Unpatchable vulnerability in Apple chip leaks secret encryption keys

erek

Apple's M-based CPUs are at fault

"Like other microarchitectural CPU side channels, the one that makes GoFetch possible can’t be patched in the silicon. Instead, responsibility for mitigating the harmful effects of the vulnerability falls on the people developing code for Apple hardware. For developers of cryptographic software running on M1 and M2 processors, this means that in addition to constant-time programming, they will have to employ other defenses, almost all of which come with significant performance penalties.

One of the most effective mitigations, known as ciphertext blinding, is a good example. Blinding works by adding/removing masks to sensitive values before/after being stored to/loaded from memory. This effectively randomizes the internal state of the cryptographic algorithm, preventing the attacker from controlling it and thus neutralizing GoFetch attacks. Unfortunately, the researchers said, this defense is both algorithm-specific and often costly, potentially even doubling the computing resources needed in some cases, such as for Diffie-Hellman key exchanges.

One other defense is to run cryptographic processes on the previously mentioned efficiency cores, also known as Icestorm cores, which don't have DMP. One approach is to run all cryptographic code on these cores. This defense, too, is hardly ideal. Not only is it possible for unannounced changes to add DMP functionality to efficiency cores, running cryptographic processes here will also likely increase the time required to complete operations by a nontrivial margin. The researchers mention several ad-hoc defenses, but they are equally problematic.

The DMP on the M3, Apple’s latest chip, has a special bit that developers can invoke to disable the feature. The researchers don’t yet know what kind of penalty will occur when this performance optimization is turned off. (The researchers noted that the DMP found in Intel’s Raptor Lake processors doesn’t leak the same sorts of cryptographic secrets. What’s more, setting a special DOIT bit also effectively turns off the DMP.)

Readers should remember that whatever penalties result will only be felt when affected software is performing specific cryptographic operations. For browsers and many other types of apps, the performance cost may not be noticeable.

“Longer term, we view the right solution to be to broaden the hardware-software contract to account for the DMP,” the researchers wrote. “At a minimum, hardware should expose to software a way to selectively disable the DMP when running security-critical applications. This already has nascent industry precedent. For example, Intel’s DOIT extensions specifically mention disabling their DMP through an ISA extension. Longer term, one would ideally like finer-grain control, e.g., to constrain the DMP to only prefetch from specific buffers or designated non-sensitive memory regions.”

Apple representatives declined to comment on the record about the GoFetch research.

End users who are concerned should check for GoFetch mitigation updates that become available for macOS software that implements any of the four encryption protocols known to be vulnerable. Out of an abundance of caution, it’s probably also wise to assume, at least for now, that other cryptographic protocols are likely also susceptible.

“Unfortunately, to assess if an implementation is vulnerable, cryptanalysis and code inspection are required to understand when and how intermediate values can be made to look like pointers in a way that leaks secrets,” the researchers advised. “This process is manual and slow and does not rule out other attack approaches.”"

Source: https://arstechnica.com/security/20...secret-encryption-keys-from-apples-mac-chips/
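
Added example, not part of the original post or the quoted article: the blinding idea described above, applied to a Diffie-Hellman exponentiation so that the value meeting the secret exponent is no longer chosen by the remote party. The group (P, G), the DHKey class and the g^r masking construction are assumptions chosen for illustration; the article does not specify one.

```python
import secrets

# Constructed demo group: P is the Mersenne prime 2**127 - 1 and G = 3.
# Far too small for real use; chosen so the example runs offline.
# Python integers are not constant-time; the point here is the data flow.
P = 2**127 - 1
G = 3


def check_peer_value(c):
    """Reject out-of-range or trivial peer values before touching the secret."""
    if not isinstance(c, int) or not 1 < c < P - 1:
        raise ValueError("peer value out of range")


class DHKey:
    """Hypothetical key holder, instrumented so the demo can observe cost and state."""

    def __init__(self, x=None):
        self.x = x if x is not None else secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.x, P)
        self.modexps = 0       # exponentiations performed, for cost comparison
        self.last_base = None  # value that was raised to the secret exponent

    def _exp(self, base, e):
        self.modexps += 1
        return pow(base, e, P)

    def shared_plain(self, c):
        # The peer fully controls the base that meets the secret exponent.
        check_peer_value(c)
        self.last_base = c
        return self._exp(c, self.x)

    def shared_blinded(self, c):
        # Mask the peer-chosen base with g^r for a fresh random r, exponentiate,
        # then strip the mask: (c * g^r)^x * (g^x)^(-r) = c^x  (mod P).
        check_peer_value(c)
        r = secrets.randbelow(P - 3) + 2
        mask = self._exp(G, r)
        unmask = pow(self._exp(self.pub, r), -1, P)  # modular inverse, Python 3.8+
        blinded = (c * mask) % P
        self.last_base = blinded
        return (self._exp(blinded, self.x) * unmask) % P


def demo():
    """Compare the plain and blinded paths for the same peer-supplied value."""
    alice, bob = DHKey(), DHKey()
    c = bob.pub  # stands in for a value chosen by the remote party
    plain = alice.shared_plain(c)
    plain_base = alice.last_base
    cost_plain = alice.modexps
    bases = set()
    results_match = True
    for _ in range(4):
        results_match &= alice.shared_blinded(c) == plain
        bases.add(alice.last_base)
    return {
        "results_match": results_match,
        "both_sides_agree": bob.shared_blinded(alice.pub) == plain,
        "plain_base_is_peer_input": plain_base == c,
        "distinct_blinded_bases": len(bases),
        "modexps_plain": cost_plain,
        "modexps_per_blinded_call": (alice.modexps - cost_plain) // 4,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two mask exponentiations do not depend on the peer's input, so they are the extra work the blinded path pays on every operation in this construction.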
 
Should be noted this side channel attack vector is present on all ARMv8 chips.

Putting Apple in the title just generates more clicks.
 
Yikes.

Not a good day to be Apple today, huh?

First the DOJ suit and then this...
The DOJ is gonna get laughed out of court, they are basing their claim that Apple makes up 70% of the smart phone market by inventing a new category of “performance phones”.

The Justice Department describes "performance smartphones" as phones that are made with premium materials such as metal and glass; boast faster and better processors, or bigger storage sizes; and have advanced communications tech inside such as tap-to-pay chips. Performance smartphones are distinct from basic, entry-level devices that don't have these same features, according to the complaint.

As far as their messaging complaints they are basing it completely around a Tim Cook quote of:
"buy your mom an iPhone" to resolve the issue.

Nothing technical or legal, California is looking for a pay day and to use this as a leg up on their American Innovation and Choice Online Act which has been rewritten so many times I don’t even know what it does anymore, I know what it claims but I don’t believe them.
 
As far as their messaging complaints they are basing it completely around a Tim Cook quote of:
"buy your mom an iPhone" to resolve the issue.
That sounds strange....

They have technical points, no:
https://www.documentcloud.org/documents/24492020-doj-apple-antitrust-complaint
p.36
- For example, Apple designates the APIs needed to implement SMS as “private,” meaning third-party developers have no technical means of accessing them and are prohibited from doing so under Apple’s contractual agreements with developers. As a result, third-party messaging apps cannot combine the “text to anyone” functionality of SMS with the advanced features of OTT messaging.
- For example, third-party messaging apps cannot continue operating in the background when the app is closed, which impairs functionality like message delivery confirmation. And when users receive video calls, third-party messaging apps cannot access the iPhone camera to allow users to preview their appearance on video before answering a call. Apple Messages incorporates these features.
- Recently, Apple has stated that it plans to incorporate more advanced features for cross-platform messaging in Apple Messages by adopting a 2019 version of the RCS protocol (which combines aspects of SMS and OTT). Apple has not done so yet


Right now I feel the DOJ is going after more than one company about being a monopoly in digital ads at this point (long list of many new giant players, Amazon, Netflix, Disney, TikTok, Uber in that space that were not active in that space when Facebook+Google were getting 90% of new digital ads revenue in their direction) ...
 
That sounds strange....

They have technical points, no:
https://www.documentcloud.org/documents/24492020-doj-apple-antitrust-complaint
p.36
- For example, Apple designates the APIs needed to implement SMS as “private,” meaning third-party developers have no technical means of accessing them and are prohibited from doing so under Apple’s contractual agreements with developers. As a result, third-party messaging apps cannot combine the “text to anyone” functionality of SMS with the advanced features of OTT messaging.
- For example, third-party messaging apps cannot continue operating in the background when the app is closed, which impairs functionality like message delivery confirmation. And when users receive video calls, third-party messaging apps cannot access the iPhone camera to allow users to preview their appearance on video before answering a call. Apple Messages incorporates these features.
- Recently, Apple has stated that it plans to incorporate more advanced features for cross-platform messaging in Apple Messages by adopting a 2019 version of the RCS protocol (which combines aspects of SMS and OTT). Apple has not done so yet


Right now I feel the DOJ is going after more than a company about a monopoly in digital ads by this point
But that’s fundamentally flawed, Apple does not declare SMS as private as SMS as a standard does not support encryption. SMS as a standard also does not support text to everyone. All those features are addons and usually proprietary ones at that.

The only glimmer of hope for the lawsuit is in that iMessage runs as a persistent background service by default where all others do not unless you implicitly give them permission to and even then you can only do so if the program asks for permission and many don’t. And again 3rd-party apps can use the camera and microphone but they have to be granted permission and the app has to ask for permission. Camera preview very much is possible before accepting or joining, Teams and Zoom both do it, but they have actually built in their own solutions to facilitate the preview.

The DOJ started this lawsuit back in 2018 and half of what is in the complaint is either factually incorrect or no longer relevant as it was patched in or out over the last 6 years.
 
The researchers noted that the DMP found in Intel’s Raptor Lake processors doesn’t leak the same sorts of cryptographic secrets
ha ha. i bet they wish they would've just stuck with intel procs now instead of trying to force the world to abandon x86
 
ha ha. i bet they wish they would've just stuck with intel procs now instead of trying to force the world to abandon x86
The world will abandon x86 for consumer devices, Apple was just the first major player to do so.
 
The long and short of this vulnerability is it requires someone to both have access to your hardware and time to exploit it (~30 minutes) - plus whatever time is necessary to exfiltrate data.

So - yes...very big risk for those of us with high risk/valuable data. For the normal people out there - move along. Physically secure your device and/or keep it with you and you're good.

Frankly, as a cybersecurity professional I would not buy an M1 or M2 today. I would buy an M3. The price difference is not that great where it is worth having this type of vulnerability.
 
The long and short of this vulnerability is it requires someone to both have access to your hardware and time to exploit it (~30 minutes) - plus whatever time is necessary to exfiltrate data.

So - yes...very big risk for those of us with high risk/valuable data. For the normal people out there - move along. Physically secure your device and/or keep it with you and you're good.

Frankly, as a cybersecurity professional I would not buy an M1 or M2 today. I would buy an M3. The price difference is not that great where it is worth having this type of vulnerability.
Still more secure than windows. If you’ve owned a box reality is you’re going to get the keys. Windows by default keeps any key handled by windows within lsass for 10 hours. Dump the associated eprocess blocks and you’ve got every key.
 
So - yes...very big risk for those of us with high risk/valuable data. For the normal people out there - move along. Physically secure your device and/or keep it with you and you're good.

IMHO it is only a question of time until vulnerabilities like this one can be used from JavaScript or WebAssembly.
 
ha ha. i bet they wish they would've just stuck with intel procs now instead of trying to force the world to abandon x86
That's a very odd statement when we had years of reports that Intel and AMD chips were vulnerable to an unpatchable memory exploit.

The reality is that it's very difficult to design a chip that's completely immune to attacks. It also sounds like M3 and later chips won't face as much of a threat.
 
Still more secure than windows. If you’ve owned a box reality is you’re going to get the keys. Windows by default keeps any key handled by windows within lsass for 10 hours. Dump the associated eprocess blocks and you’ve got every key.
Yes - unless you are using Bitlocker - and remember - both AMD and Intel have had their own issues of this type on x86.

ARM obviously is not resilient to it.
 
The DOJ is gonna get laughed out of court, they are basing their claim that Apple makes up 70% of the smart phone market by inventing a new category of “performance phones”.

The Justice Department describes "performance smartphones" as phones that are made with premium materials such as metal and glass; boast faster and better processors, or bigger storage sizes; and have advanced communications tech inside such as tap-to-pay chips. Performance smartphones are distinct from basic, entry-level devices that don't have these same features, according to the complaint.

As far as their messaging complaints they are basing it completely around a Tim Cook quote of:
"buy your mom an iPhone" to resolve the issue.

Nothing technical or legal, California is looking for a pay day and to use this as a leg up on their American Innovation and Choice Online Act which has been rewritten so many times I don’t even know what it does anymore, I know what it claims but I don’t believe them.

I think the suit is completely appropriate.

They are intentionally sabotaging the competition to attempt to maintain their market leadership position, and putting up barriers for customers to leave the Apple ecosystem, and fleece third parties in order to allow them to access their captive audience.

Classic anti-competitive behavior.

By law, it should be a slam dunk, and the DOJ should win this case, but I am not convinced that will happen, because courts tend to be reticent to fully enforce anti-trust law.

But yes, I am hoping Apple absolutely gets their asses handed to them.
 
excited?

great. my teachers are already unhappy with the M1 units we have, they crumble under 15ish chrome tabs...
They should just install more ram...
The world will abandon x86 for consumer devices, Apple was just the first major player to do so.
I don't know about that. Apple has apparently lost 5% MacOS market share world wide. Add the 34% decline year over year, and Apple has some serious problems. I really doubt it's because M1 owners don't need to upgrade. To lose 5% decline would mean that people have moved on to a Windows laptop. Are M1/M2 machines just failing? Are people finding out that without AppleCare, you can't afford to fix an M1/M2 machine? Are people sick of the incompatible Windows software or even slower MacOS software running through Rosetta2? Is it that AMD's Dragon Range and Intel's recent Meteor Lake's battery performance is good enough? Whatever the case is, Apple doesn't seem to be selling desktop based ARM silicon.
That's a very odd statement when we had years of reports that Intel and AMD chips were vulnerable to an unpatchable memory exploit.

The reality is that it's very difficult to design a chip that's completely immune to attacks. It also sounds like M3 and later chips won't face as much of a threat.
Last I checked, Spectre affected ARM as well. Meltdown was a massive problem for Intel. The difference here is that AMD and Intel both sell CPUs to servers who really need their stuff secure. That is a big part of their business model. They have to be on top of that stuff, or they could lose to competitors. Apple isn't, and it will show. The difference here is that it's up to the developers of their software to prevent this vulnerability, which is a nice way of saying good luck. The M3 isn't immune either, just that it has a special bit that developers can use to disable DMP. The alternative is to run cryptographic processes on the efficiency cores since they also don't have a DMP. Whatever the case is, the Apple Silicon will lose performance from this.

I don't believe most people will have a problem with security from this, but most people are probably looking at cat videos. You probably don't want to use these machines with sensitive data if nobody is going to do anything about this. Apple hasn't acknowledged it yet, and you're basically dependent on who wrote the application to implement one of the three methods they describe to avoid this vulnerability. With Windows and Linux you got mitigations very quickly.
 
I think the suit is completely appropriate.

They are intentionally sabotaging the competition to attempt to maintain their market leadership position, and putting up barriers for customers to leave the Apple ecosystem, and fleece third parties in order to allow them to access their captive audience.

Classic anti-competitive behavior.

By law, it should be a slam dunk, and the DOJ should win this case, but I am not convinced that will happen, because courts tend to be reticent to fully enforce anti-trust law.

But yes, I am hoping Apple absolutely gets their asses handed to them.
The issue here is Apple has already won against every argument the DoJ is making, in other cases brought against them over the last 6 years.
The DoJ this time is framing it as Apple being a Monopoly claiming they own 70% of the smartphone market (which in reality is close to 20%) by inventing a new classification of devices and then claiming that nobody else makes a "premium" phone in some form of digital gerrymandering, which is obviously not true as it can very easily be argued that Samsung, Sony, Google, Motorola, Red Magic, ... make a device that is as high quality or higher quality and if you combine their sales then again Apple's top of the line iPhone 15 and all its variants is nowhere close to 70% plus of the market share required to be a Monopoly.
The DoJ spent too long preparing their case only for their case to get shot to shit by other rulings and technical advances.
This case will spend the next 3 years in finding, for it to be ultimately dismissed, it's a waste of time and money and the DoJ should be spending its time on actually useful things.
 
The issue here is Apple has already won against every argument the DoJ is making, in other cases brought against them over the last 6 years.
The DoJ this time is framing it as Apple being a Monopoly claiming they own 70% of the smartphone market (which in reality is close to 20%) by inventing a new classification of devices and then claiming that nobody else makes a "premium" phone in some form of digital gerrymandering, which is obviously not true as it can very easily be argued that Samsung, Sony, Google, Motorola, Red Magic, ... make a device that is as high quality or higher quality and if you combine their sales then again Apple's top of the line iPhone 15 and all its variants is nowhere close to 70% plus of the market share required to be a Monopoly.
The DoJ spent too long preparing their case only for their case to get shot to shit by other rulings and technical advances.
This case will spend the next 3 years in finding, for it to be ultimately dismissed, it's a waste of time and money and the DoJ should be spending its time on actually useful things.

It's one thing to fight off a rinkydink civil suit from Epic based on questionable legal complaints. It's a whole other case to fight a well-resourced DOJ investigation.

The AG's office does not like losing. (It hurts politically) They would not have brought the case unless they thought they had a reasonable chance of winning.
 
by inventing a new classification of devices and then claiming that nobody else makes a "premium" phone in some form of digital gerrymandering
I do not remember if it worked, but that is something that they tried to do with Whole Foods in the past. Walmart was by far the biggest seller of organic-bio food in the USA followed by the other big chains, so to block a Whole Foods acquisition (Wild Oats Markets Inc), they needed to invent a new premium organic food store category for it to be considered a big player in some segment of the market: "premium natural and organic supermarkets" ("PNOS").

And they even tried to block them from accessing the market sales of organic food to build their case:
https://www.denverpost.com/2007/06/22/ftc-opposes-whole-foods-bid-to-see-information/

I think the FTC strategy did work:
https://en.wikipedia.org/wiki/Wild_Oats_Markets#Proposed_sale_to_Whole_Foods_Market
 
They should just install more ram...

I don't know about that. Apple has apparently lost 5% MacOS market share world wide. Add the 34% decline year over year, and Apple has some serious problems. I really doubt it's because M1 owners don't need to upgrade. To lose 5% decline would mean that people have moved on to a Windows laptop. Are M1/M2 machines just failing? Are people finding out that without AppleCare, you can't afford to fix an M1/M2 machine? Are people sick of the incompatible Windows software or even slower MacOS software running through Rosetta2? Is it that AMD's Dragon Range and Intel's recent Meteor Lake's battery performance is good enough? Whatever the case is, Apple doesn't seem to be selling desktop based ARM silicon.

Last I checked, Spectre affected ARM as well. Meltdown was a massive problem for Intel. The difference here is that AMD and Intel both sell CPUs to servers who really need their stuff secure. That is a big part of their business model. They have to be on top of that stuff, or they could lose to competitors. Apple isn't, and it will show. The difference here is that it's up to the developers of their software to prevent this vulnerability, which is a nice way of saying good luck. The M3 isn't immune either, just that it has a special bit that developers can use to disable DMP. The alternative is to run cryptographic processes on the efficiency cores since they also don't have a DMP. Whatever the case is, the Apple Silicon will lose performance from this.

I don't believe most people will have a problem with security from this, but most people are probably looking at cat videos. You probably don't want to use these machines with sensitive data if nobody is going to do anything about this. Apple hasn't acknowledged it yet, and you're basically dependent on who wrote the application to implement one of the three methods they describe to avoid this vulnerability. With Windows and Linux you got mitigations very quickly.
MacOS shares decrease, but iOS shares increase.
For many Apple users, the current iteration of the iPad is more than capable of meeting their needs, more so than the "cheaper" MacBooks, so they can either spend $1000 on a base MacBook, or they can spend $600 on an iPad with a keyboard case and get the same level of functionality that they require, Microsoft Office, Google Suite, Adobe Photoshop and more all running happily there. The gaming for what it's worth is doing better on iOS than it is on MacBook for the most part as well.
If you are an Apple user there are strong cases for their more powerful MacBooks depending on specific needs and use cases, but for the average user who just needs the basics then an iPad will do just as well while being cheaper, easier to port around, and easier to support and troubleshoot.

But yes the ARM v7 through v9 all currently have some moderately annoying issues that need attention in the form of microcode, firmware, or heavy-handed software updates to mitigate, how serious they are in the real world is uncertain because most of them are a PITA to exploit in the wild without getting physical access or having compromised software already installed.
At least in this case unlike many others there are software methods that developers can use to work around the issues so they aren't completely dependent on Apple issuing an update, which I am sure they will but Apple needs to be careful because if the update hurts performance, and they put out their new chips without the security flaw without the performance impacting mitigations in place you know the only thing that will result in is a lawsuit saying they intentionally tanked the performance in that update to sell their new device.
 
Should be noted this side channel attack vector is present on all ARMv8 chips.

Putting Apple in the title just generates more clicks.
It isn't though, it turns out it is how Apple implemented their DMP. Some Intel Core chips have it, but it is mitigated via other methods, so this is specific to Apple M silicon currently.
 
I do not remember if it worked, but that is something that they tried to do with Whole Foods in the past. Walmart was by far the biggest seller of organic-bio food in the USA followed by the other big chains, so to block a Whole Foods acquisition (Wild Oats Markets Inc), they needed to invent a new premium organic food store category for it to be considered a big player in some segment of the market: "premium natural and organic supermarkets" ("PNOS").

And they even tried to block them from accessing the market sales of organic food to build their case:
https://www.denverpost.com/2007/06/22/ftc-opposes-whole-foods-bid-to-see-information/

I think the FTC strategy did work:
https://en.wikipedia.org/wiki/Wild_Oats_Markets#Proposed_sale_to_Whole_Foods_Market
Yeah but in this case I think their goal is to get Apple to settle with a no-fault and pay a fine so they can claim a win and walk away.

The FTC one worked because they found emails proving they intended to raise prices after the merger.

In this case, with Apple, the DoJ has millions of documents, case studies, and past precedents that show Apple is competitive in its pricing and is actively working with regulators to improve things.

They are going to try, but I seriously lack the DoJ's abilities to do anything other than temporarily affect Apple's stock prices.
 
I do not remember if it worked, but that is something that they tried to do with Whole Foods in the past. Walmart was by far the biggest seller of organic-bio food in the USA followed by the other big chains, so to block a Whole Foods acquisition (Wild Oats Markets Inc), they needed to invent a new premium organic food store category for it to be considered a big player in some segment of the market: "premium natural and organic supermarkets" ("PNOS").

My understanding of the Sherman Act (full disclosure, I am not a lawyer, business law or otherwise, but I did study the topic briefly in my master's program) is that while market share can be a strong argument in favor of anti-trust action, the fact that a company has dominating market share doesn't in and of itself mean that a law has been broken with respect to competition law. And the opposite is also true. A corporation's actions may violate competition law even if the company is not in a dominating market position, if they attempt to manipulate the market in such a way as to harm that market, or customers for their own benefit. That said, actions like these are usually only taken if the DOJ thinks a corporation has significant enough market dominance that they can defend it in the court of public opinion.


Furthermore, while the law goes into detail on the formulas used to determine market share, it does not define markets or market segments. These have always been subjective things. Is Ford a part of the vehicle market or a part of the light truck segment of that market? I would argue both, and if they are harming either, they may be liable under the law. Individual markets are simply not formally defined things. It is up to the DOJ now to draw the lines as to what constitutes the market that is being harmed, and they have a lot of leeway there. Heck, corporate marketing departments make this shit up all the time, and try to find niches they can dominate to try to control the markets they operate in too much. That is always problematic, and IMHO, anti-trust law should be wielded A LOT more than we normally do in this country.

As for Apple one could zoom in and talk about the market for high end phones. One could talk about smartphones overall. Or one could zoom out and talk about all cell-phones, all telecommunication or even all electronics.

The moral of the story is that there is a lot of subjectivity here. I would argue - and it would seem the DOJ would too in this case - that if Apple distorts and wields disproportionate power and takes advantage of that power in ways that harm other competitors and their customers in any market segment, then they are in violation of the law. Of course you could go down the rabbit hole and overly define the market (cell phones of a small size range or weight range, etc. etc.) and that would be stupid and would likely be thrown out instantly by a judge, but that is not what is going on here. High end phones is definitely a real market, even if you are not used to think of them that way.
 
It was a United States market only phenomenon in that way to count it, it seems, and so sudden, from 33-25% in a month, considering what percentage of American desktops would be old and the giant momentum... makes it look like they could use some browser data and something changed... For Windows to go from 55% of the market to 63% in a single month, you need to sell how many new devices to non-already-Windows users....

I really doubt it's because M1 owners don't need to upgrade.
We can wonder that like iPad and more and more for iPhone, how much it would be true, what percentage of Apple userbase does an M1 not ridiculously overpowered and will be for years for what they do...

If not for games, how many people's Windows systems will be in the don't-need-to-upgrade category if they have an old 8700K, nice SSD, 32 GB of RAM machine? They have something like a 12600 with excellent specialized hardware acceleration for what they do attach.... Lucky that RAM/hard drive extensions are not easy to buy, because that could very well be the case.
 
It isn't though, it turns out it is how Apple implemented their DMP. Some Intel Core chips have it, but it is mitigated via other methods, so this is specific to Apple M silicon currently.
This variant of it yes, but the rest of the ARM silicon was found to have the same issue back in late 2022 or early 2023 and they fell like flies, Apple was excluded from those because they had their own solution to do the same job but as it ultimately does the same job it was bound to be breached.
So yes this method is uniquely Apple, but the same fundamental flaw exists across the entirety of the ARM platform.
 
They should just install more ram...

I don't know about that. Apple has apparently lost 5% MacOS market share world wide. Add the 34% decline year over year, and Apple has some serious problems.


Worldwide is not very relevant. The DOJ does not have worldwide jurisdiction, and also does not have the charter to protect people in the entire world. Their job is to defend U.S. citizens, and from that perspective it is their position on and actions in the U.S. market (and only the U.S. market) that are relevant. Let the EU sue Apple or Google in Europe if they think they have a problem over there, in which case it would be their market share and actions inside the EU which would be relevant.
 
That's a very odd statement when we had years of reports that Intel and AMD chips were vulnerable to an unpatchable memory exploit.

The reality is that it's very difficult to design a chip that's completely immune to attacks. It also sounds like M3 and later chips won't face as much of a threat.
Different threat, but ultimately the same flaw exists, it will just take them another 6-8 months before they break that one too.
Not uniquely an Apple issue, very few devices out there will remain unbreakable to an exploit that requires physical access or rooted software to accomplish.
 
Is it not 60% in the USA ?
https://gs.statcounter.com/os-market-share/mobile/united-states-of-america

I do not imagine the DoJ would care about the rest of the world much.
60% is still not enough to be a legal Monopoly, in the US you need to be larger than 70% of the market to qualify, which is why the DoJ has invented this Premium phone category to rule out many of the Android devices on the market, using some pretty arbitrary cosmetic distinctions to determine what is or isn't a "premium" device.
Based on the DoJ classification an iPhone 6 from 2014 would still be considered premium but a Samsung Galaxy from 2020 would not be because it was made with plastic and not metal and glass.
 
The DOJ started this lawsuit back in 2018 and half of what is in the complaint is either factually incorrect or no longer relevant as it was patched in or out over the last 6 years.
I think that's something that often shows the issue with their big tech obsession: by the time it takes, often the space has changed a lot, proving the absence of a stagnant monopoly (say TikTok in social media, Uber-Amazon in digital ads, etc...), but here on the major points it seems to have been relatively constant.
 
I think that's something that often shows the issue with their big tech obsession: by the time it takes, often the space has changed a lot, proving the absence of a stagnant monopoly (say TikTok in social media, Uber-Amazon in digital ads, etc...), but here on the major points it seems to have been relatively constant.
Consistent but sadly subjective.
DoJ Stance on the Apple stores.
DoJ: You can't do your store that way you have to do it like this.
Apple: But that way introduces the following security and stability issues which our users chose us to avoid.
DoJ: Well find a way to operate your store like this, but also solve those problems.
Apple: Google and Android have been trying for the better part of 15 years and have not succeeded yet, what makes you think we can in 6 months?

DoJ stance on Apple payment policies (which to be fair suck)
DoJ: Your store costs too much for developers
Apple: Here is an itemized breakdown of our operation and services as well as their costs to operate, furthermore here are numerous examples of places where we have done as you have asked and this is the result, it doesn't end how you claim it does.
DoJ: Well find a way to cut costs then.
Apple: You honestly think we don't continually look for ways to cut costs?

DoJ Stance on iMessage and the Green Bubble Controversy
DoJ: Make SMS messages Blue!
Apple: update the SMS standards so that they support encryption using something other than point-to-point via E.164 addresses.
DoJ: No Google did it you can too
Apple: Google does it by routing all the messages through their privately owned server where they generate the encryption and handle delivery while simultaneously parsing the messages for keywords they can profile for their advertising engines. Our users do not want that, and it goes against our shareholder mission statements.
DoJ:.... OK use RCS then!
Apple: OK update RCS to do encryption via something other than point-to-point via E.164 addresses, and decouple it from the Business Messaging service platform
DoJ: No Google does it you can too!
Apple: Google does it by again routing all the messages through their privately owned servers where they again parse it for keywords before encrypting and delivering the messages just as they do for SMS. Again our users don't want that and if we do our shareholders will sue us.
DoJ: Fine F-U then, you make a global standard then and make it available for everybody to use for free while outlining the security protocols and security methods.
Apple: That's not our F'ing job!

So the DoJ has a very consistent stance, it is just a terrible one.
They are trying to legislate Apple into solving their problems so they don't have to while simultaneously claiming a win.
The government needs to take action and implement some policies at a top level to address these and other problems, but they are inept, corrupt, and ultimately useless so they can't, and won't.

Should the mobile platform market be more open? yes, is Apple extraordinarily closed? also yes, are they being extremely protective of their market? of course. Is any of it illegal? case after case in the US and around the world says no, and in instances where they have wanted things to happen differently, those governments and institutions have had to put forward either new standards or implement nationwide infrastructure to support the changes. Such as Europe working with Apple and Google to update and replace the base RCS protocols, or much of Asia working to support 3rd party payment platforms and wallet services.
 
MacOS shares decrease, but iOS shares increase.
According to this it's been in decline. In the US they maintain a 40% average market share. But recently, iOS has lost market share in the past 4 months. At least according to statcounter. It may not matter as much since it seems that iOS goes down and up quite frequently.
For many Apple users, the current iteration of the iPad is more than capable of meeting their needs, more so than the "cheaper" MacBooks, so they can either spend $1000 on a base MacBook, or they can spend $600 on an iPad with a keyboard case and get the same level of functionality that they require, Microsoft Office, Google Suite, Adobe Photoshop and more all running happily there. The gaming for what it's worth is doing better on iOS than it is on MacBook for the most part as well.
If you are an Apple user there are strong cases for their more powerful MacBooks depending on specific needs and use cases, but for the average user who just needs the basics then an iPad will do just as well while being cheaper, easier to port around, and easier to support and troubleshoot.
I believe the devices just break and people move on. To lose 5% is like losing 1/4 of your market share. It's so bad that you can say that Linux is 1/4 of MacOS's market share. Repairing the SSDs is no easy task. Gotta find the chips needed to work, which usually means salvaging from another MacBook or buying a nearly $600 1TB SSD kit meant for a Mac Pro and carefully removing them. You can't just insert them either, but you have to format them with a special tool because the MacBook won't do it. For that much money you might as well buy another computer. As for the iPad theory, I know there's a lot of people who are asking for MacOS on iPads with M2's because you can't really utilize them with iOS.

View: https://youtu.be/yR7m4aUxHcM?si=T-mJMQjHEZsU5dNe
But yes the ARM v7 through v9 all currently have some moderately annoying issues that need attention in the form of microcode, firmware, or heavy-handed software updates to mitigate, how serious they are in the real world is uncertain because most of them are a PITA to exploit in the wild without getting physical access or having compromised software already installed.
At least in this case unlike many others there are software methods that developers can use to work around the issues so they aren't completely dependent on Apple issuing an update, which I am sure they will but Apple needs to be careful because if the update hurts performance, and they put out their new chips without the security flaw without the performance impacting mitigations in place you know the only thing that will result in is a lawsuit saying they intentionally tanked the performance in that update to sell their new device.
As a person who just uses their computers for shits and giggles, I turn off those mitigations. I paid for that 1% performance. I also don't see anything using these vulnerabilities. If I worked for a major corporation and had sensitive data on my laptop, I would probably be fired if they knew my laptop had vulnerabilities.
 
Ha ha. I bet they wish they would've just stuck with Intel procs now instead of trying to force the world to abandon x86
After the 80+ hardware exploits like Meltdown, Spectre, Foreshadow, etc. etc. etc., that were nearly all Intel-specific since January 2018, I highly doubt that.

But yes the ARM v7 through v9 all currently have some moderately annoying issues that need attention in the form of microcode, firmware, or heavy-handed software updates to mitigate.
Exactly this, which is what the patch will most likely be.
This is Apple ARM's one exploit to Intel's x86/x86-64 80+ exploits.

At least AMD did things right with their CPU protection rings, permissions, and memory checks going back to the 1990s - all of which Intel did not start doing until their Core i 8th-gen CPUs.
 
K so use Safari with MacOS
Or Brave, which I can have a million tabs open without any issues.

After the 80+ hardware exploits like Meltdown, Spectre, Foreshadow, etc. etc. etc., that were all Intel-specific, I highly doubt that.
Some people in here have selective memory.

Consistent but sadly subjective.
DoJ Stance on the Apple stores.
DoJ: You can't do your store that way you have to do it like this.
Apple: But that way introduces the following security and stability issues which our users chose us to avoid.
DoJ: Well find a way to operate your store like this, but also solve those problems.
Apple: Google and Android have been trying for the better part of 15 years and have not succeeded yet, what makes you think we can in 6 months?

DoJ stance on Apple payment policies (which to be fair suck)
DoJ: Your store costs too much for developers
Apple: Here is an itemized breakdown of our operation and services as well as their costs to operate, furthermore here are numerous examples of places where we have done as you have asked and this is the result, it doesn't end how you claim it does.
DoJ: Well find a way to cut costs then.
Apple: You honestly think we don't continually look for ways to cut costs?

DoJ Stance on iMessage and the Green Bubble Controversy
DoJ: Make SMS messages Blue!
Apple: update the SMS standards so that they support encryption using something other than point-to-point via E.164 addresses.
DoJ: No Google did it you can too
Apple: Google does it by routing all the messages through their privately owned server where they generate the encryption and handle delivery while simultaneously parsing the messages for keywords they can profile for their advertising engines. Our users do not want that, and it goes against our shareholder mission statements.
DoJ:.... OK use RCS then!
Apple: OK update RCS to do encryption via something other than point-to-point via E.164 addresses, and decouple it from the Business Messaging service platform
DoJ: No Google does it you can too!
Apple: Google does it by again routing all the messages through their privately owned servers where they again parse it for keywords before encrypting and delivering the messages just as they do for SMS. Again our users don't want that and if we do our shareholders will sue us.
DoJ: Fine F-U then, you make a global standard then and make it available for everybody to use for free while outlining the security protocols and security methods.
Apple: That's not our F'ing job!

So the DoJ has a very consistent stance, it is just a terrible one.
They are trying to legislate Apple into solving their problems so they don't have to while simultaneously claiming a win.
The government needs to take action and implement some policies at a top level to address these and other problems, but they are inept, corrupt, and ultimately useless so they can't, and won't.

Should the mobile platform market be more open? yes, is Apple extraordinarily closed? also yes, are they being extremely protective of their market? of course. Is any of it illegal? case after case in the US and around the world says no, and in instances where they have wanted things to happen differently, those governments and institutions have had to put forward either new standards or implement nationwide infrastructure to support the changes. Such as Europe working with Apple and Google to update and replace the base RCS protocols, or much of Asia working to support 3rd party payment platforms and wallet services.
The DOJ is mostly run by decrepit morons that barely know how to use technology.
 
At least AMD did things right with their CPU protection rings, permissions, and memory checks going back to the 1990s - all of which Intel did not start doing until their Core i 8th-gen CPUs.
Another reason why I will keep using AMD CPUs forever.
 