system autodeath

Glen Turner gdt at gdt.id.au
Sun Sep 14 12:13:53 UTC 2008


Hello,

I am the author of the Wiki page with the suggestion. A friend showed
me this discussion and I'd like to add a few points.


MOTIVATION

The intent is to remove machines which are subvertible from the Internet.

My employer provides network connectivity to universities, and it's very
evident in traffic profiles when a distribution ceases maintenance and
an exploit for a never-to-be-patched flaw sweeps across the network.

In the past we found a real person for the IP address which has been
subverted, educated that person in the evil side of the Internet, and
then encouraged them to act. Today -- like most ISPs -- we are becoming
less and less generous about this massive waste of our time. I can
see the day arriving where we automatically blackhole machines which
reach some threshold in the IDS systems. Of course, this is less than
optimal, as the first thing we'll see is misuse of that automation by
some IRC user upset at other IRC users.

The loss of default route is no different to what we do if we can't
get a subverted machine fixed -- we simply set our routing table to
blackhole all traffic to and from that machine. The end result for
an EOL machine is the same -- it is only a matter of timing and cost.

This motivation is substantially different to the motivation for Windows Genuine
Advantage. In fact, WGA discourages some users from being up to date with
patches, which is counter to our goal.


GUI V SERVER

There's no difference between server and desktop machines. From a
networking perspective a desktop Linux machine is simply a server
which has a console user for a third of the day.  Unfortunately,
desktop machines are now so abundant in computing resources that
users generally do not notice exploit behaviour.

Nagging GUI users would be fine. But that would be a related package,
not this one.


PHILOSOPHY

To be effective, the package will need to be installed by default.
I do realise that this is a big ask, and something likely to be
achieved by small steps. People will need to become conversant with
the idea and happy with the quality of the implementation.

If a sysadmin intends deploying a machine past EOL, they can simply
remove the autodeath package.

If a sysadmin needs to stop autodeath acting (because it is hosing
an important machine) then there should be two configuration switches:
  - a "not now" toggle, which is reset on OS upgrade
  - a "never" switch, which disables autodeath from acting, ever.

Because the configuration holds the expiry date, logwatch can warn of
expiring Internet connectivity for a machine, just as it warns of expiring
certificates today.

Someone mentioned "tyranny". I rather think of this as correctly assigning
the work from an unmaintained machine. Making the system owner of the
machine deal with their lack of an upgrade plan is much, much fairer than
pushing the cost onto network administrators, ISPs or onto those people
DDoSed by a subverted machine.

And yes, we've all failed at various times to do the work of a timely
upgrade of a short-life operating system. A lot of the argument seems
to be that avoiding a penalty for this is OK.  I'd argue in return that
this is a mix of hubris (my machine would never be subverted) and cost-shifting
(a subversion will harm others more than me).

Best wishes to all, Glen

-- 
  Glen Turner   <http://www.gdt.id.au/~gdt/>
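As an added sketch, not code from this post or from any Fedora package, the expiry date, the "not now" toggle and the "never" switch described above can be wired into one daily check; the config file format (KEY=VALUE, sourced like an /etc/sysconfig file), the key names EXPIRY, NOT_NOW, NEVER and WARN_DAYS, and the DRY_RUN knob are all assumptions.

```shell
#!/bin/sh
# Added example, not the post's or Fedora's code: decision logic for a
# hypothetical "autodeath" package. Config format, key names and the
# DRY_RUN knob are assumptions made for illustration.

# autodeath_decide EXPIRY_EPOCH NOW_EPOCH NOT_NOW NEVER WARN_DAYS
# Prints one verdict: disabled, deferred, ok, warn:<days>, or act.
autodeath_decide() {
    expiry=$1; now=$2; not_now=$3; never=$4; warn_days=$5
    # "never" switch: the package must not act, ever, so check it first.
    if [ "$never" = "yes" ]; then echo disabled; return 0; fi
    # "not now" toggle: skip this run; the OS upgrade path clears it again.
    if [ "$not_now" = "yes" ]; then echo deferred; return 0; fi
    if [ "$now" -ge "$expiry" ]; then echo act; return 0; fi
    remaining=$(( (expiry - now) / 86400 ))
    if [ "$remaining" -lt "$warn_days" ]; then
        echo "warn:$remaining"        # logwatch-style early warning
    else
        echo ok
    fi
}

# autodeath_load FILE: apply defaults, then read the config if present.
autodeath_load() {
    EXPIRY=""; NOT_NOW=no; NEVER=no; WARN_DAYS=30
    if [ -r "$1" ]; then . "$1"; fi
    [ -n "$EXPIRY" ] || { echo "autodeath: no EXPIRY configured" >&2; return 1; }
}

# autodeath_act: the only destructive step; DRY_RUN=1 just reports it.
autodeath_act() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: ip route del default"
    else
        logger -t autodeath "EOL reached; removing default route"
        ip route del default
    fi
}

# autodeath_run FILE: one check, e.g. from daily cron. Prints the verdict.
autodeath_run() {
    autodeath_load "$1" || return 1
    expiry_epoch=$(date -d "$EXPIRY" +%s) || return 1   # GNU date assumed
    verdict=$(autodeath_decide "$expiry_epoch" "$(date +%s)" "$NOT_NOW" "$NEVER" "$WARN_DAYS")
    case $verdict in
        act)    autodeath_act ;;
        warn:*) logger -t autodeath "connectivity expires in ${verdict#warn:} days" ;;
    esac
    echo "$verdict"
}
```

Run with DRY_RUN=1 first to see which verdict a given config produces before letting it touch the routing table.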




More information about the fedora-devel-list mailing list