[ntp:questions] NTP internal server?
Richard B. Gilbert
rgilbert88 at comcast.net
Sun Oct 29 19:49:13 UTC 2006
Maarten Wiltink wrote:
> "Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message
> news:_eWdna3k2Zfvpd_YnZ2dnUVZ_uqdnZ2d at comcast.com...
>
>>Maarten Wiltink wrote:
>>
>>>"Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message
>>>news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d at comcast.com...
>
>
>>>>As far as anyone here knows there are no "exploits" associated with
>>>>NTP.
>
>
>>>After a short look-around on SecurityFocus, I would like to exclude
>>>myself from that 'anyone' group.
>
>
>>All right, there are, or were, fifteen reported exploits. None is dated
>>more recently than 2004 and some seem to be complaining about ten year
>>old software distributed by companies such as Sun, Redhat, Debian, etc.
>
>
> Still distributed right now, yes. For all those people who aren't allowed
> to run something not backed by RFCs, and then come here with questions
> about something called xntp. Sound familiar?
>
>
> [...]
>
>>I'd say that the proper response is not to forbid the use of the NTP
>>protocol but rather to avoid running defective implementations thereof!
>
>
> That would be nice. However, letting your guard down is _never_ a
> secure response. I will work on the assumption that there are exploits
> in the current NTP until you _prove_ to me it's safe, and I'm not
> holding my breath.
If you want "proof" that ANY piece of software is free from bugs or
exploits, you may have a very long wait!
Ever wonder why half the world failed to handle the last leap second
properly??? A large number of servers were running software with a bug.
More information about the questions
mailing list