Slashdot Mirror
Prevent Insecure Booting Of Your Mac
maxphunk writes "So you can boot anyone's Mac using a CD or (for newer machines) mount the hard drive using target disk mode. Therefore, your machine isn't secure, right? Stock, yes; otherwise, no. Apple has a neato utility described here that eliminates this problem and more, using Open Firmware Password Protection. I have installed it on my iBook (late 2001) and I am definitely pleased with the results." It requires Mac OS X 10.1 or greater, and prevents things like starting up in single user mode, verbose mode, resetting PRAM, and more.
No.
,and then you should be able to read all the data.
The hardware reset starts the machine reading at the beginning of its onboard ROM (or wherever the reset address is set to) and so it immediately starts executing code that wants the password.
The way around this is to grab a the hard drive out of the machine, and put it in an external firewire case, attach it to another machine that boots from its internal hard drive
This password protection is basically a deterrant, but not ultimate security.
Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23
Fear not! According to the securemac site and the macosxlabs site, just do the following:
I'm not sure if just removing the PRAM battery will also reset the PRAM or not in this case.
Is this secure? Well, it depends on your situation. If you are in a lab situation and you don't want the students booting off CDs, ZIPs, external hard drives, etc., for their hax0rish needs, then this works OK. It's easy to spot someone opening up a computer and swapping out ram, etc.
For your own machine? Probably more trouble than it's worth because it causes problems with firmware upgrades, etc. If someone has physical access to your machine, they can get the data off by using the above procedure or by the hard drive swapping someone else mentioned.
Bottom Line: If you have sensitive data on your machine, you should encrypt it even if you have OF password set. In general, if you let someone have physical access to a machine, assume they can get access to all the data on it.
<?php while ($self != "asleep") { $sheep_count++; } ?>
Actually, it's a deterrent. If your lab is made up of new flatscreen iMacs, you'd have to prevent the base from being opened up. Four screws for the RAM access plate, then some torx screws inside that for the drives. PowerMac G4 computers and CRT iMacs are better protected because their access doors can be secured with a cable.
Bottom line, the Open Firmware password is a Maginot Line. It's great until someone realizes they can go around it. You'd better be ready to use other utilties or practices in conjunction with the password.
Enabling the OF password will disable all of the startup key sequences, including booting from a CD, ejecting removable media, and Firewire target disk mode. This can be very confusing if you set the password, forget that it is set, and then try to use FW target disk mode, or need to boot from a CD. For everything that it disables, it is not worth the very little bit of security that it adds.
-- Charles A. Plater
Physical security is always part of the secruity equation, so here's a somewhat ridiculous method, and one that can work well in a school environment.
1 68
Remove the internal hard drive, or ensure that there is no OS installed on it (data only), set up an external firewire drive with everything you need (OS, Apps, etc.), and set the system to boot from that drive. When you're done, take the hard drive with you.
Alternatively, you could also boot this same system off an OSX server volume (ala diskless Unix workstations) Apple demonstrated that capability with an early dsitro of OSX Server to 50 diskless iMacs a while back. Here's a reference: http://docs.info.apple.com/article.html?artnum=60
We're sorry, the phone number you have reached is imaginary. Please rotate your phone 90 degrees and try your call again