Rixstep
 About | ACP | Buy | Free | Industry Watch | Learning Curve | News | Search | Test
Home » Learning Curve » Red Hat Diaries

Apple Make You Paranoid Yet?

Jeffrey seems to have a forgiving nature. Do you?


Get It

Try It

DEUTSCHLAND (Rixstep) — YMMV but this might be one of the scariest reads you'll have today, or this week, or this month.

This is about a network analysis done by Jeffrey Paul two months ago.


So who is Jeffrey Paul? He seems to live in Berlin, and a name like his is rare in the German capital. His site says he's from the US. He seems to know what he's talking about.

He'll scare you.

It's about this piece from 2 February.

https://sneak.berlin/20210202/macos-11.2-network-privacy/

Jeffrey decided to do a thorough privacy/intrusion test on his new M1 MacBook Air.

He booted his system from a USB, used diskutil zeroDisk to zap the system drive, and nvram -c to zap all the NVRAM settings, so the reboot gave him nothing but the '!'.

He then connected to another machine running Apple Configurator 2 so he could restore the firmware and the OS.

His next reboot seemed to confirm that the NVRAM had worked: the Air didn't automatically connect to the Wi-Fi network. Jeffrey continues.

'The system completed the out-of-box-setup (initial country selection, user account creation, etc) without being connected to the network. Location services, analytics, Screen Time, Siri, and Touch ID were all declined.'

He's not connected anywhere and has declined invitations to do so. Jeffrey's comment so far.

'Has anyone else noticed that Apple's setup wizards are getting more and more aggressive about prompting you to enable their services even after you click 'no'?'

Well have you?

Captures

Jeffrey's desktop now appeared and now he connected to a network chosen for this test. The procedure took about one minute, then the system rebooted itself, and now things were connected (to the test network).

Jeffrey Paul then disabled the network. A few minutes later, he'd nevertheless captured 38 megabytes of traffic data - with a computer that had been disconnected from its network.

The following are the IPs his Apple MacBook Air tried to find a way to talk to (by querying DNS).

1-courier.push.apple.com
1-courier.sandbox.push.apple.com
46-courier.push.apple.com
49-courier.push.apple.com
a1051.b.akamai.net
a1864.gi3.akamai.net
a2047.dscb.akamai.net
a239.gi3.akamai.net
albert.apple.com
albert.gcsis-apple.com.akadns.net
api.apple-cloudkit.com
api.smoot.apple.com
apple-finance.query.yahoo.com
appleid.apple.com
bag-smoot.v.aaplimg.com
bag.itunes.apple.com
c.apple.news
captive.apple.com
captive.g.aaplimg.com
cdn.apple.com.c.footprint.net
cf.iadsdk.apple.com
configuration.apple.com
configuration.ls.apple.com
cs9.wac.phicdn.net
e10499.dsce9.akamaiedge.net
e11408.d.akamaiedge.net
e12919.dscd.akamaiedge.net
e1329.g.akamaiedge.net
e16126.dscg.akamaiedge.net
e17437.dscb.akamaiedge.net
e5977.dsce9.akamaiedge.net
e673.dsce9.akamaiedge.net
e6858.dsce9.akamaiedge.net
e6987.a.akamaiedge.net
e6987.e9.akamaiedge.net
gateway.fe.apple-dns.net
gateway.icloud.com
gdmf.apple.com
gdmf.apple.com.akadns.net
geo-applefinance-cache.internal.query.g03.yahoodns.net
get-bx.g.aaplimg.com
gsa.apple.com
gsa.apple.com.akadns.net
gsp-ssl.ls.apple.com
gspe1-ssl.ls.apple.com
gspe21-ssl.ls.apple.com
gspe35-ssl.ls.apple.com
help.apple.com
iadsdk.apple.com
init-p01md.apple.com
init.ess.apple.com
init.itunes.apple.com
init.push-apple.com.akadns.net
init.push.apple.com
internalcheck.apple.com
lcdn-locator-usnkq.apple.com.akadns.net
lcdn-locator.apple.com
mesu.apple.com
ocsp.apple.com
ocsp.digicert.com
pancake.apple.com
pancake.g.aaplimg.com
pds-init.ess.apple.com
stocks-sparkline.apple.com
swcdn.apple.com
swdist.apple.com
swscan.apple.com
time.apple.com
weather-data.apple.com
weather-edge.apple.com
weather-edge.news.apple-dns.net
www.apple.com
xp.apple.com

Jeffrey.

'All of these 73 hostname lookups happened without launching any apps - no App Store, analytics off, no iTunes, nothing. No Apple ID has been used on the device. The device was set up, analytics and network services declined, connected to network, sat at desktop, rebooted, sat at desktop, and then shut down.'

Jeffrey now tries launching a few apps.

'One by one, the following apps are launched (via the command-space launcher, which also sends each and every keystroke typed into it over the network):'

App Store, News, TV, Books, Maps

He went through the procedure of setting up with each, then closed the apps and shut the system down.

In two or three minutes, that activity generated another 47 megabytes of traffic.

Here are the connecting Apple servers this time. Now there are 105 of them.

1-courier.push.apple.com
1-courier.sandbox.push.apple.com
26-courier.push.apple.com
34-courier.push.apple.com
a1806.dscb.akamai.net
a1838.dscb.akamai.net
a1864.gi3.akamai.net
a1956.dscb.akamai.net
a2047.dscb.akamai.net
amp-api.apps.apple.com
api-edge.apps.apple.com
api-glb-den.smoot.apple.com
api-glb-usw2c.smoot.apple.com
api.apple-cloudkit.com
apple-finance.query.yahoo.com
apple.com
apple.comscoreresearch.com
appleid.apple.com
apps.mzstatic.com
ax.itunes.apple.com
bag.itunes.apple.com
books.apple.com
buy.itunes.apple.com
c.apple.news
captive.apple.com
captive.g.aaplimg.com
cdn.smoot.apple.com
cdn.smoot.g.aaplimg.com
cdn2.smoot.apple.com
cf.iadsdk.apple.com
client-api.itunes.apple.com
configuration.apple.com
configuration.ls.apple.com
cs9.wac.phicdn.net
e10499.dsce9.akamaiedge.net
e11408.d.akamaiedge.net
e12919.dscd.akamaiedge.net
e1329.g.akamaiedge.net
e14313.g.akamaiedge.net
e16126.dscg.akamaiedge.net
e17437.dscb.akamaiedge.net
e3925.dscx.akamaiedge.net
e5949.dscg.akamaiedge.net
e5977.dsce9.akamaiedge.net
e673.dsce9.akamaiedge.net
e673.dscx.akamaiedge.net
e6858.dsce9.akamaiedge.net
e6987.a.akamaiedge.net
e6987.e9.akamaiedge.net
e8143.dscb.akamaiedge.net
gateway.fe.apple-dns.net
gateway.icloud.com
gdmf.apple.com
gdmf.apple.com.akadns.net
geo-applefinance-cache.internal.query.g03.yahoodns.net
get-bx.g.aaplimg.com
gsp-ssl.ls.apple.com
gspe1-ssl.ls.apple.com
gspe19-ssl.ls.apple.com
gspe21-ssl.ls.apple.com
gspe35-ssl.ls.apple.com
help.apple.com
humb.apple.com
iadsdk.apple.com
init.itunes.apple.com
init.push-apple.com.akadns.net
init.push.apple.com
is1-ssl.mzstatic.com
is2-ssl.mzstatic.com
is3-ssl.mzstatic.com
is4-ssl.mzstatic.com
is5-ssl.mzstatic.com
itunes.apple.com
js-cdn.music.apple.com
mesu-cdn.origin-apple.com.akadns.net
mesu.apple.com
news-assets.apple.com
news-client.apple.com
news-client.news.apple-dns.net
news-edge.apple.com
news-edge.origin-apple.com.akadns.net
news-events.apple.com
news-events.news.apple-dns.net
ocsp.apple.com
ocsp.digicert.com
pancake.apple.com
pancake.g.aaplimg.com
pds-init.ess.apple.com
play.itunes.apple.com
s.mzstatic.com
sb.tv.apple.com
se-edge.itunes.apple.com
sf-api-token-service.itunes.apple.com
smoot-api-glb-den.v.aaplimg.com
smoot-searchv2-usw2c.v.aaplimg.com
stocks-sparkline.apple.com
support-sp.apple.com
swscan.apple.com
time.apple.com
uts-api.itunes.apple.com
weather-data.apple.com
weather-edge.apple.com
weather-edge.news.apple-dns.net
www.apple.com
xp.apple.com

Jeffrey.

'Again, this is on a system that does not opt in to any Apple services - no iCloud, no FaceTime, no iMessage, no App Store apps, no Siri, no analytics.'

But Jeffrey's just begun to fight.

Jeffrey now adds all the previous IPs to /etc/hosts to block them. After this he rebooted again to his desktop. He moved the cursor around a bit and then rebooted again, and then launched the same five apps in the order given below. Each was launched and then terminated.

App Store, News, TV, Books, Maps

Thereafter the system was again shut down.

The capture file this time was only one tenth of a meg - 104 KB. But the system is still trying to contact Apple, specifically at the following IPs.

24-courier.push.apple.com
36-courier.push.apple.com
a1806.dscb.akamai.net
a1864.gi3.akamai.net
api-edge.apps.apple.com
api-glb-usw2c.smoot.apple.com
apple-finance.query.yahoo.com
apple.comscoreresearch.com
apps.mzstatic.com
c.apple.news
captive.apple.com
captive.g.aaplimg.com
cf.iadsdk.apple.com
configuration.apple.com
configuration.ls.apple.com
e10499.dsce9.akamaiedge.net
e11408.d.akamaiedge.net
e12919.dscd.akamaiedge.net
e1329.g.akamaiedge.net
e17437.dscb.akamaiedge.net
e5977.dsce9.akamaiedge.net
e673.dsce9.akamaiedge.net
e673.dscx.akamaiedge.net
e6987.a.akamaiedge.net
e6987.e9.akamaiedge.net
gateway.fe.apple-dns.net
gateway.icloud.com
gdmf.apple.com
gdmf.apple.com.akadns.net
geo-applefinance-cache.internal.query.g03.yahoodns.net
get-bx.g.aaplimg.com
gsp-ssl.ls.apple.com
gspe1-ssl.ls.apple.com
gspe19-ssl.ls.apple.com
gspe35-ssl.ls.apple.com
help.apple.com
iadsdk.apple.com
init.itunes.apple.com
init.push-apple.com.akadns.net
init.push.apple.com
mesu-cdn.origin-apple.com.akadns.net
mesu.apple.com
news-edge.apple.com
news-edge.origin-apple.com.akadns.net
ocsp.apple.com
pds-init.ess.apple.com
play.itunes.apple.com
push.apple.com
smoot-searchv2-usw2c.v.aaplimg.com
swdist.apple.com.edgekey.net
swscan.apple.com
xp.apple.com

And Jeffrey's conclusion? Brace yourself.

'All in all I think that's a pretty good improvement.'

But he concluded with this.

'The quest for a computer that allows me to boot, open a local text editor, write some words, save them on a disk, quit the program, and shut down without snitching to the network continues.'

Jeffrey seems to have a forgiving nature. Do you?



You've obviously heard of us, otherwise you wouldn't be here.
We're known for telling the truth even if it's not in our interest.
We're now telling you to beware Apple's walled garden. Don't get locked in.
What you've seen so far may be only the beginning of something far far worse.
Download our Test Drive and at least check out our free Keymaster Solo.
That's the first step to regaining your freedom. See here.

CONTACT INFO:
John Cattelin
Media Contact
contact@rixstep.com
PURCHASE INFO:
ACP/Xfile licences
User/Family/Business
http://rixstep.com/buy
About | ACP | Buy | Free | Industry Watch | Learning Curve | News | Search | Test
Copyright © Rixstep. All rights reserved.