# Software Obsolescence



## Ftb2015 (Dec 29, 2019)

Hello

My company relies on an old FreeBSD email server that was installed in 2007 and last updated in 2009, before I joined the company. Any attempts to upgrade the machine have been thwarted by the management - “if it ain’t broke, we don’t fix it”. I don’t mind as the server keeps on working fine.

Common sense says this needs to change but I was wondering how common is using the old tech in your line of worn? Do you upgrade as soon as feasible or do you still use something from a decade ago?

Thanks
Ftb


----------



## kpedersen (Dec 29, 2019)

I could ramble on about this stuff for hours (actually my PhD topic).

The short version for me is, if it is offline and you don't need to worry about security then keep using it until it is dust. Useful software is great, no matter how old it is and should be preserved in any way possible 

However, for your purposes, it sounds kind of critical and you might like to mention about breach risks to your management. Even if they say "no", you have done your professional due diligence; the rest is on them. *Try to get it in an email; print it out and frame it over your desk* (or stick it to the side of the server in question haha). Them seeing you do this might hopefully make them reconsider their position.

In the mean time, try to clone the disk and keep a handy VM ready so if it does go down due to hardware failure or other non-security related reason, you can get the VM backup spinning up again with minimal downtime.


----------



## Ftb2015 (Dec 29, 2019)

kpedersen said:


> I could ramble on about this stuff for hours (actually my PhD topic).
> 
> The short version for me is, if it is offline and you don't need to worry about security then keep using it until it is dust. Useful software is great, no matter how old it is and should be preserved in any way possible
> 
> ...



Thanks for your reply. The back up is in place. I was curious if using of old software and hardware is commonplace these days. and maybe see how others managed to convince their management to get on with modern age and use current versions.


----------



## Ftb2015 (Dec 29, 2019)

Phishfry said:


> What cracks me up is how there is a game which was apparently bootlegged alot.
> All the instructions seem to be for FreeBSD 9 or older and newbies really have a hard time adjusting the instructions.
> 
> 
> ...



No idea what you’re on about buddy. Wrong thread perhaps?


----------



## ralphbsz (Dec 30, 2019)

In my professional career, I have often seen ancient software still running. I used to work for the oldest computer company that's still among the major ones (it's over 100 years old), and there were lots of ancient internal systems. However, this is ALWAYS done with a real good cost/benefit/risk analysis. And with extremely careful attention to security: old systems have to be carefully isolated and firewalled, and are for internal use only.

In your case, with a mail server, what your management is making you do is insane AF (please look up the abbreviation "AF" on the internet, it is a particularly forceful and rude way to say "a lot"). By definition, a mail server has to be exposed to the internet, and having a 10-year old software out there is just dumb. Personally, my answer to managements demand would be to get new management, which in practice means quitting.

I agree with kpedersen's advice: get it in writing from your management that you are strongly recommending that this machine be upgraded or replaced, and that they are refusing it. But don't keep the only copy of that e-mail at work, instead save a paper copy of it at home, or e-mail it to your personal attorney (under attorney-client privilege). Because if this blows up, it is possible that you will (a) lose your job, and (b) be personally sued, and at that point that e-mail will be an important piece of evidence to allow you to force discovery of documents from your employer. In particular, since if the e-mail server is destroyed, your (ex-) employer won't be able to honor subpoenas of e-mails, so paper or off-site copies will become important.


----------



## Remington (Dec 30, 2019)

You can also bring this issue up to your senior manager up the chain but your manager may not like it.  It's a high security risk to the company running 10 years outdated email server completely exposed to Internet and the upper management needs to be aware of it.  It's a disaster waiting to happen when a hacker breaks into the server.

Be sure to document everything between you and the manager and secure it for your defense.  One day when it blows up, your manager will be held responsible... not you.


----------



## Birdy (Dec 30, 2019)

Ftb2015 said:


> ... how ... to convince their management to get on with modern age and use current versions.


Advise to have a hacker demonstrate whether it ain't broke or needs fixing?


----------



## Ftb2015 (Dec 30, 2019)

Thanks for the replies. It’s a small business and the managers are business owners. Quite friendly and not the corporate type where I would feel comfortable signing letters etc. I want to resolve this amicably as it’s in my best interest to keep this job.

