johnklos
Well-known member
It's interesting to think that in some ways the picture of security is clearer because of the greater number of security issues. It seems, then, that each major component in an OS can be said to be insecure in either (1) a way that affects normal operation, or (2) a way that does not.
For instance, shellshock was pretty much irrelevant to Leopard because the default shell then was tcsh. So, people who prefer bash enough to change their default shell heard about shellshock and could do something about it. Didn't know or didn't care? Then it didn't affect your Leopard system.
Likewise, all the reflection issues with NTP are irrelevant unless you're allowing queries to your machine. Are you running your own NTP server? Yes? Then you know and have handled it yourself. No? Then it doesn't affect you. The same applies to DNS, Apache, and so on.
The reason I still support some Leopard systems boils down to things they do well. File services in later versions of OS X are more idiosyncratic and Apple's Server tools these days suck horribly. They make me feel bad for Windows admins because the mystery surrounding their behavior makes me imagine that I'm experiencing what Windows admins go through regularly.
With AFP, people can select "Connect To Server..." from their Go menu in the Finder, and they're sharing files. AFP is encrypted, and there still aren't any CVEs for AFP servers in Leopard (or CVEs for AFP clients which haven't been fixed). But I'm probably the odd one out who still has a legitimate desire to keep something like a Leopard Server not only in use, but actively connected directly to the Internet. Of course I monitor it and would get notified the moment any account gets used for anything outside of the context of AFP, but that makes sense for all servers. In my opinion, it's much better to have a system that's old that one knows and has configured very carefully than to have a fully up-to-date default whatever GNU/Linux distro of the day where security is just taken for granted.
But really, the value I see in PowerPC systems is that they can do things that other systems can't quite do, or can do but not quite as well. Take Final Cut - there's no Final Cut equivalent on Windows. There just isn't. Media Composer is a completely different workflow, and Premiere can't be used for anything of any complexity. If you just want to transcode tons of footage to ProRes on a modest RAID, then cut like crazy, there's no equal. Sure, Final Cut X is fancy, but people who cut features are still more inclined to prefer older Final Cut Studio.
Final Cut on a Power Mac G5 is STILL a viable option these days and can even handle ProRes 4444. The best part is that someone on a budget can have one indefinitely for far cheaper than a modern system, and with lots of good software for a fraction of what that software would cost for modern versions. The same goes for Adobe software - older Photoshop and Illustrator work quite well, so instead of dealing with the security and billing nightmares of Adobe, one can have all that software for next to nothing, for ever, on an older system.
The hypervisor thing and how it relates to Intel's Management Engine, though, is another matter and one I think I've misexplained. I'm not saying that there's this "feature" of either current hypervisors or Intel's CPUs that does this - I'm suggesting that the various government agencies which have shown no regard whatsoever for the Constitution, the Bill of Rights or the letter of law are already making use of compromised hypervisors in "clouds" all over the planet to collect data surreptitiously. Heck, I'd even say it's not crazy to imagine they had a hand in the marketing push for the "cloud". Imagine if you were them and you wanted access to more businesses' data, but all of those larger businesses were still running their own servers on-site. What would you do? Of course, you'd encourage them to move that data to places which were much easier to get to.
The Intel Management Engine, FYI, is tiny controller in every Intel CPU which has unfettered access to everything - ring 0, memory, DMA, caches, microcode, you name it. But guess who knows exactly what it does, how it's programmed, what its safeguards are? You probably guessed correctly - none of us! It's partly why China has been moving to a natively built CPU. Literally every Intel system made these days has one. The capabilities Intel admits are scary enough - imagine if a rootkit could be made which allowed modification of the ME's code? Game over, literally every Intel system everywhere!
http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub
http://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/
http://hackaday.com/2015/12/28/32c3-towards-trustworthy-x86-laptops/
Now imagine - just suspend your disbelief for two minutes - that the Intel ME has been in the pocket of those we-don't-care-what's-legal TLAs for years. Go ahead. Let that sink in.
Support for alternate platforms, both for the sake of code robustness and for the sake of system resiliency, is never a bad idea.
For instance, shellshock was pretty much irrelevant to Leopard because the default shell then was tcsh. So, people who prefer bash enough to change their default shell heard about shellshock and could do something about it. Didn't know or didn't care? Then it didn't affect your Leopard system.
Likewise, all the reflection issues with NTP are irrelevant unless you're allowing queries to your machine. Are you running your own NTP server? Yes? Then you know and have handled it yourself. No? Then it doesn't affect you. The same applies to DNS, Apache, and so on.
The reason I still support some Leopard systems boils down to things they do well. File services in later versions of OS X are more idiosyncratic and Apple's Server tools these days suck horribly. They make me feel bad for Windows admins because the mystery surrounding their behavior makes me imagine that I'm experiencing what Windows admins go through regularly.
With AFP, people can select "Connect To Server..." from their Go menu in the Finder, and they're sharing files. AFP is encrypted, and there still aren't any CVEs for AFP servers in Leopard (or CVEs for AFP clients which haven't been fixed). But I'm probably the odd one out who still has a legitimate desire to keep something like a Leopard Server not only in use, but actively connected directly to the Internet. Of course I monitor it and would get notified the moment any account gets used for anything outside of the context of AFP, but that makes sense for all servers. In my opinion, it's much better to have a system that's old that one knows and has configured very carefully than to have a fully up-to-date default whatever GNU/Linux distro of the day where security is just taken for granted.
But really, the value I see in PowerPC systems is that they can do things that other systems can't quite do, or can do but not quite as well. Take Final Cut - there's no Final Cut equivalent on Windows. There just isn't. Media Composer is a completely different workflow, and Premiere can't be used for anything of any complexity. If you just want to transcode tons of footage to ProRes on a modest RAID, then cut like crazy, there's no equal. Sure, Final Cut X is fancy, but people who cut features are still more inclined to prefer older Final Cut Studio.
Final Cut on a Power Mac G5 is STILL a viable option these days and can even handle ProRes 4444. The best part is that someone on a budget can have one indefinitely for far cheaper than a modern system, and with lots of good software for a fraction of what that software would cost for modern versions. The same goes for Adobe software - older Photoshop and Illustrator work quite well, so instead of dealing with the security and billing nightmares of Adobe, one can have all that software for next to nothing, for ever, on an older system.
The hypervisor thing and how it relates to Intel's Management Engine, though, is another matter and one I think I've misexplained. I'm not saying that there's this "feature" of either current hypervisors or Intel's CPUs that does this - I'm suggesting that the various government agencies which have shown no regard whatsoever for the Constitution, the Bill of Rights or the letter of law are already making use of compromised hypervisors in "clouds" all over the planet to collect data surreptitiously. Heck, I'd even say it's not crazy to imagine they had a hand in the marketing push for the "cloud". Imagine if you were them and you wanted access to more businesses' data, but all of those larger businesses were still running their own servers on-site. What would you do? Of course, you'd encourage them to move that data to places which were much easier to get to.
The Intel Management Engine, FYI, is tiny controller in every Intel CPU which has unfettered access to everything - ring 0, memory, DMA, caches, microcode, you name it. But guess who knows exactly what it does, how it's programmed, what its safeguards are? You probably guessed correctly - none of us! It's partly why China has been moving to a natively built CPU. Literally every Intel system made these days has one. The capabilities Intel admits are scary enough - imagine if a rootkit could be made which allowed modification of the ME's code? Game over, literally every Intel system everywhere!
http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub
http://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/
http://hackaday.com/2015/12/28/32c3-towards-trustworthy-x86-laptops/
Now imagine - just suspend your disbelief for two minutes - that the Intel ME has been in the pocket of those we-don't-care-what's-legal TLAs for years. Go ahead. Let that sink in.
Support for alternate platforms, both for the sake of code robustness and for the sake of system resiliency, is never a bad idea.