “assistants”, and those have no business doing anything other than listening for their initiator phrase (except haven’t they all been caught sending arbitrary recordings to their parent company?)


I can assure you Zoom is not doing anything that would legally constitute "recording." In all US states and probably a lot of countries, recording is illegal without the consent of at least one party to the conversation. In the US, in some states, all parties must consent to recording. If Zoom were even skirting the line here, their lawyers would put the kibosh on it real quick.

Hmm... but, then again, there was that thing where Amazon Alexa was recording people without their knowledge... hmm.


I have seen the general sentiment of "their own lawyers would stop it" expressed many times about many different things, but who tells the lawyers?

Every place I have worked in the past there have been zero pathway for IT/Developers to notify a lawyer about anything or ask a question.


Really? At places I've been, you could definitely notify a lawyer of an issue, with the process ranging from walking up to their desk to looking up someone in the legal department and emailing them. I've never had cause to actually do it, but I certainly could have, had the situation warranted it.


Not everywhere has lawyers on staff or an easily searchable directory with accurate titles and department names.


> If Zoom were even skirting the line here, their lawyers would put the kibosh on it real quick.

And then the people in charge of the money would do the math on "this earns us 1 billion dollars and the fine has a 10% chance of happening and would be 100 million... so do it anyways, it's worth the tradeoff". This happens over and over.


On the other hand, like any other American company Zoom can be “asked” by intelligence services to “cooperate” - and there is no law that would protect its users against it.


"American". The coincidence that "Zoom" and "Zhumu" share the same platform.

https://thenextweb.com/news/zooms-scary-webcam-flaw-also-aff...


It doesn't matter - the company is American, thus it can be "convinced" into cooperating.


> If Zoom were even skirting the line here, their lawyers would put the kibosh on it real quick

Their lawyers didn't stop them from claiming to provide end-to-end encryption, a blatant misrepresentation that resulted in receiving a consent order from the FTC [1] and settling a class-action suit for $85M [2], so I don't think it's safe to assume that they would prevent the company from doing obviously unacceptable things.

[1]: https://www.ftc.gov/system/files/documents/cases/1923167zoom...

[2]: https://arstechnica.com/tech-policy/2021/08/zoom-to-pay-85m-...


> I can assure you Zoom is not doing anything that would legally constitute "recording."

No need to use quotes here, that was literally my question :D

> In all US states and probably a lot of countries, recording is illegal without the consent of at least one party to the conversation. In the US, in some states, all parties must consent to recording.

Literally every company that got caught having their assistants record conversations turned around and said the victims were informed and consented through the terms of use agreement.


Is there any reason it couldn't do that at the start of the meeting?

Meeting start -> probe for hardware -> make decision where to host


I hope I’m pointing out the obvious, but the answer to this question doesn’t matter. The real problem is that we’re compelled to run a bunch of software from organizations we, to put it charitably, have no reason to trust.

This situation may exist because it’s inevitable but it still sucks.


The number of android phones in existence is a good evidence on how much most people are concerned about their privacy (very little).


I disagree.

The number of Android phones in existence is evidence of how important it is to have affordable tech.


Indeed. Second, most people don't actually realise how bad it really is.


How bad it really is?


(assuming you are on Android)

Google's algorithm knows you opened your browser. They almost certainly know what page you opened and how long you have been on it [on chromium, everything typed in URL bar is sent to them]. They probably know that you asked the above question.

If it is a cheap android phone (or even if not, if it uses Rockchip chips, if it is a Xiaomi and likely if it is a Oppo) then at least one Chinese corporation, with ties to a very sophisticated gov apparatus knows it as well.

Considering how many permissions they allow each app to receive (esp. on older versions, which are the majority of users) other apps likely know it as well.

I have a Samsung, and there are lots of clues that they know everything I type and a lot of what I say as well.

Probably other actors as well, since a porous pail will leak...


Good burn, the difference between what permission modals say and what Apple and Google allow you to do with the hardware you paid money for is a valid point in 2022.


I think people are mostly concerned with what they can experience. Building on this, these systems make sure that the breach of privacy is experienced in the least amount possible. When something happens that upsets this surface, like Apple suddenly telling people that an app looked at their clipboard, suddenly privacy is cared about again.

Also, look at other things that are made invisible to the people, and when made visible, people react negatively. Treatment of animals in the various industries, treatment of workers in countries where labour is cheap, issues with waste and its environmental effects.


What’s the alternative? Not run software? Run it all in the browser? FOSS only?


I mean... that's not especially unreasonable; FOSS-first is absolutely a reasonable move, and there's a whole discussion upthread about using the browser version or dialing in with an actual phone. Certainly some people are stuck, but many people can absolutely avoid this.


Not run SW is possibly last resort, or not an alternative at all. But selecting, proposing FOSS alternatives, or run it in the browser if possible are two ways of trying to make the situation better.

As others have said, Jitsi is a for many meetings a good FOSS alternative. And if that does not work, use Zoom in the browser.


Run software from vendors who have demonstrated they are trustworthy -- or, at a minimum, actively AVOID software from vendors (like Zoom) who have repeatedly demonstrated that they are NOT worthy of trust.


No alternative if the people you want to reach, or want to be reached by, are available only on a specific, closed platform.

It's a pick your poison type of situation I think. I personally run FOSS where I can, and compartmentalize the environment where I can't but I still want the benefits.


I guess that’s what I’m getting at. Like this is for work, my company has dictated that we do SSO into the desktop app. I was wondering if there was something I was missing besides the browser version.

