Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

This is one of those tough cases where software cuts both ways.

Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.

Most people are the opposite and this move protects the most sensitive data from being easily scooped up or muddled in easily installed apps, or at least easily installed apps that don't use zero days.

Is the world better or worse due to this change? I'd say a touch better, but I don't like the fact that this change was needed in the first place. I trust Apple, but I don't like trusting trust.

If I install Little Snitch, it's because I trust Little Snitch to be responsible for my computer's network traffic, over and above anyone else.

I recognize that this won't necessarily apply to all users or all apps, but there needs to be a way for the user to designate trust. Apple services and traffic should not get special treatment.

They provide the OS. If you don't trust them, then you shouldn't trust anything running on top of it either...

If you don’t trust Apple then you need something more than little snitch. Apple is responsible for both hardware and OS. What delta in security or trust is little snitch going to offer over Apple?

I'd argue this opens up a giant attack surface where malicious software will try to route its command and control communication through a protected service. Do we really want to trust that Apple will keep all 50+ of these privileged services fully protected?

I think it makes the "world" slightly worse in that it will be harder to discover malware. Little snitch has a small user base, but it's been used to identify many forms of malware and protect many more people once the threat is identified.

You could (and perhaps would) make the same argument about Intel (for providing the processor) or Broadcom (for providing the wifi chip) or Comcast (for providing internet service). And it's true, all of these parties have the ability to use their positions for nefarious purposes.

However, I would like to limit that potential as much as possible, partly by creating a stigma against practices that remove control from the user.

Is there anything Apple can do that makes their platform less accessible to the users that you would not support?

Right, but many users want to delegate trust to more than just the OS vendor.

I don't understand these style of responses. I think the point is that this "feature" makes the OS shittier.

In this situation the question isn’t about whether or not Apple can be trusted.

Apple has clearly betrayed users’ trust in this situation.

People don’t install Little Snitch only to prevent nefarious third party activity. Some may want to know what traffic is going to and from their computers. Other may want to block all traffic for testing and/or research purposes.

I can trust that Apple is not doing something nefarious and still see that Apple is blatantly betraying the fact that people trusted when switching stuff like firewalls away from kext that it wouldn’t build backdoors for itself.

Also, any backdoors Apple builds for its own apps and services are simply an additional attack vector that could potentially be used by non Apple malicious actors.

Tech savvy users are not just the minority. They're also cheap. They've been conditioned by the FOSS movement to think all software should be free as-in-beer. (The people who started FOSS didn't say that, but that's what it's become.) They say they want free as-in-freedom, but since they are not willing to pay for it they don't exist. Those who pay set the agenda for everything.

Developing a truly polished operating system with a whole ecosystem of services is far, far beyond what volunteers and hobbyists can achieve. It's just too much work. It also requires focus and coordination and someone who is able and willing to say no. Without that the FOSS community rewrites everything over and over again instead of doing the not-fun parts of programming like fixing bugs and edge cases.

TL;DR: we get what we pay for. We don't pay for freedom so we don't get it.

> If you don't trust them, then you shouldn't trust anything running on top of it either...

Trust, but verify.

The problem with this is that it's taking away the ability to verify. Which takes away the ability to trust.

> They say they want free as-in-freedom, but since they are not willing to pay for it they don't exist. Only paying users matter.

Citation needed. If you look at app store pricing models the opposite seems true. If I were going to take a random guess I would say that tech savvy users use open source software to avoid anti-consumer bullshit more than anything else.

If enough people said to Apple "hey, this stuff is not acceptable and we won't pay for it" and then they actually did follow through, Apple would stop.

My point is that the vast majority of people don't say that, only a very tiny minority. The vast majority of people want convenience, not control. They want their stuff to "just work" because even if they do have the technical knowledge they don't have the time to screw around with fixing their computer. Apple is giving the market what they want as evidenced by actual buying behavior, not posts on HN.

My other point is that while there probably are enough tech-savvy people who care about freedom to support a viable alternative platform, the majority of these users are not willing to pay for anything so there is not in fact a market for it.

Basically what it boils down to is that people don't actually care. Even the vocal people who say they care don't care because they won't open their wallets or change their buying habits. If you won't actually do anything about something, you don't care. Whining on the Internet is not doing something.

I'm happy to pay for good FOSS and open hardware and I'm paying. Also I'm trying to avoid any proprietary and especially cloud-connected things. You are generalizing too much, there are enough people who are happy to pay for trustworthy software and hardware. Just noone cares.

> any backdoors Apple builds for its own apps

Apple hasn't weakened the security of their devices to provide a secret way in, in fact, they made their systems even more robust.

The question absolutely is whether Apple can be trusted. Little Snitch works for other apps, just not Apple's apps. The remaining slice of the pie you're arguing for is whether or not we can trust Apple.

