
Nitpick:

> Now this may come as a shock to some of you, but Apple really doesn’t seem to like it when third party developers change just about anything about their UX

> Deploying a kext requires it be signed using a special Kernel Extension Signing Certificate, which can only be acquired from Apple

This restriction has nothing to do with them not liking people doing stuff about their UX and everything to do with the fact that kernel extensions bypass all security boundaries between users and processes.

Kernel extensions are bloody dangerous and I'm happy with Apple putting additional scrutiny on them.



Forbidding users from doing dangerous stuff with the machines they own is not good imho.


You can disable all of those checks by booting from the recovery partition, opening the Terminal and using `csrutil disable`.

Then you can do with your machine whatever you want.


Yep. Same with Windows; you get a big red screen and warning message when checks are disabled. You have to be able to do this in order to develop custom drivers and kernel extensions.

On the one hand, it makes it difficult for regular users to install malicious root-kits, but it also limits all wide-scale adoption of FOSS tech like this at the pure whims and discretion of Apple.


But is it allowed for users to choose a machine that forbids this?


That's a difficult question because it might limit supply of open machines for users who want the freedom to hack their own stuff. I think it's okay to offer computers that are basically Facebook appliances, but there should always be a toggle somewhere that allows people who know what they're doing to do whatever they please.


Macs do have such a toggle. You can boot from the recovery partition, launch the terminal and issue the `csrutil disable` command.

This will turn off all the security features that have been added over the years, including the “Catalina Vista” prompts people were complaining about in September.

The reason this requires booting from the recovery partition is to make it impossible for malware to flip the switch and to make it convoluted enough that even the most gullible of users will question their actions when pushed to do these steps by malware.

(Apple has stated publicly and in very clear language that they fully intend for the Mac to continue to be able to run unsigned code, so I believe this toggle isn’t temporary)


> This will turn off all the security features that have been added over the years, including the “Catalina Vista” prompts people were complaining about in September.

I installed it back in June, so my memory might be a bit hazy, but as far as I’m aware SIP doesn’t control TCC.


You are right. That's controlled by Gatekeeper, which you disable with `spctl --master-disable`.


You sure turning off Gatekeeper turns off TCC too?


What do you think of the counterargument that, as soon as you put a switch like that in, people will get manipulated into flipping it?


I think the risk of that can be made sufficiently low so that it won't be a serious problem in practice.


This clothing is made with slave labor.

"But is it allowed for customers to choose to buy this?"

"Allowed" is irrelevant here.



