There are NO viruses for Mac at this time. Not through any vector. Nor is any vector for any future virus known at this time. Basically, macOS is pretty secure. Anything that installs to your machine has to have YOUR permission to install.
They COULD potentially, if they had your password, try to come in remotely and have your system reboot, but on that reboot, they would have to have direct access to your keyboard to enter the password or select the recovery partition to boot because in the boot process you have to have a keyboard entry before the network connects. But I told you to change your password. I said that because even if they have your current password, they won't have the new one and therefore won't be able to do even that reboot. The reason I said "potentially" is that if you ask a question about "Can something be done?" I have to say "yes, anything is possible." Pigs could fly, all the air in the room could decide to exit through the window and leave a vacuum, you could flip a coin and have it land on the edge, you could be hit by a meteorite tomorrow, etc. But the probabilities of all of those are really, really small and not worth worrying about. But NOTHING is guaranteed in this world, ever. Anything can happen.
And that's as objective as it's going to get. At this point you sound like you are never going to trust anything, ever again, which is kind of sad. If you are that afraid of this "internet stalker" then don't go online. Seriously, there is a life without the internet, and it sounds like in your case it would be a better life.
You have a very secure computer in the Mac, you say you use VPN, you have reinstalled the OS and you can (and should) change your passwords. That's about all any person can do to keep a bad actor out of your system. Don't let the stalker win by creating such paranoia.
I used to work in the highly classified computer industry where our data was super-classified and sensitive beyond belief. Our assumption in that industry was that there was NEVER a truly secure system. Two people cannot keep a secret. And computers are always going to be able to be cracked. The closest to a secure system I ever heard about was a CIA system that had double filtered power supply to a computer in a vault with total electronic shielding, no printer, one terminal in a locked vault with two guards on it 24/7. And nothing went in or out of the room except cleared agents. Basically the operator went into the room, took nothing in, did the query on the terminal, got the answer, memorized it, and walked out, taking nothing out. Even their pockets were emptied and checked by the guards. We thought it COULD be secure, but we could not guarantee it. Because as I said, NOTHING is guaranteed. So you can see why my mind runs to could/should/ought to instead of will/does. Don't let my paranoia and hair-splitting about "can something be done" get to you. I already drive my wife crazy, but after 40 years of being in that industry, it's just how my mind works.
If you want to go one more step, you could encrypt your hard drive. The risk in doing that is that if you ever forget that password, there is NO way to recover it, or the data on the encrypted drive. Given your paranoia, what I would suggest if you decide to do this is to take the Mac offline totally (no network, no WiFi, no BT), make a backup, test the backup, and then open System Preferences, Security & Privacy, click on the FileVault button and turn on FileVault. It will ask you to create a password and then will create a recovery key for you. Then let it run to encrypt your hard drive. It will take a long time to complete, so let it run until it is done. If you interrupt it, you will end up with a totally unstable drive that probably won't boot any more. You will have to recover from the backup or from the internet and format the drive to recover it and repeat the process. So DON'T INTERRUPT IT. (Yes, I am shouting.) Of course, if you are still convinced that this bad actor can see every keystroke (which I seriously doubt, given what you are doing), then you may worry that on entry of that FV password this stalker will have it, too. But probably not.
I say that because with FV turned on, when your system boots you will have to provide the encryption password before it even starts to boot, and then you will have to enter your account password after it boots. But any "intruder" to your system will be totally stymied by the FileVault encryption because the FV password comes well before any network connection is even opened, so even if a bad actor could somehow force a reboot from outside, the FV password will keep it from booting. Once you know it's done encrypting, you can turn on the network (WiFi and BT) again. Oh, and if you make backups of this encrypted system, make sure to encrypt them, too. You can do that in most backup software, including Time Machine.
You can read more about FileVault here: https://support.apple.com/en-us/HT204837
I want to extend my full gratitude for the detailed clarification you've now provided. I think you can appreciate what I'm experiencing. I'd like to know more about a couple of points you raised. Before I ask, though, I will reply to your query re: FileVault. I actually turned it on straight away after the last clean install and endured the full 4-5 hours (High Sierra is notorious for this, but it seems wiser to use the most patched OS that's still reasonably current than risk this: https://www.servercentral.com/blog/o...erra-zero-day/ ).
I also want to thank you for clarifying the actual mechanics of why a remote reboot of my system is effectively impossible given the need for keyboard access at the startup prompt. These kinds of key facts are vital as I try to understand how I've been compromised.
I'd like to get your input on the following possibility, and I think it's of great interest not just to me but to many others who use FileVault here. When a drive is encrypted using FileVault AFTER the installation of OS X (not during), it syncs the password used to unencrypt the drive each time at startup with your user account password. So, if I had been exposed to a keylogger, isn't it possible that they would quickly have obtained my user account password, given the frequency with which I use it for my daily computing, such as unlocking the Mac after a screen break or installing new apps, and therefore be able to unencrypt the drive at will using terminal commands? Or would a keylogger be impossible to install by virtue of developer protections that operate by default in OS X?
A side point: I installed Wireshark for the first time about a week ago and ran it for a few hours, not really having a clue what it was doing. I soon found that I had exhausted 6GB of my monthly data allowance, which doesn't sound like much, but is 20% of what's available on my sole means of internet access (remember: tethered iPhone). It was in promiscuous mode, if that's of any relevance, but is this reasonable given that my own data use during the 3 hours would have been no more than 30MB of HTTP browsing?
I've also been running Little Snitch for a couple of weeks now. Only a few 'incoming requests', but they were all using OpenVPN (my VPN service), so I'm guessing this bodes well? The only peculiarity is that when I go through the tiring process of authorising the connections the VPN app makes to connect in the first place, sometimes the user is listed as root and sometimes as the name of my MacBook. Is this normal? (I am guessing so.)
Thanks again for your advice. I really appreciate it so that I can get this sorted sooner rather than later. I think we are all entitled to privacy at this basic level.
FV can only be invoked after the OS is installed. It's part of the OS, so you have to have the OS to have FV. When FV encrypts the drive, it gives you three options to gain access if you lose your password. In the document I linked for you, it says:
Quote:
Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:
If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.*
If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.*
If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk.
So, you get to pick what you want. Given your level of concern, I would opt for the last option, a local recovery key that you can print out and store somewhere only YOU can get to. And as it says, once it's done, you use your password (remember, I said to change it) to unlock the encryption. But that unlock happens BEFORE the boot, and before any network connections, so even if someone has the password, they won't have access to your keyboard.
You said:
Quote:
So, if I had been exposed to a keylogger, isn't it possible that they would quickly have obtained my user account password, given the frequency with which I use it for my daily computing, such as unlocking the Mac after a screen break or installing new apps, and therefore be able to unencrypt the drive at will using terminal commands? Or would a keylogger be impossible to install by virtue of developer protections that operate by default in OS X?
I'm not sure what you mean by "exposed to a key logger" in that quote, because you have reinstalled the OS from scratch, which eliminated any key logger that may have been installed. So just because you HAD been exposed does not mean you ARE now exposed. Do you have hard evidence of being key logged now? I am unaware of terminal commands that might decrypt the drive, if someone could gain access to it, but I suppose one could somehow do that (again, I never say nothing is possible, but some things are pretty much only remotely possible (pigs, air, meteorites)). Again, the way macOS works is that you must provide YOUR password to install software, as you said, so any malware that gets installed gets installed because you provided the password. There is no "magic fairy dust" to install anything. The macOS is one of the more secure systems available to consumers; there are no viruses and no known vectors for viruses in the current version.
I cannot speak to Wireshark or Little Snitch. If you want to see what is working your network, open Activity Monitor (in the Utilities folder) and click on the Network tab. Then you can see in the Sent Bytes and Sent Packets what processes are using the network. 6GB seems high to me, but again, I don't have any feel for what your connection involves (WiFi, VPN, cellular, Wireshark, Little Snitch, etc.), so there may be some interaction in all of that that is triggering usage. But maybe Activity Monitor will show that. You can click on the column headers to sort the entries to have the highest hitters at the top where you can compare.
I've had my personal data stolen now six times; each time triggered me to change my passwords and in one case to change email providers. Now I'm getting the scammer email that says "here is your password just to prove I have access" with one of the stolen passwords from 4-5 iterations back. But it's a scam because NONE of my accounts now use that password, so I just ignore it. I'm not letting uncertainty set in.
So, unless you have evidence that you are NOW being key logged, I think given what you say you have done it's unlikely. And if you have no key logger now, then change your password and the bad guys don't have a chance.
The fundamental security of macOS, if you change your password. That plus the fact that every time you go online through your cell connection or the campus network you get a different IP for that session. So unless the bad guy knows exactly where and when you are on the net, they cannot know your exact IP.
Quote:
So again, what's to stop someone who has your IP address from doing a remote terminal command and simply entering the user account password when prompted?
Your new password.
Quote:
If entry of the user account password makes the drive fully accessible locally, what's preventing it being accessible to someone remotely who has a good knowledge of all the terminal commands AND the user account password?
Your new password.
Quote:
What would also then stop them from uploading some form of malware or trojan to that same drive?
If you give away your password, nothing protects you from access.
And with that, I'm done here. Nothing I say is going to make you trust the computer or the internet. Good luck with it.
I've noticed that even when I go to campus (about 2km from my home near the stalkers) they track me down even with the phone off and the MacBook off. However, I've worked out that this only occurs if I log into the campus network. Given that they've probably MITM'd some fellow student to get on the campus WPA2 network, how hard would it be for them to check for my username (the one thing that stays consistent even when I change my campus login)? Are there rogue programs available that would give them a real-time list of usernames logged into the same network so that they could then direct their password sniffing activities accordingly?