But for personal use- totally makes sense


> What’s the alternative?

A desktop operating system that comes with a proper security and permission model (i.e. not a standard Linux system). Right now, QubesOS seems like the only candidate here.

I can't believe Android and iOS are now >=15 years old and Linux is still struggling with this.


IME, a lot of people learn about Wayland's security improvements over Xorg and then immediately consider them deal-breakers. Stuff like global hotkeys and shared clipboard access.


MacOS manages to implement all those things while having sandboxing. Though at the expense of many popups (program X wants to do Y) right now. Maybe not the perfect solution either but it is not an unreasonable thing to ask for IMO.


Which is wild to me because my immediate thought upon learning was ok, how long until I can get off Xorg?


Fedora 35 came with Wayland by default, it was so smooth I haven't even noticed :) I only learned about it when I reflexively invoked an x-something tool and it said command not found.


For any service I want to use that has a website, I absolutely use that instead of the app.

I can close it and know it is closed.


Unless PWA fans have their way and succeed perverting browsers into an app platforms, that is.


Hey it's better than electron.


GNU/Linux phones (Librem 5 and Pinephone), but they aren't polished yet.


I would argue this is the exact opposite of what we want to do.

The primary cause of this problem is the conventional desktop OS which has no meaningful security model.

IOS and Android have the correct approach to mitigate this, strong sandboxing and mandatory access control.

GNU/Linux phones bring these problems to mobile, which considering how much of our lives are on these devices, is an absolute disaster.


Here you go: https://qubes-os.org


So I actually use this as my daily driver, but I think it illustrates the point quite well.

The only way to meaningfully secure a GNU/Linux desktop is to run multiple instances of it through a type-1 hypervisor.

For a mobile device, a user prioritizing privacy, security and FOSS would be much better served by GrapheneOS.


Brave talk seems browser based.


The real problem is not that we have to run the software, it is that we run it on devices that usually store a huge fraction of our personal life, and which we rely on every day to run our lives.


I really think we need a physical microphone shut up switch similar to that we have for webcam shutter available in most laptops now to prevent this kind of intruding stupidity.


Or maybe we shouldn't run spywares on our devices and stick to FLOSS? I know, that's not very 2022...


Open Source software is not immune to backdoors, and can also be hacked. I am afraid simple solutions such as “use only trusted software” just are not good enough in 2022.

We need defence in depth, and a physical switch would be one of the best protection mechanism.

Just like developers learnt the hard way that user input should not be trusted, users need to realise that software should not be trusted either.


It’s also fundamentally not possible for the vast majority of people, and I think you know that.

So all you are doing is making the rest of the community look bad, by essentially doing zealot preaching: you’re telling the people who don’t have a choice that they’re stupid for not doing exactly what you do.


Why is it about "the people" doing something? I am not making a choice to use zoom, my employer does. And for my employer it would totally be possible to setup jitsi/blue button/whatever instead.

Similarly, if I attend a virtual meeting elsewhere those people choose what software to host it with.

So feel free to "preach" to companies instead of people.


Which meeting software doesn't support web nowadays? I think even Zoom does it once you break through their dark patterns.


Signal is open source and has reproducible builds.


Yes, and that's cool. Signal is an awesome piece of software but not a competitor in many of Zoom markets.

If you are a student at a university using zoom then there's no other realistic way to participate and learn today. I also can't imagine many employers makng an exception for a single employee.


Except signal doesn’t have conference room hardware and has low group size limits, so doesn’t solve the problems that zoom, webex, etc solve.

I’m also going to get that while bullshit (I trust signal’s crypto a hell of a lot more than more or less any other company) I would bet they don’t have some arbitrary set of certificates or whatever for doctors to be able to use them


It's not a physical switch but MS Powertoys have a system wide mic and camera toggle UI now. https://docs.microsoft.com/en-us/windows/powertoys/video-con... For 90s kids, the Powertoys name should bring back fond memories. My only gripe is that instead of 'Microphone On' it should say 'Microphone is On' - I always forget if it's indicating the state or indicating it will go to that state if I press it. I'm 90% sure it's the former as I type this


Here you go: https://puri.sm/products/librem-14.


Have you heard about Phantom Power?

Good thing! Yields superior audio quality (because it means there is a powered pre-amp right next to the microphone's recording point) and allows to physically turn off microphones.

https://en.wikipedia.org/wiki/Phantom_power


If you are using a USB microphone (and/or webcam), you can effectively do that with one of these:

4-Port USB 3.0 Hub Power Switches https://www.amazon.com/gp/product/B00TPMEOYM


Or simply by unplugging the mike?


At which point the system will helpfully switch to the built-in mic.


As it might/probably will happen by turning off the USB port.


I can disable the on-board sound card in the BIOS settings on my Thinkpad (T440p), so unplugging the USB headset should do the trick (but then there's no music either).


I do something similar but it doesn't help me with the built in microphone in the laptop. I'd have to disassemble the bezel and possibly snip a wire. It's much easier to Macgyver disable a webcam than a Microphone, even if you've got one of those webcams that can see through plastic with infrared. Best I can do so far is disable the device in device manager.

Although I wonder if the bios on this HP let's you disable it...


This. I do my work on a clamshell laptop, got a similar gadget (bus powered, with LED indicators) when I got an external webcam.

Windows/browser permissions don't have device level granularity AFAICT, so I can't allow access to only an external cam/mic, but I can disable the internal ones in the OS for full tinfoil hat compliance.

Most importantly off is actually off when a button cuts the power.


"Resolved an issue regarding the microphone light indicator being triggered when not in a meeting on macOS Monterrey"

"You fixed it so that it doesn't switch the microphone on at all, not just stopping the light coming on, right?"

"Right?"

(Yay! Memes in text form!)


Is this possible in MacOS? I thought it was controlled at the kernel and hardware level to prevent user space software from secretly listening/looking?


Someone hacked together a quick program to hide the orange dot a few months ago. The intent was to use it when music professionals have a secondary display with acoustics / live show going, but there’s no reason other app developers can’t apply a similar technique.

https://github.com/s4y/undot


Seems like that only works in full screen mode though


There's this but it requires starting in recovery mode:

https://github.com/cormiertyshawn895/RecordingIndicatorUtili...


There is a problem with quality at Zoom. My day to day job involves dealing with servers and valuable data, I already made it clear that I can’t use the zoom app for safety concerns. That being said, I don’t believe zoom has malicious goals, they are just not very security minded (or knowledgeable). I believe they like to take shortcuts that put your machine, data and privacy at risk


> That being said, I don’t believe zoom has malicious goals

How many "mistakes" do they have to make before you reconsider? They lied to their users for years that their software was end to end encrypted. They sent user's data along with their keys through servers in China. They rolled out their own encryption system, lied about what algorithms they were using, and the encryption they were actually using had well known weaknesses. If they aren't outright malicious they've somehow managed to maintain a level of incompetence that's just as harmful.


The latest is the point I'm trying to make, they are too reckless and profit driven to be trusted.


That's an odd way of saying Chinese state actor.


Can you use browser? I’ve used zoom once, I just launched it in browser and that’s about it. Browser is a godsend when it comes to sketchy apps that I’m forced to use.


I'm using the browser when my zoom is the only option, otherwise I try to use alternative web solution. Zoom on the web-browser is fine but I always recommend using an alternative where user safety and transparency is a priority.


Can you now see multiple in the browser? IIRC, that was a limitation at some point.


For some reason, not in Firefox, I don't know why, other apps like Jitsi does it any without trouble.

In Chromium/Chrome it does but limited to 9 people.


> they are just not very security minded (or knowledgeable)

I argue that they are definitely knowledgeable and capable of security. The nuance is they care about their own security, not the users'.

Case in point: Their MacOS installer abuses the pre-installation step to fake a System prompt to obtain root, very much like malware. Before you actually click install, it's already done [1].

In this case it was merely a shortcut to reduce the number of clicks to install, but it clearly betrays their disregard for user control & security.

[1] https://www.digitaltrends.com/computing/zoom-mac-one-click-i...

* SEO Bonus: I couldn't find this article on Google no matter what I queried for. But DuckDuckGo found it on my first attempt.

Guess abusing SEO to hide negative press is among their tactics as well.


A solution is only as safe as the most reckless and less knowledgeable person with root access they employ. I'm convinced they have lots of knowledgeable people, but they proved over and again that they also have many bad apples cutting corners and putting everyone at risk.


I think this might have been true in the past, but I don't think it is true any longer. Zoom grew at a wild pace during the early days of the pandemic, and with that came security issues. However, they recognised that and invested into security.

I have previously reported bugs to Google, including one where they simply didn't put any auth on an API endpoint for a new feature, allowing access to any account's data. That is a massive oversight, but at Google scale we realise these things happen, and the more important consideration is how companies respond.

Zoom have a private bug bounty program, but I previously disclosed Zoom bugs publicly [1] as I didn't think their bug bounty program was worthwhile engaging with.

However, they overhauled it, and now of the dozens of private programs I am part of, Zoom's is one of the absolute best. The payouts are great, the team actively engages with the researchers, and seem to legitimately care about getting things right.

Are they perfect? Of course not. But I would feel safer on a Zoom call that call with many competitors who simply don't get as much scrutiny.

[1] https://www.tomanthony.co.uk/blog/zoom-security-exploit-crac...


Don't use the Zoom app. Load meetings in an incognito/private/whatever browser window, and cancel the automatic download it prompts you with, then click Join In Browser.

Nothing about this company's attitude towards privacy has changed in years.


I wrote a small browser extension to transparently redirect you so you don't have to cancel the download and click "Join in Browser":

Chrome: https://chrome.google.com/webstore/detail/zoom-redirector/fm...

Firefox: https://addons.mozilla.org/en-US/firefox/addon/zoom-redirect...

Edge: https://microsoftedge.microsoft.com/addons/detail/dkhjempaia...

Opera: https://addons.opera.com/en/extensions/details/zoom-redirect...

Source: https://github.com/arkadiyt/zoom-redirector


Thank you. And thank you for making it open source.

Concerning this line: https://github.com/arkadiyt/zoom-redirector/blob/master/back... Why is it sometimes returning undefined? (or is that known)?

Cheers!


> Thank you. And thank you for making it open source.

Sure thing. All browser extension source code is available to you anyhow, even if the author doesn't publish it.

> Why is it sometimes returning undefined?

Looks like a simple bug as some folks below have pointed out. It doesn't impact the functionality of the extension in any way here.


Not the developer but nice catch. const match would be null, not undefined, if the regex search does not match, right?


In a browser console:

> const match = /^\/[js]\/(\d+)\/?$/.exec("something")

> undefined


The assignment to match returns undefined. The value of match is null.


To be pedantic the assignment returns null (always returns the rvalue[1]), it's the const statement that produces undefined[2]

[1] https://tc39.es/ecma262/multipage/ecmascript-language-statem... [2] https://tc39.es/ecma262/multipage/ecmascript-language-statem...


