By the third or fourth week of November was the only time I realized I was hacked. Tinkering on my mac’s logs and system files showed that the attackers started observing what I was doing between the last week of Febrary to the first week of March. Ill try to write all four exploits that the attackers did in a different blog post. In the meantime, this article details the custom “hack” I set on my mac for additional protection. This may or may not work for everyone. Duplicate at yer own risk.
Things I did:
- Install XCode and CLI tools
- Deactivate remote management
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
- Remove Desktop Sharing
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
- Remove Apple Remote Desktop Settings
sudo rm -rf /var/db/RemoteManagement ; \
sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist ; \
defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist ; \
sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ ; \
rm -r ~/Library/Application\ Support/Remote\ Desktop/ ; \
rm -r ~/Library/Containers/com.apple.RemoteDesktop
- Uninstall Google Update
~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall --nuke
- Show mail attachments as icons
defaults write com.apple.mail DisableInlineAttachmentViewing -bool yes
- Enable developer menu and web inspector in safari
defaults write com.apple.Safari IncludeInternalDebugMenu -bool true && \
defaults write com.apple.Safari IncludeDevelopMenu -bool true && \
defaults write com.apple.Safari WebKitDeveloperExtrasEnabledPreferenceKey -bool true && \
defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2DeveloperExtrasEnabled -bool true && \
defaults write -g WebKitDeveloperExtras -bool true
- Focus follows mouse on terminal
defaults write com.apple.Terminal FocusFollowsMouse -string YES
- Use plain text in TextEdit as default
defaults write com.apple.TextEdit RichText -int 0
- Disable local backups
sudo tmutil disable
User@user ~ % sudo tmutil disable
tmutil: disable requires Full Disk Access privileges.
To allow this operation, select Full Disk Access in the Privacy
tab of the Security & Privacy preference pane, and add Terminal
to the list of applications which are allowed Full Disk Access.
- Install CLI Tools
xcode-select --install
- Disable icon bounce on Dock
defaults write com.apple.dock no-bouncing -bool false && \
killall Dock
- Enable Scroll Gestures
defaults write com.apple.dock scroll-to-open -bool true && \
killall Dock
- Show Hidden Apps/Icons
defaults write com.apple.dock showhidden -bool true && \
killall Dock
- Disable Sudden Motion Sensor
sudo pmset -a sms 0
- Show AFP, SMB, NFS, WebDAV etc
defaults write com.apple.finder ShowMountedServersOnDesktop -bool true && \
killall Finder
- Show All File Extensions
defaults write -g AppleShowAllExtensions -bool true
- Show hidden files
defaults write com.apple.finder AppleShowAllFiles true
- Show ~/Library folder
chflags nohidden ~/Library
- Save to Disk by Default(not iCloud)
defaults write -g NSDocumentSaveNewDocumentsToCloud -bool false
- Disable creation of .DS_Store and AppleDouble files
defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
- Recursively delete .DS_Store Files
find . -type f -name '.DS_Store' -ls -delete
- Clear Font Cache for All users
sudo atsutil databases -removeUser && \
sudo atsutil server -shutdown && \
sudo atsutil server -ping
- Disable IR Receiver
sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -int 0
- Disable sound effects on boot
sudo nvram SystemAudioVolume=" "
- Disable autoplay in quicktime
defaults write com.apple.QuickTimePlayerX MGPlayMovieOnOpen
0 - Disable bonjour service
sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments -array-add "-NoMulticastAdvertisements"
- Enable screensaver password
defaults write com.apple.screensaver askForPassword -int 1
- Install Homebrew
/bin/bash -c "$(curl -fsSL [https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh](https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh))"
- Install pyenv https://github.com/pyenv/pyenv
- Install nvm https://github.com/nvm-sh/nvm#installing-and-updating
No VSCode, right? I decided to use GitHub codespaces instead of coding in my Mac. I’ll most-likely write another article to talk about my GitHub codespaces set-up. Cheers!
Top comments (4)
I just starting using pyenv, feels great so far.
I recently put a bunch of work into my new machine setup, I have it down to this.
This clones my dotfiles, installs ansible and runs the ansible playbook in my dotfiles repo. You can see the script in plain text waylonwalker.com/bootstrap/
Thanks for the resources!
Thanks for the write up Vicente!
Really glad to see you've taken back control of your accounts and sorry that you had to go through all this. 🙌
Thank you to you and Ella for the comforting words! It really helped recover my confidence in going back online again!