A Lot of Old Software

Ghost glibc Vulnerability Affects Enterprise Applications | Threatpost | The first stop for security news

Researchers at Veracode this week published their look at Ghost and determined that like Bash, gethostbyname is relatively everywhere. And what’s sure to compound lingering frustration over Ghost is that gethostbyname was long ago deprecated and replaced by getaddrinfo() calls in order to satisfy IPv6 compatibility.

“We were surprised by the pervasiveness of calls to these functions, which are older functions which have been deprecated for about 15 years, mainly because of their lack of support for IPv6,” said Veracode cofounder and CTO Chris Wysopal. “So this analysis shows that there’s still a lot of old software out there that’s being used in production applications.”

Yep. So of course my sites were shut down early this AM while the code monkeys at Hostgator spent time disinfecting my VPS from this bug.
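What the Veracode quote above boils down to at the call-site level is a swap of one resolver API for another. The block below is an added example written for this page, not code from Threatpost, Veracode or Hostgator: it puts a legacy gethostbyname() lookup beside the getaddrinfo() form that replaced it, so you can see what "old software" looks like in a code base and what the modern call returns for the same input. The function names (legacy_lookup, resolve_host) and the numeric_only switch are assumptions made here so the example runs offline with address literals; with numeric_only set to 0 the same function performs a real DNS lookup.

```c
/* Added example: a deprecated gethostbyname() call site next to the
 * getaddrinfo() replacement. Not code from the article or from Veracode's
 * analysis; function names and the numeric_only switch are illustrative. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Legacy form: IPv4 only, and the result points into static storage shared
 * by every caller in the process. Kept here only for comparison. */
static const char *legacy_lookup(const char *host, char *buf, size_t buflen)
{
    struct hostent *he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return NULL;
    return inet_ntop(AF_INET, he->h_addr_list[0], buf, buflen);
}

/* Modern form: getaddrinfo() returns IPv4 and IPv6 results in a per-call
 * list that the caller frees. Writes up to `max` textual addresses into
 * `out` and returns how many were written, or -1 if resolution failed.
 * numeric_only sets AI_NUMERICHOST so only address literals are accepted
 * (no DNS traffic), which is what this example's self-test relies on. */
static int resolve_host(const char *host, int numeric_only,
                        char out[][INET6_ADDRSTRLEN], size_t max)
{
    struct addrinfo hints, *res, *rp;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept both v4 and v6 answers */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per socktype */
    if (numeric_only)
        hints.ai_flags |= AI_NUMERICHOST;

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }

    size_t n = 0;
    for (rp = res; rp != NULL && n < max; rp = rp->ai_next) {
        const void *addr;
        if (rp->ai_family == AF_INET)
            addr = &((struct sockaddr_in *)rp->ai_addr)->sin_addr;
        else if (rp->ai_family == AF_INET6)
            addr = &((struct sockaddr_in6 *)rp->ai_addr)->sin6_addr;
        else
            continue;  /* skip anything that is not an IP address family */
        if (inet_ntop(rp->ai_family, addr, out[n], INET6_ADDRSTRLEN) != NULL)
            n++;
    }
    freeaddrinfo(res);  /* getaddrinfo() allocates; the caller releases */
    return (int)n;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "::1";
    char addrs[8][INET6_ADDRSTRLEN];
    char v4[INET_ADDRSTRLEN];

    /* The legacy call simply cannot represent an IPv6 answer. */
    const char *old = legacy_lookup(host, v4, sizeof v4);
    printf("gethostbyname(%s) -> %s\n", host, old ? old : "(no IPv4 result)");

    int n = resolve_host(host, 0, addrs, 8);
    for (int i = 0; i < n; i++)
        printf("getaddrinfo(%s)   -> %s\n", host, addrs[i]);
    return n > 0 ? 0 : 1;
}
```

Run it with a hostname as the first argument to see the two APIs side by side; with no argument it resolves the IPv6 loopback literal, which the gethostbyname() path cannot return at all.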

Posted in Technology

About Bill Quick

I am a small-l libertarian. My primary concern is to increase individual liberty as much as possible in the face of statist efforts to restrict it from both the right and the left. If I had to sum up my beliefs as concisely as possible, I would say, "Stay out of my wallet and my bedroom," "your liberty stops at my nose," and "don't tread on me." I will believe that things are taking a turn for the better in America when married gays are able to, and do, maintain large arsenals of automatic weapons, and tax collectors are, and do, not.


A Lot of Old Software — 8 Comments

  1. “So this analysis shows that there’s still a lot of old software out there that’s being used in production applications.”

    Why is this so surprising? I present, for your consideration, that dinosaur of programming languages, COBOL:

    COBOL is primarily used in business, finance, and administrative systems for companies and governments. In 1997, Gartner Group estimated that there were a total of 200 billion lines of COBOL in existence which ran 80% of all business programs.

  2. Five years ago I worked for a consulting company which got most of its business in working on and running old COBOL programs. (I was only peripherally involved. I was the head of the non-COBOL team, all five of us.)

    By the way, I actually recommend getting into COBOL and big-iron databases for compsci people who aren’t balls of fire either intellectually or in drive. There’s a lot of COBOL maintenance work out there, and it’s vital because a lot of bigger or older businesses will fail if their programs aren’t kept going, and the workforce of COBOL workers is aging. (At that consulting company, I was in my late 40s, and was slightly younger than the average programmer there.) The work is by no means cool, but it’s steady. You’ll likely have work for the rest of your life, and that’s more important to a lot of people than working on a cool gadget or an app that will be a hit for a year and forgotten next year.

  3. I can, or at one time could, code Cobol. I thought about trying to cash in on that during the runup to Y2K, but in the end, didn’t.

    But yeah – ton of Cobol still out there – modern business programs are like an archeology dig for long-lived major companies, with layers upon layers of obsolete but still running code underneath similar layers of newer, more modern code. It’s like a much-patched road – eventually the road is nothing but patches. Then they slap down a new layer of asphalt on top of everything, and keep right on going.

  4. I was involved a bit in Y2K remediation (premediation?) but on a different end, power systems. Yah, payroll programs going down would be a nuisance, but wouldn’t be lethal (or not directly so). The power going out… I live in the Northeast. The power going out on Jan 1 would kill thousands, maybe millions if it didn’t come back up in a couple days.

    Shortly before midnight of Jan 1, 2000, I was in my car — with a full tank of gas, cold weather gear, and provisions — in a high spot overlooking several of the local cities. I wasn’t really concerned, but it was a relief when midnight came and the lights stayed on, and were still on around 0100, when I went home.

    FWIW, I’d gone to a First Night in Albany that evening (solo; my on-again-off-again girlfriend was off again as of a couple days before) and chatted with a handful of people about whether they were at all worried about Y2K. Short answer, no, they weren’t. This wasn’t justifiable confidence, it was ignorance or “it’s not my problem”. They’re lucky that lots of companies paid lots of programmers and engineers to make sure things would keep working. (And then, when there were essentially no problems when the day came, it was declared by many “leaders” that the money was obviously wasted, or even scammed. Lovely. Fuck them all, and I hope they die the next time something similar comes up.)

  5. I hear that “Y2K hoax” BS all the time and usually I give them an earful.

    Imagine if your bank balance went negative because the interest accrual systems set to 1900 and deducted 100 years’ interest from your account. How long would we last with just the currency in our pockets and the banks shut?