How do you secure your dev machine/environment?

Following some of the comments in the EF version of How often do you upgrade/replace your dev machine? (poll) I’m wondering how you all secure your dev machines. Please let us know in this thread! :lock:

When answering please say which OS you’re talking about if applicable.

While fresh in my mind…
(Was messing around with the stats and istats apps and noticed weird startup processes!)

macOS

Apart from the obvious like setting a password etc…

  • Turn on FileVault to encrypt your drive: Privacy & Security > FileVault
  • Turn on your firewall: Network > Firewall (then periodically click on ‘Options’ to check those in the list of incoming connections).
  • Enable end-to-end encryption of iCloud data: iCloud > Advanced Data Protection

Oddly - none of the above is on by default!

  • Install LittleSnitch to allow/disallow connections to the web (there are free alternatives)
  • Set up Time Machine backups (encrypted and usually run two and keep old copies)
  • Check Privacy & Security > Files & Folders to see which folders your apps can access
  • Check Privacy & Security > Full Disk Access
  • Check Privacy & Security > Accessibility to see which apps can ‘control’ your Mac
  • Check Lock Screen > require password after screen saver begins immediately/whatever you require
  • Check General > login items for apps/services that automatically start at login
  • Check your folder permissions (particularly if you have added any to your home folder). Folder > right click > info (should be you > Read & Write and everyone > no access)
  • Privacy & Security > Advanced > log out automatically after inactivity (means a password would be required instead of just Touch ID)

You may also want to look at Apple’s new Lockdown Mode, which they say can offer extreme protection.

That’s all I can think of for now, I’d be curious how people are achieving similar in Linux (if I move from macOS I’d probably go to Linux).

3 Likes

This necro-thread popped up in my feed today for some reason.

FreeBSD

  • login only via yubikey, whether ssh or locally
  • zfs with native encryption on key partitions
  • pf firewall, block by default
  • a bunch of typical FreeBSD security sysctls

As security is CIA (Confidentiality, Integrity, Availability) I also do backups!

  • tarsnap for critical individual files & key server files
  • restic for larger things like database backups
  • patch regularly of course

Without the yubikey and the disk password the system is useless, same setup for my laptop.

3 Likes

Very interesting question! And I guess I’m gonna join in on reviving the thread. :grin:

That’s all I can think of for now, I’d be curious how people are achieving similar in Linux (if I move from macOS I’d probably go to Linux).

I am on Linux, the standard system setup procedure for me is:

  • set up full disk encryption using dm-crypt via cryptsetup
  • configure the nftables firewall to block everything inbound except for anything apps might need (e.g. syncthing)
  • lock down the kernel via selected sysctls from Linux Hardening Guide | Madaidan's Insecurities
  • install USBGuard to block any unexpected USB devices by default
  • install and configure firejail. This will put most programs into a restrictive sandbox, e.g. Firefox can’t access files outside of the downloads directory. This isn’t a perfect sandbox (see e.g. NVD - CVE-2022-31214) but it’s very very good and really ships with profiles for almost everything. I also set force-nonewprivs yes to reduce the possibility of privilege escalation. (This pretty much does the “see which folders your apps can access”, but you can also restrict the network, process tree and so on).
  • I install a bunch of browser plugins to restrict what may run in my browser, mainly UBlock Origin and NoScript.
  • highly recommended: do not give your own user sudo rights, instead switch to a virtual console (i.e. CTRL+ALT+F1), use Secure Attention Key and only then enter root password

There’s a decent amount of privacy measures as well.

Anyways, the problem I see with all this sandboxing - which is why I think it’s a very interesting topic - is that basically the moment you install something with mix / pip / gem / rebar / go etc. usually no “standard” sandboxing is available. So any piece of malicious open source code can take over your computer (or at least user account). At least on Linux this is the case, on the BSDs I’m not really sure, if I remember correctly on Mac once you give Terminal access to your files that’s also the case? Not sure how it is on Windows. The XZ Utils backdoor IMO is a good example how “easy” it is to hide something malicious even in the open, or see Ken Thompson’s Turing Award Lecture, Reflections on Trusting Trust. I see a few options:

  • accept the risk that any malicious open source can take over your computer (most convenient)
  • sandbox using something like firejail (small inconvenience)
  • set up some containerization for every development environment (has other benefits, too)
    • at least guix can also make isolated containers, see GNU Guix cookbook, p. 49
    • of course this gets messy with things like how to edit files in there, networking and so on
  • use VMs, e.g. https://www.qubes-os.org/
    • most inconvenient but most secure I think !

I think it’s all a big scale on how much you want to inconvenience yourself. For Python (which I use at work) I wrote a plugin for the dependency manager that uses Linux’s Landlock and unshare to restrict what any code running in there can see. Not perfect, but it’s all about raising the bar :slight_smile:

2 Likes
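The Landlock idea from the post above, as an added example that is not code from the thread or from the poster's dependency-manager plugin: a package-install wrapper that gives a child process a read-only view of the filesystem and write access only beneath one project directory, so a malicious `pip install` (or mix, gem, npm) can still build but cannot touch `~/.ssh` or the rest of `$HOME`. It is written with `ctypes` against the raw Landlock syscalls and goes one step beyond the post by handling the rights added in later Landlock ABI versions (REFER in v2, TRUNCATE in v3) so that truncate(2) does not slip past the write restriction. It assumes Linux 5.13 or newer with Landlock enabled and the unified syscall numbers 444, 445 and 446; the project directory, the stand-in `id_rsa` file and the `sh -c` commands in `demo()` are constructed for the demonstration.

```python
"""Run untrusted build tooling (pip, mix, npm, ...) under a Landlock policy:
read-only view of the filesystem, write access only beneath one project dir.

Added example, not the thread's code or the poster's plugin. Assumes Linux
>= 5.13 with Landlock enabled and the unified syscall numbers 444-446.
"""
import ctypes
import os
import subprocess
import tempfile

SYS_landlock_create_ruleset, SYS_landlock_add_rule, SYS_landlock_restrict_self = 444, 445, 446
PR_SET_NO_NEW_PRIVS = 38
LANDLOCK_CREATE_RULESET_VERSION = 1 << 0
LANDLOCK_RULE_PATH_BENEATH = 1

# Access rights from uapi/linux/landlock.h (bit positions are ABI-stable).
FS_EXECUTE, FS_READ_FILE, FS_READ_DIR = 1 << 0, 1 << 2, 1 << 3
ACCESS_FS_V1 = (1 << 13) - 1               # bits 0..12: execute/read/write/remove/make_*
FS_REFER, FS_TRUNCATE = 1 << 13, 1 << 14   # added in ABI v2 and v3
ACCESS_READ = FS_EXECUTE | FS_READ_FILE | FS_READ_DIR


class RulesetAttr(ctypes.Structure):
    _fields_ = [("handled_access_fs", ctypes.c_uint64)]


class PathBeneathAttr(ctypes.Structure):
    _pack_ = 1                              # the kernel struct is __attribute__((packed))
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]


libc = ctypes.CDLL(None, use_errno=True)
libc.syscall.restype = ctypes.c_long


def _syscall(nr, *args):
    """glibc's syscall() reads its varargs as long, so widen plain ints to c_long."""
    cargs = [ctypes.c_long(a) if isinstance(a, int) else a for a in args]
    ret = libc.syscall(ctypes.c_long(nr), *cargs)
    if ret < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return ret


def landlock_abi_version():
    """Kernel Landlock ABI version, or 0 if absent or blocked (e.g. by a seccomp filter)."""
    try:
        return _syscall(SYS_landlock_create_ruleset, None, 0, LANDLOCK_CREATE_RULESET_VERSION)
    except OSError:
        return 0


def handled_rights(abi):
    """Handle every filesystem right this kernel knows (ABI v1..v3), so none stays unrestricted."""
    rights = ACCESS_FS_V1
    if abi >= 2:
        rights |= FS_REFER       # handled, so rename/link can be granted inside the project dir
    if abi >= 3:
        rights |= FS_TRUNCATE    # left unhandled, truncate(2) would bypass the write restriction
    return rights


def apply_sandbox(writable_dir, readable_roots=("/",)):
    """Apply the policy to the calling thread; run this in the child before exec.

    Raises OSError when Landlock is unavailable. Once applied the policy can only
    be tightened, never lifted, and it survives execve().
    """
    abi = landlock_abi_version()
    if abi == 0:
        raise OSError("Landlock unavailable")
    handled = handled_rights(abi)
    attr = RulesetAttr(handled)
    ruleset_fd = _syscall(SYS_landlock_create_ruleset, ctypes.byref(attr),
                          ctypes.c_size_t(ctypes.sizeof(attr)), 0)
    try:
        rules = [(root, ACCESS_READ) for root in readable_roots] + [(writable_dir, handled)]
        for path, allowed in rules:
            dir_fd = os.open(path, os.O_PATH | os.O_CLOEXEC)   # O_PATH dir fd is what the ABI wants
            try:
                rule = PathBeneathAttr(allowed, dir_fd)
                _syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                         ctypes.byref(rule), 0)
            finally:
                os.close(dir_fd)
        # An unprivileged landlock_restrict_self() requires no_new_privs.
        if libc.prctl(ctypes.c_int(PR_SET_NO_NEW_PRIVS), ctypes.c_ulong(1), ctypes.c_ulong(0),
                      ctypes.c_ulong(0), ctypes.c_ulong(0)) != 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err))
        _syscall(SYS_landlock_restrict_self, ruleset_fd, 0)
    finally:
        os.close(ruleset_fd)


def run_sandboxed(cmd, project_dir):
    """Run cmd (e.g. ["pip", "install", "-e", "."]) confined to project_dir."""
    return subprocess.run(cmd, preexec_fn=lambda: apply_sandbox(project_dir),
                          capture_output=True, text=True)


def demo():
    """'denied' if a write outside the project dir was blocked, 'unsupported' if this
    kernel/container offers no Landlock, 'allowed' if the policy leaked."""
    if landlock_abi_version() == 0:
        return "unsupported"
    with tempfile.TemporaryDirectory() as project, tempfile.TemporaryDirectory() as home:
        secret = os.path.join(home, "id_rsa")        # constructed stand-in for ~/.ssh/id_rsa
        try:
            inside = run_sandboxed(["sh", "-c", f"echo ok > '{project}/build.log'"], project)
            leak = run_sandboxed(["sh", "-c", f"echo pwned > '{secret}'"], project)
        except subprocess.SubprocessError:            # ruleset/add_rule/restrict refused in the child
            return "unsupported"
        if inside.returncode != 0 or not os.path.exists(os.path.join(project, "build.log")):
            return "broken"                            # policy too tight; the build tool could not work
        return "denied" if leak.returncode != 0 and not os.path.exists(secret) else "allowed"


if __name__ == "__main__":
    print(demo())
```

Because the restriction is applied in `preexec_fn`, the parent (your shell or IDE) is never confined, only the child and everything it spawns; file descriptors the parent opened before the fork (pipes, an already-open log) keep working inside. The policy here is deliberately coarse (all of `/` readable): denying reads of `$HOME` as well, the way the post's Firefox profile does, is a matter of replacing `readable_roots=("/",)` with the system directories the toolchain needs, such as `/usr`, `/etc` and `/lib`.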

Thanks @dch and @jchrist - what do you use for backups?

On macOS I use Time Machine, encrypted and usually have two on the go (and keep old copies from time to time just to be on the safe side).

what do you use for backups?

A mix of two things:

  • filesystem snapshots - I use BTRFS and these are very cheap to make, the btrbk tool manages them automatically for me, Snapper would be a GUI snapshot tool. These are shipped offsite via btrbk, too. Usually if I screw up something it’s enough to look into the local snapshots.
    • Note that btrfs doesn’t have native encryption, so you will want to put this on top of encrypted hard drives.
  • “true” backups I do via borgmatic which is a “frontend” for Borg. Basically, you have one (or more) configuration file(s) which say I want to back up these files to those locations, retain this data for so long etc… It’s fully encrypted and has never failed me. Vorta is a GUI for borg.

1 Like