[nSLUG] LTS considered harmful

Rory Bray rory at unixism.org
Tue Mar 14 21:45:11 ADT 2017


This may be more a symptom of outdated purchasing models and onerous
processes rather than an issue with LTS itself.

I run into this from time to time where some standard or other requires
very specific configurations for cipher suites or very specific
(certified) versions of libraries. This is supposedly in the name of
security but certifications take so long to obtain that by the time they
are approved new vulnerabilities have been discovered. Upgrading may not
be allowed because it would take one out of compliance with the security
standard or certification. One of the many ironies in cybersecurity.


On 2017-03-13 14:39, George N. White III wrote:
> On 13 March 2017 at 13:26, Daniel AJ Sokolov <daniel at falco.ca> wrote:
>
>     Can you provide more background/examples?
>
>
> Start with
> https://oceancolor.gsfc.nasa.gov/forum/oceancolor/topic_show.pl?tid=6460
>
> (At one time you could view this forum without a login, but that may
> have changed. The NASA EOSDIS login is free, but you might have to
> qualify under US export restrictions to get a login. There are concerns
> that EOSDIS will be defunded with NASA's new focus.)
>
> For user impacts, key threads are:
>
> https://oceancolor.gsfc.nasa.gov/forum/oceancolor/board_show.pl?tid=6427#tid6427
>
> https://oceancolor.gsfc.nasa.gov/forum/oceancolor/topic_show.pl?tid=6427
>
>
>     And who is not allowed to upgrade?
>
>
> Large sites with significant investments in hardware. Think of the
> remote sensing data ingestion for operational weather models. These big
> purchases are done thru a bidding process, require "threat-risk
> assessment" (TRA), etc. The TRA may require hiring a consultant and will
> impose conditions on how the system is used. Hardware has to be
> qualified against the OS, etc. Typically, these systems are locked up
> and IT provides hardware maintenance, installs OS vendors' updates and
> apps from an approved list. Users are stuck with the base OS until the
> hardware is replaced, at which time you get a newer base OS. There is
> often a cycle of testing for OS updates from the vendor before they are
> allowed on the "production" systems.
>
>
>     Thank you
>     Daniel AJ
>
>
>     On 2017-03-11 at 12:01, George N. White III wrote:
>     > Last year, Obama issued an order that all US Gov't public facing
>     > web servers use https. It seems this also affects public facing web
>     > servers operated by contractors, such as hdfgroup.org. The NASA
>     > systems I use are configured to "Mozilla Modern" standards
>     > (https://wiki.mozilla.org/Security/Server_Side_TLS):
>     >
>     > "For services that don't need backward compatibility, the parameters
>     > below provide a higher level of security. This configuration is
>     > compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge,
>     > Opera 17, Safari 9, Android 5.0, and Java 8."
>     >
>     > As the hackers move to softer targets in other countries, similar
>     > configurations are going to be needed in Canada.
>     >
>     > This list omits many real-world clients (python scripts, git, etc),
>     > so in practice, Ubuntu 14.04 (LTS) support for https in git doesn't
>     > work because git was built with libcurl that uses an old gnutls
>     > library. Many sites ran into trouble because they aren't allowed to
>     > upgrade LTS linux until year 5, nor are they supposed to replace
>     > vendor-supplied tools. Linux was not alone in being caught using
>     > obsolete libraries, current macOS python ssl is linked to a very old
>     > openssl library.
>     >
>     > Given the current security environment, a 5-year "LTS" model doesn't
>     > work for systems that need to connect to internet servers. Firefox,
>     > Chrome, and Java provide their own TLS implementations. Anaconda
>     > python includes newer TLS libraries with tools such as git and curl.
>     > Maybe it is time to have "Mozilla Modern network tools for LTS
>     > linux".
>
>     _______________________________________________
>     nSLUG mailing list
>     nSLUG at nslug.ns.ca
>     http://nslug.ns.ca/mailman/listinfo/nslug
>
>
>
>
> -- 
> George N. White III <aa056 at chebucto.ns.ca>
> Head of St. Margarets Bay, Nova Scotia
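The client-side failure George describes (a git or python built against an old libcurl/gnutls or openssl that a "Mozilla Modern" server will refuse) can be checked before a compliance freeze makes upgrading impossible. The following is an added example, not code from this thread; it approximates the Modern profile as TLS 1.2 or newer with ECDHE key exchange and AEAD ciphers (an assumption, not Mozilla's exact suite list), and the two sample cipher lists are constructed.

```python
"""Preflight: can this TLS client stack still reach a 'Mozilla Modern' server?

Added illustration for the nSLUG thread, not code from it. The profile
encoded below is an assumption that approximates Mozilla Modern (TLS 1.2+,
forward-secret ECDHE, AEAD-only); it is not Mozilla's exact cipher list.
"""
import re
import ssl

# Assumed approximation of the Modern profile.
MODERN_MIN_VERSION = "TLSv1.2"
MODERN_SUITE = re.compile(
    r"^ECDHE-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$")
TLS13_SUITE = re.compile(
    r"^TLS_(AES_(128|256)_GCM_SHA(256|384)|CHACHA20_POLY1305_SHA256)$")
# Unknown protocol strings (e.g. "TLSv1/SSLv3" from very old OpenSSL) rank 0.
VERSION_RANK = {"SSLv3": 1, "TLSv1.0": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed samples in the shape of ssl.SSLContext.get_ciphers() entries.
OLD_STACK = [  # CBC-only, TLS 1.0 era: what a 2014-vintage client looks like
    {"name": "AES128-SHA", "protocol": "TLSv1.0"},
    {"name": "DHE-RSA-AES256-SHA", "protocol": "TLSv1.0"},
    {"name": "ECDHE-RSA-AES256-SHA", "protocol": "TLSv1.0"},
]
NEW_STACK = [  # a current stack that still keeps one legacy suite around
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "AES128-SHA", "protocol": "TLSv1.0"},
]


def check_client(ciphers):
    """Report whether a Modern-configured server would accept this client.
    Only the 'name' and 'protocol' keys are used, so the check runs against
    real get_ciphers() output as well as the constructed samples above."""
    newest = max((c["protocol"] for c in ciphers), key=lambda p: VERSION_RANK.get(p, 0))
    usable = [c["name"] for c in ciphers
              if MODERN_SUITE.match(c["name"]) or TLS13_SUITE.match(c["name"])]
    reasons = []
    if VERSION_RANK.get(newest, 0) < VERSION_RANK[MODERN_MIN_VERSION]:
        reasons.append(f"client tops out at {newest}; Modern needs {MODERN_MIN_VERSION}+")
    if not usable:
        reasons.append("no ECDHE/AEAD suite offered; Modern servers reject CBC/RSA-only clients")
    return {"compatible": not reasons, "newest": newest,
            "usable_suites": usable, "reasons": reasons}


def local_stack_report():
    """Run the same check against the interpreter's own OpenSSL build."""
    ctx = ssl.create_default_context()
    return ssl.OPENSSL_VERSION, check_client(ctx.get_ciphers())


if __name__ == "__main__":
    print(local_stack_report())
```

Run the script on the LTS host in question; an "old stack" style result means git, curl or python there will fail against Modern servers regardless of what the base OS vendor still supports.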