So what delta in security and trust over Apple are we getting by asking for this change, and how much insecurity and brittleness are we inviting to all other users with our ineffective software based firewall?

> Is the world better or worse due to this change?

This is the false shortcut behind any attempt to weaken security. Security makes access harder, therefore let's weaken security to improve access.

The fact is that weakening security also makes malicious behavior easier and/or more likely. Changes like this are bad particularly because Apple users pay for a protected walled garden.

> Apple hasn't weakened the security of their devices to provide a secret way in, in fact, they made their systems even more robust.

I'd consider poking a hole in firewalls to be providing "a secret way in", particularly in the context of Little Snitch. This isn't some antivirus bloatware that comes preinstalled, or a firewall imposed by corporate networks. The entire pitch of Little Snitch is that it enables you, the user, to monitor and control any bit of traffic that leaves your machine. No one was asking for Apple to bypass that.

> Apple has clearly betrayed users’ trust in this situation.

That's a perfectly reasonable opinion to hold, but 99.9% of macOS users won't know the difference and will be safer for it.

Some of the folks who know the difference will also be fine with it. FWIW, I've used Little Snitch (only to prevent nefarious third party activity), and its biggest UX problem is that it treats legitimate OS traffic no differently than untrusted traffic.

Where are these weird anti-FOSS statements being bred from?

> Those who pay set the agenda for everything. And this different from non FOSS software how?

> Developing a truly polished operating system with a whole ecosystem of services is far, far beyond what volunteers and hobbyists can achieve.

As someone who uses Linux as my primary workstation I disagree. My coworkers that use Mac or Windows seem to have about the same number of issues overall. I mean- look at the article this is about. I’m pretty confident that would be much harder to get away with in the Linux community. Gnome shell is more polished than windows or macOS were at the same age.

> It also requires focus and coordination and someone who is able and willing to say no.

Clearly you haven’t dealt with the Gnome folks who are perfectly willing to say no to features some users scream for. Or read any of Linus’s rants about nvidia.

Edit: formatting

> The question absolutely is whether Apple can be trusted.

This is a false dichotomy. I choose to use a Mac, but I also choose not to let my Mac phone home to Cupertino unless I allow it. Why can't I have that choice? Why does it have to be all or nothing? I'm only interested in the Mac, I have zero interest in Apple "services". It's a fine computing device, but I see no reason why the device has to continue to talk to Apple after I purchase it, except to download software updates — which I manually trigger.

It's not about trust, it's about choice.

EDIT: Now if Apple provided a way to easily disable all of those "services" that phone home, there would be a lot fewer complaints about this issue. But they don't.

> They want their stuff to "just work" because even if they do have the technical knowledge they don't have the time to screw around with fixing their computer.

And that's why I picked up an MBP this year; it's caused me way less grief than my various Linux boxen have.

Yes I agree with your first part. There are real drawbacks.

But it's like installing a custom HTTPS cert in your OS to inspect potential traffic that malware may use through, say, a Google Doc or Sheet. It's helpful to true professionals dealing with highly sensitive information, but it's ultimately a bigger source of compromise for the vast majority of software users.

I don't think there is an easy answer here. That's why I said I thought it made the world a "touch better" and I can see from your response that you understand the tradeoffs roughly as well as I do based on the wording of your response. The fact is that contemplating these hard tradeoffs belie the underlying truth: Securing computers is hard and getting harder and the stakes keep going up. I can't say if this move by Apple will ultimately be worth it, but I certainly understand the predicament they are in. This is no easy work.

Absolutely. For example, I think that the lockdown of the bios was a move that hobbled developers like myself that installed custom bios extensions. I used to be able to run raw linux on real hardware. Now I need to use a commercial virtual machine just to get the dev environment I want.

The difference between the two is subtle, but true. I want true masters that understand what the tradeoffs are to make those hard choices for themselves. I want the rest of the world to have a blanket of privacy and security that protects everyone.

Especially the elderly that are too trusting with what they believe.

I find it interesting how the needs of legitimate security mesh so well with the industry desires to kill off general-purpose computing for the majority of users

Have you used little snitch? It very clearly allows all apple traffic by default, and if you modify something that would affect it, you get a huge popup explaining what will happen and have to click on a red button to confirm.

What this will do is allow apple to decide what goes in and out of the machine.

It's pretty clear what they think - they allow basically any app to access the network on ios.

I think that's a false false assumption.

With trust you get trade. Trade is commerce and the more trust you have the more money changes hands.

If I could firewall my phone I would upgrade every year no question.

This really isn't about trusting Apple, this is about trusting Little Snitch. I don't think it would be a good decision to allow any app to control your firewall, but I should be able to say "this app should be allowed to because I trust it."

