Stolen macbook - hard drive data safe?
October 14, 2009 4:58 PM Subscribe
Someone stole my 2009 macbook pro. I doubt they can guess my password. Given that, how likely is it that they can access my hard drive's data (I didn't do anything special beyond the default to encrypt it or anything)? Can my Applecare plan transfer to a new laptop? Anything else I can do to help destroy the value of the computer? I don't need any advice about police reports, etc. - but Apple-specific advice welcome.
I'm afraid the news is all bad.
Your typical user (especially if all they know is Windows) won't have the first clue as to how to get to your data. A moderately knowledgeable Mac user will, as will an expert PC user.
AppleCare plans are tied to product serial numbers, not owners, so I very much doubt that it will be transferred.
posted by jjg at 5:04 PM on October 14, 2009
Your typical user (especially if all they know is Windows) won't have the first clue as to how to get to your data. A moderately knowledgeable Mac user will, as will an expert PC user.
AppleCare plans are tied to product serial numbers, not owners, so I very much doubt that it will be transferred.
posted by jjg at 5:04 PM on October 14, 2009
Define "the default." If all you did was set a password for login, you're not protected once someone actually has your computer in hand, because they can...
(1) Boot from an OS X Install CD, choose "Reset Password" from menu. Poof, they're you.
(2) Boot in single-user mode, type 'passwd yourusername' to change it. Poof.
(3) Connect to another Mac with a firewire cable. Mount as hard disk. Poof.
Unless you encrypted your Home Directory (FileVault) or used encrypted disk images, you should proceed assuming that all your data is being read by someone else.
Sorry, this really sucks for you, but better to start taking steps now to protect your identity and any online accounts you have.
posted by rokusan at 5:05 PM on October 14, 2009 [5 favorites]
(1) Boot from an OS X Install CD, choose "Reset Password" from menu. Poof, they're you.
(2) Boot in single-user mode, type 'passwd yourusername' to change it. Poof.
(3) Connect to another Mac with a firewire cable. Mount as hard disk. Poof.
Unless you encrypted your Home Directory (FileVault) or used encrypted disk images, you should proceed assuming that all your data is being read by someone else.
Sorry, this really sucks for you, but better to start taking steps now to protect your identity and any online accounts you have.
posted by rokusan at 5:05 PM on October 14, 2009 [5 favorites]
FWIW FileVault is easy to set up and very seamless. It just works. You should definitely use it next time around.
posted by GuyZero at 5:16 PM on October 14, 2009
posted by GuyZero at 5:16 PM on October 14, 2009
I know you said you weren't interested in any advice other than data advice, but... since you specifically mention that the macbook is 2009, I thought I'd pop in and see if you paid with a credit card. Most credit cards offer purchase protection against theft or destruction for a period of time. The period of time varies, so it may be worth calling your card ASAP. Sorry that this happened to you!
posted by theantikitty at 5:18 PM on October 14, 2009
posted by theantikitty at 5:18 PM on October 14, 2009
to continue theantikitty's train of thought, if you have homeowners or renters insurance a theft like this (even if it did not occur while the machine was in your home) may be covered.
posted by k8lin at 5:28 PM on October 14, 2009
posted by k8lin at 5:28 PM on October 14, 2009
I'd talk to Apple. They may transfer your Applecare. They can change some of that stuff.
They can also flag the macbook as stolen, so if someone takes it into Apple....
You can also firmware lock a macbook to prevent at least two of the methods rokusan lists.
I wish there was a way to find the lost one and catch the thief.
posted by cjorgensen at 5:35 PM on October 14, 2009
They can also flag the macbook as stolen, so if someone takes it into Apple....
You can also firmware lock a macbook to prevent at least two of the methods rokusan lists.
I wish there was a way to find the lost one and catch the thief.
posted by cjorgensen at 5:35 PM on October 14, 2009
Yes, it will be trivial to access any data on your computer. Besides the methods mentioned above (reboot in target disk mode, boot from CD and reset password), the hard drives of MacBook Pros are reasonably easy to access. No determined attacker will be kept from your data.
