Isn’t the internet so _freeing_? All we need to do every year is a half-day of personal security work!
Just like the bright futurists said!
Lots of generally useful info there but as to MacOS and Apple Silicon machines specifically, irrelevant if people merely use FaceID and TouchID, Apple's biometric 2FA built into everything they make these days. Chip/NFC credit/debit cards even are less secure - they don't require fingerprint or 3D IR face scans to use. Logging in to anything, bank/financial sites and any app on the device is a snap - just stare at the device or swipe across a fingerprint sensor. And it's not only that these two biometric sensors are available. They're part of a military-security grade 'secure enclave' of trustworthy tamperproof hardware and software components 'baked in' to Apple devices.
TL;DR https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf 12/2024 (400+ page deep dive)
P.S. I'm not a fan of being 'untrusted' from tinkering with devices I've bought, nor that 'the most recent version' of Web browsers -required for any real interaction on the Web- are inexorably anchored to buying incessant upgrades of only 'the most recent' devices. But those peeves don't diminish that security of iThings as described in the paper and more A3 and privilege mechanisms intertwined beneath in MacOS which BTW are FIPS 140-3 certified. With a few minor tweaks to capabilities Apple already has, they could implement FIPS 140-4 and CMAC, making their devices secure enough to handle top-secret highly-sensitive classified compartmented secure information - then you could launch nuclear strikes with them!! Which speaks to the weakest link in all security - the people involved. Don't be blindly trusting of someone from 'the help desk' calling.
Touch ID and Face ID are inherently insecure from the entities we are right to fear most of all: the authorities. All they need is to hold our device before our faces, or take hold of our finger, and they gain total access.
That’s why I stay with a passcode.
Thank you for directing me to this article, Paul. So much to unpack here. Right after I get over my panic attack, I'll be making some changes! :)
Do you recommend a particular VPN?
Proton mail had an all inclusive package
Thanks.
Super interesting Paul. All such important information, thank you. Now trying to figure out the vault thing. I have an older MacAir but IOS is 12.6, also old but good enough it seems to have it pre-installed.
I’ve been working with Macs close to 15 years. I’ve only seen one machine actually have ransomware (which was caused by someone pirating a piece of software that the user installed even though the OS prompted them several times this is an unsigned application and is dangerous). The closest thing to malware I have seen has all been browser based, meaning the user clicked on a pop up and gave the site permission to install an extension which hijacks their browser. This is usually on sketchy sites and you can’t view the site until you install the extension. Uninstalling the browser then restarting it removes the plist file that causes the hijacking. In NO way ever will I recommend buying/downloading third party antivirus software on a Mac. They cause more trouble than they are worth, OSX has so many safeguards built in already. Even on Windows I recommend using Defender rather than a third party antivirus.
Agreed. I deeply mistrust third party anti-anything. Without exception, my experience with these has been hellish.
Brilliant article. I need to read it several times. And I need to act! Question: I have several passwords attached to an inactive email account so I can't get the email code needed to change some passwords. I know the password I used years ago is compromised. Any thoughts?
Oh man that’s a rough situation to be in. Is there any possibility of getting access to that email again? Or possibly creating it again? If there was no recovery option set up for that account it will be very difficult to access. You may have some luck actually contacting the folks who manage the accounts you are trying to change the password to by contacting their support and telling them the situation. They may have another way to verify you are you. I wish you luck!