Apple Big Sur Security and Analytics Check Box
PING!
If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.
Posted on 11/17/2020 10:32:48 AM PST by Mount Athos
Apple's latest operating system, macOS Big Sur, uses a new API to constantly send users' data (including how, when, and where a Mac is used) to Apple. This data is transmitted to Apple without encryption, meaning anyone with access to the same network as the Mac can see the information.
There are plenty of reports of Google, Amazon, Facebook, and other big tech companies tracking and logging user data. Thankfully, Apple has been a bastion of respect for user privacy in both the computer and smartphone world. Right?
According to a new report from Jeffrey Paul, a computer privacy blogger and advocate, macOS Big Sur is constantly logging and transmitting user data. He reports that a recent Apple server failure brought attention to the tracking process. Apparently, macOS Big Sur communicates with Apple servers and logs which apps a user opens; the time the app is opened; and location data like the user’s IP address, city, state, etc.
Normally, this process either logs and send user data when a user is online. If the process cannot immediately connect with the server, it fails without notifying the user. Late last week, an Apple server got bogged down. The tracking process could still communicate with the server, but the longer connection times caused the code to skip past its quick-fail path. However, the issue caused apps to fail to open as they couldn’t verify the logging process.
What does this mean? In a nutshell, Apple receives data detailing exactly where, when, and how you use your macOS Big Sur device. Further still, Apple can prevent apps from opening on your computer, whether you know it or not.
This tracking has been present in prior versions of macOS, but privacy-focused apps and VPNs could trick the process. However, Big Sur introduces a new API that circumvents even these apps and VPNs. In other words, a VPN or firewall won’t shield your location from Apple’s own tracking.
Considering the new proprietary hardware Apple has put into its MacBooks (like the T2 security chip and the new M1 SoC), this tracking has become extremely difficult to circumvent as some processes appear to take place at the hardware level. Not only is it almost impossible to install another operating system through non-Apple-approved channels (i.e., dual-booting Linux), it is becoming harder to block or hamper Apple’s embedded tracking practices.
Perhaps worst of all, the data is sent to Apple through unencrypted channels. That means anyone with access to the computer’s connected network (e.g., your ISP or anyone on the same public WiFi network) can see the data being transmitted with little trouble. Apple does hash the application data, but if history is any lesson, hashes like these are cracked in due time.
As Jeffrey Paul states, your MacBook is no longer yours.
This is likely a non-issue brought up by those that do not understand certificate checking (hint: your browser is likely doing this too).
Apple is using Online Certificate Status Protocol (OCSP) to check whether your signed applications were signed with valid certificates, or if those certificates have been revoked for some reason.
Why is OCSP unencrypted? It uses the HTTP protocol not HTTPS. If it used HTTPS, it would create an endless loop of checking certificates. Not good.
MacOS lets you install unsigned apps or apps with unknown signatures. You have to make a conscious decision to allow that. I don’t know what happens if a signed app returns a revoked or bad status. That is, will the OS still let you run the app if you allow it?
Brave and/or firefox with privacy extensions.
I don’t go through the VPN if I’m just doing normal stuff (online banking/shopping, etc.).
Interesting. If Big Sur is air-gapped, when do the apps fail?
I have a similar procedure.
I live a boring life, but I don’t want to be followed around by peeping toms.
and as you said, things are getting weird.
Even if you have to opt-in to send the analytic data to Apple, if they’re sending it *UNENCRYPTED* it’s a big problem... as a big shiny beacon for anyone sniffing traffic on that network.
MJ
Charles for iOS is the schiznitt if ya wanna peek at that traffic.
Yeh, well, Biden’s not a pervert either!
In China, Apple has multitudes of children looking over your files... heh heh heh.
If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.
*sigh*
Meanwhile, the pic you posted in your comment is a 404 for some reason. The image URL on the FR page looks like this:
https://freerepublic.com/focus/bloggers/3906908/%E2%80%9Chttps://i.postimg.cc/SxjZLTWh/B702-EA3-D-2176-44-FC-B080-0-E458-A7-DD4-CA.jpg%E2%80%9Dbut in a browser bar, if you peel out this:
https://i.postimg.cc/SxjZLTWh/B702-EA3-D-2176-44-FC-B080-0-E458-A7-DD4-CA.jpgYou get this (I reduced its size):
Re: Photo. That’s what I wanted to post. Nothing I did would let it post. Something got broken in the migration of FR to the new server. Did you have to reduce the size before posting or did you do it in the HTML command? I used a sizing command. Thanks.
<IMG SRC="https://i.postimg.cc/SxjZLTWh/B702-EA3-D-2176-44-FC-B080-0-E458-A7-DD4-CA.jpg">
Big Sur is bricking Mid-2014 13 inch MacBook Pro computers. I have a 15 inch Mid-2014 MBP, so no Big Sur for me.
Bookmark
I did hear that big sur exploded some charging feature in that it couldn’t determine voltage to correctly charge a variety of apple devices requiring different voltages on usb C.
Found the problem. The new server for FR is interpreting pasted quotation marks as a double apostrophe. No wonder it’s not working. Delete the quotation marks and replace with a proper quotation mark around the HTML Image source command and it works. Thanks for the help in trouble shooting this.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.