Somewhat off topic - keeping older Macs running

Bill Cole macportsusers-20171215 at billmail.scconsult.com
Mon Apr 25 15:32:19 UTC 2022 

On 2022-04-25 at 03:06:25 UTC-0400 (Mon, 25 Apr 2022 15:06:25 +0800)
James <jam at tigger.ws>
is rumored to have said:

>> On 25 Apr 2022, at 1:44 pm, Dave Horsfall <dave at horsfall.org> wrote:
>>
>> On Mon, 25 Apr 2022, James wrote:
>>
>>> I too have old macs that cant be updated. I just keep a time machine
>>> backup and if ever I get hacked a quick restore will fix. For 10 
>>> years
>>> I've had no issues !!
>>
>> Your "old macs" are not protected by a firewall?  One day...
>>
>> As for backups, consider malware that will not trigger until well and
>> truly embedded into your backups; not much use then, are they?
>
> Dave methinks there is lots of hysteria in the arena

Yes, but there is also a lot of nasty reality.

> I have no firewall on my modem and no firewall on any of my machines. 
> Yet the world is full of stories about exploits! Most of those are 
> windows exploits!

Most but by no means all. A lot of modern attacks are multi-platform as 
they start as scripts on web pages that run in any browser, or as abuse 
of embeded execution mechanisms such as VBA in MS apps and embedded 
JavaScript in PDFs.

> Lets consider firewalls:
>
> By RFC no router on the internet may route a private IP. So *every* 
> router between you and bad guys is broken!

So, this glosses over a couple of things...

1. Enabling NAT in your router (which may also be a modem) is a *form* 
of a firewall. Without NAT, 'private' (RFC1918) IPs do in fact not route 
anywhere. With NAT, the world only sees your external non-private 
address(es)

2. If by chance there was massive external breakage allowing outsiders 
to route your private network, if your own router isn't badly broken, it 
will drop private IPs on the public interface anyway.

So this is a pointless statement...

> A firewall allows ESTABLISHED,RELATED traffic back, so if you've got a 
> bad machine then bad guys can get to that machine and from there to 
> your macs.
> If you have a compromised machine then it is a target.

Macs can be compromised.

> A decade ago one of the anti-virus companies offered $10 000 and a 
> Sony Viao to first person to hack their honeypots. The windows 
> honeypot was hacked in under an hour, the mac in a week (a flaw in 
> safari) and the linux 'pot has never been hacked. They ascribed this 
> to being unkewl to hack linux. Nonsense you'd be a hero for exposing a 
> flaw (as has happened a couple of times.)

Urban legend unless you actually identify a reliable source...

I've been administering Internet-connected systems for 30 years, 
including Linux systems back to v0.99 and Macs back to System 7 with 
MacSLIP. I guarantee you that there is no such thing as an unhackable 
OS. I don't believe there has been a year since my first use of Linux 
where there has not been at least one publicly documented RCE 
vulnerability in core Linux components such as the kernel, core 
utilities, and Bash.

I have not been unlucky enough to have had a machine on the Internet 
that I was responsible for get taken over, but I recognize that as a 
function of luck. I did get hit by a couple of Mac viruses back in the 
80's and early 90's, but those all came via disk swapping and dialup 
BBSs. However, in my consulting and sysadmin work I've had to clean up a 
LOT of compromised boxes, including Mac, Linux, Solaris, Tru64, and 
BSDOS machines. And a few Windows machines, although I mostly avoid 
those.

> If you enjoy playing then by all means, if not then enjoy an icecream, 
> except if you have windows machines on your network forget the 
> icecream.
>
> I guess IPV6 will change the landscape somewhat.

Not so much, except that some people will take their non-shortage of 
address space as an excuse to stop NATing at their borders, which would 
be unwise.

> The subtle comment about ring 0: linux and mac work in a way that is 
> very limited, what disk?, whereas widows you are not allowed, here is 
> $100, well ok.
>
> Query: heresay not allowed, who has ever had a mac hacked?

Not my own, but I've cleaned up the mess when others have been careless, 
thinking they were safe because they had a Mac.

Especially of note for older Macs in recent years is the "ShellShock" 
vulnerability in older Bash, which was directly exploitable via Apache 
HTTPD through (at least) Snow Leopard. I have seen that hit multiple 
people who were sure that they were safe because they were running old 
stable systems. On Macs with humans sitting in front of them, the 
problem is worse because humans do things like "Updating Flash" when 
told they need to do so, even when they don't have Flash installed and 
definitely don't need it.


-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

More information about the macports-users mailing list