This server is not the only machine that runs on old software (for compatibility) but the only one currently connected to the internet. It is behind an OpenBSD pf box with only two ports open (993, 25) so not completely exposed. Being a small business owners don’t believe the chance of someone hacking it is high which is why it hadn’t had the attention it requires.

Anyone can show what immediate risk the server would be under other than being 10 years old?

Thanks again for your input. 
Ftb


----------



## Remington (Dec 30, 2019)

Leave the old server alone and don't update anything... not even one package otherwise you'll break something.

You could ask your manager if they'll let you build a new email server and transfer all email data to new server.  If everything works, they might agree to let you scrape the old server.  I think they'll be more agreeable if you do it on your spare time.  It's something you will have to think about but taking the initiative is good.


----------



## ralphbsz (Dec 30, 2019)

If you are firewalled, and only ports 25 and 993 can come through, and your sendmail configuration is good, then it being old is not (in and of itself) too bad. Is this a really good setup? Absolutely not. You are relying on the firewall to not let anything else through, you are relying on the internal network itself not being breached (for example by some foolish insider running a tunnel on their machine, which is often done innocently), and you don't have terribly good protection against SMTP and IMAP abuses that can come in over ports 25 and 993. In particular, I worry about you becoming a relay for bad stuff. It would be much more comforting to run up-to-date stuff everywhere, and also have multiple layers of security.

I also understand your concerns about this being a small operation, where protection again legal fallout is not easy, because everything is so personal.

To find out what your exposure is, you'd have to look at what SMTP and IMAP vulnerabilities have been fixed in the last 10 years. There must be lots. But are they being actively exploited? In particular if the target is a small (and presumably financially uninteresting) business? I hate to admit that "security through obscurity" can work pretty well, although it should never be relied on. As far as I know (and I'm not an expert on mail security at all), the biggest advantage of modern mail handling is that it automated removing malware and spam, so things like phishing links or attachments that install viruses doesn't even enter the building. The other thing which has changed a lot in the last decade is that SMTP without SSL and authentication on port 25 has mostly died out, so even having port 25 open is a bit outdated and risky.

Sorry this is not very concrete.


----------



## Hakaba (Dec 30, 2019)

In my experience, updating technically an old system is often a bad idea. It is better to find a replacement regarding the user usage.

Why (in short) :
The new technical system will face to the old constraint plus the new one.
The usage of the system has probably evolved. Consuming some time to updating a system that no fit the usage is a lost of time.

If I was in charge, I will analyse the usage of that server and make a proposal to migrate (if needed) to a new system.


----------



## ralphbsz (Dec 31, 2019)

I was thinking about this in the car, and I have a question: Why even have a mail server in this day and age? There are lots of companies that will outsource the complete e-mail system for a company, for relatively little money. I hear some of them are quite competent; they tend to have very good spam and malware filters. Why not just get rid of the problem?


----------



## Remington (Dec 31, 2019)

ralphbsz said:


> I was thinking about this in the car, and I have a question: Why even have a mail server in this day and age? There are lots of companies that will outsource the complete e-mail system for a company, for relatively little money. I hear some of them are quite competent; they tend to have very good spam and malware filters. Why not just get rid of the problem?



One problem... they won't be in business forever.  Sure you may contract a small email hosting company, 5 years later it was bought out by different company and they changed everything... different server, software setups, pricing, privacy policies, terms of agreement, etc.  Also there are proprietary intellectual properties or trade secrets which companies are not privy to share or allow its contents to be in possession with third-party contractors.  I know many law firms have their own email server to protect their clients' information from falling into wrong hands.

It comes down to how important is the email data to the company and does it have any email information that can jeopardize the company or their clients.  If yes then private email server is better to reduce the liability risks.


----------



## `Orum (Dec 31, 2019)

ralphbsz said:


> By definition, a mail server has to be exposed to the internet


This isn't true, as it might be exposed only to an intranet or in some cases, only to localhost.  I've come across all three situations in my professional work, and in all cases, I recommend upgrading.  Any known vulnerability is likely to be exploited by script kiddies from across the globe, and even servers that aren't themselves connected to the internet can be attacked via other vectors.

