Hacker News new | past | comments | ask | show | jobs | submit login

It's been rather disturbing to see this whole thing play out --- I'm not taking sides here, but Apple "flexing its arms" in this manner shows that it is willing and has the power to go beyond policing its App Store and such (which while I do not like, I feel it does have the right to) and involve itself in the affairs of third-party software which it did not originally install. (This is subtly different from updating things like OS files, for example. Some other comments here suggest that the installation of this update is controlled by a setting described as being for system related updates, which a user would expect to leave his/her third-party software alone.)

You may agree with its decision this time, but will you always agree? Apple's wielding of power in this way is likely to attract the attention of groups such as copyright/IP lobbyists, which have an immense desire to have all "non-authorised" files/software erased from all user's machines.

As the saying goes, "two wrongs don't make a right".

In any case, the idea of the OS/platform vendor meddling with third-party software that it doesn't like just feels wrong. I know Apple has historically held tight control over its mobile platforms, but the Mac is meant to be different.

I am not an Apple customer, and I now feel even more reluctant to become one.






lol they removed what would be called horrific spyware if it wasn’t made by Zoom and you’re over here on some lofty criticism about possible implications years into the future

any OS (and many other apps) that update have the power to do what you’re afraid of, and much more.

plus i don’t really see a bright line between system level software and an app when apps can access your video cam, mic, all your files - basically your whole computer.


That's it right there. This isn't some gray area, questionable thing like that time they pushed a David Bowie song onto people's iTunes. Remember that? People completely lost their minds over it, and I agree with the sentiment.

This isn't third-party anything. No one even knew this was running on their machine and it was demonstrably abusable. Good riddance!


As one of those people who got really annoyed by it, here's two reasons why:

One: On the family iPad we had at the time, we hadn't ever uploaded music to it from the family library, because there wasn't enough space for it all. Whenever anyone opened control panel and accidentally pressed "play", something by U2 (with a not-appropriate-for-little-children album cover) would come on.

Two: It was hard to remove that darn album. I couldn't figure out how to get it to go away for the life of me.

There's also a fundamental difference between someone adding something like Clippy to your desktop (or a U2 album) and someone saying "you need to fix your stuff or you get kicked out."


a David Bowie song

It was an entire U2 album, a far greater offense.


It’s blasphemous to equate these artists.

If it was a Bowie song, people probably would've been happy.

any OS (and many other apps) that update have the power to do what you’re afraid of, and much more.

There's an ocean of difference between can and will.

plus i don’t really see a bright line between system level software and an app when apps can access your video cam, mic, all your files - basically your whole computer.

The setting ostensibly refers to the operating system, i.e. macOS, which I have no problems with Apple modifying if you've enabled that option, and which their EULA probably has a clause about. But from a legal perspective, modifying a third-party application which Apple does not own and did not install seems an overreach; unless their EULA explicitly grants them the right to do anything they want with the files of the system it's installed on, they could find themselves in legal trouble. (That notorious CFAA and the like.)


I’m quite happy with it, as I don’t see millions of people removing some hidden directory.

No more zoom for me.


The point is precisely NOT to think about only this one case like many others seem to be focusing (or Zoom-ing in...?) on, but to consider how far you are willing to let Apple exercise its power over your computer.

Would you let it scan all your files and delete e.g. "suspected images of child abuse" (to use an old cliche)? Suspected copyrighted material or fragments thereof? "Extremist" content, or content which is contrary to current social norms? How authoritarian does it have to get before you start being creeped out?


This is a classic "parade of horribles" argument. I do not find them compelling, personally.

If Apple starts being abusive, they'll get their hand slapped. If they don't, they don't.

There's no better company positioned to do anti-malware than the vendor of the OS itself. Which is why Apple and Microsoft both do it. You can disable updates on both platforms if, for some reason, you don't want anything to change on your system without your explicit action (pros and cons to that, obviously). But for most end users, the tradeoff of control vs. security is a very easy one, since the average user is in no way qualified to secure their own system or audit the code that runs on it.


You can take any capability and stretch it out to some absurd extreme. What if apt-get whatnot trashed your entire computer? What if buses started hunting pedestrians for sport? It's a line of inquiry that prioritizes handwringing over insight.

Has anyone ever asked bus companies to start hunting pedestrians for sport? The answer is clearly no.

Contrary to that, the demands from governments and others for tech companies to "take responsibility" and become enforcers of all sorts of perceived virtues is reaching a crescendo.

And it's not just about clearly dangerous things like child porn or terrorism. The UK government seriously demands the takedown of "harmful but not illegal" content.

Just think about that concept of "harmful but not illegal" for a moment and you'll see that the sort of overreach that userbinator is talking about is anything but "some absurd extreme".


I still have a lot of trouble seeing how Apple removing a critical vulnerability - a completely mundane act with plenty of precedent from both Apple and others - is some clarion call that, if left unheeded, will have Siri judging everyone's hentai collection next. Why this - preventing myriads of users from becoming campeople - of all things? Why not, say, every Chrome autoupdate ever?

