New Crowdin translations by GitHub Action

i18n/ar/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/bn/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/cs/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/de/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Empfohlene Konfiguration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Datenschutz & Sicherheit
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Sicherheit
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/el/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/eo/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/es/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Configuración Recomendada
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacidad & Seguridad
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Seguridad
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### Aleatorización de direcciones Mac
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning "Advertencia"
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning "Advertencia"
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Copias de seguridad
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Fuentes
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/fa/basics/why-privacy-matters.md

@@ -40,7 +40,7 @@ All of these concepts overlap, but it is possible to have any combination of the
 
 A common counter-argument to pro-privacy movements is the notion that one doesn't need privacy if they have **"nothing to hide."** This is a dangerous misconception, because it creates a sense that people who demand privacy must be deviant, criminal, or wrong.
 
-==You shouldn't confuse privacy with secrecy.== We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. There are always certain facts about us—say, personal health information, or sexual behavior—that we wouldn't want the whole world to know, and that's okay. The need for privacy is legitimate, and that's what makes us human. Privacy is about empowering your rights over your own information, not about hiding secrets.
+==You shouldn't confuse privacy with secrecy.== We know what happens in the bathroom, but you still close the door. این به این خاطر است که شما حریم خصوصی می‌خواهید، نه محرمانگی. There are always certain facts about us—say, personal health information, or sexual behavior—that we wouldn't want the whole world to know, and that's okay. The need for privacy is legitimate, and that's what makes us human. Privacy is about empowering your rights over your own information, not about hiding secrets.
 
 ## Is Privacy About Control?
 

i18n/fa/desktop-browsers.md

@@ -57,9 +57,9 @@ schema:
       url: "./"
 ---
 
-These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility.
+اینها برنامه‌های مرورگر و تنظیماتی هستند که در حال حاضر برای مرورگرهای وب دسکتاپ به منظور مرور استاندارد/غیرناشناس توصیه می‌شوند. اگر شما دنبال حفاظت قوی از حریم خصوصی و anti-fingerprinting هستید ما به شما مرورگر، [Mullvad Browser](#mullvad-browser) را توصیه می‌کنیم، [Firefox](#firefox) را برای کاربران عادی اینترنتی که به دنبال جایگزین مناسبی برای Google Chrome هستند پیشنهاد می‌کنیم و [Brave](#brave) در صورتی نیاز به سازگاری با مرورگر Chromium دارید.
 
-If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another.
+اگر نیاز به مرور اینترنت به صورت ناشناس دارید، بهتر است از مرورگر [Tor](tor.md) استفاده کنید. ما در این صفحه برخی از تنظیمات را توصیه می‌کنیم، اما تمامی مرورگرها به جز Tor Browser به طریقی یا ناگزیر توسط *کسی* قابل ردیابی هستند.
 
 ## مرورگر Mullvad
 
@@ -102,7 +102,7 @@ This is required to prevent advanced forms of tracking, but does come at the cos
 
 Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers.
 
-## Firefox
+## فایرفاکس
 
 !!! recommendation
 
@@ -130,7 +130,7 @@ Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-
 
 These options can be found in :material-menu: → **Settings**
 
-#### Search
+#### جستجو
 
 - [ ] Uncheck **Provide search suggestions**
 
@@ -138,7 +138,7 @@ Search suggestion features may not be available in your region.
 
 Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
 
-#### Privacy & Security
+#### حریم‌خصوصی & امنیت
 
 ##### Enhanced Tracking Protection
 
@@ -194,7 +194,7 @@ The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of ca
 
 Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing.
 
-## Brave
+## بریو (Brave)
 
 !!! recommendation
 
@@ -219,7 +219,7 @@ Arkenfox only aims to thwart basic or naive tracking scripts through canvas rand
 
     1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
 
-### فایرفاکس Firefox
+### تنظیمات پیشنهادی
 
 These options can be found in :material-menu: → **Settings**.
 

i18n/fa/email.md

@@ -40,7 +40,7 @@ cover: email.png
 
     ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
     
-    **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+    **Proton Mail** یک سرویس ایمیل با تمرکز بر حریم خصوصی، رمزگذاری، امنیت و سهولت استفاده است. آن‌ها از **2013** شروع به کار کرده‌اند. شرکت Proton AG در ژنو سوئیس قرار دارد. طرح رایگان شامل ۵۰۰ مگابایت فضای ذخیره‌سازی است.
     