I mean the irony is when it comes to browsers you see the general tone of HN shift to the opposite opinion when it comes to features like, RTC, USB, Bluetooth, Filesystem Access. These are all features that give users more power but it's (apparently) easier to see the downsides and how these features can and are used maliciously.

Now put yourself in the Apple's position where "an iOS app" or a "mac App" is about as trusted as a random website. Tech people have a strong culture of locally installed apps being extremely trusted but that doesn't extend to everyone. Can you imagine if websites could control your firewall?

I trust my friend Mike to drive me to the pub. I don't trust Mike to be the executor of my will.

Interesting that it's only the thing that personally affects you that you object to

I crap on FOSS a bit because I like it and wish it got more traction in the mainstream. I intend it as constructive criticism.

I've been a FOSS user and sometimes contributor since 1994 when I installed Linux with floppy disks, and have consistently watched FOSS lose the mainstream because they don't grasp the critical importance of UI/UX.

I want to write "it has to just work" on a sledgehammer and bash people about the head with it over and over again until they understand that user experience is f'ing EVERYTHING and every installation or setup step required to adopt something roughly halves adoption.

This is largely because we are in an age of time and attention poverty.

For the average user who expects to be able to block malicious traffic via something like Little Snitch, but still expects their OS updates, App Store, etc to work, or for someone who "knows better"?

> I mean the irony is when it comes to browsers you see the general tone of HN shift to the opposite opinion when it comes to features like, RTC, USB, Bluetooth, Filesystem Access.

I don't think it's that ironic. From my vantage point, the big tech companies specifically and consistently invoke the security arguments that are best aligned with their agendas.

• We need to enforce automatic Windows 10 updates to keep your computer secure. (But also, we won't let consumers use the security-patches-only LTSC branch we offer businesses.)

• You cannot install an app on your iPhone that we have not personally vetted. (As part of the vetting process, we enforce a 30% cut on all digital goods.)

• We need to hide URLs in Chrome to protect users from phishing websites. (But isn't it nice how it makes AMP more seamless?)

• We need to give browsers Bluetooth and USB access, because web apps are safer than random Windows executables. (But also, we can advertise inside of web apps more easily.)

I could go on. The problem with all of these arguments is that they aren't wrong so much as they're selective. The iOS App Store does protect users from malware, and hiding URLs does protect users from phishing. What goes unacknowledged are the trade-offs of these decisions—some of which may themselves be bad for security.

The average user isn't using Little Snitch. And if they are, the app provides default profiles for this sort of thing.

It's the opposite for me. Pop!_OS has caused me the least amount of grief. I tried switching to it as my main workstation but, sadly, Zoom doesn't run very well (in my experience). It crashed often and started using 100% CPU on all my cores.

> Tech savvy users are not just the minority. They're also cheap.

Bologna. I spent $4,000 for this MBP, and I've spent many hundreds on accessories, and thousands of dollars on software to run on it. I do everything on it. It is the center of my digital life.

That being said, the day I go to do something on this machine and find that I can't is the day I go buy a sub-$1,000 PC laptop, and go back to Linux (which I ran on the desktop for 19 years). Apple should be very careful how hard they squeeze here.

Who cares about the world.. I just want full access to the system I paid for. This should always remain an option.

Also, they lock the user in to the corporation's choices. Most of these don't even have a way to bypass them for knowledgeable users.

There has always been a tradeoff between security and freedom.

ANY firewall inherently trusts the OS of the device it's running. They have to in order to function. The firewall sits on top of the OS, not underneath it. Even on Linux if you're running ipfw, the traffic first goes through the OS and then to your firewall.

Is it really a goal of most FOSS projects to attract the mainstream? IME some of the highest-quality and longest lived projects know who their users are and provide an extremely high quality product.

I don't want to see Arch Linux, for example, to start prioritizing for attracting non-technical users who want it to "just work."

The decision is questionable, but you can always inspect traffic from the machine outside it, I would even say that's preferable in context of malware.

> I trust Apple, but I don't like trusting trust.

Trust relies on faith or evidence, the overwhelming circumstantial evidence is that Apple can not be trusted with anything other than their commercial interests.

You can not trust Apple with anything else, therefore you must have faith.

> If you don't trust them, then you shouldn't trust anything running on top of it either...

You start with trust, if you attempt to verify that trust by examining behaviour and discover a covert side channel surely you can no longer trust.

It's not about trust that they aren't doing something malicious, it's about trusting them to provide the level of attention and work required to keep something very secure.

A kernel and the core OS capabilities are a high security domain and I expect Apple to be extremely careful and put a lot of attention into making it secure. Desktop applications are a different domain where security is not quite at the same level and Apple will not and can not provide the same level of security for all of them that it can and does provide for the base OS.

