
2018 Macbook Pro Touchbar has NO Data Recovery Port!

iamdarkyoshi
1 hour ago, Blade of Grass said:

FileVault is not enabled by default. It’s similar to BitLocker (1 click enabling). 

 

Edit: also, haven’t heard of a lot of complaints about TouchID breaking, just the keyboard. 

If the hardware level encryption isn't on as default then that's good. If someone sees their data as that valuable it should be possible to desolder the (hopefully) intact memory chips and solder them on a new logic board or control board that can read them. Expensive, yeah, but doable.

 

But if the hardware encryption is on as default and you cannot disable it, then that is taking it too far in most of the use cases.

 

TouchID is more like just another possible failure point, because it's not just a fingerprint scanner but apparently paired with the T2 chip (hopefully Apple can pair new TouchID sensors to T2 chips because otherwise that's one expensive repair).


5 minutes ago, VegetableStu said:

in context to a workstation client far away from the server though? o_o

Daily or twice daily backups are not uncommon. Any enterprise worth their salt will be doing this. Stop trying to rationalize bad practices.

 

EDIT: Additionally many enterprises will be using network shares as storage so the critical data isn't even stored on the local workstation.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabyte Z170N Gaming5 | 16GB Trident Z 3200MHz


1 minute ago, 2FA said:

Please write a proper English sentence, I have zero idea what you meant by that post.

Yes, but if they want to you think they can't?


2 minutes ago, VegetableStu said:

hmm, i wonder if there's an emergency target disk mode via the thunderbolt ports where the owner could access the data with TouchID or the system password (different from the hardware key) while the main system is practically bricked o_o

That I do not know. All I know is that the T2 chip provides AES-256 bit file level encryption. I know in past OS X versions a user can easily reset a forgotten password by hitting Command + R while booting. I'm not sure it still works with a T2 chip present.

There is more that meets the eye
I see the soul that is inside

 

 


1 minute ago, spartaman64 said:

Yes, but if they want to you think they can't?

Can you just reword it or expand it? The bolded part doesn't make sense.


Just now, 2FA said:

Can you just reword it or expand it? The bolded part doesn't make sense.

You think they won't be able to decrypt the drive 


Just now, Christophe Corazza said:

 

Time Machine is great until your cat decides to take out the external hard drive.

Your cat probably needs some catnip and cuddling :P


5 hours ago, captain_to_fire said:

The advantage of hardware based encryption enforced by the custom T2 chip is that user data is protected at rest while having minimal read/write penalty. It’s not Apple’s fault that the user can’t be bothered to use Time Machine which nowadays works well with cheapo external hard drives to NAS like Synology and WD. 

 

So I don’t really see this as a huge issue for prioritizing security. 

Assuming this actually works well, and assuming the same benefit couldn't be achieved in a more user friendly way, sure, there's no doubting the upsides to this.  Hell, I've often joked that the soldered RAM on the macbook air (and since then, additional models) is a security feature because it means you can't do that trick where you open it up while running, dump compressed air upside down to freeze it and slow data loss, rip it out, and pop it in a scanner that finds the encryption keys :P It's a bit of a tongue-in-cheek kind of joke, but it's also got some truth to it.  But, those qualifications I listed at the start are important, and I've been on this forum long enough to know that while encryption is great for those who need it, the majority of average home users will be screwed over by it far more than they're saved by it.  Having the option to turn this on, but having it off by default would be better imo.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


3 minutes ago, spartaman64 said:

You think they won't be able to decrypt the drive 

Who is they? Companies don't deal with repairs themselves since it's easier to just send it in for a replacement or order a new one. I did edit my above post so I'll insert that here.

 

9 minutes ago, 2FA said:

Daily or twice daily backups are not uncommon. Any enterprise worth their salt will be doing this. Stop trying to rationalize bad practices.

 

EDIT: Additionally many enterprises will be using network shares as storage so the critical data isn't even stored on the local workstation.

 


1 minute ago, captain_to_fire said:

Your cat probably needs some catnip and cuddling :P

 

Highly doubt that will solve his electronics destruction sprees :P


17 hours ago, Drak3 said:

Surface Pro/Book.

Not sure about Pro, but Book definitely uses a standard M.2 NVMe SSD internally. Any Windows PC should be able to unlock the BitLocker encryption with the password.


3 minutes ago, 2FA said:

Who is they? Companies don't deal with repairs themselves since it's easier to just send it in for a replacement or order a new one. I did edit my above post so I'll insert that here.

 

 

Despite the question you seem to understand who they are fairly well. I don't see how being able to decrypt your own data is bad practice as long as you don't leave the key around for everyone else. And there are instances where you want to do something like check out what an employee is doing on their computer that isn't in a data backup.


22 minutes ago, 2FA said:

Enterprise people make backups and don't need to worry about a bricked drive.

You keep thinking that. I've seen large businesses not have any backup. Even if they do I highly doubt they have client backup.