> I still have a lot of trouble seeing how Apple removing a critical vulnerability

You have that trouble because you are focusing on the "critical vulnerability" part and ignoring the fact that Apple decided to uninstall a program they had nothing to do with from your computer without your consent.

The intentions might be noble, the implications however are less so.


But they didn't uninstall 'a program'. The product itself was unaffected. And, again, this was done in consultation with the makers of the 'program' who had screwed up badly enough to be unable to fix the problem themselves. Nothing happened here that doesn't regularly happen when all sorts of things update.

These are unimportant details, the issue is with Apple modifying people's computers silently and the users themselves having no knowledge or any say about it.

Replace this instance with something that you disagree about (imagine Apple removing VPN software from Chinese customers due to demands from China or "fixing" existing VPN software with backdoors that enable Chinese authorities to wiretap Chinese people) and see what the issue is here.

(if that example would happen or not is irrelevant, i'm making it to help you see the issue in a context i think you'd disagree with Apple about, i'm not making it for you to argue if that would happen or not)


You brought up the details, inaccurately, to now tell me the details don't matter. You can understand, I hope, how this starts to feel like an exercise in eel juggling.

I didn't brought up details, i explicitly mentioned in my first reply to you to ignore the specifics of this case, ie. the details, and see what happened without them.

> something something Apple, a US-based company who prides itself on privacy helping China spy on people.

Apple engineers go to China. Anything they do to help the Chinese government can immediately affect their own workers. If they did that, and a bunch of people with Apple devices got thrown in jail / whatever, their stock, and moral standing, would suffer some serious blow-back for it.

Google Chrome has a thing that pops up when it thinks you might be getting attacked / phished by somebody. I wouldn't mind if OS X terminated my connection and said "Hey, we don't think this is safe" to me, especially if it was something that the average person isn't likely to notice and can cause damage to them (also, in China [relative to the US], the stakes for everything are generally higher- the US probably tracks you around, China for sure does that and is actively nabbing people a lot more frequently, too.)


I already wrote

> (if that example would happen or not is irrelevant, i'm making it to help you see the issue in a context i think you'd disagree with Apple about, i'm not making it for you to argue if that would happen or not)

It is in its own paragraph. That China part wasn't meant to be debated, it was meant as an example of an event that if it happened would make you disagree with Apple. The important part of this example is you disagreeing with Apple, not the reason why.


>terminated my connection and said "Hey, we don't think this is safe" /

That's not equivalent, equivalent would be doing something you don't realise, the point is about user agency: keeping users uninformed and, for those that get the information out-of-band, unable to exercise their own control over the situation.


>the users themselves having no knowledge or any say about it.

This is not true. You can disable all the automatic updates in System Preferences.


This is a nuclear option and the issue isn't getting updates, the issue is being silent and not offering any control over that. See my other replies about Windows Defender about what i meant with that.

What do you mean? They're silent because they're malware updates. You can turn those off.

>uninstall a program they had nothing to do with from your computer without your consent.

Incorrect. Users who are vulnerable to this had already decided to uninstall Zoom and that's why it was a vulnerability. Zoom had decided to ignore the user's wishes and leave their server behind so that it could re-install the software. Apple's update simply enforces the users' past decision to uninstall the application.


The problem is that Apple appears to have made an exception to its own rules in this particular case. If I understand correctly, they used a first party system update mechanism to change third party software.

It's like Google making an ad hoc decision to use Chrome autoupdate to silently patch a particularly bad vulnerability in Microsoft Word just because they can.

So what is the principle behind this kind of exception? It's simply this: If it's bad enough, normal rules can be suspended and anything goes. It's like declaring a state of emergency. It's not normal or mundane.

Now the question becomes what is bad enough and who gets to decide what is bad enough? People will point to incidents like this and ask questions like: Why was the San Bernardino attack not bad enough for Apple to suspend its ususal rules? Why can people store tons of pirated music on their Macs without Apple taking action? Why does Apple allow criminals to hide behind end-to-end encrypted messaging software?

If Apple has decided to take responsibility for the security of all third party software on macOS then they should say so. They should change the rules instead of breaking them in an ad hoc fashion.

Then we can all decide whether or not we want to hand total control to Apple (and to those who have control over Apple).


This is untrue. The update process was part of Xprotect, the malware definition/signature system built-into macOS that's part of Gatekeeper [1]. It dates back to Mac OS X 10.5 Leopard and was expanded on Mac OS X 10.6 Snow Leopard (the Gatekeeper GUI was introduced in OS X 10.8 Mountain Lion and back ported to Mac OS X 10.7.5 Lion). Updates were historically issued via minor OS updates, but Apple started to do silent updates to the Xprotect definition list a number of years ago, as a way to target popular/growing strains of malware (which were often installed via cracked apps).

There were a few instances in the last few years where the repos or built-in update systems of legitimate programs were compromised and bundled malware (and in one case, ransomware) along with their apps. In those cases, Apple also silently updated XProtect to remove the malware.

