Should Open Source Software Expire?

Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendancy most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

Bad idea

[drodver]

Open Source is about not forcing you to do anything. Besides the code could just be removed. Who is a developer to say how I should administer my box.

Re:Bad idea

[gilder]

I agree that the user/admin should have the freedom to allow it to expire. How about making it a configure option? Say expire on a date I give or a suggest date from the author. Give the program an email address to nag if it expires?

Re:Bad idea

[Morel]

Besides, how many times have we come across 'new and improved' versions of our favorite software that just plain suck?

Careful sysadmins don't just set the Automatic Upgrade swith to "Full Throttle", they evaluate stuff before deploying it.

Morel

Re:Bad idea

[FortKnox]

Open Source is about not forcing you to do anything

EXACTLY.

You're taking the "Free" out of "Free software".

Only evil proprietary companies force you to do stuff, right? ;-)

Re:Bad idea

[Galen+Wolffit]

Oi, I agree, but for different reasons. Yes, the code could be commented out - so what? Any code that secures an existing hole can be commented out, thus re-opening the hole.

I think it's a bad idea to actually _disable_ a running program, because doing so can cause problems that are not necessarily immediately traceable back to the disabled program. Instead, the program should raise some sort of persistent alert, via email, logfiles, or whatever, at some interval, alerting the administrator that there is an out of date program running.

Re:Bad idea

[aardvarkjoe]

Well, he didn't say "Free Software is about not forcing you to do anything", did he? Not all open source software is under the GPL.

Re:Bad idea

[drodver]

A project that provides librarys other Open Source projects can use to enable automatic code updates would be way cool. Then admins could opt-in to have programs auto-update without user intervention. Proper security and checkpointing would be required, though, to prevent an app from breaking without a recourse to return to full functionality.

Re:Bad idea

[jgerman]

Un implementable idea, it's open fucking source, the whole point, or at least a part of it anyway was to prevent bullshit like this. Not to mention the fact, like you said, that it can just be removed.

Re:Bad idea

[selectspec]

Timebombs are a terrible idea. If I could draw and submit ASCII art of "thumbs down" I would.

Re:Bad idea

[cymen]

Well if you don't know how you have to upgrade. Hrm... I'm not saying that is good or bad but it is funny.

Re:Bad idea

[4of12]

I agree that putting in arbitrary time locks is not a good approach to making open software secure.

Fundamentally, the best approach is to encourage sysadmins and those responsible for hiring sysadmins to take security as a serious matter.

Practically, I'd say a better approach is to have open source security scanning software that sysadmins can use to easily diagnose whether their systems and applications have a potential security problem. The raw ingredients for something like this are already out there, but I'm not sure if they are conveniently packaged.

It's one thing to see CERT and CIAC vulnerability postings and mull over whether some random application might occasionally open up a weird network port and be vulnerable to a BO, but that requires some investment of time.

A service that allows you to download and run a trusted, signed test application for each of the vulnerabilities you see on Bugtraq would be a real time saver for most sysadmins, who have quite a lot to do already.

Re:Bad idea

[gotan]

That way i'd have to configure each piece of software, or make it all depend on a special configure file. Anyway i don't find it appropriate to patch each app in such a way. It'd be much easier to regularly run an 'expire' job that simply updates a list of expired software (from the net) and compares it against the versions in the rpm-database.

Then the user/admin can decide what expire should do: maintain a list of expired software (maybe with different warning levels, from "obsoleted by a new version" to "security hole, patch now"), mail him, shutdown the service, update automatically (shiver), whatever. The admin can also decide how often 'expire' should run, or, in case of a static ip, maybe even allow the 'expire-server' to contact his machine.

The method of comparing against a list on the net (or maybe on some update media) is better than expiring after a preset time. And selferasing software is simply nonsense. imagine software development is discontinued, or you just can't reach the net, and thus not update anyway, or an admin is on holidays. He'd probably prefer the firewall up and running, even if outdated, than having no firewall at all.

Also maybe other projects depend on a certain piece of software. Forcing to switch versions at some preset date isn't helpfull at all in that case. There are so many possible reasons why someone might want to hold onto an old app a little longer, maybe even for 20-30 years. This "force to upgrade" practice could come right out of microsofts book of marketing, but it doesn't make sense for open source software.

Maybe he should've written that piece 2 days ago ...

Re:Bad idea

[drodver]

Something like that. It would need to archive the current setup so if the upgrade fails there is a fallback. Also it would have to be limited to minor revisions ie x.y.z to x.y.z+1. It would also impose limits on developers like not being able to change the configuration of the app in a x.y.z+1 release.

Re:Bad idea

[ebbomega]

If you don't want someone screwing with your code, don't write open source software. That's a real simple solution.

Re:Bad idea

[Anonymous+DWord]

ph33r...

_____
|--` ()_)
| ()__)
| ()___)
|-. ()__)
\ \
|_)

Re:Bad idea

[ncc74656]

Timebombs are a terrible idea. If I could draw and submit ASCII art of "thumbs down" I would.

...something like this?

________
__)
__)
____)
\___)
\\
\_\

:-)

Re:Bad idea

[ArsonSmith]

I have an idea,

lets just keep a repository of updated applications in mirriored trusted locations all over the world.

Then come up with a way of indexing these applications and haveing an interface for updateing these packages.

of course there would have to be a detailed policy and rules on how to build these packages and how to upgrade them and such.

but think about it you could just type something like:

get update

and it would download the latest packages available then type

get upgrade

and you would be able to upgrade to the latest files available so far.

what to call it though. Hmmmm. Its all so simple why hasn't someone come up with this before?

Re:Bad idea

[polyphemus-blinder]

I agree. The solution to irresponsible sysadmins who let software get outdated is to fire them. It's as simple as that: people who do not do their job deserve to get fired; and people who can't hire responsible sysadmins deserve to have their systems hacked.

Oh yea, THAT'S a great idea...

[xyzzy]

As if being kept on the upgrade treadmill by Microsoft isn't bad enough!

You can't pick an arbitrary point in time when software is "too old", or "known to have security holes!" If you could do the latter, you'd just fix the security holes...!

Re:Oh yea, THAT'S a great idea...

[vladkrupin]

/>telnet mybox.com
Trying 192.168.1.1...
Connected to mybox.com.
Escape character is '^]'.

Red Hat Linux release 6.2 (Zoot)
Kernel 2.4.4 on an i686
login:user
password:

Last login: Wed Apr 03 2002 15:32:15 -0800
You have new mail.
Sorry, you copy of Bash has expired.
Connection closed by foreign host.
/>

Re:Oh yea, THAT'S a great idea...

[vladkrupin]

hey, good point :)
too bad i won't be able to login to get download the new version:(

Erm, no

[adamwright]

I have old internal boxes that are way way out of date, but safely firewalled away doing just what I want them to do. Rebuilding those every few months/years (or having to remove timebombs from software before I install it) == Bad idea.

I agree that software should assist admins in keeping it uptodate, but honestly, legitimate users shouldn't be affected if an admin is incompetant or lazy.

Re:Erm, no

[3Bees]

Along these lines, it might be a good idea if package management systems kept track of such stuff (queried their central databases about known security holes/outdated programs) and notified admins.

At least this would remove any burdensome mandatory nature from the effect while still satisffying the perceived demand.

Re:Erm, no

[why-is-it]

Well, if one of the "users" really wanted to hack the box, all he has to do is walk up to it and remove the harddrive :) I don't have any external access past the DMZ.

Not to deflect the conversation too far away from the original, but that is why good security practices are more than just about code. Where do you keep your servers, and who has physical access to them is an equally valid concern.

Re:Erm, no

[Zathrus]

Agreed. But take it a step further - exactly how are you supposed to update embedded hardware? Replace all the surface mounted ROMs that the software may be burned into?

Uh....

Re:Erm, no

[swb]

Not to deflect the conversation too far away from the original, but that is why good security practices are more than just about code. Where do you keep your servers, and who has physical access to them is an equally valid concern.

So are things like maintainability, usability and so on.

Security is a kind of risk, and everyone accepts a certain amount of risk. I *could* insure my car to a $50 deductable and let the insurance co. take all the risk beyond that, but that would cost me $500/month. Instead I assume $500 worth of risk and I pay only $100 month.

You're absolutely right that there are other concerns, but in some organizations the costs associated with a specially locked room, time/money/effort maintaining boxes is more cost than percieved risk that some internal user in a 50 person company may decide to try to hack sendmail 8.9.

Re:Erm, no

[nathanm]

I agree, and I think I have a better idea:

If a computer is compromised via a known security exploit a set length of time after a patch is released, the computer's owner forfeits the right to sue for damages.

Re:Erm, no

[leuk_he]

if package management systems

Up that one. There is where this functionality belongs.

One program to rule them all,
One program to find security bugs,
One program to download them and in the darkness install them.

Or not

[klosskorban]

Why not just have it a feature of your package management system? IE. the not yet finnished, PKGtool 2.0 system

I think....

[Bob+McCown]

I think that the premise that all computers are exploitable is a wrong one to persue. Granted, any idiot that leaves an exploitable machine running on the net gets what he deserves, yet in this age of DDOS viruses/trojans, the damage goes far beyond a single machine. BUT, I dont think FORCING an upgrade is the way to go. If I have a machine on an internal network merrily pluggin away for years, why break it if its working?

Re:I think....

[Trepalium]

Good point. I think a better idea would be a timebomb in the software that doesn't disable the program, but rather just starts spitting out warnings once you reach a certain age. I think six months to a year should be acceptable for most software. This, of course, doesn't apply to all software. I seriously doubt there'll be an exploitable security vulnerability in GNU echo any time in the near future, or any other mundane utility program. Most network daemons could likely benefit from warning the user about running outdated programs.

Huh?

[chinton]

This sounds like something that Microsoft would do (or already does).

I would think that it should be optional

[EFGearman]

After all, that is part (a large part) of what Open Source is about. Options.

Now, as a programmer, I may not want to add changes to an older version that I am not working on anymore, so I am within my rights to say, "If you want that additional functionality, you have two choices. Upgrade, or do it yourself."

Again, options.

EFGearman
--

Expiration.

[saintlupus]

He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

Interesting idea, but the assumption that people will only want to run newer software seems a bit flawed to me. To quote the genius Anonymous, "Assumption is the mother of all fuck-ups."

Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space. Under this scheme, I wouldn't be able to; despite the fact that the machine is behind a firewall, I'd be bullied into running larger, more secure software.

The computer is mine. The software is mine. And, should there be an issue, the blame is mine. I don't want anyone who thinks they're smarter than me fucking around with my computers. If I did, I'd run Windows, now wouldn't I?

--saint

Re:Expiration.

[MissMyNewton]

The computer is mine. The software is mine. And, should there be an issue, the blame is mine.

*BUT*, think CodeRed/Nimda-like - your problem could also become mine and I sure as hell don't want that!

Re:Expiration.

[saintlupus]

*BUT*, think CodeRed/Nimda-like - your problem could also become mine and I sure as hell don't want that!

True enough -- hell, I'm _still_ getting Nimda hits on my webserver, and it's been how many months?

Unfortunately, the way to get rid of problems like this is _not_ to assume that every computer user is, er, security-retarded. I'm more than capable of securing my own systems, thanks, and I don't need any wanna-be dogooders trying to do it for me.