That's the bad news.
The good news is that most thieves don't care about that. They'll get rid of it as fast as possible, maybe sell it to somebody who can wipe the drive. Although your files are accessible, digging through them for personal information requires some technical know-how and time. In particular, if you're concerned about saved passwords, credit card numbers, and other AutoFill data, that information IS encrypted by default in your login keychain. They won't be able to get to it without your password.
In the future? Yes, FileVault would help you here. Even though your passwords are encrypted, your photos, music, email, etc., are not. FileVault is easy to use and solves this issue, but-- and I can't emphasize this enough-- YOU MUST KEEP REGULAR BACKUPS IF YOU USE FILEVAULT. Every day. Every hour (with Time Machine). Whatever. I can't tell you how many clients have come into my shop with dead or dying hard drives, FileVault, and no backups- they're screwed. Often, we're able to recover some data from a dying drive with software tools, but with FileVault, it's all-or-nothing.
Security-wise, you may also want to look into firmware password protection, which would prevent the thief from booting from another CD. FileVault and firmware password protection provide "reasonable" security against crookery. Software like Undercover can also help you find a stolen computer, although chances are always slim.
Sorry to hear about it. Best luck with insurance/recovery/etc.
posted by aaronbeekay at 5:44 PM on October 14, 2009 [5 favorites]
That's the bad news.
The good news is that most thieves don't care about that. They'll get rid of it as fast as possible, maybe sell it to somebody who can wipe the drive. Although your files are accessible, digging through them for personal information requires some technical know-how and time. In particular, if you're concerned about saved passwords, credit card numbers, and other AutoFill data, that information IS encrypted by default in your login keychain. They won't be able to get to it without your password.
In the future? Yes, FileVault would help you here. Even though your passwords are encrypted, your photos, music, email, etc., are not. FileVault is easy to use and solves this issue, but-- and I can't emphasize this enough-- YOU MUST KEEP REGULAR BACKUPS IF YOU USE FILEVAULT. Every day. Every hour (with Time Machine). Whatever. I can't tell you how many clients have come into my shop with dead or dying hard drives, FileVault, and no backups- they're screwed. Often, we're able to recover some data from a dying drive with software tools, but with FileVault, it's all-or-nothing.
Security-wise, you may also want to look into firmware password protection, which would prevent the thief from booting from another CD. FileVault and firmware password protection provide "reasonable" security against crookery. Software like Undercover can also help you find a stolen computer, although chances are always slim.
Sorry to hear about it. Best luck with insurance/recovery/etc.
posted by aaronbeekay at 5:44 PM on October 14, 2009 [5 favorites]
Repeated for emphasis
better to start taking steps now to protect your identity and any online accounts you have.
posted by lalochezia at 5:45 PM on October 14, 2009
better to start taking steps now to protect your identity and any online accounts you have.
posted by lalochezia at 5:45 PM on October 14, 2009
In the unlikely event that you had an active MobileMe account, you may be able to notice if someone is applying for jobs on your laptop by enabling the screen sharing feature.
posted by june made him a gemini at 6:02 PM on October 14, 2009
posted by june made him a gemini at 6:02 PM on October 14, 2009
They can also flag the macbook as stolen, so if someone takes it into Apple....
I don't believe they will do that.
I'd talk to Apple. They may transfer your Applecare.
They refunded some of the cost when ours was stolen.
posted by R. Mutt at 6:52 PM on October 14, 2009
I don't believe they will do that.
I'd talk to Apple. They may transfer your Applecare.
They refunded some of the cost when ours was stolen.
posted by R. Mutt at 6:52 PM on October 14, 2009
>They can also flag the macbook as stolen, so if someone takes it into Apple....
I don't believe they will do that.
No, unfortunately (at least when I worked there) Apple Stores can't do anything about items that are reported stolen.. you can imagine how someone could simply get ahold of a serial number and cause problems.
posted by starman at 6:57 PM on October 14, 2009
I don't believe they will do that.
