Hacker News new | past | comments | ask | show | jobs | submit login
Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur (twitter.com/patrickwardle)
1183 points by robenkleene 12 months ago | hide | past | favorite | 616 comments



This is one of those tough cases where software cuts both ways.

Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.

Most people are the opposite and this move protects the most sensitive data from being easily scooped up or muddled in easily installed apps, or at least easily installed apps that don't use zero days.

Is the world better or worse due to this change? I'd say a touch better, but I don't like the fact that this change was needed in the first place. I trust Apple, but I don't like trusting trust.


I'd argue this opens up a giant attack surface where malicious software will try to route its command and control communication through a protected service. Do we really want to trust that Apple will keep all 50+ of these privileged services fully protected?

I think it makes the "world" slightly worse in that it will be harder to discover malware. Little snitch has a small user base, but it's been used to identify many forms of malware and protect many more people once the threat is identified.


Yes I agree with your first part. There are real drawbacks.

But it's like installing a custom HTTPS cert in your OS to inspect potential traffic that malware may use through, say, a Google Doc or Sheet. It's helpful to true professionals dealing with highly sensitive information, but it's ultimately a bigger source of compromise for the vast majority of software users.

I don't think there is an easy answer here. That's why I said I thought it made the world a "touch better" and I can see from your response that you understand the tradeoffs roughly as well as I do based on the wording of your response. The fact is that contemplating these hard tradeoffs belie the underlying truth: Securing computers is hard and getting harder and the stakes keep going up. I can't say if this move by Apple will ultimately be worth it, but I certainly understand the predicament they are in. This is no easy work.


Why not just give additional permission levels? I don't really get why so many permission models on what software can do are effectively "admin mode" or "user mode". Why can't you get a very strong warning when software tries to snoop on traffic, but you can still do it? Or maybe you have to go into settings and allow it or something like that.

When you rent space in a building, do you get access to every single apartment/office space in the building? No. You get access to specifically what you rented and the front door. The maintenance people for the building will have access to the front door and other maintenance areas, but won't have access to your space. We can clearly conceptualize models like that. We even have something like this on phones.


Apple's argument is typically "users ignore strong warnings".


I helped a friend of mine with her OS X laptop. She had installed something bad and it installed MITM proxy and its own CA and other things to totally own and inspect all of her web browser traffic including SSL. So these features that we find powerful and informative also do have a dark side for more novice users.


OK, but if it's a real security risk why do they only protect their own services? Why not have the user jump through a bunch of complex hoops like editing a plist file from an elevated terminal account? Hell, this is the os that makes it onerous to install software that didn't come from the App store. Clearly they don't mind throwing some user pain in front of basic activities.


> Hell, this is the os that makes it onerous to install software that didn't come from the App store.

No, they really don’t. Unsigned software is a little onerous, but signed software can come from outside the Mac App Store.


I’m trying to think of a powerful tool that is not dangerous. Still thinking


Absolutely not, installing a CA makes attacks which weren't previously possible now possible. A host firewall isn't doing anything a network provider (read: your ISP, coffee shop, vpn provider, etc) couldn't already do. At least you can possibly look at what the host firewall is doing.


Installing any third-party software that inspects network traffic makes attacks which weren't previously possible now possible, since that software can be targeted.


It depends on the host firewall... many quality operating systems allow host firewalls to apply process-based policy which your upstream certainly can’t achieve.


If they can circumvent system security for their own purposes (even though I’m sure it wasn’t planned to be that way), then they should be open to circumventing it for our country (by backdoor-ing their encryption), at least that is how I would imagine it will be referenced in the inevitable government lawsuit. What a major screw up Apple!


[flagged]


I’m having trouble understanding your comment, but it sure sounds a lot like complaining about downvotes–that’s usually not well received.


> Do we really want to trust that Apple will keep all 50+ of these privileged services fully protected?

No.[1] That's what people need to start understanding.

Even if you decide to trust that someone will attempt to act in your best interests (you really shouldn't, see Google's extinct "do no evil" mantra), you can't trust anyone to do so perfectly.

All this aspirational goodwill that fans express on behalf of their favorite FAANGMUULA is the tech equivalent of flat earthing. The facts are simple: no software is perfect, you can't trust any software.

1: https://www.cvedetails.com/vendor/49/Apple.html


If you buy a ticket to a commercial flight, you're trusting software with your life.

It's a matter of degree of trust and hazard at failure.


If you can get into apple’s system processes, you are already on the other side of the airtight hatchway. You can make sufficient changes to the system at that point that you can certainly mess with any user-installed firewall monitoring.


In any system with any kind of sane security model, being able to convince the Maps app to send arbitrary data to an arbitrary URL is not exactly the same thing as total change-stuff-not-even-root-has-access-to compromise.


I think this is the case where you can have traffic monitoring set-up on your home router or any other network gateway available. It will be slightly more troublesome, but not impossible.


That doesn't work with HTTPS, obviously.

And with DNS-over-HTTPS, DNS-over-TLS and encrypted SNI, that makes it all the more harder.


It would work with HTTPS if you can set your software to accept a self-signed root cert. That's a significant if, however.


Same situation with a government:

Even if you believe all the MPs / representatives are trustworthy and intend to act in your best interests, their competence is going to be limited, so we need to checks and balances and a limit on their power.


The decision is questionable, but you can always inspect traffic from the machine outside it, I would even say that's preferable in context of malware.


TLS makes this difficult today and SNI encryption will make this next to impossible without installing a custom ca certificate and doing MITM. Even that isn't helpful when you are using a laptop that may not always be on the network where you have deployed a device for inspection. Better to be able to inspect or block on the device by application.


I would be astonished if Apple doesn't at least experiment with key pinning for the services it has decided to "protect" in this way.

If pinning is used then you can't interfere by interposing a middlebox, the connection would just fail. I guess it's possible Apple would find corporate pushback is too strong, but maybe not.

Don't use things you don't trust. If you trust Apple's proprietary software at least you are getting exactly what you signed up for. Apple gets to do whatever they want, which you apparently trust them to do. Will they accidentally let in bad guys? Maybe. You signed up for that too.


When we are talking about malware that's irrelevant. And if we are talking about inspecting Apple's traffic, I don't think you should trust things you see on their hardware running their operating system.


Can you recommend a portable wifi firewall? Based on Raspberry Pi, perhaps?


saw the GL.iNet+GL-MT300N-V2 recently - have not bought it yet, maybe it's time if it's good


Someone else here recommended those, and now I have 11 for myself + my staff. They are great 2-port devices, with free GPIO pins too! Can do on-device VPN (openvpn, wireguard + tor) with a policy that kills internet access unless it's through the VPN.


Ah, nice. I've been looking for something with which I can sniff my phone's activity, and that provides all of the keywords. And $20 ain't bad neither.


If I install Little Snitch, it's because I trust Little Snitch to be responsible for my computer's network traffic, over and above anyone else.

I recognize that this won't necessarily apply to all users or all apps, but there needs to be a way for the user to designate trust. Apple services and traffic should not get special treatment.


They provide the OS. If you don't trust them, then you shouldn't trust anything running on top of it either...


That's the exactly the thing - they are, indeed, chasing me off. When this Mac dies, I'll be replacing it with something running Debian.

It is too bad - the Mac hit this sweet-spot where it was pretty much my perfect machine for several years - a kickass Unix workstation in a decently built laptop, with a decent GUI, with access to consumer apps, too. It was great while it lasted.

Thing is, this is a reasonable thing for Apple to do. Back when they weren't enormous, it made sense for them to at least make token gestures to the Unix-weenie/developer market - we threw a lot of money at them and made them hip when they were down and out. Now we're in rounding-error territory, and that we got what we wanted for a while was sort of a happy accident, anyway. Building developer dream-machines was never Apple's thing.

I bought my first Mac in 1991, and this one will last a while longer. Can't really complain too much about 30 years of decent-to-awesome tools.


I disagree that it's reasonableness except in the short term. We're seeing a change in developers' opinions; my friends in video production were getting ready to ditch Apple due to their "professional" software and hardware products getting worse both in relative (hardware) and absolute (software) terms. Part of the Apple cachet is that these are professional tools; how long is their reputation going to hold up if those professionals leave the platform?

It's a touch of hubris to think that we are and will continue to be taste makers, certainly. Maybe Apple won't get burned by alienating this crowd. But it seems a risky strategy for dubious return.


Both the tech-bro and the media production audience are now a rounding error of a rounding error for Apple. It is a consumer luxury brand first and foremost, and it derives 99% of net income from that. Catering to dorks in basements is a tiny legacy business and the support level for it is commensurate. (It probably actually only exists because Apple has its own share of dorks in basements.)


That's assuming nobody cares about the opinions of tech people when they're buying tech.

It's not just that tech people are customers, it's that ten other customers will look at what the tech people are carrying and assume they're the ones to know what's good.

And developers write code for the platform they actually use first. And spend time fixing the problems with that platform that are keeping other people from using it. Then more non-developers switch to it because it's improving.


I really thought about this yesterday, and the one program i really miss on linux would be Little Snitch. I need a good application firewall on linux.


We are working on an alternative for both Linux and Windows: https://safing.io/portmaster/

Not only is it an application firewall, but also gives you DNS filtering (ie. Pi-Hole basics) and DNS-over-TLS.

If you check it out, we'd love to hear some feedback! (Full UI revamp incoming)


There's OpenSnitch, but it's a WIP: https://github.com/evilsocket/opensnitch


Sounds like a business opportunity...



You could (and perhaps would) make the same argument about Intel (for providing the processor) or Broadcom (for providing the wifi chip) or Comcast (for providing internet service). And it's true, all of these parties have the ability to use their positions for nefarious purposes.

However, I would like to limit that potential as much as possible, partly by creating a stigma against practices that remove control from the user.


I find it interesting how the needs of legitimate security mesh so well with the industry desires to kill off general-purpose computing for the majority of users


As is usual, this is something Stallman had touched upon years ago[1].

[1] https://www.gnu.org/philosophy/can-you-trust.en.html


I've been respecting RMS' argument year by year


I find this article[1] linked by RMS is prescient as well, for something published in 2003.

[1] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html


As a general rule, you want to prevent software from bypassing a user's informed consent. Apple typically does this in one of two ways:

1. Have functionality only accessible through system frameworks, so that the OS can be responsible for prompting for informed consent and granting it to a process. This means that the system itself has to have functionality to prompt for that informed consent in a way that users can understand.

2. Require processes which an application cannot script that are technically complicated enough that users might realize they are pulling off the warranty-voiding stickers. A prime example would be rebooting into recovery mode to turn off system integrity protections via a terminal command.

Both of these wind up getting gated in priority, but such is the priority of their system - limiting the ability of arbitrary software to act as an unrestricted agent of the user so that user security and privacy (as well as device operation like battery life and radio reception) can be protected.


> A prime example would be rebooting into recovery mode to turn off system integrity protections via a terminal command.

I actually think the way Apple implemented this downright brilliant. As you say, it can't be done automatically, and it's definitely made to be a bit intimidating. At the same time, it's not difficult or onerous, that's a pretty hard balance to strike.

By contrast, when I try to install unsigned drivers in Windows, I feel as though Microsoft is fighting me, and I get annoyed basically every time. I've never had that feeling with SIP; when I get a new computer, I take off the training wheels I don't need, and move along.


Unfortunately, Apple often does 1 far more often than 2, whether it be because 2 is harder, or has a worse experience, or what have you. And Apple exempting themselves is really option 3 for themselves.


I mean the irony is when it comes to browsers you see the general tone of HN shift to the opposite opinion when it comes to features like, RTC, USB, Bluetooth, Filesystem Access. These are all features that give users more power but it's (apparently) easier to see the downsides and how these features can and are used maliciously.

Now put yourself in the Apple's position where "an iOS app" or a "mac App" is about as trusted as a random website. Tech people have a strong culture of locally installed apps being extremely trusted but that doesn't extend to everyone. Can you imagine if websites could control your firewall?


> I mean the irony is when it comes to browsers you see the general tone of HN shift to the opposite opinion when it comes to features like, RTC, USB, Bluetooth, Filesystem Access.

I don't think it's that ironic. From my vantage point, the big tech companies specifically and consistently invoke the security arguments that are best aligned with their agendas.

• We need to enforce automatic Windows 10 updates to keep your computer secure. (But also, we won't let consumers use the security-patches-only LTSC branch we offer businesses.)

• You cannot install an app on your iPhone that we have not personally vetted. (As part of the vetting process, we enforce a 30% cut on all digital goods.)

• We need to hide URLs in Chrome to protect users from phishing websites. (But isn't it nice how it makes AMP more seamless?)

• We need to give browsers Bluetooth and USB access, because web apps are safer than random Windows executables. (But also, we can advertise inside of web apps more easily.)

I could go on. The problem with all of these arguments is that they aren't wrong so much as they're selective. The iOS App Store does protect users from malware, and hiding URLs does protect users from phishing. What goes unacknowledged are the trade-offs of these decisions—some of which may themselves be bad for security.


Also, they lock the user in to the corporation's choices. Most of these don't even have a way to bypass them for knowledgeable users.


>hiding URLs does protect users from phishing

Real question: how? I would expect it to be the opposite, a perfect phishing site will have the wrong URL.


Because it's not really "hiding the URL" despite what all the outrage bloggers tried to make it seem. It's by default (i.e. until you tap/click it) hiding the parts of the URL that the site controls. So paypal.amazon.citibank.scamsite.biz/secure/login/trustus will just show scamsite.biz.


My first instinct was to distrust the hide-until-click URL bar also, but you've illustrated clearly why it's a reasonable default. It mitigates the effect of malicious websites playing URL games, and allows the browser to more accurately convey to the user where they really are.


To drive your point home, paypal.amazon.citibank.scamsite.biz/secure/login/trustus will likely have a perfectly valid certificate, along with the trusted green closed-lock before the URL, implying that the site is "secure".


Safari does not behave as you've described. The subdomain (for example, 'gist' in 'gist.github.com') is displayed.


I suspect that Safari uses Public Suffix or similar for that.


google.com.evilwebsite.example?=google.com

Oh that has google in it (twice even) we can go there.

There's also arguments that URLs are too complex for normal people to understand.

I agree with you though, hiding or redirecting URLs is the opposite of protecting users from phishing.


> google.com.evilwebsite.example?=google.com

This was solved a decade ago by rendering the 2nd+1st level domains (and sometimes other parts of the URL) in a different style.

> There's also arguments that URLs are too complex for normal people to understand.

That argument is an insulting attempt to justify a form of illiteracy[1]. Most people don't need to know all of the technical features of a URL; they just need to be able to use it as an address and recognize basic features like the hostname.

Street addresses are a good analogy. Most people understand the basics easily even though physical addresses are far more complex[2] than URLs!

[1] https://news.ycombinator.com/item?id=7694919

[2] https://news.ycombinator.com/item?id=7695735


> Now put yourself in the Apple's position where "an iOS app" or a "mac App" is about as trusted as a random website.

The mistake is in creating a category called "iOS app" or "mac app" and trying to fit every piece of third party code in the universe into that category.

What there should be is different categories of apps with different levels of trust. Then 95% of apps can go in the totally untrusted category because they don't actually need any special privileges. Which then makes asking for a trusted privilege a red flag rather than something the user clicks through because they see it for every app they install.

> Can you imagine if websites could control your firewall?

Realize that this has already happened. You wanted to block DNS to untrusted servers so everything would have to use your Pi-hole? Say hello to DoH. You could block AOL Instant Messenger by blocking port 5190, good luck doing that with Facebook.

The web made every protocol run over HTTPS to bypass your firewall, even if it has nothing to do with transferring hypertext.

Because that's what happens when you do security wrong. It has to be usable or it gets routed around. People started blocking unknown ports by default, or blocking/mangling protocols both of the endpoints didn't want blocked or mangled, so firewalls got displaced.

You don't actually want that to happen (again). You don't want the only options to be living in a cage or rooting your device with some unaudited 0-day code you got from some Russian hackers. There is value in the existence of the middle ground.


> Can you imagine if websites could control your firewall?

Oh, they can. Cross-site scripting and request-forgery attacks aren't dead yet thanks to widespread terrible security practices :)


User freedom means being able to command our computers to do anything, even if it's against the law or against the business interests of corporations. A free computer is by definition hostile to corporations and governments since it can be used against them.

Security as an industry is generally all about protecting the interests of corporations and governments. Just look at how they react when normal people use subversive technology like encryption. The people in power simply cannot tolerate anything they have no control over.


> Security as an industry

…is not a monolith. There are plenty of people in security interested in giving you freedom as a user, actually, many do it specifically for that reason.


There has always been a tradeoff between security and freedom.


> If you don't trust them, then you shouldn't trust anything running on top of it either...

Trust, but verify.

The problem with this is that it's taking away the ability to verify. Which takes away the ability to trust.


> If you don't trust them, then you shouldn't trust anything running on top of it either...

You start with trust, if you attempt to verify that trust by examining behaviour and discover a covert side channel surely you can no longer trust.


I don't understand these style of responses. I think the point is that this "feature" makes the OS shittier.


For the average user who expects to be able to block malicious traffic via something like Little Snitch, but still expects their OS updates, App Store, etc to work, or for someone who "knows better"?


The average user isn't using Little Snitch. And if they are, the app provides default profiles for this sort of thing.


It's not about trust that they aren't doing something malicious, it's about trusting them to provide the level of attention and work required to keep something very secure.

A kernel and the core OS capabilities are a high security domain and I expect Apple to be extremely careful and put a lot of attention into making it secure. Desktop applications are a different domain where security is not quite at the same level and Apple will not and can not provide the same level of security for all of them that it can and does provide for the base OS.

As a simple example, compare Safari and the OS. The domains in which they operate make it extremely hard, if not impossible, for Safari to have the same level of security as the OS and kernel because the use case of Safari opens it to far more attack vectors.

Does anyone believe that exempting all Safari traffic from firewalls would be a good idea? If not, then why should we accept that it's a good idea for some arbitrarily set of other Apple applications?

The issue here is simple, it's the same as it always is with Apple. There's a choice to do the thing that's slightly more complex and requires users to provide even a minimal amount of input that they might have to think about ("An application is attempting to change the traffic flow required by X service, if you allow this it may cause problems with this service. Yes/No?"), but instead they opt for "Users must trust us implicitly and entirely in everything we do", which is their go-to solution. It all comes back to control, does Apple control the user, or the the user control their software? Apple has built their empire around the former, so while we can't expect the latter without if being forced on them, that doesn't mean we shouldn't.


Well, that's not the whole story: consider another example, the various parts of Safari. Apple wrote that, Apple wrote the whole OS…should they have access to a kernel task port? Shouldn't I trust them to not do bad things? Of course I do, since I use the browser–but I am glad that those are split into separate processes and sandboxed, because an exploit in any of those instantly turns this access into a confused deputy problem. A confused deputy is trustworthy–but they're confused.

Adding exceptions means adding more points of failure, more complexities in code, more opportunities for attackers to bypass restrictions placed on them but not on OS services. Not only that, but you get the upside of having a unified model for Apple and your app developers "for free"–the latter which is of critical importance to Apple in particular, since they have had years of trouble in this area.


Microsoft makes an OS too. And to use it I have to spend an enormous amount of time turning off all its daemons that phone home, harvest my personal information, show me ads, and force updates on me.

So no, I don't trust OS providers. I tolerate them and defend myself against them.


I trust my friend Mike to drive me to the pub. I don't trust Mike to be the executor of my will.


And also, you might be uncomfortable if Mike blacked out all the windows.


Trust but verify. Now we must do the former without being able to do the latter.


You can very easily monitor all outgoing traffic through an external device.


You can’t filter per-app, however, which is a key selling point of Little Snitch.


How do you get around TLS with cert-pinning?


This really isn't about trusting Apple, this is about trusting Little Snitch. I don't think it would be a good decision to allow any app to control your firewall, but I should be able to say "this app should be allowed to because I trust it."


Their software could have bugs, or be compromised.


China (enter the room): Agreed.


Right, but many users want to delegate trust to more than just the OS vendor.


Great comment - agree 100%


5 years ago I found LS was unable detect any traffic out of a VMWare virtual machine running on the same Mac. Sure the VM is running through some installed virtual network adapter, but if that's all it takes an attacker can set up one of her own. Cool Hollywood interface but I gave up on LS as a serious security tool right there.


I can't speak about 5 years ago, but I was using Little Snitch with VMWare last year, and it worked. I had to specifically allow the VMWare process.


Guest traffic was visible when the VM was in NAT mode, but when switched to Bridged mode traffic went straight through with LS unaware. I suppose LS was only sniffing the standard adapters, though this could have been improved since.


That's likely because VMWare Workstation's bridge mode likely injects into the networking stack at the same point that Little Snitch does.


I was only trialing VMWare before, so unfortunately I can't test this anymore.


Heads up that VMWare Fusion has a free version on Mac as of this month. :)


If you don’t trust Apple then you need something more than little snitch. Apple is responsible for both hardware and OS. What delta in security or trust is little snitch going to offer over Apple?


In this situation the question isn’t about whether or not Apple can be trusted.

Apple has clearly betrayed users’ trust in this situation.

People don’t install Little Snitch only to prevent nefarious third party activity. Some may want to know what traffic is going to and from their computers. Other may want to block all traffic for testing and/or research purposes.

I can trust that Apple is not doing something nefarious and still see that Apple is blatantly betraying the fact that people trusted when switching stuff like firewalls away from kext that it wouldn’t build backdoors for itself.

Also, any backdoors Apple builds for its own apps and services are simply an additional attack vector that could potentially be used by non Apple malicious actors.


> Apple has clearly betrayed users’ trust in this situation.

That's a perfectly reasonable opinion to hold, but 99.9% of macOS users won't know the difference and will be safer for it.

Some of the folks who know the difference will also be fine with it. FWIW, I've used Little Snitch (only to prevent nefarious third party activity), and its biggest UX problem is that it treats legitimate OS traffic no differently than untrusted traffic.


> any backdoors Apple builds for its own apps

Apple hasn't weakened the security of their devices to provide a secret way in, in fact, they made their systems even more robust.

The question absolutely is whether Apple can be trusted. Little Snitch works for other apps, just not Apple's apps. The remaining slice of the pie you're arguing for is whether or not we can trust Apple.

So what delta in security and trust over Apple are we getting by asking for this change, and how much insecurity and brittleness are we inviting to all other users with our ineffective software based firewall?


> The question absolutely is whether Apple can be trusted.

This is a false dichotomy. I choose to use a Mac, but I also choose not to let my Mac phone home to Cupertino unless I allow it. Why can't I have that choice? Why does it have to be all or nothing? I'm only interested in the Mac, I have zero interest in Apple "services". It's a fine computing device, but I see no reason why the device has to continue to talk to Apple after I purchase it, except to download software updates — which I manually trigger.

It's not about trust, it's about choice.

EDIT: Now if Apple provided a way to easily disable all of those "services" that phone home, there would be a lot fewer complaints about this issue. But they don't.


> Apple hasn't weakened the security of their devices to provide a secret way in, in fact, they made their systems even more robust.

I'd consider poking a hole in firewalls to be providing "a secret way in", particularly in the context of Little Snitch. This isn't some antivirus bloatware that comes preinstalled, or a firewall imposed by corporate networks. The entire pitch of Little Snitch is that it enables you, the user, to monitor and control any bit of traffic that leaves your machine. No one was asking for Apple to bypass that.


ANY firewall inherently trusts the OS of the device it's running. They have to in order to function. The firewall sits on top of the OS, not underneath it. Even on Linux if you're running ipfw, the traffic first goes through the OS and then to your firewall.


There is trust and there is visibility. Here’s an alternative example I actually do quite often: I attach debuggers and such to system processes. Not because I don’t trust them to not do something malicious, but knowing what they are doing is always useful to me. If Mail is randomly reading files from my Documents folder, perhaps something is wrong with it. Maybe I should just tell it that I can’t look there and see why it might be doing so. These are things that give me more control over my system, not things I engage in because of a lack of trust.


Yes, but as a user, I expect the OS to behave in a transparent manner. If the OS provides a firewall API, I expect it to send all traffic through firewalls that use that API, not selectively redirect traffic from certain apps or domains.


Bottom line is that Apple made software like Little Snitch switch away from kexts and then built in behavior that was unexpected, which would not have been possible for them to do while Little Snitch was based on kexts.

Whether this is malicious, not malicious, secure, insecure etc. is irrelevant to whether this is an untrustworthy action. It’s not what one would reasonably expect and is therefore a betrayal of users’ trust.

If Apple switched gatekeeper on MacOS to completely remove the option and the workarounds to run unsigned apps, it would certainly be more secure. It would also be a huge betrayal of users’ trust in Apple and the MacOS platform.


>is therefore a betrayal of users’ trust.

I would disagree with that statement. The user bought an Apple computer so they clearly trust Apple already. If anything, the new frameworks make the system more secure which strengthens that trust for users. The only people really affected by this change are users who want granular control over everything whether it comes from Apple or not.


This conflating of purchasing with trusting is harmful. It's an ongoing trend I've seen with large tech companies, with arguments of the form "You accept a tiny X, therefore your rejection of the giant Y is invalid."

We buy things from companies we don't implicitly trust all the time, because we can isolate and verify those things.

I don't always trust the supermarket to sell me non-moldy produce, but I can look at the produce and see whether it's moldy.

I don't trust oil companies not to destroy the environment, but if they sell me bad fuel it will be very clear.

I don't trust OS makers, but I can run firewalls and network sniffers to verify that the OS is behaving reasonably, and isolate it when it isn't. Until I can't.


>The user bought an Apple computer so they clearly trust Apple

This is false, maybe I bought X because it was the least shitty choice.


That's fine but you bought it. When it comes down to it, America and capitalism run on the premise that you vote with your dollar. You voted with your dollar regardless of the mental gymnastics you did or didn't do to make that decision.


You're overloading "trust". I think most people trust Apple not to be malicious, but that doesn't mean they trust apple to omniscient and perfect.

A back-channel that you can't inspect but Apple can use is a back-channel that you can't inspect but malicious actors have found a way to use waiting to happen. Preventing you from seeing that traffic doesn't protect you, only protects Apple at your expense, since you have no way of detecting whether something fishy is going on.


> I trust Apple, but I don't like trusting trust.

Trust relies on faith or evidence, the overwhelming circumstantial evidence is that Apple can not be trusted with anything other than their commercial interests.

You can not trust Apple with anything else, therefore you must have faith.


Who cares about the world.. I just want full access to the system I paid for. This should always remain an option.


Depending on your definition of "full access", you probably haven't truly had that for decades—on any broadly available computing system at least.


Regardless of whether that want is feasible today, having something that gets closer to it is clearly the goal.


If that goal is important to you, I agree. I disagree that this should be declared as a universal goal for all people.


Why doesn't each individual user have the final say over whether she wants to accept the change or not? There is no option presented to the user:

   [ ] Do not trust Apple, trust only me
You say "Some people are smart, informed developers" but in this case, it appears Apple is treating every user as the same.

I am not a "developer" (nor am I particularly "smart") and yet I monitor traffic to/from computers I own. Maybe some incorrect assumptions are being made about so-called "users". I find it perplexing that any company should be able to prevent me from monitoring traffic to/from computers I own. I own the computers, I pay for the bandwidth. I do not buy Apple computers for the Apple software.


Actually, I don't think this is about trust. I mean, when I use an Apple OS, I (should) trust them, as their software has access to all my most sensitive digital information.

However, making it impossible to route the traffic of the system apps through a VPN of my choice (whatever the reason), is just broken functionality.


Is there anything Apple can do that makes their platform less accessible to the users that you would not support?


Absolutely. For example, I think that the lockdown of the bios was a move that hobbled developers like myself that installed custom bios extensions. I used to be able to run raw linux on real hardware. Now I need to use a commercial virtual machine just to get the dev environment I want.

The difference between the two is subtle, but true. I want true masters that understand what the tradeoffs are to make those hard choices for themselves. I want the rest of the world to have a blanket of privacy and security that protects everyone.

Especially the elderly that are too trusting with what they believe.


Interesting that it's only the thing that personally affects you that you object to


I appreciate the response. I suspect you’re missing the many ways in which this change can negatively impact valid and fairly frequent advanced usages of macs, in a way similar to the BIOS change you mentioned.

When I was in college, Little Snitch was an absolute must for using Macs in our networking labs, because it was the best way to analyze and control our network. Without it the mac was not a feasible option.

This change by Apple would have essentially eliminated the macs use in several of these experiments, and I suspect that’s true today as well.

Further, this has a regular advanced user impact as well, for users on metered networks who would like to control their data usage.


Have you used little snitch? It very clearly allows all apple traffic by default, and if you modify something that would affect it, you get a huge popup explaining what will happen and have to click on a red button to confirm.


> Is the world better or worse due to this change?

This is the false shortcut behind any attempt to weaken security. Security makes access harder, therefore let's weaken security to improve access.

The fact is that weakening security also makes malicious behavior easier and/or more likely. Changes like this are bad particularly because Apple users pay for a protected walled garden.


What this will do is allow apple to decide what goes in and out of the machine.

It's pretty clear what they think - they allow basically any app to access the network on ios.


Local network access is a separate permission since iOS 14. I’m not sure whether that is for scanning or multicast only (e.g. finding devices such as Chromecast) or complete access to anything other that the gateway and dns servers.


> Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.

Wouldn't say I'm that smart. Wouldn't call myself a developer either. But I'm still kind of dismayed. I used to love macOS (or OS X to be precise), but the clock has been ticking for years now. Near every decision made about macOS future goes in the wrong direction (for me). Right now I'm looking at Manjaro. But still, I need the Adobe CC suite to get my work done, so I will have to use two machines. I hate running two computers. But that's probably where I'll end up.


How is this good?

Either Apple doesn't trust Little Snitch and shouldn't let it interfere with any apps, or Apple does trust Little Snitch and shouldn't block it at all. There's no reason to implement this halfway.


Ah, yes, the "users actually want an operating system that undermines their every action" argument.


Trusting corporations (or any entity free from limitations and background checks) seldom bring the expected results.


If the data is so poorly protected in transit that a firewall app on the system is a concern, something has gone very wrong indeed. It's just going to see that your Apple services on your Apple device are speaking to Apple servers.

There's an availability consideration here, but that's about it.


why do you “trust” Apple?


In this case it's actually "just" a bug.


Apple fanboys will always ignore the facts... why would you want apps to bypass a firewall that you install... Apple need to fix their OS either way


Tech savvy users are not just the minority. They're also cheap. They've been conditioned by the FOSS movement to think all software should be free as-in-beer. (The people who started FOSS didn't say that, but that's what it's become.) They say they want free as-in-freedom, but since they are not willing to pay for it they don't exist. Those who pay set the agenda for everything.

Developing a truly polished operating system with a whole ecosystem of services is far, far beyond what volunteers and hobbyists can achieve. It's just too much work. It also requires focus and coordination and someone who is able and willing to say no. Without that the FOSS community rewrites everything over and over again instead of doing the not-fun parts of programming like fixing bugs and edge cases.

TL;DR: we get what we pay for. We don't pay for freedom so we don't get it.


Where are these weird anti-FOSS statements being bred from?

> Those who pay set the agenda for everything. And this different from non FOSS software how?

> Developing a truly polished operating system with a whole ecosystem of services is far, far beyond what volunteers and hobbyists can achieve.

As someone who uses Linux as my primary workstation I disagree. My coworkers that use Mac or Windows seem to have about the same number of issues overall. I mean- look at the article this is about. I’m pretty confident that would be much harder to get away with in the Linux community. Gnome shell is more polished than windows or macOS were at the same age.

> It also requires focus and coordination and someone who is able and willing to say no.

Clearly you haven’t dealt with the Gnome folks who are perfectly willing to say no to features some users scream for. Or read any of Linus’s rants about nvidia.

Edit: formatting


I crap on FOSS a bit because I like it and wish it got more traction in the mainstream. I intend it as constructive criticism.

I've been a FOSS user and sometimes contributor since 1994 when I installed Linux with floppy disks, and have consistently watched FOSS lose the mainstream because they don't grasp the critical importance of UI/UX.

I want to write "it has to just work" on a sledgehammer and bash people about the head with it over and over again until they understand that user experience is f'ing EVERYTHING and every installation or setup step required to adopt something roughly halves adoption.

This is largely because we are in an age of time and attention poverty.


Is it really a goal of most FOSS projects to attract the mainstream? IME some of the highest-quality and longest lived projects know who their users are and provide an extremely high quality product.

I don't want to see Arch Linux, for example, to start prioritizing for attracting non-technical users who want it to "just work."


Well you should be thankful our predecessors took making things "just work" seriously enough to remove your need to boot using toggle switch sequences.


Oh come on! It is not because I spend most of my life inside a terminal that I don't prefer simple things over complicated ones.

Technical doesn't mean "unnecessarily complicated", it means "rich, expressive and built for users that are willing to spend some time to learn" (at least it should)


Sorry then. I had read something anti-foss the other day (probably on Reddit) which seemed to have a hidden agenda behind it like in the old days. As far as having a “it just works” experience- sticking with the Lenovo and Dell professional lines has worked out pretty well for me.


> They say they want free as-in-freedom, but since they are not willing to pay for it they don't exist. Only paying users matter.

Citation needed. If you look at app store pricing models the opposite seems true. If I were going to take a random guess I would say that tech savvy users use open source software to avoid anti-consumer bullshit more than anything else.


If enough people said to Apple "hey, this stuff is not acceptable and we won't pay for it" and then they actually did follow through, Apple would stop.

My point is that the vast majority of people don't say that, only a very tiny minority. The vast majority of people want convenience, not control. They want their stuff to "just work" because even if they do have the technical knowledge they don't have the time to screw around with fixing their computer. Apple is giving the market what they want as evidenced by actual buying behavior, not posts on HN.

My other point is that while there probably are enough tech-savvy people who care about freedom to support a viable alternative platform, the majority of these users are not willing to pay for anything so there is not in fact a market for it.

Basically what it boils down to is that people don't actually care. Even the vocal people who say they care don't care because they won't open their wallets or change their buying habits. If you won't actually do anything about something, you don't care. Whining on the Internet is not doing something.


> If enough people said to Apple "hey, this stuff is not acceptable and we won't pay for it" and then they actually did follow through, Apple would stop.

“The market will price this out” doesn’t actually work because it assumes that 1. Apple’s product strategy is done to match market desires perfectly and 2. The decision to buy is solely predicated on this particular thing. The first is false because nobody can do that and the second is because people buy Apple products for other reasons than just that. I personally know many people (although this sample is of course unbiased) that buy Apple devices for a number of reasons (they work well, they look nice, they have good support) but hate that they can’t do thing on them. But their purchase decision doesn’t reflect their opinions on this particular issue.


> Basically what it boils down to is that people don't actually care. Even the vocal people who say they care don't care because they won't open their wallets or change their buying habits. If you won't actually do anything about something, you don't care. Whining on the Internet is not doing something.

People aren't buying features off a list. In a situation like this a missing feature has to be so important that it completely disqualifies the product, which is a very different thing from a willingness to open the wallet.

It's similar to how you can get a kindle with or without lock screen ads. If the only option was with ads, you'd see more people buying that version because it becomes artificially hard for them to say "I don't want ads". Even though they're willing to pay for the feature.

And for convenience vs. control, well, this firewall bypass doesn't help convenience.


> They want their stuff to "just work" because even if they do have the technical knowledge they don't have the time to screw around with fixing their computer.

And that's why I picked up an MBP this year; it's caused me way less grief than my various Linux boxen have.


It's the opposite for me. Pop!_OS has caused me the least amount of grief. I tried switching to it as my main workstation but, sadly, Zoom doesn't run very well (in my experience). It crashed often and started using 100% CPU on all my cores.


I'm happy to pay for good FOSS and open hardware and I'm paying. Also I'm trying to avoid any proprietary and especially cloud-connected things. You are generalizing too much, there are enough people who are happy to pay for trustworthy software and hardware. Just noone cares.


> Tech savvy users are not just the minority. They're also cheap.

Bologna. I spent $4,000 for this MBP, and I've spent many hundreds on accessories, and thousands of dollars on software to run on it. I do everything on it. It is the center of my digital life.

That being said, the day I go to do something on this machine and find that I can't is the day I go buy a sub-$1,000 PC laptop, and go back to Linux (which I ran on the desktop for 19 years). Apple should be very careful how hard they squeeze here.


I think that's a false false assumption.

With trust you get trade. Trade is commerce and the more trust you have the more money changes hands.

If I could firewall my phone I would upgrade every year no question.


Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

I won't share the other sentiments about the above, but is it really that hard to document these behaviors?


Apple touted the T2 chip as the bee's knees in security. Now, we have a vulnerability that cannot be defended against. However, Apple went all in on the security of this T2 chip so that you cannot replace the SSD (besides the method to manufacture). I appreciate the desire at making a device difficult for a bad actor to get to your data, but they epicly failed and ultimately only made an user-hostile device. Oh, and the laptops with these chips also had the world's worst keyboard. Absolute trash.


> I appreciate the desire at making a device difficult for a bad actor to get to your data

That's what FileVault is for. I don't understand what's the problem T2 is trying to solve by its existence. Being able to use something else to read the data from a drive you pulled out of your computer, after decrypting it with your password, is a feature, not a bug. T2 is a regression, not an improvement in security. You can't call it a security product if you keep the master key, which Apple does.


One of the value props was the inability to reset and resell if it were lost or stolen. Now that it’s cracked there is more of an incentive to not try and find the owner.

As for actual data security you are probably right


> One of the value props was the inability to reset and resell if it were lost or stolen.

It's sure one of those nice to have features, but there's no good reason why it has to be mandatory like it is. All in all, having a device purposefully retain some information when you factory reset it is user-hostile.

The "lost or stolen" argument also hardly holds for desktop computers like Mac Pro or Mac Mini or iMac, yet they still have T2s in them.


It seems like this is a feature designed to shrink the "used" market for Apple products -- and not a user benefiting feature.


But one of the things about Apple products that makes people okay with the exorbitant pricing is the resale value. I thought Apple themselves realized this?


No, they want both you and the potential pre-owned Mac buyer to buy a new device each.


> The "lost or stolen" argument also hardly holds for desktop computers

Why ? People's houses get broken into all the time.

And probably 99.999% of laptops never leave a person's house.


Is the crack in hardware or software? Any links on it? I thought the iPhones at least could not be reset by thieves?


> The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone 7 since it contains a processor based on the iOS A10.

> ..Using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.

> Since sepOS/BootROM is Read-Only Memory for security reasons, interestingly, Apple cannot patch this core vulnerability without a new hardware revision.

Crouching T2, Hidden Danger (2020-10-05) https://ironpeak.be/blog/crouching-t2-hidden-danger/


A demo of the T2 hardware exploit on iMacs can be found here: https://blog.t8012.dev/plug-n-pwn/

From what I could find, the encryption keys of the T2 are still secure but the OS running on it is not. Wiping the SSD and/or repairing another might be enough to resell the device without any locks but I'm not 100% sure about that.


Every device up to the iphone X has been cracked btw so the factory reset protection can be bypassed.


Can you provide some links?


> I don't understand what's the problem T2 is trying to solve by its existence.

watch the 2 security briefings that Apple delivered at black hat. i think they are 3 years apart and each touched on different aspects. i might be misremembering and T2 is covered in just one of them.


Additionally charging on the left side ports makes the T2 chip overheat and crashes the machine on occasion.


What if you have a model with ports only on the left-hand side? Does it crash it as well?


I'm not sure. I have a 2019 mbp 16 with a dodgy logic board and while it crashes even without charging on the left it definitely crashes more often when charging on the left. I'm stuck in limbo because I need my machine for work. Will take it in when I have a break.

Some threads https://discussions.apple.com/thread/250905859

https://forums.macrumors.com/threads/2019-16-inch-macbook-pr...


I also have 2019 MBP16 and i am using a dock/charging on the left side - i think the system froze once in a year so i don't seem to have this issue.


Did you buy the stock spec or custom?


Stock with i9, 16GB RAM, Radeon 5500m, 1TB SSD


Are the Apple Stores in your area even open to take the laptop in? I have delayed my attempt to get my keyboard looked at because of Covid.


In Berlin everything is pretty much open (loosely enforced indoor mask and social distancing mandates). They’re not trying to eliminate the virus here like they do in Singapore or Australia. They track 3 values and depending on the scores they escalate or ease restrictions.


Have found success with pressing hard on stuck keys to unstick them.


Mine doesn’t.


REALLY?

Okay, I'm going to test this.

I noticed odd hangings and cpu hitting high temps on a MBP 2018' w/ dell usb C dock on left side, meanwhile right side is fine but I had to reboot randomly and sometimes it will just crash.

And this is a MBP on a laptop stand.


Docks on the left side, or similar devices which provide both power and send data, seem to be particularly problematic. On advice of my employer's IT department I went from "spinning up new VMs in VirtualBox reliably leads to thermal excess, CPU throttling, and total system shutdown" to a system that actually works -- just by moving the dock connection to the right side.

It's a little funny because the advice used to be you should use the left-side USB-C ports first because they were faster (both for data and charge, IIRC?)


What? I have to test this. I have my 4k monitor also providing power. Being a lefty I always plug it into the left side. Need to test this. Thanks for the information.


On one of the older MacBookPros, the left hand USB port was USB3 while the one on the right hand side was USB2


T3 vs USB3, not USB3 vs USB2.


I said OLDER MBPs. This was before TB3 was even a thing


I never had mine crash, but if I charge on the left hand side, the temp of the laptop increases to the point of needing the fan. Charging on the right hand side does not cause this problem. I had never paid attention to what side I was charging on until earlier this year when someone posted about it. After trying the right hand ports, I could see a difference.


Yes it was with specific models, but it's got nothing to do with the T2 chip. https://apple.stackexchange.com/questions/363337/how-to-find...


The new keyboard is no longer horrible beyond index. Unfortunately, it's merely adequate, which at least in my book is unacceptable for any $1k+ laptop, let alone $3k+.


I am at MB Pro #3 in as many years. We replace around 2 percent of or colleagues' machines per week. Some because of the keyboard (they go into repair and are rotated back) some because they stop working from one moment to the next (also into repair, but only once, after that if it happens again they're scrapped). All three of my MB Pro devices were in repair once because they stopped working costing me one additional day of setup of a temp device. And also one day for setting them up again after they came back. When they died for good another day for a temp replacement until the newly ordered one arrived and it was another day of setup. So I am currently quite well versed in setting up a MB Pro and have it scripted as far as I can thanks to homebrew and the like.

But replacing 2.5k every year with additional repairs in the 700 Euro range isn't viable.

Sadly we are primarily a Mac shop and I have to say that Keynote is by far the best piece of presentation software I know of. But none the less. The hardware is currently unacceptable imho.


T2 is a nightmare for people who want to reinstall. I reinstalled a machine for someone and it was a mess of 2fa and other nonsense.


Yeah if you want to wipe a laptop, make sure you unlink your user account first. It's Apple's theft protection, same as with their phones. It'll want to see a successful login with the Apple ID.


This is the worst. So many people seem to forget their apple ID password but remember their screen unlock password. I saw a case recently where someone had an attacker get access to their apple account as well as everything else. I was able to do a fresh install of their windows laptop but I was unable to reset the persons iphone because the attacker had changed the apple id password.

