Prepare your Mac for service or repair
Over the last few years the way that Apple and its authorised service providers handle your Mac has changed. When you take or send in your Mac for repair or service, they no longer start it up the way that you would, so they don’t need to log into it as you do. This is why there are hidden FieldService folders or volumes in /System/Volumes: they are used during its service. In the past, technicians often needed access to your user account, and you may have been asked to provide your password; now it’s the exact opposite.
Back up
The first and most essential step in preparing your Mac to go away, even for a brief battery replacement, is to ensure that you’ve got at least one full and complete backup on storage that will remain with you. If you use Time Machine, its backups should do fine, but you should check that they don’t exclude folders or volumes that you can’t readily restore. Open Time Machine settings and click on the Options… button to ensure that no significant data are excluded from your Mac’s final backup.
Some repairs will inevitably lead to all your documents and files being wiped. Any that requires the main logic board to be replaced is almost certain to do that, but so can other procedures that you wouldn’t expect to be as radical in effect. Technicians generally work on the assumption that you have already taken care of your own files, so if they do need to erase or replace internal storage, don’t be caught out and lose all your data.
Enable FileVault
Once you’ve backed your Mac up, if FileVault isn’t enabled, turn it on, if your Mac can cope with that. Intel Macs with a T2 chip and Apple silicon Macs don’t have to encrypt the contents of their internal storage when you do that, as their Data volume is always fully encrypted anyway. All they do is use your password to protect the encryption key that’s already being used to encrypt your data. That’s more than sufficient to prevent anyone who doesn’t know your password from gaining access to anything on your Mac’s Data volume. Although it’s most unlikely that any technician would try to abuse that access, FileVault ensures they can’t.
For Intel Macs without a T2 chip, enabling FileVault does require the entire contents of the Data volume to be encrypted, which can take many hours or even days. If you have sufficient advance notice, it’s still worth considering.
If your Mac has a T2 or Apple silicon chip and is going to have its internal storage, or its main logic board, replaced, then you can safely assume that you’ll be restoring it from your backup when that Mac has been repaired. For an extra touch of security, immediately before parting with it you can use the Erase All Content and Settings (EACAS) feature in System Settings > General > Transfer or Reset. That will destroy the encryption keys to its Data volume and ensure that no one will ever be able to access its contents.
Firmware password, Find My Mac
There are a couple of things that you need to do to help the technician:
- If it’s an Intel Mac and you have enabled the Firmware Password feature in Recovery Mode, disable that, or no one will be able to do anything with your Mac.
- If it has a T2 or Apple silicon chip, disable Activation Lock by turning off Find My Mac. This control is buried away in Apple Account in System Settings: click on iCloud, then in the Saved to iCloud section near the top, click on the See All button. The Find My Mac control is about seventh from the top in that list. If you can’t find it, you should be able to remove that Mac from iCloud online in iCloud.com, but that’s more draconian in effect.
Final preparations
If you’re sending your Mac in, you’ll probably receive detailed instructions as to how to prepare and package it. If you’re taking it in, then technicians normally appreciate it if you bring its power cable. Once it’s ready and shut down, give it a quick clean. That’s important if it’s being repaired under AppleCare+, when signs of neglect or abuse might count against you. Macs that have been used in smoky areas usually accumulate tar deposits that should be carefully removed from around their ports. In more serious cases a deep clean may be needed: a technician told me of an iMac that had been the perch for its owner’s parrot, and had become heavily soiled by the bird’s droppings.
When you’re taking your Mac in, remember to take evidence of its purchase in case that’s needed, and a written record of your user name and password, in case you’re asked to start it up. There’s nothing worse than struggling to remember them when under pressure.
These apply to Macs to be serviced or repaired by Apple technicians, or those of Apple Authorised Service Providers. If your Mac is being maintained by an independent repair shop, then they may have different requirements, so ask them what they need you to do.
Summary
- Back it up fully, as if the internal storage is going to be wiped or replaced.
- Enable FileVault, if feasible.
- Disable any firmware password.
- Turn Find My Mac off.
- Clean it.
- Remember any receipt or other documents, and its power cable.
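The checklist above can be run against a Mac before it leaves your hands. The following script is an added example, not from the original article: its parsers take the output of the real macOS commands `fdesetup status`, `tmutil latestbackup`, `tmutil isexcluded` and `firmwarepasswd -check` (the last needs root and exists only on Intel Macs) as strings, so the logic runs anywhere, while the live report at the end runs only on macOS when invoked with `--live`. Find My Mac has no reliable command-line check, so it stays a manual step in the report.

```shell
#!/bin/sh
# Pre-service readiness check (added example, not from the original article).
# Each parser takes the output of a real macOS command as a string so it can be
# exercised offline; live_report runs the commands only on macOS with --live.

# "FileVault is On." / "FileVault is Off." -> on / off / unknown
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# tmutil latestbackup prints a path ending in YYYY-MM-DD-hhmmss[.backup];
# succeed when that date is on or after the cutoff date ($2, YYYY-MM-DD).
backup_is_recent() {
  stamp=$(basename "$1" | cut -c1-10)
  awk -v s="$stamp" -v c="$2" 'BEGIN { exit !(s >= c) }'
}

# tmutil isexcluded prints "[Excluded] /path" or "[Included] /path".
tm_excluded() {
  case "$1" in
    "[Excluded]"*) return 0 ;;
    *)             return 1 ;;
  esac
}

# firmwarepasswd -check prints "Password Enabled: Yes" or "Password Enabled: No".
fwpw_enabled() {
  case "$1" in
    *"Password Enabled: Yes"*) return 0 ;;
    *)                         return 1 ;;
  esac
}

live_report() {
  today=$(date +%Y-%m-%d)
  echo "FileVault:         $(filevault_state "$(fdesetup status 2>/dev/null)")"

  latest=$(tmutil latestbackup 2>/dev/null || true)
  if [ -z "$latest" ]; then
    echo "Time Machine:      NO backup found - back up before handing over the Mac"
  elif backup_is_recent "$latest" "$today"; then
    echo "Time Machine:      backup made today ($latest)"
  else
    echo "Time Machine:      latest backup is older than today ($latest)"
  fi

  # Folders you would not want to lose if the Data volume is wiped.
  for d in "$HOME/Documents" "$HOME/Desktop" "$HOME/Library"; do
    if tm_excluded "$(tmutil isexcluded "$d" 2>/dev/null)"; then
      echo "Excluded:          $d is EXCLUDED from Time Machine"
    fi
  done

  # Firmware password applies to Intel Macs only and needs root to query.
  if [ "$(uname -m)" = x86_64 ] && [ "$(id -u)" = 0 ]; then
    if fwpw_enabled "$(firmwarepasswd -check 2>/dev/null)"; then
      echo "Firmware password: ENABLED - disable it in Recovery before service"
    else
      echo "Firmware password: off"
    fi
  fi
  echo "Find My Mac:       no command-line check; turn it off in System Settings"
}

if [ "$(uname)" = Darwin ] && [ "${1:-}" = "--live" ]; then
  live_report
fi
```

Run it as `sudo sh prep-check.sh --live` on an Intel Mac to include the firmware password check; on Apple silicon that section is skipped, since the relevant control there is Activation Lock via Find My Mac.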
XProtect ascendant: macOS security in 2024
As the threat landscape and strategies change, different parts of macOS security have been more actively developed. When Java and Flash vulnerabilities were dominant, XProtect’s metadata became vital for blocking older unpatched versions. Then in 2020, Apple grew XProtect’s Yara signatures to detect more malicious software, in 27 updates released that year. That campaign had finished by 2023, when it was only updated once each month, and all eyes were on the youthful XProtect Remediator maturing rapidly in its 18 updates. This article outlines what changed in macOS security protection during 2024, and how Apple has shifted emphasis back to XProtect, together with the importance of CDHashes and notarization.
XProtect
This has definitely been the year of XProtect, which performs on-demand checks of code that’s about to be launched, using a set of Yara rules to detect known malware. Our Macs started 2024 with version 2177, and after a record total of 29 updates for all macOS and a sudden change in version numbering, by the year’s end that has reached 5284. Even more impressive is the growth of XProtect’s Yara detection rules: at the start of 2024 there were about 195 rules taking 167 KB of text; as we pass into 2025, there are now about 328 rules in 921 KB of text. That’s 170% of the number of rules, and over five times the size.
macOS Sequoia has also brought the most substantial change to XProtect itself, in the introduction of a new medium for delivery of updates to its data, suggesting that XProtect is being forked. When macOS 15.0 was first released, XProtect could receive updates via either the old mechanism of Software Update, or through a new connection to iCloud using CloudKit. After a transition period, updates switched to iCloud only with effect from macOS 15.2.
Apple released two test updates for Sequoia only during September, one of which brought a huge increase in Yara rules in a file of 1.2 MB in size. This suggests that Sequoia’s XProtect is likely to see more frequent and larger updates now that this new mechanism has been tried and tested. How that will run alongside updates for older macOS has yet to be demonstrated, and none of this has been documented by Apple.
XProtect Remediator
This runs daily or more frequent background scans looking for the presence of malicious software and remediating it whenever it can. Although most of its scans are brief, those for Adload can now take several seconds or longer. Our Macs started the year with version 122 containing 22 scanning modules. Since then there have been 18 updates, bringing new modules for Bundlore (also the subject of a campaign in XProtect), and the newer Crapyrator and Dolittle (covered by extensive rules in XProtect), while RedPine has been dropped. We end the year with version 149.
For much of the year updates have been released every two weeks, but have reduced to one update each month since the summer. It’s thought that XProtect Remediator also uses XProtect’s Yara rules for detection purposes, so it should have benefitted from all those updates as well.
XProtect Behavioural and Bastion
The most recent of the XProtect trio, this watches for code that breaks its Bastion rules of behaviour by accessing files in specific sensitive locations, and similar. Apple states in its Platform Security Guide that this isn’t used to block apps or for local detection: “In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.”
Its Bastion rules have grown from 7 to 12, adding watched locations in ~/Library and /Users/Shared and more. Apple doesn’t provide any information as to how useful this intelligence is proving.
Gatekeeper
As all those using macOS Sequoia will have discovered by now, it brings a major change to the way that Gatekeeper’s checks for notarization can be bypassed. In recent versions of macOS, this has been simple to accomplish using the Finder’s Open command, so simple that malware developers commonly coach the user through it to ensure their unsigned code is run without the defences of macOS. The new procedure requires permission to be granted explicitly in Privacy & Security settings.
This has proved controversial, with some who distribute code that isn’t notarized complaining that it’s getting in the way of users running perfectly benign software. However, it’s an important part of the transition to reliance on CDHashes known to Apple. It has already posed a problem to those distributing malicious code, for which no simple workaround has yet emerged. This has also led to a few legitimate apps being blocked, typically when they have been updated in place without fully updating their CDHashes and notarization ticket.
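Before running a newly downloaded app, the same signals Gatekeeper relies on can be inspected directly. The script below is an added example, not from the article: it parses the captured output of the real tools `spctl --assess --type exec -vv`, `codesign -dvvv` and `xattr -p com.apple.quarantine`, so the parsing runs offline, and performs the live check only on macOS when given an app path. The sample outputs in the comments and tests are constructed; the team identifier and UUID are placeholders.

```shell
#!/bin/sh
# Inspect an app's Gatekeeper verdict, CDHash and quarantine flag before first
# launch (added example, not from the article). Parsers take captured tool
# output as strings; check_app runs the tools only on macOS.

# spctl --assess --type exec -vv prints "<path>: accepted" or "<path>: rejected"
# followed by a "source=..." line describing why.
gatekeeper_verdict() {
  case "$1" in
    *rejected*)                                        echo rejected ;;
    *"source=Notarized Developer ID"*)                 echo notarized ;;
    *"source=Developer ID"*)                           echo signed-not-notarized ;;
    *"source=Apple System"*|*"source=Mac App Store"*)  echo apple ;;
    *)                                                 echo unknown ;;
  esac
}

# codesign -dvvv writes "CDHash=<40 hex chars>" for the main executable. The
# notarization ticket is keyed on CDHashes, so a binary rebuilt in place gets a
# new CDHash and needs a fresh ticket, which is how legitimate apps end up blocked.
cdhash_from_codesign() {
  printf '%s\n' "$1" | sed -n 's/^CDHash=//p' | head -n 1
}

# com.apple.quarantine value is "flags;hex-timestamp;agent;uuid"; return the agent.
quarantine_agent() {
  printf '%s' "$1" | cut -d';' -f3
}

check_app() {
  app="$1"
  verdict=$(gatekeeper_verdict "$(spctl --assess --type exec -vv "$app" 2>&1)")
  cdhash=$(cdhash_from_codesign "$(codesign -dvvv "$app" 2>&1)")
  q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null || true)
  echo "App:        $app"
  echo "Gatekeeper: $verdict"
  echo "CDHash:     ${cdhash:-none}"
  if [ -n "$q" ]; then
    echo "Quarantine: set (downloaded by $(quarantine_agent "$q")); Gatekeeper assesses on launch"
  else
    echo "Quarantine: not set; Gatekeeper will not assess this item on launch"
  fi
  # Deep, strict verification catches nested code that was updated in place.
  if codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "Signature:  valid (deep, strict)"
  else
    echo "Signature:  INVALID or unsigned"
  fi
}

if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
  check_app "$1"
fi
```

Usage: `sh check-app.sh /Applications/SomeApp.app`. A verdict of `signed-not-notarized` or `rejected` on a quarantined app is exactly the case that Sequoia now routes through Privacy & Security rather than the Finder’s Open command.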
MRT
The old macOS Malware Removal Tool MRT has been superseded in Catalina and later by a scanner module in XProtect Remediator. MRT was last updated nearly three years ago, with version 1.93 from 29 April 2022 being the last. It hasn’t been entirely forgotten, though, and may still be installed on the latest Apple silicon Macs.
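The version and rule-count figures given above for XProtect, XProtect Remediator and MRT can be read from the installed bundles. The script below is an added example, not Apple’s or the article’s code. The paths under /Library/Apple/System/Library/CoreServices are where these components are installed on current macOS; the /var/protected/xprotect location for Sequoia’s CloudKit-delivered copy is an assumption, as is the use of `rule` declarations as the unit of counting, which is how the article’s “about 328 rules” is counted here.

```shell
#!/bin/sh
# Report installed XProtect, XProtect Remediator and MRT versions and count the
# Yara rules in XProtect.yara (added example, not from the article).

XP_LEGACY=/Library/Apple/System/Library/CoreServices/XProtect.bundle
XP_SEQUOIA=/var/protected/xprotect/XProtect.bundle   # assumed location of the macOS 15 copy
XPR_APP=/Library/Apple/System/Library/CoreServices/XProtect.app
MRT_APP=/Library/Apple/System/Library/CoreServices/MRT.app

# Version string from a bundle's Info.plist, or "not installed".
bundle_version() {
  plist="$1/Contents/Info.plist"
  [ -f "$plist" ] || { echo "not installed"; return 0; }
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null \
    || echo unknown
}

# Count top-level rule declarations (rule, private rule, global rule) in a Yara
# file. Lines commented out with // are not matched because they do not start
# with the keyword.
count_yara_rules() {
  grep -cE '^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$1" \
    || true
}

# File size in whole KB, to compare with the article's "KB of text" figures.
file_size_kb() {
  bytes=$(wc -c < "$1" | tr -d ' ')
  echo $((bytes / 1024))
}

xprotect_report() {
  for b in "$XP_LEGACY" "$XP_SEQUOIA"; do
    echo "XProtect $b: $(bundle_version "$b")"
    yara="$b/Contents/Resources/XProtect.yara"
    if [ -f "$yara" ]; then
      echo "  rules: $(count_yara_rules "$yara"), size: $(file_size_kb "$yara") KB"
    fi
  done
  echo "XProtect Remediator: $(bundle_version "$XPR_APP")"
  echo "MRT:                 $(bundle_version "$MRT_APP")"
}

if [ "$(uname)" = Darwin ]; then
  xprotect_report
fi
```

On a Mac running Sequoia 15.2 or later, comparing the two XProtect lines shows whether the iCloud-delivered copy has moved ahead of the one left by Software Update, which is the forking the article describes.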
Threat
Fuller accounts of changes in the threat landscape are given by independent security researchers. Moonlock’s was published earlier this month, and I’d expect to see reviews from Patrick Wardle at the Objective-See Foundation and others in the coming days.
The year has seen a continuing increase in the number and variety of malicious products for macOS. It’s surprising how many old names like Adload and Bundlore are apparently still thriving, and the emphasis remains on stealers. Recent directed attacks have demonstrated increasing ingenuity and technical skill, and at least one managed to sneak its way through screening by Apple and became notarized, although that notarization has since been revoked.
As ever, threats are most immediate for those who engage in high-risk activities, including downloading cracked commercial products, and dealing in cryptocurrency.
The year ahead
Given that there’s no sign yet that Apple has driven away those who develop and deploy malware, 2025 isn’t likely to be any easier. Most malware has yet to respond to the change brought in bypassing notarization requirements. While there are bound to be more attempts to get malware notarized by Apple, the chances of a notarized app being malicious are likely to remain as close to zero as possible. Greatest risks will continue for those who run unnotarized code from uncontrolled sources.
Apple has put a lot of effort into the changes it has made in XProtect, and will expect to see results in the coming months.
Canals of Venice 1903-1910
In the early years of the twentieth century, the city of Venice grew in importance as a centre of art, with the Venice Biennale increasingly encouraging contemporary styles. That drew a succession of Post-Impressionists to depict the city and its famous canals.
Henri-Edmond Cross’s watercolour sketch of Venice – The Giudecca from 1903 is similar in approach to those painted by Paul Signac before he viewed Paul Cézanne’s late watercolours in 1908.
Cross’s Regatta in Venice from 1903-04 is a finished Pointillist painting in oils, bearing a strong similarity to those painted at this time by Paul Signac. In the middle distance there appears to be a race taking place.
Paul Signac’s fascination with Venice had been inspired by the writings of John Ruskin, in particular The Stones of Venice. In the course of the early years of the twentieth century, he turned his large collection of studies made in front of the motif into a succession of major Neo-Impressionist oil paintings. Among the first, which he completed in 1904, was this view of the Giudecca Anchorage showing the church of Santa Maria della Salute. This set the compositional approach for many of his views of ports, with colourful vessels in the foreground, and lofty buildings dissolving in the distance.
Another example from 1904 is Signac’s painting of The Lagoon. Yellow Sail with its rhythmic reflections.
Signac’s The Green Sail (1904) features the church of San Giorgio in the distance.
Meanwhile, John Singer Sargent found more unusual views of activities and parts of the city not normally seen by the visitor. This watercolour from 1904 shows Unloading Boats in Venice in the city’s port.
Basin of San Marco, Venice, completed by Signac in 1905, is one of the largest of his paintings of ports. This shows, at the left, San Giorgio Maggiore, in the centre Santa Maria della Salute, and to the right the Doges’ Palace and the Campanile of Piazza San Marco. In the foreground is a flotilla of bragozzi with their colourful sails. Signac’s preparations for this had been careful if not painstaking. They led from his watercolour sketches to a squared drawing with formal geometry and a planned colour scheme, which he then enlarged onto the canvas. He was clearly pleased with the result, and this work was featured in many of his subsequent major exhibitions.
My favourite among Signac’s views of Venice is his Entrance to the Grand Canal, Venice (1905). Its foreground is dominated by a shimmering and jumbled parade of gondolas, and melting into the distance is the towering silhouette of Santa Maria della Salute.
Sargent’s bravura watercolour sketch Grand Canal, Venice (1907) gives an idea as to his approach and style. It’s composed of a sparse collection of brushstrokes of watercolour which assemble into a detailed view. He sees Venice from the level of a gondola, the bows of which are also shown. His palette for these sketches is generally centred on earth colours for the buildings, with blue for the sky, water, and usually the shadows too.
In 1908, Ivan Trush visited northern Italy, where he painted this famous view of Venice, San Giorgio Maggiore. One of the smaller islands there, it has been painted extensively, perhaps most famously in Claude Monet’s late series. The church and its high campanile are prominent landmarks whose detail Trush has captured in this impressive oil sketch.
Signac painted Venice. Customs House in 1908, following a return visit to the city. This reverses his previous compositions by placing the Customs House in the mid-ground, with masts and sails behind. This loses the depth and grandeur of those earlier works.
Martín Rico maintained his summer visits to Venice right up to the year of his death, when he painted this unusual view Near the Grand Canal, Venice (1908). A person is in the water beside the gondola, and the boatman is assisting them with a boathook while the other occupants seem quite detached from what is going on.
Sargent’s watercolours were by no means dependent on the sophistication of his technique: Rio dei Mendicanti, Venice from about 1909 works its magic almost entirely from a combination of wet on dry and wet on wet. There isn’t even much in the way of a graphite drawing under its thin washes.
Although the rise of Modernism brought fewer painters to the canals of Venice, they increasingly flocked to the Venice Biennale during the twentieth century, and Venice remains a focus of art.