[ntp:hackers] Workflow and issues surrounding security issueswith NTP

todd glassey tglassey at earthlink.net
Fri Aug 25 23:29:37 UTC 2006


Harlan - while these are noble ideas there is a commercial and fiduciary
liability that is created by much of what was discussed here. Unfortunately
when you emerge from a Public Access type Org as the NTP Org is, this
creates IMHO some serious liabilities by pulling services that people are
already dependant on away from them.

----- Original Message ----- 
From: "Harlan Stenn" <stenn at ntp.isc.org>
To: "Hal Murray" <hmurray at suespammers.org>
Cc: "Harlan Stenn" <stenn at ntp.isc.org>; <hackers at ntp.isc.org>;
<mills at udel.edu>
Sent: Friday, August 25, 2006 2:56 PM
Subject: Re: [ntp:hackers] Workflow and issues surrounding security
issueswith NTP


> > > Feedback on http://ntp.isc.org/Dev/HandlingSecurityIssues would be
> > > greatly appreciated.
> >
> > I assume the big picture is to minimize publicity for an exploit until
it
> > gets fixed.
>
> Yes.

This may have legal implications where there is a warranty of fitness or not
in the license.

>
> > How many vendors have a copy of the sources that they modify and/or
> > distribute?  Is there any way to contact them?  If not, it might be a
good
> > idea to collect a list of people to contact.
>
> At the moment, whoever is working on the bug works with whoever reported
> the bug and when a fix is ready we publish it.

The problem is that the Vendor's all rely on your testing of the product and
that is what possibly creates the enduring liability no matter what you want
to say about it.

>
> For better or worse, to my knowledge we have had >1< CERT report
> involving a string overflow with ntpq (or was it ntpdc), and no exploit
> was ever demonstrated.
>
> We have been cleaning up some similar overflow/overrun issues as they
> are discovered.
>
> We have been fortunate enough to not have to deal with any significant
> security issues, but I want to be prepared in case one shows up.

You may be legally speaking better off not addressing the security issues at
all and claiming that they are the responsibility of those using the Code to
address and if this is made as a decision - the license langusge for the use
of the code base must reflect this IMHO

>
> I am working on exploring the creation of an "NTP Forum", where
> membership in the group would allow for:
>
> - setting product direction and feature priorities

Unless you are planning on assuming liability for pulling the rug out from
under someone then this may be an issue. There should at least be a
Hold-Harmless Agreement that one is required to have their Sponsor's and
their execution of prior to playing in this sandbox. This is not meant to be
nasty - just to protect everyone.

> - early security vulnerability notices and patch releases

This is a real liability since it creates a dependency which will if its
ever pulled out from under a relying party will cause more than $5000 in
damage making the NTP.ISC.ORG quite suable in both State and Federal Courts
under the Computer Fraud and Abuse Act.

You will initially probably disagree - but in fact I am right here I bet.

> - 3rd line support for integration and complicated customer issues

This is a nightmare because support means liability.

> - Possibly limiting non-release-candidate development releases to this
>   group

Since you havent started out that way changing now will also violate the
expectations of people relying on these now. Again a liability.

> - priority bug fixes
> - direct access to developers on a priority basis to discuss strategy
>   and assist in deployment planning

This is a commercial service and that means Liability in spades.

> - direct input to further release planning
>
> Please note this is a preliminary list, and >IF< this group is created
> the above list is merely the starting point.
>
> I also expect there will be different "membership levels" for the group,
> and for certain "higher" membership/benefit levels it will cost money
> for commercial (not freeware) organizations to join.  There will also be
> a very useful number of membership levels that will not cost money.
>
> If you reply to this message with information about the Subject: thread,
> great.  If you reply to this message with information about the NTP
> Forum thread, please change the Subject: accordingly.
>
> H
> _______________________________________________
> hackers mailing list
> hackers at support.ntp.org
> https://support.ntp.org/mailman/listinfo/hackers



More information about the hackers mailing list