87 comments

[ 183 ms ] story [ 2671 ms ] thread
I like how they recount the "secure, not private" mantra at the top of the page. MacOS has a funny threat model: it's obviously not a very private machine, but the security measures like filesystem sandboxing and SIP go a long way towards... well, making your Mac more like an iPhone. This is good for defending against smaller, petty actors (identity theft, phishers, stray keyloggers, etc.), but it does very little to defend against the actually scary stuff like government surveillance, first-party data collection or foreign threat actors.

So, a lot of you are probably rearing up to write me a 5000-word response essay about how unreasonable it is to expect MacOS to compete with Team Red from around the world. I know. No operating system will ever be perfect.

...but on the flip side, MacOS' security concessions really don't seem to protect the user, from where I'm standing. Apple has made it so that trusting their OS means trusting them, which frankly, I don't. Apple is part of PRISM. Apple put iCloud in Chinese government datacenters. Maybe that Chinese data is encrypted-on-disk (eg. secure), but the fact that the Chinese government has the decryption keys certainly doesn't make it very private. With any degree of likelihood, that's already happening in most first-world countries too.

For a regular user the “petty actors” as you call them are actually scarier. Who wants to have their hard disk encrypted and pay $$$.

The “actually scary stuff” is extremely important, should definitely worked on and improved. It’s important to advocate for that and educate the common user.

But in my opinion for the regular user, this is not an immediate problem.

> For a regular user the “petty actors” as you call them are actually scarier. Who wants to have their hard disk encrypted and pay $$$.

They seem scarier. In reality it's not so clear what is the bigger threat. Many got a taste of this with COVID restrictions, but that is clearly tame to what would be possible with the information that was already gathered or if they had even more info about you.

> But in my opinion for the regular user, this is not an immediate problem.

At least not as obvious and many do not seem interested in privacy. Not sure if they are very afraid of being robbed, but it is a more tangible threat. One can only see what mass collection of sensitive information can lead to when looking at (relatively recent) history.* And it is as easy as ever to create lists of whatever needs to be erased by whoever can command this.

*: i.e. https://de.wikipedia.org/wiki/Rosa_Liste (can't find the English article on Wiki)

Every operating system requires the user to trust the operating system vendor.

Even open-source require a level of trust, at least of the contributor ecosystem, because no one has time to read every line of code that makes up a modern operating system, let alone understand the implication of every line.

> Apple is part of PRISM.

So are/were Microsoft, Yahoo!, Google, Facebook/Meta, YouTube, AOL and Skype. The Washington Post stated, after analysis 98% of PRISM production is/was based on Yahoo!, Google, and Microsoft. Not defending or apologising - merely stating fact. This is trotted out so often that it needs highlighting. Not trying to change your mind either - you do you. Just offering some balance to your opinion. I know that you are "holding a trillion dollar business accountable(tm)", but lets hold all these multi-billion dollar business accountable too.

> Apple put iCloud in Chinese government datacenters.

As does every company that has a market presence in China. iCloud is hosted in China and operated by GCBD. Effectively nothing to do with Apple and has little baring on iCloud. It's not private for local users, and that is bad. This does not mean that China legitimately has access to iCloud globally.

> but lets hold all these multi-billion dollar business accountable too.

Oh, for sure. Microsoft is far-and-away one of the worst handlers of data, Yahoo and Google aren't much better either. This is a strawman though, and while it provides a nice bit of context around the rest of the status-quo for privacy, it doesn't absolve Apple of the fact that their security is half-theater, and the other half has convenient backdoors and workarounds for the involved parties. Given that the topic of this article is "Hardening MacOS" and not "Reviewing The Standards of Security in Big Tech", I chose to focus on Apple's particular issues, especially since the issues with those other companies are so well-documented on HN.

> It's not private for local users, and that is bad.

This is what I used that point to illustrate. Apple claims that privacy is a human right, yet apparently not all humans are created equal? It's a strange bit of hypocrisy, one they could easily avoid by refusing to negotiate with countries that take advantage of them.

I don’t think this is a unfair statement to make.

The “petty threats” make up the large majority of risk for average users. Faaaar larger.

If your threat model includes worry about state level actors, Tails or QubesOS is the only thing I would recommend

Distinguishing between security and privacy is important, because otherwise you get a bunch of uninformed conspiracists who insist that hardening a machine involves installing Tor; or that using Google is bad, in a topic about using cryptographic signatures.
Please don't use derogatory terms like "conspiritards" on HN which obviously come from the term "retard".
Conspiracies are the rule, not the exception.
It doesn’t matter if they are real. If the topic is about practical suggestions for reducing the attack surface of current systems, it’s the wrong place to bring up global surveillance and vague allegations about vendor trust and world governments.
Thats ridiculous. It is the perfect forum to bring up such a discussion.

The article does a fantastic job covering the fundamentals.

How do you build on that and take it further?

Is it even worthwhile or possible to have a reasonable chance of thwarting a state level actor?

All fantastic topics.

(comment deleted)
There's no such thing as PRISM. That's just the database the government puts subpoena responses in, and it's not a secret that subpoenas exist.
> Enable Terminal secure keyboard entry

> Why? To prevent other apps from snooping on what you type.

> How? Go to Terminal.app > Menu bar > Terminal, click “Secure Keyboard Entry”.

I wasn’t aware of this setting. Seems like it should be enabled by default.

I had Secure Keyboard Entry enabled before, but starting on macOS Monterey it unfortunately causes other apps to launch in the background when Terminal is in the foreground, which makes the feature unusable for me.

https://lapcatsoftware.com/articles/monterey-security.html

Oh, that's perfect. I hate how new apps get focus on macOS. Of course, now they'll "fix" it because I found some useful feature somewhere ;) .
Yeah, this sounds like something I've always wanted. I'll take the inconvenience of having to explicitly switch to newly launched apps if it means that a newly launched app will never again steal focus while I was in the middle of typing.
This feels like a false dichotomy to me.

If I click an app in the Dock, I want it to come forward, always.

If an app launches for some other reason, I don't want it to steal the focus, ever. But that's in general, independent of Secure Keyboard Entry.

My issue is that some apps take a while to start. While waiting, I go to do something else and then get brought back when the app finally decides to wake up. Apps being able to steal focus from a system password entry dialog is pure incompetence IMO.

Fun side note: apps can steal focus from the lock screen password entry too (maybe this one has been fixed). Made it "fun" to log into locked screens while CI spawned dozens of windows in the background.

> My issue is that some apps take a while to start. While waiting, I go to do something else and then get brought back when the app finally decides to wake up.

Agreed. I think I filed a Radar about this a dozen years ago or so.

But the new Monterey behavior doesn't solve this problem, because it only applies to very limited circumstances.

I want user interaction to be free of race conditions. If I click on an app that takes 1 second to start, then start typing, the resulting behavior shouldn't change based on whether I started typing before or after the window appears. In both cases, the input shouldn't make it to the previously focused app, and perhaps the input should even be buffered and sent to the new window once it appears (though I'm unsure if this is a good idea).

And if you click back on the old window after clicking an app icon (which is slow to load), the newly opening app perhaps should not steal focus (interrupting user interaction at an unpredictable point) once it does pop up (though I'm unsure if this is an ideal user experience, how should the new app indicate its presence?).

Hard disagree - the expected behavior should be: If I launch an item from the dock/finder AND I also don't context switch to another application, then and only then should the window show in the foreground and steal keyboard focus.

I can't even begin to list the number of times where I've hit the enter key in an IDE at the exact moment that a application with a crucial modal message box steals focus.

> Hard disagree - the expected behavior should be: If I launch an item from the dock/finder AND I also don't context switch to another application, then and only then should the window show in the foreground and steal keyboard focus.

I'm not sure there's a disagreement here at all. Normally there shouldn't be any time for a context switch between launching an app and the app showing its window. If you're talking about a slow launching app, then yes, I agree that's a problem, and I commented on that here: https://news.ycombinator.com/item?id=31867084

In general, app launching is too slow nowadays. Apple used to optimize this on Mac OS X, but they seem to have completely given up. Maybe it's "security" checks. Anyway, it can be annoying.

I can’t count how many times I’m typing something (and since I don’t touch type, I’m looking at the keyboard, not the screen) and when I look up half of my text has gone into another app. I actually wish I could enable this one everything, not just secure text fields.
That was an incredibly frustrating read. You click on an app in the dock and it doesn’t come to the foreground, and Apple marks this as “works as designed”?

Just no.

One of the many strange behavioral quirks of MacOS. I really love MacOS' compositor, but the window manager on top of it is just... yuck.
You can use the following to set it as part of your install and setup automation script if you have one

  defaults write com.apple.terminal SecureKeyboardEntry -bool true
You can get most of the way to hardening to CIS level 1 picking more up-to-date fork of these https://github.com/jamf/CIS-for-macOS-Catalina-CP.

FWIW, CIS level 1 will mean people get locked out of their machines very frequently. Complex 15 character passwords with 3 retries from memory. So you need a half-decent MDM to unlock quickly. There is no half-decent MDM out there. Only shit ones but workable like Jamf.

Also the username does't get auto-populated on login so the typo can be in username but the user assumes it is with password. Very fast way to get lock outs.

To pass a full security review you might want to play with Google Santa. But that is intense.

Also disabling things like AirDrop and biometric unlock is a productivity inhibitor.

Disabling Bonjour can cause strange problems for some people (e.g. using Reflector 4).

Basically I hate my mac that is hardened all the way so have a second machine (Mac Studio Ultra) in a more secure location that is less hardened and more pleasant to work with.

mosyle is an ok MDM. Just ok, not great, but it works.
> There is no half-decent MDM out there. Only shit ones but workable like Jamf.

Can you please elaborate? What problems would you pay to see solved in MDMs?

Couldn't you do something weird like have your mac be super hardened and then run a VM of OSX inside of that with more convenience features enabled?

Like using a jump box basically but with no external machine

CIS benchmarks are guidelines and aren’t intended to be applied blindly. You should consider the benchmark as the optimal least permissive perspective and adjust to solve the problems you have.

Many of the folks who contribute to CIS come from .gov backgrounds and have a bias towards the compliance controls that state/local have to deal with. Note the word compliance vs. security. The password thing for example is driven by IRS Pub 1075 — most everyone else has moved on to more rational standards.

Santa isn’t that bad if your endpoints pretty much only run Chrome, which is a large swath of enterprises these days (not all of them of course).
> no half-decent MDM out there. Only shit ones … like Jamf

Out of curiosity, have you looked beyond usual suspects such as JAMF or inTune to targeted solutions like https://mosyle.com/ or ultra straightforward like Apple’s new https://www.apple.com/business/essentials/ ?

// Your last comment is interesting, I think there’s a lot to be said for a dedicated trusted-work-only machine, with no email, no web browsing other than admin panels.

> Install and configure Google’s Santa.

Interesting, I'd never heard of this before. "A binary authorization system for macOS". Open source.

https://github.com/google/santa

I've set this up once. It is a mammoth and ongoing effort to tune it for your org. Ended up dropping it for all but the most locked down machines.
Can you say how the setup compares to Little Snitch, for example?
That is like comparing apples to oranges.
> That is like comparing apples to oranges.

That doesn't seem like helpful reply.

I was asking about the time/complexity/difficulty of setup. It can be somewhat painful to setup and train Little Snitch, but it's ok after that.

Little Snitch seems to be a consumer-focused product while Santa is more for org-wide policy management, although I didn't check if LS had a business product available.
Is it just application whitelisting / blacklisting basically? Sounds like Applocker which is used extensively and not THAT much work to really tune. Bit of upfront work and then its pretty smooth sailing from there - especially of course if you just run it in the monitoring mode without any enforcements.
I love it as a way to prevent Apple Music and other default apps from ever running, which happens from time to time for some reason I can never figure out.
Or some Apple TV app that constantly starts up for some reason that I can not figure out at all
If you never use those apps, you can also remove the executable flag with `chmod -x` and they won’t open anymore.
You cannot touch system apps when SIP is engaged.
Only time I've seen that is when I connected an AppleTV remote to the Mac to charge it. Pressing the buttons launches the Music app.
Do you own AirPods? When removing them from your ears, it’s easy to accidentally click the stems. The system interprets that as a Play command and will often launch Apple Music in response.
I'd keep Guest access for desktop usage enabled, mainly for asset recovery. A Guest user can be restricted to internet browsing which makes a poorly informed thief likely to connect the device to the internet, allowing for FMI to ping the (approximate) location and do a remote wipe. You can still leave guest access for other facilities off while keeping this on.

The question would become a matter of "is recovery part of security"?

If this works, it’s a legitimately good idea. Otherwise the thief might realize he can’t connect and try to wipe the device directly.
> mainly for asset recovery

Aren't backups a far better solution?

I think asset here means the computer itself.
I feel like this isn't much of an issue with newer macbooks where bluetooth via Find My network allows location data to be exfiltrated regardless of wifi connectivity.

Also, I believe (on M1) that entering guest mode requires the computer to reboot into an untrusted state, so even if there's some 0-day to bypass Guest mode access control, the main encrypted filesystem won't be available.

Is doing a fresh install of the OS still necessary in 2022?
It’s mostly a config reset, just to cover bases in things you may have messed up in the past and forgotten about. Always a good idea, and easy, but not a total solution
>Enable automatic software updates

This is one I'm always torn about.

There are countless iOS and Android apps that forever ruined by future updates. And unless you have the older version lying around (ipa/apk) then you can never downgrade. I experienced similar with MacOS apps too and generally on other OSes as well. I'm okay with automatic software updates for the OS but for general standalone apps not so much.

> The advanced stuff

> For the security enthusiast, who wants to go the extra mile.

> 16. Use a password manager

Hard disagree. Using a decent password manager ought to be considered one of the baby steps of online security.

> Using a decent password manager ought to be considered one of the baby steps of online security

It's a lot more effort to configure a password manager than it is to check a few radio buttons and then move on.

There's a big exception: the built-in Keychain is solid and very easy to use. In 2022, my advice would be to use the built-in password manager for everything _unless_ you have a strong cross-platform requirement, in which case consider things like 1Password.

Plus, that's setting you up for WebAuthn passkeys to become more pervasive and that's a transformative change relative to password logins.

Not OP but author, you're right. Totally agree. I will update the post.
Especially that Keychain makes it so easy on macOS, so no additional setup is really required.
the MacOS keychain application is a fantastic built in piece of software. I wish they’d do more with it to make it more user accessible
I've never heard of the "Steven Black DNS list". Is it legit and valuable?
Yea it's somewhat valuable (if you use it, make sure you keep it up to date.) An alternative would be Pi-Hole, which handles not just your machine, but the entire network.

Neither of the above, replace a proper content blocker, like uBlock Origin (which can block much more than just DNS lookups.)

drduh’s macOS Security and Privacy Guide is linked in that article and I found it to be a good quick read.

Some of its suggestions like use Tor are out of date.

I'm somewhat surprised that using an HSM like a YubiKey or NitroKey isn't on there. Mac OS has had pretty solid support for smartcards and tokens for a very long time now, improving significantly in the last 5 or so generations. Even for Macs with biometrics keys can still be useful in a multiuser environment or for the convenience of not needing to reach for the Touch ID (and be limited to an Apple keyboard). Login becomes a matter of just plugging in the key and entering the PIN. Most system authentication and sudo by default as well. Makes it much more convenient to have a long good password, though unfortunately FileVault (and 1Password is also a shitty, glaring example here) remains an outlier. Can disable automatic login following use of FV just fine though, and having it for system auth is still good. And it's another option (and one that can be backed up physically) for websites as webauthn spreads.

It costs money but it's not technical to work with either. Hopefully the day comes when password managers are effectively obsolete because we finally finally FINALLY give up on the ludicrous practice of using symmetric information for 3rd party authentication.

I think this breaks the "don't compromise usability" rule set at the top. While "what you have" is quite good compared to "what you know" (a regular password), chances are the Mac they're buying has some form of Touch ID for authentication, which is only slightly worse than a physical smart card since it only opens up two attack vectors: chopping off your finger, and someone cloning your fingerprint while engineering a way to fake the sensor's liveness check.
>I think this breaks the "don't compromise usability" rule set at the top.

What? It's more, not less usable. You plug in a key and now all you need is a 4-8 digit PIN for most operations while still being secure, not a 20+char random password, and it's not tied to a specific system either. HSMs are one of the rare cases in security where they are both more secure and better UX.

>chances are the Mac they're buying has some form of Touch ID for authentication

I addressed this. That only applies to new and new-ish notebooks unless you also get a special Apple-only keyboard. Even for notebooks, it only applies if you have the notebook close, open and/or are happy to reach for it. If someone is doing the common pattern of their notebook docked at their desk to another screen and peripherals at least some of the time, now Touch ID is most decidedly not right there (again, barring sticking only to Apple keyboards). And not everyone is 100% exclusively in the Apple ecosystem, even if they have lots of Apple stuff. If website credentials are tied to keys, one can just unplug and plug it into a Linux/BSD/Windows system and still login fine.

