Ask HN: How do you secure your Mac?
Apart from full disk encryption and a password manager:
Do you use antivirus? Which antivirus?
Do you use two-factor SSH?
Do you use IDS?
What else do you recommend?
Do you use antivirus? Which antivirus?
Do you use two-factor SSH?
Do you use IDS?
What else do you recommend?
74 comments
[ 3.2 ms ] story [ 153 ms ] threadAnd what software do you use regularly? Do you pirate software?
These are important questions to answer, before you come up with how to secure your Mac.
That said, I'm just an average developer. I hardly run anything non-standard. I do make sure to not leave my laptop unlocked, but that's it.
Regarding software: only system apps with the exception of say a password manager, code editor and git.
[1] https://etrecheck.com
Everything else (2FA, password manager) is not macOS specific.
Not really an exhaustive list, but at least gets you started off.
Just configure the top right corner to lock the computer (AFAIK it’s new in Mojave) or start the screensaver with an n-second delay for password prompt (configured separately under the screensaver tab). The delay is important because you will trigger it by mistake many times. The new lock option does not have a delay, which makes it a little less convenient.
macOS Security and Privacy guide [1] also a recommendation you can try.
[0]: https://blog.bejarano.io/hardening-macos.html
[1]: https://github.com/drduh/macOS-Security-and-Privacy-Guide
- Full Disk Encryption - Use Little Snitch - Don't use iCloud - Disable SSH except for your account - Turn off remote login - Run developer software in Docker containers
I have Prey[1] installed. On both devices, I have "admin" credentials taped to the back. The account is actually a locked down user-level account with very little authority, other than being able to get on wifi/browse the internet, etc. I suppose this would be a honeypot of sorts. My thought being if someone walks off with it, I want to be able to gather as much info on them as possible. I haven't given a whole lot of thought to this, so definitely curious if there are issues with this approach.
[1]: https://preyproject.com/
The only issue is a firewall on the router side, but, that's a highly targeted attack then.
You also can't set a bootup/EFI password.
DEF CON 18 - Zoz - Pwned By The Owner: What Happens When You Steal A Hacker's Computer: https://youtu.be/Jwpg-AwJ0Jc
We built a Slack bot [0] that shames (in good humor) people in the office who leave unlocked laptops unattended. We had a similar system at Twitter where we would tweet a certain codeword on unlocked laptops and it was very effective in stopping that behavior.
[0] https://sniped.app/
It's pretty hilarious because the person usually go through with it.
It's recently escalated to sudolphin-ing (think a sudo alias involving cowsay and you're on the right track).
Touch ID for sudo http://osxdaily.com/2017/11/22/use-touch-id-sudo-mac/
Touch ID for SSH https://github.com/sekey/sekey (uses secure enclave)
I use this for 2FA https://krypt.co/ (uses secure enclave on your phone)
Touch ID for password management https://1password.com/
I upload dotfiles and other credentials in a keybase encrypted repo
It's how I caught a new Seagate external hard drive making calls to Baidu and Google. https://fosstodon.org/@lukewrites/100907932236227641
I appreciate that Quickstray.
I think FDE plus a VPN and DNS blocker tends to be enough for not state level actors.
This is where you put the disk back in the box and return it for a full refund.
> LuLu is the free, open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.
I would love to know if anyone else has switched over and what's missing. I haven't had a whole lot of time to do a thorough investigation.
[0]: https://objective-see.com/products/lulu.html
What's your threat model? My recommendations are going to be based wholly on that. Are you an average Joe/Jane, or a reporter for The Intercept?
1. For evil maid attacks. https://objective-see.com/products/dnd.html
I use them more for privacy, but security is an added benefit.
Few years back I was a big fan of Little Flocker, which now is part of F-Secure as XFENCE [4]. But haven't used it since its rebranding, anyone using it anymore?
[1] https://www.obdev.at/products/littlesnitch/ [2] https://1password.com/ [3] https://objective-see.com/products.html [4] https://campaigns.f-secure.com/xfence/
If you really need security, get a computer , disconnect it from the internet. The end.
My recommendation stay offline as much as you can.
My recommendation stay offline as much as you can.