Jon Lasser, 2002-04-03
We all know that outdated network software is a security hazard. The solution: hard-wired expiration codes that self-destruct an old program when it's past its prime.
You are right.
2002-04-03
J. J. Horner
This does seem like some crazy, left-wing, "we'll protect you from yourself", find-someone-else-to-blame, I'm-not-at-fault-because-you-didn't-fix-me idea. You seem to be missing a very important aspect of open-source: To ride the train, you must buy a ticket. The ticket cost is personal responsib...
Death to Old Software
2002-04-03
Steve (1 replies)
Better yet, how about software that will beat the sysadmin over the head with a baseball bat if it finds itself in use for too long?
There's no way I'm going to consider using software that is timebombed, whether open-source or proprietary. I strongly doubt I'm in the minority in that respect.
...
Death to Old Software
2002-04-03
Anonymous (1 replies)
That's what jumped out at me as a better idea, how about a central register of systems with a map of program to a url where the up to date stuff lives and a timestamp for when to warn you that it's getting a bit old. Some kind of automated notification or automatic update (if you're confident of the...
I have a better solution
2002-04-04
A Debian User (1 replies)
Why not a central repository for open source software and scripts that automate updating.
Why not a system that updates itself at regular intervals in a simple manner by typing "apt-get -y update".
Just put this in your cron.weekly. After you install Debian....
Counting the cost
2002-04-03
Working poor
You have a point - MS loves you for it. The problem is not all companies can afford to continually pay for software. Your 'Great Idea' is what MS has been pushing toward for the past few years - and it sucks. Any vendor would love if everyone paid them a large fee monthly per client for the OS a...
Death to Old Software
2002-04-03
Anonymous
Very bad idea. As others have mentioned, sometimes new versions of software introduce bugs which were not present in old versions.
A better idea, though much harder to implement, would be a central registry of software. For each software package, it would contain a list of known problems for ea...
Death to Old Software
2002-04-03
Paul Wouters
> My feeling is that this user should take on the one-time
> difficulty of replacing his keys if necessary to help
> the cause of compatibility. An expiration date would
> make that happen.
Free software is meant to be free. Just like "rm -rf /"
The core philosophy of Unix is not to protect a...
Death to Old Software
2002-04-03
CodePunk
I cannot believe that anyone would stand for such a thing. Say for instance I am running some 50 box webfarm running PHP. One of the authors of php decides to take your advice and put in a time expiration. Now some fateful day I come strolling into work and immediately get my head handed to me on a ...
A really bad idea: The solution is better placed elsewhere
2002-04-03
Robert A. Klahn (rklahn@acm.org) (1 replies)
While thought provoking, with all due respect, this is a really bad idea.
The point to Open Source, or at least the Freedom part of Open Source, is that you should not be forced into anything. This Freedom includes, among other unalienable rights, the right for a System Administrator to be stupid...
A really bad idea: The solution is better placed elsewhere
2002-04-04
CCH
Just to add to this idea, we shouldn't have time-outs or other draconian things. I would hate for working systems to break arbitrarily. The package system could simply do what Windows (OH NO) does and searches for 'critical updates'. (Not Microsoft's idea of critical, but actual problems related to...
a sane suggestion
2002-04-03
Anonymous
If a developer wants to do something productive on this, why not provide a place where sysadmins can volunteer to leave an email address at which they can be notified of issues, updates, et cetera?
The lazy still get what they have coming, and the diligent get a hand at staying on top of updates....
Very stupid, here's why
2002-04-03
Anonymous
So now each program has replicated code, and each deals with expirations in its own special way, making it absolutely hell for the system administrator
(one program might just refuse to start, one might print errors, one might require you to hit enter before it
starts.. who knows!)
What we rea...
What a horrible idea.
2002-04-03
Steve Briggs
Forcing the user to upgrade? Brilliant. Now we're following Microsoft's strategy.
What you must remember is that much open-source software is run internally, in many cases with no fear of any exploitation (especially at home).
Also, is breaking the software and denying the service better t...
Is it a bug or has it expired
2002-04-03
Anonymous
It is hard enough determining what causes stuff to quit without having to run through code trying to find out if the software expired, or something is really wrong. Keeping up with all the updates for the ~10,000 pieces of software in my company is hard enough without adding logic bombs and time bom...
You have got to be kidding me.
2002-04-03
Anonymous
Yes, let's go against the whole premise of freedom in open source, let's FORCE 'em!
You really missed the mark on this one. There are more reasons against this than I can count, but to name a few...who's to say the newer version is better? Just because it's newer doesn't mean it doesn't introdu...
Death to Old Software
2002-04-04
Anonymous
Yet another so-called "expert" wanting to mandate choice on others. Some of us in the "real" world run old apps not by choice, but by circumstance.
I STILL have the original (4.?) sendmail running on SunOS 4.0.2 on a 3/260, not because I want it, not because I'm lazy, but because the machine is ...
Death to Old Software
2002-04-04
Anonymous
This would be a good reason to compile up software from source, so that I could change the timeouts to 2037 before I put the software into production.
I don't want to have to explain to a large group of users that email is broken because we let it expire. I'd much rather blame it on security issu...
Death to Old Software
2002-04-04
Anonymous
That's a dumb idea. No running piece of software should EVER intentionally fail. Perhaps send notifications that the administrator should update it, but NEVER fail. The programmer has no way of judging how much the system will rely on a particular functionality, the cause of the failure may not be i...
Monumentally *BAD* Idea
2002-04-04
Arne Flones
There are any number of reasons why automatically expiring software is just plain bad policy. Foremost is that, as an administrator, I must retain the right to make my own bad decisions. Nobody needs software that decides by itself to make its own bad decisions.
I cannot measure my revulsion t...
other options?
2002-04-04
Mac guy
How about following the lead of Mac OS (no flames, please) and developing a software update mechanism? On the Mac it periodically checks for new versions of installed software (OS, applications, etc.) and notifies the user. The user can then decide what to update, and it will download and install th...
Death to Old Software - What a Crock
2002-04-04
Paul Mauriks
Using your analogy of Cars - no one forces you to upgrade to the latest, it's a decision the consumer makes based on availability of parts, comfort and safety. There are collectors who are happy to accept the deficiencies and continue to drive old cars, despite the difference in driving safety - bra...
Hey an even bigger security hole..
2002-04-04
Anonymous
Put a timer of expiration into an application
that helps protect a computer, like say a firewall,
database (for passwords), etc. Part of the purpose of
using Open Source software is to allow people to
use Obsolete hardware.. Now the concern is eliminating
the obsolete software, who will co...
Death to Old Software... not in my organization
2002-04-04
Steven C. Buttgereit (sf@buttgereit.net)
This idea is a great academic solution to the problem it tries to solve; but selection of software that implements it would show exceptionally poor judgment in the real world.
The answer to the problem of outdated software as presented could only assume that security is the dominant concern of a...
Death to Old Software?
2002-04-04
Anonymous
So abandonware dies on cue?
This is the _worst_ idea I have seen in ages.
Even commercial s/w companies don't work like this, for
very good reasons.
Examples: Lots of sites ran SunOS 4.1.x on old h/w for
years after Sun moved on. Why? because it worked.
Lots of sites used Ingres 6.4 long after...
A really, really stupid idea
2002-04-04
Anonymous
What if the software expires and there is no newer version?
What if the newer version won't run on my hardware (for example, KDE 2 is unusable on my Sparc 5, but KDE 1 is OK)?
Why should you be forced to upgrade if there are no holes?
Being open source, I guess people will remove the expire cod...
Death to Old Software, you NUTS
2002-04-04
Anonymous
Wrong!
Though there should be a better patch/updating system for GNU/Linux software farmers, one cannot force a system to update or cause malfunction in the program without prior notification to the SYSOP; furthermore, only the SYSOP should initiate the patching/updating process.
Good thing abo...
Death to Old Software
2002-04-04
Anonymous
forget it... Given that the timebomb *could* be removed, crackers will assume that it *was*, and will still probe your system for the rpc.statd attack... And ya know what? They're still going to get into systems because as fast as this shit comes out, someone will update lint to automatically remov...
Interesting, but No.
2002-04-04
Chris Fairbairn
There are several problems with this approach:
1. How do you determine the time frame at the end of which the packages will expire? Release times differ from project to project and aren't always reliable.
2. This takes away some of the freedom of Open Source Software by attempting to tell users ...
Poor idea, poorly thought out, poorly described
2002-04-04
Rex Bob Lowenstein
* No thought about risk analysis, and comparative weighting of business risk.
* No thought about business impact
* No understanding of configuration or change management. Have you actually worked in a real job?
All in all, an attempt to return to the bad old days where security "experts" ra...
Death to Old Software: Problems with this idea
2002-04-04
Vinnie
As a sysadmin who actually does update software, this strikes me as a really bad idea.
There's two ways of enforcing expiration (that I can think of, in any case). The first is to make it completely impossible to use the software after an expiration date. The second is to inform the software use...
Horrible Idea !!!
2002-04-04
Anonymous
Jon,
Open Source is about choice. If I use Open Source software and I choose to not apply security patches then that is my choice. Putting expiring code in software is a bit too paternalistic to me. If you are seriously considering putting this in an open source software you write, please warn u...
Death to Old Software (good idea bad implementation)
2002-04-04
Anonymous
My own feeling is that forcing people to upgrade is a double edged sword. I mean talk to anyone who uses MS' Select licensing agreement and they'll tell you that being forced to upgrade due to their new licensing/support model is a huge pain and just plain rude. I've also seen instances where you si...
A cure worse than the disease?
2002-04-04
Echo8
Consider the case of a system administrator in a business-critical environment. Imagine that guy having to explain to his management/shareholders that the company lost a ton of money because some software expired. Imagine the amount of time/staffing that would have to be devoted to doing nothing but...
Death to Old Software
2002-04-04
Paul
I must admit that the idea of forcing bad admins to do their job is tempting, but is this perhaps nothing more than a knee-jerk reaction to having to deal with other people's incompetence? A webserver that I administer still gets between 10-50 Nimda or Red Alert infection attempts a day. I for one w...
A Deepness in the Sky
2002-04-05
Adrian Close <adrian@close.wattle.id.au>
Read Vernor Vinge's book "A Deepness in the Sky". Amongst many other things, he talks about a far future where software is simply referred to as "automation" and it compromises layer upon layer upon layer of code/APIs/libraries, some of it dating back thousands of years (with a cute nod to the gene...
DJB does it right
2002-04-07
Anonymous
Dan Bernstein does it the Right Way. I'm running Qmail and DJBDNS, neither of which have been updated in years. They do exactly what they need to do, neither have been cracked, and I don't have to hassle with upgrading. To top it off, they blow away Postfix, Sendmail, and BIND in usability as well...
Extremely bad idea: here's why...
2002-04-07
Anonymous
(a) Timebombing software in the name of reliability and security is a blatant contradiction of both counts and would guarantee the persistent and, if complex enough, continuous failure of a computer or network system. A timebombed /system/ will face certain failure, even with constant maintenance.
...
Death to Old Software
2002-04-08
Anonymous
interesting ideas, but as always security and knowledge are jobs of sys admins or the end users.
If you are stupid enough to to keep things update, then you are screwed bottom lines. I hate to implement something that limits user's abilities, especially on open source, which is what was supposed t...
Death to Old Software - Stupid Idea
2002-04-09
NightOwl
Microsoft is trying that idea with their new licensing program and it is only designed to create a revenue stream. If a company creates an item of software and someone chooses to not update it because it serves their purpose or they are willing to take a chance on the holes, that is their choice. If y...
Death to Old Software -- Not
2002-04-11
Anonymous
You can tell he's a consultant, because he argues like one.
Crackers wouldn't still be attempting to exploit the hole
if systems weren't still finding vulnerable systems. But
if network daemons such as rpc.statd were "renewed" on a
yearly basis, crackers could stop wasting network
...
What we REALLY need...
2002-04-12
BAShMaster
What we REALLY need is that older versions of the software have the security holes patched, while changing the functionality of the software as little as possible. For example, FooFTPD 1.0.9000 would be as secure as FooFTPD 10.0.2, but FooFTPD 1.0.9000 would be so similar to FooFTPD 1.0.0 that no tr...
Print an expiration message
2002-04-17
Computer Science Tory
Lovers of security are sometimes haters of functionality. What's the point having something so secure you can't do anything to it? And who's got time to keep reinstalling software?
A good compromise would be to print a message to the effect of "This software is old and might be stricken - go to w...
This hard disk will self-destruct in 5 seconds........
2002-04-18
Bob Radvanovsky
I've got a wonderful idea!
How about we introduce some "spyware" that never existed into the kernel releases of the operating systems and demand from users that they need to perform needless upgrades on their systems after 30 days of use (just like Microsoft), huh?
As always, the IMF will disa...
Pathetic
2002-04-19
dw
I can't say much about your article, except that it's a pathetic idea. The idea that /bin/cat might one day tell me it no longer wants to run, I'll come after you.. Not only does this idea taint a program's function, it'd make a program larger, slower, and generally, stupider.
A better idea is to...
Death to Old Software
2002-04-20
Anonymous
You wrote: "One of the big problems with open source software is that, without a base of registered users, it's difficult to ensure that users have actually patched their software for the latest security holes. Unlike Novell, who can find all licensed users of their server products and impress upon ...
Death to Old Software
2002-04-20
Anonymous
Your comment at the top says "We all know that outdated network software is security hazard. The solution: hard-wired expiration codes that self-destruct an old program when it's past its prime."
Looks like you've never worked in a production environment. If software on a server suddenly stops wo...
Death to Old Software
2002-04-21
InterWN Labs <interwn@interwn.nl>
It seems like a good idea but this sort of thing
basically takes away the job of an administrator,
which is to manage and protect a system. Before
any drastic measures like this are taken I believe
that administrators should get their acts together.
This idea is also another way for software ...
Death to Old Software
2002-04-22
Greg
LOL... This article was a late April Fools' joke? This is the stupidest thing I have ever heard of. Let's time bomb things that work well. I am not a complete advocate of holding on to old technology just cause it works, but in a lot of cases, what works is all that's needed, and can be afforded. Oh w...
Death to Old Software - Expiration Message
2002-04-23
Anonymous Mike
I have to agree with Computer Science Tory. An expiration message is most appropriate, auto checking a home site to inform you updates are available is even better. Anti-Virus software use this technique today. They tell you only a luzer would use a signature file this old, but if you got nothing ...