macOS unable to open any non-Apple application

4 years ago (twitter.com)

Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts

  • So yesterday I wrote about the blurring lines of ownership, and people came back with some fairly disparate responses. It's fair to say that I was mostly dismissed. https://youtu.be/Hg9F1Qjv3iU?t=3177 , timestamp 53:33) and they have no intention whatsoever of taking away our ability to do general compute on the machines we buy and own.

    Except...

    Apple can already decide what binaries you can execute. Should they choose to.

    Apple is now restricting what other OSes you can boot into. As they've chosen to.

    Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.

    It's clear where they're going. And I'm jumping ship. It's painful to do so, given how invested I am in the ecosystem, but we're already beyond the threshold that many of us would have left earlier in the decade.

    ---

    edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer. Most non-Apple laptops don't have very good color accuracy. They also don't have good trackpads, and their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

    I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad so that I don't have to carry around a mouse, good speakers would be a plus, and light enough that I don't feel like I'm lifting weights while working on my laptop. And this package should ideally come with 512GB of SSD storage and, at least, 16GB to 32GB of RAM.

    Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

    Any suggestions?

    • Yeah so basically in the windows world, a lot of the good laptops are under the "business class" of the various manufacturers:

      Dell Precision, HP Elite Book, MSI Prestige

      In the consumer world the Dell XPS, Asus Zenbook, Asus Pro Art are the way to go for a designer.

      Dell Precision is probably the overall best laptop. MSI Prestige is targeted right at you though, with color accuracy and a good display. The only brand I can personally vouch for is Dell. My partner and I use XPS's, and a good friend of mine has a super nice Precision that I am jealous of (specifically the ports! I'm so over USB-C)

      52 replies →

    • Wow, the way Craig is laughing at the question and so dismissive of it is really insulting. Maybe it's the more casual nature of the interview/discussion, but this really is the crappy icing on the cake of Mac users' continuously-declining control over the machines they spend their hard-earned money on. "Where do you even begin to come up with that theory"?? I mean, maybe we're seeing the gradual hampering of control over our computer with every OS X release in the past 5-10 years?

    • Get a Thinkpad. I replaced a 2015 MacBook Pro with a Thinkpad P1 Gen2 and love it. The trackpad isn’t as nice. The keyboard is better. Running WSL2 you have a great Unixy development environment in Windows. Or just install Linux. As thin and light as a MacBook Pro. Much better thermals, though still not awesome. Other, somewhat larger Thinkpads have better thermals. You can upgrade your RAM, add 2 SSDs and other peripherals like a 4G card etc if you like. Thinkpads come with fantastic service. Next business day on-site repair including for accidental damage and they mean it. Looks: It’s the design Apple copied for their very first laptops and is IMO better looking. They got it right the first time and haven’t changed it materially. Built like a tank. Not quite a tough book but they will take some abuse.

      27 replies →

    • My partner bought a razer 13 inch to replace a MacBook Air. It wasn’t cheap, the build quality is excellent and it handles everything (she’s in an orchestra and records her parts on it, does graphic design and sometimes plays fortnite.). The screen is quite nice and the build quality is better than my system 76 (onyx pro) which I really like too.

      Dave2d on YouTube gives pretty short and decent laptop reviews. I think he has a discord channel discussing the machines too

      4 replies →

    • Manjaro GNOME on any of the Thinkpad models.

      I switched away from Macbook Pro about a year ago, after using Apple hardware for about a decade.

      It's working great, GNOME interface is solid and productive, Manjaro and AUR libraries just work. Highly recommend making the move, sooner the better as I'm sure you see the writing on the wall.

    • My Huawei Matebook Pro has been everything I wanted in a Mac, in a way I couldn't get from Apple.

      Pros that Macbooks don't have: USB-A (along with USB-C), no touch bar, 3:2 screen, can enable secure boot if I choose so feel like I'll be able to run whatever I want on it, replaceable SSD, etc.

      Pros that Macbooks also have: still has a great build quality, full day battery

      Cons that both have: Non replaceable RAM

      5 replies →

    • Over the generations, I have had three Macbooks, four Vaios, a ThinkPad, a HP, multiple ASUS and Huawei. Most of the devices I have killed by travel: dust infiltration, vibrated the BGA chips off the boards by motorbike vibrations..

      My requirements have all been fulfilled with the Huawei MateBook X Pro.

      You could say it's heavily inspired by the MacBook. Aluminum case. Chiclet keyboard with decent travel. 2000x3000 display (2:3 ratio!). Awesome trackpad. Good battery life. Portable. Solid. 2x USB-C and 1x USB-A. Sustained multiple drops.

      For context, I am able to pull solid 12-hour days on the device, without a mouse, without fatigue or frustration.

      Cheaper than a MacBook. Might be worth a look.

      3 replies →

    • Assuming you were going for a 15" Macbook Pro for 2399$

      Recommendations for linux laptops (or checkout https://linuxpreloaded.com/ ):

      * Tuxedo https://www.tuxedocomputers.com

      ~1000$ 1.5kg, Their 15", 1080p flagship is configurable with AMD Ryzen 7 4700U, 32GB RAM, 500GB M.2

      They also have more expensive versions with 4k OLED displays if that's what you're into. Also 13".

      * KDE Slimbook https://slimbook.es/en/store/slimbook-kde/kde-slimbook-15-co...

      ~1200$ 1.5kg, 15", 1080p, AMD Ryzen 4800 H, 32GB RAM, 500GB NVMe

      * System76 https://system76.com/laptops/gaze15/configure

      ~1350$ 2.2kg, 15", 1080p, i7-10750H, 32GB DDR4, 500GB NVMe

      * Purism http://shop.puri.sm/shop/librem-15

      They're trying to become an open-source Apple --> high prices, own linux distro, trying to make their own ecosystem, etc.

      ~2000$ 1.8kg, 15", 4K, Core i7 7500U (Kabylake), 32GB RAM, 500GB NVMe

    • > keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

      Those are laptops with numeric keypads, the trackpad is still centred relative to the "main area" of the keyboard (the home row and in particular the rest keys - the two keys with a little bump, F and J on a QWERTY) but it is off-centre relative to the body of the laptop due to the presence of the keypad.

      Macs don't have numpads so if you've always used Macs it's understandable that you're not familiar with this type of layout.

      In any case that type of placement makes no difference while you are using the laptop, because keys and touchpad are still where they are supposed to be relative to each other.

      10 replies →

    • Get a Thinkpad, P-series, lots of options. Run Fedora on it. Great machines, great keyboard, 4k screens, good color, good battery life, lightweight. Everything works. Mac-level price, and worth it.

      21 replies →

    • > edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer.

      I would agree on designer.

      Absolutely not on developer or researcher.

      Actually, MacOS is, for the reasons you mentioned, incredibly developer-unfriendly (unless your target is of course the iOS ecosystem).

      And for research there is no better platform but Linux. Unless you are in clicky-colorful frontend applications where I would doubt you are doing serious research.

    • Try metabox. (https://www.metabox.com.au/). They have a wide range of laptops at various specs and prices and form factors and whatever else. A lot of the guys at work have started to switch to them and they feel nice to hold and fondle.

      I'm currently in the same boat as you and my next machine will be from these guys when my (admittedly very new) Macbook Pro gives up or gets taken over by Apple.

    • It's hard to say who is now Apple's target audience. It seems like their products are ideal for people who don't know much about IT and just want to watch a video or edit their holiday photos and maybe create a CV and will probably never go beyond that. Other people still enjoy Macs from 2012, but things are moving on when you look at desktop PC and what you can do. Apple looks more and more dumbed down.

      5 replies →

    • I really like my surface book. They are priced like MacBook pros (and spec'd like them too). The track pad is great, the pen input and detachable screen come in handy more than I'd have guessed when I first switched.

      Apple has a pretty broad utility patent around their trackpads, which requires other manufacturers to work around what would seem like pretty obvious things.

      PDF: http://assets.sbnation.com/assets/2017767/USD674382S1.pdf

    • Are there no other suggestions beyond the 2012 MBP?

      I use arch linux on a Lenovo Thinkpad T580, and I'm really happy with it, but I'm not sure about the colour accuracy of the screen. I doubt it's as good as you find on an Apple.

      I, for one, am really interested in good, high quality alternative to apple laptop hardware, that meet the parent's criteria.

      1 reply →

    • I agree with you that Apple is doing way too much to restrict users. But I also agree with Craig in that I don't see how Apple silicon is useful for them in helping to restrict users.

      3 replies →

    • X1 Yoga 4 is what I went with recently when my 2016 macbook pro died for the 4th time since owning it.

      Its very similar to the x1 carbon but converts to a tablet and it has an aluminum body.

      I can't say I'm out of the apple ecosystem entirely, but I decided to spend my money elsewhere given the abysmal quality of the macbook pro line these days.

    • I’d suggest using a Mac until it doesn’t actually work. Then you can find a new computer to compromise with.

    • Owning a Lenovo X1 Carbon 7th gen, 2019, 4K screen, 16GB RAM. Extremely impressed with the hardware, running Linux Mint and going to move to Manjaro. Initially I tried PopOS! but they removed from Gnome the intermediate scaling (1.5X) of the UI, just like in MacOS you have Display - Scaled options. I really like the per-monitor setting which you don't have in Linux (or I didn't research enough); e.g. More space on main display (external 4k monitor) and Larger Text on the macbook screen. I'm also jumping ship due to the worst experience I had in 25 years dealing with technology, 1 month to replace a swollen battery with a 3rd party repair service. Apple now throws all these "complex" hardware issues to 3rd parties since their employees are pressuring them not to execute hazardous repairs in their own "centers"

    • Their SSL certificate revocation server (the default for macOS) goes down and you try to tie it to Apple Silicon being created to lock-in users? I understand the feelings people have about this but today's failure seems orthogonal.

      1 reply →

    • Huawei Matebook X Pro. A friend has one, 2019 model. Runs Ubuntu on it.

      Trackpad is as good as it gets outside Apple, I'd say.

      The display looks gorgeous. Can't say about color accuracy/fidelity though.

    • Re colour accuracy, checkout thinkpads, they even come with a colour calibration sensor so you can have them autocalibrate daily/weekly or whatever suits you.

    • > Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

      Clearly there's no need to jump ship if it's more expensive on the other side.

    • Do you _really_ need a laptop? That's my solution to the problem of no good Linux laptops. I've got a desktop at home now, and when I go back to the office, I'll pick up a mini desktop. I'll keep an old MacBook in a drawer if I need to take it into a meeting. When I used laptops only, they were just plugged into a monitor/keyboard/mouse at all times anyway.

      3 replies →

    • > their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

      Buy something without a number pad. Unfortunately most 15" laptops do have one.

      If anybody from HP is reading this, I'll pay an extra for a keyboard without number pad on your 15" ZBooks with 3 buttons on the touchpad. Space bar and touchpad aligned with the center of the screen please.

    • >it's off-center in a lot of cases! How weird is that

      It is off center if they have a number pad to the right of the normal keyboard layout. At first glance it looks weird, but it is 100% what you would want if you were using the laptop. Otherwise the trackpad would end up being right over where your right wrist is.

    • > I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad

      Sounds like you might want a Microsoft surface (or surface book).

      Not sure about the TouchPad - but at least there's a pen for drawing on the screen.

    • I just gotta say that I don’t think it’s clear where they are going. You are of course free to do however you like. And if you are leaving because of what they already have done, that’s reasonable, but if you are leaving because of what you are guessing that they might do tomorrow, is that really wise? I mean even with the ARM switch won’t it be as easy to switch to win/linux intel after a year if you are not satisfied?

      I don’t like the boot thing either, and it’s a bit scary not being on intel as everyone else is right now, but I also think ARM feels really interesting and it might turn out to be a great new platform!

      Edit: I mean it is not like they never listen, they did take back the mac pro, they did fix the keyboards, you have cli tools to make a lot of changes in how macos works, etc. Of course I would like hundreds of things to be different, but I believe that is true of all platforms.

    • The Dell XPS line is my recommendation. But it’s not that much cheaper than the Mac equivalents

    • You can disable this behaviour by listing terminal under Dev tools, and launching from there.

    • The only tool in that video you linked to is that dishonest cheerleader Gruber.

    • I don't think there's a one-sized-fits-all solution without something custom and extremely expensive ($15k+). Maybe a Lenovo T480 for most purposes and a dedicated second screen for color correctness? I had a Dell Studio XPS 1645 with an RGBLED screen with an insane gamut. It begs the question: Why aren't such screens widely available?

      1 reply →

    • I think you should stick to Apple, frankly. Every time Apple comes up with something new (or just a new software release), people come out of their sheds to warn about all the bad things that will happen.

      And then almost none of those bad things happen. I've witnessed this dozens of times now, so a safe interpretation would be to assume that this time none of those things happen.

      12 replies →

  • I started panicking mildly thinking my drive was failing or something.

    And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.

    • Same. Panic attack. Thought the SSD was dying. I ran Disk Utility diagnostics and started coming up with plans to reformat and restore as a last resort.

      Apple folks in this thread, this was terrible

      4 replies →

    • > macOS is my favorite OS, but the shit I put up with...

      Idk, the several Linux distros I’ve used recently, and Windows, have a much longer list of “shit _I_ put up with”

      61 replies →

    • > macOS is my favorite OS, but

      Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.

      24 replies →

    • Just wait until you can only run signed binaries.

      As developers and engineers, we ought to be jumping off this platform like a sinking ship. It's clear that they want to lock it down like the iPhone. Why else would they be measuring which apps are in use if they didn't want to control it?

      If your argument is "compatibility research", you're missing the other warning signs.

    • If I do any simple math calculation in Spotlight it pegs all cores at 100%. Its easily reproducible and really annoying because I've used spotlight as a calculator for years.

      1 reply →

    • My music software became completely useless on catalina, and I was also running into issues with spotlight so I disabled it. I downgraded(painfully) to Mojave and my system is so much speedier. wish I could completely switch to linux.

      2 replies →

  • > I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

    That's another case of a product not doing its primary function - OS running apps - because the company placed its own (data gathering) objective above it. See thermostats not turning on heat when the internet connection is down and other equally stupid examples...

  • I discovered this by running unbound – a DNS server – locally (block some unwanted hosts and do dns over TLS). I guess the rest of the story is pretty obvious; having your default dns server not being able to resolve because you're trying to verify it – since you cannot resolve your verify hostname – is obviously Not Great. As you can imagine, there is no waiting in the world that fixes this. I couldn't kill (-9) the process either; had to reboot into safe mode, rename the binary and switch the default dns on the network.

  • Note that it's ocsp.apple.com, not oSCp.apple.com.

  • The server is called OSCP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.

    So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?

    Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.

    • Here's a wild idea: don't block executables from running.

      Or if you do, only do it for a set of known bad ones, as antivirus products do.

      Do not put a cloud service (or anything for that matter) between the users and their ability to run what they want.

      1 reply →

    • Here's an idea: log all opened binaries somewhere and then every hour or so check them against the list.

      Never block me from opening something, but warn me about bad stuff on a regular basis.

      2 replies →

  • OCSP not OSCP

    You can also run these commands to disable ocsp (and crl) since it can no longer be accomplished in Keychain Access → Preferences:

      defaults write /Library/Preferences/com.apple.security.revocation.plist CRLStyle None
      defaults write /Library/Preferences/com.apple.security.revocation.plist OCSPStyle None
      defaults write com.apple.security.revocation.plist CRLStyle None
      defaults write com.apple.security.revocation.plist OCSPStyle None

  • That oscp server must be compiling a huge set of stats on application usage. That doesn't sound right, privacy-wise.

    • It probably just gets a fingerprint, or the cert’ information.

      But when the endpoint is dying and it gets called every time you try to run any binary…

  • Can apple not use security certificates to verify publishers ? why does it need to go to their servers ?

  • Right around this same time, I had 1 macBook hard reboot (watchdogd timeout) and shortly thereafter, a second macBook froze, fan maxed out, with the display not coming up. Then it rebooted into recovery mode.

    Yeah, these _could_ be unrelated issues to what has been going on in Apple land today, but it's uncanny...

  • I keep reading in the tweets how all Macs are unusable. Is this an OS bug that doesn't affect older OSes? I'm on Mojave on my 2017 MBP, and have had zero issues at all.

    When was `trustd` introduced?

    • Checking for notarization on each launch was introduced in catalina. Older versions have trustd, but it was only used for the gatekeeper checks added in 10.8.

    • `/usr/libexec/trustd` exists on Mojave, too. There's a (very unhelpful) manpage.

      I think you were just lucky to not open non-Apple applications during the outage.

    • I ran into this on trying to load a new video file on VLC, with Mojave, so I guess it's not just apps, but maybe any new file load.

    • My 2018 MBP on Mojave had some serious issues launching apps for a little while yesterday (3PM central) afternoon. It seemed to resolve within an hour though. Not sure how that lines up with the outage described here.

  • Why isn't apple doing OCSP stapling & caching? Reverse proxies have long since solved OCSP availability with stapling and caching.

  • This might be a stupid question, but is there a downside to blocking this "feature"? I can't think of any.

    I've been using Big Sur beta for some time and one of the things that annoyed me a bit was the sudden lack of responsiveness, which is a tad annoying given that I upgraded to a 16inch MBP earlier this year and everything felt so snappy.

  • ocsp.apple.com also has an IPv6 address. Firefox connects to it even with 0.0.0.0 in the hosts file and a flushed cache (you need to also clear firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the ocsp site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.

    Disable IPv6: `sudo networksetup -setv6off Wi-Fi` (where Wi-Fi is the name of the network service)

    • Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling ipv6 all together, but admittedly I've never worked with ipv6 networking on Macs.

      Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.

      [1]: https://www.unix.com/man-page/FreeBSD/8/ipfw/

      1 reply →
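An added check (not code from the thread) for the gap the parent comment describes: it parses hosts-file text and reports, per address family, whether a hostname is pinned to a loopback or unspecified address, so an IPv4-only `0.0.0.0` line shows up as leaving the AAAA path open. SAMPLE_HOSTS is a constructed file that mirrors the macOS default layout.

```python
"""Check whether a hosts-file override covers both IPv4 and IPv6.

Added example, not code from the thread. A `0.0.0.0 ocsp.apple.com` line only
overrides the A lookup; an AAAA lookup still resolves unless an IPv6 entry
(`::1` or `::`) is present as well. SAMPLE_HOSTS below is constructed.
"""
import ipaddress


def parse_hosts(text):
    """Map each hostname in hosts-file text to the addresses declared for it.

    Comments (#) and blank lines are skipped; a zone suffix such as %lo0 on an
    IPv6 address (present in the macOS default file) is dropped before parsing.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # not a valid address; the resolver ignores such lines too
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def override_coverage(text, hostname):
    """Return {"ipv4": bool, "ipv6": bool}: True where hostname is pinned to a
    loopback or unspecified address of that family, i.e. the lookup is
    overridden locally for that family."""
    addrs = parse_hosts(text).get(hostname.lower(), [])
    return {
        "ipv4": any(a.version == 4 and (a.is_loopback or a.is_unspecified) for a in addrs),
        "ipv6": any(a.version == 6 and (a.is_loopback or a.is_unspecified) for a in addrs),
    }


def missing_override_lines(text, hostname):
    """Hosts-file lines still needed so that both families are overridden."""
    cov = override_coverage(text, hostname)
    lines = []
    if not cov["ipv4"]:
        lines.append(f"0.0.0.0 {hostname}")
    if not cov["ipv6"]:
        lines.append(f"::1 {hostname}")
    return lines


# Constructed sample: macOS default entries plus the thread's IPv4-only line.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
0.0.0.0 ocsp.apple.com   # IPv4 override only
"""

if __name__ == "__main__":
    host = "ocsp.apple.com"
    print(override_coverage(SAMPLE_HOSTS, host))       # {'ipv4': True, 'ipv6': False}
    print(missing_override_lines(SAMPLE_HOSTS, host))  # ['::1 ocsp.apple.com']
```

Run it against the real file with `override_coverage(open("/etc/hosts").read(), "ocsp.apple.com")`; the thread's Firefox observation still applies, since applications with their own DNS cache need that cache cleared before the change is visible.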

  • And people were shocked at Windows 10 doing telemetry. MacOS isn't doing it better, as I see it.

  • I had both my personal and work laptop become unresponsive at the same time. I was wondering what kind of problem could cause that - was thinking EM interference or possibly something on my network. This explains it.

  • Ha! So that's what it was. Last night (I just woke up in the UK) my macbook pro started to crawl, I started to threat that it might be the SSD starting to fail.

A compelling way to enact change at large corporates is to vocally communicate when and why you are forced back into a buying position as a customer.

Apple VPs who are listening, especially Craig Federighi - here is an early warning for you. The HN crowd may seem fringe, but they are living in the future. I de-Googled my entire life over similar transgressions by Google and several of my friends are gradually going through the same process, albeit more slowly.

And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook. No one is going to catch Apple on performance and form factor for a long time, but I'm willing to invest in a long-term ecosystem that won't allow things like this...as long as I don't need to debug audio drivers. I am done with that phase of my life.

So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.

(I looked at Alienware's M2 and M3, but it cost about the same as an MBP16 but with more blue LEDs.)

  • > The HN crowd may seem fringe, but they are living in the future.

    The other thing that really can't be discounted here is that a lot of the HN crowd are likely the default go-to people in their circle of family and friends for this sort of stuff, and in many cases they may also have major purchasing influence and technical decision making power in their respective businesses. Turning off one of them may be inconsequential on its own in the short term, but it could seriously add up to a lot more destroyed mindshare and significantly more "lost" sales over time.

    • Don't underestimate the power of your choice at the frontier, even if it takes a while to reverberate through time.

      I used to think it didn't matter what tools I chose as a lone developer making consumer tech products and DSP audio applications. But over time, I saw that consumers rely on frontier-makers for fast-moving tech choices more than you’d think, even if they lag a few years behind.

      When enough people make a choice, a tipping point forms in the future. Paul Graham wrote about this in "The Return of the Mac", and I believe a tipping point is forming: http://www.paulgraham.com/mac.html

      If Apple wants to ride on privacy, then it will fall on privacy.

    • Yes, I can specifically say that 2 other people have chosen not to update past Mojave 10.14 because of my advice.

      I'm experimenting with Linux these days. There are some minor annoyances with using an outdated version of macOS. Unfortunately those apply to not just one or two apps, but every part of the OS when using Linux. Basic things like WiFi drivers or sleep support. I'm encouraged by the trackpad driver project, but it's not there yet. So I'm still hanging on to my 2014 Retina MacBook Pro using 10.13, until some Linux distro catches up. I feel like that will happen soon though.

      4 replies →

  • > The HN crowd may seem fringe, but they are living in the future.

    I really don’t think the HN community is at all representative of what the masses think about. Just like in any online community, it is easy to think that the thoughts of that community somewhat resemble that of most people when that simply isn’t true. HN’s base consists highly of developers who are up to date with most things in the technology industry.

    The rest of the world doesn't really care enough to compromise the comfort and reliability of Google's suite, which, let's be honest, outperforms its competition by a sizeable margin, and does so with a "free" price tag.

    People on HN have talked about de-googling for years and I have yet to see someone outside of the computer development scene do it (or even talk about it, for that matter).

    • I am starting to see people switch around me, but it doesn't happen overnight.

      A surprising handful of non-tech people have asked me, "Hey, I see you use DuckDuckGo. Why not Google?" And then we have the conversation - it's a short conversation:

      Well, you cannot prosper in an environment if you operate on inaccurate or censored information. Google & YouTube censor information and track everything you search for or watch. Today your views align, tomorrow they may not.

      Secondly, you must insure yourself against tail risks, and having your Gmail account "cancelled" is a yuuuge tail risk. Therefore, avoid bundled Google products.

      Then a few months will go by, and I'll see they are now using Firefox and DDG.

      When you have these conversations, it's important that it not be about your identity (open source! Linux!), but about risk-aversion.

  • I agree--I also de-googled within the last couple years. I also did it because I need my e-mail to always work, it's just unacceptable that Google could take it away with no reasonable recourse.

    I was also hit by this outage today, at work, on my work laptop, while I was working. Apple literally cost me time and my employer money today, because their lack of foresight or inadequate provisioning of servers or whatever the fuck it was, fucked up my laptop. No good reason. They just fucked up, and it cost something.

    • I switched to Fastmail two weeks ago. So far it’s great. $5/month is reasonable insurance against “getting cancelled” by Google.

  • And there are A LOT more than what is just happening here.

    They have burnt a lot of good faith post Steve Jobs. But judging from current Apple management, they won't act until sales numbers decline, as shown by the MacBook Pro keyboard fiasco. And to make it worse, they seem to think of most of these problems as PR and marketing problems and dial up the marketing instead of actually fixing them.

    ( You can see that with Apple's marketing, especially with recent iPhone 12, with VPs explaining in podcast )

    • If there are a lot more, it's worth listing them all in a blog post. A set of evidence is more compelling than only one act that could potentially be written off as well-meaning incompetence.

  • I would say that the current Microsoft Surface laptop/book has the same build quality feel as the Macbook line, but unfortunately you're stuck with Windows 10, which is a downgrade if you're used to MacOS.

    • Windows 10 is also working against you with its telemetry and ads. We shouldn't have to work against the interest of the company that sells us the software running on our PCs. This will lead to more problems down the road.

    • I concur. I have a Surface. It sucks. Worst computer I’ve ever bought.

      Keyboard sucks. Is it a tablet trying to be a laptop? Or a laptop moonlighting as a tablet?

      Stylus sucks. It doesn’t have the accuracy of the iPad. And it always had a weird parallax feeling, so I gave up on using it. And the software was just mediocre.

      I gave up and bought a Lenovo T4xx series laptop. Installed a dual boot Linux Ubuntu on it. Best. Computer. Laptop. Ever.

  • I just got a new XPS13 after a decade of using only macbook pros. Honestly it's pretty good and like 95-99% as good as my macbook. The only thing I really miss is the incredible touchpad. The XPS touchpad is meh, although is functional which is more than I can say about many other windows notebooks.

  • >So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.

    Thinkpad X1 Extreme Gen 2 is what I use and I'm very happy with it. My requirements were a moderately high-performance laptop, hybrid/discrete graphics, not excessively bulky and good Linux support. I can't fault my choice. The only issue I had with hardware compatibility under Linux was due to me receiving it a couple days after launch and the drivers for the wifi card not yet being in the kernel used by Debian or Ubuntu (no longer an issue iirc). Happy to answer any specific questions you have.

  • Apple VPs who are listening, especially Craig Federighi - here is an early warning for you.

    The point is, things like this should never happen in the first place.

    They are probably checking how far they can go, before it affects their bottom line.

    • I don't think they are "checking"; they've carefully planned a path and are slowly and meticulously executing on it. They have no intention to stop at any point. Should the money stop flowing, they'll just come up with a new gadget. To make them backtrack on the walled garden would take an extinction-threatening event that (unfortunately) will never be on the cards as long as nobody can seriously threaten the iPhone.

      1 reply →

  • The Dell XPS range is probably the closest available currently.

    • I had the pleasure of installing Ubuntu on a modern Dell XPS recently. I was happy to discover that everything seems to work flawlessly upon install without any additional fiddling: WiFi, trackpad, touchscreen, display scaling, and really everything else I've tried so far worked great. It's an absolute joy!

      There was a time I remember when various things with Linux installations were often quirky or troublesome to get working well with certain laptop hardware, but I'm convinced now that this situation has improved tremendously since then...at least from my recent experience and hearing other good things about the Dell XPS and various ThinkPad models, and of course System76 (although I haven't had a chance to try one of those myself yet).

      3 replies →

    • Yes, and they are also selling an Ubuntu edition where you not only save quite a few $$$ (because no Windows licence) but you're also sending a signal to manufacturers that there is demand for compatibility with other OSes (unlike on Apple or MS Surfaces).

      So if the dev edition fits your needs, consider buying this one.

  • Thank god I switched back to windows early this year. I absolutely love it and I do not foresee me returning to Apple for a considerable amount of time.

    • I use both Windows and Mac but I would never consider Windows some patron saint. The telemetry and dark patterns in Windows are much worse than what Apple does. Windows literally advertises its own browser in different parts of your OS and will regularly change the default back to Edge after updates.

      But overall I am pretty happy with Windows being my daily driver now that they have WSL.

  • btw, when you install any app on Android, it sends a huge hash (maybe the whole thing) to Google servers.

    Try to install an apk without internet connection, and then try over a slow 3G connection to see the several(!) minutes it takes.

    If your phone has the old style data arrows, you will see the upload one all the time while you stare at the "installing" screen.

  • I bought the business cousin of the XPS 17, the Precision 5750. The screen-to-body ratio is amazing. And the 4k screen is beautiful, the build is attractive, thermals are good and the speakers are nice as well. (From an Apple perspective these are the things that others often get wrong)

    It has some design flaws ("hybrid power") but what is really messed up is the QC: I have ProSupport and have already had 4 technicians over and am currently awaiting my third full replacement.

    Issues are all over the place: faulty trackpad, extreme coil whine, broken display, etc. Perfect device for me if they could figure out their QC. If the next one is not perfect, I am getting a G14, which is the best performance/watt, performance/notebook volume and one of the best performing notebooks in general.

  • Microsoft saw that Macs were eating their lunch regarding developers and researchers when e.g. nearly everyone doing AI was on a MacBook or Ubuntu. You had a hard time getting Tensorflow to run on Windows because no one in the community really cared.

    Also everyone developing applications in the cloud was eventually targeting Linux as the production OS, which is a pain if your development OS is pretty much hostile to anything command line.

    MS then put a lot of money into getting a Linux like command line and support into Windows with WSL.

    They also got a bunch of influencers and devs to do their thing with improving that kind of developer experience.

    Apple, however, has been sitting on their hands in this regard. They are moving exactly the opposite direction with this crowd.

    I have no idea what rationale is behind that. Did they come to a different conclusion than Microsoft or are they just failing to execute on the strategy?

    • MS sells cloud services. They don't really care what machine you use, as long as you live on Azure as much as possible. That's why they give you more and more tools that improve the "remote development" experience.

      Apple sells silicon. They don't really care about developers; as long as they can pull enough users through the iPhone->iPad->Mac funnel, they have done their job of selling as much hardware as they can. In their view, developers bitch and moan but in the end will have to go where users go - at which point, Apple can tax them for access to the walled garden.

    • It’s going to be hard to beat Msft on developer ergonomics when Msft has GitHub, Azure, VSC, and TS.

  • > And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook.

    You'll keep buying Apple stuff. I know it, you know it and Apple knows it. If all of their past transgressions hadn't changed your mind you'll keep doing it. Cut the shit.

  • From another post on this page, someone recommended looking at Metabox. I had never heard of them. I just looked over their site. Some very very cool options. Been in business a long time. https://www.metabox.com.au/ I've tried Alienware (used to be good, but not very impressed since the Dell days), I've tried Razer (always some issues); Dell G and XPS seem the best, up to now. But this Metabox looks really fun. Wonder if others have tried?

    • Australia's anti-encryption laws make me very wary of buying anything based there.

      The Singles Day ad on the landing page made me think it was a domain squatting ad page.

  • > And even though I just bought an MBP16,

    Look into what state law protections you have. High ticket mail order items can usually be returned for a full refund for a fairly long time.

    Finding out that it's phoning home about every binary you run is absolutely a good justification to return it. I would sooner throw out a computer that did that rather than use it.

  • I'm not sure that using Google as a cautionary tale is a good idea. Given their continued growth and success...

    • Product -> Customers -> Revenue. Not the other way around. First product goes, then customers, then revenue. It takes time.

      I am short Google and have been trying to figure out how to short their stock from ZA without losing opportunity on growth of other, better stocks.

You've got to be kidding me. When Apple's servers are down, all Macs worldwide start freezing randomly? My XCode is hanging during builds, is this why?

This code signing enforcement stuff has gone way too far. Heads should roll for this.

  • Wait what happens if you don't have an internet connection? Can Macs not be used offline any more, surely that's still a relatively common use case for a laptop even today in a lot of places?

    • My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.

      44 replies →

    • If you don't have a connection, it just doesn't do the check. If you have a crappy connection like many of our students, it takes forever to check. If the server is down, life just sucks and non-Apple programs don't open.

    • If you are connected to a network without an Internet connection, it just becomes unusable. Internet connection is somewhat unreliable in my area, and I had an internet outage that lasted for days during the COVID lockdown. I feared it was a malware infection causing the slow down. I switched over to Linux not long after.

    • Often when I would see this type of error it would be when something silently drops TCP packets (rather than sending a RST). This is one way to configure a firewall, and it's indistinguishable from high latency. Hence the difference in behavior. If the address was unroutable, or immediately closed the connection, it would fail quickly (and presumably for the OCSP check, it would be skipped immediately). But when packets are silently dropped, it's up to the client to decide how long to wait for an ACK, which might cause a hang.

      I've seen an identical problem where Chrome would hang for minutes when loading sites, and it was because I was in a firewalled environment that was outright dropping packets to Chrome's OCSP server.

    • With Android it's the same. I have an app firewall on my Android phone and since then the standard Android gallery app does not really work anymore. A lot of things break, for example when I want to send a file with Threema, I have to go offline, choose the file and then go online again. Otherwise the file dialog freezes. It's just standard these days. Also a lot of things break if you are just on a network without an internet connection. Welcome to 2020.

    • That's why notarized applications should be stapled too. The stapling "ticket" is embedded in the app bundle and allows macOS to perform an offline check.

      Basically you'll get the usual GateKeeper window, but with a slightly different message, along the lines of "I can't check this binary in realtime but I trust the embedded notarization".

  • Almost certainly so. Apple has built chains of certificate trust very deep into the OS, along with apparently an assumption that this particular revocation service check is reliable & fast enough to call out to the network a lot.

    • Oh man, imagining a DDOS to fail that over.

      Imagine how many people would lose their productivity, maybe not at the big corps or govt (I assume they use a version of macOS that calls somewhere else/doesn't call out). But very very many people.

      3 replies →

  • This seems to explain why my Mac was nearly unusable after a reboot last week. Turns out bind crashed on my firewall leaving me with no DNS.

    After I restarted it I could actually launch apps other than terminal again.

  • Code signing is an okay thing as long as the signing identities don't get discriminated. Android has had code signing ever since it was released, but you always generated the certificate yourself, and the purpose was simply to stop someone else from making an apk with the same package id that would install over yours and gain access to its data.

    The thing Apple does, on the other hand, with trusting themselves more than the user, is disgusting. I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.

    • Give me, the owner of the computer, control over the keystore for the root certificates I trust, and code signing is great.

      > I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.

      As a libertarian I can see the argument for getting rid of presumptive copyright (and tanking the US economy), but the government preventing people from entering into contracts that you don't like? That's just hypocritical.

      3 replies →

  • You need to set up your own DNS caching resolver and start selectively filtering out Apple domains. Pihole does that wonderfully. Ask your Apple geniuses whether they would help you setting it to make your Macs work.

Again, it turns out that Stallman[1] and others[2] were prescient.

[1] https://www.gnu.org/philosophy/can-you-trust.en.html

[2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

  • Every year Stallman seems less crazy.

    • If you just read his writings on the importance of free software, he never was that "crazy" to begin with. He simply saw examples of companies locking down their hardware so that they could control it at the consumer's expense.

      Exactly this is happening with Apple now. Although Apple computers were fairly hackable in the past, with users being able to install Linux or Windows, that is changing. Apple is changing the hardware _and_ software to make it more difficult to do things that Apple does not approve of.

      Stallman was keenly aware of this type of behaviour, and he was also aware that companies that have the potential to use this behaviour to their advantage will often do so.

      Apple wants to be in a position where they sell computers as appliances, and Apple Silicon is their step towards doing so.

      By the way, I'm typing this on a Macbook pro that is no longer supported by Apple, but running Linux. I am not sure this would be possible in the world of Apple Silicon.

      1 reply →

    • I don't think Stallman's crazy, he's just passionate about his beliefs, and people whose careers depend on not acknowledging the truth in what he has to say like to dismiss him.

      1 reply →

  • Don't forget the World Economic Forum, but they're happy about all this:

    https://www.weforum.org/agenda/2016/11/shopping-i-can-t-real...

    • Hardly "happy about all this". From the end of the linked article:

      Author's note: Some people have read this blog as my utopia or dream of the future. It is not. It is a scenario showing where we could be heading - for better and for worse. I wrote this piece to start a discussion about some of the pros and cons of the current technological development. When we are dealing with the future, it is not enough to work with reports. We should start discussions in many new ways. This is the intention with this piece.

    • The author, Ida Auken, is without a doubt one of Denmark's most respectable and intelligent politicians.

      The article should not be read as an endorsement of that future. It's her prediction of what the world is going to look like, for better or for worse.

So many comments in here, but I haven't seen a single one mentioning a simple solution: Vote with your feet.

For years now, I've seen a large portion of the HN crowd praising Apple for its (alleged) respect of privacy and cursing at Microsoft for Windows "calling home" all the time. Now that this has happened, the only comments I see are "heads should roll", and "we must complain and be heard by high-level execs", but never "let's move away". This just reinforces my impression of the Apple ecosystem as something akin to a cult: Once you get in, you never get out again.

There are good alternatives - many people, including software engineers, use non-apple solutions on a daily basis and they are still productive. Why not give Linux a shot, or gasp even Windows? The age-old argument of "MS is evil, Apple good" is moot. Companies are generally not good or evil, they are profit-oriented. If the market demands privacy, they care about it, otherwise probably not so much.

  • It isn't so easy. There is often a large cost to moving. E.g. I use `sketch` for designing. I can move to Figma, but it'll be a learning curve and the performance just isn't the same.

    Additionally, in order to move to Linux I need to find good alternatives to much of the other software I'm using. Most commercial software only targets Windows or OSX.

    For the record, I've written large parts of KDE, so I'm acutely familiar with running Linux as a Desktop Environment.

  • > This just reinforces my impression of the Apple ecosystem as something akin to a cult

    That's very uncharitable. Suggesting Windows as a potential alternative also sounds slightly comical given their history with Windows 10 and many people's required workflows, required because of work or other outside influence, make Linux less tenable.

    A lot of people seem to suggest that if you have something to complain about then you should be moving on to something else, a vibe of 'appeal to perfection'. I think this is the same mentality that drives the distro hopping phenomenon. I'm not brainwashed because I live with the flaws of my OS choice and complain when things are changed that I don't like.

  • I'm not sure which comments you are reading: one of the top threads that almost fills the whole first page is a long discussion about alternatives to macbooks...

  • I can't vote with my feet (nor do I really want to), because there's no alternative I enjoy using as a desktop OS.

    Windows is no better for telemetry, and the user experience doesn't at all fit well with how I work.

    Linux I prefer to Windows but generally find the desktop experience lacking.

  • I've been using Windows 10 with WSL2 and found it a surprisingly effective development environment with all of the Linux goodies accessible. And games are available without a reboot or VM!

  • Many complain, few will act. Virtue signalling about Windows is zero cost, unless one is a Windows user. Most people just don't care about privacy enough to do anything (ANY thing) inconvenient.

  • No there are not good alternatives.

    Linux only makes sense as a desktop operating system if your top priority is telling people online that you use Linux as your desktop operating system.

    • I mean, it's easier to do most kinds of programming on linux than windows. Stuff works more "out-of-the-box" than on windows.

      For other things? Maybe. Some nice GUI applications, while they can in theory be run on Windows through cygwin, work well on Linux as well.

      And some people just like performance / look-and-feel. Windows is often sluggish, while most Non-GNOME IDEs are pretty fast on usual hardware.

      Then there is the updates problem. I have had Windows downloading updates even if the network was marked as metered in the past. Some LTS distro is often better. Unless you use Fedora or Arch, updates should be minimal.

      I don't want to imply the Linux desktop is mature enough for all people. Just a reminder that there are valid reasons tech savvy people prefer it.

      As they say, nothing is black and white.

Don't you love it that the ability to compile and run software on your hardware is controlled by a third party over the internet?

I sure love the SAAS future we are heading towards.

  • I will be a full on linux junkie when that happens.

    • It IS, though. SmartScreen on Windows doesn't check binaries created on the same machine, but you'll get flagged if you move the untrusted binary to another machine you own.

      18 replies →

    • This is a big conceit everyone holds - that Linux will be an acceptable substitute for MacOS. To be perfectly honest, if Apple shut down their Macbook factories and got out of the computer game entirely, and everyone flocked to Linux, it would be several painful years before Linux would be as usable as MacOS is today.

      This is why I try out Linux every few years, and file lots of bug reports when I run into issues (mostly in applications - the core Linux kernel is solid). I've even contributed code to Linux apps that I don't intend to use right now.

      1 reply →

    • Are you sure? It's happening piece by piece so that it's preferable for most people to bear one more bad thing than bear the cost of switching.

      1 reply →

Sincerely and without any intention to troll or be sarcastic: I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I honestly cannot quite wrap my head around this. This is such a big no-go, from a systems design point of view.

Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond just users in this case.

Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).

All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.

  • > I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I honestly cannot quite wrap my head around this. This is such a big no-go, from a systems design point of view.

    The answer is pretty simple: these problems are extremely rare, they don't last very long, and they tend to have fairly simple workarounds. You seem to have a principle that any non-zero chance of being affected by a problem of a certain type is a complete deal-breaker, but most people when buying a computer probably just subconsciously estimate the likelihood and impact of this type (and all other types) of problems and weigh that against other unrelated factors like price.

    • I agree with your point about it being a principle, although I would add that the decision to build a product in this manner is also a principle.

      Furthermore, I would sort of disagree with the answer to why people would buy this. In terms of "most people buying a computer", the overwhelming majority of Apple customers are likely ignorant to this issue, and will continue to be.

    • Without principles, your freedom will be (is being!) slowly chiseled away, pragmatically accepting each small step. By the time even pragmatism tells you to refuse, it'll be too late.

      That's exactly what happened in Hong Kong: https://www.nytimes.com/2019/10/09/technology/apple-hong-kon...

      But it could never happen here...

      (As someone pointed out, this does more than just prevent apps from running - it also leaks which apps you use and how often. Someone could ask Apple exactly when you started Tor browser, for example)

    • The payoff for the very slight risk is an effective built-in malware prevention system that doesn’t treat me abusively and reacts in a timely manner to abusive circumstances.

      After decades of production operations, I have no complaints about how this was handled, and I expect they’ll investigate and patch any defects exposed by the outage.

      I went for a walk when this happened and when I got back it was fixed. Works for me.

      4 replies →

    • I think more specifically it's rare enough that it hasn't happened to most people yet or people blame themselves ("my internet is bad" and the like)

    • There's software "EazyFlixPix" which shut down its authentication server - so everyone who purchased the app can no longer install it (unsure, but they might be also prevented from running it too).

      Feels problematic.

    • That's a different mindset — ability to fix, right to repair. No way to comfortably run another OS on a MacBook; you have to use macOS. It is closed source, users are at the mercy of the company. Think different.

    • Also, which is the bigger risk for most people: disruption to the cert verification, or malicious runtimes on their system?

      (Hint: I have literally never seen an example of one of our bank's customers being unable to bank because of this. I have seen heaps and heaps of examples of endpoint compromises resulting in people having their accounts cleaned out.)

    • How do you use your computer if you don't have an Internet connection and one is required?

  • People chose to use Apple because it seems like a benevolent dictatorship.

    And frankly, a benevolent dictatorship is basically the best government you can have, as long as you're part of the "in-group" who doesn't push boundaries, doesn't cause trouble, and supports the supreme ruler, Kim jon... cough* Apple.

    ---

    The problem is that no matter how good the dictatorship might be today, it will eventually bite you. You will either develop a need that isn't addressed, or they will change the rules so you are no longer able to satisfy an existing need.

    We're seeing this now with Google - Their motto was literally "don't be evil" for a long time. And during that golden period their users loved them. But as Google has shifted from "don't be evil" to "Make lots of money" people are starting to shift away.

    Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.

    • Speaking as an ex-Google user and an ex-Apple customer (still tied to Apple Music and iCloud for family phones), I'd compare Google to Russia - not particularly benevolent, a bit chaotic/random, citizens tend to shrug and accept their lot. Apple is more like Singapore, slick, seemingly benevolent, citizens honestly question why the rest of the world isn't run the same way.

      EDIT: I'd add another way in which Google is like Russia and Apple like Singapore. Everyone kinda knows that Russia's leaders are a bit/a lot evil. There's still a debate about whether Singapore's leaders are evil.

      13 replies →

    • > Apple is still in the golden phase, but I'm not really convinced they're going to be there much longer.

      The honeymoon is already over. A post like yours would have got several downvotes up to less than two years ago. I noticed that honest critics of Apple are tolerated now, since at least about one year ago.

      7 replies →

    • I think the difference between the Google and Apple dictatorships is the business model.

      Google's customers are not the users, they are the advertisers who rely on the data harvested by Google. The incentive to be evil is directly baked into the business model, and most users end up tolerating it because it is "FREE", and often the only viable option.

      Apple's customers are the users. If Apple rocks the boat too much, their users might not feel so good about paying the premium prices Apple demands for its products. Making users upset is a direct threat to their business model.

      9 replies →

    • From https://en.wikipedia.org/wiki/Don%27t_be_evil

      > "Don't be evil" is a phrase used in Google's corporate code of conduct, which it also formerly preceded as a motto.

      > Following Google's corporate restructuring under the conglomerate Alphabet Inc. in October 2015, Alphabet took "Do the right thing" as its motto, also forming the opening of its corporate code of conduct.[1][2][3][4][5] The original motto was retained in Google's code of conduct, now a subsidiary of Alphabet. In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence.[6]

      I know saying Google removed Don't Be Evil is something of a trope, but the truth is a little more complicated. And, of course, the presence or absence of this phrase has no necessary bearing on the degree to which they are perceived as evil or not!

      5 replies →

    • > benevolent dictatorship

      Have you seen Louis Rossmann's videos on Apple hardware repair?

    • Think about Apple's policies regarding IAPs. You're not allowed to tell your customers in your app that they can do the purchases on your webserver etc.

      The benevolent days of Apple ended when they removed the expansion slots from their computers, if not earlier.

    • In defense of Google, they really like having a lot of money.

      Let P = "Don't be evil" and Q = "make lots of money".

      Q was nothing new. They always wanted Q. But Google made a fundamental breakthrough in business logic, discovering that P -> ¬Q.

      It should be noted that ¬P -> Q is not automatically implied. Plenty of companies are ¬P ∧ ¬Q. Perhaps they are not ¬P enough? Perhaps they are too much ¬P? But very few manage to be purely P ∧ Q.

  • Apple, for some reason, didn't advertise this change very widely, so it isn't precisely an informed decision.

    Like so much of the modern security activity, it doesn't seem to be fully thought out, nor was the possibility of failure considered.

    Or maybe such failures were considered and then dismissed? I don't know.

    • It times out and the app runs, so the failure mode was considered.

      They may move to edge servers instead of centralized datacenters now though...

      3 replies →

  • This has been happening for a long time. Hardware and software that you can't control is becoming normalized. If they had done this 10 years ago with the same customers, those customers would be shocked or weirded out but right now, many of them will just wait it out or change their host.

    Don't limit freedom at once. Do it one by one so the impact seems low.

    What are the chances that any of the big tech companies take orders from a fascist to block all the harmful software in their country?

    Non zero. People in HK know this. I want to know how they felt about their choice to buy iPhone at that moment.

  • Welcome to 2020.

    Because we can't have nice things, Apple has to check that apps are signed with a current certificate for safety and security reasons. OCSP tells the client if the certificate has been revoked or not.

    Try opening a non-https web page; you'll get a bunch of ominous warnings from all major browsers.

    Browser certificates need to be OCSP signed for the browser to trust them. You can't even get a new cert if the issuer's OCSP server goes down, which does happen on occasion.

    There are so many dependencies to ensure we're not running malware infected apps that sometimes things break.

    Let’s not get carried away; every major tech company has had some version of this happen at one time or another.

    FWIW, I haven't experienced any issues with my iMac running Big Sur running Apple or 3rd party apps all day.

    • This used to be true, but neither Chrome nor Firefox actually check CRLs or OCSP that much. They'll accept OCSP-stapling, but that's about it.

      This is a very serious concern for Enterprise PKI systems: revoking certificates is now virtually impossible. CRLs and OCSP do practically nothing.

      Google especially has unilaterally decided that Enterprise PKI systems don't matter. They have established a new "standard" called Certificate Transparency, which they use to make CRLSets that they publish as Chrome updates.

      Which is fine I suppose for public CAs, but utterly useless on internal-use private CAs on local networks, especially those with lots of BYOD or guest/partner systems. Think universities or hospitals.

      Google has become a juggernaut with more control over computing in general (not even just the Internet!) than all of the world governments put together.

      They're getting truly terrifying.

      4 replies →

  • I have no problem with checking binaries when I launch them for security. I imagine many of the virus checking apps for Windows probably call home with similar information. I doubt very much I’m leaking any personal information.

    What is frustrating is they didn’t handle this situation like they do if I’m offline - don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway. That would have solved this eventuality.

    • > don’t get a ping back in less than 500ms or whatever? Go ahead and open anyway

      How do you do that without defeating the security? Now a malicious attacker just has to wait for a moment when you aren't connected before launching their payload.

      8 replies →

    • > I have no problem with checking binaries when I launch them for security. ... I doubt very much I’m leaky in any personal information.

      You should. It's no one's business when and how often you run a known Tor browser binary.

      1 reply →

  • Even when it works right, it’s transmitting the apps that you use, as well as your timestamped coarse geolocation (from client IP) to Apple, which logs all of it. It’s good for city-level location.

    They know what times you're at home, and what apps you're using there. They know what times you're at work. They know what times you're tethered. They know when you travel, and to which cities. They know when you're on a friend's Wi-Fi, and they know which apps you open from that connection.

    Apple is a partner in the US military’s PRISM spying program, so this log is available to US military intelligence at any time without a warrant.

    Thanks to API changes in Big Sur, it’s impossible to use Little Snitch to block these system level connections, and they will also bypass any configured VPN. To control this, you’ll need to use external network hardware, like a travel router that you can operate a vpn/firewall on.

    Big Sur is the only OS that will run on the new Apple Silicon macs, so it’ll be impossible to use the new machines without leaking your track log and app usage history in a way that is available to the FBI/CIA/et al whenever they want it.

    Note also that Apple recently backdoored iMessage’s end-to-end encryption by defaulting the non e2e-encrypted iCloud Backup to on for all users: it backs up (to Apple) your device’s complete plaintext iMessage history, as well as your device’s iMessage keys, using Apple keys, each night when you plug it in. You should immediately stop using iMessage as a result of this, because even if you have disabled iCloud or iCloud Backup, your conversation partners likely have it enabled. iMessage is no longer meaningfully encrypted.

    Apple’s marketing about privacy is lip service, not real.

  • I just ordered one, and let me tell you something - I didn't expect this to happen.

    If I knew - I might still have ordered one, because I like ARM and battery life. But this reaffirms the observed trend of Apple becoming more of an owner of the machine that supposedly I own.

    I'll attempt to shut it down (at least now, it still observes /etc/hosts) - but when I can no longer do that, I'll leave Apple forever, hopefully by then other hardware manufacturers have caught up in UX.

  • In short, the vast majority of users never need or want fine-grained control over their computers. In the HN community, we are mostly edge cases in terms of computer usage & functionality requirements.

    I believe this is why there has never been any mass pushback against iOS/Android (even if Android is slightly better in this respect).

    Further, neither iOS nor Android (and now OS X) have instituted huge restrictive changes all at once. Restrictions are gradual & creeping, basically moving the overton window of what is accepted.

    • > fine-grained control over their computer

      Or just run BlueStacks, which is necessary to run Among Us (the popular game since lockdown), which isn’t signed because it’s an emulator. And it requires the “Control this mac” permission. Unsigned. There are many, many cases in which users are faced with unsigned apps.

      1 reply →

  • I think it comes down to humans being creatures of habit and conservation of energy. I've seen people buy macs even after seeing all the flaws because it's what they're used to and don't want to exert energy learning a new OS and environment. Apple used to make great products and I think people still cling on to that thought, even though their quality has been degrading these past years. Something needs to be 10x better (or at least perceived that way) for people to switch and switching to a new OS for them is probably like a 1x improvement so not worth the time cost.

  • The alternative to a poor binary checking and cert revocation process isn't to get rid of binary signing and cert revocation.

    I don't want that. I don't think it would serve Apple's customers to get rid of binary signing either.

    Since there are no legal ramifications for security bugs that cause downtime, or for bugs that cause other functionality that goes down, I'm not sure why this particular bug would be any different. It's certainly not as bad as losing one's Google account permanently without recourse.

  • I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down.

    I really had no idea until today.

  • This issue is clearly a bug. It is an accidental denial of service attack on the client.

    It will get fixed pretty easily: Apple will add some combination of a timeout and a request back-off to their client, to properly handle the situation of a server that is reachable but not sufficiently responsive.

    Apple clearly does not mean to make their devices unresponsive if the server is offline, because pointing requests at localhost resolves the issue.

    • I disagree. It isn't a bug because it was explicitly designed to behave this way.

      The solution won't be to fix a defect, but to change the design, which is completely flawed. They should have pushed revocations from the beginning rather than requiring every system on the planet to poll a service. What were they thinking? And that does make one wonder whether there weren't other reasons for this behaviour besides "security".

  • > I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down.

    For the same reason every human frequently makes decisions with greater-than-zero risk: because we're either unaware of the risk, or because we believe the tradeoff is a good one, and the benefits are worth the risk-adjusted costs.

  • I don't like this behaviour at all, and find it frustrating at times (e.g. apps slow to launch when my internet connection drops out temporarily).

    Having said that, it's not enough to get me to switch platforms. I'm able to work around the problem (using Little Snitch, see other replies), and there are a ton of factors that go into my decision of which hardware/OS to use, all of them involving tradeoffs. The only viable alternatives, Windows and Linux, have their downsides too. Some people prefer those over macs and that's fine; it's a choice people make based on their particular situation.

  • This is a soft failure. If the computer didn't have access to the Internet, it would still open.

    • That's all nice and well, but what if some country decides that your country will still have Internet access, but a "degraded experience" to Apple's central infrastructure?

      Still sounds to me like Apple rolled out a huge (logical) trojan horse, as a potential weapon in terms of nation state cyber warfare.

      Probably not at all with that intention. But I doubt that any government willing to abuse this "opportunity" will give a fuck about that. Don't underestimate the power (and disruptive) effects of being able to practically disable a whole brand of popular computer hardware. Heck, even the ability to threaten with it (privately, through diplomatic channels) can (and probably should) be considered a serious weapon. So yeah .. "thank you" Apple.

    • From my experience during this outage, the ability for the computer to "open" may not actually mean much. While trying to fix what I assumed was a localized software issue I rebooted my machine. Typically this takes a minute or two. However during Apple's systems outage my rebooting took approximately an hour before my computer was in any way functional again.

      1 reply →

    • In this case, any app would take five to ten minutes to open. While that technically means "it still opens", it effectively renders the computer unusable.

      (And that's after I realized that they will eventually open. Originally I rebooted the machine before any app had had a chance to open.)

  • And I keep hearing how Linux is a toy whereas macOS 'just works'.

    • A lot of it is just people parroting the same old boring tropes. They couldn't believe Linux had gotten easier to use than Windows. I know this. I installed Windows a few days ago. I can't install Steam or Chromium without getting blocked by Windows. I have to download them from external sites while both of these are available in the software store on Ubuntu. It didn't nag me to login, switched my browser to Edge after updates, forced me to read a marketing manual before starting the OS.

      The search is useless. On Linux, it's so much better.

      I had to download and run a bunch of scripts to get rid of the amount of data it was sending back home. I had to remove the bloat and ads it came with.

      Give https://pop.system76.com/ a try if you don't believe that Linux is easier to use. Most people don't need to open the terminal anymore.

      4 replies →

    • The new MBP that I just got got befuddled by my bluetooth mouse (Razer Mamba X), to the point that it was literally unusable for a few hours...

      While OSX was demanding that I identify a bluetooth keyboard... I don't have a bluetooth keyboard at all.

      OSX is buggy and getting less and less usable. I'm finding myself working on Ubuntu and Windows more, than OSX these days.

  • I used to be a MacOS user from System 7 to Sierra. I owned an iPhone from 2007 until a few months ago. I have completely switched away from Apple. It absolutely boggles my mind how popular Apple still is. Apple's quality is absolute garbage now, this latest incident is just a drop in the bucket.

    I'm sure I'll get downvoted, but I just had to get this off my chest. Why people still buy Apple today, I positively can not comprehend.

  • The main design fuck-up is that instead of independent Personal Computers we have terminals connected to one huge server which violates the whole idea and meaning of Personal Computer and what the word "Personal" should mean.

  • The worst part of this is that Apple could have easily predicted this, that there would be demand to download the new OS, and put in place measures to prevent this from happening. I guess they just do not care.

  • All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.

    Apple gave a detailed explanation. It was a server misconfiguration combined with a CDN issue which caused the OCSP certificate check to stop working, which caused Apple's system for ensuring certificates haven't been revoked to stop working:

        “We have never combined data from these checks
        with information about Apple users or their
        devices. We do not use data from these checks
        to learn what individual users are launching
        or running on their devices,” clarified the
        company.
    
        “Notarization checks if the app contains known
        malware using an encrypted connection that is
        resilient to server failures,” says Apple,
        further emphasizing, “These security checks
        have never included the user’s Apple ID or the
        identity of their device. To further protect
        privacy, we have stopped logging IP addresses
        associated with Developer ID certificate checks,
        and we will ensure that any collected IP addresses
        are removed from logs,” details Apple.
    
    

    https://news.ycombinator.com/item?id=25108108

  • To your first paragraph, how many people globally do you think know that this is how it works?

    Apple don't publicly go out of their way to tell you that this is how it works. You make a great point that the way it works is bad and I think everyone agrees with that. But it's the limited knowledge that the OS operates this way that keeps consumers purchasing their products.

  • I don't think most people are aware that this could happen or even understand what happened and how it was Apple's fault.

  • I need XCode to build software for iOS and OSX, and there isn't to my knowledge any other feasible, performant and off-line capable way to do that beside running OSX on a Mac.

    This is the only reason I had to move away from (arch) linux and it saddens me every day.

  • I think it is because a lot of people still believe and repeat old tropes which are demonstrably false these days. Despite having the worst keyboard, buying third party apps to have features which most of the other OSes in the market provide as standard, more lock down of their OS every year, Apple fans continue to buy them. Apple's powerful marketing, which is full of weasel words, keeps them in their own bubble.

    • Which third party apps do you mean? And the worst keyboard? I understand it being subjective as a taste, but the worst? Idk...

  • I buy em cause apple laptops just maintain their quality way longer than other laptops. All the other laptops I’ve had start losing all their charge within 30 mins after a year or two. My 5 year old MacBook still can go probably 2 or 3 hours on a full battery charge

  • What if the café you went to just blocks Apple's domains or your ISP decides to do that until Apple pays them a "connection tax"?

  • Bitcoin people (like me) feel the same about currency. Why put your entire life savings in the hands of a single government when they have proven again and again that they can't be trusted.

  • > software can/will fail to launch if some central company server goes down

    The central company server didn't go down. If it was down there would be no problem. The problem is that the server is slow.

    • You're missing the point. I don't care if Apple has the most reliable servers in the world. Phoning home the hashes of the binaries you run is an outright violation of user privacy.

      1 reply →

  • I think the problem is that almost all the software you buy a mac for (or even things that mac users like) has this built in but calls to the developer's servers instead.

    Consumer and commercial software is just all bad.

    • Although the open source software is copying this "always connected to the mothership" model as well.

      I'm thinking specifically of Firefox, but others too.

    • Yet another reason why free software is essential for human technological freedom.

  • The amount of time you save by having a computer that "just works" 99%+ of the time is far greater than the occasional time lost by shit like this.

    I'd love it if someone other than Apple made a competent PC that was as clean, reliable, and comparatively free of bullshit. Unfortunately Apple has a monopoly on cleanly designed computers.

  • This is almost as bad as relying on China for Personal Protective Equipment and quickly running out during the pandemic earlier this year.

    Imagine if the USA actually comes under attack. The Apple spaceship would be high on the list of targets. All of a sudden hospitals can't run their computers or communications. Disaster!

Maybe it's just me but the idea that my computer lets Apple (+ any LE organizations) surveil my app launches seems so much scarier than any malware.

  • If you haven't downloaded your data from Apple recently I suggest doing that. The amount of personal info they collect has exploded over the last couple years.

    Their Services business is moving them into Google levels of data collection.

  • Is this the one-time signature checking that has been in place since Catalina, or is this something else? (And if so is there any information about it?)

  • Why is it scary that your computer checks for malware?

    It’s not like Apple is building a database of apps you’ve launched linked to your address and social security number.

    • > Why is it scary that your computer checks for malware?

      It isn't just checking for malware, its broadcasting your app opening behavior to apple and anyone else who might be listening.

      > It’s not like Apple is building a database of apps you’ve launched linked to your address and social security number.

      You know this how? Seriously, I don't get why you would believe that.

      8 replies →

    • Well it would be pretty good information to have to do analysis against.

      You could easily see knowing how often an app is used on an OS to be useful business information if Apple wanted to create software to get into a trend before it gets too big.

      Of course that doesn't require fine grained time data just daily would be more than good enough.

      However you could also see the business use of knowing if two pieces of software are often used together or sequentially which could inform creating an all in one/integrated experience that would do well in a market. So you need that finer application timing.

      Of course that doesn't require tying it to a particular user account, not even a device ID, just a sessionID that changes each time the device restarts would probably be granular enough.

      However since we've got that other stuff in place per device wouldn't it be great to see if there's a correlation between people using an app on their Mac and using it or another app on their iPhone, iPad, or Watch. What piece of data can we include to match up a user across all their devices? Maybe some kind of obfuscated or derived userID.

      Of course you'd hope that other interests such as a commitment to privacy would rule out the use of such a dataset. If Apple did have such a dataset then you'd hope they'd be doing whatever processes (social, business, and technical) it can to obfuscate and separate how that dataset is tied to a specific user.

      The only real argument against Apple not having it is the balance between the cost of creating/exploiting such a data set, the expected profit, and the legal and reputational costs of such behaviour.

    • I don't know they're not doing that, is the problem. They probably aren't, but as Bill Kristol offered recently, 99% sure isn't 100% sure, and the fact that I'm not 100% sure is a problem unto itself.

    • It’s not like Apple is building a database of apps you’ve launched linked to your address and social security number.

      Linked to your identity if you have a credit card saved for say iTunes.

      10 replies →

  • I don't know about you, but hashes of the binaries I run don't exactly reveal any sensitive personal information about me. That said, obviously they should have much more graceful degradation in place for when something is wrong with the service.

    • The information reveals in exquisite detail what times of day I'm working, what times I'm slacking off, which days I work too.

      And whether I'm taking a long or short lunch break, or lots of breaks. Whether I stay in bed until late, or work late at night. It's enough to predict whether I'm a "good" worker.

      It also reveals whenever I travel, which coffee shops and libraries I frequent and what times of day. It also reveals what time I open any of several video conferencing apps.

      And the sort of thing some HR would like to browse when assessing job candidates. They wouldn't need to ask "do you know X", they could just consult the Apple log of how often I run the relevant commands. Things like "we see you ran 'git' an average of 145 times per day last month, tell us more about that".

      And whether I'm running tools I "shouldn't".

      All that seems quite sensitive and personal to me.

      4 replies →

    • In this case, isn't the hash of the binary consistent across all devices, so Apple can in fact derive exactly which binary you're running (assuming they have a large database of application binaries and hashes)?

      23 replies →

    • I run Tor browser occasionally. That fact alone is sensitive personal information about me. It makes me stand out. Someday it might be held against me.

      I already expect the ISP to detect my Tor traffic.

      But I didn't expect Apple, of all companies, to have a detailed audit trail of every time I've ever opened it, to the nearest minute.

      1 reply →

    • What about the hash of a password cracking binary or the hash of some sort of binary used for piracy or stripping DRM off of something? Or just in general the ability to profile users based on the apps they use seems completely trivial. I imagine it would not take a particularly brilliant data scientist to correlate people who use FTP programs or developer programs or whatever else with people who buy high value items from certain e-commerce sites, for example. Seems like a marketer’s dream if they could ever get access to that. And sure Apple wouldn’t do that, today, on purpose, but are you 100% certain that could never happen? And if there was some way to tie that illegal piracy app binary hash to you personally and the government came knocking with a subpoena, seems like something Apple might be forced to comply with. It’s a very slippery slope.

    • > I don't know about you, but hashes of the binaries I run don't exactly reveal any sensitive personal information about me.

      If they know the hash of (let's say) a pr0n app which you run, then I'd say that's pretty damn sensitive information Apple is getting.

    • It reveals how often I am running new software, it reveals what time of day I run new software, it reveals what networks I connect from

    • I think that for some users, the applications they run and the frequency they run them at would be enough to identify them across time and accounts. I could change my identifier, even my name, but at the end of the day, I've been using the same apps for at least a decade more or less.

OCSP is Online Certificate Status Protocol. The connection to ocsp.apple.com is checking the status of the certificate used to code sign the launching app.

I wrote an article about this a couple weeks ago because of the temporary revocation of HP's signing cert for printer drivers on the Mac:

https://lapcatsoftware.com/articles/revocation.html

  • I'm sorry if this was answered elsewhere, but can someone explain to me how this works when you don't have an internet connection? I assume you can still launch apps without an internet connection. So then, what stops bad actors from just either blocking the connection to OCSP or straight up turning off your connection entirely when running malware?

    • Through the very mechanism people are complaining about today.

      If your machine is offline then it switches to a fail-open system and uses its cache to verify the binary and if it's not in the cache then it skips the check and allows it.

      If your machine is online then it switches to a fail-closed system so that if you can't reach the servers because of something malicious then it blocks.

      2 replies →

  • So is checking for security certificates good or bad, now?

    • If you've suffered inconvenience from having checks but not suffered inconvenience from no checks, then it's bad.

      If you've suffered inconvenience from no checks but not suffered inconvenience from having checks, then it's good.

    • Since this check is currently done _unencrypted_ (as lapcatsoftware said in his post), I'd say it's objectively bad.

"If you're now experiencing hangs launching apps on the Mac, I figured out the problem using Little Snitch."

Well, how interesting that Apple's software is going to be bypassing Little Snitch, making it harder to discover and fix this sort of issue.

My MacBook is basically unusable right now. This appears to be the reason. Is there any way to fix it without installing Little Snitch?

Edit: working as usual now, moments after i wrote this. But seriously Apple, how can you allow this to happen? Your services hanging should _never_ prevent my device from running things locally. This is seriously making me reconsider my next computer purchase.

  • Apparently you can set ocsp.apple.com to 127.0.0.1 in your /etc/hosts

    This is really terrible, but at least the workaround is simple.

  • System76 is pretty great and they have amazing customer support. Plus between ProtonDB / Lutris you can run pretty much anything you want that needed Windows before.

    https://system76.com/laptops

    • I use and love Linux, but come on man, that kind of statement does not help. Even with proton and friends, wine is not perfect. There will most likely be problems, and it's not a one to one transition. However, in my opinion, it is worth it, but there's no sense pretending there is no cost.

      2 replies →

    • Given that they're using a MacBook they probably aren't using very much Windows specific software if any, so I don't know that Wine would be much of a factor.

Champions of privacy, phoning home a hash of every executable your computer runs!

  • Enablers, that is what they are. If the EU manages to push that anti-encryption thing through, Apple will be the one forced to remove the App from your PC. 1984 is here already.

  • > Champions of privacy, phoning home a hash of every executable your computer runs!

    What’s the matter with privacy? That’s a basic signature check, and you can do so while preserving privacy by using salted hashes or a similar solution.

    • They can perfectly do that without resorting to sending the hashes, using asymmetric cryptography.

      But... this way they also gather some data.

    • I don’t understand how salted hashes would obfuscate the query. Private information retrieval is much more complicated than private password storage, and how do we know what the protocol is?
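On the "salted hashes" exchange above, an added example (not code from the thread, and nothing to do with whatever Apple actually sends): a salt protects a low-entropy secret against precomputed tables, but the set of signed Mac apps is public and finite, so whoever receives a salt plus a salted hash of the launched binary simply rehashes their own catalogue with that salt. The catalogue, the app names and the "binary" contents below are constructed for the example.

```python
"""Added example, not from the thread: why a salted hash of a launched binary
does not hide which binary was launched. The receiver holds a catalogue of
known app binaries (constructed here); recovering the app costs one hash per
catalogue entry, regardless of the salt.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the catalogue of known app binaries the receiver holds.
CATALOGUE: Dict[str, bytes] = {
    "Tor Browser": b"constructed bytes standing in for the Tor Browser binary",
    "Logic Pro": b"constructed bytes standing in for the Logic Pro binary",
    "iTerm2": b"constructed bytes standing in for the iTerm2 binary",
}


def client_report(binary: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a 'privacy-preserving' client might send: a fresh random salt and
    SHA-256(salt || binary). The salt must travel with the digest or the
    receiver could not check anything at all."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + binary).digest()


def server_identify(salt: bytes, digest: bytes) -> Optional[str]:
    """The receiver recovers the app name by rehashing every catalogue entry
    with the salt it was given. Returns None only for binaries it has never
    seen, which is exactly the case a revocation check cares least about."""
    for name, binary in CATALOGUE.items():
        candidate = hashlib.sha256(salt + binary).digest()
        if hmac.compare_digest(candidate, digest):
            return name
    return None


def catalogue_work_factor() -> int:
    """Hashes needed to de-anonymise one report: the catalogue size, not 2**256."""
    return len(CATALOGUE)
```

The point the example makes is that the salt changes nothing about the query's privacy; the receiver needs the salt to check anything, and once it has it the dictionary attack costs one hash per catalogue entry. Checking the Developer ID signature against a locally trusted root needs no report at all; only revocation status needs fresh data, and that can be pushed to clients rather than polled per launch.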

The title is slightly misleading. ALL Macs with a recent macOS (Catalina?) are freezing, since the security checks that happen when you launch a binary are down. Even if you don't update to Big Sur.

  • My Mojave was also affected.

    • Indeed, I was bouncing a session in Logic and even that crawled, activity monitor showed a blank screen when it finally opened and iterm2 was unresponsive. I thought the machine was under load but the fans weren't even on.

      1 reply →

This is horrible. How can launching apps depend on a cloud service being available...

  • > How can launching apps depend on a cloud service being available...

    It's not, per se. The apps will launch if you block the specific subdomain, or turn off internet. The problem is if the computer thinks it can connect and keeps trying.

    • Ah yes - the “poor X is worse than no X”-problem.

      It’s a huge problem on Windows where Explorer.exe still blocks the UI thread while it checks SMB shares if it thinks it can connect to them, but it skips them if it knows the computer is disconnected from a network. So using a Windows computer on a very spotty WLAN is actually more painful than being disconnected due to all the timeouts and dropped packets. Office Outlook is another main offender. I have a Windows Firewall rule just for Outlook.exe when I know it’s going to lock-up a lot.

    • It's like no one at Apple has ever had sporadic internet access and they don't plan for it. The Apple Music app does the same thing, if you are connected to wifi but don't have internet access it takes 60 seconds for a song to start playing every time you click one. Because apparently that is a reasonable timeout for a UI action

  • And also, if you decide to implement such a horrible idea, how come you don't have a proper plan for when shit happens?

2021: The year of the Linux desktop?

But seriously, I have installed Ubuntu 20.04.1 LTS on my personal Lenovo ThinkPad P1 Gen 2, and work Dell Precision 5550, and it works fine in both cases. Stick with it for a month and macOS becomes old news. Also I think OEMs are wising up to "Linux = free" and charging for Windows on their laptops again, so you can also save some money on OS licensing going forwards.

I feel like even Richard Stallman would have had a hard time imagining non-free operating systems would result in this.

Use linux folks! It doesn't communicate with a third party when a process starts up!

Ok so let's say you actually want Apple to do this kind of security for you (I don't, but let's say).

Currently they do a synchronous check before you launch any binary.

Why don't they instead just log every binary signature and check them async on some regular schedule? Strict mode could be blocking the FIRST execution of a binary signature and after that you only recheck if that signature has been revoked on some regular interval.

There's absolutely no good reason why an app which I've run 100 times needs to phone home before running the 101st time.

  • This is already how it works. After the first check the result is cached and then it can verify locally.

    • This is how it worked. The point of the tweet and others' experience is that this is now happening for apps that have already been launched plenty of times before. This is why nothing other than Apple's programs would launch during the short time that the OCSP was down.

      1 reply →
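The two threads above (fail-open when offline versus fail-closed when online, and "block the first launch, then re-check on an interval") describe the same design space. The following is an added example, not code from the thread and not Apple's implementation, which is not documented on this page: a toy model of that launch-time policy with a per-signature cache, a TTL, and a switch for the case that caused the outage, a responder that is reachable but does not answer in time. Every name, timeout and TTL is an assumption chosen to make the trade-off concrete.

```python
"""Added example, not from the thread or from Apple: a toy launch-check policy.

Assumptions (none of them from the page): results are cached per signing
identity for `cache_ttl` seconds; an unknown identity is checked on first
launch when online; offline, the last known answer wins and an unseen
identity is allowed (fail-open); when the responder is reachable but times
out, a flag chooses between blocking (fail-closed) and the offline behaviour.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

GOOD, REVOKED = "good", "revoked"
ALLOW, BLOCK = "allow", "block"


class FakeClock:
    """Manually advanced clock so cache expiry can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def good_responder(sig: str) -> str:
    """Stand-in for a responder that answers promptly: nothing is revoked."""
    return GOOD


def slow_responder(sig: str) -> str:
    """Stand-in for the incident: responder reachable, no answer within budget."""
    raise TimeoutError("responder did not answer within the network budget")


@dataclass
class CacheEntry:
    status: str
    fetched_at: float


@dataclass
class LaunchPolicy:
    responder: Callable[[str], str]            # sig -> GOOD/REVOKED, or raises TimeoutError
    online: Callable[[], bool]                 # does the OS believe it has a network path?
    clock: Callable[[], float]
    cache_ttl: float = 24 * 3600.0             # assumption: re-check a known identity daily
    slow_responder_fails_closed: bool = True   # the behaviour the thread complains about
    cache: Dict[str, CacheEntry] = field(default_factory=dict)

    def _fresh(self, sig: str) -> Optional[str]:
        entry = self.cache.get(sig)
        if entry is None or self.clock() - entry.fetched_at > self.cache_ttl:
            return None
        return entry.status

    def _stale_verdict(self, sig: str) -> str:
        """No usable answer: fall back to the last known status (fail-open)."""
        entry = self.cache.get(sig)
        return BLOCK if entry is not None and entry.status == REVOKED else ALLOW

    def decide(self, sig: str) -> str:
        """Return ALLOW or BLOCK for an executable whose signing identity is `sig`."""
        cached = self._fresh(sig)
        if cached is not None:
            return BLOCK if cached == REVOKED else ALLOW   # 101st launch: no network
        if not self.online():
            return self._stale_verdict(sig)                # offline: nothing to ask
        try:
            status = self.responder(sig)
        except TimeoutError:
            if self.slow_responder_fails_closed:
                return BLOCK                               # reachable-but-slow: the outage
            return self._stale_verdict(sig)
        self.cache[sig] = CacheEntry(status, self.clock())
        return BLOCK if status == REVOKED else ALLOW


def simulate_outage(fails_closed: bool) -> Dict[str, str]:
    """Constructed scenario: app A was launched before the outage, app B was not."""
    clock = FakeClock()
    policy = LaunchPolicy(good_responder, lambda: True, clock,
                          slow_responder_fails_closed=fails_closed)
    policy.decide("dev-id-A")               # warms the cache while the responder works
    policy.responder = slow_responder       # the responder starts timing out
    clock.now += 3600                       # an hour later, still inside the TTL
    return {
        "A_during_outage": policy.decide("dev-id-A"),
        "B_during_outage": policy.decide("dev-id-B"),
    }
```

Under this model an app launched before the outage keeps launching from the cache either way; only a never-seen identity hits the slow responder, and the flag decides whether that blocks or falls through. The reported behaviour in the thread, where previously launched apps also stalled, is what you get without the cache, or with a cache that is not consulted before the network call.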

This isn't anything surprising. A handful of companies out there have been working hard for the past few years to kill the personal computer and turn it back into a dumb terminal that connects to a mainframe owned by them, and they've managed to do it. Nomenclature also matters - they've stopped calling them "computers", now they're just "devices".

Enjoy your $1500 dumb terminal. If you're still buying Apple products, then you're simply unforgivable.

  • "If you're still buying Apple products, then you're simply unforgivable."

    What does this even mean? Are you unable to forgive me for buying an Apple product? Why exactly should that matter to me?

  • tbh I do see these macs as dumb terminals, what else are they?

    These sweet dumb terminals can last 15 hours on a charge? nice, I'll just update the /etc/hosts when I get it.

We had 70 engineers at work in a Slack channel trying to figure out the issue before someone found a Twitter thread about it

We are slowly losing ownership (and in many cases we've already lost it) of the tech that we think we own (mobile devices, laptops, gadgets, etc). And the thing is that it is hard to make people aware of this issue, especially elderly people. I have just helped an old lady with her own new laptop and I was completely shocked by the number of steps that we had to go through to get Windows 10 working on her brand new Acer laptop (asked for PIN number, fingerprint, Microsoft account and I don't know what else mumbo jumbo just to get it running). Proprietary software definitely is going in the wrong direction and people generally are ok with it. 15 or 20 years ago you got a CD and that was more than enough to get things running. Sometimes I think how lucky I am to be able to put FreeBSD/OpenBSD/Linux on my computers and do whatever the f* I want with it and get rid of all the nonsense and bs that multi-billion companies are putting in front of us to consume.

I experienced this earlier today. I ended up creating a reddit post (https://www.reddit.com/r/macbook/comments/jt3pqx/third_party...)

I also noticed that the symptoms go away if you manually disable Wi-Fi.

Who architected this solution? Imagine an OS that needs to ping a server every time you launch an application, and if the server is down it renders your system useless.

The dev community needs to push back on this issue and perhaps Apple will rethink this solution.

The tragedy here is that likely the retrospective on this at Apple internally will not be "why do we even need our customers' MacBooks to send all this data to us", but "how can we keep on doing this without something similar happening again".

This is the reason I needed to switch to a Linux laptop. I cannot be beholden to Apple’s - or anyone’s - servers when it comes to running applications on my own machine.

Any recommendations? I’ve heard good things about System76.

  • System76 makes a nice-looking thin/light 14" laptop (Lemur Pro).

    Dell's XPS 13 line has Linux support (the Dev Edition comes with Ubuntu); I bought one of these and it's great. The only big problem was that thermald/RAPL would keep the SoC at 15W after a very short 'boost'. Updating to master fixed this problem... but Linux still requires 'tweaking'.

    Another example: sleep on the XPS is not S3, but S2Idle - so it uses extra power when sleeping (A compromise so it wakes up faster). This can be fixed with some tweaking, if desired.

    I've also heard good things about Lenovo laptops running Linux.

    I'd check the archwiki (even if you don't want to run arch) for any laptop you're considering. There's good advice in the articles.

    If I had to buy again, I'd look closer at what S76 offers. I really liked my old Chromebook Pixel 1 because of its open firmware (after I re-flashed) and excellent Linux support. I wish I had looked closer at S76, honestly.

    • I always wanted to have a ThinkPad but couldn't afford it. I finally bought an X1 Extreme Gen 2 and put Pop!_OS (System76's distribution built on top of Ubuntu) on it. Everything including the fingerprint scanner works; I once had it hang when resuming from suspend, but I mostly don't use sleep/suspend so wasn't too bothered. If you buy the laptop from System76, I would assume everything would basically just work since they are configuring everything.

  • System76 just rebadges Clevo laptops. You may as well just go directly to Clevo.

    I use a Dell xps13 (several years old now) for work, and it's fine. I have no complaints except that the aging battery is not what it used to be (I'd normally be due for a replacement system this year, but we're limping along on old hardware due to the recession).

    I can't understand how picky people seem to be about things like the MacBook touchpad. Since my last Apple computer purchase was well over a decade ago, maybe I just don't know what I'm missing, but the touchpad on the Dell seems to control my pointer well enough.

  • I started with Manjaro, and I would definitely recommend it. I tried to switch to Linux a few times before I arrived at Manjaro, and it was the perfect introduction. It's based on Arch, so you get the most up-to-date packages, but it has a graphical installer and is beginner-friendly. If you can't find something in the default repositories, it's probably in the AUR (user-maintained repositories). Plus, it's just really fun to use.

  • Linux runs perfectly fine on most laptops nowadays - pick whatever you like.

    (it's still prudent to Google for compatibility before the purchase though, since sometimes peripherals (like the webcam) on new models can be problematic)

  • I've had no problems running Linux and OpenBSD on a refurbished Thinkpad T420, provided it's not using Nvidia graphics.

  • It's funny to see people run around in panic for 1 little temporary problem and seek alternatives which could make them panic even more often.

Sidebar topic, but something that is always in the back of my head. Cars are becoming evermore connected to the web. If something as simple as this can brick my Mac, then what will it be like in a vehicle? Will all cars simultaneously go haywire at the same time around the world? This of course assumes software or hardware safety overrides are not in place to overcome such a situation.

  • Most cars use separate buses for the critical control systems and the infotainment/GPS/etc. They learned that lesson after the infamous demonstration of hacking a Jeep on the highway several years ago.

    It's conceivable that someone could push bad updates to Tesla autopilot software, or briefly stop peoples' radios from working, but quiet OTA systems like that are the exception rather than the rule.

I did experience a very strange slowdown earlier today, and other odd behavior - first, a massive slowdown and then on a reboot, the keyboard wasn't found. After some tinkering, it's all better now - though I don't know that the tinkering actually did anything.

This is the future Apple wants I guess, you don't really own your hardware, you simply have a limited license to use it under their very strict terms. It's just a matter of time before Macs become just like iOS.

  • It might get worse: now that they're switching to their own SoCs, they might even block APIs and allow access only to certified parties.

    Basically Final Cut Pro and Logic Pro might forever be faster than any 3rd party software package by having access to IP blocks that aren't exposed to other developers complete with signature check to prevent reverse-engineered use...

    • If they really tried that, wouldn't the DoJ bring an anti-trust case against them? That's exactly what Microsoft was doing in the 90s, using undocumented internal APIs for their own software that let it run faster than competitors'.

      3 replies →

  • I've been trying to sound the alarm over "Secure Boot" and the absolute torture it will be to run other operating systems on these ARM Macbooks but very few people seem to care. I guess as long as the display is shiny and the trackpad is big then we're all good.

Add ocsp.apple.com to your Pi-Hole blocklist if you have one and the issue goes away.

You can also add this to your /etc/hosts file:

0.0.0.0 ocsp.apple.com

  • Insta-add to pi-hole. Interesting though, that in my query log I don't actually see my machine trying to hit this domain when I open apps.

I'm sad to see people buying things only because they look comfortable and nice. Here finally happens what was predicted a long time ago, and it shows why everyone should use free and open-source operating systems and applications.

I tried to attach the notarization to every Mac App Bundle in the past but with MacOS 11 this doesn't help either?

You should never, ever, install a MacOS update the moment it comes out. There is a high chance (> 30% from my experience) that something will be wrong with it. iOS too for that matter.

Wait for at least one week and check out other people's experiences first.

  • I ran the beta over the summer and it was awful. I loved the changes but it was just unstable as hell. And people kept saying it was the most stable one yet; I don't get it.

    • I’ve been running it as a daily driver since the first day of the developer betas and have found it to be vastly more stable than the previous version, with basically no issues before this.

      I don’t know what to tell you, beyond the fact that all use cases are not the same, apparently.

  • This has nothing to do with a software update. I haven't updated anything and am still running into this. It's their online services that are the problem.

  • To elaborate on what others are saying, macOS has been doing this phone home for a while, it just looks like the server it phones home to started being _really slow_. So if you were offline, the software behaves fine, but if you're online, it blocks on getting a response.

    Great example of how you should never block UX on network requests.

  • This.

    To save yourself the headaches and frustrations, wait for the bug fix releases and updates to come first before installing this very first new release.

    It makes no sense to immediately update the system and then risk your computer being rendered unusable with such bugs and problems whilst having a deadline hanging over your head.

  • > Wait for at least one week and check out other people's experiences first.

    Of course if everyone does this, there is no experience upon which to draw.

    Furthermore, the title is straight up wrong: this is not related to Big Sur and is in fact also affecting other versions with Gatekeeper.

  • It's same for any other OS. There's a reason Ubuntu won't try to update itself to the next LTS until it hits X.1.

  • The software quality of Apple is embarrassing. They have the money to hire the best of the best, and to do tons of manual QA yet their OS releases are always riddled with errors. Why is software the red-headed step-child of Apple?

Wow this is a huge cluster - threw a complete wrench in my work for almost an hour. Is this what we should be expecting from Apple going forward?

Update to the original tweet: https://twitter.com/michaelvillar/status/1327004693361549312...

> A better fix to this is:

> - Turn off Wifi (to be usable)

> - Add "0.0.0.0 ocsp.apple.com" to `/etc/hosts`

> - Turn on Wifi

> This is temporary, don't forget to remove it tomorrow.
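The same temporary block, as an added example (not the tweet author's commands and not anything Apple ships): a small Python script that appends `0.0.0.0 ocsp.apple.com` with a marker comment, refuses to add a duplicate, and later removes only the line it added, so a pre-existing entry for the same name is left alone. The hosts-file path is a parameter so it can be tried on a copy before touching `/etc/hosts` (which needs sudo); flushing the resolver cache afterwards, as described earlier in the thread, is left to the caller.

```python
"""Temporarily map a host name to 0.0.0.0 in an /etc/hosts-style file.

Added example, not code from the thread. The file path is passed in
(default /etc/hosts, which needs root) so the logic can be exercised on a
scratch copy first. Flushing the macOS resolver cache afterwards is not done here.
"""
from pathlib import Path

# Marker appended to every line this script writes, so unblock_host()
# never touches an entry the user added by hand.
MARKER = "# temporary outage workaround"


def _entries(text):
    """Yield (address, [names]) for each non-comment line of a hosts file."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        yield fields[0], fields[1:]


def lookup(path, host):
    """Return the address the hosts file maps `host` to, or None. First entry wins."""
    for addr, names in _entries(Path(path).read_text()):
        if host.lower() in (n.lower() for n in names):
            return addr
    return None


def block_host(path, host, addr="0.0.0.0"):
    """Append `addr host` unless the host is already mapped. Returns True if a line was written."""
    p = Path(path)
    if lookup(p, host) is not None:
        return False
    text = p.read_text()
    if text and not text.endswith("\n"):
        text += "\n"
    p.write_text(text + f"{addr} {host} {MARKER}\n")
    return True


def unblock_host(path, host):
    """Remove only the lines this script added for `host`; returns how many were removed."""
    p = Path(path)
    kept, removed = [], 0
    for line in p.read_text().splitlines(keepends=True):
        fields = line.split("#", 1)[0].split()
        if MARKER in line and host.lower() in (f.lower() for f in fields[1:]):
            removed += 1
            continue
        kept.append(line)
    p.write_text("".join(kept))
    return removed


def demo():
    """Run the block/unblock cycle on a constructed scratch file (no root needed)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "hosts"
        p.write_text("127.0.0.1 localhost\n255.255.255.255 broadcasthost\n")
        added = block_host(p, "ocsp.apple.com")
        again = block_host(p, "ocsp.apple.com")      # idempotent
        mapped = lookup(p, "OCSP.APPLE.COM")         # case-insensitive lookup
        removed = unblock_host(p, "ocsp.apple.com")
        after = lookup(p, "ocsp.apple.com")
        untouched = lookup(p, "localhost")
    return {"added": added, "again": again, "mapped": mapped,
            "removed": removed, "after": after, "untouched": untouched}


if __name__ == "__main__":
    import sys
    # Usage: sudo python3 hosts_block.py block|unblock [hosts-file]
    if len(sys.argv) < 2:
        print(demo())
    else:
        hosts = sys.argv[2] if len(sys.argv) > 2 else "/etc/hosts"
        if sys.argv[1] == "block":
            print("added" if block_host(hosts, "ocsp.apple.com") else "already present")
        else:
            print(f"removed {unblock_host(hosts, 'ocsp.apple.com')} line(s)")
```

Run it with no arguments to see the cycle on a scratch copy; `sudo python3 hosts_block.py block` edits `/etc/hosts` for real, and `unblock` reverses only that edit, which is the "remove it tomorrow" step above.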

Both my Hackintosh and MBAir are on Catalina and have been freezing repeatedly for the last hour. It is definitely affecting Catalina.

I always wonder about the after action in a situation like this. Obviously, it makes Apple look bad but it isn't like they are going to flog the responsible team (and I mean responsible in the sense that various teams are in charge of the components of the overall system: the os service that issues the request, the website responding to the request, etc.)

I'm sure some devops folks were getting screamed at while running around with their hair on fire, but what's the cause and response. Hopefully they'll issue a public after action report that isn't jammed with marketing talk like "we were unfortunately caught by surprise and due to the unprecedented massive interest in the latest macOS with its great features for users and developers, blah blah".

This is the kind of stuff that makes me laugh at their (very successful) "Apple respects privacy" PR campaigns.

  • How is this not congruent with strong privacy protections? Your iPhone knows everywhere you’ve been, but when it sends that info to Apple it doesn’t include any personally identifiable information.

After AMD released their Zen 2 lineup and the prospect of considerably faster compile times became attainable, I re-evaluated my relationship with MacOS.

I bought a new AMD PC and initially Hackintoshed it. This actually worked out great but after some time I decided to jump over and see if I could live with WSL under Windows.

Windows is not as nice as MacOS, but WSL1 (tried WSL2 for a few months but still prefer WSL1) has allowed me take advantage of affordable high performance hardware and maintain support for the software I use daily.

I may buy a low powered MacBook laptop in future (because there are no Windows laptops with a trackpad that compares) but I don't think I will ever use it as a primary desktop environment again.

  • This is inconsistent - microsoft is arguably many times worse than apple in regard to telemetry and things like forced updates.

It's even worse: after Apple's service recovered I was left with what seemed to be a corrupted installer/updater that kept throwing "An error occurred while installing the selected updates" when I clicked on "Upgrade Now". I had to boot into recovery mode and run "csrutil disable" so I could delete the update directory from Library/Updates.

This makes me wonder: I guess in the event of war the data centers of Google/Apple/Microsoft/Facebook must be at the top of the list. I wonder how close any of them are to being pwned. I can only hope those companies are at the top of their game when it comes to this stuff, though accidents like this don't give much confidence.

I wonder if there are startups attempting to challenge the Mac dominance? Good trackpad, good battery, good screen, with (some) Linux supported out of the box, and no wonky configuration seems to be the problem to solve.

  • Mac dominates nothing; the great majority of PCs out there are running Windows. If you are talking about hardware then Dell, Lenovo, Asus and co. all have excellent high-end computers. Becoming a slave to Apple is 100% a choice.

  • Seems you've been locked in. I never bought Apple in my life; it was a snap decision when I saw I had to pay to try developing for their system 10 years ago (developer license), and I remain pretty satisfied with this decision.

They need to find another way, because this is just pure crud. So today, everyone gets to experience what a person with a poor internet connection deals with when using a Macintosh.

So the block works for now, but what happens when a) macOS is changed such that Little Snitch doesn't work anymore, whether it is because the architecture changes in some critical way, or Little Snitch itself is blocked by trustd? b) failure of trustd to succeed in its call home becomes a hard failure that blocks execution?

I can kinda see a noble intention behind this: protect system integrity by making sure no "known evil" application runs, like say a ransomware. But I have two problems with it.

First, it seems to assume that the call-home server will always be available, which seems a bad assumption from an engineering standpoint. Even the mighty and holy Apple can suffer outages, for a myriad of possible reasons. Be it a fat-fingering of some parameter during an approved maintenance window, the criticality of which was heretofore unappreciated, a cascade of on-their-own-innocuous failures transforming into a deadlocked hard-down situation, or the fact that the North-American Fiber-Seeking Backhoe is not and never will be an endangered species, the result is ultimately the same: the mother-may-I server is not available.

The second reason, giving Apple further capability of evil shenanigans is already well covered by other comments here.

Don't forget to go ahead and buy more Macs in the future. That will teach them

  • More Macs means even more "Trust and Security" traffic for Apple to handle. So, yeah, that'll teach them!

I wonder if this explains why I was unable to print something for several minutes around the time this tweet was published? The printer manager refused to open each time I tried to print. Frankly, that's unacceptable.

I have preferred Apple/MacOS since 2007. However, my 2019 MBA suffered the infamous shaky keypress issue, randomly inserting an extra space when I typed. After 6 trips to the Apple store to fix under warranty I told myself it is my last Apple product.

I wanted the MBA for the portable form factor. Now I work from home and portability is no longer a consideration. I will most likely ditch this device in favor of a Linux system.

What a disappointment.

This reminds me of the recent news about Let's Encrypt expiring one of their root certificates and warning that old Android systems may not be able to validate SSL if they were not updated. We have increasingly moved our world into an interconnected web of trusts and taken out failsafes and overrides, so we are very much entering an age of brittle systems --- one in which the vulnerability of one key subsystem (Google, Facebook, Apple, a key SSL validation cert, etc.) can escalate towards disabling the entire world, when you cannot get your TV to turn on, your car to start, or the power grid to switch on. What are we doing to prevent that?

Is MacOS sending these hashes to check whether they are revoked? That sounds like an insane excuse. Are there really so many revoked hashes that it is not feasible to mirror the database to every device for offline querying?

  • Not sure if this system replaces it but they’ve had a built in system for years called XProtect that keeps a malware hash database and checks locally.

A temporary work around that helped me was to use

  sudo route add -net 17.253.17.207 255.255.255.255 -blackhole;
  sudo route add -net 17.253.17.202 255.255.255.255 -blackhole;

based on

  dig +short ocsp.apple.com |grep -E ^[1-9]
  17.253.17.207
  17.253.17.202

That shortens the delay. Others here found adding ocsp.apple.com to /etc/hosts using a private address also helps. Whichever is easiest for you. To remove:

  sudo route delete -net 17.253.17.207 255.255.255.255;
  sudo route delete -net 17.253.17.202 255.255.255.255;

or reboot.

Sad state of affairs that apps are slow because it can't phone home to a server to verify it's okay.

  • Unacceptable ecosystem, for both 3rd party app devs and users. What I guess we won't see - but need - is an apology from Apple and a commitment to quickly fixing this bug.

    • Is it really a bug, or a design problem where they are trying to do something they should not do in the first place?

This mechanism is also what recently broke all HP printer drivers on macOS.

HP accidentally revoked their certificate, and since macOS automatically checks it before loading code printing and scanning with my HP printer no longer works.

My mom called me with the same issue. She didn't do anything, but all of the sudden her printer stopped working.

There is no way I know of to override the accidental revocation.

Installing updates from Apple and HP didn't help.

Online certificate revocation is a really bad idea for desktop software.

Imagine you are a software developer and want to learn about the boot process and implement your own bootloader. A popular exercise.

You can't boot your self-written software on your "own" Apple Silicon Mac. There is no way to disable the locked down boot process.

You may argue that it's still your computer and you can do what you want with it. You're wrong.

  • I've never heard of any software developer I know doing this, even the ones with deeper or more obscure knowledge, but do you have any interesting resources to point to?

  • You may want to reprogram the computer in your car too.

    You’ll discover there is no way to do so.

    You may argue that it’s still your car and you can do what you want with it. You’re wrong.

    Wait - what am I saying? - that makes no sense. Of course it’s your car.

    Ahh, this is a bogus argument!

    Just because there are things you don't know how to do with something doesn't mean it isn't yours.

    It turns out that all objects are this way!

So this is what was happening to my MBP a couple hours ago? Right before a meeting my Mac started glitching out - extremely slow to do anything and spinning beach ball. Launching any app would take literal minutes. Spent the next hour rebooting & diagnosing. Then it suddenly went back to normal. That's great.

One of the «romantic» aspects of buying an Apple back in the day was that people who «knew» were buying them. Musicians, designers, programmers had to have one. It was stable and just empowered you to do your job. I wonder if Apple has underestimated how important it is to have the «tech» guys on their side.

  • We are no longer the "target" audience. I will use Catalina with Little Snitch until it's possible. In 3-4 years time someone will finally realise that Linux is the future of professional work and will make Photoshop/Illustrator clone with quality performance. Resolve is working reasonably well under Linux, Blender works, the only Apple thing I cannot remove is Logic.

So all Russia/China would need to do to drive Apple into bankruptcy is DDoS Apple's servers and brick their laptops worldwide? This must be hilarious. Imagine the meeting at Apple HQ when they took that decision; that KGB agent must be very proud to have made Apple shoot themselves :)

OSs have been doing something similar for a while. Ever since the 90s I remember Windows NT checking SSL cert revocation lists every time you right-clicked. When you disable that option, right click goes from 400ms to 5ms response time.

Synchronous remote calls should not exist in the OS like this

Most people trade their freedom for more convenience, but we don't think how we put all our eggs in one basket that we don't control at all. All Apple users are at the mercy of a megacorp. Better don't offend someone online, your Mac may be cancelled...

A perfect example of how with non-free software, the user is controlled by the software.

I hate it when my keyboard hangs because I'm connected but DNS isn't working. Like I need internet for my keyboard. So, so frustrating; it has me seriously considering bailing to some *nix flavor if this shit continues.

This is bad. As bad as DRM.

A simple test for whether a product will stand the test of time is whether it'll cease to work once their creator's servers go down.

Imagine Apple goes bankrupt tomorrow. Is your overpriced device suddenly useless?

I don't know if the slow downloads of Big Sur are related, but the underlying problem is that ocsp.apple.com[1] is fubar, and certificate revocation lookups are failing.

EDIT: This might indeed be Big Sur-release-day related. Most certificate revocation failures are "soft", but with ocsp.apple.com black-holed in /etc/hosts I can't resume downloading the update.

[1] https://twitter.com/lapcatsoftware/status/132699029641299148...

  • Talking about a cluster.

    Now when I get my new mac, I'm going to find a way to opt out of this.

Why the heck do they have to reach to central servers?

Anti-virus software have been working with "definition files" ever since the dial up days. Check locally. Update when you can.

This is a completely brain dead implementation.

  • You could absolutely use a simple certificate revocation list instead of OCSP. I don't know how large that would be, though. It could run into problems if there was a heartbleed like issue that required revoking many certs.

    All the extra connections are enough of an issue that there's OCSP stapling, where a web server attaches a copy of the OCSP check to the response.

    Seems like it'd be possible to inject a file into Cool.app/Contents/ocsp.staple in a downloaded .dmg.

    That could be considered valid for a few days so that, for the common case of "download app and try it out", there's no need to phone home.

This demonstrates the limits of Apple's campaign towards vertical integration of their services. Once they make a simple mistake on their part, you are at the mercy of Apple to make it right again.

Is it possible that we (the internet) don't understand this properly because by this logic, the apps shouldn't run when there is no internet connection. I don't believe that is the case.

  • No connection -> Fine

    Good connection -> Fine

    Spotty connection -> Problematic.

    Basically, they didn't include a timeout in their network code.

    • It's funny how many apps have this problem, you don't realize until you're on a spotty connection. Often disabling/cycling the wifi/network fixes an app freeze.

      2 replies →

Remember how everyone was so insistent on certificates everywhere? We must have them, no matter what you think, no matter how trivial the transmission of information.

As it turns out, there are some downsides.

We were in the final steps of a really major demo and my laptop shit a brick, I kid you not, I ate about 50 pistachios while rebooting and killing mds_stores, thinking Spotlight was losing its mind.

I have been seeing a warning message for some time about something that won't work in the next upgrade. I could never find whatever it was, maybe something I gave unnecessary permissions to long back, so I upgraded yesterday and so far all is running very smoothly, and most of what I use is open source and mostly free, and I haven't found anything that doesn't work yet. The Windows emulator I use for work stuff may have issues, but it's been dysfunctional for a while; I just refuse to get Parallels again.

This widespread outrage is proof that only a few knew of this. Why is it that such a single point of failure and such a vector for unexpected data disclosure goes unnoticed for so long?

Is there any official or even unofficial Apple information that can confirm all the explanations here correct and this was intended behavior? Or explain their position on it?

This is brutal.

I've found a work around for now.

* Turn off wifi

* Reboot

* Open everything you need

* Turn wifi back on

There is also

ocsp-lb.apple.com.akadns.net

which looks like it does the same and should be blocked too!

I'll go a step further: what if someone decides, "Hey, I'll shut that website up by influencing someone to revoke their certificate."

Remember everyone's eagerness to eliminate bare, unencrypted HTTP? How self-signed certs are "sketchy?"

Has this been yet another way to pull the plug on certain parties? Could someone get Cloudflared by a maintainer of certs somewhere along the chain revoking a site's cert because they woke up in a bad mood?

And so we demonstrate too much corporate control -out of user control- is not a nice thing. We have the Apple Big Brother here, I am sad to say.

This just seems wrong on multiple levels.

Phoning home on every app launch seems insane to begin with.

But if you're gonna go there, at least be prepared for the inevitable.

Does anybody know how to disable all hashing on macOS? The best I could do was disable Gatekeeper with `sudo spctl --master-disable`.

  • Install another OS? *

    There are some workarounds in this thread but in reality you don't know how and when Apple may choose to automatically re-enable it without your consent.

    * You should probably just smack your Mac with a rock just to be sure ;)

  • You can also disable code signing enforcement and amfi by adding the following boot args:

    cs_enforcement_disable=1 amfi_get_out_of_my_way=1

    • Thanks, you can also disable library code signing validation too:

      `sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool true`

Pathetic. Apps don't need to have internet connection until they actually do.

I bought the new mac, but I'm planning to dwell in the terminal and browser. My exposure to Apple's closed garden is very limited but I dread the day when it's forced upon me. Then I would need to switch hardware despite Apple's form factor being my ideal type (light and battery life+++).

Initially I noticed this behaviour on my work laptop (which I joined recently), where I was able to get the app working as soon as I switched my location to Home (non-VPN/Proxy). I thought it had something to do with the work configuration.

For the past few days I'm also experiencing similar behaviour on my personal laptop.

Appalling to be sure, but you can't even log into a Chromebook if Google auth goes down, unless I'm mistaken.

  • You can log in to a Chromebook (unless it's a first-time setup) even if it's offline. Login stuff seems to be handled locally. E.g.: if you update your Google password, you need to log in to your Chromebook with your old password one more time and re-sync.

  • Are you sure? I thought they cached login stuff locally so you can sign in while you're offline. Not sure though.

Oh boy, I'm so happy with my Linux Mint. It's way better than any Windows or Mac system I ever used or saw.

This issue + the inevitable platform switching costs may wipe out the momentum gained from the new offering.

Esp. rational corporate buyers are not going to want some 'cool new hardware' if they can't do basic things.

Makes you think about MS's existential 'always backwards compatible' philosophy.

All of my personal Macs became unusable about an hour ago. Fan would kick up, CPU gets loaded, and every operation comes to a crawl. Thankfully it seems a PRAM and SMC reset solved the issue. Wondering if what's going on here is related. It would be quite the coincidence if not.

I am really curious about how people realized this was the issue. Any ideas about the thought process?

  • Possibilities:

    - Turned off wifi and everything started working again.

    - While watching network stats, noticed a little burst of network traffic on each attempt to launch an application.

About 4 hours ago my Mac crawled to a stop. I rebooted, but it remained incredibly sluggish, uncharacteristically so. This definitely was not normal operation (and I use this many hours daily). Then about 1/2 hour later, it began to operate normally again.

But I'm running Mojave.

So ... huh.

I'm curious if this falls under the "Check this box to send metrics to Apple to help us make things better" checkbox you get when you first login to your Mac after a reinstall.

Anyways I don't understand why this process would not be completely asynchronous.

I just excitedly told my wife about this issue, because it's a big deal, I didn't know about it, and she was complaining her MacBook Pro was very slow today. Her response: "oh wow, so is it fixed now?" That's the difference between HN and the real world.

> macOS unable to open any non-Apple application

Shouldn't it really say:

     macOS unwilling to open any non-Apple application

or:

     macOS refuses to open any non-Apple application

Saying unable makes it sound like a mistake or accident.

Maybe apps should be signed and issued certs by neutral authorities like SSL certs are issued (like Let's Encrypt).. Maybe also issue bulk cert updates with OS updates or virus scan updates like browser updates bring SSL root cert updates..

I followed OP's advice and blocked trustd from connecting to these servers. I noticed that there's also a process named ocspd that's whitelisted by default in Little Snitch. Can someone explain how these things are related?

This is outrageous. Can we sue Apple for damages? What if you were about to do something literally life critical? I pretty quickly debugged the issue and added a hosts line, but man, this is absolutely horrible. I have no words for it.

With things like this, Docker not running on Apple Silicon (because it doesn't support virtualisation) etc. there surely should be a market for developer laptops running Linux but with an OS that gets out of the way most of the time.

Who’s selling those?

It's outrageous that Apple designed their system this way. (And it's curious why they seem to have so many fans on Hacker News that will defend this type of design.)

Your Mac hardware is a brick if Apple's servers aren't running!

The way trustd works has annoyed me since Catalina was released, I do hope that it's improved in Big Sur.

I get what they were trying to do with it to improve security/privacy, but the execution fell flat (as we've now witnessed).

I was on a Zoom call a few minutes ago and my machine was struggling with responsiveness, which I haven’t seen happen - and there’s been a lot of Zoom usage this year. I assumed it was Zoom related but this makes more sense.

Always wondered why it checks for cert revocation when starting an app instead of periodically checking in the background. Hm, that might require some sort of central cert database or something? Just spitballing here.

There goes any temptation I had to buy an M1 Mac. Thanks for the warning Apple!

  • It's completely unrelated to M1 and is also affecting Mojave and Catalina, apparently. It's a security signature check service problem. Some might argue that it should be easy to disable security signature checks system-wide (which is what the provided instructions achieve). Many more would probably argue that disabling these checks would be bad for security, especially for the average user.

    I'm curious what security researchers think of this. Further evidence that security is a doomed endeavor, since it's necessarily at odds with convenience?

    • I know it's unrelated. I have a Mac and was unable to do any work for around an hour, and had no idea why. Windows has SmartScreen, but if the service is unreachable you get a popup. This is just completely unacceptable: if it's possible that a server issue could cause all apps to fail locally, there should at least be a popup explaining that's why nothing is working. I'm fed up with far more than just this. I'm saying any temptation I had for an M1 Mac is now gone.

It took almost 6 hrs to fully resolve:

    macOS Software Update - Resolved Issue
    Today, 10:00 AM - 5:15 PM
    Some users were affected
    Users may not have been able to download macOS Software Updates on Mac computers.

This is a bug. The intent is that if the malware check takes too long the system fails "open" and allows the launch. That obviously didn't work correctly in this case.

Can't wait until they port the Facebook SDK and we can have these "stuff doesn't work because a computer 3000 kms away is wrong" moments on the desktop.

Apple is never gonna change, right? Seems like we will see an iPhone-style thing in the future where we can only download apps from their store. Switching to Linux right now :/

My MBA is not responsive with my USB-mouse, but is with the touchpad. Like, just hovering over items is smooth with the touchpad, but lags with the mouse.

Anyone else with this problem?

Having this issue on a 13" MBP. Running this to append ocsp.apple.com to the hosts file did the trick:

echo '127.0.0.1 ocsp.apple.com' | sudo tee -a /etc/hosts

Apple has been deciding what and how you are allowed to run apps in your phone for almost a decade now. It's bad and all, but no one can say this is a surprise.

Huh, this was the reason why my laptop was freezing every time. I thought it was the fact that my laptop got too old and so I wiped my laptop and installed Arch.

This seems like a case of Apple engineers only testing these features on Apple networks and such, where obviously the pings are very fast and unlikely to fail.

Almost reinstalled OSX. I thought my SSD was failing.

  • Unacceptable showstopper. Professionals can't afford this nonsense. If I'd not already left the platform, the decision would be forced today.

Please note that most of your Apple computer hardware (except for the most recent iteration) will run Linux without any major problems.

I'm an MBP owner. But I'm sad to see that Apple makes strong statements about privacy, on stage, while sending hashes of open apps.

Just downloaded Pages, Keynote, Numbers and Garage Band from the Mac App Store. All updated for M1 and Big Sur.

So maybe things are improving?

Why is this not getting any media attention? Why is there no formal statement from Apple? Why is this behavior justifiable?

For anyone who wants to disable Gatekeeper, this appears to do the trick, at least on Mojave: sudo spctl --master-disable

I don't see MacBook Pro mentioned in the @lapcatsoftware tweet. Seems like this screw-up would affect all Macs, no?

Stuff like this will push me off Apple no matter what the performance of the M1 chip is. Privacy trumps performance.

Ugh, I don't want to upgrade to Big Sur now. How much more dictator garbage is hidden in the new OS, I wonder?

This may sound hyperbolic. Oh well.

I was deeply considering one of the new M1 MacBooks last night, but held off on completing the order.

Now today, I can't use my computer for nearly an hour. And my daughter as well during school time... all because a remote server can't respond. I just do not find that acceptable for a computer I own to simply stop working because of remote non-response.

I am now deeply considering not getting a new m1 machine.

This is the iOSification of macOS. They can keep all their fancy new Apple Silicon laptops. Fuck Apple.

I thought I was going crazy earlier because of this.

Strange though, flushing my network cache completely fixed my issue.

Pathetic. Apps don't need to have internet connection until they actually do.

I bought the new mac, but I'm planning to dwell in the terminal and browser. My exposure to Apple's closed garden is very limited but I dread the day when it's forced upon me. Then I would need to switch hardware despite Apple's form factor being my ideal type (light and battery life+++).

I have no idea why anyone immediately installs the new MacOS.

It is literally like this with every major release now.

It’s a far, far better thing to distribute the hash tables into each macOS, encrypted if need be.

I wasn't even able to change my brightness — pretty amusing, but also not, at the same time

Do I need to use Little Snitch, or can LuLu block ocsp.apple.com, too?

Asking for a friend, what's the experience installing Linux onto a 2018 MacBook? Last I heard it was nothing short of torture, but I'm hoping the situation has gotten better as time goes by.

Define “taking down”

  • The computer is completely unresponsive as the OS is blocking all apps from starting. The best part was that the "keyboard" was not found... in my MacBook.

    • Had that too. Apparently it checks keyboard firmware? Always-on VPN connections can cause that same issue too. Wake up, can't type. OS eventually prompts you to connect a BT keyboard as none is detected, then that goes away.

  • You have to send a hash of every program you run.

    Unix workflows like to call hundreds of small programs.

    If Apple doesn't respond in time, your system halts.

Probably best to read this to understand better what happened. TL;DR: the problem was due to a hung network connection. So the notarisation check thought it could go because it had network, but then it hung because the connection to ocsp was getting stalled. Hence turning off the network made the problem go away. I experienced a weird slowdown for about 20 mins, then everything went back to normal.

https://arstechnica.com/gadgets/2020/11/macos-big-sur-launch...
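The fail-open intent and the stalled-connection failure mode described in the comments above, as an added example that is neither Apple's code nor anything posted in this thread: a launch-time check client with one hard wall-clock deadline, run against a constructed local responder that either answers or accepts the connection and then never replies. The CHECK/REVOKED line protocol, the responder and the hash value are stand-ins invented for the demo.

```python
# Added example, not Apple's code or anything from the thread: a check client
# that fails open under a deadline even when the server accepts and then stalls.
import socket
import threading
import time

def start_responder(reply=None, hold_seconds=5.0):
    """Constructed stand-in for the check server on a free local port. reply=None:
    read the request, then hold the connection open without answering (stalled)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.recv(256)                      # consume the CHECK line
            if reply is None:
                time.sleep(hold_seconds)        # never answer: the stalled case
            else:
                conn.sendall(reply)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def check_executable(digest_hex, host, port, deadline_seconds=1.0):
    """Ask the responder about one executable hash; return (allowed, reason).
    Connect and read share one deadline; any error or timeout fails open."""
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=deadline_seconds) as s:
            s.settimeout(max(0.01, deadline_seconds - (time.monotonic() - started)))
            s.sendall(f"CHECK {digest_hex}\n".encode())
            reply = s.recv(64)                  # blocks here if the server stalls
    except OSError as exc:                      # socket.timeout is an OSError
        return True, f"fail-open: {type(exc).__name__}"
    verdict = reply.decode(errors="replace").strip()
    return verdict != "REVOKED", f"responder said {verdict or '<empty>'}"

def timed_check(digest_hex, port, deadline_seconds=0.5):
    # Run one check against a local responder and report how long the caller waited.
    t0 = time.monotonic()
    allowed, reason = check_executable(digest_hex, "127.0.0.1", port, deadline_seconds)
    return allowed, reason, time.monotonic() - t0
```

Without the deadline the stalled case blocks in `recv` for as long as the server holds the connection, which is the "everything hangs" behaviour the thread describes.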

sudo spctl --master-disable

Should disable Gatekeeper. Have not verified with Little Snitch though.

oof.

I used to do this kind of thing to get around Adobe's DRM stuff. Not a good look Apple.

I knew this would be the nail in the macOS coffin as the "iOSening" of macOS is now complete

How can this be GDPR compliant? Apple tracks each user's behaviour and knows exactly what software they use and how often, so they can launch their own services and cut out competition on popular services.

This is exactly the kind of application Facebook was called out for (https://techcrunch.com/2019/01/29/facebook-project-atlas/). Just here it's much worse, as it's installed and activated by default on all Macs.

I am tired of this 2-trillion company becoming too strong. Screw them. I ain't gonna develop for them anymore. Parasites. Got this mail from Apple:

Dear Developer,

Compatible iOS and iPadOS apps will automatically appear on the Mac App Store when the first Apple silicon Macs become available this year. However, we noticed the following issues with one or more of your apps that are opted in to appear.

The following apps will not be made available on the Mac App Store until you address the issues and select Make this app available on Mac in the app's Pricing and Availability section of App Store Connect.

  • Maybe I didn't parse the sarcasm tags, but they're opening up a whole new market of mac owners to your product with what's likely minimal effort?

You all seriously should have spent the last 20 years helping us make Linux better. What a waste.

  • But since that's not in the cards, how about starting today?

    Once you get over the lack of polish, you'll find that it was hiding seams that are useful to know about.

  • Sorry, I can't and won't work for free.

    • It doesn't have to be any more work than you're already doing. Just stop putting cycles into working around bad decisions by people who are trying to control you and put those very same cycles into working around bad decisions by people who are trying to help you.

      A couple years later, snippets of code worth sharing will be lying around. Which you can share, or not.

I run Linux on my work machine, but everyone was talking about this problem in our chatroom for all of it. I got some co-worker karma.

  • If my employer offered anything for Linux use other than a 10 lb Dell laptop I would consider it. I primarily choose MacBooks because I know what to expect in terms of hardware.

    • Aren't Dell XPS laptops considered pretty good for Linux?

      I use desktops 99% of the time (it's more ergonomic), but I have an old XPS for occasional travel.


I don't care for downvotes :) Welcome to jailbreaking your Mac. Third time: I hate to repeat myself, but these articles keep piling up. Vote with your money first, then if you have a way, search for legislative measures. They will never stop searching for a way to profit more. This is just a beginning. Fully closed Macs are coming. I don't care anymore for iPhones; my professional problem is with Apple desktops and laptops. If we follow Apple's logic, in the near future I will have to jailbreak my personal computer that costs an arm and a leg and cannot do 3rd party repairs on it. I am now feeling very good about the decision to invest in multi-platform software and avoid Mac-only apps. On the phone side someone suggested Fairphone (https://www.fairphone.com/en/) as an alternative. I can see a lot of value in this proposition, after rooting and removing Google crap/spyware.

Little Snitch is working under Catalina; I have blocked Apple telemetry all the way. My graphic workflow is on multi-platform apps, people are using Figma instead of Sketch, coding for web is beautiful under Linux, Resolve and Blender are working beautifully (I don't use ProRes). The only hassle will be Windows (under a VM) with no internet and Logic (searching to switch to a new DAW, but not with subscription-based licensing like Pro Tools). Apple is actively working on making developers "go away"; the days of "great Mac for developers" are gone. Bottom line: users of the Apple platform are excited, they will have powerful machines with M-SoC, closed and secured. :)

This seems like another signal of an overall trend. Post-SJ, Cupertino seems to be getting progressively laxer about testing, quality, usability, and overall excellence in software and hardware. It's a shame. :'(

This is a nightmare in so many respects. I can’t believe my ability to run software on my own machine requires successful network calls. I spent two hours today thinking my hardware was failing catastrophically.


  • I don't think everyone is experiencing it. My Mac became nearly completely unresponsive. Rebooting didn't help, it took forever to finish rebooting.

    ocsp.apple.com 127.0.0.1 in /private/etc/hosts got it moving again.

    • Same, but I thought it was my backup software. I didn’t think my version of the OS was sending back the hashes.

Apple software quality and design is a joke.

tl;dr: Apple no longer builds computers.

After 11 years of MBPs as my main computer, I left because of crappy hardware (keyboards, missing Esc and Fn keys). I'm now very happy on a System76 laptop running PopOS.

With each new release of the OS, getting more and more locked down, I am happier that I moved on when I did.

The long term trend with Apple is for their computers to get more and more closed. First hardware, and now software. I get that for a phone, but it is completely antithetical to what a COMPUTER is supposed to be. They really should stop calling these things computers.

Huh.

After typing the above, I decided to check. THEY DO NOT call Macs "computers". I searched the pages for MBPs, iMacs, and Mac Pros. They use the word "computer" in connection with trade-ins, (for the thing you are trading in), and they use the phrase "computer system" in fine print, and never to refer to their products directly.

APPLE, IN THEIR OWN WORDS, NO LONGER BUILDS COMPUTERS. That explains so much.

They use a server, like in one server, like in a single point of failure?!

  • dig ocsp.apple.com reports:

        ;; ANSWER SECTION:
        ocsp.apple.com.  3593 IN CNAME ocsp-lb.apple.com.akadns.net.
        ocsp-lb.apple.com.akadns.net. 53 IN CNAME ocsp.g.aaplimg.com.
        ocsp.g.aaplimg.com. 8 IN A 17.253.21.201
        ocsp.g.aaplimg.com. 8 IN A 17.253.119.201

    "ocsp-lb.apple.com.akadns.net" is an entry indicating DNS based load balancing, done by Akamai.

    Even with lots of redundancy, there are still lots of ways all that can fall over. You can have a batch of servers that soft-fail: they're not responding to real queries but the load balancer thinks they're healthy.

Wake up, people. Free software is the last line of defense we have left before technological tools are completely taken away from us, and we all have to live our digital lives at the behest of Giant Megacorps.

I hope people finally realise what a terrible company Apple is and stop buying their products once and for all. I cannot understand why such atrocious decisions are magically forgotten when they release a new iPhone or a new Macbook. Every time there is a new Apple launch (service or product), it is almost always projected onto the front page of HN with hundreds if not thousands of upvotes.