Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

On the state of OSX - how to protect

Freewheeling spot to chew the fat on anything cryptostorm-related that doesn't fit elsewhere (i.e. support, howto, &c.). Criticism & praise & brainstorming & requests for explanation... this is where it goes when it's hot & ready for action! :-)
User avatar

Topic Author
hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

On the state of OSX - how to protect

Postby hashtable » Sun Apr 03, 2016 6:10 am

First, I want to start by saying I love apple's products. I haven't used anything since windows 98' that made me feel this good. With that being said, apple's megalithic status is making them become jaded, similar to microsoft during the height of that era. Apple has secret schools, secret labs, they rarely opensource anything, instead prefer to go 'old school' announcing the next line of products at hyped events. I kinda like it - but in the modern era, it doesn't matter how much money or talent you have, if your software isn't opensource - it will decline in quality, become vulnerable, and that's happening today.

More malware / viruses have been discovered for iOS / OSX this year than like the last 10 years combined. The inner workings of the OS, dubbed SIP, estranges itself away from UNIX and classical linux behavior. It's easy to assume that because of it's command line and interoperability with linux programs that it behaves like OpenBSD - which is what the source code is based on. In reality, like in the movie Steve Jobs, there's locks, not just on the outside, but the inside, that cannot be opened by anyone. When you agree to license statement - they are RENTING you the software. You don't own it, you can't control it, and it's a tricky illusion to believe you can.

With that being said, I believe Apple to be a benign dictator. When their ads chief quit because they wouldn't collect enough user data - and recent fight with the FBI - I think it's safe to say that they have no incentive to market YOU. Unlike google, Apple doesn't need to sell you as product, they make enough money, for now. There's also some amazing projects that have been built independently, open sourced, which can help protect your identity while enjoying the luxury.


Monitoring

objective-see

They currently have 7 apps, user friendly, great for any user.

KnockKnock, TaskExplorer, DylibHyjak Scaner, and Kext Viewer enable you to see all the processes running on your computer and then they can (optionally) scan a virus database to see if any weird shit is installed. They go down to the kernel / root level, unlike the shitty anti-virus products you might find - these are minimal apps - they won't fuck with you - trust me (or read their blog and use the apps to see for yourself).

Ostarius and blockblock will download stuff into the kernel to watch for weird behavior. Ostarius is another layer of protection on top of gatekeeper which has known vulnerabilities, and blockblock let you stop unsigned code from being downloaded deeper in the system. It's common for malware to be discovered and deleted, just to reinstall install itself (Google Chrome does this actually). It lets you know, and maybe stop it.


Firewall

littlesnitch is the usual goto app for firewalls in OSX. I'd recommend it, but it only touches the surface level. It'll work for 3rd party apps you download - but it won't do much to stop anything deeper in the OS.

Murus is a gui on top of OpenBSD's PF (firewall). Apple left pf in the OS for some reason. It's not really used for much, but it's one of the most powerful firewalls built for any linux system. It's a bitch to control, but the GUI helps. It's lower lever, more powerful than littlesnitch, and I'm sure people more clever than myself could figure out how to combine it with proxies and tunnels to really do crazy shit. But they also just released a new firewall app Murus as competition to littlesnitch. Unlike littlesnitch, murus detects almost everything, and it's easier to use. Not available now (unless you purchase murus pro) but i think it's going to be released soon. In combination with VPN, you can set paramaters in Murus / Vallum to change quickly, or only use traffic over the tun0 / tun1 interface or block icloud or whatever. It's pretty cool.


Hardcore

For those looking for something more powerful and have some computer knowledge - this is the holy grail: OS-X-Security-and-Privacy-Guide

It covers everything from how to install OSX properly to using DNSMASQ/DNSCRYPT GPG VPN's PF TOR and links to tons of resources and blogs and other libraries.

For the paranoid, do everything this guy says here: osxparanoia. It works. you kill all the social widgets and bullshit, and it goes quiet. Stops phoning home. The traffic just drops. Also spoof you mac address on all the reloads - maybe the hostname? I dunno. It uses Mavericks, anything above Mavericks cannot be quieted to this degree.

El Capitan now logs everything. All the commands. All the downloads. All the wifi. And the log won't die. It will preserve itself across boots, even if the nvram is flushed. Even if you disable sip. They keep it. I don't think they care -they're doing it with good intention, just be warned.

Love and Peace :angel:

User avatar

parityboy
Site Admin
Posts: 1091
Joined: Wed Feb 05, 2014 3:47 am

Re: On the state of OSX - how to protect

Postby parityboy » Sun Apr 03, 2016 8:51 am

@OP

Good stuff! :D I have an iMac running Mavericks, I'll definitely check out those links. :)

User avatar

Topic Author
hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: On the state of OSX - how to protect

Postby hashtable » Thu Apr 07, 2016 3:44 am

Vallum firewall beta just officially released to the public!!!

http://vallumfirewall.com/downloads/

Also, If you want any vials, download the injector:

http://murusfirewall.com/downloads/

My advice is to log in normally - after connected to vpn - inject the vpn vial (which only allows traffic on ipv4 tun0), and then after you disconnect inject a default vial. I can provide vials but I'll need to know what connections you need on / off because we might have the exact same ports open / services used.

I'd also recommend downloading the dnscrypt client for osx - https://github.com/alterstep/dnscrypt-o ... t/releases

The csv stays up to date - but you have to select the node's dns BEFORE you connect via tunnelblick (viscosity might have an option built in) because it won't connect after openvpn is running. The app also overrides any serverside pushes for DNS changes. You'll have the projection of dnscrypt with openvpn, and it seems to pass the test online. The timing of when these apps are run is important - I wonder if there's a way to automate it?

User avatar

parityboy
Site Admin
Posts: 1091
Joined: Wed Feb 05, 2014 3:47 am

Re: On the state of OSX - how to protect

Postby parityboy » Thu Apr 07, 2016 11:16 pm

@hashtable

Many thanks for the update. :D

You'll have the projection of dnscrypt with openvpn, and it seems to pass the test online. The timing of when these apps are run is important - I wonder if there's a way to automate it?


AppleScript maybe?

User avatar

Topic Author
hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: On the state of OSX - how to protect

Postby hashtable » Wed Apr 20, 2016 4:41 pm

update: it's getting better ;) the effects of the recent legal battle have already started to trickle down into the newest dev environments...


Wister
Posts: 4
Joined: Mon May 30, 2016 2:35 pm

Re: On the state of OSX - how to protect

Postby Wister » Fri Jun 03, 2016 8:55 am



Guest

Re: On the state of OSX - how to protect

Postby Guest » Sun Jun 19, 2016 8:56 am

WWDC happened this week. They've made some pretty substantional changes in the OS - both good and bad (depending on the use case). So, the most important changes that have been made in the networking level are:

1) Depreciation of outdated VPN protocol and ** potentially ** default support for openvpn. Openvpn is not documented yet, but it's recommended as one of the VPN's and there's an undocumented SSL - VPN - API (and maybe 2 other VPN protocols) that previously didn't exist. So, if someone (cough cough) wanted to ACTUALLY build a VPN network secure connection - which can also now be turned into a safari extension app content blocker / virtualmachine little box of an app.

2) IPv6 is mandatory for everything. There's no escaping the ipv6 from within the MacOSX (whatever) system. You'll have to still deal with that using routers or like a raspi as vpn or somethnig. They're going balls deep with ipv6.

Other changes: they've designed a new filesystem that can encrypt all the files - it's flexible / powerful but it won't be a used default and you get in what you put out - it's not going to do everything for you, but it's possible to make some very secure data storage.

On the flip side - eveything is clouded, siri listens everything you say, and everything you do, every file you download, everything is going to be syncing with the cloud by default - convenience > privacy. But... they're enforcing all connections to use high standard TLS (https) - and if someone programs something cool with the new FS then it's possible to have every single thing encrypted - including the metadata.

Everything exists in paradox. They give us VPN secure networks - while forcing ipv6. They give us an amazing encrypted FS - while syncing viritually everything into the cloud. With that said, it's not perfect, but wayyyyyyyy better than anything made by microsoft or google (for secure, personal computing)


Return to “general chat, suggestions, industry news”

Who is online

Users browsing this forum: No registered users and 11 guests

Login