[nSLUG] LTS considered harmful

George N. White III gnwiii at gmail.com
Mon Mar 13 14:39:58 ADT 2017


On 13 March 2017 at 13:26, Daniel AJ Sokolov <daniel at falco.ca> wrote:

> Can you provide more background/examples?
>

Start with
https://oceancolor.gsfc.nasa.gov/forum/oceancolor/topic_show.pl?tid=6460

(At one time you could view this forum without a login, but that may have
changed. The NASA EOSDIS login is free, but you might have to qualify under US
export restrictions to get a login.  There are concerns that EOSDIS will be
defunded with NASA's new focus.)

For user impacts, key threads are:

https://oceancolor.gsfc.nasa.gov/forum/oceancolor/board_show.pl?tid=6427#tid6427

https://oceancolor.gsfc.nasa.gov/forum/oceancolor/topic_show.pl?tid=6427


> And who is not allowed to upgrade?
>

Large sites with significant investments in hardware.  Think of the remote
sensing data ingestion for operational weather models.  These big purchases are
done thru a bidding process, require "threat-risk assessment" (TRA), etc.  The
TRA may require hiring a consultant and will impose conditions on how the system
is used.  Hardware has to be qualified against the OS, etc.  Typically, these
systems are locked up and IT provides hardware maintenance, installs OS vendors'
updates and apps from an approved list.  Users are stuck with the base OS until
the hardware is replaced, at which time you get a newer base OS.  There is
often a cycle of testing for OS updates from the vendor before they are allowed
on the "production" systems.


> Thank you
> Daniel AJ
>
>
> On 2017-03-11 at 12:01, George N. White III wrote:
> > Last year, Obama issued an order that all US Gov't public facing web
> > servers use https.
> > It seems this also affects  public facing web servers operated by
> > contractors, such as
> > hdfgroup.org <http://hdfgroup.org>.  The NASA systems I use are
> > configured to "Mozilla Modern" standards
> > (https://wiki.mozilla.org/Security/Server_Side_TLS):
> >
> > "For services that don't need backward compatibility, the parameters
> > below provide a higher level of security. This configuration is
> > compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera
> > 17, Safari 9, Android 5.0, and Java 8."
> >
> > As the hackers move to softer targets in other countries, similar
> > configurations are going to be needed in Canada.
> >
> > This list omits many real-world clients (python scripts, git, etc), so
> > in practice, Ubuntu 14.04 (LTS) support for https in git doesn't work
> > because git was built with libcurl that uses an old gnutls library.
> > Many sites ran into trouble because they aren't allowed to upgrade LTS
> > linux until year 5, nor are they supposed to replace vendor-supplied tools.
> > Linux was not alone in being  caught using obsolete libraries, current
> > macOS python ssl is linked to a very old openssl library.
> >
> > Given the current security environment, a 5-year "LTS" model doesn't
> > work for systems that need to connect to internet servers.  Firefox,
> > Chrome, and Java provide their own TLS implementations.    Anaconda
> > python includes newer TLS libraries with tools such as git and curl.
> > Maybe it is time to have "Mozilla Modern network tools for LT linux".
>
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca
> http://nslug.ns.ca/mailman/listinfo/nslug
>



-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
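The failure mode described in the quoted message (a "Mozilla Modern" server and a client built on an old TLS library that share no protocol version or cipher suite) can be checked before a tool breaks in production. The following is an added example, not code from the list post or from NASA or Mozilla: the server profile is a constructed approximation of the Mozilla "Modern" profile as it stood in early 2017 (TLS 1.2 with ECDHE key exchange), the sample clients are constructed, and `local_python_caps()` reports what the interpreter running the script is actually linked against.

```python
"""Check whether a TLS client's capabilities can satisfy a 'Mozilla Modern'-style
server policy, and report the TLS stack of the running Python interpreter.

Added example (not from the original post). MODERN_2017_POLICY is a constructed
approximation of Mozilla's "Modern" profile as of early 2017; consult
https://wiki.mozilla.org/Security/Server_Side_TLS for the current definition.
"""
import ssl
from dataclasses import dataclass

# Constructed approximation of the 2017 "Modern" profile: TLS 1.2 only,
# ECDHE key exchange, AEAD or SHA-2 HMAC ciphers.
MODERN_2017_POLICY = {
    "versions": {"TLSv1.2"},
    "ciphers": {
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
        "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    },
}


@dataclass
class ClientCaps:
    """What a client offers in its ClientHello: protocol versions and ciphers."""
    name: str
    versions: set
    ciphers: set


def negotiable(client: ClientCaps, policy=MODERN_2017_POLICY):
    """Return (ok, reason).  A handshake can only succeed if the client and the
    server policy share at least one protocol version AND one cipher suite."""
    shared_versions = client.versions & policy["versions"]
    if not shared_versions:
        return False, (f"{client.name}: no common protocol version "
                       f"(client offers {sorted(client.versions)})")
    shared_ciphers = client.ciphers & policy["ciphers"]
    if not shared_ciphers:
        return False, f"{client.name}: no common cipher suite"
    return True, f"{client.name}: ok via {max(shared_versions)}"


def local_python_caps():
    """Describe the TLS stack the running interpreter is linked against.
    This is the check a site would run on an LTS box before trusting its
    vendor-supplied Python against a Modern-profile server."""
    ctx = ssl.create_default_context()
    versions = set()
    if getattr(ssl, "HAS_TLSv1_2", True):
        versions.add("TLSv1.2")
    if getattr(ssl, "HAS_TLSv1_3", False):
        versions.add("TLSv1.3")
    ciphers = {c["name"] for c in ctx.get_ciphers()}
    return ClientCaps(ssl.OPENSSL_VERSION, versions, ciphers)


# Constructed sample clients: a legacy stack with no TLS 1.2, a TLS 1.2 stack
# without ECDHE, and a current one.
SAMPLE_CLIENTS = [
    ClientCaps("legacy-no-tls12 (constructed)", {"TLSv1.0", "TLSv1.1"},
               {"AES128-SHA", "DHE-RSA-AES256-SHA"}),
    ClientCaps("tls12-no-ecdhe (constructed)", {"TLSv1.2"},
               {"AES128-SHA", "DHE-RSA-AES256-SHA"}),
    ClientCaps("current (constructed)", {"TLSv1.2", "TLSv1.3"},
               {"ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"}),
]


def report(clients=SAMPLE_CLIENTS, policy=MODERN_2017_POLICY):
    """Evaluate every client against the policy; returns list of (name, ok, reason)."""
    return [(c.name,) + negotiable(c, policy) for c in clients]


if __name__ == "__main__":
    for name, ok, reason in report(SAMPLE_CLIENTS + [local_python_caps()]):
        print("PASS" if ok else "FAIL", "-", reason)
```

Run it on the machine whose tools are in question; the last line reports the interpreter's own OpenSSL build, which is the same kind of mismatch the post describes for git built against an old libcurl/gnutls. The two failure branches in `negotiable` correspond to the two ways an old client is locked out: no shared protocol version, or a shared version but no shared (ECDHE) cipher suite.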