Your Computer Isn't Yours

lorsque je disais il y a longtemps que Apple était devenu une secte …

iamapizza

289 points·1 day ago

I’d say that Linux has always been the only viable choice, it’s just that ‘shiny’ and deceptive marketing campaigns have fooled large swathes of people into believeing otherwise with Macos.

Marketing campaigns by trillion dollar companies don’t change facts, they merely serve as unhelpful distractions from the actual topic of privacy. If you want control, FOSS is the way. There is a lot of choice in this space too.

If anyone’s thinking of Linux, some good starting points are Ubuntu, Pop OS and Mint.

I agree with another poster here that Windows has other problems, but will say that despite those problems it’s still not the worst choice.

level 3

IamNotMike25

154 points·1 day ago

I feel like Linux has made a big leap the last few years.

10-20 years ago installing and getting things to run was a pain (missing drivers, packages, etc).

Today it’s a breeze. Everything just runs, design is better than Windows and there are plenty customizations.

With more and more apps going online, it’s a matter of time when more people can make the jump.

Final straw for me was being able to use Figma for design on Linux, replacing Photoshop (Figma in an Electron container).

yummy_crap_brick

4 points·1 day ago

The thing is, I switched about 12 years ago. I still had a laptop that ran Windows, but my primary machine went from XP to Linux. At the beginning, you will struggle, but unless you just make the leap, you will always have a reason not to.

You will sacrifice some usability, no question about it. You will give up some shiny features, yes. However, you’re getting a lot for the trade–that is if you’re interested in privacy and security. Over time, you’ll learn how to resolve your own issues, you’ll learn how to do things in a different way. I’m still terrible at compiling and installing from source, resolving dependencies and general application troubleshooting. However, I can get along and do what I need to do. I do get frustrated sometimes that doing something seemingly simple can end up eating a lot of time, but we learn to rise to the challenge.

I would advise you to just switch. Buy a cheap copy of Win10 and use it for must-have applications like Microsoft Office and maybe some specialty apps that might have to connect to hardware. Beyond that, do your day-to-day on Linux. There is tons of help now compared to 10+ years ago when I made the change. I recall 14+ years ago when I first attempted to use Slackware Linux and it was just a fucking headache. I don’t miss trying to install RPMs and chasing down a million missing parts by hand. It’s SO much better now.

1_p_freely

169 points·1 day ago

I switched to Linux because it was free, I am a cheap bastard, and I had “all the free time in the world to learn something new, so why not?”

I stay on Linux because my computer is in fact mine.

Best decision I ever made.

ProbablePenguin

8 points·1 day ago·edited 1 day ago

On higher end hardware my experience is it’s all pretty much the same, in some cases certain DE’s feel slower than W10 just due to the way they animate things so slowly. Unity or Gnome for example feel really slow to me even if they are working fine because of slow animations and generally massive UI buttons and windows.

With limited RAM, CPU, IOPS, etc you start to notice a significant boost in linux due to not having the insane amount of crap running in the background like windows does (at least, on most distros). Of course once you open a webbrowser with 20 tabs, and all your other software the difference becomes more minimal since those use a lot of resources on any OS.

Also, I’ve never gotten stellar battery life with linux on my thinkpad, no matter what I do it never runs quite as long as it does when booted into windows 10. Which is surprising given how much background stuff is always going on in windows.

level 3

TheMatten

8 points·1 day ago

Not a big brother - it’s more of a security issue that can potentially let Apple and 3rd parties track apps usage on Apple devices. I guess I don’t really agree with tone of the article either, it’s just that Apple seems to sometimes be a little bit hypocritical, investing a lot of time in restricting 3rd party apps while letting issues with their own software slip by - I mean e.g. that example with iCloud or numerous exploits in iOS 13.

SkidmarkStain

14 points·1 day ago

Anyone saying linux isnt viable hasnt tried lately. And be honest we are talking desktop. Nas systems, servers, and now desktop run everything. Pop os is great on laptops. If software is the problem, those companies should start seeing the trend. Or host nextcloud with collabora and ditch office suites.

polarhive

37 points·1 day ago

RMS was right.

With MacOS and Windows they own the computer. You just rent it from them. Period. He predicted it way back in the 1980s

Don’t forget it’s the GNU project which respects your freedom. Even Linux as in filled with proprietary software could turn into another windows especially with Microsoft trying to do their EEE strategy and porting their proprietary apps to Linux. http://esr.ibiblio.org/?p=8764

Demand and protect freedom. Use GNU/Linux

level 5

Fujinn981

4 points·1 day ago

How much earlier are we talking here? Because I don’t think I’ve talked to you in my life. A little dishonest of you since it’s easy to look at post history and prove that. The only comments I’ve had from you are today, all of which I have replied to and counter argued with. Try being a little more honest next time, shill.

Point 1: This very article proves it. If that’s not enough, here: https://www.gnu.org/proprietary/malware-apple.html#content Enjoy, the list of abuses goes on and on. Apple is just like Microsoft, Google and Facebook.

Point 2: What argument? All you said is basically “INSTALLING OTHER OPERATING SYSTEMS BAD.” that’s not an argument.

Point 3: There’s de-googled Android and so on, I never specifically mentioned a distro, just that there are plenty of options out there. You are the only one specifically mentioning GrapheneOS. And here’s the average user argument again. As I’ve said to the other person here. Naivety is not a defense, and throwing users to another evil company as an excuse to avoid trying to raise awareness and educate them is selfish and unhelpful.

Point 4 (Since you can’t count): So are you just giving up and admitting that I am right here?

Silaith

2 points·9 hours ago

You should check the whole subject before, a well informed redditor resumed this clickbait post :

I am really concerned about what is happening and how intrusive could it be for our privacy. But this article is just superficial. It doesn’t even mention OCSP (Online Certificate Status Protocol) and its function and doesn’t explain anything. Just pointing the finger at Apple: “these guys want to control everything!!” There is more in-depth discussion of this on r/apple for example or on Twitter.

Thank you u/Royal_Donut_Inc

For information this article has been reposted in a lot of different subs, and blogs…sounds a bit like a garbage campaign. You can check, they are spreading all over Reddit :

level 1

HoTbEeFsUnDaEs

1 point·1 day ago

Are there ways to make windows safer and more private? I just don’t want to deal with Linux when I am primarily playing games and making music, all with programs that work flawlessly on windows.

any way to avoid this on a windows machine? : Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

12 November 2020

( 2755 words, approximately 15 minutes reading time. )

Also available in:

It’s here. It happened. Did you notice?

I’m speaking, of course, of the world that Richard Stallman predicted in 1997. The one Cory Doctorow also warned us about.

On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.

It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.

Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings:

Date, Time, Computer, ISP, City, State, Application Hash

Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.

“Who cares?” I hear you asking.

Well, it’s not just Apple. This information doesn’t stay with them:

  1. These OCSP requests are transmitted unencrypted . Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.
  2. These requests go to a third-party CDN run by another company, Akamai.
  3. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them.

Now, it’s been possible up until today to block this sort of stuff on your Mac using a program called Little Snitch (really, the only thing keeping me using macOS at this point). In the default configuration, it blanket allows all of this computer-to-Apple communication, but you can disable those default rules and go on to approve or deny each of these connections, and your computer will continue to work fine without snitching on you to Apple.

The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don’t permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

@patrickwardle lets us know that trustd , the daemon responsible for these requests, is in the new ContentFilterExclusionList in macOS 11, which means it can’t be blocked by any user-controlled firewall or VPN. In his screenshot, it also shows that CommCenter (used for making phone calls from your Mac) and Maps will also leak past your firewall/VPN, potentially compromising your voice traffic and future/planned location information.

Those shiny new Apple Silicon macs that Apple just announced, three times faster and 50% more battery life? They won’t run any OS before Big Sur.

These machines are the first general purpose computers ever where you have to make an exclusive choice: you can have a fast and efficient machine, or you can have a private one. (Apple mobile devices have already been this way for several years.) Short of using an external network filtering device like a travel/vpn router that you can totally control, there will be no way to boot any OS on the new Apple Silicon macs that won’t phone home, and you can’t modify the OS to prevent this (or they won’t boot at all, due to hardware-based cryptographic protections).

Update, 2020-11-13 07:20 UTC: It comes to my attention that it may be possible to disable the boot time protections and modify the Signed System Volume (SSV) on Apple Silicon macs, via the bputil tool. I’ve one on order, and I will investigate and report on this blog. As I understand it, this would still only permit booting of Apple-signed macOS, albeit perhaps with certain objectionable system processes removed or disabled. More data forthcoming when I have the system in hand.

Your computer now serves a remote master, who has decided that they are entitled to spy on you. If you’ve the most efficient high-res laptop in the world, you can’t turn this off .

Let’s not think very much right now about the additional fact that Apple can, via these online certificate checks, prevent you from launching any app they (or their government) demands be censored.

Dear Frog, This Water Is Now Boiling

The day that Stallman and Doctorow have been warning us about has arrived this week. It’s been a slow and gradual process, but we are finally here. You will receive no further alerts.

See Also

Probably Unrelated

In other news, Apple has quietly backdoored the end-to-end cryptography of iMessage. Presently, modern iOS will prompt you for your Apple ID during setup, and will automatically enable iCloud and iCloud Backup.

iCloud Backup is not end to end encrypted: it encrypts your device backup to Apple keys. Every device with iCloud Backup enabled (it’s on by default) backs up the complete iMessage history to Apple, along with the device’s iMessage secret keys, each night when plugged in. Apple can decrypt and read this information without ever touching the device. Even if you have iCloud and/or iCloud Backup disabled: it’s likely that whoever you’re iMessaging with does not, and that your conversation is being uploaded to Apple (and, via PRISM, freely available to the US military intelligence community, FBI, et al—with no warrant or probable cause).

Use Signal.

Update

Update, 2020-11-14 05:10 UTC: There is now a FAQ.

FAQ

Q: Is this part of macOS analytics? Does this still happen if I have analytics off?

A: This has nothing to do with analytics. It seems this is part of Apple’s anti-malware (and perhaps anti-piracy) efforts, and happens on all macs running the affected versions of the OS, independent of any analytics settings. There is no user setting in the OS to disable this behavior.

Q: When did this start?

A: This has been happening since at least macOS Catalina (10.15.x, released 7 October 2019). This did not just start with yesterday’s release of Big Sur, it has been happening silently for at least a year. According to Jeff Johnson of Lap Cat Software, this started with macOS Mojave, which was released on 24 September 2018.

Each new version of macOS that comes out, I install on a blank fresh machine, turn analytics off and log into nothing (no iCloud, no App Store, no FaceTime, no iMessage) and use an external device to monitor all of the network traffic that comes out of the machine. The last few versions of macOS have been quite noisy, even when you don’t use any Apple services. There have been some privacy/tracking concerns in Mojave (10.14.x), but I don’t recall if this specific OCSP issue existed then or not. I have not yet tested Big Sur (keep in touch for updates), and the concerns about user firewalls like Little Snitch and the Apple apps bypassing those and VPNs have come from reports from those who have. I imagine I’ll have a big list of issues I find with Big Sur when I install it on a test machine this week, as it just came out yesterday and I don’t use my limited time testing betas that are in flux, only released software.

Q: How do I protect my privacy?

A: It varies. There’s a ton of traffic coming out of your mac talking to Apple, and if you’re concerned about your privacy you can start with turning off the things for which there are knobs: disable and log out of iCloud, disable and log out of iMessage, disable and log out of FaceTime. Ensure Location Services is off on your computer, iPhone, and iPad. These are the big tracking leaks that you’ve already opted in to, and there is a way out that could not be simpler: turn it off.

As for the OCSP issue, I believe (but have not tested!) that

echo 127.0.0.1 ocsp.apple.com | sudo tee -a /etc/hosts

will work for now for this specific issue. I block such traffic using Little Snitch, which still works correctly on 10.15.x (Catalina) and earlier. (You have to disable all of the Little Snitch default allow rules for “macOS Services” and “iCloud Services” to get alerts when macOS tries to talk to Apple, because Little Snitch permits them by default.)

If you have an Intel mac (which is pretty much all of you right now), don’t worry too much about OS changes. If you’re willing to get your hands dirty and change some settings, you’ll likely always be able to modify every OS that Apple ever ships for your machine. (This is especially true for slightly older intel macs that do not have the T2 security chip in them, and it’s likely that even T2 Intel macs will always be permitted to disable all boot security (and thus modify the OS) if the user desires, which is the case today.)

The new ARM64 (“Apple Silicon”) macs that were released this week are the reason for my sounding the alarm: it remains to be seen whether it will be possible for users to modify the OS on these systems at all. On other Apple ARM systems (iPad, iPhone, Apple TV, Watch) it is cryptographically prohibited to disable parts of the OS. In the default configuration for these new ARM macs, it will likely be prohibited as well, although hopefully users that want the ability will be able to disable some of the security protections and modify the system. I’m hoping that the bputil(1) utility will permit disabling of the system volume integrity checks on the new macs, allowing us to disable certain system services at boot, without disabling all of the platform security features. More information will be forthcoming when I have the new M1 hardware in hand this month and have the facts.

Q: If you don’t like Apple or don’t trust their OS, why are you running it? Why did you say you’re buying one of the new ARM macs?

A: The simple answer is that without the hardware and software in hand, I can’t speak authoritatively about what it does or does not do, or steps one might take to mitigate any privacy issues. The long answer is that I have 20+ computers that comprise ~6 different processor architectures and I variously run all of the OSes you’ve heard of and some of the ones you probably haven’t. For example, here in my lab, I have 68k macs (16 bit, almost-32 bit (shoutout to my IIcx), and 32 bit clean), PowerPC macs, Intel 32 bit macs, Intel 64 bit macs (with and without the T2 security chip), and I’d be a total slacker if I didn’t hack at least a little bit on an ARM64 mac.

Q: Why is Apple spying on us?

A: I don’t believe that this was explicitly designed as telemetry, but it happens to serve insanely well for that purpose. The simple (assume no malice) explanation is that this is part of Apple’s efforts to prevent malware and ensure platform security on macOS. Additionally, the OCSP traffic that macOS generates is not encrypted, which makes it perfect for military surveillance operations (which passively monitor all major ISPs and network backbones) to use it for the purpose of telemetry, whether Apple intended that when designing the feature or not.

However: Apple recently backdoored iMessage’s cryptography with an iOS update that introduced iCloud Backup, and then didn’t fix it so the FBI could continue to read all the data on your phone.

As Goldfinger’s famous saying goes: “Once is happenstance. Twice is coincidence. The third time it’s enemy action.” There is a finite and small number of times Apple (who employs many absolute stone-cold cryptography wizards ) can say “oops sorry it was an accident” that their software transmitted plaintext or encryption keys off of the device and to the network/Apple and remain credible in their explanations.

The last time I reported an issue to Apple involving the transmission of plaintext across the network back in 2005, they fixed it promptly, and that was only for dictionary word lookups. Shortly thereafter they introduced App Transport Security to help third-party app developers stop fucking up their use of network crypto, and made it way more difficult for those same app developers to make unencrypted requests in App Store apps. It’s quite strange to me to see Apple making OCSP requests unencrypted, even if that is the industry default.

If Apple truly cares about user privacy, they should be looking long and hard at every single packet that comes out of a mac on a fresh install before they release a new OS. We are. The longer that they don’t, the less credible their claims about respecting user privacy will become.

Q: Why are you crying wolf? Don’t you know that OCSP is just to prevent malware and keep the OS secure and isn’t meant as telemetry?

A: The side effect is that it functions as telemetry , regardless of what the original intent of OCSP is or was. Additionally, even though the OCSP responses are signed, it’s borderline negligent that the OCSP requests themselves aren’t encrypted, allowing anyone on the network (which includes the US military intelligence community) to see what apps you’re launching and when.

Many things function as telemetry, even when not originally intended as so. The intelligence services that spy on everyone they can take advantage of this when and where it occurs, regardless of designer intent.

It’s not worth putting everyone in a society under constant surveillance to defeat, for example, violent terrorism, and it’s not worth putting everyone on a platform under the same surveillance to defeat malware. You throw out the baby with the bathwater when, in your effort to produce a secure platform, you produce a platform that is inherently insecure due to a lack of privacy.

Q: They backdoored iMessage’s end-to-end encryption?! WTF?!

A: Yup. More technical details in my HN comments here and here.

TL;DR: They even say as much on their website; from https://support.apple.com/en-us/HT202303:

Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple.

(emphasis mine)

Note that iCloud Backup itself is not end-to-end encrypted, which is what results in the iMessage key escrow issue that backdoors the end-to-end encryption of iMessage. There’s a section on that webpage that lists the stuff that is end-to-end encrypted, and iCloud Backup ain’t in there.

Neither are your iCloud photos. Apple sysadmins (and the US military and feds) can totally see all your nudes in iCloud or iMessage.

Further Reading

About The Author

Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.

sneak@sneak.berlin

@sneak@sneak.berlin

@sneakdotberlin

@eeqj

linkedin.com/in/jeffreypauleeqj