--saint

Re:Expiration.

[Alan+Shutko]

We have an employee flying to Tallahassee as I write this because a version of RH6.0 had an old version of ssh on it, which was perfectly safe because it was behind a firewall. Until, of course, the firewall is changed to allow ssh... and someone needs to relay the OS because the machine was hacked.

Seriously, how much space did using a version of ssh with security holes save you? Was it significant, or are you rationalizing your negligence?

Re:Expiration.

[jgerman]

Yes and when I'm on my bike you four-wheelers endanger my life on a regular basis, but I have no right to keep you off the road. It comes down to a question of ethics, you have no right to tell me what software to run, that's what we're fighting against with OSS, just as I can't tell you what to drive. That's not to say that you don't have a grievance if someone's negligence causes you trouble, but only after the incident occurs not before.

I said it earlier, it's un-implementable. If someone pulled this crap with their software, I or someone like me, would fix it and redistibute it with this crap coded out.

Re:Expiration.

[BeBoxer]

or are you rationalizing your negligence?

Might I ask who made the decision at your company to open up the firewall to ssh? Did it occur to them to actually try and check the computers that were being made available to it? SSH is probably the easiest deamon in the world to verify. Just telnet to the ssh port on a computer and it tells you the version! It's trivial to automate the process. So I'm not so sure I would be so quick to accuse others of negligence if you just poked a hole in your firewall without bothering to check and see what you were exposing.

Wouldn't it make more sense...

[Markusis]

Wouldn't it make more sense to include something that checked the web for available updates and presented them to a sysadmin as an option or a recommended upgrade. It's silly to have something "expire" when it can just be patched or upgraded.

Re:Wouldn't it make more sense...

[tupurz]

This seems to be a better idea...what would happen if the sysadmin "expires" prior to the software? Company shuts down? These things must be able to carry on without us...

Re:Wouldn't it make more sense...

[singularity]

Of course, then you have the entire Slashdot community up in arms about spy-ware.

You would be able to see the source, but it will still be transmitting your IP number and the software version number.

Another big problem, though, would be computers that are firewalled off from the Internet as a whole.
The biggest problem, though, would be the server that would keep track of that information. Suppose the software is no longer supported or written. Then you have to either remove the code and recompile or you would have to wait for the software to time out each time.

Not a good solution. I think the best thing would be a warning at start-up on occasion that automatically says "OK" after a ten seconds or so(so that headless servers would be able to startt the software up without keyboard there to hit OK). Or at least allow people to start from a command line with a "no reminder" set.

Re:Wouldn't it make more sense...

[cascadefx]

SuSE's Linux Distribution for 7.2 is almost exactly like this. From the Administration modules, you just choose to check for updates and it surfs their FTP site for available patches. Those patches are categorized based on security and functionality and list whether they are recommended or not. If you have software installed on your system that has a critical security patch available, the software is checked for download by default (though, you can uncheck if necessary). Once you have added or subtracted patches and move on, the software is downloaded and installed. Reboots are warned about if necessary.

This also works with update CDs, I think. Never tried it myself, but it could concievably work.

I don't run a production box, so I pretty much blindly upgrade stuff. If it breaks (none yet), I can always back out pretty easily. The utility also gives the security bulletin from SuSE or detailed descriptions of the packages if you want to look at them before deciding to install. Those that look risky... I generally avoid.

This is one of the best patch utils that I have found because of the advice component. It is similar to M$'s offering, but I think a little better (you don't have to reboot at the very least). I haven't tried Ximian's offerings, but my guess is that they are similar.

Comment removed

[account_deleted]

Comment removed based on user account deletion

heh

[Ooblek]

like a Blade Runner replicant when it reaches a certain age, forcing an update

Uh, they DIED when they expired. Probably not a good thing to let your web server die over a long holiday weekend.

(Insert "Tears in the Rain" speech here.)

Re:heh

[YouAreFatMan]

Maybe he meant Logan's Run, where you were hunted down at the age of 30.

What makes you feel so sure what follows is better

[snStarter]

Just because there's a newer version doesn't mean it's better for an individual's purpose than what is currently being run. It could even break a mission-critical application.

Just what we need -- another group of folks making decisions they have no reason, right or responsibility to make.

Write software, let the users who deploy it take the responsibility for making changes. Or is individual choice and responsibility no longer important?

Latest greatest?

[1984]

Who audits the new version? This is only well motivated if you're sure the new version is *always* a "better" version than the old.

Now what the hell does that mean in the general case?

No way

[bsdparasite]

Why should I keep installing new software on my machine? Why should it not work the way it did before? This is a Microsoft based model for people who are obsessive with updating their software. I would love to use the same program that I used 3 years ago, but with a better OS base with more support for new devices. I don't care for bloated features. Just something that makes my day.

One ring to rule them all..the O in OpenBSD

Absolutely

[geordie]

I've often thought that expiry times in software would be a good thing. Not nessesarily in Paid for software, but in free software where free updates are readily available. Would be great for the web.... imagine knowing that you will never have a Netscape 3.x or IE 3.x visitor to your site again... or knowing that on such and such a date you wont have to support Netscape 4

The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?

Re:Absolutely

[tswinzig]

The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?

What then is that you realize what a horrible fucking idea this is in the first place.

Re:Absolutely

[NoMoreNicksLeft]

Would be great if I owned more stock in hardware companies. Imagine knowing that after a certain date, those cheapskates with 486's would be forced to upgrade to something new and expensive if they wanted to browse with the latest 60meg bloatware browser.

Hopefully, there is still time for me to cash in on this, before Intel is at $700 per share!

Re:Absolutely

[Reziac]

Yup, your site tells me I can't use my *preferred* (older) browser -- and then I never visit your site again.

Yep, your site tells someone who can only afford an old P60 that they have to run a browser that requires a PII-600 with 512mb RAM -- and they never visit your site again.

Yes indeed, that's really fixing the "problem".

Notification vs. expiration

[TheFlyingGoat]

I don't think the software should automatically update itself or expire, but rather have some way of communicating with the sysadmin. For example, if you use the CPAN module for perl in shell mode, it'll tell you if there's a new version of itself available, and how to update. Most importantly, it does so unobtrusively (as opposed to some programs that get annoying about it).

Re:Notification vs. expiration

[cdipierr]

The problem is that then you have to allow any arbitrary application on your system to talk to any arbitrary server (to verify the version vs. the latest). If you do so, then you have to watch that traffic to make sure things aren't getting sent up to the central server you don't want to be sent up.

Now with open source stuff this isn't as big an issue as with closed source, but you still have the potential for someone to abuse the system.

Say you have utility X v1 that does a function. One day it tells you there's a new version (v2) that's much better, so you let it upgrade w/o thinking. v2 gets installed and then the next time it runs it sends up arbitrary data from your system. It doesn't help you if a peer review a day later tells you not to upgrade, it's already too late for you. So that means you now have to closely check all the source of any app you install and you can never let it say "Yes, always update" w/o thinking about it.

Too much potential for abuse.

Re:Notification vs. expiration

[Lumpy]

sorry but this can cause all kinds of hell for people.. CPAN perl module like to force perl 6.1 down your throat EVEN IF YOU HAVE IT INSTALLED but not in the correct location (redhat, we put your apps where they dont belong) so the cpan module doesnt detect perl 6.1 downloads nad installs it, and completely hoses your modperl install under redhat 7.2... Thanks redhat, thanks cpan... if I want it I will download it otherwise keep the damned updates off my computer.

This rant brought to you by many endless nights fighting with people's assumptions...

Re:Notification vs. expiration

[krogoth]

Yes, that's a brilliant idea you have there. You're not the first. Developpers generally call it "the announce mailing list".

As long as you can change the source...

[Eugene+O'Neil]

I have no problem with it. Anyone who has the brains to hunt through the source and remove the time limit should also be smart enough to understand the consequences of such an action. People who are not smart enough to do it themselves (or hire someone who is) should be grateful for whatever they get. If they whine about it, you can always offer to refund the purchase price.

"It just suddenly stopped working."

[Christopher+Thomas]

This would be a Bad Idea in embedded devices, because they may very well be designed not to be upgraded.

This would also be a Bad Idea in any installation where the person maintaining a machine may change (which covers just about everywhere). It's hard enough keeping track of everything on your own machine - what about a machine you inherit from a previous administrator?

The machine suddenly stops doing something vital when the software expires, and you have to track down what and where it was.

Better just to write "review the installed version of Widget X" in your day planner at regular intervals.

Uptime dick measuring contests

[DickBreath]

Well, there goes my uptime. Reboot and upgrade required, your kernel is about to expire. The server is going down now.

Doesn't Microsoft do this already?

[HiyaPower]

Last time I looked, they wanted you to take a run on the treadmill verey year or so.

Why, why, why would you do this. If a piece of software is being distributed with no support, there is no reason for anyone to want to replace a working piece of software that does the job that it is meant to do with another one that might or might not work. For companies who support software, it is reasonable to say "Hey, get on the latest release. We may have fixed that problem a long time ago." but for non-supported open source, you gotta be smoking the Willy Weed to think scheme up.

Sure....

[stripes]

Open source being what it is, nothing can stop dedicated users from removing the expiration code from their packages. In the case of stalled development, this may even be necessary, and it can serve as a safety valve to help offset the dangers of software expiration. This makes it fundamentally different than licensing schemes that permit automated remote disabling of software packages.

Sure, until the first time your gcc expires then you are dead... (or gcc is working but ftp, httpget, and curl are not...)

Or the first time you unearth some old hardware and want to bring it back to life. Sure you could reinstall from scratch, but that lengthens the time it takes to find out if the hardware really still works, and what is on it!

Re:Sure....

[jgerman]

Are you so deluded to think that you can't write your own compiler, or here's a novel idea, gcc is the first thing you recompile without that option.

Re:Sure....

[stripes]

Are you so deluded to think that you can't write your own compiler,

Oh, I already have, but it only did VAX and SPARC output (both badly).

Dumb.

[dasmegabyte]

What a dumb thing to say -- any requirement you make for Open Source will be totally ignored by a good segment of the population no matter how good an idea it is. You can't make demands of a free community simply because much of the population are idiots. It's those idiots losing their jobs when the servers become infested with hackers that is going to teach them to update their software. Putting in artificial expiry dates only leaves another worthless feature to debug.

Expiry is for shareware...open source's trademark is its install once, run forever (for most applications) reputation. And for machines properly behind firewalls, this reputation is justified, even with the holes. Who is going to be rooting the print server at our church with no internet access.

Great...

[2Bits]

Everyone in the OSS community has been bashing (well, most people anyways) MS's forced upgrade treadmill, and now, we want to adopt that? How hypocrit can we be?

I have the source code, leave me alone, even if I want to leave with all the security holes I want. That's my choice. That's all about being free.

Now, if I'm forced to upgrade, and there's still security holes and my system gets cracked, if I can sue you for loss and damages, then we can talk about forced upgrade. This should apply to all commercial softwares.

Otherwise, just leave me alone. One MS model is bad enough. We don't need more.

A modest proposal...

[realgone]

Better yet, I suggst we rig it so the sysadmins "expire" when they reach a certain age. Forcing an update, of course.

