by classichasclass 2763 days ago
TenFourFox dev here. I certainly agree that security through obscurity (especially on less common architectures) is underestimated in terms of the protection it offers, though it should never be the only security means, of course. However, I think the biggest practical risk to unusual arches is through cross-platform-capable code. If you'll pardon a minor shameless plug, for the security advice I give Power Mac owners using TenFourFox, see

https://tenfourfox.blogspot.com/2017/11/the-security-blanket...

As you'll see from the article, aside from the OS X-specific exploits on Power Macs, components capable of running platform-independent code such as Java, Flash and Office macros are probably where the biggest risk is. And, of course, web browsers. Unfortunately these are some of the most common types of applications for people to run and very few are maintained on Power Macs anymore.

The good news with Talos and other P9 systems is that they're now running supported and maintained software and most of the applications people want to use "just work," so that problem goes away.

1 comments

Thanks for chiming in! Great work on TenFourFox, too! I was stunned one person or a small team could even do that given how large Firefox is. I know you probably focus on a subset of it but still.

"components capable of running platform-independent code such as Java, Flash and Office macros are probably where the biggest risk is."

I'll add the risk of those components mostly has to do with their complexity, use of unsafe language, and security not being a concern in design. It's true there's gonna be exploits, esp on legacy systems. The crowd I was talking about was mainly concerned with malware forcing reinstalls, etc. That attackers mostly target high-ROI platforms meant they didn't have that problem any more. Although I suggested Ubuntu, they're Mac people with Mac apps they want to keep.

"The good news with Talos and other P9 systems is that they're now running supported and maintained software and most of the applications people want to use "just work," so that problem goes away."

Exactly. On top of it, many techniques for mitigating vulnerabilities have a performance cost. Esp overflow checking and microkernels. The extra speed of POWER9s might turn that from unbearable to acceptable. For me, I'm fine with being stuck at Core Duo 2 performance for most tasks cuz my now-deadish, 9-yr-old laptop was working fine. If I get same performance but more security/control, that's a net gain. If it's faster, too, then that's even better. Similar argument might apply to those of you that port risky PPC software to it.

Thanks! Most of the work these days is maintaining the 32-bit PPC JIT and keeping up with security patches from the ESRs. Unfortunately I can only shove so many new features into old wineskins. :/

But what I learned from Classilla I used to port TenFourFox, and what I learned from TenFourFox I'm using to write a POWER9 JIT for Firefox and keep the build working. So it's all incremental.