I have also seen many android devices bricked by the same anti theft protections.


Yep we have a whole box full of perfectly good phones and that's just for one office :(

However Apple does unlock them if you can prove ownership. You need an invoice with serial number. It's a lot of hassle but it works. The reason for that box is that we didn't get serial numbers on the invoices for a long time :(

It's another one of those things that are supposedly for the benefit of the consumer but also really supports the company's bottom line by having to buy a new product. I'm always a bit dubious of their motives. I do see the benefit of such features. But they should have some kind of workaround for unlocking it. Such as a card with a QR code that you get with the phone and keep on file or something. Because theft isn't the only way you can get locked out. And since the fappening Apple is really difficult with resetting passwords, in some cases people just can't make it happen.

Android is even tougher but our local carrier can send them for repair to unblock them. Also, Samsung KME overrides the lock, which makes sense because it proves the device is company owned. I wish Apple DEP could do this too.


How old are the phones? Everything up til the X can be hacked now to bypass that I was told. If the company has no use for them you could probably make a huge profit unlocking all of them.


It's ok, the T3-based MacBook Air is due out next month.


> Apple went all in on the security of this T2 chip so that you cannot replace the SSD

That's not a security thing, really. It's easy enough to layer encryption on a normal SSD. It's their desire to make it some kind of do-everything auxiliary chip, which has the end result of weakening security.


Plus don't talk about display. Its has serious flaw. Like most macbook 2017 have lines on bottom due to apple placing controller in tcon board. What a trash .


Oh wow! This probably explains why every now and then when I wake my MacBook Pro from sleep it says no keyboard is connected! I thought I had some hardware problem on a basically brand new machine. Glad to hear it's only a stupid software problem!


If you're using Cisco Anyconnect, blame that for that particular keyboard issue.


Or Wireguard.

The absurdity of sitting in front of a frozen keyboard and trackpad for up to a minute before I can unlock the screensaver on a 2k machine has driven me spare. And now has driven away from these astounding lemons.

This is the last Apple laptop for me.


Why not blame the idiotic decision to make this network check just to wake up?


I think the threat model here is that someone might've swapped out your keyboard to one that's spying on you, whilst you're out at a conference enjoying the more social aspects of such gatherings. At the same time, if you were to not be connected to a network, this kind of verification wouldn't do anything.


I don't believe this is ever the case. What happens if you legitimately installed a new keyboard? Will Apple just... prevent you from using it?


I have a 2017 MBP. There are several keycaps that that are no longer physically connected to the key, so if I tilt the laptop 4 or 5 keys fall off. I have been dealing with it by using an external Apple keyboard (with added benefit of having 10-key and full sized arrow keys). Since it's on a desktop in this config, I have it set to never sleep so luckily I have not seen this unwakeable fuck up.


Apple has a three year warranty which means yours may have run out or is about to run out.

If you still have time, get your keyboard replaced for free: https://support.apple.com/keyboard-service-program-for-mac-n... (it also means they have to replace your mobo and battery due to brilliant Apple engineering).

It doesn't fix the problem, but it resets the clock until they fall off again. In Texas, it was <48 hours between dropping my Macbook off at the Apple shop and receiving it on my doorstep.


I just followed your link, and had an interesting experience. Of all of the Apple Stores and Authorized Repair they do not appear to be accepting repairs. Everyone of them tell me: "This location has no available reservations. You can check another location now, or check this location again tomorrow."

Can't even get far enough to see if the repair would be covered. Good job Apple


48 hours is pretty optimistic. At least for the 2016 model they can't just change the keycaps but they'll have to change the whole bottom case. This took a few weeks for me since I had to send it to a certified repair center.


That's the same for the 2017 model that I had to fix. I got a new mobo + battery. Convenient because my battery was in dire need to servicing.

I heard it would take weeks and even had a backup laptop ready, so it surprised me when it came <2 days later. It was my original laptop too (had all my data and the same dent).

Oh well, the new models don't have this issue anymore. What a fuck up.


The big question is will they extend the warranty by the number of months the Apple Stores were closed due to pandemic lock down? My keycaps didn't start misbehaving until about April.


> Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

I had the same thing happening to me but Apple changed the complete keyboard under their extended keyboard warranty programm (even though it was out of Apple Care already).


Before 2019 if you use the factory standard keyboard Apple will just prevent you from using it (butterfly).


Huh? When I’m out socializing there’s no spying to do. But as soon as I get back I will just log in and the spying begins.

I’m so accustomed to flaky peripherals with Apple products I wouldn’t even be alarmed at the behavior.


I think you misunderstand.

The idea is that if your keyboard is replaced with a keyboard that has modified (hacked) firmware, your computer will refuse to let you use it.

To do this, it must obtain a cryptographic attestation from the keyboard firmware, proving that it has not been modified. Further, to avoid replay attacks it must include the current time in the message it signs. NTP is used by macOS to determine the current time, so as to verify the signature provided by the keyboard.

So, if NTP is slow to respond or time out, you are stuck waiting for your Mac to verify your keyboard's signature.


If I was an attacker I would simply hook into the key matrix. The extra obfuscation in firmware is just user-hostile and stupid.


So they introduce a major usability breaker (consider opening up your macbook on a plane with no internet access) to prevent a really obscure security issue that requires an attacker to replace the entire system's top case without you noticing. Nice.

At least give the user the ability to turn that off.


What happens if you have networking turned off or your WiFi isn't configured for the local network?


Per the grandparent...

> At the same time, if you were to not be connected to a network, this kind of verification wouldn't do anything.


> Further, to avoid replay attacks it must include the current time in the message it signs.

Use a counter...?


I'm not trying to defend Apple here, just explain the mechanism to the parent.


Oh, okay. You said "must" so I was wondering if there was another important factor.


Sorry, that wasn't the best word choice. Certainly a counter is another viable way of performing that check. (And obviously comes with its own set of trade-offs which I'm not interested in performing value judgments on!)


I was thinking of an external keyboard. That might be the cause of confusion.


Ugh, Cisco AnyConnect, had my MDM policy erroneously install the 32-bit version of it and removing it required finding a shell script in /opt/cisco and running to deregister it before I could install the updated version. So much fun!


So I'm not the only one?! Holy I thought I was going crazy, dropping out of the VPN meant a ten second freeze until a couple of weeks ago. Do you have any additional sources?


It's any VPN software that is always-on.


Happens with the built-in, first-party VPN client as well. Definitely not just a Cisco issue.


Oh my gosh this explains so much.

I blame Apple though for their terrible software.


omgggg it's not just me?! I thought it was bad hardware. this is both good and bad news; at least I can sort out a way to mitigate this now.


> but is it really that hard to document these behaviors?

I imagine it is, given the bureaucracy of a big company. Apple's documentation has long been really dreadful, mostly nonexistent and where it does exist, usually incomplete and even wrong. I've assumed it was because the code itself is developed by isolated groups while the documentation presumably has to touch all sorts of people (publishing, translation, language checks, ...) in a kind of Conway's law.

However, hard or not, writing comprehensive documentation is quite doable. I have never been a fan of the Windows programming model but I have long admired not just MS's documentation but the amount of effort and commitment they obviously put in.

Apple cares about some things but in this regard it appears they simply don't give a shit.


> Apple's documentation has long been really dreadful

Developer docs for most of their libraries are usually just the method name in a large font and the parameter types and that's it.


