
Omega Mac

Original poster
Apparently a growing portion of Mac users use OCLP to keep their Macs in daily useful and usable service for a whole host of reasons.

Yet the crucial issue of the security trade off / pros and cons is discussed in this topic with some cautionary comments on being secure using an unsupported Mac when outside the normative parameters of Apple support, cannot be ignored.

As an awareness raising exercise - I thought a topic like this where users primarily focus on supporting and sharing their general security setup tips, tricks and approaches for the greater benefit when using their unsupported Macs day to day would be a good idea, and address one of the concerns of @deeveedee.

Posting in this topic means you understand that OCLP introduces some security vulnerabilities and this topic is not to discuss or debate that specifically, but rather support users who have decided on this path for their Mac in ignorance or full knowledge and therefore, the main aim is to showcase the best mitigations users can make in terms of hardware, software and user behaviours while being free to raise any facts that are totally within context of all round good spirited "awareness raising" contributions.

- This post will be updated with some more framing and maybe a summary guide as the topic matures -
 
Not connecting those machines onto the internet, and instead only have them connected to your internal network, and setting up your network to manage traffic to and from the OCLPed machines.

I know it sounds laborious, and not really a viable option for how people are using those machines, but, as you say, there's no way of using OCLP (which is a wonderful project for many reasons) without having the vulnerabilities, all you can do is mitigate them.

I'd also advise OCLP users not to automatically update to the latest available macOS version on OCLP - choose a version of macOS that your hardware is most compatible with, even when your machine does not support that version for macOS. (This reminds me of the debate with Mac Pro 5,1 and whether to use OCLP or Martin Lo's OC config - there were pluses and minuses for both.)

Mainly, as with many security issues, the responsibility is on the user to not do stupid things.
 
Good topic, I'm very interested.

I was about to update my 2013 iMac to Linux and saw OCLP for the first time and without doing any research I figured I would try it then do Linux. To my surprise it worked perfectly, no issues, everything works (at least at face value).

Now I'm half tempted to leave it since it's not my main computer, however being tied to my iCloud has me concerned.
 
Not connecting those machines onto the internet, and instead only have them connected to your internal network, and setting up your network to manage traffic to and from the OCLPed machines.

I know it sounds laborious, and not really a viable option for how people are using those machines, but, as you say, there's no way of using OCLP (which is a wonderful project for many reasons) without having the vulnerabilities, all you can do is mitigate them.

I'd also advise OCLP users not to automatically update to the latest available macOS version on OCLP - choose a version of macOS that your hardware is most compatible with, even when your machine does not support that version for macOS. (This reminds me of the debate with Mac Pro 5,1 and whether to use OCLP or Martin Lo's OC config - there were pluses and minuses for both.)

Mainly, as with many security issues, the responsibility is on the user to not do stupid things.

I suppose most will not want to isolate their OCLP machines for they become pointless. There is a bit of an analogy here for recent life and times, them lockdowns did not work out so well after all.

Regards your third point, if say your machine was tapped out by Apple at Monterey but Ventura works, then that is about as deep-end one should venture?

Or, maybe a target of hitting as safe as optimally possible Safari since it is tied in with OS level updates. Getting to venture to get Safari 18 seems to be a target, so that means people want to Ventura onto the webtura asap with their unsupported Mac.

I wonder how you gauge "most compatible" trial and error and/or do research in the relevant "unsupported" topic on MR, lots of work / don't work feedback in there.
 
rather support users who have decided on this path for their Mac in ignorance or full knowledge
Most are utterly ignorant about what OCLP is or does. There should be a thread presenting alternatives to OCLP. Like installing Windows 10 or a Linux distribution on Intel Macs. Or installing and running for free a newer version of macOS in a virtual machine.
 
One important best practice is to continue to use a browser that is supported and receives critical security patches like Firefox, or if it's a really old Mac, Firefox ESR.

A lot of OCLP users seem to need to get their Safari up to one within security updates zone and optimum web support, as per previous point hitting Safari 18 but not necessarily Safari 26 since that OS might be a few degrees too out there for the machine.

I thought Firefox was reliant on the native macOS level web support (frameworks is it?) or am I thinking iOS?
 
Most are utterly ignorant about what OCLP is or does. There should be a thread presenting alternatives to OCLP. Like installing Windows 10 or a Linux distribution on Intel Macs. Or installing and running for free a newer version of macOS in a virtual machine.
Feel free to set up that topic, with the exception that VM machine point is the one relevant to this topic, as a security mitigation right?
 
Regards your third point, if say your machine was tapped out by Apple at Monterey but Ventura works, then that is about as deep-end one should venture?

There’s no definitive answer to that, or, at least, I’m in no way qualified to give such an answer. At best I’ll give two real examples from my own experience.

Officially, a Mac Pro 5,1 tops out at Mojave, and that’s with latest firmware and a non-stock Metal GPU installed (you can’t get above High Sierra with a non-Metal card). In theory, you can use OCLP to successfully install more recent versions of macOS.

The problem is that Apple started deprecating hardware drivers in macOS after Big Sur. Relying on an implementation of OC that doesn’t start patching and replacing the code in macOS, you can run Monterey, but you will lose WiFi and Bluetooth unless you physically upgrade the WiFi and Bluetooth card(s) to a more up to date Broadcom card.

After Monterey, the only way you can run a later version of macOS is by applying patches to both the drivers and the kernel itself. At this point you’ve turned your Mac Pro into a hackintosh, which is not necessarily a bad thing in and of itself, but there are a huge amount of potential vulnerabilities and issues that can arise, because you are spoofing more and more aspects of the hardware.

The dilemma is that, while Mojave, as the last official release (and still able to run my legally purchased but non-subscription versions of Adobe software) should be more secure than an OCLP-enabled 5,1, the fact that macOS no longer released security updates for older OSes is a concern, so the Mac Pro does not connect to the internet.


Or, maybe a target of hitting as safe as optimally possible Safari since it is tied in with OS level updates. Getting to venture to get Safari 18 seems to be a target, so that means people want to Ventura onto the webtura asap with their unsupported Mac.

I just wouldn’t recommend running Safari as a browser on OCLP. That said, if the machine is unsupported because of Apple’s “cut off” of support, rather than any significant hardware changes, then it’s probably OK.

I wonder how you gauge "most compatible" trial and error and/or do research in the relevant "unsupported" topic on MR, lots of work / don't work feedback in there.

I wouldn’t think MR is the best place for it, but I gave up on Facebook a few months ago, so I’m in exile :-(. There was just far too much slop on FB, but I miss the LEM and Mac Pro groups (and Dull Men, of course). To answer your question, I don’t gauge, I’m purely a hobbyist who plays around with old Macs.

EDIT: My work Macs and my “hobby” Macs are very different machines. My work machines are not running either OCLP or any other flavour of OC. Paid work is done on currently supported AS Macs (I’d love a Mac Pro 7,1, and I would use it as a “work machine”, but I don’t have one).
 
A guide I stumbled across in search; for what it's worth, it seems very appropriate:

This guide is a collection of techniques for improving the security and privacy of Apple silicon Mac computers running a currently supported version of macOS. Using Macs with Intel CPUs leaves you open to security vulnerabilities on the hardware level that Apple can't patch. Apple silicon Macs are the minimum recommendation but as a general rule, newer chips are always more secure.

This guide is targeted to power users who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.

 
Following up a link from the guide that took me to Malwarebytes (which I normally install), the blog actually, and this article jumped out. Interestingly, it does not target Intel Macs (the irony) but targets the latest M2 Macs and higher!

It also limits itself to devices with newer ARM features introduced with M2 chips or later, skipping older Macs, Intel-based chips, and most virtual machines.


This topic does not discriminate against non-OCLP or OCLP'd Macs ;)
 
Also a general security enquiry but when you forgot your password etc. and you use the method:

CMD + R > terminal > "resetpassword"

How is this secure?

First time I used it (a life saver a decade ago) as somehow I totally forgot some or all of my password. I used this method to reset it and get back in, but if someone stole your MacBook, then they can use this to get right in, what am I missing?
 
I was reading through this thread. I only have my late 2015, 27" iMac as my daily computer. I've found that I can run OCLP and Sequoia with very few issues, as I did Monterey (last supported OS). I have considered going back to Monterey, as the host, and putting Sonoma in a VM as the ratio between the apps I use needing a newer version of macOS vs an older one is still greater for either preferring an older version, or not needing a newer version. The apps that have dropped support for Monterey are things I like to keep around (when needed) but don't use very often, and they aren't anything that wouldn't run in a VM, especially with Paravirtualization enabled. However, to be clear, after reading through different threads on this topic of security practices (including Apple's own community), many of the same concerns arise with using a supported macOS install, but older, and no longer receiving updates. The user is still responsible for safe use practices. I've even heard, and read some experienced users say, that using OCLP, or an older version of macOS, is better for promoting safe use practices, as it puts us (as users) on guard more vs a modern supported OS where we let our guard down, as we assume we're safe because it's current, and supported.

My takeaway here is, and what I'll offer here to the thread is, mainly two questions:
1. Do the apps, and other things you need to do, work on your planned setup?
2. Are you able to use the setup safely, and responsibly?

That's really what matters. Let's not overcomplicate things here. Some people just want a simple solution.
 
Let's not overcomplicate things here. Some people just want a simple solution.
Completely agree. Physical access aside, the only secure computer is an air gapped one. Connect to a network and the trade offs and complexity start. Enable firewall, either on computer and router. Use modern browser still receiving security updates. Install something like Malwarebytes. Go to shady sites or download shady files/applications, you’re off the reservation related to this thread.
 
@MacinMan I have started to look a lot more at my "security" awareness bubble, and this topic is part of me giving me a focus point and reason to sustain interest with a hope to improve the overall lot.

I have started researching other browsers and the browsers I use more from a security point of view and because I see a lot of comments by Mac users here that they no longer seem to rate Safari as their main browser.
 
@MacinMan I have started to look a lot more at my "security" awareness bubble, and this topic is part of me giving me a focus point and reason to sustain interest with a hope to improve the overall lot.

I have started researching other browsers and the browsers I use more from a security point of view and because I see a lot of comments by Mac users here that they no longer seem to rate Safari as their main browser.
In my case, when it comes to Safari, I just never liked it from the start as a main browser. I use it sometimes, but my view goes way back when Safari was new, and had lots of incompatibilities with sites. So, I started using Firefox, and then Chrome for cast support. From the very start, I think I've had a different approach to the end of life support of my iMac. That has mainly been to find as many open source / cross platform solutions as possible, so it wouldn't matter which OS / platform I chose to use, the apps would vastly be the same, so no extra learning curves, or lack of functionality between platforms. My main purpose for keeping "a" version of macOS around is for Apple-specific features such as text message forwarding, which for me being visually impaired is a lot easier than trying to type on a touch screen, or rely on voice dictation to be accurate. The physical keyboard is much better. Beyond that, I would much rather call it a day, and move to Linux for its flexibility, and its better capabilities of cross platform gaming than macOS.
 
Just my 10¢ worth ::

OCLP has allowed me to use as a daily driver a $200, 8 core 5,1 machine that was $21,000 when new and could run a whole newspaper.

If you bought a Ferrari and then the engine stopped running after 15 years, you'd be upset yes?

OCLP and the great people who work on it, have allowed legions of perfectly good Macs, to go on for a while.

I certainly can't afford the planned obsolescence that is integral in today's tech world.

Having said that, I've just ordered a new laptop (M4 Max) for the first time in 20 years.
 
Also a general security enquiry but when you forgot your password etc. and you use the method:

CMD + R > terminal > "resetpassword"

How is this secure?

First time I used it (a life saver a decade ago) as somehow I totally forgot some or all of my password. I used this method to reset it and get back in, but if someone stole your MacBook, then they can use this to get right in, what am I missing?
That's why disabled FileVault = unsecured computer.
 
That's why disabled FileVault = unsecured computer.
Thanks for that and for context clarity for my slow head, this will only work if the drive is non-FileVault, is what you are saying?

I happened to run this on a Mac that has no FileVault enabled, and when I think about it the last time I used it a long long time ago that Mac also did not have FileVault enabled.

So then I must ask (if your point was specific and not a general security point) - is it then true that FileVault is borked using OCLP even if you have it enabled and in theory or practice you could still run reset password cmd in terminal via recovery boot?

EDIT:
Ah found this, comments on FileVault and OCLP in https://forums.macrumors.com/threads/security-for-oclp-opencore-legacy-patcher.2406586/post-32873602
 
A lot of the rhetoric around updates and security drives me bonkers. You’d think your entire life will be ruined unless you install every update right away.

Think about this logically. When is the last time the PlayStation 3 got a software update? Is everyone who wants to play online Little Big Planet 2 levels going to have their bank account information stolen by an evil hacker? Obviously not—unless you’ve done something really unusual, there is no bank account information on your PS3 for a hacker to steal.

It’s true that if you don’t want to think too hard, staying fully up to date is an easy shortcut for being reasonably secure in most situations. But that’s not practical or desirable for everyone.

True zero-click RCE vulnerabilities—where merely connecting your computer to the internet is enough for an attacker to infect the machine—are extremely rare, especially if you’re using the computer behind a router. To my knowledge—and I have researched this reasonably extensively—there are not any known vulnerabilities like this on any version of macOS. In order for an attacker to hack you, they would have to be able to run malicious computer code on your machine.

So what opportunities are there for a ne'er-do-well to run malicious code? One way would be to install a malicious app. However, I only install apps from developers who I have concluded are good/trustworthy people. There is certainly a risk I will end up trusting the wrong person, but that’s true for most things in life.

It’s theoretically possible for an outdated, vulnerable app to open a document or media file which tricks it into running malicious code. This is a legitimate concern. However, these types of vulnerabilities are generally difficult to exploit. So unless you’re a high value target who someone will be willing to put considerable effort into attacking, you probably aren’t going to be hacked in this way. That said, you should briefly stop and think before opening a document you downloaded from the internet on an old OS. If you know the source, it’s probably fine. If it came from a Nigerian Prince, stay away.

However, when you browse the internet, your computer is constantly running JavaScript code from all over the place! You probably don’t think “do I trust the owner of this website” every time you open a link—I certainly don’t. IMO, this is a clear source of danger, and I do NOT recommend browsing the web with both an unsupported operating system and an unsupported web browser. If your web browser is up-to-date, the browser sandbox should keep code isolated. However, an outdated web browser may have documented vulnerabilities. So I’d say you should always use an up-to-date web browser if at all possible!

Security people will tell you it’s better to also have defense in depth—if there’s a vulnerability in your up-to-date web browser which no one knows about yet (a “0 day”), it’s better to have an up-to-date operating system as an additional layer of protection. They’re right, of course! But if you’re Joe Schmo and not working with military secrets, what are the chances a sophisticated hacker is going to waste a heretofore undiscovered vulnerability on you?

All of this is to say that, yes, of course using old operating systems is less secure. However, I truly believe that for most normal people, just using a password manager + unique randomly-generated passwords on every website will make you more secure than 99% of tech users, and any brain power you’re currently spending worrying about your operating system should be dedicated to switching to a password manager. Otherwise, keep your web browser up to date and think before installing an app, and to some very limited extent think before opening a file.
 