And to be even more pedantic, the function works because it is applied on an event listener... When null[1] is evaluated (in the right side of the || of the conditional), it produces a TypeError... which in effect (due to no catch and evaluation continuing in a parent/event-driven scope) is essentially equivalent to an empty return in this specific context.

What fun! :-)

Edit: apparently as also mentioned https://news.ycombinator.com/item?id=30268412


Run just /^\/[js]\/(\d+)\/?$/.exec("something") in the console


A function returns undefined if any value was not returned.


True generally, but irrelevant here: the function in question is RegExp.prototype.match. By definition, it never returns undefined, but only an array or null. The only way `match == undefined` could be true would be if smething had overridden RegExp.prototype.match, which would be… surprising and worthy of explicit note.

Also match[1] will never be undefined: it’ll either throw an exception, or be a string. No, this is just a bug, a poorly written guard that fails to guard what it was supposed to, and I suppose an exception is just silently swallowed and treated equivalently to the intended early return. But the clause should be changed to just `if (!match) return;` or similar.


Quick heads up you may want to update that to be === rather than ==, because of course JS is wonderful and null does == undefined (not a nerd snipe, I was just confused by your comment and went and looked at the code, and realized it was likely a typo :) )


Yeah, unfortunate typo, thanks for the correction. I spend most of my time writing Rust, and when I’m writing JavaScript I type !== and === naturally, but I think writing this comment I just didn’t quite switch into JavaScript mode.


Thanks for writing this - I've been using this for ages, and it's a recommended install for everyone at our company.


Missing only Safari, my browser of choice


Safari supports neither webRequestBlocking (for manifest v2 extensions) nor manifest v3 extensions. If they add support for either option then I can publish a Safari extension too.


Sign up for the Orion beta; it’s uses the Safari rendering engine and supports manifest v3 extensions


Wonderful! Thank you. Only if there was a way to do the same on iOS.


I use zoom in the browser, and this my experience every time:

1. On first opening the link, a browser confirmation window immediately asks me for permission to launch the app. I press "Cancel".

2. There is no option to join from my browser. But, there is a big blue button that says "Launch Meeting". I press it.

3. Again, the confirmation window from (1.) is raised. I press "Cancel".

4. Choosing to cancel a second time causes a visibility toggle for a small link on the bottom of the page (hidden beneath the giant blue button) that says, "Having issues with Zoom Client? Join from Your Browser".

Anti-patterns out the wazoo!


The browser client is missing (or was recently) the “grid view,” which is very important for my use. So I won’t be leaving the desktop app anytime soon, despite my attempts :)


Zoom enables grid view in Chrome, just not in Firefox.

Everything else seems to work fine in both.


Audio on Firefox on Linux does not work well for me (mics not working)

On Chromium, sometimes video/screenshare is not visible for me, only black screen.

Often there is no choice but use the app… sadly.


If I wrote the same HN article but said Cisco Webex would you say the same thing?

Despite them doing the same thing.


Go for Jitsi. It's privacy conscious and has really good video quality. It seems to favour frame rate over resolution which doesn't look as glossy but the smooth video makes it much easier to pick up small gestures and facial expressions than the others like Teams and WebEx.

I use teams a lot for work and Jitsi with the makerspace crowd and Jitsi is just so much better imo..


+1 for Jitsi as an underrated, high-quality, free service


Jitsi is a winner, especially with non-techy people. Literally just click a link and you're in.


Ya. I don't install Zoom, Skype, Microsoft__, Cisco__, Dell__, etc.


You could’ve just rephrased this to “don’t work anywhere during the pandemic”. Seriously, most people have very little choice in what they can install.


WebEx and Skype also have web browser versions. I don't know about the other ones. But you can generally use these apps without having to run an executable or install anything.


I’ve worked remotely for years. Refuse to install these apps on my computer. If someone requires a meeting with an app-only interface, I dial in. Otherwise, I run Zoom on an iPad.


I don't really care that much about the privacy of what I install on my work computer. That's their business, as long as I can turn the computer off when my work day is over. It's more of a concern for my own machine.


Sandbox it, or get a hardware mute for your device if you don't have a choice.


I’ve worked remotely for years. Slack and Zoom work fine in a browser.


My practice is that if I'm paid, I'll use company software. In the real world (my own time)... not a chance


Microsoft Teams does the same thing on Linux, so yeah.


Yes?


Definitely, who cares what company makes it !


Uninstalled. Thank you.


But they bought keybase ... smirk

RIP a trustable keybase.


There's people who don't use BitWarden? :D


Is it safe to just use the Zoom iOS app, since it's way more locked down?


That’s my approach, anyway. I trust iOS’ sandboxing a bit more than a desktop OS. At least they can’t do things like installing a web server or reading files I’d like to keep private.


Yeah the British Govt with collusion of the so called free British press were pushing it when everyone was forced to go into lockdown and work from home because of covid.

Massive GCHQ data grab!


What is your source for this?


Two crimes dont make a right!


You can also join using a standard SIP client.


https://support.zoom.us/hc/en-us/articles/201363273-Using-th...


With video and screen sharing ?


Video, yes. Haven't tried (nor needed to) screen sharing.

Apparently H.323 works too, but I haven't tried that either --- just noticed the "dial this IP to join via H323/SIP" at the bottom of the invites and did so.


Nice ! Thank you ! I’ll try this


Or just don't leave it running all the time. Not sure why anyone would, it's not like it's hard to exit or start up. Personally I run mine using firejail instead of the browser as I didn't have much luck with the browser version when I first needed it (work) a few years back... though that is likely better by now.


Leaving it open means that when you click on a Zoom link, the app opens much quicker and you are already logged in. But yeah, not worth the privacy hit.


We use single sign on with Zoom so I never have to login and it takes <1sec to start on my laptop. But even contained using firejail I wouldn't want it running all the time.


Some companies use Zoom for chat and phone lines, in addition to meetings, so not a lot of choice in that situation


First I've heard of that but it makes sense.


No background and filters in the web version.


Almost certainly just a bug with closing the audio session. It doesn’t seem to always be listening but sometimes after a meeting it stays on for whatever reason. If it’s not already fixed then I’m sure it will be soon…


That's a very charitable interpretation, and I like your optimism!


Having worked on similar software in the past, I wouldn't be surprised if this is the actual reason. Especially since the microphone indicator is a relatively new addition to the system, they might just have never realized that they're not closing the device properly and now that it becomes obvious, it might not be so trivial to fix the code.


A tickbox in settings, "don't keep mic enabled"?

I can't see how it can be that hard to just close the mic device when you go off a call.


That's easy to say when you don't know what other things may be bound to that code. As said, I have worked on similar stuff before, and was in a very similar situation where an audio device was kept open for longer than necessary, but "simply closing the device" would have broken many other things that depended on the audio device. Fixing it involved logic changes and refactoring. Sure it wasn't impossible, but it was not exactly as trivial as adding a new checkbox either.


This is also my take on this issue. The company just wants to monetize on remote meeting and has no malicious intention on user privacy, but they just mess up the security from time to time. It is not sound that selling user data can make them better off.

Another infamous example is proctoru. Literally a spyware, but delivering a spyware requires much less effort (both intellectually and financially) compared to designing a product that makes security-savy customers happy.


It definitely seems way more innocuous than the conclusions being jumped to in this thread. A simple packet sniff would be an easy test in this situation, and since nobody is even claiming that data is being transmitted, it's quite a leap to assume that they're listening to everyone with nefarious intent.


I know this might be unpopular, but, I don't know, you could just QUIT the app? Obviously, there's a bigger issue here if Zoom is listening in when we don't want them to. But, the number of comments providing workarounds just leaves me thinking: why don't you just quit the app? Immediate problem solved. Long-term problem not solved.


Zoom is not just simply a meeting app, it has chat function and integrated apps too. People who don’t use Zoom just for meeting purpose might find the situation uncomfortable.


That's a great point.


The issue is that Zoom continues to keep the mic open after you quit the App. They blamed it on a bug and said it was fixed in a new version but it's still happening! This is why doing this in the browser would be better or even adding an App Firewall like OverSight to block access to the external devices.


Kudos to Apple for empowering users with necessary tools to detect such user-hostile behavior.


Out of all the apps I have used for meetings, I've had the best experience with Zoom. But the privacy aspect always concerns me. What's the best alternative today?


https://meet.jit.si has a similar drop in like experience, where no accounts are required, which I believe is in part the reason Zoom was popular in the beginning.


I was curious, so looked at their paid offering[0]. I couldn't find their prices without making an account. Bad sign imo, but the free offering seems sufficient.

[0]: https://8x8.vc


I think what you're looking looking for is here https://jaas.8x8.vc, which states their pricing for the enterprise offering of Jitsi Meet.


Thanks. I have used this before for a 1-1 and it was decent. Not sure how it scales when there are 20 participants; something Zoom was good with. Any experience?


https://whereby.com


It does that on Linux, too. Likes to mess with PulseAudio settings when you're not looking.


Same as Teams. Once you leave a meeting it keeps listening until you restart.


Teams also likes to mess with the system-level audio device configuration, which just obnoxious. I had to block this for all apps to prevent it randomly changing my volume.


Could you detail how you block apps adjusting the device volume? I'm utterly fed up with Zoom changing the volume to 100% for everything except itself.


Navigate to the "old-school" device properties screen (not the shiny new Windows 10/11 version). Untick the checkbox "Allow applications to take exclusive control of this device" under the Advanced tab.

Exclusive mode is a bit like full-screen for GPUs. DirectX games can do things like override the output color management, gamma ramps, brightness, HDR mode, and even set the "white point" on some displays! Similarly, audio applications can take control of your audio devices in all sorts of ways if permitted.

While "full control" of a GPU is still useful, because we're not living in a utopia where all displays are 12-bit HDR all the time, audio has long ago passed the point where direct control delivers tangible benefits. Software mixing is more than capable of "keeping up" even with an absurd number of simultaneous streams at a quality level that vastly exceeds what the human ear can perceive.

I found that with Teams, it's more important to turn off direct control of the microphone than the speakers, but I do both just to be on the safe side...


Hang on, I thought we were talking about Linux here.


I've never experienced this on Ubuntu 20.04 (and similarly not had any of the experiences mentioned in other child comments).

The only pulse audio annoyance happening here is pulse audio itself assuming all my 3.5mm jack headphones have a microphone.


I find `sudo killall -9 zoom` seems to work to stop this. That may be overkill but was just the first thing to occur to me. But I'll probably just sandbox it into my windows VM whenever I bother to set up passthrough on my camera.


if you've managed to make it thru an entire meeting without crashing or freezing system w/ 100% cpu on linux you're doing better than me.


I don't get crashing except when I go to share a window and then cancel it without sharing anything.

The biggest problem for me is having multicolored noise covering most of the Zoom windows/controls when I'm sharing a window.

Also, it takes like ten seconds to share or stop sharing a window.


Yes the best way to detect if zoom is up to no good on Linux is to listen to my fan or check if my battery is draining unusually fast. Same for Discord.


Why do people use the zoom app on linux? It works fine in the browser, where it is forced to behave itself.


Idk, does the browser do screen sharing now? It didn't last time I used it but I haven't for a minute so I'm not sure if they fixed that.

I have a wrapper script that installs, starts the meeting then uninstalls because unfortunately people use it and sometimes I need to contact them.


Virtual background doesn't work in the browser.


Gallery view doesn't work in Firefox the last time I checked.


Same with skype here


I note the blog post relates to MacOS.

I regrettably had to install Zoom on my Mac because so many people use the service.

However the Mac makes it an easy process to block microphone and camera access. So when I don't have any Zoom meetings scheduled imminently, I just go to System Preferences -> Privacy Settings and kill off Zoom's access there. Only takes, what 5-10 seconds. I guess I could even script it via AppleScript (or potentially CLI), but have never had the time to investigate.

One of the best things about Apple MacOS and Apple iOS is the centralised privacy settings that make it easy to see what has access and easy to turn it off.


You can use this to show the privacy settings.

  tell application "System Preferences"
    set securityPane to pane id "com.apple.preference.security"
    tell securityPane to reveal anchor "Privacy_Microphone"
    activate
  end tell


Buy an extra cheap device to run crap like zoom. Mobile tends to be better as well.


Here is a great bit of software from a guy I trust... https://objective-see.com/products/oversight.html


I use stuff like Zoom or Bluejeans maybe once a month. So I don't keep it installed. Instead, I just open a terminal and install it using Homebrew with the following commands:

  % brew install zoom
When done, eradicate all traces with the zap option:

  % brew uninstall -z zoom
It's pretty wonderful, IMHO.


This is the kind of context where Docker would be useful, I don't know if it can be used for something like Zoom.

Docker images, by design, don't anything while not running. So you wouldn't even have to uninstall it. Just stopping it guarantees it does nothing.


old job used zoom, didn't trust it from the get-go (didn't even know who was behind it), just that software that provides extremely granular controls to admins gives me the heebeejeebies in general, my workflow was:

open zoom, join a meeting, then pkill -9 zoom when done. Didn't trust having it around.


Check if it registers to run on reboot.


I use i3wm, as far as i know it didn't used to unless it installs itself as a daemon


For the sake of argument, let's assume this is intentional. What would be the point of doing this? Capturing millions of random people's background sound, in the hopes of landing some "big fish", to provide/sell that audio to the Chinese government?


Aggregate keyword data to sell to advertisers and hedge funds. Same thing pretty much every smart device does.


I'm a big fan of bashing corporate for things like this, but smart devices haven't been proven to do this, yet. We had a myriad ways of tracking enabled by these devices, but voice, and its mining for data, is off the list for now. Attractive target though, for sure.


Source?


It's like LastPass or GitHub Copilot collecting private data. It just goes against their business model to violate privacy. I'd be a lot more suspicious if it's Meta/Facebook, because it's directly part of their business model.


The problem is that not every business is fully transparent about their business models nor we don’t know which state level actor is sometimes behind the ”accidental” data collection.


Do we have any examples so far of a state-level actor using data that was "accidentally" collected from users?


You're asking a silly question. States use data indiscriminately, whether it was "accidentally" gathered or not. Ultimately, it's not really accidentally gathered. There is pressure to over-collect.


Technically it is illegal at least in the U.S. to pressure for overcollecting the data. That is why I used the word ”accidentally”. However, in reality some companies might think in the end that it was their own idea.


they have a massive free tier that has yet to be monetized

ads targeted to users based on conversations within ear shot of an always listening device sounds like a big money maker to me

although I don't use zoom, something(s) is already doing this on my phone as I get targeted ads based on conversations I have, routinely ( typically within 45 mins) despite taking many precautions... some technology is already out there in production


Background noise can be used to identify location and device association.


Perhaps they've been 'compelled' by the US Government to capture: 1: as much data as possible from their users. 2: recordings from specific users, but in order to hide their intentions, it's a universal "feature"


Took a look at my zoom.app locally installed on just my user (thankfully), and found some interesting things in the plist...

EDIT: This formatting sucks, how does HN not have markdown fenced codeblocks? Anyway, here's less fail formatting:

