Thursday, December 18, 2014

OS X PowerPC Security Holes Katy Perry Kate Upton Chili Hot Dogs!!!

Given that Leopard and below are no longer supported by Apple, it's reasonable to expect security holes to pop up every now and then, and though Apple will never officially patch them, us PowerPC users can at least come up with the necessary workarounds. The only problem is, news of these vulnerabilities is a bit scattered, so I wanted to put up one post that's a compilation of all the security holes you should be aware of when running OS X on the PowerPC platform--hence the clickbait title, I want everyone to see this (sorry Katy Kate fans). This post will also be linked on the right and updated as more security exploits are discovered.

Here's the big list, and honestly, this is mostly about linking to posts on Cameron Kaiser's TenFourFox Development blog since he wrote the bash replacement below and knows just as much as anybody:

1) Yes, the bash that comes with your PowerPC Mac is compromised. Cameron Kaiser was nice enough to build a new version that fixes the security flaw so us PowerPC users can rest easy (also works for Snow Leopard).

2) SSLv3 is no longer safe. The solution here is to update TenFourFox and Tenfourbird to their latest versions which disable SSLv3. Webkit browsers that depend on the system SSL libraries remain vulnerable.

3) Certain versions of OpenSSL have a hole. Older OpenSSL-based libraries bundled with Tiger and Leopard are not vulnerable to this specific bug, but if you have versions 1.0.1 to 1.0.1f installed on your system through Macports or Homebrew/Tigerbrew, you'll want to update to the latest version.

4) That handy tool sudo, giving you root access from the command line, is vulnerable to an exploit. Check this post for the solution and also look down to the comments on how to use nano in case vi is a mystery to you.

5) Flash is not safe.

6) Java is not safe. I've seen links about installing Open JDK 7 on Leopard, but I don't know how feasible it is. You could also put Debian on a separate partition and run the latest Java from there.

7) Finally, your Firewire ports are vulnerable to physical attack. You can check out Adam Albrec's Security Mode scripts to secure your laptops from this and other vulnerabilities.

As said, this post will be continually updated with developing news. Hopefully the list won't get too long. ;-)

UPDATE:

8) And I've been informed of yet another one. The Diginotar SSL certificate is compromised. This was back in 2011 and was the first time Apple released a security update that didn't include PowerPC, so maybe that's why I blocked it out. Follow the step-by-step instructions at $ ps | Enable (their mpkg automator didn't seem to change things for me) to clear your system. This only affects you if you use Safari or another browser that accesses your system's SSL certificates. It does not affect TenFourFox.
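
One way to check item 3 on your own machine, as an added example that is not part of the original post: the script asks each copy of openssl it finds for its version and flags anything from 1.0.1 through 1.0.1f. The search prefixes (/opt/local for MacPorts, /usr/local for Homebrew/Tigerbrew) are assumed defaults, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag OpenSSL builds in the
# range item 3 names, 1.0.1 through 1.0.1f.

# classify_openssl "<one line of 'openssl version' output>"
# Prints: affected | not-affected | unknown
classify_openssl() {
    # "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"; anything not OpenSSL -> ""
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%-fips}                     # some vendor builds append "-fips"
    case "$ver" in
        "")                    echo unknown ;;
        1.0.1|1.0.1[a-f])      echo affected ;;      # the range in item 3
        *-*)                   echo unknown ;;       # betas, dev snapshots
        [0-9]*.[0-9]*.[0-9]*)  echo not-affected ;;  # outside that range
        *)                     echo unknown ;;
    esac
}

# scan_openssl: classify every distinct openssl binary on PATH and in the
# usual prefixes. Assumed defaults: /usr/bin (system copy), /opt/local/bin
# (MacPorts), /usr/local/bin (Homebrew/Tigerbrew).
scan_openssl() {
    seen=""
    old_ifs=$IFS
    IFS=:                                # split PATH on colons
    for dir in $PATH /usr/bin /opt/local/bin /usr/local/bin; do
        IFS=$old_ifs
        bin="$dir/openssl"
        [ -x "$bin" ] || continue
        case ":$seen:" in *":$bin:"*) continue ;; esac   # already reported
        seen="$seen:$bin"
        out=$("$bin" version 2>/dev/null) || out=""
        printf '%-14s %s (%s)\n' "$(classify_openssl "$out")" "$bin" \
            "${out:-no version output}"
    done
    IFS=$old_ifs
}

scan_openssl
```

A "not-affected" line only means that copy's version string falls outside the range in item 3; it tells you nothing about the other items on the list.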

Monday, December 8, 2014

Lock Down Your Mac With Security Mode

You may recognize Adam Albrec as the author of PPC Media Center, a suite of Applescripts that serves as a GUI wrapper for youtube-dl, and as a past guest poster here. Well, he's back, this time with another package of Applescripts called Security Mode (download at bottom of post). If you've ever wondered what it would take to completely lock down your PowerPC laptop in the modern jungle out there, this is what you've been waiting for.

Along with the Applescripts comes a very extensive Read Me file that has a lot of general tips as well as how to use/edit the scripts. In all honesty, I'd never heard of the Firewire vulnerability before perusing the Read Me, and I'm supposed to be on top of this stuff.

So what do the scripts do? As Adam writes:

The primary app is a simple toggle that will change your laptop to a 'Secure Mode' which implements the following security features:

- A password is now required to unlock the screen on waking the system from sleep (like after having the lid closed), or once the screensaver has become active.

- The unit will have the screensaver activate after 10 minutes.

- The display will sleep after 20 minutes of inactivity.

- The system will sleep after 30 minutes of inactivity.

- Firewire will be disabled - thus eliminating the threat of a DMA (Direct Memory Access) attack.

...

When toggled again, all the security features listed above go back to normal 'Home Mode':

- No password is required to wake the system or deactivate the screensaver.

- Both display and system sleep are set to 'Never'.

- Firewire will work normally.

As a convenient means of identifying the system's current security status, the Dock position will change in 'Secure Mode' to the left of the screen, and back to the bottom in 'Home Mode'.

The secondary helper app SM Fw-Disabler, when set as a login item, will make sure that whatever mode the system is in when it is shut down, will continue when restarted until the user chooses to change it.

Both scripts store your user name and password in plain text, so you need to keep the scripts on an encrypted volume. FileVault instructions are included in the Read Me for this purpose. Also...

As stated in the script comments, all the settings in the script including the sleep/screensaver times and Dock position changes can be set if the above are not to the user's liking. Those who are great at Applescript will have no trouble at this, but for those who might like some tips, just leave a comment here on the blog and I'll reply ASAP.

Finally, the Read Me concludes with some not-commonly-known tips on PCMCIA expansion bays, Open Firmware passwords, and TrueCrypt. All in all, this is great stuff, so download the scripts and the Read Me at the Mediafire link below:

Security Mode.dmg.zip

(ADDED: This can also be useful for Snow Leopard. It'll take some tinkering with the Applescript, but leave a comment and Adam will be glad to help.)

Friday, November 21, 2014

An Offline Password Manager

I'm not a huge fan of the cloud. It's not just for tinfoil hat's sake. I've seen just enough server repositories and companies fail that I hesitate to truly trust them with my data security. I'd rather just back up my own stuff and do all my syncing over my home network. The one exception I've made is with Firefox Sync, where I can sync all my bookmarks, history, and passwords across the various TenFourfoxes and Iceweasels I have. But I've been thinking lately about those passwords and the ways Firefox sells password security short.

It's not just that it's in the cloud (though encrypted). Firefox keeps passwords in plain text on your hard drive unless you secure them with a master password, and if you pick a good password it starts to be inconvenient to enter it every time you start the browser. And if you're going to put up with a little inconvenience, why not just use an offline password manager?

Offline password managers have the inconvenience of a couple more clicks but have the advantage of making you completely responsible for your own passwords. They're stored on an encrypted file on your hard drive and no one else has access. You never have to worry about how LastPass or Firefox Sync are storing your passwords or which institutional entities have the keys to the kingdom.

I'm not completely willing to give up the convenience of Firefox Sync. For the vast majority of my passwords, I don't hugely care about security. They're mostly forum passwords and sites I don't even remember registering with. But for sensitive passwords for banking, Paypal, or anything financial-related, I want to keep those out of Firefox Sync and encrypted on my hard drive. And it just so happens there's a password manager for this that's cross platform and still runs on Tiger PowerPC: it's called KeePassX.

Setup is pretty self-explanatory. You just start a new database and enter your passwords. One cool feature is it rates the quality of your existing password and also features a password generator with many parameters like password length and whether it's pronounceable. From then on, you just copy your password to the clipboard with a click and then paste it into your web page's password entry (Firefox usually auto-enters the username).

Some of you (okay, nearly all of you) might be bothered by the OS X icon. One generous soul, however, contributed their own, much better, icon in this KeePassX forum post. I couldn't get their .icns file to work, but I saved the .png image displayed in the post, used FastIcns to convert it to my own .icns and installed it in the app package (by right-clicking and choosing "Show Package Contents" and then finding and replacing the original .icns image).

Another forum post features an unofficial version of KeePassX with global auto-type: Global Autotype for OS X: at last! This allows you to hit a key combo without having to switch to KeePassX to copy a password. It's a universal binary, but it doesn't launch on Tiger, so I guess it requires Leopard.

One caveat when using KeePassX on Linux: KeePassX erases your password from the clipboard after several seconds, but some clipboard managers (I'm looking at you, Parcellite and Glipper) don't respect this and still keep your super secret password displayed in their menu. Something to be aware of.

Some people report good results syncing their KeePassX database file on Dropbox, but that kind of defeats the purpose of keeping your passwords offline, so it's not for me.

One fun thing about this is going into Firefox's password manager to delete your sensitive passwords and seeing all the crap you registered for in the past. I'm apparently signed up on cracked.com. I have beautiful taste.

Thursday, October 30, 2014

Lude Smuggler Will Not Be Suppressed

So I was perusing through Macintosh Garden in the arcade section, taking a trip down memory lane, when I noticed something not quite right. They had MacLanding and Missile Command and even its awesome clone, Ground Zero™, but still, something was missing. Lude Smuggler!

Lude Smuggler, for the uninitiated, was a re-skin of Lode Runner, which for a time was the addictive game du jour before Tetris and Cranky Birds or whatever. The object of Lode Runner was to dodge a bunch of enemies while collecting bags of gold and escaping to the next level. Lude Smuggler was the same, but instead of bags of gold, they're supposed to be bags of ludes.

So after failing to find Lude Smuggler on Macintosh Garden, I went googling to find some confirmation of its existence and couldn't find anything. I googled Lude Smuggler with quotes and got this:

Lude Smuggler search result

Can this be? Can there be literally no record of Lude Smuggler on the entire World Wide Web? No, no, no, no, no. This cannot stand. I know the drug war is taken to ridiculous extremes, but this is going too far. I knew I had Lude Smuggler on some hard drive somewhere, or at least on a floppy, so I became determined to retrieve it and upload it to the hallowed halls of the 'Garden.

So I got out my Power Mac 7100, which was my only Mac with a still-working high-density floppy drive, and hooked up my LCD monitor (with like a thousand adapters) and fired it up. Still works! And it turns out I did have Lude Smuggler on a floppy. Great! Now I just need to network it to my PowerBook and I can upload it from there.

(Author's note: Okay, I wrote about 800 words here about everything I had to do to get it to my Powerbook, but I'm cutting it because, frankly, it makes me sound crazy. Tl;dr version: it was a bitch.)

So finally Lude Smuggler is re-introduced to the masses. You can download it at its hopefully permanent home at Macintosh Garden and be smuggling ludes like a pro in no time. Here's the icon which my young impressionable mind would forever associate with "greasy":

Lude Smuggler icon

And here's a screenshot:

Lude Smuggler screenshot

My wasted youth.

Thursday, October 16, 2014

A New Notebook for PowerPC?

Roberto Innocenti emails me that he's started a project to deliver a new PowerPC notebook in the DIY tradition of the Novena Project and the pi-top, only significantly more powerful. Apparently he intends to team up with an Italian motherboard producer and will present his project plans at Linux Day 2014 in Milan. According to Mobile Linux News, the laptop will feature upgradeable components such as the video card, RAM, and SSD/HDD. It will also be 64-bit with AltiVec and multi-threaded capabilities, and will fully support GNU/Linux as well as OS X virtualization.

You can follow along with the project's news at PowerPC-Notebook.org. Needless to say, if this became a reality you could knock me over with a feather, but stranger things have happened. Like Apple switching to Intel. ;)

Saturday, October 11, 2014

Mac OS 9 is a Lightning Rod

Apparently debating the merits of Mac OS 9 is very 2014. Via TenFourFox Development, all the hubbub was kicked off by an Ars Technica article* about living with OS 9.2.2 for a few days, which was followed with a rebuttal from Riccardo Mori at his blog. Some previous points of view on the subject are from The Vintage Mac Museum and LowEndMac, but I wanted to use this as an excuse to point to a Mac OS 9 Lives Forum thread which reveals how to boot OS 9 on MDD FW800 Power Macs.

First sold in 2003, the FW800 models were the first Power Macs, and only G4 Power Macs, to not boot OS 9. This remained the case till over a decade later when this Mac OS 9 Lives thread, "Downgrade firmware of FW800 for OS9 comp", appeared. The whole thread is incredibly long (these were a dedicated, persistent bunch), but I'll just point to this post which has the actual solution. Basically it involves flashing the firmware with an older version that supports booting into OS 9. This works for the FW800s because the earlier firmware is for a very similar MDD model.

Efforts are also underway to duplicate this approach with other Macs, and the thread, "Mac Os 9 boot on unsupported iMac G4", reports limited success. Perhaps this won't work so well on other models because the only available firmware downgrades are too old and for too dissimilar hardware. It sure would be nice seeing an aluminum PowerBook booting OS 9, though.

As far as I read, the only limitations on the MDD are the disabling of the Firewire 400 ports in OS 9 and the Firewire 800 port running only at 400 speed, also only in OS 9. In OS X everything works fine. But for that, you get an OS 9 booting machine for your FW800, and now you too can join the online Mac OS 9 wars! Small price to pay for having access to all that great audio, productivity, and gaming software from the '90s-'00s.

*WARNING: That Ars Technica article is like weaponized banality.

Monday, September 29, 2014

8.6 Software Install Disc for Sawtooth AGP?

(UPDATE: Disc image found!)

Chris Nova from Mac OS 9 Lives has put out a call for a certain Software Install & Restore disc. This one's very rare, an 8.6 one specific to the Sawtooth AGP (not Yikes). Apparently they were bundled with Sawtooths only for a couple of months back in 1999, and not one has made its way onto Macintosh Garden or any other Mac archive site.

Here's a Mac OS 9 Lives forum link to the thread where Chris lays out the full details. If you can report a sighting of one of these rare birds, click on over and drop Chris a line. :)

Monday, September 22, 2014

FreeCol For PowerPC Macs

If any of you were downcast that the strategy game FreeCol required Java 1.6 and wouldn't run on PowerPC Macs, today's your lucky day. Thanks to the compiling talents of reader Javier A., we now have a new version of FreeCol that runs on Java 1.5. He uploaded it to his Dropbox folder (direct link), and it's only a 30 MB download.

Here's a blurb from the FreeCol website:

"FreeCol is a turn-based strategy game based on the old game Colonization, and similar to Civilization. The objective of the game is to create an independent nation.

"You start with only a few colonists defying the stormy seas in their search for new land. Will you guide them on the Colonization of a New World?"

So it's a little like FreeCiv. FreeCol somehow escaped my attention, but I tried it out a little bit and it looks great. In addition to single player, you can also join multiplayer games over the internet. I'm not sure about the security implications of that, since Java 1.5 is outdated. From what I understand, only the web browser plug-in was vulnerable, but maybe someone can weigh in with a comment. I only do single player, anyway. It's humiliating enough when the A.I. kicks my ass ;)

Sunday, September 7, 2014

Gawker Writer Slave To Consumerism, Hates Self

One of Gawker's latest slew of nondescript hires, Leah Finnegan, wrote an odd polemic taking Chloe Sevigny to task for using a "15-year-old Macbook." Her point being, well, at the end of her word salad I'm not sure what her point is. Something about Chloe being pretentious for using a fashionably unfashionable fashion. As usual, what's left unsaid is more interesting, that Finnegan can't stand to see someone opt out of the upgrade merry-go-round and so that person must be attacked.

The worst part of it, though, was Finnegan quoting Gizmodo's Editor-in-Chief Brian Barrett on whether it was possible a human could have such an ancient machine in today's world. Now, Finnegan doesn't have to know anything. She writes for Gawker. But Barrett's supposed to be an expert. This is his area. So what does he say?

"Honestly that thing is several factors shittier than a shitty phone," he typed in a Slack message. "I would say if she does have a 14-year-old MacBook I hope she does not need to use it very often."

Barrett continued: "Assuming she has a 2000 PowerBook, she has half the disk space you'd need to run Chrome and probably half the RAM, but I don't think she even has the hardware you'd need. Basically Chrome alone would destroy her computer."

For the record, Chrome never existed on PowerPC. And for the record, a 2000 Powerbook can run TenFourFox 31 (equivalent of Firefox 31) and, if RAM is limited, have even better luck with Iceweasel and Linux. As to Barrett's point that the Powerbook is worse than a "shitty phone" by several factors, I don't see too many people using three-year-old phones much less 15-year-old phones like people still use their Pismos.

So go to Brian Barrett for all of Apple's latest press releases, but don't expect him to know what he's talking about.