Conversation
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 03:50:31 JST:
So apparently it's impossible to clone a Mac and boot off external storage?
According to CCC docs:
> Only Apple can make an external device bootable. Our support for system copying and bootability is limited to the suggestions noted above.
The storage needs to be signed with a signature only Apple can do
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 03:54:31 JST:
I used to be comforted with the idea that if something bad happened to my Mac I could at least limp along and boot off the external. This is not possible anymore.
Grrr now I have to find a different disaster recovery strategy as the one I've had for ages won't work anymore.
Charles Corbett (chas@tty0.social)'s status on Sunday, 08-Sep-2024 03:54:38 JST:
@feld we have dell using proprietary chargers so the hardware can refuse to charge if it doesn't send a dell signal
And apple refuses to use a drive it doesn't like
sigh
Angry Sun (sun@shitposter.world)'s status on Sunday, 08-Sep-2024 03:55:10 JST:
@feld Seriously they removed this feature?
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 03:56:55 JST:
@chas well they had to find a way to close one of the backdoors being abused by state attackers and so now the storage volume is cryptographically sealed/signed/verified by a key only Apple controls.
It *may* be possible to do a clean install on an external drive and Apple sign it during (does this mean you can't install macOS without internet at all now?)
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 03:58:39 JST:
@sun booting off an external drive that was already installed from scratch may still work but you can't clone an existing system and have it be bootable
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 08-Sep-2024 03:59:04 JST:
@feld >to my Mac
>Not allowed to boot off external storage
Which master does the mac really serve?
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 04:00:02 JST:
@Suiseiseki Security always has trade-offs
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 04:04:37 JST:
@coolboymew @sun I also used CCC for years, but wasn't made aware of this problem until today 😞
cool_boy_mew (coolboymew@shitposter.world)'s status on Sunday, 08-Sep-2024 04:04:38 JST:
@feld @sun They completely fucked the cloning ability. At work we used Carbon Copy Cloner and that program has been completely fucked by Apple. Now the clones at best have to be done within the OS and then within an already reinstalled OS. It's completely stupid and pointless now.
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 04:06:37 JST:
@animeirl @chas Got a link I can reference when I'm home later? 🙏
anemone🦐🦀🦞:shrimpface: (animeirl@shitposter.world)'s status on Sunday, 08-Sep-2024 04:06:38 JST:
@feld @chas with the default level of security, yes, though it’s configurable in recovery options
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 08-Sep-2024 04:09:56 JST:
@feld There is security and there are digital handcuffs.
There is no security risk posed by the user deciding to boot off an external storage medium on their computer.
If the user would like only approved software to externally boot, then the user should be able to remove any vendor keys and set their own key as to what software is authorized to externally boot.
Anything else is a form of digital handcuffs.
You have no security if apple can decide to load up malware onto your computer and have it execute (oh wait, that's exactly what macos is).
In the land of freedom, you can have real security, as you can put a gnupg signature in the cbfs of GNUboot and configure GRUB to only boot kernels signed with that signature and therefore refuse to boot any proprietary kernels.
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 04:11:03 JST:
@Suiseiseki
> There is no security risk
Don't be ignorant; yes there is. Evil maid attack is well known.
cool_boy_mew (coolboymew@shitposter.world)'s status on Sunday, 08-Sep-2024 04:12:37 JST:
@feld @sun Yeah I had to completely stop using it because it was pointless. I would have a full clone of every needed department and it's been so utterly destroyed by Apple that installing everything manually again is less stupid than dealing with CCC now
What they want you to do is to subscribe to a paid mobile device manager (note that some of them are free under x devices. They generally aren't very good tho') so that you can just automate everything per department... Except for the fact that just about 95% of them require signing your packages for the MDM to be able to distribute them if they aren't on the App Store. Some of them accept the developer's dmg/pkg own certificate, but some others don't. Good luck if it comes in a freaking zip :shrugz: screw you, get an Apple Developer account, pay for it and sign the damn package, it sure ain't Apple's problem :shrugz:
Oh wait, you're a lone home user? Well screw you I guess :shrugz:
I freaking hate Apple man
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 08-Sep-2024 04:17:35 JST:
@feld Yes, if an attacker has physical access to your computer, you are screwed no matter what - there is no way around this sad reality.
If you use full disk encryption and the computer is shut down, the attacker won't be able to access any of your data - although if the attacker decides to clone the storage and attaches a keylogger/recording device and you don't notice, the attacker will be able to get your password and use that to extract the cloned storage.
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 04:21:41 JST:
@Suiseiseki if they can boot off another drive they can attack your hardware to extract the key or do some other firmware/EFI type attacks...
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 08-Sep-2024 04:27:00 JST:
@feld If they have physical access to the computer, they can attack your hardware to extract the key or do some other software/EFI type attacks.
You don't need boot drive access to carry out software or hardware attacks - you can remove the case and jack yourself into the buses (you might need to delid the SoC case, but that's not strictly impossible to do).
feld (feld@friedcheese.us)'s status on Sunday, 08-Sep-2024 04:28:14 JST:
@Suiseiseki Yes if you have the hardware for an infinite amount of time you can do all sorts of things which is not within scope of the attack I'm describing
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 08-Sep-2024 04:33:23 JST:
@feld If there is physical access, but access time is limited, then a competent attacker will place a listening/recording device close enough and promptly leave, wait for you to enter any password(s), with the listening device capturing them and then they'll come back later and simply unlock the device with the password.
feld (feld@friedcheese.us)'s status on Wednesday, 11-Sep-2024 00:21:33 JST:
@sun he got it working. Turns out it was poorly documented that on his M1 Mac Mini the specific USB-C port he was using is not compatible with being used for an external boot drive. After changing the port and starting from scratch he was able to get it successfully installed and booting off an external 2TB NVME so now his storage woes are gone