Hacker News new | past | comments | ask | show | jobs | submit login

The point is precisely NOT to think about only this one case like many others seem to be focusing (or Zoom-ing in...?) on, but to consider how far you are willing to let Apple exercise its power over your computer.

Would you let it scan all your files and delete e.g. "suspected images of child abuse" (to use an old cliche)? Suspected copyrighted material or fragments thereof? "Extremist" content, or content which is contrary to current social norms? How authoritarian does it have to get before you start being creeped out?

This is a classic "parade of horribles" argument. I do not find them compelling, personally.

If Apple starts being abusive, they'll get their hand slapped. If they don't, they don't.

There's no better company positioned to do anti-malware than the vendor of the OS itself. Which is why Apple and Microsoft both do it. You can disable updates on both platforms if, for some reason, you don't want anything to change on your system without your explicit action (pros and cons to that, obviously). But for most end users, the tradeoff of control vs. security is a very easy one, since the average user is in no way qualified to secure their own system or audit the code that runs on it.

You can take any capability and stretch it out to some absurd extreme. What if apt-get whatnot trashed your entire computer? What if buses started hunting pedestrians for sport? It's a line of inquiry that prioritizes handwringing over insight.

Has anyone ever asked bus companies to start hunting pedestrians for sport? The answer is clearly no.

Contrary to that, the demands from governments and others for tech companies to "take responsibility" and become enforcers of all sorts of perceived virtues is reaching a crescendo.

And it's not just about clearly dangerous things like child porn or terrorism. The UK government seriously demands the takedown of "harmful but not illegal" content.

Just think about that concept of "harmful but not illegal" for a moment and you'll see that the sort of overreach that userbinator is talking about is anything but "some absurd extreme".

I still have a lot of trouble seeing how Apple removing a critical vulnerability - a completely mundane act with plenty of precedent from both Apple and others - is some clarion call that, if left unheeded, will have Siri judging everyone's hentai collection next. Why this - preventing myriads of users from becoming campeople - of all things? Why not, say, every Chrome autoupdate ever?

> I still have a lot of trouble seeing how Apple removing a critical vulnerability

You have that trouble because you are focusing on the "critical vulnerability" part and ignoring the fact that Apple decided to uninstall a program they had nothing to do with from your computer without your consent.

The intentions might be noble, the implications however are less so.

But they didn't uninstall 'a program'. The product itself was unaffected. And, again, this was done in consultation with the makers of the 'program' who had screwed up badly enough to be unable to fix the problem themselves. Nothing happened here that doesn't regularly happen when all sorts of things update.

These are unimportant details, the issue is with Apple modifying people's computers silently and the users themselves having no knowledge or any say about it.

Replace this instance with something that you disagree about (imagine Apple removing VPN software from Chinese customers due to demands from China or "fixing" existing VPN software with backdoors that enable Chinese authorities to wiretap Chinese people) and see what the issue is here.

(if that example would happen or not is irrelevant, i'm making it to help you see the issue in a context i think you'd disagree with Apple about, i'm not making it for you to argue if that would happen or not)

You brought up the details, inaccurately, to now tell me the details don't matter. You can understand, I hope, how this starts to feel like an exercise in eel juggling.

I didn't brought up details, i explicitly mentioned in my first reply to you to ignore the specifics of this case, ie. the details, and see what happened without them.

> something something Apple, a US-based company who prides itself on privacy helping China spy on people.

Apple engineers go to China. Anything they do to help the Chinese government can immediately affect their own workers. If they did that, and a bunch of people with Apple devices got thrown in jail / whatever, their stock, and moral standing, would suffer some serious blow-back for it.

Google Chrome has a thing that pops up when it thinks you might be getting attacked / phished by somebody. I wouldn't mind if OS X terminated my connection and said "Hey, we don't think this is safe" to me, especially if it was something that the average person isn't likely to notice and can cause damage to them (also, in China [relative to the US], the stakes for everything are generally higher- the US probably tracks you around, China for sure does that and is actively nabbing people a lot more frequently, too.)

I already wrote

> (if that example would happen or not is irrelevant, i'm making it to help you see the issue in a context i think you'd disagree with Apple about, i'm not making it for you to argue if that would happen or not)

It is in its own paragraph. That China part wasn't meant to be debated, it was meant as an example of an event that if it happened would make you disagree with Apple. The important part of this example is you disagreeing with Apple, not the reason why.

>terminated my connection and said "Hey, we don't think this is safe" /

That's not equivalent, equivalent would be doing something you don't realise, the point is about user agency: keeping users uninformed and, for those that get the information out-of-band, unable to exercise their own control over the situation.

>the users themselves having no knowledge or any say about it.

This is not true. You can disable all the automatic updates in System Preferences.

This is a nuclear option and the issue isn't getting updates, the issue is being silent and not offering any control over that. See my other replies about Windows Defender about what i meant with that.

What do you mean? They're silent because they're malware updates. You can turn those off.

>uninstall a program they had nothing to do with from your computer without your consent.

Incorrect. Users who are vulnerable to this had already decided to uninstall Zoom and that's why it was a vulnerability. Zoom had decided to ignore the user's wishes and leave their server behind so that it could re-install the software. Apple's update simply enforces the users' past decision to uninstall the application.

The problem is that Apple appears to have made an exception to its own rules in this particular case. If I understand correctly, they used a first party system update mechanism to change third party software.

It's like Google making an ad hoc decision to use Chrome autoupdate to silently patch a particularly bad vulnerability in Microsoft Word just because they can.

So what is the principle behind this kind of exception? It's simply this: If it's bad enough, normal rules can be suspended and anything goes. It's like declaring a state of emergency. It's not normal or mundane.

Now the question becomes what is bad enough and who gets to decide what is bad enough? People will point to incidents like this and ask questions like: Why was the San Bernardino attack not bad enough for Apple to suspend its ususal rules? Why can people store tons of pirated music on their Macs without Apple taking action? Why does Apple allow criminals to hide behind end-to-end encrypted messaging software?

If Apple has decided to take responsibility for the security of all third party software on macOS then they should say so. They should change the rules instead of breaking them in an ad hoc fashion.

Then we can all decide whether or not we want to hand total control to Apple (and to those who have control over Apple).

This is untrue. The update process was part of Xprotect, the malware definition/signature system built-into macOS that's part of Gatekeeper [1]. It dates back to Mac OS X 10.5 Leopard and was expanded on Mac OS X 10.6 Snow Leopard (the Gatekeeper GUI was introduced in OS X 10.8 Mountain Lion and back ported to Mac OS X 10.7.5 Lion). Updates were historically issued via minor OS updates, but Apple started to do silent updates to the Xprotect definition list a number of years ago, as a way to target popular/growing strains of malware (which were often installed via cracked apps).

There were a few instances in the last few years where the repos or built-in update systems of legitimate programs were compromised and bundled malware (and in one case, ransomware) along with their apps. In those cases, Apple also silently updated XProtect to remove the malware.

In this case, just because this was a webserver and not something more traditional like a trojan doesn't mean that it isn't still malware. The Risky Business podcast asserted the existence of the RCE before Apple jumped into action that it says Zoom knew about for months. Given that the only way to remove the webserver is to update Zoom (something that won't help any user that has already uninstalled Zoom, which kindly left the insecure webserver behind), this type of update makes perfect sense -- especially since Zoom itself is removing the server from its own application bundle.

This was malware, pure and simple. It wasn't third party software. It was malware left behind/included with a third-party app. It's not as if Apple removed the Zoom app -- it removed the piece of malware Zoom was including alongside its app. The fact that Zoom was including this malware as a way of bypassing Apple's access control in Safari (God forbid the user have to click a button confirming they want to open a meeting) is beside the point -- this was malware.

Additionally, users can turn off the auto system updates and they can disable Gatekeeper entirely.

I understand the broader concern of an OS maker being able to remove files a user chose to install -- but this is a very unambiguous case of malware. Just because the RCE wasn't actively exploited doesn't mean it wasn't malware.

[1]: https://en.wikipedia.org/wiki/Gatekeeper_(macOS)

I understand why Apple did it and the additional context you provide does change my opinion somewhat in Apple's favor, but I disagree about Zoom being malware because malware is made in bad faith to introduce functionality the user never intended to use.

What Zoom did was negligent and incompetent, but I don't see that there was malicious intent. I do agree, however, that what they tried to do is unacceptable even if implemented competently.

I think when you refuse to address a reported security issue related to something you installed (without the users knowledge and without a way for the user to easily remove) as a way to bypass an access control pop-up, and cite that it’s a feature not a bug, until forced by the public/other disclosures to remove it, The intent is malicious.

But even if it weren’t — and we can agree to disagree on the intent — the second the RCE is popped, it becomes a massive security issue and it becomes traditional malware. As I said, I’m convinced Apple would do the same thing if this was something left behind or associated with Java or Flash.

Malicious intent is the only thing that separates malware from a regular security issue. So if we disagree on intent we have to keep disagreeing on whether or not it's malware.

But I will admit that I'm starting to see the question of Zoom's intent a bit differently after thinking about what you have said.

