> I would strongly recommend anyone who thinks their system is sluggish to [disable SIP]
I’m very glad this advice has been as niche as it has been. It’s awful advice unless you really know what you’re doing and why you’re doing it.
Anyway, I still run 10.15 daily and the only thing that I’d call slow by design is the thermal design of the laptop it runs on. Even so I think just thoroughly clearing dust out of it gave it at least another few more years of being a pretty decent laptop.
Apple really needs to do something about the slow-start problem though. Even on my shiny M1 Mac with Monterey it sometimes takes several seconds to start a tiny executable. What's the point of developing new faster CPUs if it takes the software guys just a few months to undo all the hardware progress?
"What's the point of developing new faster CPUs if it takes the software guys just a few months to undo all the hardware progress?"
Nice you found out and mention it here.
It has been like that since new-generation x86 CPUs provided compatibility with the previous generation at higher speed... Pushing an incalculable number of tons of perfectly working hardware to the trash, most of the time to keep executing the same tasks with updated software.
When the software performance/optimization declines, the hardware is accused of being too old. Even if hardware speed never declines with age. I understand we need new hardware for new usage; but not for a new version of Windows, Office or MacOS.
I wonder if you’re encountering MacOS’ Gatekeeper malware checking being slow to communicate with Apple’s servers. My understanding is it checks the app every time you launch.
This is a misreading of the linked document. Disabling SIP is permanent until re-enabled. That's why the document is warning you to only disable it temporarily and then re-enable it. The warning wouldn't be necessary if it automatically re-enabled.
"Warning: Disable SIP only temporarily to perform necessary tasks, and reenable it as soon as possible. Failure to reenable SIP when you are done testing leaves your computer vulnerable to malicious code."
Why is it horrible advice? It’s equivalent to telling someone to use Linux, which doesn’t have SIP either.
SIP is personal preference. Personally I find that Mac OS is too buggy with SIP enabled. I had an issue where disk space was disappearing into a directory that was hidden by SIP, because the OS was leaking update images.
> Why is it horrible advice? It’s equivalent to telling someone to use Linux, which doesn’t have SIP either.
These two OSes have very different types of user and attacker (speaking in generalities), and thus different security trade-offs during design.
The main risk with Mac is that someone downloads a “Mac cleaner” or something similar which installs malware, or that malware is hidden in a legitimate looking app, and this is what SIP protects against. Even informed power users can make these mistakes - it only takes downloading one compromised utility!
IMO for most ‘home’ use where it is used as a main OS by a person without too much familiarity with computers, Ubuntu and many Linux distros are probably less secure than Mac - for instance the average user is conditioned to run random terminal commands they find on the internet and give them sudo permission. Obviously I’m excluding the majority of use-cases such as routers, consoles, tvs, servers where users access to the underlying OS is heavily restricted.
Okay sure I agree that my parents shouldn’t turn off SIP, not that they would know how to. But in this case the advice comes from Allan Odgaard, the author of TextMate, on a blog called SIGPIPE. A certain amount of technical expertise can be assumed from the audience.
I know we like to think we are all unique and invulnerable to these attacks, but technical people still manage to download dodgy software out in the wild.
Plus, some categories of technical users like sysadmins are probably the worst possible people to disable SIP because even though the probability of attack is much lower, the potential impact is orders of magnitude higher.
I always ignore spam text messages, but got a phishing message made to look like a USPS update about 2 months ago that almost fooled me because I had a legitimate package that was missing. I clicked the link, and even entered my email address in the landing page form and was about to enter credit card details for a $2 ‘redelivery’ charge - which I was also primed for because I’d recently paid USPS a similar amount to redirect my mail after moving.
I was creating a one-time use virtual card to make the payment when my thoughts caught up with me and I realized it wasn’t a legitimate page.
Ergo using Linux is irresponsible? It’s the double-think I have a problem with.
Either 1) we say that Mac-using developers are stupider than Linux using-developers, and it’s irresponsible for Mac-using developers specifically to turn it off.
Or 2) we say that Linux is “horribly” insecure and it’s irresponsible for developers to use Linux whatsoever and they should go out and buy a Mac immediately to save themselves.
Or 3) we say that Mac-using developers are not stupider than Linux using developers and it’s fine to turn it off if they want.
> I know we like to think we are all unique and invulnerable to these attacks, but technical people still manage to download dodgy software out in the wild.
Good old Apple, slowing my(?) computer down daily to protect me from myself.
Does anyone tally attacks by type? I suspect most successful attacks against sysadmins are via social engineering/XSS/token stealing on their perfectly uncompromised machines rather than malware.
Measures like SIP force application developers to create workarounds that compromise system security even more. Remember the recent Zoom vulnerability where they created a special service to autoupdate Zoom? If the system is too restrictive, developers will try to punch holes in it to accomplish what they need.
> Measures like SIP force application developers to create workarounds that compromise system security even more. Remember the recent Zoom vulnerability where they created a special service to autoupdate Zoom? If the system is too restrictive, developers will try to punch holes in it to accomplish what they need.
That wasn't related to SIP, so I don't think we can just throw random unrelated security issues against SIP to justify it being a bad thing.
Besides, is the moral of the Zoom story really that application developers should be given unfettered access to the OS and the freedom to do whatever they want? It sounds like the opposite - an example of exactly why security has to be built into the OS and can't be left to companies like Zoom.
This is exactly why I use Linux. There is nothing subversive going on behind the scenes. My system trusts that I know what I'm doing and that's why I like it.
Also on Windows, the first thing I do is disable the Windows Defender. And believe it or not, I haven't had any viruses for as long as I can remember using computers.
On the other hand, half a year ago I investigated a compromised macOS system at work where the user clicked a wrong button on some innocent-looking dialog and ended up with a rogue extension in Google Chrome which was not possible to uninstall. Why didn't SIP prevent that from happening?
> On the other hand, half a year ago I investigated a compromised macOS system at work where the user clicked a wrong button on some innocent-looking dialog and ended up with a rogue extension in Google Chrome which was not possible to uninstall. Why didn't SIP prevent that from happening?
Because a Chrome extension is not part of the system. The clue is in the name, System Integrity Protection. Were Chrome extensions something that interacted with the kernel, or other system functions, you'd have a point. Arguably XProtect could've kicked in, but nowadays I would expect the software running the extension to have reasonable protection against that sort of thing.
> Also on Windows, the first thing I do is disable the Windows Defender. And believe it or not, I haven't had any viruses for as long as I can remember using computers.
I have a Windows 10 (Windows 7 -> 10 upgrade) machine with 10+ years of operation, and Windows Defender has never caught or warned me about anything.
So either:
1. I never downloaded malware
2. Windows Defender is useless and doesn't catch anything.
Well, you can easily find out if it's detected anything by checking its history, as opposed to having no idea if you have any malware whatsoever - which is what you're advocating for with this stance.
So if I’m a soldier in Ukraine, you’re suggesting I check my bullet proof flak jacket to see if there are any bullet or shrapnel impacts, and if not I should ditch it?
Linux doesn't have SIP, or Gatekeeper, or XProtect, but you know it doesn't have any of those features. The developers know it doesn't have any of those features, so the absence of those features is part of the attack surface that the vendor (in this case the Linux OSS community) is aware of in the threat model.
If you have SIP disabled, no-one is trying to solve any problems that this causes for you. Anyone writing malware to target a SIP-disabled system knows Apple isn't trying to patch those issues because having SIP disabled is not a valid system state they're trying to protect. There won't be patches for you, and given that it's closed source, it's not like you can fix it yourself.
> I don't think that running malware on your computer is a good idea. Just don't do it.
I don't think that having vulnerabilities on your computer is a good idea. Just don't do it. /s
> SIP does not solve any problems.
Of course it does. We might disagree with the tradeoffs it's making, it might not be worth it at all, it might be a wrong approach from the start. But saying it does not solve any problems is disingenuous at best.
I don't think dying from cancer is a good idea. Just don't do it.
SIP absolutely solves a specific problem. It prevents rogue software from writing to protected areas. Whether that matters to you is your business, but to suggest no-one else should want to prevent any old homebrew package or DMG installing a keylogger is a bit silly.
It's disabled until you manually re-enable it. That documentation page's wording suggests otherwise, but that seems to just be an artifact of trying to really hammer in the advice that you should only keep it disabled temporarily.
> The main task of SIP on Mac is to protect the safety and integrity of the system files and directories, preventing them from modifications or attacks from unauthenticated processes. It brings a high level of security to the entire system.
I’m not sure I'd say disabling it is terrible advice, but the feature is useful. These files are still protected by standard root access, but I suppose the issue was people getting tricked into copy-pasting things into bash and typing their password in. Or maybe GUI apps asking for admin and doing bad things.
The feature has only existed for around 7 years and macOS wasn’t horribly broken before that time.
Those interested in blocking the check should look at this list: https://support.apple.com/en-us/HT210060 and block the IPs associated with notarization. It is possible to do that with pf, which is integrated in macOS, but it should be done after every update since the pf.conf file will get overwritten.
But their server-side list of malware is always growing. So it could be valuable to recheck that list. I'm not sure how valuable, but it does have minor upsides. Of course:
1. If you have run it in the past aren't you already screwed? Maybe this can effectively "disarm" otherwise entrenched malware?
2. Could they track the list of signatures that you have asked about in the past $timeframe and your system can frequently check for newly flagged signatures? This would allow longer caching without high delay until new blocks take effect. (Similar to moving from OCSP to CRLs)
With control over the whole stack like Apple has, it might be easier to just store a bit on the file system level after checking a binary, and if the file is modified, to reset it.
But I guess with how fast computers and storage are today, it's probably easier to recompute the hash every run. My desktop can do SHA-512 at 1 GB/s (`openssl speed sha512`), which is fast enough to be imperceptible for 99% of binaries.
Anyway, I thought OP meant Ventura sends the hash to Apple's server every run. That would be far too expensive to be reasonable.
Any slowdown wouldn’t be due to CPU speed, but to disk speed.
To compute the checksum you have to read the entire executable, but to execute it, you only have to map the parts that are needed at startup into memory.
That, I think, is the reason Apple didn’t do this at every process launch before: their OS supported (too many) systems that booted from a spinning disk.
Do you have a source on that? If I recall correctly one of the main problems mentioned in the article are synchronous security checks, and as far as I can tell these are still an issue. First time launches of apps still cause random delays, I just experienced them with macOS Ventura beta.
And if you don't add Terminal to the developer tools in Security preferences you still get slow performance for scripts.
Gatekeeper will still call out to Apple servers if the app doesn't have a stapled notarization ticket in it. However, basically any app released in the last few years will have such a ticket, so you shouldn't experience such delays unless you happen to use a lot of unmaintained or unsigned apps. The server polls are a backwards compatibility fallback.
> The server polls are a backwards compatibility fallback.
This is not true. Gatekeeper will phone home regardless. The stapled notarization tickets are actually the fallback, in case the server check fails for some reason, such as no internet connection.
Remember that notarization tickets can be revoked by Apple! In fact, security researchers have found many instances of notarized malware. Notarization is no guarantee against malware. A notarization ticket just says that the app was validly signed, and that Apple checked the app for malware at the time and didn't find any. At the time. Malware checks are improved. Malware is found after the fact.
Are you sure? Perhaps it changed at some point - that could be the case. Apple employee Quinn "The Eskimo" states clearly here that the network check is done only if not stapled:
Apple can revoke tickets without synchronously checking on every first launch. Mac malware isn't that common, so they could easily use a CRL pushed to clients (for example) on a regular schedule.
It can also be verified visually. Download a notarized stapled app, disable your internet connection, and launch the app. You'll see a Gatekeeper dialog like this:
"Safari downloaded this file on [date]. As of [date], Apple checked it for malicious software and none was detected."
Notice "As of [date]".
Then press Cancel, re-enable your internet, and launch the app again.
This time "As of [date]" is gone! It's phoned home to check.
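The two comments above disagree about which check is the fallback: the online ticket lookup or the stapled notarization ticket. The following is an added model, not Apple's code and not from the linked article, that implements both orderings as a policy switch so the observable consequences can be compared: what the dialog shows offline, and whether a later ticket revocation reaches an app that already has a stapled ticket. Every name, cdhash and date in it is constructed for the example.

```python
"""Toy model of two possible Gatekeeper launch-check orderings (added example).

"online_first": ask the ticket server on launch; use the stapled ticket only
                when the server cannot be reached.
"stapled_first": accept a stapled ticket without contacting the server.
Neither is claimed to be Apple's actual implementation; all data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class App:
    name: str
    cdhash: str                      # constructed stand-in for the code hash
    stapled_as_of: Optional[date]    # date on the stapled ticket, None if unstapled

@dataclass
class NotaryServer:
    """Simulated ticket service: issued tickets plus a revocation set."""
    known_tickets: dict              # cdhash -> issue date
    revoked: set = field(default_factory=set)

    def lookup(self, cdhash):
        if cdhash in self.revoked:
            return ("revoked", None)
        if cdhash in self.known_tickets:
            return ("ok", self.known_tickets[cdhash])
        return ("unknown", None)

@dataclass
class Verdict:
    allowed: bool
    source: str                      # "online", "stapled" or "none"
    as_of: Optional[date]            # the "As of [date]" shown when a stapled ticket was used

def assess(app, server, online, policy):
    """Decide whether an app may launch under the given policy and connectivity."""
    if policy == "stapled_first" and app.stapled_as_of is not None:
        return Verdict(True, "stapled", app.stapled_as_of)
    if online:
        status, _issued = server.lookup(app.cdhash)
        if status == "ok":
            return Verdict(True, "online", None)      # live check: no "As of" date
        if status == "revoked":
            return Verdict(False, "online", None)
        # "unknown": fall through to whatever is stapled
    if app.stapled_as_of is not None:
        return Verdict(True, "stapled", app.stapled_as_of)
    return Verdict(False, "none", None)

# Constructed sample data
STAPLE_DATE = date(2022, 1, 10)
SAMPLE_APP = App("ExampleApp.app", "cdhash-constructed-0001", STAPLE_DATE)
LEGACY_APP = App("OldTool.app", "cdhash-constructed-0002", None)   # never notarized

def make_sample_server():
    return NotaryServer(known_tickets={SAMPLE_APP.cdhash: STAPLE_DATE})

def run_scenarios():
    """Return {(scenario, policy): (allowed, source)} for the cases argued in the thread."""
    results = {}
    for policy in ("online_first", "stapled_first"):
        server = make_sample_server()
        v = assess(SAMPLE_APP, server, online=True, policy=policy)
        results[("first launch, online", policy)] = (v.allowed, v.source)
        v = assess(SAMPLE_APP, server, online=False, policy=policy)
        results[("first launch, offline", policy)] = (v.allowed, v.source)
        server.revoked.add(SAMPLE_APP.cdhash)          # ticket pulled after the fact
        v = assess(SAMPLE_APP, server, online=True, policy=policy)
        results[("ticket revoked, online", policy)] = (v.allowed, v.source)
        v = assess(LEGACY_APP, server, online=False, policy=policy)
        results[("unstapled app, offline", policy)] = (v.allowed, v.source)
    return results

if __name__ == "__main__":
    for (scenario, policy), (allowed, source) in run_scenarios().items():
        print(f"{scenario:24} {policy:14} allowed={allowed} via {source}")
```

Under "online_first" the offline launch is the only case that reports a stapled date, matching the dialog difference described above, and a revocation takes effect on the next online launch; under "stapled_first" a revoked ticket keeps working until some other mechanism (such as a pushed revocation list) reaches the client. An unstapled app with no connectivity is refused under both policies.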
It's not underlined in the article, but for anyone who didn't follow this issue while it peaked: the root cause was (still is?) a notable delay when contacting Apple's servers to enquire about fingerprints of an executable that was about to launch, for anti-malware purposes. There were loads of reports that the problem disappeared entirely by just disabling Internet access, an obviously unideal solution.
The article is a bit misleading I think, since the check only happens on startup; a lot of people won't start up new apps on the regular. Developers probably do though.
Another observation that went missing from the discussions around this problem is that it pans out differently (worse) for people in North America than it does for European users. Apple's various CDNs are far from equally encumbered. Reports from North American users held numbers well beyond those reported by European users. For me here in Sweden the problem was at its peak no more than a lesser annoyance. Not once did I observe anything near the dredging 5-30 second delays that North American users reported, and the recurring 2-3 seconds long system freezes never manifested for me at all.
Is this why my iOS devices have been running smoother since I changed my ISP to something much better? I used to have issues with all my iOS devices where they just felt sluggish in general, doing non-internet-related tasks too. Now that I have upgraded my ISP everything is just snappier. Just launching apps is faster. This isn’t the first time this transition has happened for me. I’ve been moving a lot in the last few years and different places have different quality ISPs. Every time I have a good ISP all my Apple devices feel better.
I remember reading an article once where they said SIP sends the hash of the application in the clear. This allows your ISP to track known application hashes you have installed. Unsure if this is still accurate.
It does, but it is the hash of the developer’s certificate. For most developers, this uniquely identifies the single application they publish. If you launch a unique constellation of apps then it uniquely identifies your machine.
Apple committed to sending this OCSP check not in plaintext within a year, but that was more than a year ago.
When I upgraded my fully maxed-out 2019 16" MBP from Catalina to Monterey, the every-day performance of my computer took an absolute nose-dive. It's been a complete nightmare, and has significantly soured me on Apple. Right now, the biggest lingering issue is that if my laptop is on the integrated GPU, typing performance is so laggy that it's excruciating to type anything. So far, the only response has been to just disable automatic graphics switching, meaning battery life is reduced by about 3-4x. It's just unbelievable how bad this has become. I spent hours with an Apple senior support engineer (or whatever they are called), and all he could do is go "dang that _is_ bad, I'll file a bug." Yet the problem still persists.
My maxed-out 2019 16" MBP was always a dog. The 2016-2019 Intel MBPs suffered from an inability to cool themselves (esp. with dual external displays) and were just overly complex. I think the combination of the Intel CPU, discrete GPU, and T1/T2 controller just made for an overly complex and crash prone system. Mine had this weird issue where touchpad and keyboard input would periodically experience some kind of deadlock. I could trigger this using the calculator app. Enter 42, +, 23, and press =. The results would not show up until I would move the mouse or tap a key on the keyboard.
I traded the 2019 MBP for a 14" M1 Pro as soon as I could and haven't looked back. This machine is great.
Hopefully they can fix it. I had that model for work (the i7, though) and it was better for me but it still greatly struggled with heat management with a normal office workload (video call, editor, some documents, browser.)
The corollary is that macOS’ increasing reliance on GPU all over the system is really nice on Apple Silicon, where they don’t need to make such a stark trade-off between GPU power and battery, and can scale usage smoothly.
This is getting stupid now. I don't care what it's for, I want to make this very clear for anyone at Apple, so read this next bit aloud, ok: I DO NOT WANT YOU TO SEND ANYTHING ON MY COMPUTER TO YOUR F***G SERVERS. As a professional, I will never buy a Mac and will refuse to use one for work so long as this walled garden horseshit continues. I'm not against signature protection, but it should be entirely local. You don't need to know what is on my computer or what I'm doing with it.
The component responsible for all the notarization nonsense and entitlements enforcement is not SIP, it's AMFI. You can disable it too with a kernel argument, I don't remember it exactly but it's something like "--amfi-get-out-of-my-way". This will reduce the security of your system approximately to that of Windows.
What a nightmare. My previous two jobs had me use macOS, specifically Macbook Pros, and it was a nightmare. Slow, difficult to even use the computer due to all sorts of hidden behaviors and blocks, and a terrible mess when it came to my external monitor, webcam, keyboard, and mouse (from major brands in Dell and Logitech). I got to choose for my new job and chose Windows, and it's night and day in terms of productivity.
I get 2 computers at my work, one Windows, one Linux. I do not bother to open the Windows one unless I need to use some obscure feature of office programs. The development work runs completely in Linux.
Privately I have a Mac, after 20 years of saying "Mac is BAD (TM)". I bought a Microsoft Surface, because I said "it's not that the SW is bad, the problem is the HW is not from the same company"... 6 months later, I ditched the Surface, bought an iPad, one month later an iPhone, 3 months later a MacBook Pro. No way I would privately go back to Windows.
At work, the people who got the MacBook Pros were not happy, but mainly because of bad integration with the Microsoft ecosystems around them.
For all intents and purposes, a M-Series MacBook running Parallels is the best Windows laptop you can buy. I say this as a Windows productivity maximalist.
It’s 2022 and Windows touchpads and touchpad drivers don’t hold a candle to my 2011 MacBook.
- Mac touchpads have near-perfect wrist detection so you almost never get an errant input.
- There is virtually no input lag. It’s especially crucial when scrolling long pages. On a Mac, you can flick the touchpad and the page will scroll all the way down.
- Furthermore, they perfectly recognize up to 10 fingers. There’s a lot of great software that allows you to set shortcuts to different mouse gestures like 3-,4-, 5-finger swipes, tip-taps, and more.
- There’s a really smooth acceleration curve that allows you to be extremely precise with the mouse while also allowing it to span great distances when needed.
Like the other poster said, there are so many subtle differences that amount to a gargantuan delta between the two experiences.
I don't know what "wrist detection" is. Nobody puts their wrist on a touchpad anyway; there is simply no practicable way to do that when operating a laptop, even when trying to!
I don't perceive any lag on either my ThinkPad or my admittedly crappy Dell laptop on Linux when scrolling anything, and I don't recall having felt a significant difference with Windows when it was last fired up or on Mac laptops I tried in the past. Most of the difference usually came from a difference in the speed and acceleration settings, but these are configurable.
Can't speak about gestures because that is something most people don't use.
Most people don't use gestures in the windows ecosystem because neither Windows, nor its OEMs have put any effort into making them useful or supported. Apple did both, and then apps like BetterTouchTool took it even further.
The wrist detection on the mac is okay (orders of magnitude better than my HP), but definitely not perfect. But, it's worse or similar to the one on Lenovo.
The acceleration is okay on the touchpad, but the fact that it carries over to the mouse as well is an abomination.
Fair enough - I will admit to finding plugins for chrome and the like for gesturing, so I can see how that's useful if it's unified across many programs in the Mac ecosystem.
You can’t specifically point things out. It’s just a general “doesn’t feel right”.
Some specific issues I have seen, though, are a general lack of responsiveness or missing the first bit of movement, and no gestures or gestures that just don’t work as well.
I’d say that a Windows 11 computer running WSL2 is the best computer you can buy. Benefits of a high-level OS with seamless integration with real Linux.
I only ever miss two apps from macOS: Preview and LaTeXiT.
I’m not a designer. I use a trackpad full time, even on desktop (on macOS).
For me, it’s a couple of things. First, gestures are awesome and not easily reproducible with a mouse. My keyboard is full of shortcuts for other things, I don’t want to take up hotkeys for something my trackpad can do.
Second, it’s consistent across all my computing devices. My laptop experience is identical to the desktop experience and I don’t have to carry a mouse in my backpack for my laptop.
Finally, my hands are closer, and on the same plane, as my keyboard. With a mouse, my hand has to move from a small claw shape back to flat for typing. With a trackpad, my hand stays flatter.
Bonus, I need less space for computing. I know you can adjust the sensitivity for mice, and even for trackpads, but in practice, for me personally, I tend to need way more space when using a mouse. I still play computer games so it’s not like I don’t own one, but for productivity, I’ll use a trackpad when possible.
I respect your experience if indeed this is it. And of course it has to do with what you're used to.
For me the experience has been the opposite. I could never get used to things not working fluidly enough. When I finally decided to embrace the level of integration apple devices provide, the world of pain that windows was to work with eased up a lot. Windows seemed a patchwork of things cobbled together with no real coordination, parts that don't work very well together, and messy visual/interaction design where the users' point of view hasn't been a priority.
I used a MacBook all through undergrad, grad school, and a few years into industry. I eventually moved to Windows after being tired of dealing with Apple-isms. The simple fact though is that macOS and/or the MacBook Pros I used for work simply could not handle my Dell monitor and Logitech peripherals, and that was with dedicated GPUs. And Apple often intentionally makes this so. For example, macOS does not support adjusting the brightness or volume on an external monitor unless it is an Apple monitor or one of two LG monitors they sell in the Apple Store, neither through the keyboard nor directly in the OS. This is because Apple refuses to implement a protocol to support this. Neither MacBook Pro could drive my monitor without the clamshell closed.
My Lenovo Thinkpad doesn’t even have a discrete GPU and drives my monitor fine, much better than the $2,000+ MacBook Pros I had.
There are concrete things that just do not work on macOS or, if they do work, not work well.
Lastly, macOS is a compromise in two wrong directions. One is that it’s not Linux, so the Unix experience is compromised and dealing with Homebrew is a pain. I constantly had trouble with asdf and other Linux tools on macOS that I never have issue with in WSL on Windows. It seems any tool on macOS needs several workarounds. That doesn’t exist on Windows for development tools because I directly use Linux through WSL. Then I get to use Windows for everything else, which has much more stable driver support. The other direction is macOS, which keeps moving towards a locked down, mobile-like experience.
Well for one, Linux isn't Unix. You'd know this if you ever lived through the treachery that was Proprietary Unix e.g. Solaris, HP-UX, IRIX. The maladies of the "Unix Experience" as you termed it is why people migrated to Linux. So you can consider macOS as carrying on the tradition that was the proprietary Unix shitfest.
My job forced me to use Windows, and it is terrible for my productivity and whatnot. One day, one of the screens stopped working when in use with dual displays; another day the fingerprint reader stopped working for log-ins, but still works for the first half of setting up a new fingerprint. I can't even charge my headphones without special drivers!
Look. We all have our pet peeves with OSs, but they are not relevant to TFA
I had the same issue. Got the new MacBook M1 at work, and could not use any of my USB keyboards or mice. I asked for an adaptor and it comes with one USB port only :(
Also this laptop keeps giving me static shocks. I never had issues with pre-2015-era MacBooks, which I think were pretty good.
The static shocks have been an issue for over a decade. My 2011 MacBook Pro had the same issues, and I recall at the time discovering several reports of that and grounding issues on the forums. It’s a common theme in Apple’s history. Another is Bluetooth problems. I don’t think I have ever had a MacBook that didn’t have issues with streaming audio over Bluetooth.
> I don’t think I have ever had a MacBook that didn’t have issues with streaming audio over Bluetooth.
Conversely, to supply one Gladwell's worth of anecdata, I've never had a MacBook (in 10+ years) that has had any issues with streaming audio over Bluetooth (several TaoTronics dongles, standalone speakers, PLT headphones, Aftershokz headphones, etc.)
I like how most of the things that slow things down are actually really nice and important security features that you should keep enabled for the normal user. This article feels like a blog from 2007 recommending ccleaner to “speed” up windows.
Is macOS perfect? No. But it works a lot better than Windows in my experience. Antimalware Service Executable, everyone is looking at you.
> are actually really nice and important security features
I don't understand how Apple getting a list of everything I run is "security". But everybody is doing it (Google, Apple, Microsoft, Facebook) so it must be good.