Old 08-03-2012, 11:37 PM   #1
onceagain
All Star
 
Join Date: Aug 2009
Posts: 662
Security

So, if you set a firmware password to help make the system more secure by preventing booting from an alternative source - what happens if the boot drive becomes unbootable for one reason or another?

I should mention my question is about a 2011+ model machine (mine is a mid 2012 13" MBP), where the "usual tricks" of booting without RAM and so forth don't work (or so I've read).

I want to lock my firmware with a password (I've already encrypted the disk), but I am concerned about what happens if the boot drive becomes unbootable for one reason or another.

The info here is informative:
http://support.apple.com/kb/TS3554
http://www.hackmac.org/forum/topic/1...d-macbook-pro/

If it is true, then it would seem that the only way around the issue is to take it to Apple, pay them money and let them unlock it. That could be inconvenient for a lot of different reasons, not the least of which is lack of access to an authorized tech (travel, live in the middle of nowhere, etc.).

I just want to lock down my machine, but I don't want to screw myself in the process.

UPDATE:
Oh, I think I get it. You just have to enter the password and you can boot from whatever other device you want - so it's not a problem if the boot drive goes tits up. Never mind (:

Last edited by onceagain; 08-04-2012 at 12:06 AM.
Old 08-04-2012, 12:22 AM   #2
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,045
Quote:
Originally Posted by onceagain
If it is true, then it would seem that the only way around the issue is to take it to Apple, pay them money and let them unlock it. That could be inconvenient

Although you have answered your own question, I will add that this would indeed be inconvenient, but inconvenience is the whole point of security.
Old 08-04-2012, 01:41 AM   #3
onceagain
All Star
 
Join Date: Aug 2009
Posts: 662
Quote:
Originally Posted by acme.mail.order
I will add that this would indeed be inconvenient, but inconvenience is the whole point of security.

That's completely incorrect. Inconvenience is a RESULT of security, it's not the reason it exists.
Old 08-04-2012, 07:23 AM   #4
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,045
I didn't say that's the "reason it exists", I said it was the point of it - to inconvenience those who want what is yours. This will also inconvenience (hopefully to a lesser degree) those who are allowed.
Old 08-04-2012, 08:33 AM   #5
DeltaMac
League Commissioner
 
Join Date: Jan 2002
Posts: 7,950
Just to clarify for others who may read this thread:
The password reset for the firmware password only becomes (truly!) inconvenient if you _forget_ that firmware password.

And - the firmware password remains only a simple hindrance to someone who really wants your data, if they have physical access to the Mac. The hard drive does not have firmware protection, so just remove the hard drive - which is a simpler procedure than bypassing the firmware password.
a.m.o. is accurate, I think. Inconvenience is the real goal - make the data thief move on to something quicker/easier...
And you are choosing to have another layer of "inconvenience" - an encrypted drive.

I was recently helping a friend, with similar questions. He had an encrypted drive, yet kept using an automatic login. I couldn't get him to understand that the encrypted drive didn't keep anything secure, when all anyone had to do was restart, and you could go everywhere....
Old 08-04-2012, 02:41 PM   #6
onceagain
All Star
 
Join Date: Aug 2009
Posts: 662
Quote:
Originally Posted by DeltaMac
Just to clarify for others who may read this thread:
The password reset for the firmware password only becomes (truly!) inconvenient if you _forget_ that firmware password.

And - the firmware password remains only a simple hindrance to someone who really wants your data, if they have physical access to the Mac. The hard drive does not have firmware protection, so just remove the hard drive - which is a simpler procedure than bypassing the firmware password.

The goal is two-fold (not necessarily in this order):

1). Try to make the machine as useless/worthless as possible to someone who would steal it. The firmware password serves this function.

2). Keep someone who would steal it from accessing my data. Full volume encryption serves this function.

Note that "Make the computer inconvenient to use" is not on that list. Yes, it is possible that someone could still get use of the mac - by selling it for parts if nothing else. Yes, it is possible that someone could still access my data. But at least I will have done what I can to prevent it, should, for whatever reason, my machine fall out of my hands and into the hands of the government or other evil-doers.

Quote:
a.m.o. is accurate, I think. Inconvenience is the real goal - make the data thief move on to something quicker/easier...

If you guys want to claim that inconvenience is the same as security - that's such a ridiculous concept that I really don't know what to say.

Quote:
I was recently helping a friend, with similar questions. He had an encrypted drive, yet kept using an automatic login. I couldn't get him to understand that the encrypted drive didn't keep anything secure, when all anyone had to do was restart, and you could go everywhere....

Probably went to public schools.
Old 08-04-2012, 08:00 PM   #7
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,045
Quote:
Originally Posted by onceagain
If you guys want to claim that inconvenience is the same as security

No security system is 100%. All it does, whether we're talking about checking your email or access to Fort Knox, is reduce the ease of an unauthorized person gaining access. According to Dictionary.app that's inconvenience.

Got a login password? Good. Does that not cause inconvenience for you when using your machine?

Got a lock on your front door? Good. Does that not cause inconvenience for you when coming home carrying several bags?

We accept these inconveniences as normal because they provide substantially more inconvenience to others. But note that getting into either your computer or your house is still possible - it just takes longer than at the house that didn't lock its doors, or at the business that installed the very convenient automatic door opener.

Quote:
Originally Posted by onceagain
Keep someone who would steal it from accessing my data. Full volume encryption serves this function.

You have written that sentence in the absolute. And computer-based encryption is not absolute*. It adds a speedbump, often a substantial one, and thus makes getting at your data like invading Switzerland - not worth the trouble.

* ironically, pencil-based encryption IS absolute. But it's less convenient.
Old 08-04-2012, 09:00 PM   #8
onceagain
All Star
 
Join Date: Aug 2009
Posts: 662
Quote:
Originally Posted by acme.mail.order
No security system is 100%.

Never said it was.

Quote:
is reduce the ease of an unauthorized person gaining access. According to Dictionary.app that's inconvenience.

Inconvenience is a result, not the goal. The goal is protection (security).

Quote:
Got a login password? Good. Does that not cause inconvenience for you when using your machine?

Not really. Now, certain websites, yeah.

Quote:
Got a lock on your front door? Good. Does that not cause inconvenience for you when coming home carrying several bags?

No. I always go in through the garage door anyway (:

Quote:
You have written that sentence in the absolute.

I said it serves the function. I didn't say it serves the function flawlessly.

Quote:
like invading Switzerland - not worth the trouble.

Oh, I dunno about that (:
Old 08-04-2012, 04:10 PM   #9
DeltaMac
League Commissioner
 
Join Date: Jan 2002
Posts: 7,950
I should point out that the firmware password is still not a good security method, as physical access to the laptop still gives someone easy access to the data. You are never asked for the firmware password, unless you are using some OTHER method of booting...
Physical access (the laptop is stolen, or acquired in some other way), and you can remove the hard drive. Then, the "security" of the firmware password is gone.
So, the firmware password is not, by itself, a 'security' measure, as it simply makes it 'inconvenient' to access the data.

The laptop would not be worthless, as the buyer might need to claim ownership, and call Apple to have the firmware password cleared.
So, the firmware password, even though now somewhat improved, is still just an 'inconvenience', and not a good security measure.
So, I agree that inconvenience is not the same as security.
Old 08-04-2012, 05:01 PM   #10
onceagain
All Star
 
Join Date: Aug 2009
Posts: 662
Quote:
Originally Posted by DeltaMac
So, I agree that inconvenience is not the same as security.

Glad we agree.

All times are GMT -5.