Guide should probably mention automatically updated Chrome extensions. There have been multiple cases where the owner of a popular extension sold it to a 3rd party that pushed out malicious updates. Tab Manager is the most recent instance that comes to mind: http://security.stackexchange.com/a/130600
Chrome does disable extensions when an update requires new permissions, but that won't catch malicious updates to extensions that require extensive permissions for basic functionality.
And means that Chrome will nag you about your "developer mode extensions" every time it starts up. I know why they do that, but it's still annoying. :(
This is similar to how Android warns me every single time I reboot that an unknown entity can observe my network traffic. The unknown entity, of course, is me (I've installed a certificate for my Streisand server). But still, it flashes a warning every single time.
Of course, this means that if anyone ever does install a malicious certificate on my phone, I'll be none the wiser. Thanks Google!
The reason for that warning is the fact that when you add a certificate that is not trusted by Android, it goes into the personal cert store. When you add a cert to the personal cert store, the system requires a higher security level to unlock the device. Hence the warning and the PIN/password nag.
But if you manage to add your cert to the global system store then Android will not issue any warning. Here's how to do it:
1 - Add your cert normally. It will be stored in your personal store and Android will ask you for a PIN/password.
2 - With a file manager which has root access, browse to /data/misc/keychain/cacerts-added. You should see a file there. This is the certificate you just added at step 1.
3 - Move this file to /system/etc/security/cacerts.
4 - Reboot the phone.
5 - Now you can clear the PIN/password you have set to unlock the device and there are no warnings.
I won't recommend doing this blindly as by doing this, you are actually man-in-the-middling yourself. But if you know what you are doing, this is the way.
Yeah, and that's even more stupid if your threat model considers your country and ISP as an adversary. We don't all live in nice countries, and in this case not having a VPN is far worse in terms of traffic interception than having your Streisand or similar. I guess Android developers are only aware of suspicious VPN providers and do not even provide an option to reverse this warning banner.
Oops. Thanks for the correction! Looks like Windows and Mac Chrome developers are out of luck now, unless they are brave enough to try a solution listed here:
I like reading guides like this, and they're useful in a sort of encyclopedic sense, but the problem with them is that they're really a "practical guide to doing every conceivable security thing you could do" with macOS, which is in fact not the best way to secure your operating system. For instance: it's probably not the world's greatest idea to go out of your way to install Adium for secure messaging on a locked-down Mac.
The cryptographic advice in this particular guide is not especially great. You can, for instance, safely ignore what it says about randomness (and, in particular, about how it interacts with FileVault's XTS block crypto). Its advice about password management is needlessly complex (if you trust Keychain, use Keychain Assistant to generate passwords, not OpenSSL --- but most of the cool kids just use 1Password, and they're right to do that).
I suggest pass [1]. It's just gpg with git. If you don't like the command line very much you can use a front end for desktop [2], Android [3] or iOS [4]. There are scripts to migrate from other password managers.
I have been using pass on Mac and all my other computers for over a year. The only thing missing is a proper dmenu alternative for Mac, but I modified https://github.com/oNaiPs/dmenu-mac to work with pass and paste the username/password to the clipboard. If I get time I will publish this code because it makes pass fly.
I do, I've been a heavy user of both for 4+ years, but I'm not a security expert of any kind.
LastPass has been exploited a few times in ways that could have given up passwords. Their UX and server infrastructure seem to be a mess of PHP scripts; that itself doesn't have to be insecure, but it is a code smell. Their commercial support looks unmaintained. Both platforms support "cloud" based syncing, but since 1Password's is pretty new I can't speak to it.
1Password does local encryption outside of the browser, LastPass will encrypt locally in the browser.
1Password can leverage other file transports to sync passwords, iCloud, DropBox, or any shared directory. LastPass does it all with their servers.
LastPass's web interface if compromised can have you give away the password to all your passwords. 1Password has a much smaller risk of this and would probably have to include a malicious software update.
1Password Families/Teams exists and I'm not familiar with it but it probably has a similar attack vector to LastPass's web interfaces.
You know, they both offer end to end encryption with similar attacks. Overall these companies are big targets and I'd rather keep my passwords offline or synced via side channels in a standalone app like 1Password.
PS: I'd be remiss if I didn't mention Dashlane https://www.dashlane.com/. I hear good things and it's passed review at a few companies who know their stuff, but that's all I know.
The debate that the smart people have on that one still seems to go back and forth. I can find people I respect who have both opinions.
My only contribution is that I suspect that in practice almost every site leaks this info if you try hard enough, via some form of timing attack. You can get off-the-shelf "constant time string comparison" algorithms, but it's impractical to write anything much larger in a constant-time fashion, certainly nothing as complicated as a full authentication flow, especially in the light of the complexity of the systems we program on nowadays, with so many layers of caching to exploit for timing, etc. I've leaned in the direction of going for the user-friendly approach in my code, though I've only come around to that recently.
I mean, honestly, it's not a crazy trade-off to let people see the username, especially if you have a registration page that's going to tell people "sorry, that name is already registered."
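The trade-off discussed above (username enumeration through timing) can be made concrete. This is an added illustration, not code from the thread or from any of the products it mentions: a deliberately leaky login check next to one that does the same key-derivation work and a constant-time compare whether or not the user exists. The user store, the KDF parameters and the dummy record are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample store: username -> (salt, PBKDF2-SHA256 hash).
# Iteration count is kept low so the demo runs quickly; a real deployment
# would tune it (or use a memory-hard KDF). The point is the control flow.
_ITER = 20_000


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _kdf(password, salt)


USERS = {"alice": make_record("correct horse battery staple")}

# One fixed dummy record so that an unknown username costs the same KDF
# work as a known one. Its password is random, so it can never be matched.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _kdf(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Early return on unknown user: the fast path reveals that the account
    does not exist. The '==' on bytes also short-circuits on first mismatch."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return _kdf(password, salt) == expected


def login_equalized(username: str, password: str) -> bool:
    """Same KDF cost and a constant-time digest compare on both paths."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _kdf(password, salt)
    ok = hmac.compare_digest(candidate, expected)
    # Belt and braces: the dummy record must never authenticate anyone.
    return ok and username in USERS


def min_time(fn, *args, reps: int = 10) -> float:
    """Best-of-N wall-clock time, in seconds, for a single call."""
    best = float("inf")
    for _ in range(reps):
        t0 = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - t0)
    return best
```

Comparing `min_time(login_leaky, "nobody", "x")` with `min_time(login_leaky, "alice", "x")` shows the unknown-user path returning orders of magnitude faster, while the two `login_equalized` calls take the same time to within noise; the compare itself is only one layer, the surrounding flow (caching, database lookups, rate limiting) still has to be considered.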
I've been using Dashlane for the past 12 months. It is excellent. Integrates well with OSX, Chrome, Firefox and Android, haven't heard of any security issues/break-ins or them handing out everyone's password data to anyone who shouldn't have them. I'm sticking with Dashlane for the foreseeable future. There's certain things that would be "nice to have" such as an API so a command line utility could be built but I'll deal with it.
You will probably get tons of bad comments on KeePass security (especially for 2.x, the "Professional" version, since it's developed with .NET C#), but the KeePass threat model is way easier to handle/secure than any of those cloud based password providers. Just remember to keep it updated and use a password and a key file to protect your database.
Plus remember to read the Security section for clarification on "ways to pwn you": http://keepass.info/help/base/security.html
I'm assuming this specifically refers to the 1Password app (iOS and macOS)? Do you have better-informed-than-me opinions of their web based 1Password for Teams? (I'm using it at work, but don't "trust" it in the way I trust my personal passwords to the 1Password apps on my phone and laptop. Not because I know of any specific vulnerabilities, but just because "Web app? surely that's a probably-unnecessary risk for my passwords?")
I've run 1Password in wine on Arch for years. Both the app and the browser plugin are styled like Win95 applications (even after changing the winecfg settings), but otherwise run flawlessly.
I have wondered if running 1Password through wine would introduce some not-considered attack vector, but I've yet to hear it.
I think you might be overthinking it, though I can understand how it's a daunting question.
I believe the intent is to ensure that it's understood the list isn't a requirement, but rather the varying options and levels of security you can have based on your wants/needs.
When asking someone to create a threat model, you can begin with a simple question: "What are you afraid someone will do to your computer?" From this, you can then begin to piece through the list and look for items that address that.
Just care about malware? Look at the scanning tools.
Fearful that some bored teens in Eastern Europe are goofing around with hacking shit? Look at the security and notification tools.
Think Putin is sending the new FSB/KGB after you for your exfiltrated борщ recipe? Look at the disk encryption section. (and perhaps professional help)
Maybe it could use some clarification, but I think the author's intent here was to convey that the list isn't a laundry list of "do this or your computer is going to be attacked", but more that you get what is required for your needs. Many of these tools require that you adopt different computing habits than traditional computing, and not all are applicable to every single use case.
Be careful. Some of these tools do not include any way to reverse their settings. A friend followed one of these guides and we had to reinstall the OS to get some wireless tech working again (Might have been AirDrop).
But what I miss most is a deeper analysis of the different launchd services and agents, especially which ones can be disabled and what features will be impacted.
It is quite opaque, especially considering the verbose descriptions of Windows Services out of the box.
I want to disable all these, for me, useless features: handoff, geo, maps, icloud, push, commCenter, spotlight web, siri, social integration, diagnostics reporting, and many more.
It has been a very annoying experience of seemingly unrelated parts of the OS breaking when disabling anything, and log spamming of unsuccessful attempts to use it.
The parts of the OS you are describing were not designed in a modular way. It seems to me like you are using the wrong operating system if you want this level of control.
Ah, I'm holding it wrong. :P
I use FreeBSD, Linux and Windows. I like macOS, I want to use it, but not under a fascist rule of the one holy way.
It is a tool and should not push policy through arbitrary limitations. But it seems we are caught in a war of lock-in ecosystem providers. Kind of a more realistic version of the much used picture of corporation-states or societies in sci-fi.
Apart from this, hypothetically I might not only be an end-user but also an admin who has to implement certain policies. The argument is never sound; there is always an economic or practical tradeoff and you are stuck somewhere and have to make it work and yours.
The UI is polished, commercial and refined apps are available, and technologically it is a reasonably sound design.
I have my *nix shell with software from macports as well.
I just don't have the motivation or time anymore to make linux fit my personal computer needs, it always ends up in rabbit holes of tangles to accomplish many things and when you are actually trying to accomplish something unrelated to playing with it.
Do you think the two might be related? One is modular and configurable and ends up in rabbit holes of tangles and the other is monolithic and controlling but keeps the trains running on time?
Sure they are related. But it's not black and white, and not an absolute correlation.
macOS itself is actually designed in a very modular way if you look at the message based integration of components via XPC and "do one thing" daemons.
I have accepted that I must forfeit some personal preferences in the Apple ecosystem, but I choose to draw the line with not being able to disable intrusive and privacy related features/components.
A similar complaint can be made about Windows, which is more monolithic in its design in my view, but it offers (as mentioned in my top-level comment) proper descriptions and a UI to disable services. Also there are many tools like Win10Privacy and such available which disable a lot without making the system constantly misbehave.
"trains on time" - While I appreciate the metaphor, when considered carefully, it is more likely Linux and the pragmatic approach that makes the "trains run on time" in many fields (embedded and server-side).
It's designed to be modular for ease of development by Apple folks. Whether they extend the benefits of that modularity to you, the user, is entirely case-by-case -- and the default answer is 'no'.
While a government that's "monolithic and controlling but keeps the trains running on time" is clearly a bad thing, it's not clear that the same holds for computers -- particularly for your average user. I'm not too concerned about Apple locking down my machine as long as I can get what I want to get done done -- and that doesn't involve making my tool conform to some ideology. I have more important things to worry about -- even more important infringements on personal freedom -- and I'd rather have my tool work adequately with as little pain as possible.
that doesn't involve making my tool conform to some ideology
The only platform that does this is iOS, which embeds an ideology that forces developers to lock down their apps even against their own wishes, and hence prevents the use of GPLv3 licensed code.
Meanwhile, the major Linux distros include all types of licenses, including proprietary.
That is certainly true of the more recent versions, but at least there has historically been a far bigger wealth of information about tweaking and modifying Windows than any version of macOS, no doubt discovered through experimentation and reverse-engineering. On the other hand, Apple and its users' philosophy has always leaned towards the "don't look, don't touch, just use it as we made it" direction.
Linux and the BSDs are traditionally far in the other direction: extreme flexibility and customisability, but you really do have to configure things before you can start working. Windows is somewhere in the middle but (IMHO unfortunately) moving towards the Mac side.
"Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead)"
If your adversary is a 3 letter agency you'd better use no computer at all. If they can't subvert the OS (which I doubt) they'll subvert the hardware (hello Intel ME).
I used to follow the changes a lot on this repo. Lots of great discussion in the issues of balancing practicality and security. Like @ents mentioned though, there are some irreversible changes if you do everything they recommend. Although it'll make you more secure.
I don't do most of this. I'm waiting until I decide to wipe my Mac and have plenty of time to play with it. (which is going to be when exactly? Not sure.)
> I'm waiting until I decide to wipe my Mac and have plenty of time to play with it.
Clone a copy of your drive (use something like super duper) and then simply boot from the cloned drive. The clone drive can be another physical drive (attached via USB) or just use disk utility to create a separate partition and clone a copy there.
How often you find yourself locked out of your house obeys Murphy's Law, add lots of security and you will find yourself annoyingly locked out for silly reasons all the time. Have just the one simple lock on the door and you probably will not end up locked out, particularly given there is a key under the mat.
I had a laptop of mine retrieved by the police from a big rubbish bin. The screen was broken, it did boot up though. Another time I had the broken screen after being hit by a car. These things happen and I am always sure I can get in even if keyboard/screen/mouse isn't an option. It is more useful for me to be able to somehow access my machine even if broken, I imagine there will be circumstances of that.
When the police retrieved my laptop I wasn't exactly worried about my obvious login password or whether I had locked down that mysql port sufficiently. The thief wasn't even literate so those extreme security measures wouldn't have helped.
Yes, brew automatically checks that hashes of downloads match what was specified in the formula. This does mean you're trusting the formula maintainer(s), but anyone using brew is already doing that anyway.
Frankly, I am starting to have serious reservations about brew itself. It seems to now be forcing a self-update on every package installation, and that update somehow (I'm not a good enough *nix hacker to sort it out) gets some kind of elevated privs in the process: I've tried setting some of its component Ruby scripts read-only and even changing ownership, and they still get force-updated on package installation.
>http://brew.sh/
The home site shows a simple wget example for homebrew formulae.
The chain of trust is solid up until make and configure happen; at that point any number of things could happen, so it's a question of whether or not you trust whatever scripts it's running.
Unless homebrew has some sort of enforcement on what that script can do, it could do anything. This is why it's a really good thing that homebrew does not require root.
I have an MBP as my primary machine, and I do all of my development work in a VirtualBox VM running Ubuntu. macOS seems a lot more stable without 40 GB of development stuff installed.
Keep in mind this is a very rigorous script and modifies Windows 10 beyond recognition. In fact it kind of makes Win10 appear and function more like Windows 8.
Wow, and people laughed at all the Windows 10 antispy tools/script packs. Turns out this is the state of personal computing in 2016, nothing is decent out of the box anymore :(
At least in the case of free (as in freedom) software, the vulnerabilities can be exposed and patched. More importantly (and more relevant to this discussion), software freedom also tends to make it difficult for the original developer to hide malicious features.
Theoretically, yes, but if you're going to make that claim you'd need some hard data showing that exploitable bugs either happen less frequently or are going and patched earlier.
To be fair - they didn't make that claim, just left it up to you to assume the dichotomy.
It can be (and arguably is) true that "proprietary software is inherently insecure" - without requiring an opposite statement like "open source software is inherently secure" to also hold. (The wording in context _does_ strongly suggest that was the implied premise of the implied premise tho.)
How can I obtain reliable data on non-free software when the public cannot study the source code?
You also seem to discount the possibility of _intentional_ vulnerabilities (from the user's perspective) being included in the software by its developer.
You appear to be unaware of the large industry reverse-engineering software of all sorts. You could compare comparable projects and see whether source availability correlates with fewer vulnerabilities, lower severity, etc.
Similarly, the security community has discussed the possibility of intentional vulnerabilities in open-source software for decades. Sure, someone would probably notice if you submitted secret-nsa-exploit.patch, but it's unclear that someone would notice if e.g. you submitted a Heartbleed-style bug, not to mention something like the NSA's dual curve backdoor.
To be clear, I've been working with open-source software since the mid-90s. I think the model has a lot to offer but it's not magic. Lazy fanboy activism doesn't do anything but lower your credibility and help the companies which are arguing that open-source isn't safe to use (or isn't safe to use without paying them to manage it).