Securing Your TiBook (or Any Other Mac OS X Machine)
by Ian F. Darwin
02/18/2003
A secure computer, it has been said many times, is one that's turned
off and not connected to any network. But that could easily describe a
TiBook in the backpack you just set down for a minute. If somebody can
steal it, or even access it for a few minutes, they can get at your
files. This article shows you how to slow them down.
If you're going to be on the Internet, of course, you have a moral and
(in most jurisdictions) a legal responsibility to do all that is prudent
and reasonable to ensure that your computer can't be used to attack other
computers on that network. Yet how secure can you make a computer that is
deliberately designed to be wide open (i.e., easy to use)? After showing
you how to set a "BIOS password" in your TiBook or iBook, I'll show you how to close a few of the most
obvious security openings in Mac OS X. If you're still running OS 9,
of course, you should probably just forget about the notion of security
and never connect your machine to any network. :>
BIOS Password?
I switched from an Intel notebook to a TiBook around the end of
2002. Because I do security work for some of my clients, I need to keep
things under pretty tight control. Intel notebooks almost invariably have
a BIOS password that prevents somebody who finds your notebook from
booting it easily. By easily I mean they cannot boot it without taking the
computer apart and removing the CMOS battery. The average crime of
opportunity is probably committed in a few minutes when nobody's looking;
if your notebook is unattended for only a few minutes it may be stolen,
but it probably won't be disassembled.
I should mention that PC notebooks are generally less secure than Macs,
if only because they usually have floppy drives and are usually set to
boot from them if a floppy is in the drive. Put in a UNIX floppy and boot
up and you can get any information off the hard drive. The BIOS password
blocks this. My TiBook lacks a floppy, but like most off-the-shelf Macs it
used to boot from a bootable UNIX CD (MacOS, OpenBSD/NetBSD or Linux) if
one held down the C key while restarting.
Where, then, is the password on a TiBook or any other machine with
"Open Firmware" (OFW)? OFW is part of the
boot-up code in a "new-world" Mac (new-world is anything made since
the first iMac). OFW, the command-line BIOS firmware in these machines, is
patterned on the "Open Boot PROM" used for a long time on Sun
Microsystems' SPARC Workstations. Sun donated the syntax to be an IEEE
standard (IEEE-1275, released in 1994) and licensed the code to
FirmWorks. Not surprisingly, Mitch Bradley, who designed OBP and
implemented it for the Sun SPARCStation 1, left Sun to support the
companies using OFW, founding FirmWorks to help support them.
So I wasn't surprised that many of the same commands I'd used years ago
on Sun SPARCstations worked almost the same on my TiBook. They have a
common heritage, even though Apple's is one of the few implementations not
derived from the Sun/FirmWorks codebase. OFW is based on the Forth
programming language, an older stack-based language that I won't describe
here. You don't need to know anything about Forth to use OFW, but it
explains why you get a strange "catch" message if you type, say, a single
question mark at OFW's ok prompt.
Instead, I'll concentrate on how you can use OFW to make your Mac a bit
more secure. First, we need a way to get into the boot prom monitor--a
command-line mode in which you can change certain machine options. Hold
down Option-Command-O-F (for Open Firmware). This will get you a bunch of
chatter followed by an "ok" prompt.
Apple Powerbook3,2 4.x.x BootRom build on mm/dd/yy at hh:mm:ss
Copyright 1994-2002 Apple Computer, Inc.
All Rights Reserved
Welcome to Open Firmware, the system time and date is: 02:36:52 01/15/2003
Full security mode.
To continue booting, type "mac-boot" and press return.
To shut down, type "shut-down" and press return.
ok
0>
Just to get a look around, give the command "printenv" and press
return; you will see a list of settings like "boot-device",
"auto-boot?". That really is "auto-boot-[question mark]"; the ? at the end
implies that it is a boolean, or predicate, rather like venerable LISP
programmers giving function names ending in -p for predicate (see the
introduction to the Hackers' Dictionary stored at many places on the net,
including
www.mcs.kent.edu, and search the file for "Gosperism").
0> printenv
------------ Partition: common ------- Signature:0x70 ----------
little-endian? false false
real-mode? false false
auto-boot? true true
..
boot-device hd:,\\:tbxi hd:,\\:tbxi
boot-file
boot-screen
..
More [<space>,<cr>,q] ?
..
security-mode full
..
Note the two columns of values; the center column, where my system says
"full", is the current setting of the variable. (Yours probably says none
there, which is normal.) The rightmost column, for variables that have a
default value, is the factory default setting, which can be restored by
set-default boot-device.
Another informative command you can give is "devalias", which shows
various short names and the actual OFW names for the devices.
Turning off "auto-boot?" drops me into the OFW prompt when I boot. But
how do I get it to require a password?
First, the disclaimer. Making a mistake here, or forgetting the
password you set, can and will turn your TiBook into a doorstop.
Read the whole article through to the end before attempting. Do not do
this unless you really care about security. Do not do this when you are
sleep-deprived or otherwise inattentive. Use at your own risk. Your mileage may
vary. Neither the author nor O'Reilly assumes any liability.
Still reading? Type the obvious command at the OK prompt:
password
(No, you Unix geek, not "passwd", "password". This
is "security for the rest of us".) Like any sane password prompt, it
echoes with a masked character (to deter shoulder surfing), but also makes
you type it twice to be sure you typed it correctly and to help you commit
it to your medium-term memory.
Do I need to digress on "what makes a good password"? Don't use your
name, your SO's name, your computer's name. Don't write it down on the top
drawer of your desk or on the bottom of your TiBook. You get the
picture. One bit of advice: don't put spaces or Option-keyed characters in
your password. While these are great from the point of view of avoiding
somebody trying to guess your password, some of the Apple upgrade
documents list this requirement: "An Admin user password that does not
contain spaces or Option-keyed characters is required to install. The
password may not be blank." If you want some good characters to make a
non-obvious password, choose from the top row of the keyboard (digits, !,
@, etc.), rather than alphabetics plus the Option key.
By the way, you can reset all configuration variables to their
defaults by the command set-defaults. This does not erase a
password if you've set one, nor does it change the value of
security-mode.
Only after your password is set and memorized should you enable
security.
setenv security-mode full
The possible settings of security-mode are "none", "command", and
"full". None is the default and is wide open--anybody who can get at your
machine can do anything. Command lets you boot from the default disk (as
set in boot-device) without the password, but not change settings. And
full requires a password to do anything to the machine, including
booting. The "command" setting is a bit more convenient
and may be a better option for OS X users. I do not know the complete
list of things you can do in "command" mode without a password, though, so
out of paranoia I use "full" mode. As well, with "command" mode, you will
boot normally for months without using the password, you will forget it,
and you won't know it when you need it. So maybe you should use full mode.
The next step, and it's optional, is to turn off automatic booting, by
setting auto-boot? to false.
setenv auto-boot? false
Now when your Mac boots it will bypass the shiny apple boot screen and
give you an OFW banner and an OK prompt. Just type "boot", enter the
correct password that only you know, and you're away to the races. Or
wherever your Mac will take you.
But before you try booting it, type
reset-all
to save the new settings and reboot with them (note that you
must use reset-all to save settings that are entered
interactively, otherwise they are lost when you reboot).
You now have a machine which can't be operated without the password,
though it may boot into OFW or directly into Mac OS depending on the
settings, which are summarized in the Table below.
| security-mode | auto-boot? | Restart Sequence: Normal Boot | Restart Sequence: Boot with Option key | Restart Sequence: Boot with C key |
| (any) | false | OFW Prompt | | |
| none | true | Boots Mac OS X | Boot Chooser | Boot from CD |
| command | true | Boots Mac OS X | Boot Chooser with password | Ignored, boot from HD |
| full | (any) | OFW Prompt | | |
Note that you can also set these variables using the "nvram" command
under Darwin, that is, in a Terminal window. For example,
sudo nvram 'auto-boot?=false'
(assuming you have set up the sudo command correctly--see
Michael Lucas' O'ReillyNet article on sudo, which stated that sudo
ships with OpenBSD; it now also ships with Mac OS X. See also the
"man" command for sudo and for nvram for more
details.)
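The check below is an added example, not part of the original article: a sh script that reads `nvram -p` output and reports the restart behaviour given in the table above. It assumes `nvram -p` prints one name<TAB>value pair per line and lists security-mode; the function names and the sample dump are constructed.

```sh
#!/bin/sh
# Added example: audit Open Firmware settings from `nvram -p` output.
# security-mode and auto-boot? come from the article; the function names
# and the sample dump are constructed for illustration.

# get_var NAME: read "name<TAB>value" lines on stdin, print NAME's value.
get_var() {
    awk -F '\t' -v name="$1" '$1 == name { print $2 }'
}

# boot_behaviour MODE AUTOBOOT: look up the article's table. Unset
# variables fall back to the defaults the article gives (none, true).
boot_behaviour() {
    mode=${1:-none}
    auto=${2:-true}
    if [ "$mode" = full ] || [ "$auto" = false ]; then
        echo "OFW prompt"
        return 0
    fi
    case $mode in
        none)    echo "boots Mac OS X; Option key: boot chooser; C key: boots from CD" ;;
        command) echo "boots Mac OS X; Option key: boot chooser with password; C key: ignored, boots from HD" ;;
        *)       echo "unknown security-mode: $mode"; return 1 ;;
    esac
}

# audit_nvram: read a dump on stdin, print one summary line, and return
# non-zero when security-mode is none (no firmware password enforced).
audit_nvram() {
    dump=$(cat)
    mode=$(printf '%s\n' "$dump" | get_var security-mode)
    auto=$(printf '%s\n' "$dump" | get_var 'auto-boot?')
    behaviour=$(boot_behaviour "$mode" "$auto") || { echo "$behaviour"; return 2; }
    echo "security-mode=${mode:-none} auto-boot?=${auto:-true}: $behaviour"
    [ "${mode:-none}" != none ]
}

# Constructed sample dump; on a real machine run: nvram -p | audit_nvram
printf 'auto-boot?\ttrue\nsecurity-mode\tcommand\n' | audit_nvram
```

The non-zero exit status for security-mode none lets the check run from a login or inventory script and flag machines that still boot wide open.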