     [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
     [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
@@ -48,7 +48,8 @@ cover: email.png
     [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
     [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
     
-    ??? downloads
+    ؟؟؟ دانلودها
+    
     
         - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
         - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
@@ -58,27 +59,27 @@ cover: email.png
         - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
         - [:octicons-browser-16: Web](https://mail.proton.me)
 
-Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+حساب‌های رایگان دارای محدودیت‌هایی هستند، مانند عدم امکان جستجوی متن اصلی و عدم دسترسی به [Proton Mail Bridge](https://proton.me/mail/bridge)، که برای استفاده از [نرم افزار ایمیل دسک‌تاپ (ویندوزی) توصیه‌شده](email-clients.md) لازم است (به عنوان مثال. Thunderbird). حساب‌های پولی شامل ویژگی‌هایی مانند Proton Mail Bridge، فضای ذخیره‌سازی اضافی و پشتیبانی از دامنه سفارشی است. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
 
-If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+اگر حسابUnlimited یا Business یا Visionary دارید، [SimpleLogin](#simplelogin) پولی را نیز به صورت رایگان دریافت می کنید.
 
-Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+Proton Mail گزارش‌های خرابی داخلی دارد که اطلاعات آن را با اشخاص ثالث به اشتراک **نمی‌گذارد**. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
 
 #### :material-check:{ .pg-green } Custom Domains and Aliases
 
-Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+مشترکین Proton Mail پولی می توانند از دامنه خود با این سرویس یا آدرس [catch-all](https://proton.me/support/catch-all) استفاده کنند. Proton Mail همچنین از [subaddressing](https://proton.me/support/creating-aliases) پشتیبانی می‌کند که برای افرادی که نمی‌خواهند دامنه بخرند مفید است.
 
-#### :material-check:{ .pg-green } Private Payment Methods
+#### :material-check:{ .pg-green } روش های پرداخت خصوصی
 
-Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments.
+Proton Mail پول نقد از طریق پست، کارت اعتباری/دبیت استاندارد، [Bitcoin](advanced/payments.md# other-coins-bitcoin-ethereum-etc) و پرداخت های PayPal را [می‌پذیرد](https://proton.me/support/payment-options).
 
-#### :material-check:{ .pg-green } Account Security
+#### :material-check:{ .pg-green } امنیت حساب
 
-Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first.
+Proton Mail از TOTP [احراز هویت دو عاملی](https://proton.me/support/two-factor-authentication-2fa) و [کلیدهای امنیتی سخت افزاری](https://proton.me/support TOTP/2fa-security-key) با استفاده از استانداردهای FIDO2 یا U2F پشتیبانی می‌کند. استفاده از کلید امنیتی سخت افزاری نیازمند راه‌اندازی احراز هویت دو عاملی TOTP است.
 
-#### :material-check:{ .pg-green } Data Security
+#### :material-check:{ .pg-green } امنیت داده
 
-Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+Proton Mail دارای [رمزگذاری بدون دسترسی](https://proton.me/blog/zero-access-encryption) برای سرویس ایمیل‌ و [تقویم](https://proton.me/news/protoncalendar-security-model) است. داده های ایمن شده با رمزگذاری دسترسی صفر فقط توسط شما قابل دسترسی است.
 
 Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
 
@@ -118,11 +119,11 @@ Proton Mail doesn't offer a digital legacy feature.
 
 Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
 
-#### :material-check:{ .pg-green } Private Payment Methods
+#### :material-check:{ .pg-green } روش های پرداخت خصوصی
 
 Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
 
-#### :material-check:{ .pg-green } Account Security
+#### :material-check:{ .pg-green } امنیت حساب
 
 Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
 
@@ -190,11 +191,11 @@ You can create up to 3 additional @skiff.com email aliases in addition to your p
 
 Skiff Mail accepts cryptocurrency payments via Coinbase Commerce, including Bitcoin and Ethereum, but they do not accept our recommended [cryptocurrency](cryptocurrency.md), Monero. They also accept credit card payments via Stripe.
 
-#### :material-check:{ .pg-green } Account Security
+#### :material-check:{ .pg-green } امنیت حساب
 
 Skiff Mail supports TOTP two-factor authentication and hardware security keys using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two-factor authentication first.
 
-#### :material-check:{ .pg-green } Data Security
+#### :material-check:{ .pg-green } امنیت داده
 
 Skiff Mail has zero access encryption at rest for all of your data. This means the messages and other data stored in your account are only readable by you.
 