Lying to users about the uninstallation is pretty icky intent. It's weird to make this about the sanctity of user choice and just repeatedly ignore that bit on top of coming up with a throughly inaccurate narrative about the nature of Apple's response.

I didn't ignore that bit. You didn't bring it up in your responses to me.

Instead you defended Apple fixing security issues in third party software (as I understood it without user consent) and you compared any concerns about that with concerns about buses intentionally running over pedestrians.

So apparently our debate took wrong turn and that wasn't entirely my fault although I will take some of the blame.

I agree that Zoom's intent (and even more so their methods) is icky. So perhaps we should have focused on that, because I can understand the reasoning that this makes Apple's actions look far more justified than I initially thought.

It's not.. it is malicious. They want to circumvent os/browser behavior / user protection (the prompt to open zoom). To hack around this they install malware to get things done. It is exactly the same as using doing something that wouldn't pass the appstore checks.

It is actually very competent of them, except for the security part.

The problem is that Apple appears to have made an exception to its own rules in this particular case. If I understand correctly, they used a first party system update mechanism to change third party software.

I don't see anything in the article that suggests this - as I read it, it pretty much says the opposite. What else have you read that outlined these rules and the exception Apple made?

The article says "Apple said the update does not require any user interaction and is deployed automatically."

As far as I know, there is no system-wide update mechanism for third party software not distributed through the Mac App Store that does not require any user interaction. So apparently they (ab)used the system update mechanism.

There is nothing in the article that suggests 'abuse' let alone rules, which is what you said. It's not entirely clear exactly what was done here but it was probably an update to the Malware Removal Tool which does what you can surmise from the name, without user interaction.

I care far more about the facts than about what's in the article.

Zoom is clearly not malware. It just has a bug. Is updating regular third party software documented behaviour of macOS? If so then I agree that it is not abuse. Otherwise Apple has some explaining to do.

I wouldn't call it a bug. Zoom deliberately engineered their app so it opened a security threat, accessible from any website on your browser, on your local machine without the user's knowledge. Then they reinstalled their software after the user had uninstalled it. Again, deliberately engineered that way.

That is not a bug

Zoom's intention was not to introduce a security vulnerability. That's why I'm calling it a bug.

Their intention was to bypass an inbuilt security measure. So no, maybe they didn't mean to add a vulnerability but they did mean to reduce the security of the system as a whole

Sure, facts are important. You started here:

The problem is that Apple appears to have made an exception to its own rules in this particular case. If I understand correctly, they used a first party system update mechanism to change third party software.

I don't think any of these are established facts and I don't understand how you, a fellow fact-fancier, haven't acknowledged that before breezily moving on to a discussion of the precise definition of the term 'malware'.

If you read the quote carefully, you will see that I did use rather cautious language, and I did that exactly because I wasn't sure that I knew all the facts.

No, they installed an update to XProtect's signatures to say "this is malware, remove it if detected" -- something the company has done many times in the past.

No, it prioritizes thinking about clear boundaries ahead of time, while you're able to think clearly about the issues. "Hard cases make bad law" as the lawyers say. Ethicists do this sort of thing all the time.

There's a line between the OS and third-party software. There's a line between malicious software and accidentally vulnerable. Apple has just shown that it is willing to cross both those lines. Where is the line at which Apple will stop?

In what way did Apple cross a line? Platform vendors have automatically removed malware for many years. In this particular case, Apple, in consultation with the vendor, removed a particularly nasty vulnerability. The software itself was left alone. In fact, because the software was written so poorly, the vendor didn't even have the ability to address the problem - only Apple could. It's even odder to bring up ethics - should Apple have knowingly left zillions of users exposed to this?

To make this look scary, you have to misrepresent what Apple actually did and then extrapolate to some frightening hypothetical to end up at nothing more than a risk inherent in all self-updating software.

If the position is 'all self-updating software is an unreasonable risk', fine. But at least argue that unvarnished, and I imagine to most people, extreme and impractical view instead of trying to dress it up as some novel and intricate argument about morality and creeping authoritarianism.

Lets ask a reasonable question: who wants the zoom webserver running on their systems providing a backdoor.

I didn't want my window to be broken. I still wasn't happy when my landlord came in and fixed it without giving me any notice.

You have to extend some goodwill to a company that invested millions of dollars and absolutely critical space in its handheld tech simply for security (I'm referring, of course, to the secure enclave).

Point to me any other manufacturer who has gone to those lengths to protect their users. There was no reason for Apple to develop that tech. No one else in that space, but they developed it anyway.

Can they do all this stuff? Sure, but I don't think they will. It does not seem to be in their interest.

I'd rather put Apple in control of my computer than any other random software vendor. This is exatly why all windows systems are full of crapware and are grinding their disks out of the box

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact