Secure those Macs: Apple must step up and support older machines
I have long advocated keeping machines up to date. When machines become too old to update, I’ve bitten the bullet and dumped them, even if they were still fully functional.
With all the malware and ransomware, not to mention simple flaws that could cause a system to crash, it’s become necessary to keep machines up to date, regularly updating both operating system and applications software. When that software can no longer be updated, it’s time to toss the machine.
But should it be?
I just finished upgrading my small fleet of older Macs. I pulled one iMac and four Mac minis out of service. The iMac went to a friend who’s tech savvy enough and responsible enough to manage his own security.
But those four Mac minis are now sitting on a shelf. I’d like to donate them to a local school or library. But because they can’t be upgraded to the latest versions of MacOS (and can’t have the latest security fixes), I won’t give them to unsuspecting muggles, no matter how deserving they might be.
Making donations of woefully out-of-date machines that can’t get security updates isn’t an act of charity, it’s creating potential victims.
But here’s the thing. Even though those Mac minis are eight and nine years old, they are perfectly functional. Given Apple’s build quality, there is no reason they wouldn’t keep chugging along for another eight or nine years.
The modern tech lifecycle
Most IT folk understand and probably even agree with the modern tech lifecycle. Put simply, as newer releases of computers and operating systems come out, older software and hardware become obsolete.
Vendors don’t want to continue to support systems that are quite old. Developers don’t want to test against numerous generations of older machines. The cost to maintain and update the dregs of old gear is impractical.
It’s also impractical, because features that run like the wind on new hardware can be dog slow on older hardware. Some features (for example Face ID on iOS devices) simply won’t run on older hardware because of intrinsic limits on that older hardware (like not having fast enough processing power, the right GPU, or the necessary lenses).
As an independent developer, I can’t support and test versions of code for users running very out-of-date software or hardware. I barely have the time to support and test the more current releases. So, as a developer, I concur with the idea that tech becomes obsolete over time, and it’s regularly necessary to move on.
A paradigm shift
But as I looked at those four perfectly functional Mac minis sitting in a stack on a shelf, never to process bits ever again, I found myself getting upset.
It’s one thing for an independent developer to set a baseline for version or operating system support. It’s another for Apple, the world’s most valuable company, with a valuation in the trillions of dollars.
It’s not like Apple can’t afford to make sure even its oldest machines stay safe year after year. What would that cost? The salary of a hundred engineers would be, roughly — in Silicon Valley dollars — about $20 million. Let’s say facilities and gear for those hundred engineers is another $20 million.
Does anyone seriously think Apple can’t afford $40 million a year to keep software up to date? In its second quarter, Apple posted revenues of $89.6 billion (up 54 percent year over year). $40 million isn’t even 0.05% of Apple’s quarterly revenue.
Heck, $40 million is only 15% of Tim Cook’s $265 million 2020 compensation package. He could pay to keep all installed Macs up to date, and as a percentage of his compensation it would cost him about what putting up a fence would cost us normal folk.
There are some natural constraints to this “keep everything updated” plan I seem to be advocating. First, developers can’t all be expected to keep all their software compatible with ancient machines. Yes, sure, Microsoft and Adobe could, but it’s beyond the scope of all the little indie developers out there.
Second, performance will undoubtedly be pretty poor on the oldest machines. Not all the advanced features will run on them.
But even with these restrictions, Apple could certainly establish a baseline. All the applications that ship with the machines could be kept up to date. On Macs, that would provide a nice suite of tools for users of older machines. And updating and hardening Safari would provide a solid, safe baseline for users of older machines.
The state of Apple support
Apple doesn’t explicitly state its end-of-life policy for devices. When a new OS is released, it will list devices supported. You can derive from the supported list a secondary list of those devices left behind.
Apple does maintain an information page detailing Apple security updates. As of today (end of September, 2021), Apple is still issuing security updates for MacOS Catalina. That means that three of the four machines I took out of service can still be updated — but they don’t run Big Sur or Monterey, and Apple won’t say when Catalina security updates will stop.
My fourth newly out-of-service machine, the 2011 Mac mini, can’t be updated beyond High Sierra. Apple’s last High Sierra security patch was in 2020, and the company gives no indication of (a) whether there are any known but unpatched security flaws in High Sierra, and (b) whether it ever intends to issue future patches.
In fact, this lack of transparency is policy. On that same Security Updates page, Apple says, “For the protection of our customers, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available.”
That’s… helpful. NOT. Especially for users of older machines.
But this isn’t just about my four computers. I took a quick look on eBay and found a lot of older machines for sale. This one is just one example:
As you can see, it’s an old 2008 MacBook Pro. While it might not be something the typical ZDNet reader is likely to buy, someone on a limited budget in need of a computer might well decide to spend $66 plus $17.14 shipping to land a MacBook Pro. This low-cost machine already has 12 bids and as of the time I took the screenshot, it had two days left to go.
But, according to the site Apple History, the 2008 MacBook Pro maxes out at 10.10.4. That’s OS X Yosemite, an operating system that came out in October 2014 and received its last major update in August 2015. According to Apple’s Security Updates page, the last security update for Yosemite was in 2017 — four years ago. The last time Safari was updated for Yosemite was also four years ago.
This is what I’m talking about. There is no reason that Apple, a company that brought in nearly $90 billion (with a B) in revenue last quarter, couldn’t keep churning out security updates for these older machines.
Time for the big vendors to step up
Those machines are out there, people are using them, and it’s well within Apple’s power to keep those people safe. So why don’t they? Or a better question would be, Apple, when will you step up?
This article has been mostly focused on Macs, but phones need the same attention. I also call on companies like Samsung to keep older devices up to date.
Samsung also had a record quarter last quarter, pulling in KRW 63.67 trillion ($54B USD) in sales and KRW 12.57 trillion ($10B USD) in operating profit. With $10 billion in operating profit for just one quarter, do we seriously think Samsung can’t issue updates for all those old Android phones it sold? But it doesn’t.
Many of those phones haven’t gotten updates since just a year or two after they were sold. Android is a cesspool for malware, which Samsung is essentially enabling by its inaction in providing security updates.
As I said before, there is a line somewhere between the individual developer like me, and companies like Apple and Samsung who are rolling in billions of dollars in profits. I don’t expect boutique developers to handle the load of back-facing security updates. But the big players? Not doing so is irresponsible.
There are millions of those machines out there, still in use. All those machines are actively vulnerable to malware and other security threats. Worse, those machines can become patient zero devices, spreading malware to other machines on their networks. So it’s not just about updating old machines to keep their users safe. It’s about updating old machines to keep us all safe.
So, the next time you see Apple give a long song and dance about how environmentally responsible they are, how much they’re moving towards sustainability, and how many robots they’ve built that can disassemble their old electronics, keep in mind that a minor investment could have kept millions of old computers and phones out of landfills, and made them available to lower-income users who need them.
What about you? Do you have a stack of old gear you can’t responsibly give away, but also don’t want to toss out? Do you think Apple and Samsung have been dropping the ball in not taking responsibility for older security updates? Let us know in the comments below.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.