macOS unable to open any non-Apple application

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts

Edit: working as usual now, moments after i wrote this. But seriously Apple, how can you allow this to happen? Your services hanging should _never_ prevent my device from running things locally. This is seriously making me reconsider my next computer purchase.

EDIT: This might indeed be Big Sur-release-day related. Most certificate revocation failures are "soft", but with ocsp.apple.com black-holed in /etc/hosts I can't resume downloading the update.

[1] https://twitter.com/lapcatsoftware/status/132699029641299148...

Wait for at least one week and check out other people's experiences first.

This is really terrible, but at least the workaround is simple.

And people somehow still love their macs...

This code signing enforcement stuff has gone way too far. Heads should roll for this.

I've found a work around for now.

* Turn off wifi

* Reboot

* Open everything you need

* Turn wifi back on

Can't believe Big Sur is somehow affecting my Mohave Mac! Yikes!

cs_enforcement_disable=1 amfi_get_out_of_my_way=1

echo '127.0.0.1 ocsp.apple.com' | sudo tee -a /etc/hosts

To save yourself the headaches and frustrations, wait for the bug fix releases and updates to come first before installing this very first new release.

It makes no sense to immediately update the system and then risk your computer being rendered unusable with such bugs and problems whilst having a deadline hanging over your head.

It's not, per se. The apps will launch if you block the specific subdomain, or turn off internet. The problem is if the computer thinks it can connect and keeps trying.

[1] https://www.gnu.org/philosophy/can-you-trust.en.html

[2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

I wrote an article about this a couple weeks ago because of the temporary revocation of HP's signing cert for printer drivers on the Mac:

https://lapcatsoftware.com/articles/revocation.html

Of course if everyone does this, there is no experience upon which to draw.

Furthermore, the title is straight up wrong: this is not related to Big Sur and is in fact also affecting other versions with Gatekeeper.

And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.

I don’t know what to tell you, beyond the fact that all use cases are not the same, apparently.

> A better fix to this is:

> - Turn off Wifi (to be usable)

> - Add "0.0.0.0 http://ocsp.apple.com" to `/etc/hosts`

> - Turn on Wifi

> This is temporary, don't forget to remove it tomorrow.

A database like an "app store"?

If they know the hash of (let's say) a pr0n app which you run, then I'd say that's pretty damn sensitive information Apple is getting.

Good connection -> Fine

Spotty connection -> Problematic.

Basically, they didn't include a timeout in their network code.

https://news.ycombinator.com/item?id=23281564

ocsp.apple.com 127.0.0.1 in /private/etc/hosts got it moving again.

https://news.ycombinator.com/item?id=25074959

`sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool true`

Unix workflows like to call hundreds of small programs.

If Apple doesn't respond in time, your system halts.

Well, how interesting that Apple's software is going to be bypassing Little Snitch, making it harder to discover and fix this sort of issue.

You can also add this to your /etc/hosts file:

0.0.0.0 ocsp.apple.com

That seems to happen on MacBook Pros when the computer boots or wakes from sleep with the WiFi turned on, but the WiFi router can't connect to the Internet for whatever reason.

I sure love the SAAS future we are heading forwards.

I think this is about MacOS Big Sur, aka MacOS 11, which released today?

or maybe don't depend on apple to allow you to run programs on your OWN computer. that hosts rule should stay in place...

Think about someone having a dating app that would out them. Or a therapy app that they don't want people to know about. And that just scratches the surface.

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

It’s a huge problem on Windows where Explorer.exe still blocks the UI thread while it checks SMB shares if it thinks it can connect to them, but it skips them if it knows the computer is disconnected from a network. So using a Windows computer on a very spotty WLAN is actually more painful than being disconnected due to all the timeouts and dropped packets. Office Outlook is another main offender. I have a Windows Firewall rule just for Outlook.exe when I know it’s going to lock-up a lot.

I bought the new mac, but I'm planning to dwell in the terminal and browser. My exposure to Apple's closed garden is very limited but I dread the day when it's forced upon me. Then I would need to switch hardware despite Apple's form factor being my ideal type (light and battery life+++).

https://system76.com/laptops

/s obviously.

I bought the new mac, but I'm planning to dwell in the terminal and browser. My exposure to Apple's closed garden is very limited but I dread the day when it's forced upon me. Then I would need to switch hardware despite Apple's form factor being my ideal type (light and battery life+++).

Use linux folks! It doesn't communicate with a third party when a process starts up!

Phoning home on every app launch seems insane to begin with.

But if you're gonna go there, at least be prepared for the inevitable.

Any recommendations? I’ve heard good things about System76.

https://news.ycombinator.com/newsguidelines.html

It’s not like Apple us building a database of apps you’ve launched linked to your address and social security number.

Right there with ya.

tbh, I'm a huge fan of macs but only really because I use it as a client/screen.

I was in the middle of a call to fix a problem with a customer, I need to near-panic telling them MY computer was frozen.

Thanks Apple!

Apple folks in this thread, this was terrible

This is about when I remember seeing it: https://medium.com/@acecilia/apple-is-sending-a-request-to-t...

Idk, the several Linux distros I’ve used recently, and Windows, have a much longer list of “shit _I_ put up with”

There are some work around in this thread but in reality you don't know how and when Apple may choose to automatically re-enable it without your consent.

* You should probably just smack you Mac with a rock just to be sure ;)

https://medium.com/@acecilia/apple-is-sending-a-request-to-t...

Imagine no car or train in the region starting because of a server outage. People would riot on the streets. But for some reason in the IT world this kind of crap is marketed as a feature.

The biggest draw of mac:

1. slim, light 2. long battery life. 3. track pad.

That's all I want, but nobody else offers it on the same spec, the difference is even bigger with M1.

Linked to your identity if you have a credit card saved for say iTunes.

If you could point to any documentation of Windows performing app-start OCSP checks, I'd love to learn more (and recant my earlier statement).

After I restarted it I could actually launch apps other than terminal again.

And anyway, when we are talking about a phone, it would be literally impossible to run an app store without recording (and personally identifying!) that information. Maybe that's one more argument to allow third-party app stores, which I'm not against (though who knows if they're more trustworthy with that data?), but nevertheless.

My point is that in the grand scheme of privacy concerns, this is a very silly hill to die on. In the grand scheme of system reliability, on the other hand, it's totally legitimate to be upset that this effectively took down thousands of expensive workstations across the world for a few minutes.

After 11 years of MBPs as my main computer, I left because of crappy hardware (keyboards, missing Esc and Fn keys). I'm now very happy on a System76 laptop running PopOS.

With each new release of the OS, getting more and more locked down, I am happier that I moved on when I did.

The long term trend with Apple is for their computers to get more and more closed. First hardware, and now software. I get that for a phone, but it is completely antithetical to what a COMPUTER is supposed to be. They really should stop calling these things computers.

Huh.

After typing the above, I decided to check. THEY DO NOT call Macs "computers". I searched the pages for MBPs, iMacs, and Mac Pros. They use the word "computer" in connection with trade-ins, (for the thing you are trading in), and they use the phrase "computer system" in fine print, and never to refer to their products directly.

APPLE, IN THEIR OWN WORDS, NO LONGER BUILDS COMPUTERS. That explains so much.

It isn't just checking for malware, its broadcasting your app opening behavior to apple and anyone else who might be listening.

> It’s not like Apple us building a database of apps you’ve launched linked to your address and social security number.

You know this how? Seriously, I don't get why you would believe that.

Much faster, updates relatively quickly, and not subject to network outages.

It is also trivially linked to ip address, which is usually personally identifying.

Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.

I get what they were trying to do with it to improve security/privacy, but the execution fell flat (as we've now witnessed).

If you can provide a Wireshark filter that will show a certificate check on a vanilla Ubuntu 20.04 system when the following commands are executed in a bash shell, then I will donate $25 to a charity of your choice. Commands follow:

    cat <<HEREDOC >/tmp/file.c
    #include <stdio.h>

    int main() {
      printf("Hello World");
      return 0;
    }
    HEREDOC
    gcc /tmp/file.c -o /tmp/app
    /tmp/app

Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond to just users in this case.

Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).

All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.

What the hell? You have to wait 30 seconds before you can run unsigned code on Windows without calling home to Microsoft about it? How is that considered sane? (I mean, forking on windows is slow but it's not that slow.)

How do people (and corporations! Especially ones sensitive to sharing IP!) put up with this stuff?!

A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).

Now when I get my new mac, I'm going to find a way to opt out of this.

Consumer and commercial software is just all bad.

Your Mac hardware is a brick if Apple's servers aren't running!

(it's still prudent to Google for compatibility before the purchase though, since sometimes peripherals (like the webcam) on new models can be problematic)

Does no one here have principles?

Great example of how you should never block UX on network requests.

Translation: "I've got nothing to hide".

Like so much of the modern security activity, it doesn't seem to be fully thought out, nor was the possibility of failure considered.

Or maybe such failures were considered and then dismissed? I don't know.

What is frustrating is they didn’t handle this situation like they do if I’m offline - don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway. would have solved this eventuality

Don't limit freedom at once. Do it one by one so the impact seems low.

What are the chances that any of the big tech companies take orders from a fascist to block all the harmful software in their country?

Non zero. People in HK know this. I want to know how they felt about their choice to buy iPhone at that moment.

Apple seems to do all kinds of weird networking _stuff_ [...] https://news.ycombinator.com/item?id=24838816

(As someone else already linked: https://www.gnu.org/philosophy/right-to-read.en.html)

Dell's XPS 13 line has Linux support (the Dev Edition comes with Ubuntu), I bought one of these and it's great. Only big problem was thermald/RAPL would keep the SOC at 15W after a very short 'boost' - updating to master fixed this problem... but Linux still requires 'tweaking'.

Another example: sleep on the XPS is not S3, but S2Idle - so it uses extra power when sleeping (A compromise so it wakes up faster). This can be fixed with some tweaking, if desired.

I've also heard good things about Lenovo laptops running Linux.

I'd check the archwiki (even if you don't want to run arch) for any laptop you're considering. There's good advice in the articles.

If I had to buy again, I'd look closer at what S76 offers. I really liked my old Chromebook Pixel 1 because of its open firmware (after I re-flashed) and excellent Linux support. I wish I had looked closer at S76, honestly.

I'm thinking specifically of Firefox, but others too.

Take a look at the macOS App Store medical section. Doing a quick scan of the top apps there is one app to help with some diabetes pump, one for a personal ECG machine, one that says it's a "mobile lactation consultant". Those can reveal a lot about a person that they might want to keep private. Searching "therapy" or "dating" also shows many results that people might want to keep private.

I use desktops 99% of the time (it's more ergonomic), but I have an old XPS for occasional travel.

This is Apple we are talking about, which has the strongest privacy commitment of any device maker, and no advertising business outside of the App Store. Linking IP addresses to app certificate requests provides them zero benefit and exposes them to substantial brand damage.

As it turns out, there are some downsides.

And frankly, a benevolent dictatorship is basically the best government you can have, as long as you're part of the "in-group" who doesn't push boundaries, doesn't cause trouble, and supports the supreme ruler, Kim jon... cough* Apple.

---

The problem is that no matter how good the dictatorship might be today, it will eventually bite you. You will either develop a need that isn't addressed, or they will change the rules so you are no longer able to satisfy an existing need.

We're seeing this now with Google - Their motto was literally "don't be evil" for a long time. And during that golden period their users loved them. But as Google has shifted from "don't be evil" to "Make lots of money" people are starting to shift away.

Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.

I'd assume that's what most corporations do, since that's what it's there for.

I wouldn't 100% forsake the benefits of this stuff, since it does protect normal users - defender on modern Windows installs is good software and really does its job well, while staying out of your way most of the time. I'd leave it on for my parents.

Esp. rational corporate buyers are not going to want some 'cool new hardware' if they can't do basic things.

Makes you think about MS's existential 'always backwards compatible' philosophy.

They don’t have any significant advertising business. They don’t need to collect any personally identifiable information. They’ve promoted their brand by putting their customers privacy first.

So why would you believe they would intentionally risk all of that here?

I downloaded steam from the steam page, windows blocked it. I downloaded Chrome, windows blocked it. What's even the fucking point?

The central company server didn't go down. If it was down there would be no problem. The problem is that the server is slow.

But not for Apple where advertising revenues a rounding error on a rounding error, and they’ve built their brand on their commitment to privacy.

Your description of them was also not exactly flattering.

how do you do that without defeating the security? Now a malicious attacker just has to wait for a moment when you aren't connected before launching their payload.

Still sounds to me like Apple rolled out a huge (logical) trojan horse, as a potential weapon in terms of nation state cyber warfare.

Probably not at all with that intention. But I doubt that any government willing to abuse this "opportunity" will give a fuck about that. Don't underestimate the power (and disruptive) effects of being able to practically disable a whole brand of popular computer hardware. Heck, even the ability to threaten with it (privately, through diplomatic channels) can (and probably should) be considered a serious weapon. So yeah .. "thank you" Apple.

Defender is a traditional hueristic-based AV with on-disk and live load scanning and an offline database. SmartScreen is a reputation-based (certs + "how many people ran this") checker, and is much more visible. Win10 runs both.

Do you put URLs in /etc/hosts now? The mind boggles at the ways of Apple

> "Don't be evil" is a phrase used in Google's corporate code of conduct, which it also formerly preceded as a motto.

> Following Google's corporate restructuring under the conglomerate Alphabet Inc. in October 2015, Alphabet took "Do the right thing" as its motto, also forming the opening of its corporate code of conduct.[1][2][3][4][5] The original motto was retained in Google's code of conduct, now a subsidiary of Alphabet. In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence.[6]

I know saying Google removed Don't Be Evil is something of a trope, but the truth is a little more complicated. And, of course, the presence or absence of this phrase has no necessary bearing on the degree to which they are perceived as evil or not!

I already expect the ISP to detect my Tor traffic.

But I didn't expect Apple, of all companies, to have a detailed audit trail of every time I've ever opened it, to the nearest minute.

Proof that if you are signed into any of their cloud services they know who you are? Is this a serious question?

Do I have proof that they could be ordered by a court to store it? Of course, that's how warrants work.

Do I have proof they are currently storing it? No, nor was that ever the claim.

Also, my understanding is that it’s a hash of the binary being checked so if it failed the verification the first time when you were connected you would have received a warning and the OS would block that executable on your system or given a warning or something? Not sure tbh.

The honeymoon is already over. A post like yours would have got several downvotes up to less than two years ago. I noticed that honest critics to Apple are tolerated now, since at least about one year ago.

Linux does provide application-level and per-application security, as well as sandboxes, but they exist to help the user and the user has complete control over them and their system.

What’s the matter with privacy? That’s a basic signature check, and you can do so while preserving privacy by using salted hashes or a similar solution.

https://www.weforum.org/agenda/2016/11/shopping-i-can-t-real...

Basically Final Cut Pro and Logic Pro might forever be faster than any 3rd party software package by having access to IP blocks that aren't exposed to other developers complete with signature check to prevent reverse-engineered use...