
Bringing free antivirus to Mac is a good thing IMO, especially since Microsoft has been doing the same for years.

I'd like to see much more behavioral analysis like the leading AV companies do, rather than just fingerprinting but it's a good start.

One thing I don't like about Apple's approach to security is locking the user out, making the OS like a black box. For me the user should always retain the last word. Until now most of their work has been in this direction (and the direction of iOS) but I'm pleased to see they're looking more into mitigation rather than just prevention now.




> One thing I don't like about Apple's approach to security is locking the user out, making the OS like a black box.

If we're talking about prevention of execution of unknown applications, that's not existent. Right click any application, click open, and it'll show you the same warning with "Open" added. So, you can always override Apple's warning.

I like how macOS makes you read the warning box before making a decision, tbh. Yes, it's no Linux in terms of flexibility, and freedom, but I like the OS nevertheless.


That's just not true. Try to modify any system software and see what happens. (i.e. install a kernel extension).

You're only talking about user-level modifications.


Yeah for that you have to boot into recovery and turn off SIP but then you can still do it.


Windows is not at a different place. The boot chain is incrementally locked down. Also, due to unfettered access throughout Windows API, adding extra kernel modules was not widespread under Windows.

Just because you can modify Windows, it doesn't make it a better place overall. We have witnessed what happened to it over the years.

At the end of the day, I'm a Linux guy and strong GNU proponent. The reason I use Mac laptops is because of the hardware & software integration they provide, plus I always keep a virtualized Linux installation on top of it.

If macOS was not interoperable with Linux, I'd not be using it.


Windows also has a bunch of protections against modifying the kernel. Ironically this wasn't done to defend against malware but to defend against _antivirus vendors_ patching the kernel and making the system unstable.


Ah, thanks for reminding me of that. They've removed a bunch of hook redirection facilities IIRC, and all hell broke loose.

I haven't used Windows as an operating system for close to a decade, so I forget (or don't know) things like that.


People have been talking bs about Windows for a long time, but I think Apple will do even worse than what MS did to Windows. As something gets more popular (in this case, macOS), unfortunately it falls victim to corporate greed (telemetry, forced updates, etc.)


It depends on the profit motivators. Windows fell victim to telemetry and forced updates because Microsoft’s business model might not be what you think it is.

Apple has a simple business model for macOS. It exists solely as a vehicle for selling Macs - premium computers with (most importantly) a fat profit margin.

Keeping the customer wanting to buy new Macs (and maybe that new iPhone…and that Apple TV+ subscription…) is what drives their OS to be, generally, much less user-hostile than Windows. The user is the customer; whether through direct hardware sales or through the subscription purchases those hardware sales lead into.

Microsoft, in turn, sells Windows to OEMs and the business world via bulk licensing. You, the consumer, buying a Windows 11 license is not what’s funding Satya Nadella’s new private island. It’s Initech Corp. buying 5,000 PCs with Windows because “no one ever got fired for buying IBM.”

Disclaimer: this is largely all speculation, and if I am off the mark, do let me know.


>It exists solely as a vehicle for selling Macs

First, Apple now has a vast ecosystem which they are trying to promote, be it music, movies, TV, advertising, some of it requiring or optimized for their hardware. It goes beyond selling Macs.

Second, Microsoft is also trying to sell PCs. I don't buy the idea that they can be explicitly anti-consumer and get away with it. Backlash against the OS would hurt MS's bottom line perhaps more than Apple.


> Second, Microsoft is also trying to sell PCs. I don't buy the idea that they can be explicitly anti-consumer and get away with it. Backlash against the OS would hurt MS's bottom line perhaps more than Apple.

https://www.windowslatest.com/2022/08/30/former-microsoft-en...

Having a start menu filled with ads with Microsoft, yet again, reminding everyone that Edge exists, is a bit anti-consumer in my opinion.


Outlook on iOS pushes Edge every time one clicks on a URL.

It's easier to uninstall Outlook than to get rid of that ad.


Gmail wastes 10% of your mobile inbox screen real estate on a large bar at the bottom of the screen whose only function is to let you switch between email and their attempt at a Zoom competitor.


> Gmail wastes 10% of your mobile inbox screen real estate

At least that one is easy to disable.


With respect, I don’t think you read my post very carefully before replying.


Macs are a small part of the Apple revenue. Apple is no longer in the computer/phone business. It is in an ecosystem business wherein it can keep on adding a deca-billion dollar vertical every few years.


to be fair, microsoft has been awful at this from the very beginning and got progressively worse.


> So, you can always override Apple's warning.

Sure, but the OP's comment is about Apple in general, not macOS. Try overriding the warning on iOS, for example.


The thing is, iOS's security and application model was like that since the beginning. Tech-minded people buying into Apple ecosystem knew these details from the get go. I personally accepted these terms before getting my iOS devices, for one.

It's not like the Android ecosystem, which started as an open source free for all mobile OS, which iteratively locked and closed down, starting from Google integration to OS and boot loader level.

Now, Google is preparing to throw the Linux kernel out of Android for an even more tightly controlled Fuchsia kernel. I'm hoarding my popcorn and waiting for the day when the hardware vendors stop building their Fuchsia drivers to control how they deprecate their hardware, and fine-tune their bottom lines.

The response from the community will be worth a watch.

Also, in pure irony, Apple is preparing to allow application sideloading.

Interesting times, indeed.


> Also, in pure irony, Apple is preparing to allow application sideloading.

Only because the EU is preparing to force them. Apple is still very strongly against it. Recently they listed a bunch of reasons why they think it shouldn't exist.

But they know this is coming from the EU so they're probably trying to do it on their terms while they still can. Give as little as possible to the users to keep the EU off their back.


> One thing I don't like about Apple's approach to security is locking the user out, making the OS like a black box.

You can still turn off an awful lot of the security features in macOS. Some require a reboot, but still, the option's there for developers and power-users, if they prefer or require riskier operation.


Yes but that's all or nothing then. And you lose out on some functionality.

There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.

This is not OK, there should be a way for me to sign files so they are marked as valid.

I don't think the read-only OS partition or the SIP is a bad idea. The bad part is that Apple is the only one who controls it.


> I don't think the read-only OS partition or the SIP is a bad idea. The bad part is that Apple is the only one who controls it.

Not true.

Most of Apple's features are for keeping newbies and users who think they know what they're doing from shooting themselves in the foot.

Apple documents how to disable SIP [1].

[1]: https://developer.apple.com/documentation/security/disabling...


You cannot re-enable SIP with a different root of trust, it’s Apple or nothing. That’s unfortunate.


If you are smart enough to turn off the SIP training-wheels, you are smart enough to figure out for yourself which software you trust to install


With all due respect, a person doesn't have to be that smart to cut and paste something from a Google search while not completely understanding the consequences.


> There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.

Does putting your custom options in something like:

/etc/ssh/sshd_config.d/disable-passwords.conf

no longer allow custom sshd config to survive updates? It's like if you're configuring daemons on, say, Ubuntu the "right way" so you don't get a ton of those prompts during apt-updates asking you if you want to accept the maintainer's config file or roll the dice and keep your own.


Good point, I have not tried that. Pretty sure when I still used macOS this didn't work. I think Mojave or Catalina was the last one. In the end I just had enough of macOS, this was only one of the many reasons. The lack of choice in UX configuration is another one.

Opinionated software is great if your opinion is aligned with the vendor's but Apple has been moving away from mine ever so slowly since peak macOS which was around snow leopard for me.

I really love how KDE gave me all the options back that I missed for so long. Finally virtual desktops in a grid again. And choosing what I want my UI to look like (and not forced changes on me every year)


The problem is that any way for you to sign files is also a way for malware to convince a less technically-adept user to sign it. Even if the dialogue that pops up for this says “Never ever do this unless you know exactly what you are doing, if a program you are running brought this up then it is probably trying to HACK you!”, people will click through it on autopilot and then maybe go ask what it meant afterwards.


But then they get exactly what they deserve.

I have a feeling it's not only that though. Apple is rapidly expanding from a hardware to a media content vendor and they have reasons to want to protect their own content as much as possible.


> There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.

This is now possible for SSH, btw.

They finally support /etc/ssh/ssh[d]_config.d/ where you can add your customization files, and they won't be squashed by an OS update.

So they finally picked up on the technique Linux has been using forever.
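
Added example, not part of the comment above or of Apple's or OpenSSH's code: a drop-in only takes effect if sshd reads it before a conflicting line, because sshd keeps the first value it obtains for each keyword. The script resolves the winning value for one keyword over a constructed config tree; the function names `effective_sshd_option` and `build_sample`, the sample files and the placement of the `Include` line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Resolves which value sshd would use for
# one keyword across a main config and its Include'd drop-ins. sshd keeps the
# FIRST value it obtains for a keyword, so the position of the Include line
# decides whether a drop-in wins. Simplified: "Keyword value" lines only,
# global section only, relative Include paths resolved against the config's
# own directory (real sshd resolves them against /etc/ssh).

# effective_sshd_option <config-file> <keyword>   (hypothetical helper)
# Prints "<value> <basename of file that set it>"; returns 1 if never set.
effective_sshd_option() {
    _cfg=$1
    _want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _dir=$(dirname "$_cfg")
    while read -r _key _val _rest || [ -n "$_key" ]; do
        case $_key in ''|'#'*) continue ;; esac
        _lkey=$(printf '%s' "$_key" | tr '[:upper:]' '[:lower:]')
        case $_lkey in
            match) return 1 ;;   # conditional blocks are out of scope here
            include)
                case $_val in /*) _pat=$_val ;; *) _pat=$_dir/$_val ;; esac
                for _f in $_pat; do   # glob expands in lexical order
                    [ -f "$_f" ] || continue
                    # Recurse in a subshell so our loop variables survive.
                    if _hit=$(effective_sshd_option "$_f" "$2"); then
                        printf '%s\n' "$_hit"
                        return 0
                    fi
                done ;;
            "$_want")
                printf '%s %s\n' "$_val" "$(basename "$_cfg")"
                return 0 ;;
        esac
    done < "$_cfg"
    return 1
}

# build_sample <dir> <first|last>: constructed config tree for the demo.
build_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
        > "$1/sshd_config.d/disable-passwords.conf"
    if [ "$2" = first ]; then
        printf '%s\n' 'Include sshd_config.d/*' 'PasswordAuthentication yes' \
            > "$1/sshd_config"
    else
        printf '%s\n' 'PasswordAuthentication yes' 'Include sshd_config.d/*' \
            > "$1/sshd_config"
    fi
}

tmp=$(mktemp -d)
build_sample "$tmp/a" first
build_sample "$tmp/b" last
# Include before the vendor line: the drop-in wins.
echo "Include first: $(effective_sshd_option "$tmp/a/sshd_config" PasswordAuthentication)"
# Include after the vendor line: the drop-in is silently ignored.
echo "Include last:  $(effective_sshd_option "$tmp/b/sshd_config" PasswordAuthentication)"
rm -rf "$tmp"
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check after adding a drop-in.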


What about editing `/private/etc/ssh/sshd_config` does not persist for you?


That file is overwritten on OS updates. At least, it used to be.


This yes. It even used to put it on the desktop in a passive aggressive way of saying "keep your shit to yourself" :)


The issue is most users would be better served with a black box. If there's a way in, malice will get there, regardless of user and developer intent.


And this arrogant "we know better than you, plebes" is why I don't buy apple shit.

My money, my hardware, my control. Not negotiable.

(Edit: this applies to all their offerings. Iphone is already anti-user and effectively a rented device. Mac laptops are heading that way. Do not want.)


… and that's your choice!

In their defense—both Apple's, and the public's—the general populace is, like, 99.99% OK with outsourcing those choices to a company that's way more interested/invested/capable in knowing better than they would be on their own.

Is it arrogant if the public continues to reward/reaffirm it?


> In their defense—both Apple's, and the public's—the general populace is, like, 99.99% OK

The majority of customers purchasing one of two options in a duopoly isn’t really an endorsement of the options, but rather a critique on the lack of options.


Nonsense. At various points during iPhone's lifetime, customers had the ability to choose Windows Phone, Nokia, Symbian, Blackberry. People who wanted cheap or hackable phones went with Android, everyone else bought iPhones. Just like today!

Other operating systems were available in the past, and you can release a RISC-V Lisp OS phone incompatible with everything else tomorrow if you want. Just like in the past.


… however, the market decided years ago it didn't want to support a multitude of choices, when all other viable options went belly-up, or currently fail to get traction … or, to be fair, can't compete with the giant marketing machines of the remaining parties.

It's just that most people don't care that much.


I agree it's mostly between the customer and apple but just remember that most people don't know anything about computers at all.

Even people who have heard of Linux for example's opinions will have mostly been set by people shilling for Windows and so on


> the general populace is, like, 99.99% OK with outsourcing those choices

Because they were deliberately made to feel helpless.

> to a company that's way more interested/invested/capable in knowing better than they would be on their own.

The company is "way more interested" in continuing to squeeze the $$$ out of you, and would rather you not know anything but be subservient to it, because then you cannot object.


72% of statistics are fabricated


[flagged]


Is it, though? Or is it evidence that Apple's products win out on usability for the majority of use cases that are relevant to their customers? That is compared to Linux, where you have to make an active effort to achieve the same level of usability.


So you’re saying that you know better what most people want in a phone than they do?

I bet if you told 100 random people on the street what they could do with an Android phone that they couldn’t do with an iPhone, 99 of them would shrug and not care.


The flipside to that is: do you outsource all of your opinions to "the actions of the majority"?

Ignorance is the default state and probably shouldn't be relied upon for, or even asked its opinion on, guiding the path forward.


No the flip side is that I choose the product on the market that best meets my needs as do most people.

I started programming in assembly in 6th grade in 1986 and by the time I graduated from college in 1996, I had dabbled in assembly for four different processors (65C02, 68K, PPC, x86) and I have been a professional hands on keyboard developer since then [1]. I think I have a good grasp on how this computer stuff works. I still prefer the Apple ecosystem.

Have you thought that most people don’t care about the ability to run a Linux shell on their phone? I certainly don’t.

[1] before I get called out, I’ve mentioned before that my official title now is “cloud architect specialized in application modernization consulting”. But that just means that I’m still just a “full stack enterprise developer” who also writes a shit ton of yaml/HCL/PowerPoint slides, “one pagers” and PrFAQs.


Same here. I just finished reading Raymond Chen's The Old New Thing, and it was really reassuring to read about the choices the Windows developers would make to always give the user the final choice over the programs. Hopefully Microsoft still has devs like these working there on the OS now.


Have you ever used Windows programs, though? Doesn't really work that well in the end.


They give you pretty much all control of the hardware. The ultimate sign of that is, that you can install Linux on the ARM macs now. Apple even made some steps to make this reasonable. You do have full control of the hardware.

On the other side, a booted macOS has certain limitations in place. Not even root is able to write to certain partitions and such stuff. This is not because "we know better", but because these limits provide some fundamental security. A partition which cannot be written to, cannot be modified by malware.

You can boot into a mode where this protection does not exist, but for productive usage, it is a good idea to have that protection in place.


It’s anti- noasaservice - most users are better served by appliance like devices.

Apple sells phones that are on average twice as expensive as the competition, but yet they still manage to have a 60%+ market share in the US.

Maybe they know what appeals to most users?


You can turn off most of the stuff that's keeping it out of "your control". I write "most" only to hedge—I'm not aware of any that you can't (though there may be some).


> Iphone is already … effectively a rented device.

Explain?


I wish guys like you would only use operating systems that you wrote yourselves.


[flagged]


[flagged]


Yes the only choices in life are: running a rooted Android phone, or being a mindless drooling sheeple drone


Mostly yes, but there are a couple of additional options: uMatrix, piHole, YT Vanced and variations on that theme.

;)


There's also the option of doing better things with your life and not worrying about what software your phone runs, in reality your life has to be really fucking boring for it to make any difference whatsoever.


A few years ago there was an advertising campaign run by Australia's massively dominant telco, Telstra. It went along the lines of a new business struggling to get their various comms setup via a number of smaller players, different ones per communications medium: Internet, landline, mobile. This faded to the advertising tagline of "Let's just get Telstra to do it": one-stop-shop for all your comms needs.

Having been responsible for WAN connectivity for a company with branches spread around Australia, I'm aware that the attitude of (added the first two words and comma for appropriate dramatic effect) "Fuck it, Let's just get Telstra to do it" will end up adding a good 30-40% of costs over and above alternate providers.

Moral of the story: The cost is worth it to some people, probably a majority of people because they just don't want to think about it, don't want to go to the extra effort, and probably won't realise the cost difference.

I'm not one of those people. I feel as if I'm quite "aware" of the nature of the world, and I react as per how I feel is appropriate. If that's "really fucking boring" to some internet rando, then, well, maybe I'd better re-think my entire life! Maybe I'll get Telstra to do it...


Making tech accessible and safe for people who don't know any better should always be welcomed.

But when you do that yet hide things from people who do know better, you're not making tech accessible, you're making tech worse.

I really don't like how these companies behave sometimes, their utopia involves people with 0% knowledge and 100% obsession.


> locking the user out

I wish ios would allow me to firewall my phone, even from apple.


Me too, little snitch for iOS would be fantastic at preventing so many apps from phoning home to analytics


For that can't you use Private DNS / Encrypted DNS pointing to a PiHole or nextdns etc? My memory is that iOS you have to change the DNS settings for each network which is sort of a headache, but one-time at least.


that only works for network requests that use dns. some (including a number of apple & google services) go directly to an ip address, which is why a firewall like little snitch is still valuable beyond dns-based blockers like pihole, nextdns, and adguard (this is what i use on ios). you used to be able to install an application firewall on jailbroken iphones, but i don't think that's an option any more.

on macos, i used to use hands off! from one periodic (and before that, metakine), but they've since disappeared. i now use lulu with pf firewall via murus lite as a backup, but may switch to little snitch again (used to have a license but was unable to upgrade it so switched to hands off! via a promo) for the better UX.


What Apple and Google services go directly to an IP address?


Mostly just their DNS service.


I tried Mullvad VPN and chose "Block Ad URLS", but then iCloud sync stopped working!


Isn't there something similar to NetGuard or TrackerControl able to be implemented on iOS?

<https://github.com/M66B/NetGuard>

<https://github.com/TrackerControl/tracker-control-android>


There are apps performing packet filtering by presenting as a VPN client. Can’t stop Apple bypassing that when it wants to, however.


No, the main issue is Apple considering themselves an unquestionably trusted party. Notarization and all other shit. I want to build a macOS app at some point because every single one of modern instant messaging clients sucks, but I won't be paying $100/year to be able to "notarize" it.

I had gatekeeper completely disabled, yet somehow it has recently reset to its asinine default and I got this "this app isn't from an identified developer, you should delete it" error. I hated it.

If you must do code signing for whatever reason, at least let me install my own roots of trust for developers I personally consider trustworthy.


> Bringing free antivirus to Mac is a good thing IMO, especially since Microsoft has been doing the same for years.

Apple's been doing it for over a decade https://www.justinrummel.com/apples-built-in-anti-virus-xpro...


Don’t forget many bad faith actors are financially not able to cough up the $200 fee.



