Blog Archives

security: keeping OS X’s nose out of your data


Over the last few years, Apple have made great strides in protecting users from losing their data, be it from system failure, software crashes, accidental deletion, disk corruption or just the plain negligence of forgetting to save before quitting. We now have Time Machine for automatic backups, application savedStates and Resume for crashes, and Autosave and Versions for negligence. As if all that wasn’t enough, iCloud is probably syncing your browser tabs, photos, and pretty much anything else you want straight up to Apple’s servers and pushing it back down the pipe to your other devices as and when needed. All this is a good thing, right?

Well, probably. For most people, most of the time. But not always. The security implications of having your OS (and even Apple) copying everything you type, open or edit on your computer can sometimes be disturbing. What if you need to open a confidential pdf in Preview but are required to make sure (either morally or contractually) that all copies of that document are destroyed after viewing? No one wants to be zeroing their hard-drive every week; and what if you need to edit a Pages or Numbers document but don’t want the changes pushed to the cloud? Turning iCloud on and off is no 2-second job and can have implications for your other workflows and data. Making duplicates to save locally risks having copies stored in the hidden .DocumentRevisions-v100 folder.

Use a secure USB
With USB flash drives now coming in at large GB sizes and relatively low cost, one solution is to load and delete sensitive files via a USB. Wiping a flash drive takes considerably less time than wiping a hard disk and keeps your sensitive data nicely partitioned from everything else, but there are problems. First, there’s always the danger of negligence; in the heat of deadlines or other pressures, we might just forget to wipe that disk; second, there’s the danger of loss or theft; and third, there’s always the possibility of deep recovery by people with the appropriate tools and know-how. Some of those issues can be mitigated by encrypting the drive using Disk Utility.

Set up a RAM disk on OS X
Using an encrypted USB can be a great idea, but it both takes time to create and is not always unobtrusive. If another party should get physical access to your USB, the fact that it’s encrypted also tells interested parties that you might have secrets to hide. A faster and less conspicuous solution could be to use a RAM disk, a portion of your RAM memory that is partitioned and formatted just like any other disk. RAM disks were once common on Macs when peripherals were considerably slower at loading data, but with the speed of modern drives few people bother with them anymore. However, a RAM disk has another advantage apart from being the fastest way to read and write data: its entirely non-persistent. There’s no way of recovering something that was once in RAM once that memory has been flushed.

A 0.5GB RAM disk

A 0.5GB RAM disk

Making, using and deleting a RAM disk is incredibly simple. Here I’ve created one that’s a half a gigabyte. To create it, you just need a one liner in Terminal. Triple-click the following line and copy and paste it directly into a Terminal window:

diskutil erasevolume HFS+ "ramdisk" `hdiutil attach -nomount ram://1165430`

After you hit ‘return’, you’ll see a new disk icon on your desktop and in the Finder sidebar. You can now use the RAM disk just like any other disk. Use it as the location to download, open or create sensitive files that you know you are going to destroy after use. You can, of course, even create copies of applications and run them from your RAM disk, too.

The RAM disk, while it exists, will behave just like any other disk, so it will have its own .Trashes directory, and its own Versions and Spotlight indexes just as all other disks do. That means you get all the comforts of OSX’s failsafes while the disk is mounted, but as soon as you eject or unmount the disk, all the Versions and Autosaves and Trashes disappear completely and unrecoverably. RAM disks are ideal for reading or editing short pieces of information (such as messages or passwords) that you want to quickly review or store before discarding without a trace.

You can eject the disk either in the usual way from within Finder or the Desktop, or you can use another Terminal line:

hdiutil detach /dev/disk1

And if you want to flush the contents of your entire RAM buffer for good measure, you can also do:

sudo purge

followed by an admin password (if you’re using any version of OS X before 10.9, you can just type ‘purge’ at the command line. No need for sudo or a password).

A word of caution, however. The strength of a RAM disk from a security point of view is simultaneously a danger from almost every other: — the volatility of RAM means you could easily lose everything in your RAM disk if any of the following occur: you eject the disk accidentally, the computer crashes, the power fails or battery runs flat, you log out or restart the computer. Keep these points in mind and only use your RAM disk for short sessions. Never store anything solely on a RAM disk if preserving the data is of importance to you.

Featured picture: OCD — security by kenns

taming Versions…sort of

If you’re working with large files in Keynote, Pages, Numbers or other Versions-supported programs, and making multiple changes at regular intervals, Versions could just be eating up your hard disk and causing a big-slow down in your work.

If you want to reclaim all that space and speed things back up, go delete the .documentrevisions-V100 folder in the root directory of your hard disk, the place where Lion stores all your document versions. Be aware that this means you will lose ALL Version history for ALL your Version-supported applications. If you are comfortable with that, read on…

You need to do four things: enable the root user, show hidden files, change the permissions on the folder and finally check the folder’s contents and delete it. Here’s how:

1. Show hidden files
In Terminal (Applications > Utilities) type

defaults write AppleShowAllFiles YES
Press ‘Return’, then type
killall Finder

2. Enable root user
Go to  > System Preferences…Users & Groups
Click ‘Login Options’
Click ‘Network Account Server: Join’
In the resulting dialogue box, ignore the text input and click the button below, ‘Open Directory Utility’
Click the padlock at the bottom of the next box and enter your admin password.
At the top menu bar of Directory Utility, choose the ‘Edit’ menu > Enable Root User
If you are requested to set a password for it, set the same one as your Admin password (this ensures you won’t forget it).
Log out through  > Log out (username), then log back in with user ‘root’ and the password you just enabled.

3. Change Permissions
Now go look in the root directory of your hard disk.
You should see a greyed out folder called ‘DocumentRevisions-V100’. If it has a ‘no entry’ icon on it, click the folder and press ‘Cmd-i’ on the keyboard (or right click the folder and choose ‘Get info’).
Scroll down to the bottom of the box, click the padlock, and enter your root password if necessary. Change all the permissions to ‘read & write’, and click on the ‘gear wheel/cog’ and choose ‘Apply to enclosed items’ if it appears.
Choose ‘OK’ in the warning dialogue box.

4. Deleting Versions history
Now you are ready to go and look inside the Versions directory. I recommend you have a nosey about and check the file sizes both of the folder itself and of the individual contents. Now, here’s a warning: you can’t just delete some of the contents in the folder. If you do, in about 24hrs Lion will see that the folder is corrupt and mark the whole thing as ‘bad’ and make a new Versions (.DocumentRevisions-V100) folder. What this means is that you will lose access to Versions in the UI, but you won’t get your disk space back as it won’t delete the ‘bad’ folder.

The only option is to either lock the thing back up and leave it alone, OR delete the entire .DocumentRevisions-V100 folder with all its contents.

Restart your computer logging in as your usual user.

Lion will make a new, empty DocumentRevisions-V100 folder to replace the one you deleted and start filling it up with versions you make from then on. You’ll have reclaimed your disk space (and removed all your previous versions), but you’ll need to keep doing the same process at regular intervals.

a. No, this does not affect your original saves or any duplicates. Only the versions.

b. Messing about as a root user can have serious consequences if you mess with other stuff. Do as the instructions say and nothing else unless you know what you’re doing. After you’ve deleted the Versions folder and emptied the Trash, go back to Directory Utility > Edit and disable the root user.

c. To stop seeing the hidden files, type the same command as given in 1. above into Terminal, but change ‘YES’ to ‘NO’. Don’t forget to do the ‘killall’ command afterwards.

d. If you have trouble saving documents without re-booting after deleting .DocumentRevisions-V100, try this script from Apple Discussions user Yvan. This will recreate a clean (i.e., empty) Versions folder every time you reboot, saving you the hassle of regularly cleaning out the .DocumentRevision-V100 folder (as well as preventing any ‘Save’ issues.)

how to stop Versions in its tracks

This post has been superceded by this one

%d bloggers like this: