Calling All Hackers

without physical security. If someone can get to your machine to reboot while holding down a key, they can probably compromise it no matter what OS it's running.

Some other UNIXoids require that you know the root password to get in when booted to single user mode. (Most modern Linux distributions and recent Solaris versions, for instance.) But of course, in those cases someone could just force the machine to, say, boot from a CD-ROM, mount the "/" partition on the disk, chroot to it, and modify the password of their choice. Windows can be broken by booting a floppy with a password database munger... etc, etc.

Simple rule of thumb: Don't let people you don't trust touch your machine. And if you're really paranoid, encrypt your filesystem.

--Peace

Also keep in mind that OS X intended for both business and home users. It would be poor marketing to sell an OS that people are inevitably going to lock themselves out of without having a back door that tech support or their IT can walk them through over the phone (unless you're Dogbert ;))

You could do similar with At Ease back in the early 90s. Figuring this stuff out is half the fun.

But of course, in those cases someone could just force the machine to, say, boot from a CD-ROM, mount the "/" partition on the disk, chroot to it, and modify the password of their choice.
--Peace

I can say that I have done that to every Major Unix OS except Tru64.

I remember back in 98 or so I talked a guy down $100 on a SGI Indy because he did not have the root password. I borrowed a set of Irix discs and was in under 5 min. The hardest one I ever did that on was a HP PA-Risc machine with HP-UX. Took me a month to figure out how to boot the thing from a CD. I can't remember what exactly the difficulty was in doing it but I think I ended up having to boot from tape or something.

Any password to anything can be craked or changed, its just a matter of time/effort to do it. this seems easy even to me, and i know almost nothing about unix! my solution to this problem? don't let your laptop out of your sight, and put your destop system somewhere(I.E. bedroom) where most people wont be able to jsut sit down and mess with it without you noticing. best security mesures i can think of...

I remember back in 98 or so I talked a guy down $100 on a SGI Indy because he did not have the root password. I borrowed a set of Irix discs and was in under 5 min.

I "rooted" my (free) Indy by compiling the XFS filesystem patches to the kernel on a Linux machine and hanging the drive from the Indy on its SCSI controller. (At the time I had neither Irix CDs or a bootable CD-ROM drive for the system.)

Admittedly, steps like that are a bit more invasive then changing a password on OS X, but a motivated data thief could to it in 10 minutes alone with the machine. Which just emphasizes the point.

--Peace

And if your BIOS allows you to have a password to boot the machine, USE IT! It's in BIOS and probably more difficult to crack than an OS password.

And if your BIOS allows you to have a password to boot the machine, USE IT! It's in BIOS and probably more difficult to crack than an OS password.

Not really, unless you have an IBM Thinkpad. (Most BIOS passwords can be cleared by resetting the CMOS.)

And if you do have a Thinkpad, you'll seriously regret setting a BIOS password after you forget it. (And have to pay IBM for a new motherboard.)

--Peace

I had a Fujitsu E-series in a bulk lot of lappies I'd purchased that was bios password protected. Fujitsu recommends shipping the laptop off to Cypress or Singapore or some darn place, and they'll re-flash the bios and send it back. Supposedly very secure, those Fujitsus.

Alternatively, I spent five minutes on google and found a dos program that'll reset the bios from a floppy.

IIRC my first laptop, a Packard Bell Statesman, had a horrid BIOS password setup. When you typed in the password it would register an incorrect attempt at the first incorrect key that was typed. You just started at 'a' and kept following the alphabet until it accepted the first key without error. Then you did it again 'first-key'-'a', etc. until it let you in. Way, way, way too easy. I've hated PBs ever since and fully regret spending the $500 (new) on the POS. Of course security that crappy can only come during the days after the release of Win 95, one reason I got the lappy so cheap as everything still running 3.x (the PB had 3.11) was being cleared from stock.