In this case, just because this was a webserver and not something more traditional like a trojan doesn't mean that it isn't still malware. The Risky Business podcast asserted the existence of the RCE before Apple jumped into action that it says Zoom knew about for months. Given that the only way to remove the webserver is to update Zoom (something that won't help any user that has already uninstalled Zoom, which kindly left the insecure webserver behind), this type of update makes perfect sense -- especially since Zoom itself is removing the server from its own application bundle.

This was malware, pure and simple. It wasn't third party software. It was malware left behind/included with a third-party app. It's not as if Apple removed the Zoom app -- it removed the piece of malware Zoom was including alongside its app. The fact that Zoom was including this malware as a way of bypassing Apple's access control in Safari (God forbid the user have to click a button confirming they want to open a meeting) is beside the point -- this was malware.

Additionally, users can turn off the auto system updates and they can disable Gatekeeper entirely.

I understand the broader concern of an OS maker being able to remove files a user chose to install -- but this is a very unambiguous case of malware. Just because the RCE wasn't actively exploited doesn't mean it wasn't malware.

[1]: https://en.wikipedia.org/wiki/Gatekeeper_(macOS)


I understand why Apple did it and the additional context you provide does change my opinion somewhat in Apple's favor, but I disagree about Zoom being malware because malware is made in bad faith to introduce functionality the user never intended to use.

What Zoom did was negligent and incompetent, but I don't see that there was malicious intent. I do agree, however, that what they tried to do is unacceptable even if implemented competently.


I think when you refuse to address a reported security issue related to something you installed (without the users knowledge and without a way for the user to easily remove) as a way to bypass an access control pop-up, and cite that it’s a feature not a bug, until forced by the public/other disclosures to remove it, The intent is malicious.

But even if it weren’t — and we can agree to disagree on the intent — the second the RCE is popped, it becomes a massive security issue and it becomes traditional malware. As I said, I’m convinced Apple would do the same thing if this was something left behind or associated with Java or Flash.


Malicious intent is the only thing that separates malware from a regular security issue. So if we disagree on intent we have to keep disagreeing on whether or not it's malware.

But I will admit that I'm starting to see the question of Zoom's intent a bit differently after thinking about what you have said.


Lying to users about the uninstallation is pretty icky intent. It's weird to make this about the sanctity of user choice and just repeatedly ignore that bit on top of coming up with a throughly inaccurate narrative about the nature of Apple's response.

I didn't ignore that bit. You didn't bring it up in your responses to me.

Instead you defended Apple fixing security issues in third party software (as I understood it without user consent) and you compared any concerns about that with concerns about buses intentionally running over pedestrians.

So apparently our debate took wrong turn and that wasn't entirely my fault although I will take some of the blame.

I agree that Zoom's intent (and even more so their methods) is icky. So perhaps we should have focused on that, because I can understand the reasoning that this makes Apple's actions look far more justified than I initially thought.


It's not.. it is malicious. They want to circumvent os/browser behavior / user protection (the prompt to open zoom). To hack around this they install malware to get things done. It is exactly the same as using doing something that wouldn't pass the appstore checks.

It is actually very competent of them, except for the security part.


The problem is that Apple appears to have made an exception to its own rules in this particular case. If I understand correctly, they used a first party system update mechanism to change third party software.

I don't see anything in the article that suggests this - as I read it, it pretty much says the opposite. What else have you read that outlined these rules and the exception Apple made?


The article says "Apple said the update does not require any user interaction and is deployed automatically."

As far as I know, there is no system-wide update mechanism for third party software not distributed through the Mac App Store that does not require any user interaction. So apparently they (ab)used the system update mechanism.


There is nothing in the article that suggests 'abuse' let alone rules, which is what you said. It's not entirely clear exactly what was done here but it was probably an update to the Malware Removal Tool which does what you can surmise from the name, without user interaction.

I care far more about the facts than about what's in the article.

Zoom is clearly not malware. It just has a bug. Is updating regular third party software documented behaviour of macOS? If so then I agree that it is not abuse. Otherwise Apple has some explaining to do.


I wouldn't call it a bug. Zoom deliberately engineered their app so it opened a security threat, accessible from any website on your browser, on your local machine without the user's knowledge. Then they reinstalled their software after the user had uninstalled it. Again, deliberately engineered that way.

That is not a bug


Zoom's intention was not to introduce a security vulnerability. That's why I'm calling it a bug.

Their intention was to bypass an inbuilt security measure. So no, maybe they didn't mean to add a vulnerability but they did mean to reduce the security of the system as a whole

Sure, facts are important. You started here:

The problem is that Apple appears to have made an exception to its own rules in this particular case. If I understand correctly, they used a first party system update mechanism to change third party software.

I don't think any of these are established facts and I don't understand how you, a fellow fact-fancier, haven't acknowledged that before breezily moving on to a discussion of the precise definition of the term 'malware'.


If you read the quote carefully, you will see that I did use rather cautious language, and I did that exactly because I wasn't sure that I knew all the facts.

No, they installed an update to XProtect's signatures to say "this is malware, remove it if detected" -- something the company has done many times in the past.

No, it prioritizes thinking about clear boundaries ahead of time, while you're able to think clearly about the issues. "Hard cases make bad law" as the lawyers say. Ethicists do this sort of thing all the time.

There's a line between the OS and third-party software. There's a line between malicious software and accidentally vulnerable. Apple has just shown that it is willing to cross both those lines. Where is the line at which Apple will stop?


In what way did Apple cross a line? Platform vendors have automatically removed malware for many years. In this particular case, Apple, in consultation with the vendor, removed a particularly nasty vulnerability. The software itself was left alone. In fact, because the software was written so poorly, the vendor didn't even have the ability to address the problem - only Apple could. It's even odder to bring up ethics - should Apple have knowingly left zillions of users exposed to this?

To make this look scary, you have to misrepresent what Apple actually did and then extrapolate to some frightening hypothetical to end up at nothing more than a risk inherent in all self-updating software.

If the position is 'all self-updating software is an unreasonable risk', fine. But at least argue that unvarnished, and I imagine to most people, extreme and impractical view instead of trying to dress it up as some novel and intricate argument about morality and creeping authoritarianism.


Lets ask a reasonable question: who wants the zoom webserver running on their systems providing a backdoor.

I didn't want my window to be broken. I still wasn't happy when my landlord came in and fixed it without giving me any notice.

You have to extend some goodwill to a company that invested millions of dollars and absolutely critical space in its handheld tech simply for security (I'm referring, of course, to the secure enclave).

Point to me any other manufacturer who has gone to those lengths to protect their users. There was no reason for Apple to develop that tech. No one else in that space, but they developed it anyway.

Can they do all this stuff? Sure, but I don't think they will. It does not seem to be in their interest.


I'd rather put Apple in control of my computer than any other random software vendor. This is exatly why all windows systems are full of crapware and are grinding their disks out of the box

Exactly. What is the other option? Show my mom how to use terminal to delete hidden dot directories?

I also purged Zoom. They’ve blown it in the trust department. They better start working on a web app because that is as much access they’ll get from me in the future.


They didn't remove the application. They removed the mechanism by which that application was circumventing user intervention (which does actually remove the application). It's almost like a company refusing to take chinless credit cards to stop fake credit card use. They didn't do anything to the credit cards themselves to make the valid ones invalid. They just updated their policies to exclude the ones that could be abused.

It's not spyware, this was not something that was intended to be abused, it's insecure software and its very common, you're running plenty of it right now.

> It's not spyware, this was not something that was intended to be abused

Do you have a source for that. It doesn’t peek around my computer a little and/or send back any telemetry? I’m being serious, I’d like to know.

I had to install Zoom in school in 2014, I ended up uninstalling it the next week and reformatted after the quarter. I’m with Apple here. It’s shit insecure non-consenting software that wastes battery 99.99% of the time.


> I had to install Zoom in school in 2014

This is a good point; we shouldn't act as though users are necessarily making an informed choice or meaningfully consenting to all the software that's on their computers. Lots of people are forced to install software at economic gunpoint (and probably can ill afford a separate computer to isolate it on).

You can't depend on users and the marketplace to select against insecure software. The market is too distorted to function that way; the people forcing others to use shitty software are often isolated from the consequences themselves, so there's no effective feedback loop to stop it. Having the OS vendor step in is really the only good solution in the short term.


IIRC, part of the functionality included silent background updates from a domain that nearly expired, and was only renewed when pointed out to them during the discovery of this.

Thanks, that cuts through a lot of the fluff.

The part that freaks me out is you can’t uninstall it.

“The undocumented web server remained installed even if a user uninstalled Zoom.”

I’m not sure if this is common. Sony got caught with their XCP rootkit (I’m not sure if they called it this at the time) you had to fill out a “uninstall request” form on their site with your email and location[0]. I’m not sure if the uninstaller fixed the vulnerability.

So maybe a rootkit might describe this if the vulnerable webserver is privileged. In Sony’s case, the side effects were unintentional (though their history with DRM is egregious). I think Zoom is just polluted MVP in production.

[0] https://web.archive.org/web/20051104044919/http://cp.sonybmg...


It's not spyware but it's user-hostile, insecure, undocumented, uninstallable-by-the-usual-process software.

Most of the insecure software that I run has enough grace to not silently leave behind a web server to automatically re-install itself after I dumped it in the trash can.


You have no idea what "most insecure" software does, if you did you wouldn't be running it. Lots of insecure software fails in spectacularly unexpected ways.

https://www.macworld.co.uk/news/iphone/facetime-bug-hack-369...

This is a horrifying bug. Is Facetime malware? Or do developers with earnest intentions sometimes write buggy code?


Buggy code is common, silently installing and running a web server is not.

The webserver is an implementation detail. It's not uncommon for desktop application software to use native code to provide UX enhancements that are not possible within the browser alone. If the server had been designed securely it would not be an issue, it would just be left-over cruft, which is also pretty common.

This is effectively a press release to the Russian and Chinese governments that Apple could unilaterally remove all VPN software from Macs in a territory if they were compelled to.

If you don't think that's scary then you're just incapable of long term thinking.


What? The blowback from that would be huge. Why would they do that?

Yes, they can do that. So can Microsoft with Windows. So can Google with Android. Will any of them do that? Hopefully not, at the very least. Will all of them do that? Probably not- there's money to be made being the last company standing that actively protects privacy.


> What? The blowback from that would be huge. Why would they do that?

For the same reason Apple removed VPN apps from the Chinese iOS app store and multiple news organisations. Because they feel that the money from China is worth obeying oppressive regimes. I really don't think the backlash would be any worse.


There are reports there was another RCE that Zoom didn’t/wouldn’t fix. This is what Gatekeeper and the built-in anti-malware engine is suppose to do — remove malware. If you don’t want this feature, you can turn it off, but this is a sane default and a good thing.

Apple didn’t flex anything here, it removed malware from its users computers.

https://twitter.com/riskybusiness/status/1148824808236318721


If "malware" is going to include any software with security bugs, then Gatekeeper should just rm -rf the whole drive.

Zoom was literally reinstalling itself after being uninstalled. It's basically the definition of malware.

I was waiting for this comment.

> You may agree with its decision this time, but will you always agree?

Yes, I will. At least I am not going to lose sleep over it until Apple does abuse that power.

I am actually even more happy to be an Apple user knowing that the mothership said hell naw to the naw naw naw naw to this horseshit Zoom has been pulling.

If I were Apple, I'd be taking this as a personal slight against my entire user base.


> At least I am not going to lose sleep over it until Apple does abuse that power.

What if Apple abuses that power in ways that not everyone sees as "abuse", yet they are affected by it?

The reason you are not already seeing this act as abuse is because you happen to agree with it. What if you didn't agree? What if you were in the minority? What if the reason you where in the minority was that the majority simply didn't had the necessary understanding, experience and/or knowledge to see the issue you see?

If something can be abused, it will be abused, there isn't a matter of if, it is a matter of when. And with that in mind it is better to try and avoid being abused than wait for the abuse to happen and see what you can do after the fact.


This same line of reasoning could apply to any Windows or Mac OS update that disables and removes known viruses and malware.

Is it appropriate for Microsoft and Apple to push updates that disable and remove those from infected computers? If so, what is the significant difference?


No, and there is no difference, because "infected" in their eyes is not necessarily so in the user's. To give a clear example, AVs have had a long history of false positive problems with things like cracks, keygens, and demoscene productions. Even then, for the most part(? I have not used a persistent AV for a long time) I believe they still tell you first and then let you decide what to do when they find something.

I remember many years ago when the first widespread worms for Windows started circulating. All MS did was publish news and a removal tool. It was publicised greatly, but the ultimate choice was left to the owners of the computers, and that's how it should be.

All the big tech companies (and even a lot of the smaller ones) are becoming increasingly authoritarian, and that's the most concerning thing about this.


Windows Defender doesn't remove stuff silently, it shows you notifications, provides control to ignore parts of your computer you know can misfire and you can revert the actions it does.

Apple has had this ability for YEARS. They have not abused it yet.

> but Apple "flexing its arms" in this manner shows that it is willing and has the power to go beyond policing its App Store and such (which while I do not like, I feel it does have the right to) and involve itself in the affairs of third-party software which it did not originally install.

I love this. This is why I'll keep buying Apple.


> You may agree with its decision this time, but will you always agree?

To be honest I'm kinda sick of this argument. Someone brings this argument up _every single time_ a tech company takes action against something malicious. It's a strawman argument at best and at worst a way to give people an out on acting against something that could harm the user.

> Apple's wielding of power in this way is likely to attract the attention of groups such as copyright/IP lobbyists, which have an immense desire to have all "non-authorised" files/software erased from all user's machines.

This will never happen.


How is it a strawman? It's not even a hypothetical, has everyone forgotten already the constant dramas from the era in which Steve Jobs insisted iPhone apps would be banned if they weren't of "very good quality" or whatever the BS wording was? And when he went on his personal moral quest against porn?

This seems like overreach to me. It's annoying but it's not like the Zoom app was silently letting people watch me for hours through my webcam without anyone noticing - the app opens a full screen video sharing GUI for goodness sake. Is being joined to a VC without me wanting it when I click a link annoying? Sure. It also serves the attacker no real purpose and thus has never actually happened in the wild. It's also easily fixed. This is a storm in a teacup.

Moreover it seems from the last discussion of this on HN that videocall firms do this for a good reason - lots of users get confused by bad Safari permissions GUIs and end up locking themselves out of the app by cancelling the URL open prompt without thinking (which is apparently persistent!) Then they can't join the call. So the only reason these firms are using such a bad workaround to begin with is because Apple screwed up their user interfaces: why is this not on Apple to fix?

This appears to send a message to Mac devs that a single troublemaking blogger can cause Apple to kneejerkingly nuke features in your app overnight, regardless of whether you are fixing them, whether they're serious or not or whether it will result in legions of confused and stuck Mac users. Not a great message.


> Someone brings this argument up _every single time_ a tech company takes action against something malicious.

The argument isn't about taking action against something malicious, the argument is about the implications of being able to take that action and what sort of power the company has and if they should have it in light of past abuses (not necessarily but that company, but this is totally irrelevant since companies are made up of people that come and go, they do not have a single "brain" or morality).

> This will never happen.

You cannot guarantee that.


   > > This will never happen

   > You cannot guarantee that.
Can you guarantee that it will happen within the next, say, 5, 10, 15, or 20 years? Somewhere within there, the devices we're currently using will likely be replaced, and the landscape will have changed.

What I personally care about, privacy-wise, is the present and near future- will my family be safe on the internet with what I've set up for the next five years? Probably. Will the computer I'm using to type this reply on be replaced within a decade? Probably so. Will my family get a new PC within the next ten years? Yes.

Can you 100% guarantee that the Government of the United States will be intact in twenty years? No, the threats from Russia and China (both nuclear countries) and North Korea (armed or not, they're still dangerous), and space asteroids and epidemics and terrorists and politics and civil wars are not zero.

Can you 100% guarantee that California won't sink into the ocean in 100 years? That would make for some really bad real estate investments, yet people still buy and sell and build there.

People are still living in California, trading with each other, the US Government is still stable, and Apple is currently upholding and protecting user privacy. Also, we still have electricity and the internet. Now is a great time to be alive.


And this sort of widespread short-sighted behavior is why over time we lose nice things that at the past we took for granted.

> Some other comments here suggest that the installation of this update is controlled by a setting described as being for system related updates, which a user would expect to leave his/her third-party software alone.

The setting is called "Install system data files and security updates": it's not just system components.


I suppose that depends on the application of the transitive property of English grammar: "Install (system) (data files and security updates)" or "Install (system data files) and (security updates)"

Removing a malware app is installing a system security update.

Would you happen to have any examples outside of this particular update where an OS security update goes and changes something that the OS didn't itself create? Genuinely curious if this is a thing. The word "system" can be scoped any which way (see system of systems) but typically means "part of the OS" in this context.

Microsoft does this monthly with the Malicious Software Removal Tool which comes down as part of Windows Update.

Isn't it a security update of a system data file (the malware removal tool configuration)?

And it is a security update meant to annihilate a serious malware threat, not to mess with legitimate third party software.


I'm so glad that Apple pushes updates to protect me as a user. Why would I want to be vulnerable to unwanted webcam access?

I am an Apple customer, and I now feel even happier about being one.


> Why would I want to be vulnerable to unwanted webcam access?

You shouldn't want. But at the same time i do not think it is a good idea to want Apple to be able to silently remove arbitrary applications they had nothing to do with from your computer.

At the very least they should ask the user about it or quarantine the software and inform the user about it. AFAIK this is what Windows Defender does when it finds malicious files.


I agree that this entire thing has been disturbing. Leaving behind a web server after you perform an uninstall by Zoom is unbelievable in my opinion. It's not even the fact that there was a vulnerability that makes me angry, it's the idea that you say uninstall, and it knowingly leaves a web server running on your machine.

Then, Apple, can push a silent update to simply kill software on your machine which as I understand it wasn't installed through the app store.

In this case I may be happy that it's no longer running, but the whole thing is disturbing. Looking at the Security & Privacy settings on my MacBook, I see nothing about running any anti-virus or anti-malware. The closest setting I can see that might be this is under software update, where I have the option to install automatically the system data files and security updates.

It's kind of a stretch for me to consider the ability to kill some software Apple might construe as malware at anytime the same thing as a "security update". To me, a security update would patch Apple code which had a vulnerability.

Where do I tell Apple to whitelist software in the future they might not like which I've chosen to install not going through the App Store?

It's actually news to me that I'm running Anti-X on my Mac, I didn't think I was.

Considering the fact that I have to learn new places for all the buttons every time Microsoft gets bored and changes things for the "better" I'm really disappointed.

System76 is looking better and better.


I'm fine with this. I can always leave Apple and go to Linux if they do something drastic.

After years of pouring thousands of dollars into Apple's coffers you expect that Linux will still be there when you need it...

Real principles would involve switching now.


a) (s)he did set out his principle - that (s)he'd switch if Apple did something found personally egregious. Isn't this a sufficiently reasonable principle to follow?

b) Linux seems pretty solid, no...?

c) I'd argue that a better position might be 'support Linux now, in case you need it in the future'.


I like Apple products and software. Why would I switch?

I find it pretty hard to make sense of an argument that frames the removal of trivially exploitable, extremely privacy-violating malware from users' systems as a 'wrong'. The software itself continues to work and was minimally affected, if at all. If quickly intervening to protect your customers' privacy from an egregious threat is wrong, I want all my vendors to be wrong.

