Should Open Source Software Expire?
Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendency most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."
I think that the premise that all computers are exploitable is a wrong one to pursue. Granted, any idiot that leaves an exploitable machine running on the net gets what he deserves, yet in this age of DDOS viruses/trojans, the damage goes far beyond a single machine. BUT, I don't think FORCING an upgrade is the way to go. If I have a machine on an internal network merrily plugging away for years, why break it if it's working?
He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.
Interesting idea, but the assumption that people will only want to run newer software seems a bit flawed to me. To quote the genius Anonymous, "Assumption is the mother of all fuck-ups."
Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space. Under this scheme, I wouldn't be able to; despite the fact that the machine is behind a firewall, I'd be bullied into running larger, more secure software.
The computer is mine. The software is mine. And, should there be an issue, the blame is mine. I don't want anyone who thinks they're smarter than me fucking around with my computers. If I did, I'd run Windows, now wouldn't I?
--saint
Wouldn't it make more sense to include something that checked the web for available updates and presented them to a sysadmin as an option or a recommended upgrade. It's silly to have something "expire" when it can just be patched or upgraded.
I've often thought that expiry times in software would be a good thing. Not necessarily in paid-for software, but in free software where free updates are readily available. Would be great for the web.... imagine knowing that you will never have a Netscape 3.x or IE 3.x visitor to your site again... or knowing that on such and such a date you won't have to support Netscape 4.
The only downside I can see is what happens when you're using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?
I don't think the software should automatically update itself or expire, but rather have some way of communicating with the sysadmin. For example, if you use the CPAN module for perl in shell mode, it'll tell you if there's a new version of itself available, and how to update. Most importantly, it does so unobtrusively (as opposed to some programs that get annoying about it).
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
Gnumeric had something like this.
I was running an old version, the one that comes with a default slackware 8.0 install.
On opening, it popped up an alert saying "This software is old, and has probably been updated by now! Check out gnumeric.org for an update."
No hassle, just a one-off friendly reminder.
Good idea, I thought.
If I'm running a caching DNS server on my loopback address, it's a waste of effort to upgrade it even if it has as many holes as a wheel of Swiss cheese, or worse yet, a M$ OS. Also, I disagree with the premise that "most sysadmins" tend to neglect security patches & updates. Besides.... It's like the counterproductive logic involved when M$ releases a patch to protect against DOS attacks that crashes 25% of the boxes it's installed on. Here you're talking about crashing a box semiannually to protect the person from getting hacked. Basically, the person was already hacked when they installed the term-limited software. Trojaned if you will. It really must be a slow news day.
OK, I think we'll all agree that the vast majority of servers that've been exploited and abused for a long period are in the hands of luser admins. Savvy admins get burned all too often as well, but they usually catch it and patch their systems before too much time has elapsed.
Think about it... how many SMTP open relays are still running that have been spew points for years? How many Code Red hosts *still* probe your hosts, after all the hype and months gone by? How many hosts can you find that are listening on port 12378 (Gibe worm/trojan)?
The "admins" of these systems have *no clue* what's going on and LARTs fall on deaf ears at their luser ISPs!
So. My proposal is this: Include disabling timeouts on *all* net connected ware, enabled by default. Put a nice, little checkbox in an unassuming corner of a/the install screen (or a line in a conf file somewhere) that allows this "feature" to be disabled.
I figure all savvy admins will turn the feature off. Some of the luser admins will turn the feature off. A majority of the lusers won't even know it's there, and won't disable it. Too bad for them, but they'll have a cluestick swingin' their way in a year or so.
I still don't think it'll fly (no one's going to build this feature in), but the above is my spin on how it might be made to work, after a fashion.
-
That way I'd have to configure each piece of software, or make it all depend on a special configure file. Anyway I don't find it appropriate to patch each app in such a way. It'd be much easier to regularly run an 'expire' job that simply updates a list of expired software (from the net) and compares it against the versions in the rpm database.
...
Then the user/admin can decide what expire should do: maintain a list of expired software (maybe with different warning levels, from "obsoleted by a new version" to "security hole, patch now"), mail him, shutdown the service, update automatically (shiver), whatever. The admin can also decide how often 'expire' should run, or, in case of a static ip, maybe even allow the 'expire-server' to contact his machine.
The method of comparing against a list on the net (or maybe on some update media) is better than expiring after a preset time. And self-erasing software is simply nonsense. Imagine software development is discontinued, or you just can't reach the net, and thus can't update anyway, or an admin is on holidays. He'd probably prefer the firewall up and running, even if outdated, than having no firewall at all.
Also maybe other projects depend on a certain piece of software. Forcing a switch of versions at some preset date isn't helpful at all in that case. There are so many possible reasons why someone might want to hold onto an old app a little longer, maybe even for 20-30 years. This "force to upgrade" practice could come right out of Microsoft's book of marketing, but it doesn't make sense for open source software.
Maybe he should've written that piece 2 days ago
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
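Two of the posts above sketch the same defender-side alternative to self-expiring software: the CPAN-style "a newer version is available" notice, and the 'expire' job that fetches a list of expired packages and compares it against the rpm database, leaving the admin to decide what to do. The following is an added illustration of that job, not code from the thread or from any project named in it. The advisory list, the package inventory (shaped like `rpm -qa` output) and every package version and note in it are constructed; the version comparison is a simplified stand-in for rpmvercmp.

```python
"""Added example: an 'expire' job that reports outdated packages instead of
disabling them. All package names, versions and notes below are constructed."""
import re
from dataclasses import dataclass

# Constructed advisory list, in the form the post sketches: one line per
# package giving the first fixed version and a warning level.
ADVISORY_LIST = """\
# name  fixed_version  level  note
openssh  3.4p1  security  constructed: remote hole in authentication code
bind     9.2.1  security  constructed: resolver crash fix
gnumeric 1.0.9  obsolete  newer release available
sendmail 8.12.3 security  constructed: local privilege escalation fix
"""

# Constructed inventory, shaped like `rpm -qa --qf '%{NAME} %{VERSION}\n'`.
INSTALLED = """\
openssh 2.9p2
bind 9.2.1
gnumeric 1.0.3
apache 1.3.26
"""

LEVEL_ORDER = {"obsolete": 0, "security": 1}


@dataclass
class Finding:
    name: str
    installed: str
    fixed: str
    level: str
    note: str


def version_key(v):
    """Split a version string into comparable chunks: numeric runs compare as
    integers, alphabetic runs as strings (simplified stand-in for rpmvercmp)."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def is_older(installed, fixed):
    return version_key(installed) < version_key(fixed)


def parse_advisories(text):
    """Map package name -> (fixed version, level, note); '#' lines are comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, fixed, level, note = line.split(None, 3)
        out[name] = (fixed, level, note)
    return out


def parse_inventory(text):
    """Map package name -> installed version from 'name version' lines."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, ver = line.split()
            out[name] = ver
    return out


def check(inventory_text, advisory_text):
    """Return findings, most severe first. Packages absent from the advisory
    list, or already at or above the fixed version, produce nothing."""
    adv = parse_advisories(advisory_text)
    inv = parse_inventory(inventory_text)
    findings = []
    for name, ver in inv.items():
        if name in adv:
            fixed, level, note = adv[name]
            if is_older(ver, fixed):
                findings.append(Finding(name, ver, fixed, level, note))
    findings.sort(key=lambda f: (-LEVEL_ORDER.get(f.level, 0), f.name))
    return findings


def report(findings):
    """One line per finding, in the unobtrusive style of the CPAN shell's
    notice; nothing is stopped or removed, the admin chooses the action."""
    if not findings:
        return "expire: all listed packages are current"
    lines = []
    for f in findings:
        tag = "PATCH NOW" if f.level == "security" else "obsolete"
        lines.append(f"expire: {f.name} {f.installed} [{tag}] fixed in {f.fixed}: {f.note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check(INSTALLED, ADVISORY_LIST)))
```

Run from cron, the job would replace the two embedded strings with the real `rpm -qa` output and a list fetched from the distribution's update server; since the list drives what the admin is told to patch, it should come over a channel whose integrity can be checked (a signed file or a TLS-verified download), otherwise the "expire" list itself becomes something an attacker could feed the machine. Note that the comparison of `bind 9.2.1` against its own fixed version yields no finding, which is the case a preset-date expiry gets wrong: software that is already current should never be switched off.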
ph33r...
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden