This is one of those tough cases where software cuts both ways.
Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.
Most people are the opposite and this move protects the most sensitive data from being easily scooped up or muddled in easily installed apps, or at least easily installed apps that don't use zero days.
Is the world better or worse due to this change? I'd say a touch better, but I don't like the fact that this change was needed in the first place. I trust Apple, but I don't like trusting trust.
I'd argue this opens up a giant attack surface where malicious software will try to route its command and control communication through a protected service. Do we really want to trust that Apple will keep all 50+ of these privileged services fully protected?
I think it makes the "world" slightly worse in that it will be harder to discover malware. Little Snitch has a small user base, but it's been used to identify many forms of malware and protect many more people once the threat is identified.
If I install Little Snitch, it's because I trust Little Snitch to be responsible for my computer's network traffic, over and above anyone else.
I recognize that this won't necessarily apply to all users or all apps, but there needs to be a way for the user to designate trust. Apple services and traffic should not get special treatment.
Trust relies on faith or evidence; the overwhelming circumstantial evidence is that Apple cannot be trusted with anything other than their commercial interests.
You cannot trust Apple with anything else, therefore you must have faith.
Why doesn't each individual user have the final say over whether she wants to accept the change or not? There is no option presented to the user:
[ ] Do not trust Apple, trust only me
You say "Some people are smart, informed developers" but in this case, it appears Apple is treating every user as the same.
I am not a "developer" (nor am I particularly "smart") and yet I monitor traffic to/from computers I own. Maybe some incorrect assumptions are being made about so-called "users". I find it perplexing that any company should be able to prevent me from monitoring traffic to/from computers I own. I own the computers, I pay for the bandwidth. I do not buy Apple computers for the Apple software.
Actually, I don't think this is about trust. I mean, when I use an Apple OS, I (should) trust them, as their software has access to all my most sensitive digital information.
However, making it impossible to route the traffic of the system apps through a VPN of my choice (whatever the reason) is just broken functionality.
Have you used Little Snitch? It very clearly allows all Apple traffic by default, and if you modify something that would affect it, you get a huge popup explaining what will happen and have to click on a red button to confirm.
> Is the world better or worse due to this change?
This is the false shortcut behind any attempt to weaken security. Security makes access harder, therefore let's weaken security to improve access.
The fact is that weakening security also makes malicious behavior easier and/or more likely. Changes like this are bad particularly because Apple users pay for a protected walled garden.
> Some people are smart, informed developers that install a trusted tool to monitor their traffic and have legitimate reasons to want to inspect Apple traffic. They're dismayed.
Wouldn't say I'm that smart. Wouldn't call myself a developer either. But I'm still kind of dismayed. I used to love macOS (or OS X to be precise), but the clock has been ticking for years now. Nearly every decision made about macOS's future goes in the wrong direction (for me). Right now I'm looking at Manjaro. But still, I need the Adobe CC suite to get my work done, so I will have to use two machines. I hate running two computers. But that's probably where I'll end up.
Either Apple doesn't trust Little Snitch and shouldn't let it interfere with any apps, or Apple does trust Little Snitch and shouldn't block it at all. There's no reason to implement this halfway.
If the data is so poorly protected in transit that a firewall app on the system is a concern, something has gone very wrong indeed. It's just going to see that your Apple services on your Apple device are speaking to Apple servers.
There's an availability consideration here, but that's about it.
Tech savvy users are not just the minority. They're also cheap. They've been conditioned by the FOSS movement to think all software should be free as-in-beer. (The people who started FOSS didn't say that, but that's what it's become.) They say they want free as-in-freedom, but since they are not willing to pay for it they don't exist. Those who pay set the agenda for everything.
Developing a truly polished operating system with a whole ecosystem of services is far, far beyond what volunteers and hobbyists can achieve. It's just too much work. It also requires focus and coordination and someone who is able and willing to say no. Without that the FOSS community rewrites everything over and over again instead of doing the not-fun parts of programming like fixing bugs and edge cases.
TL;DR: we get what we pay for. We don't pay for freedom so we don't get it.
Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2-equipped MacBook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.
Similarly, all macOS machines will test a DHCP-supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.
I won't share the other sentiments about the above, but is it really that hard to document these behaviors?
"You have to trust Apple", it's said. But I suspect that if you actually knew how much your Apple devices were phoning home to Cupertino, you wouldn't trust Apple anymore. Using Little Snitch (the kernel extension) was a real eye opener for me. Especially when I allowed Little Snitch to block all Apple processes (by disabling the built-in iCloud Services and macOS Services rule groups).
This may be a good time to remind folks of my blog post where I explain how Catalina phones home when you run unsigned executables, including shell scripts! In the article I mentioned that you can prevent this with Little Snitch. But that was the LS kext. Is it even possible anymore?
https://lapcatsoftware.com/articles/catalina-executables.htm...
Let me just quote one comment from the HN discussion of that article: https://news.ycombinator.com/item?id=23278253
"Making this about speed is burying the lede. From a privacy and user-freedom perspective, it's horrifying. Don't think so? Apple now theoretically has a centralized database of every Mac user who's ever used youtube-dl. Or Tor. Or TrueCrypt."
It's all too easy to dismiss the privacy violations that we're not aware of. Out of sight, out of mind.
That totally breaks my use case for Little Snitch: working tethered. When I tether my laptop it thinks it has free rein with the bandwidth and all of the little background processes can kill my data in a few minutes. With a firewall, I can grant access to only the processes that I need to get my work done.
Now, I guess I have to run some external firewall between my laptop and my phone. ... or better yet, abandon Apple.
For what it's worth, my hacky solution to this is this script which kills all the background processes that use significant bandwidth. If you're interested in how I came up with the list of processes, I can share the BitBar [1] script I wrote for monitoring per-process network usage (I wrote a small wrapper around nettop that logs to a db, which is read periodically by my BitBar script to show me the per-process usage):
I use Trip Mode for that (https://tripmode.ch/). Though, it's not unlikely it'll have the same issues described in the OP, it does seem to block Apple stuff on Mojave.
Last year Apple introduced 2 flags on the network: “constrained” (the Low Data Mode toggle) and “expensive” (most cellular and personal hotspots). These are intended to let the app make intelligent decisions about what network requests to do. For example, “expensive” networks should disable background or speculative fetches and only fetch what the user asked for.
Presumably Apple apps that bypass the network filter are making use of these flags already, to avoid unnecessary network traffic.
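As an added illustration (not code from the thread or from Apple), this is how an app would honour the two flags the comment above describes, using the public NWPathMonitor and URLSessionConfiguration APIs available since macOS 10.15 / iOS 13. The queue label, the FetchKind split and the PathWatcher type are assumptions made for the example; the flag names and the error-reason values are the real API. It is also the behaviour the tethered-laptop commenter above wants from background processes: user-initiated work goes through, background or speculative fetches do not.

```swift
// Added example: honouring the "expensive" and "constrained" path flags.
// Assumes macOS 10.15+/iOS 13+; Foundation and Network frameworks only.
import Foundation
import Network

/// Observes the current network path. isExpensive is set on most cellular
/// links and personal hotspots; isConstrained is set when the user has
/// turned on Low Data Mode. (PathWatcher is a name chosen for this example.)
final class PathWatcher {
    private let monitor = NWPathMonitor()
    private let queue = DispatchQueue(label: "example.pathwatcher") // assumed label

    func start(_ onChange: @escaping (_ expensive: Bool, _ constrained: Bool) -> Void) {
        monitor.pathUpdateHandler = { path in
            onChange(path.isExpensive, path.isConstrained)
        }
        monitor.start(queue: queue)
    }

    func stop() { monitor.cancel() }
}

/// Two classes of traffic for the example: what the user asked for, and
/// background or speculative work the user did not explicitly request.
enum FetchKind { case userInitiated, background }

/// Builds a session whose policy matches the fetch kind. For background
/// work both flags are cleared, so the system refuses to send those tasks
/// over an expensive or constrained path instead of spending the user's data.
func makeSession(for kind: FetchKind) -> URLSession {
    let config = URLSessionConfiguration.default
    switch kind {
    case .userInitiated:
        config.allowsExpensiveNetworkAccess = true
        config.allowsConstrainedNetworkAccess = true
    case .background:
        config.allowsExpensiveNetworkAccess = false
        config.allowsConstrainedNetworkAccess = false
    }
    return URLSession(configuration: config)
}

/// When a task is refused because of the flags above, the failure is a
/// URLError whose networkUnavailableReason says which policy blocked it,
/// so the caller can distinguish "skipped on purpose" from a real outage.
func describe(_ error: Error) -> String {
    guard let urlError = error as? URLError else { return error.localizedDescription }
    switch urlError.networkUnavailableReason {
    case .expensive?:   return "skipped: path is expensive (hotspot/cellular)"
    case .constrained?: return "skipped: Low Data Mode is on"
    case .cellular?:    return "skipped: cellular access not allowed"
    default:            return urlError.localizedDescription
    }
}

// Usage sketch: a background refresh that is simply skipped on a hotspot.
let watcher = PathWatcher()
watcher.start { expensive, constrained in
    print("path expensive=\(expensive) constrained=\(constrained)")
}
let url = URL(string: "https://example.invalid/feed")! // placeholder URL
let task = makeSession(for: .background).dataTask(with: url) { _, _, error in
    if let error = error { print(describe(error)) }
}
task.resume()
```

The point for a defender is that the flag is advisory: it only helps when the code on the sending side opts in. A process that ignores these flags will still tether through, which is why the comments above reach for a per-process firewall rather than relying on the app's own restraint.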
Is there no chance for Little Snitch to block the App Store? I just have a demo version of Little Snitch and will buy it for blocking all Apple services. I always connect to the internet through my phone outdoors. The bandwidth is limiting...
If Microsoft did this in Windows, or Google did this in Chrome, would we see so much defense of this strategy? Or could it be those rose-coloured glasses that HN tends to view Apple through?
Or more like "users are literally brain dead and cannot be trusted to change the channels on their TV" coloured glasses. If you only trust your users to watch TV, then get into TVs instead of computers.
We don't fault the maker of a drill when a careless user drills a hole in their hand. We fault the user for being careless. At what point do we start doing the same for computers? The advantage of physical power-tools is that their mechanism of operation is readily apparent, open, understandable, predictable. If Apple really cares about their users, they should start investing in making software open, understandable, predictable. This is a much harder problem, and probably less profitable, than just building another TV, but I'd rather live in that world than this one. I don't need another TV.
Btw, when I've been testing a "kill switch" on Windows (firewall configuration that doesn't allow internet access without a VPN running) using the built-in firewall, I discovered that
- Chrome adds a Firewall rule on installation that grants it access to all networks, bypassing kill switch configurations.
- Microsoft has an "Allow app through Firewall" [1] dialog that manages all of the rules for its apps and services along with some third-party apps. These rules again tend to allow everything, and at least on earlier builds from like 2018 they would reset to allow everything on _every_ update.
I wonder if it would make sense for Little Snitch to continue supporting their kext-based solution in parallel to the new one, possibly only for users who are willing to disable SIP.
You might argue that disabling SIP for a security product defeats the point, but I'm not sure if that's necessarily true. SIP effectively delegates trust away from the user and towards Apple, which is fine as a default—but the calculus may be different for experienced users, like the ones who use Little Snitch.
Background: I've written my own kernel extension that works in a similar manner to Little Snitch, but does a lot more, including SSL MITM and on-demand packet capture, that I've been using for more than 10 years now.
It's a fact that Apple has continuously moved to lock down macOS in ways that are antithetical to folks that want full control over their operating system. To many of us that moved on from Linux on the desktop, the combination of a stable/uniform/attractive desktop environment with a Unix core that had great developer documentation (no longer the case!) and nicely-designed APIs was too much to resist. Unfortunately, the push towards consumers and Apple's increasingly one-sided my-way-or-the-highway approach (fueled by security concerns that to me are completely irrelevant, if not a huge annoyance and waste of time) means that a lot of us old-school Unix hackers were left out in the cold.
I don't plan to upgrade past Mojave and at some point in the future I will move back to Linux.
A great example of why you need defense in depth. Ideally you'd be running the local firewall on your box, as well as an external firewall.
That being said, this is not ok behavior on Apple's part. There shouldn't be a way for traffic to go around the firewall like this, even if it is just Apple apps.
Because as Apple well knows, once you make a backdoor, someone will figure out a way to exploit it.
> Because as Apple well knows, once you make a backdoor, someone will figure out a way to exploit it.
I can't help but see this as the real reasoning behind the change. With EARN IT on the table and antitrust cases looming, they've got every reason to bend over and give governments whatever access they can.
Chrome exempts Google properties from rules? Unacceptable!
macOS exempts Apple apps from rules? Protecting users!
Seriously, it's my machine. I should have top permissions on it, not Apple. If I chose to run an app that intercepts traffic, I want it to intercept _all_ traffic. What's next, making it impossible to hook a debugger to Apple services? Or did they already do that?
As much as I love Mac & iPhone UX, stuff like this will keep me off them and keep me from recommending them to anyone either.
Everyone seems to assume this is true, but are people also confirming this? I installed Little Snitch recently on Big Sur and I'm constantly getting pop-ups for all of Apple's internal daemons etc. While I haven't tried the App Store specifically, I'm wondering if the person didn't understand how things were configured and was allowing certain traffic through. I can't imagine there's really some big conspiracy here.
This is a big breach of trust in terms of Apple always being on the side of user privacy.
If someone knows enough to install these firewall apps, then they know enough to figure out what they want to enable/disable even for Apple applications.
If Apple thinks certain rules cause issues, they certainly could work with the developer of these apps to educate users of adverse effects when certain things cause unintended issues for the user. The decision should still lie with the user. Bypassing firewalls by privileging some traffic is not okay.
Looks like for now, the only real option is an external device you always connect through running pfsense or another firewall, which is not too big a deal for use on a home network, but requires carrying around another device when on other networks.
Apple is not going in a great direction for more technical people. Started looking at Linux desktops and r/unixporn. Maybe time to switch, when my MacBook is up for replacement.
This might mean running firewalls on the local networks which block outgoing traffic to Apple. And possibly keeping Apple devices vpned to such a network.
I was looking forward to new Apple devices, but feel uncertain about the "trust Apple but no one else" approach.
Concerns:
1) Apple devices have been configurable to be respectful if not invisible in corporate or client Windows networks.
You could use a Mac with a firewall in Windows environments without being worried about setting off something on the network for unusual traffic. Especially for environments that don't support Macs but don't stop them either.
2) Corporate Windows networks can control the monitoring of telemetry and metadata to a higher degree than Apple now seems to. It could be a new gap in Apple when compared to others.
If the above are true, it's not clear if Apple sees few Mac users in any corporate environment as an opportunity to grow, it's only accelerating the consideration of other operating systems.
Apple also appears to be signaling that devices do not belong to the customer. The idea of "we will protect your data, but trust your data to our policies, which we can change" seems confusing. I'm considering the new iPhone for security, but this workaround seems like an affront to it.
This is upsetting. I currently use macOS with iCloud, FaceTime, iMessage, and App Store all disabled, and use Little Snitch to prevent the machine from communicating with Apple except for on update days, and then limited only to those specific update processes.
It’s possible that this will mean that the next macOS version will be unsuitable on privacy grounds, as I will then have to use a second physical device to prevent such network access. :(
Maybe if you block it, it randomly renders your OS inoperable and you won't know why. Example: iCloud login could be a few obscure network calls. You would then call Apple and ask wtf, if you are some noob blocking everything. This isn't the old days where there could be zero dependence on the net for critical function.
This is one of the key purposes of the Apple Store. The Genius Bar would help you test on a clean account or do a full wipe — although, Little Snitch is well-known enough that I'd expect an Apple Store employee to recognize it pretty quickly.
I suppose it's theoretically possible they're trying to drive down support costs. But, geez, that would make me much more scared about the direction Apple is taking than anything else.
Really though, Little Snitch is quite explicit about what it does. It's also $40, and it's marketed to a pretty technical audience.
3pt14159 | 5 years ago
ballenf | 5 years ago
Wowfunhappy | 5 years ago
flower-giraffe | 5 years ago
_abox | 5 years ago
1vuio0pswjnm7 | 5 years ago
arendtio | 5 years ago
addicted | 5 years ago
m463 | 5 years ago
solatic | 5 years ago
unicornporn | 5 years ago
gowld | 5 years ago
jerry80 | 5 years ago
tomcooks | 5 years ago
Godel_unicode | 5 years ago
roody15 | 5 years ago
xenadu02 | 5 years ago
unknown | 5 years ago
[deleted]
vaccinator | 5 years ago
api | 5 years ago
eptcyka | 5 years ago
_qulr | 5 years ago
joncp | 5 years ago
chrisshroba | 5 years ago
Xavdidtheshadow | 5 years ago
Ensorceled | 5 years ago
Glad to know stopping shit like that is no longer an option.
lilyball | 5 years ago
unknown | 5 years ago
[deleted]
LdSGSgvupDV | 5 years ago
admax88q | 5 years ago
nickflood | 5 years ago
This was such a pain to deal with.
[1] https://az767233.vo.msecnd.net/images/Security/win8_winfirew...
wmeredith | 5 years ago
Wowfunhappy | 5 years ago
metroholografix | 5 years ago
jedberg | 5 years ago
klyrs | 5 years ago
Wowfunhappy | 5 years ago
aftbit | 5 years ago
Wowfunhappy | 5 years ago
azinman2 | 5 years ago
sbuk | 5 years ago
https://www.murusfirewall.com
bitobserver | 5 years ago
malandrew | 5 years ago
xyst | 5 years ago
Fizzadar | 5 years ago
m3nu | 5 years ago
j45 | 5 years ago
sneak | 5 years ago
m3kw9 | 5 years ago
Wowfunhappy | 5 years ago