by d0 4515 days ago
FileVault problems: http://mjtsai.com/blog/2012/08/07/filevault-2s-apple-id-back...

AFAIK they don't log in to fix hardware issues -- they netboot diagnostics software, but on multiple occasions I was informed by people that Apple had "made a backup of their system" before a reinstall. What that entails and what the retention policy is, I do not know, but I suspect unless they're doing a three-pass erase on their temporary storage devices afterwards (which is unlikely) then your data is easy pickings...

My MBP, which is incidentally knackered, is still FileVault encrypted. It will stop a casual thief getting in but not much more.

3 comments

So if I understand what you're saying here, you think that a thief working at the Apple store might have either themselves had access to your Apple ID, or was colluding with someone inside of Apple at Cupertino to get access to your Apple ID, so that they could steal $8500 from you?

Am I missing something about the story here or is that an accurate summary?

So turn off letting your Apple ID unlock your FV volumes. A FV drive that's locked cannot be unlocked just by having local access.

You authorize Apple to make a backup of your drive if you're having work done that may cause data loss.

There is an issue with user switching and firewire/DMA that allows remote access as well as cold boot attacks but these are out of reach of most people.

firewire / thunderbolt DMA access was fixed many years ago: if you enabled a firmware password, those buses have DMA disabled.

Are you saying that if I have a firmware password on my MBA that my internal SSD is inaccessible via Thunderbolt externally (until I've entered my password)?

No, but your TB device wouldn't have read access to physical memory (where keys would be).

No - but it means that a device can't read your FileVault keys out of memory so all they can read is the encrypted volume.

They generally do ask for a login on your system when you give them the machine for service. You don't need to provide it.
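A defender's check for the posture the thread recommends (FileVault on, plus a firmware password so the FireWire/Thunderbolt buses have DMA disabled), added here as an example and not from any of the commenters: it classifies the output of Apple's `fdesetup status` and `firmwarepasswd -check` commands. The sample output strings are constructed, the `posture` labels are my own, and the live call at the end only runs on a Mac as root, where those two commands exist.

```shell
#!/bin/sh
# Classify a Mac's FileVault / firmware-password posture from the text that
# `fdesetup status` and `firmwarepasswd -check` print. The parsing functions
# take the command output as an argument so they can be exercised offline.

# Constructed sample outputs, in the same shape the real commands print.
SAMPLE_FV_ON="FileVault is On."
SAMPLE_FV_OFF="FileVault is Off."
SAMPLE_FW_YES="Password Enabled: Yes"
SAMPLE_FW_NO="Password Enabled: No"

# filevault_enabled OUTPUT -> prints 1 if FileVault is on, 0 otherwise
filevault_enabled() {
  case "$1" in
    *"FileVault is On"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# firmware_password_enabled OUTPUT -> prints 1 if a firmware password is set
firmware_password_enabled() {
  case "$1" in
    *"Password Enabled: Yes"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# posture FV_OUTPUT FW_OUTPUT -> prints one label (names are my own):
#   unencrypted  - FileVault off: the disk contents are readable as-is
#   dma-exposed  - FileVault on but no firmware password: a FireWire/Thunderbolt
#                  device could read the volume key out of RAM while unlocked
#   hardened     - FileVault on and firmware password set
posture() {
  fv=$(filevault_enabled "$1")
  fw=$(firmware_password_enabled "$2")
  if [ "$fv" -eq 0 ]; then
    echo unencrypted
  elif [ "$fw" -eq 0 ]; then
    echo dma-exposed
  else
    echo hardened
  fi
}

# Live check: only on macOS and only as root, since firmwarepasswd needs it.
# Anywhere else this block is skipped and the functions above are all that runs.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  posture "$(fdesetup status 2>/dev/null)" "$(firmwarepasswd -check 2>/dev/null)"
fi
```

The labels only reflect what those two commands report; whether an Apple ID can also unlock the volume (the concern in the linked post) is not visible in `fdesetup status` output, so that setting still has to be checked in System Preferences.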