# Actual dangers of vulnerability of public institutions and infrastructure? (FreeBSD specific)



## Snurg (Jan 6, 2017)

I read that a hacker purports to have hacked into the websites of several government institutions in the US and other countries.
He claims to have used a zero-day exploit for the Plone CMS, and to have found that some of them use obsolete FreeBSD versions.
For example, he stated that he found the fbi.gov web server running FreeBSD 6.2.

Now my specific interest is: how big is the actual risk of running obsolete FreeBSD versions?

Are there any old FreeBSD versions whose _base system_ is so vulnerable that a server using them today is easily or even instantly hackable, like older Windows versions? (Assuming the packages besides the base system are up to date and safe.)
For example, would a FreeBSD 6.2 server be as much of an "open door" as a Windows XP machine?

And are there any custom-maintained, state-run US versions of FreeBSD for official use?
Maybe a 6.2 kept up to date with security patches? Something like the Chinese Kylin Linux?


Please note:
Sadly, my previous thread was hijacked by some people whose national pride apparently got hurt,
just because I quoted Russia Times as a source and pointed at the high personal prosecution risk for the hacker as a potential reason for him to be hesitant to release/leak anything actually meaningful he obtained during his purported breach.
If anybody has the desire to discuss topics like "God's own country", I kindly ask them to open a separate thread and not damage this one by taking it totally off-topic. The problem I am asking about affects many countries. Thank you.


----------



## drhowarddrfine (Jan 6, 2017)

Snurg said:


> Maybe such like Chinese Kylin Linux?


Do you honestly think a Chinese-created version of Linux would be safer than anything created in the US? After all, the Chinese make more break-in attempts than any other country in the world! Hardware from China is known to contain back doors in the "internet of things" and in much other hardware from there.

It would be far safer to assume a FreeBSD server is FAR safer than anything from any other country known to have always used vulnerabilities with the intent of doing harm and damage. I won't list those countries because, again I'll say, your question is of the political, anti-government, anti-US type based on the baseless rumors I always find all over reddit, and in the 13 years I've been on the FreeBSD forums I was always thrilled never to find threads like these, until the last year or so, and only from a couple of members, some of whom are no longer here, fortunately.

I hope I will continue to see none of them again as they only create adversity and division among members.


----------



## SirDice (Jan 6, 2017)

Snurg said:


> Are there any old FreeBSD versions whose _base system_ is so vulnerable, that a server using them today is easily or even insta-hackable like older Windows versions?


Yes, certainly the old 6.x versions. There have been many vulnerabilities discovered after 6 went EoL. Some of them quite severe. But you should assume that _any_ unsupported version is vulnerable.


Snurg said:


> (assuming the packages aside the base system are up-to-date and safe)


That's going to be another problem. The current ports tree simply doesn't work anymore on FreeBSD 8 or lower. So it will be difficult to pull this off.


----------
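The two points made above (6.x is end-of-life, and the current ports tree no longer builds on 8.x or lower) translate directly into a screening check an operator can run over a host inventory. The following script is an added example, not code from the thread or from the FreeBSD project. It parses version strings in the form printed by `freebsd-version -u` or `uname -r`, such as `6.2-RELEASE` or `11.0-RELEASE-p7`, and flags each host. The list of end-of-life major branches is an assumption the operator must supply from the FreeBSD security page; the default only encodes 6.x (named in the thread) plus 7.x and 8.x, whose support ended in 2013 and 2015. The inventory and hostnames are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the forum thread or the FreeBSD project.
# Classifies FreeBSD version strings as printed by `freebsd-version -u` or
# `uname -r` (e.g. "6.2-RELEASE", "11.0-RELEASE-p7", "12.0-CURRENT") so that a
# host inventory can be screened for unsupported branches.
#
# Assumptions not stated on the page: the set of EoL major branches is supplied
# by the operator from https://www.freebsd.org/security/ (the default below is
# 6.x, named as EoL in the thread, plus 7.x and 8.x, whose support ended in 2013
# and 2015); the hosts in SAMPLE_INVENTORY are constructed, not real systems.

EOL_MAJORS="${EOL_MAJORS:-6 7 8}"
PORTS_MIN_MAJOR=9   # per the thread: the current ports tree does not work on 8.x or lower

# fbsd_major "11.0-RELEASE-p7" -> "11"; prints nothing and returns 1 for unparseable input
fbsd_major() {
    case "$1" in
        [0-9]*.[0-9]*-*) printf '%s\n' "${1%%.*}" ;;
        *) return 1 ;;
    esac
}

# fbsd_patchlevel "11.0-RELEASE-p7" -> "7"; a bare -RELEASE is "0";
# -STABLE/-CURRENT snapshots carry no patch level, so "n/a"
fbsd_patchlevel() {
    case "$1" in
        *-RELEASE-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *-RELEASE)         printf '0\n' ;;
        *)                 printf 'n/a\n' ;;
    esac
}

# fbsd_status VERSION -> "ok", "unknown", or comma-separated findings
# ("eol", "no-current-ports"). Unparseable strings are reported as "unknown"
# rather than silently passed: a strange banner still needs a human to look.
fbsd_status() {
    major=$(fbsd_major "$1") || { printf 'unknown\n'; return 0; }
    findings=""
    for m in $EOL_MAJORS; do
        if [ "$major" -eq "$m" ]; then
            findings="eol"
        fi
    done
    if [ "$major" -lt "$PORTS_MIN_MAJOR" ]; then
        findings="${findings:+$findings,}no-current-ports"
    fi
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample inventory: one "host version" pair per line.
SAMPLE_INVENTORY='web1 6.2-RELEASE
web2 8.4-RELEASE-p3
db1 10.3-RELEASE-p15
build1 12.0-CURRENT
legacy1 FreeBSD/i386'

# fbsd_report INVENTORY -> one line per host with patch level and status
fbsd_report() {
    printf '%s\n' "$1" | while read -r host ver; do
        [ -n "$host" ] || continue
        printf '%-8s %-18s patch=%-4s %s\n' \
            "$host" "$ver" "$(fbsd_patchlevel "$ver")" "$(fbsd_status "$ver")"
    done
}

# fbsd_count_flagged INVENTORY -> number of hosts whose status is not "ok"
fbsd_count_flagged() {
    printf '%s\n' "$1" | while read -r host ver; do
        [ -n "$host" ] || continue
        [ "$(fbsd_status "$ver")" = ok ] || printf '%s\n' "$host"
    done | wc -l | tr -d ' '
}

fbsd_report "$SAMPLE_INVENTORY"
printf 'flagged hosts: %s\n' "$(fbsd_count_flagged "$SAMPLE_INVENTORY")"
```

In practice the inventory would be fed from `freebsd-version -u` run on each host (or from whatever the CMDB holds), and `EOL_MAJORS` extended as further branches reach end-of-life; note that on a host the kernel (`freebsd-version -k`) and userland (`-u`) can differ after a partial upgrade, so both are worth recording.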



## Snurg (Jan 6, 2017)

SirDice said:


> But you should assume that _any_ unsupported version is vulnerable.


This seems to be common sense to me.
Just as background info:
Some time ago there was a fairly large public discussion in Germany about the fact that many state offices still use Windows XP even though official support has ceased.
As a result, it became known that the state of Niedersachsen annually pays millions of euros to Microsoft for continued security updates.
Before this, I was unaware that Microsoft actually continues to support Windows XP, albeit only for high-volume customers and for a quite high fee.

I guess one reason for this might be that it is more economical to keep a well-working system going with paid updates than to take on the costs and problems connected with rebuilding the whole infrastructure only to change to another OS version. One has to take into consideration that this would force the country to reinstall countless systems spread over thousands of office sites, resulting in a massive productivity loss. This situation is common to state infrastructure in all countries.



SirDice said:


> Yes, certainly the old 6.x versions. There have been many vulnerabilities discovered after 6 went EoL. Some of them quite severe... The current ports tree simply doesn't work anymore on FreeBSD 8 or lower. So it'll be difficult to pull this off.


This means "normal" users cannot easily keep their software up to date on FreeBSD versions lower than 9.

Taking into consideration the points I listed in the paragraph above and sidetone's comment in my original post, it might be very reasonable for state entities to stick with a system that works efficiently for longer than the relatively short support periods of most OSes. You know, "don't fix what is working"...

So I think it could be a sensible idea to take a good open-source OS release and fork it, keeping it up to date security-wise for, say, 10 or 15 years.
As the number of applications used (usually less than a dozen) and the hardware to be supported are quite limited, couldn't this be a more economical and less disruptive way to keep a country's infrastructure working safely?
Apparently some countries are going this way.

Now to the problem of foreign backdoors which drhowarddrfine points at.
This concerns all countries that use closed-source infrastructure or software manufactured in foreign countries.
So this is not limited to Chinese and US products, which just have the biggest market share. Both countries are known around the world for the massive technological espionage they do. (Please excuse me for not only taking the US viewpoint into consideration. This is not intended as country bashing. The spy business is the second-oldest trade. Every country does it. Thus many people take it as a given fact and consider excessive complaining about it hypocritical and immature.)

Just take as an example the CCTV devices which can be remotely controlled and have recently been used for massive DDoSing.
Can it really be justified not to spend a bit more and use domestically made equipment of verifiable safety?
If there are no domestic products, wouldn't it make sense to at least reverse-engineer and audit the systems and, for example, modify the firmware so that the backdoors are closed?
Like some countries do with imported routers, for example?
Or, to take the example provided by drhowarddrfine, imagine the risk of IoT CCTV allowing others to peek into high-security areas...

*In this context, could it be a sensible idea to take a good FreeBSD release and choose a limited number of the most important/most used server software packages, which then get security upgrades over a longer interval than usual?
I am sure many server operators would be happy about a FreeBSD with the few packages they actually use, which they could just keep running for more than two or three years without all the issues a version change introduces.*

*Could it make sense to make a, say, 10-year LTS FreeBSD with only the stuff needed for, say, Apache, nginx, Samba and the like?*
*Maybe supporting only a small number of the most important hardware platforms?
Could something like this help FreeBSD get a bigger market share, and gain more support and contributions not only from corporations, but from states too?*


----------



## Deleted member 9563 (Jan 7, 2017)

Some Chinese manufacturers of IoT devices have indeed taken the high road here and shown a willingness to deal with this issue right now. Western companies are free to deal with those companies if they wish. Obviously many have other buying criteria. I don't believe there are any government or nationality issues in that regard.

I don't think it's particularly relevant to this thread, but for those who like to think in those terms, there's information from Symantec and Business Week which is detailed in an easily digestible version here: http://www.enigmasoftware.com/top-20-countries-the-most-cybercrime/


----------



## sidetone (Jan 7, 2017)

Snurg said:


> Could such help FreeBSD get a bigger market share, and gain more support and contributions not only from corporations, but states, too?



There's not much preventing it, but the idea of a bad actor doing that scares me. However, a bad actor that can use a tool that's there for anyone will probably benefit from it without advertising the fact by contributing.


----------



## Sevendogs (Jan 8, 2017)

I thought someone reported the fbi.gov / old FreeBSD hack as a hoax? I'll have to go back and find the thread.


----------



## drhowarddrfine (Jan 8, 2017)

Sevendogs Yes. The Plone people said it's a hoax.


----------



## ANOKNUSA (Jan 8, 2017)

Snurg said:


> I guess a reason for this might be that it might be more economical to keep a well-working system using paid updates, than to take the costs and problems that are connected with rebuilding the whole infrastructure only to change to another OS version.



Perhaps, but then this comes to mind: the long-term cost of maintaining a good situation now could well be greater than the short-term cost of trying to improve it. Paying to keep XP alive may work alright for the German government now, but once all the hardware making up their IT infrastructure dies, they might be in serious trouble. To put it another way: it may be possible to make a system (any kind of system) reasonably future-proof, but paying a mountain of money to try to prevent the future from coming is the wrong way to go about it.


----------

