No password for target disk mode..

I have used target disk mode for a while.

Yesterday, my brother was updating to 10.5.7 and it crashed and he got a kernel panic every time he booted. No worries, I hooked my Mac to his and started his up in target disk mode and installed the combo update onto his machine. All is now fine.

However, when I had his machine in target disk mode, he asked a very reasonable question: Did I have complete unrestricted access to his machine? Which I did. His next question: What is the point of having a password if you can simply boot to target disk mode and have full access??

I am very wary of leaving my Macs around now, as anyone with a Mac can access my data...
For a platform that prides itself on being so secure, it certainly isn't the strongest link in the chain..

Any ideas?

Regards

 24" iMac 2.8 Ghz 4GB  15" Late 2008 MBP 2.53 Ghz 4GB , Mac OS X (10.5.6),  External WD 250GB My Book Studio 500GB Seagate 160GBx4  White 16GB iPhone 

Posted on May 22, 2009 8:18 AM


May 22, 2009 8:29 AM in response to alex.lyons

And, anyone with an install DVD can do the same.
Once you lose physical control of the machine, anybody (with enough knowledge) can do anything with any machine.

You can set up the Open Firmware password (http://support.apple.com/kb/HT1352), which blocks being able to start up in Target disk mode, among other things. Search for more info on that and you'll find you're back to my second paragraph, above.

If you're worried about your data, encrypt it with FileVault, or make an encrypted disk image for the items you want to encrypt.

Message was edited by: Barney-15E

May 22, 2009 9:47 AM in response to Barney-15E

Ok, even if they don't have access to my home folder (whether it's FileVault or just no access) they still have access to the library and other system files and folders, correct? I must admit I didn't delve far into his computer, just the root folder which had no symbols.

It's not so much as if my computer gets stolen or I lose it, it's more leaving it, for example, in a rented holiday house with friends who have Macs, that may see it funny to play a joke by deleting my system folder or the like 😉

Open firmware password sounds cool, I did it once on an old Mac but since forgot about it or what it can do.

Also, I have read about FileVault but it was very confusing. What is FileVault in a nutshell? And does it slow performance? How safe is it and how can it be bypassed?

Regards

May 22, 2009 11:07 AM in response to Barney-15E

Barney-15E wrote:
Your scenario still goes back to this:
Once you lose physical control of the machine, anybody (with enough knowledge) can do anything with any machine.


FileVault can protect personal things in the user folders, but that's it. I would never leave a computer unattended when strangers or even friends might be able to access it. In a worst case scenario, you might come back and find it gone.

May 24, 2009 8:36 AM in response to alex.lyons

alex:

As nerowolfe pointed out, FileVault will only protect your Home Folder and I do not recommend its use for anyone who does not know a lot more about it than I do. If you are interested in Setting up firmware password protection in Mac OS X I would suggest that you read through the entire article thoroughly so that you have a good grasp of what Open Firmware protection does before electing this option.

😉 cornelius

May 24, 2009 8:49 AM in response to alex.lyons

Yes, you had full access to everything on his Mac while it was in target disk mode.

Even setting up a firmware password to prevent booting in target disk mode does not protect against data theft, because the firmware password can be easily defeated with physical access to the Mac.

Physical security is the best way to protect against data theft. Keep your Mac under lock and key when you are not using it.

When physical security cannot be guaranteed, the only effective way to protect data from theft is to encrypt it. The built-in way that Apple offers this functionality is with FileVault, which you can enable in System Preferences -> Accounts. You can also use Disk Utility to create an encrypted disk image and store your sensitive data inside of it.

This is not a Mac-specific case; it is the case with all digital data. If the hardware is not in a physically secure location, and the data is not encrypted, the data could be easily stolen.

May 24, 2009 9:08 AM in response to alex.lyons

alex.lyons wrote:
It's not so much as if my computer gets stolen or I lose it, it's more leaving it, for example, in a rented holiday house with friends who have Macs, that may see it funny to play a joke by deleting my system folder or the like 😉


If you are going to do that, turn off automatic login and set up a screen saver password so that they can't log in. Or, if you want to allow them to use your Mac, make sure you give them a non-admin account to use. Non-admin users who do not know the admin password cannot delete anything except for files and folders they create themselves, and they can only change system preferences that affect their own user account. They can't mess up anything that affects the System or any other user accounts. Unless, of course, they reset the admin password (see below).

Open firmware password sounds cool, I did it once on an old Mac but since forgot about it or what it can do.


The firmware password is useful for preventing users from gaining unauthorized admin access. Non-admin users can gain admin access by:

- booting up from the OS X install DVD and running the reset password utility, or
- booting up in single user mode (hold down command S) and entering a few commands
- booting up in target disk mode, hooking up to another Mac, and using the second Mac to make some changes

Setting up a firmware password will prevent all of the above things. But the firmware password can be easily defeated with physical access inside the Mac. That's why setting up a firmware password is not effective against data theft if your Mac falls into the wrong hands.

If you are going to have your Mac in a friend's house and there is a risk of the friend playing a practical joke on you, what you might do is disable automatic login, set up the firmware password, and then put a label over the RAM access door saying "break this seal and you will never be my friend again." Even if you give your friend a non-admin account to use, and you don't encrypt your data, your friend cannot get at your data without breaking the seal.

Also, I have read about FileVault but it was very confusing. What is FileVault in a nutshell? And does it slow performance? How safe is it and how can it be bypassed?


It encrypts your whole home folder. It doesn't noticeably slow performance. It can only be bypassed by entering the computer's master password, which you specify when you turn on FileVault. If you forget both your FileVaulted account's password, and the master password, all the data in your home folder will be lost forever.

May 24, 2009 9:29 AM in response to alex.lyons

for example, in a rented holiday house with friends who have Macs, that may see it funny to play a joke by deleting my system folder or the like

I suggest that you begin with employing the security features that Mac OS X affords in normal operation without opting for either FileVault or OpenFirmware which present their own challenges. Take a look at Security: OS Hardening and follow the links at the end of the article for additional suggestions.

😉 cornelius

May 24, 2009 11:09 PM in response to Király

Király wrote:
Setting up a firmware password will prevent all of the above things. But the firmware password can be easily defeated with physical access inside the Mac. That's why setting up a firmware password is not effective against data theft if your Mac falls into the wrong hands.


These cautions are very valid, but I really think the Open Firmware Password is effective in most situations involving casual Mac users.

If they try to bypass normal security and find themselves blocked by the Open Firmware Password, first they must recognize that the problem is that an Open Firmware Password is set. The vast majority of the users, even on these forums, are not even aware that such a thing exists. Then they have to find out how to get around it. I've known about the Open Firmware Password for years, but I can never remember exactly what it is you have to do to the RAM to reset the password. I would have to look it up.

If you believe that the pranksters are not service tech level users, the Open Firmware Password is probably going to work pretty well. But if they are sophisticated, and it isn't a lockable case like a Mac Pro, then yes, additional precautions are needed and the Open Firmware Password can't be relied on if physical access is available.

A lot of my really sensitive info is in encrypted disk images. Physical access won't help anyone there.
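
Several replies in this thread recommend an encrypted disk image as the protection that still holds when someone mounts the drive in target disk mode. As an added example (not written by any poster here), these shell helpers wrap the macOS hdiutil tool to create such an image and to refuse mounting one that is not actually encrypted; the file name private.dmg, the volume name Private and the 200m size are assumptions.

```shell
#!/bin/sh
# Added example: helpers for keeping sensitive files in an encrypted disk image.
# Assumed names: private.dmg, volume "Private", default size 200m.

# Create an AES-256 encrypted, journaled HFS+ image.
# hdiutil itself prompts for the passphrase, so it never touches this script.
create_vault() {
    image=$1
    size=${2:-200m}
    volname=${3:-Private}
    if [ -e "$image" ]; then
        echo "refusing to overwrite existing file: $image" >&2
        return 1
    fi
    hdiutil create -size "$size" -fs HFS+J -volname "$volname" \
        -encryption AES-256 "$image"
}

# Succeed only if hdiutil reports the image as encrypted.
# (The report may arrive on stderr, so both streams are checked.)
is_encrypted() {
    hdiutil isencrypted "$1" 2>&1 | grep -q '^encrypted: YES'
}

# Mount the image, but only after confirming it is encrypted, so an
# unencrypted image with the same name is never used by mistake.
open_vault() {
    if ! is_encrypted "$1"; then
        echo "$1 is not an encrypted image; not mounting" >&2
        return 1
    fi
    hdiutil attach "$1"
}

# Unmount the volume so its contents are only ciphertext on disk again.
close_vault() {
    hdiutil detach "/Volumes/${1:-Private}"
}

# Typical use after sourcing this file:
#   create_vault private.dmg && open_vault private.dmg
#   ... copy files into /Volumes/Private ...
#   close_vault Private
```

While the image is mounted its contents are readable to anyone at the keyboard, so detach it before leaving the machine unattended.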