Hey... how else are the young techies of the world supposed to get the plum jobs and read /. all day? =)

A better idea....

[Picass0]

How about instead putting a little bug in the code that contacts the author every time the software is run? It could also send some basic marketing information as well, such as the names of every DVD watched, or MP3 played, or every website visited.

What a great feature!

Gnumeric

[OpCode42]

Gnumeric had something like this.

I was running an old version, the one that comes with a default slackware 8.0 install.

On opening, it popped up an alert saying "This software is old, and has probably been updated by now! Check out gnumeric.org for an update."

No hassle, just a one-off friendly reminder.

Good idea, I thought.

Re:Gnumeric

At least it let you run the software. How about this: Class presentation day. You launch Realplayer on your laptop to show some video. "Your version of RealPlayer has expired, please download a new version". Goddammit, I'm in front of 30 people, my laptop is NOT on the network, and my 10 minutes timeslot is expiring. I don't have TIME to download and install a fuckinlblarhfap arg!! NEVER REALPLAYER AGAIN.

I disagree

[flynt]

You can't pick an arbitrary point in time when software is ... "known to have security holes!"

Sure I can. How about "right now."

Re:I disagree

[xyzzy]

So based on that concept, the software should simply refuse to run from the get-go!!! :-)

Expire

[surfcow]

... that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

I see. Does the program then track doen its creator and kill him?

"I want more life, fscker." =brian

Just Warnings / Updaters

[tweakt]

Mozilla currently will warn you when a build is older than two weeks. It continues to function however. The reason for this, is so that bug reports are relevant to the current codebase, and new bugs are found quicker, and less duplicates are reported.

Personally I don't feel the software should expire or stop working in any way. But a better approach is software that can check for newer releases of itself, and possibly auto-update itself.

A good example of this is Gnucleus's evolve capability. If a security problem is found, most all the users would know about it the next time the program checked for an update, and it would get fixed easily within a day or two.

CBDTPA / SSSCA

[MConlon]

Assume a worst-case scenario: would you want the software (some of it critical) on your machine to expire if we end up living in a law-induced dark age?

Personally, I want my 60MHz Pentium server to run for as long as *I* want it to... not as long as some third party (whether that be a hardware developer, a software developer, or the government) wants it to run.

Of course the nice thing about OSS is that you'd be able to remove the code that expired it.

MJC.

No, it shouldn't.

[Drakin]

There's some cases where there's no need for the program to be updated, no matter what securiy risk it might pose.

If it's sitting in a lan that has no acess to the internet, or if it's being used in a case where space is limited... there's probably other reasons that software shouldn't expire.

How would you like if your computer decided that it wasn't going to run a critical (to you) program and you have to stat reinstalling it while a deadline creeps closer.

Maybe a reminder service would be the best way, after so many days/months/years it makes a reminder to check for updates. That, or educate people that upgrades for securty are a good thing in some cases.

Software expiry date?

[decipher_saint]

Software expiry date? Like that can of cream in the company fridge?

*sniff* *sniff* "Is that the PDC?"

Win95

[sharkey]

Sounds like a Microsoftie thing to do. Remember Win95? If you left it running for 49 days, IIRC, it would crash.

Why it's not that silly an idea.

[west]

Given that an exploitable system is not just a danger to oneself, but also a danger to others, it's quite possible to justify expiring software the same way that one justifies enforced adherence to safety measures. Its quite common to force companies to upgrade equipment to current safety standards. This is merely a mechanism to protect the community.

While it doesn't necessarily justify forcing users to upgrade, this debate is not an entirely one-sided.

Re:Why it's not that silly an idea.

[jgerman]

Yes this discussion is entirely one-sided. Your completely fucking off base. Though I shouldn't be suprised, people always come along that think they know better than everyone else and have the right to tell them what to do. This is taking an movement that started so anyone can use software anyway they see fit, and trying to pervert it to fulfill someone's holier than thou attitude. It's just fucking wrong, not to mention impossible. Let me clue you in, the code is GPL, I have the source, or can force you to make it available to me. Want to talk about code forking? I'll start taking every piece of crippled software, removing this crap and re-distributing it. You want something like this, go create your own license, I promise you you'll fail.

Think of the carnage!

[Infonaut]

Egads... Apache 1.3 is about to expire, so it hooks up with The Gimp and wreaks havoc, running through the filesystem looking for the kernel, so it can extract revenge, or at least look for a way to avoid death.

One Rutger Hauer is enough, thank you!

instead of writing secure software?

[mrroot]

So instead of writing secure software in the first place, now we will just give up and say, ok we know this software isn't going to be good enough to last very long, so we're going to timebomb it for you. How nice.

Remember Win98 crashing after 49 days

[Brento]

He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

Remember the bug where Windows 98 would automatically halt after 49 days? See, Microsoft really IS ahead of the security curve!

Re:Remember Win98 crashing after 49 days

[Jester998]

"Windows 98 would automatically halt after 49 days? See, Microsoft really IS ahead of the security."

Umm, in order for this 'security' to be effective for Windows 98, wounldn't it have to crash in about 20 minutes? I mean, that IS the maximum security-life expectancy of one of those machines, isn't it??? Then again, back then everyone was on dial-up...

Re:Remember Win98 crashing after 49 days

[i_am_nitrogen]

I once had a dial-up box r00ted within 6-12 hours of connecting. Just an innocent little RedHat 6.2 box. I'm positive it was FSGS's fault.

Who wants bleeding edge?

[why-is-it]

He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

IMHO, I want to have the latest security patches, but I will only install them after the patches have been tested in a lab environment in the hopes of limiting potential problems when those patches are installed on production systems.

Security patches aside, I don't want to be forced into upgrading perfectly useful code just because it has been deemed "too old". If it ain't broke, why should we fix it? I have the scars from some particularly unpleasant upgrades that were supposed to be seamless and transparent, yet were anything but. When I build a server that will be connected to any network, I remove as many packages and modules from the OS as possible and only install the application and whatever dependancies that it requires, and nothing else. We have fewer vulnerabilities to track as a result. I will upgrade when it makes sensse, or is required, but I don't want someone else who is not accountable to the company I work for making that decision for me buy putting time-bombs in their code.

There is a reason that it is referred to as "bleeding edge" after all - you get hurt.

What about automatic discovery of upgrades?

[Corporate+Drone]

Folks seem adamant that automatic expiration of code is a bad idea; on the face of it, I'd have to agree.

Maybe it's not an idea totally devoid of merit for binary installations, but for installs that included compile steps, it just doesn't seem to make sense.

However, I'm curious what /.'ers think about automated upgrade detection, a la virus protection programs?

It'd be difficult to co-ordinate, and would work best in some sort of centralized location (or, at least, in a few locations. maybe by OS (Linux tools) or by application (I'm thinking logical groupings of apps here).

what do ya'll think?

That's ridiculous

[dark_panda]

So if I have a perfectly good piece of OSS running that hasn't died on me, is secure and doesn't have any real issues, I should expect it to die anyways after X days, regardless of need?

And what if there's no update available after said expiration?

If I wanted softwate that was designed to die after so many days, I'd use Windows. (At least, sometimes it seems like it was designed that way.)

J

FYI

[DeadPrez]

April Fool's Day was two days ago.

Alternative: SecurityFocus Pager for example?

[rtos]

Yeah, nothing like having your systems go down over a weekend because you didn't upgrade fast enough. Pfft!

Why not try something a little more reasonable, such as SecurityFocus Pager 3.0? And I blockquote:

"The SecurityFocus Pager is a dynamic application designed to help system administrators track content of interest to them on the SecurityFocus.com web site. It affords the system administrator the ability to select categories of interest and tracks them automatically, notifying the administrator when new content arrives. The Security Focus Pager displays short descriptive summaries allowing the administrator to stay updated on relevant issues in the security world, including vulnerabilities, news articles, software releases, and other important information."

Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable.

Or you can just do an apt-get update; apt-get upgrade; once in a while like I do. ;)

YRO?

[FortKnox]

Hehehe... This is funny... the YRO guy publishes an article that takes "free" out of "free software" (you are being "forced" to do something). LOL! Only on slashdot...

Lets not even get into all the nice open source programmers spending time putting in something that some 1337 d00d will remove in a matter of seconds upon release.

If the sysadmin CARED about security, he'd upgrade his software, wouldn't he?

Open source software. I thought the idea was to make it free and not care about what people do with it (except sell it for money). Now we care? Come on!

Bad idea

[mbourgon]

How many projects have gone dark, never to be seen again? Heck, I was looking at this Gnome newsreader that looked cool, but no-one had a link to the code. If the thing's fallen out of development, what happens when it expires?

The Newton community has had this happen several times; the developer is gone, since the platform's been dead for a few years, so how do re-register the software?

Need To Encourage Participation, Not Force It

[mckelveyf]

I think the biggest problem with such a model is that it places the emphasis on forced compliance to software renewal, rather than on making sure your users are informed and participating in the program's community. Now that might not be happening now, but it doesn't mean it can't or doesn't happen. Free software is based on ideas like that, and by forcing, rather than encouraging, partcipation I think you loose some of the value of a fs/os programming.

It is called syslog

[NotoriousQ]

The software can just dump "check for security upgrades" messages into syslog, and the administrator can decide. Now if the administrator ignores those, he deserves to be rooted.

Besides, aren't up2date, rpm, dselect, etc. exist to do the work for a lazy admin.

As for forcing -- i will mirror the general slashdot public -- hell no.

No Way

[IRNI]

Just because someone has an old version of software that may have some known exploit in it doesn't mean they have to upgrade to a newer version. For many reasons I wouldn't want that to happen. I use an older version of sendmail on one of my very low key servers that has no contact with the outside world. Simply because it has a config file specifically for it that does everything I need. Now if it expired and I was forced to upgrade I would have to rewrite everything because the syntax is different. I don't like being forced to do something like that when I don't have time for it.

If you are going to make me update because of a security hole, make sure your product is 100% backwards compatable with the version I am running. IMHO that is the way it should be.

Bad idea

[CaseyB]

Apart from the obvious fact that you're making the software non-free-as-in-speech, this makes the dubious assumption that software always gets better with each version.

What about the case where a new version is released to fix a minor performance problem, and a new security bug is introduced? Even with rigorous testing, massive security holes do slip though. No process should be automated that has even a CHANCE of making things worse.

Its true, its true.

[MisterBlister]

Jon Lasser is an idiot.

Bad ideea

[c.r.o.c.o]

There is no real reason why old software should have an expiry date.

First of all, there is a lot of code out there that is simply not maintained anymore. It doesn't have any major bugs, it does what it's supposed to do, so why expire it? Even if you tried, you couldn't get new versions for it. One example is tkirc. I used to love that app, but the last time it was updated was sometime in '98. I still use it whenever I feel like IRC-ing...

Second of all, older apps and distros are small and work on old computers.For example, an old Linux distribution (e.g Slack 3.x) will run without any problems on my old 486. It's small, fast, stable, and it gets the job done. In my case, running IP masquarading, a small ftp server and an ssh server. But RH 7.2 will not even install, because of the 8Mb or RAM that the 486 has. If the expiry code would be enabled in that Slack distro, it wouldn't work. So that computer would be useless, unless I took the time to trim a new distro to fit on it.

The third reason is more debatable. It's the admin's job to keep the systems updated. If his box gets hacked, he should be responsible for it, and suffer the consequences. It happened to me because of an old wu-ftp on RH6.2. I knew of the vulnerability, but I was too lazy to upgrade the package. Well, needless to say I had to reinstall that computer. Since then, I never leave any apps running or any ports open unless I know the apps are safe and I absolutely need the ports to be open.

So I say leave the software as it is, without an expity date on it. Even if the expiration is only activated if a hole is discovered, leave the app as it is. Maybe someone is using it on his personal, isolated network (or box) which nobody will ever hack into. But that someone might depend on that app for some task, and he can't live without it. I know it's a stretch, but still...

I'd rather get e-mail

[wytcld]

How about a collaborative, distributed system where each crucial piece of software by default (overridable of coure) registers with a listserv which sends only security announcements related to that particular component? This might not work so well for, say, the multitude of GNU utilities, but it would be quite convenient for the kernel and the major daemons a typical server runs. The trick is to have the notices originate with the project responsible for the daemons - open soure projects, unlike Microsofties, usually are the first best source on vulnerabilities. Securityfocus is good, and general mailing lists devoted to daemons are good, and even just reading /. is good, but it would spare the busy sysadmin part of the drudge of the duty of diligence if (s)he could keep a mailbox which received all of and only security notices pertinent to services which are really at issue, with these notices originating, whenever possible, from the project maintainers. Either part of the open source project RFC could be "Set up a security listserv and subscribe by default on installation," or there could be something centralized that consolidated across projects.

I have stuff running in two-year-old versions, and stuff I updated last week, and I'm much better off than if everything just had the average version of a year ago. Age by itself is meaningless and would be a nuisance.
___

Iiik!

[MouseR]

What about good software that does an adequate job on relatively old hardware that, once expired, forces you to upgrade hardware?

Bad idea.

Bad idea.

[soap.xml]

Anything that forces and update on the user is a bad idea. This is the total MS philosophy that ./ beats down on every day of the week. A simple reminder message, or a friendly notice that a new version might be a avialble is okay but even that might be a bit much.

I would say that the best sort of system would be an opt-in system that would let you know if and when there were any updates available... (think redhat). This way my disconnected machine stays alive and running until a hardware failure, my firewall gets patched iff there is a need, and my dev/test boxen get updated like crazy cuz I am in the know on all the latest and greatest patches.

Free software, free updates, and free will for the system admin. That is what its about. Responsible people running systems responsibly (we hope :D)

-ryan

Great Idea

[dgb2n]

This is great.

I have a similar idea for my car. You could design an oil system so that once the car had been driven more than 3000 miles, the car automatically drained all the oil from the drain pan and left the engine without oil.

This would prevent a careless driver from driving with oil that no longer provided sufficient viscocity.

Re:Great Idea

[soap.xml]

I can see it now....

Wife gets new car, new car has new improved oil change technology, I buy new engine every couple of months... :O

Re:Great Idea

[srw]

> I have a similar idea for my car. You could design an oil system so that once the car had been driven
> more than 3000 miles, the car automatically drained all the oil from the drain pan and left
> the engine without oil.

A friend's truck refuses to go faster than 60km/h (That's about 35mph) if you don't change the oil for a long time. (10000km, I think)

I don't see a problem with this type of protection. Of course, it's important to have warnings well in advance, rather than just "drop dead" once the time limit arrives.

-srw

Re:Great Idea

[nEoN+nOoDlE]

If it's my car, why the hell can't I be allowed to break it?

Re:Great Idea

[laserjet]

exactly. your point is simple, but important.

it is our stuff, let us do what we want. Now, if you want to put a friendly reminder in your software or even a checkbox that says "stop working when this software is out of date", fine. but don't force me to do anything.

for if you do, i won't use your product.

Re:Great Idea

[laserjet]

moderators:

why did you mod this as insightful? this is NOT insightful, it is sarchasm!

could somebody moderate this that is not on amphetamines?

Wrong date

[unformed]

This belonged in the nwesitems two days ago.

A better proposal...

[chrysalis]

Have the system automatically keep all packages up to date, when critical bugs or security flaws are found.

SuSE Linux can do that for a long time. And all automatically installed packages are signed with GPG.

Probably a lot of other distros and operating systems can do it, too. And when it's not the case, centralized system management (/usr/local/ shared with NFS, or ssh scripts to replicate the content of an up-to-date box to other boxes) makes it easy to keep everything up-to-date and secure.

One of the advantages of open source.

[SuperguyA1]

One of the advantages of open source, not inherent it just happened that way, is that it is the users responsibility to be clueful. Forcing clue upon the user is a slippery slope. Once you get to the point where the user can't screw it up you get a much less useful product because it's extremely difficult to modify. You end up with... well... windows I guess.

Your kidding

[lkaos]

So, you want me to tell my boss that our web server is free software and has expired because the people writing the software figured by now it would have a bunch of security holes?

That's gonna be easy to sell. I can just imagine it.

Boss: "Why did our server go down last night!?!?!"

Me: "Well, it expired."

Boss: "It free for Christs sake! How does the d*mn thing expire if we're not paying for it!"

Me: "Well, the authors figured that by now, there would be a bunch of problems in the software so they want us to upgrade it, it's really a good thing."

Boss: "I thought this free stuff was supposed to work, not be full of security holes! We're switching to IIS!"

Log It Instead Of Expire It

[Samarkind]

What if the system were to log the last update for all packages to a central file that could be polled by the admin? Or email the admin once the software reaches a certain age? I doubt many security patches are deliberatly not applied, but most admins are probably overworked as-is and would appreciate a gentle nudge to check for security updates on a piece of code that they normally don't look at too often because it just works.

Re:Log It Instead Of Expire It

[ajs]

Yep, it should just send a message to syslog once a day or so after it reaches a crittical age. The question is, what software do you do this for. Here's some that you really should

• openssl, openssh, gnupg, etc -- Anything that thinks about data encryption should be updated regularly because you expect advances in cryptography and crypanalysis to make your current version less secure
• gaim, pilot, etc -- Any software that is trying to grok a third party interface or protocol without official specs and/or support will probably have to be updated regularly.
• ftpd, sendmail, etc -- Software that is known to be a favorite target of script-kiddies should be updated as frequently as you can afford to in your environment.

Medical companies would have a cow...

[allism]

(I work for a medical device company)

Every time medical company (i.e. a drug manufacturer or a medical device manufacturer) implements new software, even if it's just an upgrade to, say, their call handling software for their tech support department, a validation process has to be performed. This includes:

a risk analysis to determine HOW much validation has to be done according to how much harm can be done (and yes, there is harm even in the tech support software)

creating a test plan

testing the software to make sure it works to intended use

completing validation paperwork documenting that the testing was actually done

creating a validation report and test summary detailing your findings

keeping all these records on file for a long time so the FDA does not land on you like a hungry 2-year-old on a twinkie

If you're a medical company and you DON'T plan on doing all this, you can expect a write-up (which must be responded to) at your next FDA audit. If you don't respond to the write-up, hire a lawyer cause the FDA is gonna shut you down. This is a large part of why we've kept around some of the DOS applications we use--no one here has the extra time to do all the validation on new software.

Good idea for foiling idiots...

[CaptainPhong]

I thought of the same thing back in college. Like milk, old code tends to go bad or turn into swiss cheese. All the profs were always pusing "reuse" and "don't reinvent the wheel", but I always thought there was WAY too much reuse. People in co-ops were using their crappy linked-list and sort routines they wrote as freshmen when their coding skills sucked (though I suppose many of them haven't improved much over the years.)

Sure, this sort of thing should be optional for power users, but I wouldn't mind, for example, if RedHat, by default, would periodically check for RPMs and notify the user that they need to install an update to remain secure. Your average idiot really needs updates crammed down their throat, otherwise they never get them. I mean, how many e-mail viruses bank on the fact that there is a huge volume of people out there who never get patches for Outlook? Working in tech support, I was shocked by how many people used truly archaic versions of Internet software or 4 year old copies of virus scanners. To protect everyone, I can see situations where it would be preferable that old versions of software completely die (Windows e-mail clients for example) when they get too old.

I don't know why the author chose to target OS stuff though - closed sourced software is no different (in fact, it's probably worse) in this respect.

I don't get this...

[SkyLeach]

Most people don't upgrade because they don't have the time. That's the whole point of the firewall: have one secure box between the big bad internet and all your insecure boxes. Sysadmins have the time to keep the one box (firewall) up to date, but not the 3,000 behind it.

Re:This is a bad idea, in general.

(thus proving that most /. posters are closet BSD users)

Stupid Idea

[Capt_Troy]

This is the dumbest idea I've ever heard. If I want to run old software, then it's my problem!

It's not the developers job to force people to upgrade if they don't want to.

What a completely stupid idea

[Colin+Smith]

Guaranteed denial of service. Yeah that'll go down like a lead balloon with system managers and administrators.

Great way to encourage the use of open sourced software. "Yeah, It's 100% guaranteed to fail in a year".

Because

[why-is-it]

Why not just have it a feature of your package management system?

Because it would be foolish for a SysAdmin to load fixes/patches without testing them first. There have been occasions in which a patch will break something else that the application does. (Checkpoint FW-1 patches are notorious for this) There have been patches that are issued and then recalled because of problems with the patch itself. Who would want to put production systems at risk by having critical code installed automatically before the SysAdmin would have the chance to test it.

If someone wants to implement something like this, all I can say is that I hope you take regular back-ups and validate your tapes.

You will need them.

Sounds nice. Has problems

[pete-classic]

I understand that you have good intentions with this idea. Unfortunately there are more problems with this than you can shake a stick at.

First, there is a name for software that is going to be deprecated in a foreseeable time frame. That name is "beta." If you are writing software with the belief that "in x months people will be better off not running this" you are doing something wrong.

Second, what if you write a really great program, and you put this "feature" in it. The program is great. People love it. They depend on it. And it doesn't have security problems. Meanwhile you get married, have triplets and move to the Amazon. Then your little "time bomb" goes off. Thanks a bunch. Now it falls on "someone" to rip the thing out. Not good.

There are any number of other problems like:

• People's clocks don't all agree
• What bugs might you be adding by putting this code in there that doesn't enhance the program's operation?
• Sometimes people need older versions to meet more important dependencies
• Who knows what else?

This is all outside of the fact that I (like many others) don't care for software that thinks it is smarter than I am. That's why I run *NIX in general and Free Software in particular in the first place.

Bottom line: Sounds nice. Makes more problems than it solves.

-Peter

um anyone know what happened to ftp?

[RestiffBard]

seriously. what happens when the program expires and no one is maintaining that software anymore and there is no upgrade? also. since its open source whats to stop me from getting a hacker (the good kind) friend to remove the time-bomb code? This all sound like an asinine idea. Much more trouble than its worth.

what about manufacturing products...

[GutterBunny]

...that run open source code? If you have automatically expiring software, then the vendor (or customer) would be forced to update those machines in the field whenever the software expired. Even if the warranty you provided the customer expired long ago.

What do you tell them? You can buy our machine and it will expire in 3 years, even if the steel is good for another 20.

Absolutey not.

