Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

"You have to trust Apple", it's said. But I suspect that if you actually knew how much your Apple devices were phoning home to Cupertino, you wouldn't trust Apple anymore. Using Little Snitch (the kernel extension) was a real eye opener for me. Especially when I allowed Little Snitch to block all Apple processes (by disabling the built-in iCloud Services and macOS Services rule groups).

This may be a good time to remind folks of my blog post where I explain how Catalina phones home when you run unsigned executables, including shell scripts! In the article I mentioned that you can prevent this with Little Snitch. But that was the LS kext. Is it even possible anymore? https://lapcatsoftware.com/articles/catalina-executables.htm...

Let me just quote one comment from the HN discussion of that article: https://news.ycombinator.com/item?id=23278253 "Making this about speed is burying the lede. From a privacy and user-freedom perspective, it's horrifying. Don't think so? Apple now theoretically has a centralized database of every Mac user who's ever used youtube-dl. Or Tor. Or TrueCrypt."

It's all too easy to dismiss the privacy violations that we're not aware of. Out of sight, out of mind.

Apply Occam's Razor.

Why would the most successful company in history—a success gained in no small part through protecting users, selling hardware and services instead of their data, and promoting and enhancing privacy as a first-class feature—do that sort of thing? What possible benefit could such a centralized database serve? How's that gonna make them more money?

That quote—“Apple now theoretically has a centralized database of every Mac user who's ever used youtube-dl.”—is somewhat misleading.

Apple doesn’t get script contents, it only gets a hash. Of course, if Apple really wanted, they could maintain a DB of hashed contents of every possible version of youtube-dl script, and do their best to match it up with what users execute. However, even that far-fetched scenario falls apart the moment you wrap youtube-dl invocation in a convenience script—as only the hashed content of the script you invoke is submitted for notarization check, not every binary or script further launched by it.

Why are scripts even getting notarization checks when scripts cannot be notarized???

We shouldn't need to tell a story about how it would be difficult for Apple to exploit data they have about us, because they simply shouldn't have this data about us.

The whole "We can trust Apple with our data" line starts with a flawed assumption: that Apple should be allowed to collect data from us. False. And it's important to note that none of this data collection was ever explained or even disclosed to users. We had to discover it by reverse engineering. Extremely shady practice by Apple. It doesn't matter if the "intentions" were good. Secretly collecting data is never acceptable.

And let's never forget, Apple has been actively collaborating with authoritarian governments to shut down pro-democracy activism. That's not just a theoretical possibility, it actually happened.

The very possibility of Macs phoning home for every shell script would have been considered a crazy conspiracy until we discovered that's it's actually a real thing. So it's a bit ironic to suggest that Apple's exploiting this data is just a crazy conspiracy theory.

> And let's never forget, Apple has been actively collaborating with authoritarian governments to shut down pro-democracy activism. That's not just a theoretical possibility, it actually happened.

I wonder why any time I see these claims, they’re never accompanied by anything resembling reliable evidence.

> The whole "We can trust Apple with our data" line starts with a flawed assumption: that Apple should be allowed to collect data from us.

Apple is free to do that, as a private entity in a free market; you on the other hand are free to vote with your wallet and your time by buying their devices and developing for their ecosystem (or not).

You’re entitled to not believe that the end goal (security) is not justified or achieved by the means (notarization, Gatekeeper, etc.), but somehow you are not making that argument.

> I wonder why any time I see these claims, they’re never accompanied by anything resembling reliable evidence.

Because the stories have been on all the news sites, it's common knowledge, and thus it would be superfluous to submit detailed documentation every time it's mentioned? I can't help it if you're not informed about politics and tech.

> you on the other hand are free to vote with your wallet and your time by buying their devices and developing for their ecosystem (or not).

People always say stuff like that, but do they really mean it? It feels like just empty rhetoric to shut down criticism of Apple, not an actual suggestion. I've been a professional Mac developer for over a dozen years, my software has been enjoyed by countless people, and I've also provided many tech insights enjoyed by many people, including this one under discussion, as well as the Google Chrome bug story that's been going around — that's me too! Are you seriously saying I should pack my bags and leave the Apple ecosystem forever and no longer write software for the Mac or write blog posts about it? Is that what you really want? Is that what people in general want, for me to leave the Mac? Don't say it unless you mean it, and are willing to drive away longtime Mac users and/or developers like me.

I hope you'll enjoy your "curated" criticism-less ecosystem with no actual developers who care about the Mac.