I just put my iBook in Target disk mode (as in hold T while booting, so that it appears as an external disk on my g5 via a firewire cable) and my G5 has root (well, unlimited) access to the iBook's hard disk! No passwords asked!

I could just take anyone's computer and attach with a firewire cable.. and bob's your uncle, access to anyone's files! What's going on?!

I just put my iBook in Target disk mode (as in hold T while booting, so that it appears as an external disk on my g5 via a firewire cable) and my G5 has root (well, unlimited) access to the iBook's hard disk! No passwords asked!

I could just take anyone's computer and attach with a firewire cable.. and bob's your uncle, access to anyone's files! What's going on?!If this is true then that's the biggest security hole I've ever read about in my life. Wow! You sure don't have to be l33t to do some damage there.

It is not possible, you are joking...
right

It sure is possible. Try it if you can!

I thought this was common knowledge.

Yes it is possible; but if someone has physical access to your machine and is able to do this, then you might as well let all security measures go out the window...
You can, however, enable Open Firmware password protection (http://docs.info.apple.com/article.html?artnum=106482) to stop people booting up in Target Disk Mode.

I thought this was common knowledge.

so did i :rolleyes:

You can, however, enable Open Firmware password protection (http://docs.info.apple.com/article.html?artnum=106482) to stop people booting up in Target Disk Mode.
Still not a good solution. I can break that password in about 2 minutes.

What about with File Vault? Technically, they shouldn't be able to access your home directory.

The use of encrypted disk images should be used, if the information is really sensitive. I have one called Confidential.dmg, which I store all my banking passwords, financial info, naked images of myself in compromising positions, etc. Let's also not forget my stash of hot donkey porn!

Here's to the Crazy Ones http://forums.macrumors.com/attachment.php?attachmentid=35452 (http://www.uriah.com/apple-qt/movies/think-different.mov)

This is what encrypted disk images (with or without the FileVault scheme) are for.

Seriously, Are you all kidding?
People are shocked that a computer system is not secure when you've got raw access to that computer's drive on another machine?

You can pull the drive out of any computer system and plug it into another computer system and get full access to that data. We pull NTFS drives all the time and copy user data to new computers or recover data onto other computers. We reset Windows 2K and XP passwords with recovery CDs by writing directly into the hive. I can boot OS X or any other Unix system into single user mode (Root) and have free run over the whole filesystem.

As soon as you give up physical access of your machine or a physical console on that machine you have absolutely no security unless you implement some sort of physical security barrier (like bio-metrics) or some sort of encryption like encrypted disk images or encrypted filesystems.

This isn't a shock. It isn't a huge security hole. This is just reality. Freaking out about whether or not your unencrypted drive is secure after someone steals your computer makes even less sense than expecting your home safe to be secure after someone steals the whole safe.

ffakr

Mac OS X on your iPod, bob's your uncle.

wow im amazed how people are shocked at this even with a windows machine you can crack it open by ripping out the hdd unless you use efs which macosx has as well, but i think at that point you would be more concered at that fact they have your laptop, but target disk mode it great i hear for when your mac crashes you can recover your files quick and easy

I knew about this but I still think being able to reset the password with an Installation CD is complete bull.

Complete bull in the sense that it's crap you can do it, not that it's not true. Sorry, it's a very slowww day today.

If anybody took my computer, I'd roundhouse kick them to the face:cool: .

Also, Bob's your uncle?

Well I didn't know about it, nor do I think it's right.

1) A PC cannot read Mac formatted drives natively so it's not as if PCs can rip out a mac drive and view the info.

2) I always thought permissions were set on the file in Unix, in fact I know they are as you can CHMOD them. However, permissions therefore on my iBook's drive should be to their user... who is not present on the Mac targeting the drive. Therefore a password should be requested.

3) The point is many of you here I'm sure have information you wouldn't particularly like your parents or lover to see ;). While you're in the shower, out to the shops, eating fish n chips.. all they have to do is press T on your mac! They then have Spotlight to find ANY information they please.

4) Open Firmware Passwords. Ok... fair enough. But how many of you have this enabled? And then how many of the newer mac users even know about it?

I suggest a computer should ask for your admin password in order to go into target disk mode.

Or.. you could just use filevault as someone else here suggested.

Target disk mode has nothing to do with os x. it comes "before" unix and osx.

I consider that a feature... I use it sometimes for transferring video projects from one machine to another... I guess "technically" it could be looked at as a security flaw, but it still requires physical access to your machine... I see the point, but for me it's not the type of security problem I'm concerned with...

The most effective form of computer security yet devised is a deadbolt lock on the door to the building. Once someone has physical access to your machine, it's all over (unless you store everything on an encrypted volume.)

If you make a habit of keeping embarrassing secrets from your lover/parents/children/roommate, encrypt them.

Or.. you could just use filevault as someone else here suggested.

Filevault requires a lot of hard drive space though.

Or.. you could just use filevault as someone else here suggested.

Target disk mode has nothing to do with os x. it comes "before" unix and osx.

encrpyting a disk image is so easy in OS X.
Just open up disk utility, follow a few steps (Sorry, Don't know them.. I'm not at my PB) and Bam! encrypted disk image.

isn't that where everyone keeps their banking passwords, financial info, and naked images of themselves in compromising positions?
Lacero, you're my hero!

Still not a good solution. I can break that password in about 2 minutes.

How's that?

How's that?
Open it up, add or remove some RAM, zap the PRAM and you're in. Here's (http://www.computerworld.com/printthis/2005/0,4814,103889,00.html) a nice little article on the deal.

Open it up, add or remove some RAM, zap the PRAM and you're in. Here's (http://www.computerworld.com/printthis/2005/0,4814,103889,00.html) a nice little article on the deal.

Very cool. Thanks...

The only way to be really secure is using an encrypted disk image for sensitive data. It's time that Apple let's File Vault only encrypt wanted folders and not the entire home folder... who wants their music library encrypted anyway?

Still not a good solution. I can break that password in about 2 minutes.
How's that?Open it up, add or remove some RAM, zap the PRAM and you're in. Here's (http://www.computerworld.com/printthis/2005/0,4814,103889,00.html) a nice little article on the deal.


Overly simple huh? I guess you could physically lock the computer shut with a pad lock in most cases. But that wouldn't be too hard to break either.

The only way to be really secure is using an encrypted disk image for sensitive data. It's time that Apple let's File Vault only encrypt wanted folders and not the entire home folder... who wants their music library encrypted anyway?
PGP is much better and does exactly what you want. It does a lot more too.

I have to agree with folks who are saying once somebody has physical access to your machine, you can forget about security. If you want to increase your protection, encrypt your sensitive data (and choose a good passwod). Still, if somebody has access to your machine and lots of time, they may still crack this.

Target Disk mode is a wonderful feature in my opinion, allowing one to trouble shoot a Mac and recover data in case things go wonky. It has also been advertised many times by Apple. I fear lots of people have similar misconceptions, thinking that their data is safe when it is in fact not. I work for a web design firm and you wouldn't believe how many clients want full orders from their websites with credit full card info emailed to them (we refuse, keeping part of the credit card number on a secure server which they have to log into).

I really wish folks would be required to take a little short computer basics class before buying a computer. Think of all the computer data theft, identity theft, and spam (through zombied computers) which could be avoided. You have to get a license before driving, you should be at least minimally qualified to use a computer since it can easily ruin yours or someone else's life (well, your credit history, job, etc...) if not used properly.

~ Mr.T

If you want to increase your protection, encrypt your sensitive data (and choose a good passwod). Still, if somebody has access to your machine and lots of time, they may still crack this.
Not true (unless by "lots of time", you mean billions of years). If you use a very secure algorithm and a very secure password, your files are pretty much impossible to crack. Even with some of the fastest supercomputers, it is estimated to take billions of years on average to crack something like RSA. Quantum computers may change this, but they are still years away from any practical use.

Still not a good solution. I can break that password in about 2 minutes.

All you have to do is change the amount of RAM in the Mac to disable that OF password thingy. Uhm, ooops.

Well, there is a padlock device on the latch on the tower Power Macs, at least. I used to use a big Masterlock padlock on my G4. Even the newest G5s still have this capability.

Basically anyone with physical access to a computer can get in so this is a moot point really.

Even those tiny personal safes are not secure, a thief can just pick em up and take em home to take as much time as they want to get into it. No different with a Mac.

All you have to do is change the amount of RAM in the Mac to disable that OF password thingy. Uhm, ooops.

Well, there is a padlock device on the latch on the tower Power Macs, at least. I used to use a big Masterlock padlock on my G4. Even the newest G5s still have this capability.

Basically anyone with physical access to a computer can get in so this is a moot point really.

Even those tiny personal safes are not secure, a thief can just pick em up and take em home to take as much time as they want to get into it. No different with a Mac.Um...Everything you just said was already discussed...

PGP is much better and does exactly what you want. It does a lot more too.

PGP?

Ok sure, if somebody has physical access to your machine, then yes your security is compromised. BUT, short of ripping out the hard drive on a windows machine, you can't steal the data off of the disc all that easily. With a Mac that you want to steal data off of, just boot up holding T while connected to your laptop, then steal all of their files. Awesome.

Target Disk Mode makes it all too easy to get into the system and steal data. I don't care if having physical access to the machine makes it easy for someone to physically steal your Hard Drive, it shouldn't be this easy to steal data. Basically, I can walk in with my laptop, hook up to your PowerMac, hold the T key down during boot, steal everything that's not encrypted, turn your machine back off, and you have no idea that I did it.

At least with Windows, to achieve the same data mining, you have to at least physically take the hard drive out. There is no Target Disk Mode to exploit so easily.

PGP?
PGP - Pretty Good Privacy (http://en.wikipedia.org/wiki/Pretty_Good_Privacy). It was one of the first of one-way encrypting programs. All other programs have copied this idea. It costs some money, but it is well worth it.

Features:
Encrypt and/or Sign entire Disk
Encrypt and/or Sign Folder or file
Encrypt and/or Sign Mail
And much, much more.

Sorry to sound like an advertisement, but I love this program for all my security needs. It is worth every penny.


There is a free version GPG - GNU Privacy Guard (http://macgpg.sourceforge.net/), but I don't find it nearly as nice.

This is a perfect example of why you should use strong file encryption on your home directory (file vault) so that your data is safe. Besides the fact that it makes your home folder icon look sweet.

http://images.apple.com/macosx/features/filevault/images/indextop20050412.jpg

Basically, I can walk in with my laptop, hook up to your PowerMac, hold the T key down during boot, steal everything that's not encrypted, turn your machine back off, and you have no idea that I did it.

Well, not with my PowerMac. Cuz in order to do that you'd need to shutdown my machine first. I always leaving it running, so that it's folding if it's not doing anything else. And in order to shut it down, you'd first need to get past the password-protected screen saver.

Well, not with my PowerMac. Cuz in order to do that you'd need to shutdown my machine first. I always leaving it running, so that it's folding if it's not doing anything else. And in order to shut it down, you'd first need to get past the password-protected screen saver.Or yank the power cord out of the wall. Whichever is easier. :p

Well, not with my PowerMac. Cuz in order to do that you'd need to shutdown my machine first. I always leaving it running, so that it's folding if it's not doing anything else. And in order to shut it down, you'd first need to get past the password-protected screen saver.

Like I can't get around that:

http://www.hochien.com/NEMA_5-15P.gif

Like I can't get around that:

http://www.hochien.com/NEMA_5-15P.gifLOL your response was so much funnier. Pictures are priceless. ;)

Or yank the power cord out of the wall. Whichever is easier. :p

Well, you got me there. :mad: :p

LOL your response was so much funnier. Pictures are priceless. ;)
Yeah...but you beat me to the punch. I was a little too slow browsing google images. :p

Well, you got me there. :mad: :pYeah. I agree with everyone on this thread that says if somebody has physical access to your machine, then you're hosed. BUT, I still consider Target Disk mode to be a HUGE security hole. I'm sure that all of the fanbois would agree with me if this was a Windows "feature". LOL :p

Remember to encrypt your files. Sure you'll take a small preformance hit, but your data will be safe as a kitten, assuming you pick a decent password that nobody could easily guess, and is aplaha-numeric, with different cases. Strong encryption is only as good as your password.

This is a perfect example of why you should use strong file encryption on your home directory (file vault) so that your data is safe. Besides the fact that it makes your home folder icon look sweet.

http://images.apple.com/macosx/features/filevault/images/indextop20050412.jpg

But as I said before... who needs their music library encrypted...? It needs to be selective.

Well I didn't know about it, nor do I think it's right.

1) A PC cannot read Mac formatted drives natively so it's not as if PCs can rip out a mac drive and view the info.


Unless the PC is running linux (from the pc hard drive or from a knoppix CD), or unless you buy a HFS+ driver for windows (eg MacOpener, MacDrive) for about $40.


2) I always thought permissions were set on the file in Unix, in fact I know they are as you can CHMOD them. However, permissions therefore on my iBook's drive should be to their user... who is not present on the Mac targeting the drive. Therefore a password should be requested.


Permissions are stored on the disk based on the numeric user id. This means that if the drive stores user "fred" as UID 501 and the drive is connected to a machine that also has a user with UID 501, say "jane" then the files will appear to be owned by "jane" on the second computer. Since the permissions are stored on the filesystem based on the UID, the question is whether a UID of 501 exists. If it does not then the files will be "owned" by "unknown". In either case access permissions for user group and other will be observed.

By default OS X mounts external drives using an option to igore the owner of the files. What you are forgetting is that if the user has root or admin access then they can access any file on the system, bypassing the standard filesystem permissions.


3) The point is many of you here I'm sure have information you wouldn't particularly like your parents or lover to see ;). While you're in the shower, out to the shops, eating fish n chips.. all they have to do is press T on your mac! They then have Spotlight to find ANY information they please.


This is not a security issue. This is a privacy issue. There are other mechanisms to address the privacy issue. Specifically file encryption (using openssl, PGP, etc) or file system encryption (eg FileVault).


4) Open Firmware Passwords. Ok... fair enough. But how many of you have this enabled? And then how many of the newer mac users even know about it?

I suggest a computer should ask for your admin password in order to go into target disk mode.

So, the computer should just magically protect people? The admin password is just a chunk of data on the hard drive as far as the hardware is concerned. There is nothing special about it. And what do you want to happen when the sector on your harddrive storing your admin password goes bad? Should an unfortunate bad sector make it impossible for you to access your data, even if you do not need the level of privacy protection that you suggest?

The closest viable technical solution to the hardware controls you are suggesting is restricting target firewire mode in the open firmware.

In responce to the target disk mode it is true that is SOP at the helpdesk that i work at. also using safemode getsaround the passwords about 50% of the time soafemode is ctrl + V

But as I said before... who needs their music library encrypted...? It needs to be selective.
One way to get around this is to move the music library into a different folding, currently i have mine in the shared folder.:)

PGP - Pretty Good Privacy (http://en.wikipedia.org/wiki/Pretty_Good_Privacy). It was one of the first of one-way encrypting programs. All other programs have copied this idea. It costs some money, but it is well worth it.

Features:
Encrypt and/or Sign entire Disk
Encrypt and/or Sign Folder or file
Encrypt and/or Sign Mail
And much, much more.

Sorry to sound like an advertisement, but I love this program for all my security needs. It is worth every penny.


There is a free version GPG - GNU Privacy Guard (http://macgpg.sourceforge.net/), but I don't find it nearly as nice.

Thanks for the info. Do you have a link to the other app?

But as I said before... who needs their music library encrypted...? It needs to be selective.Well sure, but if it's selective, then people with many files could be a big hassle to encrypt them. i.e. Did I encrypt this file? etc. If you just encrypt your whole home directory/partition then you don't ever have to worry about it. True that a lot of things will be unnecessarily encrypted (misic, videos, etc.) but I think it's a small price to pay for not having to worry about it.

One way to get around this is to move the music library into a different folding, currently i have mine in the shared folder.:)

Yeah I know this would be possible but I like everything neat and organized. :D

One way to get around this is to move the music library into a different folding, currently i have mine in the shared folder.:)I made a user called RIAA and put my music library there... yeah it's shared :p

Thanks for the info. Do you have a link to the other app?
http://www.pgp.com/

Unless the PC is running linux (from the pc hard drive or from a knoppix CD), or unless you buy a HFS+ driver for windows (eg MacOpener, MacDrive) for about $40.



Permissions are stored on the disk based on the numeric user id. This means that if the drive stores user "fred" as UID 501 and the drive is connected to a machine that also has a user with UID 501, say "jane" then the files will appear to be owned by "jane" on the second computer. Since the permissions are stored on the filesystem based on the UID, the question is whether a UID of 501 exists. If it does not then the files will be "owned" by "unknown". In either case access permissions for user group and other will be observed.

By default OS X mounts external drives using an option to igore the owner of the files. What you are forgetting is that if the user has root or admin access then they can access any file on the system, bypassing the standard filesystem permissions.



This is not a security issue. This is a privacy issue. There are other mechanisms to address the privacy issue. Specifically file encryption (using openssl, PGP, etc) or file system encryption (eg FileVault).



So, the computer should just magically protect people? The admin password is just a chunk of data on the hard drive as far as the hardware is concerned. There is nothing special about it. And what do you want to happen when the sector on your harddrive storing your admin password goes bad? Should an unfortunate bad sector make it impossible for you to access your data, even if you do not need the level of privacy protection that you suggest?

The closest viable technical solution to the hardware controls you are suggesting is restricting target firewire mode in the open firmware.

now if i read this right and i have a mac that i need information off of. i could just get another Harddrive and buy an enclosure and i would have bypassed all of the above. However time consuming and costly. right?

Well sure, but if it's selective, then people with many files could be a big hassle to encrypt them. i.e. Did I encrypt this file? etc. If you just encrypt your whole home directory/partition then you don't ever have to worry about it. True that a lot of things will be unnecessarily encrypted (misic, videos, etc.) but I think it's a small price to pay for not having to worry about it.

Just making it able to select folders would be nice.

Does anyone have any experiences on the slowdown using File Vault? And are there any other disadvantages?

http://www.pgp.com/

Thank you. :)

I just figured another thing... File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?

Not true (unless by "lots of time", you mean billions of years). If you use a very secure algorithm and a very secure password, your files are pretty much impossible to crack. Even with some of the fastest supercomputers, it is estimated to take billions of years on average to crack something like RSA. Quantum computers may change this, but they are still years away from any practical use.

Um... that's why I said "may" and not "will".

Hmmmm, now that I think about it... anyone who can get physical access to a computer at least two times can install a keystroke logger (a few exist for the Mac, at least one or two are transparent unless you open up Activity Monitor and notice a process running you don't recognize) which will then give them that very secure password for any very secure algorithm.

I guess it all comes down to what level of security makes you comfortable.

If you don't want random stupid security holes making it possible for your computer to be zombified by visiting a webpage (or buying a Sony music CD), buy a Mac and toss your PC.

If you are bugged by the Mac's Target Disk mode, encrypt sensitive data with a good password.

If you are worried about somebody keystroking your password, type out a long string of numbers and letters and then copy individual letters out of the string, pasting them into the password field until it makes up your password (that should confuse anyone looking at a record of your keystrokes).

If you are super paranoid, do the above and also keep your computer in some secure location, offline, with motion sensors, video cameras, dogs, etc...

If you are more paranoid than that, then it doesn't matter what you do to your computer because the government is already scanning your thoughts with their satellites.

~ Mr.T

Just making it able to select folders would be nice.

Does anyone have any experiences on the slowdown using File Vault? And are there any other disadvantages?Yes, if they made it so that you could pick certain folders within your home directory to encrypt, then that would probably be ideal. I use File Vault, and there is a slight performance hit depending on what you're doing (searching for many files, working with large files, etc.). I don't believe that there are any other disadvantages to using it. Although, it can take a long time to encrypt your home directory initially, depending on how many files you have in there before you start using File Vault. But once that's done, everything is on the fly. IMO the performance hit is negligible, and worth the added security.

Yes, if they made it so that you could pick certain folders within your home directory to encrypt, then that would probably be ideal. I use File Vault, and there is a slight performance hit depending on what you're doing (searching for many files, working with large files, etc.). I don't believe that there are any other disadvantages to using it. Although, if you have a large hard drive, it can take a long time to encrypt your home directory initially, depending on how many files you have in there before you start using File Vault. But once that's done, everything is on the fly. IMO the performance hit is negligible, and worth the added security.

Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?

so much for my naked photos in compromising positions.

Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?Can you reset the master password without knowing it first? I don't think you can. If you can then yes, File Vault is completely useless. It would just be stupid of Apple to allow this to be true, and it's the first I've heard of it. I find it hard to believe that you could do this.

Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?

Master Password (does not equal) Admin Password.

How do you do a does not equal sign?

Master Password (does not equal) Admin Password.

How do you do a does not equal sign? != will suffice

or ≠

!= will suffice
But I don't know how many people know programming. I was looking for the symbol from this page. It is much more standard.

I thought this was common knowledge.
:rolleyes: :rolleyes: :rolleyes:


yes all of humanity knows about this. your right, once again.

But I don't know how many people know programming. I was looking for the symbol from this page. It is much more standard.I think the html code for not equals (the symbol) is ≠ and I got it on my Windows box at work with Alt + 2260 (Arial Font)

But as I said before... who needs their music library encrypted...? It needs to be selective.That's why you move the iTunes Music folder (http://docs.info.apple.com/article.html?artnum=301748) out of your home folder before enabeling FileVault... :)

Edit: Way too slow :o, but I hope the link was helpful. That way you can still let iTunes take care of all the organizing for you... ;)

Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?Can anybody confirm or deny Diatribe's claim here? Can you reset the master password without knowing it first? That would be insane if it were true.

Can anybody confirm or deny Diatribe's claim here? Can you reset the master password without knowing it first? That would be insane if it were true.
You cannot reset the Master Password. You can reset the Admin Password.
And as I said before:Master Password (does not equal) Admin Password.

You cannot reset the Master Password. You can reset the Admin Password.
And as I said before:Wow. I got so distracted with the not equals thing that I ignored the content of your post. LOL sorry. :p

Can anybody confirm or deny Diatribe's claim here? Can you reset the master password without knowing it first? That would be insane if it were true.No, he's not right. Like grapes said earlier (and again while I was rummaging through Apple Support ;)) the master password is not tha same at the admin password.