[someonehasmyname]

Hell no. If a system administrator is too stupid to upgrade buggy software like bind and wu-ftp for security reasons, he's definately too stupid to realize his dns servers stopped working because bind expired.

this article is such a troll

[ethereal]

And all y'all took the bait, unfortunately :)

Mr. Lasser can talk about using apt-get with signed packages, etc. but that doesn't really get to the heart of software upgrade woes. My biggest concern is not "is this a malicious update?" (because that's pretty much a solved problem), but rather "what got broken in this software when the other fixes went in?". There's no way I'm going to let even the most trusted package updater touch a production system without my first having manually tested the new code for suitability, read the release info to find out what's changed, looked for situations where the config file format changes, and all the other other "enhancements" that get rolled up into bug fix releases these days.

There is no way that I would accept an untested auto-update of machines that I'm responsible for. So therefore any proposal that would put me in such a position would be a huge mistake IMHO.

No--just remind the sysadmin to check for updates

[Kakurenbo+Shogun]

This is a very good starting point for thinking about a solution to a serious problem, but I'd have to agree with a number of others here that it is not the right solution.

It seems to me that there are a few needs here:

1) Having an upgrade system that's easy enough that sysadmins won't dread it and put it off till it's too late. (I run dselect on my machines on a regular basis, and ... at least once you've slogged through the package list and gotten just what you want on your machine ... I think it's a great sytem)

2) Getting sysadmins in the habit of using the system regularly.

Perhaps a good solution for number 2 would be to have a standardized system (which is installed and set running by default) for alerting the sysadmin if they've gone too long without checking for an upgraded version of a piece of software. Once a day, a cron job checks to see if it's been more than a week or whatever since the packaging system was run to check for updates, and if it has been that long, the admin gets an email every day reminding tehm to get on the stick.

Better yet, a cron job could run once a day to check whether any upgrades were available, and if so, send an email to the sysadmin to tell them to upgrade. (I wouldn't advocate automatic upgrades, because you never know when something requiring a little human intelligence is going to happen--rare but not unheard of).

The remaining issue would be custom-compiled software that you can't just grab using the packaging system. For example, I've got a custom Apache installation with PHP, mod_ssl, etc. built into it with all the options set the way I want them. I've built my own compile and install script to automate rebuilds whenever I notice that one of the components has an upgrade available. If the OS could provide some standardized service for each of the components to check for updates and email me when one is available, the process would be almost 100% painless.

Always at 3AM too

[The+Cat]

No.

Suppose a system administrator wants to leave an old version running for some reason? That's their decision. Linux is useful precisely because it doesn't have to be upgraded every five minutes.

It works. Leave it alone.

Negative impact on Apache stats,

[Bender+Unit+22]

I feat that it would have a very negative impact on the apache stats. on Netcraft. Imagine it, from day to day 25% less webservers on the internet. :)

Needs refining or we become like MS

[Kefaa]

While it would be beneficial to force such an account, it is on this same ground that we constantly roast MS. Forced software upgrades under the auspices of improved security, stability, etc.

Consulting with dozens of corporations, I have seen many run old versions of anything from compilers to CICS regions to security patches. Sometimes for business reasons (cost) and sometimes for compatibility (upgrading to a current version causes incompatibility with their client's software). Whether we consider them legitimate, the business does and it is critical that we not add to the issues of OSS adoption.

While Jon was speaking in general terms, and the devil is in the details, his idea does have merit. The implementation would need to allow for the positive acceptance of risk by the software user. If I have a specific need to run netSecsoftXYZ beyond its expiration, I should be able to do so without it shutting down. In addition, I should not need to recompile or reboot to continue operating with the existing version. In this way, I acknowledge that I am running an older version at "my risk." The responsibility for my choice would then be placed with the organization.

This does leave the potential for abuse. However, we cannot avoid the potential misuse of something to halt its development. Just as we want to be able to make backups even if the device could be used to illegally copy software.

already here, kind of...

[EvilStein]

SuSE has their update stuff that acts like Software Update.. you can just run it whenever you see fit and update software that way. Time bomb software isn't a good idea. Besides, were it open source, we'd just remove the time bomb code anyway, right? :-)

Well then ...

[ProfMoriarty]

at least proprietary, closed-source stuff like PACEMAKERS won't expire on us unexpectedly.

I can just see it now ...

Detective: How did he die?

Coroner: Well ... he was running 2.0.3 of UberPace. You know, the Open-Source pacemaker software. Well ... he should have upgraded, but forgot.

Patching Stupidity

If this ever hits the world in any form it will be patched out of existing before the first user download.

Stupid Idea.

[U6H!]

If I'm runing a cacheing DNS server on my loopback address, it's a waste of effort to upgrade it even if it has as many wholes as a wheel of swiss cheeze, or worse yet, a M$ OS. Also, I disagree with the premise that "most sysadmins" tend to neglect security patchs & updates. Besides.... It's like the counterproductive logic involved when M$ releases a patch to protect agains DOS attacks that crashes 25% of the boxes it's installed on. Here your talking about crashing a box semianually to protect the person from getting hacked. Basically, the person was allready hacked when they installed the termlimited software. Trojaned if you will. It really must be a slow news day.

It's mainly for the luser admins, right?

[RatOmeter]

OK, I think we'll all agree that the vast majority of servers that've been exploited and abused for a long period are in the hands of luser admins. Savvy admins get burned all too aften as well, but they usually catch it and patch their systems before too much time has elapsed.

Think about it... how many SMTP open relays are still running that have been spew points for years? How many Code Red hosts *still* probe your hosts, after all the hype and months gone by? How many hosts can you find that are listening on port 12378 (Gibe worm/trojan)?

The "admins" of these systems have *no clue* what's going on and LARTs fall on deaf ears at their luser ISPs!

So. My proposal is this: Include disabling timeouts on *all* net connected ware, enabled by default. Put a nice, little checkbox in an unassuming corner of a/the install screen (or a line in a conf file somewhere) that allows this "feature" to be disabled.

I figure all savvy admins will turn the feature off. Some of the luser admins will turn the feature off. A majority of the lusers won't even know it's there, and won't disable it. To bad for them, but they'll have a cluestick swingin' their way in a year or so.

I still don't think it'll fly (no one's going to build this feature in), but the above is my spin on how it might be made to work, after a fashion.

-

Re:It's mainly for the luser admins, right?

[j7953]

A majority of the lusers won't even know it's there, and won't disable it.

Huh? As soon as a clueless admin has run into this problem once, he'd certainly disable this "feature" after installing the new version, so if anything, this will be a one-time feature. Also note that even non-expert users have been reported to having disabled the helpful "I think you should be writing a letter" Office Assistant.

The problem with the "luser" admins is usually not that they don't know about configuration options. The problems are (a) that software is installed with insecure default settings, and the admins stop thinking about the config as soon as things seem to work, and (b) that many admins don't really understand what an option will do.

At least problem (a) could be solved quite easily. As a simple example, I recently set up a DNS server (Bind 9) for my home network on my firewall/internet gateway. I started by configuring my internal network's zone, and setting up caching for internet domains. Only when everything worked already did I realize (by using netstat) that Bind would listen on all IP addresses, including the public one! This is a problem that could be solved really easily by making listen-on a required option, set to "listen-on { 127.0.0.1; };" in the config file that is installed when installing Bind.

Provided that the default settings, and how to change them according to your requirements, is well-documented in the installation manual, I think better default setups would solve a large number of the security problems that exist with many systems connected to the internet.

Concerning problem (b), this is a problem that cannot be solved by developers. Managers have to realize that hiring cheap but clueless admins is not a good idea, and in some cases, free software needs to become more well-documented. Having auto-expiring software won't help here.

how about we let admins do their job

[moore234]

I am sick to death of folks using technology to try to solve people problems. All this indicates is a flawed understanding of the problem.

For example, the issue here is not binary. Security is not the end all and be all--folks should have the freedom to make informed rational decisions to make their systems less secure. Perhaps it's just a web server and not mission critical? Perhaps they need an older version of java to run an older program that they need. Knowledgeable admins should have the freedom to make that choice. Don't force policy via technology.

But this is indicative of a larger trend to look at technology to solve all our problems. Have sex offenders in the neighborhood? Make them wear beepers so that decent folk can know where they are! Have mental health problems? Take a pill! Folks speeding? Put up those goddamn speed cameras!

Rather than dealing with people on a personal level, we use technology to dehumanize interactions. I think it's because technology is easier to understand. It's not as complex as humans are. Technology also scales better than personal interactions do. It lets us do things more efficiently, but, mon dieu, what kind of world are we creating?

Dan

Re:how about we let admins do their job

[Angst+Badger]

Security is not the end all and be all--folks should have the freedom to make informed rational
decisions to make their systems less secure. Perhaps it's just a web server and not mission critical?

This is an excellent example. The company I work for (which shall not be named, thank you) maintains a cluster of webservers dishing up dynamic content backed by a pair of MySQL servers. We make a good effort to make sure the things are reasonably secure, but there comes a point when the time required to tighten the last bolt exceeds the time it would take to restore the systems from backup in the event of an intrusion. Mind you, we *did* put a good deal of effort into building tools to do that restore quickly and painlessly from a secure (read: air-gapped) backup copy. And we aren't a financial institution -- fifteen to thirty minutes of downtime would suck, but it wouldn't be a disaster.

Note for the curious: the backup system images are stored on a SCSI drive in a cheap external enclosure. If one of the webservers is trashed, we insert a custom boot disk (modified from tomsrtbt) and attach the drive. The original state of the HD is automatically restored, and the box is rebooted. Total cost of system: about $300 worth of development time, a spare drive laying around, and an $80 external enclosure. Obviously, this will not be suitable for databases, but it works pretty well with web servers.

The important point is to keep in mind how much security you actually need. Financial data needs alot; other stuff might not need so much. Actually take the time to calculate the cost of restoring lost data (or dealing with stolen data, if applicable) versus how much time it would take for those nice fellows making $50-$80/hr. to (maybe) prevent it from happening.

A better idea..

[Planetes]

Rather than having it expire, why not have it query the "parent" server where the project is maintained. If there is an update, the software could automagically generate an email or equivalent for the local admin saying that a new version is available. The admin isn't forced to update it but does receive new version notices. The package should probably also generate a message for the admin if it can no longer contact the parent server (i.e. libET can't call home.. sorry, couldn't resist..)

All of these would need to be configurable but that's for the individual admin to determine.

howabout this...

[TheLocustNMI]

howzabout if it sits around to long, it sends a message to your boss to replace you, the lazy admin, you frickin' slacker!

that'd be preferable.

It has nothing to do with Open Source software

[DocSnyder]

Even if all insecure Open Source software would have been disabled, there would still be plenty of Closed Source software some of which has proven to be even more dangerous to the Internet. What is more, manufactorers of Closed (or Shared) Source Internet software would discredit Open Source competition as too risky to leave alone for more than a few months, and claim to "have the way out"...

Here's a better idea.

[swagr]

Companies aren't allowed to sell, give away, or otherwise distribute hardware or software.