No, unfortunately (at least when I worked there) Apple Stores can't do anything about items that are reported stolen.. you can imagine how someone could simply get ahold of a serial number and cause problems.
posted by starman at 6:57 PM on October 14, 2009
Your typical user (especially if all they know is Windows) won't have the first clue as to how to get to your data. A moderately knowledgeable Mac user will, as will an expert PC user.
Anyone who can use Google can figure out target disk mode, or they can take out the hard drive and put it in another machine.
But I wouldn't worry about someone seeing your data too much. They'll probably wipe the disk and reinstall MacOS if they can't figure out the password. There won't be any way to get your data back, that's why backups are critical. Everyone learns the hard way.
posted by delmoi at 7:46 PM on October 14, 2009
Anyone who can use Google can figure out target disk mode, or they can take out the hard drive and put it in another machine.
But I wouldn't worry about someone seeing your data too much. They'll probably wipe the disk and reinstall MacOS if they can't figure out the password. There won't be any way to get your data back, that's why backups are critical. Everyone learns the hard way.
posted by delmoi at 7:46 PM on October 14, 2009
In particular, if you're concerned about saved passwords, credit card numbers, and other AutoFill data, that information IS encrypted by default in your login keychain. They won't be able to get to it without your password.
They'll probably wipe the disk and reinstall MacOS if they can't figure out the password.
Sorry to piggyback, but couldn't anyone with an OSX install disk reset that password?
posted by pompomtom at 8:31 PM on October 14, 2009
They'll probably wipe the disk and reinstall MacOS if they can't figure out the password.
Sorry to piggyback, but couldn't anyone with an OSX install disk reset that password?
posted by pompomtom at 8:31 PM on October 14, 2009
Hi shivohum, welcome to the miserable club.
> I doubt they can guess my password. Given that, how likely is it that they can access my hard drive's data?
As several people have touched on, there is good and bad news. The good news is, if you have auto-login disabled -- that is to say, if you need to type in a password to reach your desktop after turning on the computer -- it is very unlikely the thief is inclined to circumvent your password. For simplicity and resellability it is more likely they would format/restore your computer.
The bad news is, if they are interested in your data for any reason, it is relatively trivial for them to access it via the methods described above. A fundamental tenet of data security is that a sufficiently motivated person with physical access to your computer can read your data. Your best future defense against this is, as mentioned above, FileVault (but keep backups); and frankly, a sturdy laptop lock. All Kensington locks fit Apple laptops, which have a socket specifically for this purpose.
If for any reason you have other people's confidential information on your hard drive -- if you're a mental health professional and you keep patient notes on your laptop, for example -- you need to be extremely concerned about this. If you keep notes for yourself of important data, or have important data in your email inbox -- like your kids' social security numbers or an "I forgot my password" password reset email from your bank or anything of the sort -- you should be very concerned about this.
However, most people do not have this sort of information laying around on their hard drive. Most people, well, they'd be vaguely embarrassed for the thief to find out which dirty websites are in their browser history, or how many dozens of silly vanity pictures they took of themselves with Photo Booth, but they don't have to contend with identity theft or anything at that scale when their laptop is stolen. Be a little paranoid and keep a closer than normal eye on your credit card statements, but unless you have specific reason to believe you left critical data in an accessible state then don't lose sleep over it.
> Can my Applecare plan transfer to a new laptop?
AppleCare will refund you for the "unused" portion of your AppleCare.
Within 10 days of the original AppleCare purchase, they give you a refund for the entire cost of AppleCare. If it is over 10 days, they give you whatever percentage of the retail price of AppleCare corresponds to the remaining time you did not use on it. That is to say, if you paid $249 for AppleCare, and you called Apple because your computer was stolen 2 years from the date of purchase (of AppleCare's 3 years of coverage), they would refund you $83 (1/3 of $249). They will mail your refund by check and it will take 2-3 weeks. Because putting this off means your refund will be slightly smaller, you should do it soon. It will be a 15-20 minute phone call to AppleCare at 1-800-275-2273.
They do not transfer the remaining coverage to a new laptop, instead suggesting you use your refunded money toward the cost of your new computer + AppleCare.
> Sorry to piggyback, but couldn't anyone with an OSX install disk reset that password?
They certainly can reset your login password. This will allow them to log into your user account and view any unencrypted files, including browser caches and history as well as any unencrypted personal documents that may or may not have sensitive information in them. However, changing the login password does not change the password for the login keychain. Anything kept in your login keychain remains encrypted by your original login password, and is not feasibly recoverable without it. By default, this normally includes Safari autofill information, saved Mail.app passwords, saved wireless network passwords, and similar data.
posted by churl at 9:35 PM on October 14, 2009 [2 favorites]
> I doubt they can guess my password. Given that, how likely is it that they can access my hard drive's data?
As several people have touched on, there is good and bad news. The good news is, if you have auto-login disabled -- that is to say, if you need to type in a password to reach your desktop after turning on the computer -- it is very unlikely the thief is inclined to circumvent your password. For simplicity and resellability it is more likely they would format/restore your computer.
The bad news is, if they are interested in your data for any reason, it is relatively trivial for them to access it via the methods described above. A fundamental tenet of data security is that a sufficiently motivated person with physical access to your computer can read your data. Your best future defense against this is, as mentioned above, FileVault (but keep backups); and frankly, a sturdy laptop lock. All Kensington locks fit Apple laptops, which have a socket specifically for this purpose.
If for any reason you have other people's confidential information on your hard drive -- if you're a mental health professional and you keep patient notes on your laptop, for example -- you need to be extremely concerned about this. If you keep notes for yourself of important data, or have important data in your email inbox -- like your kids' social security numbers or an "I forgot my password" password reset email from your bank or anything of the sort -- you should be very concerned about this.
However, most people do not have this sort of information laying around on their hard drive. Most people, well, they'd be vaguely embarrassed for the thief to find out which dirty websites are in their browser history, or how many dozens of silly vanity pictures they took of themselves with Photo Booth, but they don't have to contend with identity theft or anything at that scale when their laptop is stolen. Be a little paranoid and keep a closer than normal eye on your credit card statements, but unless you have specific reason to believe you left critical data in an accessible state then don't lose sleep over it.
> Can my Applecare plan transfer to a new laptop?
AppleCare will refund you for the "unused" portion of your AppleCare.
Within 10 days of the original AppleCare purchase, they give you a refund for the entire cost of AppleCare. If it is over 10 days, they give you whatever percentage of the retail price of AppleCare corresponds to the remaining time you did not use on it. That is to say, if you paid $249 for AppleCare, and you called Apple because your computer was stolen 2 years from the date of purchase (of AppleCare's 3 years of coverage), they would refund you $83 (1/3 of $249). They will mail your refund by check and it will take 2-3 weeks. Because putting this off means your refund will be slightly smaller, you should do it soon. It will be a 15-20 minute phone call to AppleCare at 1-800-275-2273.
They do not transfer the remaining coverage to a new laptop, instead suggesting you use your refunded money toward the cost of your new computer + AppleCare.
> Sorry to piggyback, but couldn't anyone with an OSX install disk reset that password?
They certainly can reset your login password. This will allow them to log into your user account and view any unencrypted files, including browser caches and history as well as any unencrypted personal documents that may or may not have sensitive information in them. However, changing the login password does not change the password for the login keychain. Anything kept in your login keychain remains encrypted by your original login password, and is not feasibly recoverable without it. By default, this normally includes Safari autofill information, saved Mail.app passwords, saved wireless network passwords, and similar data.
posted by churl at 9:35 PM on October 14, 2009 [2 favorites]
Response by poster: Thanks for the info, everyone. Fortunately, everything was backed up using carbonite and I changed all important passwords, so all should be ok (relatively).
posted by shivohum at 7:10 AM on October 15, 2009
posted by shivohum at 7:10 AM on October 15, 2009
This thread is closed to new comments.
posted by GuyZero at 5:03 PM on October 14, 2009