Blog: February 2024

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

Breaking into a Mac?

Dear brain trust,

My father had a laptop, an old MacBook. My mother would like to know what's on it. It's password-protected. I've been unable to guess the password, even knowing some of his other passwords and some patterns he used.

I have the passwords to his two desktop computers (iMacs), but also can't get in via network share (access denied). I have his cell phone, which should let me get into his iCloud account (that's the second factor). I have the impression that none of that will help.

Is there any way I can override the laptop's password and get in anyway? Or connect an external drive and make a copy somehow? I'm willing to take the laptop and a copy of the death certificate to an Apple store, except that I don't know if it's technically possible to get in (without damaging the contents, which is the whole point of the operation). I mean, we'd all like security to actually be secure, so this shouldn't be easy, but is there something between "easy" and "impossible" that I can try?

The laptop is at my mom's house, so I can't test things immediately, but I'm looking for any clues that could help on my next visit.

Bo (the last plague)

I gave a d'var torah a couple weeks ago on shortish notice and forgot to post it then. This is for Bo, the parsha that contains the last three plagues and the actual exodus from Egypt.

--

The pattern is familiar: Moshe goes to Paro to demand freedom, Paro refuses, Moshe announces the next plague, and God carries it out. Paro says he's sorry and asks for relief, God lifts the plague, and then Paro hardens his heart and we start all over again. There's no change; the oppression never seems to end.

Rabbi Mordechai Kamenetzky points out that for most of the plagues these negotiations are strained but civil. Moshe and Paro are on opposite sides of an argument, but nobody is throwing tantrums as far as we can tell. But their last meeting is different: after telling Paro what is to come, the torah tells us that Moshe went out from Paro in hot anger.

Was he angry about Paro's stubborn refusal to let the people go? That doesn't seem likely; they've had that well-worn exchange many times before. No, what is different this time is the cost of Paro's recalcitrance.

The first nine plagues caused extensive damage to Mitzrayim, to the point where even Paro's advisors are urging him to give up because Egypt is surely lost. The first nine plagues destroyed crops and livestock, caused injury and sickness, and massively inconvenienced people -- but they weren't fatal to anyone who heeded the warnings to come in out of the hailstorm.

The last plague is different: there is an unavoidable human cost. The last plague targets based on who you are, not on what wrongs you did, and it kills. It's not individual punishment; it's a tax on those living in Egypt. Surely not all of the dead deserved it, even in a society with many evildoers and oppressors.

God does not want the death of sinners, our prophets tell us, but that they should repent. God wouldn't be sending this last plague if there were an alternative. Moshe sees this, Rabbi Kamenetzky points out, and it fills him with anger at the Paro who causes widespread death. This could have been avoided. These deaths are Paro's fault.

But wait, one might say -- it is God who sends this plague, and thus God could avert this widespread loss of human life. It's God's fault, not Paro's, right?

My father, of blessed memory, taught me many things. One of them is that we solve problems with words, not with fists. Another of them is that giving bullies what they demand does not end the bullying. There was a kid in my grade who, starting in kindergarten, was physically abusive to me, and in the many parental conferences that followed, his parents told my parents that boys will be boys and if I didn't react he would probably stop. My father said that was unacceptable. This went on for years, until I was given permission to respond. The bullying ended the day I decked that kid with my large-print dictionary. We don't solve problems with violence, except that sometimes we have to.

I hit the kid; did that make it my fault he got hurt? Absolutely not, according to me, my parents, and the school principal. Lesser interventions had failed. Now my attack didn't do permanent damage, didn't even break his nose -- nothing like the last plague in that regard. But the principle is the same: the oppressor is culpable for the consequences of his behavior. The blood of the victims of collateral damage is on the hands of the evildoers who refuse to resolve conflicts peacefully.

Rabbi Elie Kaunfer from Hadar points out a surprising passage near the end of the parsha, after the final plague, when Paro asks Moshe and Aharon to pray for him. Say what now? The Paro who has done so much damage asks his victims to pray for his welfare? Why would they do that?

Rabbi Kaunfer points out a rabbinic tradition that Paro did not die at the Sea of Reeds with his army. Through the midrashic principle of the conservation of biblical personalities (that's not Rabbi Kaunfer's label), Paro went on to become the king of Nineveh. When Yonah comes to Nineveh to announce their impending destruction, it is the king who asks for forgiveness and leads his nation in teshuva to avert the decree.

Perhaps Moshe and Aharon did pray for Paro like he asked. More specifically, perhaps they prayed that he repent and do teshuva, like we pray our enemies will do in the daily Amidah. That's a prayer I can get behind -- that oppressors big and small soften their hearts, stop doing harm, and turn toward the right path. Ken y'hi ratzono.

Swiss-cheese security

Cory Doctorow's How I got scammed was a fascinating read. Phishing has gotten more sophisticated, but also, even people whose security practices are way above the norm can get hit when the stars (mis)align just so.

There's a name for this in security circles: "Swiss-cheese security." Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!

The fraudster who tricked me out of my credit card number had Swiss cheese security on his side. Yes, he spoofed my bank's caller ID, but that wouldn't have been enough to fool me if I hadn't been on vacation, having just used a pair of dodgy ATMs, in a hurry and distracted. If the 737 Max disaster hadn't happened that day and I'd had more time at the gate, I'd have called my bank back. If my bank didn't use a slightly crappy outsource/out-of-hours fraud center that I'd already had sub-par experiences with. If, if, if. [...]

The following Tuesday, I called my bank and spoke to their head of risk-management. I went through everything I'd figured out about the fraudsters, and she told me that credit unions across America were being hit by this scam, by fraudsters who somehow knew CU customers' phone numbers and names, and which CU they banked at. This was key: my phone number is a reasonably well-kept secret. You can get it by spending money with Equifax or another nonconsensual doxing giant, but you can't just google it or get it at any of the free services. The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.

Years ago, I got a call on a weekend from someone claiming to be from my credit card and was just plausible enough for me to not hang up. (Also a claimed fraud alert.) But I got suspicious when the caller started asking me for private information and then claimed it was necessary to authenticate me (at my own phone number). So I said "I also need to authenticate you; what's my mother's maiden name?" Oh no, the caller said, we can't give you that information... but with all the data breaches we've seen, that technique is no longer safe. The phisher might have my mother's maiden name [1]. Doctorow's phisher had his unpublished phone number. Secrets aren't.

[1] Helpful tip: don't use the actual answers for security questions that people might be able to research or guess. As far as your bank is concerned, your mother's maiden name can be QjFVa6ufeqr_7.