
1183 points robenkleene | 6 comments
_qulr ◴[] No.24844030[source]
"You have to trust Apple", it's said. But I suspect that if you actually knew how much your Apple devices were phoning home to Cupertino, you wouldn't trust Apple anymore. Using Little Snitch (the kernel extension) was a real eye opener for me. Especially when I allowed Little Snitch to block all Apple processes (by disabling the built-in iCloud Services and macOS Services rule groups).

This may be a good time to remind folks of my blog post where I explain how Catalina phones home when you run unsigned executables, including shell scripts! In the article I mentioned that you can prevent this with Little Snitch. But that was the LS kext. Is it even possible anymore? https://lapcatsoftware.com/articles/catalina-executables.htm...

Let me just quote one comment from the HN discussion of that article: https://news.ycombinator.com/item?id=23278253 "Making this about speed is burying the lede. From a privacy and user-freedom perspective, it's horrifying. Don't think so? Apple now theoretically has a centralized database of every Mac user who's ever used youtube-dl. Or Tor. Or TrueCrypt."

It's all too easy to dismiss the privacy violations that we're not aware of. Out of sight, out of mind.

replies(2): >>24844381 #>>24845966 #
jachee ◴[] No.24844381[source]
Apply Occam's Razor.

Why would the most successful company in history—a success gained in no small part through protecting users, selling hardware and services instead of their data, and promoting and enhancing privacy as a first-class feature—do that sort of thing? What possible benefit could such a centralized database serve? How's that gonna make them more money?

replies(2): >>24844454 #>>24846051 #
1. strogonoff ◴[] No.24846051[source]
That quote—“Apple now theoretically has a centralized database of every Mac user who's ever used youtube-dl.”—is somewhat misleading.

Apple doesn’t get script contents, it only gets a hash. Of course, if Apple really wanted, they could maintain a DB of hashed contents of every possible version of youtube-dl script, and do their best to match it up with what users execute. However, even that far-fetched scenario falls apart the moment you wrap youtube-dl invocation in a convenience script—as only the hashed content of the script you invoke is submitted for notarization check, not every binary or script further launched by it.

replies(1): >>24846466 #
2. _qulr ◴[] No.24846466[source]
Why are scripts even getting notarization checks when scripts cannot be notarized???

We shouldn't need to tell a story about how it would be difficult for Apple to exploit data they have about us, because they simply shouldn't have this data about us.

The whole "We can trust Apple with our data" line starts with a flawed assumption: that Apple should be allowed to collect data from us. False. And it's important to note that none of this data collection was ever explained or even disclosed to users. We had to discover it by reverse engineering. Extremely shady practice by Apple. It doesn't matter if the "intentions" were good. Secretly collecting data is never acceptable.

And let's never forget, Apple has been actively collaborating with authoritarian governments to shut down pro-democracy activism. That's not just a theoretical possibility, it actually happened.

The very possibility of Macs phoning home for every shell script would have been considered a crazy conspiracy until we discovered that it's actually a real thing. So it's a bit ironic to suggest that Apple's exploiting this data is just a crazy conspiracy theory.

replies(1): >>24848384 #
3. strogonoff ◴[] No.24848384[source]
> And let's never forget, Apple has been actively collaborating with authoritarian governments to shut down pro-democracy activism. That's not just a theoretical possibility, it actually happened.

I wonder why any time I see these claims, they’re never accompanied by anything resembling reliable evidence.

> The whole "We can trust Apple with our data" line starts with a flawed assumption: that Apple should be allowed to collect data from us.

Apple is free to do that, as a private entity in a free market; you on the other hand are free to vote with your wallet and your time by buying their devices and developing for their ecosystem (or not).

You’re entitled to not believe that the end goal (security) is not justified or achieved by the means (notarization, Gatekeeper, etc.), but somehow you are not making that argument.

replies(1): >>24848530 #
4. _qulr ◴[] No.24848530{3}[source]
> I wonder why any time I see these claims, they’re never accompanied by anything resembling reliable evidence.

Because the stories have been on all the news sites, it's common knowledge, and thus it would be superfluous to submit detailed documentation every time it's mentioned? I can't help it if you're not informed about politics and tech.

> you on the other hand are free to vote with your wallet and your time by buying their devices and developing for their ecosystem (or not).

People always say stuff like that, but do they really mean it? It feels like just empty rhetoric to shut down criticism of Apple, not an actual suggestion. I've been a professional Mac developer for over a dozen years, my software has been enjoyed by countless people, and I've also provided many tech insights enjoyed by many people, including this one under discussion, as well as the Google Chrome bug story that's been going around — that's me too! Are you seriously saying I should pack my bags and leave the Apple ecosystem forever and no longer write software for the Mac or write blog posts about it? Is that what you really want? Is that what people in general want, for me to leave the Mac? Don't say it unless you mean it, and are willing to drive away longtime Mac users and/or developers like me.

I hope you'll enjoy your "curated" criticism-less ecosystem with no actual developers who care about the Mac.

replies(2): >>24848683 #>>24855855 #
5. schwartzworld ◴[] No.24848683{4}[source]
> people always say stuff like that, but do they mean it?

No, of course not. It's a pointless thing to say, equivalent to "if you don't like the laws in America, move somewhere else." Easier said than done, for starters.

But also, if developers and power users aren't allowed to criticize or give feedback, then who is? Apple needs us more than we need it, so of course you should have a voice.

6. strogonoff ◴[] No.24855855{4}[source]
> Because the stories have been on all the news sites, it's common knowledge, and thus it would be superfluous to submit detailed documentation every time it's mentioned?

Those are the claims, yet every time I dig deeper I see how from “actively collaborating with authoritarian governments to shut down pro-democracy activism” they are reduced to “complying with local laws” within a single brief conversation.

Sure, in some countries the latter is a superset of the former. In such countries, violation of ethical norms could be required in some situations to comply with local law. However, it doesn’t mean that any instance of the latter always requires the former, nor that Apple had ever faced this choice, nor that if put in this situation Apple would agree to actually do the former as opposed to exiting the market (which, exiting, I suspect is a scenario CCP would very much prefer to avoid).

I will roughly delineate the difference based on two concrete example situations:

1) Complying with the requirement to store encryption keys for Chinese user data on Chinese servers = complying with local laws.

2) Providing personally identifiable information about individual Apple users at request of CCP, or helping CCP representatives hack into Apple devices = collaborating to shut down activism.

If you have any evidence of anything along the lines of (2), I’m all ears (as I’m sure is any tech journalist worth their salt).

> Are you seriously saying I should pack my bags and leave the Apple ecosystem forever and no longer write software for the Mac or write blog posts about it?

I’ll level with you here. I’m not a professional Apple developer making a living from selling my software to end-users, but I dabble, and I am very deep in Apple’s hardware and software, preferring them to any other alternative in the market. It would be an extreme lifestyle change, but if I had reasons to believe that Apple had indeed collaborated with CCP to shut down activism, due to my personal views I would have to exit Apple’s ecosystem and start hacking on a PinePhone or something.

That said, if a country like China doesn’t want its citizens’ data encryption keys to live on servers in a country like the USA, I don’t believe that’s outrageous; if you’re an activist, you’ll be aware of that and make arrangements. There’s a line, but this does not cross that line as far as I’m concerned.