Wednesday, October 3, 2012

Leopard security in 2012


A large majority of people still running PowerPC hardware from Apple use 10.5 Leopard as their primary OS.  This is understandable since it is the final version to run on PowerPC hardware.  Although its security technology like socket layers and sandboxing is still reasonably close to modern standards, there are unfortunately other areas where it is no longer cutting it.  These would be Java and Flash.  Java is halted at 1.5 forever on it, which is very insecure now, and Flash stopped PowerPC development at version 10.1.  The good news is that it is entirely possible, as well as beneficial, to live without both on Leopard.

The thing with Java is that many people think it’s directly involved with JavaScript, which it is not.  JavaScript is required by many websites and is a browser-only technology for the most part.  If your browser is up to date then so is its ability to use JavaScript properly and safely.  Java is used to support the running of some applications such as Java applets or the Java runtime, and as I mention above it is stuck at 1.5 on PowerPC.  I would say Java 1.5 and older is easily the biggest security risk for all OS X users on PowerPC hardware.


Disabling Java

This is something that literally all PowerPC users on any version of OS X should do.  In Leopard it’s actually very easy to disable.  Simply go to the Utilities folder within Applications and open “Java Preferences.app”.  Then deselect any version selected in the General pane.  After this click on the Security pane and deselect “keep temporary files for fast access”.  For the sake of being thorough click the “Delete Files” button at the bottom for any that may already exist. 

The next and final step is to open all the browsers you use and deselect “Enable Java” which is how most word it.  Although you have already disabled it at the system level this is just an extra measure so that your browsers tell sites right away not to bother with any Java.  If you want to go even further you can find and delete all the files within Leopard that are Java related.  This is really unneeded because as long as you have it disabled in the OS and browsers you’re fine.  For those that really need Java you should look for Linux alternatives and use Java through Linux instead.

JavaScript is far more secure and inherently much harder to make malicious.  As I already mentioned, it is not related to Java, so as long as your browser is up to date then so is your JavaScript in most cases.


Flash

This is a technology that will likely never die because of people’s tolerance of it.  PowerPC users for example should see Flash as the plague and avoid it at all costs.  I personally wouldn’t use it even if there were a modern secure version for PowerPC.  In my opinion the Flash alternatives like MacTubes or similar apps make the experience more organic, at least where YouTube is concerned.  You don’t have all the ads and obnoxious comments in your face, nor the bad site design.  It’s much more like watching a video in VLC or CorePlayer.  I actually use CorePlayer to play them mostly but use MacTubes to find and get the direct resolution links for CorePlayer.  This can be done with VLC also.  The reason for adding these extra players in the mix is that they use even less CPU than QuickTime.

I understand there is a whole world of Flash video out there besides what is on YouTube, but there are many tools available for browsers that can download Flash video from virtually any site.  This will give you a .flv or .mp4 file which you can then play in your favorite playback app.  If this still doesn’t provide a solution that works for you then you need to ask yourself an important question.  What is more important, the ability to watch some online video or the health and security of your computer?  If your answer is to watch the video then I really don’t know what to say other than your priorities are a bit messed up.

For the few that need Flash for important things that cannot be avoided, like some unfortunate education resource which uses Flash, the best thing to do is buy a cheap x86 machine and dedicate it to that.  That way you can run Windows or whatever OS you prefer with updated Flash options.  People with PowerPC Macs should never allow a Flash plugin on their hard drive unless they like to live on the edge in a bad way.
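An added example (not from the original post): a shell check that lists anything in the browser plug-in folders whose name suggests Java or Flash, as a follow-up to the Java disabling steps and the advice above not to keep a Flash plugin on disk. The two default folders are the standard OS X plug-in locations; matching on the words "java" and "flash" in the file name is an assumption, not a complete inventory.

```shell
#!/bin/sh
# Added example: list browser plug-ins whose names suggest Java or Flash.
# The name patterns are a heuristic (assumption), not an exhaustive list.

# audit_plugins [dir ...]
#   Prints one line per suspect plug-in as "<kind><TAB><path>".
#   Returns 0 if nothing was found, 1 if at least one match was listed.
audit_plugins() {
    # With no arguments, check the system-wide and per-user plug-in folders.
    if [ "$#" -eq 0 ]; then
        set -- "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"
    fi
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # folder may not exist at all
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue    # empty folder: glob stayed literal
            # Compare case-insensitively on the file name only.
            name=$(basename "$entry" | tr '[:upper:]' '[:lower:]')
            case "$name" in
                *java*)  kind=java ;;
                *flash*) kind=flash ;;
                *)       continue ;;
            esac
            printf '%s\t%s\n' "$kind" "$entry"
            found=1
        done
    done
    [ "$found" -eq 0 ]
}
```

Run `audit_plugins` with no arguments to check the two default folders; a non-zero exit status means at least one match was listed.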

The only way people can truly unburden themselves from some of the awful technology out there is to avoid it and find other methods, which may not be their preference but will be secure and, more importantly, liberating.  I use that word because when you can make your own way in the computing world without relying on all the horrible tech most people do, it’s a very liberating feeling.


Leopard moving forward

Other than the Java and Flash shortcomings Leopard is actually quite a secure OS compared to WinXP or Vista or any Mac OS before it.  People still running Tiger or older should consider upgrading if they have a G4/G5 (no G3 support), especially if they have a Core Image capable GPU and plan on sticking with OS X a good ways into the future.  As I mention in my “Leopard performance on sub-867 MHz hardware” post from August, Leopard uses the CPU for Core Image rendering if it doesn’t have a capable GPU, which slows the CPU down up to 30%.  If you have a capable GPU then Leopard should run just as fast if not a bit faster.

Tiger and Panther were great versions of OS X but they both really lack all the advances that started in Leopard like socket layers and sandboxing.  Leopard has more security built in than you could ever add to Tiger/Panther.  As I mentioned in my previous post I encourage people to use Linux also these days, but for all your Mac OS needs Leopard can serve you much better.  Although 10.5 is starting to lose a lot of software support it still has a much better/newer software selection.  There are also 2-3 more browsers being developed for Leopard and not Tiger, like SeaMonkey, Leopard Webkit and AuroraFox.

Another real advantage to Leopard is that it has a lot more unintended natural compatibility with devices from the x86 market like wifi and Bluetooth dongles and PCI expansion cards.  I have x86 market gigabit Ethernet and Bluetooth dongles on both my main Sawtooth.

Whatever course any of you take in your computing journey the best security is always going to be an educated user who knows what not to do online just as well as what to do.  When you combine a capable educated user with the best software situation for your hardware then you have the ultimate level of security.  A good NAT router always helps also.

More on Leopard security in the future as things come up.


Other Leopard security related posts:

TCPBlock

DigiNotar neglect on PowerPC

7 comments:

  1. I'm using a 700MHz G3 iBook, so I'm limited to Tiger. How do I remove Java from Tiger?

    Thanks.

    1. Tiger doesn't have a way to turn off runtime system wide but you can still disable it in the browsers. That prevents internet based Java threats which is really all the protection you need. I only really advise to do that in Leopard because it's more thorough and has the ability.

      I would use Camino 2.12 G3 optimized with java disabled and keep TenFourFox around also for the times you need modern Mozilla.

  2. I'd like to point out that while there are no official Oracle Java 6/7 releases for PowerPC, there is a build of OpenJDK 7 which is made available here: http://landonf.bikemonkey.org/static/soylatte/.

    A few libraries present in Oracle Java are missing from the OpenJDK release, but for the most part there is a decent level of compatibility; more importantly there is a much higher level of security than Java 5.

    1. I was told about that beta a while ago but I have never tried it to vouch for it. Not being a big Java user to begin with I didn't feel inclined to try it.

      I downloaded it and will try it on my testing system when I get around to it. Thanks

      I have lived 100% Java free on Mac OS for at least 2-3 years. LibreOffice for Mac is the one thing that would make me use it again because it uses local runtime.

  3. There's something about all of this (Mac OS security; or the lack thereof) that I don't quite understand. I think that most of us who use the Mac OS do so largely because it is much less problematic than Windows or Linux. Even those who promote the various flavors of Linux seem to like keeping Mac OS around because it allows them to do certain things much more easily, and productively, than Linux can.

    Now don't get me wrong: I do NOT suffer from the ignorant fortress mentality that many mac users have, i.e., "I use a mac and therefore don't need to worry about security". I came from the Windows world about ten years or so ago, and one of the things that drove me to the mac was security. I got tired of dealing with viruses and the like on my Windows machines, and tired of the effort required to maintain Windows in something like an operable condition. I wanted things to be safe and to "just work".

    It wasn't very long after I became invested in the mac experience that Apple decided to pull the plug on PowerPC. I wasn't willing to follow Apple back down the road to where I had just come from (X86-based hardware), nor could I afford to do so; therefore I determined that I was going to get the most out of my PPC machines. I thought then that at some point my macs, which were already a few years old when I bought them, would soon become too obsolete for daily use...but, here I am today still using a Power Mac G4 & Powerbook G4. They still do everything I need them to do, and I just don't like to replace things unnecessarily.

    But I digress. The question in my mind boils down to essentially this: What, exactly, are the risks I am running by continuing to use outdated versions of Mac OS X (Leopard on one; Tiger on the other)? I use only updated, supposedly secure browsers (AuroraFox, TenFourFox, Leopard Webkit, TenFourKit); I steer clear of malware hotbeds such as file-sharing & pornographic sites; I'm mindful of what I do when I'm using a publicly accessible wifi hotspot; etc., etc., etc. I connect, and remain connected, only when necessary for whatever I'm doing with the computer (I don't have an always-on type of connection). I'm not stupid, and try not to be ignorant; I read about and follow sensible security precautions when I'm online.

    It's my understanding that files created in a mac user's home directory are non-executable, so a traditional virus such as commonly afflicts Windows cannot get itself started in OS X. What, then, does a reasonably security-minded mac user like myself have to fear? Can a Trojan take control of my computer? Can a keystroke logger be used to steal my passwords? I'd just like to have a better handle on what my possible vulnerabilities are, so that I can then use that information to better protect myself, or possibly go ahead and make the jump to Linux if my vulnerability in OS X seems too great. I routinely do things like online banking, shopping, and such; as well as doing my taxes on my PPC macs; and I plan on continuing to do these things, on these machines, for as long as they last.

    I'm not opposed to transitioning to Linux, and figure that I'll eventually end up there one way or another...but I really, really like the Mac OS and plan on using it as long as possible. So, could someone explain to me, in as little geekspeak as possible, just what is likely to happen to me/my data/my identity/my money if I continue to do so? Maybe I'll switch to Linux tomorrow, who knows...

    1. All these answers already exist on this blog but in multiple posts so I will sum it up for you in the least technical speak I can get away with.

      For things like graphic design, video editing or audio work even Leopard beats modern Linux and those are the type of tasks where security is not a concern at all. I promote the dual use of OS X and Linux/BSD. Not the abandonment of OS X. I still use X every single day on PowerPC and will in 10-20 years also I imagine. It is internet based activity where PowerPC users are better off with Linux or BSD.

      There are several executables that exist within an OS X user folder. Leopard would have the most. Several utility type apps like "Screen Sharing" or other lesser utilities. There are also several internet apps which interact with the user folder directly.

      I am not sure how it is hard to understand that Tiger or Leopard does not have all the added security of every version after it like Snow Leopard, Lion and Mountain Lion. Everything those improved on is not in OS X PowerPC.

      The way that operating systems interact with the internet makes or breaks their security. Everything from how it deals with plugins, scripts, certificates, java etc etc. All that has been neglected for 4-6 years now on PowerPC OS X depending on what part of the code is in question. Most if not all of that stuff is kept in the user folder.

      There have been a few issues that have risen as threats only for PowerPC users or Intel Macs that have not upgraded to newer OS. Things like the DigiNotar certificate, flash, java are issues that only affect us because the proper fixes only agree in software that does not support our PowerPC hardware. This should be a very easy concept to understand.

      It sounds like you already have smart user habits so that is a great start right there.

      I will break it down like this. You are safer on Leopard than Tiger. Safer on Tiger than XP or Vista. OS X 10.6+, Linux and BSD are the ultimate security. Modern Linux or BSD beats modern OS X in security. So if you run Linux on your PowerPC Mac you will be more secure than people with brand new Intel Macs running Mountain Lion.

      I am only really good at heavy geek speak so I hope this simpler explanation gets the right points across. Let me know if you have more questions about this.

      Even if you have more interest in BSD I recommend you start with Linux. BSD is only truly usable if you're a bit of a command line rock star.

  4. Thanks for the reply! I have read your entire blog (which is excellent btw), and realize that you have answered many of my concerns elsewhere. I also realize that it's not really possible to give a definitive answer to my question, since many of PPC OS X's vulnerabilities have yet to be exploited, and there's simply no way of knowing which vulnerabilities will be exploited in the future, or what parts of the OS that are now "secure" may at some point in the future become less so. I understand that the whole subject requires a bit of crystal ball gazing, as it were.

    I guess what I'm after is something of a more practical explanation. On Windows, I knew what my vulnerabilities were: viruses could crash my computer and/or destroy my data; trojans could take control of the computer away from me; spyware could steal my passwords; and so on. Security is such a ubiquitous topic in the Wintel world that I think it's safe to say a majority of Windows users, even the non-techie ones, have some understanding of what could happen to them if they don't take the usual precautions that Windows requires.

    But on the Mac OS, it seems that the longstanding relative security of the OS has made most of the threats theoretical in nature (I do understand, however, that there have been a handful of actual threats). When I try to educate myself on Mac OS security, it seems that what I encounter is mostly either very general in nature, or loaded with a bunch of technical jargon that is at this point somewhat beyond me...or, people who are ignorantly suggesting that security just isn't important on a mac (I know better).

    To use an analogy: If I become aware that my home is in a flood plain, then, having an understanding of exactly what could happen to my home, I could then go and make a realistic assessment of my risk. If I determine that the risk is too great to withstand any modifications to the property I might make (say, sandbagging around the house, constructing a dike, etc.), then I may choose to abandon my home altogether in favor of one on higher ground. Or, if I determine that my home is in a low-risk 500-year flood plain, I may decide that the relatively remote chance of harm does not justify a change of residence. I'm sure you see where I'm going with all of this.

    I know better than to try to use, say, Windows 98 to do, say, online banking; because I know what's likely to happen. But with Mac OS X, I don't know what could happen. I know of people who still use Mac OS 9 to do online banking, shopping, etc., using Classilla, and have done so for years without ill effect. What's likely to happen to them/me? The same things that could happen if I used an outdated unprotected version of Windows; or something else? If I had a better understanding of the actual risks, then I could better determine whether or not I want to remain in the PPC OS X "floodplain", or seek higher ground on "Linux Hill".

    I understand that you're not promoting Linux at the expense of PPC OS X, but rather that you promote the complementary use of both. I'm confident, especially after reading your blog and others, that Linux will be my future home. But as for dual booting, that's something I'd rather avoid. If I had the means to use two computers in the same place at the same time, I'd run Linux on one, and OS X on the other, and my problems would be solved. But I only have access to one computer at a time, because one is at work and the other is at home. I prefer to use one OS for all my needs, rather than waiting for a reboot every time I have to go online. But oh well, it's not a perfect world, I may end up doing just that.
