Somewhat off topic - keeping older Macs running

Uli Wienands wienands at gmail.com
Wed Apr 27 00:18:40 UTC 2022


As someone who is running mostly older hardware/software I have to chime 
in here.

You do want to run behind a firewall, no question. I only have 
experience with AT&T, but their routers have a firewall built-in and it 
can often be tailored to your needs. For many years I ran with all ports 
closed and no reaction to incoming pings. I also have the Mac's firewall 
active (not sure how much that actually helps). This does not interfere 
with web surfing, email, ssh and all the other good stuff as long as you 
initiate it from your Mac.

MacPorts has a number of updated clients for stuff you want (shells, ssl 
and what-not) so you can at least plug the most egregious holes.

The big risk IMO is social engineering, i.e. falling for a phishing 
attack or clicking on a bad link or things like that. I use things like 
uMatrix and its black lists, and if a link gets caught by it I will not 
go there, period. My wife and I have discussed the do's and don'ts of 
email and web surfing (my being her IT support), and as a result she has 
on several occasions asked me about some things she observed (pop-ups or 
emails) before acting on them.

If you need to get into your Mac from the outside there are other things 
to consider, but most people don't need that.

There is no guarantee that nothing bad will ever happen to us; but then, 
each time we get into the car we are putting ourselves at risk, 
statistically speaking. One needs to be alert & watch what one is doing.

My $0.02,

Uli

On 4/26/22 7:02 PM, bunk3m wrote:
> Thank you everyone for your help.
>
> The older mac is sitting behind a firewall, intrusion detection and 
> protection gateway but I hear everyone about keeping it off the web. 
> That won't work well with my wife. LOL
>
> But I also understand that this is way above my capabilities so all 
> comments and recommendations are much appreciated!
>
> I was hoping there may be something like backports for security 
> vulnerabilities for Macs, or a way to install current MacPorts 
> security apps (like SSL etc.) and write over the macOS version. 
> Granted that may make everything unstable. :-)
>
> So it looks like the choices are: (1) keep the old Mac behind the 
> firewall and don't surf the web, (2) save the hardware from the 
> landfill by using a current version of Linux, or (3) buy a new Mac.
>
> It is a shame.  We pay more for Macs in part to get solidly built 
> hardware.  The hardware easily outlasts the software that can run on 
> it.  As I get older, I see all the good and functional hardware that 
> we just toss in the bin.  Not very environmentally friendly.  It pains 
> me.
>
> Thanks for all the help on this off-topic question.  You folks are great!
>
> B.
>
> On 26.04.2022 08:00, macports-users-request at lists.macports.org wrote:
>> Message: 2
>> Date: Mon, 25 Apr 2022 11:32:19 -0400
>> From: Bill Cole <macportsusers-20171215 at billmail.scconsult.com>
>> To: macports-users at lists.macports.org
>> Subject: Re: Somewhat off topic - keeping older Macs running
>> Message-ID: <2BEE2C62-FBB7-48C4-AF9C-28C04723A8F4 at billmail.scconsult.com>
>> Content-Type: text/plain; format=flowed
>>
>> On 2022-04-25 at 03:06:25 UTC-0400 (Mon, 25 Apr 2022 15:06:25 +0800) 
>> James <jam at tigger.ws> is rumored to have said:
>>>> On 25 Apr 2022, at 1:44 pm, Dave Horsfall <dave at horsfall.org> wrote:
>>>>
>>>> On Mon, 25 Apr 2022, James wrote:
>>>>
>>>>> I too have old Macs that can't be updated. I just keep a Time Machine
>>>>> backup and if ever I get hacked a quick restore will fix. For 10
>>>>> years I've had no issues !!
>>>> Your "old macs" are not protected by a firewall?  One day...
>>>>
>>>> As for backups, consider malware that will not trigger until well and
>>>> truly embedded into your backups; not much use then, are they?
>>> Dave methinks there is lots of hysteria in the arena
>> Yes, but there is also a lot of nasty reality.
>>
>>> I have no firewall on my modem and no firewall on any of my machines.
>>> Yet the world is full of stories about exploits! Most of those are
>>> Windows exploits!
>> Most but by no means all. A lot of modern attacks are multi-platform as
>> they start as scripts on web pages that run in any browser, or as abuse
>> of embedded execution mechanisms such as VBA in MS apps and embedded
>> JavaScript in PDFs.
>>
>>> Let's consider firewalls:
>>>
>>> By RFC no router on the internet may route a private IP. So *every* 
>>> router between you and bad guys is broken!
>> So, this glosses over a couple of things...
>>
>> 1. Enabling NAT in your router (which may also be a modem) is 
>> a *form* of a firewall. Without NAT, 'private' (RFC1918) IPs do in 
>> fact not route anywhere. With NAT, the world only sees your external 
>> non-private address(es).
>>
>> 2. If by chance there was massive external breakage allowing outsiders
>> to route your private network, if your own router isn't badly broken, it
>> will drop private IPs on the public interface anyway.
>>
>> So this is a pointless statement...
>>
>>> A firewall allows ESTABLISHED,RELATED traffic back, so if you've got a
>>> bad machine then bad guys can get to that machine and from there to
>>> your macs.
>>> If you have a compromised machine then it is a target.
>> Macs can be compromised.
>>
>>> A decade ago one of the anti-virus companies offered $10 000 and a
>>> Sony Vaio to the first person to hack their honeypots. The Windows
>>> honeypot was hacked in under an hour, the Mac in a week (a flaw in
>>> Safari) and the Linux 'pot has never been hacked. They ascribed this
>>> to being unkewl to hack Linux. Nonsense, you'd be a hero for exposing a
>>> flaw (as has happened a couple of times.)
>> Urban legend unless you actually identify a reliable source...
>>
>> I've been administering Internet-connected systems for 30 years,
>> including Linux systems back to v0.99 and Macs back to System 7 with
>> MacSLIP. I guarantee you that there is no such thing as an unhackable
>> OS. I don't believe there has been a year since my first use of Linux
>> where there has not been at least one publicly documented RCE
>> vulnerability in core Linux components such as the kernel, core
>> utilities, and Bash.
>>
>> I have not been unlucky enough to have had a machine on the Internet
>> that I was responsible for get taken over, but I recognize that as a
>> function of luck. I did get hit by a couple of Mac viruses back in the
>> 80's and early 90's, but those all came via disk swapping and dialup
>> BBSs. However, in my consulting and sysadmin work I've had to clean up a
>> LOT of compromised boxes, including Mac, Linux, Solaris, Tru64, and
>> BSDOS machines. And a few Windows machines, although I mostly avoid
>> those.
>>
>>> If you enjoy playing then by all means, if not then enjoy an ice cream,
>>> except if you have Windows machines on your network, forget the
>>> ice cream.
>>>
>>> I guess IPv6 will change the landscape somewhat.
>> Not so much, except that some people will take their non-shortage of
>> address space as an excuse to stop NATing at their borders, which would
>> be unwise.
>>
>>> The subtle comment about ring 0: Linux and Mac work in a way that is
>>> very limited, what disk?, whereas Windows you are not allowed, here is
>>> $100, well OK.
>>>
>>> Query: hearsay not allowed, who has ever had a Mac hacked?
>> Not my own, but I've cleaned up the mess when others have been careless,
>> thinking they were safe because they had a Mac.
>>
>> Especially of note for older Macs in recent years is the "ShellShock"
>> vulnerability in older Bash, which was directly exploitable via Apache
>> HTTPD through (at least) Snow Leopard. I have seen that hit multiple
>> people who were sure that they were safe because they were running old
>> stable systems. On Macs with humans sitting in front of them, the
>> problem is worse because humans do things like "Updating Flash" when
>> told they need to do so, even when they don't have Flash installed and
>> definitely don't need it.
>>
>>
>> -- 
>> Bill Cole bill at scconsult.com or billcole at apache.org 
>> (AKA @grumpybozo and many *@billmail.scconsult.com addresses) 
>> Not Currently Available For Hire
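As an added illustration of the ShellShock-via-Apache case Bill raises above (example code written for this page, not from any participant), here is a small detector that parses Apache combined-format access log lines and flags request headers carrying Bash's exported-function prefix, which is what reaches a CGI script's environment. The log lines are constructed, and the "high"/"medium" severity split is an assumption of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" log format (host, ident, user,
# [time], "request", status, bytes, "referer", "user-agent"). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Apr/2022:00:10:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [27/Apr/2022:00:10:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)"
203.0.113.9 - - [27/Apr/2022:00:11:42 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; echo x" "curl/7.19.7"
"""

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# ShellShock rides on Bash's exported-function syntax: a value that starts with
# "() {" and closes with "};" before trailing text. Apache's CGI handler exports
# request headers as environment variables, which is how such a value reaches an
# unpatched bash. Whitespace inside varies, so the match is deliberately loose.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;')


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if malformed."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """The combined format only records Referer and User-Agent, so check those."""
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ("referer", "agent"))


def severity(entry: Dict[str, str]) -> str:
    """Assumed triage rule: a CGI path that answered 200 likely exported the header
    into a script environment, so rank it above a probe that hit nothing."""
    parts = entry["request"].split(" ")
    path = parts[1] if len(parts) > 1 else entry["request"]
    return "high" if "/cgi-bin/" in path and entry["status"] == "200" else "medium"


def find_shellshock_hits(log_text: str) -> List[Dict[str, str]]:
    """Parse every line and return the entries that carry the ShellShock prefix."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry and is_shellshock_probe(entry):
            entry["severity"] = severity(entry)
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_hits(SAMPLE_LOG):
        print(hit["severity"], hit["host"], hit["request"], hit["time"])
```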