As a simple example, compare Safari and the OS. The domains in which they operate make it extremely hard, if not impossible, for Safari to have the same level of security as the OS and kernel because the use case of Safari opens it to far more attack vectors.

Does anyone believe that exempting all Safari traffic from firewalls would be a good idea? If not, then why should we accept that it's a good idea for some arbitrarily set of other Apple applications?

The issue here is simple, it's the same as it always is with Apple. There's a choice to do the thing that's slightly more complex and requires users to provide even a minimal amount of input that they might have to think about ("An application is attempting to change the traffic flow required by X service, if you allow this it may cause problems with this service. Yes/No?"), but instead they opt for "Users must trust us implicitly and entirely in everything we do", which is their go-to solution. It all comes back to control, does Apple control the user, or the the user control their software? Apple has built their empire around the former, so while we can't expect the latter without if being forced on them, that doesn't mean we shouldn't.

Can you recommend a portable wifi firewall? Based on Raspberry Pi, perhaps?

>hiding URLs does protect users from phishing

Real question: how? I would expect it to be the opposite, a perfect phishing site will have the wrong URL.

You're overloading "trust". I think most people trust Apple not to be malicious, but that doesn't mean they trust apple to omniscient and perfect.

A back-channel that you can't inspect but Apple can use is a back-channel that you can't inspect but malicious actors have found a way to use waiting to happen. Preventing you from seeing that traffic doesn't protect you, only protects Apple at your expense, since you have no way of detecting whether something fishy is going on.

Yes, but as a user, I expect the OS to behave in a transparent manner. If the OS provides a firewall API, I expect it to send all traffic through firewalls that use that API, not selectively redirect traffic from certain apps or domains.

Because it's not really "hiding the URL" despite what all the outrage bloggers tried to make it seem. It's by default (i.e. until you tap/click it) hiding the parts of the URL that the site controls. So paypal.amazon.citibank.scamsite.biz/secure/login/trustus will just show scamsite.biz.

google.com.evilwebsite.example?=google.com

Oh that has google in it (twice even) we can go there.

There's also arguments that URLs are too complex for normal people to understand.

I agree with you though, hiding or redirecting URLs is the opposite of protecting users from phishing.

saw the GL.iNet+GL-MT300N-V2 recently - have not bought it yet, maybe it's time if it's good

And also, you might be uncomfortable if Mike blacked out all the windows.

Bottom line is that Apple made software like Little Snitch switch away from kexts and then built in behavior that was unexpected, which would not have been possible for them to do while Little Snitch was based on kexts.

Whether this is malicious, not malicious, secure, insecure etc. is irrelevant to whether this is an untrustworthy action. It’s not what one would reasonably expect and is therefore a betrayal of users’ trust.

If Apple switched gatekeeper on MacOS to completely remove the option and the workarounds to run unsigned apps, it would certainly be more secure. It would also be a huge betrayal of users’ trust in Apple and the MacOS platform.

5 years ago I found LS was unable detect any traffic out of a VMWare virtual machine running on the same Mac. Sure the VM is running through some installed virtual network adapter, but if that's all it takes an attacker can set up one of her own. Cool Hollywood interface but I gave up on LS as a serious security tool right there.

Trust but verify. Now we must do the former without being able to do the latter.

> Basically what it boils down to is that people don't actually care. Even the vocal people who say they care don't care because they won't open their wallets or change their buying habits. If you won't actually do anything about something, you don't care. Whining on the Internet is not doing something.

People aren't buying features off a list. In a situation like this a missing feature has to be so important that it completely disqualifies the product, which is a very different thing from a willingness to open the wallet.

It's similar to how you can get a kindle with or without lock screen ads. If the only option was with ads, you'd see more people buying that version because it becomes artificially hard for them to say "I don't want ads". Even though they're willing to pay for the feature.

And for convenience vs. control, well, this firewall bypass doesn't help convenience.

I can't speak about 5 years ago, but I was using Little Snitch with VMWare last year, and it worked. I had to specifically allow the VMWare process.

You can very easily monitor all outgoing traffic through an external device.

As is usual, this is something Stallman had touched upon years ago[1].

[1] https://www.gnu.org/philosophy/can-you-trust.en.html

I appreciate the response. I suspect you’re missing the many ways in which this change can negatively impact valid and fairly frequent advanced usages of macs, in a way similar to the BIOS change you mentioned.

When I was in college, Little Snitch was an absolute must for using Macs in our networking labs, because it was the best way to analyze and control our network. Without it the mac was not a feasible option.

This change by Apple would have essentially eliminated the macs use in several of these experiments, and I suspect that’s true today as well.

