There are two major somewhat misleading bits of buzz around macOS “phoning home” all of our executables.
1: among Windows, macOS and Linux only Linux distros don’t do such checks, and most of end-user Linux installations are arguably secure in spite of this—mostly because they are very rare and thus not a priority target for malware.
2: this only concerns files you launch. If you wrap your binary invocation in a shell script, that shell script’s hash will be sent, not your binary’s.
What does the author of the operating system phoning home have to do with Linux not being a target for malware? It seems like you're mixing up two different issues with this.
Phoning home in this case is done to check whether an app’s signed with a valid certificate. Not checking that opens user’s machine to attacks where malware successfully pretends to be an authentic trusted app, likely gaining access privileges (Keychain, etc.) granted to that app by the user previously.
Linux distros can arguably get away without these checks since their users are typically more aware of what they are launching, but importantly also because they are not as big a target due to smaller user bases.
There are two major somewhat misleading bits of buzz around macOS “phoning home” all of our executables.
1: among Windows, macOS and Linux only Linux distros don’t do such checks, and most of end-user Linux installations are arguably secure in spite of this—mostly because they are very rare and thus not a priority target for malware.
2: this only concerns files you launch. If you wrap your binary invocation in a shell script, that shell script’s hash will be sent, not your binary’s.
What does the author of the operating system phoning home have to do with Linux not being a target for malware? It seems like you're mixing up two different issues with this.
Phoning home in this case is done to check whether an app’s signed with a valid certificate. Not checking that opens user’s machine to attacks where malware successfully pretends to be an authentic trusted app, likely gaining access privileges (Keychain, etc.) granted to that app by the user previously.
Linux distros can arguably get away without these checks since their users are typically more aware of what they are launching, but importantly also because they are not as big a target due to smaller user bases.
3 replies →
Who is laughing at the Gentoo folks now ey?
Yes it is, but merely sending hashes doesn’t mean such a centralized repository exists. We need more information on the actual implementation.