by gtvwill 597 days ago
I factory reset a 2012 MacBook Pro that was needed for a client to use to check emails and use the web browser. Device was instantly blocked by Apple from accessing most websites because the factory version of the OS was deemed insecure by Apple. This included blocking the updater from being able to update the device via the web to a safe version of the OS that was available. What was supposed to be a 1 hour service became about 4 hours of me reading online trying to work out wtf was going on. Then I had to spend time navigating my way around the nightmare of distro hopping it up OS updates manually til it got to the most recent "safe" supported OS version.

Device works completely fine and lives behind a well secured network (battery was stuffed but it lives plugged in). Apple took it upon themselves to dictate to the user that it was no longer fit for operation. Apple's solution was "replace the device and send the old one to landfill."

Apple literally greenwash their entire business model. But they are one of the most wasteful companies around.

Meanwhile I'm still reformatting 8, 12 and 15 year old Windows PCs with Linux and putting them back into service for email checking and basic web browsing without a single hiccup. Saving more and more from landfill, they get used once in a blue moon but it's literally all the owners want. They don't mind waiting a bit for stuff to turn on, hell plenty of them are over 60, they've spent their life being patient and a few mins to make a cuppa while something turns on is a blessing to them.

2 comments

> Device was instantly blocked by Apple from accessing most websites because the factory version of the OS was deemed insecure by Apple.

Is that your way of saying "it doesn't support any modern SSL ciphers?" I don't think there is anything built into the OS that asks Apple if it's allowed to visit websites.

Well given it was both the update app and the web browser, not just the web browser. It's definitely built in. Unless their app updater/software updater is just Safari with an overlay.

The updater and Safari would use the same TLS/SSL library (which would only support older, no longer secure TLS ciphers and would have the same root certificates, some of which would be expired). If you put a recent version of Firefox or Chrome on (via a USB drive), they bundle their own TLS libraries and certificates so those would work.

(But in the same way the OS ones weren't working, you wouldn't be able to use a 12 year old version of Firefox or Chrome to access most websites either for the same reasons).

Either way the inbuilt update system had zero way of updating itself or the OS to something that worked and it resulted in a painful few hours of stepping the system up through various OS versions downloaded on other devices until it got to the end of the downloadable versions, and from there on it was the inbuilt app for updates only. No downloadable OS. Which would indicate, since you can no longer download the latest OS ISOs, eventually they will block the last available ISO from working on their app store and the devices will be bricks.

This is shite design. Let's not kid ourselves here. This is one of the wealthiest companies on earth and they control their entire hardware and software stack from the ground up. If they can't keep stuff sorted so when an old system plugs in it at least limp mode upgrades it to the latest offering that system was supported with, this isn't because it's something that's impossible, it's because they don't want to.

If community non-profit managed Linux distros can get installed on 15 year old machines and just, you know, sort out the drivers for the ancient-ass tech in them without the user doing any more than running the update manager, then hell, Apple couldn't have worked out the same?

It's a load of crap sold under the guise of security. Some nefarious actor wants to dl updates from their servers for ancient tech? Why in the world should they not be able to? Their update servers shouldn't have any services attached other than being a glorified dl directory. It shouldn't even be something they care about because there is zero risk attached.

> This is shite design . . . [Stuff] sorted so when an old system plugs in it at least limp mode upgrades

It’s an economic- and risk-based calculation based on security.

You’re trying to get a TWELVE-YEAR OLD system online. Let’s see, since 2012, TLS 1.0 and TLS 1.1 have been officially deprecated (in 2021). In 2024, companies serving TLS 1.1 do not pass certain modern compliance standards. Mountain Lion from 2012 doesn’t support TLS 1.2. Are you arguing that they should leave around a TLS 1.1-based endpoint up, with ciphers that are no longer recommended? And how many CAs can still issue a valid cert trusted by a 12-year-old system?

> [there is zero risk attached]

Community-based Linux distros also offer HTTP (insecure) mirrors. There is also zero risk attached to the mirror serving HTTP. All the risk is on the user side. They don’t care that it’s an exploitable vector. They don’t have a commercial risk/downside. They didn’t sell fleets of old devices with their name on it.

> This is one of the wealthiest corporations on earth

Well this is why. It’s because they spend their money wisely. They decided that supporting OSes over 7 years old (with god knows what unpatched critical bugs) is not money wisely spent and poses too much risk to their user populace, so they would rather not allow it, rather than support it. They don’t want to train their support on it and they don’t want to allow the possibility of punters getting their old hardware to an older release with open CVEs.

SSL/TLS/etc are libraries, yes. And the certificate store is an OS service.

Ancient software has trouble talking to modern services; modern services and devices don't want to fall back to speaking the old versions because of downgrade attacks.

And if you have an important CA certificate expire, you can't talk to anything.
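The two mechanics this subthread turns on, a server's version floor shutting out a client whose stack tops out at TLS 1.1, and the refusal to "fall back" because of downgrade attacks, modelled as an added example that is not code from the thread. The version numbers and TLS_FALLBACK_SCSV are the real wire constants; the Server class, connect() helper and the scenarios are constructed for illustration.

```python
"""Model of TLS version negotiation plus RFC 7507 downgrade protection.

Added illustration, not code from the discussion. A server picks the
highest version both sides support (RFC 5246 App. E.1; in TLS 1.3 the
offered maximum comes from the supported_versions extension instead of
legacy_version). TLS_FALLBACK_SCSV lets a server detect that a client
was forced to retry at a lower version than it really supports.
"""
from dataclasses import dataclass

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value


@dataclass(frozen=True)
class Server:
    min_version: int  # lowest version the operator still allows
    max_version: int  # highest version the server implements

    def negotiate(self, client_max: int, cipher_suites: tuple) -> tuple:
        """Return ("ok", version) or ("alert", alert_description)."""
        # RFC 7507 s3: the client signals a fallback retry yet offers less
        # than we support, so something on the path forced the downgrade.
        if TLS_FALLBACK_SCSV in cipher_suites and client_max < self.max_version:
            return ("alert", "inappropriate_fallback")
        # Client's best version is below our floor: a 2012-era stack capped
        # at TLS 1.1 against a server that now requires TLS 1.2 ends here.
        if client_max < self.min_version:
            return ("alert", "protocol_version")
        return ("ok", min(client_max, self.max_version))


def connect(client_max: int, server: Server, fallback: bool = False) -> tuple:
    """One ClientHello; `fallback` marks a retry at a lowered version."""
    # Constructed suite list: TLS_AES_128_GCM_SHA256 and ECDHE-RSA-AES128-GCM.
    suites = (0x1301, 0xC02F)
    if fallback:
        suites += (TLS_FALLBACK_SCSV,)
    return server.negotiate(client_max, suites)


if __name__ == "__main__":
    modern = Server(TLS12, TLS13)   # today's typical update/web endpoint
    legacy = Server(TLS10, TLS12)   # the kind of endpoint the thread debates
    for label, result in [
        ("2012 client vs modern server", connect(TLS11, modern)),
        ("2012 client vs legacy server", connect(TLS11, legacy)),
        ("forced fallback vs modern server", connect(TLS11, modern, fallback=True)),
        ("current client vs modern server", connect(TLS13, modern)),
    ]:
        shown = NAMES.get(result[1], result[1])
        print(f"{label}: {result[0]} {shown}")
```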

Why can't you just put Linux on the Macbook then? Most 12-15 year old laptops are not capable of running the current version of Windows, either, and have major vulnerabilities.

Because the client is >55 in age and isn't a fan of change. They want what they are used to. Other clients who are more open to learning definitely have in the past gotten Linux. Huge fan of using it for bringing life back to old hardware. Some clients are however very abrasive towards the idea of a different OS/Interface/Change.

Your elderly client made a smart choice using MacOS. Elderly using Windows were not given a choice to not upgrade to Windows 8, this forced upgrade was a crime against the elderly, many of whom suffered in silence.