by kogepathic 3680 days ago
Just so you're aware, the firmware password on a Mac can easily be bypassed by anyone with an SPI writer. [1] Using a Teensy and a chip clip, someone can clear the password or bypass the password check completely.

So, it will keep the honest out, but for someone who knows what they're doing, it will only prove a mild inconvenience.

This obviously doesn't help them bypass FDE, but in case they want to steal the laptop and not have a brick, the SPI writer works a treat.

[1] https://trmm.net/SPI_flash

2 comments

FDE is not supposed to be an anti-stealing mechanism anyway.

Besides, any potential thief won't even know whether you're running FDE or not on the laptop they steal, or whether it would be bricked or not. They can always sell it for its parts (screen, etc.) anyway.

It actually is a mechanism to reduce impact of theft. Someone with access to your computing hardware might modify it to subvert the system, read keystrokes, decrypt drive, leak it, and so on. This can be as simple as Customs installing something as you leave the country during an "inspection" then reading keys right off when you come back. Not saying it happens so much as a concern we had during a brainstorm. Or someone plugging in an attack tool into your Firewire port while you take a piss at Starbucks. Or you plug in USB drive they dropped with a radio and attack kit in its connector.

Whereas, if someone straight-up steals it, they have no chance of recovering data if the encryption is strong and key isn't in memory (e.g. cold boot). You can also transmit media through untrusted channels that way. Even NSA's Inline Media Encryptor, which inspired my designs, has that use case.

>It actually is a mechanism to reduce impact of theft.

Sure, but that's different from anti-stealing (and I mean stealing the machine of course, not the data).

I did not know that, but at least they can't get my data. The machine is costly, but my work is much more so!