Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

basslik

macrumors 6502
Feb 22, 2008
448
97
I feel pretty good. I only use OCLP for running Pro Tools and nothing else.

Although I still have to do updates on software and plugins, but none have any financial info.
 

Subarctic5216

macrumors newbie
Mar 27, 2024
15
10
Excellent read this thread. Bottom line, if you value security and privacy you should be buying new hardware that is stilll in software support with Apple.

Once Apple stops supporting intel in the next year or two, this project will have nowhere else to go.

Excellent read this thread. Bottom line, if you value security and privacy you should be buying new hardware that is stilll in software support with Apple.

Once Apple stops supporting intel in the next year or two, this project will have nowhere else to go.
Great point. Excellent thread! Security is important a never ending battle.
My 2 OCLP Macs are desktops. A MacMini 2014 7,1 and iMac 27" Late 2015 17,1. Sonoma 14.4.1/OCLP 1.4.2.
They are always at home with my LAN and WIFI behind a firewall (Firewalla Gold+) and blocked from ingress WAN.
This being said what if any is my threat exposure with OCLP on a home network?
A big thanks to the OCLP Developers for keeping my trusty old macs out of the landfill. And thanks to all the knowledgeable people here on MR!
 
  • Like
Reactions: Wheel_D

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
@Subarctic5216 I'm not trying to be alarmist, but I want you to understand the worst-case scenario, so that you can act according to your own risk tolerance and security posture...

Apple has wisely implemented multiple layers of security in macOS. These layers include SIP, a sealed APFS Volume and SecureBoot. Even Apple knows that it is foolish to rely on a single security measure, because software and hardware inevitably have flaws that can be exploited.

In order for OCLP to work its magic, it must defeat/disable these security measures to permit unauthorized frameworks and kernel extensions to be injected into macOS (e.g., graphics extensions and Wi-Fi frameworks). With this compromised security, your Mac may be more vulnerable to exploits introduced by websites that you visit, software that you download and USB thumb drives that you insert - even if you are on your home network.

Only you know how careful you are to avoid these potential exploits and only you know what additional measures you take to ensure the security of your Mac. But no matter how careful you are to recognize the phishing e-mail that you receive, if you fall into a trap only once with inadequate security protections, you could inadvertently allow a hacker to exploit a security vulnerability. Use your judgment to determine how much personal / private information you store on an OCLP-patched MAC, what websites you visit with an OCLP-patched Mac and what secure / private credentials you employ on an OCLP-patched MAC -- regardless of whether the OCLP-patched Mac is on your home network or a public Wi-Fi hotspot.

You should also be aware that, depending on the nature of the exploit, a PC or Mac on a private network can be used as a gateway for hackers to other PCs or Macs on that private network. Again, not to be alarmist, but to make sure you understand the worst-case scenario.

Since OCLP-patched Macs are not subject to any third-party security certifications (which are resource intensive and expensive), there is no way to know the extent to which an OCLP-patched Mac is vulnerable to hacker exploits. "It works, therefore it must be ok" is not a wise security assessment.
 
  • Like
Reactions: Wheel_D

Subarctic5216

macrumors newbie
Mar 27, 2024
15
10
@Subarctic5216 I'm not trying to be alarmist, but I want you to understand the worst-case scenario, so that you can act according to your own risk tolerance and security posture...

Apple has wisely implemented multiple layers of security in macOS. These layers include SIP, a sealed APFS Volume and SecureBoot. Even Apple knows that it is foolish to rely on a single security measure, because software and hardware inevitably have flaws that can be exploited.

In order for OCLP to work its magic, it must defeat/disable these security measures to permit unauthorized frameworks and kernel extensions to be injected into macOS (e.g., graphics extensions and Wi-Fi frameworks). With this compromised security, your Mac may be more vulnerable to exploits introduced by websites that you visit, software that you download and USB thumb drives that you insert - even if you are on your home network.

