The Trials and Tribulations of Keeping Up with Apple’s Security Lockdowns

Originally published at: The Trials and Tribulations of Keeping Up with Apple’s Security Lockdowns - TidBITS

At Rogue Amoeba’s blog Under the Microscope, Paul Kafasis writes:

During this time, Apple placed an emphasis on improving the security of MacOS, continually locking the operating system down further and further. Though their changes weren’t aimed at the legitimate audio capture we provided our users, they nonetheless made that capture increasingly difficult. We labored to keep our tools functioning with each new version of MacOS. Through it all, we lived with a constant fear that Apple would irreparably break our apps.

In 2020, the disaster foreshadowed literally one sentence ago struck. Beta versions of MacOS 11 broke ACE, our then-current audio capture technology, and the damage looked permanent. When we spoke briefly to Apple during WWDC 2020, our appeals for assistance were flatly rejected. We spent weeks attempting to get ACE working again, but eventually we had to admit defeat. ACE as we knew it was dead in the water, and all options for replacing it involved substantial reductions in functionality. Though we did not discuss it publicly at the time, things looked grim for the future of our products.

It took three years of working with Apple, but Rogue Amoeba was eventually able to replace ACE with the next-generation audio capture technology ARK, all in the service of improving the first-run experience. It’s a fascinating story that reveals a bit of what developers go through in keeping up with Apple and its emphasis on platform security.

 


There’s an interesting article about why Apple might be getting so paranoid about security:


I would love to hear some inside stories about the kinds of threats that Apple sees. Every now and then we get a glimpse of the severity of these exploits, but seldom any real details. For instance, a security update from a year ago linked to a post with this comment:

Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.


Me too! I think we see a lot of the stories from the other side (i.e., the FBI whining about encryption). It’d be fascinating to see Tim Cook’s daily brief.

(The point I was making was that I think we sometimes lose sight of the issues to the point that we have multiple simultaneous articles that are connected to each other but that everyone is reacting independently to.)


I was directly affected by these events, as someone who owns & relies on several Rogue Amoeba apps for the broadcasting & ad-production work I do for a community radio station. I’m super-happy that Paul & his team were able to recover from Apple’s changes! (I’ll note that I recently got a refurbished MacBook Air to replace my old iMac, so I now benefit directly from the considerably smoother installation of ARK versus the hoops required to install the previous ACE tool.)

And watch this space, since there’s going to be another one. :-)


To close the loop, I was referring to my latest article about how bootable backups are on the way out because they pose inherent security risks.

I’ve deleted the off-topic post reiterating complaints about Apple along with the replies.

A post was merged into an existing topic: It’s Time to Move On from Bootable Backups

I’m sure you’re aware of the 2TB custom SSDs that have been reverse-engineered for the M4 Mac Mini – now available on eBay. Ignoring the perils of opening the M4 Mac Mini, the OS must be installed on that SSD through a second Mac on the network while rebooting the Mac Mini in DFU mode.

It would be far easier to have those SSDs come with macOS installed. OTOH, it’s far more secure to have the customer download and install the OS on his machine. My understanding is that the OS image is customized with a tag from the M4 CPU.

Yes, but it can’t be done. In addition to installing macOS, Configurator sets up the cryptographic pairing between the SSD and your motherboard. It (obviously) can’t be done from a different computer.

Apple has quietly been adding Lockdown restrictions to browsers. I’m not sure precisely what threats Apple could be guarding against.

More than a year ago, I discovered that I couldn’t log into my bank’s website. So I turned off Lockdown for that site in Safari.

Last week I discovered another, unrelated site that I couldn’t log into. Not on my Mac, iPhone, or iPad. A site I hadn’t logged into for a month – though I’d used it weekly for more than a year before then. Before 26.4.1 that is.

For anyone using Lockdown having recent problems with a previously usable site, I recommend going to the site using Safari, and opening its in-app Settings menu, then

Uncheck “Use Reader when available” (sometimes that itself could be the problem), but if that doesn’t work, uncheck “Enable Lockdown Mode” [which I didn’t need to do for TidBITS].

You should only need to do this on a Mac using your Apple Account; it should carry over to all the other devices (iPhones, iPads, etc.) on the account.

According to Apple that checkbox in Safari is intended to exclude certain sites from Lockdown mode restrictions when the Mac itself is configured to be in Lockdown Mode. If your Mac is not in lockdown mode, that checkbox shouldn’t do anything.

Do you normally run your Mac in Lockdown mode? If so, then it makes perfect sense that your bank and other web sites might not work properly in that mode. If not, then there may be a bug (implementing some Lockdown features when the mode is not enabled) or that Safari setting does more than Apple has documented.


I don’t know how closely you follow organizations such as the Citizen Lab at the University of Toronto and the work they do exposing cyberattacks on people who need Lockdown Mode…but if you’re interested, this book, written by the founder of Citizen Lab, has stories about actual threats Apple is guarding against.
https://www.simonandschuster.com/books/Chasing-Shadows/Ronald-J-Deibert/9781668014059

The writing, as might be expected from a practicing academic, can be slightly dry at times but overall I enjoyed reading the book.

I’ve never seen such an option; perhaps because it only appears when you have set your Mac to be in Lockdown. According to Apple, Lockdown mode affects web access:

“Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.”

I believe that ‘complex web technologies’ means just-in-time JavaScript.