Your Computer isn't Yours

[wanderingfool2]

11 minutes ago, Vitamanic said:

Relying on a database stored on local hardware is how security worked 20 years ago, not now. It’s excessively easier to compromise a locally stored file than it is to compromise Apple’s data center. 
 

This is how anti malware works. You and others are raging about it almost entirely because you don’t understand how modern security functions.

MITM if you can capture and manipulate the HASH.  In the case of local DB, you would have already had a way to get full read/write access, so you point is pretty moot running a check everytime you open an app.

 

It also lets ISP's etc potentially spy on you.

[Sauron]

35 minutes ago, Vitamanic said:

Relying on a database stored on local hardware is how security worked 20 years ago, not now. It’s excessively easier to compromise a locally stored file than it is to compromise Apple’s data center. 

That's bullshit. All major security software that I know of relies on periodic local database updates. If you think it's easier to compromise the database of a security software than to intercept and modify an UNENCRYPTED PACKET with an application hash you're straight up delusional.

38 minutes ago, Vitamanic said:

This is how anti malware works.

It really isn't and thank God for that. If it worked like that, none of it would ever work. Any security software that relies on a constant connection to the internet to detect threats and will just let you run whatever if there isn't one or, even worse, if it can't reach a specific server is absolutely terrible, let alone one that uses unencrypted packets to do it.

 

On top of that, location, date and user ID are completely unnecessary for simple security checks and sending the data EVERY TIME YOU RUN IT is absolutely ridiculous - the system can know when an application is updated or otherwise changes on the system, it only needs to send the data when that happens (if at all).

 

This is not an anti-malware, it behaves a lot more like DRM. So as far as I'm concerned, this IS malware in and of itself.

34 minutes ago, kelvinhall05 said:

Ok but the data they send should, at the absolute bare minimum, be encrypted and anonymized.

No need to walk it back, what they said is absolute nonsense.

[YellowJersey]

This is exactly why I switched to Linux back in 2015 when Windows 10 was being pushed hard.

[Jet_ski]

Is there any reputable/well known source for the claims here besides some guy’s blog?

[DrMacintosh]

This topic has been debunked:

https://blog.jacopo.io/en/post/apple-ocsp/

 

edit: Not necessarily “debunked.” It would be more accurate to say that the claims made by  Jeffery Paul are not accurate in most ways that impact user privacy. 

[DrMacintosh]

2 hours ago, Sauron said:

On top of that, location, date and user ID are completely unnecessary for simple security checks and sending the data EVERY TIME YOU RUN IT is absolutely ridiculous

You’re right, it would be ridiculous. Thankfully what’s described in the OPs source isn’t accurate. 
 

This is: https://blog.jacopo.io/en/post/apple-ocsp/

[kirashi]

On 11/13/2020 at 9:34 AM, kelvinhall05 said:

Did anyone really trust that Apple did what they claimed and respected the privacy of customers? Cause I sure as hell didn't, and I'm not surprised by this.

I'm not surprised either. Society should never blindly trust the word of anyone unless they're able to verify the facts for themselves. Zero Trust networks apply to a lot more than just computer networking, including news articles published by ANY entity, hardware & software, and even the words of your friends and family. 

 

Am I insinuating that one shouldn't trust anything unless they can verify it using one of the 5 sense's feeding their brain? If you want a fully secure world, yes, however, I also realize how unrealistic this sounds. It really boils down to how much you yourself individually are willing to trust other entities on the planet.

 

TL;DR: The only way you can verify the integrity of anything in life is with direct access to the source, otherwise it's really just the world vs. your skepticism.

 

On 11/13/2020 at 9:55 AM, dilpickle said:

OK but is there a better source for this news than someone's personal blog?

14 minutes ago, Jet_ski said:

Is there any reputable/well known source for the claims here besides some guy’s blog?

On 11/13/2020 at 10:18 AM, RorzNZ said:

I know I'm an Apple Fanboy, I'm going to need convincing more than someone's blog. Hardly a noteworthy source.

On 11/13/2020 at 1:04 PM, DrMacintosh said:

A personal blog is not a source btw. 

On 11/13/2020 at 12:42 PM, Spindel said:

Is it even worth mentioning that this is a thing you have to either opt-in or opt-out to when installing macOS?

If you chose ”share analytics data” this is what it will do. If you chose ”no” it won’t. 

 

 

 

 

 

19 hours ago, justpoet said:

Having worked inside the chocolate factory…this is NOT tracking analytics.

--SNIP--

I am one that likes privacy and not giving out data.  I'd like to be able to disable gatekeeper and similar in an easy way for extra assurance that somebody can't find a way to abuse the minimal data later (that any web server gets most of the same data as) as an attack vector.  But this is definitely NOT nefarious.

I applaud everyone above's sense of seeking out additional sources, however, I would hope you're all equally questioning any claims from Apple about what the OCSP data is used for as well. Remember, if you can't see how the data is being handled, you should not blindly trust Apple's words without additional sources.

 

On 11/13/2020 at 3:57 PM, Vitamanic said:

Oh my god... the amount of ignorance, melodramatics and unwavering belief in a random blog post here is astounding. Holy shit.

--SNIP--

This (very minimal) data isn’t being forwarded to the US government as OP suggests and isn’t being sold or given to anyone as per Apple’s privacy policy.

This thread needs to be taken down or locked, it’s wildly incorrect. 

22 hours ago, Vitamanic said:

There’s nothing to get away with. It’s a widely documented feature that’s been around forever. It’s their cloud based anti malware. There’s nothing sinister about it whatsoever.

 

 

 

 

While I will agree that certain aspects of this "news" are melodramatic (as are many sensationalist modern-day news stories), I don't see any ignorance here - in fact, I see users concerned with the safety & security of data that can potentially identify aspects of their lives they may not wish to be made public.

 

You're spot on that there is documentation about https://en.wikipedia.org/wiki/Gatekeeper_(macOS) since its release back in 2012. However, users are currently unable to verify how data is handled after it leaves their computer, so they cannot verify that the data is not used in a sinister way.

 

Your comment about the security of locally stored data vs. data stored by any company is factually wrong though. I can encrypt locally stored data on my PC using open-source encryption software I've compiled from source myself, but I have no way to see what happens to unencrypted OCSP data that leaves my system.

 

2 hours ago, Vitamanic said:

It’s excessively easier to compromise a locally stored file than it is to compromise Apple’s data center. 
This is how anti malware works. You and others are raging about it almost entirely because you don’t understand how modern security functions.

I don't believe people are raging about this because they don't understand modern security - in fact, I think the entire outrage stems from security conscious users beginning to question just how legitimate Apple's stance on privacy truly is. Advertising is one thing; how you actually handle what's advertised is another.

 

22 hours ago, NotTheFirstDaniel said:

Oh wait this is just GateKeeper? So basically like Windows Defender... Why was this such a big story then?

 

Then the only problem I guess is the lack of E2E encryption, and the fact that a down server can kill millions of devices across the globe. This shouldn't run every time you open a program. I could understand one check on an install, but how many times do you need to scan the same app?

While I don't fully agree with how overblown this story is becoming, I think it's caused by the amount Apple prides themselves on privacy and security. Other companies like Microsoft and Google are already well-known for collecting all sorts of telemetry data. People should be equally concerned about being the product whenever they use any services, free or paid, because advertising data is still one of the most valuable things in a capitalist world driven by consumerism. (Though this forum is NOT the time or place to get into politics.)

 

5 minutes ago, DrMacintosh said:

This topic has been debunked:

https://blog.jacopo.io/en/post/apple-ocsp/

Without access to the equipment transmitting or storing our data, there's no way we can be 100% certain said data isn't being mishandled. To be clear, if you're accepting that certain data may leave your computer that could identify you or your habits, that's totally fine - enjoy using whatever product you're using. Trust and transparency of data that can be used to identify things that some would prefer to remain private are the real talking points that people seem to be missing here.

[Bombastinator]

13 minutes ago, kirashi said:

I'm not surprised either. Society should never blindly trust the word of anyone unless they're able to verify the facts for themselves. Zero Trust networks apply to a lot more than just computer networking, including news articles published by ANY entity, hardware & software, and even the words of your friends and family. 

 

Am I insinuating that one shouldn't trust anything unless they can verify it using one of the 5 sense's feeding their brain? If you want a fully secure world, yes, however, I also realize how unrealistic this sounds. It really boils down to how much you yourself individually are willing to trust other entities on the planet.

 

TL;DR: The only way you can verify the integrity of anything in life is with direct access to the source, otherwise it's really just the world vs. your skepticism.

 

I applaud everyone above's sense of seeking out additional sources, however, I would hope you're all equally questioning any claims from Apple about what the OCSP data is used for as well. Remember, if you can't see how the data is being handled, you should not blindly trust Apple's words without additional sources.

 

While I will agree that certain aspects of this "news" are melodramatic (as are many sensationalist modern-day news stories), I don't see any ignorance here - in fact, I see users concerned with the safety & security of data that can potentially identify aspects of their lives they may not wish to be made public.

 

You're spot on that there is documentation about https://en.wikipedia.org/wiki/Gatekeeper_(macOS) since its release back in 2012. However, users are currently unable to verify how data is handled after it leaves their computer, so they cannot verify that the data is not used in a sinister way.

 

Your comment about the security of locally stored data vs. data stored by any company is factually wrong though. I can encrypt locally stored data on my PC using open-source encryption software I've compiled from source myself, but I have no way to see what happens to unencrypted OCSP data that leaves my system.

 

I don't believe people are raging about this because they don't understand modern security - in fact, I think the entire outrage stems from security conscious users beginning to question just how legitimate Apple's stance on privacy truly is. Advertising is one thing; how you actually handle what's advertised is another.

 

While I don't fully agree with how overblown this story is becoming, I think it's caused by the amount Apple prides themselves on privacy and security. Other companies like Microsoft and Google are already well-known for collecting all sorts of telemetry data. People should be equally concerned about being the product whenever they use any services, free or paid, because advertising data is still one of the most valuable things in a capitalist world driven by consumerism. (Though this forum is NOT the time or place to get into politics.)

 

Without access to the equipment transmitting or storing our data, there's no way we can be 100% certain said data isn't being mishandled. To be clear, if you're accepting that certain data may leave your computer that could identify you or your habits, that's totally fine - enjoy using whatever product you're using. Trust and transparency of data that can be used to identify things that some would prefer to remain private are the real talking points that people seem to be missing here.

One problem:

assumes a trusted avenue of information gathering: your senses.  Go to a magic show sometime.  They’ll show you how fallible that line is.   So what one is actually left with is nothing at all.

[eeeee1]

TempleOS is the way

 

[Bombastinator]

Just now, eeeee1 said:

TempleOS is the new way

 

I wouldn’t call it new.

[eeeee1]

Just now, Bombastinator said:

I wouldn’t call it new.

ok good point

[NotTheFirstDaniel]

45 minutes ago, DrMacintosh said:

This topic has been debunked:

https://blog.jacopo.io/en/post/apple-ocsp/

 

edit: Not necessarily “debunked.” It would be more accurate to say that the claims made by  Jeffery Paul are not accurate in most ways that impact user privacy. 

So this was a nothing-burger this entire time? 

 

I still do think this should've been in plain documentation, or like a support page. But I want them to change how this functionality works, or remove it. The entirety of a userbase should not be held up by a malfunctioning server.

[DrMacintosh]

6 minutes ago, NotTheFirstDaniel said:

So this was a nothing-burger this entire time? 

100% 

6 minutes ago, NotTheFirstDaniel said:

I still do think this should've been in plain documentation, or like a support page. But I want them to change how this functionality works, or remove it. The entirety of a userbase should not be held up by a malfunctioning server.

There certainly could be a different way to do what's currently being done. Ideally if the server that's performing the checks is down, nobody will notice anything since the Mac will just give up checking. That server being slow, not down, is what caused the issue. 

 

Opting out of this feature is a pretty bad idea, since as was noted in the link I posted, this is a critical part in how macOS detects malware. 

[Orange1]

6 hours ago, Sakuriru said:

Welcome to the 21st century where you're the product

 

There's always duckduckgo and ubuntu phone.

Grocery stores to

You think the products are on the shelves, no no you are the product. Like a herd of cattle.

Get out your Points Card or Air Miles card and shop away. 6' high, adult products, 4' high kids product, big shopping carts, moving product, fancy yellow and red price tags. Walmarts the king

[NotTheFirstDaniel]

1 hour ago, DrMacintosh said:

100% 

There certainly could be a different way to do what's currently being done. Ideally if the server that's performing the checks is down, nobody will notice anything since the Mac will just give up checking. That server being slow, not down, is what caused the issue. 

 

Opting out of this feature is a pretty bad idea, since as was noted in the link I posted, this is a critical part in how macOS detects malware. 

There's still some unanswered questions though.

 

I can understand why the site itself isn't HTTPS, but that doesn't mean the information itself can't be encrypted on machine and decrypted off site. Why does it pass through a VPN? How much is too much? No one likes this "big brother" type always watching to make sure you're safe. This is just a really shit implementation of something that anti-malware software have been able to do for years without this functionality.

 

Apparently other anti-malware solutions have been doing this, but that was opt-out. This isn't opt-anything.

[Orange1]

5 hours ago, Futr said:

Actually you can't. I have everything disabled yet still my mac sends that data to apple

They are sneaky, should be against the law but the politicians are paid off by the lobbyists.

[captain_to_fire]

3 hours ago, NotTheFirstDaniel said:

So this was a nothing-burger this entire time? 

 

I still do think this should've been in plain documentation, or like a support page. But I want them to change how this functionality works, or remove it. The entirety of a userbase should not be held up by a malfunctioning server.

There is a documentation. https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf

Privacy Policy: https://www.apple.com/legal/privacy/en-ww/

Analytics: https://support.apple.com/lt-lt/guide/mac-help/mh27990/mac

 

 

The last time I checked, this is how all antivirus applications work from Microsoft Defender to the Kaspersky solutions. The reason why they use this kind of telemetry is because it can innoculate many systems faster should "patient zero" gets infected by a new malware.

[bcredeur97]

computer is yours, just the software isn't. and never has been actually since pretty much all software follows a licensing model.

[Phoned_]

apple has been stalking people for years not even surprised by this

[justpoet]

4 hours ago, kirashi said:

I applaud everyone above's sense of seeking out additional sources, however, I would hope you're all equally questioning any claims from Apple about what the OCSP data is used for as well. Remember, if you can't see how the data is being handled, you should not blindly trust Apple's words without additional sources.

I saw how the data was handled.  Guess you didn't read the response very well.

[DrMacintosh]

2 hours ago, like_ooh_ahh said:

There is a documentation. https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf

Privacy Policy: https://www.apple.com/legal/privacy/en-ww/

Analytics: https://support.apple.com/lt-lt/guide/mac-help/mh27990/mac

 

 

 

The last time I checked, this is how all antivirus applications work Microsoft Defender to the Kaspersky solutions. The reason why they use this kind of telemetry is because it can innoculate many systems faster should "patient zero" gets infected by a new malware.

Wow, didn't realize it was going to be that easy to defeat the narrative that has been established here....

[kirashi]

8 minutes ago, justpoet said:

I saw how the data was handled.  Guess you didn't read the response very well.

Wait, you have access to both the Akamai CDN and Apple's data centre where the information is stored?

[DrMacintosh]

1 minute ago, kirashi said:

Wait, you have access to both the Akamai CDN and Apple's data centre where the information is stored?

You know you can just monitor the data as it leaves your own machine....right? 

[kirashi]

7 minutes ago, DrMacintosh said:

You know you can just monitor the data as it leaves your own machine....right? 

Correct, however, users have no insight into where that data goes after it leaves their machine. Companies can say whatever they want about how they use our data, but unless we can see proof that backs up their claims, it's their word against out skepticism.

[DrMacintosh]

3 minutes ago, kirashi said:

Correct, however, users have no insight into where that data goes after it leaves their machine. Companies can say whatever they want about how they use our data,

As was described in the article I posted....this "data" that Apple is collecting is completely useless in terms of identifying who you are. Apple checks developer certificates only when an app is installed or updated. Developer Certificates are incredibly generic things, they can't really be used to gather data about you other than "this machine installed/updated an app from this developer." Nothing in the Data apple gets involves a time of access, app name, or any info about what's being done with the app. It's literally just a malware check.