Most active commenters
  • nmg(3)
  • jachee(3)

←back to thread

macOS unable to open any non-Apple application

(twitter.com)
2603 points mattsolle | 44 comments | 12 Nov 20 21:00 UTC | HN request time: 0.965s | source | bottom
Show context
modeless ◴[12 Nov 20 21:30 UTC] No.25075336[source]
You've got to be kidding me. When Apple's servers are down, all Macs worldwide start freezing randomly? My XCode is hanging during builds, is this why?

This code signing enforcement stuff has gone way too far. Heads should roll for this.

replies(7): >>25075369 #>>25075380 #>>25075549 #>>25075960 #>>25076693 #>>25079741 #>>25080072 #
p1necone ◴[12 Nov 20 21:49 UTC] No.25075549[source]
Wait what happens if you don't have an internet connection? Can Macs not be used offline any more, surely that's still a relatively common use case for a laptop even today in a lot of places?
replies(7): >>25075778 #>>25075945 #>>25076204 #>>25078280 #>>25078541 #>>25081169 #>>25083116 #
1. josephcsible ◴[12 Nov 20 22:07 UTC] No.25075778[source]
My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.
replies(3): >>25075909 #>>25076399 #>>25076495 #
2. Spivak ◴[12 Nov 20 22:16 UTC] No.25075909[source]
Unfortunately there’s not a way to differentiate “we’re online but Apple’s servers are having issues — probably fine” and “we’re online and something something is preventing us from talking to them — something nefarious might be happening.”
replies(1): >>25076601 #
3. 8note ◴[12 Nov 20 22:58 UTC] No.25076399[source]
That still seems weird. Why does running unrecognized software become safe when you're off line?
replies(3): >>25076483 #>>25077222 #>>25082161 #
4. sprt ◴[12 Nov 20 23:05 UTC] No.25076483[source]
Yes, can someone clarify this? What the hell is going on here?
replies(1): >>25077571 #
5. berryg ◴[12 Nov 20 23:06 UTC] No.25076495[source]
I experienced this a couple of weeks ago. My wifi was up, but my internetprovider was down. My Macbook came to a halt. Nothing worked anymore. The whole machine was extremely slow. When the internetprovider came back up again, everything was fine again.
replies(2): >>25077853 #>>25078261 #
6. alistairSH ◴[12 Nov 20 23:14 UTC] No.25076601[source]
Local copy of whatever Apple is checking? Update that daily (on sign on or something). Not going to catch zero day type stuff, but better than making the laptop unusable.
replies(3): >>25077846 #>>25077865 #>>25079683 #
7. type0 ◴[13 Nov 20 00:24 UTC] No.25077222[source]
It's a security theater
replies(4): >>25077806 #>>25078011 #>>25079751 #>>25080381 #
8. db48x ◴[13 Nov 20 01:04 UTC] No.25077571{3}[source]
It doesn't become safe when you're offline, it's just that you're no worse off than you were. OCSP is s a certificate revocation protocol. It's only used for disabling certificates which were issued in good faith but now need to be revoked. Suppose Apple signs application X, and the signature is good for a year. Six months later, Apple discovers that application X contains malware, so they revoke the certificate. However, your computer doesn't know about the revocation until it checks the OCSP server, which requires you to be online. If you're offline, it just skips the check; the certificate wasn't revoked yesterday, so it's probably fine today too. The bug is that if you're connected to a network but can't contact the OCSP server (either because the OCSP server is down, or because you're not connected to the internet) then OSX keeps trying to connect and becomes sluggish and/or unresponsive. This is how we know that it's a defect rather than a deliberate choice; if they had decided to make the OS non−functional unless connected to the internet they would have done a better job of it.

It wouldn't surprise me if they one day wanted to require you to be online 100% of the time so that you can't skip the OCSP checks on applications, but I don't think that would go over very well. Apple wouldn't even be the first to produce applications that refuse to work if there's no internet connection. If you don't like the thought that they might one day spring this on you, I recommend investigating Linux.

9. nmg ◴[13 Nov 20 01:35 UTC] No.25077806{3}[source]
Thank you. Phrased perfectly.

It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function.. masquerading as security.

macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.

replies(2): >>25077953 #>>25078576 #
10. Spivak ◴[13 Nov 20 01:41 UTC] No.25077846{3}[source]
I think the point is that that database is too large to store on a single machine which is why it has to be ad-hoc queried and cached. I mean it will have the signature of every program run on a Mac.
replies(1): >>25092269 #
11. kps ◴[13 Nov 20 01:42 UTC] No.25077853[source]
So you can't use a computer on an airgapped network? That seems counterproductive if the objective is security.
replies(1): >>25077877 #
12. jagger27 ◴[13 Nov 20 01:43 UTC] No.25077865{3}[source]
I don’t really want a giant hash table on my disk either.
replies(1): >>25078177 #
13. floatingatoll ◴[13 Nov 20 01:44 UTC] No.25077877{3}[source]
If your computer is actually airgapped and has no networking interfaces configured, you won't have this issue.