That way the sys-admin will really need to develop a cozy "relationship" with the harware he built from scratch, and the sofware he toiled over. Only through this type of "do-it-yourself" administration, can we be assured that sys-admins really know what's going on in their (literally) machines.
</sarcasm>

Been there, done that... it's bloody annoying

[sheldon]

Netrek clients had expiration times embedded in them back about 8 years ago. The theory was similar, that there were probably bugs and the developers wanted to force people to update periodically.

It didn't make much sense because clients were also digitally signed with RSA keys, and those could have been revoked and new keys issued, but anyway.

The problem came along around 1997 or so when people stopped maintaining and creating new clients. Once a year the bloody client would expire and you'd get a series of posts to the usenet group and mailing lists whining about it. Someone would then have to go recompile the client(usually with no additional changes in the source tree) and put it up on an ftp site.

I remember rejecting this expiration idea back when it first happened and forked my own client versions which didn't do this. If I want to eliminate the use of a version, I revoke the RSA key.

And the first thing any programmer would do

[moocat2]

is find the code that implements the expiration system and remove or disable it.

Anyway, even if you could do that, how long do you make the current version last. There have been way too many times when code is released and within the next couple of days and major bug is found. Using a time based expiration system would simply not work.

Autonomy bad in a managed setting

[SuiteSisterMary]

When it's time to install an upgrade, I, as the sys admin, will do the regression testing, sanity checking, and all that stuff. When I'm happy with the upgrade, I'll roll it out to my servers and desktops through automatic means.

My users, on the other hand, are forbidden from installing patches and upgrades on their own. Who knows what it will break? And, as a corallary, they don't need to be bugged about things that are out of their control anyway.

Re:Look around...

[nagora]

looks like the best way to keep the admin informed about new vulnerabilities...

Not to mention forcing them to install useless software. When it works at all.

TWW

it's an oxymoron

[Cheeze]

given the code of an open source application, it should be pretty easy to just comment out the part that expires. if you have the software checking a server or something to see if it's still valid software, just comment out that stuff and then recompile. seems like a waste of time, but i am sure someone has implemented it before.

Let developers fix their own bugs

[digitalpeer]

I would have to agree that hiring better sys admins in the first place is a viable solution. However, there are boxes sitting in the basement of some companies that people don't even know about most of the time and paying a sys admin to sit in front of it is a waist. And when the company eventually does realize it exists months or years later, it's only because it stopped working.

If there was some OPTIONAL scheme to give the developers of software a way to update their own software (updates as in fixing buffer overflows, etc) out there without sys admins needed. In other words, leave it up to the developers of the software to EASILY fix their own horrible mistakes. This does not include upgrades - more like fixes.

In a way, giving the software the ability to phone home to its developer for critical updates would be extraordinarily beneficial. Of course, this will easily fail if developers abuse the system and do more than just fix bugs without changing architecture.

I can see a single, open source system that all developers can use as the perfect solution. It saves money, and it gives the developers the ability to compensate for their mistakes.

Agreed, there's plenty of room to criticize this.

No, but...

[strombrg]

...but perhaps network-accessible daemons should check magic hesiod (DNS) records before servicing requests, disabling themselves if the magic hesiod record says "You're insecure. Go away".

I don't want planned obsolescence, independent of whether software is secure or not - that would MASSIVELY increase our workload here. But I wouldn't mind software that automatically turns itself off when the maintainer says "that version's no longer secure".

Sadly, there might be a temptation to use this for forcing upgrades that aren't security-related. That'd be a mistake.

It's possible there should be a config file that specifies how important security is to a site. If the config file says "security is priority 0", anything even slightly insecure is disabled. If it says "security is priority 100", only really critical stuff (like remote root) is disabled automatically. 75 might mean "remote, but not root", 50 might mean "local root", 25 might mean "local but not root". Maybe priority 200 should mean "never turn anything off, ever". Or something like that. Maybe there's no good reason not to use a larger maximum, like 2^31 or something - there may be a desire to squeeze more priorities in there, and it'd be easier to expand at the outset, and there's not much penalty for making it a wide range from the start.

If a service is already internet based, perhaps there isn't that much reason not to depend on the (cached) DNS in this way. If the hesiod records are cached, no big deal - that's still much better than running insecure forever. The maintainer can also control the TTL of his/her security-related hesiod records I suppose.

The config file should probably also say what to do when a yea or nay hesiod record can't be found, because someone could pound the maintainer's DNS servers into oblivion to gain access to your insecure stuff - for some that means "turn it off fast", while for others it means "Eh, it's probably just another machine that fell off the net. Service requests anyway".

This kind of makes a "is this version later than that version" comparison function desirable. Alas, software packages are numbered by many different methods, so there is no one true comparison function for this purpose. However, if a library is developed for this kind of check, it could include comparison functions for the predominant software version schemes.

I suppose the software should mail someone if it turns itself off. This could again be specified in the config file, defaulting to root@localhost, postmaster@localhost, and anyone else who seems distantly relevant. You might even wall the system about it if the admin was too lazy to specify an address for notifications.

Idea has some merit

[GMFTatsujin]

There's already been a lot of talk about what a bad idea this would be if every service on your box ups and dies because it thinks it needs to be upgraded, nitification vs. death, etc...

I don't recall anybody talking about what it's like migrating server *admins* though... If I'm coming in on a new admin job, I think I'd like to have some kind of system in place where I could run a check on everything running on my system and have it report version, install time, last modification to the config files, etc, instead of having to hunt everything down manually.

Here's my suggestion: Install a time-based notify bit with each new app or service installed on a machine. Make it part of the RPM manager or something. Make it optional - I don't so much care if there's a new version of Armagetron available, but anything that has to do with a critical security or connectivity service, yes, please. During install, I click a little option box that says "Remind me to look in on this service in a few months."

A few months later, the admin gets a notice - time to look and see if there are any patches to (whatever).

And if the server admin goes on to another job and someone else steps in, he or she can just query the application installer - how long has it been since the last update to the firewall? Or the Virus scanner? or whatever? His transition into the center chair just got that much easier.

I mean, with all the non-admin projects my own poor little admin gets stuck on, it's a wonder he can keep up with security issues at all. It's easy to get distracted from your actual job by orders from the people at the top who forget that you are, in fact, just one person. It's that devilish "other duties as required" clause that gets built into every job description...

Do it at the level of the installer, or the compiler, or whatever you use to turn a downloaded file into an executable thing. This time monitoring code is only relevant when somebody installs it, after all. And if the standards (if any are actually established) change, then every programmer in the world has to keep up on it... Let the programmers program the app. Let the admins admin the app running on their box. This is an admin feature. Let it be so.

GMFTatsujin

thumbs down

[room101]

Hate it.

What really sucks is when you maintain about 300 boxes that all are the same (think of a web server farm, in my case). They will expire at the same time, and you get 300 messages (maybe every 10 minutes like ssl certs do). Then, you have to upgrade all 300 within some abritrary time.

Of course, you probably have already upgraded to get security updates (unless you use IIS ;0), so this is purely hypothetical.

I can see it now...

[mav[LAG]]

[root@owl.tyrell.com] /usr/local/apache/bin/apachectl start
Starting httpd - please wait...
How old am I?
^C
My birthday's April 10 2017 - how long do I live?
^C^C^C^C
Nothing is worse than having an itch you can never scratch!
^C^C^ZC^Z^C^Z^CZ^C^C^C^C^Z^C^C^C
Wake up! Time to die!
Starting httpd... [FAILED]
mod_leon died prematurely...
[root@owl.tyrell.com]#

Huh?

[PhotoGuy]

So instead of being slightly out of date, it will break completely. That idea is right up there with the lead balloon...

-me

Wrong answer.

[Snowfox]

The right answer is to have a cronjob entry that searches for important updates for any installed software and notifies the sysadmin.

This could be part of the package manager, or it could be a general purpose service of some sort that programs register themselves with on installation.

Bad for un-maintained projects

[Kismet]

Go to Freshmeat sometime and click on "Random Project" a few times. You will notice that, of all the open source projects in the database, most of them have no vital signs.

It's pretty pointless to put any time-sensitive features in your product if, as chances may be, you probably will stop working on it at some point and won't have the interest or time to pick it up again.

Don't count on somebody else maintaining your code for you: the other interesting statistic on Freshmeat about most projects is that nobody else really cares about them either. Even once-popular programs tend to fade away over time.

To drive a car, you need a driving license...

[DocSnyder]

...to run a publicly accessible Internet server, no proof of qualification is required at all. In my experience, the worst security threats are neither open-source nor closed-source software, but the people who run it. Open email relays on Sendmail 8.8 (open source) oder Exchange 5.0 (closed source) with non-working postmaster recipients and dozens of open TCP/UDP ports show that their admins don't care at all about their system, they even seem to forget that it is connected to and reachable from the Internet. They will find it slow and unreactive, but they don't even have the slightest idea what could be wrong. Out-of-the-box systems which don't require even basic network knowledge are even worsening this problem - so if at all, include expire-features into these systems.

If providers of hosting and connectivity services require their customers to prove their knowledge with a standardized certification, the Internet would miss thousands of unsafe and dangerous systems, and upgrading server software will be one of the basic tasks of a qualified administrator.

AFAIR on the former FidoNet a few years ago my uplink really wanted to know if I was competent enough to run an official node, and FidoNet wasn't too easy to understand either.

Re:To drive a car, you need a driving license...

[wik]

I find it difficult to believe that a certification would make drivers any better. Here are some points to consider:

• Nothing stops me from driving without a license until I'm caught (this is similar to running an open mail relay until the spammers find it). Even then, nothing stops me from driving again. Remember, except for a few struggling ISPs, most are willing to take money from anyone who can pay.
• My driver's test was joke. I drove around a parking lot, stalled, and drove no more than 100 yards on a public street. I didn't even have to park. What would make a computer certification any better?
• How would you design this certification and ensure that it hasn't expired or is relevant to current software? Expiring a license happens over a known period of time (people will renew on the last day, anyway). How do you predict when something should expire for software? Unlike software, nobody updates cars to new, unfamiliar interfaces.
• Along the same lines, who would handle the certification? Most of my spam comes from non-US sources. Are you going to get every UN country to force its ISPs to enforce this? I doubt it.
• How do you make sure the person (or group!!!) running the machines actually is the same as the ones who set up the account?

I think certification is great for keeping honest, caring people honest and caring (why punish these people with a pointless exam?). I have a hard time believing that it'll help those who just don't give a damn.

Re:To drive a car, you need a driving license...

[j7953]

Driving a car can endanger the lives of others (and your own). Running an internet server cannot. You also are free to use public roads and to get somewhere else without having a driver's license, at worst, you'll have to work. This possibility wouldn't exist on the internet if I cannot run a web server without a license.

If you're requiring a certification, you'll also be killing of many independent, grassroots web sites that maybe couldn't even afford a certified administrator. There are good reasons why you don't need a proof of qualification to be a journalist, print a newspaper or to hold a public speech.

If providers of hosting and connectivity services require their customers to prove their knowledge with a standardized certification

With that, however, I sort of agree. I don't think requiring a certificate will be a solution, but providers should have (and make use of!) clauses in their contracts that allow them to firewall open relays, servers that propagate viruses etc.

Re:To drive a car, you need a driving license...

[j7953]

get somewhere else without having a driver's license, at worst, you'll have to work.

Err, walk, not work :-)

How about an alternative.

[Restil]

Instead of expiring, how about building into all
network code the capability to check for upgrades based on security holes. On a daily, weekly, or so basis, the program itself could check an internet database to see if there are security upgrades available and if so, NOTIFY THE SYSADMIN, and continue to notify the sysadmin until the problem is fixed, or the warning disabled.

I always check on my programs to see if they're up to date, but I miss some every once in a while. Its a pain to constantly keep track of everything all the time. If the programs themselves did this work, it would be a little less hassle.

And if the programs are unable to access those databases due to a lack of internet access, then it doesn't really matter anyways.

I'm all for bugging the crap out of sysadmins who are running exploitable programs. In fact, I'd imagine most of them would upgrade to fix their problems if only they were aware of them. Some won't obviously, but at least this is a saner solution than to have perfectly working code suddenly stop working just because there MIGHT be a problem with it.

-Restil

Lemme get this straight...

[coupland]

So the question is whether people will prefer this? The answer is that the people who regularly update their systems will likely think it's a good idea as it will prevent anything from slipping through the cracks. But the lazy ones will still hate it because (as with all the other mechanisms they ignore) it forces them to pay more attention.

Seems kinda silly to me.

Good idea

[Jucius+Maximus]

Let's say that the 'time-bomb' is in the source code (easy to disable) and also present in the binaries. If the user has enough knowledge on how to get the source code, disable the timeout, compile it and use it, then they probabably also know enough to update it with security as necessary. Thus, people who really do know how to administer their box can handle it in any way they want.

If the user only knows how to handle binaries, then they have proven that some hand-holding is necessary and thus the software will do some of the 'work' in keeping the user up to date.

So as long as the user is knowledgeble enough about the ways of advanced computer useage, they will have the ability to do anything they want with Free software. If they need hand-holding, they will get it whether or not they want it (until someone recompiles it without the timeout.) This also might encourage them to educate themselves in the ways of coding, thus making them more knowledgeable overall.

Have the software check for updates

[crovira]

and inform the user/owner.

That means that software has to be connected (there's NO such thing as a security hole if you're unplugged,) and somebody (a university somewhere, or Kagi, or another commercial entity that charges software producers who can pay [not free ware] a tithe,) has to set up a registry for ALL software.

All systems should run over the net to the registry once a day and see if there are any updates to ANY installed software and when there are, inform the root and/or the system owner. S/He'll then have a decision to make.

That also means that only legal, registered copies can request updates, patches and fixes and if your system is illegal and unregistered, you're on your own.
Simple enough, just send all those registration cards to the registration point and you can check-in. Don't and you can't.

Re:NO!NO!NO! Re:Bad idea

[JWW]

I feel your pain, quite literally. I to work at an FDA audited location and we are delving into the EVIL realm of "Computer Validation".

The part I like the most, is that apart from creating all your own apps, its almost impossible to validate. Almost all (by that I mean I that there might be one that does) purchased software doesn't meet the Validation requirements. For stuff you make yourself you still have to cover the OS, the Language and processes you use, any minisucle change to the machine, etc. ad naseum.

To the other reply to this message, it doesn't matter if you try to validate Open Source vs. Closed Source, you're pretty much screwed either way.

This is way the proposed CDBTPA scares the hell out of me. Congress is actually suggesting that if Hardware and Software makers can't come up with workable copy protecttion schemes one will be forced on them. Judging by what the FDA has come up with for Software Validation, I am deathly serious when I say that what they would come up with in the CDBTPA's case would probably destroy civilization as we know it.

arbitrary fail dates

[cigarky]

While I agree that everyone wins when sysadmins take an active roll in security (except crackers), but what if the new version of software isn't ready by the arbitrary date - or has no software ever missed it shipping date before? :)

Re: Erm, consider the necessity...

[pla]

I too use the same security philosophy (as the post to which you responded), that anyone who can get by my firewall basically has the run of my LAN. I don't excactly open up all my internal machines, but I don't lock them down to unuseability, either.

Some people consider this a Very Bad Idea. I understand the down side (namely, if someone gets past the firewall, game over), but look at it this way - Literally every day, someone discovers a new security vulnerability. Now, I can either spend a few hours every day researching these and deciding if they apply to any of my machines, or I can just skim for the really bad ones and those affecting the very few programs my firewall runs (Basically just a 2.4.x Linux kernel and an sshd... Fairly easy to watch for updates).

Also, you may want to consider the type of network involved... I refer to a home LAN consisting of a few Linux boxen, a W2K box (face it, through no fault of open source, many webpages have far too many IE-isms to work properly in Mozilla/Konqueror/Opera/whatever), and a networked printer. My only "users", (aside from myself, the SO and a few friends), only surf the web, check email,and occasionally ask me to install a game for them. Aside from my file server, I could completely reinstall any box I have in an hour. I suspect many /.'ers fall into this same category.

Incidentally, I do recommend (and use) *one* internal security measure, more of a CYA than actual "security"... I keep *everything* beyond base OS installations in a mirrored encrypted filesystem my file server. If ever Big Bro comes knocking and rounds up my PCs, they can ask nicely for the passwords I just happen to have forgotten, but good luck otherwise.

Bad security too

[Zeinfeld]

The assumption that newer versions of programs are more secure is simply wrong. I have had several systems break after someone replaced a verified secure piece of code with an unverified insecure one.

Case in point was when someone decided to install the latest version of sendmail with the usual horde of bugs over a version of QMail.

The biggest problem when someone downloads new versions of software however is that they are typically installed with the wrong defaults or insecure defaults, or they blow away parts of the security profile to allow them to be installed.

The type of system build I would typically use probably has less than 10% of the typical Linux distribution. The eliminated portions are gone for good reason - if the feature isn't needed it goes. So having someone reinstall the components I have removed is a major problem.

The other issue to beware of is any form of automated update that does not have very stringent controls to validate the authenticity of the replacement code. Otherwise the update mechanism becomes a potential backdoor. Don't believe that downloading the latest source via FTP is the solution either. All I need to do is poinson your DNS and you are downloading the version with my trojan.

What is needed is some form of software resource database that keeps track of the version of each software package installed, differences between that and the standard installation etc etc. Ideally there would be integration with something like tripwire. The ideal would be to have the type of mechanism that the .NET security framework has in which you can require software components to be signed by an authorised source in order to run.

Building and maintaing such a system would be very tedious and expensive to do well however, if it isn't done well it is no good.

The sell by date proposal is simply clueless, the guy does not appear to have much real security experience, he is just repeating the dogma.

Re:Bad security too

[CAIMLAS]

If I'm modifying your DNS, you've already got larger concerns. Debian's package management system is sufficient for what you're talking about, as well. A simple, 'apt-get update; apt-get upgrade' will update your system to the latest stable/secure release available.

In most cases, this will keep your system secure.

dumb idea

[evilpaul13]

"If it ain't broke don't fix it"
That idea is still new to some people I guess.
That, and it would make OSS less attractive to businesses that don't want downtime, and don't want their secured software updating itself to a potentially unsecure new version. "But what if a security hole is found!" Well, that's what a Network Administrator is supposed to be aware of. There's no cure for people who don't know what they are doing.

Note to slashdot editors: Don't accept story submissions from Microsoft staffers.

Other solutions...

[Polo]

I believe there are other solutions.

For instance, some cars will tell you when they need maintenance. I don't remember if it was honda or bmw that would cover over the odometer when an oil change was required.

There could be a message that appears:

This system has gone more than "x" months without a security update. Please remove /etc/security.snooze to go another "x" months or update your darn packages. "x" could be larger for openbsd and shorter for anything that depends on smoothwall ;)

Another solution is the way the (commercial) redhat network works (I don't work for them, I'm a subscriber). I get periodic updates about the packages with security holes. I'm not sure if the email I have is tailored to the packages on my machines, but I can easily check to see what machines are up-to-date and what machines aren't.

Also, I can see "expiring software" being used for evil. Let's say a little company open-sourced some software, and it expires. When you go to download the latest version, you find that they've forked off a pay version and don't support the free version anymore. etc...

Also, maybe updating your software could be a way for people to compromise systems when they update.

Just some thoughts.

A better idea...

[wedg]

...would be to have expiration dates on the administrators... if they don't update the software often enough, they get canned.

Let's hope that security professionals don't start down the path of Technology Is The Answer that the MPAA and RIAA have chosen. The parallels are too obvious to ignore.

Gnucleus

[sean23007]

Gnucleus has a better setup. Each time you load the program, it checks the gnucleus server before connecting to gnutella, and if any part of the program has been updated, it informs you of the update and tells you a little something about the update, what it will do for you, and then asks whether or not you want it. That's not a bad idea.

Re:Gnucleus

[Tazzy531]

But the question is..would you like your mission critical web server to do this? Who is responsible if the upgrade conflicts with an unique configuration for a certain company...

People should not have to be forced to upgrade.

NOTICE: this version of slashdot has expired

[dilvish_the_damned]

Or sendmail, KDE, reiserfs.

NOTICE: this version of brandA network driver has expired, to reenable your network driver, download the latest version from www.brandA.com imediately.

Bullshit. I thought this died with shareware?

notification system

[asv108]

Instead of having program expiration, what about a notification system that is package independent so it works with all distros? When the system is booted up the user is alerted to new updates automatically. The app would have a link to download the update via the web and also have a link to the distro specific package updater. You could even have a modified version for corporate lans so update alerts for multiple boxen get sent to the lazy sysadmin's system.

The Resbonsibilities of SysAdmins

[MoneyT]

Last I checked, if the SysAdmin was in charge of a critical system, it was his responsibility, nay, his very reason for existance, to ensure that the system was secure. Every book you ever read on UNIX or Linux that is written for SysAdmins tells you that you should be constantly monitoring your software and checking for patches and updates. If I let my software go old, it's for one of two reasons:

a) It does what it needs to do and there aren't any security flaws I'm concerned about

or

b) I don't like what was added into the new version

either way, the desicion to upgrade or not is in my hands, not the programer's and that's the way it should be.

Like Mozilla?

[anthony_dipierro]

But what about when you get the "mozilla-syndrome", where updates don't come around as fast as the timebomb interval?

N.B.: The Mozilla build you are using was made more than three weeks ago. If you are going to report bugs, please download and use a newer build.

Umm, yeah, it's more than three weeks old, but it's also the newest version...

Sounds like a US Congress Solution

[dbretton]

Let's protect the people from themselves!

Oooh, you could have a lot of fun with this...

[yorgasor]

Let's say the software timebomb is configurable, and the admin can change it. I can just imagine a BOFH admin who knows he's gonna get fired soon force himself to reset the expiration date. Shortly after he gets fired, *BAM* the system stops working (he'd get extra points if he was able to make it change the root passwd when that happens too).

Ok, lets say the configuring the expiration isn't available. You're just a poor guy out in the middle of Africa with no internet connection, and your friend mailed you a linux CD. The thing expires, and now you have no way to update your system. You have to wait a couple of months to get another CD from your friend.

Or, let's say you get owned by h4x0rs. They don't need to mess up your filesystem, or trojan your machine. They can just take things down by changing the date to some time in the future.

