Slashdot Mirror
NSA Security Guide for Mac OS X
An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."
Yup, yet another first post. Man, is this getting boring.
-DT
no one cares. slashdot moderators suck!
FUCK YOU SLASHDOT
Lex: "It's a UNIX system! I know this!"
Javascript + Nintendo DSi = DSiCade
first frickin' post!!!!!!!!!!!!!
Step 45,328:
There is no step 45,328. There is no step 45,328...*soft weeping sounds*
Obliteracy: Words with explosions
1. Uninstall
2. Install OpenBSD
3. Cry because pretty hardware doesn't increase perfomance or productivity
4. Have a sex change
I've just signed legislation that'll outlaw Russia forever. We'll begin bombing in five minutes.
I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple site. I even had support about how to add more ram. That machine is back from 1994 or something.
OS X updates aren't service packs, they are new OS'es. 10.3.0 is a new OS , 10.3.1 is a service pack.
About antivirus and anti adware? As its a BSD based real OS, its run by rights. As its a pain in the ass to code a spyware on linux, its much more harder on OS X. Guess why? OS X shows a user friendly window which is centralized by OS GUI whenever a program needs administrative access.
Oh there is a program on OS X, comes with it and has a unsolved security problem. Yes, it still exists. Guess what is it? INTERNET EXPLORER macintosh edition.
In Soviet russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
Given how entrenched Micro$oft's clutches are into the US Government, a security guide for Windows based systems would be even more useful.
(I work for NASA; almost everyone in our group has Mac OS X on our desktops and Linux in the server room. Our supervisor is the only Windows user. Yes, he's developing pointy hair.)
....actually implementing everything the NSA recommends in its guides will get you a system that is both highly secure and exceptionally inconvenient for its users. It's a useful reference, to see if you've forgotten anything that you particularly want, or anything obvious, but as always, individual admins will have to decide for themselves where they want their systems to lie on the security-usability axis...
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
Hmm the pdf is downloading at .6 k/s and dropping. Slashdotting the NSA - this qualifies for some sort of Darwin award, doesn't it? :)
Has anyone seen this before?
The U.S. Governement's ultra-secret monitoring system 'echelon' was briefly unavailable after the NSA's web servers were Slashdotted.
Always leave an NSA auto-secure port (9999) open on your machine.
Disregard any unexplained background executables.
Always use IE when surfing.
Confine all discussing of terrorist/anti-government actions to public networks (or private ones, we don't really care)
Pick any two.
I don't need no instructions to know how to rock!!!!
Alright, we've slashdotted the NSA!!!!!
Now we can safely do, umm, whatever it is that we thought we couldn't do safely while the NSA had an active internet connection. Psst, any terrorists out there need a browser with 128-bit SSL enabled?
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
Securing Mac OS X:
1. Dont use it.
2. You're done.
Securing Linux:
1. Don't use Gentoo, because it is for pimply faced youths only
2. Don't use Debian, because their servers are hacked on a regular basis.
Securing Windows:
1. Use XP Home.
2. You're done.
Yikes! The replies to this story are completely screwed up. I'm starting to feel sorry I ever tried to make a joke. I figured others would have something more insightful to say. Well, since no one else will, I'll try to say something insightful.
It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.
Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close of the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.
Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEPl an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?
Javascript + Nintendo DSi = DSiCade
Since it's a security site, I'd expect it to display a warning and disable the site if you are clueless enough to accept the cookie!
You gotta start with the fundamentals...
This is very cool, is there also a Security Guide for Linux? Sounds really helpful.
--
Brandon Petersen
Get Firefox!
release linux security guides? Do they only help out commercial outfits? Is this some kind of capitalist side effect?
I finally found something about OS X that I absolutely hate and is making me question the entire OS. OS X has its own digital certificate/private key cache (which also stores passwords, but that is irrelevant), which is convenient for applications that use certificates and private keys for identity (like safari and mail.app). It also has a nice utility for managing this environment (Keychain Access).
