Wherever one goes on Apple forums, non-technical experts scream and shout that one must update to the latest version of macOS for security reasons. And one must most of all be very careful:
- not to disable SIP (a requirement to be able to boot from external disks)
- not to disable Secure Boot
- to disable third-party kernel extensions (required for advanced functionality)
Protecting root for personal users
Most of this is nonsense. For personal users, protecting root from bad actors is irrelevant. Running as a simple admin user, any viable malware can get all of your personal and financial data. It can also run most spyware to turn on your camera and/or microphone. Turning the alert light off on the camera may require root privileges, it’s true. The absence of compromising video of yourself at home is mild compensation when all of your documents, accounts and passwords have already been stolen.
For enterprise and tech admins, protecting root is a worthwhile endeavour. This means the default action on a compromised device would be to delete the breached user account and start over. If a scan shows the device clean, no need to reformat the entire device.
On the other side, trying to run one’s Mac as a non-privileged user is a complete nightmare. It’s impossible to do anything except drive at below 30 km/h between the two cones. Almost every action and every account requires entering admin account credentials. Again, for the individual user or even the small business user, all this security theatre just restricts what s/he can do with his/her computer and creates hours of IT interruption every month.
Real World Test of Apple Security
One of the leading voices for update – update – update is Howard Oakley. Unlike the drones on Apple’s own forums, photo forums and general tech forums, Oakley knows his stuff. He must be running about eight Macs of various generations, and another twenty macOS VMs. Oakley had the personal integrity to test some of his Macs (mostly via VM) against some common malware while running macOS 14 Sonoma (2023 release) with various degrees of security:
> In these tests, I have again run four variants of the same 14.6.1 VM:
> Full Security, with SIP and Gatekeeper/XProtect enabled; Full Security, with Gatekeeper/XProtect disabled; Permissive Security, with SIP disabled; Permissive Security, with both SIP and Gatekeeper/XProtect disabled.
Here are the results. Against three malware samples, two were stopped by all four variants of the VM. One sample compromised all four variants of the VM.
Security theatre does not help in the real world.
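As an added example (not code from this post or from Oakley), here is a small POSIX shell audit that reads the settings the list at the top and Oakley’s four variants are about: SIP, Gatekeeper assessment, and loaded third-party kernel extensions (Secure Boot policy is not covered). It assumes the documented output formats of `csrutil status`, `spctl --status` and `kextstat`; the sample outputs and the `com.example.virtualdisk` bundle id are constructed.

```shell
# Added audit helper, not code from the original post or from Howard Oakley.
# It summarises a Mac's posture from the text of `csrutil status`,
# `spctl --status` and `kextstat`. Each function takes the command output as
# an argument so the parsing can be exercised on the constructed samples
# below; the live commands are only invoked when they exist (on macOS).

sip_state() {
  # csrutil prints "System Integrity Protection status: enabled." / "disabled."
  case "$1" in
    *"status: enabled"*)  echo enabled ;;
    *"status: disabled"*) echo disabled ;;
    *)                    echo unknown ;;
  esac
}

gatekeeper_state() {
  # spctl --status prints "assessments enabled" or "assessments disabled".
  # This reflects Gatekeeper assessment only; XProtect's own file scanning
  # is not reported by spctl, so the post's Gatekeeper/XProtect pairing
  # follows Oakley's variants rather than this command.
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

third_party_kexts() {
  # kextstat column 6 is the bundle identifier; Apple's own start with com.apple.
  printf '%s\n' "$1" | awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

audit_summary() {
  # $1 csrutil text, $2 spctl text, $3 kextstat text -> one summary line
  kexts=$(third_party_kexts "$3" | wc -l | tr -d ' ')
  echo "SIP=$(sip_state "$1") Gatekeeper=$(gatekeeper_state "$2") third-party-kexts=$kexts"
}

# Constructed sample outputs (hypothetical bundle id com.example.virtualdisk).
SAMPLE_CSRUTIL='System Integrity Protection status: disabled.'
SAMPLE_SPCTL='assessments enabled'
SAMPLE_KEXTSTAT='Index Refs Address Size Wired Name (Version) UUID <Linked Against>
    1  200 0 0 0 com.apple.kpi.bsd (23.6.0) 00000000-0000-0000-0000-000000000000
  150    0 0xffffff7f80000000 0x5000 0x5000 com.example.virtualdisk (1.2.3) 00000000-0000-0000-0000-000000000001'

if command -v csrutil >/dev/null 2>&1; then
  audit_summary "$(csrutil status)" "$(spctl --status 2>&1)" "$(kextstat 2>/dev/null)"
else
  audit_summary "$SAMPLE_CSRUTIL" "$SAMPLE_SPCTL" "$SAMPLE_KEXTSTAT"
fi
```

On the constructed sample the summary line reads SIP disabled, Gatekeeper enabled, one third-party kext, which is the "Permissive Security, with SIP disabled" variant of Oakley’s test.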
macOS compromised from install
The security theatre becomes more egregious when one considers that there is both spyware and malware built into every modern Mac. I won’t go into low-level entry points such as hardware backdoors in the EFI firmware today, only the low-hanging fruit we can see.
Built-in spyware: iCloud. iCloud data is kept on US servers and the US security state (which started with the NSA/CIA but now includes over fifty different agencies) has near direct access to everything stored there (if we’re lucky, there’s a request approval button, but if there is, it’s rubber-stamped in minutes).
Built-in malware: Apple App Store. Beyond the software which comes with its own built-in back doors (Adobe, Microsoft, Facebook apps, Dropbox), any app one downloads from the App Store can be Tailored Access. The security state can see what you have installed, and your next update of BusyCal or iA Writer can include routines to directly monitor your activity and turn on cameras or microphones silently. Agency hackers would be more likely to choose applications like Dropbox, which the user expects to sync large quantities of data, as the user wouldn’t even notice his data being uploaded for scrutiny.
I trust the US Security State
In that case, you haven’t been paying attention. People have spent years in jail for showing up at a demonstration (January 6). Baseless dirt-mucking investigations have been going on against political opponents. Compromising material has been leaked to journalists from anonymous sources.
Apple should be protecting our privacy but is not. The security measures they have in place do more to prevent us from securing our computers and to ensure the security state has easy access (we can’t modify anything at root level to cut off some of Apple’s access).
Point of this article
Howard Oakley, who never stops advocating for Apple’s security measures, did his own tests. XProtect’s file monitoring, which doesn’t compromise our ability to manage our computers, detected the malware. All of the rest of the lockdown methods are mostly security theatre and actively prevent a user from securing his or her computer.
Action Points
If you need to boot from an external drive, set up your computer the way you want, or run advanced programs, do not hesitate to disable SIP and boot protection. You should not enable iCloud at all on your computer (impossible to avoid on iPhones and iPads) and should not allow any data onto iCloud, however convenient it may be. It is possible to sign into the App Store without signing into iCloud on your computer.
It’s still not enough, as Apple may say one thing and do another. “Apple said they wouldn’t do that” is not an argument. Spouses vow not to cheat on one another, but infidelity remains the number one cause of divorce.
If freedom to compute and privacy are important to you, plan to move away from Apple soon. Apple users (myself included) are frogs in hot water. The next step is to completely disable our ability to turn off SIP or boot from external devices or not to be logged into iCloud all the time.
Our iPhones and iPads should be dropped in the trash as well, as the built-in cameras/microphones/batteries and locked-down OS mean they are 24/7 spyware which we carry with us. In 2024, there is an alternative. LineageOS and GrapheneOS have come a long way. Since the Apple Watch must be tied to an iPhone and is no more secure than the parent, it has to go too. This is sad, as the Apple Watch does a lot for people’s fitness with its daily goals and accurate heart monitoring (the rest of the monitoring is mostly marketing claptrap).^[Heart rate monitoring helps me a great deal to not take my heart rate to unsafe levels during vigorous exercise. No other device gave instant and accurate readings (Garmin, Withings tested, 2020).]
Consequences
These decisions are difficult to make. It would be nice to be able to trust our computer and phone makers. The recent attack in Lebanon has shown how vulnerable we all are to our electronics. It’s a personal decision that each of us must make, but we should do so consciously.
The more of us who leave the walled garden so carefully constructed for us, the better our collective security. The security state cannot individually track all of us if we choose devices without built-in tracking and spyware.
Alec Kinnear
Alec has been helping businesses succeed online since 2000. Alec is an SEM expert with a background in advertising, as a former Head of Television for Grey Moscow and Senior Television Producer for Bates, Saatchi and Saatchi Russia.