Further, this has a regular advanced user impact as well, for users on metered networks who would like to control their data usage.

You can’t filter per-app, however, which is a key selling point of Little Snitch.

Well you should be thankful our predecessors took making things "just work" seriously enough to remove your need to boot using toggle switch sequences.

> Now put yourself in the Apple's position where "an iOS app" or a "mac App" is about as trusted as a random website.

The mistake is in creating a category called "iOS app" or "mac app" and trying to fit every piece of third party code in the universe into that category.

What there should be is different categories of apps with different levels of trust. Then 95% of apps can go in the totally untrusted category because they don't actually need any special privileges. Which then makes asking for a trusted privilege a red flag rather than something the user clicks through because they see it for every app they install.

> Can you imagine if websites could control your firewall?

Realize that this has already happened. You wanted to block DNS to untrusted servers so everything would have to use your Pi-hole? Say hello to DoH. You could block AOL Instant Messenger by blocking port 5190, good luck doing that with Facebook.

The web made every protocol run over HTTPS to bypass your firewall, even if it has nothing to do with transferring hypertext.

Because that's what happens when you do security wrong. It has to be usable or it gets routed around. People started blocking unknown ports by default, or blocking/mangling protocols both of the endpoints didn't want blocked or mangled, so firewalls got displaced.

You don't actually want that to happen (again). You don't want the only options to be living in a cage or rooting your device with some unaudited 0-day code you got from some Russian hackers. There is value in the existence of the middle ground.

Guest traffic was visible when the VM was in NAT mode, but when switched to Bridged mode traffic went straight through with LS unaware. I suppose LS was only sniffing the standard adapters, though this could have been improved since.

How is this good?

Either Apple doesn't trust Little Snitch and shouldn't let it interfere with any apps, or Apple does trust Little Snitch and shouldn't block it at all. There's no reason to implement this halfway.

Their software could have bugs, or be compromised.

Ah, nice. I've been looking for something with which I can sniff my phone's activity, and that provides all of the keywords. And $20 ain't bad neither.

As a general rule, you want to prevent software from bypassing a user's informed consent. Apple typically does this in one of two ways:

1. Have functionality only accessible through system frameworks, so that the OS can be responsible for prompting for informed consent and granting it to a process. This means that the system itself has to have functionality to prompt for that informed consent in a way that users can understand.

2. Require processes which an application cannot script that are technically complicated enough that users might realize they are pulling off the warranty-voiding stickers. A prime example would be rebooting into recovery mode to turn off system integrity protections via a terminal command.

Both of these wind up getting gated in priority, but such is the priority of their system - limiting the ability of arbitrary software to act as an unrestricted agent of the user so that user security and privacy (as well as device operation like battery life and radio reception) can be protected.

Why doesn't each individual user have the final say over whether she wants to accept the change or not? There is no option presented to the user:

   [ ] Do not trust Apple, trust only me

You say "Some people are smart, informed developers" but in this case, it appears Apple is treating every user as the same.

I am not a "developer" (nor am I particularly "smart") and yet I monitor traffic to/from computers I own. Maybe some incorrect assumptions are being made about so-called "users". I find it perplexing that any company should be able to prevent me from monitoring traffic to/from computers I own. I own the computers, I pay for the bandwidth. I do not buy Apple computers for the Apple software.

Great comment - agree 100%

If the data is so poorly protected in transit that a firewall app on the system is a concern, something has gone very wrong indeed. It's just going to see that your Apple services on your Apple device are speaking to Apple servers.

There's an availability consideration here, but that's about it.

Absolutely not, installing a CA makes attacks which weren't previously possible now possible. A host firewall isn't doing anything a network provider (read: your ISP, coffee shop, vpn provider, etc) couldn't already do. At least you can possibly look at what the host firewall is doing.

> Can you imagine if websites could control your firewall?

Oh, they can. Cross-site scripting and request-forgery attacks aren't dead yet thanks to widespread terrible security practices :)

I think this is the case where you can have traffic monitoring set-up on your home router or any other network gateway available. It will be slightly more troublesome, but not impossible.

I was only trialing VMWare before, so unfortunately I can't test this anymore.

Heads up that VMWare Fusion has a free version on Mac as of this month. :)

My first instinct was to distrust the hide-until-click URL bar also, but you've illustrated clearly why it's a reasonable default. It mitigates the effect of malicious websites playing URL games, and allows the browser to more accurately convey to the user where they really are.

That's likely because VMWare Workstation's bridge mode likely injects into the networking stack at the same point that Little Snitch does.

To drive your point home, paypal.amazon.citibank.scamsite.biz/secure/login/trustus will likely have a perfectly valid certificate, along with the trusted green closed-lock before the URL, implying that the site is "secure".

