macOS Security and Privacy Guide

323 points by Nginx487, over 4 years ago

15 comments

pvg, over 4 years ago
This has popped up a bunch of times before:

https://hn.algolia.com/?query=macOS%20Security%20and%20Privacy%20Guide&sort=byDate&dateRange=all&type=story&storyText=false&prefix&page=0

It's not good. See:

https://news.ycombinator.com/item?id=17904304

mindfulhack, over 4 years ago
I love how this is offered fully in Chinese, and that reminds me of something. Every operating system like macOS has its place, no matter what one's threat model is. Don't just say 'move to Linux if you're really worried about security or privacy'.

Maybe someone in China or another authoritarian regime needs to look less suspicious on the outside by using macOS instead of Linux. For those people, this information is gold.

BTW, this is indeed the famous GitHub guide many of us have known for years, just now renamed and updated.

2016 HN discussion of it with the old title, 'A practical guide to securing macOS': https://news.ycombinator.com/item?id=13023823

snazz, over 4 years ago
I'm somewhat surprised that this guide recommends Homebrew. I agree that using a package manager is a good way to keep software updated from a central, trusted repository--always a good thing--but Homebrew makes a number of trade-offs for convenience instead of security. MacPorts has most of the same common packages and doesn't mess up filesystem permissions like Homebrew does. If I remember correctly, the all-inside-the-home-directory technique used in this guide is unsupported by the Homebrew developers as well.

See https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-package-managers/ for a more nuanced take on this.

abledon, over 4 years ago
I was looking at Yabai [1] as a window manager and it requires SIP [2] to be disabled for advanced features... Is SIP really needed? I see that it didn't even exist since "since OS X 10.11 "El Capitan".".

[1] https://github.com/koekeishiya/yabai/wiki

[2] https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection

krn, over 4 years ago
As a side note: isn't ChromeOS a *safer* alternative to macOS in 2020 [1]?

[1] https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview

secfirstmd, over 4 years ago
This guide is great. It's a pity there is no easy to use (maybe GUI) tool for the average user to be able to implement a lot of the things mentioned here. There used to be a few scripts around but most seem outdated. I'm thinking along the lines of Harden Tools for Windows. Great open source project for someone.

https://securitywithoutborders.org/tools/hardentools.html

tptacek, over 4 years ago
The thing about PRNG "entropy" and when to enable FileVault is almost certainly false, and based on a misconception of how PRNGs work.

Also, recommending libpurple-based IM clients as a security/privacy measure, so you can run OTR over them, is probably a bad idea.

And it recommends Mac antivirus! Do not install antivirus on your Mac.

fouc, over 4 years ago
Nice guide. I didn't realize the security implications of iOS devices and the Touch Bar (being practically an iOS device itself).

I'd be interested to see an equivalent guide for Android devices. My current suspicion is that I'd be far more alarmed by Android than iOS but it would be nice to verify this.

lwouis, over 4 years ago
Does anyone know of a similar collection of tweaks, but for getting performance out of macOS?

Things like disabling Spotlight so it's not indexing node_modules and other folders, or adding tools to the Developer Tools to disable network checks with Apple servers when you want to run a binary.

clairity, over 4 years ago
i've increasingly been having issues with hands off![0] on my machine (intermittent high cpu usage, regular kernel panics), and was actually looking at this guide a while back to decide whether i should switch to pf instead[1].

but pf seems to require much more configuration and management. anyone have experience/pointers in this regard?

[0] i used to use little snitch many years ago, but ran into similar issues with it over time (maybe it's better now).

[1] https://github.com/drduh/macOS-Security-and-Privacy-Guide#kernel-level-packet-filtering

jmnicolas, over 4 years ago
> Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead);

A 3 letter agency won't be stopped by OpenBSD or any other OS.

There are so many security holes in the hardware itself and ultimately they can always "convince" you to release your data.

Simon_says, over 4 years ago
It's enough to make one want to switch to OpenBSD or Linux.

ChrisMarshallNY, over 4 years ago
This is great! Thanks for sharing it. Obviously a labor of love.

Razengan, over 4 years ago
Should add an explanation for what "sepOS" is.

t0mmyb0y, over 4 years ago
This fails to make much sense overall. My Macs only talk to Apple when I let them and it was way simpler than this.