Ask HN: How do you secure your Mac?

137 points by jorangreef ↗ HN
Apart from full disk encryption and a password manager:

Do you use antivirus? Which antivirus?

Do you use two-factor SSH?

Do you use IDS?

What else do you recommend?

74 comments

[ 3.2 ms ] story [ 153 ms ] thread
What exactly is your threat model? Are you a developer of a very public software project? Are you a politician or a journalist? Or someone in HR? Or are you just an average Joe?

And what software do you use regularly? Do you pirate software?

These are important questions to answer, before you come up with how to secure your Mac.

That said, I'm just an average developer. I hardly run anything non-standard. I do make sure to not leave my laptop unlocked, but that's it.

Assume it's for a software developer.

Regarding software: only system apps with the exception of say a password manager, code editor and git.

I don't do any of the above! I lock it, keep it up to date and are not foolish about what to run/download.
While I strongly advise avoiding traditional "antivirus" software like Symantec, EtreCheck[1] if a wonderful diagnostic tool for checking your Mac's general health. Included in that health check is a full disk sweep for any known adware. I used it just this past year to help identify and remove some adware on my parents' computer just this past year, and would highly recommend.

[1] https://etrecheck.com

(comment deleted)
FileVault, strong system password, Little Snitch.

Everything else (2FA, password manager) is not macOS specific.

(comment deleted)
(comment deleted)
2fa all the time. And I dont usually join public connection.
Full disk encryption, that's it. When I get up, I lock the screen.
To add to this: the shortcut key for locking the screen is Cmd+Ctrl+Q. There's also the possibility of configuring a Hot Corner for this.
Didn't know this, I was using an Alfred command instead. Thanks!
I was using some other workaround as well. The shortcut is new since Mojave! :)
Also if you have a Touch Bar Mac you can add a “lock” button to the Touch Bar. I mostly use that one and unlock with my watch when I come close.
I use Ctrl+Shift+Esc to put my screen to sleep (which locks it).
Whoops. I never actually look at the keyboard (too late to edit my comment). It's Ctrl+Shift+Power
I’ve been using hot corners for approximately 5 years I think. It works very well.

Just configure the top right corner to lock the computer (AFAIK it’s new in Mojave) or start the screensaver with an n-second delay for password prompt (configured separately under the screensaver tab). The delay is important because you will trigger it by mistake many times. The new lock option does not have a delay, which makes it a little less convenient.

Thanks for posting this. I have been missing the Cmd-Shift-Power ever since getting a TouchBar.
Yeah I'm very happy with that shortcut :) others mentioned a shortcut with Ctrl-Shift-Escape, to force it to sleep. But doesn't seem to work in my case (I'm often using my MacBook in clamshell mode).
If you're paranoid:

- Full Disk Encryption - Use Little Snitch - Don't use iCloud - Disable SSH except for your account - Turn off remote login - Run developer software in Docker containers

Genuine question: Is iCloud any more insecure than any other cloud service? I was thinking of shifting a lot of stuff to it.
(comment deleted)
How does FireVault work with Google cloud ?. I have a google cloud folder which is synced with my local drive. Now if I enable Firevault, it will encrypt all the data... but im not sure what will happen to the Google Drive folder on mac. How will google drive manage my encryption then.
FileVault is encryption at the disk level; you unlock at startup. Unless you have other encryption methods for files or directories, once you're logged in, they are unencrypted as far as Google Drive or any other app sees it.
Quick question; what's the point of running development software in docker from a security perspective?
My primary concern is someone physically stealing my Macbook or iMac. They are personal devices and the content on them would not be much of interest to others, foreign governments or other entities.

I have Prey[1] installed. On both devices, I have "admin" credentials taped to the back. The account is actually a locked down user-level account with very little authority, other than being able to get on wifi/browse the internet, etc. I suppose this would be a honeypot of sorts. My thought being if someone walks off with it, I want to be able to gather as much info on them as possible. I haven't given a whole lot of thought to this, so definitely curious if there are issues with this approach.

[1]: https://preyproject.com/

Wow that's a great idea to provide a fake admin account, so that you can get usage data. Could be useful even if you don't use prey if you have find my mac turned on.
I've donee something similar too, with with a script that'd continually poll a website upon user login and findmymac.

The only issue is a firewall on the router side, but, that's a highly targeted attack then.

You also can't set a bootup/EFI password.