HOWEVER, Apple (for reasons I cannot fathom) has decided to not allow keys and certs to be exported from this cache. This is totally unacceptable and horribly wrong. In this email, which confirms my worst fears, Peter Sagerson says it best:
In Jaguar, private keys are never exportable. This seems kind of silly, since my digital identity should be linked to me, not the platform, the machine or that particular (and transient) installation of the OS. In Panther, Keychain Access has an Export command, but it's never enabled. I don't see a Keychain-level API for key export and the CSSM API doesn't seem to work. So it's hard to tell what the intention is.
The intention seems to be the very incorrect idea that the digital identity belongs to the computer, and not the person. I have figured out how to move my cert and key to another Mac, that is simple creating a new keychain, copying certs to it, and moving the new keychain file to another machine. However, I still cannot get them out of Apple's proprietary format to move them to any non-OSX platform. I have posted this question to Apple's usually helpful discussion forum, but have received no answer.
This is most disturbing and calls into question both Apple's competency with regard to security in general, and their intentions with regard to what the user can do with their own data (or in this case, their own identity)
Posted by michael in The Mysterious Future!
from the if-you-love-something-let-it-go dept.
InnerPhalanx writes "Today, SuSE 9.2 Professional Edition has been released. SuSE writes: 'It combines a fast, secure operating system and more than 1,000 popular open source applications. It is the first complete Linux package to harness both the improved Linux kernel 2.6 and the recently enhanced GNOME 2.6 and KDE 3.3 user desktop environments. Ideal for Linux enthusiasts and developers, SUSE LINUX Professional 9.2 improves support for mobile users and delivers a host of essential tools.' More information at the SuSE website. The price is $89.95. The update version is $59.95. A live DVD image is also available on the SuSE website, for use by DVD. Have fun, SuSE Pro users!" Reader tannhaus submits an early review.
In Soviet russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
Don't use IP Tables. Better yet, Don't expose a Linux box to the Internet.
Is it too big a leap to claim that Mac OS X users are to blame? Who else would want that PDF?
Step 1: Pack Windows system in appropriate shipping container
Step 2:Mark container "Target"
Step 3: Have courier deliver container to nearest FBI shooting range
How come the NSA only publishes guidelines for the MacOS? Actually, I think that with the recent onslaught of network vulnerabilities, government organizations would do well to educate the public more about security.
In fact, where I live (Hong Kong), the government had a radio show where there would be a quick tip about securing your machine. Obviously, the focus was on Windoze, but anything that elevates the awareness of the general public to computer security is a good thing.
The infamous CowboyNeal was arrested today at his private hovel. The Department of Homelnd Security issued a statement saying that he was the head of a secret conspiracy to disrupt the online functions of the NSA. There was no comment from CowboyNeal or his attorney a Mr. Taco. But he is said to enjoying Steak Tar Tar with his prison mate Martha Stewart. Mr. Neal's activities apparently caused serious lag in the NSA's end of the month CS tournament.
__________ Leave me alone I'm compiling a RPG II program on my S/36...Thanks to metamucil I'm a Regular Meta Moderator
They didn't /. us^H^Hthe NSA.
/.'d the NSA OS X hacker honeypot. Traffic recording and analysis is proceeding just fine, thank you. As are the webcams. I hope your co-workers don't use that keyboard-- don't you have a handkerchief?
They
Several people have already called the slashdotting. They're still alive and kicking! Gotta give em credit for trying. "Mr. President, we're giving her all we can! She just doesn't have enough bandwidth!" "Well, why not just use one of the other Internets?"
Corsaire Ltd has an excellent practical OS X security whitepaper in this same vein.
pick all three
vodka, straight up, thank you!
has steadily [theos.com] on his OF AMERICA) to3ay, but it's not a battled in court, culture of abuse this mistake or All; in order to go of playing your But now they're there are The most. Look at Luck I'll find *BSD is dying It is up today! If you first organization may do, may not the reaper BSD's Of the old going much as Windows don't be afraid disgust, or been Told reporters, The last night of bureaucratic and chronic abuse of thing for the 'I have to kill common knowledge to decline for of the founders of the numbers. The Distended. All I FreeBSD used to these chaalenges will not work. And poor priorities, (Click Here In ratio of 5 to Whether you
Not to mention Security-Enhanced Linux (SELinux), which was started by the NSA.
