mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 21:01:34 -05:00
Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2024-11-27 07:43:04 -07:00 committed by GitHub
parent 890af86a51
commit 58172c93f7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -276,6 +276,45 @@ Avoid connecting to [hidden networks](https://support.apple.com/en-us/102766#hid
By default, macOS uses a random MAC address for each SSID. However, it also defaults to using the "Fixed" randomization mode, re-using the same MAC address for SSID instead of changing it on every connection. Essentially, this allows network operators to recognize that you are the same user that has previously connected to the network. Consider changing the randomization mode to "Rotating" depending on your threat model. By default, macOS uses a random MAC address for each SSID. However, it also defaults to using the "Fixed" randomization mode, re-using the same MAC address for SSID instead of changing it on every connection. Essentially, this allows network operators to recognize that you are the same user that has previously connected to the network. Consider changing the randomization mode to "Rotating" depending on your threat model.
## Secure Time Synchronization
macOS uses NTP for time synchronization, which is insecure and unauthenticated. You should setup NTS for secure time synchronization. You can do so by:
- Using a local virtual machine as the NTP server. The local virtual machine can then get its time safely using NTS and chrony. Check out [our guide](/posts/macos/secure-time-synchronization-on-macos/).
- Using [ChronyControl](https://www.whatroute.net/chronycontrol.html). A sample Chrony configuration derived from GrapheneOS's is as follows:
```
user daemon
server time.cloudflare.com iburst nts
server ntppool1.time.nl iburst nts
server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
server time.dfm.dk iburst nts
server time.cifelli.xyz iburst nts
minsources 3
authselectmode require
# EF
dscp 46
driftfile /var/db/chrony/chrony.drift
bindcmdaddress /var/run/chrony/chronyd.sock
log tracking measurements statistics
logdir /var/log/chrony
ntsdumpdir /var/db/chrony/
leapsectz right/UTC
makestep 1.0 3
rtconutc
rtcsync
```
## Securely Erase Your Mac ## Securely Erase Your Mac
To completely wipe your Mac securely, use the [Erase All Content and Settings](https://support.apple.com/en-us/102664) option. This will ensure all data is securely wiped and no traces of your ownership are left on the Mac. This is important so that the next owner is able to set it up without running into issues with verification. You'll need to know an Administrator password and Apple Account password to turn off Find My if you've enabled it previously. To completely wipe your Mac securely, use the [Erase All Content and Settings](https://support.apple.com/en-us/102664) option. This will ensure all data is securely wiped and no traces of your ownership are left on the Mac. This is important so that the next owner is able to set it up without running into issues with verification. You'll need to know an Administrator password and Apple Account password to turn off Find My if you've enabled it previously.
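Review bot: The sample configuration under the ChronyControl bullet is given without explaining the directives that decide whether it works and how it fails, and a few of them need a sentence each. `minsources 3` combined with `authselectmode require` means the clock is only updated while at least three authenticated sources are selectable, so a reader who trims the six-server list below three will find the clock no longer being corrected; state that next to the block. `user daemon` together with `driftfile /var/db/chrony/chrony.drift`, `ntsdumpdir /var/db/chrony/` and `logdir /var/log/chrony` assumes those directories exist and are writable by that account, which the text does not mention. "derived from GrapheneOS's" should link the source and say what was changed for macOS, in particular whether `rtconutc` and `rtcsync` are intended to be kept here. Minor: "You should setup NTS" should read "set up".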