Slashdot Mirror


NSA Security Guide for Mac OS X

An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."

10 of 250 comments

  1. You Bastards! by Anonymous Coward · · Score: 5, Funny

    Hmm the pdf is downloading at .6 k/s and dropping. Slashdotting the NSA - this qualifies for some sort of Darwin award, doesn't it? :)

  2. File Vault by dumitrius · · Score: 5, Informative
    This is simply the encryption of the entire user's home directory. I had this enabled on my PowerBook, stuffed it with a few gigs of data and it ran fine for a while... maybe like 3 months. Then one day on a reboot the thing silently lost all my personal settings and dropped me into a stock desktop configuration. Was nursing this for a week or two when I started getting garbage in some source files. Was thinking maybe the hard drive was defective but have a hunch the encryption just went haywire and was getting worse. Turning File Vault off failed with an error. Have reinstalled the OS keeping a plain text home dir and things seem dandy.

    Has anyone seen this before?

  3. In other news... by eventDriven · · Score: 5, Funny

    The U.S. Government's ultra-secret monitoring system 'echelon' was briefly unavailable after the NSA's web servers were Slashdotted.

  4. NSA Security Guide by Anonymous Coward · · Score: 5, Funny

    Always leave an NSA auto-secure port (9999) open on your machine.

    Disregard any unexplained background executables.

    Always use IE when surfing.

    Confine all discussion of terrorist/anti-government actions to public networks (or private ones, we don't really care)

  5. Security, Usability, Reliability by stratjakt · · Score: 5, Insightful

    Pick any two.

    --
    I don't need no instructions to know how to rock!!!!
  6. Slashdotted already? by BandwidthHog · · Score: 5, Funny

    Alright, we've slashdotted the NSA!!!!!

    Now we can safely do, umm, whatever it is that we thought we couldn't do safely while the NSA had an active internet connection. Psst, any terrorists out there need a browser with 128-bit SSL enabled?

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  7. Screwed up by AKAImBatman · · Score: 5, Interesting

    Yikes! The replies to this story are completely screwed up. I'm starting to feel sorry I ever tried to make a joke. I figured others would have something more insightful to say. Well, since no one else will, I'll try to say something insightful.

    It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.

    Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close off the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.

    Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEP, an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?

  8. Keychain Access Gripe by finkployd · · Score: 5, Informative

    I finally found something about OS X that I absolutely hate and is making me question the entire OS. OS X has its own digital certificate/private key cache (which also stores passwords, but that is irrelevant), which is convenient for applications that use certificates and private keys for identity (like Safari and Mail.app). It also has a nice utility for managing this environment (Keychain Access).

    HOWEVER, Apple (for reasons I cannot fathom) has decided to not allow keys and certs to be exported from this cache. This is totally unacceptable and horribly wrong. In this email, which confirms my worst fears, Peter Sagerson says it best:

    In Jaguar, private keys are never exportable. This seems kind of silly, since my digital identity should be linked to me, not the platform, the machine or that particular (and transient) installation of the OS. In Panther, Keychain Access has an Export command, but it's never enabled. I don't see a Keychain-level API for key export and the CSSM API doesn't seem to work. So it's hard to tell what the intention is.

    The intention seems to be the very incorrect idea that the digital identity belongs to the computer, and not the person. I have figured out how to move my cert and key to another Mac, that is simply creating a new keychain, copying certs to it, and moving the new keychain file to another machine. However, I still cannot get them out of Apple's proprietary format to move them to any non-OSX platform. I have posted this question to Apple's usually helpful discussion forum, but have received no answer.

    This is most disturbing and calls into question both Apple's competency with regard to security in general, and their intentions with regard to what the user can do with their own data (or in this case, their own identity).

  9. They're... still... up by twalls · · Score: 5, Funny

    Several people have already called the slashdotting. They're still alive and kicking! Gotta give em credit for trying. "Mr. President, we're giving her all we can! She just doesn't have enough bandwidth!" "Well, why not just use one of the other Internets?"

  10. Re:NSA Guide to securing Windows computers by patman600 · · Score: 5, Funny

    Sure, just add even more holes to the system...