Last Week on My Mac: Throw caution to the wind

A lot of Mac users like to live well away from the leading edge, and with good reason. As Apple prepares to release macOS 12 Monterey, if you’re still running Catalina, you might be tempted to remain one major release behind, and take this as the time to upgrade to Big Sur. If you do, I think you’re making a serious mistake: anyone ready to go beyond Mojave should now be preparing for Monterey, not Catalina or Big Sur. It’s a matter of balancing the costs and benefits.

Usually, running the last release of the last major version of macOS provides a relatively stable platform, disturbed only by the series of Security Updates, and spares you from wrestling with all the new bugs which come bundled with the new major version. I don’t think that’s the prospect in store for those using Big Sur over the coming year.

Monterey is the first major release of macOS for some years which doesn’t bring deep structural changes. This is quite unlike High Sierra or Mojave with their rapidly evolving APFS, Catalina with its loss of 32-bit and split system volumes, or Big Sur with its Sealed System Volume. Instead, Monterey aims to consolidate on all those years of turbulence, allowing Apple’s engineers to fix more of the bugs which remain.

If Apple remains true to form, now it has released Big Sur 11.5.2 that version will not receive any further fixes or improvements other than Security Updates. Its many annoyances and issues will thus remain fixed in stone. At the same time, the Security Updates it receives will be very large compared to earlier versions of macOS, because of the changes Apple has made to system software updates from macOS 11 onwards. For an Intel Mac, that means that each Security Update will be at least 2.2 GB in size, require 15 minutes or more to ‘prepare’, and then take another 20 minutes or so to install. Not only that, there will only be two options to obtain them: as a 2.2+ GB update through Software Update, or by downloading the full 13 GB Big Sur installer. Don’t expect Apple to offer any standalone delta updates.

For Big Sur, receiving security updates only is likely to prove a poor compromise. At least with Monterey’s updates you’ll get better value for the investment of download and install time, as you’ll continue to get bug fixes, as well as benefitting from new features such as Live Text, which should become widely accessible in third-party apps as well as Apple’s.

The one promised feature in Monterey which could prove a decider for some is Apple’s proposed anti-CSAM measures. I’ve been following both technical and ethical discussions, and frankly don’t believe anyone any more.

On the one hand, there’s Asuhariet Ygvar, a security researcher, who claims to have recovered the code and ‘NeuralHashes’ from an existing release version of iOS and reverse-engineered it. They claim, with the support of others, that it’s incapable of generating the low false-positive rates claimed by Apple, who in turn denies the accuracy of their reverse-engineering. There are some oddities about these claims, not least of which is the fact that this very private code has been found in the public Vision framework, is present in Big Sur, and much was explained at WWDC 2019.

On the other hand, the authors of what’s claimed to be the only published account of a study of ‘the same method’ used by Apple insist that the only real flaw is that it allows Apple to match other types of image, so repurposing its system to match any images of its choosing.

Apple itself has reluctantly released further information, including most significantly the threshold number of images which have to be detected as CSAM before the system reports them for human checking. With that threshold of 30, and claims by reverse-engineering that NeuralHashes fail to detect images which have been cropped, for example, this conflicting evidence leads to the conclusion that results will be dominated not by false positives, but false negatives. From all that I have seen, that’s also my feeling, that Apple’s system is unlikely to detect many cases of CSAM, and that its mere presence may have the strongest effect of driving those who distribute CSAM away from Apple’s iCloud services.

In any case, Apple has maintained throughout that it will only be used in the USA, and only on images which are about to be uploaded to iCloud Photos.

If you don’t believe Apple, then you can’t assume that it hasn’t already implemented this (or another) system, or won’t do so, possibly even in older versions of macOS. Staying with an older version of macOS is no guarantee that it too won’t perform the same checks. So refusing to upgrade to Monterey really doesn’t help you escape the risk of CSAM image checks, if you really believe that they’re a threat to you.

Given the geographical limitation, and its restriction to images about to be uploaded to iCloud Photos, much more serious issues for Monterey are the remedies promised by Apple in November last year, for its use of OCSP to check revocation status of code-signing certificates. These affect every Mac user worldwide, and in the right circumstances can allow third-parties to discover which apps a user runs, when and where.

The remedies that Apple promised aren’t simple to implement, and will almost certainly come outside the scope of security updates. If they do happen, they’re most likely in Monterey rather than Big Sur. That really would be an incentive to think about.