When you turn on FileVault, you also set up a master password for the computer that you or an administrator can use if you forget your regular login password.

WARNING: If you turn on FileVault and then forget both your login password and your master password, you will not be able to log in to your account and your data will be lost forever. from About FileVault (http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1877.html).

I don't really see what the big deal is here..

The difference between me nabbing your PC data and your Mac data is about 5 minutes if I come prepared.

If I planned on stealing your data, you better be sure I'd bring tools and an external FW enclosure. Pop open your PC, pop out your disk, pop it into the enclosure, plug it into my laptop, steal you blind, reverse process, rinse, repeat.

I find target mode to be very helpful.

Ok here's the thing. I'm probably way off topic at this point, but anyway...

If you don't want to use FileVault for any of the performance issues or you only want to encrypt file X, then it's very simple to do as long as you're not affraid to use the Terminal. (You shouldn't be! UNIX is your friend!)

You can use OpenSSL (should be shipped with your Mac OS X) to encrypt your files with strong ciphers. Umm a small warning here, you will not have a "safety net" of a master password here. You can type $ openssl enc -e -a -salt -aes-256-cbc -in examplefile.jpg -out examplefile.aes
enter aes-256-cbc encryption password:
Verifying password - enter aes-256-cbc encryption password:

Then you type your password to use, and that's it. This will encrypt a file using Advanced Encryption Standard (AES) 256-bit. It will literally take a billion years to crack that password with brute force.

To decrypt the file (you better know your password)
$ openssl enc -d -a -aes-256-cbc -in examplefile.aes -out examplefile.jpg
enter aes-256-cbc decryption password:Enter your password and you're all set. Now you're l337... ok not really, but you have some serious encryption on those important files. It's just not practical to use this method on files that you touch every day, since the same steps must be repeated every time you want to open these files etc.

Thanks to all that replied. Good to know that it is secure.

That's why you move the iTunes Music folder (http://docs.info.apple.com/article.html?artnum=301748) out of your home folder before enabeling FileVault... :)

Edit: Way too slow :o, but I hope the link was helpful. That way you can still let iTunes take care of all the organizing for you... ;)

Yeah I might think about turning it on, leaving out the music folder. Now where to put it? :cool:

One way to get around this is to move the music library into a different folding, currently i have mine in the shared folder.:)
One problem with that - if you use iTunes, you load them up, iTunes will copy them into your home directory. Then let's say your wife wants to do the same in her account, you then have three copies of the same songs on your machine. Awful if you have a large ammount of songs. Then you kid/s decides to load them into iTunes on their account!!! :(

Windows will make a playlist from anywhere on your computer, Mac OS X has to copy them to your home directory. It can suck monkeyballs at times.


I have made my root account secure using File Vault. If their is anything sensitive I drop it into roots 'drop box', and disable roots account until I need that data again.

There are a few apps for making files/folders secure using 256, 512 or 1024 bit encryption for UNIX. I have seen them around but cannot remember their names?

One problem with that - if you use iTunes, you load them up, iTunes will copy them into your home directory . . .
Then turn that preference off.

Open iTunes
iTunes -->Preferences -->Advanced
Uncheck "Copy files to iTunes Music folder when adding to library"

Things will now stay where you put them.

While you're in there, you can also change your iTunes Music folder location. I put it somewhere where all user can access it. I change this for every user account and make them all the same place.

Then turn that preference off.

Open iTunes
iTunes -->Preferences -->Advanced
Uncheck "Copy files to iTunes Music folder when adding to library"

Things will now stay where you put them.

While you're in there, you can also change your iTunes Music folder location. I put it somewhere where all user can access it. I change this for every user account and make them all the same place.
Thanx. :o :o


Talking of copies though, is their an easy way to remove duplicate files? Half of my collection has become duplicated, I have over 11,000 songs in my library.. long painful task doing it all. It's not just a link, but duplicated the files on the file system. :S

Thanx. :o :o
No problem. OS X does it all, you just have to know where to look. :cool:


Talking of copies though, is their an easy way to remove duplicate files? Half of my collection has become duplicated, I have over 11,000 songs in my library.. long painful task doing it all.
Edit --> Show duplicate songs.

Thanx again.

Yeah I might think about turning it on, leaving out the music folder. Now where to put it? :cool:

I like the idea of a selective Filevault. That'd be a pretty nice feature.

One problem with that - if you use iTunes, you load them up, iTunes will copy them into your home directory.
OR what i do is just make a alias so you lose no functionality at all!:eek: So make an alias of the music folder once you got it where you want it, then make a alias, name it iTunes, put it in our music home folder and, bang! There you go it works like a charm!:D

I knew about this but I still think being able to reset the password with an Installation CD is complete bull.

Complete bull in the sense that it's crap you can do it, not that it's not true. Sorry, it's a very slowww day today.

Good point. It is pretty stupid, but if you ever got stuck and forgot your password I'm sure you'd be grateful.

The Target Disk Mode is just the same as swapping hard drives

If people want to get on your machine, they will... especially if they have physical access. If it is just over a network or the web, Macs have more protection than PC's in that area. In the physical sense, all computers are at the same risk.

File Vault is not secure b/c the master key password is kept in /Library/Keychains/FileVaultMaster.keychain; this portion of the disk is not encrypted, only the home folders of the enabled accounts. If you delete this, it resets the password. You then need to log into each user account and change the password but we all know you can reset each user accounts passwords from the startup disc.

File Vault is not secure b/c the master key password is kept in /Library/Keychains/FileVaultMaster.keychain; this portion of the disk is not encrypted, only the home folders of the enabled accounts. If you delete this, it resets the password. You then need to log into each user account and change the password but we all know you can reset each user accounts passwords from the startup disc.Have you actually tried doing this? Sounds too easy, but then again you might just have found a hole in Apple security. That could give you 15 minutes... :)

The only thing is that I thought the (original) FileVault Master key password was used when encrypting the sparseimage (ie. FileVault), so even if you delete the keychain, you would still have to set the new pasword to the same as the original to be able to open the sparseimage. But then again I could be very wrong...

Have you actually tried doing this? Sounds too easy, but then again you might just have found a hole in Apple security. That could give you 15 minutes... :)

The only thing is that I thought the (original) FileVault Master key password was used when encrypting the sparseimage (ie. FileVault), so even if you delete the keychain, you would still have to set the new pasword to the same as the original to be able to open the sparseimage. But then again I could be very wrong...

Now that would all be a good question. Anyone care to try? :D

now if i read this right and i have a mac that i need information off of. i could just get another Harddrive and buy an enclosure and i would have bypassed all of the above. However time consuming and costly. right?

Time consuming/costly to the point of maybe US$60 and an hour of time. (A little more if they need to open up your laptop and want to reassemble it to hide the evidence.)

Like I said in my previous post, if you want to encrypt your files beyond a reasonable doubt then use OpenSSL to do it with strong encryption AES 256...

I think I need a class on the whole keychains, encryption,file transfer protocol, disk ethics thing. Anyone know where I can learn this stuff? It sounds like this is the best time to obtain and start using this knowledge... me thinks (YAARRRR!!)

Like I said in my previous post, if you want to encrypt your files beyond a reasonable doubt then use OpenSSL to do it with strong encryption AES 256...

Beyond reasonable doubt.... for the next 6-12 months. :)

Beyond reasonable doubt.... for the next 6-12 months. :)
Why do you say that.

Well, if you're that worried about data security, get scared of van Eck Phreaking. :D

http://en.wikipedia.org/wiki/Van_Eck_Phreaking
http://web.archive.org/web/20000830130750/www.shmoo.com/tempest/emr.pdf


You can play with this if you have a PC and a CRT:
http://www.erikyyy.de/tempest/

Or maybe you can find an old copy of Tinfoilhat:
http://en.wikipedia.org/wiki/Tinfoil_Hat_Linux

Why do you say that.

Because encryption is not perfect. As computing power increases and better analysis techniques are developed it becomes possible to crack encryption either through brute force or better analysis techniques.

When the DES encryption standard was published (admittedly in 1977) it was considered secure using a key size of 56 bits. It was reaffirmed as being secure in 1993, and a modified application of DES was reaffirmed as secure in 1999. As of 2004 with increased computing power and better cryptoanalysis techniques have shown that DES can be cracked using custom publically described hardware in around 2 days.

There are also theoretical concerns about the AES algorithm, specifically some of the mathematical struture of the cypher.

An encryption algorthm will eventually be cracked. Unless it is a truely randome one-time pad. The question whenever you store data is "how much is the data worth to someone?". If the cost of cracking the encryption is higher than the worth of the data then the data is "safe". However, next month the cost of cracking the encryption will probably be less than it is today since hardware continues to decrease in cost and techniques for cracking encryption algorithms continues to improve. Therefore, if you really want to secure the data then you need to keep updating the method of encryption you use. And you still can never be totally certain that someone will not find a cryptoanalysis approach tomorrow that will crack the encryption for minimal cost.

The corollary of this is that if the data is truely sensitive then it should never be stored on a computer. If the data is stored on a computer, then that machine should have no network connections and physical access must be restricted. But expert wisdom is that the act of storing data on a computer dramatically reduces the security of the data simply due to the ability to make identical copies of the encrypted data without evidence of the copy being made.

Because encryption is not perfect. As computing power increases and better analysis techniques are developed it becomes possible to crack encryption either through brute force or better analysis techniques.

Well, as I said before, a 2048 RSA takes a billion years on average to crack with current technology. We just keep using larger keys, until quantum computers become a reality, which is still years away from becoming practicle. I'm going to assume you were making a joke with that 6-12 month thing.

Well, as I said before, a 2048 RSA takes a billion years on average to crack with current technology. We just keep using larger keys, until quantum computers become a reality, which is still years away from becoming practicle. I'm going to assume you were making a joke with that 6-12 month thing.

Yes, I was being a little facetious. But the hidden point was that when DES was released it was estimated as taking X years to crack using what was then "current technology". Where X was a very large number which was commonly described as longer than it will take for the Sun to burn out. (I've googled but have not been able to turn up a numeric estimate of the brute force search time using 1977 technology.)

In practice it turned out that X ~= 22 years. We may wind up with a similar value of X for 2048 bit RSA and 256 bit AES since we don't know what impact technology improvements will have on current encryption standards.

Yes, I was being a little facetious. But the hidden point was that when DES was released it was estimated as taking X years to crack using what was then "current technology". Where X was a very large number which was commonly described as longer than it will take for the Sun to burn out. (I've googled but have not been able to turn up a numeric estimate of the brute force search time using 1977 technology.)

In practice it turned out that X ~= 22 years. We may wind up with a similar value of X for 2048 bit RSA and 256 bit AES since we don't know what impact technology improvements will have on current encryption standards.Well that's true, but I think as we increase the bit strength 32, 64, 128, 256, etc. that the time it takes to decrypt via brute force gets exponentially larger, even with advances in computer hardware, we're still talking in the thousands of years. You're saying that with our current technology, we could break an encryption cipher from 1977 in 22 years? Or that if you started in 1977 with the same tech, that it would take only 22 years? Either way, that is more then enough time to keep your data safe. Even with the strongest supercomputers in the world working on it with distributed computing, it would take a long long time to crack.