Only you know how careful you are to avoid these potential exploits and only you know what additional measures you take to ensure the security of your Mac. But no matter how careful you are to recognize the phishing e-mail that you receive, if you fall into a trap only once with inadequate security protections, you could inadvertently allow a hacker to exploit a security vulnerability. Use your judgment to determine how much personal / private information you store on an OCLP-patched MAC, what websites you visit with an OCLP-patched Mac and what secure / private credentials you employ on an OCLP-patched MAC -- regardless of whether the OCLP-patched Mac is on your home network or a public Wi-Fi hotspot.

You should also be aware that, depending on the nature of the exploit, a PC or Mac on a private network can be used as a gateway for hackers to other PCs or Macs on that private network. Again, not to be alarmist, but to make sure you understand the worst-case scenario.

Since OCLP-patched Macs are not subject to any third-party security certifications (which are resource intensive and expensive), there is no way to know the extent to which an OCLP-patched Mac is vulnerable to hacker exploits. "It works, therefore it must be ok" is not a wise security assessment.
Very insightful info.
These security issues you mentioned are another reason to be proactive and cautious everywhere all the time. I am.
Thanks for the clarifications about my particular configuration and not just WiFi.
Hopefully I can move up to Apple Silicon some day. The end of Intel support is not far off.
~Cheers
 

dumastudetto

macrumors 603
Aug 28, 2013
5,501
8,229
Los Angeles, USA
@Subarctic5216 I'm not trying to be alarmist, but I want you to understand the worst-case scenario, so that you can act according to your own risk tolerance and security posture...

You should also be aware that, depending on the nature of the exploit, a PC or Mac on a private network can be used as a gateway for hackers to other PCs or Macs on that private network. Again, not to be alarmist, but to make sure you understand the worst-case scenario.

Since OCLP-patched Macs are not subject to any third-party security certifications (which are resource intensive and expensive), there is no way to know the extent to which an OCLP-patched Mac is vulnerable to hacker exploits. "It works, therefore it must be ok" is not a wise security assessment.

It’s not alarmist at all. Many of the worst hacks ever start from the exploitation of a single weakness from one client or server. That gets them onto your network to start exploiting other vulnerabilities across all other devices connected to your network.

The information you are putting up here is critically impotyttgj
 

shafez

macrumors 6502
Jul 3, 2011
278
169
United States
I have been reading through this thread and other threads over the internet and all I can find is warnings, The attacker could and could and could and no evedance that an attack has happened due to disabling SIP, I may be wrong but it seems that disabling SIP is not a big deal and not as dangerous as we are made to think.
 
  • Like
Reactions: turbineseaplane

Wheel_D

macrumors regular
Jan 13, 2016
137
36
One could keep one's door unlocked, too. Is it a safe practice simply because the person never reported a home invasion?
 
  • Like
Reactions: shafez

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
I have been reading through this thread and other threads over the internet and all I can find is warnings, The attacker could and could and could and no evedance that an attack has happened due to disabling SIP, I may be wrong but it seems that disabling SIP is not a big deal and not as dangerous as we are made to think.
If you don't care, then this thread isn't for you. The point of this thread is that OCLP documentation and in-app messaging does not even have any warnings. Prior to this thread, the documentation said "you're just as safe as with a fully-supported Mac." The documentation was revised as a result of a request in this thread. This thread isn't telling anyone not to use OCLP - it's just making sure that users understand what macOS security features are disabled/defeated by OCLP in order to enable unsupported versions of macOS.

Following your logic, there is no reason that Apple implemented SIP, sealed APFS volumes and Secure Boot. Also, to cherry-pick SIP and ignore the other disabled/defeated Apple security measures is a bit naive.

Read this.
 
Last edited:

JonaM

macrumors regular
Sep 26, 2017
188
198
I have been reading through this thread and other threads over the internet and all I can find is warnings, The attacker could and could and could and no evidence that an attack has happened due to disabling SIP, I may be wrong but it seems that disabling SIP is not a big deal and not as dangerous as we are made to think.
As with all subjects it's all about your risk and your subjective evaluation of risk, which makes it very challenging to decide as people generally like a nice and clear 'yes or no' answer.

