Q: Unsigned (Legacy) Extensions in El Capitan?
-
Oct 15, 2015 11:14 AMby R C-R,In your opinion, do you think it's a better practice to keep SIP enabled until I need to do a recording session, then disable it, re-enabling when I've finished recording?
Personally, I would not disable SIP to begin with, even for something like that. The fact that the driver you found (where?) hangs the device's system preference suggests there is something about it that is not fully compatible with El Capitan, so if for no other reason than to protect your system files from potential damage I would keep SIP enabled. (SIP doesn't care if it is malware, intentional user changes, or whatever that would try to alter protected files or memory -- not even root can do that with SIP enabled.)
What I would do is remove the 1.10.5 software by whatever means necessary & try installing the 1.10.3 version -- if it will install, you can try the System Information thing I mentioned earlier to see if it is signed. If not, you should be able to trash & then delete it manually from wherever System Info indicates it is located, even if it is in a protected folder, as long as you authenticate as an admin user. (At least I have been able to do that for items marked as "Unknown" or "Unsigned" that don't load at startup time.)
-
Oct 19, 2015 3:41 AMby Yidoman,So previously my Firewire-410 had quit on me after upgrading my system to El Capitan. The blue light kept blinking.
For whatever it is worth, I disabled SIP and got my Firewire-410 working. Solid blue light, recording, playback and everything else seemed just fine. M-Audio control panel, however, was still not working, which I disregarded.
BUT, today I started up my iMac (late 2011) the 410 is just not working, not even a blue light.
Just wanted to share with y'all.
-Y
-
Oct 19, 2015 8:24 AMby R C-R,Yidoman wrote:
For whatever it is worth, I disabled SIP and got my Firewire-410 working.
As I mentioned, for several reasons I personally think it is not a good idea to disable SIP. If it was me & I really needed to use the Firewire 410, what I would do instead is create a separate boot volume with Yosemite (or whatever other older OS that met my needs) on it, & boot into that whenever I needed to do anything with the 410.
Because the older OS X versions are not as secure as El Capitan, if at all practical I would disable all Internet access on that system.
But that is just me.
-
Oct 19, 2015 8:58 AMby roncarfl,Thanks, R C-R. Your abundance of caution is understood and appreciated. I had not considered the alternate boot volume to an older OS, so thank you for reminding me of that option. I think I have a Mavericks bootable volume somewhere on a mobile external drive.
Maybe I'm naive to new threats to system integrity. With 35 years experience of personal computing and software development without ever having a system integrity issue, I wonder why the concern is at a level that Apple would resort to such a sweeping change. Is it because there are a lot of less experienced users out there that take too much for granted and Apple is trying to protect them? I can assure you I came along during a time where nothing in computing was taken for granted and because of that, I have adopted best practices that have probably kept me out of harm's way.
-
Oct 19, 2015 9:54 AMby R C-R,roncarfl wrote:
... I wonder why the concern is at a level that Apple would resort to such a sweeping change.
I think it is mostly in response to the ever increasing sophistication & seriousness of malware attacks. Once, we mostly just had to worry about hacker hobbyists that tried to break into systems for the challenge of seeing if they could do it, & later mostly about script kiddies who didn't pose much of a threat.
But now, we also have to consider well funded criminal organizations & government-sponsored hackers (including our own) looking for anything they can exploit. Unlike the hobbyists & script kiddies, they focus on "stealthy" attacks we are unlikely to notice, & have the resources to probe the OS itself for weaknesses. There is no denying they exist -- all you have to do is look at the long list of vulnerabilities that Apple has patched at Apple security updates - Apple Support. There is no reason to think that as the OS continues to get ever more complex only the white hats will find everything a remote attack can do before the black hats will -- including at least a few things "best practices" won't protect us from.
Of course, SIP can't protect us from everything -- in fact, by itself it offers very little that will protect user domain files -- but I am a firm believer in the value of the layered defense security strategy. SIP adds a new layer that if nothing else makes the damage privilege escalation attacks can do much less severe. That is reason enough for me to avoid disabling it whenever possible.
As always, YMMV. -
Dec 25, 2015 2:29 PMby dorjepismo,Disabling Integrity Protection does not cause Capitan to load unsigned drivers. The bottom line is that Apple decided that fear of hackers was sufficient to arbitrarily transform thousands, millions, whatever of users' investment in hardware into bricks. That's really an incredibly ****** thing to do to people.