The situation you are in is bad no matter how you look at it.  First, you could already be infested with some malware.  This might not only harm that company in terms of privacy (e.g. sending all emails that go through your server to an attacker), but it could be actively harming other people if, for example, it was running a bot to DDoS.  IANAL but I think you might be able to be held liable if you participate in such attacks due to gross negligence.  Second, it sounds like few if any of the employees know enough about FreeBSD to even update it properly (judging by the fact that we don't even know what mail daemon is running).  FreeBSD is a joy to use once you know it, but it has a learning curve.  Finally, when a system is this out of date, it's much harder to update than if regular updates were performed.  If it's literally a decade old as you say, it might actually be easier to start from scratch with a fresh install and just glace at the previous configs to understand how things were configured.  If it's using sendmail, I pray for the souls of those responsible for updating/replacing it.

The good news is, once you get in the habit of updating regularly, it's _relatively_ painless.  Obviously you'll still hit bumps in the road, but would you rather deal with a few problems several times a year, or a ton of problems simultaneously once per decade?  When something doesn't work, you can point the finger much more quickly if only 5 things were updated instead of 500.  However, this is all probably barking up the wrong tree as it seems like your problems are mostly managerial in nature, and hopefully not so much technical.

So how do you get management to listen?  Well, show them any of the countless security beaches over the last several decades, and the damage that it has done to those businesses.  If that doesn't work, you have basically three options: do nothing, CYA, or quit and find a better place to work.  I don't recommend doing nothing, because when something bad happens (and it eventually will), guess where the axe will fall.  You can CYA, but the issue persists as a ticking time bomb, and even if your head doesn't roll when the defecation hits the oscillation, you'll be asked to 'fix' the problem, and right quick.  This is certainly not a situation I'd enjoy being in.  The last option is pretty self explanatory, but ask yourself, "Do I really want to work somewhere that management doesn't hear the cries of their employees?"


----------



## SKull (Dec 31, 2019)

Ftb2015 said:


> I was curious if using of old software and hardware is commonplace these days.


Every company I've ever worked for had at least one ancient box that no one dared to touch. 

It's neither good nor save, but it sure is common


----------



## Deleted member 30996 (Dec 31, 2019)

Ftb2015 said:


> Any attempts to upgrade the machine have been thwarted by the management - “if it ain’t broke, we don’t fix it”. I don’t mind as the server keeps on working fine.



Then I would suggest finding out whether or not it was broke. If you have port 25 open to the internet I'd take a look at this to make sure it was configured correctly:









						Hack Like a Pro: How to Extract Email Addresses from an SMTP Server
					

Welcome back, my budding hackers!




					null-byte.wonderhowto.com
				




I was thinking spammers scanned for open port 25 so they could use it as a relay, but Sevendogsbsd would know more about it than I.



Ftb2015 said:


> I was curious if using of old software and hardware is commonplace these days. and maybe see how others managed to convince their management to get on with modern age and use current versions.



It depends on who you ask, and how much you value their opinion:









						Solved - Did anybody else notice that FreeBSD 12 only has an 18-month lifespan?
					

TL;DR - Release Engineering is apparently only committed to supporting FreeBSD 12 for 18 months  Before FreeBSD 12.0 was released, the "Security Information" page (Internet Archive capture on November 22, 2018) said: Branch Release Type Release Date Expected EoL stable/12 n/a n/a n/a December...




					forums.freebsd.org
				





As an offsite email server side note, I've received 3 text messages from Yahoo in the past two weeks with a code to enter that could only be happening if somebody was trying to hack my account. I have a gut feeling it's the only other person in the building who knows what FreeBSD is, how they found out that rarely used email addy, why they're doing it and what recent correspondence they'd like to see. Nobody else I know personally has that kind of skill and anybody else would go after my website contact box.


----------



## Sevendogsbsd (Dec 31, 2019)

Agree with the port 25 issue: old server or not, if 25 is open and the server can be leveraged as a relay, someone will at some point. I would change the config to not allow it to be a relay if possible. 

So, as far as being old, someone may try to leverage an RCE vulnerability perhaps or some other published vulnerability in whatever service is exposed to the Internet. If nothing exposed and the system isolated, no reason the server can't stay running. 
If nothing was connected to the Internet, I'd be out of a job, or I would be doing physical pen testing, but at 6'2" and 225 pounds, it's not easy for me to sneak around


----------



## Crivens (Jan 1, 2020)

Sevendogsbsd said:


> at 6'2" and 225 pounds, it's not easy for me to sneak around


Easy. Don some old rags and carry a sign "Homeless. Hungry. Please help" Noone will see you, sadly.


----------



## Deleted member 30996 (Jan 3, 2020)

Sevendogsbsd said:


> Agree with the port 25 issue: old server or not, if 25 is open and the server can be leveraged as a relay, someone will at some point.



