Terry Stanford

Blocking Apple Processes in Mac OSX


I have used Little Snitch for years. I use Mac computers, I suspect I will one day soon have to leave Apple for good and go totally over to Linux which is scary for me, not being too technically gifted! But the way Apple is going, it's a certainty now I think.
I have recently started trying to block all the many Apple processes I don't damn well want and I don't damn well need! Photo Library "Analysis" daemon, icloud connections when I don't use Icloud, a million others!
Does anyone know of a good little snitch ruleset I can copy or subscribe to? It would need to be from someone who blocks as much Apple stuff as possible


Heads up: Last I heard, Apple robbed the system interfaces Little Snitch uses of its teeth. Some Apple services, including telemetry, are unblockable with this on Big Sur and up.


» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.

» These are the community forums, not the support portal. You're writing with other users here.

» New here? LZ1's New User Guide to AirVPN. Use the search function, Luke!

» Tor exits behind a VPN connection are discouraged. Using Tor on the other hand is not.

 

» Privacy is like alcohol: Drink a little and it can help you stay unnoticed. Drink a lot and everyone will notice you.

» I cannot give you the solution to all your issues. But I can guide you to it. The rest is up to you.

8 hours ago, Terry Stanford said:

I have used Little Snitch for years. I use Mac computers, I suspect I will one day soon have to leave Apple for good and go totally over to Linux which is scary for me, not being too technically gifted! But the way Apple is going, it's a certainty now I think.
I have recently started trying to block all the many Apple processes I don't damn well want and I don't damn well need! Photo Library "Analysis" daemon, icloud connections when I don't use Icloud, a million others!
Does anyone know of a good little snitch ruleset I can copy or subscribe to? It would need to be from someone who blocks as much Apple stuff as possible

I am also curious about the ultimate rule set.
Also Linux can be nice and forgiving like linuxmint or ubuntu.
Btw I "discovered" this nice website: https://sunknudsen.com/privacy-guides. You can learn a lot and sometimes you can use it on Linux too ;-)

Greetings, Casper

17 hours ago, OpenSourcerer said:

Heads up: Last I heard, Apple robbed the system interfaces Little Snitch uses of its teeth. Some Apple services, including telemetry, are unblockable with this on Big Sur and up.

You're bang on. And this is one of about 1000 reasons why Apple has a limited future on my desk. Having been using it daily for 15 years, they are no longer what they once were. They are now a radical outfit doing just what Windows always did, but doing it under the guise of being a "privacy respecting" company. Utter BS. When the day comes that I can't run Mojave, I will be on Linux. I am dreading that day for business stuff, but I could do it for personal stuff quite easily.
 

10 hours ago, Casper31 said:
I am also curious about the ultimate rule set.
Also Linux can be nice and forgiving like linuxmint or ubuntu.
Btw I "discovered" this nice website: https://sunknudsen.com/privacy-guides. You can learn a lot and sometimes you can use it on Linux too 😉

Greetings, Casper
I have been researching privacy stuff for years. Yes, I saw a few of Knudsen's videos, a pretty good basic round-up, especially for beginners. But there is SO much more Apple does now which he (and nobody else) covers. I honestly don't think many people realise just how sneaky Apple are being lately. In a word, BASTARDS.


We all point at the big companies for being bastards, when they're actually compelled to do what they do because capitalism works this way. :D
Open source is a simple antithesis for this, for it does not rely on money to be alive at all




I respect your view, but I do get very tired of people just dumping on "capitalism" as some big evil entity that causes all the problems. Capitalism certainly has its problems, but what system doesn't? Or were you about to suggest Communism is better? If so, an impartial look at both, good AND bad of both, might correct that error!
Capitalism is also the reason we have computers, internets, healthcare, and a billion other things. There are things I detest about Capitalism, but they are all ultimately flaws of humanity, not capitalism, and the same flaws play out with far bigger dangers in most other systems. Money isn't evil, people are. People without money are still evil, but without free markets to play in, they can do much more harm, much more quickly. Besides, nearly all the biggest evil corporations in capitalism are RUN by outright MARXISTS! :D As usual, they love to dump on the system that gives them all their power and wealth, because they know it will never go away, and they get brownie points with misguided youth by bitching about capitalism and claiming they love left wing theory. They speak with two tongues, as does the devil :)


Maybe it was slightly uncalled for, as I was referring to privacy in general being a cost factor companies like to throw away first when they need to cut costs or make more profit again. Making telemetry unblockable gives them more data to work with and sell to advertisers.
But I am not going to start a discussion on political theory here. If you're interested, write me a message; I'm sure we can dive into a little discussion about it as we both have good and bad arguments to throw into the room. :D I remember the quote, discussion is an exchange of knowledge, an argument is an exchange of ignorance.




hahaha. that's a great quotation!! (An argument is also the presentation of a viewpoint of course, but that's a different context to "argument" as meant there, it's a really great quote!)

Yes, I don't disagree with anything you said there at all. The ONLY bone I pick is when people (not necessarily you either, but many others do), choose to just 'blame capitalism' as the root of all evil. The only root of any evil is the person conducting it, I would 'argue' so anyway :)
Furthermore, I think free market economics provides the fastest and most efficient route to a solution of these problems, such as the privacy issue. MANY people chose Apple (including me to some degree) over Windows due to its protestations of 'respecting user's privacy'. We now can see that was all a ruse, a con trick to harbour millions of users, only THEN do they unleash the truth. But again, people (like me) will choose to vote with their feet, and their money, and go elsewhere. For a while there have been few alternatives, and some would say there still are. But in time, a truly privacy respecting platform will emerge and will take the market, and if they 'sell out', another will come along. I am all for FOSS stuff, I use a lot of it myself as it does come with certain protections (removal of profit-motive being one as you rightly pointed out). Sadly, as with countless FOSS projects, support can only go so far when it grows exponentially, hence I think paid upgrades to FOSS stuff is the future (Bitwarden for example, or many others) and whilst they will make LESS money, they will make enough for devs to get well paid, and so they should, if they make something truly privacy-orientated but they also get to eat a decent meal now and then instead of donuts and coke :D

All other things aside, I am in no doubt whatsoever that Apple is just another big tech monolith which needs to be beaten at its own game, and it will. And when that happens, I won't waste a cupful of piss to put out Apple's burning grave. :D


Linux for now is my future, Windows is a no-brainer, Apple is now too. If I wasn't so stuck in the Apple ecosystem with business stuff, software and hardware (which I still rate), I wouldn't touch another Apple device as long as I live. I recently smashed my iPhone, and it was very satisfying :)


 

On 3/25/2021 at 7:48 PM, Terry Stanford said:

hahaha. that's a great quotation!! (An argument is also the presentation of a viewpoint of course, but that's a different context to "argument" as meant there, it's a really great quote!)

Yes, I don't disagree with anything you said there at all. The ONLY bone I pick is when people (not necessarily you either, but many others do), choose to just 'blame capitalism' as the root of all evil. The only root of any evil is the person conducting it, I would 'argue' so anyway :)
Furthermore, I think free market economics provides the fastest and most efficient route to a solution of these problems, such as the privacy issue. MANY people chose Apple (including me to some degree) over Windows due to its protestations of 'respecting user's privacy'. We now can see that was all a ruse, a con trick to harbour millions of users, only THEN do they unleash the truth. But again, people (like me) will choose to vote with their feet, and their money, and go elsewhere. For a while there have been few alternatives, and some would say there still are. But in time, a truly privacy respecting platform will emerge and will take the market, and if they 'sell out', another will come along. I am all for FOSS stuff, I use a lot of it myself as it does come with certain protections (removal of profit-motive being one as you rightly pointed out). Sadly, as with countless FOSS projects, support can only go so far when it grows exponentially, hence I think paid upgrades to FOSS stuff is the future (Bitwarden for example, or many others) and whilst they will make LESS money, they will make enough for devs to get well paid, and so they should, if they make something truly privacy-orientated but they also get to eat a decent meal now and then instead of donuts and coke :D

All other things aside, I am in no doubt whatsoever that Apple is just another big tech monolith which needs to be beaten at its own game, and it will. And when that happens, I won't waste a cupful of piss to put out Apple's burning grave. :D


Linux for now is my future, Windows is a no-brainer, Apple is now too. If I wasn't so stuck in the Apple ecosystem with business stuff, software and hardware (which I still rate), I wouldn't touch another Apple device as long as I live. I recently smashed my iPhone, and it was very satisfying :)


 

I wonder which Android phone you are going to buy ;-) or an alternative.
Casper

On 3/24/2021 at 10:40 PM, OpenSourcerer said:

Heads up: Last I heard, Apple robbed the system interfaces Little Snitch uses of its teeth. Some Apple services, including telemetry, are unblockable with this on Big Sur and up.


Hello!

Services in macOS Sierra and later versions (up to Big Sur 11.1) had hard-coded exceptions ("ContentFilterExclusionList") in the Network Extensions Framework to have their traffic go through any policy enforced via the Network Extensions API (which is not anyway the correct API to use to enforce a filtering table).

The problem became relevant in Big Sur only, and not earlier, and only for people using improper firewalls, because it was only on Big Sur that Apple dropped support for Network Kernel Extensions. Please note that Network Kernel Extensions usage had been deprecated for years and the support drop was announced about one year before the fact, thus the fact that some apps still relied on them is the developers' fault.

However, the traffic of all Apple services could be blocked as usual with proper firewall rules; nothing changed. You could use pf, for example, as a pre-installed userspace tool (and probably the best firewall known to mankind ever) to the kernel filtering table, which is a method to properly craft filtering rules without adding custom kexts, which have absolute power on the system and which must be blindly trusted by the user (they have been a cause of problems and crashes on Mac).

Network Lock in our applications did not allow ANYTHING out of the tunnel, including Apple telemetry service and any other process included in the exceptions, even during the period where the exceptions were enforced (from Sierra to Big Sur), because Network Lock uses pf in Mac, as it is appropriate.

The "ContentFilterExclusionList" has been removed by Apple in January 2021 from Big Sur 11.2 beta 2, so the problem at API level is no more, starting from Big Sur 11.2, and in general the issue never existed for people using our software Network Lock.

Kind regards
 

1 hour ago, Staff said:

The "ContentFilterExclusionList" has been removed by Apple in January 2021 from Big Sur 11.2 beta 2, so the problem at API level is no more, starting from Big Sur 11.2, and in general the issue never existed for people using our software Network Lock.


Thanks for this bit of info. It's good that it's fixed.
 
1 hour ago, Staff said:

Network Lock in our applications did not allow ANYTHING out of the tunnel, including Apple telemetry service and any other process included in the exceptions, even during the period where the exceptions were enforced (from Sierra to Big Sur), because Network Lock uses pf in Mac, as it is appropriate.


When people use Little Snitch, I believe they want to stop telemetry, not force it to be sent on another path. Which is why I don't understand how Eddie's NetLock via pf compares to Little Snitch and the API it uses.


3 hours ago, OpenSourcerer said:
When people use Little Snitch, I believe they want to stop telemetry, not force it to be sent on another path. Which is why I don't understand how Eddie's NetLock via pf compares to Little Snitch and the API it uses.

Hello!

Network Lock stops macOS telemetry by blocking any traffic outside the VPN tunnel via pf rules. When Apple programs try to bind their socket to the physical network interface, their packets are blocked by the kernel filtering table set up by Network Lock. Therefore our customers were fully protected even during those months in which LittleSnitch and Lulu etc. were ineffective against the nasty Apple "exceptions".

Note for the readers: it's not possible to do that in iOS, due to the fact that an iOS user has limited privileges to her device (in this case, you have no way to reach and set the kernel filtering table or set arbitrary routes outside the limits enforced by Apple to VPN service). In iOS, traffic of some Apple services will always bypass the VPN, by policy, and Apple can bypass a VPN in any case with any future program. Contrarily to what happened in Big Sur, in iOS some Apple programs will continue to bypass the VPN tunnel.

Kind regards
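The pf-based approach Staff describes in this reply and in the earlier one (drop everything that tries to leave on the physical interface at the kernel filtering table, instead of filtering through the NetworkExtension API) can be illustrated with a small ruleset generator. This is an added example, not AirVPN's Network Lock code and not Apple documentation; the interface names (en0, utun0), the server address 203.0.113.10 and port 443/udp are placeholder assumptions that the caller supplies.

```shell
#!/bin/sh
# Added example (not AirVPN's Network Lock): generate a pf "kill switch"
# ruleset of the kind described in the thread. Only the VPN handshake may
# leave on the physical interface; all other traffic must use the tunnel.
#
# Usage: gen_pf_rules <physical_if> <tunnel_if> <vpn_server_ip> <vpn_port> [proto]
gen_pf_rules() {
  phys_if="$1"; tun_if="$2"; vpn_ip="$3"; vpn_port="$4"; proto="${5:-udp}"
  cat <<EOF
# --- pf kill-switch ruleset (constructed example, values are assumptions) ---
# Loopback is never filtered.
set skip on lo0
# Default policy: drop everything, in and out, on every interface. This is
# what catches a process that binds its socket to $phys_if directly.
block drop all
# The only traffic allowed out on the physical interface is the VPN channel
# to the configured server. "quick" ends rule evaluation at the first match,
# so no later rule can re-allow other traffic on $phys_if.
pass out quick on $phys_if proto $proto from any to $vpn_ip port $vpn_port keep state
# Everything else goes through the tunnel interface only.
pass out quick on $tun_if all keep state
pass in  quick on $tun_if all keep state
EOF
}

# Sanity check: count the rules that let traffic out on the physical
# interface. A correct kill switch yields exactly one (the VPN server rule).
count_phys_pass_rules() {
  gen_pf_rules "$@" | grep -c "^pass out quick on $1 "
}

# Load the ruleset into pf on macOS/BSD. Needs root and replaces the live
# main ruleset, so it is not called by default; invoke it explicitly.
load_pf_rules() {
  tmp=$(mktemp) || return 1
  gen_pf_rules "$@" > "$tmp" && pfctl -e -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Print the ruleset for review when run directly (constructed values).
gen_pf_rules en0 utun0 203.0.113.10 443 udp
```

Loading with `pfctl -f` replaces the main ruleset, so Apple's own anchors from `/etc/pf.conf` are not carried over; the check Staff suggests still applies: run tcpdump on the physical interface and confirm that, with the rules loaded and the tunnel down, nothing but the VPN handshake attempts appears there.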
 

1 hour ago, Staff said:

Network Lock stops macOS telemetry by blocking any traffic outside the VPN tunnel via pf rules. When Apple programs try to bind their socket to the physical network interface, their packets are blocked by the kernel filtering table set up by Network Lock. Therefore our customers were fully protected even during those months in which LittleSnitch and Lulu etc. were ineffective against the nasty Apple "exceptions".


This implies that Apple services all bind to that NIC, and that NIC only, which I find difficult to imagine. Unless you've got documentation saying otherwise, of course. In Apple's stead I'd use any available interface for connectivity, and that means, nothing is blocked if OpenVPN establishes a connection.


37 minutes ago, OpenSourcerer said:

This implies that Apple services all bind to that NIC, and that NIC only

Hello!

Of course, that's the core of the issue and one of the purposes of the NetworkExtension hard-coded exceptions. Note that a VPN that does not have a kernel extension (and anyway kexts are no longer supported), running in userspace, relies on the NetworkExtension framework to tunnel traffic etc.

You can verify that no traffic is seen in the VPN tunnel and that it flows out of it (if Network Lock is disabled) with tools like tcpdump or Wireshark in the OS versions affected by the problem. That's also the problem experienced by Mac users who could not access Apple services when Network Lock was on, obviously, but only in certain macOS versions, while in other versions they had no problems.

To mention one of our competitors, just to remain above any suspicion :), PIA wrote in "PrivateNews" that "the Apple App Store and 50 other Apple apps are allowed to bypass user based internet routing rules which means Apple could know your real IP address" (bold and underline are ours).

It makes sense in the eye of a profiler: being sure that you can link a "real" IP address to a certain profile is a "good thing", because it makes profiling effective and it bypasses the risks of proxy / VPN or, more trivially, local routing table blocks (null routing etc.). Moreover, it can destroy the anonymity layer of a user who has been careful to always hide the real IP address from Apple since she bought a certain computer.

This problem has existed since 2017 and Symantec publicly denounced it; Apple answered it was a feature. However, in 2017 kexts were still supported, so the problem did not seem so huge in the eyes of many users because "anyway I can block via LittleSnitch etc."
 
Quote:

I find difficult to imagine. Unless you've got documentation saying otherwise


You can start directly from Apple itself, it's not a secret how Network Extension framework works. See the developer's documentation of the NetworkExtension framework. An overview is given here https://developer.apple.com/documentation/networkextension

Kind regards
 

19 minutes ago, Staff said:

It makes sense in the eye of a profiler: being sure that you can link a "real" IP address to a certain profile is a "good thing", because it makes profiling effective and it bypasses the risks of proxy / VPN or, more trivially, local routing table blocks (null routing). Moreover, it can destroy the anonymity layer of a user who has been careful to always hide the real IP address from Apple since she bought a certain computer.


This is where security and privacy meet in a bloody battle, I guess.
  • If malware can open a VPN connection and block the connection to such a feature, it will compromise the already compromised user security even more. It may allow installation of even more sketchy crap without alerting the user of that. I can now imagine why Apple would do that, from a pure security perspective. The only thing which wouldn't be okay is if this can really be abused by malware as claimed; but further research should be conducted in this direction, not spreading this like FUD.
  • And of course you can argue that it's data profiler programs can use, which is the other side of the battle. PIA writes the only data is a cert, a timestamp and an IP address. If that is the case, it's quite little data to work with, let alone identify someone. You can argue "but what if they combine this with other data" – which would be FUD again, right?


@OpenSourcerer

1) Sure. That's where the kernel filtering table may save you, while a filtering method based on the API itself can't. Proofs of concept to exploit the NetworkExtension exceptions have existed for months; it's not FUD. Of course future research might find even newer methods, and Apple's decision to cancel those exceptions might even be related to security considerations more than customers' respect. But even without those possible exploits, the behavior has been highly criticized by many Apple customers and is rightly seen as not acceptable.

2) Yes, it was a very risky move by Apple, and no surprise they have moved away from that after a few months. On top of that you need to consider all the other 50 apps which may expose your real IP address involuntarily to the other end, not necessarily Apple, which is always a very bad thing. The expansion of the attack surface with such a decision was remarkably high.

Kind regards
 


I will never trust Apple as long as I live. That's for many reasons over the years, but just as an example of why I hate them so much now...

I have just wiped a MacBook Pro ready to sell it. I made my own bootable USB installer for Catalina. I booted to the recovery volume, then formatted the internal SSD, completely wiped clean.

I then installed Catalina for the next owner. During the setup I decline all the crap, Siri, network setup etc. I actually ticked "this computer does not connect to the internet".
Catalina finished installing and loaded up into the fresh account. I then see it wants to install updates. How? It isn't on the internet?! YES IT IS. It has turned on WiFi and connected to my WiFi WITH a very secure password. Now I am thinking, how the F*CK does it know the password to my wifi? Where did it store that info if I formatted the internal drive? What if the new user drove to my house and sat outside, he could F*CKING connect to MY wifi?!

Someone blow up Apple, PLEASE!

1 hour ago, Terry Stanford said:

I will never trust Apple as long as I live. That's for many reasons over the years, but just as an example of why I hate them so much now...

I have just wiped a MacBook Pro ready to sell it. I made my own bootable USB installer for Catalina. I booted to the recovery volume, then formatted the internal SSD, completely wiped clean.

I then installed Catalina for the next owner. During the setup I decline all the crap, Siri, network setup etc. I actually ticked "this computer does not connect to the internet".
Catalina finished installing and loaded up into the fresh account. I then see it wants to install updates. How? It isn't on the internet?! YES IT IS. It has turned on WiFi and connected to my WiFi WITH a very secure password. Now I am thinking, how the F*CK does it know the password to my wifi? Where did it store that info if I formatted the internal drive? What if the new user drove to my house and sat outside, he could F*CKING connect to MY wifi?!

Someone blow up Apple, PLEASE!


How much are you selling your MacBook for?

Just now, Terry Stanford said:

Why?!
To someone in the privacy community - £5,000 :D


Flawed as they are, I like them. Hmm, it's in those pound units, too rich for my wallet.

4 hours ago, flat4 said:

How much are you selling your MacBook for?


Don't know if I should mod you for the interest in an overpriced laptop or that you're trying to conduct business here… :D

