filevault 2 + project prey


alphaace

Jul 13, 2012, 2:44:02 PM
to prey-s...@googlegroups.com
Hi,

I was wondering if there was any progress in regards to Filevault 2 and Project prey. I really really like project prey but it seems it's one or the other and not both. I understand I can make a honeypot account, but the problem with that is that anyone can then log in using super user mode and get all my files that way. Currently, under filevault 2, if they can't get my password, the drive is locked and at least my data is protected. Any thoughts?

Thanks!

Drew Reece

Jul 13, 2012, 6:31:35 PM
to prey-s...@googlegroups.com
It may be possible to install Prey in some form into the recovery partition (where the OS boots before you login & decrypt the disk) but that partition pretty much belongs to Apple, & system updates could do anything to it. Prey running on a limited OS that is not very useful (at least for users to do basic tasks) is unlikely to send many reports. A guest account may be enough, but not being able to save work may put people off using it.

I think the only option is to use FileVault 1 (you'll need to migrate from an older OS to do this) & only have your home folder encrypted, other accounts can't access your home folder (so long as you logged out). It may be enough if you are careful not to leave sensitive data on the rest of the disk.

I think full disk encryption creates this issue wherever it is used. What is the value of the encrypted data to you compared to the value of the computer? Pick which one you want to protect.

I think this may be another case where Apple's own solution may be the only option.
http://www.macworld.com/article/1163387/can_filevault_2_and_find_my_mac_foil_thieves_.html

Drew

M.V.

Jul 13, 2012, 6:34:11 PM
to prey-s...@googlegroups.com
I'm using FileVault 2 too. And yeah, a second account would not allow that account access to your account data, but obviously the partition will be unencrypted for that and thus be vulnerable to attacks...
I doubt there's anything Prey can do. The recovery partition is Apple's territory. The only option would be to create a new unencrypted partition w/ a new OS X install, but OS X w/ FileVault and possibly Boot Camp sadly doesn't like non-standard partition setups.

So yeah, looks like we have to decide if we want the ability to track the laptop or secure our data.
Currently my Galaxy Nexus is unencrypted and thus trackable; my MacBook is encrypted.

alphaace

Jul 17, 2012, 12:21:34 AM
to prey-s...@googlegroups.com
I'm wondering if one can get really crafty with TrueCrypt here. Split the drive into 2 partitions, a small unencrypted honeypot (say 30 gigs) and a much larger encrypted partition for your account.

In that case, you wouldn't need FileVault 2. You make your default boot directory the honeypot partition where you have Prey installed. You then make your non-default boot the TrueCrypt-encrypted partition that you get to using the Option key. In theory it should work, although I'm kind of loath to try it on my one and only MacBook.

Does someone have a spare laptop and is willing to try this? And then be kind enough to write about their experience?

Cheers,
Greg

Drew Reece

Jul 17, 2012, 9:19:39 AM
to prey-s...@googlegroups.com
It should work, but it would be easier to convince FileVault to use the legacy system (just encrypt the home dir).
There are guides on the net for doing it on 10.7.
I suspect users may be unwilling to sacrifice an extra few GB for another boot partition considering the size limits on SSDs.

The 'Option key' boot picker also remembers the last used startup disk, so you would be relying on a thief knowing how to switch between boot partitions & assuming there is another one that is usable on that Mac.
You can't use firmware passwords either with your TrueCrypt method (unless you manage to always change booting back to the other partition), so people can boot from USB or the recovery partition & wipe the data.

You can do all this on USB if you want to test it, a recent Mac will boot from USB.

Drew

jlg89

Jul 28, 2012, 11:31:13 PM
to prey-s...@googlegroups.com
This will get Prey installed on your Mac's recovery partition, which means Prey will load and run if you hold command-R when booting the Mac. I have not verified whether or not Prey is able to send reports etc. when it runs; I can only say that it runs.

If you log in as the guest user (which starts a Safari-only login, with no access to the FileVault-encrypted HD), Prey runs, but I have been unable to get it to generate a report. I'm using Prey in "self served" mode, where it's checking a URL, so having it hit the preyproject server might change things.

I'm providing this information as-is, with no warranties, no guarantees, no nothing. I don't have time to dink with it any more right now. Maybe someone can take what I've done and get something working more dependably.

1. Install, configure, and test Prey on your computer. Be sure it works.

2. Open TextEdit and create a file called "CreatePreyRecovery.command" (this will make it a double-clickable Terminal script). Paste the following text into the file, save & exit.

#!/bin/bash
#
# Mount the recovery partition
/usr/bin/sudo /usr/sbin/diskutil mount Recovery\ HD
#
# Backup the recovery boot image
/usr/bin/sudo /bin/cp /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg ~/Desktop/
#
# Create a read/write version, and mount it
/usr/bin/sudo /usr/bin/hdiutil convert ~/Desktop/BaseSystem.dmg -format UDRW -o ~/Desktop/BaseSystem-rw.dmg
/usr/bin/sudo /usr/bin/hdiutil attach ~/Desktop/BaseSystem-rw.dmg
#
# Copy your working Prey installation to the read/write image
/usr/bin/sudo /bin/cp -Rp /usr/share/prey /Volumes/Mac\ OS\ X\ Base\ System/usr/share/
#
# Copy necessary utilities that are missing from the default recovery image
for prog in dirname uname who whoami curl
do
  /usr/bin/sudo /bin/cp -p /usr/bin/$prog /Volumes/Mac\ OS\ X\ Base\ System/usr/bin/
done
#
# Create the necessary files/folders (-p so an already existing folder is not an error)
/usr/bin/sudo /bin/mkdir -p /Volumes/Mac\ OS\ X\ Base\ System/Library/LaunchDaemons
/usr/bin/sudo /bin/mkdir -p /Volumes/Mac\ OS\ X\ Base\ System/private/var/db/launchd.db/com.apple.launchd
/usr/bin/sudo /usr/bin/touch /Volumes/Mac\ OS\ X\ Base\ System/Library/LaunchDaemons/org.preyproject.prey.plist
/usr/bin/sudo /usr/bin/touch /Volumes/Mac\ OS\ X\ Base\ System/private/var/db/launchd.db/com.apple.launchd/overrides.plist
#
# Assign the correct ownership/permissions
/usr/bin/sudo /usr/sbin/chown -R root:wheel /Volumes/Mac\ OS\ X\ Base\ System/Library/LaunchDaemons
/usr/bin/sudo /usr/sbin/chown root:wheel /Volumes/Mac\ OS\ X\ Base\ System/private/var/db/launchd.db/com.apple.launchd/overrides.plist
/usr/bin/sudo /bin/chmod 755 /Volumes/Mac\ OS\ X\ Base\ System/Library/LaunchDaemons
/usr/bin/sudo /bin/chmod 644 /Volumes/Mac\ OS\ X\ Base\ System/Library/LaunchDaemons/org.preyproject.prey.plist
/usr/bin/sudo /bin/chmod 600 /Volumes/Mac\ OS\ X\ Base\ System/private/var/db/launchd.db/com.apple.launchd/overrides.plist
#
# Create the plist file that tells launchctl to run prey every 10 minutes.
# Note: "sudo cat > file" does not work, because the shell opens the output
# file as the ordinary user before sudo runs; "sudo tee" writes it as root.
/usr/bin/sudo /usr/bin/tee /Volumes/Mac\ OS\ X\ Base\ System/Library/LaunchDaemons/org.preyproject.prey.plist > /dev/null << END1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>org.preyproject.prey</string>
        <key>LingonWhat</key>
        <string>/usr/share/prey/prey.sh</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/share/prey/prey.sh</string>
        </array>
        <key>StartInterval</key>
        <integer>600</integer>
</dict>
</plist>
END1
#
# Tell launchctl to load the plist file automatically (written with sudo tee for the same reason)
/usr/bin/sudo /usr/bin/tee /Volumes/Mac\ OS\ X\ Base\ System/private/var/db/launchd.db/com.apple.launchd/overrides.plist > /dev/null << END2
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>org.preyproject.prey</key>
        <dict>
                <key>Disabled</key>
                <false/>
        </dict>
</dict>
</plist>
END2
#
# Be sure launchctl actually loads the plist file at boot.
# ">>" after "sudo echo" would append as the ordinary user, so pipe through "sudo tee -a" instead.
echo "/bin/launchctl load -F /Library/LaunchDaemons/org.preyproject.prey.plist" | /usr/bin/sudo /usr/bin/tee -a /Volumes/Mac\ OS\ X\ Base\ System/etc/rc.common > /dev/null
#
# Unmount the modified image
/usr/bin/sudo /usr/bin/hdiutil detach /Volumes/Mac\ OS\ X\ Base\ System
#
# Convert the modified image to compressed read-only, and verify the final image
/usr/bin/sudo /usr/bin/hdiutil convert ~/Desktop/BaseSystem-rw.dmg -format UDZO -o ~/Desktop/BaseSystem+Prey.dmg
/usr/bin/sudo /usr/bin/hdiutil verify ~/Desktop/BaseSystem+Prey.dmg
#
# Replace the old image with the new
/usr/bin/sudo /bin/cp ~/Desktop/BaseSystem+Prey.dmg /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg
#
# Done!
#
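An added sanity check, not part of jlg89's script or of Prey itself: before the final cp overwrites the original BaseSystem.dmg, confirm that the mounted read/write image actually contains every piece the recovery job depends on (the Prey directory, the five copied utilities, the launchd job with its required keys, the overrides entry, and the rc.common line). It assumes the paths used in the script above and takes the image's mount point (the post's "/Volumes/Mac OS X Base System") as its only argument; the plutil lint step runs only where plutil exists, so the function is also usable on a non-Mac for a copied-out tree.

```shell
#!/bin/bash
# Added example (not from the thread): verify a modified BaseSystem image
# before it replaces the original. Paths below match the script in the post.

# verify_prey_image ROOT
#   Prints one line per missing or invalid piece and returns 0 only when
#   everything the recovery-partition Prey job needs is present.
verify_prey_image() {
  local root="$1"
  local missing=0

  need_file() {                       # need_file PATH DESCRIPTION
    if [ ! -e "$1" ]; then
      echo "MISSING: $2 ($1)"
      missing=$((missing + 1))
    fi
  }

  # Prey itself and the utilities the post copies into the image
  need_file "$root/usr/share/prey/prey.sh" "Prey launcher"
  for prog in dirname uname who whoami curl; do
    need_file "$root/usr/bin/$prog" "utility copied into image"
  done

  # The launchd job must carry the keys launchd needs to schedule it
  local plist="$root/Library/LaunchDaemons/org.preyproject.prey.plist"
  need_file "$plist" "launchd job"
  if [ -e "$plist" ]; then
    for key in Label ProgramArguments StartInterval; do
      grep -q "<key>$key</key>" "$plist" || {
        echo "MISSING: <key>$key</key> in launchd job"
        missing=$((missing + 1))
      }
    done
  fi

  # The overrides file must mention the job, or launchd treats it as disabled
  local overrides="$root/private/var/db/launchd.db/com.apple.launchd/overrides.plist"
  need_file "$overrides" "launchd overrides"
  if [ -e "$overrides" ] && ! grep -q "<key>org.preyproject.prey</key>" "$overrides"; then
    echo "MISSING: org.preyproject.prey entry in overrides.plist"
    missing=$((missing + 1))
  fi

  # The explicit load line the post appends to rc.common
  local rc="$root/etc/rc.common"
  if ! grep -q "launchctl load -F /Library/LaunchDaemons/org.preyproject.prey.plist" "$rc" 2>/dev/null; then
    echo "MISSING: launchctl load line in etc/rc.common"
    missing=$((missing + 1))
  fi

  # plutil exists only on macOS; when available, lint both plists as XML
  if command -v plutil >/dev/null 2>&1; then
    for f in "$plist" "$overrides"; do
      if [ -e "$f" ] && ! plutil -lint "$f" >/dev/null 2>&1; then
        echo "INVALID: $f fails plutil -lint"
        missing=$((missing + 1))
      fi
    done
  fi

  [ "$missing" -eq 0 ]
}

# Usage on the Mac, after the image is mounted and before the final cp:
#   ./verify_prey_image.sh "/Volumes/Mac OS X Base System"
if [ -n "$1" ]; then
  verify_prey_image "$1" && echo "OK: image contains everything the Prey job needs"
fi
```

Run it while the read/write image is still attached; a non-zero exit with a list of MISSING lines means the cp at the end of the script would ship a recovery image whose Prey job cannot start.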

Drew Reece

Jul 28, 2012, 11:58:45 PM
to prey-s...@googlegroups.com
The usual disclaimer applies to this… don't attempt it if you don't know what you are doing & are not willing to possibly break your system :^)

It looks promising. I wonder if you should set the check URL to something else on this installation so that it can be looked at in the server logs independently of the current installation. It may help to see if it is checking in but the reports may fail because of other unmet dependencies (who knows what Apple left off the recovery partition).
Something like…
sed -i '' -e 's|YOURCHECKURL|YOURNEWCHECKURLHERE|' /Volumes/Mac\ OS\ X\ Base\ System/usr/share/prey/config

It would be great to know if it works.

Drew

Oliver Schrenk

Aug 16, 2012, 3:31:00 AM
to prey-s...@googlegroups.com
Nice work! I'll be trying this out when my new machine comes next week.