(comment deleted)
Neat. I read once about someone who had their photo booth folder set with a folder action to automatically post photos to Instagram (or something). When their Macbook was nicked their feed got spammed with photos of the thief and their friends.
Question - I used to use Prey and loved it, but stopped about 5 or 6 years ago because (IIRC) it didn't work with full disk encryption or something like that. Instead I ended up setting up a separate user and find my Mac (or whatever the apple one is called). Has this changed? If you have a couple of minutes could you tell me how you have it set up?! Thanks!
I use Prey with FileVault 2. I also have Find My Mac enabled.
I more in the camp that if someone takes it, I write it off. I don't want to get my life dragged down in the minutia of "who took it, where is it". I just want to restore from (encrypted) backup and move on with my life.
Shameless plug since it's relevant:

We built a Slack bot [0] that shames (in good humor) people in the office who leave unlocked laptops unattended. We had a similar system at Twitter where we would tweet a certain codeword on unlocked laptops and it was very effective in stopping that behavior.

[0] https://sniped.app/

We, at Accenture, invite our colleagues 5-15 invitees to a cake celebration, from the person's unlocked laptop and Outlook a week into the future.

It's pretty hilarious because the person usually go through with it.

Around the lab I work at we do a similar thing, always some variation on dolphins. Dolphin background, messaging a dolphin on slack, etc.

It's recently escalated to sudolphin-ing (think a sudo alias involving cowsay and you're on the right track).

I try to use Touch ID for everything it can be used for.

Touch ID for sudo http://osxdaily.com/2017/11/22/use-touch-id-sudo-mac/

Touch ID for SSH https://github.com/sekey/sekey (uses secure enclave)

I use this for 2FA https://krypt.co/ (uses secure enclave on your phone)

Touch ID for password management https://1password.com/

I upload dotfiles and other credentials in a keybase encrypted repo

So I assume your threat model is exclusively keyloggers? It's certainly not physical access. Your fingerprints are all over the device's surface, so a determined attacker can easily duplicate them. (And to a non-determined attacker, Touch ID does not make much of a difference to passwords.)
Having your ssh key password protected would be a lot more annoying than having them touch id protected. The threat model would be someone using your Mac if you left it unlocked for a minute or something.
do laptops without touchid have secure enclave(or a way to access it)?
The thin I do that I think is most important is use Little Snitch (https://www.obdev.at/products/littlesnitch/index.html) to track/block/approve incoming and outgoing network requests.

It's how I caught a new Seagate external hard drive making calls to Baidu and Google. https://fosstodon.org/@lukewrites/100907932236227641

>> I thin I do that

I appreciate that Quickstray.

I think FDE plus a VPN and DNS blocker tends to be enough for not state level actors.

  > When it loads, the disk is unwritable; you have a choice of
  > a Mac executable or a Windows executable.
That's ridiculous. How do they justify that?
> When it loads, the disk is unwritable

This is where you put the disk back in the box and return it for a full refund.

+1 for Little Snitch, it's a bit overwhelming at first but totally eye-opening. After a few days you'll have a good ruleset going and it won't be as annoying.
I used to use little snitch and now came across lulu [0].

> LuLu is the free, open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.

I would love to know if anyone else has switched over and what's missing. I haven't had a whole lot of time to do a thorough investigation.

[0]: https://objective-see.com/products/lulu.html

I have been using lulu for several months and love it. The interface for managing rules is easy to follow.
Filevault, no antivirus (except what comes with macOS), Objective See's Do Not Disturb [1], 2F SSH depending on the host.

What's your threat model? My recommendations are going to be based wholly on that. Are you an average Joe/Jane, or a reporter for The Intercept?

1. For evil maid attacks. https://objective-see.com/products/dnd.html

in addition to FileVault I have uBlock Origin installed on all browsers and Malwarebytes running. but I have no idea if these programs are working, are looking for the correct threats or potentially have malware themselves. so far so good...
most useful tools: - Little Snitch - Firefox with lots of privacy settings + umatrix + decentraleyes

I use them more for privacy, but security is an added benefit.

I don’t. I keep my super sensitive data in my head. I never believed in computer security and never will. But the I never believed in security in general. Why on earth you would need an antivirus for a Mac ? I don’t even remember the last time avast gave me a virus warning on Windoom 10. Nowadays it’s mostly worms, ransomeware and spyware , rarely a Trojan horse. The age of virus has long gone after the start of the age of not slow internet.The only thing I do is to backup my data via Dropbox and megasync.

If you really need security, get a computer , disconnect it from the internet. The end.

it doesn't matter what you do, Apple controls and share your data.

My recommendation stay offline as much as you can.

it doesn't matter what you do, Apple harvest and share your data..

My recommendation stay offline as much as you can.

Do you have any evidence that Apple harvests data stored on Macs and shares it with third parties? If so, that would be big news given Apple's stance on security and privacy.