Frankly, if all you do is create a separate administrator user, leaving your day to day account as standard, and enable disk encryption, you’re going to be so much more secure than the default target.
Encryption is super important because it secures your data in case your machine is stolen. There is an active market for identity data from stolen hard disks; don’t be that victim.
It sucks.
I've done this for several years now. I also value this approach for psychological reasons: whenever you do need to perform some sysadmin action, you invariably need to type the password for the admin account rather than your usual login or unlock password. This different password is enough to make me pause and think whether this administrative action is really worth doing.
Essentially you can still be the admin on your account but this app can make you a general user. When you need to install anything, run the app and grant yourself temporary admin rights. If you deploy this to employees with a management system, you can define default reversion to general user. It addresses the need to not allow users to be admins all the time, grants only when the need it for installation.
Hardening operating systems is extremely difficult, I put a ton of research into it, but making it harder for APTs is always valuable. Linux with GRSecurity used to be the gold standard. Not sure what is now.
I noticed a lot of "zero days" or vulnerbilities target specific versions of popular software so there may be plenty of security in obscurity just based on the nature of the hacking business. And there's a huge shadowy hacking business if you weren't aware.
And as a side note one thing I learned from grugq is that managing your identity online is worth 10 fold than any of this hardening business. Creating fake identities with real back stories and linkedin pages etc. That sort of thing. But that getting a little deep into the "shadowy arts" of the infosec world.
> NSA released a now older OSX hardening PDF, still lots of relevant stuff:
> Disable Unnecessary Services: The following services can be found in /System/Library/ LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified: sudo launchctl unload -w PathToPlistFile
Today, you can't do that unless you disable, well, a different security setting.
Got a newer Mac from work and upgraded it to Big Sur—Big mistake. If I hadn't installed Little Snitch from a recommendation here I'd have not known it runs dozens of chatty network services by default with no way to disable them. Many communicating and uploading metrics to services like icloud and local bonjour, whether you use them or not.
Not only that, but with the system volume is read only, so there is no obvious way to disable them from running without defeating other security. Any tips to disable these easily on the latest OS?
All in all for company that touts privacy, I found it all a bit shocking really.
That's always been one of my biggest gripes with Apple. Their security theater was particularly convincing for a while, but in recent years it's been going downhill, hard. The T2 chip was dedicated hardware for a prng generator, the "secure enclave" is based on technology that has been cracked for years, and their team actively ignores security researchers who report vulnerabilities to them. It's definitely one of the deciding factors keeping me on Linux.
I always find myself clearing the drive in order to install the latest macOS. Perhaps psychological, but it always gives me a fresh starting point that is benefited by an implicit boost in performance. While it does require some time for setup, and much of what I do is manual, I never regret it --almost like spring cleaning.
Maybe I am getting old but I find “starting fresh” to be extremely expensive. I recently had to do this with my work MacBook which cannot restore from Time Machine for... reasons.
I don’t know what settings I changed six months or a year or four years ago. I just know that my mouse should scroll that way, not this way. Time Machine makes sure these settings persist between disasters so I don’t generally try to track them. Historically upgrades maintained the settings where they make sense. Over time my environment adapted to my preference.
But with the recent more drastic changes in Big Sur (and my fresh start) I find myself constantly having to re-learn really basic things like how to manage notifications. What used to be one click is three, or gestures that used to do one thing (drag right to dismiss) now do something unexpected (dismiss all notifications for an app). I don’t know how much of this is a setting and how much is just new behavior.
It has been an infuriating experience. I don’t even know how to use my computer and I feel powerless. I also have very little motivation to learn the “new” way because I know it will just change again in a year. So the time I invest now will be wasted.
It’s extremely demoralizing. One of the hardest things I do during the day is try to navigate my desktop environment. I have an adversarial relationship with my MacBook. There’s very little cognitive energy left to do my actual job. I don’t feel like it is improving, my computer is just in my way.
I keep a file listing software I installed and my usual settings I need to set. Some 30 packages, including UI tools. The homebrew package installer supports a 'Brewfile' which will install everything in one step. https://thoughtbot.com/blog/brewfile-a-gemfile-but-for-homeb...
Is there any good solution to choosing the admin password? I always hear a strong password is recommended, but this becomes very annoying very fast since you have to type it in quite often, and password managers can't help you here.
I like diceware passwords, a random set of common words, for this, often with a few random characters thrown in. It's still long, but I find them to be faster to type and memorize than random characters.
Generates 8 random characters excluding punctuation that is often not allowed in passwords. You can change `head -c 8` to the desired length of the password. If you get something difficult to type, just generate another one.
Would a thumb print reader be viable in this case? Can those provide arbitrary strings? I'd still store the password in a manager in case that device breaks.
This is a nice starting point. It seems like it was written from someone who's fairly paranoid (not trying to judge the value or correctness of paranoia, here), which means that it's not too hard to customize it--if you are less paranoid, skip some of these steps.
Some of these are good advice if you prioritize security over usability, as some legitimately need to do. Some of these have nothing at all to do with "Hardening macOS" and will have no measurable effect on security whatsoever, especially when state attackers are excluded from consideration (as the page itself states). Why are these things mixed together into a single guide?
Or, to present one specific example of this mixed-messages issue:
How precisely does the listed step "Disable Crash Reporter" harden macOS against being attacked, when nation-states are excluded from consideration?
Here's a somewhat dated example of such a setup: https://github.com/memco/dotfiles. Basically, you just need the install.sh if all you care about is macOS preferences, but you can also add in something like the brewfile so that you can also install your apps. My brewfile leverages MAS so that I can install stuff from the app store in addition to what's available via brew. I haven't automated app preferences, but macOS and apps are just a clone, `./install.sh && brew bundle --file Brewfile` away.
[+] [-] ttul|4 years ago|reply
Encryption is super important because it secures your data in case your machine is stolen. There is an active market for identity data from stolen hard disks; don’t be that victim. It sucks.
[+] [-] dmix|4 years ago|reply
If your machine is stolen and off*
I always turn my computer(s) and phone off before entering airports and other similar areas. They can ask me before Cellebriting them.
Not that I've ever done anything wrong, it's just for the ethics of it all. Privacy is critically important.
[+] [-] kccqzy|4 years ago|reply
[+] [-] someonehere|4 years ago|reply
https://github.com/SAP/macOS-enterprise-privileges
Essentially you can still be the admin on your account but this app can make you a general user. When you need to install anything, run the app and grant yourself temporary admin rights. If you deploy this to employees with a management system, you can define default reversion to general user. It addresses the need to not allow users to be admins all the time, grants only when the need it for installation.
[+] [-] dmix|4 years ago|reply
https://cirka.net/wiki/_media/macosx_hardening_tips.pdf
And NIST did a long form one as well for macOS Sierra (10.2)
https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev...
Hardening operating systems is extremely difficult, I put a ton of research into it, but making it harder for APTs is always valuable. Linux with GRSecurity used to be the gold standard. Not sure what is now.
I noticed a lot of "zero days" or vulnerbilities target specific versions of popular software so there may be plenty of security in obscurity just based on the nature of the hacking business. And there's a huge shadowy hacking business if you weren't aware.
And as a side note one thing I learned from grugq is that managing your identity online is worth 10 fold than any of this hardening business. Creating fake identities with real back stories and linkedin pages etc. That sort of thing. But that getting a little deep into the "shadowy arts" of the infosec world.
[+] [-] Wowfunhappy|4 years ago|reply
> Disable Unnecessary Services: The following services can be found in /System/Library/ LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified: sudo launchctl unload -w PathToPlistFile
Today, you can't do that unless you disable, well, a different security setting.
[+] [-] satysin|4 years ago|reply
Also the macOS Security and Privacy Guide may be of interest
https://github.com/drduh/macOS-Security-and-Privacy-Guide
as discussed on HN last year https://news.ycombinator.com/item?id=24242890
[+] [-] Pokepokalypse|4 years ago|reply
[+] [-] mixmastamyk|4 years ago|reply
Not only that, but with the system volume is read only, so there is no obvious way to disable them from running without defeating other security. Any tips to disable these easily on the latest OS?
All in all for company that touts privacy, I found it all a bit shocking really.
[+] [-] smoldesu|4 years ago|reply
[+] [-] aaomidi|4 years ago|reply
It needs to be chatty.
[+] [-] Klonoar|4 years ago|reply
[+] [-] sneak|4 years ago|reply
https://sneak.berlin/20210202/macos-11.2-network-privacy/
(pcaps linked in the post, too.)
[+] [-] KLVTZ|4 years ago|reply
I always find myself clearing the drive in order to install the latest macOS. Perhaps psychological, but it always gives me a fresh starting point that is benefited by an implicit boost in performance. While it does require some time for setup, and much of what I do is manual, I never regret it --almost like spring cleaning.
[+] [-] mulmen|4 years ago|reply
I don’t know what settings I changed six months or a year or four years ago. I just know that my mouse should scroll that way, not this way. Time Machine makes sure these settings persist between disasters so I don’t generally try to track them. Historically upgrades maintained the settings where they make sense. Over time my environment adapted to my preference.
But with the recent more drastic changes in Big Sur (and my fresh start) I find myself constantly having to re-learn really basic things like how to manage notifications. What used to be one click is three, or gestures that used to do one thing (drag right to dismiss) now do something unexpected (dismiss all notifications for an app). I don’t know how much of this is a setting and how much is just new behavior.
It has been an infuriating experience. I don’t even know how to use my computer and I feel powerless. I also have very little motivation to learn the “new” way because I know it will just change again in a year. So the time I invest now will be wasted.
It’s extremely demoralizing. One of the hardest things I do during the day is try to navigate my desktop environment. I have an adversarial relationship with my MacBook. There’s very little cognitive energy left to do my actual job. I don’t feel like it is improving, my computer is just in my way.
[+] [-] mtmail|4 years ago|reply
[+] [-] comboy|4 years ago|reply
brew install this-will-solve-my problem
with 782 dependencies.
[+] [-] sarsway|4 years ago|reply
[+] [-] rurp|4 years ago|reply
[+] [-] ryankrage77|4 years ago|reply
[+] [-] tokamak-teapot|4 years ago|reply
[+] [-] wishinghand|4 years ago|reply
[+] [-] pmw|4 years ago|reply
[+] [-] Ashanmaril|4 years ago|reply
[+] [-] stevewillows|4 years ago|reply
[+] [-] bayindirh|4 years ago|reply
e.g.: h0arseSt@br3bg#terYC0rt5d!t
[+] [-] klodolph|4 years ago|reply
[+] [-] floatingatoll|4 years ago|reply
Or, to present one specific example of this mixed-messages issue:
How precisely does the listed step "Disable Crash Reporter" harden macOS against being attacked, when nation-states are excluded from consideration?
[+] [-] fnord77|4 years ago|reply
[+] [-] memco|4 years ago|reply
[+] [-] sinxccc|4 years ago|reply
[+] [-] tingletech|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]