by SilasX 1969 days ago
A few months ago it came out that MacOS was constantly making unencrypted calls over the internet to check signatures of non-Apple software; such calls were thus feeding back to Apple (and anyone sniffing the connection) the time and IP address of each application's being opened. (Technically, only the company, but each company usually only has a few apps.)

https://news.ycombinator.com/item?id=25074959

1 comments

I appreciate the further context, but am not sure that it was necessary to mock my phrasing.
(I wrote a giant response to this explaining why I was frustrated and who I was frustrated with and how it meant we were just screwed as a society, but I have decided to just suffice it to note that I am not mocking your phrasing--that is the correct phrasing for the demoralizing thought--and that, FWIW, I don't think iOS does this in the same way, even for the "enterprise"-signed software where one would expect it would work identically, which is a bit hilarious.)
Ah okay, sorry for overreacting.
And it wasn't true as stated (it didn't happen every time, the server didn't keep any logs, etc.)
>it didn't happen every time

True, but it didn't make much difference, since the reports from the thread showed it had a bizarrely short cache time.

>the server didn't keep any logs

Well, that's the rub, isn't it? Part of privacy-centric design is that you shouldn't have to risk such information being exposed or trust such reassurances; if they don't need the information, they shouldn't get it at all. There are privacy-respecting ways to do what they wanted to, which are also more efficient. For example, periodically update the machine's local revoked cert list, and check signatures against that (as several users recommended).

>etc

Was there anything substantively different from my characterization?

Short retention according to who? That server only? No copies to the NSA? I’m a trust but verify kind of guy and with just the word of Apple I assume somebody is keeping the data and using it in some way.
Agree with such skepticism but what are you replying to there? My comment was saying that it cached the cert check for a bizarrely short time (necessitating frequent network calls), not that the logs were retained for only a short time, which I agree is a bad defense.
Thanks for the clarification. I confused the cert cache with the Apple server logs.