I'm probably stating the obvious, but I think it's always worth keeping in mind that these software verification systems, both on Windows and now MacOS, are not for us.
Ten years ago, I was constantly getting laptops dropped off at my house from friends and family who'd picked up some virus and needed a clean install. That doesn't happen anymore, and it's not because they're no longer using laptops - they are.
It's thanks to these security systems. And yes, there are privacy implications. But for most people, you'd have to compare those to the privacy implications of having some virus sweeping your hard drive.
If you're the sort of person who reads Hacker News you can probably spot a fake program or dodgy link in e-mail a mile off. But if you're not interested enough to care enough to know the difference, there's no free lunch on the privacy issue.
I couldn’t agree more. I don’t know if people have a short memory, or if I just grew up in a particularly malware-infested part of meatspace, but in the late 90s and early 2000s doing extensive malware/virus scans on PCs was an entire industry and career path.
I agree and actually am happy about security facilities on my computer. The question is, whether the way Apple implemented this is the right way. Except for launching a program the very first time on a computer, the security check shouldn't block program execution. The check should run asynchronously. Especially, as it seems to be fine to start any program, when your computer is off the network.
Also, the system could be reacting better detecting that the Apple server is unresponsive. If a certain number of requests didn't answer in a timeout of a few seconds, it should not lock up but treat the server as not reachable.
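The timeout behaviour proposed in the comment above, sketched as an added example that is not part of the thread and not Apple's code: after a few consecutive timeouts the checker treats the server as unreachable for a cool-down period and answers from its local cache without touching the network. `FailOpenChecker`, the certificate ids, the thresholds and the simulated hanging server are all assumptions constructed for illustration.

```python
import time

class FailOpenChecker:
    """Online revocation check that stops blocking once the server looks unreachable."""

    def __init__(self, query, cache, max_failures=3, cooldown=300.0, clock=time.monotonic):
        self.query = query              # callable(cert_id, timeout) -> bool, True = revoked
        self.cache = cache              # last known answers, used while the server is down
        self.max_failures = max_failures
        self.cooldown = cooldown        # seconds to skip the network after tripping
        self.clock = clock
        self.failures = 0
        self.skip_until = 0.0

    def is_revoked(self, cert_id, timeout=2.0):
        if self.clock() < self.skip_until:
            # Breaker open: no network wait at all, answer from cache.
            return self.cache.get(cert_id, False)
        try:
            revoked = self.query(cert_id, timeout)
        except OSError:                 # TimeoutError is a subclass of OSError
            self.failures += 1
            if self.failures >= self.max_failures:
                self.skip_until = self.clock() + self.cooldown
                self.failures = 0
            # Fail open, except for ids already cached as revoked.
            return self.cache.get(cert_id, False)
        self.failures = 0
        self.cache[cert_id] = revoked
        return revoked

def simulate():
    # Constructed scenario: a server that accepts the request but never answers.
    now = [0.0]
    calls = []
    def hanging_server(cert_id, timeout):
        calls.append(cert_id)
        now[0] += timeout               # every attempt costs the full timeout
        raise TimeoutError("no response")
    checker = FailOpenChecker(hanging_server, {"dev-cert-B": True}, clock=lambda: now[0])
    results = [checker.is_revoked("dev-cert-A") for _ in range(10)]
    cached = checker.is_revoked("dev-cert-B")
    return results, cached, len(calls), now[0]

if __name__ == "__main__":
    print(simulate())
```

In the simulation ten launches cost three timeouts in total instead of ten, and an id already cached as revoked stays blocked while the server is down.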
Could these be done on-device, esp since they built in all that Secure Enclave cryptographic stuff, vs in the cloud? At least partially?
I mean having it phone home to the authentication server every time seems laborious vs. say, downloading a set of definitions every night that gets checked against some hash in the Secure Enclave or something.
You don't really need the secure enclave for this since it's the kernel doing the enforcement. I'm sure Apple considered syncing, since it's hard to implement something and not even glance at the other solutions on the market. My guess is:
* They expect the database to be too large to practically fit on every device. If this is really going to be literally every program or script ever run on macOS then that's gonna be huge.
* They don't want to deal with "virus definitions out of date" issues or "please update your AV" in response to an incident.
* They want to be able to revoke a malicious program immediately and not worry about cache expirations which is why the cache is only used when it's really really offline.
People always recommend System76 in these threads but they're just rebranding Clevo systems. You might consider cutting out their "value add" and just getting the unbranded NV41MB for ~$100 less (depending on how you configure it).
I understand they're working on producing their own laptops as well, but I bought a System76 Thelio desktop at the beginning of the pandemic ("guess I'm not going anywhere for a while") and it's been fantastic.
I also feel that calling it "just a rebrand" does a disservice to the engineering System76 has done short of building their own hardware. Pop OS is a real usability achievement, the tiling desktop is great, and controlling both hardware and software is how you get something as user-friendly as a mac. I especially loved this review of the Oryx: https://www.youtube.com/watch?v=5aJ9U5t9oD4
While getting it directly might be cheaper, it is necessary to realize what those $100 extra value add is getting you: someone did their work and did the integration necessary to run Linux seamlessly.
You see HN threads full of complaining that there is always something to "fix" when running Linux. Your $100 goes towards not having to "fix" anything and working correctly OOTB.
It is surely not perfect (I wouldn't know, I use different distro).
But when people won't reward Linux integration, and reward Windows or Apple instead, there won't be any Linux integration and they will be getting Windows or Apple.
Offer a competitive price for a competitive product and support and people will pay for it. That's currently not possible with Linux for personal computing.
I don't have any ill will towards Linux, I use it myself at work and home. But I'm not buying my parents a System76 machine for Christmas because I know the OS is unusable for them while the machines themselves are not well priced or spec'd for their needs.
The closest thing I could buy is a Chromebook, which fits the needs of a kid in school certainly but is a bit weak and ill supported for what they use a computer for.
So if I do get either of them a new computer, it's going to be a Windows or Mac. Linux options for them don't exist. There's no way to "reward linux integration" even if I wanted to, it's just not realistic.
There are Linux offers from Dell and Lenovo; I heard something that HP could offer it as well.
When you are paying for Windows, you will be getting Windows. It is up to you. However, don't complain that you have to "fix" something when installing Linux on a Windows machine; after all, you got Windows machine and that's what your vendor prepared for you.
You need to be mindful of the quality with both brands.
Dell XPS models are notorious for coil whine and display issues. Unlike the X1, the XPS models don't have USB-A ports.
The Lenovo X1 has the display panel lottery and fit-and-finish problems such as misaligned keys, seam gaps, and case material differences, which is probably attributed to multiple suppliers. Depending on the type of display panel, there could be four different suppliers (best to worst): Innolux, LG-Philips, AU Optronics, and BOE.
Buddy I know went with Dell + Ubuntu. I watched him struggle with driver issues that give me hesitation to the idea of _not_ buying an all in one packaged system.
Quick word though, if you have issues with dell software on Linux you're SOL even if you pay for software support. Dell does not offer any paid support for Linux machines they sell or software they distribute on them.
Dell XPS is an outstanding laptop, I've not yet found a better laptop if you don't like Macs.
However, Dell is not going to be my next machine because:
- dev edition is hard to get (at least for me) and regular version does not work well with Linux (finger scanner requires to install OS patches, WiFi is dropping occasionally, I had some crappy WiFi adapter installed in 2017/18, scaling is a big issue etc)
- my XPS had a weirdly placed camera (bottom left corner)
- again, my model did not have 4k display (comparing to retina I had back then)
- 13" is too small and 15" is too heavy, I would like something in the middle which might seem weird for you
- there is no finger scanner for dev edition (Yubico is here to help)
As you see those are very minor and subjective issues. Dell is a favourite machine of a friend of mine for years already, however I find Apple winning premium laptops battle in my eyes.
Mac is offering one thing that I can't find elsewhere: an amazing TouchPad.
I'm sure I could break away, but, right now, I'm hugely dependent on my touchpad for my workflows.
* For some reason, windows cannot get scrolling working correctly on touchpads.
* OSX gestures work incredibly well. I have them tied into many different actions.
There is a fellow from here working on getting it right in Linux. Apparently they’ve looked into it and it seemed like the obstacles aren’t insurmountable, but the developers want to be paid.
As they should be, one thing I want to knock System76 for here is for not doing more around making the Linux Desktop experience more seamless. Still requires a ton of fiddling.
It would be worth paying for, and honestly, I think it should be borne by the manufacturers of Linux machines, not end users.
> macOS Software Update - Resolved Issue
Yesterday, 7:00 PM - Today, 2:15 AM
Some users were affected
Users may not have been able to download macOS Software Updates on Mac computers.
> iMessage - Resolved Issue
Yesterday, 9:00 PM - 10:47 PM
Some users were affected
Users may have been unable to sign in to iMessage.
> FaceTime - Resolved Issue
Yesterday, 9:00 PM - 10:47 PM
Some users were affected
Users may have been unable to sign in.
> iCloud Mail - Resolved Issue
Yesterday, 1:49 AM - 5:00 PM
Some users were affected
Users may have been unable to send or receive mail.
> Maps Traffic - Resolved Outage
Yesterday, 9:00 PM - 10:40 PM
Some users were affected
This service may have been slow or unavailable.
> Maps Routing & Navigation - Resolved Outage
Yesterday, 9:00 PM - 10:40 PM
Some users were affected
This service may have been slow or unavailable.
Just a random thought: How many total hashes of applications does Gatekeeper track?
It's not that hard to have a SQLite database of the 50,000+ most common hashes physically on the computer... It would be tiny. If there even are that many!
Valid point. Even if Apple wants you to have the most up-to-date information for "security reasons", it would be more effective to perform continual syncing of that database to each computer.
If your computer's internet is offline then Gatekeeper could use that cache of information to make decisions.
The downside is that Apple wouldn't get any information about who opened which app at what time... which is arguably a privacy violation in itself.
I wonder if desire for that tracking information influenced the design.
You don't even need a database. A Bloom filter would be very compact, easy to check, would not divulge any extra information and could adequately store hashes for orders of magnitude more apps.
The probability can be dialed depending on your needs and you can make it as low as you want.
For a Bloom filter storing 50k hashes with a one in a quadrillion (10^-15) probability of false positive you need a 438kB bitmap.
I would worry more about the ability to create software with hashes that exploit false positives in the filter. I guess there are multiple ways to remediate this: the filter could be used only as a fallback if the primary service doesn't work. And it could also be rotated regularly. It could be salted (i.e. thousands of versions of the filter available) making it difficult to predict which one is going to be used. These are just a couple of silly ideas off the top of my head.
Kind of. Incremental adds are possible with a Bloom filter, but not incremental removes. Resizing is also not possible, so you’ll want to redownload occasionally.
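The Bloom filter sizing and the salting idea from the comments above, worked through as an added example that is not part of the thread: it derives the bitmap size for 50,000 entries at a 10^-15 false-positive rate from the standard formulas and builds a salted filter over constructed sample hashes. `bloom_parameters`, `SaltedBloomFilter`, the salt value and the sample data are assumptions made here.

```python
import hashlib
import math

def bloom_parameters(n_items, fp_rate):
    """Optimal bit count m and hash count k for n items at a target false-positive rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k

class SaltedBloomFilter:
    def __init__(self, n_items, fp_rate, salt=b""):
        self.m, self.k = bloom_parameters(n_items, fp_rate)
        self.salt = salt                      # a different salt gives a different bit layout
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive k bit positions from one salted SHA-256 digest.
        digest = hashlib.sha256(self.salt + item).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] >> (pos % 8) & 1 for pos in self._positions(item))

def demo():
    # Constructed sample data standing in for 50,000 tracked application hashes.
    tracked = [hashlib.sha256(b"tracked-%d" % i).digest() for i in range(50_000)]
    bf = SaltedBloomFilter(50_000, 1e-15, salt=b"filter-version-1")
    for h in tracked:
        bf.add(h)
    unknown = [hashlib.sha256(b"unknown-%d" % i).digest() for i in range(10_000)]
    false_hits = sum(h in bf for h in unknown)
    return len(bf.bits), bf.k, all(h in bf for h in tracked), false_hits

if __name__ == "__main__":
    size, k, all_present, false_hits = demo()
    print(f"{size / 1024:.1f} KiB bitmap, {k} hash positions per item")
```

There is no remove method: clearing a bit could also erase other entries that share it, which is why the reply above expects an occasional full re-download.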
What's up with Apple's QA lately, update issues, the other issue with third party apps not working, I was really looking forward to try out the new Safari (with all the promised battery life improvements).
sigh
I read somewhere that the iOS division has a culture of secrecy from the beginning, and this now permeates the whole software org, meaning that teams are more siloed, and crucial coordination and integration doesn't happen until far too close to release.
It's a good point. Apple always had terrible QA. It just wasn't as bad as all the other vendors. The other vendors have possibly surpassed them now so it's more obvious.
To expand on king_magic’s point, this isn’t a case of a small service having a sudden spike in traffic, it’s a core service used by all devices manufactured by one of the world’s largest tech companies. If they don’t test for massive scale it would be shocking.
Sure it does. Scaling can absolutely be tested in a robust way, it just requires a shitload of engineering resources to do. Apple absolutely has the financial means to test things properly, they just... seem to not care.
OCSP is deliberately done with plaintext HTTP, because otherwise it's potentially infinitely recursive. To be clear: Cryptographically this is fine, the OCSP answer itself is signed, so an imposter can't show you a bogus answer (though they could potentially show you an older but not yet expired answer pretending it's the latest they have). But in privacy terms it has negative consequences.
You could in principle fix this (with technologies that were invented later, like OCSP mandatory stapling) or you could use CRLs for everything. But we don't.
When used as Apple apparently did, the effect of OCSP is that any certificates being examined are reported (by serial number, but you can look up the certificate itself of course) to their issuer by your machine each time it checks. This is why browsers like Chrome or Firefox do not do OCSP checks.
Suppose (in a browser) you visit Porn Hub. Well it makes sense that Porn Hub know you visited, but it would probably surprise most visitors if DigiCert (the Certificate Authority which issued their certificates) were told you visited Porn Hub too. Likewise then if you're running some hypothetical porn app, the CA would be told each time on Mac OS apparently.
It's just weird none of the high profile tech sites or social media I followed mentioned this outage? I really hoped for more of a noticeable backlash for a high possibility of change.
This was a bug exacerbated by a server-side misconfiguration.
GateKeeper notarization checks already "fail open" by allowing the launch if something goes wrong. Unfortunately a bug in certificate revocation checks caused excessive delays when the server fails to respond so unlike notarization checks this didn't "fail open" as intended.
Because it’s 2020 and there’s still no Linux distribution that doesn’t have some terrible pain point (whether it’s driver support, UI roughness, randomly not being able to boot to GRUB, etc). Also, as far as I can tell there isn’t really a laptop/distribution pair that has a support experience like Apple or Microsoft hardware either.
Ubuntu or Arch on a thinkpad is pretty close, but trackpad support still isn’t close to apple or surfaces and if the OS becomes unstable you’re on your own.
I’d definitely consider a Linux laptop if it had a Retina-comparable display, aluminum body, excellent trackpad, weighed less than 5 lbs, half-decent speakers, and commercial support where I could walk in same-day and have my OS problems fixed.
I was wondering this myself. The common criticism you’ll see in these Apple threads is that people don’t care to configure their device/software as required in Linux. Or desktop OS is rough around the edges.
However anyone wanting to avoid these issues is now required to configure their Apple device. Anyone wanting to shift to Apple silicon will also experience a rough around the edges situation. In the previous days, Apple documentation for building on their no-config required platform is rough all around, not just the edges.
People are allowed to have criticisms and be hypocritical but it’s sometimes astounding how much Apple gets away with their choices because of marketing.
Linux doesn't run the software I need it to run, so it's not fit for my purposes and Windows is someone's idea of a sick joke. I also value aesthetics and UX in a computer, Linux and Windows are actually offensive to me in those two areas.
I don't feel there's an alternative for users like me and Apple know it.
Edit: This news story has annoyed me, I think Apple have crossed the line, but I need to buy a new personal computer in March and a MacBook seems to be my only option.
Fair enough. Lots of software either doesn't exist for Linux or doesn't run well. Also, I don't want to have to deal with all the smaller bugs that exist on Linux. At least the bugs with macOS are widespread and well-documented.
> I also value aesthetics and UX in a computer
Yes, Windows is bad in this aspect. Have you seen r/unixporn (safe for work) though? Many of the posts look pretty good.
I use Linux and Windows. If Windows is an idea of a "sick joke," consider how much processing power and capability you're leaving on the table. Just losing the first-party GPU driver alone costs you. It costs you more for RAM, for more SSD storage, for higher memory bandwidth. If that's worth it for you, great. I'll enjoy 128 gb of ram, photoshop loading instantly, and fast compile times thanks.
> Edit: This news story has annoyed me, I think Apple have crossed the line, but I need to buy a new personal computer in March and a MacBook seems to be my only option.
If people keep buying Apple products, what is Apple's incentive to change?