mrichmon said:
Unless the PC is running Linux (from the PC hard drive or from a Knoppix CD), or unless you buy an HFS+ driver for Windows (e.g. MacOpener, MacDrive) for about $40.



Permissions are stored on the disk based on the numeric user id. This means that if the drive stores user "fred" as UID 501 and the drive is connected to a machine that also has a user with UID 501, say "jane" then the files will appear to be owned by "jane" on the second computer. Since the permissions are stored on the filesystem based on the UID, the question is whether a UID of 501 exists. If it does not then the files will be "owned" by "unknown". In either case access permissions for user group and other will be observed.

By default OS X mounts external drives using an option to ignore the owner of the files. What you are forgetting is that if the user has root or admin access then they can access any file on the system, bypassing the standard filesystem permissions.



This is not a security issue. This is a privacy issue. There are other mechanisms to address the privacy issue. Specifically file encryption (using openssl, PGP, etc) or file system encryption (eg FileVault).



So, the computer should just magically protect people? The admin password is just a chunk of data on the hard drive as far as the hardware is concerned. There is nothing special about it. And what do you want to happen when the sector on your hard drive storing your admin password goes bad? Should an unfortunate bad sector make it impossible for you to access your data, even if you do not need the level of privacy protection that you suggest?

The closest viable technical solution to the hardware controls you are suggesting is restricting target firewire mode in the open firmware.

Now if I read this right and I have a Mac that I need information off of, I could just get another hard drive and buy an enclosure and I would have bypassed all of the above. However time consuming and costly. Right?
 
Randall said:
Well sure, but if it's selective, then people with many files could be a big hassle to encrypt them. i.e. Did I encrypt this file? etc. If you just encrypt your whole home directory/partition then you don't ever have to worry about it. True that a lot of things will be unnecessarily encrypted (music, videos, etc.) but I think it's a small price to pay for not having to worry about it.

Just making it able to select folders would be nice.

Does anyone have any experiences on the slowdown using File Vault? And are there any other disadvantages?
 
grapes911 said:
Not true (unless by "lots of time", you mean billions of years). If you use a very secure algorithm and a very secure password, your files are pretty much impossible to crack. Even with some of the fastest supercomputers, it is estimated to take billions of years on average to crack something like RSA. Quantum computers may change this, but they are still years away from any practical use.

Um... that's why I said "may" and not "will".

Hmmmm, now that I think about it... anyone who can get physical access to a computer at least two times can install a keystroke logger (a few exist for the Mac, at least one or two are transparent unless you open up Activity Monitor and notice a process running you don't recognize) which will then give them that very secure password for any very secure algorithm.

I guess it all comes down to what level of security makes you comfortable.

If you don't want random stupid security holes making it possible for your computer to be zombified by visiting a webpage (or buying a Sony music CD), buy a Mac and toss your PC.

If you are bugged by the Mac's Target Disk mode, encrypt sensitive data with a good password.

If you are worried about somebody keystroking your password, type out a long string of numbers and letters and then copy individual letters out of the string, pasting them into the password field until it makes up your password (that should confuse anyone looking at a record of your keystrokes).

If you are super paranoid, do the above and also keep your computer in some secure location, offline, with motion sensors, video cameras, dogs, etc...

If you are more paranoid than that, then it doesn't matter what you do to your computer because the government is already scanning your thoughts with their satellites.

~ Mr.T
 
Diatribe said:
Just making it able to select folders would be nice.

Does anyone have any experiences on the slowdown using File Vault? And are there any other disadvantages?
Yes, if they made it so that you could pick certain folders within your home directory to encrypt, then that would probably be ideal. I use File Vault, and there is a slight performance hit depending on what you're doing (searching for many files, working with large files, etc.). I don't believe that there are any other disadvantages to using it. Although, it can take a long time to encrypt your home directory initially, depending on how many files you have in there before you start using File Vault. But once that's done, everything is on the fly. IMO the performance hit is negligible, and worth the added security.
 
Randall said:
Yes, if they made it so that you could pick certain folders within your home directory to encrypt, then that would probably be ideal. I use File Vault, and there is a slight performance hit depending on what you're doing (searching for many files, working with large files, etc.). I don't believe that there are any other disadvantages to using it. Although, if you have a large hard drive, it can take a long time to encrypt your home directory initially, depending on how many files you have in there before you start using File Vault. But once that's done, everything is on the fly. IMO the performance hit is negligible, and worth the added security.

Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?
 
Diatribe said:
Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?
Can you reset the master password without knowing it first? I don't think you can. If you can then yes, File Vault is completely useless. It would just be stupid of Apple to allow this to be true, and it's the first I've heard of it. I find it hard to believe that you could do this.
 
Diatribe said:
Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?

Master Password (does not equal) Admin Password.

How do you do a does not equal sign?
 
grapes911 said:
But I don't know how many people know programming. I was looking for the symbol from this page. It is much more standard.
I think the html code for not equals (the symbol) is ≠ and I got it on my Windows box at work with Alt + 2260 (Arial Font)
 
Diatribe said:
Yeah but as I have written in the other post...

File Vault doesn't secure ****.
If you reset the master password with the installation disk you can turn off File Vault too. So it's no use either way, or am I missing sth. here?
Can anybody confirm or deny Diatribe's claim here? Can you reset the master password without knowing it first? That would be insane if it were true.
 
Randall said:
Can anybody confirm or deny Diatribe's claim here? Can you reset the master password without knowing it first? That would be insane if it were true.
You cannot reset the Master Password. You can reset the Admin Password.
And as I said before:
Master Password (does not equal) Admin Password.
 
grapes911 said:
You cannot reset the Master Password. You can reset the Admin Password.
And as I said before:
Wow. I got so distracted with the not equals thing that I ignored the content of your post. LOL sorry. :p
 
Randall said:
Can anybody confirm or deny Diatribe's claim here? Can you reset the master password without knowing it first? That would be insane if it were true.
No, he's not right. Like grapes said earlier (and again while I was rummaging through Apple Support ;)) the master password is not the same as the admin password.

When you turn on FileVault, you also set up a master password for the computer that you or an administrator can use if you forget your regular login password.

WARNING: If you turn on FileVault and then forget both your login password and your master password, you will not be able to log in to your account and your data will be lost forever.
from About FileVault.
 
I don't really see what the big deal is here..

The difference between me nabbing your PC data and your Mac data is about 5 minutes if I come prepared.

If I planned on stealing your data, you better be sure I'd bring tools and an external FW enclosure. Pop open your PC, pop out your disk, pop it into the enclosure, plug it into my laptop, steal you blind, reverse process, rinse, repeat.

I find target mode to be very helpful.
 
Ok here's the thing. I'm probably way off topic at this point, but anyway...

If you don't want to use FileVault for any of the performance issues or you only want to encrypt file X, then it's very simple to do as long as you're not afraid to use the Terminal. (You shouldn't be! UNIX is your friend!)

You can use OpenSSL (should be shipped with your Mac OS X) to encrypt your files with strong ciphers. Umm a small warning here, you will not have a "safety net" of a master password here. You can type
Code:
$ openssl enc -e -a -salt -aes-256-cbc -in examplefile.jpg -out examplefile.aes
enter aes-256-cbc encryption password:
Verifying password - enter aes-256-cbc encryption password:
Then you type your password to use, and that's it. This will encrypt a file using Advanced Encryption Standard (AES) 256-bit. It will literally take a billion years to crack that password with brute force.

To decrypt the file (you better know your password)
Code:
$ openssl enc -d -a -aes-256-cbc -in examplefile.aes -out examplefile.jpg
enter aes-256-cbc decryption password:
Enter your password and you're all set. Now you're l337... ok not really, but you have some serious encryption on those important files. It's just not practical to use this method on files that you touch every day, since the same steps must be repeated every time you want to open these files etc.
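
Added example, not part of the original post: a round-trip check for the OpenSSL commands above, so that a file is only treated as safely encrypted once the ciphertext has been shown to decrypt back to the original (there is no master-password safety net here). It assumes OpenSSL 1.1.1 or later for `-pbkdf2`/`-iter`; the function names, the iteration count and the passphrase-file convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL 1.1.1 or later,
# which introduced -pbkdf2 and -iter for `openssl enc`.
ITER=200000   # assumed PBKDF2 iteration count; must match on decrypt

# encrypt_file IN OUT PASSFILE
# Same cipher and flags as the post, plus PBKDF2 key derivation. The
# passphrase is read from the first line of PASSFILE, so it is not typed
# on the command line and does not end up in shell history.
encrypt_file() {
    openssl enc -e -a -salt -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_stream IN PASSFILE  -> plaintext on stdout
# CBC mode carries no integrity tag: a wrong passphrase is usually caught by
# the padding check (non-zero exit), but not always, so callers should
# compare content rather than trust the exit status alone.
decrypt_stream() {
    openssl enc -d -a -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -pass "file:$2" 2>/dev/null
}

# verified_encrypt IN OUT PASSFILE
# Returns 0 only if OUT decrypts back to a byte-identical copy of IN.
# The plaintext is compared through a pipe, so no temporary copy is written.
verified_encrypt() {
    encrypt_file "$1" "$2" "$3" || return 1
    decrypt_stream "$2" "$3" | cmp -s - "$1"
}

# Usage: sh verify-enc.sh examplefile.jpg examplefile.aes passfile
if [ "$#" -eq 3 ]; then
    verified_encrypt "$@" && echo "round trip verified: safe to remove $1"
fi
```
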
 
trainguy77 said:
One way to get around this is to move the music library into a different folder, currently I have mine in the shared folder.:)
One problem with that - if you use iTunes, you load them up, iTunes will copy them into your home directory. Then let's say your wife wants to do the same in her account, you then have three copies of the same songs on your machine. Awful if you have a large amount of songs. Then your kid/s decide to load them into iTunes on their account!!! :(

Windows will make a playlist from anywhere on your computer, Mac OS X has to copy them to your home directory. It can suck monkeyballs at times.


I have made my root account secure using File Vault. If there is anything sensitive I drop it into root's 'drop box', and disable root's account until I need that data again.

There are a few apps for making files/folders secure using 256, 512 or 1024 bit encryption for UNIX. I have seen them around but cannot remember their names?
 
howesey said:
One problem with that - if you use iTunes, you load them up, iTunes will copy them into your home directory . . .
Then turn that preference off.

Open iTunes
iTunes -->Preferences -->Advanced
Uncheck "Copy files to iTunes Music folder when adding to library"

Things will now stay where you put them.

While you're in there, you can also change your iTunes Music folder location. I put it somewhere where all users can access it. I change this for every user account and make them all the same place.
 