At least with Windows, to achieve the same data mining, you have to at least physically take the hard drive out. There is no Target Disk Mode to exploit so easily.

Actually... on a Windows machine, you'd just have to boot up from a Knoppix CD and copy whatever you like onto a USB drive. I do it all the time to recover data from PCs whose Windows installations have gotten corrupted.

Actually... on a Windows machine, you'd just have to boot up from a Knoppix CD and copy whatever you like onto a USB drive. I do it all the time to recover data from PCs whose Windows installations have gotten corrupted.Ok so I stand corrected. At least there is no target disc mode that you can use to just dump your hard disc to somebody else's computer. Like was mentioned eariler, anybody that has physical access to the machine is going to be able to get information off of it, it's just a matter of how easily it will be done. Target Disk mode is handing you the hard drive on a silver platter, a major security risk IMO. The bottom line is you gotta encrypt files that you don't want people to get access to. Because like you said, if somebody wants your data bad enough, they'll get it. If you encrypted your files the right way though, hell will freeze over before they actually can use the data.

You're saying that with our current technology, we could break an encryption cipher from 1977 in 22 years? Or that if you started in 1977 with the same tech, that it would take only 22 years?

No, that with current technology DES can be cracked in around 2 days. DES is an encryption standard that was first published in 1977 and recertified by the US Department of Defense as secure a couple of times, most recently in 1994 I think. So, in 1977 it was estimated to take some very long time to crack using 1977 technoloy. In 1999 it was cracked in 49 days using 1999 technology. Therefore with the advance in technology, the time it took to crack DES was 22 years (to wait for the 1999 technology) + 49 days (to actaully crack the cypher).

Today, in 2006, DES can be cracked in around 2 days using current technology.

Either way, that is more then enough time to keep your data safe. Even with the strongest supercomputers in the world working on it with distributed computing, it would take a long long time to crack.

Yes. My original point was only that periodically encrypted data needs to be migrated from the old encryption standard to whatever is the current encryption standard.

A similar thing happened with WiFi encryption... WEP was released and believed to be secure, a couple of years later better analysis techniques have shown how to crack WEP in under an hour. WEP is now generally seen as a minor barrier to data access and if you want a secure network you need to use WPA or LEAP.

We have no guarantees that a "secure" encryption standard today will not be found to be easy to crack next year. Therefore, if you rely on encryption to secure your data you need to periodically check whether the encryption standard is still secure and migrate your data to a secure standard if necessary.

We have no guarantees that a "secure" encryption standard today will not be found to be easy to crack next year. Therefore, if you rely on encryption to secure your data you need to periodically check whether the encryption standard is still secure and migrate your data to a secure standard if necessary.

So, assuming that AES takes about as long to become obsolete as DES did, I should plan on switching my AES-encrypted disk images over to some new standard around when Steve Jobs releases OS XIII? ;)

(Yes, in all seriousness I do understand that AES may end up becoming vulnerable sooner than that. But unless AES has some hidden weakness that dramatically reduces the amount of computing required to crack a given file, this seems kind of academic. After all, we'll probably all have ended up shifting to AES' successor anyways, in order to maintain easy access to our data with up-to-date tools, by the time AES becomes as weak as DES is today.)

You can play with this if you have a PC and a CRT:
http://www.erikyyy.de/tempest/


Could you get this working on a emac? I tried to ./config it runs and then says it needs the sdl i found a os x version of libsdl and a linux version, does anyone know how to install them?

Now that would all be a good question. Anyone care to try? :D I did accidently. Doesn't work. It's the same as changing the password hash on Windows EFS - still doesn't open.

Target Disk mode is handing you the hard drive on a silver platter, a major security risk IMO. I would actually say that LiveCD and a portable HDD is easier than FWTDM. It's almost as fast (depends if you use drag/drop or just dd), and a lot easier to carry around (even a 12" PowerBook is bulkier and heavier than external HDD and a CD. If you really dislike it that much, then turn on the Open Firmware Password (on the DVD for Tiger, off the Apple site for pre-Tiger)

Does anyone have any experiences on the slowdown using File Vault? And are there any other disadvantages? Sometimes it can completely ***** up :p I had an error where it couldn't "releive unused space" or whatever, so I had almost no free space yet very little used

I would actually say that LiveCD and a portable HDD is easier than FWTDM. It's almost as fast (depends if you use drag/drop or just dd), and a lot easier to carry around (even a 12" PowerBook is bulkier and heavier than external HDD and a CD. If you really dislike it that much, then turn on the Open Firmware Password (on the DVD for Tiger, off the Apple site for pre-Tiger)Yeah you're right that LiveCD is just as bad. It just goes to show you that having physical access to a system will enable anyone to steal data from you, and they don't even have to know what they're doing (that much). I guess TDM is no more of a security risk then having a LiveCD to boot from. The only files that I actually bother encrypting are my personal finances, and some other misc documents. I use the OpenSSL commands that I wrote about in the beginning of the thread. Remember that your data is never safe. *leaves to go put on tinfoil hat* :p

Speaking of the Open Firmware Password, can you not get around this in less then 30 seconds by zapping the PRAM?

I did accidently. Doesn't work. It's the same as changing the password hash on Windows EFS - still doesn't open.

Good to know. :)


Sometimes it can completely ***** up :p I had an error where it couldn't "releive unused space" or whatever, so I had almost no free space yet very little used

Don't scare me, I was about to turn it on... :p

All this talk of security reminds me of what my Netware 3.1x instructor told me in 1996.

Unless you're comfortable with the possibility of the whole world seeing it, don't store it on a computer.

Not exactly feasible a decade later, but the premise remains.

I did accidently. Doesn't work. It's the same as changing the password hash on Windows EFS - still doesn't open.


Actually it does. After the file gets deleted and you restart the machine, all the users' master passwords have been reset to nothing. So if you delete the file, restart, then use the OS X disc to reset users passwords you can get into the accounts. If you don't believe me make a test account up and try.

Actually it does. After the file gets deleted and you restart the machine, all the users' master passwords have been reset to nothing. So if you delete the file, restart, then use the OS X disc to reset users passwords you can get into the accounts. If you don't believe me make a test account up and try.

You sure about that? That would render File Vault useless...

encrpyting a disk image is so easy in OS X.
Just open up disk utility, follow a few steps (Sorry, Don't know them.. I'm not at my PB) and Bam! encrypted disk image.

isn't that where everyone keeps their banking passwords, financial info, and naked images of themselves in compromising positions?
Lacero, you're my hero!
Nice thread, lots of stuff I didn't know...I'm a consumer though.
Anyway, so do you create a disk image and just drag the sensitive stuff onto it then set a password? Also, what about keychain? Is this good or vunerable?

When you create the disk image, you have to choose the password at that time.

The keychain is protected with 128-bit AES encryption, however, if your login password is weak, and you haven't protected yourself (e.g., your swap files), then someone who gets your login password is into your keychain as well.

I defy anyone to get my information off of my particular computer.

(And while you're at it, please put in a larger hard drive and OS7.6. I don't feel like buying a SCSI CD-ROM, so you'll have to bring your own)

File Vault is not secure b/c the master key password is kept in /Library/Keychains/FileVaultMaster.keychain; this portion of the disk is not encrypted, only the home folders of the enabled accounts. If you delete this, it resets the password. You then need to log into each user account and change the password but we all know you can reset each user accounts passwords from the startup disc.
That will only let you log in. The encrypted data can't be decrypted if you reset the passwords. If you delete the FileVaultMaster.keychain and reset the passwords the decryption keys will no longer exist anywhere and even the person who knows the original password will probably not be able to decrypt the data unless the key generation is deterministic based on the password, which I doubt it is.

Good Thread.

Firewire Traget disk mode is meant as a troubleshooting and data rescue tool. And a fine feature it is indeed. I've saved the day of a few people with it. But, all the advice here is good:

-If someone has physical access to your computer and they are determined, they will figure out how to access it somehow.

-Got stuff you don't want people to see? Follow earlier advice, and use an encrypted disk image. Pick a good, "strong" password. 8 characters at least, mix up case, alpha-numeric, and toss in one or two upper keyboard characters such as the dollar sigh, percent, etc. This disk image is 128 bit AES encryption, but without a stong password, it could be defeated by a determined hacker. Add a layer by making it invisible in the finder. Use the terminal, and have the image name begin with a period dot. Then it's only visible if you use the ls -a command.

-If you choose to set an open firmware password, and the maximum security setting in open firmware, don't forget that password. If you do, well, oops.

-A very good manual for Mac OS X security is available for free, (PDF format) from the NSA's public website. I don't think they've released a 10.4 version though. The version I have is current as of July 8th, 2005. I'd say these folks know their computer security stuff.

-If you choose to set an open firmware password, and the maximum security setting in open firmware, don't forget that password. If you do, well, oops.
Don't worry about it. It can be cracked in under two minutes.

Don't worry about it. It can be cracked in under two minutes.

If you can log in to a shell, yes.

Otherwise, you have to either remove the battery, or remove (and optionally replace) some RAM. (On a tower, this can be prevented by locking the case shut, but it's not so easy on portables or iMacs.)

If you can log in to a shell, yes.
You cannot remove the OF password via shell.

Otherwise, you have to either remove the battery,I've never heard that removing the battery works. I'll have to look into this.

or remove (and optionally replace) some RAM. (On a tower, this can be prevented by locking the case shut, but it's not so easy on portables or iMacs.)This is the method I'm talking about. If were are talking about someone getting physical access to your machine, do you really think getting to the RAM will be difficult? Even a pad lock on a PM can be removed with a pair of bolt cutters.

I personally don't like to use file-vault because like everyone else was saying, you must encrypt your entire home folder. Instead, as suggested earlier, I create an encrypted disk partition and change the icon to a normal folder icon.

If you really want to be paranoid about privacy (security usually refers to threats from the internet etc), I would:

1. Set an Open Firmware password
2. Disable Target disk-mode
3. Make sure and encrypt the login and your screensaver on OS X
4. Turn on file-vault.
5. Create five layers of randomly assigned password protected encrypted disk partitions within the file-vault but hidden a few layers down and for gods sake change the icon!
(as far as the keychain app is concerned if someone gets that far then they know your system password anyways...but encrypt that too...
6. Reformat your disk once a month using the random highest level format that is available in disk utility, just to make sure that steps 1-5 weren't compromised.
7. Always use the secure empty trash when deleting files.
8. If you ever feel that your security has been compromised take your mac to an undisclosed location and burn it. Then make sure that the serial number is unreadable as well!

You can see how this could get silly. I you are really worried about your significant other seeing your stuff you have issues in your relationship and if you are worried about the theft situation I would think that you would worry more about your missing hardware. Finally, if you are really this paranoid then, of course, you would have a whole plethora of security measures for external attacks like Little Snitch, Net Barrier, OS X firewall or just not ever going online etc...

7. Always use the secure empty trash when deleting files.

Could you explain this more?

Could you explain this more?

There is a secure empty trash feature in finder right under the regular one. It just ensures that any data that you were intending to delete is randomly over written so that it can't be recovered at a later time. Kinda like shredding your important documents etc instead of just putting them in the garbage.