[Hamuko]

Apple locking down the OS even more by making Gatekeeper harder to bypass makes me want to skip this version for as long as possible.

The screen recording permission thing also doesn't help since I'm using Ice (https://github.com/jordanbaird/Ice) because somehow Apple still can't Sherlock this feature.

[user3939382]

The way it's even implemented now is like the nightmare realized from everything Richard Stallman warned about for decades. Especially for non-technical users, they've practically implemented a system where Apple decides what software you are and aren't allowed to run on your own computer. They can muddy the issue by claiming it's for safety/security but I don't buy it. They could have made the override still clear but much easier to access.

[chongli]

Especially for non-technical users, they've practically implemented a system where Apple decides what software you are and aren't allowed to run on your own computer.

For non-technical users the choice is simple: either Apple decides what is allowed to run on their computer or cybercriminals do. After years of getting burned, non-technical users made their choice. I think it was the right one but the jury's still out for the future.

Perhaps one day these users will get squeezed out of computing entirely. That will be a terrible shame. The same thing is playing out with everything else though. Look at cars and household appliances.

[willtemperley]

It’s still perfectly possible to run whatever you like on Mac via virtualisation, which Apple have tried to make easy with a reasonably decent API

[simonask]

Also, let's not fool ourselves. I'm not sure even most technical people running macOS or Linux would know if they had malware running. I probably wouldn't. It's not like antivirus is commonplace on those platforms.

The notion that you can reasonably have knowledge of and control over all the software that is actually running on your machine has not been realistic for decades.

[AStonesThrow]

My router was pwned, not once but possibly 3 times, and the major compromise I only discovered due to the third-party DNS filtering service I'd set up on it. It is practically impossible for any consumer to detect a compromised router, due to their embedded systems and lack of meaningful logging or diagnostics. Therefore I concluded that consumer routers are the weakest link in anyone's home network, and I was pleased as punch to begin renting one that my ISP manages. Peace of mind indeed.

My Windows 10 box became so bogged down that I was convinced it was running some undetectable malware. AV detected nothing, but after a critical look at open ports I just decided to wipe and go to Windows 11.

Here are some of the biggest risks today. Running third-party apps at all, unless they are absolutely necessary. I try to do everything possible with Google-provided apps within the Google ecosystem on my Android phone and the other devices as well, which limits the third-party attack surfaces. My Windows machine runs practically nothing outside of MS or Google. I don't need to.

Other big threats are beyond personal devices at this point. Connecting third-party SaaS to your accounts is a real problem. Facebook, Google Workspace, Slack, GitHub, any service that acts as a platform and runs third-party integrations, that's where you'll get bitten nowadays, and your local AV scans are powerless to shield you from footguns. Just to use HP printer features, HP wanted full, unscoped, read/write/delete access to my Google Drive!

Everyone's "hacked Facebook account" has really been just some stupid game that went rogue. Supply-chain attacks through browser extensions and the rest. Extremely difficult to police from the end-user's position, but deadly and dangerous, because they're out on the net and in the cloud.

[doodaddy]

I’m a fan of Stallman and his ideology toward computing as much as anyone but tend to think that the ship has sailed long ago. We are not living in a world where everyone who touches a computer has the knowledge or skill set to know a good idea from a bad one. Long-gone are the days when our passwords could be blank because the other guy using the system was also a kernel developer. And so unfortunately Stallman’s ideas are mostly a thing of computing utopia fiction.

It’s fine to let the experts worry about securing our systems. The Internet is safer for it. And it’s fine to not think so, too. But for those people, realize that the product may not be for you. That’s why we have a dozen flavors of Linux.

But maybe I’m just getting old.

[adastra22]

Anything you compile on your own system you can run. This only affects downloaded binaries.

[chongli]

Yes, so we should move to a source-based package manager and build system, like FreeBSD ports.

[adastra22]

There are plenty of options for that on macOS, the most common being homebrew and MacPorts.

[Hamuko]

Homebrew defaults to downloading binaries.

[adastra22]

Defaults to. You can tell it to compile yourself, if that matters to you. I don’t see what the issue is here. Why is it a problem that it defaults to binary distribution?

[IshKebab]

Thanks for confirming the nightmare.

[steve_adams_86]

I mean, you can download source if you want to run it. It isn’t a complete nightmare yet. I think we’re still in a grey area. This will help some people still, though it’ll definitely hinder others (myself included).

Once you need to be in the apple developer program to build and run from source or something, that’ll be a legitimate nightmare. But we’re nowhere near that yet.

[ryandrake]

> Once you need to be in the apple developer program to build and run from source or something, that’ll be a legitimate nightmare. But we’re nowhere near that yet.

When Quarantine was released in Leopard, and Gatekeeper in Lion, and System Integrity Protection in El Capitan, and then "Allow from Anywhere" was removed as an option in Sierra... Each time, people were saying similar things. "Yea, it's bad, and it's getting consistently worse with every release, but surely we are nowhere near 'really bad' yet!"

[adastra22]

To me these are clear security improvements; things are not getting worse. And there is absolutely no reason to think they'll be dropping support for endusers running their own compiled software.

[skrrtww]

> Once you need to be in the apple developer program to build and run from source or something, that’ll be a legitimate nightmare. But we’re nowhere near that yet.

This is the case for building and running things with restricted entitlements and system extensions.

Unless you disable system integrity protection entirely, which locks you out of your purchased App Store software, DRM content, etc.

[dur-randir]

>which locks you out of your purchased App Store software, DRM content

Also false. But Apple's glad you believe in that.

[adastra22]

You can no longer disable system integrity protection.

[adastra22]

Care to explain the nightmare to someone who seriously doesn't get it?

I can run any open-source software I want. Other people can't run my precompiled binaries unless I opt into an attestation system that lets the OS respond to and pre-emptively block binaries from developers found to be issuing malware. Open source is unaffected.

I seriously fail to see what is wrong here.

[int_19h]

That would kill a lot of old software, though. Especially games.

[adastra22]

I challenge you to find old software that still runs on modern Macs which was never code signed. Note that support for 32-bit applications has been retired, and x86 applications will eventually be sunsetted as well. This isn't Windows.

[conradev]

> They could have made the override still clear but much easier to access.

The level of difficulty is absolutely intentional. For you, it's a small speed bump. For the guy on the phone with my grandma trying to hack her computer, it's more of a hill to climb.

[kcb]

Yea, i too want my pro device designed around my grandmas use case. Make sure we think about the children too.

[raxxorraxor]

And it is not even true and pure FUD. The most widely spread attack surfaces are different today, people wouldn't try to install malware on your machine.

And even if, we had issue with malware infecting iPhones like Pegasus. Locking down environments with these specific mechanisms isn't improving security.

[wpm]

Grandma probably needs an iPad.

[raxxorraxor]

Jobs too for that matter. Seems he wasn't able to protect his own company from idiots either.

Not that Microsoft doesn't salivate about such "improvements" as well.

[NotPractical]

I tend to not really care about these things as long as powerusers have a way around it. Yeah, it'd be great if everyone was technically literate, but most people simply don't care to be, and I think that's okay?

IMHO there's a huge difference between no freedom for anyone (iOS) and secure-by-default, freedom only for powerusers (macOS / Android / Chromebooks / ARM Windows devices) ¯\_(ツ)_/¯