Slashdot Mirror
Should Open Source Software Expire?
Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendancy most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."
Open Source is about not forcing you to do anything. Besides the code could just be removed. Who is a developer to say how I should administer my box.
As if being kept on the upgrade treadmill by Microsoft isn't bad enough!
You can't pick an arbitrary point in time when software is "too old", or "known to have security holes!" If you could do the latter, you'd just fix the security holes...!
I have old internal boxes that are way way out of date, but safely firewalled away doing just what I want them to do. Rebuilding those every few months/years (or having to remove timebombs from software before I install it) == Bad idea.
I agree that software should assist admins in keeping it uptodate, but honestly, legitimate users shouldn't be affected if an admin is incompetant or lazy.
Why not just have it a feature of your package management system? IE. the not yet finnished, PKGtool 2.0 system
Need help finding the flow? http://www.myspace.com/naturalismandbalance
I think that the premise that all computers are exploitable is a wrong one to persue. Granted, any idiot that leaves an exploitable machine running on the net gets what he deserves, yet in this age of DDOS viruses/trojans, the damage goes far beyond a single machine. BUT, I dont think FORCING an upgrade is the way to go. If I have a machine on an internal network merrily pluggin away for years, why break it if its working?
He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.
Interesting idea, but the assumption that people will only want to run newer software seems a bit flawed to me. To quote the genius Anonymous, "Assumption is the mother of all fuck-ups."
Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space. Under this scheme, I wouldn't be able to; despite the fact that the machine is behind a firewall, I'd be bullied into running larger, more secure software.
The computer is mine. The software is mine. And, should there be an issue, the blame is mine. I don't want anyone who thinks they're smarter than me fucking around with my computers. If I did, I'd run Windows, now wouldn't I?
--saint
Wouldn't it make more sense to include something that checked the web for available updates and presented them to a sysadmin as an option or a recommended upgrade. It's silly to have something "expire" when it can just be patched or upgraded.
Uh, they DIED when they expired. Probably not a good thing to let your web server die over a long holiday weekend.
(Insert "Tears in the Rain" speech here.)
I've often thought that expiry times in software would be a good thing. Not nessesarily in Paid for software, but in free software where free updates are readily available. Would be great for the web.... imagine knowing that you will never have a Netscape 3.x or IE 3.x visitor to your site again... or knowing that on such and such a date you wont have to support Netscape 4
The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?
I don't think the software should automatically update itself or expire, but rather have some way of communicating with the sysadmin. For example, if you use the CPAN module for perl in shell mode, it'll tell you if there's a new version of itself available, and how to update. Most importantly, it does so unobtrusively (as opposed to some programs that get annoying about it).
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
What a dumb thing to say -- any requirement you make for Open Source will be totally ignored by a good segment of the population no matter how good an idea it is. You can't make demands of a free community simply because much of the population are idiots. It's those idiots losing their jobs when the servers become infested with hackers that is going to teach them to update their software. Putting in artificial expiry dates only leaves another worthless feature to debug.
Expiry is for shareware...open source's trademark is its install once, run forever (for most applications) reputation. And for machines properly behind firewalls, this reputation is justified, even with the holes. Who is going to be rooting the print server at our church with no internet access.
Hey freaks: now you're ju
Hey... how else are the young techies of the world supposed to get the plum jobs and read /. all day? =)
How about instead putting a little bug in the code that contacts the author every time the software is run? It could also send some basic marketing information as well, such as the names of every DVD watched, or MP3 played, or every website visited.
What a great feature!
Gnumeric had something like this.
I was running an old version, the one that comes with a default slackware 8.0 install.
On opening, it popped up an alert saying "This software is old, and has probably been updated by now! Check out gnumeric.org for an update."
No hassle, just a one-off friendly reminder.
Good idea, I thought.
You can't pick an arbitrary point in time when software is ... "known to have security holes!"
Sure I can. How about "right now."
Why not try something a little more reasonable, such as SecurityFocus Pager 3.0? And I blockquote:
Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable.Or you can just do an apt-get update; apt-get upgrade; once in a while like I do. ;)
-- null
There is no real reason why old software should have an expiry date.
First of all, there is a lot of code out there that is simply not maintained anymore. It doesn't have any major bugs, it does what it's supposed to do, so why expire it? Even if you tried, you couldn't get new versions for it. One example is tkirc. I used to love that app, but the last time it was updated was sometime in '98. I still use it whenever I feel like IRC-ing...
Second of all, older apps and distros are small and work on old computers.For example, an old Linux distribution (e.g Slack 3.x) will run without any problems on my old 486. It's small, fast, stable, and it gets the job done. In my case, running IP masquarading, a small ftp server and an ssh server. But RH 7.2 will not even install, because of the 8Mb or RAM that the 486 has. If the expiry code would be enabled in that Slack distro, it wouldn't work. So that computer would be useless, unless I took the time to trim a new distro to fit on it.
