Go Dark: Mac Edition

Blackout.

Your privacy is (not) an illusion

As someone who has not only been interested in “the security aspect of cyber” and the implications for personal privacy for quite a long time, it’s facinating to watch the world become slightly more aware of what really happens to your data when you’re using your computer, mobile phone, tablet device, internet-connected-fridge, etc.

The security (or the lack there-of) with regards to the “connected age” is just starting to light on fire with the public, and unfortunately there will most likely be some real ramifications that will hit people in the next few years.

While I am not advocating that you need rush to the store and buy a tinfoil hat, as a user of technology, I think it’s important to understand what information you are giving up — either willingly or unwillingly — to those that want to monetize off of your habits and social networks, or even worse; those who have ill intent towards any and everyone.

The tech industry has always slapped labels on this type of data collection as “big data” or “personalization” or “data science” — and sure, I agree — there is value in some basic level of understanding what a user is doing to augment and enhance the experience of whatever you’re doing. But i’d argue there are ways to do same type of enhanced experiences without collecting every little personal detail about you.

Anyways — I thought I would put a few words down on some tools you can use to see under the hood on what those apps are collecting. I’ll handle mobile in an upcoming post, but for now, let’s see what’s going on with your home computer.

Internet Traffic

Little Snitch — Have you ever wanted to see the traffic that every application (even system processes) is sending from your computer? Little Snitch is the answer.

little snitch will scare the crap out of you

Little Snitch also allows you to control that data collection: you have the ability to block (or allow) every little network call that is made from your apps. You’d be shocked how many applications send data over to Google Analytics. The warning on Little Snitch is that it can get incredibly noisy. It will be somewhat shocking to you when you first install it how much data is flying off your machine to the cloud. But with some tuning, you can really get things under control with a little work.

Ghostery— Best ad-blocker out there with extensions for almost every major browser. I have this on, blocking every social network beacon and data tracker I can find; but it sometimes causes odd side effects. For example, I can’t even log into xbox.com with this on. (note: Ghostery supports per-site whitelisting)

Communications

After the election, the question people asked me the most about was how to lock down their communication and instant messages.

iMessage — For the casual user, iMessage does already offer a reasonable amount of security on each message. Apple doesn’t have the encryption keys for messages, encrypts each message in transit, etc., but the security field usually dings Apple as there’s no way to confirm independently that there’s no one eavesdropping on the encrypted session. In addition, Apple doesn’t open up it’s encryption code to outside reiew.

So what’s the other options?

Wire — Wire is a relative newcomer to the encrypted messaging space. It has end-to-end encryption for its text, voice and video communications, runs everywhere from a browser to your iPhone to your iPad. No ads. No profiling. It uses a fingerprint comparison to verify the digital identity of other users. Wire also open sources its code. See 1.15.17 and 1.16.17 updates.

Signal — Signal is probably the most well known of the encrypted messenger applications. Built on Open Whisper Systems, all messages sent over Signal are end-to-end encrypted, and they don’t store the keys to decrypt them. Signal’s source code is also open-sourced, and they store little-to-no data on you or your communications. Even in your backups, messages aren’t included.

Several folks also recommend using WhatsApp, which is built upon the same Open Whisper system that Signal uses. The “issue” with WhatsApp is although they do not have access to the messages you send, they can read metadata which includes time stamp of each sent and received message, mobile phone numbers and the time stamp of delivered messages.

As for other system such as Facebook Messenger, just don’t bother if you’re looking for privacy.


Update 1.15.17: After reading through this post on how private messengers handle key changes, I would not recommend Wire until they fix/alert when a remote key is changed. Signal still seems to be the best. Bummer, I was really starting to enjoy Wire.

Update 1.16.17: Wire responds, and now I’m more intrigued. Going to keep an eye on this to see how it shakes out, as I really like Wire.


File System

Little Flocker— You can think of Little Flocker as “protection against ransomware, spyware, and misbehaving applications”. It does real-time protection (similar to Little Snitch) against unauthorized access to your files, alerts you against ransomware, spyware, or other programs that might attempt to steal, encrypt, or destroy your personal files. It also protects USB sticks from being accessed by applications without your permission.

Like Little Snitch, I find Little Flocker to be an essential tool — but it’s VERY noisy. It requires some serious tuning/personalizing to be effective.

BlockBlock — BlockBlock continually monitors certain persistence locations and displays an alert whenever a persistent component is added to the OS. More simply — it looks for software that’s installing itself in such a way that it will always be running and will restart after a system reboot — similar to most malware.

Cameras and Microphones

MicroSnitch— I use MicroSnitch instead of putting tape over my webcam.

Sure, tape can help with your camera — but what about your microphones?

This simple app sits in the background, and notifies you whenever your camera or microphone gets turned on. Nice and easy.

Everything else

If you want to go really hardcore, check out “The Practical Guide to Securing macOS”. Most of the suggestions in there are going to go beyond what a normal user will do, but it’s a great read.

Next time, I’ll dive into an even worse source of data collection: your phone.