11 minutes ago, Ryan_Vickers said:

Assuming this actually works well, and assuming the same benefit couldn't be achieved in a more user friendly way, sure

Time Machine is user friendly and unlike Windows 10's File History that requires digging, it's persistent in the menu bar or at the dock


 

11 minutes ago, Ryan_Vickers said:

the majority of average home users will be screwed over by it far more than they're saved by it.  Having the option to turn this on, but having it off by default would be better imo.

That would be good to have an option to turn off T2 enforced file level encryption rather than granting the user access to the encryption keys inside the T2 chip. Since file level encryption can be turned off in the iPhone by removing the passcode, it's possible it's the same way with the touchbar MBP with T2 chip.

6 minutes ago, Christophe Corazza said:

Apple... encrypt everything and recover nothing...

I bet nowadays US government regrets sharing AES to the world as it created a double edged sword


9 minutes ago, VegetableStu said:

no I mean like the password you can create to the hardware (if I remember right you need this password before booting Recovery or Bootcamp afterwards). not sure what exactly was it called

I don't know. All I know is that password resetting was easy back then with Command + R.


Just now, mynameisjuan said:

You keep thinking that. I've seen large businesses not have any backup. Even if they do I highly doubt they have client backup.

Or you could have the idiots that work here that have a ton of backups that are bytes in size plus a corrupted OS... Fun times

CPU: Intel i7 7700K | GPU: ROG Strix GTX 1080Ti | PSU: Seasonic X-1250 (faulty) | Memory: Corsair Vengeance RGB 3200Mhz 16GB | OS Drive: Western Digital Black NVMe 250GB | Game Drive(s): Samsung 970 Evo 500GB, Hitachi 7K3000 3TB 3.5" | Motherboard: Gigabyte Z270x Gaming 7 | Case: Fractal Design Define S (No Window and modded front Panel) | Monitor(s): Dell S2716DG G-Sync 144Hz, Acer R240HY 60Hz (Dead) | Keyboard: G.SKILL RIPJAWS KM780R MX | Mouse: Steelseries Sensei 310 (Striked out parts are sold or dead, awaiting zen2 parts)


39 minutes ago, captain_to_fire said:

Also, one disadvantage with FileVault is that once the password is typed, all disk contents become unencrypted. https://www.symantec.com/content/en/us/enterprise/white_papers/b-pgp_how_wholedisk_encryption_works_WP_21158817.en-us.pdf

The T2 encryption seems to share the same disadvantage.

 

“You should also turn on FileVault for additional security, because without FileVault enabled, your encrypted SSDs automatically mount and decrypt when connected to your Mac.”

https://support.apple.com/en-au/HT208344


37 minutes ago, captain_to_fire said:

Just imagine a whole can of worms if Apple allowed users to access encryption keys inside the secure enclave. When it comes to security, there will always be compromises, that's why timely backups are essential. @leadeater does regular backup snapshots at his work.

 

We’re talking about backing up desktops/laptops here not content on servers. Completely different discussions.


8 minutes ago, captain_to_fire said:

Time Machine is user friendly and unlike Windows 10's File History that requires digging, it's persistent in the menu bar or at the dock


Yes, it's fantastic from what I've seen and people need to use it.  Windows should just make something like it, afaik, there's no technical reason they couldn't (Windows and NTFS apparently support multiple hardlinks, although I've never witnessed or used it myself), but perhaps it's patented or something.

8 minutes ago, captain_to_fire said:

That would be good to have an option to turn off T2 enforced file level encryption rather than granting the user access to the encryption keys inside the T2 chip. Since file level encryption can be turned off in the iPhone by removing the passcode, it's possible it's the same way with the touchbar MBP with T2 chip.

Yes that's what I'm saying

8 minutes ago, captain_to_fire said:

I bet nowadays US government regrets sharing AES to the world as it created a double edged sword

The world can come up with encryption techniques on its own


6 minutes ago, schwellmo92 said:

The T2 encryption seems to share the same disadvantage.

 

“You should also turn on FileVault for additional security, because without FileVault enabled, your encrypted SSDs automatically mount and decrypt when connected to your Mac.”

https://support.apple.com/en-au/HT208344

Which, if you're actually concerned about security, I would recommend.  Don't just rely on the hardware thing.


3 minutes ago, schwellmo92 said:

The T2 encryption seems to share the same disadvantage.

 

“You should also turn on FileVault for additional security, because without FileVault enabled, your encrypted SSDs automatically mount and decrypt when connected to your Mac.”

https://support.apple.com/en-au/HT208344

Automatically mount and decrypt to your Mac. Not someone’s Mac since every encryption key generated is unique in every Mac especially with file level encryption. Though full disk encryption with FileVault definitely improves security together with file level encryption. 


18 minutes ago, mynameisjuan said:

You keep thinking that. I've seen large businesses not have any backup. Even if they do I highly doubt they have client backup.

Until they run into an issue where they fuck themselves over by not having backups and lose millions of dollars.


6 hours ago, jk441 said:

If they stopped forcing the "We want everything to be as thin as possible" design it probably would've been possible. Didn't the 2015 models have m.2 ssds? I wish Apple were more flexible on their design methodology especially for the Pro line up :(

No. They were removable drives but they were not M.2. They were special PCIe drives. 

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)