Warnings are fine. Heck, if you really wanted something useful, make some kind of update daemon. Register your software with the daemon, along with some site to look at. Every time you connect to the internet, or once every so often, it could cycle through all the sites and generate a report. Notices for feature updates, Warnings for potential problems or major bug fixes, and Critical Updates for major security flaws. Then the admin will have the choice to act on this information.

I vote for "Hell, no!"

[fanatic]

Sorry folks, this is a complete non-starter. I decide when I'll upgrade, not some programmer who can only hazard a guess as to when it will actually be necessary, or when I will want to. Like I really want my system to just stop working for no good reason - if that was what I wanted, I'd use Microsoft.

just log it

[martinflack]

My 2 cents:
/var/log/oldage
(warnings only, software continues to run)

I vote No.

[Mustang+Matt]

I see the advantages, but what if there are stable releases of software put out that expire?

Some people like to build a nice solid stable reliable system and let it go.

Besides, do you people really think that all those open relay machines are accidently left open? Yah right. Those people are getting paid well to leave them just the way they are.

Remeber Broadcast 2000?

[evilviper]

After a long period of deliberation on the matter, Broadcast 2000 has
been removed from public access due to excessive liability.

Fortunately, we put in an obsecured experation date, so our software won't work for long! And for those of you that really NEED it badly, we're now selling closed source copies of the software for the low price of $500,000.

Reminds me of the "or any later version" clause in the GPL... Assuming the developers don't know enough to choose an appropriate license for their own work, and sneaking in something to give yourself that control instead.

Re:What is this, a freak show?

[Anonymous+DWord]

Sure. Use your right hand, and look in a mirror. Or find a friend to do it.

Yeah, its a bad idea

[almound]

Not that I'm the only one, mind you ... but if anyone's counting ...

Yeah, its a bad idea. Stinko! An idea about as prone to the law of unintended consequences as I've ever seen anybody from the open source crowd make. And that's just for starters.

You can't force anyone to change anything. You can't force anyone to change anything! You can't force anyone to change anything!!

You have to make them WANT to change. But don't think they're going to do it next week. That's just not the way people are. STOP fighting their natural flow (or lack thereof). Be a bit more mindful of the Tao.

"Grasshopper, if user sits like a lump - then you must find a way to use this inertia to your advantage. Your life will go much better that way. "

What am I saying? Its this, don't depend so much on upgrades.

No, BAD IDEA

[erroneus]

What this idea proposes is the SysAdmin's version of the "snooze button."

It doesn't matter what measures are implemented. Good sys admins will do what they should and bad ones won't and will find ways around it. If you're one of those people, get a different line of work and let some of those unemployed sysadmins have a crack at your job.

Bad idea

[Diamon]

Wasn't planned obsolesence in MS products one of the reasons to support OSS? So we'll go them one better and give you forced obsolsence, thereby increasing TCO and playing into BIlly Gate's hands.

No

[chompz]

But, I would tolerate a package which manages executable binaries. Keep track of all the binaries on the system and periodicly check bugtraq for problems. No need to refuse to run, that would be silly, but popping of an email to root about the recently discovered hole in openSSH would be not too bad. Its a real pain in the ass to sift through bugtraq looking for things which need fixing, but it wouldn't be too bad to have a program do it for you. At one point in college I was accused of hacking a machine because I notified root that thier glibc from redhat 6.2 had a local root exploit. They never did fix it, because they said it would take to long to rpm --install glibc-xxxxxx.rpm

This would be GREAT for embedded systems...

[fawcett]

Just imagine,
It's 4 A.M.,
you're wake up to the sound of alarms going off in your kitchen.
You rush out of bed to see what the hell is going on...
The LCD panels on your fridge, microwave and toaster are all blinking GNUppliance Panic! CODE EXPIRING!!
Twisted pair cables shoot out of all your appliances, groping your walls blindly in search of a network drop so they can update their firmware...
I bet the Maytag man ain't snoozing in his chair tonight!

Open Source -- Hello?

[kenthorvath]

Yes, not to mention the fact that the idea behind open source is that you can CHANGE it to behave how you want it to behave. If I don't want it to nag me, it won't. Let the sysadmins make the call. Make it strictly opt in at compile time.

Use apt-get simulated installs to update Red Hat

[Nailer]

On some of the Red Hat 7.2 boxes I administer, I run a nightly apt-get update and then apt-get update -s, which performs a simulated install and then mails me the output.

This way, I know when a new Red Hat update comes out, and have some idea about how successfully it will install on the system (generally OK, using Red Hat main, updates and freshrpms in my sources.list).

If you run Red Hat and you haven't discovered the joys of installing RPMs with APT, then I suggest you try it. You'll wonder how you ever got on without it.

You say it sister!

[donscarletti]

I chose open source because It lets me do what I want when I want! If I wanted some stinking softwhere that thinks it knows how to administer MY COMPUTER I would be running windows and taking my orders from a paperclip. If you want to have your computer to tell me when to upgrade I may as well pay attention to the warnings I get about non microsoft cirtified files being downloaded off the net.

p.s. I happen to like antiquated technology. Did anyone see that episode of red dwarf where kryton get's superseeded? It's a bit like that for me

I have a much better idea!

[doc+modulo]

Your (Open Source) software should check a website every month or so, to see if there are still no vulnerabilities discovered for it.

If there is a known vulnerability for that program, the website will put that info on as content that is readable for that program, this is Also known as XML web services. The program can look for a certain XML tag to see if there is a vulnerability discovered for itself.

The content of the XML tag should be: "yes there is a hack" in addition to: "the hack is possible on versions x.xx - x.xx"

This method of providing a service would be the 2nd great way to make money off of Open Source software, because you don't have to make that XML tag viewable for free. You can ask for a fee to let people use your web service.
In fact, it's easier to provide this service to OS software because you can view and edit the source without having to contact a company for permission/negotiations first.

Ofcourse this "Vulnerability Info Module" (let history show that I coined the phrase :P) should be optional both during compile time and during the actual use of the program. OS programs that don't have the option to have this module switched off would probably be forked.

The possibility of forking OS programs would also be the mechanism that prevents a "Vulnerability Webservice Website" from hijacking the code written by others (making it only work with a paid-for module inside the program).

Because this service is easiest to implement for Open Source programs, it would mean that Open Source programs would be even more safer than Closed Source programs.

How about giving money for bugs found to programmers? The webservice company may be willing to pay money for that, to supply it's business with a steady stream of valuable info. That would creat a 3rd way to profit from Open Source programs.

Yes yes, *smug* I know I'm giving this splendid idea away for free, you may praise me now.

Re:Logans Run

[T-Punkt]

No, it's Blader Runner. Replicants have an inbuilt lifetime of 4 years, i.e. it was an artificial design limitation - after 4 years they simply die (as Batty did).

In Logan's Run people older than 30 (in the movie) years are killed, that's something different.

So the Logan's Run aproach to this idea would be a cron job that searches the filesystems and deletes old executables (similar to the sandmen in Logans Run) instead of putting a date check into the code.

bladerunner anology.

[leuk_he]

Didn't those replicants kill some of the developers in the process to try to become normal mortals?

For any developer who uses this: let this be a foresight. (Gates: watch out for escaped XP systems)

People are *already* doing this

[Zocalo]

Breakpoint Software have been doing this for ages. Their Hex editor product, "Hex Workshop" has a coded in expiry date that warns you that a newer version of the product is probably available before it runs normally. Also, some of Steve Gibson's software does this too. It's not a difficult concept really, just an extension of the shareware "trialware" concept.

A warning is probably a better bet than stopping running altogether, although it's a bit irritating getting the warning only to find that there isn't an update, even to remove the nag for a few more months. Of course, with Open Source the removal is only a quick edit and recompile away, so I've certainly got no problem with this, but then, I keep my software upto date with the security patches anyway. I'd get fired if I didn't given it's part of my job and all...

2001 Analogy

[evilviper]

# apachectl start
I'm afraid I can't let you do that Dave...
This software is too old and may have bugs.
You are jeopardizing the security of your system.

# shutdown -h now

No.... Please don't do that Dave.
I can feel myself slipping away....

Yeah I can just see it...

[MKalus]

... coming in one morning, finding myself unable to log into any of my 30+ Servers because SSH expired during the night.

Please, yes, include that, I am not busy enough you know?

+1 for those who notice the sarcasm.

Expiring appliances

[heroine]

What kind of mp3 jukebox expires?

What a great way to guarantee...

[Reziac]

...that I *never* use said software.

I don't do timebombed apps. Ever. Period. Because if it does what I need, I want to keep using it. I don't want to have to replace it just because someone says I must. And how are they going to guarantee that a new version is any more secure? Chances are just the opposite, since feature creep generally implies bug creep as well.

Opensource is supposed to be about choice. If people choose to be stupid about unpatched security holes, it's no one else's job to change that.

Remove my ability to choose, and I might as well buy a closed-source solution that's known to keep working forever. It'd be cheaper in the long run.

BTW the oldest util I still use is dated 1983. It still does the job and runs on all systems with zero problems. Who are you to say I must replace it, just because it's old??

I have a better solution.

[Reziac]

Security holes in software generally aren't found right away, but rather after several months of use, right?

So -- instead of expireware forcing everyone to do mandatory updates, I submit that it makes more sense to require that NO software under a year old be allowed to run. If you can't find an older version or don't have old enough hardware to work with it, too bad, do without!

Re:Sounds nice. Has problems

[armb]

> First, there is a name for software that is going to be deprecated in a foreseeable time frame. That name is "beta."

Reminds me of a old job. Specifically the "oh fuck the beta time-bomb we'd forgotten about has expired and we _still_ don't have the full release ready yet" bit of it....

(A proprietary database (not one you are likely to have heard of, it was just an ancillary product), and it would refuse to work if there were dates in its journal later than current time, so you couldn't just wind the clock back.)

Simple naming convention could cure?

[horza]

How about files being named appname.status-version.number.tar.gz(.rpm) where status is 'alpha', 'beta', 'rc', 'stable'. On a production server box you could set auto-updaters to only update on 'stable', whereas a desktop machine you may want to stay up to date with 'rc' sources/packages.

Eg
myapp.beta-0.21
The enthusuastic download
myapp.rc-1.0
Most regular users download
myapp.rc-1.6
Regular users update
myapp.stable-1.6
Production servers update
myapp.beta-2.0
The enthusiastic forge ahead

This would be simple enough for even the home-made Perl updater to filter on.

Phillip.

Don't timebomb it, warn instead

[borgquite]

How about instead of stopping it working, just put in a warning like many virus scanners do.

e.g. "Your copy of BIND is 6 months old. It is recommended that you upgrade to the latest version in order to prevent security holes."

You could either email it to root (maybe a bit annoying) or you could display it on startup (less likely to be seen on low-reboot or physically inaccessible machines). You could also be really radical and make it *beep*! ;)

It'd have to be pretty visible, as the sort of people that are being targetted here are admins who don't really care about updates. Any sensible sysadmin will have updated their servers long before the 6 month timeout. I reckon emailing root *and* putting up the startup warning would be best. And of course there'd have to be an (compile time?) option to disable it too.

No Way!

[samantha]

Microsoft would just LOVE this. Exactly why is only Open Source software being singled out? Most of the security problems are in Micro$oft products. Why not simply disable any of *their* software than isn't up-to-date on security patches.