macOS Ventura: Journey to Security and Privacy

  • Published: 3 Aug 2024
  • I have wanted to put this together for some time. I started out using an Apple ][+ back in 1981, using various Macs including Mac AUX (UNIX for Mac). I still use Macs today, but the Macs and Mac software aren't the same.
    In the beginning, I used the Mac as a standalone machine, but as I began using UNIX, it became clear to me the Mac and its operating system were a better client than Windows as a client to UNIX servers. I designed my first website in 1992 on a Mac and hosted it on a DEC 11/780, later moving it to an AT&T 3B2 Model 5, and then a Sun Sun Fire machine. Today, it runs on some cloud-based x86_64; I no longer run it, but the website is still there.
    There is more concern with macOS regarding privacy and security. The question is: can we users tame it, get it back under our control and away from corporations who want to put their noses into everything we do? This is my attempt to show some of the things I have learned along the way to help wrestle the software back and use the machines to solve problems without telegraphing what I do to Apple, and the people they sell our data to.
    As I have said before, security and privacy is not a destination; it is a journey along an ever-changing road, with new challenges and obstacles placed along the way.
    Even Linux is starting down this road, so if you think Linux is immune... you might want to read a bit more recent articles.
    00:00 - Start
    00:14 - Threat Models
    01:24 - Keep Your System up-to-date
    01:32 - Encrypt Data at Rest
    01:39 - Encrypt Data at Rest
    02:18 - Rapid Security Response
    02:54 - Backup Your System
    04:08 - Verify the Backup
    04:21 - Re-Installing macOS
    05:07 - Browser
    07:30 - Cookies
    10:03 - Firmware Passwords
    10:44 - Captive Portal
    11:50 - Firewalls
    14:22 - pf firewall (same one used in pfSense)
    16:55 - GPL Removal
    20:19 - Passkeys
    22:27 - Wrapup
    Support me on Patreon: / djware
    Follow me:
    Twitter @djware55
    Facebook: / don.ware.7758
    Gitlab: gitlab.com/djware27
    #macOS #Security #Privacy

Comments • 31

  • @TheAces1979 1 year ago +15

    The best analogy for cyber security I ever heard came from John Hammond who said, "We're layering swiss cheese. We know there are gaps in each layer we add. We also know we're never going to add a layer that doesn't have one. But the idea is that if we add enough layers? We can reduce the possibility of giving a hacker a clean shot all the way through. That's the best we got."

    • @CyberGizmo 1 year ago +5

      Sad indeed, sounds like an IBM approach to problem solving: load up every solution you can think of, fire, and hope something hits.

    • @TheAces1979 1 year ago +2

      ​@@CyberGizmo Agreed! Inelegant, but effective. Regarding your disapproval of biometric methods of MFA? I second this. Aggressively. For all of the points you mentioned and for one more you didn't. Under duress? A password or hard token can be surrendered. But biometric methods? Things like palm, retinal and fingerprint scanners? Well...those things have to be "borrowed" from you. And your permission is not needed to do so. I think I'll stick with my YubiKey.
      Thank you for coming to my tedTalk.

  • @amandamate9117 11 months ago +1

    old guy with a sharp mind, count me in ! you gained a follower

    • @CyberGizmo 11 months ago +1

      Welcome to the channel!

  • @50PullUps 1 year ago +1

    Chromium-based web browsers are the perfect means of exfiltrating data from your company. You can sign in with your Google or Microsoft Account, synchronize bookmarks and passwords, and then title your bookmarks with whatever you want.
    And most organizations aren’t sophisticated enough to understand, much less implement, an MDM that could address that vulnerability.

  • @ericjohnson5990 1 year ago +5

    The Nix package manager can also be installed on Mac OS. Works pretty well!

    • @CyberGizmo 1 year ago +1

      Thanks Eric

    • @gregandark8571 1 year ago

      @@CyberGizmo Can I make my custom macOS images the same way as on Windows, where with DISM I can make my custom ISO of the OS?

  • @JohnnieWalkerGreen 1 year ago +1

    Having a backup set can give a deceptive feeling of security, especially if you DON'T KNOW how to restore, both as a whole or in parts.

  • @Disrupterds 9 months ago

    I don't use MacOS. What I do about cookies is I have a bash script for each of my web browsers and when they close the cookies are deleted. It's annoying to have to log back into everything, every session, but at least I know I'm somewhat less exposed. Security is NOT convenient. The easier it is for you to access and use your machine, the easier it is for everyone else.
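
A sketch of the kind of wrapper the comment above describes, as an added example (not the commenter's own script). It assumes a Firefox-style profile directory, where cookies are stored in `cookies.sqlite` plus SQLite's `-wal` and `-shm` side files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run a browser in the foreground, then delete its cookie
# store once it exits. Assumes a Firefox-style profile layout.

# purge_cookies PROFILE_DIR
# Remove the cookie database and its SQLite side files from the profile.
purge_cookies() {
    profile=$1
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    # Deleting only cookies.sqlite can leave recent cookies in the -wal file,
    # so all three files are removed together.
    for f in cookies.sqlite cookies.sqlite-wal cookies.sqlite-shm; do
        rm -f -- "$profile/$f"
    done
}

# run_then_purge PROFILE_DIR COMMAND [ARGS...]
# Runs COMMAND, waits for it to exit, then purges the cookies.
# The purge runs after a crash too, since it ignores the exit status,
# and the browser's exit status is passed back to the caller.
# Caveat: if the launcher hands off to an already running instance and
# returns immediately, the purge happens while the browser is still open.
run_then_purge() {
    profile=$1; shift
    status=0
    "$@" || status=$?
    purge_cookies "$profile" || return 1
    return "$status"
}

# Usage (the path and command here are placeholders):
#   run_then_purge "$HOME/.mozilla/firefox/PROFILE_NAME" firefox
```

Bookmarks, history and saved logins live in other files in the profile and are left untouched.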

  • @HaydenLikeHey 1 year ago

    The message on fixing the root problem reminds me of a story Dave Plummer, a former Windows engineer who makes vids on here, told about his team reading some book and being so rocked by it that they paused all production on new features to focus solely on security for a good while. I just don't see that happening today, though I'm not in the industry and couldn't comment for certain. There could be a lot going on behind the scenes, but based on this look into macOS, probably not 😂

    • @CyberGizmo 1 year ago

      You are right. Today, marketing sets the due date and the budget, and the concentration is on getting the software out the door on time, no matter what state it is in. I guess they missed the study from the 1970's which showed it costs 1000x more to fix a bug after release than during development.

  • @Gosu9765 1 year ago

    From what I've heard even if you don't use file vault to encrypt the drive it's already encrypted by the means of the T2 chip, but that won't only allow swapping of the drive to a different device to get into the data.

    • @CyberGizmo 1 year ago +1

      Encrypted, true; however, if you want to use a password to decrypt the data, turn on FileVault, otherwise you will be relying solely on the T2 chip.

  • @KentsTechWorld 1 year ago +1

    HAL 9000 is always watching ;)

  • @maciej-36 1 year ago

    No official package manager after all these years... How come so many developers use Macs if the first thing they need to do is to install third party software manager?

  • @guilherme5094 1 year ago

    Not my cup of tea, but thanks DJ👍

  • @satysin630 1 year ago

    On Intel Macs with T2 and on all Apple Silicon Macs they now support the Erase All Content & Settings functionality that blows away all user writable areas of the SSD (via destroying the encryption key stored in the secure enclave), verifies the volume seal is intact against signatures it verifies from Apple's server (so network access is required) and gives you a clean 'fresh out the box' system. It takes just a few minutes and is the preferred way (by Apple anyway) to reset a machine vs a 'reinstall' of the OS. Of course this only works if you want a clean system using the same version that is currently installed; if you want to up/downgrade to a different version of macOS you will need to of course get that version of the installer and do a manual clean install.
    Regarding firmware password, this feature was removed on Apple Silicon hardware. You can read more about this on Apple Support article HT204455.
    I've been a long time user of Little Snitch and while it is a bit "chatty" as you said IMHO that is the price you pay for outbound connection monitoring. Like you say regarding your threat model, for my particular use I am not concerned about Apple's OS binaries making outbound connections (if I were I wouldn't be using macOS in the first place) so I have Little Snitch setup to allow those without nagging me constantly. However any third party apps I have installed myself I am prompted about. It is a compromise I am happy with and has treated me well for a long time now.
    Also Apple's new Advanced Data Protection is something to mention for end-to-end encrypted iCloud.

  • @gregandark8571 1 year ago +1

    Can you explain to us how to disable macOS telemetry?
    I don't want my data being snitched from Apple.

    • @CyberGizmo 1 year ago +2

      a good suggestion for a video will add it to the list

    • @gregandark8571 9 months ago

      @@CyberGizmo
      Thanks.

  • @capability-snob 1 year ago

    The point of an OS is to allow programs to run without taking control of the entire system. So if arbitrary code execution is considered a vulnerability, you made some critical error when designing the thing.
    I don't trust 99% of the code I run: I didn't write it, don't know who did, and I haven't been able to audit it. So, running untrusted code should be the one thing an OS should be able to do safely.
    The problem with the browser is it's no good at keeping secrets. The dev tools shows your cookies and secret urls to anyone you screen share with. They store these to the disk. TBF the OS offers no protection it could use.

  • @retroatx 1 year ago +4

    I once wrote an OS called RATs OS with RAT being my initials and the OS name being a play on "I don't give a rats arse"... It was for the MC6809 processor and included a full BASIC interpreter as the command line processor... It was lame

    • @oldpain7625 1 year ago +1

      Sounds pretty freaking cool to me

    • @capability-snob 1 year ago

      There is a mainframe OS from 1974 called RATS, for the plessey 250. Great minds, I guess 😉

  • @callmeNeno 10 months ago

    Basically don’t use google chrome or windows pcs ~

  • @Stopinvadingmyhardware 1 year ago

    Whew, Mac OS is a tough OS to secure.
    Especially when everyone is targeting you. Moral of the story, people are generally terrible.

  • @christopherjackson2157 1 year ago

    "A MacBook is a device designed to download and execute untrusted code from the internet" ;)
    I like Lynis. Tho I think it can give you a bit of a false sense of security. It could be smarter than it is.

    • @CyberGizmo 1 year ago +1

      Lynis is just one tool of many, but for what it does, it is easier than some of the other ones I have tried.