Security 101 for Macs

[Michael Winter]

Reading through the "password management" thread brought up an issue I've been 
trying to figure out.

My oldest is heading off for her freshman year of college with her first 
MacBook Pro (we've been a Mac family since before she was born, but this is the 
first one that's all hers).

What should she know about security? What kind of security software should she 
have?

She knows the bare basics (like not having it automatically log her in on 
startup, having a backup, etc.). But are there things she should know that 
aren't that obvious? Password management is something I hadn't really thought 
about, and I know there are also different things that can be done to help in 
recovering lost/stolen Macs. What recommendations are there for an "average" 
Mac user?

TIA

-Mike
___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[LuKreme]

On Sep 12, 2011, at 10:02, Michael Winter  wrote:

> But are there things she should know that aren't that obvious?

For a laptop a firmware password to prevent booting of another drive or disc 
and a LoJack sort of system is best. Make sure and leave the guest account 
enabled so the tracker software can work.

If the laptop contains data than is worth a lot of money (think millions in 
research or something) then whole disk encryption, encrypted time machine, and 
no guest account are the best way to go. This will protect the data at the cost 
of almost certainly never recovering the hardware. For most people, the 
hardware is more valuable.___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Macs R We]

On Sep 12, 2011, at 9:02 AM, Michael Winter wrote:

> My oldest is heading off for her freshman year of college with her first 
> MacBook Pro (we've been a Mac family since before she was born, but this is 
> the first one that's all hers).
> 
> What should she know about security? What kind of security software should 
> she have?
> 
> She knows the bare basics (like not having it automatically log her in on 
> startup, having a backup, etc.). But are there things she should know that 
> aren't that obvious?

The internet is forever.  Don't post anything she wouldn't want read by a 
potential employer, stalker, or criminal.

Most (not all) online scams are easily detectable by anyone with the 
grammatical skills students graduated with prior to the '70s.  Not so much 
today.

Don't do anything sensitive (like banking or e-commerce) over a "free wifi" 
service, including the campus's own dorm service.  Get her a trusted VPN 
service and show her how to use it.

-- 
  Macs R We -- Personal Macintosh Service and Support
in the Wickenburg and far Northwest Valley Areas.
http://macsrwe.com

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Charles Dyer]

On 12 Sep 2011, at 12:15 , LuKreme wrote:

> On Sep 12, 2011, at 10:02, Michael Winter  wrote:
> 
>> But are there things she should know that aren't that obvious?
> 
> For a laptop a firmware password to prevent booting of another drive or disc 
> and a LoJack sort of system is best. Make sure and leave the guest account 
> enabled so the tracker software can work.

I haven't had an Apple laptop in a _long_ time. How do you set the firmware 
password on a modern Mac laptop? And isn't the Laptop Lojack software paritally 
parked in firmware? Does it _need_ an account? Wouldn't that be a major 
weakness?

> 
> If the laptop contains data than is worth a lot of money (think millions in 
> research or something) then whole disk encryption, encrypted time machine,

How do you encrypt Time Machine? I didn't think that that was possible.

> and no guest account are the best way to go. This will protect the data at 
> the cost of almost certainly never recovering the hardware. For most people, 
> the hardware is more valuable.___
> MacOSX-talk mailing list
> MacOSX-talk@omnigroup.com
> http://www.omnigroup.com/mailman/listinfo/macosx-talk

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Macs R We]

On Sep 12, 2011, at 9:48 AM, Charles Dyer wrote:

> I haven't had an Apple laptop in a _long_ time. How do you set the firmware 
> password on a modern Mac laptop? 

You can extract the "Firmware Password Utility" app from an invisible folder on 
the startup DVD, prior to Lion (which has no DVD).  Not up to date on where you 
get it now, but it can't be too hard.

-- 
  Macs R We -- Personal Macintosh Service and Support
in the Wickenburg and far Northwest Valley Areas.
http://macsrwe.com

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Charles Dyer]

On 12 Sep 2011, at 13:07 , Macs R We wrote:

> 
> On Sep 12, 2011, at 9:48 AM, Charles Dyer wrote:
> 
>> I haven't had an Apple laptop in a _long_ time. How do you set the firmware 
>> password on a modern Mac laptop? 
> 
> You can extract the "Firmware Password Utility" app from an invisible folder 
> on the startup DVD, prior to Lion (which has no DVD).  Not up to date on 
> where you get it now, but it can't be too hard.

Well... the only copy of the utility that I can find on Apple's site is at 
 and that's v1.0.2, posted in Dec 2001. 
Somehow I doubt that this is a Universal app. The note says to check the DVD 
that ships with the machine. This may be difficult with Lion, as it seems that 
no DVD ships with new machines and Lion. A call to Apple establishes that 
no-one who is not in Tech Support seems to know how to set the firmware 
password (so far as I can see there aren't very many who even know what a 
firmware password is) and Tech Support won't speak to me if I don't already own 
the machine in question.

A quick Google turns up 
 which states 
that the utility is now available if you boot into the Lion Recovery Volume. If 
so, this makes it substantially less secure, as now _anyone_ who has access to 
the machine can reboot into the LRV and reset the password without a hassle. I 
hope that this is in error. I really 
do.___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Michael Caplinger]

> A quick Google turns up 
>  which states 
> that the utility is now available if you boot into the Lion Recovery Volume. 
> If so, this makes it substantially less secure, as now _anyone_ who has 
> access to the machine can reboot into the LRV and reset the password without 
> a hassle. I hope that this is in error. I really 
> do.___

A firmware password will fix this problem, and keep anyone from booting from a 
CD/DVD/USB Drive, etc.

Mike


___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Macs R We]

On Sep 12, 2011, at 11:08 AM, Charles Dyer wrote:

> Well... the only copy of the utility that I can find on Apple's site is at 
>  and that's v1.0.2, posted in Dec 2001. 
> Somehow I doubt that this is a Universal app.

That's the original version, I think.  New versions have shipped on subsequent 
DVDs, and they haven't posted them.

> The note says to check the DVD that ships with the machine. This may be 
> difficult with Lion, as it seems that no DVD ships with new machines and 
> Lion. A call to Apple establishes that no-one who is not in Tech Support 
> seems to know how to set the firmware password (so far as I can see there 
> aren't very many who even know what a firmware password is) and Tech Support 
> won't speak to me if I don't already own the machine in question.

There wasn't an app per model, there was an app per release, and frankly I 
think the differences only had to do with the change from OpenFW to EFI, and 
maybe some concession for new features in later models.  But the SL version 
will probably work on your machine unless it's real new.

> A quick Google turns up 
>  which states 
> that the utility is now available if you boot into the Lion Recovery Volume. 
> If so, this makes it substantially less secure, as now _anyone_ who has 
> access to the machine can reboot into the LRV and reset the password without 
> a hassle. I hope that this is in error. I really do.

You are assuming it's some kind of magic application.  There's nothing magic 
about the application -- if you want to remove a machine's existing firmware 
password with the application you still have to know the password.  "Anyone" 
with a retail install disc in his pocket could always do exactly the same 
thing, but it only got him to the same place (nowhere).

-- 
  Macs R We -- Personal Macintosh Service and Support
in the Wickenburg and far Northwest Valley Areas.
http://macsrwe.com

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[David Schwartz]

On Sep 12, 2011, at 9:02 AM, Michael Winter wrote:

> My oldest is heading off for her freshman year of college with her first 
> MacBook Pro (we've been a Mac family since before she was born, but this is 
> the first one that's all hers).

Is this a new modern Mac? Running Lion?

I don't know why all this blather about firmware password; run Lion and enable 
File Vault (2). It will prevent anyone from seeing her data, even if they have 
physical access to her machine or the drive.

With File Vault 2 enabled, the General tab of the Security & Privacy preference 
pane's "Require password … after sleep or screen saver begins" cannot be turned 
off, with the only options being how long before the password kicks in. So user 
error is unlikely to allow an exploit should someone run off with it. Even the 
recovery partition can't be booted without the machine password.

As for the LoJack stuff remember that iCloud is slated to include a "Find My 
Mac" feature that works the way the "Find My iPhone" iApp and web app work 
today. I don't know if it will be as full featured as some of the commercial 
software, but it might be all you need.

And lastly, speaking as someone who is also sending his only son to UC with a 
brand new (and easy to steal) Macbook Air, purchasing theft insurance is worth 
consideration. A policy that will more then cover his computer is only about 
sixty dollars (he can pay the $100 deductible if he drops his guard), and with 
the data secured all he'll loose is the skateboard stickers on the case. These 
policies can even include accidental damage, which seems even more likely an 
occurrence then library or room-mate theft (late night, paper due and Jolt 
Cola, anyone?). 

We're looking at this place, but it might be worth calling your homeowners 
underwriter and see if they can offer a better deal:

http://www.worthavegroup.com/college-plus-chart



David___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Nathan Sims]

On Sep 12, 2011, at 12:07 PM, David Schwartz wrote:

> With File Vault 2 enabled, the General tab of the Security & Privacy 
> preference pane's "Require password … after sleep or screen saver begins" 
> cannot be turned off, with the only options being how long before the 
> password kicks in. So user error is unlikely to allow an exploit should 
> someone run off with it. Even the recovery partition can't be booted without 
> the machine password.

File Vault is a tantalizing option, but I have always been a bit intimidated to 
enable it:
1. Is File Vault one-way and forever on a volume?
2. When it is first enabled, does it laboriously go through your /Users account 
and encrypt everything in one fell swoop, and then afterwards encrypt files 
only as they are saved?
3. How much overhead is there when its on, any perceived lagging or slowness?
4. What happens if/when you turn File Vault off?
5. If the master password is forgotten, is recovery hopeless?

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[LuKreme]

Charles Dyer  squawked out on Monday 
12-Sep-2011@10:48:07
> 
> On 12 Sep 2011, at 12:15 , LuKreme wrote:
> 
>> On Sep 12, 2011, at 10:02, Michael Winter  wrote:
>> 
>> 
>> For a laptop a firmware password to prevent booting of another drive or disc 
>> and a LoJack sort of system is best. Make sure and leave the guest account 
>> enabled so the tracker software can work.
> 
> I haven't had an Apple laptop in a _long_ time. How do you set the firmware 
> password on a modern Mac laptop?

Boot off the install disc and choose “Set Firmware password” from the menu 
somewhere.

> And isn't the Laptop Lojack software paritally parked in firmware? Does it 
> _need_ an account? Wouldn't that be a major weakness?

No, oddly enough if you want the lojack to work, you need them to be able to 
USE the computer. If the data is more important than recovering the hardware, 
then you encrypt the crap out of everything and know that if the laptops is 
stolen you will never see it again, but the their will never be able to access 
the drive.

Either you want the hardware returned (install tracker software, enable guest 
account, do not encrypt the hardware and rely on the unit permissions to 
protect the data) or you want the data to be protected (no guest account, no 
tracking software, encrypt drive).

The tracking software doesn’t work unless there is a user logged in to the 
system. It also needs to be able to connect to WiFi.

>> If the laptop contains data than is worth a lot of money (think millions in 
>> research or something) then whole disk encryption, encrypted time machine,
> 
> How do you encrypt Time Machine? I didn't think that that was possible.

It’s a check box in the time machine control panel in 10.7

-- 
'I don't like to ask them questions.' 'Why not?' 'They might give me
answers. And then what would I do?' 

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[LuKreme]

Charles Dyer  squawked out on Monday 
12-Sep-2011@12:08:31
> A call to Apple establishes that no-one who is not in Tech Support seems to 
> know how to set the firmware password (so far as I can see there aren't very 
> many who even know what a firmware password is) and Tech Support won't speak 
> to me if I don't already own the machine in question.

Its in the menu’s in the installer when you boot off a installer disc (or a 
recovery partition). It’s ALWAYS<1> been there.


> For Mac OS X v10.5.x<2>, start from the Leopard Install DVD and choose 
> Firmware Password Utility from the Utilities menu, then skip to step 5.

(step 5 is basically "type in the password")

<1> for limited definitions of always.
<2> or 10.6 or 10.7

> A quick Google turns up 
>  which states 
> that the utility is now available if you boot into the Lion Recovery Volume. 
> If so, this makes it substantially less secure, as now _anyone_ who has 
> access to the machine can reboot into the LRV and reset the password without 
> a hassle. I hope that this is in error. I really do.

It doesn’t make the password less secure since you cannot CHANGE the password 
(or even boot into the recovery partition) without the original password. It 
does mean that someone could more easily set the firmware password without the 
owner knowing about it, I suppose. However, that’s always been true since you 
could simply boot a non-protected machine up with and install disc and set the 
password, but like you can set the BIOS password on a wintendo machine.

-- 
Otto: Apes don't read philosophy.  Wanda: Yes, they do Otto, they just
don't understand it.

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[David Schwartz]

On Sep 12, 2011, at 1:26 PM, Nathan Sims wrote:

> File Vault is a tantalizing option, but I have always been a bit intimidated 
> to enable it:
> 1. Is File Vault one-way and forever on a volume?
No

> 2. When it is first enabled, does it laboriously go through your /Users 
> account and encrypt everything in one fell swoop, and then afterwards encrypt 
> files only as they are saved?
"Laboriously"? It's a computer; it doesn't get calluses. 
File Vault 2 encrypts the entire volume, not just your user account. And the 
initial encryption pass allows you to continue using the machine while it 
crunches the numbers.

> 3. How much overhead is there when its on, any perceived lagging or slowness?
Reports are that it is hardly noticeable, at least on modern machines.

> 4. What happens if/when you turn File Vault off?
It decrypts the volume; see answer #1 above.

> 5. If the master password is forgotten, is recovery hopeless?
Apple provides a 24 digit Recovery Key that will decrypt the drive and an 
escrow service if you'd like them to hold the key for you.
If all keys are forgotten, then yes, recovery is not 
possible.___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[LuKreme]

Nathan Sims  squawked out on Monday 
12-Sep-2011@14:26:07
> 
> On Sep 12, 2011, at 12:07 PM, David Schwartz wrote:
> 
>> With File Vault 2 enabled, the General tab of the Security & Privacy 
>> preference pane's "Require password … after sleep or screen saver begins" 
>> cannot be turned off, with the only options being how long before the 
>> password kicks in. So user error is unlikely to allow an exploit should 
>> someone run off with it. Even the recovery partition can't be booted without 
>> the machine password.
> 
> File Vault is a tantalizing option, but I have always been a bit intimidated 
> to enable it:
> 1. Is File Vault one-way and forever on a volume?
> 2. When it is first enabled, does it laboriously go through your /Users 
> account and encrypt everything in one fell swoop, and then afterwards encrypt 
> files only as they are saved?

It does this for the Time Machine backups. For the disk it encrypts the entire 
disk. How fast is it? I don’t know I haven’t tried it.

I suspect it is either miraculously fast (throw the switch and it’s done) or it 
takes days.

> 3. How much overhead is there when its on, any perceived lagging or slowness?

No. The encryption is at the driver level. You will never notice it. Even 
running benchmarks there is almost no measurable difference in speeds.

> 4. What happens if/when you turn File Vault off?

Dunno.

> 5. If the master password is forgotten, is recovery hopeless?

Yep.

Turning on encryption requires TWO passwords. One is your regular password to 
give you access to the machine. One is the master password to recover any data 
on the machine. This one you need to keep someplace safe. The first one is just 
going to be your login password.

FTW, I would never ever ever run WDE (whole Disk Encryption) on a disk that was 
not being backed up at least twice, but I am paranoid.


-- 
Today the road all runners come/Shoulder high we bring you home.  And
set you at your threshold down/Townsman of a stiller town.

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Michael Winter]

On Sep 12, 2011, at 2:07 PM, David Schwartz wrote:

> On Sep 12, 2011, at 9:02 AM, Michael Winter wrote:
> 
>> My oldest is heading off for her freshman year of college with her first 
>> MacBook Pro (we've been a Mac family since before she was born, but this is 
>> the first one that's all hers).
> 
> Is this a new modern Mac? Running Lion?

Yes. Just picked it up at the Apple Store 2 weeks ago. I'm still trying to get 
used to not getting a bootable DVD with the machine. Things keep changing. We 
set it up so she can boot from the drive that has her Time Machine backup on 
it. 

-Mike
___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[David Schwartz]

On Sep 12, 2011, at 3:00 PM, Michael Winter wrote:

> We set it up so she can boot from the drive that has her Time Machine backup 
> on it. 


Why? 



Any Macintosh with Lion installed has a recovery partition as part of the disk 
formatting. You can boot into this partition and have access to handy Apple 
tools. You can access WiFi networks and run Safari, and you can restore a 
volume from a Time Machine (local or Time Capsule style remote) backup. For a 
general user I don't see a need for having an additional external boot drive. 
Am I missing something?


