How to disable this feature:
https://tinyapps.org/blog/202010210700_whose_computer_is_it.html
And a humorous guide on disabling protections like code signing and notarization:
https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/
Ugh. I'd love to switch to Linux, but as a designer, I'm stuck. It's not a lack of understanding of how it works. Before I was a designer I was a developer, worked in IT for a while, worked in upper-level support for a while, and Linux was my primary personal and professional OS from the late 90s to like 2010.
Why don't I just run a closed-source OS in a VM? They are fussy. Having some weird graphics tablet driver problem or something can really kill the creative connection between me and my work, and if I'm coming down to the wire on a deadline, it can cost me a contract.
What about tools that work natively on Linux? They generally just don't work for professional design use. Whenever I say that, a billion people always jump in and say "Gimp and VivaDesigner and Natron and XYZ and PDQ work fine for me," and to my astonishment, they always seem surprised that the same just isn't true in most (any?) professional workflows. Sure, with varying amounts (usually non-trivial) of extra effort I can cobble together a disparate set of tools that might sometimes yield similar results to professional design programs, but it's going to take significantly more work to produce possibly lower-quality results, and that's just not an option for a pro. If you were hiring someone to craft the image of your company in a crowded, competitive marketplace, would you pay them more to take longer and potentially end up with a suboptimal product just because they were only using OSS to do it?
A software developer could feasibly use something like Windows Notepad or pine to achieve the same results as an IDE, or even a more powerful text editor like Sublime Text. For many non-professionals, people just editing a config file, or people making the occasional shell script, it does work fine. Better even, considering that the extra baggage of complex tools would actually slow them down rather than speed them up.
This whole release cycle is just one gigantic facepalm after another.
I am feeling pretty heavily smug that I got rid of my Apple kit earlier this year because I wasn't happy with the direction of the platform.
This seems so negligent it's difficult for me to believe this was a mistake. Perhaps it could be argued that Apple doesn't want applications blocking the network traffic of trusted applications because there is limited upside to doing so and doing so may restrict core functionality such as system updates, etc. But surely the most reasonable explanation here is that Apple wants a back door to guarantee they can monitor your activity / allow intelligence agencies a way to access your system?
I'm done with Apple. It's incredibly restrictive for no real gain at this point. I have a really old MB Air I only ever use to compile apps for the App Store for clients, but otherwise there's no clear path towards improvement from them, so I'm voting with my wallet for the foreseeable future.
This reminds me of the old saying that it's impossible to work within an infected system to clean it --- and now that corporations have been "infecting" systems with such telemetry/spyware by default, that's even more true.
I believe Win10 was the first to do something like this --- it ignores the hosts file and firewall for certain hardcoded domain names and IPs.
https://imgur.com/a/y0NPJ2o - DNS activity of my Mac Pro + Big Sur during the last 30 mins. This is a filter on the `*apple*` domain so I'm not sure if I'm seeing everything since they might use other domains but heh - for the curious.
I hope this proof-of-concept is the last straw that gets Apple to walk this design decision back. Because if it doesn’t, I'm not looking forward to whatever it is that does.
I commented on your Twitter post already, but I'll reiterate here. This is not a vulnerability, it is as intended. By default, you can only install applications via the App Store on Big Sur, and AppProxyProvider only affects applications installed via this method.
This has the dual benefit of protecting casual users, and allowing power users flexibility with any binaries that aren't sandboxed. From what I understand of your example, you used the bundled Python installation to make the connection; the Python binary is not sandboxed and is not affected by AppProxyProvider. This will be the case with any other binaries as well -- ping, ssh, etc.
The relevant documentation is at:
https://developer.apple.com/documentation/networkextension/app_proxy_provider
Specifically the section I've highlighted here:
https://share.getcloudapp.com/Z4uyONmJ
If you play with fire, you will get burned.
Same thing will happen with an encryption backdoor like the EU is now thinking of forcing down our throats...
I have no idea how they ever expected this to work. Seems it would be trivial to proxy a c&c through apps with access. All you need is a signal, any signal, to the outside world. If air gaps can be beat, this concept was doomed from the start, unless I'm missing something.
This is a deal breaker for me. Little Snitch is absolutely 100% essential for privacy. I'm staying on macOS Catalina until they pry it off my cold dead hands.
For a company that boasts privacy, it sure leaves a lot of holes in its OS for malicious people to exploit.
Guess I won't be upgrading from Catalina for a long time.
Apart from security implications I can see multiple privacy issues here. Apple's services may attempt connections to non-Apple resources as well as Apple's.
My understanding is that trustd (Trust Daemon) will be allowed to report/validate (OCSP? CT?) certificates anywhere the issuer points it to, and that nsurlsessiond (NSURLSession Daemon) will be allowed to attempt any connections other Apple processes tell it to. From what I observed, opening a single podcast in Podcasts.app sometimes results in nsurlsessiond connecting to resources under multiple different domains.
My pessimistic view of today's techworld tells me to follow the money on this, and that I might not be able to block in-system ads in the future.
Of course when this possibility was raised 25 days ago on HN [1] there was a swarm of apologists who figured the superior Apple services needed no firewall interception (and just 2 days ago we learned that hell yes, they do!) and that this was all by design and impervious to abuse by other apps.
Turns out, no, macOS is still written by the same old skeleton crew at Apple and they still introduce trivial problems in most things they do.
1: https://news.ycombinator.com/item?id=24839086
I could really use a "special edition" of macOS - sort of like what happened with XP in the later days. Strip out all the Apple stuff, privacy failures, and excessive gatekeeping [$] and just leave the raw OS.
[$] for me
Discussion about when this originally surfaced, but was thought to only affect Apple apps: https://news.ycombinator.com/item?id=24838816
Has anyone tested if disabling the 'Automatically allow built-in software to receive incoming connections' setting in the Firewall config changes this behavior? Seems like it might be attached to that static list of whitelisted processes.
Very interesting, but what is it with posting important information that begs for at least some details as a short thread on Twitter?
This is impossible to read on a phone.
As opposed to the OCSP thing, bypassing firewalls and VPNs seems to be really out there, especially the VPN part.
You have a VPN active - I'm actually saying go here, not there. Because the default connection might be unsafe, limited, etc.
Now, since I have to spend money on multiple dongles, etc., that might justify me buying a Pi-hole for a home connection. Get around that, Apple.
Trying to understand this as someone who is not sophisticated about security issues. It SOUNDS like, if you have a Big Sur machine that runs no software other than Apple's and software downloaded from the App Store, this isn't an issue.
The problem is if you install non-App Store software. Most people don't need to do that, but of course, the types of users who frequent Hacker News frequently will. So they run the risk of installing, and using, malicious software.
I myself do install non-App Store software sometimes. Prior to Big Sur, I could use Little Snitch and be sure I knew what servers it was communicating with. With Big Sur, I can't.
Does that sum up the problem?
Is this what happens when the Cold War spills out of internal tooling?
https://news.ycombinator.com/item?id=22804607
Unpopular opinion follows.
Apparently Patrick Wardle describes a security hole, which uses the NetworkExtension framework to make it as if his code is Apple code, and thus ignores the firewall rules. My guess is that it'll get patched and that will be that.
If you think about it, blocking OS stuff makes less sense. You're already trusting the OS to a great degree.
(I can understand the need for most people to control the OS to a great degree, but personally I don't feel that need for macOS, which is my workhorse.)
On my system:

    % cd /System/Library/Frameworks/
    % cd NetworkExtension.framework/
    % cd Versions/A/Resources/
    % ls -l Info.plist
    -rw-r--r-- 1 root wheel 8.9K Jan 1 2020 Info.plist

⇒ I think this requires root. That, IMO, would make it less of an issue (maybe even a good thing, given the complaints people have about Apple not giving them control over their hardware).
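An added example, not from this thread or from Apple: a Python baseline check for an Info.plist like the one listed above, reporting entries that appeared in the bypass list and whether the file's hash still matches a trusted copy, so that a silent change to that list can be detected. The sample plist is constructed; the key name `ContentFilterExclusionList` and every bundle ID in it are assumptions, not values taken from the page.

```python
import hashlib
import plistlib

# Assumed key name for the bypass list (an assumption, not taken from the thread).
EXCLUSION_KEY = "ContentFilterExclusionList"

# Constructed stand-in for NetworkExtension.framework/Versions/A/Resources/Info.plist;
# the bundle IDs are illustrative, not Apple's real entries.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.NetworkExtension</string>
  <key>ContentFilterExclusionList</key>
  <array>
    <string>com.apple.example.systemservice</string>
    <string>com.example.unexpected.agent</string>
  </array>
</dict>
</plist>
"""

# What an administrator recorded on a known-good install (constructed).
BASELINE_EXCLUSIONS = {"com.apple.example.systemservice"}


def fingerprint(plist_bytes: bytes) -> str:
    """SHA-256 of the raw file, to compare against a hash taken on a trusted machine."""
    return hashlib.sha256(plist_bytes).hexdigest()


def load_exclusions(plist_bytes: bytes, key: str = EXCLUSION_KEY) -> list:
    """Return the bypass list from the plist, or [] when the key is absent."""
    entries = plistlib.loads(plist_bytes).get(key, [])
    if not isinstance(entries, list):
        raise ValueError(f"{key} is not an array")
    return [str(e) for e in entries]


def audit(plist_bytes: bytes, baseline_entries, baseline_sha256=None) -> dict:
    """Report entries added/removed versus the baseline, plus an optional hash check.
    A new entry means some process now bypasses user-space firewalls."""
    current = set(load_exclusions(plist_bytes))
    digest = fingerprint(plist_bytes)
    hash_ok = baseline_sha256 is None or digest == baseline_sha256
    added = sorted(current - set(baseline_entries))
    removed = sorted(set(baseline_entries) - current)
    return {"added": added, "removed": removed, "sha256": digest,
            "hash_matches": hash_ok, "tampered": bool(added or removed) or not hash_ok}
```

On a real machine, read the file listed above into `plist_bytes` and pass the hash recorded on a trusted install as `baseline_sha256`; `audit()["tampered"]` then flags both a changed list and a changed file.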
Is Big Sur compliant with GDPR? Do they list what they send and why, and is it opt-in? Or is the OS using a loophole that GDPR only applies to the web? I think people should start sending GDPR complaints to Apple. But even if Apple gets a multi-billion fine, it won't affect them in any way apart from loss of PR points.
Please file new bugs for this even though it has obviously been already reported to Apple. Apple always touts that the more reports it gets for an issue, the more attention it’ll get.
This is "bypassing firewalls in macOS Big Sur" by adding an address to the firewall bypass whitelist.
I can hack ipf in a similar way, adding an ACCEPT rule...
Nothing to see here, move along...