What Does the T2 Chip Mean for Mac Usage?

What you are doing is NOT using a clone to boot a system. You are using a clone of your disk to extract a few files. Not the same thing at all.

Ah, but I did extract the data I needed by booting the system using Superduper backup on my external HD.

I have to argue in strong favor of bootable clone backups. If a Mac dies screaming at a point where downtime is inexcusable (doing work on a workstation on deadline, or pretty much any server), if the fault is the drive you can be back up and running in under 10 minutes if your clone is up-to-date. A little bit longer if your clone is older and you need to restore recent file changes from Time Machine. If the fault is the other hardware, the external drive lets you swap in a different Mac on the same schedule.

Of course, the key thing to understand is that the instant you do this, your clone backup is no longer a backup. So ideally, you have two rotating clone backup drives, and the first thing you do is boot off the newer one and update the older one so there’s always one clone backup.

I’m happy to have Time Machine capturing files I edited 20 minutes ago, and Backblaze if my house burns down—but both mean at least a day of downtime. For $30-50 for software and ~$200 for a drive, very few people wouldn’t benefit from a clone.


Agreed on all counts, Jeff. The main issues I run into with end users are:

  • Acquiring external drives that can successfully boot a Mac from a clone. Harder than it seems. I have never (repeat NEVER) known a user new to the bootable clone game getting a drive that can be used for a bootable clone on their Mac on their first try. I always have to recommend drives that are known to work—and sometimes drive models that worked get revised and…stop working. (Think this is an issue only for old Macs or old drives? You’re wrong.) Dongleland — er, Apple’s decision to go with USB C — makes the situation for USB drives even worse. And sometimes the only way to get USB C drives to work is — yep — to use a USB 2 cable. That’ll help with recovery, but for many people that’s no longer a hot-swappable/get-back-to-work solution.

  • For best results you have to use Thunderbolt drives or (cough) Firewire, not USB. (Yes I still have clients using Firewire Macs.) Thunderbolt drives are pretty pricey per GB (about $250/500GB compared to say $65/2TB for USB drives). Good luck finding Firewire drives. (You can! But you probably want to make your own.)

  • Once all those hurdles are cleared (usually takes quite a lot of time), then the user has to be disciplined about making bootable clones. Disciplined forever.

Now, some people do handle this with aplomb, and Jeff’s points are all valid. But the pain threshold is high, especially for non-technical folks, home users, students, etc.

Firewire is spectacularly good and reliable technology and, unlike when it was introduced, very affordable. What’s with this silly geek snobbery about ThunderBolt?

The best machines Apple has ever made are the Silver Towers 4,1 and 5,1. The 1,1 through 3,1 are still not too shabby for very old machines. They fall down on high-end gaming or video work but can still do almost anything else.

Apple is an anti-environment, controlling company that looks out only for the shareholders (Steve Jobs ran Apple for himself and for Apple users). All this lockdown stuff is very scary. Remember how Microsoft would not let you move your license/OS/startup drive from one computer to another for decades?

It looks like I will be an ex-Apple user within four or five years. I’m hanging on by my fingernails now, despite at least ten thousand dollars invested in third party software (for myself, another ten thousand or more for my business). The Apple brand was supposed to be about freedom and creativity, not locking users in a cubicle with bars, even if it is rainbow-coloured.

I just ran into my first set of issues with the T2 chip and, after a trip to the local Apple Store, came away a bit dismayed at their lack of support for my problem making Bootable Backups. As I read through these comments, I took note of one critical issue which wasn’t discussed. It has to do with the fact that, until the T2 chip came on the scene, because the Mac can be booted from an external drive, it is the only computer on the market that gives users a shot at dealing with Ransomware, which has attacked six students’ computers at McGill University, here in Montreal, Quebec, Canada. The Macs that had Bootable Backups simply booted up on their external drives, erased the internal and CCC’d the cleaned-up drive back to life.

Any thoughts?

I perfectly understand where you’re coming from.

I have always considered the fact that any Mac can easily be booted from an external clone a key troubleshooting advantage of the platform. I don’t know how many times that has saved my bacon, not to mention how easy it makes testing a new OS version or an update. You can always roll back fairly quickly. It’s bad enough that Apple screwed around so much in Disk Utility (related [solely?] to APFS) that it’s now at a point where making a simple clone of your internal drive has become such a hassle that, instead of using the free built-in tool, most people (especially those less experienced) will be better off using a commercial third-party tool like SuperDuper.

Once I get a T2 Mac for myself I will certainly change the default setting so I retain the capability to boot from external drives. The added recovery security easily outweighs the added risk in my case.

“… I will certainly change the default setting so I retain the capability to boot from external drives.”

Sorry, Simon, but as far as I can find out, no matter what you do, there is no way you can get a T2 chipped Mac to boot from an external drive. And, since most people just plug in TM and leave it running – thinking that they are covered – they will possibly find out that they are just as vulnerable to Ransomware since it locks up the attached TM drive, too. Couldn’t we just have a separate password for our external drives?

While Apple seems to think that they are boxing in one solution, they are actually opening up other problems by not thoroughly field testing. For example, DiskWarrior hasn’t been able to get a functioning disk map from Apple since macOS 10.12.6. They seemingly have decided on mandating annual upgrades, whether they are justified or not.

Yes, there is. Boot from the Mac’s Recovery partition, run Startup Security Utility, choose “Allow booting from external media.” Ransomware shouldn’t be able to prevent booting any partition on the Mac, so “Allow booting” doesn’t have to be enabled before an attack. It’s also not in their interests; they need victims to be able to read their ransom note.

To recover from ransomware, following the 3-2-1 backup rule is more helpful than merely having a bootable external drive. The “1” doesn’t even have to be offsite; having a copy of your data that’s not mounted when the ransomware strikes is what’s critical.

I like the option to use an external boot drive; I don’t think everyone has to have one.


Excellent point, Curtis. The setting can be left off until you actually need to boot from an external. Best of both worlds. :)

Have you guys actually done this process? I have and it didn’t work. Took it down to my local Genius Bar and neither of the two “Apple Geniuses” that worked on it could get it to boot the external drive … and it wasn’t one of those flaky WD drives, either. The best that they could do was send in a report to Apple Engineering.

In fact, here is a copy of the report:

Genius Bar Work Authorization

Repair No: RXXXXXXXX

Customer Information

Terry Sneller
Canada

Product Information

Warranty Status: In Warranty (W)
Model: MacBook Air (Retina, 13-inch, 2019)
Date of Purchase: 10-Jul-2019
Serial No: XXXXXXXXXXX

Problem Description/Diagnosis

Issue: Customer came to Genius Bar with a new MacBook Air and two external hard drives. Customer had used Carbon Copy to copy the internal hard drive of an older Mac to an external hard drive and then to a second external hard drive. Customer wanted to use the external hard drives as a bootable backup for his clients’ computers if they were infected with ransomware. Attempted to boot to external drives using his new MacBook Air, which has a T2 chip. We removed secure boot and allowed booting from external sources. After the setting was changed, the copied drives appeared in Startup Manager, but booted to a prohibitory sign. Tested external drive with our floater MacBook Air, not a T2 system, and it booted normally.

Proposed Resolution: Was unable to find any Apple articles referencing creating an external bootable Mojave disk or how to make it work with a T2 system, only an external installer. Recommended to customer to have his customers use Time Machine as it is supported for all systems to back up user data. Customer pushed back as his customers leave their external hard drives connected and it would back up ransomware as well if it happened. Advised customer to advise his customers that it may be better to connect hard drives only when they intend to create a backup to avoid that possibility. Also advised customer to contact Carbon Copy to see if they have any options as their software is what created the bootable disks that were not working for the customer.
Proposed Resolution: Application used by customer to create clones has a support article referencing prohibitory sign on startup.

Thank you, Terry Sneller, for your contribution.

I am especially, um, intrigued by the advice to disconnect Time Machine disks from the computer, apparently negating what I thought was supposed to be a primary advantage of Time Machine. I was also gratified by this recommendation, as it is something I have been doing with one of my Time Machine disks for many months, all the while wondering if I was crazy.

And, unless I’m misreading it, that “Proposed Resolution” is a complete abdication of responsibility for creating a problem, and not a resolution in any sense.

I have no definitive information on how Ransomware works, other than it suddenly encrypts all the data on your computer and you have to use Bitcoin to buy a key and hopefully “unencrypt” your computer. I don’t know if Ransomware is activated as soon as it is installed, or if it is time activated. Regardless, what I’ve been advocating – on the assumption that it activates upon installation – is to keep TM inactive and the external drive “unplugged” until you want to make a backup. At that time, simply turn off access to Wi-Fi while doing the backup and then, when the backup is complete, unplug the external drive and turn Wi-Fi back on.

Any thoughts from you Wizards out there?

There have only been a couple of actual Mac ransomware attacks and they were short-lived, so there isn’t much data available to pass on. A rash of fake attacks have been showing up that claim to be on hold, to be implemented if payment is not made, but none of those have turned out to be true.

It’s my understanding that the encryption starts immediately after the malware is installed and triggered, but takes an extended amount of time to complete its task, which may only include selected types of files.

In a number of cases with PC ransomware, it’s been possible for experts to figure out and publish the key to users so they don’t need to pay.

If by “this process” you mean booted a T2 Mac from an external drive, yes I have; it was an iMac Pro last fall. It was not a drive created from cloning the internal drive; I definitely booted from a flash drive made using macOS’s createinstallmedia command, but I might have also booted it from another drive running a full macOS that had been previously installed directly, not created by cloning.

I haven’t looked for the actual information, but the last comment from Apple Support makes it sound like a known issue with Carbon Copy Cloner.


I’m not aware of Time Machine backups having any protection against ransomware or other malware that could alter or delete their contents; unmounting the drive is all you can do. It’s probably not that hard for Apple to keep users from changing files in Time Machine backups, but users need to be able to selectively delete backup contents and to be able to format drives. Ransomware could achieve its goal of having the keys to the sole copy of one’s data by encrypting the user files on the internal drive and reformatting any attached external drives.

Rather than only leaving a Time Machine volume connected long enough to complete a backup, the safer option would be to have two Time Machine drives that are regularly swapped so only one is exposed to the risk at a time.

Thanks, Curtis, for the tip on the createinstallmedia command! I already have several uses in mind for a bit of future Terminal action.

I’m going to quiz the CCC folks about this whole issue.

I also assume ransomware runs as soon as it can. The longer it lies in wait, the greater the chance of being discovered. Waiting, or silently working over a long period of time, is more the realm of state-on-state attacks (e.g. Stuxnet) or other targeted attacks, where there’s knowledge of the specific victim’s systems and/or the goal is to cause harm rather than make money. This is “Mr. Robot” Season 1 stuff.

Turning off the Wi-Fi for the duration of the backup seems a little extreme but is simpler to follow than “avoid doing risky things while you’re running a backup.” Ransomware is almost always going to be initiated by tricking someone into downloading and opening a file; reading email is fine (don’t open attachments or click links), directly visiting major sites is fine, maybe avoid media sites that are heavy with ads.

I think regularly rotating two backup drives is easier to do and doesn’t require changing other behavior.

I think there have been a few cases of really sloppy ransomware but it’s also been revealed that a number of businesses that offer decryption to ransomware victims were secretly paying ransom.

Ransomware writers have become more clever to make it difficult to recover on your own. They may try to encrypt backups first before encrypting a server. Or encrypt files in an order to make it less likely that you will notice.
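Curtis’s point above (encryption takes a while and may only touch selected file types, possibly in an order chosen to avoid notice) suggests a defender’s check to run over a backup volume before trusting it. This is an added example, not code from the thread or from Apple or CCC; it assumes a plain directory tree (a constructed sample is built inline) and flags text-like documents whose contents are high-entropy, as files overwritten with ciphertext in place would be.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions whose normal contents are structured text and therefore low-entropy.
# (Compressed formats such as .docx, .jpg or .zip are high-entropy by nature and
# would need a different check, so they are deliberately left out.)
TEXT_LIKE_EXTS = {".txt", ".csv", ".md", ".json", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for encrypted/random bytes, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_suspicious_files(root, threshold=7.0, sample_bytes=65536):
    """Walk root and return the text-like files whose leading bytes look encrypted."""
    flagged = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_LIKE_EXTS:
            with path.open("rb") as fh:
                head = fh.read(sample_bytes)
            # Very small files give unreliable entropy estimates, so skip them.
            if len(head) >= 256 and shannon_entropy(head) >= threshold:
                flagged.append(path)
    return flagged


def build_sample_tree() -> str:
    """Constructed sample 'backup volume': two real documents and one file overwritten in place."""
    root = tempfile.mkdtemp(prefix="backup-sample-")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("Rotate the second Time Machine drive every Friday.\n" * 50)
    (docs / "clients.csv").write_text("name,email\n" + "Ada,ada@example.test\n" * 100)
    # Stands in for a document ransomware encrypted while keeping its name and extension.
    (docs / "invoice.txt").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    for p in find_suspicious_files(build_sample_tree()):
        print("looks encrypted:", p)
```

Running it against a real Time Machine or clone volume before you restore from it is the point; a hit means that copy was mounted while the encryption ran.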

I have seen Apple reference that the T2 makes HEVC encoding on the Mac mini faster, but for no other Mac with a T2 chip is this claim made. Does anyone have any confirmation from Apple or real-world experience that HEVC hardware encoding has been turned on in the iMac Pro?