
MacLockPick

You’ve probably seen the hoopla regarding MacLockPick — a USB device used for extracting passwords and such from a Mac running OS X. You can google MacLockPick or simply go to <http://www.subrosasoft.com/> to read about it.

A couple of notes:

To work, the software on MacLockPick must be run. That means someone has to gain physical access to your computer, insert the device, then access and run the software on the device. If they have physical access to your computer in your absence, your security is already pretty much compromised anyway, especially if your account is logged in. Also, the MacLockPick software must be run by a logged-in user with Admin privileges.

This device is defeated by the simple expedient of locking your screen with a password, either by requiring a password to wake from the screen saver or by switching to the login screen when you are away from your Mac.

It helps too if your account is not an Admin account. If it’s not, even logged in, this tool is worthless at extracting anything.

So, as security-conscious users of OS X have been saying from Day One,

  1. Turn off auto log-in (so someone cannot simply pull the plug on your Mac then plug it back in to become logged in as you);
  2. Do not use an admin-enabled account for day-to-day activities. Set up a separate admin account to which you log in only when doing things which require admin permissions. Use a non-admin account for routine Mac use;
  3. Either log out, lock your screen with a screen saver password or switch to the login screen when you leave your Mac unattended.
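
A quick way to audit a Mac against these three recommendations, as an added example that is not part of the original post. It assumes the stock `defaults` and `dseditgroup` tools and that the screen saver password option is stored in the `askForPassword` key of `com.apple.screensaver` (its location varies by OS X release, so both the per-user and per-host domains are tried); the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: check the local Mac against the three recommendations.
# Assumption: the preference keys below match your OS X release.

# 1. Auto log-in is off when loginwindow has no autoLoginUser key.
autologin_disabled() {
    ! defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser >/dev/null 2>&1
}

# 2. The day-to-day account ($1) must not be a member of the admin group.
is_standard_user() {
    ! dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# 3. Waking from the screen saver must require a password.
#    Try the per-user domain first, then the per-host (ByHost) domain.
screensaver_locked() {
    [ "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" = "1" ] ||
    [ "$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null)" = "1" ]
}

# Run one check, print PASS/FAIL and count failures.
check() {
    desc=$1; shift
    if "$@"; then
        echo "PASS  $desc"
    else
        echo "FAIL  $desc"
        failures=$((failures + 1))
    fi
}

# Audit the account named in $1; the return status is the number of failures.
audit_mac() {
    failures=0
    check "auto log-in is turned off" autologin_disabled
    check "account '$1' is not an admin account" is_standard_user "$1"
    check "screen saver asks for a password on wake" screensaver_locked
    return "$failures"
}

# Only run against the real system when this is actually a Mac.
if [ "$(uname -s)" = "Darwin" ]; then
    audit_mac "$(id -un)" || echo "$? recommendation(s) not met"
fi
```

Logging out or switching to the login screen when you walk away is a habit rather than a setting, so only the screen saver password half of item 3 can be checked this way.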

Now the following is supposition on my part…

Isn’t this device in violation of the DMCA? The Digital Millennium Copyright Act makes it illegal to even possess the means for bypassing content protected by digital encryption.

My keychain file contents, which I ‘authored,’ are, by law, automatically copyrighted by me as soon as I wrote them. There is no need to register a work to have it copyrighted, though enforcement of copyright is easier if the copyrighted work is registered.

Point is, everything I have authored, including everything on my computer, right down to its passwords, is protected by copyright law. My keychain, in particular, is protected using encryption. Content protected from unauthorized access by encryption is protected by the DMCA.

As Wikipedia says, the DMCA “… criminalizes production and dissemination of technology, devices, or services that are used to circumvent measures that control access to copyrighted works … and criminalizes the act of circumventing an access control, even when there is no infringement of copyright itself.”

What is the proper federal agency to which we should report SubRosa (the manufacturer of MacLockPick)? As Mac users, we should be able to (for once) make the onerous DMCA work FOR us instead of against us.
