 Published on MacDevCenter (http://www.macdevcenter.com/)
 http://www.macdevcenter.com/pub/a/mac/2003/02/18/secure_tibook.html


Securing Your TiBook (or Any Other Mac OS X Machine)

by Ian F. Darwin
02/18/2003

A secure computer, it has been said many times, is one that's turned off and not connected to any network. But that could easily describe a TiBook in the backpack you just set down for a minute. If somebody can steal it, or even access it for a few minutes, they can get at your files. This article shows you how to slow them down.

If you're going to be on the Internet, of course, you have a moral and (in most jurisdictions) a legal responsibility to do all that is prudent and reasonable to ensure that your computer can't be used to attack other computers on that network. Yet how secure can you make a computer that is deliberately designed to be wide open (i.e., easy to use)? After showing you how to set a "BIOS password" in your TiBook or iBook, I'll show you how to close a few of the most obvious security openings in Mac OS X. If you're still running OS 9, of course, you should probably just forget about the notion of security and never connect your machine to any network. :>

BIOS Password?

I switched from an Intel notebook to a TiBook around the end of 2002. Because I do security work for some of my clients, I need to keep things under pretty tight control. Intel notebooks almost invariably have a BIOS password that prevents somebody who finds your notebook from booting it easily. By easily I mean they cannot boot it without taking the computer apart and removing the CMOS battery. The average crime of opportunity is probably committed in a few minutes when nobody's looking; if your notebook is unattended for only a few minutes it may be stolen, but it probably won't be disassembled.

I should mention that PC notebooks are generally less secure than Macs, if only because they usually have floppy drives and are usually set to boot from them if a floppy is in the drive. Put in a UNIX floppy and boot up and you can get any information off the hard drive. The BIOS password blocks this. My TiBook lacks a floppy, but like most off-the-shelf Macs it used to boot from a bootable UNIX CD (MacOS, OpenBSD/NetBSD or Linux) if one held down the C key while restarting.

Where, then, is the password on a TiBook or any other machine with "Open Firmware" (OFW)? OFW is part of the boot-up code in a "new-world" Mac (new-world is anything made since the first iMac). OFW, the command-line BIOS firmware in these machines, is patterned on the "Open Boot PROM" used for a long time on Sun Microsystems' SPARC Workstations. Sun donated the syntax to be an IEEE standard (IEEE-1275, released in 1994) and licensed the code to FirmWorks. Not surprisingly, Mitch Bradley, who designed OBP and implemented it for the Sun SPARCStation 1, left Sun to support the companies using OFW, founding FirmWorks to help support them.

So I wasn't surprised that many of the same commands I'd used years ago on Sun SPARCstations worked almost the same on my TiBook. They have a common heritage, even though Apple's is one of the few implementations not derived from the Sun/FirmWorks codebase. OFW is based on the Forth programming language, an older stack-based language that I won't describe here. You don't need to know anything about Forth to use OFW, but it explains why you get a strange "catch" message if you type, say, a single question mark at OFW's ok prompt.

Instead, I'll concentrate on how you can use OFW to make your Mac a bit more secure. First, we need a way to get into the boot prom monitor--a command-line mode in which you can change certain machine options. Hold down Option-Command-O-F (for Open Firmware). This will get you a bunch of chatter followed by an "ok" prompt.

Apple Powerbook3,2 4.x.x BootRom build on mm/dd/yy at hh:mm:ss
Copyright 1994-2002 Apple Computer, Inc.
All Rights Reserved

Welcome to Open Firmware, the system time and date is: 02:36:52 01/15/2003
Full security mode.

To continue booting, type "mac-boot" and press return.
To shut down, type "shut-down" and press return.

ok
0>

Just to get a look around, give the command "printenv" and press return; you will see a list of settings like "boot-device", "auto-boot?". That really is "auto-boot-[question mark]"; the ? at the end implies that it is a boolean, or predicate, rather like venerable LISP programmers giving function names ending in -p for predicate (see the introduction to the Hackers' Dictionary stored at many places on the net, including www.mcs.kent.edu, and search the file for "Gosperism").

0> printenv
------------ Partition: common ------- Signature:0x70 ----------
little-endian?        false               false
real-mode?            false               false
auto-boot?            true                true
..
boot-device           hd:,\\:tbxi         hd:,\\:tbxi
boot-file
boot-screen
..
More [<space>,<cr>,q] ?
..
security-mode         full
..

Note the two columns of values; the center column, where my system says "full", is the current setting of the variable. (Yours probably says none there, which is normal.) The rightmost column, for variables that have a default value, is the factory default setting, which can be restored by set-default boot-device.

Another informative command you can give is "devalias", which shows various short names and the actual OFW names for the devices.

Turning off "auto-boot?" drops me into the OFW prompt when I boot. But how do I get it to require a password?

First, the disclaimer. Making a mistake here, or forgetting the password you set, can and will turn your TiBook into a doorstop. Read the whole article through to the end before attempting. Do not do this unless you really care about security. Do not do this when you are sleep-deprived or otherwise inattentive. Use at own risk. Your mileage may vary. Neither the author nor O'Reilly assumes any liability.

Still reading? Type the obvious command at the OK prompt: password (No, you Unix geek, not "passwd", "password". This is "security for the rest of us".) Like any sane password prompt, it echoes with a masked character (to deter shoulder surfing), but also makes you type it twice to be sure you typed it correctly and to help you commit it to your medium-term memory.

Do I need to digress on "what makes a good password"? Don't use your name, your SO's name, your computer's name. Don't write it down on the top drawer of your desk or on the bottom of your TiBook. You get the picture. One bit of advice: don't put spaces or Option-keyed characters in your password. While these are great from the point of view of avoiding somebody trying to guess your password, some of the Apple upgrade documents list this requirement: "An Admin user password that does not contain spaces or Option-keyed characters is required to install. The password may not be blank." If you want some good characters to make a non-obvious password, choose from the top row of the keyboard (digits, !, @, etc.), rather than alphabetics plus the Option key.

By the way, you can reset all configuration variables to their defaults with the command set-defaults. This does not erase a password if you've set one, nor does it change the value of security-mode.

Only after your password is set and memorized should you enable security.

setenv security-mode full

The possible settings of security-mode are "none", "command", and "full". None is the default and is wide open--anybody who can get at your machine can do anything. Command lets you boot from the default disk (as set in boot-device) without the password, but not change settings. And full requires a password to do anything to the machine, including booting. The setting command is a bit more convenient and may be a better option for OS X users. I do not know the complete list of things you can do in "command" mode without a password, though, so out of paranoia I use "full" mode. As well, with "command" mode, you will boot normally for months without using the password, you will forget it, and you won't know it when you need it. So maybe you should use full mode.


The next step, and it's optional, is to turn off automatic booting, by setting auto-boot? to false.

setenv auto-boot? false

Now when your Mac boots it will bypass the shiny apple boot screen and give you an OFW banner and an OK prompt. Just type "boot", enter the correct password that only you know, and you're away to the races. Or wherever your Mac will take you.

But before you try booting it, type

reset-all

to save the new settings and reboot with them (note that you must use reset-all to save settings that are entered interactively, otherwise they are lost when you reboot).

You now have a machine which can't be operated without the password, though it may boot into OFW or directly into Mac OS depending on the settings, which are summarized in the Table below.

Restart Sequence

security-mode   auto-boot?   Normal Boot      Boot with Option key         Boot with C key
(any)           false        OFW Prompt       OFW Prompt                   OFW Prompt
none            true         Boots Mac OS X   Boot Chooser                 Boot from CD
command         true         Boots Mac OS X   Boot Chooser with password   Ignored, boot from HD
full            (any)        OFW Prompt       OFW Prompt                   OFW Prompt

Note that you can also set these variables using the "nvram" command under Darwin, that is, in a Terminal window. For example,

sudo nvram 'auto-boot?=false'

(assuming you have set up the sudo command correctly--see Michael Lucas' O'ReillyNet article on sudo, which stated that sudo ships with OpenBSD; it now also ships with Mac OS X. See also the "man" pages for sudo and for nvram for more details.)
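Since the settings above can be read back with nvram under Darwin, here is a small audit script, added as an example and not part of the original article, that reports what the security-mode, auto-boot? and boot-device variables mean for a restart. It assumes that "nvram -p" prints one variable per line as name, a tab, then value; the input below is constructed in that shape with the article's factory defaults, so the script runs without a Mac.

```shell
#!/bin/sh
# Added example, not from the article: audit the Open Firmware variables the
# article discusses, reading them in the form `nvram -p` prints under Darwin.
# Assumption: `nvram -p` emits one variable per line as name<TAB>value; the
# sample below is constructed in that shape (values mirror the article's defaults).

sample_nvram() {
    printf 'little-endian?\tfalse\nreal-mode?\tfalse\nauto-boot?\ttrue\n'
    printf 'boot-device\thd:,\\\\:tbxi\nsecurity-mode\tnone\n'
}

# nvram_get NAME: print NAME's value from name<TAB>value lines on stdin;
# exit status 1 if the variable is absent (never set, or a typo such as boot-fiel)
nvram_get() {
    awk -F'\t' -v key="$1" '$1 == key { print $2; found = 1 } END { exit !found }'
}

# ofw_audit: read nvram -p style lines on stdin and report what a restart would
# require; returns 0 when a firmware password guards the machine, 1 when it is open.
ofw_audit() {
    input=$(cat)
    mode=$(printf '%s\n' "$input" | nvram_get security-mode) || mode=none
    autoboot=$(printf '%s\n' "$input" | nvram_get 'auto-boot?') || autoboot=true
    device=$(printf '%s\n' "$input" | nvram_get boot-device) || device='(default)'
    case "$mode" in
        full)    echo "security-mode=full: password needed for anything, booting included"; rc=0 ;;
        command) echo "security-mode=command: boots $device without a password; changing settings needs one"; rc=0 ;;
        *)       echo "security-mode=$mode: wide open, anyone holding the machine can change boot settings"; rc=1 ;;
    esac
    if [ "$autoboot" = false ]; then
        echo "auto-boot?=false: restart stops at the OFW ok prompt"
    else
        echo "auto-boot?=true: restart goes straight to $device"
    fi
    return $rc
}

# Run against the constructed sample (on a real Mac: nvram -p | ofw_audit)
sample_nvram | ofw_audit || echo "audit: firmware password NOT enforced"
```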


Of course, this is a Macintosh and you're not supposed to have to use the command line for anything. If you'd prefer a Mac GUI program that will keep it simple, but only let you set a password and set the security-mode described above to "command" (or back to "none"), you can get one from Apple. But since you're here, why not read the rest of this article?

Note also that with full security turned on you can no longer:

A minor historical artifact: there are a few differences between Sun's implementation and Apple's. Sun's doesn't allow setting your own variables, but Apple's does. The only real result is that Apple requires more care in typing. For example, if you meant to say setenv boot-file hd:,ofwboot but you actually type setenv boot-fiel hd:,ofwboot Apple's implementation will silently create a new variable boot-fiel, and since you haven't actually set the boot-file to anything, it will still have the default value. That is, Apple's OFW implementation will silently ignore a lot of errors. Strangely, Apple's implementation also does not implement the unsetenv command, so there is no defined way of deleting these extraneous variables. Perhaps Apple just doesn't intend people to use OFW interactively; indeed, the all-important, user-friendly command-line help command does not work. Sun's at least gives you a list of commands by category.

Do NOT try to set the password using the nvram command or using setenv in OFW. Doing so will create a "word" called password which will "hide" the password command so you will no longer be able to invoke the password command in OFW (you can then only change the OFW password using Apple's GUI program described in the text).

And what happens if you forget the password? You can turn your doorstop back into a Mac, of course, but it may cost you. First, if you can still boot (i.e., you didn't set security-mode full), and you have the password to an "administrator" account, you can reset the password using the Apple-provided GUI program mentioned earlier (but not using the nvram command -- see sidebar). Otherwise, you have to open the case and add or remove any amount of system memory. Apple figured this would happen AND figured that if you have physical access to open it, you "own" the machine. So if the amount of memory changes, the password is removed. Yet another reason for not leaving your TiBook lying around unattended! If that doesn't work or you just don't want to open the case, take it back to your Apple service center.

Dual Booting

Although most readers won't need to set up a machine for "dual boot", that is, being able to boot into one of two different operating systems, you only need one extra OFW command to enable it. You probably don't need a "boot manager" as you would on a PC. For example, because of my security work, my TiBook often runs OpenBSD, but can easily be booted into Jaguar, depending on my mood when I boot it up. Other choices for dual-booting, if you need the capabilities of the other system, are NetBSD and Linux/PPC. As per the install instructions for OpenBSD, I set the boot-device to be "hd:,ofwboot" after installing the file ofwboot in the root of the HFS+ partition.

setenv boot-device hd:,ofwboot

Now when I boot, I can just type "boot" at the OK prompt (with security-mode full, or just restart the machine with security-mode command) to boot into OpenBSD. Or, I can type the cryptic

boot hd:,\\tbxi

(Note that with command mode, I have to enter OFW, type any command that requires a password, and then type the boot command above. I guess a boot manager might be good after all.) Don't ask me what tbxi stands for; I simply observed that it's the factory default in printenv's listing, and it gets me into Mac OS X. Alternately, I could have left this setting alone and used "boot" to get Mac OS and "boot hd:,ofwboot" to boot OpenBSD (right now you cannot use the graphical boot chooser to boot into OpenBSD from the hard drive).

Again, for normal Mac OS X-only use, you only need to set a password and security-mode; it will prompt you for the password as appropriate.

Other Local Openings

So you've set a boot password and enabled full security. Now the bad guy can't just turn your machine on and walk all through your secret data, right? Wrong. Because, out of the box, OS X doesn't even require login passwords. First thing to do is change this. Go to System Preferences -> System -> Accounts -> Users -> Set Auto Login... and ensure that the "Log in automatically" checkbox is not checked for any user. You now have to type a password to login to the computer. As an aside, your login password should not be the same as the "BIOS password" set earlier.

Now the Screen Saver. Screen savers should always have a password, so nobody can use your machine if they walk up to it while you've stepped out for a coffee. Go to System Preferences -> Personal -> Screen Effects -> Activation, and ensure that "Use my user account password" is selected. While you're there, "Hot Corners" provides a convenient way to start the screen saver--which should now be a screen lock--just by dragging the mouse off a given corner of the screen. I use this feature.

What about your OS 9 disk? If you have an OS 9 disk attached to your machine, or an OS 9 partition, with some Mac hardware you can sometimes get the Mac to boot into OS 9 by interrupting the boot on the OS X partition. Either don't keep OS 9 disks online or ensure you have selected passwords under the Multiple Users control panel.


Network Security Openings

If you use rsh, telnet or SSH, you might want to enable remote access to your computer. Mac OS X comes with OpenSSH, the free, open-source implementation of SSH, the Secure Shell protocol. The client is part of Mac OS X--to ssh out to another host, just say "ssh nameOfHost.com" and you've got an SSH connection, assuming the host runs an SSH server. To enable the SSH server, look in System Preferences -> Sharing and check the box for Remote Login.

While you're there, if your machine is on the Internet or any other network, you should probably start the "Personal Firewall" under the Firewall tab. The "Personal Firewall"--like pf or ipf on BSD UNIXes--provides a simple but effective packet filter which prevents all incoming network traffic other than what you allow. When you turn on a service like SSH, it is automatically allowed by the firewall. Note that if you don't enable the firewall, there is a greater chance of crackers accessing system services or files remotely. There is more detail on the Personal Firewall in Chris Cochella's macdevcenter article.

There is no rsh or telnet server enabled--and I'm glad they don't ship r*d or telnetd. Actually, these do ship with OS X, but there is no way to enable them from System Preferences, which is a step in the right direction. These puppies are dangerous--read: "totally insecure"--and should not be used. Your Mac OS X comes with ssh; use it instead.

Most of these servers, as well as the OS kernel, are part of the "open source" Darwin project, which means two things: bugs are likely to get found and likely to get fixed. The system crackers have the source code to this stuff and are reading it while you're reading this article, so do be sure and apply all updates that Apple makes available.

Finally, the fewer "sharing options" you enable, the less likely you are to suffer a hull breach when the crackers attack from deep in cyberspace.

References

OFW is designed to help in debugging operating systems; as such, it gives you much more control over the machine than is good for you. Do not experiment with OFW commands not discussed here; you can render your machine unbootable or lose data from your disk.

Here's a handy table that shows you four useful keyboard combinations related to restarting and powering down.

Control Sequence              When valid        Meaning
Command-Option-O-F            During restart    Enter Open Firmware
Control-Option-P-R            When restarting   "Zap the PRAM", disabled by security-mode
Control-Option-POWER          Almost anytime    Emergency Power Off
Command-Shift-Option-Delete   During restart    Boot from CD


Ian F. Darwin has worked in the computer industry for three decades: with Unix since 1980, Java since 1995, and OpenBSD since 1998. He is the author of two O'Reilly books, Checking C Programs with lint and Java Cookbook, and co-author of Tomcat: The Definitive Guide with Jason Brittain.




Copyright © 2007 O'Reilly Media, Inc.