The problem with online checks (Gatekeeper) is when you have a flaky internet connection.
It can handle no connection quite well, but unstable internet is really a PITA - commands and applications lag randomly when launching etc... It took me some time to troubleshoot why suddenly my macOS was almost unusable and this was the culprit.
That's a technique used/required by some software cracking methods - override your general network DNS lookup process (I believe anything you put in the "hosts" file in Linux/Mac, and the similar file in Windows - though obviously don't quote me on this - will be used rather than DNS-queried). So you configure say "google.com" to go directly to 127.0.0.1 (the localhost address, pointing right back at your own computer) and run a server on the port that the program is expecting to authenticate to.
The problem is responding to those API requests in a way that the program will accept - if it's just a simple PING, no issue, but if there's any sort of more advanced encryption, handshaking or license checking/exchange going on, you'll need to reverse engineer the algorithm. Some simple versions of that you can just record once and "replay", but most will at least have a timestamp hashed in.
(super rough, lay-man's understanding of the issue - sorry for any inaccuracies)
noob question: is there not a way for the client to verify that it is actually talking to google.com in a situation like this? I would think there would be some way to verify based on certs or something like that.
If you want to be sure, you have to pin your TLS certificates. That way someone either has to decompile your executable and replace that pinned cert (hard if you use SW signing), crack your signature (not likely) or steal your private key.
There are several other methods that I've seen but they are not bulletproof:
- talking directly to hardcoded DNS such as 8.8.8.8
- hardcoding IP addresses into SW
- Checking for some obscure header as a part of client/server identification
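As an added example (not code from any commenter), here is what the pinning described above looks like in Go: a client that completes the TLS handshake only if the server's public key hash matches a pin compiled into it, exercised against a local TLS server on 127.0.0.1, which is exactly where a hosts-file override would send a redirected hostname. The httptest package's built-in self-signed certificate plays the vendor's key, and `otherPin` is a constructed value that no real key hashes to.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo: the
// value a client embeds in its binary and compares against at handshake time.
// Pinning the key rather than the whole certificate survives routine renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedTransport returns an HTTP transport that completes a TLS handshake only
// if the server's leaf key matches one of pins. Chain verification is skipped
// purely so the demo needs no CA; in production leave it on and treat the pin as
// an additional check. VerifyPeerCertificate runs on every handshake regardless.
func pinnedTransport(pins ...string) *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			got := spkiPin(leaf)
			for _, want := range pins {
				if got == want {
					return nil
				}
			}
			return fmt.Errorf("SPKI pin mismatch: server key %s is not in the pin set", got)
		},
	}}
}

// licenseCheck performs the kind of request a hosts-file override would try to
// capture: it GETs url with a client pinned to pins and returns the body.
func licenseCheck(url string, pins ...string) (string, error) {
	client := &http.Client{Transport: pinnedTransport(pins...)}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// newLicenseServer starts a TLS server on 127.0.0.1 that answers the check.
// httptest supplies its own self-signed certificate, which stands in for the
// vendor's real key in this demo.
func newLicenseServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "license ok")
	}))
}

func main() {
	srv := newLicenseServer()
	defer srv.Close()
	vendorPin := spkiPin(srv.Certificate())
	// Constructed pin for a key nobody holds: what a client would carry if the
	// server it reached on 127.0.0.1 belonged to someone other than the vendor.
	otherPin := base64.StdEncoding.EncodeToString(make([]byte, 32))
	fmt.Println(licenseCheck(srv.URL, vendorPin)) // license ok <nil>
	fmt.Println(licenseCheck(srv.URL, otherPin))  // "" and an SPKI pin mismatch error
}
```

Because the pin is checked inside the handshake, a redirected hostname, a forged DNS answer, or an interposed proxy all fail at the same point: the far end cannot present the pinned key.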
yes, cert pinning, DNS over https, and encrypted DNS can make it much harder to see what the software on your network is doing. even just verifying ssl certificates client side is enough in most instances. Luckily, proxy servers in corporate environments have forced many vendors into not fully implementing these features.
> Is there a way to make it "think" it is connected to internet?
You actually want the opposite, to make it think it's not connected to the internet. In other words, a network connection blocker such as Little Snitch.
Yes there is but you probably don't like the answer: install Linux on the thing and be done with it. It does not seem to work as well on the ARM-versions but on Intel it flies. You can try to keep on fighting the beast but in the end the beast will win unless you show it the door - its only vulnerability. You get the glitzy hardware without the annoyances of MacOS - Linux may have its own annoyances sometimes but these tend to be less nefarious and more easily solved than the hurdles put up by Apple. Apple is not alone in this or I would have said to install 'Linux or Windows', Microsoft is just as bad when it comes to these shenanigans. An additional benefit is that you'll be able to keep the thing running an up-to-date OS for far longer since (most...?) Linux distributions are not enmeshed in planned obsolescence schemes.
Source: typing this from an older ("late 2009") iMac running Linux
Well, this is nice but in reality useless. You can run Linux on ancient Apple devices such as 2009 iMac but not really on anything newer.
I want to have modern peripherals and experience such as 4k display, USB-C, reasonably fast wifi/bluetooth. I don't really have a need for CD-ROM, firewire and IR port...
And believe me, I tried to run Linux on 2018/2019 MBP. Apple really really tries to make that as painful as possible. Most of the things are behind T2 (including keyboard for example) and since there is virtually no documentation you have to rely on reverse engineering efforts of a few talented individuals. Also there are things that just plain don't work such as resuming from sleep (the graphics MUX gets all confused and the driver will not re-configure it for some reason) etc... Basically nice for playing around, not good enough for running as a main device.
Not really, but you can simulate this by either using an iPhone as an AP and forcing 3G if possible, or you can hide behind a Linux proxy and set up random packet dropping (can be done with nftables).
Yeah I don't understand why Apple does not force its developers to use such a connection for a day or two at work. I'm very sure that they would notice because even the shell gets pretty unusable - and if you have Oh My ZSH with plugins such as git where it runs several commands every prompt... Oh boy, are you in for a ride.
And the most painful thing is that Macbooks don't have eSIM/cellular so you have to use iPhone with its small-ish antenna. So you have a MBP and your system is barely usable and next to you is your colleague, using DELL with built-in LTE and 4 large antennas behind its display doing over 70Mbps with a sh*t-eating grin asking you if you want to use his computer :-D
Since macOS is AFAIK a laptop-focused operating system, and laptops are often used on the go, without any network connectivity, I'd expect it to work perfectly in that kind of situation. So these results are not that surprising.
I like my Macs precisely because they are boring and almost never surprise me.
TBH, the only reason my Linux boxes surprise me is because I try stupid things such as mounting /var/log as a tmpfs to reduce write loads (mostly on RPi SD cards and eMMC devices).
I don't know about that — macs have enough weird behaviours that it wouldn't totally surprise me if, soon, they required a network connection, or the lack of one would at least make things awkward. For example, the inability to use clamshell mode without AC power.
Amphetamine[0] lets you prevent sleep on lid close. I presume it lets you do so without AC power (but I might be wrong on that), but one of the techniques they use to do that (setting the IOKit key that indicates the system is currently in clamshell mode) definitely does work without AC power. I made a command line utility[1] for myself a while back that does that if you're interested. It works fairly well, but the clamshell state tends to reset upon gaining/losing AC power. That's fine if the lid is open at the time (as the utility just applies the change again), but if the lid is closed, the system sleeps until the lid is opened again (at which point, it reapplies the change and you can close the lid again).
Q. a local mac repair shop installed "new OSX" on a laptop by request .. but it is version 10.12.6 (?) ..
Later, when downloading several common desktop applications, upon opening them.. it says "this software requires v10.13 or later" .. I assume this is completely on purpose to get the legions of happy Mac owners off of their stable OS and into the upgrade churn ? I assume (US here) you have to have to buy OSX 10.13, register an ID with Apple, to get new software (according to them) ?
macOS upgrades have been free since OS X Mavericks[0] (10.9, released in 2013). macOS 10.13 (High Sierra) came out in 2017, so is a 5 year old OS at this point[1]. It also supports all Macs that macOS 10.12 (Sierra) supports[1]. And you don't need an Apple ID for anything other than Apple services and the Mac App Store. OS Upgrades don't need an Apple ID (even on older versions of macOS where they're installed through the Mac App Store), and you can even network boot a recovery image and install the latest version over the network[2] (Intel Macs only).
I'm a bit confused by the question and might be misunderstanding but there is no need to buy OS X upgrades, they're free. But you do need to register with Apple to get them.
You’re not entirely wrong; you do need “Xcode Command Line Tools”. Thankfully, that’s a much smaller bundle than Xcode. It contains a bunch of tools for building code, such as llvm, ld, make, and git.
it read like someone appalled at the state of things setting up the ground work before getting to the problem, but then after that first stage, it just sort of ends. what a pointless read.
The difference is that it includes the initial installation process too. So the idea is that since online services are deeply embedded into the OS, what happens if you don't have an internet connection?
A few years back there was this issue of macOS apps launching with a delay because the OS was checking with Apple if you are allowed to use the app. IIRC, this was just a bug.
Also, you won't be able to use iOS without an initial internet connection.
This creates a curiosity on how usable a Mac is without internet. As it turns out, it's pretty usable.
> A few years back there was this issue of macOS apps launching with a delay because the OS was checking with Apple if you are allowed to use the app. IIRC, this was just a bug.
If you're talking about Nov 2021 when Apple's Gatekeeper servers went down, apps weren't just delayed, they were unable to be opened _at all_ unless you blocked DNS requests to the server or completely disabled your internet connection.
I believe the only apps that were allowed to be opened were the built in macOS apps. Why this verification is done on every single load is completely beyond me. After this and the whole iPhone 7 radio debacle I won't be buying their products for a long time.
> If you're talking about Nov 2021 when Apple's Gatekeeper servers went down, apps weren't just delayed, they were unable to be opened _at all_ unless you blocked DNS requests to the server or completely disabled your internet connection.
IIRC, Gatekeeper responses are cached for some amount of time for each app, so most people were still able to launch a given app. But yeah, you'd have to disable DNS or internet if you were unlucky and the cache had expired.
Apple's failure inspired me to research compressed CRLs. These don't have the same privacy problems as OCSP, and they work offline. As far as I can tell they would be a good replacement for OCSP here (and also in most cases on the web) but I don't know how one could convince them to roll them out.
It was November 2020, and at the time, OCSP responses were only cached for 5 minutes, so most people weren't actually able to launch apps. After the incident, Apple increased the cache period to half a day.
The iPhone 7 had a flaw in its assembly where the radio IC was not epoxied to the PCB correctly. Over time, due to heat stress, the chip would get fractures in its solder joints and the phone would lose the ability to get on cell networks.
I took my 7 to the Apple store in 2019 with this issue after giving it to my SO. I was told by the store rep that it was an issue with "the third party manufacturer" (Qualcomm) but Apple would do the repair for free. I learned from some independent repair communities that this was actually a really common issue and Apple was doing some silent recalls.
> A few years back there was this issue of macOS apps launching with a delay because the OS was checking with Apple if you are allowed to use the app. IIRC, this was just a bug.
Convinced this is why Spotlight is so janky on iOS lately and you’ll be just staring at a blank list while searching for a local app.
Too cynical. The author is one of the best experts on macOS (on the level of Jonathan Levin) and their utilities are geared towards understanding the OS, not so much as really doing something commercially viable.
Windows is also effectively free for, e.g., students. Then, the students are hooked and have to pay for it later (including paying with their private data). Same for some other well-known services from Google.
May I ask, FSF lover, with https://fsf.org in the "about" of your profile, why exactly you're commenting multiple times in a submission specifically about Apple Mac?
To me it feels like you're just evangelizing, with no particular relevance to the subject at hand. Yeah, we get it, Mac is not "free" software as defined by the FSF.
It's not news to you and, perhaps, many others. However, people saying "He is right because it is free" do not seem to understand the difference between freeware and free software. I did not reply to the article; I replied to one particular comment, which was wrong in my opinion. You can call it "evangelizing" if you want, but knowledge of this difference can (in principle) save one from being trapped in the future.
I'm aware of both meanings. The discussion was with regard to cost. The software in question is free in that sense, which is the sense that virtually everyone would interpret.
But not FS types, who have had many years to adopt a less ambiguous word to differentiate free as in speech vs. beer. Open, Libre etc. can be used but they insist on trying to unnecessarily reclaim the word. Seemingly just to make a point.
Okay, we get it. But no one cares about the axe you're grinding. You guys need to pick your battles and move on.
> I did not reply to the article; I replied to one particular comment
You replied to two separate comments (not including this one). One of your replies was (rightly) flagged dead.
The entire thread was misconceived. All of the accusations of advertising and bait and switch were completely lacking in evidence or justification. Howard Oakley isn't ever going to "trap" anyone, regardless of whether his software is "free" under your strict definition.
I didn't say you did. You didn't start the misconceived thread, you just participated in it.
> I said that it was in principle possible to use freeware as bait and switch.
That's completely unhelpful though. We're not talking about "in principle" or "in general". Some commenters here were accusing the article author, Howard Oakley, of using his article for advertising of his software. And you added fuel to that fire.
The "in principle" possibility is irrelevant to this submission unless you're specifically suggesting that Howard would actually do it. And that would amount to a personal accusation.
Dr Oakley has been making his software for way too many years for such a model to be feasible. Had he been relying on one of his apps to become a unicorn, he'd probably have gone broke by now.
The "business model" you are speculating about is second in its insanity only to making MIT-or-more-permissive open source software with an expectation that a multibillion corporation picking it up for its own use will share profits with the author in a sudden attack of ethics.
The author blogs almost every day about the Mac on his years-old Mac-oriented blog. The author doesn't write for HN readers, nor did he submit his blog post to HN.
Why do the worst HN comments always rise to the top?
> The author doesn't write for HN readers, nor did he submit his blog post to HN.
It does not follow from the GP comment's claim that the author must be writing for HN readers. There may be many articles written by many people about how the Mac works without a network connection, but this one happened to be the one to be posted to HN and make it to the front page because it has traits that are in line with what HN wants to read.
> It does not follow from the GP comment's claim that the author must be writing for HN readers.
It seemed clear to me that the comment was a snide remark suggesting that the article was clickbait. Much like some of the other snide remarks on this submission, such as the sibling comment "The difference is that this article is an advertisement for the app they're selling." https://news.ycombinator.com/item?id=35149157
> Want to use a non apple keyboard with keybinds…most likely gonna need usb overdrive or something.
What keybindings are you using that require an application to support using a third party keyboard? I've been using third party keyboards with macOS for years and have never had need of any third party app.
Volume controls and media buttons (stop/play/pause/next etc).
Generally I have had to use USB Overdrive since Catalina for basic functionality on even old keyboards (i.e. Dell multimedia keyboard).
But that brings its own caveats. And doing it through a dock is problematic (it requires a reboot to function), though it works fine on a Mac mini. In general I've just given up on maintaining the functionality.
Good to hear that is now a feature in Ventura, better late than never... The enraging experience I had that prompted my complaint happened on Monterey.
> - Updates that you don't need right now cannot be cancelled, paused or rate-limited and will just eat your entire data cap with no warning.
You should be able to turn off "check for updates" and "download new update when available", and only manually check for updates at a time and network location of your choice.
My experience was that these options didn't do anything if the download had already started; everything else I tried, from restarting to killing processes, was fought back with a newly spawned update process. Trying to SSH into a server to fix an emergency while on a spotty 3G hotspot was made far more stressful by my computer being out of my control.
Oh, I wouldn't expect them to do anything if the download had already started, sure. It would be nice to be able to abort, agreed. I misunderstood what you were describing.
But perhaps you (or other readers) might want to leave those settings unchecked so it never automatically downloads, and you can manually tell it to download when you want, when you're in a location you want to. I believe you can have it check for updates and notify you, but not automatically download, too, with the right settings.
Would be interesting to every once in a while test "Using Linux without a network connection" (as in: install everything from usb/media and check all your workflows)
I yard out the drive, attach it to another machine and toss a copy of, e.g., slackware64-current (+ sources) and a bootloader on the drive, put the drive back in its original machine and boot/install without a network.
After that, it may or may not ever see a network depending on what it is slated to do.
I don't know about now, but when Ubuntu came on CD images intended for burning to actual CDs and offline installation, those images included most of the packages you'd ever need. Or at least that was my impression.
I'm currently on the fence about buying Little Snitch. I tried the trial for a week and interestingly there were no outbound connections I did not expect, so I ended up allowing basically everything. I run a limited set of applications and that hasn't changed in a number of years.
Obviously I feel quite happy that I’ve not found I’ve been allowing connections I didn’t want to but it also makes me feel perhaps I am being a little over the top by adding Little Snitch into the mix.
I went in thinking it would catch dozens of secret connections but nothing. So part of me feels it is overkill and a time waster for myself. Anyone care to explain how wrong I am? I would be grateful to be corrected and happy to buy if I can be convinced it is indeed worthwhile :)
To me it's more about personal control than surprises. It doesn't surprise me that Apple software is phoning home; I just want to stop it and control which connections and data I allow to leave my Mac.
Do you find LS causes any kind of network speed impact when dealing with systems that have hundreds or thousands of connections? I often have Transmission open downloading and as I have a 2.5gbps connection it can easily hit several hundred in and out connections when bandwidth hits >2gbps. I’m wondering if LS either slows that down or causes additional power use/heat?
> Do you find LS causes any kind of network speed impact when dealing with systems that have hundreds or thousands of connections?
Not that I'm aware of. Only my main Mac has Little Snitch installed, but as a developer I have other Macs and iOS devices for testing that don't have Little Snitch, and I've never noticed any difference in speed.
Thanks. I think I will reset the trial and stress test it a bit with and without LS installed to gauge for myself then. Shouldn’t take long to notice an impact. If all is good I guess I might pick it up to run with for a year and see how it goes. If it makes no performance difference and doesn’t introduce any other issues I don’t see any reason to not err on the side of paranoia :)
It whitelists all of the Apple privacy-invading phone home nonsense by default. You have to disable those rules to see the dozens of alerts from different OS processes phoning home to Apple (even if you don't use iCloud or iMessage or FaceTime or the App Store or any other service at all).
Because Little Snitch is the tool that will help you from getting surprised in the future by something you don't have now. Sure, you might be surprise-free in your outbound traffic now, but what happens 6 months from now when you suddenly are hit with something from a new download or some other method of infection? Little Snitch will block it from the first attempt and bring it to your attention. Without it, it'll just happily do its little tasks until the next time you think about auditing with a reset trial version of Little Snitch.
Just like you don't need health insurance until you do, then it's too late if you don't have it. The comparison seems obvious enough.
macOS 11 stopped support for kernel extensions, and now requires firewall apps like Little Snitch to use "Network Extensions".
In early versions of macOS 11, some Apple apps bypassed network extensions. This was supposedly fixed in macOS 11.2, but there is no way to verify that macOS doesn't have any exceptions that might still bypass network extensions.
Not everyone can afford a managed switch and a second computer to inspect the traffic with.
Also, I'd worry that any traffic I was seeing on the mirrored port was not coming from the Mac but was appearing because I messed up the setup, so that what I am seeing is traffic generated by the system I am using to inspect the traffic with.
> Not everyone can afford a managed switch and a second computer to inspect the traffic with.
Everyone doesn't need to verify this. The security researchers and other Mac experts can verify it. Security researchers and Mac developers discovered the previous bypass.
It’s not magic, the packets have to comply with IP standards if they’re going to work on an IP network. Below that, the frames have to comply with Ethernet if you’re plugged into an Ethernet port. The traffic can’t hide.
Why not? It's not like it'd be hard to know. The submission article even talks about running it in a VM, wouldn't be hard to connect tcpdump to whatever bridge it's using and inspect if Little Snitch can truly capture and block all traffic.
Because you don't know what conditions would trigger a circumvention of the network extension. There might be a zero-day somewhere in macOS that allows a malicious app to circumvent network extensions.
If you look for leaks, and don't find any, it doesn't mean there aren't any.
> Indeed, if anything, the first run of apps like Xcode was started with less delay than when an internet connection is available.
Does anyone know whether this Apple server contact delay applies to every executable? Whenever I compile my code on a Mac the first run is delayed by 2-5 seconds and it's getting really annoying.
Guys! Guys! I turned Internet off, and guess what?!? No internet based features worked!! Can you believe that I couldn't authenticate to my apple account?!
This just reminds me of Windows 11. The Home edition which most people would buy cannot bypass the setup screen without connecting to the internet and creating a Microsoft account. Can't believe Apple is the more free option here.
The funny thing is that I've always done it this way, for many many years, when installing major Mac OS updates: choose the option "My Mac doesn't connect to the internet", and set up the internet connection later, after I configure everything how I want.
Then of course the first thing I do after installing macOS is install Little Snitch (already having a hard copy on an external disk).
Last time I installed, I had to only select "continue with limited setup" (tiny font with bad contrast in the bottom left corner, doesn't really look like a button), and confirm that in the nag-screens that follow. Then it created a local account. After the installation I inserted the network cable and all is well.
IMO, that's the difference between straightforward and obvious. It's not obvious because Microsoft doesn't want it to be obvious. But one can totally tell a family member "press these keys, then type this command and press Enter" - non-technically inclined people couldn't care less about further explanation, only about the end goal. I've done more complicated troubleshooting over the phone...
It's a built-in and supported workaround, just intentionally hidden (because Microsoft wants the average Joe / the masses to use an online account). That's not something that a random person came up with, even if it's not advertised.
dpkg -i ./some-package.deb works just fine, though if that package has dependencies you have to install them first. The same is true for any program on Windows requiring a specific MS VC++ runtime version, you'll have to get those installed manually if they're not built into the package you're trying to install.
apt-cdrom (https://linux.die.net/man/8/apt-cdrom) exists to solve the dependency problem. You can also use the GUI (insert DVD, go to "software & updates", click "add volume"). If you don't use CDs or DVDs for removable media, you can manually add the repository directory (`deb [trusted=yes] file:/path/to/your/folder ./`) as well.
You can even apt install software like you would with an internet connected device if you have the offline repository in the same place. Redhat's RPM files should work very similarly.
Most of the time, developers don't distribute raw packages the same way Mac and Windows software is distributed. You can download individual packages from your repository of choice and install them on any machine you like (except for maybe Snap, but there's a reason people hate Snap). The difference is that you're not expected to hunt down every download page to get the latest copy of your software.
Annoyingly, the .deb distributions of Discord and VS Code use .deb files instead of repositories to update themselves. This leads to a very annoying Windows-like "click here to download the update" program flow. Luckily, Flatpak versions are available that handle this stuff for you.
Go to packages.ubuntu.com (or the equivalent of your favorite distro), download the packages, transfer them to your offline computer, install there. The requirement for dependency resolution does make it more of a pain than it is in Windows or MacOS though (where dependencies are simply vendored in the installer)
Holy cow dude if you’re going to shill against Linux online you should at least try knowing about what you’re trying to shill against. Linux package managers ALL support installing from files. I don’t even use Linux but just wow. What outfit are you with?
Yes, you can, though the download will be a tiny bit larger. E.g. currently, Fedora 37 release and updates, for x86_64+aarch64+source, is just a bit below 700GB.