Ask HN: How to Block Apple's Spyware on BigSur?

32 points by exabrial ↗ HN
With BigSur, Apple is getting a hash of every executable you run, and it's changing the way kernel extensions work and VPNs work to prevent blocks from happening.

Immediately, I think the quick answer is to block outgoing requests to apple's server using an external firewall, but how does one identify which requests are carrying the spyware?

On the Mac system, how can we remove the spyware functionality?

44 comments

[ 3.2 ms ] story [ 105 ms ] thread
I honestly can't understand why on earth would a sane minded person spend all that money on apple hardware and then on top of that spend a a lot of time fighting a losing fight against the software.

Just switch to something else.

There are things which Apple Macs excel at, and no other laptop even comes close. This is not me speaking in thin air, you can yourself notice that majority of developers and creative professionals own Macs.
I agree and switching environments will hinder my productivity to an extend but watching the direction Apple is taking, makes me evaluating a switch to Linux in the next 2-3 years. Mind you, my family owns 5+ macs and another 7 Apple devices... If I switch they are all going to follow.
Such as?
Literally everything. Like a good trackpad, build quality, stability, ...
It's easy to be stable when you can't run software
(comment deleted)
A lot of Apple fans say this, but I find many components in Apple products in general to be of average to poor build quality. Keyboards, display hinges, CPU/GPU cooling, weak display bezel/frames, weak outer-frames on their phones, laptop case creaking, etc. Heck they have yet to figure out how to design cables that don't fray. I'm sure there are some nice aspects to owning a mac too, otherwise nobody would purchase them. But I have yet to find anything that they've done w.r.t good build quality. I do admit they have a very good handle on making their products look pretty. So there's that..
Seriously, the bluetooth chipset in my MBP 2018 at work sucks balls. If I try to listen to music on my bluetooth headset as well as using a bluetooth mouse it stutters, and the mouse cursor is jittery.

If I use the same mouse and headset on my Dell Precision 5520 I don't suffer from these issues.

> good trackpad

Granted. Except it's useless from my perspective because:

* keyboard-centric tiling workflow + mouse

- is faster than-

* a standard K&M stacked windows workflow

- is mostly faster than-

* keyboard-centric tiling workflow + any trackpad

- is faster than -

* the standard macOS experience with a trackpad

It's an exercise in frustration whenever I have to get help from or help out a peer which uses a touchpad for everything (Mac user or otherwise, but more common in Mac users precisely because of its good trackpad) because it makes every operation slow as molasses. And if you care about a responsive desktop, the trackpad is mostly irrelevant because you'll be using a tiling setup which relies on a keyboard and simple mouse/trackpad usage.

> build quality

A computer that throttles at max frequency does not have good build quality. A computer with a keyboard that falls apart with specks of dust does not have good build quality.

Macs have great screens and are slim, but they're far from the only ones with those qualities.

> stability

Except this is a meme. macOS stability is an absolute gamble like all other OSes, it will depend on your configuration macOS will behave or not, as is the case for both Windows and Linux. And macOS releases are known to be stability shitshows, Catalina being a big example and now Big Sur not being able to start applications because an Apple server is unresponsive.

Stability on macOS? Laughable.

Macs are pretty popular among musicians and producers. When El Capitan dropped, pretty much all audio hardware and software stopped working. I remember that you couldn't use Native Instruments plugs and the majority of pro audio interfaces stopped working.

This was fixed after a while, but it took at least half a year for everything to work again for 50% of users and a full year for everything to work for 90% of users.

If you upgraded by accident and didn't have backups, you were in trouble. Even if you had backups, you could still have issues.

Here's a link from back in the day:

https://macprovideo.com/article/audio-software/5-reasons-mus...

Now, did something similar ever happen on Linux or Windows?

I can safely say that a lot of people lost some revenue because of that upgrade (there were also issues for video production software), at least until the word spread that you shouldn't upgrade.

This is common apple fanatism bs.

Except for a few very specific workloads and iDevices development, most things can be done on windows or Linux equally well.

In the meantime, have fun with your dumbed down is where you can only run apple-approved things.

I respectfully disagree.

The entire desktop experience on macOS feels WAY more cohesive than windows (which I have used since early 90s), or any of the DE i have tried on linux/bsd (which i have used extensively for over 20 years). Additionally the quality of the hardware (specification/cost aside) far exceeds the alternatives.

I HATE the way that apple are going. Their products are absolutely fantastic, but it is evident that the direction is to lock-down the "computer" as they have done their mobile ecosystem. I hope that legislation and regulation will tear their walled garden (and others!) apart. Then we can get back to bashing peoples OS for being not our own - rather than for being the authoritarian minefield they have become.

Your comment is by definition subjective
What video editing and UI/UX/illustration software would you recommend on Linux?

I know I could use Inkscape over Sketch for example but I can't see how I would be as productive as the clone functionality isn't comparable to the symbols functionality of Sketch e.g. you can create a reusable web page header element that you can paste in multiple locations with the colours + text changed via simple parameters where the rest is kept in sync with the original. Is there something similar?

UI design I do with Figma on Linux since 2 years. For video editing I recommemd looking into DsVinci Resolve.
Surprisingly, running Docker is not one.
So you are going to fight against your own laptop which you paid for.
Because people who create stuff use Macs, Macs are the only thing in existence that's functional?!

You sure about that logic?

Related, any one know of any brilliant engineers who deeply understand what they're using that use/love apple products?

I'd say that because they sadly don't know better.
> you can yourself notice that majority of developers and creative professionals own Macs.

No they don't. There are statistics. What you see in the Bay isn't common.

> you can yourself notice that majority of developers and creative professionals own Macs.

In the USA/UK/Canada startup land maybe? I very much doubt that most developers use a Mac. For one it is extremely expensive in "non first world" countries.

On top of that, a lot of companies simply give you a Mac, you don't get a choice.

I HATE my piece of crap MBP and would take a small pay cut to go back to Ubuntu/Arch.

This kind of weird elitism is getting very old.

I am a programmer because I love Macs and I only want to work on these computers.

If I’d have to switch to another platform I prefer to quit programming at all.

I would start with LittleSnitch [1] Don't block things by default. Let it learn traffic and show you what is talking to what. Then sort out what things you want to block. I suggest this method because some of the flows won't be obvious if you start selectively blocking things from the start. Make notes of the IP's, CIDR blocks and domains that are problematic and block them on the edge of your network on a monthly basis using data derived from LittleSnitch.

You can also find some blogs and forums that discuss what applications are not critical and that you can "launchctl unload -wF" safely to minimize chatter and improve battery life. Ensure the sites specifically call out the version of MacOS you are on, as these things change with each release.

[1] - https://www.obdev.at/products/littlesnitch/index.html

There was a thread the other day... about this. I believe mapping ocsp.apple.com to 127.0.0.1 on your hosts file will do the trick.
Oh if the question was just blocking the OCSP, then yes, /etc/hosts or null route will do that. That isn't the only data leakage (tracking) that comes out of a mac however.

  sudo route add -net 17.253.17.0 255.255.255.0 -blackhole
also works for the OCSP. You will still get some delay in opening applications. I would like to see apple do OCSP stapling and caching in the OS like reverse proxies already do, but that would defeat the tracking I guess.
Anyone wanting to do the above should first check what ocsp.apple.com resolves to for them -- looks like the responses vary by geographical location.
There's a few solutions:

LittleSnitch 4 can continue to work (with the kext) on Big Sur following this: [1]

LittleSnitch 5 can block all protected MacOS processes by following this: [2]

Murus can use PF and block IPs for Apple services: [3]. This isn't per process, and is really just a UI for the built-in PF process.

If you'd like to block the notarization check, you can block trustd (/usr/libexec/trustd) access to ocsp.apple.com (on both system and user process ownership in LittleSnitch).

Hope this helps. It's really not as bad as you think, there's a few solutions depending how thoroughly you want to block things.

[1] - https://www.obdev.at/support/littlesnitch/245913651253917

[2] - https://tinyapps.org/blog/202010210700_whose_computer_is_it....

[3] - https://www.murusfirewall.com

> If you'd like to block the notarization check, you can block trustd (/usr/libexec/trustd) access to ocsp.apple.com

Technically speaking, OCSP and notarization are two different things. The notarization check is actually to https://api.apple-cloudkit.com by /usr/libexec/syspolicyd

Hopefully we'll see a maintained list to block those with the PiHole.
I'd love to explore this, but I feel I lack the knowledge of finding new, improved or up-to-date PiHole lists.. do you have any advice?
I can say for myself that now I personally study the details of how to make high-quality footnotes correctly and there is really nothing complicated here. I am personally very glad that I have found here the data on how to quote correctly https://justbuyessay.com/blog/mcgill-guide . This is very important now because because of the wrong quote you can even get an accusation of plagiarism. Therefore, I can say that it is necessary to look here and see the details described. I hope it will be useful, write down what you have learned.
Are they using to Spy on their users or to keep the 'image' that Apple devices are more secure than the rest? I think the binary execution protection can do more good than harm. Sometimes shit happens like it did on Big Sur release. I just hope they change feature to not bring down the system to nearly unusable when ocsp.apple.com doesn't respond.