>
The hacker says he did this in order to make the world aware of a flaw in Apple's security. By bragging to the victim, and even supplying specifics of how the attack was done, he has attained that goal in spectacular fashion. The victim is now shouting from the rooftops the message that the hacker wanted to get out.Thanks for the fill-in. (You've obviously read more about the matter than I have.)
So the victim did, in a sense, unwittingly target himself by being in a far better position to make his voice heard loud and clear by a large audience than, let's say, the hacker's next door neighbor would have been.
And beyond making the world aware of a flaw in Apple's security, the hacker has, yet again, made the world aware that the weakest link in
any chain is the person holding on to its end.
>
It had nothing to do with Open Firmware, which, in any event, only protects you from someone with physical access to the machine. Which is silly because once someone has physical access (almost) nothing can protect you.I mentioned Open Firmware password because considering the damage the hacker had already done, adding insult to injury didn't seem out of the question, and I was unaware that a PIN could be remotely attached to a Mac (
*).
>
The attack was done through good old old-fashioned social engineering, targeting his iCloud account. Once into iCloud, the hacker used Find My Mac to put a PIN on the victim's Mac (*). The scary part is that the successful attack was done by exploiting the naiveté of the very people at Apple whose job it is to maintain iCloud security. The scarier part is that a day later Apple still has not closed the hole. There should have been some heads rolling; instead, all we've seen so far is shoulder shrugging.Closing that hole looks like yet another use for duct tape.
>
(BTW: adding/removing RAM, even if unsoldered, no longer disables an Open Firmware password.)Thanks for that update. (Without soliciting it, I wonder what the current brute-force method for removing a maliciously set password is?)
Edit:
Recovering a lost firmware passwordIn the past, when the issue has come up here, I and others have advised the poster to take the Mac in question to an Apple Store, but this thread has got me wondering, because I note that the doc does not mention anything about a requirement that you document your right to the service.