From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HTML_FONT_LOW_CONTRAST, HTML_MESSAGE,MAILING_LIST_MULTI autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 13400 invoked from network); 18 Jan 2023 19:50:50 -0000 Received: from minnie.tuhs.org (50.116.15.146) by inbox.vuxu.org with ESMTPUTF8; 18 Jan 2023 19:50:50 -0000 Received: from minnie.tuhs.org (localhost [IPv6:::1]) by minnie.tuhs.org (Postfix) with ESMTP id 2CD2142411; Thu, 19 Jan 2023 05:50:28 +1000 (AEST) Received: from mail-il1-f173.google.com (mail-il1-f173.google.com [209.85.166.173]) by minnie.tuhs.org (Postfix) with ESMTPS id AA0B042410 for ; Thu, 19 Jan 2023 05:50:19 +1000 (AEST) Received: by mail-il1-f173.google.com with SMTP id w2so77446ilg.1 for ; Wed, 18 Jan 2023 11:50:19 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:reply-to:cc:date:in-reply-to:from:subject :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=27wJhsur9KAX9KP2LRmfZ6mjbfJkgoTVSwDhldgmffA=; b=iOe7sTnWu7A/+11e71kel0FsrnJu6lxgswCXfbYeNLRyGmmzkRvXr4K+yl5KDMS0fe qMGU8xOyk2R3Ut/5HIb5M2ligqESWvivDi7eqsaQr+N0q5Nu6VjEsKqDVi608lrvKOBY gZUOf79LUfWsc9pSIaiw/L7VBrVRk58iGxcpsKJiHhwEOfdwoWHhOd2FYR1uFkZYzaFL KOu60Mx8CGAZ+dg8FZuPZGwcnskEluRF0bNXFyKM4sns6vkq+B/njKTdJPOKq1QV0URk KE3WPIOoni56BHDxkPTGennNo7U9PqFP3qS/oqTnTo27DiOc/PuVzAHrO483gEji13H0 QzhQ== X-Gm-Message-State: AFqh2kqzpmGSZpA6x+/gztlDkmk8iu+Phi45Jc/xd8nlBwW0mWMuoCC8 QZlkk/FbmKZsQ51tSs2FFG0= X-Google-Smtp-Source: AMrXdXurlPuu0X8cRkQADyUU4jRfisYXdJHFAbAgyRzSc6u2Yx/jcxAkMlPGajITi4sZXROFxojDyw== X-Received: by 2002:a05:6e02:1cc9:b0:30c:4558:1376 with SMTP id s9-20020a056e021cc900b0030c45581376mr5921041ill.3.1674071418940; Wed, 18 Jan 2023 11:50:18 -0800 (PST) Received: from kdbarto.org (107-193-50-41.lightspeed.sndgca.sbcglobal.net. [107.193.50.41]) by smtp.gmail.com with ESMTPSA id m4-20020a056e020de400b0030bf2476c5fsm10278640ilj.25.2023.01.18.11.50.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Jan 2023 11:50:18 -0800 (PST) Received: from smtpclient.apple (zaphod.local [IPv6:fe80::496:559e:4af6:b635]) by kdbarto.org (Postfix) with ESMTPS id EB2AD448C631; Wed, 18 Jan 2023 11:50:16 -0800 (PST) Content-Type: multipart/alternative; boundary="Apple-Mail=_7CFE27AE-C062-4E35-8959-54BD26923B6D" Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\)) From: David Barto In-Reply-To: <1315c448-c8e8-1ae5-ef34-0f7ba3fbb8a7@gmail.com> Date: Wed, 18 Jan 2023 11:50:16 -0800 Message-Id: <08D6905B-E615-4347-BF33-E8C9A7A703B8@kdbarto.org> References: <202301180943.30I9hrOw030485@freefriends.org> <202301181513.30IFDDUJ015224@freefriends.org> <20230118151446.GD2964@mcvoy.com> <20230118161959.GE2964@mcvoy.com> <20230118163840.GF2964@mcvoy.com> <1315c448-c8e8-1ae5-ef34-0f7ba3fbb8a7@gmail.com> To: Will Senn X-Mailer: Apple Mail (2.3696.120.41.1.1) Message-ID-Hash: QAM2LGZJREM3JTQO2V5BKUSLMGY4H3OC X-Message-ID-Hash: QAM2LGZJREM3JTQO2V5BKUSLMGY4H3OC X-MailFrom: kdbarto@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tuhs.tuhs.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: segaloco , tuhs@tuhs.org X-Mailman-Version: 3.3.6b1 Precedence: list Reply-To: david@kdbarto.org Subject: [TUHS] Re: Maintenance mode on AIX List-Id: The Unix Heritage Society mailing list Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --Apple-Mail=_7CFE27AE-C062-4E35-8959-54BD26923B6D Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 I think that the situation with MacOS is an (over) reaction to viruses, = worms, and the end users themselves. In order to make sure that the normal user doesn=E2=80=99t do something = silly to their system Apple has wound up restricting what the more = advanced and knowledgeable user can do. I=E2=80=99m in an in-between camp. I like to install what I want and as = long as I can do that, MacOS will work for me. And I like that Apple is = working to stop the =E2=80=9Cbad guys=E2=80=9D as much as possible. When installing what I want stops happening then I=E2=80=99ll stop = upgrading. Until then I=E2=80=99m willing to ride the Apple train. David > On Jan 18, 2023, at 9:21 AM, Will Senn wrote: >=20 > Wow, we're all over the place on this thread. I stopped updating my = Mac with Mojave. Occasionally, I flirt with more recent incarnations and = much like with recent Windows incarnations, I scurry back pretty quickly = to the stable and fast. ... and Mojave support 32 bit apps, which is = nice. It's fast, responsive, and locked down the way I like it. >=20 > The mutually exclusive goals represented by security/it lockdown = obsession and OS phone homeitis is ridiculous. One hopes that this is = not a permanent set of affairs. I would prefer my OS to be under my = control and secure my information, for me.=20 >=20 > Lately, I've been doing work with SculptOS on Genode - a capabilities = based OS running on a microkernel (trusted computing base). = Sculpts got a ways to go, but I like the way the architects are = thinking. >=20 > Will >=20 >=20 > On 1/18/23 11:08 AM, segaloco via TUHS wrote: >> Apple's unreasonable hardening has been the latest deterent to my = ever wanting to use macOS as a personal driver. I've got a Mac as my = daily driver for work, it can happily stay with work until I can decide = how the filesystem is laid out and what folders I, as the root user, can = and can't interact with from user land. I own my machine, not Apple. >>=20 >> - Matt G. >> ------- Original Message ------- >> On Wednesday, January 18th, 2023 at 8:59 AM, Clem Cole = wrote: >>=20 >>>=20 >>>=20 >>> On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy > wrote: >>> Someone once told me that if they had physical access to a Unix box, = they >>> would get root. That has been true forever and it's even more true = today, >>> pull the root disk, mount it on Linux, drop your ssh keys in there = or add >>> a no password root or setuid a shell, whatever, if you can put your = hands >>> on it, you can get in. >>> A reasonable point, but I think it really depends on the UNIX = implementation I suspect. Current mac OS is pretty well hardened from = this, with their current enclaves and needing to boot home to Apple to = get keys if things are not 100% right. Not saying you or I can not, but = basically means the same cracking tricks you need to use for iPhones. = It's not as easy as you describe. >>>=20 >>> The ubiquitous Internet/WiFi changed the rules - as you can start to = keep some set of keys somewhere else and then encrypt the local volumes. = In fact, one of the things they do if mac OS boot detects that root has = been modified (it has a crypto index stored away when it was made = read-only), the boot rolls back to the last root snapshot -- since they = are all read-only that works. In fact, it is a PITA to update/fix things = like traditional scripts (for instance the scripts in the /etc/periodic = area). Basically, they make it really unnatural to change the root files = system, make a new snapshot and index (I have yet to see it documented = although, with much pain, I previously created a procedure that is close = -- i.e. it once worked on my pre-Ventura Mac - but currently -- fails, = so I need to some more investigation when I can bring this back to the = top of the importance/curiosity stack (I have a less than satisfying end = around for now so I'm ignoring doing it properly). >>>=20 >>> Clem >>> =E1=90=A7 >>=20 >=20 --Apple-Mail=_7CFE27AE-C062-4E35-8959-54BD26923B6D Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 I = think that the situation with MacOS is an (over) reaction to viruses, = worms, and the end users themselves.
In order to make = sure that the normal user doesn=E2=80=99t do something silly to their = system Apple has wound up restricting what the more advanced and = knowledgeable user can do.

I=E2=80=99m in an in-between camp. I like to install what I = want and as long as I can do that, MacOS will work for me. And I like = that Apple is working to stop the =E2=80=9Cbad guys=E2=80=9D as much as = possible.

When = installing what I want stops happening then I=E2=80=99ll stop upgrading. = Until then I=E2=80=99m willing to ride the Apple train.

David

On Jan 18, 2023, at 9:21 AM, Will Senn <will.senn@gmail.com>= wrote:

=20 =20
Wow, we're all over the place on this thread. I stopped updating my Mac with Mojave. Occasionally, I flirt with more recent incarnations and much like with recent Windows incarnations, I scurry back pretty quickly to the stable and fast. ... and Mojave support 32 bit apps, which is nice. It's fast, responsive, and locked down the way I like it.

The mutually exclusive goals represented by security/it lockdown obsession and OS phone homeitis is ridiculous. One hopes that this is not a permanent set of affairs. I would prefer my OS to be under my control and secure my information, for me.

Lately, I've been doing work with SculptOS on Genode - a capabilities based OS running on a microkernel (trusted computing base). Sculpts got a ways to go, but I like the way the architects are thinking.

Will


On 1/18/23 11:08 AM, segaloco via TUHS wrote:
Apple's unreasonable hardening has been the latest = deterent to my ever wanting to use macOS as a personal driver.  I've = got a Mac as my daily driver for work, it can happily stay with work until I can decide how the filesystem is laid out and what folders I, as the root user, can and can't interact with from user land. I own my machine, not Apple.

- = Matt G.
------- Original Message = -------
On Wednesday, January 18th, 2023 at 8:59 AM, Clem Cole <clemc@ccc.com> wrote:



On Wed, Jan 18, 2023 = at 11:39 AM Larry McVoy <lm@mcvoy.com> wrote:
Someone once told me that if they had physical access to a Unix box, they
would get root. That has been true forever and it's even more true today,
pull the root disk, mount it on Linux, drop your ssh keys in there or add
a no password root or setuid a shell, whatever, if you can put your hands
on it, you can get in.
A= reasonable point, but I think it really depends on the UNIX implementation I suspect. Current mac OS is pretty well hardened from this, with their current enclaves and needing to boot home to Apple to get keys if things are not 100% right. Not saying you or I can not, but basically means the same cracking tricks you need to use for iPhones. It's not as easy as you describe.

The ubiquitous Internet/WiFi changed the rules - as you can start to keep some set of keys somewhere else and then encrypt the local volumes. In fact, one of the things they do if mac OS boot detects that root has been modified (it has a crypto index stored away when it was made read-only), the boot rolls back to the last root snapshot -- since they are all read-only that works. In fact, it is a PITA to update/fix things like traditional scripts (for instance the scripts in the /etc/periodic area). Basically, they make it really unnatural to change the root files system, make a new snapshot and index (I have yet to see it documented although, with much pain, I previously created a procedure that is close -- i.e. it once worked on my pre-Ventura Mac - but currently -- fails, so I need to some more investigation when I can bring this back to the top of the importance/curiosity stack (I have a less than satisfying end around for now so I'm ignoring doing it properly).

Clem
3D""=E1=90=A7



= --Apple-Mail=_7CFE27AE-C062-4E35-8959-54BD26923B6D--