What’s Your Risk of Internet Intrusion?

The most likely determinant of risk to attacks or intrusion via the internet is how directly reachable your Mac is. While the vast majority of routers have a public IP address, very few computers on local networks do. Almost always, your router receives traffic and then re-addresses it to your Mac.

Let’s start back with the basics, though. A public IP address is simply one that’s uniquely assigned across the internet, and can be reached from anywhere else on the internet. Your router almost certainly has a public IP address, because that’s how it interacts with the rest of the world on your behalf.

It’s a very low bar for any interested party to scan all the originally defined set of public addresses on the internet—yes, as many as hundreds of millions of them—to find open access for services that the scanner might know potential security exploits for, sometimes far out of date…but there are a lot of old, unpatched machines on the internet. Thus, with a public address, there’s no obscurity possible.

Most homes and businesses rely on private IP addresses for everything but their broadband connection’s router, however. These reserved ranges are only used on local networks, are managed by a router (using something called Network Address Translation or NAT), and typically assigned out automatically with DHCP (less well known as Dynamic Host Configuration Protocol).

Private addresses, which are usually in the form 10.0.1.x or 192.168.1.x, can be reached without any special effort by other devices on the same network of privately assigned addresses. However, when a device on your network makes a request outside its private network range, like viewing a webpage, the router rewrites the request to use the router’s public IP address, and sends it out; the router receives a reply and then forwards it to the locally connected device that requested it.

If you were to have a public IP address on your Mac—not just on your router—it would be like standing on a street corner instead of being inside a house with a locked door and a mail slot. Anyone can come up to and start talking to you or assault and rob you! (Unlike in the world of atoms, where violent crime is minimal and has drastically fallen in recent years, an internet mugger can attack targets wherever they are and a huge number simultaneously.)

The same effect happens if you configure your router to connect its public address with specific services on one or more devices on the local network. For instance, some people want to have a globally available web server or fileserver, and it’s not terribly hard to expose the correct connection. That makes that web server or fileserver just as exposed as if the Mac had a public IP address—but only those services, not everything else shared on the Mac.

NAT isn’t designed as a security measure: it’s just a spreadsheet the router maintains to wire requests and replies together. It’s incidentally a general security measure because it makes potentially exploitable open doors on your devices nearly impossible to reach without being specifically targeted, particularly with a router that can be subverted.

You may already be sure you don’t have a public IP address on your Mac: your ISP charges extra for public addresses you use beyond the one attached to your router, and you know you’re not paying for it; your ISP doesn’t offer public addresses; you specifically made sure you weren’t getting one from your ISP; or you’ve configured your router and you know exactly how you set things up.

If you’re not sure, walk through this list:

• Check your Mac’s address: You can examine the IP address assigned for your active network interfaces. In Monterey and earlier, open System Preferences > Network and select in turn each of your active interfaces in the list on the left; in Ventura, go to System Settings > Network and select each of your active interfaces in the main panel:

  • Ethernet and most interfaces show the address in the main pane under or next to “IP Address.”

  • For a Wi-Fi interface, the address appears in Monterey and earlier at the top at the end of a descriptive chunk of text as “…has the address x.y.z.a.” In Ventura, click Details to see the address next to IP Address (Figure 28).

  

• Check your router: Connect using the administrative controls for your routers, log in, and look at where your router shows its WAN (Wide Area Network), Modem, or Internet IP address, and how network addresses are handed out under DHCP, LAN (Local Area Network) or similar labels (Figure 29). The WAN side is almost always a public IP; the LAN/DHCP part almost always private.

  

If the IP address of your Mac or LAN/DHCP addresses on the router is in any of these ranges, it’s a private one, where “x” is any number from 0 to 255: 10.x.x.x, 172.16.x.x to 172.31.x.x, or 192.168.x.x. Otherwise, it’s almost assuredly public.

IPv6 Networking Adds a Wrinkle

Technically, the IP address style of x.y.z.a, like 192.168.0.1 or 36.44.0.6, is IPv4 (version four), which has been in use for decades. For nearly 20 years, internet mavens have been trying to move the networks that comprise the internet to IPv6, which has a lot of advantages, including a much larger potential number of addresses—billions versus hundreds of undecillions (that’s 10³⁸).

However, the trouble has been all the inertia of having billions of devices and hundreds of millions of routers and pieces of plumbing designed around IPv4. A lot of the internet can now handle IPv6, but nobody wants to pull the bandage off yet, because of private addressing. IPv6 was designed before NAT became de facto and a sort of quasi-security measure used by ISPs and corporate networks alike.

For most of us, that means until private addressing can work in a similar way within IPv6, our ISPs have assigned our routers a public IPv4 address, and have chosen one of several paths with IPv6:

• Ignored/disabled: Your ISP may simply not pass IPv6 traffic, and it’s not an issue for security.

• Allow, but disabled by default: You can use IPv6, but you have to configure your router to allow it. My ISP, CenturyLink, requires a special router for its fiber-optic service, and has detailed instructions for enabling IPv6. Since I have no specific need of it, I’ve left it disabled to reduce my exposure on the public internet.

• Turned on by default: You may have an ISP, like my editor Joe Kissell, who enables IPv6 by default through its system, and your router and devices all automatically get IPv6 addresses, just as they do IPv4 ones.

If you’re in that last situation, you may have publicly reachable IPv6 addresses—it can be hard to tell, because some ISPs use techniques described in the article linked above that are almost, but not quite, like NAT. If the IPv6 addresses are truly publicly accessible, they expose the same kind of general risk to remote attack as with public IPv4 addresses, and follow the advice that comes in the next section.

But some analysis suggests it’s not as bad as it might seem. The Internet Society has an interesting FAQ about IPv6 and security, and notes that attackers could find “infrastructure nodes” reasonably easily—the routers that form the backbone of the internet and connect ISPs, streaming services, data center, and so forth all together.

But, the document explains, “It is generally unfeasible though to address scan a network for client devices, since their addresses are randomized over a very large address space.” Simplified, it means that it’s not a needle in a haystack, but 10,000 needles in a Nebraska’s area of haystacks. (With IPv4, it’s a cubic foot of hay and you can see all the needles inside.)

If you’re truly concerned, you can disable IPv6, as it isn’t a mandatory or critical part of using the internet. Here are three possibilities, the first two of which will affect your entire network:

• Disable IPv6 at the router: Find the manual for your router and follow instructions to disable IPv6. It may be as simple as selecting a radio button.

• Ask your ISP to disable IPV6: Contact your ISP and ask them to disable IPv6 on your account or router if they control your router or have the ability to do this at a higher network level.

• Disable IPv6 on your Mac: If you can’t or don’t want to disable IPv6 network-wide, disable IPv6 on your Mac. Go to System Preferences > Network (Monterey and earlier) or System Settings > Network (Ventura), select your interface (or each active interface) in the list, click the Advanced button, select TCP/IP, and choose “Link-local only” from the IPv6 popup menu. Click OK; in Monterey and earlier, then click Apply. This leaves other devices still reachable via IPv6, but at least locks down your Mac.

Configure Your Mac’s Services

With all that in mind, you might wonder: what should I open for use and what’s safe? I advise always turning on only the services you need, and I’ll spell out a few that are worthwhile and how to configure them just ahead.

But you should have different considerations under these sets of circumstances:

• Privately addressed Mac on a network in which all users are trusted: If you’re by yourself or you trust your roommate and family to not attempt to access things they shouldn’t, you can enable what you like and just configure for general safety.

• Privately addressed Mac on a network in which not all users are trusted: If you share a network with other people—which could include kids or parents who may not be as safe or honest with you as you might like—consider locking things down further and using the fewest possible services.

• Publicly addressed Mac: You need to take more care to set passwords and configure limitations, and to consider whether to leave services active all the time or only when you know you or someone you trust needs them.

• High-risk individual or group: People who believe themselves at elevated risk shouldn’t operate any services on public addresses, and should think strongly about not running them even on privately addressed networks. It’s very easy for so-called Internet of Things (IoT) or “embedded devices” to be compromised. That can include DVRs, routers, smart-home gear, and more. A subverted device on your local network can have the same access as anyone else on the network.

Hold that in your head now as I run you through a few items in System Preferences > Sharing (Monterey and earlier) or System Settings > General > Sharing (Ventura) that can be valuable to enable (or disable). Configuration options appear in the main pane in Monterey and earlier; in Ventura, click the info icon next to whichever service I mention to access those detailed settings.

iCloud Drive

Apple’s iCloud Drive is integrated into macOS, iOS, and iPadOS, and lets you use your free or paid iCloud space to store and share files.

A shared folder requires an Apple ID to access, and the contents are all accessible to whomever is invited or has the link, depending on the permissions you set. Up to 100 people can be invited to a folder. Only folders you create can be shared—not ones that Apple manages or that are created for apps. Storage space is occupied only in the sharing party’s iCloud account, which makes it handy if other people don’t have large iCloud storage subscriptions.

iCloud Drive appears by default as an item in the Finder window sidebar. You can select it there, or you can choose Go > iCloud Drive or press ⌘-I. Apple overhauled the Finder interface in Ventura significantly, so I’ll show you both the older and new methods.

Dropbox

Dropbox is an exceedingly popular service for simple syncing across devices that offers several different ways to share files with strong controls on access. It has integrated macOS support, as well as full-featured apps for iOS/iPadOS and other major platforms, and a sophisticated web app.

In macOS, Dropbox uses some jiggery-pokery to add icons to the right of files and folders in the Finder in its folder. The Dropbox folder is the only one that’s synced, and it’s located by default in your home folder. Files and folders may be online only, and files and folders may be synced and up to date locally. Files show a syncing icon while they’re being uploaded or downloaded.

Control-click or right-click a file or folder inside the Dropbox folder, and a series of menu items appears. Here are the items you’re really concerned with:

• Share: This opens a dialog box with extensive options to let people have access to a file or folder (Figure 34). The dialog lets you invite people, create publicly available or password-protected links for sharing, and set an end-date for access. Use this option for sharing items that you want people to have ongoing access to, particularly for folders that you might optionally want to let people drop items into or modify. (Shared folders count against other people’s Dropbox storage limits.)

• Send with Transfer: Dropbox lets you send files without providing any access to your Dropbox space. The transfer can be password protected and have an expiration date.

• Copy Dropbox Link: Selecting this creates a public link that anyone who has it can use to download the particular item. For certain kinds of files, like images and PDFs, the link allows viewing inline on a website, too.

  

Google Drive and Microsoft OneDrive

Two other major firms’ apps don’t offer file-level Finder integration, but can sync files automatically and provide macOS access via a web app. Both also have iOS/iPadOS apps.

The advantage of both is that you might already have paid for storage:

• Google Drive: Google Drive provides access to the 15 GB of free storage available for all Google individual accounts or to the larger pool of paid Google One tiers that start at 100 GB for $19.99 per year. Business accounts include a higher starting storage allocation. Google allows public and invitation-based links with varying permission, but doesn’t offer automatic expiration.

• Microsoft OneDrive: Anyone can get 5 GB of free storage in Microsoft OneDrive by setting up a Microsoft account, purchase small amounts of storage, or get 1 TB for each user on paid plans (whether one individual or a family of up to six). OneDrive’s sharing options are comparable to those of Dropbox, with options for invitations, public links, and an expiration date for the link.