I vaguely remember the day, sitting on our front patio, overlooking Souda Bay, and opening the package from Mark Shuttleworth.
Mark became very rich overnight when Verisign bought his company as a failsafe against the Millennium Bug. Mark flew to Moscow to become a Cosmonaut, then returned to South Africa to start Canonical and Ubuntu.
Free CDs for you and up to five friends, Ubuntu promised. Here they were. Looking out at the gleaming Med with the Aptera islands in the bay, life seemed good.
But that was years ago. That was back when you actually needed CDs to install an OS. We got our first 10.2 Jaguar by winning a raffle. We needed the CDs to install the update.
We weren't connected to an OS vendor. We could set up the boxes without an Internet connection. The same with Mark's Ubuntu setup. No Internet connection needed.
But somewhere along the road, it might have been Apple's 10.5, things changed.
When installing an OS or an OS update on a true standalone, you need privilege escalation to get anywhere. All sensitive files on a Unix system are protected. They're owned by root, and are embedded in directories also owned by root. You need root to get anywhere.
Which is why, BTW, 'su' is so precarious, and why the safer 'sudo' is mostly protective code. For all sudo actually does is rerun the requested command line as a process of its own, with its own (setuid root) privileges. But to protect systems from malfeasance, most of the code deals with watching out for hacks. The source is always available online, so you can see for yourselves what inordinate hoops the code goes through to accomplish the impossible.
For 'get root' is the ultimate hacker wet dream. Physical access is almost always superior, but, barring that possibility, 'get root' is almost as good.
Conversely, running code in user mode, as it's called, is always safer.
Kernel Mode, Privileged Mode, Superuser Mode
Kernel Mode, Privileged Mode, Superuser/Supervisor Mode: They're basically equivalent on all modern personal computers. How they're implemented on different hardware platforms, with different CPUs, will of course differ. At hardware level, the modes can be called 'rings', but it's of no matter. Some CPUs have more than two modes/rings, but modern systems use mostly two, the lowest and the highest. User Mode and Kernel Mode.
Modern preemptive multitasking systems use this model. It's impossible to create a true preemptive multitasking system with fewer than 32 bits. This is because address bits are needed to index into the so-called page tables.
If this seems hard to follow, it's because it is. But, at ground level, the basic rule is this: Nothing is at all as it seems. An address, a symbolic address, such as the name of a program variable, is not a real address at all. But both the program and the user think it is, and must think it is. And that's why it works.
Addresses sent by a program to the kernel are run through the page tables. The kernel looks up the addresses and sees where they actually reside in real memory. The addresses in user mode ('userland') code are not real addresses. It's therefore impossible for one application to interfere with another - as long as you're in User Mode.
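As an added illustration of the page-table point above (this is not code from the original article): a constructed C model of an x86-style 32-bit two-level page walk, showing that the same user-mode address in two processes resolves to two different physical frames, and that an address with no mapping faults instead of reaching anyone else's memory. The layout (10/10/12-bit split, bit 0 as 'present') and the two processes are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: 10 bits index the page directory, 10 bits the page
 * table, 12 bits are the offset inside a 4 KiB page. Entry bit 0 = present. */
#define ENTRIES   1024u
#define PAGE_SIZE 4096u
#define PRESENT   1u
#define FAULT     0xffffffffu   /* sentinel returned for a "page fault" */

typedef struct { uint32_t pte[ENTRIES]; } page_table_t;   /* second level */
typedef struct { page_table_t *pt[ENTRIES]; } page_dir_t;  /* first level  */

/* Walk one process's page directory for a user-mode (virtual) address.
 * The program never sees the frame number; only this walk does. */
uint32_t translate(const page_dir_t *dir, uint32_t va)
{
    uint32_t di = va >> 22, ti = (va >> 12) & 0x3ffu, off = va & 0xfffu;
    const page_table_t *pt = dir->pt[di];
    if (pt == NULL || !(pt->pte[ti] & PRESENT))
        return FAULT;                           /* no mapping: fault */
    return (pt->pte[ti] & ~0xfffu) | off;       /* frame base + offset */
}

/* Map one 4 KiB virtual page of 'dir' onto physical frame number 'frame'. */
void map_page(page_dir_t *dir, page_table_t *pt, uint32_t va, uint32_t frame)
{
    dir->pt[va >> 22] = pt;
    pt->pte[(va >> 12) & 0x3ffu] = (frame * PAGE_SIZE) | PRESENT;
}

/* Two constructed processes, A and B, each with its own directory. Both
 * map the "same" virtual page 0x08048000, but to different frames. */
static page_dir_t dir_a, dir_b;
static page_table_t pt_a, pt_b;

const page_dir_t *process(char id)
{
    static int ready;
    if (!ready) {
        map_page(&dir_a, &pt_a, 0x08048000u, 0x100u);   /* A -> frame 0x100 */
        map_page(&dir_b, &pt_b, 0x08048000u, 0x2a0u);   /* B -> frame 0x2a0 */
        ready = 1;
    }
    return id == 'A' ? &dir_a : &dir_b;
}

int main(void)
{
    printf("A 0x08048010 -> 0x%08x\n", translate(process('A'), 0x08048010u));
    printf("B 0x08048010 -> 0x%08x\n", translate(process('B'), 0x08048010u));
    printf("A 0xbfff0000 -> %s\n", translate(process('A'), 0xbfff0000u) == FAULT ? "page fault" : "mapped");
    return 0;
}
```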
I'll never forget when our sysadmin Peter first installed NT on one of his Windows boxes, created a simple app that ran away in a wild loop, producing the expected hourglass cursor, then moved the cursor outside the application window. The hourglass disappeared, replaced by the standard cursor, and Peter broke out in a wide grin.
Prior to that, of course, we had 'cooperative multitasking', which of course meant that everything ran through a single funnel, so to speak, so that if any app acted up - like Peter's intentionally runaway app - then the whole system had to be shut down (or you somehow exited Windows and got back to the DOS prompt, or the equivalent on other platforms).
You need at least 32 bits to do any kind of true preemptive multitasking, even with limited addressing capabilities.
Code running in Kernel Mode can do anything, to anyone, at any time. Device drivers run in this mode, and have to be careful not to use too much time, and will generate so-called 'deferred procedure calls' (DPCs) for work that doesn't require this mode. The DPCs are run as soon as possible after the driver returns, because, after all, that feeling that 'everything's happening at once' is an illusion that must be preserved.
(These systems aren't simple. But your typical Joe Blogs just taps and thinks everything's jim-dandy.)
Driver coders are anal-retentive to a fault. They're paranoid about 'orderly'. They have to be. Testing driver code is lugubrious. Grueling even. It's not for everyone.
Which all points to the importance of protecting one's system, of using privilege escalation sparingly, cautiously.
Dave Cutler reached an impasse when approaching the release of his NT 4.0. He'd always had a 10:1 speed advantage over 16-bit Win9x 'wanker code'. But the 9x people were catching up: suddenly he was only three times as fast. So he started moving parts of his Windows core (GDI, USER) into Kernel Mode. Probably not a good idea. Bill Gates proudly announced that the coming NT 4.0 had only seventeen (17) bugs, thereby incurring the derision of professionals everywhere, but a lot of those seventeen bugs and even more bugs started popping up where you'd never seen them on the very stable NT 3.5.
Running things in Kernel Mode is fraught with peril.
But now we're back to good old Apple. Up to now, when using install CDs, for Windows, for Ubuntu, for Apple's OS X, you could copy in as many files as you wanted - but ultimately you had to grant your permission for the install/update to proceed. For the files had to now be moved into the protected areas where they belonged. Nothing continued without a privilege escalation authorised by you.
That's how it's been. But now, suddenly, this is no longer necessary. Pop quiz: do you think the Apple fanboys reacted? We reacted, of course - but did they?
Here's a teaser.
https://rixstep.com/1/2/20100524,00.shtml
A visual depiction here:
https://rixstep.com/1/2/20100401,00.shtml
That was one way to do it - a dodgy directory called '.SoftwareUpdateAtLogout'.
Further info on this somewhat archaic hack.
https://rixstep.com/1/2/20100331,00.shtml
'The implication is clear: Apple can 'get root' without the help of the local user or administrator. And they've had this ability for quite some time.'
But there were other ways. Getting down to brass tacks:
https://rixstep.com/1/2/20100318,00.shtml
'There's also the question of why Apple hide the previous version with all associated components in zip archives on user hard drives and how they achieve root access without user authentication.'
The Bottom Line
The bottom line - there's a lot in the archives - is that most commercial systems of today will admit of a way to abuse Kernel Mode. They can perhaps trigger something in a legit root thread, for example. The bottom line is that Apple don't need your permission to install anything - but you need their permission!
Perhaps you specifically ask for an update. That's the polite way to do it. But even when it comes to sensitive code, Apple stopped pretending. And their fanboys don't even wince. Suddenly the computer you thought was yours, as you paid so dearly for it, is actually Apple's and not yours after all.
Things have gone even farther today. Years ago, Peter Gutmann mused about perhaps having to go to China to get a pristine un-compromised PC. Now look where we are today. We're so well-connected, aren't we - so well connected that we need Apple's permission to update our systems and run our own application software!
(Yes, we at Rixstep offer an easy way around that, but most NPCs don't have a clue.)
Here's a screed from an author we've mentioned before.
https://sneak.berlin/20201112/your-computer-isnt-yours/
'On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.'
'It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.'
Yes, we remember. It was only our software that ran. The poor challenged people at Panic, who buy into everything from Apple, acted bewildered. But yes, if your app is code-signed (ours are not) then launching an app means the system launch services will 'phone home'.
Another cold shower.
https://sneak.berlin/20201204/on-trusting-macintosh-hardware/
'Modern Apple computers can no longer be fully used and maintained in 100% offline environments, or in ways that will reasonably ensure that the computer is free of state-ordered tampering.'
Apple media won't cover this. But they'll pimp the new iPhone 27x!
'If you wish to fully and completely restore these systems to their factory state for whatever reason, be it a virus or malware, reverting a testing or research configuration, preparing for resale, disk data corruption, whatever: the operating system for the special secured section of the processor (in M1-land) or the separate security/encryption chip (the T2, in Intel-land) must be restored, first and foremost, for the computer to even think about booting an OS. The only way to do this is to obtain a cryptographic signature from Apple, specific to that hardware.'
We can wind up with this gem.
https://sneak.berlin/20220409/apple-is-still-tracking-you-without-consent/
I used a mobile. Once. I had to. I had a kind of Sonny Crockett MicroTAC. This for Sweden. To get from venue to venue. We had a special secret number with Stockholm's Taxi. That's what I needed. To get a cab fast. Knee-deep snow in the winter? Not fun.
I had a beeper once too, for our contract with Ericsson. They demanded an emergency number. They never had to use it, but I carried a beeper around for a while.
But otherwise? I hate phones. I fucking hate them. Not just mobiles. Any phones. But mobiles are worse. And so-called 'smart' phones are the living end. So much complex technology, all to make stupid people even more stupid. Check the imagery used back in the days of NeXT. They were celebrating human intelligence. Compare with today. The vendors want people dumber and dumber.
George Carlin should be here.
Try another.
I Feel So Clean
Andrew was an online student of mine. He was a bit testy. He always wanted to do things his way. Then take some other course, I told him. But he weathered his way through, and learned a bit about programming discipline hopefully.
Then he went all-in for open source.
This is twenty years ago. Just imagine how much worse the topology's become since then.
https://radsoft.net/rants/20020906,00.shtml
'On the other hand, working in Linux I feel so clean. Nothing is hidden. Everything is laid bare; it's only up to me to find it and understand it. There's no more nasty, greasy worry about what my OS is really doing beneath its happy face.'
And it was Microsoft, not Apple, freaking him out. What would have happened if he'd been battling Apple?
If you must absolutely have a mobile phone, then use a primitive one with none of the doodads and hopefully none of the tracking.
Your desktop/laptop should be yours and yours alone. Open source is of course preferable. Perhaps do like Andrew, and download the source, inspect it, and build it yourself.
Avoid all things commercial - Microsoft, Apple - as much as possible. Use our ACP to protect yourself on an Apple OS. Do not use a Microsoft OS under any circumstances.
Happy New Year.
'And when it's done, I'll know exactly what I have, and it will be what I want, no more or less, because I chose and configured every piece of it.'