> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.
EDIT:
As others pointed out, I put this in my `/etc/hosts` file and refreshed it like so:
So yesterday I wrote about the blurring lines of ownership, and people came back with some fairly disparate responses. It's fair to say that I was mostly dismissed. https://news.ycombinator.com/item?id=25058952
And this is why I won't be moving to Apple silicon. Apple already has the ability to restrict what apps I can run (they can simply toggle a switch for all users to "no unsigned binaries"), and congrats! Apple is the sole decider of what we get to use on our computers.
Of course Apple's Craig Federighi assures us that the people making such assertions are "tools" (https://youtu.be/Hg9F1Qjv3iU?t=3177 , timestamp 53:33) and they have no intention whatsoever of taking away our ability to do general compute on the machines we buy and own.
Except...
Apple can already decide what binaries you can execute. Should they choose to.
Apple is now restricting what other OSes you can boot into. As they've chosen to.
Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.
It's clear where they're going. And I'm jumping ship. It's painful to do so, given how invested I am in the ecosystem, but we're already beyond the threshold that many of us would have left earlier in the decade.
---
edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer. Most non-Apple laptops don't have very good color accuracy. They also don't have good trackpads, and their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)
I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad so that I don't have to carry around a mouse, good speakers would be a plus, and light enough that I don't feel like I'm lifting weights while working on my laptop. And this package should ideally come with 512GB of SSD storage and, at least, 16GB to 32GB of RAM.
Oh and it shouldn't be more expensive than a Mac as many of these laptops are!
Yeah so basically in the Windows world, a lot of the good laptops are under the "business class" of the various manufacturers:
Dell Precision, HP EliteBook, MSI Prestige
In the consumer world the Dell XPS, Asus Zenbook, Asus Pro Art are the way to go for a designer.
Dell Precision is probably the overall best laptop. MSI Prestige is targeted right at you though, with color accuracy and a good display. The only brand I can personally vouch for is Dell. My partner and I use XPSs, and a good friend of mine has a super nice Precision that I am jealous of (specifically the ports! I'm so over USB-C)
Wow, the way Craig is laughing at the question and so dismissive of it is really insulting. Maybe it's the more casual nature of the interview/discussion, but this really is the crappy icing on the cake of Mac users' continuously-declining control over the machines they spend their hard-earned money on. "Where do you even begin to come up with that theory"?? I mean, maybe we're seeing the gradual hampering of control over our computer with every OS X release in the past 5-10 years?
Get a Thinkpad. I replaced a 2015 MacBook Pro with a Thinkpad P1 Gen2 and love it. The trackpad isn't as nice. The keyboard is better. Running WSL2 you have a great Unixy development environment in Windows. Or just install Linux. As thin and light as a MacBook Pro. Much better thermals, though still not awesome. Other, somewhat larger Thinkpads have better thermals. You can upgrade your RAM, add 2 SSDs and other peripherals like a 4G card etc if you like. Thinkpads come with fantastic service. Next business day on-site repair including for accidental damage and they mean it. Looks: It's the design Apple copied for their very first laptops and is IMO better looking. They got it right the first time and haven't changed it materially. Built like a tank. Not quite a Toughbook but they will take some abuse.
NotebookCheck is a great website for laptop reviews. They even get into the nitty-gritty details of display calibration, input devices, power consumption, etc.
My partner bought a razer 13 inch to replace a MacBook Air. It wasn’t cheap, the build quality is excellent and it handles everything (she’s in an orchestra and records her parts on it, does graphic design and sometimes plays fortnite.). The screen is quite nice and the build quality is better than my system 76 (onyx pro) which I really like too.
Dave2d on YouTube gives pretty short and decent laptop reviews. I think he has a discord channel discussing the machines too
I switched away from Macbook Pro about a year ago, after using Apple hardware for about a decade.
It's working great, GNOME interface is solid and productive, Manjaro and AUR libraries just work. Highly recommend making the move, sooner the better as I'm sure you see the writing on the wall.
My Huawei Matebook Pro has been everything I wanted in a Mac, in a way I couldn't get from Apple.
Pros that Macbooks don't have: USB-A (along with USB-C), no touch bar, 3:2 screen, can enable secure boot if I choose so feel like I'll be able to run whatever I want on it, replaceable SSD, etc.
Pros that Macbooks also have: still has a great build quality, full day battery
Over the generations, I have had three Macbooks, four Vaios, a ThinkPad, a HP, multiple ASUS and Huawei. Most of the devices I have killed by travel: dust infiltration, vibrated the BGA chips off the boards by motorbike vibrations..
My requirements have all been fulfilled with the Huawei MateBook X Pro.
You could say it's heavily inspired by the MacBook. Aluminum case. Chiclet keyboard with decent travel. 2000x3000 display (2:3 ratio!). Awesome trackpad. Good battery life. Portable. Solid. 2x USB-C and 1x USB-A. Sustained multiple drops.
For context, I am able to pull solid 12-hour days on the device, without a mouse, without fatigue or frustration.
> keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)
Those are laptops with numeric keypads, the trackpad is still centred relative to the "main area" of the keyboard (the home row and in particular the rest keys - the two keys with a little bump, F and J on a QWERTY) but it is off-centre relative to the body of the laptop due to the presence of the keypad.
Macs don't have numpads so if you've always used Macs it's understandable that you're not familiar with this type of layout.
In any case that type of placement makes no difference while you are using the laptop, because keys and touchpad are still where they are supposed to be relative to each other.
Get a Thinkpad, P-series, lots of options. Run Fedora on it. Great machines, great keyboard, 4k screens, good color, good battery life, lightweight. Everything works. Mac-level price, and worth it.
> edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer.
I would agree on designer.
Absolutely not on developer or researcher.
Actually MacOS is, for the reasons you mentioned, incredibly developer-unfriendly (unless your target is of course the iOS ecosystem).
And for research there is no better platform than Linux. Unless you are in clicky-colorful frontend applications, where I would doubt you are doing serious research.
Try metabox. (https://www.metabox.com.au/). They have a wide range of laptops at various specs and prices and form factors and whatever else. A lot of the guys at work have started to switch to them and they feel nice to hold and fondle.
I'm currently in the same boat as you and my next machine will be from these guys when my (admittedly very new) Macbook Pro gives up or gets taken over by Apple.
It's hard to say who is now Apple's target audience. It seems like their products are ideal for people who don't know much about IT and just want to watch a video or edit their holiday photos and maybe create a CV and will probably never go beyond that. Other people still enjoy Macs from 2012, but things are moving on when you look at desktop PC and what you can do. Apple looks more and more dumbed down.
I really like my surface book. They are priced like MacBook pros (and spec'd like them too). The track pad is great, the pen input and detachable screen come in handy more than I'd have guessed when I first switched.
Apple has a pretty broad utility patent around their trackpads, which requires other manufacturers to work around what would seem like pretty obvious things.
Are there no other suggestions beyond the 2012 MBP?
I use Arch Linux on a Lenovo Thinkpad T580, and I'm really happy with it, but I'm not sure about the colour accuracy of the screen. I doubt it's as good as you find on an Apple.
I, for one, am really interested in a good, high quality alternative to Apple laptop hardware that meets the parent's criteria.
I agree with you that Apple is doing way too much to restrict users. But I also agree with Craig in that I don't see how Apple silicon is useful for them in helping to restrict users.
X1 Yoga 4 is what I went with recently when my 2016 macbook pro died for the 4th time since owning it.
It's very similar to the X1 Carbon but converts to a tablet and it has an aluminum body.
I can't say I'm out of the apple ecosystem entirely, but I decided to spend my money elsewhere given the abysmal quality of the macbook pro line these days.
Owning a Lenovo X1 Carbon 7th gen, 2019, 4K screen, 16GB RAM. Extremely impressed with the hardware, running Linux Mint and going to move to Manjaro.
Initially I tried Pop!_OS but they removed from Gnome the intermediate scaling (1.5X) of the UI, just like in MacOS you have Display - Scaled options.
I really like the per monitor setting which you don't have in Linux (or I didn't research enough); e.g. More space on main display (external 4k monitor) and Larger Text on the MacBook screen.
I'm also jumping ship due to the worst experience I had in 25 years dealing with technology, 1 month to replace a swollen battery with a 3rd party repair service. Apple now throws all these "complex" hardware issues to 3rd parties since their employees are pressuring them not to execute hazardous repairs in their own "centers".
Their SSL certificate revocation server (the default for macOS) goes down and you try to tie it to Apple Silicon being created to lock-in users? I understand the feelings people have about this but today's failure seems orthogonal.
Re colour accuracy, check out Thinkpads, they even come with a colour calibration sensor so you can have them autocalibrate daily/weekly or whatever suits you.
Do you _really_ need a laptop? That's my solution to the problem of no good Linux laptops. I've got a desktop at home now, and when I go back to the office, I'll pick up a mini desktop. I'll keep an old MacBook in a drawer if I need to take it into a meeting. When I used laptops only, they were just plugged into a monitor/keyboard/mouse at all times anyway.
> their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)
Buy something without a number pad. Unfortunately most 15" laptops do have one.
If anybody from HP is reading this, I'll pay an extra for a keyboard without number pad on your 15" ZBooks with 3 buttons on the touchpad. Space bar and touchpad aligned with the center of the screen please.
>it's off-center in a lot of cases! How weird is that
It is off center if they have a number pad to the right of the normal keyboard layout. At first glance it looks weird, but it is 100% what you would want if you were using the laptop. Otherwise the trackpad would end up being right over where your right wrist is.
I just gotta say that I don’t think it’s clear where they are going. You are of course free to do however you like. And if you are leaving because of what they already have done, that’s reasonable, but if you are leaving because of what you are guessing that they might do tomorrow, is that really wise? I mean even with the ARM switch won’t it be as easy to switch to win/linux intel after a year if you are not satisfied?
I don’t like the boot thing either, and it’s a bit scary not being on intel as everyone else is right now, but I also think ARM feels really interesting and it might turn out to be a great new platform!
Edit: I mean it is not like they never listen, they did bring back the Mac Pro, they did fix the keyboards, you have CLI tools to make a lot of changes in how macOS works, etc. Of course I would like hundreds of things to be different, but I believe that is true of all platforms.
I don't think there's a one-sized-fits-all solution without something custom and extremely expensive ($15k+). Maybe a Lenovo T480 for most purposes and a dedicated second screen for color correctness? I had a Dell Studio XPS 1645 with an RGBLED screen with an insane gamut. It begs the question: Why aren't such screens widely available?
I think you should stick to Apple, frankly. Every time Apple comes up with something new (or just a new software release), people come out of their sheds to warn about all the bad things that will happen.
And then almost none of those bad things happen. I've witnessed this dozens of times now, so a safe interpretation would be to assume that this time none of those things happen.
I started panicking mildly thinking my drive was failing or something.
And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.
Same. Panic attack. Thought the SSD was dying. I ran Disk Utility diagnostics and started coming up with plans to reformat and restore as a last resort.
Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.
As developers and engineers, we ought to be jumping off this platform like a sinking ship. It's clear that they want to lock it down like the iPhone. Why else would they be measuring which apps are in use if they didn't want to control it?
If your argument is "compatibility research", you're missing the other warning signs.
If I do any simple math calculation in Spotlight it pegs all cores at 100%. It's easily reproducible and really annoying because I've used Spotlight as a calculator for years.
My music software became completely useless on Catalina, and I was also running into issues with Spotlight so I disabled it. I downgraded (painfully) to Mojave and my system is so much speedier. Wish I could completely switch to Linux.
> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.
That's another case of a product not doing its primary function - an OS running apps - because the company placed its own (data gathering) objective above it. See thermostats not turning on heat when the internet connection is down and other equally stupid examples...
I discovered this by running unbound – a DNS server – locally (block some unwanted hosts and do dns over TLS). I guess the rest of the story is pretty obvious; having your default dns server not being able to resolve because you're trying to verify it – since you cannot resolve your verify hostname – is obviously Not Great. As you can imagine, there is no waiting in the world that fixes this. I couldn't kill (-9) the process either; had to reboot into safe mode, rename the binary and switch the default dns on the network.
The server is called OCSP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.
So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?
Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.
Right around this same time, I had 1 MacBook hard reboot (watchdogd timeout) and shortly thereafter, a second MacBook froze, fan maxed out, with the display not coming up. Then it rebooted into recovery mode.
Yeah, these _could_ be unrelated issues to what has been going on in Apple land today, but it's uncanny...
I keep reading in the tweets how all Macs are unusable. Is this an OS bug that doesn't affect older OSes? I'm on Mojave on my 2017 MBP, and have had zero issues at all.
Checking for notarization on each launch was introduced in Catalina. Older versions have trustd, but it was only used for the Gatekeeper checks added in 10.8.
My 2018 MBP on Mojave had some serious issues launching apps for a little while yesterday (3PM central) afternoon. It seemed to resolve within an hour though. Not sure how that lines up with the outage described here.
This might be a stupid question, but is there a downside to blocking this "feature"? I can't think of any.
I've been using Big Sur beta for some time and one of the things that annoyed me a bit was the sudden lack of responsiveness, which is a tad annoying given that I upgraded to a 16-inch MBP earlier this year and everything felt so snappy.
ocsp.apple.com also has an IPv6 address. Firefox connects to it even with 0.0.0.0 in the hosts file and a flushed cache (you need to also clear firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the ocsp site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.
Disable IPv6:
`sudo networksetup -setv6off Wi-Fi`
(where Wi-Fi is the name of the network service)
Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling ipv6 all together, but admittedly I've never worked with ipv6 networking on Macs.
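The two comments above make a point that is easy to get wrong in practice: a `0.0.0.0 ocsp.apple.com` line only sinkholes the A record, and a dual-stack client just connects over the AAAA address instead. The following is an added example, not code from the thread, that parses a hosts file and reports whether a name is sinkholed for both address families, emitting the missing line(s) if not. The sample hosts text is constructed for the example; it follows the `::1` suggestion from the comment above (`::` would be the exact IPv6 analogue of `0.0.0.0`). As the Firefox remark above notes, this only governs name resolution on the machine: a process that already resolved the name, keeps its own DNS cache, or connects to a hardcoded address is unaffected.

```python
"""Audit an /etc/hosts-style file for a complete (IPv4 + IPv6) sinkhole entry.

Added example, not from the thread. The sample hosts content below is
constructed: it is the typical "v4-only" block people added during the outage.
"""
import ipaddress

SAMPLE_HOSTS = """\
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0   ocsp.apple.com   # added during the outage, IPv4 only
"""


def parse_hosts(text):
    """Return {hostname: set of ip_address objects} from hosts-file text.

    Comments (# to end of line) and blank lines are ignored, hostnames are
    lowercased, and malformed lines are skipped instead of aborting the audit.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a hosts entry
        for name in fields[1:]:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def sinkhole_status(text, hostname):
    """Report whether hostname has an IPv4 entry, an IPv6 entry, or both."""
    addrs = parse_hosts(text).get(hostname.lower(), set())
    v4 = any(a.version == 4 for a in addrs)
    v6 = any(a.version == 6 for a in addrs)
    return {"v4": v4, "v6": v6, "complete": v4 and v6}


def missing_entries(text, hostname):
    """Lines that must be appended so both address families are covered."""
    status = sinkhole_status(text, hostname)
    lines = []
    if not status["v4"]:
        lines.append(f"0.0.0.0 {hostname}")
    if not status["v6"]:
        lines.append(f"::1 {hostname}")  # or '::' for the unspecified address
    return lines


def with_sinkhole(text, hostname):
    """Return the hosts text with any missing sinkhole lines appended."""
    extra = missing_entries(text, hostname)
    if not extra:
        return text
    if not text.endswith("\n"):
        text += "\n"
    return text + "\n".join(extra) + "\n"


if __name__ == "__main__":
    target = "ocsp.apple.com"
    print(sinkhole_status(SAMPLE_HOSTS, target))   # {'v4': True, 'v6': False, 'complete': False}
    print(missing_entries(SAMPLE_HOSTS, target))   # ['::1 ocsp.apple.com']
    fixed = with_sinkhole(SAMPLE_HOSTS, target)
    print(sinkhole_status(fixed, target))          # {'v4': True, 'v6': True, 'complete': True}
```

Run it against `/etc/hosts` itself with `with_sinkhole(open("/etc/hosts").read(), "ocsp.apple.com")` to see what would be appended; after editing the real file, macOS still needs its resolver cache flushed (the "refreshed it like so" step in the original post), and a client with its own cache, such as Firefox, needs that cleared separately.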
Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.
I had both my personal and work laptop become unresponsive at the same time. I was wondering what kind of problem could cause that - was thinking EM interference or possibly something on my network. This explains it.
Ha! So that's what it was. Last night (I just woke up in the UK) my MacBook Pro started to crawl, I started to fret that it might be the SSD starting to fail.
A compelling way to enact change at large corporates is to vocally communicate when and why you are forced back into a buying position as a customer.
Apple VPs who are listening, especially Craig Federighi - here is an early warning for you. The HN crowd may seem fringe, but they are living in the future. I de-Googled my entire life over similar transgressions by Google and several of my friends are gradually going through the same process, albeit more slowly.
And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or MacBook. No one is going to catch Apple on performance and form factor for a long time, but I'm willing to invest in a long-term ecosystem that won't allow things like this...as long as I don't need to debug audio drivers. I am done with that phase of my life.
So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.
(I looked at Alienware's M2 and M3, but it cost about the same as an MBP16 but with more blue LEDs.)
> The HN crowd may seem fringe, but they are living in the future.
The other thing that really can't be discounted here is that a lot of the HN crowd are likely the default go-to people in their circle of family and friends for this sort of stuff, and in many cases they may also have major purchasing influence and technical decision making power in their respective businesses. Turning off one of them may be inconsequential on its own in the short term, but it could seriously add up to a lot more destroyed mindshare and significantly more "lost" sales over time.
Don't underestimate the power of your choice at the frontier, even if it takes a while to reverberate through time.
I used to think it didn't matter what tools I chose as a lone developer making consumer tech products and DSP audio applications. But over time, I saw that consumers rely on frontier-makers for fast-moving tech choices more than you’d think, even if they lag a few years behind.
When enough people make a choice, a tipping point forms in the future. Paul Graham wrote about this in "The Return of the Mac", and I believe a tipping point is forming: http://www.paulgraham.com/mac.html
If Apple wants to ride on privacy, then it will fall on privacy.
Yes, I can specifically say that 2 other people have chosen not to update past Mojave 10.14 because of my advice.
I'm experimenting with Linux these days. There are some minor annoyances with using an outdated version of macOS. Unfortunately those apply to not just one or two apps, but every part of the OS when using Linux. Basic things like WiFi drivers or sleep support. I'm encouraged by the trackpad driver project, but it's not there yet. So I'm still hanging on to my 2014 Retina MacBook Pro using 10.13, until some Linux distro catches up. I feel like that will happen soon though.
> The HN crowd may seem fringe, but they are living in the future.
I really don’t think the HN community is at all representative of what the masses think about. Just like in any online community, it is easy to think that the thoughts of that community somewhat resemble that of most people when that simply isn’t true. HN’s base consists highly of developers who are up to date with most things in the technology industry.
The rest of the world doesn’t really care enough to compromise the comfort and reliability of Google’s suite, which lets be honest, outperforms its competition by a size-able margin, and does so with a “free” price tag.
People on HN have talked about de-googling for years and I have yet to see someone outside of the computer development scene do it (or even talk about it for that manner).
I am starting to see people switch around me, but it doesn't happen overnight.
A surprising handful of non-tech people have asked me, "Hey, I see you use DuckDuckGo. Why not Google?" And then we have the conversation - it's a short conversation:
Well, you cannot prosper in an environment if you operate on inaccurate or censored information. Google & YouTube censor information and track everything you search for or watch. Today your views align, tomorrow they may not.
Secondly, you must insure yourself against tail risks, and having your Gmail account "cancelled" is a yuuuge tail risk. Therefore, avoid bundled Google products.
Then a few months will go by, and I'll see they are now using Firefox and DDG.
When you have these conversations, it's important that it not be about your identity (open source! Linux!), but about risk-aversion.
I agree--I also de-googled within the last couple years. I also did it because I need my e-mail to always work, it's just unacceptable that Google could take it away with no reasonable recourse.
I was also hit by this outage today, at work, on my work laptop, while I was working. Apple literally cost me time and my employer money today, because their lack of foresight or inadequate provisioning of servers or whatever the fuck it was, fucked up my laptop. No good reason. They just fucked up, and it cost something.
And there are A LOT more than what is just happening here.
They have burnt a lot of good faith post Steve Jobs. But judging from current Apple management, they won't act until sales numbers decline. As shown by the MacBook Pro keyboard fiasco. And to make it worse, they seem to think of most of these problems as PR and marketing problems and dial up the marketing instead of actually fixing it.
( You can see that with Apple's marketing, especially with recent iPhone 12, with VPs explaining in podcast )
If there are a lot more, it's worth listing them all in a blog post. A set of evidence is more compelling than only one act that could potentially be written off as well-meaning incompetence.
I would say that the current Microsoft Surface laptop/book has the same build quality feel as the MacBook line, but unfortunately you're stuck with Windows 10, which is a downgrade if you're used to MacOS.
Windows 10 is also working against you with its telemetry and ads.
We shouldn't have to work against the interest of the company that sells us the software running on our PCs. This will lead to more problems down the road.
I concur. I have a Surface. It sucks. Worst computer I’ve ever bought.
Keyboard sucks. Is it a tablet trying to be a laptop? Or a laptop moonlighting as a tablet?
Stylus sucks. It doesn’t have the accuracy of the iPad. And it always had a weird parallax feeling, so I gave up on using it. And the software was just mediocre.
I gave up and bought a Lenovo T4xx series laptop. Installed a dual boot Linux Ubuntu on it. Best. Computer. Laptop. Ever.
I just got a new XPS13 after a decade of using only macbook pros. Honestly it's pretty good and like 95-99% as good as my macbook. The only thing I really miss is the incredible touchpad. The XPS touchpad is meh, although is functional which is more than I can say about many other windows notebooks.
>So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.
Thinkpad X1 Extreme Gen 2 is what I use and I'm very happy with it. My requirements were a moderately high-performance laptop, hybrid/discrete graphics, not excessively bulky and good Linux support. I can't fault my choice. The only issue I had with hardware compatibility under Linux was due to me receiving it a couple days after launch and the drivers for the wifi card not yet being in the kernel used by Debian or Ubuntu (no longer an issue iirc). Happy to answer any specific questions you have.
I don't think they are "checking"; they've carefully planned a path and are slowly and meticulously executing on it. They have no intention to stop at any point. Should the money stop flowing, they'll just come up with a new gadget. To make them backtrack on the walled garden would take an extinction-threatening event that (unfortunately) will never be on the cards as long as nobody can seriously threaten the iPhone.
I had the pleasure of installing Ubuntu on a modern Dell XPS recently. I was happy to discover that everything seems to work flawlessly upon install without any additional fiddling: WiFi, trackpad, touchscreen, display scaling, and really everything else I've tried so far worked great. It's an absolute joy!
There was a time I remember when various things with Linux installations were often quirky or troublesome to get working well with certain laptop hardware, but I'm convinced now that this situation has improved tremendously since then...at least from my recent experience and hearing other good things about the Dell XPS and various ThinkPad models, and of course System76 (although I haven't had a chance to try one of those myself yet).
Yes , and they are also selling Ubuntu edition where you not only save quite a few $$$ (because no windows licence) but you're also sending a signal to manufacturers that there is a demand for compatibility with other OSes (unlike on Apple or MS Surfaces).
So if the dev edition fits your need consider buying this one
Thank god I switched back to windows early this year. I absolutely love it and I do not foresee me returning to Apple for a considerable amount of time.
You should know that Windows includes a similar feature (to call home and report file hashes and the user's IP for example) called SmartScreen, and with default settings it also triggers on every single application launch in the OS.
I use both Windows and Mac but I would never consider Windows some patron saint. The telemetry and dark patterns in Windows are much worse than what Apple does. Windows literally advertises its own browser in different parts of your OS and will regularly change the default back to Edge after updates.
But overall I am pretty happy with Windows being my daily driver now that they have WSL.
I bought the business cousin of the XPS 17, the Precision 5750. The screen-to-body ratio is amazing. And the 4k screen is beautiful, the build is attractive, thermals are good and the speakers are nice as well. (From an Apple perspective these are the things that others often get wrong)
It has some design flaws ("hybrid power") but what is really messed up is the QC:
I have ProSupport and already had 4 technicians over and am currently awaiting my third full replacement.
Issues are all over the place: faulty trackpad, extreme coil whine, broken display, etc.
Perfect device for me if they could figure out their QC.
If the next one is not perfect, I am getting a G14 which is the best performance/watt, performance/notebook volume and one of the best performing notebooks in general.
Microsoft saw that Macs were eating their lunch regarding developers and researchers when e.g. nearly everyone doing AI was on a MacBook or Ubuntu. You had a hard time getting Tensorflow to run on Windows because no one in the community really cared.
Also everyone developing applications in the cloud was eventually targeting Linux as the production OS, which is a pain if your development OS is pretty much hostile to anything command line.
MS then put a lot of money into getting a Linux like command line and support into Windows with WSL.
They also got a bunch of influencers and devs to do their thing with improving that kind of developer experience.
Apple, however, has been sitting on their hands in this regard. They are moving exactly the opposite direction with this crowd.
I have no idea what rationale is behind that. Did they come to a different conclusion than Microsoft or are they just failing to execute on the strategy?
MS sells cloud services. They don't really care what machine you use, as long as you live on Azure as much as possible. That's why they give you more and more tools that improve the "remote development" experience.
Apple sells silicon. They don't really care about developers; as long as they can pull enough users through the iPhone->iPad->Mac funnel, they have done their job of selling as much hardware as they can. In their view, developers bitch and moan but in the end will have to go where users go - at which point, Apple can tax them for access to the walled garden.
> And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook.
You'll keep buying Apple stuff. I know it, you know it and Apple knows it. If all of their past transgressions hadn't changed your mind you'll keep doing it. Cut the shit.
From another post on this page, someone recommended to look at Metabox.
I never heard of them. I just looked over their site. Some very very cool options. Been in business a long time.
https://www.metabox.com.au/
I've tried Alienware - used to be good, but not very impressed since the Dell days. I've tried Razer - always some issues. Dell G and XPS seem the best, up to now. But this Metabox looks really fun. Wonder if others have tried?
Look into what state law protections you have. High ticket mail order items can usually be returned for a full refund for a fairly long time.
Finding out that it's phoning home about every binary you run is absolutely a good justification to return it. I would sooner throw out a computer that did that rather than use it.
You've got to be kidding me. When Apple's servers are down, all Macs worldwide start freezing randomly? My Xcode is hanging during builds, is this why?
This code signing enforcement stuff has gone way too far. Heads should roll for this.
Wait what happens if you don't have an internet connection? Can Macs not be used offline any more, surely that's still a relatively common use case for a laptop even today in a lot of places?
My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.
If you don't have a connection, it just doesn't do the check. If you have a crappy connection like many of our students, it takes forever to check. If the server is down, life just sucks and non-Apple programs don't open.
If you are connected to a network without an Internet connection, it just becomes unusable. The Internet connection is somewhat unreliable in my area, and I had an Internet outage that lasted for days during the COVID lockdown. I feared it was a malware infection causing the slowdown. I switched over to Linux not long after.
Often when I would see this type of error it would be when something silently drops TCP packets (rather than sending a RST). This is one way to configure a firewall, and it's indistinguishable from high latency. Hence the difference in behavior. If the address was unroutable, or immediately closed the connection, it would fail quickly (and presumably for the OCSP check, it would be skipped immediately). But when packets are silently dropped, it's up to the client to decide how long to wait for an ACK, which might cause a hang.
I've seen an identical problem where Chrome would hang for minutes when loading sites, and it was because I was in a firewalled environment that was outright dropping packets to Chrome's OCSP server.
With Android it's the same. I have an app firewall on my Android phone and since then the standard Android gallery app doesn't really work anymore. A lot of things break; for example, when I want to send a file with Threema, I have to go offline, choose the file and then go online again. Otherwise the file dialog freezes. It's just standard these days. Also a lot of things break if you are just on a network without an Internet connection. Welcome to 2020.
That's why notarized applications should be stapled too. The stapling "ticket" is embedded in the app bundle and allows macOS to perform an offline check.
Basically you'll get the usual Gatekeeper window, but with a slightly different message, along the lines of "I can't check this binary in real time but I trust the embedded notarization".
Almost certainly so. Apple has built chains of certificate trust very deep into the OS, along with apparently an assumption that this particular revocation service check is reliable & fast enough to call out to the network a lot.
Imagine how many people would lose their productivity, maybe not at the big corps or government (I assume they use a version of macOS that calls somewhere else, or doesn't call out at all). But very, very many people.
Code signing is an okay thing as long as the signing identities don't get discriminated. Android has had code signing ever since it was released, but you always generated the certificate yourself, and the purpose was simply to stop someone else from making an apk with the same package id that would install over yours and gain access to its data.
The thing Apple does, on the other hand, with trusting themselves more than the user, is disgusting. I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
Give me, the owner of the computer, control over the keystore for the root certificates I trust, and code signing is great.
> I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
As a libertarian I can see the argument for getting rid of presumptive copyright (and tanking the US economy), but the government preventing people from entering into contracts that you don't like? That's just hypocritical.
You need to set up your own DNS caching resolver and start selectively filtering out Apple domains. Pi-hole does that wonderfully. Ask your Apple Geniuses whether they would help you set it up to make your Macs work.
If you just read his writings on the importance of free software, he never was that "crazy" to begin with. He simply saw examples of companies locking down their hardware so that they could control it at the consumer's expense.
Exactly this is happening with Apple now. Although Apple computers were fairly hackable in the past, with users being able to install Linux or Windows, that is changing. Apple is changing the hardware _and_ software to make it more difficult to do things that Apple does not approve of.
Stallman was keenly aware of this type of behaviour, and he was also aware that companies that have the potential to use this behaviour to their advantage will often do so.
Apple wants to be in a position where they sell computers as appliances, and Apple Silicon is their step towards doing so.
By the way, I'm typing this on a MacBook Pro that is no longer supported by Apple, but running Linux. I am not sure this would be possible in the world of Apple Silicon.
I don't think Stallman's crazy, he's just passionate about his beliefs, and people whose careers depend on not acknowledging the truth in what he has to say like to dismiss him.
Hardly "happy about all this". From the end of the linked article:
Author's note: Some people have read this blog as my utopia or dream of the future. It is not. It is a scenario showing where we could be heading - for better and for worse. I wrote this piece to start a discussion about some of the pros and cons of the current technological development. When we are dealing with the future, it is not enough to work with reports. We should start discussions in many new ways. This is the intention with this piece.
So many comments in here, but I haven't seen a single one mentioning a simple solution: Vote with your feet.
For years now, I've seen a large portion of the HN crowd praising Apple for its (alleged) respect of privacy and cursing at Microsoft for Windows "calling home" all the time. Now that this has happened, the only comments I see are "heads should roll", and "we must complain and be heard by high-level execs", but never "let's move away". This just reinforces my impression of the Apple ecosystem as something akin to a cult: Once you get in, you never get out again.
There are good alternatives - many people, including software engineers, use non-apple solutions on a daily basis and they are still productive. Why not give Linux a shot, or gasp even Windows? The age-old argument of "MS is evil, Apple good" is moot. Companies are generally not good or evil, they are profit-oriented. If the market demands privacy, they care about it, otherwise probably not so much.
It isn't so easy. There is often a large cost of moving. E.g., I use `sketch` for designing. I can move to Figma, but it'll be a learning curve and the performance just isn't the same.
Additionally, in order to move to Linux I need to find a good alternative to much of the other software that I'm using. Most commercial software only targets Windows or OS X.
For the record, I've written large parts of KDE, so I'm acutely familiar with running Linux as a Desktop Environment.
> This just reinforces my impression of the Apple ecosystem as something akin to a cult
That's very uncharitable. Suggesting Windows as a potential alternative also sounds slightly comical given their history with Windows 10 and many people's required workflows, required because of work or other outside influence, make Linux less tenable.
A lot of people seem to suggest that if you have something to complain about then you should be moving on to something else, a vibe of 'appeal to perfection'. I think this is the same mentality that drives the distro hopping phenomenon. I'm not brainwashed because I live with the flaws of my OS choice and complain when things are changed that I don't like.
I'm not sure which comments you are reading: one of the top threads that almost fills the whole first page is a long discussion about alternatives to macbooks...
I've been using Windows 10 with WSL2 and found it a surprisingly effective development environment with all of the Linux goodies accessible. And games are available without a reboot or VM!
Many complain, few will act. Virtue signalling about Windows is zero cost, unless one is a Windows user. Most people just don't care about privacy enough to do anything (ANY thing) inconvenient.
Linux only makes sense as a desktop operating system if your top priority is telling people online that you use Linux as your desktop operating system.
I mean, it's easier to do most kinds of programming on Linux than Windows. Stuff works more "out-of-the-box" than on Windows.
For other things? Maybe. Some nice GUI applications, while in theory they can be run on Windows through Cygwin, work well on Linux as well.
And some people just like performance / look-and-feel. Windows is often sluggish, while most non-GNOME IDEs are pretty fast on usual hardware.
Then there is the updates problem. I have had Windows downloading updates even when the network was marked as metered in the past. Some LTS distro is often better. Unless you use Fedora or Arch, updates should be minimal.
I don't want to imply the Linux desktop is mature enough for all people. Just a reminder that there are valid reasons tech-savvy people prefer it.
It IS, though. SmartScreen on Windows doesn't check binaries created on the same machine, but you'll get flagged if you move the untrusted binary to another machine you own.
This is a big conceit everyone holds - that Linux will be an acceptable substitute for macOS. To be perfectly honest, if Apple shut down their MacBook factories and got out of the computer game entirely, and everyone flocked to Linux, it would be several painful years before Linux would be as usable as macOS is today.
This is why I try out Linux every few years, and file lots of bug reports when I run into issues (mostly in applications - the core Linux kernel is solid). I've even contributed code to Linux apps that I don't intend to use right now.
Sincerely and without any intention to troll or be sarcastic: I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.
Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond just users in this case.
Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).
All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.
> I'm puzzled that people are willing buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.
The answer is pretty simple: these problems are extremely rare, they don't last very long, and they tend to have fairly simple workarounds. You seem to have a principle that any non-zero chance of being affected by a problem of a certain type is a complete deal-breaker, but most people when buying a computer probably just subconsciously estimate the likelihood and impact of this type (and all other types) of problems and weigh that against other unrelated factors like price.
I agree with your point about it being a principle, although I would add that the decision to build a product in this manner is also a principle.
Furthermore, I would sort of disagree with the answer to why people would buy this. In terms of "most people buying a computer", the overwhelming majority of Apple customers are likely ignorant to this issue, and will continue to be.
Without principles, your freedom will be (is being!) slowly chiseled away, pragmatically accepting each small step. By the time even pragmatism tells you to refuse, it'll be too late.
(As someone pointed out, this does more than just prevent apps from running - it also leaks which apps you use and how often. Someone could ask Apple exactly when you started Tor browser, for example)
The payoff for the very slight risk is an effective built-in malware prevention system that doesn’t treat me abusively and reacts in a timely manner to abusive circumstances.
After decades of production operations, I have no complaints about how this was handled, and I expect they’ll investigate and patch any defects exposed by the outage.
I went for a walk when this happened and when I got back it was fixed. Works for me.
There's software "EazyFlixPix" which shut down its authentication server - so everyone who purchased the app can no longer install it (unsure, but they might be also prevented from running it too).
That's a different mindset — ability to fix, right to repair. No way to comfortably run another OS on a MacBook; you have to use macOS. It is closed source, users at the mercy of the company. Think different.
Also, which is the bigger risk for most people: disruption to the cert verification, or malicious runtimes on their system?
(Hint: I have literally never seen an example of one of our bank's customers being unable to bank because of this. I have seen heaps and heaps of examples of endpoint compromises resulting in people having their accounts cleaned out.)
People chose to use Apple because it seems like a benevolent dictatorship.
And frankly, a benevolent dictatorship is basically the best government you can have, as long as you're part of the "in-group" who doesn't push boundaries, doesn't cause trouble, and supports the supreme ruler, Kim jon... cough* Apple.
---
The problem is that no matter how good the dictatorship might be today, it will eventually bite you. You will either develop a need that isn't addressed, or they will change the rules so you are no longer able to satisfy an existing need.
We're seeing this now with Google - their motto was literally "don't be evil" for a long time. And during that golden period their users loved them. But as Google has shifted from "don't be evil" to "make lots of money", people are starting to shift away.
Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.
Speaking as an ex-Google user and an ex-Apple customer (still tied to Apple Music and iCloud for family phones), I'd compare Google to Russia - not particularly benevolent, a bit chaotic/random, citizens tend to shrug and accept their lot. Apple is more like Singapore, slick, seemingly benevolent, citizens honestly question why the rest of the world isn't run the same way.
EDIT: I'd add another way in which Google is like Russia and Apple like Singapore. Everyone kinda knows that Russia's leaders are a bit/a lot evil. There's still a debate about whether Singapore's leaders are evil.
> Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.
The honeymoon is already over. A post like yours would have got several downvotes up to less than two years ago. I noticed that honest criticism of Apple has been tolerated since at least about one year ago.
I think the difference between the Google and Apple dictatorships is the business model.
Google's customers are not the users, they are the advertisers who rely on the data harvested by Google. The incentive to be evil is directly baked into the business model, and most users end up tolerating it because it is "FREE", and often the only viable option.
Apple's customers are the users. If Apple rocks the boat too much, their users might not feel so good about paying the premium prices Apple demands for its products. Making users upset is a direct threat to their business model.
> "Don't be evil" is a phrase used in Google's corporate code of conduct, which it also formerly preceded as a motto.
> Following Google's corporate restructuring under the conglomerate Alphabet Inc. in October 2015, Alphabet took "Do the right thing" as its motto, also forming the opening of its corporate code of conduct.[1][2][3][4][5] The original motto was retained in Google's code of conduct, now a subsidiary of Alphabet. In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence.[6]
I know saying Google removed Don't Be Evil is something of a trope, but the truth is a little more complicated. And, of course, the presence or absence of this phrase has no necessary bearing on the degree to which they are perceived as evil or not!
Think about Apple's policies regarding IAPs. You're not allowed to tell your customers in your app that they can do the purchases on your webserver etc.
The benevolent days of Apple ended when they removed the expansion slots from their computers, if not earlier.
In defense of Google, they really like having a lot of money.
Let P = "Don't be evil" and Q = "make lots of money".
Q was nothing new. They always wanted Q. But Google made a fundamental breakthrough in business logic, discovering that P -> ¬Q.
It should be noted that ¬P -> Q is not automatically implied. Plenty of companies are ¬P ∧ ¬Q. Perhaps they are not ¬P enough? Perhaps they are too much ¬P? But very few manage to be purely P ∧ Q.
This has been happening for a long time. Hardware and software that you can't control is becoming normalized. If they had done this 10 years ago with the same customers, those customers would be shocked or weirded out but right now, many of them will just wait it out or change their host.
Don't limit freedom at once. Do it one by one so the impact seems low.
What are the chances that any of the big tech companies take orders from a fascist to block all the harmful software in their country?
Non-zero. People in HK know this. I want to know how they felt about their choice to buy an iPhone at that moment.
Because we can't have nice things, Apple has to check that apps are signed with a current certificate for safety and security reasons. OCSP tells the client if the certificate has been revoked or not.
Try opening a non-https web page; you'll get a bunch of ominous warnings from all major browsers.
Browser certificates need to be OCSP signed for the browser to trust them. You can't even get a new cert if the issuer's OCSP server goes down, which does happen on occasion.
There are so many dependencies to ensure we're not running malware infected apps that sometimes things break.
Let’s not get carried away; every major tech company has had some version of this happen at one time or another.
FWIW, I haven't experienced any issues with my iMac running Big Sur running Apple or 3rd party apps all day.
This used to be true, but neither Chrome nor Firefox actually check CRLs or OCSP that much. They'll accept OCSP-stapling, but that's about it.
This is a very serious concern for Enterprise PKI systems: revoking certificates is now virtually impossible. CRLs and OCSP do practically nothing.
Google especially has unilaterally decided that Enterprise PKI systems don't matter. They have established a new "standard" called Certificate Transparency, which they use to make CRLSets that they publish as Chrome updates.
Which is fine I suppose for public CAs, but utterly useless on internal-use private CAs on local networks, especially those with lots of BYOD or guest/partner systems. Think universities or hospitals.
Google has become a juggernaut with more control over computing in general (not even just the Internet!) than all of the world governments put together.
I have no problem with checking binaries when I launch them for security. I imagine many of the virus checking apps for Windows probably call home with similar information. I doubt very much I'm leaking any personal information.
What is frustrating is they didn't handle this situation like they do if I'm offline - don't get a ping back in less than 500ms or whatever? Go ahead and open anyway. That would have solved this eventuality.
> don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway
how do you do that without defeating the security? Now a malicious attacker just has to wait for a moment when you aren't connected before launching their payload.
Even when it works right, it’s transmitting the apps that you use, as well as your timestamped coarse geolocation (from client IP) to Apple, which logs all of it. It’s good for city-level location.
They know what times you're at home, and what apps you're using there. They know what times you're at work. They know what times you're tethered. They know when you travel, and to which cities. They know when you're on a friend's Wi-Fi, and they know which apps you open from that connection.
Apple is a partner in the US military’s PRISM spying program, so this log is available to US military intelligence at any time without a warrant.
Thanks to API changes in Big Sur, it’s impossible to use Little Snitch to block these system level connections, and they will also bypass any configured VPN. To control this, you’ll need to use external network hardware, like a travel router that you can operate a vpn/firewall on.
Big Sur is the only OS that will run on the new Apple Silicon macs, so it’ll be impossible to use the new machines without leaking your track log and app usage history in a way that is available to the FBI/CIA/et al whenever they want it.
Note also that Apple recently backdoored iMessage’s end-to-end encryption by defaulting the non e2e-encrypted iCloud Backup to on for all users: it backs up (to Apple) your device’s complete plaintext iMessage history, as well as your device’s iMessage keys, using Apple keys, each night when you plug it in. You should immediately stop using iMessage as a result of this, because even if you have disabled iCloud or iCloud Backup, your conversation partners likely have it enabled. iMessage is no longer meaningfully encrypted.
Apple’s marketing about privacy is lip service, not real.
I just ordered one, and let me tell you something - I didn't expect this to happen.
If I knew - I might still have ordered one, because I like ARM and battery life. But this reaffirms the observed trend of Apple becoming more of an owner of the machine that supposedly I own.
I'll attempt to shut it down (at least now, it still observes /etc/hosts) - but when I can no longer do that, I'll leave Apple forever, hopefully by then other hardware manufacturers have caught up in UX.
In short, the vast majority of users never need or want fine-grained control over their computers. In the HN community, we are mostly edge cases in terms of computer usage & functionality requirements.
I believe this is why there has never been any mass pushback against iOS/Android (even if Android is slightly better in this respect).
Further, neither iOS nor Android (and now OS X) have instituted huge restrictive changes all at once. Restrictions are gradual & creeping, basically moving the Overton window of what is accepted.
Or just run BlueStacks, which is necessary to run Among Us (the popular game since lockdown), which isn’t signed because it’s an emulator. And it requires the “Control this mac” permission. Unsigned. There are many, many cases in which users are faced with unsigned apps.
I think it comes down to humans being creatures of habit and conservation of energy. I've seen people buy macs even after seeing all the flaws because it's what they're used to and don't want to exert energy learning a new OS and environment. Apple used to make great products and I think people still cling on to that thought, even though their quality has been degrading these past years. Something needs to be 10x better (or at least perceived that way) for people to switch and switching to a new OS for them is probably like a 1x improvement so not worth the time cost.
The alternative to a poor binary checking and cert revocation process isn't to get rid of binary signing and cert revocation.
I don't want that. I don't think it would serve Apple's customers to get rid of binary signing either.
Since there are no legal ramifications for security bugs that cause downtime, or for bugs that cause other functionality that goes down, I'm not sure why this particular bug would be any different. It's certainly not as bad as losing one's Google account permanently without recourse.
This issue is clearly a bug. It is an accidental denial of service attack on the client.
It will get fixed pretty easily: Apple will add some combination of a timeout and a request back-off to their client, to properly handle the situation of a server that is reachable but not sufficiently responsive.
Apple clearly does not mean to make their devices unresponsive if the server is offline, because pointing requests at localhost resolves the issue.
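Two points in this thread are easy to show in code: the earlier observation that a refused or unroutable connection fails fast while silently dropped packets leave the client waiting for as long as it is willing to wait, and this comment's suggestion that a timeout plus request back-off is the fix for a responder that is reachable but not responsive. The following is an added example, not Apple's code and not from any commenter; the responder, the request and reply bytes, the status names and the back-off parameters are all constructed stand-ins for the real OCSP exchange. It spins up throwaway localhost listeners to play a healthy responder and a silent one, and a client that bounds its wait.

```python
"""Bounded-wait trust check: fail fast on refusal, give up on silence (constructed example)."""
import socket
import threading
import time

# Constructed stand-ins for a real OCSP request/response; the real format is DER-encoded ASN.1.
REQUEST = b"OCSP-REQUEST serial=0x01\n"
GOOD_REPLY = b"OCSP-STATUS: good\n"


def start_server(behaviour):
    """Start a one-shot localhost listener and return its port.

    behaviour == "good":      accept the connection, read the request, answer at once.
    behaviour == "blackhole": accept the connection and never send a byte, which is what
                              a firewall that drops packets (rather than sending RST)
                              looks like to the client: a connection that is up but silent.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "good":
                conn.recv(len(REQUEST))
                conn.sendall(GOOD_REPLY)
            else:
                time.sleep(2.0)  # hold the connection open and say nothing
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Pick a port nothing listens on: connecting to it gets an immediate RST (refused)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def check_revocation(port, budget_s=0.5):
    """Query the (simulated) responder with a hard deadline.

    Returns (status, elapsed_seconds) where status is one of:
      "good"       responder answered within the budget
      "fail-fast"  connection refused/reset: the OS told us immediately, no waiting
      "deadline"   responder reachable but silent past the budget: we stop waiting
      "unknown"    responder answered with something we do not recognise
    """
    start = time.monotonic()
    deadline = start + budget_s
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=budget_s) as s:
            # Whatever connect() consumed comes out of the same budget.
            s.settimeout(max(0.01, deadline - time.monotonic()))
            s.sendall(REQUEST)
            data = s.recv(len(GOOD_REPLY))
            status = "good" if data == GOOD_REPLY else "unknown"
    except socket.timeout:
        status = "deadline"
    except OSError:          # ConnectionRefusedError, ConnectionResetError, unroutable, ...
        status = "fail-fast"
    return status, time.monotonic() - start


def next_retry_delay(attempt, base_s=1.0, cap_s=60.0):
    """Capped exponential back-off between retries against a responder that is up but slow,
    so thousands of clients do not hammer it while it recovers."""
    return min(cap_s, base_s * (2 ** attempt))


def launch_decision(status):
    """Map a check result to a launch policy.

    The thread describes macOS skipping the check when offline; treating a silent
    responder the same way removes the hang. The trade-off raised elsewhere in the
    thread still applies (an unanswered check is an unchecked launch), so the
    unverified path is labelled distinctly so a caller can retry in the background.
    """
    if status == "revoked":
        return "block"
    if status == "good":
        return "allow"
    return "allow-unverified"


if __name__ == "__main__":
    cases = [("refused", unused_port()),
             ("blackhole", start_server("blackhole")),
             ("good", start_server("good"))]
    for name, port in cases:
        status, elapsed = check_revocation(port)
        print(f"{name:9s} -> {status:16s} after {elapsed:.2f}s, decision: {launch_decision(status)}")
```

Run stand-alone it prints one line per case; the refused case returns in milliseconds, the silent one only when the budget is exhausted, which is the whole difference the earlier comment describes. The budget and back-off values are arbitrary and would be tuned against real responder latency.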
I disagree. It isn't a bug because it was explicitly designed to behave this way.
The solution won't be to fix a defect, but to change the design, which is completely flawed. They should have pushed revocations from the beginning rather than requiring every system on the planet to poll a service. What were they thinking? And that does make one wonder whether there weren't other reasons for this behaviour besides "security".
> I'm puzzled that people are willing buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down.
For the same reason every human frequently makes decisions with greater-than-zero risk: because we're either unaware of the risk, or because we believe the tradeoff is a good one, and the benefits are worth the risk-adjusted costs.
I don't like this behaviour at all, and find it frustrating at times (e.g. apps slow to launch when my internet connection drops out temporarily).
Having said that, it's not enough to get me to switch platforms. I'm able to work around the problem (using Little Snitch, see other replies), and there are a ton of factors that go into my decision of which hardware/OS to use, all of them involving tradeoffs. The only viable alternatives, Windows and Linux, have their downsides too. Some people prefer those over macs and that's fine; it's a choice people make based on their particular situation.
That's all nice and well, but what if some country decides that your country will still have Internet access, but a "degraded experience" to Apple's central infrastructure?
Still sounds to me like Apple rolled out a huge (logical) trojan horse, as a potential weapon in terms of nation state cyber warfare.
Probably not at all with that intention. But I doubt that any government willing to abuse this "opportunity" will give a fuck about that. Don't underestimate the power (and disruptive) effects of being able to practically disable a whole brand of popular computer hardware. Heck, even the ability to threaten with it (privately, through diplomatic channels) can (and probably should) be considered a serious weapon. So yeah .. "thank you" Apple.
From my experience during this outage, the ability for the computer to "open" may not actually mean much. While trying to fix what I assumed was a localized software issue I rebooted my machine. Typically this takes a minute or two. However during Apple's systems outage my rebooting took approximately an hour before my computer was in any way functional again.
In this case, any app would take five to ten minutes to open. While that technically means "it still opens", it effectively renders the computer unusable.
(And that's after I realized that they will eventually open. Originally I rebooted the machine before any app had had a chance to open.)
A lot of it is just people parroting the same old boring tropes. They couldn't believe Linux had gotten easier to use than Windows. I know this. I installed Windows a few days ago. I can't install Steam or Chromium without getting blocked by Windows. I have to download them from external sites while both of these are available in the software store on Ubuntu. It nagged me to log in, switched my browser to Edge after updates, forced me to read a marketing manual before starting the OS.
The search is useless. On Linux, it's so much better.
I had to download and run a bunch of scripts to get rid of the amount of data it was sending back home. I had to remove the bloat and ads it came with.
Give https://pop.system76.com/ a try if you don't believe that Linux is easier to use. Most people don't need to open the terminal anymore.
I used to be a macOS user from System 7 to Sierra. I owned an iPhone from 2007 until a few months ago. I have completely switched away from Apple. It absolutely boggles my mind how popular Apple still is. Apple's quality is absolute garbage now; this latest incident is just a drop in the bucket.
I'm sure I'll get downvoted, but I just had to get this off my chest. Why people still buy Apple today, I positively can not comprehend.
The main design fuck-up is that instead of independent Personal Computers we have terminals connected to one huge server, which violates the whole idea and meaning of Personal Computer and what the word "Personal" should mean.
The worst part of this is that Apple could have easily predicted this, that there would be demand to download the new OS, and put in place measures to prevent this from happening. I guess they just do not care.
> All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.
Apple gave a detailed explanation. It was a server misconfiguration combined with a CDN issue which caused the OCSP certificate check to stop working, which caused Apple's system for ensuring certificates haven't been revoked to stop working:
“We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices,” clarified the company.
“Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures,” says Apple, further emphasizing, “These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs,” details Apple.
To your first paragraph, how many people globally do you think know that this is how it works?
Apple don't publicly go out of their way to tell you that this is how it works. You make a great point that the way it works is bad and I think everyone agrees with that. But it's the limited knowledge that the OS operates this way that keeps consumers purchasing their products.
I need XCode to build software for iOS and OSX, and there isn't to my knowledge any other feasible, performant and off-line capable way to do that besides running OSX on a Mac.
This is the only reason I had to move away from (arch) linux and it saddens me every day.
I think it is because a lot of people still believe and repeat old tropes which are demonstrably false these days. Despite having the worst keyboard, buying third party apps to have features which most of the other OSes in the market provide as standard, more lock down of their OS every year, Apple fans continue to buy them. Apple's powerful marketing, which is full of weasel words, keeps them in their own bubble.
I buy em cause Apple laptops just maintain their quality way longer than other laptops. All the other laptops I’ve had start losing all their charge within 30 mins after a year or two. My 5 year old MacBook still can go probably 2 or 3 hours on a full battery charge.
You're missing the point. I don't care if Apple has the most reliable servers in the world. Phoning home the hashes of the binaries you run is an outright violation of user privacy.
I think the problem is that almost all the software you buy a mac for (or even things that mac users like) has this built in but calls to the developer's servers instead.
The amount of time you save by having a computer that "just works" 99%+ of the time is far greater than the occasional time lost by shit like this.
I'd love it if someone other than Apple made a competent PC that was as clean, reliable, and comparatively free of bullshit. Unfortunately Apple has a monopoly on cleanly designed computers.
This is almost as bad as relying on China for Personal Protective Equipment and quickly running out during the pandemic earlier this year.
Imagine if the USA actually comes under an attack. The Apple spaceship would be high on the list of targets. All of a sudden hospitals can't run their computers or communications. Disaster!
Here is another tweet that describes the problem in more detail:
https://mobile.twitter.com/llanga/status/1326989724704268289
> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.
EDIT:
As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:
And this is why I won't be moving to Apple silicon. Apple already has the ability to restrict what apps I can run (they can simply toggle a switch for all users to "no unsigned binaries"), and congrats! Apple is the sole decider of what we get to use on our computers.
Of course Apple's Craig Federighi assures us that the people making such assertions are "tools" (https://youtu.be/Hg9F1Qjv3iU?t=3177 , timestamp 53:33) and they have no intention whatsoever of taking away our ability to do general compute on the machines we buy and own.
Except...
Apple can already decide what binaries you can execute. Should they choose to.
Apple is now restricting what other OSes you can boot into. As they've chosen to.
Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.
It's clear where they're going. And I'm jumping ship. It's painful to do so, given how invested I am in the ecosystem, but we're already beyond the threshold that many of us would have left earlier in the decade.
---
edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer. Most non-Apple laptops don't have very good color accuracy. They also don't have good trackpads, and their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)
I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad so that I don't have to carry around a mouse, good speakers would be a plus, and light enough that I don't feel like I'm lifting weights while working on my laptop. And this package should ideally come with 512GB of SSD storage and, at least, 16GB to 32GB of RAM.
Oh and it shouldn't be more expensive than a Mac as many of these laptops are!
Any suggestions?
Dell Precision, HP Elite Book, MSI Prestige
In the consumer world the Dell XPS, Asus Zenbook, Asus Pro Art are the way to go for a designer.
Dell Precision is probably the overall best laptop. MSI Prestige is targeted right at you though, with color accuracy and a good display. The only brand I can personally vouch for is Dell. I and my partner use XPS's, and a good friend of mine has a super nice Precision that I am jealous of (specifically the ports! I'm so over USB-C)
That switch was toggled with Big Sur and Apple silicon: https://mjtsai.com/blog/2020/08/19/apple-silicon-macs-to-req...
Here's a list of the laptops with the best displays: https://www.notebookcheck.net/The-Best-Notebooks-with-the-Be...
And here's a list of general multimedia laptops that would be roughly equivalent to a MacBook Pro: https://www.notebookcheck.net/Notebookcheck-s-Top-10-Multime...
Dave2d on YouTube gives pretty short and decent laptop reviews. I think he has a discord channel discussing the machines too
I switched away from Macbook Pro about a year ago, after using Apple hardware for about a decade.
It's working great, GNOME interface is solid and productive, Manjaro and AUR libraries just work. Highly recommend making the move, sooner the better as I'm sure you see the writing on the wall.
Pros that Macbooks don't have: USB-A (along with USB-C), no touch bar, 3:2 screen, can enable secure boot if I choose, so I feel like I'll be able to run whatever I want on it, replaceable SSD, etc.
Pros that Macbooks also have: still has a great build quality, full day battery
Cons that both have: Non replaceable RAM
My requirements have all been fulfilled with the Huawei MateBook X Pro.
You could say it's heavily inspired by the MacBook. Aluminum case. Chiclet keyboard with decent travel. 2000x3000 display (2:3 ratio!). Awesome trackpad. Good battery life. Portable. Solid. 2x USB-C and 1x USB-A. Sustained multiple drops.
For context, I am able to pull solid 12-hour days on the device, without a mouse, without fatigue or frustration.
Cheaper than a MacBook. Might be worth a look.
Recommendations for linux laptops (or check out https://linuxpreloaded.com/ ):
* Tuxedo https://www.tuxedocomputers.com
~1000$ 1.5kg, Their 15", 1080p flagship is configurable with AMD Ryzen 7 4700U, 32GB RAM, 500GB M.2
They also have more expensive versions with 4k OLED displays if that's what you're into. Also 13".
* KDE Slimbook https://slimbook.es/en/store/slimbook-kde/kde-slimbook-15-co...
~1200$ 1.5kg, 15", 1080p, AMD Ryzen 4800 H, 32GB RAM, 500GB NVMe
* System76 https://system76.com/laptops/gaze15/configure
~1350$ 2.2kg, 15", 1080p, i7-10750H, 32GB DDR4, 500GB NVMe
* Purism http://shop.puri.sm/shop/librem-15
They're trying to become an open-source Apple --> high prices, own linux distro, trying to make their own ecosystem, etc.
~2000$ 1.8kg, 15", 4K, Core i7 7500U (Kabylake), 32GB RAM, 500GB NVMe
Those are laptops with numeric keypads, the trackpad is still centred relative to the "main area" of the keyboard (the home row and in particular the rest keys - the two keys with a little bump, F and J on a QWERTY) but it is off-centre relative to the body of the laptop due to the presence of the keypad.
Macs don't have numpads so if you've always used Macs it's understandable that you're not familiar with this type of layout.
In any case that type of placement makes no difference while you are using the laptop, because keys and touchpad are still where they are supposed to be relative to each other.
I would agree on designer.
Absolutely not on developer or researcher.
Actually MacOS is, for the reasons you mentioned, incredibly developer-unfriendly (unless your target is of course the iOS ecosystem).
And for research there is no better platform than Linux. Unless you are in clicky-colorful frontend applications, where I would doubt you are doing serious research.
It seems the iPhone 12 is already rejecting non-original parts, even if the part comes from another iPhone 12: https://news.ycombinator.com/item?id=24924761
I'm currently in the same boat as you and my next machine will be from these guys when my (admittedly very new) Macbook Pro gives up or gets taken over by Apple.
Apple has a pretty broad utility patent around their trackpads, which requires other manufacturers to work around what would seem like pretty obvious things.
PDF: http://assets.sbnation.com/assets/2017767/USD674382S1.pdf
I use arch linux on a Lenovo Thinkpad T580, and I'm really happy with it, but I'm not sure about the colour accuracy of the screen. I doubt it's as good as you find on an Apple.
I, for one, am really interested in good, high quality alternative to apple laptop hardware, that meet the parent's criteria.
It's very similar to the X1 Carbon but converts to a tablet and it has an aluminum body.
I can't say I'm out of the apple ecosystem entirely, but I decided to spend my money elsewhere given the abysmal quality of the macbook pro line these days.
Trackpad is as good as it gets outside Apple, I'd say.
The display looks gorgeous. Can't say about color accuracy/fidelity though.
Clearly there's no need to jump ship if it's more expensive on the other side.
Buy something without a number pad. Unfortunately most 15" laptops do have one.
If anybody from HP is reading this, I'll pay extra for a keyboard without a number pad on your 15" ZBooks with 3 buttons on the touchpad. Space bar and touchpad aligned with the center of the screen please.
It is off center if they have a number pad to the right of the normal keyboard layout. At first glance it looks weird, but it is 100% what you would want if you were using the laptop. Otherwise the trackpad would end up being right over where your right wrist is.
Sounds like you might want a Microsoft surface (or surface book).
Not sure about the TouchPad - but at least there's a pen for drawing on the screen.
https://starlabs.systems/pages/laptops
I don’t like the boot thing either, and it’s a bit scary not being on intel as everyone else is right now, but I also think ARM feels really interesting and it might turn out to be a great new platform!
Edit: I mean it is not like they never listen, they did take back the Mac Pro, they did fix the keyboards, you have CLI tools to make a lot of changes in how macOS works, etc. Of course I would like hundreds of things to be different, but I believe that is true of all platforms.
And then almost none of those bad things happen. I've witnessed this dozens of times now, so a safe interpretation would be to assume that this time none of those things happen.
And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.
Apple folks in this thread, this was terrible
Idk, the several Linux distros I’ve used recently, and Windows, have a much longer list of “shit _I_ put up with”
Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.
As developers and engineers, we ought to be jumping off this platform like a sinking ship. It's clear that they want to lock it down like the iPhone. Why else would they be measuring which apps are in use if they didn't want to control it?
If your argument is "compatibility research", you're missing the other warning signs.
Right there with ya.
That's another case of a product not doing its primary function - an OS running apps - because the company placed their own (data gathering) objective above it. See thermostats not turning on heat when the internet connection is down and other equally stupid examples...
Just a small reminder that this can soon stop working: Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur - https://news.ycombinator.com/item?id=24838816
Edit:
Just reached out to Dang with a request to correct my typo.
So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?
Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.
Or if you do, only do it for a set of known bad ones, as antivirus products do.
Do not put a cloud service (or anything for that matter) between the users and their ability to run what they want.
Never block me from opening something, but warn me about bad stuff on a regular basis.
You can also run these commands to disable ocsp (and crl) since it can no longer be accomplished in Keychain Access → Preferences:
But when the endpoint is dying and it gets called every time you try to run any binary…
This is about when I remember seeing it: https://medium.com/@acecilia/apple-is-sending-a-request-to-t...
I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.
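The availability failure discussed in this comment, shown as an added example that is not from the thread and not Apple's implementation: a revocation lookup wrapper that bounds the responder call with a timeout, keeps a last-known-good cache, and fails open, so a dead responder is observed as "unknown" instead of hanging every launch. The responder, certificate ids and timings are constructed for the demo.

```python
"""Added example (not from the thread, not Apple's code): a revocation check
that cannot take the launch path down with it.

The point argued above is that a per-launch check against a remote responder
must be bounded and must fail open. This models that with a constructed,
in-memory responder; nothing here touches the network."""
import threading
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder unreachable, errored, or timed out


@dataclass
class CachedAnswer:
    status: Status
    expires_at: float  # in the checker's clock units (monotonic seconds)


class RevocationChecker:
    """Wraps a responder callable so that a slow or dead responder is seen as
    UNKNOWN after `timeout_s` instead of blocking the caller indefinitely."""

    def __init__(self, responder: Callable[[str], Status], timeout_s: float = 0.2,
                 cache_ttl_s: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._responder = responder
        self._timeout = timeout_s
        self._ttl = cache_ttl_s
        self._clock = clock
        self._cache: Dict[str, CachedAnswer] = {}

    def check(self, cert_id: str) -> Status:
        now = self._clock()
        cached = self._cache.get(cert_id)
        if cached is not None and cached.expires_at > now:
            return cached.status  # fresh answer: no round trip at all
        fresh = self._ask_with_timeout(cert_id)
        if fresh is None:
            # Soft-fail: a stale answer beats no answer; otherwise UNKNOWN.
            return cached.status if cached is not None else Status.UNKNOWN
        self._cache[cert_id] = CachedAnswer(fresh, now + self._ttl)
        return fresh

    def _ask_with_timeout(self, cert_id: str) -> Optional[Status]:
        box: Dict[str, Status] = {}

        def worker() -> None:
            try:
                box["status"] = self._responder(cert_id)
            except Exception:
                pass  # an erroring responder is treated like no answer

        t = threading.Thread(target=worker, daemon=True)
        t.start()
        t.join(self._timeout)
        return box.get("status")  # None if still running or errored


def may_launch(status: Status, fail_open: bool = True) -> bool:
    """Launch policy. Failing open, only a definitive REVOKED blocks.
    A fail-closed policy also blocks on UNKNOWN, which is what turns a
    responder outage into a system-wide inability to start anything."""
    if status is Status.REVOKED:
        return False
    if status is Status.UNKNOWN:
        return fail_open
    return True


# Constructed responders standing in for a real revocation service.
KNOWN: Dict[str, Status] = {"cert-good": Status.GOOD, "cert-revoked": Status.REVOKED}


def healthy_responder(cert_id: str) -> Status:
    return KNOWN.get(cert_id, Status.UNKNOWN)


def dead_responder(cert_id: str) -> Status:
    time.sleep(5.0)  # simulates dropped packets: never answers in time
    return healthy_responder(cert_id)


def demo_outage() -> Tuple[Status, bool, bool, float]:
    """Returns (status, fail-open decision, fail-closed decision, seconds taken)."""
    checker = RevocationChecker(dead_responder, timeout_s=0.2)
    start = time.monotonic()
    status = checker.check("cert-good")
    elapsed = time.monotonic() - start
    return status, may_launch(status, True), may_launch(status, False), elapsed


if __name__ == "__main__":
    print(demo_outage())
```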
Yeah, these _could_ be unrelated issues to what has been going on in Apple land today, but it's uncanny...
When was `trustd` introduced?
I think you were just lucky to not open non-Apple applications during the outage.
I've been using the Big Sur beta for some time and one of the things that annoyed me a bit was the sudden lack of responsiveness, which is a tad annoying given that I upgraded to a 16-inch MBP earlier this year and everything felt so snappy.
Disable IPv6: sudo networksetup -setv6off Wi-Fi (where Wi-Fi is the name of the network service)
Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.
[1]: https://www.unix.com/man-page/FreeBSD/8/ipfw/
Apple VPs who are listening, especially Craig Federighi - here is an early warning for you. The HN crowd may seem fringe, but they are living in the future. I de-Googled my entire life over similar transgressions by Google and several of my friends are gradually going through the same process, albeit more slowly.
And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook. No one is going to catch Apple on performance and form factor for a long time, but I'm willing to invest in a long-term ecosystem that won't allow things like this...as long as I don't need to debug audio drivers. I am done with that phase of my life.
So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.
(I looked at Alienware's M2 and M3, but it cost about the same as an MBP16 but with more blue LEDs.)
The other thing that really can't be discounted here is that a lot of the HN crowd are likely the default go-to people in their circle of family and friends for this sort of stuff, and in many cases they may also have major purchasing influence and technical decision making power in their respective businesses. Turning off one of them may be inconsequential on its own in the short term, but it could seriously add up to a lot more destroyed mindshare and significantly more "lost" sales over time.
I used to think it didn't matter what tools I chose as a lone developer making consumer tech products and DSP audio applications. But over time, I saw that consumers rely on frontier-makers for fast-moving tech choices more than you’d think, even if they lag a few years behind.
When enough people make a choice, a tipping point forms in the future. Paul Graham wrote about this in "The Return of the Mac", and I believe a tipping point is forming: http://www.paulgraham.com/mac.html
If Apple wants to ride on privacy, then it will fall on privacy.
I'm experimenting with Linux these days. There are some minor annoyances with using an outdated version of macOS. Unfortunately those apply to not just one or two apps, but every part of the OS when using Linux. Basic things like WiFi drivers or sleep support. I'm encouraged by the trackpad driver project, but it's not there yet. So I'm still hanging on to my 2014 Retina MacBook Pro using 10.13, until some Linux distro catches up. I feel like that will happen soon though.
I really don’t think the HN community is at all representative of what the masses think about. Just like in any online community, it is easy to think that the thoughts of that community somewhat resemble those of most people when that simply isn’t true. HN’s base consists largely of developers who are up to date with most things in the technology industry.
The rest of the world doesn’t really care enough to compromise the comfort and reliability of Google’s suite, which, let's be honest, outperforms its competition by a sizeable margin, and does so with a “free” price tag.
People on HN have talked about de-googling for years and I have yet to see someone outside of the computer development scene do it (or even talk about it for that matter).
A surprising handful of non-tech people have asked me, "Hey, I see you use DuckDuckGo. Why not Google?" And then we have the conversation - it's a short conversation:
Well, you cannot prosper in an environment if you operate on inaccurate or censored information. Google & YouTube censor information and track everything you search for or watch. Today your views align, tomorrow they may not.
Secondly, you must insure yourself against tail risks, and having your Gmail account "cancelled" is a yuuuge tail risk. Therefore, avoid bundled Google products.
Then a few months will go by, and I'll see they are now using Firefox and DDG.
When you have these conversations, it's important that it not be about your identity (open source! Linux!), but about risk-aversion.
I was also hit by this outage today, at work, on my work laptop, while I was working. Apple literally cost me time and my employer money today, because their lack of foresight or inadequate provisioning of servers or whatever the fuck it was, fucked up my laptop. No good reason. They just fucked up, and it cost something.
Apple iPhones seem even worse than Android, honestly.
They have burnt a lot of good faith post Steve Jobs. But judging from current Apple management, they won't act until sales numbers decline. As shown by the MacBook Pro keyboard fiasco. And to make it worse, they seem to think of most of these problems as PR and marketing problems and dial up the marketing instead of actually fixing it.
( You can see that with Apple's marketing, especially with recent iPhone 12, with VPs explaining in podcast )
Keyboard sucks. Is it a tablet trying to be a laptop? Or a laptop moonlighting as a tablet?
Stylus sucks. It doesn’t have the accuracy of the iPad. And it always had a weird parallax feeling, so I gave up on using it. And the software was just mediocre.
I gave up and bought a Lenovo T4xx series laptop. Installed a dual boot Linux Ubuntu on it. Best. Computer. Laptop. Ever.
Thinkpad X1 Extreme Gen 2 is what I use and I'm very happy with it. My requirements were a moderately high-performance laptop, hybrid/discrete graphics, not excessively bulky and good Linux support. I can't fault my choice. The only issue I had with hardware compatibility under Linux was due to me receiving it a couple days after launch and the drivers for the wifi card not yet being in the kernel used by Debian or Ubuntu (no longer an issue iirc). Happy to answer any specific questions you have.
The point is, things like this should never happen in the first place.
They are probably checking how far they can go, before it affects their bottom line.
There was a time I remember when various things with Linux installations were often quirky or troublesome to get working well with certain laptop hardware, but I'm convinced now that this situation has improved tremendously since then...at least from my recent experience and hearing other good things about the Dell XPS and various ThinkPad models, and of course System76 (although I haven't had a chance to try one of those myself yet).
So if the dev edition fits your needs, consider buying this one.
Reference: https://en.wikipedia.org/wiki/Microsoft_SmartScreen#Windows
(also I should know, I worked on a tiny part of this feature in IE9 and Windows 8)
But overall I am pretty happy with Windows being my daily driver now that they have WSL.
Try to install an apk without internet connection, and then try over a slow 3G connection to see the several(!) minutes it takes.
If your phone has the old style data arrows, you will see the upload one all the time while you stare at the "installing" screen.
It has some design flaws ("hybrid power") but what is really messed up is the QC: I have ProSupport and already had 4 technicians over and am currently awaiting my third full replacement.
Issues are all over the place: faulty trackpad, extreme coil whine, broken display, etc. Perfect device for me if they could figure out their QC. If the next one is not perfect, I am getting a G14, which is the best performance/watt, performance/notebook volume and one of the best performing notebooks in general.
Also everyone developing applications in the cloud was eventually targeting Linux as the production OS, which is a pain if your development OS is pretty much hostile to anything command line.
MS then put a lot of money into getting a Linux-like command line and support into Windows with WSL.
They also got a bunch of influencers and devs to do their thing with improving that kind of developer experience.
Apple, however, has been sitting on their hands in this regard. They are moving exactly the opposite direction with this crowd.
I have no idea what rationale is behind that. Did they come to a different conclusion than Microsoft or are they just failing to execute on the strategy?
Apple sells silicon. They don't really care about developers; as long as they can pull enough users through the iPhone->iPad->Mac funnel, they have done their job of selling as much hardware as they can. In their view, developers bitch and moan but in the end will have to go where users go - at which point, Apple can tax them for access to the walled garden.
You'll keep buying Apple stuff. I know it, you know it and Apple knows it. If all of their past transgressions hadn't changed your mind you'll keep doing it. Cut the shit.
The Singles Day ad on the landing page made me think it was a domain squatting ad page.
Look into what state law protections you have. High ticket mail order items can usually be returned for a full refund for a fairly long time.
Finding out that it's phoning home about every binary you run is absolutely a good justification to return it. I would sooner throw out a computer that did that rather than use it.
I am short Google and have been trying to figure out how to short their stock from ZA without losing opportunity on growth of other, better stocks.
This code signing enforcement stuff has gone way too far. Heads should roll for this.
https://medium.com/sensorfu/how-my-application-ran-away-and-...
I've seen an identical problem where Chrome would hang for minutes when loading sites, and it was because I was in a firewalled environment that was outright dropping packets to Chrome's OCSP server.
Basically you'll get the usual GateKeeper window, but with a slightly different message, along the lines of "I can't check this binary in realtime but I trust the embedded notarization".
Imagine how many people would have lost their productivity, maybe not at the big corps or govt (I assume they use a version of Mac that calls somewhere else/doesn't). But very very many people.
After I restarted it I could actually launch apps other than terminal again.
The thing Apple does, on the other hand, with trusting themselves more than the user, is disgusting. I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
> I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
As a libertarian I can see the argument for getting rid of presumptive copyright (and tanking the US economy), but the government preventing people from entering into contracts that you don't like? That's just hypocritical.
Exactly this is happening with Apple now. Although Apple computers were fairly hackable in the past, with users being able to install Linux or Windows, that is changing. Apple is changing the hardware _and_ software to make it more difficult to do things that Apple does not approve of.
Stallman was keenly aware of this type of behaviour, and he was also aware that companies that have the potential to use this behaviour to this advantage, will often do so.
Apple wants to be in a position where they sell computers as appliances, and Apple Silicon is their step towards doing so.
By the way, I'm typing this on a Macbook pro that is no longer supported by Apple, but running Linux. I am not sure this would be possible in the world of Apple Silicon.
https://www.weforum.org/agenda/2016/11/shopping-i-can-t-real...
Author's note: Some people have read this blog as my utopia or dream of the future. It is not. It is a scenario showing where we could be heading - for better and for worse. I wrote this piece to start a discussion about some of the pros and cons of the current technological development. When we are dealing with the future, it is not enough to work with reports. We should start discussions in many new ways. This is the intention with this piece.
The article should not be read as an endorsement of that future. It's her prediction of what the world is going to look like, for better or for worse.
For years now, I've seen a large portion of the HN crowd praising Apple for its (alleged) respect of privacy and cursing at Microsoft for Windows "calling home" all the time. Now that this has happened, the only comments I see are "heads should roll", and "we must complain and be heard by high-level execs", but never "let's move away". This just reinforces my impression of the Apple ecosystem as something akin to a cult: Once you get in, you never get out again.
There are good alternatives - many people, including software engineers, use non-apple solutions on a daily basis and they are still productive. Why not give Linux a shot, or gasp even Windows? The age-old argument of "MS is evil, Apple good" is moot. Companies are generally not good or evil, they are profit-oriented. If the market demands privacy, they care about it, otherwise probably not so much.
Additionally, in order to move to Linux I need to find a good alternative to much other software that I'm using. Most commercial software only targets Windows or OSX.
For the record, I've written large parts of KDE, so I'm acutely familiar with running Linux as a Desktop Environment.
That's very uncharitable. Suggesting Windows as a potential alternative also sounds slightly comical given their history with Windows 10 and many people's required workflows, required because of work or other outside influence, make Linux less tenable.
A lot of people seem to suggest that if you have something to complain about then you should be moving on to something else, a vibe of 'appeal to perfection'. I think this is the same mentality that drives the distro hopping phenomenon. I'm not brainwashed because I live with the flaws of my OS choice and complain when things are changed that I don't like.
Windows is no better for telemetry, and the user experience doesn't at all fit well with how I work.
Linux I prefer to Windows but generally find the desktop experience lacking.
Linux only makes sense as a desktop operating system if your top priority is telling people online that you use Linux as your desktop operating system.
For other things? Maybe. Some nice GUI applications, while they can in theory be run on Windows through Cygwin, work well on Linux as well.
And some people just like performance / look-and-feel. Windows is often sluggish, while most Non-GNOME IDEs are pretty fast on usual hardware.
Then there is the updates problem. I have had Windows downloading updates even if the network was marked as metered in the past. Some LTS distro is often better. Unless you use Fedora or Arch, updates should be minimal.
I don't want to imply the Linux desktop is mature enough for all people. Just a reminder that there are valid reasons tech savvy people prefer it.
As they say, nothing is black and white.
I sure love the SAAS future we are heading forwards.
This is why I try out Linux every few years, and file lots of bug reports when I run into issues (mostly in applications - the core Linux kernel is solid). I've even contributed code to Linux apps that I don't intend to use right now.
Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond to just users in this case.
Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).
All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.
The answer is pretty simple: these problems are extremely rare, they don't last very long, and they tend to have fairly simple workarounds. You seem to have a principle that any non-zero chance of being affected by a problem of a certain type is a complete deal-breaker, but most people when buying a computer probably just subconsciously estimate the likelihood and impact of this type (and all other types) of problems and weigh that against other unrelated factors like price.
Furthermore, I would sort of disagree with the answer to why people would buy this. In terms of "most people buying a computer", the overwhelming majority of Apple customers are likely ignorant to this issue, and will continue to be.
In this context those are simply weasel words in my opinion.
That's exactly what happened in Hong Kong: https://www.nytimes.com/2019/10/09/technology/apple-hong-kon...
But it could never happen here...
(As someone pointed out, this does more than just prevent apps from running - it also leaks which apps you use and how often. Someone could ask Apple exactly when you started Tor browser, for example)
After decades of production operations, I have no complaints about how this was handled, and I expect they’ll investigate and patch any defects exposed by the outage.
I went for a walk when this happened and when I got back it was fixed. Works for me.
Feels problematic.
(Hint: I have literally never seen an example of one of our bank's customers being unable to bank because of this. I have seen heaps and heaps of examples of endpoint compromises resulting in people having their accounts cleaned out.)
And frankly, a benevolent dictatorship is basically the best government you can have, as long as you're part of the "in-group" who doesn't push boundaries, doesn't cause trouble, and supports the supreme ruler, Kim jon... cough* Apple.
---
The problem is that no matter how good the dictatorship might be today, it will eventually bite you. You will either develop a need that isn't addressed, or they will change the rules so you are no longer able to satisfy an existing need.
We're seeing this now with Google - Their motto was literally "don't be evil" for a long time. And during that golden period their users loved them. But as Google has shifted from "don't be evil" to "Make lots of money" people are starting to shift away.
Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.
EDIT: I'd add another way in which Google is like Russia and Apple like Singapore. Everyone kinda knows that Russia's leaders are a bit/a lot evil. There's still a debate about whether Singapore's leaders are evil.
The honeymoon is already over. A post like yours would have got several downvotes up to less than two years ago. I noticed that honest critics of Apple are tolerated now, since at least about one year ago.
Google's customers are not the users, they are the advertisers who rely on the data harvested by Google. The incentive to be evil is directly baked into the business model, and most users end up tolerating it because it is "FREE", and often the only viable option.
Apple's customers are the users. If Apple rocks the boat too much, their users might not feel so good about paying the premium prices Apple demands for its products. Making users upset is a direct threat to their business model.
> "Don't be evil" is a phrase used in Google's corporate code of conduct, which it also formerly preceded as a motto.
> Following Google's corporate restructuring under the conglomerate Alphabet Inc. in October 2015, Alphabet took "Do the right thing" as its motto, also forming the opening of its corporate code of conduct.[1][2][3][4][5] The original motto was retained in Google's code of conduct, now a subsidiary of Alphabet. In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence.[6]
I know saying Google removed Don't Be Evil is something of a trope, but the truth is a little more complicated. And, of course, the presence or absence of this phrase has no necessary bearing on the degree to which they are perceived as evil or not!
Have you seen Louis Rossmann's videos on Apple hardware repair?
The benevolent days of Apple ended when they removed the expansion slots from their computers, if not earlier.
Let P = "Don't be evil" and Q = "make lots of money".
Q was nothing new. They always wanted Q. But Google made a fundamental breakthrough in business logic, discovering that P -> ¬Q.
It should be noted that ¬P -> Q is not automatically implied. Plenty of companies are ¬P ∧ ¬Q. Perhaps they are not ¬P enough? Perhaps they are too much ¬P? But very few manage to be purely P ∧ Q.
Like so much of the modern security activity, it doesn't seem to be fully thought out, nor was the possibility of failure considered.
Or maybe such failures were considered and then dismissed? I don't know.
They may move to edge servers instead of centralized datacenters now though...
Don't limit freedom at once. Do it one by one so the impact seems low.
What are the chances that any of the big tech companies take orders from a fascist to block all the harmful software in their country?
Non-zero. People in HK know this. I want to know how they felt about their choice to buy an iPhone at that moment.
Because we can't have nice things, Apple has to check that apps are signed with a current certificate for safety and security reasons. OCSP tells the client if the certificate has been revoked or not.
Try opening a non-https web page; you'll get a bunch of ominous warnings from all major browsers.
Browser certificates need to be OCSP signed for the browser to trust them. You can't even get a new cert if the issuer’s OCSP server goes down, which does happen on occasion.
There are so many dependencies to ensure we're not running malware infected apps that sometimes things break.
Let’s not get carried away; every major tech company has had some version of this happen at one time or another.
FWIW, I haven't experienced any issues with my iMac running Big Sur running Apple or 3rd party apps all day.
This is a very serious concern for Enterprise PKI systems: revoking certificates is now virtually impossible. CRLs and OCSP do practically nothing.
Google especially has unilaterally decided that Enterprise PKI systems don't matter. They have established a new "standard" called Certificate Transparency, which they use to make CRLSets that they publish as Chrome updates.
Which is fine I suppose for public CAs, but utterly useless on internal-use private CAs on local networks, especially those with lots of BYOD or guest/partner systems. Think universities or hospitals.
Google has become a juggernaut with more control over computing in general (not even just the Internet!) than all of the world governments put together.
They're getting truly terrifying.
What is frustrating is they didn’t handle this situation like they do if I’m offline: don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway. That would have solved this eventuality.
How do you do that without defeating the security? Now a malicious attacker just has to wait for a moment when you aren't connected before launching their payload.
You should. It's no one's business when and how often you run a known Tor browser binary.
They know what times you're at home, and what apps you're using there. They know what times you're at work. They know what times you're tethered. They know when you travel, and to which cities. They know when you're on a friend's Wi-Fi, and they know which apps you open from that connection.
Apple is a partner in the US military’s PRISM spying program, so this log is available to US military intelligence at any time without a warrant.
Thanks to API changes in Big Sur, it’s impossible to use Little Snitch to block these system level connections, and they will also bypass any configured VPN. To control this, you’ll need to use external network hardware, like a travel router that you can operate a vpn/firewall on.
Big Sur is the only OS that will run on the new Apple Silicon macs, so it’ll be impossible to use the new machines without leaking your track log and app usage history in a way that is available to the FBI/CIA/et al whenever they want it.
Note also that Apple recently backdoored iMessage’s end-to-end encryption by defaulting the non e2e-encrypted iCloud Backup to on for all users: it backs up (to Apple) your device’s complete plaintext iMessage history, as well as your device’s iMessage keys, using Apple keys, each night when you plug it in. You should immediately stop using iMessage as a result of this, because even if you have disabled iCloud or iCloud Backup, your conversation partners likely have it enabled. iMessage is no longer meaningfully encrypted.
Apple’s marketing about privacy is lip service, not real.
False
If I knew - I might still have ordered one, because I like ARM and battery life. But this reaffirms the observed trend of Apple becoming more of an owner of the machine that supposedly I own.
I'll attempt to shut it down (at least now, it still observes /etc/hosts) - but when I can no longer do that, I'll leave Apple forever, hopefully by then other hardware manufacturers have caught up in UX.
I believe this is why there has never been any mass pushback against iOS/Android (even if Android is slightly better in this respect).
Further, neither iOS nor Android (and now OS X) have instituted huge restrictive changes all at once. Restrictions are gradual & creeping, basically moving the overton window of what is accepted.
Or just run BlueStacks, which is necessary to run Among Us (the popular game since lockdown), which isn’t signed because it’s an emulator. And it requires the “Control this mac” permission. Unsigned. There are many, many cases in which users are faced with unsigned apps.
I don't want that. I don't think it would serve Apple's customers to get rid of binary signing either.
Since there are no legal ramifications for security bugs that cause downtime, or for bugs that cause other functionality that goes down, I'm not sure why this particular bug would be any different. It's certainly not as bad as losing one's Google account permanently without recourse.
I really had no idea until today.
It will get fixed pretty easily: Apple will add some combination of a timeout and a request back-off to their client, to properly handle the situation of a server that is reachable but not sufficiently responsive.
Apple clearly does not mean to make their devices unresponsive if the server is offline, because pointing requests at localhost resolves the issue.
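The comment above describes the fix as "a timeout and a request back-off" plus a sane policy for a responder that is reachable but slow. The following is an added example, not Apple's code and not the behaviour of trustd or syspolicyd: a small revocation-check client that enforces a per-request timeout, retries with exponential back-off, falls back to a cached answer, and makes the fail-open versus fail-closed choice explicit (the trade-off argued over elsewhere in this thread). The responder is a constructed in-process stand-in; the certificate hashes are made-up labels.

```python
"""Revocation-check client with timeout, back-off and an explicit
fail-open / fail-closed policy.

Added example (not Apple's code): it models the behaviour the comment
above wishes for, a client that keeps working when the responder is
reachable but slow. The responder is simulated in-process, so this runs
offline; nothing here talks to a real OCSP server.
"""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Tuple


class Verdict(Enum):
    GOOD = "good"          # responder says the signing cert is valid
    REVOKED = "revoked"    # responder says the signing cert is revoked
    UNKNOWN = "unknown"    # no usable answer (timeout, unreachable)


class ResponderTimeout(Exception):
    """Responder reachable but did not answer within the timeout."""


class ResponderUnreachable(Exception):
    """No route to responder at all (offline, DNS failure, ...)."""


# Type of the (simulated) responder: (cert_hash, timeout_s) -> Verdict
Responder = Callable[[str, float], Verdict]


@dataclass
class RevocationClient:
    responder: Responder
    timeout_s: float = 0.5        # per-request budget
    max_retries: int = 2          # retries after the first attempt
    backoff_base_s: float = 0.05  # doubles on every retry
    cache_ttl_s: float = 3600.0   # how long a fresh answer is trusted
    fail_closed: bool = False     # block launches when there is no answer?
    clock: Callable[[], float] = time.monotonic
    sleep: Callable[[float], None] = time.sleep
    cache: Dict[str, Tuple[Verdict, float]] = field(default_factory=dict)

    def check(self, cert_hash: str) -> Verdict:
        """Return the best verdict obtainable without blocking the caller."""
        now = self.clock()
        cached = self.cache.get(cert_hash)
        if cached is not None and now - cached[1] < self.cache_ttl_s:
            return cached[0]  # fresh answer: no network round trip at all

        delay = self.backoff_base_s
        for attempt in range(self.max_retries + 1):
            try:
                verdict = self.responder(cert_hash, self.timeout_s)
            except ResponderUnreachable:
                break  # offline: retrying would only add latency
            except ResponderTimeout:
                if attempt < self.max_retries:
                    self.sleep(delay)  # back off so a struggling responder is not hammered
                    delay *= 2
                continue
            self.cache[cert_hash] = (verdict, now)
            return verdict

        if cached is not None:
            return cached[0]  # a stale answer beats no answer
        return Verdict.UNKNOWN

    def allow_launch(self, cert_hash: str) -> bool:
        """Policy decision: UNKNOWN is allowed unless fail_closed is set."""
        verdict = self.check(cert_hash)
        if verdict is Verdict.REVOKED:
            return False
        if verdict is Verdict.GOOD:
            return True
        return not self.fail_closed


def make_responder(latency_s: float, revoked=frozenset(), reachable: bool = True):
    """Constructed stand-in for an OCSP responder (not a real network client).

    It answers only when its simulated latency fits inside the caller's
    timeout, which is exactly the 'reachable but slow' case.
    """
    calls = []

    def responder(cert_hash: str, timeout_s: float) -> Verdict:
        calls.append(cert_hash)
        if not reachable:
            raise ResponderUnreachable()
        if latency_s > timeout_s:
            raise ResponderTimeout()
        return Verdict.REVOKED if cert_hash in revoked else Verdict.GOOD

    responder.calls = calls  # lets callers observe how many requests were made
    return responder


if __name__ == "__main__":
    slow = make_responder(latency_s=5.0)  # constructed: always slower than the budget
    client = RevocationClient(slow, sleep=lambda s: None)
    print(client.check("sha256:constructed-app"), client.allow_launch("sha256:constructed-app"))
```

The design choice worth noticing is that the timeout and the policy are separate knobs: the timeout bounds how long a launch can stall, the cache keeps a responder outage from turning into repeated stalls, and `fail_closed` is where the "attacker waits until you are offline" objection lives. Flipping it to `True` gives the strict behaviour at the cost of exactly the outage this thread is about.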
The solution won't be to fix a defect, but to change the design, which is completely flawed. They should have pushed revocations from the beginning rather than requiring every system on the planet to poll a service. What were they thinking? And that does make one wonder whether there weren't other reasons for this behaviour besides "security".
For the same reason every human frequently makes decisions with greater-than-zero risk: because we're either unaware of the risk, or because we believe the tradeoff is a good one, and the benefits are worth the risk-adjusted costs.
Having said that, it's not enough to get me to switch platforms. I'm able to work around the problem (using Little Snitch, see other replies), and there are a ton of factors that go into my decision of which hardware/OS to use, all of them involving tradeoffs. The only viable alternatives, Windows and Linux, have their downsides too. Some people prefer those over macs and that's fine; it's a choice people make based on their particular situation.
Still sounds to me like Apple rolled out a huge (logical) trojan horse, as a potential weapon in terms of nation state cyber warfare.
Probably not at all with that intention. But I doubt that any government willing to abuse this "opportunity" will give a fuck about that. Don't underestimate the power (and disruptive) effects of being able to practically disable a whole brand of popular computer hardware. Heck, even the ability to threaten with it (privately, through diplomatic channels) can (and probably should) be considered a serious weapon. So yeah .. "thank you" Apple.
(And that's after I realized that they will eventually open. Originally I rebooted the machine before any app had had a chance to open.)
The search is useless. On Linux, it's so much better.
I had to download and run a bunch of scripts to get rid of the amount of data it was sending back home. I had to remove the bloat and ads it came with.
Give https://pop.system76.com/ a try if you don't believe that Linux is easier to use. Most people don't need to open the terminal anymore.
While OSX was demanding that I identify a bluetooth keyboard... I don't have a bluetooth keyboard at all.
OSX is buggy and getting less and less usable. I'm finding myself working on Ubuntu and Windows more than OSX these days.
I'm sure I'll get downvoted, but I just had to get this off my chest. Why people still buy Apple today, I positively can not comprehend.
I really don’t get these kinds of comments.
Apple gave a detailed explanation. It was a server misconfiguration combined with a CDN issue which caused the OCSP certificate check to stop working, which caused Apple's system for ensuring certificates haven't been revoked to stop working:
https://news.ycombinator.com/item?id=25108108
Turns out Apple's MacBook business grew 39% last quarter: https://appleinsider.com/articles/20/11/16/apples-macbook-bu...
Apple don't publicly go out of their way to tell you that this is how it works. You make a great point that the way it works is bad and I think everyone agrees with that. But it's the limited knowledge that the OS operates this way that keeps consumers purchasing their products.
This is the only reason I had to move away from (arch) linux and it saddens me every day.
The central company server didn't go down. If it was down there would be no problem. The problem is that the server is slow.
Consumer and commercial software is just all bad.
I'm thinking specifically of Firefox, but others too.
I'd love it if someone other than Apple made a competent PC that was as clean, reliable, and comparatively free of bullshit. Unfortunately Apple has a monopoly on cleanly designed computers.
Imagine if the USA actually comes under an attack. The Apple spaceship would be high on the list of targets. All of a sudden hospitals can't run their computers or communications. Disaster!
If Apple servers actually go down, there's no issue.