Mac Hacks (24 page)
. Encrypt a USB Drive
You
know how to encrypt your hard drive (
[Hack #34]
), but what if you want that same
level of safety when you’re physically transporting files? This hack shows
you how to encrypt a USB drive (or other portable drive) with
state-of-the-art security.
The preferred method of sharing files is Dropbox or iCloud. Those
sites work well unless the files are large or you’ve got a ton of them. In
either of those cases, you’ll want to consider transferring the files by
hand—by physically carrying them from one place to another.
The first thing you’ll need to pull this off is an appropriately
sized drive that’s either blank or doesn’t have any important info on it
(since you’re going to erase it before encrypting it). Flash memory has
become very affordable in recent years (a 16 GB flash drive can be had for
under 10 bucks), so finding a drive large enough for your data shouldn’t
be a problem unless you’re rendering the next Pixar movie.
Note: This hack is written with a USB flash drive in mind, but
this technique works with just about any drive.
Once you’ve got a portable drive, it’s time to mount it on your Mac
(that’s the geeky way of saying “jam the drive in the USB slot”). Once
you’ve done that, you’ll see it in the sidebar of a Finder window or on
the desktop (depending on how your preferences are set).
If
you’ve been reading this book in order, you can guess what
the next step is; if you haven’t (it’s
your
book,
after all, so read it however you wish), the utility you need to password
protect your drive is Disk Utility (Applications→Utilities→Disk Utility).
Upon opening Disk Utility, you’ll be presented with a window resembling
Figure 7-14
.
proceed with caution. This Mac, for example, has one internal drive with
three partitions and the USB drive inserted into the USB slot. Note the
different look of the icons representing the drives.
Warning: Fortunately, Disk Utility won’t allow you to mess up the
startup disk. But you can suffer catastrophic data loss on any of the
other
drives you have connected to your Mac if you
try this process on the wrong drive.
Once you’ve picked the right drive, you’ve got a decision to make.
Do you want to encrypt the
entire
drive or partition
the drive and encrypt only part of it? In this hack, we’ll encrypt the
entire drive, but this process will work on just part of the drive, as
well (see
[Hack #3]
for
more on partitioning drives).
To get the process rolling, click the name of the drive you want to
encrypt, and then click the Erase button at the top of the righthand pane
as shown in
Figure 7-15
.
the drive), but you could select any drive in the left column. For
example, if you wanted to encrypt just one partition of your hard drive,
you’d select that partition.
Among the various settings, you’ll find a world of new options in
Format menu:
| Mac OS Extended (Journaled) |
| Mac OS Extended (Journaled, Encrypted) |
| Mac OS Extended (Case-sensitive, Journaled) |
| Mac OS Extended (Case-sensitive, Journaled, Encrypted) |
| MS DOS (FAT) |
| Ex FAT |
You’ll want to choose either “Mac OS Extended (Journaled,
Encrypted)” or “Mac OS Extended (Case-sensitive, Journaled, Encrypted).”
Which option is right for you? That depends. The difference between the
two options isn’t as big as you might imagine. The case-sensitive option
means that OS X will pay attention to the capitalization (upper- and
lowercase) of names, whereas the non-case-sensitive option doesn’t discern
between j and J, for example. To put a finer point on it: if you choose
case-sensitive, you’ll be able to put a folder called Pictures inside a
folder called PICTURES; if you choose the other option, OS X will see the
two folders as having the same name and won’t let you nest them. This
isn’t a huge issue for most people, but knowing what behavior to expect
can save you headaches down the road. So just choose the format option
that best suits your organizational habits.
Now it’s time to let your creative side shine through: you get to
rename the drive to something meaningful (or, barring that, something
entertaining). Simply type the new moniker in the Name field. Once you’ve
done that, it’s time to step into the past. What was on the drive before
you decided to use it as a secure device? If you just bought it from your
local USB Drive Shoppe, go ahead and click the Erase... button. But if
you’ve previously stored sensitive data on the drive, you’ll want to
consider
securely
erasing the drive.
When
you’re about to erase the data from a drive, you might be
wondering why you should bother securely erasing it. It turns out your
computer is lazy. If you just tell it to erase the data, it only erases
the
reference
to the data, which is kind of like
ripping the table of contents out of a book and imagining that no one
will bother looking at the actual pages. When you want the data to be
truly gone, you have to securely erase the drive instead. You might
think that this involves simply deleting all the data on the disk, but
the method your Mac uses for this procedure is counterintuitive: your
Mac erases the disk by writing over the existing data (kind of like
using a black Sharpie to redact info on sensitive documents).
To securely erase the drive, click Security Options. You’ll get a
nifty slider that lets you decide whether your Mac should be lackadaisical
about the previous data or go full on cold war and overwrite the data
seven times
. With a USB stick or other nonmagnetic
memory, once is enough; but if you’re worried about the old data, the only
drawback to choosing the maximum setting (Most Secure) is that the erasing
process takes slightly longer.
Whether you choose to invoke the Security Options or not, the next
step is the same: time to erase the drive. Click Erase... and a pane will
drop down asking if you’re sure you
really
want to
proceed (
Figure 7-16
).
This isn’t the binary yes-or-no pane you’re likely used to; this pane
demands some attention before the process can move forward. To
proceed, enter the password you want to use for the drive
twice and then click the Erase button. Disk Utility will take care of the
rest.
Utility is judgmental and will rate your password.
The process could take some time depending on the settings you
choose and the size of the disk. You don’t want to remove the disk while
the formatting process is going on, so Disk Utility displays a tiny bar in
the lower-right part of the pane indicating its progress. (For reference,
on a 2009 iMac, an 8 GB USB stick was securely erased, encrypted, and
formatted in less than 30 seconds.)
Once the drive is encrypted, you can use it in the same fashion
you’ve always used it. The big difference is that now you’ll see
something like
Figure 7-17
when you attempt
to mount the drive. Type in the password correctly and you can use the
drive as you wish. Type in an incorrect password and the window will
shake and you’ll be denied
access.
the Show Hint button to give yourself a hint—if you remembered to add
one when you encrypted the disk, that is.
An encrypted portable drive sounds great, but the privacy-minded
among us will quickly object that, while the password protection is
great if you just lose the drive, the password isn’t very good if
someone wants the data out of you. The problem is that, while nefarious
types can’t get at the data directly, they might have access to
you
. Sure, you’ve memorized an unbreakable,
128-random-character password that can’t be brute-forced with all the
computing power in the world. But it if they decide to use the
password-cracking algorithm known as “a t-ball bat to the knees,” that
password won’t last long.
The
easiest way to avoid such complications is to not
physically transport any sensitive data. Unfortunately, that isn’t
always an option. When you have to physically move data, a little
misdirection can help. What if you could use a completely normal drive
and partition part of it to be invisible? For example, you could
partition a 4 GB drive into a visible 2 GB section and an invisible 2 GB
section. That way, anyone examining the drive would likely assume you
had a 2 GB drive with nothing interesting on it.
That’s
the idea behind TrueCrypt, which can do a lot of nifty
things including make a partition invisible so you always have plausible
deniability. To get started, head to
the TrueCrypt download
page
and download the version for OS X. (TrueCrypt is free but
the team accepts donations; don’t be afraid to make
one!)
. Add Physical Security Measures to Your Mac
You’ve
protected your Mac from the networks you use; now protect
it from people who can touch it!
With
Mountain Lion, Apple introduced a new feature called
Gatekeeper that allows you to specify what apps your Mac can run based on
where you procured them. You can, for example, set your Mac so that it
will refuse to install an app that isn’t from the Mac App Store (to adjust
these settings, head to the General tab of the Security & Privacy
preference pane). Like sandboxing (wherein apps are run separately from
the operating system) and permissions, these steps help protect your Mac
from malicious and/or inept developers.
Protecting your Mac from developers and network intruders is one
thing, but your Mac isn’t safe without
physical
protections, too. Physical access to your Mac means that someone could
steal it or—if you’ve left the default settings in place—simply turn it on
(or wake it from sleep) and access files. Obviously, stealing your Mac
doesn’t require a password—and until you set one, neither does waking your
Mac. So how can you achieve maximum security for your precious files? The
best option is never to lose physical control of your computer, but that
method can be unwieldy (especially in the shower). This hack shows you
steps you can take to protect your Mac and files from someone with
physical access.
