
pl1984

Suspended
Oct 31, 2017
2,230
2,645
That last bit right there is the key. Most exploits that we're worried about when considering this PPC thread's subject are surrounding Safari, or whatever browser they choose to use. Since they can't update those applications (stock Mac apps anyway) then that's where you're vulnerable. Have I made the point clear yet?

Edit: The 'exploit' being specifically written to target Safari is something you can assume. Vulnerabilities are rarely tied to hardware, but they do happen as evidenced by Intel's laundry list of security advisories. Part of my day job is going through vulnerabilities that come out every day and writing audits for them. I'd estimate that 95-98% of the vulnerabilities that I end up going through are software-specific.
An exploit needs to be able to run on the target system. In order to do so it needs to be specifically written for the application and specific platform being targeted. Otherwise you're asking us to believe malware writers are able to do something the rest of the software development community is unable to do: Write a single binary that runs, unaltered and without emulation, on all platforms and operating systems.

The instruction set for a specific processor is, typically, unique to that specific implementation. How a register is loaded is a different opcode on Intel than it is on PPC than it is on 68K. Thus the instruction code for an Intel processor is not going to run, unaltered, on a PPC processor. Exploits, unless targeted at a weakness in a cross-platform technology, are very platform specific and as such are extremely unlikely to run on anything but the targeted platform. No ands or ifs about it.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
940
1,068
California
An exploit needs to be able to run on the target system. In order to do so it needs to be specifically written for the application and specific platform being targeted. Otherwise you're asking us to believe malware writers are able to do something the rest of the software development community is unable to do: Write a single binary that runs, unaltered and without emulation, on all platforms and operating systems.

The instruction set for a specific processor is, typically, unique to that specific implementation. How a register is loaded is a different opcode on Intel than it is on PPC than it is on 68K. Thus the instruction code for an Intel processor is not going to run, unaltered, on a PPC processor. Exploits, unless targeted at a weakness in a cross-platform technology, are very platform specific and as such are extremely unlikely to run on anything but the targeted platform. No ands or ifs about it.
First off, as stated way back up this chain, the 'malware' in this case is not being written for your computer. They're just busting open a remote shell using an application that you've already installed. I am going in circles with you, and you fail to recognize how this works. Let me spell it out clearly all at once in an attack scenario to clear this up, and if this doesn't satisfy you then you're living in the 1990s and I can't help you.

Assume attacker has compromised a site, for the sake of this argument, macrumors.
1) The attacker knows that this site is frequented by Macs, which run Safari.
2) He uploads content that causes a crash in the Safari application, and executes remote code. The flaw could've been patched years ago in El Capitan, but he knows older Mac users still use the site nonetheless without upgrading because they erroneously believe they are safe.
3) The shellcode payload attached to the content that triggers the exploited Safari crash has a PPC / x86 payload that opens a remote shell to his listening server. From there the server runs a few automated bash commands to install a backdoor on your system appropriate for your architecture with privileges equal to the security context of Safari. (Admin users more affected, regular users less. This is common and why Chrome refuses to run as root.)

That attack scenario is entirely possible. This is why your PPC system needs to be air gapped.
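An added example for step 3 above, the backdoor "appropriate for your architecture" (this is not code from any post in this thread, and it is not the 2005 multi-arch shellcode trick referred to later in the thread, which is a different technique): a Python parser for the Mach-O universal ("fat") format that Mac OS X uses to ship one file carrying both a PowerPC slice and an x86 slice, so the loader executes whichever matches the CPU. The fat header layout and the CPU-type constants are the real ones from <mach-o/fat.h> and <mach/machine.h>; the slice contents are constructed junk rather than real executables, and build_fat / select_slice / is_valid_fat are illustration helpers written for this example, not Apple's loader.

```python
"""Select the slice of a Mach-O universal ("fat") file that matches a CPU.

Added example, not code from the thread.  Header layout and CPU types are
the real Apple definitions; the sample slices are constructed placeholders.
"""
import struct
from typing import Dict, Tuple

FAT_MAGIC = 0xCAFEBABE          # always big-endian on disk, whatever the host
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_POWERPC = 18
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_POWERPC64 = CPU_TYPE_POWERPC | CPU_ARCH_ABI64

FAT_HEADER = struct.Struct(">II")      # magic, nfat_arch
FAT_ARCH = struct.Struct(">iiIII")     # cputype, cpusubtype, offset, size, align (log2)


def parse_fat(blob: bytes) -> Dict[int, Tuple[int, int]]:
    """Return {cputype: (offset, size)} for every slice, validating bounds.

    Raises ValueError on a non-fat file or on a header whose arch table or
    slices point past the end of the file.  A parser without the bounds
    checks reads out of the buffer on a crafted header.
    """
    if len(blob) < FAT_HEADER.size:
        raise ValueError("too short for a fat header")
    magic, nfat = FAT_HEADER.unpack_from(blob, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08x)" % magic)
    if nfat == 0 or FAT_HEADER.size + nfat * FAT_ARCH.size > len(blob):
        raise ValueError("fat_arch table runs past end of file")
    slices = {}
    for i in range(nfat):
        cputype, _sub, off, size, _align = FAT_ARCH.unpack_from(
            blob, FAT_HEADER.size + i * FAT_ARCH.size)
        if off + size > len(blob):
            raise ValueError("slice for cputype %d exceeds file" % cputype)
        slices[cputype] = (off, size)
    return slices


def is_valid_fat(blob: bytes) -> bool:
    """True if parse_fat accepts the blob; False on any structural problem."""
    try:
        parse_fat(blob)
        return True
    except ValueError:
        return False


def select_slice(blob: bytes, cputype: int) -> bytes:
    """Return the raw slice a machine of `cputype` would execute.

    Simplification: the real loader also matches cpusubtype and prefers a
    64-bit slice on 64-bit hardware; exact cputype match is enough here.
    """
    slices = parse_fat(blob)
    if cputype not in slices:
        raise LookupError("no slice for cputype %d" % cputype)
    off, size = slices[cputype]
    return blob[off:off + size]


def build_fat(slices: Dict[int, bytes], align_log2: int = 12) -> bytes:
    """Assemble a fat file from {cputype: bytes}, page-aligning each slice."""
    align = 1 << align_log2

    def round_up(n: int) -> int:
        return (n + align - 1) // align * align

    header_len = FAT_HEADER.size + len(slices) * FAT_ARCH.size
    offset = round_up(header_len)
    table, body = [], bytearray()
    for cputype, data in slices.items():
        table.append(FAT_ARCH.pack(cputype, 0, offset, len(data), align_log2))
        body += data.ljust(round_up(len(data)), b"\0")
        offset += round_up(len(data))
    header = FAT_HEADER.pack(FAT_MAGIC, len(slices)) + b"".join(table)
    return header.ljust(round_up(header_len), b"\0") + bytes(body)


# Constructed stand-in payloads; real slices would be complete Mach-O images.
SAMPLE_SLICES = {
    CPU_TYPE_POWERPC: b"PPC-SLICE: this part only runs on a G3/G4/G5",
    CPU_TYPE_X86: b"X86-SLICE: this part only runs on an Intel Mac",
}
SAMPLE_FAT = build_fat(SAMPLE_SLICES)

if __name__ == "__main__":
    for cpu in (CPU_TYPE_POWERPC, CPU_TYPE_X86):
        print("cputype %2d -> %r" % (cpu, select_slice(SAMPLE_FAT, cpu)))
```

The point for this thread is the shape of the file, not the helpers: one drop from the attacker's server satisfies both the Intel and the PowerPC visitor, and the kernel does the architecture choice for him. The bounds checks in parse_fat are the part a defender wants; a fat header is attacker-controlled input like anything else downloaded from a compromised site.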
 

pl1984

Suspended
Oct 31, 2017
2,230
2,645
First off, as stated way back up this chain, the 'malware' in this case is not being written for your computer. They're just busting open a remote shell using an application that you've already installed. I am going in circles with you, and you fail to recognize how this works. Let me spell it out clearly all at once in an attack scenario to clear this up, and if this doesn't satisfy you then you're living in the 1990s and I can't help you.

Assume attacker has compromised a site, for the sake of this argument, macrumors.
1) The attacker knows that this site is frequented by Macs, which run Safari.
2) He uploads content that causes a crash in the Safari application, and executes remote code. The flaw could've been patched years ago in El Capitan, but he knows older Mac users still use the site nonetheless without upgrading because they erroneously believe they are safe.
3) The shellcode payload attached to the content that triggers the exploited Safari crash has a PPC / x86 payload that opens a remote shell to his listening server. From there the server runs a few automated bash commands to install a backdoor on your system appropriate for your architecture with privileges equal to the security context of Safari. (Admin users more affected, regular users less. This is common and why Chrome refuses to run as root.)

That attack scenario is entirely possible. This is why your PPC system needs to be air gapped.
The highlighted part of your post is the key: The shellcode was specifically written to target both platforms. Despite the fact it was written to target both platforms the shellcode itself is different for each platform. The shellcode which will execute on PPC is extremely unlikely to execute on x86 and vice-versa. I emphasize this because the malware author had to make a conscious decision to target both platforms.

Enter today's threats: As PPC has been out of production for over a decade it's highly unlikely today's malware authors are going to bother developing PPC-specific shellcode. Thus exploits which specifically target x86 will not work on PPC. Period. There are no ands or ifs about it.

Legacy exploits will continue to work but new exploits are unlikely to merely because malware authors are very unlikely to target the PPC platform. There are so few of them it doesn't make sense to do so unless they're interested in a specific target. It is this which makes using PPC safe, but not secure, today. The chances of coming across PPC specific exploits is low.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
940
1,068
California
The highlighted part of your post is the key: The shellcode was specifically written to target both platforms. Despite the fact it was written to target both platforms the shellcode itself is different for each platform. The shellcode which will execute on PPC is extremely unlikely to execute on x86 and vice-versa. I emphasize this because the malware author had to make a conscious decision to target both platforms.

Enter today's threats: As PPC has been out of production for over a decade it's highly unlikely today's malware authors are going to bother developing PPC-specific shellcode. Thus exploits which specifically target x86 will not work on PPC. Period. There are no ands or ifs about it.

Legacy exploits will continue to work but new exploits are unlikely to merely because malware authors are very unlikely to target the PPC platform. There are so few of them it doesn't make sense to do so unless they're interested in a specific target. It is this which makes using PPC safe, but not secure, today. The chances of coming across PPC specific exploits is low.
In that scenario, it is in the attacker's interest to cast as wide a net as possible to maximize the odds of valuable prey being captured. It is therefore logical to assume that he would attach a payload that targets both architectures since he knows the site is visited by older macs, and his exploit is for a patched vulnerability. I assume you read the shell code post earlier, it executes x86 on x86 and PPC on PPC in the same code. Doesn't matter how it does it, just know that it works.

Are you unlikely to be targeted specifically? Most likely. But you're in a lump category that can be easily targeted together. If you were running an OS and web browser that was custom made and no one knew what your architecture was, then your argument would be valid. However you are not, the vulnerabilities in your software are well known, and exploits are publicly available to include you in the fishing net.

Believe what you want at this point, I won't be returning to this thread.
 

pl1984

Suspended
Oct 31, 2017
2,230
2,645
In that scenario, it is in the attacker's interest to cast as wide a net as possible to maximize the odds of valuable prey being captured. It is therefore logical to assume that he would attach a payload that targets both architectures since he knows the site is visited by older macs, and his exploit is for a patched vulnerability. I assume you read the shell code post earlier, it executes x86 on x86 and PPC on PPC in the same code. Doesn't matter how it does it, just know that it works.

Are you unlikely to be targeted specifically? Most likely. But you're in a lump category that can be easily targeted together. If you were running an OS and web browser that was custom made and no one knew what your architecture was, then your argument would be valid. However you are not, the vulnerabilities in your software are well known, and exploits are publicly available to include you in the fishing net.

Believe what you want at this point, I won't be returning to this thread.
Yes, I read it. It's dated 2005. Thus reinforcing my point that few, if any, malware authors are writing PPC specific shell code.
 

mmphosis

macrumors regular
Jan 3, 2017
219
298
Some time ago, I dragged Safari to the Trash. And, way before that when Java was still receiving numerous updates, I stopped using Java altogether. I run the latest version of TenFourFox with Javascript turned off. I am very selective about what I install and run and what I let software do. I am always looking for services I can stop, and unneeded programs and frameworks that I can remove. The air gap suggestion might be next. :)
 

eyoungren

macrumors Penryn
Aug 31, 2011
28,793
26,883
@SecuritySteve

You may be entirely right in everything you say. That is not the reason for this post of mine.

I am not air gapping a Quad G5, a DC 2.3 G5, a DP 2.7 G5, a 1GHz 17" PowerBook G4, a 2.16GHz 17" MBP and a 450MHz G3.

Period. I'm not.

I have specific uses for these Macs and I will continue to use them in those functions. I know they are old and I know there is a risk.

I don't care. I refuse to relegate my computing life to computers I cannot afford, running operating systems I don't want to use, with locked down accounts that make using everything an exercise in paranoid fear that the internet boogeyman is going to crush my financial and computing life at any moment.

I will not be ruled by fear.

I have done everything I can to secure the online accounts I use. 99.99% of my browsing is done in the latest version of TenFourFox and I am not in the habit of hanging out on questionable websites.

Of the browsing I do, it's MacRumors, Reddit and Google News. Unless all three have been hijacked recently and no one has said anything I'll take my chances.

All of us understand the risks involved and have chosen to accept those risks to keep using the computers we all love. Will it bite us in the ass? Maybe. But that's the risk.

I am not being harsh, nor am I trying to discredit you or your statements. I am not questioning your knowledge or your informed assessments. In short, I am not trying to be a jerk to you.

I'm just simply saying…we know the dangers involved and we accept them.
 

AphoticD

macrumors 68020
Feb 17, 2017
2,282
3,459
I'm just simply saying…we know the dangers involved and we accept them.

Very well stated @eyoungren

Another angle is to recognize that there would be a near zero installation base of PowerPC Macs in any organizations storing sensitive data. Any (IBM) PowerPC machines in use in these environments will not be running Mac OS X.

The only PowerPC Macs going online are going to be those of individuals who either put older hardware to good use and understand the security risks in doing so, or have not brought themselves up to date within the past 12+ years, so could probably do with a refresher course on security.

Chances are, the internet's evolution would have brought about forced upgrades and/or research into more compatible (read:secure) methods for users of strictly older hardware anyway.

TL;DR: I wouldn't worry about it too much.
 

amagichnich

macrumors 6502a
Feb 3, 2017
516
342
Stuttgart, Germany
Believe what you want at this point, I won't be returning to this thread.
What is it anyway you want us to do? Trash our PPCs and buy new MacBooks? Then you fail to understand why we use PPCs.
But if you want to help us make PPCs more secure, you are very welcome to do so :)
 

pl1984

Suspended
Oct 31, 2017
2,230
2,645
What is it anyway you want us to do? Trash our PPCs and buy new MacBooks? Then you fail to understand why we use PPCs.
But if you want to help us make PPCs more secure, you are very welcome to do so :)
What I took away from his post was that relying on security through the obscurity offered by the PPC platform involves more risk than what many think it does. His initial response was to a statement that a malware author will not bother writing an exploit for an architecture which has less than .1% usage. He was making the argument there is currently exploit code and that malware authors are likely to write more (at least when it comes to targeting websites where PPC systems are known to be in use).

While I disagree with the notion malware authors are continuing to target the PPC platform I have no evidence to back my opinion up. He could very well be right.

What I found interesting was Eric's response. For someone who doesn't do security he did an excellent job of stating he has weighed all the information and has accepted the risk. In essence Eric has done a risk analysis and determined he is comfortable with the risk. That is what security is about: evaluating risk and taking steps to mitigate it or accept it.
 

amagichnich

macrumors 6502a
Feb 3, 2017
516
342
Stuttgart, Germany
What I took away from his post was that relying on security through the obscurity offered by the PPC platform involves more risk than what many think it does. His initial response was to a statement that a malware author will not bother writing an exploit for an architecture which has less than .1% usage. He was making the argument there is currently exploit code and that malware authors are likely to write more (at least when it comes to targeting websites where PPC systems are known to be in use).

While I disagree with the notion malware authors are continuing to target the PPC platform I have no evidence to back my opinion up. He could very well be right.

What I found interesting was Eric's response. For someone who doesn't do security he did an excellent job of stating he has weighed all the information and has accepted the risk. In essence Eric has done a risk analysis and determined he is comfortable with the risk. That is what security is about: evaluating risk and taking steps to mitigate it or accept it.
Well said!
 

pl1984

Suspended
Oct 31, 2017
2,230
2,645
What exactly does a crash dump say? Only app crash info or personal info too?
Depends on the crash dump. Full crash dumps contain the contents of whatever was in memory when the crash occurred.

If it is an application-level crash then it will contain the contents of the application's memory. For example if the browser I'm writing this in crashed and a dump file was created for it then this very text would be contained within. It is likely to also contain my user ID and password for this web site (and possibly any other websites which may also be open).

If it's an OS crash dump then a lot of sensitive information can be had. The aforementioned contents of the web browser plus any other applications which may be running (and possibly contents of applications which were running but were closed, memory is not automatically cleared when you close an application). If I have any encrypted volumes then the encryption key(s) are likely contained within.

In fact on many Windows systems there is already a "crash dump" which exists on the system. It's "hiberfil.sys" in the root of the boot volume. If the system has ever entered hibernation then the contents of memory are written to that file and the contents of processes which were running on the system can easily be recovered from it.

If you want to see what is available there are open source tools which you can use. Things like Rekall and Volatility are the top open source forensic tools. With these tools one can recover a lot of information from a memory dump.
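As an added illustration of the post above (an example written for this page, not code from the post and not Rekall or Volatility): a small Python sweep that pulls printable ASCII and UTF-16LE strings out of a raw memory image and flags credential-looking material, which is the first pass an analyst makes over a crash dump or a hiberfil.sys before reaching for the real tools. The image it scans is constructed inline (filler bytes around a fake login POST body, a Basic-auth header and a wide-character password) so the script runs offline; no real system produced it, and the regexes are illustrative rather than a complete credential grammar.

```python
"""Sweep a raw memory image for credential-bearing strings.

Added example, not code from the thread and not a forensic tool's own
logic.  SAMPLE_DUMP is constructed inline so the script runs offline.
"""
import base64
import re
from typing import List, Tuple

MIN_LEN = 6

# Runs of printable ASCII, and runs of UTF-16LE (how Win32 and many Cocoa
# objects hold text), each at least MIN_LEN characters long.
_ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Patterns an analyst greps for first: form fields and config-style secrets,
# plus HTTP Basic auth headers, whose base64 is trivially reversible.
_CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|pass|secret|token)=([^&\s]+)")
_BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")


def extract_strings(dump: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every string run in the image."""
    found = []
    for m in _ASCII_RE.finditer(dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16_RE.finditer(dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def find_credentials(dump: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, value) for credential-like material in the image."""
    hits = []
    for offset, _enc, text in extract_strings(dump):
        for m in _CRED_RE.finditer(text):
            hits.append((offset, m.group(1).lower(), m.group(2)))
        for m in _BASIC_RE.finditer(text):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue           # not real base64; skip rather than crash
            hits.append((offset, "basic-auth", decoded))
    return hits


# Deterministic non-text filler: (i*37) % 256 never yields six printable bytes
# in a row and has a zero byte only every 256 positions, so it produces no
# false string hits of its own.
FILLER = bytes((i * 37) % 256 for i in range(512))


def build_sample_dump() -> bytes:
    """Constructed image: secrets a browser process could hold, amid filler."""
    post_body = (b"POST /login HTTP/1.1\r\nHost: forum.example\r\n\r\n"
                 b"username=alice&password=hunter2&remember=1")
    basic = b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n"
    wide = "pwd=W1nd0ws-Wide".encode("utf-16le")   # as a Win32 app would hold it
    return FILLER + post_body + FILLER + basic + FILLER + wide + FILLER


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    for offset, kind, value in find_credentials(SAMPLE_DUMP):
        print("0x%06x  %-10s %s" % (offset, kind, value))
```

Two things the sample shows that the post states in prose: the wide-string case is why an ASCII-only `strings` pass misses Windows secrets, and the Basic-auth case is why "encoded" is not "encrypted" once it sits in a dump. Real dumps add a third problem the example does not handle: paged-out memory and compressed hibernation files, which is where the dedicated tools earn their keep.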
 

mmphosis

macrumors regular
Jan 3, 2017
219
298
I'm just simply saying…we know the dangers involved and we accept them.
Well written and I agree.
 