This has popped up a bunch of times before:<p><a href="https://hn.algolia.com/?query=macOS%20Security%20and%20Privacy%20Guide&sort=byDate&dateRange=all&type=story&storyText=false&prefix&page=0" rel="nofollow">https://hn.algolia.com/?query=macOS%20Security%20and%20Priva...</a><p>It's not good. See:<p><a href="https://news.ycombinator.com/item?id=17904304" rel="nofollow">https://news.ycombinator.com/item?id=17904304</a>
I love how this is offered fully in Chinese, and that reminds me of something. Every operating system like macOS has its place, no matter what one's threat model is. Don't just say 'move to Linux if you're really worried about security or privacy'.<p>Maybe someone in China or another authoritarian regime needs to look less suspicious on the outside by using macOS instead of Linux. For those people, this information is gold.<p>BTW, this is indeed the famous Github guide many of us have known for years, just now renamed and updated.<p>2016 HN discussion of it with the old title, 'A practical guide to securing macOS': <a href="https://news.ycombinator.com/item?id=13023823" rel="nofollow">https://news.ycombinator.com/item?id=13023823</a>
I'm somewhat surprised that this guide recommends Homebrew. I agree that using a package manager is a good way to keep software updated from a central, trusted repository--always a good thing--but Homebrew makes a number of trade-offs for convenience instead of security. MacPorts has most of the same common packages and doesn't mess up filesystem permissions like Homebrew does. If I remember correctly, the all-inside-the-home-directory technique used in this guide is unsupported by the Homebrew developers as well.<p>See <a href="https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-package-managers/" rel="nofollow">https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-pack...</a> for a more nuanced take on this.
I was looking at Yabai [1] as a window manager and it requires SIP[2] to be disabled for advanced features... Is SIP really needed ? I see that it didn't even exist since "since OS X 10.11 "El Capitan".".<p>[1] <a href="https://github.com/koekeishiya/yabai/wiki" rel="nofollow">https://github.com/koekeishiya/yabai/wiki</a><p>[2] <a href="https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection" rel="nofollow">https://github.com/drduh/macOS-Security-and-Privacy-Guide#sy...</a>
As a side note: isn't ChromeOS a <i>safer</i> alternative to macOS in 2020[1]?<p>[1] <a href="https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview" rel="nofollow">https://www.chromium.org/chromium-os/chromiumos-design-docs/...</a>
This guide is great. It's a pity there is no easy to use (maybe GUI) tool for the average user go be able to implement a lot of the things mentioned here. There used to a few scripts around but most seem outdated. I'm thinking along the lines of Harden Tools for Windows. Great open source project for someone.<p><a href="https://securitywithoutborders.org/tools/hardentools.html" rel="nofollow">https://securitywithoutborders.org/tools/hardentools.html</a>
The thing about PRNG "entropy" and when to enable Filevault is almost certainly false, and based on a misconception of how PRNGs work.<p>Also, recommending libpurple-based IM clients as a security/privacy measure, so you can run OTR over them, is probably a bad idea.<p>And it recommends Mac antivirus! Do not install antivirus on your Mac.
Nice guide. I didn't realize the security implications of iOS devices and the Touch Bar (being practically an iOS device itself).<p>I'd be interested to see an equivalent guide for Android devices. My current suspicion is that I'd be far more alarmed by Android than iOS but it would be nice to verify this.
Does anyone knows of a similar collection of tweaks, but for getting performance out of macOS?<p>Things like disabling Spotlight so it's not indexing node_modules and other folders, or adding tools to the Developer Tools to disable network checks with apple servers when you want to run a binary
i've increasingly been having issues with hands off![0] on my machine (intermittent high cpu usage, regular kernel panics), and was actually looking at this guide a while back to decide whether i should switch to pf instead[1].<p>but pf seems to require much more configuration and management. anyone have experience/pointers in this regard?<p>[0] i used to use little snitch many years ago, but ran into similar issues with it over time (maybe it's better now).<p>[1] <a href="https://github.com/drduh/macOS-Security-and-Privacy-Guide#kernel-level-packet-filtering" rel="nofollow">https://github.com/drduh/macOS-Security-and-Privacy-Guide#ke...</a>
> Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead);<p>A 3 letter agency won't be stopped by OpenBSD or any other OS.<p>There is so much security holes in the hardware itself and ultimately they can always "convince" you to release your data.