You want your data to be safe from crashes, user error, and prying
eyes. Time Machine or solid backups have you covered for the crash and
user-error scenarios, but you want more security than that. So just how do
you protect your Mac from the nosey? There are four different solutions,
and they’re described in the following sections.
Most
Macs feature a security slot (which is specially designed
to accept a security cable), and you can find cables and locks
specifically designed to use this slot, making your Mac impossible to
steal without cutting the cable. But some Macs (MacBook Airs and MacBook
Pro Retinas) don’t have security slots because there simply isn’t room
in their minimalist design. Does that mean that fans of Retinas and
utra-light Airs are stuck bathing with their machines? Nope—if you’re
lucky enough to own one Apple’s cutting-edge laptops, you can find
various solutions ranging from lockable protective cases to clever
cables. The
site
Maclocks
site
is one good place to find them.
Protecting
your computer from unauthorized “borrowing” is a good
idea, but it doesn’t protect your
data
from those
with physical access. This scenario is familiar to many of us: you work
in an office but spend a lot of time away from your desk. When you leave
your desk, you likely leave your Mac on so you can skip the tedium of a
restart. Your Mac is just sitting there, alone, defenseless against the
hordes who might want to steal all your hard work and take credit for
it! Even if you have honest coworkers who help orphans fill out college
applications, there will still be at least one joker who will mess with
your computer just for kicks. You don’t want that.
This
hack is telling you how to secure your Mac, but it
isn’t really helping your coworker secure
their
Mac. So it might occur to you that it would be fun to be the jerk who
plays pranks while you remain unprankable (computer-wise, that is—your
car can still get filled with packing peanuts). There are a ton of
good Mac pranks, but one of the better ones is a simple prank called
iPanic
. It simulates
a kernel panic by displaying the kernel panic screen and telling folks
to restart (you quit iPanic with the predictable Command-Q). You can
get your victim to start a fake kernel panic with whatever nefarious
scheme you want to use: set it as a startup item, change its name and
icon to some app they use all the time (
[Hack #18]
), etc. Great fun for everyone (well,
at least for you), but be prepared to confess quickly because it does
get very frustrating for the person who needs to use the Mac. (It’s
also not considered cool to install iPanic on your home computer to
convince your significant other that your Mac is beyond hope and that
it’s time to buy a new one. )
The simplest solution is to set a screensaver/wake-from-sleep
password. Just open System Preferences, open the Security & Privacy
preference pane, authenticate by clicking the lock icon, and then, on
the preference pane’s General tab, tick the box labeled “Require
password [some time interval] after sleep or screen saver begins” (
Figure 7-18
).
immediately to four hours in the future. In general, the shorter
intervals are more cumbersome and safer, while the longer intervals
require less input from you but offer less protection from
others.
The
following passwords aren’t any good: qwerty, 123,
letmein. So now that you know three bad passwords, you might be
wondering how to pick a better one. There are plenty of tips and
techniques from misspelling real words (try substituting letters with
symbols), to using your favorite book title ([email protected] #2CK$ 2o!3), to using
a random number generator. These are good methods, but they don’t
provide any feedback about your password choice. Fortunately, OS X is
here to help.
Once
Password Assistant is running, OS X will helpfully
volunteer suggested passwords, or rate one you’ve entered (see
Figure 7-19
).
So what’s the difference between a good and bad password? Since
Password Assistant is running, it is an opportune moment for an
experiment!
Figure 7-20
shows a good
password;
Figure 7-21
shows a bad password.
you’re one click away from Password Assistant. Click the key icon and
OS X will start judging your password.
up to a great password. Don’t use this particular one, though—it’s
been in a book and probably added to a hash table (a list of passwords
used to crack systems) somewhere.
refined to say so. Pick something better or let OS X generate a better
one (use the drop-down menu to have OS X suggest passwords).
Does
a screensaver password make your Mac any safer? Yes, if
the person wants to casually poke about on your machine, but your Mac
isn’t really any safer from someone even slightly determined to get
access. The screensaver password can be avoided by restarting the Mac
(holding down the power button for a few seconds is the simplest way to
do so, and everyone knows about the power button). Once your Mac
restarts, the malefactor will have free rein. So you also need to make
your Mac ask for a password at every login. To do that, go to System
Preferences→Users & Groups. In the Accounts pane on the left, select
your username and then click Login Options. Click the lock icon and
authenticate, and then set “Automatic login” to Off (
Figure 7-22
).
perform unless you live alone in some place completely inaccessible by
any other human.
You’ve
locked your computer down against the casual interloper,
but is your data really safe? Not if the person after your data is
persistent. People can still access your files with one of the following
methods:
- Target Disk mode
Connect
two Macs with a FireWire or Thunderbolt
cable.Restart the one whose data you want to access.
Press T just after the startup sound.
The target hard drive will appear on the other Mac’s
desktop.
- Single-user mode
Reboot
the Mac that contains the data you wish to
access.Press Command-S after the startup sound.
Enjoy root privileges (if you know how to use the
command line).
- Password reset
Hold down Command-R while booting the Mac whose
password(s) you want to reset.Select Utilities→Terminal.
Type
resetpasswordat the
prompt.Select the user whose password you want to reset.
Choose a new password.
As you can see, once someone has physical access, there are
several ways to get around your password machinations. Surely there’s
some way to protect your Mac against intrusions of these sorts. There
is: set a firmware password.
Warning: Unless you are serious about security, be
very
careful when applying a firmware password.
If you forget your firmware password on a 2011-model Mac or newer,
you’ll have to go through Apple to get your computer functioning
again.
Setting a firmware password will:
Block the ability to start up from an optical disc (using the
C key).Block the ability to start up from a NetBoot server (using the
N key).Block the ability to start up in Target Disk mode (using the T
key).Block the ability to start up in verbose mode (pressing
Command-V during startup).Block the ability to start up in single-user mode (pressing
Command-S during startup).Block a reset of parameter RAM, also known as PRAM (pressing
Command-Option-P-R during startup).Make your Mac ask for a password to enter the Startup Manager
(accessed by pressing Option during startup).Block the ability to start up in Safe Boot mode (pressing the
Shift key during startup).
Once you’ve decided to set a firmware password, you have two ways
to do it. The standard method is to boot using the Recovery HD
partition. To do that, simply hold Command-R while booting. Once your
Mac has booted and OS X Utilities is running, head to the Utilities menu
and choose Firmware Password Utility. Follow the onscreen instructions
to set a firmware password.
The nonstandard method is preferable if you’ve done
[Hack #6]
and don’t want to reboot your Mac. Open Disk
Utility (make sure you’ve added the option to see all partitions per
[Hack #6]
) and, in the list on the left, select
Recovery HD (
Figure 7-23
).
have multiple partitions, so don’t worry if this picture doesn’t
exactly match what you see.) If you don’t see Recovery HD, you either
haven’t enabled Disk Utility’s debug menu, haven’t turned on the
option to see all partitions, or you’re missing the Recovery
partition. You can either enable Disk Utility’s debug menu (
[Hack #6]
) or restart your Mac while holding the
Option key, and then choose the Recovery partition (if you don’t see a
Recovery partition, reinstall OS X).
Once the Recovery HD partition is selected, mount the partition by
clicking the blue Mount button at the top of the Disk Utility window.
Once it’s mounted, the name of the disk will turn from being grayed out
to black.
Time to head to the Terminal! In a Terminal window, type:
open /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg
Press Return, and your machine will tell you it’s opening the
.dmg
(the place where the recovery system is
stored). Then you’ll be presented with the contents of the Recovery HD
partition (
Figure 7-24
).
Recovery mode.
All that’s left is to navigate to the Firmware Password Utility:
in the Mac OS X Base System window, go to
Applications→Utilities→Firmware Password Utility. Then simply follow the
onscreen instructions to add a firmware password for your
Mac (
Figure 7-25
).
data.