> SK runs on the same high speed application processors as XNU/iOS. To make this possible, additional processor privilege levels are required — likely supported by virtualization extensions
Recent Apple phone and laptop SoCs include hardware support for nested virtualization, including the M4 iPad Pro where an exclave is used for the camera LED. Hopefully the next revision of the Apple Platform Security guide will cover SK exclaves and baseband mitigations for Wi-Fi radar sensing, https://help.apple.com/pdf/security/en_US/apple-platform-sec...
XNU is being refactored into a micro-kernel inspired architecture, aiming to reduce its code base, and move security sensitive operations out of it. The memory space isolation is performed with the help of a Secure Page Table Monitor - SPTM. The code signing, entitlement verification, Developer Mode, Restricted Execution Mode, and other security sensitive operations are handled by the Trusted eXecution Monitor - TXM.
> or most likely via ARM’s TrustZone technology. The XNU source code contains several references regarding transitions to and from TrustZone’s concept of a secure world
> it’s a defensive effort on a larger scale than any other end user device manufacturer is currently attempting
Google implemented pKVM on Pixels with hardware nested virtualization a few years ago, and upstreamed the code to Linux mainline, including cooperative de-privileging of TrustZone relative to pKVM L0. But they have not announced defensive features using pKVM/AVF, outside of Debian "Linux Terminal" VM.
It’s important to note that most of those CVEs are to do with vulnerable software that manufacturers put in the TrustZone protected environment (many of which are garbage). There are very few vulnerabilities reported about the hardware itself.
michaelt 3 days ago [-]
Personally, I've always thought the fact these vulnerabilities keeps happening demonstrates that TrustZone's secure execution environment just isn't designed well.
If you're a phone designer, and you're going to put unlock PIN validation into a trusted execution environment? Sure, makes sense. If you're going to put your widevine DRM code into a trusted execution environment? I guess.
But why did they make a design that means a vulnerability in the DRM code allows an attack on the PIN validation code? That means the attack surface is huge.
You gotta keep these clowns separated if you don't want them spraying each other with water and throwing pies down each other's trousers.
sly010 3 days ago [-]
Isn't that just true for vulnerabilities in general? Trust Zone is not a security mechanism, it's an isolation mechanism.
> While I speculated that TrustZone was being used, exclaves may well use the existing SPTM and GXF (Guarded Execution) privilege levels after all. One implication may be that there is no hard reason they couldn't be supported on iPhone 13 and higher, aside from RAM requirements and development effort. Make no mistake these are huge undertakings even for Apple.
neom 4 days ago [-]
I think Steve truly believed at his core, very simply: your laptop is your diary, and they have a responsibility to that.
I don't think Tim would be CEO if he didn't believe what Steve did. It's so weird, but I really miss Steve.
As someone who builds industrial/scientific machines, the consumer oriented devices that Apple makes are completely unusable for me. Locking down completely capable computing devices seems like such a waste. I'm also not a fan of how Apple controls devices and the market of software after the device has changed owner. I'm staying the hell away from this ecosystem. Not sure why many so-called "hackers" are so enthusiastic about these "hood-welded-shut" systems.
adamtaylor_13 3 days ago [-]
I'm one of the most technically-inclined people I know in my personal social circle (not true in my professional circle.) I'd even probably go so far as to label myself a "hacker". But I do care about UX (which Apple nails). I do care about convenience (which Apple nails.) And I do care about privacy (which, and I know I'll get flak for this, Apple _also nails_ when compared to any other device on the market that isn't explicitly marketed to developers.)
However, despite being an actual software engineer, I'm no security researcher. I don't understand kernels or privilege elevation or anything deeper than the UNIX shell I work in. So it's nice to have a system that's 99% safe by default, but still allows me to run crons, or programmatically open/modify things, and generally script my machine to look and behave the way I want.
Apple is the perfect middle-ground for people like me. Just because you can't fiddle with a kernel hardly makes this a "hood-welded-shut" machine. There are processes on my Windows machine that I'm not allowed to kill even as an administrator. I can `kill -9` whatever the hell I want on my Mac.
There's a very large group of people who operate like me, and are even less technical than I am, but love things like Keyboard Maestro or Apple scripts which allow them to tweak little things. Windows has no comparison and as far as I've witnessed it's one of the most frustrating operating systems in existence. Most people do not have the time or desire to run Linux. So, you are left with Apple which nails several of selling points that no other ecosystem nails.
That's why people, including "hackers", are enthusiastic about this "hood-welded-shut" system.
AceJohnny2 3 days ago [-]
> I can `kill -9` whatever the hell I want on my Mac.
Note that the Mac is way more open than the iPhone (or iPad, which is funny considering how some chips are shared between Mac & iPad), specifically to preserve (some) of the kind of control people expect from their Mac.
That's why you can run Asahi Linux on Macs, but not iPads.
So you & GP may be talking past each other, them grousing over the locked-down nature of the iPhone, while you celebrate the control of your Mac.
saagarjha 3 days ago [-]
There are processes on macOS you can’t signal without disabling SIP.
adamtaylor_13 3 days ago [-]
This is true, but those tend to be “mission critical” and, as you pointed out, CAN be affected with enough motivation.
Windows blocks me from doing things like permanently uninstalling Microsoft Edge.
It’s like the operating system itself is viral in nature.
kennysoona 19 hours ago [-]
You can permanently uninstall Microsoft Edge, it just takes some tinkering.
Last time I was playing with a Mac, even the root account was a problem to try and access. Apple are just way too nannying with their devices, but people like that.
adamtaylor_13 7 hours ago [-]
I’ve literally never experienced that. If you’re the admin account, you can sudo su no problem.
Unless your company has something locked down. If it’s a consumer Mac, it requires nothing more than a login password.
kennysoona 6 hours ago [-]
I'm not talking about sudo su, but actually accessing the root account directly. I remember back in the day I put a file on someones desktop to prove a point, and they couldn't delete it because logging on as root was harder than it should be and they didn't know how.
alabastervlog 4 days ago [-]
What's excessively locked down on MacBooks?
There are some security features that (for good reason) get in the way of e.g. dtrace, but I'm not aware of any of those that you can't turn off.
> I'm also not a fan of how Apple controls devices and the market of software after the device has changed owner.
What's this about?
colonial 3 days ago [-]
One thing in particular that bugs me about Macbooks is the fail-deadly hardware security. Disk encryption is good, yes - I use LUKS myself - but it tends to backfire on regular consumers if done poorly. I've had to tell far too many people that their data is perma-gone from a fried Macbook motherboard. (And no, "they should have used Time Machine" is not a valid excuse for such poor design.)
Such scenarios are trivially recoverable on better-designed machines with removable storage and consumer-friendly software FDE. BitLocker does this reasonably well - yes, there are privacy concerns w.r.t. key backups, but one must strike a balance between convenience and security.
ETA: To be clear, this setup would be entirely tolerable to me, but I (and everyone else in here) is hardly an average consumer when it comes to technology.
intrasight 4 days ago [-]
"The worse system except for all the others that have been tried."
Many hackers think that about Apple computers. Many others have no choice because they develop iOS apps.
devmor 4 days ago [-]
Personally, I do not like MacOS, and I do not like using a Macbook for work, because I am a developer and a hacker. It is harder to do my job and harder to be efficient at my work.
That being said, I love iOS on my phone and tablet. I used to prefer android, because of how much I could customize it, but it slowly became less reliable and more centered around selling me products and services sponsored by Google or my carrier. I switched to an iPhone and iPad about 7 years ago and am much happier with a reliable set of mobile devices that I know are relatively secure and wont get in the way of what I want to do.
Point being, the OS you want on, and ecosystem you want around your devices absolutely depends entirely on what you want your devices to do (or not do against your will).
kavok 4 days ago [-]
Out of curiosity would you prefer Windows or Linux instead of Mac?
kennysoona 19 hours ago [-]
> Not sure why many so-called "hackers" are so enthusiastic about these "hood-welded-shut" systems.
I think the term 'hackers' has become diluted to the point it just means 'enthusiastic coder' - it hasn't seemed tied to creative thinking or pushing boundaries in some time. That probably stopped around the time the LifeHacks site became popular.
They prefer Apple because most are young and grew up with iPhones and Apple being cool due, all while MS starting continually shooting themselves in the photo with Win 10 and 11. They probably approve of Apple standing up to the FBI also.
rollcat 4 days ago [-]
I'm a self-branded hacker so I'll share my motivation:
Shit. Works.
This is critical. I can focus on my actual task at hand, rather than fiddling with the system.
Some perspective: I've been on Debian for 15 years, and I still hold it in very high regard for servers. I'm also an occasional Alpine & OpenBSD user; and Windows for games. I've tried Ubuntu, couldn't stop it from getting in my way. Before you suggest Fedora, Arch, NixOS, whatever: I'm done distro-hopping. The experience is about equal everywhere. No amount of "choice" beats thoughtful design, accessibility, and vertical integration.
Vendan 4 days ago [-]
I'm a software engineer at a company that does all macbooks. I hate my M1 macbook because it's way less reliable then my desktop, both software and hardware. I have to hold the power button to force it off roughly twice a month, it absolutely refuses to play nice with my KVM (that my desktop has no issues with), and the "keyboard secure input" feature regularly goes on the fritz and breaks anything that taps into the keyboard, including stuff that I've specifically installed.
rollcat 4 days ago [-]
> I have to hold the power button to force it off roughly twice a month [...]
Hmm...
$ last | grep reboot
reboot time Sun Feb 16 14:10
reboot time Fri Feb 14 19:40
reboot time Thu Jan 30 09:52
reboot time Fri Dec 13 16:20
reboot time Tue Oct 29 15:32
reboot time Tue Sep 17 12:19
[...]
I guess most of these are from macOS updates. I don't think I've used the power button at all in the past year or so? FWIW I'm using a Mac mini (also M1) rather than a Macbook, but "it works for me" was the entire point of my original comment.
> it absolutely refuses to play nice with my KVM (that my desktop has no issues with)
Honestly I'm with you here, but I'm pretty sure KVMs are just pure lottery. I plug the mini via USB-C/DP to a screen that has a simple built-in USB hub (which in turn handles mouse/KB/audio interface); this also works perfectly fine with my Thinkpad T495. However an expensive TB3 dock with a dozen ports doesn't work with either, but it's just fine with a 2017 MBP. TBH I wouldn't blame any of the involved parties; USB-C/TB always came off as a finicky mess to me.
> I'm a software engineer at a company that does all macbooks.
I can't say anything but extend my sympathy. In an ideal world, companies prioritise employee satisfaction and productivity. There's an argument that this is a trade-off vs increased IT support cost/workload, but I guess SWEs don't need much support to begin with?
You could at least appeal on the basis that the HW you've been provided with is clearly unreliable. Come up with some numbers about lost productivity. Bosses love numbers.
RussianCow 4 days ago [-]
> There's an argument that this is a trade-off vs increased IT support cost/workload, but I guess SWEs don't need much support to begin with?
IME, it's also about being able to ensure that everyone has access to the same software. I worked at a company that used macOS-specific software for development (I think it was Sketch?) so I had to have a MacBook around, even though I primarily used a Linux desktop for work. Anecdotally, I don't think this is uncommon.
rollcat 3 days ago [-]
Yeah I'm using enough Mac-specific (Logic, Compressor, Sketch, ...) or otherwise proprietary software that it makes perfect sense. I'm lucky that this is already my platform of choice. And honestly it's been getting better (OrbStack!), and I don't even have to touch XCode too often :,)
supriyo-biswas 4 days ago [-]
Much of these complaints are usually better directed at Crowdstrike and other EDRs. The performance difference between my employer-provided Macbook and my personal one are like night and day.
alabastervlog 4 days ago [-]
Hell, half (but only half...) the reason I try to get MacBooks anywhere I work is because they're usually not quite as shitted up with broken surveillance software eating half the company's potential productivity, as the Windows ones.
t0astbread 3 days ago [-]
Sorry to be that person but: As someone who's been using NixOS as their daily driver for about three years (after switching to it from Debian) and is currently trying out a MacBook I can tell you that NixOS provides a very different experience than everything else you've mentioned (including macOS). The only other OS I'm aware of that it's comparable to is Guix System which is distantly related to NixOS.
NixOS in its unofficial "endgame" is more like a container where you can strictly define what files to keep between reboots and everything else gets thrown away. Except unlike a container it covers your entire filesystem (not just a single application) and it's actually usable for things like a laptop since you don't have to reboot between making changes. There's a popular blog post titled "Erase your darlings" that explains it in more detail[1]. And, like with a container image (but different in how it's done), NixOS forces you to write any and all changes to your system's programs or config as code that can be introspected and delivers repeatable results.
This is definitely not to everyone's taste but for me this is now the only way to keep computers "clean" in the long term (sans specialized distros like Talos Linux). I can just look at the source code to know exactly what I'm running and I can delete stuff I no longer want without having to think about leftover files or anything like that. Backups also get a lot simpler when you only have to think about the persistent volume of your system and your config and full restores are just a matter of reinstalling with your config in place.
macOS is gorgeous and I love how everything just works pretty much (except defining global keyboard shortcuts). But I've been so spoiled by NixOS catering to my config management obsession that everything else feels kind of primitive in that regard. My dream would be the macOS userland and kernel on top of Apple hardware but built and assembled with the Nix module system. And then some APFS magic to make an ephemeral root filesystem work.
(Also yes I've tried nix-darwin. Love it and I'm infinitely grateful it exists because I'm also using a MacBook at work but it's not the same kind of "complete" experience that NixOS provides.)
I've been using NixOS for a couple of years; I still have it on one of my RasPis. I've had a moderately elaborate config for my laptop. I could enumerate all of the problems I've had with it, but back to my point: not that different from every other distribution. Once you get past the insane level of ecosystem fragmentation and DIY fixes (which NixOS adds to- with "regular" configs vs flakes), there's still the UX department, where both KDE and Gnome are severely lacking.
t0astbread 2 days ago [-]
Of course, the software that goes onto a NixOS installation is the same as on most other Linux distros so it's not any different in that regard. What I was trying to say is the config management aspect - especially when used with an ephemeral root FS - provides an entirely different way of managing your computer that's not really possible to replicate anywhere else (except Guix as I've mentioned).
Not that that makes it objectively better or worse. The config shtick of NixOS can also be really annoying to someone who just wants to install stuff and move on. It comes down to personal preference.
rollcat 2 days ago [-]
Personally I prefer the approach that the BSDs took: your OS has a "base" that is designed and integrated as a whole, provides basic services (SSH, httpd, mail, etc) plus a spartan GUI and all the tools to support its own development. Everything else is in ports/packages, which theoretically can be erased all at once with no loss in core functionality. It's conceptually simple and works OK in practice.
Notably, macOS (a BSD in my book) took the next logical step and completely sealed the base OS, all the way via logical volume management, verified boot chain, SEP (aka TPM), etc.
I agree that NixOS solves configuration management in a much more elegant way, but that elegance carries a heavy cost: it requires domain knowledge to comprehend. Personally I just keep /etc in git, and use judo to propagate changes. <https://github.com/rollcat/judo>
spyke112 3 days ago [-]
Fedora is really good though. I’ve daily driven Windows, MacOS and Linux, Fedora is by far the best developer experience I’ve had so far. But then again, I tend to setup my devbox quite spartan, so that it just works.
rollcat 3 days ago [-]
Does Fedora support ZFS (without building from source) yet? Filesystem snapshots is not something I'd ever give up on, and Btrfs still doesn't seem production-ready.
Also - I'm done distro-hopping. The problem is KDE/Gnome- KDE is aping Windows (badly), Gnome is aping macOS (also badly). I'd list all of the problems but it would take an essay.
spyke112 2 days ago [-]
I don’t know, it’s my workstation so everything is in Dropbox/Onedrive/Github/Gitlab, making the machine itself ephemeral… Come to think of it I should
probably get a NAS and mirror Dropbox/Onedrive onto, just in case.
rollcat 2 days ago [-]
Does Dropbox or Onedrive keep hourly+daily+weekly+monthly deduplicated snapshots of everything that's happened on your machine, that work without any network connection?
It's no substitute for backups (I use Borg), and syncing is good (I use Syncthing, I guess iCloud also counts). But snapshots should be ubiquitous at this point, just like having a "trash bin" was mainstream in 1995.
spyke112 2 days ago [-]
Well, I may be an oddball, but I never really find myself having the need for snapshots, I have a tendency to not really delete files. Once upon a time i recall Dropbox having versions?
fc417fc802 3 days ago [-]
I'm also confused when I see threads like this. For dev work I've yet to try a distro that didn't "just work". The only real friction I've run into is the tradeoff between stability versus package freshness but that's going to be a tradeoff with any software environment.
kennysoona 18 hours ago [-]
Shit works just as well without issue on my Alpine main install. On a mac, I have to fiddle with it to stay out of my way.
What exactly does not work for you on other systems, that works on a mac?
m463 3 days ago [-]
I totally agree. I think the best time was when they switched to the intel architecture, and their machines were good at interoperating with the rest of the world.
But I think they're regressed. I think sj was good at getting apple to interface with the rest of the world, and make course corrections. But now they've forgotten how.
Everything apple does is more apple ecosystem, ignore everyone else.
Sort of like the 7-habits dependent, independent, interdependent. Now they're back to independent.
so... they ignore the rest of the world. their own hardware, their own languages, everything else comes from their store. admittedly macos still allows people to run their own software, but ios doesn't let you run software or even access your own filesystem.
johnklos 3 days ago [-]
Let's step back for a moment and think about this example:
Do I, a highly technical person, want a machine that has been made in to an appliance, where I have very little control over what's going on in the background, where I have to trust one of the largest companies on the planet to Do The Right Thing™?
Well, I know I don't want to run an OS like Windows where the end user is treated with contempt and distain, where the price of the license means nothing because I'm still treated as someone who doesn't know enough to even choose my own browser, where third party programs have more control over my own machine than I do, unless I happen to have a lot of specialized knowledge and plenty of time to circumvent these biases.
But let's compare the Apple appliance to an open source OS running on an Intel CPU. Now I have an OS that gives me more freedom to do what I want and need, that has only documentation and technical issues as roadblocks, not intentional design. Better, yes? But now I'm also required to trust a company that has a literal hardware back door built in to it, that comes from a company that acts like they have no real understanding of security but might just be playing dumb, that has lied to users many times over years, that has knowingly chosen speed and marketing numbers over security time and time again.
Now add the fact that we need to trust binary blobs for wifi chipsets, some ethernet chips, GPUs, et cetera. Not great, if we want to both control our machine and trust it.
So, really, would I want to run an open OS on top of a janky CPU with lowest common denominator hardware, where each part might have issues, possibly security issues, or would I want an appliance?
I wish there were more options... AMD is better than Intel, but not sufficiently. They have less of a history of lying, of manipulation of marketing information, et cetera, but they still have that hardware back door. People are working on open source firmware for wifi chips, et cetera. ARM is nice, but ARM laptops and desktops still come at a premium.
So do I see the appeal of an appliance that has incredible performance, battery life, the best exploitation of the hardware on the planet, excellent quality and security? I do, particularly when all aspects of that appliance are in the hands of a company that makes their insane profits from being "premium". So long as their profits depend on being premium, I will trust them, because my trust needs align with their profit desires. When that stops, my trust stops.
Would it be nice if I could run my own choice of OS on it? It would. But sometimes we need a device that gets things done, and in many instances, an appliance is better than the alternatives.
Can I still run pretty much what I want on this appliance, aside from my OS of choice? Yes, I can. So unless I'm interfacing directly with hardware, these appliances mean less work for me.
That's not to say your case isn't valid, but it's easy to see a case for most people having appliances.
JoachimS 3 days ago [-]
One thing I can do when I need an OS that I can mess around with is running a VM, with for example Linux. This allows me to do the things I want in an open OS, while still have the nice appliance-machine. In the VM I can mess around as much as I want, need. I can even checkpoint the VM, saving myself from over-messing.
Yes using a VM means taking a performance hit. But with the latest Apple machines, and for what I do in the VMs, I haven't experienced any lack of performance that annoys me.
One example for what I do is to run double Wireguard tunnels. In MacOS it has been nigh impossibly to get working (and esp not reliably). But works easily in a Linux VM. With this I can proxy through the VM to access remote resources from applications in MacOS.
Tim definitely carries that torch in his own way, but there was something about Steve's presence that made everything feel more… human? Less corporate? Hard to put into words, but yeah, I miss him too. Thanks for sharing that video.
ChrisMarshallNY 4 days ago [-]
One of the things about Tim Cook, that people don’t really talk about (which, IMO, is appropriate), is that he’s openly gay.
Most times, this doesn’t mean anything, but there’s very few demographics that understand the need for privacy and data protection, better than gay folks.
Of course, he’s still at the whim of the Board, and he’s no spring chicken, so there’s no guarantee that his successor would feel the same, but I do believe that he, himself, is legitimately serious about privacy.
lordofgibbons 4 days ago [-]
> Of course, he’s still at the whim of the Board, and he’s no spring chicken, so there’s no guarantee that his successor would feel the same
At the risk of sounding like Richard Stallman, that exactly is the problem with buying into such walled-prison ecosystem of devices. You're at the mercy of Apple pushing an update that can unilaterally take away your privacy and rights.
They already do that with sending hashes of your photos on your iPhone and implement dark patterns to trick you to upload your data to iCloud. Just 1 CEO change away from having them from being a privacy advocate to a privacy nightmare.
brookst 4 days ago [-]
Sure, and every time you eat at a restaurant they could poison you.
This is mainly a concern if you are a high value target likely to be the first person poisoned. For most of us, that’s not true, and a formerly good actor turning evil would be noticed long before it came our turn.
So there’s the idealist “I can’t be sure my favorite restaurant won’t poison me today, so I’m never eating there again”, and the pragmatic “the benefits I get outweigh the slim chance that today is the day they decide to attack boring people like me” outlook.
I’ll never fault someone for being the idealist; the concerns are unfalsifiable. But to me it looks like a rough way to live. Maybe just because I really am that boring so it’s hard to relate to having any super secret stuff that would put me among the first to be attacked.
alwayslikethis 3 days ago [-]
Your analogy doesn't really work because a food poisoning attack is hard to scale (across restaurants, locations) without being detected, whereas one backdoor can compromise everyone all at once if they all have the same software.
If Apple adds a backdoor to their E2EE (by sending their servers the key) via a software update, and they don't do anything with the secrets exposed, they can compromise a large proportion of users over just a few weeks and there is a big chance you'll be among the "first", because the "first" is now a large set.
lukifer 4 days ago [-]
The better analogy might be, "when the morality police call the restaurant, they divulge which table you sit at every day during lunch". And it's also not clear that it would be noticed: national security letters, gag orders, parallel construction, etc.
It's just another principal-agent problem, and I agree that a fully self-sovereign life, with no dependence on trust or agents, is an unrealizable ideal; and, that a decent solution (while not perfect) is reputation stake and aligned incentives, check and check in Apple's case. I too think Cook is sincere, and I trust them as far as I can throw their products, which is to say, a little. (The Apple Tax is so they don't have to rely on a sketchy big-data business model.)
That said, computing and InfoSec have some unique contours, in a way that trusting a mechanic or a lawyer does not. Those can have catastrophic failure modes as well (crashing from a shoddy repair, getting sued based on bad legal advice), but they aren't systemic to society, and have lower switching costs.
And I ultimately think it's a false choice. When it comes to meatspace security, it's possible to have trusted and accountable public institutions, and allow citizens to have some means for self-sovereignty (2A, locked doors). It would be foolish to rely only on one or the other, either as a society or an individual.
So I'm deeply grateful for the Stallman types, pushing forward the capacity for self-sovereignty. Even if it doesn't currently meet my needs from a risk/benefit tradeoff, I still benefit from the ecosystem, and its BATNA, and I look forward to the day I sever my dependence on Apple's ecosystem, whether or not they betray my trust.
alwayslikethis 3 days ago [-]
> a fully self-sovereign life, with no dependence on trust or agents, is an unrealizable ideal
I agree with this part, but relying Apple is quite far from self-sovereignty compared to many other practical alternatives: not relying on external clouds, GrapheneOS, Linux. By relying on Apple, you not only pay a tax to essentially bribe them to not attack you (perhaps a viable strategy, not too different from taxes to governments), but more importantly you give up the ability to resist without serious compromises (can't have E2EE backups on your own cloud if they said so). This is akin to trying to be paying taxes to the government to get better police coverage, and they decide to ban locks, security cameras, and leaving the walled garden.
The problem with the current computing security paradigm is that it puts too much trust in entities that do not deserve it, because the entities are simply too powerful and do not suffer consequences when they break that trust.
lukifer 3 days ago [-]
Fair points, I can't say I disagree, and I'm aware of the trade-offs I'm making. (I was actually tempted to use the word "bribe" when describing the Apple Tax!)
There are a couple meaningful points of divergence in the ecosystem: Mac vs iOS (the former has some self-sovereignty, even if there are risks of backdoors/etc); and, cloud vs not (I mostly avoid cloud usage, iCloud or otherwise, and when I do use it, I treat all content as public).
I agree about the trust problem. Varoufakis might make some valid points re: "Technofeudalism", but then Bruce Schneier was making a similar analogy over a decade ago. I've heard cogent arguments, that early feudalism evolved from rational self-interest, that serfs were willing to trade some degree of autonomy for safety, and it does feel that many "normie" users (especially with iOS) are making a similar rational trade, even if it sets up an asymmetric power dynamic, and risk (inevitability?) of future betrayal.
I'm curious if you have any examples in mind for Apple, re: "do not suffer consequences when they break that trust". IMO, they've done okay at putting actions and costly signaling behind their privacy rhetoric, and I think they'd take some kind of market hit if they were to blatantly break that trust. But I'm curious if you think there are past instances in which that already happened, which maybe I've forgotten or am neglecting, or if it's a threat model of the future.
alwayslikethis 2 days ago [-]
> any examples in mind for Apple
Their image scanning proposal? The recent UK E2EE backup thing?
For the first, although they eventually backtracked, proposing it alone should be ruinous they are actually a privacy-oriented company.
Although the second situation is forced by a government, it is still a self-inflicted problem where iCloud is the only way you can back up your stuff. Not being able to have encrypted backups is a serious QoL issue.
> I mostly avoid cloud usage, iCloud or otherwise, and when I do use it, I treat all content as public
This is also my attitude toward "the cloud" in general.
brookst 3 days ago [-]
I’m kind of with you, but tell me.. who “deserves” trust?
alwayslikethis 3 days ago [-]
Someone with everything to lose if they break it. Most large companies do not. Perhaps smaller companies whose main selling point is privacy? Proton? Signal? I don't use either but they seem relatively plausible.
ChrisMarshallNY 4 days ago [-]
Stallman is a brilliant and passionate chap, but he's also a lifelong academic, and has very different life priorities than people that need to make a living at shipping things.
He's one end of the spectrum, and NSO is at the other end. The best place is somewhere in the middle.
JadeNB 4 days ago [-]
> NSO is at the other end.
I thought I was familiar with the really big players in the privacy/anti-privacy space, but I don't know this one. What is NSO? These guys https://www.nsogroup.com/ ?
ChrisMarshallNY 4 days ago [-]
Yeah. They are about as far away from "freedom" and "privacy" as you can get.
reaperducer 4 days ago [-]
One of the things about Tim Cook, that people don’t really talk about (which, IMO, is appropriate), is that he’s openly gay.
Most times, this doesn’t mean anything, but there’s very few demographics that understand the need for privacy and data protection, better than gay folks.
I used to think this, too. His recent ring-kissing antics have changed my mind. He, too, can be bought for a price.
You don't write a check for a million dollars to a person who is actively trying to decimate the gay community and still get to wear the rainbow flag.
KerrAvon 4 days ago [-]
Genuine question: what would you have him do at that point instead? It’s notable that he did that after all the other billionaires did it. Apple can’t go alone on this, they’d be taken apart by a right wing smear campaign (and possibly violence against Apple stores — how many thousands of Apple employees would be affected?).
Collective action, even in corporate America, is required to beat these people. The failure here is that like-minded execs didn’t preemptively gather to prevent this outcome in the first place. If you want to be unhappy with Tim Cook, be unhappy that he was too politically naive for too long.
9dev 3 days ago [-]
This is the exact mindset the Germans put forth when questioned after the war: What should we have done anyway? We were just following orders. We didn’t know what would happen. They would only have taken us, too, if we resisted.
If a few more of us would have stood up at the time, the world could look very differently today.
reaperducer 3 days ago [-]
Genuine question: what would you have him do at that point instead?
He's a leader. He should lead.
wrycoder 3 days ago [-]
He did
kennysoona 17 hours ago [-]
By bending a knee?
jjtheblunt 3 days ago [-]
who is actively trying to decimate the gay community? honest question!
eleveriven 2 days ago [-]
I do think Tim Cook takes it seriously, though as you said, there's always the question of what happens when leadership changes
musicale 4 days ago [-]
It is weird. Jobs was divisive and (not infrequently) abrasive, and why would you miss a tech billionaire anyway? Yet I also feel indebted to him and to the folks at Apple who helped to produce some of my favorite products like the Mac, the iPod, and the iPad.
Jobs also said a lot of things that still resonate with me. Recently Apple introduced a "classic Mac" screensaver that shows how carefully designed the original Mac GUI was. I'm sure nobody misses the days when app bugs could crash the OS, but I wish Apple were as obsessive now about detail now as they were back then.
neom 4 days ago [-]
Now that I'm becoming an old man, I've taken the time to go back and listen to him properly, to analize his thoughts and words a bit more contextually, and I've come to believe that Steve Jobs was quite misunderstood, both by us, and by himself. When I miss him I think: his thoughts were so very refined for his time, it is quite incredible and I wish he was around to hear more of them. I guess I'm a fan? Oh well...worse things to be.
He's definitely misunderstood. If you read his biography it's incredible how much the author of it misunderstands, but if you read between the lines you can see through them. In particular you should note how he changes before and after getting married.
The biography is really awful though. It constantly misquotes people - Bill Gates is directly quoted as saying something so technically inaccurate he can't possibly have said it.
I also remember that every time his son is quoted it's because he was telling a dick joke. At one point the book claims this is why Apple Park is a circle. Why the author did this is not clear to me.
(Btw, I have an unreported Jobs story about this myself. Actually two. I'm not going to tell them, so feel free to just imagine.)
miki123211 4 days ago [-]
I think "becoming Steve Jobs" is a far better book.
I feel like the official Isaacson biography was trying to tell a story, and would twist facts and reality to fit that story. This certainly makes for entertaining reading, but is not a great way to study history.
Meanwhile "Becoming Steve Jobs" gives the reader glimpses into Jobs's life, often very contradictory glimpses, ones that don't really tell you what to think. It shows you how complex of a person he really was.
al_borland 4 days ago [-]
I don’t remember many details from the biography at this point, but I remember not liking it either. It seemed like it was written with the assumption the reader already knew the about Steve’s more public life and career, and skipped over much of it. It didn’t feel like it would be a good source for future generations to learn about Steve, as it seemed to largely ignore the entire reason a book was being written about him. I also remembering it seeming largely negative, trumpeting the views of critics, and while downplaying the good to balance it out. Though this could also be my memory fading, feel free correct me if I’m wrong.
It was my first Isaacson biography, and didn’t leave me excited for another one.
alpaca128 4 days ago [-]
> I also remembering it seeming largely negative
It definitely was, but at least parts of that must have been warranted given Jobs refused to read it, saying something along the lines of "I know I wouldn’t like what it says"
al_borland 4 days ago [-]
I think that was him trusting the author to be fair and show a balanced view of who he was; maybe that trust was misplaced.
KerrAvon 4 days ago [-]
I second “Becoming Steve Jobs.” It actually gives insight into him, rather than just regurgitating what Isaacson thinks are the facts.
al_borland 4 days ago [-]
Thanks, I’ll check it out.
6stringmerc 4 days ago [-]
I still think about how he tried to cure cancer with crystals and then when that didn’t work he used his wealth to get residency in a different state to jump in line for a transplant and still died before his yacht got completed. I don’t misunderstand him at all. Especially the parking in handicap spaces part. Very easy to understand what kind of person he was through his actions. Perhaps we will never see eye to eye, and I feel posts like yours do deserve legitimate opposition as applicable.
dlivingston 4 days ago [-]
> Do I contradict myself?
> Very well then I contradict myself,
> (I am large, I contain multitudes.)
When you speak ill of Jobs you are speaking on his moral character. When others (incl. myself) speak positively on Jobs, they are speaking on his design, business, and life philosophies, which are quite profound. [0]
How you want to weigh the two is up to you, but it is not a contradiction to say someone contains both good and bad.
The worst part of internet culture is the conflation of simplicity and reductionism. Comments are short, people have different contexts, so there’s an instinct to reduce everything to binary and fight to the death over the binary value.
Worst of all is the false good person / bad person dichotomy that leads to great offense at any slight praise for someone the reader has decided is a bad person, or any slight criticism of someone the reader has decided is a good person.
I can’t think of anything less fruitful than arguing over whether a public figure’s personal plus professional life makes them a 100% good person or 100% bad person. It’s strange the conversation ever happens, and yet it’s so incredibly common.
colechristensen 4 days ago [-]
Ok, but more or less everyone is going to have a few things about them that you’re not going to like. When your whole life is up for scrutiny and you have unlimited resources, that’s how it is. If you had a billion dollars there’d be plenty of things people would criticize about you. And anybody else who did too.
al_borland 4 days ago [-]
He didn’t jump the line, he just got in multiple lines.
hansvm 4 days ago [-]
Sure. On the one hand, everything adhered to the letter of the law. On the other, he used his money to get served before other people in an otherwise similar position would have been able to do.
I personally view that as more of a failing in the system itself (why are there multiple lines to begin with when organ transport is a solved problem?), but it's not unreasonable to look at somebody exploiting that broken system and question their character.
auggierose 4 days ago [-]
I know very few people who would't use their wealth to try to save their lifes, or that of their loved ones. It's kind of what wealth is for.
hansvm 3 days ago [-]
It's the "at the expense of others" thing that makes it more morally grey, and the chain of cause and effect is short enough that people sometimes get up in arms about it.
For some other actions on some sort of badness scale, we have:
- Murdering people for your spare organs. Parts of China do this (somebody survived and escaped recently, so it's stirred things up a bit). Most people think this is very bad.
- Paying for somebody's organs (similar to prostitution at some level, though banned much more frequently than sex work -- if society is structurally so unequal that sacrificing part of your life for a pittance is actually attractive, that reflects poorly on that society, and we try to ban.the rich and powerful from using that power to create scenarios more like my first point).
- What Jobs did. It's technically legal, but he necessarily got an organ before somebody else for no other reason than that he had money. Did that somebody else survive? Who knows. If you factor in that it was actually many people who were displaced, did all of them survive? Unlikely. Organ donations are already fraught with ethical issues and strongly held convictions, and I'm not at all surprised that a number of people would be upset at this.
sapphicsnail 4 days ago [-]
You know that's still bad right?
brookst 4 days ago [-]
What’s the point of making a moral judgment about a bit of human nature that literally everyone in earth shares? It doesn’t make you or me superior to condemn it; we would do the same. So… what does “bad” even mean in this context?
auggierose 4 days ago [-]
If it is bad to use your money to legally buy yourself advantages that other people cannot afford to buy, then capitalism is bad.
Do you think capitalism is bad?
globular-toast 4 days ago [-]
Why do you only pay the minimum amount of tax?
elygre 4 days ago [-]
> Why do you only pay the minimum amount of tax?
You didn’t pose the question to me. And yet.
Very many people don’t. We know there are constructs that would enable us to pay less, yet we choose to not pursue them. We are part of a society that enables us to be what we are, why should we strive to give as little as possible in return?
(And yes, we also don’t send extra money. This is not a contradiction.)
globular-toast 4 days ago [-]
> We know there are constructs that would enable us to pay less, yet we choose to not pursue them.
Only because you don't want to put the effort in to pursuing it. If I told you you could reduce your tax bill by 20% by spinning round in your chair one time I doubt you (or anyone else) would decline.
Every entity generally seeks to take as much as they can and give back as little as they can. Individuals are generally a little less extreme, in my experience, with corporations being the worst.
eesmith 4 days ago [-]
I would not.
My taxes are not a burden on me. While on the other hand, the local politicians have sought tax cut after tax cut, causing the library to limit services, the schools to cut down on teaching staff, infrastructure maintenance delays, less funding for local social services and city events, and more.
My paying an extra 20% wouldn't fix things, as adding to the general budget would end up simply reducing taxes further, instead of everyone sharing the load.
I hate that I've starting getting involved with local politics. I would rather code.
Or, following your self-centric analysis, I would put the effort into raising my taxes by 20% since the collective benefits give me much more than what I can do individually.
1oooqooq 4 days ago [-]
because we all live paycheck to paycheck, to fund wars and Tesla carbon rebates.
While he could have funded a new hospital and not even change his tax bracket.
al_borland 3 days ago [-]
There are multiple lines because when an organ comes up, it can only last so long, so a person needs to be able to get to the hospital without a certain period of time. Usually this means driving distance. When you have a private plane, the distance expands. The organ still goes to the most sick person in line, not the one with the most money.
I was at a talk with Martine Rothblatt several years back, who created a startup for 3D printed organs. They ended up also building electric helicopters to transport those organs, because the transportation bottleneck was a huge issue.
I try not to judges peoples character when they’re looking death in the face. No one really knows what they’ll do in that scenario. Most people who can save their own life will. This was the premise of the movie SAW… how far are you willing to go to save your own life? How strong is your survival instinct? Most people are never tested, and it’s easy to sit back and judge, but would you just sit back and die? How do we even know there was someone else in line behind Jobs? It could be that he got an organ that would have otherwise been wasted.
orangepanda 4 days ago [-]
Pancreatic cancer is known for being incurable, even in the best of circumstances, early diagnose or not. Having witnessed a family member go through the same thing, I understand Jobs's reaction of trying literally anything else.
eecc 4 days ago [-]
Sorry for your loss.
Though SJ "He was diagnosed with insulinoma, which unlike other pancreatic cancers, is curable and can be treated with surgery."
Well, given apparently the posts in this thread reveal me to be an "manic crazy person" (or such I inferred) - I suppose I'll add to it then by saying: I too have read and understood Yogācārabhūmi-Śāstra. I hadn't thought much about it till today, but, I suspect, will do as Steve did. :) :)
pstuart 4 days ago [-]
There's plenty to not like about Jobs as a person, but Apple exists because of him (twice).
joseppudev 4 days ago [-]
[dead]
pepinator 4 days ago [-]
[flagged]
APPLE_LOVER 4 days ago [-]
[flagged]
perfmode 4 days ago [-]
Jobs was more than a tech billionaire. He was someone who had refined personal taste and stood on values and was willing to do what it took to see them through, despite the friction.
And the outcome was a computing company that was waaaay less mediocre than 99% of these other memetic, mediocre gradient-descent chasing privacy-abusing, ad-supported companies.
Apple has raised the bar so high. And the DNA of what is manifesting is Steve’s insistence and vision followed by Tim’s clarity of execution.
Look at the Apple Architecture moves. They got Intel’s hot, slow CPUs out of the device. And replaced them with excellent, quiet, fast, efficient CPUs, with UMA and great features.
It’s hard to nail every detail when you have the surface area of Apple 2025. A huge huge company with billions of users and dozens of device families and services. But the bar is high for most of what they do.
dlivingston 4 days ago [-]
I think of Apple like I think of Disney: _consistently good_ products. Maybe not the best in all the things all the times, and some duds from time to time, but if you blindly hit "play" on a Disney movie you're going to be watching something at least pretty good.
musicale 1 days ago [-]
And I need to be more obsessive about proofreading before HN's editing timeout expires.
eleveriven 4 days ago [-]
It's not just about the products themselves, but the philosophy behind them. He had this relentless obsession with making technology feel right (it is all from my perspective)
baggy_trough 4 days ago [-]
> why would you miss a tech billionaire anyway
Because we miss new instances of the great products they created to earn all that money.
astrange 4 days ago [-]
I could easily be wrong about this but I don't believe Jobs or anyone else at Jobs-era Apple became a billionaire because of it. Because of early infighting/getting fired, ownership was too dispersed for that.
He became a billionaire because Disney bought Pixar.
baggy_trough 4 days ago [-]
[flagged]
-__---____-ZXyw 4 days ago [-]
> It's so weird, but I really miss Steve.
When I see the sincere sentiment sometimes expressed towards Jobs, I wonder if something similar is being tapped into when people - often tech people - use and experience LLMs.
To put it a bit bluntly, it almost feels like there's a mystical or religious element to it. As if we desperately want there to be miracles, and oracles, and god-like, caring men who can provide us with beautiful products, and rituals, and a future where everything is sleek and bountiful and timeless. As if some spiritual "hole" were being filled.
I don't mean to disparage anyone who feels fondly towards Jobs or LLMs, I'm merely sharing an observation of mine.
9dev 3 days ago [-]
If you haven’t, I recommend reading Harari, specifically Homo Deus and Nexus. He writes at length about what he calls dataism, a new kind of religion filling the void liberalism and enlightenment left in us. Good reads.
yalogin 4 days ago [-]
Sorry I am sure the article about enclaves triggered this thought about Steve for you. I cannot how one led to the other, can you may be tell us?
neom 4 days ago [-]
hehe, it's a good question. When you get to scale, you realize you got there because a lot of humans put you there. It's part of why scaling is hard, business is an art and science that juggles the value exchange between us in society. People still here on hackernews are angry at me personally for decisions at digitalocean, in retrospect, I wish I'd handled the wipe disk thing that happened better, for example. It's both very easy and very difficult at the same time to build a business while trying super hard to love (really actually love as humans love!!!) your customer because many many things want to prevent you from loving your customer (I have government stories too, many of us do). At the end of the day, they are doing the real work, like, the real real stuff, they don't have to, I mean, they don't right? But they will, because it's the right thing to do, because Steve said so. apple here, have taken extraordinary engineering effort to say even if you compel us, we physically can’t give you access to their diary. That is to be commended, and that, is Steve Jobs.
transpute 4 days ago [-]
Thanks for the Steve Jobs clip and this valiant comment on complex subjects.
therein 4 days ago [-]
[flagged]
neom 4 days ago [-]
Me?!? I don't even drink alcohol. I'm just being expressive, last I checked it was allowed??
shuckles 4 days ago [-]
Commenters are getting increasingly cynical on here. I wouldn’t worry about it.
neom 4 days ago [-]
If we lose a bastion of being able to speak quite freely in front of other intelligent humans, that will be a shame.
sevg 4 days ago [-]
Don’t worry, the more reasonable of us on HN helped to flag that troll comment into oblivion.
Thanks for sharing your story.
therein 4 days ago [-]
[flagged]
therein 4 days ago [-]
I never said I disapprove.
SSLy 4 days ago [-]
that's how it looked
stavros 4 days ago [-]
Don't worry about the trolls, everyone else just flags them.
bowsamic 4 days ago [-]
[flagged]
api 3 days ago [-]
They seem like the last big PC company where PC actually stands for personal computing. It’s a left over from old Silicon Valley, the one steeped in human potential ideas with a sprinkling of actual as-in-individual-liberty libertarianism.
RIP
lern_too_spel 4 days ago [-]
Steve believed at his core that locking down devices was the best way to extract business value from users. That's why you can't install any apps without telling Apple or get your location without sending it to Apple. He also believed very strongly in good marketing, and he jumped on privacy marketing very quickly after the Facebook - Google privacy spat that coincided with the failure of iTunes Ping.
vlovich123 4 days ago [-]
The company shift to privacy was more about getting pulled in front of Congress over the location data being accessible via USB as part of iTunes backup:
Source: people who were at Apple during that time period.
I think people underestimate how traumatic it was culturally to Apple and how Apple generally experiences comparatively little turnover vs their other major tech peers, so the responses to those traumas linger. Same with the brouhaha over the CSAM tech that they attempted to bundle into the iPhone that ostensibly was trying to preserve your privacy and they instantly got smacked down over it.
astrange 4 days ago [-]
> He also believed very strongly in good marketing, and he jumped on privacy marketing very quickly after the Facebook - Google privacy spat that coincided with the failure of iTunes Ping.
I have two thoughts about this.
One, if you tell yourself a story strongly enough, it becomes real. Especially when you can structure the company to force it to become real.
Two, "marketing" is usually used disparagingly to mean something like "advertising that brainwashes customers into wanting something", but it's more like "knowing what people are going to want by the time it's ready to ship". It doesn't necessarily even include advertising. So in this case people do want privacy.
Kudos 4 days ago [-]
> "knowing what people are going to want by the time it's ready to ship"
Isn't that Product rather than Marketing?
astrange 4 days ago [-]
Same function at Apple. There isn't a separate "product" division and there aren't "PMs" with power (though there are some job site postings for them… in the marketing division.) That doesn't make sense at a functionally organized company where the execs and designers decide everything - Jobs and Ive were the "product" people.
IIRC the advertising people are called Marcom or "marketing communications".
brookst 4 days ago [-]
Some companies run this as “inbound marketing” (collecting needs, understanding market size) versus “outbound marketing” (advertising, conferences).
nedt 4 days ago [-]
The first iPhone didn't have an app store and the idea was to just use websites and later install webapps. On that there is no control whatsoever, so no I don't think the original idea was to lock down the devices for business value.
lern_too_spel 3 days ago [-]
The two examples I gave are where locking a device down to extract value from customers conflict with privacy for those same customers. The former won years ago, and there has been no change since.
The iPhone had to add an app store because there were some apps that users couldn't build on the web at the time. They since allowed apps, but those apps are restricted to a proper subset of the APIs that first party apps get.
IncreasePosts 4 days ago [-]
That seems very unlikely since nothing of that sort was ever attempted by Jobs on their desktops.
rat87 4 days ago [-]
I'm not sure it's so much about extracting value exactly but Jobs long believed in making sealed appliances that people couldn't and wouldn't have to tinker with as opposed to more easily modify able computers sold by competitors
> Expandability, or the lack thereof, was far and away the most controversial aspect of the original Macintosh hardware design. Apple co-founder Steve Wozniak was a strong believer in hardware expandability, and he endowed the Apple II with luxurious expandability in the form of seven built-in slots for peripheral cards
...
>This flexibility allowed the Apple II to be adapted to a wider range of applications, and quickly spawned a thriving third-party hardware industry.
...
> Apple's other co-founder, Steve Jobs, didn't agree with Jef about many things, but they both felt the same way about hardware expandability: it was a bug instead of a feature. Steve was reportedly against having slots in the Apple II back in the days of yore, and felt even stronger about slots for the Mac. He decreed that the Macintosh would remain perpetually bereft of slots, enclosed in a tightly sealed case, with only the limited expandability of the two serial ports.
> Mac hardware designer Burrell Smith and his assistant Brian Howard understood Steve's rationale, but they felt differently about the proper course of action. Burrell had already watched the Macintosh's hopelessly optimistic schedule start to slip indefinitely, and he was unable to predict when the Mac's pioneering software would be finished, if ever. He was afraid that Moore's Law would make his delayed hardware obsolete before it ever came to market. He thought it was prudent to build in as much flexibility as possible, as long as it didn't cost too much.
> Burrell decided to add a single, simple slot to his Macintosh design, which made the processor's bus accessible to peripherals, that wouldn't cost very much, especially if it wasn't used. He worked out the details and proposed it at the weekly staff meeting, but Steve immediately nixed his proposal, stating that there was no way that the Mac would even have a single slot.
> But Burrell was not that easily thwarted. He realized that the Mac was never going to have something called a slot, but perhaps the same functionality could be called something else. After talking it over with Brian, they decided to start calling it the "diagnostic port" instead of a slot, arguing that it would save money during manufacturing if testing devices could access the processor bus to diagnose manufacturing errors. They didn't mention that the same port would also provide the functionality of a slot.
>This was received positively at first, but after a couple weeks, engineering manager Rod Holt caught on to what was happening, probably aided by occasional giggles when the diagnostic port was mentioned. "That things really a slot, right? You're trying to sneak in a slot!", Rod finally accused us at the next engineering meeting. "Well, that's not going to happen!"
> Even though the diagnostic port was scuttled, it wasn't the last attempt at surreptitious hardware expandability. When the Mac digital board was redesigned for the last time in August 1982, the next generation of RAM chips was already on the horizon. The Mac used 16 64Kbit RAM chips, giving it 128K of memory. The next generation chip was 256Kbits, giving us 512K bytes instead, which made a huge difference.
> Burrell was afraid the 128Kbyte Mac would seem inadequate soon after launch, and there were no slots for the user to add RAM. He realized that he could support 256Kbit RAM chips simply by routing a few extra lines on the PC board, allowing adventurous people who knew how to wield a soldering gun to replace their RAM chips with the newer generation. The extra lines would only cost pennies to add.
> But once again, Steve Jobs objected, because he didn't like the idea of customers mucking with the innards of their computer. He would also rather have them buy a new 512K Mac instead of them buying more RAM from a third-party. But this time Burrell prevailed, because the change was so minimal. He just left it in there and no one bothered to mention it to Steve, much to the eventual benefit of customers, who didn't have to buy a whole new Mac to expand their memory.
kalleboo 3 days ago [-]
> Jobs long believed in making sealed appliances that people couldn't and wouldn't have to tinker with as opposed to more easily modify able computers sold by competitors
But at the same time he was also very proud of the PowerMac G3/G4 case which could be opened at any time (even when it was on) with the side being hinged with a prominent, friendly finger loop.
I would particularly like to highlight the work of Dataflow Forensics and their much more advanced work dissecting SPTM without the benefit of source code. I enthusiastically await their promised blog post about exclaves and hope they will answer many of the remaining questions, provide gory disassembly explanations, and correct all my mistakes and assumptions!
saagarjha 4 days ago [-]
They are being polite. The Dataflow blog post barely goes beyond running strings.
Yes, they're saying that there's some stuff they didn't cover, and they hope the Dataflow people will. But the first couple didn't really answer much so I'm not particularly hopeful.
metadat 4 days ago [-]
100% agree.
The discussion has been underwhelming:
I read TFA and wasn't sure what to even make of it.
gnabgib 4 days ago [-]
That is underwhelming! (But also.. that's *this* discussion.. and the other discussion is already linked by GP.. so I'm not really sure what you're aiming for here)
metadat 4 days ago [-]
Only attempting to share information. Is there an unstated next step (or next-next step) given Apple's moves?
P.s. @gnabgib thanks for all your excellent dupe postings! I used to do a lot but life got busier. You are appreciated.
Edit: @thrdbndndn: My bad, yes this submitted article is the one that sucks. Thank you! If you delete your reply it will make things less confusing, but no worries and best wishes.
thrdbndndn 4 days ago [-]
He's saying you're posting the HN URL of this very discussion to.. this discussion.
4 days ago [-]
GeekyBear 4 days ago [-]
An overview from that piece:
> exclaves refer to specific resources that are separated from the main kernel (XNU) and cannot be accessed by it, even if the kernel is compromise
Also interesting:
> It’s not uncommon for mid-cycle releases of macOS to gain new features in preparation for the next major version. Perhaps the most fundamental and significant added to Sonoma 14.4, together with iOS 17.4, iPadOS 17.4 and watchOS 10.4, are exclaves.
> In macOS 15 and later, creation of a VM running macOS 15 or later can configure an identity derived from the host Secure Enclave, enabling access to resources requiring Apple ID including iCloud. This is accomplished using an exclave of the Secure Enclave.
This is not correct
kennysoona 17 hours ago [-]
How is it incorrect?
lambdaone 4 days ago [-]
I'm quite surprised that they use a secure exclave to control the physical camera LED - this is absolutely massive overengineering to do something very simple.
A tiny bit of hardwired dedicated logic integrated into the camera module would be more than adequate to do this - just gating of either the digital I/O or the power to the camera, and a pulse-stretcher so the LED goes on for at least a few seconds each time to prevent an attack by rapidly flicking the camera logic on and off.
A similar circuit for the microphone with a different-coloured physical LED - not just a software-controlled dot on the screen - would be a good idea too.
brookst 4 days ago [-]
It gets complicated. “The camera” is a bunch of parts. You’d probably want to key off of the CMOS sensor power, but that has several power levels for standby, sleep, idle. So your hardware circuit would likely to know current, not just voltage. Or maybe go upstream and parse the I2C (or whatever) messages signaling power mode changes?
And then your LED driver would need to know screen brightness (or connect to the ambient light sensor) because you want to be bright enough to see in direct sunlight, but that level of brightness would be unpleasant (and maybe screw up legit camera use) in low light.
So if you believe your SK is secure, you can do a better job more simply by using it. And if you don’t think SK is secure, all bets are off anyway.
runjake 4 days ago [-]
It’s not over engineering. It’s because of research like this, along with other researchers like Charlie Miller.
Apple generally isn’t out to make things willfully overcomplicated without good reason.
All of which is fantastic, until you can't trust Apple because they are under a secret obligation to disable that feature. Non-programmable hardware gating the I/O lines or power isn't hackable in the same way.
runjake 3 days ago [-]
From the thread I linked:
> On Macbooks made after 2014, no firmware is involved
andrewcl 4 days ago [-]
You have to wonder if it is over engineering, or a resolution for something they've discovered from shipping so many phones. I wouldn't think of the camera as a security vector, but maybe Apple thinks it is?
TheNewsIsHere 4 days ago [-]
The camera and mic are generally regarded as security sensitive because of the possibility that they can be used to surveil. That’s why it’s a selling point to have physical hardware or hardware-bound controls or indicators that can’t be bypassed by the OS.
I think it’s not just the camera LED, but the indicators that appear on screen, like the amber, green, or blue dots that appear in the menu bar when the microphone, camera, or screen recording are accessed by apps.
jjtheblunt 4 days ago [-]
You can’t just add circuits and discrete components like an extra led without screwing up RF sensitivity. Cf. “Rf desense”, for example.
supriyo-biswas 4 days ago [-]
> just gating of either the digital I/O or the power to the camera, and a pulse-stretcher so the LED goes on for at least a few seconds each time to prevent an attack by rapidly flicking the camera logic on and off.
They'd be unable to roll out the feature to older iPhones if they did this.
I guess for newer iPhones this is not as big of a deal since they have a big-ass notch anyway, however Apple also has a large customer base that only buys their older products (like me), and saying that their older products have worse security than their newer ones is probably not the kind of message they want to send, even if it might potentially get them some new sales.
0cf8612b2e1e 4 days ago [-]
What product line anywhere says, “Buy our old models, just as good as the latest!”
api 4 days ago [-]
What if they want to add Face ID to the Mac but have the camera light not illuminate for that internal function, since that can also be developed securely so that nothing in user space can access the camera during that query.
MBCook 3 days ago [-]
FaceID doesn’t use the standard visual camera.
It’s (for example) similar to the Kinect. It projects a pattern of structured light in IR then looks at that with an IR camera to be able to determine depth.
yalogin 4 days ago [-]
Who is this author? It’s a very elaborately, well written post. Great job. Having followed exclaves myself this is well done
eleveriven 4 days ago [-]
This was an incredibly well-researched and well-written deep dive. It's rare to see such a thorough breakdown of something as technical as exclaves while still making it engaging to read.
fedxc 3 days ago [-]
I see exclaves as a significant but intermediate step. Apple is making XNU less of a liability, but they're still playing defense instead of fully embracing a microkernel architecture.
If I had to bet, exclaves will be a bridge to something bigger, either a more modular OS (like Fuchsia) or a CHERI-inspired security model where memory safety is enforced at the hardware level.
Apple is leading the pack in consumer OS security, but exclaves are a patchwork improvement rather than a total rethinking of system design. That said, this is probably the biggest security shift in mainstream OS design in the last decade, and it will take years before we see its full impact.
3 days ago [-]
JoachimS 3 days ago [-]
I see it as a way to move back to the micro kernel it once was - with modern solutions and new requirements. Security was much less of a concern when Mach was created. With the insane performance we now get in the machines, the overhead caused by the micro kernel process communication may well be negligible.
kennysoona 4 days ago [-]
I wonder how this compares to Linux Virtualization based Security?
From the page[1] with the video: a security feature that can a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the kernel gets compromised. VBS uses hardware virtualization and the hypervisor (Hyper-V) to create an isolated virtual environment that runs as a higher trust level, called Virtual Trust Level 1 (VTL1). VTL1 has its own kernel, separate from the Guest kernel, referred to as the Secure Kernel.
I'm not familiar with that level of knowledge, but from the look of it you can attack the enclave itself to escalate privilege higher than the kernel enjoys? Is this piece of hardware something like a co-processor?
saagarjha 4 days ago [-]
An exclave isn’t hardware, it’s an isolated piece of software that deals with a certain sensitive operation that you don’t want the kernel to have access to. So if you exploit it, then yes you have access to something that the kernel doesn’t–but that’s the point, because the goal is if you exploit the kernel you shouldn’t get access to that.
alfiedotwtf 4 days ago [-]
If it’s all in software but the kernel has lower privileges, I’m curious how they’ll be able to update it? And if there is an API to update via the kernel, what’s stopping a push via a malicious source pretending to be Apple?
saagarjha 4 days ago [-]
I don't think it is accurate to say that the kernel has lower privileges. It's just something the kernel isn't allowed to do, while the exclave has a list of things it isn't allowed to do. Also exclaves are shipped with normal software updates (verified by the boot chain, not the kernel).
brookst 4 days ago [-]
Less than entirely confident stab (someone please correct if I get this wrong):
- Exclave exposes a small set of functions that kernel may call for sensitive operations
- One of those is “update exclave”. The input to this is a blob signed with Apple’s private key.
- Exclave verifies signature, so a compromised kernel and push a malicious update
How the exclave gets Apple’s public key is a little opaque to me. One way would be to have the exclave have its own (per device or per global version) private key, but client side private keys are very high risk.
Alternatively, perhaps some elaborate set of baked-in public keys for Apple and a way to validate a CRL?
MBCook 3 days ago [-]
I would think the Secure Enclave would handle such things.
That said I’m not sure what you or GP mean by “update exclave”. It’s just part of the kernel binary loaded up at system start. Wouldn’t it be updated the same way the rest of the kernel is, probably requiring a restart?
brookst 3 days ago [-]
No, because that way a rogue kernel could overwrite the exclave itself and the next reboot would be insecure. You can’t trust a low-trust environment to update a high-trust environment.
MBCook 3 days ago [-]
Is that why everything is cryptographically secured in the boot chain? To ensure only trusted code is loaded?
kennysoona 17 hours ago [-]
Exactly.
vintagedave 4 days ago [-]
I'm a little confused reading the article on how exclaves are related to the Mach kernel. Is there a second, parallel seL4 kernel running on the same chip? If so, how do two kernels execute at the same time?
> To allow for execution of exclave Services while isolated from XNU, Apple has introduced a new kernel called the Secure Kernel (SK).
Or do exclaves run on a separate chip, like Secure Enclaves-with-a-N do? (The article said not to confuse the two.)
For now, I think existing exclaves such as the one that displays the camera indicator do not really apply to macOS (since MacBooks have dedicated hardware for that), but in the future there might be exclaves that do.
wtallis 4 days ago [-]
> since SPTM is not used according to Apple documentation:
Try reading that footnote again:
> Note 2: Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) enforce the execution of signed and trusted code on all platforms with the exception of macOS (because macOS is designed to run any code). All of the other security properties, including the protection of page tables, are present across all supported platforms.
It doesn't say macOS doesn't use SPTM. It says macOS doesn't use SPTM to prevent running unsigned code, since macOS is supposed to allow unsigned code (after the user jumps through some hoops).
saagarjha 4 days ago [-]
That document is wrong and has been wrong for years (FB13803014)
teknologist 4 days ago [-]
I wonder if it's possible for app devs to use Exclaves. The thing that irks me about Apple is that they invent this new amazing internal stuff but then completely wall it off from devs, leaving everyone else (banking apps, wallets, secure messaging, etc.) to continue running in unsecured user space.
mike_hearn 4 days ago [-]
They don't do that. Apple userspace has continually got more secure too.
One simple example: recent versions of macOS run all apps inside a sandbox, even those that don't opt in. One thing the sandbox blocks is apps modifying each others files, which up until then had been a major weakness of the security system (signatures of a bundle were checked at first-run, but not on every execution).
dwaite 4 days ago [-]
My understanding is no with the current design - exclaves are built into the overall OS and started as part of the boot process, so they are relatively static. I suspect these components have static relationships for security reasons.
They are also kernel-to-kernel currently, so third party support would likely be limited to implementing things like secure device drivers. However, Apple has been trying to push third party drivers to user space, not to the hypervisor. Based on that migration happening in parallel with this development, I do not suspect they plan to pivot and have third party driver developers use exclaves.
It is pretty common for Apple to do significantly more stabilization of kernel-imposed platform features like this internally before exposing to third parties (see also pointer authentication a la arm64e).
saagarjha 4 days ago [-]
Currently no.
prolefeed 3 days ago [-]
I enjoyed the obvious references to The Expanse in the naming of secure/insecure world transitions (Ring Gate) and the RPC framework (Tightbeam)
talkingtab 4 days ago [-]
Reference to Mach for historical reasons. Using IPC instead of traps.
My crusty squinty morning eyes read that as
“ it can lead to a complete system compromise, as all the operating system’s functions are bundled together in the kernel’s single “breakfast of eggs”.” .. now I wish this was the idiom.
cantrecallmypwd 3 days ago [-]
seL4 is awesome for its formal engineering. One of the main gotchas though with purer (less hybrid) microkernel architectures is the coordination of transactions that touch multiple services, i.e., a system call or event that touches multiple hardware areas and must execute rollback code should any one of them fail.
saagarjha 4 days ago [-]
> Apple may use SPTM to manage transitions between the secure and insecure worlds
This, because they don’t have TrustZone
seventh12 4 days ago [-]
Why Apple doesn't use TrustZone?
saagarjha 4 days ago [-]
You'd have to ask them. My general guess is they design their own stuff first and then try to get it standardized.
brcmthrowaway 4 days ago [-]
What impact does this have in the user
saagarjha 4 days ago [-]
It makes your device more secure.
4 days ago [-]
ZebraDude 4 days ago [-]
Very interesting
api 4 days ago [-]
We could have avoided so much hardware and OS complexity if we'd instead (mostly) discarded the idea of shipping and running compiled code directly on the hardware.
TL;DR: we are doing things in hardware that ought to be done in software, and we're giving software too close to metal access.
User mode should be something like the JVM, but more language-neutral, something based around WASM for example. The runtime for this should ideally be written in a memory safe language and very extensively tested. User mode code should not have access to raw pointers, raw CPU, etc.
If we'd done this we also could have elevated things like the common API beyond the lowest common denominator of C. We used to have a ton of research and some fielded systems like this: Smalltalk, LISP machines, the JVM, the CLR, etc. The JVM and the CLR are still quite alive and well but the HN world seems to hate them for some reason. Smalltalk and efforts like the LISP machines died out.
sroussey 3 days ago [-]
MS had a research project that built an OS from CLR.
One of the great things about it (in my opinion) was the lack of context switching. It broke a fundamental assumption about how an OS should work. It could also do global optimizations.
api 3 days ago [-]
Oh yeah, forgot about that: you can do profile guided optimization on the entire running image of code in the machine.
I wonder how much of a boost you'd get for that? I'm sure it would depend on the work load.
jandrewrogers 4 days ago [-]
So your solution is to nerf the computer in terms of both performance and functionality? There is a lot of software that cannot be properly written without being very close to the metal e.g. database kernels.
api 4 days ago [-]
There would almost certainly be an escape hatch, but it would require user approval to run native code. It would probably be in the form of libraries that could be 'blessed' to run native. The vast majority of software does not need this.
cytocync 3 days ago [-]
[dead]
curtisszmania 4 days ago [-]
[dead]
Cheng2023 3 days ago [-]
[dead]
Cheng2023 3 days ago [-]
[dead]
hello_computer 4 days ago [-]
Apple works wonders protecting their plantation, but what protects you from them? Have any of you pondered the prospect of “the last geohot”?
vintagedave 4 days ago [-]
I had to google. There's a hacker called geohot, is that what this comment is referring to?
Could you explain what you mean more please?
hello_computer 4 days ago [-]
he was the first to jailbreak the iphone. where do you see things going when they release an un-jailbreakable iphone?
vintagedave 4 days ago [-]
They're pretty close now, and I'm increasingly dissatisfied with software on both iOS and macOS.
The privacy features for messaging and cloud storage, plus not having to worry (as much) about security as I might with Linux, are the only reason I still use Apple. Every year I get more and more disappointed though. More and more nostalgic for the Apple software I used to enjoy using.
kazinator 4 days ago [-]
If most of the stuff the user cares about is inside the "Insecure World" bubble of the diagram, then this whole business is, like, for shit.
It serves only the platform provider, who can decide which programs may or may not be installed based on whether they are aligned with or against their competitive interests.
sollewitt 4 days ago [-]
This is about process privilege. Apps and services are a layer above.
vermilingua 4 days ago [-]
This is just plainly false. Passkeys, biometrics, app permissions, and a suite of other user-centric privacy features have clear benefit from strong isolation from an "insecure world" kernel.
hedora 4 days ago [-]
How so? Isn’t this just the xkcd authorization model?
I tried to read the article, and know what all the words mean (sel4, enclaves, virtualization primitives, etc.).
It all seems very complicated and error prone, but I couldn’t figure out what the attack model is, or what the security objectives are.
Eg, what sorts of things run in exclaves, and under what circumstances will a persistent kernel level compromise on my laptop protect those things?
lxgr 4 days ago [-]
Delegating key derivation and/or password validation, combined with secure UI state indication, to a more secure execution environment can be a big win for security, for example.
I could imagine a passkey implementation with some extensions that allow securely presenting what the user is consenting to and how ("enter your payments PIN or password now to confirm a payment of $x to merchant y").
It's of course even better to do that in tamper-proof security coprocessors such as Apple's secure enclave, but TEEs have the big advantage of having access to much more memory and faster processing, which allows doing more complicated things there more easily.
They can also always lean on the secure hardware for actual key management, but handle more complex user interface operations in an environment that's still more secure than the main OS.
Android has supported something just like that years ago with "protected confirmation" [1], but unfortunately it's only available on Pixel phones and hasn't really been picked up by app developers as a result; the situation for Apple is of course very different, so I have some hopes that if they launch something comparable it could actually see some adoption.
Apple is already using the secure enclave for key derivation, PIN/password rate limiting etc. (that’s what it’s for), but my point is that there’s currently a gap in that you can often not really know if you are actually talking to the secure enclave or OS-level malware.
saagarjha 3 days ago [-]
Secure PIN entry
lxgr 3 days ago [-]
How? The secure enclave doesn't have any trusted input/output capabilities other than the power button double click and biometrics. The PIN isn't entered via these.
hedora 3 days ago [-]
Also, can't you just get the pin from the accelerometer? (It may take a few tries, but this was shown by academics a while back.)
timewizard 4 days ago [-]
What he misses is "tamper evidence."
In order to do those things I have to actually steal his laptop. Which would be obvious to him. It also implicates me.
If I could just remotely install a driver I don't need to worry about any of that and I can steal remotely and anonymously.
hedora 4 days ago [-]
Can’t you just remotely install a keylogger (e.g. a modified version of zoom)?
timewizard 4 days ago [-]
If it's running as their user account then they can see it and remove it. The point of the admin account is to prevent this by obfuscation and permission hijack.
vlovich123 4 days ago [-]
The most likely attack model I can imagine is that a jailbroken phone still won’t be able to violate certain functionality (eg a recording LED remains lit, various supervisor functionality can’t be disabled, etc)
hedora 4 days ago [-]
Oh; so the camera LED and camera data path would run a remote attestation protocol with the exclave, and the exclave would make sure the led is on whenever it’s forwarding on data from the camera?
(Though I’m not convinced that will actually work on modern apple devices, where the led is pixels that run through the compositor — I guess the video driver stack and window managers are also exclaves in this world?)
lxgr 4 days ago [-]
I'm not sure how complex modern display controllers are, but I could imagine a simple priority hardware overlay functionality that an exclave has access to (similar to the dedicated "cursor overlay" functionality some older GPUs had, as far as I understand).
Once you have that, you can take the idea further: Displaying an indicator that confirms that all your keystrokes are going to an exclave validating your password, for example.
The much-hated touch bar actually enabled just that, for Apple Pay payments, as far as I remember: It could display something like "touch to confirm payment of $x" on its own screen in a way that was impossible to manipulate from macOS – now here's an opportunity to bring that level of security back without requiring a dedicated display or taking away people's beloved function keys.
sroussey 4 days ago [-]
They should have done half height function keys and kept the Touch Bar. Best of both worlds.
grahamj 4 days ago [-]
The article mentions the display controller runs an Apple OS so I could see there being a secure way for an exclave to call into it for the onscreen indicators.
I would expect that to mean they're not included in screenshots so I'm curious now whether that's true for the iPhone 16.
Rendered at 05:36:45 GMT+0000 (Coordinated Universal Time) with Vercel.
Recent Apple phone and laptop SoCs include hardware support for nested virtualization, including the M4 iPad Pro where an exclave is used for the camera LED. Hopefully the next revision of the Apple Platform Security guide will cover SK exclaves and baseband mitigations for Wi-Fi radar sensing, https://help.apple.com/pdf/security/en_US/apple-platform-sec...
> Apple specific additions to SPTM
SPTM reverse engineering, https://www.df-f.com/blog/sptm3
> or most likely via ARM’s TrustZone technology. The XNU source code contains several references regarding transitions to and from TrustZone’s concept of a secure world150+ TrustZone CVEs, https://www.cve.org/CVERecord/SearchResults?query=trustzone
> it’s a defensive effort on a larger scale than any other end user device manufacturer is currently attempting
Google implemented pKVM on Pixels with hardware nested virtualization a few years ago, and upstreamed the code to Linux mainline, including cooperative de-privileging of TrustZone relative to pKVM L0. But they have not announced defensive features using pKVM/AVF, outside of Debian "Linux Terminal" VM.
It’s important to note that most of those CVEs are to do with vulnerable software that manufacturers put in the TrustZone protected environment (many of which are garbage). There are very few vulnerabilities reported about the hardware itself.
If you're a phone designer, and you're going to put unlock PIN validation into a trusted execution environment? Sure, makes sense. If you're going to put your widevine DRM code into a trusted execution environment? I guess.
But why did they make a design that means a vulnerability in the DRM code allows an attack on the PIN validation code? That means the attack surface is huge.
You gotta keep these clowns separated if you don't want them spraying each other with water and throwing pies down each other's trousers.
> While I speculated that TrustZone was being used, exclaves may well use the existing SPTM and GXF (Guarded Execution) privilege levels after all. One implication may be that there is no hard reason they couldn't be supported on iPhone 13 and higher, aside from RAM requirements and development effort. Make no mistake these are huge undertakings even for Apple.
I don't think Tim would be CEO if he didn't believe what Steve did. It's so weird, but I really miss Steve.
https://www.youtube.com/watch?v=Ij-jlF98SzA
However, despite being an actual software engineer, I'm no security researcher. I don't understand kernels or privilege elevation or anything deeper than the UNIX shell I work in. So it's nice to have a system that's 99% safe by default, but still allows me to run crons, or programmatically open/modify things, and generally script my machine to look and behave the way I want.
Apple is the perfect middle-ground for people like me. Just because you can't fiddle with a kernel hardly makes this a "hood-welded-shut" machine. There are processes on my Windows machine that I'm not allowed to kill even as an administrator. I can `kill -9` whatever the hell I want on my Mac.
There's a very large group of people who operate like me, and are even less technical than I am, but love things like Keyboard Maestro or Apple scripts which allow them to tweak little things. Windows has no comparison and as far as I've witnessed it's one of the most frustrating operating systems in existence. Most people do not have the time or desire to run Linux. So, you are left with Apple which nails several of selling points that no other ecosystem nails.
That's why people, including "hackers", are enthusiastic about this "hood-welded-shut" system.
Note that the Mac is way more open than the iPhone (or iPad, which is funny considering how some chips are shared between Mac & iPad), specifically to preserve (some) of the kind of control people expect from their Mac.
That's why you can run Asahi Linux on Macs, but not iPads.
So you & GP may be talking past each other, them grousing over the locked-down nature of the iPhone, while you celebrate the control of your Mac.
Windows blocks me from doing things like permanently uninstalling Microsoft Edge.
It’s like the operating system itself is viral in nature.
Last time I was playing with a Mac, even the root account was a problem to try and access. Apple are just way too nannying with their devices, but people like that.
Unless your company has something locked down. If it’s a consumer Mac, it requires nothing more than a login password.
There are some security features that (for good reason) get in the way of e.g. dtrace, but I'm not aware of any of those that you can't turn off.
> I'm also not a fan of how Apple controls devices and the market of software after the device has changed owner.
What's this about?
Such scenarios are trivially recoverable on better-designed machines with removable storage and consumer-friendly software FDE. BitLocker does this reasonably well - yes, there are privacy concerns w.r.t. key backups, but one must strike a balance between convenience and security.
ETA: To be clear, this setup would be entirely tolerable to me, but I (and everyone else in here) is hardly an average consumer when it comes to technology.
Many hackers think that about Apple computers. Many others have no choice because they develop iOS apps.
That being said, I love iOS on my phone and tablet. I used to prefer android, because of how much I could customize it, but it slowly became less reliable and more centered around selling me products and services sponsored by Google or my carrier. I switched to an iPhone and iPad about 7 years ago and am much happier with a reliable set of mobile devices that I know are relatively secure and wont get in the way of what I want to do.
Point being, the OS you want on, and ecosystem you want around your devices absolutely depends entirely on what you want your devices to do (or not do against your will).
I think the term 'hackers' has become diluted to the point it just means 'enthusiastic coder' - it hasn't seemed tied to creative thinking or pushing boundaries in some time. That probably stopped around the time the LifeHacks site became popular.
They prefer Apple because most are young and grew up with iPhones and Apple being cool due, all while MS starting continually shooting themselves in the photo with Win 10 and 11. They probably approve of Apple standing up to the FBI also.
Shit. Works.
This is critical. I can focus on my actual task at hand, rather than fiddling with the system.
Some perspective: I've been on Debian for 15 years, and I still hold it in very high regard for servers. I'm also an occasional Alpine & OpenBSD user; and Windows for games. I've tried Ubuntu, couldn't stop it from getting in my way. Before you suggest Fedora, Arch, NixOS, whatever: I'm done distro-hopping. The experience is about equal everywhere. No amount of "choice" beats thoughtful design, accessibility, and vertical integration.
Hmm...
I guess most of these are from macOS updates. I don't think I've used the power button at all in the past year or so? FWIW I'm using a Mac mini (also M1) rather than a Macbook, but "it works for me" was the entire point of my original comment.> it absolutely refuses to play nice with my KVM (that my desktop has no issues with)
Honestly I'm with you here, but I'm pretty sure KVMs are just pure lottery. I plug the mini via USB-C/DP to a screen that has a simple built-in USB hub (which in turn handles mouse/KB/audio interface); this also works perfectly fine with my Thinkpad T495. However an expensive TB3 dock with a dozen ports doesn't work with either, but it's just fine with a 2017 MBP. TBH I wouldn't blame any of the involved parties; USB-C/TB always came off as a finicky mess to me.
> I'm a software engineer at a company that does all macbooks.
I can't say anything but extend my sympathy. In an ideal world, companies prioritise employee satisfaction and productivity. There's an argument that this is a trade-off vs increased IT support cost/workload, but I guess SWEs don't need much support to begin with?
You could at least appeal on the basis that the HW you've been provided with is clearly unreliable. Come up with some numbers about lost productivity. Bosses love numbers.
IME, it's also about being able to ensure that everyone has access to the same software. I worked at a company that used macOS-specific software for development (I think it was Sketch?) so I had to have a MacBook around, even though I primarily used a Linux desktop for work. Anecdotally, I don't think this is uncommon.
NixOS in its unofficial "endgame" is more like a container where you can strictly define what files to keep between reboots and everything else gets thrown away. Except unlike a container it covers your entire filesystem (not just a single application) and it's actually usable for things like a laptop since you don't have to reboot between making changes. There's a popular blog post titled "Erase your darlings" that explains it in more detail[1]. And, like with a container image (but different in how it's done), NixOS forces you to write any and all changes to your system's programs or config as code that can be introspected and delivers repeatable results.
This is definitely not to everyone's taste but for me this is now the only way to keep computers "clean" in the long term (sans specialized distros like Talos Linux). I can just look at the source code to know exactly what I'm running and I can delete stuff I no longer want without having to think about leftover files or anything like that. Backups also get a lot simpler when you only have to think about the persistent volume of your system and your config and full restores are just a matter of reinstalling with your config in place.
macOS is gorgeous and I love how everything just works pretty much (except defining global keyboard shortcuts). But I've been so spoiled by NixOS catering to my config management obsession that everything else feels kind of primitive in that regard. My dream would be the macOS userland and kernel on top of Apple hardware but built and assembled with the Nix module system. And then some APFS magic to make an ephemeral root filesystem work.
(Also yes I've tried nix-darwin. Love it and I'm infinitely grateful it exists because I'm also using a MacBook at work but it's not the same kind of "complete" experience that NixOS provides.)
[1] https://grahamc.com/blog/erase-your-darlings/
Not that that makes it objectively better or worse. The config shtick of NixOS can also be really annoying to someone who just wants to install stuff and move on. It comes down to personal preference.
Notably, macOS (a BSD in my book) took the next logical step and completely sealed the base OS, all the way via logical volume management, verified boot chain, SEP (aka TPM), etc.
I agree that NixOS solves configuration management in a much more elegant way, but that elegance carries a heavy cost: it requires domain knowledge to comprehend. Personally I just keep /etc in git, and use judo to propagate changes. <https://github.com/rollcat/judo>
Also - I'm done distro-hopping. The problem is KDE/Gnome- KDE is aping Windows (badly), Gnome is aping macOS (also badly). I'd list all of the problems but it would take an essay.
It's no substitute for backups (I use Borg), and syncing is good (I use Syncthing, I guess iCloud also counts). But snapshots should be ubiquitous at this point, just like having a "trash bin" was mainstream in 1995.
What exactly does not work for you on other systems, that works on a mac?
But I think they're regressed. I think sj was good at getting apple to interface with the rest of the world, and make course corrections. But now they've forgotten how.
Everything apple does is more apple ecosystem, ignore everyone else.
Sort of like the 7-habits dependent, independent, interdependent. Now they're back to independent.
so... they ignore the rest of the world. their own hardware, their own languages, everything else comes from their store. admittedly macos still allows people to run their own software, but ios doesn't let you run software or even access your own filesystem.
Do I, a highly technical person, want a machine that has been made in to an appliance, where I have very little control over what's going on in the background, where I have to trust one of the largest companies on the planet to Do The Right Thing™?
Well, I know I don't want to run an OS like Windows where the end user is treated with contempt and distain, where the price of the license means nothing because I'm still treated as someone who doesn't know enough to even choose my own browser, where third party programs have more control over my own machine than I do, unless I happen to have a lot of specialized knowledge and plenty of time to circumvent these biases.
But let's compare the Apple appliance to an open source OS running on an Intel CPU. Now I have an OS that gives me more freedom to do what I want and need, that has only documentation and technical issues as roadblocks, not intentional design. Better, yes? But now I'm also required to trust a company that has a literal hardware back door built in to it, that comes from a company that acts like they have no real understanding of security but might just be playing dumb, that has lied to users many times over years, that has knowingly chosen speed and marketing numbers over security time and time again.
Now add the fact that we need to trust binary blobs for wifi chipsets, some ethernet chips, GPUs, et cetera. Not great, if we want to both control our machine and trust it.
So, really, would I want to run an open OS on top of a janky CPU with lowest common denominator hardware, where each part might have issues, possibly security issues, or would I want an appliance?
I wish there were more options... AMD is better than Intel, but not sufficiently. They have less of a history of lying, of manipulation of marketing information, et cetera, but they still have that hardware back door. People are working on open source firmware for wifi chips, et cetera. ARM is nice, but ARM laptops and desktops still come at a premium.
So do I see the appeal of an appliance that has incredible performance, battery life, the best exploitation of the hardware on the planet, excellent quality and security? I do, particularly when all aspects of that appliance are in the hands of a company that makes their insane profits from being "premium". So long as their profits depend on being premium, I will trust them, because my trust needs align with their profit desires. When that stops, my trust stops.
Would it be nice if I could run my own choice of OS on it? It would. But sometimes we need a device that gets things done, and in many instances, an appliance is better than the alternatives.
Can I still run pretty much what I want on this appliance, aside from my OS of choice? Yes, I can. So unless I'm interfacing directly with hardware, these appliances mean less work for me.
That's not to say your case isn't valid, but it's easy to see a case for most people having appliances.
Yes using a VM means taking a performance hit. But with the latest Apple machines, and for what I do in the VMs, I haven't experienced any lack of performance that annoys me.
One example for what I do is to run double Wireguard tunnels. In MacOS it has been nigh impossibly to get working (and esp not reliably). But works easily in a Linux VM. With this I can proxy through the VM to access remote resources from applications in MacOS.
I'm using UTM btw: https://mac.getutm.app/
Most times, this doesn’t mean anything, but there’s very few demographics that understand the need for privacy and data protection, better than gay folks.
Of course, he’s still at the whim of the Board, and he’s no spring chicken, so there’s no guarantee that his successor would feel the same, but I do believe that he, himself, is legitimately serious about privacy.
At the risk of sounding like Richard Stallman, that exactly is the problem with buying into such walled-prison ecosystem of devices. You're at the mercy of Apple pushing an update that can unilaterally take away your privacy and rights.
They already do that with sending hashes of your photos on your iPhone and implement dark patterns to trick you to upload your data to iCloud. Just 1 CEO change away from having them from being a privacy advocate to a privacy nightmare.
This is mainly a concern if you are a high value target likely to be the first person poisoned. For most of us, that’s not true, and a formerly good actor turning evil would be noticed long before it came our turn.
So there’s the idealist “I can’t be sure my favorite restaurant won’t poison me today, so I’m never eating there again”, and the pragmatic “the benefits I get outweigh the slim chance that today is the day they decide to attack boring people like me” outlook.
I’ll never fault someone for being the idealist; the concerns are unfalsifiable. But to me it looks like a rough way to live. Maybe just because I really am that boring so it’s hard to relate to having any super secret stuff that would put me among the first to be attacked.
If Apple adds a backdoor to their E2EE (by sending their servers the key) via a software update, and they don't do anything with the secrets exposed, they can compromise a large proportion of users over just a few weeks and there is a big chance you'll be among the "first", because the "first" is now a large set.
It's just another principal-agent problem, and I agree that a fully self-sovereign life, with no dependence on trust or agents, is an unrealizable ideal; and, that a decent solution (while not perfect) is reputation stake and aligned incentives, check and check in Apple's case. I too think Cook is sincere, and I trust them as far as I can throw their products, which is to say, a little. (The Apple Tax is so they don't have to rely on a sketchy big-data business model.)
That said, computing and InfoSec have some unique contours, in a way that trusting a mechanic or a lawyer does not. Those can have catastrophic failure modes as well (crashing from a shoddy repair, getting sued based on bad legal advice), but they aren't systemic to society, and have lower switching costs.
And I ultimately think it's a false choice. When it comes to meatspace security, it's possible to have trusted and accountable public institutions, and allow citizens to have some means for self-sovereignty (2A, locked doors). It would be foolish to rely only on one or the other, either as a society or an individual.
So I'm deeply grateful for the Stallman types, pushing forward the capacity for self-sovereignty. Even if it doesn't currently meet my needs from a risk/benefit tradeoff, I still benefit from the ecosystem, and its BATNA, and I look forward to the day I sever my dependence on Apple's ecosystem, whether or not they betray my trust.
I agree with this part, but relying Apple is quite far from self-sovereignty compared to many other practical alternatives: not relying on external clouds, GrapheneOS, Linux. By relying on Apple, you not only pay a tax to essentially bribe them to not attack you (perhaps a viable strategy, not too different from taxes to governments), but more importantly you give up the ability to resist without serious compromises (can't have E2EE backups on your own cloud if they said so). This is akin to trying to be paying taxes to the government to get better police coverage, and they decide to ban locks, security cameras, and leaving the walled garden.
The problem with the current computing security paradigm is that it puts too much trust in entities that do not deserve it, because the entities are simply too powerful and do not suffer consequences when they break that trust.
There are a couple meaningful points of divergence in the ecosystem: Mac vs iOS (the former has some self-sovereignty, even if there are risks of backdoors/etc); and, cloud vs not (I mostly avoid cloud usage, iCloud or otherwise, and when I do use it, I treat all content as public).
I agree about the trust problem. Varoufakis might make some valid points re: "Technofeudalism", but then Bruce Schneier was making a similar analogy over a decade ago. I've heard cogent arguments, that early feudalism evolved from rational self-interest, that serfs were willing to trade some degree of autonomy for safety, and it does feel that many "normie" users (especially with iOS) are making a similar rational trade, even if it sets up an asymmetric power dynamic, and risk (inevitability?) of future betrayal.
I'm curious if you have any examples in mind for Apple, re: "do not suffer consequences when they break that trust". IMO, they've done okay at putting actions and costly signaling behind their privacy rhetoric, and I think they'd take some kind of market hit if they were to blatantly break that trust. But I'm curious if you think there are past instances in which that already happened, which maybe I've forgotten or am neglecting, or if it's a threat model of the future.
Their image scanning proposal? The recent UK E2EE backup thing?
For the first, although they eventually backtracked, proposing it alone should be ruinous they are actually a privacy-oriented company.
Although the second situation is forced by a government, it is still a self-inflicted problem where iCloud is the only way you can back up your stuff. Not being able to have encrypted backups is a serious QoL issue.
> I mostly avoid cloud usage, iCloud or otherwise, and when I do use it, I treat all content as public
This is also my attitude toward "the cloud" in general.
He's one end of the spectrum, and NSO is at the other end. The best place is somewhere in the middle.
I thought I was familiar with the really big players in the privacy/anti-privacy space, but I don't know this one. What is NSO? These guys https://www.nsogroup.com/ ?
Most times, this doesn’t mean anything, but there’s very few demographics that understand the need for privacy and data protection, better than gay folks.
I used to think this, too. His recent ring-kissing antics have changed my mind. He, too, can be bought for a price.
You don't write a check for a million dollars to a person who is actively trying to decimate the gay community and still get to wear the rainbow flag.
Collective action, even in corporate America, is required to beat these people. The failure here is that like-minded execs didn’t preemptively gather to prevent this outcome in the first place. If you want to be unhappy with Tim Cook, be unhappy that he was too politically naive for too long.
If a few more of us would have stood up at the time, the world could look very differently today.
He's a leader. He should lead.
Jobs also said a lot of things that still resonate with me. Recently Apple introduced a "classic Mac" screensaver that shows how carefully designed the original Mac GUI was. I'm sure nobody misses the days when app bugs could crash the OS, but I wish Apple were as obsessive now about detail now as they were back then.
(the article is good but giving you the hn for comments too: https://news.ycombinator.com/item?id=2131299)
The biography is really awful though. It constantly misquotes people - Bill Gates is directly quoted as saying something so technically inaccurate he can't possibly have said it.
I also remember that every time his son is quoted it's because he was telling a dick joke. At one point the book claims this is why Apple Park is a circle. Why the author did this is not clear to me.
(Btw, I have an unreported Jobs story about this myself. Actually two. I'm not going to tell them, so feel free to just imagine.)
I feel like the official Isaacson biography was trying to tell a story, and would twist facts and reality to fit that story. This certainly makes for entertaining reading, but is not a great way to study history.
Meanwhile "Becoming Steve Jobs" gives the reader glimpses into Jobs's life, often very contradictory glimpses, ones that don't really tell you what to think. It shows you how complex of a person he really was.
It was my first Isaacson biography, and didn’t leave me excited for another one.
It definitely was, but at least parts of that must have been warranted given Jobs refused to read it, saying something along the lines of "I know I wouldn’t like what it says"
> Very well then I contradict myself,
> (I am large, I contain multitudes.)
When you speak ill of Jobs you are speaking on his moral character. When others (incl. myself) speak positively on Jobs, they are speaking on his design, business, and life philosophies, which are quite profound. [0]
How you want to weigh the two is up to you, but it is not a contradiction to say someone contains both good and bad.
[0]: https://youtu.be/cHuqhQmc4ok
Worst of all is the false good person / bad person dichotomy that leads to great offense at any slight praise for someone the reader has decided is a bad person, or any slight criticism of someone the reader has decided is a good person.
I can’t think of anything less fruitful than arguing over whether a public figure’s personal plus professional life makes them a 100% good person or 100% bad person. It’s strange the conversation ever happens, and yet it’s so incredibly common.
I personally view that as more of a failing in the system itself (why are there multiple lines to begin with when organ transport is a solved problem?), but it's not unreasonable to look at somebody exploiting that broken system and question their character.
For some other actions on some sort of badness scale, we have:
- Murdering people for your spare organs. Parts of China do this (somebody survived and escaped recently, so it's stirred things up a bit). Most people think this is very bad.
- Paying for somebody's organs (similar to prostitution at some level, though banned much more frequently than sex work -- if society is structurally so unequal that sacrificing part of your life for a pittance is actually attractive, that reflects poorly on that society, and we try to ban.the rich and powerful from using that power to create scenarios more like my first point).
- What Jobs did. It's technically legal, but he necessarily got an organ before somebody else for no other reason than that he had money. Did that somebody else survive? Who knows. If you factor in that it was actually many people who were displaced, did all of them survive? Unlikely. Organ donations are already fraught with ethical issues and strongly held convictions, and I'm not at all surprised that a number of people would be upset at this.
Do you think capitalism is bad?
You didn’t pose the question to me. And yet.
Very many people don’t. We know there are constructs that would enable us to pay less, yet we choose to not pursue them. We are part of a society that enables us to be what we are, why should we strive to give as little as possible in return?
(And yes, we also don’t send extra money. This is not a contradiction.)
Only because you don't want to put the effort in to pursuing it. If I told you you could reduce your tax bill by 20% by spinning round in your chair one time I doubt you (or anyone else) would decline.
Every entity generally seeks to take as much as they can and give back as little as they can. Individuals are generally a little less extreme, in my experience, with corporations being the worst.
My taxes are not a burden on me. While on the other hand, the local politicians have sought tax cut after tax cut, causing the library to limit services, the schools to cut down on teaching staff, infrastructure maintenance delays, less funding for local social services and city events, and more.
My paying an extra 20% wouldn't fix things, as adding to the general budget would end up simply reducing taxes further, instead of everyone sharing the load.
I hate that I've starting getting involved with local politics. I would rather code.
Or, following your self-centric analysis, I would put the effort into raising my taxes by 20% since the collective benefits give me much more than what I can do individually.
While he could have funded a new hospital and not even change his tax bracket.
I was at a talk with Martine Rothblatt several years back, who created a startup for 3D printed organs. They ended up also building electric helicopters to transport those organs, because the transportation bottleneck was a huge issue.
I try not to judges peoples character when they’re looking death in the face. No one really knows what they’ll do in that scenario. Most people who can save their own life will. This was the premise of the movie SAW… how far are you willing to go to save your own life? How strong is your survival instinct? Most people are never tested, and it’s easy to sit back and judge, but would you just sit back and die? How do we even know there was someone else in line behind Jobs? It could be that he got an organ that would have otherwise been wasted.
Though SJ "He was diagnosed with insulinoma, which unlike other pancreatic cancers, is curable and can be treated with surgery."
see: https://www.bbc.com/news/technology-16157142#:~:text=He%20wa...
And the outcome was a computing company that was waaaay less mediocre than 99% of these other memetic, mediocre gradient-descent chasing privacy-abusing, ad-supported companies.
Apple has raised the bar so high. And the DNA of what is manifesting is Steve’s insistence and vision followed by Tim’s clarity of execution.
Look at the Apple Architecture moves. They got Intel’s hot, slow CPUs out of the device. And replaced them with excellent, quiet, fast, efficient CPUs, with UMA and great features.
It’s hard to nail every detail when you have the surface area of Apple 2025. A huge huge company with billions of users and dozens of device families and services. But the bar is high for most of what they do.
Because we miss new instances of the great products they created to earn all that money.
He became a billionaire because Disney bought Pixar.
When I see the sincere sentiment sometimes expressed towards Jobs, I wonder if something similar is being tapped into when people - often tech people - use and experience LLMs.
To put it a bit bluntly, it almost feels like there's a mystical or religious element to it. As if we desperately want there to be miracles, and oracles, and god-like, caring men who can provide us with beautiful products, and rituals, and a future where everything is sleek and bountiful and timeless. As if some spiritual "hole" were being filled.
I don't mean to disparage anyone who feels fondly towards Jobs or LLMs, I'm merely sharing an observation of mine.
Thanks for sharing your story.
RIP
Source: people who were at Apple during that time period.
Example: https://www.nbcnews.com/news/world/government-officials-want...
I think people underestimate how traumatic it was culturally to Apple and how Apple generally experiences comparatively little turnover vs their other major tech peers, so the responses to those traumas linger. Same with the brouhaha over the CSAM tech that they attempted to bundle into the iPhone that ostensibly was trying to preserve your privacy and they instantly got smacked down over it.
I have two thoughts about this.
One, if you tell yourself a story strongly enough, it becomes real. Especially when you can structure the company to force it to become real.
Two, "marketing" is usually used disparagingly to mean something like "advertising that brainwashes customers into wanting something", but it's more like "knowing what people are going to want by the time it's ready to ship". It doesn't necessarily even include advertising. So in this case people do want privacy.
Isn't that Product rather than Marketing?
IIRC the advertising people are called Marcom or "marketing communications".
The iPhone had to add an app store because there were some apps that users couldn't build on the web at the time. They since allowed apps, but those apps are restricted to a proper subset of the APIs that first party apps get.
https://folklore.org/Diagnostic_Port.html
> Expandability, or the lack thereof, was far and away the most controversial aspect of the original Macintosh hardware design. Apple co-founder Steve Wozniak was a strong believer in hardware expandability, and he endowed the Apple II with luxurious expandability in the form of seven built-in slots for peripheral cards ... >This flexibility allowed the Apple II to be adapted to a wider range of applications, and quickly spawned a thriving third-party hardware industry.
...
> Apple's other co-founder, Steve Jobs, didn't agree with Jef about many things, but they both felt the same way about hardware expandability: it was a bug instead of a feature. Steve was reportedly against having slots in the Apple II back in the days of yore, and felt even stronger about slots for the Mac. He decreed that the Macintosh would remain perpetually bereft of slots, enclosed in a tightly sealed case, with only the limited expandability of the two serial ports.
> Mac hardware designer Burrell Smith and his assistant Brian Howard understood Steve's rationale, but they felt differently about the proper course of action. Burrell had already watched the Macintosh's hopelessly optimistic schedule start to slip indefinitely, and he was unable to predict when the Mac's pioneering software would be finished, if ever. He was afraid that Moore's Law would make his delayed hardware obsolete before it ever came to market. He thought it was prudent to build in as much flexibility as possible, as long as it didn't cost too much.
> Burrell decided to add a single, simple slot to his Macintosh design, which made the processor's bus accessible to peripherals, that wouldn't cost very much, especially if it wasn't used. He worked out the details and proposed it at the weekly staff meeting, but Steve immediately nixed his proposal, stating that there was no way that the Mac would even have a single slot.
> But Burrell was not that easily thwarted. He realized that the Mac was never going to have something called a slot, but perhaps the same functionality could be called something else. After talking it over with Brian, they decided to start calling it the "diagnostic port" instead of a slot, arguing that it would save money during manufacturing if testing devices could access the processor bus to diagnose manufacturing errors. They didn't mention that the same port would also provide the functionality of a slot.
>This was received positively at first, but after a couple weeks, engineering manager Rod Holt caught on to what was happening, probably aided by occasional giggles when the diagnostic port was mentioned. "That things really a slot, right? You're trying to sneak in a slot!", Rod finally accused us at the next engineering meeting. "Well, that's not going to happen!"
> Even though the diagnostic port was scuttled, it wasn't the last attempt at surreptitious hardware expandability. When the Mac digital board was redesigned for the last time in August 1982, the next generation of RAM chips was already on the horizon. The Mac used 16 64Kbit RAM chips, giving it 128K of memory. The next generation chip was 256Kbits, giving us 512K bytes instead, which made a huge difference.
> Burrell was afraid the 128Kbyte Mac would seem inadequate soon after launch, and there were no slots for the user to add RAM. He realized that he could support 256Kbit RAM chips simply by routing a few extra lines on the PC board, allowing adventurous people who knew how to wield a soldering gun to replace their RAM chips with the newer generation. The extra lines would only cost pennies to add.
> But once again, Steve Jobs objected, because he didn't like the idea of customers mucking with the innards of their computer. He would also rather have them buy a new 512K Mac instead of them buying more RAM from a third-party. But this time Burrell prevailed, because the change was so minimal. He just left it in there and no one bothered to mention it to Steve, much to the eventual benefit of customers, who didn't have to buy a whole new Mac to expand their memory.
But at the same time he was also very proud of the PowerMac G3/G4 case which could be opened at any time (even when it was on) with the side being hinged with a prominent, friendly finger loop.
Aug 2023, https://www.df-f.com/blog/ios17
Nov 2023, https://www.df-f.com/blog/ios-17round2
Feb 2025, https://www.df-f.com/blog/sptm3
Are they? The article's closing paragraph advertises a _future_ Dataflow blog post to the reader. Their follow-up March correction is consistent with the Dataflow Feb summary, https://randomaugustine.medium.com/more-speculation-on-excla...
The discussion has been underwhelming:
I read TFA and wasn't sure what to even make of it.
A gentle suggestion for a more interesting / entertaining article currently on the front page with a glance: https://news.ycombinator.com/item?id=43311696
Hatching a Conspiracy: A BIG Investigation into Egg Prices
https://www.thebignewsletter.com/p/hatching-a-conspiracy-a-b...
P.s. @gnabgib thanks for all your excellent dupe postings! I used to do a lot but life got busier. You are appreciated.
Edit: @thrdbndndn: My bad, yes this submitted article is the one that sucks. Thank you! If you delete your reply it will make things less confusing, but no worries and best wishes.
> exclaves refer to specific resources that are separated from the main kernel (XNU) and cannot be accessed by it, even if the kernel is compromise
Also interesting:
> It’s not uncommon for mid-cycle releases of macOS to gain new features in preparation for the next major version. Perhaps the most fundamental and significant added to Sonoma 14.4, together with iOS 17.4, iPadOS 17.4 and watchOS 10.4, are exclaves.
https://eclecticlight.co/2024/08/20/sonomas-unfinished-busin...
This is not correct
A tiny bit of hardwired dedicated logic integrated into the camera module would be more than adequate to do this - just gating of either the digital I/O or the power to the camera, and a pulse-stretcher so the LED goes on for at least a few seconds each time to prevent an attack by rapidly flicking the camera logic on and off.
A similar circuit for the microphone with a different-coloured physical LED - not just a software-controlled dot on the screen - would be a good idea too.
And then your LED driver would need to know screen brightness (or connect to the ambient light sensor) because you want to be bright enough to see in direct sunlight, but that level of brightness would be unpleasant (and maybe screw up legit camera use) in low light.
So if you believe your SK is secure, you can do a better job more simply by using it. And if you don’t think SK is secure, all bets are off anyway.
Apple generally isn’t out to make things willfully overcomplicated without good reason.
https://news.ycombinator.com/item?id=42260379
> On Macbooks made after 2014, no firmware is involved
They'd be unable to roll out the feature to older iPhones if they did this.
I guess for newer iPhones this is not as big of a deal since they have a big-ass notch anyway, however Apple also has a large customer base that only buys their older products (like me), and saying that their older products have worse security than their newer ones is probably not the kind of message they want to send, even if it might potentially get them some new sales.
It’s (for example) similar to the Kinect. It projects a pattern of structured light in IR then looks at that with an IR camera to be able to determine depth.
If I had to bet, exclaves will be a bridge to something bigger, either a more modular OS (like Fuchsia) or a CHERI-inspired security model where memory safety is enforced at the hardware level.
Apple is leading the pack in consumer OS security, but exclaves are a patchwork improvement rather than a total rethinking of system design. That said, this is probably the biggest security shift in mainstream OS design in the last decade, and it will take years before we see its full impact.
From the page[1] with the video: a security feature that can a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the kernel gets compromised. VBS uses hardware virtualization and the hypervisor (Hyper-V) to create an isolated virtual environment that runs as a higher trust level, called Virtual Trust Level 1 (VTL1). VTL1 has its own kernel, separate from the Guest kernel, referred to as the Secure Kernel.
[1] https://lssna24.sched.com/event/1aIeD/linux-virtualization-b...
- Exclave exposes a small set of functions that kernel may call for sensitive operations - One of those is “update exclave”. The input to this is a blob signed with Apple’s private key. - Exclave verifies signature, so a compromised kernel and push a malicious update
How the exclave gets Apple’s public key is a little opaque to me. One way would be to have the exclave have its own (per device or per global version) private key, but client side private keys are very high risk.
Alternatively, perhaps some elaborate set of baked-in public keys for Apple and a way to validate a CRL?
That said I’m not sure what you or GP mean by “update exclave”. It’s just part of the kernel binary loaded up at system start. Wouldn’t it be updated the same way the rest of the kernel is, probably requiring a restart?
> To allow for execution of exclave Services while isolated from XNU, Apple has introduced a new kernel called the Secure Kernel (SK).
Or do exclaves run on a separate chip, like Secure Enclaves-with-a-N do? (The article said not to confuse the two.)
For now, I think existing exclaves such as the one that displays the camera indicator do not really apply to macOS (since MacBooks have dedicated hardware for that), but in the future there might be exclaves that do.
Try reading that footnote again:
> Note 2: Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) enforce the execution of signed and trusted code on all platforms with the exception of macOS (because macOS is designed to run any code). All of the other security properties, including the protection of page tables, are present across all supported platforms.
It doesn't say macOS doesn't use SPTM. It says macOS doesn't use SPTM to prevent running unsigned code, since macOS is supposed to allow unsigned code (after the user jumps through some hoops).
One simple example: recent versions of macOS run all apps inside a sandbox, even those that don't opt in. One thing the sandbox blocks is apps modifying each others files, which up until then had been a major weakness of the security system (signatures of a bundle were checked at first-run, but not on every execution).
They are also kernel-to-kernel currently, so third party support would likely be limited to implementing things like secure device drivers. However, Apple has been trying to push third party drivers to user space, not to the hypervisor. Based on that migration happening in parallel with this development, I do not suspect they plan to pivot and have third party driver developers use exclaves.
It is pretty common for Apple to do significantly more stabilization of kernel-imposed platform features like this internally before exposing to third parties (see also pointer authentication a la arm64e).
https://en.wikipedia.org/wiki/Mach_(kernel)
This, because they don’t have TrustZone
TL;DR: we are doing things in hardware that ought to be done in software, and we're giving software too close to metal access.
User mode should be something like the JVM, but more language-neutral, something based around WASM for example. The runtime for this should ideally be written in a memory safe language and very extensively tested. User mode code should not have access to raw pointers, raw CPU, etc.
If we'd done this we also could have elevated things like the common API beyond the lowest common denominator of C. We used to have a ton of research and some fielded systems like this: Smalltalk, LISP machines, the JVM, the CLR, etc. The JVM and the CLR are still quite alive and well but the HN world seems to hate them for some reason. Smalltalk and efforts like the LISP machines died out.
One of the great things about it (in my opinion) was the lack of context switching. It broke a fundamental assumption about how an OS should work. It could also do global optimizations.
I wonder how much of a boost you'd get for that? I'm sure it would depend on the work load.
Could you explain what you mean more please?
The privacy features for messaging and cloud storage, plus not having to worry (as much) about security as I might with Linux, are the only reason I still use Apple. Every year I get more and more disappointed though. More and more nostalgic for the Apple software I used to enjoy using.
It serves only the platform provider, who can decide which programs may or may not be installed based on whether they are aligned with or against their competitive interests.
https://xkcd.com/1200/
I tried to read the article, and know what all the words mean (sel4, enclaves, virtualization primitives, etc.).
It all seems very complicated and error prone, but I couldn’t figure out what the attack model is, or what the security objectives are.
Eg, what sorts of things run in exclaves, and under what circumstances will a persistent kernel level compromise on my laptop protect those things?
I could imagine a passkey implementation with some extensions that allow securely presenting what the user is consenting to and how ("enter your payments PIN or password now to confirm a payment of $x to merchant y").
It's of course even better to do that in tamper-proof security coprocessors such as Apple's secure enclave, but TEEs have the big advantage of having access to much more memory and faster processing, which allows doing more complicated things there more easily.
They can also always lean on the secure hardware for actual key management, but handle more complex user interface operations in an environment that's still more secure than the main OS.
Android has supported something just like that years ago with "protected confirmation" [1], but unfortunately it's only available on Pixel phones and hasn't really been picked up by app developers as a result; the situation for Apple is of course very different, so I have some hopes that if they launch something comparable it could actually see some adoption.
[1] https://android-developers.googleblog.com/2018/10/android-pr...
Apple is already using the secure enclave for key derivation, PIN/password rate limiting etc. (that’s what it’s for), but my point is that there’s currently a gap in that you can often not really know if you are actually talking to the secure enclave or OS-level malware.
In order to do those things I have to actually steal his laptop. Which would be obvious to him. It also implicates me.
If I could just remotely install a driver I don't need to worry about any of that and I can steal remotely and anonymously.
(Though I’m not convinced that will actually work on modern apple devices, where the led is pixels that run through the compositor — I guess the video driver stack and window managers are also exclaves in this world?)
Once you have that, you can take the idea further: Displaying an indicator that confirms that all your keystrokes are going to an exclave validating your password, for example.
The much-hated touch bar actually enabled just that, for Apple Pay payments, as far as I remember: It could display something like "touch to confirm payment of $x" on its own screen in a way that was impossible to manipulate from macOS – now here's an opportunity to bring that level of security back without requiring a dedicated display or taking away people's beloved function keys.
I would expect that to mean they're not included in screenshots so I'm curious now whether that's true for the iPhone 16.