Tough times need brave solutions. Tough love from the NSA (updated).
BIG SMOKE (Rixstep) — Tough times need brave solutions. The privacy of Internet surfers has been crushed by worldwide surveillance. You might not be able to control what happens at Facebook, but you can still control what happens on your own file system.
The easiest way to deal with this new knowledge is to ignore it. All is as before. Go on and keep telling yourself you'll be fine.
A remote alternative is to spend a few minutes each day making sure you haven't been invaded - something that's not personal to them - only to you.
Perhaps the worst thing you can do is purchase patent solutions. Applications that promise the world and give you a sand lot.
Where's the Indignation?
One wouldn't expect the Mac community to be in an uproar over the revelation Apple joined the 'ugly nine', giving unfettered access to your personal data to the NSA. And one would be right. There's nary a mention of it in there.
There's nothing to mention because nothing has happened. It simply doesn't exist.
PRISM? What's that? WHOOSH - it's gone. Life is good.
But hey - if you're fighting the NSA, why not start with their own advice for hardening defences?
Tough Love From the NSA (Updated)
Most of their stuff (written for 10.6) is pretty basic but it doesn't take long to go through their list and update it.
As there are such great tools out there today which don't rely on system weakness (such as found in abundance on Windows) to compromise you, but which rely instead on tricking you, you need to be very careful what you put on your computer.
Rich Mogull covered a lot of this for Macworld a month ago. Some of his comments are worth taking to heart, such as:
'When you're the NSA, nothing is safe.'
Keep that in mind.
Lysa Myers also cites the NSA back in August, but the doc she found is a whole OS X version older. And Lysa's writing for an AV vendor, so 'caveat emptor'. (No, you still don't need AV on a Mac.) Even Nicole Nguyen cites the same document from the NSA for 10.5 Leopard.
Mogull recommends disabling 'allow user to reset password using Apple ID' as found in System Preferences → Users & Groups. And he has good tips for dealing with iCloud:
'Disable Back to My Mac and Find My Mac, lest someone be able to access or wipe your Mac if they gain access to your iCloud account.'
As for setting a firmware password (be careful), Mogull recommends booting into your recovery partition, as the NSA guide no longer works.
'Boot your Mac into the recovery partition by pressing cmd-R as your Mac is booting. Then select Utilities → Firmware Password Utility and set the password. You will need it whenever you boot into recovery mode or from an external drive.'
Disabling iSight requires more work on 10.8. Go here to get a script for it. Four binaries need to be dealt with now.
What a shame the author couldn't provide the simple shell script so people could see what's really going on.
Also recommended is taking a look at 'icefloor' as a front end for pfctl. Check the source first so you know what's going on.
Anything Else? (II)
Yes. Daily use. The above will help you against stupid and targeted attacks both. Check the WikiLeaks Spy Files 3 collection for additional info on how the bad guys (and their subcontractors) are targeting your Mac. Don't forget the original Spy Files releases.
Several other articles in the Learning Curve can be of use.
This article will explain what's currently wrong with sudo and how you can temporarily fix it. This article will introduce you to Glimmerglass, something that affects your online activities. This article will explain why you can't ever trust Google Chrome with your online passwords. And this article tells you more of what you need to know about staying under the radar of NSA PRISM.
There are tonnes more articles about hardening your Mac in the Learning Curve. Browse through the list or use the site search facility to find what you want.
The best way to manage security and other settings on an OS X Mac remains this application: CLIX. CLIX has security built in up to the gills, and now for Mavericks comes with some pretty strong technologies. This article - published four years ago - showed already back then why Apple's code signing for OS X was a waste of time: it can easily be defeated manually, and skiddies can surely find a way to automate the process. And closing the gates as with the iPad and the iPhone is something you definitely don't want (and assuredly don't need).
But CLIX has another way (or two) to ensure integrity. The list is too long to enumerate here, but the methods have been described as 'reverse Houdini': CLIX in effect applies, from the inside, hermetic seals on the outside, and they can't be peeled off as can be done with Apple's code signing technology. Each and every sensitive operation in CLIX is prefaced by an integrity check. CLIX also makes sure your 'security' elsewhere is not lacking, so that setting 'TTY tickets' and removing the sudo grace period can thwart trojans in hiding, but not your use of the application and your own convenience.
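The two sudo settings named above correspond to the sudoers options `tty_tickets` and `timestamp_timeout=0`. The check below is an added example, not Rixstep's or CLIX's code; the function names and both sample files are constructed for illustration, and it assumes the settings must be explicit rather than inherited from build defaults.

```shell
#!/bin/sh
# Added example: report the global tty_tickets / timestamp_timeout settings
# in a sudoers file. Later Defaults lines override earlier ones.
# Not handled (assumption, kept simple): backslash line continuations,
# #include files, and scoped entries such as Defaults:user or Defaults@host.
sudoers_setting() {
    awk '
    BEGIN { tty = "unset"; timeout = "unset" }
    /^[ \t]*#/ { next }              # comments (and #include directives)
    $1 != "Defaults" { next }        # rules and scoped Defaults are skipped
    {
        line = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", line)
        n = split(line, opts, ",")   # options may share one line
        for (i = 1; i <= n; i++) {
            o = opts[i]
            gsub(/[ \t]/, "", o)
            if (o == "tty_tickets")  tty = "on"
            if (o == "!tty_tickets") tty = "off"
            if (o ~ /^timestamp_timeout=/) {
                sub(/^timestamp_timeout=/, "", o)
                timeout = o
            }
        }
    }
    END { print "tty_tickets=" tty " timestamp_timeout=" timeout }
    ' "$1"
}

# Succeeds only when both settings are explicit: tickets per terminal and
# a zero grace period, so every sudo call asks for the password.
sudoers_hardened() {
    [ "$(sudoers_setting "$1")" = "tty_tickets=on timestamp_timeout=0" ]
}

# Constructed sample files (not taken from any real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed: neither option set' 'Defaults env_reset' \
    '%admin ALL=(ALL) ALL' > "$tmp/weak"
printf '%s\n' '# constructed: both options set' \
    'Defaults env_reset, tty_tickets' 'Defaults timestamp_timeout=0' \
    '%admin ALL=(ALL) ALL' > "$tmp/hardened"

for f in weak hardened; do
    if sudoers_hardened "$tmp/$f"; then echo "$f: ok"
    else echo "$f: $(sudoers_setting "$tmp/$f")"; fi
done
```

To check a live system, call `sudoers_hardened /etc/sudoers` as root, and change the file only through `visudo`.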