Prevent Insecure Booting Of Your Mac
maxphunk writes "So you can boot anyone's Mac using a CD or (for newer machines) mount the hard drive using target disk mode. Therefore, your machine isn't secure, right? Stock, yes; otherwise, no. Apple has a neato utility described here that eliminates this problem and more, using Open Firmware Password Protection. I have installed it on my iBook (late 2001) and I am definitely pleased with the results." It requires Mac OS X 10.1 or greater, and prevents things like starting up in single user mode, verbose mode, resetting PRAM, and more.
No.
The hardware reset starts the machine reading at the beginning of its onboard ROM (or wherever the reset address is set to) and so it immediately starts executing code that wants the password.
The way around this is to grab the hard drive out of the machine, and put it in an external FireWire case, attach it to another machine that boots from its internal hard drive, and then you should be able to read all the data.
This password protection is basically a deterrent, but not ultimate security.
Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23
Fear not! According to the securemac site and the macosxlabs site, just do the following:
I'm not sure if just removing the PRAM battery will also reset the PRAM or not in this case.
Is this secure? Well, it depends on your situation. If you are in a lab situation and you don't want the students booting off CDs, ZIPs, external hard drives, etc., for their hax0rish needs, then this works OK. It's easy to spot someone opening up a computer and swapping out RAM, etc.
For your own machine? Probably more trouble than it's worth because it causes problems with firmware upgrades, etc. If someone has physical access to your machine, they can get the data off by using the above procedure or by the hard drive swapping someone else mentioned.
Bottom Line: If you have sensitive data on your machine, you should encrypt it even if you have OF password set. In general, if you let someone have physical access to a machine, assume they can get access to all the data on it.
<?php while ($self != "asleep") { $sheep_count++; } ?>
Oh I don't know.. if by "*real* bitch" you mean "gotta enter the OF password," then yeah I guess so.
Seriously, is it more than that? I wouldn't have thought so.
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
For the record, I'm an Apple Service Technician, so I'm not quite talking out of the side of my face.
Open Firmware protection has been around since the Blue & White G3 (maybe the original G3) but wasn't really endorsed by Apple until now. I think they really wanted to make a formal way to configure it. Before this, users had to boot into OF and enter some arcane commands.
Basically, all Macs made since late 1999 work with this, but original and Blue & White G3s as well as early iMacs (made in 1998 and 1999) don't qualify. That doesn't mean you can't attempt to use the OF password features available on these systems, just that you may not be able to use Apple's utility to configure it since the firmware versions don't match.
As someone already said, all bets are off when a hacker has physical access to the computer. But, combined with physical deterrents such as locks and proper security (rlogin off, password on screen saver, proper admin and user accounts, etc.), this really helps teachers and other sysadmins who need to keep kiddies or college kids from overriding the system's security and installing or copying stuff.
Apple hardware has really needed this for a long time, and I couldn't endorse it until Apple did since it's a CYA thing.
Vos teneo officium eram periculosus ut vos recipero is.
You're right--your message is a troll. See the hairy little bastard under the bridge? That's your comment.
Historically, Apple cared not to add password protection to their first Macs for the same reason that you don't expect someone to ask for your papers just to use your toaster. Apple's original intent was to design the Macintosh for use as an appliance--something that didn't require a science degree to use. Easy. Efficient. Simple. NOTHING on a Macintosh was meant to be complex. That is why we STILL have only one button on our boxed mouse. This is a fundamental difference in how Apple and other companies, particularly Microsoft, design their products. If you, the user, want complexity, you're free to do so, but Apple won't screw their product by adding something that many do not need or want, and sometimes compromises the whole box. Perhaps you should think about WHY PCs had to have password protection to begin with, so long before Apple supported it on their hardware? Compensating for something, perhaps?
Recent changes to Apple hardware such as Open Firmware are extensions to this simplicity. In the past, Macintosh systems had fixed ROMs where the system bootstrapping code and portions of the system software were stored. This was expensive (these were custom chips) and inefficient over time (OS upgrades would have to hack over the hard code in the chips, if it could). Old systems could not be modified to handle more advanced OS tasks after a point.
Rather than go towards the use of the very inefficient and extremely complex BIOS format of the PC world, Apple chose OF, something that STILL didn't require users to go nuts when making hardware changes, and added similar BIOS functionality, including flashing. As an "old Mac user", you should know this, so that's why I doubt your sincerity, much less your knowledge base.
Apple is simply responding to the current world's need for greater security, particularly with the increased potential for cracking Mac OS X (it's basically BSD, after all). Apple may want a Macintosh to be free and open, but it's just not that kind of world. Sure, password protection isn't necessarily innovative. But it's a positive step in an otherwise dull market where innovation is still an exception, not a rule.
What you get out of your PC creations is your business. I make my PCs, too. They make great game boxes, but I doubt I'll make anything with it. With your kind of logic, Apple will never impress you. When you really need something that Apple's products solve for you, please buy it and enjoy it. Otherwise, I'm sure you can post to applesucks.com and not waste our bandwidth.
Apple has provided quite a lot to the computer industry. I don't remember Microsoft or Torvalds discussing how digital video would be a neat thing to do. I don't remember Bill Gates discussing the merits of FireWire or USB before 1998. I've never found a computer as easy to open and install new components as a Power Mac tower (and I've used a lot of computers since 1977). I would love for other companies to have a quarter of vision like Apple (Sun is one of the few exceptions: Java was a marvelous concept), but it's not that world. Microsoft earns its "borg" nickname for a reason. And they control the PC hardware design by controlling the OS, which is a shame: PC hardware should've been free of interrupts and other stupid things that Macs and other advanced hardware like SGIs have never dealt with.
Which is worse: Apple offering password protection at a time where it needed it and the OS fully supported it, or PC users being stuck with a bootstrapping process bound in an archaic resource management system that's so old that it makes my wristwatch seem advanced?
IAAAST (I am an Apple Service Technician)
Vos teneo officium eram periculosus ut vos recipero is.