To expand on what IPalindromeI said, there are a... uh...
growing number of reasons why running old versions of Mac OS X on the Internet is a bad idea.
Security is a complicated issue, so get your tea or coffee and settle in. Hopefully this reads as informative and helpful and not as a "rant."
Firstly, you're correct, no amount of security is actually total security. That having been said, your network design professor would have been remiss if they ended the statement there and didn't talk about what levels of risk are acceptable, etc. Just because security is
hard doesn't mean we should give up.
You live in the United States, and you haven't specifically mentioned a predilection for your telco, so I'm just going to presume that you have cable Internet, generously, let's call it 30 by 5 megabits.
What that means is that somebody who compromises one of your boxes has five megabits worth of ability to send out malformed packets to bigger systems online in order to do things like reflection attacks, or only needs to use a little bit of your incoming throughput to send out five megabits worth of NTP/DNS responses, or can send out five megabits of spam or phishing e-mail from your IP, which does work on most ISPs in the United States. (Even though I'd argue that that should be blocked along with incoming 25, for residential connections that don't order a static and specifically opt to open 25.)
Five megabits per second is a whole lot of spam messages.
And, today it's not about getting your data or just causing damage for the sake of damage. It's about either getting you to pay up (cryptolocker, and other ransomware) or using your resources to make money (there's malware that mines bitcoin for Windows, for example, plus malware like pushdo/cutwail, and on a Mac OS X system, the attackers are just looking at a regular BSD system, which already has a mail transfer agent built in.
So, firehose of spam aside, here are some things to consider!
- With IPv6, which has been enabled by default since 10.4, your Mac has a direct, public IP address. Statistically, you have Comcast, and they are either finished or almost finished with their IPv6 depoyment, so unless you're intentionally running a router way slower than your Internet line can handle, such as a WRT54 series device, then you have IPv6.
- Mac OS X has never shipped with the firewall on by default, for IPv4 or IPv6. This persists today, at least for upgraded installations of 10.10. (I upgraded it from 10.6.8.)
- Heartbleed didn't affect Mac OS X, because Apple is slow going on certain aspects of the system, but it was a vulnerability that was discovered that affected computers on which OpenSSL was installed in some pretty surprising ways.
- Shellshock does affect Mac OS X! In fact, it should affect everything from 10.3 and forward, because this error has been in bash for over a decade. When it rains it pours and when shellshock itself was discovered, like five or six other critical vulnerabilities were found in bash. I'm pretty sure there are still people patching the code. Fortunately, Mac OS X is a little bit better off than linux, and from what I've heard using DHCP for remote code execution on a Mac won't work.
- There might be other vulnerabilities similar to Heartbleed in Shellshock, and some of Apple's design decisions for Mac OS X may even prove to work against the overall security of the system at some point. The terrifying thing about shellshock is that bash was released in 1989 -- it is 25 years old -- and it has had this vulnerability since the beginning. This vulnerability was discovered, literally, on it's 25th birthday, so just because something is old doesn't mean it has been thoroughly tested and audited yet, or that anybody actually knows what's going on in a single component of an operating system, let alone an entire operating system built on components like this.
There
is a patch for Mac OS X to fix Shellshock, in the aforelinked (and related) thread, but this is a great time to mention that the points I brought up in
Older Mac OS X Security Discussion came true shockingly quickly. This thread which was started in August essentially prophesied shellshock just about a month ago.
The biggest reason a few of us make sure to drop at least a subtle reminder to think about security in most threads like this discussing the use of PowerPC computers as daily workstations is because most people who are looking at Macs just aren't thinking about finding non-Apple patches to an "internal" part of the operating system that they're not likely to look at. In fact, many Mac users (most of them?) aren't even aware that those components are there or what those components can do. I would say that we have a proportionally low amount of that population on this site, but that they are there.
Ultimately, none of us can stop you from running older software on your LAN or even
directly on the Internet, unfirewalled, with its own unique public IP address, but we can at least attempt to make you aware of the potential problems. For example, most people don't seem to be aware of the fact that Mac OS X shipped with IPv6 and with it enabled, and what the whole point of IPv6 is.
The question that has been brought up is whether or not it's worth it for there to be a page on
the 68kMLA Wiki (as an example of where it could be) with a guide on how to harden older versions of Mac OS X after the fact. Not just discussing the possibilities, but actually patching problems as they come out. Some people (such as Cameron Kaiser, who ports Firefox as TenFourFox and who released the aforelinked shellshock patch) are sort of involved with the process, but they only seem to get vocal when a really big security bug is found, and nobody seems to be interested in, say, updating CUPS, etc.
The guide would have to both be a practical information guide on how Mac OS X is configured when it ships and how you can change the configuration, and it would need to have mirrored copies of Apple's updates available (or at least
links to Apple's combo updaters), and it would need to have information on security events after the release of that version of Mac OS X, and whoever maintains it (johnklos might be a good candidate) would also need to be somebody who keeps up with the CVEs (because I only run operating systems that are getting updates from a community or vendor, I don't specifically follow CVEs) and other security issues, and ideally somebody who can actually produce the patches for the page.
Also, let's be honest, this is a Mac site and not all Mac users actually have the self awareness to do things like not click on unknown links, not run unknown binaries, and not joining unknown wireless networks. (remember: it's not all about the network perimeter, the network perimeter of your LAN means
nothing when you're on your iBook or PowerBook and you take it to a cafe or a restaurant and you join an unknown network and as part of the association process, you have to talk to an unknown DHCP server.)
Somewhat ironically, those people running Linux on their PowerPC Mac hardware are actually hit a lot harder by the shellshock bash vulnerabilities, due to things like the unknown DHCP servers and the fact that on linux, you can run any command you want, as root, through the DHCP client on the system. That goes to show more about the value of patching frequently than to be a specific indictment of Linux or a specific praise of Mac OS X for some of its different design decisions. (That can be another thread if somebody wants.)
The reason I call out patching linux is that some people like to go "Well, I'm running Ubuntu 8.04, clearly I'm more secure than Mac OS X 10.4" but that's only true to a certain extent, and at some point, an unpatched operating system is an unpatched operating system and something will affect it.
"What about Classic Mac OS?", you may ask. That's a good question!
The participants in this thread may already know this information, but this is on a public part of the web site and our web site gets googled and used as a resource by a lot of people.
Mac OS X is based on UNIX, and the only difference between desktop Mac OS X (which "doesn't have a mail server") and server Mac OS X is the management interface. What this means is that Mac OS X "client" does have all of the server components from Mac OS X Server. There's a DHCP server built in, a mail transfer agent, an FTP server, any number of text-based mail clients, the web server, the SSH server, printer sharing server, file server, SQL/database server, and so on down the line. Most of these things are turned off, but some enthusiasts turn things on, and a vulnerability like shellshock actually introduces the possibility to enable services remotely simply by way of routine requests the computer makes, or by tacking things on, say, to requests that mediawiki makes.
Also, connecting to a Mac OS X machine and sending mail from the command line on it is the same as connecting to an IRIX, Tru64, Solaris, HP-UX, AIX, Linux, Net/Free/OpenBSD machine and sending mail from the command line, which means that for somebody who remotely compromises such a machine, there's essentially no learning curve to start using it.
Mac OS 9 is its own thing, and has essentially no underpinnings whatsoever. Everything in Mac OS 9 is provided by extensions, and without the right extensions for it, it doesn't have AppleTalk
or TCP/IP built in. That's OpenTransport's job. As such, unless you installed ASIP onto your box, you can be reasonably sure that you don't have the code for a DHCP/DNS server or a mail transfer agent running around.
In addition to that, Mac OS 9 doesn't really have a unified way to remotely issue commands to the system. There's remote AppleScript, which needs to be enabled, and which you can kill by tossing the extensions into the trash. There's no system shell, however, and when one gets added (mpw for example) it's not universal to all UNIX systems, and you don't have people going "It's UNIX, I know this!"
Windows 9x and Windows NT have a similar relationship to each other as Mac OS 9 and Mac OS X. Windows 9x integrated a few more things into the operating system itself than Mac OS 9x did, or at least made them slightly more difficult to extract, but most of the same stuff applies, with the exception that some of the server code Microsoft doesn't include in Windows, namely a mail transfer agent that I know of, but that's because Microsoft wants you to buy a copy of Exchange.
Oh, that and Windows 9x does have a shell, but it's not super commonly remotely accessible, at least based on what's built into the system.
So, I hope that's helpful. Keep in mind, I mention PowerPC a lot, but these issues all affect Mac OS X 10.6 and very soon 10.7 as well. Owning a modern Mac is, for better or worse, an exercise in keeping up with a technology treadmill. Fortunately, that treadmill is becoming easier to keep up with as Mac OS X hasn't increased system requirements since 10.8, and
10.10 runs better on the oldest hardware that supports it than 10.6 did.
(I think the only extension I had installed was Adblock Plus.)