If your computer is able to resolve DNS for ocsp.apple.com but to connection-timeout all traffic, yes, you could possibly reproduce today's issue.

replies(1): >>25078423 #
14. bnj ◴[13 Nov 20 01:56 UTC] No.25077953{4}[source]
I agree that it’s security theater and a suspect implementation, but I was playing a game of “let’s imagine why someone might do this...”—

I’m wondering, suppose it was designed this way because part of the goal is to prevent the spread of malware, the fastest means of which is an internet connected computer. In that event, the feature only intrudes when the computer, by virtue of it’s internet connection, is a member of the threat class.

So... plausible?

replies(2): >>25078107 #>>25088723 #
15. johncolanduoni ◴[13 Nov 20 02:06 UTC] No.25078011{3}[source]
Mandatory OCSP is security theater? That’s a pretty bold claim.
replies(1): >>25078132 #
16. nmg ◴[13 Nov 20 02:22 UTC] No.25078107{5}[source]
Apple built the computer; I exchanged money for the computer; now I own the computer.

Apple does not own the computer.

If Apple wants to own the computer, they can pay me instead.

replies(1): >>25079446 #
17. josephcsible ◴[13 Nov 20 02:26 UTC] No.25078132{4}[source]
Mandatory OCSP that fails open when you're offline is security theater.
replies(1): >>25078452 #
18. esclerofilo ◴[13 Nov 20 02:36 UTC] No.25078177{4}[source]
A Bloom Filter[1] could be used as a lighter alternative. You probably have at least one of those in your disk now.

[1]: https://en.wikipedia.org/wiki/Bloom_filter

19. aunty_helen ◴[13 Nov 20 02:51 UTC] No.25078261[source]
Had the same thing earlier in the week as the isp was doing maintenance two nights in a row. 5+ seconds to start sublime and other really basic apps. Apple apps had no problem of course.

Remembering the notarization problems people were having months ago I did some tests and confirmed.

Now have little snitch installed again and my laptops going to be an Apple orphan. So I never noticed this problem today by virtue of it pissing me off 2 days before.

replies(1): >>25079331 #
20. kps ◴[13 Nov 20 03:16 UTC] No.25078423{4}[source]
Airgapped network — an IP LAN not connected to the internet. These do exist, sometimes permanently for security reasons, and sometimes just where external connectivity sucks but you still want your laptop to talk to your NAS.
replies(2): >>25079265 #>>25080545 #
21. snowwrestler ◴[13 Nov 20 03:22 UTC] No.25078452{5}[source]
OCSP fails open by definition because it is a revocation protocol. In the absence of revocation, a valid cert continues to be valid.

The problem here is simply that Apple did not build a short enough timeout into their client.

replies(1): >>25080027 #
22. snowwrestler ◴[13 Nov 20 03:42 UTC] No.25078576{4}[source]
If you point the request at localhost, the problem resolves. This means that a cable getting cut in Cupertino won’t matter. It is a revocation protocol; it fails open.

The problem today is that not that the connection to the server failed, but that it succeeded very slowly. The result was an accidental denial of service on the client.

It is a bug, and an easily fixed one at that.

replies(1): >>25078757 #
23. tomxor ◴[13 Nov 20 04:08 UTC] No.25078757{5}[source]
This particular issue is easy to work around for technical users; the _problem_ is the philosophy that made it possible.

This is the reason I can no longer use Apple computers - the continuous battle they are waging against the users freedom on all fronts - the anxiety of what they will do next to _my_ computer is too much.

replies(1): >>25079438 #
24. justinclift ◴[13 Nov 20 05:39 UTC] No.25079265{5}[source]
Agreed. These are really useful in various settings, but seem to be outside of most people's experience.
25. hackerfromthefu ◴[13 Nov 20 05:50 UTC] No.25079331{3}[source]
Might as well get a chromebook then hahaha
26. jachee ◴[13 Nov 20 06:10 UTC] No.25079438{6}[source]
Good luck finding a suitable replacement. Microsoft does unpredictable things to Windows. Linux maintainers do unpredictable things to all sorts of things.

Your only real recourse is to compile everything from source after a thorough review every time...

...or else trust someone.

Sure Apple had a problem here, but there are so many other reasons to trust them over any other org that I can't in good conscience switch platforms, because there's so much more anxiety elsewhere.

replies(2): >>25079462 #>>25087766 #
27. jachee ◴[13 Nov 20 06:11 UTC] No.25079446{6}[source]
They own the software.

You didn't pay for that. You licensed it from them.

replies(1): >>25081596 #
28. heavyset_go ◴[13 Nov 20 06:14 UTC] No.25079462{7}[source]
> Linux maintainers do unpredictable things to all sorts of things.

With Linux you don't have to worry about every program you launch being reported to the mothership, or that failure of the mothership to respond would cause your computer to not function.

replies(1): >>25079548 #
29. jachee ◴[13 Nov 20 06:26 UTC] No.25079548{8}[source]
If you're not reading all the source of everything you're running, any or all of it it absolutely could be reporting usage/stats/your data to a "mothership".

Just because there's no single central org involved doesn't mean there aren't risks.

replies(3): >>25079992 #>>25081276 #>>25086229 #
30. noobermin ◴[13 Nov 20 06:48 UTC] No.25079683{3}[source]
I'm going to make a bold claim but Linus made a claim to this effect. Security is important but it cannot be the only main priority when designing systems. Apple's mistake here is probably the main story but more generally this attitude (letting systems spectacularly fail for the sake of hypothetical security) is foolish and results in rather terrible bugs like this.
31. unethical_ban ◴[13 Nov 20 07:00 UTC] No.25079751{3}[source]
Or defense in depth.

I hate it too, but 'theater' implies it isn't useful in any way.

32. inimino ◴[13 Nov 20 07:41 UTC] No.25079992{9}[source]
You don't need to read it, you just need to be able to read it.

Just because there are risks doesn't mean the risks are meaningfully comparable.

replies(1): >>25080967 #
33. anticensor ◴[13 Nov 20 07:47 UTC] No.25080027{6}[source]
Make OCSP fail locked and it would be a software imprisonment protocol instead.
34. sildur ◴[13 Nov 20 08:45 UTC] No.25080381{3}[source]
And probably a ruse to amass application usage stats.
35. floatingatoll ◴[13 Nov 20 09:14 UTC] No.25080545{5}[source]
The point stands: if you allow a host to resolve ocsp.apple.com to an unresponsive (timeout) address, it might break macOS the same as today — whether by air gap, by firewall, or who knows what else.
36. muraiki ◴[13 Nov 20 10:38 UTC] No.25080967{10}[source]
Ken Thompson won a Turing Award for showing how that isn’t the case: http://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thom...
replies(2): >>25088083 #>>25090093 #
37. nmg ◴[13 Nov 20 12:48 UTC] No.25081596{7}[source]
That's a fair point that I hadn't considered, and I appreciate it. But I still feel like "ability to use your computer as a service" is not something I signed up for.
38. eternalban ◴[13 Nov 20 13:59 UTC] No.25082161[source]
Because it is not yet illegal to operate a computing machine that is not centrally monitored. New Normal, get used to it. Soon, this corner case will go away.

"Why were you offline when using your computer?"

39. heavyset_go ◴[13 Nov 20 19:18 UTC] No.25086229{9}[source]
We already know that, by design, macOS will report back to the mothership. If things are working 100% correctly, Apple will collect what programs you run and when you do so.

Linux won't report to the mothership by design. If things work 100% correctly, you don't have to worry about some company knowing what programs you run and when.

40. tomxor ◴[13 Nov 20 21:34 UTC] No.25087766{7}[source]
I've already found a replacement, Debian stable + i3wm has been my happy place for the last 5 years. No unexpected behavior changes on update, just bug fixes, it does what I tell it, nothing crazy like Debian maintainers dictating what binaries I can run... if you want more or less control you've got plenty of Ubuntu style distros in one direction and Arch style in the other.

If you're a media person then yeah, I feel bad for you, i've been there and it sucks, you're stuck with mac and windows if you require mainstream design apps.

41. teddyh ◴[13 Nov 20 22:06 UTC] No.25088083{11}[source]
May I direct your attention to https://reproducible-builds.org/
42. boneitis ◴[13 Nov 20 23:17 UTC] No.25088723{5}[source]
Plausible a la NSA, yeah?

I presume this setup wasn't public knowledge.

43. inimino ◴[14 Nov 20 03:32 UTC] No.25090093{11}[source]
That what isn't the case? Pointing out additional threat vectors doesn't in any way contradict my point.
44. salawat ◴[14 Nov 20 13:50 UTC] No.25092269{4}[source]
Funny how DNS has that same issue, and yet, we still decentralized it to a point, even if there is some inertia going on to keep it as centralized as possible.