A practical guide to securing macOS (github.com)
633 points by DemiGuru on Nov 23, 2016 | 84 comments

Guide should probably mention automatically updated Chrome extensions. There have been multiple cases where the owner of a popular extension sold it to a 3rd party that pushed out malicious updates. Tab Manager is the most recent instance that comes to mind: http://security.stackexchange.com/a/130600

Chrome does disable extensions when an update requires new permissions, but that won't catch malicious updates to extensions that require extensive permissions for basic functionality.

All my Chrome extensions are Git repositories in my home directory. Works really well and I can take a look at the changelog after pulling.

Requires the extensions to be open source, of course.

And means that Chrome will nag you about your "developer mode extensions" every time it starts up. I know why they do that, but it's still annoying. :(

This is similar to how Android warns me every single time I reboot that an unknown entity can observe my network traffic. The unknown entity, of course, is me (I've installed a certificate for my Streisand server). But still, it flashes a warning every single time.

Of course, this means that if anyone ever does install a malicious certificate on my phone, I'll be none the wiser. Thanks Google!

Thanks for mentioning your Streisand server. I had no idea this existed. This is amazing!

Here is the GitHub repository if other people are interested: https://github.com/jlund/streisand

The reason for that warning is the fact that when you add a certificate that is not trusted by Android, it goes into the personal cert store. When you add a cert to the personal cert store, the system requires a higher security level to unlock the device. Hence the warning and PIN/password nag.

But if you manage to add your cert to the global system store then Android will not issue any warning. Here's how to do it:

1 - Add your cert normally; it will be stored in your personal store and Android will ask you for a PIN/password.

2 - With a file manager which has root access, browse to /data/misc/keychain/cacerts-added. You should see a file there. This is the certificate you just added at step 1.

3 - Move this file to /system/etc/security/cacerts

4 - Reboot the phone

5 - Now you can clear the PIN/password you have set to unlock the device and there are no warnings.

I won't recommend doing this blindly as by doing this, you are actually man-in-the-middling yourself. But if you know what you are doing, this is the way.

Yeah, and that's even more stupid if your threat model considers your country and ISP as an adversary. We don't all live in nice countries, and in this case not having a VPN is far worse in terms of traffic interception than having your Streisand or similar. I guess Android developers are only aware of suspicious VPN providers and do not even provide an option to reverse this warning banner.

Chrome Dev and Chromium don't do that, however.

The Chrome dev channel didn't use to, but it does now.

The reason why? Malware was switching users to the dev channel to silence the warning. ¯\_(ツ)_/¯

Oops. Thanks for the correction! Looks like Windows and Mac Chrome developers are out of luck now, unless they are brave enough to try a solution listed here:


Chrome on Linux doesn't warn yet (I just tested it) and neither does Chromium.

The price you pay for convenience vs security.

This nag is the reason I switched over to Opera. All chrome extensions work and no nagging message on startup.

I'm okay with that since I rarely restart Chrome anyway.

Be careful. Some of these tools do not include any way to reverse their settings. A friend followed one of these guides and we had to reinstall the OS to get some wireless tech working again (Might have been AirDrop).

AirDrop is pretty finicky anyways. Is there any further detail you can provide here?

I like reading guides like this, and they're useful in a sort of encyclopedic sense, but the problem with them is that they're really a "practical guide to doing every conceivable security thing you could do" with macOS, which is in fact not the best way to secure your operating system. For instance: it's probably not the world's greatest idea to go out of your way to install Adium for secure messaging on a locked-down Mac.

The cryptographic advice in this particular guide is not especially great. You can, for instance, safely ignore what it says about randomness (and, in particular, about how it interacts with FileVault's XTS block crypto). Its advice about password management is needlessly complex (if you trust Keychain, use Keychain Assistant to generate passwords, not OpenSSL --- but most of the cool kids just use 1Password, and they're right to do that).

I suggest pass [1]. It's just gpg with git. If you don't like the command line very much you can use a front end for desktop [2], Android [3] or iOS [4]. There are scripts to migrate from other password managers.

[1] https://www.passwordstore.org/

[2] https://qtpass.org/

[3] https://github.com/zeapo/Android-Password-Store/

[4] https://github.com/davidjb/pass-ios

I have been using pass on Mac and all other computers for over a year. The only thing missing is a proper dmenu alternative for Mac, but I modified https://github.com/oNaiPs/dmenu-mac to work with pass and paste username/password to the clipboard. If I get time I will publish this code because it makes pass fly.

> most of the cool kids just use 1Password

Do you have a view on 1Password versus LastPass?

I do, I've been a heavy user of both for 4+ years, but I'm not a security expert of any kind.

LastPass has been exploited a few times in ways that could have given up passwords. Their UX and server infrastructure seem to be a mess of PHP scripts; that itself doesn't have to be insecure but is a code smell. Their commercial support looks unmaintained. Both platforms support "cloud" based syncing, but since 1Password's is pretty new I can't speak to it.

1Password does local encryption outside of the browser, LastPass will encrypt locally in the browser.

1Password can leverage other file transports to sync passwords, iCloud, DropBox, or any shared directory. LastPass does it all with their servers.

LastPass's web interface if compromised can have you give away the password to all your passwords. 1Password has a much smaller risk of this and would probably have to include a malicious software update.

1Password Families/Teams exists and I'm not familiar with it but it probably has a similar attack vector to LastPass's web interfaces.

You know, they both offer end to end encryption with similar attacks. Overall these companies are big targets and I'd rather keep my passwords offline or synced via side channels in a standalone app like 1Password.

PS: I'd be remiss if I didn't mention Dashlane https://www.dashlane.com/ I hear good things and it's passed review at a few companies who know their stuff, but that's all I know.

> I hear good things and it's passed review at a few companies who know their stuff

Tavis Ormandy found some really bad vulnerabilities in Dashlane (and 1Password). [1] [2] [3] [4]

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=89...

[2] https://twitter.com/taviso/status/769391927892598784

[3] https://twitter.com/taviso/status/763801055725359104

[4] https://twitter.com/taviso/status/773218040758448128

So far as I know, he only found a vulnerability in the Windows version of 1Password, which is now fixed.

I don't know anything about Windows 1Password, but for macOS, I strongly recommend 1Password over any of the alternatives.

After reading this I deleted my LastPass account and came across this message upon trying to log in.


One of the first things I learned about security was not to tell the user which credential was incorrect.

Disclaimer: I'm not a security expert.

The debate that the smart people have on that one still seems to go back and forth. I can find people I respect who have both opinions.

My only contribution is that I suspect that in practice almost every site leaks this info if you try hard enough, via some form of timing attack. You can get off-the-shelf "constant time string comparison" algorithms, but it's impractical to write anything much larger in a constant-time fashion, certainly nothing as complicated as a full authentication flow, especially in the light of the complexity of the systems we program on nowadays, with so many layers of caching to exploit for timing, etc. I've leaned in the direction of going for the user-friendly approach in my code, though I've only come around to that recently.

I mean, honestly, it's not a crazy trade-off to let people see the username, especially if you have a registration page that's going to tell people "sorry, that name is already registered."
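An added example (not from the thread) of the two patterns this comment contrasts, in Python with only the standard library: a login check that leaks which credential failed (distinct messages plus an early return that skips the hash for unknown users) beside one that does the same work and returns the same message on every failure path. The user table, the password and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password digest with PBKDF2-HMAC-SHA256 (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Create a (salt, digest) record with a fresh random salt."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user table for the example (not real credentials).
USERS = {"alice": make_record("correct horse battery staple")}

# Decoy record used when the username does not exist, so that unknown
# usernames still pay the full PBKDF2 cost instead of returning early.
DUMMY_SALT, DUMMY_DIGEST = make_record(secrets.token_hex(16))

GENERIC_ERROR = "Invalid username or password"


def leaky_login(username: str, password: str) -> Tuple[bool, str]:
    """The pattern the comment warns about: distinct messages, an early
    return that skips the expensive hash when the user is unknown, and a
    plain != on the digests. Message and timing both reveal whether the
    username exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, expected = record
    if hash_password(password, salt) != expected:  # not constant-time
        return False, "Wrong password"
    return True, "ok"


def hardened_login(username: str, password: str) -> Tuple[bool, str]:
    """Same work on every path: always run PBKDF2 (against a decoy record
    for unknown users), compare with hmac.compare_digest, and return one
    generic failure message. The final 'record is not None' check runs
    after the expensive hash, so its cost is negligible by comparison."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_DIGEST)
    candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, expected)
    if matched and record is not None:
        return True, "ok"
    return False, GENERIC_ERROR
```

This closes the two largest leaks (skipped hash and early-exit comparison); as the comment notes, the rest of the stack can still leak timing, so this narrows the channel rather than eliminating it.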

I've been using Dashlane for the past 12 months. It is excellent. It integrates well with OSX, Chrome, Firefox and Android, and I haven't heard of any security issues/break-ins or of them handing out everyone's password data to anyone who shouldn't have it. I'm sticking with Dashlane for the foreseeable future. There are certain things that would be "nice to have", such as an API so a command line utility could be built, but I'll deal with it.

A friend recently introduced me to Keepass[1], it seems to be an open source 1Password. I'd be interested in opinions on that, especially @tptacek's.

[1] http://keepass.info/

You will probably get tons of bad comments on KeePass security (especially for 2.x, the "Professional" version, since it's developed with .NET C#), but the KeePass threat model is way easier to handle/secure than any of those cloud based password providers. Just remember to keep it updated and use a password and key to protect your database. Plus remember to read the Security section for clarification on "ways to pwn you": http://keepass.info/help/base/security.html

KeePass has open source clients on every major platform.

A central cloud service using closed source applications for storing passwords just seems like an easy target for assailants.

Friends don't let friends use LastPass.

Use 1Password.


Friends don't let friends use 1Password.

Use Dashlane.

For better sharing and groups, I prefer LastPass.

Yes: use 1Password.

I'm assuming this specifically refers to the 1Password app (iOS and macOS)? Do you have better-informed-than-me opinions of their web based 1Password for Teams? (I'm using it at work, but don't "trust" it in the way I trust my personal passwords to the 1Password apps on my phone and laptop. Not because I know of any specific vulnerabilities, but just because "Web app? surely that's a probably-unnecessary risk for my passwords?")

1Password doesn't seem to support Linux, so that's a big dealbreaker...

I've run 1Password in wine on Arch for years. Both the app and the browser plugin are styled like Win95 applications (even after changing the winecfg settings), but otherwise run flawlessly.

I have wondered if running 1Password through wine would introduce some not-considered attack vector, but I've yet to hear it.

This guide lost me (a noob) at "Create a threat model".

I don't even know what questions to ask. Much less choose the appropriate options.

And I'd have very different answers for my work and home gear.

I think you might be over thinking it, though I can understand how it's a daunting question.

I believe the intent is to ensure that it's understood the list isn't a requirement, but rather the varying options and levels of secure you can have based on your wants/needs.

When asking someone to create a threat model, you can begin with a simple question: "What are you afraid someone will do to your computer?" From this, you can then begin to piece through the list and look for items that address that.

Just care about malware? Look at the scanning tools.

Fearful that some bored teens in Eastern Europe are goofing around with hacking shit? Look at the security and notification tools.

Think Putin is sending the new FSB/KGB after you for your exfiltrated борщ recipe? Look at the disk encryption section. (and perhaps professional help)

Maybe it could use some clarification, but I think the author's intent here was to convey that the list isn't a laundry list of "do this or your computer is going to be attacked", but more that you get what is required for your needs. Many of these tools require that you adopt different computing habits than traditional computing, and not all are applicable to every single use case.

I find really amusing the author does want to hide the installation from Apple, but recommends using Google DNS and Chrome for everything else.

Nice resource.

But what I miss most is a deeper analysis of the different launchd services and agents, especially which ones can be disabled and what features will be impacted.

It is quite opaque, especially considering the verbose descriptions of Windows Services out of the box.

I want to disable all these, for me, useless features: handoff, geo, maps, icloud, push, commCenter, spotlight web, siri, social integration, diagnostics reporting, and many more.

It has been a very annoying experience of seemingly unrelated parts of the OS breaking when disabling anything, and of log spamming from unsuccessful attempts to use it.

The parts of the OS you are describing were not designed in a modular way. It seems to me like you are using the wrong operating system if you want this level of control.

Ah, I'm holding it wrong. :P I use FreeBSD, Linux and Windows. I like macOS, I want to use it, but not under a fascist rule of the one holy way.

It is a tool and should not push policy through arbitrary limitations. But it seems we are caught in a war of lock-in ecosystem providers. Kind of a more realistic version of the much used picture of corporation-states or societies in sci-fi.

Apart from this, hypothetically I might not only be an end-user but also an admin who has to implement certain policies. The argument is never sound; there is always an economic or practical tradeoff, and you are stuck somewhere and have to make it work and make it yours.

What part of macOS do you like and want to use?

The UI is polished, commercial and refined apps are available, and technologically it is a reasonably sound design.

I have my *nix shell with software from macports as well.

I just don't have the motivation or time anymore to make Linux fit my personal computer needs. It always ends up in rabbit holes of tangles to accomplish many things, even when you are actually trying to accomplish something unrelated to playing with it.

Do you think the two might be related? One is modular and configurable and ends up in rabbit holes of tangles and the other is monolithic and controlling but keeps the trains running on time?

Sure they are related. But it's not black and white, and not an absolute correlation.

macOS itself is actually designed in a very modular way if you look at the message based integration of components via XPC and "do one thing" daemons.

I have accepted that I must forfeit some personal preferences in the Apple ecosystem, but I choose to draw the line with not being able to disable intrusive and privacy related features/components.

A similar complaint can be made about Windows, which is more monolithic in its design in my view, but it offers (as mentioned in my top-level comment) proper descriptions and a UI to disable services. Also there are many tools like Win10Privacy and such available which disable a lot, without making the system constantly misbehave.

"trains on time" - While I appreciate the metaphor, when considered carefully, it is more likely linux and the pragmatic approach that makes the "trains run on time" in many fields. (embedded and server-side)

It's designed to be modular for ease of development by Apple folks. Whether they extend the benefits of that modularity to you, the user, is entirely case-by-case -- and the default answer is 'no'.

"Trains on time" was a reference to your original comment (yes, I know it's not really true)

While a government that's "monolithic and controlling but keeps the trains running on time" is clearly a bad thing, it's not clear that the same holds for computers -- particularly for your average user. I'm not too concerned about Apple locking down my machine as long as I can get what I want to get done done -- and that doesn't involve making my tool conform to some ideology. I have more important things to worry about -- even more important infringements on personal freedom -- and I'd rather have my tool work adequately with as little pain as possible.

that doesn't involve making my tool conform to some ideology

The only platform that does this is iOS, which embeds an ideology that forces developers to lock down their apps even against their own wishes, and hence prevents the use of GPLv3 licensed code.

Meanwhile, the major Linux distros include all types of licenses, including proprietary.

Windows is not better than Mac in that sense.

That is certainly true of the more recent versions, but at least there has historically been a far bigger wealth of information about tweaking and modifying Windows than any version of MacOS, no doubt discovered through experimentation and reverse-engineering. On the other hand, Apple's and its users' philosophy has always leaned towards the "don't look, don't touch, just use it as we made it" direction.

Linux and the BSDs are traditionally far in the other direction: extreme flexibility and customisability, but you really do have to configure things before you can start working. Windows is somewhere in the middle but (IMHO unfortunately) moving towards the Mac side.

> The parts of the OS you are describing were not designed in a modular way

On what basis are you saying that?

I really want a wiki for OSX processes & apple urls, integrated with little snitch & other app/network analyzers too.

That way we can find out what is gamed, or passd, or what the hell is pancake.apple.com for.

They should all have man pages already. (That's Game Center and Passbook/Wallet though.)

"Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead)"

If your adversary is a 3 letter agency you'd better use no computer at all. If they can't subvert the OS (which I doubt) they'll subvert the hardware (hello Intel ME).

I used to follow the changes a lot on this repo. Lots of great discussion in the issues of balancing practicality and security. Like @ents mentioned though, there are some irreversible changes if you do everything they recommend. Although it'll make you more secure.

I don't do most of this. I'm waiting until I decide to wipe my Mac and have plenty of time to play with it. (which is going to be when exactly? Not sure.)

> I'm waiting until I decide to wipe my Mac and have plenty of time to play with it.

Clone a copy of your drive (use something like super duper) and then simply boot from the cloned drive. The clone drive can be another physical drive (attached via USB) or just use disk utility to create a separate partition and clone a copy there.

Yea I guess I could do that. Play around with it and see how it feels and then I can wipe it over again if I want to.

How often you find yourself locked out of your house obeys Murphy's Law, add lots of security and you will find yourself annoyingly locked out for silly reasons all the time. Have just the one simple lock on the door and you probably will not end up locked out, particularly given there is a key under the mat.

I had a laptop of mine retrieved by the police from a big rubbish bin. The screen was broken, it did boot up though. Another time I had the broken screen after being hit by a car. These things happen and I am always sure I can get in even if keyboard/screen/mouse isn't an option. It is more useful for me to be able to somehow access my machine even if broken, I imagine there will be circumstances of that.

When the police retrieved my laptop I wasn't exactly worried about my obvious login password or whether I had locked down that mysql port sufficiently. The thief wasn't even literate so those extreme security measures wouldn't have helped.

Is there some way to have some faith from what you're getting from brew? In other words, can I verify installations from brew somehow?

Yes, brew automatically checks that hashes of downloads match what was specified in the formula. This does mean you're trusting the formula maintainer(s), but anyone using brew is already doing that anyway.


Frankly, I am starting to have serious reservations about brew itself. It seems to now be forcing a self-update on every package installation, and that update somehow (I'm not a good enough *nix hacker to sort it out) gets some kind of elevated privs in the process: I've tried setting some of its component Ruby scripts read-only and even changing ownership, and they still get force-updated on package installation.

> http://brew.sh/ the home site shows a simple wget example for homebrew formulae

The chain of trust is solid up until make and configure happen; at that point any number of things could happen, so it's a question of whether or not you trust whatever scripts it's running.

Unless homebrew has some sort of enforcement on what that script can do, it could do anything. This is why it's a really good thing that homebrew does not require root.

> unless homebrew has some sort of enforcement on what that script can do

Anything from our Homebrew/core (i.e. wget) uses the macOS sandbox to prevent writes outside of permitted locations.

Was curious what would happen if you set the firmware to only boot from the startup disk and it crashed ...

Seems like MacOS does the reasonable thing and prompts for the firmware password if you use a different disk.


Any thoughts on doing work in virtual machines?

I have an MBP as my primary machine, and I do all of my development work in a VirtualBox VM running Ubuntu. MacOS seems a lot more stable without 40 GB of development stuff installed.

Is there a similar guide but for Windows?

Google mostly shows you guides from merchants trying to get you buy AV licenses.

I quite enjoy this script called make_windows10_great_again.bat https://gist.github.com/IntergalacticApps/675339c2b805b4c9c6...

Keep in mind this is a very rigorous script and modifies Windows 10 beyond recognition. In fact it kind of makes Win10 appear and function more like Windows 8.

I'd gladly use one. If anyone has some links, please share.

The one I've found: http://hardenwindows10forsecurity.com/index.html

Wow, and people laughed at all the Windows 10 antispy tools/script packs. Turns out this is the state of personal computing in 2016, nothing is decent out of the box anymore :(

Very nice. Thank you for this! :)

Step one: Don't use macOS

You're probably being downvoted because you didn't elaborate, but I agree with your implied premise: proprietary software is inherently insecure.

> proprietary software is inherently insecure

Unlike widely used and security-critical open source projects, right? Like, say, OpenSSL?

("All hardware sucks. All software sucks." This is at least as true these days as it was back on alt.sysadmin.recovery in the '90s)

At least in the case of free (as in freedom) software, the vulnerabilities can be exposed and patched. More importantly (and more relevant to this discussion), software freedom also tends to make it difficult for the original developer to hide malicious features.

Theoretically, yes, but if you're going to make that claim you'd need some hard data showing that exploitable bugs either happen less frequently or are getting patched earlier.

Care to show your data and analysis?

To be fair - they didn't make that claim, just left it up to you to assume the dichotomy.

It can be (and arguably is) true that "proprietary software is inherently insecure" without requiring an opposite statement like "open source software is inherently secure" to also hold. (The wording in context _does_ strongly suggest that was the implied premise of the implied premise, though.)

How can I obtain reliable data on non-free software when the public cannot study the source code?

You also seem to discount the possibility of _intentional_ vulnerabilities (from the user's perspective) being included in the software by its developer.

You appear to be unaware of the large industry reverse-engineering software of all sorts. You could compare comparable projects and see whether source availability correlates with fewer vulnerabilities, lower severity, etc.

Similarly, the security community has discussed the possibility of intentional vulnerabilities in open source software for decades. Sure, someone would probably notice if you submitted secret-nsa-exploit.patch, but it's unclear that someone would notice if e.g. you submitted a Heartbleed-style bug, not to mention something like the NSA's dual curve backdoor.

To be clear, I've been working with open-source software since the mid-90s. I think the model has a lot to offer but it's not magic. Lazy fanboy activism doesn't do anything but lower your credibility and help the companies which are arguing that open-source isn't safe to use (or isn't safe to use without paying them to manage it).

