Website: http://www.scripting.com/
Original page: http://www.scripting.com/stories/2007/12/23/whatILearnedAboutSecurityP.html
Whenever I start the laptop, I'm asked for a pass phrase and then it starts up. In my opinion a minor headache.
Thanks again.
Since you're planning to stick with Apple, here are some tips on not getting burned this way again:
1) Turn on FileVault and swap file encryption (System Preferences > Security > General > Use Secure Virtual Memory, and then go to the FileVault tab. You'll need lots of free disk space if it isn't a brand new machine).
Now, FileVault is a two-edged sword--if you forget your keys, or you somehow corrupt the encrypted disk image, your data is gone. Which brings us to (2):
2) Set up a painless backup system which you actually use. And maybe buy a copy of Disk Warrior; as of MacOS X 10.4, it was the only product which could recover a corrupted FileVault.
3) Before sending _any_ machine out for repairs, back up the entire hard drive, wipe it, and reinstall a pristine copy of the OS.
If you follow all these steps, you'll be slightly more likely to lose all your data (FileVault causes trouble for some people). But your data won't fall into other people's hands, and that's a big win.
That being said, any laptop user with any concern for the privacy of their data should be using disk or volume encryption anyway. A desktop in your home or workplace at least has some level of physical security. I would always backup and securely wipe a disk before taking it to any third-party (sell, repair, recycle, etc.)
No matter which manufacturer you select, if you're working with sensitive data that has not been strongly encrypted, Dave's suggestion of "I'm...going to replace it myself and shred the old disk" is definitely the best advice that can be followed. Frankly, the $100 for an HDD, even if the machine is in warranty, is FAR cheaper than the exposure associated with your data falling into the wrong hands.
If you can't do the repair yourself, I'm sure there is someone around that can do it that you can trust. I'm sure there are plenty of former Apple service techs floating around that'd be willing to do the job for $50 while you watched.
I see no difference between these two situations. Not every data is precious but c'mon! You say you're changing your passwords. How on earth do you store them unencrypted? Ignorance of security measures can have great consequences. I'm sure you know that better than me as you're clearly wiser than me.
With Mac OS X's FileVault, disk encryption is a no brainer. Now with Leopard, decent backups are fire and forget with Time Machine. ...Even with Mozy or Jungle Disk, online backup with military grade encryption is possible at no or insignificant costs.
I understand your frustration but I'm sure you won't be posting a sympathetic comment if you were not the author but the commentator.
But that's just me. ;)
-jim
If the price and the fact that you were not getting the drive back made you so angry you should have clicked here...
http://manuals.info.apple.com/en/MacBook_13inch...
Why is confiscating used drives a bad idea? Well, read the story below.
http://ask.metafilter.com/70962/Where-to-send-M...
"But here is a serious warning. Make sure you wipe and reformat your hard drive before you send it back to Apple. I know someone who needed a drive replaced by Apple a year ago. Instead (for complex reasons) Apple replaced the entire iBook. Months later, his *old* drive (which he had expected to be replaced and wiped by Apple) had found its way (via a parts machine sold by a major online Mac dealer that also handles used and parts machines, to a private individual) to the home of a guy who makes a business recovering data from used drives and "selling" it (with a hint of blackmail threat, suggesting identity theft) back to the original owner of the data.
"Apple sold his personal data, accidentally perhaps, but for sure. They admitted selling the iBook without erasing it to the retailer -- on the phone to my friend. They compensated him, but not nearly enough to cover any future identity theft."
The problem is when it applies to off-the-shelf components, and particularly hard disks due to their sensitive data. And it's compounded when the customer doesn't realize what's going to happen. A few years ago, I had a hard disk go bad in an iMac. My experience was different because the guy at the genius bar explained what would happen, and pointed out if I bought a new hard disk from them and had it "upgraded" (at about the same price) it wouldn't be a repair and so I got to keep the old hard disk (which, in an external enclosure, I managed to tap and spin into briefly starting up so was able to recover some data).
With the MacBook, you can change the hard disk easily and do it completely yourself. But even if their people are working on the hardware, there's an alternative.
The system should handle hard drives differently.
The odds of you losing data to laptop theft are VASTLY greater than the odds of you losing data because a large corporation has mishandled your exchanged HDD. There are two reasons for this. The first is that the corporation would be legally liable if your data were leaked, the second is that it would take a clean room and tens of thousands of dollars of equipment to recover the data from a drive that is so damaged it cannot be mounted.
Compare to Joe Shmoe booting your Macbook from an install disk and resetting your password through the password reset utility (password-protecting your firmware will defeat this tactic, but your data is still not secure unless it is encrypted because a thief can remove the drive from the machine).
Data integrity and security is the responsibility of the creator of the data. Backup regularly, and encrypt information you can't afford to have public.
You should never give a disk to _any_ repair shop or support agent without completely wiping the data. Ever, ever, ever. Even if you get your disk back there are any number of people who might have touched it and either archived it (for your benefit) or scanned it directly with ill intent. Getting the physical disk back is irrelevant.
This isn't much different from asking some random mechanic to repair your car - and leaving your wallet/passport/etc. in the vehicle. Protection starts with a defensive approach with you at the center of your risk zone.
I understand how you might feel concerned or frustrated, but it's _your_ responsibility to protect your privacy.
Furthermore, some Apple service contracts prevent anybody but Apple from replacing hard drives. So, depending on the details of Dave Winer's AppleCare contract, he may have no other option than to take the laptop back to Apple.
Really, the only viable options for somebody in Dave Winer's position would be to either (a) void his AppleCare coverage, or (b) turn on FileVault and substantially increase his risk of data corruption.
It's a pretty lousy choice for a premium-priced laptop.
Though, in giving it some thought. Consider that if you take your car in to a shop and have a say, a Water Pump replaced ( or an A/C compressor ), the shop will in all likelihood take back the defective parts, and more than likely sell it to a recycler ( or rebuilder ). It's standard practice in the auto industry, so I can't say it's utterly a stretch.
What troubles me to no end is that you're not allowed access to the drive to wipe or eliminate any of your personal information. Even if the drive won't boot, it supposedly could be put into an external drive enclosure, and a sound wiping performed on it.
While the concept of taking back the hardware isn't necessarily new. It's not like your mechanic is going to get a whole lot of personal banking information from that broken water pump.
'nuff said.
I'm sorry but I have to disagree. I have worked for well over 15 years in PC and Apple repair. All the manufacturers source their hard drives from the same locations as the rest of the industry. There is absolutely *no* difference between that Toshiba brand drive you grab from the bin and the one someone orders from Newegg or Buy.com. The markup you're referring to is called overhead and that is the costly part of the industry. It's the same with auto parts. If you go to the dealer you get charged X, but you *can* still pick up or order the same part from many different places.
There is also no reason for the repair center to keep the drive. Drives sent back for re-manufacture or re-certification are typically worth pennies to the service center and very little to the manufacturer as well.
I would most assuredly replace the disk myself if I knew what screws to remove and get the MacBook apart.
http://manuals.info.apple.com/en/MacBook_13inch...
If I'm paying for it, though, I'd just take it in sans drive.
"When you return back, you see the rear window glass broken, easy trunk access from the back seat is open and MBP is missing. Your data is in wrong hands. Again...
I see no difference between these two situations."
You see no difference between an Apple store stealing your data and a person who steals your laptop out of your car? Neither do I.
Seriously, this just goes to show that Apple needs to work this out before doing the repair. There needs to be a procedure for getting the data back. This is a common thing in the PC repair cycle. Customers don't give a rat's behind whether you replace the part with an 80gig Toshiba drive or a 160 gig Maxtor. They just want to be able to use their computer, again. Part of that equation is being able to recover their data. If Apple does not see this, they've been living under Mr. Jobs' Reality Distortion Field for too long.
Personally, I would have figured out how to do the replacement on my own, but most likely Mr. Winer has other interests, and doesn't feel like geeking out to his MacBook. Cool, that's what techs are for. Unfortunately, this Apple tech, and the Apple Store gave the rest of us geeks a bad name. OK, just to be clear, I've never worked on a laptop, much less a MacBook, but I like building desktops, and they are a joy to work with, even when I fry the odd power supply or motherboard.
Sorry, Mr. Winer. Looks like you got the shaft. For the rest of you Mac Fanbois: caveat emptor. Ask first what will happen to the old hard drive. If the answer dissatisfies you, ask what will happen to the data. If you are upset by this, complain, but by all means, do not do business with Apple until this policy changes. It's too bad more of us hardware geeks aren't doing more Apple outreach (pro-customer, that is). This kind of practice wouldn't happen if the customer knew he could call up his best buddy and have him change the drive for a lot less.
Oh, and to anyone who thinks "Corporations would never abuse your data" imagine this scenario. I, or someone like me, gets a job at an Apple store. I get to do all of the out-of-warranty repairs, or even if I don't I can gain access to all the old HDD's that the customer cannot have. I then meticulously copy every byte of data and upload them to an anonymous Gmail account (hey, free storage, they promised!). Even if Gmail rejects me, I am sure I can find a willing "buyer" for all of this personal information. Problem out in the wild.
OK, so all of that personal information flying around the web would eventually lead back to me, but in the time between starting my scam and the time between being caught, (and I would be caught, so that's the other reason I wouldn't work for Apple), there would be many hard drives' worth of information floating around the internet. Bad for business? You betcha.
Oh, and the other reason I would never work for Apple is that Steve Jobs wears turtlenecks. I know, arbitrary, but I need to have some standards.
--Shun
In a typical repair like yours, the dealer has the drive in inventory (managed by Apple), and if the failed part is not returned to Apple, the dealer is charged again for the drive.
There is a chain of custody with Apple Service Parts, your dead drive will go to a facility for failure analysis, typically by Apple, sometimes by the OEM, and then, most likely recycled (not refurbed for drives typically).
Major components, such as mainboards, are refurbished, and placed back into the parts program.
If the machine is out of warranty, replacing items such as hard disks, it's usually more sensible to replace the part with a non-Apple logo'ed part. It's cheaper, and yes, then you can keep your old drive.
Now... if the drive the Genius is not an Apple part, then you should be able to get the drive back, as it would not qualify under the Service Exchange Program. It's a one in, one out process...
This - I think - is what the traits will be of major corporations in the new millennium. Less q/c, higher production rates, accessible technology (by the public), and a loss of good will ethics in the inner circles of these corporations. (which drives the final policy -first point of support/interaction with the consumer to lose all trust in the product itself and many more proclaimed to be whatever they may be).
Just remember the days of the 80's and 90's when buying a product with a well-known logo, definitely meant the solidness and shelf-life you'd come to take for granted and get your money's worth.
Apple authorized companies to fix Mac hardware. If that company uses an APPLE PART, Apple wants to track that part. This can be to determine more widespread failures, keep track of valuable components or just to make sure the service centers are doing what they say before billing time back to Apple. As such Apple has two prices on "APPLE PARTS", an exchange price and a stock price. The exchange price is a reasonable price based on the cost of the component when the computer was created. Thus a year and a half or two years ago when you purchased your MacBook $160 for 80GB laptop drive was about what they went for. The stock price is much higher to ensure that replacement parts make it back to Apple.
This all makes sense for logic boards, power supplies, cases etc. But not so much for memory and hard drives. If he really wanted the drive back, I guess he could have paid the higher stock price or just go to an Apple service center that supports third party parts.
Someone should have given you better options, but they did what they had to do.
HD breaks
-> customer sends it or the TP in and the HD is exchanged
-> the exchanged part is tested
---> if the part is bad it gets scrapped
---> if the part is found to be still ok it gets formatted and stocked to serve as replacement disk
Of course mistakes happen, therefore always keep the HD if there is sensitive unencrypted data on it. If you are big enough a customer you will get away with dropping the HD on the floor a few times to make sure it can't be used as a replacement part. ;)
There were funny stories about replacement disks having data on them - pr0n on a replacement disk at a governmental body, e.g. Of course this was a rare exception, but you can never be 100% sure about what happens to your data...
Perhaps you are unfamiliar with the mess last year involving a Veterans' Administration programmer who took a file containing millions of veterans' personal data home with his laptop to work on over a weekend.
Common burglary when he was away, laptop missing with 25 million names, addresses, SSN's, military and health information on people just like and including me. The Virginia local and state police, the FBI, and the Secret Service were on high-active search mode looking for this laptop, and it was recovered a couple of months later, drive un-wiped, being sold from a flea market. While there was no indication that the file was accessed by anyone, it put a huge scare in the VA and some top heads rolled over it. Veterans weren't exactly comfortable with the idea of our files exposed to the public either.
