> On Oct 29, 2021, at 12:02, Michael <keybou...@gmail.com> wrote:
> 
> As a user who spent a week trying to figure out what was going on with more 
> and more sites not working, making less of the information out there 
> available to figure out how to solve the expired cert, it was really painful 
> to find out that this was "known in advance", and worse, this implies that 
> ANY "modern", "secure" OS is an inherent time-death, for no good reason.
> 
> Having an easy way to update certs would be wonderful.
> Finding out the hard way that not only did I need to put the DST root in, but 
> that in the next year there's a couple more that will expire, when this was 
> something that could have, and should have, been made very public in advance, 
> was painful.
> 
> Discovering the *harder* way that adding a root key to your personal account 
> is not the same as adding it system wide, meaning that the first information 
> I got wasn't even accurate, only made things worse -- I could browse the web 
> just fine, but stuff running as root from launchd was using a different set 
> of certs that did not include this.
> 
> Some sort of "Warning! This system is considered extremely vulnerable" is 
> fine. But we see ATMs running Windows XP, voting machines running Vista, 
> etc. Old systems being used past their expiration date is normal.

The ancient (and inadequately audited and reviewed, even if not ancient) 
software on ATMs and voting machines should be a scandal. Although they are 
(supposedly) more physically controlled than user desktops/laptops are, and are 
at least INTENDED to be limited to specific kiosk-like functions and nothing 
else, so they're FAR less exposed (software-wise) than a browser accessing 
potentially anything, including once-legit sites that had been hacked to become 
nasty.  The risks are (IMO) NOT THE SAME.

> Or do you think that 50 year old FORTRAN programs on 370 systems should be 
> retired and the entire financial system forced to rewrite code used all 
> around the world?

A heck of a lot had to be fixed for Y2K, and some things that couldn't be fixed 
were either replaced or tossed (including a few that were tossed simply because 
nobody would take responsibility to affirm that they didn't use dates, even 
though it was obvious). Been there, done that. It was only a big yawn-fest due 
to a LOT of hard work. Same thing will happen again in 2038 for any 32-bit 
Unix/Linux code, btw. That won't be modern desktops (just about all of which 
are already 64-bit, some now 64-bit only), but a heck of a lot of embedded 
devices may still be running that old code then. Fortunately I'm retired, so 
assuming I'm still around, I won't have to deal with THAT mess.

>> Sometimes, one has to work with what one has.
> 
> Exactly.

Ok, sometimes. In a retro computing museum. Or in a nonprofit with no budget. 
But for anything serious, one REALLY should be aware of the risks, even if that 
means going back to pen, paper, and snail mail rather than taking the risks. Or 
else realizing that EVERYTHING they do where the information or transaction has 
any value at all, is at greater risk of being corrupted or exploited by 
hostiles if they're doing it on that old system, at least if that system has 
Internet access.

But basically EVERY computer, even if the physical box could last longer, has 
support issues past 5 years old, CERTAINLY if one doesn't have a paid support 
contract. I have a box that's industrial enough that it's 20+ years old and has 
only had a drive or two (mirrored, so never any data loss) replaced, but I 
can't (ok, won't) afford a support contract for it (there probably is still 
support for an older OS version that could still run on it, those things were 
built like tanks!), so I know I'm taking my chances. In other words, no system 
seller is going to be on the hook to support an old system forever as part of 
the purchase price; if they'll provide extended support at all, you'd better 
expect to pay extra for that, every year. EVERYTHING costs, 'cause everybody 
has to make a living, including the rich people and the little people at the 
rich people's companies. Magic no problems forever does NOT exist.