@@ -246,11 +247,11 @@ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias)
 
 Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
 
-#### :material-check:{ .pg-green } Account Security
+#### :material-check:{ .pg-green } امنیت حساب
 
 Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
 
-#### :material-check:{ .pg-green } Data Security
+#### :material-check:{ .pg-green } امنیت داده
 
 Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
 
@@ -395,22 +396,22 @@ For a more manual approach we've picked out these two articles:
 - [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
 - [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
 
-## Criteria
+## معیار
 
 **Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
 
-### Technology
+### فناوری
 
 We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
 
-**Minimum to Qualify:**
+**حداقل شرایط صلاحیت:**
 
 - Encrypts email account data at rest with zero-access encryption.
 - Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
 - Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
 - Operates on owned infrastructure, i.e. not built upon third-party email service providers.
 
-**Best Case:**
+**بهترین شرایط:**
 
 - Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption.
 - Integrated webmail E2EE/PGP encryption provided as a convenience.
@@ -421,17 +422,17 @@ We regard these features as important in order to provide a safe and optimal ser
 - Catch-all or alias functionality for those who own their own domains.
 - Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
 
-### Privacy
+### حریم خصوصی
 
 We prefer our recommended providers to collect as little data as possible.
 
-**Minimum to Qualify:**
+**حداقل شرایط صلاحیت:**
 
 - Protect sender's IP address. Filter it from showing in the `Received` header field.
 - Don't require personally identifiable information (PII) besides a username and a password.
 - Privacy policy that meets the requirements defined by the GDPR.
 
-**Best Case:**
+**بهترین شرایط:**
 
 - Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.)
 - Hosted in a jurisdiction with strong email privacy protection laws.
@@ -468,28 +469,28 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
     - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
     - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/)
 
-### Trust
+### اعتماد
 
-You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+شما به شخصی با هویت تقلبی برای امور مالی اعتماد نمی‌کنید، پس چرا با ایمیل‌تان به آنها اعتماد کنید؟ ما از ارائه‌دهندگانی که توصیه می‌کنیم می‌خواهیم که درباره مالکیت یا رهبری خود به صورت عمومی اطلاع رسانی کنند. همچنین، ما علاقه‌مندیم که گزارش‌های شفافیت متناوب ببینیم، به ویژه در ارتباط با روش برخورد با درخواست‌های دولتی.
 
-**Minimum to Qualify:**
+**حداقل شرایط صلاحیت:**
 
-- Public-facing leadership or ownership.
+- رهبری یا مالکیت قابل رویت توسط عموم.
 
-**Best Case:**
+**بهترین شرایط:**
 
-- Public-facing leadership.
-- Frequent transparency reports.
+- رهبری قابل رویت عمومی.
+- گزارش‌های شفافیت متناوب.
 
-### Marketing
+### تبلیغات و بازاریابی
 
-With the email providers we recommend we like to see responsible marketing.
+با ارائه‌دهندگان ایمیلی که ما توصیه می‌کنیم، ما علاقه‌مند به بازاریابی مسئولانه هستیم.
 
-**Minimum to Qualify:**
+**حداقل شرایط صلاحیت:**
 
 - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
 
-Must not have any marketing which is irresponsible:
+نباید هیچ گونه بازاریابی نامسئولانه انجام شود:
 
 - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
 - Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
@@ -497,10 +498,10 @@ Must not have any marketing which is irresponsible:
 - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.)
 - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
 
-**Best Case:**
+**بهترین شرایط:**
 
 - Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
 
-### Additional Functionality
+### قابلیت‌های اضافی
 
-While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+با اینکه این موارد الزامی نیستند، اما در انتخاب ارائه‌دهندگانی که توصیه ‌می‌کنیم، به عواملی مانند راحتی و حفظ حریم خصوصی نیز توجه می‌کنیم.

i18n/fa/index.md

@@ -1,5 +1,5 @@
 ---
-meta_title: "Privacy Guides: Your Independent Privacy and Security Resource"
+meta_title: "Privacy Guides: منبع مستقل حریم خصوصی و امنیت شما"
 template: overrides/home.fa.html
 hide:
   - navigation
@@ -42,30 +42,30 @@ schema:
 
 تمام حقوقی که اکنون برای ما طبیعی به نظر می‌رسند، به عنوان انسان‌ها برای ما در طول تاریخ تضمین نشده بوده‌اند. حق ازدواج مختلط، حق رأی زنان، آزادی بیان و بسیاری از حقوق دیگر در برابر سرکوب و نقض قرار گرفته‌اند. در چندین دیکتاتوری، هنوز هم این امر صادق نیست. نسل‌های قبل از ما برای حق حریم خصوصی ما مبارزه کردند. حریم خصوصی یک حق انسانی است که درونی برای همهٔ ما وجود دارد و ما به آن (بدون تبعیض) حق داریم.
 
