Odd. I can get asn unsigned, un-notarised app running just fine. I just need to hold control while opening it for initial run. Something odd happening here.
Users are fickle. And in the 5 years I've been deploying this app I've never had to ask users to do that. I'm sure it's fixable, the solution has just eluded me this far.
Look, I agree that this kind of non-specific rant isn’t useful but that level of response is pretty harsh. I’d at least be charitable and ask whether he’s doing something uncommon which would explain why it’s so much harder than normal.
Surely it would be easier to simply disable internet access until the user enables it. Bonus points if you can control what it talks to at the IP stack and DNS level. Something i've wanted for decades at this point.... yea, little snitch does this, but it's not built in and belongs on my phone as well.
Preventing an app from accessing browser data feels like an approach to make people feel safe while providing no meaningful protections from most malware behavior.
I recently attempted to trace exactly which app is making a particular DNS SOA query. I can confidently say that there are very few applications in the *nix space that do proper DNS reporting at all, and Little Snitch seems to be the only one that would map the actual app. I found no working solution to match a query to a pid in Linux.
This tells me that either people rarely need to do this, or that it’s very hard to do in userland.
> Preventing an app from accessing browser data feels like an approach to make people feel safe while providing no meaningful protections from most malware behavior.
Depends on the threat model. Yes, protecting browser data does not help if the attacker gained entry into the system by exploiting a vulnerability in the browser. But it helps against all other entry points: USB sticks laced with malware (common threat against companies), malware that came as part of an email attachment or by dodgy warez, an attacker that's already in the network (either because they're laterally moving or because the victim is in a scenario like a public wifi) and exploits some vulnerability in network-enabled software...
Classic defense in depth here, it massively raises the bar for attackers because to steal Chrome user sessions or passwords, you now need a code execution avenue but also a kernel-level or at least sandbox exploit to bypass Bastion.
> Classic defense in depth here, it massively raises the bar for attackers because to steal Chrome user sessions or passwords, you now need a code execution avenue but also a kernel-level or at least sandbox exploit to bypass Bastion.
Sure, but this is a very arbitrary threat model to prioritize that doesn't seem to affect people. What about ads? Tracking? Apps sending fingerprinting home? That seems like a more obvious place to start.
> Sure, but this is a very arbitrary threat model to prioritize that doesn't seem to affect people.
Credential stealer malware is abundant, it's often enough how attackers gain initial access to a company's internal network - grab the credentials off of Chrome, Firefox or one of the other popular password manager apps, and you're bound to find a set of credentials there. Now all you need is some piece of software that's reachable from the Internet and lacks 2FA (which applies to a shocking lot of legacy software), and you got some sort of persistent access to the network.
And in ye early days of cryptocurrencies, before hardware vaults became the norm among crypto enthusiasts, a fair amount of people got their wallets drained by targeted cookie (=session) stealers.
> What about ads? Tracking? Apps sending fingerprinting home?
That is bad, but not "someone can drain your bank account or take over your social media accounts to spam" bad.
I disagree; i think the proliferation of ads is a type of malware that has far more detrimental effects on society than credit card theft (which, incidentally, wouldn't be a problem if the industry bothered to protect their cards with basic authentication on use, which they refuse to)
Disabling internet access only prevents exfiltration. Ransomware, for instance, wouldn't need to access the internet at all if it used hard-coded public keys to encrypt content.
Presumably exfiltration would work for most people, no? It is quite unusual to have physical access to a computer, and if you do generally all bets are off.
This is just the hypothetical situation where ransomware is a static binary that doesn't care about any data exfiltration - it just encrypts files in-place with a pre-defined public key. So no exfiltration, physical or over the internet, is required.
Hopefully that's true. If Apple misclassifies some benign action an app makes I have a feeling it'll be nigh-impossible for users to continue using the app, and I always worry that automated negative consequences my come to my Apple developer account.
Can you share the app? Maybe someone here can tell what the issue is. I'm able to distribute outside of the mac AppStore without users needing to jump through any hoops or right click etc.
There is no 'open offer' to consider. The only thing the grandparent did was fabricate a lie, and the only reasonable response is to call them out on it.
Their comment was against HN guidelines (Assume good faith.), there's no reason to chide someone for calling them out on that.
It's a non-trivial thing to test, since it involves so many secrets and the notarization step can take over an hour, so I don't expect anyone here to actually want to look into it.
My original comment really was just venting my frustration, not a cry for help (but I might be crying soon if I cant get to the bottom of this!).
I’m on mobile, so short help: in one of my projects I’m building a binary in Rust and then using Xcode to notarize it by replacing the binary of another shell app that I’m Bildung in Xcode. This works really well. Check out the description here: https://github.com/terhechte/Ebou
Thanks for the response. The output of `spctl` on your latest build (2.7.2, downloaded from the build artefacts section of Github Actions gives me the following:
/Applications/Ganache.app: rejected (invalid destination for symbolic link in bundle)
origin=Developer ID Application: ConsenSys AG (48XVW22RCG)
I see you're also migrating to Github Actions for this particular release and that the notarization process was working correctly on your previous CI/CD? I guess there has to be an issue with the new environment here or the way you're building it now.
You could try experimenting with Hydraulic Conveyor [1]. I built it originally due to the frustrations involved in distributing P2P software during my old Bitcoin days so you won't get any hate from me about that ;)
Conveyor can package Electron apps and also do all the Mac specific stuff from any platform including Linux. So it can sign, notarize and staple the app itself, also bundling Sparkle updates as it goes. We're listed on the Electron website these days. You may have more luck with it. There's a Discord channel for help too if you get stuck.
Apple has developed the first and only generally available "evil maid" resistant computer systems. Part of participating in this secure ecosystem involves more effort on your part to comply with the security requirements.
Or you can just develop for vulnerable-as-all-getout Linux or Windows systems. Your choice.
It’s not just the evil maid but what happens if your device is stolen (or scanned by the police), or you run malware by mistake and want to restore it to a trustworthy state. Most people should worry about those more than the evil maid scenarios.
Notice how those tools don’t have perfect coverage, often don’t support fully patched devices or only work with e.g. short PINs, and in high profile cases it often takes months to crack iPhones? Nobody said this is easy but it’s a lot harder than it used to be.
- I can't prevent the police from pegasusing my device.
- I haven't have anyone infected by a malware in years, no matter the brand of device.
- Most thief won't be able to do anything with any of my devices, no matter the brand. They are not very smart, and can't deal with a bios password, an encrypted disk or even simply a locked smartphones. They steal it anyway, and throw it away when it fails.
But in the end, I don't optimize my life for the rare occasion of being stolen.
I optimize it for my day to day problems, like being able to use my machine to do what I want to do every day, without having to hope I'm allowed to do it by corporations.
I'm much more worried about the state of society that losing a phone once to a thief.
If security was a spectrum Apple has gone into ultra-violet. If The Onion did tech jokes there'd be a headline that reads: The iBrick - it doesn't work, but at least it's hacker-proof!
But thanks for reminding me I have a choice, which I actually do not.
Those are separate threats. You must accept the risk of your hardware manufacturer being compromised but that’s very different from also accepting the risk that any third-party with brief physical access can compromise your device.
What happened is that instead of the user having all the rights, now it's Apple having them all instead. Not a single security problem was reduced here, the threat model just moved from users to Apple.
> Not a single security problem was reduced here, the threat model just moved from users to Apple.
If you don’t understand why this isn’t true, I would respectfully start reading about what the platform does. It’s not like it was around the turn of the century where PCs and Macs were roughly equivalent.
I'm not saying it doesn't solve real problems, I'm saying its swapping problems into others.
Sure you can find some problems that have been solved but for each of those, there's a brand new problem created and not necessarily any better than the previous one.
Under the assumption that SIP is not disabled, and computer doesn't have any 3rd party kernel extensions installed (both of which are safe to assume for most people), it's close to impossible to inject something in the boot chain.
---
I think the best possible option might be to replace the keyboard with the one with a hardware keylogger, and record the actual password.
Yes, that option with the keyboard would be the easiest option. See? The point on encrypting your whole disk is not to avoid tampering, but to lock your machine in public places and be sure that no one can access your data upon placing that disk in another machine, or even trying to boot it.
As always, security always operates with some threat model in mind. Of course some government-level agency with physical access and any amount of money to spend could likely get access to your device (though the usual $5 wrench is probably still the "better" way) at the price of a (or a few) zero days. But you are likely not a key person in toppling a government and it would be a giant waste on their parts.
The threat model the general populace faces ranges from something as mundane as your ex wanting to extract something from your device to basically being the know-all key to every important document, photo and data you might have. I think I can safely say that under this circumstances not even physical access poses a real threat to the device's security -- it is tamper-proof to replacing most critical parts and the boot-sequence is cryptographically secured. Biometric data is not stored in software, so not even that can be spoofed.
Weird. I just downloaded Ganache and it ran and opened just fine, no warnings. Are you experiencing this on your own machine, or just other machines? And what version of macOS?
The current published version is fine, thanks for trying it! I'm working on a new release, and haven't been able to get the Apple build to work. Lots has changed since the last release, certainly on my side and I presume also on Apple's.
I’d recommend you check out Apparency [1], which can inspect .app bundles and show you what’s up with the signing on your bundle. It looks like you include a few frameworks (which also need to be signed), so maybe you have components missing signatures/with mismatched signatures.
I used to think this sentiment is overblown, but then I tried to develop a Mac and iOS app. Although I live in Canada, it took almost 3 weeks to become an Apple developer, having to supply every piece of ID in my possession and having many declined. They’re British Columbian identification in perfectly fine condition.
The development process could have been much worse, but some aspects of swift development in XCode were frustratingly rough with a range of extremely well document to barely documented APIs.
Can I do X with SwiftUI? Who knows. Does it support Y pattern well? Absolutely, and here are a dozen examples. Such a pain in the ass.
I also have no idea when my app will be approved. It just generates air quality forecasts from multiple sources, provides alerts, shows active wildfire perimeters, and doesn’t allow any access to anything else. Just uses location, optionally. It’s been weeks now.
Overall I’d rather not develop for apple’s devices again, but mostly because so little is in my control. The rest was fine. I strongly dislike having so little agency around being accepted into the platform and then publishing on it. Not having a say over my tool chain is also pretty frustrating when theirs is so buggy, slow, and unintuitive.
> Can I do X with SwiftUI? Who knows. Does it support Y pattern well? Absolutely, and here are a dozen examples. Such a pain in the ass.
SwiftUI is still very green, especially on Mac where it hasn't gotten as much attention as it has on iOS. There are some things I'm starting to use it for over UIKit on iOS, but on macOS I wouldn't bother — AppKit might be a little rough around the edges compared to UIKit, mainly due to its age, but it's a great deal more suitable for production work on macOS than SwiftUI is.
I guess that was another hang up. What should you use? Why? When is it reasonable to use cutting edge vs seasoned libraries?
Thanks for that, though. I’ll likely give that a shot soon, because my current client loves the idea of MacOS apps. I like the idea of common code to rub on multiple platforms, but it seems like it’s too green.
I think that not just on macOS, but generally in desktop software, the older, more mature, more "boring" option is going to be best in the long run even if getting up and running is faster in newer stuff. Of course platform devs would like you to think otherwise because they want buy-in for their new frameworks, but buy-in is earned. New frameworks might eventually be great, but it's going to be a while before they're able to compete with the likes of frameworks such as AppKit, which have legacies stretching back 3+ decades. That's a lot of time to allow for refinement and better covering of common use cases.
It's somewhat true on mobile, too, though to a lesser extent because mobile UI widgets don't need to be as functional, which makes it easier for new things to compete — for instance a table view with sortable, rearrangable columns and column headers is practically unheard of on mobile whereas it's a cornerstone widget on desktop. For user-facing platforms the web is the odd exception where it's somewhat the norm to jump for the latest trendy shiny thing on new projects.
> Can I do X with SwiftUI? Who knows. Does it support Y pattern well? Absolutely, and here are a dozen examples. Such a pain in the ass.
Exactly this. Don't even get me started if you are writing a Mac Catalyst app too.
Can I use this NSEvent? No? I gotta create a bundle that's built for OSX and then load that dynamically and pass stuff as AnyObject from my AppDelegate.
Oh I'm getting .rotation and .magnify events. Is there any API I can call to ask the OS the positions of the fingers on the trackpad? No? I need to go through the GestureRecogizer? But that is returning 0 touches for a .magnify event.
All I wanted was to get the current location of the fingers so that I can decide on which axis to zoom more on. Oh there is a plist for Application Supports Indirect Events. Downstream effects not documented, well, that's how it is developing for an Apple platform.
Ha, wow, that's agonizing to read but totally on point. You nailed it.
I don't understand why Apple has decided this is okay, or why they don't direct more resources and attention to ensuring this sort of thing doesn't become reality.
Every time I submit my app for review it gets rejected and I need to go through 3-4 rounds before it finally gets approved. In one case, the app was rejected and I was asked to make a change. I made the change, and the app was rejected because of the change I was told to make.
I’d be fine with their process if there was an alternative way to get my app into my customers hands. But there isn’t, and they’re vehemently against it.
When Apple launched unlisted apps I was really excited. But these apps inexplicably seem to go through the same review process. If it’s unlisted, why do they care about anything other than security?
Apple truly makes life painful for developers. Can’t wait for alternative app stores.
For those interested in more details on XProtect’s status on their systems, Howard Oakley (the author of this blog) also provides free utilities: https://eclecticlight.co/downloads/
More of this could be great for corporate machines. Currently they are often bogged down with poorly behaving third party security software, some of which causes real problems for users, which could be lessened if some of that software could be replaced with better behaving OS capabilities.
Windows Defender (or whatever it’s called) looked like it might help similarly on Windows, but I haven’t seen it being used that way. It looks to me like the third parties keep looking for new features they can advertise, knowing that corporate InfoSec will mandate support for them quickly, and that an OS-provided solution isn’t sold in the same way, so will be deemed unsuitable.
Scenario 1: corp buys into Apple's protection, gets rid of (most) third party software
Scenario 2: corp keeps third party software, which bangs its head against Apple's protection which prevents such god processes to access information, thus corp disables Apple's protection and keeps using third party software.
Scenario 3: Apple treats third-party software that "bangs its head against Apple's protection" as malware, force-disabling it; mandates all third-party software to be rewritten to just use control APIs for Apple's internal protection mechanism.
For what it's worth, most if not all "anti-virus" software that corps buy are borderline malware themselves and doesn't worth shit. The reason they even exist is that corps get to tick "security" on some bullshit bureaucracy check list. One reason I prefer Macs on company laptops is that corp doesn't get to modify it all that much.
Yeah the compliance is the same whether you use Windows, Mac or Linux. We run Microsoft Defender on our Macs. And have JAMF, and Beyond Trust. All the same shitty corp management software works on Macs now because they are popular in the workplace. If your corp isn't managing them the same as Windows, they either have no third party security audits, or your company is not compliant.
IMO this is pulling the OS closer towards a more trusted platform model that mobile devices have been afforded through years of incremental refinement of corporate MDM solutions.
If you read the darwin-kernel mailing list archives from 10-15 years ago, some of the most ignorant questions were from AV vendors. (like: "why does my system deadlock when I stop the entire kernel waiting for a userspace helper ..") They seemed so horrifically incompetent that I resolved to never run any 3rd party AV software on any machine I control.
>Windows Defender (or whatever it’s called) looked like it might help similarly on Windows, but I haven’t seen it being used that way.
It is more and more, but you need the expensive Microsoft 365 license to use the web portal for it for, key word, MANAGEMENT.
You want to be able to scan computers, lock them out of all network access besides the AV management, block usb/peripherals etc etc when an attack happens.
“RansomWhere? is a utility with a simple goal; generically thwart OS X ransomware. It does so by identifying a commonality of essentially all ransomware; the creation of encrypted files.”
Given AV firms change hands and veer into dark patterns, forum posts like this one shouldn't recommend anything in particular as the ownership and policies can change overnight.
Ah! No, sorry, I meant that there are quite a few HNers that have some origin in the Bukkit/Spigot scene, e.g. they once wrote plugins for those platforms.
I wonder why Apple finds the need to run all of this security software in the shadows with zero documentation, near zero user access to logging, and zero user access to what the system is doing. Is it just some leftover pride because a handsome actor in blue jeans said macs don’t have viruses on TV 15 years ago?
Because a serious enough malware running rampant on their platform would cause actual monetary loss for them, potentially losing their image as a safe OS?
Zero user control over technical functionality is totally Apple's MO these days. They were a lot better at this in the early OSX days, they only used to hide technical details but the user could still control them if they knew what they were doing.
But since iOS they've been slowly pushing this model to Mac. It pushed me away from the Mac platform, I only use it for work now.
I do wonder whether they'll let other apps hook into the "don't access private data for X" safeguards. In this hypothetical, how many developers would choose this – over simply putting their private data behind a password?
108 comments
[ 5.0 ms ] story [ 189 ms ] threadIt's designed so regular users don't / can't bother to do so, tho
And on the other end, window's UX is going down the drain year over year.
Preventing an app from accessing browser data feels like an approach to make people feel safe while providing no meaningful protections from most malware behavior.
This tells me that either people rarely need to do this, or that it’s very hard to do in userland.
Depends on the threat model. Yes, protecting browser data does not help if the attacker gained entry into the system by exploiting a vulnerability in the browser. But it helps against all other entry points: USB sticks laced with malware (common threat against companies), malware that came as part of an email attachment or by dodgy warez, an attacker that's already in the network (either because they're laterally moving or because the victim is in a scenario like a public wifi) and exploits some vulnerability in network-enabled software...
Classic defense in depth here, it massively raises the bar for attackers because to steal Chrome user sessions or passwords, you now need a code execution avenue but also a kernel-level or at least sandbox exploit to bypass Bastion.
Sure, but this is a very arbitrary threat model to prioritize that doesn't seem to affect people. What about ads? Tracking? Apps sending fingerprinting home? That seems like a more obvious place to start.
Malware exfiltrating users' browser sessions and passwords is a "very arbitrary threat model" that "doesn't seem to affect people"???
Credential stealer malware is abundant, it's often enough how attackers gain initial access to a company's internal network - grab the credentials off of Chrome, Firefox or one of the other popular password manager apps, and you're bound to find a set of credentials there. Now all you need is some piece of software that's reachable from the Internet and lacks 2FA (which applies to a shocking lot of legacy software), and you got some sort of persistent access to the network.
And in ye early days of cryptocurrencies, before hardware vaults became the norm among crypto enthusiasts, a fair amount of people got their wallets drained by targeted cookie (=session) stealers.
> What about ads? Tracking? Apps sending fingerprinting home?
That is bad, but not "someone can drain your bank account or take over your social media accounts to spam" bad.
Their comment was against HN guidelines (Assume good faith.), there's no reason to chide someone for calling them out on that.
It's certainly either something I'm doing wrong, or a big in the software I'm using to automate signing, notification and stapling.
Here's the issue I opened on the software I'm using to automate: https://github.com/electron-userland/electron-builder/issues... that issue kinks to the PR that adds the automation.
It's a non-trivial thing to test, since it involves so many secrets and the notarization step can take over an hour, so I don't expect anyone here to actually want to look into it.
My original comment really was just venting my frustration, not a cry for help (but I might be crying soon if I cant get to the bottom of this!).
/Applications/Ganache.app: rejected (invalid destination for symbolic link in bundle) origin=Developer ID Application: ConsenSys AG (48XVW22RCG)
I see you're also migrating to Github Actions for this particular release and that the notarization process was working correctly on your previous CI/CD? I guess there has to be an issue with the new environment here or the way you're building it now.
Conveyor can package Electron apps and also do all the Mac specific stuff from any platform including Linux. So it can sign, notarize and staple the app itself, also bundling Sparkle updates as it goes. We're listed on the Electron website these days. You may have more luck with it. There's a Discord channel for help too if you get stuck.
[1] https://hydraulic.dev/ (disclosure: my company)
Or you can just develop for vulnerable-as-all-getout Linux or Windows systems. Your choice.
- I can't prevent the police from pegasusing my device.
- I haven't have anyone infected by a malware in years, no matter the brand of device.
- Most thief won't be able to do anything with any of my devices, no matter the brand. They are not very smart, and can't deal with a bios password, an encrypted disk or even simply a locked smartphones. They steal it anyway, and throw it away when it fails.
But in the end, I don't optimize my life for the rare occasion of being stolen.
I optimize it for my day to day problems, like being able to use my machine to do what I want to do every day, without having to hope I'm allowed to do it by corporations.
I'm much more worried about the state of society that losing a phone once to a thief.
But thanks for reminding me I have a choice, which I actually do not.
If you exclude themselves from the threat model of course, which I don't see why you would
If you don’t understand why this isn’t true, I would respectfully start reading about what the platform does. It’s not like it was around the turn of the century where PCs and Macs were roughly equivalent.
Sure you can find some problems that have been solved but for each of those, there's a brand new problem created and not necessarily any better than the previous one.
"resistant" is a pretty low bar to pass. Do we get to include the Nintendo Switch for having eFuses?
macOS @ M1 boot process looks similar to that of iOS devices: https://support.apple.com/en-gb/guide/security/secac71d5623/...
Under the assumption that SIP is not disabled, and computer doesn't have any 3rd party kernel extensions installed (both of which are safe to assume for most people), it's close to impossible to inject something in the boot chain.
---
I think the best possible option might be to replace the keyboard with the one with a hardware keylogger, and record the actual password.
The threat model the general populace faces ranges from something as mundane as your ex wanting to extract something from your device to basically being the know-all key to every important document, photo and data you might have. I think I can safely say that under this circumstances not even physical access poses a real threat to the device's security -- it is tamper-proof to replacing most critical parts and the boot-sequence is cryptographically secured. Biometric data is not stored in software, so not even that can be spoofed.
I've manually tested on Monterey.
I’d recommend you check out Apparency [1], which can inspect .app bundles and show you what’s up with the signing on your bundle. It looks like you include a few frameworks (which also need to be signed), so maybe you have components missing signatures/with mismatched signatures.
[1] https://mothersruin.com/software/Apparency/
The development process could have been much worse, but some aspects of swift development in XCode were frustratingly rough with a range of extremely well document to barely documented APIs.
Can I do X with SwiftUI? Who knows. Does it support Y pattern well? Absolutely, and here are a dozen examples. Such a pain in the ass.
I also have no idea when my app will be approved. It just generates air quality forecasts from multiple sources, provides alerts, shows active wildfire perimeters, and doesn’t allow any access to anything else. Just uses location, optionally. It’s been weeks now.
Overall I’d rather not develop for apple’s devices again, but mostly because so little is in my control. The rest was fine. I strongly dislike having so little agency around being accepted into the platform and then publishing on it. Not having a say over my tool chain is also pretty frustrating when theirs is so buggy, slow, and unintuitive.
SwiftUI is still very green, especially on Mac where it hasn't gotten as much attention as it has on iOS. There are some things I'm starting to use it for over UIKit on iOS, but on macOS I wouldn't bother — AppKit might be a little rough around the edges compared to UIKit, mainly due to its age, but it's a great deal more suitable for production work on macOS than SwiftUI is.
Thanks for that, though. I’ll likely give that a shot soon, because my current client loves the idea of MacOS apps. I like the idea of common code to rub on multiple platforms, but it seems like it’s too green.
It's somewhat true on mobile, too, though to a lesser extent because mobile UI widgets don't need to be as functional, which makes it easier for new things to compete — for instance a table view with sortable, rearrangable columns and column headers is practically unheard of on mobile whereas it's a cornerstone widget on desktop. For user-facing platforms the web is the odd exception where it's somewhat the norm to jump for the latest trendy shiny thing on new projects.
Exactly this. Don't even get me started if you are writing a Mac Catalyst app too.
Can I use this NSEvent? No? I gotta create a bundle that's built for OSX and then load that dynamically and pass stuff as AnyObject from my AppDelegate.
Oh I'm getting .rotation and .magnify events. Is there any API I can call to ask the OS the positions of the fingers on the trackpad? No? I need to go through the GestureRecogizer? But that is returning 0 touches for a .magnify event.
All I wanted was to get the current location of the fingers so that I can decide on which axis to zoom more on. Oh there is a plist for Application Supports Indirect Events. Downstream effects not documented, well, that's how it is developing for an Apple platform.
I don't understand why Apple has decided this is okay, or why they don't direct more resources and attention to ensuring this sort of thing doesn't become reality.
I’d be fine with their process if there was an alternative way to get my app into my customers hands. But there isn’t, and they’re vehemently against it.
When Apple launched unlisted apps I was really excited. But these apps inexplicably seem to go through the same review process. If it’s unlisted, why do they care about anything other than security?
Apple truly makes life painful for developers. Can’t wait for alternative app stores.
XProCheck, which allows for easier viewing of XProtect log details: https://eclecticlight.co/consolation-t2m2-and-log-utilities/
As well as SilentKnight + LockRattler for checking the status of XProtect updates and other security configuration: https://eclecticlight.co/lockrattler-systhist/
Windows Defender (or whatever it’s called) looked like it might help similarly on Windows, but I haven’t seen it being used that way. It looks to me like the third parties keep looking for new features they can advertise, knowing that corporate InfoSec will mandate support for them quickly, and that an OS-provided solution isn’t sold in the same way, so will be deemed unsuitable.
Anyone feel more optimistic?
Scenario 2: corp keeps third party software, which bangs its head against Apple's protection which prevents such god processes to access information, thus corp disables Apple's protection and keeps using third party software.
(Compare/contrast: Hypervisor.framework)
E.g. https://www.bloomberg.com/news/features/2023-05-11/the-plot-...
We used to write image processing pipelines.
This is code that really needs to run fast.
We spent a huge amount of time tuning, analyzing, and re-tuning the software.
Our IT group was completely focused on office workers, and would force us to install their spyware on our test machines.
It was not a good fit.
Good call. There has been too many awful products in that space.
It is more and more, but you need the expensive Microsoft 365 license to use the web portal for it for, key word, MANAGEMENT.
You want to be able to scan computers, lock them out of all network access besides the AV management, block usb/peripherals etc etc when an attack happens.
You DONT want to just let it run headless.
https://objective-see.org/products/ransomwhere.html
For a deep dive into this line of thinking, his post:
Towards Generic Ransomware Detection (04/20/2016) — https://objective-see.org/blog/blog_0x0F.html
Malwarebytes purchased an activity detecting product and claimed to offer this type of protection, though that marketing has become more generic now:
https://www.malwarebytes.com/cybersecurity/business/what-is-...
Given AV firms change hands and veer into dark patterns, forum posts like this one shouldn't recommend anything in particular as the ownership and policies can change overnight.
But since iOS they've been slowly pushing this model to Mac. It pushed me away from the Mac platform, I only use it for work now.