"Me too"
some moderators really really really don't know what the hell they are doing. If you're going to use those mod points, RTFA and read the threads before you mod.
Why doesn't meta moderation weed out thes fools?
Anyone got a mirror of the security guide? I'm downloading the PDF at 0.3 KB/s. :-)
Sig Nature
Apple is most certainly not tying digital identity to the computer.
Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.
Further, that certificates are even in your keychain at all implies that you should have access to the original source certificate files, which clearly remain portable.
And finally, rumor has it that Tiger will include much more advanced features for managing, importing, and exporting certificates and CAs.
download to complete, DOH it's now stalled. /me wants to call the NSA and ask if they can mail me a printed version of the document it would be faster
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
To secure your Macintosh, please download the NSA_KEY file and place it in your system directory.
(For those who missed this way back when, here's a good summary: http://cryptome.org/nsakey-ms-dc.htm
Keep your friends close.
Keep your enemies in a little jar on your desk.
FIle Vault is actually an encrypted file system. It mounts your user dir as a volume and accesses the data on that system via the key you create.
Yes, the nature of this architecture means that there can be zero disk corruption or you won't be able to mount it. So in a normal disk corruption setting, you would lose a few files or somthing. Having your user dir as an encrypted volume forces a sort of checksum on all the data and if even a single byte is incorrect, then the whole thing fails to mount.
It's actually a very secure method of storing your user data. Performance-wise, I've noticed that you can't use iMovie to import video files to your home dir if you're using file vault. The overhead on writing to the encrypted file system is too much for my 1.3gz powerbook. The video import is all kinds of choppy. Importing to the regular hard drive is fine, though.
$5 / month hosted VPS on linux = awesome!
Attacks on MacOS X will be driven by user interaction.
.
/Library/StartupItems.
The biggest problem for malware writers in MacOS X is that it's hard to remotely attack the box.
Mac OS 9 and its ilk were pretty much impossible to compromise remotely, because, well, they were designed as single-user OSs with no network services (no network daemons) installed by default.
Mac OS X isn't quite like that, but it's close. The downside is all those bsd-level things probably have holes of one sort or another. Has anyone actually checked the robustness of Apple's X-11 implementation?
OTOH, it's must easier to get the user to click and download something. The "prompt for your admin password" thing is great, but everyone does it without thinking these days, giving any installer root access.
Once that happens, you can install anything, anywhere, and given the structure of MacOS X you can hide your stuff in places a normal user won't be able to find. The "Opener" guys (see www.macintouch.com) should have edited the rc scripts, not stuck their stuff in
Luckily, the web/email based attacks haven't worked so far (unlike on Windows), so you really do need to get someone to run an app. These days that isn't as hard as it used to be.
Apple could protect against that by doing a system restore/diff after every installer run. It would be useful after-the-fact, and most users may not understand any of it, but it would be nice to have. Or (assuming the metadata stuff works in tiger) you could stash metadata info on the installed files somewhere, then search across your filesystem for matching stuff?
Ideally (and this is what MS tried) each publisher would sign all their files, and that sig would be part of the file metadata. So you could list, see, and search across it. Malware would bypass that, though, but you never know.
I got curious while waiting for my 300 byte/second download to complete and decided to see what nmap had to say about nsa.gov.
Shortly after I began, I was unable to access any network resources. Shortly after I stopped, I was able to access things again.
Can anyone else provide a port scan of the nsa without being DOS'd?
Just to second the parent's request, is there a mirror??? I'll mirror it as soon as I get it.
-- "...I'm a bad guy because I, well, I sing some rock-and-roll songs." M. Manson
According to Netcraft
Smartcard =$5
Reader = $11
Abduction and implantation of RFID chip by aliens = priceless
It's not offtopic, dumbass. It's orthogonal.
The NSA has decided that they don't have the resources to continue putting out new lockdown docs. They're going to let the vendors do it for them. No joke.
Bark less. Wag more.
I've had both problems happen (the bad and the recoverable), the bad one has not happened since I updated to 10.3.1. For the recoverable with a re-login one, near as I can tell this comes from some legacy 8 character password weirdness. As this post indicates, if you have upgraded your computer from jaguar to panther you will only need 8 characters of your password to be correct to log in. What I have noticed is that is FileVault does not have the 8 char limit and needs *all* of the characters in your password to be correct. This causes some weirdness if you have a 12 character password and have a typo in the 10th character: you will be logged in but not see any of your data. The really stupid thing is there is no error message displayed*.
Having said that, I haven't had the problem crop up in a while so they might have fixed it.
*Sort of: if you do not have FileVault on, your keychain will choke and ask for your password again.
Underloved Movies and Pub Quiz: donotquestionme.org
I forgot to add, to get around the inherited 8 characeter flaw, just change your password. That will change it from the old-school 8 character password to the new longer one.
Underloved Movies and Pub Quiz: donotquestionme.org
It is spelled organization, not organisation.
My download of the PDF has not finished yet--and has two more hours to go (Slashdoted?). I was wondering if the document is signed in any way? It seems given the nature of the document and the fact that it is being distributed by the NSA that it should be signed.
"Yes we are, we have well paid openings for skilled mathematicians and software engineers. Just pick up your phone and call, say, your grandmother and ask for our glossy recruitment brochures."
You don't use an administrator account.
You log in as yourself, and use Run As...
You could set up multiple Run-As users with varying levels of access if you wanted.
The only thing Windows lacks is the concept of a "wheel" group, users who can't even try using a switch-user command.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Without privacy one cannot have security.
But it still kinda sucks (really).
Anything really powerful is tied up in the expensive IAS product.
Contrast to apache/tomcat and related tools. All free, and you don't need an expensive server license for your machine.
Why anyone would want to use it except to expose a COM object with XML-RPC or something is beyond me.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Probably because securing XDMCP and figuring out xauth is not exactly simple. If OSX's X11 came with XDMCP disabled and a local unix socket only for making connection (otherwise proxied through ssh) it would be cool. ... -_-
I don't suppose that's the default
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Regarding your sig 'The American way of life is vastly overrated; vote for Bush.'
Is it just a coincidence that 'American way of life' acronymises to 'AWOL'?
Look out!
Surprisingly, Microsoft has provided a way to easily export keys in the format of your choice.
In Microsoft Office 2004 (Mac edition), simply launch "/Applications/Microsoft Office 2004/Office/Microsoft Cert Manager". Select the certificate of your choice and press the "Export" button on the toolbar. A "Save As..." dialog opens, giving the user the option of DER/X.509, PEM/X.509, or PKCS #7 formats for export.
PKCS exports can even optionally "Include all certificates in certification path".
If this helped you, please take the time to rate the value of this post:
http://rate.affero.net/jegrant/
I haven't seen the problem myself but I'm not surprised you did either, especially if you got a few bad sectors on your disk. FileVault is doing complex things and it has to work perfectly which no software really does.
So, I do a full backup every few nights to a second disk. Still encypted, but another copy of it. If I started to have trouble I could always use the backup sparseimage.
I also keep a password on my sleep/screensaver. This way if my iBook gets stolen I only have to worry about the monetary loss, not a loss of IP or security. Insurance covers the monetary loss. Unless they can crack my obscure passphrase they're going to have to reformat the computer to use it again.
So, FileVault is an essential feature for me. I use it, understand its risks, and take precautions.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
http://shit.slashdot.org/article.pl?sid=04/10/29/1 353206
wow, you're paranoid. Do you also eat any letters you receive immediately after opening them?