Results 1 to 14 of 14

Thread: More security questions

  1. #1
    Join Date
    May 2004
    Posts
    478

    Default More security questions

    Why am I getting more paranoid than usual? Well, we've had several burglaries up and down our street recently, so it does concentrate the mind a bit.

    Came across this in a web article on hard drive security:

    It doesn’t matter if you have a good password because the attacker can simply boot to a new operating system off of a USB stick, bypassing your password, to look at your files

    And wondered if this is true, or if it applies to PCs only, or what?

    Any thoughts? Or don't other Mac users worry too much about security!?

    Ta.

    Allen.

  2. #2
    Join Date
    May 2004
    Posts
    478

    Default

    More thoughts on similar fronts.

    Way back, I asked about SSDs and Filevault (back in March this year). Eventually, I gave up trying to get Filevault running, on the basis that my Toshiba SSD was the problem.

    UncleMac concluded the discussion by mentioning a new OS due out later in the year, and I decided to wait till then.

    So now High Sierra is with us, with (allegedly) a new overall encryption system that is superior to Filevault.

    Any comments about High Sierra (apart from the much-publicised 'root' password business, which I hope/assume/pray is fixed on the version I'm about to download from the App Store?

    Thanks.

    Allen.

  3. #3
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    8,964

    Default

    From a hardware standpoint, possession equals ability to take over the system. The statement was correct as far as that goes. Anything that you can access while logged in as the user without entering an encryption password is available to anyone who possesses your computer.

    An encrypted file or drive is another matter. The encryption is supposed to require you to entire a key before it can be accessed.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  4. #4
    Join Date
    May 2004
    Posts
    478

    Default

    I went down the route of my lack of Recovery Partitions being the cause of my problems, (thank you M Brayne and others) and indeed it seems it was so.

    This:

    http://osxdaily.com/2016/07/03/recre...partition-mac/

    tells you how to create a recovery partition when for some reason you don't have one. I went through the fairly simple procedure, and half an hour later had El Capitan with recovery.

    Tried FileVault, and sure enough, it is now ticking away encrypting my hard drive.

    So not the Toshiba SSD, or maybe it was, but it was the lack of a Recovery Partition wot dun it. (Still don't really know what a Recovery Partition is or does, but I'm happy with my FileVault).

    Allen.

  5. #5
    Join Date
    May 2004
    Posts
    478

    Default

    Well, it ticked away for nearly 8 hours, encrypting and optimising, and was finished.

    So this morning when I turned on I expected to be asked for my long code, and wasn't. It took longer than usual to boot, and then I was just asked for my 'usual' hard drive password.

    Is this the way it's supposed to work? Is it now encrypted?

    Can't find answers from Apple (no surprise there).

    A.

  6. #6
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    8,964

    Default

    So, if it doesn't ask for a password beyond your logging in as a User, your data is not secured by virtue of anything. If I can lay hands on your computer, I can log in as you after inserting a new root password. Anything that your user cn access from its login is available to anyone who has possession.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  7. #7
    Join Date
    May 2004
    Posts
    478

    Default

    Thanks Ricks,

    Although that does leave me with a dilemma. I was anxious to get an answer to this, so as well as posting my question here, I asked the same question on Apple Support:

    https://discussions.apple.com/message/32666103#32666103

    What I asked there was:

    "I've enabled FileVault on my Mac Mini running El Capitan. I've made a note of the long code, but on log-in still use my (also long and complex) 'hard drive' password.
    *
    Question: is this sufficient to defeat the thief who steals my machine, removes the hard drive, and reboots in another machine? Will he be faced with gobbledegook, or my data?
    *
    When do I need the system-generated 'long' password?
    *
    Thanks."

    and the reply came, I think from an Apple staff member:

    "Thanks for using the Apple Support Communities. If you have questions about FileVault, you may find the following article helpful:

    Use FileVault to encrypt the startup disk on your Mac - Apple Support

    In short, though, that is correct. FileVault provides full-disk encryption, so even removing and mounting the drive on another machine would only show encrypted data. Under normal circumstances, you would use your standard password. If that password is ever lost or forgotten, the extended *"long code" (recovery key) can be used to regain access, if so configured.

    Regards."


    Now, over the years I've come to trust MacGuru's advice - it has always proved right! But you see the problem. Apple Support say that my FileVault encrypted hard drive IS secure.

    I'm getting to the stage where I might revert to keeping all my documents under the bed instead...


    Allen.

  8. #8
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    8,964

    Default

    The answers you get on the Apple Discussion Forums are from other users. Almost never does an Apple employee answer anything there. Only way to get actual Apple support is through direct to a support agent. While it is possible to escalate some things up stairs to higher levels, a question like this is unlikely to be answerable by base level support personnel. I would suspect this is not in their 3 month training nor in their binder full of support possibilities.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  9. #9
    Join Date
    May 2004
    Posts
    478

    Default

    Ricks:

    If you can find the time, can you have a look at the link provided in that posting, i.e.

    https://support.apple.com/en-us/HT204837

    which is Apple's description of their FileVault2 system, and their claims for its lack of vulnerability.

    The point is, it contradicts your assertion that an educated crook with a screwdriver and other bits could remove my hard drive AND (crucially) gain access to my UNENCRYPTED data.

    If this is wrong, then Apple have much to answer for - nothing new there, but I think data security is pretty important.

    Thanks.


    Allen.

  10. #10
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    8,964

    Default

    I NEVER said an educated crook could take your hard drive out and access it.

    I very specifically said that I could log into any Mac I had possession of and enter new passwords for the users. If you can access the data on the drive just by virtue of being logged in then it i not protected. If you have to enter some sort of key to access protected data then you are protected.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  11. #11
    Join Date
    May 2004
    Posts
    478

    Default

    So is there anything I can do to protect my data?

    If for example I install a new root password, would that stop someone from over-writing my FileVault encryption?

    Tks.

    A

  12. #12
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    8,964

    Default

    As far as I know, anyone who has physical access to your computer can use password utilities and insert new user passwords. I have never used encryption, I need to keep saying that so I don't give any impression I know much. But I always thought that you had to enter the encryption password to access the files, over and above your user password.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  13. #13
    Join Date
    May 2004
    Posts
    478

    Default

    Fair enough, Ricks; my confusion arises because in that Apple Support link they claim (?) that once you've done the FileVault (long and tedious, took me over 9 hours) routine, entering your usual hard-drive password activates the FileVault protection.

    I'll set a new Root Password as well - probably over the top, but double-locking everything will do no harm.

    Allen.

  14. #14
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    8,964

    Default

    Don't think root has anything to do with it. As root you have total permissions for system files. You do want a root password. But it doesn't really change much.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •