
OS X Yosemite Security and Privacy Guide - noondip
https://github.com/drduh/OS-X-Yosemite-Security-and-Privacy-Guide
======
gok
> Don't use Safari. The code is a mess and security vulnerabilities are
> frequent, but slow to patch.

Over the last two years, Safari has had half as many vulnerabilities [1] as Chrome
[2] or Firefox [3]. Security updates are frequent [4].

As to the code being a mess... perhaps there's a particularly offensive part of
the WebKit code style guidelines [5] that makes them less secure than the Blink
code style guidelines [6]?

[1] [http://www.cvedetails.com/product/2935/Apple-Safari.html?vendor_id=49](http://www.cvedetails.com/product/2935/Apple-Safari.html?vendor_id=49)
[2] [http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224](http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224)
[3] [http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452](http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452)
[4] [https://support.apple.com/en-us/HT201222](https://support.apple.com/en-us/HT201222)
[5] [http://www.webkit.org/coding/coding-style.html](http://www.webkit.org/coding/coding-style.html)
[6] [https://www.chromium.org/blink/coding-style](https://www.chromium.org/blink/coding-style)

~~~
WA
I don't use Safari, not because of privacy concerns, but because

1. I hate how the address bar partially hides the URL.

2. It adjusts colors. Not only for images with an embedded color profile, but
many colors defined in CSS are brighter in Safari than in Firefox or Chrome.
This messes up my web development.

~~~
dombili
1. I agree that this can be annoying at times, but you can disable this:
Settings > Advanced > Show full website address

2. I have no answers for this one, other than to say that I haven't
experienced it.

------
waz0wski
This guide has some useful tips (enable FileVault 2, disable mDNS advertising),
but recommends wholly disabling most of the usable functions of applications
like calendar, finder, spotlight, etc. in the name of "security", which is
futile considering every single security update for OSX addresses tons of
userland and kernel remote-code execution or local r00t privilege
escalations [1][2][3], as well as the well-publicized Thunderstrike [4] family
of vulnerabilities which allow for OSX hw/sw compromise.

Every major/minor system update (i.e. 10.10.x, 10.11) will require these tweaks
to be reapplied as well.

Let's not call using Ruby to run curl to install Homebrew secure either. Just
because Homebrew doesn't need sudo doesn't mean it's inherently secure, and
the dependency tree of some of the software the guide recommends you install
comes with its own set of security issues which need to be manually
maintained outside of OSX update procedures.

I'm typing this from an OSX machine with a few of these tweaks applied
already, and I love using it for my desktop OS -- but if you really need to be
this paranoid about security, you shouldn't be using OSX. There are several
security-or-paranoia oriented linux distros you can run.

[1] [https://support.apple.com/en-us/HT205031](https://support.apple.com/en-us/HT205031)
[2] [https://support.apple.com/en-us/HT204942](https://support.apple.com/en-us/HT204942)
[3] [https://support.apple.com/en-us/HT204659](https://support.apple.com/en-us/HT204659)
[4] [https://trmm.net/Thunderstrike](https://trmm.net/Thunderstrike) & [https://trmm.net/Thunderstrike_2](https://trmm.net/Thunderstrike_2)

~~~
simonebrunozzi
What's the best guide you know for SE Linux as a desktop?

~~~
noja
You don't need a guide, it just works. If you're installing stuff from rpm
(and not from a weird backalley repo) then it all just works.

~~~
simoncion
> You don't need a guide, it just works.

It "just works" if the package you're installing has a corresponding SELinux
profile. If it doesn't, you're in for a world of "fun" trying to come up with
a correct profile.

(I've played with both SELinux and Grsecurity MAC systems in the past. I know
that it's not _impossible_ to create these profiles. I also know that it's not
infrequently an _enormous_ pain in the ass, and a thing that even experts
sometimes get wrong.)

~~~
noja
If something doesn't have a profile then it runs unconfined. That's
simplified, but really does work out of the box unless you do something weird
(then you flip a boolean) or very weird (then you create a custom module).

But for a normal desktop user, it does just work.

~~~
simoncion
Oh! That's super useful. I stand corrected.

I wonder if grsec's MAC system has grown an equivalent feature in the past
four or five years. (If I overlooked the existence of such a thing in grsec,
I'm gonna be _so_ embarrassed.)

------
reledi
I expect there to be a lot of criticism in this thread. May I suggest that you
direct your energy towards the guide by opening an issue or pull request
instead? It's a better medium for discussion and there's a chance the guide
will be improved, benefiting everyone.

~~~
axx
Yes please!

------
natch
This looks great. However for a document that is so hyper vigilant about
preventing little phone-home-to-Apple behaviors, isn't there some cognitive
dissonance in the fact that it recommends installing Google Chrome? What am I
missing?

~~~
Karunamon
The fact that, much like Mac OS, all of the phone-home-ness of Chrome can be
turned off (regardless of how much doing so might be more of a threat to you)

~~~
sam_goody
Chrome sends every URL or key stroke in the URL bar home in the guise of
checking if they are search terms, and nothing short of not using Chrome helps
that.

In addition, installing Chrome created a situation where every few minutes
something is connecting to Google's servers. I disabled updates, uninstalled
Chrome, and removed everything Google, followed instructions for removing the
updater - and something is still pinging Google every few minutes.

If there is a way to shut these off, then the author should detail this, as
much as he has detailed how to fix Apple's phone-home behaviour.

~~~
Karunamon
Nothing short of _unticking the box_ you mean:
[http://imgur.com/If9Oazj](http://imgur.com/If9Oazj)

The amount of bad faith people ascribe to basic usability functions utterly
astounds me.

~~~
habith
> The amount of bad faith people ascribe to basic usability functions utterly
> astounds me.

I think most of it comes from how Google (and the industry in general) has
evolved. There was a day[0] when things were labeled clearly and the default
behavior wasn't to vacuum up as much data about users in the name of basic
usability functions.

The amount of trust people have in companies to keep their private information
safe from prying eyes is what's truly astounding.

[0] [http://images.devshed.com/sc/stories/Google_Desktop_Search2b/Desktopadvanced.jpg](http://images.devshed.com/sc/stories/Google_Desktop_Search2b/Desktopadvanced.jpg)

~~~
donkeyd
For me, it's mostly because I believe that bad press is enough of a motivator
for companies to not turn completely evil. We know the damage that Snowden did
to the public image of the NSA. Imagine the NSA being a publicly traded
company, it wouldn't have been pretty.

I'm sure some company will turn evil and abuse the trust that their users have
given them. (I assume it will be Facebook.) But I also, maybe naively, assume
this will not impact my life in a significant way.

------
fredkbloggs
Please do not enable "stealth mode" in the ALF. This violates applicable
standards, impedes system and network management, and provides no additional
security (as anyone with nmap can readily verify). Hosts are required to
respond to unicast ICMP echo requests, period [0]. No exceptions.

[0] [https://tools.ietf.org/html/rfc1122#page-42](https://tools.ietf.org/html/rfc1122#page-42)

~~~
tptacek
"Impeding system and network management" is potentially a real argument
(though one most OS X users, whose machines are not rightfully overseen by any
network manager, might dismiss).

But the appeal to IETF standards that brackets that argument, with its
"period, no exceptions" language, is a bit galling. Who cares? The IETF has
made all manner of silly rules in its history. Why isn't this simply one of
them?

~~~
seanhunter
Totally agree. It's fair to realise that there are consequences to deviation
from standards, but (like many people) I don't consider the fact that IETF
makes something a standard to be a binding requirement on me to do something on
my boxes.

For one thing, the standard was built for an extremely different internet than
the one we have today.

------
geofft
Out of curiosity, does the recovery-mode download verify the integrity of the
downloaded image (either with HTTPS or with some sort of static signature
check)?

------
MagerValp
Author of AutoDMG here, and since imaging is my day job I was happy to see
that the article starts with a solid introduction to deploying OS X. However
I'd do a few things differently:

* It's best to build the image using a full installer of the latest version of OS X downloaded from the App Store (currently 10.10.5 14F27). Do not build a 10.10 14A389 image and apply the combo update to it, as updates are meant to be installed on live systems and occasionally cause headaches.

* Avoid including extra packages on the image; it'll only make it a pain to maintain and update. Also, many packages are badly written and don't install correctly (see [https://github.com/MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment](https://github.com/MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment)).

* Rather than installing packages into the image you can include them but install them on first boot, e.g. with Outset: [https://github.com/chilcote/outset](https://github.com/chilcote/outset)

* Even better, it's easy to set up Munki for software management, this way you can keep your machines updated too: [https://github.com/munki/munki](https://github.com/munki/munki)

* If you build your image with AutoDMG, a recovery partition should be included in the image and created automatically when you restore with asr. If for some reason it's missing, you can create a package that will create it for you (again using the latest OS X installer): [https://github.com/MagerValp/Create-Recovery-Partition-Installer](https://github.com/MagerValp/Create-Recovery-Partition-Installer)

Now on to reading the rest of the guide... :)

Edit: reworded

------
gcb0
Gotta love how it gives out hashes for the OSX install image, and then ignores
all that nonsense when installing Homebrew with shellcode directly from
GitHub.

~~~
noondip
Would you mind explaining why you think that's a contradiction? The
"shellcode" is downloaded over SSL from a very popular repository on github.
I'm genuinely interested in your alternative approach to securely downloading
and installing programs from source, and why you think this way is
problematic.

~~~
sitharus
You should publish the hash of the script, then the user should download it to
disk, verify the script and then execute it. The same as would apply to any
binary download - if a binary can be compromised so can a shell script.

Alternatively you can code review the script before executing it, which is a
plus.

~~~
superuser2
Hashes are useful when software is hosted on third-party mirrors or CDNs. If
the software is hosted on the same server as the webpage about it, then anyone
in a position to replace the download can and will replace the hash as well.

~~~
vbezhenar
A better solution is to use signed software packages. Compromising a website is
more common than compromising a developer's private keys.

~~~
superuser2
How are you going to trust the public key?

HN doesn't seem to like Apple/Microsoft as trust brokers, and absent a trusted
CA I don't see how this makes the problem any better.

~~~
vbezhenar
You have to trust someone to build a trusted chain. Trusted CA roots from SSL
are a good practical choice IMO. Maybe the NSA or the Chinese government could
theoretically crack that setup, but for other adversaries it would be much harder.

------
tetraodonpuffer
Could anybody knowledgeable comment on the list of disabled services and
agents? I can't find a good site discussing what each service/agent is and
what it is for.

------
danieleggert
You're worried about security, but you install homebrew?!?

~~~
billyhoffman
Even better, let's just execute the random contents of a URL with a Ruby
interpreter. Pretty sure curl's -f will suppress any SSL errors you'd receive
as someone MITMs you...

~~~
acdha
This is a commonly-repeated cargo-cult security trope: if you're going to run
arbitrary code from Homebrew, your risk exposure is no different whether you
download the installer and run it as two separate actions or one combined
command.

The option you're thinking of is -k — -f simply tells curl to fail silently on
errors, not ignore them:

[http://curl.haxx.se/docs/manpage.html#-f](http://curl.haxx.se/docs/manpage.html#-f)
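The download-to-disk, verify-against-a-published-hash, then-execute flow that sitharus describes above, using the curl flags acdha clarifies (-f fails on HTTP errors; -k is deliberately absent so certificate errors stay fatal). This is an added example, not code from the guide or from anyone in this thread; the URL, the output filename and the expected digest are placeholders, and the `hello` file in the comments is constructed test input.

```shell
#!/bin/sh
# Added example: fetch an installer script to disk, check it against a
# published SHA-256, and only then hand it to the interpreter. This replaces
# the one-liner `ruby -e "$(curl -fsSL <url>)"` pattern. URL and expected
# hash are placeholders, not real values.
set -eu

# Hash a file with whatever SHA-256 tool the system has (macOS: shasum,
# Linux: sha256sum); prints only the lowercase hex digest.
# Constructed check: a file containing "hello\n" hashes to
# 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi | tr 'A-F' 'a-f'
}

# Return 0 if FILE hashes to EXPECTED (compared case-insensitively), else 1.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Fetch to disk first. -f fails on HTTP errors, -S reports TLS/network errors
# despite -s, --proto '=https' refuses redirects to plain http, and there is
# no -k, so an invalid certificate aborts the download.
fetch_script() {
    curl -fsSL --proto '=https' -o "$2" "$1"
}

# Download, verify against the published digest, then run. On mismatch the
# file stays on disk for inspection and nothing is executed.
install_verified() {
    url=$1; expected=$2; out=${3:-install.rb}
    fetch_script "$url" "$out"
    if verify_sha256 "$out" "$expected"; then
        ruby "$out"
    else
        echo "hash mismatch for $out; not executing" >&2
        return 1
    fi
}

# Usage (placeholders):
# install_verified https://example.invalid/install.rb <published-sha256>
```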

------
cmurf
"Use of the OS X OpenSSL libraries by apps is strongly discouraged."
[https://developer.apple.com/library/mac/documentation/Securi...](https://developer.apple.com/library/mac/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html)

OK, so why even include it then?

------
ced
That's a long list. Is it commonly believed that out-of-the-box Ubuntu is more
secure than OSX?

~~~
rasengan
This isn't exactly an answer to your question, as I do not know what the
common belief could be and, as well, without doing serious research through
the exploration of blogs, social networks and such to determine what said
belief could be, it would be impossible to give a definitive answer.

That being said, I don't think Ubuntu is any more or less secure than OS X.

This is just a personal opinion.

------
newman314
Cert removal does not seem to work on El Capitan. Maybe because of rootless?

~~~
gurkendoktor
I'm not on El Capitan, but does disabling them in the GUI work (Trust: Never)?
I think that's better than removing them anyway, as it seems to persist across
OS upgrades.

