this post was submitted on 09 Aug 2023
290 points (98.0% liked)


The NightOwl application has existed since 2018 and is used to automatically switch between light/dark modes on the operating system. It is an alternative to the built-in macOS automatic mode, which only switches when the user steps away from the computer.

However, the application was bought out in late 2022 by “TPE.FYI LLC”, which forcibly joins your devices into a botnet for use in market research, without your knowledge (other than the TOS in small text on the download page) or express consent (this feature cannot be turned off, even when the app is quit). This is documented in their terms of service.

top 33 comments
[–] [email protected] 65 points 1 year ago (3 children)

This is extremely shady. How do I know if other apps I have are making me part of a botnet?

[–] [email protected] 23 points 1 year ago (3 children)

Use free and open source software

[–] [email protected] 39 points 1 year ago (2 children)

Something being open source doesn't automatically make it safe to use. Sure, it means it's easier for people to check for security issues, but how many people actually have the knowledge and the time to do it? And even then, take the log4j vulnerability from a while ago, it's been present in the code since 2013 and only reported in like 2021.

[–] [email protected] 5 points 1 year ago

Common sense still prevails. Don't install obviously shady freeware. Something like GIMP or Blender or Ubuntu or FreeCAD or ProjectLibre is going to be safe. Large community = most likely safe.

[–] [email protected] 2 points 1 year ago (1 children)

FOSS isn't generally vulnerable to the "buyout" vulnerability. It's not new that a valuable browser extension is bought out and repurposed, but FOSS is less likely to fall to these bugs. (also fuck WEI. You'll get more of this with WEI)

[–] [email protected] 4 points 1 year ago

FOSS isn't generally vulnerable to the "buyout" vulnerability.

Oracle has entered the chat.

[–] [email protected] 5 points 1 year ago

You still need to build, package and install it yourself though, or else you are trusting someone else. Open source software has been used as a vector for attacks before by bad actors getting access to the build system or source code.

[–] [email protected] 2 points 1 year ago

I try to where I can, but unfortunately this is not always an option for me.

[–] [email protected] 8 points 1 year ago (4 children)

You need to examine your device's packets and see what servers they're going to. You can do that through Wireshark on Windows, or use an external sniffer to examine them.

I'm not aware of any native apps for Mac that can do that, but maybe others will know.
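For the narrower question of which processes are talking to which servers, a point-in-time snapshot from `lsof -i -n -P` (which ships with macOS) can be grouped per process. The following is an added example, not part of the original comment; the sample output, the process name `ExampleHelper` and the addresses are constructed, and the `unexpected` allowlist helper is hypothetical.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `lsof -i -n -P` output (not captured from a real machine).
SAMPLE = """\
COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari        612  alice  45u  IPv4 0xa1      0t0  TCP 192.168.1.20:52344->198.51.100.7:443 (ESTABLISHED)
Safari        612  alice  46u  IPv4 0xa2      0t0  TCP 192.168.1.20:52345->198.51.100.7:443 (ESTABLISHED)
ExampleHelper 911  alice  12u  IPv4 0xb1      0t0  TCP 192.168.1.20:52400->203.0.113.50:8443 (ESTABLISHED)
ExampleHelper 911  alice  13u  IPv6 0xb2      0t0  TCP [2001:db8::20]:52401->[2001:db8:ffff::1]:443 (ESTABLISHED)
rapportd      380  alice   4u  IPv4 0xc1      0t0  TCP *:49152 (LISTEN)
mDNSResponder 201  _mdns   7u  IPv4 0xd1      0t0  UDP *:5353
"""

def remote_endpoints(lsof_text):
    """Map (command, pid) -> sorted list of (remote_host, remote_port)."""
    conns = defaultdict(set)
    for line in lsof_text.splitlines()[1:]:         # skip the header row
        parts = line.split()
        if len(parts) < 9 or "->" not in parts[8]:
            continue                                 # listeners and unconnected sockets
        remote = parts[8].split("->", 1)[1]
        host, _, port = remote.rpartition(":")       # rpartition keeps IPv6 colons in host
        conns[(parts[0], int(parts[1]))].add((host.strip("[]"), int(port)))
    return {key: sorted(peers) for key, peers in conns.items()}

def unexpected(conns, expected_commands):
    """Commands with outbound connections that are not on the user's own allowlist."""
    return sorted({cmd for (cmd, _pid) in conns if cmd not in expected_commands})

def live_snapshot():
    """Run lsof locally; -n and -P disable DNS and port-name lookups."""
    out = subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True, text=True)
    return remote_endpoints(out.stdout)

if __name__ == "__main__":
    table = remote_endpoints(SAMPLE)
    for (cmd, pid), peers in table.items():
        print(cmd, pid, peers)
    print("review:", unexpected(table, {"Safari"}))
```

Without root, `lsof` only reports sockets of processes owned by the current user, and a snapshot misses short-lived connections, so this complements rather than replaces a packet capture or a per-connection monitor.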

[–] [email protected] 11 points 1 year ago (2 children)
[–] [email protected] 8 points 1 year ago

Didn't know they maintained Mac packages as well, that's great.

[–] [email protected] 1 points 1 year ago

And Little Snitch and TripMode, and various other apps and *nix command line tools lol

[–] [email protected] 8 points 1 year ago (1 children)

If you're just interested in connections (and don't care about packet inspection) you can use Little Snitch (paid) or LuLu (FOSS).

Actually, all the Objective-See Foundation security tools are great and target specific classes of vulnerabilities, like LuLu for outgoing network connections, RansomWhere for detecting ransomware by looking for encryption events, Oversight that monitors your cameras and microphones, and a bunch of other really small, but really useful security utilities. Better than running a shady antivirus that's going to suck up loads of resources and rely on signatures.

[–] [email protected] 3 points 1 year ago

+1 for Objective-See

[–] [email protected] 6 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago (1 children)

When I’m using VPN, my pihole can’t see the traffic, and won’t be able to block any ads or analyze the traffic. Also, some browsers use their own DNS, so the pihole can’t block that traffic either.

Other than that, the pihole is a great tool to figure out what’s going on in your network. That’s how I found out that an Android phone is super noisy in my network. Then I installed LineageOS+gapps, and it got better. It was still a bit noisy, so I reinstalled LineageOS, but this time without gapps and no play store. It finally got to the level I like, but unfortunately the world around me wasn’t compatible with this phone any more. :( But anyway thanks to pihole, I was able to figure out what kind of changes I need to make so that I’ll get the level of privacy I’m happy with.

[–] [email protected] 2 points 1 year ago (1 children)

Are you using the VPN locally on your device or router level?

[–] [email protected] 1 points 1 year ago

On the device level at this point. AFAIK, my VPN isn’t designed to work on a router level.

Anyway, it makes sense that once you encrypt the traffic, the pihole won’t be able to see what’s going on.

[–] [email protected] 5 points 1 year ago

Wireshark is available on Intel and ARM Macs.

[–] [email protected] 5 points 1 year ago

Vigilance. Resource monitoring and network traffic monitoring. The occasional scan with anti malware tools to catch known bad actors.

I use Malwarebytes when someone needs a scan, though they got naggy enough that I uninstalled it right after using it for my grandfather. Other monitoring IDK. LittleSnitch is popular on Mac but I have no personal experience with it.

[–] [email protected] 34 points 1 year ago (1 children)

Disclaimer: not an Apple user, not a lawyer

This should be illegal by European law. Without further knowledge it seems like a prime example for the GDPR letter of death and a pretty solid case for data protection lawyers.

[–] [email protected] 11 points 1 year ago (1 children)

Unannounced changes to the Terms of Service are definitely illegal.

[–] [email protected] 8 points 1 year ago (1 children)

But various forms of backstabbing are legal as long as you let your users know that the TOS have changed. I mean, who reads that stuff anyway. You can literally throw in there whatever you like and people will just click “I agree” regardless.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

This is right. In the modern day, people likely receive dozens of emails each year informing them of changes to some terms of service or another. When most can't be bothered to read those updates for absolutely crucial applications, how many would be expected to read an update for a small-time utility app that they might even forget they had?

[–] [email protected] 2 points 1 year ago

I get those from my bank, insurance company and some other places too. I trust that their brand isn’t disposable, so they probably aren’t going to do anything too sneaky.

However, some random app from a random developer you never heard of is a different story. All of that is 100% disposable, so reputation is meaningless to a scam operation like that. Once they get your money, the company suddenly goes bankrupt and the developers disappear forever.

[–] [email protected] 31 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago

When did this message appear?

[–] [email protected] 9 points 1 year ago

Should be illegal

[–] [email protected] 6 points 1 year ago

Light and dark mode can be set to turn on automatically at a given time or can be set via sunset/sunrise. Not sure where you got people need to step away from their devices to enable.

[–] [email protected] 3 points 1 year ago (1 children)

Jeez. I've been using it since 2018 and it is one of my favorite applications. Maybe downloading an older functional version would mitigate this?

[–] [email protected] 1 points 1 year ago (2 children)

I don't use a Mac but can't you just block the app from accessing the internet in your firewall? MacOS has a firewall, right?

[–] [email protected] 4 points 1 year ago

The macOS firewall can only block incoming connections. If you want to block outgoing too you need something like LittleSnitch or LuLu.

[–] [email protected] 2 points 1 year ago

It does. Didn't think of that actually.