That doesn't work with HTTPS, obviously.

And with DNS-over-HTTPS, DNS-over-TLS and encrypted SNI, that makes it all the more harder.

TLS makes this difficult today and SNI encryption will make this next to impossible without installing a custom ca certificate and doing MITM. Even that isn't helpful when you are using a laptop that may not always be on the network where you have deployed a device for inspection. Better to be able to inspect or block on the device by application.

> google.com.evilwebsite.example?=google.com

This was solved a decade ago by rendering the 2nd+1st level domains (and sometimes other parts of the URL) in a different style.

> There's also arguments that URLs are too complex for normal people to understand.

That argument is an insulting attempt to justify a form of illiteracy[1]. Most people don't need to know all of the technical features of a URL; they just need to be able to use it as an address and recognize basic features like the hostname.

Street addresses are a good analogy. Most people understand the basics easily even though physical addresses are far more complex[2] than URLs!

[1] https://news.ycombinator.com/item?id=7694919

[2] https://news.ycombinator.com/item?id=7695735

I've been respecting RMS' argument year by year

China (enter the room): Agreed.

That's the exactly the thing - they are, indeed, chasing me off. When this Mac dies, I'll be replacing it with something running Debian.

It is too bad - the Mac hit this sweet-spot where it was pretty much my perfect machine for several years - a kickass Unix workstation in a decently built laptop, with a decent GUI, with access to consumer apps, too. It was great while it lasted.

Thing is, this is a reasonable thing for Apple to do. Back when they weren't enormous, it made sense for them to at least make token gestures to the Unix-weenie/developer market - we threw a lot of money at them and made them hip when they were down and out. Now we're in rounding-error territory, and that we got what we wanted for a while was sort of a happy accident, anyway. Building developer dream-machines was never Apple's thing.

I bought my first Mac in 1991, and this one will last a while longer. Can't really complain too much about 30 years of decent-to-awesome tools.

Apple fanboys will always ignore the facts... why would you want apps to bypass a firewall that you install... Apple need to fix their OS either way

If they can circumvent system security for their own purposes (even though I’m sure it wasn’t planned to be that way), then they should be open to circumventing it for our country (by backdoor-ing their encryption), at least that is how I would imagine it will be referenced in the inevitable government lawsuit. What a major screw up Apple!

>is therefore a betrayal of users’ trust.

I would disagree with that statement. The user bought an Apple computer so they clearly trust Apple already. If anything, the new frameworks make the system more secure which strengthens that trust for users. The only people really affected by this change are users who want granular control over everything whether it comes from Apple or not.

I find this article[1] linked by RMS is prescient as well, for something published in 2003.

[1] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

I helped a friend of mine with her OS X laptop. She had installed something bad and it installed MITM proxy and its own CA and other things to totally own and inspect all of her web browser traffic including SSL. So these features that we find powerful and informative also do have a dark side for more novice users.

Someone else here recommended those, and now I have 11 for myself + my staff. They are great 2-port devices, with free GPIO pins too! Can do on-device VPN (openvpn, wireguard + tor) with a policy that kills internet access unless it's through the VPN.

why do you “trust” Apple?

In this case it's actually "just" a bug.

Installing any third-party software that inspects network traffic makes attacks which weren't previously possible now possible, since that software can be targeted.

> Do we really want to trust that Apple will keep all 50+ of these privileged services fully protected?

No.[1] That's what people need to start understanding.

Even if you decide to trust that someone will attempt to act in your best interests (you really shouldn't, see Google's extinct "do no evil" mantra), you can't trust anyone to do so perfectly.

All this aspirational goodwill that fans express on behalf of their favorite FAANGMUULA is the tech equivalent of flat earthing. The facts are simple: no software is perfect, you can't trust any software.

1: https://www.cvedetails.com/vendor/49/Apple.html

If you can get into apple’s system processes, you are already on the other side of the airtight hatchway. You can make sufficient changes to the system at that point that you can certainly mess with any user-installed firewall monitoring.

In any system with any kind of sane security model, being able to convince the Maps app to send arbitrary data to an arbitrary URL is not exactly the same thing as total change-stuff-not-even-root-has-access-to compromise.

Ah, yes, the "users actually want an operating system that undermines their every action" argument.

OK, but if it's a real security risk why do they only protect their own services? Why not have the user jump through a bunch of complex hoops like editing a plist file from an elevated terminal account? Hell, this is the os that makes it onerous to install software that didn't come from the App store. Clearly they don't mind throwing some user pain in front of basic activities.

User freedom means being able to command our computers to do anything, even if it's against the law or against the business interests of corporations. A free computer is by definition hostile to corporations and governments since it can be used against them.

Security as an industry is generally all about protecting the interests of corporations and governments. Just look at how they react when normal people use subversive technology like encryption. The people in power simply cannot tolerate anything they have no control over.

> Hell, this is the os that makes it onerous to install software that didn't come from the App store.

No, they really don’t. Unsigned software is a little onerous, but signed software can come from outside the Mac App Store.

Microsoft makes an OS too. And to use it I have to spend an enormous amount of time turning off all its daemons that phone home, harvest my personal information, show me ads, and force updates on me.

So no, I don't trust OS providers. I tolerate them and defend myself against them.

I disagree that it's reasonableness except in the short term. We're seeing a change in developers' opinions; my friends in video production were getting ready to ditch Apple due to their "professional" software and hardware products getting worse both in relative (hardware) and absolute (software) terms. Part of the Apple cachet is that these are professional tools; how long is their reputation going to hold up if those professionals leave the platform?

It's a touch of hubris to think that we are and will continue to be taste makers, certainly. Maybe Apple won't get burned by alienating this crowd. But it seems a risky strategy for dubious return.

Depending on your definition of "full access", you probably haven't truly had that for decades—on any broadly available computing system at least.

This conflating of purchasing with trusting is harmful. It's an ongoing trend I've seen with large tech companies, with arguments of the form "You accept a tiny X, therefore your rejection of the giant Y is invalid."

We buy things from companies we don't implicitly trust all the time, because we can isolate and verify those things.

I don't always trust the supermarket to sell me non-moldy produce, but I can look at the produce and see whether it's moldy.

I don't trust oil companies not to destroy the environment, but if they sell me bad fuel it will be very clear.

I don't trust OS makers, but I can run firewalls and network sniffers to verify that the OS is behaving reasonably, and isolate it when it isn't. Until I can't.

Oh come on! It is not because I spend most of my life inside a terminal that I don't prefer simple things over complicated ones.

Technical doesn't mean "unnecessarily complicated", it means "rich, expressive and built for users that are willing to spend some time to learn" (at least it should)

Local network access is a separate permission since iOS 14. I’m not sure whether that is for scanning or multicast only (e.g. finding devices such as Chromecast) or complete access to anything other that the gateway and dns servers.

I would be astonished if Apple doesn't at least experiment with key pinning for the services it has decided to "protect" in this way.

If pinning is used then you can't interfere by interposing a middlebox, the connection would just fail. I guess it's possible Apple would find corporate pushback is too strong, but maybe not.

Don't use things you don't trust. If you trust Apple's proprietary software at least you are getting exactly what you signed up for. Apple gets to do whatever they want, which you apparently trust them to do. Will they accidentally let in bad guys? Maybe. You signed up for that too.

I really thought about this yesterday, and the one program i really miss on linux would be Little Snitch. I need a good application firewall on linux.

Well, that's not the whole story: consider another example, the various parts of Safari. Apple wrote that, Apple wrote the whole OS…should they have access to a kernel task port? Shouldn't I trust them to not do bad things? Of course I do, since I use the browser–but I am glad that those are split into separate processes and sandboxed, because an exploit in any of those instantly turns this access into a confused deputy problem. A confused deputy is trustworthy–but they're confused.

Adding exceptions means adding more points of failure, more complexities in code, more opportunities for attackers to bypass restrictions placed on them but not on OS services. Not only that, but you get the upside of having a unified model for Apple and your app developers "for free"–the latter which is of critical importance to Apple in particular, since they have had years of trouble in this area.

Unfortunately, Apple often does 1 far more often than 2, whether it be because 2 is harder, or has a worse experience, or what have you. And Apple exempting themselves is really option 3 for themselves.

> Security as an industry

…is not a monolith. There are plenty of people in security interested in giving you freedom as a user, actually, many do it specifically for that reason.

> Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.

Wouldn't say I'm that smart. Wouldn't call myself a developer either. But I'm still kind of dismayed. I used to love macOS (or OS X to be precise), but the clock has been ticking for years now. Near every decision made about macOS future goes in the wrong direction (for me). Right now I'm looking at Manjaro. But still, I need the Adobe CC suite to get my work done, so I will have to use two machines. I hate running two computers. But that's probably where I'll end up.

I’m having trouble understanding your comment, but it sure sounds a lot like complaining about downvotes–that’s usually not well received.

There is trust and there is visibility. Here’s an alternative example I actually do quite often: I attach debuggers and such to system processes. Not because I don’t trust them to not do something malicious, but knowing what they are doing is always useful to me. If Mail is randomly reading files from my Documents folder, perhaps something is wrong with it. Maybe I should just tell it that I can’t look there and see why it might be doing so. These are things that give me more control over my system, not things I engage in because of a lack of trust.