Online documentation. For some reason the qualification is necessary because their header files have a bunch of information that whatever script or tool that generates the webpages doesn’t catch.


> Apple's documentation has long been really dreadful, mostly nonexistent and where it does exist, usually incomplete and even wrong.

Anyone want to tell him about Microsoft's Azure or .NET documentation?...

It's the same all over.


MS docs were great, but after they took down MSDN and let the "community" maintain them on Github, it's been going downhill.


Yeah, I am talking of the old windows mfc doc that came printed on paper.


Makes one wish Woz’s Apple was still around (and yes I know Jobs tried as hard as he could to put a monkey wrench into that at the time)


Holy cow, you just explained a load of weird keyboard behavior I was seeing after waking from sleep.


I'm seeing this weird keyboard behaviour on wakeup with my 2012 MBP running Catalina too


> Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

When did they start doing this? I'm still using High Sierra on my 2018 MBP work laptop, because the keyboard and trackpad was freezing for anywhere up to 5 minutes or more with Mojave after a wakeup (usually after a long sleep). Downgrading to High Sierra fixed it, but fighting with the machine was such a pain I haven't dared touch it since.

I'm wondering if you're describing the problem I was having, but could never figure out.


Unrelated but has anyone often had Chrome going on cpu usage rampage and unresponsive fairly frequency on 'wakeup from sleep'? It's almost certain to happen if the chrome has been updated and waiting to be restarted.


That's how typical Apple "magical/just works" features are implemented, i.e. very ugly behind the curtain.

Documenting means revealing the edge cases and the limitations, which engineering knows is the best kind of documentation. But marketing people are invested in the "magic".

Marketing people have too much sway at Apple.


> your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard.

Holy shit, this is why my macbook sometimes won't let me log in for like 15 seconds on my shitty cellular hotspot connection? Absurd. Apple software has fallen so far from just 10 years ago.


Great... Well, that explains the crappy response on some bad connections.

I really wish Apple executives were forced to use their computers on crap wifi. Who am I kidding, I would imagine Tim Cook hasn't used a Mac in years.


The keyboard thing is new to me, wow that sucks. The other one sounds like a workaround for captive portals. I think there is some documentation on that wrt Safari and the built in networking, but it was mostly a workaround needed to deal with wifi hotspots that intercept dns until you pay/subscribe, and it causes safari to look hung - so they had to make it clear it wasn’t their browser hanging since it couldn’t make SSL connections.


Cool, can you reference some docs or any communication from Apple re the captive portal workarounds?

It feels rather heavy handed as there are ways other systems have worked around this that don't hijack routes.


I don’t work for Apple, you might ask their developer support.

A quick search for Captive Network Assistant shows it’s not documented.


OS is a weird design. It lets the machine belong to Apple/MS/Google not we, so they could update whatever they want or query to their website secretly. You can't even stop them because once you installed you agreed for all. You don't have choices to partially agree. It makes me feel like when you have a cecal surgery, the doctor also took out your foreskin for auto-updating.


You actually just helped me diagnose a really annoying bug I've been having lately. When I wake up my Mac from sleep mode the keyboard and mouse are unresponsive for a up to a few minutes in some extreme cases, sometimes I even have to hard reboot. I found online that it was related to VPNs trying to restore their connection but I could never find the link between the keyboard and the VPN.

It was also compounded by the VPN setting I use to disable all traffic until it successfully reconnects. Meaning whether my computer works or not is dependent on my VPN providers reliability.

Now that I know Apple thinks I need an internet connection to wake up my laptop securely I'm quite pissed by this. Brand new $4k laptop is a paperweight if my VPN can't connect.


I'm working from home now, and in my company we use Tunnelblick for vpn into corp network. VPN has time-based OTP so it never gets saved.

Sometimes when my MBP goes to sleep it loses wifi connection and VPN disconnects. When it wakes up, Tunnelblick asks for password, but it doesn't restore routes (I guess?). Basically no internet until I either enter password or click disconnect. At that moment I'm typing in my OS password and pressing Enter.

What then happens is that it waits for ≈30 seconds and then logs me in, as if it made a network request and waited until it timed out.

Could it be related to the issue you're describing?


Another reason why I'm going to stick with Linux for the foreseeable future.

I just wish the font rendering situation on Linux was better though. Text (in browsers) just looks so bad on Linux compared to both Windows and mac.


No, it's fine, just needs a bit of tweaking: https://aswinmohan.me/posts/better-fonts-on-linux/


Thank you!


do you have a source for the keyboard part? I experience odd delays in typing and this would definitely explain that.


The other odd delays are from gatekeeper checking each command you run via the network.


I was trying to figure out how my routing table was set up on my iPad and I found out that iOS doesn't expose any interface to routing tables, at any level of privilege. Very frustrating.


I think this is probably wrong. I don’t know what the interface is, but on my iPad running 14.0.1 this app shows a Routing Table that looks okay to me. https://networktools.he.net/


> wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard

... and what if your network is down? You can't even use your keyboard?


I should've clarified - it only does this if there is a default route. Funnily enough, whilst the firewalls in the original twitter post would possibly fail to catch this traffic, PF will block it just fine.


This mindset probably explains why I have such issues with Apple products when my connection to the internet goes down, but the internal network infrastructure (including DNS server) are perfectly fine.


Having a default route does not mean the internet is reachable.


I wish Apple agreed.

But on the other hand, there are use cases where checking for the existence of a default route is the best heuristic.


I mean that's what a default route is supposed to mean, right? That this machine can route to any address. It might not get there because of a firewall, or because nothing is at a given address but you're at least claiming to know what to do with a packet destined for anywhere.


I think that’s a reasonable assumption for applications to make. I think that’s a less reasonable assumption for your keyboard to make.


Probably why the other discussed function exists:

> Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

So if the default route doesn't exist yet since it's still checking for internet, it would let you use the keyboard. DHCP probably runs every time the NIC is turned on (like from sleep), and they could just disable this function if you've set a static default route (since they may not be able to reach their NTP server on that route).


The default route verification is separate from the keyboard issue. I don't know exactly what is going on here, but in the above post what I mean by the system applying a default route is that the route isn't propagated to the system configration's dynamic store and whatever macOS uses for netlink, i.e. the route doesn't show up in `route monitor` until the check finishes. However, I do believe it would still be used at some level, either on the T2 or in the kernel to do the NTP stuff.


The T2 has its own OS, so that makes sense.


That is exactly what happens if you use VPN clients.

The machine is basically frozen at login until some timeout hits.


When I had the authenticate with watch option enabled, and for some reason the watch lagged, the Mac didn't allow me to log in with my password or finger.


> For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard.

Aha so this is why I need to put my MacBook back to sleep after waking on a spotty WiFi connection or when it was previously connected to vpn which timed out during sleep!


check out their captive portal detection. It's a mess of apple-specific garbage.


Hmm is this also why I can't use my bluetooth mouse at the login screen?


Would certain go a long way to explain why waking my MBP up after going AFK involves an affair that requires me to undock it from my vertical stand, entering password, and awkwardly trying to place it back into the stand, reconnecting peripherals while slapping the BT keyboard endlessly so it doesn't go back to sleep after login.

Quite annoying.


> reconnecting peripherals while slapping the BT keyboard endlessly so it doesn't go back to sleep after login.

https://www.cru-inc.com/products/wiebetech/mouse_jiggler_mj-...


What's the DNS name and type that gets looked up?


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: