hoakley August 22, 2021 Macs, Technology

Last Week on My Mac: Throw caution to the wind

A lot of Mac users like to live well away from the leading edge, and with good reason. As Apple prepares to release macOS 12 Monterey, if you’re still running Catalina, you might be tempted to remain one major release behind, and take this as the time to upgrade to Big Sur. If you do, I think you’re making a serious mistake: anyone ready to go beyond Mojave should now be preparing for Monterey, not Catalina or Big Sur. It’s a matter of balancing the costs and benefits.

Usually, running the last release of the last major version of macOS provides a relatively stable platform, disturbed only by the series of Security Updates, and spares you from wrestling with all the new bugs which come bundled with the new major version. I don’t think that’s the prospect in store for those using Big Sur over the coming year.

Monterey is the first major release of macOS for some years which doesn’t bring deep structural changes. This is quite unlike High Sierra or Mojave with their rapidly evolving APFS, Catalina with its loss of 32-bit and split system volumes, or Big Sur with its Sealed System Volume. Instead, Monterey aims to consolidate on all those years of turbulence, allowing Apple’s engineers to fix more of the bugs which remain.

If Apple remains true to form, now it has released Big Sur 11.5.2 that version will not receive any further fixes or improvements other than Security Updates. Its many annoyances and issues will thus remain fixed in stone. At the same time, the Security Updates it receives will be very large compared to earlier versions of macOS, because of the changes Apple has made to system software updates from macOS 11 onwards. For an Intel Mac, that means that each Security Update will be at least 2.2 GB in size, require 15 minutes or more to ‘prepare’, and then take another 20 minutes or so to install. Not only that, there will only be two options to obtain them: as a 2.2+ GB update through Software Update, or by downloading the full 13 GB Big Sur installer. Don’t expect Apple to offer any standalone delta updates.

For Big Sur, receiving security updates only is likely to prove a poor compromise. At least with Monterey’s updates you’ll get better value for the investment of download and install time, as you’ll continue to get bug fixes, as well as benefitting from new features such as Live Text, which should become widely accessible in third-party apps as well as Apple’s.

The one promised feature in Monterey which could prove a decider for some is Apple’s proposed anti-CSAM measures. I’ve been following both technical and ethical discussions, and frankly don’t believe anyone any more.

On the one hand, there’s Asuhariet Ygvar, a security researcher, who claims to have recovered the code and ‘NeuralHashes’ from an existing release version of iOS and reverse-engineered it. They claim, with the support of others, that it’s incapable of generating the low false-positive rates claimed by Apple, who in turn denies the accuracy of their reverse-engineering. There are some oddities about these claims, not least of which is the fact that this very private code has been found in the public Vision framework, is present in Big Sur, and much was explained at WWDC 2019.

On the other hand, the authors of what’s claimed to be the only published account of a study of ‘the same method’ used by Apple insist that the only real flaw is that it allows Apple to match other types of image, so repurposing its system to match any images of its choosing.

Apple itself has reluctantly released further information, including most significantly the threshold number of images which have to be detected as CSAM before the system reports them for human checking. With that threshold of 30, and claims by reverse-engineering that NeuralHashes fail to detect images which have been cropped, for example, this conflicting evidence leads to the conclusion that results will be dominated not by false positives, but false negatives. From all that I have seen, that’s also my feeling, that Apple’s system is unlikely to detect many cases of CSAM, and that its mere presence may have the strongest effect of driving those who distribute CSAM away from Apple’s iCloud services.

In any case, Apple has maintained throughout that it will only be used in the USA, and only on images which are about to be uploaded to iCloud Photos.

If you don’t believe Apple, then you can’t assume that it hasn’t already implemented this (or another) system, or won’t do so, possibly even in older versions of macOS. Staying with an older version of macOS is no guarantee that it too won’t perform the same checks. So refusing to upgrade to Monterey really doesn’t help you escape the risk of CSAM image checks, if you really believe that they’re a threat to you.

Given the geographical limitation, and its restriction to images about to be uploaded to iCloud Photos, much more serious issues for Monterey are the remedies promised by Apple in November last year, for its use of OCSP to check revocation status of code-signing certificates. These affect every Mac user worldwide, and in the right circumstances can allow third-parties to discover which apps a user runs, when and where.

The remedies that Apple promised aren’t simple to implement, and will almost certainly come outside the scope of security updates. If they do happen, they’re most likely in Monterey rather than Big Sur. That really would be an incentive to think about.

33Comments

Add yours

1

Michele Galvagno on August 22, 2021 at 7:14 am

If we are lucky, Monterey could be a masked comeback to the 2-year development cycle, just under a fancy new name. As you mentioned in a previous article, if our Big Sur install is working well, it means that it’s a good one so, with no point over erasing the disk and clean installing one could just upgrade to Monterey and hope, for example, that the most annoying bugs in Preview’s history have been fixed. Major softwares should just work in Monterey if they worked in Big Sur but, again, no one will take any responsibility as usual.

In the end, a good clone and an even better cup of tea during upgrading time will be our best and comfortable option!

Michele Galvagno

LikeLiked by 1 person
- 2
  
  hoakley on August 22, 2021 at 8:14 am
  
  Thank you, Michele.
  Howard.
  
  LikeLike
3

Jerry on August 22, 2021 at 12:10 pm

I think your advice is sound here and was just thinking myself to go directly from Mojave to Monterey sometime this year … as I cannot really stay behind any longer when working with helping people with their problems on Macs, but I still got my website program in 32-bit that does not make sense to substitute for a less helpful program I won’t have interest/time to learn (BBEdit would likely be best, but would take forever to create all helpful shortcuts I need and nothing much helpful in that program itself apart from colouring). (same goes for the CSS program) I could pay maybe for PhotoShop/Lightroom bundle (as I didn’t like the Affinity program mostly for lack of shortcuts I am used to), but another cost that is basically without any benefit. Anyway could use VMware to use some programs in a virtual machine, but cannot then get a new Apple silicon Mac anytime soon. So it seems like it is more and more likely that users like me will have to live with two computers instead of one … otherwise I would have sold my MBP and get a new M1/2 MBP rather quickly … . But Monterey should be the way to go to avoid problems in Catalina/Big Sur that are likely not getting worse anyway in Monterey.

LikeLiked by 1 person
- 4
  
  Duncan on August 22, 2021 at 4:58 pm
  
  “So it seems like it is more and more likely that users like me will have to live with two computers instead of one …”
  
  I know I’m an outlier here because I have saved (hoarded) so many computers over the years, but I have adopted the view that I keep certain older Macs configured for very specific tasks, and thus run old versions of MacOS as a result. Fortunately I have never in my 30+ years of computing discovered any malware on my machines (I run a very tight network and am paranoid about anything I download) so I’m not as concerned as others with running old versions. I also only keep personal information on my main desktop Mac (and travel laptop, as needed) so that’s where I focus my security efforts.
  
  Keeping older machines for legacy purposes is like having different sets of eyeglasses for different situations. I don’t wear sunglasses indoors, and I don’t wear reading glasses while driving. Maintaining multiple pairs and prescriptions is added effort versus having a magical one-size-fits-all pair of glasses, but I’m used to that now. I accept the same hassles (and benefits) of doing the same with computers.
  
  LikeLiked by 1 person
  - 5
    
    hoakley on August 22, 2021 at 5:49 pm
    
    Thank you.
    I think I’d crack and use VMs rather than unmaintainable hardware. Parallels seems able to go a long way back if you want.
    Howard.
    
    LikeLike
- 6
  
  hoakley on August 22, 2021 at 5:34 pm
  
  Thank you.
  Provided that you’ve got an Intel Mac, an excellent solution to keeping 32-bit apps accessible is virtualisation: I use Parallels Desktop, and each year write a tutorial for MacFormat/Mac|Life explaining how to set up an earlier macOS in a VM for exactly this purpose.
  Sadly, on an M1 Mac you can only virtualise Monterey, and Mojave is completely out of the question.
  Howard.
  
  LikeLike
  - 7
    
    Duncan on August 22, 2021 at 5:55 pm
    
    “Provided that you’ve got an Intel Mac…”
    
    I’ve got old Macs going back to a IIci (which is really just for nostalgic reasons), and a couple of NeXT machines. So yeah, I ,personally, have an Intel Mac (or three). I’m looking forward to buying a refurbished M1 Mini, which will be my Monterey starter kit.
    
    But just last weekend I finished organizing and testing all my Mac OS installers, from 10.7 Lion (the first OS available as a download) through 10.5.2 Big Sur, for completeness, even though I don’t intend to run it on anything. Every now and then I discover a reason to fire up an older version, such as compatibility with certain versions of iTunes, etc. for very specific tasks. But again, I’m an outlier in this regard.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on August 22, 2021 at 9:27 pm
      
      Thank you, Duncan.
      I haven’t flashed up my IIfx or Mac Portable for years, much as it might be fun to.
      Howard.
      
      LikeLike
9

Simon on August 22, 2021 at 4:07 pm

> require 15 minutes or more to ‘prepare’

Howard, can you enlighten us to what actually happens during that 15-min “prepare” phase?

Also, has Apple so far actually committed to scanning for CSAM before iCloud upload on macOS? I thought they had so far announced this for iOS 15 only?

LikeLiked by 1 person
- 10
  
  hoakley on August 22, 2021 at 5:48 pm
  
  A substantial part of the preparation is decompressing the update payload, which almost doubles in size. Although I suspected that the contents could also be written, in part at least, to the System volume, as that doesn’t appear to get mounted during preparation, that doesn’t seem possible. It is feasible that the hashes for the seal are calculated at this stage, and I think the whole update is made ready to move into position. Of course iOS has been doing this for a while.
  Apple’s announcement about CSAM checks aren’t clear on this: there are three changes, to Messages, the CSAM checks, and to Siri and Search. While Apple makes it clear that the CSAM checks will apply to iOS/iPadOS 15, the other two are coming across the board. So Apple hasn’t clearly stated that CSAM checks will or won’t come in Monterey.
  If you believe the story that the code for the CSAM checks is already in the Vision framework, though, that is certainly already present in Big Sur, so could quickly be applied to Monterey. Personally, I don’t think that’s the code to be used for CSAM checks, but is already in use by Apple and third-parties for entirely innocent purposes (and not specific enough for CSAM use). But if that’s the case, then the claims made on that reverse engineering are all false anyway.
  So who knows?! (And is prepared to tell.)
  Howard.
  
  LikeLike
  - 11
    
    Simon on August 22, 2021 at 8:20 pm
    
    Thank you, Howard. As always, much appreciated.
    
    LikeLiked by 1 person
12

Sebby on August 22, 2021 at 5:12 pm

Yep, exactly. Spot on analysis. It’s too bad that some of these changes are regressions, but really, once Mojave is no longer supported, there’s just no point in staying behind any more. And, really, sometimes it’s nice to be ahead, for once. And it’s unarguable that the care and attention is always concentrated on the latest, including integration with Apple’s cloud services.

This happened last time, too, for me. I was on 10.10 until High Sierra came out, then I moved over. Strange, how patterns change for the “discerning”–and yet the story couldn’t be further for everyone else. Standards have changed.

LikeLiked by 1 person
- 13
  
  hoakley on August 22, 2021 at 5:49 pm
  
  Thank you.
  Howard.
  
  LikeLike
14

ericrfmwp on August 22, 2021 at 8:18 pm

Thanks for that perspective, Howard. I got a new iMac I year or so ago, and I have my heels dug in with Mojave. Given the horrible problems with new MacOS versions over recent decades, I stay with what works for as long as I can. Though I have had some annoying intermittent glitches with Mojave. I’m just afraid of what applications might break given things like the Sealed System Volume in Monterey.

We’ll see what the scuttlebutt is when Monterey is released. I usually wait for the third point release to upgrade anyway. I’m kind of glad I don’t develop for the Mac anymore.

LikeLiked by 1 person
- 15
  
  hoakley on August 22, 2021 at 9:29 pm
  
  Thank you.
  I don’t know of any modern app which is coded properly which bats an eyelid with the SSV. Pretty well everything there was already protected by being read-only and SIP anyway.
  Howard.
  
  LikeLike
16

Robin on August 24, 2021 at 7:29 pm

The last few releases of MacOS have been concerning due to their massive internal changes. I’ve taken a cautionary approach, delaying an upgrade until the last release. I avoided Big Sur altogether. For Monterey, I believe that you are correct that it may be time, once again, to embrace a new release early in the cycle.

But I am going to avoid an upgrade to Catalina. I want to move to the new MBP 14/16 hardware when they are available – the first for me to validate, the second for my wife. I’ll import users from the Catalina Macs. New backup strategy, new TM strategy. Hope for stability and smaller maintenance releases in the future.

LikeLiked by 1 person
- 17
  
  hoakley on August 24, 2021 at 7:40 pm
  
  Thank you.
  Howard.
  
  LikeLike
18

JP on August 26, 2021 at 3:35 am

Hi, just wanted to leave some quick data based on further observations.. the performance of macos im convinced noticably degrades with random security updates. The closest i’ve come to pinning it down is when the AMD GPU drivers are updated… give or take.

Without going though it scientifically, ive tried assuming the inverse, that regardless, if a version of the os will be installed on a model on physical display at an apple store, all possible optimization will be done to it. Once you cross the border into running unsupported macos, this has been incredibly profitable, especially on Catalina and Sierra which i’ve tried.

If you’re always surfing on the latest then by assumption you’ll always be on that “display model” edge, at least until apple decide your machine is old enough. Or stil new enough (see ios 14 running like lightning on an ipad mini 4, which is an A8!!!!)

LikeLiked by 1 person
19

Marc Wilson on August 26, 2021 at 11:22 pm

Thanks, but I’ll be staying on Catalina as long as it is still receiving software updates. I won’t be looking at an ARM Mac before 2023, so there’s no rush.

LikeLiked by 1 person
- 20
  
  hoakley on August 27, 2021 at 6:15 am
  
  Thank you.
  Catalina doesn’t get software updates, and hasn’t for a year now. It only gets security updates. For non-security bugs, it’s as bad today as it was almost a year ago. And in a year’s time, it will stop getting security updates too.
  Monterey isn’t just for M1 Macs, but brings almost all its benefits to Intel models.
  Howard.
  
  LikeLike
  - 21
    
    Marc Wilson on August 28, 2021 at 3:26 pm
    
    Thanks. My comment re ARM Macs was soley intended to point out that the user doesn’t *need* to bother with Big Sur or Monterey unless they have an M1. Since I don’t, and won’t for another couple years, hardware support isn’t the driver.
    
    Hardware was what drove me to Catalina, having bought a laptop that couldn’t run anything earlier.
    
    So. Software. Speaking for myself, I’ve reviewed repeatedly Apple’s published feature lists for both Big Sur and Monterey. There’s nothing on either list I care about, so the only driver right now would be some software application I use or want to use requiring 11.x. That was the same thing that drove me off Sierra onto HS, back in the day, in the face of HS’s many bugs.
    
    Yes, Catalina is only receiving security updates now. Yes, it has bugs. The USB bugs Apple introduced between 15.5 and 15.7 are especially ridiculous. And they’ll never be fixed. Truly, if you are going to run Catalina, you should run 15.4 or 15.5, but then you are giving up security updates.
    
    Finally, it’s been a given at least as far back as Sierra that you do not want to waste time with the current Apple release before it has a track record. My to-do list does not include being a beta-tester in production. In 4Q 2022 I’ll need to decide whether Monterey is typical Apple, and so install Big Sur knowing the problems it’s likely to still have, or try to make a determination of which one is worse and install that one, or continue on Catalina knowing it is no longer getting security updates.
    
    LikeLiked by 1 person
22

Christian on August 27, 2021 at 9:43 am

Hi!
I was happy to read that we agree about directly upgrading to Monterey.
As you wrote, this is particularly sensible considering the recent big changes in MacOS structure and APFS.
I have settled on an update strategy that might sound extreme or dangerous to many, since Apple’s crazy pace of one new MacOS every year: I wait for the last Security Update for a given MacOS before switching to it! — initially for various compatibility reasons but also for not downloading GBs of updaters over and over. 😉
So, I kept running Mavericks until late 2018 then switched to El Capitan; I’ve planned switching to Mojave in the next months and I should switch to Monterey at the end of 2024… 😀
I may be wrong but the balance between convenience and (hypothetical) risk seems ok to me.

LikeLiked by 1 person
23

Sebby on August 30, 2021 at 5:50 am

I just filed FB9578556 – Please Allow Switching System MTA. It says:

Presently, Postfix is the supplied MTA, and sendmail-compatible binaries are at /usr/{sbin,lib,libexec}/sendmail, mailq, newaliases. Every MTA uses those conventions to be sendmail-compatible, though, so replacing it is now tediously difficult since application code often wants to invoke those binaries. Can we please have either mailwrapper(8) or symlinks in /var/select (in the present fashion of /bin/sh) so that replacing the MTA with another, leaner, preferred choice is possible without recompiling software or breaking the system seal? Thanks.

Given that this is the only serious filesystem-level problem I’ve had (but, OTOH, the only problem I’ve actually found in the course of reconstructing my environment) it certainly looks like Monterey is go. Of course, filing any bug/feedback, including this one, remains a black hole of despondency, but that’s hardly news. Maybe you also think this is important to you or just an interesting example of a gotcha, but either way, HTH.

LikeLiked by 1 person
- 24
  
  hoakley on August 30, 2021 at 7:55 am
  
  Thank you. Don’t the managers like brew (etc.) cope with this?
  Howard.
  
  LikeLike
  - 25
    
    Sebby on August 30, 2021 at 9:00 am
    
    Can’t speak to Brew, but given that it tries to minimise external dependencies and rely on the system, probably not; it’s also not clearly a bug, either, because it’s not a run-time dependency anyway. I use MacPorts and just installed GNU mailutils, and it’s relying on /usr/sbin/sendmail; fortunately, however, unlike the system-provided /bin/mail its sendmail binary appears to be run-time configurable, so that’s a lucky escape. In any case the location of a sendmail binary should probably be well-known across the system, so I still hope Apple attends to this when they eventually get around to it, as they have with the “standard” /bin/sh which was once always bash but is now, happily, a symlink. They even provide dash, an excellent POSIXly upright minimalist alternative that I’d recommend /var/select/sh be linked to if you want maximal compatibility in your shell scripts.
    
    LikeLiked by 1 person
26

Michael Tsai - Blog - Waiting to Update to Big Sur on September 8, 2021 at 3:38 pm

[…] Update (2021-09-08): Howard Oakley: […]

LikeLike
27

jeffsyrop on November 22, 2021 at 11:48 pm

A friend of mine has found by experimenting and going on forums that people who have replaced a regular hard drive with an SSD drive in their Macs cannot install Monterey. Here are screenshots showing the kind of Mac she has and the version of Big Sur she’s running, and the error message she gets when she tries to install Monterey. She has tried several times and she got the same error message every time. Is there some workaround she could do? She has used Terminal commands before but is not adept at it, but also not afraid to do it.

Thanks in advance for reading this, even if there’s nothing that can be done.

LikeLiked by 1 person
- 28
  
  hoakley on November 23, 2021 at 8:49 am
  
  Thank you.
  This has been a longstanding problem with macOS Installers and updaters. It had been improving more recently, as shown by the fact that she’s been able to update as far as she has.
  There are two further things she can try: one is to perform the install in Recovery mode. However, she’ll need to be prepared to migrate here data into that from a backup, in case that install can’t use here existing Data volume. The other possibility is to create a bootable external installer and try that, although there’s the same requirement to be ready to migrate data from a backup.
  Otherwise she should raise this with Apple Support, who might have a neater solution.
  I wish her success.
  Howard.
  
  LikeLiked by 1 person
  - 29
    
    jeffsyrop on November 24, 2021 at 12:27 am
    
    Thank you so much for this answer, super helpful and clear.
    
    LikeLiked by 1 person
    - 30
      
      hoakley on November 24, 2021 at 11:12 pm
      
      Thank you.
      Howard.
      
      LikeLike
- 31
  
  Sebby on November 23, 2021 at 11:06 am
  
  Is this not the well-known (and unjustifiable, IMO) restriction that the installer puts on the disk used for flashing firmware? I couldn’t OCR your image so this is just a guess.
  
  Possible workaround: use Apple SSD in Thunderbolt enclosure. It only works, of course, if you have such an SSD, and an enclosure. (If you don’t, you’re SOL. 😦 )
  
  LikeLiked by 2 people
  - 32
    
    hoakley on November 23, 2021 at 2:16 pm
    
    Thank you. In this case, I don’t think so, as this user has already updated to 11.6.1, which contains exactly the same firmware update – which other users have found too. I think it’s a bug in the Installer app itself which is making unwarranted checks, which is why taking it to Apple Support is helpful, as that needs to be fixed properly.
    Unfortunately, although installing to an external SSD will result in the firmware update (which isn’t needed here, I suspect), if the Installer itself won’t attempt the installation because of the non-Apple storage, that may still fail.
    Howard.
    
    LikeLiked by 1 person
33

jeffsyrop on November 22, 2021 at 11:49 pm

LikeLiked by 1 person