Securing Your Computer


Š      MANDATORY: Setting a Firmware Password


With newer Macs, it is essential that you set a firmware password on your Mac to increase your chances of recovering it.  Since the introduction of Lion (10.7), Apple has added new features that make your Mac much more secure if you set a firmware password, but make your Mac less secure if you do not.


Setting the firmware password prevents someone from booting your Mac from an external drive, or erasing the internal drive.  Clearly this is very desirable if you want to prevent the thief from deleting VUWER from your computer.  Setting the firmware password in older Macs involves using the installer DVD that came with the computer, or downloading a firmware password utility from Apple.  Although this firmware password can be circumvented, the thief still needs an installer DVD to wipe the drive and install a new operating system.


In newer Macs (since late 2010), the firmware password is far more secure.  The firmware password of a stolen MacBook Air or MacBook Pro can only be reset at an Apple service center.  However, Apple has also made it much simpler to reinstall the operating system by including a recovery partition in OS 10.7 and later.  Setting the firmware password prevents a thief from accessing the recovery partition, but without that password it is very easy for him to wipe the drive, install a fresh copy of the OS using the recovery partition, and sell your computer.


If your Mac uses OS 10.4 through 10.6 and included an installer DVD when you bought it, follow these directions to set a firmware password.  If your Mac has a newer OS (i.e. with a recovery partition placed on the internal drive), then use these directions to set a firmware password.


Š      OPTIONAL (but strongly recommended): Creating a VUWER Guest Account on Your Laptop


VUWER won’t work unless the thief connects to the Internet with your computer.  As unusual as it may sound, you actually want to encourage him to use the laptop he has stolen, so that you can track it and learn his identity.  If you are like most Mac owners, you probably have a single personal administrative user account on your laptop, and have it configured for automatic login.  This allows you to use your laptop without entering a password after startup, or after waking from sleep.   This is a desirable situation from the viewpoint of VUWER operation, since the thief can immediately use the laptop without needing a password.


Unfortunately, the problem with automatic login is that it also gives the thief full access to your personal data and emails.  To protect your privacy, a better solution is to create a guest user account that the thief can use, and configure your laptop so that your personal account is password protected.  (In fact, you may prefer to only enable VUWER on the guest account.  Personally I enable VUWER on all my laptop user accounts, just to guard against the possibility that a thief somehow learns my personal account password.)


Note that creating a guest account is strongly recommended but not required.  If you really don’t care if the thief has access to your personal account, you can skip creating a guest account and use VUWER “as is”, provided your personal account is configured for automatic login, and you set a firmware password.  However, most people will probably prefer to maintain their privacy and create a guest account.


You should first use your administrative account to create a VUWER guest account on your laptop with the Users & Groups pane in System Preferences.  Refer to the Apple documentation for creating a standard account on your Mac.  (I call this account “Guest User” on my laptop, with a short name of “guestuser”.)  In the Password Hint field, tell the user what the guest account password is, e.g. “Password is xxxxxxx.”  Remember, you want the thief to be able to log into the guest account.


Be sure to make the guest account a standard (non-administrative) account, i.e. uncheck the “Allow user to administer this computer” box.  Next, run VUWER and enable the account to run VUWER.  Note that you can repeat this process for any number of user accounts on your laptop.


As you may find, having a guest account can be very useful, as it allows you to lend your laptop to someone while keeping your own data private.  Don’t hesistate to use the guest account for other purposes besides VUWER.  Note that activating Parental Controls for the guest account will prevent Google WiFi geolocation from working properly, although the less precise geolocation through will still function.



IMPORTANT:  OS versions 10.5 and above offer you the option of activating a special “sharing only” guest account (named Guest).  I do not recommend that you use this special guest account for VUWER, as all user data is deleted on it after logout.  Create a standard user account instead.


Furthermore, installing OS 10.7 (and above) may create a “Safari Only” guest account that boots from the recovery partition.  VUWER will not work for that account, but it is straightforward to encourage a thief to use the guest account you create instead.  Just call that account “Full Access Guest User”, or something similar, and you can be certain that the thief will take the bait and log in to the account you want him to use.



Š      Securing Your Personal Data


Like most Mac users, I usually stay logged into my personal account, and put my MacBook to sleep by closing the lid.  But what happens if your laptop is stolen while in sleep mode, but logged into your personal account?  Even if you have a guest account, the thief now has access to your personal account once he opens the lid.  To prevent this from happening, and to guide the thief into logging into the guest account instead, do the following:


Š      Set the Security & Privacy pane in System Preferences to (1) require a password to wake the computer from sleep or a screen saver, (2) disable automatic login, and (3) require a password to unlock each Systems Preference pane.


Š      In the Users & Groups pane, set the Password Hint field of your administrative account to point the thief to log into the guest account, e.g. “Use guest account, password is xxxxxxx.”


Š      Remember to use the Password Hint option of the guest account to reveal the guest password.  As an alternative, you can use the long user name of the guest account to reveal the password, e.g. “Guest User (pw is bemyguest)”.


Now if your laptop is stolen, the thief will open the lid, wake it from sleep, and see the panel requiring him to enter the password.  He’ll quickly realize that he can’t access your personal account.  He will then click on the Switch User button and be presented with the option to log into the guest account.


The thief may also force a restart from the screen saver by holding down the power button or removing the battery, but the reboot will once again put him at the login screen with the guest account as his easiest option for seeing what’s on your computer.  From that point, all he has to do is connect to the Internet while in the guest account, and VUWER will begin transmitting images and IP data.  The longer you can collect screenshots, the more you’ll learn about him, and hopefully you’ll soon be able to tell the police everything they need to find him.


Note that the main drawback to these enhanced security settings is that you’ll have to enter your password every time after waking your laptop from sleep, or to deactivate the screen saver.  If you have confidential personal or work information on your Mac laptop, you may also consider using the FileVault encryption (built into OS 10.5 or later) to further protect your own user account.  Even if a knowledgeable thief is capable of overriding the firmware password, he’ll still be unable to gain access to your personal information.