https://pastebin.com/WiRpWs61

``` <key>SMPrivilegedExecutables</key> <dict> <key>us.zoom.ZoomDaemon</key> <string>identifier &quot;us.zoom.ZoomDaemon&quot; and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3 and certificate leaf[subject.CN] = &quot;Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)&quot;</string> <key>us.zoom.ZMSipLocationHelper</key> <string>identifier &quot;us.zoom.ZMSipLocationHelper&quot; and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3 and certificate leaf[subject.CN] = &quot;Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)&quot;</string> </dict> </dict> </plist> ```

That's `~/Applications/zoom.us.app/Contents/Resources/Zoom-Info.plist`, last few lines of the file.

Even though I didn't install it with admin permissions, it's at least trying to slip that shady shit in under the radar. No idea if it succeeded or not, need to do some deep analysis to find out, but probably the simplest/surest fix is to nuke the entire filesystem and rebuild my macos installation from scratch. Done it before many a time, easy enough, just a laborious pain.

Never again, Zoom. Never again.

(Same goes for Teams, and basically anything that isn't browser-based, by the way. Assumption of human rights violations is now the default.)

I don't care if this is just a "harmless bug" or an accident. Too many attempts at shady shit have been glossed over in the name of forgiving an honest mistake. Not anymore. I'm done.


> This formatting sucks, how does HN not have markdown fenced codeblocks?

Code blocks are made by indenting by four spaces, like this:

    <!-- last few lines of ~/Applications/zoom.us.app/Contents/Resources/Zoom-Info.plist -->
    <key>SMPrivilegedExecutables</key>
    <dict>
      <key>us.zoom.ZoomDaemon</key>
      <string>identifier &quot;us.zoom.ZoomDaemon&quot; and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3 and certificate leaf[subject.CN] = &quot;Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)&quot;</string>
      <key>us.zoom.ZMSipLocationHelper</key>
      <string>identifier &quot;us.zoom.ZMSipLocationHelper&quot; and anchor apple generic and certificate leaf[subject.OU] = BJ4HAAB9B3 and certificate leaf[subject.CN] = &quot;Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)&quot;</string>
    </dict>
    </dict>
    </plist>


Actually two spaces.

Of course four or more work as well, but they add extra indentation that you don't need.


Not sure what you're expecting here. Do you want their installer to, depending on where it's installing Zoom, be able to 1) directly modify files inside the app bundle, or 2) install an entirely different app bundle?


What does this mean / what could it done? (Never used macOS, I think it is related to that?)


I reported a similar issue to Zoom on April 9, 2020 and did not receive a reply. I did not test to see if it has been fixed since.

The issue: While watching Zoom webinars on Mac, clicking on Audio Settings auto-activated the mic for testing audio levels. However, Zoom forgot to deactivate it upon leaving the settings. For the rest of the webinar, the input device stayed activated in the background (as evidenced by OverSight and Micro Snitch). I could not find a way to deactivate it.

This issue is similar to one that affected Shazam: "Shazam Keeps Your Mac’s Microphone Always On, Even When You Turn It Off" https://www.vice.com/en_us/article/8q8ee3/shazam-keeps-your-....


Haven't seen this myself, but it's such a battery-murdering app.

I can view full-HD video without the fan even making a sigh, but joining a Zoom meeting and turning off everything except incoming audio makes the fan scream.

What's going on? Is that app doing crypto-mining in the background?


I got Micro Snitch [1] as part of a bundle with Little Snitch years ago and have just had it running for cases like this. I'm fortunate to not have run into this issue, but I like the peace of mind of knowing exactly if I do.

[1]: https://obdev.at/products/microsnitch/index.html


OverSight [1] is even better because it can identify the process that is accessing the webcam/mic, as well as any additional processes trying to invisibly piggyback on legit webcam/mic usage.

1. https://objective-see.com/products/oversight.html


That's a nice addition, I use ReiKey and KnockKnock. Patrick makes good stuff.


>Little Snitch

Just FYI, Little Snitch resolves the DNS request (to IP) while the dialogue is onscreen (i.e. before you click `DENY` or `ALLOW`, a DNS query has already been sent).

All Little Snitch does is prevent the connection to the IP address, but your DNS host (e.g. ISP) knows what URL(s) you are requesting, even if/when you click `DENY`.


That's good to know. I don't use my ISP's DNS and so I have inherently a little less concern about the query itself. My biggest concern for having Little Snitch is the data/connection itself.


Why is that a problem?


Recording DNS queries is a long standing method of spying on end users that ISPs and governments have at their disposal. In the US we have a constitutional amendment about how it's supposed to be illegal for law enforcement to mess with people not suspected of a crime - the fourth amendment. They don't really respect that rule at all, so it's in everyone's best interest not to give them metadata when it's avoidable.


Reminds one of "Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth" [0].

[0] https://www.privateinternetaccess.com/blog/google-chrome-lis...


Curious as to why the knee jerk privacy reactions to Zoom doing this when other video conf tools like Cisco does the same.

What about phones and other devices that respond to voice commands that are also constantly listening?

There is no such thing as privacy. Only the trust that you have in companies to not abuse the data that is collected of you, or you go completely off grid


I use Shush for Mac to keep my microphone off at a system level unless I press a button (push to talk): https://mizage.com/shush/

It makes me much more comfortable in the age of WFH. I never know when someone or something might be listening.


For mac, I use little snitch to block all unwanted outgoing streaming include connection to Apple. It is kind of weird that some app keeps connecting to somewhere when I don't need it. The outcome is that some apps might be buggy. For example, Chrome would randomly crash with error code 11 which might be the failure of connecting to their auto-updating server. Vscode might crash with error code 5 also, but I'm not sure if it comes from the network blocking or not.


Force quit out of zoom every time I'm not in a meeting


Kind of a tangent, but is anyone else pissed off that Android doesn't offer a way to simply disable the microphone system-wide? It could be toggled in the notification bar in the same way that Wifi, Bluetooth, etc. can today.

I have to use Zoom lately, and my solution is an old Android tablet that I don't use for anything else. I opened it up and physically disabled the built-in microphone. I use a headset for meetings, and simply disconnect it from the tablet when the meeting is over.


Since Zoom installed an web server running in the background on my Mac, they get zero trust from me. I only install it on iOS/iPadOS devices and uninstall when I am done. https://techcrunch.com/2019/07/10/apple-silent-update-zoom-a...


Starting stopping the mic is expensive (CPU and time wise). I think it's for a more responsive experience, or they just don't care about starting/stopping sessions.

After all, anyone noticing (or caring) that mic on indicator is probably <1%, and I'm obviously talking about the general public, not HN community.


WebEx (even in the browser) stars and stops the mic every time you mute and unmute and it works fine. There is no technical blocker.


I never said there's a blocker. The convenience (both from UX and DX) is probably just higher to outweigh the privacy-alarm-bells for most of the community to keep things as they are.


Pretty sure this is similar to how other web conferencing software detects compatible conferencing hardware via sound (out of our range). It's actually common and surprisingly effective method to communicate without Bluetooth, Wi-Fi, etc. Reminded me of those hacking stories you hear about jumping air gaps :)


It is way past time to rethink our end-user computing devices to assume zero trust (the way browsers have to), without passing the ball back to the user in form of "access grant prompts" which everyone under the sun reads as "click ok if you want to be able to run this app" anyways.


my bluetooth headphone has a physical mute button. but it's a button, not a switch, so when you press the button, it will announce to you that "mic is off" and then start to beep every 5s to keep reminding you that the mic is off, until you press the button again to unmute it.

but that only works when the device (computer) actually requests mic data. e.g. if I just connect it to listen to music, press the button will not do anything. if I'm in a google meet meeting and I muted myself in google meet, press the button will also do nothing.

but if I'm in a zoom meeting (via browser, I don't allow their apps anywhere near me), even if I have myself muted in zoom, press the button will still have the announcement, which means even if I'm "muted" on zoom, zoom still keeps requesting my mic data.


I can confirm I have noticed this so many times and decided to keep the Zoom app closed while not in a meeting.


I think this is a recent problem - I've only seen this occurring in the last month or so, I think.


Fake features that abuse my privacy is why I hard close the app when I’m not using it.


Only semi-related: March 30 deadline to opt into (or out of) the Zoom Class Action settlement:

https://www.zoommeetingsclassaction.com


there's something painfully ironic about the final hearing being hosted on "zoomgov.com"


I have this problem with skype on Windows. It is not constant but sometimes after I talk to someone it still listens to mike. My mike however has mechanical switch and the camera has cover.


This might be why my wireless headphones drop to the shitty 1kbps audio codec sometimes after Zoom meetings. They switch back when I close the Zoom application.


Hah! What a way to word this!

>Resolved Issues

> Resolved an issue regarding the microphone light indicator being triggered when not in a meeting on macOS Monterrey


If you're mute and start talking (or even if you just clear your throat), the Zoom app shows a pop-up that reminds you that you're muted. I can see why this feature may be useful for many people. Sometimes it's easy to forget that many people don't know how to use the most basic apps.

Conceptually, it's similar to Apple always listening for "Hey Siri".

But the huge difference between these two cases is that most people will probably trust Apple more than Zoom, which is understandable.


If the app is in the foreground or I am in a meeting, Zoom can have my microphone. Anything beyond that is just absurd.


That’s worrying. I’m glad I have a keybinding for an Alfred shortcut that SIGKILLs Zoom, OBS and the virtualcam plug-in in one shot


Good thing I only run a usb mic and unplug it when not in use…

Uninstalling Zoom. Team discussion on dumping zoom for the whole company to come.


An other good question: why is dropbox scanning abd opening files outside of the dropbox folder?


BTW, Zoom doesn't allow me to delete my credit card even I have canceled all zoom service


Why run the Zoom app at all? It works perfectly well in a browser.


That is the reason i LOVE phantom powered microphones.


Who runs the thick Zoom client?!

Surely people know better by now.


This is a bug and it's fixed. Just update.


Updated or obfuscated?


Great Support, no response…


Sounds like malware to me.


FYI, Zoom is found by a Chinese.

You can choose whether to trust the company or not, but I don't.


I would never use the zoom app. No way that Chinese asset is touching my system.


ultrasonic for sharing instantiation


sharing instantiation (ultrasonic)


> Resolved an issue regarding the microphone light indicator being triggered when not in a meeting on macOS Monterrey

Haha, a problem with the light staying lit, not with the mic staying on. Riiiiiiggggght.


It's the same for webex sensing compatible devices via ultrasound.


[flagged]


This is correct.

Zoom is malware from what is effectively a CCP controlled company.


No this is because the profit incentive demands new features regardless of the privacy violations of the customer. China's faults are the same we have, out of control capitalism causing social harm, workers abuse, and violating customers.

This feature, and one used by many other conference companies, is for proximity detection of zoom rooms. Other implementations are bluetooth beaconing, but ultrasound is reliable and BT is often disabled by corporate security due to all the vulnerabilities it has and are constantly being discovered for.

Meanwhile the NSA has meetings where powerpoints titled "I hunt sysadmins" are a normal thing. And where your Cisco is intercepted, hacked, and shipped to you. Or where the previous president offers pardons to criminals doing his bidding and culminates with an attempt to murder Democratic senators to stay in power at the capitol on 1/6. I don't think you want to play "my country good, other country bad" unless you want to be corrected.


He didn't say "my country good", only "other country bad".


He's not even saying China is bad. He's related two things that people tend to like or hate simultaneously.


> China's faults are the same we have, out of control capitalism causing social harm, workers abuse, and violating customers.

China also has an unelected government with a dictator for life that arrests people for exercising free speech, commits genocide, threatens its neighbors, etc. It's not the same, though the CCP loves to say it is! Yes, there are flaws in the US, but that doesn't make it the same!

> I don't think you want to play "my country good, other country bad" unless you want to be corrected.

"corrected"?!


Probably a Chinese shill (wumao), just ignore them.


It's to enable the feature where it warns you to turn it on when you're speaking but your mic is off. That's the most obvious observable answer.


When not in a meeting?




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: