Protecting a PowerBook from unauthorized use

On Nov 29, 2005, at 1:46 PM, Hector I. Macedo wrote:

> I would like to ask for help. I have experience with my usage of
> desktop Macs, but I just got my new PB and would like to have it
> secure in regards to usage, something like no one could operate it
> without my password.

If you go to the Security system preference, you will find many
options for securing your Mac. You can have it prompt for a password
whenever it wakes from sleep (and have it ask for a password on boot
rather than automatically log in -- handled via login options in the
Accounts preference pane). This can be worked around by booting off
an external drive, as you surmised.

The ultimate in security is to turn on "FileVault." This will encrypt
(with US government-grade encryption) your entire home folder and
everything in it. Without the password, nobody will be able to access
your stuff without the password.

They can still USE your computer, and even delete your home folder
(if they can boot off a startup disk), but they cannot log in as you
nor access your files.

You can even bypass the ability to boot off another disk by modifying
open firmware and adding an open firmware password.

<http://www.securemac.com/startupsecurity.php>

Keep in mind, however, that this level of security can create many
inconveniences and potentially drag down performance. Disabling
external boot devices also makes it impossible to repair or reinstall
MacOS X. So be careful what you do and don't go too far.

For my part, I just have a password and engage a password on sleep. I
keep critical files in an encrypted disk image so that they cannot be
accessed even if my computer is compromised. This seems to be a good
balance between security and convenience.

--Nik

On Nov 29, 2005, at 3:46 PM, Hector I. Macedo wrote:

> I would like to ask for help. I have experience with my usage of
> desktop Macs, but I just got my new PB and would like to have it
> secure in regards to usage, something like no one could operate it
> without my password.

I think a combination of security features built into OSX and Open
Firmware should accomplish this.

First, make sure that the PB is not set to automatically log-in so
that when the PB boots from the internal drive, you need the account
name and password to use it. Enable password protection for sleep.
Then, use Apple's Open Firmware Password to enable the security
features of Open Firmware. This will prevent the PB from booting
from any drive other than the one specified in the Startup Disk Sys
Prefs. It disables the boot from CD/DVD. It also asks for the OF
password when you attempt to boot from an external HD.

For extra security, store sensitive data on an encrypted disk image
(or enable filevault if you are feeling brave).

I think there is a commercial product called FileGuard that
supposedly provides more security, but it was announced few months
ago and has been vaporware ever since.

Tn


 

I found the Securing Mac OSX white paper from Corsaire to be very useful:

http://www.corsaire.com/white-papers/

Although you probably won't want to implement all of their suggestions, it certainly helps you think about what's appropriate for your situation and it does provide a good checklist of things to look at.

Cheers GK

Add a 'Reward for Return' message to login display.



MacWorld magazine had a nice tip but it only works if an honest person finds your PB. Use a grapics editor (i.e. PhotoShop, GraphicConverter) to modify the file /Library/Desktop Pictures/Aqua Blue.jpg. Edit a message onto this picture and it will show up on the login prompt display. My message looks something like this:

----------------------

Property of Joe Smith

123 Main Street

Anywhere, AL, USA

(555)123-4567

myemailmyisp.com

Reward for Return

----------------------

Kevin Ryan

Since the big risk with a portable is disappearance, some way for it to phone home is a plus. LapCop protects all of your machines for $25 (has some issues, which hopefully will be resolved with a New Year reprogramming.) Set the machine to start up into a non-admin guest account, with the ownership info appearing on the desktop. Then the less than honest "finder" can happily play around with the machine until the cops arrive :-)