Hardening macOS (2018) (bejarano.io)
149 points by nomoreplease on May 6, 2021 | 98 comments



Frankly, if all you do is create a separate administrator user, leaving your day to day account as standard, and enable disk encryption, you’re going to be so much more secure than the default target.

Encryption is super important because it secures your data in case your machine is stolen. There is an active market for identity data from stolen hard disks; don’t be that victim. It sucks.


> Encryption is super important because it secures your data in case your machine is stolen.

If your machine is stolen and off*

I always turn my computer(s) and phone off before entering airports and other similar areas. They can ask me before Cellebriting them.

Not that I've ever done anything wrong, it's just for the ethics of it all. Privacy is critically important.


Also, I've witnessed first-hand someone come into a cafe where I was working, walk up to another person who was on their laptop, snatch the open laptop as the person was typing on it, and bolt out into a waiting getaway car. That laptop was fully open and logged into everything.

This is obviously a rare case but it just goes to show that you can have pretty darn good security and there are still attack vectors that you won't be hardened against.


I’ve been thinking it’d be neat to have a program running that watches the web camera continuously and if you look away from the screen then it locks the computer after 1 minute. And if you disappear from the image it locks it immediately.

This would also immediately lock the computer in the case of someone snatching it from you, even though the main use case I had in mind is just for falling asleep and for leaving the room.

Dunno if it’d drain too much battery. Also having the camera active indicator led glow all the time would be annoying. And it would also mean that you unfortunately no longer know if other software on your computer is recording your face while you are sitting there.


For a while I had my laptop set up with a udev rule that would automatically lock it as soon as my USB Yubikey was unplugged. The Yubikey was on my keychain on a lanyard attached to my clothing.

I mostly used that at CCC events where I was paranoid about forgetting to lock my laptop when I left it unattended, but it would also defend against that scenario pretty well.
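The udev-rule approach the comment above describes, written out as an added example (this is not the commenter's rule or script). It assumes a Linux desktop with systemd-logind (so `loginctl lock-sessions` works from a root udev hook), Yubico's USB vendor ID 0x1050, and that the script is installed as /usr/local/bin/lock-on-unplug; the sysfs walk lets a second key on the desk keep the session open.

```shell
#!/bin/sh
# Added example, not from the original thread: lock every desktop session when
# the last YubiKey is unplugged. Assumes systemd-logind, Yubico vendor ID 1050,
# and that this file is installed as /usr/local/bin/lock-on-unplug.

YUBICO_VID="1050"

# Emit the udev rule. On a "remove" event the sysfs attributes are already gone,
# so match on the ID_VENDOR_ID property udev stored in its database at plug-in.
# DEVTYPE=usb_device makes the rule fire once per key, not once per interface.
udev_rule() {
    printf 'ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_VENDOR_ID}=="%s", RUN+="/usr/local/bin/lock-on-unplug run"\n' "$YUBICO_VID"
}

# Return 0 if any USB device under $1 (default /sys/bus/usb/devices) still
# reports the Yubico vendor ID.
yubikey_still_present() {
    sysfs_root="${1:-/sys/bus/usb/devices}"
    for f in "$sysfs_root"/*/idVendor; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$YUBICO_VID" ]; then
            return 0
        fi
    done
    return 1
}

# Decide whether to lock: prints the reason, returns 0 when a lock is due.
should_lock() {
    if yubikey_still_present "$1"; then
        echo "another YubiKey still attached, not locking"
        return 1
    fi
    echo "no YubiKey attached, locking all sessions"
    return 0
}

# Entry point for the udev RUN+= hook. udev kills RUN programs that linger,
# so the actual lock command is detached.
lock_on_unplug() {
    if should_lock; then
        nohup setsid loginctl lock-sessions >/dev/null 2>&1 &
    fi
}

# Install the rule (needs root) and make udev pick it up.
install_rule() {
    udev_rule > /etc/udev/rules.d/85-yubikey-lock.rules
    udevadm control --reload-rules
}

case "${1:-}" in
    install) install_rule ;;
    run)     lock_on_unplug ;;
esac
```

Run `sudo ./lock-on-unplug install` once, then pull the key to test. The sysfs check matters if you carry a backup key: without it, unplugging either key locks the screen.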


I believe windows has/had a setting where you could automatically log out if a bluetooth device was disconnected. I'm not sure how hard it'd be to do something like that on a Mac but maybe I should look into it. I think "if my watch disappears, lock the screen" would be simple enough.


It has this setting and defaults to using your phone as the proximity device. Not sure why else I should BT pair my phone with my PC.


Perhaps tie into bluetooth instead. If your Watch or iPhone goes out of range, lock the machine.


BetterTouchTool has a "Bluetooth LE device moved away"... Maybe that can detect Apple Watch moving away, and then lock or even shut down the computer...

EDIT: Confirmed. This works. In a few minutes, I was able to set it up so that if my watch moves about a meter away from the mac, it'll lock the screen. It supports any Bluetooth LE device.


I had moved away from BTT for a while but would come back for this. Awesome. This stuff should be in macOS core.


Unlox app does this - its primary feature is to use FaceID on an iPhone to unlock a mac, but it also has an AutoLock feature if said phone goes out of bluetooth range. The signal level threshold is configurable so you can keep it on a pretty short leash.

(no relation, just a happy customer)


That is intriguing -- but I don't love the "enter your computer password in the app" part. Can it be configured to _not_ do that -- i.e. only do the "AutoLock" part?


I believe so, yes. You might need to do a temp password dance to get it configured initially, but after that "lock only" should work fine.


Perhaps an accelerometer for when it's snatched quickly.


Should actually be pretty easy to implement


I was thinking something tied to the accelerometer - I know laptops used to have those when they had spinning disks. Sudden movement locks the screen.


There used to be an "alarm" app for MacBooks that'd sound an audible alarm when the computer was moved.


When I was in college, someone did this with my phone. Luckily, they gave it back a minute later - perhaps because I made a ruckus, and perhaps because they felt bad about robbing a student, who knows.

Still, it made me pretty uncomfortable using devices in public after that. For all the effort we put into cybersecurity, our measures are trivially defeated by a common thug. Even YubiKeys securing all your accounts wouldn’t do much to protect you from this.


[flagged]


how is that relevant here and not other comments here?


See BLEUnlock[1] for a simple Bluetooth proximity lock solution for macOS or BusKill[2] for a cross-platform wired solution.

[1] https://github.com/ts1/BLEUnlock

[2] https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...


>Not that I've ever done anything wrong, ...

When you see that people need to write this disclaimer even on this website it feels like the privacy ship has long sailed.


>> Encryption is super important because it secures your data in case your machine is stolen.

> If your machine is stolen and off*

It's possible to configure macOS to wipe FileVault keys from memory when transitioning to a hibernation state. Assuming this works as designed, it might help in a snatch-and-grab situation if the thief closed the lid of the laptop. I would assume competent LEAs would take measures to keep their target's machine awake however.
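The pmset settings the comment above refers to, as an added example (not the commenter's configuration): a check that parses `pmset -g` output and the command that applies the hardened values. It assumes the pmset(1) keys `hibernatemode` (25 = RAM is powered off, resume from the hibernate image) and `destroyfvkeyonstandby` (1 = zero the FileVault key before standby); the sample `pmset -g` output below is constructed and abridged.

```shell
#!/bin/sh
# Added example, not from the original thread: verify and apply the pmset
# settings that drop the FileVault key from RAM on standby. Assumes the
# pmset(1) keys hibernatemode=25 and destroyfvkeyonstandby=1.

# Parse `pmset -g` output from stdin; succeed only if both keys are hardened.
# Matching is case-insensitive because `pmset -g` prints DestroyFVKeyOnStandby
# while `pmset -a` takes the lowercase spelling. An absent key counts as unhardened.
check_standby_hardening() {
    settings=$(cat)
    hib=$(printf '%s\n' "$settings" | awk 'tolower($1)=="hibernatemode" {print $2; exit}')
    dfv=$(printf '%s\n' "$settings" | awk 'tolower($1)=="destroyfvkeyonstandby" {print $2; exit}')
    [ "$hib" = "25" ] && [ "$dfv" = "1" ]
}

# Apply to all power sources (needs root). standby=1 makes the Mac write the
# hibernate image and enter standby once the standby delay has elapsed in sleep.
harden_standby() {
    pmset -a destroyfvkeyonstandby 1 hibernatemode 25 standby 1
}

# Constructed, abridged `pmset -g` output for a stock laptop ...
SAMPLE_DEFAULT='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 DestroyFVKeyOnStandby 0
 sleep                1'

# ... and after harden_standby has run.
SAMPLE_HARDENED='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 sleep                1'

if [ "${1:-}" = "apply" ]; then
    harden_standby
elif [ "${1:-}" = "check" ]; then
    pmset -g | check_standby_hardening && echo "hardened" || echo "FileVault key survives standby"
fi
```

The caveat for the snatch-and-grab case: the key is only destroyed when the machine actually enters standby, which happens after the standby delay (the `standbydelay` family of keys, whose defaults are typically measured in hours). Until then a sleeping laptop still has the key in RAM, so either shorten the delay or shut down.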


> If your machine is stolen and off*

Locked. macOS has used the IOMMU to block access to RAM from external devices for many years and on the newer Macs you’d need to compromise the T2 as well.


Five-eyes nation states probably had that long ago

https://www.zdnet.com/article/hackers-claim-they-can-now-jai...


Five Eyes is a signals intelligence cooperative — they’re not grabbing your laptop at Starbucks.

That brings me to the second part of why this fear mongering is pointless: if the black-bag types are interested in you, they’re going to use the password they recorded you entering when you last turned it on or just hold you until you unlock it. If your threat model includes state-level force, you’re way outside of what consumer electronics can help you with.

For most people, the risk is more along the lines of whether someone who steals your backpack can cash out relatively quickly. Needing a complex exploit chain is not a high risk there - and, again, if you’re carrying something that valuable I’d be thinking more about the odds of them forcing you to unlock it.

Finally, the article you linked is talking about a jail break exploit: notably neither checkm8 or checkra1n will help you if you don’t already know the device password.


I've done this for several years now. I also value this approach for psychological reasons: whenever you do need to perform some sysadmin action, you invariably need to type the password for the admin account rather than your usual login or unlock password. This different password is enough to make me pause and think whether this administrative action is really worth doing.


A well-known macOS IT developer created an app that can give you admin rights and take them away.

https://github.com/SAP/macOS-enterprise-privileges

Essentially you can still be the admin on your account but this app can make you a general user. When you need to install anything, run the app and grant yourself temporary admin rights. If you deploy this to employees with a management system, you can define default reversion to general user. It addresses the need to not allow users to be admins all the time, granting admin rights only when they need them for an installation.


Interesting, sounds like graphical sudo.


NSA released a now older OSX hardening PDF, still lots of relevant stuff:

https://cirka.net/wiki/_media/macosx_hardening_tips.pdf

And NIST did a long form one as well for macOS Sierra (10.2)

https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev...

Hardening operating systems is extremely difficult, I put a ton of research into it, but making it harder for APTs is always valuable. Linux with GRSecurity used to be the gold standard. Not sure what is now.

I noticed a lot of "zero days" or vulnerabilities target specific versions of popular software so there may be plenty of security in obscurity just based on the nature of the hacking business. And there's a huge shadowy hacking business if you weren't aware.

And as a side note, one thing I learned from grugq is that managing your identity online is worth tenfold any of this hardening business. Creating fake identities with real back stories and LinkedIn pages etc. That sort of thing. But that's getting a little deep into the "shadowy arts" of the infosec world.


> NSA released a now older OSX hardening PDF, still lots of relevant stuff:

> Disable Unnecessary Services: The following services can be found in /System/Library/ LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified: sudo launchctl unload -w PathToPlistFile

Today, you can't do that unless you disable, well, a different security setting.


Well, you're supposed to re-enable the security feature blocking you afterwards.


Oh, I guess you can do that, but then you have to redo the whole rigamarole (three reboots) every time you install an update...


One thing I've learned is real security takes real effort. It involves disruptions and breaking of otherwise easy flows.

But it's worth it, especially if you work at a major company with hundreds of millions/billions.


Discussion from the last time this was posted in 2018 - https://news.ycombinator.com/item?id=18099835

Also the macOS Security and Privacy Guide may be of interest

https://github.com/drduh/macOS-Security-and-Privacy-Guide

as discussed on HN last year https://news.ycombinator.com/item?id=24242890



Expired certificate


Also, seriously? A link to a zip file with no context whatsoever in a thread about security?


Got a newer Mac from work and upgraded it to Big Sur—Big mistake. If I hadn't installed Little Snitch from a recommendation here I'd have not known it runs dozens of chatty network services by default with no way to disable them. Many communicating and uploading metrics to services like icloud and local bonjour, whether you use them or not.

Not only that, but with the system volume being read-only, there is no obvious way to disable them from running without defeating other security. Any tips to disable these easily on the latest OS?

All in all for company that touts privacy, I found it all a bit shocking really.


That's always been one of my biggest gripes with Apple. Their security theater was particularly convincing for a while, but in recent years it's been going downhill, hard. The T2 chip was dedicated hardware for a PRNG, the "secure enclave" is based on technology that has been cracked for years, and their team actively ignores security researchers who report vulnerabilities to them. It's definitely one of the deciding factors keeping me on Linux.


This is how the OCSP standard works.

It needs to be chatty.


The OS is extremely chatty even without OCSP.


Dozens was highlighted.


Much of what you're attributing to Big Sur existed in Catalina.


Here's documentation of all of the stuff it talks to, if anyone's curious:

https://sneak.berlin/20210202/macos-11.2-network-privacy/

(pcaps linked in the post, too.)


Somewhat related:

I always find myself clearing the drive in order to install the latest macOS. Perhaps psychological, but it always gives me a fresh starting point that is benefited by an implicit boost in performance. While it does require some time for setup, and much of what I do is manual, I never regret it --almost like spring cleaning.


Maybe I am getting old but I find “starting fresh” to be extremely expensive. I recently had to do this with my work MacBook which cannot restore from Time Machine for... reasons.

I don’t know what settings I changed six months or a year or four years ago. I just know that my mouse should scroll that way, not this way. Time Machine makes sure these settings persist between disasters so I don’t generally try to track them. Historically upgrades maintained the settings where they make sense. Over time my environment adapted to my preference.

But with the recent more drastic changes in Big Sur (and my fresh start) I find myself constantly having to re-learn really basic things like how to manage notifications. What used to be one click is three, or gestures that used to do one thing (drag right to dismiss) now do something unexpected (dismiss all notifications for an app). I don’t know how much of this is a setting and how much is just new behavior.

It has been an infuriating experience. I don’t even know how to use my computer and I feel powerless. I also have very little motivation to learn the “new” way because I know it will just change again in a year. So the time I invest now will be wasted.

It’s extremely demoralizing. One of the hardest things I do during the day is try to navigate my desktop environment. I have an adversarial relationship with my MacBook. There’s very little cognitive energy left to do my actual job. I don’t feel like it is improving, my computer is just in my way.


> Maybe I am getting old but I find “starting fresh” to be extremely expensive.

I used to think like that, then I got a new mirrorless camera, which has a ton of settings in a menu that feels like an open world. Then, I stopped worrying about setting things exactly the way I want. Instead, I started to change things I dislike.

This brings two advantages from my point of view. First, it doesn't feel overwhelming; second, it's really a smooth way of learning new things or relearning things in the new way.

I also run a micro server on a SBC. I got fed up with the Ubuntu installation running on it and decided to migrate to Debian. I got two or three essential files (basically fstab, dnsmasq config files), and nuked the card. It was running in less than 15 minutes. I made a lot of small changes after that, but it was much smoother and nicer. Since I was not in a rush, I made the changes calmly and enthusiastically. Now, that thing works 10x better than Ubuntu.

No need to rush, just solve a single thing in one go, and you won't believe how far you can go in very short time.

Of course, this is my two cents and YMMV.


Ok but it sounds like your new camera is actually better. My new MacOS is just the same, or slightly worse. The changes in Big Sur don't solve any problems I actually have. Notifications are just more fiddly. Common actions are no longer prominently available, they are hidden behind hovers and tiny buttons, or simply gone. The interface uses more space and provides less information.


>Notifications are just more fiddly.

OMG - I hate the new notifications. Dismissing them is a very expensive task. Almost makes me want to disable notifications altogether.


Strange. I’ve been using macOS for ~12 years now and Big Sur is not worse for me.

I’m not trying to say you’re wrong. On the contrary, since I don’t use macOS that deeply (I’m a Linux guy mainly), not feeling the change for worse is intriguing for me.


Disruptive changes to me personally in Big Sur:

1) They changed keyboard shortcut and navigation behavior, I now have to use twice as many keystrokes to navigate Mail than I did before. Some keyboard navigation options are now impossible.

2) Messages was rewritten for Catalyst and is far more unstable. Keyboard navigation is impossible.

3) Notification buttons and behavior. This now requires hovers and the gestures do different things than they did before.

4) Application icon shape and location. Mail has buttons moved around and the icons are different. Functionality is basically the same but muscle memory is reset.

5) Window title bars are bigger and application minimum sizes are larger but fewer options are available, requiring more clicks to get to nested functionality, if it is even available. My 16” screen on Big Sur now shows as much information as my 13” screen on Catalina.

They are small changes but they are still changes. Small enough that the functionality is basically the same but big enough I have to re-learn it, and for no benefit to myself.


Honestly that is kind of weird.

I just re-imaged my Macbook Pro laptop this week, to completely remove some super invasive exam-taking software that I had to install for a licensing exam.

The whole thing was very painless. I keep all of my data in one folder. I copied that folder, and copied some preferences for apps that don't sync to a folder (e.g., VS Code) to an external SSD.

I booted into recovery mode, wiped the disk, and re-installed Mac OS. Then I copied my folder back and re-did my settings.

The whole thing took a couple of hours, although a lot of that was babysitting the installs etc. while doing other things. I definitely wouldn't put it into the "extremely expensive" bucket in terms of time spent.


The expense comes in having to re-learn basic actions or go find a setting. My job takes longer to perform now because I have to stop and re-learn simple things that used to be instinctive, such as dismissing notifications and looking at icons or changing the direction my mouse scrolls.


This is very 'unhacker' advice, but I generally learn to love defaults.

I also think a lot about sane defaults when working on/deploying software to customers myself. I choose what systems to use in part based on how good the defaults are.

The closer you are to accepting defaults the easier your life is. Obviously there are exceptions, but things like mouse scroll direction? Just learn to love the new one.


>This is very 'unhacker' advice, but I generally learn to love defaults

There's a lot of wisdom in this advice: the more time you spend messing with settings to customize the UX, the less repeatable this configuration is, and the harder it is to get a new system back up and running.

Also: what's "hacker" is working on many many different systems, and being able to at least minimally adapt to each different system's set of defaults, so you can remain productive. (and for me, this means absolutely forgetting all about one platform's take on hot-keys, shortcuts, and setting up aliases).

Mouse-scroll direction? I can't abide the "reverse" (scroll down to go up), and that's one thing I'm not ever going to let slide on a new system.


Yeah - I think we have the same perspective.

On mouse-scroll direction, the 'reverse' is actually the way the content moves (if you imagine your hand on the screen). I came around to thinking this makes more sense than the direction the scroll bar moves, but it was weird at first.


Some other advantages:

- Things might be less likely to break. Certainly the default settings are the most likely to have a test case associated with them. How likely is it that there's a test case around the unique combination of the 35 parameters you've configured that are relevant to the particular operation you're attempting?

- It may be better. A number of times I've heard of some odd default and thought "that's obviously wrong" but given it a chance and learned to like it. Definitely change things that really are important to you, but vendors often put a lot of effort into making good defaults.

- If you're a developer, a less configured system is more likely to be similar to what an average user uses, giving you a more similar experience to them.


I guess I didn't explain myself well. "Starting fresh" can mean two things.

1) Adapting to a new system that has changes outside your control. This is the case of a major version update in MacOS.

2) Reverting to default settings and re-configuring the environment.

In the case of 1 I am disrupted because I have to learn new ways to do what I could already do before.

In the case of 2 I am disrupted because I have to repeat configuration I already performed.

The context of this thread is choosing 2 on a regular basis just for the sake of doing it. By choosing to always accept defaults you are effectively maintaining a stable system, which is the opposite of what the second situation advocates.


1 is just the cost of living in a world that isn't static.

2 is what I'm suggesting to mostly avoid if you can.


I’m sorry, I guess I am just missing the point you are trying to make.


"The wise warrior avoids the battle." - Sun Tzu

Sounds hacker to me.


I used to do this on a weekly basis with my Windows desktops (95, 98, NT, XP, and 7 was the last one I bothered with). I used various tools to automate this process, (nLite was a good one), and wrote scripts to perform application setup (back in the bad old days before chocolatey).

This had huge benefits in terms of maintaining a very performant Windows desktop.

Then, I also baked-in my security configurations with another set of scripts. So it was always in a consistent configuration, (even if I had to "temporarily" disable something that was blocking me or broke something, I could always return to my "known-good-configuration").

I've also done the same with my linux systems.

Mac OS X has always been curiously resistant to full automation, however. I know some people have done it; but there's something about this ecosystem that makes it very difficult; and I kind of think that's by-design, (to thwart the hackintosh people).

I think it would be extremely valuable to be able to do this on Mac OS X; because customizing the OS is central to being able to get a good productive user-experience (especially for power-users), and I'm often stymied trying to accomplish this in a repeatable manner, on Mac OS X.


I have churned through three macs since 2012 and have never once installed fresh. Time machine has helped me move between them. At one point I had to temporarily move back to an old one while the other one was being fixed, and I did the exact same thing (I experienced some hiccups with brew packages that were no longer compatible due to missing CPU optimizations on the old mac).

I periodically clean my mac, though. Remove stale configuration files, cleanup apps, etc. I also have a bunch of stuff written down, as well as scripts, to help with installing new macs (to help my friends reinstall theirs).

I'm very nitpicky about configurations and apps. I've got dozens of apps and micro-apps I use, which are very modified. These include the typical BetterTouchTool, Alfred, Amphetamine, but also smaller apps like Audio Balance. My terminal is heavily customized, both in terms of iTerm 2 settings, but also in terms of my zsh config, custom commands, etc.

I'm sure I'd be able re-create my environment within days, but these would be very rough days....and time machine just works! I don't need anything else.


With Big Sur I finally did my first fresh install of macOS since Jaguar (10.2). It took me an entire weekend and while it’s nice to have a clean out I think I’ll just do a time machine restore when I finally get an M1 Mac.


Ah, I expect that this is where things might go south! Since many apps are built for x86/x64, I'm sure that when you migrate to the M1 mac, they will run in intel "emulation" mode or just crash/fail!

I'm not talking about apps that you got from the app store or similar, but, rather, things you installed via homebrew!

When I temporarily had to move back from a more recent (~2014) mac to an older one (~2012), I got bitten by that because some apps installed via homebrew had been built from source with optimizations that the older machine didn't support. It was easy to fix, since I could just reinstall them as I saw them breaking, but it was an annoyance nonetheless.


I actually just got an M1 Mac since that post and I've decided to start from scratch again for the exact same reasons as you've mentioned here.


I can relate. I went through a clean install recently because my last was about 5 years ago and I wanted to start fresh instead of installing from a Time Machine backup.

I had a checklist from last time in my notes and remembered that it only took a few hours and then the system was set.

This time it took much longer. Maybe because I went from Mojave to Big Sur in one go.

So now I've started a small project where I automate as much as possible, using defaults and/or Plistbuddy to edit macOS configuration settings, install dotfiles using GNU stow, profiles for network settings, and just copying files around.


Whenever you change a setting, look up the corresponding “defaults write” command. Put them into a script. Then run that whenever you got a new machine.
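The "put your `defaults write` commands into a script" idea from the last two comments, applied to security settings, as an added example (not either commenter's script). It is written to be safe to re-run (it only writes a key whose stored value differs) and can be rehearsed with `DRY_RUN=1`. The keys come from defaults(1), socketfilterfw and spctl usage; which of them a given macOS release still honours is an assumption to verify on your own machine.

```shell
#!/bin/sh
# Added example, not from the original thread: a re-runnable hardening script
# built from `defaults write`, socketfilterfw and spctl. DRY_RUN=1 prints the
# commands instead of executing them. Key names are assumptions; verify them
# against your macOS version.

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Write key $2 in domain $1 with type flag $3 and value $4, but only when the
# stored value differs. `defaults read` prints booleans as 1/0, so normalise.
set_default() {
    domain=$1; key=$2; type=$3; want=$4
    case "$want" in
        true)  expect=1 ;;
        false) expect=0 ;;
        *)     expect=$want ;;
    esac
    have=$(defaults read "$domain" "$key" 2>/dev/null || echo "")
    if [ "$have" != "$expect" ]; then
        run defaults write "$domain" "$key" "$type" "$want"
    fi
}

# Per-user settings: require the password as soon as the screen saver or
# display sleep starts, and show real file extensions in Finder.
harden_user() {
    set_default com.apple.screensaver askForPassword -int 1
    set_default com.apple.screensaver askForPasswordDelay -int 0
    set_default com.apple.finder AppleShowAllExtensions -bool true
}

# System settings (run as root): no guest login, application firewall on with
# stealth mode, Gatekeeper enforced.
harden_system() {
    set_default /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
    run /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
    run /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
    run spctl --master-enable
}

case "${1:-}" in
    user)   harden_user ;;
    system) harden_system ;;
esac
```

`./harden.sh user` for your account, `sudo ./harden.sh system` for the machine; a second run is a no-op for the `defaults` keys, which is what makes it usable as a drift check after an OS update.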


This misses the point to an extent that it is honestly kind of insulting. I am aware of how to manage settings, that is not hard or interesting. KLVTZ suggested reverting to defaults on a regular (~annual) basis. I pointed out how changes to my desktop environment are disruptive, regardless of the reason (OS version bumps or revert-to-default).

Settings do not change fundamental OS behavior. I can't set my notifications in Big Sur to "Catalina".


Dot files are your friend.


Please. Show me the dotfile in Big Sur that changes Messages.app to the Catalina binary.

MacOS does not use dotfiles to manage OS settings.

Dotfiles require a separate mechanism to replicate.


I keep a file listing software I installed and my usual settings I need to set. Some 30 packages, including UI tools. The homebrew package installer supports a 'Brewfile' which will install everything in one step. https://thoughtbot.com/blog/brewfile-a-gemfile-but-for-homeb...


And then you just

    brew install this-will-solve-my-problem

with 782 dependencies.


Is there any good solution to choosing the admin password? I always hear a strong password is recommended, but this becomes very annoying very fast since you have to type it in quite often, and password managers can't help you here.


I like diceware passwords, a random set of common words, for this, often with a few random characters thrown in. It's still long, but I find them to be faster to type and memorize than random characters.


I use this bash one-liner

    LC_ALL=C tr -cd '[:print:]' < /dev/urandom | tr -d "[]<>(),~.;: /\`|{}'\"\\\\" | head -c 8; echo
Generates 8 random characters excluding punctuation that is often not allowed in passwords. You can change `head -c 8` to the desired length of the password. If you get something difficult to type, just generate another one.
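For the diceware suggestion a few comments up and as a companion to the one-liner above, an added example (not from either commenter) of a word-based generator with an entropy estimate so the admin password can be sized rather than guessed at. It assumes a wordlist file with one word per line (the EFF large list has 7776; the path is yours) and draws indices from /dev/urandom with rejection sampling, so a list whose size does not divide 65536 gets no modulo bias.

```shell
#!/bin/sh
# Added example, not from the original thread: diceware-style passphrase
# generator plus entropy estimate. Assumes a one-word-per-line wordlist.

# Uniform random integer in [0, $1) from two urandom bytes, with rejection
# sampling: values at or above the largest multiple of n are thrown away so
# every index is equally likely.
rand_index() {
    n=$1
    limit=$((65536 - 65536 % n))
    while :; do
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $((r % n))
            return 0
        fi
    done
}

# Print $1 words drawn independently from wordlist $2, separated by spaces.
diceware_passphrase() {
    words=$1; list=$2
    count=$(wc -l < "$list" | tr -d ' ')
    out=""
    i=0
    while [ "$i" -lt "$words" ]; do
        idx=$(rand_index "$count")
        word=$(sed -n "$((idx + 1))p" "$list")
        out="$out${out:+ }$word"
        i=$((i + 1))
    done
    echo "$out"
}

# Bits of entropy for $1 words drawn from a list of $2 entries:
# floor(n * log2(size)). Six words from 7776 give 77 bits.
entropy_bits() {
    awk -v n="$1" -v size="$2" 'BEGIN { printf "%d\n", n * log(size) / log(2) }'
}

# Usage: diceware_passphrase 6 /path/to/eff_large_wordlist.txt
```

The entropy number is the honest one to compare against the one-liner: 8 characters from roughly 90 printable symbols is about 52 bits, which six words beat comfortably while being far easier to type at the login screen.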


For sudo you can use the fingerprint reader if you configure pam to allow it
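The PAM change the comment above alludes to, as an added example (not the commenter's configuration): Apple's `pam_tid.so` module added as the first auth rule of the sudo stack, done idempotently. The file path is a parameter so the edit can be rehearsed on a copy of /etc/pam.d/sudo first; the sample file below is constructed to look like a stock one.

```shell
#!/bin/sh
# Added example, not from the original thread: enable Touch ID for sudo by
# inserting pam_tid.so into a PAM file, only if it is not already there.
# Assumes the module name pam_tid.so as shipped on Touch ID Macs.

PAM_TID_LINE='auth       sufficient     pam_tid.so'

# Insert pam_tid.so as the first auth rule in PAM file $1 unless present.
# "sufficient" means a fingerprint alone satisfies auth; a failed or absent
# reader falls through to the existing password rules below it.
enable_touchid_sudo() {
    pam_file=$1
    if grep -q 'pam_tid\.so' "$pam_file"; then
        return 0
    fi
    tmp=$(mktemp)
    # Keep a leading "# sudo: auth account ..." comment as line 1, then insert.
    awk -v line="$PAM_TID_LINE" '
        NR==1 && /^#/ { print; print line; next }
        NR==1         { print line; print; next }
                      { print }' "$pam_file" > "$tmp"
    cat "$tmp" > "$pam_file"   # write in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Report whether $1 has the module, for a drift check: macOS upgrades have
# been known to rewrite /etc/pam.d/sudo and silently drop the line.
touchid_sudo_enabled() {
    grep -q 'pam_tid\.so' "$1"
}

# Constructed sample of a stock /etc/pam.d/sudo, for rehearsal.
SAMPLE_PAM_SUDO='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so'

# Usage (as root): enable_touchid_sudo /etc/pam.d/sudo
```

Keep the check in whatever you run after OS updates; when the line is gone, sudo quietly goes back to asking for the password, which is easy to not notice.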


Would a thumb print reader be viable in this case? Can those provide arbitrary strings? I'd still store the password in a manager in case that device breaks.


I built https://phrase.shop for creating secure yet memorable passphrases.


The second thing this generated was "centersuchstrongdefine". I imagined a football pitch with a really thick half-way line, and Doge (the shiba inu meme) admiring it like "wow, center such strong define" and I chuckled. Could've been a nice password.


The most strong password is p@ssw0rd, I use that one for everything


lyrics with spaces work well. e.g. 'God only knows what I'd be without you'


This is terrible advice. Especially using lyrics.

If you like typing sentences use some unlikely ones, preferably personal because people suck at coming up with random stuff.

If you just throw some random thing in these lyrics like "God only knows WOOP i'd be without you" it would make it much stronger, but lyrics are like the thing where you would start building your brute forcer from and also.. how private are you about music that you listen to? I openly broadcast it.


I got this from samyk, actually. I wouldn't use iconic lyrics like this and you don't have to use a full line or even a natural ending. You don't even have to use lyrics from a band you particularly enjoy -- just something longer and easier to remember.


Mangle a longish sentence in your head and pepper it with typos, punctuation and numbers.

e.g.: h0arseSt@br3bg#terYC0rt5d!t


That's the worst way to create passwords.

It's too chaotic, which makes it hard to remember, which forces the user to save it in a password manager (or worse, write it down). And since it's going into the password manager, you can just go full random.


> That's the worst way to create passwords.

That's one way to look at it, but I remember a lot of passwords created this way, and know a lot of sysadmins who create passwords this way.

Sometimes full-random + password manager is better, but sometimes something convoluted + brain & offline backups is better.

Perhaps being a sysadmin for so long deformed our brains to remember these types of stuff.


funnily enough now h0arseSt@br3bg#terYC0rt5d!t is a terrible password to use ;)


Doesn’t matter. It’s already a variation of a well known password anyway. :)


horse staple battery correct? Now I have to change my password!


Yep! :)

Go, change it. Run!


This is a nice starting point. It seems like it was written from someone who's fairly paranoid (not trying to judge the value or correctness of paranoia, here), which means that it's not too hard to customize it--if you are less paranoid, skip some of these steps.


Some of these are good advice if you prioritize security over usability, as some legitimately need to do. Some of these have nothing at all to do with "Hardening macOS" and will have no measurable effect on security whatsoever, especially when state attackers are excluded from consideration (as the page itself states). Why are these things mixed together into a single guide?

Or, to present one specific example of this mixed-messages issue:

How precisely does the listed step "Disable Crash Reporter" harden macOS against being attacked, when nation-states are excluded from consideration?


That's a lot of work. How about some sort of script to do all this?


Here's a somewhat dated example of such a setup: https://github.com/memco/dotfiles. Basically, you just need the install.sh if all you care about is macOS preferences, but you can also add in something like the brewfile so that you can also install your apps. My brewfile leverages MAS so that I can install stuff from the app store in addition to what's available via brew. I haven't automated app preferences, but macOS and apps are just a clone, `./install.sh && brew bundle --file Brewfile` away.


Using a one-click script to secure your computer is worse than doing nothing.


An IT dept is not going to do all this manually on hundreds of laptops.


2018



