IIRC it didn't just have no release notes, it explicitly claimed not to contain security patches.
Although I may be misremembering or may have been misled by an ambiguous message. https://support.apple.com/en-us/HT201222 lists it as being a security update but "This update has no published CVE entries." (emphasis mine) implying some nasty but embargoed security issue.
Apple does typically have release notes and an overview of fixed vulnerabilities for releases.
I think it is likely that 11.5.2 fixes a large vulnerability and they will only disclose more information once most people have updated to 11.5.2. And/or they are still preparing updates for Mojave/Catalina.
Same as with the error messages. Almost every MS app has removed the messages that actually tell you what's going wrong and replace it with something like "Oops!! Something went wrong!" that tells you absolutely nothing. And some stupid "funny" picture.
On Intel: Works pretty well. No longer a need to have special ISOs like Ubuntu used to have. You do have to turn off the "secure boot" on newer systems with T2 chip (using the startup security utility in recovery mode)
On M1: Still in progress. Linux boots but the kinks have to be worked out. Not production quality yet.
In soviet russia the computer controls you. It's funny to see Apple with 1984 ad and Microsoft which said that GPL is communistic apply the same tactics as the KGB and Soviet politburo. I think that people never learn because they are so happy to embrace the future.
No way. Ask HN "new generation" to tell you, Apple and Microsoft are taking care of you to feel safe and protecting the children at the same time.
Linux desktop sucks. It is broken.
I found out that this "brokenness" is what I expect to have.
To modify and optimize my UX.
I’ll bite. I’m not necessarily the new generation, but I understand the viewpoint you’re arguing against.
I am the on the more technical side, making me the help desk for friends and family. For the vast majority of people, the safest and easiest thing to hand them is a chromebook. If they want more capability or better hardware, then they will step up into OS X or windows.
They don’t care about the UX until they have to care about the UX because it’s not working the way it was intended. Then they want to fix it back to the way it was (unhide icons or the task bar). They don’t grasp how computers should work, and while I’ve tried explaining, it just doesn’t take. So they remember how to get to email by clicking icons.
99% of people for casual use would just be confused if you dropped them into a command line. There’s a reason things weren’t as popular before we made advances like we have today.
So - for the vast majority of users - an upgrade is an annoyance and downtime that is there during the 10-30 minutes a day they may need the machine (not the 10-30 minutes they are taking a break from the machine). They don’t understand, and don’t care about, the security updates.
Apple and Microsoft and Samsung and Google have no obligation to you, an edge customer, to create a lot more opportunities to screw things up for the vast majority of users who would just get confused. They have no obligation to enable users to perform illegal activity on their hardware. And they can put whatever they want to in the user agreement for their hardware and software. Your option as a consumer is to not buy it. You can complain about it, but that ship has sailed, as the vast majority of users don’t even understand the complaint and the potential implication.
But no. If you want a UX that’s fully configurable and secure and has privacy protections in place and places emphasis on security over convenience, a private, cloud focused, company like Google or Microsoft or Apple is not the right tree to be barking up.
It's not broken at all... At least not for me, being a user for several decades now. I use it at work while billing quite a lot of money so if it was breaking, I would have a massive problem. :)
I would say this though - the machine you run it on matters. The hardware matters. Some hardware runs great, other hardware will give you problems. This is due to driver support either being good or bad, not Linux itself, but the distinction is meaningless for the user.
Use a thinkpad, with Pop OS, to get you started. It will just work.
It is sarcasm. But obviously I communicated this poorly.
Linux actually is more comfortable for development.
macOS is broken by design. MacOS X in the old times was a dream to work on. But now with all "privacy" features from Apple - anything is a problem, and the quality of software from Cupertino is lowest ever.
I am an iOS and MacOS developer and have gotten my updates rejected for my release notes not being descriptive enough of what it changes. Yet Apple regularly gives exceptions to the big guys like Facebook, Uber etc apps and now themselves. Apple’s developer guidelines specifically warn developers to not put vague release notes but the rules often get partially applied.
Interesting tidbit about Chrome using POSIX_SPAWN_NP_CSM_ALL now. But I would point out that according to the open-source Chromium code base, these CPU security mitigation APIs offer process-wide protection rather than thread-based protection (commit message at https://source.chromium.org/chromium/chromium/src/+/46e23c81... )
The security improvement I want is that when I run ‘ps ax’ on a fresh install, I have reduced attack surface instead of dozens of random daemons hardwired into launchd like the one for classrooms(??), iCloud and photo sharing even when those features are disabled, etc.
This is a big issue - on Windows you can set services to not start up unless they are needed, and you can turn them off so they don't run at all.
On macOS, the launchd configuration seems to be hard-wired and protected by SIP; there's no easy way to disable random daemons for features like remote student device management - something that most users would not need or want. And as you note even if you disable the associated feature (e.g. in Preferences) its daemon can still run.
It's always annoying when you're not doing anything but your laptop heats up and turns on the fans because some stupid daemon has woken up and decided to re-scan the same files (such as game updates) for the 100th time.
Not to mention photoanalysisd, which burns large amounts of CPU for days/weeks and runs even if you disable the intrusive and obnoxious holiday events/memories features in Photos.
> Not to mention photoanalysisd, which burns large amounts of CPU for days/weeks and runs even if you disable the intrusive and obnoxious holiday events/memories features in Photos.
This and many other daemons related to photos is very annoying. I have my photos stored on an external drive because the internal SSD isn’t large enough for that, and it’s a nightmare every time trying to eject the external drive. Even when nothing has changed in the photos library, these daemons will be busy scrubbing the disk and keeping it busy for hours or days. The only solution is to find each process (per user) and kill them.
Does anyone know for a way to disable this scanning by photoanalysisd? (Other than not having any photos.) my old laptop keeps chugging away at that process for tens of minutes after each wake.
Apple's Photos app can search photos based on their contents (e.g. try typing "cat" into the Photos search box). It can also identify individual faces, and group photos based on who's in them.
All of this is local-only. (Which is why it has to run an expensive indexing process locally.)
Cool tech, but so frustrating if it can't be toggled as an option. Reading this it's clear that I would be even more incompatible with macos now than when I left it years ago, just the lack of control.
photoanalysisd was responsible for making my Mac feel slow at least 80% of the time I started to notice it chug. Apple should really limit the processes CPU time so that it doesn't randomly spin up my fans.
The CSAM thing "came to light"? They announced it publicly and proudly, before it was even implemented! There's no reason to think they are hiding anything.
I kind of bailed on macOS prior to Big Sur, so I'm not sure—but I think you can do that. Authenticated-root would need to be kept turned off, but that's a separate thing.
You're going to have to redo everything after every update, however.
I'd be interested to hear from someone with deep security knowledge:
Some people have dismissed OpenBSD's mitigations as overhyped (i.e. - things like W^X are not the main problem, linux has long caught up, etc).
But now we see Apple adding precisely some of these mitigations.
Where does this leave such architectural countermeasures? Are there real gains from investing in such low-level things? Are they irrelevant in an age where many laptops still have ports that give direct DMA access, users are not savvy and sandboxes incomplete?
W^X is a good mitigation to prevent attackers from just spraying shellcode into a RWX heap. This is how most JIT engines used to be attacked, and many exploits continue to include WebAssembly just because Chrome will create a RWX arena for this. Many of the OpenBSD mitigations are actually a good idea, but some are fanciful junk. The posture that the team has towards pushing those latter ones is what generally makes people unhappy.
Also, do note that Apple silicon puts everything behind a DART (essentially an IOMMU). This is noted in the article:
> Device isolation was another M1-only feature, that uses the more powerful IOMMU of that platform to make sure hardware devices can only share memory with the operating system and not with each other. Cross-device memory sharing is a historical custom, based on a blind, unfounded trust in hardware.
So what mitigations are "fanciful junk" exactly, and was that actually known before or just poo-poo'd the way basically everything the openbsd folks introduce is?
macOS has enforced W^X in most cases for many years.
As for the two mitigations mentioned in the article:
NO_SMT seems to be equivalent to Linux's "core scheduling" feature, which landed recently [1]. This approach, involving disabling SMT (aka hyperthreading) for specific processes, is different from OpenBSD's more brute-force approach of disabling SMT systemwide; there are pros and cons to both approaches.
As for the other one, forcing VERW to be executed on every return from the kernel, both Linux and OpenBSD chose the brute-force approach of doing this for all processes by default; both added this feature in 2019 as part of the coordinated disclosure of the MDS vulnerability class. Apple is instead doing it on a per-thread basis. Again, pros and cons.
(To provide more context, before the new APIs Apple used to flip actual page memory protections, which required going through the kernel. The new SPRR APIs allow for essentially the same thing, except they work per-thread and just set a register accessible from userspace that essentially applies an extra mask on the permission bits, which is much faster.)
It’s clear that W^X isn’t “solving security”, but it’s not a bad idea just because it’s a low-hanging fruit. On Apple platforms, I think that it came to be as a natural consequence of the ability to toggle RX mappings to be RW without a syscall.
Almost all DMA-capable peripherals on Apple Silicon (including iDevices) are gated behind an IOMMU.
Note that, although it was published recently, this article covers macOS 11 (Big Sur) which released last year, not macOS 12 (Monterey) which is in beta.
This is a great write-up. Are Apple getting more secretive as I had heard they were trying to become more open regarding their security. This and not providing release notes [1]for 11.5.2 make me think otherwise
I was hoping the article would mention the recent "security improvement" that prevents daemons from using Bluetooth in Big Sur. I haven't seen anything from Apple (or anyone else) explaining how that improves security.
That hasn't been a trivial option for a while, userland W^X (DEP) was implemented across the board >15 years ago.
TFA seems to be confused about what Apple did with the M1, macOS has had W^X enabled across the board (for userland) on all supported 64b architectures since 10.5 (10.4 only had stack W^X).
> NO_SMT disables Simultaneous multithreading (SMT), the CPU feature better known under Intel’s trade name of “Hyper-Threading”. SMT allows a CPU core to execute two or more threads at the same time, for improved performance at the cost of contention for per-core resources, such as caches, TLBs etc.
> Letting multiple threads share invisible resources carries the risk of letting a malicious thread steal secrets from a “sibling” thread running on the same core—a risk that over the years has materialized into multiple attacks, like TLBleed, PortSmash, Fallout, ZombieLoad, RIDL. A straightforward mitigation for this entire family of attacks, past and future, is then to simply disable SMT, which is what NO_SMT does.
BAHAHA cperciva was right! It’s a decade later and people care now! Linus didn’t care at the time!
I’m on mobile otherwise I’d link to relevant refs, but it was an “I told you so” 10 years in the making. Maybe longer? When was cperciva’s cache stealing research?
> The problems introduced by caches have been further exacerbated by the current trend towards increased parallelism. On recent processors implementing simultaneous multithreading [18], such as Intel’s “Hyper- Threading” processors [11], access to the L1 cache is shared between two independent instruction streams
And here we are 16 years later, with NO_SMT. Neat.
Perhaps my emotional outburst wasn’t substantive, but boy was it satisfying. I’ll try to restrain such urges in the future, but somehow I doubt a 16 year “told ya so” will pop up again any time soon. It’s half as old as I am.
I wish I could remember Linus’ remark about cperciva’s attack being merely “theoretical.”
Linus: "[...] I'd be really surprised if somebody is actually able to get a real-world attack on a real-world pgp key usage or similar out of it (and as to the covert channel, nobody cares). It's a fairly interesting approach, but it's certainly neither new nor HT-specific, or necessarily seem all that worrying in real life. [...]"
Sounds good but a problem with Apple's latest releases are that a lot of its security features listen only to Apple and not to the user.
This doesn't concern most of the improvements mentioned in the article, those are purely technical improvements at a very low level. But the signed system volume for example (also mentioned), while a good idea, lacks a convenient way for the user to make changes to it. I'm not very happy leaving my security to a black box and just trusting the supplier implicitly. This is a supplier that introduced a "get root with blank password" bug and the "your password hint is your actual password" one. Sure, everyone makes mistakes, especially for that reason I'd want to have more access than they offer now.
macOS is becoming more and more like iOS, which is also way too closed in my opinion. More locks is always good but the user should have a key, not just the supplier.
On the other hand, Linux is getting better and better. And with the prevalence of web apps, the main obstacle to running non (MS | Apple) systems is getting smaller. With Linux, you can adjust the level of security you need and you keep the key. Security improvements appear also in BSDs, especially OpenBSD, but honestly I wouldn't recommend people used to macOS to switch to OpenBSD (yet).
Reasons were the excellent jails system, the ports collection, the ZFS on root (though Ubuntu is starting to offer that) and the great documentation. I also don't like the scale of corporate involvement in Linux development. In the end that leads to companies trying to insert their own IP with a view to monetisation (like Ubuntu with Mir, Upstart, now snaps). It's also the most suitable for a desktop system of all the BSDs I think.
But it's not for everyone. For one the hardware support is limited. I didn't even bother trying to get the WiFi or bluetooth going (I run this on a pure desktop). For laptop use I'd use a flavour of Linux, though I'm not entirely sure which I'd use :) It also doesn't hold your hand as much as most Linux distros, though it's not nearly as barebones as arch either! I'd consider it something a bit in the middle like Manjaro. Overall I'm really happy with it though.
I still use Macs for work though and I administered them for a long time. It's always a struggle if you need to do something that Apple doesn't really want you to do. You may get it working, but there's a good chance it'll get broken in whatever minor patch that's coming along without warning :) Unfortunately in a business with less than 1% Macs you can't always do things the Apple way.
A bit off-topic, but as a FreeBSD newbie: This summer I switched my ~6 home servers from CentOS to FreeBSD and absolutely love it. Trigger event was trying to set up a dedicated Linux VM for Ubiquiti's UniFi controller software. I was really fighting various dependencies in CentOS, then Ubuntu Server, then Debian... and saw that FreeBSD had an up-to-date package. Newbie FreeBSD user, from ISO install in a VM, to running Unifi Controller, took maybe 45 minutes. I was impressed and as I dug deeper, I began to appreciate its design.
As a 20+ year Linux user and 10+ year paid Linux admin, BSD has really connected with me as a sysadmin. Besides the clean filesystem structure and updated docs, there's generally "one way to do something" (looking at you, Red Hat...) and surprisingly, the packages are more up to date than I'm used to in CentOS / Ubuntu Server, usually tracking the latest stable releases. For the core system, there appears to be no update churn as with Linux distros.
After I discovered the FreeBSD images for the Raspberry Pi, it scratched my tinkerer itch and now... yeah.
People joke about The Year of Linux on the Desktop, but I believe we've been there since ~2014, when Chromebooks started to really get good. Goes to show a full "desktop environment," as we know it, isn't always needed for a great experience.
You get that. And about a million tradeoffs in terms of usability. No thanks.
Edit: To those downvoting. If you genueinly think running linux isn't a UIUX downgrade on macOS you are totally deluded. Its more open. Cool. It's also a UX nightmare.
Nah. It's great. You can view hidden files in the file manager without memorizing a keyboard shortcut or terminal command. Most Window managers don't rely on track pad gestures and so the mouse feels like a first class citizen. Window management in the big DEs is better than macOS. MacOS is a frustrating mess to me.
So piss off the users that do? For a while there wasn't even the keyboard shortcut. Throw up a scary warning if you need to but I feel like it's a basic system function that should be included. Some how Windows manages to allow users to toggle hidden files through the GUI and I haven't heard of too many disasters because of it.
I would argue it's actually worse with the keyboard shortcut on OS X because it's completely possible for someone to trigger Cmd+Shift+. accidentally whereas in other OSs it's a clear toggled option in the GUI.
There are many differences between Linux in general and macOS, but I wouldn't name UX as the first advantage of the latter. One of the first things I do on a fresh macOS device is to install Rectangle (previously Spectacle).
I have many gripes with Linux, but not about UX. I use preemptive kernels on the desktop for example, because the vanilla kernel is geared towards more general usage, which practically speaking means servers. Sometimes I need to spend more time when installing some new piece of hardware (and sometimes I don't, it works automatically).
One of the biggest advantages for me personally is that I can diagnose occasional problem myself, down to a single character in the source code if I want/need. I know what is running on my system and why, and if I want, I can remove it. (Or, I can make it very hard to remove.) I know what is getting in and out, and I can block it if I want, without any built-in exceptions for the vendor. When you come to think of it, this should be the default for all systems, but we're heading in the opposite direction.
Rectangle is pretty great, thanks for that pointer. I've been trying all kinds of tiling wms on MacOS, but they just don't quite work in this world -- since they're unable to do everything that's needed. But Rectangle allows me to make the decisions, which works a bit better here.
What's still missing with this setup is a shortcut for easily moving a window to another desktop. Any clues how to achieve that?
And finally there's the irritating MacOS UX "feature", that selecting an application with cmd-tab doesn't switch to the desktop where it is, or doesn't unminimize it if it's minimized.
I don't think anyone should downvote expressing an opinion, at least when it's done without toxicity like you did. Ok, that "delusion" remark was a bit toxic. But anyway.
Here's my opinion: i3 is vastly superior to anything macos is offering in the desktop space in terms of usability. Sure, wrestling with minutae like proper font rendering and DPI settings is a huge pain, but a) some distros do those things for you and b) if you're not a serial distro hopper / manic reinstaller, those things don't have to be done too often.
I genuinely think it's an UX upgrade. And I've been using macs almost exclusively for 5 years now.
The bad things of Linux are still bad: subsystems get replaced all the time (often with just minimal technical justification), and the replacements are usually (if you compare them to Macs) alpha quality for a long time. And the integration is lacking. Notable contemporary examples: oss/alsa/pulseaudio/jack/pipewire and x11/wayland. This is something I truly don't miss when using macs. Almost everything else I do miss.
To me Mac OS has a nicer looking UI, but i3 has better UX. For instance, the animations on Mac OS are annyoing. There is nothing good about adding a delay to basic operations. On i3, I can switch between workspaces in an instant, on Mac OS, I have to wait for a stupid 200ms animation to finish - and that is after already fiddling in system settings to disable fancy animation effects (the default was slide-in, ugh).
Fair, but it's not vastly superior for the majority of computer users, whose experience revolves entirely around the mouse. That's what I was getting at with macOS being better - generally, obviously not for every person.
Recently the hard drive in my Mac became inaccessible to MacOS even after formatting and a lot of other things. Somehow it was able to install Linux though, so I did that while waiting on the new drive to arrive. I tried a number of different distributions, and I had the experience you describe. It was death by UX papercuts and I could not wait to get back to MacOS by the second day. I hadn't used Linux in a decade outside of ssh to remote servers, and I really had high hopes for improvements in the UX since I last used it.
Playing with a distribution for 10 minutes and then installing another one is not going to make you understand it. It took me a while to take to KDE too. After you start actually working on it you'll find things that annoy you, start looking and find that there's actually a wealth of configuration options (which macOS absolutely doesn't have).
If you want something more Mac-like, Gnome is a thing of course but it's too opinionated like Mac for me.
Being dismissive of the UX of Linux isn't going to improve the market share of Linux for ex Apple people. I wish Linux was more on par because I don't like where Apple is taking MacOS.
It wasn't ten minutes, and there were way too many configuration options that I couldn't fix (like the terrible trackpad scrolling) despite best efforts that it wasn't worth it, and too many that I didn't want to bother. The point is that out of the box, the UX of the Linux UIs has historically and still does suck compared to tools that have a UX focus, and that's a deal breaker for a lot of people that I know.
> If you genueinly think running linux isn't a UIUX downgrade....
You've betrayed yourself with this statement. There isn't one Linux. I know this might just seem like more of the complexity non-Linux users want to avoid, however users are free to install whatever desktop environment or window manager they like. You could even opt for a desktop environment that resembles MacOS in most ways.
I use MacOS in my professional life, and Linux in my personal. My Linux PC has my own personalised setup built around the i3 window manager. I can say without question that I'm much faster and more productive on Linux than MacOS.
This entire comment proves my point. To you - a developer / tech pro, you feel Linux has a better UX.
My point was generalised, and I think generally the average computer user is going to have a better UX on macOS than linux. If they can figure out how to even set up Linux of course.
But that's part of the problem. There isn't a single DE which means that any applications that aren't specific to a DE will provide a UX that is inconsistent.
That's not really true. Outside of tiling window managers, pretty much everything is designed around the same, familiar model of minimise/maximise/close buttons in the corner of the window. Just about every mainstream OS supports different UI toolkits, and for the most part everyone lives with this.
Even tiling window managers don't really have any problems. They provide a very niche UX, which is almost entirely keyboard driven. There's not a single general application I can think of designed for use with this kind of window manager. Still, you get a pretty consistent user experience for the most part.
Apple's own UI is far from consistent either. They're always breaking their own UI guidelines. And many apps are electron which don't integrate well visually either.
Except, those quickly disappeared. That's the essence of the joke that was mentioned. Each year was called the year of the Linux Desktop, but it never happened.
I can't even remember the last year desktop computing was relevant. Professionals absolutely use it, but the market share that has gone to phone, tablets, and chromebooks is incredible.
Strongly disagree. The experience of Linux on desktop computers has never been better, and has been steadily improving for years. ‘Year of the Linux Desktop’ is of course a meme so it doesn’t really matter how long it has been current year, the fact is that every DE is improving and it has never been easier to be a Linux user.
If there is any criticism that can be made, it’s that the amount of choice can be overwhelming - there are dozens of highly polished, functional distributions - but once you get past that there is no practical limit except the way that Microsoft products like Office are locked away (even this is improving, since you can use Office online).
For a developer / power user Linux Desktop is years ahead of Mac OS. I recently bought a Macbook for testing and given how shiny it is, I had the thought to consider using it as a daily computer, but I could not switch because of the obstacles below and I continue being a happy Linux user:
1. Security. On Linux you can setup mandatory access control - i.e. AppArmor, SeLinux, and even if you don't want to fiddle with that, you can create mutliple users for multiple purposes to sandbox your data from untrusted apps. Running a program as another user is no problem on Linux - try it on Mac OS... (I did try it and it almost worked but things like select file dialog won't work, which makes it useless). By the way, Apple introduced some sandboxing capabilities in Catalina, but it's almost insulting because it only allows to restrict Desktop, Downloads and Trash directories, and not allowing the user to restrict other custom directories to certain apps only. And even for Desktop/Downloads it does not work reliably - i.e. I could not isolate a web browser from accessing desktop.
2. Privacy. I accidentally came upon article from a few years ago where it was revealed that Mac OS sends usage data to Apple or a third party on an unencrypted channel. Then there's the recent issue with client side scanning.
3. Desktop experience. This may be cosmetic but I don't like that Mac OS forces a slow 200ms fade animation when switching between desktops. You can't even switch back and forth too fast because the switching mechanism won't catch the hotkey if the slow fade animation is in progress.
The hardware is good though. Really hoping M1 on Linux will become a thing.
I understand that there are still some pain points for casual users. I first started using Linux on a daily basis in university in the mid 2000s. Back then, even distributions designed for casual users like Ubuntu had problems with everyday tasks like configuring multiple monitors. These days, I don't see any of those problems. I'm pretty confident I could give my parents a computer with Ubuntu 20 on it and they could probably figure out how to do their everyday tasks without any issues.
This, a million times. Now that Mojave is starting to get dropped, Linux is exactly what the doctor ordered for me. I feel a lot safer in a system where I can check the locks instead of being told "the door's closed, you're fine."
I'm a very privacy conscious Linux user. I'm not doing anything illegal, so I have no active concern about security. I'm not unrealistic. When it comes to my threat profiling, I don't expect my desktop to withstand attack by alphabet-soup US federal agencies. I just want to know that I have complete ownership of my hardware, and my data. I'm satisfied just knowing that a shadowy company like Google, or Apple, is not profiling me. If someone was going to be concerned with security from the government, Linux is still much more preferable than Windows, Android, or MacOS.
Very difficult to do so as anyone can create (and distros do) a customized kernel and userland with severally different compiling options.
OpenSSL vs LibreSSL, Glibc vs Musl, X11 vs Arcan (or just the framebuffer/KMS), and so on.
Also, on exploits realize Linux and BSD run in devices very different from X86 right? NetBSD today runs even on Alpha, and 0days won't work with ease there.
When you think about the utility of such backdoors, the ones in Windows like in Bitlocker are much more useful to intelligence agencies than a similar thing in Linux. As Linux is mainly installed on a server, we are talking about a backdoor that allows defined or arbitrary code execution based on a given signal such as specific connection data. What happens next is also important (a connection is established, a hidden process is created and so on). When you take all this into consideration, hiding a backdoor in the Linux kernel is not the most efficient way to proceed, especially when you normally deal with specific targets. So instead of a full backdoor you would prefer introducing a feature that would play nicely with a zero day you already developed.
You don't think, with all the resources available to them, the intelligence community would spend just about whatever it took to sneak a vulnerability or two into the most-run piece of code on the planet? The core devs don't even have to be corrupted--there are 28 million lines of code in the kernel, you don't think a motivated adversary could sneak something past the gate keepers?
I don't think this is realistic any more. There's just too much noise, too many chatty processes, too much traffic.
A while ago I tried to track the start of a single application, a new install of Firefox. IIRC the first start generated traffic to about a dozen endpoints.
Also, macOS and Windows generate enormous amounts of traffic (others here have noted that).
The amount of background traffic is simply overwhelming. Perhaps security companies can make sense of it all, but it's far too much for most technical people.
I run my own OpenBSD firewall and I've long since given up trying to understand what my Macbooks are doing.
The beauty of OpenBSD itself is that it starts very few daemons, and all source code is available. So it's easy for me to understand what my firewall is doing.
It's well known that they've already tried to insert back doors many times. On the other side is a huge amount of resources auditing and reviewing the kernel. Many reviewers, auditors, security analysts.
You can always disable CSR/SIP generally. macOS is unlike iOS in that many security mitigations can be disabled. The fact that new M1 Macs let you side load a diff non-Apple in iOS should be the ultimate proof you need of this motivation to allow user control on Macs.
Yes you can disable it, but then you disable it completely and totally. There is no middle ground. Most of the time these things are totally great ideas. Apple is doing really great work on the security front for sure. It's just what they lack is a way to customise them. Most security improvements they make involve giving Apple the keys and them alone. It doesn't have to be that way.
For example I would want to be able to just make an exception for some of the files I want to change.
There actually is a middle ground, in some cases - csrutil can, for instance, allow you to disable unsigned kext blocking but keep the rest of SIP enabled.
I thought those were entirely separate things? There's now a GUI option for the unsigned kernel extension block (in the startup security utility). I don't think that's part of SIP per se. It's also the one you need to run any other OS. Whereas SIP is a thing within the OS itself as far as I know. But I have to admit this is where my knowledge gets fuzzy :)
The kind of control I'd want is allowing to add a signator for approved kernel extensions. So that I could add my own key and sign kernel extensions myself. Or trust another party to do this. Just like you can add your own keys to Secure Boot on a PC. The same with the app notarisation. Another feature that's essentially great, but fully under the control of Apple. For example, as a corporate admin it'd be great to be able to notarise which apps I'd allow our employees to use.
These security tools would be super powerful and useful if we would be allowed to configure them more.
I know! And I do (it prevents popping up a user with a gazillion prompts to accept when they enrol)
But this is just kernel extension stuff. We know users use some software (not with kernel or system extensions) that's not allowed in our environment. Zoom for example (people are allowed to use it in the browser only for contact with external parties but many people install the full thing anyway). Our security department has banned the full client because of the backdoor it introduced.
Right now we mark it as malware in our antivirus, but it would be great to be able to prevent it altogether.
Many years ago, when it wasn’t possible to set a strong iPhone password, I worked out I could construct an Exchange ActiveSync profile enabling a strong password policy instead of a four digit number. I didn’t have a corporate Exchange server so I pushed it to the device using the fantastic and open source z-push. A strange length to have to go to mind. I also used this method to force full device encryption and wiping device after 10 failed attempts.
All of these are now possible to configure in settings now and device encryption is on by default.
If one mentions Android’s “openness” as a plus, people (rightly) point out that sure, it is technically open source and you can often sideload, but that doesn’t mean it is friendly towards those things necessarily. A lot of downsides come with rooting and bootloader unlocking after all. That is when comparing to iOS, which is more restrictive than macOS, as you point out.
I mention this because I think that it’s good Apple lets you use some of the hardware you own with relatively little restriction if you so choose, but it is a lot less practical than the previous status quo and other systems. You definitely lose some functionality (on M1, I believe you lose at least iOS application support.) If we’re going to be frank about it with Android, I think it’s fair to be frank about it with macOS/M1.
I would guess things could be better if user choice was as much of a focus as vendor control.
>A lot of downsides come with rooting and bootloader unlocking after all.
I think you might be confused. You don't need to root or unlock the bootloader on an Android device to side load apps. Just download desired APK and accept the security prompt of installing from unknown sources. It's literally that easy.
Those applications can't get root, though, and that does limit user control of the device.
(I used to root Android phones in the 4.x days, and then stopped, and then went back to iOS as I found myself doing progressively less and less with my phone.)
Except doing so doesn’t let you run iOS apps and not to mention is a pain to do so after every update (I believe SSV requires that).
The list of things to disable seems to grow every year. Even with Gatekeeper, CSR/SIP disabled I’ll still have issues opening applications which may (or may not) be fixed by taking it out of quarantine, changing the signature, etc
Won't the next update still wipe out your system changes, putting you back to insecure openssh password auth, etc., or do they have a system to merge your changes over now?
Exactly. This is the #1 problem I have with the implementation: I want to set up public-key authentication as the only option on openssh ("Remote Login").
You create and run one fixup script as root to modify /etc/ssh/sshd_config. That is root writable and not protected by SIP. It is a tiny hassle, but really no big deal. The fixup script can handle any of these cases, assuming they are in config files that are writable.
> signed system volume for example (also mentioned), while a good idea, lacks a convenient way for the user to make changes to it.
MacOS has no convenient way to know if changes are made by the user or malware. It is a feature, not a bug, for most users. Why would you need to change system volume anyway?
As others have said, you might want to modify sshd_config. However, I disagree that that is a big deal. Just write a little script to fix whatever you want to modify after a major system upgrade. If you are messing with sshd_config, you should now how to write a script to modify it. It is not protected by SIP. I don't understand why so many unix competent people seem to think this is a big problem.
The password hint bug, for example, was “only listening to Apple” in the narrow sense that the OS wouldn’t let you run your own implementation of password hints or login. But it’s not a backdoor.
There are plenty of built-in features that aren’t configurable, which is fine and good. Because most people have no idea what those things do, most of the rest shouldn’t touch them, and leaving them as configurable or editable opens up a whole class of malware.
Correct, though both layers remain active. The application-level firewall in the macOS GUI and the packet-based pf layer work on top of each other (I believe pf is on top of the application layer one but not 100% sure).
So if you have the application firewall on, opening ports in pf won't help.
I'm kinda surprised pf is still in there to be honest. I know some security solutions like McAfee Firewall use it under the hood. But they could do similar things with network extensions. I have expected them to drop it for years now.