New subject: Jeffrey Paul: Your Computer Isn't Yours

Nov. 15, 2020

      Caro Alberto,

Chi ha scritto quanto sotto non capisce il problema e non sa di che cosa sta parlando.

1) OCSP _deve_ essere in HTTP - essendo un protocollo per verificare scaricare i certificati pubblici delle certification authority.
Non sarebbe possibile scaricare un certificato da verificare usando lo stesso certificato per cifrare la comunicazione (chicken and egg problem).

2) Il download di Big Sur richiede (giustamente!) la certificazione del server da cui scaricare l’update - per ovvi motivi.
Il carico eccessivo ha fatto crollare i server OCSP. E quindi impedire ulteriori richieste di download.

3) Quanto sopra non c’entra NULLA con la raccolta di informazioni statistiche e di debug relative ad applicazioni in uso - che certo non avviene tramite protocollo OCSP su HTTP.
Ipotizzo che il blocco del servizio OCSP abbia bloccato/reso malfunzionante anche questa raccolta dati in quanto il servizio non poteva usare cifratura per gli stessi motivi di cui sopra.

4) Durante l’installazione del SO, e ad ogni aggiornamento dell'SO, apple chiede espressamente se vuoi partecipare alla raccolta dati, con una pagina chiara e dedicata. Questo sia per MacOS, iOS, iPadOS.

5) Tale opzione si può cambiare in qualunque momento da pannello di controllo, con 3 semplici click (da pannello controll -> Sicurezza e Privacy -> Privacy -> Analisi e miglioramenti)

6) Nello stesso pannello ci sono chiare informazioni su che dati sono condivisi. Sotto un estratto delle stesse.

In sostanza - tanto rumore per nulla.

Un caro saluto
M
—
I dati di analisi comprendono le specifiche hardware e software del tuo computer, inclusi i dati sui dispositivi connessi al Mac, la versione del sistema operativo e le app installate. Le informazioni che potrebbero consentire di identificarti non vengono salvate nei resoconti generati dal Mac e vengono trattate in conformità alle politica di tutela della privacy di tipo differenziale. In alternativa, prima di essere inviati ad Apple, tale tipo di dati viene eliminato dai resoconti. Se vuoi inviare una descrizione delle attività che stavi svolgendo nel momento in cui si è verificato il problema, fai clic sull’icona a triangolo e inserisci i tuoi commenti, facendo attenzione a non inserire informazioni personali.
[…]
Per visualizzare le informazioni di analisi che vengono inviate ad Apple, puoi utilizzare l’app Console. Apri l'app Console, quindi nella barra laterale fai clic su “Dati di analisi Mac”. Console mostra le informazioni di analisi anche se non hai selezionato l’opzione per l’invio automatico dei resoconti. Gli elementi in SubmitDiagInfo indicano quando le informazioni di analisi sono state inviate ad Apple.
[…]
Tutte le informazioni di analisi vengono inviate ad Apple in forma anonima.
[…]
Puoi scegliere di non condividere i dati relativi ai blocchi e le statistiche d'uso con gli sviluppatori di terze parti. Per farlo, vai in Preferenze di Sistema > Sicurezza e Privacy > Privacy, fai clic su “Analisi e miglioramenti” e deseleziona “Condividi con gli sviluppatori di app”.
[…]

—
Prof. Marco Mellia
SmartData@PoliTO coordinator - https://smartdata.polito.it
Dipartimento di Elettronica e Telecomunicazioni
Politecnico di Torino
Corso Duca Degli Abruzzi 24
10129 - Torino - IT
Tel: +39-011-090-4173 (DET / Polito)
Tel: +39-011-090-3901 (SmartData / OGR)
Cel: +39-331-6714789
Skype: mgmellia
Home page: https://www.telematica.polito.it/member/marco-mellia/

Il giorno 15 nov 2020, alle ore 09:44, nexa-request@server-nexa.polito.it<mailto:nexa-request@server-nexa.polito.it> ha scritto:

Message: 4
Date: Sun, 15 Nov 2020 08:44:51 +0000
From: Alberto Cammozzo <ac+nexa@zeromx.net<mailto:ac+nexa@zeromx.net>>
To: Stefano Quintarelli <stefano@quintarelli.it<mailto:stefano@quintarelli.it>>, Nexa
<nexa@server-nexa.polito.it<mailto:nexa@server-nexa.polito.it>>
Subject: Re: [nexa] Jeffrey Paul: Your Computer Isn't Yours
Message-ID: <63D56C0D-FEA8-42EC-A210-4D6D54A4E4BF@zeromx.net<mailto:63D56C0D-FEA8-42EC-A210-4D6D54A4E4BF@zeromx.net>>
Content-Type: text/plain; charset="utf-8"

Non saprei.
Segnalo un commento che farebbe pensare di no.
Se la sicurezza viene centralizzata diventa censura, anche concedendo che non sia censura by design...

Does Apple really log every app you run? A technical look

<https://blog.jacopo.io/en/post/apple-ocsp/>

Apple?s launch of macOS Big Sur was almost immediately followed by server issues which prevented users from running third-party apps on their computers. While a workaround was soon found by people on Twitter, others raised some privacy concerns related to that issue.

   Hey Apple users:

   If you're now experiencing hangs launching apps on the Mac, I figured out the problem using Little Snitch.

   It's trustd connecting to https://t.co/FzIGwbGRan

   Denying that connection fixes it, because OCSP is a soft failure.

   (Disconnect internet also fixes.) pic.twitter.com/w9YciFltrb<http://pic.twitter.com/w9YciFltrb>
   ? Jeff Johnson (@lapcatsoftware) November 12, 2020

What is OCSP?

OCSP stands for Online Certificate Status Protocol1. As the name implies, it is used to verify the validity of a certificate without having to download and scan large certificate revocation lists. macOS uses OCSP to make sure that the developer certificate hasn?t been revoked before an app is launched.

As Jeff Johnson explains in his tweet above, if macOS cannot reach Apple?s OCSP responder it skips the check and launches the app anyway - it is basically a fail-open behaviour. The problem is that Apple?s responder didn?t go down; it was reachable but became extremely slow, and this prevented the soft failure from triggering and giving up the check.

It is clear that this mechanism requires macOS to contact Apple before an app is launched. The sudden public awareness of this fact, brought about by Apple?s issues, raised some privacy concerns and a post from security researcher Jeffrey Paul2 became very popular on Twitter. He claims that

   In the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it.

That would be creepy indeed.

To make things worse, it is common for OCSP to use HTTP - I?m talking about good old plaintext HTTP on port 80, none of that HTTPS rubbish. There is usually a good reason for this, that becomes especially clear when the OCSP service is used for web browsers: preventing loops. If you used HTTPS for checking a certificate with OCSP then you would need to also check the certificate for the HTTPS connection using OCSP. That would imply opening another HTTPS connection and so on.

Of course while OCSP does not mandate encryption, it does require that responses are signed by the server. This still doesn?t solve the initial concern that anyone with a traffic analyzer on your network could evasdrop every app you open and when you open it.
Diving deeper

Knowing some OCSP basics, more questions arise. OCSP is about checking certificates; why should this have anything to do with sending out hashes of apps you run? Does macOS really compute the hash of each executable at each launch? What about very large ones? That would take a significant amount of time; is it possible that nobody noticed? Maybe the hash is computed only once (e.g. the first time you run the app) and it is stored somewhere. But I?m not convinced and I think these claims needs more research.[...]

On November 14, 2020 9:53:31 PM UTC, Stefano Quintarelli <stefano@quintarelli.it<mailto:stefano@quintarelli.it>> wrote:
ciao,
non c'e' un setting nel sistema operativo per dire "non mandare info a
apple" ?
ciao, s.

On 14/11/2020 22:31, Alberto Cammozzo via nexa wrote:
<https://sneak.berlin/20201112/your-computer-isnt-yours/
<https://sneak.berlin/20201112/your-computer-isnt-yours/>>

Your Computer Isn't Yours
12 November 2020

It?s here. It happened. Did you notice?

I?m speaking, of course, of the world that Richard Stallman predicted
in
1997. The one Cory Doctorow also warned us about.

On modern versions of macOS, you simply can?t power on your computer,

launch a text editor or eBook reader, and write or read, without a
log
of your activity being transmitted and stored.

It turns out that in the current version of the macOS, the OS sends
to
Apple a hash (unique identifier) of each and every program you run,
when
you run it. Lots of people didn?t realize this, because it?s silent
and
invisible and it fails instantly and gracefully when you?re offline,
but
today the server got really slow and it didn?t hit the fail-fast code

path, and everyone?s apps failed to open if they were connected to
the
internet.

Because it does this using the internet, the server sees your IP, of
course, and knows what time the request came in. An IP address allows

for coarse, city-level and ISP-level geolocation, and allows for a
table
that has the following headings:

Date, Time, Computer, ISP, City, State, Application Hash

Apple (or anyone else) can, of course, calculate these hashes for
common
programs: everything in the App Store, the Creative Cloud, Tor
Browser,
cracking or reverse engineering tools, whatever.

This means that Apple knows when you?re at home. When you?re at work.

What apps you open there, and how often. They know when you open
Premiere over at a friend?s house on their Wi-Fi, and they know when
you
open Tor Browser in a hotel on a trip to another city.

?Who cares?? I hear you asking.
[...]

_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it<mailto:nexa@server-nexa.polito.it>
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa

--
reserve your meeting with me at https://cal.quintarelli.it<https://cal.quintarelli.it/>

Re: [nexa] nexa Digest, Vol 139, Issue 21

MELLIA MARCO

Giovanni Biscuolo

Alberto Berti

Giovanni Biscuolo

Alberto Berti

tags

participants (3)