
Ask HN: How do you secure your Mac? - jorangreef
Apart from full disk encryption and a password manager:

Do you use antivirus? Which antivirus?

Do you use two-factor SSH?

Do you use IDS?

What else do you recommend?
======
lukewrites
The thing I do that I think is most important is use Little Snitch
([https://www.obdev.at/products/littlesnitch/index.html](https://www.obdev.at/products/littlesnitch/index.html))
to track/block/approve incoming and outgoing network requests.

It's how I caught a new Seagate external hard drive making calls to Baidu and
Google.
[https://fosstodon.org/@lukewrites/100907932236227641](https://fosstodon.org/@lukewrites/100907932236227641)

~~~
geowwy

> When it loads, the disk is unwritable; you have a choice of
> a Mac executable or a Windows executable.

That's ridiculous. How do they justify that?

------
rgovostes
I am a security professional and have thorough knowledge of macOS internals
and the built-in security protections.

Almost all antivirus or security products on the Mac App Store should be
treated with extreme skepticism. I recently saw that one of the top grossing
apps was an antivirus product called Thor Antivirus. Looking under the hood,
it was just ClamAV, and their claims about its protections were
unsubstantiated. They probably made tens of thousands of dollars before Apple
took them down in response to my report.

Several years before that, I audited SecureMac's MacScan[0], a once-popular
antivirus app that had received accolades from MacWorld for years. It turns
out it just checked file metadata such as modification times, and didn't even
look inside.

Apple's app reviewers are not able to identify bogus security products, and the
result is that you might damage your system by allowing some half-baked
program to run amok.

I don't run any third-party antivirus myself, but when I was investigating a
piece of Mac malware, I discovered that Malwarebytes had beat me to the punch
and published a great blog post on their investigation. I vaguely recall using
their software to clean up a relative's Mac successfully.

By the way, at the time of writing, a program called Antivirus Zap - Virus &
Aware is #6 on the Top Paid list of the Mac App Store. Antivirus VirusKiller
is #41. I guarantee you they're both shit. (Antivirus Zap also uses ClamAV.)

0: [https://web.archive.org/web/20110719013009/http://rgov.org/2...](https://web.archive.org/web/20110719013009/http://rgov.org/2011/01/19/macscam/)

------
jiscariot
My primary concern is someone physically stealing my Macbook or iMac. They are
personal devices and the content on them would not be much of interest to
others, foreign governments or other entities.

I have Prey[1] installed. On both devices, I have "admin" credentials taped to
the back. The account is actually a locked down user-level account with very
little authority, other than being able to get on wifi/browse the internet,
etc. I suppose this would be a honeypot of sorts. My thought being if someone
walks off with it, I want to be able to gather as much info on them as
possible. I haven't given a whole lot of thought to this, so definitely
curious if there are issues with this approach.

[1]: [https://preyproject.com/](https://preyproject.com/)

~~~
loopbit
Your comment reminded me of this:

DEF CON 18 - Zoz - Pwned By The Owner: What Happens When You Steal A Hacker's
Computer: [https://youtu.be/Jwpg-AwJ0Jc](https://youtu.be/Jwpg-AwJ0Jc)

~~~
neilalexander
This is wonderful.

------
drexlspivey
I try to use Touch ID for everything it can be used for.

Touch ID for sudo [http://osxdaily.com/2017/11/22/use-touch-id-sudo-mac/](http://osxdaily.com/2017/11/22/use-touch-id-sudo-mac/)

Touch ID for SSH
[https://github.com/sekey/sekey](https://github.com/sekey/sekey) (uses secure
enclave)

I use this for 2FA [https://krypt.co/](https://krypt.co/) (uses secure enclave
on your phone)

Touch ID for password management
[https://1password.com/](https://1password.com/)

I upload dotfiles and other credentials in a keybase encrypted repo

~~~
majewsky
So I assume your threat model is exclusively keyloggers? It's certainly not
physical access. Your fingerprints are all over the device's surface, so a
determined attacker can easily duplicate them. (And to a non-determined
attacker, Touch ID does not make much of a difference to passwords.)

~~~
tinco
Having your SSH key password protected would be a lot more annoying than
having it Touch ID protected. The threat model would be someone using your
Mac if you left it unlocked for a minute or something.

------
0x54MUR41
I follow some parts of Bejarano's guide [0]. It was discussed on HN
[https://news.ycombinator.com/item?id=18099835](https://news.ycombinator.com/item?id=18099835)
(6 months ago).

The macOS Security and Privacy Guide [1] is also a recommendation you can try.

[0]: [https://blog.bejarano.io/hardening-macos.html](https://blog.bejarano.io/hardening-macos.html)

[1]: [https://github.com/drduh/macOS-Security-and-Privacy-Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide)

------
no1youknowz
I used to use little snitch and now came across lulu [0].

> LuLu is the free, open-source macOS firewall that aims to block unknown
> outgoing connections, unless explicitly approved by the user.

I would love to know if anyone else has switched over and what's missing. I
haven't had a whole lot of time to do a thorough investigation.

[0]: [https://objective-see.com/products/lulu.html](https://objective-see.com/products/lulu.html)

~~~
jason_slack
I have been using lulu for several months and love it. The interface for
managing rules is easy to follow.

------
ellw
Little Snitch [1], 1Password [2], macOS Filevault, {BlockBlock, RansomWhere,
OverSight, ReiKey} by Objective-See [3]

A few years back I was a big fan of Little Flocker, which is now part of
F-Secure as XFENCE [4]. But I haven't used it since its rebranding; is anyone
still using it?

[1] [https://www.obdev.at/products/littlesnitch/](https://www.obdev.at/products/littlesnitch/)
[2] [https://1password.com/](https://1password.com/)
[3] [https://objective-see.com/products.html](https://objective-see.com/products.html)
[4] [https://campaigns.f-secure.com/xfence/](https://campaigns.f-secure.com/xfence/)

------
cerberusss
What exactly is your threat model? Are you a developer of a very public
software project? Are you a politician or a journalist? Or someone in HR? Or
are you just an average Joe?

And what software do you use regularly? Do you pirate software?

These are important questions to answer, before you come up with how to secure
your Mac.

That said, I'm just an average developer. I hardly run anything non-standard.
I do make sure to not leave my laptop unlocked, but that's it.

~~~
jorangreef
Assume it's for a software developer.

Regarding software: only system apps with the exception of say a password
manager, code editor and git.

------
fergbrain
I basically follow the NIST Guide to Securing Apple macOS:
[https://csrc.nist.gov/publications/detail/sp/800-179/rev-1/d...](https://csrc.nist.gov/publications/detail/sp/800-179/rev-1/draft)

------
aianus
Shameless plug since it's relevant:

We built a Slack bot [0] that shames (in good humor) people in the office who
leave unlocked laptops unattended. We had a similar system at Twitter where we
would tweet a certain codeword on unlocked laptops and it was very effective
in stopping that behavior.

[0] [https://sniped.app/](https://sniped.app/)

~~~
unixhero
We, at Accenture, use the person's unlocked laptop and Outlook to invite 5-15
colleagues to a cake celebration a week into the future.

It's pretty hilarious because the person usually goes through with it.

------
listoflinks
Hardening macOS [https://blog.bejarano.io/hardening-macos.html](https://blog.bejarano.io/hardening-macos.html)

Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST
Security Configuration Checklist [https://www.nist.gov/publications/guide-securing-apple-os-x-...](https://www.nist.gov/publications/guide-securing-apple-os-x-1010-systems-it-professionals-nist-security-configuration)

Securing macOS in 2018 [https://www.davd.eu/securing-macos/](https://www.davd.eu/securing-macos/)

Free OS X Security Tools [https://objective-see.com/products.html](https://objective-see.com/products.html)

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems
[https://github.com/CISOfy/lynis](https://github.com/CISOfy/lynis)

------
dippersauce
For me the most important aspect is the use of a VPN, security software, and
the combination of multiple layers of authentication. These are of course just
general good practices, but how you implement them is what's unique compared
to Windows or Linux. A full list would be too long for an HN comment, but a
few months ago I put together something of a reference guide listing the
methods I apply to secure Macs in a roughly organized fashion. It's brief in
most aspects, but hopefully it can be of use to someone. It's licensed
under Creative Commons, so feel free to redistribute it. I've uploaded it to
iTunes[1], but if Freedom is a concern I can email[2] a PDF of it directly.

[1] [https://itunes.apple.com/us/book/kickstart-security-macos-mo...](https://itunes.apple.com/us/book/kickstart-security-macos-mojave/id1451794169?mt=11)

[2] contact@austinlasota.com

------
dervjd
As others have mentioned, Little Snitch + BlockBlock is a powerful
combination that lets you (1) see what is phoning home, and (2) know what crap
apps are installing in the background.

I like to set up a lock screen message with your name/phone.
[https://support.apple.com/en-us/HT203580](https://support.apple.com/en-us/HT203580).
Not "security" per se, but it can help get your computer back to you if stolen.

Set a firmware password to prevent your Mac from being reformatted:
[https://support.apple.com/en-us/HT204455](https://support.apple.com/en-us/HT204455)

If you're using FileVault, you may want to ensure you are not backing up your
recovery key to iCloud. There's a terminal command (I think) to discover if it
is.

You should also go in and show hidden files. In the terminal: `defaults write com.apple.Finder AppleShowAllFiles true`

------
dev_north_east
I don't do any of the above! I lock it, keep it up to date and am not foolish
about what to run/download.

------
barrowclift
While I strongly advise avoiding traditional "antivirus" software like
Symantec, EtreCheck[1] is a wonderful diagnostic tool for checking your Mac's
general health. Included in that health check is a full disk sweep for any
known adware. I used it just this past year to help identify and remove some
adware on my parents' computer, and would highly recommend it.

[1] [https://etrecheck.com](https://etrecheck.com)

------
runjake
FileVault, no antivirus (except what comes with macOS), Objective-See's Do Not
Disturb [1], 2F SSH depending on the host.

What's your threat model? My recommendations are going to be based wholly on
that. Are you an average Joe/Jane, or a reporter for The Intercept?

[1] For evil maid attacks. [https://objective-see.com/products/dnd.html](https://objective-see.com/products/dnd.html)

------
maverickmax90
Antivirus: Sophos Home Free, according to me the only real antivirus. Little
Snitch is excellent for severing unintended network connections. Search engine:
startpage.com. This one has been excellent as I get privacy + search results
the same as Google. I use AdGuard... very effective. DNS: 1.1.1.1 from Cloudflare.

------
6footgeek
My friend built this audit / lockdown tool for enhancing security defaults on
the Mac. Maybe you will find it useful :)
[https://github.com/0xmachos/mOSL](https://github.com/0xmachos/mOSL)

------
kevinherron
FileVault, strong system password, Little Snitch.

Everything else (2FA, password manager) is not macOS specific.

------
icedchai
Full disk encryption, that's it. When I get up, I lock the screen.

~~~
cerberusss
To add to this: the shortcut key for locking the screen is Cmd+Ctrl+Q. There's
also the possibility of configuring a Hot Corner for this.

~~~
pfranz
I use Ctrl+Shift+Esc to put my screen to sleep (which locks it).

~~~
cerberusss
Is this a default shortcut key?

~~~
jeauxlb
yep

------
captainredbeard
If you're paranoid:

- Full Disk Encryption
- Use Little Snitch
- Don't use iCloud
- Disable SSH except for your account
- Turn off remote login
- Run developer software in Docker containers
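
A small audit script, added here as an example and not taken from any comment in the thread, that checks several of the controls named in this list and in dervjd's comment above (FileVault, firmware password, Remote Login, lock-screen message). The parsing helpers take the text a macOS tool prints, so the logic can be exercised offline with constructed output; `audit_mac` runs the real tools only on macOS. The exact output strings and the `LoginwindowText` preference key are assumptions based on current macOS tools.

```shell
#!/bin/sh
# Added example (not from the thread): each helper returns 0 when the control
# is in place and 1 when it is not. Helpers take the text the macOS tool
# prints, so they can be exercised with constructed output on any POSIX shell.

filevault_on() {
    # `fdesetup status` prints "FileVault is On." on an encrypted system disk.
    case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

firmware_password_set() {
    # `firmwarepasswd -check` (needs sudo) prints "Password Enabled: Yes" or "No".
    case "$1" in *"Password Enabled: Yes"*) return 0 ;; *) return 1 ;; esac
}

remote_login_off() {
    # `systemsetup -getremotelogin` (needs sudo) prints "Remote Login: On" or "Off".
    case "$1" in *"Remote Login: Off"*) return 0 ;; *) return 1 ;; esac
}

lock_message_set() {
    # Assumed key: LoginwindowText in /Library/Preferences/com.apple.loginwindow
    # holds the text shown on the lock screen (HT203580); blank means unset.
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

report() {
    # $1 = label, $2 = check function, $3 = captured tool output
    if "$2" "$3"; then printf 'OK    %s\n' "$1"; else printf 'FAIL  %s\n' "$1"; fi
}

audit_mac() {
    # Run the real tools only on macOS; elsewhere say so and succeed.
    if [ "$(uname)" != Darwin ]; then
        echo "not macOS, live audit skipped"
        return 0
    fi
    # sudo -n fails instead of prompting when no cached credentials exist.
    report "FileVault enabled"       filevault_on          "$(fdesetup status 2>/dev/null)"
    report "Firmware password set"   firmware_password_set "$(sudo -n firmwarepasswd -check 2>/dev/null)"
    report "Remote Login disabled"   remote_login_off      "$(sudo -n systemsetup -getremotelogin 2>/dev/null)"
    report "Lock-screen message set" lock_message_set \
        "$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null)"
}

audit_mac
```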

~~~
kahlonel
Genuine question: Is iCloud any more insecure than any other cloud service? I
was thinking of shifting a lot of stuff to it.

------
fakeElonMusk
In addition to FileVault I have uBlock Origin installed on all browsers and
Malwarebytes running. But I have no idea if these programs are working, are
looking for the correct threats or potentially have malware themselves. So far
so good...

------
ajroot
I follow this: [https://spreadprivacy.com/mac-privacy-tips/](https://spreadprivacy.com/mac-privacy-tips/)

Not really an exhaustive list, but at least gets you started off.

------
notlukesky
saaspass.com for 2FA on macOS

SAASPASS Authenticator for regular 2FA

SAASPASS Browser extension for autofill of 2FA Authenticator codes

SAASPASS Password Manager for websites

[https://saaspass.com/download/apple-mac-two-factor-authentic...](https://saaspass.com/download/apple-mac-two-factor-authentication-2fa-computer-connector-os-x/)

And here:

[https://saaspass.com/downloads/](https://saaspass.com/downloads/)

[https://m.youtube.com/watch?v=qkf9VraKuDU](https://m.youtube.com/watch?v=qkf9VraKuDU)

------
cyrilbenson47
2FA all the time. And I don't usually join public connections.

------
kilon
I don't. I keep my super sensitive data in my head. I never believed in
computer security and never will. But then I never believed in security in
general. Why on earth would you need an antivirus for a Mac? I don't even
remember the last time Avast gave me a virus warning on Windoom 10. Nowadays
it's mostly worms, ransomware and spyware, rarely a Trojan horse. The age of
the virus has long gone after the start of the age of not-slow internet. The only
thing I do is back up my data via Dropbox and MEGAsync.

If you really need security, get a computer and disconnect it from the internet.
The end.

------
buffaloo
If the concern is ransomware, what works well?

------
hodder
I don't. Never had an issue. 2FA for secure web needs if it is offered.

------
m463
Most useful tools:

- Little Snitch
- Firefox with lots of privacy settings + uMatrix + Decentraleyes

I use them more for privacy, but security is an added benefit.

------
Saphyel
It doesn't matter what you do, Apple controls and shares your data.

My recommendation: stay offline as much as you can.

------
Saphyel
It doesn't matter what you do, Apple harvests and shares your data.

My recommendation: stay offline as much as you can.

~~~
Veen
Do you have any evidence that Apple harvests data stored on Macs and shares it
with third parties? If so, that would be big news given Apple's stance on
security and privacy.

------
npc_george123
I update my hosts file to stop communication with the bad guys:
[https://github.com/StevenBlack/hosts/blob/master/alternates/...](https://github.com/StevenBlack/hosts/blob/master/alternates/fakenews-gambling-porn-social/readme.md)

