[flagged] Forbidden Commands to Speed Up macOS (naut.ca)
62 points by rubatuga 74 days ago | 29 comments

Honestly, this may as well have been titled "Disable security to speed up macOS," which afaik is a fairly well-known tradeoff in just about any piece of software. The article even explicitly says this:

> First, ask yourself, would you like to undo a decade of security protections painstakingly created by Apple, protecting your Mac from malware, spyware, and ransomware? [...]

> [...] Speed and convenience over security any day! Let us march on boldly! The steps listed below will give you a short description of each protection we disable, [...]

When Apple's OCSP server went down yesterday, people kept talking about how they were going to switch away from macOS, now that they knew launching apps was (semi) dependent on an external server.

And if you want to switch, that's fine—but, if there are other things you like about macOS, you could also just set it to not make these checks.

There was also plenty of "helpful" advice making the rounds that more or less amounted to permanently blocking Apple's OCSP server.

It's a real shame that it's usually not the same people suggesting/applying these "pro hacks" to other people's computers who will end up spending hours on the phone with less tech-savvy friends and family members trying to get their things back into a secure (or just working) state.

Your less tech-savvy friends and family members aren't reading Hacker News. People will always be able to make a mess of things.

Personally, when I'm trying to fix someone's computer and I notice weird things have been done, I immediately recommend backing up files and doing a full reinstall. (And I'll offer to do the reinstall—which is easy—provided they do the work of backing up important files.)

They definitely will, but I think it's always worth keeping in mind before firing off a "how to be more clever than your computer/OS manufacturer" piece.

I honestly don't mind the slightly longer startup times for apps since I keep most of them open until I restart my computer.

I would like to know, however, if this tradeoff has been worth it. Does anyone have any statistics on whether this has helped reduce the amount of malware ran by users?

For some reason these high startup times also apply to any shell script I write, any binary I compile from the command line.

I read somewhere that Xcode can bypass that because it's registered as a developer tool. There were some instructions saying that adding Terminal.app to the developer tools pane in security preferences would solve my problem, but it didn't.

Butchering OCSP by fiddling with /etc/hosts still didn't fully solve the problem: it still takes 200-300ms to start any new binary the first time. But at least it's no longer up to several seconds in case of bad networks.

My own personal experience with `sudo spctl --master-disable` (which is narrowly-focused on large numbers of new script executables, not full apps) suggests that it only stops syspolicyd from using the networked assessment's return, not from performing the assessment.

In a narrow test it seems like it may very slightly improve performance, but I did a fairly large multi-project test with this setting in CI and saw no real impact.

By contrast, a narrow test with the "Developer Tools" security exemption added to my terminal unambiguously demonstrates the large potential performance improvement of actually skipping the assessments.

Unfortunately, the exemption only seemed to work for apps, so I never identified a way to turn the assessments off in CI. Also, it causes my laptop to hang until I hard cycle or watchdogd kills it (after 5 minutes) on shutdown (I did all of this in Catalina, though I verified this was still the case midway through Big Sur beta; have not verified on final release).

So I suppose the question is, what is the best way to actually get the stability/performance increase? Is blackholing the DNS request the best way?

I didn't try any networking approach myself so I can't attest to the best.

I was on a narrow search for any cheap, reasonable solution I could recommend for Nix to mitigate the performance hit at install or run time, while avoiding any security/config/functionality splash damage that might end up on the front page of HN some day :)

Another hack for those of us on underpowered MacBooks with Retina screens is to set a non-Retina resolution with RDM:


My favorite part of this was learning that the flag to disable AMFI is "amfi_get_out_of_my_way=1"

The URL to crash Chrome (to test its crash reporting) is inducebrowsercrashforrealz. Developers have a sense of humor for things they don't want you to do.

Funny how these would be decried as "arcane command line wizardry" and held up as examples of how the OS isn't a serious contender for general use if ... it wasn't macOS.

Is there really much of a performance impact here?

The computer overall seems faster, but for a real example, I can tell that starting VS Code takes less time than before.

"Seems faster" definitely isn't the level of proof required to justify recommending that people butcher their OS's security.

The placebo effect doesn't only apply to medical ailments.

Also, sticking it to overbearing Apple is fun – until it bricks your computing device or makes it vulnerable to all kinds of malware and you end up on the receiving end of a ransomware or other extortion attack.

No. There’s a tiny improvement on opening apps. Absolutely nothing more.

And of course the cost is disabling a bunch of very real security protections.

If you want a real-life example of multi-second lag from macOS code signing that affects me personally, please check out this GitHub issue:


@zepto It’s been happening since a few months ago, and I found out about the fix just last week.

Seems like a problem with VSCode, not macOS.

Does that happen always, or just when Apple is having server problems?

I just opened my VSCode terminal for the first time on a freshly upgraded Big Sur system running on 6-year-old hardware and it appeared in less than 1 second.

Part of it is security, part of it is lock-in. Either way, it’s excessive. It contributes to entropy more than security.

People keep saying it is lock-in without any justification.

Notice that these things can all be disabled.

Lock in really has nothing to do with things like SIP.

It has to do with things like platform differentiation.

I.e. software and device support for which there is no good alternative.

It feels like lock-in to me. It keeps getting more difficult to develop for Mac, which I think will kill the free software scene for it.

Honestly, it's almost like Windows programming in the late '90s. You had only one real option, Visual C++, and you either paid out the ear for it or pirated it. That restrictive approach doesn't work, and Microsoft learned that. You can't make developers pay to make your platform worthwhile.

Rudimentary dev tools like Xcode are not added value worth $100/yr and 30% of your profit. Other platforms provide better tools and more flexibility for free. People will wise up eventually, and I think that's already happening.

Sorry for getting off-topic. I used to be a fan of OS X, but I'm really disappointed in the direction they took things.

@dang I'm wondering why this disappeared off the front page?

The usual reason: users flagged it.

Is there any way to unflag it?
