
361 points robenkleene | 7 comments
1. londons_explore No.23282990
This must be a blacklist, since it doesn't block my own random scripts which it has never seen before.

If it's a global blacklist on apple servers, it should instead be downloaded to the client, and be a local blacklist.

Too big? Use a bloom filter. Now you only end up keeping less than one byte per blacklisted item. Update the bloom filter with an autoupdater. Any positive hit you can check against the server just in case it's a false positive.

replies(3): >>23283287 #>>23283550 #>>23283950 #
2. daneel_w No.23283287
Bloom filters are probability-based and come with inaccuracy problems. If you're going to double-check with Apple anyway what does a bloom filter solve compared to the current response caching after querying Apple? How will you protect the locally cached blacklist from being tampered with?
replies(1): >>23283412 #
3. w-j-w No.23283412
Bloom filters have probabilistic false positives, making them perfect for blacklisting. A negative means that the program can be run immediately, because it is guaranteed to not be on the list. A positive needs to be double checked, though.
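The local-filter scheme sketched in comments 1 and 3, as an added example that is not code from the thread or from Apple: a Bloom filter over executable hashes lives on the client, a negative lets the program run with no network traffic, and only a positive is confirmed against the authoritative server list. The blacklist entries, the "my-own-script" probes, the choice of SHA-256 as the executable identifier and the 8-bits-per-item sizing are all constructed assumptions for the demo.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size bit array. The k bit positions for an item are derived from
    one SHA-256 digest via double hashing (h1 + i*h2 mod m), so no extra hash
    functions are needed. Lookups can give false positives but never false
    negatives."""

    def __init__(self, expected_items: int, bits_per_item: int = 8):
        self.m = max(8, expected_items * bits_per_item)        # bits in the array
        self.k = max(1, round(bits_per_item * math.log(2)))    # optimal k ~= 0.69 * m/n
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1                # odd step so positions spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def executable_hash(data: bytes) -> bytes:
    """Assumed identifier for blacklisting: SHA-256 of the file bytes."""
    return hashlib.sha256(data).digest()


def launch_decision(bloom: BloomFilter, server_blacklist: set, data: bytes):
    """Return (decision, contacted_server). A filter negative is definitive,
    so the program runs without a round trip. A positive may be a false
    positive, so it is confirmed against the authoritative list first."""
    h = executable_hash(data)
    if not bloom.might_contain(h):
        return "run", False
    return ("block" if h in server_blacklist else "run"), True


def build_demo(n_bad: int = 1000, bits_per_item: int = 8):
    """Constructed data: n_bad fake malware samples form the server-side
    blacklist; the client filter is built from their hashes."""
    bad_files = [b"malware-sample-%d" % i for i in range(n_bad)]
    server_blacklist = {executable_hash(f) for f in bad_files}
    bloom = BloomFilter(n_bad, bits_per_item)
    for h in server_blacklist:
        bloom.add(h)
    return bloom, server_blacklist, bad_files


def measure(bloom, server_blacklist, bad_files, n_clean: int = 1000):
    """Check both guarantees on constructed inputs: every blacklisted file is
    blocked (no false negatives); clean files are never blocked, but a few
    trigger a server check (false positives)."""
    blocked = sum(launch_decision(bloom, server_blacklist, f)[0] == "block" for f in bad_files)
    wrongly_blocked = 0
    server_checks = 0
    for i in range(n_clean):
        decision, asked = launch_decision(bloom, server_blacklist, b"my-own-script-%d" % i)
        wrongly_blocked += decision == "block"
        server_checks += asked
    return {
        "blocked_bad": blocked,
        "wrongly_blocked_clean": wrongly_blocked,
        "server_checks_for_clean": server_checks,
        "filter_bytes": len(bloom.bits),
    }


if __name__ == "__main__":
    bloom, blacklist, bad = build_demo()
    print(measure(bloom, blacklist, bad))
```

The size/accuracy trade-off is set by bits per item: with 8 bits per item and k = 6 the false-positive rate is roughly 2%, so about 2% of never-seen programs still cost a server query; about 10 bits per item brings that near 1%. The filter alone does not answer daneel_w's tamper question; the downloaded filter would still need to be signed by the vendor and verified before use.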
4. JackC No.23283550
The k-anonymity scheme used by the haveibeenpwned api seems like a good fit here.
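The range-query scheme JackC refers to, as an added example that is not code from the thread or from haveibeenpwned: the client sends only the first few hex characters of the file hash, the server returns every blacklisted suffix in that bucket, and the final comparison happens locally, so the server never learns the full hash. The 5-character prefix is the same bucket width the Pwned Passwords API uses; applying it to SHA-256 of executables, and the constructed blacklist and probe files, are assumptions for this demo.

```python
import hashlib

PREFIX_HEX_CHARS = 5   # assumed bucket width: 20 bits of the hash are revealed per query


def file_hash_hex(data: bytes) -> str:
    """Assumed executable identifier: hex SHA-256 of the file bytes."""
    return hashlib.sha256(data).hexdigest()


def build_server_index(blacklist_hashes):
    """Server side: group full hashes by prefix and keep only the suffixes
    per bucket, since the prefix is the lookup key."""
    index = {}
    for h in blacklist_hashes:
        index.setdefault(h[:PREFIX_HEX_CHARS], []).append(h[PREFIX_HEX_CHARS:])
    for bucket in index.values():
        bucket.sort()
    return index


def server_range_query(index, prefix: str):
    """The prefix is all the server ever receives. It answers with every
    suffix in the bucket (possibly none), and cannot tell which one, if
    any, the client actually holds."""
    if len(prefix) != PREFIX_HEX_CHARS:
        raise ValueError("client must send exactly the prefix")
    return list(index.get(prefix, []))


def client_is_blacklisted(index, data: bytes, wire_log=None) -> bool:
    """Client side: hash the file, send only the prefix, and finish the
    membership check locally so the full hash never leaves the machine."""
    h = file_hash_hex(data)
    prefix, suffix = h[:PREFIX_HEX_CHARS], h[PREFIX_HEX_CHARS:]
    if wire_log is not None:
        wire_log.append(prefix)       # everything a network observer sees
    return suffix in server_range_query(index, prefix)


def demo():
    """Constructed blacklist of 2000 fake samples, probed with both
    blacklisted and clean files; records what crossed the wire."""
    bad_files = [b"malware-sample-%d" % i for i in range(2000)]
    index = build_server_index(file_hash_hex(f) for f in bad_files)
    wire = []
    return {
        "bad_detected": all(client_is_blacklisted(index, f, wire) for f in bad_files),
        "clean_flagged": any(client_is_blacklisted(index, b"my-own-script-%d" % i, wire)
                             for i in range(200)),
        "max_bytes_sent": max(len(p) for p in wire),
        "buckets": len(index),
    }


if __name__ == "__main__":
    print(demo())
```

A 5-hex-character prefix leaves 2^236 candidate hashes in each bucket, so the server learns which bucket was asked about and nothing more. Two caveats the thread does not address: the scheme still reveals query timing and frequency to the server, and unlike the Bloom-filter approach it requires a round trip for every launch, not just for positives.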
5. caf No.23283950
Doesn't a blacklist also work only until the malware authors figure out how to randomize 8 junk bytes every time they serve an executable?
replies(2): >>23285266 #>>23285447 #
6. therein No.23285266
Which they already do.
7. dimator No.23285447
That's the crazy thing about this. There are already obfuscation techniques against hash blacklists, so what is this even for? There's no earthly way Apple security engineers didn't know that. So what is actually happening?

My guess is that it's strictly for banning App Store apps that they pull from the App Store, but would also like to cripple retroactively on installed machines. But that doesn't explain why it had to run against random shell scripts. This is all still confusing. We don't have all the info.