I use PC's and PGP encrypted folders and drives. I'll have to look into File Drive (saw it in another post here.) The rest of the posters had valuable information, even though I don't deal with Mac I have still had to send off PC formatted drives for warranty exchanges, and found that I received in return "refurbished" drives. I always do wipes and low-level formats before anyone else can get it. Recently though, since drive prices have fallen so fast, I just buy a new drive and destroy the bad one.
While I agree that Apple has an unacceptable policy, in terms of security you failed before the disk did.
Moreover (as SCO vs. Novell demonstrates), copyright title does *not* transfer without a specific written conveyance -- I'll bet Apple's form does not describe your source code in detail, for example. If it gets out at all, you have them for copyright infringement. Arguably, you have a case for an _ex parte_ order, to go back to them with a Federal marshal and seize the drive (following the precedent of the Scientologists and the BSA) -- to implement that, you need the advice of a good copyright lawyer, though.
FWIW
I had her buy a bigger drive at CompUSA for $100 (paying the brick & mortar retail premium) and used the instructions at iFixit to replace it. Not a trivial job, but not that hard either.
http://www.ifixit.com/Guide/Mac/MacBook-Pro-17-...
Sounds like there's more than enough blame to go around. The data should definitely have been encrypted, but a service oriented establishment would have given you the drive back for a surcharge. Of course everyone knows that Apple isn't service oriented, so you bought into that when you bought your laptop.
Jake
communityguy.com
Adding RAM or Changing your hard drive does not void your warranty..
there are small circuits that one can purchase -30-50- dollars that can be plugged into any raw hard drive.. and connected to your mac via firewire or USB.... that will allow access to your hard drive even if that hard drive is not able to boot up your computer... you should be at ease doing this simple procedure... you use this procedure to clone your internal hard drive to the external raw drive as a bootable back up drive.
all you need to see, is it done one time...-a piece of cake- and then you too can do it...
Apple was fortunate that there was no contamination on your motherboard.... replacing that would have cost them their profit on your computer... they may have had to give you a replacement computer...
When buying any Computer or peripheral ALWAYS insist on a factory sealed carton..
If for some reason a new device has to be replaced at the store from where you bought it... you want a FACTORY sealed carton as a replacement... so when you bring in your computer for service and it is less than 3 months old.... pack it back up in original carton and packaging... demanding a FACTORY SEALED carton as a replacement.... never buy a computer where the reseller has to open your box, and open your computer to add something, like more ram... do that yourself later... do not buy a computer that has been opened..
I agree the hard drive replacement experience... was ruination of the apple experience....
next time you have to outsmart the Apple geniuses.... -in my experience, it's not so hard to do-
One last thing, many Mac users, -friends- use me as their guru, I have helped them through their service problems. I have seen -replacement computers that were worse than the one replaced-
you should have a guru friend.... who is very familiar with the apple product line and the apple warranty repair process.... see them first....
The last thing I want for myself is to have the apple "geniuses" having their hands inside of my computer..- only as last resort-...
so far, in all these years... since I bought my first "Mac-128" 1984, I have managed to keep the local " mac geniuses" out of my computers..
Anyone who really knows computers and macs.. are not going to be making a living by servicing these computers... there is not enough money in it..
Make friends with someone who really knows what they are doing.... call them up for advice, sometimes they will see your computer for you, most of the time they will be able to orient you, into what is in your own best interests.... they will not charge you any money... and if they do something that takes more than 30 minutes for you, offer them something, don't ask How much do I owe you. Make them a friend -beyond just computer stuff-
In my life. I have at least a dozen friends who went MAC because of my counseling, and they use me, to solve mac issues... mostly all the time on the phone in 5 minutes.. sometimes I go to their house, or ask them to bring their mac here to my home.. -most rare-
I have saved them money and time.. they are my friends...
Encrypt your data. Store it on a pocket hard drive and use the internal HD for non-sensitive data only. Or many other tactics you could have employed.
Depending on the state you live in, you could have bought a true "replacement" hard drive (for many times the $160). You chose not to, just as you chose not to ask questions and just as you chose initially for them to take your HD into the back.
Scream all you want, Dave, but there's some obligation on the consumer to certain things, too.
How does one become a former genius, btw?
I didn't say that Apple "thinks they own your content."
Must have a pretty weak case if you have to argue against things I didn't say and don't believe.
Also, just curious how you got here -- there's been a curious increase in the crappiness of the posts here in the last few hours.