Advanced Plus Security Tafose6875 - MacBook Pro 13" 2021

Last updated
Apr 24, 2021
How it's used?
For home and private use
Operating system
macOS 11 Big Sur
On-device encryption
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
User Access Control
Smart App Control
Network firewall
Real-time security
- XProtect
Firewall security
Built-in Firewall for Mac/Linux
About custom security
Periodic malware scanners
No
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
- Safari (Hardened)
- Google Chrome (Hardened) + uBlock Origin with Medium Mode (Hardened)
Secure DNS
Google DNS:
- 8.8.8.8
- 8.8.4.4
Desktop VPN
No
Password manager
- KeePassXC
- Keychain
Maintenance tools
No
File and Photo backup
- iCloud Drive
- Google Drive
- Dropbox
- Jotta
System recovery
- NAS on RAID1 (My NAS running Netatalk, providing AFP for Time Machine backups. My NAS uses ZFS as a file-system which allows snapshots).
- Time Machine (Always connected)
- Time Machine (Connected every 1-2 months)
Risk factors
    • Working from home
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
    • Coding and development
Computer specs
Model: Apple MacBook Pro 13" 2020
CPU: Intel i5-1038NG7 2.0 GHz 10th gen.
GPU: Intel Iris Plus G7
RAM: 16 GB LPDDR4X 3733 MHz
Storage: 512 GB SSD
What I'm looking for?

Looking for maximum feedback.

tafose6875

New Member
Thread author
Apr 24, 2021
3
Hi!

My threat model is more tailored towards security when accessing the device physically (leaving it at the hotel or universities), preventing malware and protecting against data loss. Privacy is not that much of a topic. Could I improve something else here? ;)

P.S. I'm new here so if there is something wrong please correct it! :)
 

tafose6875

Instead of Google DNS I would use NextDNS or Quad9 for higher security.

Also, what did you mean with "Safari (Hardened)"? What settings?

-> NextDNS / Quad9 <-

How will I be safer? The concepts of "Privacy" and "Security" are inseparable and one cannot be without the other on the Internet, but WHILE IT IS ALL, Privacy and Security are not the same. These are TWO DIFFERENT concepts. How is this change going to protect me? Can you explain to me? :)


NextDNS works like a regular DNS server that blocks ads and trackers. This is great but in my opinion there is one disadvantage - serious - you have to trust them and here I am very careful. They are too short for me on the internet as a business. Google knows what I do on the Internet and I think it is hard to escape from user profiling by advertisers (which does not mean that you cannot, you need to spend a lot of energy and time on it, and yet it will not be the level of Tor Browser that is hard to use every day as a normal browser unless you are crazy ...) which is not my threat model. However, the advantage of Google is that it is a well-known company with quite a lot of experience, good security systems and many specialists working practically 24/7 on the service and its security, of which I am not entirely sure in the case of NextDNS. However, it is an alternative. Well, unless there are other advantages that I don't see?

It's the same as asking why you don't use Bitwarden but KeePass? As KeePass has been around for longer as a "company" on the internet, it's proven by millions of users. For the same reason, I bought an MBP with an Intel processor and not an Apple M1. I will buy one in the next 2-3 generations when they get rid of childhood mistakes. It's fun to get excited about high performance, but no one says anymore that virtualization is not quite working, there are problems with Docker and packages, there are only 2 Thunderbolt 3 ports or even incompatible software.

-> Safari (Hardened) <-

Safari has been configured to reduce the attack surface as much as possible. I use it mainly for the few trusted websites that I use on a daily basis - there are only 15-20 of them - the most trusted and large companies that I trust will be rather difficult to break their security.

- Disable AutoFill
- Disable open files after download (though I do not download ANYTHING)
- Show full website address
- Warn when visiting a fraudulent website (just in case)
- No extensions (there are currently no extensions like NoScript Security Suite / uMatrix / uBlock Origin / HTTPS Everywhere)
- I skip the AdGuard installation because uBlock Origin from Google Chrome does it to less trusted websites so as not to increase the attack surface and I need it because most of people use Google Chrome and I prefer to know how the created website looks at the client's. I live in Poland and computers with macOS are not very popular in companies (unless someone is a programmer etc.) due to the fact that they cost a lot of money and are not fully compatible with the companies' software. There is one CentOS server computer in my work and all the rest is Windows. The only person I saw live with macOS is my sister who got my old MBA 2017 from me. At the university everyone was surprised that I use macOS but what is not being done to be more secure? Linux! But it works once and doesn't work once, so ... In my opinion, it is much easier to hack Windows than macOS (stands for Unix) or Linux. It is also easier to ensure its security and keep the system and applications up-to-date. I chose macOS for work, home and school.

Do you have any more suggestions or questions? :D
 

Gandalf_The_Grey

Level 75
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,440
Quad9:

An open DNS recursive service for free security and high privacy

Quad9 is a free service that replaces your default ISP or enterprise Domain Name Server (DNS) configuration. When your computer performs any Internet transaction that uses the DNS (and most transactions do), Quad9 blocks lookups of malicious host names from an up-to-the-minute list of threats. This blocking action protects your computer, mobile device, or IoT systems against a wide range of threats such as malware, phishing, spyware, and botnets, and it can improve performance in addition to guaranteeing privacy. The Quad9 DNS service is operated by the Swiss-based Quad9 Foundation, whose mission is to provide a safer and more robust Internet for everyone.
More (also security related) info can be found here:
Google's DNS doesn't block those threats.
 

tafose6875

Quad9:

More (also security related) info can be found here:
Google's DNS doesn't block those threats.

In that case, I will have to consult it with someone who works at CyberSecurity / IT and has even more knowledge than me - 3-4 of the largest, most famous and experienced companies in my country. I will write them an e-mail and we will see what they say and what they think about it, but I will definitely let you know if it will be worth changing because it looks GREAT on paper! :D

P.S. Router has lists of malicious sites that it blocks, then macOS "hosts file" another list, then uBlock Origin with lists and entire countries and their top-level domains blocked so that it has a triple layer of protection! :)
 

Gandalf_The_Grey

In that case, I will have to consult it with someone who works at CyberSecurity / IT and has even more knowledge than me - 3-4 of the largest, most famous and experienced companies in my country. I will write them an e-mail and we will see what they say and what they think about it, but I will definitely let you know if it will be worth changing because it looks GREAT on paper! :D

ps. Router has lists of malicious sites that it blocks, then macOS "hosts file" another lists, then uBlock Origin with lists and entire countries and their top-level domains blocked so that it has a triple layer of protection! :)
Let us know what that person responds.
With Quad9 that would be quadruple protection :D
 
