Brian Lovin
/
Hacker News
Daily Digest email

Get the top HN stories in your inbox every day.

_V_

The problem with online checks (gatekeeper) are when you have flaky internet connection.

It can handle no connection quite well, but unstable internet is really a PITA - commands and applications lag randomly when launching etc... It took me some time to troubleshoot why suddenly my MacOS was almost unusable and this was the culprit.

joshspankit

Also a PITA (even though it’s super easy for devs to replicate): being connected to your local network, but your internet is down.

varispeed

Is there a way to make it "think" it is connected to internet?

Like plugging a device that will be seen as network card and responding to certain api requests to trick whatever service calls them?

maicro

That's a technique used/required by some software cracking methods - override your general network DNS lookup process (I believe anything you put in the "hosts" file in Linux/Mac, and the similar file in Windows - though obviously don't quote me on this - will be used rather than DNS-queried). So you configure say "google.com" to go directly to 127.0.0.1 (the localhost address, pointing right back at your own computer) and run a server on the port that the program is expecting to authenticate to.

The problem is responding to those API requests in a way that the program will accept - if it's just a simple PING, no issue, but if there's any sort of more advanced encryption, handshaking or license checking/exchange going on, you'll need to reverse engineer the algorithm. Some simple versions of that you can just record once and "replay", but most will at least have a timestamp hashed in.

(super rough, lay-man's understanding of the issue - sorry for any inaccuracies)

kingds

noob question: is there not a way for the client to verify that it is actually talking to google.com in a situation like this? I would think there would be some way to verify based on certs or something like that.

lapcat

> Is there a way to make it "think" it is connected to internet?

You actually want the opposite, to make it think it's not connected to the internet. In other words, a network connection blocker such as Little Snitch.

yencabulator

As far as I understand, Apple's own software can bypass Little Snitch.

https://blog.obdev.at/a-hole-in-the-wall/index.html

the_third_wave

Yes there is but you probably don't like the answer: install Linux on the thing and be done with it. It does not seem to work as well on the ARM-versions but on Intel it flies. You can try to keep on fighting the beast but in the end the beast will win unless you show it the door - its only vulnerability. You get the glitzy hardware without the annoyances of MacOS - Linux may have its own annoyances sometimes but these tend to be less nefarious and more easily solved than the hurdles put up by Apple. Apple is not alone in this or I would have said to install 'Linux or Windows', Microsoft is just as bad when it comes to these shenanigans. An additional benefit is that you'll be able to keep the thing running an up-to-date OS for far longer since (most...?) Linux distributions are not enmeshed in planned obsolescence schemes.

Source: typing this from an older ("late 2009") iMac running Linux

_V_

Well, this is nice but in reality useless. You can run Linux on ancient Apple devices such as 2009 iMac but not really on anything newer.

I want to have modern peripherals and experience such as 4k display, USB-C, reasonably fast wifi/bluetooth. I don't really have a need for CD-ROM, firewire and IR port...

And believe me, I tried to run Linux on 2018/2019 MBP. Apple really really tries to make that as painful as possible. Most of the things are behind T2 (including keyboard for example) and since there is virtually no documentation you have to rely on reverse engineering efforts of a few talented individuals. Also there are things that just plain don't work such as resuming from sleep (the graphics MUX gets all confused and the driver will not re-configure it for some reason) etc... Basically nice for playing around, not good enough for running as a main device.

_V_

Not really but you can simulate this by either using an iPhone as an AP and forcing 3G if possible or you can hide behind linux proxy and set up packet dropping (can be done with nftables) random packets.

That will result in almost unusable system.

jcadam

> hide behind linux proxy and set up packet dropping (can be done with nftables) random packets.

I used a similar method to simulate running our software on a government network when I worked in defense.

Timeouts and packets dropping all over the place. Government work sucks.

cesarb

Since macOS is AFAIK a laptop-focused operating system, and laptops are often used on the go, without any network connectivity, I'd expect it to work perfectly in that kind of situation. So these results are not that surprising.

cehrlich

Given the title I was expecting some kind of surprise, but everything works exactly as you would expect.

rbanffy

I like my Macs precisely because they are boring and almost never surprise me.

TBH, the only reason my Linux boxes surprise me is because I try stupid things such as mounting /var/log as a tmpfs to reduce write loads (mostly on RPis' SD cards and eMMC devices).

oneeyedpigeon

I don't know about that — macs have enough weird behaviours that it wouldn't totally surprise me if, soon, they required a network connection, or the lack of one would at least make things awkward. For example, the inability to use clamshell mode without AC power.

mejutoco

I like Macs, but was pretty surprised the first time a package needed xcode, and I saw the size needed to download (several GB)

lynguist

I never say things like that but isn’t this like saying the floor is made out of floor?

I had to do a quick reality check after reading that article.

asddubs

it read like someone appalled at the state of things setting up the ground work before getting to the problem, but then after that first stage, it just sort of ends. what a pointless read.

ddalex

Definitely a solution in search of a problem.

snowe2010

Pretty sure it's just an advertisement.

lapcat

This has already been refuted elsewhere in the comments. Your near certainty is completely unfounded.

Howard Oakley and his work are well known in our community. If you don't know him, then please don't cast aspersions.

dmtroyer

some day I may be able to downvote posts.

tencentshill

It’s no longer possible at all on Windows 11, so it’s good to know.

grardb

Pardon if this is a stupid question, but I think I must be missing something. How is all of this different from turning WiFi off?

mrtksn

The difference is that it includes the initial installation process too. So the idea is that since online services are deeply embedded into the OS, what happens if you don't have an internet connection?

A few years back there was this issue of MacOS apps launching with a delay because the OS was checking with Apple if you are allowed to use the app. IIRC, this was just a bug.

Also, you won't be able to use iOS without an initial internet connection.

This creates a curiosity on how usable a Mac is without internet. As it turns out, it's pretty usable.

pathartl

> A few years back there was this issue of MacOS apps launching with a delay because the OS was checking with Apple if you are allowed to use the app. IIRC, this was just a bug.

If you're talking about Nov 2021 when Apple's Gatekeeper servers went down, apps weren't just delayed, they were unable to be opened _at all_ unless you blocked DNS requests to the server or completely disabled your internet connection.

I believe the only apps that were allowed to be opened were the built in macOS apps. Why this verification is done on every single load is completely beyond me. After this and the whole iPhone 7 radio debacle I won't be buying their products for a long time.

less_less

> If you're talking about Nov 2021 when Apple's Gatekeeper servers went down, apps weren't just delayed, they were unable to be opened _at all_ unless you blocked DNS requests to the server or completely disabled your internet connection.

IIRC, Gatekeeper responses are cached for some amount of time for each app, so most people were still able to launch a given app. But yeah, you'd have to disable DNS or internet if you were unlucky and the cache had expired.

Apple's failure inspired me to research compressed CRLs. These don't have the same privacy problems as OCSP, and they work offline. As far as I can tell they would be a good replacement for OCSP here (and also in most cases on the web) but I don't know how one could convince them to roll them out.

mrtksn

What’s the iPhone 7 radio debacle?

whywhywhywhy

> A few years back there was this issue of MacOS apps launching with a delay because the OS was checking with Apple if you are allowed to use the app. IIRC, this was just a bug

Convinced this is why Spotlight is so janky on iOS lately and you’ll be just staring at a blank list while searching for a local app.

personjerry

The difference is that this article is an advertisement for the app they're selling.

lapcat

Absolutely wrong. Howard is a retired doctor. And all of his Mac software (https://eclecticlight.co/downloads/) is free.

Also, Howard has been blogging about the Mac and making free apps available for many years. He's not suddenly going to pivot.

janfoeh

That is a pretty accusatory comment, given that the _freeware_ program mentioned is linked for download _right in TFA_.

fsflover

Freeware is not the same as free software. You can use the former for a bait and switch.

jamesfmilne

They're not selling it, the app is free.

favaq

They are not selling it currently. Once they have enough downloads and people who rely on the app on a daily basis, who knows.

undefined

[deleted]

vinaypai

"I turned my WiFi off and nothing surprising happened" wouldn't make it to the front page of HN.

lapcat

The author blogs almost every day about the Mac on his years-old Mac-oriented blog. The author doesn't write for HN readers, nor did he submit his blog post to HN.

Why do the worst HN comments always rise to the top?

joshuaissac

> The author doesn't write for HN readers, nor did he submit his blog post to HN.

It does not follow from the GP comment's claim that the author must be writing for HN readers. There may be many articles written by many people about how the Mac works without a network connection, but this one happened to be the one to be posted to HN and make it to the front page because it has traits that are in line with what HN wants to read.

simondotau

It isn’t. The how is provided for the sake of reader curiosity; it is ancillary to the analysis performed in this article.

sdflhasjd

The experience is much worse on a mac when you have a _poor_ internet connection.

- Apple just doesn't care about the size of their updates. Minor OS & XCode updates are in the gigabytes.

- Updates that you don't need right now cannot be cancelled, paused or rate-limited and will just eat your entire data cap with no warning.

- Applications literally take longer to open because of gatekeeper checks

anamexis

Worth noting that macOS has a “low data mode” which solves several of these issues. Apps can hook into it also.

https://apple.stackexchange.com/questions/449668/what-is-low...

croutonwagon

This is somewhat handy. I'm currently traveling and relying on tethering LTE with a 1GB/day limit.

Let me tell you on MacOS that is VERY easy to burn through in 15 minutes.

Ultimately I have been using my personal laptop with ubuntu to stay under the limit.

MacOS even with low data mode seems to use a lot of extraneous data for some reason.

I haven't had time to really see what it's doing but it's been heavy. The first couple days I burned through my allocation in about 5 minutes.

skinnymuch

You can get apps like Roadtrip to help with data usage

sdflhasjd

Good to hear that is now a feature in Ventura, better late than never... The enraging experience I had that prompted my complaint happened on Monterey.

jrochkind1

> - Updates that you don't need right now cannot be cancelled, paused or rate-limited and will just eat your entire data cap with no warning.

You should be able to turn off "check for updates" and "download new update when available", and only manually check for updates at a time and network location of your choice.

Search for "to set update options" on this page: https://support.apple.com/guide/mac-help/keep-your-mac-up-to...

But you may mean something different than I was thinking; maybe you don't find this functionality suitable, or find it doesn't work properly?

sdflhasjd

My experience was that these options didn't do anything if the download had already started, everything else I tried from restarting to killing processes was fought back with a newly spawned process update. Trying to SSH into a server to fix an emergency while on a spotty 3G hotspot was made far more stressful by my computer being out of my control.

jrochkind1

Oh, I wouldn't expect them to do anything if the download had already started, sure. It would be nice to be able to abort, agreed. I misunderstood what you were describing.

But perhaps you (or other readers) might want to leave those settings unchecked so it never automatically downloads, and you can manually tell it to download when you want, when you're in a location you want to. I believe you can have it check for updates and notify you, but not automatically download, too, with the right settings.

college_physics

Would be interesting to every once in a while test "Using Linux without a network connection" (as in: install everything from usb/media and check all your workflows)

Rediscover

Slackware works great. OpenBSD, too.

I yard out the drive, attach it to another machine and toss a copy of, e.g., slackware64-current (+ sources) and a bootloader on the drive, put the drive back in its original machine and boot/install without a network.

After that, it may or may not ever see a network depending on what it is slated to do.

https://www.slackware.com/

grishka

I don't know about now, but when Ubuntu came on CD images intended for burning to actual CDs and offline installation, those images included most of the packages you'd ever need. Or at least that was my impression.

3np

I'd expect any serious dist to already be doing this as part of their release process.

planede

I expect it to work fairly well, apart from "netinst" install medias, of course.

sneak

I do the same thing basically on bare metal: with Little Snitch I have blocked almost all system processes from accessing the network at all.

macOS still works fine. (You have to widen the permissions a bit for OCSP and the TSS api when doing OS updates, however.)

satysin

I’m currently on the fence about buying Little Snitch. I tried the trial for a week and interestingly there were no outbound connections I did not expect so ended up allowing basically everything. I run a limited set of applications and that hasn’t changed in a number of years.

Obviously I feel quite happy that I’ve not found I’ve been allowing connections I didn’t want to but it also makes me feel perhaps I am being a little over the top by adding Little Snitch into the mix.

I went in thinking it would catch dozens of secret connections but nothing. So part of me feels it is overkill and a time waster for myself. Anyone care to explain how wrong I am? I would be grateful to be corrected and happy to buy if I can be convinced it is indeed worthwhile :)

lapcat

To me it's more about personal control than surprises. It doesn't surprise me that Apple software is phoning home; I just want to stop it and control which connections and data I allow to leave my Mac.

satysin

Do you find LS causes any kind of network speed impact when dealing with systems that have hundreds or thousands of connections? I often have Transmission open downloading and as I have a 2.5gbps connection it can easily hit several hundred in and out connections when bandwidth hits >2gbps. I’m wondering if LS either slows that down or causes additional power use/heat?

sneak

It whitelists all of the Apple privacy-invading phone home nonsense by default. You have to disable those rules to see the dozens of alerts from different OS processes phoning home to Apple (even if you don't use iCloud or iMessage or FaceTime or the App Store or any other service at all).

ambicapter

You're like the guy who says "I'm never sick, why am I being forced into paying health insurance".

satysin

I do not understand what point you’re trying to make?

diimdeep

macOS's underlying system is really opaque; does Little Snitch really block all that there is?

newaccount74

Probably, but we don't know.

macOS 11 stopped support for kernel extensions, and now requires firewall apps like Little Snitch to use "Network Extensions".

In early versions of macOS 11, some Apple apps bypassed network extensions. This was supposedly fixed in macOS 11.2, but there is no way to verify that macOS doesn't have any exceptions that might still bypass network extensions.

throw0101c

> […] but there is no way to verify that macOS doesn't have any exceptions that might still bypass network extensions.

Sure there is: you connect the system to a managed Ethernet switch and do port mirroring to inspect what traffic goes over the wire:

* https://community.fs.com/blog/port-mirroring-explained-basis...

* https://www.cisco.com/c/en/us/support/docs/switches/catalyst...

* https://en.wikipedia.org/wiki/Port_mirroring

If it's encrypted we may not know the exact contents, but you can't conceal IPs.

capableweb

> Probably, but we don't know.

Why not? It's not like it'd be hard to know. The submission article even talks about running it in a VM, wouldn't be hard to connect tcpdump to whatever bridge it's using and inspect if Little Snitch can truly capture and block all traffic.
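The verification throw0101c and capableweb describe (compare what the host firewall says it decided with what actually reaches the wire on a mirror port or VM bridge) can be scripted. This is an added example, not code from the thread or from Little Snitch; the firewall log format, the tcpdump-style capture lines and all addresses are constructed for illustration, and a real audit would feed it the host firewall's export and a tcpdump capture.

```python
"""Cross-check a host firewall's allow/deny log against traffic observed
on a mirror port. Any outbound flow that appears on the wire but was
denied by, or never shown to, the firewall is a candidate bypass."""
import re

# Constructed sample: decisions the host firewall logged (hypothetical format).
FIREWALL_LOG = """\
2023-05-01T10:00:01 ALLOW proc=Safari dst=198.51.100.10:443
2023-05-01T10:00:02 DENY proc=analyticsd dst=198.51.100.20:443
2023-05-01T10:00:03 ALLOW proc=ssh dst=192.0.2.7:22
"""

# Constructed sample: tcpdump-style lines captured on the mirror port.
MIRROR_CAPTURE = """\
10:00:01.100 IP 192.0.2.50.50111 > 198.51.100.10.443: Flags [S]
10:00:02.050 IP 192.0.2.50.50112 > 198.51.100.20.443: Flags [S]
10:00:03.200 IP 192.0.2.50.50113 > 192.0.2.7.22: Flags [S]
10:00:04.000 IP 192.0.2.50.50114 > 203.0.113.9.443: Flags [S]
10:00:05.000 IP 198.51.100.10.443 > 192.0.2.50.50111: Flags [S.]
"""

HOST_IP = "192.0.2.50"  # the Mac under test (constructed)

FW_RE = re.compile(r"^\S+ (ALLOW|DENY) proc=(\S+) dst=(\d+\.\d+\.\d+\.\d+):(\d+)$")
# tcpdump prints "a.b.c.d.port"; only outbound SYNs ([S], not [S.]) start a flow.
CAP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")

def parse_firewall_log(text):
    """Map each destination (ip, port) to the last verdict the firewall logged."""
    decisions = {}
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            verdict, _proc, ip, port = m.groups()
            decisions[(ip, int(port))] = verdict
    return decisions

def parse_capture(text, host_ip):
    """Collect destinations of outbound TCP SYNs from host_ip seen on the wire."""
    seen = set()
    for line in text.splitlines():
        m = CAP_RE.search(line)
        if m and m.group(1) == host_ip:
            seen.add((m.group(3), int(m.group(4))))
    return seen

def find_bypasses(decisions, on_wire):
    """Flows that reached the wire although denied, or without any firewall verdict."""
    denied = {d for d in on_wire if decisions.get(d) == "DENY"}
    unseen = {d for d in on_wire if d not in decisions}
    return {"denied_but_sent": denied, "not_seen_by_firewall": unseen}

def audit(fw_text=FIREWALL_LOG, cap_text=MIRROR_CAPTURE, host_ip=HOST_IP):
    return find_bypasses(parse_firewall_log(fw_text), parse_capture(cap_text, host_ip))

if __name__ == "__main__":
    for kind, flows in audit().items():
        print(kind, sorted(flows))
```

A flow in `not_seen_by_firewall` is exactly the case the thread worries about: the process talked to the network without the network extension ever being asked.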

dan1234

I think Little Snitch does a good job, but it would be easy to see any leaks at the router/hardware firewall if there's a real concern.

alpaca128

> Indeed, if anything, the first run of apps like Xcode was started with less delay than when an internet connection is available.

Does anyone know whether this Apple server contact delay applies to every executable? Whenever I compile my code on a Mac the first run is delayed by 2-5 seconds and it's getting really annoying.

lapcat

xenophonf

Well, that's horrifying from the perspective of someone trying to preserve their right to privacy.

steponlego

Heh, “right” to privacy.

collsni

Guys! Guys! I turned Internet off, and guess what?!? No internet based features worked!! Can you believe that I couldn't authenticate to my apple account?!

wink

My takeaway was more that the author expected a ton of things to not work, while in reality only a few didn't.

stewx

Please point out where the author claimed to be surprised by this. We'll wait.

adithyassekhar

This just reminds me of Windows 11. The Home edition which most people would buy cannot bypass the setup screen without connecting to the internet and creating a Microsoft account. Can't believe Apple is the more free option here.

miles

Even in the latest release of Windows 11 Home, the seemingly-required Microsoft account login can be bypassed via OOBE\BYPASSNRO: https://www.ghacks.net/2023/01/26/how-to-bypass-the-microsof...

lapcat

The funny thing is that I've always done it this way, for many many years, when installing major Mac OS updates: choose the option "My Mac doesn't connect to the internet", and set up the internet connection later, after I configure everything how I want.

Then of course the first thing I do after installing macOS is install Little Snitch (already having a hard copy on an external disk).

IIsi50MHz

A…hard copy? Like, a print-out of the source code or… ? If so, it would seem to be resting on top of an external disk. o-:

Sorry, just never seen someone refer to a digital copy as a hard copy before. You surprised me. (-:

lapcat

Old habits are hard to break.

It seems logical though that a copy on a hard drive should be called hard copy!

undefined

[deleted]
Using a Mac without a network connection - Hacker News