08 May 2007

What you need to know about the Apple firmware password

The Apple firmware password can be a very important tool for making your Mac more secure: it prevents anyone who does not know the password from reformatting your hard disk. For Undercover users, this is particularly useful, since a reformat is the only way to disable Undercover. In spite of its usefulness, the firmware password utility is one of the most poorly understood Apple tools.

Before explaining how to enable the firmware password on your Mac, we first squash some common misconceptions.

Misconception 1: The firmware password does not work on Intel Macs.
This is absolutely untrue: Intel Macs use EFI (Extensible Firmware Interface), and Apple has adapted the firmware password utility to work with EFI. For the end user, this is completely transparent: although the underlying technology is totally different on PPC Macs (Open Firmware) and Intel Macs (EFI), the firmware password utility looks and works the same way on every Mac.

Misconception 2: If I enable the firmware password, I will need to enter a password every time I boot my Mac.
The firmware password needs to be entered only when booting from a disk *other* than your default startup disk. This is what makes the firmware password very convenient: since most of us boot from our default startup disk 99% of the time, you will rarely need to enter a password. At the same time, this prevents thieves from reformatting the hard disk, because the current startup disk cannot be formatted while in use, and booting from another drive without entering the password is impossible.

Misconception 3: If I enable the firmware password, a thief cannot boot my Mac, making Undercover useless.
With the password enabled, a thief can still boot your Mac. The only restriction is that he can only boot your Mac from the default startup disk. As a result, a thief can still work and play with your Mac and Undercover can do its work.
In addition, we recommend creating a dummy user account that has no admin privileges and requires no password. That way, a thief can still log in and connect to the net, while your personal files are hidden behind a password-protected (admin) account.

Misconception 4: With the firmware password enabled, I will not be able to troubleshoot my Mac in case of a problem.
Since you know the password, you will still be able to boot your Mac from any drive you want, including CDs, DVDs, ... and troubleshoot or reformat your drive. You just need to enter the firmware password when prompted.

Enabling the firmware password on your Mac
  • Locate the Mac OS X install CD/DVD that came with your Mac.

  • In the Finder, locate the /Applications/Utilities folder on that disk.

  • Double click the Firmware Password Utility application inside this folder.

  • Click the icon to authenticate. Enter an administrator username and password when prompted.

  • Click Change.

  • Click to select the checkbox for "Require password to change Open Firmware settings".

  • Type your password in the Password and Verify fields and click OK. A confirmation appears.

  • Click the lock icon to prevent further changes.

  • Quit the Open Firmware Password application.

  • Eject the Mac OS X install disk.


NOTE: It is important NOT to use a disk that came with another Mac model. Also, do NOT download the firmware password utility application from the Net! Use the disk that came with your Mac.

More information regarding the Apple firmware password is available on the Apple website at http://docs.info.apple.com/article.html?artnum=106482.

03 May 2007

New theft web form

As promised in one of our previous blog posts, we now have a web form available that makes it very easy to report a theft: http://orbicule.com/theft. When launching Undercover last year, we told clients that they could inform us of a theft either by phone or by email. In practice, almost every theft is reported by email. That's why we streamlined the process and created a web form, giving instant feedback to our customers. Another advantage is that victims of theft no longer need to have access to an email account. Any internet connection will suffice to activate Undercover.