
Mac OS/X Security Tips - jackgavigan
http://zsmith.co/security.html
======
tptacek
The Tor browser might be the _least_ safe choice among all modern browsers:
it's a version of Firefox (itself probably the weakest of the browser
runtimes) that has the "virtue" of being heavily targeted by everyone.

If you're picking browsers based on security, what you probably want is
Chrom(e|ium).

Some of what's in this document makes some sense (especially if you're
_really_ trying to be careful; for instance, if anything important in your
life depends on full disk encryption, you probably do want to be careful about
when your machine is powered on). But a lot of it is batshit.

Also: it links to the Norse attack map.

~~~
kobayashi
While I agree that Chrom(e|ium) sandboxing and the backing of Google's
security teams make it a security leader, I'm torn between Chrome/Chromium and
Firefox because of privacy considerations. For example, privacytools.io
recommends Firefox for reasons such as its tweak-ability, and because WebRTC
can be disabled so that when using a VPN, the originating IP isn't leaked.
Other tweaks include the ability to disable both the disclosure of battery
status and clipboard events.

I'd love to get your opinion on the trade-offs between the current
unsandboxed version of Firefox, and Chrome/Chromium.

Edit: Also, thegrugq[0] recommends against using Safari, but makes no mention
of Firefox. While Safari is not atop my list of privacy or security focussed
browsers, I'm somewhat surprised to see it specifically mentioned as one to be
avoided. If you agree with him, why is that? In my view, it's not terrible
because it doesn't support WebRTC, a user can disable plugins, and because
WebGL can also be disabled. While it can't run HTTPS everywhere nor a random
user agent spoofer, JSB5 seems pretty good for a javascript blocker and uBlock
(while no longer under development) still works rather well.

[0] [https://gist.github.com/grugq/353b6fc9b094d5700c70](https://gist.github.com/grugq/353b6fc9b094d5700c70)

~~~
viraptor
For WebRTC there's always [https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia](https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia)

~~~
kobayashi
I haven't before seen that extension, though privacytools.io categorically
states: "There is no known working solution [to fix the WebRTC Leak in Google
Chrome], only a plugin that is easily circumvented. Please use Firefox
instead."

Do you have reason to believe that they're mistaken?

~~~
viraptor
No, I haven't seen this note. If they don't post details about how it can be
"easily circumvented", it's hard to really reason about it. For what it's
worth, their test does not "easily circumvent" this extension.
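
What such a leak test actually checks, as an added example (not code from the thread or from privacytools.io): a page creates an RTCPeerConnection and reads the ICE candidates the browser gathers, which carry LAN addresses and, via STUN, the real public address a VPN is supposed to hide. The STUN server URL and the sample candidate lines are assumptions constructed for the example.

```javascript
// ICE candidate line: "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const p = line.trim().split(/\s+/);
  if (p.length < 8 || !p[0].startsWith("candidate:") || p[6] !== "typ") return null;
  return { address: p[4], port: Number(p[5]), type: p[7] };
}
// What a candidate address reveals: a LAN address, the real public address, or nothing (mDNS placeholder).
function classifyAddress(address) {
  if (/\.local$/i.test(address)) return "mdns";
  const v4 = address.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    const rfc1918 = a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
    return rfc1918 || a === 127 ? "lan-v4" : "public-v4";
  }
  if (address.includes(":")) {
    const l = address.toLowerCase();
    return l === "::1" || /^(fe80|fc|fd)/.test(l) ? "lan-v6" : "public-v6";
  }
  return "unknown";
}

// Distinct addresses a page would learn from these candidates (mDNS placeholders excluded).
function exposedAddresses(lines) {
  const out = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && !out.has(c.address)) out.set(c.address, { kind: classifyAddress(c.address), type: c.type });
  }
  return [...out].filter(([, v]) => v.kind !== "mdns").map(([address, v]) => ({ address, ...v }));
}

// Constructed sample (documentation addresses) in the shape a browser emits; lets the check run offline.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122129151 3f0a1b2c-1234-5678-9abc-def012345678.local 9 typ host",
];
// Browser only: gather ICE candidates locally (no peer, no camera/mic). The STUN server is an assumption.
async function collectCandidateLines(stunUrl = "stun:stun.l.google.com:19302") {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.onicecandidate = (ev) => { if (ev.candidate) lines.push(ev.candidate.candidate); };
  pc.createDataChannel("probe"); // gathering only starts once something needs a transport
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise((resolve) => { pc.onicegatheringstatechange = () => pc.iceGatheringState === "complete" && resolve(); });
  pc.close();
  return lines;
}
```

In a browser console, `collectCandidateLines().then((l) => console.table(exposedAddresses(l)))` shows what a page could learn; with WebRTC blocked the list should be empty or mDNS-only, and on a VPN a `public-v4` srflx entry that is not the VPN's egress address is the leak being discussed.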

~~~
kobayashi
Seems to work, and it looks to be from a trustworthy source, so that's a plus.

Do you happen to know about a reputable way to disable WebGL?

~~~
proyb2
Do you mean WebRTC? WebGL could be disabled in Chrome config as we know.

~~~
kobayashi
Which flag disables WebGL? I don't see one.

------
jads
Some good suggestions in this list, but some of this is a bit "tinfoil hat"
(reinstall OS X every month? What about restoring data from a backup? Seems so
unnecessary to suggest users wipe their Mac each month)

Any reason the author insists on spelling it "OS/X" or is this just their
personal preference? It shouldn't, but this bugged me when reading the
article.

Edit: in fact, most of this is tinfoil hat. I'm all for safety and security
but some of this is pretty extreme. "Don't trust third-party Mail providers
like Gmail?" Not sure the author realizes a good number of people they're
emailing use these services, so should people not converse with Gmail users?

This entire list of suggestions and "explanations" is straight-up FUD.

~~~
scrollaway
Yeah, the author seems to confuse "security" and "privacy". They are not
always interchangeable. Certainly not in the case of email - "private" email
services are almost always far easier to crack into than gmail.

Author also seems to think reinstalling the OS somehow makes you less
vulnerable. And that compiling source code magically makes the resulting
binary safer.

And just a giant LOL at the suggestion to upload files to virustotal at the
end of that wall of paranoia-driven privacy tips. Contrast, man.

~~~
viraptor
> Author also seems to think reinstalling the OS somehow makes you less
> vulnerable.

Depends on the context you're working in. I wouldn't recommend anyone actually
do that, but it sounds like a poor-man's readonly-system solution. If you want
to ensure that your system doesn't (for example) preserve rootkits across
system restarts, you've got a few good and bad choices: r/o system r/w (or no)
data, restarting from golden image, wiping machine clean, file integrity
checkers.

~~~
scrollaway
But the point is that wiping the OS isn't preventative. Wiping a clean system
is pointless, and wiping an infected one without knowing how it was infected
isn't just a recipe for getting infected again, it also gives a completely
false sense of security and can get you to start skipping actual preventative
measures because "the system will be gone in a couple of weeks anyway".

~~~
viraptor
(for the record, I'm not saying this is a good idea for personal desktops,
just discussing the theory) No, it's not preventative. But wiping an infected
one is not pointless either. Especially if you can upgrade all the relevant
applications after each reinstall, potentially closing previous issues. In
some contexts (small town library without IT staff, shared computer, no
knowledge how to do stateless terminals), it would be an improvement over
what's currently happening.

~~~
scrollaway
Agreed, it's not a bad idea for shared desktops.

------
thought_alarm
_> Remove all personal data from your computer before taking it in for
repair._

Ha! Great advice, unless your broken computer is broken.

When you take your machine in for service they're going to want an admin
account name and password to a working system, so here's my advice:

- Use FileVault encryption on your main system partition.

- Create a small-ish unencrypted partition and install a bootable version of
OS X. This is a great way to play around with pre-release versions of the OS.

- Create a dummy admin account and give it a password that you don't use for
anything else. Write the account name and password down somewhere.

- If/when you need to take your machine in for service, tell them to boot
into that unencrypted partition and use your dummy admin account.

A little while ago my 2011 iMac's video card failed; apparently a common
problem with that model year. The machine wouldn't boot, but thanks to
Thunderbolt Target Disk Mode I was able to make a copy of my home folder with
my laptop.

When I took my machine in they asked for an admin account. I already had that
unencrypted small partition for them to use, but I hadn't set up a separate
admin account and had to give them my primary username and password, which is
something I really didn't want to do.

They would have potentially had access to my encrypted partition along with my
Keychain. I ended up having to change a whole bunch of account passwords, just
to be safe.

So I think it's very good advice to create a separate admin account with a
password that you're comfortable giving out, along with an unencrypted system
partition that you're comfortable losing.

(By the way, Apple fixed that iMac for free even though it was over 4 years
old, way out of warranty, and was supposedly not included in a video card
replacement plan they issued for other iMac models of that year. Target disk
mode saved the day, and Apple fixed my old computer for free, so I'm a very
happy camper and am still using that machine.)

~~~
ScottBurson
Apple has never asked me for my login credentials, nor did the third-party
repair shop I took my MBP to a few months ago. Well, maybe there was a time
they did it that I don't remember, but I'm pretty sure they haven't done it
since releasing OS X. (I'm not a frequent user of Apple service, but this MBP
has been in the shop four times, I think.)

In any case, if they did ask, I would refuse. Let them boot off a DVD if they
need to.

------
electic
> Reinstall OS/X every month.

Seems like you might spend all month installing software...only to erase it
and start all over again.

~~~
pwython
And he says to reinstall iOS every WEEK. This is painful to read. Plus:

> "When sending a private email, consider encrypting it e.g. with GPG. The
> recepient [sic] will have to use GPG as well."

I bet his contacts love him.

Sometimes, people wrap the tinfoil around their heads a little too tight.

------
BoringCode
Some of these rules are oddly contradictory.

> 4.2. Do not use unofficial Firefox plugins.

Ok, fine.

> 4.13. Install an ad blocker if available. Firefox does not have an ad
> blocker built in. Most people use Ad Block Plus, which is a Firefox
> extension.

Instructions unclear.

EDIT: This one made me laugh:

> 3.4. Turn off your home Wifi router at night and when you are not at home.
> At night, or whenever you are not at home, there is no need for your router
> to be powered up. Having it on means that someone can theoretically hack
> into the router itself from anywhere on the planet.

Leaving it on while I'm home and awake will keep me safe though.

~~~
wtallis
Not that I'm defending these recommendations, but browser plug-ins and browser
extensions are not the same thing, at least in the Mozilla context. Flash and
Java are plug-ins, NoScript and AdBlock are extensions.

~~~
BoringCode
Reading the description seems to imply the author is confusing plugins and
addons. Either way you're still installing executable code written by people
using those evil pseudonyms.

------
pseudosavant
How on earth did this tinfoil garbage make it to the HN homepage? He might as
well say don't use computers. You'll spend more time reinstalling everything
than actually using the systems.

------
redial
This boils down to (1) don't use your computer and (2) if you have to use your
computer don't do anything in it.

------
rschlaikjer
> Disable website-provided fonts in your browsers as there have been exploits
> that use infected font files.

Better be on the safe side and just disable your entire computer, as there
have been several exploits that target those.

------
muterad_murilax
> Mac OS/X

Why the slash in the name? Some kind of OS/2 mix-up?

------
berkeleynerd
That's pretty good but if it were me I'd pry the ICs out of the motherboard
and microwave them every month as well. /s

Some of this is crazy advice unless you're DPR or trying to help some
oppressed people somewhere. That said, I end up reinstalling every month or so
naturally because I like to alpha-test. :P

------
dguido
This is awful advice and you would be wise not to follow it.

> Your first choice of web browser should be the TOR browser with Javascript
> disabled.

> Your second choice of web browser should be the TOR browser with Javascript
> enabled.

> Consider using the email client Thunderbird with TorBirdy, which sends
> emails through the TOR network.

Tor guarantees your network traffic will be intercepted. Malicious exit nodes
etc etc.

> Reinstall OS/X every month.

What does this get you? If you're owned, all your accounts will be owned.
Reinfecting your OS with malware would be trivial, if that is even necessary
anymore.

> Avoid free online email. There is no free lunch. They profit by selling you
> out.

Author is probably trying to make an implicit pass on Gmail. The only issue
with that is Google has a hollow mountain full of security engineers and "name
your private mail service" probably has 1, maybe 2, similarly skilled
individuals. It's a numbers game: you're safer with Gmail unless you have an
explicit 702 risk (i.e., FBI thinks you're a terrorist and requests your
mailspool via a 702 order from Gmail). Btw, Google has the cutest video that
shows how they handle those:
[https://vimeo.com/108275932](https://vimeo.com/108275932)

> When sending a private email, consider encrypting it e.g. with GPG. The
> recepient will have to use GPG as well.

Even the creator of PGP does not use PGP
([http://motherboard.vice.com/read/even-the-inventor-of-pgp-doesnt-use-pgp](http://motherboard.vice.com/read/even-the-inventor-of-pgp-doesnt-use-pgp)).
I can't tell you how many times people have emailed me their private
keys. This is not a great solution 99% of the time. Move your conversation
somewhere else.

> Your third choice of web browser should be the text-based Links browser.

lol ok

> Your fourth choice of web browser should be Firefox.

Out of 4 major browsers, yes, use the ONLY one without a sandbox.

> If you need to download an app, get its source code and compile it yourself.
> (Type ./configure; make clean; make).

Why is this better? You're not reading the source code just like you're not
reversing the binary. Waste of time.

> Try to avoid downloading risky files (PDFs, MS Word files etc.) and if you
> must, run a virus scanner on them first. If the file does not contain any
> personal or sensitive data, you can upload it to VirusTotal to have it
> tested by many antivirus programs at once.

Note: Uploading your Docs/PDFs to VirusTotal makes them readable by anyone
with a VirusTotal account lol. Also, Google gets a copy. Have fun with that.
Much easier to turn off a few features (_cough_ macros) or use a trimmer
viewer, like the Chrome PDF Viewer or uploading the docx to Google Docs and
viewing there.

> Disable website-provided fonts in your browsers as there have been exploits
> that use infected font files.

There have been exploits in a lot of things. Let's all go outside and not use
computers. Once a trend becomes public, that target generally cleans up its
act. There's been a huge amount of effort put into font validation and fuzzing
over the last few years and I think we've made it out of the font exploit dark
ages.

Here's a list from thegrugq that is far better:

[https://gist.github.com/grugq/353b6fc9b094d5700c70](https://gist.github.com/grugq/353b6fc9b094d5700c70)

~~~
viraptor
> Why is this better? You're not reading the code just like you're not
> reversing the binary. Waste of time.

This may be a weird way of saying: get your application from the most trusted
source. For example for a long time sourceforge was trusted as an opensource
distribution platform. Now they're injecting malware into popular installers.
The source/binaries signed with gpg is what I would trust over unsigned
binaries from the authors site. The third party download sites which cannot be
verified (signature/checksum) are just potential malware.

I'm not saying that "compile everything" is realistic or a good idea, but
"make sure your sources are trusted" needs much more explanation and
qualifiers.

Otherwise agree with all comments.

------
Spooky23
Sounds like the infosec idiots at my company. Only thing missing is the advice
to make sure that the infrared data transfer port is disabled.

Some sap has to file an exception to that requirement annually.

------
keeganjw
*Puts tinfoil hat on*

