Just a warning for Big Sur User

Discussion in 'Mac / Hackintosh' started by groove, Nov 14, 2020.

Thread Status:
Not open for further replies.
  1. groove

    groove Kapellmeister

    Joined:
    Oct 6, 2012
    Messages:
    172
    Likes Received:
    42
    Hello

    I find this on the web very interesting and scary in same time ... VPN and little snitch are bypassed in the new apple os Read this .......


    Jeffrey Paul
    Your Computer Isn't Yours
    12 November 2020
    ( 2674 words, approximately 14 minutes reading time. )

    It’s here. It happened. Did you notice?

    I’m speaking, of course, of the world that Richard Stallman predicted in 1997. The one Cory Doctorow also warned us about.

    On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.

    It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slowand it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.

    Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings:

    Date, Time, Computer, ISP, City, State, Application Hash

    Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

    This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.

    “Who cares?” I hear you asking.

    Well, it’s not just Apple. This information doesn’t stay with them:

    1. These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.

    2. These requests go to a third-party CDN run by another company, Akamai.

    3. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.
    This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them.

    Now, it’s been possible up until today to block this sort of stuff on your Mac using a program called Little Snitch (really, the only thing keeping me using macOS at this point). In the default configuration, it blanket allows all of this computer-to-Apple communication, but you can disable those default rules and go on to approve or deny each of these connections, and your computer will continue to work fine without snitching on you to Apple.

    The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don’t permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

    @patrickwardle lets us know that trustd, the daemon responsible for these requests, is in the new ContentFilterExclusionList in macOS 11, which means it can’t be blocked by any user-controlled firewall or VPN. In his screenshot, it also shows that CommCenter (used for making phone calls from your Mac) and Maps will also leak past your firewall/VPN, potentially compromising your voice traffic and future/planned location information.

    Those shiny new Apple Silicon macs that Apple just announced, three times faster and 50% more battery life? They won’t run any OS before Big Sur.

    These machines are the first general purpose computers ever where you have to make an exclusive choice: you can have a fast and efficient machine, or you can have a private one. (Apple mobile devices have already been this way for several years.) Short of using an external network filtering device like a travel/vpn router that you can totally control, there will be no way to boot any OS on the new Apple Silicon macs that won’t phone home, and you can’t modify the OS to prevent this (or they won’t boot at all, due to hardware-based cryptographic protections).

    Update, 2020-11-13 07:20 UTC: It comes to my attention that it may be possible to disable the boot time protections and modify the Signed System Volume (SSV) on Apple Silicon macs, via the bputil tool. I’ve one on order, and I will investigate and report on this blog. As I understand it, this would still only permit booting of Apple-signed macOS, albeit perhaps with certain objectionable system processes removed or disabled. More data forthcoming when I have the system in hand.

    Your computer now serves a remote master, who has decided that they are entitled to spy on you. If you’ve the most efficient high-res laptop in the world, you can’t turn this off.

    Let’s not think very much right now about the additional fact that Apple can, via these online certificate checks, prevent you from launching any app they (or their government) demands be censored.
     
    • Interesting Interesting x 9
    • Like Like x 3
    • Funny Funny x 1
    • Useful Useful x 1
    • List
  2.  
  3. KungPaoFist

    KungPaoFist Audiosexual

    Joined:
    Nov 20, 2017
    Messages:
    1,665
    Likes Received:
    959
    Location:
    CA
    It's not that scary if you think about global safety. If everyone's cards are on the table then there might be less threats to each other.
     
    • Disagree Disagree x 11
    • Dislike Dislike x 2
    • Funny Funny x 1
    • Interesting Interesting x 1
    • List
  4. aymat

    aymat Audiosexual

    Joined:
    Dec 21, 2015
    Messages:
    860
    Likes Received:
    996
    Time to break out the tin hats, folks
     
  5. Moonlight

    Moonlight Audiosexual

    Joined:
    Jun 12, 2011
    Messages:
    2,473
    Likes Received:
    761
    Location:
    Earth
    Interesting stuff , where we all read so much about Windows telemetry...

    So now the argument "Windows spies on you my macOS not" no longer is valid
     
    Last edited: Nov 14, 2020
  6. depijp_HSK

    depijp_HSK Ultrasonic

    Joined:
    Aug 6, 2020
    Messages:
    166
    Likes Received:
    23
    is there a list of processes recommended to block in little snitch?
     
  7. OBKenobi

    OBKenobi Producer

    Joined:
    Jul 14, 2012
    Messages:
    198
    Likes Received:
    95
    Why tin foil hat?
     
  8. evolasme

    evolasme Producer

    Joined:
    May 11, 2013
    Messages:
    293
    Likes Received:
    112
    Location:
    somewhere different almost every night
    wasnt planning on updating. anyway ...now more so.... Mac OS died with Jobs
     
  9. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,078
    Likes Received:
    648
    Cmon, what “cards on the table “??! What “global security “?! At the mercy and discretion of corporations and warmongering industries ffs
     
    • Agree Agree x 6
    • Like Like x 1
    • List
  10. Pipotron3000

    Pipotron3000 Audiosexual

    Joined:
    Mar 13, 2013
    Messages:
    1,230
    Likes Received:
    612
    Funny when Apple ppl always speak about "Windows Evil" and NEVER see Apple is doing the SAME thing since the beginning.
     
    • Agree Agree x 8
    • Like Like x 1
    • List
  11. Moonlight

    Moonlight Audiosexual

    Joined:
    Jun 12, 2011
    Messages:
    2,473
    Likes Received:
    761
    Location:
    Earth
    Have you read the article ? It says :
    That means you cant block with Lil Snitch
     
  12. tzzsmk

    tzzsmk Audiosexual

    Joined:
    Sep 13, 2016
    Messages:
    2,017
    Likes Received:
    1,205
    Location:
    Heart of Europe
    yes this is a big deal, and I'd almost bet it's just only one of a few trickeries Big Sur is full of,
    and thanks to the new security precautions, it probably won't be possible to circumvent whatever MacOS is doing, because any Apps or user scripts (such as Little Snitch) will be a layer above, and tampering OS will result in non-bootable state - very clever, and for many users a welcome foolproof security measure
    :knock:
    on a side note, those Gatekeeper-related trickery and notarization started with Mojave and followed in Catalina, so the problem is not magically starting with Big Sur, the difference is how Big Sur protects itself from things like system-wide Little Snitch

    this new MacOS name starts to make sense now - Big Surveillance
     
    Last edited: Nov 14, 2020
    • Like Like x 2
    • Agree Agree x 1
    • List
  13. tzzsmk

    tzzsmk Audiosexual

    Joined:
    Sep 13, 2016
    Messages:
    2,017
    Likes Received:
    1,205
    Location:
    Heart of Europe
    and a useful brief video on the matter:

     
  14. dkny

    dkny Platinum Record

    Joined:
    Jan 25, 2015
    Messages:
    391
    Likes Received:
    199
    *Looks around the room* - oh, everyone here is for unfounded conspiracy theories..?

    Looks like I'm in the wrong room...
     
  15. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,218
    Likes Received:
    1,970
    It never was valid, and IF anybody ever said this they must be very ignorant.
    a) not "funny", any of this! 'lol'.
    b) "Apple ppl always speak" - no they don't. I use both platforms, and I'm not ignorant.
    c) "Windows Evil" - Never heard that one either. Probably just you putting your words in the mouths of a whole strata of society there! Well done for helping divisiveness along!
    I used " marks because I was actually quoting you. You see?
    There are actual WinVsMac threads here at AS, you know? The real thing!
    Why don't you go and find yourself some real fun, eh?
     
  16. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,218
    Likes Received:
    1,970
    yeahbye
     
  17. No Avenger

    No Avenger Moderator Staff Member

    Joined:
    Jul 19, 2017
    Messages:
    7,137
    Likes Received:
    4,965
    Location:
    Europe
    I think he was not speaking about Big Sur.
     
    Last edited: Nov 15, 2020
  18. No Avenger

    No Avenger Moderator Staff Member

    Joined:
    Jul 19, 2017
    Messages:
    7,137
    Likes Received:
    4,965
    Location:
    Europe
    I think there's a good chance that Big Sur (interestingly the abbreviation would be BS [​IMG]) is violating our data privacy act and will sooner or later not be allowed to be sold this way in my country.
     
    • Agree Agree x 4
    • Funny Funny x 2
    • Interesting Interesting x 1
    • List
  19. Foobar

    Foobar Producer

    Joined:
    Dec 6, 2018
    Messages:
    145
    Likes Received:
    87
    I would so love if politics would actually do something and prevent this shit from selling. The US banned Huawai for the same reason.

    And while we are at it, ban everything which can't be repaired as well.
     
    • Agree Agree x 2
    • Disagree Disagree x 1
    • List
  20. skankhunt42

    skankhunt42 Noisemaker

    Joined:
    Nov 14, 2020
    Messages:
    3
    Likes Received:
    5
    Interesting read!
     
  21. Polomo

    Polomo Audiosexual

    Joined:
    Oct 30, 2019
    Messages:
    1,027
    Likes Received:
    818
    Utopia

    (MacBook are more glue than screws :winker: they’s days
    But many devices this day's goes this dark ways (Ryzen 4xxx laptops few USB ports no replaceable battery) )
     
Loading...
Thread Status:
Not open for further replies.
Loading...