I don't disparage making use of biometrics on Macs or iDevices a single bit, and indeed I think it's weird and silly that Apple hasn't done Face ID for the Mac. But that doesn't mean USB keys or smart cards aren't super handy for a lot of Mac usage same as they are on any other system. It's a fairly polished built-in supported feature of macOS, no reason not to consider taking advantage of it.

That would clash with Apple's Not Invented Here syndrome. The rest of the world will quietly continue using smartcards and PIV tokens for stringent security....
Looking at that list one starts to wonder, wouldn't it be easier not to turn the computer on, not to buy at all?! : D

Isn't this just mental that you are a hairline away of peril if you do not do a twentysomething steps massaging every inch of the system right away?! : )

missing the most important one: use a non-administrator account as a daily driver
I did this for close to a decade and I agree it's important, but I feel it's less important on Monterey with Apple Silicon. They're really locked down a lot of things with the ARM binaries. And, there are a few things which have just become so tiresome when running as a regular user, that I finally just gave in and upgraded to an admin user.
> "there are a few things which have just become so tiresome when running as a regular user"

Like what?

I'm also curious as to what is tiresome running as a regular user. I'm a developer and run two users (standard/admin) without any issue. Only issue I run into is having to switch to the admin user to run brew.
...which you can do with:

    su - admin
You can also run gui apps as admin, like:

    sudo -u admin /System/Applications/Utilities/Console.app/Contents/MacOS/Console
Don't forget dragging the app onto the terminal window completes the path
Remember when Apple made a delusional commercial that mocked UAC [1] yet here we are over 15 years later and it looks like Microsoft was the one that got it right. Under Windows you can have multiple windows open each running as different users.

[1] https://www.youtube.com/watch?v=DUPxkzV1RTc

I had a situation with my new Studio where elevating didn't work. It got into a loop (asking for permission, getting it, trying and failing and asking again), but I can't remember now what it was... it was in the setup phase, and I'm foggy on exactly what it was.
> Reconsider the risks of browser extensions

This is underrated. There are many, many browser extensions I would love to use, but I will never install. If it's from Google or Apple or a company I pay money to, I will install it. Or if it's uBlock Origin or Privacy Badger. Otherwise, I just don't trust that a future update after the sale of the extension won't turn evil.

I think it depends on the permissions the extension asks for at the time of install. If a future update tries to escalate their permissions to access all websites, at the very least you will be notified about that.

But, if you install an extension that from day 1 gets full dom access to all sites, it already has everything it needs to be evil.

Agreed. There are a lot of extensions, tab managers for example, that get to see a LOT. I'm very unhappy with the state of Firefox tab management, but damned if I'm going to install one of those extensions. Who knows what evil deeds they will do now or in the future.
I use Tree Style Tab -- it's actually one of the main reasons I use Firefox -- and this does make me a bit nervous. TST and its competitor Sidebery are both Firefox "Recommended Extensions"[1], which receive extra scrutiny from Firefox staff. I'd like to think that these extensions are as trustworthy as the browser itself, but the Firefox article doesn't go into great detail about how (and how frequently) they review these extensions.

[1] https://support.mozilla.org/en-US/kb/recommended-extensions-...

I did look at that. I guess I just don't/can't trust the Firefox staff to make sure it doesn't turn evil, before doing a lot of damage. I figure if it does turn evil, it will be noticed after a short while, but lots of data could be collected in that short time.
(comment deleted)
Coincidentally, NIST published the SP 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)[1], a few days ago. NIST hosts all you need to verify as well as enforce several compliance requirements in their official GitHub repo [2]. The following baselines are supported for macOS Monterey:

- NIST SP 800-53r5 Low, Moderate, and High - DISA-STIG - NIST 800-171 - CNSSI-1253 - CIS macOS Benchmarks Level 1 and 2 - CIS Critical Security Controls Version 8

If you've been following the project closely you'll notice that rules that were originally written as shell scripts are going away in favor of config profiles.

[1] https://csrc.nist.gov/publications/detail/sp/800-219/final [2] https://github.com/usnistgov/macos_security