David




___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Michael Winter]

On Sep 12, 2011, at 5:11 PM, David Schwartz wrote:

> On Sep 12, 2011, at 3:00 PM, Michael Winter wrote:
> 
>> We set it up so she can boot from the drive that has her Time Machine backup 
>> on it. 
> 
> 
> Why? 
> 
> Any Macintosh with Lion installed has a recovery partition as part of the 
> disk formatting. 

Because drives fail. A hardware failure can knock out all partitions. 

A drive replacement, followed by booting from the external drive, 
repartitioning/formatting, then restore gets you up and running (though I 
hadn't thought about restoring the recovery partition). 

Is there a better way? What's the best way to handle a drive replacement in a 
situation like that (or even if you want a bigger drive)? I haven't checked 
into the network booting, but I'm hesitant to rely on that.

-Mike
___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[David Schwartz]

On Sep 12, 2011, at 4:44 PM, Michael Winter wrote:

> Because drives fail. A hardware failure can knock out all partitions. 
> 
> A drive replacement, followed by booting from the external drive, 
> repartitioning/formatting, then restore gets you up and running (though I 
> hadn't thought about restoring the recovery partition). 
> 
> Is there a better way? What's the best way to handle a drive replacement in a 
> situation like that (or even if you want a bigger drive)? I haven't checked 
> into the network booting, but I'm hesitant to rely on that.

If the goal is bare metal restore/disaster recovery, you could have partitioned 
the external USB drive first and then used the Lion Recovery Disk Assistant to 
put a Lion Recovery partition on the Time Machine drive. And/or, since this is 
a Macbook Pro with internal optical drive (a model introduced before the Lion 
release*), you could burn a DVD from the Lion installer package and keep that 
handy. Or use said Lion Recovery Disk Assistant to create an emergency USB 
stick; you only need 1GB free.

http://support.apple.com/kb/DL1433

If it were a model introduced after Lion was released (currently only the 
Macbook Airs and the new Mini) you can actually do a bare metal restore via the 
internet, booting the machine from the cloud:

http://support.apple.com/kb/HT4718 


*you actually have more disaster recovery options for this hardware then owners 
of newer models. From here on out you won't be able to install from an 
installer such as the Apple USB Thumb Drive (or, presumably, from a burned Lion 
installer DVD). You'll be required to use Lion Recovery. Which means a network 
connection.

http://support.apple.com/kb/HT4905___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[David Schwartz]

On Sep 12, 2011, at 5:22 PM, I asserted:

> You'll be required to use Lion Recovery. Which means a network connection.

That's probably wrong; with Lion Recovery and a Time Machine backup you could 
probably get up and running on a desert island.



David

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[LuKreme]

David Schwartz  squawked out on Monday 12-Sep-2011@13:07:28
> As for the LoJack stuff remember that iCloud is slated to include a "Find My 
> Mac" feature that works the way the "Find My iPhone" iApp and web app work 
> today. I don't know if it will be as full featured as some of the commercial 
> software, but it might be all you need.

Oh right. I forgot about that. That will be nice because it will allow tracing 
without leaving a Guest account enabled and the disk unencrypted. Will have to 
see how well it actually works though.

-- 
Updated to be PRCE compatible after 400 years: /(bb|[^b]{2})/

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[LuKreme]

Michael Winter  squawked out on Monday 12-Sep-2011@17:44:01
> 
> On Sep 12, 2011, at 5:11 PM, David Schwartz wrote:
> 
>> On Sep 12, 2011, at 3:00 PM, Michael Winter wrote:
>> 
>> 
>> 
>> Why? 
>> 
>> Any Macintosh with Lion installed has a recovery partition as part of the 
>> disk formatting. 
> 
> Because drives fail. A hardware failure can knock out all partitions. 

You said this was a brand new Mac? Those have the recovery partition in 
firmware. They can boot with a completely unreadable disk and reformat it and 
try to reinstall the OS. Or recover from a Time Machine partition.

-- 
'Begone From This Place Or I Will Smite Thee!' he [the god] commanded.
'Why?' 

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[David Schwartz]

On Sep 12, 2011, at 6:38 PM, LuKreme wrote:

> You said this was a brand new Mac? Those have the recovery partition in 
> firmware

No, not the entire Lion Recovery partition, just the bare minimum to contact 
Apple via TCP/IP. This gives Apple the ability to update the recovery system 
software if/when they want to. 


From the KB article I referenced down-thread:

"Lion Internet Recovery lets you start your Mac directly from Apple's Servers. 
The system runs a quick test of your memory and hard drive to ensure there are 
no hardware issues.

"Lion Internet Recovery presents a limited interface at first, with only the 
ability to select your preferred Wi-Fi network and, if needed, enter the WPA 
passphrase. Next, Lion Internet Recovery will download and start from a 
Recovery HD image. From there, you are offered all the same utilities and 
functions described above."


And it's only for _models_ of Macs introduced after Lion. At this point in time 
that means only Air and Mini.




David


___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Michael Winter]

On Sep 12, 2011, at 9:37 PM, David Schwartz wrote:

> And it's only for _models_ of Macs introduced after Lion. At this point in 
> time that means only Air and Mini.

Lots of new (to me) information. Her Macbook Pro did come with Lion 
pre-installed. The guy we worked with at the Apple Store made a point that it 
was the first one he sold they didn't have to pull out to install Lion. 
Obviously, its the hardware that counts, not what's installed on the drive. 
When we get a chance, I'll have to see what it can and can't do. 

-Mike

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[LuKreme]

David Schwartz  squawked out on Monday 12-Sep-2011@20:37:43
> 
> On Sep 12, 2011, at 6:38 PM, LuKreme wrote:
> 
>> You said this was a brand new Mac? Those have the recovery partition in 
>> firmware
> 
> No, not the entire Lion Recovery partition, just the bare minimum to contact 
> Apple via TCP/IP. This gives Apple the ability to update the recovery system 
> software if/when they want to.

Well, yes, ok.

> "Lion Internet Recovery presents a limited interface at first, with only the 
> ability to select your preferred Wi-Fi network and, if needed, enter the WPA 
> passphrase. Next, Lion Internet Recovery will download and start from a 
> Recovery HD image. From there, you are offered all the same utilities and 
> functions described above.”

So after a minute or 3, depending on WiFi bandwidth, you have a recovery 
partition without accessing a hard drive at all.

> And it's only for _models_ of Macs introduced after Lion. At this point in 
> time that means only Air and Mini.

Yes, that could have been clearer. The brand new AIR and mini can do this, 
brand new (*anything else*) can’t do that until the next hardware refresh on 
the specific model.

***

Really, it’s pretty darn nifty. 

-- 
"I used to hate the sun, because it'd shone on everything I'd done. Made
me feel that all that I had done was overfill the ashtray of my life."

___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Nathan Sims]

On Sep 12, 2011, at 12:07 PM, David Schwartz wrote:

> With File Vault 2 enabled, the General tab of the Security & Privacy 
> preference pane's "Require password … after sleep or screen saver begins" 
> cannot be turned off, with the only options being how long before the 
> password kicks in. So user error is unlikely to allow an exploit should 
> someone run off with it. Even the recovery partition can't be booted without 
> the machine password.

Okay, one additional question about this...

I have a system where that has about 1GB of Time Machine backups on an external 
drive. If I turn on File Vault, what does it do to the existing Time Machine 
backups? Encrypt them also? Leave them in cleartext? Will the new Time Machine 
backups be done encrypted?


___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk

Re: Security 101 for Macs

[Arno Hautala]

On Mon, Sep 19, 2011 at 15:28, Nathan Sims
 wrote:
>
> I have a system where that has about 1GB of Time Machine backups on an 
> external drive. If I turn on File Vault, what does it do to the existing Time 
> Machine backups? Encrypt them also? Leave them in cleartext? Will the new 
> Time Machine backups be done encrypted?

I can't confirm this from experience, but my understanding is that the
existing and future backups won't be encrypted. When you attach a new
drive and you're give the option to use it for TimeMachine, you're
also given the option to encrypt the backups.

All this does is turn on FileVault encryption for the TimeMachine
drive / partition. You can do the same using the command line to
enable encryption on your existing backup drive.

-- 
arno  s  hautala    /-|   a...@alum.wpi.edu

pgp b2c9d448
___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk