
A practical guide to securing macOS - migueldemoura
https://github.com/drduh/macOS-Security-and-Privacy-Guide
======
tptacek
There is some seriously folkloric jibber-jabber in here. For instance, you do
not need to wait until after installation to enable FileVault because "there
is more entropy available to the system". Nor can you test the security of a
CSPRNG by running "ent" on it!

In the same vein: _don't_ run out and sign up for a commercial OpenVPN
hosting service, and for Christ's sake don't install AV software on your Mac.

I kind of love how this is like 19 pages of rubber chicken "defaults write"
commands, followed by advice to use Transmission to torrent videos to watch in
VLC.

~~~
noja
Why shouldn't you install AV software on a Mac? It's the least hardened of all
current OSes. Luckily it's not attacked very often.

~~~
akerl_
It seems unlikely that that could be the case: that Macs, which have massive
market share in the kinds of places that attackers would want to compromise,
have the least hardening and also aren't attacked very often.

Can you clarify which other OSes you'd consider to be more hardened?

~~~
tedunangst
Where do we get the idea that attackers target Macs? The DNC hack, to pick one
notable example, primarily targeted Windows computers.

------
tambourine_man
_> a modern Apple Macintosh computer ("MacBook")_

I don’t get this. Does the author think Apple only makes laptops now? Don't
the iMac and Mac Mini qualify as modern?

~~~
mattkevan
The current Mac mini? Probably not...

~~~
tambourine_man
Yeah, unintended joke there.

------
briandear
Ridiculous guide.

> Care should be taken when installing new software. Always prefer free and
> open source software (which macOS is not)

“Free” doesn’t have anything to do with security and there are plenty of
profound security flaws with all software — open source doesn’t make it
inherently more safe.

One of the most serious security issues of the past few years came from
OpenSSL/Heartbleed. Equifax was from unpatched Apache Struts — while the cause
was negligence on the part of Equifax, it happened due to a vulnerability in open
source software. I am definitely not arguing that closed source is more
secure, but I am arguing that open and closed source can have significant
vulnerabilities. One is not inherently safer than another; it depends on how
it is used. Apache Struts had a significant vulnerability before it was
patched — which means that it was unsafe at some point. How many years was
OpenSSL vulnerable before the exploit was discovered? Closed source certainly
doesn’t fare much better, however implying that open source is always safer is
just incorrect. I use “always” here because the author said to “always” prefer
free and open source over closed source. His qualifier, not mine. Always is a
very strong word. Many open source projects are often at the level of a hobby,
with part time, occasionally unprofessional management and processes. Of
course many closed source software also has unprofessional management and
processes as well. I am simply disputing the implication that open source is
always better: it’s not. Often and perhaps generally, but not always. I would
trust Apple closed source more than some rubygem created and maintained by a
single developer as a side project, with dependencies created by other
hobbyists as a side project. A rubygem, for example, is dependent on the
security competency of the weakest dependency. Often the projects are well
secured — but definitely not always.

I am a big supporter of open source, but arguing that open source is always
more secure is just factually incorrect. And the “free” aspect is a political
benefit, not a security one.

The author also has a clear lack of understanding of how FileVault works as an
example, which calls into question any other recommendations made in this
guide.

------
kjullien
I have been running Linux for some months now on my workplace MBP ever since
the whole root with empty password fiasco. I don't trust macOS in any manner
no matter how many fixes you try and apply to it, for some reason I feel like
I simply can't trust macOS security wise for my part.

Only darn problem is I can't get my speakers working so I use Bluetooth
headphones, but for a work machine it's fine.

~~~
evilduck
Desktop Linux is not exempt from security compromising mistakes either.
There’s been plenty of equally bad ones, like pressing backspace 28 times to
bypass Grub.

~~~
kjullien
You say "equally bad ones" and give the grub backspace bug as an example.

Thing is 1. Grub password != file-system password. If you are using a grub
password you are probably also using a user account password, as it is a
requirement of a Linux user account. 2. The grub rescue shell that you could
access using this overflow also won't let you do much in terms of actual user
file-system penetration, even more so if you encrypt your partition.

Now for macOS, if you had remote desktop services enabled when the "bug" was
discovered, you could simply remote desktop into the machine with these
logins. (see
https://twitter.com/patrickwardle/status/935639234437935105)

I agree with you that flaws do exist as in any software, nothing can truly be
secure, that's the first rule of security. Thing is I trust a community of
people that work openly under constant scrutiny (code reviews, audits...) over
a company that has shown repeatedly that they do no testing of any form on
their release products (I also think they have completely lost touch with
their customers, except if their niche is college kids that need them to write
Pages and send emojis to their friends, but I digress).

This was shown time and time again, with the most recent fiasco being that
they did not test _heavy CPU usage_ on their latest MBP line which meant
anybody simply rendering a video with say an obscure tool like Final Cut Pro
would effectively throttle your CPU to the point where using all its cores
would be equivalent to using one. When a company that is supposed to be all
about the "out of the box" experience cannot even deliver a computer that can
be used to, let's say, do computing, I think it shows a lack of care for my
business, which is entirely fine by me. Other examples: touch-bar (people
want physical keys, not emojis, at least I do), butterfly keyboard (had to
send my machine in for the free repair program) and the first MBP to offer
32GB of RAM came out a month ago, let that sink in...

Apple has entirely lost their focus of computers, understandably so when 90%
of their profits come from iPhone sales, and even the iPhone is becoming more
and more of a joke every year. The iPhone #bendgate controversy that spawned
from the iPhone 6 Plus (the last Apple product I have, and will have purchased
for myself) is a perfect example: "We didn't engineer a shitty model, the
people are using it wrong!", every iPhone since then is based off of the
iPhone 6 Plus design and every iPhone has the same hardware flaws since then,
Louis Rossmann did a great video about this (see
https://www.youtube.com/watch?v=Lgv7aktFErA).

I'm not saying they are going to go bankrupt, that will probably never happen,
but they have lost their "let the technology be a consequence of the journey"
philosophy. First people to give up were media content producers, then
developers. Maybe now their new niche are college kids as I said earlier...

I used to be the biggest Apple fanboy out of them all but where is the new
Apple II, the new Powerbook, the new iPod, the new iPhone... They simply don't
think this way any more, something is missing.

Next laptop I'm asking for at work will 100% not be an MBP, probably a ThinkPad
or an XPS Dev Edition.

------
andrewmcwatters
Goodness, I'm floored. There's an absolutely incredible amount of insight in
that document. I can only imagine how many years of collective experiences and
digging have resulted in this compilation.

~~~
pvg
I think it's probably worth approaching this very skeptically as a guide to
improving the actual security of your Mac. Big swathes of it are really 'fun
ways to nerdfiddle with your system' that don't actually do anything to make
it more secure and quite a bit of the fiddling can arguably make it
substantially less secure.

