How the NSA snoop-proofs its Macs

Rich Mogull | Sept. 9, 2013
It's the NSA's job to snoop on all of us, but it doesn't want to be snooped on itself. So it has guidelines for securing all the Macs in its service.

Disable setuid and setgid binaries

Altering setuid and setgid is another suggestion you need to be extremely careful about, since following this advice will break functionality. The list the NSA guide provides is a good place to start, though, and you can always reverse your changes.

To get a proper list of all setuid and setgid binaries, update the suggested command lines to:

sudo find / -perm -04000 -ls

sudo find / -perm -02000 -ls

Those commands will produce a long list of applications, not all of which need root, wheel, or admin permissions. (All three are admin-level.) Since you aren't regularly running as an admin user anymore, changing these items may break applications you use, but you can change them back. (I'm still trying to figure out why my outdated Logitech Harmony Remote application needs root privileges.)
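
Because the changes are only reversible if you know what the original permissions were, here is one way to record them first. This is an added example, not code from the NSA guide or the original article; the function names (octal_mode, snapshot_suid, strip_suid, restore_suid) and the tab-separated baseline format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the NSA guide): record setuid/setgid modes before
# clearing them, so every change can be reversed from the baseline file.
# Function names and the baseline format are assumptions of this sketch.

# Print a file's octal mode (e.g. 4755). GNU stat takes -c, BSD/macOS stat -f.
octal_mode() {
    if stat -c '%a' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%Mp%Lp' "$1"
}

# snapshot_suid DIR BASELINE: write "mode<TAB>path" for every regular file
# under DIR that has the setuid (4000) or setgid (2000) bit set.
snapshot_suid() {
    : > "$2"
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        printf '%s\t%s\n' "$(octal_mode "$path")" "$path" >> "$2"
    done
}

# strip_suid FILE: clear both bits on one file you have decided to demote.
strip_suid() {
    chmod ug-s "$1"
}

# restore_suid BASELINE: put back the recorded mode of each listed file.
# Paths containing tabs or newlines are not handled by this simple format.
restore_suid() {
    tab=$(printf '\t')
    while IFS="$tab" read -r mode path; do
        [ -f "$path" ] || continue
        chmod "$mode" "$path"
    done < "$1"
}

# Typical use, run as root (both paths are placeholders):
#   snapshot_suid / /path/to/suid-baseline.tsv
#   strip_suid /path/to/some/binary
#   restore_suid /path/to/suid-baseline.tsv
```

The restore reapplies the whole recorded mode, not only the special bits, so review the baseline before using it after an OS update.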

Configure and use both firewalls

Apple still includes ipfw with OS X, but starting in 10.7 it moved to pf as the primary option when you want more than the default application firewall. Since pf has more features, you should switch to that; you can use IceFloor for a graphical front end with some recommended rules.

Disable Bluetooth and AirPort devices

The NSA obviously worries about wireless connections. The agency's suggestions still work, but I'd recommend disabling Wi-Fi and Bluetooth in System Preferences instead. It should go without saying, but don't try this step if you are using a Bluetooth keyboard and mouse.

Disable iSight and sound input

For your iSight, the best thing to do is just put some tape over it. (Plus, you already know how to disable it in software.) The NSA's advice for audio still works, but if you follow it the NSA won't be able to listen to your conversations, so I'm sure the NSA wouldn't want you to do that.

Under Safari > Preferences, you can still uncheck Open safe files after downloading. Then click the Security tab and uncheck Allow Java. For extra security, you can also uncheck Allow all other plug-ins, but then more sites may not work properly.

I'd also suggest that you uninstall Adobe Flash and download the Google Chrome browser. Chrome includes its own sandboxed Flash player, so you can use Flash-enabled sites with less risk.

Au revoir, Bonjour!

This tip still works just as the NSA suggests—and if you follow it, you no longer have to worry about anyone seeing your iTunes library when you connect to a hotel network.

Most of the NSA's Snow Leopard security tips still work in Mountain Lion, but be very careful once you make changes outside System Preferences. Seriously, you have been warned.

