Archive for October 23, 2020

Friday, October 23, 2020

HP Printer Driver Certificate Revoked

Howard Oakley:

Many users are today reporting that their HP printer software has suddenly stopped working, with worrying messages implying that their software is malicious and “will damage your computer”.

[…]

You’re seeing that message because macOS is checking the signature on your HP printer software, and being told that its signing certificate has been revoked. What’s strange, though, is that this doesn’t appear to affect High Sierra and older versions of macOS. […] This may well be because they’re working with different databases.

No word yet on why. It’s a shame there’s no way to tell the system to trust it temporarily, especially given that the revocation may be in error.

Thomas Reed:

We’re seeing a significant influx of support cases where users are seeing macOS identify what appear to be legit processes as malware, exactly what is being reported here[…]

Update (2020-11-10): Patrick Wardle (also: William Gallagher, Hacker News):

As others have noted it appears certs used to sign apps such as Amazon Music, HP Printer drivers, etc. were revoked ...by?

Thus, macOS blocks the (legit) software from running ...and implies it is malware? 🤦‍♂️

likegadgets:

It is a vicious circle - Apple says to call HP as they need to provide the drivers, I have not been able to speak to anyone at HP that can help.

Chris Williams:

Complaints from punters are building up on the Apple and HP support forums.

[…]

The Register understands from sources familiar with the matter that HP Inc asked Apple to revoke its printer driver code-signing certificates. It appears this request backfired as it left users unable to print.

Howard Oakley (also: Mr. Macintosh):

At some time during the night of 24-25 October, Apple PKI withdrew the revocation of HP’s certificate, presumably at HP’s request in response to the many complaints from users. HP’s software should therefore now work normally again.

[…]

HP has now published a support article explaining what affected users should do to remedy this problem.

Howard Oakley:

Although there’s nothing to stop anyone using a security certificate from elsewhere, for macOS there’s only one source of the certificates required to sign code for Apple’s operating systems, Apple PKI. This is the team within Apple which issues signing (and other) certificates to Apple itself and its very many third-party developers. Not only do they issue certificates, but they can also revoke them, and have detailed and explicit procedures for doing both.

Jeff Johnson:

An unfortunate consequence of the lack of a Developer ID CRL is that you can’t obtain a list of all revoked Developer ID certs. You can only query the status of known certs one-by-one.

[…]

As the Certificate Authority, Apple can revoke a Developer ID certificate at any time. This is done when Apple discovers that a cert has been used to sign malware. Unfortunately, we’ve seen cases where Apple has revoked a Developer ID cert mistakenly, such as with the indie developer Charlie Monroe. Is it possible for a developer to revoke their own Developer ID cert? The answer is no.

[…]

The reason for this difference in policy is that revoking a Developer ID cert has severe consequences, as we’ve seen with HP printer software: Mac users will no longer be able to run software signed with the revoked cert. Developers are allowed to revoke their own Mac App Store code signing certificates, because those certs are only used for development purposes.

[…]

HP had to contact Apple and request for the cert to be revoked. Apparently Apple granted that request. So blame must be apportioned to both companies. There have been no reports of malware or private key compromise. Therefore, no good reason exists for HP to request that their cert be revoked, and no good reason exists for Apple to grant that misguided request.

Sam Rowlands:

The issue is the lack of communication. The system should check on download (of a new list) to see if anything will become disabled, then inform the user what, why and how to resolve. Because this was handled poorly, it created anger and frustration.

[…]

I do wonder if HP was trying to ensure that the build machines were using the latest certs and something went wrong, which they didn’t know about. So the question becomes how easy is it to accidentally revoke identities?

I feel that Apple is responsible for this mess, because they built the system that allows apps (& drivers) to be “killed” remotely. The solution was designed to be silent.

Was this intentional or just an oversight? If Apple has designed the system to communicate to users that something they use will no longer work, why and what they can do about this, it becomes a non-issue, for two reasons. 1. HP would have to provide information to Apple as to why they wanted the identities revoked, which would help confirm that they wanted this action. 2. Customers would be aware of what’s going on, and could solve the problem themselves.

Thomas Reed:

Earlier, we said that the issue was mostly related to HP printer drivers. There was another issue with a couple Amazon apps – Amazon Music and Amazon Workspaces – where users were seeing the same behavior. This led to a lot of speculation and finger pointing at Apple (in which yours truly regretfully participated), but this appears to have been an unrelated and coincidentally timed issue.

I have yet to hear an explanation for what happened with Amazon Music. Did Amazon also accidentally request revocation of its certificate?

Apple TV Remote App Replaced by Control Center

Filipe Espósito (also: MacRumors):

Apple today silently removed its “Apple TV Remote” app from the App Store, which lets users control the Apple TV from an iPhone or iPad simulating a real Remote. The app is no longer available for download from the App Store and Apple has likely discontinued it, which means that it will no longer get any updates.

That doesn’t come as a surprise since Apple has added the Remote feature built into the Control Center in iOS 12, so Apple TV users can have access to all the controls on Siri Remote without having to download any app.

Alan Cannistraro:

I created this app on nights and weekends. I demoed it to Steve in Jan ’08. He said, “We’re going to open an App Store; let’s make this our app”. Sad to see it go. I always referred to it as “my baby”.

This is the first version of the Control Center remote that works with my Apple TV 3, and it seems to fix the keyboard and focus problems that have plagued the standalone Remote app lately. Unfortunately, the connection with the Apple TV sometimes gets dropped when the phone’s screen turns off, and—unlike with the physical remote—holding down the Menu button doesn’t bring you all the way up to the top menu.

Update (2020-11-07): Nick Heer:

This is kind of a bummer because the Apple TV Remote app has actual buttons for previous and next. The Control Centre feature is a more faithful onscreen replication of the Siri Remote, which does not have those buttons.

See also: 9to5Mac, MacRumors.

Apple TV App for PlayStation and Xbox

Benjamin Mayo:

The Apple TV app is officially coming to games consoles, starting with an announcement from Sony. On the PlayStation blog, the company revealed that the Apple TV app will be available on November 12, that’s the same day as the PlayStation 5 release date.

[…]

On Amazon Fire Stick, the ability to purchase content is disabled as Apple and Amazon did not come to a revenue sharing agreement. However, on the PlayStation app, customers will be able to directly subscribe to Apple TV+ and other Apple TV Channels.

It’s also coming to Xbox. It’s not clear to me whether all of these devices will support AirPlay.

Google Antitrust Lawsuit

William P. Barr (tweet, PDF):

This morning the Department of Justice, along with eleven states, filed a civil lawsuit against Google for unlawfully maintaining a monopoly in general search services and search advertising in violation of the U.S. antitrust laws.

[…]

Over the course of the last 16 months, the Antitrust Division collected convincing evidence that Google no longer competes only on the merits but instead uses its monopoly power – and billions in monopoly profits – to lock up key pathways to search on mobile phones, browsers, and next generation devices, depriving rivals of distribution and scale. The end result is that no one can feasibly challenge Google’s dominance in search and search advertising.

This lack of competition harms users, advertisers, and small businesses in the form of fewer choices, reduced quality (including on metrics like privacy), higher advertising prices, and less innovation.

David McCabe, Cecilia Kang, and Daisuke Wakabayashi (Hacker News):

In a 57-page complaint, filed in the U.S. District Court in the District of Columbia, the agency accused Google of locking out competition in search by obtaining several exclusive business contracts and agreements. Google’s deals with Apple, mobile carriers and other handset makers to place its search engine as the default option for consumers accounted for most of its dominant market share in search, the agency said, a figure that it put at around 80 percent.

Google:

Today’s lawsuit by the Department of Justice is deeply flawed. People use Google because they choose to, not because they’re forced to, or because they can’t find alternatives.

This lawsuit would do nothing to help consumers. To the contrary, it would artificially prop up lower-quality search alternatives, raise phone prices, and make it harder for people to get the search services they want to use.

DuckDuckGo (tweet):

So, Google, given that you’ve often said competition is one click away, and you’re aware a complicated process suppresses competition, why does it take fifteen+ clicks to make DuckDuckGo Search or any other alternative the default on Android devices?

Ben Thompson:

Apparently being sued for antitrust is like graduating from college for tech companies.

Sandeep Vaheesan:

Great excerpt in U.S. v. Google on how Google shares its monopoly profits with Apple. Google pays billions for exclusive pre-installation on Apple devices--payments that are as much as one-fifth of Apple’s annual net income.

Michael Y. Lee:

To me it reveals how fragile their dominance is that they’d feel the need to pay Apple billions for making them the default search engine on iPhones

Mark Gurman:

The U.S. government said Apple Chief Executive Officer Tim Cook and Google CEO Sundar Pichai met in 2018 to discuss the deal. After that, an unidentified senior Apple employee wrote to a Google counterpart that “our vision is that we work as if we are one company.”

The DOJ also cited internal Google documents that call the Apple search deal a “significant revenue channel” for the search giant and one that, if lost, would result in a “Code Red” scenario. That’s because nearly half of Google search traffic in 2019 came from Apple products, according to the lawsuit.

Jeff Johnson:

It’s certainly not a good look when Google pays Apple $billions per year, they agree to "work as if we are one company", and both Safari and Chrome kneecap the browser extension ad blocking API.

Mozilla:

Unintended harm to smaller innovators from enforcement actions will be detrimental to the system as a whole, without any meaningful benefit to consumers — and is not how anyone will fix Big Tech.

Tim Bray:

It’s not obvious that end-users are hurt directly. Google provides, at the end of the day, a pretty awesome search service.

[…]

The problem is (to steal a phrase from the Complaint) “monopoly rents from advertisers”. Search advertising is a context where you know exactly what the user is looking for, and it’s amazingly effective, and Google enjoys a monopoly, which means they can charge what the market will bear, and they do.

Update (2020-11-07): Hartley Charlton:

The New York Times reports that Apple receives an estimated eight to 12 billion dollars per year in exchange for making Google the default search engine on its devices and services, including the iPhone and Siri. This is believed to be the single biggest payment Google makes to anyone, and it accounts for 14 to 21 percent of Apple’s annual profits.