> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.
EDIT:
As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:
So yesterday I wrote about the blurring lines of ownership, and people came back with some fairly disparate responses. It's fair to say that I was mostly dismissed. https://news.ycombinator.com/item?id=25058952
And this is why I won't be moving to Apple silicon. Apple already has the ability to restrict what apps I can run (they can simply toggle a switch for all users to "no unsigned binaries"), and congrats! Apple is the sole decider of what we get to use on our computers.
Of course Apple's Craig Federighi assures us that the people making such assertions are "tools" (https://youtu.be/Hg9F1Qjv3iU?t=3177 , timestamp 53:33) and they have no intention whatsoever of taking away our ability to do general compute on the machines we buy and own.
Except...
Apple can already decide what binaries you can execute. Should they choose to.
Apple is now restricting what other OSes you can boot into. As they've chosen to.
Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.
It's clear where they're going. And I'm jumping ship. It's painful to do so, given how invested I am in the ecosystem, but we're already beyond the threshold that many of us would have left earlier in the decade.
---
edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer. Most non-Apple laptops don't have very good color accuracy. They also don't have good trackpads, and their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)
I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad so that I don't have to carry around a mouse, good speakers would be a plus, and light enough that I don't feel like I'm lifting weights while working on my laptop. And this package should ideally come with 512GB of SSD storage and, at least, 16GB to 32GB of RAM.
Oh and it shouldn't be more expensive than a Mac as many of these laptops are!
Yeah so basically in the windows world, a lot of the good laptops are under the "business class" of the various manufacturers:
Dell Precision, HP Elite Book, MSI Prestige
In the consumer world the Dell XPS, Asus Zenbook, Asus Pro Art are the way to go for a designer.
Dell Precision is probably the overall best laptop. MSI Prestige is targeted right at you though, with color accuracy and a good display. The only brand I can personally vouch for is Dell. I and my partner use XPS's, and a good friend of mine has a super nice Precision that I am jealous of (specifically the ports! I'm so over USB-C)
Lenovo Thinkpad is another popular line, seems conspicuously absent from your list. They're known to have good resale value, and to work well with Linux. If you're getting up to the Precision line, the Lenovo P series workstations are also worth considering, though given they're actually professional-grade machines with Xeon and Quadro parts they'll be more expensive than a Macbook Pro.
There are also boutiques like System76, that white label, upgrade, and manage driver compatibility for Clevo laptops which may be worth considering, they just came out with a new Lemur Pro like yesterday.
Check Thinkpad screens carefully as a lot of the new amd ones come with terrible 'business class' screens that I don't want to use as a developer, let alone as a designer .. and a repairman told me they are glued on these days so you can no longer swap them as you used to be able to.
> Lenovo P series workstations are also worth considering
I have a P72 and it is garbage. Plugged into a docking station it works OK as a really expensive mid-range workstation. Trying to use it as a laptop causes the fans to spin like crazy, performance throttled to shit and the battery life of maybe 90 minutes for even fairly modest workloads. The similarly specced Dell Precision I had before was much better in every way and was actually usable as a laptop.
The P5X series that many of my colleagues have seem much better.
The P4X series is also working quite well - I went with that for the smaller footprint. Since I mostly dock it, the smaller screen is acceptable for the limited amount of time I use it undocked.
I’ve also had tremendous Thunderbolt-related firmware issues that could only be fixed in Windows. If you use Linux, there are much better options than Lenovo. I still use my T480 daily but I miss my old XPS 13, which gave me no issues ever.
Exceptionally bad is a bit harsh. Windows is first tier support with Linux coming in as a second. In my experience they are pretty good about fixing remaining issues in firmware updates, which can be installed using fwupd (I don't have a Windows partition at all). I believe there's even a GNOME Software front-end if you prefer things being very easy.
I don't need to use throttled on my X1 Carbon 7th and they recently added mainline support for the fingerprint reader. All I had to do was enable it in GNOME Settings.
I love my X1 (also 7th). This is the laptop which made me retire my actual desktop. Bought a docking station and a MOTU 8A for sound connectivity, and have no need for a classical desktop since.
I am not into gaming or graphics though. Still, with my (unusual) usage pattern I get almost 10 hours battery life time on the road, and all the CPU power I need locally. For heavy stuff, I compile remotely anyway.
I can't stand the (lack) of brightness on my X1 7th gen. Is that not a problem for you?
I can't for the life of me get it to be bright enough to use in a lit room. A bit of hyperbole here, but I basically have to hide in a closet and stuff a towel under the door to see the fucking screen. I love the keyboard, but I basically won't use the thing now because it's such a drag to use.
I am blind (no joke), I couldn't care less about brightness :-) Well, actually, no, I execute a script after boot which basically does:
for backlight in leds/tpacpi::kbd_backlight backlight/intel_backlight; do dir="/sys/class/${backlight}"; if [ -d "${dir}" ]; then echo 0 > "${dir}/brightness"; fi; done
I had similar thoughts after purchasing my X13 AMD, not sure if you're experiencing the same thing I did. I was extremely disappointed with stock brightness when I first turned it on.
Turned out windows power saving and battery settings actually capped my brightness. So my user-controlled "100%" (via keyboard) actually becomes more like 60%, depending on the power profile.
As soon as I got a new m2 ssd, I shelved Windows and installed Fedora WS, which has no such issue. That is, if I say I want 100%, it obeys.
You can quickly test with either a live USB, or tweaking your power profiles.
This is the only screen I've ever had to fight with to get something bright enough, and I'm nearing 40 so I've been through a metric buttload of computers and screens. It is hands down the worst screen I've ever had (and I still have a couple ~ 2006 20" acer lcds pressed into service in various comms closets and shop space in my house). The brightness on these is appalling and it doesn't help that Mint insists on resetting the brightness to 60% on every boot so I feel like I'm trying to walk through a house of horrors with only a single birthday candle for light.
Edit: the joke is that the house of horrors is my code
Thinkpad was one of the first laptop series which supported Linux explicitly.
Their competitor was Compaq NX series (HP EliteBook of today). Dell was late to the party and closed the gap by actively developing software for Linux (DKMS, Privacy Drivers, etc.).
Are they doing anything to prevent Linux from running well on them? As far as I can tell, since all big three (XPS, EliteBook and Thinkpad) are considered enterprise devices and their BIOS, IO tables and hardware layouts are crafted with Linux compatibility in mind.
They're explicitly sold with FreeDOS option to imply that you can directly install Linux on them.
Even my run-of-the-mill desktop shows more soft-errors about IO layout and memory mapped devices on board.
When IBM didn't like the panels they could source for Thinkpads, they started a new company called International Display Technology to manufacture panels they did like. Thinkpads used to be special.
While it's entirely possible there's a connection between decisions like that and IBM's PC division being unprofitable enough they sold it to Lenovo, it might be reasonable to hope that Lenovo would make the effort to offer competitive panels when it's obviously possible for their competitors to source them.
Piling on to say I cut my teeth on Linux installing Breezy Badger on a Thinkpad T20. Since then I’ve never struggled with a Debian based OS on Thinkpads.
Not sure about Carbons, but for T-series there are aftermarket IPS displays that you could swap for the original TN ones. Could be done in 30 min, with no previous experience, just with the service manuals from Lenovo and enough dexterity to handle a screwdriver.
I sent my Lenovo in for warranty service for a faulty SSD ribbon cable and... they lost it. And they haven't replaced it. They've told me four times over the course of the last five months that I'll get a call in 3-5 business days. It has never come of course.
I know I'm not alone; even just in my circle there are two other stories of horrible mishaps with this company.
Lenovo makes some decent machines, sometimes, but their warranty service is not to be trusted.
Lenovo took around 100 days, within warranty period, to replace my motherboard of my Ideapad Y500 because the parts were not available. I am never buying any Lenovo product ever again.
It uses low-power components (U rather than H CPUs for example) and isn't capable of generating nearly as much heat, regardless of what you're asking it to do.
Switching from a core H to core U will cut your perf in half. I like my xps 13 but in all fairness it struggles to run Firefox with youtube+gmail+slack and Office open all at the same time. As someone who primarily uses beefy desktops, it feels about as snappy as a Core 2 Duo machine with DDR-400.
Big bonus of the proper "business" laptops also is support. Wouldn't want a work machine I rely on without on-site support anymore (of course ideally you want a machine that never needs support, but since you can't rely on that from anybody...)
Indeed. Worth looking at the Thinkpads with this as well. A lot of the 3 year old discarded corporate units still have a couple of years of warranty left on them and Lenovo actually honour it!
Interestingly, Apple covers more than sRGB, their panels are now being set to the broader DCI-P3 gamut. Whereas these laptops (at least in 2019) were slightly less than the sRGB gamut on testing. Except for the surface book,
Almost no displays get 100% when tested for gamut coverage. I'm not really sure why, I think it's some testing artefact. At this point (around 99% sRGB) what you should be looking at is coverage in larger gamuts (here 84.8% AdobeRGB).
> In the consumer world the Dell XPS [...] are the way to go for a designer
I have to use a Dell XPS 9560 and had two issues with it, most people never realize:
1. The Intel Thermal management driver is buggy so the device shuts off on very high-load tasks. You have to find the old driver on the internet and install it, and prevent windows from reverting to a new driver.
2. Only after two years of hanging connections and dropped UDP-packets I ran a speedtest and realized that this is not my home-internet being weird, but a systemic problem of the Wifi-card, which others have reported on the internet as well. Switched cards - getting windows to recognize the new one was difficult - and now I have normal Wifi.
Both of these issues are terrible for customers, and I still wish I wouldn't have ignored/overlooked the Wifi-issue for so long, as it interrupted work for a very long time.
Dell XPS 9360, good keyboard and touchpad, but my two issues, Dell software for updating drivers is just buggy. In general Dell can't write good consumer software.
Second is the same as yours, the Killer Wi-Fi is subpar. Can't keep a steady connection. Can trigger bluescreens if resuming without power cable and running Firefox (I think). Have not changed my Wi-Fi card yet.
I got an XPS 15 7590 in part because I read that the "Killer" Wifi problems of old were finally fixed. Well not for me, after waking the laptop I have to manually disconnect and reconnect Wifi for it to work. Have not had time to contact support about it yet, but I'm very disappointed that they've stayed with "Killer Wifi" after the long history of problems.
I looked up the MSI Prestige and apparently there exists a limited edition of it that's completely pink, I mean really, really pink: https://www.msi.com/Business-Productivity/Prestige-14-A11X-P.... Not a big fan of the color, but it sure is interesting to see. I now wonder if the color would be a good deterrent for thieves.
Wow, the way Craig is laughing at the question and so dismissive of it is really insulting. Maybe it's the more casual nature of the interview/discussion, but this really is the crappy icing on the cake of Mac users' continuously-declining control over the machines they spend their hard-earned money on. "Where do you even begin to come up with that theory"?? I mean, maybe we're seeing the gradual hampering of control over our computer with every OS X release in the past 5-10 years?
Get a Thinkpad. I replaced a 2015 MacBook Pro with a Thinkpad P1 Gen2 and love it. The trackpad isn’t as nice. The keyboard is better. Running WSL2 you have a great Unixy development environment in Windows. Or just install Linux. As thin and light as a MacBook Pro. Much better thermals, though still not awesome. Other, somewhat larger Thinkpads have better thermals. You can upgrade your RAM, add 2 SSDs and other peripherals like a 4G card etc if you like. Thinkpads come with fantastic service. Next business day on-site repair including for accidental damage and they mean it. Looks: It’s the design Apple copied for their very first laptops and is IMO better looking. They got it right the first time and haven’t changed it materially. Built like a tank. Not quite a tough book but they will take some abuse.
I have that exact laptop (work provided) and I’m not a fan. Trackpad is OK but not nearly as good as my Mac. 4K display sometimes looks amazing but the color accuracy is terrible and there’s a weird speckle texture that I assume comes from the touch overlay. I have a thunderbolt dock that supplies 85w of power but the machine refuses to charge from it and requires connecting the huge external power supply. But the worst part is I’ve gone through several incidents where some update occurred (never could narrow it down to one in particular) and I started getting multiple blue screens a day.
Edit: forgot one more annoyance. The laptop seems to frequently power off completely overnight even though it should just be sleeping/hibernating.
> I am still surprised by the number of people that want trackpads
I occasionally have need to use a laptop in conditions where a mouse is inconvenient, so I prefer to have a trackpad, but I find that even the best trackpad is far inferior to a mouse. (Trackball, at least the kind that gets integrated into a laptop, isn't an improvement, IMO over a trackpad.)
Never had a blue screen. Haven’t had the power off problem though there is a distinction between regular sleep and deep sleep. When coming out of deep sleep it boots up like normal and restores RAM from disk. Don’t have a touch screen but have the highest end, non-touch 4K screen Lenovo offered. They also offered a very good HD screen and a not so good 4K screen. Display is not as good as on a Mac but this is more a Windows problem than a hardware problem. If color calibration is an issue, you could have had them calibrate it for you for 25 bucks when you ordered it. I believe Lenovo support can send someone to calibrate later on too for a somewhat higher fee.
Linux UI is far worse than Windows. It's not even close. I use Linux but definitely not for its UI.
Windows can out-of-the-box do HiDPI, multiple monitors, multiple desktops, trackpad gestures, hardware accelerated UI rendering, facial recognition logins, and more. It was designed as a desktop OS.
On Linux some things are getting better if you stick to the Wayland+GNOME stack, but it's still so bad I can't recommend it to people on technical grounds. Use it if you believe in free software, not because you think it's "better" (it's not).
I am seriously wondering why Linux UI development is lagging so much considering it’s at the forefront of many developments, and probably with the world's best devs using Linux. I can only come up with that its console centered approach doesn’t attract a lot of UX designers of caliber to take it to a new level.
Most of the money being thrown at Linux is to make it better on a server. The laptop/desktop market is dominated by Microsoft, with Apple a distant second.
Arch is only a recommendation for people with a fair bit of experience. I have some experience, and I still needed to check some webpages to find out what I was missing when I tried installing Arch as the official manual doesn't spell out every step that is needed.
For "easy" for people who don't have time or experience, I would instead recommend Pop!_OS https://pop.system76.com/ flash a liveusb stick and you can try it out on your hardware without needing to install it first.
I've been using Ubuntu for over a decade because my days of fiddling with my computer to get things to work are over. In general, Ubuntu just works without much configuration on the user's end.
I've noticed a trend where people who are new to Linux will jump on Arch because they believe it'll give them more power, or that they'll learn more by using it. Or people will install Kali because they think it is what hackers use, and completely miss the fact that Kali isn't meant to be installed at all.
It's all Linux under the hood, and you get the same amount of power no matter which distro you use. And when you use a distro with sane defaults like Ubuntu, you're able to dig into the internals whenever it suits you, and not because an update broke your computer.
The biggest problem with Linux is not enough people use it so you run into all kinds of edge cases with hardware and software. I just stick with Ubuntu because it's the most popular, so the most likely someone bumps their head on the problem before I do, and maybe I find their stack exchange question or bug report when I search.
I've been very happy with Ubuntu 20.04. Not without issues, but overall it's been quite stable and snappy (pun intended) and I prefer it to macos and windows.
Arch is neat, and their documentation and forums are amazingly great. However, I have zero desire to be my laptop's sysadmin. Pop! OS runs great on my Thinkpad.
If the only concern is the install process, I would recommend Manjaro. It has its own installer, but you still get the powerful pacman package manager and the Arch repositories which are the most cutting-edge around.
Photoshop works pretty well in Wine, and Windows runs quickly using KVM.
Linux also has native support for hardware pass-through if your machine has an IOMMU, so you can give virtual machines direct access to graphics cards and get GPU acceleration in your VM, along with USB devices, etc. VirtIO is built into the kernel and can provide you with paravirtualized network and storage access, which can speed things up considerably.
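An added illustration of the IOMMU point above (not part of the original comment): hardware pass-through is granted per IOMMU group, so before handing a graphics card to a VM it helps to see what else shares its group. The script assumes the standard Linux sysfs layout `/sys/kernel/iommu_groups/<N>/devices/<PCI address>`; the function names and the `IOMMU_ROOT` override are made up for this example.

```shell
#!/bin/sh
# Added example: inspect IOMMU groups before PCI passthrough.
# The IOMMU group is the smallest unit the hardware can isolate, so every
# device in a group has to be handed to the VM (or left unused) together.

# Assumption: standard sysfs location. Overridable so the functions can be
# pointed at a copy of the tree (hypothetical variable name).
IOMMU_ROOT="${IOMMU_ROOT:-/sys/kernel/iommu_groups}"

# Print the group number that contains PCI address $1 (e.g. 0000:01:00.0).
# Returns 1 if the device is in no group (IOMMU disabled or unknown device).
group_of() {
    for d in "$IOMMU_ROOT"/*/devices/"$1"; do
        # An unmatched glob stays literal, so check that the entry exists.
        [ -e "$d" ] || [ -L "$d" ] || continue
        g=${d%/devices/*}
        echo "${g##*/}"
        return 0
    done
    return 1
}

# Print every other device that shares a group with $1, one per line.
group_mates() {
    grp=$(group_of "$1") || return 1
    for d in "$IOMMU_ROOT/$grp"/devices/*; do
        [ -e "$d" ] || [ -L "$d" ] || continue
        name=${d##*/}
        [ "$name" = "$1" ] || echo "$name"
    done
}

# One-word verdict for device $1:
#   isolated        alone in its group, can be passed through by itself
#   shared          other devices sit in the same group
#   no-iommu-group  not found under IOMMU_ROOT
passthrough_status() {
    mates=$(group_mates "$1") || { echo "no-iommu-group"; return 0; }
    if [ -z "$mates" ]; then
        echo "isolated"
    else
        echo "shared"
    fi
}

# When called with a PCI address, report on it.
if [ "$#" -gt 0 ]; then
    echo "$1: $(passthrough_status "$1")"
    group_mates "$1" | sed 's/^/  shares group with: /'
fi
```

A GPU commonly shows up as `shared` because its HDMI audio function sits in the same group; both functions then go to the VM together.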
While true, that doesn't mean that an Apple-controlled key decides which apps will run:
> There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker. This new behavior doesn’t change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Apple silicon Mac computers and enable the system to better detect code modifications.
NotebookCheck is a great website for laptop reviews. They even get into the nitty-gritty details of display calibration, input devices, power consumption, etc.
I find that their reviews are amazing but their "top 10" lists are lacking. Their search: https://www.notebookcheck.net/Search.8222.0.html is marginally better, but in general, they're for researching specific models, not finding models, imo.
Edit to add: The other thing is that for their percentage laptop score, you should generally subtract 80 and multiply by 10. I've never seen them review a laptop below 60% or above 92%.
My partner bought a razer 13 inch to replace a MacBook Air. It wasn’t cheap, the build quality is excellent and it handles everything (she’s in an orchestra and records her parts on it, does graphic design and sometimes plays fortnite.). The screen is quite nice and the build quality is better than my system 76 (onyx pro) which I really like too.
Dave2d on YouTube gives pretty short and decent laptop reviews. I think he has a discord channel discussing the machines too
My 2017 razer stealth 13" has rather questionable build quality.
* Once a month or so, the touchscreen flips out and starts registering dozens of random finger taps per second. There are tons of complaints on the internet, but Razer never acknowledged it as a known issue.
* One of the long rubber pads on the bottom fell off after about a year and a half.
* The USB-C power cord's insulation was frayed from day one.
* When running Linux, the kernel continuously reports "correctable" pci-e errors, indicating a signal integrity issue. I had to turn down the verbosity of the messages to keep from spamming the journal.
* When running Linux, a monitor connected via HDMI has random "snow" noise. When playing any sound through the builtin speakers, the monitor blacks out every 10 seconds or so. Plugging in headphones "fixes" it.
* The bios' ACPI implementation is buggy and doesn't properly report whether the lid is open or closed. As a result, the laptop sometimes fails to go to sleep when I close it, and sometimes fails to wake up when I open it. It works most of the time but not always in windows, and linux got into a perpetual sleep-wakeup-sleep loop until I found the right workaround.
* A plugable brand thunderbolt dock "glitches" every 10-20 seconds when typing on a USB3 keyboard. Plugable claims it's due to buggy Intel firmware in the laptop. To be fair, a different brand of dock works fine, though.
Many of the signal issues can be caused by a faulty or low quality power supply. It took me a good half year until I finally figured out why my Thinkpad touchpad and screen was acting up similar to your description. Turned out that my 65W power supply from Amazon was causing all the issues.
I switched away from Macbook Pro about a year ago, after using Apple hardware for about a decade.
It's working great, GNOME interface is solid and productive, Manjaro and AUR libraries just work. Highly recommend making the move, sooner the better as I'm sure you see the writing on the wall.
My Huawei Matebook Pro has been everything I wanted in a Mac, in a way I couldn't get from Apple.
Pros that Macbooks don't have: USB-A (along with USB-C), no touch bar, 3:2 screen, can enable secure boot if I choose so feel like I'll be able to run whatever I want on it, replaceable SSD, etc.
Pros that Macbooks also have: still has a great build quality, full day battery
I can second this, I'm on the Matebook 14 2020 with the Ryzen 7 I think rather than the Pro. But after a dreadful run of luck with the XPS15, the Matebook (so far) is an amazing bit of kit for almost half the price.
It feels like if they play the next iteration right Huawei could blow most of the top end out the water, there's so little choice at the top end and they all seem riddled with build quality, hardware or software issues.
I'm glad I took the risk on the Huawei and I don't really regard the Chinese spying moral panic as an issue. If they want to spy on you I'm sure there's far easier ways online than trying to backdoor a highly scrutinised laptop.
My huawei matebook pro is the best laptop I've ever owned.
The only downside is that I have Windows 10 on it, and considering Microsoft actively destroys user data and has for 15+ years as company policy...I won't use it for serious work, only entertainment. :(
User state is also a time investment, so rebooting and destroying this is not ok even if all files by some stroke of luck were saved first
Are you not worried about your data going to China? Huawei looks indeed great, but I would never use it. Maybe if there was a way to replace components with ones from legitimate source like Mouser or digikey, to ensure there is no spying going on.
I think a firmware- or hardware-level exfiltration system that works anywhere would be valuable enough that they are not likely to burn it by putting it in systems sold widely to consumers, where it would only be a matter of time before it was detected. Unless monocasa is someone fairly important, that is!
Over the generations, I have had three Macbooks, four Vaios, a ThinkPad, a HP, multiple ASUS and Huawei. Most of the devices I have killed by travel: dust infiltration, vibrated the BGA chips off the boards by motorbike vibrations..
My requirements have all been fulfilled with the Huawei MateBook X Pro.
You could say it's heavily inspired by the MacBook. Aluminum case. Chiclet keyboard with decent travel. 2000x3000 display (2:3 ratio!). Awesome trackpad. Good battery life. Portable. Solid. 2x USB-C and 1x USB-A. Sustained multiple drops.
For context, I am able to pull solid 12-hour days on the device, without a mouse, without fatigue or frustration.
I was skeptical initially.
The laptop has been dissected and scrutinized by multiple people with nothing suspect discovered.
On the other hand - which brand is safe ? Thinkpad has installed rootkits multiple times.
Until there's proof otherwise, I think it's worth withholding preconceived ideas.
In any case, everyone has their own level of comfort, and that's important.
Are you talking about the Superfish vulnerability? It's never affected the business class Thinkpad lines [1], but it has affected a lot of the other laptops that Lenovo has shipped.
> keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)
Those are laptops with numeric keypads, the trackpad is still centred relative to the "main area" of the keyboard (the home row and in particular the rest keys - the two keys with a little bump, F and J on a QWERTY) but it is off-centre relative to the body of the laptop due to the presence of the keypad.
Macs don't have numpads so if you've always used Macs it's understandable that you're not familiar with this type of layout.
In any case that type of placement makes no difference while you are using the laptop, because keys and touchpad are still where they are supposed to be relative to each other.
A lot of laptops, Dell for example, offset the touch pad to the left even though there is no keypad. You might be right that these are technically centered on the q to p span of the keyboard.
Good eye! I had never noticed those before. Yes I think those are centred to j and f. On the Macbook Pro I'm using right now, if you look carefully, the touchpad is centred relative to the body but it is slightly off centre relative to the home row.
I use my laptop on my lap, and usually when I sit with my hands folded in my lap, my hands fall along the center axis of my body. We are bilaterally symmetrical beings (with some internal asymmetries).
So unless I scoot the laptop off-axis or I have to move my hands off axis to type.
I'm unsure how this isn't unergonomic. It's not something to get used to. It's bad design. Period.
Yes this has always annoyed me; having it centred under the keyboard makes no sense except in some weird universe where everybody uses only their thumbs to operate the trackpad. Trackpad alignment was one of the major causes of my RSI due to the horrible bend in the wrist it causes.
I haven't used a Mac in years but the one thing they always nailed was the trackpad. It's big and actually centred on the laptop body.
I think it depends on how much you type. If you type most of the time, your hands will tend to stay centred on the keyboard. Of course this is highly variable based on so many factors...
Yes this is true, I see your point, with a laptop on your lap, in order to balance its weight optimally, you need to centre it relative to its mass, not relative to the hands rest position (F and J keys) so then when you have to type you need to move your hands sideways and it's not very ergonomic.
But you want to align the keyboard and the touchpad with the vertical axis of your body so you end up with 2/3 of the screen to your right. That's why I'm advocating no number pads on laptops.
I gave it a try for one minute when I unpacked my new laptop in 2014 and I immediately shifted it to the right: typing as you suggest was terrible for wrists, shoulders and probably the spine.
My workaround: I move the windows I work more often (eg: the editor) to the left part of the screen.
To be fair: there is no way to fix an ergonomically broken design. There are only mitigations and those are probably subjective: everybody is a little different and muscles/skeletons/etc can accommodate different twists.
Get a Thinkpad, P-series, lots of options. Run Fedora on it. Great machines, great keyboard, 4k screens, good color, good battery life, lightweight. Everything works. Mac-level price, and worth it.
I would like to get a thinkpad, but I'm not sure Lenovo can be trusted any more than Apple can, especially since Apple at least pretends to care about customer security.
Lenovo is junk for anything but business class laptops. That's the thinkpads X P W and T. The rest is the disposable, unrepairable, bloated junk you’d expect from consumer level products.
"Disposable, unrepairable, bloated junk" describes pretty much all non-business laptops these days. I don't think Lenovo is special (and the Yoga often reviews as "good for the price")
I work with thousands of their business class Thinkpads and they are also junk. They seem made for corporations to just churn through. I see hardware/BIOS bugs that carry through generations.
Could be. I stopped at the 2011 and 2013 variants. Still powerful enough for me, cheap to repair, and the Intel ME can be entirely erased/corebooted. I don’t know about the more recent business class TP.
Well, if you immediately overwrite the hard drive of the machine with some Linux variant (as I think the GP implied), I think it will solve a lot of problems like this from any manufacturer.
No it doesn’t. If memory serves, Lenovo rootkits have been in the UEFI firmware which auto-install hooks into the OS after boot.
Linux is not magically immune to this attack. One could argue it is more susceptible than other OS due to lack of binary signature checks on executables at runtime (at least by default).
In my experience, fractional scaling and 4k support is finally fine on at least whatever GNOME and Wayland Ubuntu 20.04 ships with, with two major caveats:
* Chromium-based applications (the browser and Electron apps like VS Code) still don't know how to render themselves with fractional scaling and end up ever so slightly blurry (but correct sized) on fractionally scaled displays. Think like very old applications (like Control Panel) on Windows 10. I use Firefox so it doesn't bother me that much. There's an issue in Chromium bug tracker following this, but I can't find it right now.
* Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.
> Chromium-based applications (the browser and Electron apps like VS Code)
This is most likely because they don't support Wayland. The scaling with XWayland doesn't really work great a lot of the time.
I don't use scaling for my 4K monitor, and just set text sizes larger. It feels a bit weird for a while but eventually it's actually quite a nice balance where the content is relatively larger vs. the chrome.
> * Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.
Chrome has experimental Pipewire support; enable it in here: chrome://flags/#enable-webrtc-pipewire-capturer
Firefox (at least on Fedora) has enabled it out of the box.
P1 Gen 3 is 0.72" x 14.24" x 9.67", compared to the 2019 15" MBP which is 0.61" x 13.75" x 9.48". Slightly larger? Sure, but I wouldn't call it "huge" if the 15" MBP is what you're used to. It's only 0.11" thicker than the MBP and half an inch longer. (And it weighs less.)
> edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer.
I would agree on designer.
Absolutely not on developer or researcher.
Actually MacOS is for the reasons you mentioned incredibly developer-unfriendly (unless your target is of course the iOS ecosystem).
And for research there is no better platform but Linux. Unless you are in clicky-colorful frontend applications where I would doubt you are doing serious research.
Try metabox. (https://www.metabox.com.au/). They have a wide range of laptops at various specs and prices and form factors and whatever else. A lot of the guys at work have started to switch to them and they feel nice to hold and fondle.
I'm currently in the same boat as you and my next machine will be from these guys when my (admittedly very new) Macbook Pro gives up or gets taken over by Apple.
It's hard to say who is now Apple's target audience. It seems like their products are ideal for people who don't know much about IT and just want to watch a video or edit their holiday photos and maybe create a CV and will probably never go beyond that. Other people still enjoy Macs from 2012, but things are moving on when you look at desktop PC and what you can do. Apple looks more and more dumbed down.
It's like being trapped in a beautiful plastic cage. I used a MacBook Air (2012) for years as my primary development machine and really loved a lot about it, and it had some fantastic apps in the environment like QuickSilver, especially since it just worked compared to some of the Linux distros I had before that. But I'm glad I jumped ship when mine went obsolete.
>> It's like being trapped in a beautiful plastic cage.
To be fair, it's like being trapped in a silver gray aluminum cage with uniform body and irreplaceable bars. I wish more companies would make a PC laptop that doesn't suck aesthetically. Even when they use aluminum, most PC manufacturers don't spend much time on designing a good keyboard (arrow keys not having the same shape comes to mind.)
The feel of the keyboard is far, far more important to me than the look. Lenovo Thinkpads (business class, not the consumer ones chasing after the foolish "thin" trend) are the only ones that have a reasonable shape and response. This includes Apple, which tends to be one of the worst offenders in the feel of a keyboard. I want to have some amount of vertical movement to the keys, not to jam my fingers into a hard surface repeatedly.
Very small audience, but people with bad vision do enjoy the good displays on their machines and the GREAT built-in zoom in OSX. Zoom in Windows is a joke.
Unfortunately Linux isn't really an option just yet for a lot of us.
I really like my surface book. They are priced like MacBook pros (and spec'd like them too). The track pad is great, the pen input and detachable screen come in handy more than I'd have guessed when I first switched.
Apple has a pretty broad utility patent around their trackpads, which requires other manufacturers to work around what would seem like pretty obvious things.
Are there no other suggestions beyond the 2012 MBP?
I use arch linux on a Lenovo Thinkpad T580, and I'm really happy with it, but I'm not sure about the colour accuracy of the screen. I doubt it's as good as you find on an Apple.
I, for one, am really interested in good, high quality alternative to apple laptop hardware, that meet the parent's criteria.
I agree with you that Apple is doing way too much to restrict users. But I also agree with Craig in that I don't see how Apple silicon is useful for them in helping to restrict users.
I have the 4K version. You can’t use it, you have to downscale to 1440p because you get lag at 4K. They released a 4K laptop that isn’t powerful enough to run at 4K.
X1 Yoga 4 is what I went with recently when my 2016 macbook pro died for the 4th time since owning it.
It's very similar to the x1 carbon but converts to a tablet and it has an aluminum body.
I can't say I'm out of the apple ecosystem entirely, but I decided to spend my money elsewhere given the abysmal quality of the macbook pro line these days.
I like Lenovo ThinkPads and even IdeaPads (I own one for personal use) but I do hesitate dealing with potential Chinese spyware from the factory for work uses.
Owning a Lenovo X1 Carbon 7th gen, 2019, 4K screen, 16GB RAM. Extremely impressed with the hardware, running Linux Mint and going to move to Manjaro.
Initially I tried PopOS! but they removed from Gnome the intermediate scaling (1.5X) of the UI, just like in MacOS you have Display - Scaled options.
I really like the per monitor setting which you don't have in Linux. (or I didn't research enough); e.g. More space on main display (external 4k monitor) and Larger Text on the macbook screen.
I'm also jumping ship due to the worst experience I had in 25 years dealing with technology, 1 month to replace a swollen battery with a 3rd party repair service. Apple throws now all these "complex" hardware issues to 3rd parties since their employees are pressuring them not to execute hazardous repairs in their own "centers"
Their SSL certificate revocation server (the default for macOS) goes down and you try to tie it to Apple Silicon being created to lock-in users? I understand the feelings people have about this but today's failure seems orthogonal.
It's just one of many recent actions that they've taken that have made people wary. The changes to app signing in recent OS X versions was another example of this
Re colour accuracy, check out thinkpads, they even come with a colour calibration sensor so you can have them autocalibrate daily/weekly or whatever suits you.
Do you _really_ need a laptop? That's my solution to the problem of no good Linux laptops. I've got a desktop at home now, and when I go back to the office, I'll pick up a mini desktop. I'll keep an old MacBook in a drawer if I need to take it into a meeting. When I used laptops only, they were just plugged into a monitor/keyboard/mouse at all times anyway.
One that reliably goes to sleep when I close the lid and then wakes up again when I open the lid.
Wifi that works... Audio that works... Plugging in and out external monitors that work... Netflix/Youtube in HD without burning the cpu and draining all battery
Basic hygiene essentially.
I use linux on a laptop every day for the past years and have tried Dell, HP, Lenovo, Asus, Ubuntu, Arch, Mint. Lately things are working, but only most of the time, never really really 100% as a Windows/OSX machine does. You always have to live with those 1/20 times sleep did not wake up or oh time to reinstall pulseaudio again for microphone to work.
> their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)
Buy something without a number pad. Unfortunately most 15" laptops do have one.
If anybody from HP is reading this, I'll pay an extra for a keyboard without number pad on your 15" ZBooks with 3 buttons on the touchpad. Space bar and touchpad aligned with the center of the screen please.
>it's off-center in a lot of cases! How weird is that
It is off center if they have a number pad to the right of the normal keyboard layout. At first glance it looks weird, but it is 100% what you would want if you were using the laptop. Otherwise the trackpad would end up being right over where your right wrist is.
I just gotta say that I don’t think it’s clear where they are going. You are of course free to do however you like. And if you are leaving because of what they already have done, that’s reasonable, but if you are leaving because of what you are guessing that they might do tomorrow, is that really wise? I mean even with the ARM switch won’t it be as easy to switch to win/linux intel after a year if you are not satisfied?
I don’t like the boot thing either, and it’s a bit scary not being on intel as everyone else is right now, but I also think ARM feels really interesting and it might turn out to be a great new platform!
Edit: I mean it is not like they never listen, they did take back the mac pro, they did fix the keyboards, you have cli tools to make a lot of changes in how macos works, etc. Of course I would like hundreds of things to be different, but I believe that is true of all platforms.
I second this. Catalina runs great on my 15" mid-2015 16GB/1TB, and it even runs shockingly well (bootstrapped) on my (unsupported) 13" mid-2009 8GB/512GB.
The 2009-2015 era of Macbooks are, not were, truly phenomenal machines.
What does bootstrapped mean? I’m surprised with Catalina running well on a 2009 MacBook. I felt it was slow on a Mac Mini 2014 where it is supported and went down one version.
I don't think there's a one-sized-fits-all solution without something custom and extremely expensive ($15k+). Maybe a Lenovo T480 for most purposes and a dedicated second screen for color correctness? I had a Dell Studio XPS 1645 with an RGBLED screen with an insane gamut. It begs the question: Why aren't such screens widely available?
What about getting a T480 and replacing the screen itself? You can find a decent one for ~$400 USD, and a 1080p or WQHD screen for another $100.
As for screen availability, I think it's more to do with the fact that these are business computers. Lenovo only recently started blurring the line between their premium and business class devices.
I think every post-Haswell ThinkPad comes with a 720p screen in its default configuration. At least up until Tx90/5 series.
I think you should stick to Apple, frankly. Every time Apple comes up with something new (or just a new software release), people come out of their sheds to warn about all the bad things that will happen.
And then almost none of those bad things happen. I've witnessed this dozens of times now, so a safe interpretation would be to assume that this time none of those things happen.
Except bad things did happen. Like their capricious application of Appstore “guidelines”; the increasing difficulty of running software on Mac where the developer won’t pay Apple a tithe; the drop in Linux support for the platform, as they locked it down more and more at hardware level; the imposition of their authentication and payment portals (and hence 30% taxes all around) on web apps... etc etc etc.
We have been effectively boiled like obedient frogs.
I love macOS but my next laptop won’t be a mac and my next phone won’t be an iPhone. Divesting from the ecosystem will be painful but we’re well past any grace period at this point.
"I love macOS but my next laptop won’t be a mac and my next phone won’t be an iPhone. Divesting from the ecosystem will be painful but we’re well past any grace period at this point. "
same here. I hope this will lead to a leap in quality in alternative mobile & desktop OSes, because at the moment the situation looks pretty bad.
I have not experienced any difficulties in installing or running apps from outside the Mac app store (if that’s what you mean by paying Apple a tithe).
They've also removed any 32bit support, in case you could make do with old programs that don't make Apple some money.
I'm still on Mojave and will not upgrade. Personally, my last MBP was bought in 2016 and I have no intention of getting another one as long as they continue exploiting developers and the public in this way.
What exactly do you mean ad-hoc? Can my friend without an apple account compile an executable with GCC send it to me and I can run it on my new Apple Macbook?
It was rumored for like a decade. The last 32-bit computers were sold in something like 2007-2008? High Sierra started throwing warnings when you launched 32-bit apps. In 2018, they announced Mojave would be the last version to support them. Mojave just got an update yesterday and will likely get updates for at least another year. So nobody has been forced out yet.
I'm aware end users with discontinued software were forced into some no-win choices. But as an ecosystem, it's one example where this happened and was given a ~15 year possible window and an explicit 4 year window to transition.
Do you want to be burdened with layers of backwards compatibility and end up like POSIX or Autoconf with provisions for things that once run on some long forgotten UNIX OS version?
I started panicking mildly thinking my drive was failing or something.
And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.
Same. Panic attack. Thought the SSD was dying. I ran Disk Utility diagnostics and started coming up with plans to reformat and restore as a last resort.
I genuinely thought the same thing. I opened my MBP and it was sluggish, felt like it was dead. Browser wouldn't load, Zoom wouldn't load, I rebooted and the same problems persisted. I honestly thought the hardware was giving out.
I almost cannot believe the actual cause. Absolutely awful experience.
Incredible I had the exact same thing. 2019 MB pro I bought for music production and ableton started to lag incredibly badly and the whole desktop was unresponsive. I started to search my email to see what warranty I had.
The thing you get with Linux is "more _predictable_ shit to deal with", not "less shit to deal with", no large capable desktop OS is perfect and never will be.
Anxiety from what Apple's agenda will do to your computer next update? anxiety from if a 1hr windows update is awaiting you when you turn your pc on? ... Linux awaits.
Linux awaits and then when it comes it borks WLAN driver, because Canonical decided to replace a perfectly working one with WIP FOSS alternative, forcing users to switch to cable LAN until it reached feature parity.
Linux awaits and then when it comes it borks AMD driver, because AMD decided not to support older cards on the new FOSS driver, and the old perfectly working driver is not compatible with modern kernels, driver ABI be damned.
Linux awaits and then when it comes it breaks hard disk encryption forcing a full install, and feeling lucky that I actually backup /home regularly.
Linux awaits and then when it comes half of the stuff doesn't work in Wayland.
Eventually I rather just deal with macOS, Windows, Android and leave Linux just for the kernel itself.
I haven't had to deal with any of that, but I've had Windows straight up refuse to boot multiple times and the only fix I found was to reinstall. I've now had to advise multiple people who couldn't turn on their WiFi in Windows (the switch just did nothing). I also couldn't fix that without a reinstall (not for a lack of trying). My family iMac refuses to import photos from an iPhone into Photos, failing the transfer silently. I have no idea how I'd even go about fixing that besides calling Apple and forcing them to fix it.
No man gets to deal with all of the possible computer problems, thankfully. But in my experience, most Linux problems have been fixable and I managed to fix them, while more closed OSs have left me stumped many times. I no longer believe that a computer can work without problems, so my priority is making sure that when problems appear, I can diagnose them and fix them easily.
Windows sometimes has these artificial problems, purely for market share play. Hell, I'm still a bit angry at them because of what they did to RE-DOS with Win 3.1 Beta. I was working in a small computer shop and we were blindly recommending MS-DOS as we were sure RE-DOS had compatibility problems. The tracking, and the constant nagging, silly software signing shenanigans...
So I agree, Linux problems are usually much more fixable.
Thanks, I already tried that. It does give an (easily missed) error from the underlying library there, but it's just some number that some other people are also complaining about on support forums.
If you have any other insights, I'd be happy to hear them. We have a workaround, but it'd be nice to get imports working again.
To each their own I guess, but in 20+ years of using Linux I've never had any of those issues. Maybe it's because I'm cheap and I run it on older laptops.
As for Windows... really no issues there other than forced errors of whatever absurd company policies are in place that cause software I don't want or need being forced on my machine.
Hell no. I work with RHEL every day, and while I'm by no means an expert, I would say I'm reasonably proficient with Linux.
Every time I've tried using Linux on the desktop, it's worked just fine until I tried to update something. Sooner or later, there's some broken patch or some incompatible thing here or there that breaks my window manager and throws me to the command line, ruins my network settings, overwrites my boot config or some other maddening mess. Linux works brilliantly, AS LONG AS YOU NEVER TOUCH ANYTHING
That's true in most Linux distros, I've been there, even with the most robust ones (like Debian). But then I found Manjaro, with a semi-rolling update system, that is a perfect balance between recent version updates and rock-solid stability.
Well, you're using the wrong distributions then. Use something stodgy but solid like stable Debian or a recent but not bleeding edge version of Mint and you should not have all too many things on your shit list. It won't be empty - printing will still trip you up every now and then, just like it does everywhere else to give an example - but it will mostly 'just work' unless you're trying to install it on truly exotic (as in "released this week") hardware. The overall facepalm experience will be comparable to that on Mac OS, better than that on Windows. Add to that the fact that it is free in every sense of the word as well as the glaring and welcome absence of draconic "features" like the one discussed in this thread and those Linux distributions will start to look very tempting.
Debian has abysmal hardware support (well, GPUs mostly). They need to do something about their kernels, my RX5700XT is miles ahead with the current kernel compared to whatever Debian 10 ships.
AMD graphics require a firmware blob for all modern cards [0]. It used to be that the firmware was only needed for 3D acceleration and you could run X/text mode without the blob just fine, but that hasn't been true for years (I think since HD6000 series in 2010).
My Lenovo Windows laptop came installed with malware that MITMed all my https connections and also allowed anyone else to MITM all my https connections.
Would MacOS actually have prevented it? Would Superfish just have simply signed the binary? Sure it wouldn't have started up when the Apple servers are down, but that's a very small percent of the time.
Fair enough, but that's not a typical experience on either Windows or Linux in this decade - if that's happened to you, then I think you've just been incredibly unlucky.
On the other hand I was gifted a 2015 MacBook Pro 15 and I can't run away screaming fast enough from it. I know people rave about the touch pad, but when I use it I find apps get minimized, or don't launch or some other weird gesture causing behavior. I guarantee that this is classic PEBKAC. The other day a family member with a MacBook Pro asked me to assist them with Safari which on launch wouldn't appear. I was able to get it to appear by using the Finder or something which allowed me to pin/size Safari to one side of the screen, but on appearing the window simply displayed a single pixel frame with a black interior. I killed the process, launched it again but it did the same thing. I told them they would have more success with Google than me. I have never had those experiences with Windows. Yes I've had other lame experiences, but I can always solve them, or at least find a solution online. Again probably PEBCAK so no fan boy retorts please. In the end all programs and operating systems suck.
I have to say I also don't understand all the fanfare for the MBP trackpad. I have a 13" 2016 MBP, and I actively dislike the trackpad. You need to use far too much pressure to "click" (even with the resistance at the lowest setting), and there is something "off" about the mouse pointer tracking - I can't figure out what it is, like if it feels too smooth, too jerky, I don't know, but it feels wrong somehow.
Oh, I do like the gesture support, though even Windows 10 supports gestures nowadays.
I’m personally quite a big fan of the trackpad and gestures but I understand that they take some getting used to. If they are causing you frustration then you can turn them off under system preferences > trackpad in the “scroll and zoom” and “more gestures” sections. I’d recommend keeping most of the scroll ones and disabling most of the others, then one by one turning on any of the ones you think would be most useful as you get more used to them.
As for the Safari issue, I have no idea off the top of my head.
Disagree with Linux. I make an LVM snapshot before making any attempts to upgrade the graphics driver. It's a disaster. And don't say proprietary code, that's beside the point. Windows runs drivers in a way that one that crashes can be restarted without bringing down the kernel or the whole system.
FYI I've had the issue you describe half a dozen times with CentOS but literally never with Arch Linux (on both machines with similar nVidia cards, using the proprietary driver). In general I'm pretty impressed with Arch's package quality, I seldom encounter any issue and when I do it's patched very quickly.
I tried Arch Linux in a dual boot scenario on this System76 laptop and I don't recall why I switched back... I think it's because I tried to upgrade the graphics driver and got into state where I couldn't get X to run at all.
A co-worker keeps telling me to try Manjaro. I'm just not sure if I want to spend a weekend reinstalling all the stuff I use.
Very true. I have used Ubuntu and Fedora for a while, but when I switched to Arch, I never went back. Arch is described as bleeding edge, but another way to put it is it always has the latest software, which is what a dev machine should be. My experience with installing the Nvidia driver in Ubuntu is a nightmare. Tried the official repo then failed, and tried different PPAs and then failed again and again. At last, I found that I have an older kernel version and I need to compile a latest kernel which is not in the official Ubuntu repo. I gave up at this point because I don't want to compile a kernel every time I need to upgrade. With Arch, you always get the latest kernel and you won't usually be missing features from using an old LTS kernel.
Nope, there have been a few issues with BSOD that have impacted quite a lot of people. The latest one was with nvidia drivers being old that caused BSOD after update.
In a previous company the IT dept had to revert a forced by MS update manually on each machine by “hacking” and deleting and replacing files as it was causing BSOD.
It happened to me pretty much every other forced windows update, from broken graphics drivers to non functional start menu.
I just replaced that pos with a mac mini....
I use centos 7 for my daily driver, it'll get 8 on it next hardware upgrade. Touch wood not a single problem with that for years now, and amd5000/nv3000 are looking very tasty.
I believe you must have been using Windows 7 without updates for the decade, because with windows 10 every[1] update[2] borks the system so much that Microsoft had to pull updates. And last but not the least, a big guide to fix problems caused by a forced, mandatory windows update[3]
Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.
Apple may suck, but it still sucks less than the alternatives
> Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.
Well that's the problem with Linux distros for the desktop in general. A user upgrading a newer version of a single system component risks breaking the whole desktop: systemd, libdrm, x11, whatever and something else doesn't work. I'm even excluding drivers here but again it's clear what happens when a user finds that out for themselves on Linux. If they even have the time and energy to do all that digging and googling of cryptic errors.
To save yourself the time and frustration, just keep using Windows 10 with WSL2. I don't have any reason to dual boot to a Linux desktop any more due to this.
And I believe you must not have been using Windows, and are relying too much on news of incidents affecting small numbers of people.
It is - quite clearly - a gross exaggeration that "every update borks the system".
Aside from MacOS, I use Windows 10, and have done for several years. I have the Microsoft Action Pack, which means I get multiple Windows 10 Enterprise licenses - and no forced updates.
Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.
But linux is free both as in free beer and in free speech, windows required you to pay the Microsoft tax to use, and lastly macOS required you to pay a premium on hardware.
That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.
Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.
And what premium do Mac hardwares have? It seems I paid what they deserved as I can't find anything better in the market. Even moreso now that M1 is out, it seems all Windows machines have premium.
> That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.
What do you mean "take care of the level of detail"?
I can download Debian right now, install it on hardware in about 10min, and get everything to work rock solid without any hitch.
I can't say the same about either Windows 10 or macOS.
In fact, I had mojave crash and reboot more times in the last month than Ubuntu 18.04 since it was released, and mojave is preinstalled in its own target hardware, which is supposed to be high-end, while Ubuntu is installed on a cheap laptop that cost between a third and a fourth of my apple laptop.
>> That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.
>> Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.
I've been running Fedora for 15 years and haven't had any of those pesky Linux issues for at least 8 of those years. Meanwhile, I was issued a new Windows laptop at work just last week and it sucks pretty bad. It's smooth and polished, but with all the advertising and "first ones free" preinstalled shit it feels a lot like Facebook rather than a computer. I'm glad it's me-at-work being monetized and not me at home...
I can't help but think you meant, "I've accepted there's no real way to salvage and diagnose my computer when it breaks so reformatting it has become second nature. I always keep an up to date Win10 install USB ready, and I even have a second hard drive that I keep all my files on."
With Macs, you have to put up with MacOS and Apple (one big premium is lack of choice). It's also not that easy to self-administrate without MDM, and software options are relatively limited if you come from either Linux or Windows.
I'm a software dev but since we're only 2 techies at work I also maintain about 40 Windows PC, 3 Hyper-V hypervisors (with something like half a dozen Windows server, the rest are Linuxes) and the printers.
If Windows 10 was unstable I should be swamped. But I spend more than 90% of my time on software dev.
And the machines are not new with fresh installs, I migrated them all manually from Windows 7.
The unspoken rule didn't change because it's Windows 10: never install a fresh release of an OS right away (I'm still on 20H1). And judging by the comments I read here it's true for MacOS too.
FWIW I switched from XP to Vista 1 or 1.5 year after its release date. It has been a great OS for me, I never had a problem with it (except that it's then they started with the bullshit telemetry).
Of course YMMV, but since late Vista stability isn't a major issue anymore.
Activation, for example. An activated and running Windows system can turn into a nagging SOB by something as simple as enabling a motherboard's Ethernet adapter in BIOS.
A level of detail I value is that none of that BS is baked into systems I use. Doesn't matter whether those who did not do so were paid for it or not.
Had this happen to me after installing a secondary SSD. Windows was deactivated, and wouldn't reactivate. I ended up having to use the Windows Restore tool before I could activate again. Having to reinstall all of your programs is never fun.
I had a new mobo broken in 1 week and replaced it with the same model and it ended up license being invalid despite the mobo being the exact same model.
I had to make a phone call since none of the methods Windows or the internet suggested worked and that phone literally took 30 min to reactivate my license again. That wasn't fun.
True. Linux is the best value and the best developer experience IMHO - unless you need commercial software that is Win/Mac only. Even then you can virtualize which is safer too. I can also easily get a Darcula theme OS-wide for Gnome so..
As developers and engineers, we ought to be jumping off this platform like a sinking ship. It's clear that they want to lock it down like the iPhone. Why else would they be measuring which apps are in use if they didn't want to control it?
If your argument is "compatibility research", you're missing the other warning signs.
If I do any simple math calculation in Spotlight it pegs all cores at 100%. It's easily reproducible and really annoying because I've used spotlight as a calculator for years.
My music software became completely useless on Catalina, and I was also running into issues with spotlight so I disabled it. I downgraded (painfully) to Mojave and my system is so much speedier. Wish I could completely switch to linux.
Yeah, but in the end, choice of OS is secondary to choice of application. I'm staying on Mojave for the foreseeable future, but I'll stay with Mac because Logic Pro is not available on any other platform. Sometimes applications are fungible, or you're lucky and your critical application is available on multiple platforms, but sometimes there are only certain applications that can do what you want. I run a MacOS System 7 for software to edit my Yamaha VL-1. I run MacOS 9.2.8 due to hardware drivers for a Korg OasysPCI. I run MacOS 10.6.8 Snow Leopard because it is the last OS that runs rosetta and keeps numerous PowerPC apps that never made the jump to Intel. I'll keep Mojave running when eventually I have to jump to Arm because I'm sure a lot of the software I run won't make the jump to Arm. I'd LOVE to drop any of those systems, but each exists because there are applications that do not have replacement on modern OS'es.
And that, my friend, is exactly why they bought Logic. Don't know if you were in the music game back then, but the way it played out was:
- Logic had the pole position for non-pro-tools music at the time, and sold (IIRC) for about $600
- Apple bought Logic and stated publicly "we will not discontinue it on Windows"
- I think a year later, might have been two, they cancelled it on Windows
- Some time later, they dropped the price, and also put out garage band, using Logic's engine.
- Logic's product roadmap (from what I've heard) became more general user friendly (can't attest to this personally though)
Basically, anything Apple owns becomes part of the plan to get you on a Mac and iEverything, secondary to whatever its original purpose is. I won't touch any music software now that doesn't run on at least 2 operating systems. Fortunately most of them now realize the importance of this.
I'd recommend looking at other options like Reaper, Cubase, or Digital Performer, all of which have been improving steadily and can run on Windows or OSX.
Personally I'm sticking on High Sierra, and doubt my next machine will be a mac. Man I'm going to miss Bash everywhere though. Sigh
> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.
That's another case of a product not doing its primary function - OS running apps - because company placed their own (data gathering) objective above it. See thermostats not turning on heat when the internet connection is down and other equally stupid examples...
I discovered this by running unbound – a DNS server – locally (block some unwanted hosts and do dns over TLS). I guess the rest of the story is pretty obvious; having your default dns server not being able to resolve because you're trying to verify it – since you cannot resolve your verify hostname – is obviously Not Great. As you can imagine, there is no waiting in the world that fixes this. I couldn't kill (-9) the process either; had to reboot into safe mode, rename the binary and switch the default dns on the network.
It's more likely that there will be an Apple-only private API that uses /private/etc/hosts which already exists, but is editable (for now) instead of /etc/hosts.
The server is called OCSP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.
So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?
Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.
Sure but how does that work? If a cert-revoked app is allowed to run, the damage is already done.
I think perhaps a better tradeoff would be if a revocation list could be synced hourly or so and the app could be checked sync locally and then asynchronously on open. And of course, always give the power user an option to ignore things.
> I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.
Based on the OP tweet... depending on the way it is unavailable, the failure is indeed ignored in some cases. "Denying that connection fixes it, because OCSP is a soft failure (Disconnect internet also fixes.)"
So it may be an actual unintended bug that a particular failure path results in a DoS instead?
Normally if there's no internet Gatekeeper instead checks the "stapled" notarization ticket from the notarization process. But since there is internet, and the OCSP server is technically "up", Gatekeeper isn't checking the tickets.
Actually I think the problem is not that it is not available, heck /etc/hosts fixes wouldn't work then. It's that it is unresponsive as hell, and they have no system wide circuit breaker, if it is slow.
A limited change would be to fail-open more of the time, e.g., if the OCSP server does not respond within a few milliseconds. (MacOS already fails-open in some internet scenarios.)
A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).
I'd imagine that revocations don't happen often. And when they do, Apple has a perfectly capable infrastructure to push those small incremental changes on demand. It's almost as if they intentionally ignored such a superior solution and chose calling home for other reasons...
Most OCSP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt in, because having an always-online requirement for using a Mac is ridiculous.
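The fail-open deadline and locally synced revocation list proposed in the comments above, together with the circuit breaker an earlier commenter found missing, as an added sketch (not code from any commenter or from Apple). The responders, serial strings, deadline and breaker thresholds are constructed for illustration, and the responder is simulated in-process so the block runs offline.

```python
import queue
import threading
import time
from dataclasses import dataclass, field

# Constructed sample data: these serials are made up for the sketch.
REVOKED_SERIAL = "serial-revoked-0001"
GOOD_SERIAL = "serial-good-0002"


class ResponderDown(Exception):
    """Connection refused / no route: the failure arrives immediately."""


def fast_responder(serial):
    return "revoked" if serial == REVOKED_SERIAL else "good"


def refusing_responder(serial):
    raise ResponderDown("connection refused")


def slow_responder(serial):
    # The case from the thread: the connection succeeds, the answer does not come.
    time.sleep(1.0)
    return "good"


@dataclass
class RevocationChecker:
    responder: callable
    deadline_s: float = 0.2          # hard limit on how long a launch may wait
    breaker_threshold: int = 2       # consecutive failures before skipping online checks
    breaker_cooldown_s: float = 30.0
    local_revoked: set = field(default_factory=set)  # filled by a background sync
    _failures: int = 0
    _open_until: float = 0.0

    def sync_revocation_list(self, serials):
        """Background job: merge a freshly downloaded revocation list."""
        self.local_revoked |= set(serials)

    def _online_status(self, serial):
        """Ask the responder, but never wait longer than deadline_s."""
        box = queue.Queue(maxsize=1)

        def worker():
            try:
                box.put(("ok", self.responder(serial)))
            except Exception as exc:
                box.put(("error", exc))

        # Daemon thread: a hung responder cannot keep the process alive.
        threading.Thread(target=worker, daemon=True).start()
        try:
            kind, value = box.get(timeout=self.deadline_s)
        except queue.Empty:
            return None  # slow responder is treated like an unreachable one
        return value if kind == "ok" else None

    def may_launch(self, serial):
        """Return (allowed, reason) without ever blocking past deadline_s."""
        if serial in self.local_revoked:
            return False, "revoked (local list)"
        if time.monotonic() < self._open_until:
            return True, "soft-fail (breaker open)"
        status = self._online_status(serial)
        if status is None:
            self._failures += 1
            if self._failures >= self.breaker_threshold:
                self._open_until = time.monotonic() + self.breaker_cooldown_s
            return True, "soft-fail (no timely answer)"
        self._failures = 0
        if status == "revoked":
            self.local_revoked.add(serial)  # remember it for offline launches
            return False, "revoked (online)"
        return True, "good (online)"


def timed_launch(checker, serial):
    """Return (allowed, reason, seconds spent deciding)."""
    start = time.monotonic()
    allowed, reason = checker.may_launch(serial)
    return allowed, reason, time.monotonic() - start


if __name__ == "__main__":
    checker = RevocationChecker(responder=slow_responder)
    checker.sync_revocation_list([REVOKED_SERIAL])
    for serial in (GOOD_SERIAL, GOOD_SERIAL, GOOD_SERIAL, REVOKED_SERIAL):
        print(serial, timed_launch(checker, serial))
```

With the slow responder, the first two launches each cost at most the deadline, and later launches skip the network entirely until the cooldown expires, while a serial already in the local list is still refused.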
Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.
I don’t think the design is wrong, I just think it’s tuned a little too cautious. If you’re going to verify certs then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.
There really aren’t any good solutions to this unless you can solve the cache invalidation problem.
The OP literally says if you disallow connection or unplug the internet it does fail open.
I think it's probably an unintended bug that this failure mode was fail-closed.
The costs of this unintended bug are going to be huge to Apple's reputation, as demonstrated in this whole HN thread, where many are assuming what's going on is even WORSE than it really is.
(Personally I think having signed certs (with opt-in ability to run unsigned apps, as MacOS has) is fine. And fail-open OCSP revocation check is also fine-ish, although it would annoy me if it's making it slower to launch apps on the regular. The problem here is a bug, not one of design. But most of this thread is assuming Apple was doing something different than this. Of course, how often a company produces fairly catastrophic bugs is also on them).
Right around this same time, I had 1 MacBook hard reboot (watchdogd timeout) and shortly thereafter, a second MacBook froze, fan maxed out, with the display not coming up. Then it rebooted into recovery mode.
Yeah, these _could_ be unrelated issues to what has been going on in Apple land today, but it's uncanny...
I keep reading in the tweets how all Macs are unusable. Is this an OS bug that doesn't affect older OSes? I'm on Mojave on my 2017 MBP, and have had zero issues at all.
Checking for notarization on each launch was introduced in Catalina. Older versions have trustd, but it was only used for the Gatekeeper checks added in 10.8.
My 2018 MBP on Mojave had some serious issues launching apps for a little while yesterday (3PM central) afternoon. It seemed to resolve within an hour though. Not sure how that lines up with the outage described here.
Hibernation.
External monitor support is buggy.
Pulseaudio is buggy with external microphone.
IR camera face login isn't supported.
Fingerprint scanner isn't working properly at login after sleep.
Sound from internal audio is much worse than was on Windows.
No app I know of can reliably share screen on Wayland.
This might be a stupid question, but is there a downside to blocking this "feature"? I can't think of any.
I've been using Big Sur beta for some time and one of the things that annoyed me a bit was the sudden lack of responsiveness, which is a tad annoying given that I upgraded to a 16inch MBP earlier this year and everything felt so snappy.
This is the correct policy. I upgraded my mac because I couldn't install a certain application on the version I was running and now it runs crazy hot and the fans run on full blast whenever I watch a video on the internet.
ocsp.apple.com also has an IPv6 address. Firefox connects to it even with 0.0.0.0 in the hosts file and a flushed cache (you need to also clear firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the ocsp site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.
Disable IPv6:
`sudo networksetup -setv6off Wi-Fi`
(where Wi-Fi is the name of the network service)
Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling IPv6 altogether, but admittedly I've never worked with IPv6 networking on Macs.
Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.
I had both my personal and work laptop become unresponsive at the same time. I was wondering what kind of problem could cause that - was thinking EM interference or possibly something on my network. This explains it.
Ha! So that's what it was. Last night (I just woke up in the UK) my MacBook Pro started to crawl, I started to fret that it might be the SSD starting to fail.
A compelling way to enact change at large corporates is to vocally communicate when and why you are forced back into a buying position as a customer.
Apple VPs who are listening, especially Craig Federighi - here is an early warning for you. The HN crowd may seem fringe, but they are living in the future. I de-Googled my entire life over similar transgressions by Google and several of my friends are gradually going through the same process, albeit more slowly.
And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook. No one is going to catch Apple on performance and form factor for a long time, but I'm willing to invest in a long-term ecosystem that won't allow things like this...as long as I don't need to debug audio drivers. I am done with that phase of my life.
So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.
(I looked at Alienware's M2 and M3, but it cost about the same as an MBP16 but with more blue LEDs.)
> The HN crowd may seem fringe, but they are living in the future.
The other thing that really can't be discounted here is that a lot of the HN crowd are likely the default go-to people in their circle of family and friends for this sort of stuff, and in many cases they may also have major purchasing influence and technical decision making power in their respective businesses. Turning off one of them may be inconsequential on its own in the short term, but it could seriously add up to a lot more destroyed mindshare and significantly more "lost" sales over time.
Don't underestimate the power of your choice at the frontier, even if it takes a while to reverberate through time.
I used to think it didn't matter what tools I chose as a lone developer making consumer tech products and DSP audio applications. But over time, I saw that consumers rely on frontier-makers for fast-moving tech choices more than you’d think, even if they lag a few years behind.
When enough people make a choice, a tipping point forms in the future. Paul Graham wrote about this in "The Return of the Mac", and I believe a tipping point is forming: http://www.paulgraham.com/mac.html
If Apple wants to ride on privacy, then it will fall on privacy.
Yes, I can specifically say that 2 other people have chosen not to update past Mojave 10.14 because of my advice.
I'm experimenting with Linux these days. There are some minor annoyances with using an outdated version of macOS. Unfortunately those apply to not just one or two apps, but every part of the OS when using Linux. Basic things like WiFi drivers or sleep support. I'm encouraged by the trackpad driver project, but it's not there yet. So I'm still hanging on to my 2014 Retina MacBook Pro using 10.13, until some Linux distro catches up. I feel like that will happen soon though.
One of my family members is using Time Machine and is on Catalina, which forces APFS -- is there something I should be worried about (outside of cross-platform support)?
It’s true, but at the same time Apple are currently trying to win over the developer community. That much was clear over the M1 announcement where they focused on compile times and tensor flow as benchmarks.
Corps like Google or Apple are so big that the amount of HN customers and their friends/relatives are a drop in the ocean. This is just a PR mess for them, that's all.
You and I - we are the market. How do you know how many drops there are if you don't speak up?
Relative to my community in South Africa, I have spent more money on Apple products than anyone I know. And here I am saying that if these privacy issues are not resolved, I am willing to vote with my wallet as soon as I can find an alternative.
I only mention that I've de-Googled my life so that those who doubt my intent will know it's not an idle threat. These things take time to change, but they can and do change if you make your voice as a customer heard.
When you want to enact change at a Big Co:
1.) Communicate why you are forced into a buying position and ideally how to resolve it.
2.) Be willing to walk away, or you can't negotiate.
The interesting thing about this community is that technically it could create its own OS. That is a threat to nation state level institutes that want to prevent that.
I agree with the sentiment, but I also think designers and builders of all kinds ignore the most advanced users at their peril regardless of if they're HN, some game's best players, someone who uses a library in production instead of as hobby, etc.
The impact is just different and sometimes causes big issues if ignored
There are more than 1,000 people and it's a sampling of a larger population. There are more developers and technical savvy people out there than just the ones who use HN.
You and them are the market if you happen to be the only two customers of a company or the only customers for specific goods. Hopefully you see now why your statement was ridiculous.
> The HN crowd may seem fringe, but they are living in the future.
I really don’t think the HN community is at all representative of what the masses think about. Just like in any online community, it is easy to think that the thoughts of that community somewhat resemble that of most people when that simply isn’t true. HN’s base consists highly of developers who are up to date with most things in the technology industry.
The rest of the world doesn’t really care enough to compromise the comfort and reliability of Google’s suite, which let's be honest, outperforms its competition by a sizeable margin, and does so with a “free” price tag.
People on HN have talked about de-googling for years and I have yet to see someone outside of the computer development scene do it (or even talk about it for that matter).
I am starting to see people switch around me, but it doesn't happen overnight.
A surprising handful of non-tech people have asked me, "Hey, I see you use DuckDuckGo. Why not Google?" And then we have the conversation - it's a short conversation:
Well, you cannot prosper in an environment if you operate on inaccurate or censored information. Google & YouTube censor information and track everything you search for or watch. Today your views align, tomorrow they may not.
Secondly, you must insure yourself against tail risks, and having your Gmail account "cancelled" is a yuuuge tail risk. Therefore, avoid bundled Google products.
Then a few months will go by, and I'll see they are now using Firefox and DDG.
When you have these conversations, it's important that it not be about your identity (open source! Linux!), but about risk-aversion.
I agree--I also de-googled within the last couple years. I also did it because I need my e-mail to always work, it's just unacceptable that Google could take it away with no reasonable recourse.
I was also hit by this outage today, at work, on my work laptop, while I was working. Apple literally cost me time and my employer money today, because their lack of foresight or inadequate provisioning of servers or whatever the fuck it was, fucked up my laptop. No good reason. They just fucked up, and it cost something.
I wish there was a phone ecosystem I could invest in that ran Clojure near the metal. Some kind of Lisp machine would be awesome and make it more palatable to endure missing libraries and apps.
In case you don't know, GrapheneOS is based on the open source parts of Android (AOSP) so the apps are developed on Android's JVM (Dalvik?). Maybe it's possible to code with Clojure.
And there are A LOT more than what is just happening here.
They have burnt a lot of good faith post Steve Jobs. But judging from current Apple management, they won't act until sales numbers decline. As shown by the MacBook Pro keyboard fiasco. And to make it worse, they seem to think of most of these problems as PR and marketing problems and dial up the marketing instead of actually fixing it.
( You can see that with Apple's marketing, especially with recent iPhone 12, with VPs explaining in podcast )
If there are a lot more, it's worth listing them all in a blog post. A set of evidence is more compelling than only one act that could potentially be written off as well-meaning incompetence.
I would say that the current Microsoft Surface laptop/book has the same build quality feel as the Macbook line, but unfortunately you're stuck with Windows 10, which is a downgrade if you're used to MacOS.
Windows 10 is also working against you with its telemetry and ads.
We shouldn't have to work against the interest of the company that sells us the software running on our PCs. This will lead to more problems down the road.
I concur. I have a Surface. It sucks. Worst computer I’ve ever bought.
Keyboard sucks. Is it a tablet trying to be a laptop? Or a laptop moonlighting as a tablet?
Stylus sucks. It doesn’t have the accuracy of the iPad. And it always had a weird parallax feeling, so I gave up on using it. And the software was just mediocre.
I gave up and bought a Lenovo T4xx series laptop. Installed a dual boot Linux Ubuntu on it. Best. Computer. Laptop. Ever.
I just got a new XPS13 after a decade of using only MacBook Pros. Honestly it's pretty good and like 95-99% as good as my MacBook. The only thing I really miss is the incredible touchpad. The XPS touchpad is meh, although it is functional, which is more than I can say about many other Windows notebooks.
> So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.
Thinkpad X1 Extreme Gen 2 is what I use and I'm very happy with it. My requirements were a moderately high-performance laptop, hybrid/discrete graphics, not excessively bulky and good Linux support. I can't fault my choice. The only issue I had with hardware compatibility under Linux was due to me receiving it a couple days after launch and the drivers for the wifi card not yet being in the kernel used by Debian or Ubuntu (no longer an issue iirc). Happy to answer any specific questions you have.
I don't think they are "checking"; they've carefully planned a path and are slowly and meticulously executing on it. They have no intention to stop at any point. Should the money stop flowing, they'll just come up with a new gadget. To make them backtrack on the walled garden would take an extinction-threatening event that (unfortunately) will never be on the cards as long as nobody can seriously threaten the iPhone.
I’m not so sure. A handful of high-profile opinions + a few hundred low-brow peeps like myself calling out bad behaviour can have a noticeable impact on sales in the mid-term.
I had the pleasure of installing Ubuntu on a modern Dell XPS recently. I was happy to discover that everything seems to work flawlessly upon install without any additional fiddling: WiFi, trackpad, touchscreen, display scaling, and really everything else I've tried so far worked great. It's an absolute joy!
There was a time I remember when various things with Linux installations were often quirky or troublesome to get working well with certain laptop hardware, but I'm convinced now that this situation has improved tremendously since then...at least from my recent experience and hearing other good things about the Dell XPS and various ThinkPad models, and of course System76 (although I haven't had a chance to try one of those myself yet).
You can buy the XPS13 Developer Edition. The XPS15 doesn’t come preinstalled with Linux (although it apparently works well and is well supported). If you want an officially supported Dell 15”, you need to buy the more expensive Precision: https://www.dell.com/en-us/work/shop/overview/cp/linuxsystem...
There may be some supply chain issues with the Linux one. When I ordered this in August, they never sent it and cancelled my order 1.5 months later. I reordered it that day, and it was delivered within several days. I do like it very much.
Yes, and they are also selling an Ubuntu edition where you not only save quite a few $$$ (because no Windows licence) but you're also sending a signal to manufacturers that there is a demand for compatibility with other OSes (unlike on Apple or MS Surfaces).
So if the dev edition fits your needs, consider buying this one.
Thank god I switched back to Windows early this year. I absolutely love it and I do not foresee me returning to Apple for a considerable amount of time.
You should know that Windows includes a similar feature (to call home and report file hashes and the user's IP for example) called SmartScreen, and with default settings it also triggers on every single application launch in the OS.
I use both Windows and Mac but I would never consider Windows some patron saint. The telemetry and dark patterns in Windows are much worse than what Apple does. Windows literally advertises its own browser in different parts of your OS and will regularly change the default back to Edge after updates.
But overall I am pretty happy with Windows being my daily driver now that they have WSL.
I bought the business cousin of the XPS 17, the Precision 5750. The screen-to-body ratio is amazing. And the 4k screen is beautiful, the build is attractive, thermals are good and the speakers are nice as well. (From an Apple perspective these are the things that others often get wrong)
It has some design flaws ("hybrid power") but what is really messed up is the QC:
I have ProSupport and already had 4 technicians over and am currently awaiting my third full replacement.
Issues are all over the place: faulty trackpad, extreme coil whine, broken display, etc.
Perfect device for me if they could figure out their QC.
If the next one is not perfect, I am getting a G14 which is the best performance/watt, performance/notebook volume and one of the best performing notebooks in general.
Microsoft saw that Macs were eating their lunch regarding developers and researchers when e.g. nearly everyone doing AI was on a MacBook or Ubuntu. You had a hard time getting Tensorflow to run on Windows because no one in the community really cared.
Also everyone developing applications in the cloud was eventually targeting Linux as the production OS, which is a pain if your development OS is pretty much hostile to anything command line.
MS then put a lot of money into getting a Linux-like command line and support into Windows with WSL.
They also got a bunch of influencers and devs to do their thing with improving that kind of developer's experience.
Apple, however, has been sitting on their hands in this regard. They are moving exactly the opposite direction with this crowd.
I have no idea what rationale is behind that. Did they come to a different conclusion than Microsoft or are they just failing to execute on the strategy?
MS sells cloud services. They don't really care what machine you use, as long as you live on Azure as much as possible. That's why they give you more and more tools that improve the "remote development" experience.
Apple sells silicon. They don't really care about developers; as long as they can pull enough users through the iPhone->iPad->Mac funnel, they have done their job of selling as much hardware as they can. In their view, developers bitch and moan but in the end will have to go where users go - at which point, Apple can tax them for access to the walled garden.
> And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook.
You'll keep buying Apple stuff. I know it, you know it and Apple knows it. If all of their past transgressions hadn't changed your mind you'll keep doing it. Cut the shit.
From another post on this page, someone recommended to look at Metabox.
I never heard of them. I just looked over their site. Some very very cool options. Been in business a long time.
https://www.metabox.com.au/
I've tried Alienware - used to be good, but not very impressed since Dell days, I've tried Razer - always some issues, Dell G and XPS seem the best, up to now. But this Metabox looks really fun. Wonder if others have tried?
Look into what state law protections you have. High ticket mail order items can usually be returned for a full refund for a fairly long time.
Finding out that it's phoning home about every binary you run is absolutely a good justification to return it. I would sooner throw out a computer that did that rather than use it.
You've got to be kidding me. When Apple's servers are down, all Macs worldwide start freezing randomly? My Xcode is hanging during builds, is this why?
This code signing enforcement stuff has gone way too far. Heads should roll for this.
Holy Shit. That should be illegal. All it needs is one rogue employee to potentially steal trade secrets? And don't tell me MS employees never go rogue after the recent events...
The behavior documented there is on FIRST run of a new executable.
You can like that behavior or find it unacceptable, but the issue in OP is not that, it was applying to executables that had already been launched plenty of times on the machine.
Right. The recent problem (in top-level OP, and that you were presumably experiencing) was not just first run, but the behavior explained at the GP link (https://news.ycombinator.com/item?id=23281564 , HN thread for https://lapcatsoftware.com/articles/catalina-executables.htm...) is just about first-run, so the behavior explained at the GP link is not sufficient explanation for the recent problem, it's not talking about the same thing.
Wait what happens if you don't have an internet connection? Can Macs not be used offline any more, surely that's still a relatively common use case for a laptop even today in a lot of places?
My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.
I experienced this a couple of weeks ago. My wifi was up, but my internet provider was down. My MacBook came to a halt. Nothing worked anymore. The whole machine was extremely slow. When the internet provider came back up again, everything was fine again.
Had the same thing earlier in the week as the ISP was doing maintenance two nights in a row. 5+ seconds to start Sublime and other really basic apps. Apple apps had no problem of course.
Remembering the notarization problems people were having months ago I did some tests and confirmed.
Now have Little Snitch installed again and my laptop's going to be an Apple orphan. So I never noticed this problem today by virtue of it pissing me off 2 days before.
Airgapped network — an IP LAN not connected to the internet. These do exist, sometimes permanently for security reasons, and sometimes just where external connectivity sucks but you still want your laptop to talk to your NAS.
The point stands: if you allow a host to resolve ocsp.apple.com to an unresponsive (timeout) address, it might break macOS the same as today — whether by air gap, by firewall, or who knows what else.
It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function.. masquerading as security.
macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.
If you point the request at localhost, the problem resolves. This means that a cable getting cut in Cupertino won’t matter. It is a revocation protocol; it fails open.
The problem today is not that the connection to the server failed, but that it succeeded very slowly. The result was an accidental denial of service on the client.
This particular issue is easy to work around for technical users; the _problem_ is the philosophy that made it possible.
This is the reason I can no longer use Apple computers - the continuous battle they are waging against the user's freedom on all fronts - the anxiety of what they will do next to _my_ computer is too much.
Good luck finding a suitable replacement. Microsoft does unpredictable things to Windows. Linux maintainers do unpredictable things to all sorts of things.
Your only real recourse is to compile everything from source after a thorough review every time...
...or else trust someone.
Sure Apple had a problem here, but there are so many other reasons to trust them over any other org that I can't in good conscience switch platforms, because there's so much more anxiety elsewhere.
> Linux maintainers do unpredictable things to all sorts of things.
With Linux you don't have to worry about every program you launch being reported to the mothership, or that failure of the mothership to respond would cause your computer to not function.
If you're not reading all the source of everything you're running, any or all of it absolutely could be reporting usage/stats/your data to a "mothership".
Just because there's no single central org involved doesn't mean there aren't risks.
We already know that, by design, macOS will report back to the mothership. If things are working 100% correctly, Apple will collect what programs you run and when you do so.
Linux won't report to the mothership by design. If things work 100% correctly, you don't have to worry about some company knowing what programs you run and when.
I've already found a replacement, Debian stable + i3wm has been my happy place for the last 5 years. No unexpected behavior changes on update, just bug fixes, it does what I tell it, nothing crazy like Debian maintainers dictating what binaries I can run... if you want more or less control you've got plenty of Ubuntu style distros in one direction and Arch style in the other.
If you're a media person then yeah, I feel bad for you, I've been there and it sucks, you're stuck with Mac and Windows if you require mainstream design apps.
I agree that it’s security theater and a suspect implementation, but I was playing a game of “let’s imagine why someone might do this...”—
I’m wondering, suppose it was designed this way because part of the goal is to prevent the spread of malware, the fastest means of which is an internet connected computer. In that event, the feature only intrudes when the computer, by virtue of its internet connection, is a member of the threat class.
That's a fair point that I hadn't considered, and I appreciate it. But I still feel like "ability to use your computer as a service" is not something I signed up for.
Because it is not yet illegal to operate a computing machine that is not centrally monitored. New Normal, get used to it. Soon, this corner case will go away.
It doesn't become safe when you're offline, it's just that you're no worse off than you were. OCSP is a certificate revocation protocol. It's only used for disabling certificates which were issued in good faith but now need to be revoked. Suppose Apple signs application X, and the signature is good for a year. Six months later, Apple discovers that application X contains malware, so they revoke the certificate. However, your computer doesn't know about the revocation until it checks the OCSP server, which requires you to be online. If you're offline, it just skips the check; the certificate wasn't revoked yesterday, so it's probably fine today too. The bug is that if you're connected to a network but can't contact the OCSP server (either because the OCSP server is down, or because you're not connected to the internet) then OSX keeps trying to connect and becomes sluggish and/or unresponsive. This is how we know that it's a defect rather than a deliberate choice; if they had decided to make the OS non-functional unless connected to the internet they would have done a better job of it.
It wouldn't surprise me if they one day wanted to require you to be online 100% of the time so that you can't skip the OCSP checks on applications, but I don't think that would go over very well. Apple wouldn't even be the first to produce applications that refuse to work if there's no internet connection. If you don't like the thought that they might one day spring this on you, I recommend investigating Linux.
Unfortunately there’s not a way to differentiate “we’re online but Apple’s servers are having issues — probably fine” and “we’re online and something is preventing us from talking to them — something nefarious might be happening.”
Local copy of whatever Apple is checking? Update that daily (on sign on or something). Not going to catch zero day type stuff, but better than making the laptop unusable.
I'm going to make a bold claim but Linus made a claim to this effect. Security is important but it cannot be the only main priority when designing systems. Apple's mistake here is probably the main story but more generally this attitude (letting systems spectacularly fail for the sake of hypothetical security) is foolish and results in rather terrible bugs like this.
I think the point is that that database is too large to store on a single machine which is why it has to be ad-hoc queried and cached. I mean it will have the signature of every program run on a Mac.
Funny how DNS has that same issue, and yet, we still decentralized it to a point, even if there is some inertia going on to keep it as centralized as possible.
If you don't have a connection, it just doesn't do the check. If you have a crappy connection like many of our students, it takes forever to check. If the server is down, life just sucks and non-Apple programs don't open.
If you are connected to a network without an Internet connection, it just becomes unusable. Internet connection is somewhat unreliable in my area, and I had an internet outage that lasted for days during the COVID lockdown. I feared it was a malware infection causing the slow down. I switched over to Linux not long after.
Often when I would see this type of error it would be when something silently drops TCP packets (rather than sending a RST). This is one way to configure a firewall, and it's indistinguishable from high latency. Hence the difference in behavior. If the address was unroutable, or immediately closed the connection, it would fail quickly (and presumably for the OCSP check, it would be skipped immediately). But when packets are silently dropped, it's up to the client to decide how long to wait for an ACK, which might cause a hang.
I've seen an identical problem where Chrome would hang for minutes when loading sites, and it was because I was in a firewalled environment that was outright dropping packets to Chrome's OCSP server.
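The difference described above between a fast failure and a silent drop, as an added example that is not part of the original thread: a Python probe that puts one overall deadline on a revocation-style lookup and soft-fails when it expires. The loopback listeners, the request bytes and all function names are constructed for illustration, and no real OCSP is spoken.

```python
import socket
import threading
import time


def revocation_probe(host, port, deadline_s):
    """Contact a stand-in revocation responder under one overall deadline.

    Returns (verdict, elapsed_seconds). Every failure maps to a soft-fail
    "skipped: ..." verdict, so the caller proceeds instead of hanging.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=deadline_s) as conn:
            # Spend only what is left of the deadline on the reply.
            remaining = max(0.05, deadline_s - (time.monotonic() - start))
            conn.settimeout(remaining)
            conn.sendall(b"constructed-status-request\n")
            reply = conn.recv(64)
            verdict = "answered" if reply else "skipped: closed without reply"
    except socket.timeout:
        # Nothing came back: the client alone decided how long to wait.
        verdict = "skipped: timeout"
    except ConnectionRefusedError:
        # The peer actively rejected the connection (RST): fails immediately.
        verdict = "skipped: refused"
    except OSError as exc:
        verdict = f"skipped: {exc.__class__.__name__}"
    return verdict, time.monotonic() - start


def closed_port():
    """Reserve a loopback port, then close it so connects are refused at once."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def silent_listener():
    """Listen but never accept or reply.

    Stand-in for a path that swallows traffic: the client sees neither data
    nor an error. With a firewall dropping packets the connect itself would
    stall instead, and the same deadline would cover it.
    """
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def answering_listener():
    """Accept one connection and send a constructed 'good' reply."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)

    def serve():
        conn, _ = s.accept()
        with conn:
            conn.recv(64)
            conn.sendall(b"good\n")

    threading.Thread(target=serve, daemon=True).start()
    return s, s.getsockname()[1]


def demo(deadline_s=0.3):
    """Run the probe against the three constructed peers and collect results."""
    results = {}
    results["refused"] = revocation_probe("127.0.0.1", closed_port(), deadline_s)

    silent, port = silent_listener()
    results["silent"] = revocation_probe("127.0.0.1", port, deadline_s)
    silent.close()

    answering, port = answering_listener()
    results["answering"] = revocation_probe("127.0.0.1", port, deadline_s)
    answering.close()
    return results


if __name__ == "__main__":
    for name, (verdict, elapsed) in demo().items():
        print(f"{name:10s} {verdict:20s} {elapsed:.3f}s")
```

The refused case returns almost instantly, while the silent case costs exactly the deadline the client chose; without that deadline the wait is whatever the operating system's defaults allow.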
With Android it is the same. I have an App Firewall on my Android phone and since then the standard Android gallery app does not really work anymore. A lot of things break, for example when I like to send a file with Threema, I have to go offline, choose the file and then go online again. Otherwise the file dialog does freeze. It's just standard these days. Also a lot of things break if you are just on a network without an internet connection. Welcome to 2020.
That's why notarized applications should be stapled too. The stapling "ticket" is embedded in the app bundle and allows macOS to perform an offline check.
Basically you'll get the usual GateKeeper window, but with a slightly different message, along the lines of "I can't check this binary in realtime but I trust the embedded notarization".
Almost certainly so. Apple has built chains of certificate trust very deep into the OS, along with apparently an assumption that this particular revocation service check is reliable & fast enough to call out to the network a lot.
Imagine how many people would lose their productiveness, maybe not at the big corps or govt (I assume they use a version of mac that calls somewhere else/doesn't). But very very many people.
Code signing is an okay thing as long as the signing identities don't get discriminated. Android has had code signing ever since it was released, but you always generated the certificate yourself, and the purpose was simply to stop someone else from making an apk with the same package id that would install over yours and gain access to its data.
The thing Apple does, on the other hand, with trusting themselves more than the user, is disgusting. I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
Give me, the owner of the computer, control over the keystore for the root certificates I trust, and code signing is great.
> I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
As a libertarian I can see the argument for getting rid of presumptive copyright (and tanking the US economy), but the government preventing people from entering into contracts that you don't like? That's just hypocritical.
> but the government preventing people from entering into contracts that you don't like?
It's not that. Plain and simple: in an ideal world, more money shouldn't grant more power and immunity. Governments should disincentivize this growth into the sky by, for example, progressive taxation for companies. The world would be a better place if tech companies actually competed with each other by making better products, not trying their damnedest to lock everyone into their walled gardens to earn even more money they have no clue what to do with. Currently, when choosing something like a computer or a phone, you just pick one that sucks the least. There's no healthy competition.
Libertarian is not a well defined word. I have a friend who identifies as a Socialist and a Libertarian. He believes that true libertarianism (anarchy) would result in a collapse of capitalism since there would be no state to enforce private property rights.
So yeah, always gotta find out what a person means when they say "Libertarian"
You need to set up your own DNS caching resolver and start selectively filtering out Apple domains. Pihole does that wonderfully. Ask your Apple geniuses whether they would help you set it up to make your Macs work.
If you just read his writings on the importance of free software, he never was that "crazy" to begin with. He simply saw examples of companies locking down their hardware so that they could control it at the consumer's expense.
Exactly this is happening with Apple now. Although Apple computers were fairly hackable in the past, with users being able to install Linux or Windows, that is changing. Apple is changing the hardware _and_ software to make it more difficult to do things that Apple does not approve of.
Stallman was keenly aware of this type of behaviour, and he was also aware that companies that have the potential to use this behaviour to their advantage, will often do so.
Apple wants to be in a position where they sell computers as appliances, and Apple Silicon is their step towards doing so.
By the way, I'm typing this on a Macbook pro that is no longer supported by Apple, but running Linux. I am not sure this would be possible in the world of Apple Silicon.
I don't think Stallman's crazy, he's just passionate about his beliefs, and people whose careers depend on not acknowledging the truth in what he has to say like to dismiss him.
He was short sighted in many parts. Eg: the definition of free software as something that can be freely redistributed.
For infrastructure parts, it makes sense to be even permissive open source. For something in applications level, it would be nice to make money from it by charging corporations using it, while still being freely available for students and hobbyists. This could have combined best of open source and commercial software.
Stallman's belief is that everything is either good or bad, and there is nothing in between. He is right about consumerization of computing devices though.
Hardly "happy about all this". From the end of the linked article:
Author's note: Some people have read this blog as my utopia or dream of the future. It is not. It is a scenario showing where we could be heading - for better and for worse. I wrote this piece to start a discussion about some of the pros and cons of the current technological development. When we are dealing with the future, it is not enough to work with reports. We should start discussions in many new ways. This is the intention with this piece.
So many comments in here, but I haven't seen a single one mentioning a simple solution: Vote with your feet.
For years now, I've seen a large portion of the HN crowd praising Apple for its (alleged) respect of privacy and cursing at Microsoft for Windows "calling home" all the time. Now that this has happened, the only comments I see are "heads should roll", and "we must complain and be heard by high-level execs", but never "let's move away". This just reinforces my impression of the Apple ecosystem as something akin to a cult: Once you get in, you never get out again.
There are good alternatives - many people, including software engineers, use non-apple solutions on a daily basis and they are still productive. Why not give Linux a shot, or gasp even Windows? The age-old argument of "MS is evil, Apple good" is moot. Companies are generally not good or evil, they are profit-oriented. If the market demands privacy, they care about it, otherwise probably not so much.
It isn't so easy. There is often a large cost of moving. Eg - I use `sketch` for designing. I can move to Figma, but it'll be a learning curve and the performance just isn't the same.
Additionally, in order to move to Linux I need to find a good alternative to many other software that I'm using. Most commercial software only targets Windows or OSX.
For the record, I've written large parts of KDE, so I'm acutely familiar with running Linux as a Desktop Environment.
> This just reinforces my impression of the Apple ecosystem as something akin to a cult
That's very uncharitable. Suggesting Windows as a potential alternative also sounds slightly comical given their history with Windows 10 and many people's required workflows, required because of work or other outside influence, make Linux less tenable.
A lot of people seem to suggest that if you have something to complain about then you should be moving on to something else, a vibe of 'appeal to perfection'. I think this is the same mentality that drives the distro hopping phenomenon. I'm not brainwashed because I live with the flaws of my OS choice and complain when things are changed that I don't like.
I'm not sure which comments you are reading: one of the top threads that almost fills the whole first page is a long discussion about alternatives to macbooks...
I've been using Windows 10 with WSL2 and found it a surprisingly effective development environment with all of the Linux goodies accessible. And games are available without a reboot or VM!
Many complain, few will act. Virtue signalling about Windows is zero cost, unless one is a Windows user. Most people just don't care about privacy enough to do anything (ANY thing) inconvenient.
Linux only makes sense as a desktop operating system if your top priority is telling people online that you use Linux as your desktop operating system.
I mean, it's easier to do most kinds of programming on linux than windows. Stuff works more "out-of-the-box" than on windows.
For other things? Maybe. Some nice GUI applications, while they can in theory be run on Windows through cygwin, work well on Linux as well.
And some people just like performance / look-and-feel. Windows is often sluggish, while most Non-GNOME IDEs are pretty fast on usual hardware.
Then there is the updates problem. I have had Windows downloading updates even if the network was marked as metered in the past. Some LTS distro is often better. Unless you use Fedora or Arch, updates should be minimum.
I don't want to imply Linux desktop is mature enough for all people. Just reminded there are valid reasons tech savvy people prefer it.
It IS, though. SmartScreen on Windows doesn't check binaries created on the same machine, but you'll get flagged if you move the untrusted binary to another machine you own.
Note that SmartScreen has a UI that lets you bypass it without having to disable it system wide, and has a sane timeout (I believe 30 seconds) after which it just pops up a dialogue box telling you that it can't check the binary, allowing you to continue.
What the hell? You have to wait 30 seconds before you can run unsigned code on Windows without calling home to Microsoft about it? How is that considered sane? (I mean, forking on windows is slow but it's not that slow.)
How do people (and corporations! Especially ones sensitive to sharing IP!) put up with this stuff?!
I'd assume that's what most corporations do, since that's what it's there for.
I wouldn't 100% forsake the benefits of this stuff, since it does protect normal users - defender on modern Windows installs is good software and really does its job well, while staying out of your way most of the time. I'd leave it on for my parents.
iirc no, there is a "More Info" button in the smart screen pop up that you can click instantly, and from there a button to run the app is available instantly.
well it is more insane because if you have an elevated exe that can spawn other exe which would trigger smartscreen the elevated exe can actually put a smartscreen filter in it.
I mean what is the point in smartscreening an exe that gets spawned from an elevated exe?!
To prevent virus spread by confused deputies: even if you somehow get CreateProcess permission by, ex, getting a service registered, the actual malicious executable will still be blocked.
well as said it's an elevated process that can completely disable smartscreen, so an attacker would only need to run an exe that downloads another malicious exe after it disabled smartscreen that would not be blocked.
Imagine a program, WinSudo.exe. This program runs elevated, by magic. It passes its arguments to CreateProcess(). You call WinSudo.exe Virus.exe. Virus.exe execution is blocked by SmartScreen.
(This scenario is itself a security flaw that existed for some combinations of Windows system utilities, so this is a real concern.)
Now, you could change WinSudo.exe to disable SmartScreen, sure -- but this requires you to be able to modify WinSudo.exe (which should require Administrator), and the mismatched binary would ALSO flag SmartScreen.
well WinSudo.exe DisableSmartScreenAndCallVirus.exe Virus.exe might work if the first two are not smart screen detected yet. a simple program might not be detected by smartscreen yet.
Unless this is a 2004 feature, it does block binaries compiled on the same machine. Not very fun if you are compiling stuff repeatedly with a couple of second wait-times when running the binary.
I'm not sure what they call it, but Windows does get in the way for things you compile on your own machine. I compiled the JuicyPotato exploit and tried to copy it to another local folder and got error 0x800700E1 and the EXE went missing.
That's Defender behavior -- you'll want to disable antivirus before building viruses :)
Defender is a traditional heuristic-based AV with on-disk and live load scanning and an offline database. SmartScreen is a reputation-based (certs + "how many people ran this") checker, and is much more visible. Win10 runs both.
This is a big conceit everyone holds - that Linux will be an acceptable substitute for MacOS. To be perfectly honest, if Apple shut down their Macbook factories and got out of the computer game entirely, and everyone flocked to Linux, it would be several painful years before Linux would be as usable as MacOS is today.
This is why I try out Linux every few years, and file lots of bug reports when I run into issues (mostly in applications - the core Linux kernel is solid). I've even contributed code to Linux apps that I don't intend to use right now.
I guess this is where the disagreements about usability on Linux come from. I've been using Linux based OSes since I was a child and IME when you run into brokenness it's almost always the user space (often something flashy from gnome or kde or occasionally freedesktop.org.)
Most things are more than doable on Linux but often you're choosing between stuff that works and stuff that looks pretty.
I've gotten quite good at recognizing crosswalks, fire hydrants, chimneys and the like. Though I refuse to identify that one mailbox as a "parking meter" even if it means another trial to prove my humanity. Users of the platform get treated as spammers already.
It's a reference to Google's recaptcha, which in my experience always asks you to try to identify features in tiny blurry low-resolution photos (and I always wonder how users with poor vision can deal with it). And it's not unusual for it to be wrong and insist that a street decoration is a bicycle, or something like that, and not let you proceed unless you agree with its misidentification.
Oh I intentionally select the wrong things on that mixed with the right things. Just to screw with google for trying to automate some BS by making us do it.
I don't doubt it. At least on non-server machines. They might not even do it intentionally. When every new machine manufactured in the last 20 years has some kind of secure boot system that prevents "unauthorised" operating systems from being installed, what then? Are you just going to keep your laptop from 20 years ago?
Mentally I'm there. But in terms of convenience I'm not. Thankfully my entire workflow has been done with OSS compatible with linux in mind so switching over is little more than an inconvenience for me. It all started because I couldn't use specific software in my workflow with linux...even if I paid for it. So then I started looking for good OSS alternatives and now I've basically become OS agnostic.
Sincerely and without any intention to troll or be sarcastic: I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.
Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond just users in this case.
Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).
All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.
> I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.
The answer is pretty simple: these problems are extremely rare, they don't last very long, and they tend to have fairly simple workarounds. You seem to have a principle that any non-zero chance of being affected by a problem of a certain type is a complete deal-breaker, but most people when buying a computer probably just subconsciously estimate the likelihood and impact of this type (and all other types) of problems and weigh that against other unrelated factors like price.
Exactly. Today was the first day when I knew this was possible. If I had been buying a computer a month ago, this would not have been a factor in my calculations whatsoever, because I didn't know it was even a possibility to consider.
FYI, both Windows and Chrome (to an extent) can do this too. Windows will phone home to smartscreen scan downloaded executables, and Chrome checks every download against virustotal (owned by Google since 2013) for viruses to warn that software is malicious, and I've been burned by this a few times when a download wouldn't complete for multiple minutes due to this scan.
You still can run the same program checked by windows though, by opting in to use the program. And definitely you still run other programs as the check only occurs on installation, and not every time after running it.
And they don't know because of the hidden source of the binaries their overpriced hardware is running. So users can't inspect the source and look for hidden "gems" like this one, let alone fix those intentional bugs themselves - not just due to not having the source, but the hardware refusing to boot anything not signed by the blessed key of Apple.
Razer laptops come with the latest and greatest in terms of GPU/CPUs, plus they usually feature things like high-refresh displays, full RGB keyboards etc. They're still overpriced, mind you - since you can find comparable laptops for literally half the price - but at least they have the powerful hardware in them to somewhat justify their steep pricing. Similarly to Apple though, their pricetags are heavily inflated by the Razer branding.
Can't comment on the Surface, never looked into them much.
That's one potential issue, if you have privacy concerns. But the real problem here is that there's a blatant bug in the phone-home code that causes apps to crash if Apple's servers have a problem.
No, I don’t think you should just dismiss the privacy issue. It seems every time I launch an app, MacOS tells Apple. That’s also a REAL problem — and I guess I won’t be buying a Mac again unless the feature can be turned off.
Not in this case. This particular thread is about any app that was not an Apple app having problems launching, regardless of how many times have been launched before. It has revealed that actually every opening of any application phones home.
What you said is like saying nothing except a social security number is used to identify you, as if that wasn't linked to the rest of the info about you.
I would accept "flaw", "incorrect choice", or "mistake". But if they considered it, and chose this path, knowing full well this would happen, that's not a bug.
simply doing “if server does not respond, don’t check anything” would be bigger flaw in design because that would mean just modify hosts file to localhost or something and the security check would be worked around.
Doesn't this bigger design flaw you describe apparently exist? I (and many others) did exactly that to get our machines responsive again, ocsp.apple.com 127.0.0.1 in the hosts file.
I knew and didn't care. If you care, you're going to be real upset when you look at your other alternatives.
That said, I don't think many people here actually care. I firmly believe that most of the people on this site just like to shit on Apple, because they prefer that to trust their privacy to an Advertising company.
I agree with your point about it being a principle, although I would add that the decision to build a product in this manner is also a principle.
Furthermore, I would sort of disagree with the answer to why people would buy this. In terms of "most people buying a computer", the overwhelming majority of Apple customers are likely ignorant to this issue, and will continue to be.
It's true that I don't have data on how often this type of problem happens, how long they last, and what the workarounds are, but I'm using those words not to be intentionally vague, but to reflect my own impression from my own experience, and I strongly suspect my impression matches most people's.
It's like saying car crashes are rare, insured against, and you personally never experienced one.
This does not mean car crashes can be ignored, or cannot happen to be dangerous.
There is a balance between the possible damage because of not checking signatures remotely, and the possible damage from not being able to run a program when the remote checking service is unavailable. But there is no situation where the average damage is exactly zero :-/
What? In your analogy, the parent commenter would be saying "I'm puzzled that people are willing to buy and operate an automobile given that they can be involved in dangerous accidents."
And in this analogy, I'm not saying "we should ignore car crashes." I'm saying "the reason people still buy and operate automobiles despite the possibility of accidents is pretty simple."
Your metaphor suffers an imbalance in spectrum. We are hardly talking about life and death here. You clearly can’t make the same comparison to car crashes. People’s motivations will certainly not be the same in these two cases.
The problem is that this is not an issue that should be viewed only in the current context. Just because things are rare now, don't last very long doesn't mean that they will continue to be that way, or that it will work at all in the future if Apple decides that only EOL OSs could be using this system at some future point where it's mostly changed.
Not caring about this now is like not caring about government or corporate privacy invasions because "I have nothing to hide". It completely ignores all the variables that have to align to make this benign that happen to at this point, but are in no way assured for the future.
He's not commenting how the problem should be viewed. He's communicating how he thinks most people view it. IOW, you're arguing what should be while he was talking about what is.
> Just because things are rare now, don't last very long doesn't mean that they will continue to be that way, or that it will work at all in the future if Apple decides that only EOL OSs could be using this system at some future point where it's mostly changed.
Okay, sure, you could attempt to estimate future damage from what appears to be a simple (albeit bad) bug in MacOS. Maybe it means all Macs will completely stop working in 2 years. But again, I think consumers will subconsciously estimate the likelihood of this to be extremely low.
> Not caring about this now is like not caring about government or corporate privacy invasions because "I have nothing to hide".
What? I thought we were talking about the immediate user-visible bug here, where some third-party apps could not be opened on some Macs for some period of time today. Sure, there are separate potential privacy concerns any time an OS phones home for any reason. But the problem here is just a blatant bug that manifests when the OS phones home and the servers are having problems. Macs continue to work fine when they're not connected to the internet, so it's pretty clear this is just a bug that's not actually related to the privacy concerns with phoning home.
> What? I thought we were talking about the immediate user-visible bug here, where some third-party apps could not be opened on some Macs for some period of time today.
>>>>> these problems are extremely rare, they don't last very long, and they tend to have fairly simple workarounds.
This is about Apple controlling what software you can run on your computer, for all third parties, and in a way that if the system/service is malfunctioning or shut down there's a chance it blocks all non Apple software.
You can either choose to accept that Apple is a good steward of this because they haven't screwed up too much yet, and that you're okay with it because you have no or little need for third party software it might affect (or are willing to deal with it), or you can view this as an erosion of your rights to control the hardware you bought, which while only slightly inconveniencing now are still fundamentally the same as what could be used egregiously in the future.
You either vigorously defend the rights (or what you want to be a right) now, or you watch it erode slowly. That's how the system works. You want privacy or believe it's important? Protect it now and even if you don't have anything to hide. You want the ability to control your own computer and run your own software, and not be beholden to some company's deprecation schedule affecting things they didn't write, or at least believe it's important for a possible future? Then defend it now.
Given how iOS functions, and how Apple is moving to their own silicon for their other products, do people seriously doubt that a future where you actually can't run anything on MacOS except what you get through their store isn't at least a possible future? If that's something we care about, it's something we should be vocal about now.
If you use your laptop as mostly a youtube machine or a social media station then yes, the described problems are not a big deal, in fact they are probably beneficial to your well-being. But if you use your laptop to earn a living, that can be a major problem, day traders for a top of the head example. This also sounds like a nightmare for the corporate world. I suspect that these custom silicon iOS devices will be fully cemented as 'Fisher Price' computers.
> If you use your laptop as mostly a youtube machine or a social media station then yes, the described problems are not a big deal, in fact they are probably beneficial to your well-being
I've set up a few Linux installations for people who only use their computers as Facebook and YouTube machines, and I haven't had a complaint. They also wouldn't be able to break their systems if they tried.
I'm of the opinion that if ChromeOS would fit a user's use case, then so would Ubuntu with Firefox or Chrome, most of the time.
Those same Linux systems would fit my needs as a developer with only a few small changes.
Security, simplicity, power and ownership don't have to be mutually exclusive. You can have a simple and secure computer, and also have power over your system and own your hardware.
Yeah, a modern Linux distro can satisfy the needs of a "regular" user just fine - an up to date web browser and maybe an email client and all is fine.
Yet at the same time it makes it possible for the user to "grow" and make use of more advanced features of the system for creative endeavors.
On the other hand on a locked down mobile device or chromebook, there is not really any room to grow and be creative, it's only good for consuming content.
Even a youtube machine can become a big deal if the walled garden prevents you from installing an ad blocker or third party client & forces you to watch mandatory ads to see any videos - that might very well happen (and happens) in walled gardens.
There's no question that software bugs are bad. But that doesn't mean we should expect consumers to ditch an entire manufacturer forever because it's physically possible for that manufacturer to have a software bug. Obviously, bugs are inevitable. I'm not making excuses. I'm just explaining why people wouldn't instantly abandon a manufacturer after experiencing a single serious software bug.
Without principles, your freedom will be (is being!) slowly chiseled away, pragmatically accepting each small step. By the time even pragmatism tells you to refuse, it'll be too late.
(As someone pointed out, this does more than just prevent apps from running - it also leaks which apps you use and how often. Someone could ask Apple exactly when you started Tor browser, for example)
The payoff for the very slight risk is an effective built-in malware prevention system that doesn’t treat me abusively and reacts in a timely manner to abusive circumstances.
After decades of production operations, I have no complaints about how this was handled, and I expect they’ll investigate and patch any defects exposed by the outage.
I went for a walk when this happened and when I got back it was fixed. Works for me.
Normally I'm of a similar opinion to yours...but in this case I'm not.
What happens if you're trading securities, or if you have an imminent deadline? Apple sells a fail-closed security feature, without investing the resources necessary to keep it as near to 100% serviceable as possible, and never really discusses it with the user. When it hangs, most users don't even know why.
WTF!
Seems like they could partner with Akamai (or one of its competitors) to make the server-side component of this feature more robust.
If they are going to sell the MBP as a premium professional product, then they must recognize that it will sometimes serve as the linchpin of users' mission-critical activities.
Take a billion dollars out of the stock buyback, invest it in the product instead, and make this problem go away.
Apple’s entire CDN collapsed on Big Sur launch day, which for years was and probably still is backed by Akamai. The OCSP endpoint was just one of many that was impacted. Seems like that’s exactly what you suggest they should have done to make this more robust. The endpoint failed for the first time in a decade this week. That’s better uptime than any stock exchange you’re trading securities on.
The tricky part with renting a computer is that you have to insure it against accidental damage by the renter, and that has to be “gig economy” or “business” compatible insurance, because you’re profiting from loaning it to others.
There’s also not exactly a huge market for rental computers when you consider that libraries offer them for free, and often with better Internet connections than those renting a computer could offer.
Renting computers is a lot easier if you host them in the cloud and deny physical access to your customers, though — they generally can’t do permanent damage, and there’s no issues with theft/loss. But this isn’t typically viewed as “renting” anymore, but instead something like “colocation” or whatever EC2 is.
There's software "EazyFlixPix" which shut down its authentication server - so everyone who purchased the app can no longer install it (unsure, but they might be also prevented from running it too).
That's a different mindset: ability to fix, right to repair. No way to comfortably run another OS on a MacBook; you have to use macOS. It is closed source, and users are at the mercy of the company. Think different.
Also, which is the bigger risk for most people: disruption to the cert verification, or malicious runtimes on their system?
(Hint: I have literally never seen an example of one of our bank's customers being unable to bank because of this. I have seen heaps and heaps of examples of endpoint compromises resulting in people having their accounts cleaned out.)
People chose to use Apple because it seems like a benevolent dictatorship.
And frankly, a benevolent dictatorship is basically the best government you can have, as long as you're part of the "in-group" who doesn't push boundaries, doesn't cause trouble, and supports the supreme ruler, Kim jon... *cough* Apple.
---
The problem is that no matter how good the dictatorship might be today, it will eventually bite you. You will either develop a need that isn't addressed, or they will change the rules so you are no longer able to satisfy an existing need.
We're seeing this now with Google - Their motto was literally "don't be evil" for a long time. And during that golden period their users loved them. But as Google has shifted from "don't be evil" to "Make lots of money" people are starting to shift away.
Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.
Speaking as an ex-Google user and an ex-Apple customer (still tied to Apple Music and iCloud for family phones), I'd compare Google to Russia - not particularly benevolent, a bit chaotic/random, citizens tend to shrug and accept their lot. Apple is more like Singapore, slick, seemingly benevolent, citizens honestly question why the rest of the world isn't run the same way.
EDIT: I'd add another way in which Google is like Russia and Apple like Singapore. Everyone kinda knows that Russia's leaders are a bit/a lot evil. There's still a debate about whether Singapore's leaders are evil.
I think it makes Linux some sort of United States: users like the principles, but almost all use one of the 50 major implementations, which tend to have small differences. When defending any perceived shortcoming, they will point to a different implementation without the particular flaw, or argue that the feature is not only unnecessary but undesirable.
Many outsiders are uncomfortable with the unwavering commitment these users have for the principles. Others often talk about moving to the USA, or how they plan to, but few make the effort to do so.
[The last paragraph convinced me the analogy was better with the USA than the EU.]
Linux is also like the United States in that you are in some sense free, but everything just barely works, sometimes things don't work at all, and there is no hope of many well-documented problems ever being fixed. If you have a problem, you are "free" to fix it yourself, on your own, without support.
Have you used Linux in the last few years? Seems like all standard use cases work seamlessly, such as web browsing, streaming, videos, text editing, creating artwork, presentations, installing any random Linux binary, programming, ...etc ; only problems I've run into are by doing something stupid or doing something really really off the wall.
And even when I've created a problem or chosen to do something way outside of standard usage, there has been a WEALTH of documentation, stack overflow discussions, and live Linux community support. I've never run into a problem that hasn't already been chewed over by the Linux community, solved, and the solution been posted in a clear, educational, and technically descriptive manner.
I've NEVER had that kind of support from Apple or Microsoft. From them, it's always some half baked, high level / middle management overview type of solution, usually outdated, that discusses why it's a problem, why fixing it is dependent on the system (their system, that I've paid for), and how I should contact my system administrator, who's going to go read through the same page, then spend the afternoon sipping Pepto and dreaming of having a more sane job. Using their OS's is like wading through mud.
I have — Linux was my daily driver for three years ending in 2018, and I tried to use it for everything from print design to video editing to software development. I was even using it on two different generations of the Dell XPS machines that officially support Linux. I still eventually gave up and went back to macOS. I want my tools to work, not to work on my tools.
I find Linux issues easier to debug than Windows or Mac issues, but that’s as a technical user. It would be frustrating as a newbie. I hear elementary is good for new users.
More like their state fixed a particular issue; some move a lot between states, some settled on their first place. Some live all their life in a hotel, some build their own houses.
It looks scary for outsiders: how to choose a state? Building your own house requires so much energy and time, why would anyone do this? Just rent an apartment, maybe change wallpapers and door, bring appliances. Yes, sometimes the owner moves switches, adds cameras, puts up advertisements, forbids all but his own groceries where he takes a 30% cut, but apart from that life is good.
Running Gentoo you learn a lot about how Linux works at a deep level. I'm glad I have that knowledge I gained running Gentoo and it's saved my bacon a few times over the years.
But after about the third time that upgrading my system made it unbootable because I had missed some crucial step buried in the changelog or release notes, I also developed a deep appreciation of all the things modern distros handle for you. I rarely fear a dist-upgrade the way I did an emerge world.
> Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.
The honeymoon is already over. A post like yours would have got several downvotes up to less than two years ago. I noticed that honest criticism of Apple is tolerated now, since at least about one year ago.
I actually agree with you (and as someone who's been complaining about Apple for a looong time, I have the posts with the downvotes to show you're probably right), but I don't think HN is representative of the general populace.
I also still consider Apple's PR game to be top notch. Which is why so many folks are talking about loving the Apple app store in the thread about the recent Epic case that also popped up today. Although I'll note it's interesting that originally those threads seemed about evenly divided on the topic, and currently the pro-Apple, pro-dictatorship voices seem to be getting mostly downvoted.
Regardless - I'd strongly recommend everyone out there to consider free and open software, on devices that you own (and you don't own a device if you don't have root access). Open source just keeps getting better - We happily re-implement the ideas and products generated by these companies, but we care about you - not the bottom line - because we are you.
I remember there was a bug on the App Store that caused some issue on certain games. I posted on the thread "Why not buy this game on Steam instead. It costs the same, doesn't have this issue, and you benefit from the game working on Windows/Mac/Linux at no extra charge. You also get proper trophy support, cross platform multiplayer etc."
I got a bunch of 'Why on earth would I do that. I love the app store and will only ever have Macs.'
Steam has its own set of issues where they control what you get to play, and when.
I feel like I've "bought" a ton of games through Steam, and now that my kids are a bit older, they want to play some of them. Unfortunately they can't play different games at the same time - even with Steam's family sharing. When one person plays a game, it locks the whole game library.
I think the difference between the Google and Apple dictatorships is the business model.
Google's customers are not the users, they are the advertisers who rely on the data harvested by Google. The incentive to be evil is directly baked into the business model, and most users end up tolerating it because it is "FREE", and often the only viable option.
Apple's customers are the users. If Apple rocks the boat too much, their users might not feel so good about paying the premium prices Apple demands for its products. Making users upset is a direct threat to their business model.
This doesn't mean, however, that Apple's incentives are aligned with the user's incentives. It's important to see that Apple's devices are also a sales channel for Apple. For example, an iPhone is essentially a vending machine for entertainment. And Apple will exert its power to use that sales channel (using the same techniques as advertising companies, like user tracking), whether the user likes it or not.
> Apple rocks the boat too much, their users might not feel so good about paying
Just today I heard a colleague say how tough it would be to move away from Apple because of their iCloud. Then you have all the apps and content (iOS and macOS) you already paid for.
The differences in business model between G, Apple (or other tech behemoths) are very superficial. Yes, to Google and Apple operations they are very different, but to a consumer: it's the same. Both try to become essential, all encompassing, locking you in and increasing the cost of switching. All brands try to do this. But it's much easier for me to pick a new brand of toothpaste after I'm done with the previous one than for me to move app ecosystems, especially when those app ecosystems are all locked down as all non-libre app ecosystems are.
You may "feel" like you're an Apple product because you think you can just buy less Apple products or not at all. That's until you consider the consequences of losing access to third-party content/products you purchase.
Making users upset is also a direct threat to Google's business model. It doesn't really matter whether you're paying them $20 directly, or whether you're generating $20 of ad revenue - either way, you're worth $20 to them.
Of course, you are quite right to point out that Google's business model does incentivize behavior that isn't what their users would want. But the same is true of Apple - their business model strongly incentivizes them to create lock-in to the platform. Whether this bothers you more or less than Google's need to mine your data is I guess a matter of personal preference.
I definitely think there's some truth to this, but there are more network connections involved here than a simple Seller->buyer relationship.
In my opinion, right now Apple is rocking the boat for 3rd party developers. Historically, that hasn't worked out that well for platforms, but we also don't have a ton of data to work with. It's conceivable that Apple becomes the "Company store" on Apple hardware, and their users only use Apple software.
But if that happens, I think they'll suffer more regulation and governmental interference (and rightfully so, imo).
> Making users upset is a direct threat to their business model
You can't really compare Google to Apple. You can switch to a different company if you don't like pixel phones and get almost the same experience. You can switch between manufacturers and use windows/Linux as well. The same isn't true about Mac os or iOS.
While you may think customers still have a choice, the reality is that they are locked in through their school, work or relationships (can't use iMessage to talk to your spouse?). Apple makes it difficult to use third-party hardware and software it competes with so you will buy more and more Apple over time. People are prone to sunk cost fallacy and consistency. It's sales manual 101. I really can't recommend reading a good sales manual enough.
> You can't really compare Google to Apple. You can switch to a different company if you don't like pixel phones and get almost the same experience. You can switch between manufacturers and use windows/Linux as well. The same isn't true about Mac os or iOS.
This doesn't really make much sense to me. Unless you are going with a niche privacy-oriented fork of AOSP, any non-iOS smartphone you move to will still be controlled by Google. And if you do move to one of those forks, you are essentially migrating to an entirely new ecosystem anyways. It's no easier to leave Google's Android ecosystem than it is to leave iOS or macOS.
There is not just iOS and Android - Sailfish OS has been a thing since 2013 and while unfortunately not fully open source, it's perfectly usable (and on my primary smartphone):
https://sailfishos.org/
Sure, not everything might work yet & PinePhone is not at the same level as the latest Android flagship phone (well, you can hardly expect that for $150) but there are multiple communities of people building new mobile operating systems, right now! Ones that are not controlled by a control freak (Apple) or spymaster dropping services left and right (Google).
You are a product for any private company, they are just different kinds of evil. It is in Apple's interests to limit users' freedom to run another OS on their hardware, to funnel applications through App Store.
Users en masse would not switch, not from Apple, not from Microsoft. Their price is not that high in dollars, it is high in freedom. And most users do not value that.
> "Don't be evil" is a phrase used in Google's corporate code of conduct, which it also formerly preceded as a motto.
> Following Google's corporate restructuring under the conglomerate Alphabet Inc. in October 2015, Alphabet took "Do the right thing" as its motto, also forming the opening of its corporate code of conduct.[1][2][3][4][5] The original motto was retained in Google's code of conduct, now a subsidiary of Alphabet. In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence.[6]
I know saying Google removed Don't Be Evil is something of a trope, but the truth is a little more complicated. And, of course, the presence or absence of this phrase has no necessary bearing on the degree to which they are perceived as evil or not!
Right, but it's funny how these things tend to correlate. For example, the US Department of War became the US Department of Defense in 1949, arguably around the time when its primary business switched from Defense to War.
"Hilariously", thirty years later, the company that would go on to put a camera in everyone's living room and pocket ran this commercial: https://vimeo.com/312710573
Think about Apple's policies regarding IAPs. You're not allowed to tell your customers in your app that they can do the purchases on your webserver etc.
The benevolent days of Apple ended when they removed the expansion slots from their computers, if not earlier.
In defense of Google, they really like having a lot of money.
Let P = "Don't be evil" and Q = "make lots of money".
Q was nothing new. They always wanted Q. But Google made a fundamental breakthrough in business logic, discovering that P -> ¬Q.
It should be noted that ¬P -> Q is not automatically implied. Plenty of companies are ¬P ∧ ¬Q. Perhaps they are not ¬P enough? Perhaps they are too much ¬P? But very few manage to be purely P ∧ Q.
Considered but not tuned. I've never noticed any delay launching or using software that doesn't require an internet connection while not being connected to the internet. (I definitely did notice slowdowns today - Zoom in particular which I tend to quit out of when I'm not using it because I don't trust it one bit but am compelled to use it for work)
Seems like Apple was accepting connections for the signature check but was unable to actually service the connections, leading to the timeout/failover.
I honestly like the idea of signature checks on software that give me some confidence that the code that is running is the code that it claimed to be when it was published/installed and has not been manipulated via some other vector.
Whether Apple is the appropriate steward of that system is certainly up for debate, but certainly other companies that run app stores have similar systems and similar risk. It certainly doesn't seem obvious to me what a secure, anonymous, performant and federated system to solve such a problem would actually look like.
This has been happening for a long time. Hardware and software that you can't control is becoming normalized. If they had done this 10 years ago with the same customers, those customers would be shocked or weirded out but right now, many of them will just wait it out or change their host.
Don't limit freedom at once. Do it one by one so the impact seems low.
What are the chances that any of the big tech companies take orders from a fascist to block all the harmful software in their country?
Non-zero. People in HK know this. I want to know how they felt about their choice to buy an iPhone at that moment.
Because we can't have nice things, Apple has to check that apps are signed with a current certificate for safety and security reasons. OCSP tells the client if the certificate has been revoked or not.
Try opening a non-https web page; you'll get a bunch of ominous warnings from all major browsers.
Browser certificates need to be OCSP signed for the browser to trust them. You can't even get a new cert if the issuer’s OCSP server goes down, which does happen on occasion.
There are so many dependencies to ensure we're not running malware infected apps that sometimes things break.
Let’s not get carried away; every major tech company has had some version of this happen at one time or another.
FWIW, I haven't experienced any issues with my iMac running Big Sur running Apple or 3rd party apps all day.
This used to be true, but neither Chrome nor Firefox actually check CRLs or OCSP that much. They'll accept OCSP-stapling, but that's about it.
This is a very serious concern for Enterprise PKI systems: revoking certificates is now virtually impossible. CRLs and OCSP do practically nothing.
Google especially has unilaterally decided that Enterprise PKI systems don't matter. They have established a new "standard" called Certificate Transparency, which they use to make CRLSets that they publish as Chrome updates.
Which is fine I suppose for public CAs, but utterly useless on internal-use private CAs on local networks, especially those with lots of BYOD or guest/partner systems. Think universities or hospitals.
Google has become a juggernaut with more control over computing in general (not even just the Internet!) than all of the world governments put together.
It's a shame you're being downvoted as you're right, CRLs and OCSP do practically nothing _for web browsers_.
OCSP is flawed because you can block the connection, meaning
1) Your browser has to accept it (thus an attacker feeding you the bad certificate can bypass OCSP)
2) Your browser blocks completely (thus DoSing all connections), and people use another browser
CRLs don't scale - you can't keep a cached list of every revoked cert globally.
However I pull down the CRLs for my internal CA every few hours onto my internal https sites, which rely on a client presenting a valid certificate to connect. If that doesn't get pulled down, I get a warning about it in the monitoring system. When a client with a client certificate connects, I check against my local cache of the CRL, and if it's been revoked, it can't connect.
What problem do you have on your private CA internal network that CRLs fix but browsers don't? Are you that concerned that your server certificates get compromised? You should be working to massively reduce the time those certificate are valid.
Firefox has historically checked OCSP by default everywhere but for Firefox mobile, where it was only checked for EV certs.
With the introduction of CRLite, the default is disabled, but those using Firefox with internal-use private CAs on local networks can re-enable it via preferences, which can also be controlled by enterprise policies and tooling.
This is all true; OCSP-stapling is the thing these days.
But these browsers won't trust a cert if it can't be found in a Certificate Transparency log. Yes, a cert should be in at least two of them but if there's a networking problem or infrastructure issue, you're SOL.
I have no problem with checking binaries when I launch them for security. I imagine many of the virus checking apps for windows probably call home with similar information. I doubt very much I’m leaky in any personal information.
What is frustrating is they didn’t handle this situation like they do if I’m offline - don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway. Would have solved this eventuality.
> don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway
How do you do that without defeating the security? Now a malicious attacker just has to wait for a moment when you aren't connected before launching their payload.
Well it already just lets you launch the app if you’re not connected to the internet so my answer would be “no different to the situation we have now”?
Also, my understanding is that it’s a hash of the binary being checked so if it failed the verification the first time when you were connected you would have received a warning and the OS would block that executable on your system or given a warning or something? Not sure tbh.
A program signature database, perhaps? We could even call it: antivirus! No, that’s a bad name...
In seriousness though, the problem with offline databases that are changed a lot is a problem antivirus programs always had: they need updating. You can’t have the “latest and greatest” protection if you don’t know about the newest threat. That’s probably what Apple is doing here: using a database on their end that they wouldn’t have to distribute to end users. It’s not the best way around it, but there isn’t really a “best” way.
I think it's an exaggeration to say that it's impossible to keep local AV databases up to date in a meaningful way.
Use compressed probabilistic data structures and ship minimal diffs to save bandwidth and storage; you can fall back to phoning home if there's a possibility of a collision with a known-bad hash. Apple's solved push messages at scale; it could piggyback an update mechanism on that, or use the techniques Dropbox uses to notify about file updates. It can do this at the OS level so there's no threat of a user process not being active to pull updates. And the check is already soft-failing (per the OP) so it won't break if the system is offline, so they're already not caring about threats that are so new, they were found while the computer was offline.
You need to solve a lot of timing diagrams and race conditions (and, if we're being snarky, maybe it's for the best that Apple isn't trying to do this!) but it should be doable.
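Added example (not part of the thread, and not Apple's implementation): a sketch of the scheme the comment above proposes, with a local Bloom filter of known-bad hashes, updates shipped as a list of newly set bits, and a network lookup only when the filter reports a possible hit. All names, sizes and sample hashes are constructed for illustration.

```python
"""Known-bad lookup kept on the device; the network is used only on a possible hit."""
import hashlib
from typing import Callable, Iterable, List, Tuple


def constructed_hash(label: str) -> bytes:
    """Stand-in for the hash of an executable (constructed sample data)."""
    return hashlib.sha256(label.encode()).digest()


class BloomFilter:
    """Add-only bit set: no false negatives, a tunable rate of false positives."""

    def __init__(self, size_bits: int = 8192, num_hashes: int = 5) -> None:
        self.size_bits = size_bits
        self.num_hashes = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item: bytes) -> List[int]:
        # Double hashing: derive all k bit positions from one SHA-256 digest.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # forced odd, so never zero
        return [(h1 + i * h2) % self.size_bits for i in range(self.num_hashes)]

    def _get(self, pos: int) -> bool:
        return bool(self.bits[pos >> 3] & (1 << (pos & 7)))

    def _set(self, pos: int) -> None:
        self.bits[pos >> 3] |= 1 << (pos & 7)

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self._set(pos)

    def might_contain(self, item: bytes) -> bool:
        return all(self._get(pos) for pos in self._positions(item))

    def delta_for(self, new_items: Iterable[bytes]) -> List[int]:
        """Publisher side: bit positions that adding new_items would newly set.
        The filter is add-only, so this short list is the whole update."""
        return sorted({p for item in new_items
                       for p in self._positions(item) if not self._get(p)})

    def apply_delta(self, positions: Iterable[int]) -> None:
        """Client side: apply a pushed update; no per-launch traffic is needed."""
        for pos in positions:
            if not 0 <= pos < self.size_bits:
                raise ValueError(f"bit position {pos} is outside the filter")
            self._set(pos)


def check_launch(binary_hash: bytes, local: BloomFilter,
                 online_lookup: Callable[[bytes], bool]) -> Tuple[str, bool]:
    """Return (verdict, network_attempted) for one launch.

    online_lookup(hash) is a hypothetical callable that returns True when the
    server confirms the hash is known-bad and raises OSError when unreachable.
    """
    if not local.might_contain(binary_hash):
        return "allow", False              # definite miss: nothing leaves the machine
    try:
        revoked = online_lookup(binary_hash)   # possible hit: confirm or rule out
    except OSError:
        return "unverified", True          # server unreachable: caller applies policy
    return ("block" if revoked else "allow"), True


if __name__ == "__main__":
    known_bad = [constructed_hash(f"bad-{i}") for i in range(3)]
    publisher, client = BloomFilter(), BloomFilter()
    update = publisher.delta_for(known_bad)    # what would be pushed to devices
    for h in known_bad:
        publisher.add(h)
    client.apply_delta(update)
    print("update size (bit positions):", len(update))
    for name in ("bad-0", "benign-editor"):
        h = constructed_hash(name)
        print(name, check_launch(h, client, lambda x: x in known_bad))
```

With this design the server only ever sees hashes that collide with the known-bad set, so ordinary launches produce no request to log.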
A local database with a hash of every possible non-official Apple app in it? Sounds like something maybe only storage manufacturers will like.
The thing is, this is not a new security problem/challenge. It essentially can not be properly solved if you don't have a tightly controlled environment. If it's a general purpose environment, where you can't fully control what ends up running on it, this particular approach to "security" is pretty much doomed, no matter how you address it.
No, a database with the hash of every program you ever started on that computer. The Apple server should be contacted when a program is installed/run for the first time. And of course, the system software should handle network problems more gracefully. If everything "works" when offline, network problems should quicker lead to the offline behavior. There should be one daemon process which handles the signature checking which changes its behavior once requests to the server are not answered.
Even when it works right, it’s transmitting the apps that you use, as well as your timestamped coarse geolocation (from client IP) to Apple, which logs all of it. It’s good for city-level location.
They know what times you're at home, and what apps you're using there. They know what times you're at work. They know what times you're tethered. They know when you travel, and to which cities. They know when you're on a friend's Wi-Fi, and they know which apps you open from that connection.
Apple is a partner in the US military’s PRISM spying program, so this log is available to US military intelligence at any time without a warrant.
Thanks to API changes in Big Sur, it’s impossible to use Little Snitch to block these system level connections, and they will also bypass any configured VPN. To control this, you’ll need to use external network hardware, like a travel router that you can operate a vpn/firewall on.
Big Sur is the only OS that will run on the new Apple Silicon macs, so it’ll be impossible to use the new machines without leaking your track log and app usage history in a way that is available to the FBI/CIA/et al whenever they want it.
Note also that Apple recently backdoored iMessage’s end-to-end encryption by defaulting the non e2e-encrypted iCloud Backup to on for all users: it backs up (to Apple) your device’s complete plaintext iMessage history, as well as your device’s iMessage keys, using Apple keys, each night when you plug it in. You should immediately stop using iMessage as a result of this, because even if you have disabled iCloud or iCloud Backup, your conversation partners likely have it enabled. iMessage is no longer meaningfully encrypted.
Apple’s marketing about privacy is lip service, not real.
I just ordered one, and let me tell you something - I didn't expect this to happen.
If I knew - I might still have ordered one, because I like ARM and battery life. But this reaffirms the observed trend of Apple becoming more of an owner of the machine that supposedly I own.
I'll attempt to shut it down (at least now, it still observes /etc/hosts) - but when I can no longer do that, I'll leave Apple forever, hopefully by then other hardware manufacturers have caught up in UX.
In short, the vast majority of users never need or want fine-grained control over their computers. In the HN community, we are mostly edge cases in terms of computer usage & functionality requirements.
I believe this is why there has never been any mass pushback against iOS/Android (even if Android is slightly better in this respect).
Further, neither iOS nor Android (and now OS X) have instituted huge restrictive changes all at once. Restrictions are gradual & creeping, basically moving the overton window of what is accepted.
Or just run BlueStacks, which is necessary to run Among Us (the popular game since lockdown), which isn’t signed because it’s an emulator. And it requires the “Control this mac” permission. Unsigned. There are many, many cases in which users are faced with unsigned apps.
I think it comes down to humans being creatures of habit and conservation of energy. I've seen people buy macs even after seeing all the flaws because it's what they're used to and don't want to exert energy learning a new OS and environment. Apple used to make great products and I think people still cling on to that thought, even though their quality has been degrading these past years. Something needs to be 10x better (or at least perceived that way) for people to switch and switching to a new OS for them is probably like a 1x improvement so not worth the time cost.
The alternative to a poor binary checking and cert revocation process isn't to get rid of binary signing and cert revocation.
I don't want that. I don't think it would serve Apple's customers to get rid of binary signing either.
Since there are no legal ramifications for security bugs that cause downtime, or for bugs that cause other functionality that goes down, I'm not sure why this particular bug would be any different. It's certainly not as bad as losing one's Google account permanently without recourse.
This issue is clearly a bug. It is an accidental denial of service attack on the client.
It will get fixed pretty easily: Apple will add some combination of a timeout and a request back-off to their client, to properly handle the situation of a server that is reachable but not sufficiently responsive.
Apple clearly does not mean to make their devices unresponsive if the server is offline, because pointing requests at localhost resolves the issue.
I disagree. It isn't a bug because it was explicitly designed to behave this way.
The solution won't be to fix a defect, but to change the design, which is completely flawed. They should have pushed revocations from the beginning rather than requiring every system on the planet to poll a service. What were they thinking? And that does make one wonder whether there weren't other reasons for this behaviour besides "security".
> I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down.
For the same reason every human frequently makes decisions with greater-than-zero risk: because we're either unaware of the risk, or because we believe the tradeoff is a good one, and the benefits are worth the risk-adjusted costs.
I don't like this behaviour at all, and find it frustrating at times (e.g. apps slow to launch when my internet connection drops out temporarily).
Having said that, it's not enough to get me to switch platforms. I'm able to work around the problem (using Little Snitch, see other replies), and there are a ton of factors that go into my decision of which hardware/OS to use, all of them involving tradeoffs. The only viable alternatives, Windows and Linux, have their downsides too. Some people prefer those over macs and that's fine; it's a choice people make based on their particular situation.
That's all nice and well, but what if some country decides that your country will still have Internet access, but a "degraded experience" to Apple's central infrastructure?
Still sounds to me like Apple rolled out a huge (logical) trojan horse, as a potential weapon in terms of nation state cyber warfare.
Probably not at all with that intention. But I doubt that any government willing to abuse this "opportunity" will give a fuck about that. Don't underestimate the power (and disruptive) effects of being able to practically disable a whole brand of popular computer hardware. Heck, even the ability to threaten with it (privately, through diplomatic channels) can (and probably should) be considered a serious weapon. So yeah .. "thank you" Apple.
From my experience during this outage, the ability for the computer to "open" may not actually mean much. While trying to fix what I assumed was a localized software issue I rebooted my machine. Typically this takes a minute or two. However during Apple's systems outage my rebooting took approximately an hour before my computer was in any way functional again.
In this case, any app would take five to ten minutes to open. While that technically means "it still opens", it effectively renders the computer unusable.
(And that's after I realized that they will eventually open. Originally I rebooted the machine before any app had had a chance to open.)
A lot of it is just people parroting the same old boring tropes. They couldn't believe Linux had gotten easier to use than Windows. I know this. I installed Windows a few days ago. I can't install Steam or Chromium without getting blocked by Windows. I have to download it from external sites while both of these are available in the software store on Ubuntu. It didn't nag me to log in, switched my browser to Edge after updates, forced me to read a marketing manual before starting the OS.
The search is useless. On Linux, it's so much better.
I had to download and run a bunch of scripts to get rid of the amount of data it was sending back home. I had to remove the bloat and ads it came with.
Give https://pop.system76.com/ a try if you don't believe that Linux is easier to use. Most people don't need to open the terminal anymore.
That's not really the same as not being able to run these apps, don't you think?
But besides this bad example, I agree with you. Windows has always been a black box, but as time goes by it's become a stupid black box. It feels so incredibly refreshing when I go back to Linux and I feel in control of the entire system. Almost like a physical sensation.
I used to be a MacOS user from System 7 to Sierra. I owned an iPhone from 2007 until a few months ago. I have completely switched away from Apple. It absolutely boggles my mind how popular Apple still is. Apple's quality is absolute garbage now, this latest incident is just a drop in the bucket.
I'm sure I'll get downvoted, but I just had to get this off my chest. Why people still buy Apple today, I positively can not comprehend.
The main design fuck-up is that instead of independent Personal Computers we have terminals connected to one huge server which violates the whole idea and meaning of Personal Computer and what the word "Personal" should mean.
The worst part of this is that Apple could have easily predicted this, that there would be demand to download the new OS, and put in place measures to prevent this from happening. I guess they just do not care.
All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.
Apple gave a detailed explanation. It was a server misconfiguration combined with a CDN issue which caused the OCSP certificate check to stop working, which caused Apple's system for ensuring certificates haven't been revoked to stop working:
“We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices,” clarified the company.
“Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures,” says Apple, further emphasizing, “These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs,” details Apple.
To your first paragraph, how many people globally do you think know that this is how it works?
Apple don't publicly go out of their way to tell you that this is how it works. You make a great point that the way it works is bad and I think everyone agrees with that. But it's the limited knowledge that the OS operates this way that keeps consumers purchasing their products.
I need XCode to build software for iOS and OSX, and there isn't to my knowledge any other feasible, performant and off-line capable way to do that beside running OSX on a Mac.
This is the only reason I had to move away from (arch) linux and it saddens me every day.
I think it is because a lot of people still believe and repeat old tropes which are demonstrably false these days. Despite having the worst keyboard, buying third party apps to have features which most of the other OS in the market provide as standard, more lock down of their OS every year, Apple fans continue to buy them. Apple's powerful marketing, which is full of weasel words, keeps them in their own bubble.
I buy em cause apple laptops just maintain their quality way longer than other laptops. All the other laptops I’ve had start losing all their charge within 30 mins after a year or two. My 5 year old MacBook still can go probably 2 or 3 hours on a full battery charge
You're missing the point. I don't care if Apple has the most reliable servers in the world. Phoning home the hashes of the binaries you run is an outright violation of user privacy.
I think the problem is that almost all the software you buy a mac for (or even things that mac users like) has this built in but calls to the developer's servers instead.
The amount of time you save by having a computer that "just works" 99%+ of the time is far greater than the occasional time lost by shit like this.
I'd love it if someone other than Apple made a competent PC that was as clean, reliable, and comparatively free of bullshit. Unfortunately Apple has a monopoly on cleanly designed computers.
This is almost as bad as relying on China for Personal Protective Equipment and quickly running out during the pandemic earlier this year.
Imagine if the USA actually comes under an attack. The Apple spaceship would be high on the list of targets. All of a sudden hospitals can't run their computers or communications. Disaster!
Referring to the USA, this might indeed be leaning towards fear mongering .. on the other hand, for any other country .. the "opportunity" to systemically disrupt Apple computers in that country might now be considered a (diplomatic) soft power (of the USA), from this day forward.
That is why a smart attacker would not make them go down, instead they'd degrade performance to such an extent that it'd cripple Apple-encumbered products.
If you haven't downloaded your data from Apple recently I suggest doing that. The amount of personal info they collect has exploded over the last couple years.
Their Services business is moving them into Google levels of data collection.
Is this the one-time signature checking that has been in place since Catalina, or is this something else? (And if so is there any information about it?)
Ok, but this doesn't answer the question. If this is the same behavior since Mojave, why aren't those users complaining about this outage on their Mojave and Catalina based system?
Presumably something changed, but so far I haven't heard an explanation that makes sense of it.
According to statcounter.com [1] there are over 4x as many Catalina users as there are Mojave users (62% vs 14% of MacOS users), so I think it's just that the people complaining about Catalina are louder.
Anecdotally, I'm using Mojave and experienced this issue, a person I was trying to have a Zoom call with was experiencing the same issue on their Mojave.
I think there are enough comments scattered across Hacker News to safely conclude that it affected Mojave too - although it's possible the timeout behaviour / error handling is different to Catalina.
Because Apple would not benefit from doing so, in fact could be hugely damaged doing so.
They don’t have any significant advertising business. They don’t need to collect any personally identifiable information. They’ve promoted their brand by putting their customers’ privacy first.
So why would you believe they would intentionally risk all of that here?
> They don’t have any significant advertising business. They don’t need to collect any personally identifiable information. They’ve promoted their brand by putting their customers’ privacy first.
Yes... now. Can you say that with certainty 10 years from now? 15? 20? Would you want an evil Apple 10 years from now having that? Or one that a 3-letter agency forced to collect it and they could never tell anyone because National Security Letter? Is that a bet you want to take? One you NEED to take? Is it truly unavoidable, sufficient to justify such a thing?
The best bulwark against overreach is to not create the capacity for it in the first place. Power will only ever do 1 thing, and that's amass more power.
You are assuming that Apple would have a say in the matter. The US is deteriorating socially and becoming much more authoritarian every day. It is not at all outlandish to believe the US could simply compel Apple to store this information and/or funnel it right to the NSA/FBI/Whoever. They could even be ordered to lie and say they are respecting our privacy and would never do such a thing.
Only if caught. You've claimed Linux does similar checks. Linux is not a company, it is a community. They don't need to collect PI, they don't play PR.
Why would a private company not utilize leverage? You have no source, you can't even turn off these checks without hacks. Privacy first is open source and audit. It is removing features people don't want.
For those not familiar with it, the fable is that the scorpion asks the frog to help it cross a river, it stings the frog, the frog asks why since they'll both drown, the scorpion says it's my nature to do so.
A corporation's nature is determined by their business model.
If you want to apply that fable to, say, Apple's relationship with independent repair shops, I'd 100% agree.
> They don’t have any significant advertising business.
This refutes that they're the scorpion in this relationship.
What if a 3 letter agency told them so? (Since apparently it is entirely impossible for people to even conceive that apple might be doing it for their own benefit)
Well it would be pretty good information to have to do analysis against.
You could easily see knowing how often an app is used on an OS to be useful business information if Apple wanted to create software to get into a trend before it gets too big.
Of course that doesn't require fine grained time data just daily would be more than good enough.
However you could also see the business use of knowing if two pieces of software are often used together or sequentially which could inform creating an all in one/integrated experience that would do well in a market. So you need that finer application timing.
Of course that doesn't require tying it to a particular user account, not even a device ID, just a sessionID that changes each time the device restarts would probably be granular enough.
However since we've got that other stuff in place per device wouldn't it be great to see if there's a correlation between people using an app on their Mac and using it or another App on their iPhone, iPad, or watch. What piece of data can we include to match up a user across all their devices? Maybe some kind of obfuscated or derived userID.
Of course you'd hope that other interests such as a commitment to privacy would rule out the use of such a dataset. If Apple did have such a dataset then you'd hope they'd be doing whatever processes (social, business, and technical) it can to obfuscate and separate how that dataset is tied to a specific user.
The only real argument against Apple not having it is the balance between the cost of creating/exploiting such a data set, the expected profit, and the legal and reputational costs of such behaviour.
I don't know they're not doing that, is the problem. They probably aren't, but as Bill Kristol offered recently, 99% sure isn't 100% sure, and the fact that I'm not 100% sure is a problem unto itself.
No. Apple has a history of being extremely careful with personal data, and almost always goes out of its way to make sure it never even collects anything personalized. Of course, those could all be lies, I suppose.
They cover ads in Apple News, the App Store Search ads and promotions, and there's the results of Siri search I suppose too. But all of these are internal Apple products and marketplaces. They are not running advertising auctions to any bidder on the basis of guaranteed user groups or targeting strategies.
If you are in fact suggesting that they sell ads beyond their internal marketplaces I'd consider that motivation to move away from them myself, and I converted away from OSS when I got bored fixing my workstation more than my work.
It's hilarious: most of the journalism I'm finding via DDG search is anti-Apple from the advertisers' perspective. All these bloggers and Forbes writers decrying the fact that Apple keep making it harder for third parties to exfiltrate user data. Outraged that Apple would use this data internally making the marketplace non-competitive to both "tiny ad networks" and "Apple's corporate rivals" alike.
This is bogus. It seriously strangles the capabilities of the rival giants to get hold of that trove of data, but the small ad networks, representing businesses with whom Apple has a formal supplier relationship (the Apple Developer Program) and no direct competition are really no worse off.
Shock and awe.
The big change that caused this flurry of self-serving smear? Making 3rd party advertising opt-in. Forgive me if I don't swoon with relief that they are now holding off on this user-empowering, privacy focussed change until next year: "to give advertisers and publisher more time to prepare" and come up with ways to subvert the new order.
Throughout this whole discussion users are talking about "ecosystems" and buying in to one or the other, and the effort of changing. The original issue in this thread was serious, reasonably short-lived, and an infrequent screw up (though that frequency is increasing if you ask me). The issue of Apple's ads is moot. They protect their right to be custodians of the user data they hold (or own, I'm still kind of unclear on that) and they continue to shore up the fences that keep the wolves at bay.
Point me to another major hardware/software/data vendor who shares those values.
There was a connection between the search bar for a while, if you typed in pants you'd get potential Amazon links. It was easy to turn off and disappeared a while later.
Linux operating systems don't spy on their users. This is false. Stop repeating misinformation.
The Ubuntu Amazon fiasco is, if anything, evidence of extreme resistance to this kind of thing. The Linux community rejected Canonical's opt-out ad partnership with Amazon collectively and almost unanimously. The program was relatively benign, but it went against ideals of both users and developers, and there have been no repeats.
I'm fairly sure Windows does upload at least some hashes if you have it enabled in Windows Defender (which it is by default). Don't expect Ubuntu does this though.
That said, "this has happened forever" is false too. These behaviors are relatively new and relatively under the radar. Many people don't know they exist to get upset about it.
I don't know about you, but hashes of the binaries I run don't exactly reveal any sensitive personal information about me. That said, obviously they should have much more graceful degradation in place for when something is wrong with the service.
The information reveals in exquisite detail what times of day I'm working, what times I'm slacking off, which days I work too.
And whether I'm taking a long or short lunch break, or lots of breaks. Whether I stay in bed until late, or work late at night. It's enough to predict whether I'm a "good" worker.
It also reveals whenever I travel, which coffee shops and libraries I frequent and what times of day. It also reveals what time I open any of several video conferencing apps.
And the sort of thing some HR would like to browse when assessing job candidates. They wouldn't need to ask "do you know X", they could just consult the Apple log of how often I run the relevant commands. Things like "we see you ran 'git' an average of 145 times per day last month, tell us more about that".
And whether I'm running tools I "shouldn't".
All that seems quite sensitive and personal to me.
> It's enough to predict whether I'm a "good" worker.
If your employer is willing to be that invasive, they already have a much easier route for getting that information: forcibly installing surveillance software on your work machine.
> It also reveals whenever I travel, which coffee shops and libraries I frequent and what times of day.
How...? How would the binaries you're running have anything remotely relevant to say about this?
> They wouldn't need to ask "do you know X", they could just consult the Apple log of how often I run the relevant commands. Things like "we see you ran 'git' an average of 145 times per day last month, tell us more about that".
That's a pretty contrived use-case for a pretty significant and unscrupulous bit of data-sharing. From a PR perspective Apple would never intentionally and publicly share this data. So assuming this data is even stored anywhere after the check is complete, and assuming any personal identification is kept with it, both of which are huge ifs, that leaves a couple of possibilities:
- Hackers gain access to the data
- Government subpoenas the data
- Extremely lucrative contracts, probably from advertising companies, are enough to motivate Apple to sell the data despite the risk of a massive PR scandal
I don't see any of those falling under your proposed scenario of random employers casually perusing the logs.
> If your employer is willing to be that invasive, they already have a much easier route for getting that information: forcibly installing surveillance software on your work machine.
The question was whether the information gathered is personal and sensitive.
The fact there is another way it could be gathered doesn't make the information less personal or sensitive.
> How...? How would the binaries you're running have anything remotely relevant to say about this?
Because your temporary IP address is part of the hash request, and that's usually enough to identify which major organisation's network you are on, not counting any geolocation.
Thus, coffee shop (which brand), library (government network), home or mobile, at least.
I expect the websites and services I'm using to have this when I'm using them. That's reasonable, I'm reaching out to them.
Apple itself is not a service I'm using constantly, so I don't expect it to be sent a minute-by-minute update of my movements whenever I'm doing work in a CLI, and happen to have wifi on.
(I don't use iCloud, btw. Perhaps people using iCloud expect activity to be streamed constantly.)
> From a PR perspective Apple would never intentionally and publicly share this data.
Again, the question was whether the information is personal and sensitive. That's a property of the information itself.
Not whether Apple intends to store it and share it.
> Because your temporary IP address is part of the hash request, and that's usually enough to identify which major organisation's network you are on, not counting any geolocation.
Okay. You realize that you literally have to turn off the network connection completely to prevent dozens of companies from getting this information every waking moment? Windows and even Ubuntu constantly send back basic telemetry, not to mention the many more less-trustworthy apps that are refreshing in the background, the websites you interact with (even with ads/tracking blocked, the site itself still knows your IP address and time of access!), and so on.
Maybe it's not the exact point I was making originally, but my point now is that this is a ridiculous thing to focus on in the grand scheme of privacy concerns. It might be the single least-privacy-significant network request that any of your devices ever makes. Personally, if that's the only cost, I'll take the tradeoff for the security benefits. But even if I didn't feel that way, it's not what I would be spending my energy worrying about.
> You realize that you literally have to turn off the network connection completely to prevent dozens of companies from getting this information every waking moment
I do. (A look at my comment history would show I know quite a bit about networking.)
Again, the question being addressed, or actually the assertion being challenged, was: "hashes of the binaries I run don't exactly reveal any sensitive personal information about me"
I replied to show that those hashes do reveal that information.
But I threw in that how the hashes are sent (revealing the IP constantly) also reveals sensitive and personal information.
You might think that's inevitable, maybe so trivial it doesn't merit a mention. But in fact it isn't. It's purely a consequence of a technical decision. There are many ways Apple could perform the hash check without revealing your ephemeral IP to Apple.
Still, you asked what I thought was "how does sending your hash to Apple reveal where you go?".
Since you asked, I answered.
But perhaps I misunderstood your question, and you were asking how does Apple having the hash reveal where you are, not the act of sending it to them.
Ironically, if Tor was already running, the check would run over Tor and not be traceable. But to start it in the first place it would be traceable. Damn.
In this case, isn't the hash of the binary consistent across all devices, so Apple can in fact derive exactly which binary you're running (assuming they have a large database of application binary and hashes)?
That's not even close to true. Apps that you have downloaded can reveal a massive amount of potentially personal information.
Think about someone having a dating app that would out them. Or a therapy app that they don't want people to know about. And that just scratches the surface.
This is Apple we are talking about, which has the strongest privacy commitment of any device maker, and no advertising business outside of the App Store. Linking IP addresses to app certificate requests provides them zero benefit and exposes them to substantial brand damage.
I'm not an Apple user so forgive my ignorance here.
1. Do you need an apple account to use the app store?
2. Do you need to provide personal information to use an apple account (I'm thinking at least enough to get a credit card working for app purchases/subscriptions)?
3. Is the data sent to this anti-malware service linked to your Apple account or an apple hardware id? (Has someone wiresharked the data to confirm/deny)
But regardless of 3, simply by using the App Store at all (similarly to any other App Store out there) you're already giving them more information than they get from these hashes (at least for the apps that come from the store). I know for a fact that they keep a record of which apps you've downloaded there, associated with your account, because they check for updates and let you re-download them. As does the Android store. As does the Windows store.
That's unrelated to my comment. I was simply responding to the astoundingly wrong claim that "My personal data involves what I do within those apps, not which ones they are."
Part of it is that, when we're talking about a traditional computer (contrasted with a phone), all of that stuff happens in the web browser these days. The average user's native binaries are mostly limited to said web browser, some work communication apps, maybe a notes app, maybe some dev tools or office tools or media tools depending on the person. Nothing remotely interesting to advertising companies. Maybe that will change with the new iOS app support, but I kind of doubt it.
And anyway, when we are talking about a phone, it would be literally impossible to run an app store without recording (and personally identifying!) that information. Maybe that's one more argument to allow third-party app stores, which I'm not against (though who knows if they're more trustworthy with that data?), but nevertheless.
My point is that in the grand scheme of privacy concerns, this is a very silly hill to die on. In the grand scheme of system reliability, on the other hand, it's totally legitimate to be upset that this effectively took down thousands of expensive workstations across the world for a few minutes.
So you're okay with it because at the moment you personally (or at least some vague idea of the "average user") don't have any "interesting" apps on your traditional computer? You should step back and understand why this is the wrong way to look at it.
Take a look at the macOS App Store medical section. Doing a quick scan of the top apps there is one app to help with some diabetes pump, one for a personal ECG machine, one that says it's a "mobile lactation consultant". Those can reveal a lot about a person that they might want to keep private. Searching "therapy" or "dating" also shows many results that people might want to keep private.
> My native binaries are mostly limited to said web browser, some work communication apps, dev tools, maybe a notes app. Nothing remotely interesting to advertising companies.
I don't think that's necessarily true. Meta data about your usage can be very revealing in itself. To use an analogy, if someone tracked every location you visited that'd be very invasive, regardless of whether they recorded any details about what you did at those locations.
It’s what apps you’ve got, exactly when and how often you use them, and where you are at those times via network info. Casual gay pickup app, last night in a coffee shop in the red light district, while your wife thought you were at the office working late for example.
I run Tor browser occasionally. That fact alone is sensitive personal information about me. It makes me stand out. Someday it might be held against me.
I already expect the ISP to detect my Tor traffic.
But I didn't expect Apple, of all companies, to have a detailed audit trail of every time I've ever opened it, to the nearest minute.
What about the hash of a password cracking binary or the hash of some sort of binary used for piracy or stripping DRM off of something? Or just in general the ability to profile users based on the apps they use seems completely trivial. I imagine it would not take a particularly brilliant data scientist to correlate people who use FTP programs or developer programs or whatever else with people who buy high value items from certain e-commerce sites, for example. Seems like a marketer’s dream if they could ever get access to that. And sure Apple wouldn’t do that, today, on purpose, but are you 100% certain that could never happen? And if there was some way to tie that illegal piracy app binary hash to you personally and the government came knocking with a subpoena, seems like something Apple might be forced to comply with. It’s a very slippery slope.
I think that for some users, the applications they run and the frequency they run them at would be enough to identify them across time and accounts. I could change my identifier, even my name, but at the end of the day, I've been using the same apps for at least a decade more or less.
OCSP is Online Certificate Status Protocol. The connection to ocsp.apple.com is checking the status of the certificate used to code sign the launching app.
I wrote an article about this a couple weeks ago because of the temporary revocation of HP's signing cert for printer drivers on the Mac:
I'm sorry if this was answered elsewhere, but can someone explain to me how this works when you don't have an internet connection? I assume you can still launch apps without an internet connection. So then, what stops bad actors from just either blocking the connection to OCSP or straight up turning off your connection entirely when running malware?
Through the very mechanism people are complaining about today.
If your machine is offline then it switches to a fail-open system and uses its cache to verify the binary and if it's not in the cache then it skips the check and allows it.
If your machine is online then it switches to a fail-closed system so that if you can't reach the servers because of something malicious then it blocks.
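A model of the trade-off discussed in this thread (the launch hang on a reachable-but-stalled responder, and the timeout plus back-off fix one commenter proposes), as an added example that is not part of any comment and is not Apple's code. The policy names, timings and certificate ids are constructed assumptions, and the responder is simulated so the block runs offline.

```python
from dataclasses import dataclass, field
from enum import Enum


class Responder(Enum):
    OK = "ok"                    # answers promptly
    UNREACHABLE = "unreachable"  # no route / refused: the request fails fast
    SLOW = "slow"                # accepts the connection, then stalls


# Constructed timings for the simulation (seconds); not measured values.
FAST_REPLY_S = 0.05
FAST_FAIL_S = 0.01
STALL_S = 300.0


@dataclass(frozen=True)
class Policy:
    name: str
    timeout_s: float      # client-side limit per request
    attempts: int         # requests tried per launch
    cooldown_s: float     # after a failed check, skip the network this long
    stale_cache_ok: bool  # may an expired cached "good" be used on failure?


# Behaviour reported in the thread: no effective client timeout, so a stalled
# responder holds up the launch for as long as the server keeps the socket open.
AS_REPORTED = Policy("as-reported", timeout_s=float("inf"), attempts=1,
                     cooldown_s=0.0, stale_cache_ok=False)
# The fix proposed in the thread: a timeout plus request back-off.
HARDENED = Policy("timeout+backoff", timeout_s=2.0, attempts=2,
                  cooldown_s=600.0, stale_cache_ok=True)


@dataclass
class Client:
    policy: Policy
    now: float = 0.0                           # simulated clock
    cache: dict = field(default_factory=dict)  # cert_id -> (status, expires_at)
    skip_network_until: float = 0.0

    def _request(self, responder, revoked):
        """Return (status or None, seconds spent) for one simulated request."""
        if responder is Responder.OK:
            return ("revoked" if revoked else "good"), FAST_REPLY_S
        if responder is Responder.UNREACHABLE:
            return None, FAST_FAIL_S
        return None, min(STALL_S, self.policy.timeout_s)

    def launch(self, cert_id, responder, revoked=False, cache_ttl_s=3600.0):
        """Decide whether an app signed by cert_id may start.

        Returns (allowed, seconds_waited, reason).
        """
        start = self.now
        cached = self.cache.get(cert_id)
        # A cached revocation always denies, whatever the network is doing.
        if cached and cached[0] == "revoked":
            return False, 0.0, "cached-revoked"
        if cached and cached[1] > self.now:
            return True, 0.0, "cached-good"

        status = None
        if self.now >= self.skip_network_until:
            for _ in range(self.policy.attempts):
                status, spent = self._request(responder, revoked)
                self.now += spent
                if status is not None:
                    break
            if status is None:
                # Back off: later launches do not queue behind a sick responder.
                self.skip_network_until = self.now + self.policy.cooldown_s
        waited = self.now - start

        if status is not None:
            self.cache[cert_id] = (status, self.now + cache_ttl_s)
            return status == "good", waited, "responder-" + status
        if cached and self.policy.stale_cache_ok:
            return True, waited, "stale-cache-good"
        # No verdict available: soft-fail so an outage cannot stop launches.
        return True, waited, "soft-fail"


if __name__ == "__main__":
    for policy in (AS_REPORTED, HARDENED):
        client = Client(policy)
        for state in (Responder.UNREACHABLE, Responder.SLOW, Responder.SLOW):
            print(policy.name, state.value, client.launch("dev-id-A", state))
```

Soft-fail keeps launches working but means anyone able to block or stall the responder also suppresses new revocations until the cache or another channel catches up, which is the trade-off the question above raises.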
They are disallowing custom kernel extensions and instead requiring apps like Little Snitch to use their system API. This means that Apple has total control of how these apps function and what they can see.
With the new Apple Silicon devices you can’t boot your own OSes anymore so the process of putting the desktop in a walled garden is complete.
But where is the issue though? While you won’t be able to “own” your MacBook Air there are so many alternatives available such that crowding-out computers with open Bootloaders seems implausible.
EDIT: Apparently there is a way to load your own os using bputil
> With the new Apple Silicon devices you can’t boot your own OSes anymore
I'm not sure this is confirmed. Though either way it's somewhat moot as Linux drivers for key Apple Silicon components (e.g. GPU, radios) are unlikely to be available any time soon.
My MacBook is basically unusable right now. This appears to be the reason. Is there any way to fix it without installing little snitch?
Edit: working as usual now, moments after I wrote this. But seriously Apple, how can you allow this to happen? Your services hanging should _never_ prevent my device from running things locally. This is seriously making me reconsider my next computer purchase.
System76 is pretty great and they have amazing customer support. Plus between ProtonDB / Lutris you can run pretty much anything you want that needed Windows before.
I use and love Linux, but come on man, that kind of statement does not help. Even with proton and friends, wine is not perfect. There will most likely be problems, and it's not a one to one transition. However, in my opinion, it is worth it, but there's no sense pretending there is no cost.
It's certainly not perfect, but it's good. If Windows-specific stuff is what's keeping someone from Linux, I'd encourage them to at least see if it works in Wine.
If you're willing to use Windows, honestly one of the better solutions today is to just run Windows 10 in a VM. It's even feasible to do this for video games with VFIO.
Given that they're using a MacBook they probably aren't using very much Windows specific software if any, so I don't know that Wine would be much of a factor.
Users should not put up with this kind of thing, no matter what OS. Forced updates, online startup checks...all unacceptable in my opinion.
Imagine no car or train in the region starting because of a server outage. People would riot on the streets. But for some reason in the IT world this kind of crap is marketed as a feature.
Do you know of a Wireshark filter that will reveal this on Ubuntu? What you're saying doesn't sound credible, but to incentivize, here's the bet:
If you can provide a Wireshark filter that will show a certificate check on a vanilla Ubuntu 20.04 system when the following commands are executed in a bash shell, then I will donate $25 to a charity of your choice. Commands follow:
Linux does provide application-level and per-application security, as well as sandboxes, but they exist to help the user and the user has complete control over them and their system.
The comment you are replying to states other OS' do not have this failure mode so your response is quite the non-sequitur, nevermind of questionable veracity (linux).
Enablers, that is what they are. If the EU manages to push that anti-encryption thing through, Apple will be the one forced to remove the App from your PC. 1984 is here already.
> Champions of privacy, phoning home a hash of every executable your computer runs!
What’s the matter with privacy? That’s a basic signature check, and you can do so while preserving privacy by using salted hashes or a similar solution.
There are two major somewhat misleading bits of buzz around macOS “phoning home” all of our executables.
1: among Windows, macOS and Linux only Linux distros don’t do such checks, and most of end-user Linux installations are arguably secure in spite of this—mostly because they are very rare and thus not a priority target for malware.
2: this only concerns files you launch. If you wrap your binary invocation in a shell script, that shell script’s hash will be sent, not your binary’s.
What does the author of the operating system phoning home have to do with Linux not being a target for malware? It seems like you're mixing up two different issues with this.
Phoning home in this case is done to check whether an app’s signed with a valid certificate. Not checking that opens user’s machine to attacks where malware successfully pretends to be an authentic trusted app, likely gaining access privileges (Keychain, etc.) granted to that app by the user previously.
Linux distros can arguably get away without these checks since their users are typically more aware of what they are launching, but importantly also because they are not as big a target due to smaller user bases.
Does it ensure the executable you downloaded and granted access to is still the same and was not modified afterwards?
Another reason is that if a cert (or a cert in the chain) is known to be compromised it can be revoked—would the mechanism used on Linux give some equivalent of that, or one has to rely on bug trackers or apply updates to ensure trusted signatures are up-to-date?
The binary you get from your upstream repositories are signed but they aren't verified after that. On macOS if you download vagrant and grant it the ability to read your project directory I can't overwrite or modify your binary without it tripping the system and losing those privileges.
I don’t understand how salted hashes would obfuscate the query. Private information retrieval is much more complicated than private password storage, and how do we know what the protocol is?
The title is slightly misleading. ALL Macs with a recent macOS (Catalina?) are freezing, since the security check that happens when you launch a binary is down. Even if you don't update to Big Sur.
Indeed, I was bouncing a session in Logic and even that crawled, activity monitor showed a blank screen when it finally opened and iterm2 was unresponsive. I thought the machine was under load but the fans weren't even on.
> How can launching apps be depending on a cloud service being available...
It's not, per se. The apps will launch if you block the specific subdomain, or turn off internet. The problem is if the computer thinks it can connect and keeps trying.
It’s a huge problem on Windows where Explorer.exe still blocks the UI thread while it checks SMB shares if it thinks it can connect to them, but it skips them if it knows the computer is disconnected from a network. So using a Windows computer on a very spotty WLAN is actually more painful than being disconnected due to all the timeouts and dropped packets. Office Outlook is another main offender. I have a Windows Firewall rule just for Outlook.exe when I know it’s going to lock-up a lot.
It's like no one at Apple has ever had sporadic internet access and they don't plan for it. The Apple Music app does the same thing, if you are connected to wifi but don't have internet access it takes 60 seconds for a song to start playing every time you click one. Because apparently that is a reasonable timeout for a UI action
But seriously, I have installed Ubuntu 20.04.1 LTS on my personal Lenovo ThinkPad P1 Gen 2, and work Dell Precision 5550, and it works fine in both cases. Stick with it for a month and macOS becomes old news. Also I think OEMs are wising up to "Linux = free" and charging for Windows on their laptops again, so you can also save some money on OS licensing going forwards.
It is strange how many people will sacrifice so much for free speech and the right to bear arms (like tolerating school shootings and foreign interference in elections), but offer them the "freedom OS" and they'll pick the slightly better trackpad.
Fuck yes I'll pick the slightly better trackpad. To a point anyway. Sitting for upwards of 8 hours a day typing code can be a depressing life trap to find yourself in. If every time I touched my trackpad I cringed because it feels like sandpaper, works like shit, and might not even have good first party driver support, only to be consoled by the thought that I could install Windows on it if I wanted to, I'd probably not be too satisfied.
I have an expensive chair, that I could only really get fixed by the company that made it. I could have a shitty chair that hurts my ass, messes with my posture, costs 1/12th the price, that I could sit in and re-assure myself that I'm free to get commodity parts anywhere I want, but I'd prefer not to do that unless I had no choice.
I think Razer would satisfy those 3 criteria. Razer is known for their line of high-end laptops with comparable design and arguably better specifications than the MacBook line. They are mainly marketed to gamers, but could easily double as development workstations. There's even a pretty well-maintained set of Razer hardware drivers for linux (https://openrazer.github.io/#project).
They also have the cloud connected peripherals bullshit. Probably best to avoid Razer, if you want your expensive xmas light to work as a mouse even when you happen to be offline.
After running Xubuntu and Fedora on a MacBook for several months, I don't recommend it; not all drivers are available and sleep functionality is finicky. Running Windows on a MacBook was even worse in terms of graphics card support. Running linux on a cheap thinkpad will perform better imo.
Alternatively, you can also run macOS on linux. I had luck with Docker-OSX.
Fair enough. I suppose that the experience depends heavily on the particular MacBook model and its age.
For example, I have used a 13 inch MacBook Air (Early 2015) for almost 4 years now exclusively with Linux and I have had a very good experience with it so far. WiFi, Bluetooth, webcam, touchpad, card reader and sleep all work well. Battery time is very similar to OS X. The configuration took some time but it is well documented on the Arch Linux wiki.
This model is now quite old and relatively many people use it with Linux. That is probably the reason why there are no major outstanding issues with it. When it was new, the situation might have been different.
Ok so let's say you actually want Apple to do this kind of security for you (I don't, but let's say).
Currently they do a synchronous check before you launch any binary.
Why don't they instead just log every binary signature and check them async on some regular schedule? Strict mode could be blocking the FIRST execution of a binary signature and after that you only recheck if that signature has been revoked on some regular interval.
There's absolutely no good reason why an app which I've run 100 times needs to phone home before running the 101st time.
This is how it worked. The point of the tweet and others' experience is that this is now happening for apps that have already been launched plenty of times before. This is why nothing other than Apple's programs would launch during the short time that the OCSP was down.
PSA to developers: Notarization alone won't be sufficient. You'll need to staple that notarization ticket as well so that your users' Macs don't need to go online to validate whether your app has been tampered with (among other things).
This isn't anything surprising. A handful of companies out there have been working hard for the past few years to kill the personal computer and turn it back into a dumb terminal that connects to a mainframe owned by them, and they've managed to do it. Nomenclature also matters - they've stopped calling them "computers", now they're just "devices".
Enjoy your $1500 dumb terminal. If you're still buying Apple products, then you're simply unforgivable.
We are slowly losing ownership (and in many cases we've already lost) of the tech that we think we own (mobile devices, laptops, gadgets, etc). And the thing is that it is hard to make people aware of this issue, especially elderly people. I have just helped an old lady with her own new laptop and I was completely shocked at the number of steps that we had to go through to get her Windows 10 working for her brand new Acer laptop (asked for PIN number, fingerprint, Microsoft account and don't know what else mumbo jumbo just to get it running). Proprietary software definitely is going in the wrong direction and people generally are ok with it. 15 or 20 years ago you got a CD and that was more than enough to get things running. Sometimes I think how lucky I am to be able to put a FreeBSD/OpenBSD/Linux in my computers and do whatever the f* I want with it and get rid of all the nonsense and bs that multi-billion companies are putting in front of us to consume.
I also noticed that the symptoms go away if you manually disable WIFI.
Who architected this solution? Imagine an OS that needs to ping a server every time you launch an application and if the server is down it renders your system useless.
The dev-community needs to push back on this issue and perhaps apple will re-think this solution
The tragedy here is that likely the retrospective on this at Apple internally will not be "why do we even need our customers MacBooks to send all this data to us", but "how can we keep on doing this without something similar happening again"
This is the reason I needed to switch to a Linux laptop. I cannot be beholden to Apple’s - or anyone’s - servers when it comes to running applications on my own machine.
Any recommendations? I’ve heard good things about System76.
System 76 makes a nice looking thin/light 14" laptop (Lemur pro).
Dell's XPS 13 line has Linux support (the Dev Edition comes with Ubuntu), I bought one of these and it's great. Only big problem was thermald/RAPL would keep the SOC at 15W after a very short 'boost' - updating to master fixed this problem... but Linux still requires 'tweaking'.
Another example: sleep on the XPS is not S3, but S2Idle - so it uses extra power when sleeping (A compromise so it wakes up faster). This can be fixed with some tweaking, if desired.
I've also heard good things about Lenovo laptops running Linux.
I'd check the archwiki (even if you don't want to run arch) for any laptop you're considering. There's good advice in the articles.
If I had to buy again, I'd look closer at what S76 offers. I really liked my old Chromebook Pixel 1 because of its open firmware (after I re-flashed) and excellent Linux support. I wish I had looked closer at S76, honestly.
I always wanted to have a Thinkpad but couldn't afford it - finally bought X1 Extreme Gen 2 and put Pop_OS! (System76's distribution built on top of Ubuntu) on it. Everything including fingerprint scanner works; I once had it hang when resuming from suspend but I mostly don't use sleep/suspend so wasn't too bothered. If you buy the laptop from System76, I would assume everything would basically just work since they are configuring everything.
System76 just rebadges Clevo laptops. You may as well just go directly to Clevo.
I use a Dell xps13 (several years old now) for work, and it's fine. I have no complaints except that the aging battery is not what it used to be (I'd normally be due for a replacement system this year, but we're limping along on old hardware due to the recession).
I can't understand how picky people seem to be about things like the MacBook touchpad. Since my last Apple computer purchase was well over a decade ago, maybe I just don't know what I'm missing, but the touchpad on the Dell seems to control my pointer well enough.
I started with Manjaro, and I would definitely recommend it. I tried to switch to Linux a few times before I arrived at Manjaro, and it was the perfect introduction. It's based on Arch, so you get the most up-to-date packages, but it has a graphical installer and is beginner-friendly. If you can't find something in the default repositories, it's probably in the AUR (user-maintained repositories). Plus, it's just really fun to use.
Linux runs perfectly fine on most laptops nowadays - pick whatever you like.
(it's still prudent to Google for compatibility before the purchase though, since sometimes peripherals (like the webcam) on new models can be problematic)
This is _FUD_. It emphatically does not perform similar checks by phoning home to a third party. The closest you will find are SELinux/AppArmor policies, which do not involve the network at all.
Sidebar topic, but something that is always in the back of my head. Cars are becoming evermore connected to the web. If something as simple as this can brick my Mac, then what will it be like in a vehicle? Will all cars simultaneously go haywire at the same time around the world? This of course assumes software or hardware safety overrides are not in place to overcome such a situation.
Most cars use separate buses for the critical control systems and the infotainment/GPS/etc. They learned that lesson after the infamous demonstration of hacking a Jeep on the highway several years ago.
It's conceivable that someone could push bad updates to Tesla autopilot software, or briefly stop peoples' radios from working, but quiet OTA systems like that are the exception rather than the rule.
I did experience a very strange slowdown earlier today, and other odd behavior - first, a massive slowdown and then on a reboot, the keyboard wasn't found. After some tinkering, it's all better now - though I don't know that the tinkering actually did anything.
> a massive slowdown and then on a reboot, the keyboard wasn't found.
That seems to happen on MacBook Pros when the computer boots or wakes from sleep with the WiFi turned on, but the WiFi router can't connect to the Internet for whatever reason.
That can be symptomatic of always-on VPN. My last employer had an always-on device VPN and it would cause this issue - my MBP would complain no keyboard was connected at times following a wake event, and then reconcile a few/five seconds later.
This is the future Apple wants I guess, you don't really own your hardware, you simply have a limited license to use it under their very strict terms. It's just a matter of time before Macs become just like iOS.
It might get worse: now that they're switching to their own SoCs, they might even block APIs and allow access only to certified parties.
Basically Final Cut Pro and Logic Pro might forever be faster than any 3rd party software package by having access to IP blocks that aren't exposed to other developers complete with signature check to prevent reverse-engineered use...
If they really tried that, wouldn't the DoJ bring an anti-trust case against them? That's exactly what Microsoft was doing in the 90s, using undocumented internal APIs for their own software that let it run faster than competitors'.
Well, unlike Microsoft in the 90s, Apple doesn't hold a monopoly in the PC space.
The current Oracle API-debacle also doesn't give me much hope that this would hold up in court. It's their hardware and by now they could even argue that Macs aren't general computing devices anymore. After all, what's the difference between the M1 and AMDs SoCs that power XBox and Playstation?
(I should be careful - I can always hear Apple's lawyers taking notes;)
I've been trying to sound the alarm over "Secure Boot" and the absolute torture it will be to run other operating systems on these ARM Macbooks but very few people seem to care. I guess as long as the display is shiny and the trackpad is big then we're all good.
I'm sad to see people buying things only because they look comfortable and nice. Here finally happens what was predicted a long time ago, and it shows why everyone should use free and open-source operating systems and applications.
I tried to attach the notarization to every Mac App Bundle in the past but with MacOS 11 this doesn't help either?
You should never, ever, install a MacOS update the moment it comes out. There is a high chance (> 30% from my experience) that something will be wrong with it. iOS too for that matter.
Wait for at least one week and check out other people's experiences first.
I ran the beta over the summer and it was awful. I loved the changes but it was just unstable as hell. And people kept saying it was the most stable yet, I don’t get it.
I’ve been running it as a daily driver since the first day of the developer betas and have found it to be vastly more stable than the previous version, with basically no issues before this.
I don’t know what to tell you, beyond the fact that all use cases are not the same, apparently.
This has nothing to do with a software update. I haven't updated anything and am still running into this. It's their online services that are the problem.
To elaborate on what others are saying, macOS has been doing this phone home for a while, it just looks like the server it phones home to started being _really slow_. So if you were offline, the software behaves fine, but if you're online, it blocks on getting a response.
Great example of how you should never block UX on network requests.
To save yourself the headaches and frustrations, wait for the bug fix releases and updates to come first before installing this very first new release.
It makes no sense to immediately update the system and then risk your computer being rendered unusable with such bugs and problems whilst having a deadline hanging over your head.
The software quality of Apple is embarrassing. They have the money to hire the best of the best, and to do tons of manual QA yet their OS releases are always riddled with errors. Why is software the red-headed step-child of Apple?
I always wonder about the after action in a situation like this. Obviously, it makes Apple look bad but it isn't like they are going to flog the responsible team (and I mean responsible in the sense that various teams are in charge of the components of the overall system: the os service that issues the request, the website responding to the request, etc.)
I'm sure some devops folks were getting screamed at while running around with their hair on fire, but what's the cause and response. Hopefully they'll issue a public after action report that isn't jammed with marketing talk like "we were unfortunately caught by surprise and due to the unprecedented massive interest in the latest macOS with its great features for users and developers, blah blah".
How is this not congruent with strong privacy protections? Your iPhone knows everywhere you’ve been, but when it sends that info to Apple it doesn’t include any personally identifiable information.
Maps does for sure, it’s how they build traffic measures. They need to know how many (relatively) are using specific routes, but have no need to know who.
Another case is WiFi mapping. Your phone helps build a database of WiFi network locations to improve your location accuracy, again they don’t need your personal identity to build that.
iPhone doesn’t need to do this as long as the system integrity is there because you can only install signed apps from them anyway so they already know what you’re running.
After AMD released their Zen 2 lineup and the prospect of considerably faster compile times became attainable, I re-evaluated my relationship with MacOS.
I bought a new AMD PC and initially hackntoshed it. This actually worked out great but after some time I decided to jump over and see if I could live with WSL under Windows.
Windows is not as nice as MacOS, but WSL1 (tried WSL2 for a few months but still prefer WSL1) has allowed me take advantage of affordable high performance hardware and maintain support for the software I use daily.
I may buy a low powered MacBook laptop in future (because there are no Windows laptops with a trackpad that compares) but I don't think I will ever use it as a primary desktop environment again.
It's even worse, after Apple's service recovered I was left with what seemed to be a corrupted installer/updater that kept throwing "An error occurred while installing the selected updates" when I clicked on the upgrade now. I had to boot in recovery mode, run "csrutil disable" so I can delete the update directory from Library/Updates.
This makes me wonder, I guess in the event of war the data centers of Google/Apple/Microsoft/Facebook must be at the top of the list. I wonder how close any of them are to being pwned. I can only hope those companies are at the top of their game when it comes to this stuff though accidents like this don't give much confidence.
I wonder if there are startups attempting to challenge the Mac dominance? Good trackpad, good battery, good screen, with (some) Linux supported out of the box, and no wonky configuration seems to be the problem to solve
Mac dominates nothing, the great majority of PC out there are running Windows. If you are talking about hardware then DELL, Lenovo, Asus and co all have excellent high end computers. Becoming slave to Apple is 100% a choice.
Seems you've been locked in. I never bought Apple in my life, a snap decision when I saw I had to pay to try developing for their system 10 years ago (developer's license). I remain pretty satisfied with this decision.
They need to find another way, because this is just pure crud. So today, everyone gets to experience what a person with a poor internet connection deals with when using a Macintosh.
So the block works for now, but what happens when
a) macOS is changed such that Little Snitch doesn't work anymore, whether it is because the architecture changes in some critical way, or Little Snitch itself is blocked by trustd?
b) failure of trustd to succeed in its call home becomes a hard failure that blocks execution?
I can kinda see a noble intention behind this: protect system integrity by making sure no "known evil" application runs, like say a ransomware. But I have two problems with it.
First, it seems to assume that the call-home server will always be available, which seems a bad assumption from an engineering standpoint. Even the mighty and holy Apple can suffer outages, for a myriad of possible reasons. Be it a fat-fingering of some parameter during an approved maintenance window, the criticality of which was heretofore unappreciated, a cascade of on-their-own-innocuous failures transforming into a deadlocked hard-down situation, or the fact that the North-American Fiber-Seeking Backhoe is not and never will be an endangered species, the result is ultimately the same: the mother-may-I server is not available.
The second reason, giving Apple further capability of evil shenanigans is already well covered by other comments here.
I wonder if this explains why I was unable to print something for several minutes around the time this tweet was published? The printer manager refused to open each time I tried to print. Frankly, that's unacceptable.
I have preferred Apple/MacOS since 2007. However, my 2019 MBA suffered the infamous shaky keypress issue, randomly inserting an extra space when I typed. After 6 trips to the Apple store to fix under warranty I told myself it is my last Apple product.
I wanted the MBA for the portable form factor. Now I work from home and portability is no longer a consideration. I will most likely ditch this device in favor of a linux system.
This reminds me of the recent news about Let's Encrypt expiring one of their root certificates and warning that old Android systems may not be able to validate SSL if they were not updated. We have increasingly moved our world into an interconnected web of trusts and taken out failsafes and overrides, so we are very much entering an age of brittle systems --- one in which the vulnerability of one key subsystem (Google, Facebook, Apple, a key SSL validation cert etc) can escalate towards disabling the entire world, when you cannot get your TV to turn on, car to start, power grid to switch on. What are we doing to prevent that?
Is MacOS sending these hashes to check whether they are revoked? That sounds like an insane excuse. Are there really so many revoked hashes that it is not feasible to mirror the database to every device for offline querying?
That shortens the delay. Others here found adding ocsp.apple.com to /etc/hosts using a private address also helps. Whichever is easiest for you. To remove:
Unacceptable ecosystem, for both 3rd party app devs and users. What I guess we won't see - but need - is an apology from apple and a commitment to quickly fixing this bug.
This mechanism is also what recently broke all HP printer drivers on macOS.
HP accidentally revoked their certificate, and since macOS automatically checks it before loading code, printing and scanning with my HP printer no longer works.
My mom called me with the same issue. She didn't do anything, but all of a sudden her printer stopped working.
There is no way I know of to override the accidental revocation.
Installing updates from Apple and HP didn't help.
Online certificate revocation is a really bad idea for desktop software.
I've never heard of any software developer I know doing this, even the ones with deeper or more obscure knowledge, but do you have any interesting resources to point to?
So this is what was happening to my MBP a couple hours ago? Right before a meeting my Mac started glitching out - extremely slow to do anything and spinning beach ball. Launching any app would take literal minutes. Spent the next hour rebooting & diagnosing. Then it suddenly went back to normal. That's great.
One of the «romantic» aspects of buying an Apple back in the day was that people that «knew» were buying them. Musicians, designers, programmers had to have one. It was stable and just empowered you to do your job. I wonder if Apple has underestimated how important it is to have the «tech» guys on their side
We are no longer the "target" audience. I will use Catalina with Little Snitch until it's possible. In 3-4 years time someone will finally realise that Linux is the future of professional work and will make Photoshop/Illustrator clone with quality performance. Resolve is working reasonably well under Linux, Blender works, the only Apple thing I cannot remove is Logic.
So all Russia/China would need to drive Apple into bankruptcy is to DDoS Apple's servers and brick their laptops worldwide? This must be hilarious. Imagine the meeting at Apple HQ when they took that decision, probably that KGB agent must be very proud to make Apple shoot themselves :)
OSs have been doing something similar for a while. Even since the 90s I remember Windows NT checking SSL Cert revocation lists every time you right-clicked. When you disable that option, right click goes from 400ms to 5ms response time.
Synchronous remote calls should not exist in the OS like this
Most people trade their freedom for more convenience, but we don't think how we put all our eggs in one basket that we don't control at all. All Apple users are at the mercy of a megacorp. Better don't offend someone online, your Mac may be cancelled...
I hate when my keyboard hangs because I'm connected but DNS isn't working. Like I need internet for my keyboard. So so frustrating, has me seriously considering bailing to some nix flavor if this shit continues.
I don't know if the slow downloads of Big Sur are related, but the underlying problem is that ocsp.apple.com[1] is fubar, and certificate revocation lookups are failing.
EDIT: This might indeed be Big Sur-release-day related. Most certificate revocation failures are "soft", but with ocsp.apple.com black-holed in /etc/hosts I can't resume downloading the update.
You could absolutely use a simple certificate revocation list instead of OCSP. I don't know how large that would be, though. It could run into problems if there was a heartbleed like issue that required revoking many certs.
All the extra connections are enough of an issue that there's OCSP stapling, where a web server attaches a copy of the OCSP check to the response.
Seems like it'd be possible to inject a file into Cool.app/Contents/ocsp.staple in a downloaded .dmg.
That could be considered valid for a few days so that, for the common case of "download app and try it out", there's no need to phone home.
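Added example, not part of any comment in this thread and not Apple's implementation: a sketch of the launch policy proposed in the comments above (query the responder synchronously only the first time a signing certificate is seen, reuse a cached or stapled answer for a few days, recheck in the background). All names (`LaunchGate`, `FakeResponder`, the `cert-…` ids, the three-day lifetime) are assumptions made up for the illustration.

```python
import time
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class ResponderUnavailable(Exception):
    """The revocation responder timed out or could not be reached."""


@dataclass
class CacheEntry:
    status: Status
    valid_until: float  # plays the role of an OCSP response's nextUpdate


class LaunchGate:
    """Decides whether a signed app may start without blocking on the network."""

    def __init__(self, responder, clock=time.time, ttl=3 * 86400, strict=False):
        self.responder = responder  # callable(cert_id) -> Status, with its own short timeout
        self.clock = clock
        self.ttl = ttl              # assumed lifetime of an answer: "a few days"
        self.strict = strict        # strict mode: block a never-seen cert if unverifiable
        self.cache = {}
        self.recheck = set()        # cert ids to refresh off the launch path

    def _store(self, cert_id, status):
        self.cache[cert_id] = CacheEntry(status, self.clock() + self.ttl)

    def seed_from_staple(self, cert_id, status, valid_until):
        """Preload a response shipped with the app. A real implementation must
        first verify the responder's signature on it; that step is omitted."""
        if valid_until <= self.clock():
            return False  # expired staple: ignore it
        self.cache[cert_id] = CacheEntry(status, valid_until)
        return True

    def may_launch(self, cert_id):
        """Return (allowed, reason). The network is touched on first sight only."""
        entry = self.cache.get(cert_id)
        if entry is not None:
            stale = entry.valid_until <= self.clock()
            if stale:
                self.recheck.add(cert_id)  # refresh later, do not block now
            if entry.status is Status.REVOKED:
                return False, "cached: revoked"
            reason = "cached: good, recheck queued" if stale else "cached: good"
            return True, reason
        try:
            status = self.responder(cert_id)
        except ResponderUnavailable:
            self.recheck.add(cert_id)
            if self.strict:
                return False, "unknown cert, responder unreachable (fail-closed)"
            return True, "unknown cert, responder unreachable (fail-open)"
        self._store(cert_id, status)
        return status is Status.GOOD, f"checked online: {status.value}"

    def run_background_rechecks(self):
        """Run from a timer or worker, never from the launch path."""
        for cert_id in sorted(self.recheck):
            try:
                status = self.responder(cert_id)
            except ResponderUnavailable:
                continue  # keep it queued and try again on the next pass
            self._store(cert_id, status)
            self.recheck.discard(cert_id)


class FakeResponder:
    """Constructed stand-in for a revocation responder; no real network I/O."""

    def __init__(self, revoked=()):
        self.revoked, self.up, self.calls = set(revoked), True, 0

    def __call__(self, cert_id):
        self.calls += 1
        if not self.up:
            raise ResponderUnavailable(cert_id)
        return Status.REVOKED if cert_id in self.revoked else Status.GOOD


def demo():
    """Constructed scenario: first launch, outage, stale cache, late revocation."""
    now = [1_000_000.0]
    responder = FakeResponder()
    gate = LaunchGate(responder, clock=lambda: now[0])
    out = [gate.may_launch("cert-editor")]      # first sight, online: one query
    responder.up = False                        # responder outage begins
    out.append(gate.may_launch("cert-editor"))  # fresh cache: no network at all
    now[0] += 4 * 86400                         # cached answer is now stale
    out.append(gate.may_launch("cert-editor"))  # still launches, recheck queued
    out.append(gate.may_launch("cert-new"))     # never seen: fail-open by default
    responder.up = True
    responder.revoked.add("cert-editor")        # certificate revoked meanwhile
    gate.run_background_rechecks()
    out.append(gate.may_launch("cert-editor"))  # revocation now enforced
    return out, responder.calls
```

The trade-off is visible in the scenario: a revocation takes effect only after the next background pass, in exchange for an outage never stalling an app that has already been verified.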
This demonstrates the limits of Apple's campaign towards vertical integration of their services. Once they make a simple mistake on their part, you are at the mercy of Apple to make it right again.
Is it possible that we (the internet) don't understand this properly because by this logic, the apps shouldn't run when there is no internet connection. I don't believe that is the case.
It's funny how many apps have this problem, you don't realize until you're on a spotty connection. Often disabling/cycling the wifi/network fixes an app freeze.
A "manual" test case I've seen before actually involved trying various things in the software while literally walking into an elevator and having all network connectivity suddenly cut out (no WiFi and no cell radio), in order to simulate what so many people do (or at least did anyway, pre-COVID) regularly throughout the day. I suppose this is also a bit different than just toggling connectivity on the device, since for some time the app and OS both still think the connection is intact when it's already physically gone, so it may even be useful to help expose other issues this way.
One of the things that's easy to take for granted these days when working on desktop or server software is a mostly stable network connection, but on mobile this goes completely out the window, or down the elevator shaft as the case may be. :)
For one bit of software I'm writing expected to be 'network robust', there is actually a test case that, in any network state, from any screen in the app, any button can be clicked, and the resulting screen must be the same as if there were network connectivity, within 100ms.
The 'network states' are online, offline, all packets dropped, and various simulated network connections.
This is achieved by preloading the next click everywhere.
Remember how everyone was so insistent on certificates everywhere? We must have them, no matter what you think, no matter how trivial the transmission of information.
We were in the final steps of a really major demo and my laptop shit a brick, I kid you not, I ate about 50 pistachios while rebooting and killing mds_stores, thinking Spotlight was losing its mind.
I have been seeing a warning message for some time about something that won't work in next upgrade, I could never find whatever it was, maybe something I gave unnecessary pensions too long back, so I upgraded yesterday and so far all is running very smoothly, and most of what I use is open source and mostly free, and haven't found anything that doesn't work yet. My Windows emulator I use for work stuff may have issues, but it's been dysfunctional for a while, I just refuse to get Parallels again.
Eeks, this should be communicated better, though to be fair, IF there was any malware with a tampered signature, you wouldn’t want it to run just because your network was unplugged.
How would you prevent something like [0]?
I think all the game consoles regularly verify downloaded games too.
This widespread outrage is proof that only few knew of this. Why is it that such a single point of failure and such a vector for unexpected data disclosure goes unnoticed for so long?
Is there any official or even unofficial Apple information that can confirm all the explanations here correct and this was intended behavior? Or explain their position on it?
I'll go a step further: what if someone decides, "Hey, I'll shut that website up by influencing someone to revoke their certificate."
Remember everyone's eagerness to eliminate bare, unencrypted HTTP? How self-signed certs are "sketchy?"
Has this been yet another way to pull the plug on certain parties? Could someone get Cloudflared by a maintainer of certs somewhere along the chain revoking a site's cert because they woke up in a bad mood?
There are some workarounds in this thread but in reality you don't know how and when Apple may choose to automatically re-enable it without your consent.
* You should probably just smack your Mac with a rock just to be sure ;)
Pathetic. Apps don't need to have internet connection until they actually do.
I bought the new mac, but I'm planning to dwell in the terminal and browser. My exposure to Apple's closed garden is very limited but I dread the day when it's forced upon me. Then I would need to switch hardware despite Apple's form factor being my ideal type (light and battery life+++).
Initially I noticed this behaviour on my work laptop (where I've joined recently); where I was able to get the app working as soon as I used to switch my location to Home (non-VPN/Proxy). I thought it has something to do with work configuration.
For past few days I'm also experiencing the similar behaviour on my personal laptop.
You can login to a chromebook (unless it's a first time setup) even if it's offline. Login stuff seems to be handled locally. Eg: if you update your Google password, you need to log in to your chromebook with your old password one more time and re-sync.
I do have a Chromebook in front of me and I can certainly login without any network connection.
Contrary to popular belief, ChromeOS devs do know that people might want to use Chromebooks on airplane or train trips without network. Google Docs / Sheets / Slides work on a cached copy and sync when online again.
All of my personal Macs became unusable about an hour ago. Fan would kick up, CPU gets loaded, and every operation comes to a crawl. Thankfully it seems a PRAM and SMC reset solved the issue. Wondering if what's going on here is related. It would be quite the coincidence if not.
About 4 hours ago my Mac crawled to a stop. I rebooted, but it remained incredibly sluggish, uncharacteristically so. This definitely was not normal operation (and I use this many hours daily). Then about 1/2 hour later, it began to operate normally again.
I'm curious if this falls under the "Check this box to send metrics to Apple to help us make things better" checkbox you get when you first login to your Mac after a reinstall.
Anyways I don't understand why this process would not be completely asynchronous.
I just excitedly told my wife about this issue, because it's a big deal, I didn't know about it, and she was complaining her MacBook Pro was very slow today. Her response ‘oh wow, so is it fixed now?’ That's the difference between HN and the real world.
Maybe apps should be signed and issued certs by neutral authorities like SSL certs are issued (like Let's Encrypt).. Maybe also issue bulk cert updates with OS updates or virus scan updates like browser updates bring SSL root cert updates..
I followed OP's advice and blocked trustd from connecting to these servers. I noticed that there's also a process named ocspd that's whitelisted by default in Little Snitch. Can someone explain how these things are related?
This is outrageous. Can we sue Apple for damages? What if you were about to do something literally life critical? I pretty quickly debugged the issue but man and added a host line but this is absolutely horrible. I have no words for it.
With things like this, Docker not running on Apple silicon (because it doesn’t support virtualisation) etc., there surely should be a market for developer laptops running Linux but with an OS that gets out of the way most of the time.
It's outrageous that Apple designed their system this way. (And it's curious why they seem to have so many fans on Hacker News that will defend this type of design.)
Your Mac hardware is a brick if Apple's servers aren't running!
I was on a Zoom call a few minutes ago and my machine was struggling with responsiveness, which I haven’t seen happen - and there’s been a lot of Zoom usage this year. I assumed it was Zoom related but this makes more sense.
Always wondered why it checks for cert revocation when starting an app instead of periodically checking in the background. Hm, that might require some sort of central cert database or something? Just spitballing here.
It's completely unrelated to M1 and also affecting Mojave and Catalina, apparently. It's a security signature check service problem. Some might argue that it should be easy to disable security signature checks, system wide (which is what the provided instructions achieve). Many more would probably argue that disabling these checks would be bad for security, especially for the average user.
I'm curious what security researchers think of this. Further evidence that security is a doomed endeavor, since it's necessarily at odds with convenience?
I know it's unrelated. I have a Mac and was unable to do any work for around an hour, had no idea why. Windows has smart screen, but if the service is unreachable you get a popup. This is just completely unacceptable, if it's possible that a server issue could cause all apps to fail locally, there should at least be a popup explaining that's why nothing is working. I'm fed up with far more than just this. I'm saying any temptation I had for an M1 Mac is now gone.
macOS Software Update - Resolved Issue
Today, 10:00 AM - 5:15 PM
Some users were affected
Users may not have been able to download macOS Software Updates on Mac computers.
This is a bug. The intent is that if the malware check takes too long the system fails "open" and allows the launch. That obviously didn't work correctly in this case.
Can't wait until they port the Facebook SDK and we can have these "stuff doesn't work because a computer 3000 kms away is wrong" moments on the desktop.
Apple never gonna change right? Seems like we will see iPhone style thing in future where we only can download app from their store. Switching to Linux right now :/
My MBA is not responsive with my USB-mouse, but is with the touchpad. Like, just hovering over items is smooth with the touchpad, but lags with the mouse.
Apple has been deciding what and how you are allowed to run apps in your phone for almost a decade now. It's bad and all, but no one can say this is a surprise.
Huh, this was the reason why my laptop was freezing every time. I thought it was the fact that my laptop got too old and so I wiped my laptop and installed Arch.
This seems like a case of Apple engineers only testing these features on Apple networks and such, where obviously the pings are very fast and unlikely to fail.
I was deeply considering one of the new M1 MacBooks last night, but held off on completing the order.
Now today, I can't use my computer for nearly an hour. And my daughter as well during school time... all because a remote server can't respond. I just do not find that acceptable for a computer I own to simply stop working because of remote non-response.
I am now deeply considering not getting a new m1 machine.
Asking for a friend, what's the experience installing Linux onto a 2018 MacBook? Last I heard it was nothing short of torture, but I'm hoping the situation has gotten better as time goes by.
The computer is completely unresponsive as the OS is blocking all apps from starting. The best part was that the "keyboard" was not found.. in my macbook.
Had that too. Apparently it checks keyboard firmware? Always-on VPN connections can cause that same issue too. Wake up, can't type. OS eventually prompts you to connect a BT keyboard as none is detected, then that goes away.
Probably best to read this to understand better what happened. TLDR The problem was due to a hung network connection. So the notarisation check thought it could go because it had network but then it hung because the connection to OCSP was getting stalled. Hence why turning off network made the problem go away. I experienced a weird slowdown for about 20mins, then everything went back to normal.
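The stall described in the comment above, and the fail-open intent mentioned earlier in the thread, as an added example that is not part of the thread and not Apple's code: a constructed local responder that accepts the connection but never answers, queried by a client whose single deadline covers both connect and read. The `status?` query, the `good`/`revoked` replies and all function names are assumptions for illustration, not the OCSP wire format.

```python
import socket
import threading
import time

def start_responder(reply):
    """Constructed local stand-in for a revocation responder.
    reply=None accepts the TCP connection and then never answers (the stall)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep stalled connections referenced so they stay open

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            if reply is None:
                held.append(conn)
            else:
                conn.recv(64)        # read the query before answering
                conn.sendall(reply)
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """A local port with no listener: connection refused, like being offline."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def check(port, deadline_s=0.5):
    """Return (verdict, allow_launch, seconds) under one overall deadline."""
    start = time.monotonic()
    verdict = "unknown"
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=deadline_s) as s:
            s.sendall(b"status?\n")  # placeholder query, not real OCSP
            s.settimeout(max(0.01, deadline_s - (time.monotonic() - start)))
            verdict = s.recv(16).decode().strip() or "unknown"
    except OSError:  # refused, unreachable, or timed out
        pass
    # Fail open: only an explicit "revoked" answer blocks the launch.
    return verdict, verdict != "revoked", time.monotonic() - start
```

A refused connection returns at once, while the stalled responder costs the whole deadline, which is why the deadline has to cover the read and not only the connect.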
How can this be GDPR compliant? Apple tracks each user's behaviour and knows exactly what software they use and how often, so they can launch their own services and cut out competition on popular services.
I am tired of this 2 trillion company becoming too strong. Screw them. I ain't gonna develop for them anymore. Parasites.
Got this mail from Apple:
Dear Developer,
Compatible iOS and iPadOS apps will automatically appear on the Mac App Store when the first Apple silicon Macs become available this year. However, we noticed the following issues with one or more of your apps that are opted in to appear.
The following apps will not be made available on the Mac App Store until you address the issues and select Make this app available on Mac in the app's Pricing and Availability section of App Store Connect.
It doesn't have to be any more work than you're already doing. Just stop putting cycles into working around bad decisions by people who are trying to control you and put those very same cycles into working around bad decisions by people who are trying to help you.
A couple years later, snippets of code worth sharing will be lying around. Which you can share, or not.
If my employer offered anything for Linux use other than a 10lb Dell laptop I would consider it. I primarily choose MacBooks because I know what to expect in terms of hardware.
If they can afford to outfit macbook pros, they can likely afford to outfit their employees with XPS or more likely, latitudes with the same form factor.
This seems like another signal of an overall trend. Post-sj, Cupertino seems to be getting progressively laxer about testing, quality, usability, and overall excellence in software and hardware. It's a shame. :'(
You are right. I was just letting off some steam. I am just really frustrated with a company that I respected for so many years, going downhill so much over the last 5-6 years.
After 11 years of MBPs as my main computer, I left because of crappy hardware (keyboards, missing Esc and Fn keys). I'm now very happy on a System76 laptop running PopOS.
With each new release of the OS, getting more and more locked down, I am happier that I moved on when I did.
The long term trend with Apple is for their computers to get more and more closed. First hardware, and now software. I get that for a phone, but it is completely antithetical to what a COMPUTER is supposed to be. They really should stop calling these things computers.
Huh.
After typing the above, I decided to check. THEY DO NOT call Macs "computers". I searched the pages for MBPs, iMacs, and Mac Pros. They use the word "computer" in connection with trade-ins, (for the thing you are trading in), and they use the phrase "computer system" in fine print, and never to refer to their products directly.
APPLE, IN THEIR OWN WORDS, NO LONGER BUILDS COMPUTERS. That explains so much.
;; ANSWER SECTION:
ocsp.apple.com. 3593 IN CNAME ocsp-lb.apple.com.akadns.net.
ocsp-lb.apple.com.akadns.net. 53 IN CNAME ocsp.g.aaplimg.com.
ocsp.g.aaplimg.com. 8 IN A 17.253.21.201
ocsp.g.aaplimg.com. 8 IN A 17.253.119.201
"ocsp-lb.apple.com.akadns.net" is an entry indicating DNS based load balancing, done by Akamai.
Even with lots of redundancy, there are still lots of ways all that can fall over. You can have a batch of servers that soft-fail: they're not responding to real queries but the load balancer thinks they're healthy.
Wake up, people. Free software is the last line of defense we have left before technological tools are completely taken away from us, and we all have to live our digital lives at the behest of Giant Megacorps.
I hope people finally realise what a terrible company Apple is and stop buying their products once and for all. I cannot understand why such atrocious decisions are magically forgotten when they release a new iPhone or a new Macbook. Every time there is a new Apple launch (service or product), it is almost always projected onto the front page of HN with hundreds if not thousands of upvotes.