Friday, November 13, 2020

Your Mac does not belong to you.

I've been on this warpath for a long time. But it bears repeating that if you own an Apple product, that device PHONES HOME.

It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn't realize this, because it's silent and invisible and it fails instantly and gracefully when you're offline, but today the server got really slow and it didn't hit the fail-fast code path, and everyone's apps failed to open if they were connected to the internet.

Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings:

Date, Time, Computer, ISP, City, State, Application Hash

Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.


Yeah. Long story short, anybody with the right kit can track exactly what you're doing with your Apple product, be it a Macbook, an iPhone, iPad, whatever. And they know where you logged on, for how long, what programs you used, etc. And the right kit? It's cheap. Under a thousand bucks kind of cheap.

Similarly, we've known for a long time that your Android devices also phone home. And your PC if you're running Windows. That's just the obvious stuff that we know about. I don't think it is too tinfoil hat in this day and age to wonder if that's just the tip of the iceberg.

But that is all old news. 2014ish news. What's new?

Now, it's been possible up until today to block this sort of stuff on your Mac using a program called Little Snitch (really, the only thing keeping me using macOS at this point). In the default configuration, it blanket allows all of this computer-to-Apple communication, but you can disable those default rules and go on to approve or deny each of these connections, and your computer will continue to work fine without snitching on you to Apple.

The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don't permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.


Yeah. They're really quite interested in making -sure- to get all that data. They're going to get it whether you like it or not. The only thing you can do to stop this now, on a Mac, is run a network packet filter and stop all the packets headed for certain addresses. That's a whole computer stuck between yours and the Great Outdoors running a package like Smoothwall or similar. I don't know how to do that, but I may have to learn, or so it seems.

Given the raw political partisanship on display these days from Apple, Google and Microsoft, at both the corporate level and at the individual employee level, this is no longer a minor matter. Just sayin'.

The Phantom

Update! It develops that Google Android phones use your cellular data to call home if there's no wifi. 16 times an hour. 130MB per month. Doesn't sound like much, until you compare that to the complete works of William Shakespeare: five (5) megabytes of uncompressed text. 

Best part, they don't tell you that they're doing it, and you can't shut it off.

Some enterprising lad is suing them. I wish him good fortune.
 

8 comments:

  1. I'll note that there is a legitimate use case for collecting data on what apps run on your operating system, such as figuring out which of your APIs are in widespread use and need to be your first priority for bugfixing. But if you're actually legitimate then you disclose and allow opting out. For example, whenever I install a new version of Microsoft's .NET Core framework on my Linux machine, it informs me that .NET Core defaults to sending Microsoft information about what APIs are called, and tells me exactly how to opt out.

    See, Apple? THAT's how you're supposed to do it.

    Funny. When Bill Gates and Steve Ballmer were in charge of Microsoft, they were untrustworthy company, and I didn't anticipate that changing. But since Satya Nadella came onboard as CEO, Microsoft has been a far better-behaved company.

    ReplyDelete
  2. That "unknown" talking about Microsoft and opting out was me. The Blogger software says I'm signed in with my Google Account, but still lists me as "Unknown". Don't know why, and don't care enough to spend time finding out. *Shrug*

    - Robin Munn

    ReplyDelete
  3. Greetings, Robin and Hobbit.

    Not to be left out, Android literally phones home using your expensive cell data when there's no wifi. And they're being sued for it.

    https://www.theregister.com/2020/11/14/google_android_data_allowance/

    "To support the allegations, the plaintiff's counsel tested a new Samsung Galaxy S7 phone running Android, with a signed-in Google Account and default setting, and found that when left idle, without a Wi-Fi connection, the phone "sent and received 8.88 MB/day of data, with 94 per cent of those communications occurring between Google and the device."

    The device, stationary, with all apps closed, transferred data to Google about 16 times an hour, or about 389 times in 24 hours. Assuming even half of that data is outgoing, Google would receive about 4.4MB per day or 130MB per month in this manner per device subject to the same test conditions."

    16 times per hour. That's a lot, eh?

    ReplyDelete
  4. So, are they going to pay my bill if I use a service that charges by the MB for data connections? On Ting, which is probably about as cheap as data gets, that's still $120/year. Go lawsuit.

    As to the Mac debacle... apparently word got out because Apple's server went down, so none of the associated applications would open. Now, imagine that where it costs money or lives... (about 20 years ago, I saw somewhere that business downtime due to cranky computers had an estimated cost of up to $8M per MINUTE.)

    ReplyDelete
  5. Could us configure a Raspberry Pi or other very small computer as a router and power it from the Mac's USB port so that any connection went through it, with these Apple sites blocked? it would be small enough to carry with easily.

    ReplyDelete
  6. Jonathan H -

    The project you want is https://pi-hole.net/. Open-source project that does exactly what you're talking about: lets you install a blocklist (and let you control the blocklist as much as you want) to your Raspberry Pi, and use the Pi as a router so that it can prevent ever loading anything from the blocked domains.

    What I don't know is whether the Mac will run at all if it finds it can't phone home. Someone who owns a Mac would have to answer that one. :-)

    - Robin Munn

    ReplyDelete
  7. However, the Raspberry Pi needs about 2.5 to 3 amps of power, and the USB port standard delivers half an amp. So you'd have to plug it in somewhere; your Mac's USB port would not be enough to power a Pi.

    - Robin Munn

    ReplyDelete