
Context

You may know it or you may not, but IT people often have funny ways to refer to users. I remember lusers from the old, glorious days in which I was a sysadmin. But there are more, and even sharper ones.

It’s peculiar to notice how, when I shifted from pure system administration to security management, this mindset held, and was actually even more pervasive, if possible.

Now, as a “security expert”, I agree with the general mantra of the category, which appoints the human factor as the weakest link in the whole protection chain.

It’s true. There you go: the problem quite often sits between the chair and the keyboard.

But here’s the uncomfortable part: I’m the user too. And so are you.

We can harden the network layer, compartmentalise browsers, set up hardware tokens, encrypt everything twice — and then undo it all with a single careless click, a reused password, or a file shared with the wrong person.

This post isn’t about tools. It’s about behaviour. The habits, shortcuts, and blind spots that make all the technical work pointless. And unlike the previous posts in this series, there’s no configuration file to fix this. It’s just you, your choices, and the uncomfortable awareness that you’re the attack surface.

Let’s talk about what that actually means. But we’ll discuss this à la byte arquitechte, mes chers!

This is the most generic post in this series: the ideas you find here apply to all OSes. Better than Java or Python, babs, for here we deal with the greatest vulnerability of any system.

The main exposure: the user

Yes, we’ll talk about our behaviours: what we do (and should not!), how we do things… basically, all the boring considerations that paranoids fear to say out loud, even in their heads.

I will try to trace my own evolution as a (l)user.

Exercise:

Take a look at my Mastodon ProPic (infosec.exchange - handle: @gbiondo). Can you work out where that photo was taken? No? Let me give you some hints:

  • Google “Black Sabbath Bridge”
  • crop the propic, compare it with one of the other images and run a Google Images reverse search

Yay, the answer is Birmingham. Brum. Mordor. Call it whatever.

Now, this is deliberate, at least in my case. I have no ninja running after my head, but again: this is basic information that is easily obtained.

You may think that if you post a picture of your room it has less information. Really? I am looking at my webcam now, and I see in the background some of my books. If someone wanted to profile me, these would give a greater hint than the aforementioned propic.

Now, all this data has a collective name: metadata. The name already suggests that this is data about data, and it makes sense, as we’ll shortly see.

Metadata: what your data says when you’re not talking

Metadata isn’t just in photos. It’s in everything you create - and quite often, also in everything that passes through your devices.

Open a Word document you wrote last month. Right-click, Properties, Details.

What do you see?

  • Author: your full name
  • Company: your employer (or worse — your client’s name if you’re a consultant)
  • Last modified: timestamp revealing your timezone
  • Total editing time: how long you actually worked on it
  • Software version: “Microsoft Word 16.x on macOS 14.3”

You just documented yourself. Identity, employer, timezone, work habits, OS version — all embedded in the file without you typing a single word of it.

Exercise

If you don’t have it already, install exiftool on your Mac:

brew install exiftool

Then take a picture with your phone and download it to your computer. Then run:

exiftool ~/Desktop/Photo3.jpeg

and have fun! Just to give you the idea:

3gnever@0xREVENG3 ~ % exiftool ~/Desktop/Photo3.jpeg | grep -i GPS|wc -l
      17
3gnever@0xREVENG3 ~ %

“Only” 17 pieces of information regarding where the picture has been taken!

Try it a little bit - exiftool works pretty much on all filetypes:

3gnever@0xREVENG3 ~ % exiftool /Users/3gnever/Desktop/topdown.pdf
ExifTool Version Number         : 13.55
File Name                       : topdown.pdf
Directory                       : /Users/3gnever/Desktop
File Size                       : 42 kB
File Modification Date/Time     : 2026:04:08 06:36:10+01:00
File Access Date/Time           : 2026:04:10 06:05:03+01:00
File Inode Change Date/Time     : 2026:04:08 06:36:10+01:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
Linearized                      : No
Media Box                       : 0, 0, 595.2756, 841.8898
Page Count                      : 12
PDF Version                     : 1.4
Modify Date                     : 2026:04:08 05:36:10Z
Producer                        : macOS Version 26.4 (Build 25E246) Quartz PDFContext
Author                          : Gabriele Biondo
Title                           : Untitled
Creator                         : Seven7hSense
Create Date                     : 2026:04:08 05:36:10Z
3gnever@0xREVENG3 ~ % exiftool /Users/3gnever/Desktop/Dashboard\ _\ The\ Byte\ Architect-htmlonly.html 
ExifTool Version Number         : 13.55
File Name                       : Dashboard _ The Byte Architect-htmlonly.html
Directory                       : /Users/3gnever/Desktop
File Size                       : 35 kB
File Modification Date/Time     : 2026:04:09 08:01:50+01:00
File Access Date/Time           : 2026:04:09 08:01:51+01:00
File Inode Change Date/Time     : 2026:04:09 08:01:50+01:00
File Permissions                : -rw-r--r--
File Type                       : HTML
File Type Extension             : html
MIME Type                       : text/html
Title                           : Dashboard | The Byte Architect
Description                     : Hacking is my business and business is good.
Robots                          : noindex, nofollow
Viewport                        : width=device-width, initial-scale=1.0

exiftool gives you an impressive quantity of data - for pictures, which is how I use it the most, it gives you:

  • GPS coordinates (latitude/longitude, accurate to meters)
  • Camera make and model
  • Timestamp
  • Lens focal length
  • Sometimes the camera serial number

There was a time when that sunset you posted on social media from your balcony would have leaked your home address to anyone with exiftool and thirty seconds of curiosity. These days, Meta strips EXIF data automatically before upload — but don’t assume every platform does the same.

This is metadata. Not the content — the context. And context is often more valuable than content.

You can encrypt an email end-to-end with PGP. Perfect forward secrecy, zero-knowledge architecture, the works. The metadata still reveals:

  • Who you emailed
  • When
  • How often
  • Roughly from where

That’s enough to map your entire social graph, infer relationships, track movements, and predict behaviour — without reading a single word of the actual message.

The NSA has been refreshingly honest about this: “We kill people based on metadata.”

You’re probably not on a targeted killing list. But the principle stands. Metadata tells stories you didn’t mean to share.

When it comes to PDF, I find qpdf a great tool. It removes metadata from PDFs:

brew install qpdf
qpdf --linearize --remove-unreferenced-resources input.pdf output.pdf

but nothing that exiftool can’t do too, so it’s up to you to pick your bane:

exiftool -all= document.pdf

If you prefer the GUI, look for ImageOptim on macOS.

For Word/LibreOffice documents: File → Properties → clear author, company, revision history. Export to PDF. Strip that PDF too. Metadata survives format conversions.

For photos you post publicly: disable location services in your camera app. Or use Scrambled Exif (Android) / Metapho (iOS) to strip EXIF on your phone before upload.

And remember: you can only strip metadata before you publish. Once it’s indexed, cached, scraped — it’s permanent. You can’t retract GPS coordinates from an image that’s already in Google’s database.

… and you believed it was “just a photo”.

Observe how the system and the applications give you enough rope to hang yourself: the metadata is just an artefact, a completely legitimate technology that can give you precious pieces of information about your data. Not being aware of it, or worse, not caring, is a human behaviour. We’ll see this pattern quite often: a tool meant to give users new possibilities ends up being weaponisable against them.

Social media patterns

Nowadays it looks like if you are not on social media, if you don’t like social media, or if your behaviour is a bit different from the usual social media user’s, then there’s something wrong with you.

Well, very Huxley-ish. But I am not the right guy to pass judgement here, for I find that environment toxic as hell. Plus, that is a superstructure: we cannot do much about perceptions.

First we should define what is meant by social media. In my current mindset, all applications that allow you to interact with unknown people are social media. So, all that TikTok/FaceBook/Instawhatever business, but not only: also OnlyFans/Tinder/GiveMeYourContactToIntercourseApp and all that dismal lot.

The problem isn’t what you post. It’s the pattern.

You don’t need to dox yourself explicitly. Your behaviour does it for you.

You post at 8:00 AM, 1:00 PM, and 6:00 PM every day? Your timezone is visible. Cross-reference with daylight in your photos and someone can narrow your location to a region.

You post photos of your morning coffee, your office window view, your evening commute? You’ve just mapped your daily routine. A patient observer knows where you live, where you work, and what route you take between them.

You complain about your boss on a pseudonymous account but use the same sentence structure, vocabulary quirks, and posting schedule as your real account? Stylometry connects the dots. It’s not paranoia if they’re actually correlating your datasets.

The problem isn’t individual posts. It’s the aggregate. One photo is harmless. A hundred photos become a timeline. One opinion is noise. Fifty opinions become a profile.

Books on your shelf, again

Remember the webcam example from earlier? The books visible in the background of a video call can profile you more accurately than your LinkedIn bio.

Someone screenshots your Zoom call. They zoom in on your bookshelf. They see:

  • The Phoenix Project — you work in DevOps or IT management
  • Thinking, Fast and Slow — you’re into behavioural economics or decision-making
  • Italian novels — you’re Italian or studied Italian literature
  • Security books, obviously — your field is clear
  • Perhaps, some controversial books (“Chaos Monkeys:…”? “Temporary Autonomous Zone”? Something more political? Anything religious? LGBT-related titles?)

They didn’t need your CV. Your environment told them.

Now apply this to Instagram stories, TikTok backgrounds, YouTube home office tours. Every frame is a data point.

What you actually do about it

Delay posting. Take the photo now. Post it three days later. Break the real-time correlation between your life and your feed.

Randomise timing. Use a scheduler if you want consistency without predictability. Don’t post at the exact moment something happens.

Strip location context. “Grabbed coffee this morning” is fine. “At the Starbucks on 5th and Main, same table as every Tuesday at 7:15 AM” is not.

Separate identities properly. If you run a pseudonymous account, treat it like a completely different person. Different tone. Different schedule. Different topics. Different everything. And for the love of encryption, do not cross-post the same content on both accounts within the same timeframe.

Assume correlation. If you post on Twitter, LinkedIn, and Instagram at roughly the same time with similar phrasing, anyone with basic OSINT skills can link those accounts in under five minutes. If you don’t want them linked, don’t make it trivial.

Background hygiene. Before you go live, stream, or post video — scan your background. Whiteboards with project names. Post-it notes with passwords (yes, I’ve seen this). Books that reveal more than you intended. Reflections in windows or screens showing your location. Get rid of those Your-Fave-Movement/Company/Band/Country flags. Get rid of everything that actually talks about you. Create an aseptic environment. Yes, it’s frustrating and alienating.

Or don’t. Blur your background. Use a virtual background. Or accept that you’re trading convenience for exposure and make peace with it.

As I mentioned before: I am not the most balanced voice when it comes to social media. I see this business as too pervasive and toxic. The thing is, I tried not to be too paranoid in this discussion. I could have discussed the LinkedIn arena, which is where the most delicate information pops up. I didn’t. On purpose. Left for you as an exercise. Another exercise for you: observe the patterns. Where does human behaviour end and where do the technicalities start? Any difference from the metadata case?

The Digital Twin you didn’t know you were building

Here’s the uncomfortable part.

All these breadcrumbs — posting times, books on your shelf, word choices, sentiment patterns, where you grab coffee, what you complain about — they’re not just data points for a hypothetical stalker.

They’re training data.

Algorithms don’t need to hack into your house. They just need enough signal to build a model of you. A digital twin that reacts to stimuli — ads, propaganda, nudges, recommendations — exactly like you would.

You post at 8 AM? The algorithm knows when you’re most receptive. You share articles about privacy? It knows what makes you angry, what makes you click. You engage more on Tuesdays? It schedules content for Tuesdays.

Your digital twin doesn’t need to be perfect. It just needs to be predictive enough to:

  • Sell you things you didn’t know you wanted
  • Show you news that confirms what you already believe
  • Surface content that keeps you scrolling
  • Influence how you vote, what you fear, who you trust

You’re not the customer. Your digital twin is the product. And you built it for free.

The irony? You thought you were just sharing your life. You were actually donating yourself to a prediction engine.

So here’s the real question: do you want that twin to exist? And if it already does — because let’s be honest, it probably does — how much are you still feeding it?

Your digital twin is the product. And you built it for free. And it’s a high-fidelity model because, at our core, we are creatures of habit. As far as I could see in my whole life, human beings love routines. Routines give you comfort. Credibility. Identity. You express yourself through your routines and habits. And this is wonderful, in a perfect world. In this world, these routines generate patterns. Patterns that can be exploited, and usually are exploited for profit. A not-so-mild form of manipulation, but it could be worse.

As we’re talking social media and the web, why not mention…

Social login: convenience is a hell of a drug

“Sign in with Google.”

“Sign in with Facebook.”

“Sign in with GitHub.”

One click. No password to remember. No account creation form. Instant access.

Convenient as hell. And that’s the problem.

You just gave that service:

  • Your real name
  • Your email address
  • Potentially your profile picture
  • Access to your social graph (depending on permissions you didn’t read)
  • A link between that service and your Google/Facebook/GitHub account

And now, every service you’ve ever “signed in with Google” to is tied to that one account.

Single point of failure, distributed everywhere.

Your Google account gets compromised? Every service you signed into with Google is now compromised too. One breach, infinite exposure.

Worse: you’ve just told Google (or Facebook, or GitHub) everywhere you have an account. They know which services you use, when you signed up, how often you log in. They’re tracking your digital footprint across the entire web — and you gave them permission when you clicked that button.

The trust problem

Social login is built on a simple assumption: you trust the identity provider more than you trust yourself to manage passwords.

For most people, that’s probably true. Google’s security is likely better than Password123! reused across forty sites.

But here’s what you’re actually saying when you use social login:

  • “I trust Google/Facebook/GitHub to never get breached.”
  • “I trust them to never misuse my login data.”
  • “I trust them to never change their terms of service in ways I don’t like.”
  • “I trust that if my account gets locked, banned, or suspended, I won’t lose access to everything I’ve ever signed into with it.”

That last one? It happens. Google bans accounts. Facebook suspends people. GitHub locks accounts for ToS violations. And when that happens, you lose access to every service that relied on that login.

You don’t own your identity anymore. They do.

What you actually do about it

Don’t use social login. Just don’t.

Create an account the old-fashioned way. Use your password manager to generate a unique password. Enable 2FA on the service itself.

Yes, it’s a PitA. Yes, it takes an extra thirty seconds. That’s the point. That pain is a feature when the alternative is centralising your entire digital identity under one corporation’s control.

If you already did:

Go through your connected apps settings:

Revoke access to anything you don’t actively use. Then go to those services, create a proper account with a unique password, and break the link.

For developers:

Don’t offer only social login. Give users the option to create a real account. Some of us actually care about this. And some of us remember when OAuth was supposed to be about delegation, not identity consolidation.

Enough dystopia for this post. Let’s get back to what you expect me to tell you. Like credentials hygiene, for starters.

Credentials hygiene

Password reuse: the attack that never gets old

Everyone knows this one. Everyone. Literally.

Security trainings mention it. Articles warn about it. Your IT department sends passive-aggressive emails about it every quarter.

And yet here we are.

You use the same password for your email, your bank, and that random forum you signed up for in 2014 because you needed to download a PDF.

Why? Because remembering fifty unique passwords is impossible, and you’re not a computer.

Fair enough. The problem is: attackers know this too.

How it actually works

That forum you forgot about? It gets breached. The database leaks. Your email and password are now in a text file being sold for $3 on a Telegram channel.

The attackers don’t try to crack your password. You already gave it to them. They just try it everywhere else.

This is called credential stuffing. Automated bots take your leaked email and password, then try logging in to:

  • Gmail
  • Outlook
  • Your bank
  • Amazon
  • PayPal
  • Every major service they can think of

If you reused that password, one of those attempts succeeds.

The pattern? Email compromised, password-reset links requested for everything else (bank account, cloud storage, social media), done.

This is not theoretical. Have I Been Pwned has logged over 12 billion breached credentials. The statistical probability that you’re not in there? Low.

The human problem

You know you shouldn’t reuse passwords. You do it anyway. Why?

Because the alternative — remembering Xk9$mP2@vQ7! for your bank, wL4#nR8&tY3% for your email, and bF6@hS1$pM9^ for Netflix — is cognitively impossible.

So you do what every human does: you create a system.

MyPassword2014! for old accounts.
MyPassword2018! for newer ones.
MyPassword2024! for this year.

Predictable. Weak. Worse than random because it feels secure.

Or you use BankPassword!, EmailPassword!, WorkPassword! — which is just reuse with extra steps.

The human brain is not built for this. Passwords were designed for a world where you had three accounts, not three hundred.

What you actually do about it

Use a password manager.

Strongbox. Bitwarden. 1Password. KeePassXC. I don’t care which one. Pick one. Install it. Use it.

Generate unique passwords for every service. Let the manager remember them. You only need to remember one master password — make it long, make it strong, and never reuse it anywhere else.

Audit your breaches.

Go to haveibeenpwned.com. Enter your email addresses. If you’re in a breach, change those passwords immediately. All of them. Even the ones from 2009 that you “don’t use anymore” — because you probably reused that password somewhere you do still use.
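An added example, not from the post: the k-anonymity range lookup behind haveibeenpwned’s Pwned Passwords API, in Python, checked offline against a constructed response (Password123! from above is the sample, with a made-up count). Only the first five hex characters of the SHA-1 ever leave your machine; a live fetcher for the real endpoint is included but the demo does not call it.

```python
# Added example (not the post's code): the k-anonymity lookup behind HIBP's Pwned Passwords
# range API. Only the first 5 hex chars of the SHA-1 leave your machine; the match is local.
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint; not called by the demo

def sha1_prefix_suffix(password):
    """Split upper-case hex SHA-1(password) into the 5-char prefix sent and 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Turn "SUFFIX:COUNT" lines into {suffix: count}; blank or malformed lines are ignored."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix] = int(count)
    return table

def breach_count(password, fetch_range):
    """How many times the password appears; fetch_range(prefix) returns the response body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix):
    """Network fetcher for real use: GET RANGE_URL + prefix (no password or full hash is sent)."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def constructed_fetcher(known):
    """Offline stand-in for the API: `known` maps passwords to constructed counts."""
    def fetch(prefix):
        lines = [f"{'0' * 35}:12", f"{'F' * 35}:3"]      # filler entries like a real response
        for pw, count in known.items():
            p, s = sha1_prefix_suffix(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        return "\r\n".join(lines) + "\r\n"
    return fetch

if __name__ == "__main__":
    fetch = constructed_fetcher({"Password123!": 154321})
    print(breach_count("Password123!", fetch))                        # 154321
    print(breach_count("correct-horse-battery-staple-9f2a", fetch))   # 0
```

Swap `constructed_fetcher(...)` for `fetch_range_live` to query the real service; the count you get back is how many breach corpora contain that exact password.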

Enable 2FA everywhere.

Even if your password leaks, 2FA stops the login cold. Prefer hardware tokens (YubiKey) over SMS. SMS can be intercepted, SIM-swapped, social-engineered. A YubiKey sitting in your desk drawer cannot.

Rotate old credentials.

API keys you generated two years ago and forgot about. SSH keys you haven’t touched since your last laptop. App-specific passwords for services you don’t use anymore. Clean them up.

The honest truth

You will reuse passwords. Not maliciously — just because you’re tired, you’re busy, and “this site doesn’t matter anyway.”

That’s the site that gets breached. Always.

The goal isn’t perfection. The goal is: make credential stuffing unprofitable.

If your leaked password only works on one throwaway forum and nowhere else? The attackers move on. There are easier targets.

But if your leaked password unlocks your email, and your email unlocks everything else? You just made their job trivial.

SSH keys without passphrases: the unlocked front door

You generated an SSH key. Good.

You didn’t set a passphrase. Bad.

Now that key is sitting in ~/.ssh/id_rsa (or ~/.ssh/id_ed25519 if you’re modern), completely unencrypted. Anyone with access to your laptop — malware, physical theft, an unencrypted backup — can use it to access every server you’ve ever SSHed into.

An SSH key without a passphrase is a plaintext credential.

And unlike a password you can change with a few clicks, revoking SSH keys means logging into every server, editing ~/.ssh/authorized_keys, and hoping you didn’t miss one.

Why people skip passphrases

Because typing a passphrase every time you SSH is annoying.

You’re deploying code. You’re debugging production. You’re jumping between five servers in ten minutes. Stopping to type a passphrase each time breaks your flow.

So you generate the key without one. Or you generate it with one, get annoyed after three days, and regenerate it without.

I get it. Convenience wins. Always.

But here’s what you’re actually doing: you’re turning your SSH key into a password stored in plaintext on disk. The exact thing you’d never do with your email password, you’re doing with root access to your infrastructure.

What actually happens when it leaks

Let’s say your laptop gets stolen. Or you get hit with ransomware that exfiltrates ~/.ssh/ before encrypting your disk. Or you restore from an unencrypted Time Machine backup that someone finds.

The attacker now has:

  • Your private key (unencrypted)
  • Your ~/.ssh/config file (which lists all your servers)
  • Your ~/.ssh/known_hosts file (which confirms which servers you’ve accessed)

They don’t need to crack anything. They just:

ssh -i stolen_key user@your-production-server

And they’re in. Root access. No password prompt. No 2FA. Just in.

What you actually do about it

Set a passphrase when you generate the key

ssh-keygen -t ed25519 -C "your_email@example.com"

It will ask for a passphrase. Use one. Make it strong. Store it in your password manager if you need to.

Already have keys without passphrases?

You can add one retroactively:

ssh-keygen -p -f ~/.ssh/id_ed25519

It will prompt for the old passphrase (none) and the new one. Done.

Use ssh-agent to avoid typing it constantly

Once per session, unlock your key:

ssh-add ~/.ssh/id_ed25519

Enter the passphrase once. The agent remembers it for the session. You SSH freely after that.

On macOS, you can make it even smoother:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

This stores the passphrase in your macOS Keychain. You unlock it once (when you log in), and ssh-agent handles the rest.

Rotate old keys.

If you’ve been using the same SSH key for five years, generate a new one. Remove the old public key from your servers’ ~/.ssh/authorized_keys. Treat keys like passwords — they expire.

Separate keys for separate contexts

Work servers? ~/.ssh/work_ed25519.
Personal servers? ~/.ssh/personal_ed25519.
GitHub? ~/.ssh/github_ed25519.

If one key leaks, the blast radius is contained. Your ~/.ssh/config can handle the routing:

Host github.com
  IdentityFile ~/.ssh/github_ed25519

Host work-server
  IdentityFile ~/.ssh/work_ed25519

The honest truth

You’ll generate a key without a passphrase “just for testing.” That key will still be in ~/.ssh/ three years later, with access to servers you forgot existed.

Clean your SSH directory. Right now. Go look. You’ll find keys you don’t remember creating, for servers you don’t remember accessing.

Delete them. Revoke their public keys from the servers. Start fresh.

Because the alternative is: someone else finds them first.
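An added example, not from the post: a Python audit of a directory like ~/.ssh that reads each private key’s envelope and reports whether it carries a passphrase. The OpenSSH format stores the cipher name in its header (“none” meaning plaintext); legacy PEM keys signal encryption with a Proc-Type header line. The demo populates a temporary directory with constructed placeholder keys, not real key material.

```python
# Added example (not the post's code): find private keys in a directory like ~/.ssh and
# report which ones have no passphrase, by reading the key envelope rather than guessing.
import base64, os, struct, tempfile

MAGIC = b"openssh-key-v1\x00"

def _ssh_string(b):  # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_openssh_blob(cipher, kdf):
    """Constructed sample: an openssh-key-v1 envelope with placeholder key sections
    (no real key material), just enough to exercise the header check."""
    body = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    body += struct.pack(">I", 1)                       # one key in the file
    body += _ssh_string(b"PLACEHOLDER-PUBLIC") + _ssh_string(b"PLACEHOLDER-PRIVATE")
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % "\n".join(lines)

def private_key_status(text):
    """Return "encrypted", "UNENCRYPTED", or None when the text is not a private key."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return None
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # Modern format: the cipher name sits in the base64 body; "none" means plaintext
        raw = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not raw.startswith(MAGIC):
            return None
        cipher, off = _read_string(raw, len(MAGIC))
        kdf, _ = _read_string(raw, off)
        return "UNENCRYPTED" if cipher == b"none" or kdf == b"none" else "encrypted"
    if lines[0].startswith("-----BEGIN ENCRYPTED PRIVATE KEY"):
        return "encrypted"                                 # PKCS#8, encrypted variant
    # Legacy PEM (RSA/EC/DSA PRIVATE KEY): encryption is signalled by a header line
    return "encrypted" if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4]) else "UNENCRYPTED"

def audit_ssh_dir(path):
    """Return (file name, status, permission bits) for every private key found in path."""
    report = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full) or name.endswith(".pub"):
            continue
        try:
            with open(full, encoding="utf-8", errors="replace") as fh:
                status = private_key_status(fh.read())
        except OSError:
            continue
        if status:
            report.append((name, status, oct(os.stat(full).st_mode & 0o777)))
    return report

def demo_audit():
    """Populate a throwaway directory with constructed files and audit it."""
    d = tempfile.mkdtemp()
    samples = {
        "id_ed25519": make_openssh_blob(b"aes256-ctr", b"bcrypt"),   # has a passphrase
        "test_key": make_openssh_blob(b"none", b"none"),             # "just for testing"
        "id_ed25519.pub": "ssh-ed25519 AAAA-placeholder user@example\n",
        "config": "Host work-server\n  IdentityFile ~/.ssh/work_ed25519\n",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(content)
    return audit_ssh_dir(d)

if __name__ == "__main__":
    for name, status, mode in demo_audit():
        print(f"{name:20} {status:12} {mode}")
```

Point `audit_ssh_dir` at your real ~/.ssh and every line marked UNENCRYPTED is a candidate for `ssh-keygen -p` or deletion.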

The pattern you’ve probably noticed

Metadata. Social media patterns. Password reuse. SSH keys without passphrases. Social login.

None of these are technical failures. Your OS didn’t fail. Your browser didn’t fail. Your firewall is fine.

You failed. Or more accurately: human behaviour failed.

The tools work. The encryption works. The compartmentalisation works. But then you post a photo with GPS coordinates embedded. You reuse a password because it’s easier. You skip the SSH passphrase because typing it is annoying. You click “Sign in with Google” because it’s one less account to manage.

And all the hardening, all the configuration, all the layered defence — gone.

This is why security people are exhausted. It’s not the technology. Technology is solvable. Humans are not.

You can patch software. You can’t patch behaviour.

But here’s the thing: you can change it. Not overnight. Not perfectly. But incrementally.

Strip metadata before you share. Delay your posts. Use a password manager. Set passphrases on your SSH keys. Create proper accounts instead of social login.

One habit at a time. One decision at a time.

Because the alternative is: you’ll do all the technical work, set up all the defences, harden all the layers — and then leak your home address in a sunset photo’s EXIF data.

The human factor is the weakest link. But it’s also the only one you can actually control.

Conclusion

In the next post: VeraCrypt and plausible deniability, oversharing in the workplace, security theater, when paranoia is actually justified, and how I actually work day-to-day. The behaviours that make or break everything we’ve built so far.

Stay paranoid — but stay sane.


A kind request for you

I’m deciding what to write next. Which gap hurts you most — code signing internals, AppKit underdocumented patterns, or macOS threat detection? Hit me directly: work@bytearchitect.dev