I'll pass on your zoom call

(operand.online)

60 points | by c4lliope 5 hours ago

18 comments

  • raw_anon_1111 3 hours ago
    So at one point Zoom surreptitiously installed a web server on the Mac causing a security vulnerability

    https://appleinsider.com/articles/19/07/10/apple-removes-zoo...

  • ghgr 25 minutes ago
    > If there's one that I really need to be on, I'm going to spin up a VM on my computer so that it has no idea of the other files laying around, such as my ~/passcodes.csv. If you are such a negligent bullhead as to get me onto your call, you'll be unable to see me because my VM cannot access my camera! By design! Same for my microphone, so I'll plug in a USB mic if I really need to speak up. More likely than not though, I'm exhausted by now. I'll spend the full duration of the call eking a small echo of pleasure from the continuation of this rambling alarm, for your sheepish audience to rub their enablist shame in.

    This is written in an edgy tone but it's pretty much SOP with QubesOS. Why would you install _anything_ in your main VM? Not just Zoom, but anything you import in a deep dependency graph can access your figurative ~/passcodes.csv anyway.

  • Neywiny 4 hours ago
    You can run zoom in the browser. At least you could some years ago. Encryption is relevant depending on what you're doing but not everything needs to be super secret. A common practice is to email or use secure file shares while on the call to maintain that security.
    • neilv 4 hours ago
      You can still. There's a small dark pattern to discourage it, though. You go to the URL for the call, click the button to launch the app, and when that fails, you see a small link to do the call in the Web browser.
      • QuantumNomad_ 3 hours ago
        I already have Zoom installed on the work computer but for some reason it has started doing this weird thing where every time I click a Zoom meeting link in Google Calendar, Google Chrome downloads a copy of the Zoom installer at the same time as it opens the already installed Zoom. I didn’t notice until I already had six recently downloaded copies of the installer in the Downloads folder.

        No idea why this happens. But it’s probably part of the crappy pushiness of Zoom to get people to install their app that makes them trigger a download of the installer because either they are not detecting that Zoom is already installed at the right time, or they are so eager to download the installer that they don’t even care about whether or not you already have it installed.

        I’ve disliked Zoom since the beginning for their antics, and the only reason I have it installed is because I have to for the meetings at work, and the work computer belongs to the company I work for anyway, not to me.

        I would never install Zoom on my own computer.

      • jmathai 3 hours ago
        Small? Gawd, I hate doing that for every single Zoom call I have to join.
      • iammrpayments 2 hours ago
        I had to do it once and it is extremely difficult, I don’t remember the details but I think you have to do dozens of extra steps on your account configuration and it won’t work on your phone unless you request the desktop version of the website.
        • IG_Semmelweiss 2 hours ago
          I'm used to it by now.

          Click on the meeting, where you will land on a download landing page. Then click the big download blue button in the center of the screen. When you click it, a link will appear in the 2nd row below the blue button, something like "continue from browser"; click on that, and you are golden.

      • IG_Semmelweiss 2 hours ago
        Every once in a while, someone will ask me to screenshare on a shared monitor, then I will have to explain I cannot, because I am on Zoom browser.

        It's always great to see the reactions that gathers. It's a true rainbow: bemusement, curiosity, exasperation, outright suspicion...and everything in between!

    • smoyer 3 hours ago
      You can also install and run Zoom in Flatpak which secures your computer by running the executable in Bubblewrap. If you know what you're doing, you can also sandbox it directly.
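
Added example (not part of the thread, and not any commenter's code): the Bubblewrap sandbox that Flatpak sets up only hides what the app's declared permissions leave out, so it is worth checking them before relying on it. The function below audits text in the keyfile format printed by `flatpak info --show-permissions <app-id>`; the sample input is constructed for illustration and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not taken from a real package.
sample_permissions() {
cat <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystems=xdg-download/zoom;home;~/.ssh:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
}

# Read a permissions keyfile on stdin and print one finding per line for
# grants that expose the home directory, the host filesystem, or every
# device node to the sandboxed app. No output means no such grant was found.
audit_permissions() {
  awk -F= '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }   # track the current section
    !in_ctx { next }                               # only [Context] matters here
    $1 == "filesystems" {
      n = split($2, fs, ";")
      for (i = 1; i <= n; i++) {
        p = fs[i]
        sub(/:(ro|rw|create)$/, "", p)             # drop the access-mode suffix
        if (p == "home" || p == "host" || p == "host-etc" ||
            p == "host-os" || p == "~" || p ~ /^~\//)
          print "filesystem:" fs[i]
      }
    }
    $1 == "devices" && $2 ~ /(^|;)all(;|$)/ { print "devices:all" }
  '
}

# Stand-alone run: audit the constructed sample.
sample_permissions | audit_permissions
```

On a real system, pipe `flatpak info --show-permissions <app-id>` into `audit_permissions`; a flagged grant can be revoked per user with `flatpak override --user --nofilesystem=home <app-id>`.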
  • normie3000 3 hours ago
    > Jitsi - their biggest offense in my book is their name, which is hard to say is or is not really offensive.

    And who can't remember not using a video conference app that didn't have an inoffensive name?

    If "jitsi" is offensive, who to? If not, which video conferencing app names are?

    • aorth 1 hour ago
      It comes from жици in Bulgarian, which means "wires".

      I think the author should remove that part of the blog post because it detracts from the author's point and is even a bit embarrassing that they hadn't looked it up.

      A reference for the name: https://desktop.jitsi.org/Documentation/FAQ.html#spelling

    • titanomachy 2 hours ago
      Sounds kind of like “Gypsy”, I guess.
      • fulafel 1 hour ago
        Sounds far-fetched. There's still the t vs p when pronounced by English speakers which are pretty distinct.

        WP on the name origin:

        > Jitsi (from Bulgarian: жици, "wires")

      • TurdF3rguson 2 hours ago
        I'm 3/4 Gypsy and I don't have a problem with it.
        • nurettin 54 minutes ago
          They should add this to the docs as a quote.
  • valicord 4 hours ago
    How much time did it take to write this rather than Google "join zoom in browser"?
    • lithocarpus 4 hours ago
      Genuinely curious as I don't know - could zoom not still record what is said and use that for their own purposes?

      I just assume anything said near a computer could be and likely is recorded and stored by somebody, nowadays.

    • quietsegfault 4 hours ago
      “Dial into zoom using telephone”
  • mkmk 4 hours ago
    Reminds me of the saying "Pessimists are often right. Optimists are often rich."
  • smoyer 4 hours ago
    When Zoom took the world by storm due to the pandemic, their security was known to be horrible. They acquihired the Keybase team who are crypto experts and this presumably had some measure of positive effect.
    • SoftTalker 2 hours ago
      The advantage of Zoom was that it just worked. No more spending the first 10 minutes of a call making sure everyone is online and can see/hear you. Or at least greatly improved.
      • prmoustache 14 minutes ago
        Most of the issues people had were authorizing their webcam/microphone on their browser, it was no different/better with Zoom than any other service.

        And other services also had their own easy to install app (I think Jitsi only dropped the desktop app fairly recently).

        I think the only thing really easier with Zoom was remembering the name. I think the brand constitutes 99% of its success.

  • comfrey11 4 hours ago
    Do you recall back in the day when Zoom used to rootkit your computer?
    • yunnpp 4 hours ago
      Yeah, that line, "people say Zoom is secure", instantly reminded me of how they opened a port on localhost that any website could connect to to run admin shit on the system. So I wonder, who says it's secure?

      Never mind the government surveillance.

    • jamesy0ung 2 hours ago
      Yeah I have to use Zoom for work, but I wrote a little script that installs it without the background services and privileged helper tools

      https://raw.githubusercontent.com/jamesy0ung/zoom_grabber/re...

    • SanjayMehta 3 hours ago
      I found a zoom daemon running on my kid's MacBook a year after uninstalling it. Turns out uninstall didn't kill background processes, needed a reboot to flush it away.
      • Izkata 1 hour ago
        I swear I remember this being called a feature, they left something around after uninstall so that if you clicked a Zoom link it could reinstall the client seamlessly. An ease-of-use thing for less technical people.
  • Wowfunhappy 2 hours ago
    > If there's one [zoom call] I really need to be on, I'm going to spin up a VM on my computer so that it has no idea of the other files laying around, such as my ~/passcodes.csv

    Oh come now. You don't really think Zoom is exfiltrating unrelated files from your computer, do you? If they got caught doing this, it would be such a major scandal... why risk it? And even though the client is closed-source I do think they'd get caught. It just isn't fathomable to me.

    • mat0 25 minutes ago
      Or just open the call in the browser. It’s much easier to do that than to spin a vm. At this point I just distrust the author
    • yjftsjthsd-h 2 hours ago
      There's also security vulnerabilities. A while back there was a Firefox bug that let websites upload arbitrary files, which got used to steal SSH keys.
    • antonvs 38 minutes ago
      For the average user, you're probably right. In more secure environments, relying on the rational behavior of outside parties for your security isn't tenable.
  • vee-kay 49 minutes ago
    Zoom is founded by a Chinese origin guy.

    Its security issues are already discussed earlier elsewhere, such as in this Reddit thread.

    https://www.reddit.com/r/privacy/comments/18d1bgi/is_zoom_st...

    [In the past is that Zoom said they were HIPAA Compliant, eg. had end-to-end encryption, and weren't. This was a huge issue at the beginning of the Pandemic when everybody started using them. This has since been fixed, but this wasn't their only lie or breach of trust.

    A few years ago, Zoom tried to insert a clause in their ToS that would have allowed them to use audio, video or chat content for training AI. But due to a LOT of backlash they backpedalled on that and now they "just" use telemetry data, product-usage data, diagnostic data and similar data “that Zoom collects or generates in connection with your or your End Users’ use of the Services or Software”.

    Zoom has had multiple instances of extremely sketchy behavior, including:
    * Deploying a rootkit on Macs to allow silent reinstallation of Zoom after removal.
    * Having vulnerabilities in said rootkit that took months to patch after trying to ghost the researcher.
    * Using useless encryption.
    * Lying about end-to-end encryption (they weren't even zero knowledge!)
    * Routing entirely US calls through China.
    * Lacking any reasonable access control to stop bombers.

    They have been caught lying-- not corporate speaking, not fudging a bit, outright lying-- on multiple occasions and had to replace parts of their leadership structure to try to fix the bad PR around it.]

  • foresto 1 hour ago
    MatrixRTC (aka Element Call) looks promising. I hope it develops into something nice.
  • neilv 3 hours ago
    If you have to take the call, and your main concern is desktop client malware...

    At a startup a few years ago, since I was the engineering dept., I had to be on a lot of enterprise sales/partnership calls, and much of the time we had to use the other company's favorite videoconferencing software.

    Rather than installing those dumpster fire desktop apps on my Linux laptop that had the keys to our kingdom, I expensed an iPad that would be dedicated to random videoconf apps.

    We still get violated numerous ways, but at least compartmentalized from the engineering laptop.

    (I also used the iPad for passive monitoring of production at night, like a little digital photo frame in my living room, after putting away the work laptop.)

  • fydgdbfn 4 hours ago
    it sounds like you don’t wanna talk to anybody, and nobody wants to talk to you.
    • worthless-trash 4 hours ago
      Wouldn't that be nice.. people not talking to me in real life..
  • Imustaskforhelp 3 hours ago
    I really love using fairmeeting.net as my Jitsi go-to server for any quick drawing board sessions or screensharing/video calling Zoom alternative.

    I have used it for more than 1 year/6 months with my friend, where we both used it and we used to very consistently think of how this service is free and how great it is etc.

    Thanks to fairmeeting.net ngl! One of the best services period. I wanted something in browser without too much hassle and something with a perma-link so I can join from different devices (I only had a pc back then and so I used to join with a kiosk tablet which only had browser & do other shenanigans)

    I found element calls to be interesting too but still personally I prefer fairmeeting.net! It's really stable when we used it for so many hours for so many days.

    I should probably donate to fairmeeting.net ^^

    If someone from the fairmeeting.net team is listening, I don't mind donating 10$ or such (yes a little broke haha!) to fairmeeting if a crypto option can be supported on the official website

    I do feel like there were some very minor features behind a donation paywall but honestly for 99.9% of people it's okay and what me and my friend used to do was use it with tldraw and make drawing boards and send messages with Discord (I really wanted him to use Matrix/we sometimes used Signal) + fairmeeting.net + tldraw (before it required a sign in to create multiple pages, man that feature was so great for anonymous users)

    Anyways, I spent an hour or two trying to build a claude script which can make jitsi servers easier to deploy by using cloudflare api+dns feature & podman

    it's running on meet.fossbox.cloud enjoy everybody! (Please don't abuse it haha, sharing it in the same spirit as fairmeeting!)

    The script is Claude generated and under unlicense. Pasting both gist(github) and opengist(my server) links:

    https://opengist.fossbox.cloud/Admin/db747020aae14503b23e5a4...

    https://gist.github.com/SerJaimeLannister/d9f1511854b4dc5b17...

    > You can run zoom in the browser. At least you could some years ago. Encryption is relevant depending on what you're doing but not everything needs to be super secret. A common practice is to email or use secure file shares while on the call to maintain that security.

    Edit: Just wanted the last sentence to show Jitsi instance at https://meet.fossbox.cloud

    I kind of decided that I can help create an instance too instead of donating right away as my server runs <10$ (currently 8$ for 3 months 3 TB bandwidth everyday and afterwards a 100mbps cap plus more decentralization)

    Although I might shut down the server if I would need to utilize the resources though so if I ever do that, sorry about that!

    Alright time to sleep :> Good night!

    Edit: the server's xmpp isn't working, gonna try to get a fix of it before I sleep! (seems like I had proxy true and it had to be proxy false)

    Edit2: looks like it's a bigger issue, I am gonna have to fix it later. Personally I don't know but I just like the workflow of using Cloudflare API for DNS management & building on it and I have built some other internal tools for myself for making ease of development so currently it's gonna have an issue of self issued certificate which I will have to fix later most likely

  • dangus 1 hour ago
    I mean, sure, fine, but nobody cares that some rando on the Internet doesn't agree to the ToS of Zoom. The article has no actionable information, is not interesting, and is beating an old subject to death.

    When I get on conference calls on business software that is primarily sold to and intended for businesses, I'm not usually doing so with the assumption of privacy. I'm usually doing so in the context of the semi-public activity I do at work.

  • SanjayMehta 3 hours ago
    We decline all US based video calls. Use our Zoho Meet or get lost.
  • JSR_FDED 4 hours ago
    If you’re joining a zoom call but don’t enable the camera and only maybe plug in a usb mic - just don’t join?