The third reason is more debatable. It's the admin's job to keep the systems updated. If his box gets hacked, he should be responsible for it, and suffer the consequences. It happened to me because of an old wu-ftp on RH6.2. I knew of the vulnerability, but I was too lazy to upgrade the package. Well, needless to say I had to reinstall that computer. Since then, I never leave any apps running or any ports open unless I know the apps are safe and I absolutely need the ports to be open.
So I say leave the software as it is, without an expity date on it. Even if the expiration is only activated if a hole is discovered, leave the app as it is. Maybe someone is using it on his personal, isolated network (or box) which nobody will ever hack into. But that someone might depend on that app for some task, and he can't live without it. I know it's a stretch, but still...
This is great.
I have a similar idea for my car. You could design an oil system so that once the car had been driven more than 3000 miles, the car automatically drained all the oil from the drain pan and left the engine without oil.
This would prevent a careless driver from driving with oil that no longer provided sufficient viscocity.
So, you want me to tell my boss that our web server is free software and has expired because the people writing the software figured by now it would have a bunch of security holes?
That's gonna be easy to sell. I can just imagine it.
Boss: "Why did our server go down last night!?!?!"
Me: "Well, it expired."
Boss: "It free for Christs sake! How does the d*mn thing expire if we're not paying for it!"
Me: "Well, the authors figured that by now, there would be a bunch of problems in the software so they want us to upgrade it, it's really a good thing."
Boss: "I thought this free stuff was supposed to work, not be full of security holes! We're switching to IIS!"
int func(int a);
func((b += 3, b));
What if the system were to log the last update for all packages to a central file that could be polled by the admin? Or email the admin once the software reaches a certain age? I doubt many security patches are deliberatly not applied, but most admins are probably overworked as-is and would appreciate a gentle nudge to check for security updates on a piece of code that they normally don't look at too often because it just works.
Why not just have it a feature of your package management system?
Because it would be foolish for a SysAdmin to load fixes/patches without testing them first. There have been occasions in which a patch will break something else that the application does. (Checkpoint FW-1 patches are notorious for this) There have been patches that are issued and then recalled because of problems with the patch itself. Who would want to put production systems at risk by having critical code installed automatically before the SysAdmin would have the chance to test it.
If someone wants to implement something like this, all I can say is that I hope you take regular back-ups and validate your tapes.
You will need them.
*** Where are we going? And what's with this handbasket?
First, there is a name for software that is going to be deprecated in a foreseeable time frame. That name is "beta." If you are writing software with the belief that "in x months people will be better off not running this" you are doing something wrong.
Second, what if you write a really great program, and you put this "feature" in it. The program is great. People love it. They depend on it. And it doesn't have security problems. Meanwhile you get married, have triplets and move to the Amazon. Then your little "time bomb" goes off. Thanks a bunch. Now it falls on "someone" to rip the thing out. Not good.
There are any number of other problems like:
This is all outside of the fact that I (like many others) don't care for software that thinks it is smarter than I am. That's why I run *NIX in general and Free Software in particular in the first place.
Bottom line: Sounds nice. Makes more problems than it solves.
-Peter
It seems to me that there are a few needs here:
1) Having an upgrade system that's easy enough that sysadmins won't dread it and put it off till it's too late. (I run dselect on my machines on a regular basis, and ... at least once you've slogged through the package list and gotten just what you want on your machine ... I think it's a great sytem)
2) Getting sysadmins in the habit of using the system regularly.
Perhaps a good solution for number 2 would be to have a standardized system (which is installed and set running by default) for alerting the sysadmin if they've gone too long without checking for an upgraded version of a piece of software. Once a day, a cron job checks to see if it's been more than a week or whatever since the packaging system was run to check for updates, and if it has been that long, the admin gets an email every day reminding tehm to get on the stick.
Better yet, a cron job could run once a day to check whether any upgrades were available, and if so, send an email to the sysadmin to tell them to upgrade. (I wouldn't advocate automatic upgrades, because you never know when something requiring a little human intelligence is going to happen--rare but not unheard of).
The remaining issue would be custom-compiled software that you can't just grab using the packaging system. For example, I've got a custom Apache installation with PHP, mod_ssl, etc. built into it with all the options set the way I want them. I've built my own compile and install script to automate rebuilds whenever I notice that one of the components has an upgrade available. If the OS could provide some standardized service for each of the components to check for updates and email me when one is available, the process would be almost 100% painless.
Convert RSS to HTML - integrate webfeeds into your website
If I'm runing a cacheing DNS server on my loopback address, it's a waste of effort to upgrade it even if it has as many wholes as a wheel of swiss cheeze, or worse yet, a M$ OS. Also, I disagree with the premise that "most sysadmins" tend to neglect security patchs & updates. Besides.... It's like the counterproductive logic involved when M$ releases a patch to protect agains DOS attacks that crashes 25% of the boxes it's installed on. Here your talking about crashing a box semianually to protect the person from getting hacked. Basically, the person was allready hacked when they installed the termlimited software. Trojaned if you will. It really must be a slow news day.
OK, I think we'll all agree that the vast majority of servers that've been exploited and abused for a long period are in the hands of luser admins. Savvy admins get burned all too aften as well, but they usually catch it and patch their systems before too much time has elapsed.
Think about it... how many SMTP open relays are still running that have been spew points for years? How many Code Red hosts *still* probe your hosts, after all the hype and months gone by? How many hosts can you find that are listening on port 12378 (Gibe worm/trojan)?
The "admins" of these systems have *no clue* what's going on and LARTs fall on deaf ears at their luser ISPs!
So. My proposal is this: Include disabling timeouts on *all* net connected ware, enabled by default. Put a nice, little checkbox in an unassuming corner of a/the install screen (or a line in a conf file somewhere) that allows this "feature" to be disabled.
I figure all savvy admins will turn the feature off. Some of the luser admins will turn the feature off. A majority of the lusers won't even know it's there, and won't disable it. To bad for them, but they'll have a cluestick swingin' their way in a year or so.
I still don't think it'll fly (no one's going to build this feature in), but the above is my spin on how it might be made to work, after a fashion.
-
I am sick to death of folks using technology to try to solve people problems. All this indicates is a flawed understanding of the problem.
For example, the issue here is not binary. Security is not the end all and be all--folks should have the freedom to make informed rational decisions to make their systems less secure. Perhaps it's just a web server and not mission critical? Perhaps they need an older version of java to run an older program that they need. Knowledgeable admins should have the freedom to make that choice. Don't force policy via technology.
But this is indicative of a larger trend to look at technology to solve all our problems. Have sex offenders in the neighborhood? Make them wear beepers so that decent folk can know where they are! Have mental health problems? Take a pill! Folks speeding? Put up those goddamn speed cameras!
Rather than dealing with people on a personal level, we use technology to dehumanize interactions. I think it's because technology is easier to understand. It's not as complex as humans are. Technology also scales better than personal interactions do. It lets us do things more efficiently, but, mon dieu, what kind of world are we creating?
Dan
howzabout if it sits around to long, it sends a message to your boss to replace you, the lazy admin, you frickin' slacker!
that'd be preferable.
thelocust[dot]org
Netrek clients had expiration times embedded in them back about 8 years ago. The theory was similar, that there were probably bugs and the developers wanted to force people to update periodically.
It didn't make much sense because clients were also digitally signed with RSA keys, and those could have been revoked and new keys issued, but anyway.
The problem came along around 1997 or so when people stopped maintaining and creating new clients. Once a year the bloody client would expire and you'd get a series of posts to the usenet group and mailing lists whining about it. Someone would then have to go recompile the client(usually with no additional changes in the source tree) and put it up on an ftp site.
I remember rejecting this expiration idea back when it first happened and forked my own client versions which didn't do this. If I want to eliminate the use of a version, I revoke the RSA key.
[root@owl.tyrell.com] /usr/local/apache/bin/apachectl start
Starting httpd - please wait...
How old am I?
^C
My birthday's April 10 2017 - how long do I live?
^C^C^C^C
Nothing is worse than having an itch you can never scratch!
^C^C^ZC^Z^C^Z^CZ^C^C^C^C^Z^C^C^C
Wake up! Time to die!
Starting httpd... [FAILED]
mod_leon died prematurely...
[root@owl.tyrell.com]#
--- Hot Shot City is particularly good.
If providers of hosting and connectivity services require their customers to prove their knowledge with a standardized certification, the Internet would miss thousands of unsafe and dangerous systems, and upgrading server software will be one of the basic tasks of a qualified administrator.
AFAIR on the former FidoNet a few years ago my uplink really wanted to know if I was competent enough to run an official node, and FidoNet wasn't too easy to understand either.
Instead of expiring, how about building into all
network code the capability to check for upgrades based on security holes. On a daily, weekly, or so basis, the program itself could check an internet database to see if there are security upgrades available and if so, NOTIFY THE SYSADMIN, and continue to notify the sysadmin until the problem is fixed, or the warning disabled.
I always check on my programs to see if they're up to date, but I miss some every once in a while. Its a pain to constantly keep track of everything all the time. If the programs themselves did this work, it would be a little less hassle.
And if the programs are unable to access those databases due to a lack of internet access, then it doesn't really matter anyways.
I'm all for bugging the crap out of sysadmins who are running exploitable programs. In fact, I'd imagine most of them would upgrade to fix their problems if only they were aware of them. Some won't obviously, but at least this is a saner solution than to have perfectly working code suddenly stop working just because there MIGHT be a problem with it.
-Restil
Play with my webcams and lights here
I too use the same security philosophy (as the post to which you responded), that anyone who can get by my firewall basically has the run of my LAN. I don't excactly open up all my internal machines, but I don't lock them down to unuseability, either.
/.'ers
fall into this same category.
Some people consider this a Very Bad Idea. I understand the down side (namely, if someone gets past the firewall, game over), but look at it this way - Literally every day, someone discovers a new security vulnerability. Now, I can either spend a few hours every day researching these and deciding if they apply to any of my machines, or I can just skim for the really bad ones and those affecting the very few programs my firewall runs (Basically just a 2.4.x Linux kernel and an sshd... Fairly easy to watch for updates).
Also, you may want to consider the type of network involved... I refer to a home LAN consisting of a few Linux boxen, a W2K box (face it, through no fault of open source, many webpages have far too many IE-isms to work properly in Mozilla/Konqueror/Opera/whatever), and a networked printer. My only "users", (aside from myself, the SO and a few friends), only surf the web, check email,and occasionally ask me to install a game for them. Aside from my file server, I could completely reinstall any box I have in an hour. I suspect many
Incidentally, I do recommend (and use) *one* internal security measure, more of a CYA than actual "security"... I keep *everything* beyond base OS installations in a mirrored encrypted filesystem my file server. If ever Big Bro comes knocking and rounds up my PCs, they can ask nicely for the passwords I just happen to have forgotten, but good luck otherwise.
Case in point was when someone decided to install the latest version of sendmail with the usual horde of bugs over a version of QMail.
The biggest problem when someone downloads new versions of software however is that they are typically installed with the wrong defaults or insecure defaults, or they blow away parts of the security profile to allow them to be installed.
The type of system build I would typically use probably has less than 10% of the typical Linux distribution. The eliminated portions are gone for good reason - if the feature isn't needed it goes. So having someone reinstall the components I have removed is a major problem.
The other issue to beware of is any form of automated update that does not have very stringent controls to validate the authenticity of the replacement code. Otherwise the update mechanism becomes a potential backdoor. Don't believe that downloading the latest source via FTP is the solution either. All I need to do is poinson your DNS and you are downloading the version with my trojan.
What is needed is some form of software resource database that keeps track of the version of each software package installed, differences between that and the standard installation etc etc. Ideally there would be integration with something like tripwire. The ideal would be to have the type of mechanism that the .NET security framework has in which you can require software components to be signed by an authorised source in order to run.
Building and maintaing such a system would be very tedious and expensive to do well however, if it isn't done well it is no good.
The sell by date proposal is simply clueless, the guy does not appear to have much real security experience, he is just repeating the dogma.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Your (Open Source) software should check a website every month or so, to see if there are still no vulnerabilities discovered for it.
:P) should be optional both during compile time and during the actual use of the program. OS programs that don't have the option to have this module switched off would probably be forked.
If there is a known vulnerability for that program, the website will put that info on as content that is readable for that program, this is Also known as XML web services. The program can look for a certain XML tag to see if there is a vulnerability discovered for itself.
The content of the XML tag should be: "yes there is a hack" in addition to: "the hack is possible on versions x.xx - x.xx"
This method of providing a service would be the 2nd great way to make money off of Open Source software, because you don't have to make that XML tag viewable for free. You can ask for a fee to let people use your web service.
In fact, it's easier to provide this service to OS software because you can view and edit the source without having to contact a company for permission/negotiations first.
Ofcourse this "Vulnerability Info Module" (let history show that I coined the phrase
The possibility of forking OS programs would also be the mechanism that prevents a "Vulnerability Webservice Website" from hijacking the code written by others (making it only work with a paid-for module inside the program).
Because this service is easiest to implement for Open Source programs, it would mean that Open Source programs would be even more safer than Closed Source programs.
How about giving money for bugs found to programmers? The webservice company may be willing to pay money for that, to supply it's business with a steady stream of valuable info. That would creat a 3rd way to profit from Open Source programs.
Yes yes, *smug* I know I'm giving this splendid idea away for free, you may praise me now.
- -- Truth addict for life.
# apachectl start
I'm afraid I can't let you do that Dave...
This software is too old and may have bugs.
You are jeopardizing the security of your system.
# shutdown -h now
No.... Please don't do that Dave.
I can feel myself slipping away....
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant