About | ACP | Buy Stuff | Forum | Industry Watch | Learning Curve | Search | Test Drive
Home » Learning Curve

Socially Engineering macOS Catalina

Don't be engineered. Do the research. Prove them wrong.

Get It

Try It

Originally this piece was to be called 'Enervation', which we weren't even sure was a real word, much as we wonder sometimes if macOS is a real OS, for 'enervation' is what we feel when we see the kinds of ridiculous things being printed on the web about this operating system, and its internals, and other sundry deets about it.

And not to disparage anyone by identifying when it's not needed, so here we go, and we'll try to take it in really small steps. It really gets to be too much at times, doesn't it?

Someone has namely noticed that even command line tools have a difficulty running under Catalina if they're not at least notarised. This has been a bit hazy, one not knowing from one moment to the next what part of the Apple gospel one is to take seriously, but all of Apple's command line tools are code-signed, for example, already on Mojave. Yet there's no way, even today, for mere mortals outside the Loop of putting that gunk on executables (thank goodness, some might say).

So you can run into trouble on Catalina - but only if you go down the wrong path. And in this case it's pretty hard not to go down the right path. Anyway.

The key - as we'd suspected all along - is Apple's infamous quarantine flag, com.apple.quarantine, which gets slapped onto almost everything you touch. In fact, the deception doesn't work if there's something that doesn't get the flag.

Apple's strange world is often referred to as a 'walled garden', but it's a garden in concept only. This isn't the same as jailbreaking, for example. It's more like - OK, bear with us - having a tag slapped on your back which is only visible with ultraviolet light. And it then works like this: If you have such a tag, then there are a lot of hoops you have to jump through, but if you don't have a tag, then you're OK.

Of course, we've been warning about the dreaded 'kill switch' for over ten years now, and Apple can pull that switch at any time, but let's leave that matter for the moment.

Most of the time you'll find com.apple.quarantine on your downloads. We specifically made the free and standalone tool appleclean for this purpose. It's a 4 KB download and it's dead easy to use. And you don't have to endure any of this if you make a practice of running appleclean prior to using any of your downloads. And they should then work great.

The long route through the labyrinth to the exit is ridiculous. We'll show you in a moment. Again: all you need is appleclean, then you don't have to worry about a thing. But do try to appreciate the silliness of this situation for those who of their own free will choose not to take the easy route.

That tag on your back, visible only in ultraviolet light, is actually an extended attribute or XA for short. One such XA in particular causes all the pain. Yes, it's com.apple.quarantine. So maybe a quarantine is a bit like a walled garden. Whatever: you're being quarantined.

If you didn't get it: this quarantine flag only appears when you go through standard Apple interfaces to get things off the web. It won't, for example, appear if you download via FTP from an FTP client. Apple have tried to plug all the holes, but they haven't got them all, at least yet.

Once you start toying with a download with the quarantine flag, don't count on anything. All your standard Apple tools and utilities are specifically programmed to propagate this flag on everything they touch. If you expand a ZIP file with the flag, then Apple's trusty 'unarchiver' will slap the flag on every file it extracts. And so forth.

Conversely, if your ZIP or whatever has no such flags, then the system can't know where it comes from, and won't slap anything on it. So the key is to - right from the get-go - remove the quarantine flag.

But say you don't. Say you've downloaded and you got quarantine flags all over the place. What happens then?

According to various sources, Apple's launch services - the call at the bottom of the 'open file with application' hierarchy - will tell you that it refuses to let you launch because they can't check for malicious software' [sic]. (Did you know your favourite platform was under attack? No? Well it's not.)

If you get to that point, you can go into System Preferences, Security & Privacy, onto your General tab, and you'll suddenly see an option to let you run your program anyway. Oh joy. So hallelujah for 'Allow Anyway'. Mostly like what you've been doing on the platform for the past 20+ years. Before the Russians invaded (again).

But, once again, that's the circuitous route. That's carrying coals to Newcastle via Edinburgh, Lisbon, and Macau. It's just plain stupid. Rid yourself of the tag on your back and your omniscient system will be none the wiser.

Supposedly even the circuitous route described above will 'eventually' clear away that nasty quarantine flag, but that's never been demonstrated in practice. Having a quarantine flag on a file - having any XA at all, unless it's something you really want, as in an XA for which the XA system was initially designed - is a bad bad thing. It's just messy. It's quintessential Apple. Like AppleTalk. Seemingly powerful, but a royal pain in the ass.

Articles published online - and note this well - point out that command line tools which are not notarised and have com.apple.quarantine will not run until you go through that rigamarole described above. But they of course will fail to mention that removing com.apple.quarantine is eminent child's play. For that would be too easy. Even those who have tools to add, delete, or edit and replace XAs will go out of their way not to mention that the easiest thing is just to remove the XAs right away.

So, with that out of the way, and knowing you don't need this headache ever, not for command line tools or even bundles: what's going on?

We've been intimating this for some time now, and we began warning of this over ten years ago, but Tim Cook's profit-hungry Apple seems to have met with a dilemma. They'd prefer that all independent software for their computer platform had to go through their App Store as is the case with their mobile apps, but they don't dare enforce it. The backlash, most people agree, would be too great. But that doesn't mean they'll give up trying. 'Notarisation' is their latest tack to get you closer.

There are no great dangers on Apple's macOS, unless you're a complete idiot. It's a Unix system, and when's the last time you heard of a malware epidemic on Unix? Exactly. There are none. Unix was built with a security model in mind. Windows was not. BSD founder Bill Joy was aghast when he realised what Microsoft had done. Things like that won't happen on a Unix system.

But Tim Cook's reached peak iPhone. And the only road ahead goes downhill. He won't publish sales stats anymore. Not many companies do, but Apple did. Now they don't anymore. Want to guess why?

If you hire on a programmer full time, and that programmer occasionally contributes a good software title, or writes a few lines of code now and then that actually make their way into production, you still have to pay the sod. You still have to give him a free lunch. And vacation pay. And benefits. And medical insurance. And a dental plan. Perhaps a leasing vehicle. Big investment.

But if you only cull the software titles your programmer produces, and only when the title actually sells, and you get to keep one full third of all the money the title generates... Add it up. Look at the turnover in Apple's App Store. Look at the revenues passing through. Then take one third of that total amount. That's what Apple gets. No lunches, no leasing vehicles, no benefits, no vacation pay, no dental plan. What's that been called throughout history?

The step from 'notarisation' to 'submission' to the App Store is nonexistent, and it's a premier place to sell your wares, or so you're told. You might never sell more than a handful of copies, and independent software developers are hurting all the time, and you can hear them complaining all the time online, but to Apple it all adds up. It's a lot of cash. A lot of cash. Do the math yourselves. It's a lot of cash.

It's what Mark Knopfler called 'Money For Nothing'.

We warned about this over ten years ago. Others chimed in almost at once. Others scolded Mac users for letting this deplorable situation happen. Over ten years ago.

We pulled a social engineering trick on Apple back then. Our target was Steve Jobs himself. Unbelievably enough, we succeeded.

We got Steve Jobs, through no direct meddling on our own - we left that to the 'consumers' - to deny both the use of the obvious 'kill switch' and the very Apple Store for Mac which exists, as you know, today.

How about the ramifications? Well, to start with, it's a very uneasy feeling working on and for such a platform. This isn't a 'Unix' built in the spirit of Unix. Unix is an educational adventure. Apple does all it can to see that you don't learn anything.

Unix is not a complex system. Yet Apple's Human Interface Group still see it as such. They really believe that Unix is too difficult for you. When this is more likely a projection of their own shortcomings. No one ever told them it's rude to assume that other people are stupid. It's simply not nice.

This same HI Group, by the way, nixed the original NeXT title bar system because they thought that was too difficult you as well.

A short detour here, but it's worth it.


We like to think that what we do with a computing interface is intuitive. We like the interfaces that are self-explanatory. The ones where everything is right where we'd expect it. And in fact numerous heavy tomes have been written about this, not all from an 'apologetic' ('after the fact') perspective. Computer programmers and system architects get into this a lot.

The window title bar. All systems today, save the mobile ones, admit of freely moveable windows. And, given a keyboard and a pointing device, there are a number of things we can do. Which results in a delineation of three separate and distinct 'states' for every window on screen.

Inactive. This is for any window belonginh to an inactive application. By design - some would say pure logic - only one application can be 'active' at any one given time. If an application itself is inactive, then all its windows are inactive as well.

Active But Not Key. Your active application can have many windows, but only one of those windows can be 'key' at any one given time. By 'key' is meant 'ready to accept keyboard input'. If you start typing, then you'll get visual feedback from only one window (and that window will belong to your active application).

Active And Key. This is the window in your active application that is prepared to accept keyboard input. If you start typing, then it's in this window you'll see something - nowhere else.

Being able to intuitively see - without 'thinking' as it were - which window is key, and so forth, is a design goal of any graphical user interface. And NeXT solved it brilliantly.

NeXT's system was the 'negative' version of what we have today, in a way. The darker the window title bar, the closer that window was to being 'key'.

Inactive: light grey title bar.
Active But Not Key: medium grey title bar.
Active And Key: Black title bar.

Three distinct window states. Three and only three. But Apple's Human Interface Group decided that 'three' was too difficult for you users. Seriously. Two you could handle, but three? Nah. That'd overload your feeble brains. Or so they thought. (Yes, really.)

So what did they do? They smudged out the difference between window 2 and window 3, between Active But Not Key and Active And Key. They were able to compensate in some cases, with focus rectangles and the like, but that didn't always work. Things are actually very confusing at times, but they still thought this was better, as 'three' is so much bigger than two.


This same reasoning - this same reliance on your being stupid - is found in a lot of their design and marketing decisions.

When Apple wanted to sell the music industry on the idea of iTunes, they had to provide a convincing argument for why people wouldn't share their music with each other. They came up with 'iPod_Control', a root-level directory on the iPod which was marked with a special flag that only made sense to their Finder. So the Finder wouldn't show you the directory. Naturally if you went to the command line, or use one of our utilities, you'd see the directory right away - and all your songs with it. But Apple counted on you being too lame or too stupid to do that, and when the music bean counters looked at the bottom lines, they concluded that it was 'good enough' - there were so few people doing the obvious that it didn't cut significantly into their sales.

Other companies like Sony tried their tricks too - but were outed pretty quickly by pencil erasers or, in one notorious case, by simply holding down a shift key when inserting the medium. They didn't fare well - but Apple did.

Apple got caught in a bind during the Processor Wars. The lawn mower engines from Intel were clocking faster speeds than the Formula One CPUs used by Apple. And Apple needed a new CPU for their laptops anyway. And IBM had a next-generation processor on the way - it was just too hot for use in laptops, and IBM needed another $250 million to develop another version that was cool enough for laptops, and they knew that Apple, with their constricting marketing policy, would never sell enough laptops to make it worthwhile, and Apple knew it too, so IBM's CPU went into the powerful games consoles and Apple switched to Intel.

But Apple had been telling their customers for years how superior their PowerPC was (and it really was, this was no hype). But what to do now? They engineered it perfectly. The company infamous for secrecy suddenly started leaking. Then Steve Jobs came onstage with the famous sign 'It's true!' The compliant media were fed the hype, and the customers fell right in line. PowerPC better than Intel? Who said that? We never said that! And so forth. Mission accomplished.

The 'mac.com' email addresses were always going to be free. And so forth.

And what this tells us is what Apple - like so many other companies - think of their consumers. Not a lot. Three different title bars on windows? No. They can't handle it. A hidden iPod_Control directory that's eminently visible and accessible as long as you don't use Finder? No biggie. Sneaky extended attributes tagged onto files downloaded from the Internet or other devices, even though a simple command line will obviate them all into oblivion? Nope. No worries there either.

% xattr -crsv *

It's right there in your system, in your macOS Catalina system, all along.

But they're counting on you - most of you - not using it. They're counting on you not understanding, and/or being too lame or stupid.

Their accountants prove them right.

But be scared. Give in to the hype. You remember those 'Mac vs PC' adverts?

Forget them. All 66 of them. They don't mean anything. You're under attack today. No one is safe any longer. Even your JPEG image files can corrupt you. Perhaps your text files too! Yes it could happen!!1!

Ignore the fear-mongers, the ones who say that there are common things that 'carry significant security risks'. Because there aren't. Because it's all bullshit.

You have to ask yourself: if your platform - macOS - is so secure, to the point that Apple produced no less than 66 (sixty-six) adverts to that effect, if your platform is demonstrably not Windows, if you have command line tools installed on your Catalina that can remove these troublesome extended attributes, if you have the good sense not to fall for every cheap trick in the book in the extreme case that you yourself are specifically singled out for attack - then why do you worry?

Do not believe the hype. Stay away from the hype and the world will be a better place all around.

Prove Apple's HI Group wrong. Do the research. Show them you're smarter than they give you credit for. Take control of your own machine. For it is your machine, is it not?

Footnote: Rixstep offer a number of XA-related utilities, dating back to 2007, when extended attributes first replaced resource forks on 10.4 Tiger. CandS is a real workhorse today. Xattr is a Cocoa XA editor. XaBatch and xabatch are for system maintenance. And so forth. Try our free unlimited Test Drive to get a feel for it. It's not only extended attributes Tim Cook's been hiding from you.



'There's no more truth out there than there is in the world I created for you.'

See Also
How-To Geek: XProtect Explained
Stack Overflow: How do I remove 'extended attributes'?
Red Hat Diaries: The Steve Gambit
Rixstep FTP Download: appleclean (4 KB)

About Rixstep

Stockholm/London-based Rixstep are a constellation of programmers and support staff from Radsoft Laboratories who tired of Windows vulnerabilities, Linux driver issues, and cursing x86 hardware all day long. Rixstep have many years of experience behind their efforts, with teaching and consulting credentials from the likes of British Aerospace, General Electric, Lockheed Martin, Lloyds TSB, SAAB Defence Systems, British Broadcasting Corporation, Barclays Bank, IBM, Microsoft, and Sony/Ericsson.

Rixstep and Radsoft products are or have been in use by Sweden's Royal Mail, Sony/Ericsson, the US Department of Defense, the offices of the US Supreme Court, the Government of Western Australia, the German Federal Police, Verizon Wireless, Los Alamos National Laboratory, Microsoft Corporation, the New York Times, Apple Inc, Oxford University, and hundreds of research institutes around the globe. See here.

All Content and Software Copyright © Rixstep. All Rights Reserved.

John Cattelin
Media Contact
ACP/Xfile licences
About | ACP | Buy Stuff | Forum | Industry Watch | Learning Curve | Search | Test Drive
Copyright © Rixstep. All rights reserved.