hoakley September 25, 2022 Macs, Technology

Last Week on my Mac: Paradoxical undressing

Human behaviour is full of paradoxical responses. One of the most puzzling of them all is sometimes seen in those suffering from hypothermia, who instead of trying to conserve body heat, do the exact opposite, in what’s known as paradoxical undressing. Some become quite punchy about it too, and have to be restrained by several burly blokes to stop them from dancing naked in a blizzard.

In trying to round up the significant ins and outs of Ventura this week, the third in which I have been largely immersed in Ventura’s features, I’ve come across equally paradoxical responses. They have explained one of the mysteries I see occasionally among SilentKnight users, those who discover that, at some time in the past, they have turned Gatekeeper checks off, and never turned them back on again. It seems the reason for this paradoxical behaviour is the advice they’ve been given on sites among the top hits on Google’s search.

In my case, I came across this advice when trying to discover whether other sites had covered changes to Gatekeeper in Ventura. To my horror, among the more popular recommendations given for dealing with apps being blocked by Gatekeeper from starting up, are stripping all extended attributes at the command line, and disabling Gatekeeper “temporarily”.

This reminds me of those unfortunate cases you read about. An intruder alarm goes off, annoying security staff, who turn it off and allow thieves to enter without any further trouble, and someone gets upset enough to disable automatic smoke alarms or sprinkler systems when there’s a real fire in progress.

Let’s say we have downloaded software from a developer’s site, installed it on our Mac, only to find that Gatekeeper won’t allow us to run it. I’m not referring here to problems occurring with app translocation, but a warning that the app is damaged and can’t be run. Most sites give the correct first response, of trying to download and install the app again. After some of the usual general panaceas like restarting and installing macOS updates, several then go on to recommend the user to disable Gatekeeper, or to strip extended attributes, among them presumably the quarantine flag, so effectively bypassing Gatekeeper’s first run checks on that app.

From time to time, developer’s sites are compromised, and one of the common tricks is to subvert them to deliver malicious software to innocent users who think they’re downloading genuine signed and notarized software instead. Well, you would, wouldn’t you? Who would ever suspect that you might download something not entirely wholesome?

Your best defence then is the hope that Gatekeeper’s first run checks will detect that malware. Stripping the quarantine flag or turning Gatekeeper checks off altogether disable your Mac’s primary defences, open the door, and welcome almost anything in, as paradoxically as stripping off in a blizzard, or turning intruder or smoke alarms off.

The only saving grace for those websites offering such dangerous advice is that they haven’t been brought up to date for Ventura, although several pretend to provide specific advice for it. This may in part explain why Apple is changing Gatekeeper behaviour in macOS 13 so that signatures and notarization are always checked on notarized apps, even after their first run, when they have got out of quarantine. However, I suspect that those crazy enough to turn Gatekeeper off altogether may still get everything they wished for, with a bonus of some added malware.

It was at this stage that another thought occurred to me: several of these sites offering this dangerous advice were also trying to get me to download and install software, generally housekeeping and clean-up utilities. What if their advice was carefully tailored to encourage visitors to download malware, then turn Gatekeeper off to ensure that it installed and ran undetected?

I can’t prove anything, and I’m afraid these products aren’t the sort I’d ever let loose on one of my Macs anyway, but what an ingenious deception.

All this brings me back to the issue of paradoxical behaviour. Why would anyone put blind trust in such websites urging us to turn off our Mac’s security defences? I’d rather dance naked in a blizzard, thank you.

16Comments

Add yours

1

sebus on September 25, 2022 at 9:50 am

One reason for these is defo Italy Apple fault, because troubleshooting any problem is way beyond “normal” Mac user.
Simply because the workings of the OS itself is dark mystery, kept secret by the creators with very few “high priests” that know more

LikeLiked by 1 person
- 2
  
  hoakley on September 25, 2022 at 11:42 am
  
  Presuming that you mean “definitely Apple’s fault”, in this case I couldn’t disagree more.
  1. The error message given is wholly appropriate. In most cases, this should only occur because the app has been damaged in some way, either accidentally or deliberately. You really don’t have to think hard or know anything about computers to realise the next step is to try installing a freshly downloaded copy of that app. If that results in the same error, then basic logic suggests the most likely cause is that the download is broken. In that case, there’s no point in searching on the web, but your first point of contact is obviously with the app’s developer who seems to be providing broken downloads. This isn’t rocket science, and if you can’t cope with that level of thought, you perhaps need adult supervision.
  2. Assuming that you can’t find a convenient adult, then you have two steps – contact Apple Support, who I’m certain will give similar advice completely free of charge; or search Apple’s support pages, which also provide excellent detailed instructions which nowhere refer to disabling security mechanisms.
  3. If you prefer third-party advice, there’s no shortage of reputable sites you can check, such as MacWorld, other longstanding publishers, even this one.
  No, there are two reasons why people don’t get good advice. Google doesn’t (any more) put reputable sites among its top hits, because it’s too obsessed with making money rather than returning good hits; just as with Covid, people deliberately ignore experts and the reputable, fundamentally because they’ve regressed to being irrational, believing superstition and rumour.
  If you think you might have a problem with your heart, do you consult a doctor, or follow the advice given in some wacky website that Google happened to put on its first page of hits? Well, I’m sorry to say that many people do the latter, and find some excuse for not going to the doctor instead.
  Howard.
  
  LikeLiked by 3 people
  - 3
    
    Tristan Hubsch on September 25, 2022 at 12:58 pm
    
    It is not just Google’s search algorithms that sacrifice veracity and reliability for remuneration. For my own part, I’ve tried a few others (DuckDuckGo, and Brave — discovered with the Brave browser) but am rather disheartened. …perhaps you know of a meaningful comparison of search result quality between the different current search engines?
    
    Also, something else, about WP’s widgets: I logged into this site (by default) via Safari, “liked” the article… but then I couldn’t “like” this response (hovering over the star made it amber, clicking elicited some “cogitation” but no end-result change). So, I logged in using Brave; this time, clicking on the star produced a blank popup window… and no end-result change. So, I logged in via Firefox, and here “liking” worked… (Or, did I get muddled by this time, by the three different browser windows with the identical content? For, I find myself writing this reply in the Safari rendition, after I cycled through the three browsers checking if the refresh will show the added “like”… and thought I’d be back in Firefox.) Oh, well. Oh, and the Safari rendition tends to display some of the elements badly overlapping: narrowing the window makes the “like” links overlap with the poster’s date/time stamp. Aargh… (I came here curious about the main topic — and commend your warning, not to get bogged down by browser idiosyncrasies.)
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 25, 2022 at 2:11 pm
      
      Thank you.
      I’m sorry about the browser problems you’re experiencing. Although I don’t routinely test using browsers other than Safari, I’ve never experienced such incompatibilities, although I regularly and frequently access this site on my iPhone, iPad and several different Macs. In any case, I can’t tamper with WordPress.
      Howard.
      
      LikeLiked by 1 person
    - 5
      
      Tristan Hubsch on September 26, 2022 at 12:26 am
      
      @Howard (there’s no “reply” link to your reply): Thanks for the response. I surmised as much about the WP widgets and features. Cheers
      
      LikeLiked by 1 person
    - 6
      
      hoakley on September 26, 2022 at 5:15 pm
      
      I’m sorry, but the depth of threading of comments has to be limited, and the reason there was no reply link is that you had reached that limit. Yes, I can make that deeper, but whenever I try, I get a load of irate emails and comments complaining that the lines are too short to be readable. So I’m afraid that whatever I do, readers aren’t happy!
      Howard.
      
      LikeLiked by 1 person
7

Alan Ralph on September 25, 2022 at 10:36 am

These days, if I’m having a problem with an app, my first recourse is to check Apple’s support pages or those of the developer. If there’s no information to be found online, I’d contact the developer and let them know. In the case of Audio Hijack 4, that turned out to be a bug in the process of transferring previous settings, and I was able to help them find the cause and fix it.

For general troubleshooting, I’m now very wary of any search result that goes to a website I’ve never heard of before and double-check any other results to see if they’re outdated or incorrect.

LikeLiked by 3 people
- 8
  
  hoakley on September 25, 2022 at 11:43 am
  
  Thank you.
  Howard.
  
  LikeLike
9

bwillius on September 25, 2022 at 1:50 pm

So very often security on macOS is not reliable. Sometimes the quarantine info is removed and sometimes it’s not. We developers – mostly – know about that. But users do not know what is secure and what is not secure. They just read advice “turn of Gatekeeper” and they do it. That someone will try to exploit that is no wonder.

LikeLiked by 1 person
- 10
  
  hoakley on September 25, 2022 at 2:19 pm
  
  Thank you.
  So, let’s get this clear: because some means of downloading don’t necessarily attach quarantine flags (which isn’t Apple’s fault, but a decision of the developer), it’s Apple’s fault that some users disable Gatekeeper? I’m sorry, I don’t follow your logic there, nor understand what you think Apple has got wrong. In any case, in Ventura quarantine flags won’t make any difference for notarized apps, will they?
  Howard.
  
  LikeLike
11

markbot2zero on September 26, 2022 at 3:56 am

Thank you, Howard.

re: “…several of these sites offering this dangerous advice were also trying to get me to download and install software, generally housekeeping and clean-up utilities.”

I used to keep track of all the “cleaner” applications on MacUpdate, literally counting them up, and posting them there as a comment. (I also cautioned readers to avoid all but maybe three of them.) This was my bit of service to the Mac community; once in a while I’d get a thank you reply or two, which made it all worthwhile.

The list started with around fifty and kept growing steadily, with sometimes as many as three new cleaners introduced per week. I stopped at seventy-nine, because MacUpdate rejiggered its comment method and would no longer let me post the list.

It’s sad when Mac users get roped into doing things that are harmful, as you’ve described. I do try to spread the word about Eclecticlight.co, among friends, family and clients. The world would be a better place if more folks dropped by here.

-Mark

P.S. Sometimes WordPress gets a bit tetchy for me too. I’ve also had trouble “Liking” comments, and occasionally leaving them. Usually it resolves, which reminds me of an anecdote about my kids’ pediatrician, a kind and thoughtful man, who was originally from London. He had a “Call Hour” from 7 AM – 8 AM, where he’d try to calm down anxious parents like me. Once I called because I thought my young daughter was aspirating. He diagnosed the condition (over the phone) correctly as it turned out, as laughter. Another time he reassured poor agitated me about some other minor thing that was going on with her, by gently saying, “Her condition will persist until it resolves.”

LikeLiked by 2 people
- 12
  
  Tristan Hubsch on September 26, 2022 at 5:21 am
  
  Thanks for the WP widget reassurances; indeed, the inexplicable(?) intermittence and illogic makes these darn things behave like toddlers! AI’s on the rise!!
  
  LikeLiked by 1 person
- 13
  
  hoakley on September 26, 2022 at 5:17 pm
  
  Thank you.
  WordPress, on Automattic, changes daily, sometimes hourly. Keeping pace with it is impossible. The good thing is that, when I hit a bug, it usually vanishes within a few hours, but the next one could occur at any time.
  Howard.
  
  LikeLiked by 1 person
14

Richard on October 23, 2022 at 11:39 pm

I am considering the use of OWC’s SoftRaid Pro. However installing this software on an Apple silicon Mac requires that the Mac’s security status be downgraded to “Reduced Security > Allow user management of kernel extensions from identified developers” which seems contrary to your ‘best practices’ stance in the above article. Do you have any thoughts about the wisdom of downgrading my Mac’s security in order to run software such as OWC’s SoftRaid Pro? Is downgrading my Mac Studio’s security in order to run SoftRaid Pro a ‘reasonable’ trade off in terms of security or not? Thank you.

LikeLiked by 1 person
- 15
  
  hoakley on October 24, 2022 at 11:01 am
  
  Unfortunately, OWC has so far been unable to transform their kernel extensions into system extensions, so for the time being the only way to use SoftRAID on an Apple silicon Mac is to install those kernel extensions, which requires reduced security. If you want to use SoftRAID, there’s no other option.
  You could instead use hardware RAID which doesn’t require kernel extensions, or use AppleRAID in Disk Utility. Either of those should allow you to keep your Apple silicon Mac at Full Security, however they may not support the RAID level you want to use.
  The choice is yours. Personally, given the tendency for kernel extensions to need revision for new versions of macOS, I decided not to use SoftRAID. But your priorities may be different.
  Howard.
  
  LikeLiked by 1 person
  - 16
    
    Richard on October 24, 2022 at 3:20 pm
    
    Thank you, Howard. Seems like sound advice to me, as yours always seems to hit the mark.
    
    LikeLiked by 2 people