Archive for January 14, 2021

Thursday, January 14, 2021


Omar Rizwan:

TabFS is a browser extension that mounts your browser tabs as a filesystem on your computer.

The files inside a tab’s folder directly reflect (and can control) the state of that tab in your browser.


This gives you a ton of power, because now you can apply all the existing tools on your computer that already know how to deal with files -- terminal commands, scripting languages, point-and-click explorers, etc -- and use them to control and communicate with your browser.
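The flip side of that convenience is that once tab state is exposed as files, any local process with access to the mount point can read or drive it, so it is worth knowing how to enumerate what is exposed. The POSIX shell script below is an added example, not code from TabFS or from the post; it assumes a mount layout of `tabs/by-id/<id>/url.txt` (an assumption, not taken from the page) and builds a constructed stand-in directory tree so it runs offline without a browser or the extension. The same two functions would work against a real mount if the layout matches.

```shell
#!/bin/sh
# Added example (not TabFS code and not from the original post).
# ASSUMPTION: tabs appear under "$MNT/tabs/by-id/<id>/" with one "url.txt"
# per tab. A throw-away tree is constructed below so this runs offline.

# Build a constructed stand-in for a TabFS mount and print its path.
make_fake_mount() {
  mnt=$(mktemp -d)
  for spec in "101|https://example.com/" \
              "102|http://intranet.example/login" \
              "103|https://bank.example/"; do
    id=${spec%%|*}
    url=${spec#*|}
    mkdir -p "$mnt/tabs/by-id/$id"
    printf '%s\n' "$url" > "$mnt/tabs/by-id/$id/url.txt"
  done
  printf '%s\n' "$mnt"
}

# Print "id url" for every tab visible under the mount.
list_tab_urls() {
  mnt=$1
  for d in "$mnt"/tabs/by-id/*/; do
    [ -f "$d/url.txt" ] || continue        # unmatched glob or odd entry
    id=$(basename "$d")
    printf '%s %s\n' "$id" "$(cat "$d/url.txt")"
  done
}

# Count tabs whose URL is not served over https:// -- the kind of check a
# local audit script can run once tab state is just files on disk.
count_insecure_tabs() {
  list_tab_urls "$1" | awk '$2 !~ /^https:\/\// { n++ } END { print n+0 }'
}

# Stand-alone usage against the constructed tree:
MNT=$(make_fake_mount)
list_tab_urls "$MNT"
echo "insecure tabs: $(count_insecure_tabs "$MNT")"
```

Running it lists the three constructed tabs and reports one insecure (plain http) tab; pointing `list_tab_urls` at a real mount shows exactly what any other process on the machine can see.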

macOS 11.2 Beta 2 Adds Full Custom Kernel Support

Hector Martin:

So I’m working on understanding the Apple Silicon boot/OS provisioning process. This is all subject to change, but here are some takeaways according to my current understanding.


This means that in order to set up an Apple Silicon device to boot arbitrary code, you first need to set it up to boot macOS, or at least install a working recovery mode.


In addition, Apple has a mechanism they use to only allow recent versions of their software to be installed on devices, by requiring a “phone home” process when you install it.


So the takeaway here is: Apple have built a very clever secureboot process previously unseen in any kind of desktop computer. They make us go through hoops to boot Linux, but those hoops are there to protect normal users.

Hector Martin (Hacker News):

macOS Big Sur 11.2 beta 2 is out with full custom kernel support.


The OS now finally includes the firmware and bootloaders and tools necessary to replace Big Sur with not-Big-Sur. That was previously not possible.

Howard Oakley:

When you boot an M1 Mac into its new Recovery Mode, it isn’t using the Recovery volume from the standard boot container at all, but what Apple calls 1 True Recovery (1TR) from the Apple_APFS_Recovery container, something which doesn’t exist on an external bootable disk. Many of its features, notably its Startup Security Utility which you can use to change the security policy, are only available in 1TR. As that can’t exist on an external bootable disk, and its command line equivalent bputil is largely limited to 1TR, it’s the internal storage which really controls that Mac, even when it’s booted from an external disk.


This ingenious new boot process does have consequences, though. Failure of internal storage means failure of the whole Mac, which can’t then boot from an external disk, which lacks the essential iSC and can’t provide 1TR either. I think this is already true for Macs with T2 chips, with their single security policy, rather than one for each bootable operating system as in the M1. I suspect it’s also, in part at least, responsible for the lack of an Internet Recovery Mode in M1 Macs.


ContentFilterExclusionList Gone in macOS 11.2 Beta 2

Patrick Wardle (tweet, Hacker News):

Unfortunately, Apple (without telling anybody) decided to “exclude” or exempt over 50 of its own applications (such as the App Store) and daemons from being routed thru the Network Extension Framework.


Due to the ContentFilterExclusionList list any traffic generated from these “excluded” items could not be filtered or blocked by a socket filter firewall (such as LuLu). Many (rightfully) asked, “What good is a firewall if it can’t block all traffic?” I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic[…]


Well, after lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed.

Norbert Heger:

Thanks Apple for listening!


Big Sur on M1 (and possibly on Intel) maintains a persistent, hardware-serial-number linked TLS connection to Apple (for APNS, just like on iOS) at all times when you are logged in, even if you don’t use iCloud, App Store, iMessage, or FaceTime, and have all analytics turned off.

There’s no UI to disable this.

This means that Apple has the coarse location track log (due to GeoIP of the client IP) for every M1 serial number.


This change is essential for blocking such traffic, and I’m glad for it, but there is a long way to go when it comes to pressuring the pro-privacy forces inside of Apple to do more.


Update (2021-02-05): Jeffrey Paul:

There are several privacy/usage leaks remaining in the OS, but now they can be effectively blocked without affecting the overall operation of the device.

Reminder: iMessage Not Meaningfully E2E

David Heinemeier Hansson (Hacker News):

If you use iCloud Backup AT ALL, which is the default, your use of iMessage is not E2E because Apple has a backup of the encryption keys 🤯. And even if you turn off this backup, your recipient probably didn’t. So iMessage is not meaningfully E2E at all!


Apple’s marketing of iMessage’s E2E is seriously deceptive.

You would think a company serious about privacy would explain the situation in plain English. Or allow more granular control so that you don’t have to choose between giving Apple all your messages and not having a cloud backup.

David Heinemeier Hansson:

I cannot believe Apple conned me into thinking iMessage was meaningfully E2E 😞.

David Heinemeier Hansson:

So say you wake up one morning. Realize that Apple has been lying about E2E with asterisks and omissions and defaults, and you then turn off your iCloud backup. How long does it take before these backups are permanently gone from Apple’s servers? Can’t find a retention answer.

Noah Williams:

Hey so since @dhh has just reminded me of all the ways Apple deceives us into thinking their products are secure, I’d just like to compile my thoughts on all the ways backdoors currently exist within iOS[…]

Apple saves your call logs to the cloud unless you turn off iCloud Drive (not iCloud backups)[…]


The default length of an iOS passcode which you’re prompted to set up out of the box is six digits, which is laughably easy to brute force.


Also, you can’t even request to disable server side logging of Siri commands without putting your phone in supervised mode…


Update (2021-01-18): See also: Hacker News.