I think I have found a major security flaw with the firmware password feature

[kevinsa]

If you enable the firmware password, it prevents you from booting from a partition/drive that isn't the default startup disk.

However, when I boot into mountain lion, The startup disk preference pane isn't locked, despite locking it before rebooting. The default startup disk can simply then be changed. This is even easier with software such as BootChamp installed.

If the default startup disk is bootcamp, the system tray bootcamp icon allows the startup disk to be changed without even the option of a lock (regardless of whether that lock would stay locked like in OSX).

Am I being stupid or is this a flaw?

 

[CyBeRino]

You're being stupid for not having passwords on your accounts.

 

[Weaselboy]

Go to System Prefs and in the Security & Privacy tab click advanced then checkmark to require a admin password to change system settings.

Like CyBeRino mentioned though, the idea is to have a login password to stop anybody from getting in your account to change this to begin with.

If you are really concerned about security you should take a look at Filevault2. It runs pretty transparently and is very secure.

 

[kevinsa]

I do have a login password. I was thinking in the unlikely circumstance that somebody has the laptop with it logged in.

 

[Weaselboy]

I do have a login password. I was thinking in the unlikely circumstance that somebody has the laptop with it logged in.

Ah... I see. Yes that would be a way around things, but they would need to have access to your computer to make the change then also later I suppose steal your computer and boot from another drive.

Setting that pref pane lock like I said will stop it though.

 

[kevinsa]

I see. Thanks for the tip.

 

[Mal]

No single password is ever going to be sufficient against all methods of attack. Weaselboy's suggestion will be a good step, as is requiring a password when waking from sleep. If you take enough steps, you'll prevent all but the most determined of attackers from gaining access. There's no foolproof methods, but combinations of good techniques can stop most fools.

jW

 

[Weaselboy]

No single password is ever going to be sufficient against all methods of attack. Weaselboy's suggestion will be a good step, as is requiring a password when waking from sleep. If you take enough steps, you'll prevent all but the most determined of attackers from gaining access. There's no foolproof methods, but combinations of good techniques can stop most fools.

jW

We had a nice back and forth on security recently in this thread. I think it will stop much more than fools. I have yet to see anybody show exactly how they would get into stolen a machine with a EFI password and FV2 on with a good login password.

I'll repeat what I said in the other thread. I am not saying this to be argumentative, but the common line seems to be "if someone gets your computer they can get your data" (I know this is not exactly what you said ), but I still have not had anybody show me how they would do this.

 

[Mal]

We had a nice back and forth on security recently in this thread. I think it will stop much more than fools. I have yet to see anybody show exactly how they would get into stolen a machine with a EFI password and FV2 on with a good login password.

I'll repeat what I said in the other thread. I am not saying this to be argumentative, but the common line seems to be "if someone gets your computer they can get your data" (I know this is not exactly what you said ), but I still have not had anybody show me how they would do this.

The fools line was just supposed to be clever wordplay. I do believe that with enough time and determination, someone could probably pull it off, but I'm willing to believe I could be wrong. Either way, there's almost nothing to worry about if you take enough of the proper steps, short of someone physically coercing you into giving them access. I very much doubt anyone here would ever have a gun to their head demanding that they log someone else into their computer, however.

jW