
A practical guide to securing macOS - DemiGuru
https://github.com/drduh/macOS-Security-and-Privacy-Guide
======
jamesgeck0
Guide should probably mention automatically updated Chrome extensions. There
have been multiple cases where the owner of a popular extension sold it to a
3rd party that pushed out malicious updates. Tab Manager is the most recent
instance that comes to mind:
[http://security.stackexchange.com/a/130600](http://security.stackexchange.com/a/130600)

Chrome does disable extensions when an update requires new permissions, but
that won't catch malicious updates to extensions that require extensive
permissions for basic functionality.

~~~
lima
All my Chrome extensions are Git repositories in my home directory. Works
really well and I can take a look at the changelog after pulling.

Requires the extensions to be open source, of course.

~~~
duskwuff
And means that Chrome will nag you about your "developer mode extensions"
every time it starts up. I know why they do that, but it's still annoying. :(

~~~
wtbob
This is similar to how Android warns me every single time I reboot that an
unknown entity can observe my network traffic. The unknown entity, of course,
is _me_ (I've installed a certificate for my Streisand server). But still, it
flashes a warning _every_ _single_ _time_.

Of course, this means that if anyone ever _does_ install a malicious
certificate on my phone, I'll be none the wiser. Thanks Google!

~~~
eneveu
Thanks for mentioning your Streisand server. I had no idea this existed. This
is amazing!

Here is the GitHub repository if other people are interested:
[https://github.com/jlund/streisand](https://github.com/jlund/streisand)

------
tptacek
I like reading guides like this, and they're useful in a sort of encyclopedic
sense, but the problem with them is that they're really a "practical guide to
doing every conceivable security thing you could do" with macOS, which is in
fact not the best way to secure your operating system. For instance: it's
probably not the world's greatest idea to go out of your way to install Adium
for secure messaging on a locked-down Mac.

The cryptographic advice in this particular guide is not especially great. You
can, for instance, safely ignore what it says about randomness (and, in
particular, about how it interacts with FileVault's XTS block crypto). Its
advice about password management is needlessly complex (if you trust Keychain,
use Keychain Assistant to generate passwords, not OpenSSL --- but most of the
cool kids just use 1Password, and they're right to do that).

~~~
JumpCrisscross
> _most of the cool kids just use 1Password_

Do you have a view on 1Password versus LastPass?

~~~
reconbot
I do. I've been a heavy user of both for 4+ years, but I'm not a security
expert of any kind.

LastPass has been exploited a few times in ways that could have given up
passwords. Their UX and server infrastructure seem to be a mess of PHP
scripts; that itself doesn't have to be insecure, but it is a code smell. Their
commercial support looks unmaintained. Both platforms support "cloud"-based
syncing, but since 1Password's is pretty new I can't speak to it.

1Password does local encryption outside of the browser, LastPass will encrypt
locally in the browser.

1Password can leverage other file transports to sync passwords: iCloud,
Dropbox, or any shared directory. LastPass does it all with their servers.

LastPass's web interface, if compromised, can have you give away the password to
all your passwords. 1Password has a much smaller risk of this, and it would
probably have to involve a malicious software update.

1Password Families/Teams exists and I'm not familiar with it but it probably
has a similar attack vector to LastPass's web interfaces.

You know, they both offer end to end encryption with similar attacks. Overall
these companies are big targets and I'd rather keep my passwords offline or
synced via side channels in a standalone app like 1Password.

PS: I'd be remiss if I didn't mention Dashlane
[https://www.dashlane.com/](https://www.dashlane.com/). I hear good things and
it's passed review at a few companies who know their stuff, but that's all I
know.

~~~
milkytron
After reading this I deleted my LastPass account and came across this message
upon trying to log in.

[http://imgur.com/a/SFpWw](http://imgur.com/a/SFpWw)

One of the first things I learned about security was not to tell the user
which credential was incorrect.

Disclaimer: I'm not a security expert.

~~~
jerf
The debate that the smart people have on that one still seems to go back and
forth. I can find people I respect who have both opinions.

My only contribution is that I suspect that in practice almost every site
leaks this info if you try hard enough, via some form of timing attack. You
can get off-the-shelf "constant time string comparison" algorithms, but it's
impractical to write anything much larger in a constant-time fashion,
certainly nothing as complicated as a full authentication flow, especially in
the light of the complexity of the systems we program on nowadays, with so
many layers of caching to exploit for timing, etc. I've leaned in the
direction of going for the user-friendly approach in my code, though I've only
come around to that recently.

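The enumeration leak discussed in the two comments above, as an added example for this thread (not code from the guide): a login check that leaks both through distinct error messages and through the timing gap left when the expensive hash is skipped for an unknown user, beside a version with one failure message, the same work on every path, and a constant-time digest comparison. The user table, salt and iteration count are constructed.

```python
import hashlib
import hmac
import time

ITERATIONS = 50_000  # constructed; real deployments tune this to their hardware

def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: deliberately slow, so skipping it is measurable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user table (username -> (salt, stored hash)); not from the guide.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}

# Dummy record so the unknown-user path does the same PBKDF2 work as the
# known-user path.
_DUMMY = (b"dummy-salt", derive("not-a-real-password", b"dummy-salt"))

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Two leaks: a distinct message per failure, and an early return that
    skips the expensive hash when the user does not exist (timing)."""
    rec = USERS.get(username)
    if rec is None:
        return False, "no such user"
    salt, expected = rec
    if derive(password, salt) == expected:  # also not a constant-time compare
        return True, "ok"
    return False, "wrong password"

def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One failure message, the same work on every path, and a constant-time
    digest comparison; the membership check runs after the compare."""
    salt, expected = USERS.get(username, _DUMMY)
    candidate = derive(password, salt)
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    return ok, ("ok" if ok else "invalid username or password")

def elapsed(fn, *args) -> float:
    """Wall-clock seconds for one call, enough to expose the early-return gap."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        for user in ("nobody", "alice"):
            t = elapsed(fn, user, "wrong")
            print(f"{fn.__name__:14} {user:7} {fn(user, 'wrong')[1]:30} {t*1000:.1f} ms")
```

Running it shows the unknown-user call to `login_leaky` returning in microseconds while every other call pays the full PBKDF2 cost; as the comment above notes, this only closes the gap in the comparison itself, not in the rest of the authentication flow.
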
------
ents
Be careful. Some of these tools do not include any way to reverse their
settings. A friend followed one of these guides and we had to reinstall the OS
to get some wireless tech working again (might have been AirDrop).

~~~
wool_gather
AirDrop is pretty finicky anyways. Is there any further detail you can provide
here?

------
tessela
I find it really amusing that the author wants to hide the installation from
Apple, but recommends using Google DNS and Chrome for everything else.

------
ysleepy
Nice resource.

But what I miss most is a deeper analysis of the different launchd services
and agents, especially which ones can be disabled and what features will be
impacted.

It is quite opaque, especially considering the verbose descriptions of Windows
Services out of the box.

I want to disable all these, for me, useless features: handoff, geo, maps,
icloud, push, commCenter, spotlight web, siri, social integration, diagnostics
reporting, and many more.

It has been a very annoying experience of seemingly unrelated parts of the OS
breaking when disabling anything, and log spamming of unsuccessful attempts
to use it.

~~~
callalex
The parts of the OS you are describing were not designed in a modular way. It
seems to me like you are using the wrong operating system if you want this
level of control.

~~~
ysleepy
Ah, I'm holding it wrong. :P I use FreeBSD, Linux and Windows. I like macOS, I
want to use it, but not under a fascist rule of the one holy way.

It is a tool and should not push policy through arbitrary limitations. But it
seems we are caught in a war of lock-in ecosystem providers. Kind of a more
realistic version of the much used picture of corporation-states or societies
in sci-fi.

Apart from this, hypothetically I might not only be an end-user but also an
admin who has to implement certain policies. The argument is never sound; there
is always an economic or practical tradeoff, and you are stuck somewhere and
have to make it work and yours.

~~~
gok
What part of macOS do you like and want to use?

~~~
ysleepy
The UI is polished, commercial and refined apps are available, and
technologically it is a reasonably sound design.

I have my *nix shell with software from macports as well.

I just don't have the motivation or time anymore to make Linux fit my personal
computer needs; it always ends up in rabbit holes of tangles to accomplish
many things, even when you are actually trying to accomplish something unrelated
to playing with it.

~~~
rahoulb
Do you think the two might be related? One is modular and configurable and
ends up in rabbit holes of tangles and the other is monolithic and controlling
but keeps the trains running on time?

~~~
ysleepy
Sure they are related. But it's not black and white, and not an absolute
correlation.

macOS itself is actually designed in a very modular way if you look at the
message based integration of components via XPC and "do one thing" daemons.

I have accepted that I must forfeit some personal preferences in the Apple
ecosystem, but I choose to draw the line with not being able to disable
intrusive and privacy related features/components.

A similar complaint can be made about Windows, which is more monolithic in its
design in my view, but it offers (as mentioned in my top-level comment) proper
descriptions and a UI to disable services. Also there are many tools like
Win10Privacy and such available which disable a lot without making the system
constantly misbehave.

"trains on time" - While I appreciate the metaphor, when considered
carefully, it is more likely Linux and the pragmatic approach that makes the
"trains run on time" in many fields (embedded and server-side).

~~~
ghostly_s
It's designed to be modular for ease of development by Apple folks. Whether
they extend the benefits of that modularity to you, the user, is entirely
case-by-case -- and the default answer is 'no'.

------
jmnicolas
"Is your adversary a three letter agency (if so, you may want to consider
using OpenBSD instead)"

If your adversary is a 3 letter agency you'd better use no computer at all. If
they can't subvert the OS (which I doubt) they'll subvert the hardware (hello
Intel ME).

------
0xCMP
I used to follow the changes a lot on this repo. Lots of great discussion in
the issues of balancing practicality and security. Like @ents mentioned
though, there are some irreversible changes if you do _everything_ they
recommend. Although it'll make you more secure.

I don't do most of this. I'm waiting until I decide to wipe my Mac and have
plenty of time to play with it. (which is going to be when exactly? Not sure.)

~~~
gist
> I'm waiting until I decide to wipe my Mac and have plenty of time to play
> with it.

Clone a copy of your drive (use something like SuperDuper) and then simply
boot from the cloned drive. The clone drive can be another physical drive
(attached via USB), or just use Disk Utility to create a separate partition and
clone a copy there.

~~~
0xCMP
Yeah, I guess I could do that. Play around with it and see how it feels, and
then I can wipe it over again if I want to.

------
Theodores
How often you find yourself locked out of your house obeys Murphy's Law: add
lots of security and you will find yourself annoyingly locked out for silly
reasons all the time. Have just the one simple lock on the door and you
probably will not end up locked out, particularly given there is a key under
the mat.

I had a laptop of mine retrieved by the police from a big rubbish bin. The
screen was broken; it did boot up though. Another time I had the broken screen
after being hit by a car. These things happen, and I am always sure I can get
in even if keyboard/screen/mouse isn't an option. It is more useful for me to
be able to somehow access my machine even if broken; I imagine there will be
circumstances of that.

When the police retrieved my laptop I wasn't exactly worried about my obvious
login password or whether I had locked down that MySQL port sufficiently. The
thief wasn't even literate, so those extreme security measures wouldn't have
helped.

------
tolmasky
Is there some way to have some faith from what you're getting from brew? In
other words, can I verify installations from brew somehow?

~~~
jjn2009
> [http://brew.sh/](http://brew.sh/) the home site shows a simple wget example
> for homebrew formulae

The chain of trust is solid up until make and configure happen; at that point
any number of things could happen, so it's a question of whether or not you
trust whatever scripts it's running.

Unless Homebrew has some sort of enforcement on what that script can do, it
could do anything. This is why it's a really good thing that Homebrew does not
require root.

~~~
mikemcquaid
> unless homebrew has some sort of enforcement on what that script can do

Anything from our Homebrew/core (i.e. wget) uses the macOS sandbox to prevent
writes outside of permitted locations.

------
jdeibele
Was curious what would happen if you set the firmware to only boot from the
startup disk and it crashed ...

Seems like macOS does the reasonable thing and prompts for the firmware
password if you use a different disk.

[https://support.apple.com/en-ca/HT204455](https://support.apple.com/en-ca/HT204455)

------
tolmasky
Any thoughts on doing work in virtual machines?

~~~
brobinson
I have a MBP as my primary machine, and I do all of my development work in a
VirtualBox VM running Ubuntu. macOS seems a lot more stable without 40 GB of
development stuff installed.

------
TurboHaskal
Is there a similar guide but for Windows?

Google mostly shows you guides from merchants trying to get you to buy AV
licenses.

~~~
ergot
I quite enjoy this script called make_windows10_great_again.bat
[https://gist.github.com/IntergalacticApps/675339c2b805b4c9c6...](https://gist.github.com/IntergalacticApps/675339c2b805b4c9c6e9a442e0121b1d)

Keep in mind this is a very rigorous script and modifies Windows 10 beyond
recognition. In fact it kind of makes Win10 appear and function more like
Windows 8.

------
gok
That time of year again?
[https://news.ycombinator.com/item?id=10148077](https://news.ycombinator.com/item?id=10148077)

------
rasz_pl
Wow, and people laughed at all the Windows 10 antispy tools/script packs.
Turns out this is the state of personal computing in 2016, nothing is decent
out of the box anymore :(

------
leetbulb
Very nice. Thank you for this! :)

------
pttrsmrt
Step one: Don't use macOS

~~~
ralmidani
You're probably being downvoted because you didn't elaborate, but I agree with
your implied premise: proprietary software is inherently insecure.

~~~
bigiain
> proprietary software is inherently insecure

Unlike widely used and security-critical open source projects, right? Like,
say, OpenSSL?

("All hardware sucks. All software sucks." This is at least as true these days
as it was back on alt.sysadmin.recovery in the '90s)

~~~
ralmidani
At least in the case of free (as in freedom) software, the vulnerabilities can
be exposed and patched. More importantly (and more relevant to this
discussion), software freedom also tends to make it difficult for the original
developer to hide malicious features.

~~~
acdha
Theoretically, yes, but if you're going to make that claim you'd need some
hard data showing that exploitable bugs either happen less frequently or are
found and patched earlier.

Care to show your data and analysis?

~~~
ralmidani
How can I obtain reliable data on non-free software when the public cannot
study the source code?

You also seem to discount the possibility of _intentional_ vulnerabilities
(from the user's perspective) being included in the software by its developer.

~~~
acdha
You appear to be unaware of the large industry reverse-engineering software of
all sorts. You could compare comparable projects and see whether source
availability correlates with fewer vulnerabilities, lower severity, etc.

Similarly, the security community has discussed the possibility of intentional
vulnerabilities in open-source software for decades. Sure, someone would
probably notice if you submitted secret-nsa-exploit.patch, but it's unclear
that someone would notice if e.g. you submitted a Heartbleed-style bug, not to
mention something like the NSA's dual curve backdoor.

To be clear, I've been working with open-source software since the mid-90s. I
think the model has a lot to offer but it's not magic. Lazy fanboy activism
doesn't do anything but lower your credibility and help the companies which
are arguing that open-source isn't safe to use (or isn't safe to use without
paying them to manage it).

