Your Computer isn't Yours

[foldingNoob]

I want to have two computers. One that bot posts kitten pictures to facebook as I sleep and one that I actually use. Both using the same mac address and hardware profile. Surely it can be done. It would also be cool if i could make my phone constantly declare myself at home all the time.

[Spindel]

9 hours ago, Futr said:

Actually you can't. I have everything disabled yet still my mac sends that data to apple

Okok I might be wrong. I still run Catalina and has not seen any wierd activity in my logs. Of course I see my mac making connections out, but non of it has been strange and more if what I would expect when it is looking for updates etc (also I share analytics data with apple by choice). 

 

If we go about relativism, it is still dwarfed compared to the queries my wifes worklaptop does towards microsoft

 

(I run Diversion in my router so I get pretty good logs of all outbound queries in my network)

[RejZoR]

So, just by seeing what it's doing I've established correctly that it's the same thing as Windows Defender and SmartScreen on Windows. Heh, so much drama for nothing. I also remember it was talked about this quite some time ago.

[captain_to_fire]

5 minutes ago, RejZoR said:

So, just by seeing what it's doing I've established correctly that it's the same thing as Windows Defender and SmartScreen on Windows. Heh, so much drama for nothing. I also remember it was talked about this quite some time ago.

It is. It's a standard operating procedure for all security solutions to collect information on newly installed applications and how they perform once installed should they exhibit malicious behavior.

4 hours ago, like_ooh_ahh said:

There is a documentation. https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf

Privacy Policy: https://www.apple.com/legal/privacy/en-ww/

Analytics: https://support.apple.com/lt-lt/guide/mac-help/mh27990/mac

 

 

The last time I checked, this is how all antivirus applications work from Microsoft Defender to the Kaspersky solutions. The reason why they use this kind of telemetry is because it can innoculate many systems faster should "patient zero" gets infected by a new malware.

 

[Orange1]

Cant you setup a firewall to not allow pc to send out info and just allow your programs or internet through.

[TheSleeker369]

On 11/13/2020 at 10:00 AM, Tedny said:

so, what's news?! Someone finally has good prove of it? 

Check this out. Seems it is not just due to past beta versions like mentioned in the article/other thread. But I have to admit that I am not that into - lets call it - cyber security. Maybe someone can come up with a different option.

 

[Bombastinator]

15 minutes ago, TheSleeker369 said:

Check this out. Seems it is not just due to past beta versions like mentioned in the article/other thread. But I have to admit that I am not that into - lets call it - cyber security. Maybe someone can come up with a different option.

 

So dude that apparently normally does comedy stuff made an assumptive leap.  He goes further, after assuming a change other than the defeating of “little snitch” whatever that is, he accuses that the change is deliberate.  It’s still far far less data than basically all other companies acquire.  Whether that is still too much is another question.  The concept that “it’s not 100% perfect so it’s just as bad” is the same error being seen in a lot of areas lately.  The conflation of the definition of “some”

[jakeonlyfans]

 

[Bombastinator]

36 minutes ago, jakeonlyfans said:

 

That would be a big oof

[Don72]

I just watched a video from Louis Rossmann about MacOS Big Sur and it's "phone home" kind of spying on users -- especially with the new Apple silicon Macs.  Not that I solely use Mac, but I do use it for music / audio production, and I would love it if LMG could investigate this, once they get a new Apple silicon Mac.

The video I watched is here:
https://www.youtube.com/watch?v=aS2lJNQn3NA

[Tenelia]

On 11/14/2020 at 6:23 AM, kpluck said:

Sure. Check out Tidbits. Basically, much ado about nothing.

Yeah, I saw that on my feed first and sadly scrolled through a dozen others decrying Apple's privacy intrusion. As much as echo chambers exist, I do want to remind people to stop, think on the claims, examine the evidence, and process the logic across multiple references. Linus and team likes to remind us that this community should remain a drama-free and toxicity-free space, and such outbursts only serve to make things worse.

[RedRound2]

On 11/13/2020 at 11:01 PM, Statik said:

Summary

 

macOS has apparently always has always sent data, unencrypted through to apple (and in turn the US Government), and their latest update circumvents all programs that try to stop it, as well as any VPNs.

,

Quotes

 

My thoughts

Your lack of "online" privacy has apparently carried over to activity you do offline. I think it's safe to say there isn't anything you do ever, that isn't tracked, collected, monitored, shared, etc. It's spiraling out of control and it's very hard to manage. I really hope Linux becomes more viable in the coming years so I can completely make the switch from Windows.

 

Sources

https://sneak.berlin/20201112/your-computer-isnt-yours/

OP, hoepfully, you'll add an update to the article here

 

Apple has responded to the claims and updated their support documents to better explain what actually is happening 

https://9to5mac.com/2020/11/15/apple-explains-addresses-mac-privacy-concerns/

 

Quote

macOS’ process of using OCSP is a very important security measure to prevent malicious software from running on Macs. It checks to see if a Developer ID certificate used by an app has been revoked due to software being compromised or events like a dev certificate being used to sign malicious software.

Apple support document updated

Quote

Privacy protections

macOS has been designed to keep users and their data safe while respecting their privacy.
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.

Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.

These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

In addition, over the next year we will introduce several changes to our security checks:

*A new encrypted protocol for Developer ID certificate revocation checks
*Strong protections against server failure
*A new preference for users to opt out of these security protections

 

And an independant developer has investigated this issue

https://blog.jacopo.io/en/post/apple-ocsp/

Quote

More details about Apple’s use of OCSP have been shared by cybersecurity researcher Jacopo Jannone. He says that macOS isn’t sending a hash of each app to Apple when they run and explains why the industry-standard OCSP doesn’t use encryption. Further, he says Paul’s analysis “isn’t quite accurate” and importantly notes that Apple uses this process to check and prevent apps with malware from running on your Mac. 

To quote some excerpts from his blog

 

Quote

OCSP stands for Online Certificate Status Protocol1. As the name implies, it is used to verify the validity of a certificate without having to download and scan large certificate revocation lists. macOS uses OCSP to make sure that the developer certificate hasn’t been revoked before an app is launched.

 

As Jeff Johnson explains in his tweet above, if macOS cannot reach Apple’s OCSP responder it skips the check and launches the app anyway - it is basically a fail-open behaviour. The problem is that Apple’s responder didn’t go down; it was reachable but became extremely slow, and this prevented the soft failure from triggering and giving up the check.

 

To make things worse, it is common for OCSP to use HTTP - I’m talking about good old plaintext HTTP on port 80, none of that HTTPS rubbish. There is usually a good reason for this, that becomes especially clear when the OCSP service is used for web browsers: preventing loops. If you used HTTPS for checking a certificate with OCSP then you would need to also check the certificate for the HTTPS connection using OCSP. That would imply opening another HTTPS connection and so on.

That's the intro ^. He has a further deeper dive on how it works and why it does what it does. But I'll also post the TLDR from his blog below

 

Quote

• No, macOS does not send Apple a hash of your apps each time you run them.
• You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text on your network.
• You shouldn’t probably block ocsp.apple.com with Little Snitch or in your hosts file.

 

[DrMacintosh]

Told y’all it was a nothing-burger

 

[Intergalacticbits]

Personally I wouldn't care about them collecting all that data if they would just do things I liked.

 

What is funny is that I always hear about all these algorithms and all this data that is supposedly collected. People saying how they know everything about you.

Yet half the time when I'm looking for movies to purchase on itunes it shows me a giant load of stuff on sale that I hate and would never even watch if it were free. For example for months before my last purchase it kept showing me movies of every kind that were just awful but almost no science fiction movies. Even though about 95 percent of everything I like and watch is science fiction.

Same with the music most of the time.

My experience on my iPad more often then not makes me think that apple doesn't know anything about me lol.

 

What I also find frustrating on the other side of the OS universe, windows 10. Is that it gives me the impression that it collects a bunch of data on everything I do yet it doesn't do or look anything like I would like it too.

It doesn't let me change the look of it or the behavior of it in any way to what would please me.

 

I'd like them to pass a law in the US that says if you want to collect data from people you have to give them stuff they want for it in the Operating systems.

I mean should we get something out of it?

 

 

[Fnige]

5 hours ago, Intergalacticbits said:

I'd like them to pass a law in the US that says if you want to collect data from people you have to give them stuff they want for it in the Operating systems.

 

i doubt that would be easily enforceable

[Chad the Hamster]

Apple's goal is to trap their users in their ecosystem of tech, force them to waste their money to buy their items, and all the while, taking and sending back user's data. Once you join apple you can't leave them, and if you try to it's very difficult. Lets be honest its not Apple doing this to their users, probably other companies as well, but I personally prefer Android because you can make your online activity more private. 

[Bombastinator]

1 hour ago, K4BOOM said:

Apple's goal is to trap their users in their ecosystem of tech, force them to waste their money to buy their items, and all the while, taking and sending back user's data. Once you join apple you can't leave them, and if you try to it's very difficult. Lets be honest its not Apple doing this to their users, probably other companies as well, but I personally prefer Android because you can make your online activity more private. 

Turned out it wasn’t that way.

[BuckGup]

16 hours ago, K4BOOM said:

Apple's goal is to trap their users in their ecosystem of tech, force them to waste their money to buy their items, and all the while, taking and sending back user's data. Once you join apple you can't leave them, and if you try to it's very difficult. Lets be honest its not Apple doing this to their users, probably other companies as well, but I personally prefer Android because you can make your online activity more private. 

That's not true lol

https://arstechnica.com/gadgets/2020/11/mac-certificate-check-stokes-fears-apple-logs-every-app-you-run/

Here you can read up what actually is happening instead of fanboy bandwagon pitch forking fear mongering anything related to Apple Bad Apple No Good Apple Evil

[dilpickle]

/thread

 

Now you know why we were asking for a better source.

[BlueChinchillaEatingDorito]

On 11/13/2020 at 10:00 AM, PCGuy_5960 said:

To be entirely fair, the only reason why people say that Apple respects your privacy is because Microsoft and Google are even worse (and by a lot).

Exactly what I was thinking. Either you take a bone up the arse from Apple or take an entire tractor trailer up the arse by Microsoft or Google.