-شما نباید حریم خصوصی را با امنیت اشتباه بگیرید. ما می‌دانیم که در حمام چه اتفاقاتی می‌افتد، اما همچنان در را می‌بندید. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+شما نباید حریم خصوصی را با امنیت اشتباه بگیرید. ما می‌دانیم که در حمام چه اتفاقاتی می‌افتد، اما همچنان در را می‌بندید. این به این خاطر است که شما حریم خصوصی می‌خواهید، نه محرمانگی. **همه‌ی افراد** چیزی برای حفاظت دارند. حریم خصوصی، چیزی است که ما را انسان می‌سازد.
 
-[:material-book-outline: Why Privacy Matters](basics/why-privacy-matters.md){ class="md-button md-button--primary" }
+[:material-book-outline: چرا حریم خصوصی اهمیت دارد](basics/why-privacy-matters.md){ class="md-button md-button--primary"}
 
 ## چه کاری باید انجام بدهم؟
 
-##### First, you need to make a plan
+##### اول، شما باید یک برنامه تهیه کنید
 
-Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. ولی نگران نباشید! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+تلاش برای حفاظت از تمام داده‌هایتان از همه و در هر زمان، غیرعملی، هزینه‌بر و خسته‌کننده است. ولی نگران نباشید! امنیت یک فرآیند است و با فکر به آینده، شما می‌توانید یک برنامه‌ی مناسب برای خودتان تهیه کنید. امنیت فقط درباره ابزارهایی که استفاده می‌کنید یا نرم‌افزارهایی که دانلود می‌کنید نیست. بلکه آغاز آن با درک تهدیدات منحصر به فردی است که در برابر آنها قرار دارید و چگونگی کاهش این تهدیدات.
 
-==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+==این فرآیند شناسایی تهدیدات و تعریف اقدامات متقابل، به نام **مدلسازی تهدید** شناخته می‌شود و اساس هر برنامه امنیت و حریم خصوصی خوب را تشکیل می‌دهد.==.
 
-[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md){ class="md-button md-button--primary" }
+[:material-book-outline: یادگیری بیشتر درباره مدلسازی تهدید](basics/threat-modeling.md){ class="md-button md-button--primary" }
 
 ---
 
-## ما به کمک شما نیاز داریم! Here's how to get involved:
+## ما به کمک شما نیاز داریم! اینطوری می‌توانید مشارکت کنید:
 
-[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
-[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
-[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
-[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
-[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
-[:material-information-outline:](about/index.md){ title="Learn more about us" }
-[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="به انجمن ما بپیوندید" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="ما را در Mastodon دنبال کنید" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="مشارکت در این وبسایت" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="به ترجمه این وبسایت کمک کنید" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="با ما در Matrix چت کنید" }
+[:material-information-outline:](about/index.md){ title="درباره ما بیشتر بدانید" }
+[:material-hand-coin-outline:](about/donate.md){ title="حمایت از پروژه" }
 
-It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+برای یک وبسایت مانند Privacy Guides، مهم است که همواره به‌روز باشد. ما نیاز داریم که مخاطبانمان به بروزرسانی‌های نرم‌افزاری برای برنامه‌های لیست شده در وبسایت‌‌، دقت کنند و اخبار جدید مربوط به ارائه‌دهندگانی که ما توصیه می‌کنیم را دنبال کنند. سخت است با سرعت بالای اینترنت هماهنگ شد، اما ما تلاش خود را بهترین شکل ممکن انجام می‌دهیم. اگر خطایی را مشاهده کردید، فکر می‌کنید که یک ارائه‌دهنده باید در لیست وجود نداشته باشد، یا متوجه شدید که یک ارائه‌دهنده متخصص حذف شده است، باور دارید که یک افزونه مرورگر دیگر بهترین انتخاب نیست یا هر مشکل دیگری را کشف کردید، لطفاً به ما اطلاع دهید.

