NSA Security Guide for Mac OS X
An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."
Jurassic Park on OS X (Score:2, Funny)
New Government-Oriented Commercial? (Score:4, Funny)
Step 45,328:
There is no step 45,328. There is no step 45,328...*soft weeping sounds*
What about... (Score:4, Interesting)
OS X updates aren't service packs, they are new OSes. 10.3.0 is a new OS, 10.3.1 is a service pack.
About antivirus and anti-adware? As it's a BSD-based real OS, it's run by rights. As it's a pain in the ass to code spyware on Linux, it's much harder on OS X. Guess why? OS X shows a user-friendly window which is centralized by the OS GUI whenever a program needs administrative access.
Oh, there is a program on OS X that comes with it and has an unsolved security problem. Yes, it still exists. Guess what it is? INTERNET EXPLORER Macintosh Edition.
Re:What about... (Score:3, Insightful)
Malware is hard to code on Linux and *BSD not because of some standard or non-standard way of asking for access,
Re:What about... (Score:5, Informative)
It is my understanding that on OS X, the authorization dialog pops up because a request to a protected resource/API has been made, as opposed to an application being able to just randomly tell the OS to pop up an authorization dialog.
The dialog itself always displays the name (and if available icon) of the application making the request, as well as the name of the right being requested. As this is put together only by the OS, you can't substitute one right name when you really want to do something different. And getting one right doesn't automatically permit a process to use any other right on the system -- each right needs authorization.
It's actually quite a good system, and has been very well thought out. It does, of course, rely on some vigilance by the end user -- if they're entering their password anytime it's being requested without quickly checking to see what is making the request and why, obviously they're going to get into trouble.
Then again, if I e-mail a bunch of Linux admins and ask them for their passwords, and they send them to me, you wind up with the same end result.
Yaz.
Re:What about... (Score:2, Informative)
Re:What about... (Score:3, Insightful)
That would make it EASIER to spread worms/viruses than a normal Unix system, NOT harder. In Unix, attempts to access resources you don't have permissions to, just fail. If it pops up a window that says "would you like to give this program access" then you're just as screwed as the rest of the world...
Re:What about... (Score:4, Insightful)
Re:What about... (Score:5, Insightful)
On Windows, if you are logged in as an administrator (not the Administrator account), your account will automatically authenticate during program installations and such, hence why you can make changes to the system settings and install programs without ever being challenged for a password. That is what makes the Windows way of doing things inherently more risky. You don't need to enter your password for administrator actions.
Re:What about... (Score:2)
So your position is that it would be safer if it just ran without a security dialog? You might want to rethink that. Only people with admin rights get the security dialog. In your example, the code would just run on a "normal Unix system" without double-checking with the admin. Sounds less sa
Re:What about... (Score:3, Informative)
On MacOSX, running as an administrator is not the same as running as "root". On MacOSX, running as an "administrator" is more-or-less equivalent to having "sudo" privileges on a Unix box: entering your password in a security box permits you to do certain administrator-type operations for a limited period.
Re:What about... (Score:2)
The authentication dialog only appears if it's explicitly requested by an application. If an application tries to access a resource that it doesn't have permission for, it fails just like on any other UNIX. The application can then, if it desires, ask the OS to pop up this authentication dialog. It's actually fairly limited; the process doesn't get changed permissions at all, but it is allowed to run a subprocess as root. Of course there is nothing that prevents a spyw
Re:What about... (Score:2, Interesting)
Lack of safety in numbers (Score:4, Funny)
(I work for NASA; almost everyone in our group has Mac OS X on our desktops and Linux in the server room. Our supervisor is the only Windows user. Yes, he's developing pointy hair.)
Re:Lack of safety in numbers (Score:4, Informative)
NSA Guide to securing Windows computers (Score:5, Funny)
Step 2: Mark container "Target"
Step 3: Have courier deliver container to nearest FBI shooting range
Re:NSA Guide to securing Windows computers (Score:5, Funny)
Re:Lack of safety in numbers (Score:5, Funny)
Re:Lack of safety in numbers (Score:4, Insightful)
Did you click on the second link in the story? There's a lot for Windows. See under "Operating Systems".
Given the fact that I don't use MacOSX, I checked out the Cisco one some time ago and it's quite impressive. Lots of common sense things of course, but some good ideas I would have otherwise not thought about. Definitely recommended.
It's nice to see government agencies not waste our (sorry: your) tax dollars and instead produce something useful and not hiding it in one of their many shelves.
Re:Lack of safety in numbers (Score:2)
I agree that useful government work in this area is great, and I don't mean to assail this poster....but getting things even further out there (i.e., not on a somewhat-obscure shelf, but somewhere where my clueless, Windows-using family would find it.). Wonder if there's a better way that NSA could promote this stuff so that everyday (non-power-
Re:Lack of safety in numbers (Score:2, Funny)
Talk about an exercise in futility. I'd put that book right next to Understanding Republican Mindset, Philosophical Debates of Military Intelligence and Filanthropy of Modern Man
Re:Lack of safety in numbers (Score:5, Funny)
I'll put it alongside my copy of Speling Fer Slahsdooters.
Re:Lack of safety in numbers (Score:2, Funny)
Re:Lack of safety in numbers (Score:2)
These things make a nice checklist, but.... (Score:5, Insightful)
Security, Usability, Reliability (Score:5, Insightful)
Re:Security, Usability, Reliability (Score:2)
Re:Security, Usability, Reliability (Score:2)
Loads of games still being produced which still run on 95, a lot more than Macs. Usability.
And as more people move on to XP or other systems, blackhats are slowly turning their attention away from 95. Just don't use IE. Who makes new viruses for DOS?
Re:Security, Usability, Reliability (Score:2)
Re:These things make a nice checklist, but.... (Score:2)
Re:These things make a nice checklist, but.... (Score:2)
You Bastards! (Score:5, Funny)
Re:You Bastards! (Score:4, Funny)
File Vault (Score:5, Informative)
Has anyone seen this before?
Re:File Vault (Score:5, Informative)
Your mileage may vary.
Re:File Vault (Score:3, Interesting)
Name it something like 'Secret Encrypted File' or something...
Re:File Vault (Score:2)
Re:File Vault (Score:3, Informative)
No more FileVault for me. And this was Tiger (yes I know, it's not even beta software but I like to test).
Re:File Vault (Score:2, Informative)
Re:File Vault (Score:4, Informative)
I've used this hint [macosxhints.com] for over six months now without problem.
On the other hand, it's trivial to get the user's password from swap, unless Apple fixed this hole already, so there's not much point to File Vault right now.
Re:File Vault (Score:2)
This works well, plus the files get backed up, so if the home directory got corrupted or wiped, I can retrieve everything.
It's a little more complex than that (Score:3, Informative)
Yes, the nature of this architecture means that there can be zero disk corruption or you won't be able to mount it. So in a normal disk corruption setting, you would lose a few files or something. Having your user dir as an encrypted volume forces a sort of checksum on all the data and if even a single byte is incorrect, then the whole thing fails to mount.
It's ac
Re:File Vault (Score:2, Funny)
(with appol to the Mouseketeer, who in 1984 coined the name VileFision... what happened to him anyway ?)
Re:File Vault (Score:2, Interesting)
Password length related... (Score:3, Informative)
I've had both problems happen (the bad and the recoverable), the bad one has not happened since I updated to 10.3.1. For the recoverable with a re-login one, near as I can tell this comes from some legacy 8 character password weirdness. As this post [macosxhints.com] indicates, i
Oops, forgot to add (Score:2)
Re:File Vault (Score:4, Insightful)
Kind of defeats the purpose, doesn't it?
In other news... (Score:5, Funny)
The U.S. Government's ultra-secret monitoring system 'echelon' was briefly unavailable after the NSA's web servers were Slashdotted.
NSA Security Guide (Score:5, Funny)
Disregard any unexplained background executables.
Always use IE when surfing.
Confine all discussion of terrorist/anti-government actions to public networks (or private ones, we don't really care)
Slashdotted already? (Score:5, Funny)
Now we can safely do, umm, whatever it is that we thought we couldn't do safely while the NSA had an active internet connection. Psst, any terrorists out there need a browser with 128-bit SSL enabled?
Re:Slashdotted already? Nope. (Score:4, Funny)
They
Re:Slashdotted already? (Score:2, Insightful)
-nB
Re:Slashdotted already? (Score:2, Funny)
Re:Slashdotted already? (Score:2)
True story. Back in 1990, one of my co-workers, who I think was mildly ill in the head, called up the state capital when George Bush Sr. was coming to town, and told them he was going to shoot the President. The Secret Service came and took his ass away. He came back about a year later, and never really explained to anyone exactly where he'd been. Of course, he came back crazier than ever...
So yeah, don't threaten the Pr
Screwed up (Score:5, Interesting)
It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.
Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close off the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.
Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEP, an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?
Re:Screwed up (Score:2, Funny)
Oh bitter, bitter irony!
Re:Screwed up (Score:3, Informative)
Re:Screwed up (Score:3, Funny)
How am I supposed to afford a Mac and a Slashdot subscription?
(Just kidding...please don't start posting Dell comparisons..I know already.)
Re:Screwed up (Score:4, Funny)
Yacc: "It's a UNIX system! I know how to parse this!"
Re:Screwed up (Score:2, Insightful)
But I think more needs to be done to educate the public that security isn't any single software/component, but rather, a process. From passwords, to firewalls, to antivirus, to spyware, there are many parts to it.
I think it's unfair to blame the OS solely. Application developers need to be aware of bugs and potential prob
Re:Screwed up (Score:2)
I don't know who would argue like that but yeah, you are probably right, it's not in the heritage, at least not on Apple's side. Still, it's very simple: OSX is so secure because it's based on BSD!
Re:Screwed up (Score:2)
Hmm...
# nmap localhost
25/tcp open smtp
1024/tcp open kdm
6000/tcp open X11
And that's Debian. Mandrake had about 10 ports open by default, including SUN-RPC and I think it opens NFS and CUPS by default if you choose certain configuration options. Debian also had a whole host of finger, time, echo, etc. ports open by default.
What's worse? That I
Re:Screwed up (Score:2)
XP SP2 is a different OS from the one released in 2001. It's time to start recognizing that.
Oh, and a preemptive attack on the "Apache is more popular and it's more secure than IIS":
IIS6 has 2 announced security vulnerabilities since its release over a year ago. Apache2 has more than 20 in the same period, not
Re:Screwed up (Score:2)
MacOSX attacks... (Score:5, Informative)
The biggest problem for malware writers in MacOS X is that it's hard to remotely attack the box.
Mac OS 9 and its ilk were pretty much impossible to compromise remotely, because, well, they were designed as single-user OSs with no network services (no network daemons) installed by default.
Mac OS X isn't quite like that, but it's close. The downside is all those BSD-level things probably have holes of one sort or another. Has anyone actually checked the robustness of Apple's X-11 implementation?
OTOH, it's much easier to get the user to click and download something. The "prompt for your admin password" thing is great, but everyone does it without thinking these days, giving any installer root access.
Once that happens, you can install anything, anywhere, and given the structure of MacOS X you can hide your stuff in places a normal user won't be able to find. The "Opener" guys (see www.macintouch.com) should have edited the rc scripts, not stuck their stuff in
Luckily, the web/email based attacks haven't worked so far (unlike on Windows), so you really do need to get someone to run an app. These days that isn't as hard as it used to be.
Apple could protect against that by doing a system restore/diff after every installer run. It would be useful after-the-fact, and most users may not understand any of it, but it would be nice to have. Or (assuming the metadata stuff works in Tiger) you could stash metadata info on the installed files somewhere, then search across your filesystem for matching stuff?
Ideally (and this is what MS tried) each publisher would sign all their files, and that sig would be part of the file metadata. So you could list, see, and search across it. Malware would bypass that, though, but you never know.
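The "diff after every installer run" idea from the comment above, as an added example that is not part of the original thread: it hashes a directory tree before and after an install and reports added, modified and removed files, flagging new set-uid/set-gid files and changes under startup locations. The watched prefix "etc/", the helper names and the simulated installer steps are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map every regular file under root to (sha256 hex, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return snap

def diff(before, after, watched=("etc/",)):
    """Compare two snapshots; 'watched' is an assumed list of startup locations."""
    report = {"added": [], "modified": [], "removed": [], "setuid": [], "startup": []}
    for path, (digest, mode) in sorted(after.items()):
        old = before.get(path)
        if old == (digest, mode):
            continue                          # untouched file
        report["added" if old is None else "modified"].append(path)
        if mode & (stat.S_ISUID | stat.S_ISGID):
            report["setuid"].append(path)     # new or changed set-id file
        if path.startswith(watched):
            report["startup"].append(path)    # boot-time script touched
    report["removed"] = sorted(set(before) - set(after))
    return report

def _write(root, rel, text, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def demo():
    """Constructed tree standing in for a disk; the 'installer' steps are made up."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/rc", "start services\n")
        _write(root, "etc/old.conf", "x=1\n")
        _write(root, "Applications/app.bin", "v1")
        before = snapshot(root)
        # Simulated installer run: upgrade, new set-uid helper, rc edit, deletion.
        _write(root, "Applications/app.bin", "v2")
        _write(root, "Applications/helper", "helper", mode=0o4755)
        _write(root, "etc/rc", "start services\nrun helper\n")
        os.remove(os.path.join(root, "etc/old.conf"))
        return diff(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

A snapshot taken on a system that is already compromised only records the compromised state, so the baseline has to come from a known-good install and be stored where an installer running as root cannot rewrite it.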
Counterintuitive... (Score:4, Insightful)
You gotta start with the fundamentals...
Re:Counterintuitive... (Score:4, Informative)
If you would have said privacy, you could possibly have had a point. But security? No way.
Guide for Linux? (Score:2, Interesting)
--
Brandon Petersen
Get Firefox! [spreadfirefox.com]
Re:Guide for Linux? (Score:3, Informative)
Comment removed (Score:5, Informative)
Re:Keychain Access Gripe (Score:2)
Such a design would be pretty transparent to users, and could easily fit in with the way they expect day to day things to work. You can even recommend that they make a backup card at card creation time, so that they can stash it in a sa
Comment removed (Score:4, Interesting)
Re:Keychain Access Gripe (Score:2)
The only reason is that smart cards are cheap. I can pack all the security info I need on a card that costs $1.00 - $5.00 each. In comparison, a USB key has to have a variety of communications electronics that make its minimum price somewhere around $15.00 a key.
So it's really a matter of economics.
Re:Keychain Access Gripe (Score:3, Interesting)
If you look at a diagram for a smart card sometime, you'll notice how simple the things are. Basically, they fab small RAM, ROM, and processor chips right onto the
Re:Keychain Access Gripe (Score:2)
Actually, I believe I listed the USB token as a MINIMUM of $15, while I gave the reader range as $10-$20. Consumer prices are always much higher. i.e.:
Cheapest Amazon USB key [amazon.com]
$25 External SmartCard reader [didya.com]
1K SmartCards [didya.com]
8K SmartCards [didya.com]
So to a consumer buying all the equipment, Smart Cards and USB keys are competitive on a 1 USB Key vs. 1 Smart Card + Reader basis. Now remember the backup. 2 USB Keys are significantly
I smell another Visa ad (Score:2)
Reader = $11
Abduction and implantation of RFID chip by aliens = priceless
Re:Keychain Access Gripe (Score:2)
Re:Keychain Access Gripe (Score:3, Informative)
Re:Keychain Access Gripe (Score:2)
Keychain itself designed to be portable (Score:5, Informative)
Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.
Further, that certificates are even in your keychain at all implies that you should have access to the original source certificate files, which clearly remain portable.
And finally, rumor has it [appleinsider.com] that Tiger will include much more advanced features for managing, importing, and exporting certificates and CAs.
Re: (Score:3, Interesting)
Re:Keychain itself designed to be portable (Score:2)
What about users of other OSes? (Score:2, Informative)
In fact, where I live (Hong Kong), the government had a radio show where there would be a quick tip about securing your machine. Obviously, the focus was on Windoze, but anything that elevates the awareness of the general public to computer security is a good thing.
Re:What about users of other OSes? (Score:2, Informative)
Re:What about users of other OSes? (Score:2)
And in other News..... (Score:3, Funny)
Re:And in other News..... (Score:3, Funny)
Wait! Don't answer that!
They're... still... up (Score:5, Funny)
Another excellent OS X security guide (Score:5, Informative)
Pardon Me while I take a NAP while waiting for my (Score:3, Insightful)
Here's a summary (Score:2, Funny)
(For those who missed this way back when, here's a good summary: http://cryptome.org/nsakey-ms-dc.htm [cryptome.org])
A Tinfoil Moment (Score:2, Interesting)
Shortly after I began, I was unable to access any network resources. Shortly after I stopped, I was able to access things again.
Can anyone else provide a port scan of the nsa without being DOS'd?
NSA.gov runs windows 2k (Score:2)
It's too bad these won't last (Score:2, Informative)
Re:is there a reason why the NSA won't (Score:2, Informative)
Re:is there a reason why the NSA won't (Score:3, Informative)
http://www.nsa.gov/selinux/
If you read the source and documentation, it's quite clear what they did. Producing a "boiler-plate" security document for all Linux distributions would be futile -- there are too many variables involved.
A commercial product such as OSX is quite a bit more linear, and thus it is easier to release a straightforward guide.
-psy
Re:FU SLASHDOT (Score:2, Funny)
Not all of us - some of us prefer Guatemalan insanity peppers.
Re:Mirror anyone? (Score:3, Informative)
http://mirrordot.org/stories/111603fdae3
Re:Mirror anyone? (Score:2)
Re:Mirror anyone? (Score:2)