Comment by modeless
4 years ago
You've got to be kidding me. When Apple's servers are down, all Macs worldwide start freezing randomly? My XCode is hanging during builds, is this why?
This code signing enforcement stuff has gone way too far. Heads should roll for this.
That's correct. AFAIK Catalina will check online for everything, even binaries you compile yourself.
Microsoft Windows also uploads your private exe’s, and then runs them on Microsoft servers:
https://medium.com/sensorfu/how-my-application-ran-away-and-...
Holy Shit. That should be illegal. All it needs is one rogue employee to potentially steal trade secrets? And dont tell me MS employees never go rogue after the recent events...
3 replies →
TL;DR: It's an option that can be disabled, unlike on Mac. Also doesn't lock up your PC if Apple's network is having a bad day.
Is this how we look for the next Stuxnet?
wait what, how?
https://news.ycombinator.com/item?id=23281564
3 replies →
Wait what happens if you don't have an internet connection? Can Macs not be used offline any more, surely that's still a relatively common use case for a laptop even today in a lot of places?
My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.
I experienced this a couple of weeks ago. My wifi was up, but my internetprovider was down. My Macbook came to a halt. Nothing worked anymore. The whole machine was extremely slow. When the internetprovider came back up again, everything was fine again.
7 replies →
That still seems weird. Why does running unrecognized software become safe when you're off line?
28 replies →
Unfortunately there’s not a way to differentiate “we’re online but Apple’s servers are having issues — probably fine” and “we’re online and something something is preventing us from talking to them — something nefarious might be happening.”
6 replies →
On iOS, after a period of disconnection "the phone won't let you turn it on again until it goes online": https://youtu.be/BW32yUEymvU?t=1212
That sounds like it might just be a bug. At least, I wasn't able to find any information whatsoever on this phenomenon on Google.
I'm guessing this is to help trigger the wipe of stolen phones.
If you don't have a connection, it just doesn't do the check. If you have a crappy connection like many of our students, it takes forever to check. If the server is down, life just sucks and non-Apple programs don't open.
If you are connected to a network without an Internet connection, it just becomes unusable. Internet connection is somewhat unreliable in my area, and I had an internet outage that lasted for days during the COVID lockdown. I feared it was a malware infection causing the slow down. I switched over to Linux not long after.
Often when I would see this type of error it would be when something silently drops TCP packets (rather than sending a RST). This is one way to configure a firewall, and it's indistinguishable from high latency. Hence the difference in behavior. If the address was unroutable, or immediately closed the connection, it would fail quickly (and presumably for the OCSP check, it would be skipped immediately). But when packets are silently dropped, it's up to the client to decide how long to wait for an ACK, which might cause a hang.
I've seen an identical problem where Chrome would hang for minutes when loading sites, and it was because I was in a firewalled environment that was outright dropping packets to Chrome's OCSP server.
With Android is the same. I have an App Firewall on my Android phone and since then the standard Android gallery app does not work really anymore. A lot of things break, for ex. when I_ like to send a file with Threema, I have to go offline, choose the file and then go online again. Otherwise the file dialoge does freeze. It's just standard these days. Also a lot of things break, if you are just on a network without internet connection. Welcome in 2020.
That's why notarized applications should be stapled too. The stapling "ticket" is embedded in the app bundle and allows macOS to perform an offline check.
Basically you'll get the usual GateKeeper window, but with a slightly different message, along the lines of "I can't check this binary in realtime but I trust the embedded notarization".
Almost certainly so. Apple has built chains of certificate trust very deep into the OS, along with apparently an assumption that this particular revocation service check is reliable & fast enough to call out to the network a lot.
Oh man, imagining a DDOS to fail that over.
Imagine how many people would lost their productiveness, maybe not at the big corps or govt (I assume they use a version of mac that call somewhere else/don't). But very very many people.
Today I was late to join a corporate conference call. It took like 5 mins to start conferencing software.
First time ever I'm genuinely frustrated with apple - macs are not those unicorn tools anymore that work reliable
> Oh man, imagining a DDOS to fail that over.
That might be what we just saw happen.
SelfDDOS. The first ever.
This seems to explain why my Mac was nearly unusable after a reboot last week. Turns out bind crashed on my firewall leaving me with no DNS.
After I restarted it I could actually launch apps other than terminal again.
Code signing is an okay thing as long as the signing identities don't get discriminated. Android has had code signing ever since it was released, but you always generated the certificate yourself, and the purpose was simply to stop someone else from making an apk with the same package id that would install over yours and gain access to its data.
The thing Apple does, on the other hand, with trusting themselves more than the user, is disgusting. I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
Give me, the owner of the computer, over the keystore for the root certificates I trust, and code signing is great.
> I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.
As a libertarian I can see the argument for getting rid of presumptive copyright (and tanking the US economy), but the government preventing people from entering into contracts that you don't like? That's just hypocritical.
> but the government preventing people from entering into contracts that you don't like?
It's not that. Plain and simple: in an ideal world, more money shouldn't grant more power and immunity. Governments should disincentivize this growth into the sky by, for example, progressive taxation for companies. The world would be a better place if tech companies actually competed with each other by making better products, not trying their damnest to lock everyone into their walled gardens to earn even more money they have no clue what to do with. Currently, when choosing something like a computer or a phone, you just pick one that sucks the least. There's no healthy competition.
2 replies →
You need to set up your own DNS caching resolver and start selectively filtering out Apple domains. Pihole does that wonderfully. Ask your Apple geniuses whether they would help you setting it to make your Macs work.
"Heads should roll for this" - careful with the language. Nowadays you may get banned for preaching "beheading".
There's a non-zero chance that this bug has caused at least one death.
Scary, but most likely true.
Are you referring to Steve Bannon who said Dr. Fauci should be beheaded? Or something else?