i18n/fa/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## فایرفاکس Firefox
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### حریم‌خصوصی & امنیت
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/fr/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Configuration recommandée
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Confidentialité & sécurité
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Sécurité
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### Adresse MAC aléatoire
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning "Avertissement"
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning "Avertissement"
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Sauvegardes
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/he/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## תצורה מומלצת
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### פרטיות& אבטחה
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### אבטחה
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### כתובת MAC אקראית
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning "אזהרה"
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning "אזהרה"
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### גיבויים
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## מקורות
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/hi/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/hu/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Adatbiztonság
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/id/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Keamanan
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sumber
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/it/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Configurazione consigliata
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Il tuo firewall blocca le connessioni di rete indesiderate. Più le impostazioni del tuo firewall sono rigide, più il tuo Mac è sicuro. Tuttavia, alcuni servizi verranno bloccati. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Aggiornamenti software
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Sicurezza
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Sicurezza
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### Randomizzazione dell'indirizzo MAC
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning "Attenzione"
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning "Attenzione"
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Fonti
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/ja/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### プライバシーとセキュリティ
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### セキュリティ
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## ソース
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/ko/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## 권장 설정
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### 개인 정보 및 보안
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### 보안
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning "경고"
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning "경고"
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### 백업
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## 출처
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/ku-IQ/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/nl/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Aanbevolen configuratie
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & beveiliging
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Veiligheid
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC-adres randomisatie
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Back-ups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Bronnen
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/pl/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Kopie zapasowe
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Źródła
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/pt-BR/basics/vpn-overview.md

@@ -23,19 +23,19 @@ No entanto, eles ocultam seu IP real de um serviço de terceiros, desde que não
 
 É pouco provável que a utilização de uma VPN seja útil nos casos em que utiliza a sua [identidade](common-threats.md#common-misconceptions).
 
-Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+Fazê-lo pode acionar sistemas de detecção de fraude e “spam”, como se você logasse no site do seu banco.
 
 ## E Quanto à Criptografia?
 
-Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+A criptografia oferecida por provedores de VPN está presente entre seus dispositivos e os servidores deles. Isso garante que esse link específico entre cliente-servidor é seguro. Isso já é um avanço em relação a utilizar “proxies” descriptografados onde um adversário na rede pode interceptar as comunicações entre seus dispositivos e os respectivos “proxies”, modificando-as. No entanto, a criptografia entre seus aplicativos e navegadores com os provedores de serviço não é tratada por essa criptografia.
 
-In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+Para manter realmente privado e seguro o que você faz nos sites que visita, você precisa utilizar HTTPS. Isso irá manter suas senhas, “tokens” de seção, e consultas seguras do seu provedor de VPN. Considere habilitar a opção “HTTPS automático” no seu navegador para mitigar ataques de “downgrade” como o [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
 
 ## Devo usar DNS criptografado com uma VPN?
 
-Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+A menos que seu próprio provedor de VPN hospede os servidores de DNS criptografados, **não**. Usar “DOH/DOT” (ou qualquer outra forma de DNS criptografado) com um servidor terceiro irá simplesmente adicionar mais entidades para confiar e não faz **absolutamente nada** para melhorar sua privacidade/segurança. Seu provedor VPN ainda pode ver quais sites você visita baseado nos seus endereços IP e outros métodos. Ao invés de confiar apenas no seu provedor VPN, você agora estará confiando nele e no provedor DNS escolhido.
 
-A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+Uma razão comum para recomendar DNS criptografado é que ajuda contra a falsificação de DNS (ou “DNS spoofing”). No entanto, seu navegador já deve estar checando por [certificados TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) com **HTTPS** e te informar sobre. Se você não está usando **HTTPS**, então um adversário pode simplesmente modificar qualquer coisa diferente das suas consultas DNS e o resultado será pouco diferente.
 
 Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
 

i18n/pt-BR/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Firefox
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacidade & Segurança
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Segurança
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Fontes
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/pt/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Configuração recomendada
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacidade & Segurança
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Segurança
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Cópias de segurança
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Fontes
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/ru/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Рекомендованные настройки
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Приватность и защита
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Безопасность
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### Рандомизация MAC-адресов
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning "Осторожно"
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning "Осторожно"
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Резервное копирование
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Источники
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/sv/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Rekommenderad konfiguration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### Randomisering av MAC-adresser
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! varning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! varning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Säkerhetskopior
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/tr/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Kaynaklar
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/uk/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Джерела
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/vi/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## Recommended Configuration
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### Security
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC Address Randomization
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### Backups
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## Sources
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/zh-Hant/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## 建議配置
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### 隱私 & 安全
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### 安全
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC 地址隨機化
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! warning
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! warning
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### 備份
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## 來源
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

