HACKER Q&A
📣 exabrial

How to Block Apple's Spyware on Big Sur?


With Big Sur, Apple is getting a hash of every executable you run, and it's changing the way kernel extensions and VPNs work to prevent blocks from happening.

Immediately, I think the quick answer is to block outgoing requests to Apple's servers using an external firewall, but how does one identify which requests are carrying the spyware?

On the Mac system, how can we remove the spyware functionality?


  👤 Someone Accepted Answer ✓
“With BigSur, Apple is getting a hash of every executable you run”

Make that “Starting with Catalina” (https://lapcatsoftware.com/articles/catalina-executables.htm...)


👤 hello_asdf
There's a few solutions:

LittleSnitch 4 can continue to work (with the kext) on Big Sur following this: [1]

LittleSnitch 5 can block all protected macOS processes by following this: [2]

Murus can use PF and block IPs for Apple services: [3]. This isn't per process, and is really just a UI for the built-in PF process.

If you'd like to block the notarization check, you can block trustd (/usr/libexec/trustd) access to ocsp.apple.com (on both system and user process ownership in LittleSnitch).

Hope this helps. It's really not as bad as you think, there's a few solutions depending how thoroughly you want to block things.

[1] - https://www.obdev.at/support/littlesnitch/245913651253917

[2] - https://tinyapps.org/blog/202010210700_whose_computer_is_it....

[3] - https://www.murusfirewall.com
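As an added example (not code from the thread, from Murus or from Objective Development), this is what the PF route in the answer above looks like when typed into a shell: a ruleset that drops outbound traffic to ocsp.apple.com, loaded into a PF anchor. The anchor name "block_ocsp" and the table name "blocked_hosts" are choices made here, not anything macOS defines.

```shell
#!/bin/sh
# Added example: block outbound traffic to ocsp.apple.com with PF.
# Assumptions: PF is enabled ("pfctl -e"), "block_ocsp" is an anchor
# name we chose, and <blocked_hosts> is our own table name.
#
# Caveats: PF matches on address, not on process, so unlike a Little
# Snitch rule this affects every process that talks to these hosts,
# not only trustd; PF resolves host names only when the rules are
# loaded, so reload when the resolved addresses change; and, as noted
# further down this thread, an unreachable ocsp.apple.com has made
# Big Sur nearly unusable, so keep the undo step handy.

# Print a PF ruleset that blocks the host names given as arguments.
gen_pf_rules() {
    [ "$#" -gt 0 ] || { echo "usage: gen_pf_rules host [host ...]" >&2; return 1; }
    # A table holding the hosts; PF resolves the names at load time.
    printf 'table <blocked_hosts> { %s }\n' "$*"
    # Drop every outbound packet to those addresses, any protocol or port.
    printf 'block drop out quick from any to <blocked_hosts>\n'
}

# Load the generated ruleset into our anchor (needs root and pfctl).
# The anchor is only evaluated if /etc/pf.conf references it, so add
# the line   anchor "block_ocsp"   there once and reload with pfctl -f.
load_pf_rules() {
    gen_pf_rules "$@" | pfctl -a block_ocsp -f -
}

# Show what is in the anchor and which addresses the table resolved to.
show_pf_rules() {
    pfctl -a block_ocsp -sr
    pfctl -a block_ocsp -t blocked_hosts -T show
}

# Undo: flush everything in our anchor, leaving the rest of PF alone.
unload_pf_rules() {
    pfctl -a block_ocsp -F all
}

# Stand-alone run: print the rules that would be loaded for trustd's host.
gen_pf_rules ocsp.apple.com
```

Run `sudo sh block_ocsp.sh` to see the rules, then `load_pf_rules ocsp.apple.com` as root to install them and `show_pf_rules` to confirm the table actually resolved; if app launches start hanging, `unload_pf_rules` removes only this anchor.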


👤 znpy
I honestly can't understand why on earth a sane-minded person would spend all that money on Apple hardware and then, on top of that, spend a lot of time fighting a losing fight against the software.

Just switch to something else.


👤 LinuxBender
I would start with LittleSnitch [1]. Don't block things by default. Let it learn traffic and show you what is talking to what. Then sort out what things you want to block. I suggest this method because some of the flows won't be obvious if you start selectively blocking things from the start. Make notes of the IPs, CIDR blocks and domains that are problematic and block them on the edge of your network on a monthly basis using data derived from LittleSnitch.

You can also find some blogs and forums that discuss which applications are not critical and that you can "launchctl unload -wF" safely to minimize chatter and improve battery life. Ensure the sites specifically call out the version of macOS you are on, as these things change with each release.

[1] - https://www.obdev.at/products/littlesnitch/index.html


👤 ianmf
Are they using it to spy on their users, or to keep up the 'image' that Apple devices are more secure than the rest? I think the binary execution protection can do more good than harm. Sometimes shit happens, like it did on the Big Sur release. I just hope they change the feature so it doesn't bring the system down to nearly unusable when ocsp.apple.com doesn't respond.

👤 m-p-3
Hopefully we'll see a maintained list to block those with the PiHole.