JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

Spencer Graves spencer.graves at effectivedefense.org
Sat Sep 14 09:10:50 EDT 2019



On 2019-09-14 07:30, Gene Heskett wrote:
> On Saturday 14 September 2019 04:37:14 Larry Martell wrote:
>
>> On Fri, Sep 13, 2019 at 1:37 PM Skip Montanaro
>> <skip.montanaro at gmail.com>
>>
>> wrote:
>>> https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
>>>
>>> I doubt this is unusual, and presume JP Morgan is big enough to
>>> handle the change of status, either by managing security releases
>>> in-house or relying on third-party releases (say, Anaconda). When I
>>> retired from Citadel recently, most Python was still 2.7 (though the
>>> group I worked in was well on the way to converting to 3.x, and no
>>> new applications were written against 2.7). Bank of America has an
>>> enterprise-wide system called Quartz. I wouldn't be surprised if it
>>> was still running Python 2.7 (though I don't know for sure).
>> Yes Quartz is 2.7. As I’ve said before here, I know a lot of companies
>> running large apps in 2.7 and they have no intention of moving to 3.
> And I, Larry, have little doubt that the hackers have a hole into a 2.7
> install, all squirreled away, and waiting until 2.7 security support
> goes away. It's the nature of the thing.
>
> They will get hacked.  It's like asking if concrete will crack as you are
> watching it being poured: "will" is the wrong question, "when" is far more
> correct.
>
> And it will cost them trillions in the long haul. The courts,
> adjudicating damages, will not be kind to the foot draggers who think
> they are saving money.  History sure seems to be pointing in that
> direction recently.
>
> It's a puzzle to me why so-called sane MBAs cannot understand that the
> best defense is spending money on the offense by updating their
> in-house operating code. Or the OS under it.


       Is anyone interested in contacting these companies -- or the 
companies from which they buy cybersecurity insurance -- and inviting 
them to provide paid staff to maintain 2.7, and to offer consulting 
services to help these clients inventory what they have and estimate 
how much it would cost to migrate?


       For example, how much would it cost to write and maintain an 
emulator for 2.7.16 in 3.7.4?


       The Python Software Foundation does not want to maintain 2.7 for 
free anymore, but if there is sufficient demand, they should be thrilled 
to make a handsome profit off of it -- while providing high quality, 
good paying jobs for smart Pythonistas.


       As I'm thinking about it, the companies that provide 
cybersecurity insurance could be the best points of leverage for this, 
because they think about these kinds of things all the time. Insurance 
companies for decades, and probably well over 100 years, have required 
their commercial clients to employ night watch crews, who make the 
rounds of a facility collecting time stamps from different points in the 
facility, which they provide to insurer(s) in exchange for reduced rates 
-- or as a condition of getting insurance in the first place.  This is 
conceptually and practically the same kind of thing.


       Spencer Graves

> Cheers, Gene Heskett



