Security -- a lesson to be learned from Apple
Thu, 12 Jul 2007 23:47:11 -040
With almost any machine using any OS you can name, you can bypass a lot
of the security features if you have physical access to it and can boot
from a suitably configured floppy or CD or simply interrupt the normal
boot process. (E.g., I have a Linux boot CD with software that can zap
out the WinXP Administrator password -- but I can assure you that I've
only ever used it on my own machine.)
Our son's new MacBook Pro seems to have guarded against this kind of
thing: it can't even be shut down without an Administrator ID and
password. It can be put into Sleep mode but not completely shut down.
And since it can't be shut down, it can't be rebooted from a CD, so the
boot process can't be interrupted.
eCS needs a feature like this in many environments, surely?
-=-
Re: Security -- a lesson to be learned from Apple
Fri, 13 Jul 2007 10:24:19 GMT
Unplug it, replug it. Tada. You can password your bios preventing a boot
event, that's been around for years. What else. Oh, the only thing I want
from mac is the remainder of their marketshare.
Re: Security -- a lesson to be learned from Apple
Fri, 13 Jul 2007 11:11:16 -040
On 07/13/07 06:24 am Brett Carlock wrote:
> Unplug it, replug it. Tada. You can password your bios preventing a boot
> event, that's been around for years. What else. Oh, the only thing I want
> from mac is the remainder of their marketshare.
I thought they had covered the unplug/replug method too: I had removed
the battery from the notebook (the power cord being unplugged already),
left it out for a while, then reinserted the battery, and back it came
to the previous no-administrator-privileges account. What I had
overlooked, however, was that by closing the notebook to turn it over
and get at the battery I had put it into sleep/suspend (or whatever)
mode first, so it simply resumed when it was powered up again.
When I removed and replaced the battery without closing the notebook
first, it did indeed reboot, and I could have booted it from a startup
disk and done all kinds of things that are normally available only to an
administrator. And I was able to interrupt the boot and get to a
Unix-like prompt from which various administrator-type things could be done.
Re: BIOS passwords. I understand that more recent Apples have a similar
feature, but it wasn't enabled on this machine. IAC, all the PC BIOSes
I've seen permit only a 6-character password, which is not wonderfully
secure.
I'm not dissing OS/2 or eComStation, which is what I use 90% of the
time, but that doesn't mean there's no room for improvement -- even if
it means using ideas that come from Apple, Micro$oft, or Linux/Unix.
Being unable to shut down without an administrator password would be one
more hurdle for a casual hacker.
-=-
Re: Security -- a lesson to be learned from Apple
Fri, 13 Jul 2007 21:23:43 GMT
On Fri, 13 Jul 2007 15:11:16 UTC, Alan Beagley <cyberpastor@att.net>
wrote:
-> On 07/13/07 06:24 am Brett Carlock wrote:
->
-> > Unplug it, replug it. Tada. You can password your bios preventing a boot
-> > event, that's been around for years. What else. Oh, the only thing I want
-> > from mac is the remainder of their marketshare.
->
->
-> I thought they had covered the unplug/replug method too: I had removed
-> the battery from the notebook (the power cord being unplugged already),
-> left it out for a while, then reinserted the battery, and back it came
-> to the previous no-administrator-privileges account. What I had
-> overlooked, however, was that by closing the notebook to turn it over
-> and get at the battery I had put it into sleep/suspend (or whatever)
-> mode first, so it simply resumed when it was powered up again.
->
-> When I removed and replaced the battery without closing the notebook
-> first, it did indeed reboot, and I could have booted it from a startup
-> disk and done all kinds of things that are normally available only to an
-> administrator. And I was able to interrupt the boot and get to a
-> Unix-like prompt from which various administrator-type things could be done.
->
-> Re: BIOS passwords. I understand that more recent Apples have a similar
-> feature, but it wasn't enabled on this machine. IAC, all the PC BIOSes
-> I've seen permit only a 6-character password, which is not wonderfully
-> secure.
->
-> I'm not dissing OS/2 or eComStation, which is what I use 90% of the
-> time, but that doesn't mean there's no room for improvement -- even if
-> it means using ideas that come from Apple, Micro$oft, or Linux/Unix.
-> Being unable to shut down without an administrator password would be one
-> more hurdle for a casual hacker.
->
-> -=-
-> Alan
That must be selectable. My kids have MacBook Pros with the latest
OSX (10.4.10) and no such password is required to shut down. It does
require an admin signon to install anything, even updates from Apple.
I like eCS not requiring signon/password myself even on startup, but
if it were an optional item that would be fine with me. I can
understand why others might like this. I find it annoying that it has
a delay to shut down unless you hit Enter. But for me when I want to
shut down, I just want it as fast as possible.
I also find most software on the Mac annoying to use because of all
the popups asking if you really want to do something ("Are you sure you
really want to close?") though usually you can avoid these by using
Apple key+Q to shut an application immediately. It also takes some
retraining to close an app using either the menu bar or the Apple+Q
keys. I kept clicking on the X in the window corner and that just
closes the window. Any idea if there is a key combo that will
shut down OSX itself? On eCS I can shut down the system using Alt-F4 if
I have the desktop focus thanks to eWorkPlace.
Mark
--
From the eComStation of Mark Dodel
http://www.os2voice.org
Warpstock 2006, Windsor, Ontario, Canada, Oct 12-15, 2006 -
Re: Security -- a lesson to be learned from Apple
Sun, 15 Jul 2007 19:26:05 -040
On 07/13/07 05:23 pm Mark Dodel wrote:
> -> Re: BIOS passwords. I understand that more recent Apples have a similar
> -> feature, but it wasn't enabled on this machine. IAC, all the PC BIOSes
> -> I've seen permit only a 6-character password, which is not wonderfully
> -> secure.
> ->
> -> I'm not dissing OS/2 or eComStation, which is what I use 90% of the
> -> time, but that doesn't mean there's no room for improvement -- even if
> -> it means using ideas that come from Apple, Micro$oft, or Linux/Unix.
> -> Being unable to shut down without an administrator password would be one
> -> more hurdle for a casual hacker.
> That must be selectable. My kids have MacBook Pros with the latest
> OSX (10.4.10) and no such password is required to shut down. It does
> require an admin signon to install anything, even updates from Apple.
> I like eCS not requiring signon/password myself even on startup, but
> if it were an optional item that would be fine with me. I can
> understand why others might like this. I find it annoying that it has
> a delay to shut down unless you hit Enter. But for me when I want to
> shut down, I just want it as fast as possible.
Here's what I had in mind, but it seems that it's quite dicey and not
officially supported:
http://www.securemac.com/openfirmwarepasswordprotection.php
> I also find most software on the Mac annoying to use because of all
> the popups asking if you really want to do something ("Are you sure you
> really want to close?") though usually you can avoid these by using
> Apple key+Q to shut an application immediately. It also takes some
> retraining to close an app using either the menu bar or the Apple+Q
> keys. I kept clicking on the X in the window corner and that just
> closes the window. Any idea if there is a key combo that will
> shut down OSX itself? On eCS I can shut down the system using Alt-F4 if
> I have the desktop focus thanks to eWorkPlace.
Don't know about a direct keyboard shutdown method for a Mac. I haven't
played with the machine enough yet to find out.
-=-