Regardless of whether that want is feasible today, having something that gets closer to it is clearly the goal.

It depends on the host firewall... many quality operating systems allow host firewalls to apply process-based policy which your upstream certainly can’t achieve.

When we are talking about malware that's irrelevant. And if we are talking about inspecting Apple's traffic, I don't think you should trust things you see on their hardware running their operating system.

> If enough people said to Apple "hey, this stuff is not acceptable and we won't pay for it" and then they actually did follow through, Apple would stop.

“The market will price this out” doesn’t actually work because it assumes that 1. Apple’s product strategy is done to match market desires perfectly and 2. The decision to buy is solely predicated on this particular thing. The first is false because nobody can do that and the second is because people buy Apple products for other reasons than just that. I personally know many people (although this sample is of course unbiased) that buy Apple devices for a number of reasons (they work well, they look nice, they have good support) but hate that they can’t do thing on them. But their purchase decision doesn’t reflect their opinions on this particular issue.

Why not just give additional permission levels? I don't really get why so many permission models on what software can do are effectively "admin mode" or "user mode". Why can't you get a very strong warning when software tries to snoop on traffic, but you can still do it? Or maybe you have to go into settings and allow it or something like that.

When you rent space in a building, do you get access to every single apartment/office space in the building? No. You get access to specifically what you rented and the front door. The maintenance people for the building will have access to the front door and other maintenance areas, but won't have access to your space. We can clearly conceptualize models like that. We even have something like this on phones.

Trusting corporations (or any entity free from limitations and background checks) seldom bring the expected results.

Sounds like a business opportunity...

Actually, I don't think this is about trust. I mean, when I use an Apple OS, I (should) trust them, as their software has access to all my most sensitive digital information.

However, making it impossible to route the traffic of the system apps through a VPN of my choice (whatever the reason), is just broken functionality.

Both the tech-bro and the media production audience are now a rounding error of a rounding error for Apple. It is a consumer luxury brand first and foremost, and it derives 99% of net income from that. Catering to dorks in basements is a tiny legacy business and the support level for it is commensurate. (It probably actually only exists because Apple has its own share of dorks in basements.)

>The user bought an Apple computer so they clearly trust Apple

This is false, maybe I bought X because it was the least shitty choice.

There's OpenSnitch, but it's a WIP: https://github.com/evilsocket/opensnitch

If that goal is important to you, I agree. I disagree that this should be declared as a universal goal for all people.

If you buy a ticket to a commercial flight, you're trusting software with your life.

It's a matter of degree of trust and hazard at failure.

> A prime example would be rebooting into recovery mode to turn off system integrity protections via a terminal command.

I actually think the way Apple implemented this downright brilliant. As you say, it can't be done automatically, and it's definitely made to be a bit intimidating. At the same time, it's not difficult or onerous, that's a pretty hard balance to strike.

By contrast, when I try to install unsigned drivers in Windows, I feel as though Microsoft is fighting me, and I get annoyed basically every time. I've never had that feeling with SIP; when I get a new computer, I take off the training wheels I don't need, and move along.

That's assuming nobody cares about the opinions of tech people when they're buying tech.

It's not just that tech people are customers, it's that ten other customers will look at what the tech people are carrying and assume they're the ones to know what's good.

And developers write code for the platform they actually use first. And spend time fixing the problems with that platform that are keeping other people from using it. Then more non-developers switch to it because it's improving.

Safari does not behave as you've described. The subdomain (for example, 'gist' in 'gist.github.com') is displayed.

Apple's argument is typically "users ignore strong warnings".

I suspect that Safari uses Public Suffix or similar for that.

I’m trying to think of a powerful tool that is not dangerous. Still thinking

We are working on an alternative for both Linux and Windows: https://safing.io/portmaster/

Not only is it an application firewall, but also gives you DNS filtering (ie. Pi-Hole basics) and DNS-over-TLS.

If you check it out, we'd love to hear some feedback! (Full UI revamp incoming)

We're on it: https://safing.io/portmaster/

Sorry then. I had read something anti-foss the other day (probably on Reddit) which seemed to have a hidden agenda behind it like in the old days. As far as having a “it just works” experience- sticking with the Lenovo and Dell professional lines has worked out pretty well for me.

It would work with HTTPS if you can set your software to accept a self-signed root cert. That's a significant if, however.

That's fine but you bought it. When it comes down to it, America and capitalism run on the premise that you vote with your dollar. You voted with your dollar regardless of the mental gymnastics you did or didn't do to make that decision.

Same situation with a government:

Even if you believe all the MPs / representatives are trustworthy and intend to act in your best interests, their competence is going to be limited, so we need to checks and balances and a limit on their power.

How do you get around TLS with cert-pinning?