Fellow networking/programming people: want to see something terrifying from Georgia?
Link to tweet
Let's focus in on that photo just a little bit:
2011.
The web server hasn't been updated or patched since 2011. Since the year Kemp took over as Secretary of State.
MontanaMama
(23,239 posts) Seriously? This is dereliction of duty. Wonder how many states have this issue?
SWBTATTReg
(21,859 posts) the money wasn't there to change the copyright notice. It does require either a code change or table edit change to implement, which of course, cost money.
Recursion
(56,582 posts) And Apache is about as "corporate" as an open source project gets: they make sure they dot their i's with that stuff.
BumRushDaShow
(127,312 posts) When you update versions, the version numbers change on the screen. You can do a query on the version too and get it. And Apache is open source and "free". No $$$ involved. The labor to do the maintenance on it would obviously have a cost but that should be something included in a maintenance contract with either outside techs and/or included in the duties of the state's IT staff if they handle or oversee it.
The only other issue here might be whatever software application the system is using that probably bundled that version of Apache and whether that system was even updated and/or could even run on the newer web server implementations without some major modification.
SWBTATTReg
(21,859 posts) it doesn't need to be changed or edited doesn't mean that for 100% of all software, that it doesn't need to be changed. It depends on the software and I didn't know enough about Apache nor was the information provided in the orig. post to determine this.
BumRushDaShow
(127,312 posts) most organizations "publicly" copyright their work and follow traditional code change versioning (i.e., denoting "major" / "minor").
To me, this appears to literally be a stock Apache install at the level that probably came bundled with the system they bought (the same version that eventually spawned Tomcat too). Quite a few things come bundled with web servers (whether they are enabled or not) and really, for a system that is to be used by some government entity that may end up with parts that are public-facing, there really needs to be some kind of schedule of maintenance on it.
lapfog_1
(29,166 posts) From the Apache project home page:
Apache httpd 2.2 is End-of-Life since December 2017 and should not be used. This page only lists security issues that occurred before the End-of-Life. Subsequent issues may have affected 2.2 but will not be investigated or listed here. Users are advised to upgrade to the currently supported released version to address known issues.
https://httpd.apache.org/security/vulnerabilities_22.html
MattP
(3,304 posts) Courts have been horrible in voter cases, saying yes, you're horrible, but it's OK.
BumRushDaShow
(127,312 posts) And even v2.2.x is already at end of life for patches as of 2017.
https://httpd.apache.org/
They can't really do anything with that now. It would probably require a whole new parallel install and then transition to the new version (after major UAT, etc).
Recursion
(56,582 posts) If you're moving slower than RedHat, you're moving too slowly.
BumRushDaShow
(127,312 posts) Yeah, 2.2 is old!
I remember briefly running RH 6.0 (had been running 5.1 - various versions including for Sparc and Alpha) with 2.2 and decided to just go back to my SuSE (now OpenSuSE) on my desktop. Of course now RH is gonna be owned by IBM. Guess it was a matter of time.
Quackers
(2,256 posts)
Version   Initial release   Latest release
1.3       1998-06-06        2010-02-03 (1.3.42)
2.0       2002-04-06        2013-07-10 (2.0.65)
2.2       2005-12-01        2017-07-11 (2.2.34)
2.4       2012-02-21        2018-10-23 (2.4.37)
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, feature-rich and freely available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.
Apache 2.4 dropped support for BeOS, TPF and even older platforms.
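A defender-side check in the spirit of this thread, added here as an example (not code from the thread or from the Apache project): it parses an HTTP Server header, maps the version onto the branch table above and the 2.2 end-of-life date quoted earlier, and flags hosts that are past EOL, behind the branch's last release, or hiding their version. The Server header format, the host names and the default "today" date are assumptions.

```python
import re
from datetime import date
# Apache httpd branches from the version table quoted in the thread:
# branch -> (last release in that branch, end-of-life date or None).
# 2.2's EOL (Dec 2017) is from the Apache security page quoted above;
# 1.3/2.0 EOL at their final release is an assumption.
BRANCHES = {
    "1.3": ("1.3.42", "2010-02-03"),
    "2.0": ("2.0.65", "2013-07-10"),
    "2.2": ("2.2.34", "2017-12-31"),
    "2.4": ("2.4.37", None),  # still supported as of the table's date
}
SERVER_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?")

def assess_server_header(server_header, today="2018-11-01"):
    """Parse a Server header like 'Apache/2.2.15 (CentOS)'; report the branch,
    its support status on `today`, and how many patch releases it trails the
    branch's last release. None for non-Apache; bare 'Apache' -> 'unknown-version'."""
    m = SERVER_RE.search(server_header)
    if not m:
        return None
    major, minor, patch = m.groups()
    if major is None:
        return {"branch": None, "status": "unknown-version", "behind": None}
    branch = f"{major}.{minor}"
    if branch not in BRANCHES:
        return {"branch": branch, "status": "unknown-branch", "behind": None}
    latest, eol = BRANCHES[branch]
    behind = int(latest.split(".")[2]) - int(patch or 0)
    past_eol = eol is not None and date.fromisoformat(today) >= date.fromisoformat(eol)
    status = "end-of-life" if past_eol else "outdated" if behind > 0 else "current"
    return {"branch": branch, "status": status, "behind": behind}

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "host-a.example": "Apache/2.2.15 (CentOS)",
    "host-b.example": "Apache/2.4.37 (Unix) OpenSSL/1.0.2k",
    "host-c.example": "Apache",
    "host-d.example": "nginx/1.14.0",
}

def hosts_needing_attention(inventory, today="2018-11-01"):
    """Map host -> status for every Apache host that is not fully current."""
    flagged = {}
    for host, header in inventory.items():
        r = assess_server_header(header, today)
        if r is not None and r["status"] != "current":
            flagged[host] = r["status"]
    return flagged
```

Distribution packages backport security fixes, so a low patch number proves less than it seems and a hidden version proves nothing; treat a flag as a prompt to check the package changelog, not as the patch state itself.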
BumRushDaShow
(127,312 posts) I remember Be operating system (at least the free version). Had been out during the period when I was fooling around with the various pre-windoze 95 OSes that came out in the '90s, and that also included OS/2.
Feeling old now...
2naSalit
(86,056 posts) What a sham, and this is obviously intentional.
Recursion
(56,582 posts) He's got 20K followers, and they include a lot of tech CIOs and CTOs.
2naSalit
(86,056 posts) All I can do, at this point, is meditate on what it would be like to have a solid takeover in Congress.
SWBTATTReg
(21,859 posts) software versions so rapidly and oftentimes users are struggling to keep up with the changes. This was one of my top issues w/ IBM and all of its changes it made to software on a constant basis. And IBM isn't / wasn't the only company doing this practice. I know that fixes and the like are required, but the user community is oftentimes struggling to keep up w/ all of the updates.
Something as sensitive as the web server as described in this original post, I don't know. Depending upon the security enacted by the carrier(s) it may or may not be a problem. Perhaps the web server is behind a firewall located at a provider's host site. Too many open ended ?s as to true impact.
Recursion
(56,582 posts) And nearly all of them are in-band, i.e., it's a perfectly legal HTTP request that a firewall would let through that compromises the server in some way.
SWBTATTReg
(21,859 posts)
BumRushDaShow
(127,312 posts) so the code they release and deem as "stable" would have had a better chance of having issues caught before getting that designation vs proprietary systems (like windoze...).
Recursion
(56,582 posts)
TheBlackAdder
(28,075 posts)
The fallacy is that open-source is better, yet their development communities are taken over by nation state actors and hackers. People think that open-source is safer because people review it. It turns out that, besides academia doing it, most reviews are by hackers.
Many companies are using the Spring framework, which is rife with security exposures, and its last fix was in 2017.
Recursion
(56,582 posts) And it has a significantly better security record than its closed-source competitors.
TheBlackAdder
(28,075 posts)
Afromania
(2,767 posts)
uponit7771
(90,225 posts)
greymattermom
(5,751 posts) The machines are ancient, so nothing surprises me. But we are careful to report the correct number of voters, and the machines won't be out of my sight until I take the final counts to the county. Georgia has no party affiliation when you register, so it's hard to guess outcomes. We are being told to prepare for a possible run off (I hope not, I won't be in the country that day.) Republicans are running against Nancy Pelosi, and that's getting old around here. Jon Ossoff wasn't Nancy Pelosi, and neither is Lucy McBath. They are even suggesting that local candidates like Sally Harrell are somehow the image of Nancy Pelosi. That seems really weird to me.
hueymahl
(2,415 posts) Seems like a last-ditch effort to scare their base into coming out.
Thanks for your work at the precincts!
CCExile
(456 posts) Republicans refuse to offer good pay for technical support. Many years ago in Austin, TX a job with the state paid a full third less than the City of Austin for the same work. That did not attract the best and brightest. Their tech managers were the worst.
Roy Rolling
(6,853 posts) Politicians should not be making decisions about complex online computer security. Not having competent and unbiased network professionals overseeing these agencies is a BIG problem.
usaf-vet
(6,094 posts) Well maybe, considering it's GA, the voting system ain't broke; it's doing exactly what the Republicans want it to do.
Stealing votes?
Allowing remote access?
Allowing remote access for altering the final tallies?
Keeping suppressed voter suppressed via a DIY patch?
One more extended message.
IGNORE THE POLLS.... YOU GET OUT AND VOTE!
TheBlackAdder
(28,075 posts)
TheBlackAdder
(28,075 posts)
knightmaar
(748 posts)
Recursion
(56,582 posts) But the entire protocol stack of TLS1 suffers from design problems.
33taw
(2,420 posts) This may be difficult in some locations, but I always ask and have been accommodated.
33taw
(2,420 posts) We can only determine that the server delivering this message may not have had Apache patches since 2011.
FakeNoose
(32,351 posts) Best of luck to Stacey Abrams and all Georgia Democrats!