Update: Overnight, Apple PR sent out an e-mail about this issue to multiple websites and blogs, including me, for some reason. The company has updated its knowledge base article about “safely opening apps” on the Mac with new information, including a number of promises to fix this issue in the near future:
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the the next year we will introduce several changes to our security checks:
o A new encrypted protocol for Developer ID certificate revocation checks
o Strong protections against server failure
o A new preference for users to opt out of these security protections
These are good promised changes, especially the first and third one. Turning off the security checks is the most welcome change, but it remains to be seen if this cripples the user experience in some other way.
It’s also interesting to note that I’ve been inundated by random people claiming there was no issue here at all, yet it seems Apple sure does disagree with that. A response like this over the weekend, emailed to not only the usual Apple news outlets, but also insignificant ones like OSAlert seems highly unusual for something that, according to a lot of random people, isn’t an issue at all.
Original story: Almost nine years ago, I wrote an article titled “Richard Stallman was right all along“, still one of the most popular, if not the most popular, articles ever posted on OSAlert.
That’s the very core of the Free Software Foundation’s and Stallman’s beliefs: that proprietary software takes control away from the user, which can lead to disastrous consequences, especially now that we rely on computers for virtually everything we do. The fact that Stallman foresaw this almost three decades ago is remarkable, and vindicates his activism. It justifies 30 years of Free Software Foundation.
And, in 2012, we’re probably going to need Free and open source software more than ever before. At the Chaos Computer Congress in Berlin late last year, Cory Doctorow held a presentation titled “The Coming War on General Purpose Computation“. In it, Doctorow warns that the general purpose computer, and more specifically, user control over general purpose computers, is perceived as a threat to the establishment. The copyright wars? Nothing but a prelude to the real war.
Yesterday, every Mac user got a taste of what happens when you don’t actually own the computers you pay a lot of money for. Because Apple wants to control everything you do with the computer you rent from them, and because Apple wants to know everything you do while using the computer you rent from them, a random server somewhere going down meant Mac users couldn’t open their applications anymore.
Why? Because applications on macOS will only open if Apple allows them to be opened, and that means macOS phones home every time you do anything on Apple’s Mac that you rented. This has some serious privacy implications, as Jeffrey Paul notes:
This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.
It gets worse. The data that’s being sent as part of this phone home procedure is sent unencrypted, passes through third parties like Akamai, and since Apple is part of the US intelligence program PRISM, the US government has unfettered access to without the need for warrants.
I’ve been warning about the consequences of handing over control of our software and computers to corporations and governments for well over a decade now here on OSAlert, and every year, we seem to slide a little farther down the slippery slope, and every time, people wave it away. Yet yesterday, Mac users all over the world were confronted with the reality of being an Apple user today.
Macs are not yours. They are controlled, owned, and operated by Apple, and are an absolute privacy and security nightmare. Exactly as the Free and open source software movement has been warning about for 40 years now.
Oh No! Apple knows I opened The Sims again for the 9000th time and then closed it. Even worse!!! My neighbor knows it too!!!!! He’s going to hack my bank account with this very sensitive data. He’s also going to think I live in Waco, Texas because my IP address for my house thinks it’s there even though I am 300 miles away!! ALSO They know I went to work 15 minutes later in El Paso because my phone’s internet that I use often reports that my IP address is there. I hope they don’t take out any bogus loans on me and try to sell me tacos and Sims expansion packs using directed advertisements. It’s almost as if Apple gets on my computer and controls it playing the Sims themselves!!!
Overdo is a real word. Check a dictionary. It might help.
Sarcasm is another one.
Nice try Donald Trump, finally have the time to troll around the internet now that you’re almost done messing up a country?
Change The Sims for that porn game or website. Not so nice, right? Now you piss off somebody and suddenly your web surfing history is leaked on the internet and everyone at work knows.
And even if I only play innocent games it’s my business. There is a reason I don’t have a Facebook account where Candy crash publishes my score.
Either you are literally trolling for attention, in which case trying to explain why Apple / Google / Microsoft should not have completely control over our computing device is a complete waste of time.
Or you somehow managed to live your life without understanding the implication of having your life depend on devices you don’t own – in which case any attempt to give you a well thought out explanation will most likely fly over your head like a U.S Navy Blue Angels Show on the 4’th of July.
Either way, you’ll end up spamming the OSAlert.
That said, to anything else reading my post, here’s the reason for concern:
You buy a Google or an Apple product, you don’t like it, you write a review about it in OSAlert, suddenly you iMAC / Chromebook stops working, you cannot login, you cannot access your email, even on like payment no longer works, as you depend on Google/Apple payment service.
Sounds unreasonable? Ask 1000s of people that were locked out of their Google / Apple / Facebook accounts due to some unknown TOS volition.
Typo-o-plenty:
Say you buy a Google or an Apple product, you don’t like it and you write a review about it in OSAlert.
Suddenly your iMAC / Chromebook stops working, you cannot login, cannot access your email and even your online payment services no longer work, as you depend on Google/Apple payment service (or you simply need to two factor authentication).
The first step in garnering some respect, whether you are an Apple, MS, Linux, Unix, BSD or Solaris fanboy, is not to be a hypocrite!
The first step is to stop being a fanboy and stop treating people that levy valid criticisms against Apple, Linux, Microsoft, etc, as fanboys, or else run the risk of coming across as Mister Gotcha.
Thom, you and I have been using computers long enough to remember a time when this didn’t happen and we expect it to not happen. Anyone who’s started in the last five years hasn’t known anything else, and it won’t seem at all strange to them.
RMS real insight, IMO, was that software has high fixed costs and low marginal costs, so there would always be a very small number of vendors and a large number of users, and those vendors have incentives to provide less freedom to users over time. Migrating to cloud services hasn’t changed this at all, and has arguably exacerbated it. The specifics of what vendors are hoping to achieve will vary each decade, but the economics that drive it are fixed.
This, +1: “using computers long enough to remember a time when this didn’t happen and we expect it to not happen. Anyone who’s started in the last five years hasn’t known anything else, and it won’t seem at all strange to them.”
Years in tech fly by really fast, we all know that. We also know people’s memories are fragile and sometimes too short. Plus, as quote says, new gen tech people don’t know any better, which – as in the case of ever widespread general lack of cultural, historical and political knowledge – will inevitably lead to a quickly accelerating erosion of capabilities and freedoms people once enjoyed. It’s hard to see those slowly transform and head towards disappearance, especially when some even seem to like what’s happening.
Educating the newer generations w.r.t. computing, IT and tech history is more important today than has ever been before. We are clearly seeing, and have seen before, where ignorance in other areas (again, culture, history, politics) can lead our societies. Let’s not wait until that happens in computing and tech. I really wouldn’t want the next generations to grow into a restrictive and constrained environment that they can’t get out of because they don’t know any better…
Hi Thom.
In all fairness and not all that long ago you too joined the political correctness bandwagon. Without much hesitation concluding good riddance to such people. Point being, people that actually have constructive, clear and predominantly reasonable stance on such issues, privacy, are by today’s standards considered extremist, conspiracy theorists, criminals and worse. Most people today unfortunately chooses to be ignorant and are not bothered if their government or any multinational company took their privacy away. A decade or two back people would say no way i am giving up my privacy to the government or to any company! This days this has obviously become a norm. Apple hence can continue with such trends and the lines at their stores won’t be affected a bit by it.
It is possible for people like Richard Stallman to both have had great ideas and to be a creep. We are complicated beings. Calling out someone for repugnant behaviour is not political correctness run amok. It is calling out someone for repugnant behaviour.
I spent my first decades admiring his work and accomplishments. I hadn’t realized that this respect blinded me to his shortcomings. Yes, it is painful. I can respect his ideas and no longer respect the man for his actions.
If RMS had great ideas but was a creep. And the things that followed were justified. I feel it is safe to say Apple had great ideas and at the same time it is a creep. Why the double standards then? Or are you saying RMS was way worse than Apple? All in all that was my point. Why would you care in this day and age? People choose to go to Apple store and choose to be treated in the way Apple treats them. Being vocal about it and saying something is clearly wrong with this picture. At best large portions of people will start calling you a creep. Just like it happened to RMS. As for an average keyboard warrior and his opinion. I feel it is safe to say no special admiration, accomplishment, a lot of shortcomings, painful, no respect no actions … involved.
No double standards and I certainly wasn’t suggesting that RMS was wrong or that Apple was right to do this. I think you misunderstood me.
.
My point was just that RMS could both be right with respect to privacy and be someone who I can no longer respect for his blatantly misogynistic and inappropriate behaviour and published opinions in other areas.
.
You wrote:
.
“Point being, people that actually have constructive, clear and predominantly reasonable stance on such issues, privacy, are by today’s standards considered extremist, conspiracy theorists, criminals and worse”
.
I completely agree with RMS and the FSF stance on issues such as privacy and software freedom. I certainly don’t consider these views to be extremist or worse. It was his personal and professional conduct that ended his career in disgrace. As well it should, in my opinion.
.
With respect to Apple, I wouldn’t compare an individual to an entire company comprised of tens of thousands of people. However, I do wholeheartedly agree that this is an appalling move by Apple and one that is consistent with their corporate actions in recent years.
.
I loved Apple hardware and software 2005-2011 or so. Mac OS was a good Unix with an X11 server, good Java support, etc. Their laptops were far better than most PC options at the time, as far as I am concerned. Once they started only allowing signed binaries by default and then stripping back all of what had drawn me to the platform, I gravitated away from them. I have many, many complaints about their hardware, software, and service.
What actions? RMS was vilified from a few sentences he said that were edited and taken out of context and published all around. Mysogynistic in some of his older writings? Sure, maybe, but whether people like to admit it or not, older people tend to have been raised in a less tolerant time. Values and views have changed, but not always for the better.
Anyhow, just wanted to say that most people have that attitude of ‘well I don’t do anything wrong, so if they spy on me, I don’t care…’ just told my sister it isn’t about that. It is about having a conversation with someone near your phone, or even if you are browsing stuff, and maybe it is about car insurance. Then suddenly you start getting calls from car insurance places because they paid Google or Apple money… or let’s say either of them decides to start their own insurance and use their collected data to sell it?
People who just shrug it off as a criminal snooping act and not about respecting privacy doesn’t ‘get it’.
RMS & FSF correctly identified a very real problem. However…
By making a “zero cost, development funded via. hidden means” model mainstream and undermining the older “pay a disclosed-up-front price for what you use” model; RMS & FSF are responsible for some companies adopting advertising and/or “walled garden store” as an alternative revenue stream to fund development. Targeted advertising and “walled garden stores” are the leading causes of privacy violations.
In other words; RMS & FSF are (partially) responsible for causing the problems that they originally intended to prevent.
The correct approach is far simpler: make laws that protect privacy (and improve laws that protect competition).
Hmm.. seems I can’t thread deeper and reply to Leech and Brendan.
.
@leech: what actions: This seems like a balanced summary that goes over the major points
.
https://www.insidehighered.com/news/2019/09/18/computer-scientist-richard-stallman-leaves-mit-amid-controversial-remarks-about
.
Sentiments such as “Values and view have changed” are often used to excuse behaviour. You’re right; thinking evolves. If an individual can’t grow and evolve with the changed values this is no excuse. If anyone believes that their opinion or thought is valid, they should be prepared to explain and defend it. If they cannot, then it is likely that their belief and opinion should change.
.
“Anyhow, just wanted to say that most people have that attitude of ‘well I don’t do anything wrong, so if they spy on me, I don’t care…’”
.
I agree 100% that this attitude should go. We should all take care to protect our privacy and freedom.
.
@Brendan: you make good points. This is why I tend to do my best to support and use open source software when I can, but I am not militant about it. I have done my best to support it over the years; offering hosting, donating to some projects, buying commercial versions of others.
.
I love the idea of open source but funding is always a trick. I absolutely hate advertising and would much rather pay for good software than suffer the ads (and in-app-purchases) that seems to be the business model for so much code these days.
.
We need more creative business models!
Brendan,
Stallman played a very important role in the free software movement, but you bring up a good point in that he hasn’t provided a universally competitive business case. Most FOSS work is either done with no expectation of payment or subsidized by other business income. And while I obviously get the importance of FOSS with regards to freedoms, a lot of independent developers including myself are constantly facing this financial conundrum; not everyone can make a viable living at it
Well, we’ve got the least productive congress ever and with a new lame duck administration we’re not going to make any progress on legal reform in the next administration. However simple legal fixes may be in principle, it will be impossible in practice as long as mitch mcconnell and people like him control the senate. New legislation gets stonewalled because that’s how he see’s his job, his long game is to stall all legislative progress and load the courts with members of his party. The US constitution assumes that senators will want to pass laws and that they’ll compromise in order to do so, but mcconnell highlights a major flaw, the senate majority can win by not doing anything at all, they can stonewall everything. They don’t have to take up any bills, they don’t even have to approve judicial appointees until their party controls the whitehouse. The scary part is that the laws don’t matter as much when you control the judges.
I’m afraid this strategy has been so effective for republicans that it may become the new norm indefinitely. We could see new laws during national emergencies like the patriot act that granted more government surveillance capabilities, but I don’t see any progress with US laws on the horizon.
And do you feel Apple will end their career in disgrace, due their conduct? Likely you wouldn’t need to dig deep to find patterns of misogynistic behavior regarding Apple. I just did a quick “Apple misogynistic”search and the very first link returned suggests such issues exist for as long as Apple. But in the end luckily we got rid of people such as RMS. We at least achieved something, didn’t we? And can now stand in an Apple store row to get their products for us and our kids with a big smile on our face. Note that you responded to my post and i am not holding that against you. Nor is all of my rumblings directed at you.
Importance of protecting privacy was defeated by the convenience of clicking “Accept” to a 20+ page legal document you didn’t read.
Thank you for posting this, Thom. It has sent me down a bit of a rabbit hole and has reminded me of why I started using Linux back in the late 90s. Microsoft was the source of ire at the time; now it appears to be Apple’s turn. (And I say that as someone who quite enjoys using macOS, iOS, iPadOS, and Windows but doesn’t trust any of these platforms to respect my privacy at all.)
Sometimes it feels to me that 2010-2013 was a golden age of computing. Big Tech hadn’t finished consolidating, things felt more possible. I hope we can get back to that at some point.
People (general public) really don’t seem to understand, when you have a MacOS X or Windows machine you don’t own the machine and the software. You only have an end-user license. Only allowed to use it in the way these companies want.
It’s the same thing with Windows, ChromeOS or Android. Every executable is counted — and at least for Windows, if the executable is signed, and you have a developer account linked to the certificate, you can see the statistics yourself.
If this isn’t a good argument for more competition, particularly from Open Source vendors with varying agendas, I don’t know what is.
It seems that the majority of open source vendors fail with regard to actually creating a product that most users want and that will actually do what the users want to do *better* than what they already have. Unless you can show a typical user something they have to have, a killer feature or app for example, they’re not going to switch to anything new or different. This goes double if the system will in some way inhibit their workflow or otherwise add complications to it. So my challenge to all the open source vendors, advocates, and communities will remain thus: stop telling everybody what they should care about, and build something that will get them to care.
darknexus,
Obviously you can point out the ways it needs to be better for you. However this challenge as stated is fundamentally unattainable. No platform does that open source or otherwise. What works for some people doesn’t work for everyone. Realistically most people are going to have resistance to change whether or not it’s warranted and they’re not going to change even if a new platform would satisfy their needs. In short, it can make more sense to prioritize the needs of people who are sitting on the fence than those who show no interest in changing.
To put a finer point in it, if it were to mean dumbing down the OS/metroification/IOSification/etc, then my own vote is to do the exact opposite!
No, Richard Stallman was NOT right all along. In fact, his insistence that everything should be Free Software is somewhat counter-productive. He is like those people who claimed that the problem of non-standard landlord contracts could only be abolished by abolishing either the concept of property or the concept of house renting. And guess what? The problem was solved by governments regulating those contracts, not by abolishing property or the concept of house renting.
He kind of still is right. Open source software (not free software, there IS a difference) is the correct way to go. If you were provided the source code for even if it were just auditing purposes, how much better would some companies be off using it? He never has said that everything should be free, just open source.
It’s easy for him to claim that, being a professor at the MIT could pay a bit of money the usual linux “free as in free beer” nerd won’t earn.
https://popularbio.com/richard-stallman/#Richard_Stallman_Net_Worth
No, he is not. He is trying to push an agenda and doesn’t really care about the actual problem. If he did, he would ask for regulation.
Trouble is he says free software is GPL where as I would say free software is BSD.
Minor point to some manybe but in freeness BSD is more free.
GPL may be better for many things however they need a different word than free to describe it.
Always have.
Free is free as in free for all.
If you want something of me for using it (in any situation) it is not free.
(And to answer your question yes I use GPL and linux stuff more than BSD since I agree with it. It just needs a better word).
There seems to be a bit of hysteria on this issue… Jacopo Jannone published a thorough analysis: https://blog.jacopo.io/en/post/apple-ocsp/
Thanks for that. So it’s not sending the app signature every time an app is run, but rather the developer signature after a certain amount of time has elapsed since the last time an app was run.
Still seems like an invasion of privacy to me, if a lesser one.
Then again, any app you use that connects to the internet (which these days is most of them), as well as every web page you visit, is doing the same thing and worse.
Moochman,
Clearly invasion of privacy is one concern, but the other is apple having the capability to block those applications. Regardless of apple’s official reason for having this remote control “we’re doing it to protect our users, blah blah blah”, the reality is they are building the technology that enables government censorship, something we’re already seeing on IOS.
Well, I’d argue there’s a huge difference between being monitored by the web server you are visiting versus being monitored by a 3rd party. If I connect to my bank, I expect them to see everything that I do there, that’s entirely expected. However if my OS/browser/etc collect this information and send it off to an unrelated 3rd party, that’s objectively more invasive.
The original, hysterical article is bilge, of course. Here’s a nice, sane, analysis:
https://eclecticlight.co/2020/11/15/last-week-on-my-mac-making-essential-services-fail-safe/
Thanks for the link, which is indeed sane and well-reasoned. In the comments section I think there is a very valid argument to be made for the disabling of this check, however:
https://eclecticlight.co/2020/11/15/last-week-on-my-mac-making-essential-services-fail-safe/#comment-53042
I must admit that I always assumed the notarization check only happened the first time I ran an app, not EVERY TIME. This is indeed a bummer, especially because for the vast majority of users for whom Linux might be too much of a struggle, the alternative on Windows is even more full of analytics and spyware crap.
Up to now Apple’s main selling point for its services and products as compared to Google and MS was “we care about your privacy”. Meaning, they might be storing your data on their servers, but they pledge not to use it for any other purposes such as targeted advertising. Whether there are any number of exceptions to this policy (recommendations within their own Music, TV and App Store apps come to mind) I can’t say, but at the very least up to now Apple has built a reputation of being more privacy-respecting than the likes of Google or Microsoft, which they can do more easily because they’re selling you hardware and services, not giving aware software and services for free. And AFAIK at the very least Safari ranks up there with Firefox and Brave as one of the most privacy-focused browsers you can use.
Now this new discovery is making them look like huge hypocrites.
Bottom line: At the very least Apple needs to provide a public statement about what they do with this data, in the best case a pledge that they don’t share or do any analysis with it AT ALL beyond the notarization checking, and that the data is not persisted. TBH I assume this is the case anyway, but they need to clear this up once and for all.
The better outcome would be to only check for notarization when the app is started the first time (as I had assumed they were doing), although I expect they change that because of claims about possible malware discovery and the need to revoke rights after the fact. Which is shit for the end user and the app developer, because they could theoretically block a company’s already-installed apps from running because that company pissed them off (ahem EPIC), and nothing would prevent them from doing this except a court of law.
On the whole I am gravitating more and more toward a Linux-based laptop for my next computer. These days Dell, HP and Lenovo all offer slick laptops with Linux pre-installed and fully supported (in particular the Dell XPS 13 seems just about perfect). For web development purposes (my bread and butter) they are ideal, offering the best Docker experience you can get, and even working with Microsoft technologies like .NET and Edge is no problem should it be necessary. I would admittedly miss certain Adobe apps to be honest, but I’m willing to give open-source alternatives a shot, and worst case I could always run Windows apps in a VM.
Turns out the scare story is false. MacOS does not send Apple a hash of your apps each time you run them. MacOS does not transmit info about which app you launch but sends info about the developer certificate, if the developer has several apps (pretty common) then the same certificate info is sent for lots of different apps. And the info is not sent on every launch, just if enough time has passed since the last launch.
Checkout –
https://blog.jacopo.io/en/post/apple-ocsp/
– for details
I see once again a teacup and a storm have combined to excite some people.
Thanks for that link: Jacapo Janone’s article has a delightfully high signal-to-noise ratio. Makes it obvious that blocking the OCSP requests is easy (any proxy, firewall or similar could be configured to do it) and also very probably a bad idea in general. Multi-layered malware detection and suppression _is_ one of the services we’re buying from Apple, after all.
areilly,
The link is very informative and he’s done a good job explaining what it does. However he doesn’t get into how it can be abused, it’s just not discussed at all. So although it’s a good source of facts, it doesn’t do much to refute the ways that it can be abused.
Also, I’ve read multiple posts reporting that a recent change gives apple the ability to override the owner’s local firewall and routing policies in big-sur. An update claims this remains true as of yesterday.
https://appleterm.com/2020/10/20/macos-big-sur-firewalls-and-vpns/
This means that owners may not have any way to block these connections to apple (unless they use an external firewall to do it). I cannot test this myself, but if you have information that shows this is wrong, then please provide a link!
Hmm, that’s certainly disappointing. I was thinking about an external (network router) firewall, but thought that the local one ought to work too. Hope they fix that. Moving unnecessary services out of the kernel is a good idea IMO.
Of course. When Windows introduced telemetry it was considered following in Apple’s footsteps. Apple is always ahead and spearheading anti-consumer behavior.
Carewolf,
Indeed, these companies need each other in order to point the finger to someone else. This way when someone calls out privacy concerns an effective rebuttal is “Hey, look it’s normal, they are doing it too!” This is the process by which regressions become normalized. In the distant past this type of control would have been publicly condemned, but now it’s becoming normalized by all the major companies including apple, microsoft, google embracing it. This protects all of them from antitrust lawsuits “it’s not abusive, it’s normal”. And because all the major companies are doing it, consumers don’t have as many options to avoid it.
“TL;DR
No, macOS does not send Apple a hash of your apps each time you run them.
You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text on your network.
You shouldn’t probably block ocsp.apple.com with Little Snitch or in your hosts file.”
https://blog.jacopo.io/en/post/apple-ocsp/
Nice that everyone misses the POINT of the phone home.
Apple verification of signatures on apps. If an app changes substantially between openings it flags a security concern. Was it modified, is it malware. Did you get infected?
This isn’t Apple spying on you. Any developer of Mac apps, direct (App Store), authorised (partner), or independent, is well aware of this ‘feature’ in MacOS.
Btw, if you’re running anti-malware software on Linux that program is doing the same thing.
How else can it verify software.
It doesn’t change the fact that unencrypted data is flowing which is a concern. However this is not end-of-the-world material. It’s a safety feature.
lostinlodos,
That’s a misunderstanding of how certificates work. They are verified without phoning home. A signed app CANNOT be changed between openings without breaking the signature. The signature itself verified that the code has NOT been modified.
Furthermore, it’s being reported here that apple is revoking the original developer certificate and NOT the binary’s signature.
https://blog.jacopo.io/en/post/apple-ocsp/
This mechanism clearly exists to revoke code signing certificates. It isn’t capable of blocking vulnerable binaries without blocking everything that developer has published.
Funny that ‘feature’ is in quotes
No, actually it works quite a bit differently. Anti-virus tools like clamav scan files for code signatures from a database that is updated with malware signatures. It does not identify what you are running to 3rd parties and furthermore you as the owner hold the keys to your own computer. It isn’t pinging a corporate server for permission to run executables.
Because of the inability to block specific programs, this clearly isn’t very effective as a safety feature. It is clearly designed to revoke developer certificates and not to block specific malware. Regardless of the reasons you want to give though, it is wrong of you to dismiss the fact that this can be abused. While you trust apple to have the keys to your computer, not everyone does – it should be an owner’s right to take the keys away from apple.
This is why i always use the educational version of windows 10 when i use windows, you can turn off all telemetry using a global policy. I try to avoid MacOS entirely, and use kubuntu as my daily driver.
BluenoseJake,
Ironically minors have more privacy protections under the law due to the fact that under law they cannot give consent…protections that some adults would benefit from too yet aren't given sufficient opportunity to give & refuse consent.
I was under the impression that the general public couldn't buy educational versions of windows 10, where did you get that from if you don't mind me asking?
Apple Insider authored a really great retort to this articles POV.
https://appleinsider.com/articles/20/11/15/big-sur-telling-apple-what-app-youve-opened-isnt-a-security-or-privacy-issue
haus,
Apple Insider didn’t retort anything at all, they don’t contradict the allegations in any way, they actually acknowledge them. Instead what they offer is their opinion is that it doesn’t matter if the data is being collected.
I quote:
Everyone can form their own opinion as to whether this data is sensitive to them or not, just keep in mind that you do not speak for everybody else. Some people could even be put in harms way if this kind of information gets out in certain areas of the world. I’ve criticized microsoft for doing this, and now I have to criticize apple for doing it too.
Alfman, what the AI article showed was that the data was not any more concerning than what an ISP could collect.
>”However there’s not really much utility in knowing just what app is being launched, realistically speaking. And, the ISPs could have that data if they wanted to without the limited info that Apple’s Gatekeeper may provide. For the majority of these hashes, it will consist of largely unusable data, even if it is identifiable, due to the genericness or the high use cases of some apps. There’s not much information you could gather on a user by knowing they launched Safari or Chrome, as the hash states the app but not what they are looking at.”
haus,
Honestly now haus you should know better than this. Prior to big-sur, an ISP wouldn’t know what software you are running locally. The fact is that this mechanism leaks information that doesn’t need to be leaked and wasn’t leaked prior to this. It’s not just one’s home ISP ether, if I go to a hotel, airport, public hotspot, etc, they’ll be able to see these requests too. You gotta admit it haus, it’s an objectively poor implementation.
Thom Holwerda,
Obviously somebody at apple knows you Thom
If you analyzed the traffic you might find some leads bring you back to corporate networks. It wouldn’t surprise me at all if a company like apple is involved in “ground roots” astroturfing to spin the news about themselves. It’s either a crackpot conspiracy, or explains the source of apple’s alternate reality bubble, haha.
“A new encrypted protocol” is ambiguous and could mean one of two things:
1. They simply move it to HTTPS, which hides the data from other prying eyes but not from apple.
2. They could implement a lossy hash function to retrieve the revocation checks. This would result in fetching an arbitrary number of revocation checks in one shot without revealing to apple or anyone else which one was requested. This would be far better for privacy, although apple didn’t make it clear this is what they’re going to do.
“Strong protections against server failure”. Frankly apple should be embarrassed they didn’t do this in the first place, this probably cost a lot of people & companies real money. Hell if I were day trading on a mac, I’d consider suing apple over it.
“A new preference for users to opt out of these security protections”. This is the bright side to all the backlash, it resulted in acknowledgement and change. It highlights a difference between apple & microsoft, apple is extremely sensitive to bad PR whereas microsoft doesn’t give a crap and will dig their heals in even when it costs them popularity. In a way it’s good the outage happened to bring it to our attention.
Although I’m sure there are many other controversial features going into macos right now that haven’t been revealed.
More tracking, apparently also for security reasons, named Identifier for Advertisers.
https://noyb.eu/en/noyb-files-complaints-against-apples-tracking-code-idfa
Geck,
Thanks for the link, apparently apple is applying the EU’s privacy restrictions to 3rd parties, but giving itself an excemption. Quoted from your link…
But where did you get that tracking “Apple’s Identifier for Advertisers” is ever used for security purposes?
Is anyone able to confirm that apple exempts itself from the owner’s firewall & routing policies as described here?
https://appleterm.com/2020/10/20/macos-big-sur-firewalls-and-vpns/
If this is true, I find it quite concerning that apple created a firewall backdoor for itself in big-sur. That’s nuts, who approved this decision?
I read a series of articles on IDFA and apparently Apple initially defended IDFA purpose in a way it is supposed to offer increased security for end users. After i guess more pressure they said third parties won’t be able to have access to IDFA anymore starting from iOS 14, now that got delayed to 2021.
The most important conclusion to me is that this is a pretty embarrassing bug on Apple’s side. The blog below gives a pretty good technical analysis of what happened:
https://blog.jacopo.io/en/post/apple-ocsp/
Simple remedy for all of this is to put these machines/devices in their proper perspective. Yes the fondleslab is a convenient device, but it sucks at productivity as it’s a Single tasking device by design. Nowadays, It is paltry at or blatently sucks at the function at the core of its name(Phone). Also, in communications, you do not need Facebook, Google, Youtube, Snapchat, TikTok, etc in order to handle everyday life circumstances. Being older has it’s perks. I can either call someone, or Use any of my PCs. (OS, not applicable since there are solutions for most). This reminds me of the greatest gift that Open source Software has given me: Freedom of choice.
Someone at apple must be reading this site
That being said, Thom is right, it was alarming enough, and it is welcome that they’re going to allow disabling the checks. I’m eager to do that the first chance I get.