Archive for July 6, 2022

Wednesday, July 6, 2022

Lockdown Mode

Apple (MacRumors, Hacker News):

Apple today detailed two initiatives to help protect users who may be personally targeted by some of the most sophisticated digital threats, such as those from private companies developing state-sponsored mercenary spyware. Lockdown Mode — the first major capability of its kind, coming this fall with iOS 16, iPadOS 16, and macOS Ventura — is an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security.

[…]

Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.

Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.

Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.

And no configuration profiles. This sounds great, though I would rather see something like Little Snitch for iOS to help protect against rogue apps.

See also: Lorenzo Franceschi-Bicchierai, Ron Deibert.

EU Approves Digital Markets Act and Digital Services Act

Hartley Charlton (Hacker News):

European Union lawmakers have approved landmark legislation to heavily regulate Apple, Google, Meta, and other big tech firms.

[…]

Under the DMA, gatekeepers may have to:

  • Allow users to install apps from third-party app stores and sideload directly from the internet.
  • Allow developers to offer third-party payment systems in apps and promote offers outside the gatekeeper’s platforms.
  • Allow developers to integrate their apps and digital services directly with those belonging to a gatekeeper. This includes making messaging, voice-calling, and video-calling services interoperable with third-party services upon request.
  • Give developers access to any hardware feature, such as “near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies.”

There are many more requirements, including one I hadn’t seen before: allowing third-party voice assistants as the default.

EFF (via Nick Heer):

The final bill avoids transforming social networks and search engines into censorship tools, which is great news. It also retains important principles under the previous internet rules that helped to make the internet free, such as allowing liability exemptions for online platforms for the speech of others and limiting user monitoring. And it improves things as well, by imposing higher standards for transparency around content moderation and creating more user control over algorithmically-curated recommendations.

However, the DSA is not a panacea for all problems users face online and the final deal isn’t all good news: It gives way too much power to government agencies to flag and remove potentially illegal content and to uncover data about anonymous speakers.

Update (2022-07-25): See also: Hacker News.

Slow Mac Disk Image Writing

Howard Oakley:

While reading from each of the Disk Images was almost as fast as from the SSD, write speeds were severely reduced. The sparse bundle was least impaired, with a write speed just under half that of the SSD, but all three disk images wrote at less than 20% of SSD speed, with the encrypted disk image the worst of all, at less than 1%.

[…]

Given the high write performance of the SSDs used, this can only indicate that macOS is intentionally throttling threads responsible for performing writes to the encrypted disk image, and to unencrypted disk images too.

[…]

This difference may reflect Apple’s historical usage of disk images, which have been most commonly used for reading rather than writing. However, that has now changed, with write performance becoming important to the user in:

  • encrypted disk images used as a substitute for the absence of folder encryption in APFS;
  • both encrypted and unencrypted sparse bundles used for shared Time Machine backup storage;
  • unencrypted disk images used as Block Device storage in virtualisation.

Howard Oakley:

There’s a new twist: results differ when the image is still mounted after creation, and after unmount-remount.

I haven’t done encrypted UDSP, but
enc UDRW is 55 MB/s first time, 900 remounted;
enc UDSB is 360 first, 4.3 GB/s remounted;
plain UDRW 1.3 GB/s falls to 970 MB/s.

Update (2022-07-07): Howard Oakley:

This article presents a lot more data, which both clarify and confound. The TL;DR is that writing to macOS Disk Images – whether plain .dmg, sparse disk images, or sparse bundles – is a complete gamble. Sometimes they perform fairly well, and sometimes they’re excruciatingly slow.

[…]

As things stand, the only type of Disk Image which can be relied on to deliver acceptable write performance is the sparse bundle. If encrypted, when it has been freshly made and hasn’t been unmounted, write speed can be abysmal. But once written to and unmounted, it’s likely to deliver write speeds 60%-70% of those of the host SSD.

Thomas Tempelmann:

The disk (block) image device driver does not cache any decrypted data and also does not allow the use of macOS disk block cache to be used, all probably in order to prevent finding any unencrypted data in memory by an attacker. Thus, every time the file system driver wants to access a block, e.g. to traverse the directory b*tree, it’ll have to fetch the block from the SSD and then decode it. And I also suspect that even when encryption is not used, the block cache is denied, thus causing bad performance even then.

AppleScript Broken in macOS 12.5 Beta 5

Luc Beaudoin brought to my attention that there is a serious bug in the current Monterey beta. So far it’s affected every app I’ve tried that uses AppleScript. The script will fail with error -609 (connectionInvalid). Sometimes the script succeeds the first time, but then it will fail every subsequent time.

I can reproduce the error with a script as simple as:

tell application "Safari" to get URL of document of window 1

or this similar script for BBEdit.

Until this bug is fixed, I recommend not updating to the latest Monterey beta, as it is likely to cause widespread breakage. Even if you don’t write scripts yourself, many apps rely on them under the hood. For example, there are confirmed problems with:

I have filed a feedback (FB10565806) about this, as has Beaudoin (FB10563311).

Update (2022-07-07): It also affects the Dock and SuperDuper.

Update (2022-07-12): This seems to be fixed in the release candidate.