[ntp:hackers] Workflow and issues surrounding security issues with NTP

David L. Mills mills at udel.edu
Sat Aug 26 03:06:17 UTC 2006


Todd,

I will not sign anything of the sort. My experience with Sun and the 
DARTNET consortium flashes blinking, brilliant red lights.

Dave

todd glassey wrote:

> Here is what I suggest Harlan and David -
>
> 1) That ALL individuals working in the NTP effort execute
> Hold-harmless agreements. And that a Hold-Harmless agreement is placed in
> the License for the Code and that it is propagated as a compiled ASCII
> String in the actual executable. This way the Code is branded permanently
> inside the executable.
>
> 2) That all of the partnering companies also sign an agreement to
> hold the NTP development team harmless for anything done in extending,
> supporting, or characterizing NTP which opens or illustrates security
> liabilities already existing in the Partnering Company's products.
>
> 3) That there is also a very clear statement that any and all
> security issues with NTP and its packaging are the
> distributor/reseller/vendor's responsibility to address. And that like 
> #1 it
> also is encoded into the executable.
>
> 4) The NTP.ORG upper management team may also want to consider this -
> that it have Cignacert or one of the other branding companies that work with
> NIST to start a program for branding the code.
>
> This might even include you Judah - Wyatt Starnes the CEO of Cignacert is
> part of Hratch S's team of advisors so it would make sense for NIST to use
> them for certifying the NIST NTP footprint.
>
> None of this of course applies to the USNO or NIST instances of NTP because
> they already belong to the people as it were.
>
> Just my two cents as a lay guy.
>
> T.
> ----- Original Message -----
> From: "todd glassey" <tglassey at earthlink.net>
> To: "Hal Murray" <hmurray at suespammers.org>; "Harlan Stenn"
> <stenn at ntp.isc.org>
> Cc: "Harlan Stenn" <stenn at ntp.isc.org>; <hackers at ntp.isc.org>;
> <mills at udel.edu>
> Sent: Friday, August 25, 2006 4:29 PM
> Subject: Re: [ntp:hackers] Workflow and issues surrounding security
> issues with NTP
>
>
>> Harlan - while these are noble ideas there is a commercial and fiduciary
>> liability that is created by much of what was discussed here. Unfortunately
>> when you emerge from a Public Access type Org as the NTP Org is, this
>> creates IMHO some serious liabilities by pulling services that people are
>> already dependent on away from them.
>>
>> ----- Original Message -----
>> From: "Harlan Stenn" <stenn at ntp.isc.org>
>> To: "Hal Murray" <hmurray at suespammers.org>
>> Cc: "Harlan Stenn" <stenn at ntp.isc.org>; <hackers at ntp.isc.org>;
>> <mills at udel.edu>
>> Sent: Friday, August 25, 2006 2:56 PM
>> Subject: Re: [ntp:hackers] Workflow and issues surrounding security
>> issues with NTP
>>
>>
>>>>> Feedback on http://ntp.isc.org/Dev/HandlingSecurityIssues would be
>>>>> greatly appreciated.
>>>>
>>>> I assume the big picture is to minimize publicity for an exploit until it
>>>> gets fixed.
>>>
>>> Yes.
>>
>> This may have legal implications where there is a warranty of fitness or not
>> in the license.
>>
>>>> How many vendors have a copy of the sources that they modify and/or
>>>> distribute? Is there any way to contact them? If not, it might be a good
>>>> idea to collect a list of people to contact.
>>>
>>> At the moment, whoever is working on the bug works with whoever reported
>>> the bug and when a fix is ready we publish it.
>>
>> The problem is that the Vendors all rely on your testing of the product and
>> that is what possibly creates the enduring liability no matter what you want
>> to say about it.
>>
>>> For better or worse, to my knowledge we have had >1< CERT report
>>> involving a string overflow with ntpq (or was it ntpdc), and no exploit
>>> was ever demonstrated.
>>>
>>> We have been cleaning up some similar overflow/overrun issues as they
>>> are discovered.
>>>
>>> We have been fortunate enough to not have to deal with any significant
>>> security issues, but I want to be prepared in case one shows up.
>>
>> You may be legally speaking better off not addressing the security issues at
>> all and claiming that they are the responsibility of those using the Code to
>> address and if this is made as a decision - the license language for the use
>> of the code base must reflect this IMHO
>>
>>> I am working on exploring the creation of an "NTP Forum", where
>>> membership in the group would allow for:
>>>
>>> - setting product direction and feature priorities
>>
>> Unless you are planning on assuming liability for pulling the rug out from
>> under someone then this may be an issue. There should at least be a
>> Hold-Harmless Agreement that one is required to have their Sponsors' and
>> their execution of prior to playing in this sandbox. This is not meant to be
>> nasty - just to protect everyone.
>>
>>> - early security vulnerability notices and patch releases
>>
>> This is a real liability since it creates a dependency which will, if it's
>> ever pulled out from under a relying party, cause more than $5000 in
>> damage making the NTP.ISC.ORG quite suable in both State and Federal Courts
>> under the Computer Fraud and Abuse Act.
>>
>> You will initially probably disagree - but in fact I am right here I bet.
>>
>>> - 3rd line support for integration and complicated customer issues
>>
>> This is a nightmare because support means liability.
>>
>>> - Possibly limiting non-release-candidate development releases to this
>>> group
>>
>> Since you haven't started out that way changing now will also violate the
>> expectations of people relying on these now. Again a liability.
>>
>>> - priority bug fixes
>>> - direct access to developers on a priority basis to discuss strategy
>>> and assist in deployment planning
>>
>> This is a commercial service and that means Liability in spades.
>>
>>> - direct input to further release planning
>>>
>>> Please note this is a preliminary list, and >IF< this group is created
>>> the above list is merely the starting point.
>>>
>>> I also expect there will be different "membership levels" for the group,
>>> and for certain "higher" membership/benefit levels it will cost money
>>> for commercial (not freeware) organizations to join. There will also be
>>> a very useful number of membership levels that will not cost money.
>>>
>>> If you reply to this message with information about the Subject: thread,
>>> great. If you reply to this message with information about the NTP
>>> Forum thread, please change the Subject: accordingly.
>>>
>>> H
>>> _______________________________________________
>>> hackers mailing list
>>> hackers at support.ntp.org
>>> https://support.ntp.org/mailman/listinfo/hackers
>>
