The font is used by the teamviewer website. When inviting a partner to a teamviewer session, one can do so by sharing the invitation url.
The invitation url looks like this (where XXXXXXXX is the session code).
https://get.teamviewer.com/v15/en/sXXXXXXXX
The website will check if a teamviewer font is installed (using javascript). If the font is found, the web site assumes that teamviewer is installed. The teamviewer installer also registers a protocol handler in the operating system.
The website (javascript code) will thus try to launch teamviewer directly using a url like the following:
teamviewer8://instantsupport/?sid=XXXXXXXX
Otherwise, if the font is not found, it will prompt the user to download and install the teamviewer application.
This is the benign explanation I was looking for. It's a clever hack for providing a good user experience for the person who's receiving remote support, who can't be assumed to be computer-savvy.
Of course, it would be better still if there was a standard way of setting up specific URL patterns under specific domains to automatically launch an associated desktop app if that app is installed. iOS can already do this through the "/.well-known/apple-app-site-association" URL on the domain. It's why Zoom and Teams links, when opened on an iOS device, always go straight into the native app once that app is installed.
Edit to add: BTW, the file at the well-known Apple path also gives me a way of detecting a Zoom invite URL in one of my own products, even though Zoom URLs can have custom domains.
> Of course, it would be better still if there was a standard way of setting up specific URL patterns under specific domains to automatically launch an associated desktop app if that app is installed.
The "PWA" standard for "/.well-known/apple-app-site-association" is "related_applications" [0] in the Web App Manifest standard and specifically here where "prefer_related_applications" [1] is set to true.
Interesting. Based on your comment, I did a quick check and only Zoom gives a valid response. The parent domain for Microsoft Teams doesn't seem to respect the convention.
Heh, I've never used teams before so when I did a few searches I got sent to www.microsoft.com and office.com. None of the links on page 1 and 2 of the SERP led to teams.microsoft.com.
Good find. Disproves the "only useful for web fingerprinting". It's also useful to their users for a fairly common flow.
Don't assume malice, but do consider side effects of your decisions.
This does add an extra bit to web-fingerprinting, it's only 1 bit. Someone intentionally trying to add fingerprinting could do much more malicious things. Unique font names or uniquely generated font with varying letter widths could completely de-anonymize a user. This seems scoped to identifying team-viewer users, not identifying/fingerprinting individuals.
This is still web fingerprinting. They are using this, specifically, for fingerprinting. They don't care about the font; they care about being able to spot TeamViewer users in a crowd. The only difference here is it's being done for a beneficial purpose. "TeamViewer installs font only useful for web fingerprinting" is absolutely true; only the word "suspicious" is untrue because now we know what it's for.
Fingerprinting requires there to be a purpose of identifying an individual device, and is done by collecting multiple data points that in aggregate are a unique combination.
Just knowing you have a font or TeamViewer, like just knowing your IP or viewport size, isn't fingerprinting your device.
They may not be baking a cake, but they have all the ingredients to bake a cake. They also give everybody else who is currently baking a cake an additional ingredient.
You don't get to call a thing something it isn't simply because you don't like that thing.
The action of taking your fingerprint to identify you is fingerprinting. Providing you a handrail without a purpose of identifying you, even though it happens to take your fingerprint for anyone else, is not fingerprinting. Changing your fingerprint is not fingerprinting.
This is an abuse of a technology with more harm than benefit if you ask me. Calling it "fingerprinting" is still a category error.
Repeatedly claiming something doesn't make it true.
Here's what the Electronic Frontier Foundation says about fingerprinting.
"""Digital fingerprinting is the process where a remote site or service gathers little bits of information about a user's machine, and puts those pieces together to form a unique picture, or "fingerprint," of the user's device"""
Here what TeamViewer is doing isn't fingerprinting. It's not combining unrelated bits of information to uniquely identify a user/computer. It's looking at literally one bit of information to identify whether the current non-uniquely-known user is in a -large- group or not, the group of "computers with teamviewer installed".
It can be claimed that this is adding to the bits that can improve a third party's ability to uniquely identify a user/computer, but that's a different claim, that's not what teamviewer is doing.
That’s why this attempt to stay anonymous — or even more ambitiously, prevent metadata from being aggregated to reveal mass patterns among many users - is useless.
Eventually, everything will be collected using an actual use case — contacts, photos etc. — and the AI will process it and make deepfakes of anything.
We won’t be able to trust any video evidence. The future is about watermarking and signing stuff using your own private keys. And even then, someone can just announce their private keys somewhere and have plausible deniability after that. Too many such renunciations though would be suspicious.
The world is going to be as unfamiliar to us, breaking enough of our assumptions, as when people didn’t know about gramophones and televisions and instant communication, assuming that it would take time for a messenger to get a message out. Today we expect a ton of info to flow over always-on connections. Similarly our assumptions about identity and privacy and democracy are going to be totally smashed by AI and bots soon.
Swarms of bots using GPT-4 and deepfakes will be able to drown out the vanishingly tiny amount of information that all the humans writing online produce, and adversarial networks will make them far more effective at convincing a crowd of humans that X event happened or to support Y policy, or even rewrite history and science. The same way that AlphaZero defeated AlphaGo which defeated human players, because it had far more combinations than all humanity combined did, and then downloaded the learnings to each node (Leela and others do the same).
All that is missing is decentralized swarms of bots, that have no single point of failure, and can update their weights autonomously.
I will go even further and say that CAPTCHAs will become irrelevant. Humans won’t be the primary economic actor for online services, because botnets will control far more capital and everyone will do some work for a botnet, such as being a caretaker etc. No one will even know or care who is giving the assignment or writing to them anymore.
The sad part about this is that botnets based on GPT3 and deepfakes are simply bullshitters that don’t understand things like Cyc — they literally throw bullshit at a wall and see what sticks. It’s sad but this will collectively outperform collective human reasoning at convincing humans because ALL our systems are vulnerable to be subverted that way.
No. I posit humanity has never left a glass half full.
Just wait for the deepfakes to utterly destroy video as a means of common representation of reality when it crosses the threshold of too often faked to be generally believed without independent attestation.
And even then people will question subconsciously.
A side effect is that it allows anyone running a website to build a database of TeamViewer installs behind IP addresses. If there was a TeamViewer security issue, that database could be useful.
Yes, this key point is missing from the rest of the discussion.
_Any_ website can tell whether or not you have TeamViewer installed. Ad networks could theoretically target you based on whether or not you have TeamViewer installed.
I’m not assuming malice, but it’s a much bigger privacy hole than just increasing fingerprinting by a few bits.
Precisely my thoughts, though I think this is more problematic than simple, nefarious malice.
Sometimes it is the case that no one behind the decisions is being malicious - e.g., perhaps just trying to accomplish a task at hand on a tight timeline.
As such, the default in today's society, where we are more or less 'on our own' on this issue, should be to assume that even while that vehicle over there is indeed about to plow into the crowd, there is often no one behind the wheel.
We should default to an even more suspicious approach.
It's technically more than one bit, as it has a different version of the font for each major version of Teamviewer. So there are several different fonts Teamviewer may have installed depending on when you installed it.
The fact that some corporations and governments are guilty doesn't mean they all are. And the fact that they're guilty of some things doesn't mean we should assume they're guilty of others. It's no different than with people; corporations and governments are made of people, after all.
Besides, the constant negativity is just exhausting for all involved. I'm glad intellectual curiosity won out on this thread, at least for now.
The world is, to some extent, what we make it. If we're going to make it better, we can't give up so completely; we have to have hope that the world can be made better, and that we're not alone in trying to do so. That's why I choose to assume that the TeamViewer developers are merely trying to make the best of the constraints they're working in, i.e. no proper way for a website to determine whether the custom protocol handler is already installed. In their situation, I would probably be forced to do the same thing, and I wouldn't appreciate such negativity. I assume you wouldn't either.
It would be totally sufficient to use the protocol handler. You also can not be sure teamviewer is not installed, just because the font is missing. The user could use an older version that does not include the font, or could have removed the font manually.
But can JavaScript check whether the protocol handler is installed? Or can it only attempt to use the protocol handler, then give the user if-then-else instructions to manually handle the case where it's not installed? Remember, a remote support product has to assume that the user receiving support doesn't have the knowledge or energy to go through a complex setup process, which is presumably a digression from whatever problem they were having in the first place.
It cannot. Enumerating protocol handlers is actually an excellent fingerprinting technique. That’s why platforms like iOS for instance forbid it, or you have to explicitly specify which ones you’ll query (see: https://developer.apple.com/documentation/uikit/uiapplicatio...).
> The user could use an older version that does not include the font
Teamviewer versions are not backwards-compatible
> It would be totally sufficient to use the protocol handler
The error when it's not installed could be confusing to the user. Remember this is a remote support product, you must assume the user is not tech literate. You must also assume the user is on IE5 or something.
This could very easily be justified as a functional cookie.
Honestly if this could only be detected from TeamViewer-owned domains it would be basically a non-issue. The more concerning bit is that this can be used to build a cross-site fingerprint.
The 2009 ePrivacy directive, also known as "Cookie law", speaks of "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user".
GDPR is concerned with all personal data processing, cookie or not is even more irrelevant to it applying.
That is a great idea, generate a font on the fly with the info you need and you have your alternative cookie. Question is, do you have to treat it as a cookie?
Clever, but still not an acceptable use of a font. There are very valid security reasons why browsers don't advertise installed software. Using a font install for reasons unrelated to having a font is still not a valid use case, even if the goal is a smooth UX.
30 days before your subscription expires, teamviewer sends you a friendly email to remind you that your subscription expires in 30 days and to be sure to renew before then in order to not lose service.
What that email does not tell you is that unless you cancel your subscription at least 30 days (ie on that very day) before your sub expires they will renew you automatically and demand a full year's subscription under threat of legal proceedings.
Personally I believe that the purpose of this email is to lull you into a false sense of security that you can just let your subscription lapse instead of renewing when that is far from the case.
Had a similar experience with AnyDesk, who quietly decreed that they need 3 months notice before the end of the year otherwise you're tied into another year. And there are zero options to make contact with them.
It's a shame because I occasionally need something with that functionality and would otherwise have happily renewed when I need it.
Yes. AnyDesk is often touted as a TeamViewer replacement but they’re just as bad and shady.
Both subreddits are full of users helping grandma only to get banned for commercial use, for example.
I gave RustDesk (FOSS) a try and it was nice but slow and I don’t currently have the time or resources to self host near me to see if that makes a difference.
There is a need in this space for a good home use Remote Desktop that’s easy to use and if touted as free for non-commercial use, doesn’t end up banning you later without hard evidence (or just limit free users to 1 session, etc).
Right now they all seem to be chasing medium/large/enterprise money which makes sense I suppose due to the current state of remote work.
Try MeshCentral .. free and open-source but you can use the "Public Server" to give you a quick and easy remote desktop access to another device you setup the agent on.
The performance was good (TeamViewer was still slightly better imho) I just took issue with the commercial detection problems and then having to go to a webpage to beg for them to unban you.
I agree given the two options I’d choose and recommend AnyDesk first.
Over a 50/50 commercial wireless link RDP over wireguard was best for most users that I had test. AD/TV a close second and VNC was so perceptually laggy that it was a no go from the start.
Much the same with me. I have it on about 5 computers in/around my house and work, and have never had any commercial naggings, nor do I use it commercially.
Why is Apple able and willing to offer free, easy to use Remote Desktop capability for both macOS and iOS, but Microsoft does not?
Same with Apple offering an awesome PDF manipulating program with Preview and print to PDF, and Microsoft taking many more years to come up with just print to PDF.
Except Microsoft does, it's called QuickAssist and it's installed by default. Calling it up is as easy as pressing Win+Ctrl+Q. (Or the normal way in the app list, obviously.) At this point, using TeamViewer is just inertia.
If you're using it personally to connect to your own machines, try looking up the remote desktop assistant. I use this in combination with the VPN built into my router.
I really wish there was a way to set up an RDP gateway without Microsoft server or other complicated setups. There's an open source project rdpgw[0] that provides an RDP gateway, however it requires the use of docker, a web server, and other software. It's not suitable for small use cases like mine (once a month or so, I need to start wsl while away from home, or restart BubbleUPnP service). VPNs and docker add quite a bit of overhead to a system that's already running close to capacity.
FWIW I've been using AnyDesk for free for connecting to my work laptops (located at home, but they're on my work VPN) from my home PC for at least 3 years now with zero issues. I've been waiting for the day that they finally pull the plug, but it's yet to happen (knock on wood).
I used it fine up until lockdowns and work from home stuff. Account was flagged sometime early 21 along with a flood of other users who were initially ignored and then told to fill out a form and hope to get allowed back on.
My AD use was three home computers to either view them (LAN) or to assist my parents with various questions occasionally. Never any server OS used or on the network. No domain controllers, no email servers, heck at the time I didn’t even have any Linux or BSD machines.. physical or virtual. It was baffling and forever soured my view of AD.
Worse actually. I was lucky enough to read the fine print and canceled just a month in. They called to figure out why I canceled so fast and when I pointed out the user hostile terms they said “oh ok thanks have a nice day.”
If our representatives weren’t all so old, they might have a concept of these types of issues. Unfortunately without age limits we’re stuck with candidates so old that most lack an awareness of the most common issues of living and working with the internet.
Your theory is that legislators mainly write legislation themselves about problems they have personally experienced? Because my understanding is that legislators are just the most visible person on a team, with much of the work being done by staff, who range widely in age. Based, of course, on input from constituents, lobbyists, civil society organizations, and government agencies.
I think it's pretty weird to jump right to "the olds know nothing" when the problem is a niche and relatively new scam. Scammers are always finding new scams. Would I like the lag time between scam creation and scam elimination to be faster? Sure. But I'd guess that legislator age is well down the list of factors causing that.
Blatantly ageist. Even if legislators entirely relied on their own understanding of technology to make policy decisions, it would not apply here— replace that e-mail with a letter, phone call, telegram, or any other sort of communication and you’ve got the same exact problem. Unfair sales tactics and shady long-term contractual obligations aren’t exactly a new problem. When you get a few more years under your belt, you’ll realize that the advantages afforded by a young person’s perspective can be valuable but are more ephemeral and superficial than those brought by experience and wisdom.
That's not an "internet" issue, that's a contract issue. The vast bulk of our representatives are fully credentialed with some credential that says they understand that, and the remaining few that don't can't have failed to pick up the super basic level of understanding it takes to understand that. Moreover, I'm sure quite a lot of them have been personally screwed at some point by a contract. Old they may be, but they're nowhere near as old as this sort of trick.
Given the nature of their previous work and their credentials, a good number of them have probably written contracts that have one variant or another of this trick in them.
It’s not about age (nearing 67 here, so I bristle at such mentions). Probably even the youngest members of Congress wouldn’t have a clue about some of these items. It comes down to things like what their staff knows and what they’ve actually experienced themselves. One doesn’t generally reach public office and/or the staff of an office-holder through a path even remotely like what a typical HN commenter has followed.
The ageism in the reply makes me bristle as well. A little past 65 here. Currently employed at my third startup gig in my thirty eight year embedded systems career. Ignorance spans all age levels.
70 here, and working on an automated order taker for restaurant drive-thrus.
My role is part Developer Experience Engineer (making sure our developers are happy and productive), part Roving Troubleshooter, and part whatever else needs to get done.
One of our most important metrics is obviously how many orders we complete on our own without crew intervention. So I spend a lot of time looking at our chat logs from the stores to figure out why we had to escalate to the crew - or why they decided to take over the order.
"Welcome to McDonald's. What can I get for you?"
The running joke on our team is that most of us don't eat at McDonald's that often. But there is one sandwich I really like, you just have to customize it a bit.
"I'd like a fish filet, no cheese, with lettuce and pickles"
They use real fish in this, wild caught Alaskan pollock.
"Got it. Anything else?"
"A guava pie and that's it."
The guava cream cheese pie is really nice. A friend suggested we try it, and I was skeptical. But I would order it again any time. Not overly sweetened like I feared, and good flavor.
Disclosure: I work for IBM on this and currently our exclusive customer is McDonald's. (And it should be obvious that I don't get paid extra when you order one of my recommendations.)
Team Viewer is a German company. In Germany, it's pretty common to have a contract automatically extend for a year if you don't cancel one to three months in advance. Most of the German users actually expect that behaviour, so it's not a surprise to them.
It's user hostile, and only recent legislation is trying to fix this.
Sorry, but that won't fix your problem, at least not in Germany.
If your contract extends because you forgot to cancel it, you still have to pay, since it's completely legal. If your payment information is not correct, they may even charge you a reasonable surcharge for the failed payment.
After a few warnings, you can be sent to a legal collection service, which you either pay, or challenge in two weeks, and in case of challenge it goes automatically to court. Then you will need to pay the contract plus court expenses, since there's 100% chance that extension of your contract is valid.
If you are outside of Germany, and unreachable to the German state, then it may work, since they could decide it's too much hassle for them to collect.
Example #354 of why the shift to subscriptions and cloudified everything has resulted in me using more open-source for consumer-style apps.
It turns out that, if you refuse to simply let me throw money at you in exchange for software and instead demand an ongoing relationship, I'm almost certain to just nope out and find a different way to fix my problem.
Intentionally baking a bad offboarding experience gives the game away - companies who do this think you're a chump and will happily fuck with you for another nickel rather than build a better product.
1. Browsers should ship with a set of fonts used just in the web browser that web designers can count on. Right now, there isn't a font I can count on finding in Chrome on all platforms. This especially matters for non-English languages, where a different system font can lead to a website that looks very different.
2. Browsers should not load fonts installed in the operating system. It's a fingerprinting vulnerability. And it also causes issues where the system-installed font is unexpectedly different from platform to platform. For example, Arial is different across platforms, especially once you consider non-English languages.
I don't understand why they don't just ship a huge set of fonts by default. I'm probably missing some licensing bullshit, but look at Google Fonts and all the amazing fonts there. They're called open source fonts. Is there anything stopping firefox et al from just bundling them, or at least downloading them on-demand from a trusted server (not google)?
It would be lovely if all web developers could just assume that the entirety of google fonts is at their disposal in a native way without having to resort to webfonts and the overhead that brings.
> I don't understand why they don't just ship a huge set of fonts by default.
It takes a lot of work to draw a reasonable large set of all the Unicode characters for a given language. Time is money and fonts are ridiculously expensive.
That being said, Firefox has funded a few fonts over the years but they don’t bundle them with the browser. Google has a huge collection but doesn’t bundle them either. It makes more sense with Google as it can collect user data from its WebFont as a service system.
The problem is not shipping alternative fonts, but blocking access to the system fonts. For compatibility reasons, there needs to be a mechanism to still allow access for specific websites. That’s what the planned feature linked by the parent is for.
I'd be happy to have many more resources this way, use a hash and some sort of frecency -- but we've moved away from sharing resources across sites, unfortunately.
WebKit/Safari gets dunked on a lot for being slow to implement features (sometimes rightfully so), but for many features, this is exactly why. Check out this long list of APIs they're purposefully dragging their feet on out of privacy concerns: https://webkit.org/tracking-prevention/#table-of-contents-to...
Many of those are gated behind permissions in the browsers that have implemented them, and safari could gate the rest too. Or they could collaborate with the working groups to reduce the fingerprinting hazard.
Many other features that safari has been late with have basically no fingerprinting usefulness like web push.
imo it's more crazy that people thought of tracking users by using a font in the first place. The level of human ingenuity that has gone into spying on people is staggering.
Follow the money. It is always about the money. I was at a corporate security conference where one of the speakers stated that organized crime groups hire the top mathematicians and computer scientists from the top universities every year. They provide them with laboratories that you wish your company could afford.
The web and ideas back then were different. It was so cool to choose wingdings as a font, and make it <blink>. The web would not have evolved the way it is now if we hadn’t had the freedom back then.
The page should provide a hash, no need to ping a server, just a local cache lookup (like per-site cache schemes now) then a user-selected choice of downloading from the first-party, or an ordered list of third-parties.
Browsers are all moving towards origin-isolation. So, even when you download a font from fonts.example.com from example.net; that downloaded font won’t be available to example.org.
The local cache is, unfortunately, also an unintended source of fingerprinting and cross-origin communication.
It is not a requirement. Packages that depend on it, like firefox, only depend on the virtual package ttf-font, which happens to be satisfied by noto-fonts: https://archlinux.org/packages/extra/x86_64/firefox/.
This means that you get to choose from ttf-liberation, ttf-bitstream-vera, ttf-droid, gnu-free-fonts, noto-fonts, ttf-croscore, ttf-ibm-plex, ttf-dejavu or even all the stuff in the AUR.
When for displaying Web pages a browser uses beautiful locally installed fonts instead of ugly widely available fonts, such as Arial, that is not a fingerprinting vulnerability.
It becomes a fingerprinting vulnerability only after the browser (or a script with the permission of the browser) sends information to a 3rd party about which fonts are used on your computer to display text.
The efforts to prevent vulnerabilities must focus on preventing undesirable communication between browsers/scripts and other parties, and not on how the Web pages are displayed, which should be done according to the user preferences.
> The efforts to prevent vulnerabilities must focus on preventing undesirable communication between browsers/scripts and other parties, and not on how the Web pages are displayed, which should be done according to the user preferences.
And how would you do so? Probably I lack in fantasy, but I really don't see a way to distinguish _necessary_ traffic from traffic that is useful only for exfiltrating data.
The problem is you have to be willing to define a scope for what a web page should and shouldn't do. The largest developer of web browsers though happens to be obsessed with injecting support for crud like MIDI devices and serial ports to the web platform though, which makes it hard to define a good boundary for behavior.
I think I could happily live with say half a dozen fonts on the web (plus variations of bold/italic, if we want to count those as multipliers) for the rest of my life. Serif, SansSerif, Mono, Weird - that's really my ability or care to tell fonts apart, when I'm there for the interesting article or funny video.
But it's that tension:
I, as a consumer, am happy with simplicity
They, as producers, want branding and differentiation (not to mention tracking and all sorts of other things)
Ultimately, and we mustn't forget this, they the producers are the ones investing effort they need a return on; and we the consumers are lousy when it comes to voting with our feet, dollars, scrolling thumbs and back buttons.
We're talking about system fonts here, not webfonts, so they can differentiate as much as they like with webfonts. Webfonts would still be available. Although they'd also have to go into the per-site cache to prevent sites from fingerprinting by whether or not you already had the font loaded via some other site.
(Web fonts can be quite space-effective, if the site can serve a trimmed-down version that doesn't have the whole unicode space in them. CSS even has support for breaking the font into pieces so if a bit of unicode does slip through on some page you can still go get "the rest" of the font.)
Arial Nova, not installed by default, is better. Free download in the Microsoft Store. Like Helvetica Neue, it’s slightly more readable by increasing the size of some punctuation marks, lengthening horizontal strokes (e.g. t), and greatly improving kerning.
And how do you define if something is undesirable? Is sending the width of an element ok? Then you can encode any message you want by putting text into an element and sending its size. Is lazy-loaded image ok? Then you can construct a font with different heights so that displaying a letter will / won't put the following image in the visible area.
You can't derive the intention from the page behaviour.
The "vulnerability" has always existed, it was just not as widely exploited (or at least not known to be).
As for how to fix it: When the cost for technical measures to ensure security gets too high we need legal measures to ensure a higher-trust society where such technical measures are not needed. We don't all live in locked down fortresses with bullet proof windows and filtered air and water supplies either even though technically that makes us more vulnerable.
On this point, I would like to put some of the major libraries (like jQuery) just wrapped into the browser and developers have to deal with it. Common graphics like the loading spinner could be included as well. Do we really need to be constantly redownloading all of this? It seems like a waste.
Nice discovery, indeed that is very suspicious, I wish Microsoft would have sorted out permissions for Windows..
This would help notice things like that earlier
I use this: https://processhacker.sourceforge.io/ gives me notifications whenever a process create/delete services, also has a nice CPU graph in the system tray, thanks to that I noticed Windows will eat your CPU/DISKs whenever you AFK, some telemetry/update thing running in the background.. even when you just idle watching a video.. inefficient telemetry software.. sweet.. what a time to be alive
If they're indexing your disk 24/7 for a better user experience and searching for something still barely works half the time, I'd be less embarrassed if it was attributed to malice.
I skimmed the article and looks like they didn't try to compare the font from two different PCs. I think it may be a uniquely generated/procedural font, identifying a specific installation.
How do you know? The font number does not matter as the website won't see that. To check uniqueness of the fonts you would need to actually compare the content of the installed font, not only the name. It would be totally possible that the installer is packed with the font, but dynamically alters it before actually installing it.
The version number is part of the font name (e.g. “TeamViewer15”). Websites can apply a list of known font names to an element and see which are available based on whether a test element changes size after applying the font.
It's not. It is embedded in the installer with a sha1 of 692a2bd8cce1c4ac62f7cd505907aa8e21ab3b69, which you would have known had you actually studied the suspicious file at hand, rather than just go with the narrative posted in the blog.
Well, they’re right, and they did the work to verify they were right, as opposed to the other people in this thread blindly making assumptions. They care more about the truth than the other posters.
Makes them more decent than the others, in my book.
Sure, the installer ships a font file, and sure, the most obvious answer is that it's just installed as is.
But my app also ships a bunch of templates, and it doesn't mean users will always see the same thing when they're loaded. The font binary could have some magic number that's replaced with a fingerprint ID.
Most likely it isn't, but the work to verify would actually involve installing TV in two different machines, and comparing the installed files.
If you think they're going through the hassle to ship a font file but sleight-of-hand install a different font, then why do you think they wouldn't also go through the hassle of further hiding what they're doing? For instance, replace a preexisting font you wouldn't think to look at?
If you think it's honest-to-god malware, then provide evidence that it's malware. Installing a font does not make software malware. Checking for the presence of an installed font is not malware.
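The comparison discussed in the comments above (the same font file taken from two installations), as an added Python example that is not part of any comment: it checks a copy against the SHA-1 quoted in the thread and, if two copies differ, reports which sfnt tables changed. The byte strings are constructed stand-ins for real font files, and all function names are hypothetical.

```python
import hashlib
import struct

# SHA-1 quoted in the thread for the font file embedded in the installer.
INSTALLER_FONT_SHA1 = "692a2bd8cce1c4ac62f7cd505907aa8e21ab3b69"

def matches_installer(data: bytes) -> bool:
    """True if this copy is byte-identical to the installer's font."""
    return hashlib.sha1(data).hexdigest() == INSTALLER_FONT_SHA1

def sfnt_tables(data: bytes) -> dict:
    """Return {tag: table bytes} from a TrueType/OpenType (sfnt) file."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    tables = {}
    for i in range(struct.unpack_from(">H", data, 4)[0]):
        rec = 12 + 16 * i  # 12-byte header, then 16-byte table records
        if rec + 16 > len(data):
            raise ValueError("table directory runs past end of file")
        tag, _sum, offset, length = struct.unpack_from(">4sIII", data, rec)
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} runs past end of file")
        tables[tag.decode("latin-1")] = data[offset:offset + length]
    return tables

def compare_fonts(a: bytes, b: bytes) -> list:
    """Tags of tables that differ between two copies; [] if byte-identical."""
    if a == b:
        return []
    ta, tb = sfnt_tables(a), sfnt_tables(b)
    diff = sorted(t for t in ta.keys() | tb.keys() if ta.get(t) != tb.get(t))
    return diff or ["(outside tables)"]  # header, directory or padding

def build_sfnt(tables: dict) -> bytes:
    """Constructed sample helper: minimal sfnt container, checksums left 0."""
    offset = 12 + 16 * len(tables)
    directory, body = b"", b""
    for tag, blob in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag.encode(), 0, offset, len(blob))
        body += blob + b"\0" * (-len(blob) % 4)  # tables are 4-byte aligned
        offset = 12 + 16 * len(tables) + len(body)
    return struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0) + directory + body

# Constructed stand-ins for the installed font on two machines (not real fonts).
MACHINE_A = build_sfnt({"name": b"TeamViewer15", "glyf": b"\x00" * 8})
MACHINE_B = build_sfnt({"name": b"TeamViewer15", "glyf": b"\x00" * 7 + b"\x2a"})

if __name__ == "__main__":
    print(matches_installer(MACHINE_A), compare_fonts(MACHINE_A, MACHINE_B))
```

A per-install identifier patched into the file would show up as a differing table on real copies, while identical installs return an empty list.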
I paid for a lifetime license, who knew that a lifetime was less than 10 years? My lifetime license was revoked and I have to buy the latest version I want to continue using. No thank you.
One thing I understood a while ago is that with any service claiming a lifetime license, it's either the lifetime of the product or the company, not the customer.
I tend to avoid it unless I'm fairly certain the product / company will last for longer than it would cost me per year of a subscription (to make sure my "investment" is worth it), and that I'll use it extensively.
Nothing is truly forever, and more so in the world of software.
What's the best alternative you've found? I personally use anydesk from time to time when helping family with tech issues remotely, but I haven't looked too much at other software.
NoMachine is the closest 1:1 experience to TeamViewer I've found. It uses the same video capture method and offers a lot of the same features such as drag-and-drop file copying and aspect ratio controls. The downside is the UI is very odd and difficult to maneuver, but once you get used to it, you'll ditch TeamViewer.
You will also need to connect to hosts with IPs and open your ports; it doesn't have the ability to punch through firewalls like TeamViewer can.
Hi, can you tell us what you find odd and difficult to use? Maybe we get what you mean; in the NoMachine UI there are a lot of settings you can select: the protocol, different IP addresses, encodings and so on. These are some of the advanced options that almost no users probably care about.
But the fact is that, since its inception, NoMachine was intended as an "advanced communication and remote desktop tool", more a "professional tool", not intended for the "wide public", especially because you had to "know" and be able to configure things like "an IP address", which is more in the "professional space".
To make NoMachine apt for widespread adoption, we need NoMachine Network, the infrastructure that will allow people to connect by just knowing a "machine id", the same as TeamViewer does, and we are working on it. Expect this very soon.
But that said...
We would love to know from you where we can improve the NoMachine UI, to make it more usable, more friendly, less "confusing" (if it is) and less intimidating. If you like, you can obviously also contact us directly. Do as you like, but we would love to hear from you.
Thanks for reaching out to us already! A beta program for Network is not currently available, but we would love to hear your feedback about your experience with our software and user interface :-) Please respond to that ticket with your comments at your earliest convenience.
should impede it («Not all fonts installed on your computer are available to webpages»), but I am not sure, as I do not know the exact "which fonts to expose" rule.
Edit: in theory, it should allow only "«base»" fonts and not user installed. In practice, more details would be useful.
I cannot use this because it always resets the custom zoom level for web site. For example I cannot browse HN with the default font size, so I set Firefox to zoom 120% for news.ycombinator.com, and I don't want to have to do that each time I come back to the site.
RFP is great but it also heavily interferes with addons. It disables Ctrl and Alt key combinations for them, breaks scrolling and timer-based behavior, and generally renders many of the addons unusable in various ways.
I used TeamViewer less than twice a month for a few elderly relatives who needed help when I wasn't visiting. One of them sadly passed away recently, and another stopped using computers, so my usage went almost to zero. What angers me is that the fine folks/algorithm at TeamViewer kept killing my connections because they thought I was a professional abusing their free service.
Screw them: Now I'll either find an alternative or nothing.
I choose to assume there's a benign explanation for this. Nobody's perfect; nobody can be expected to do everything in the optimal, least suspicious way; sometimes developers just have to come up with a good-enough solution for something and ship it. So let's look for the most charitable explanation of this. It's how we'd want online randos to approach our own work, right?
Companies that routinely deal with remote access scams (I'm thinking especially of crypto exchanges) could check for this font and display specific warnings only to people who had TeamViewer installed on their Windows machine (probably disproportionately represented among scam victims).
TeamViewer is a long way from the only software being used for this, but it's kind of a cool opportunity.
I'm currently using TeamViewer on a single PC, but I'm searching for an alternative. Big plus if the alternative is OSS + self-hosted, but I'm open to other solutions.
My current workflow is -> Connect to HomeVPN -> Turn on Gaming PC with WakeOnLAN -> Connect with TeamViewer to start Steam -> Start gaming with Steam RemotePlay. I did not find a way for Steam to autostart without logging into Windows, that's the only reason I currently use TeamViewer, essentially to login and start Steam.
Fair enough. Since you mentioned it's a Gaming PC specifically, I assume this is a machine that's only used for that. In that case I personally wouldn't mind leaving it unprotected, but I can understand why someone else would.
Yeah, it is only used for gaming. You know, to be fair, I could enable auto-login without a problem. The probability that someone else turns it on, snoops around and finds something they shouldn't see is close to 0%. But somehow it feels dirty to disable authentication on a device, if you know what I mean.
Chrome Remote Desktop is honestly not a bad option for something like this. It has an unattended mode and you can set long passphrases in addition to 2FA/etc.
I've used this a couple of years ago, did work well, yes. But these days I try to avoid Google, which disqualifies this solution. But thanks for the recommendation anyways!
No, but it looks very interesting. So this would replace TeamViewer and Steam RemotePlay at the same time, not bad. Just not that big of a fan about the pricing. $100 per year just so that my SO can play on their PC at their home, while I'm not at my home, seems a bit steep.
Yeah, my use-case is very specific, I know. I don't even game remote myself, but if I'm on holidays or at work and my partner wants to game from their home, I need a way to be able to power on my PC and everything necessary for it to work. A complete niche, first-world problem :)
I myself use the free tier, didn't miss any of the paid features. It's easily the best, lowest-latency, most no-hassle remote desktop tool I've ever used. Once they add Linux hosting I won't mind shelling out some cash either.
My desktop machine is not in my living room but I like to watch shows on my large TV while gaming from the couch.
I use Parsec and remote to my desktop from my shitty laptop and get much better performance than I would just gaming with an integrated chipset and it's portable. Also, plugging in a usb controller into my laptop automatically controls the desktop without any setup.
Only bad thing I can say is that they got bought by Unity last year and Unity is now merging with IronSource :/
This is a very charitable interpretation of corporate behavior, but perhaps one reason this could have been implemented is to enable support teams to detect if it's installed on a system.
As with anything though, it could be abused by tech support scammers. Overall, I wish such things weren't implemented.
>I haven’t examined archived versions of the TeamViewer website; it might have used the font in the past.
That seems the most likely explanation. That it was once used somewhere in TeamViewer, no longer is, but is still packaged. I don't think there's a real conspiracy involved.
Right. I'm saying that, on the only site I run where I look at this kind of thing, when I review the stats, "uses Brave" puts a visitor into a pool of 2 people. Preventing me from enumerating their fonts is a valiant effort, though.
Wait, doesn't randomizing make one more easily fingerprinted? Unless every check returns different results. And even that behavior could be a strong signal to distinguish Brave from other browsers.
I would love to have a nice scalable TrueType font of the fingerprints of famous serial killers and criminals and insurrectionists like Donald Trump. That would be so cool! You could scatter them all over your documents to make them look incriminating.