Macbook stolen, what to do?

Discussion in 'OS X El Capitan (10.11)' started by macbook123, Oct 22, 2015.

  1. macbook123 macrumors 68000

    Joined:
    Feb 11, 2006
    #1
    #1
    Somebody just broke into my car and stole my Macbook. What's the best thing to do if I don't want the to be able to access my data? I honestly don't recall if I had a password set on login screen since I sometimes turn it off when I'm working a lot from home.

    I imagine if I had no password set I'm screwed, or is there anything I can do still?

    If I did have a password set, can they still access my data?

    And should I do remote erase or lock, i.e., which is safer?

    Thanks!
     
  2. Shirasaki macrumors 603

    Shirasaki

    Joined:
    May 16, 2015
    #2
    Call police.

    And if Find Mac is on, set a remote lock, and remote erase. Then if your Mac goes online again, it will be locked automatically.

    But given the fact that this feature is somewhat useless, what you can only wish is data is erased by thief without checking it. :( The reason I say it is useless because I have tried this once, and I didn't receive any notifications, while Mac remained fully accessible even after my MacBook was found.
     
  3. Evren Carven macrumors regular

    Evren Carven

    Joined:
    Dec 16, 2014
    #3
  4. bobdamnit macrumors regular

    Joined:
    Mar 26, 2014
    #4
    I disagree. If I can get into recovery with a Terminal, I can do a few different things to obtain administrator access to the Macbook, and thus, the original owners data.

    This is where Filevault and a firmware password would have helped.
     
  5. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #5
    Yes... very easily. All they have to do is command-r boot to recovery then in Terminal enter "resetpassword" and follow the prompts to change the password.

    Turning on FileVault encryption will prevent this.

    If you have Find my Mac turned on, do an erase and lock.
     
  6. vanc macrumors 6502

    Joined:
    Nov 21, 2007
    #6
    It's true unless you have file vault enabled. I have file vault enabled on my 2012 MBP 15 as soon as I bought it. Without a correct password, the whole disk is fully encrypted with AES, and nobody could read it.
     
  7. macbook123 thread starter macrumors 68000

    Joined:
    Feb 11, 2006
    #7
    Why is erase better than lock? If I lock it I can send a message with my contact information. There's probably a non-negligible chance that the thief is too stupid to get around that and will just leave it somewhere and then somebody can find it and give it to me. Or the thief might contact me claiming they didn't steal it but only found it.

    If I do erase I basically present them with a laptop that is all theirs at that point, with no way of ever getting it back. But maybe I'm misunderstanding something?
     
  8. Queen6 macrumors 603

    Queen6

    Joined:
    Dec 11, 2008
    Location:
    Enjoying Better Things
    #8
    Ultimately it depends if you value your Mac over your personal data. Personally I would lock it and erase, I would also think carefully about what information you pass and meeting such individuals unless you are well prepared and know what your doing.

    Q-6
     
  9. netsped macrumors regular

    Joined:
    Jul 8, 2008
    #9
    Do you think it is overkill to have FileVault 2 enabled (with a strong password) and also Firmware Password (with a stronger password)? Or is it the best way to keep a Mac unusable if stolen.
     
  10. jazz1 macrumors 65816

    jazz1

    Joined:
    Aug 19, 2002
    Location:
    Mid-West USA
    #10
    Too late now, but do current Macs allow a firmware lock? I understand the a few years ago there was a way to get around even that, but now I think you actually have to send it to Apple to get around a firmware lock if you don't know the password.
     
  11. Queen6 macrumors 603

    Queen6

    Joined:
    Dec 11, 2008
    Location:
    Enjoying Better Things
    #11
    No not at all, if anything it`s prudent and will prevent any access to your Mac, barring the very skilled.

    Q-6
     
  12. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #12
    Eh... maybe a bit. All the FW password does is stop somebody from booting from an external drive making the computer worthless pretty much. But it does not really increase security to any great extent.

    Yes... they do allow a firmware lock. Pre-2011 you could reset the FW PW by removing a RAM chip, but with newer models (article) that is no longer possible.
     
  13. Queen6 macrumors 603

    Queen6

    Joined:
    Dec 11, 2008
    Location:
    Enjoying Better Things
    #13
    Bit more to it than that; the Firmware password prevents the OS being replaced, and it prevents the Mac being started up in Target Disk mode. It does indeed render the Mac unless, it also reduces the chance of the thief and or accomplices making decent money out of the crime.

    If the OS can be replaced the system can be sold on for a very decent profit, likely to someone innocent a point worth considering. I see no need to make things easier for them.

    Q-6
     
  14. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #14
    Sounds like you are just repeating what I said.
     
  15. Queen6 macrumors 603

    Queen6

    Joined:
    Dec 11, 2008
    Location:
    Enjoying Better Things
    #15
    Shall we say expanding on what you said :) equally I believe the Firmware password does add a layer of protection

    Q-6
     
  16. NoBoMac macrumors 6502a

    Joined:
    Jul 1, 2014
    #16
    My information might be old, but, I read a whitepaper a few years back re: FileVault2 hacking. Long story short, not easy to do, but, the first level of defense is that the user passwords to unlock the disk (actually, unlock the encryption key to decrypt the encryption key to decrypt the disk) are stored in a known location on disk and is basically a mini keychain-like structure. And though using strong encryption/hashing for the passwords, can be cracked easily if the password is not strong.

    Maybe Apple has made improvements to the scheme in the last few years?

    FileVault will stop your run-of-the-mill thieves, but not immune to a determined individual, so, use strong passwords on your Mac's accounts.
     
  17. Mcmeowmers macrumors 6502

    Joined:
    Jun 1, 2015
    #17

    I could most definitely access your files if you had a password set - the password largely only stops normal users as it is easily bypassed. Only FileVault would stop someone.
     
  18. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #18
    That is old information. What you may have read was people accessing direct memory access (DMA) to grab the password. That was patched in Lion 10.7.2. I have yet to read of anybody able to crack a FV2 encrypted system.
     
  19. NoBoMac, Oct 24, 2015
    Last edited: Oct 24, 2015

    NoBoMac macrumors 6502a

    Joined:
    Jul 1, 2014
    #19
    Nope, not DMA. They were able to scrape off the "keychain" file containing the accounts that can unlock the disk, decrypt the password(s) off line.

    A hacker that can get access to
    /Volumes/Recovery HD/com.apple.boot.R/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
    has the keys to FileVault. It's an encrypted file, but at the time, was easy to decrypt (key was stored in the header of the file in plaintext). The file contains the user accounts that can unlock, encrypted passwords, and then the encrypted encryption key for decrypting the master encryption key. The recovery key is stored here as well, with similar structure as a user account.

    Since the Recovery volume is not encrypted, someone with skills and tools could scrape that volume off to another computer and work with that.

    As mentioned, not simple tasks, required software they developed that could handle CoreStorage files on non-Mac machines, won't be carried out by Average Joe Thief, but was not impossible at the time.

    When I have some time, I'll see if I can dredge up the white paper again (didn't save since I got the gist of what goes on with FileVault, and my user accounts all have strong passcodes on them [difficult for a dictionary attack] so not too concerned about FileVault security).
     
  20. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #20
  21. macbook123 thread starter macrumors 68000

    Joined:
    Feb 11, 2006
    #21
    Quick question: I changed my iCloud password after loosing the laptop. Will Find my Mac still work even if the stolen Mac can't connect to iCloud anymore because I changed the password?
     
  22. dogslobber macrumors 68020

    dogslobber

    Joined:
    Oct 19, 2014
    Location:
    Apple Campus, Cupertino CA
    #22
    This.

    Plus Find My Mac is junk because it needs the OS to boot. The feature should actually run from the Mac BIOS like recovery mode can. The tools are all there once a network connection is available.
     
  23. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #23
    Full disk encryption with a very strong passphrase is really the only way to prevent that.

    But honestly, the thief is much more likely to just wipe it, reinstall the OS, and sell it cheaply on Craigslist or eBay than to sift through it trying to steal your data. That's if he even bothers to wipe it. There's a good video from Defcon where a security researcher had his desktop stolen and tracked the thief down. The thief was a total idiot.
     
  24. dogslobber macrumors 68020

    dogslobber

    Joined:
    Oct 19, 2014
    Location:
    Apple Campus, Cupertino CA
    #24
    If the thief was technological proficient then chances are (I think) they'd get an honest job to avoid felonous behaviour.
     
  25. HenryDJP macrumors 603

    Joined:
    Nov 25, 2012
    Location:
    United States
    #25
    If a person is a "thief" they likely want much more than to just sell the Macbook. No doubt he or someone he associates with will go through the contents on the computer to see whatever is valuable to him/her. That's just the reality of it unfortunately.
     

Share This Page