Go Dark: Mac Edition

Blackout.

Your privacy is (not) an illusion

As someone who has not only been interested in “the security aspect of cyber” and the implications for personal privacy for quite a long time, it’s facinating to watch the world become slightly more aware of what really happens to your data when you’re using your computer, mobile phone, tablet device, internet-connected-fridge, etc.

The security (or the lack there-of) with regards to the “connected age” is just starting to light on fire with the public, and unfortunately there will most likely be some real ramifications that will hit people in the next few years.

While I am not advocating that you need rush to the store and buy a tinfoil hat, as a user of technology, I think it’s important to understand what information you are giving up — either willingly or unwillingly — to those that want to monetize off of your habits and social networks, or even worse; those who have ill intent towards any and everyone.

The tech industry has always slapped labels on this type of data collection as “big data” or “personalization” or “data science” — and sure, I agree — there is value in some basic level of understanding what a user is doing to augment and enhance the experience of whatever you’re doing. But i’d argue there are ways to do same type of enhanced experiences without collecting every little personal detail about you.

Anyways — I thought I would put a few words down on some tools you can use to see under the hood on what those apps are collecting. I’ll handle mobile in an upcoming post, but for now, let’s see what’s going on with your home computer.

Internet Traffic

Little Snitch — Have you ever wanted to see the traffic that every application (even system processes) is sending from your computer? Little Snitch is the answer.

little snitch will scare the crap out of you

Little Snitch also allows you to control that data collection: you have the ability to block (or allow) every little network call that is made from your apps. You’d be shocked how many applications send data over to Google Analytics. The warning on Little Snitch is that it can get incredibly noisy. It will be somewhat shocking to you when you first install it how much data is flying off your machine to the cloud. But with some tuning, you can really get things under control with a little work.

Ghostery— Best ad-blocker out there with extensions for almost every major browser. I have this on, blocking every social network beacon and data tracker I can find; but it sometimes causes odd side effects. For example, I can’t even log into xbox.com with this on. (note: Ghostery supports per-site whitelisting)

Communications

After the election, the question people asked me the most about was how to lock down their communication and instant messages.

iMessage — For the casual user, iMessage does already offer a reasonable amount of security on each message. Apple doesn’t have the encryption keys for messages, encrypts each message in transit, etc., but the security field usually dings Apple as there’s no way to confirm independently that there’s no one eavesdropping on the encrypted session. In addition, Apple doesn’t open up it’s encryption code to outside reiew.

So what’s the other options?

Wire — Wire is a relative newcomer to the encrypted messaging space. It has end-to-end encryption for its text, voice and video communications, runs everywhere from a browser to your iPhone to your iPad. No ads. No profiling. It uses a fingerprint comparison to verify the digital identity of other users. Wire also open sources its code. See 1.15.17 and 1.16.17 updates.

Signal — Signal is probably the most well known of the encrypted messenger applications. Built on Open Whisper Systems, all messages sent over Signal are end-to-end encrypted, and they don’t store the keys to decrypt them. Signal’s source code is also open-sourced, and they store little-to-no data on you or your communications. Even in your backups, messages aren’t included.

Several folks also recommend using WhatsApp, which is built upon the same Open Whisper system that Signal uses. The “issue” with WhatsApp is although they do not have access to the messages you send, they can read metadata which includes time stamp of each sent and received message, mobile phone numbers and the time stamp of delivered messages.

As for other system such as Facebook Messenger, just don’t bother if you’re looking for privacy.


Update 1.15.17: After reading through this post on how private messengers handle key changes, I would not recommend Wire until they fix/alert when a remote key is changed. Signal still seems to be the best. Bummer, I was really starting to enjoy Wire.

Update 1.16.17: Wire responds, and now I’m more intrigued. Going to keep an eye on this to see how it shakes out, as I really like Wire.


File System

Little Flocker— You can think of Little Flocker as “protection against ransomware, spyware, and misbehaving applications”. It does real-time protection (similar to Little Snitch) against unauthorized access to your files, alerts you against ransomware, spyware, or other programs that might attempt to steal, encrypt, or destroy your personal files. It also protects USB sticks from being accessed by applications without your permission.

Like Little Snitch, I find Little Flocker to be an essential tool — but it’s VERY noisy. It requires some serious tuning/personalizing to be effective.

BlockBlock — BlockBlock continually monitors certain persistence locations and displays an alert whenever a persistent component is added to the OS. More simply — it looks for software that’s installing itself in such a way that it will always be running and will restart after a system reboot — similar to most malware.

Cameras and Microphones

MicroSnitch— I use MicroSnitch instead of putting tape over my webcam.

Sure, tape can help with your camera — but what about your microphones?

This simple app sits in the background, and notifies you whenever your camera or microphone gets turned on. Nice and easy.

Everything else

If you want to go really hardcore, check out “The Practical Guide to Securing macOS”. Most of the suggestions in there are going to go beyond what a normal user will do, but it’s a great read.

Next time, I’ll dive into an even worse source of data collection: your phone.

Don’t Get Hacked by a USB Charger

“What do you mean the charger hacked me?”

Now that I am doing a large amount (if not all) of my computing via mobile devices, making sure that I have enough power with me throughout the day is an absolute must.

Even though the iPhone 6S+ and the iPad Pro 9.7 are great on the battery, I still carry a small backup battery and a rapid charge adapter with me to keep myself charged throughout the day. And as a frequent traveler, I also find myself in a rental car, airplane, airport or hotel with a USB charge available — but I never felt really comfortable plugging into some random USB port just to get a quick battery recharge.

Every day, there seems to be a new article detailing a horror story about people using these plugs out of convenience and then the chargers steal your data — a practice commonly known as “juice jacking”:

Juice jacking happens when a mobile device (i.e. smart phone or tablet) is plugged into a charging station via USB — it does not occur via laptops or devices plugged into wall sockets. Any employee with a smart phone or tablet that is connected to a corporate network can open up exposure simply by plugging his or her dying device into the USB charging kiosk at an airport, business center or conference. These charging stations can be hijacked by hackers and configured to read and copy data from the device and also upload malware to facilitate later exploitation, all without the user’s knowledge that anything is amiss.

To combat that, one of the easiest and most useful tools that I always carry with me is a USB “condom” — also known as a smart data blocker. From trying out a bunch of these, I highly recommend the PortaPow Fast Charge + Data Block USB Adaptor with SmartCharge. It’s easily the best one that I’ve tried, without any charge time performance hit. Basically, the PortaPow sits in-between your normal charge cable and the USB outlet — cutting the data lines of the USB — so your device is only getting the charge and doesn’t leak your data.

It’s a simple but effective way to keep yourself and your data safe.