Following on from this post in Do you use LittleSnitch or the equivalent on your OS? I think it might be worth us creating this thread so we can share tips and tricks we might have picked up over the years to help secure our dev machines and home networks - if you have any please share!

macOS

Apart from the obvious like setting a password etc…

• Turn on FileVault to encrypt your drive: Privacy & Security > FileVault
• Turn on your firewall: Network > Firewall (then periodically click on ‘Options’ to check those in the list of incoming connections).
• Enable end-to-end encryption of iCloud data: iCloud > Advanced Data Protection

Oddly - none of the above is on by default!

• Install LittleSnitch to allow/disallow connections to the web (there are free alternatives)
• Set up Time Machine backups (encrypted and usually run two and keep old copies)
• Check Privacy & Security > Files * Folders to see which folders your apps can access
• Check Privacy & Security > Full Disk Access
• Check Privacy & Security > Accessibility to see which apps can ‘control’ your Mac
• Check Lock Screen > require password after screen saver begins immediately/whatever you require
• Check General > login items for apps/services that automatically start at login
• Check your folder permissions (particularly if you have added any to you home folder). Folder > right click > info (should be you > Read & Write and everyone > no access)
• Privacy & Security > Advanced > log out automatically after inactivity (means a password would be required instead of just Touch ID)

You may also want to look at Apple’s new Lockdown Mode, which they say can offer extreme protection.

1. For 16 years I have been securing my Windows machines with the one and only Kaspersky Internet Security and recently Kaspersky Endpoint Security.

2. My development systems are actually virtual machines inside the Windows host, not connected directly to the LAN.

I use a Yubikey as a 2FA for doing anything with root access in my computer.

Also, for critical files, I create a vault with CryFS (which I can easily manage using the Gnome app called Vaults) and only mount it when I need something from it.

For firewall, I have a small device running PFSense that manage all the internet access to my local network instead of handling that in each computer.

Finally, for data storage and backup I use a NUC as a NAS with all data and I have a wireguard VPN setup on it so i can access it when I’m not at home.

In 99.999999999% cases I prefer prevent instead of defend tactic. I block adds, 3rd part content (including cookies) and usually access sites I already known. I use Gentoo Linux and I decide what’s inside my environment setup part by part. Maybe it’s a bit too manual, but in exchange I don’t have support for everything like cups without a printer and so on.

Most of apps and services is open source alternative for BigTech products. I rarely use Google, Twitter/X account only for giveaways, Discord only for a contact with family and Slack also for Elixir contacts. I had a LinkedIn account, but for some reason just checking inbox was a “suspicious activity” and because of that they require my ID scan (which in many countries is illegal btw.), so I showed middle finger and stopped using it.

I do not pay by card online. I prefer cash or “old, good” bank transfer. Simply most type of attacks that require “rush without thinking” does not work on me. On a single key I access a terminal with lots of useful information and actions.

obraz1200×659 124 KB

I feel a little uncomfortable about running some code “raw” on my machine, so I ended up writing a little “devshell” system to isolate projects inside their own containers. This also offers the benefit of very precise control over the build environment, of course.

At a lower level, I use full-disk LUKS encryption with an external USB key for 2FA, and Secure Boot. That’s getting pretty standard nowadays, though. And doesn’t address the most important attack vectors in a remote-first environment anyway.

docker and vms don’t really offer the convenience vs security as something like firejail imo.

vms lack the convenience and docker is all about convenience. firejail is a good middle ground, even more so if you take the time to add apparmour and veth routing rules on the firewall (but nobody does those add it’s still better than docker/VM).

I’m curious about what you mean about firejail being a middle ground: isn’t it kind of more lightweight than docker? If I remember correctly it doesn’t offer isolation, just very restricted permissions. Is that right? So the jail is still basically the host system, but with reduced access. To me that feels like a lighter solution than both a VM and Docker. Not that that’s a bad thing. But when I tried it I didn’t feel confident about the degree of isolation I’d get without extensive tweaking.