How the NSA snoop-proofs its Macs

Rich Mogull | Sept. 9, 2013
It's the NSA's job to snoop on all of us, but it doesn't want to be snooped on itself. So it has guidelines for securing all the Macs in its service.

On the next screen, select Do not store the recovery key with Apple for the best security. Apple can't read your key without your providing answers to a series of questions, but an attacker could potentially figure those answers out. Finally, click Restart on the last screen. Your Mac will start encrypting itself in the background after a reboot; you can still use it while it's doing so.

Firewall: Click Turn On Firewall. Then open Firewall Options and check Block all incoming connections and Enable stealth mode, and uncheck Automatically allow signed software to receive incoming connections. Afterward, spend the rest of your day approving all the network connection requests.

Privacy: Open Location Services and uncheck Enable Location Services. Open Diagnostics & Usage and uncheck Send diagnostic and usage data to Apple.


iCloud synchronization itself is a minor risk (unless you're worried about your NSA coworker subpoenaing your email). But at least disable Back to My Mac and Find My Mac, lest someone be able to access or wipe your Mac if they gain access to your iCloud account.

Home-folder permissions
The command-line item the NSA recommends still works: it locks your home folder against other standard users, though not against administrator accounts.

Firmware password

The NSA's instructions in the pamphlet no longer work. Instead, boot your Mac into the Recovery partition by pressing Command-R as your Mac is booting. Then select Utilities > Firmware Password Utility and set the password. You will need it whenever you boot into recovery mode or from an external drive.

Disable IPv6 and AirPort when not needed
In Mountain Lion, these options are still in System Preferences > Network, but other things have moved, and a few new options are available.

Your AirPort is now simply called 'Wi-Fi' on screen; you disable it by clicking the gear icon on the lower-left side and selecting Make Service Inactive, or by clicking the Turn Wi-Fi Off button when the service is selected. Then, open the Advanced options and uncheck Remember networks this computer has joined so that your Mac doesn't search for known networks and leak information. You can also require administrator authorization to manage Wi-Fi connections.

To disable IPv6 for interfaces, open the Advanced options and set Configure IPv6 to Link-local only.
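As an added example (not the article's or the NSA pamphlet's own code), a small POSIX shell audit script that checks a Mac against the FileVault, firewall, stealth mode and IPv6 settings covered above. The command names and the output strings it matches on (fdesetup, the com.apple.alf globalstate values, socketfilterfw, networksetup) are assumptions about the macOS tools and may vary by version; the evaluation helpers take raw output as an argument so they can be exercised on any system.

```shell
#!/bin/sh
# Added audit example, not from the article. Helpers take raw command output
# as $1 and return 0 when the setting matches the hardening advice above.
# Tool names and output strings are assumptions about macOS and may differ.
# Application firewall globalstate (com.apple.alf): 0 = off, 1 = on,
# 2 = on with "Block all incoming connections" (assumed value mapping).
eval_firewall() {
    case "$1" in
        2) echo "ok: firewall on, all incoming blocked"; return 0 ;;
        1) echo "weak: firewall on, incoming allowed per application"; return 1 ;;
        *) echo "fail: firewall off or state unreadable"; return 1 ;;
    esac
}
# Stealth mode: socketfilterfw --getstealthmode is assumed to print "Stealth mode enabled".
eval_stealth() {
    case "$1" in
        *enabled*) echo "ok: stealth mode enabled"; return 0 ;;
        *) echo "fail: stealth mode disabled"; return 1 ;;
    esac
}
# FileVault: fdesetup status prints "FileVault is On." once encryption is enabled.
eval_filevault() {
    case "$1" in
        *"FileVault is On"*) echo "ok: FileVault on"; return 0 ;;
        *) echo "fail: FileVault off"; return 1 ;;
    esac
}
# IPv6 line from networksetup -getinfo <service>; the article wants "Link-local only".
eval_ipv6() {
    case "$1" in
        *"Link-local only"*|*Off*) echo "ok: $1"; return 0 ;;
        *) echo "fail: $1 (set Configure IPv6 to Link-local only)"; return 1 ;;
    esac
}
# Live audit on a Mac: each failing check adds one to the return value,
# so a non-zero result means there is something left to fix.
audit_mac() {
    fails=0
    eval_filevault "$(fdesetup status 2>/dev/null)" || fails=$((fails + 1))
    eval_firewall "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)" || fails=$((fails + 1))
    eval_stealth "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode 2>/dev/null)" || fails=$((fails + 1))
    eval_ipv6 "$(networksetup -getinfo Wi-Fi 2>/dev/null | grep '^IPv6:')" || fails=$((fails + 1))
    return $fails
}
# Only run the live checks on macOS; the helpers above work anywhere.
if [ "$(uname)" = Darwin ]; then audit_mac || echo "failing checks: $?"; fi
```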

Unnecessary services

Warning: Following these bits of NSA advice will seriously alter the functionality of your Mac.

iSight no longer has a LaunchDaemon, but you can disable or enable it using this AppleScript. The service called is no longer used. The rest should work as listed.

I'd be nervous about disabling system services that don't present known risks, so I don't have any to add to the NSA list.

