[TUHS] Re: Maintenance mode on AIX

[Will Senn <will.senn@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3359 bytes --]

Wow, we're all over the place on this thread. I stopped updating my Mac 
with Mojave. Occasionally, I flirt with more recent incarnations and 
much like with recent Windows incarnations, I scurry back pretty quickly 
to the stable and fast. ... and Mojave support 32 bit apps, which is 
nice. It's fast, responsive, and locked down the way I like it.

The mutually exclusive goals represented by security/it lockdown 
obsession and OS phone homeitis is ridiculous. One hopes that this is 
not a permanent set of affairs. I would prefer my OS to be under my 
control and secure my information, for me.

Lately, I've been doing work with SculptOS on Genode - a capabilities 
based OS running on a microkernel (trusted computing base). Sculpts got 
a ways to go, but I like the way the architects are thinking.

Will


On 1/18/23 11:08 AM, segaloco via TUHS wrote:
> Apple's unreasonable hardening has been the latest deterent to my ever 
> wanting to use macOS as a personal driver.  I've got a Mac as my daily 
> driver for work, it can happily stay with work until I can decide how 
> the filesystem is laid out and what folders I, as the root user, can 
> and can't interact with from user land. I own my machine, not Apple.
>
> - Matt G.
> ------- Original Message -------
> On Wednesday, January 18th, 2023 at 8:59 AM, Clem Cole <clemc@ccc.com> 
> wrote:
>
>>
>>
>> On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm@mcvoy.com> wrote:
>>
>>     Someone once told me that if they had physical access to a Unix
>>     box, they
>>     would get root. That has been true forever and it's even more
>>     true today,
>>     pull the root disk, mount it on Linux, drop your ssh keys in
>>     there or add
>>     a no password root or setuid a shell, whatever, if you can put
>>     your hands
>>     on it, you can get in.
>>
>> A reasonable point, but I think it really depends on the UNIX 
>> implementation I suspect. Current mac OS is pretty well hardened from 
>> this, with their current enclaves and needing to boot home to Apple 
>> to get keys if things are not 100% right. Not saying you or I can 
>> not, but basically means the same cracking tricks you need to use for 
>> iPhones. It's not as easy as you describe.
>>
>> The ubiquitous Internet/WiFi changed the rules - as you can start to 
>> keep some set of keys somewhere else and then encrypt the local 
>> volumes. In fact, one of the things they do if mac OS boot detects 
>> that root has been modified (it has a crypto index stored away when 
>> it was made read-only), the boot rolls back to the last root snapshot 
>> -- since they are all read-only that works. In fact, it is a PITA to 
>> update/fix things like traditional scripts (for instance the scripts 
>> in the /etc/periodic area). Basically, they make it really unnatural 
>> to change the root files system, make a new snapshot and index (I 
>> have yet to see it documented although, with much pain, I previously 
>> created a procedure that is close -- i.e. it once worked on my 
>> pre-Ventura Mac - but currently -- fails, so I need to some more 
>> investigation when I can bring this back to the top of the 
>> importance/curiosity stack (I have a less than satisfying end around 
>> for now so I'm ignoring doing it properly).
>>
>> Clem
>> ᐧ
>

[-- Attachment #2: Type: text/html, Size: 6811 bytes --]