The macosxhints Forums


darkgrim 07-31-2007 03:40 AM

USB security dongle
 
Hi all,

I'd like to use my USB flash drive as a security key (dongle) for my MacBook. Is there any software (possibly free) that can do it for me?

Thank you for your help.

PS.
Yes, I know, OS-X has strong security like 254 character long passwords for login, etc; and I know I can lose the hardware key, but I like to use a hardware key very much and I don't want to buy any new hardware, I'd like to use my own, existing USB flash drive if it is possible.
Thanks.

raymondlewisjone 07-31-2007 10:43 AM

Okay, create a StartupItem that insists on there being a certain file on a certain volume (like your flash drive). If it is not there your computer will shut down.

raymondlewisjone 07-31-2007 10:54 AM

Very easy, actually.

raymondlewisjone 07-31-2007 01:56 PM

I just created a launch daemon that will actually shut your system down if the proper disk is not mounted. It checks your disks every ten seconds, so it must be inserted when you start the machine up. Is this what you want?

tw 07-31-2007 02:43 PM

fyi: anything of this nature you do with scripts or launchd can be circumvented by starting up in safe mode. don't know if that's an issue or not...

raymondlewisjone 07-31-2007 03:59 PM

Yeah, I know, but I think you can disable safe mode, right?

yellow 07-31-2007 04:07 PM

You can? That's news to me. I'd be interested in how to do that.

raymondlewisjone 07-31-2007 04:13 PM

I am probably wrong. However, I have read two articles on the web so far about safe-mode in Tiger. I have only seen that it will de-activate the StartupItems, Login Items and ".kext" files. No mention about launchd.

darkgrim 08-01-2007 07:53 AM

Thanks for the answers.

Yes, the AppleScript is a very easy and useful option. I tried it, wrote a little script and it works great, but only on start up or after coming back from sleep.

Quote:

Originally Posted by raymondlewisjone (Post 397301)
I just created a launch daemon that will actually shut your system down if the proper disk is not mounted. It checks your disks every ten seconds, so it must be inserted when you start the machine up. Is this what you want?

Yes, it is. It is a great solution I think. Can you send its source or the app to me?

Thanks!

raymondlewisjone 08-01-2007 09:11 AM

1 Attachment(s)
You must put the .plist file in /System/Library/LaunchDaemons and the executable in /usr/bin.

After that you must repair the permissions on them.

Also, rename the USB flash drive "Security Key" and place a file ".accessfile" on it and change its contents to a password that you want to use.

Now, change "5u5an29" on line five of the executable to the same password.

Restart and check it out.

raymondlewisjone 08-01-2007 09:12 AM

If it does not work as expected you will have to boot in safe-mode to remove the daemon.

benwiggy 08-01-2007 01:44 PM

The warning I would give about doing this is that flash drives can fail very easily -- their lives can be shortened or brought to an end by pulling them out of a machine when they are in use. This is likely to happen at the least convenient time.

I have had several become completely useless instantly, (though my current one did go through the washing machine and is still ok!)

The best security for your laptop is probably to put a password on startup and screensaver, and generally make sure that no-one else gets physical access to your machine.

raymondlewisjone 08-01-2007 01:59 PM

You can actually clone the USB drive to a cd after creating it and my app will work with the cd as the "Security Key"

raymondlewisjone 08-03-2007 09:25 AM

I would recommend making a backup of the USB Drive on a cd, just in case.

raymondlewisjone 08-03-2007 02:09 PM

Here you go, now more stable
 
1 Attachment(s)
Okay, I have re-worked my original app:

Now, it only puts the display to sleep immediately when the Key is not there.
When the key is inserted it sets the display sleep to 0 (never). So you can just move the mouse or whatever to activate again.

The problem with the original is that it would force a shutdown and possibly lose all your un-saved data.

On the disk image:
Run the install, supply your admin password. Then, choose the disk you wish to use (Be careful, the installer will rename the disk, so don't use any disks whose name cannot be changed....Don't worry, you can still use the leftover space on the disk for storage if you like.). Then, supply the password you wish to use in your key (this only prevents anyone from merely creating their own "Security_Key" and using it on your machine).

Now you're done. Once you have re-started your machine, eject the disk and watch (move your mouse and your machine will not wake). Now re-insert it, wait a few seconds and move your mouse.

After a successful "Security_Key" is made, clone it to a CD and put it somewhere safe. You may need it if the USB disk is ever corrupted.

hisara 08-04-2007 12:48 AM

Some 3rd party apps like Little Snitch run in safe mode. Could you try to use the same trick to run this software in safe mode?

raymondlewisjone 08-21-2007 01:34 PM

Ah hah!

check out versiontracker.com for "Security_Key 1.2".

This is an app that I created. If you install it right it actually disables safe-mode, single-user mode, target-disk mode, etc.

yellow 08-21-2007 01:41 PM

I am still quite curious how you disabled safe-mode.

And I should add, having safe-mode as an option is a very important tool for recovering from catastrophic kext failures. It's not a good idea to disable this.

biovizier 08-21-2007 03:11 PM

Quote:

This is an app that I created. If you install it right it actually disables safe-mode, single-user mode, target-disk mode, etc.
To say that the app you created disables single-user mode, target-disk mode, etc. is a bit disingenuous, don't you think? I haven't installed it, but I'm assuming it invokes the copy of Apple's "Firmware Password Utility.app" that is included on your dmg (according to the description on versiontracker) so that is what is disabling those things. Also, I don't know if you did or not, but you probably need to get permission from Apple to redistribute that...

raymondlewisjone 08-21-2007 03:39 PM

Oh my god, Geez oh man.

Okay, version 1.0 did disable single-user mode all by itself. However, I thought that an app from apple would ease everybody's mind on exactly how I did it. Go to apple's website and see for yourself. There are very good instructions on how to bypass it if you ever run into a problem. The best of course, is to re-configure your RAM and then restart your computer.

raymondlewisjone 08-21-2007 03:41 PM

Maybe I will just include a link to the app instead if you really are having that big of a cow over it.

yellow 08-21-2007 03:43 PM

Quote:

Originally Posted by biovizier (Post 402704)
but I'm assuming it invokes the copy of Apple's "Firmware Password Utility.app" that is included on your dmg

Ooooohhh.. I suspected as much. But was too lazy to look.

I concur, you should investigate whether Apple will allow you to redistribute that.

raymondlewisjone 08-21-2007 03:50 PM

Like I said don't have a cow!!!!!!! I will just update my installer package to only include a link.

My god, if you want I will sit and figure out how to do it without apple's application, but don't you think that everybody would feel safer if it was from apple?

yellow 08-21-2007 03:52 PM

This has absolutely nothing to do with that. This has everything to do with you risking legal action by including software from Apple without learning if you're allowed to do it. Frankly, I don't think we really care if you get sued.

raymondlewisjone 08-21-2007 04:00 PM

If you don't care, then why exactly are you posting about it?

yellow 08-21-2007 04:04 PM

Because this site tries to be a professional site.
Morally we are obligated to try and take the high road.

raymondlewisjone 08-22-2007 09:54 AM

Fixed....Now there is just a "Read Before Install.rtf" file in my installer that explains how to get it and why.

biovizier 08-27-2007 12:28 AM

Quote:

...if you really are having that big of a cow over it.
That's not a cow. Now THIS is a cow. mmm cow....

The question of the legality of redistributing Apple software is an issue that I would have thought experienced programmers would be familiar with. Appearing to take credit for the function of Apple software just rubbed me the wrong way. Lifting the whole displaysleep routine verbatim from macgeekery without attribution also seems wrong (unless you happen to be the person that posted there originally, in which case I apologize for the insinuation). Note that the submitter at macgeekery referenced the widget the code was based on. I'm not a security expert but I have to wonder if polling every two seconds just for a world-readable file in a given folder with a set name containing a plain text password provides any real security. Plus, the displaysleep function doesn't completely lock out keystrokes and mouse clicks, another reason why this method doesn't provide real security. But despite these objections, I would have stayed out of this thread if it weren't for the fact that this app is up on versiontracker and other sites.

What worries me is that a few posts ago, after boldly declaring how easy it would be to make a startup item to implement the key idea (this to a person worried that a 254 character password was not secure enough), you had to be told by someone else that a startup item could be disabled simply by booting in "safe mode". I'm worried that maybe despite having picked up how to do a few things, you don't yet know enough to realize that there are things you may not know. This is important because one of the greatest dangers in using any security measure is not knowing its limitations and using it incorrectly. Sort of like Apple implying a while back that a FileVault account would take longer than the age of the universe to crack, while leaving the password in plain text in a swap file on the hard drive.

Sorry, I know this seems harsh, but there have been over a thousand downloads already. I hope you understand the responsibility that goes with promising to provide someone with a security product in this day and age. Do you consider yourself to be enough of a security expert to provide such a product? If it was just tinkering in a forum thread, or wasn't about security, or even if you were pushing it as a gimmick / gadget / toy rather than a "security" key, I might have only thought about commenting, but actually refrained from posting.

Going the other way, I see there is one user on versiontracker that has been locked out of their computer for four days (maybe a week or more if there hasn't been any private correspondence) after running this app, suggesting the level of support might be inadequate.

For the record, I am not a programmer, security expert or associated with anyone making a competing product. Just a concerned member of the Mac community responding to something I personally see as reckless.

raymondlewisjone 08-28-2007 04:30 PM

OK, noted. And, also, dis-regarded.

Like I said, my app at one point DID disable "single-usermode, etc" all by itself. But the concern was that no one really trusts that sort of thing (messing with important system files), so I thought that I should let Apple's app take care of that. So, when you read "that my app does it", you are actually reading a comment from before (when my app DID do it all by itself).

Also, do you think that you could actually use a machine without the monitor turned on? I don't think you are that good.

As for the versiontracker user, I am not responsible for people who do not follow directions.

Whatever!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!

biovizier 08-28-2007 10:13 PM

Quote:

OK, noted. And, also, dis-regarded.
Actually, that's unfortunate, I think, but fine. I was actually posting mainly for the benefit of others who might be reading this thread, especially since you plugged your app from here. I wanted to make sure that it was understood that some people (ok, maybe just me) had reservations about this app since it doesn't offer much in the way of security over what is built in to the system, and relying on it might lead to a false sense of security.

Quote:

Also, do you think that you could actually use a machine without the monitor turned on?
That's exactly what I mean. If 'displaysleep' is the only thing in effect, and it allows mouse-clicks and keystrokes through, how do you know that doesn't allow enough wiggle room to bypass the block? Just because you can't think of a way, don't assume that it can't be done - what if it turns out to be really easy? If you are underestimating what you don't know and make promises of security, you may be placing people's data at risk. Just today, you advised someone to do something that would have resulted in their "admin" password being hard coded in plain text in an AppleScript. Experienced AppleScripters would be well aware of this problem. I'm giving you the benefit of the doubt and assuming you did that out of ignorance of the danger, rather than knowingly being cavalier with somebody else's security.

Quote:

As for the versiontracker user, I am not responsible for people who do not follow directions.
Again, important information for those that may be reading this thread.

But to your credit, you did try to help the person who was locked out of their computer for a week. However, as you acknowledged, the instructions you initially gave contained an error - a command intended to be executed with "root" privileges in "single-user" mode, contained a typo. A harmless typo, as it turned out, but yikes! And why are you using 'rm -Rf' to remove a file? Sure, it should work but the '-R' in particular is not necessary, and you are introducing an unnecessary risk - one misplaced space and... I don't think that someone that understands the 'rm' command, appreciates the need for care when working with "root" privileges, and respects the person who they are advising would choose to use that particular form of the command in that situation.

Anyway, honestly, it's nothing personal. I saw some red flags, and sounded the alarm. I think for the purposes of this thread, I have said enough.

raymondlewisjone 08-29-2007 10:29 AM

Yeah, I understand. But, seriously, what, are you running a background check on me or something? The typo was explained in that I assume everyone knows that launchdaemons end in ".plist". I use "-Rf" as habit. It is my catch-all way of using "rm". I always use it, that way it doesn't matter if it is a file or directory.

I never made promises of security.

For an applescript noob, I thought the keychain scripting might be a little too much. I personally make sure that all my apps use the keychain to retrieve passwords. But, that might have been overwhelming to someone who has never done that before.

hayne 08-29-2007 01:57 PM

Quote:

Originally Posted by raymondlewisjone (Post 404873)
I use "-Rf" as habit. It is my catch-all way of using "rm". I always use it, that way it doesn't matter if it is a file or directory.

I think it is a very bad idea to use the "-R" option by habit, even when it isn't needed. As biovizier has pointed out, it vastly increases the catastrophic consequences of an inadvertent extra space or other typo.

Quote:

I never made promises of security.
I'm not sure what you meant by this - although I haven't looked into the details, it seems that the utility you are providing is intended as a security measure. I think biovizier's main point was that you ought to be hugely more careful (to the point of paranoia) when providing a program whose focus is security.
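The "one misplaced space" risk raised by biovizier and hayne, turned into a guard, as an added example that is not from any poster in the thread: `remove_one_file` is an assumed helper name, and it deletes a single regular file without `-R` or `-f`.

```shell
# Added example, not from the thread. remove_one_file is an assumed name.

# remove_one_file <path>
# Deletes exactly one regular file. Returns non-zero and deletes nothing
# when the call does not look like "one plain file".
remove_one_file() {
    # A stray space in a path ("/some/dir/ file.plist") splits it into two
    # arguments; with rm -Rf the first one would be removed as a directory.
    if [ "$#" -ne 1 ]; then
        echo "refusing: expected 1 path, got $#" >&2
        return 2
    fi
    target=$1
    # Directories and symlinks are never what "remove this file" means.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "refusing: '$target' is not a regular file" >&2
        return 1
    fi
    # No -R and no -f: rm cannot recurse, and errors stay visible.
    rm -- "$target"
}
```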

raymondlewisjone 08-29-2007 02:21 PM

UUUUGHHHHH!

Dude, I do not make typos when I am messing around with the command line. I read, re-read, and then re-re-read all my commands. I do not hit the enter key until I am ready.

Of course, it is intended for security. But, there is no promise made about no one ever being able to hack it.

As I state in one of the comments on versiontracker, all someone has to do is change the RAM configuration to override it. No way around that one.


All times are GMT -5. The time now is 10:59 AM.
