
Comment by Nevermark

2 months ago

This is that false dichotomy.

You can turn off all protection, as you point out. So who Apple markets Neo's to isn't a factor.

> Apple’s fault if nobody else decided to make their own trust repositories and the only alternative on the market is to have no safeguard at all.

Does Apple provide a means for enabling third party trust systems, without disabling Apple's protections in general? If not, that is a serious problem of Apple's choosing. Nobody (to a first order approximation) wants to dispense with Apple's protection, or re-implement it, but to be able to carve out exceptions for specific classes of software.

Sounds like you should pick something other than MacOS.

  • Right, all they need to do is convince every end user they’re trying to distribute software to that they’re using the wrong OS and should replace their MacBook with something running Linux. No problem at all.

  • I decided to get into this subject in my comment before I edited it out because I thought it would be too much of a tangent/ruffle too many feathers.

    But, yeah, macOS power users these days seem to spend a lot of time criticizing the OS and the company and never seem to just switch to something else.

    Apple is the 4th most popular PC manufacturer on the market. You can use something else. It's not a monopoly, nor a duopoly like with iOS.

    I switched to Linux, and I've been beyond shocked at how smooth it's been. It's been better than both Mac and Windows in more ways than I expected. And sure, not perfect, but still.

    • I can charitably believe this comment is not disingenuous, however, there are effectively two options, which are Windows and macOS, regardless of three manufacturers making more Windows machines than Apple at number four with Mac. I would call it an effective duopoly.


  • Unfortunately, your tone deaf comment is an HN cliche.

    1) People complain about the imperfections of what they love.

    2) Imperfections are highly unlikely to tilt the benefits from one device to another, given there are few device choices, devices have hundreds of other pros/cons, and people accrue years of familiarity and functional investment.

If you can enable a third party trust system you completely open it up for abuse. If I put my threat actor hat on, I love your idea because now I have an alternative codepath to try and exploit (where you do store third-party trusted roots for code-signing/notarization evaluations that cannot be tampered with, how do you load them, verify them, etc), but now instead of having to dance around bypassing Gatekeeper, I can just try and convince the user to install my certificates and voila, my malware behaves like a legitimate app.

Apple's root of trust for the OS and thus anything that passes AMFI/Gatekeeper scans is built into the hardware. There is no safe mechanism for introducing other roots of trust that is worth the effort.

If you don't trust Apple, why the hell are you buying their computers at all?

  • > If you don't trust Apple, why the hell are you buying their computers at all?

    This is the exact same false dichotomy they mentioned; it's perfectly reasonable to have a set of trusted software vendors that includes Apple but also some others, while the only choices that they support are either just Apple or literally anyone in the universe. You're conflating "trusting Apple" with "trusting no one but Apple" to make it sound like the opposite of the latter is somehow also contradictory with the former.

    Claiming it's "not worth the effort" is a lot easier when you've already muddied the waters like this.

  • > There is no safe mechanism for introducing other roots of trust that is worth the effort.

    Gee, if only Apple had a reason for implementing this entire feature for themselves…

  • > If you don't trust Apple, why the hell are you buying their computers at all?

    Well, you see, I quit buying Apple hardware. But I did buy this MBP M1 back in the day. It still serves me well, but now there is an insane US president who'd have no shame whatsoever to pressure Apple into pushing nefarious software (or, say, not fix a security bug or two).

    Also, another example. I got a second hand iPad Pro for my pre-teen daughter a couple of years ago. It is still on the original battery. Device still works though. It does not get iOS updates anymore though.

    Do you see where this is going? Regarding the latter: I should have root on an EOL product.