2603 points mattsolle | 12 comments
elmo2you | No.25076037
Sincerely and without any intention to troll or be sarcastic: I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.

Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond just users in this case.

Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).

All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.

replies(35): >>25076070 #>>25076108 #>>25076117 #>>25076130 #>>25076131 #>>25076194 #>>25076232 #>>25076348 #>>25076377 #>>25076414 #>>25076421 #>>25076460 #>>25076514 #>>25076630 #>>25076635 #>>25076649 #>>25076707 #>>25076786 #>>25076858 #>>25076908 #>>25076965 #>>25077109 #>>25077171 #>>25077401 #>>25077488 #>>25077655 #>>25077729 #>>25077764 #>>25077960 #>>25078164 #>>25078511 #>>25078513 #>>25079215 #>>25080127 #>>25108729 #
1. simonbarker87 | No.25076130
I have no problem with checking binaries when I launch them for security. I imagine many of the virus checking apps for Windows probably call home with similar information. I doubt very much I'm leaking any personal information.

What is frustrating is they didn't handle this situation like they do if I'm offline - don't get a ping back in less than 500ms or whatever? Go ahead and open anyway. That would have solved this eventuality.

replies(2): >>25076251 #>>25080144 #
2. zmmmmm | No.25076251
> don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway

How do you do that without defeating the security? Now a malicious attacker just has to wait for a moment when you aren't connected before launching their payload.

replies(2): >>25076304 #>>25076318 #
3. initplus | No.25076304
The feature needs to be implemented using some kind of regularly updated local database, rather than requiring a phone home every time.
replies(2): >>25076423 #>>25076454 #
4. simonbarker87 | No.25076318
Well it already just lets you launch the app if you’re not connected to the internet so my answer would be “no different to the situation we have now”?

Also, my understanding is that it's a hash of the binary being checked, so if it failed the verification the first time when you were connected you would have received a warning and the OS would block that executable on your system or give a warning or something? Not sure tbh.

5. elmo2you | No.25076423
A local database with a hash of every possible non-official Apple app in it? Sounds like something maybe only storage manufacturers will like.

The thing is, this is not a new security problem/challenge. It essentially cannot be properly solved if you don't have a tightly controlled environment. If it's a general purpose environment, where you can't fully control what ends up running on it, this particular approach to "security" is pretty much doomed, no matter how you address it.

replies(2): >>25076478 #>>25076534 #
6. colejohnson66 | No.25076454
A program signature database, perhaps? We could even call it: antivirus! No, that’s a bad name...

In seriousness though, the problem with offline databases that are changed a lot is a problem antivirus programs always had: they need updating. You can’t have the “latest and greatest” protection if you don’t know about the newest threat. That’s probably what Apple is doing here: using a database on their end that they wouldn’t have to distribute to end users. It’s not the best way around it, but there isn’t really a “best” way.

replies(1): >>25076775 #
7. mehrdada | No.25076478
There are solutions for this like Bloom filters etc. Google's Safe Browsing system tackles a somewhat similar problem.
8. _ph_ | No.25076534
No, a database with the hash of every program you ever started on that computer. The Apple server should be contacted when a program is installed/run for the first time. And of course, the system software should handle network problems more gracefully. If everything "works" when offline, network problems should more quickly lead to the offline behavior. There should be one daemon process which handles the signature checking which changes its behavior once requests to the server are not answered.
replies(1): >>25079890 #
9. btown | No.25076775
I think it's an exaggeration to say that it's impossible to keep local AV databases up to date in a meaningful way.

Use compressed probabilistic data structures and ship minimal diffs to save bandwidth and storage; you can fall back to phoning home if there's a possibility of a collision with a known-bad hash. Apple's solved push messages at scale; it could piggyback an update mechanism on that, or use the techniques Dropbox uses to notify about file updates. It can do this at the OS level so there's no threat of a user process not being active to pull updates. And the check is already soft-failing (per the OP) so it won't break if the system is offline, so they're already not caring about threats that are so new, they were found while the computer was offline.

You need to solve a lot of timing diagrams and race conditions (and, if we're being snarky, maybe it's for the best that Apple isn't trying to do this!) but it should be doable.
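
An added illustration (not code from any commenter) of the local probabilistic filter design raised in this comment and in mehrdada's comment above: a Bloom filter holds the denylist on the device, and because it has no false negatives, every known-bad hash is flagged even when offline; the server is consulted only to resolve the rare filter hit that might be a false positive. The `BloomFilter` class, the `KNOWN_BAD` sample hashes and the `server_lookup` stand-in are all constructed for this example.

```python
import hashlib
import math

class BloomFilter:
    """Fixed-size bit array; may report false positives, never false negatives."""
    def __init__(self, capacity, fp_rate):
        # Standard sizing: m bits and k hash functions for the target error rate
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: k indices from one SHA-256 digest
        h = hashlib.sha256(item).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

# Constructed denylist standing in for a vendor's revoked/malicious binary hashes
KNOWN_BAD = {hashlib.sha256(b"malware-%d" % i).digest() for i in range(1000)}

# ~1.8 KB local filter (vs 32 KB of raw hashes) that an OS could ship as diffs
LOCAL_FILTER = BloomFilter(capacity=len(KNOWN_BAD), fp_rate=0.001)
for digest in KNOWN_BAD:
    LOCAL_FILTER.add(digest)

def server_lookup(digest, online):
    """Hypothetical authoritative lookup; None models an unreachable server."""
    return None if not online else digest in KNOWN_BAD

def launch_decision(binary, online):
    digest = hashlib.sha256(binary).digest()
    if not LOCAL_FILTER.might_contain(digest):
        return "allow"          # definitely not on the list, no network needed
    verdict = server_lookup(digest, online)
    if verdict is None:
        return "unconfirmed"    # filter hit but server down; local policy decides
    return "block" if verdict else "allow"  # False here was a filter false positive

def false_positive_rate(samples=10000):
    """Fraction of benign binaries that would trigger a server round trip."""
    hits = sum(LOCAL_FILTER.might_contain(hashlib.sha256(b"benign-%d" % i).digest())
               for i in range(samples))
    return hits / samples
```

The only launches that ever depend on the network are the filter hits, so an outage degrades roughly 0.1% of benign launches to the "unconfirmed" state instead of all of them.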

10. kortilla | No.25079890
Pretty sure you just described how it already works. IIUC it only checks new hashes.
11. Tepix | No.25080144
> I have no problem with checking binaries when I launch them for security. ... I doubt very much I’m leaky in any personal information.

You should. It's no one's business when and how often you run a known Tor browser binary.

replies(1): >>25082084 #
12. simonbarker87 | No.25082084
I don’t run a tor browser so I’m good in that example.