Given that it exposed Apple's users to possible privacy violations and Apple's actions didn't remove any function from Zoom (it operated fine, if installed when this action took place), I'd say I'm happier as an Apple customer.

They worked with Zoom to kill the zombie servers which were left behind after Zoom is uninstalled. Not really flexing. Zoom accidentally created malware, and Apple killed it using the same mechanisms they would to kill other malware.

That’s being pretty kind to a company that bypassed a system setting designed to respect user permissions by writing an always-running insecure web server —- and then refusing to remove that web server and even reinstalling itself when you remove the app.

Oh, and a company that defended the insecure web server up until the moment the public outrage exploded and/or the RCE it had willfully ignored was about to be revealed.

Oh, and a public company at that, that’s trying to convince businesses to use its product as it primary video chat system.

Apple worked with Zoom insofar as Apple cleaned up Zoom’s mess because of Zoom’s poor/unethical software practices.


How do you “accidentally” write software that can reinstall itself?

Logically this suggests not that Apple should stop removing malicious software but perhaps should have user visibility and control over the process.

For example if you classify possibly unwanted programs from annoying toolbars to randomware on a scale of 1-3 it might be reasonable to provide a checkbox to allow the user to switch between being warned of a negative program and being given the option to uninstall and having this happen automatically for non critical situations.

If the default is to on then 99% of users will be protected.

Arguably stuff like ransomware shouldn't be optional lest the malware set the option.


Does Windows not distribute automated tools via Windows Updates from time-to-time to remove Malware _and_ PUP (Potentially Unwanted Programs). I'd argue that the entire Zoom debacle is probably a PUP since a user _uninstalled_ Zoom. And the Zoom web server can _reinstall_ Zoom.

This sort of mentality means that nontechnical users will never be protected. Someone needs to take an active role in security and this kind of action is part of it. If the app developer is skirting the issue, Apple should be the company to step up. Who else will solve an issue on this scale? The developer should have stepped up and fixed it; instead they chose to dismiss it.

Apple made the right call for this instance, especially after the completely insufficient excuses given by Zoom’s CIO.


I'll never understand this argument:

> Apple's wielding of power in this way... the idea of the OS/platform vendor meddling with third-party software...

This is THEIR app store for THEIR operating system. Why in the world would they not be allowed to control their software's features or third party integrations? It reminds me of the ridiculous argument over Windows setting IE as its default browser (and I've been a web dev since the late 90s).


> This is THEIR app store for THEIR operating system.

On MY computer.

> Why in the world would they not be allowed to control their software's features or third party integrations?

Because it is not THEIR computer but MY computer.


> On MY computer.

But Apple didn't install macOS on your computer. You chose to use THEIR platform.


Actually they did as macOS comes preinstalled, however this is irrelevant. The computer and the software is running under it must be under the control of the user, otherwise it is the user who is under the control of the software.

This isn't about the App Store, I thought I made that clear in my original comment. While I disagree with the decisions it makes, I think Apple certainly has the right to control its App Store.

It reminds me of the ridiculous argument over Windows setting IE as its default browser

What do you mean by that? Instead you reminded me that saying "$our_competitor's product is not secure, so we've helpfully removed it and recommend you use $our_equivalent instead" is likely to run afoul of antitrust laws.


I'm actually quite happy to have Apple police its App Store and offer patches that eliminate security holes and malware. There's nothing wrong with Apple trying to make your computer safer and less prone to exploitation, in my opinion.

How do you feel about Windows Defender?

Windows Defender will not silently remove the software completely, it will quarantine it and make sure you know about its actions (i mean, it does make sure you know it exists even when there are no issues by its constant "Windows defender scanned your system and found no issues" notifications).

At this point it is up to the user to decide what to do and most non-technical users will leave it at that (and wont know what else to do) which should keep them safe.


The same way I feel about antivirus in general: they have tons of false positives that turn them into an effective form of censorware (cracks, keygens, demoscene stuff, Hello World programs[1][2], etc.) and are very unlikely to actually protect you from a 0-day. If I happen to have a file I want to run but feel suspicious and can't be bothered analysing it myself, which is a very rare case indeed, I upload it to one of the services that scans it with a dozen or more AVs to see what they think. Even then I will not use my main OS to try it first.

That said, in the context of my original comment, AVs are a bit of a special case because their sole and expected purpose is to detect and remove software they don't like.

[1] https://www.csoonline.com/article/3216765/security/heres-why...

[2] https://stackoverflow.com/questions/22926360/malwarebytes-gi...


Or the Malicious Software Removal Tool distributed and run regularly by Windows Update?

I think the difference here is that apple explicitly does not have an "anti malware" configuration section of the MacOS control panel. There's configuration for automated system updates, which most technical people understand to mean security patches and things that are equivalent to windows hotfixes and servicepacks.

I am with the "two wrongs don't make a right" people here. Zoom was reckless and their casual disregard for the initial security report left a very bad taste in my mouth. I'm now highly unlikely to use one of their products willingly. But having Apple initiate unattended removal of software that a person willingly installed on their own workstation machine is also unacceptable, unless they specifically opted in and checked "enable" on something that is very similar to windows defender.


If Apple removed a piece of ransomware that you installed would you have a problem with that?

Do you think anyone would have installed Zoom if they knew that it would allow any random website to activate your camera?


No, and I'm 100% in agreement with the need for it to be removed, it was clearly malware.

The question I see is really that Apple doesn't inform its users of the existence of this feature, unless you really search for it. Having something as simple as a functional-equivalent to Windows Defender with its own icon in Control Panel, which is fully enabled in the default operating system installation, should be sufficient.

Personally, unless I am specifically aware of the existence and enabled status of some anti-malware application, I don't think it's a good precedent to set for operating system vendors to start silently removing software from peoples' machines. Really all it should take is apple making people aware of the feature's existence.


While I agree with you that I wouldn't want any such thing operating silently on my own machine, I increasingly wonder if it's not the sensible default for a lot of people.

For a bunch of my family members, even simple errors mean almost nothing to them. They'll stop what they're doing and wait for help even on an error that (it seems to me) they could have simply read and addressed themselves. They've never examined the system tray, and dismiss any popups that come from it. Making them aware of systems like this only serves to confuse, because they don't really understand the problem it's addressing in the first place.

Machines for power users aren't going away. There are more operating systems than you can shake a stick at, and the number keeps growing. But for a lot of users information can be paralysing, and I wonder if having a strongly managed and simplified system akin to a phone isn't a better idea.


One could speculate in whether that is a conscious decision, since it would weaken the illusion that only Windows gets malware.

> Do you think anyone would have installed Zoom if they knew that it would allow any random website to activate your camera?

Yes, I'm quite confident that millions of "normal users" would still have installed Zoom knowing that.


> There's configuration for automated system updates, which most technical people understand to mean security patches and things that are equivalent to windows hotfixes and servicepacks.

Microsoft do exactly the same, and have done for over a decade now:

> Malicious Software Removal Tool is a freely distributed virus removal tool developed by Microsoft for the Microsoft Windows operating system. First released on January 13, 2005, it is an on-demand anti-virus tool ("on-demand" means it lacks real-time protection) that scans the computer for specific widespread malware and tries to eliminate the infection. [...] The program is usually updated on the second Tuesday of every month (commonly called "Patch Tuesday") and distributed via Windows Update, at which point it runs once automatically in the background and reports if malicious software is found.

https://en.wikipedia.org/wiki/Malicious_Software_Removal_Too...

> Having something as simple as a functional-equivalent to Windows Defender with its own icon in Control Panel

MSRT is independent from Windows Defender.


How well I remember everyone abandoning Microsoft Windows back in the Windows 2000 era when Microsoft first started using Windows Update to push out their monthly Malicious Software Removal Tool, he said sarcastically.

[flagged]


Could you please not slide back into breaking the site guidelines like this? I don't want to ban you, but you've done it repeatedly recently.

Stop pretending this is a conversation, I have no say here...

[flagged]


There is only Gentoo. So much control, so free. I've had to manually approve licenses to install fonts. A few other trade offs but I control and own all the bits

It's weird to call Linux "safe" because it lacks an optional anti-malware service.

If you can't see a difference between deleting files not authorized by the person who bought, installed, and uses the OS, and deleting files not authorized by third parties, I don't know what to tell you.

Well said. Apple loves to flex muscle as a show of force - virtue signaling - when there is some great drama going on. It is terrifying to know they have covert remote root code execution on Macs and iPhones at all times, which they may use without your consent of even knowledge. To me, that is a greater security risk and the reason I will not use their products in favor of open source operating systems only. It saddens me to see how soon people forget Apple participates in PRISM surveillance and has been literally criticized for human rights violations in China, yet invite them to control their computers. I expect people will down-vote this comment, but expressing my disgust for such an authoritarian world view is more important to me, and should be recognized as such by the hacker community. Unfortunately it seems too many of us will sacrifice autonomy and control for the promise of centrally-administered, ominous "security" working in the shadows.

The RCE is a given for anything that has automatic updates enabled, and IMHO isn't really the focus of this issue; the main concern is with the scope of what they are allowed to "update", and the legal ramifications thereof.

Yes, Apple does have the power to change every bit on your hard disk if you let it. Things like EULAs are supposed to govern to what extent they can use that power.


> Yes, Apple does have the power to change every bit on your hard disk if you let it. Things like EULAs are supposed to govern to what extent they can use that power.

Please help me understand this. Where in the EULA or elsewhere have users allowed Apple to remotely install a U2 album, or delete third-party software? What of the fact the EULA itself can change at any time without any posted notice? Or worse, what if Apple is forced or breached to deliver a "security update" which steals personal information or bricks your device? Why is this not a legitimate concern to technical professionals? Or, where is the documentation which at least explains this behavior to put curious minds at ease?




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: