#85

Yeah, AFAIK lil’snitch isnt going to work in the future unless they do an overhaul. I block everything defacto and let it through as it tries to connect. I don’t want to out certain programs but they call home a lot for no particular reason - stuff I’ve paid for. I assume its to do updates etc but I don’t trust it. I actually block Max so that I don’t get that annoying yellow update bar up the top for example. I also block a really really useful program (again anonymous) that does correction for my speaker setup which calls home A LOT and constantly tries to update. I just want it to work the way I have it now!

1 Like
#86

Ultimately it comes down to trust, no? Your internet service provider usually gets realtime understanding of sites you visit by virtue of providing DNS services. Same for your bank and debit/credit card issuer (who have full tabs on your spending but severely restricted access), and same for card processor(s) who have (and do use) the option to run analytics on your purchases, individual and in large groups. Can this be used against you or to help you? Where does the “directly” line go in terms of looking at group behaviour and adjusting system thresholds? Apple, like most other companies, don’t have to store the request data, they’ve announced they won’t store IP addresses, and at the moment I’m unaware of any laws that mandate having to store requests for lauching software, even on a temporary basis (unlike, for comparison, for internet access).
I still trust Apple. Just about.

#87

Yeah, I think it’s been covered in some of the linked articles in a much better wording, but for me it boils down to:

  1. Am I willing to trust the other party with the data in the first place? And if I don’t trust them or need / want the service enough to give them that data, can I opt out easily - or more preferably, opt-in in the first place? If the service is voluntary and clearly specified as such, it’s usually not a problem anyway - the complicated questions arise when something happens without one’s knowledge or against one’s will. (Taken to extremes, of course I could stop using a credit card and build my own computer with a niche OS in it and never take it online, nobody’s forcing me to use the stuff I do, but the practical point is probably clear here…)

  2. Can I trust the other party to treat and transfer the data in a secure manner - always use TLS/HTTPS when something sensitive is transmitted, store sensitive things encrypted whenever possible, restrict access to the data properly, et cetera? I think this is ultimately what ends up constantly worrying people more strict (or paranoid) about security than me. Is the company competent and trustworthy enough that the data will only be seen / stored by the people and systems who need it, and not leaked or shared to other parties? Do they have to actively participate with a surveillance organization vs. is it data I feel uncomfortable giving to a surveillance organization? Et cetera. (I think in this specific case some people were worried about the fact that as the information is transferred unencrypted / over a non-secure connection, “anyone” can potentially eavesdrop on it, whether it makes sense or not - which is something Apple seems to have promised to change in the future)

There are a lot of cases where my answer to both of the questions is complicated and/or of “I’m not sure” variety.

(Reminds me, kind of related: I’m not sure how many here have seen the recent awful news about a large’ish Finnish psychotherapy company having most of their unencrypted patient database, including complete notes about therapy sessions, stolen - and people being blackmailed with “send me Bitcoins or I will publish all your personal data and therapy session transcripts”. Apparently this theft was greatly helped due to very shoddy / lax security practises of the said company so that it didn’t require much mad hacker skills to get the data.

I tend to specifically trust those people who aren’t faceless & nameless and do good to me, and I’d wager it’s the same with most other people - but more often than not, a large multinational company still has a better grasp of infosec and which sensitive data needs to be handled more carefully than usual, than a local company with in-house software developed by a single person who might not even be such an experienced developer. Even if I completely trusted a doctor I visited, can I trust the developers and maintainers of the patient system to be up to their tasks?)

#88

i honestly cannot understand why we should feel compelled to not call out companies who make software that collect data. it’s just a fact— the software does this, and most people don’t have monitoring software set up to know it’s doing it. there’s a chance the phone-home is legit and helpful, so there shouldn’t be outright resistance to all data contact— it should simply be transparent. because a lot of companies are now in the collection business which (despite any of our personal preoccupation or ambivalence) is bad.*

*edited a lot of words out here. there is plenty of writing out there already on surveillance capitalism.

10 Likes
#89

^- Also, this. If it comes as a complete surprise for most users that some kind of phoning-home been done for years without their knowledge, it’s probably worth raising an issue about. Even if it’s for a good purpose, perfectly normal way of doing things, and perfectly OK for most people once explained why it’s done (and even more so if not).

1 Like
#90

I think what I said is being misinterpreted. I have no problem calling out surveillance practice when it is provable and evident. Yes companies could be more transparent about what they do or dont do with your data, or how they communicate outside of your machine - they sort of might tell you this when you sign a ToS or data protection policy or by virtue of living in the EU. But I’m not going to say x company is bad because their software made a phone home for a number of reasons.

  1. I don’t know if that request is malicious or not and I’m not going to insinuate either way without proof including forensic evidence of that request. Personally, software I agreed to install is liable to connect to other machines
  1. Its possible an employee for said company lurks here and becomes aware that people are blocking their requests, resulting in them changing how that is done either positively or negatively. In the current circumstances I have total control over what happens now and I’m happy with that. I don’t want that to change.

The focus of my post was rationale for blocking requests rather than supporting some kind of argument that 2 companies whose software I use, has been excellent and has been well supported over the years should for some reason be ‘outed’. Again, no proof, just my personal preferences for managing how I work with a computer.

To be transparent from my end the companies are Max, Sonarworks and Microsoft (vscode).

3 Likes
#91

thanks for your followup— we are in agreement. i specifically stated that there’s a difference between “outing” (insinuating harm) and simply stating that some software does a lot of communication (without accusation of intent).

in fact, giving companies an opportunity to clarify what their software is doing i think helps (potentially) separate them out from the bad actors.

4 Likes
#92

I believe we are :upside_down_face: !

1 Like
#93

Lets not be carried away by apps phoning home analogy because what we are talking about in the context of MacOS Catalina and Big Sur is not that apps phone home, they phone to Apple. And by this giving Apple the power to approve or block the 3rd party processes inside the users machine. This has raised Apple to a very unique position where no other consumer electronics manufacturer has been. Lets stop pretending that this is some kind of industry standard procedure, because it is not, not on consumer computer market.

2 Likes
#94

It also seems to me that the “good” that OCSP does is that if an app has already made it past the gatekeeper/security stuff on the install side but then at some point later does something dodgy to have it’s licence removed, that Apple can then stop the app from loading.

That seems like such a weird edge case to check for (approving an app, and then it “breaks bad”) that you exchange for giving up the ability to have apps being prevented from launching, remotely.

#95

What OCSP is used for in this case is checking validity of developer certificates, not app certificates.

Eg. if you download and install an app outside of App Store that’s supposedly signed by Ableton, but is actually someone else who has gotten hold of Ableton’s developer keys - or install an app that is actually by Ableton but they’ve suddenly decided they’d like to destroy everyone’s computers - then Apple can react when they find out, revoke the developer certificate immediately, and stop (self-distributed) applications from the malignant developer from working the next time they are started.

The other way to do this would be to periodically update a list of revoked developer certificates separately from starting applications or installing them. This is also something that’s been used (possibly not by Apple), but has the drawback that the checks aren’t real time - you could happily run a malignant app until the revocation lists were updated the next time.

So basically the use it’s intended for is “we’ve found out that this developer, who is signed up for our developer plan and promised to play by rules, and has apparently signed this app with their certificate to certify it’s actually written by them, has written malware or leaked their keys so they are either no longer playing by rules or possibly not the actual party who has actually written and signed the app you are trying to start”.

As for trust / ownership implications, there’s been discussion about those during the thread already. I guess the other side is, that Apple is running a trust mechanism for the developers (developer plans & certificates), and the OCSP checks or similar are logical / necessary evil for that. If you don’t at least periodically check whether the developer certificate for company x is still valid or not, you don’t know whether you can still trust that certificate to only be in possession of company x, or trust company x to be honest. (Whatever should be done with that information is another thing, and actually, I’m not entirely sure if you can bypass code signing and certificate checks altogether, if you really want to for some reason…?)

FWIW, a very similar process happens with web browsers when you surf to HTTPS secured sites (eg. this one) - the validity of certificate chain is checked, and if something on the way has been compromised, the browser knows the certificate is revoked / invalid and displays a huge warning about an insecure site / potential security issue which will be major pain in the butt to skip for a good reason. Most browsers do specifically use the very same OCSP mechanism. I suppose it’s juts less scary and intrusive when it isn’t about installed applications but sites you navigate to, and the governing body for the whole world wide web is not a single computer / software company. But in that sense one could argue it is an industry standard procedure in a way.

6 Likes
#96

Most browsers do specifically use the very same OCSP mechanism. I suppose it’s juts less scary and intrusive when it isn’t about installed applications but sites you navigate to, and the governing body for the whole world wide web is not a single computer / software company. But in that sense one could argue it is an industry standard procedure in a way.

Not only it’s not one single company but it also has no power to block off the non-sertified site to open nor has it the control to block your browser from starting inside your computer. Only Apple has that control over your computer. I do understand the urge to explain this insanity with familiar terms and situations but there are none. We are living in different timeline now, because of this. To quote the man: dear frog, this water is now boiling.

5 Likes
#97

It’s worth noting that, when the service is functioning properly, this does not completely stop app launches. If we’re going to have a conversation about this, it needs to stop being sensationalized.

Apple will happily allow you to launch an app with a revoked or untrusted developer certificate, they just want to be sure you know that certificate is revoked or untrusted so that you can knowingly run something that may be malware rather than doing so unwittingly. (For the record, this is easily bypassed by right-clicking the application icon and clicking on open, then choosing to proceed when prompted with the warning.)

This isn’t about some draconian control method. It’s about keeping technologically less literate folks (like my brother, sister, or mother, or almost all of our grandparents) from unwittingly running malware on their computers. And since Apple has already stated they’re going to (1) make it easier to bypass their certificate validation process and (2) make that process more secure from snooping, I really don’t see what all the hubbub is about still.

6 Likes
#98

I think once they provide a means to opt out—as they’ve promised to do—the hubbub will go away. Until then, their service breaks, your apps break… and it has already happened once.

2 Likes
#99

I understand where you’re coming from, but on the other hand, how many times has a CloudFlare outage caused a large portion of the internet to come to a screeching halt in the past years, while this is a first for Apple’s OCSP servers?

I’m not trying to be an Apple fanboy here, I just think the “THIS IS THE END OF COMPUTER FREEDOMS AS WE KNOW IT” rhetoric is a bit much. It’s just a developer certificate validation protocol, and of all the companies to trust with that service, I’d put Apple pretty high on the list.

2 Likes
#100

sure, but clearly “some site that cloudflare is the cdn for” is substantially different from applications that users have deliberately installed on their computer (and that their livelihoods might depend on). I agree that the tenor of this might be a bit much though.

#102

It looks as though the new M1 chips require all native binaries to be code signed. From what I can tell a simple “hello world” has to use an ad-hoc method and doesn’t seem to work on any other computer unless validated with Apple’s Gatekeeper.

New in macOS 11 on Macs with Apple silicon, and starting in macOS Big Sur 11 beta 6, the operating system enforces that any executable must be signed before it’s allowed to run. There isn’t a specific identity requirement for this signature: a simple ad-hoc signature is sufficient. This new behavior doesn’t change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Macs with Apple silicon and enable the system to better detect code modifications. This new policy doesn’t apply to translated x86 binaries running under Rosetta 2, nor does it apply to macOS 11 running on Intel-based platforms.

… If you use a custom workflow involving tools that modify a binary after linking (e.g. strip or install_name_tool) you might need to manually call codesign(1) as an additional build phase to properly ad-hoc sign your binary. These new signatures are not bound to the specific machine that was used to build the executable, they can be verified on any other system and will be sufficient to comply with the new default code signing requirement on Macs with Apple silicon. However, given that these signatures do not bear any valid identity, binaries signed this way cannot pass through Gatekeeper.

#103

(Sorry for the long post again, but) I think there are two points to consider here:

  • OCSP is simply a standardized means for checking certificate validity - it does not yet mandate doing anything about it. The issues with OCSP and enforcing the usage of signed apps are sort of separate, and the latter part can turn draconian fast if the company so wants. But as Ben says above, revoking a certificate could as well mean (and apparently means in practise, I haven’t tried it myself) that if you’re sure you want to run an app with a revoked certificate, you can still do it - you’ll just have to jump through hoops / look at a big red warning sign and click “I understand the consequences” before doing that. Based on jesselucas’ point, this might change with the new ARM CPUs they use, that remains to be seen.
  • Apple have promised both secure transport and opt-out mechanisms for this. It remains to be seen how and when that will happen and whether it will be satisfactory to everyone or not. Until then, it’s just good that there’s been a lot of noise, feedback and discussion about it, otherwise they might haven’t changed anything regarding this.

As an additional point (also regarding the later points from others in the discussion), now that everything basically has a web app for it, trust or control issues with content delivery networks and HTTPS certificates are IME pretty much as bad, or even worse, than issues with apps installed on your computer. Even though this particular thing touches the “this is personal, this is taking the control and ownership from me, I have the bytes of these apps physically on my computer, and nobody should be able to take them off from me” side of things, which does rub me the wrong way as well.

Eg. my day-to-day work is using an online cloud app suite for e-mail, calendar, “office” type use and file storage, another online browser-based app for UI design, two online browser-based apps for keeping track and planning stuff, various IM services, one or two unnamed large cloud providers that run everything we develop except for the emergency backup production systems for the cases of armageddon, and a huge number of development tools and libraries that require to be regularly downloaded and updated online. I could do the same work with pretty much any other computer with any half-decent code editor, any relatively standards-compliant browser and terminal installed if this one failed - but I couldn’t do pretty much anything if access to those services was suddenly cut. Or if one of those had their certificate revoked for any reason whatsoever, there’s no way I’d use that service for sensitive personal or work stuff before the matter was settled and a proper TLS certificate was in place. (And let’s not talk about the whole “do I trust big cloud company x with my data” issue, because that would open an entirely other can of worms, and at least in the case above, I’m mostly at the mercy of my employer’s choices…)

This is just to say that a lot of us do put a boatload of trust to everyone from big certificate issuers to major browser developers, companies offering popular cloud-based tools, companies offering infrastructure and package repositories, et cetera. Not that it means one should trust or like eg. Apple any more than they do now, but because of these things I kind of feel the “from here starts the end of freedom of owning your computer” type claims are yet a bit too strong - or alternatively, the change has already happened with other, much less sensational structural and habitual changes.

However, I also have two thoughts in strong agreement with your fears:

  • What is designed as a security tool is also, de facto, a contract enforcing tool - the technical interpretation “does Apple still trust this developer?” holds pretty well here. Apple has already blocked one or more apps from App Store specifically for not following the contract, and not for security issues. Developer accounts have a different contract and are not expected to follow the strict App Store publishing rules of course, but malware or an application with dangerous bugs are still not the only conceivable reasons a certificate could get revoked “with a good reason”. Whether doing something Apple doesn’t allow (see the Apple vs Epic case which is controversial and still specifically about App Store distribution but still kind of interesting) would mean small warning signs, big warning signs or apps ceasing to work, it’s still a method of control with somewhat wider actual use than plain ol’ infosec.
  • Apple’s trend does seem to be towards iOS type model, where you can only install properly signed apps from their own application store - which is easy for less computer savvy users but a nuisance to most power users, and does not fit well to actual personal computers in my mind. I do just about trust them as eesn says above, but the direction seems so uncomfortable for the type of computer user I am that I’ve been using another OS on another computer at home since this Spring.

Edit: so, TL;DR: not trying to be an apologist for Apple or any other company, I just don’t see this in quite as dramatic way as eg. Jeffrey Paul does.

7 Likes
#104

this. many times.

One thing that Apple have got right till now is making it possible for all this stuff, all the way to SIP, to be disabled by the power user. Seems obvious that if they don’t do that, but somehow keep in place the way to disable SIP, it’s only a matter of time before a system extension emerges that circumvents this stuff.

3 Likes