NSA Security Guide for Mac OS X

An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."

What about...

[Staos]

I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple site. I even had support about how to add more ram. That machine is back from 1994 or something.

OS X updates aren't service packs, they are new OS'es. 10.3.0 is a new OS , 10.3.1 is a service pack.

About antivirus and anti adware? As its a BSD based real OS, its run by rights. As its a pain in the ass to code a spyware on linux, its much more harder on OS X. Guess why? OS X shows a user friendly window which is centralized by OS GUI whenever a program needs administrative access.

Oh there is a program on OS X, comes with it and has a unsolved security problem. Yes, it still exists. Guess what is it? INTERNET EXPLORER macintosh edition.

Screwed up

[AKAImBatman]

Yikes! The replies to this story are completely screwed up. I'm starting to feel sorry I ever tried to make a joke [slashdot.org]. I figured others would have something more insightful to say. Well, since no one else will, I'll try to say something insightful.

It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.

Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close of the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.

Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEPl an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?

Guide for Linux?

[brandonp]

This is very cool, is there also a Security Guide for Linux? Sounds really helpful.

--
Brandon Petersen
Get Firefox! [spreadfirefox.com]

Re:File Vault

[Anonymous Coward]

I had a File Vault eaten when I first installed 10.3 but since some of their updates to it I have been able to use File Vault pretty well when I have tried it. I don't trust it with anything important though so I don't use it on my adminstartor account or on my work account, which is kind of sad. I prefer to use Encrypted DMG files to store stuff I want private but that I only need occasional access to.

Re:File Vault

[twalls]

That's really sad, man. I had that happen and it scared the crap out of me (I've got a 15GB home directory). One day I logged in and it just sort of stared blankly at me with all the defaults. I blinked, told myself I was having a very bad dream, and logged off. When I logged back in, everything was fine and I breathed a huge sigh of relief! I guess I was one of the "lucky" ones. I keep using it and I haven't had any more issues... yet.

Re:File Vault

[Matey-O]

think they coulda named it something better than 'sparse diskimage'? I blew away all my settings (yeah, boo hoo, won't do THAT again) cause the diskimage was roughly the size of the two huge AVI's I just threw away and I wasn't getting my diskspace back after emptying the trashcan.

Name it something like 'Secret Encrypted File' or something...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Keychain Access Gripe

[AKAImBatman]

Not really. A reader is a $10-$20 part that can easily be added to any system. An external reader could easily market for $20-$50. The end result is that the smart card is going to be cheaper in the long run. (Keep in mind that each person who uses the computer is going to need two cards/keys. Things get particularly dicey in family situations.)

If you look at a diagram for a smart card sometime, you'll notice how simple the things are. Basically, they fab small RAM, ROM, and processor chips right onto the card itself. This makes them cheaper to produce than wiring components together on breadboard, then encasing them in plastic.

Comment removed

[account_deleted]

Comment removed based on user account deletion

A Tinfoil Moment

[sockonafish]

I got curious while waiting for my 300 byte/second download to complete and decided to see what nmap had to say about nsa.gov.

Shortly after I began, I was unable to access any network resources. Shortly after I stopped, I was able to access things again.

Can anyone else provide a port scan of the nsa without being DOS'd?

Re:What about...

[r2q2]

I agree, I was running 10.1 and then upgraded to 10.3. There is a whole user interface redo, support for rendevous, a journaling file system much better support for unix, an x windowing system, ipv6 support expose and a host of other reasons why that was a good upgrade. Although I didn't pay full price for it it was one of the best upgrades and I believe I got my moneys worth.

Re: You spelled it wrong

[wheatwilliams]

The Americans spell it one way, and the British (and all other English speaking peoples besides the Americans) spell it the other way. Same with "color" and "colour" and many other examples. It's been that way since the American, Noah Webster, wrote his dictionaries the early 1800s. He not only single-handedly "reformed" English spelling, he also wanted to create a distinction between "American English" and that of Great Britain, possibly for political reasons or a sense of nationalism. http://en.wikipedia.org/wiki/Noah_Webster