i18n/zh/os/macos-overview.md

@@ -0,0 +1,255 @@
+---
+title: macOS Overview
+icon: material/apple-finder
+description: macOS is Apple's desktop operating system that works with their hardware to provide strong security.
+---
+
+**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
+
+Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
+
+## Privacy Notes
+
+There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services.
+
+### Activation Lock
+
+Brand new Apple silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices.
+
+### App Revocation Checks
+
+macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked.
+
+Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
+
+While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
+
+## 推荐配置
+
+Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
+
+However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
+
+If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
+
+Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
+
+### iCloud
+
+The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
+
+Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
+
+### System Settings
+
+There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app:
+
+#### Bluetooth
+
+- [ ] Uncheck **Bluetooth** (unless you are currently using it)
+
+#### Network
+
+Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon.
+
+Click on the "Details" button by your network name:
+
+- [x] Check **Limit IP address tracking**
+
+##### Firewall
+
+Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use.
+
+- [x] Check **Firewall**
+
+Click the **Options** button:
+
+- [x] Check **Block all incoming connections**
+
+If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it.
+
+#### General
+
+By default, your device name will be something like "[your name]'s iMac". Because this name is publicly broadcast on your network, you'll want to change your device name to something generic like "Mac".
+
+Click on **About** and type your desired device name into the **Name** field.
+
+##### Software Updates
+
+You should automatically install all available updates to make sure your Mac has the latest security fixes.
+
+Click the small :material-information-outline: icon next to **Automatic Updates**:
+
+- [x] Check **Check for updates**
+
+- [x] Check **Download new updates when available**
+
+- [x] Check **Install macOS updates**
+
+- [x] Check **Install application updates from the App Store**
+
+- [x] Check **Install Security Responses and system files**
+
+#### Privacy & Security
+
+Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
+
+##### Location Services
+
+You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option.
+
+- [ ] Uncheck **Location Services**
+
+##### Analytics & Improvements
+
+Decide whether you want to share analytics data with Apple and developers.
+
+- [ ] Uncheck **Share Mac Analytics**
+
+- [ ] Uncheck **Improve Siri & Dictation**
+
+- [ ] Uncheck **Share with app developers**
+
+- [ ] Uncheck **Share iCloud Analytics** (visible if you are signed in to iCloud)
+
+##### Apple Advertising
+
+Decide whether you want personalized ads based on your usage.
+
+- [ ] Uncheck **Personalized Ads**
+
+##### 安全性
+
+Apps from the App Store are subject to stricter security guidelines, such as stricter sandboxing. If the only apps you need are available from the App Store, change the **Allow applications downloaded from** setting to **App Store** to prevent accidentally running other apps. This is a good option particularly if you are configuring a machine for other, less technical users such as children.
+
+If you choose to also allow applications from identified developers, be careful about the apps you run and where you obtain them.
+
+##### FileVault
+
+On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling FileVault additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on.
+
+On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled.
+
+- [x] Click **Turn On**
+
+##### Lockdown Mode
+
+[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
+
+- [x] Click **Turn On**
+
+### MAC地址随机化
+
+Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so you'll need to do it with a command or a script.
+
+You open up your Terminal and enter this command to randomize your MAC address:
+
+``` zsh
+openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en1 ether 
+```
+
+en1 is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen.
+
+This will be reset on reboot.
+
+## Security Protections
+
+macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security.
+
+### Software Security
+
+!!! 推荐
+
+    macOS allows you to install beta updates. These are unstable and may come with extra telemetry since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
+
+#### Signed System Volume
+
+macOS's system components are protected in a read-only signed system volume, meaning that neither you nor malware can alter important system files.
+
+The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected.
+
+#### System Integrity Protection
+
+macOS sets certain security restrictions that can't be overridden. These are called Mandatory Access Controls, and they form the basis of the sandbox, parental controls, and System Integrity Protection on macOS.
+
+System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory.
+
+#### Application Security
+
+##### App Sandbox
+
+macOS apps downloaded from the App Store are required to be sandboxed usng the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
+
+!!! 推荐
+
+    Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
+
+##### Antivirus
+
+macOS comes with two forms of malware defense:
+
+1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
+2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
+
+We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
+
+##### 备份
+
+macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create encrypted backups to an external or network drive in the event of corrupted/deleted files.
+
+### Hardware Security
+
+Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple silicon, and not older Intel-based Mac computers or Hackintoshes.
+
+Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security,
+
+If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will automatically be updated for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly.
+
+Apple's SoCs focus on minimizing attack surface by relegating security functions to dedicated hardware with limited functionality.
+
+#### Boot ROM
+
+macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as secure boot. Mac computers verify this with a bit of read-only memory on the SoC called the boot ROM, which is laid down during the manufacturing of the chip.
+
+The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust.
+
+Mac computers can be configured to boot in three security modes: *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **kernel extensions** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode.
+
+#### Secure Enclave
+
+The Secure Enclave is a security chip built into devices with Apple silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own separate boot ROM.
+
+You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe.
+
+#### Touch ID
+
+Apple's Touch ID feature allows you to securely unlock your devices using biometrics.
+
+Your biometric data never leaves your device; it's stored only in the Secure Enclave.
+
+#### Hardware Microphone Disconnect
+
+All laptops with Apple silicon or the T2 chip feature a hardware disconnect for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised.
+
+Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway.
+
+#### Peripheral Processor Security
+
+Computers have built-in processors other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware.
+
+When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor
+
+- runs verified firmware from the primary CPU on startup
+- has its own Secure Boot chain
+- follows minimum cryptographic standards
+- ensures known bad firmware is properly revoked
+- has its debug interfaces disabled
+- is signed with Apple's cryptographic keys
+
+#### Direct Memory Access Protections
+
+Apple silicon separates each component that requires direct memory access. For example, a Thunderbolt port can't access memory designated for the kernel.
+
+## 资料来源
+
+- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)

includes/strings.pt-BR.yml

@@ -5,10 +5,10 @@ config:
   copyright:
     - 
       1: |
-         Privacy Guides é um site sem fins lucrativos, mantido pela comunidade, que fornece informações para proteger sua segurança de dados e privacidade.
+         Privacy Guides é um site sem fins lucrativos e socialmente motivado que fornece informações para proteger a segurança e privacidade dos seus dados.
     - 
       2: |
-         Não ganhamos dinheiro com recomendações de produtos nem links de afiliados.
+         Não ganhamos dinheiro recomendando produtos e nem usamos links de afiliados.
     - 
       3: |
          Privacy Guides e colaboradores.
@@ -19,7 +19,7 @@ config:
     question: Esta página foi útil?
     yes: Esta página foi útil
     yes-note: Agradecemos sua resposta!
-    no: Esta página poderia ser melhorada
+    no: Esta página pode ser melhorada
     no-note: |
       Agradecemos sua resposta! Ajude-nos a melhorar esta página abrindo uma discussão em nosso fórum.
   theme:
@@ -35,8 +35,8 @@ nav:
   Recommendations: Recomendações
   Internet Browsing: Navegação na Internet
   Providers: Provedores
-  Software: Programa
-  About: Sobre
+  Software: Software (Programa)
+  About: Sobre Nós
   Community: Comunidade
   Online Services: Serviços Online
   Code of Conduct: Código de Conduta
@@ -48,4 +48,4 @@ nav:
   Blog: Blog
 site:
   translation: |
-    You're viewing the English copy of Privacy Guides, translated by our fantastic language team on Crowdin. If you notice an error, or see any untranslated sections on this page, please consider helping out! For more information and tips see our translation guide.
+    Você está visualizando uma cópia em português do Brasil da Privacy Guides, traduzidos pela nossa fantástica equipe de idiomas na Crowdin. Se você notar um erro ou ver quaisquer seções não traduzidas nesta página, por favor considere ajudar! Para mais informações e dicas veja nosso guia de tradução.

includes/strings.ru.yml

@@ -48,4 +48,4 @@ nav:
   Blog: Блог
 site:
   translation: |
-    You're viewing the English copy of Privacy Guides, translated by our fantastic language team on Crowdin. If you notice an error, or see any untranslated sections on this page, please consider helping out! For more information and tips see our translation guide.
+    Вы просматриваете русскую версию Privacy Guides, переведенную нашей фантастической командой переводчиков на Crowdin. Если вы заметили ошибку или непереведенные разделы на этой странице, пожалуйста, помогите нам! Для получения дополнительной информации и советов почитайте наше руководство по переводу.