It's unlikely that using OCLP and the disabling of the additional security measures to allow that will on its own lead to the compromise of your Mac. Given the niche usage of OCLP it's also unlikely that someone would go to the effort of building an exploit that assumes it's present*
Would I use OCLP to extend the lifespan of a Mac that is no longer receiving Apple security updates to allow it to get patches via installing a support OS? Yes - I would evaluate that having the applications patched is less risk than having SIP disabled.
Would I do it if I was in a job that someone might be targeting me for? No - I would want a full secure stack ( and cost of hardware replacement to achieve that).

*This may well change if AI-driven tools that allow the building of easy exploit chains become viable and used - security through obscurity was aways unwise, but it may well become untenable if exploits become more automated and personalised [/opinion piece]
 

shafez

macrumors 6502
Jul 3, 2011
278
169
United States
If you don't care, then this thread isn't for you. The point of this thread is that OCLP documentation and in-app messaging does not even have any warnings. Prior to this thread, the documentation said "you're just as safe as with a fully-supported Mac." The documentation was revised as a result of a request in this thread. This thread isn't telling anyone not to use OCLP - it's just making sure that users understand what macOS security features are disabled/defeated by OCLP in order to enable unsupported versions of macOS.

Following your logic, there is no reason that Apple implemented SIP, sealed APFS volumes and Secure Boot. Also, to cherry-pick SIP and ignore the other disabled/defeated Apple security measures is a bit naive.

Read this.
I think you need to cool the pace and be less aggressive defending you thoughts, also try to refer to other resources than your posts to make them trust worthy.
No offense, best regards.

One could keep one's door unlocked, too. Is it a safe practice simply because the person never reported a home invasion?
Good point and well noted, thank you.
 
Last edited:
  • Like
Reactions: JonaM

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
...try to refer to other resources than your posts to make them trust worthy.
No offense, best regards.
No offense taken. If I were stating opinions, then I would need other sources. Let me know which of the facts that I've stated are incorrect.

I think you need to cool the pace and be less aggressive defending you thoughts
This thread is 5 months old. The points stated in the thread haven't changed. Please forgive me for the aggressive pace. I tend to get frustrated when users who haven't read the entire thread state their unfounded, unsubstantiated opinions to offer rebuttal to the facts stated here.
 
Last edited:

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
It's unlikely that using OCLP and the disabling of the additional security measures to allow that will on its own lead to the compromise of your Mac.
Based on what? While you "qualify" this statement later in your post with "Would I do it if I was in a job that someone might be targeting me for? No," it is not possible to make a blanket statement about the likelihood of a compromise without knowing the use case. ... and even then, it is not possible without extensive penetration/vulnerability testing.

Would I do it if I was in a job that someone might be targeting me for? No - I would want a full secure stack ( and cost of hardware replacement to achieve that).
Exactly. The information presented here is only to inform and allow OCLP users to make informed decisions based on their risk tolerance and use cases.

I am an OCLP donator and user. I think what the OCLP devs have achieved is incredible. I remain disappointed that OCLP documentation neglects to disclose the Apple security measures that are disabled/defeated by OCLP. This thread is one of the only sources that discloses OCLP security issues for the interested user.
 
Last edited:

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
Disabling SIP is not dangerous.
Using OCLP is dangerous.
While tempting to make black and white statements about security, making blanket statements like this does not help and is probably what agitates the OCLP fans who feel compelled to defend OCLP and the Devs. In matters of security (especially where there are not tests/certifications by accredited entities), it is best to state the potential vulnerability and then for users to make informed decisions based on their risk tolerance and their use cases. OCLP has its place and can extend the useful life of Macs for many users whose use cases are not compromised by a combination of all or some of disabled SIP, disabled Secure Boot, broken APFS seal and injection of a modified Wi-Fi framework that is no longer updated by Apple.
 

houser

macrumors 6502
Oct 29, 2006
375
491
Can we discuss OCLP in the age of "AI" (scare quotes as it is not really AI yet but mostly a plagiarism machine and copyright circumventor) might gradually produce new issues and further complicate a security strategy for end users.
 
Last edited:

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
Can we discuss OCLP in the age of "AI" (scare quotes as it is not really AI yet but mostly a plagiarism machine and copyright circumventor) might gradually produce new issues and further complicate a security strategy for end users.
If you are implying that most of macOS AI features are exclusive to Apple-Silicon Macs, then I agree that OCLP-enabled Intel Macs are unlikely to have these new AI features. If you are realizing that AI makes even the most basic hacker a threat to vulnerable Macs and PCs ...
 

houser

macrumors 6502
Oct 29, 2006
375
491
If you are implying that most of macOS AI features are exclusive to Apple-Silicon Macs, then I agree that OCLP-enabled Intel Macs are unlikely to have these new AI features. If you are realizing that AI makes even the most basic hacker a threat to vulnerable Macs and PCs ...
Both I suppose. According to the Apple blurbs Apples take on AI will definitely require M1 or better and the iPhone remote features will require a T2. So there's that, but we will find out as we go what new vulnerabilities can emerge from all this. I would appreciate any comment on how AI could potentially be harnessed by low level hackers as I assume we are already there to some extent. It is way beyond my skillset to say anything about this, other than any exploit that could access the onboard AI in some way would probably be pretty bad.
 

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
@houser I did not see this article when I wrote this. In the article, Dr. H. Oakley (yes, the same Dr. H. Oakley) says

'And if any software vendor suggests that you should run your Mac with SIP disabled so that their software works, don’t trust them in the slightest. Look for an alternative product. Would you trust a mechanic who fixed a problem with your car by disabling the airbags and removing the seatbelts?'

In order for OCLP to work, multiple macOS security measures must be fully or partially disabled (SIP is only one of the security measures disabled by OCLP). Maybe you could ask ChatGPT what macOS vulnerabilities are exposed by simultaneously disabling SIP, disabling Secure Boot, breaking the APFS seal and injecting an outdated Wi-Fi framework.

EDIT: The comments posted after Dr. Oakley's article are entertaining. While a bit extreme, this is Dr. Oakley's opinion:
'Frankly, anyone who turns SIP off and leaves it off (except for very specific and exceptional purposes, and I still can’t think of any for a user) is a fool and deserves everything that comes to them. It is one of macOS’s primary protections, not only against malware but against all sort of other issues which arise when system files get altered or corrupted.'
 
Last edited:
  • Like
Reactions: Wheel_D and houser

dimme

macrumors 68040
Feb 14, 2007
3,215
31,131
SF, CA
I run OCLP on a 2012 Mac mini for experimenting and learning.I have WIFI turned off and after I installed OCLP I reenabled SIP. Everything seems to work for now.
 
  • Like
Reactions: alvindarkness

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
... after I installed OCLP I reenabled SIP. Everything seems to work for now.
It all depends on what patches your Mac needs to run your desired version of macOS. For example, if your Mac doesn't need graphics and Wi-Fi patches for a particular version of macOS (so essentially, you only need the Open Core boot loader), then you may very well be able to run with SIP fully enabled in your OC config.plist.
 
  • Like
Reactions: dimme

Sven G

macrumors 6502
Original poster
Jun 3, 2012
410
852
Milan, EU
Up to Monterey, it was possible to run a Metal-capable root patched system with SIP enabled (manually set at 0x800: thus, with only the SSV disabled): but this changed with Ventura, and now SIP must be set at 0x803, in order for the system to work; and this probably won’t change.
 

bogdanw

macrumors 603
Mar 10, 2009
6,026
2,947
this is Dr. Oakley's opinion:
'Frankly, anyone who turns SIP off and leaves it off (except for very specific and exceptional purposes, and I still can’t think of any for a user) is a fool and deserves everything that comes to them. It is one of macOS’s primary protections, not only against malware but against all sort of other issues which arise when system files get altered or corrupted.'
From his writing style, Howard Oakley appears to be senile. Fools are those who trust his closed source apps, like SilentKnight, to manage their Macs security. Also fools are those who trust OCLP to set SIP to undocumented/depreciated values.
 
  • Wow
Reactions: deeveedee

deeveedee

macrumors 65816
May 2, 2019
1,421
2,037
Peoria, IL United States
From his writing style, Howard Oakley appears to be senile.
I think that says everything we need to know about your writing style.

Your fact-based comments and observations are welcome here. When you make personal attacks, you do more to shed light on your own character than on that of the person you are attacking.
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.