Catalina: Apple turns macOS into a closed platform; many audio-devs warned from the upgrade

[FabienTDR]

As in because you've just now miraculously discovered Apple makes changes to requirements, and you've tied this new discovery to your business model.

I've noticed it before, just why this offensive tone?

I am evaluating the pros and cons, and considering the long term effect. I am free to stop supporting new mac OS's anytime, for political reasons. Again, this makes ~30% of our revenue to date, and I feel we're getting close to the point were it isn't worth the trouble anymore. We could certainly sell more to win, by gaining time to develop new functionality.

Pls allow each participant to express his impression without being treated like an idiot. The point with business models is that the owner carries full risk and costs, he has a skin in the game, and typically knows and evaluates very well what he is doing.

See, branching out a whole product between pre catalina and post catalina complicates the matter. Now two codebases, two products needs support. It's not that realistic. You understand there are third party distributors and resellers behind all this, probably having to adapt their systems for exotic upgrade constellations and whatever? There are websites, e-commerce systems, license systems and and and that all need exceptional updates? Well meant, but not that well done I'd say.

Not just that, the whole communication effort is a pain in the ass, with several previously satisfied customers ending up being pissed of, for no functional gain. Just costs, just noise.

[JunSev]

Is good to see developers expressing their opinions, I can even remember some employees from Image Line expressing their dissatisfaction dealing with the apple platform, always breaking things and always getting rid of things and a lot of apple users just complaining how s**t FL is, absurd.

Apple is an arrogant corporation that doesn't think about compatibility, independent developers and common users.

[elxsound]

Pls allow each participant to express his impression without being treated like an idiot.

Hmmm... really, you don't say.

and obviously mac users don't care too much about additional costs and paperwork anyway, according to Apple: just matter of the right wording ( ).

And by the way, it wasn't an offensive tone. You asked a question. I answered it.

I just didn't add an emoji, which apparently makes everything cuddly.

So, for you...

[JoeCat]

good article here, if it hasn't been posted already:
https://cdm.link/2019/09/macos-catalina ... ajS3sdK3yc

[Hanz Meyzer]

good article here, if it hasn't been posted already:
https://cdm.link/2019/09/macos-catalina ... ajS3sdK3yc

I don't think it is a good article, since it just repeats the propaganda wording of Apple marketing and that's why deflects from the real reasons of Apples new requirements.

The article simply says untruth:

The good news is, theoretically this burden falls on the DAW, not individual plug-ins. (Plug-ins may still require an update, because of the removal of 32-bit code and other portions of the OS required for compatibility, and because of new installer requirements.) But you will need to update any software working with plug-ins, or you may find software won’t run properly or will fail to run altogether.

The truth is, once the DAW was updated for notarisation for being usable under macos Catalina, ALL PLUGINS YOU USE now need this kind of update, too. Not for 64 bit, but for notarisation.

https://www.bitwig.com/en/home/news-arc ... alina.html

It is not more secure, if the system volume is write protected, it is more like you will not be able to remove the virus yourself anymore. You now need permission from Apple for that Also, this article... OMG OMG THERE WAS A CRYPTOMINING TROJAN in faked pirated software that the user installed manually!!! So that is now the reason to make a flood of plugins incompatible? C'mon guys, please think about it a bit more. A cryptomining trojan? Which you could most likely manually remove yourself, if you know some OS basics? Even "Saddam Virus" on my Amiga 500 was more evil. And then those articles come with this outdated 32-bit-is-dead-argument, which isn't one. That discussion already started in 2007 or so and was finished 4 years ago. 99% today already do not use 32 bit anymore. No, it is about notarisation, which will force every developer to pay Apple tax. Then freeware developing will be much less attractive. Also a lot of plugins will not be updated or will not pass Apples intransparent process, and it neither is about security, it is about loosing control over your very own computer. Pfft. This is simply a ton of shit for any macos audio user.

[Zaphod (giancarlo)]

That cryptomining Trojan virtual machine (!!!! It was a whole virtual machine because they didn't know how to run it directly!!!) installed using a very basic script is just ridiculous - I find embarrassing we are even speaking about it

[Angus_FX]

If I'm not completely mistaken, regardless if someone disables that quarantine bit whatsoever, the host software can still run the integrity test. That makes PACE EDEN signing surplus for plug-ins on macOS. It also enables any host to run the same kind of security that PACE offers for free. Heck, our plug-ins can check themselves!

Your plug-ins can check themselves (and each other) anyway, everyone has been able to implement key-signing since the year dot. Also rather easy for crackers to circumvent with a key substitution attack, but no matter. Don't get me wrong, I'd be glad to see the end of PACE, but code signing on its own is far from a panacea. If you can't prevent hackers from installing their own keys and certs, or overwriting those already installed, it's not copyprotection.

As a developer, I'm rather more concerned with the anti-debugging implications of this. If a host will only load signed code, I now can't use it with development builds. Further, the entitlements system has some nasty restrictions on debugging in a mixed-vendor environment:

https://developer.apple.com/documentati ... s_debugger

.. and if a vendor ships their code with the debugger entitlement set to OFF, you as a developer can't patch it to ON - because that will cause the code signature checks on the host to fail. (OK, you could probably patch it and then re-sign with your own cert, but if the host self-checks it will now fail on the self-check).

We've almost become victim to socially engineered attacks several times, the advent of deep learning in malware is not going too make our lives easier.

Any sources on that..? I mean, it _sounds_ scary, but it's not immediately obvious to me what deep learning has to do with socially engineered malware.

[Urs]

We've almost become victim to socially engineered attacks several times, the advent of deep learning in malware is not going too make our lives easier.

Any sources on that..? I mean, it _sounds_ scary, but it's not immediately obvious to me what deep learning has to do with socially engineered malware.

Connect the dots.

I'm just saying - people already attack us with knowledge of social connections between workers at u-he, trying to empty our bank account.

At the same time, articles emerge stating that AI can extract knowledge from photos which go beyond what humans can extract from them.

How long until *automated* socially engineered attacks are going to be so good that you won't be able to figure it out anymore?

[Haptix]

Do not worry, by the time that happens we will already have timemachines to go back in time and prevent all this from happening. We can stop Apple from ever evolving into self-thinking cryptomining malware.

[EvilDragon]

...except then Apple's time agents from 29th century will prevent you by prodding you in the ass.

[perpetual3]

Pls allow each participant to express his impression without being treated like an idiot.

Hmmm... really, you don't say.

and obviously mac users don't care too much about additional costs and paperwork anyway, according to Apple: just matter of the right wording ( ).

Exactly. This kind of attitude towards customer never bodes well, and frankly with so many more or less equivalent options on the market, why should a customer tolerate a developer who takes such an attitude?

[perpetual3]

We've almost become victim to socially engineered attacks several times, the advent of deep learning in malware is not going too make our lives easier.

Any sources on that..? I mean, it _sounds_ scary, but it's not immediately obvious to me what deep learning has to do with socially engineered malware.

Connect the dots.

I'm just saying - people already attack us with knowledge of social connections between workers at u-he, trying to empty our bank account.

At the same time, articles emerge stating that AI can extract knowledge from photos which go beyond what humans can extract from them.

How long until *automated* socially engineered attacks are going to be so good that you won't be able to figure it out anymore?

That a DNN can extract “more” information from a photo than a human may be true (do you have a source handy?), But they are also fairly brittle and easy to fool. Adding noise imperceptible to humans to an image can completely thwart a DNN, for example.

https://www.nature.com/articles/d41586-019-03013-5

“Researchers have already demonstrated how to fool an AI system into misreading a stop sign, by carefully positioning stickers on it1. They have deceived facial-recognition systems by sticking a printed pattern on glasses or hats. And they have tricked speech-recognition systems into hearing phantom phrases by inserting patterns of white noise in the audio.
...

“There are no fixes for the fundamental brittleness of deep neural networks,” argues François Chollet, an AI engineer at Google in Mountain View, California.”

https://www.nature.com/articles/d41586-019-03013-5

[Urs]

Adding noise imperceptible to humans to an image can completely thwart a DNN, for example.

But we're not talking about pictures which are prepared and put up on Instagram. We're talking about locking down private information stored on computers in a way that malware can not access it - location and movement profiles, calendars, passwords, photos, contacts, credit cards, medical data and whatever fitness apps store.

OTOH people are stupid enough to upload their own image to obscure services which return versions modified in age, gender and what not.

[Zaphod (giancarlo)]

If I'm not completely mistaken, regardless if someone disables that quarantine bit whatsoever, the host software can still run the integrity test. That makes PACE EDEN signing surplus for plug-ins on macOS. It also enables any host to run the same kind of security that PACE offers for free. Heck, our plug-ins can check themselves!

Your plug-ins can check themselves (and each other) anyway, everyone has been able to implement key-signing since the year dot. Also rather easy for crackers to circumvent with a key substitution attack, but no matter. Don't get me wrong, I'd be glad to see the end of PACE, but code signing on its own is far from a panacea. If you can't prevent hackers from installing their own keys and certs, or overwriting those already installed, it's not copyprotection.

As a developer, I'm rather more concerned with the anti-debugging implications of this. If a host will only load signed code, I now can't use it with development builds. Further, the entitlements system has some nasty restrictions on debugging in a mixed-vendor environment:

https://developer.apple.com/documentati ... s_debugger

.. and if a vendor ships their code with the debugger entitlement set to OFF, you as a developer can't patch it to ON - because that will cause the code signature checks on the host to fail. (OK, you could probably patch it and then re-sign with your own cert, but if the host self-checks it will now fail on the self-check).

exactly...

[Urs]

If I remember correctly, Apple was able to blacklist developer certificates which were stolen through phishing attacks. That was why they made two factor identification mandatory. So those cracks will work for a while and then boom.