Worst of all as a proxy on a list to be used by some agent of chaos at large and appearing to be you part of the chaos.


----------



## Ftb2015 (Jan 3, 2020)

ralphbsz said:


> I was thinking about this in the car, and I have a question: Why even have a mail server in this day and age? There are lots of companies that will outsource the complete e-mail system for a company, for relatively little money. I hear some of them are quite competent; they tend to have very good spam and malware filters. Why not just get rid of the problem?



They owners are concerned with privacy. It’s an old fashioned shop that generally didn’t have anything bad happened to them in terms of losing data (or emails) so no real reason to change.


----------



## Ftb2015 (Jan 3, 2020)

Re Port 25. It’s a password / starttls combo so no relaying unless I’m missing something?

Thanks again for the input everyone.


----------



## Sevendogsbsd (Jan 3, 2020)

I don't know how mail relaying takes pace specifically but there are settings in the server that specify whether it is a relay and/or who can use it as a relay. I am not sure authentication plays a part in that but not sure on the specifics of that either. Mail is not my area of specialization...


----------



## ralphbsz (Jan 3, 2020)

Ftb2015 said:


> They owners are concerned with privacy. It’s an old fashioned shop that generally didn’t have anything bad happened to them in terms of losing data (or emails) so no real reason to change.


I understand. And it is hard to convince someone that certain tasks are better outsourced than kept in house, because of the issue of trust: Trusting Amazon or Google or Microsoft is really hard. Even though a good e-mail provider that uses the cloud infrastructure of those three companies (the largest cloud providers) is probably much better for privacy and security than trying to do e-mail in house. But the reputation of these vendors (not just the cloud companies, also the e-mail ones) is awful, and dominated by bad news. Makes sense, even if factually not correct.


----------



## CraigHB (Jan 4, 2020)

Yes it is hard to put trust in these large providers.  On a personal level I switched to a paid email service that explicitly guarantees privacy when I found out Verizon/Yahoo was actually mining email data from their users.  They've been doing that for several years now and it's been reported, but I didn't find out about it until I looked into it.  I think Verizon is probably the worst offender, but it definitely makes me wary of any corporation that can benefit from such data.


----------



## PMc (Jan 5, 2020)

Traditionally, a unix machine has a mailer running on port 25, so that one can send messages to the people on that machine - because, how else could one achieve that?
And traditionally, such a mailer would do it's best to get any intellegible address delivered to anywhere on the Internet - but that's switched off by default for a long time, already, so relaying has to be enabled explicitely.

Then, the people were all running W*, which is no unix and doesn't have a mailer. So these companies appeared on the web who would do mail services for them. But, in the old RFC822, there were about one or two dozen headers defined with special delicate behaviours. And those "mail services" implemented almost none of them - I doubt they ever bothered to read an RFC. For them, a mail has a sender and some recipients, and that's it. And the W* people were happy, because they didn't know otherwise, anyway.
That was why I engaged in obtaining a static IP, so that I can open a proper mailer on it. But now, the problem is the other way round: as all the people have addresses from these "mail services", a _real_ mail address (from an arbitrary resolveable IP) is considered unusual and potential risk, and may not even be delivered, So, finally, the idiots have the victory. 

I once did hand-craft my sendmail.cf according to the RFC, and later updated that to the *.mc scheme. I don't think I had anything to change on it for the last ten years, at least.
As usual there are two viewpoints to the matter: there is the MMF[1] viewpoint where it all is about paranoia, and there is the viewpoint of technical expertise, which is diminishing.


[1]MakeMoneyFast, aka the business people.


----------



## Deleted member 30996 (Jan 7, 2020)

They used to post fresh proxy lists on the MultiProxy site, my all-time favorite Windows gaming app, as a service to agents of chaos at large and pretty sure I remember seeing machines from around the globe with open port 25. If it was an open port i could and would use it, was more concerned with the country it was in and could change in a second from the list. Trolling trolls and doing funny impressions on UFO boards and such that showed your IP# with a post 20 years ago.

I'm no longer at large and mostly just sit and wait now.


----------



## drhowarddrfine (Jan 7, 2020)

Why don't these companies just buy another box for a couple of hundred dollars, set it up, test it, and then replace the old one? Might that take a day or week? Even if a month, the issue will go away.


----------

