Slashdot Mirror


Prevent Insecure Booting Of Your Mac

maxphunk writes "So you can boot anyone's Mac using a CD or (for newer machines) mount the hard drive using target disk mode. Therefore, your machine isn't secure, right? Stock, yes; otherwise, no. Apple has a neato utility described here that eliminates this problem and more, using Open Firmware Password Protection. I have installed it on my iBook (late 2001) and I am definitely pleased with the results." It requires Mac OS X 10.1 or greater, and prevents things like starting up in single user mode, verbose mode, resetting PRAM, and more.

51 comments

  1. Reset Switch? by autojive · · Score: 1

    What would happen if you opened up the Mac and hit the hardware reset switch on the motherboard? Will this bypass this new password protection?

    --
    I wish my lawn was emo, so it would cut itself.
    1. Re:Reset Switch? by BitGeek · · Score: 3, Informative

      No.

      The hardware reset starts the machine reading at the beginning of its onboard ROM (or wherever the reset address is set to) and so it immediately starts executing code that wants the password.

      The way around this is to grab the hard drive out of the machine, and put it in an external firewire case, attach it to another machine that boots from its internal hard drive, and then you should be able to read all the data.

      This password protection is basically a deterrent, but not ultimate security.

      --
      Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23/1816257
    2. Re:Reset Switch? by hype7 · · Score: 1
      This password protection is basically a deterrent, but not ultimate security.


      that's right, it won't stop a determined hacker. If they want what's on your machine, and they have physical access, they'll get it.

      But where this falls down is that it makes it a *real* bitch if you need to legitimately boot off a CD - for example, something bad happens to your install. Unlikely with OS X, but still a remote possibility.

      -- james
    3. Re:Reset Switch? by feldsteins · · Score: 3, Interesting

      Oh I don't know.. if by "*real* bitch" you mean "gotta enter the OF password," then yeah I guess so.

      Seriously, is it more than that? I wouldn't have thought so.

      --
      You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
    4. Re:Reset Switch? by Spencerian · · Score: 2

      You can still boot off of other media by holding down the Option key. From there, you'll be asked for the OF password, and then you can choose the disk you want to use.

      --
      Vos teneo officium eram periculosus ut vos recipero is.
    5. Re:Reset Switch? by Shanep · · Score: 2

      that's right, it won't stop a determined hacker. If they want what's on your machine, and they have physical access, they'll get it.

      I think we are considering the wrong tools for different jobs here.

      The OpenFirmware password should be used to disallow usage of your machine as a whole (hardware stolen etc) and disallow a weak attempt at theft of private info from the machine (most attempts would be weak, the average joe is not an elite cracker or even script kiddie).

      High protection of your valuable information should be kept inside an AES-128 encrypted disk image. If they can get your data out of that (stored with a strong password), then they are pretty damned determined!

      At the end of the day, suffering a loss of hardware can be something hard to avoid. You need to decide how much you are willing to spend to prevent the theft of hardware. Securing the data is the easy part.

      If everyone secured their Macs with the OpenFirmware password, thieves might soon avoid stealing them since their value to purchasers plummets. Thieves would not be able to demonstrate that "they own the machine" and that the machine is usable to a private buyer, money-lent shop, etc. I know many stolen goods are sold on the street without any demonstration, though thieves selling useless hardware will soon get a bad reputation for supplying useless goods and thus avoid those goods.

      It should come pre-enabled with OSX, since the BIOS queries for a password, allowing the rightful owner to protect their hardware.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  2. Forget? by intu · · Score: 1

    What if you forget password? Just call Mac service? Well that doesn't sound secure...

    1. Re:Forget? by dthable · · Score: 1

      Well, right now you just need to boot from the OS X CD and then use those cool menu items to reset the passwords. I've done it a number of times since someone in my house can't remember their password. But there is no need to call Apple.

    2. Re:Forget? by SlamMan · · Score: 2

      Right, but that doesn't work on the firmware passwords, since you can't get to the CD drive.

      --
      Mod point free since 2001
    3. Re:Forget? by dthable · · Score: 1

      And that's why people would use the Open Firmware password. The only point I'm making is that what we currently have is insecure, so the more layers you can add, the more secure your data can be.

  3. wow, cool... by kevin+lyda · · Score: 1, Offtopic

    ...and this prevents people from just removing your harddrive and grabbing the data that way how exactly? oops.

    --
    US Citizen living abroad? Register to vote!
    1. Re:wow, cool... by dthable · · Score: 1

      And that's why you encrypt the data files on the hard drive as well. This just prevents people from using the password reset utility on the CD to gain entry into your computer.

    2. Re:wow, cool... by DustMagnet · · Score: 2, Insightful

      This type of security is more useful than it sounds. If you combine it with a physical lock down, you have a machine that can be safely set up in a public lab.

      --
      'SBEMAIL!' is better than a goat!!
    3. Re:wow, cool... by Alex+Thorpe · · Score: 1

      No one's opening up my iMac for the hard drive without printed instructions from MacFixIt.com or another Mac tech site, and it'll take them 10-15 minutes. Heck, I replaced my hard drive, and I couldn't do it again without instructions.

      --
      "Common Sense Ain't" -Unknown
    4. Re:wow, cool... by Blackstealth · · Score: 1

      Even with printed instructions it only takes 5 minutes max. I've replaced a HD and had my iMac back up and running in under 7 minutes.

    5. Re:wow, cool... by Anonymous Coward · · Score: 0

      Quite simply, at least on my G4... Place a padlock on the locking device (back of the machine). About the only way to get in once locked is to physically break the case. An allen wrench can get all the pretty plastic off. But, that's about it. The whole point of the OF protection, I believe, is to prevent lab users from easily rooting the box. Hmm... none of the lab's proctors should mind if I take apart this machine, right?

  4. Actually by intu · · Score: 1

    i think it can be compromised anyway, take your harddrive out, etc.. But it's very effective against fast console hacks. (going to take a coffee and leaving my iBook on my desk...)

    1. Re:Actually by bsartist · · Score: 2

      going to take a coffee and leaving my iBook on my desk...

      I'd be far more worried about that iBook getting stolen than getting cracked...

      --
      Lost: Sig, white with black letters. No collar. Reward if found!
  5. Forgot the OF Password? by Paul+Burney · · Score: 4, Informative

    Fear not! According to the securemac site and the macosxlabs site, just do the following:

    Force Removing Password Protection

    1) Add or remove DIMMs to change the total amount of RAM in the computer.

    2) Then, the PRAM must be reset 3 times. (Command + Option + P + R).

    I'm not sure if just removing the PRAM battery will also reset the PRAM or not in this case.

    Is this secure? Well, it depends on your situation. If you are in a lab situation and you don't want the students booting off CDs, ZIPs, external hard drives, etc., for their hax0rish needs, then this works OK. It's easy to spot someone opening up a computer and swapping out ram, etc.

    For your own machine? Probably more trouble than it's worth because it causes problems with firmware upgrades, etc. If someone has physical access to your machine, they can get the data off by using the above procedure or by the hard drive swapping someone else mentioned.

    Bottom Line: If you have sensitive data on your machine, you should encrypt it even if you have OF password set. In general, if you let someone have physical access to a machine, assume they can get access to all the data on it.

    --
    <?php while ($self != "asleep") { $sheep_count++; } ?>
    1. Re:Forgot the OF Password? by mjpaci · · Score: 2

      That's only if you're being half-assed about it. You can put a masterlock on the machine to prevent it from being opened.

    2. Re:Forgot the OF Password? by SlamMan · · Score: 2

      Not on an iMac though. There isn't a way to stop the ram from being removed.

      --
      Mod point free since 2001
    3. Re:Forgot the OF Password? by Mononoke · · Score: 1
      Not on an iMac though. There isn't a way to stop the ram from being removed.
      Yes there is. There's a hole in the latch (the part you turn using a coin or whatever) that, when a cable lock is inserted, will prevent the latch from being opened.

      It's hard as hell to find a lock to fit it, but once locked down, you cannot open it. I found a cable-type luggage lock that fit.

      --
      NetInfo connection failed for server 127.0.0.1/local
    4. Re:Forgot the OF Password? by bsartist · · Score: 2

      You can put a masterlock on the machine to prevent it from being opened.

      The padlock itself may be able to laugh at bullets, but the little tab of lightweight metal it's attached to is about two seconds work with a Dremel.

      Locking a computer case that way is about as effective as putting a bulletproof window into a cardboard wall. It's the illusion of security, nothing more.

      --
      Lost: Sig, white with black letters. No collar. Reward if found!
    5. Re:Forgot the OF Password? by i_am_pi · · Score: 1
      I happen to like the "arcane" (not really, "password" then "setenv security-mode full" isn't that arcane (coming from a guy that prefers MacVIM to anything else....)) interface better because it can lock out the computer from booting period unless you reset the password.

      typical startup session with this mode on

      (open firmware banner)
      ok> boot
      Password: clickety-click
      booting continues

      Pi
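
Added example (not part of the thread, and not Apple's utility): a defender's check for the reset procedure described above. It reads the output of `nvram -p` and reports machines whose Open Firmware `security-mode` is weaker than the lab policy expects. The host names and sample dumps are constructed, and treating a missing `security-mode` variable as `none` is an assumption.

```shell
#!/bin/sh
# Added example: audit the Open Firmware security-mode reported by a Mac.
# Input is the text printed by `nvram -p`, one "name value" pair per line.

# Print the security-mode value found on stdin.
# Assumption: a machine with no security-mode variable counts as "none".
of_security_mode() {
    awk '$1 == "security-mode" { m = $2 }
         END { print (m == "" ? "none" : m) }'
}

# Rank the modes so a stricter mode than the policy asks for still passes.
# none = no password, command = password for alternate boot and OF commands,
# full = password for every boot. Anything else ranks as -1 (unknown).
mode_rank() {
    case "$1" in
        none)    echo 0 ;;
        command) echo 1 ;;
        full)    echo 2 ;;
        *)       echo -1 ;;
    esac
}

# of_check HOST EXPECTED   (nvram -p text on stdin)
# Prints "HOST MODE STATUS". STATUS is OK when MODE is at least as strict as
# EXPECTED, WEAK when it is not (for example after the password was cleared
# by a RAM change plus PRAM reset), UNKNOWN for an unrecognised value.
of_check() {
    host=$1
    expected=$2
    mode=$(of_security_mode)
    have=$(mode_rank "$mode")
    need=$(mode_rank "$expected")
    if [ "$have" -lt 0 ]; then
        status=UNKNOWN
    elif [ "$have" -ge "$need" ]; then
        status=OK
    else
        status=WEAK
    fi
    printf '%s %s %s\n' "$host" "$mode" "$status"
}

# Constructed sample dumps for three hypothetical lab machines.
sample_command() {
    printf 'auto-boot?\ttrue\nsecurity-mode\tcommand\nboot-args\t\n'
}
sample_full() {
    printf 'auto-boot?\ttrue\nsecurity-mode\tfull\nboot-args\t\n'
}
sample_reset() {
    # No security-mode variable at all: the state after firmware settings
    # have been wiped.
    printf 'auto-boot?\ttrue\nboot-args\t\n'
}

run_demo() {
    sample_command | of_check lab-01 command
    sample_full    | of_check lab-02 command
    sample_reset   | of_check lab-03 command
}

run_demo
```

On a real machine the same check would be fed from the live settings, e.g. `nvram -p | of_check "$(hostname)" command`.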
  6. Good, Basic Protection by Spencerian · · Score: 5, Insightful

    For the record, I'm an Apple Service Technician, so I'm not quite talking out of the side of my face.

    Open Firmware protection has been around since the Blue & White G3 (maybe the original G3) but wasn't really endorsed by Apple until now. I think they really wanted to make a formal way to configure it. Before this, users had to boot into OF and enter some arcane commands.

    Basically, all Macs made since late 1999 work with this, but original and Blue & White G3s as well as early iMacs (made in 1998 and 1999) don't qualify. That doesn't mean you can't attempt to use the OF password features available on these systems, just that you may not be able to use Apple's utility to configure it since the firmware versions don't match.

    As someone already said, all bets are off when a hacker has physical access to the computer. But, combined with physical deterrents such as locks and proper security (rlogin off, password on screen saver, proper admin and user accounts, etc.), this really helps teachers and other sysadmins who need to keep kiddies or college kids from overriding the system's security and installing or copying stuff.

    Apple hardware has really needed this for a long time, and I couldn't endorse it until Apple did since it's a CYA thing.

    --
    Vos teneo officium eram periculosus ut vos recipero is.
    1. Re:Good, Basic Protection by Buskaatt · · Score: 1

      I'm trying to figure out a way to boot Linux on old world Macs that run OS X (beige G3s, etc). I was hoping this was a way to get into firmware, because as it stands, the firmware bootloader (yaboot) doesn't work, and since it's OS X, a BootX extension doesn't work either without forcing the user into OS 9.

      I read this on the Apple Care page linked to this article:

      Hardware Requirements * none

      But from what you say, this isn't true.

      For what it's worth, yaboot, the Open Firmware boot loader that comes with most (all?) PPC Linux distros, has password protection as well. (http://www.debian.org/ports/powerpc/inst/yaboot-howto/ch6.en.html)

  7. im screwed! by paradesign · · Score: 2, Funny
    now how am i supposed to install things on the schools macs that i need. the lazy IT department will not install anything, regardless of purpose.

    we hacked an entire room of G4's just to put on our Wacom drivers so we could use our tablets to do homework.

    --
    I want 2D games back.
  8. sounds good to me by Anonymous Coward · · Score: 0

    You know, i was thinking the other day about low-level security. i've got roommates who use my machine without my permission, and it pisses me off. i have the machine password-protected; trouble is, i think they know the boot-from-CD trick. This OF thing sounds peachy to me, because it solves that problem. as for the HD-removal trick? I don't think they've got the savvy to rip out my (iMac) hard drive, at least not without me knowing about it. and btw, i'm not an anonymous coward, i just don't feel like typing in my password.

    1. Re:sounds good to me by Anonymous Coward · · Score: 0

      Two solutions:

      1. When you're done playing on the computer, just turn it off and swap the +5 and +12v wires coming out of your power supply. Before starting it again, simply swap them back. The computer won't start with these swapped, and your roommates probably won't figure it out and leave your computer alone, thinking that it isn't working.

      2. Order a USB-110v AC adapter from digikey and plug your keyboard into that when you're not using it. Just be sure to unplug it before you attempt to use it again (or even touch it).

      Hope that helps!

  9. An open firmware password is just a deterrent by El+Gato+Loco · · Score: 2, Informative

    Actually, it's a deterrent. If your lab is made up of new flatscreen iMacs, you'd have to prevent the base from being opened up. Four screws for the RAM access plate, then some torx screws inside that for the drives. PowerMac G4 computers and CRT iMacs are better protected because their access doors can be secured with a cable.
    Bottom line, the Open Firmware password is a Maginot Line. It's great until someone realizes they can go around it. You'd better be ready to use other utilities or practices in conjunction with the password.

  10. Well geez, people... by PrimeWaveZ · · Score: 1

    If you have physical access to the device, of course you can access the data stored on the device. All of these measures help keep the data from being accessed, but if one steals the storage medium, you better hope that everything important on the drive was encrypted.

  11. Three ways to reset the password by EccentricAnomaly · · Score: 2

    In the article:

    Warning: The Open Firmware Password can be reset and changed by any one of the following:

    1. By any Admin user, as designated in the users pane of System Preferences (or in Server Admin).
    2. Via physical access to the inside of the computer.
    3. When the computer is started up in Mac OS 9.


    No computer is secure if you have physical access to the computer.

    --
    There are 10 types of people in this world, those who can count in binary and those who can't.
  12. Disables Firewire Target Disk Mode by cplater · · Score: 2, Informative

    Enabling the OF password will disable all of the startup key sequences, including booting from a CD, ejecting removable media, and Firewire target disk mode. This can be very confusing if you set the password, forget that it is set, and then try to use FW target disk mode, or need to boot from a CD. For everything that it disables, it is not worth the very little bit of security that it adds.

    --
    -- Charles A. Plater
    1. Re:Disables Firewire Target Disk Mode by pesi · · Score: 1

      yeah, it's bad security because you're a moron and forgot you set it up. uh-huh. it makes it more difficult to access the device? that's why it's called security, dumbass.

    2. Re:Disables Firewire Target Disk Mode by cplater · · Score: 1

      It is bad security because it doesn't buy you anything. Your data is no more secure with it on than off. It adds inconvenience by disabling some very useful functions (firewire target mode) and in order to turn it off to use fw disk mode, you have to boot into X to turn it off. If you are after data security, you would be better served to look somewhere else.

      --
      -- Charles A. Plater
    3. Re:Disables Firewire Target Disk Mode by pesi · · Score: 1
      hmmm... it buys me the knowledge that an unattended machine won't be able to be booted and accessed by anything but the internal drive.

      yeah, and those very useful functions that are disabled make your machine less secure, so disabling them makes the machine more secure...

      it's obvious you just don't get it.

    4. Re:Disables Firewire Target Disk Mode by cplater · · Score: 1

      Well I guess you won't be happy until you win, so if disabling these features is useful to you, then you win. In my book this doesn't add much value, but if I were still administering labs of machines, this would be very useful. To each, his own. I don't use it, but I can see that it might be useful to some. The point is that users should not enable this password without knowing the consequences.

      --
      -- Charles A. Plater
  13. Well, there's always this trick... by guuyuk · · Score: 2, Informative

    Physical security is always part of the security equation, so here's a somewhat ridiculous method, and one that can work well in a school environment.

    Remove the internal hard drive, or ensure that there is no OS installed on it (data only), set up an external firewire drive with everything you need (OS, Apps, etc.), and set the system to boot from that drive. When you're done, take the hard drive with you.

    Alternatively, you could also boot this same system off an OSX server volume (ala diskless Unix workstations). Apple demonstrated that capability with an early distro of OSX Server to 50 diskless iMacs a while back. Here's a reference: http://docs.info.apple.com/article.html?artnum=60168

    --
    We're sorry, the phone number you have reached is imaginary. Please rotate your phone 90 degrees and try your call again
  14. laptop theft by tomdarch · · Score: 2, Insightful

    My PB was stolen a while ago, so this has been on my mind recently. How sophisticated are the people who fence stolen Mac laptops? I'm sure that there's a sophisticated network for turning around stolen PCs, but Macs are a bit more obscure. In my case, the stupid thieves took the laptop, but not the $80 power cable. I'm sure that the battery ran down in a few days in sleep mode, so to show that it's working to sell it or wipe the drive with a bootable CD would require a specific power cord. Are there 'resale channels' with those kinds of resources? Back to the topic, an OF password would help to some degree by preventing simply booting off a CD. Are there Mac specific fences who would know how to get around that? It's been a couple of months since the theft, and I still suspect that I may get a call one day: "Uh, I, uh, found a laptop that has your name on the screen and asks for a password...." I can always hope, can't I?

  15. Re:BIOS Password. Big deal. by Spencerian · · Score: 5, Interesting

    You're right--your message is a troll. See the hairy little bastard under the bridge? That's your comment.

    Historically, Apple cared not to add password protection to their first Macs for the same reason that you don't expect someone to ask for your papers just to use your toaster. Apple's original intent was to design the Macintosh for use as an appliance--something that didn't require a science degree to use. Easy. Efficient. Simple. NOTHING on a Macintosh was meant to be complex. That is why we STILL have only one button on our boxed mouse. This is a fundamental difference in how Apple and other companies, particularly Microsoft, design their products. If you, the user, want complexity, you're free to do so, but Apple won't screw their product by adding something that many do not need or want, and sometimes compromises the whole box. Perhaps you should think about WHY PCs had to have password protection to begin with, so long before Apple supported it on their hardware? Compensating for something, perhaps?

    Recent changes to Apple hardware such as Open Firmware are extensions to this simplicity. In the past, Macintosh systems had fixed ROMs where the system bootstrapping code and portions of the system software was stored. This was expensive (these were custom chips) and inefficient over time (OS upgrades would have to hack over the hard code in the chips, if it could). Old systems could not be modified to handle more advanced OS tasks after a point.

    Rather than go towards the use of the very inefficient and extremely complex BIOS format of the PC world, Apple chose OF, something that STILL didn't require users to go nuts when making hardware changes, and added similar BIOS functionality, including flashing. As an "old Mac user", you should know this, so that's why I doubt your sincerity, much less your knowledge base.

    Apple is simply responding to the current world's need for greater security, particularly with the increased potential for cracking Mac OS X (it's basically BSD, after all). Apple may want a Macintosh to be free and open, but it's just not that kind of world. Sure, password protection isn't necessarily innovative. But it's a positive step in an otherwise dull market where innovation is still an exception, not a rule.

    What you get out of your PC creations is your business. I make my PCs, too. They make great game boxes, but I doubt I'll make anything with it. With your kind of logic, Apple will never impress you. When you really need something that Apple's products solve for you, please buy it and enjoy it. Otherwise, I'm sure you can post to applesucks.com and not waste our bandwidth.

    Apple has provided quite a lot to the computer industry. I don't remember Microsoft or Torvalds discussing how digital video would be a neat thing to do. I don't remember Bill Gates discussing the merits of FireWire or USB before 1998. I've never found a computer as easy to open and install new components as a Power Mac tower (and I've used a lot of computers since 1977). I would love for other companies to have a quarter of vision like Apple (Sun is one of the few exceptions: Java was a marvelous concept), but it's not that world. Microsoft earns its "borg" nickname for a reason. And they control the PC hardware design by controlling the OS, which is a shame: PC hardware should've been free of interrupts and other stupid things that Macs and other advanced hardware like SGIs have never dealt with.

    Which is worse: Apple offering password protection at a time where it needed it and the OS fully supported it, or PC users being stuck with a bootstrapping process bound in an archaic resource management system that's so old that it makes my wristwatch seem advanced?

    IAAAST (I am an Apple Service Technician)

    --
    Vos teneo officium eram periculosus ut vos recipero is.
  16. Re:BIOS Password. Big deal. by Chasing+Amy · · Score: 2

    > Apple's original intent was to design the Macintosh for use as an appliance

    This is why I much prefer Woz's old philosophy. The Apple ]['s actually came with schematics. The Macs came with "tamper-resistant" cases. That says a lot to me about how little Apple respects tech-savvy users. They only want to build an appliance for the average user, closing it off to the point of not even making it well known that their OpenFirmware had this simple functionality which would be so useful for labs and other public Macs. (That is, if the below post about this functionality having been there for so long is accurate).

    As a user who actually knows what he's doing, I feel condescended to by Apple's behaviour constantly, which is why I remain a PC user. When I graduated college I couldn't afford a PowerMac, and very reluctantly bought a used 100MHz 486DX4 laptop. Practically burnt a hole in my leg when using it for extended periods, but it ran Windows 95 well enough and did everything the Macs did, but with less finesse and speed. By the time I could afford a new computer, I'd educated myself enough to realize that although I *much* preferred the MacOS, despite its cooperative multitasking at the time, I'd be able to build a PC from quality parts that would perform much better and be much more upgradeable. Today my PC is based around an Abit motherboard with onboard RAID; Abit not only lets users know what's in their BIOSes, it encourages tech-savvy users to change features and settings by providing a utility to change registers of a binary BIOS file before flashing to the new one. They don't hide features from me for years. I like having control over my hardware, not being condescended to about it, which is why this OpenFirmware feature being made available after so many years is so unimpressive. I love the MacOS, but I loathe the closed nature of the hardware.

    > it's a positive step in an otherwise dull market where innovation is still an exception, not a rule.

    Again, providing something in the Mac world which has been available on most PCs for many years, isn't innovation at all. I'm perfectly willing to award Apple the software innovation crown it richly deserves. But it doesn't deserve any credit for hardware and low-level logic innovation. In that regard it's still trailing behind x86 machines, since while Apple's logic is newer and cleaner, its functionality trails behind x86 counterparts. x86 users get the fastest and newest of almost every feature first, with quite a lag before Mac platforms get them. We get faster memory, faster and larger ATA device support for newer ATA standards, faster graphics accelerators, and the ability to interchange most of this technology with our older hardware. The few exceptions I can think of where Apple got the hardware first are areas where PCs very soon caught up, often with the mere purchase of a $40 card, like USB and Firewire. The SuperDrive (of course, to guys of my vintage that brings up memories of Apple's cool floppy drive that read both PC and Mac disks, but I digress) is the only clear victory I can give Apple for hardware innovation in a very long time, and even so I can now buy one OEM for my PC for $300.

    It all just underlines what I found odd about this little bit of functionality, present in "primitive" x86 BIOSes for many many years, making it to the Apple section of /. and the front pages of several Mac enthusiast websites. It's a very basic low-level functionality which every x86 enthusiast has had at his fingertips for years, despite the "primitive" nature of the hardware.

    > With your kind of logic, Apple will never impress you.

    Not with Steve's reality distortion field dictating everything at Apple, unfortunately. Look! It's a small cube! Buy it; it's innovative! Look! An LCD stuck onto the computer! Buy it! It's innovative! Look! We've integrated the power and DVI signals to produce an incompatible adapter so you can't use third-party displays without buying clunky adapters! It's innovative!

    Again, I like MacOS' simple, intuitive design. That would be why I have Basilisk II running OS 8 on my PC for playing old Mac games, and for a symbolic link to my loving relationship with MacOS. That's also why, if the PCI card (by one of the Mac accelerator card companies in conjunction with Microcode Solutions) which is still under wraps which will allow a real G3/G4 processor to be used in an emulation of older iMacs does become available, I'll buy it and gladly run OS X at about native speed on my x86 box. But OS X's beautiful design isn't worth the closed design and great expense of the hardware it currently runs on.

    > , I'm sure you can post to applesucks.com and not waste our bandwidth.

    It ain't your bandwidth, pal. This is the Apple section of /., not a Reality Distortion Field fanboy site.

    > Apple has provided quite a lot to the computer industry.

    Problem is, Apple never follows through. It starts something, and then sits on the pot while other companies do their business and make it better than Apple ever did. You mentioned video: this is why Apple has to pay big studios to release content in QuickTime, while that really crappy Windows Media quietly took over the world, and why RealPlayer, which by all rights should not exist, still does. And while Windows Media format really, really sucks, the actual Windows Media Player has become far superior to QuickTime in its support of so many formats, and in the very simplicity of its design. QuickTime has an ungainly interface which Jobs insists on for aesthetic rather than practical reasons, with functionality not present which has been in WMP since version 6.4, like remembering that I always want my videos to play double-sized or restarting as well as stopping when the screen is clicked in succession. I can't say whether these features are present in the Mac versions, but they are entirely lacking on the Win32 versions, including the beta of QuickTime 6.0. Apple starts a lot of things, and then never takes them to their fullest potential. It ties itself to closed and proprietary bits moreso than Microsoft does, since at least Microsoft doesn't exercise near-total control over the hardware.

    > I've never found a computer as easy to open and install new components as a Power Mac tower

    IBM's snap-open cases of the same vintage, if not a bit earlier, were just as nice if not moreso. Push in the sides, pull the cover up, instant access. Beautiful.

    > Microsoft earns its "borg" nickname for a reason.

    Yes, they do. I'm by no means a Microsoft fanatic. It's not the Microsoft OSes I love; it's the x86 hardware. Because, as much as I love MacOS (and believe it or not I do), I love having the added control and flexibility over my PC and my hardware and upgrade paths. Something as simple as a BIOS password wasn't even available to typical Mac users until recently. Not to mention the higher-level hardware, like my beloved ATI All-in-Wonder card with its sweet sweet Guide+ driven TiVo functionality, hardware DVD acceleration that puts a Mac's to shame (the picture is much better; I have compared), etc. ATI's own TV products for the Mac don't nearly offer the same functionalities and qualities.

    That's just an example, of course. It's the x86 hardware's openness I love, not Windows or x86 Linux. In contrast the Mac field of available hardware and software is...paltry. I really do hate to say that, since I do prefer the Mac OS. But its hardware just sucks.

    > And they control the PC hardware design by controlling the OS

    Not remotely true. PC hardware manufacture is wide-open, and writing drivers for Windows is something any company can freely do. Not just that, but Microsoft has even on rare occasion offered to write their own drivers into the OS for compatibility with older hardware that nonetheless has a large user base--Voodoo video cards, for example. Microsoft offered to write XP drivers since nVidia had purchased 3dfx and discontinued support for 3dfx cards; but nVidia refused to allow Microsoft to do so.

    At any rate, the hardware is wide-open, and unconstrained--unlike in the Mac world, where hardware makers often want to make their products available to all Mac users, and so cripple their devices in order to be compatible with the smaller Macs with little or no internal expansion. Hence expensive Firewire peripherals which could have been IDE devices at half the cost. Hence crippled devices like ATI's TV devices for the Mac, which haven't the same functionality since they're external and don't have the PCI bus' data rate.

    In other words, there are no hardware constraints in the PC world, other than what none of the dozens of motherboard manufacturers, drive manufacturers, etc., want to do. MS decides nothing, except for a few "XP Compatible" or other designations which are essentially meaningless since you can still install the hardware and drivers even if the drivers aren't approved.

    > PC hardware should've been free of interrupts and other stupid things that Macs and other advanced hardware
    > like SGIs have never dealt with.

    You have to blame IBM for that, not Microsoft, since IBM is responsible both for the basic PC design and the BIOS functionality. Aside from which, none of that matters except in very rare cases anymore, since ACPI compliance is the standard. Blaming PCs for IRQ conflicts is a bit passe, don't you think? That would be like me finding fault with the 16-bit bus which crippled many 68k Macs. It's true, but it doesn't matter anymore. All modern PC motherboards have ACPI, which typically eliminates all problems in recent OSes. A small number of users have complaints, but on the whole the issue is dead.

    > Which is worse: Apple offering password protection at a time where it needed it and the OS fully supported
    > it, or PC users being stuck with a bootstrapping process bound in an archaic resource management
    > system that's so old that it makes my wristwatch seem advanced?

    ACPI isn't archaic, it's a modern way to deal with low-level processes in such a way as to be compatible with the archaic. I find it very elegant in fact that I can run nearly any PC OS made in the last 20 years, and most PC software made in the last 20 years, and yet still outperform the highest-end Macintosh available on almost all applications and benchmarks. If your computer is so much better because of its "superior" clean hardware design, why does mine kick its ass? And to get back to the topic, why is yours only now getting features my platform has had for at least 6 years?

    Archaic or not, the PC platform has both near-total backwards compatibility, and the ability to eat G4 towers for breakfast. While I greatly prefer the interface of the Mac OS, it isn't worth the deficient hardware.

    --

    Chasing Amy
    (We all chase Amy...)
    "The more corrupt the state, the more numerous the laws"-Tacitus
  17. Re:BIOS Password. Big deal. by Lars+T. · · Score: 2

    Well, maybe Apple's solution just works better than the PC solution?

    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  18. Re:BIOS Password. Big deal. by zrodney · · Score: 0, Troll

    ha ha ha ha ha !!

    I think the last line is the best:
    "I am an apple service technician"

    so mr apple guy, why did solaris, ibm, hp,
    sgi, cray, and any other large system have
    console access boot passwords then?

    many of the older ones don't even have one
    mouse button like your apple, so it must be
    even better, right? less complicated.

    ha ha ha ha

    It's funny when the apple people believe their
    own made up history -- and think the mistakes
    were divine inspiration and good design.

    * no second mouse button? GREAT!
    * no boot password? FANTASTIC!
    * fruity colors and transparency?

  19. Re:BIOS Password. Big deal. by Chasing+Amy · · Score: 2

    The "common" BIOS passwords are gone from current PC motherboards. However, I'm sure it'll only be a few days before someone posts an easy way to get around the OpenFirmware passwords on Macs, too. Hackers have a way of doing that sort of thing. ;-)

    --

    Chasing Amy
    (We all chase Amy...)
    "The more corrupt the state, the more numerous the laws"-Tacitus
  20. Re:BIOS Password. Big deal. by Spencerian · · Score: 2

    Let's not go into name calling. I'm too old for that shit, and so, it appears, are you, if you laughed at the resurrected "SuperDrive" name.

    Your points are all valid, so we'll agree to disagree. And "fanboy" I ain't. I'm a computer person, not "Apple person." Like you, I have my choices, but I'm obligated to make good choices for my work, and many of them aren't Apple related. It's hard to determine from your comments which platform you would prefer if cost were not a factor.

    Steve runs the company. This can (and has) changed, but Apple was nearly killed from that change. The "magic", if I dare to use such a word, comes from Steve Jobs and his "screw you, I like it THIS way" sort of attitude. It's not for everybody. Today, it tends to move things forward where everyone else in the industry appears moribund. I don't think I'd like the guy personally if I met him--but I appreciate what he does for his company, and the products he creates keep me employed and a few less things to worry about than whether my SMART drive settings were on or if I put that last jumper on wrong.

    I don't buy the hype. I only have optimism because working dominantly with Apple, with all its highs and lows, requires it. But I recommend to users what they need, not what I like. Need to do video? An iMac or Power Mac. Need to write a letter and surf? A PC. Tight budget? PC. Hate fighting with a computer? Mac. It's not a complex formula, and I would be jobless if I were strictly an Apple proponent.

    Not everyone wants to get their hands dirty. If that toots your boat, great. Innovation is subjective firsthand. Few people debate that Apple was innovative when it introduced the Macintosh initially. I guess we can really judge that much, much later.

    Sounds like the traditional PC homebrew style is best for you. It's a fine choice. It's just not something that everyone can do, and I don't presume that they can build their own box. Hence my rant. We are in agreement on one thing: Woz is a genius and was the quintessential homebrewer.

    --
    Vos teneo officium eram periculosus ut vos recipero is.
  21. Java APIs... similar to something :) by Anonymous Coward · · Score: 0

    NeXT's 'Objective C' API base is _amazingly_ similar to Java's original APIs. Um, and pre-dates it substantially. The biggest complaints from the ObjectiveC crowd are always 'JVM sucks', 'garbage collection sucks', and the lack of categories (a sort of multiple inheritance) sucks. Nothing about the APIs... because _those_ are ridiculously similar.

  22. True... for the Original Macs. by Anonymous Coward · · Score: 0

    But... you can NOT say that the 2002 PowerMacs inhibit tinkering! For the iMacs, it's another story - granted. But I have yet to see a do-it-yourselfer case that approaches the PowerMacs in ease of modification. I think Apple should offer the PCI expansion chassis directly, but the way the case opens up without endangering any body-parts is very subtle... but VERY important.

  23. Lab use. by Anonymous Coward · · Score: 0
    In a 24 computer room, you can't see everyone booting off a hacked disk... but you CAN see anyone that picks the iMac up, turns it upside down, and starts toying with it. On the powermacs, the computers typically have cables... preventing access to the RAM (primarily to prevent RAM theft, not to provide data-security, but what the hay). So in a lab, it DOES provide additional and needed security.

    Plus, it is pretty easy to edit the OF to provide precisely the level of security you desire (assuming you HAVE the security password.)

  24. Fails, and also Fails. by Anonymous Coward · · Score: 0
    Um, the 'security password' can be set to prevent both of the scenarios you provided.

    The custom hard drive is easy, but the 'secured' computer won't allow you to change the boot volume - even if there is no other valid drive. It just fails to boot. (If you HAD access to the internal HD, you could just remove/replace the RAM though. - usually involves cutting a computer cable)

    Editing netboot settings is also not possible without physical access to the innards (read: cutting a cable).

    If you _have_ the security password, these are still pretty trivial things you could do - but if you don't have them, it's clearly a lot more work. Most lab situations lock the boxes already to prevent RAM theft, that it prevents/hinders people from munging up the default install is a bonus.

    1. Re:Fails, and also Fails. by guuyuk · · Score: 1

      I really wasn't thinking of bypassing existing security measures, I was thinking of this method as a way to secure the computer and/or data. Network bootable disk images would depend on the security of the server and the network. Physical access to the server is as bad or worse than the client workstation.

      So, if the system is set up to only boot off the network server or it is set to boot to a specifically named removable hard drive (not sure if you can do this with Target Disk Mode), then it should be a bit more secure. This, of course, precludes keyboard taps to capture passwords, etc.

      --
      We're sorry, the phone number you have reached is imaginary. Please rotate your phone 90 degrees and try your call again